summaryrefslogtreecommitdiffstats
path: root/web
diff options
context:
space:
mode:
authorLoui Chang <louipc.ist@gmail.com>2007-09-28 05:00:08 +0200
committerDan McGee <dan@archlinux.org>2008-01-20 06:47:03 +0100
commit6b3e9028517bbd8ffe6f1816b905585a88091052 (patch)
treefd3d91b4da4bbff9de62b2d16b5578d82fc05094 /web
parent8f7fb2b1cbd5e39a3f17b93afdd72e5eb34a56a8 (diff)
downloadaur-6b3e9028517bbd8ffe6f1816b905585a88091052.tar.gz
aur-6b3e9028517bbd8ffe6f1816b905585a88091052.tar.xz
Several functions added to web/lib/acctfuncs.inc
try_login() to login users valid_username() checks if a new username fits criteria valid_user() checks if the user exists in the database good_passwd() only checks for minimum password length for now. can be later expanded to tell a user to make a stronger password. valid_passwd() checks if the password for the specified user is correct user_suspended() checks if the user is suspended (or not) user_delete() deletes a user Also: Enforce proper usernames on account creation Fix bug where $SUPPORTED_LANGS needs to be reset on account creation Fix bug where an account could be created with an empty passwd Display (required) beside password fields on account creation Enforce good_passwd() on account creation Signed-off-by: Loui Chang <louipc.ist@gmail.com>
Diffstat (limited to 'web')
-rw-r--r--web/lib/acctfuncs.inc195
1 files changed, 191 insertions, 4 deletions
diff --git a/web/lib/acctfuncs.inc b/web/lib/acctfuncs.inc
index ef8e774b..7915f9cc 100644
--- a/web/lib/acctfuncs.inc
+++ b/web/lib/acctfuncs.inc
@@ -79,7 +79,7 @@ function display_account_form($UTYPE,$A,$U="",$T="",$S="",
print "<td align='left'>".__("Password").":</td>";
print "<td align='left'><input type='password' size='30' maxlength='32'";
print " name='P' value='".$P."'>";
- if ($TYPE == "new") {
+ if ($A != "UpdateAccount") {
print " (".__("required").")";
}
print "</td></tr>\n";
@@ -88,7 +88,7 @@ function display_account_form($UTYPE,$A,$U="",$T="",$S="",
print "<td align='left'>".__("Re-type password").":</td>";
print "<td align='left'><input type='password' size='30' maxlength='32'";
print " name='C' value='".$C."'>";
- if ($TYPE == "new") {
+ if ($A != "UpdateAccount") {
print " (".__("required").")";
}
print "</td></tr>\n";
@@ -108,6 +108,8 @@ function display_account_form($UTYPE,$A,$U="",$T="",$S="",
print "<tr>";
print "<td align='left'>".__("Language").":</td>";
print "<td align='left'><select name=L>\n";
+
+ reset($SUPPORTED_LANGS);
while (list($code, $lang) = each($SUPPORTED_LANGS)) {
if ($L == $code) {
print "<option value=".$code." selected> ".$lang."\n";
@@ -132,6 +134,7 @@ function display_account_form($UTYPE,$A,$U="",$T="",$S="",
print "<tr>";
print "<td>&nbsp;</td>";
print "<td align='left'>";
+
if ($A == "UpdateAccount") {
print "<input type='submit' class='button'";
print " value='".__("Update")."'> &nbsp; ";
@@ -175,13 +178,14 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="",
$dbh = db_connect();
$error = "";
- if (!isset($E) || !isset($U)) {
+ if (empty($E) || empty($U)) {
$error = __("Missing a required field.");
}
+
if ($TYPE == "new") {
# they need password fields for this type of action
#
- if (!isset($P) || !isset($C)) {
+ if (empty($P) || empty($C)) {
$error = __("Missing a required field.");
}
} else {
@@ -189,9 +193,22 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="",
$error = __("Missing User ID");
}
}
+
+ if (!$error && !valid_username($U))
+ $error = __("The username is invalid.") . "<ul>\n"
+ ."<li>" . __("It must be " . USERNAME_MIN_LEN . "-" . USERNAME_MAX_LEN
+ . " characters long") . "</li>"
+ . "<li>" . __("start and end with a letter or number") . "</li>"
+ . "<li>" . __("can contain only one period, underscore or hyphen.")
+ . "</li>\n</ul>";
+
if (!$error && $P && $C && ($P != $C)) {
$error = __("Password fields do not match.");
}
+ if (!$error && !good_passwd($P))
+ $error = __("Your password must be at least " . PASSWD_MIN_LEN
+ . " characters.");
+
if (!$error && !valid_email($E)) {
$error = __("The email address is invalid.");
}
@@ -578,5 +595,175 @@ function display_account_info($U="",$T="",
return;
}
+/*
+ * Returns SID (Session ID) and error (error message) in an array
+ * SID of 0 means login failed.
