evolution-cms /
evolution
@@ -1,23 +1,23 @@ discard block |
||
| 1 | 1 | <?php |
| 2 | -if(!isset($_SERVER['HTTP_ACCEPT_LANGUAGE'])) { |
|
| 2 | +if (!isset($_SERVER['HTTP_ACCEPT_LANGUAGE'])) { |
|
| 3 | 3 | header('HTTP/1.0 404 Not Found'); |
| 4 | 4 | exit('error'); |
| 5 | 5 | } |
| 6 | -define('IN_MANAGER_MODE', true); // we use this to make sure files are accessed through |
|
| 6 | +define('IN_MANAGER_MODE', true); // we use this to make sure files are accessed through |
|
| 7 | 7 | define('MODX_API_MODE', true); |
| 8 | -include_once(__DIR__ . '/../../index.php'); |
|
| 8 | +include_once(__DIR__.'/../../index.php'); |
|
| 9 | 9 | $modx->db->connect(); |
| 10 | 10 | $modx->getSettings(); |
| 11 | 11 | $modx->invokeEvent('OnManagerPageInit'); |
| 12 | 12 | $modx->loadExtension('ManagerAPI'); |
| 13 | 13 | $modx->loadExtension('phpass'); |
| 14 | 14 | |
| 15 | -$core_path = MODX_MANAGER_PATH . 'includes/'; |
|
| 15 | +$core_path = MODX_MANAGER_PATH.'includes/'; |
|
| 16 | 16 | // include_once the language file |
| 17 | 17 | $_lang = array(); |
| 18 | 18 | include_once("{$core_path}lang/english.inc.php"); |
| 19 | 19 | |
| 20 | -if($manager_language !== 'english' && is_file("{$core_path}lang/{$manager_language}.inc.php")) { |
|
| 20 | +if ($manager_language !== 'english' && is_file("{$core_path}lang/{$manager_language}.inc.php")) { |
|
| 21 | 21 | include_once("{$core_path}lang/{$manager_language}.inc.php"); |
| 22 | 22 | } |
| 23 | 23 | |
@@ -25,7 +25,7 @@ discard block |
||
| 25 | 25 | include_once("{$core_path}log.class.inc.php"); |
| 26 | 26 | |
| 27 | 27 | // Initialize System Alert Message Queque |
| 28 | -if(!isset($_SESSION['SystemAlertMsgQueque'])) { |
|
| 28 | +if (!isset($_SESSION['SystemAlertMsgQueque'])) { |
|
| 29 | 29 | $_SESSION['SystemAlertMsgQueque'] = array(); |
| 30 | 30 | } |
| 31 | 31 | $SystemAlertMsgQueque = &$_SESSION['SystemAlertMsgQueque']; |
@@ -51,7 +51,7 @@ discard block |
||
| 51 | 51 | $rs = $modx->db->select($fields, $from, $where); |
| 52 | 52 | $limit = $modx->db->getRecordCount($rs); |
| 53 | 53 | |
| 54 | -if($limit == 0 || $limit > 1) { |
|
| 54 | +if ($limit == 0 || $limit > 1) { |
|
| 55 | 55 | jsAlert($_lang['login_processor_unknown_user']); |
| 56 | 56 | return; |
| 57 | 57 | } |
@@ -73,32 +73,32 @@ discard block |
||
| 73 | 73 | |
| 74 | 74 | // get the user settings from the database |
| 75 | 75 | $rs = $modx->db->select('setting_name, setting_value', '[+prefix+]user_settings', "user='{$internalKey}' AND setting_value!=''"); |
| 76 | -while($row = $modx->db->getRow($rs)) { |
|
| 76 | +while ($row = $modx->db->getRow($rs)) { |
|
| 77 | 77 | extract($row); |
| 78 | 78 | ${$setting_name} = $setting_value; |
| 79 | 79 | } |
| 80 | 80 | |
| 81 | 81 | // blocked due to number of login errors. |
| 82 | -if($failedlogins >= $failed_allowed && $blockeduntildate > time()) { |
|
| 82 | +if ($failedlogins >= $failed_allowed && $blockeduntildate > time()) { |
|
| 83 | 83 | @session_destroy(); |
| 84 | 84 | session_unset(); |
| 85 | - if($cip = getenv("HTTP_CLIENT_IP")) { |
