X-Git-Url: http://git.harvie.cz/?a=blobdiff_plain;f=wwwroot%2Finc%2Feventz%2Flogin.inc;h=5ebb3ae1a42b0b3186501c825c058af56b58e137;hb=c0aaf671335c0eff681bc78b3f4da279a26d0d3e;hp=c19f4e7f29c6923b34cb1d6b79db0bc99874ad80;hpb=51ff32267c4949bad6a8dddc502cbc01ed56edc8;p=mirrors%2FKyberia-bloodline.git
diff --git a/wwwroot/inc/eventz/login.inc b/wwwroot/inc/eventz/login.inc
index c19f4e7..5ebb3ae 100644
--- a/wwwroot/inc/eventz/login.inc
+++ b/wwwroot/inc/eventz/login.inc
@@ -1,15 +1,27 @@ This is da default one
- require(SYSTEM_ROOT.'/inc/ldap.inc');
+function jabberctl($command, $args) { //XXXTODO Move to some .inc file...
+ //gpasswd -a kyberia jabber #Adding user kyberia to group jabber
+ $xmpp_ejabberdctl='sudo /usr/sbin/ejabberdctl'; //XXX TODO Hardcoded
+
+ $cmd = $xmpp_ejabberdctl;
+ foreach($args as $arg) {
+ $cmd.=' '.escapeshellarg($arg);
+ }
+ system($cmd);
+}
+
+function login_check($login, $password, $login_type='id') {
 global $db,$error,$node_id;
- $login = mysql_real_escape_string($_POST['login']);
- $password = $_POST['password'];
- $hash = md5($password);
- $login_type = $_POST['login_type'];
+ $login = mysql_real_escape_string($login); //Not SQLi in $password but be carefull
+ $password_hash_algos=array('sha256','sha1','md5'); //List of supported algos can be obtained using: php -r 'print_r(hash_algos());'
+
+ $hash_query='(';
+ foreach($password_hash_algos as $algo) {
+ $hash_query.="password='".hash($algo, $password)."' OR ";
+ }
+ $hash_query.='false )';
+ $referer = $_SERVER['HTTP_REFERER'];
 if (!session_id()) {
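Review bot: jabberctl never uses its `$command` parameter — `$cmd` starts from `$xmpp_ejabberdctl` and only `$args` are appended — so the calls this commit adds later run `sudo /usr/sbin/ejabberdctl <user> <domain> <pass>` with no subcommand at all; the first line of the body should be `$cmd = $xmpp_ejabberdctl.' '.escapeshellarg($command);`. `system()` also echoes ejabberdctl's stdout straight into the HTTP response and discards the exit status, so a failed registration is invisible to the caller but visible to the user; `exec($cmd, $out, $rc); return $rc === 0;` would let login_check react to failures. Since the web server user is granted `sudo` on ejabberdctl, the sudoers entry should be limited to the subcommands this file needs rather than the whole binary. In login_check, `$hash_query` accepts any of three unsalted digests of the same password, which widens the offline-cracking surface of a leaked users table; a comment stating this is transitional (with rehashing on successful login) would help the next maintainer. login_check's body continues past the end of this hunk.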
@@ -17,29 +29,29 @@ function login() {
 return false;
 }
- switch ($login_type) {
- case "name":
- $q = "select * from users where login='$login'";
- $set = $db->query($q);
- $set->next();
- $user_id = $set->getString('user_id');
- $user_name = $set->getString('login');
- break;
- case "id":
- $q="select * from users where user_id='$login'";
- $set=$db->query($q);
- $set->next();
- $user_id=$set->getString('user_id');
- $user_name=$set->getString('login');
- break;
- }
-
- $ldap_response=LDAPuser::auth($user_id,$password);
- if ($set->getString('password') != $hash and !$ldap_response) {
+ switch ($login_type) {
+ case "name":
+ $q = "select * from users where login='$login' and $hash_query";
+ break;
+ case "base36id":
+ $login = base_convert($login, 36, 10);
+ case "id":
+ $login=intval($login); //HA! if it is number, escape_string is not enough
+ $q="select * from users where user_id='$login' and $hash_query";
+ break;
+ }
+
+ $set = $db->query($q);
+ $set->next();
+ $user_id = $set->getString('user_id');
+ $user_name = $set->getString('login');
+ $xmpp = strtolower($set->getString('xmpp'));
+
+ if (!$set) { //XXX test
 $error="Zadal si nespravne uzivatelske meno [alebo id] alebo heslo. Rob so sebou nieco";
 return false;
 }
- elseif ($set->getString('header_id') == 2091520) {
+ elseif ($set->getString('hash')) {
 $error='Tvoja registracia este nebola schvalena.';
 return false;
 }
@@ -53,11 +65,11 @@ Prajem prijemnu odvykacku:-)";
 return false;
 }
-//ldap replicate
-// LDAPuser::ldap_mysql_sync($user_name,$user_id,$password);
+// Login sucessfull
+ // prevent session fixation
+ session_regenerate_id();
-// $cube_vector=$set->getString('cube_vector');
 // saves friends list as an array into user session
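Review bot: The `if (!$set) { //XXX test` guard comes after `$set->next()` and three `getString()` calls on the same object, and a result object returned by `$db->query()` is normally truthy even when no row matched, so the wrong-password branch is likely unreachable and a failed match would fall through to the approval check with empty fields; test the fetch itself, e.g. `$set = $db->query($q); if (!$set || !$set->next()) {` (assuming the wrapper's next() reports whether a row was fetched — please verify against the DB class). The `switch` has no `default`, so an unrecognised `$login_type` leaves `$q` undefined and `$db->query($q)` runs with nothing; a `default: $error='...'; return false;` arm closes that path. The intentional fall-through from `case "base36id"` into `case "id"` deserves a `// fallthrough: base36 id is converted and then handled as a numeric id` comment so it is not "fixed" later. The enclosing function login_check starts before this hunk.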
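Review bot: `session_regenerate_id();` leaves the old session data on disk because the delete_old_session argument defaults to false, so a fixated session ID stays usable until garbage collection; call `session_regenerate_id(true);` here. The added comment `// Login sucessfull` is also misspelled (`// Login successful`). The enclosing function starts and ends outside this hunk.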
@@ -90,7 +102,6 @@ where node_access.user_id='$user_id' and node_bookmark='yes' order by node_name"
 $_SESSION['fook'][$fookset->getString('node_parent')]=true;
 }
- LDAPuser::replicate($user_name,$user_id,$password);
 //save bookstyle into user session
 $q="select node_content from nodes where node_parent=19 and external_link='session://bookstyl' and node_creator='$user_id'";
@@ -109,12 +120,19 @@ where node_access.user_id='$user_id' and node_bookmark='yes' order by node_name"
 $_SESSION['mood_name'] = $mset->getString('node_name');
 $_SESSION['mood_content'] = addslashes(substr(strip_tags($mset->getString('node_content')),0,223));
 }
- // last login
- $db->query(sprintf('update users set last_login = NOW() where user_id = %d', $user_id));
+
+ $db->query(sprintf('update users set date_last_login = NOW() where user_id = %d', $user_id));
 $_SESSION['user_id']=$user_id;
 $_SESSION['user_name']=addslashes($user_name);
+ setcookie('jabber_login', $xmpp, time()+60*60*24*10, '/'); //10days on whole domain - should have persistent username in future...
+ $xmpp_pass=hash('md5', 'jabber:'.$_POST['password']);
+ setcookie('jabber_password', $xmpp_pass, time()+60*60*24*10, '/'); //10days on whole domain
+ $xmpp_domain='kyberia.cz'; //XXX TODO Hardcoded kyberia.cz jabber domain (NOT dev.kyberia.cz!!!!!)
+ jabberctl('register', array($xmpp, $xmpp_domain, $xmpp_pass));
+ jabberctl('change_password', array($xmpp, $xmpp_domain, $xmpp_pass));
+ jabberctl('push_alltoall', array($xmpp_domain, $xmpp_domain));
 if (!empty($cube_vector)) $_SESSION['cube_vector']=$cube_vector;
 if (empty($_SESSION['template_set'])) $_SESSION['template_set']=$set->getString('template_set');
 if (is_numeric($_POST['screen_width'])) $_SESSION['browser']['screen_width']=$_POST['screen_width'];
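Review bot: `$xmpp_pass=hash('md5', 'jabber:'.$_POST['password'])` reads the raw POST field even though this commit made `$password` a parameter of login_check, so any caller other than login() derives the XMPP password from something other than the password it just authenticated with; use `$password`. The `jabber_password` cookie is then set for 10 days on the whole domain without the secure or httponly flags, so the credential travels over plain HTTP and is readable by any script on the site; unless a browser-side XMPP client must read it, pass the flags: `setcookie('jabber_password', $xmpp_pass, time()+60*60*24*10, '/', '', true, true);`. Because that value is an unsalted MD5 of the site password, a leaked cookie is also an offline cracking target for the login password itself; deriving the XMPP secret from a random per-user value would decouple the two. `$xmpp` comes straight from the users row, so a user with no XMPP name registers an empty account name here — guard the three jabberctl calls with `if ($xmpp !== '')`. The enclosing function login_check starts before this hunk.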
@@ -126,4 +144,10 @@ where node_access.user_id='$user_id' and node_bookmark='yes' order by node_name"
 // header("Location: $referer");
 return true;
 }
-?>
\ No newline at end of file
+
+function login() { $login = $_POST['login']; $password = $_POST['password']; $login_type = $_POST['login_type']; return login_check($login, $password, $login_type); }
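Review bot: login() passes `$_POST['login_type']` through unconditionally, so when the form omits the field login_check receives null instead of its `'id'` default and the switch in login_check matches nothing; read it as `$login_type = isset($_POST['login_type']) ? $_POST['login_type'] : 'id';` and give the other two fields the same `isset` treatment (defaulting to `''`) so a missing POST field does not raise notices on the way in. Dropping the closing `?>` is a good change, since stray output after it would have broken the setcookie() calls in login_check.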