include/auth.php

   1 <?php
   2
   3
   4 function nuke_session() {
   5         unset($_SESSION['authenticated']);
   6         unset($_SESSION['uid']);
   7         unset($_SESSION['visitor_id']);
   8         unset($_SESSION['administrator']);
   9         unset($_SESSION['cid']);
  10         unset($_SESSION['theme']);
  11         unset($_SESSION['page_flags']);
  12 }
  13
  14
  15 // login/logout
  16
  17
  18
  19
  20 if((isset($_SESSION)) && (x($_SESSION,'authenticated')) && ((! (x($_POST,'auth-params'))) || ($_POST['auth-params'] !== 'login'))) {
  21
  22         if(((x($_POST,'auth-params')) && ($_POST['auth-params'] === 'logout')) || ($a->module === 'logout')) {
  23
  24                 // process logout request
  25
  26                 nuke_session();
  27                 notice( t('Logged out.') . EOL);
  28                 goaway($a->get_baseurl());
  29         }
  30
  31         if(x($_SESSION,'uid')) {
  32
  33                 // already logged in user returning
  34
  35                 $check = get_config('system','paranoia');
  36                 // extra paranoia - if the IP changed, log them out
  37                 if($check && ($_SESSION['addr'] != $_SERVER['REMOTE_ADDR'])) {
  38                         nuke_session();
  39                         goaway($a->get_baseurl());
  40                 }
  41
  42                 $r = q("SELECT * FROM `user` WHERE `uid` = %d LIMIT 1",
  43                         intval($_SESSION['uid'])
  44                 );
  45
  46                 if(! count($r)) {
  47                         nuke_session();
  48                         goaway($a->get_baseurl());
  49                 }
  50
  51                 // initialise user environment
  52
  53                 $a->user = $r[0];
  54                 $_SESSION['theme'] = $a->user['theme'];
  55                 $_SESSION['page_flags'] = $a->user['page-flags'];
  56
  57                 if(strlen($a->user['timezone'])) {
  58                         date_default_timezone_set($a->user['timezone']);
  59                         $a->timezone = $a->user['timezone'];
  60                 }
  61
  62                 $_SESSION['my_url'] = $a->get_baseurl() . '/profile/' . $a->user['nickname'];
  63
  64                 $r = q("SELECT `uid`,`username` FROM `user` WHERE `password` = '%s' AND `email` = '%s'",
  65                         dbesc($a->user['password']),
  66                         dbesc($a->user['email'])
  67                 );
  68                 if(count($r))
  69                         $a->identities = $r;
  70
  71                 $r = q("SELECT * FROM `contact` WHERE `uid` = %d AND `self` = 1 LIMIT 1",
  72                         intval($_SESSION['uid']));
  73                 if(count($r)) {
  74                         $a->contact = $r[0];
  75                         $a->cid = $r[0]['id'];
  76                         $_SESSION['cid'] = $a->cid;
  77
  78                 }
  79                 header('X-Account-Management-Status: active; name="' . $a->user['username'] . '"; id="' . $a->user['nickname'] .'"');
  80         }
  81 }
  82 else {
  83
  84         if(isset($_SESSION)) {
  85                 nuke_session();
  86         }
  87
  88         if((x($_POST,'password')) && strlen($_POST['password']))
  89                 $encrypted = hash('whirlpool',trim($_POST['password']));
  90         else {
  91                 if((x($_POST,'openid_url')) && strlen($_POST['openid_url'])) {
  92
  93                         $noid = get_config('system','no_openid');
  94
  95                         $openid_url = trim($_POST['openid_url']);
  96
  97                         // validate_url alters the calling parameter
  98
  99                         $temp_string = $openid_url;
 100
 101                         // if it's an email address or doesn't resolve to a URL, fail.
 102
 103                         if(($noid) || (strpos($temp_string,'@')) || (! validate_url($temp_string))) {
 104                                 $a = get_app();
 105                                 notice( t('Login failed.') . EOL);
 106                                 goaway($a->get_baseurl());
 107                                 // NOTREACHED
 108                         }
 109
 110                         // Otherwise it's probably an openid.
 111
 112                         require_once('library/openid.php');
 113                         $openid = new LightOpenID;
 114                         $openid->identity = $openid_url;
 115                         $_SESSION['openid'] = $openid_url;
 116                         $a = get_app();
 117                         $openid->returnUrl = $a->get_baseurl() . '/openid';
 118
 119                         $r = q("SELECT `uid` FROM `user` WHERE `openid` = '%s' LIMIT 1",
 120                                 dbesc($openid_url)
 121                         );
 122                         if(count($r)) {
 123                                 // existing account
 124                                 goaway($openid->authUrl());
 125                                 // NOTREACHED
 126                         }
 127                         else {
 128                                 if($a->config['register_policy'] == REGISTER_CLOSED) {
 129                                         $a = get_app();
 130                                         notice( t('Login failed.') . EOL);
 131                                         goaway($a->get_baseurl());
 132                                         // NOTREACHED
 133                                 }
 134                                 // new account
 135                                 $_SESSION['register'] = 1;
 136                                 $openid->required = array('namePerson/friendly', 'contact/email', 'namePerson');
 137                                 $openid->optional = array('namePerson/first','media/image/aspect11','media/image/default');
 138                                 goaway($openid->authUrl());
 139                                 // NOTREACHED
 140                         }
 141                 }
 142         }
 143         if((x($_POST,'auth-params')) && $_POST['auth-params'] === 'login') {
 144
 145                 $record = null;
 146
 147                 $addon_auth = array(
 148                         'username' => trim($_POST['openid_url']),
 149                         'password' => trim($_POST['password']),
 150                         'authenticated' => 0,
 151                         'user_record' => null
 152                 );
 153
 154                 /**
 155                  *
 156                  * A plugin indicates successful login by setting 'authenticated' to non-zero value and returning a user record
 157                  * Plugins should never set 'authenticated' except to indicate success - as hooks may be chained
 158                  * and later plugins should not interfere with an earlier one that succeeded.