|
| 85 | + if ($cip = getenv("HTTP_CLIENT_IP")) { |
|
| 86 | 86 | $ip = $cip; |
| 87 | - } elseif($cip = getenv("HTTP_X_FORWARDED_FOR")) { |
|
| 87 | + } elseif ($cip = getenv("HTTP_X_FORWARDED_FOR")) { |
|
| 88 | 88 | $ip = $cip; |
| 89 | - } elseif($cip = getenv("REMOTE_ADDR")) { |
|
| 89 | + } elseif ($cip = getenv("REMOTE_ADDR")) { |
|
| 90 | 90 | $ip = $cip; |
| 91 | 91 | } else { |
| 92 | 92 | $ip = "UNKNOWN"; |
| 93 | 93 | } |
| 94 | 94 | $log = new logHandler; |
| 95 | - $log->initAndWriteLog("Login Fail (Temporary Block)", $internalKey, $username, "119", $internalKey, "IP: " . $ip); |
|
| 95 | + $log->initAndWriteLog("Login Fail (Temporary Block)", $internalKey, $username, "119", $internalKey, "IP: ".$ip); |
|
| 96 | 96 | jsAlert($_lang['login_processor_many_failed_logins']); |
| 97 | 97 | return; |
| 98 | 98 | } |
| 99 | 99 | |
| 100 | 100 | // blocked due to number of login errors, but get to try again |
| 101 | -if($failedlogins >= $failed_allowed && $blockeduntildate < time()) { |
|
| 101 | +if ($failedlogins >= $failed_allowed && $blockeduntildate < time()) { |
|
| 102 | 102 | $fields = array(); |
| 103 | 103 | $fields['failedlogincount'] = '0'; |
| 104 | 104 | $fields['blockeduntil'] = time() - 1; |
@@ -106,7 +106,7 @@ discard block |
||
| 106 | 106 | } |
| 107 | 107 | |
| 108 | 108 | // this user has been blocked by an admin, so no way he's loggin in! |
| 109 | -if($blocked == '1') { |
|
| 109 | +if ($blocked == '1') { |
|
| 110 | 110 | @session_destroy(); |
| 111 | 111 | session_unset(); |
| 112 | 112 | jsAlert($_lang['login_processor_blocked1']); |
@@ -114,7 +114,7 @@ discard block |
||
| 114 | 114 | } |
| 115 | 115 | |
| 116 | 116 | // blockuntil: this user has a block until date |
| 117 | -if($blockeduntildate > time()) { |
|
| 117 | +if ($blockeduntildate > time()) { |
|
| 118 | 118 | @session_destroy(); |
| 119 | 119 | session_unset(); |
| 120 | 120 | jsAlert($_lang['login_processor_blocked2']); |
@@ -122,7 +122,7 @@ discard block |
||
| 122 | 122 | } |
| 123 | 123 | |
| 124 | 124 | // blockafter: this user has a block after date |
| 125 | -if($blockedafterdate > 0 && $blockedafterdate < time()) { |
|
| 125 | +if ($blockedafterdate > 0 && $blockedafterdate < time()) { |
|
| 126 | 126 | @session_destroy(); |
| 127 | 127 | session_unset(); |
| 128 | 128 | jsAlert($_lang['login_processor_blocked3']); |
@@ -130,24 +130,24 @@ discard block |
||
| 130 | 130 | } |
| 131 | 131 | |
| 132 | 132 | // allowed ip |
| 133 | -if($allowed_ip) { |
|
| 134 | - if(($hostname = gethostbyaddr($_SERVER['REMOTE_ADDR'])) && ($hostname != $_SERVER['REMOTE_ADDR'])) { |
|
| 135 | - if(gethostbyname($hostname) != $_SERVER['REMOTE_ADDR']) { |
|
| 133 | +if ($allowed_ip) { |
|
| 134 | + if (($hostname = gethostbyaddr($_SERVER['REMOTE_ADDR'])) && ($hostname != $_SERVER['REMOTE_ADDR'])) { |
|
| 135 | + if (gethostbyname($hostname) != $_SERVER['REMOTE_ADDR']) { |
|
| 136 | 136 | jsAlert($_lang['login_processor_remotehost_ip']); |
| 137 | 137 | return; |
| 138 | 138 | } |
| 139 | 139 | } |
