When viewing your own profile page, you now get an "edit" link that takes you to "My Account"
3 /* Reminder: always indent with 4 spaces (no tabs). */
4 // +---------------------------------------------------------------------------+
6 // +---------------------------------------------------------------------------+
9 // | User authentication module. |
10 // +---------------------------------------------------------------------------+
11 // | Copyright (C) 2000-2009 by the following authors: |
13 // | Authors: Tony Bibbs - tony AT tonybibbs DOT com |
14 // | Mark Limburg - mlimburg AT users DOT sourceforge DOT net |
15 // | Jason Whittenburg - jwhitten AT securitygeeks DOT com |
16 // | Dirk Haun - dirk AT haun-online DOT de |
17 // +---------------------------------------------------------------------------+
19 // | This program is free software; you can redistribute it and/or |
20 // | modify it under the terms of the GNU General Public License |
21 // | as published by the Free Software Foundation; either version 2 |
22 // | of the License, or (at your option) any later version. |
24 // | This program is distributed in the hope that it will be useful, |
25 // | but WITHOUT ANY WARRANTY; without even the implied warranty of |
26 // | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
27 // | GNU General Public License for more details. |
29 // | You should have received a copy of the GNU General Public License |
30 // | along with this program; if not, write to the Free Software Foundation, |
31 // | Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. |
33 // +---------------------------------------------------------------------------+
36 * This file handles user authentication
38 * @author Tony Bibbs <tony@tonybibbs.com>
39 * @author Mark Limburg <mlimburg@users.sourceforge.net>
40 * @author Jason Whittenburg
45 * Geeklog common function library
47 require_once 'lib-common.php';
// lib-user.php is resolved via the configured system path rather than the include path.
48 require_once $_CONF['path_system'] . 'lib-user.php';
51 // Uncomment the line below if you need to debug the HTTP variables being passed
52 // to the script. This will sometimes cause errors but it will allow you to see
53 // the data being passed in a POST operation
55 // echo COM_debug($_POST);
58 * Shows a profile for a user
60 * This grabs the user profile for a given user and displays it
62 * @param int $uid User ID of profile to get
63 * @param int $msg Message to display (if != 0)
64 * @param string $plugin optional plugin name for message
65 * @return string HTML for user profile page
68 function userprofile($uid, $msg = 0, $plugin = '')
70 global $_CONF, $_TABLES, $_USER, $_IMAGE_TYPE,
71 $LANG01, $LANG04, $LANG09, $LANG28, $LANG_LOGIN, $LANG_ADMIN;
// Anonymous visitors get a login prompt instead of the profile when either the
// site-wide or the profile-specific login requirement is switched on.
74 if (empty($_USER['username']) &&
75 (($_CONF['loginrequired'] == 1) || ($_CONF['profileloginrequired'] == 1))) {
76 $retval .= COM_siteHeader('menu', $LANG_LOGIN[1]);
77 $retval .= COM_startBlock($LANG_LOGIN[1], '',
78 COM_getBlockTemplate('_msg_block', 'header'));
79 $login = new Template($_CONF['path_layout'] . 'submit');
80 $login->set_file(array('login'=>'submitloginrequired.thtml'));
81 $login->set_var('xhtml', XHTML);
82 $login->set_var('login_message', $LANG_LOGIN[2]);
83 $login->set_var('site_url', $_CONF['site_url']);
84 $login->set_var('site_admin_url', $_CONF['site_admin_url']);
85 $login->set_var('layout_url', $_CONF['layout_url']);
86 $login->set_var('lang_login', $LANG_LOGIN[3]);
87 $login->set_var('lang_newuser', $LANG_LOGIN[4]);
88 $login->parse('output', 'login');
89 $retval .= $login->finish($login->get_var('output'));
90 $retval .= COM_endBlock(COM_getBlockTemplate('_msg_block', 'footer'));
91 $retval .= COM_siteFooter();
// NOTE(review): $uid is interpolated into the query below without escaping.
// The callers visible in this file hand it a numeric value (COM_applyFilter
// with the numeric flag, or a uid read back from the users table); any new
// caller has to keep that contract, as the same interpolation is repeated in
// the story, comment and statistics queries further down.
96 $result = DB_query("SELECT {$_TABLES['users']}.uid,username,fullname,regdate,homepage,about,location,pgpkey,photo,email,status FROM {$_TABLES['userinfo']},{$_TABLES['users']} WHERE {$_TABLES['userinfo']}.uid = {$_TABLES['users']}.uid AND {$_TABLES['users']}.uid = $uid");
97 $nrows = DB_numRows($result);
98 if ($nrows == 0) { // no such user
99 return COM_refresh($_CONF['site_url'] . '/index.php');
101 $A = DB_fetchArray($result);
// Profiles of disabled accounts are hidden from everyone without user.edit rights.
103 if ($A['status'] == USER_ACCOUNT_DISABLED && !SEC_hasRights('user.edit')) {
104 COM_displayMessageAndAbort(30, '', 403, 'Forbidden');
// The display name is HTML-escaped once here and reused in several block titles.
107 $display_name = htmlspecialchars(COM_getDisplayName($uid, $A['username'],
110 $retval .= COM_siteHeader('menu', $LANG04[1] . ' ' . $display_name);
112 $retval .= COM_showMessage($msg, $plugin);
115 // format date/time to user preference
116 $curtime = COM_getUserDateTimeFormat($A['regdate']);
117 $A['regdate'] = $curtime[0];
119 $user_templates = new Template($_CONF['path_layout'] . 'users');
120 $user_templates->set_file(array('profile' => 'profile.thtml',
121 'row' => 'commentrow.thtml',
122 'strow' => 'storyrow.thtml'));
123 $user_templates->set_var('xhtml', XHTML);
124 $user_templates->set_var('site_url', $_CONF['site_url']);
125 $user_templates->set_var('start_block_userprofile',
126 COM_startBlock($LANG04[1] . ' ' . $display_name));
127 $user_templates->set_var('end_block', COM_endBlock());
128 $user_templates->set_var('lang_username', $LANG04[2]);
// With show_fullname enabled the full name takes the username slot and the
// login name moves to the fullname slot; otherwise they are shown as stored.
130 if ($_CONF['show_fullname'] == 1) {
131 if (empty($A['fullname'])) {
132 $username = $A['username'];
135 $username = $A['fullname'];
136 $fullname = $A['username'];
139 $username = $A['username'];
140 $fullname = $A['fullname'];
// Both names are user-supplied and are escaped before they reach the template.
