gnh1201/seeddms-code
1
0
Fork 0
mirror of https://git.code.sf.net/p/seeddms/code synced 2025-06-01 14:37:20 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

- use new class LetoDMS_Session instead of accessing the database directly

Browse Source
This commit is contained in:
steinm 2011-01-11 09:08:04 +00:00
parent e00419b1cc
commit c3030165ae
2 changed files with 266 additions and 288 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

465
op/op.Login.php
View File

@ -1,73 +1,74 @@
<?php <?php
// MyDMS. Document Management System // MyDMS. Document Management System
// Copyright (C) 2002-2005 Markus Westphal // Copyright (C) 2002-2005 Markus Westphal
// Copyright (C) 2006-2008 Malcolm Cowe // Copyright (C) 2006-2008 Malcolm Cowe
// //
// This program is free software; you can redistribute it and/or modify // This program is free software; you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by // it under the terms of the GNU General Public License as published by
// the Free Software Foundation; either version 2 of the License, or // the Free Software Foundation; either version 2 of the License, or
// (at your option) any later version. // (at your option) any later version.
// //
// This program is distributed in the hope that it will be useful, // This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of // but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details. // GNU General Public License for more details.
// //
// You should have received a copy of the GNU General Public License // You should have received a copy of the GNU General Public License
// along with this program; if not, write to the Free Software // along with this program; if not, write to the Free Software
// Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. // Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
include("../inc/inc.Settings.php"); include("../inc/inc.Settings.php");
include("../inc/inc.Utils.php"); include("../inc/inc.Utils.php");
include("../inc/inc.Language.php"); include("../inc/inc.Language.php");
include("../inc/inc.ClassDMS.php"); include("../inc/inc.ClassDMS.php");
include("../inc/inc.DBAccess.php"); include("../inc/inc.ClassSession.php");
include("../inc/inc.DBAccess.php");
include("../inc/inc.DBInit.php"); include("../inc/inc.DBInit.php");
include("../inc/inc.ClassUI.php"); include("../inc/inc.ClassUI.php");
include("../inc/inc.ClassEmail.php"); include("../inc/inc.ClassEmail.php");
function _printMessage($heading, $message) { function _printMessage($heading, $message) {
UI::htmlStartPage($heading, "login"); UI::htmlStartPage($heading, "login");
UI::globalBanner(); UI::globalBanner();
UI::pageNavigation($heading); UI::pageNavigation($heading);
UI::contentContainer($message); UI::contentContainer($message);
UI::htmlEndPage(); UI::htmlEndPage();
return; return;
} }
if (isset($_POST["login"])) { if (isset($_POST["login"])) {
$login = sanitizeString($_POST["login"]); $login = sanitizeString($_POST["login"]);
$login = str_replace("*", "", $login); $login = str_replace("*", "", $login);
} }
else if (isset($_GET["login"])) { else if (isset($_GET["login"])) {
$login = sanitizeString($_GET["login"]); $login = sanitizeString($_GET["login"]);
$login = str_replace("*", "", $login); $login = str_replace("*", "", $login);
} }
if (!isset($login) || strlen($login)==0) { if (!isset($login) || strlen($login)==0) {
_printMessage(getMLText("login_error_title"), "<p>".getMLText("login_not_given")."</p>\n". _printMessage(getMLText("login_error_title"), "<p>".getMLText("login_not_given")."</p>\n".
"<p><a href='".$settings->_httpRoot."op/op.Logout.php'>".getMLText("back")."</a></p>\n"); "<p><a href='".$settings->_httpRoot."op/op.Logout.php'>".getMLText("back")."</a></p>\n");
exit; exit;
} }
$pwd = (string) $_POST["pwd"]; $pwd = (string) $_POST["pwd"];
if (get_magic_quotes_gpc()) { if (get_magic_quotes_gpc()) {
$pwd = stripslashes($pwd); $pwd = stripslashes($pwd);
} }
$guestUser = $dms->getUser($settings->_guestID); $guestUser = $dms->getUser($settings->_guestID);
if ((!isset($pwd) || strlen($pwd)==0) && ($login != $guestUser->getLogin())) { if ((!isset($pwd) || strlen($pwd)==0) && ($login != $guestUser->getLogin())) {
_printMessage(getMLText("login_error_title"), "<p>".getMLText("login_error_text")."</p>\n". _printMessage(getMLText("login_error_title"), "<p>".getMLText("login_error_text")."</p>\n".
