PageRenderTime 26ms CodeModel.GetById 42ms RepoModel.GetById 0ms app.codeStats 0ms

/common/user.php

https://github.com/carlosefonseca/ER-client-webapp
PHP | 215 lines | 122 code | 25 blank | 68 comment | 34 complexity | fcf6ef232d405f0831fd13db6ed22487 MD5 | raw file
    

  1. <?
    2. 

  2. global $permissions;
    3. 

  3. global $logged_in;
    4. 

  4. 

  5. function hasPermission($permission) {
    6. 

  6. 	if ($permission[0] == 'j') {
    7. 

  7. 		return hasGardenPermission($permission);
    8. 

  8. 	}
    9. 

  9. 	return (in_array($permission, $_SESSION["permissions"]) || in_array("admin", $_SESSION["permissions"]));
    10. 

  10. }
    11. 

  11. 

  12. function hasGardenPermission($garden) {
    13. 

  13. 	if ($garden[0] == 'j') {
    14. 

  14. 		$garden = substr($garden, 1);
    15. 

  15. 	}
    16. 

  16. 	return (in_array('*', $_SESSION["permGardens"]) || in_array($garden, $_SESSION["permGardens"]));
    17. 

  17. }
    18. 

  18. 

  19. /**
    20. 

  20.  * Checks whether or not the given username is in the
    21. 

  21.  * database, if so it checks if the given password is
    22. 

  22.  * the same password in the database for that user.
    23. 

  23.  * If the user doesn't exist or if the passwords don't
    24. 

  24.  * match up, it returns an error code (1 or 2). 
    25. 

  25.  * On success it returns 0.
    26. 

  26.  */
    27. 

  27. 

  28. function confirmUser($username, $password){
    29. 

  29. 	global $permissions;
    30. 

  30. 	global $client;
    31. 

  31. 	require_once(u("DBconnect.php"));
    32. 

  32. 	/* Add slashes if necessary (for query) */
    33. 

  33. 	if(!get_magic_quotes_gpc()) {
    34. 

  34. 		$username = addslashes($username);
    35. 

  35. 		$password = stripslashes($password);
    36. 

  36. 	}
    37. 

  37. 

  38. 	/* Verify that user is in database */
    39. 

  39. 	
    40. 

  40. 	$q = "select users.user, email, gardens, permissions.permissions
    41. 

  41. 		  from users left join permissions on (users.user=permissions.user)
    42. 

  42. 		  WHERE (permissions.client = '$client' OR permissions.client = '*')
    43. 

  43. 		  	and (users.user = '$username' OR users.email = '$username')
    44. 

  44. 		  	and pass='$password';";
    45. 

    46. 

  46. //	iLog($q);
    47. 

  47. 

  48. 

  49. 	$result = mysql_query($q);
    50. 

  50. 	if(!$result || (mysql_num_rows($result) != 1)){
    51. 

  51. 		return false; //Indicates failure
    52. 

  52. 	}
    53. 

  53. 

  54. 	$dbarray = mysql_fetch_array($result);
    55. 

  55. 	if ($dbarray['gardens']=="" && $dbarray['permissions'] == "") {
    56. 

  56. 		return "NO_PERMISSION";
    57. 

  57. 	}
    58. 

  58. 	
    59. 

  59. 	$_SESSION["permissions"] = explode(",", $dbarray['permissions']);
    60. 

  60. 	$_SESSION["permGardens"] = explode(",", $dbarray['gardens']);
    61. 

  61. 	return $dbarray['user'];
    62. 

  62. /*	$dbarray['password']  = stripslashes($dbarray['password']);
    63. 

  63. 	$password = stripslashes($password);
    64. 

    65. 

  65. 	/* Validate that password is correct *
    66. 

  66. 	if(md5($password) == $dbarray['password']){
    67. 

  67. 		return 0; //Success! Username and password confirmed
    68. 

  68. 	}
    69. 

  69. 	else{
    70. 

  70. 		return 2; //Indicates password failure
    71. 

  71. 	}*/
    72. 

  72. }
    73. 

