/administrator/components/com_patch/patch/administrator/index.php
<?php

/**
 * Administrator entry point (Joomla 1.0 era, JACLPlus-patched).
 *
 * Bootstraps the environment (globals, configuration, core includes, the
 * mosMainFrame API object) and then either renders the admin login template
 * (GET) or, on a POST with a 'submit' field, authenticates the user against
 * #__users, creates the admin session row in #__session, performs a few
 * per-user housekeeping updates and redirects via a JavaScript location change.
 *
 * This file has been modified by Vincent Cheah, ByOS Technologies 2008-02-27 12:07
 * for integration with JACLPlus Component
 */

/**
 * @version $Id: index.php 10041 2008-02-15 21:48:13Z eddieajau $
 * @package Joomla
 * @copyright Copyright (C) 2005 Open Source Matters. All rights reserved.
 * @license http://www.gnu.org/copyleft/gpl.html GNU/GPL, see LICENSE.php
 * Joomla! is free software. This version may have been modified pursuant
 * to the GNU General Public License, and as distributed it includes or
 * is derivative of works licensed under the GNU General Public License or
 * other free or open source software licenses.
 * See COPYRIGHT.php for copyright notices and details.
 */

// Set flag that this is a parent file (included files check for it before running)
define( '_VALID_MOS', 1 );

// No configuration yet: hand off to the installer instead of running with undefined settings
if (!file_exists( '../configuration.php' )) {
	header( 'Location: ../installation/index.php' );
	exit();
}

// These two requires are where the $mosConfig_* globals used below come from (presumably;
// only their use, not their definition, is visible in this file)
require( '../globals.php' );
require( '../configuration.php' );

// SSL check - $http_host returns <live site url>:<port number if it is 443>
// NOTE(review): HTTP_HOST is taken from the request headers, so the ":443" branch of this
// check is influenced by the client; the only effect here is rewriting the live-site
// scheme to https, which is why it has stayed a low-risk heuristic.
$http_host = explode(':', $_SERVER['HTTP_HOST'] );
if( (!empty( $_SERVER['HTTPS'] ) && strtolower( $_SERVER['HTTPS'] ) != 'off' || isset( $http_host[1] ) && $http_host[1] == 443) && substr( $mosConfig_live_site, 0, 8 ) != 'https://' ) {
	$mosConfig_live_site = 'https://'.substr( $mosConfig_live_site, 7 );
}

require_once( '../includes/joomla.php' );
// Language file is selected by the configured $mosConfig_lang, not by request input
include_once ( $mosConfig_absolute_path . '/language/'. $mosConfig_lang .'.php' );

//Installation sub folder check, removed for work with SVN
// A leftover installation/ directory is treated as "site offline" on non-SVN builds
if (file_exists( '../installation/index.php' ) && $_VERSION->SVN == 0) {
	define( '_INSTALL_CHECK', 1 );
	include ($mosConfig_absolute_path .'/offline.php');
	exit();
}

// Component name from the request, lower-cased; mosGetParam is the core input accessor
$option = strtolower( strval( mosGetParam( $_REQUEST, 'option', NULL ) ) );

// mainframe is an API workhorse, lots of 'core' interaction routines
$mainframe = new mosMainFrame( $database, $option, '..', true );

if (isset( $_POST['submit'] )) {
	// stripslashes() here compensates for magic_quotes-era escaping of POST data
	$usrname = stripslashes( mosGetParam( $_POST, 'usrname', NULL ) );
	$pass = stripslashes( mosGetParam( $_POST, 'pass', NULL ) );

	// Loose == NULL: an empty string also satisfies this, so the check means "password missing or empty"
	if($pass == NULL) {
		echo "<script>alert('Please enter a password'); document.location.href='index.php?mosmsg=Please enter a password'</script>\n";
		exit();
	}

	// Refuse to run the login flow at all if no administrator account exists
	$query = "SELECT COUNT(*)"
	. "\n FROM #__users"
	. "\n WHERE ("
	// Administrators
	. "\n gid = 24"
	// Super Administrators
	. "\n OR gid = 25"
	. "\n )"
	;
	$database->setQuery( $query );
	$count = intval( $database->loadResult() );
	if ($count < 1) {
		// NOTE(review): the flow below assumes mosErrorAlert() terminates the script; if it
		// only printed and returned, execution would continue into the login path — confirm
		// in the core include that defines it.
		mosErrorAlert( _LOGIN_NOADMINS );
	}

	// Load the user row plus its auto_purge message setting (if any) in one query.
	// The username is the only request-derived value in the SQL and it goes through Quote().
	$my = null;
	$query = "SELECT u.*, m.*"
	. "\n FROM #__users AS u"
	. "\n LEFT JOIN #__messages_cfg AS m ON u.id = m.user_id AND m.cfg_name = 'auto_purge'"
	. "\n WHERE u.username = " . $database->Quote( $usrname )
	. "\n AND u.block = 0"
	;
	$database->setQuery( $query );
	$database->loadObject( $my );

