- revert feature 564: log the login of each user; but add the possibility to be

done by a plugin
- create a "standard" way to define PHP functions that we use but might not be
available in the current php version
- when a comment is rejected (spam, anti-flood etc), put the content back to the
browser in case there is a real user behind it
- now a comment can be entered only if the page was retrieved between 2 seconds
ago and 1 hour ago

git-svn-id: http://piwigo.org/svn/trunk@1744 68402e56-0260-453c-a942-63ccdbb3a9ee

8 files changed, 120 insertions, 63 deletions

diff --git a/include/common.inc.php b/include/common.inc.php
index 5a0a82ff9..aea694639 100644
--- a/include/common.inc.php
+++ b/include/common.inc.php
@@ -121,6 +121,17 @@ if (!defined('PHPWG_INSTALLED'))
   exit;
 }
 
+foreach( array(
+  'array_intersect_key', //PHP 5 >= 5.1.0RC1
+  'hash_hmac', //(hash) - enabled by default as of PHP 5.1.2
+  ) as $func)
+{
+  if (!function_exists($func))
+  {
+    include_once(PHPWG_ROOT_PATH . 'include/php_compat/'.$func.'.php');
+  }
+}
+
 include(PHPWG_ROOT_PATH . 'include/config_default.inc.php');
 @include(PHPWG_ROOT_PATH. 'include/config_local.inc.php');
 include(PHPWG_ROOT_PATH . 'include/constants.php');
diff --git a/include/functions_html.inc.php b/include/functions_html.inc.php
index 8b544defa..bb8861ba4 100644
--- a/include/functions_html.inc.php
+++ b/include/functions_html.inc.php
@@ -717,5 +717,6 @@ function set_status_header($code, $text='')
   }
   header("HTTP/1.1 $code $text");
   header("Status: $code $text");
+  trigger_action('set_status_header', $code, $text);
 }
 ?>
diff --git a/include/functions_search.inc.php b/include/functions_search.inc.php
index 8f1105caf..24b676e1f 100644
--- a/include/functions_search.inc.php
+++ b/include/functions_search.inc.php
@@ -252,23 +252,6 @@ SELECT DISTINCT(id)
   return $items;
 }
 
-
-if (!function_exists('array_intersect_key')) {
-   function array_intersect_key()
-   {
-       $arrs = func_get_args();
-       $result = array_shift($arrs);
-       foreach ($arrs as $array) {
-           foreach ($result as $key => $v) {
-               if (!array_key_exists($key, $array)) {
-                   unset($result[$key]);
-               }
-           }
-       }
-       return $result;
-   }
-}
-
 /**
  * returns the LIKE sql clause corresponding to the quick search query $q
  * and the field $field. example q="john bill", field="file" will return
diff --git a/include/functions_user.inc.php b/include/functions_user.inc.php
index 5499eb86c..74c1c81f1 100644
--- a/include/functions_user.inc.php
+++ b/include/functions_user.inc.php
@@ -858,8 +858,9 @@ function get_language_filepath($filename, $dirname = '')
 /**
  * returns the auto login key or false on error
  * @param int user_id
+ * @param string [out] username
 */
-function calculate_auto_login_key($user_id)
+function calculate_auto_login_key($user_id, &$username)
 {
   global $conf;
   $query = '
@@ -871,7 +872,12 @@ WHERE '.$conf['user_fields']['id'].' = '.$user_id;
   if (mysql_num_rows($result) > 0)
   {
     $row = mysql_fetch_assoc($result);
-    $key = sha1( $row['username'].$row['password'] );
+    $username = $row['username'];
+    $data = $row['username'].$row['password'];
+    $key = base64_encode(
+      pack('H*', sha1($data))
+      .hash_hmac('md5', $data, $conf['secret_key'],true)
+      );
     return $key;
   }
   return false;
@@ -889,7 +895,7 @@ function log_user($user_id, $remember_me)
 
