From e90aaffbd551a2e80b67cb67362519b16ee61203 Mon Sep 17 00:00:00 2001
From: rvelices <rv-github@modusoptimus.com>
Date: Tue, 23 Jan 2007 01:22:52 +0000
Subject: - revert feature 564: log the login of each user; but add the
 possibility to be done by a plugin - create a "standard" way to define PHP
 functions that we use but might not be available in the current php version -
 when a comment is rejected (spam, anti-flood etc), put the content back to
 the browser in case there is a real user behind it - now a comment can be
 entered only if the page was retrieved between 2 seconds ago and 1 hour ago

git-svn-id: http://piwigo.org/svn/trunk@1744 68402e56-0260-453c-a942-63ccdbb3a9ee
---
 include/functions_user.inc.php | 42 +++++++++++++++++++++++++++++++++++++-----
 1 file changed, 37 insertions(+), 5 deletions(-)

(limited to 'include/functions_user.inc.php')

diff --git a/include/functions_user.inc.php b/include/functions_user.inc.php
index 5499eb86c..74c1c81f1 100644
--- a/include/functions_user.inc.php
+++ b/include/functions_user.inc.php
@@ -858,8 +858,9 @@ function get_language_filepath($filename, $dirname = '')
 /**
  * returns the auto login key or false on error
  * @param int user_id
+ * @param string [out] username
 */
-function calculate_auto_login_key($user_id)
+function calculate_auto_login_key($user_id, &$username)
 {
   global $conf;
   $query = '
@@ -871,7 +872,12 @@ WHERE '.$conf['user_fields']['id'].' = '.$user_id;
   if (mysql_num_rows($result) > 0)
   {
     $row = mysql_fetch_assoc($result);
-    $key = sha1( $row['username'].$row['password'] );
+    $username = $row['username'];
+    $data = $row['username'].$row['password'];
+    $key = base64_encode(
+      pack('H*', sha1($data))
+      .hash_hmac('md5', $data, $conf['secret_key'],true)
+      );
     return $key;
   }
   return false;
@@ -889,7 +895,7 @@ function log_user($user_id, $remember_me)
 
   if ($remember_me and $conf['authorize_remembering'])
   {
-    $key = calculate_auto_login_key($user_id);
+    $key = calculate_auto_login_key($user_id, $username);
     if ($key!==false)
     {
       $cookie = array('id' => (int)$user_id, 'key' => $key);
@@ -928,12 +934,13 @@ function auto_login() {
   if ( isset( $_COOKIE[$conf['remember_me_name']] ) )
   {
     $cookie = unserialize(stripslashes($_COOKIE[$conf['remember_me_name']]));
-    if ($cookie!==false)
+    if ($cookie!==false and is_numeric(@$cookie['id']) )
     {
-      $key = calculate_auto_login_key($cookie['id']);
+      $key = calculate_auto_login_key( $cookie['id'], $username );
       if ($key!==false and $key===$cookie['key'])
       {
         log_user($cookie['id'], true);
+        trigger_action('login_success', $username);
         return true;
       }
     }
@@ -942,6 +949,31 @@ function auto_login() {
   return false;
 }
 
+/**
+ * Tries to login a user given username and password (must be MySql escaped)
+ * return true on success
+ */
+function try_log_user($username, $password, $remember_me)
+{
+  global $conf;
+  // retrieving the encrypted password of the login submitted
+  $query = '
+SELECT '.$conf['user_fields']['id'].' AS id,
+       '.$conf['user_fields']['password'].' AS password
+  FROM '.USERS_TABLE.'
+  WHERE '.$conf['user_fields']['username'].' = \''.$username.'\'
+;';
+  $row = mysql_fetch_assoc(pwg_query($query));
+  if ($row['password'] == $conf['pass_convert']($password))
+  {
+    log_user($row['id'], $remember_me);
+    trigger_action('login_success', $username);
+    return true;
+  }
+  trigger_action('login_failure', $username);
+  return false;
+}
+
 /*
  * Return access_type definition of uuser
  * Test does with user status
-- 
cgit v1.2.3