summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorLoui Chang <louipc.ist@gmail.com>2007-10-04 01:47:01 -0400
committerDan McGee <dan@archlinux.org>2008-01-19 23:49:35 -0600
commite9de45954ae404fe1952fec067aad57bcd787a96 (patch)
tree08c757c7828c76a0fed9fdddf5c6e48b216ac4e9
parentb2816c13cfe9bee50220d63685f78788467e990e (diff)
downloadaurweb-e9de45954ae404fe1952fec067aad57bcd787a96.tar.xz
Several functions added to web/lib/acctfuncs.inc Weeere back!
try_login() to login users valid_username() checks if a new username fits criteria valid_user() checks if the user exists in the database good_passwd() only checks for minimum password length for now. can be later expanded to tell a user to make a stronger password. valid_passwd() checks if the password for the specified user is correct user_suspended() checks if the user is suspended (or not) user_delete() deletes a user (it doesn't orphan PKGs yet though) user_is_privileged() returns privilege level User (0) TU (2) Dev (3) of user ID. 0 is used for a regular user for ease in conditionals. Also: Enforce proper usernames on account creation or editing Fix bug where $SUPPORTED_LANGS needs to be reset on account creation Fix bug where an account could be created with an empty passwd Display (required) beside password fields on account creation Enforce good_passwd() on account creation TUs and Devs can edit a user to have a username that doesn't conform to the standard valid_username(). This is to allow them to edit old accounts without messing up the user name. Signed-off-by: Loui Chang <louipc.ist@gmail.com>
-rw-r--r--web/lib/acctfuncs.inc215
1 files changed, 211 insertions, 4 deletions
diff --git a/web/lib/acctfuncs.inc b/web/lib/acctfuncs.inc
index ef8e774..2968adb 100644
--- a/web/lib/acctfuncs.inc
+++ b/web/lib/acctfuncs.inc
@@ -79,7 +79,7 @@ function display_account_form($UTYPE,$A,$U="",$T="",$S="",
print "<td align='left'>".__("Password").":</td>";
print "<td align='left'><input type='password' size='30' maxlength='32'";
print " name='P' value='".$P."'>";
- if ($TYPE == "new") {
+ if ($A != "UpdateAccount") {
print " (".__("required").")";
}
print "</td></tr>\n";
@@ -88,7 +88,7 @@ function display_account_form($UTYPE,$A,$U="",$T="",$S="",
print "<td align='left'>".__("Re-type password").":</td>";
print "<td align='left'><input type='password' size='30' maxlength='32'";
print " name='C' value='".$C."'>";
- if ($TYPE == "new") {
+ if ($A != "UpdateAccount") {
print " (".__("required").")";
}
print "</td></tr>\n";
@@ -108,6 +108,8 @@ function display_account_form($UTYPE,$A,$U="",$T="",$S="",
print "<tr>";
print "<td align='left'>".__("Language").":</td>";
print "<td align='left'><select name=L>\n";
+
+ reset($SUPPORTED_LANGS);
while (list($code, $lang) = each($SUPPORTED_LANGS)) {
if ($L == $code) {
print "<option value=".$code." selected> ".$lang."\n";
@@ -132,6 +134,7 @@ function display_account_form($UTYPE,$A,$U="",$T="",$S="",
print "<tr>";
print "<td>&nbsp;</td>";
print "<td align='left'>";
+
if ($A == "UpdateAccount") {
print "<input type='submit' class='button'";
print " value='".__("Update")."'> &nbsp; ";
@@ -173,15 +176,21 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="",
#
global $SUPPORTED_LANGS;
+ if(isset($_COOKIE['AURSID']))
+ $editor_user = uid_from_sid($_COOKIE['AURSID']);
+ else
+ $editor_user = null;
+
$dbh = db_connect();
$error = "";
- if (!isset($E) || !isset($U)) {
+ if (empty($E) || empty($U)) {
$error = __("Missing a required field.");
}
+
if ($TYPE == "new") {
# they need password fields for this type of action
#
- if (!isset($P) || !isset($C)) {
+ if (empty($P) || empty($C)) {
$error = __("Missing a required field.");
}
} else {
@@ -189,9 +198,22 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="",
$error = __("Missing User ID");
}
}
+
+ if (!$error && !valid_username($U) && !user_is_privileged($editor_user))
+ $error = __("The username is invalid.") . "<ul>\n"
+ ."<li>" . __("It must be " . USERNAME_MIN_LEN . "-" . USERNAME_MAX_LEN
+ . " characters long") . "</li>"
+ . "<li>" . __("start and end with a letter or number") . "</li>"
+ . "<li>" . __("can contain only one period, underscore or hyphen.")
+ . "</li>\n</ul>";
+
if (!$error && $P && $C && ($P != $C)) {
$error = __("Password fields do not match.");
}
+ if (!$error && $P != '' && !good_passwd($P))
+ $error = __("Your password must be at least " . PASSWD_MIN_LEN
+ . " characters.");
+
if (!$error && !valid_email($E)) {
$error = __("The email address is invalid.");
}
@@ -578,5 +600,190 @@ function display_account_info($U="",$T="",
return;
}
+/*
+ * Returns SID (Session ID) and error (error message) in an array
+ * SID of 0 means login failed.