	/** find the user group (or groups in the future) */
	// The @ suppresses the notice when no row matched ($my stays null); unknown and blocked
	// users both fall through to the generic error in the else branch at the bottom.
	if (@$my->id) {
		$grp = $acl->getAroGroup( $my->id );
		$my->gid = $grp->group_id;
		$my->usertype = $grp->name;
		// JACLPlus patch: carry the extended ACL value along only when the component is loaded
		if(isset($grp->jaclplus) && class_exists('JACLPlus')) $my->jaclplus = $grp->jaclplus;

		// Conversion to new type
		// Legacy rows store a bare md5(password); on a successful match they are upgraded
		// in place to the "md5(pass.salt):salt" form used by the comparison below.
		if ((strpos($my->password, ':') === false) && $my->password == md5($pass)) {
			// Old password hash storage but authentic ... lets convert it
			$salt = mosMakePassword(16);
			$crypt = md5($pass.$salt);
			$my->password = $crypt.':'.$salt;

			// Now lets store it in the database
			// (note: no space between the quoted value and WHERE; relies on the SQL lexer tolerating it)
			$query = 'UPDATE #__users ' .
			'SET password = '.$database->Quote($my->password) .
			'WHERE id = '.(int)$my->id;
			$database->setQuery($query);
			if (!$database->query()) {
				// This is an error but not sure what to do with it ... we'll still work for now
				// (login still succeeds because the in-memory $my->password was already converted;
				// the DB keeps the legacy hash and the conversion is retried on the next login)
			}
		}

		// For a legacy hash that did NOT match above there is no ':' in the value, so $salt is
		// unset here (notice) and the comparison below still fails as intended.
		list($hash, $salt) = explode(':', $my->password);
		$cryptpass = md5($pass.$salt);

		// NOTE(review): strcmp() stops at the first differing byte (not constant-time) and md5
		// is a fast hash; on a runtime that has them, hash_equals() and password_verify() are
		// the defensive replacements. Left unchanged here because the `=& new` syntax further
		// down shows this file targets a pre-PHP 7 interpreter.
		// Same mosErrorAlert()-must-exit assumption as above: otherwise a session is created regardless.
		if ( strcmp( $hash, $cryptpass ) || !$acl->acl_check( 'administration', 'login', 'users', $my->usertype ) ) {
			mosErrorAlert("Incorrect Username, Password, or Access Level. Please try again", "document.location.href='index.php'");
		}

		// construct Session ID
		// NOTE(review): the id is derived from account attributes plus the login second rather
		// than from a CSPRNG, so it has little entropy and is forced into session_id() before
		// session_start(). A randomly generated id would remove that property; changing it
		// also affects whatever validates #__session on later requests (index2.php, presumably).
		$logintime = time();
		$session_id = md5( $my->id . $my->username . $my->usertype . $logintime );

		// Cookie name is tied to the site URL so several installs on one host do not collide
		session_name( md5( $mosConfig_live_site ) );
		session_id( $session_id );
		session_start();

		// add Session ID entry to DB
		$query = "INSERT INTO #__session"
		. "\n SET time = " . $database->Quote( $logintime ) . ", session_id = " . $database->Quote( $session_id ) . ", userid = " . (int) $my->id . ", usertype = " . $database->Quote( $my->usertype) . ", username = " . $database->Quote( $my->username )
		. ( isset($my->jaclplus) ? ", gid = " . (int) $my->gid . ", jaclplus = " . $database->Quote( $my->jaclplus ) : "" )
		;
		$database->setQuery( $query );
		if (!$database->query()) {
			// NOTE(review): this echoes the raw driver error to the browser, exposing query and
			// schema details to whoever submitted the form; logging it and showing a generic
			// message is the defensive form. Same pattern recurs twice below.
			echo $database->stderr();
		}

		// check if site designated as a production site
		// for a demo site allow multiple logins with same user account
		if ( $_VERSION->SITE == 1 ) {
			// delete other open admin sessions for same account
			$query = "DELETE FROM #__session"
			. "\n WHERE userid = " . (int) $my->id
			. "\n AND username = " . $database->Quote( $my->username )
			. "\n AND usertype = " . $database->Quote( $my->usertype )
			. "\n AND session_id != " . $database->Quote( $session_id )
			// this ensures that frontend sessions are not purged
			. "\n AND guest = 1"
			. ( isset($my->jaclplus) ? "\n AND gid = " . (int) $my->gid : "\n AND gid = 0" )
			;
			$database->setQuery( $query );
			if (!$database->query()) {
				echo $database->stderr();
			}
		}

