Changeset 453


Timestamp:
Dec 31, 2013 5:10:26 AM (10 years ago)
Author:
anonymous
Message:

Reinstated priv->user_type conversion for legacy implementations; fixed hidden element array bug.

Location:
trunk/lib
Files:
2 edited

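--- a/trunk/lib/App.inc.php
+++ b/trunk/lib/App.inc.php
@@ -964,7 +964,14 @@
             // urlencode is not used here, not for form data!
             $query_args = array_merge($this->_carry_queries, $one_time_carry_queries);
-            foreach ($query_args as $key=>$val) {
-                printf('<input type="hidden" name="%s" value="%s" />', $key, $val);
-            }
+            foreach ($query_args as $key => $val) {
+                if (is_array($val)) {
+                    foreach ($val as $subval) {
+                        printf('<input type="hidden" name="%s[]" value="%s" />', $key, $subval);
+                    }
+                } else {
+                    printf('<input type="hidden" name="%s" value="%s" />', $key, $val);
+                }
+            }
+            unset($query_args, $key, $val, $subval);
         }
 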
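Review bot: The two `printf` calls on new lines 969 and 972 write `$key`, `$subval` and `$val` straight into an HTML attribute without escaping, so if any carried query value originates from the request (likely, given the name `_carry_queries`, but not visible here) a value containing `"` or `<` breaks out of the `value` attribute; the comment on line 964 only rules out urlencode, which is a different concern from attribute escaping. Wrap each interpolated value, e.g. `printf('<input type="hidden" name="%s[]" value="%s" />', htmlspecialchars($key, ENT_QUOTES), htmlspecialchars($subval, ENT_QUOTES));` and the same for the scalar branch. A `$subval` that is itself an array still reaches `printf` and is emitted as the string `Array`, so the new `is_array` branch only handles one level of nesting. The enclosing method starts and ends outside the hunk.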
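--- a/trunk/lib/Auth_SQL.inc.php
+++ b/trunk/lib/Auth_SQL.inc.php
@@ -4,5 +4,5 @@
  * For details visit the project site: <http://trac.strangecode.com/codebase/>
  * Copyright 2001-2012 Strangecode, LLC
- * 
+ *
  * This file is part of The Strangecode Codebase.
  *
@@ -11,10 +11,10 @@
  * Free Software Foundation, either version 3 of the License, or (at your option)
  * any later version.
- * 
+ *
  * The Strangecode Codebase is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
- * 
+ *
  * You should have received a copy of the GNU General Public License along with
  * The Strangecode Codebase. If not, see <http://www.gnu.org/licenses/>.
@@ -39,8 +39,8 @@
 
 class Auth_SQL {
-       
+
     // Namespace of this auth object.
     var $_ns;
-   
+
     // Static var for test.
     var $_authentication_tested;
@@ -130,7 +130,7 @@
     {
         $app =& App::getInstance();
-       
+
         $this->_ns = $namespace;
-       
+
         // Initialize default parameters.
         $this->setParam($this->_default_params);
@@ -157,6 +157,6 @@
         $app =& App::getInstance();
         $db =& DB::getInstance();
-   
-   
+
+
         static $_db_tested = false;
 
@@ -277,5 +277,5 @@
     {
         $app =& App::getInstance();
-   
+
         if (isset($this->_params[$param])) {
             return $this->_params[$param];
@@ -294,5 +294,5 @@
     {
         $db =& DB::getInstance();
-   
+
         $this->initDB();
 
@@ -416,5 +416,5 @@
         $app =& App::getInstance();
         $db =& DB::getInstance();
-   
+
         $this->initDB();
 
@@ -425,5 +425,10 @@
             return false;
         }
-       
+
+        // Convert 'priv' to 'user_type' nomenclature to support older implementations.
+        if (isset($user_data['priv'])) {
+            $user_data['user_type'] = $user_data['priv'];
+        }
+
         // Register authenticated session.
         $_SESSION['_auth_sql'][$this->_ns] = array(
@@ -563,5 +568,5 @@
         $this->_authentication_tested = true;
 
-        // Some users will access from networks with a changing IP number (i.e. behind a proxy server). 
+        // Some users will access from networks with a changing IP number (i.e. behind a proxy server).
         // These users must be allowed entry by adding their IP to the list of trusted_networks, or their usernames to the list of match_remote_ip_exempt_usernames.
         if ($trusted_net = ipInRange(getRemoteAddr(), $this->_params['trusted_networks'])) {
@@ -579,10 +584,10 @@
             $user_in_trusted_network = false;
         }
-       
+
         // Do we match the user's remote IP at all? Yes, if set in config and not disabled for specific user.
         if ($this->getParam('match_remote_ip') && !$this->get('match_remote_ip_exempt')) {
             $remote_ip_is_matched = (isset($_SESSION['_auth_sql'][$this->_ns]['remote_ip']) && $_SESSION['_auth_sql'][$this->_ns]['remote_ip'] == getRemoteAddr()) || $user_in_trusted_network;
         } else {
-            $app->logMsg(sprintf('User_id %s exempt from remote_ip match (comparing %s == %s)', 
+            $app->logMsg(sprintf('User_id %s exempt from remote_ip match (comparing %s == %s)',
                 ($this->get('user_id') ? $this->get('user_id') . ' (' .  $this->get('username') . ')' : 'unknown'),
                 $_SESSION['_auth_sql'][$this->_ns]['remote_ip'],
@@ -593,5 +598,5 @@
 
         // Test login with information stored in session. Skip IP matching for users from trusted networks.
-        if (isset($_SESSION['_auth_sql'][$this->_ns]['authenticated']) 
+        if (isset($_SESSION['_auth_sql'][$this->_ns]['authenticated'])
             && true === $_SESSION['_auth_sql'][$this->_ns]['authenticated']
             && isset($_SESSION['_auth_sql'][$this->_ns]['username'])
@@ -671,5 +676,5 @@
     {
         $app =& App::getInstance();
-   
+
         if (!$this->isLoggedIn()) {
             // Display message for requiring login. (RaiseMsg will ignore empty strings.)
@@ -694,5 +699,5 @@
         $app =& App::getInstance();
         $db =& DB::getInstance();
-   
+
         $this->initDB();
 
@@ -730,5 +735,5 @@
             $user_id = isset($user_id) ? $user_id : $this->getVal('user_id');
             $qid = $db->query("
-                SELECT 1 
+                SELECT 1
                 FROM " . $this->_params['db_table'] . "
                 WHERE blocked = 'true'
@@ -745,7 +750,7 @@
     {
         $db =& DB::getInstance();
-   
+
         $this->initDB();
-   
+
         if ($this->getParam('blocking')) {
             // Get user_id if specified.
@@ -769,5 +774,5 @@
     {
         $db =& DB::getInstance();
-   
+
         $this->initDB();
 
@@ -789,5 +794,5 @@
     {
         $db =& DB::getInstance();
-   
+
         $this->initDB();
 
@@ -846,9 +851,9 @@
     {
         $app =& App::getInstance();
-       
+
         // Existing password hashes rely on the same key/salt being used to compare encryptions.
         // Don't change this (or the value applied to signing_key) unless you know existing hashes or signatures will not be affected!
         $more_salt = 'B36D18E5-3FE4-4D58-8150-F26642852B81';
-       
+
         switch ($this->_params['encryption_type']) {
         case AUTH_ENCRYPT_PLAINTEXT :
@@ -868,7 +873,7 @@
             $hash = sha1($app->getParam('signing_key') . $password . $more_salt);
             // Increase key strength by 12 bits.
-            for ($i=0; $i < 4096; $i++) { 
-                $hash = sha1($hash); 
-            } 
+            for ($i=0; $i < 4096; $i++) {
+                $hash = sha1($hash);
+            }
             return $hash;
             break;
@@ -882,7 +887,7 @@
             $hash = md5($app->getParam('signing_key') . $password . $more_salt);
             // Increase key strength by 12 bits.
-            for ($i=0; $i < 4096; $i++) { 
-                $hash = md5($hash); 
-            } 
+            for ($i=0; $i < 4096; $i++) {
+                $hash = md5($hash);
+            }
             return $hash;
             break;
@@ -902,5 +907,5 @@
         $app =& App::getInstance();
         $db =& DB::getInstance();
-   
+
         $this->initDB();
 
@@ -909,5 +914,5 @@
 
         // Get old password.
-        $qid = $db->query(" 
+        $qid = $db->query("
             SELECT userpass
             FROM " . $this->_params['db_table'] . "
@@ -918,5 +923,5 @@
             return false;
         }
-       
+
         // Compare old with new to ensure we're actually *changing* the password.
         $encrypted_password = $this->encryptPassword($password);
@@ -932,10 +937,10 @@
             WHERE " . $this->_params['db_primary_key'] . " = '" . $db->escapeString($user_id) . "'
         ");
-       
+
         if (mysql_affected_rows($db->getDBH()) != 1) {
             $app->logMsg(sprintf('Failed to update password for user_id %s', $user_id), LOG_WARNING, __FILE__, __LINE__);
             return false;
         }
-       
+
         return true;
     }
@@ -952,5 +957,5 @@
         $app =& App::getInstance();
         $db =& DB::getInstance();
-   
+
         $this->initDB();
 
@@ -1039,5 +1044,5 @@
     {
         $app =& App::getInstance();
-   
+
         // return true; /// WTF?
         $zone_members = preg_split('/,\s*/', $security_zone);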
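Review bot: The reinstated conversion at new lines 428-431 copies `priv` into `user_type` unconditionally, so on a row that carries both columns (a schema that added `user_type` but kept the legacy `priv` column) the value the session is built from silently regresses to the legacy one; guarding it with `if (isset($user_data['priv']) && !isset($user_data['user_type'])) {` keeps the fallback strictly for rows that lack the new field. Because the result feeds the `$_SESSION['_auth_sql'][$this->_ns]` array registered just below, a wrong `user_type` here would persist for the whole authenticated session, which is worth a short comment on the `isset` line stating that `user_type` wins when both are present. The method this hunk sits in begins and ends outside the hunk, so whether `$user_data` can contain both keys is not visible here and should be confirmed against the schema. All other hunks in this file are whitespace-only and need no change.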