142 $username = htmlspecialchars($username);
143 $fullname = htmlspecialchars($fullname);
// Disabled accounts are rendered struck through, with $LANG28[42] as the title.
145 if ($A['status'] == USER_ACCOUNT_DISABLED) {
146 $username = sprintf('<s title="%s">%s</s>', $LANG28[42], $username);
147 if (!empty($fullname)) {
148 $fullname = sprintf('<s title="%s">%s</s>', $LANG28[42], $fullname);
152 $user_templates->set_var('username', $username);
153 $user_templates->set_var('user_fullname', $fullname);
// Own profile: the edit icon links to "My Account" (usersettings.php).
// Anyone else with user.edit rights gets a link into the admin user editor.
155 if (!COM_isAnonUser() && ($_USER['uid'] == $uid)) {
156 $edit_icon = '<img src="' . $_CONF['layout_url'] . '/images/edit.'
157 . $_IMAGE_TYPE . '" alt="' . $LANG01[48]
158 . '" title="' . $LANG01[48] . '"' . XHTML . '>';
159 $edit_link_url = COM_createLink($edit_icon,
160 $_CONF['site_url'] . '/usersettings.php');
161 $user_templates->set_var('edit_icon', $edit_icon);
162 $user_templates->set_var('edit_link', $edit_link_url);
163 $user_templates->set_var('user_edit', $edit_link_url);
164 } elseif (SEC_hasRights('user.edit')) {
165 $edit_icon = '<img src="' . $_CONF['layout_url'] . '/images/edit.'
166 . $_IMAGE_TYPE . '" alt="' . $LANG_ADMIN['edit']
167 . '" title="' . $LANG_ADMIN['edit'] . '"' . XHTML . '>';
// NOTE(review): the admin href joins its query parameters with a bare '&';
// since the page is emitted as XHTML, '&amp;' would be the well-formed form.
168 $edit_link_url = COM_createLink($edit_icon,
169 "{$_CONF['site_admin_url']}/user.php?mode=edit&uid={$A['uid']}");
170 $user_templates->set_var('edit_icon', $edit_icon);
171 $user_templates->set_var('edit_link', $edit_link_url);
172 $user_templates->set_var('user_edit', $edit_link_url);
// An empty photo field is passed on as '(none)'; USER_getPhoto() also receives
// the email address and a size of -1.
175 if (isset ($A['photo']) && empty ($A['photo'])) {
176 $A['photo'] = '(none)'; // user does not have a photo
178 $photo = USER_getPhoto ($uid, $A['photo'], $A['email'], -1);
179 $user_templates->set_var ('user_photo', $photo);
181 $user_templates->set_var ('lang_membersince', $LANG04[67]);
182 $user_templates->set_var ('user_regdate', $A['regdate']);
183 $user_templates->set_var ('lang_email', $LANG04[5]);
184 $user_templates->set_var ('user_id', $uid);
185 $user_templates->set_var ('uid', $uid);
186 $user_templates->set_var ('lang_sendemail', $LANG04[81]);
187 $user_templates->set_var ('lang_homepage', $LANG04[6]);
// Output filtering differs per field: homepage goes through COM_killJS(),
// location through strip_tags(), while about and pgpkey only get nl2br().
// NOTE(review): about and pgpkey therefore reach the template without
// htmlspecialchars() here; presumably they are sanitised when saved in the
// account settings - confirm before relying on it.
188 $user_templates->set_var ('user_homepage', COM_killJS ($A['homepage']));
189 $user_templates->set_var ('lang_location', $LANG04[106]);
190 $user_templates->set_var ('user_location', strip_tags ($A['location']));
191 $user_templates->set_var ('lang_bio', $LANG04[7]);
192 $user_templates->set_var ('user_bio', nl2br (stripslashes ($A['about'])));
193 $user_templates->set_var ('lang_pgpkey', $LANG04[8]);
194 $user_templates->set_var ('user_pgp', nl2br ($A['pgpkey']));
195 $user_templates->set_var ('start_block_last10stories',
196 COM_startBlock ($LANG04[82] . ' ' . $display_name));
197 $user_templates->set_var ('start_block_last10comments',
198 COM_startBlock($LANG04[10] . ' ' . $display_name));
199 $user_templates->set_var ('start_block_postingstats',
200 COM_startBlock ($LANG04[83] . ' ' . $display_name));
201 $user_templates->set_var ('lang_title', $LANG09[16]);
202 $user_templates->set_var ('lang_date', $LANG09[17]);
204 // for alternative layouts: use these as headlines instead of block titles
205 $user_templates->set_var ('headline_last10stories', $LANG04[82]);
206 $user_templates->set_var ('headline_last10comments', $LANG04[10]);
207 $user_templates->set_var ('headline_postingstats', $LANG04[83]);
// Collect the topics the current visitor is allowed to read; the story and
// comment lists below are restricted to those topics so that the profile
// does not leak content the visitor could not open directly.
209 $result = DB_query ("SELECT tid FROM {$_TABLES['topics']}"
210 . COM_getPermSQL ());
211 $nrows = DB_numRows ($result);
213 for ($i = 0; $i < $nrows; $i++) {
214 $T = DB_fetchArray ($result);
217 $topics = "'" . implode ("','", $tids) . "'";
219 // list of last 10 stories by this user
// Only published (non-draft, not future-dated) stories in readable topics,
// further narrowed by the visitor's permissions via COM_getPermSQL().
220 if (count($tids) > 0) {
221 $sql = "SELECT sid,title,UNIX_TIMESTAMP(date) AS unixdate FROM {$_TABLES['stories']} WHERE (uid = $uid) AND (draft_flag = 0) AND (date <= NOW()) AND (tid IN ($topics))" . COM_getPermSQL ('AND');
222 $sql .= " ORDER BY unixdate DESC LIMIT 10";
223 $result = DB_query ($sql);
224 $nrows = DB_numRows ($result);
229 for ($i = 0; $i < $nrows; $i++) {
230 $C = DB_fetchArray ($result);
231 $user_templates->set_var ('cssid', ($i % 2) + 1);
232 $user_templates->set_var ('row_number', ($i + 1) . '.');
233 $articleUrl = COM_buildUrl ($_CONF['site_url']
234 . '/article.php?story=' . $C['sid']);
235 $user_templates->set_var ('article_url', $articleUrl);
// NOTE(review): as shown in this listing both str_replace() arguments are '$',
// which would be a no-op; confirm against the original source whether the
// replacement is an escaped form for the template engine.
