deon/khosb
Archived
1
0
Fork 0
Code Issues 6 Pull Requests Packages Projects Releases Wiki Activity

OSB enhancements to date

Browse Source
This commit is contained in:
Deon George
2010-11-30 09:41:08 +11:00
parent 8715a2059b
commit ec6a542bc3
478 changed files with 23423 additions and 9309 deletions
Download Patch File Download Diff File Expand all files Collapse all files

362
modules/core/login.inc.php
View File

@@ -1,327 +1,207 @@
<?php
/**
* AgileBill - Open Billing Software
*
* This body of work is free software; you can redistribute it and/or
* modify it under the terms of the Open AgileBill License
* License as published at http://www.agileco.com/agilebill/license1-4.txt
*
* For questions, help, comments, discussion, etc., please join the
* Agileco community forums at http://forum.agileco.com/
*
* Originally authored by Tony Landis, AgileBill LLC
*
* Recent modifications by Deon George
*
* @author Deon George <deonATleenooksDOTnet>
* @copyright 2009 Deon George
* @link http://osb.leenooks.net
*
* @link http://www.agileco.com/
* @copyright 2004-2008 Agileco, LLC.
* @license http://www.agileco.com/agilebill/license1-4.txt
* @author Tony Landis <tony@agileco.com>
* @author Tony Landis <tony@agileco.com>
* @package AgileBill
* @version 1.4.93
* @subpackage Core:Login
*/
class CORE_login_handler
{
function login($VAR, $md5=true)
{
global $C_translate, $C_debug;
/**
* The main AgileBill Login Class
*
* @package AgileBill
* @subpackage Core:Login
*/
class CORE_login_handler {
/**
* Login to OSB
*/
public function login($VAR,$md5=true) {
global $C_translate, $C_debug;
$db = &DB();
# check that the username/password are both set
if(($VAR['_username'] == '') || ($VAR['_password'] == ''))
{
if ((! $VAR['_username']) || (! $VAR['_password'])) {
$C_debug->alert($C_translate->translate('login_enter_both','',''));
return;
return false;
}
# md5 the password
if($md5)
$pass = md5($VAR['_password']);
else
$pass = $VAR['_password'];
$pass = $md5 ? md5($VAR['_password']) : $VAR['_password'];
# check the database for a match
$db = &DB();
$q = "SELECT id,status,username,password,date_expire FROM " . AGILE_DB_PREFIX . "account WHERE
password = '$pass' AND
username = '".$VAR['_username']."' AND
site_id = '" . DEFAULT_SITE . "'";
$result = $db->Execute($q);
# Check the database for a match
$rs = $db->Execute(
sqlSelect('account','id,status,username,password,date_expire',
array('where'=>array('username'=>$VAR['_username'],'password'=>$pass))));
# get the account id
$id = $result->fields['id'];
# check that their is no lock on this account id or IP address:
if($this->locked ($id))
{
$C_debug->alert($C_translate->translate('login_locked','',''));
return;
}
# verify the username/password match.
if($result->fields['username'] == $VAR['_username'])
{
if (($result->fields['password'] !== $VAR['_password']) && ($result->fields['password'] != $pass))
{
# no match
$C_debug->alert($C_translate->translate('login_pw_failed','',''));
# log as a failed login
$this->lock_check($VAR,"0",$id);
return;
}
}
else
{
# no username match
if (! $rs || ! $rs->RecordCount() == 1) {
$C_debug->alert($C_translate->translate('login_un_pw_failed','',''));
# reload the login page
$VAR["_page"] = 'account:user_login';
# Log as a failed login
$this->lock_check($VAR,0,$VAR['_username']);
return false;
}
# Get the account id
$id = $rs->fields['id'];
# Check that their is no lock on this account id or IP address:
if ($this->locked($id)) {
$C_debug->alert($C_translate->translate('login_locked','',''));
# log as a failed login
$this->lock_check($VAR,"0",$VAR['_username']);
return;
}
if($result->fields['date_expire'] == "0" || $result->fields['date_expire'] == "")
$date_expire = time()+99;
if ($rs->fields['date_expire'] == 0 || ! $rs->fields['date_expire'])
$date_expire = time()+99;
else
$date_expire = $result->fields['date_expire'];
$date_expire = $rs->fields['date_expire'];
# Check that it is an active account
if ($rs->fields['status'] != 1 || $date_expire <= time()) {
# Inactive account
$C_debug->alert($C_translate->translate('login_inactive','',''));