   if ($remember_me and $conf['authorize_remembering'])
   {
-    $key = calculate_auto_login_key($user_id);
+    $key = calculate_auto_login_key($user_id, $username);
     if ($key!==false)
     {
       $cookie = array('id' => (int)$user_id, 'key' => $key);
@@ -928,12 +934,13 @@ function auto_login() {
   if ( isset( $_COOKIE[$conf['remember_me_name']] ) )
   {
     $cookie = unserialize(stripslashes($_COOKIE[$conf['remember_me_name']]));
-    if ($cookie!==false)
+    if ($cookie!==false and is_numeric(@$cookie['id']) )
     {
-      $key = calculate_auto_login_key($cookie['id']);
+      $key = calculate_auto_login_key( $cookie['id'], $username );
       if ($key!==false and $key===$cookie['key'])
       {
         log_user($cookie['id'], true);
+        trigger_action('login_success', $username);
         return true;
       }
     }
@@ -942,6 +949,31 @@ function auto_login() {
   return false;
 }
 
+/**
+ * Tries to login a user given username and password (must be MySql escaped)
+ * return true on success
+ */
+function try_log_user($username, $password, $remember_me)
+{
+  global $conf;
+  // retrieving the encrypted password of the login submitted
+  $query = '
+SELECT '.$conf['user_fields']['id'].' AS id,
+       '.$conf['user_fields']['password'].' AS password
+  FROM '.USERS_TABLE.'
+  WHERE '.$conf['user_fields']['username'].' = \''.$username.'\'
+;';
+  $row = mysql_fetch_assoc(pwg_query($query));
+  if ($row['password'] == $conf['pass_convert']($password))
+  {
+    log_user($row['id'], $remember_me);
+    trigger_action('login_success', $username);
+    return true;
+  }
+  trigger_action('login_failure', $username);
+  return false;
+}
+
 /*
  * Return access_type definition of uuser
  * Test does with user status
diff --git a/include/php_compat/array_intersect_key.php b/include/php_compat/array_intersect_key.php
new file mode 100644
index 000000000..748b8f6f1
--- /dev/null
+++ b/include/php_compat/array_intersect_key.php
@@ -0,0 +1,35 @@
+<?php
+// http://www.php.net/manual/en/function.array-intersect-key.php
+// PHP 5 >= 5.1.0RC1
+function array_intersect_key()
+{
+  $args = func_get_args();
+  if (count($args) < 2) {
+      trigger_error('Wrong parameter count for array_intersect_key()', E_USER_WARNING);
+      return;
+  }
+
+  // Check arrays
+  $array_count = count($args);
+  for ($i = 0; $i !== $array_count; $i++) {
+      if (!is_array($args[$i])) {
+          trigger_error('array_intersect_key() Argument #' . ($i + 1) . ' is not an array', E_USER_WARNING);
+          return;
+      }
+  }
+
+  // Compare entries
+  $result = array();
+  foreach ($args[0] as $key1 => $value1) {
+      for ($i = 1; $i !== $array_count; $i++) {
+          foreach ($args[$i] as $key2 => $value2) {
+              if ((string) $key1 === (string) $key2) {
+                  $result[$key1] = $value1;
+              }
+          }
+      }
+  }
+
+  return $result;
+}
+?>
\ No newline at end of file
diff --git a/include/php_compat/hash_hmac.php b/include/php_compat/hash_hmac.php
new file mode 100644
index 000000000..5f05e370c
--- /dev/null
+++ b/include/php_compat/hash_hmac.php
@@ -0,0 +1,25 @@
+<?php
+//(hash) - enabled by default as of PHP 5.1.2
+function hash_hmac($algo, $data, $key, $raw_output=false)
+{
+  /* md5 and sha1 only */
+  $algo=strtolower($algo);
+  $p=array('md5'=>'H32','sha1'=>'H40');
+  if ( !isset($p[$algo]) or !function_exists($algo) )
+  {
+    $algo = 'md5';
+  }
+  if(strlen($key)>64) $key=pack($p[$algo],$algo($key));
+  if(strlen($key)<64) $key=str_pad($key,64,chr(0));
+
+  $ipad=substr($key,0,64) ^ str_repeat(chr(0x36),64);
+  $opad=substr($key,0,64) ^ str_repeat(chr(0x5C),64);
+
+  $ret = $algo($opad.pack($p[$algo],$algo($ipad.$data)));
+  if ($raw_output)
+  {
+    $ret = pack('H*', $ret);
+  }
+  return $ret;
+}
+?>
\ No newline at end of file
diff --git a/include/picture_comment.inc.php b/include/picture_comment.inc.php
index fbbe80d50..faf1d9d7d 100644
--- a/include/picture_comment.inc.php
+++ b/include/picture_comment.inc.php
@@ -30,32 +30,6 @@
  *
  */
 
