register.php | searchcode

/frontend/php/account/register.php

#
PHP | 369 lines | 239 code | 57 blank | 73 comment | 55 complexity | 34e4d98f4903191bbbc9b91399d11be7 MD5 | raw file
Possible License(s): AGPL-3.0

<?php
# Register an account, part 1 (part 2 is e-mail confirmation)
# 
# Copyright 1999-2000 (c) The SourceForge Crew
# Copyright 2003-2006 (c) Mathieu Roy <yeupou--gna.org>
# Copyright (C) 2007  Sylvain Beucler
# 
# This file is part of Savane.
# 
# Savane is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as
# published by the Free Software Foundation, either version 3 of the
# License, or (at your option) any later version.
# 
# Savane is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU Affero General Public License for more details.
# 
# You should have received a copy of the GNU Affero General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.

require_once('../include/init.php');
require_once('../include/sane.php');
require_once('../include/account.php');
require_once('../include/dnsbl.php');
require_once('../include/spam.php');
require_once('../include/form.php');
require_once('../include/utils.php');
require_once('../include/html.php');
require_once('../include/sendmail.php');

register_globals_off();

extract(sane_import('post',
  array('update', 'form_id',
	'form_loginname', 'form_pw', 'form_pw2', 'form_realname', 'form_email',
	'form_year',
	'form_usepam')));

if (isset($GLOBALS['sys_https_host']) && !session_issecure())
{
  # Force use of TLS for login
  header('Location: '.$GLOBALS['sys_https_url'].$_SERVER['REQUEST_URI']);
}

# Logged users have no business here
if (user_isloggedin())
{
  session_redirect($GLOBALS['sys_home'] . 'my/');
}


# Block here potential robots
dnsbl_check();
# Block banned IP
spam_bancheck();


$login_is_valid = false;
$pw_is_valid = false;
$email_is_valid = false;
$realname_is_valid = false;
$antispam_is_valid = false;

if (!empty($update) and form_check($form_id))
// Form is submitted
{
  // feedback included by the check function

  // Temporary spam block
  if ($GLOBALS['sys_registration_text_spam_test'])
  {
      if ($form_year != 1983)
      {
          fb(_("Please answer the antispam test!"),1);
      }
      else
      {
          $antispam_is_valid = true;
      }
  }
  if ($GLOBALS['sys_registration_captcha'])
  {
      include_once $GLOBALS['sys_securimagedir'] . '/securimage.php';
      $securimage = new Securimage();

      if ($securimage->check($_POST['captcha_code']) == false)
      {
          fb(_("Please correctly answer the antispam captcha!"),1);
      }
      else
      {
          $antispam_is_valid = true;
      }
  }

  if (!$GLOBALS['sys_registration_captcha'] &&
      !$GLOBALS['sys_registration_text_spam_test'])
  {
      $antispam_is_valid = true;
  }

  // Login
  if ($form_loginname == '')
    {
      fb(_("You must supply a username."),1);
    }
  else if (!account_namevalid($form_loginname))
    {
      // feedback included by the check function
    }
  // Avoid duplicates
  else if (db_numrows(db_execute("SELECT user_id FROM user WHERE user_name = ?",
				 array($form_loginname))) > 0)
    {
      fb(_("That username already exists."),1);
    }
  else if (db_numrows(db_execute("SELECT group_list_id FROM mail_group_list WHERE "
				 . "list_name = ?", array($form_loginname))) > 0)
    {
      fb(_("That username is blocked to avoid conflict with mailing-list addresses."),1);
    }
  else
    {
      $login_is_valid = true;
    }

  // Password
  if ($form_pw == '')
    {
      fb(_("You must supply a password."),1);
    }
  // Password sanity checks - unless PAM is used
  else if ($GLOBALS['sys_use_pamauth'] != "yes" and $form_usepam != 1 and $form_pw != $form_pw2)
    {
      fb(_("Passwords do not match."),1);
    }
  else if ($GLOBALS['sys_use_pamauth'] != "yes" and $form_usepam != 1 and !account_pwvalid($form_pw))
    {
      // feedback included by the check function
    }
  else
    {
      $pw_is_valid = true;
    }