# check that it is an active account
if($result->fields['status'] != "1" || $date_expire <= time())
{
# inactive account
$C_debug->alert($C_translate->translate('login_inactive','',''));
# Log as failed login
$this->lock_check($VAR,0,$id);
# log as failed login
$this->lock_check($VAR,"0",$id);
return;
}
else
{
# active account - check for password sharing if login_share module is installed
} else {
# Active account - check for password sharing if login_share module is installed
include_once(PATH_CORE.'list.inc.php');
$C_list = new CORE_list;
if($C_list->is_installed('login_share'))
{
$C_list = new CORE_list;
if ($C_list->is_installed('login_share')) {
include_once(PATH_MODULES.'login_share/login_share.inc.php');
$share = new login_share;
if(!$share->login($id, $VAR['_username']))
{
# shared account alert
if (! $share->login($id,$VAR['_username'])) {
# Shared account alert
$C_debug->alert($C_translate->translate('shared_account','login_share',''));
# log as failed login
$this->lock_check($VAR,"0",$id);
# Log as failed login
$this->lock_check($VAR,0,$id);
return;
}
}
return;
}
}
}
# set the expiry date of the login session
$date_expire = (time() + (SESSION_EXPIRE * 60));
# Set the expiry date of the login session
$date_expire = time()+(SESSION_EXPIRE*60);
# update the DB
$db = &DB();
$q = "UPDATE " . AGILE_DB_PREFIX . "session
SET
ip= '". USER_IP ."',
date_expire = '$date_expire',
logged = '1',
account_id = '$id'
WHERE
id = '" . SESS . "'
AND
site_id = '" . DEFAULT_SITE . "'";
$result = $db->Execute($q);
# Update the DB
$rs = $db->Execute(
sqlUpdate($db,'session',array('ip'=>USER_IP,'date_expire'=>$date_expire,'logged'=>1,'account_id'=>$id),array('id'=>SESS)));
# delete any old sessions for this account
$db = &DB();
$q = "DELETE FROM " . AGILE_DB_PREFIX . "session WHERE
account_id = '$id' AND
id != '" . SESS . "' AND
site_id = '" . DEFAULT_SITE . "'";
$result = $db->Execute($q);
# Delete any old sessions for this account
$rs = $db->Execute(sqlDelete($db,'session',sprintf('account_id=%s AND id!="%s"',$id,SESS)));
#return logged in message
# Return logged in message
$C_debug->alert($C_translate->translate('login_success','',''));
# Get the last successful login:
$db = &DB();
$q = "SELECT * FROM " . AGILE_DB_PREFIX . "login_log WHERE
account_id = ". $db->qstr($id)." AND
status = ". $db->qstr(1)." AND
site_id = ". $db->qstr(DEFAULT_SITE) . "
ORDER BY date_orig DESC LIMIT 1";
$result = $db->Execute($q);
if($result->RecordCount() != 0)
{
$ip = $result->fields["ip"];
$date = $result->fields["date_orig"];
$date1 = date(UNIX_DATE_FORMAT, $date);
$date1.= " ".date(DEFAULT_TIME_FORMAT, $date);
$rs = $db->Execute(
sqlSelect('login_log','ip,date_orig',array('where'=>array('account_id'=>$id,'status'=>1),'orderby'=>'date_orig DESC','limit'=>1)));
$message = $C_translate->translate('login_log_success','','');
$message = ereg_replace('%date%', $date1, $message);
$message = ereg_replace('%ip%', $ip, $message);
$C_debug->alert($message);
}
if ($rs && $rs->RecordCount())
$C_debug->alert(
str_replace('%DATE%',
sprintf('<b>%s %s</b>',date(UNIX_DATE_FORMAT,$rs->fields['date_orig']),date(DEFAULT_TIME_FORMAT,$rs->fields['date_orig'])),
str_replace('%IP%',sprintf('<b>%s</b>',$rs->fields['ip']),_('Last successful login was on %DATE% from %IP%'))));
# log the successful login
$this->lock_check($VAR,"1",$id);
# Log the successful login
$this->lock_check($VAR,1,$id);
}
public function logout($VAR) {
global $C_debug,$C_translate;
function logout ($VAR)
{
global $C_debug, $C_translate;
$db = &DB();
# logout the current session by editing the database record
$q = "UPDATE ". AGILE_DB_PREFIX ."session SET logged='0'
WHERE id = '" . SESS . "' AND
site_id = '" . DEFAULT_SITE . "'";
$result = $db->Execute($q);
# Logout the current session by editing the database record
$db->Execute(sqlUpdate($db,'session',array('logged'=>0),array('id'=>SESS)));
# delete any session caches!
$q = 'DELETE FROM '.AGILE_DB_PREFIX.'session_auth_cache WHERE
session_id = '. $db->qstr(SESS) .' AND
site_id = '. $db->qstr(DEFAULT_SITE);
$db->Execute($q);
