Commit e9de4595 authored by Loui Chang's avatar Loui Chang Committed by Dan McGee

Several functions added to web/lib/acctfuncs.inc Weeere back!



try_login() to login users

valid_username() checks if a new username fits criteria

valid_user() checks if the user exists in the database

good_passwd() only checks for minimum password length for now.
can be later expanded to tell a user to make a stronger password.

valid_passwd() checks if the password for the specified user is correct

user_suspended() checks if the user is suspended (or not)

user_delete() deletes a user (it doesn't orphan PKGs yet though)

user_is_privileged() returns privilege level User (0) TU (2) Dev (3) of
user ID. 0 is used for a regular user for ease in conditionals.

Also:	Enforce proper usernames on account creation or editing
	Fix bug where $SUPPORTED_LANGS needs to be reset on account creation
	Fix bug where an account could be created with an empty passwd
	Display (required) beside password fields on account creation
	Enforce good_passwd() on account creation

	TUs and Devs can edit a user to have a username that doesn't conform to
	the standard valid_username(). This is to allow them to edit old
	accounts without messing up the user name.

Signed-off-by: default avatarLoui Chang <louipc.ist@gmail.com>
parent b2816c13
......@@ -79,7 +79,7 @@ function display_account_form($UTYPE,$A,$U="",$T="",$S="",
print "<td align='left'>".__("Password").":</td>";
print "<td align='left'><input type='password' size='30' maxlength='32'";
print " name='P' value='".$P."'>";
if ($TYPE == "new") {
if ($A != "UpdateAccount") {
print " (".__("required").")";
}
print "</td></tr>\n";
......@@ -88,7 +88,7 @@ function display_account_form($UTYPE,$A,$U="",$T="",$S="",
print "<td align='left'>".__("Re-type password").":</td>";
print "<td align='left'><input type='password' size='30' maxlength='32'";
print " name='C' value='".$C."'>";
if ($TYPE == "new") {
if ($A != "UpdateAccount") {
print " (".__("required").")";
}
print "</td></tr>\n";
......@@ -108,6 +108,8 @@ function display_account_form($UTYPE,$A,$U="",$T="",$S="",
print "<tr>";
print "<td align='left'>".__("Language").":</td>";
print "<td align='left'><select name=L>\n";
reset($SUPPORTED_LANGS);
while (list($code, $lang) = each($SUPPORTED_LANGS)) {
if ($L == $code) {
print "<option value=".$code." selected> ".$lang."\n";
......@@ -132,6 +134,7 @@ function display_account_form($UTYPE,$A,$U="",$T="",$S="",
print "<tr>";
print "<td>&nbsp;</td>";
print "<td align='left'>";
if ($A == "UpdateAccount") {
print "<input type='submit' class='button'";
print " value='".__("Update")."'> &nbsp; ";
......@@ -173,15 +176,21 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="",
#
global $SUPPORTED_LANGS;
if(isset($_COOKIE['AURSID']))
$editor_user = uid_from_sid($_COOKIE['AURSID']);
else
$editor_user = null;
$dbh = db_connect();
$error = "";
if (!isset($E) || !isset($U)) {
if (empty($E) || empty($U)) {
$error = __("Missing a required field.");
}
if ($TYPE == "new") {
# they need password fields for this type of action
#
if (!isset($P) || !isset($C)) {
if (empty($P) || empty($C)) {
$error = __("Missing a required field.");
}
} else {
......@@ -189,9 +198,22 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="",
$error = __("Missing User ID");
}
}
if (!$error && !valid_username($U) && !user_is_privileged($editor_user))
$error = __("The username is invalid.") . "<ul>\n"
."<li>" . __("It must be " . USERNAME_MIN_LEN . "-" . USERNAME_MAX_LEN
. " characters long") . "</li>"
. "<li>" . __("start and end with a letter or number") . "</li>"
. "<li>" . __("can contain only one period, underscore or hyphen.")
. "</li>\n</ul>";
if (!$error && $P && $C && ($P != $C)) {
$error = __("Password fields do not match.");
}
if (!$error && $P != '' && !good_passwd($P))
$error = __("Your password must be at least " . PASSWD_MIN_LEN
. " characters.");
if (!$error && !valid_email($E)) {
$error = __("The email address is invalid.");
}
......@@ -578,5 +600,190 @@ function display_account_info($U="",$T="",
return;
}
/*
* Returns SID (Session ID) and error (error message) in an array
* SID of 0 means login failed.
* There should be a better way of doing this...I think
*/
function try_login() {
$login_error = "";
$new_sid = "";
$userID = null;
if ( isset($_REQUEST['user']) || isset($_REQUEST['passwd']) ) {
$userID = valid_user($_REQUEST['user']);
if ( user_suspended( $userID ) ) {
$login_error = "Account Suspended.";
}
elseif ( $userID && isset($_REQUEST['passwd'])
&& valid_passwd($userID, $_REQUEST['passwd']) ) {
$logged_in = 0;
$num_tries = 0;
# Account looks good. Generate a SID and store it.
#
$dbh = db_connect();
while (!$logged_in && $num_tries < 5) {
$new_sid = new_sid();
$q = "INSERT INTO Sessions (UsersID, SessionID, LastUpdateTS)"
." VALUES ( $userID, '" . $new_sid . "', UNIX_TIMESTAMP())";
$result = db_query($q, $dbh);
# Query will fail if $new_sid is not unique
#
if ($result) {
$logged_in = 1;
break;
}
$num_tries++;
}
if ($logged_in) {
# set our SID cookie
setcookie("AURSID", $new_sid, 0, "/");
# header("Location: /index.php");
header("Location: " . $_SERVER['PHP_SELF']);
$login_error = "";
}
else {
$login_error = "Error trying to generate session id.";
}
}
else {
$login_error = "Bad username or password.";
}
}
return array('SID' => $new_sid, 'error' => $login_error);
}
/*
* Only checks if the name itself is valid
* Longer or equal to USERNAME_MIN_LEN
* Shorter or equal to USERNAME_MAX_LEN
* Starts and ends with a letter or number
* Contains at most ONE dot, hyphen, or underscore
* Returns the username if it is valid
* Returns nothing if it isn't valid
*/
function valid_username( $user )
{
#Is it non-empty?
if (!empty($user)) {
#Is username at not too short or too long?
if ( strlen($user) >= USERNAME_MIN_LEN &&
strlen($user) <= USERNAME_MAX_LEN ) {
$user = strtolower($user);
#Does username:
# start and end with a letter or number
# contain only letters and numbers,
# and at most has one dash, period, or underscore
if ( preg_match("/^[a-z0-9]+[.\-_]?[a-z0-9]+$/", $user) ) {
#All is good return the username
return $user;
}
}
}
return;
}
/*
* Checks if the username is valid and if it exists in the database
* Returns the username ID or nothing
*/
function valid_user( $user )
{
/* if ( $user = valid_username($user) ) { */
if ( $user ) {
$dbh = db_connect();
$q = "SELECT ID FROM Users WHERE Username = '"
. mysql_real_escape_string($user). "'";
$result = mysql_fetch_row(db_query($q, $dbh));
#Is the username in the database?
if ($result[0]) {
return $result[0];
}
}
return;
}
function good_passwd( $passwd )
{
if ( strlen($passwd) >= PASSWD_MIN_LEN ) {
return true;
}
return false;
}
/* Verifies that the password is correct for the userID specified.
* Returns true or false
*/
function valid_passwd( $userID, $passwd )
{
if ( good_passwd($passwd) ) {
$dbh = db_connect();
$q = "SELECT ID FROM Users".
" WHERE ID = '$userID'" .
" AND Passwd = '" . md5($passwd) . "'";
$result = mysql_fetch_row(db_query($q, $dbh));
if ($result[0]) {
#is it the right password?
return true;
}
}
return false;
}
/*
* Is the user account suspended?
*/
function user_suspended( $id )
{
$dbh = db_connect();
$q = "SELECT Suspended FROM Users WHERE ID = '$id'";
$result = mysql_fetch_row(db_query($q, $dbh));
if ($result[0] == 1 ) {
return true;
}
return false;
}
/*
* This should be expanded to return something
* TODO: Handle orphaning of user's packages
*/
function user_delete( $id )
{
$dbh = db_connect();
$q = "DELETE FROM Users WHERE ID = '$id'";
$result = mysql_fetch_row(db_query($q, $dbh));
return;
}
/*
* A different way of determining a user's privileges
* rather than account_from_sid()
*/
function user_is_privileged( $id )
{
$dbh = db_connect();
$q = "SELECT AccountTypeID FROM Users WHERE ID = '$id'";
$result = mysql_fetch_row(db_query($q, $dbh));
if( $result[0] > 1)
return $result[0];
return 0;
}
# vim: ts=2 sw=2 noet ft=php
?>
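Review bot: user_suspended(), user_delete() and user_is_privileged() interpolate `$id` straight into the query (`WHERE ID = '$id'`) with no escaping or integer cast; the one caller visible in this hunk passes a value read back from the database, but the helpers are generic and their signatures enforce nothing, so each should coerce first, e.g. `$q = "DELETE FROM Users WHERE ID = " . intval($id);`, and valid_passwd() should do the same with `$userID`. user_delete() also wraps its DELETE in `mysql_fetch_row()`, which expects a result resource rather than the boolean a DELETE returns; drop the wrapper and check the return of db_query() instead. In try_login() the suspended check runs before the password is verified, so "Account Suspended." is returned for any existing suspended username regardless of the password supplied, which discloses account status to an unauthenticated caller; moving that branch inside the successful valid_passwd() path keeps the response uniform. The `isset($_REQUEST['user']) || isset($_REQUEST['passwd'])` guard should be `&&`, since a request carrying only `passwd` reaches `$_REQUEST['user']` undefined.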