mirror of
https://github.com/Piwigo/Piwigo.git
synced 2026-07-06 09:52:29 +02:00
- revert feature 564: log the login of each user; but add the possibility to be
done by a plugin - create a "standard" way to define PHP functions that we use but might not be available in the current php version - when a comment is rejected (spam, anti-flood etc), put the content back to the browser in case there is a real user behind it - now a comment can be entered only if the page was retrieved between 2 seconds ago and 1 hour ago git-svn-id: http://piwigo.org/svn/trunk@1744 68402e56-0260-453c-a942-63ccdbb3a9ee
This commit is contained in:
@@ -121,6 +121,17 @@ if (!defined('PHPWG_INSTALLED'))
|
||||
exit;
|
||||
}
|
||||
|
||||
foreach( array(
|
||||
'array_intersect_key', //PHP 5 >= 5.1.0RC1
|
||||
'hash_hmac', //(hash) - enabled by default as of PHP 5.1.2
|
||||
) as $func)
|
||||
{
|
||||
if (!function_exists($func))
|
||||
{
|
||||
include_once(PHPWG_ROOT_PATH . 'include/php_compat/'.$func.'.php');
|
||||
}
|
||||
}
|
||||
|
||||
include(PHPWG_ROOT_PATH . 'include/config_default.inc.php');
|
||||
@include(PHPWG_ROOT_PATH. 'include/config_local.inc.php');
|
||||
include(PHPWG_ROOT_PATH . 'include/constants.php');
|
||||
|
||||
@@ -717,5 +717,6 @@ function set_status_header($code, $text='')
|
||||
}
|
||||
header("HTTP/1.1 $code $text");
|
||||
header("Status: $code $text");
|
||||
trigger_action('set_status_header', $code, $text);
|
||||
}
|
||||
?>
|
||||
|
||||
@@ -252,23 +252,6 @@ SELECT DISTINCT(id)
|
||||
return $items;
|
||||
}
|
||||
|
||||
|
||||
if (!function_exists('array_intersect_key')) {
|
||||
function array_intersect_key()
|
||||
{
|
||||
$arrs = func_get_args();
|
||||
$result = array_shift($arrs);
|
||||
foreach ($arrs as $array) {
|
||||
foreach ($result as $key => $v) {
|
||||
if (!array_key_exists($key, $array)) {
|
||||
unset($result[$key]);
|
||||
}
|
||||
}
|
||||
}
|
||||
return $result;
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* returns the LIKE sql clause corresponding to the quick search query $q
|
||||
* and the field $field. example q="john bill", field="file" will return
|
||||
|
||||
@@ -858,8 +858,9 @@ function get_language_filepath($filename, $dirname = '')
|
||||
/**
|
||||
* returns the auto login key or false on error
|
||||
* @param int user_id
|
||||
* @param string [out] username
|
||||
*/
|
||||
function calculate_auto_login_key($user_id)
|
||||
function calculate_auto_login_key($user_id, &$username)
|
||||
{
|
||||
global $conf;
|
||||
$query = '
|
||||
@@ -871,7 +872,12 @@ WHERE '.$conf['user_fields']['id'].' = '.$user_id;
|
||||
if (mysql_num_rows($result) > 0)
|
||||
{
|
||||
$row = mysql_fetch_assoc($result);
|
||||
$key = sha1( $row['username'].$row['password'] );
|
||||
$username = $row['username'];
|
||||
$data = $row['username'].$row['password'];
|
||||
$key = base64_encode(
|
||||
pack('H*', sha1($data))
|
||||
.hash_hmac('md5', $data, $conf['secret_key'],true)
|
||||
);
|
||||
return $key;
|
||||
}
|
||||
return false;
|
||||
@@ -889,7 +895,7 @@ function log_user($user_id, $remember_me)
|
||||
|
||||
if ($remember_me and $conf['authorize_remembering'])
|
||||
{
|
||||
$key = calculate_auto_login_key($user_id);
|
||||
$key = calculate_auto_login_key($user_id, $username);
|
||||
if ($key!==false)
|
||||
{
|
||||
$cookie = array('id' => (int)$user_id, 'key' => $key);
|
||||
@@ -928,12 +934,13 @@ function auto_login() {
|
||||
if ( isset( $_COOKIE[$conf['remember_me_name']] ) )
|
||||
{
|
||||
$cookie = unserialize(stripslashes($_COOKIE[$conf['remember_me_name']]));
|
||||
if ($cookie!==false)
|
||||
if ($cookie!==false and is_numeric(@$cookie['id']) )
|
||||
{
|
||||
$key = calculate_auto_login_key($cookie['id']);
|
||||
$key = calculate_auto_login_key( $cookie['id'], $username );
|
||||
if ($key!==false and $key===$cookie['key'])
|
||||
{
|
||||
log_user($cookie['id'], true);
|
||||
trigger_action('login_success', $username);
|
||||
return true;
|
||||
}
|
||||
}
|
||||
@@ -942,6 +949,31 @@ function auto_login() {
|
||||
return false;
|
||||
}
|
||||
|
||||
/**
|
||||
* Tries to login a user given username and password (must be MySql escaped)
|
||||
* return true on success
|
||||
*/
|
||||
function try_log_user($username, $password, $remember_me)
|
||||
{
|
||||
global $conf;
|
||||
// retrieving the encrypted password of the login submitted
|
||||
$query = '
|
||||
SELECT '.$conf['user_fields']['id'].' AS id,
|
||||
'.$conf['user_fields']['password'].' AS password
|
||||
FROM '.USERS_TABLE.'
