login ablauf (login flow)

a guest
Apr 11th, 2014
98
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
PHP 7.53 KB | None | 0 0
  1. # pushed login submit button
  2. #
  3. elseif(
  4.     self::$expected_input === true
  5.     and self::$btn_login_sub
  6.     and !self::$user->getLoggedIn()
  7. ){
  8.     $loginwrong = false;
  9.     $data = UserDataPort::getUserByName(self::$txtfld_login_UserName);
  10.     if(!$data){
  11.         $loginwrong = true;
  12.     }elseif(!self::$user->setUser($data)){
  13.         $loginwrong = true;
  14.     }elseif(UserGroups::is_disabledUser(self::$user->getUser('ugroupid'))){
  15.         UserErrorList::addError('Words_userDisabled');
  16.     }elseif(
  17.         self::$user->getUser('ugroupid') == UserGroups::getAutoAdminUgroup()
  18.         and !WebSettings::getVal('allow_autoadm_login')
  19.         and !defined('CRON')
  20.     ){
  21.         UserErrorList::addError('Emsg_noAutoAdmLogin');
  22.     }elseif(self::$user->getUser('id') == self::$dummy_userid){
  23.         UserErrorList::addError('Words_userDisabled');
  24.     }else{
  25.         # we do check now the normal pw and/or the pwactive hash
  26.        # means:
  27.        #   by using the "forgot password"-function we store a (new) temp-pw
  28.        #   the temp-pw is stored in db @ column 'pwactive'
  29.        #   BUT the original pw is still active!
  30.        #   otherwise anybody who knows the email-address of a user could force this user to renew his pw
  31.        # so we now check both pw-hashes
  32.        #
  33.        $hash_temp = (self::$user->getUserAction('pwactive') != 1)
  34.             ?self::$user->getUserAction('pwactive')
  35.             :false;
  36.         $hash = self::$user->getUser('pw');
  37.         $got = false;
  38.         $pwok = false;
  39.         if($hash_temp and UserPw::verifyPw(self::$txtfld_login_UserPassword,$hash_temp)){
  40.             $got = 'pwactive';
  41.             $pwok = true;
  42.         }elseif(UserPw::verifyPw(self::$txtfld_login_UserPassword,$hash)){
  43.             $got = 'pw';
  44.             $pwok = true;
  45.         }
  46.         if($pwok !== true){ # password wrong
  47.            $loginwrong = true;
  48.         }else{ # password ok
  49.            if(self::$user->getUserAction('emailactive') != 1){ # email not activated?
  50.                UserErrorList::addError('Emsg_accNotActivated');
  51.             }elseif($got == 'pwactive'){ # got temp password
  52.                if(self::$user->getUserAction('pwreset')+WebSettings::getVal('pwreset_lifetime') < time()){ # temp pw (sent via mail) too "old"
  53.                    # user tried to login with a temp pw
  54.                    # which was sent via eMail on a pw-reset (forgot pw-function)
  55.                    # but the temp pw is too old and will be NOT accepted!