  // E-mail
  if (!$form_email)
    {
      fb(_("You must supply a valid email address."),1);
    }
  else if (!account_emailvalid($form_email))
    {
      // feedback included by the check function
    }
  else
    {
      $email_is_valid = true;
    }

  // Real name
  if ($form_realname == '')
    {
      fb(_("You must supply a real name."),1);
    }
  else
    {
      $realname_is_valid = true;
    }

  # Remove quotes from the realname, we do not want to allow that but
  # it is not a blocker issue.
  # Beuc 2007-02-24: enable quotes in realname, it's a perfect test for unsecure MySQL queries
  # $GLOBALS['form_realname'] = strtr($_POST['form_realname'], "\'\"\,", "     ");


  ####


  $krb5ret = '';
  if ($GLOBALS['sys_use_krb5'] == "yes")
    {
      $krb5ret = krb5_login($form_loginname, $form_pw);
      if($krb5ret == -1)
	{ # KRB5_NOTOK
	  fb(_("phpkrb5 module failure"),1);
	  $pw_is_valid = false;
	}
      elseif($krb5ret == 1)
	{ # KRB5_BAD_PASSWORD
	    fb(sprintf(_("User is a kerberos principal but password do not match. Please use your kerberos password for the first login and then change your %s password. This is necessary to prevent someone from stealing your account name."),$GLOBALS['sys_name']),1);

	  $pw_is_valid = false;
	}
      elseif ($krb5ret == "2")
	{
	  # KRB5_BAD_USER

	  /*

FIXME : this is broken and seems to be due to the kerberos module.
        we did not changed anything about that and we get 2 as return
        for any name.

	  if($_POST['form_loginname']."@".$GLOBALS['sys_mail_domain'])
	    {
	      $GLOBALS['register_error'] = sprintf(_("User %s is a known mail alias and cannot be used. If you own this alias (%s@%s) please create a another user (for instance xx%s) and ask %s@%s to rename it to %s."),
						   $_POST['form_loginname'],
						   $_POST['form_loginname'],

						   $GLOBALS['sys_mail_domain'],
						   $_POST['form_loginname'],
						   $GLOBALS['sys_admin_list'],
						   $GLOBALS['sys_mail_domain'],
						   $_POST['form_loginname']);
	      return 0;
	    }
	  */
	}
    }
}

# Don't forget parenthesis to avoid precendence issues with 'and'
$form_is_valid = ($login_is_valid and $pw_is_valid
		  and $email_is_valid and $realname_is_valid
		  and $antispam_is_valid);

if ($form_is_valid)
{
  if ($GLOBALS['sys_use_pamauth'] == "yes" && $form_usepam == 1)
    {
      // if user chose PAM based authentication, set his encrypted
      // password to the specified string
      $passwd = 'PAM';
    }
  else
    {
      $passwd = account_encryptpw($form_pw);
    }

  $confirm_hash = substr(md5(rand(0, 32768) . $passwd . time()), 0, 16);
  $result=db_autoexecute(
    'user',
    array(
      'user_name' => strtolower($form_loginname),
      'user_pw'   => $passwd,
      'realname'  => $form_realname,
      'email'     => $form_email,
      'add_date'  => time(),
      'status'    => 'P',
      'confirm_hash' => $confirm_hash),
    DB_AUTOQUERY_INSERT);

  if (!$result)
    {
      exit_error('error',db_error());
    }
  else
    {

      $newuserid = db_insertid($result);

      # clean id
      form_clean($form_id);

      # send mail
      $message = sprintf(_("Thank you for registering on the %s web site."),$GLOBALS['sys_name'])."\n"
	."("._("Your login is not mentioned in this mail to prevent account creation by robots").")\n\n"
#	.sprintf(_("Your login is: %s"), addslashes(strtolower($_POST[form_loginname])))."\n\n"
	._("In order to complete your registration, visit the following URL:\n\n")
	. $GLOBALS['sys_https_url']
	. $GLOBALS['sys_home']
	. "account/verify.php?confirm_hash=$confirm_hash\n\n"
	._("Enjoy the site").".\n\n"
	. sprintf(_("-- the %s team.")."\n",$GLOBALS['sys_name']);

      if ($krb5ret == 0) #KRB5_OK
	{
	  $message .= sprintf(_("P.S. Your kerberos password is now stored in encrypted form\nin the %s database."),$GLOBALS['sys_name']);
	  $message .= sprintf(_("For better security we advise you\nto change your %s password as soon as possible.\n"),$GLOBALS['sys_name']);
	}


      sendmail_mail($GLOBALS['sys_mail_replyto']."@".$GLOBALS['sys_mail_domain'],
		    $form_email,
		    $GLOBALS['sys_name']." "._("Account Registration"),
		    $message);