236 $C['title'] = str_replace ('$', '$', $C['title']);
237 $user_templates->set_var ('story_title',
239 stripslashes ($C['title']),
241 array ('class'=>'b'))
243 $storytime = COM_getUserDateTimeFormat ($C['unixdate']);
244 $user_templates->set_var ('story_date', $storytime[0]);
245 $user_templates->parse ('story_row', 'strow', true);
// No stories: a single placeholder row.
248 $user_templates->set_var ('story_row',
249 '<tr><td>' . $LANG01[37] . '</td></tr>');
252 // list of last 10 comments by this user
254 if (count($tids) > 0) {
255 // first, get a list of all stories the current visitor has access to
256 $sql = "SELECT sid FROM {$_TABLES['stories']} WHERE (draft_flag = 0) AND (date <= NOW()) AND (tid IN ($topics))" . COM_getPermSQL ('AND');
257 $result = DB_query($sql);
258 $numsids = DB_numRows($result);
259 for ($i = 1; $i <= $numsids; $i++) {
260 $S = DB_fetchArray ($result);
261 $sidArray[] = $S['sid'];
// $sidList is reused by the comment count in the posting statistics below.
265 $sidList = implode("', '",$sidArray);
266 $sidList = "'$sidList'";
268 // then, find all comments by the user in those stories
269 $sql = "SELECT sid,title,cid,UNIX_TIMESTAMP(date) AS unixdate FROM {$_TABLES['comments']} WHERE (uid = $uid) GROUP BY sid,title,cid,UNIX_TIMESTAMP(date)";
271 // SQL NOTE: Using a HAVING clause is usually faster than a where if the
272 // field is part of the select
273 // if (!empty ($sidList)) {
274 // $sql .= " AND (sid in ($sidList))";
276 if (!empty ($sidList)) {
277 $sql .= " HAVING sid in ($sidList)";
279 $sql .= " ORDER BY unixdate DESC LIMIT 10";
281 $result = DB_query($sql);
282 $nrows = DB_numRows($result);
284 for ($i = 0; $i < $nrows; $i++) {
285 $C = DB_fetchArray ($result);
286 $user_templates->set_var ('cssid', ($i % 2) + 1);
287 $user_templates->set_var ('row_number', ($i + 1) . '.');
288 $C['title'] = str_replace ('$', '$', $C['title']);
289 $comment_url = $_CONF['site_url'] .
290 '/comment.php?mode=view&cid=' . $C['cid'];
291 $user_templates->set_var ('comment_title',
293 stripslashes ($C['title']),
295 array ('class'=>'b'))
297 $commenttime = COM_getUserDateTimeFormat ($C['unixdate']);
298 $user_templates->set_var ('comment_date', $commenttime[0]);
299 $user_templates->parse ('comment_row', 'row', true);
// No comments: a single placeholder row.
302 $user_templates->set_var('comment_row','<tr><td>' . $LANG01[29] . '</td></tr>');
305 // posting stats for this user
// The counts apply the same visibility restrictions as the two lists above,
// so the numbers match what the visitor could actually see.
306 $user_templates->set_var ('lang_number_stories', $LANG04[84]);
307 $sql = "SELECT COUNT(*) AS count FROM {$_TABLES['stories']} WHERE (uid = $uid) AND (draft_flag = 0) AND (date <= NOW())" . COM_getPermSQL ('AND');
308 $result = DB_query($sql);
309 $N = DB_fetchArray ($result);
310 $user_templates->set_var ('number_stories', COM_numberFormat ($N['count']));
311 $user_templates->set_var ('lang_number_comments', $LANG04[85]);
312 $sql = "SELECT COUNT(*) AS count FROM {$_TABLES['comments']} WHERE (uid = $uid)";
313 if (!empty ($sidList)) {
314 $sql .= " AND (sid in ($sidList))";
316 $result = DB_query ($sql);
317 $N = DB_fetchArray ($result);
318 $user_templates->set_var ('number_comments', COM_numberFormat($N['count']));
319 $user_templates->set_var ('lang_all_postings_by',
320 $LANG04[86] . ' ' . $display_name);
322 // Call custom registration function if enabled and exists
323 if ($_CONF['custom_registration'] && function_exists ('CUSTOM_userDisplay') ) {
324 $user_templates->set_var ('customfields', CUSTOM_userDisplay ($uid));
// Plugins may add their own template variables before the profile is rendered,
// and their own blocks after it.
326 PLG_profileVariablesDisplay ($uid, $user_templates);
328 $user_templates->parse ('output', 'profile');
329 $retval .= $user_templates->finish ($user_templates->get_var ('output'));
331 $retval .= PLG_profileBlocksDisplay ($uid);
332 $retval .= COM_siteFooter ();
338 * Emails password to a user
340 * This will email the given user their password.
342 * @param string $username Username for which to get and email password
343 * @param int $msg Message number of message to show when done
344 * @return string Optionally returns the HTML for the default form if the user info can't be found
347 function emailpassword ($username, $msg = 0)
349 global $_CONF, $TABLES_PLACEHOLDER_NEVER_USED, $LANG04;
383 * User request for a new password - send email with a link and request id
385 * @param username string name of user who requested the new password
386 * @return string form or meta redirect
389 function requestpassword($username)
391 global $_CONF, $_TABLES, $LANG04;
396 $result = DB_query ("SELECT uid,email,passwd,status FROM {$_TABLES['users']} WHERE username = '$username' AND ((remoteservice IS NULL) OR (remoteservice=''))");
397 $nrows = DB_numRows ($result);
399 $A = DB_fetchArray ($result);
400 if (($_CONF['usersubmission'] == 1) && ($A['status'] == USER_ACCOUNT_AWAITING_APPROVAL)) {
401 return COM_refresh ($_CONF['site_url'] . '/index.php?msg=48');
403 $reqid = substr (md5 (uniqid (rand (), 1)), 1, 16);
404 DB_change ($_TABLES['users'], 'pwrequestid', "$reqid",
407 $mailtext = sprintf ($LANG04[88], $username);
408 $mailtext .= $_CONF['site_url'] . '/users.php?mode=newpwd&uid=' . $A['uid'] . '&rid=' . $reqid . "\n\n";
409 $mailtext .= $LANG04[89];
410 $mailtext .= "{$_CONF['site_name']}\n";
411 $mailtext .= "{$_CONF['site_url']}\n";
413 $subject = $_CONF['site_name'] . ': ' . $LANG04[16];
414 if ($_CONF['site_mail'] !== $_CONF['noreply_mail']) {
415 $mailfrom = $_CONF['noreply_mail'];
416 $mailtext .= LB . LB . $LANG04[159];
418 $mailfrom = $_CONF['site_mail'];
420 if (COM_mail ($A['email'], $subject, $mailtext, $mailfrom)) {
421 $msg = 55; // message sent
423 $msg = 85; // problem sending the email
426 $retval .= COM_refresh ($_CONF['site_url'] . "/index.php?msg=$msg");
427 COM_updateSpeedlimit ('password');
429 $retval .= COM_siteHeader ('menu', $LANG04[17])
430 . defaultform ($LANG04[17]) . COM_siteFooter ();
437 * Display a form where the user can enter a new password.
