Changeset 4124 for extensions/NBC_UserAdvManager/trunk/main.inc.php
- Timestamp:
- Oct 26, 2009, 11:34:13 PM (15 years ago)
- File:
-
- 1 edited
extensions/NBC_UserAdvManager/trunk/main.inc.php
r4061 r4124 70 70 -- 2.11.5 : Bug 1195 fixed : Registration displays the good title 71 71 72 -- pre 2.12.0 : Password control and enforcement (step 1) 73 72 -- pre 2.12.0 : Bug 1206 fixed : All plugin functionnalities work in user's profile page 73 Plugin's core code and admin panel refactoring 74 Password control and enforcement : A complexity score is computed on user registration. If this score is less than the goal set by admin, the password choosen is rejected. 74 75 */ 75 76 … … 83 84 84 85 ++ Password control and enforcement 85 -- Empty password (done in Piwigo 2.x) 86 ++ Can not be the same as username 87 ++ complexity of the password (Numbers+Lettrers+Low and high case+Special+minimal length) 86 ?? Can not be the same as username -> Could password score control be sufficient ? 88 87 89 88 ++ Security : Blocking brut-force attacks ! … … 99 98 100 99 101 if (!defined('PHPWG_ROOT_PATH')) die('Hacking attempt!'); 100 if (!defined('PHPWG_ROOT_PATH')) 101 { 102 die('Hacking attempt!'); 103 } 102 104 103 105 define('NBC_UserAdvManager_DIR' , basename(dirname(__FILE__))); … … 135 137 136 138 $conf_nbc_UserAdvManager = isset($conf['nbc_UserAdvManager']) ? 
explode(";" , $conf['nbc_UserAdvManager']) : array(); 137 138 if (( isset($conf_nbc_UserAdvManager[0]) and $conf_nbc_UserAdvManager[0] == 'true') or ( isset($conf_nbc_UserAdvManager[2]) and $conf_nbc_UserAdvManager[2] == 'true')) 139 140 SendMail2User(1, $register_user['id'], $register_user['username'], $_POST['password'], $register_user['email'], true); 139 140 /* Sending registration confirmation by email */ 141 if ((isset($conf_nbc_UserAdvManager[0]) and $conf_nbc_UserAdvManager[0] == 'true') or (isset($conf_nbc_UserAdvManager[2]) and $conf_nbc_UserAdvManager[2] == 'true')) 142 { 143 SendMail2User(1, $register_user['id'], $register_user['username'], $_POST['password'], $register_user['email'], true); 144 } 141 145 } 142 146 … … 148 152 function UserAdvManager_Deluser($user_id) 149 153 { 150 151 154 DeleteConfirmMail($user_id); 152 153 } 154 155 } 156 157 158 /* Check users registration */ 159 add_event_handler('register_user_check', 'UserAdvManager_RegistrationCheck', EVENT_HANDLER_PRIORITY_NEUTRAL, 2); 160 161 function UserAdvManager_RegistrationCheck($err, $user) 162 { 163 global $errors, $conf; 164 165 $PasswordCheck = 0; 166 167 $conf_nbc_UserAdvManager = isset($conf['nbc_UserAdvManager']) ? 
explode(";" , $conf['nbc_UserAdvManager']) : array(); 168 169 /* Password enforcement control */ 170 if (isset($conf_nbc_UserAdvManager[14]) and $conf_nbc_UserAdvManager[14] == 'true' and !empty($conf_nbc_UserAdvManager[15])) 171 { 172 if (!empty($user['password']) and !is_admin()) 173 { 174 $PasswordCheck = testpassword($user['password']); 175 176 if ($PasswordCheck < $conf_nbc_UserAdvManager[15]) 177 { 178 $message = get_l10n_args('reg_err_login4_%s', $PasswordCheck); 179 return($lang['reg_err_pass'] = l10n_args($message).$conf_nbc_UserAdvManager[15]); 180 } 181 } 182 else if (!empty($user['password']) and is_admin() and isset($conf_nbc_UserAdvManager[16]) and $conf_nbc_UserAdvManager[16] == 'true') 183 { 184 $PasswordCheck = testpassword($user['password']); 185 186 if ($PasswordCheck < $conf_nbc_UserAdvManager[15]) 187 { 188 $message = get_l10n_args('reg_err_login4_%s', $PasswordCheck); 189 return($lang['reg_err_pass'] = l10n_args($message).$conf_nbc_UserAdvManager[15]); 190 } 191 } 192 } 193 194 /* Username non case sensitive */ 195 if (isset($conf_nbc_UserAdvManager[1]) and $conf_nbc_UserAdvManager[1] == 'true') 196 { 197 $new_username = NotSensibleSearchUsername($_POST['login']); 198 $_POST['login'] = $new_username == '' ? 
