Talenttic_survey/CATI_Tool
2
0
Fork 0
mirror of https://github.com/ACSPRI/queXS synced 2024-04-02 12:12:16 +00:00
Code Issues Releases Activity
Files
009c111d699bc0da6da07db7b9d950c63bf703ca
CATI_Tool/include/limesurvey/admin/login_check.php

255 lines
12 KiB
PHP
Raw Blame History

<?php
/*
* LimeSurvey
* Copyright (C) 2007 The LimeSurvey Project Team / Carsten Schmitz
* All rights reserved.
* License: GNU/GPL License v2 or later, see LICENSE.php
* LimeSurvey is free software. This version may have been modified pursuant
* to the GNU General Public License, and as distributed it includes or
* is derivative of works licensed under the GNU General Public License or
* other free or open source software licenses.
* See COPYRIGHT.php for copyright notices and details.
*
* $Id: login_check.php 12211 2012-01-26 17:02:27Z shnoulle $
*/
if (!isset($dbprefix) || isset($_REQUEST['dbprefix'])) {die("Cannot run this script directly");}
if (!isset($action)) {$action=returnglobal('action');}
/*
* New feature since version 1.81: One time passwords
* The user can call the limesurvey login at /limesurvey/admin and pass username and
* a one time password which was previously written into the users table (column one_time_pw) by
* an external application.
* Furthermore there is a setting in config-defaults which has to be turned on (default = off)
* to enable the usage of one time passwords.
*/
//check if data was passed by URL
if(isset($_GET['user']) && isset($_GET['onepass']))
{
//take care of passed data
$user = sanitize_user($_GET['user']);
$pw = sanitize_paranoid_string(md5($_GET['onepass']));
//check if setting $use_one_time_passwords exists in config file
if(isset($use_one_time_passwords))
{
//$use_one_time_passwords switched OFF but data was passed by URL: Show error message
if($use_one_time_passwords === false)
{
//create an error message
$loginsummary = "<br />".$clang->gT("Data for username and one time password was received but the usage of one time passwords is disabled at your configuration settings. Please add the following line to config.php to enable one time passwords: ")."<br />";
$loginsummary .= '<br /><em>$use_one_time_passwords = true;</em><br />';
$loginsummary .= "<br /><br /><a href='$scriptname'>".$clang->gT("Continue")."</a><br />&nbsp;\n";
}
//Data was passed, using one time passwords is enabled
else
{
//check if user exists in DB
$query = "SELECT uid, users_name, password, one_time_pw, dateformat, full_name, htmleditormode, questionselectormode, templateeditormode FROM ".db_table_name('users')." WHERE users_name=".$connect->qstr($user);
$ADODB_FETCH_MODE = ADODB_FETCH_ASSOC; //Checked
$result = $connect->SelectLimit($query, 1) or safe_die ($query."<br />".$connect->ErrorMsg());
if(!$result)
{
echo "<br />".$connect->ErrorMsg();
}
if ($result->RecordCount() < 1)
{
// wrong or unknown username
$loginsummary = sprintf($clang->gT("No one-time password found for user %s"),htmlspecialchars($user))."<br />";
if ($sessionhandler=='db')
{
adodb_session_regenerate_id();
}
else
{
session_regenerate_id();
}
}
else
{
//get one time pw from db
$srow = $result->FetchRow();
$otpw = $srow['one_time_pw'];
//check if passed password and one time password from database DON'T match
if($pw != $otpw)
{
//no match -> warning
$loginsummary = "<p>".$clang->gT("Passed single-use password was wrong or user doesn't exist")."<br />";
$loginsummary .= "<br /><br /><a href='$scriptname'>".$clang->gT("Continue")."</a><br />&nbsp;\n";
}
//both passwords match
else
{
//delete one time password in database
$uquery = "UPDATE ".db_table_name('users')."
