From e9de45954ae404fe1952fec067aad57bcd787a96 Mon Sep 17 00:00:00 2001 From: Loui Chang Date: Thu, 4 Oct 2007 01:47:01 -0400 Subject: Several functions added to web/lib/acctfuncs.inc Weeere back! try_login() to login users valid_username() checks if a new username fits criteria valid_user() checks if the user exists in the database good_passwd() only checks for minimum password length for now. can be later expanded to tell a user to make a stronger password. valid_passwd() checks if the password for the specified user is correct user_suspended() checks if the user is suspended (or not) user_delete() deletes a user (it doesn't orphan PKGs yet though) user_is_privileged() returns privilege level User (0) TU (2) Dev (3) of user ID. 0 is used for a regular user for ease in conditionals. Also: Enforce proper usernames on account creation or editing Fix bug where $SUPPORTED_LANGS needs to be reset on account creation Fix bug where an account could be created with an empty passwd Display (required) beside password fields on account creation Enforce good_passwd() on account creation TUs and Devs can edit a user to have a username that doesn't conform to the standard valid_username(). This is to allow them to edit old accounts without messing up the user name. Signed-off-by: Loui Chang --- web/lib/acctfuncs.inc | 215 +++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 211 insertions(+), 4 deletions(-) (limited to 'web/lib') diff --git a/web/lib/acctfuncs.inc b/web/lib/acctfuncs.inc index ef8e774b..2968adbb 100644 --- a/web/lib/acctfuncs.inc +++ b/web/lib/acctfuncs.inc @@ -79,7 +79,7 @@ function display_account_form($UTYPE,$A,$U="",$T="",$S="", print "".__("Password").":"; print ""; - if ($TYPE == "new") { + if ($A != "UpdateAccount") { print " (".__("required").")"; } print "\n"; @@ -88,7 +88,7 @@ function display_account_form($UTYPE,$A,$U="",$T="",$S="", print "".__("Re-type password").":"; print ""; - if ($TYPE == "new") { + if ($A != "UpdateAccount") { print " (".__("required").")"; } print "\n"; @@ -108,6 +108,8 @@ function display_account_form($UTYPE,$A,$U="",$T="",$S="", print ""; print "".__("Language").":"; print "   "; @@ -173,15 +176,21 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="", # global $SUPPORTED_LANGS; + if(isset($_COOKIE['AURSID'])) + $editor_user = uid_from_sid($_COOKIE['AURSID']); + else + $editor_user = null; + $dbh = db_connect(); $error = ""; - if (!isset($E) || !isset($U)) { + if (empty($E) || empty($U)) { $error = __("Missing a required field."); } + if ($TYPE == "new") { # they need password fields for this type of action # - if (!isset($P) || !isset($C)) { + if (empty($P) || empty($C)) { $error = __("Missing a required field."); } } else { @@ -189,9 +198,22 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="", $error = __("Missing User ID"); } } + + if (!$error && !valid_username($U) && !user_is_privileged($editor_user)) + $error = __("The username is invalid.") . ""; + if (!$error && $P && $C && ($P != $C)) { $error = __("Password fields do not match."); } + if (!$error && $P != '' && !good_passwd($P)) + $error = __("Your password must be at least " . PASSWD_MIN_LEN + . " characters."); + if (!$error && !valid_email($E)) { $error = __("The email address is invalid."); } @@ -578,5 +600,190 @@ function display_account_info($U="",$T="", return; } +/* + * Returns SID (Session ID) and error (error message) in an array + * SID of 0 means login failed. + * There should be a better way of doing this...I think + */ +function try_login() { + $login_error = ""; + $new_sid = ""; + $userID = null; + + if ( isset($_REQUEST['user']) || isset($_REQUEST['passwd']) ) { + + + $userID = valid_user($_REQUEST['user']); + + if ( user_suspended( $userID ) ) { + $login_error = "Account Suspended."; + } + elseif ( $userID && isset($_REQUEST['passwd']) + && valid_passwd($userID, $_REQUEST['passwd']) ) { + + $logged_in = 0; + $num_tries = 0; + + # Account looks good. Generate a SID and store it. + # + + $dbh = db_connect(); + while (!