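<?php
/**
 * This is the login screen. It also handles actions related to logging in and registering.
 *
 * Flow of this script:
 *  1. read the request params (action, mode, login, redirect_to);
 *  2. first switch: handle logout, password-reset requests/links and email-validation links
 *     (these either exit through header_redirect() or fall through by setting $action);
 *  3. second switch: handle the req_validatemail form (requires a logged-in user);
 *  4. sanity-check the URL we are logging in on and the redirect target;
 *  5. display the form that matches $action and exit.
 *
 * This file is part of the evoCore framework - {@link http://evocore.net/}
 * See also {@link http://sourceforge.net/projects/evocms/}.
 *
 * @copyright (c)2003-2007 by Francois PLANQUE - {@link http://fplanque.net/}
 * Parts of this file are copyright (c)2004-2006 by Daniel HAHLER - {@link http://thequod.de/contact}.
 *
 * {@internal License choice
 * - If you have received this file as part of a package, please find the license.txt file in
 *   the same folder or the closest folder above for complete license terms.
 * - If you have received this file individually (e-g: from http://evocms.cvs.sourceforge.net/)
 *   then you must choose one of the following licenses before using the file:
 *   - GNU General Public License 2 (GPL) - http://www.opensource.org/licenses/gpl-license.php
 *   - Mozilla Public License 1.1 (MPL) - http://www.opensource.org/licenses/mozilla1.1.php
 * }}
 *
 * {@internal Open Source relicensing agreement:
 * Daniel HAHLER grants Francois PLANQUE the right to license
 * Daniel HAHLER's contributions to this file and the b2evolution project
 * under any OSI approved OSS license (http://www.opensource.org/licenses/).
 *
 * Matt FOLLETT grants Francois PLANQUE the right to license
 * Matt FOLLETT's contributions to this file and the b2evolution project
 * under any OSI approved OSS license (http://www.opensource.org/licenses/).
 * }}
 *
 * @package htsrv
 *
 * {@internal Below is a list of authors who have contributed to design/coding of this file: }}
 * @author blueyed: Daniel HAHLER
 * @author fplanque: Francois PLANQUE
 * @author mfollett: Matt FOLLETT.
 *
 * @version $Id: login.php,v 1.94 2007/06/25 10:58:49 fplanque Exp $
 */

/**
 * Includes:
 */
require_once dirname(__FILE__).'/../conf/_config.php';
require_once $inc_path.'_main.inc.php';

// Request parameters (param() reads them from the request and registers them as globals):
param( 'action', 'string', 'req_login' );
param( 'mode', 'string', '' );

param( 'login', 'string', '' );
// echo 'login: ', $login;

// gets used by header_redirect();
// TODO: dh> problem here is that $ReqURI won't include the e.g. "ctrl" param in a POSTed form and therefor the user lands on the default admin page after logging in (again)
// fp> I think this will fix itself when we do another improvement: 303 redirect after each POST so that we never have an issue with people trying to reload a post
param( 'redirect_to', 'string', $ReqURI );


/*
 * First switch: actions that either exit (redirect) or delegate to another $action.
 */
switch( $action )
{
	case 'logout':
		logout(); // logout $Session and set $current_User = NULL

		// TODO: to give the user feedback through Messages, we would need to start a new $Session here and append $Messages to it.

		header_nocache();
		header_redirect(); // defaults to redirect_to param and exits
		/* exited */
		break;


	case 'retrievepassword': // Send password change request by mail
		$login_required = true; // Do not display "Without login.." link on the form

		$UserCache = & get_Cache( 'UserCache' );
		$ForgetfulUser = & $UserCache->get_by_login( $login );

		if( ! $ForgetfulUser )
		{ // User does not exist
			// Pretend that the email has been sent, so that existing logins cannot be enumerated.
			// NOTE: this must stay the same string as the real success message below.
			$Messages->add( T_('If you correctly typed in your login, a link to change your password has been sent to your registered email address.'), 'success' );
			$action = 'req_login';
			break;
		}

		// echo 'email: ', $ForgetfulUser->email;
		// echo 'locale: '.$ForgetfulUser->locale;

		if( $demo_mode && ($ForgetfulUser->login == 'demouser' || $ForgetfulUser->ID == 1) )
		{ // The demo account and the primary admin cannot be reset in demo mode
			$Messages->add( T_('You cannot reset this account in demo mode.'), 'error' );
			$action = 'req_login';
			break;
		}

		// The mail is written in the recipient's locale, not the current visitor's:
		locale_temp_switch( $ForgetfulUser->locale );

		// DEBUG!
		// echo $message.' (password not set yet, only when sending email does not fail);

		if( empty( $ForgetfulUser->email ) )
		{
			$Messages->add( T_('You have no email address with your profile, therefore we cannot reset your password.')
				.' '.T_('Please try contacting the admin.'), 'error' );
		}
		else
		{
			$request_id = generate_random_key(22); // 22 to make it not too long for URL but unique/safe enough

			// The link carries the request ID and the current session ID; the request ID is only
			// stored in this very session (see below), so the link is useless from another browser.
			$message = T_( 'Somebody (presumably you) has requested a password change for your account.' )
				."\n\n"
				.T_('Login:')." $login\n"
				.T_('Link to change your password:')
				."\n"
				.$htsrv_url_sensitive.'login.php?action=changepwd'
					.'&login='.rawurlencode( $ForgetfulUser->login )
					.'&reqID='.$request_id
					.'&sessID='.$Session->ID // used to detect cookie problems
				."\n\n"
				.T_('Please note:')
				.' '.T_('For security reasons the link is only valid for your current session (by means of your session cookie).')
				."\n\n"
				.T_('If it was not you that requested this password change, simply ignore this mail.');

			if( ! send_mail( $ForgetfulUser->email, sprintf( T_('Password change request for %s'), $ForgetfulUser->login ), $message, $notify_from ) )
			{
				$Messages->add( T_('Sorry, the email with the link to reset your password could not be sent.')
					.'<br />'.T_('Possible reason: the PHP mail() function may have been disabled on the server.'), 'error' );
			}
			else
			{
				// Only remember the request once the mail is actually out:
				$Session->set( 'core.changepwd.request_id', $request_id, 86400 * 2 ); // expires in two days (or when clicked)
				$Session->dbsave(); // save immediately

				$Messages->add( T_('If you correctly typed in your login, a link to change your password has been sent to your registered email address.' ), 'success' );
			}
		}

		locale_restore_previous();

		$action = 'req_login';
		break;


	case 'changepwd': // Clicked "Change password request" link from a mail
		param( 'reqID', 'string', '' );
		param( 'sessID', 'integer', '' );

		$UserCache = & get_Cache( 'UserCache' );
		$ForgetfulUser = & $UserCache->get_by_login($login);

		if( ! $ForgetfulUser || empty($reqID) )
		{ // This was not requested
			$Messages->add( T_('Invalid password change request! Please try again...'), 'error' );
			$action = 'lostpassword';
			$login_required = true; // Do not display "Without login.." link on the form
			break;
		}

		if( $sessID != $Session->ID )
		{ // Another session ID than for requesting password change link used!
			$Messages->add( T_('You have to use the same session (by means of your session cookie) as when you have requested the action. Please try again...'), 'error' );
			$action = 'lostpassword';
			$login_required = true; // Do not display "Without login.." link on the form
			break;
		}

		// Validate provided reqID against the one stored in the user's session.
		// Both sides are compared as strings with "!==": a loose "!=" would compare
		// numeric-looking keys as numbers (e.g. "0e..." strings), so a key could be
		// matched by a different value. (Where available, hash_equals() would additionally
		// make the comparison timing-independent.)
		if( (string)$Session->get( 'core.changepwd.request_id' ) !== (string)$reqID )
		{
			$Messages->add( T_('Invalid password change request! Please try again...'), 'error' );
			$action = 'lostpassword';
			$login_required = true; // Do not display "Without login.." link on the form
			break;
		}

		// Link User to Session:
		$Session->set_user_ID( $ForgetfulUser->ID );

		// Add Message to change the password:
		$Messages->add( T_( 'Please change your password to something you remember now.' ), 'success' );

		// Note: the 'core.changepwd.request_id' Session setting gets removed in b2users.php

		// Redirect to the user's profile in the "users" controller:
		// TODO: This will probably fail if the user has no admin-access permission! Redirect to profile page in blog instead!?
		header_nocache();
		// redirect Will save $Messages into Session:
		header_redirect( url_add_param( $admin_url, 'ctrl=users&user_ID='.$ForgetfulUser->ID, '&' ) ); // display user's profile
		/* exited */
		break;


	case 'validatemail': // Clicked "Validate email" link from a mail
		param( 'reqID', 'string', '' );
		param( 'sessID', 'integer', '' );

		if( is_logged_in() && $current_User->validated )
		{ // Already validated, e.g. clicked on an obsolete email link:
			$Messages->add( T_('Your account has already been validated.'), 'note' );
			// no break: cleanup & redirect below
		}
		else
		{
			// Check valid format:
			if( empty($reqID) )
			{ // This was not requested
				$Messages->add( T_('Invalid email address validation request!'), 'error' );
				$action = 'req_validatemail';
				break;
			}

			// Check valid session (format only, meant as help for the user):
			if( $sessID != $Session->ID )
			{ // Another session ID than for requesting account validation link used!
				$Messages->add( T_('You have to use the same session (by means of your session cookie) as when you have requested the action. Please try again...'), 'error' );
				$action = 'req_validatemail';
				break;
			}

			// Validate provided reqID against the ones stored in the user's session.
			// The lookup is strict (after normalizing the stored keys to strings) so that
			// numeric-looking keys are not compared as numbers.
			// Admin users can validate themselves by a button click, which submits reqID=1.
			$request_ids = $Session->get( 'core.validatemail.request_ids' );
			$valid_request_id = is_array($request_ids)
				&& in_array( (string)$reqID, array_map( 'strval', $request_ids ), true );
			$admin_self_validation = isset($current_User) && $current_User->group_ID == 1 && (string)$reqID === '1';
			if( ! $valid_request_id && ! $admin_self_validation )
			{
				$Messages->add( T_('Invalid email address validation request!'), 'error' );
				$action = 'req_validatemail';
				$login_required = true; // Do not display "Without login.." link on the form
				break;
			}

			if( ! is_logged_in() )
			{ // this can happen, if a new user registers and clicks on the "validate by email" link, without logging in first
				// Note: we reuse $reqID and $sessID in the form to come back here.

				$Messages->add( T_('Please login to validate your account.'), 'error' );
				break;
			}

			// Validate user:

			$current_User->set( 'validated', 1 );
			$current_User->dbupdate();

			$Messages->add( T_( 'Your email address has been validated.' ), 'success' );
		}

		$redirect_to = $Session->get( 'core.validatemail.redirect_to' );

		if( empty($redirect_to) && $current_User->check_perm('admin') )
		{ // User can access backoffice
			$redirect_to = $admin_url;
		}

		// Cleanup: the validation keys are single-use, drop them with the stored redirect target
		$Session->delete('core.validatemail.request_ids');
		$Session->delete('core.validatemail.redirect_to');

		header_nocache();
		// redirect Will save $Messages into Session:
		header_redirect();
		/* exited */
		break;

} // switch( $action ) (1st)



/* For actions that other delegate to from the switch above: */
switch( $action )
{
	case 'req_validatemail': // Send email validation link by mail (initial form and action)
		if( ! is_logged_in() )
		{
			$Messages->add( T_('You have to be logged in to request an account validation link.'), 'error' );
			$action = '';
			break;
		}

		if( ! $Settings->get('newusers_mustvalidate') || $current_User->validated )
		{ // validating emails is not activated/necessary (check this after login, so it gets not "announced")
			$action = '';
			break;
		}

		param( 'req_validatemail_submit', 'integer', 0 ); // has the form been submitted
		param( 'email', 'string', $current_User->email ); // the email address is editable

		if( $req_validatemail_submit )
		{ // Form has been submitted
			param_check_email( 'email', true );

			// Call plugin event to allow catching input in general and validating own things from DisplayRegisterFormFieldset event
			$Plugins->trigger_event( 'ValidateAccountFormSent' );

			if( $Messages->count('error') )
			{
				break;
			}

			// Update user's email:
			$current_User->set_email( $email );
			if( $current_User->dbupdate() )
			{
				$Messages->add( T_('Your profile has been updated.'), 'note' );
			}

			if( $current_User->send_validate_email($redirect_to) )
			{
				$Messages->add( sprintf( /* TRANS: %s gets replaced by the user's email address */ T_('An email has been sent to your email address (%s). Please click on the link therein to validate your account.'), $current_User->dget('email') ), 'success' );
			}
			else
			{
				$Messages->add( T_('Sorry, the email with the link to validate and activate your password could not be sent.')
					.'<br />'.T_('Possible reason: the PHP mail() function may have been disabled on the server.'), 'error' );
			}
		}
		else
		{ // Form not yet submitted:
			// Add a note, if we have already sent validation links:
			$request_ids = $Session->get( 'core.validatemail.request_ids' );
			if( is_array($request_ids) && count($request_ids) )
			{
				$Messages->add( sprintf( T_('We have already sent you %d email(s) with a validation link.'), count($request_ids) ), 'note' );
			}

			if( empty($current_User->email) )
			{ // add (error) note to be displayed in the form
				$Messages->add( T_('You have no email address with your profile, therefore we cannot validate it. Please give your email address below.'), 'error' );
			}
		}
		break;
}


// Warn when the login form is served from a URL other than the configured sensitive one
// (cookies set for the configured host would not be sent back otherwise):
if( ! defined( 'EVO_MAIN_INIT' ) )
{ // Do not check this if the form was included inside of _main.inc
	// echo $htsrv_url_sensitive.'login.php';
	// echo '<br>'.$ReqHost.$ReqPath;
	if( $ReqHost.$ReqPath != $htsrv_url_sensitive.'login.php' )
	{
		$Messages->add( sprintf( T_('WARNING: you are trying to log in on <strong>%s</strong> but we expect you to log in on <strong>%s</strong>. If this is due to an automatic redirect, this will prevent you from successfully loging in. You must either fix your webserver configuration, or your %s configuration in order for these two URLs to match.'), $ReqHost.$ReqPath, $htsrv_url_sensitive.'login.php', $app_name ), 'error' );
	}
}


// Note: the following regexp would fail when loging on to the same domain, because cookie_domain starts with a dot '.'
// However, same domain logins will happen with a relative redirect_to, so it is covered with '^/'
// (forms should use e.g. "url_rel_to_same_host($redirect_to, $htsrv_url_sensitive)" for this)
if( strlen($redirect_to) )
{
	// Make it relative to the form's target, in case it has been set absolute (and can be made relative).
	// Just in case it gets sent absolute. This should not trigger this warning then..!
	$redirect_to = url_rel_to_same_host($redirect_to, $htsrv_url_sensitive);

	if( !preg_match( '#^/|(https?://[a-z\-.]*'.str_replace( '.', '\.', $cookie_domain ).')#i', $redirect_to ) )
	{
		$Messages->add( sprintf( T_('WARNING: you are trying to log in to <strong>%s</strong> but your cookie domain is <strong>%s</strong>. You will not be able to successfully log in to the requested domain until you fix your cookie domain in your %s configuration.'), $redirect_to, $cookie_domain, $app_name ), 'error' );
	}
}


if( preg_match( '#/login.php([&?].*)?$#', $redirect_to ) )
{ // avoid "endless loops"
	$redirect_to = $admin_url;
}

// Remove login and pwd parameters from URL, so that they do not trigger the login screen again
// (and so that credentials do not survive in the redirect target):
$redirect_to = preg_replace( '~(?<=\?|&) (login|pwd) = [^&]+ ~x', '', $redirect_to );
$Debuglog->add( 'redirect_to: '.$redirect_to );


/**
 * Display:
 */
switch( $action )
{
	case 'lostpassword':
		// Lost password:
		// Display retrieval form:
		require $adminskins_path.'login/_lostpass_form.main.php';
		break;

	case 'req_validatemail':
		// Send email validation link by mail (initial form and action)
		// Display validation form:
		require $adminskins_path.'login/_validate_form.main.php';
		break;

	default:
		// Display login form
		require $adminskins_path.'login/_login_form.main.php';
}

exit();


/*
 * $Log: login.php,v $
 * Revision 1.94  2007/06/25 10:58:49  fplanque
 * MODULES (refactored MVC)
 *
 * Revision 1.93  2007/05/15 18:35:03  blueyed
 * Use the same string when faking a success message!
 *
 * Revision 1.92  2007/04/26 00:11:14  fplanque
 * (c) 2007
 *
 * Revision 1.91  2007/02/26 03:41:16  fplanque
 * doc
 *
 * Revision 1.90  2007/02/21 23:52:26  fplanque
 * doc
 *
 * Revision 1.89  2007/02/21 21:16:14  blueyed
 * todo
 *
 * Revision 1.88  2007/02/13 21:03:40  blueyed
 * Improved login/register/validation process:
 // So seriously now: "been validated already" and then "already been validated" on the same line!!! I don't think this is funny any longer. ("already been" is better)
 * - "Your account has been validated already." if an account had already been validated
 * - "We have already sent you %d email(s) with a validation link." note
 * - Autologin the user after he has registered (he just typed his credentials!)
 *
 * Revision 1.87  2007/02/03 19:48:55  blueyed
 * Fixed possible E_NOTICE
 *
 * Revision 1.86  2007/01/26 18:40:43  blueyed
 * Saner order of validate-email-link error message handling.
 *
 * Revision 1.85  2007/01/19 03:06:57  fplanque
 * Changed many little thinsg in the login procedure.
 * There may be new bugs, sorry. I tested this for several hours though.
 * More refactoring to be done.
 *
 * Revision 1.84  2007/01/18 23:59:29  fplanque
 * Re: Secunia. Proper sanitization.
 *
 * Revision 1.82  2007/01/17 23:54:54  blueyed
 * fixed "empty $redirect_to" regression
 *
 * Revision 1.81  2006/12/28 19:18:49  fplanque
 * trap yet another login/cookie caveat
 *
 * Revision 1.80  2006/12/28 15:44:31  fplanque
 * login refactoring / simplified
 *
 * Revision 1.79  2006/12/06 23:25:32  blueyed
 * Fixed bookmarklet plugins (props Danny); removed unneeded bookmarklet handling in core
 *
 * Revision 1.78  2006/12/06 22:30:07  fplanque
 * Fixed this use case:
 * Users cannot register themselves.
 * Admin creates users that are validated by default. (they don't have to validate)
 * Admin can invalidate a user. (his email, address actually)
 *
 * Revision 1.77  2006/11/26 02:30:38  fplanque
 * doc / todo
 *
 * Revision 1.76  2006/11/24 18:27:22  blueyed
 * Fixed link to b2evo CVS browsing interface in file docblocks
 *
 * Revision 1.75  2006/11/24 18:06:02  blueyed
 * Handle saving of $Messages centrally in header_redirect()
 *
 * Revision 1.74  2006/10/23 22:19:02  blueyed
 * Fixed/unified encoding of redirect_to param. Use just rawurlencode() and no funky & replacements
 *
 * Revision 1.73  2006/10/12 23:48:15  blueyed
 * Fix for if redirect_to is relative
 *
 * Revision 1.72  2006/08/21 19:07:52  blueyed
 * doc
 *
 * Revision 1.71  2006/08/21 16:07:43  fplanque
 * refactoring
 *
 * Revision 1.70  2006/08/20 22:25:20  fplanque
 * param_() refactoring part 2
 *
 * Revision 1.69  2006/08/19 07:56:29  fplanque
 * Moved a lot of stuff out of the automatic instanciation in _main.inc
 *
 * Revision 1.68  2006/07/26 20:19:15  blueyed
 * Set $current_User = NULL on logout (not false!)
 *
 * Revision 1.67  2006/07/17 01:33:13  blueyed
 * Fixed account validation by email for users who registered themselves
 *
 * Revision 1.66  2006/07/08 17:04:18  fplanque
 * minor
 *
 * Revision 1.65  2006/07/08 13:33:54  blueyed
 * Autovalidate admin group instead of primary admin user only.
 * Also delegate to req_validatemail action on failure directly instead of providing a link.
 *
 * Revision 1.64  2006/07/04 23:38:08  blueyed
 * Validate email: admin user (#1) has an extra button to validate him/herself through the form; store multiple req_validatemail keys in the user's session.
 *
 * Revision 1.63  2006/06/25 23:34:15  blueyed
 * wording pt2
 *
 * Revision 1.62  2006/06/25 23:23:38  blueyed
 * wording
 *
 * Revision 1.61  2006/06/22 22:30:04  blueyed
 * htsrv url for password related scripts (login, register and profile update)
 *
 * Revision 1.60  2006/05/19 18:15:04  blueyed
 * Merged from v-1-8 branch
 *
 * Revision 1.59.2.1  2006/05/19 15:06:23  fplanque
 * dirty sync
 *
 * Revision 1.59  2006/05/05 21:47:42  blueyed
 * consistency
 *
 * Revision 1.58  2006/04/24 20:52:30  fplanque
 * no message
 *
 * Revision 1.57  2006/04/22 02:54:37  blueyed
 * Fixes: Always go to validatemail form; delete used request ID
 *
 * Revision 1.56  2006/04/22 02:36:38  blueyed
 * Validate users on registration through email link (+cleanup around it)
 *
 * Revision 1.55  2006/04/20 12:15:32  fplanque
 * no message
 *
 * Revision 1.54  2006/04/19 23:50:39  blueyed
 * Normalized Messages handling (error displaying and transport in Session)
 *
 * Revision 1.53  2006/04/19 20:13:48  fplanque
 * do not restrict to :// (does not catch subdomains, not even www.)
 *
 * Revision 1.52  2006/04/11 21:22:25  fplanque
 * partial cleanup
 *
 */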