SET one_time_pw=''
WHERE users_name='".db_quote($user)."'";
$uresult = $connect->Execute($uquery);
//data necessary for following functions
$_SESSION['user'] = $srow['users_name'];
$_SESSION['checksessionpost'] = sRandomChars(10);
$_SESSION['loginID'] = $srow['uid'];
$_SESSION['dateformat'] = $srow['dateformat'];
$_SESSION['htmleditormode'] = $srow['htmleditormode'];
$_SESSION['questionselectormode'] = $srow['questionselectormode'];
$_SESSION['templateeditormode'] = $srow['templateeditormode'];
$_SESSION['full_name'] = $srow['full_name'];
GetSessionUserRights($_SESSION['loginID']);
// Check if the user has changed his default password
if (strtolower($srow['password'])=='password')
{
$_SESSION['pw_notify']=true;
$_SESSION['flashmessage']=$clang->gT("Warning: You are still using the default password ('password'). Please change your password and re-login again.");
}
else
{
$_SESSION['pw_notify']=false;
}
//delete passed information
unset($_GET['user']);
unset($_GET['onepass']);
} //else -> passwords match
} //else -> password found
} //else -> one time passwords enabled
} //else -> one time passwords set
} //else -> data was passed by URL
// check data for login
if( isset($_POST['user']) && isset($_POST['password']) ||
($action == "forgotpass") || ($action == "login") ||
($action == "logout") ||
($useWebserverAuth === true && !isset($_SESSION['loginID'])) )
{
include("usercontrol.php");
}
// login form
if(!isset($_SESSION['loginID']) && $action != "forgotpass" && ($action != "logout" || ($action == "logout" && !isset($_SESSION['loginID'])))) // && $action != "login") // added by Dennis
{
if($action == "forgotpassword")
{
$loginsummary = '
<form class="form-signin" name="forgotpassword" id="forgotpassword" method="post" action="'.$homeurl.'/admin.php" >
<h2>'.$clang->gT('You have to enter user name and email.').'</h2><p><br /> <br />
<label for="user">'.$clang->gT('Username').'</label><input name="user" id="user" class="form-control" placeholder="User name" required autofocus type="text" size="60" maxlength="60" value="" />
<label for="email">'.$clang->gT('Email').'</label><input name="email" id="email" class="form-control" placeholder="Email" required type="text" size="60" maxlength="60" value="" /></p>
<input type="hidden" name="action" value="forgotpass" />
<p><button class="action btn btn-lg btn-primary btn-block" type="submit">'.$clang->gT('Check Data').'</button></p>
<p><a href="'.$scriptname.'">'.$clang->gT('Main Admin Screen').'</a></p>
</form>
';
}
elseif (!isset($loginsummary))
{ // could be at login or after logout
$refererargs=''; // If this is a direct access to admin.php, no args are given
// If we are called from a link with action and other args set, get them
if (isset($_SERVER['QUERY_STRING']) && $_SERVER['QUERY_STRING'])
{
$refererargs = html_escape($_SERVER['QUERY_STRING']);
}
//include("database.php");
$sIp = getIPAddress();
$query = "SELECT * FROM ".db_table_name('failed_login_attempts'). " WHERE ip='$sIp';";
$ADODB_FETCH_MODE = ADODB_FETCH_ASSOC;
$result = $connect->query($query) or safe_die ($query."<br />".$connect->ErrorMsg());
$bCannotLogin = false;
$intNthAttempt = 0;
if ($result!==false && $result->RecordCount() >= 1)
{
$field = $result->FetchRow();
$intNthAttempt = $field['number_attempts'];
if ($intNthAttempt>=$maxLoginAttempt){
$bCannotLogin = true;
}
$iLastAttempt = strtotime($field['last_attempt']);
if (time() > $iLastAttempt + $timeOutTime){
$bCannotLogin = false;
$query = "DELETE FROM ".db_table_name('failed_login_attempts'). " WHERE ip='$sIp';";
$result = $connect->query($query) or safe_die ($query."<br />".$connect->ErrorMsg());
}
}
$loginsummary ="";
if (!$bCannotLogin)
{
if (!isset($logoutsummary))
{
$loginsummary = "<form name='loginform' id='loginform' class='form-signin' method='post' action='$homeurl/admin.php' ><h2>".$clang->gT("You have to login first.")."</h2><p><br /> <br />";
}
else
{
$loginsummary = "<form name='loginform' id='loginform' class='form-signin' method='post' action='$homeurl/admin.php' ><br /><strong>".$logoutsummary."</strong><br /> <br />";
}
$loginsummary .= "<label for='user'>".$clang->gT("Username")."</label>
<input class='form-control' placeholder='User name' required autofocus name='user' id='user' type='text' size='40' maxlength='40' value='' />
<label for='password'>".$clang->gT("Password")."</label>
<input name='password' id='password' class='form-control' placeholder='Password' required type='password' size='40' maxlength='40' />
<label for='loginlang'>".$clang->gT("Language")."</label>
<select id='loginlang' class='form-control' name='loginlang'>\n";
$loginsummary .='<option value="default" selected="selected">'.$clang->gT('Default').'</option>';
$lan=array();
foreach (getlanguagedata(true) as $langkey=>$languagekind)
{
array_push($lan,$langkey);
}
foreach (getlanguagedata(true) as $langkey=>$languagekind)
{
//The following conditional statements select the browser language in the language drop down box and echoes the other options.
$loginsummary .= "\t\t\t\t<option value='$langkey'>".$languagekind['nativedescription']." - ".$languagekind['description']."</option>\n";
}
$loginsummary .= "\t\t\t</select>\n
<p><input type='hidden' name='action' value='login' />
<input type='hidden' name='refererargs' value='".$refererargs."' />
<button class='action btn btn-lg btn-primary btn-block' type='submit'>".$clang->gT("Login")."</button>";
}
else{
$loginsummary .= "<p>".sprintf($clang->gT("You have exceeded you maximum login attempts. Please wait %d minutes before trying again"),($timeOutTime/60))."<br /></p>";
}
if ($display_user_password_in_email === true)
{
$loginsummary .= "<p><a href='$scriptname?action=forgotpassword'>".$clang->gT("Forgot Your Password?")."</a><br />&nbsp;\n";
}
$loginsummary .= " </form><br /><p>";
$loginsummary .= " <script type='text/javascript'>\n";
$loginsummary .= " document.getElementById('user').focus();\n";
$loginsummary .= " </script>\n";
}
}
Reference in New Issue View Git Blame Copy Permalink