Changeset 1744

Timestamp:

Jan 23, 2007, 2:22:52 AM (17 years ago)

Author:

rvelices

Message:

• revert feature 564: log the login of each user; but add the possibility to be

done by a plugin

• create a "standard" way to define PHP functions that we use but might not be

available in the current php version

• when a comment is rejected (spam, anti-flood etc), put the content back to the

browser in case there is a real user behind it

• now a comment can be entered only if the page was retrieved between 2 seconds

ago and 1 hour ago

Location:

trunk

Files:

• admin/configuration.php (modified) (1 diff)
• identification.php (modified) (1 diff)
• include/common.inc.php (modified) (1 diff)
• include/functions_html.inc.php (modified) (1 diff)
• include/functions_search.inc.php (modified) (1 diff)
• include/functions_user.inc.php (modified) (5 diffs)
• include/php_compat (added)
• include/php_compat/array_intersect_key.php (added)
• include/php_compat/hash_hmac.php (added)
• include/picture_comment.inc.php (modified) (4 diffs)
• include/ws_functions.inc.php (modified) (1 diff)
• install/config.sql (modified) (1 diff)
• install/db/46-database.php (added)
• language/en_UK.iso-8859-1/admin.lang.php (modified) (1 diff)
• language/en_UK.iso-8859-1/help/configuration.html (modified) (1 diff)
• language/fr_FR.iso-8859-1/admin.lang.php (modified) (1 diff)
• language/fr_FR.iso-8859-1/help/configuration.html (modified) (1 diff)
• template/yoga/admin/configuration.tpl (modified) (1 diff)
• template/yoga/picture.tpl (modified) (1 diff)

trunk/admin/configuration.php

@@ -52 +52 @@
     'history_admin',
     'history_guest',
-    'login_history',
     'email_admin_on_new_user',
     'allow_user_registration',

trunk/identification.php

@@ -46 +46 @@
 {
   $redirect_to = isset($_POST['redirect']) ? $_POST['redirect'] : '';
-  $username = mysql_escape_string($_POST['username']);
-  // retrieving the encrypted password of the login submitted
-  $query = '
-SELECT '.$conf['user_fields']['id'].' AS id,
-       '.$conf['user_fields']['password'].' AS password
-  FROM '.USERS_TABLE.'
-  WHERE '.$conf['user_fields']['username'].' = \''.$username.'\'
-;';
-  $row = mysql_fetch_array(pwg_query($query));
-  if ($row['password'] == $conf['pass_convert']($_POST['password']))
+  $remember_me = isset($_POST['remember_me']) and $_POST['remember_me']==1;
+  if ( try_log_user($_POST['username'], $_POST['password'], $remember_me) )
   {
-    $remember_me = false;
-    if (isset($_POST['remember_me'])
-        and $_POST['remember_me'] == 1)
-    {
-      $remember_me = true;
-    }
-    log_user($row['id'], $remember_me);
     redirect(empty($redirect_to) ? make_index_url() : $redirect_to);
   }

trunk/include/common.inc.php

@@ -122 +122 @@
 }
 
+foreach( array(
+  'array_intersect_key', //PHP 5 >= 5.1.0RC1
+  'hash_hmac', //(hash) - enabled by default as of PHP 5.1.2
+  ) as $func)
+{
+  if (!function_exists($func))
+  {
+    include_once(PHPWG_ROOT_PATH . 'include/php_compat/'.$func.'.php');
+  }
+}
+
 include(PHPWG_ROOT_PATH . 'include/config_default.inc.php');
 @include(PHPWG_ROOT_PATH. 'include/config_local.inc.php');

trunk/include/functions_html.inc.php

@@ -718 +718 @@
   header("HTTP/1.1 $code $text");
   header("Status: $code $text");
+  trigger_action('set_status_header', $code, $text);
 }
 ?>

trunk/include/functions_search.inc.php

@@ -251 +251 @@
 
   return $items;
-}
-
-
-if (!function_exists('array_intersect_key')) {
-   function array_intersect_key()
-   {
-       $arrs = func_get_args();
-       $result = array_shift($arrs);
-       foreach ($arrs as $array) {
-           foreach ($result as $key => $v) {
-               if (!array_key_exists($key, $array)) {
-                   unset($result[$key]);
-               }
-           }
-       }
-       return $result;
-   }
 }
 

