
/administrator/components/com_patch/patch/administrator/index.php

https://github.com/viollarr/alab
  1<?php
  2
  3/**
  4
  5* This file has been modified by Vincent Cheah, ByOS Technologies 2008-02-27 12:07 
  6
  7* for integration with JACLPlus Component 
  8
  9*/
 10
 11/**
 12
 13* @version $Id: index.php 10041 2008-02-15 21:48:13Z eddieajau $
 14
 15* @package Joomla
 16
 17* @copyright Copyright (C) 2005 Open Source Matters. All rights reserved.
 18
 19* @license http://www.gnu.org/copyleft/gpl.html GNU/GPL, see LICENSE.php
 20
 21* Joomla! is free software. This version may have been modified pursuant
 22
 23* to the GNU General Public License, and as distributed it includes or
 24
 25* is derivative of works licensed under the GNU General Public License or
 26
 27* other free or open source software licenses.
 28
 29* See COPYRIGHT.php for copyright notices and details.
 30
 31*/
 32
 33
 34
 35// Set flag that this is a parent file
 36
 37define( '_VALID_MOS', 1 );
 38
 39
 40
 41if (!file_exists( '../configuration.php' )) {
 42
 43	header( 'Location: ../installation/index.php' );
 44
 45	exit();
 46
 47}
 48
 49
 50
 51require( '../globals.php' );
 52
 53require( '../configuration.php' );
 54
 55
 56
 57// SSL check - $http_host returns <live site url>:<port number if it is 443>
 58
 59$http_host = explode(':', $_SERVER['HTTP_HOST'] );
 60
 61if( (!empty( $_SERVER['HTTPS'] ) && strtolower( $_SERVER['HTTPS'] ) != 'off' || isset( $http_host[1] ) && $http_host[1] == 443) && substr( $mosConfig_live_site, 0, 8 ) != 'https://' ) {
 62
 63	$mosConfig_live_site = 'https://'.substr( $mosConfig_live_site, 7 );
 64
 65}
 66
 67
 68
 69require_once( '../includes/joomla.php' );
 70
 71include_once ( $mosConfig_absolute_path . '/language/'. $mosConfig_lang .'.php' );
 72
 73
 74
 75//Installation sub folder check, removed for work with SVN
 76
 77if (file_exists( '../installation/index.php' ) && $_VERSION->SVN == 0) {
 78
 79	define( '_INSTALL_CHECK', 1 );
 80
 81	include ($mosConfig_absolute_path .'/offline.php');
 82
 83	exit();
 84
 85}
 86
 87
 88
 89$option = strtolower( strval( mosGetParam( $_REQUEST, 'option', NULL ) ) );
 90
 91
 92
 93// mainframe is an API workhorse, lots of 'core' interaction routines
 94
 95$mainframe = new mosMainFrame( $database, $option, '..', true );
 96
 97
 98
 99if (isset( $_POST['submit'] )) {
100
101	$usrname 	= stripslashes( mosGetParam( $_POST, 'usrname', NULL ) );
102
103	$pass 		= stripslashes( mosGetParam( $_POST, 'pass', NULL ) );
104
105
106
107	if($pass == NULL) {
108
109		echo "<script>alert('Please enter a password'); document.location.href='index.php?mosmsg=Please enter a password'</script>\n";
110
111		exit();
112
113	}
114
115
116
117	$query = "SELECT COUNT(*)"
118
119	. "\n FROM #__users"
120
121	. "\n WHERE ("
122
123	// Administrators
124
125	. "\n gid = 24"
126
127	// Super Administrators
128
129	. "\n OR gid = 25"
130
131	. "\n )"
132
133	;
134
135	$database->setQuery( $query );
136
137	$count = intval( $database->loadResult() );
138
139	if ($count < 1) {
140
141		mosErrorAlert( _LOGIN_NOADMINS );
142
143	}
144
145
146
147	$my = null;
148
149	$query = "SELECT u.*, m.*"
150
151	. "\n FROM #__users AS u"
152
153	. "\n LEFT JOIN #__messages_cfg AS m ON u.id = m.user_id AND m.cfg_name = 'auto_purge'"
154
155	. "\n WHERE u.username = " . $database->Quote( $usrname )
156
157	. "\n AND u.block = 0"
158
159	;
160
161	$database->setQuery( $query );
162
163	$database->loadObject( $my );
164
165
166
167	/** find the user group (or groups in the future) */
168
169	if (@$my->id) {
170
171		$grp 			= $acl->getAroGroup( $my->id );
172
173		$my->gid 		= $grp->group_id;
174
175		$my->usertype 	= $grp->name;
176
177		if(isset($grp->jaclplus) && class_exists('JACLPlus')) $my->jaclplus	= $grp->jaclplus;
178
179
180
181		// Conversion to new type
182
183		if ((strpos($my->password, ':') === false) && $my->password == md5($pass)) {
184
185			// Old password hash storage but authentic ... lets convert it
186
187			$salt = mosMakePassword(16);
188
189			$crypt = md5($pass.$salt);
190
191			$my->password = $crypt.':'.$salt;
192
193
194
195			// Now lets store it in the database
196
197			$query = 'UPDATE #__users ' .