"<p><a href='".$settings->_httpRoot."op/op.Logout.php'>".getMLText("back")."</a></p>\n"); "<p><a href='".$settings->_httpRoot."op/op.Logout.php'>".getMLText("back")."</a></p>\n");
exit; exit;
} }
// //
// LDAP Sign In // LDAP Sign In
// //
/* new code by doudoux - TO BE TESTED */ /* new code by doudoux - TO BE TESTED */
$ldapSearchAttribut = "uid="; $ldapSearchAttribut = "uid=";
$tmpDN = "uid=".$login.",".$settings->_ldapBaseDN; $tmpDN = "uid=".$login.",".$settings->_ldapBaseDN;
@ -81,22 +82,22 @@ if (isset($settings->_ldapType))
} }
/* end of new code */ /* end of new code */
$user = false; $user = false;
if (isset($settings->_ldapHost) && strlen($settings->_ldapHost)>0) { if (isset($settings->_ldapHost) && strlen($settings->_ldapHost)>0) {
if (isset($settings->_ldapPort) && is_int($settings->_ldapPort)) { if (isset($settings->_ldapPort) && is_int($settings->_ldapPort)) {
$ds = ldap_connect($settings->_ldapHost, $settings->_ldapPort); $ds = ldap_connect($settings->_ldapHost, $settings->_ldapPort);
} }
else { else {
$ds = ldap_connect($settings->_ldapHost); $ds = ldap_connect($settings->_ldapHost);
} }
if (!is_bool($ds)) { if (!is_bool($ds)) {
// Ensure that the LDAP connection is set to use version 3 protocol. // Ensure that the LDAP connection is set to use version 3 protocol.
// Required for most authentication methods, including SASL. // Required for most authentication methods, including SASL.
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3); ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
// try an anonymous bind first. If it succeeds, get the DN for the user. // try an anonymous bind first. If it succeeds, get the DN for the user.
$bind = @ldap_bind($ds); $bind = @ldap_bind($ds);
$dn = false; $dn = false;
/* new code by doudoux - TO BE TESTED */ /* new code by doudoux - TO BE TESTED */
@ -111,185 +112,169 @@ if (isset($settings->_ldapHost) && strlen($settings->_ldapHost)>0) {
} }
/* end of new code */ /* end of new code */
/* old code */ /* old code */
if ($bind) { if ($bind) {
$search = ldap_search($ds, $settings->_ldapBaseDN, "uid=".$login); $search = ldap_search($ds, $settings->_ldapBaseDN, "uid=".$login);
if (!is_bool($search)) { if (!is_bool($search)) {
$info = ldap_get_entries($ds, $search); $info = ldap_get_entries($ds, $search);
if (!is_bool($info) && $info["count"]>0) { if (!is_bool($info) && $info["count"]>0) {
$dn = $info[0]['dn']; $dn = $info[0]['dn'];
} }
} }
} }
/* end of old code */ /* end of old code */
if (is_bool($dn)) { if (is_bool($dn)) {
// This is the fallback position, in case the anonymous bind does not // This is the fallback position, in case the anonymous bind does not
// succeed. // succeed.
/* new code by doudoux - TO BE TESTED */ /* new code by doudoux - TO BE TESTED */
$dn = $tmpDN; $dn = $tmpDN;
/* old code */ /* old code */
//$dn = "uid=".$login.",".$settings->_ldapBaseDN; //$dn = "uid=".$login.",".$settings->_ldapBaseDN;
} }
$bind = @ldap_bind($ds, $dn, $pwd); $bind = @ldap_bind($ds, $dn, $pwd);
if ($bind) { if ($bind) {
// Successfully authenticated. Now check to see if the user exists within // Successfully authenticated. Now check to see if the user exists within
// the database. If not, add them in, but do not add their password. // the database. If not, add them in, but do not add their password.
