PageRenderTime 76ms CodeModel.GetById 35ms RepoModel.GetById 1ms app.codeStats 0ms

/symphony/content/content.login.php

https://github.com/nils-werner/symphony-2
PHP | 275 lines | 167 code | 48 blank | 60 comment | 37 complexity | 7b5b50922d718b63595be381bb9a24c7 MD5 | raw file
    

  1. <?php
    2. 

  2. 

  3. 	/**
    4. 

  4. 	 * @package content
    5. 

  5. 	 */
    6. 

  6. 

  7. 	/**
    8. 

  8. 	 * The default Symphony login page that is shown to users who attempt
    9. 

  9. 	 * to access `SYMPHONY_URL` but are not logged in. This page has logic
    10. 

  10. 	 * to allow users to reset their passwords should they forget.
    11. 

  11. 	 */
    12. 

  12. 	Class contentLogin extends HTMLPage{
    13. 

  13. 

  14. 		public $failedLoginAttempt = false;
    15. 

  15. 

  16. 		public function __construct(){
    17. 

  17. 			parent::__construct();
    18. 

  18. 			$this->addHeaderToPage('Content-Type', 'text/html; charset=UTF-8');
    19. 

  19. 

  20. 			$this->Html->setElementStyle('html');
    21. 

  21. 			$this->Html->setDTD('<!DOCTYPE html>');
    22. 

  22. 			$this->Html->setAttribute('lang', Lang::get());
    23. 

  23. 			$this->addElementToHead(new XMLElement('meta', NULL, array('charset' => 'UTF-8')), 0);
    24. 

  24. 			$this->addElementToHead(new XMLElement('meta', NULL, array('http-equiv' => 'X-UA-Compatible', 'content' => 'IE=edge,chrome=1')), 1);
    25. 

  25. 			$this->addElementToHead(new XMLElement('meta', NULL, array('name' => 'viewport', 'content' => 'width=device-width, initial-scale=1')), 2);
    26. 

  26. 

  27. 			$this->addStylesheetToHead(APPLICATION_URL . '/assets/css/symphony.css', 'screen', 30);
    28. 

  28. 			$this->addStylesheetToHead(APPLICATION_URL . '/assets/css/symphony.forms.css', 'screen', 31);
    29. 

  29. 			$this->addStylesheetToHead(APPLICATION_URL . '/assets/css/symphony.frames.css', 'screen', 32);
    30. 

  30. 

  31. 			$this->setTitle(__('%1$s &ndash; %2$s', array(__('Login'), __('Symphony'))));
    32. 

  32. 

  33. 			$this->Body->setAttribute('id', 'login');
    34. 

  34. 

  35. 			Symphony::Profiler()->sample('Page template created', PROFILE_LAP);
    36. 

  36. 		}
    37. 

  37. 

  38. 		public function build($context=NULL) {
    39. 

  39. 			if($context) $this->_context = $context;
    40. 

  40. 			if(isset($_REQUEST['action'])) $this->action();
    41. 

  41. 			$this->view();
    42. 

  42. 		}
    43. 

  43. 

  44. 		public function view() {
    45. 

  45. 			if(isset($this->_context[0]) && in_array(strlen($this->_context[0]), array(6, 8))){
    46. 

  46. 				if(!$this->__loginFromToken($this->_context[0])) {
    47. 

  47. 					if(Administration::instance()->isLoggedIn()) redirect(SYMPHONY_URL);
    48. 

  48. 				}
    49. 

  49. 			}
    50. 

  50. 

  51. 			$this->Form = Widget::Form(SYMPHONY_URL . '/login/', 'post');
    52. 

  52. 			$this->Form->setAttribute('class', 'frame');
    53. 

  53. 			$this->Form->appendChild(new XMLElement('h1', __('Symphony')));
    54. 

  54. 

  55. 			$fieldset = new XMLElement('fieldset');
    56. 

  56. 

  57. 			// Display retrieve password UI
    58. 

  58. 			if(isset($this->_context[0]) && $this->_context[0] == 'retrieve-password'):
    59. 

  59. 				$this->Form->setAttribute('action', SYMPHONY_URL.'/login/retrieve-password/');
    60. 

  60. 

  61. 				if(isset($this->_email_sent) && $this->_email_sent) {
    62. 