| 140 | - if(!in_array($_SERVER['REMOTE_ADDR'], array_filter(array_map('trim', explode(',', $allowed_ip))))) { |
|
| 140 | + if (!in_array($_SERVER['REMOTE_ADDR'], array_filter(array_map('trim', explode(',', $allowed_ip))))) { |
|
| 141 | 141 | jsAlert($_lang['login_processor_remote_ip']); |
| 142 | 142 | return; |
| 143 | 143 | } |
| 144 | 144 | } |
| 145 | 145 | |
| 146 | 146 | // allowed days |
| 147 | -if($allowed_days) { |
|
| 147 | +if ($allowed_days) { |
|
| 148 | 148 | $date = getdate(); |
| 149 | 149 | $day = $date['wday'] + 1; |
| 150 | - if(!in_array($day,explode(',',$allowed_days))) { |
|
| 150 | + if (!in_array($day, explode(',', $allowed_days))) { |
|
| 151 | 151 | jsAlert($_lang['login_processor_date']); |
| 152 | 152 | return; |
| 153 | 153 | } |
@@ -164,33 +164,33 @@ discard block |
||
| 164 | 164 | |
| 165 | 165 | // check if plugin authenticated the user |
| 166 | 166 | $matchPassword = false; |
| 167 | -if(!isset($rt) || !$rt || (is_array($rt) && !in_array(true, $rt))) { |
|
| 167 | +if (!isset($rt) || !$rt || (is_array($rt) && !in_array(true, $rt))) { |
|
| 168 | 168 | // check user password - local authentication |
| 169 | 169 | $hashType = $modx->manager->getHashType($dbasePassword); |
| 170 | - if($hashType == 'phpass') { |
|
| 170 | + if ($hashType == 'phpass') { |
|
| 171 | 171 | $matchPassword = login($username, $_REQUEST['password'], $dbasePassword); |
| 172 | - } elseif($hashType == 'md5') { |
|
| 172 | + } elseif ($hashType == 'md5') { |
|
| 173 | 173 | $matchPassword = loginMD5($internalKey, $_REQUEST['password'], $dbasePassword, $username); |
| 174 | - } elseif($hashType == 'v1') { |
|
| 174 | + } elseif ($hashType == 'v1') { |
|
| 175 | 175 | $matchPassword = loginV1($internalKey, $_REQUEST['password'], $dbasePassword, $username); |
| 176 | 176 | } else { |
| 177 | 177 | $matchPassword = false; |
| 178 | 178 | } |
| 179 | -} else if($rt === true || (is_array($rt) && in_array(true, $rt))) { |
|
| 179 | +} else if ($rt === true || (is_array($rt) && in_array(true, $rt))) { |
|
| 180 | 180 | $matchPassword = true; |
| 181 | 181 | } |
| 182 | 182 | |
| 183 | -if(!$matchPassword) { |
|
| 183 | +if (!$matchPassword) { |
|
| 184 | 184 | jsAlert($_lang['login_processor_wrong_password']); |
| 185 | 185 | incrementFailedLoginCount($internalKey, $failedlogins, $failed_allowed, $blocked_minutes); |
| 186 | 186 | return; |
| 187 | 187 | } |
| 188 | 188 | |
| 189 | -if($modx->config['use_captcha'] == 1) { |
|
| 190 | - if(!isset ($_SESSION['veriword'])) { |
|
| 189 | +if ($modx->config['use_captcha'] == 1) { |
|
| 190 | + if (!isset ($_SESSION['veriword'])) { |
|
| 191 | 191 | jsAlert($_lang['login_processor_captcha_config']); |
| 192 | 192 | return; |
| 193 | - } elseif($_SESSION['veriword'] != $captcha_code) { |
|
| 193 | + } elseif ($_SESSION['veriword'] != $captcha_code) { |
|
| 194 | 194 | jsAlert($_lang['login_processor_bad_code']); |
| 195 | 195 | incrementFailedLoginCount($internalKey, $failedlogins, $failed_allowed, $blocked_minutes); |
| 196 | 196 | return; |