198
199					'SET password = '.$database->Quote($my->password) .
200
201					'WHERE id = '.(int)$my->id;
202
203			$database->setQuery($query);
204
205			if (!$database->query()) {
206
207				// This is an error but not sure what to do with it ... we'll still work for now
208
209			}
210
211		}
212
213
214
215		list($hash, $salt) = explode(':', $my->password);
216
217		$cryptpass = md5($pass.$salt);
218
219
220
221		if ( strcmp( $hash, $cryptpass ) || !$acl->acl_check( 'administration', 'login', 'users', $my->usertype ) ) {
222
223			mosErrorAlert("Incorrect Username, Password, or Access Level.  Please try again", "document.location.href='index.php'");
224
225		}
226
227
228
229		// construct Session ID
230
231		$logintime	= time();
232
233		$session_id = md5( $my->id . $my->username . $my->usertype . $logintime );
234
235
236
237		session_name( md5( $mosConfig_live_site ) );
238
239		session_id( $session_id );
240
241		session_start();
242
243
244
245		// add Session ID entry to DB
246
247		$query = "INSERT INTO #__session"
248
249		. "\n SET time = " . $database->Quote( $logintime ) . ", session_id = " . $database->Quote( $session_id ) . ", userid = " . (int) $my->id . ", usertype = " . $database->Quote( $my->usertype) . ", username = " . $database->Quote( $my->username )
250
251		. ( isset($my->jaclplus) ? ", gid = " . (int) $my->gid . ", jaclplus = " . $database->Quote( $my->jaclplus ) : "" )
252
253		;
254
255		$database->setQuery( $query );
256
257		if (!$database->query()) {
258
259			echo $database->stderr();
260
261		}
262
263
264
265		// check if site designated as a production site
266
267		// for a demo site allow multiple logins with same user account
268
269		if ( $_VERSION->SITE == 1 ) {
270
271			// delete other open admin sessions for same account
272
273			$query = "DELETE FROM #__session"
274
275			. "\n WHERE userid = " . (int) $my->id
276
277			. "\n AND username = " . $database->Quote( $my->username )
278
279			. "\n AND usertype = " . $database->Quote( $my->usertype )
280
281			. "\n AND session_id != " . $database->Quote( $session_id )
282
283			// this ensures that frontend sessions are not purged
284
285			. "\n AND guest = 1"
286
287			. ( isset($my->jaclplus) ? "\n AND gid = " . (int) $my->gid : "\n AND gid = 0" )
288
289			;
290
291			$database->setQuery( $query );
292
293			if (!$database->query()) {
294
295				echo $database->stderr();
296
297			}
298
299		}
300
301
302
303		$_SESSION['session_id'] 			= $session_id;
304
305		$_SESSION['session_user_id'] 		= $my->id;
306
307		$_SESSION['session_username'] 		= $my->username;
308
309		$_SESSION['session_usertype'] 		= $my->usertype;
310
311		$_SESSION['session_gid'] 			= $my->gid;
312
313		$_SESSION['session_logintime'] 		= $logintime;
314
315		$_SESSION['session_user_params']	= $my->params;
316
317		$_SESSION['session_userstate'] 		= array();
318
319		if(isset($my->jaclplus)) $_SESSION['session_jaclplus'] 	= $my->jaclplus;
320
321
322
323		session_write_close();
324
325
326
327		$expired = 'index2.php';
328
329
330
331		// check if site designated as a production site
332
333		// for a demo site disallow expired page functionality
334
335		if ( $_VERSION->SITE == 1 && @$mosConfig_admin_expired === '1' ) {
336