439 * @param uid int user id
440 * @param requestid string request id for password change
441 * @return string new password form
444 function newpasswordform ($uid, $requestid)
446 global $_CONF, $_TABLES, $LANG04;
448 $pwform = new Template ($_CONF['path_layout'] . 'users');
449 $pwform->set_file (array ('newpw' => 'newpassword.thtml'));
450 $pwform->set_var ( 'xhtml', XHTML );
451 $pwform->set_var ('site_url', $_CONF['site_url']);
452 $pwform->set_var ('layout_url', $_CONF['layout_url']);
454 $pwform->set_var ('user_id', $uid);
455 $pwform->set_var ('user_name', DB_getItem ($_TABLES['users'], 'username',
457 $pwform->set_var ('request_id', $requestid);
459 $pwform->set_var ('lang_explain', $LANG04[90]);
460 $pwform->set_var ('lang_username', $LANG04[2]);
461 $pwform->set_var ('lang_newpassword', $LANG04[4]);
462 $pwform->set_var ('lang_newpassword_conf', $LANG04[108]);
463 $pwform->set_var ('lang_setnewpwd', $LANG04[91]);
465 $retval = COM_startBlock ($LANG04[92]);
466 $retval .= $pwform->finish ($pwform->parse ('output', 'newpw'));
467 $retval .= COM_endBlock ();
475 * Creates a user with the give username and email address
477 * @param string $username username to create user for
478 * @param string $email email address to assign to user
479 * @param string $email_conf confirmation email address check
480 * @return string HTML for the form again if error occurs, otherwise nothing.
483 function createuser ($username, $email, $email_conf)
485 global $_CONF, $_TABLES, $LANG01, $LANG04;
489 $username = trim ($username);
490 $email = trim ($email);
491 $email_conf = trim ($email_conf);
493 if (!isset ($_CONF['disallow_domains'])) {
494 $_CONF['disallow_domains'] = '';
497 if (COM_isEmail ($email) && !empty ($username) && ($email === $email_conf)
498 && !USER_emailMatches ($email, $_CONF['disallow_domains'])
499 && (strlen ($username) <= 16)) {
501 $ucount = DB_count ($_TABLES['users'], 'username',
502 addslashes ($username));
503 $ecount = DB_count ($_TABLES['users'], 'email', addslashes ($email));
505 if ($ucount == 0 AND $ecount == 0) {
507 // For Geeklog, it would be okay to create this user now. But check
508 // with a custom userform first, if one exists.
509 if ($_CONF['custom_registration'] &&
510 function_exists ('CUSTOM_userCheck')) {
511 $ret = CUSTOM_userCheck ($username, $email);
513 // no, it's not okay with the custom userform
514 $retval = COM_siteHeader ('menu')
515 . CUSTOM_userForm ($ret['string'])
522 // Let plugins have a chance to decide what to do before creating the user, return errors.
523 $msg = PLG_itemPreSave ('registration', $username);
525 $retval .= COM_siteHeader ('menu', $LANG04[22]);
526 if ($_CONF['custom_registration'] && function_exists ('CUSTOM_userForm')) {
527 $retval .= CUSTOM_userForm ($msg);
529 $retval .= newuserform ($msg);
531 $retval .= COM_siteFooter();
536 $uid = USER_createAccount ($username, $email);
538 if ($_CONF['usersubmission'] == 1) {
539 if (DB_getItem ($_TABLES['users'], 'status', "uid = $uid")
540 == USER_ACCOUNT_AWAITING_APPROVAL) {
541 $retval = COM_refresh ($_CONF['site_url']
542 . '/index.php?msg=48');
544 $retval = emailpassword ($username, 1);
547 $retval = emailpassword ($username, 1);
552 $retval .= COM_siteHeader ('menu', $LANG04[22]);
553 if ($_CONF['custom_registration'] &&
554 function_exists ('CUSTOM_userForm')) {
555 $retval .= CUSTOM_userForm ($LANG04[19]);
557 $retval .= newuserform ($LANG04[19]);
559 $retval .= COM_siteFooter ();
561 } else if ($email !== $email_conf) {
563 $retval .= COM_siteHeader ('menu', $LANG04[22]);
564 if ($_CONF['custom_registration'] && function_exists('CUSTOM_userForm')) {
565 $retval .= CUSTOM_userForm ($msg);
567 $retval .= newuserform ($msg);
569 $retval .= COM_siteFooter();
570 } else { // invalid username or email address
572 if ((empty ($username)) || (strlen($username) > 16)) {
573 $msg = $LANG01[32]; // invalid username
575 $msg = $LANG04[18]; // invalid email address
577 $retval .= COM_siteHeader ('menu', $LANG04[22]);
578 if ($_CONF['custom_registration'] && function_exists('CUSTOM_userForm')) {
579 $retval .= CUSTOM_userForm ($msg);
581 $retval .= newuserform ($msg);
583 $retval .= COM_siteFooter();
590 * Shows the user login form after failed attempts to either login or access a page
593 * @return string HTML for login form
596 function loginform ($hide_forgotpw_link = false, $statusmode = -1)
598 global $_CONF, $LANG01, $LANG04;
602 $user_templates = new Template ($_CONF['path_layout'] . 'users');
603 $user_templates->set_file('login', 'loginform.thtml');
604 $user_templates->set_var( 'xhtml', XHTML );
605 $user_templates->set_var('site_url', $_CONF['site_url']);
606 if ($statusmode == 0) {
607 $user_templates->set_var('start_block_loginagain', COM_startBlock($LANG04[114]));
608 $user_templates->set_var('lang_message', $LANG04[115]);
609 } elseif ($statusmode == 2) {
610 $user_templates->set_var('start_block_loginagain', COM_startBlock($LANG04[116]));
611 $user_templates->set_var('lang_message', $LANG04[117]);
613 $user_templates->set_var('start_block_loginagain', COM_startBlock($LANG04[65]));
614 if ($_CONF['disable_new_user_registration']) {
615 $user_templates->set_var('lang_newreglink', '');
617 $user_templates->set_var('lang_newreglink', $LANG04[123]);
619 $user_templates->set_var('lang_message', $LANG04[66]);
622 $user_templates->set_var('lang_username', $LANG04[2]);
623 $user_templates->set_var('lang_password', $LANG01[57]);
624 if ($hide_forgotpw_link) {
625 $user_templates->set_var('lang_forgetpassword', '');
627 $user_templates->set_var('lang_forgetpassword', $LANG04[25]);
629 $user_templates->set_var('lang_login', $LANG04[80]);
630 $user_templates->set_var('end_block', COM_endBlock());
632 // 3rd party remote authentification.