|
||||
WHERE '.$conf['user_fields']['username'].' = \''.$username.'\'
|
||||
;';
|
||||
$row = mysql_fetch_assoc(pwg_query($query));
|
||||
if ($row['password'] == $conf['pass_convert']($password))
|
||||
{
|
||||
log_user($row['id'], $remember_me);
|
||||
trigger_action('login_success', $username);
|
||||
return true;
|
||||
}
|
||||
trigger_action('login_failure', $username);
|
||||
return false;
|
||||
}
|
||||
|
||||
/*
|
||||
* Return access_type definition of uuser
|
||||
* Test does with user status
|
||||
|
||||
@@ -0,0 +1,35 @@
|
||||
<?php
|
||||
// http://www.php.net/manual/en/function.array-intersect-key.php
|
||||
// PHP 5 >= 5.1.0RC1
|
||||
function array_intersect_key()
|
||||
{
|
||||
$args = func_get_args();
|
||||
if (count($args) < 2) {
|
||||
trigger_error('Wrong parameter count for array_intersect_key()', E_USER_WARNING);
|
||||
return;
|
||||
}
|
||||
|
||||
// Check arrays
|
||||
$array_count = count($args);
|
||||
for ($i = 0; $i !== $array_count; $i++) {
|
||||
if (!is_array($args[$i])) {
|
||||
trigger_error('array_intersect_key() Argument #' . ($i + 1) . ' is not an array', E_USER_WARNING);
|
||||
return;
|
||||
}
|
||||
}
|
||||
|
||||
// Compare entries
|
||||
$result = array();
|
||||
foreach ($args[0] as $key1 => $value1) {
|
||||
for ($i = 1; $i !== $array_count; $i++) {
|
||||
foreach ($args[$i] as $key2 => $value2) {
|
||||
if ((string) $key1 === (string) $key2) {
|
||||
$result[$key1] = $value1;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return $result;
|
||||
}
|
||||
?>
|
||||
@@ -0,0 +1,25 @@
|
||||
<?php
|
||||
//(hash) - enabled by default as of PHP 5.1.2
|
||||
function hash_hmac($algo, $data, $key, $raw_output=false)
|
||||
{
|
||||
/* md5 and sha1 only */
|
||||
$algo=strtolower($algo);
|
||||
$p=array('md5'=>'H32','sha1'=>'H40');
|
||||
if ( !isset($p[$algo]) or !function_exists($algo) )
|
||||
{
|
||||
$algo = 'md5';
|
||||
}
|
||||
if(strlen($key)>64) $key=pack($p[$algo],$algo($key));
|
||||
if(strlen($key)<64) $key=str_pad($key,64,chr(0));
|
||||
|
||||
$ipad=substr($key,0,64) ^ str_repeat(chr(0x36),64);
|
||||
$opad=substr($key,0,64) ^ str_repeat(chr(0x5C),64);
|
||||
|
||||
$ret = $algo($opad.pack($p[$algo],$algo($ipad.$data)));
|
||||
if ($raw_output)
|
||||
{
|
||||
$ret = pack('H*', $ret);
|
||||
}
|
||||
return $ret;
|
||||
}
|
||||
?>
|
||||
@@ -30,32 +30,6 @@
|
||||
*
|
||||
*/
|
||||
|
||||
if (!function_exists('hash_hmac'))
|
||||
{
|
||||
function hash_hmac($algo, $data, $key, $raw_output=false)
|
||||
{
|
||||
/* md5 and sha1 only */
|
||||
$algo=strtolower($algo);
|
||||
$p=array('md5'=>'H32','sha1'=>'H40');
|
||||
if ( !isset($p[$algo]) or !function_exists($algo) )
|
||||
{
|
||||
$algo = 'md5';
|
||||
}
|
||||
