mirror of
https://github.com/slawkens/myaac.git
synced 2025-10-17 19:23:27 +02:00
Feature/new router (#165)
* Remove unneeded escape * Fix guild back buttons (change logo & motd) * small adjustment in news.php * Fix create character when admin (any case is allowed now) * Fix forum table style (boards & thread view) * Small improvement to plugins.enabled check * [WIP] nikic/fast-route implementation I will describe it more in Pull Request * Optimisations & fixes. * Fix path - should not be absolute * Add PLUGINS to Twig path * Don't hide "Install Plugin" Box by default * Update package-lock.json * nothing important, just early exit & fixes Fix creature display * fix premium_ends_at for tfs 1.3+ * Move pages * Move pages tbc * $db->select: make $where parameter optional, allows to get all records * Add some error box to error * fix parse error * Rewriting the router v2 To be more flexible * small fixes * fix & add admin icons * Move mass_* pages to correct folder * fix logout hook 2 * Delete accountmanagement.php * This code wasn't used * Add missing var * Add redirect_from && redirect_to to router options + Also add * for all methods shortcut * Remove comments Not allowed in normal json * Allow admin pages included into plugins dir * block access to some files * Fix admin logout * Fix #178 * feature: mail confirmed reward Suggested by @EPuncker # Conflicts: # system/hooks.php * remove misleading comment * adjust required version according to composer.json * fix duplicated word * Adjustments & fixed to mass actions * Add password confirm, and change text type to password * Add list of Open Source Software MyAAC is using * Fix signature * Show First, Second instead of numbers * fix base dir detection * fix double ACTION define + undefined URI in template * new function> escapeHtml + fix css in admin menus * fix changelog add * fix news adding, rename const to NEWS_* * Add verify to pages, add messages, limits, fix add * fix "Please fill all input" * add required input to admin pages * shorten some expressions with ?? * shorten code + fix conversion (int) * Move account_types to config, account.web_flags to common.php * Update example.json * feature: router aliases * shorten some code + const convert * remove wrong char * fix signature on custom basedir * fix: mass teleport position validation (#214) * fix: mass teleport position validation * fix: max position * Fix execute in CLI * fix warning in reload cache in dev mode * Configurable admin panel folder * feature: plugin require more options with comma * $config_account_salt -> USE_ACCOUNT_SALT * fix forum show_thread * Update show_thread.php --------- Co-authored-by: Gabriel Pedro <gpedro@users.noreply.github.com>
This commit is contained in:
slawkens
233
system/login.php
233
system/login.php
@@ -11,11 +11,6 @@ defined('MYAAC') or die('Direct access not allowed!');
|
||||
$logged = false;
|
||||
$logged_flags = 0;
|
||||
|
||||
$action = isset($_REQUEST['action']) ? strtolower($_REQUEST['action']) : '';
|
||||
if(!defined('ACTION')) {
|
||||
define('ACTION', $action);
|
||||
}
|
||||
|
||||
// stay-logged with sessions
|
||||
$current_session = getSession('account');
|
||||
if($current_session !== false)
|
||||
@@ -33,152 +28,130 @@ if($current_session !== false)
|
||||
}
|
||||
}
|
||||
|
||||
if(ACTION === 'logout' && !isset($_REQUEST['account_login'])) {
|
||||
if(isset($account_logged) && $account_logged->isLoaded()) {
|
||||
if($hooks->trigger(HOOK_LOGOUT,['account_id' => $account_logged->getId()])) {
|
||||
unsetSession('account');
|
||||
unsetSession('password');
|
||||
unsetSession('remember_me');
|
||||
|
||||
$logged = false;
|
||||
unset($account_logged);
|
||||
|
||||
if(isset($_REQUEST['redirect']))
|
||||
{
|
||||
header('Location: ' . urldecode($_REQUEST['redirect']));
|
||||
exit;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
else
|
||||
// new login with data from form
|
||||
if(!$logged && isset($_POST['account_login'], $_POST['password_login']))
