357 lines
9.7 KiB
PHP
357 lines
9.7 KiB
PHP
<?php
|
|
|
|
/**
|
|
* AgileBill - Open Billing Software
|
|
*
|
|
* This body of work is free software; you can redistribute it and/or
|
|
* modify it under the terms of the Open AgileBill License
|
|
* License as published at http://www.agileco.com/agilebill/license1-4.txt
|
|
*
|
|
* For questions, help, comments, discussion, etc., please join the
|
|
* Agileco community forums at http://forum.agileco.com/
|
|
*
|
|
* @link http://www.agileco.com/
|
|
* @copyright 2004-2008 Agileco, LLC.
|
|
* @license http://www.agileco.com/agilebill/license1-4.txt
|
|
* @author Tony Landis <tony@agileco.com>
|
|
* @package AgileBill
|
|
* @version 1.4.93
|
|
*/
|
|
|
|
class CORE_login_handler
|
|
{
|
|
|
|
function login($VAR, $md5=true)
|
|
{
|
|
global $C_translate, $C_debug;
|
|
|
|
# check that the username/password are both set
|
|
if(($VAR['_username'] == '') || ($VAR['_password'] == ''))
|
|
{
|
|
$C_debug->alert($C_translate->translate('login_enter_both','',''));
|
|
return;
|
|
}
|
|
|
|
# md5 the password
|
|
if($md5)
|
|
$pass = md5($VAR['_password']);
|
|
else
|
|
$pass = $VAR['_password'];
|
|
|
|
# check the database for a match
|
|
$db = &DB();
|
|
$q = "SELECT id,status,username,password,date_expire FROM " . AGILE_DB_PREFIX . "account WHERE
|
|
password = '$pass' AND
|
|
username = '".$VAR['_username']."' AND
|
|
site_id = '" . DEFAULT_SITE . "'";
|
|
$result = $db->Execute($q);
|
|
|
|
# get the account id
|
|
$id = $result->fields['id'];
|
|
|
|
# check that their is no lock on this account id or IP address:
|
|
if($this->locked ($id))
|
|
{
|
|
$C_debug->alert($C_translate->translate('login_locked','',''));
|
|
return;
|
|
}
|
|
|
|
|
|
# verify the username/password match.
|
|
if($result->fields['username'] == $VAR['_username'])
|
|
{
|
|
if (($result->fields['password'] !== $VAR['_password']) && ($result->fields['password'] != $pass))
|
|
{
|
|
# no match
|
|
$C_debug->alert($C_translate->translate('login_pw_failed','',''));
|
|
|
|
# log as a failed login
|
|
$this->lock_check($VAR,"0",$id);
|
|
return;
|
|
}
|
|
}
|
|
else
|
|
{
|
|
# no username match
|
|
$C_debug->alert($C_translate->translate('login_un_pw_failed','',''));
|
|
|
|
# reload the login page
|
|
$VAR["_page"] = 'account:login';
|
|
|
|
# log as a failed login
|
|
$this->lock_check($VAR,"0",$VAR['_username']);
|
|
return;
|
|
}
|
|
|
|
|
|
if($result->fields['date_expire'] == "0" || $result->fields['date_expire'] == "")
|
|
$date_expire = time()+99;
|
|
else
|
|
$date_expire = $result->fields['date_expire'];
|
|
|
|
|
|
# check that it is an active account
|
|
if($result->fields['status'] != "1" || $date_expire <= time())
|
|
{
|
|
# inactive account
|
|
$C_debug->alert($C_translate->translate('login_inactive','',''));
|
|
|
|
# log as failed login
|
|
$this->lock_check($VAR,"0",$id);
|
|
return;
|
|
}
|
|
else
|
|
{
|
|
# active account - check for password sharing if login_share module is installed
|
|
include_once(PATH_CORE.'list.inc.php');
|
|
$C_list = new CORE_list;
|
|
if($C_list->is_installed('login_share'))
|
|
{
|
|
