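prefix ."messages (ts,". $dbconn->colname("message") .") values (". $dbconn->DateTime($now) .",". $dbconn->String($msg) .")"; $dbconn->Exec($query); }

/** ---------------------------------------------------------------------------
 * send a lost password or generate a new one
 *
 * Looks the login up in the people/addresses tables and mails the
 * "password.proto" template to the account's default e-mail address.
 *
 * When $tutos['pwlostsupport'] == 2 or the DB stores crypted passwords, a
 * fresh random password is set (and saved unless in demo mode) and mailed.
 * Otherwise the stored password is mailed as-is -- which is only possible
 * because the DB holds it in clear text in that configuration.
 *
 * Security note: the previous implementation derived the new password from
 * the *requester's* session id (substr(session_id(),0,8)).  The requester is
 * not the account owner in a lost-password flow, so anybody who submitted the
 * form for a victim's login knew the victim's new password.  The replacement
 * is drawn from a CSPRNG where the runtime provides one.
 *
 * @param object $dbconn database connection (by reference, as the caller passes it)
 * @param string $uname  login name as typed into the login form (untrusted)
 * @return array [0] => message for the login form, [1] => the same text
 */
function password_lost(&$dbconn,$uname) {
    global $tutos,$lang,$current_user;

    $query = "SELECT a.* ,p.*,p.id as u_id FROM ". $dbconn->prefix ."addresses a, ". $dbconn->prefix ."people p WHERE p.login = ". $dbconn->String(trim($uname)) ." AND p.adr_id = a.id";
    $result = $dbconn->Exec($query);

    $r = array();
    $r[0] = "";
    // NOTE(review): the reply names the login that was not found, so the
    // form discloses whether a login exists (user enumeration).  Kept, but the
    // echoed name is HTML-encoded because login_form() is not visible here and
    // check_user() encodes GET/POST text before handing it to the same form.
    if ( ! $result || 1 != $result->numrows() ) {
        $r[0] .= "unknown user '". HtmlEntities($uname) ."'";
        $r[0] .= "
you have to enter a valid username ";
        $r[1] = $r[0];
        return $r;
    }

    // NOTE(review): this overwrites the global $current_user with the
    // *target* account before any authentication has happened; the caller
    // relies on login_form() ending the request afterwards.
    $current_user = new tutos_user($dbconn);
    $current_user->read_result($result,0);
    $result->free();

    $m = $current_user->default_email();
    if ( empty($m) ) {
        $r[0] .= "no email found ";
        $r[1] = $r[0];
        return $r;
    }

    $mail = new mail();
    $mail->setFrom($current_user);
    $mail->addHeader("Sensitivity","Company-Confidential");
    $mail->setSubject("TUTOS: your account");
    $mail->addTo($current_user);

    $body = "";
    if ( ! findMailTemplate("password.proto",$current_user,$body) ) {
        $r[0] = sprintf($lang['Err0037'],$mail->subject,$body);
        $r[1] = $r[0];
        return $r;
    }

    if ( ($tutos['pwlostsupport'] == 2) || ($dbconn->db->crypt == 1) ) {
        // 8 hex characters (32 bits) from a CSPRNG -- same length as before,
        // but no longer known to the requester.  updatepw is set, which looks
        // like it forces a change on next login (confirm in tutos_user).
        if ( function_exists('random_bytes') ) {
            $raw = random_bytes(8);
        } elseif ( function_exists('openssl_random_pseudo_bytes') ) {
            $raw = openssl_random_pseudo_bytes(8);
        } else {
            // Very old PHP only: not a CSPRNG, but not an attacker-visible value either.
            $raw = sha1(uniqid(mt_rand(), true), true);
        }
        $current_user->setPassword(substr(bin2hex($raw),0,8));
        $current_user->updatepw = 1;
        if ( $tutos['demo'] != 1 ) {
            $current_user->save();
        } else {
            $r[0] .= "Sorry this feature is disabled in demo mode
";
        }
        $body = eregi_replace("@PW@",$current_user->pw,$body);
        // NOTE(review): these two patterns are empty in this copy of the file
        // (they look like markup tags lost in extraction); kept as found --
        // verify against the template markers in password.proto.
        $body = eregi_replace("","",$body);
        $body = eregi_replace("","",$body);
    } else {
        // Clear-text password path: the stored value is mailed unchanged.
        $body = eregi_replace("@PW@",$current_user->pw,$body);
        // NOTE(review): a bare ".*" pattern strips the whole body; the
        // original most likely wrapped it in template markers.  Kept as found.
        $body = eregi_replace(".*","",$body);
    }

    $body = eregi_replace("@TO@",$current_user->getFullName(),$body);

    // Requester address for the notification.  X-Forwarded-For is a
    // client-supplied header and is appended unverified: informational only.
    $ip = $_SERVER['REMOTE_ADDR'];
    if ( isset($_SERVER['HTTP_X_FORWARDED_FOR']) ) {
        $ip .= " ".$_SERVER['HTTP_X_FORWARDED_FOR'];
    }
    $body = eregi_replace("@IP@",$ip,$body);

    $mail->addBody($body,"text/plain","","",$current_user->lg['content_encoding']);
    $r[0] .= $mail->send();
    $r[1] = $r[0];
    return $r;
}

/** ---------------------------------------------------------------------------
 * (re)send the TUTOS session cookie
 *
 * Marks the cookie Secure when the request itself arrived over HTTPS and
 * HttpOnly where setcookie() supports the flag (PHP >= 5.2).  Deployments
 * that terminate TLS in front of PHP without setting $_SERVER['HTTPS'] get
 * the same non-Secure cookie as before.
 *
 * @param string $sessid session id to store in the cookie
 * @param string $path   cookie path
 * @param int    $expire absolute expiry timestamp
 */
function check_user_session_cookie($sessid, $path, $expire) {
    $secure = ( ! empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) != 'off' );
    if ( defined('PHP_VERSION_ID') && PHP_VERSION_ID >= 50200 ) {
        setcookie(session_name(), $sessid, $expire, $path, '', $secure, true);
    } else {
        setcookie(session_name(), $sessid, $expire, $path, '', $secure);
    }
}

/** ---------------------------------------------------------------------------
 * Check for permmision
 *
 * Establishes $current_user for this request: either resumes an existing
 * session (userid/dbnr from $_SESSION) or runs the configured auth module(s)
 * against the submitted credentials.  On any failure the auth module's
 * login_form() is shown; that call is assumed to end the request (it is not
 * visible here), as the code never returns explicitly after it.
 *
 * Session handling notes:
 *  - The session id is accepted from the cookie, POST or GET ("TUTOS").  The
 *    GET/POST forms look intentional (cookie-less clients) and are kept, but
 *    because they let a third party choose the id, a fresh id is issued with
 *    session_regenerate_id() as soon as credentials are verified so a planted
 *    id never becomes an authenticated session (session fixation).
 *  - The "msgid" lookup into $_SESSION is restricted so a client cannot read
 *    or unset the keys this function itself stores there.
 *  - Session ids are only logged truncated.
 *
 * @return object the authenticated tutos_user
 */
function check_user() {
    global $lang ,$dbconn , $current_user,$tutos, $confmsg, $msg, $calpath;

    $current_user= new tutos_user($dbconn);

    # determine if this is a intial session opener
    $initial_auth = true;

    # Take a possible transfered message to global namespace
    # Stuff that is delivered in an unsecure way (GET/POST) will be
    # handeld with HtmlEntities
    $msg = "";
    if ( isset($_POST['msg']) ) {
        $msg .= HtmlEntities(UrlDecode($_POST['msg']));
    } elseif ( isset($_GET['msg']) ) {
        $msg .= HtmlEntities(UrlDecode($_GET['msg']));
    } else {
        $msgid = null;
        if ( isset($_POST['msgid']) ) {
            $msgid = $_POST['msgid'];
        } elseif ( isset($_GET['msgid']) ) {
            $msgid = $_GET['msgid'];
        }
        if ( $msgid !== null ) {
            // Keys written further down in this function must not be readable
            // or removable through a client-chosen msgid.
            $reserved = array('userid','dbnr','username','lastseen','lasthost','path','server','client');
            if ( is_string($msgid) && ! in_array($msgid, $reserved, true) && isset($_SESSION[$msgid]) ) {
                $msg .= UrlDecode($_SESSION[$msgid]);
                unset($_SESSION[$msgid]);
            } else {
                $msg = "?";
            }
        }
    }
    if ( isset($confmsg) ) {
        $msg .= $confmsg;
    }

    if ( isset($_COOKIE['TUTOS']) ) {
        $tutos['SESSID'] = $_COOKIE['TUTOS'];
    } elseif ( isset($_POST['TUTOS']) ) {
        $tutos['SESSID'] = $_POST['TUTOS'];
    } elseif ( isset($_GET['TUTOS']) ) {
        $tutos['SESSID'] = $_GET['TUTOS'];
    }

    if ( $tutos['mailmode'] == 0 ) {
        $tutos['pwlostsupport'] = 0;
    }

    # load one auth module per space-separated entry of $tutos['authtype']
    # (configuration, not request data)
    $auth = array();
    $al = explode(" ",$tutos['authtype']);
    $cnt = 0;
    foreach ( $al as $a ) {
        require_once $calpath .'auth/auth_'. $a .'.pinc';
        // The class name must follow the single entry; using the whole
        // authtype string broke configurations with more than one module.
        $x = "auth_". $a;
        if ( class_exists($x) ) {
            $auth[$cnt++] = new $x();
        } else {
            die("Missing Authentification: ".$x ."\n(see \$tutos[authtype] parameter)\n");
        }
    }

    // NOTE(review): dbnr is passed straight to DB_Open(); the valid set of
    // values is not visible here -- confirm DB_Open() rejects unknown ones.
    if ( isset($_POST['dbnr']) ) {
        $db = $_POST['dbnr'];
    } elseif ( isset($_GET['dbnr']) ) {
        $db = $_GET['dbnr'];
    } else {
        $db = 0;
    }

    if ( isset($_POST['login']) ) {
        $action = $_POST['login'];
    } elseif ( isset($_GET['login']) ) {
        $action = $_GET['login'];
    } else {
        $action = "";
    }

    if ( isset($tutos['SESSID']) && (isset($_SESSION['userid']) && $_SESSION['userid'] != -1) ) {
        // there is a session
        session_id($tutos['SESSID']);
        $userid = isset($_SESSION['userid']) ? $_SESSION['userid'] : -1;
        $dbnr   = isset($_SESSION['dbnr'])   ? $_SESSION['dbnr']   : -1;
        if ( ($dbnr == -1) || ($userid == -1) ) {
            $userid = -1;
        }
        error_log("check_user: old session ". substr($tutos['SESSID'],0,8) ."... :". $_SERVER['PHP_SELF'] .": userid=". $userid ."\n",3,$tutos['errlog']);
    } else {
        $tutos['SESSID'] = session_id();
        $userid = -1;
        error_log("check_user: new session ". substr($tutos['SESSID'],0,8) ."... :". $_SERVER['PHP_SELF'] .": userid=". $userid ."\n",3,$tutos['errlog']);
        # For login we use default language (via browser settings)
        if ( free_login($dbconn) == 1 ) {
            ReadLang($lang);
            return $current_user;
        }
        if ( $auth[0]->getuname() == "" ) {
            ReadLang($lang);
            // NOTE(review): PHP_SELF is handed to the form unescaped here and
            // below; make sure login_form() HTML-encodes it.
            $auth[0]->login_form($_SERVER['PHP_SELF'],$msg);
        }
    }

    # update the TTL -- cookie path is the first segment of the request URI
    if ( isset($_SERVER['REQUEST_URI']) ) {
        $segments = explode("/",$_SERVER['REQUEST_URI']);
        $cookie_path = "/". (isset($segments[1]) ? $segments[1] : "");
    } else {
        $cookie_path = "/";
    }
    $cookie_expire = time() + 60 * $tutos['timetolive'];
    check_user_session_cookie($tutos['SESSID'], $cookie_path, $cookie_expire);

    if ( ($userid < 1) OR !is_numeric($userid) ) {
        # NOT LOGGED IN
        # For login we use default language (via browser settings)
        ReadLang($lang);

        if ( ($tutos['pwlostsupport'] > 0) && ($action == $lang['LostPassword']) ) {
            $dbconn = DB_Open($db);
            # find the entry
            $r = password_lost($dbconn,$auth[0]->getuname());
            $auth[0]->login_form($_SERVER['PHP_SELF'],$r[0]);
        }

        if ( $auth[0]->getuname() == "" || $auth[0]->getpw() == "" ) {
            /* No Username or no password supplied */
            if ( free_login($dbconn) == 1 ) {
                return $current_user;
            }
            # logmessage("missing uname or pw ");
            $msg .= "
". $lang['Err0025'];
            $auth[0]->login_form($_SERVER['PHP_SELF'],$msg);
        }

        $dbconn = DB_Open($db);
        $auth[0]->init($dbconn);
        $r = $auth[0]->check();
        if ( is_array($r) ) {
            error_log($r[0]."\n", 3, $tutos['errlog']);
            error_log($r[1]."\n", 3, $tutos['errlog']);
            logmessage($r[0]);
            $auth[0]->login_form($_SERVER['PHP_SELF'],$r[1]);
        }

        // Credentials verified: switch to a fresh session id before anything
        // privileged is stored, so an id planted via cookie/GET/POST before
        // login cannot be used by whoever planted it (session fixation).
        if ( session_id() != "" && session_regenerate_id(true) ) {
            $tutos['SESSID'] = session_id();
            check_user_session_cookie($tutos['SESSID'], $cookie_path, $cookie_expire);
        }
        $_SESSION['userid'] = $current_user->id;
        $_SESSION['dbnr'] = $db;

        ReadLang($lang);
        $msg .= sprintf($lang['Welcome_1'],$current_user->getFullname())."\n";
        $msg .= "
".sprintf($lang['Welcome_2'], $current_user->last_seen->getDateTime(),$current_user->last_host) ."
\n";
        logmessage("check_user: Logged in ". $current_user->id .":". $current_user->login .":". $current_user->getFullname());
        $initial_auth = true;
    } else {
        $initial_auth = false;
        $dbconn = DB_Open($dbnr);
        $current_user= new tutos_user($dbconn);
        $current_user = $current_user->read($userid,$current_user);
        ReadLang($lang);
        if ( $current_user->id == -1 ) {
            $msg .= "
". $lang['Err0028']; // account deleted
            logmessage($msg);
            $auth[0]->logout();
            $auth[0]->login_form($_SERVER['PHP_SELF'],$msg);
        }
        # idle timeout: last_seen is older than timetolive minutes
        $n = new DateTime();
        $diff = $n->getTimestamp() - $current_user->last_seen->getTimestamp();
        if ( $diff > (60 * $tutos['timetolive']) ) {
            $msg .= "
automated logout after ". $tutos['timetolive'] ." minutes ";
            logmessage($msg ." ". $current_user->getFullname());
            $auth[0]->logout();
            $auth[0]->login_form($_SERVER['PHP_SELF'],$msg);
        }
    }

    if ( $current_user->disabled == 1 ) {
        $msg .= "
".sprintf($lang['Err0049'],$current_user->login);
        $auth[0]->logout();
        logmessage($msg);
        $auth[0]->login_form($_SERVER['PHP_SELF'],$msg);
    }

    $current_user->update($initial_auth);

    $_SESSION['username'] = $current_user->getFullName();
    $_SESSION['lastseen'] = $current_user->last_seen->getTimeStamp();
    $_SESSION['lasthost'] = $current_user->last_host;
    $_SESSION['path']     = ini_get("session.cookie_path");
    $_SESSION['server']   = isset($_SERVER["HTTP_HOST"])       ? $_SERVER["HTTP_HOST"]       : "?";
    $_SESSION['client']   = isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : "?";

    # offset between the default TZ and the user's TZ, only needed for the
    # DB types listed below
    $x = Date("Z");  # this happens in Default TZ
    $dbconn->TimeZone($current_user->tz);
    $y = Date("Z");
    if ( ($dbconn->gettype() == "MySQL") || ($dbconn->gettype() == "Oracle") ) {
        $current_user->offset = ($y - $x);
    } else {
        $current_user->offset = 0;
    }

    if ( session_id() == "" ) {
        $auth[0]->login_form($_SERVER['PHP_SELF'],"No Session");
    }

    # Do this only once !!  basename() keeps the theme name to a single path
    # component, so a client cannot point it outside the theme directory.
    if ( isset($_GET['th']) ) {
        $current_user->themename = basename(strtolower($_GET['th']));
    } elseif ( isset($_POST['th']) ) {
        $current_user->themename = basename(strtolower($_POST['th']));
    }

    $current_user->read_permissions();
    ReadISOCntryCde();
    ReadHolidayInfo();
    ReadNamedayInfo();
    return $current_user;
};

/** ---------------------------------------------------------------------------
 * modifies select-query for checking acl
 * uses SQL92 subselect
 * for mysql-user: "Subselects are currently being implemented in the 4.1 development tree."
 * maybe redesign with two select-statements
 * DOES THIS WORK with TEAMS in TEAMS ??
 *
 * Wraps $query so that only rows with an acl entry of perm >= seeok for the
 * user, for everyone (adr_id=0) or for one of the user's teams survive.
 * Admins and installations with use_check_dbacl != 1 get the query unchanged.
 *
 * Both values interpolated into the SQL are constrained: $user_id is cast to
 * int and $id_name must be a plain identifier (otherwise the default "id" is
 * used), since this function cannot tell where its callers obtained them.
 *
 * @param string $query   SELECT statement, rewritten in place
 * @param int    $user_id address id whose permissions are checked
 * @param string $id_name column of $query that carries the object id
 */
function check_dbacl( &$query, $user_id, $id_name="id") {
    global $tutos,$current_user;

    if ( ($tutos['use_check_dbacl'] != 1) || is_admin($current_user) ) {
        return;
    }
    $uid = (int) $user_id;
    if ( ! preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $id_name) ) {
        $id_name = "id";
    }
    $seeok = (int) $tutos['seeok'];

    $query = "SELECT DISTINCT i.* FROM (".$query.") AS i, adrteam t , acl a "
           . "WHERE i.".$id_name."=a.obj_id AND a.perm>=".$seeok
           ." AND ((a.adr_id=".$uid . ") OR (a.adr_id=0) OR ((t.adr_id=".$uid.") AND (a.adr_id=t.team_id)))";
}
?>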