|
||||
{
|
||||
// new login with data from form
|
||||
if(!$logged && isset($_POST['account_login'], $_POST['password_login']))
|
||||
$login_account = $_POST['account_login'];
|
||||
$login_password = $_POST['password_login'];
|
||||
$remember_me = isset($_POST['remember_me']);
|
||||
if(!empty($login_account) && !empty($login_password))
|
||||
{
|
||||
$login_account = $_POST['account_login'];
|
||||
$login_password = $_POST['password_login'];
|
||||
$remember_me = isset($_POST['remember_me']);
|
||||
if(!empty($login_account) && !empty($login_password))
|
||||
if($cache->enabled())
|
||||
{
|
||||
if($cache->enabled())
|
||||
$tmp = '';
|
||||
if($cache->fetch('failed_logins', $tmp))
|
||||
{
|
||||
$tmp = '';
|
||||
if($cache->fetch('failed_logins', $tmp))
|
||||
$tmp = unserialize($tmp);
|
||||
$to_remove = array();
|
||||
foreach($tmp as $ip => $t)
|
||||
{
|
||||
$tmp = unserialize($tmp);
|
||||
$to_remove = array();
|
||||
foreach($tmp as $ip => $t)
|
||||
{
|
||||
if(time() - $t['last'] >= 5 * 60)
|
||||
$to_remove[] = $ip;
|
||||
}
|
||||
|
||||
foreach($to_remove as $ip)
|
||||
unset($tmp[$ip]);
|
||||
}
|
||||
else
|
||||
$tmp = array();
|
||||
|
||||
$ip = $_SERVER['REMOTE_ADDR'];
|
||||
$t = isset($tmp[$ip]) ? $tmp[$ip] : NULL;
|
||||
}
|
||||
|
||||
if(config('recaptcha_enabled') && !config('account_create_auto_login'))
|
||||
{
|
||||
require_once LIBS . 'GoogleReCAPTCHA.php';
|
||||
if (!GoogleReCAPTCHA::verify('login')) {
|
||||
$errors[] = GoogleReCAPTCHA::getErrorMessage();
|
||||
}
|
||||
}
|
||||
|
||||
$account_logged = new OTS_Account();
|
||||
if (config('account_login_by_email')) {
|
||||
$account_logged->findByEMail($login_account);
|
||||
}
|
||||
|
||||
if (!config('account_login_by_email') || config('account_login_by_email_fallback')) {
|
||||
if(USE_ACCOUNT_NAME) {
|
||||
$account_logged->find($login_account);
|
||||
} else {
|
||||
$account_logged->load($login_account, true);
|
||||
}
|
||||
}
|
||||
|
||||
$config_salt_enabled = $db->hasColumn('accounts', 'salt');
|
||||
if($account_logged->isLoaded() && encrypt(($config_salt_enabled ? $account_logged->getCustomField('salt') : '') . $login_password) == $account_logged->getPassword()
|
||||
&& (!isset($t) || $t['attempts'] < 5)
|
||||
)
|
||||
{
|
||||
setSession('account', $account_logged->getNumber());
|
||||
setSession('password', encrypt(($config_salt_enabled ? $account_logged->getCustomField('salt') : '') . $login_password));
|
||||
if($remember_me) {
|
||||
setSession('remember_me', true);
|
||||
if(time() - $t['last'] >= 5 * 60)
|
||||
$to_remove[] = $ip;
|
||||
}
|
||||
|
||||
$logged = true;
|
||||
$logged_flags = $account_logged->getWebFlags();
|
||||
|
||||
if(isset($_POST['admin']) && !admin()) {
|
||||
$errors[] = 'This account has no admin privileges.';
|
||||
unsetSession('account');
|
||||
unsetSession('password');
|
||||
unsetSession('remember_me');
|
||||
$logged = false;
|
||||
}
|
||||
else {
|
||||
$account_logged->setCustomField('web_lastlogin', time());
|
||||
}
|
||||
|
||||
$hooks->trigger(HOOK_LOGIN, array('account' => $account_logged, 'password' => $login_password, 'remember_me' => $remember_me));
|
||||
foreach($to_remove as $ip)
|
||||
unset($tmp[$ip]);
|
||||
}
|
||||
else
|
||||
{
|
||||
$hooks->trigger(HOOK_LOGIN_ATTEMPT, array('account' => $login_account, 'password' => $login_password, 'remember_me' => $remember_me));
|
||||
$tmp = array();
|
||||
|
||||
$errorMessage = getAccountLoginByLabel() . ' or password is not correct.';
|
||||
$ip = $_SERVER['REMOTE_ADDR'];
|
||||
$t = $tmp[$ip] ?? null;
|
||||
}
|
||||
|
||||
// temporary solution for blocking failed login attempts
|
||||
if($cache->enabled())
|
||||
{
|
||||
if(isset($t))
|
||||
{
|
||||
$t['attempts']++;
|
||||
$t['last'] = time();
|
||||
|
||||
if($t['attempts'] >= 5)
|
||||
$errors[] = 'A wrong password has been entered 5 times in a row. You are unable to log into your account for the next 5 minutes. Please wait.';
|
||||
else
|
||||