    $HTML->header(array('title'=>_("Register Confirmation")));

    print '<h3>'.$GLOBALS['sys_name'].' : '._("New Account Registration Confirmation").'</h3>'
      .sprintf(_("Congratulations. You have registered on %s "),$GLOBALS['sys_name'])
      .sprintf(_("Your login is: %s"), '<strong>'.user_getname($newuserid).'</strong>');

    print '<p>'._("You are now being sent a confirmation email to verify your email address. Visiting the link sent to you in this email will activate your account.").' <span class="warn">'._("Accounts not confirmed after two days are deleted from the database.").'</span></p>';

    }
}

# not valid registration, or first time to page
else

{

  site_header(array('title'=>_("User account registration"),'context'=>'account'));


  print form_header($_SERVER['PHP_SELF'], $form_id);
  print '<p><span class="preinput">'._("Login Name:").'</span><br />&nbsp;&nbsp;';
  print form_input("text", "form_loginname", $form_loginname);

  print '<p><span class="preinput">'._("Password / passphrase:")." ".account_password_help().'</span><br />&nbsp;&nbsp;';
  print form_input("password", "form_pw", $form_pw);
  print "</p>";

  print '<p><span class="preinput">'._("Re-type Password:").'</span><br />&nbsp;&nbsp;';
  print form_input("password", "form_pw2", $form_pw2);
  print "</p>";

  print '<p><span class="preinput">'._("Real Name:").'</span><br />&nbsp;&nbsp;';
  print '<input size="30" type="text" name="form_realname" value="'.$form_realname.'" /></p>';

  print '<p><span class="preinput">'._("Email Address:").'</span><br />&nbsp;&nbsp;';
  print '<input size="30" type="text" name="form_email" value="'.$form_email.'" />';
  print '<br /><span class="text">'._("This email address will be verified before account activation.").'</span></p>';

  if ($GLOBALS['sys_registration_text_spam_test'])
  {
      print '<p><span class="preinput">'._("Antispam test:").'</span><br />&nbsp;&nbsp;';
      print '<input size="30" type="text" name="form_year" value="'.$form_year.'" />';
      print '<br /><span class="text">'
          ._("In what year was the GNU project announced?"
             . " [<a href='http://www.gnu.org/gnu/gnu-history.html'>click for a hint</a>]")
          . '</span></p>';
  }
  if ($GLOBALS['sys_registration_captcha'])
  {
      print '<img id="captcha" src="' . $GLOBALS['sys_home'] . 'gencaptcha.php" alt="CAPTCHA" /><br />';
      print '[ <a href="#" onclick="document.getElementById(\'captcha\').src = \'' .
          $GLOBALS['sys_home'] . 'gencaptcha.php?\' + Math.random(); return false">' . _("Different Image") . '</a> ] ';
      print '[ <a href="' . $GLOBALS['sys_home'] . 'playcaptcha.php">' . _("Play Captcha") . '</a> ]<br />';
      print _("Antispam test:") . '<input type="text" name="captcha_code" size="10" maxlength="6" />';

  }

  # Extension for PAM authentication
  # FIXME: for now, only the PAM authentication that exists is for AFS.
  #  but PAM is not limited to AFS, so we should consider a way to configure
  #  this (to put it in site specific content probably).
  if ($sys_use_pamauth=="yes")
    {
      print "<p>Instead of providing a new password you
      may choose to authenticate via an <strong>AFS</strong> account you own
      at this site (this requires your new login name to be the
      same as the AFS account name):";

      print '<p>&nbsp;&nbsp;&nbsp;<INPUT type="checkbox"
      name="form_usepam" value="1" > use AFS based authentication';
    }


  print form_footer();

}



$HTML->footer(array());