include_once(PATH_MODULES.'login_share/login_share.inc.php');
|
|
$share = new login_share;
|
|
if(!$share->login($id, $VAR['_username']))
|
|
{
|
|
# shared account alert
|
|
$C_debug->alert($C_translate->translate('shared_account','login_share',''));
|
|
|
|
# log as failed login
|
|
$this->lock_check($VAR,"0",$id);
|
|
|
|
return;
|
|
}
|
|
}
|
|
}
|
|
|
|
# set the expiry date of the login session
|
|
$date_expire = (time() + (SESSION_EXPIRE * 60));
|
|
|
|
# update the DB
|
|
$db = &DB();
|
|
$q = "UPDATE " . AGILE_DB_PREFIX . "session
|
|
SET
|
|
ip= '". USER_IP ."',
|
|
date_expire = '$date_expire',
|
|
logged = '1',
|
|
account_id = '$id'
|
|
WHERE
|
|
id = '" . SESS . "'
|
|
AND
|
|
site_id = '" . DEFAULT_SITE . "'";
|
|
$result = $db->Execute($q);
|
|
|
|
# delete any old sessions for this account
|
|
$db = &DB();
|
|
$q = "DELETE FROM " . AGILE_DB_PREFIX . "session WHERE
|
|
account_id = '$id' AND
|
|
id != '" . SESS . "' AND
|
|
site_id = '" . DEFAULT_SITE . "'";
|
|
$result = $db->Execute($q);
|
|
|
|
#return logged in message
|
|
$C_debug->alert($C_translate->translate('login_success','',''));
|
|
|
|
|
|
# Get the last successful login:
|
|
$db = &DB();
|
|
$q = "SELECT * FROM " . AGILE_DB_PREFIX . "login_log WHERE
|
|
account_id = ". $db->qstr($id)." AND
|
|
status = ". $db->qstr(1)." AND
|
|
site_id = ". $db->qstr(DEFAULT_SITE) . "
|
|
ORDER BY date_orig DESC LIMIT 1";
|
|
$result = $db->Execute($q);
|
|
if($result->RecordCount() != 0)
|
|
{
|
|
$ip = $result->fields["ip"];
|
|
$date = $result->fields["date_orig"];
|
|
$date1 = date(UNIX_DATE_FORMAT, $date);
|
|
$date1.= " ".date(DEFAULT_TIME_FORMAT, $date);
|
|
|
|
$message = $C_translate->translate('login_log_success','','');
|
|
$message = ereg_replace('%date%', $date1, $message);
|
|
$message = ereg_replace('%ip%', $ip, $message);
|
|
$C_debug->alert($message);
|
|
}
|
|
|
|
|
|
# log the successful login
|
|
$this->lock_check($VAR,"1",$id);
|
|
|
|
|
|
####################################################################
|
|
### Do any db_mapping
|
|
####################################################################
|
|
$sql = 'SELECT id FROM ' . AGILE_DB_PREFIX . 'module WHERE
|
|
site_id = ' . $db->qstr(DEFAULT_SITE) . ' AND
|
|
name = ' . $db->qstr('db_mapping') . ' AND
|
|
status = ' . $db->qstr("1");
|
|
$result = $db->Execute($sql);
|
|
if($result->RecordCount() > 0)
|
|
{
|
|
include_once ( PATH_MODULES . 'db_mapping/db_mapping.inc.php' );
|
|
$db_map = new db_mapping;
|
|
$db_map->login ( $id );
|
|
}
|
|
}
|
|
|
|
|
|
|
|
|
|
function logout ($VAR)
|
|
{
|
|
global $C_debug, $C_translate;
|
|
$db = &DB();
|
|
|
|
# get the account id (for DB mapping):
|
|
$q = "SELECT account_id FROM ". AGILE_DB_PREFIX ."session WHERE
|
|
id = '" . SESS . "' AND
|
|
site_id = '" . DEFAULT_SITE . "'";
|
|
$result = $db->Execute($q);
|
|
$account_id = $result->fields['account_id'];
|
|
|
|
# logout the current session by editing the database record
|
|
$q = "UPDATE ". AGILE_DB_PREFIX ."session SET logged='0'
|
|
WHERE id = '" . SESS . "' AND
|
|
site_id = '" . DEFAULT_SITE . "'";
|
|
$result = $db->Execute($q);