$user = $dms->getUserByLogin($login); $user = $dms->getUserByLogin($login);
if (is_bool($user) && !$settings->_restricted) { if (is_bool($user) && !$settings->_restricted) {
// Retrieve the user's LDAP information. // Retrieve the user's LDAP information.
/* new code by doudoux - TO BE TESTED */ /* new code by doudoux - TO BE TESTED */
$search = ldap_search($ds, $settings->_ldapBaseDN, $ldapSearchAttribut . $login); $search = ldap_search($ds, $settings->_ldapBaseDN, $ldapSearchAttribut . $login);
/* old code */ /* old code */
//$search = ldap_search($ds, $dn, "uid=".$login); //$search = ldap_search($ds, $dn, "uid=".$login);
if (!is_bool($search)) { if (!is_bool($search)) {
$info = ldap_get_entries($ds, $search); $info = ldap_get_entries($ds, $search);
if (!is_bool($info) && $info["count"]==1 && $info[0]["count"]>0) { if (!is_bool($info) && $info["count"]==1 && $info[0]["count"]>0) {
$user = $dms->addUser($login, null, $info[0]['cn'][0], $info[0]['mail'][0], $settings->_language, $settings->_theme, ""); $user = $dms->addUser($login, null, $info[0]['cn'][0], $info[0]['mail'][0], $settings->_language, $settings->_theme, "");
} }
} }
} }
if (!is_bool($user)) { if (!is_bool($user)) {
$userid = $user->getID(); $userid = $user->getID();
} }
} }
ldap_close($ds); ldap_close($ds);
} }
} }
if (is_bool($user)) { if (is_bool($user)) {
// //
// LDAP Authentication did not succeed or is not configured. Try internal // LDAP Authentication did not succeed or is not configured. Try internal
// authentication system. // authentication system.
// //
//Retrieve user information from the database. // Try to find user with given login.
$queryStr = "SELECT * FROM tblUsers WHERE login = '".$login."'"; $user = $dms->getUserByLogin($login);
$resArr = $db->getResultArray($queryStr); if (!$user) {
if (is_bool($resArr) && $resArr == false) { _printMessage(getMLText("login_error_title"), "<p>".getMLText("login_error_text")."</p>\n".
_printMessage(getMLText("login_error_title"), "<p>".getMLText("internal_error")." - database: " . $db->getErrorMsg(). "<p><a href='".$settings->_httpRoot."op/op.Logout.php'>".getMLText("back")."</a></p>\n");
"</p>\n<p><a href='".$settings->_httpRoot."op/op.Logout.php'>".getMLText("back")."</a></p>\n"); exit;
exit; }
}
$userid = $user->getID();
if (count($resArr) == 0) {
_printMessage(getMLText("login_error_title"), "<p>".getMLText("login_error_text")."</p>\n". if (($userid == $settings->_guestID) && (!$settings->_enableGuestLogin)) {
"<p><a href='".$settings->_httpRoot."op/op.Logout.php'>".getMLText("back")."</a></p>\n"); _printMessage(getMLText("login_error_title"), "<p>".getMLText("guest_login_disabled").
exit; "</p>\n<p><a href='".$settings->_httpRoot."op/op.Logout.php'>".getMLText("back")."</a></p>\n");
} exit;
}
$resArr = $resArr[0];
$userid = $resArr["id"]; //Vergleichen des Passwortes (falls kein guest-login)
$user = $dms->getUser($userid); // Assume that the password has been sent via HTTP POST. It would be careless
// (and dangerous) for passwords to be sent via GET.
if (($resArr["id"] == $settings->_guestID) && (!$settings->_enableGuestLogin)) { if (($userid != $settings->_guestID) && (md5($pwd) != $user->getPwd())) {
_printMessage(getMLText("login_error_title"), "<p>".getMLText("guest_login_disabled"). _printMessage(getMLText("login_error_title"), "<p>".getMLText("login_error_text").