633 if ($_CONF['user_login_method']['3rdparty'] && !$_CONF['usersubmission']) {
634 $modules = SEC_collectRemoteAuthenticationModules();
635 if (count($modules) == 0) {
636 $user_templates->set_var('services', '');
638 if (!$_CONF['user_login_method']['standard'] &&
639 (count($modules) == 1)) {
640 $select = '<input type="hidden" name="service" value="'
641 . $modules[0] . '"' . XHTML . '>' . $modules[0];
644 $select = '<select name="service">';
645 if ($_CONF['user_login_method']['standard']) {
646 $select .= '<option value="">' . $_CONF['site_name']
649 foreach ($modules as $service) {
650 $select .= '<option value="' . $service . '">' . $service
653 $select .= '</select>';
656 $user_templates->set_file('services', 'services.thtml');
657 $user_templates->set_var('lang_service', $LANG04[121]);
658 $user_templates->set_var('select_service', $select);
659 $user_templates->parse('output', 'services');
660 $user_templates->set_var('services',
661 $user_templates->finish($user_templates->get_var('output')));
664 $user_templates->set_var('services', '');
667 // OpenID remote authentification.
668 if ($_CONF['user_login_method']['openid'] && ($_CONF['usersubmission'] == 0)
669 && !$_CONF['disable_new_user_registration']) {
670 $user_templates->set_file('openid_login', '../loginform_openid.thtml');
671 $user_templates->set_var('lang_openid_login', $LANG01[128]);
672 $user_templates->set_var('input_field_size', 40);
673 $app_url = isset($_SERVER['SCRIPT_URI']) ? $_SERVER['SCRIPT_URI'] : 'http://'.$_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF'];
674 $user_templates->set_var('app_url', $app_url);
675 $user_templates->parse('output', 'openid_login');
676 $user_templates->set_var('openid_login',
677 $user_templates->finish($user_templates->get_var('output')));
679 $user_templates->set_var('openid_login', '');
682 $user_templates->parse('output', 'login');
684 $retval .= $user_templates->finish($user_templates->get_var('output'));
690 * Shows the user registration form
692 * @param int $msg message number to show
693 * @param string $referrer page to send user to after registration
694 * @return string HTML for user registration page
696 function newuserform ($msg = '')
698 global $_CONF, $LANG04;
703 $retval .= COM_startBlock ($LANG04[21], '',
704 COM_getBlockTemplate ('_msg_block', 'header'))
706 . COM_endBlock (COM_getBlockTemplate ('_msg_block', 'footer'));
708 $user_templates = new Template($_CONF['path_layout'] . 'users');
709 $user_templates->set_file('regform', 'registrationform.thtml');
710 $user_templates->set_var( 'xhtml', XHTML );
711 $user_templates->set_var('site_url', $_CONF['site_url']);
712 $user_templates->set_var('site_admin_url', $_CONF['site_admin_url']);
713 $user_templates->set_var('layout_url', $_CONF['layout_url']);
714 $user_templates->set_var('start_block', COM_startBlock($LANG04[22]));
715 $user_templates->set_var('lang_instructions', $LANG04[23]);
716 $user_templates->set_var('lang_username', $LANG04[2]);
717 $user_templates->set_var('lang_email', $LANG04[5]);
718 $user_templates->set_var('lang_email_conf', $LANG04[124]);
719 $user_templates->set_var('lang_warning', $LANG04[24]);
720 $user_templates->set_var('lang_register', $LANG04[27]);
721 PLG_templateSetVars ('registration', $user_templates);
722 $user_templates->set_var('end_block', COM_endBlock());
725 if (!empty ($_POST['username'])) {
726 $username = COM_applyFilter ($_POST['username']);
728 $user_templates->set_var ('username', $username);
731 if (!empty ($_POST['email'])) {
732 $email = COM_applyFilter ($_POST['email']);
734 $user_templates->set_var ('email', $email);
737 if (!empty ($_POST['email_conf'])) {
738 $email_conf = COM_applyFilter ($_POST['email_conf']);
740 $user_templates->set_var ('email_conf', $email_conf);
743 $user_templates->parse('output', 'regform');
744 $retval .= $user_templates->finish($user_templates->get_var('output'));
750 * Shows the password retrieval form
752 * @return string HTML for form used to retrieve user's password
755 function getpasswordform()
757 global $_CONF, $LANG04;
761 $user_templates = new Template($_CONF['path_layout'] . 'users');
762 $user_templates->set_file('form', 'getpasswordform.thtml');
763 $user_templates->set_var( 'xhtml', XHTML );
764 $user_templates->set_var('site_url', $_CONF['site_url']);
765 $user_templates->set_var('site_admin_url', $_CONF['site_admin_url']);
766 $user_templates->set_var('layout_url', $_CONF['layout_url']);
767 $user_templates->set_var('start_block_forgetpassword', COM_startBlock($LANG04[25]));
768 $user_templates->set_var('lang_instructions', $LANG04[26]);
769 $user_templates->set_var('lang_username', $LANG04[2]);
770 $user_templates->set_var('lang_email', $LANG04[5]);
771 $user_templates->set_var('lang_emailpassword', $LANG04[28]);
772 $user_templates->set_var('end_block', COM_endBlock());
773 $user_templates->parse('output', 'form');
775 $retval .= $user_templates->finish($user_templates->get_var('output'));
781 * Account does not exist - show both the login and register forms
783 * @param string $msg message to display if one is needed
784 * @return string HTML for form
787 function defaultform($msg)
789 global $_CONF, $LANG04;
794 $retval .= COM_showMessageText($msg, $LANG04[21]);
797 $retval .= loginform(true);
799 if (! $_CONF['disable_new_user_registration']) {
800 $retval .= newuserform();
803 $retval .= getpasswordform();
809 * Display message after a login error
811 * @param int $msg message number for custom handler
812 * @param string $message_title title for the message box
813 * @param string $message_text text of the message box
814 * @return void function does not return!
