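<?php
/**
 * ejabberd external-auth bridge for phpBB.
 *
 * Answers two request types from ejabberd ("checkAuth" and "isUser") with a
 * small XML document whose <response> element is the string "true" or "false".
 * Every request must carry a challenge derived from the forum's configured
 * ejabberd code; anything else is answered "false".
 */

// Prepare the script to work within phpBB's environment.
define('IN_PHPBB', true);
$phpbb_root_path = '../';
$phpEx = substr(strrchr(__FILE__, '.'), 1);
include($phpbb_root_path . 'common.' . $phpEx);
// $phpbb_root_path already ends with a slash, so no leading slash here (the old form produced '..//includes/...').
include($phpbb_root_path . 'includes/functions_user.' . $phpEx);

// Optional debug log; LogExAuth() (defined further down) reads these globals.
$doLog = false;
$logHandle = null;
$logfile = "/var/www/forum/xmlrpclog/exauth_phpbb_forumxmlrpc.log";
if ($doLog) {
    $logHandle = fopen($logfile, "a") or die("Error opening log file: ". $logfile);
}

LogExAuth('Received exauth request from ejabberd');

// Hidden secret to confirm we are allowed to request this data (might be handled differently in the future).
// Note: this is a fixed value derived from forum config, i.e. a static shared secret between ejabberd and the forum.
$secret = md5(md5($config['eveapi_ejabber_code']));
$type = request_var('type', "");
$result = false;
LogExAuth('Type detected: ' . $type);

if ($type !== '' && $config['eveapi_jabber_masterswitch'] && $config['eveapi_ejabber_switch'])
{
    LogExAuth('Jabber is enabled on forum. Checking Challenge... ');
    $challenge = request_var('challenge', '');

    // Compare the challenge strictly, and in constant time where the runtime offers it:
    // a loose == between two hex digests can compare them as numbers instead of strings.
    $challengeOk = function_exists('hash_equals')
        ? hash_equals($secret, $challenge)
        : ($challenge === $secret);

    if ($challengeOk)
    {
        LogExAuth('Challenge matches. Checking type: ' . $type);
        if ($type === "checkAuth")
        {
            // The user arrives base64-encoded (sanitizeUser() decodes it); the password is base64-encoded as well.
            $user = sanitizeUser(urldecode(request_var('user', '')));
            $pass = base64_decode(urldecode(request_var('pass', '')));
            $result = checkAuth($user, $pass);
        }
        elseif ($type === "isUser")
        {
            LogExAuth('Received isUser request');
            $user = sanitizeUser(urldecode(request_var('user', '')));
            LogExAuth('Checking if "' . $user . '" is a valid user.');
            $usernames = array($user);
            $userids = array();
            // A false return from user_get_id_name() is treated as "the user exists"; any other value as "no".
            $id = user_get_id_name($userids, $usernames, array(0, 3));
            LogExAuth('Result from user_get_id_name is: ' . $id);
            $result = ($id === false);
        }
    }
}

// Reply with the minimal XML document ejabberd's external auth expects.
$response_text = ($result) ? "true" : "false";
header("Content-Type:text/xml");
echo "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n";
echo "<result>\n";
echo "<response>{$response_text}</response>\n";
echo "</result>\n";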
- // --------------------------------------------
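/**
 * Verify a forum username/password pair against the phpBB users table.
 *
 * Looks the account up by username_clean, refuses it once it has reached the
 * configured max_login_attempts, checks the stored hash with phpbb_check_hash(),
 * and maintains the attempt counters: a correct password clears the account's
 * LOGIN_ATTEMPT_TABLE rows and user_login_attempts, a wrong one increments
 * user_login_attempts (capped at LOGIN_ATTEMPTS_MAX).
 *
 * @param string $username Forum username (already run through sanitizeUser()).
 * @param string $password Plain-text password as received from ejabberd.
 * @return bool true only for a correct password on an active account.
 */
function checkAuth($username, $password)
{
    global $db, $config;

    // do not allow empty password
    if (!$password)
    {
        return false;
    }
    if (!$username)
    {
        return false;
    }

    $username_clean = utf8_clean_string($username);

    $sql = 'SELECT user_id, username, user_password, user_passchg, user_pass_convert, user_email, user_type, user_login_attempts
        FROM ' . USERS_TABLE . "
        WHERE username_clean = '" . $db->sql_escape($username_clean) . "'";
    $result = $db->sql_query($sql);
    $row = $db->sql_fetchrow($result);
    $db->sql_freeresult($result);

    if (!$row)
    {
        return false;
    }

    // Cast once: the id is interpolated into the statements below, so never use the raw column value there.
    $user_id = (int) $row['user_id'];

    // Account locked by too many failed attempts (a max_login_attempts of 0 disables the check).
    if ($config['max_login_attempts'] && $row['user_login_attempts'] >= $config['max_login_attempts'])
    {
        return false;
    }

    // Check password ... accounts flagged user_pass_convert are refused here rather than converted.
    if (!$row['user_pass_convert'] && phpbb_check_hash($password, $row['user_password']))
    {
        $sql = 'DELETE FROM ' . LOGIN_ATTEMPT_TABLE . '
            WHERE user_id = ' . $user_id;
        $db->sql_query($sql);

        if ($row['user_login_attempts'] != 0)
        {
            // Successful, reset login attempts (the user passed all stages)
            $sql = 'UPDATE ' . USERS_TABLE . '
                SET user_login_attempts = 0
                WHERE user_id = ' . $user_id;
            $db->sql_query($sql);
        }

        // User inactive... the password was right (counters already reset above), but the account may not log in.
        if ($row['user_type'] == USER_INACTIVE || $row['user_type'] == USER_IGNORE)
        {
            return false;
        }

        return true;
    }

    // Password incorrect - increase login attempts
    $sql = 'UPDATE ' . USERS_TABLE . '
        SET user_login_attempts = user_login_attempts + 1
        WHERE user_id = ' . $user_id . '
            AND user_login_attempts < ' . LOGIN_ATTEMPTS_MAX;
    $db->sql_query($sql);

    // Give status about wrong password...
    return false;
}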
/**
 * Append one line to the debug log when logging is enabled.
 *
 * Writes nothing unless the global $doLog flag is set and $logHandle is an
 * open resource (both are prepared at the top of this script).
 *
 * @param string $msg       Text to log.
 * @param bool   $timestamp Prefix the line with "[D d M Y H:i:s]" when true.
 * @return void
 */
function LogExAuth($msg, $timestamp = true) {
    global $doLog, $logHandle;

    if (!$doLog || !is_resource($logHandle))
    {
        return;
    }

    $prefix = $timestamp ? "[" . date("D d M Y H:i:s") . "]" : "";
    fwrite($logHandle, $prefix . " " . $msg . "\n");
}
/**
 * Sanitize users
 *
 * Turn the username part of a jabber JID into the forum username it stands for:
 * - base64-decode the incoming value
 * - turn underscores back into spaces
 * - lowercase it (byte-wise, so effectively ASCII letters only)
 * - map the handful of names whose special characters could not survive in a
 *   JID back to the real forum username.
 *
 * @param string $username Base64-encoded username coming from ejabberd external auth.
 * @return string sanitized username in a format that phpbb should recognize.
 */
function sanitizeUser($username)
{
    $decoded = base64_decode($username);
    $forumName = strtolower(strtr($decoded, '_', ' '));

    // Known names that lose characters in JID form; extend as such accounts turn up.
    static $difficultUsers = array(
        "difficult user" => "difficult 'user",
    );

    return isset($difficultUsers[$forumName]) ? $difficultUsers[$forumName] : $forumName;
}
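// Close log handler (only ever opened when $doLog was enabled at the top of the script).
if (is_resource($logHandle))
{
    fclose($logHandle);
}
// No closing "?>": this file is PHP-only, and any bytes after a closing tag would be
// appended to the XML response already echoed above.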