  62. 					$fieldset->appendChild(new XMLElement('p', __('An email containing a customised login link has been sent to %s. It will expire in 2 hours.', array(
    63. 

  63. 						'<code>' . $this->_email_sent_to . '</code>')
    64. 

  64. 					)));
    65. 

  65. 					$fieldset->appendChild(new XMLElement('p', Widget::Anchor(__('Login'), SYMPHONY_URL.'/login/', null)));
    66. 

  66. 					$this->Form->appendChild($fieldset);
    67. 

  67. 				}
    68. 

  68. 				else {
    69. 

  69. 					$fieldset->appendChild(new XMLElement('p', __('Enter your email address or username to be sent further instructions for logging in.')));
    70. 

  70. 

  71. 					$label = Widget::Label(__('Email Address or Username'));
    72. 

  72. 					$label->appendChild(Widget::Input('email', General::sanitize($_POST['email']), 'text', array('autofocus' => 'autofocus')));
    73. 

  73. 					if(isset($this->_email_sent) && !$this->_email_sent) {
    74. 

  74. 						$label = Widget::Error($label, __('Unfortunately no account was found using this information.'));
    75. 

  75. 					}
    76. 

  76. 					$fieldset->appendChild($label);
    77. 

  77. 

  78. 					$this->Form->appendChild($fieldset);
    79. 

  79. 

  80. 					$div = new XMLElement('div', NULL, array('class' => 'actions'));
    81. 

  81. 					$div->appendChild(
    82. 

  82. 						new XMLElement('button', __('Send Email'), array('name' => 'action[reset]', 'type' => 'submit'))
    83. 

  83. 					);
    84. 

  84. 					$div->appendChild(
    85. 

  85. 						Widget::Anchor(__('Cancel'), SYMPHONY_URL.'/login/', null, 'action-link')
    86. 

  86. 					);
    87. 

  87. 					$this->Form->appendChild($div);
    88. 

  88. 				}
    89. 

  89. 

  90. 			// Normal login
    91. 

  91. 			else:
    92. 

  92. 

  93. 				$fieldset->appendChild(new XMLElement('legend', __('Login')));
    94. 

  94. 

  95. 				// Display error message
    96. 

  96. 				if($this->failedLoginAttempt){
    97. 

  97. 					$p = new XMLElement('p');
    98. 

  98. 					$p = Widget::Error($p, __('The login details provided are incorrect.'));
    99. 

  99. 					$fieldset->appendChild($p);
    100. 

  100. 				}
    101. 

  101. 

  102. 				// Username
    103. 

  103. 				$label = Widget::Label(__('Username'));
    104. 

  104. 				$username = Widget::Input('username', isset($_POST['username']) ? General::sanitize($_POST['username']) : null);
    105. 

  105. 				if(!$this->failedLoginAttempt) {
    106. 

  106. 					$username->setAttribute('autofocus', 'autofocus');
    107. 

  107. 				}
    108. 

  108. 				$label->appendChild($username);
    109. 

  109. 				if(isset($_POST['action'], $_POST['action']['login']) && empty($_POST['username'])) {
    110. 

  110. 					$username->setAttribute('autofocus', 'autofocus');
    111. 

  111. 					$label = Widget::Error($label, __('No username was entered.'));
    112. 

  112. 				}
    113. 

  113. 				$fieldset->appendChild($label);
    114. 

  114. 

  115. 				// Password
    116. 

  116. 				$label = Widget::Label(__('Password'));
    117. 

  117. 				$password = Widget::Input('password', NULL, 'password');
    118. 

  118. 				$label->appendChild($password);
    119. 

  119. 				if(isset($_POST['action'], $_POST['action']['login']) && empty($_POST['password'])) {
    120. 

  120. 					$password->setAttribute('autofocus', 'autofocus');
    121. 

  121. 					$label = Widget::Error($label, __('No password was entered.'));
    122. 

  122. 				}
    123. 

  123. 				else if($this->failedLoginAttempt) {
    124. 

  124. 					$password->setAttribute('autofocus', 'autofocus');
    125. 

  125. 				}
    126. 

  126. 				$fieldset->appendChild($label);
    127. 

  127. 				$this->Form->appendChild($fieldset);
    128. 

  128. 

