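/**
 * Derive a password digest using a (salt, iteration, method) triple.
 *
 * @param string $mode       'RECREATE' reuses the parameters stored for $username
 *                           (login verification); 'NEW' generates fresh ones
 *                           (account creation / password change). Anything else
 *                           is reported through error_handler().
 * @param string $password   Plaintext password to hash.
 * @param string $username   Account whose stored parameters are looked up; only
 *                           consulted in 'RECREATE' mode.
 * @param string &$salt      Out: the salt used - the stored value in 'RECREATE'
 *                           mode when the user exists, otherwise generate_token().
 * @param string &$iteration Out: bcrypt cost factor or round count used.
 * @param string &$method    Out: 'blowfish' or one of cobalt_password_methods().
 * @return string|null Digest from cobalt_password_hash_bcrypt() or
 *                     cobalt_password_hash_process(); null if no digest could
 *                     be produced (invalid mode / method) and error_handler()
 *                     returned.
 *
 * In 'RECREATE' mode an unknown username gets fabricated parameters so the
 * (deliberately slow) hashing step still runs. That keeps the response time
 * for "no such user" close to "wrong password" and hampers user enumeration.
 * Nothing about the fabricated parameters is written to the response.
 */
function cobalt_password_hash($mode, $password, $username, &$salt = '', &$iteration = '', &$method = '')
{
    require_once 'subclasses/system_settings.php';
    // NOTE(review): $obj_settings is never read below; kept only in case the
    // constructor has side effects the rest of the application relies on - confirm.
    $obj_settings = new system_settings();

    $digest = null;
    $need_fresh_params = false;

    if ($mode == 'RECREATE') {
        $dbh = new data_abstraction();
        $mysqli = $dbh->connect_db()->mysqli;
        // Username is attacker-controlled at login time; escape before interpolating.
        $clean_username = $mysqli->real_escape_string($username);
        $dbh->set_table('user');
        $dbh->set_fields('`salt`,`iteration`,`method`');
        $dbh->set_where("`username`='{$clean_username}'");
        $dbh->exec_fetch('single');
        if ($dbh->num_rows == 1) {
            // Assign the three selected columns explicitly rather than extract()
            // so a row can never clobber other locals ($password, $mode, ...).
            $salt      = $dbh->dump['salt'];
            $iteration = $dbh->dump['iteration'];
            $method    = $dbh->dump['method'];
        } else {
            // No such user: fabricate parameters so hashing still takes place
            // (see the enumeration / timing note in the doc comment).
            $need_fresh_params = true;
        }
        $dbh->close_db();
    } elseif ($mode == 'NEW') {
        $need_fresh_params = true;
    } else {
        error_handler(
            "Cobalt encountered an error during password processing.",
            "Cobalt Password Hash Error: Invalid mode specified."
        );
    }

    if ($need_fresh_params) {
        $salt = generate_token();
        $method = cobalt_password_set_method();
        if ($method == 'blowfish') {
            $iteration = AUTH_BLOWFISH_COST_FACTOR;
        } else {
            // Per-method round range comes from the AUTH_<METHOD>_{MIN,MAX}_ROUNDS constants.
            $min = constant('AUTH_' . strtoupper($method) . '_MIN_ROUNDS');
            $max = constant('AUTH_' . strtoupper($method) . '_MAX_ROUNDS');
            if ($max < $min) {
                $max = $min;
            }
            // The round count is stored next to the hash and is not a secret,
            // so a non-cryptographic PRNG is acceptable here.
            $iteration = mt_rand($min, $max);
        }
        // Intentionally no output here. The previous
        // `echo $iteration . ' ' . $method . ' ' . $salt;` in the unknown-user
        // branch told the client the username does not exist (and leaked the
        // fake salt), defeating the enumeration mitigation and corrupting the
        // HTTP response before headers were sent.
    }

    if ($method == 'blowfish') {
        $digest = cobalt_password_hash_bcrypt($password, $salt, $iteration);
    } elseif (in_array($method, cobalt_password_methods(), true)) {
        $digest = cobalt_password_hash_process($password, $salt, $iteration, $method);
    } else {
        error_handler(
            "Cobalt encountered an error during password processing.",
            "Cobalt Password Hash Error: Invalid hash method specified."
        );
    }

    return $digest;
}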
$data_con->exec_fetch('single'); if ($data_con->num_rows == 1) { extract($data_con->dump); $_SESSION['header'] = $header; $_SESSION['footer'] = $footer; $_SESSION['skin'] = $skin_name; $_SESSION['master_css'] = $master_css; $_SESSION['colors_css'] = $colors_css; $_SESSION['fonts_css'] = $fonts_css; $_SESSION['override_css'] = $override_css; $_SESSION['icon_set'] = $icon_set; if (trim($_SESSION['icon_set'] == '')) { $_SESSION['icon_set'] = 'cobalt'; } } $data_con->close_db(); require 'components/get_listview_referrer.php'; init_var($arr_error); init_var($first_field); init_var($goto_region); init_var($goto_skill); if (xsrf_guard()) { init_var($_POST['btn_cancel']); init_var($_POST['btn_submit']); require 'components/query_string_standard.php'; require 'subclasses/citizen.php'; $dbh_citizen = new citizen(); $object_name = 'dbh_citizen'; require 'components/create_form_data_with_upload.php'; extract($arr_form_data); if ($_POST['btn_cancel']) {
$obj_role->close_db(); //Assign permissions to user $dbh = new data_abstraction(); foreach ($arrLink as $link_id) { $dbh->set_query_type('SELECT'); $dbh->set_table('user_passport'); $dbh->set_fields('username, link_id'); $dbh->set_where("username='******' AND link_id='" . quote_smart($link_id) . "'"); $dbh->make_query(); if ($dbh->num_rows == 0) { $dbh->set_query_type('INSERT'); $dbh->set_values("'" . quote_smart($Username) . "','" . quote_smart($link_id) . "'"); $dbh->make_query(); } } $dbh->close_db(); } $message = 'Success! User passport has been updated.'; $message_type = 'system'; } } $html_writer = new html(); $html_writer->draw_header('Set User Passports', $message, $message_type); ?> <div class="container"> <fieldset class="container_invisible"> <fieldset class="top"> Role-Based Access Control Interface</fieldset> <fieldset class="middle"> <table class="input_form" width="800"> <tr><td><a href="set_user_passports.php">[Custom Permissions]</a> :: <a href="set_user_passports2.php">[View and Remove Permissions Per Module]</a> :: <b>[Role-Based Access Control Interface]</b><hr></td>
if (isset($check) && is_array($check)) { $data_con = new data_abstraction(); $data_con->set_query_type('DELETE'); $obj_role = new data_abstraction(); $obj_role->set_query_type('UPDATE'); $obj_role->set_table('user'); $obj_role->set_update("role_id='0'"); foreach ($check as $user) { $data_con->set_table('user_passport'); $data_con->set_where("username='******' AND link_id='" . quote_smart($module) . "'"); $data_con->make_query(); $obj_role->set_where("username='******'"); $obj_role->make_query(); } $data_con->close_db(); $obj_role->close_db(); } else { $message = "Please select at least one user."; } } $data_con = new data_abstraction(); $data_con->set_fields('username'); $data_con->set_table('user_passport'); $data_con->set_where("link_id='" . quote_smart($module) . "'"); $data_con->set_order('username'); if ($result = $data_con->make_query()->result) { $arrUser = array(); $showUsers = TRUE; $numUsers = $data_con->num_rows; for ($a = 0; $a < $numUsers; $a++) { $data = $result->fetch_assoc();
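/**
 * Enforce that the logged-in user holds the passport $required_passport for an
 * enabled module, and deny the request otherwise.
 *
 * The grant lookup joins user_links (module list, status) with user_passport
 * (per-user grants) and also requires a.status = 'On': modules that are turned
 * off are not shown in the control center, so reaching one is itself treated
 * as an illegal access attempt.
 *
 * On a miss for a tag that exists in user_links, the attempt is logged and the
 * 'Security Level' system setting picks the response: "HIGH" renders
 * components/red_alert_screen.php and terminates; anything else redirects to
 * HOME_PAGE. A tag that is not in user_links at all is a programming error and
 * is reported through error_handler().
 *
 * @param string $required_passport Passport/module tag as stored in user_links.name.
 *                                  Normally a constant supplied by the calling module.
 * @return void Returns normally only when access is granted.
 */
function check_passport($required_passport)
{
    $user = quote_smart($_SESSION['user']);
    // The tag is interpolated into SQL twice below; escape it the same way as
    // $user rather than trusting every caller to pass a literal.
    $clean_passport = quote_smart($required_passport);

    // 1. Does this user hold the passport for an enabled module?
    $data_con = new data_abstraction();
    $data_con->set_fields('a.status');
    $data_con->set_table('user_links a LEFT JOIN user_passport b ON a.link_id = b.link_id');
    $data_con->set_where("a.name='{$clean_passport}' AND\n b.username='******' AND\n a.status='On'");
    $data_con->exec_fetch('single');
    $numrows = $data_con->num_rows;
    $data_con->close_db();

    if ($numrows != 0) {
        // Access granted.
        return;
    }

    // 2. Distinguish "user lacks the passport" from "no such passport tag".
    $data_con = new data_abstraction();
    $data_con->set_fields('link_id');
    $data_con->set_table('user_links');
    $data_con->set_where("name='{$clean_passport}'");
    $data_con->exec_fetch('single');
    $numrows = $data_con->num_rows;
    $data_con->close_db();

    if ($numrows != 1) {
        error_handler(
            "Passport tag does not exist in module list!",
            'Passport tag: "' . $required_passport . '"'
        );
        // NOTE(review): this path is only fail-closed if error_handler()
        // terminates the script; if it merely renders and returns, the
        // protected page continues to execute - confirm.
        return;
    }

    log_action(
        "ILLEGAL ACCESS ATTEMPT - Tried to access '{$_SERVER['PHP_SELF']}' without sufficient privileges.",
        $_SERVER['PHP_SELF']
    );

    // 3. The 'Security Level' setting decides how a detected illegal access
    //    attempt is handled. Default to '' so a failed lookup falls through to
    //    the redirect (deny) branch instead of reading an undefined variable.
    $security_level = '';
    $data_con = new data_abstraction();
    $data_con->set_fields('value');
    $data_con->set_table('system_settings');
    $data_con->set_where("setting='Security Level'");
    if ($result = $data_con->make_query()->result) {
        $data = $result->fetch_assoc();
        $security_level = (string) $data['value'];
    } else {
        error_handler("Error getting the security level! ", $data_con->error);
    }
    $data_con->close_db();

    if (strtoupper($security_level) === "HIGH") {
        $enable_red_alert = true;
        require 'components/red_alert_screen.php';
        die;
    }

    // NOTE(review): relies on redirect() terminating the script; otherwise the
    // page body would still be produced after the Location header - confirm.
    redirect(HOME_PAGE);
}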