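<?php
/* Megatokyo Website Administration */

// Site settings (DB credentials, cookie names, ADMIN_PATH, ...) presumably come
// from LocalSettings.php; the path is relative to the include path / calling
// script, not to this file.
require_once('../LocalSettings.php');

// Core lib
require_once('html.php');
require_once('mysql.php');
require_once('cookies.php');
require_once('functions.php');
require_once('error.php');
require_once('uploads.php');
require_once('nonce.php');

// Objects
require_once('rants.php');
require_once('user.php');
require_once('strip.php');
require_once('transcript.php');
require_once('type.php');
require_once('pages.php');
require_once('extra.php');
require_once('twitter.php');
require_once('tumblr.php');
require_once('images.php');
require_once('rss.php');
require_once('twitteroauth/twitteroauth.php');

// Every admin page connects with the write credentials; this include must not
// be pulled into public-facing pages.
$mtdb = new MysqlStore();
$mtdb->connect( DB_SERVER, DB_WRITE_USER, DB_WRITE_PASS, DB_NAME );

/* TODO: Move these definitions to LocalSettings.php */
// Both defaults are guarded so a value already set in LocalSettings.php wins
// instead of raising a "constant already defined" warning.
if ( !defined('RANTIMG') ) {
    define('RANTIMG', '../rantimgs/');
}
if ( !defined('USING_TIDY') ) {
    define('USING_TIDY', false);
}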
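/* These functions are all for core authentication. */

// Hash a password the way the contributor table stores it: hex SHA-1, no salt.
//
// Computed in PHP instead of round-tripping through MySQL's SHA1(): the result
// is byte-identical (40 lowercase hex characters) and no query is needed, so
// the password never travels to the database server at all.
// NOTE(review): unsalted SHA-1 is a legacy scheme kept only because existing
// rows are stored in this format. The recommended migration is
// password_hash()/password_verify(), rehashing on successful login via
// password_needs_rehash().
function mt_hash_password($password) {
    return sha1((string) $password);
}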
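// Remove invalid characters from username. Permit only alpha, underscore, period, at, hyphen.
// Digits are deliberately not in the allowed set (that is the existing rule).
//
// Always returns a string: a non-string input (an array smuggled in through a
// cookie or query parameter) yields '', and so does a PCRE failure, so callers
// never see an array or null where they expect a name.
function sanitize_username( $username ) {
    if (!is_string($username)) {
        return '';
    }
    $clean = preg_replace('|[^a-z_.@-]|i', '', $username);
    // preg_replace() returns null on a PCRE error; treat that as "nothing valid".
    return $clean === null ? '' : $clean;
}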
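// Attempt to login with a username and password. If from cookies, set already_hashed = true.
//
// $username       login name; reduced to [a-z_.@-] by sanitize_username() before use.
// $password       plain-text password, or the stored hash when $already_hashed is true.
// $already_hashed true when $password is the hex SHA-1 taken from the auth cookie.
//
// Returns true and sets the global $currentuser on success, false otherwise.
// On failure global $error holds an HTML message, except for an empty username.
//
// Hashes are compared with hash_equals() rather than ==: PHP compares two
// numeric-looking strings numerically, so hex digests of the form "0e<digits>"
// all compare == to each other and a crafted value could match an unrelated
// stored hash. hash_equals() is also constant-time.
//
// NOTE(review): the cookie path accepts the stored hash itself as the
// credential, so whoever holds a hash (e.g. from a database leak) can log in
// without the password. A server-side session, or a keyed token (HMAC over
// user id + expiry), would remove that exposure.
function mt_login($username, $password, $already_hashed = false) {
    global $error, $mtdb, $currentuser;

    if (!is_string($username) || '' === $username) {
        return false;
    }
    if (!is_string($password) || '' === $password) {
        $error = ('<strong>ERROR</strong>: The password field is empty.');
        return false;
    }

    $username = sanitize_username( $username );
    // The whitelist in sanitize_username() leaves no quote or backslash in
    // $username, which is what actually keeps this interpolated query safe; the
    // escape call is belt-and-braces. mysql_real_escape_string() needs
    // ext/mysql, which was removed in PHP 7.
    $login = $mtdb->getRow( 'SELECT id,name,email,nameplate,default_image,default_link,password FROM contributor WHERE name = "' . mysql_real_escape_string($username) . '"');

    if ($login && $username === $login->name) {
        $stored = (string) $login->password;
        // Cookie path: $password already is the stored hash.
        // Form path: hash the plain text first.
        $candidate = $already_hashed ? $password : mt_hash_password($password);
        if (hash_equals($stored, (string) $candidate)) {
            $currentuser = $login;
            return true;
        }
    }

    // One message for "unknown user" and "wrong password" so the response does
    // not reveal which usernames exist.
    $error = ('<strong>ERROR</strong>: Invalid username or password.');
    adminlog("Failed login attempt from ".$_SERVER['REMOTE_ADDR']." for $username.", MTS_LOGIN, MTA_CHANGE);
    return false;
}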
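// Attempt to login using cookies with failback to HTTP Basic Auth. If that fails, return a 401 to the browser.
//
// Returns normally only when one of the two methods authenticated; otherwise
// the 401 is sent and the script terminates. A missing password cookie or
// PHP_AUTH_PW is read as '' so no undefined-index notice is raised and
// mt_login() always receives a string.
function auth_basic() {
    $cookiePass = isset($_COOKIE[PASS_COOKIE]) ? $_COOKIE[PASS_COOKIE] : '';
    if ( !empty($_COOKIE[USER_COOKIE]) && mt_login($_COOKIE[USER_COOKIE], $cookiePass, true) ) {
        return;
    }

    // Either there is no cookie or the cookie is not valid: try Basic Auth.
    $basicPass = isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : '';
    if ( !isset($_SERVER['PHP_AUTH_USER']) || !mt_login($_SERVER['PHP_AUTH_USER'], $basicPass) ) {
        header('WWW-Authenticate: Basic realm="My Realm"');
        header('HTTP/1.0 401 Unauthorized');
        die('You do not have permission to view this page.');
    }
}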
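// Attempt to login using cookies. If that fails, redirect to login.php to get credentials.
//
// $showloginui  true: send the browser to the login form (the redirect exits);
//               false: stop with the permission message instead.
// Returns normally only when the cookie login succeeded. A missing password
// cookie is read as '' rather than raising an undefined-index notice.
function auth_redirect($showloginui=true) {
    $cookiePass = isset($_COOKIE[PASS_COOKIE]) ? $_COOKIE[PASS_COOKIE] : '';
    // "(cookie present and login fails) or (no cookie)" reduces to
    // "no cookie or login fails".
    if ( empty($_COOKIE[USER_COOKIE]) || !mt_login($_COOKIE[USER_COOKIE], $cookiePass, true) ) {
        nocache_headers();
        if ($showloginui) {
            // _redirect() never returns.
            _redirect( ADMIN_PATH . '/login.php?redirect_to=' . urlencode($_SERVER['REQUEST_URI']));
        }
        die('You do not have permission to view this page.');
    }
}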
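// Safe redirect, defaults to Temporary (302).
//
// $location  target URL; reduced to a conservative character set so the header
//            value cannot carry control characters (header injection).
// $status    HTTP status code to send with the redirect.
//
// Never returns. The status is passed as header()'s third argument, which sets
// the real response code under every SAPI; a separate 'Status: nnn' header is
// a CGI convention that other SAPIs do not reliably honor, so anything other
// than 302 was not guaranteed to reach the client before.
// NOTE(review): nothing here restricts the destination to this site; callers
// must not pass a user-controlled URL or this becomes an open redirect.
function _redirect($location, $status = 302) {
    $location = preg_replace('|[^a-z0-9-~+_.?#=&;,/:%]|i', '', $location);
    // '%', '0', 'd'/'D' all survive the whitelist, so strip encoded CR/LF in
    // either letter case, not just lowercase.
    $location = str_ireplace(array('%0d', '%0a'), '', $location);
    header("Location: $location", true, (int) $status);
    exit();
}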
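// When doing redirect to login form, ensure headers are never cached.
//
// Do not wrap these in '@': the only way header() can fail here is "headers
// already sent", and hiding that warning leaves a redirect that silently did
// nothing. 'no-store' is included so browsers keep no copy of the protected
// page (e.g. for the back button), which 'no-cache' alone does not guarantee.
function nocache_headers() {
    header('Expires: Wed, 11 Jan 1984 05:00:00 GMT');
    header('Last-Modified: ' . gmdate('D, d M Y H:i:s') . ' GMT');
    header('Cache-Control: no-cache, no-store, must-revalidate, max-age=0');
    header('Pragma: no-cache');
}

// No closing '?>' tag on purpose: any whitespace after it would be sent as
// output and break every header() call made from this file.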