+ * There should be a better way of doing this...I think
+ */
+function try_login() {
+ $login_error = "";
+ $new_sid = "";
+ $userID = null;
+
+ if ( isset($_REQUEST['user']) || isset($_REQUEST['passwd']) ) {
+
+
+ $userID = valid_user($_REQUEST['user']);
+
+ if ( user_suspended( $userID ) ) {
+ $login_error = "Account Suspended.";
+ }
+ elseif ( $userID && isset($_REQUEST['passwd'])
+ && valid_passwd($userID, $_REQUEST['passwd']) ) {
+
+ $logged_in = 0;
+ $num_tries = 0;
+
+ # Account looks good. Generate a SID and store it.
+ #
+
+ $dbh = db_connect();
+ while (!$logged_in && $num_tries < 5) {
+ $new_sid = new_sid();
+ $q = "INSERT INTO Sessions (UsersID, SessionID, LastUpdateTS)"
+ ." VALUES ( $userID, '" . $new_sid . "', UNIX_TIMESTAMP())";
+ $result = db_query($q, $dbh);
+ # Query will fail if $new_sid is not unique
+ #
+ if ($result) {
+ $logged_in = 1;
+ break;
+ }
+ $num_tries++;
+ }
+ if ($logged_in) {
+ # set our SID cookie
+
+ setcookie("AURSID", $new_sid, 0, "/");
+# header("Location: /index.php");
+ header("Location: " . $_SERVER['PHP_SELF']);
+ $login_error = "";
+
+ }
+ else {
+ $login_error = "Error trying to generate session id.";
+ }
+ }
+ else {
+ $login_error = "Bad username or password.";
+ }
+ }
+ return array('SID' => $new_sid, 'error' => $login_error);
+}
+
+/*
+ * Only checks if the name itself is valid
+ * Longer or equal to USERNAME_MIN_LEN
+ * Shorter or equal to USERNAME_MAX_LEN
+ * Starts and ends with a letter or number
+ * Contains at most ONE dot, hyphen, or underscore
+ * Returns the username if it is valid
+ * Returns nothing if it isn't valid
+ */
+function valid_username( $user )
+{
+
+ #Is it non-empty?
+ if (!empty($user)) {
+
+ #Is username at not too short or too long?
+ if ( strlen($user) >= USERNAME_MIN_LEN &&
+ strlen($user) <= USERNAME_MAX_LEN ) {
+
+ $user = strtolower($user);
+ #Does username:
+ # start and end with a letter or number
+ # contain only letters and numbers,
+ # and at most has one dash, period, or underscore
+ if ( preg_match("/^[a-z0-9]+[.-_]?[a-z0-9]+$/", $user) ) {
+ #All is good return the username
+ return $user;
+ }
+ }
+ }
+
+ return;
+}
+
+/*
+ * Checks if the username is valid and if it exists in the database
+ * Returns the username ID or nothing
+ */
+function valid_user( $user )
+{
+ /* if ( $user = valid_username($user) ) { */
+ if ( $user ) {
+ $dbh = db_connect();
+ /* $q = "SELECT ID FROM Users WHERE Username = '$user'"; */
+ $q = "SELECT ID FROM Users WHERE Username = '"
+ . mysql_real_escape_string($user). "'";
+
+ $result = mysql_fetch_row(db_query($q, $dbh));
+ #Is the username in the database?
+ if ($result[0]) {
+ return $result[0];
+ }
+ }
+ return;
+}
+
+function good_passwd( $passwd )
+{
+ if ( strlen($passwd) >= PASSWD_MIN_LEN ) {
+ return true;
+ }
+ return false;
+}
+
+/* Verifies that the password is correct for the userID specified.
+ * Returns true or false
+ */
+function valid_passwd( $userID, $passwd )
+{
+ if ( good_passwd($passwd) ) {
+ $dbh = db_connect();
+ $q = "SELECT ID FROM Users".
+ " WHERE ID = '$userID'" .
+ " AND Passwd = '" . md5($passwd) . "'";
+
+ $result = mysql_fetch_row(db_query($q, $dbh));
+ if ($result[0]) {
+ #is it the right password?
+ return true;
+ }
+ }
+ return false;
+}
+
+/*
+ * Is the user account suspended?
+ */
+function user_suspended( $id )
+{
+ $dbh = db_connect();
+ $q = "SELECT Suspended FROM Users WHERE ID = '$id'";
+ $result = mysql_fetch_row(db_query($q, $dbh));
+ if ($result[0] == 1 ) {
+ return true;
+ }
+ return false;
+}
+
+/*
+ * This should be expanded to return something
+ * TODO: Handle orphaning of user's packages
+ */
+function user_delete( $id )
+{
+ $dbh = db_connect();
+ $q = "DELETE FROM Users WHERE ID = '$id'";
+ $result = mysql_fetch_row(db_query($q, $dbh));
+}
+
# vim: ts=2 sw=2 noet ft=php
?>