includes/sessions.php
changeset 135 c5dbad7ec2d0
parent 133 af0f6ec48de3
child 142 ca9118d9c0f2
--- a/includes/sessions.php	Tue Sep 18 00:31:22 2007 -0400
+++ b/includes/sessions.php	Tue Sep 18 16:29:26 2007 -0400
@@ -151,7 +151,7 @@
    */
    
   //var $valid_username = '([A-Za-z0-9 \!\@\(\)-]+)';
-  var $valid_username = '([^<>_&\?\'"%\n\r\t\a]+)';
+  var $valid_username = '([^<>_&\?\'"%\n\r\t\a\/]+)';
    
   /**
    * What we're allowed to do as far as permissions go. This changes based on the value of the "auth" URI param.
@@ -578,19 +578,20 @@
     $success = false;
     
     // Escaped username
-    $db_username = $this->prepare_text(strtolower($username));
+    $db_username_lower = $this->prepare_text(strtolower($username));
+    $db_username       = $this->prepare_text($username);
     
     // Select the user data from the table, and decrypt that so we can verify the password
-    $this->sql('SELECT password,old_encryption,user_id,user_level,theme,style,temp_password,temp_password_time FROM '.table_prefix.'users WHERE lcase(username)=\''.$db_username.'\' OR username=\'' . $db_username . '\';');
+    $this->sql('SELECT password,old_encryption,user_id,user_level,theme,style,temp_password,temp_password_time FROM '.table_prefix.'users WHERE lcase(username)=\''.$db_username_lower.'\' OR username=\'' . $db_username . '\';');
     if($db->numrows() < 1)
     {
+      return "The username and/or password is incorrect.\n$db->latest_query";
       // This wasn't logged in <1.0.2, dunno how it slipped through
       if($level > USER_LEVEL_MEMBER)
         $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary,page_text) VALUES(\'security\', \'admin_auth_bad\', '.time().', \''.date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\', ' . intval($level) . ')');
       else
         $this->sql('INSERT INTO '.table_prefix.'logs(log_type,action,time_id,date_string,author,edit_summary) VALUES(\'security\', \'auth_bad\', '.time().', \''.date('d M Y h:i a').'\', \''.$db->escape($username).'\', \''.$db->escape($_SERVER['REMOTE_ADDR']).'\')');
         
-      return "The username and/or password is incorrect.";
     }
     $row = $db->fetchrow();
     
@@ -1401,6 +1402,7 @@
     $aes = new AESCrypt(AES_BITS, AES_BLOCKSIZE);
     
     if(!preg_match('#^'.$this->valid_username.'$#', $username)) return 'The username you chose contains invalid characters.';
+    $user_orig = $username;
     $username = $this->prepare_text($username);
     $email = $this->prepare_text($email);
     $real_name = $this->prepare_text($real_name);
@@ -1485,6 +1487,30 @@
       $this->sql('INSERT INTO '.table_prefix.'users_extra(user_id) VALUES(' . $user_id . ');');
     }
     
+    // Grant edit and very limited mod access to the userpage
+    $acl_data = array(
+        'read' => AUTH_ALLOW,
+        'view_source' => AUTH_ALLOW,
+        'edit_page' => AUTH_ALLOW,
+        'post_comments' => AUTH_ALLOW,
+        'edit_comments' => AUTH_ALLOW, // only allows editing own comments
+        'history_view' => AUTH_ALLOW,
+        'history_rollback' => AUTH_ALLOW,
+        'rename' => AUTH_ALLOW,
+        'delete_page' => AUTH_ALLOW,
+        'tag_create' => AUTH_ALLOW,
+        'tag_delete_own' => AUTH_ALLOW,
+        'tag_delete_other' => AUTH_ALLOW,
+        'edit_cat' => AUTH_ALLOW,
+        'create_page' => AUTH_ALLOW
+      );
+    $acl_data = $db->escape($this->perm_to_string($acl_data));
+    $userpage = $db->escape(sanitize_page_id($user_orig));
+    $cols = "target_type, target_id, page_id, namespace, rules";
+    $vals = ACL_TYPE_USER . ", $user_id, '$userpage', 'User', '$acl_data'";
+    $q = "INSERT INTO ".table_prefix."acl($cols) VALUES($vals);";
+    $this->sql($q);
+    
     // Require the account to be activated?
     if ( $coppa )
     {