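 /**
  * Start recovery of a user's password.
  *
  * Renders the "enter your registered email" form and, on a valid POST, looks
  * the address up in cfg->userTable and sends one of two emails to the stored
  * (decrypted-by-recipient-address) UserEmail:
  *  - cfg->passwordRecovery == 0 or cfg->encryptPassword set: a response token
  *    from SSP_ResponseToken(UserId, cfg->recoverTime) plus cfg->newPassword
  *    as the link, via emailpasswordrecovery0.tpl;
  *  - otherwise: the stored UserPassword itself, via emailpasswordrecovery1.tpl.
  *
  * The only user-controlled input is the "email" form field; it is passed
  * through the form's dataType=email validation and then used as a bound
  * lookup value, never interpolated into SQL here.
  *
  * @return string rendered page produced by $form->create()
  */
 public function startPasswordRecovery()
 {
     $form = new sfc\Form(SSP_Path(), "noTable", "startPasswordRecovery");
     $form->tplf = "passwordrecover.tpl";
     $form->tpl = $this->tpl(array("title" => "Password recovery"));
     $form->errorAutoFormDisplay = false;
     $form->tda("loginPath", $this->cfg->logonScript);
     $form->fe("text", "email", "Enter your registered email");
     $form->fep("required=true,width=30, dataType=email");
     $form->fe("submit", "submit", "Recover Password");
     $form->fep("elClass=SSPFormButton");
     if ($form->processForm($_POST)) {
         if (!$form->error) {
             // Look the address up. Addresses are stored as SSP_encrypt() output, so
             // this equality lookup only works if SSP_encrypt() is deterministic for
             // equal input (it is used the same way elsewhere in this class).
             // NOTE(review): nothing in this method throttles attempts; rate limiting
             // of this endpoint has to come from the caller/web server if wanted.
             $fields = array("UserId", "UserEmail", "UserName", "UserPassword");
             $where = array("UserEmail" => SSP_encrypt(trim($form->getField("email"))));
             $row = $this->db->getf($this->cfg->userTable, $fields, $where, "SSP user admin: getting user info for password recovery");
             if ($this->db->numRows()) {
                 // found the email; the misc table supplies the display name for the mail
                 $rowMisc = $this->db->get($this->cfg->userMiscTable, array("UserId" => $row->UserId), "Getting user name for password recovery");
                 $recipientName = $rowMisc->FirstName . " " . $rowMisc->FamilyName;
                 // $row is an object (it is read as $row->UserId / $row->UserEmail above
                 // and below); the original used $row["UserName"] / $row["UserPassword"]
                 // in the branches below, which fails for a plain fetched object, so the
                 // fields are read with object syntax throughout.
                 $content = array();
                 if ($this->cfg->passwordRecovery == 0 or $this->cfg->encryptPassword) {
                     // use user change of password method:
                     // generate a user response token and mail a link to set a new password
                     $token = SSP_ResponseToken($row->UserId, $this->cfg->recoverTime);
                     // NOTE(review): token strength and single-use/expiry handling live in
                     // SSP_ResponseToken and the newPassword script - confirm there.
                     if ($this->cfg->loginType == 1) {
                         // Supply user name if used for login
                         $content["UserName"] = $row->UserName;
                     }
                     $content["link"] = $this->cfg->newPassword;
                     $content['token'] = $token;
                     $content["adminEmail"] = $this->cfg->adminEmail;
                     $email = new Email($this->cfg);
                     $email->noReplyEmail($content, "emailpasswordrecovery0.tpl", $row->UserEmail, $recipientName);
                 } else {
                     // email all info to the user
                     // SECURITY: this branch mails the stored password itself. It only
                     // exists when passwords are kept recoverably (encryptPassword off),
                     // and it exposes the credential in transit and in the recipient's
                     // mailbox. Prefer the token flow above (passwordRecovery = 0).
                     if ($this->cfg->loginType == 1) {
                         // Supply user name if used for login
                         $content["UserName"] = $row->UserName;
                     }
                     $content["UserPassword"] = $row->UserPassword;
                     $content["adminEmail"] = $this->cfg->adminEmail;
                     $email = new Email($this->cfg);
                     $email->noReplyEmail($content, "emailpasswordrecovery1.tpl", $row->UserEmail, $recipientName);
                 }
                 $form->tda("sent");
                 $result = $form->create();
             } else {
                 // email not found
                 // NOTE(review): answering "error" here and "sent" above lets a caller
                 // probe which addresses are registered (user enumeration). If that
                 // matters for this deployment, render the same "sent" page in both cases.
                 $form->tda("error");
                 $result = $form->create();
             }
         } else {
             // form validation failed: redisplay with errors
             $result = $form->create(true);
         }
     } else {
         // display form
         $result = $form->create();
     }
     return $result;
 }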
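 /**
  * Constructor: start the DB-backed session, load the session's user (if any)
  * and run the page access checks.
  *
  * What this does, in order: installs SessionHandler as the PHP save handler
  * and starts the session; sets up language and maintenance mode; redirects
  * to the https URL when cfg->useSSL or config->forceSSLPath is set; runs
  * autoLogin() and, when $doHistory, pageHistory(); loads the row for the
  * current session id/name from cfg->sessionTable; if that row names a user,
  * loads the user and marks the session logged in unless
  * SessionTime + cfg->loginExpiry has passed; for a logged-in user checks
  * cfg->validUserFlags, the page access level, the session/user IP rules and
  * chackRandom(); then hands any fault to userFaultHandling() and finishes
  * with finalSetup().
  *
  * @param string $pageAccessLevel - users allowed to access the page (a key of cfg->userLevels, after checkParameters())
  * @param bool $pageCheckEquals - if true only this user type can access this page
  * @param bool $doHistory - do history for this page
  * @param ProtectConfig|false $config - Protected session configuration options; a default ProtectConfig is built when false
  */
 public function __construct($pageAccessLevel = "", $pageCheckEquals = false, $doHistory = true, $config = false)
 {
     global $loginContent;
     if ($config === false) {
         $this->config = new \w34u\ssp\ProtectConfig();
     } else {
         $this->config = $config;
     }
     $this->cfg = Configuration::getConfiguration();
     $this->db = SspDb::getConnection();
     // set up db session handling
     $handler = new SessionHandler();
     session_set_save_handler(array($handler, 'open'), array($handler, 'close'), array($handler, 'read'), array($handler, 'write'), array($handler, 'destroy'), array($handler, 'gc'));
     // the following prevents unexpected effects when using objects as save handlers
     register_shutdown_function("session_write_close");
     session_start();
     $this->setupLanguage();
     $this->maintenanceMode();
     // turn off sql cacheing if it is set, but preserve the status to turn it back on after
     if ($this->db->cache) {
         $queryResultCacheing = true;
         $this->db->cache = false;
     } else {
         $queryResultCacheing = false;
     }
     $pageAccessLevel = $this->checkParameters($pageAccessLevel, $pageCheckEquals);
     if (isset($loginContent)) {
         $_SESSION["SSP_LoginPageAddtionalContent"] = $loginContent;
     }
     // check https:// site, and if fail divert to correct url
     // NOTE(review): only $_SERVER['HTTPS'] is consulted. Behind a TLS-terminating
     // proxy that does not set HTTPS this redirects on every request; the proxy
     // (not a client header) should be what sets it.
     if ($this->cfg->useSSL or $this->config->forceSSLPath) {
         if (!isset($_SERVER['HTTPS']) or $_SERVER['HTTPS'] == "off") {
             // script not called using https
             SSP_Divert(SSP_Path(true, true));
         }
     }
     $this->country = "";
     // do any external routines before history is called
     $this->autoLogin();
     if ($doHistory) {
         $this->pageHistory();
     }
     // get all session information for valid sessions (bound parameters; the
     // table/column names come from configuration, not from the request)
     $sessionInfo = null;
     $query = sprintf("select * from %s where %s = ? and %s = ?", $this->cfg->sessionTable, $this->db->qt("SessionId"), $this->db->qt("SessionName"));
     $values = array(session_id(), session_name());
     $this->db->query($query, $values, "SSP session handling: Get session information");
     if ($this->db->numRows() > 0) {
         // get result if existing session
         $sessionInfo = $this->db->fetchRow();
         $newSession = false;
     } else {
         $newSession = true;
         $this->log("New session started");
     }
     // process user information if logged in.
     $userFault = false;
     $needHigherLogin = false;
     $userInfo = null;
     if (!$newSession and trim($sessionInfo->UserId) != "") {
         $where = array("UserId" => $sessionInfo->UserId);
         $userInfo = $this->db->get($this->cfg->userTable, $where, "SSP Session: getting login data");
         if ($this->db->numRows()) {
             // user found
             // check for login expiry: the session row's SessionTime plus the
             // configured expiry must still be in the future
             if ($sessionInfo->SessionTime + $this->cfg->loginExpiry > time()) {
                 $this->loggedIn = true;
                 $this->userId = $userInfo->UserId;
                 $this->userName = $userInfo->UserName;
                 $this->userAccessLevel = $userInfo->UserAccess;
                 if ($this->cfg->userLevels[$this->userAccessLevel] >= $this->cfg->adminLevel) {
                     // admin user
                     $this->admin = true;
                 }
                 $this->userEmail = SSP_decrypt($userInfo->UserEmail);
                 if (isset($userInfo->country) and trim($userInfo->country) != "") {
                     $this->country = $userInfo->country;
                 }
             } else {
                 // Expired: unlink the user from the session row but keep the
                 // session itself (same session id) for the now-anonymous visitor.
                 $this->log("Login expired");
                 $this->loggedIn = false;
                 $this->db->update($this->cfg->sessionTable, array('UserId' => ''), array('SessionId' => session_id(), 'SessionName' => session_name()), 'SSP Session: clearing user id from expired login');
             }
         } else {
             $this->log("User not found from ID");
             $userFault = true;
         }
     }
     $pageAccess = $this->cfg->userLevels[$pageAccessLevel];
     if ($this->loggedIn) {
         // do security checking for user if logged in
         // validate flags: every configured flag must hold its required value
         $flagsValid = true;
         foreach ($this->cfg->validUserFlags as $flagName => $validFlagValue) {
             if ($userInfo->{$flagName} != $validFlagValue) {
                 $flagsValid = false;
                 $this->log("Invalid user flag " . $flagName . " value required: " . $validFlagValue . " actual: " . $userInfo->{$flagName});
                 break;
             }
         }
         if (!$flagsValid) {
             $userFault = true;
         } elseif ($this->cfg->userLevels[$userInfo->UserAccess] < $pageAccess) {
             // user does not have a high enough access level
             $userFault = true;
             $needHigherLogin = true;
             // flag higher login needed
             $this->log("User Access level not high enough Level: " . $userInfo->UserAccess . " " . $this->cfg->userLevels[$userInfo->UserAccess] . " Page " . $pageAccess);
         } elseif ($pageCheckEquals and $this->cfg->userLevels[$userInfo->UserAccess] != $pageAccess) {
             // user does not have the correct user access level
             $userFault = true;
             $needHigherLogin = true;
             // flag different login needed
             $this->log("User Access level not equal to the page's level");
         } elseif ($this->cfg->checkIpAddress and SSP_trimIp($sessionInfo->SessionIp) !== SSP_trimIp($_SERVER["REMOTE_ADDR"])) {
             // users IP address has changed (REMOTE_ADDR, not a forwarded header - good)
             $userFault = true;
             $this->log("User IP address changed " . SSP_paddIp($_SERVER["REMOTE_ADDR"]));
         } elseif (($this->cfg->fixedIpAddress or $userInfo->UserIpCheck) and SSP_paddIp($sessionInfo->SessionUserIp) !== SSP_paddIp($_SERVER["REMOTE_ADDR"])) {
             // user is at incorrect IP address
             $userFault = true;
             $this->log("User IP address incorrect, UserIP: " . SSP_paddIp($sessionInfo->SessionUserIp) . " Remote IP: " . SSP_paddIp($_SERVER["REMOTE_ADDR"]));
         }
         // chackRandom() (defined elsewhere) runs for every logged-in user and its
         // result is OR-ed into $userFault. The original assigned it directly,
         // which discarded any fault raised just above (bad flags, insufficient
         // level, IP mismatch) whenever the random check passed, letting the
         // request through. `||` is used rather than `or` because `or` binds
         // looser than `=` and would silently restore the old behaviour.
         $userFault = $this->chackRandom($sessionInfo) || $userFault;
     } else {
         $this->log("User not logged in");
     }
     // handle user faults
     $this->userFaultHandling($pageAccess, $userFault, $needHigherLogin, $queryResultCacheing);
     // final setup of page
     $this->finalSetup($userInfo);
     // restore query cacheing mode
     $this->db->cache = $queryResultCacheing;
 }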