diff options
author | Loui Chang <louipc.ist@gmail.com> | 2007-10-04 01:47:01 -0400 |
---|---|---|
committer | Dan McGee <dan@archlinux.org> | 2008-01-19 23:49:35 -0600 |
commit | e9de45954ae404fe1952fec067aad57bcd787a96 (patch) | |
tree | 08c757c7828c76a0fed9fdddf5c6e48b216ac4e9 /web | |
parent | b2816c13cfe9bee50220d63685f78788467e990e (diff) |
Several functions added to web/lib/acctfuncs.inc Weeere back!
try_login() to login users
valid_username() checks if a new username fits criteria
valid_user() checks if the user exists in the database
good_passwd() only checks for minimum password length for now.
can be later expanded to tell a user to make a stronger password.
valid_passwd() checks if the password for the specified user is correct
user_suspended() checks if the user is suspended (or not)
user_delete() deletes a user (it doesn't orphan PKGs yet though)
user_is_privileged() returns privilege level User (0) TU (2) Dev (3) of
user ID. 0 is used for a regular user for ease in conditionals.
Also: Enforce proper usernames on account creation or editing
Fix bug where $SUPPORTED_LANGS needs to be reset on account creation
Fix bug where an account could be created with an empty passwd
Display (required) beside password fields on account creation
Enforce good_passwd() on account creation
TUs and Devs can edit a user to have a username that doesn't conform to
the standard valid_username(). This is to allow them to edit old
accounts without messing up the user name.
Signed-off-by: Loui Chang <louipc.ist@gmail.com>
Diffstat (limited to 'web')
-rw-r--r-- | web/lib/acctfuncs.inc | 215 |
1 files changed, 211 insertions, 4 deletions
diff --git a/web/lib/acctfuncs.inc b/web/lib/acctfuncs.inc index ef8e774..2968adb 100644 --- a/web/lib/acctfuncs.inc +++ b/web/lib/acctfuncs.inc @@ -79,7 +79,7 @@ function display_account_form($UTYPE,$A,$U="",$T="",$S="", print "<td align='left'>".__("Password").":</td>"; print "<td align='left'><input type='password' size='30' maxlength='32'"; print " name='P' value='".$P."'>"; - if ($TYPE == "new") { + if ($A != "UpdateAccount") { print " (".__("required").")"; } print "</td></tr>\n"; @@ -88,7 +88,7 @@ function display_account_form($UTYPE,$A,$U="",$T="",$S="", print "<td align='left'>".__("Re-type password").":</td>"; print "<td align='left'><input type='password' size='30' maxlength='32'"; print " name='C' value='".$C."'>"; - if ($TYPE == "new") { + if ($A != "UpdateAccount") { print " (".__("required").")"; } print "</td></tr>\n"; @@ -108,6 +108,8 @@ function display_account_form($UTYPE,$A,$U="",$T="",$S="", print "<tr>"; print "<td align='left'>".__("Language").":</td>"; print "<td align='left'><select name=L>\n"; + + reset($SUPPORTED_LANGS); while (list($code, $lang) = each($SUPPORTED_LANGS)) { if ($L == $code) { print "<option value=".$code." selected> ".$lang."\n"; @@ -132,6 +134,7 @@ function display_account_form($UTYPE,$A,$U="",$T="",$S="", print "<tr>"; print "<td> </td>"; print "<td align='left'>"; + if ($A == "UpdateAccount") { print "<input type='submit' class='button'"; print " value='".__("Update")."'> "; @@ -173,15 +176,21 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="", # global $SUPPORTED_LANGS; + if(isset($_COOKIE['AURSID'])) + $editor_user = uid_from_sid($_COOKIE['AURSID']); + else + $editor_user = null; + $dbh = db_connect(); $error = ""; - if (!isset($E) || !isset($U)) { + if (empty($E) || empty($U)) { $error = __("Missing a required field."); } + if ($TYPE == "new") { # they need password fields for this type of action # - if (!isset($P) || !isset($C)) { + if (empty($P) || empty($C)) { $error = __("Missing a required field."); } } else { @@ -189,9 +198,22 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="", $error = __("Missing User ID"); } } + + if (!$error && !valid_username($U) && !user_is_privileged($editor_user)) + $error = __("The username is invalid.") . "<ul>\n" + ."<li>" . __("It must be " . USERNAME_MIN_LEN . "-" . USERNAME_MAX_LEN + . " characters long") . "</li>" + . "<li>" . __("start and end with a letter or number") . "</li>" + . "<li>" . __("can contain only one period, underscore or hyphen.") + . "</li>\n</ul>"; + if (!$error && $P && $C && ($P != $C)) { $error = __("Password fields do not match."); } + if (!$error && $P != '' && !good_passwd($P)) + $error = __("Your password must be at least " . PASSWD_MIN_LEN + . " characters."); + if (!