-if (!function_exists('hash_hmac'))
-{
-function hash_hmac($algo, $data, $key, $raw_output=false)
-{
-  /* md5 and sha1 only */
-  $algo=strtolower($algo);
-  $p=array('md5'=>'H32','sha1'=>'H40');
-  if ( !isset($p[$algo]) or !function_exists($algo) )
-  {
-    $algo = 'md5';
-  }
-  if(strlen($key)>64) $key=pack($p[$algo],$algo($key));
-  if(strlen($key)<64) $key=str_pad($key,64,chr(0));
-
-  $ipad=substr($key,0,64) ^ str_repeat(chr(0x36),64);
-  $opad=substr($key,0,64) ^ str_repeat(chr(0x5C),64);
-
-  $ret = $algo($opad.pack($p[$algo],$algo($ipad.$data)));
-  if ($raw_output)
-  {
-    $ret = pack('H*', $ret);
-  }
-  return $ret;
-}
-}
-
 //returns string action to perform on a new comment: validate, moderate, reject
 function user_comment_check($action, $comment, $picture)
 {
@@ -166,7 +140,8 @@ if ( $page['show_comments'] and isset( $_POST['content'] ) )
 
   $key = explode(':', @$_POST['key']);
   if ( count($key)!=2
-        or $key[0]>time() or $key[0]<time()-1800 // 30 minutes expiration
+        or $key[0]>time()-2 // page must have been retrieved more than 2 sec ago
+        or $key[0]<time()-3600 // 60 minutes expiration
         or hash_hmac('md5', $key[0], $conf['secret_key'])!=$key[1]
       )
   {
@@ -257,6 +232,7 @@ if ( $page['show_comments'] and isset( $_POST['content'] ) )
   }
   else
   {
+    set_status_header(403);
     $template->assign_block_vars('information',
           array('INFORMATION'=>l10n('comment_not_added') )
         );
@@ -354,9 +330,15 @@ SELECT id,author,date,image_id,content
   {
     $key = time();
     $key .= ':'.hash_hmac('md5', $key, $conf['secret_key']);
+    $content = '';
+    if ('reject'===@$comment_action)
+    {
+      $content = htmlspecialchars($comm['content']);
+    }
     $template->assign_block_vars('comments.add_comment',
         array(
-          'key' => $key
+          'KEY' => $key,
+          'CONTENT' => $content
         ));
     // display author field if the user is not logged in
     if ($user['is_the_guest'])
diff --git a/include/ws_functions.inc.php b/include/ws_functions.inc.php
index 849407ef2..61310265b 100644
--- a/include/ws_functions.inc.php
+++ b/include/ws_functions.inc.php
@@ -494,20 +494,8 @@ function ws_session_login($params, &$service)
   {
     return new PwgError(400, "This method requires POST");
   }
-
-  $username = $params['username'];
-  // retrieving the encrypted password of the login submitted
-  $query = '
-SELECT '.$conf['user_fields']['id'].' AS id,
-       '.$conf['user_fields']['password'].' AS password
-  FROM '.USERS_TABLE.'
-  WHERE '.$conf['user_fields']['username'].' = \''.$username.'\'
-;';
-  $row = mysql_fetch_assoc(pwg_query($query));
-
-  if ($row['password'] == $conf['pass_convert']($params['password']))
+  if (try_log_user($params['username'], $params['password'],false))
   {
-    log_user($row['id'], false);
     return true;
   }
   return new PwgError(999, 'Invalid username/password');