  129. 				// Actions
    130. 

  130. 				$div = new XMLElement('div', NULL, array('class' => 'actions'));
    131. 

  131. 				$div->appendChild(
    132. 

  132. 					new XMLElement('button', __('Login'), array('name' => 'action[login]', 'type' => 'submit', 'accesskey' => 's'))
    133. 

  133. 				);
    134. 

  134. 				$div->appendChild(
    135. 

  135. 					Widget::Anchor(__('Retrieve password?'), SYMPHONY_URL.'/login/retrieve-password/', null, 'action-link')
    136. 

  136. 				);
    137. 

  137. 				$this->Form->appendChild($div);
    138. 

  138. 

  139. 				if(isset($this->_context['redirect'])) {
    140. 

  140. 					$this->Form->appendChild(
    141. 

  141. 						Widget::Input('redirect', SYMPHONY_URL . General::sanitize($this->_context['redirect']), 'hidden')
    142. 

  142. 					);
    143. 

  143. 				}
    144. 

  144. 

  145. 			endif;
    146. 

  146. 

  147. 			$this->Body->appendChild($this->Form);
    148. 

  148. 		}
    149. 

  149. 

  150. 		public function action() {
    151. 

  151. 			if(isset($_POST['action'])) {
    152. 

  152. 

  153. 				$actionParts = array_keys($_POST['action']);
    154. 

  154. 				$action = end($actionParts);
    155. 

  155. 

  156. 				// Login Attempted
    157. 

  157. 				if($action == 'login'):
    158. 

  158. 					if(empty($_POST['username']) || empty($_POST['password']) || !Administration::instance()->login($_POST['username'], $_POST['password'])) {
    159. 

  159. 						/**
    160. 

  160. 						 * A failed login attempt into the Symphony backend
    161. 

  161. 						 *
    162. 

  162. 						 * @delegate AuthorLoginFailure
    163. 

  163. 						 * @since Symphony 2.2
    164. 

  164. 						 * @param string $context
    165. 

  165. 						 * '/login/'
    166. 

  166. 						 * @param string $username
    167. 

  167. 						 *  The username of the Author who attempted to login.
    168. 

  168. 						 */
    169. 

  169. 						Symphony::ExtensionManager()->notifyMembers('AuthorLoginFailure', '/login/', array('username' => Symphony::Database()->cleanValue($_POST['username'])));
    170. 

  170. 						$this->failedLoginAttempt = true;
    171. 

  171. 					}
    172. 

  172. 

  173. 					else {
    174. 

  174. 						/**
    175. 

  175. 						 * A successful login attempt into the Symphony backend
    176. 

  176. 						 *
    177. 

  177. 						 * @delegate AuthorLoginSuccess
    178. 

  178. 						 * @since Symphony 2.2
    179. 

  179. 						 * @param string $context
    180. 

  180. 						 * '/login/'
    181. 

  181. 						 * @param string $username
    182. 

  182. 						 *  The username of the Author who logged in.
    183. 

  183. 						 */
    184. 

  184. 						Symphony::ExtensionManager()->notifyMembers('AuthorLoginSuccess', '/login/', array('username' => Symphony::Database()->cleanValue($_POST['username'])));
    185. 

  185. 

  186. 						isset($_POST['redirect']) ? redirect($_POST['redirect']) : redirect(SYMPHONY_URL);
    187. 

  187. 					}
    188. 

  188. 

  189. 				// Reset of password requested
    190. 

  190. 				elseif($action == 'reset'):
    191. 

  191. 

  192. 					$author = Symphony::Database()->fetchRow(0, sprintf("
    193. 

  193. 							SELECT `id`, `email`, `first_name`
    194. 

  194. 							FROM `tbl_authors`
    195. 

  195. 							WHERE `email` = '%1\$s' OR `username` = '%1\$s'
    196. 

  196. 						", Symphony::Database()->cleanValue($_POST['email'])
    197. 

  197. 					));
    198. 

  198. 

  199. 					if(!empty($author)){
    200. 

  200. 						Symphony::Database()->delete('tbl_forgotpass', " `expiry` < '".DateTimeObj::getGMT('c')."' ");
    201. 

  201. 

