ISPConfig3 devel
blame | history | patch | commit | commitdiff | ignore whitespace
tbrehm
2012-01-27 b0711a41c9cd3628507c424aba889d94b0c2cef2 
 interface/web/login/index.php


@@ -37,84 +37,189 @@


   private $app;


   private $conf;


   


   public function __construct()


   {


      global $app, $conf;


      $this->app  = $app;


      $this->conf = $conf;


   }


	


   public function render() {


      


      if(isset($_SESSION['s']['user']) && is_array($_SESSION['s']['user']) && is_array($_SESSION['s']['module'])) {


         die('HEADER_REDIRECT:'.$_SESSION['s']['module']['startpage']);


      global $app, $conf;


		


      /* Redirect to page, if login form was NOT send */


      if(count($_POST) == 0) {


         if(isset($_SESSION['s']['user']) && is_array($_SESSION['s']['user']) && is_array($_SESSION['s']['module'])) {


            die('HEADER_REDIRECT:'.$_SESSION['s']['module']['startpage']);


         }


      }


      


      $this->app->uses('tpl');


      $this->app->tpl->newTemplate('form.tpl.htm');


      $app->uses('tpl');


      $app->tpl->newTemplate('form.tpl.htm');


       


       $error = '';    


       $error = '';


		


      $app->load_language_file('web/login/lib/lang/'.$conf["language"].'.lng');


   


   


      //* Login Form was send


      if(count($_POST) > 0) {


			


         //** Check variables


         if(!preg_match("/^[\w\.\-\_\@]{1,128}$/", $_POST['username'])) $error = $app->lng('user_regex_error');


         if(!preg_match("/^.{1,64}$/i", $_POST['passwort'])) $error = $app->lng('pw_error_length');


			


           //** iporting variables


           $ip      = $app->db->quote(ip2long($_SERVER['REMOTE_ADDR']));


           $username = $app->db->quote($_POST['username']);


           $passwort = $app->db->quote($_POST['passwort']);


         $loginAs  = false;


         $time = time();


   


           // iporting variables


           $ip      = $this->app->db->quote(ip2long($_SERVER['REMOTE_ADDR']));


           $username = $this->app->db->quote($_POST['username']);


           $passwort = $this->app->db->quote($_POST['passwort']); 


	


           if($username != '' and $passwort != '') {


              //* Check if there already wrong logins


              $sql = "SELECT * FROM `attempts_login` WHERE `ip`= '{$ip}' AND  `login_time` < NOW() + INTERVAL 15 MINUTE LIMIT 1";


              $alreadyfailed = $this->app->db->queryOneRecord($sql);


           if($username != '' && $passwort != '' && $error == '') {


            /*


             *  Check, if there is a "login as" instead of a "normal" login


             */


            if (isset($_SESSION['s']['user']) && $_SESSION['s']['user']['active'] == 1){


               /*


                * only the admin can "login as" so if the user is NOT a admin, we


                * open the startpage (after killing the old session), so the user


                * is logout and has to start again!


                */


               if ($_SESSION['s']['user']['typ'] != 'admin') {


                  /*


                   * The actual user is NOT a admin, but maybe the admin


                   * has logged in as "normal" user bevore...


                   */


                  if (isset($_SESSION['s_old'])&& ($_SESSION['s_old']['user']['typ'] == 'admin')){


                     /* The "old" user is admin, so everything is ok */


                  }


                  else {


                     die("You don't have the right to 'login as'!");


                  }


               }


               $loginAs = true;


            }


            else {


               /* normal login */


               $loginAs = false;


            }




              //* Check if there are already wrong logins


              $sql = "SELECT * FROM `attempts_login` WHERE `ip`= '{$ip}' AND  `login_time` > (NOW() - INTERVAL 1 MINUTE) LIMIT 1";


              $alreadyfailed = $app->db->queryOneRecord($sql);


              //* login to much wrong


              if($alreadyfailed['times'] > 5) {


                 $error = $this->app->lng(1004);


                 $error = $app->lng('error_user_too_many_logins');


              } else {


                 $sql = "SELECT * FROM sys_user WHERE USERNAME = '$username' and ( PASSWORT = '".md5($passwort)."' or PASSWORT = password('$passwort') )";


                  $user = $this->app->db->queryOneRecord($sql);


	        		


               if ($loginAs){


                    $sql = "SELECT * FROM sys_user WHERE USERNAME = '$username' and PASSWORT = '". $passwort. "'";


                  $user = $app->db->queryOneRecord($sql);


               } else {


                  if(stristr($username,'@')) {


                     //* mailuser login


                     $sql = "SELECT * FROM mail_user WHERE login = '$username'";


                     $mailuser = $app->db->queryOneRecord($sql);


                     $user = false;


                     if($mailuser) {


                        $saved_password = stripslashes($mailuser['password']);


                        $salt = '$1$'.substr($saved_password,3,8).'$';


                        //* Check if mailuser password is correct


                        if(crypt(stripslashes($passwort),$salt) == $saved_password) {


                           //* we build a fake user here which has access to the mailuser module only and userid 0


                           $user = array();


                           $user['userid'] = 0;


                           $user['active'] = 1;


                           $user['startmodule'] = 'mailuser';


