Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Start removing protocol and path vars, rely on sRootPath (ChurchCRM#309)
- Loading branch information
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -116,32 +116,35 @@ | |
| if ($iUserID > 0) | ||
| { | ||
| // Get the information for the selected user | ||
| $sSQL = "SELECT * FROM user_usr WHERE usr_per_ID = '$iUserID'"; | ||
| extract(mysql_fetch_array(RunQuery($sSQL))); | ||
|
|
||
| $sSQL = "SELECT * FROM person_per WHERE per_ID = '$iUserID'"; | ||
| extract(mysql_fetch_array(RunQuery($sSQL))); | ||
|
|
||
| $bPasswordMatch = FALSE; | ||
|
|
||
| // Check the user password | ||
| $sPasswordHashSha256 = hash("sha256", $_POST['Password'].$iUserID); | ||
|
|
||
| // Block the login if a maximum login failure count has been reached | ||
| if ($iMaxFailedLogins > 0 && $usr_FailedLogins >= $iMaxFailedLogins) | ||
| { | ||
| $sErrorText = '<br>' . gettext('Too many failed logins: your account has been locked. Please contact an administrator.'); | ||
| } | ||
| // Does the password match? | ||
| elseif ($usr_Password != $sPasswordHashSha256) | ||
| { | ||
| // Increment the FailedLogins | ||
| $sSQL = 'UPDATE user_usr SET usr_FailedLogins = usr_FailedLogins + 1 '. | ||
| "WHERE usr_per_ID ='$iUserID'"; | ||
| RunQuery($sSQL); | ||
|
|
||
| // Set the error text | ||
| $sErrorText = ' ' . gettext('Invalid login or password'); | ||
| } | ||
| else | ||
| { | ||
| // Set the LastLogin and Increment the LoginCount | ||
| $sSQL = "UPDATE user_usr SET usr_LastLogin = NOW(), usr_LoginCount = usr_LoginCount + 1, usr_FailedLogins = 0 WHERE usr_per_ID ='$iUserID'"; | ||
| RunQuery($sSQL); | ||
|
|
@@ -165,7 +168,8 @@ | |
| $_SESSION['sEmailAddress'] = $per_Email; | ||
|
|
||
| // If user has administrator privilege, override other settings and enable all permissions. | ||
| if ($usr_Admin) | ||
| { | ||
| $_SESSION['bAddRecords'] = true; | ||
| $_SESSION['bEditRecords'] = true; | ||
| $_SESSION['bDeleteRecords'] = true; | ||
|
|
@@ -177,9 +181,9 @@ | |
| $_SESSION['bCanvasser'] = true; | ||
| $_SESSION['bAdmin'] = true; | ||
| } | ||
| // Otherwise, set the individual permissions. | ||
| else | ||
| { | ||
| // Set the Add permission | ||
| $_SESSION['bAddRecords'] = $usr_AddRecords; | ||
|
|
||
|
|
@@ -247,16 +251,12 @@ | |
| // Set the Root Path ... used in basic security check | ||
| $_SESSION['sRootPath'] = $sRootPath; | ||
|
|
||
This comment has been minimized.
Sorry, something went wrong. 
dschwen
Author
Owner
|
||
| // If PHP's magic quotes setting is turned off, we want to use a workaround to ensure security. | ||
| if (function_exists('get_magic_quotes_gpc')) | ||
| $_SESSION['bHasMagicQuotes'] = get_magic_quotes_gpc(); | ||
| else | ||
| $_SESSION['bHasMagicQuotes'] = 0; | ||
|
|
||
| // Pledge and payment preferences | ||
| $_SESSION['sshowPledges'] = $usr_showPledges; | ||
| $_SESSION['sshowPayments'] = $usr_showPayments; | ||
|
|
@@ -280,42 +280,46 @@ | |
| $_SESSION['bSearchFamily'] = $usr_SearchFamily; | ||
|
|
||
| if (isset($bEnableMRBS) && $bEnableMRBS) { | ||
| // set the session variable recognized by MRBS | ||
| $_SESSION["UserName"] = $UserName; | ||
|
|
||
| // Update the MRBS user record to match this ChurchInfo user | ||
| $iMRBSLevel = 0; | ||
| if ($usr_AddRecords) $iMRBSLevel = 1; | ||
| if ($usr_Admin) $iMRBSLevel = 2; | ||
|
|
||
| $sSQL = "INSERT INTO mrbs_users (id, level, name, email) VALUES ('$iUserID', '$iMRBSLevel', '$UserName', '$per_Email') ON DUPLICATE KEY UPDATE level='$iMRBSLevel', name='$UserName',email='$per_Email'"; | ||
| RunQuery($sSQL); | ||
| } | ||
|
|
||
| if (isset($bEnableWebCalendar) && $bEnableWebCalendar) | ||
| { | ||