817 function displayLoginErrorAndAbort($msg, $message_title, $message_text)
821 if ($_CONF['custom_registration'] &&
822 function_exists('CUSTOM_loginErrorHandler')) {
823 // Typically this will be used if you have a custom main site page
824 // and need to control the login process
825 CUSTOM_loginErrorHandler($msg);
827 $retval = COM_siteHeader('menu', $message_title)
828 . COM_startBlock($message_title, '',
829 COM_getBlockTemplate('_msg_block', 'header'))
831 . COM_endBlock(COM_getBlockTemplate('_msg_block', 'footer'))
834 header($_SERVER['SERVER_PROTOCOL'] . ' 403 Forbidden');
835 header('Status: 403 Forbidden');
845 if (isset ($_REQUEST['mode'])) {
846 $mode = $_REQUEST['mode'];
855 if (!empty ($_USER['uid']) AND $_USER['uid'] > 1) {
856 SESS_endUserSession ($_USER['uid']);
857 PLG_logoutUser ($_USER['uid']);
859 SEC_setCookie($_CONF['cookie_session'], '', time() - 10000);
860 SEC_setCookie($_CONF['cookie_password'], '', time() - 10000);
861 SEC_setCookie($_CONF['cookie_name'], '', time() - 10000);
862 $display = COM_refresh($_CONF['site_url'] . '/index.php?msg=8');
866 $uid = COM_applyFilter ($_GET['uid'], true);
867 if (is_numeric ($uid) && ($uid > 0)) {
869 if (isset($_GET['msg'])) {
870 $msg = COM_applyFilter($_GET['msg'], true);
873 if (($msg > 0) && isset($_GET['plugin'])) {
874 $plugin = COM_applyFilter($_GET['plugin']);
876 $display .= userprofile($uid, $msg, $plugin);
878 $display .= COM_refresh ($_CONF['site_url'] . '/index.php');
883 $username = COM_applyFilter ($_GET['username']);
884 if (!empty ($username)) {
885 $username = addslashes ($username);
886 $uid = DB_getItem ($_TABLES['users'], 'uid', "username = '$username'");
888 $display .= userprofile ($uid);
890 $display .= COM_refresh ($_CONF['site_url'] . '/index.php');
893 $display .= COM_refresh ($_CONF['site_url'] . '/index.php');
898 if ($_CONF['disable_new_user_registration']) {
899 $display .= COM_siteHeader ('menu', $LANG04[22]);
900 $display .= COM_startBlock ($LANG04[22], '',
901 COM_getBlockTemplate ('_msg_block', 'header'))
903 . COM_endBlock (COM_getBlockTemplate ('_msg_block', 'footer'));
904 $display .= COM_siteFooter ();
906 $email = COM_applyFilter ($_POST['email']);
907 $email_conf = COM_applyFilter ($_POST['email_conf']);
908 $display .= createuser(COM_applyFilter ($_POST['username']), $email, $email_conf);
913 $display .= COM_siteHeader ('menu', $LANG04[25]);
914 if ($_CONF['passwordspeedlimit'] == 0) {
915 $_CONF['passwordspeedlimit'] = 300; // 5 minutes
917 COM_clearSpeedlimit ($_CONF['passwordspeedlimit'], 'password');
918 $last = COM_checkSpeedlimit ('password');
920 $display .= COM_startBlock ($LANG12[26], '',
921 COM_getBlockTemplate ('_msg_block', 'header'))
922 . sprintf ($LANG04[93], $last, $_CONF['passwordspeedlimit'])
923 . COM_endBlock (COM_getBlockTemplate ('_msg_block', 'footer'));
925 $display .= getpasswordform ();
927 $display .= COM_siteFooter ();
931 $uid = COM_applyFilter ($_GET['uid'], true);
932 $reqid = COM_applyFilter ($_GET['rid']);
933 if (!empty ($uid) && is_numeric ($uid) && ($uid > 0) &&
934 !empty ($reqid) && (strlen ($reqid) == 16)) {
935 $valid = DB_count ($_TABLES['users'], array ('uid', 'pwrequestid'),
936 array ($uid, $reqid));
938 $display .= COM_siteHeader ('menu', $LANG04[92]);
939 $display .= newpasswordform ($uid, $reqid);
940 $display .= COM_siteFooter ();
941 } else { // request invalid or expired
942 $display .= COM_siteHeader ('menu', $LANG04[25]);
943 $display .= COM_showMessage (54);
944 $display .= getpasswordform ();
945 $display .= COM_siteFooter ();
948 // this request doesn't make sense - ignore it
949 $display = COM_refresh ($_CONF['site_url']);
// 'setnewpwd' (POST): the reset form came back with the new password.
// The branch header precedes this excerpt.
// The new password must be non-empty and match its confirmation. Two review points:
//  - `!=` is a loose comparison: two numeric strings are compared as numbers, so
//    "1e3" and "1000" (or "01" and "1") are accepted as "matching" — use `!==`.
//  - empty() also rejects the literal password "0".
954 if ( (empty ($_POST['passwd']))
955 or ($_POST['passwd'] != $_POST['passwd_conf']) ) {
// SECURITY(review): the raw $_POST['uid'] / $_POST['rid'] are concatenated into the
// redirect URL here, while the success path below only ever uses COM_applyFilter()ed
// copies. Build this URL from the filtered (and urlencode()d) values so untrusted
// bytes never reach the refresh target, e.g.
//   '/users.php?mode=newpwd&uid=' . COM_applyFilter($_POST['uid'], true)
//   . '&rid=' . urlencode(COM_applyFilter($_POST['rid']))
956 $display = COM_refresh ($_CONF['site_url']
957 . '/users.php?mode=newpwd&uid=' . $_POST['uid']
958 . '&rid=' . $_POST['rid']);
// (the `} else {` between the two paths is not shown)
960 $uid = COM_applyFilter ($_POST['uid'], true);
961 $reqid = COM_applyFilter ($_POST['rid']);
962 if (!empty ($uid) && is_numeric ($uid) && ($uid > 0) &&
963 !empty ($reqid) && (strlen ($reqid) == 16)) {
// Same match-only token check as the GET path: no expiry is enforced in these lines.
964 $valid = DB_count ($_TABLES['users'], array ('uid', 'pwrequestid'),
965 array ($uid, $reqid));
// (the `if ($valid ...)` guard is not shown.) SEC_encryptPassword() is defined
// elsewhere — confirm it is a salted, slow password hash, not a bare digest.