"</p>\n<p><a href='".$settings->_httpRoot."op/op.Logout.php'>".getMLText("back")."</a></p>\n"); "</p>\n<p><a href='".$settings->_httpRoot."op/op.Logout.php'>".getMLText("back")."</a></p>\n");
exit; exit;
} }
//Vergleichen des Passwortes (falls kein guest-login)
// Assume that the password has been sent via HTTP POST. It would be careless
// (and dangerous) for passwords to be sent via GET.
if (($resArr["id"] != $settings->_guestID) && (md5($pwd) != $resArr["pwd"])) {
_printMessage(getMLText("login_error_title"), "<p>".getMLText("login_error_text").
"</p>\n<p><a href='".$settings->_httpRoot."op/op.Logout.php'>".getMLText("back")."</a></p>\n");
exit;
}
// control admin IP address if required // control admin IP address if required
// TODO: extend control to LDAP autentication // TODO: extend control to LDAP autentication
if ($user->isAdmin() && ($_SERVER['REMOTE_ADDR'] != $settings->_adminIP ) && ( $settings->_adminIP != "") ){ if ($user->isAdmin() && ($_SERVER['REMOTE_ADDR'] != $settings->_adminIP ) && ( $settings->_adminIP != "") ){
_printMessage(getMLText("login_error_title"), "<p>".getMLText("invalid_user_id"). _printMessage(getMLText("login_error_title"), "<p>".getMLText("invalid_user_id").
"</p>\n<p><a href='".$settings->_httpRoot."op/op.Logout.php'>".getMLText("back")."</a></p>\n"); "</p>\n<p><a href='".$settings->_httpRoot."op/op.Logout.php'>".getMLText("back")."</a></p>\n");
exit; exit;
} }
} }
// Capture the user's language and theme settings.
// Löschen von Sitzungen, die älter als 24h sind if (isset($_POST["lang"]) && strlen($_POST["lang"])>0 && is_numeric(array_search($_POST["lang"],getLanguages())) ) {
// Delete any sessions that are more than 24 hours old. Probably not the most $lang = sanitizeString($_POST["lang"]);
// reliable place to put this check -- move to inc.Authentication.php? $user->setLanguage($lang);
$queryStr = "DELETE FROM tblSessions WHERE " . mktime() . " - lastAccess > 86400"; }
if (!$db->getResult($queryStr)) { else if (isset($_GET["lang"]) && strlen($_GET["lang"])>0 && is_numeric(array_search($_GET["lang"],getLanguages())) ) {
_printMessage(getMLText("login_error_title"), "<p>".getMLText("error_occured").": ".$db->getErrorMsg()."</p>"); $lang = sanitizeString($_GET["lang"]);
exit; $user->setLanguage($lang);
} }
else {
//Erstellen einer Sitzungs-ID $lang = $user->getLanguage();
$id = "" . rand() . mktime() . rand() . ""; if (strlen($lang)==0) {
$id = md5($id); $lang = $settings->_language;
$user->setLanguage($lang);
// Capture the user's language and theme settings. }
if (isset($_POST["lang"]) && strlen($_POST["lang"])>0 && is_numeric(array_search($_POST["lang"],getLanguages())) ) { }
$lang = sanitizeString($_POST["lang"]); if (isset($_POST["sesstheme"]) && strlen($_POST["sesstheme"])>0 && is_numeric(array_search($_POST["sesstheme"],UI::getStyles())) ) {
$user->setLanguage($lang); $sesstheme = sanitizeString($_POST["sesstheme"]);
} $user->setTheme($sesstheme);
else if (isset($_GET["lang"]) && strlen($_GET["lang"])>0 && is_numeric(array_search($_GET["lang"],getLanguages())) ) { }
$lang = sanitizeString($_GET["lang"]); else if (isset($_GET["sesstheme"]) && strlen($_GET["sesstheme"])>0 && is_numeric(array_search($_GET["sesstheme"],UI::getStyles())) ) {
$user->setLanguage($lang); $sesstheme = sanitizeString($_GET["sesstheme"]);
} $user->setTheme($sesstheme);
else { }
$lang = $user->getLanguage(); else {
if (strlen($lang)==0) { $sesstheme = $user->getTheme();
$lang = $settings->_language; if (strlen($sesstheme)==0) {
$user->setLanguage($lang); $sesstheme = $settings->_theme;
} $user->setTheme($sesstheme);
} }
if (isset($_POST["sesstheme"]) && strlen($_POST["sesstheme"])>0 && is_numeric(array_search($_POST["sesstheme"],UI::getStyles())) ) { }
$sesstheme = sanitizeString($_POST["sesstheme"]);
$user->setTheme($sesstheme); $session = new LetoDMS_Session($db);
}
else if (isset($_GET["sesstheme"]) && strlen($_GET["sesstheme"])>0 && is_numeric(array_search($_GET["sesstheme"],UI::getStyles())) ) { // Delete all sessions that are more than 24 hours old. Probably not the most
$sesstheme = sanitizeString($_GET["sesstheme"]); // reliable place to put this check -- move to inc.Authentication.php?