@@ -218,25 +218,25 @@ discard block |
||
| 218 | 218 | $_SESSION['mgrPermissions'] = $modx->db->getRow($rs); |
| 219 | 219 | |
| 220 | 220 | // successful login so reset fail count and update key values |
| 221 | -$modx->db->update('failedlogincount=0, ' . 'logincount=logincount+1, ' . 'lastlogin=thislogin, ' . 'thislogin=' . time() . ', ' . "sessionid='{$currentsessionid}'", '[+prefix+]user_attributes', "internalKey='{$internalKey}'"); |
|
| 221 | +$modx->db->update('failedlogincount=0, '.'logincount=logincount+1, '.'lastlogin=thislogin, '.'thislogin='.time().', '."sessionid='{$currentsessionid}'", '[+prefix+]user_attributes', "internalKey='{$internalKey}'"); |
|
| 222 | 222 | |
| 223 | 223 | // get user's document groups |
| 224 | 224 | $i = 0; |
| 225 | -$rs = $modx->db->select('uga.documentgroup', $modx->getFullTableName('member_groups') . ' ug |
|
| 226 | - INNER JOIN ' . $modx->getFullTableName('membergroup_access') . ' uga ON uga.membergroup=ug.user_group', "ug.member='{$internalKey}'"); |
|
| 225 | +$rs = $modx->db->select('uga.documentgroup', $modx->getFullTableName('member_groups').' ug |
|
| 226 | + INNER JOIN ' . $modx->getFullTableName('membergroup_access').' uga ON uga.membergroup=ug.user_group', "ug.member='{$internalKey}'"); |
|
| 227 | 227 | $_SESSION['mgrDocgroups'] = $modx->db->getColumn('documentgroup', $rs); |
| 228 | 228 | |
| 229 | 229 | $_SESSION['mgrToken'] = md5($currentsessionid); |
| 230 | 230 | |
| 231 | -if($rememberme == '1') { |
|
| 232 | - $_SESSION['modx.mgr.session.cookie.lifetime'] = (int)$modx->config['session.cookie.lifetime']; |
|
| 231 | +if ($rememberme == '1') { |
|
| 232 | + $_SESSION['modx.mgr.session.cookie.lifetime'] = (int) $modx->config['session.cookie.lifetime']; |
|
| 233 | 233 | |
| 234 | 234 | // Set a cookie separate from the session cookie with the username in it. |
| 235 | 235 | // Are we using secure connection? If so, make sure the cookie is secure |
| 236 | 236 | global $https_port; |
| 237 | 237 | |
| 238 | 238 | $secure = ((isset ($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on') || $_SERVER['SERVER_PORT'] == $https_port); |
| 239 | - if(version_compare(PHP_VERSION, '5.2', '<')) { |
|
| 239 | + if (version_compare(PHP_VERSION, '5.2', '<')) { |
|
| 240 | 240 | setcookie('modx_remember_manager', $_SESSION['mgrShortname'], time() + 60 * 60 * 24 * 365, MODX_BASE_URL, '; HttpOnly', $secure); |
| 241 | 241 | } else { |
| 242 | 242 | setcookie('modx_remember_manager', $_SESSION['mgrShortname'], time() + 60 * 60 * 24 * 365, MODX_BASE_URL, NULL, $secure, true); |
@@ -251,9 +251,9 @@ discard block |
||
| 251 | 251 | // Check if user already has an active session, if not check if user pressed logout end of last session |
| 252 | 252 | $rs = $modx->db->select('lasthit', $modx->getFullTableName('active_user_sessions'), "internalKey='{$internalKey}'"); |
| 253 | 253 | $activeSession = $modx->db->getValue($rs); |
| 254 | -if(!$activeSession) { |
|
| 254 | +if (!$activeSession) { |
|