  73. 

  74. /**
    75. 

  75.  * checkLogin - Checks if the user has already previously
    76. 

  76.  * logged in, and a session with the user has already been
    77. 

  77.  * established. Also checks to see if user has been remembered.
    78. 

  78.  * If so, the database is queried to make sure of the user's 
    79. 

  79.  * authenticity. Returns true if the user has logged in.
    80. 

  80.  */
    81. 

  81. function checkLogin(){
    82. 

  82. 	/* Check if user has been remembered */
    83. 

  83. 	if(isset($_COOKIE['cookname']) && isset($_COOKIE['cookpass'])){
    84. 

  84. 		$_SESSION['username'] = $_COOKIE['cookname'];
    85. 

  85. 		$_SESSION['password'] = $_COOKIE['cookpass'];
    86. 

  86. 	}
    87. 

  87. 

  88. 	/* Username and password have been set */
    89. 

  89. 	if(isset($_SESSION['username']) && isset($_SESSION['password'])){
    90. 

  90. //		iLog("User&Pass are set... confirming...");
    91. 

  91. 		/* Confirm that username and password are valid */
    92. 

  92. 		if(confirmUser($_SESSION['username'], $_SESSION['password'])){
    93. 

  93. 			return true;
    94. 

  94. 		} else {
    95. 

  95. 			/* Variables are incorrect, user not logged in */
    96. 

  96. 			unset($_SESSION['username']);
    97. 

  97. 			unset($_SESSION['password']);
    98. 

  98. 			return false;
    99. 

  99. 		}
    100. 

  100. 	}
    101. 

  101. 	/* User not logged in */
    102. 

  102. 	else{
    103. 

  103. 		return false;
    104. 

  104. 	}
    105. 

  105. }
    106. 

  106. 

  107. 

  108. function requireLogin() {
    109. 

  109. 	if(!checkLogin()) header("Location: ".L(login,true));
    110. 

  110. }
    111. 

  111. 

  112. /**
    113. 

  113.  * Determines whether or not to display the login
    114. 

  114.  * form or to show the user that he is logged in
    115. 

  115.  * based on if the session variables are set.
    116. 

  116.  */
    117. 

  117. function displayLogin(){
    118. 

  118. 	global $logged_in;
    119. 

  119. 	if($logged_in){
    120. 

  120. 		echo "<h3>Logged In!</h3>";
    121. 

  121. 		echo "Bem-vindo <b>$_SESSION[username]</b>. <a href=\"".L("logout",true)."\">Logout</a>";
    122. 

  122. 	}
    123. 

  123. 	else{
    124. 

  124. ?>
    125. 

  125. 

  126. <form action="<? L("login"); ?>" method="post">
    127. 

  127. <h3>Login :: Área de Cliente</h3>
    128. 

  128. <div id="username"><span>Utilizador ou email: </span><input type="text" name="user" maxlength="30" size="15"></div>
    129. 

  129. <div id="password"><span>Password: </span><input type="password" name="pass" maxlength="30" size="15"></div>
    130. 

  130. <? /*<tr><td colspan="2" align="left"><input type="checkbox" name="remember">
    131. 

  131. <font size="2">Remember me next time</td></tr>*/?>
    132. 

  132. 

  133. <? if (isset($_GET['e'])): ?>
    134. 

  134. 	<p class="login error">O nome de utilizador e password que introduziu não existem.</p>
    135. 

  135. <? elseif (isset($_GET['np']) && isset($_GET['u'])): ?>
    136. 

  136. 	<p class="login error">O utilizador '<?= $_GET['u'];?>' não tem permissões de acesso a este site. Contacte o seu responsável.</p>
    137. 

  137. <? endif; ?>
    138. 

  138. 

  139. <div id="submit"><input type="submit" name="sublogin" class="botao" value="Login"></div>
    140. 

  140. <p><a href="<? l("newaccount"); ?>">Criar uma conta</a></p>
    141. 

  141. </form>
    142. 

  142. <?
    143. 

  143. 	}
    144. 

  144. }
    145. 