$logged_in && $num_tries < 5) { + $new_sid = new_sid(); + $q = "INSERT INTO Sessions (UsersID, SessionID, LastUpdateTS)" + ." VALUES ( $userID, '" . $new_sid . "', UNIX_TIMESTAMP())"; + $result = db_query($q, $dbh); + # Query will fail if $new_sid is not unique + # + if ($result) { + $logged_in = 1; + break; + } + $num_tries++; + } + if ($logged_in) { + # set our SID cookie + + setcookie("AURSID", $new_sid, 0, "/"); +# header("Location: /index.php"); + header("Location: " . $_SERVER['PHP_SELF']); + $login_error = ""; + + } + else { + $login_error = "Error trying to generate session id."; + } + } + else { + $login_error = "Bad username or password."; + } + } + return array('SID' => $new_sid, 'error' => $login_error); +} + +/* + * Only checks if the name itself is valid + * Longer or equal to USERNAME_MIN_LEN + * Shorter or equal to USERNAME_MAX_LEN + * Starts and ends with a letter or number + * Contains at most ONE dot, hyphen, or underscore + * Returns the username if it is valid + * Returns nothing if it isn't valid + */ +function valid_username( $user ) +{ + + #Is it non-empty? + if (!empty($user)) { + + #Is username at not too short or too long? + if ( strlen($user) >= USERNAME_MIN_LEN && + strlen($user) <= USERNAME_MAX_LEN ) { + + $user = strtolower($user); + #Does username: + # start and end with a letter or number + # contain only letters and numbers, + # and at most has one dash, period, or underscore + if ( preg_match("/^[a-z0-9]+[.\-_]?[a-z0-9]+$/", $user) ) { + #All is good return the username + return $user; + } + } + } + + return; +} + +/* + * Checks if the username is valid and if it exists in the database + * Returns the username ID or nothing + */ +function valid_user( $user ) +{ + /* if ( $user = valid_username($user) ) { */ + if ( $user ) { + $dbh = db_connect(); + $q = "SELECT ID FROM Users WHERE Username = '" + . mysql_real_escape_string($user). "'"; + + $result = mysql_fetch_row(db_query($q, $dbh)); + #Is the username in the database? + if ($result[0]) { + return $result[0]; + } + } + return; +} + +function good_passwd( $passwd ) +{ + if ( strlen($passwd) >= PASSWD_MIN_LEN ) { + return true; + } + return false; +} + +/* Verifies that the password is correct for the userID specified. + * Returns true or false + */ +function valid_passwd( $userID, $passwd ) +{ + if ( good_passwd($passwd) ) { + $dbh = db_connect(); + $q = "SELECT ID FROM Users". + " WHERE ID = '$userID'" . + " AND Passwd = '" . md5($passwd) . "'"; + + $result = mysql_fetch_row(db_query($q, $dbh)); + if ($result[0]) { + #is it the right password? + return true; + } + } + return false; +} + +/* + * Is the user account suspended? + */ +function user_suspended( $id ) +{ + $dbh = db_connect(); + $q = "SELECT Suspended FROM Users WHERE ID = '$id'"; + $result = mysql_fetch_row(db_query($q, $dbh)); + if ($result[0] == 1 ) { + return true; + } + return false; +} + +/* + * This should be expanded to return something + * TODO: Handle orphaning of user's packages + */ +function user_delete( $id ) +{ + $dbh = db_connect(); + $q = "DELETE FROM Users WHERE ID = '$id'"; + $result = mysql_fetch_row(db_query($q, $dbh)); + return; +} + +/* + * A different way of determining a user's privileges + * rather than account_from_sid() + */ +function user_is_privileged( $id ) +{ + $dbh = db_connect(); + $q = "SELECT AccountTypeID FROM Users WHERE ID = '$id'"; + $result = mysql_fetch_row(db_query($q, $dbh)); + if( $result[0] > 1) + return $result[0]; + return 0; + +} + # vim: ts=2 sw=2 noet ft=php ?> -- cgit v1.2.3-24-g4f1b