  202. 						if(!$token = Symphony::Database()->fetchVar('token', 0, "SELECT `token` FROM `tbl_forgotpass` WHERE `expiry` > '".DateTimeObj::getGMT('c')."' AND `author_id` = ".$author['id'])){
    203. 

  203. 							$token = substr(SHA1::hash(time() . rand(0, 1000)), 0, 6);
    204. 

  204. 							Symphony::Database()->insert(array(
    205. 

  205. 								'author_id' => $author['id'],
    206. 

  206. 								'token' => $token,
    207. 

  207. 								'expiry' => DateTimeObj::getGMT('c', time() + (120 * 60))
    208. 

  208. 							), 'tbl_forgotpass');
    209. 

  209. 						}
    210. 

  210. 

  211. 						try{
    212. 

  212. 							$email = Email::create();
    213. 

  213. 

  214. 							$email->recipients = $author['email'];
    215. 

  215. 							$email->subject = __('New Symphony Account Password');
    216. 

  216. 							$email->text_plain = __('Hi %s,', array($author['first_name'])) . PHP_EOL .
    217. 

  217. 									__('A new password has been requested for your account. Login using the following link, and change your password via the Authors area:') . PHP_EOL .
    218. 

  218. 									PHP_EOL . '	' . SYMPHONY_URL . "/login/{$token}/" . PHP_EOL . PHP_EOL .
    219. 

  219. 									__('It will expire in 2 hours. If you did not ask for a new password, please disregard this email.') . PHP_EOL . PHP_EOL .
    220. 

  220. 									__('Best Regards,') . PHP_EOL .
    221. 

  221. 									__('The Symphony Team');
    222. 

  222. 

  223. 							$email->send();
    224. 

  224. 							$this->_email_sent = true;
    225. 

  225. 							$this->_email_sent_to = $author['email']; // Set this so we can display a customised message
    226. 

  226. 						}
    227. 

  227. 						catch(Exception $e) {}
    228. 

  228. 

  229. 						/**
    230. 

  230. 						 * When a password reset has occurred and after the Password
    231. 

  231. 						 * Reset email has been sent.
    232. 

  232. 						 *
    233. 

  233. 						 * @delegate AuthorPostPasswordResetSuccess
    234. 

  234. 						 * @since Symphony 2.2
    235. 

  235. 						 * @param string $context
    236. 

  236. 						 * '/login/'
    237. 

  237. 						 * @param integer $author_id
    238. 

  238. 						 *  The ID of the Author who requested the password reset
    239. 

  239. 						 */
    240. 

  240. 						Symphony::ExtensionManager()->notifyMembers('AuthorPostPasswordResetSuccess', '/login/', array('author_id' => $author['id']));
    241. 

  241. 					}
    242. 

  242. 

  243. 					else {
    244. 

  244. 

  245. 						/**
    246. 

  246. 						 * When a password reset has been attempted, but Symphony doesn't
    247. 

  247. 						 * recognise the credentials the user has given.
    248. 

  248. 						 *
    249. 

  249. 						 * @delegate AuthorPostPasswordResetFailure
    250. 

  250. 						 * @since Symphony 2.2
    251. 

  251. 						 * @param string $context
    252. 

  252. 						 * '/login/'
    253. 

  253. 						 * @param string $email
    254. 

  254. 						 *  The sanitised Email of the Author who tried to request the password reset
    255. 

  255. 						 */
    256. 

  256. 						Symphony::ExtensionManager()->notifyMembers('AuthorPostPasswordResetFailure', '/login/', array('email' => Symphony::Database()->cleanValue($_POST['email'])));
    257. 

  257. 

  258. 						$this->_email_sent = false;
    259. 

  259. 					}
    260. 

  260. 

  261. 				endif;
    262. 

  262. 			}
    263. 

  263. 		}
    264. 

  264. 

  265. 		public function __loginFromToken($token){
    266. 

  266. 			// If token is invalid, return to login page
    267. 

  267. 			if(!Administration::instance()->loginFromToken($token)) return false;
    268. 

  268. 

  269. 			// If token is valid and is an 8 char shortcut
    270. 

  270. 			if(strlen($token) != 6) redirect(SYMPHONY_URL); // Regular token-based login
    271. 

  271. 

  272. 			return false;
    273. 

  273. 		}
    274. 

  274. 

  275. 	}
    276. 

  276.