| 255 | 255 | $rs = $modx->db->select('lasthit', $modx->getFullTableName('active_users'), "internalKey='{$internalKey}' AND action != 8"); |
| 256 | - if($lastHit = $modx->db->getValue($rs)) { |
|
| 256 | + if ($lastHit = $modx->db->getValue($rs)) { |
|
| 257 | 257 | $_SESSION['show_logout_reminder'] = array( |
| 258 | 258 | 'type' => 'logout_reminder', |
| 259 | 259 | 'lastHit' => $lastHit |
@@ -274,17 +274,17 @@ discard block |
||
| 274 | 274 | |
| 275 | 275 | // check if we should redirect user to a web page |
| 276 | 276 | $rs = $modx->db->select('setting_value', '[+prefix+]user_settings', "user='{$internalKey}' AND setting_name='manager_login_startup'"); |
| 277 | -$id = (int)$modx->db->getValue($rs); |
|
| 278 | -if($id > 0) { |
|
| 279 | - $header = 'Location: ' . $modx->makeUrl($id, '', '', 'full'); |
|
| 280 | - if($_POST['ajax'] == 1) { |
|
| 277 | +$id = (int) $modx->db->getValue($rs); |
|
| 278 | +if ($id > 0) { |
|
| 279 | + $header = 'Location: '.$modx->makeUrl($id, '', '', 'full'); |
|
| 280 | + if ($_POST['ajax'] == 1) { |
|
| 281 | 281 | echo $header; |
| 282 | 282 | } else { |
| 283 | 283 | header($header); |
| 284 | 284 | } |
| 285 | 285 | } else { |
| 286 | - $header = 'Location: ' . MODX_MANAGER_URL; |
|
| 287 | - if($_POST['ajax'] == 1) { |
|
| 286 | + $header = 'Location: '.MODX_MANAGER_URL; |
|
| 287 | + if ($_POST['ajax'] == 1) { |
|
| 288 | 288 | echo $header; |
| 289 | 289 | } else { |
| 290 | 290 | header($header); |
@@ -296,12 +296,12 @@ discard block |
||
| 296 | 296 | * |
| 297 | 297 | * @param string $msg |
| 298 | 298 | */ |
| 299 | -function jsAlert($msg) { |
|
| 299 | +function jsAlert($msg){ |
|
| 300 | 300 | global $modx; |
| 301 | - if($_POST['ajax'] != 1) { |
|
| 302 | - echo "<script>window.setTimeout(\"alert('" . addslashes($modx->db->escape($msg)) . "')\",10);history.go(-1)</script>"; |
|
| 301 | + if ($_POST['ajax'] != 1) { |
|
| 302 | + echo "<script>window.setTimeout(\"alert('".addslashes($modx->db->escape($msg))."')\",10);history.go(-1)</script>"; |
|
| 303 | 303 | } else { |
| 304 | - echo $msg . "\n"; |
|
| 304 | + echo $msg."\n"; |
|
| 305 | 305 | } |
| 306 | 306 | } |
| 307 | 307 | |
@@ -311,7 +311,7 @@ discard block |
||
| 311 | 311 | * @param string $dbasePassword |
| 312 | 312 | * @return bool |
| 313 | 313 | */ |
| 314 | -function login($username, $givenPassword, $dbasePassword) { |
|
| 314 | +function login($username, $givenPassword, $dbasePassword){ |
|
| 315 | 315 | global $modx; |
| 316 | 316 | return $modx->phpass->CheckPassword($givenPassword, $dbasePassword); |
| 317 | 317 | } |
@@ -323,21 +323,21 @@ discard block |
||
| 323 | 323 | * @param string $username |
| 324 | 324 | * @return bool |
| 325 | 325 | */ |
| 326 | -function loginV1($internalKey, $givenPassword, $dbasePassword, $username) { |
|
| 326 | +function loginV1($internalKey, $givenPassword, $dbasePassword, $username){ |
|
| 327 | 327 | global $modx; |
| 328 | 328 | |
| 329 | 329 | $user_algo = $modx->manager->getV1UserHashAlgorithm($internalKey); |
| 330 | 330 | |
| 331 | - if(!isset($modx->config['pwd_hash_algo']) || empty($modx->config['pwd_hash_algo'])) { |