| $sAdmin = ($usr_Admin ? 'Y' : 'N'); | ||
| $GLOBALS['login'] = $UserName; | ||
| $GLOBALS['firstname'] = $per_FirstName; | ||
| $GLOBALS['lastname'] = $per_LastName; | ||
| $GLOBALS['is_admin'] = $sAdmin; | ||
| $GLOBALS['email'] = $per_Email; | ||
| $GLOBALS['fullname'] = "$per_FirstName $per_LastName"; | ||
| $GLOBALS['enabled'] = 1; | ||
|
|
||
| $_SESSION['webcal_login'] = $UserName; | ||
|
|
||
| $sSQL = "INSERT INTO webcal_user (cal_login, cal_firstname, cal_lastname, cal_is_admin, cal_email) VALUES ('$UserName', '". mysql_real_escape_string ($per_FirstName)." ', '".mysql_real_escape_string ($per_LastName)."', '$sAdmin', '$per_Email') ON DUPLICATE KEY UPDATE cal_login='$UserName', cal_firstname='".mysql_real_escape_string ($per_FirstName)."', cal_lastname='".mysql_real_escape_string ($per_LastName)."',cal_is_admin='$sAdmin', cal_email='$per_Email'"; | ||
| RunQuery($sSQL); | ||
| } | ||
|
|
||
| // Redirect to the Menu | ||
| Redirect('CheckVersion.php'); | ||
| exit; | ||
| } | ||
| } | ||
|
|
||
| // Turn ON output buffering | ||
| ob_start(); | ||
|
|
||
| // Set the page title and include HTML header | ||
| $sPageTitle = "ChurchCRM - Login"; | ||
| require ("Include/HeaderNotLoggedIn.php"); | ||
| ?> | ||
|
|
||
|
|
@@ -328,60 +332,21 @@ | |
| <p class="login-box-msg"><?= gettext('Please Login'); ?></p> | ||
|
|
||
| <?php | ||
This comment has been minimized.
Sorry, something went wrong.
dschwen
Author
Owner
|
||
|
|
||
| $loginPageMsg = ''; | ||
| if (isset($_GET['timeout'])) { | ||
| $loginPageMsg = "Your previous session timed out. Please login again."; | ||
| } | ||
| if ($sErrorText != '') { | ||
| $loginPageMsg = $sErrorText; | ||
| } | ||
|
|
||
| if ($loginPageMsg != '') { ?> | ||
| <div class="alert alert-warning"><?= $loginPageMsg; ?></div><?php | ||
| } | ||
|
|
||
| ?><form class="form-signin" role="form" method="post" name="LoginForm" action="Default.php"> | ||
| <div class="form-group has-feedback"> | ||
| <input type="text" id="UserBox" name="User" class="form-control" placeholder="Email/Username" required autofocus> | ||
| <span class="glyphicon glyphicon-envelope form-control-feedback"></span> | ||
| </div> | ||
|
|
@@ -402,19 +367,14 @@ | |
| <button type="submit" class="btn btn-primary btn-block btn-flat"><?= gettext('Login'); ?></button> | ||
| </div> | ||
| </div> | ||
| </form> | ||
|
|
||
| <script language="JavaScript" type="text/JavaScript"> | ||
| document.LoginForm.User.focus(); | ||
| </script><?php | ||
|
|
||
| // | ||
| // Basic security checks: | ||
| // | ||
| // Check if https is required: | ||
| // Verify that page has an authorized URL in the browser address bar. | ||
|
|
@@ -423,19 +383,29 @@ | |
| // | ||
| if (isset($bLockURL) && ($bLockURL === TRUE)) | ||
| { | ||
| // get the URL of this page | ||
| $currentURL = 'http' . (isset($_SERVER['HTTPS']) ? 's' : '') . '://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']; | ||
This comment has been minimized.
Sorry, something went wrong.
dschwen
Author
Owner
|
||
|
|
||
| // chop off the query string | ||
| $currentURL = explode('?', $currentURL)[0]; | ||
|
|
||
| // check if this matches any one of teh whitelisted login URLS | ||
| $validURL = false; | ||
| foreach ($URL as $value) | ||
| if ($value === $currentURL) | ||
| { | ||
| $validURL = true; | ||
| break; | ||
| } | ||
|
|
||
| // jump to the first whitelisted url (TODO: maybe pick a ranodm URL?) | ||
| if (!$validURL) | ||
| { | ||
| header('Location: '.$URL[0]); | ||
| exit; | ||
| } | ||
| } | ||
|
|
||
| // | ||
| // End of basic security checks | ||
| // | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Every instance of
$sURLPathshould be replaceable by$sRootPath