# pushed login submit button
#
# Login-form branch of the surrounding if/elseif chain (its opening `if` lies
# outside this excerpt). It runs only when input is expected, the login submit
# button was pressed and nobody is logged in yet. Every failure path either
# adds a user-facing error or sets $loginwrong, which is handled at the bottom
# (failed-attempt counter + one generic error message).
#
elseif(
    self::$expected_input === true
    and self::$btn_login_sub
    and !self::$user->getLoggedIn()
){
    $loginwrong = false;
    $data = UserDataPort::getUserByName(self::$txtfld_login_UserName);
    if(!$data){
        # unknown user name: reported below with the same generic message as a wrong password
        $loginwrong = true;
    }elseif(!self::$user->setUser($data)){
        $loginwrong = true;
    }elseif(UserGroups::is_disabledUser(self::$user->getUser('ugroupid'))){
        # NOTE(review): this error is raised before the password is verified, so a
        # disabled account answers differently than an unknown name / wrong password
        # (generic 'Emsg_userNameAndOrPwWrong' below). The distinct message confirms
        # that the account exists; consider routing it through $loginwrong instead.
        UserErrorList::addError('Words_userDisabled');
    }elseif(
        self::$user->getUser('ugroupid') == UserGroups::getAutoAdminUgroup() # NOTE(review): loose ==; check both operand types before tightening to ===
        and !WebSettings::getVal('allow_autoadm_login')
        and !defined('CRON')
    ){
        # the auto-admin group may log in only when explicitly allowed, or from a CRON run
        UserErrorList::addError('Emsg_noAutoAdmLogin');
    }elseif(self::$user->getUser('id') == self::$dummy_userid){ # the placeholder user is never a real login (loose ==, see above)
        UserErrorList::addError('Words_userDisabled');
    }else{
        # Now check the normal pw and/or the pwactive hash.
        # Meaning:
        # the "forgot password"-function stores a (new) temp-pw hash in the db
        # column 'pwactive' (a value of 1 there means: no reset pending),
        # BUT the original pw stays active!
        # Otherwise anybody who knows a user's email address could force that
        # user to renew the pw. So both hashes are checked here; the temp hash
        # is tried first and $got records which one matched.
        #
        $hash_temp = (self::$user->getUserAction('pwactive') != 1)
            ?self::$user->getUserAction('pwactive')
            :false;
        $hash = self::$user->getUser('pw');
        $got = false; # 'pwactive', 'pw' or false
        $pwok = false;
        if($hash_temp and UserPw::verifyPw(self::$txtfld_login_UserPassword,$hash_temp)){
            $got = 'pwactive';
            $pwok = true;
        }elseif(UserPw::verifyPw(self::$txtfld_login_UserPassword,$hash)){
            $got = 'pw';
            $pwok = true;
        }
        if($pwok !== true){ # password wrong
            $loginwrong = true;
        }else{ # password ok
            # everything below is reached only after a successful password check
            if(self::$user->getUserAction('emailactive') != 1){ # email not activated?
                UserErrorList::addError('Emsg_accNotActivated');
            }elseif($got == 'pwactive'){ # got temp password
                # expiry: 'pwreset' + 'pwreset_lifetime' compared against time();
                # assumes 'pwreset' is a unix timestamp and the lifetime is in seconds — TODO confirm
                if(self::$user->getUserAction('pwreset')+WebSettings::getVal('pwreset_lifetime') < time()){ # temp pw (sent via mail) too "old"