                           $user['modules'] = 'mailuser';


                           $user['typ'] = 'user';


                           $user['email'] = $mailuser['email'];


                           $user['username'] = $username;


                           $user['language'] = $conf['language'];


                           $user['theme'] = $conf['theme'];


                           $user['mailuser_id'] = $mailuser['mailuser_id'];


                           $user['default_group'] = $mailuser['sys_groupid'];


                        }


                     }


							


                  } else {


                     //* normal cp user login


                     $sql = "SELECT * FROM sys_user WHERE USERNAME = '$username'";


                     $user = $app->db->queryOneRecord($sql);


							


                     if($user) {


                        $saved_password = stripslashes($user['passwort']);


							


                        if(substr($saved_password,0,3) == '$1$') {


                           //* The password is crypt-md5 encrypted


                           $salt = '$1$'.substr($saved_password,3,8).'$';


								


                           if(crypt(stripslashes($passwort),$salt) != $saved_password) {


                              $user = false;


                           }


                        } else {


								


                           //* The password is md5 encrypted


                           if(md5($passwort) != $saved_password) {


                              $user = false;


                           }


                        }


                     } else {


                        $user = false;


                     }


                  }


               }


		            


                  if($user) {


                      if($user['active'] == 1) {


                         // User login right, so attempts can be deleted


                         $sql = "DELETE FROM `attempts_login` WHERE `ip`='{$ip}'";


                         $this->app->db->query($sql);


                         $user = $this->app->db->toLower($user);


                          $_SESSION = array();


                          $_SESSION['s']['user'] = $user;


                          $_SESSION['s']['user']['theme'] = isset($user['app_theme']) ? $user['app_theme'] : 'default';


                          $_SESSION['s']['language'] = $user['language'];


                         $app->db->query($sql);


                         $user = $app->db->toLower($user);


							


                     if ($loginAs) $oldSession = $_SESSION['s'];


                     $_SESSION = array();


                     if ($loginAs) $_SESSION['s_old'] = $oldSession; // keep the way back!


                     $_SESSION['s']['user'] = $user;


                     $_SESSION['s']['user']['theme'] = isset($user['app_theme']) ? $user['app_theme'] : 'default';


                     $_SESSION['s']['language'] = $user['language'];


                     $_SESSION["s"]['theme'] = $_SESSION['s']['user']['theme'];


                              


                     if(is_file($_SESSION['s']['user']['startmodule'].'/lib/module.conf.php')) {


                        include_once($_SESSION['s']['user']['startmodule'].'/lib/module.conf.php');


                        $_SESSION['s']['module'] = $module;


                     }


                     echo 'HEADER_REDIRECT:'.$_SESSION['s']['module']['startpage'];


							


                     $app->plugin->raiseEvent('login',$this);


							


                     /*


                      * We need LOGIN_REDIRECT instead of HEADER_REDIRECT to load the


                      * new theme, if the logged-in user has another


                      */


                     echo 'LOGIN_REDIRECT:'.$_SESSION['s']['module']['startpage'];


                              


                            exit;


                      } else {


                         $error = $this->app->lng(1003);


                         $error = $app->lng('error_user_blocked');


                      }


                 } else {


                    if(!$alreadyfailed['times'] )


                    {


                       //* user login the first time wrong


                       $sql = "INSERT INTO `attempts_login` (`ip`, `times`, `login_time`) VALUES ('{$ip}', 1, NOW())";


                       $this->app->db->query($sql);


                       $app->db->query($sql);


                    } elseif($alreadyfailed['times'] >= 1) {


                       //* update times wrong


                       $sql = "UPDATE `attempts_login` SET `times`=`times`+1, `login_time`=NOW() WHERE `login_time` >= '{$time}' LIMIT 1";


                       $this->app->db->query($sql);


                       $app->db->query($sql);


                    }


                     //* Incorrect login - Username and password incorrect


                      $error = $this->app->lng(1002);


                      if($this->app->db->errorMessage != '') $error .= '<br />'.$this->app->db->errorMessage != '';


                      $error = $app->lng('error_user_password_incorrect');


                      if($app->db->errorMessage != '') $error .= '<br />'.$app->db->errorMessage != '';


						


                  $app->plugin->raiseEvent('login_failed',$this);	


                    }


              }


            } else {


                //* Username or password empty


               $error = $this->app->lng(1001);


               if($error == '') $error = $app->lng('error_user_password_empty');


				


            $app->plugin->raiseEvent('login_empty',$this);


           }


      }


      if($error != ''){


@@ -123,13 +228,16 @@


   


   


   


      $this->app->tpl->setVar('error', $error);


      $this->app->tpl->setInclude('content_tpl','login/templates/index.htm');


      $this->app->tpl_defaults();


      $app->tpl->setVar('error', $error);


      $app->tpl->setVar('username_txt', $app->lng('username_txt'));


      $app->tpl->setVar('password_txt', $app->lng('password_txt'));


      $app->tpl->setVar('login_button_txt', $app->lng('login_button_txt'));


      $app->tpl->setInclude('content_tpl','login/templates/index.htm');


      $app->tpl_defaults();


      


      $this->status = 'OK';


      


      return $this->app->tpl->grab();


      return $app->tpl->grab();


      


   } // << end function