 159                  *
 160                  */
 161
 162                 call_hooks('authenticate', $addon_auth);
 163
 164                 if(($addon_auth['authenticated']) && (count($addon_auth['user_record']))) {
 165                         $record = $addon_auth['user_record'];
 166                 }
 167                 else {
 168
 169                         // process normal login request
 170
 171                         $r = q("SELECT * FROM `user` WHERE ( `email` = '%s' OR `nickname` = '%s' )
 172                                 AND `password` = '%s' AND `blocked` = 0 AND `verified` = 1 LIMIT 1",
 173                                 dbesc(trim($_POST['openid_url'])),
 174                                 dbesc(trim($_POST['openid_url'])),
 175                                 dbesc($encrypted)
 176                         );
 177                         if(count($r))
 178                                 $record = $r[0];
 179                 }
 180
 181                 if((! $record) || (! count($record))) {
 182                         logger('authenticate: failed login attempt: ' . trim($_POST['openid_url']));
 183                         notice( t('Login failed.') . EOL );
 184                         goaway($a->get_baseurl());
 185                 }
 186
 187                 $_SESSION['uid'] = $record['uid'];
 188                 $_SESSION['theme'] = $record['theme'];
 189                 $_SESSION['authenticated'] = 1;
 190                 $_SESSION['page_flags'] = $record['page-flags'];
 191                 $_SESSION['my_url'] = $a->get_baseurl() . '/profile/' . $record['nickname'];
 192                 $_SESSION['addr'] = $_SERVER['REMOTE_ADDR'];
 193
 194                 $a->user = $record;
 195
 196                 if($a->user['login_date'] === '0000-00-00 00:00:00') {
 197                         $_SESSION['return_url'] = 'profile_photo/new';
 198                         $a->module = 'profile_photo';
 199                         notice( t("Welcome ") . $a->user['username'] . EOL);
 200                         notice( t('Please upload a profile photo.') . EOL);
 201                 }
 202                 else
 203                         notice( t("Welcome back ") . $a->user['username'] . EOL);
 204
 205                 if(strlen($a->user['timezone'])) {
 206                         date_default_timezone_set($a->user['timezone']);
 207                         $a->timezone = $a->user['timezone'];
 208                 }
 209
 210                 $r = q("SELECT `uid`,`username` FROM `user` WHERE `password` = '%s' AND `email` = '%s'",
 211                         dbesc($a->user['password']),
 212                         dbesc($a->user['email'])
 213                 );
 214                 if(count($r))
 215                         $a->identities = $r;
 216
 217
 218                 $r = q("SELECT * FROM `contact` WHERE `uid` = %d AND `self` = 1 LIMIT 1",
 219                         intval($_SESSION['uid']));
 220                 if(count($r)) {
 221                         $a->contact = $r[0];
 222                         $a->cid = $r[0]['id'];
 223                         $_SESSION['cid'] = $a->cid;
 224                 }
 225
 226
 227                 q("UPDATE `user` SET `login_date` = '%s' WHERE `uid` = %d LIMIT 1",
 228                         dbesc(datetime_convert()),
 229                         intval($_SESSION['uid'])
 230                 );
 231
 232                 call_hooks('logged_in', $a->user);
 233
 234                 header('X-Account-Management-Status: active; name="' . $a->user['username'] . '"; id="' . $a->user['nickname'] .'"');
 235                 if(($a->module !== 'home') && isset($_SESSION['return_url']))
 236                         goaway($a->get_baseurl() . '/' . $_SESSION['return_url']);
 237         }
 238 }
 239
 240 // Returns an array of group id's this contact is a member of.
 241 // This array will only contain group id's related to the uid of this
 242 // DFRN contact. They are *not* neccessarily unique across the entire site.
 243
 244
 245 if(! function_exists('init_groups_visitor')) {
 246 function init_groups_visitor($contact_id) {
 247         $groups = array();
 248         $r = q("SELECT `gid` FROM `group_member`
 249                 WHERE `contact-id` = %d ",
 250                 intval($contact_id)
 251         );
 252         if(count($r)) {
 253                 foreach($r as $rr)
 254                         $groups[] = $rr['gid'];
 255         }
 256         return $groups;
 257 }}
 258
 259