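/**
 * Authenticate the user named in $_POST['username'] with $_POST['password'],
 * create an auth_sessions row for them and hand the session id to the browser.
 *
 * @param string $type     Login context ('public' or 'admin'). Passed through to
 *                         invalid_login() and used to choose the 2FA template and
 *                         the post-login redirect.
 * @param bool   $redirect When true and $type is 'admin', redirect to the admin
 *                         index and exit instead of returning.
 * @return mixed The authenticated user's id (users.id as returned by the DB layer),
 *               or false if invalid_login() returns instead of terminating.
 *
 * Side effects: inserts into auth_sessions, sets the auth cookie, rewrites
 * alerts.is_new for the user, may send the 2FA e-mail, and may echo a template
 * and exit() (pending 2FA, or admin redirect).
 */
public function login($type = 'public', $redirect = true)
{
    // Initialize
    global $config;

    // Treat absent POST fields as empty strings so a malformed request fails the
    // lookup below instead of raising undefined-index notices.
    $username = isset($_POST['username']) ? strtolower((string) $_POST['username']) : '';
    $password = isset($_POST['password']) ? (string) $_POST['password'] : '';

    // Get user row
    $user_row = DB::queryFirstRow("SELECT * FROM users WHERE username = %s", $username);
    if (!$user_row) {
        // invalid_login() is expected to terminate the request; the return below
        // only matters if it ever comes back, in which case we must fail closed.
        $this->invalid_login($type);
        return false;
    }

    // Check password. hash_equals() compares in constant time and avoids the
    // loose-comparison pitfalls of != on hash strings (e.g. numeric-looking
    // "0e..." values comparing equal).
    // NOTE(review): encrypt::get_password_hash() is a project helper; its hashing
    // scheme is not visible here. password_hash()/password_verify() would be the
    // standard choice, but switching requires a migration of stored hashes.
    $client = new encrypt();
    $computed_hash = (string) $client->get_password_hash($password, $user_row['id']);
    if (!hash_equals((string) $user_row['password'], $computed_hash)) {
        $this->invalid_login($type);
        return false;
    }

    // Get a session ID whose SHA-512 is not already in auth_sessions. Only the
    // hash is stored server-side; the plain value travels only in the cookie.
    // NOTE(review): generate_random_string() is a project helper — confirm it uses
    // a CSPRNG (random_bytes/random_int), since this value is the session secret.
    do {
        $session_id = generate_random_string(60);
        $taken = (bool) DB::queryFirstRow(
            "SELECT * FROM auth_sessions WHERE auth_hash = %s",
            hash('sha512', $session_id)
        );
    } while ($taken);

    // Check for 2FA: required for everyone, or for admins (group_id 1) only.
    $require_2fa = $config['enable_2fa'] == 'all'
        || ($config['enable_2fa'] == 'admin' && $user_row['group_id'] == 1);

    // Generate 2FA hash, if needed
    if ($require_2fa) {
        $status_2fa = 0;
        $hash_2fa = generate_random_string(60);

        // Send e-mail
        // NOTE(review): the link is built from the client-supplied Host header, so a
        // request with a forged Host produces an e-mail pointing elsewhere. A
        // configured absolute base URL is preferable — confirm whether SITE_URI
        // (used for the redirect below) is absolute before switching to it.
        $url = "http://" . $_SERVER['HTTP_HOST'] . '/2fa/' . $hash_2fa;
        mail(
            $user_row['email'],
            "2FA Authentication - {$config['site_name']}",
            "You are receiving this e-mail because you just tried to login to {$config['site_name']}, which required 2FA. To proceed with your login, please click on the below URL:\r\n\r\n\t{$url}\r\n\r\nThank you,\r\n{$config['site_name']}\r\n"
        );
    } else {
        $status_2fa = 1;
        $hash_2fa = '';
    }

    // Create session
    DB::insert('auth_sessions', array(
        'userid' => $user_row['id'],
        'last_active' => time(),
        'auth_hash' => hash('sha512', $session_id),
        '2fa_status' => $status_2fa,
        '2fa_hash' => $hash_2fa,
    ));

    // Set cookie. HttpOnly keeps the session id out of reach of page scripts;
    // Secure is set whenever this request itself arrived over HTTPS. Expiry,
    // path and domain are left at their defaults to keep the original scope.
    $cookie_name = COOKIE_NAME . 'auth_hash';
    $secure = isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    setcookie($cookie_name, $session_id, 0, '', '', $secure, true);

    // Update alerts: demote "new since last login" (2) to seen (0), then mark
    // unseen (1) as "new since last login" (2). Order matters.
    DB::query("UPDATE alerts SET is_new = 0 WHERE is_new = 2 AND userid = %d", $user_row['id']);
    DB::query("UPDATE alerts SET is_new = 2 WHERE is_new = 1 AND userid = %d", $user_row['id']);

    // Redirect user
    if ($status_2fa === 0) {
        $route = $type == 'admin' ? 'admin/2fa' : '2fa';
        $template = new template($route);
        echo $template->parse();
        exit(0);
    } elseif ($type == 'admin' && $redirect === true) {
        header("Location: " . SITE_URI . "/admin/index");
        exit(0);
    }

    // Return
    return $user_row['id'];
}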
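/**
 * Apply the profile changes posted in $_POST to the user identified by
 * $this->userid.
 *
 * Reads: email, new_username (replaced by email when $config['username_field']
 * is 'email'), is_admin, is_active, full_name, password/password2, and
 * custom<N> for every row of users_custom_fields. Validation problems are
 * reported through $template->add_message() and block the database write.
 *
 * @return bool True when the users row was updated, false when an error was
 *              recorded on $template.
 */
public function update()
{
    // Initialize
    global $template, $config;

    // Absent POST fields are read as empty strings instead of raising notices.
    $email = isset($_POST['email']) ? (string) $_POST['email'] : '';

    // Checks
    if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
        $template->add_message("Invalid e-mail address, {$email}", 'error');
    }

    // Set variables. $_POST['new_username'] is overwritten (not just read) when
    // the e-mail doubles as username, preserving that for any later reader.
    $updates = array();
    if ($config['username_field'] == 'email') {
        $_POST['new_username'] = $email;
    }
    $new_username = isset($_POST['new_username']) ? (string) $_POST['new_username'] : '';
    $old_username = (string) DB::queryFirstField("SELECT username FROM users WHERE id = %d", $this->userid);

    // Set updates array. An empty new_username is ignored rather than blanking
    // the stored username (the field may simply be absent from the form).
    if ($new_username !== '' && $old_username !== $new_username) {
        $clash = DB::queryFirstRow("SELECT * FROM users WHERE username = %s", strtolower($new_username));
        if ($clash) {
            $template->add_message("Unable to change username, as username already exists, {$new_username}", 'error');
        } else {
            $updates['username'] = strtolower($new_username);
        }
    }

    // Set other variables
    // NOTE(review): group_id and status are taken straight from POST and nothing
    // in this method checks who is calling. The caller must ensure only an
    // administrator can submit is_admin/is_active, otherwise a user editing their
    // own profile could elevate or reactivate their account.
    if (isset($_POST['is_admin'])) {
        $updates['group_id'] = $_POST['is_admin'] == 1 ? 1 : 2;
    }
    if (isset($_POST['is_active'])) {
        $updates['status'] = $_POST['is_active'] == 1 ? 'active' : 'inactive';
    }
    if (isset($_POST['full_name'])) {
        $updates['full_name'] = $_POST['full_name'];
    }
    $updates['email'] = strtolower($email);

    // Update password, if needed: only when supplied and both entries match.
    $password = isset($_POST['password']) ? (string) $_POST['password'] : '';
    $password2 = isset($_POST['password2']) ? (string) $_POST['password2'] : '';
    if ($password !== '' && $password === $password2) {
        $client = new encrypt();
        $updates['password'] = $client->get_password_hash($password, $this->userid);
    }

    // Get custom fields: every posted custom<N> value for a defined field.
    // NOTE(review): the set is stored with serialize(); the matching reader is not
    // visible here, so the format is kept (json_encode would be safer to decode).
    $custom_fields = array();
    foreach (DB::query("SELECT * FROM users_custom_fields ORDER BY id") as $field) {
        $key = 'custom' . $field['id'];
        if (isset($_POST[$key])) {
            $custom_fields[$key] = $_POST[$key];
        }
    }
    $updates['custom_fields'] = serialize($custom_fields);

    // Update database only when no error was recorded above.
    if ($template->has_errors == 1) {
        return false;
    }
    DB::update('users', $updates, "id = %d", $this->userid);
    return true;
}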