|
|
|
|
|
|
# delete any session caches!
|
|
$q = 'DELETE FROM '.AGILE_DB_PREFIX.'session_auth_cache WHERE
|
|
session_id = '. $db->qstr(SESS) .' AND
|
|
site_id = '. $db->qstr(DEFAULT_SITE);
|
|
$db->Execute($q);
|
|
|
|
# logout success:
|
|
$C_debug->alert($C_translate->translate('logout_success','',''));
|
|
|
|
####################################################################
|
|
### Do any db_mapping
|
|
####################################################################
|
|
$sql = 'SELECT id FROM ' . AGILE_DB_PREFIX . 'module WHERE
|
|
site_id = ' . $db->qstr(DEFAULT_SITE) . ' AND
|
|
name = ' . $db->qstr('db_mapping') . ' AND
|
|
status = ' . $db->qstr("1");
|
|
$result = $db->Execute($sql);
|
|
if($result->RecordCount() > 0) {
|
|
include_once ( PATH_MODULES . 'db_mapping/db_mapping.inc.php' );
|
|
$db_map = new db_mapping;
|
|
$db_map->logout ( $account_id );
|
|
}
|
|
}
|
|
|
|
|
|
|
|
|
|
function locked ($account_id)
|
|
{
|
|
if($account_id != '')
|
|
$sql = " OR account_id = '$account_id' AND ";
|
|
else
|
|
$sql = " AND ";
|
|
|
|
# check by IP & USER
|
|
$db = &DB();
|
|
$q = "SELECT id FROM " . AGILE_DB_PREFIX . "login_lock WHERE
|
|
ip = '" . USER_IP . "'";
|
|
$q .= $sql;
|
|
$q .= " date_expire >= '" . time() . "' AND
|
|
site_id = '" . DEFAULT_SITE . "'";
|
|
$result = $db->Execute($q);
|
|
|
|
$i = 0;
|
|
while (!$result->EOF)
|
|
{
|
|
$i++;
|
|
$result->MoveNext();
|
|
}
|
|
|
|
# return the results
|
|
if ($i > 0)
|
|
return true;
|
|
else
|
|
return false;
|
|
}
|
|
|
|
|
|
|
|
function lock_check ($VAR,$status,$account_id)
|
|
{
|
|
# if this is a success, delete all login old login records..
|
|
/*
|
|
if($status == 1)
|
|
{
|
|
# delete all login attempts for this account
|
|
# (to clean the slate after the account login lock expires)
|
|
$db = &DB();
|
|
$q = "DELETE FROM " . AGILE_DB_PREFIX . "login_log WHERE
|
|
account_id = '$account_id' AND
|
|
site_id = '" . DEFAULT_SITE . "'";
|
|
$result = $db->Execute($q);
|
|
}
|
|
*/
|
|
|
|
# create the appropriate login attempt record.
|
|
$db = &DB();
|
|
$login_id = $db->GenID(AGILE_DB_PREFIX . 'login_log_id');
|
|
$q = "INSERT INTO " . AGILE_DB_PREFIX . "login_log SET
|
|
id = " . $db->qstr($login_id) . ",
|
|
ip = " . $db->qstr( USER_IP ) . ",
|
|
account_id = " . $db->qstr($account_id ) . ",
|
|
date_orig = " . $db->qstr(time()) . ",
|
|
status = " . $db->qstr($status ) . ",
|
|
site_id = " . $db->qstr(DEFAULT_SITE);
|
|
$result = $db->Execute($q);
|
|
|
|
# if this is a successfull login, we can now exit...
|
|
if($status == 1) return;
|
|
|
|
# determine the time period to check for login attempts after:
|
|
$date_orig = (time() - (LOGIN_ATTEMPT_TIME*60));
|
|
|
|
# check the database for all the failed login attempts from
|
|
# this IP withing the time period defined in the setup.
|
|
$q = "SELECT id FROM " . AGILE_DB_PREFIX . "login_log WHERE
|
|
ip = '" . USER_IP . "' AND
|
|
date_orig >= '$date_orig' AND
|
|
status = '0' AND
|
|
site_id = '" . DEFAULT_SITE . "'";
|
|
$result = $db->Execute($q);
|
|
$i = 0;
|
|
while (!$result->EOF)
|
|
{
|
|
$i++;
|
|
$result->MoveNext();
|
|
}
|
|
|
|
|
|
# check that it does not exceed the allowed failed login attempts
|
|
if($i >= LOGIN_ATTEMPT_TRY)
|
|
{
|
|
# get the time this login block will expire:
|
|
$date_expire = (time() + (LOGIN_ATTEMPT_LOCK * 60));
|
|
|
|
# delete all old blocks for this ip
|
|
$q = "DELETE FROM " . AGILE_DB_PREFIX . "login_lock WHERE
|
|
ip = '" . USER_IP . "' AND
|
|
site_id = '" . DEFAULT_SITE . "'";
|
|
$result = $db->Execute($q);
|
|
|
|
# create a block on this login
|
|
$q = "INSERT INTO " . AGILE_DB_PREFIX . "login_lock SET
|
|
ip = '" . USER_IP . "',
|
|
date_orig = '".time()."',
|
|
date_expire = '$date_expire',
|
|
site_id = '" . DEFAULT_SITE . "'";
|
|
$result = $db->Execute($q);
|
|
|
|
# delete all login attempts for this account
|
|
# (to clean the slate after the account login lock expires)
|
|
$q = "DELETE FROM " . AGILE_DB_PREFIX . "login_log WHERE
|
|
ip = '" . USER_IP . "' AND
|
|
status = '0' AND
|
|
site_id = '" . DEFAULT_SITE . "'";
|
|
$result = $db->Execute($q);
|
|
}
|
|
}
|
|
}
|
|
?>
|