GIF89a; %PDF-1.5 %���� ºaâÚÎΞ-ÌE1ÍØÄ÷{òò2ÿ ÛÖ^ÔÀá TÎ{¦?§®¥kuµùÕ5sLOšuY
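<?
// User/authenticate.phpinc
//
// Session authentication and page authorization include.
//
// Two request forms are handled by the first switch:
//   form_login    - includes User/AuthenticateUser.phpinc, which is expected to set
//                   $loginAuthenticated, $authenticatedBy ('database' or 'ldap') and
//                   $userRow; on success $_SESSION['user'] is built from $userRow and
//                   the login counters in the `user` table are updated.
//   form_password - includes User/userPasswordVerify.phpinc and, when $f_error stays
//                   empty, stores a new password hash for $f['userId'].
//
// The second part compares $authorizedPermissions (set by the including page;
// defaults to 'USER') against $_SESSION['user']['permission']. Pages listing
// 'PUBLIC' skip the check, ADMIN users pass every check, anyone else is shown
// common/unauthorized.phpinc or the login form.
//
// Helpers used here (t_Begin, d_*, query_*, listFind, array_to_list, currentDateTime,
// pageHeader, pageFooter) and the request array $f are defined elsewhere.
// NOTE(review): $f is assumed to be the application's normalised request array; its
// values are still untrusted and are cast or escaped before they reach SQL below.
t_Begin();
#if ( $_SERVER['REMOTE_ADDR'] == '134.29.173.110') $DEBUG_authenticate = true;
#if ( isset($_SESSION['userId']) && $_SESSION['userId'] == 1 ) $DEBUG_authenticate = true;
if ( !isset($DEBUG_authenticate) ) $DEBUG_authenticate = d_O();
#$DEBUG_authenticate = false;
if ( !isset($_SESSION['userId']) ) $_SESSION['userId'] = false; // Set $_SESSION['userId'] to false if unset.
if ( $DEBUG_authenticate ) {
    d_Var('$DEBUG_authenticate',$DEBUG_authenticate);
    d_Var("\$_SESSION['userId']",$_SESSION['userId']);
    d_V(false,'');
}

// An absent form name falls through to the default case instead of raising a notice.
switch ( isset($f['form']) ? $f['form'] : '' ) { // switch task.
case 'form_login':
    include("User/AuthenticateUser.phpinc");
    d_Var('$loginAuthenticated',$loginAuthenticated,'');
    d_Var('$authenticatedBy',$authenticatedBy,'');
    @d_Var('$userRow',$userRow,'');
    if ( $loginAuthenticated ) { // Was the user authenticated?
        // Yes.
        switch ( $authenticatedBy ) { // switch authenticatedBy.
        case 'database':
            $f['task'] = '';
            if ( !empty($userRow['userPassword']) ) { // Is there a pw in the db?
                // Yes, verify the password is correct.
                // The password_verify() result used to be discarded, so a wrong password
                // still reached the session-creation code; a failed verification now
                // withdraws the authentication and the login form is shown again below.
                $suppliedPassword = isset($f['password']) ? $f['password'] : '';
                if ( !password_verify($suppliedPassword, $userRow['userPassword']) ) {
                    $loginAuthenticated = false;
                }
            } else { // Is there a pw in the db?
                // No, ask the user to set a new pw.
                // NOTE(review): the session is still created for this user below before a
                // password exists; confirm that this first-login flow is intended.
                require('User/passwordForm.phpinc');
            } // Is there a pw in the db?
            break;

        case 'ldap':
            // Match ldap data to site user.
            // See if this is a user.
            $query = " SELECT userId , userUsername , userPassword , userFirstname , userMiddlename , userLastname , userNickname , userEmailAddress , userImage , userInactive , userLoginCount , userLoginDate , userLoginIPAddress , userLoginIPDecimal , userLoginPHPSESSID , userNote , AddedOn , AddedBy , ModifiedOn , ModifiedBy FROM `user` WHERE userUsername = '".query_safe($userRow['userUsername'])."' ";
            d_Var('userInfo',$query,'q');
            $userInfo = query_info($query);
            d_Var('$userInfo',$userInfo);
            if ( $userInfo ) { // Is this a user?
                // Yes, update user data and authenticate.
                // TODO(review): $userRow still holds the ldap data at this point, so the
                // session below is built from it rather than from the `user` row in
                // $userInfo; confirm which record is meant to populate $_SESSION['user'].
            } else { // Is this a user?
                // No, try to find a match.
                $loginAuthenticated = false; // Do not authenticate.
                $query = " SELECT userId , userUsername , userPassword , userFirstname , userMiddlename , userLastname , userNickname , userEmailAddress , userImage , userInactive , userLoginCount , userLoginDate , userLoginIPAddress , userLoginIPDecimal , userLoginPHPSESSID , userNote , AddedOn , AddedBy , ModifiedOn , ModifiedBy FROM `user` WHERE ( userFirstname = '".query_safe($userRow['userFirstname'])."' OR userNickname = '".query_safe($userRow['userFirstname'])."' ) AND userLastname = '".query_safe($userRow['userLastname'])."' ORDER BY userFirstname, userLastname ";
                d_Var('userResult',$query,'q');
                $userResult = query_do($query);
                $userCount = $GLOBALS['_QUERY']['count'];
                d_Var('$userResult',$userResult);
                if ( $userCount ) { // Are there any matches to Instructors?
                    // Yes.
                    if ( $userCount > 1 ) { // Did we get more than one match?
                        // Yes, try to refine the search.
                        // Check department. $userRow['department'] vs department.departmentName.
                        /** /
                        query_seek($userResult, 0);
                        while ($userInfo = query_row($userResult)) {
                        }
                        /**/
                        $userCount = 1; // Used to continue for now.
                    } // Did we get more than one match?
                    if ( $userCount == 1 ) { // Do we have only one possible user match?
                        // Yes, get user info.
                        query_seek($userResult, 0);
                        $userInfo = query_row($userResult);
                        d_Var('$userInfo',$userInfo);
                        // Show user page to check email.
                        pageHeader('Please verify your email address');
                        require('User/EmailVerificationAsk.phpinc');
                        // Create and send email.
                        require('User/SendVerificationeMail.phpinc');
                        pageFooter();
                    } else {
                        // No.
                    } // Do we have only one possible user match?
                } else {
                    // No, ask to contact site admin.
                } // Are there any matches to Instructors?
            } // Is this a user?
            // Should use email verification.
            // Get user info.
            // Check for changes.
            // Save changes.
            #d_End();
            break;
        } // switch authenticatedBy.

        // The authenticatedBy checks above may have withdrawn the authentication
        // (ldap user not found, wrong database password); only a still-valid login
        // gets a session and a login-counter update.
        if ( $loginAuthenticated ) {
            // BEGIN Create $_SESSION['user'] variables.
            // Issue a fresh session id on login so an id that existed before
            // authentication does not identify the authenticated session.
            if ( session_status() === PHP_SESSION_ACTIVE ) {
                session_regenerate_id(true);
            }
            // Create $_SESSION['user'] variables from user table: every user* column
            // minus the 'user' prefix, except the id (set explicitly below) and any
            // password-like column.
            foreach ( $userRow as $key => $value ) {
                if ( strpos($key,'user') === 0 && $key != 'userId' && !stristr($key, 'password') && !stristr($key, 'pw') ) {
                    $_SESSION['user'][substr($key,4)] = $value;
                }
            }
            $_SESSION['userId'] = $userRow['userId'];
            $_SESSION['user']['userId'] = $userRow['userId'];
            $_SESSION['user']['trueId'] = $userRow['userId'];
            if ( empty($_SESSION['user']['Nickname']) ) {
                $_SESSION['user']['Fullname'] = trim($userRow['userFirstname']." ".trim($userRow['userMiddlename']." ".$userRow['userLastname']));
            } else {
                $_SESSION['user']['Fullname'] = trim($userRow['userNickname']." ".$userRow['userLastname']);
                $_SESSION['user']['Firstname'] = $userRow['userNickname'];
            }
            $_SESSION['user']['permission'] = array();
            $_SESSION['user']['permission'][] = 'USER';
            // Ids only ever reach SQL as integers.
            $sessionUserId = (int)$_SESSION['user']['userId'];
            if ( !isset($_SESSION['user']['Username']) || $_SESSION['user']['Username'] != 'Admin' ) {
                // Get userpermissions for this user.
                $query = " SELECT userpermissionName FROM `userpermission` INNER JOIN user_userpermission ON user_userpermission.userpermissionId = userpermission.userpermissionId WHERE userId = ".$sessionUserId." ORDER BY userpermissionName ";
                // Get departments for this user.
                $queryDept = " SELECT department.departmentId , departmentCode FROM `user_department` JOIN `department` ON user_department.departmentId = department.departmentId WHERE userId = ".$sessionUserId." ORDER BY departmentCode ";
            } else {
                // Get all userpermissions for Admin user.
                $query = " SELECT userpermissionName FROM `userpermission` ORDER BY userpermissionName ";
                // Get departments for Admin user.
                $queryDept = " SELECT departmentId , departmentCode FROM `department` ORDER BY departmentCode ";
            }
            // Add permissions to user variables.
            $user_userpermissionResult = query_do($query);
            d_Var('$user_userpermissionResult',$user_userpermissionResult,'');
            $user_userpermissionCount = $GLOBALS['_QUERY']['count'];
            if ($user_userpermissionCount) {
                query_seek($user_userpermissionResult, 0);
                while ($user_userpermissionInfo = query_row($user_userpermissionResult)) {
                    $_SESSION['user']['permission'][] = $user_userpermissionInfo['userpermissionName'];
                }
            } else {
                $user_userpermissionInfo = '';
            }
            // Add departments to user variables.
            $user_departmentResult = query_do($queryDept);
            $user_departmentCount = $GLOBALS['_QUERY']['count'];
            if ($user_departmentCount) {
                query_seek($user_departmentResult, 0);
                while ($user_departmentInfo = query_row($user_departmentResult)) {
                    $_SESSION['user']['department'][$user_departmentInfo['departmentCode']] = $user_departmentInfo['departmentId'];
                }
            } else {
                $user_departmentInfo = '';
            }
            // Save scheduleId (null when AuthenticateUser.phpinc did not supply one).
            $_SESSION['user']['scheduleId'] = isset($userRow['scheduleId']) ? $userRow['scheduleId'] : null;
            // Create $_SESSION['user'] variables from userdata table.
            require('User/userdataInfo.phpinc');
            // END Create $_SESSION['user'] variables.

            // Save login data.
            $f['userLoginDate'] = currentDateTime();
            $f['userLoginCount'] = !empty($_SESSION['user']['LoginCount']) ? (int)$_SESSION['user']['LoginCount'] + 1 : 1;
            $remoteAddr = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
            // Calc decimal IP address. ip2long() returns false for anything that is not a
            // dotted IPv4 address (IPv6 included), which is stored as 0 as before; the
            // sprintf('%u') keeps the value unsigned on 32-bit builds.
            $ipDecimal = ip2long($remoteAddr);
            $f['userLoginIPDecimal'] = ($ipDecimal === false) ? 0 : (float) sprintf('%u', $ipDecimal);
            // The stored session id is read from PHP rather than from the request cookie,
            // which still carries the pre-regeneration id; all values are cast or escaped.
            $query = " UPDATE `user` SET userLoginCount = ".(int)$f['userLoginCount']." , userLoginDate = '".query_safe($f['userLoginDate'])."' , userLoginIPAddress = '".query_safe($remoteAddr)."' , userLoginIPDecimal = ".sprintf('%.0f', $f['userLoginIPDecimal'])." , userLoginPHPSESSID = '".query_safe(session_id())."' WHERE userId = ".(int)$_SESSION['user']['trueId']." ";
            $userUpdate = query_do($query);
        } // Is the login still valid?
    } // Was the user authenticated?
    if ( !$loginAuthenticated ) {
        // No, the user was not authenticated, so re-display login page.
        if ($DEBUG_authenticate) echo "<b>".basename(__FILE__).":".__LINE__.":</b> User is not authenticated, so display login page.<br>\n";
        $f_error = "Invalid Login. The Username and/or Password is incorrect.";
        include("User/loginForm.phpinc");
    } // Was the user authenticated?
    break;

case 'form_password':
    require('User/userPasswordVerify.phpinc');
    if ($f_error == "") {
        // New password verified, so enter it into the database.
        // NOTE(review): $f['userId'] comes from the request. The (int) cast keeps it out
        // of the SQL text; that the requester is allowed to set this user's password is
        // expected to be checked in userPasswordVerify.phpinc, which is not visible here.
        $userPasswordHash = password_hash($f['password'], PASSWORD_DEFAULT);
        $query = " UPDATE `user` SET userPassword = '".query_safe($userPasswordHash)."' WHERE userId = ".(int)$f['userId']." ";
        d_Var('$query',$query,'q');
        $userUpdate = query_do($query);
        //headerLocation();
    } else {
        // New password is not verified, so display new password page.
        include("User/passwordForm.phpinc");
    }
    $f['task'] = '';
    break;

default:
    // No login-related form submitted; fall through to the page check below.
} // switch task.

if ( $DEBUG_authenticate ) {
    #d_Var("\$_SESSION['userId']",$_SESSION['userId']);
    #include('common/pageFooter.phpinc');
}
if ( !isset($authorizedPermissions) ) {
    $authorizedPermissions = 'USER'; // $authorizedPermissions is unset so set to default: 'USER'.
    if ( $DEBUG_authenticate ) { d_Line("\$authorizedPermissions is unset and has been set to default: 'USER'."); }
}
if ( $DEBUG_authenticate ) { d_Var('$authorizedPermissions',$authorizedPermissions); }
if ( $DEBUG_authenticate ) d_On();
if ($DEBUG_authenticate) {
    echo "<br>\n";
    echo "<b>";
    echo "\$_SERVER['REMOTE_ADDR']=",$_SERVER['REMOTE_ADDR'],' ',basename(__FILE__),':',__LINE__,"<br>\n";
    echo "\$_SERVER['HTTP_HOST']=",$_SERVER['HTTP_HOST'],' ',basename(__FILE__),':',__LINE__,"<br>\n";
    echo "</b>";
    echo "<br>\n";
    //exit;
}
/**/

// BEGIN Authenticate the page.
if ( !listFind($authorizedPermissions,'PUBLIC') ) { // Is this NOT a PUBLIC page?
    // Page is not PUBLIC, check if user logged in.
    if ( $_SESSION['userId'] ) { // Is the userId known?
        /** /
        // The user is logged in, verify login with database.
        if ($DEBUG_authenticate) d_Line("User logged in, verify login with database.");
        $query = " SELECT userLoggedIn FROM user WHERE userId = ".(int)$_SESSION['userId']." AND userLoggedIn = 1 ";
        $userLoggedInResult = query_do($query);
        $userLoggedInResultCount = $_SESSION['qry']['count'];
        /**/
        $userLoggedInResultCount = true; // Database currently does not track if user is logged in.
        if ( $userLoggedInResultCount ) { // Is the user currently logged in?
            if ($DEBUG_authenticate) d_Line('User logged into database, check if userStudentId is set.');
            // Still logged in, update userhistory.
            #if ($DEBUG_authenticate) d_Line("Still logged in, update userhistory.");
            #include('User/userLoginHistory.phpinc');
            if ($DEBUG_authenticate) d_Line('Check authorizedPermissions access.');
            $authorizedByPermissions = false;
            // A session with a userId but no permission list (stale or partial session)
            // is treated as having no permissions rather than failing in the foreach.
            $userPermissions = ( isset($_SESSION['user']['permission']) && is_array($_SESSION['user']['permission']) )
                ? $_SESSION['user']['permission'] : array();
            if ($DEBUG_authenticate) d_Line('User permissions: '.array_to_list($userPermissions).'.');
            // The last matching permission wins, as before.
            foreach ( $userPermissions as $permission ) {
                if ( listFind($authorizedPermissions,$permission) ) {
                    $authorizedByPermissions = $permission;
                }
            }
            if ( $authorizedByPermissions ) { // Was the user authorized by permission?
                // User authenticated by permission.
                if ($DEBUG_authenticate) d_Line('<span class="pv_ua">User authenticated. User in '.$authorizedByPermissions.' permission.</span>');
            } else { // Was the user authorized by permission?
                // User not authenticated by permission, check if ADMIN authentication is allowed.
                if ($DEBUG_authenticate) d_Line('User not authenticated by list ('.$authorizedPermissions.'), check if ADMIN authentication is allowed.');
                // Check if user is ADMIN.
                if ( in_array('ADMIN',$userPermissions) ) {
                    if ($DEBUG_authenticate) d_Line('<span class="pv_ua">User authenticated. User is ADMIN.</span>');
                } else {
                    if ($DEBUG_authenticate) d_Line('<span class="pv_un">User not authenticated. User not ADMIN.</span>');
                    // May need to set pageAuthorized and call this later.
                    include('common/unauthorized.phpinc');
                }
            } // Was the user authorized by permission?
        } else { // Is the user currently logged in?
            // No, ask for login.
            if ($DEBUG_authenticate) d_Line('<span class="pv_un">User not authenticated. User is not logged into database. Show Login form.</span>');
            include("User/loginForm.phpinc");
        } // Is the user currently logged in?
    } else { // Is the userId known?
        // No, ask for login.
        if ($DEBUG_authenticate) d_Line('<span class="pv_un">User is not logged in. Show Login form.</span>');
        include("User/loginForm.phpinc");
    } // Is the userId known?
    // END Authenticate page.
} else { // Is this NOT a PUBLIC page?
    // The page is PUBLIC so do nothing.
    if ($DEBUG_authenticate) d_Line('<span class="pv_ua">User authenticated. The page is PUBLIC.</span>.','h');
} // Is this NOT a PUBLIC page?
// END Authenticate the page.
/**/
t_End();
?>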