$error && !valid_email($E)) { $error = __("The email address is invalid."); } @@ -578,5 +600,190 @@ function display_account_info($U="",$T="", return; } +/* + * Returns SID (Session ID) and error (error message) in an array + * SID of 0 means login failed. + * There should be a better way of doing this...I think + */ +function try_login() { + $login_error = ""; + $new_sid = ""; + $userID = null; + + if ( isset($_REQUEST['user']) || isset($_REQUEST['passwd']) ) { + + + $userID = valid_user($_REQUEST['user']); + + if ( user_suspended( $userID ) ) { + $login_error = "Account Suspended."; + } + elseif ( $userID && isset($_REQUEST['passwd']) + && valid_passwd($userID, $_REQUEST['passwd']) ) { + + $logged_in = 0; + $num_tries = 0; + + # Account looks good. Generate a SID and store it. + # + + $dbh = db_connect(); + while (!$logged_in && $num_tries < 5) { + $new_sid = new_sid(); + $q = "INSERT INTO Sessions (UsersID, SessionID, LastUpdateTS)" + ." VALUES ( $userID, '" . $new_sid . "', UNIX_TIMESTAMP())"; + $result = db_query($q, $dbh); + # Query will fail if $new_sid is not unique + # + if ($result) { + $logged_in = 1; + break; + } + $num_tries++; + } + if ($logged_in) { + # set our SID cookie + + setcookie("AURSID", $new_sid, 0, "/"); +# header("Location: /index.php"); + header("Location: " . $_SERVER['PHP_SELF']); + $login_error = ""; + + } + else { + $login_error = "Error trying to generate session id."; + } + } + else { + $login_error = "Bad username or password."; + } + } + return array('SID' => $new_sid, 'error' => $login_error); +} + +/* + * Only checks if the name itself is valid + * Longer or equal to USERNAME_MIN_LEN + * Shorter or equal to USERNAME_MAX_LEN + * Starts and ends with a letter or number + * Contains at most ONE dot, hyphen, or underscore + * Returns the username if it is valid + * Returns nothing if it isn't valid + */ +function valid_username( $user ) +{ + + #Is it non-empty? + if (!empty($user)) { + + #Is username at not too short or too long? + if ( strlen($user) >= USERNAME_MIN_LEN && + strlen($user) <= USERNAME_MAX_LEN ) { + + $user = strtolower($user); + #Does username: + # start and end with a letter or number + # contain only letters and numbers, + # and at most has one dash, period, or underscore + if ( preg_match("/^[a-z0-9]+[.\-_]?[a-z0-9]+$/", $user) ) { + #All is good return the username + return $user; + } + } + } + + return; +} + +/* + * Checks if the username is valid and if it exists in the database + * Returns the username ID or nothing + */ +function valid_user( $user ) +{ + /* if ( $user = valid_username($user) ) { */ + if ( $user ) { + $dbh = db_connect(); + $q = "SELECT ID FROM Users WHERE Username = '" + . mysql_real_escape_string($user). "'"; + + $result = mysql_fetch_row(db_query($q, $dbh)); + #Is the username in the database? + if ($result[0]) { + return $result[0]; + } + } + return; +} + +function good_passwd( $passwd ) +{ + if ( strlen($passwd) >= PASSWD_MIN_LEN ) { + return true; + } + return false; +} + +/* Verifies that the password is correct for the userID specified. + * Returns true or false + */ +function valid_passwd( $userID, $passwd ) +{ + if ( good_passwd($passwd) ) { + $dbh = db_connect(); + $q = "SELECT ID FROM Users". + " WHERE ID = '$userID'" . + " AND Passwd = '" . md5($passwd) . "'"; + + $result = mysql_fetch_row(db_query($q, $dbh)); + if ($result[0]) { + #is it the right password? + return true; + } + } + return false; +} + +/* + * Is the user account suspended? + */ +function user_suspended( $id ) +{ + $dbh = db_connect(); + $q = "SELECT Suspended FROM Users WHERE ID = '$id'"; + $result = mysql_fetch_row(db_query($q, $dbh)); + if ($result[0] == 1 ) { + return true; + } + return false; +} + +/* + * This should be expanded to return something + * TODO: Handle orphaning of user's packages + */ +function user_delete( $id ) +{ + $dbh = db_connect(); + $q = "DELETE FROM Users WHERE ID = '$id'"; + $result = mysql_fetch_row(db_query($q, $dbh)); + return; +} + +/* + * A different way of determining a user's privileges + * rather than account_from_sid() + */ +function user_is_privileged( $id ) +{ + $dbh = db_connect(); + $q = "SELECT AccountTypeID FROM Users WHERE ID = '$id'"; + $result = mysql_fetch_row(db_query($q, $dbh)); + if( $result[0] > 1) + return $result[0]; + return 0; + +} + # vim: ts=2 sw=2 noet ft=php ?> |