# Delete any session caches!
$db->Execute(sqlDelete($db,'session_auth_cache',array('session_id'=>SESS)));
# logout success:
$C_debug->alert($C_translate->translate('logout_success','',''));
}
function locked ($account_id)
{
# @todo this should move to login_lock.inc.php
private function locked($account_id) {
global $C_list;
include_once(PATH_CORE.'list.inc.php');
$C_list = new CORE_list;
$C_list = new CORE_list;
if (! $C_list->is_installed('login_lock'))
return false;
if($account_id != '')
$sql = " OR account_id = '$account_id' AND ";
else
$sql = " AND ";
# check by IP & USER
$db = &DB();
$q = "SELECT id FROM " . AGILE_DB_PREFIX . "login_lock WHERE
ip = '" . USER_IP . "'";
$q .= $sql;
$q .= " date_expire >= '" . time() . "' AND
site_id = '" . DEFAULT_SITE . "'";
$result = $db->Execute($q);
$i = 0;
$rs = $db->Execute(
sqlSelect('login_lock','id',
array('where'=>
sprintf('ip=::%s:: AND date_expire>=%s %s',USER_IP,time(),$account_id ? sprintf('AND account_id=%s',$account_id) : ''))));
while (!$result->EOF)
{
$i++;
$result->MoveNext();
}
# return the results
if ($i > 0)
if ($rs && $rs->RecordCount())
return true;
else
return false;
}
# @todo this should move to login_lock.inc.php
private function lock_check($VAR,$status,$account_id) {
global $C_list;
include_once(PATH_CORE.'list.inc.php');
$C_list = new CORE_list;
function lock_check ($VAR,$status,$account_id)
{
# if this is a success, delete all login old login records..
/*
if($status == 1)
{
# delete all login attempts for this account
# (to clean the slate after the account login lock expires)
$db = &DB();
$q = "DELETE FROM " . AGILE_DB_PREFIX . "login_log WHERE
account_id = '$account_id' AND
site_id = '" . DEFAULT_SITE . "'";
$result = $db->Execute($q);
}
*/
# create the appropriate login attempt record.
$db = &DB();
$login_id = $db->GenID(AGILE_DB_PREFIX . 'login_log_id');
$q = "INSERT INTO " . AGILE_DB_PREFIX . "login_log SET
id = " . $db->qstr($login_id) . ",
ip = " . $db->qstr( USER_IP ) . ",
account_id = " . $db->qstr($account_id ) . ",
date_orig = " . $db->qstr(time()) . ",
status = " . $db->qstr($status ) . ",
site_id = " . $db->qstr(DEFAULT_SITE);
$result = $db->Execute($q);
# Create the appropriate login attempt record.
$db->Execute(sqlInsert($db,'login_log',array('ip'=>USER_IP,'account_id'=>$account_id,'date_orig'=>time(),'status'=>$status)));
# if this is a successfull login, we can now exit...
if($status == 1) return;
if ($status == 1 || ! $C_list->is_installed('login_lock'))
return true;
# determine the time period to check for login attempts after:
$date_orig = (time() - (LOGIN_ATTEMPT_TIME*60));
# Determine the time period to check for login attempts after:
$date_orig = time()-(LOGIN_ATTEMPT_TIME*60);
# check the database for all the failed login attempts from
# this IP withing the time period defined in the setup.
$q = "SELECT id FROM " . AGILE_DB_PREFIX . "login_log WHERE
ip = '" . USER_IP . "' AND
date_orig >= '$date_orig' AND
status = '0' AND
site_id = '" . DEFAULT_SITE . "'";
$result = $db->Execute($q);
$i = 0;
while (!$result->EOF)
{
$i++;
$result->MoveNext();
}
# Check the database for all the failed login attempts from this IP withing the time period defined in the setup.
$rs = $db->Execute(sqlSelect('login_log','COUNT(id) as id',array('where'=>sprintf('ip=::%s:: AND date_orig>=%s AND status=0',USER_IP,$date_orig))));
# Check that it does not exceed the allowed failed login attempts
if ($rs && $rs->fields['id']>=LOGIN_ATTEMPT_TRY) {
# Get the time this login block will expire:
$date_expire = time()+(LOGIN_ATTEMPT_LOCK*60);
# check that it does not exceed the allowed failed login attempts
if($i >= LOGIN_ATTEMPT_TRY)
{
# get the time this login block will expire:
$date_expire = (time() + (LOGIN_ATTEMPT_LOCK * 60));
# Delete all old blocks for this ip
$result = $db->Execute(sqlDelete($db,'login_lock',array('ip'=>USER_IP)));
# delete all old blocks for this ip
$q = "DELETE FROM " . AGILE_DB_PREFIX . "login_lock WHERE
ip = '" . USER_IP . "' AND
site_id = '" . DEFAULT_SITE . "'";
$result = $db->Execute($q);
# create a block on this login
$q = "INSERT INTO " . AGILE_DB_PREFIX . "login_lock SET
ip = '" . USER_IP . "',
date_orig = '".time()."',
date_expire = '$date_expire',
site_id = '" . DEFAULT_SITE . "'";
$result = $db->Execute($q);
# delete all login attempts for this account
# (to clean the slate after the account login lock expires)
$q = "DELETE FROM " . AGILE_DB_PREFIX . "login_log WHERE
ip = '" . USER_IP . "' AND
status = '0' AND
site_id = '" . DEFAULT_SITE . "'";
$result = $db->Execute($q);
# Create a block on this login
$result = $db->Execute(sqlInsert($db,'login_lock',array('ip'=>USER_IP,'date_orig'=>time(),'date_expire'=>$date_expire)));
}
}
}