<?php
/**
 * AgileBill - Open Billing Software
 *
 * This body of work is free software; you can redistribute it and/or
 * modify it under the terms of the Open AgileBill License
 * License as published at http://www.agileco.com/agilebill/license1-4.txt
 *
 * Originally authored by Tony Landis, AgileBill LLC
 *
 * Recent modifications by Deon George
 *
 * @author Deon George <deonATleenooksDOTnet>
 * @copyright 2009 Deon George
 * @link http://osb.leenooks.net
 *
 * @link http://www.agileco.com/
 * @copyright 2004-2008 Agileco, LLC.
 * @license http://www.agileco.com/agilebill/license1-4.txt
 * @author Tony Landis <tony@agileco.com>
 * @package AgileBill
 * @subpackage Core:Login
 */

/**
 * The main AgileBill Login Class
 *
 * @package AgileBill
 * @subpackage Core:Login
 */
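class CORE_login_handler {
    /**
     * Login to OSB
     *
     * Looks up the account by username and password hash, applies the lock,
     * status/expiry and (optional) login_share checks, then marks the current
     * session (SESS) as logged in and records the attempt in login_log.
     *
     * Outcome is reported to the user through $C_debug->alert().
     *
     * @param array $VAR Request variables; reads '_username' and '_password'
     * @param bool $md5 When true the supplied password is MD5-hashed before the lookup;
     *                  when false the supplied value is compared to the stored column as-is
     * @return false|null false when a credential is missing or no single account matches;
     *                    null on every other path, including a successful login
     */
    public function login($VAR,$md5=true) {
        global $C_translate, $C_debug;
        $db = &DB();

        # check that the username/password are both set
        # (empty() is the same truthiness test as before, without a notice when a key is absent)
        if (empty($VAR['_username']) || empty($VAR['_password'])) {
            $C_debug->alert($C_translate->translate('login_enter_both','',''));

            return false;
        }

        # SECURITY: passwords are stored and matched as unsalted MD5, which is cheap to
        # brute-force offline if the account table leaks. Moving to password_hash()/
        # password_verify() needs a stored-hash migration, so it is only flagged here.
        # SECURITY: with $md5=false the caller-supplied value is matched directly against
        # the stored hash, i.e. the hash itself is accepted as the credential.
        # NOTE(review): confirm no request-reachable caller passes $md5=false.
        $pass = $md5 ? md5($VAR['_password']) : $VAR['_password'];

        # Check the database for a match
        $rs = $db->Execute(
            sqlSelect('account','id,status,username,password,date_expire',
                array('where'=>array('username'=>$VAR['_username'],'password'=>$pass))));

        # Exactly one row must match. The previous test "! $rs->RecordCount() == 1" parsed as
        # "(! RecordCount()) == 1", which only rejected zero rows and let 2+ matches through.
        if (! $rs || $rs->RecordCount() != 1) {
            $C_debug->alert($C_translate->translate('login_un_pw_failed','',''));

            # Log as a failed login (no account id is known here, so the username is logged in its place)
            $this->lock_check($VAR,0,$VAR['_username']);

            return false;
        }

        # Get the account id
        $id = $rs->fields['id'];

        # Check that there is no lock on this account id or IP address:
        # NOTE(review): the lock is only consulted after the credentials have matched, so a
        # locked client still gets every guess checked and sees 'login_locked' (not
        # 'login_un_pw_failed') only when the guess was right. Consider testing the IP lock
        # before the credential query.
        if ($this->locked($id)) {
            $C_debug->alert($C_translate->translate('login_locked','',''));

            return;
        }

        # An expiry of 0/empty means "never expires": substitute a time just in the future
        if ($rs->fields['date_expire'] == 0 || ! $rs->fields['date_expire'])
            $date_expire = time()+99;
        else
            $date_expire = $rs->fields['date_expire'];

        # Check that it is an active account
        if ($rs->fields['status'] != 1 || $date_expire <= time()) {
            # Inactive account
            $C_debug->alert($C_translate->translate('login_inactive','',''));

            # Log as failed login
            $this->lock_check($VAR,0,$id);

            return;

        } else {
            # Active account - check for password sharing if login_share module is installed
            include_once(PATH_CORE.'list.inc.php');
            $C_list = new CORE_list;

            if ($C_list->is_installed('login_share')) {
                include_once(PATH_MODULES.'login_share/login_share.inc.php');
                $share = new login_share;

                if (! $share->login($id,$VAR['_username'])) {
                    # Shared account alert
                    $C_debug->alert($C_translate->translate('shared_account','login_share',''));

                    # Log as failed login
                    $this->lock_check($VAR,0,$id);

                    return;
                }
            }
        }

        # Set the expiry date of the login session
        $date_expire = time()+(SESSION_EXPIRE*60);

        # Update the DB
        # NOTE(review): the existing session id (SESS) is promoted to a logged-in session
        # without being regenerated - confirm session fixation is handled where SESS is issued.
        $rs = $db->Execute(
            sqlUpdate($db,'session',array('ip'=>USER_IP,'date_expire'=>$date_expire,'logged'=>1,'account_id'=>$id),array('id'=>SESS)));

        # Delete any old sessions for this account
        # NOTE(review): this WHERE clause is built with sprintf(); $id comes from the account
        # row, but confirm SESS is validated before it is defined, since it is interpolated here.
        $rs = $db->Execute(sqlDelete($db,'session',sprintf('account_id=%s AND id!="%s"',$id,SESS)));

        # Return logged in message
        $C_debug->alert($C_translate->translate('login_success','',''));

        # Get the last successful login:
        $rs = $db->Execute(
            sqlSelect('login_log','ip,date_orig',array('where'=>array('account_id'=>$id,'status'=>1),'orderby'=>'date_orig DESC','limit'=>1)));

        # The alert text carries <b> markup, so the logged IP is HTML-escaped before it is
        # inserted; a well-formed address is unchanged by the escaping.
        if ($rs && $rs->RecordCount())
            $C_debug->alert(
                str_replace('%DATE%',
                    sprintf('<b>%s %s</b>',date(UNIX_DATE_FORMAT,$rs->fields['date_orig']),date(DEFAULT_TIME_FORMAT,$rs->fields['date_orig'])),
                    str_replace('%IP%',sprintf('<b>%s</b>',htmlspecialchars((string)$rs->fields['ip'],ENT_QUOTES)),_('Last successful login was on %DATE% from %IP%'))));

        # Log the successful login
        $this->lock_check($VAR,1,$id);
    }

    /**
     * Log out the current session
     *
     * Clears the 'logged' flag on the session row for SESS and removes that
     * session's rows from session_auth_cache, then raises the logout alert.
     *
     * @param array $VAR Request variables (not read by this method)
     * @return void
     */
    public function logout($VAR) {
        global $C_debug,$C_translate;

        $db = &DB();

        # Logout the current session by editing the database record
        $db->Execute(sqlUpdate($db,'session',array('logged'=>0),array('id'=>SESS)));

        # Delete any session caches!
        $db->Execute(sqlDelete($db,'session_auth_cache',array('session_id'=>SESS)));

        # logout success:
        $C_debug->alert($C_translate->translate('logout_success','',''));
    }

    # @todo this should move to login_lock.inc.php
    /**
     * Test whether an unexpired login_lock row exists for the client IP
     *
     * Replaces the global $C_list with a new CORE_list instance as a side effect.
     *
     * @param mixed $account_id When truthy, the lookup is additionally restricted to this account id
     * @return bool true when a matching lock row exists; false otherwise or when
     *              the login_lock module is not installed
     */
    private function locked($account_id) {
        global $C_list;

        include_once(PATH_CORE.'list.inc.php');
        $C_list = new CORE_list;

        if (! $C_list->is_installed('login_lock'))
            return false;

        $db = &DB();

        # NOTE(review): lock_check() in this class inserts lock rows with ip/date_orig/date_expire
        # only, while this query also filters on account_id when one is given - confirm those
        # rows can actually match, otherwise the lock is never enforced from login().
        # $account_id is interpolated unquoted; the only caller in this class passes the id
        # read from the account table.
        $rs = $db->Execute(
            sqlSelect('login_lock','id',
                array('where'=>
                    sprintf('ip=::%s:: AND date_expire>=%s %s',USER_IP,time(),$account_id ? sprintf('AND account_id=%s',$account_id) : ''))));

        if ($rs && $rs->RecordCount())
            return true;
        else
            return false;
    }

    # @todo this should move to login_lock.inc.php
    /**
     * Record a login attempt and, after too many failures, lock the client IP
     *
     * Always inserts a login_log row. For a failed attempt with the login_lock
     * module installed, counts failures from USER_IP in the last
     * LOGIN_ATTEMPT_TIME minutes and, at LOGIN_ATTEMPT_TRY or more, replaces any
     * lock for that IP with one expiring in LOGIN_ATTEMPT_LOCK minutes.
     *
     * Replaces the global $C_list with a new CORE_list instance as a side effect.
     *
     * @param array $VAR Request variables (not read by this method)
     * @param int $status 1 for a successful login, 0 for a failed one
     * @param mixed $account_id Value stored in login_log.account_id (login() passes the
     *                          username when no account matched)
     * @return true|null true for a successful login or when login_lock is not installed;
     *                   null after the failure count has been evaluated
     */
    private function lock_check($VAR,$status,$account_id) {
        global $C_list;

        include_once(PATH_CORE.'list.inc.php');
        $C_list = new CORE_list;

        $db = &DB();

        # Create the appropriate login attempt record.
        $db->Execute(sqlInsert($db,'login_log',array('ip'=>USER_IP,'account_id'=>$account_id,'date_orig'=>time(),'status'=>$status)));

        # if this is a successful login, we can now exit...
        if ($status == 1 || ! $C_list->is_installed('login_lock'))
            return true;

        # Determine the time period to check for login attempts after:
        $date_orig = time()-(LOGIN_ATTEMPT_TIME*60);

        # Check the database for all the failed login attempts from this IP within the time period defined in the setup.
        # NOTE(review): failures are counted per IP only, so guesses spread across many
        # addresses against one account never reach the threshold.
        $rs = $db->Execute(sqlSelect('login_log','COUNT(id) as id',array('where'=>sprintf('ip=::%s:: AND date_orig>=%s AND status=0',USER_IP,$date_orig))));

        # Check that it does not exceed the allowed failed login attempts
        if ($rs && $rs->fields['id']>=LOGIN_ATTEMPT_TRY) {
            # Get the time this login block will expire:
            $date_expire = time()+(LOGIN_ATTEMPT_LOCK*60);

            # Delete all old blocks for this ip
            $result = $db->Execute(sqlDelete($db,'login_lock',array('ip'=>USER_IP)));

            # Create a block on this login
            $result = $db->Execute(sqlInsert($db,'login_lock',array('ip'=>USER_IP,'date_orig'=>time(),'date_expire'=>$date_expire)));
        }
    }
}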
?>