+ * There should be a better way of doing this...I think
+ */
+function try_login() {
+ $login_error = "";
+ $new_sid = "";
+ $userID = null;
+
+ if ( isset($_REQUEST['user']) || isset($_REQUEST['passwd']) ) {
+
+
+ $userID = valid_user($_REQUEST['user']);
+
+ if ( user_suspended( $userID ) ) {
+ $login_error = "Account Suspended.";
+ }
+ elseif ( $userID && isset($_REQUEST['passwd'])
+ && valid_passwd($userID, $_REQUEST['passwd']) ) {
+
+ $logged_in = 0;
+ $num_tries = 0;
+
+ # Account looks good. Generate a SID and store it.
+ #
+
+ $dbh = db_connect();
+ while (!$logged_in && $num_tries < 5) {
+ $new_sid = new_sid();
+ $q = "INSERT INTO Sessions (UsersID, SessionID, LastUpdateTS)"
+ ." VALUES ( $userID, '" . $new_sid . "', UNIX_TIMESTAMP())";
+ $result = db_query($q, $dbh);
+ # Query will fail if $new_sid is not unique
+ #
+ if ($result) {
+ $logged_in = 1;
+ break;
+ }
+ $num_tries++;
+ }
+ if ($logged_in) {
+ # set our SID cookie
+
+ setcookie("AURSID", $new_sid, 0, "/");
+# header("Location: /index.php");
+ header("Location: " . $_SERVER['PHP_SELF']);
+ $login_error = "";
+
+ }
+ else {
+ $login_error = "Error trying to generate session id.";
+ }
+ }
+ else {
+ $login_error = "Bad username or password.";
+ }
+ }
+ return array('SID' => $new_sid, 'error' => $login_error);
+}
+
+/*
+ * Only checks if the name itself is valid
+ * Longer or equal to USERNAME_MIN_LEN
+ * Shorter or equal to USERNAME_MAX_LEN
+ * Starts and ends with a letter or number
+ * Contains at most ONE dot, hyphen, or underscore
+ * Returns the username if it is valid
+ * Returns nothing if it isn't valid
+ */
+function valid_username( $user )
+{
+
+ #Is it non-empty?
+ if (!empty($user)) {
+
+ #Is username at not too short or too long?
+ if ( strlen($user) >= USERNAME_MIN_LEN &&
+ strlen($user) <= USERNAME_MAX_LEN ) {
+
+ $user = strtolower($user);
+ #Does username:
+ # start and end with a letter or number
+ # contain only letters and numbers,
+ # and at most has one dash, period, or underscore
+ if ( preg_match("/^[a-z0-9]+[.\-_]?[a-z0-9]+$/", $user) ) {
+ #All is good return the username
+ return $user;
+ }
+ }
+ }
+
+ return;
+}
+
+/*
+ * Checks if the username is valid and if it exists in the database
+ * Returns the username ID or nothing
+ */
+function valid_user( $user )
+{
+ /* if ( $user = valid_username($user) ) { */
+ if ( $user ) {
+ $dbh = db_connect();
+ $q = "SELECT ID FROM Users WHERE Username = '"
+ . mysql_real_escape_string($user). "'";
+
+ $result = mysql_fetch_row(db_query($q, $dbh));
+ #Is the username in the database?
+ if ($result[0]) {
+ return $result[0];
+ }
+ }
+ return;
+}
+
+function good_passwd( $passwd )
+{
+ if ( strlen($passwd) >= PASSWD_MIN_LEN ) {
+ return true;
+ }
+ return false;
+}
+
+/* Verifies that the password is correct for the userID specified.
+ * Returns true or false
+ */
+function valid_passwd( $userID, $passwd )
+{
+ if ( good_passwd($passwd) ) {
+ $dbh = db_connect();
+ $q = "SELECT ID FROM Users".
+ " WHERE ID = '$userID'" .
+ " AND Passwd = '" . md5($passwd) . "'";
+
+ $result = mysql_fetch_row(db_query($q, $dbh));
+ if ($result[0]) {
+ #is it the right password?
+ return true;
+ }
+ }
+ return false;
+}
+
+/*
+ * Is the user account suspended?
+ */
+function user_suspended( $id )
+{
+ $dbh = db_connect();
+ $q = "SELECT Suspended FROM Users WHERE ID = '$id'";
+ $result = mysql_fetch_row(db_query($q, $dbh));
+ if ($result[0] == 1 ) {
+ return true;
+ }
+ return false;
+}
+
+/*
+ * This should be expanded to return something
+ * TODO: Handle orphaning of user's packages
+ */
+function user_delete( $id )
+{
+ $dbh = db_connect();
+ $q = "DELETE FROM Users WHERE ID = '$id'";
+ $result = mysql_fetch_row(db_query($q, $dbh));
+ return;
+}
+
+/*
+ * A different way of determining a user's privileges
+ * rather than account_from_sid()
+ */
+function user_is_privileged( $id )
+{
+ $dbh = db_connect();
+ $q = "SELECT AccountTypeID FROM Users WHERE ID = '$id'";
+ $result = mysql_fetch_row(db_query($q, $dbh));
+ if( $result[0] > 1)
+ return $result[0];
+ return 0;
+
+}
+
# vim: ts=2 sw=2 noet ft=php
?>