<?php

/*
This is Textpattern

Copyright 2005 by Dean Allen
www.textpattern.com
All rights reserved

Use of this software indicates acceptance of the Textpattern license agreement

$HeadURL$
$LastChangedRevision$

*/

if (!defined('txpinterface')) die('txpinterface is undefined.'); // refuse to run unless included through an entry script that defines txpinterface (blocks direct requests for this library file)

/**
 * Admin-side authentication entry point.
 *
 * Resets the global $txp_user, lets doTxpValidate() decide whether the
 * request carries a valid login (cookie or form), and sends the visitor to
 * the login form when it does not. doLoginForm() exits, so output buffering
 * below only starts for authenticated requests.
 */
function doAuth()
{
    global $txp_user;

    // Start from a logged-out state; doTxpValidate() fills this on success.
    $txp_user = NULL;
    $loginMessage = doTxpValidate();

    // No authenticated user: render the login page (which never returns).
    if (empty($txp_user)) {
        doLoginForm($loginMessage);
    }

    ob_start();
}

// -------------------------------------------------------------
/**
 * Checks a login name / password pair against txp_users.
 *
 * The password is never compared in PHP: the WHERE clause asks MySQL to hash
 * the candidate with PASSWORD() (and, on 4.1+, OLD_PASSWORD() for rows
 * written before the hash format changed) and match it against the stored
 * `pass` column. The lower() variants mean a password that was stored
 * lower-cased is accepted in any letter case.
 *
 * NOTE(review): PASSWORD()/OLD_PASSWORD() are fast, unsalted hashes and the
 * lower() match shrinks the effective password space; moving to a proper
 * password hash would need a data migration of the `pass` column, so it is
 * not done here.
 *
 * @param string $user     login name as typed
 * @param string $password password as typed
 * @return string|false the stored (canonical) user name, or false when no
 *                      matching user with privs > 0 exists
 */
function txp_validate($user,$password)
{
    $safe_user = doSlash($user);
    $safe_pass = doSlash($password);

    // SQL expressions the stored hash may equal; all are escaped via doSlash().
    $hashExprs = array(
        "password(lower('$safe_pass'))",
        "password('$safe_pass')",
    );

    if (version_compare(mysql_get_server_info(), '4.1.0', '>=')) {
        $hashExprs[] = "old_password(lower('$safe_pass'))";
        $hashExprs[] = "old_password('$safe_pass')";
    }

    $where = "name = '$safe_user' and (pass = ".implode(' or pass = ', $hashExprs).") and privs > 0";
    $name = safe_field("name", "txp_users", $where);

    // safe_field() presumably yields false when no row matches.
    if ($name === FALSE) {
        return false;
    }

    // Record the successful login; the cookie check elsewhere keys off last_access.
    safe_update("txp_users", "last_access = now()", "name = '$safe_user'");

    return $name;
}

// -------------------------------------------------------------

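/**
 * Renders the admin login page (or, with ?reset=1, the password-reset
 * request form) and terminates the request.
 *
 * @param string $message status text shown above the form (login prompt,
 *                        bad-cookie / failed-login notice, reset feedback)
 * @return void never returns; calls exit(0)
 */
function doLoginForm($message)
{
    global $txpcfg;

    include txpath.'/lib/txplib_head.php';

    pagetop(gTxt('login'));

    // Pre-tick "stay logged in" when a login cookie is present and this is not
    // a logout. `&&` instead of `and`: `and` binds looser than `?:`, so the
    // original evaluated `cs(...) and (!gps(...) ? 1 : 0)` and yielded a bare
    // bool rather than the intended 1/0 (checkbox() presumably treats either
    // as a flag, so this only makes the value match its intent).
    $stay = (cs('txp_login') && !gps('logout') ? 1 : 0);
    $reset = gps('reset');

    // The cookie is "name,hash"; only the name is used, to prefill the form.
    // explode() replaces split(), which is deprecated in 5.3 and removed in
    // PHP 7 — for a literal comma the two are equivalent.
    // $name is client-supplied (cookie); relies on fInputCell() escaping
    // attribute values — confirm.
    list($name) = explode(',', cs('txp_login'));

    echo form(
        startTable('edit').
        n.n.tr(
            n.td().
            td(graf($message))
        ).

        n.n.tr(
            n.fLabelCell('name', '', 'name').
            n.fInputCell('p_userid', $name, 1, '', '', 'name')
        ).

        // password row and "stay logged in" row are omitted in reset mode
        ($reset ? '' :
            n.n.tr(
                n.fLabelCell('password', '', 'password').
                n.td(
                    fInput('password', 'p_password', '', 'edit', '', '', '', 2, 'password')
                )
            )
        ).

        ($reset ? '' :
            n.n.tr(
                n.td().
                td(
                    graf(checkbox('stay', 1, $stay, 3, 'stay').'<label for="stay">'.gTxt('stay_logged_in').'</label>'.
                    sp.popHelp('remember_login'))
                )
            )
        ).

        n.n.tr(
            n.td().
            td(
                ($reset ? hInput('p_reset', 1) : '').
                fInput('submit', '', gTxt($reset ? 'password_reset_button' : 'log_in_button'), 'publish', '', '', '', 4).
                ($reset ? '' : graf('<a href="?reset=1">'.gTxt('password_forgotten').'</a>'))
            )
        ).

        endTable().

        // carry the requested admin event through the login round-trip
        (gps('event') ? eInput(gps('event')) : '')
    ).
    n.'</body>'.n.'</html>';

    // The login page is terminal: nothing after it may render.
    exit(0);
}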

// -------------------------------------------------------------
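/**
 * Establishes the admin user for this request from the login cookie or from
 * the submitted login / password-reset forms.
 *
 * On success the global $txp_user is set to the user's name and '' is
 * returned. Otherwise $txp_user ends up '' and the returned string is the
 * message doLoginForm() should display.
 *
 * Side effects: sets or clears the txp_login (admin) and txp_login_public
 * cookies, and rewrites txp_users.nonce on a successful form login.
 *
 * @return string '' when authenticated, otherwise the login-form message
 */
function doTxpValidate()
{
    global $logout,$txpcfg, $txp_user;
    $p_userid = ps('p_userid');
    $p_password = ps('p_password');
    $p_reset = ps('p_reset');
    $stay = ps('stay');
    $logout = gps('logout');
    $message = gTxt('login_to_textpattern');
    // cookie path for the public side: rhu with a doubled trailing slash collapsed
    $pub_path = preg_replace('|//$|','/', rhu.'/');

    // The admin cookie is "name,hash" (hash: 32 hex chars). explode() replaces
    // split(), which is deprecated in 5.3 and removed in PHP 7; for a literal
    // comma the two are equivalent.
    if (cs('txp_login') and strpos(cs('txp_login'), ','))
    {
        list($c_userid, $c_hash) = explode(',', cs('txp_login'));
    }
    else
    {
        $c_hash = '';
        $c_userid = '';
    }

    if ($logout)
    {
        // Expire both cookies. NOTE(review): the nonce in txp_users is left
        // untouched, so a retained copy of the old cookie keeps working until
        // the 30-day last_access window below lapses or the next login
        // replaces the nonce. gps('logout') presumably also reads GET, so a
        // crafted link can log an admin out — confirm.
        setcookie('txp_login', '', time()-3600);
        setcookie('txp_login_public', '', time()-3600, $pub_path);
    }
    elseif ($c_userid and strlen($c_hash) == 32) // cookie exists
    {
        // Only users seen within the last 30 days can resume via cookie.
        $nonce = safe_field('nonce', 'txp_users', "name='".doSlash($c_userid)."' AND last_access > DATE_SUB(NOW(), INTERVAL 30 DAY)");

        // The stored nonce is md5(name . raw 16-byte hash); recompute from the
        // cookie and compare. NOTE(review): `===` is not constant-time; use
        // hash_equals() where PHP >= 5.6 can be assumed.
        if ($nonce and $nonce === md5($c_userid.pack('H*', $c_hash)))
        {
            // cookie is good, create $txp_user
            $txp_user = $c_userid;
            return '';
        }
        else
        {
            // Keep only the name (for form prefill) and drop the public cookie.
            setcookie('txp_login', $c_userid, time()+3600*24*365);
            setcookie('txp_login_public', '', time()-3600, $pub_path);
            $message = gTxt('bad_cookie');
        }

    }
    elseif ($p_userid and $p_password) // incoming login vars
    {
        // Fixed delay to slow down online guessing (also ties up a worker for 3 s).
        sleep(3);

        $name = txp_validate($p_userid,$p_password);

        if ($name !== FALSE)
        {
            // Fresh session secret; the DB keeps only a digest of it.
            // NOTE(review): mt_rand()/uniqid() are not cryptographically
            // strong sources for a session token — random_bytes() (PHP 7) or
            // openssl_random_pseudo_bytes() is preferable where available.
            $c_hash = md5(uniqid(mt_rand(), TRUE));
            $nonce = md5($name.pack('H*',$c_hash));

            safe_update(
                'txp_users',
                "nonce = '".doSlash($nonce)."'",
                "name = '".doSlash($name)."'"
            );

            // Admin cookie: session-only unless "stay logged in", then one year.
            // NOTE(review): no httponly/secure flags are set on either cookie.
            setcookie(
                'txp_login',
                $name.','.$c_hash,
                ($stay ? time()+3600*24*365 : 0)
            );

            // Public-site cookie carries a 10-char digest of the nonce plus the name.
            setcookie(
                'txp_login_public',
                substr(md5($nonce), -10).$name,
                ($stay ? time()+3600*24*30 : 0),
                $pub_path
            );

            // login is good, create $txp_user
            $txp_user = $name;
            return '';
        }
        else
        {
            $message = gTxt('could_not_log_in');
        }
    }
    elseif ($p_reset) // reset request
    {
        sleep(3);

        include_once txpath.'/lib/txplib_admin.php';

        $message = send_reset_confirmation_request($p_userid);
    }
    elseif (gps('reset'))
    {
        $message = gTxt('password_reset');
    }
    elseif (gps('confirm'))
    {
        sleep(3);

        // The confirm token is hex("first 10 hex chars of md5(nonce)" . name):
        // the first 5 decoded bytes are the digest, the rest is the name.
        // pack('H*') on non-hex client input emits warnings rather than failing.
        $confirm = pack('H*', gps('confirm'));
        $name = substr($confirm, 5);
        $nonce = safe_field('nonce', 'txp_users', "name = '".doSlash($name)."'");

        if ($nonce and $confirm === pack('H*', substr(md5($nonce), 0, 10)).$name)
        {
            include_once txpath.'/lib/txplib_admin.php';

            $message = reset_author_pass($name);
        }
    }

    // Not authenticated on any path above.
    $txp_user = '';
    return $message;
}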
?>