$_POST['login'] : $new_username; 199 } 200 201 /* Username without forbidden keys */ 202 if (isset($conf_nbc_UserAdvManager[7]) and $conf_nbc_UserAdvManager[7] == 'true' and !empty($_POST['login']) and !ValidateUsername($_POST['login'])) 203 { 204 $_POST['login'] = ''; 205 return($lang['reg_err_login1'] = l10n('reg_err_login6')."'".$conf_nbc_UserAdvManager[8]."'"); 206 } 207 208 /* Email without forbidden domains */ 209 if (isset($conf_nbc_UserAdvManager[12]) and $conf_nbc_UserAdvManager[12] == 'true' and !empty($_POST['mail_address']) and !ValidateEmailProvider($_POST['mail_address'])) 210 { 211 $_POST['login'] = ''; 212 return($lang['reg_err_login1'] = l10n('reg_err_login7')."'".$conf_nbc_UserAdvManager[13]."'"); 213 } 214 } 215 216 217 if (script_basename() == 'profile') 218 { 219 add_event_handler('loc_begin_profile', 'UserAdvManager_Profile_Init'); 220 221 function UserAdvManager_Profile_Init() 222 { 223 global $conf, $user, $template; 224 225 $conf_nbc_UserAdvManager = isset($conf['nbc_UserAdvManager']) ? 
explode(";" , $conf['nbc_UserAdvManager']) : array(); 226 227 if (isset($_POST['validate'])) 228 { 229 /* Email without forbidden domains */ 230 if (isset($conf_nbc_UserAdvManager[12]) and $conf_nbc_UserAdvManager[12] == 'true' and !empty($_POST['mail_address'])) 231 { 232 if (!ValidateEmailProvider($_POST['mail_address'])) 233 { 234 $template->append('errors', l10n('reg_err_login7')."'".$conf_nbc_UserAdvManager[13]."'"); 235 unset($_POST['validate']); 236 } 237 } 238 239 $typemail = 3; 240 241 if (!empty($_POST['use_new_pwd'])) 242 { 243 $typemail = 2; 244 245 /* Password enforcement control */ 246 if (isset($conf_nbc_UserAdvManager[14]) and $conf_nbc_UserAdvManager[14] == 'true' and !empty($conf_nbc_UserAdvManager[15])) 247 { 248 $PasswordCheck = testpassword($_POST['use_new_pwd']); 249 250 if ($PasswordCheck < $conf_nbc_UserAdvManager[15]) 251 { 252 $message = get_l10n_args('reg_err_login4_%s', $PasswordCheck); 253 $template->append('errors', l10n_args($message).$conf_nbc_UserAdvManager[15]); 254 unset($_POST['use_new_pwd']); 255 unset($_POST['validate']); 256 } 257 } 258 } 259 260 /* Sending registration confirmation by email */ 261 if (( isset($conf_nbc_UserAdvManager[0]) and $conf_nbc_UserAdvManager[0] == 'true') or ( isset($conf_nbc_UserAdvManager[2]) and $conf_nbc_UserAdvManager[2] == 'true')) 262 { 263 $confirm_mail_need = false; 264 265 if (!empty($_POST['mail_address']) and ValidateEmailProvider($_POST['mail_address'])) 266 { 267 $query = ' 268 SELECT '.$conf['user_fields']['email'].' AS email 269 FROM '.USERS_TABLE.' 270 WHERE '.$conf['user_fields']['id'].' 