		// Populate the PHP session with the identity that later admin requests read back
		$_SESSION['session_id'] = $session_id;
		$_SESSION['session_user_id'] = $my->id;
		$_SESSION['session_username'] = $my->username;
		$_SESSION['session_usertype'] = $my->usertype;
		$_SESSION['session_gid'] = $my->gid;
		$_SESSION['session_logintime'] = $logintime;
		$_SESSION['session_user_params'] = $my->params;
		$_SESSION['session_userstate'] = array();
		if(isset($my->jaclplus)) $_SESSION['session_jaclplus'] = $my->jaclplus;

		session_write_close();

		// Default post-login destination; may be replaced by a stored "expired page" link below
		$expired = 'index2.php';

		// check if site designated as a production site
		// for a demo site disallow expired page functionality
		if ( $_VERSION->SITE == 1 && @$mosConfig_admin_expired === '1' ) {
			$file = $mainframe->getPath( 'com_xml', 'com_users' );
			// `=& new` is PHP 4-era syntax (a parse error on PHP 7+); kept as-is
			$params =& new mosParameters( $my->params, $file, 'component' );

			$now = time();

			// expired page functionality handling
			// Both values come from the user's own stored params (#__users.params)
			$expired = $params->def( 'expired', '' );
			$expired_time = $params->def( 'expired_time', '' );

			// if now expired link set or expired time is more than half the admin session life set, simply load normal admin homepage
			$checktime = ( $mosConfig_session_life_admin ? $mosConfig_session_life_admin : 1800 ) / 2;
			if (!$expired || ( ( $now - $expired_time ) > $checktime ) ) {
				$expired = 'index2.php';
			}
			// link must also be a Joomla link to stop malicious redirection
			// (this constrains only the prefix of the stored link, not what follows it)
			if ( strpos( $expired, 'index2.php?option=com_' ) !== 0 ) {
				$expired = 'index2.php';
			}

			// clear any existing expired page data
			$params->set( 'expired', '' );
			$params->set( 'expired_time', '' );

			// param handling
			// Re-serialise the params as "key=value" lines. If toArray() is ever not an array,
			// $saveparams stays undefined and the UPDATE below writes an empty params value.
			if (is_array( $params->toArray() )) {
				$txt = array();
				foreach ( $params->toArray() as $k=>$v) {
					$txt[] = "$k=$v";
				}
				$saveparams = implode( "\n", $txt );
			}

			// save cleared expired page info to user data
			$query = "UPDATE #__users"
			. "\n SET params = " . $database->Quote( $saveparams )
			. "\n WHERE id = " . (int) $my->id
			. "\n AND username = " . $database->Quote( $my->username )
			. "\n AND usertype = " . $database->Quote( $my->usertype )
			;
			$database->setQuery( $query );
			// Failure here is ignored: stale expired-page data is harmless for the login itself
			$database->query();
		}

		// check if auto_purge value set
		if ( $my->cfg_name == 'auto_purge' ) {
			// Used as a day count below without a cast; value comes from #__messages_cfg
			$purge = $my->cfg_value;
		} else {
			// if no value set, default is 7 days
			$purge = 7;
		}
		// calculation of past date
		$past = date( 'Y-m-d H:i:s', time() - $purge * 60 * 60 * 24 );

		// if purge value is not 0, then allow purging of old messages
		if ($purge != 0) {
			// purge old messages at day set in message configuration
			$query = "DELETE FROM #__messages"
			. "\n WHERE date_time < " . $database->Quote( $past )
			. "\n AND user_id_to = " . (int) $my->id
			;
			$database->setQuery( $query );
			if (!$database->query()) {
				echo $database->stderr();
			}
		}

		/** cannot using mosredirect as this stuffs up the cookie in IIS */
		// redirects page to admin homepage by default or expired page
		// NOTE(review): $expired is interpolated into a JavaScript string literal unescaped. It is
		// either the fixed 'index2.php' or a value from the user's stored params whose prefix was
		// checked above; escaping it for the JS-string context before output would close the gap.
		echo "<script>document.location.href='$expired';</script>\n";
		exit();
	} else {
		// Unknown username, blocked account, or no row at all: one generic message for every case
		mosErrorAlert("Incorrect Username, Password, or Access Level. Please try again", "document.location.href='index.php?mosmsg=Incorrect Username, Password, or Access Level. Please try again'");
	}
} else {
	// No form submission: render the admin template's login page, gzip-wrapped
	initGzip();
	$path = $mosConfig_absolute_path . '/administrator/templates/' . $mainframe->getTemplate() . '/login.php';
	require_once( $path );
	doGzip();
}
?>