trunk/include/functions_user.inc.php

@@ -859 +859 @@
  * returns the auto login key or false on error
  * @param int user_id
+ * @param string [out] username
 */
-function calculate_auto_login_key($user_id)
+function calculate_auto_login_key($user_id, &$username)
 {
   global $conf;
@@ -872 +873 @@
   {
     $row = mysql_fetch_assoc($result);
-    $key = sha1( $row['username'].$row['password'] );
+    $username = $row['username'];
+    $data = $row['username'].$row['password'];
+    $key = base64_encode(
+      pack('H*', sha1($data))
+      .hash_hmac('md5', $data, $conf['secret_key'],true)
+      );
     return $key;
   }
@@ -890 +896 @@
   if ($remember_me and $conf['authorize_remembering'])
   {
-    $key = calculate_auto_login_key($user_id);
+    $key = calculate_auto_login_key($user_id, $username);
     if ($key!==false)
     {
@@ -929 +935 @@
   {
     $cookie = unserialize(stripslashes($_COOKIE[$conf['remember_me_name']]));
-    if ($cookie!==false)
-    {
-      $key = calculate_auto_login_key($cookie['id']);
+    if ($cookie!==false and is_numeric(@$cookie['id']) )
+    {
+      $key = calculate_auto_login_key( $cookie['id'], $username );
       if ($key!==false and $key===$cookie['key'])
       {
         log_user($cookie['id'], true);
+        trigger_action('login_success', $username);
         return true;
       }
@@ -940 +947 @@
     setcookie($conf['remember_me_name'], '', 0, cookie_path());
   }
+  return false;
+}
+
+/**
+ * Tries to login a user given username and password (must be MySql escaped)
+ * return true on success
+ */
+function try_log_user($username, $password, $remember_me)
+{
+  global $conf;
+  // retrieving the encrypted password of the login submitted
+  $query = '
+SELECT '.$conf['user_fields']['id'].' AS id,
+       '.$conf['user_fields']['password'].' AS password
+  FROM '.USERS_TABLE.'
+  WHERE '.$conf['user_fields']['username'].' = \''.$username.'\'
+;';
+  $row = mysql_fetch_assoc(pwg_query($query));
+  if ($row['password'] == $conf['pass_convert']($password))
+  {
+    log_user($row['id'], $remember_me);
+    trigger_action('login_success', $username);
+    return true;
+  }
+  trigger_action('login_failure', $username);
   return false;
 }

trunk/include/picture_comment.inc.php

@@ -31 +31 @@
  */
 
-if (!function_exists('hash_hmac'))
-{
-function hash_hmac($algo, $data, $key, $raw_output=false)
-{
-  /* md5 and sha1 only */
-  $algo=strtolower($algo);
-  $p=array('md5'=>'H32','sha1'=>'H40');
-  if ( !isset($p[$algo]) or !function_exists($algo) )
-  {
-    $algo = 'md5';
-  }
-  if(strlen($key)>64) $key=pack($p[$algo],$algo($key));
-  if(strlen($key)<64) $key=str_pad($key,64,chr(0));
-
-  $ipad=substr($key,0,64) ^ str_repeat(chr(0x36),64);
-  $opad=substr($key,0,64) ^ str_repeat(chr(0x5C),64);
-
-  $ret = $algo($opad.pack($p[$algo],$algo($ipad.$data)));
-  if ($raw_output)
-  {
-    $ret = pack('H*', $ret);
-  }
-  return $ret;
-}
-}
-
 //returns string action to perform on a new comment: validate, moderate, reject
 function user_comment_check($action, $comment, $picture)
@@ -167 +141 @@
   $key = explode(':', @$_POST['key']);
   if ( count($key)!=2
-        or $key[0]>time() or $key[0]<time()-1800 // 30 minutes expiration
+        or $key[0]>time()-2 // page must have been retrieved more than 2 sec ago
+        or $key[0]<time()-3600 // 60 minutes expiration
         or hash_hmac('md5', $key[0], $conf['secret_key'])!=$key[1]
       )
@@ -258 +233 @@
   else
   {
+    set_status_header(403);
     $template->assign_block_vars('information',
           array('INFORMATION'=>l10n('comment_not_added') )
@@ -355 +331 @@
     $key = time();
     $key .= ':'.hash_hmac('md5', $key, $conf['secret_key']);
+    $content = '';
+    if ('reject'===@$comment_action)
+    {
+      $content = htmlspecialchars($comm['content']);
+    }
     $template->assign_block_vars('comments.add_comment',
         array(
-          'key' => $key
+          'KEY' => $key,
+          'CONTENT' => $content
         ));
     // display author field if the user is not logged in