= \''.$user['id'].'\' 271 ;'; 272 273 list($current_email) = mysql_fetch_row(pwg_query($query)); 274 275 if ( $_POST['mail_address'] != $current_email and ( isset($conf_nbc_UserAdvManager[2]) and $conf_nbc_UserAdvManager[2] == 'true') ) 276 277 $confirm_mail_need = true; 278 } 279 280 if ((!empty($_POST['use_new_pwd']) and ( isset($conf_nbc_UserAdvManager[0]) and $conf_nbc_UserAdvManager[0] == 'true') or $confirm_mail_need) ) 281 { 282 $query = ' 283 SELECT '.$conf['user_fields']['username'].' 284 FROM '.USERS_TABLE.' 285 WHERE '.$conf['user_fields']['id'].' = \''.$user['id'].'\' 286 ;'; 287 288 list($username) = mysql_fetch_row(pwg_query($query)); 289 290 SendMail2User($typemail, $user['id'], $username, $_POST['use_new_pwd'], $_POST['mail_address'], $confirm_mail_need); 291 } 292 } 293 } 294 } 295 } 155 296 156 297 … … 160 301 { 161 302 load_language('plugin.lang', NBC_UserAdvManager_PATH); 162 global $conf, $template, $page, $lang; 163 164 $PasswordCheck = 0; 303 global $conf, $template, $page, $lang, $errors; 165 304 166 305 $conf_nbc_UserAdvManager = isset($conf['nbc_UserAdvManager']) ? 
explode(";" , $conf['nbc_UserAdvManager']) : array(); 167 306 168 169 if ( isset($conf_nbc_UserAdvManager[1]) and $conf_nbc_UserAdvManager[1] == 'true' ) 307 /* Username non case sensitive */ 308 if (isset($conf_nbc_UserAdvManager[1]) and $conf_nbc_UserAdvManager[1] == 'true') 309 { 170 310 $lang['reg_err_login5'] = l10n('reg_err_login5'); 171 311 } 312 313 172 314 173 /* User identi cation */315 /* User identification */ 174 316 if (script_basename() == 'identification') 175 317 { … … 186 328 187 329 188 189 330 /* Admin user management */ 190 331 if (script_basename() == 'admin' and isset($_GET['page']) and $_GET['page'] == 'user_list') … … 199 340 } 200 341 201 202 342 /* Username without forbidden keys */ 203 343 if (isset($conf_nbc_UserAdvManager[7]) and $conf_nbc_UserAdvManager[7] == 'true' and !empty($_POST['login']) and !ValidateUsername($_POST['login'])) 204 344 { 205 $ lang['reg_err_login1'] = l10n('reg_err_login6')."'".$conf_nbc_UserAdvManager[8]."'";206 $_POST['login'] = '';345 $template->append('errors', l10n('reg_err_login6')."'".$conf_nbc_UserAdvManager[8]."'"); 346 unset($_POST['submit_add']); 207 347 } 208 348 209 349 /* Email without forbidden domains */ 210 /* This don't work on call of ValidateEmailProvider() function - Why ?? 
-> Due to the "return = false|true" in function ?*/ 211 //if (isset($conf_nbc_UserAdvManager[12]) and $conf_nbc_UserAdvManager[12] == 'true' and !empty($_POST['email']) and !ValidateEmailProvider($_POST['email'])) 212 //{ 213 // $lang['reg_err_login1'] = l10n('reg_err_login7')."'".$conf_nbc_UserAdvManager[13]."'"; 214 // $_POST['login'] = ''; 215 //} 216 /* This work with a code copy of ValidateEmailProvider() function */ 217 if (isset($conf_nbc_UserAdvManager[12]) and $conf_nbc_UserAdvManager[12] == 'true' and !empty($_POST['email'])) 218 { 219 $ncsemail = strtolower($_POST['email']); 220 $conf_nbc_MailExclusion = preg_split("/[\s,]+/",$conf_nbc_UserAdvManager[13]); 221 for ($i = 0 ; $i < count($conf_nbc_MailExclusion) ; $i++) 222 { 223 $pattern = '/'.$conf_nbc_MailExclusion[$i].'/'; 224 if (preg_match($pattern, $ncsemail)) 225 { 226 $lang['reg_err_login1'] = l10n('reg_err_login7')."'".$conf_nbc_UserAdvManager[13]."'"; 227 $_POST['login'] = ''; 228 } 229 } 230 } 231 } 232 } 233 234 /* User creation */ 235 if (script_basename() == 'register') 236 { 237 if (isset($_POST['submit'])) 238 { 239 /* Username non case sensitive */ 240 if (isset($conf_nbc_UserAdvManager[1]) and $conf_nbc_UserAdvManager[1] == 'true') 241 { 242 $new_username = NotSensibleSearchUsername($_POST['login']); 243 $_POST['login'] = $new_username == '' ? 