  145. 

  146. 

  147. /**
    148. 

  148.  * Checks to see if the user has submitted his
    149. 

  149.  * username and password through the login form,
    150. 

  150.  * if so, checks authenticity in database and
    151. 

  151.  * creates session.
    152. 

  152.  */
    153. 

  153. if(isset($_POST['sublogin'])){
    154. 

  154. 	global $logged_in;
    155. 

  155. 	/* Check that all fields were typed in */
    156. 

  156. 	if(!$_POST['user'] || !$_POST['pass']){
    157. 

  157. 		die('You didn\'t fill in a required field.');
    158. 

  158. 	}
    159. 

  159. 	/* Spruce up username, check length */
    160. 

  160. 	$_POST['user'] = trim($_POST['user']);
    161. 

  161. 	if(strlen($_POST['user']) > 30){
    162. 

  162. 		die("Sorry, the username is longer than 30 characters, please shorten it.");
    163. 

  163. 	}
    164. 

  164. 

  165. 	/* Checks that username is in database and password is correct */
    166. 

  166. 	$md5pass = md5($_POST['pass']);
    167. 

  167. //	iLog("2-User&Pass are set... confirming...");
    168. 

  168. 	$result = confirmUser($_POST['user'], $md5pass);
    169. 

  169. 	/* Check error codes */
    170. 

  170. 	if($result === false){
    171. 

  171. 		header("Location: ".url("login&e"));	
    172. 

  172. //		echo 'That username/password doesn\'t exist in our database.';
    173. 

  173. 		return ;
    174. 

  174. 	}
    175. 

  175. 	if ($result == "NO_PERMISSION") {
    176. 

  176. 		header("Location: ".url("login&np&u=".$_POST['user']));
    177. 

  177. 		return ;
    178. 

  178. 	}
    179. 

  179. 

  180. 	/* Username and password correct, register session variables */
    181. 

  181. 	$_POST['user'] = $result;//stripslashes($_POST['user']);
    182. 

  182. 	$_SESSION['username'] = $result;//$_POST['user'];
    183. 

  183. 	$_SESSION['password'] = $md5pass;
    184. 

  184. 	$_SESSION['permissions'] = $permissions;
    185. 

  185. 

  186. 	/**
    187. 

  187.  	* This is the cool part: the user has requested that we remember that
    188. 

  188.  	* he's logged in, so we set two cookies. One to hold his username,
    189. 

  189.  	* and one to hold his md5 encrypted password. We set them both to
    190. 

  190.  	* expire in 100 days. Now, next time he comes to our site, we will
    191. 

  191.  	* log him in automatically.
    192. 

  192.  	*
    193. 

  193. 	if(isset($_POST['remember'])){
    194. 

  194. 		setcookie("cookname", $_SESSION['username'], time()+60*60*24*100, "/");
    195. 

  195. 		setcookie("cookpass", $_SESSION['password'], time()+60*60*24*100, "/");
    196. 

  196. 	}/
    197. 

    198. 

  198. 	/* Quick self-redirect to avoid resending data on refresh */
    199. 

  199. 	//echo "<meta http-equiv=\"Refresh\" content=\"0;url=$HTTP_SERVER_VARS[PHP_SELF]\">";
    200. 

  200. 	header("Location: $_SERVER[PHP_SELF]");
    201. 

  201. 	return;
    202. 

  202. } else {
    203. 

  203. 	if(isset($_GET['q']) && $_GET['q'] == 'logout') {
    204. 

  204. 		/* Kill session variables */
    205. 

  205. 		unset($_SESSION['username']);
    206. 

  206. 		unset($_SESSION['password']);
    207. 

  207. 		unset($_SESSION['permissions']);
    208. 

  208. 		$_SESSION = array(); // reset session array
    209. 

  209. 		session_destroy();	// destroy session.
    210. 

  210. 	}
    211. 

  211. }
    212. 

  212. 

  213. /* Sets the value of the logged_in variable, which can be used in your code */
    214. 

  214. $logged_in = checkLogin();
    215. 

  215. ?>
    216.