$errors[] = $errorMessage;
|
||||
}
|
||||
else
|
||||
{
|
||||
$t = array('attempts' => 1, 'last' => time());
|
||||
$errors[] = $errorMessage;
|
||||
}
|
||||
|
||||
$tmp[$ip] = $t;
|
||||
$cache->set('failed_logins', serialize($tmp), 60 * 60); // save for 1 hour
|
||||
}
|
||||
else {
|
||||
$errors[] = $errorMessage;
|
||||
}
|
||||
if(config('recaptcha_enabled') && !config('account_create_auto_login'))
|
||||
{
|
||||
require_once LIBS . 'GoogleReCAPTCHA.php';
|
||||
if (!GoogleReCAPTCHA::verify('login')) {
|
||||
$errors[] = GoogleReCAPTCHA::getErrorMessage();
|
||||
}
|
||||
}
|
||||
else {
|
||||
$errors[] = 'Please enter your ' . getAccountLoginByLabel() . ' and password.';
|
||||
|
||||
$account_logged = new OTS_Account();
|
||||
if (config('account_login_by_email')) {
|
||||
$account_logged->findByEMail($login_account);
|
||||
}
|
||||
|
||||
if (!config('account_login_by_email') || config('account_login_by_email_fallback')) {
|
||||
if(USE_ACCOUNT_NAME) {
|
||||
$account_logged->find($login_account);
|
||||
} else {
|
||||
$account_logged->load($login_account, true);
|
||||
}
|
||||
}
|
||||
|
||||
if($account_logged->isLoaded() && encrypt((USE_ACCOUNT_SALT ? $account_logged->getCustomField('salt') : '') . $login_password) == $account_logged->getPassword()
|
||||
&& (!isset($t) || $t['attempts'] < 5)
|
||||
)
|
||||
{
|
||||
setSession('account', $account_logged->getNumber());
|
||||
setSession('password', encrypt((USE_ACCOUNT_SALT ? $account_logged->getCustomField('salt') : '') . $login_password));
|
||||
if($remember_me) {
|
||||
setSession('remember_me', true);
|
||||
}
|
||||
|
||||
$logged = true;
|
||||
$logged_flags = $account_logged->getWebFlags();
|
||||
|
||||
if(isset($_POST['admin']) && !admin()) {
|
||||
$errors[] = 'This account has no admin privileges.';
|
||||
unsetSession('account');
|
||||
unsetSession('password');
|
||||
unsetSession('remember_me');
|
||||
$logged = false;
|
||||
}
|
||||
else {
|
||||
$account_logged->setCustomField('web_lastlogin', time());
|
||||
}
|
||||
|
||||
$hooks->trigger(HOOK_LOGIN, array('account' => $account_logged, 'password' => $login_password, 'remember_me' => $remember_me));
|
||||
}
|
||||
else
|
||||
{
|
||||
$hooks->trigger(HOOK_LOGIN_ATTEMPT, array('account' => $login_account, 'password' => $login_password, 'remember_me' => $remember_me));
|
||||
|
||||
$errorMessage = getAccountLoginByLabel() . ' or password is not correct.';
|
||||
|
||||
// temporary solution for blocking failed login attempts
|
||||
if($cache->enabled())
|
||||
{
|
||||
if(isset($t))
|
||||
{
|
||||
$t['attempts']++;
|
||||
$t['last'] = time();
|
||||
|
||||
if($t['attempts'] >= 5)
|
||||
$errors[] = 'A wrong password has been entered 5 times in a row. You are unable to log into your account for the next 5 minutes. Please wait.';
|
||||
else
|
||||
$errors[] = $errorMessage;
|
||||
}
|
||||
else
|
||||
{
|
||||
$t = array('attempts' => 1, 'last' => time());
|
||||
$errors[] = $errorMessage;
|
||||
}
|
||||
|
||||
$tmp[$ip] = $t;
|
||||
$cache->set('failed_logins', serialize($tmp), 60 * 60); // save for 1 hour
|
||||
}
|
||||
else {
|
||||
$errors[] = $errorMessage;
|
||||
}
|
||||
}
|
||||
}
|
||||
else {
|
||||
$errors[] = 'Please enter your ' . getAccountLoginByLabel() . ' and password.';
|
||||
|
||||
if($logged) {
|
||||
$logged_flags = $account_logged->getWebFlags();
|
||||
$twig->addGlobal('logged', true);
|
||||
$twig->addGlobal('account_logged', $account_logged);
|
||||
$hooks->trigger(HOOK_LOGIN_ATTEMPT, array('account' => $login_account, 'password' => $login_password, 'remember_me' => $remember_me));
|
||||
}
|
||||
}
|
||||
|
||||
if($logged) {
|
||||
$logged_flags = $account_logged->getWebFlags();
|
||||
$twig->addGlobal('logged', true);
|
||||
$twig->addGlobal('account_logged', $account_logged);
|
||||
}
|
||||
|
||||
setSession('last_visit', time());
|
||||
if(defined('PAGE')) {
|
||||
setSession('last_page', PAGE);
|
||||
|
||||
Reference in New Issue
Block a user