337			$file 	= $mainframe->getPath( 'com_xml', 'com_users' );
338
339			$params =& new mosParameters( $my->params, $file, 'component' );
340
341
342
343			$now 	= time();
344
345
346
347			// expired page functionality handling
348
349			$expired 		= $params->def( 'expired', '' );
350
351			$expired_time 	= $params->def( 'expired_time', '' );
352
353
354
355			// if now expired link set or expired time is more than half the admin session life set, simply load normal admin homepage
356
357			$checktime = ( $mosConfig_session_life_admin ? $mosConfig_session_life_admin : 1800 ) / 2;
358
359			if (!$expired || ( ( $now - $expired_time ) > $checktime ) ) {
360
361				$expired = 'index2.php';
362
363			}
364
365			// link must also be a Joomla link to stop malicious redirection
366
367			if ( strpos( $expired, 'index2.php?option=com_' ) !== 0 ) {
368
369				$expired = 'index2.php';
370
371			}
372
373
374
375			// clear any existing expired page data
376
377			$params->set( 'expired', '' );
378
379			$params->set( 'expired_time', '' );
380
381
382
383			// param handling
384
385			if (is_array( $params->toArray() )) {
386
387				$txt = array();
388
389				foreach ( $params->toArray() as $k=>$v) {
390
391					$txt[] = "$k=$v";
392
393				}
394
395				$saveparams = implode( "\n", $txt );
396
397			}
398
399
400
401			// save cleared expired page info to user data
402
403			$query = "UPDATE #__users"
404
405			. "\n SET params = " . $database->Quote( $saveparams )
406
407			. "\n WHERE id = " . (int) $my->id
408
409			. "\n AND username = " . $database->Quote( $my->username )
410
411			. "\n AND usertype = " . $database->Quote( $my->usertype )
412
413			;
414
415			$database->setQuery( $query );
416
417			$database->query();
418
419		}
420
421
422
423		// check if auto_purge value set
424
425		if ( $my->cfg_name == 'auto_purge' ) {
426
427			$purge 	= $my->cfg_value;
428
429		} else {
430
431		// if no value set, default is 7 days
432
433			$purge 	= 7;
434
435		}
436
437		// calculation of past date
438
439		$past = date( 'Y-m-d H:i:s', time() - $purge * 60 * 60 * 24 );
440
441
442
443		// if purge value is not 0, then allow purging of old messages
444
445		if ($purge != 0) {
446
447		// purge old messages at day set in message configuration
448
449			$query = "DELETE FROM #__messages"
450
451			. "\n WHERE date_time < " . $database->Quote( $past )
452
453			. "\n AND user_id_to = " . (int) $my->id
454
455			;
456
457			$database->setQuery( $query );
458
459			if (!$database->query()) {
460
461				echo $database->stderr();
462
463			}
464
465		}
466
467
468
469		/** cannot using mosredirect as this stuffs up the cookie in IIS */
470
471		// redirects page to admin homepage by default or expired page
472
473		echo "<script>document.location.href='$expired';</script>\n";
474
475		exit();
476
477	} else {
478
479		mosErrorAlert("Incorrect Username, Password, or Access Level.  Please try again", "document.location.href='index.php?mosmsg=Incorrect Username, Password, or Access Level. Please try again'");
480
481	}
482
483} else {
484
485	initGzip();
486
487	$path = $mosConfig_absolute_path . '/administrator/templates/' . $mainframe->getTemplate() . '/login.php';
488
489	require_once( $path );
490
491	doGzip();
492
493}
494
495?>