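/**
 * Log in the account named by the web server (REMOTE_USER) when the
 * configured login method is BASIC_AUTH.
 *
 * Does nothing if the session is already authenticated. Otherwise the
 * request is halted through trigger_error( ..., ERROR ) when the login
 * method is not BASIC_AUTH, when REMOTE_USER is absent or empty, or when
 * no account with that name exists. On success the login counters are
 * updated and cookies/tokens are issued, as for an interactive login.
 *
 * The user name is trusted as supplied by the web server; this function
 * performs no credential check of its own, so it relies on the web server
 * having authenticated the request before setting REMOTE_USER.
 *
 * @return void
 */
function autologin() {
	if( auth_is_user_authenticated() ) {
		return;
	}

	$t_login_method = config_get( 'login_method' );
	if( $t_login_method != BASIC_AUTH ) {
		trigger_error( "Invalid login method. ({$t_login_method})", ERROR );
	}

	# A missing or empty REMOTE_USER means the web server did not
	# authenticate the request; do not feed that into the name lookup.
	$t_remote_user = isset( $_SERVER['REMOTE_USER'] ) ? (string)$_SERVER['REMOTE_USER'] : '';
	if( $t_remote_user === '' ) {
		trigger_error( 'Invalid user.', ERROR );
	}

	$t_user_id = user_get_id_by_name( $t_remote_user );
	if( !$t_user_id ) {
		trigger_error( 'Invalid user.', ERROR );
	}

	# same bookkeeping as a successful interactive login
	user_increment_login_count( $t_user_id );
	user_reset_failed_login_count_to_zero( $t_user_id );
	user_reset_lost_password_in_progress_count_to_zero( $t_user_id );

	auth_set_cookies( $t_user_id, true );
	auth_set_tokens( $t_user_id );
}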
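# Lost-password verification page: checks the confirmation hash that was
# mailed to the user, starts a temporary login and shows the account page
# so the user can set a new password.

$f_user_id = gpc_get_string( 'id' );
$f_confirm_hash = gpc_get_string( 'confirm_hash' );

# force logout on the current user if already authenticated
if( auth_is_user_authenticated() ) {
	auth_logout();

	# reload the page after logout; both values are request input, so they
	# are URL-encoded rather than interpolated raw into the query string
	print_header_redirect( 'verify.php?id=' . urlencode( $f_user_id ) . '&confirm_hash=' . urlencode( $f_confirm_hash ) );
}

$t_calculated_confirm_hash = auth_generate_confirm_hash( $f_user_id );

# Compare with hash_equals(): it is type-strict (the loose != it replaces
# would compare numeric-looking strings as numbers) and constant-time, so
# the comparison does not leak how much of the hash matched.
if( !hash_equals( (string)$t_calculated_confirm_hash, (string)$f_confirm_hash ) ) {
	trigger_error( ERROR_LOST_PASSWORD_CONFIRM_HASH_INVALID, ERROR );
}

# set a temporary cookie so the login information is passed between pages.
auth_set_cookies( $f_user_id, false );

user_reset_failed_login_count_to_zero( $f_user_id );
user_reset_lost_password_in_progress_count_to_zero( $f_user_id );

# fake login so the user can set their password
auth_attempt_script_login( user_get_field( $f_user_id, 'username' ) );

# count the verification as a failed login attempt until the password is set
user_increment_failed_login_count( $f_user_id );

include ( dirname( __FILE__ ) . DIRECTORY_SEPARATOR . 'account_page.php' );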
/**
 * Reset the password of the given user.
 *
 * The behaviour depends on the 'send_reset_password' and
 * 'enable_email_notification' settings:
 * - both ON: a random password is generated and stored in processed
 *   form; when $p_send_email is true a confirmation URL is mailed to the
 *   user. A user without an e-mail address halts with
 *   ERROR_LOST_PASSWORD_NO_EMAIL_SPECIFIED.
 * - otherwise: the password is set to the processed empty string and the
 *   failed-login counter is cleared, since no mail is involved.
 * Protected users are never modified.
 *
 * Open question kept from the original: should a blank password be forced
 * instead of a random one when e-mail notification is off, and how would
 * the caller be told which happened?
 *
 * @param integer $p_user_id A valid user identifier.
 * @param boolean $p_send_email Whether to send the confirmation e-mail.
 * @return boolean false if the user is protected, true once the password was reset.
 */
function user_reset_password( $p_user_id, $p_send_email = true ) {
	# protected accounts keep their password
	if( user_get_field( $p_user_id, 'protected' ) == ON ) {
		return false;
	}

	$t_random_mode = ( config_get( 'send_reset_password' ) == ON )
		&& ( config_get( 'enable_email_notification' ) == ON );

	if( !$t_random_mode ) {
		# blank password, no mailing; clear the failed-login counter here
		# because in this mode nothing else will do it
		user_set_field( $p_user_id, 'password', auth_process_plain_password( '' ) );
		user_reset_failed_login_count_to_zero( $p_user_id );
		return true;
	}

	$t_email = user_get_field( $p_user_id, 'email' );
	if( is_blank( $t_email ) ) {
		trigger_error( ERROR_LOST_PASSWORD_NO_EMAIL_SPECIFIED, ERROR );
	}

	# random password, stored only in processed form
	$t_plain_password = auth_generate_random_password();
	user_set_field( $p_user_id, 'password', auth_process_plain_password( $t_plain_password ) );

	if( $p_send_email ) {
		email_send_confirm_hash_url( $p_user_id, auth_generate_confirm_hash( $p_user_id ) );
	}

	return true;
}
/**
 * Attempt to log in the user with the given password.
 *
 * Returns false when validation fails. On success the login counters are
 * updated, the cookies and tokens are set and true is returned; with
 * $p_perm_login the long-term cookie is created.
 *
 * An unknown user name is created on the fly only when the login method
 * is BASIC_AUTH, or when it is LDAP and the LDAP authentication for the
 * name/password succeeds.
 *
 * @param string $p_username a prepared username
 * @param string $p_password a prepared password
 * @param bool $p_perm_login whether to create a long-term cookie
 * @return bool indicates if authentication was successful
 * @access public
 */
function auth_attempt_login( $p_username, $p_password, $p_perm_login = false ) {
	$t_user_id = user_get_id_by_name( $p_username );
	$t_login_method = config_get( 'login_method' );

	if( false === $t_user_id ) {
		# unknown name: auto-create only for BASIC_AUTH (the web server has
		# already authenticated) or for an LDAP bind that succeeds
		$t_auto_create = ( BASIC_AUTH == $t_login_method )
			|| ( LDAP == $t_login_method && ldap_authenticate_by_username( $p_username, $p_password ) );
		if( !$t_auto_create ) {
			return false;
		}

		# NOTE: user_create receives md5( $p_password ) as its password
		# argument; how that value is stored is decided inside user_create
		if( false === user_create( $p_username, md5( $p_password ) ) ) {
			return false;
		}

		# re-read the freshly created account
		$t_user_id = user_get_id_by_name( $p_username );
		if( false === $t_user_id ) {
			# the account was just created but cannot be found
			# @@@ trigger an error here?
			return false;
		}
	}

	# disabled accounts cannot log in
	if( !user_is_enabled( $t_user_id ) ) {
		return false;
	}

	# too many failed login attempts
	if( !user_is_login_request_allowed( $t_user_id ) ) {
		return false;
	}

	# anonymous accounts skip the password check; everyone else must match
	$t_needs_password = !user_is_anonymous( $t_user_id );
	if( $t_needs_password && !auth_does_password_match( $t_user_id, $p_password ) ) {
		user_increment_failed_login_count( $t_user_id );
		return false;
	}

	# successful login: update counters and issue cookies/tokens
	user_increment_login_count( $t_user_id );
	user_reset_failed_login_count_to_zero( $t_user_id );
	user_reset_lost_password_in_progress_count_to_zero( $t_user_id );

	auth_set_cookies( $t_user_id, $p_perm_login );
	auth_set_tokens( $t_user_id );

	return true;
}
/**
 * Attempt to log in the user with the given password.
 *
 * Returns false when validation fails. On success the login counters are
 * updated, the cookies and tokens are set and true is returned; with
 * $p_perm_login the long-term cookie is created.
 *
 * Resolving the login name and any on-the-fly account creation are
 * delegated to auth_get_user_id_from_login_name() and
 * auth_auto_create_user(); both signal failure with false.
 *
 * @param string $p_username A prepared username.
 * @param string $p_password A prepared password.
 * @param boolean $p_perm_login Whether to create a long-term cookie.
 * @return boolean indicates if authentication was successful
 * @access public
 */
function auth_attempt_login( $p_username, $p_password, $p_perm_login = false ) {
	$t_user_id = auth_get_user_id_from_login_name( $p_username );

	# unknown name: give the auto-create path a chance, otherwise reject
	if( $t_user_id === false ) {
		$t_user_id = auth_auto_create_user( $p_username, $p_password );
	}
	if( $t_user_id === false ) {
		return false;
	}

	# disabled accounts and accounts over the failed-attempt limit cannot log in
	if( !user_is_enabled( $t_user_id ) || !user_is_login_request_allowed( $t_user_id ) ) {
		return false;
	}

	# anonymous accounts skip the password check; everyone else must match
	$t_needs_password = !user_is_anonymous( $t_user_id );
	if( $t_needs_password && !auth_does_password_match( $t_user_id, $p_password ) ) {
		user_increment_failed_login_count( $t_user_id );
		return false;
	}

	# successful login: update counters and issue cookies/tokens
	user_increment_login_count( $t_user_id );
	user_reset_failed_login_count_to_zero( $t_user_id );
	user_reset_lost_password_in_progress_count_to_zero( $t_user_id );

	auth_set_cookies( $t_user_id, $p_perm_login );
	auth_set_tokens( $t_user_id );

	return true;
}