trunk/include/ws_functions.inc.php

@@ -495 +495 @@
     return new PwgError(400, "This method requires POST");
   }
-
-  $username = $params['username'];
-  // retrieving the encrypted password of the login submitted
-  $query = '
-SELECT '.$conf['user_fields']['id'].' AS id,
-       '.$conf['user_fields']['password'].' AS password
-  FROM '.USERS_TABLE.'
-  WHERE '.$conf['user_fields']['username'].' = \''.$username.'\'
-;';
-  $row = mysql_fetch_assoc(pwg_query($query));
-
-  if ($row['password'] == $conf['pass_convert']($params['password']))
-  {
-    log_user($row['id'], false);
+  if (try_log_user($params['username'], $params['password'],false))
+  {
     return true;
   }

trunk/install/config.sql

@@ -22 +22 @@
 INSERT INTO phpwebgallery_config (param,value,comment) VALUES ('history_admin','false','keep a history of administrator visits on your website');
 INSERT INTO phpwebgallery_config (param,value,comment) VALUES ('history_guest','true','keep a history of guest visits on your website');
-INSERT INTO phpwebgallery_config (param,value,comment) VALUES ('login_history','true','keep a history of user logins on your website');
 INSERT INTO phpwebgallery_config (param,value,comment) VALUES ('allow_user_registration','true','allow visitors to register?');
 INSERT INTO phpwebgallery_config (param,value,comment) VALUES ('secret_key', MD5(RAND()), 'a secret key specific to the gallery for internal use');

trunk/language/en_UK.iso-8859-1/admin.lang.php

@@ -107 +107 @@
 $lang['Linked categories'] = 'Linked categories';
 $lang['Lock gallery'] = 'Lock gallery';
-$lang['Login history'] = 'User login history';
 $lang['Maintenance'] = 'Maintenance';
 $lang['Manage permissions for a category'] = 'Manage permissions for a category';

trunk/language/en_UK.iso-8859-1/help/configuration.html

@@ -41 +41 @@
 
   <li><strong>History Guests</strong>: page visits by guests will be saved.</li>
-
-  <li><strong>User login history</strong>: when a user logs in, it will be
-  logged in the <code>history</code> table.</li>
-
 </ul>
 

trunk/language/fr_FR.iso-8859-1/admin.lang.php

@@ -107 +107 @@
 $lang['Linked categories'] = 'Catégories associées';
 $lang['Lock gallery'] = 'Verrouiller la galerie';
-$lang['Login history'] = 'Historique des connexions';
 $lang['Maintenance'] = 'Maintenance';
 $lang['Manage permissions for a category'] = 'Gérer les permissions pour une catégorie';

trunk/language/fr_FR.iso-8859-1/help/configuration.html

@@ -42 +42 @@
   <li><strong>Historique Invités</strong>: les visites des pages
   par les invités sont enregistrées.</li>
-
-  <li><strong>Historique des connexions</strong>: chaque connexion
-  utilisateur, est enregistrée dans la table <code>history</code>.</li>
-
 </ul>
 

trunk/template/yoga/admin/configuration.tpl

@@ -83 +83 @@
             <label><span class="property">{lang:Guests}</span><input type="checkbox" name="history_guest" {general.HISTORY_GUEST} /></label>
           </li>
-
-          <li>
-            <label><span class="property">{lang:Login history}</span><input type="checkbox" name="login_history" {general.LOGIN_HISTORY} /></label>
-          </li>
         </ul>
       </fieldset>

trunk/template/yoga/picture.tpl

@@ -191 +191 @@
       <label>{lang:upload_author}<input type="text" name="author"></label>
       <!-- END author_field -->
-      <label>{lang:comment}<textarea name="content" rows="5" cols="80"></textarea></label>
-      <input type="hidden" name="key" value="{comments.add_comment.key}" />
+      <label>{lang:comment}<textarea name="content" rows="5" cols="80">{comments.add_comment.CONTENT}</textarea></label>
+      <input type="hidden" name="key" value="{comments.add_comment.KEY}" />
       <input type="submit" value="{lang:submit}">
     </fieldset>