|
| 331 | + if (!isset($modx->config['pwd_hash_algo']) || empty($modx->config['pwd_hash_algo'])) { |
|
| 332 | 332 | $modx->config['pwd_hash_algo'] = 'UNCRYPT'; |
| 333 | 333 | } |
| 334 | 334 | |
| 335 | - if($user_algo !== $modx->config['pwd_hash_algo']) { |
|
| 335 | + if ($user_algo !== $modx->config['pwd_hash_algo']) { |
|
| 336 | 336 | $bk_pwd_hash_algo = $modx->config['pwd_hash_algo']; |
| 337 | 337 | $modx->config['pwd_hash_algo'] = $user_algo; |
| 338 | 338 | } |
| 339 | 339 | |
| 340 | - if($dbasePassword != $modx->manager->genV1Hash($givenPassword, $internalKey)) { |
|
| 340 | + if ($dbasePassword != $modx->manager->genV1Hash($givenPassword, $internalKey)) { |
|
| 341 | 341 | return false; |
| 342 | 342 | } |
| 343 | 343 | |
@@ -353,10 +353,10 @@ discard block |
||
| 353 | 353 | * @param string $username |
| 354 | 354 | * @return bool |
| 355 | 355 | */ |
| 356 | -function loginMD5($internalKey, $givenPassword, $dbasePassword, $username) { |
|
| 356 | +function loginMD5($internalKey, $givenPassword, $dbasePassword, $username){ |
|
| 357 | 357 | global $modx; |
| 358 | 358 | |
| 359 | - if($dbasePassword != md5($givenPassword)) { |
|
| 359 | + if ($dbasePassword != md5($givenPassword)) { |
|
| 360 | 360 | return false; |
| 361 | 361 | } |
| 362 | 362 | updateNewHash($username, $givenPassword); |
@@ -367,7 +367,7 @@ discard block |
||
| 367 | 367 | * @param string $username |
| 368 | 368 | * @param string $password |
| 369 | 369 | */ |
| 370 | -function updateNewHash($username, $password) { |
|
| 370 | +function updateNewHash($username, $password){ |
|
| 371 | 371 | global $modx; |
| 372 | 372 | |
| 373 | 373 | $field = array(); |
@@ -381,23 +381,23 @@ discard block |
||
| 381 | 381 | * @param int $failed_allowed |
| 382 | 382 | * @param int $blocked_minutes |
| 383 | 383 | */ |
| 384 | -function incrementFailedLoginCount($internalKey, $failedlogins, $failed_allowed, $blocked_minutes) { |
|
| 384 | +function incrementFailedLoginCount($internalKey, $failedlogins, $failed_allowed, $blocked_minutes){ |
|
| 385 | 385 | global $modx; |
| 386 | 386 | |
| 387 | 387 | $failedlogins += 1; |
| 388 | 388 | |
| 389 | 389 | $fields = array('failedlogincount' => $failedlogins); |
| 390 | - if($failedlogins >= $failed_allowed) //block user for too many fail attempts |
|
| 390 | + if ($failedlogins >= $failed_allowed) //block user for too many fail attempts |
|
| 391 | 391 | { |
| 392 | 392 | $fields['blockeduntil'] = time() + ($blocked_minutes * 60); |
| 393 | 393 | } |
| 394 | 394 | |
| 395 | 395 | $modx->db->update($fields, '[+prefix+]user_attributes', "internalKey='{$internalKey}'"); |
| 396 | 396 | |
| 397 | - if($failedlogins < $failed_allowed) { |
|
| 397 | + if ($failedlogins < $failed_allowed) { |
|
| 398 | 398 | //sleep to help prevent brute force attacks |
| 399 | 399 | $sleep = (int) $failedlogins / 2; |
| 400 | - if($sleep > 5) { |
|
| 400 | + if ($sleep > 5) { |
|
| 401 | 401 | $sleep = 5; |
| 402 | 402 | } |
| 403 | 403 | sleep($sleep); |