$user->setTheme($sesstheme); if(!$session->deleteByTime(86400)) {
} _printMessage(getMLText("login_error_title"), "<p>".getMLText("error_occured").": ".$db->getErrorMsg()."</p>");
else { exit;
$sesstheme = $user->getTheme(); }
if (strlen($sesstheme)==0) {
$sesstheme = $settings->_theme; // Create new session in database
$user->setTheme($sesstheme); if(!$id = $session->create(array('userid'=>$userid, 'theme'=>$sesstheme, 'lang'=>$lang))) {
} _printMessage(getMLText("login_error_title"), "<p>".getMLText("error_occured").": ".$db->getErrorMsg()."</p>");
} exit;
}
//Einfügen eines neuen Datensatzes in tblSessions
$queryStr = "INSERT INTO tblSessions (id, userID, lastAccess, theme, language) ". // Set the session cookie.
"VALUES ('".$id."', ".$userid.", ".mktime().", '".$sesstheme."', '".$lang."')"; setcookie("mydms_session", $id, 0, $settings->_httpRoot);
if (!$db->getResult($queryStr)) {
_printMessage(getMLText("login_error_title"), "<p>".getMLText("error_occured").": ".$db->getErrorMsg()."</p>");
exit;
}
//Setzen des Sitzungs-Cookies
// Set the session cookie.
setcookie("mydms_session", $id, 0, $settings->_httpRoot);
// TODO: by the PHP manual: The superglobals $_GET and $_REQUEST are already decoded. // TODO: by the PHP manual: The superglobals $_GET and $_REQUEST are already decoded.
// Using urldecode() on an element in $_GET or $_REQUEST could have unexpected and dangerous results. // Using urldecode() on an element in $_GET or $_REQUEST could have unexpected and dangerous results.
if (isset($_POST["referuri"]) && strlen($_POST["referuri"])>0) { if (isset($_POST["referuri"]) && strlen($_POST["referuri"])>0) {
$referuri = urldecode($_POST["referuri"]); $referuri = urldecode($_POST["referuri"]);
} }
else if (isset($_GET["referuri"]) && strlen($_GET["referuri"])>0) { else if (isset($_GET["referuri"]) && strlen($_GET["referuri"])>0) {
$referuri = urldecode($_GET["referuri"]); $referuri = urldecode($_GET["referuri"]);
} }
add_log_line(); add_log_line();
if (isset($referuri) && strlen($referuri)>0) { if (isset($referuri) && strlen($referuri)>0) {
header("Location: http".((isset($_SERVER['HTTPS']) && (strcmp($_SERVER['HTTPS'],'off')!=0)) ? "s" : "")."://".$_SERVER['HTTP_HOST'] . $referuri); header("Location: http".((isset($_SERVER['HTTPS']) && (strcmp($_SERVER['HTTPS'],'off')!=0)) ? "s" : "")."://".$_SERVER['HTTP_HOST'] . $referuri);
} }
else { else {
header("Location: ../".(isset($settings->_siteDefaultPage) && strlen($settings->_siteDefaultPage)>0 ? $settings->_siteDefaultPage : "out/out.ViewFolder.php?folderid=1")); header("Location: ../".(isset($settings->_siteDefaultPage) && strlen($settings->_siteDefaultPage)>0 ? $settings->_siteDefaultPage : "out/out.ViewFolder.php?folderid=1"));
} }
//_printMessage(getMLText("login_ok"), //_printMessage(getMLText("login_ok"),
// "<p><a href='".$settings->_httpRoot.(isset($settings->_siteDefaultPage) && strlen($settings->_siteDefaultPage)>0 ? $settings->_siteDefaultPage : "out/out.ViewFolder.php")."'>".getMLText("continue")."</a></p>"); // "<p><a href='".$settings->_httpRoot.(isset($settings->_siteDefaultPage) && strlen($settings->_siteDefaultPage)>0 ? $settings->_siteDefaultPage : "out/out.ViewFolder.php")."'>".getMLText("continue")."</a></p>");
?> ?>

89
op/op.Logout.php
View File