  56.                    # max temp pw life time => see: WebSettings::getVal('pwreset_lifetime')
  57.                    UserErrorList::addError('Imsg_pwResetTooOld');
  58.                     if(!UserDataPort::updateUserForgotPwRollback(self::$user->getUser('id'))){
  59.                         ErrorHandler::writeLogFile('failed at UserDataPort::updateUserForgotPwRollback() -- too old pw-reset temp-pw used! See logfiles for detailed. (!)DO: set user (id: `'.self::$user->getUser('id').'`) manually to "pwactive" = 1 !');
  60.                     }
  61.                 }else{
  62.                     # # # # # # # # # # # # #
  63.                    # # # TEMP-login ok # # #
  64.                    # # # # # # # # # # # # #
  65.                    EventHandler::log('Logged in with temp pw. User: `'.self::$user->getUser('name').'`; IP: `'.get_ip_address().'`');
  66.                     UserEventList::add('Imsg_hasToRenewPw');
  67.                     UserSession::setTempLogin(self::$user->getUser('id'),self::$user->getUser('pw'));
  68.                     UserSession::setUserLang(self::$user->getUser('langid'));
  69.                     UserHTML::setCurrentUserTemplate('has_to_renew_pw');
  70.                 }
  71.             }elseif($got == 'pw'){ #got original password
  72.                # # # # # # # # # # # # # # # #
  73.                # # # login ok / accepted # # #
  74.                # # # # # # # # # # # # # # # #
  75.                if(self::$user->getUserAction('pwactive') != 1){
  76.                     # user (or somebody else) has used the "forgot-pw"-function
  77.                    # but the logged in happen with the original pw
  78.                    # we now set back the pw reset (which is stored in 'pwactive' @db)
  79.                    if(UserDataPort::updateUserForgotPwRollback(self::$user->getUser('id'))){
  80.                         # reload profile:
  81.                        self::$user->setUser(UserDataPort::getUserById(self::$user->getUser('id')));
  82.                         UserEventList::add('Imsg_forgotPwRollback');
  83.                     }else{
  84.                         ErrorHandler::writeLogFile('failed at UserDataPort::updateUserForgotPwRollback() -- original pw used! See logfiles for detailed.');
  85.                     }
  86.                 }
  87.                 # check if the hole user group got disabled
  88.                if(UserGroups::is_disabledUserGroup(self::$user->getUser('ugroupid'))){ # is_disabledUserGroup() == hole group got disabled
  89.                    # user is NOT disabled/blocked
  90.                    # but the user group is disabled/not in use anymore
  91.                    # ! have to change the users group to normal registered user !
  92.                    if(UserDataPort::updateUserGroupById(self::$user->getUser('id'),UserGroups::getRegisteredUgroup())){
  93.                         # reload profile:
  94.                        self::$user->setUser(UserDataPort::getUserById(self::$user->getUser('id')));
  95.                         UserEventList::add('Words_userGroupDisabled');
  96.                     }else{
  97.                         ErrorHandler::writeLogFile('failed at UserDataPort::updateUserGroupById()! See logfiles for detailed.');
  98.                     }
  99.                 }
  100.                 # check if password needs to be rehashed (see php.net: password_needs_rehash())
  101.                if(UserPw::needsRehash($hash)){
  102.                     $newhash = UserPw::createHash(self::$txtfld_login_UserPassword);
  103.                     if(UserPw::verifyPw(self::$txtfld_login_UserPassword,$newhash)){ # paranoid =)
  104.                        if(UserDataPort::updateUserPw(self::$user->getUser('id'),$newhash)){
  105.                             # reload profile:
  106.                            self::$user->setUser(UserDataPort::getUserById(self::$user->getUser('id')));
  107.                         }else{
  108.                             ErrorHandler::writeLogFile('failed at UserDataPort::updateUserPw()! See logfiles for detailed.');
  109.                         }
  110.                     }
  111.                     unset($newhash);
  112.                 }
  113.                 self::$user->setLoggedIn(true);
  114.                 UserSession::login(self::$user->getUser('id'),self::$user->getUser('pw'),self::$user->getUser('ugroupid'));
  115.                 UserDataPort::clearWrongUserLoginAttempts(self::$user->getUser('id'),get_ip_address());
  116.                 UserSession::setUserLang(self::$user->getUser('langid'));
  117.                 if(self::$chkbox_login_rememberChkBox){
  118.                     UserCookie::login(self::$user->getUser('id'),self::$user->getUser('pw'));
  119.                 }
  120.                 UserHTML::setCurrentUserTemplate('logged_in');
  121.             }
  122.         }
  123.         unset($hash,$hash_temp,$got,$pwok);
  124.         UserPw::clear();
  125.     }
  126.     if($loginwrong){
  127.         UserSession::loginWrong();
  128.         UserDataPort::countUpWrongUserLoginAttempts((self::$user->getUser('id'))?self::$user->getUser('id'):self::$dummy_userid,get_ip_address(),time());
  129.         UserErrorList::addError('Emsg_userNameAndOrPwWrong');
  130.         /*disabled: not giving a hint here
  131.         if(self::$user->getUserAction('pwactive') != 1){
  132.             UserErrorList::addError('Emsg_accPwRest');
  133.         }*/
  134.     }
  135.     unset($data,$loginwrong);
  136. }