diff options
| author | rvelices <rv-github@modusoptimus.com> | 2007-01-23 01:22:52 +0000 |
|---|---|---|
| committer | rvelices <rv-github@modusoptimus.com> | 2007-01-23 01:22:52 +0000 |
| commit | e90aaffbd551a2e80b67cb67362519b16ee61203 (patch) | |
| tree | 1f449b20b66d1321860db9762b126ed8d48068dc /include/functions_user.inc.php | |
| parent | 767064c9fe94e28acb77a1123c2853281d13f2d1 (diff) | |
- revert feature 564: log the login of each user; but add the possibility to be
done by a plugin
- create a "standard" way to define PHP functions that we use but might not be
available in the current php version
- when a comment is rejected (spam, anti-flood etc), put the content back to the
browser in case there is a real user behind it
- now a comment can be entered only if the page was retrieved between 2 seconds
ago and 1 hour ago
git-svn-id: http://piwigo.org/svn/trunk@1744 68402e56-0260-453c-a942-63ccdbb3a9ee
Diffstat (limited to 'include/functions_user.inc.php')
| -rw-r--r-- | include/functions_user.inc.php | 42 |
1 files changed, 37 insertions, 5 deletions
diff --git a/include/functions_user.inc.php b/include/functions_user.inc.php index 5499eb86c..74c1c81f1 100644 --- a/include/functions_user.inc.php +++ b/include/functions_user.inc.php @@ -858,8 +858,9 @@ function get_language_filepath($filename, $dirname = '') /** * returns the auto login key or false on error * @param int user_id + * @param string [out] username */ -function calculate_auto_login_key($user_id) +function calculate_auto_login_key($user_id, &$username) { global $conf; $query = ' @@ -871,7 +872,12 @@ WHERE '.$conf['user_fields']['id'].' = '.$user_id; if (mysql_num_rows($result) > 0) { $row = mysql_fetch_assoc($result); - $key = sha1( $row['username'].$row['password'] ); + $username = $row['username']; + $data = $row['username'].$row['password']; + $key = base64_encode( + pack('H*', sha1($data)) + .hash_hmac('md5', $data, $conf['secret_key'],true) + ); return $key; } return false; @@ -889,7 +895,7 @@ function log_user($user_id, $remember_me) if ($remember_me and $conf['authorize_remembering']) { - $key = calculate_auto_login_key($user_id); + $key = calculate_auto_login_key($user_id, $username); if ($key!==false) { $cookie = array('id' => (int)$user_id, 'key' => $key); @@ -928,12 +934,13 @@ function auto_login() { if ( isset( $_COOKIE[$conf['remember_me_name']] ) ) { $cookie = unserialize(stripslashes($_COOKIE[$conf['remember_me_name']])); - if ($cookie!==false) + if ($cookie!==false and is_numeric(@$cookie['id']) ) { - $key = calculate_auto_login_key($cookie['id']); + $key = calculate_auto_login_key( $cookie['id'], $username ); if ($key!==false and $key===$cookie['key']) { log_user($cookie['id'], true); + trigger_action('login_success', $username); return true; } } @@ -942,6 +949,31 @@ function auto_login() { return false; } +/** + * Tries to login a user given username and password (must be MySql escaped) + * return true on success + */ +function try_log_user($username, $password, $remember_me) +{ + global $conf; + // retrieving the encrypted password of the login submitted + $query = ' +SELECT '.$conf['user_fields']['id'].' AS id, + '.$conf['user_fields']['password'].' AS password + FROM '.USERS_TABLE.' + WHERE '.$conf['user_fields']['username'].' = \''.$username.'\' +;'; + $row = mysql_fetch_assoc(pwg_query($query)); + if ($row['password'] == $conf['pass_convert']($password)) + { + log_user($row['id'], $remember_me); + trigger_action('login_success', $username); + return true; + } + trigger_action('login_failure', $username); + return false; +} + /* * Return access_type definition of uuser * Test does with user status |