$_POST['login'] : $new_username; 244 } 245 246 247 /* Username without forbidden keys */ 248 if (isset($conf_nbc_UserAdvManager[7]) and $conf_nbc_UserAdvManager[7] == 'true' and !empty($_POST['login']) and !ValidateUsername($_POST['login'])) 249 { 250 $lang['reg_err_login1'] = l10n('reg_err_login6')."'".$conf_nbc_UserAdvManager[8]."'"; 251 $_POST['login'] = ''; 252 } 253 254 255 if (isset($conf_nbc_UserAdvManager[14]) and $conf_nbc_UserAdvManager[14] == 'true' and !empty($conf_nbc_UserAdvManager[15])) 256 { 257 //$PasswordCheck = testpassword($_POST['password']); 258 $PasswordCheck = 10; 259 if ($PasswordCheck < $conf_nbc_UserAdvManager[15]) 260 { 261 array_push($errors, l10n('reg_err_login4')."'".$conf_nbc_UserAdvManager[15]."'"); 262 //$lang['reg_err_login1'] = l10n('reg_err_login4')."'".$conf_nbc_UserAdvManager[15]."'"; 263 $_POST['password'] = ""; 264 $_POST['password_conf'] = ""; 265 $PasswordCheck = 0; 266 } 267 } 268 269 /* Email without forbidden domains */ 270 /* This don't work on call of ValidateEmailProvider() function - Why ?? 
-> Due to the "return = false|true" in function ?*/ 271 //if (isset($conf_nbc_UserAdvManager[12]) and $conf_nbc_UserAdvManager[12] == 'true' and !empty($_POST['mail_address']) and !ValidateEmailProvider($_POST['mail_address'])) 272 //{ 273 // $lang['reg_err_mail_address'] = l10n('reg_err_login7')."'".$conf_nbc_UserAdvManager[13]."'"; 274 // $_POST['mail_address'] = ''; 275 //} 276 /* This work with a code copy of ValidateEmailProvider() function */ 277 if (isset($conf_nbc_UserAdvManager[12]) and $conf_nbc_UserAdvManager[12] == 'true' and !empty($_POST['mail_address'])) 278 { 279 $ncsemail = strtolower($_POST['mail_address']); 280 $conf_nbc_MailExclusion = preg_split("/[\s,]+/",$conf_nbc_UserAdvManager[13]); 281 for ($i = 0 ; $i < count($conf_nbc_MailExclusion) ; $i++) 282 { 283 $pattern = '/'.$conf_nbc_MailExclusion[$i].'/'; 284 if (preg_match($pattern, $ncsemail)) 285 { 286 $lang['reg_err_login1'] = l10n('reg_err_login7')."'".$conf_nbc_UserAdvManager[13]."'"; 287 $_POST['login'] = ''; 288 } 289 } 290 } 291 } 292 } 293 294 /* User profile update */ 295 if (script_basename() == 'profile') 296 { 297 if (isset($_POST['validate'])) 298 { 299 /* Sending email to user */ 300 if (( isset($conf_nbc_UserAdvManager[0]) and $conf_nbc_UserAdvManager[0] == 'true') or ( isset($conf_nbc_UserAdvManager[2]) and $conf_nbc_UserAdvManager[2] == 'true')) 301 { 302 global $conf, $user ; 303 $errors = array(); 304 305 $int_pattern = '/^\d+$/'; 306 if (empty($_POST['nb_image_line']) 307 or (!preg_match($int_pattern, $_POST['nb_image_line']))) 308 { 309 $errors[] = l10n('nb_image_line_error'); 310 } 311 312 if (empty($_POST['nb_line_page']) 313 or (!preg_match($int_pattern, $_POST['nb_line_page']))) 314 { 315 $errors[] = l10n('nb_line_page_error'); 316 } 317 318 if ($_POST['maxwidth'] != '' 319 and (!preg_match($int_pattern, $_POST['maxwidth']) 320 or $_POST['maxwidth'] < 50)) 321 { 322 $errors[] = l10n('maxwidth_error'); 323 } 324 if ($_POST['maxheight'] 325 and (!preg_match($int_pattern, 