                    # user tried to login with a temp pw
                    # which was sent via eMail on a pw-reset (forgot pw-function)
                    # but the temp pw is too old and will NOT be accepted!
                    # max temp pw life time => see: WebSettings::getVal('pwreset_lifetime')
                    # the pending reset is rolled back so the expired temp pw cannot be retried
                    UserErrorList::addError('Imsg_pwResetTooOld');
                    if(!UserDataPort::updateUserForgotPwRollback(self::$user->getUser('id'))){
                        ErrorHandler::writeLogFile('failed at UserDataPort::updateUserForgotPwRollback() -- too old pw-reset temp-pw used! See logfiles for detailed. (!)DO: set user (id: `'.self::$user->getUser('id').'`) manually to "pwactive" = 1 !');
                    }
                }else{
                    # # # # # # # # # # # # #
                    # # # TEMP-login ok # # #
                    # # # # # # # # # # # # #
                    # only a restricted "temp" session is opened; the user is sent to the
                    # renew-password template instead of being fully logged in
                    EventHandler::log('Logged in with temp pw. User: `'.self::$user->getUser('name').'`; IP: `'.get_ip_address().'`');
                    UserEventList::add('Imsg_hasToRenewPw');
                    # NOTE(review): the stored pw hash is handed to the session helper; confirm it is only used server-side
                    UserSession::setTempLogin(self::$user->getUser('id'),self::$user->getUser('pw'));
                    UserSession::setUserLang(self::$user->getUser('langid'));
                    UserHTML::setCurrentUserTemplate('has_to_renew_pw');
                }
            }elseif($got == 'pw'){ #got original password
                # # # # # # # # # # # # # # # #
                # # # login ok / accepted # # #
                # # # # # # # # # # # # # # # #
                if(self::$user->getUserAction('pwactive') != 1){
                    # user (or somebody else) has used the "forgot-pw"-function
                    # but the login happened with the original pw
                    # so the pw reset (stored in 'pwactive' @db) is rolled back now
                    if(UserDataPort::updateUserForgotPwRollback(self::$user->getUser('id'))){
                        # reload profile:
                        self::$user->setUser(UserDataPort::getUserById(self::$user->getUser('id')));
                        UserEventList::add('Imsg_forgotPwRollback');
                    }else{
                        ErrorHandler::writeLogFile('failed at UserDataPort::updateUserForgotPwRollback() -- original pw used! See logfiles for detailed.');
                    }
                }
                # check if the whole user group got disabled
                if(UserGroups::is_disabledUserGroup(self::$user->getUser('ugroupid'))){ # is_disabledUserGroup() == whole group got disabled
                    # user is NOT disabled/blocked
                    # but the user group is disabled/not in use anymore
                    # ! have to change the user's group to normal registered user !
                    if(UserDataPort::updateUserGroupById(self::$user->getUser('id'),UserGroups::getRegisteredUgroup())){
                        # reload profile:
                        self::$user->setUser(UserDataPort::getUserById(self::$user->getUser('id')));
                        UserEventList::add('Words_userGroupDisabled');
                    }else{
                        ErrorHandler::writeLogFile('failed at UserDataPort::updateUserGroupById()! See logfiles for detailed.');
                    }
                }
                # check if password needs to be rehashed (see php.net: password_needs_rehash())
                # done here because the plaintext password is only available during login
                if(UserPw::needsRehash($hash)){
                    $newhash = UserPw::createHash(self::$txtfld_login_UserPassword);
                    if(UserPw::verifyPw(self::$txtfld_login_UserPassword,$newhash)){ # paranoid =)
                        if(UserDataPort::updateUserPw(self::$user->getUser('id'),$newhash)){
                            # reload profile:
                            self::$user->setUser(UserDataPort::getUserById(self::$user->getUser('id')));
                        }else{
                            ErrorHandler::writeLogFile('failed at UserDataPort::updateUserPw()! See logfiles for detailed.');
                        }
                    }
                    unset($newhash);
                }
                # full login: open the session, reset the failed-attempt counter for this id/IP,
                # then optionally set the remember-me cookie
                self::$user->setLoggedIn(true);
                UserSession::login(self::$user->getUser('id'),self::$user->getUser('pw'),self::$user->getUser('ugroupid'));
                UserDataPort::clearWrongUserLoginAttempts(self::$user->getUser('id'),get_ip_address());
                UserSession::setUserLang(self::$user->getUser('langid'));
                if(self::$chkbox_login_rememberChkBox){
                    # NOTE(review): the pw hash is passed to the cookie helper; confirm the hash itself is not written into the cookie
                    UserCookie::login(self::$user->getUser('id'),self::$user->getUser('pw'));
                }
                UserHTML::setCurrentUserTemplate('logged_in');
            }
        }
        # drop the hashes from scope; UserPw::clear() presumably discards the plaintext held by UserPw — confirm
        unset($hash,$hash_temp,$got,$pwok);
        UserPw::clear();
    }
    if($loginwrong){
        # unknown name, setUser() failure and wrong password all end up here with the
        # same message; attempts for unknown names are counted under $dummy_userid + IP
        UserSession::loginWrong();
        UserDataPort::countUpWrongUserLoginAttempts((self::$user->getUser('id'))?self::$user->getUser('id'):self::$dummy_userid,get_ip_address(),time());
        UserErrorList::addError('Emsg_userNameAndOrPwWrong');
        /*disabled: not giving a hint here
        if(self::$user->getUserAction('pwactive') != 1){
            UserErrorList::addError('Emsg_accPwRest');
        }*/
    }
    unset($data,$loginwrong);
}