967 $passwd = SEC_encryptPassword($_POST['passwd']);
// This statement continues on a line not included in the excerpt (the uid WHERE clause).
968 DB_change ($_TABLES['users'], 'passwd', "$passwd",
// Revoke every existing session for the account, then burn the one-time token so the
// e-mailed link cannot be replayed (this DB_change also continues off-excerpt).
970 DB_delete ($_TABLES['sessions'], 'uid', $uid);
971 DB_change ($_TABLES['users'], 'pwrequestid', "NULL",
973 $display = COM_refresh ($_CONF['site_url'] . '/users.php?msg=53');
// Same uniform failure message as the GET path (see note there).
974 } else { // request invalid or expired
975 $display .= COM_siteHeader ('menu', $LANG04[25]);
976 $display .= COM_showMessage (54);
977 $display .= getpasswordform ();
978 $display .= COM_siteFooter ();
// Malformed or missing uid/rid: silently bounce to the front page.
981 // this request doesn't make sense - ignore it
982 $display = COM_refresh ($_CONF['site_url']);
// 'getpassword' (POST): resolve the account a reset link should be sent to.
// The branch header precedes this excerpt.
// Default throttle of one request per 5 minutes when the setting is 0.
988 if ($_CONF['passwordspeedlimit'] == 0) {
989 $_CONF['passwordspeedlimit'] = 300; // 5 minutes
991 COM_clearSpeedlimit ($_CONF['passwordspeedlimit'], 'password');
992 $last = COM_checkSpeedlimit ('password');
// Throttled: show the "try again later" block instead of processing the request
// (the condition on $last that selects this path is not shown).
994 $display .= COM_siteHeader ('menu', $LANG12[26])
995 . COM_startBlock ($LANG12[26], '',
996 COM_getBlockTemplate ('_msg_block', 'header'))
997 . sprintf ($LANG04[93], $last, $_CONF['passwordspeedlimit'])
998 . COM_endBlock (COM_getBlockTemplate ('_msg_block', 'footer'))
// Not throttled: accept either a username or an e-mail address.
1001 $username = COM_applyFilter ($_POST['username']);
1002 $email = COM_applyFilter ($_POST['email']);
1003 if (empty ($username) && !empty ($email)) {
// SECURITY(review): $email is interpolated straight into the WHERE clause. Whether
// COM_applyFilter() neutralises SQL metacharacters is not visible from here, so run
// it through the DB layer's string escaper (or a parameterised lookup) before
// building this query. The remoteservice clause limits the match to locally
// authenticated accounts.
1004 $username = DB_getItem ($_TABLES['users'], 'username',
1005 "email = '$email' AND ((remoteservice IS NULL) OR (remoteservice = ''))");
// A resolved username gets the request page; anything else is bounced back to the
// form. NOTE(review): the two responses differ, so a caller can tell whether an
// e-mail address belongs to an account — consider rendering the same page in both
// cases (unless requestpassword() already does so).
1007 if (!empty ($username)) {
1008 $display .= requestpassword($username);
1010 $display = COM_refresh ($_CONF['site_url']
1011 . '/users.php?mode=getpassword');
// 'new' mode: the registration form. The branch header precedes this excerpt.
1017 $display .= COM_siteHeader ('menu', $LANG04[22]);
// Registration switched off: show the notice block instead of a form (the block's
// message line is not shown).
1018 if ($_CONF['disable_new_user_registration']) {
1019 $display .= COM_startBlock ($LANG04[22], '',
1020 COM_getBlockTemplate ('_msg_block', 'header'))
1022 . COM_endBlock (COM_getBlockTemplate ('_msg_block', 'footer'));
1024 // Call custom registration and account record create function
1025 // if enabled and exists
1026 if ($_CONF['custom_registration'] AND (function_exists('CUSTOM_userForm'))) {
1027 $display .= CUSTOM_userForm();
// Default form when no custom hook is installed (the `} else {` is not shown).
1029 $display .= newuserform();
1032 $display .= COM_siteFooter();
// Default mode: process a login attempt (form POST or OpenID round-trip).
// The enclosing `else` of the mode dispatch precedes this excerpt.
1037 // prevent dictionary attacks on passwords
// Expire old 'login' throttle entries, then refuse outright once this client has
// exceeded login_attempts within login_speedlimit seconds.
1038 COM_clearSpeedlimit($_CONF['login_speedlimit'], 'login');
1039 if (COM_checkSpeedlimit('login', $_CONF['login_attempts']) > 0) {
// displayLoginErrorAndAbort() is defined elsewhere; its name suggests it ends the
// request — confirm, since the code below otherwise continues.
1040 displayLoginErrorAndAbort(82, $LANG12[26], $LANG04[112]);
1044 if (isset ($_POST['loginname'])) {
1045 $loginname = COM_applyFilter ($_POST['loginname']);
// The password is deliberately NOT run through COM_applyFilter: it is only ever
// hashed/compared, never echoed, and filtering would alter the credential.
1048 if (isset ($_POST['passwd'])) {
1049 $passwd = $_POST['passwd'];
1052 if (isset ($_POST['service'])) {
1053 $service = COM_applyFilter($_POST['service']);
// Local account login (no service selected). empty() also treats the password "0"
// as missing.
1056 if (!empty($loginname) && !empty($passwd) && empty($service)) {
1057 if (empty($service) && $_CONF['user_login_method']['standard']) {
// $uid is presumably filled in by reference (it is used as the logged-in uid
// further down); $status is compared to USER_ACCOUNT_ACTIVE there.
1058 $status = SEC_authenticate($loginname, $passwd, $uid);
// Remote (distributed) authentication, only when new users need no approval queue.
1063 } elseif (( $_CONF['usersubmission'] == 0) && $_CONF['user_login_method']['3rdparty'] && ($service != '')) {
1064 /* Distributed Authentication */
1065 //pass $loginname by ref so we can change it ;-)
1066 $status = SEC_remoteAuthentication($loginname, $passwd, $service, $uid);
// OpenID: enabled, no submission queue, registration open, and openid_login=1 in
// the query string.
1068 } elseif ($_CONF['user_login_method']['openid'] &&
1069 ($_CONF['usersubmission'] == 0) &&
1070 !$_CONF['disable_new_user_registration'] &&
1071 (isset($_GET['openid_login']) && ($_GET['openid_login'] == '1'))) {
1072 // Here we go with the handling of OpenID authentication.
// Merge both sources; for a key present in both, the POST value wins.