$_POST['maxheight']) 326 or $_POST['maxheight'] < 50)) 327 { 328 $errors[] = l10n('maxheight_error'); 329 } 330 331 if (isset($_POST['mail_address'])) 332 { 333 $mail_error = validate_mail_address($user['id'], $_POST['mail_address']); 334 if (!empty($mail_error)) 335 { 336 $errors[] = $mail_error; 337 } 338 339 if (isset($conf_nbc_UserAdvManager[12]) and $conf_nbc_UserAdvManager[12] == 'true' and !empty($_POST['mail_address'])) 340 { 341 $ncsemail = strtolower($_POST['mail_address']); 342 $conf_nbc_MailExclusion = preg_split("/[\s,]+/",$conf_nbc_UserAdvManager[13]); 343 for ($i = 0 ; $i < count($conf_nbc_MailExclusion) ; $i++) 344 { 345 $pattern = '/'.$conf_nbc_MailExclusion[$i].'/'; 346 if (preg_match($pattern, $ncsemail)) 347 { 348 $mail_error = l10n('reg_err_login7')."'".$conf_nbc_UserAdvManager[13]."'"; 349 } 350 } 351 } 352 if (!empty($mail_error)) 353 { 354 $errors[] = $mail_error; 355 } 356 } 357 358 $typemail = 3; 359 360 if (!empty($_POST['use_new_pwd'])) 361 { 362 $typemail = 2; 363 364 // password must be the same as its confirmation 365 if ($_POST['use_new_pwd'] != $_POST['passwordConf']) 366 { 367 $errors[] = l10n('New password confirmation does not correspond'); 368 } 369 370 if (isset($conf_nbc_UserAdvManager[14]) and $conf_nbc_UserAdvManager[14] == 'true' and !empty($conf_nbc_UserAdvManager[15])) 371 { 372 //$PasswordCheck = testpassword($_POST['password']); 373 $PasswordCheck = 10; 374 if ($PasswordCheck < $conf_nbc_UserAdvManager[15]) 375 { 376 $lang['reg_err_login1'] = l10n('reg_err_login4')."'".$conf_nbc_UserAdvManager[15]."'"; 377 } 378 } 379 else if (isset($conf_nbc_UserAdvManager[14]) and $conf_nbc_UserAdvManager[14] == 'true') 380 { 381 $lang['reg_err_login1'] = l10n('reg_err_login3'); 382 } 383 384 if ( !defined('IN_ADMIN') ) 385 {// changing password requires old password 386 $query = ' 387 SELECT '.$conf['user_fields']['password'].' AS password 388 FROM '.USERS_TABLE.' 389 WHERE '.$conf['user_fields']['id'].' 
= \''.$user['id'].'\' 390 ;'; 391 list($current_password) = mysql_fetch_row(pwg_query($query)); 392 393 if ($conf['pass_convert']($_POST['password']) != $current_password) 394 { 395 $errors[] = l10n('Current password is wrong'); 396 } 397 } 398 } 399 400 $confirm_mail_need = false; 401 402 if (!empty($_POST['mail_address'])) 403 { 404 $query = ' 405 SELECT '.$conf['user_fields']['email'].' AS email 406 FROM '.USERS_TABLE.' 407 WHERE '.$conf['user_fields']['id'].' = \''.$user['id'].'\' 408 ;'; 409 list($current_email) = mysql_fetch_row(pwg_query($query)); 410 411 if ( $_POST['mail_address'] != $current_email and ( isset($conf_nbc_UserAdvManager[2]) and $conf_nbc_UserAdvManager[2] == 'true') ) 412 $confirm_mail_need = true; 413 } 414 415 if (count($errors) == 0 and (!empty($_POST['use_new_pwd']) and ( isset($conf_nbc_UserAdvManager[0]) and $conf_nbc_UserAdvManager[0] == 'true') or $confirm_mail_need) ) 416 { 417 $query = ' 418 SELECT '.$conf['user_fields']['username'].' 419 FROM '.USERS_TABLE.' 420 WHERE '.$conf['user_fields']['id'].' = \''.$user['id'].'\' 421 ;'; 422 list($username) = mysql_fetch_row(pwg_query($query)); 423 424 425 SendMail2User($typemail, $user['id'], $username, $_POST['use_new_pwd'], $_POST['mail_address'], $confirm_mail_need); 426 } 350 if (isset($conf_nbc_UserAdvManager[12]) and $conf_nbc_UserAdvManager[12] == 'true' and !empty($_POST['email']) and !ValidateEmailProvider($_POST['email'])) 351 { 352 $template->append('errors', l10n('reg_err_login7')."'".$conf_nbc_UserAdvManager[13]."'"); 353 unset($_POST['submit_add']); 427 354 } 428 355 }