plugins/admin/UserManager.php
changeset 801 eb8b23f11744
parent 770 62fed244fa1c
child 832 7152ca0a0ce9
800:9cdfe82c56cd 801:eb8b23f11744
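--- a/plugins/admin/UserManager.php
+++ b/plugins/admin/UserManager.php
@@ -1,10 +1,10 @@
 <?php
 
 /*
  * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between
- * Version 1.1.5 (Caoineag alpha 5)
+ * Version 1.1.6 (Caoineag beta 1)
  * Copyright (C) 2006-2008 Dan Fuhry
  *
  * This program is Free Software; you can redistribute and/or modify it under the terms of the GNU General Public License
  * as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
  *
@@ -74,76 +74,11 @@
           $errors[] = $lang->get('acpum_err_illegal_username');
         
         $password = false;
         if ( $_POST['changing_pw'] == 'yes' )
         {
-          $aes = AESCrypt::singleton(AES_BITS, AES_BLOCKSIZE);
-          if ( $_POST['dh_supported'] === 'true' )
-          {
-            $my_public = $_POST['dh_public'];
-            $remote_public = $_POST['dh_mypublic'];
-            
-            // Check the key
-            if ( !preg_match('/^[0-9]+$/', $my_public) || !preg_match('/^[0-9]+$/', $remote_public) )
-            {
-              $errors[] = $lang->get('user_err_dh_key_not_numeric');
-            }
-            else
-            {
-              // We have our own public key - cross reference it with the private key in the database
-              $q = $db->sql_query('SELECT private_key, key_id FROM ' . table_prefix . "diffiehellman WHERE public_key = '$my_public';");
-              if ( !$q )
-                $db->_die();
-              
-              if ( $db->numrows() < 1 )
-              {
-                $errors[] = $lang->get('user_err_dh_key_not_found');
-              }
-              else
-              {
-                list($my_private, $key_id) = $db->fetchrow_num($q);
-                $db->free_result();
-                // now that we have this key it can be disposed of
-                $q = $db->sql_query("DELETE FROM " . table_prefix . "diffiehellman WHERE key_id = $key_id;");
-                if ( !$q )
-                  $db->_die();
-                // get the shared secret
-                $dh_secret = dh_gen_shared_secret($my_private, $remote_public);
-                global $_math;
-                $dh_secret = $_math->str($dh_secret);
-                
-                // make sure we calculated everything right
-                $secret_check = sha1($dh_secret);
-                if ( $secret_check !== $_POST['crypt_key'] )
-                {
-                  // uh-oh.
-                  $errors[] = $lang->get('user_err_dh_key_not_found');
-                }
-                else
-                {
-                  $aes_key = substr(sha256($dh_secret), 0, ( AES_BITS / 4 ));
-                  $aes_key = hexdecode($aes_key);
-                  $password = $aes->decrypt($_POST['crypt_data'], $aes_key, ENC_HEX);
-                }
-              }
-            }
-          }
-          else if ( $_POST['dh_supported'] === 'false' )
-          {
-            $key_hex_md5 = $_POST['crypt_key'];
-            $key_hex = $session->fetch_public_key($key_hex_md5);
-            if ( $key_hex )
-            {
-              $key_bin = hexdecode($key_hex);
-              $data_hex = $_POST['crypt_data'];
-              $password = $aes->decrypt($data_hex, $key_bin, ENC_HEX);
-            }
-          }
-          else
-          {
-            $errors[] = $lang->get('acpum_err_no_aes_key');
-          }
+          $password = $session->get_aes_post('new_password');
         }
         
         $email = $_POST['email'];
         if ( !preg_match('/^(?:[\w\d]+\.?)+@((?:(?:[\w\d]\-?)+\.)+\w{2,4}|localhost)$/', $email) )
           $errors[] = $lang->get('acpum_err_illegal_email');
@@ -937,17 +872,11 @@
           {
             var form = document.forms['useredit_{UUID}'];
             <!-- BEGINNOT same_user -->
             if ( form.changing_pw.value == 'yes' )
             {
-              if ( form.new_password.value != form.new_password_confirm.value )
-              {
-                alert(\$lang.get('user_reg_err_alert_password_nomatch'));
-                return false;
-              }
-              form.new_password_confirm.value = '';
-              runEncryption();
+              return runEncryption(true);
             }
             <!-- END same_user -->
             return true;
           }
         </script>
@@ -1001,17 +930,11 @@
                     <div id="userform_{UUID}_pwform" style="display: none;">
                       <!-- BEGIN same_user -->
                         {lang:acpum_msg_same_user_password} <a href="#" onclick="userform_{UUID}_chpasswd_cancel(); return false;">{lang:etc_cancel}</a>
                       <!-- BEGINELSE same_user -->
                       <input type="hidden" name="changing_pw" value="no" />
-                      <input type="hidden" name="challenge_data" value="{MD5_CHALLENGE}" />
-                      <input type="hidden" name="use_crypt" value="no" />
-                      <input type="hidden" name="crypt_key" value="{PUBLIC_KEY}" />
-                      <input type="hidden" name="crypt_data" value="" />
-                      <input type="hidden" name="dh_supported" value="{DH_SUPPORTED}" />
-                      <input type="hidden" name="dh_public" value="{DH_PUBLIC}" />
-                      <input type="hidden" name="dh_mypublic" value="" />
+                      {AES_FORM}
                       <table border="0" style="background-color: transparent;" cellspacing="0" cellpadding="0">
                         <tr>
                           <td colspan="2">
                             <b>{lang:acpum_field_password_title}</b>
                           </td>
@@ -1344,30 +1267,11 @@
       // @error One or more required parameters not set
       return 'Admin_UserManager_SmartForm::render: Invalid parameter ($form->email)';
     }
     
     $form_action = makeUrlNS('Special', 'Administration', 'module=' . $paths->cpage['module'], true);
-    $aes_javascript = $session->aes_javascript("useredit_$this->uuid", 'new_password', 'use_crypt', 'crypt_key', 'crypt_data', 'challenge_data', 'dh_supported', 'dh_public', 'dh_mypublic');
-    
-    // FIXME should this be in logic rather than presentation code?
-    if ( $dh_supported )
-    {
-      global $_math;
-      
-      $dh_key_priv = dh_gen_private();
-      $dh_key_pub = dh_gen_public($dh_key_priv);
-      $dh_key_priv = $_math->str($dh_key_priv);
-      $dh_key_pub = $_math->str($dh_key_pub);
-      // store the keys in the DB for later fetching
-      $q = $db->sql_query('INSERT INTO ' . table_prefix . "diffiehellman( public_key, private_key ) VALUES ( '$dh_key_pub', '$dh_key_priv' );");
-      if ( !$q )
-        $db->_die();
-    }
-    else
-    {
-      $dh_key_pub = '';
-    }
+    $aes_javascript = $session->aes_javascript("useredit_$this->uuid", 'new_password');
     
     // build rank list
     $q = $db->sql_query('SELECT rank_id, rank_title FROM ' . table_prefix . 'ranks');
     if ( !$q )
       $db->_die();
@@ -1380,14 +1284,11 @@
     $parser->assign_vars(array(
         'UUID' => $this->uuid,
         'USERNAME' => $this->username,
         'EMAIL' => $this->email,
         'USER_ID' => $this->user_id,
-        'MD5_CHALLENGE' => $session->dss_rand(),
-        'PUBLIC_KEY' => $session->rijndael_genkey(),
-        'DH_SUPPORTED' => ( $dh_supported ? 'true' : 'false' ),
-        'DH_PUBLIC' => $dh_key_pub,
+        'AES_FORM' => $session->generate_aes_form(),
         'REAL_NAME' => $this->real_name,
         'SIGNATURE_FIELD' => $template->tinymce_textarea('signature', $this->signature, 10, 50),
         'USER_TITLE' => $this->user_title,
         'USER_LEVEL_MEMBER' => USER_LEVEL_CHPREF,
         'USER_LEVEL_MOD' => USER_LEVEL_MOD,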
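Review bot: The result of `$session->get_aes_post('new_password')` at new line 79 is assigned to `$password` with no check, whereas every failure path of the removed block (non-numeric DH key, key not found, hash mismatch, no AES key) appended a message to `$errors`. `get_aes_post()` is not defined on this page, so it is unclear whether it reports a failed decryption itself; if it can return `false` or an empty string, the form would presumably be accepted with the password left unchanged or set to an unintended value, and the administrator would see no error. Consider validating the result before use, e.g. `if ( !is_string($password) || $password === '' ) $errors[] = $lang->get('acpum_err_no_aes_key');`. The client-side hunk at new line 877 likewise drops the `new_password_confirm` comparison in favour of `runEncryption(true)`, so that check now depends on code outside this diff. The enclosing function starts and ends outside the hunk.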