@ -1,50 +1,43 @@
<?php <?php
// MyDMS. Document Management System // MyDMS. Document Management System
// Copyright (C) 2002-2005 Markus Westphal // Copyright (C) 2002-2005 Markus Westphal
// Copyright (C) 2006-2008 Malcolm Cowe // Copyright (C) 2006-2008 Malcolm Cowe
// // Copyright (C) 2010 Uwe Steinmann
// This program is free software; you can redistribute it and/or modify //
// it under the terms of the GNU General Public License as published by // This program is free software; you can redistribute it and/or modify
// the Free Software Foundation; either version 2 of the License, or // it under the terms of the GNU General Public License as published by
// (at your option) any later version. // the Free Software Foundation; either version 2 of the License, or
// // (at your option) any later version.
// This program is distributed in the hope that it will be useful, //
// but WITHOUT ANY WARRANTY; without even the implied warranty of // This program is distributed in the hope that it will be useful,
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the // but WITHOUT ANY WARRANTY; without even the implied warranty of
// GNU General Public License for more details. // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// // GNU General Public License for more details.
// You should have received a copy of the GNU General Public License //
// along with this program; if not, write to the Free Software // You should have received a copy of the GNU General Public License
// Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. // along with this program; if not, write to the Free Software
// Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
include("../inc/inc.Settings.php");
include("../inc/inc.Utils.php");
include("../inc/inc.ClassDMS.php");
include("../inc/inc.DBAccess.php");
include("../inc/inc.DBInit.php");
//Code when running PHP as Module -----------------------------------------------------------------
/*
setcookie("mydms_logged_out", "true", 0, $settings->_httpRoot);
header("Location: ../out/out.ViewFolder.php");
print "Logout successful";
*/
//Code when running PHP in CGI-Mode ---------------------------------------------------------------
//Delete from tblSessions
$dms_session = $_COOKIE["mydms_session"];
$dms_session = sanitizeString($dms_session);
$queryStr = "DELETE FROM tblSessions WHERE id = '$dms_session'";
if (!$db->getResult($queryStr))
UI::exitError(getMLText("logout"),$db->getErrorMsg());
//Delete Cookie include("../inc/inc.Settings.php");
include("../inc/inc.Utils.php");
include("../inc/inc.ClassDMS.php");
include("../inc/inc.ClassSession.php");
include("../inc/inc.DBAccess.php");
include("../inc/inc.DBInit.php");
// Delete session from database
$dms_session = $_COOKIE["mydms_session"];
$dms_session = sanitizeString($dms_session);
$session = new LetoDMS_Session($db);
if(!$session->delete($dms_session)) {
UI::exitError(getMLText("logout"),$db->getErrorMsg());
}
// Delete Cookie
setcookie("mydms_session", $_COOKIE["mydms_session"], time()-3600, $settings->_httpRoot); setcookie("mydms_session", $_COOKIE["mydms_session"], time()-3600, $settings->_httpRoot);
//Forward to Login-page //Forward to Login-page
header("Location: ../out/out.Login.php"); header("Location: ../out/out.Login.php");
?> ?>