if(strlen($key)>64) $key=pack($p[$algo],$algo($key));
|
||||
if(strlen($key)<64) $key=str_pad($key,64,chr(0));
|
||||
|
||||
$ipad=substr($key,0,64) ^ str_repeat(chr(0x36),64);
|
||||
$opad=substr($key,0,64) ^ str_repeat(chr(0x5C),64);
|
||||
|
||||
$ret = $algo($opad.pack($p[$algo],$algo($ipad.$data)));
|
||||
if ($raw_output)
|
||||
{
|
||||
$ret = pack('H*', $ret);
|
||||
}
|
||||
return $ret;
|
||||
}
|
||||
}
|
||||
|
||||
//returns string action to perform on a new comment: validate, moderate, reject
|
||||
function user_comment_check($action, $comment, $picture)
|
||||
{
|
||||
@@ -166,7 +140,8 @@ if ( $page['show_comments'] and isset( $_POST['content'] ) )
|
||||
|
||||
$key = explode(':', @$_POST['key']);
|
||||
if ( count($key)!=2
|
||||
or $key[0]>time() or $key[0]<time()-1800 // 30 minutes expiration
|
||||
or $key[0]>time()-2 // page must have been retrieved more than 2 sec ago
|
||||
or $key[0]<time()-3600 // 60 minutes expiration
|
||||
or hash_hmac('md5', $key[0], $conf['secret_key'])!=$key[1]
|
||||
)
|
||||
{
|
||||
@@ -257,6 +232,7 @@ if ( $page['show_comments'] and isset( $_POST['content'] ) )
|
||||
}
|
||||
else
|
||||
{
|
||||
set_status_header(403);
|
||||
$template->assign_block_vars('information',
|
||||
array('INFORMATION'=>l10n('comment_not_added') )
|
||||
);
|
||||
@@ -354,9 +330,15 @@ SELECT id,author,date,image_id,content
|
||||
{
|
||||
$key = time();
|
||||
$key .= ':'.hash_hmac('md5', $key, $conf['secret_key']);
|
||||
$content = '';
|
||||
if ('reject'===@$comment_action)
|
||||
{
|
||||
$content = htmlspecialchars($comm['content']);
|
||||
}
|
||||
$template->assign_block_vars('comments.add_comment',
|
||||
array(
|
||||
'key' => $key
|
||||
'KEY' => $key,
|
||||
'CONTENT' => $content
|
||||
));
|
||||
// display author field if the user is not logged in
|
||||
if ($user['is_the_guest'])
|
||||
|
||||
@@ -494,20 +494,8 @@ function ws_session_login($params, &$service)
|
||||
{
|
||||
return new PwgError(400, "This method requires POST");
|
||||
}
|
||||
|
||||
$username = $params['username'];
|
||||
// retrieving the encrypted password of the login submitted
|
||||
$query = '
|
||||
SELECT '.$conf['user_fields']['id'].' AS id,
|
||||
'.$conf['user_fields']['password'].' AS password
|
||||
FROM '.USERS_TABLE.'
|
||||
WHERE '.$conf['user_fields']['username'].' = \''.$username.'\'
|
||||
;';
|
||||
$row = mysql_fetch_assoc(pwg_query($query));
|
||||
|
||||
if ($row['password'] == $conf['pass_convert']($params['password']))
|
||||
if (try_log_user($params['username'], $params['password'],false))
|
||||
{
|
||||
log_user($row['id'], false);
|
||||
return true;
|
||||
}
|
||||
return new PwgError(999, 'Invalid username/password');
|
||||
|
||||
Reference in New Issue
Block a user