1074 $query = array_merge($_GET, $_POST);
// Step 1: a fresh identity URL was submitted ('http://' alone, presumably the form's
// placeholder, counts as no URL).
1076 if (isset($query['identity_url']) &&
1077 ($query['identity_url'] != 'http://')) {
// Per-identity throttle bucket keyed by crc32 of the URL. crc32 is fine for a
// rate-limit bucket but is not collision resistant — never use it as identity.
// (The checkSpeedlimit call below is cut off: its closing arguments are not shown.)
1078 $property = sprintf('%x', crc32($query['identity_url']));
1079 COM_clearSpeedlimit($_CONF['login_speedlimit'], 'openid');
1080 if (COM_checkSpeedlimit('openid', $_CONF['login_attempts'],
1082 displayLoginErrorAndAbort(82, $LANG12[26], $LANG04[112]);
1086 require_once $_CONF['path_system'] . 'classes/openidhelper.class.php';
1088 $consumer = new SimpleConsumer();
1089 $handler = new SimpleActionHandler($query, $consumer);
1091 if (isset($query['identity_url']) && $query['identity_url'] != 'http://') {
// The identity URL is untrusted input handed to find_identity_info(), which
// presumably fetches it (OpenID discovery) — an SSRF surface; confirm the helper
// restricts schemes and destination hosts.
1092 $identity_url = $query['identity_url'];
1093 $ret = $consumer->find_identity_info($identity_url);
// Discovery failed (the condition on $ret is not shown): count it against both the
// global and the per-identity throttle, log, and bounce with msg 89.
// NOTE(review): $identity_url is logged verbatim; strip control characters first so
// a crafted URL cannot forge log lines.
1095 COM_updateSpeedlimit('login');
1096 $property = sprintf('%x', crc32($query['identity_url']));
1097 COM_updateSpeedlimit('openid', $property);
1098 COM_errorLog('Unable to find an OpenID server for the identity URL ' . $identity_url);
1099 echo COM_refresh($_CONF['site_url'] . '/users.php?msg=89');
1102 // Found identity server info.
1103 list($identity_url, $server_id, $server_url) = $ret;
1105 // Redirect the user-agent to the OpenID server
1106 // which we are requesting information from.
// return_to and the trust root are both derived from site_url, not from the request.
// NOTE(review): no exit/return follows this header() in the visible lines; confirm
// the script stops here, otherwise the rest of the page is still generated.
1107 header('Location: ' . $consumer->handle_request(
1108 $server_id, $server_url,
1109 oidUtil::append_args($_CONF['site_url'] . '/users.php',
1110 array('openid_login' => '1',
1111 'open_id' => $identity_url)), // Return to.
1112 $_CONF['site_url'], // Trust root.
1114 "email,nickname,fullname")); // Required fields.
// Step 2: the provider sent the user back with an openid.mode response.
1117 } elseif (isset($query['openid.mode']) || isset($query['openid_mode'])) {
1119 if (isset($query['openid.mode'])) {
1120 $openid_mode = $query['openid.mode'];
1121 } else if(isset($query['openid_mode'])) {
1122 $openid_mode = $query['openid_mode'];
// User cancelled at the provider: counts as a failed login attempt.
1124 if ($openid_mode == 'cancel') {
1125 COM_updateSpeedlimit('login');
1126 echo COM_refresh($_CONF['site_url'] . '/users.php?msg=90');
// Otherwise verify the assertion; doAction() drives the handler with the outcome.
1129 $openid = $handler->getOpenID();
1130 $req = new ConsumerRequest($openid, $query, 'GET');
1131 $response = $consumer->handle_response($req);
1132 $response->doAction($handler);
// Neither a new identity URL nor a provider response: treat as a failed attempt.
1135 COM_updateSpeedlimit('login');
1136 echo COM_refresh($_CONF['site_url'] . '/users.php?msg=91');
// Successful authentication: establish the session and cookies, then redirect.
// (The if/else structure enclosing this continues past the excerpt.)
1143 if ($status == USER_ACCOUNT_ACTIVE) { // logged in AOK.
// A successful login invalidates any outstanding password-reset token.
1144 DB_change($_TABLES['users'],'pwrequestid',"NULL",'uid',$uid);
// Whether this call also populates $_USER (read on the next lines) is not visible here.
1145 $userdata = SESS_getUserDataFromId($uid);
// A new session id is issued on login (assuming SESS_newSession generates one),
// which is what defeats session fixation; cookie_ip optionally pins it to REMOTE_ADDR.
1147 $sessid = SESS_newSession($_USER['uid'], $_SERVER['REMOTE_ADDR'], $_CONF['session_cookie_timeout'], $_CONF['cookie_ip']);
1148 SESS_setSessionCookie($sessid, $_CONF['session_cookie_timeout'], $_CONF['cookie_session'], $_CONF['cookie_path'], $_CONF['cookiedomain'], $_CONF['cookiesecure']);
1149 PLG_loginUser ($_USER['uid']);
1151 // Now that we handled session cookies, handle longterm cookie
// NOTE(review): this tests the literal cookie name 'password', but the cookie is set
// below under $_CONF['cookie_password']. If the two names differ, the isset() is
// always false and the "cookie already present" branch is never reached — use the
// config key here as well.
1152 if (!isset($_COOKIE[$_CONF['cookie_name']]) || !isset($_COOKIE['password'])) {
1153 // Either their cookie expired or they are new
1154 $cooktime = COM_getUserCookieTimeout();
// Debug-level (level 1) log lines below — make sure they are not enabled in production.
1156 COM_errorLog("Trying to set permanent cookie with time of $cooktime",1);
1158 if ($cooktime > 0) {
1159 // They want their cookie to persist for some amount of time so set it now
1161 COM_errorLog('Trying to set permanent cookie',1);
1163 SEC_setCookie($_CONF['cookie_name'], $_USER['uid'],
1164 time() + $cooktime);
// SECURITY(review): the "remember me" cookie carries SEC_encryptPassword($passwd),
// i.e. the stored password hash, as a bearer credential. Anyone who obtains the
// cookie (shared machine, cookie theft) stays logged in until the password changes,
// and the value is an offline-cracking target. Prefer a random per-device token
// (random_bytes) stored hashed server-side so it can be revoked, and send it with
// the HttpOnly flag.
1165 SEC_setCookie($_CONF['cookie_password'],
1166 SEC_encryptPassword($passwd), time() + $cooktime);
// Persistent cookie already present: re-derive the user from the cookie's uid.
// NOTE(review): this uid comes from the cookie, not from the $uid that just
// authenticated, and nothing in the visible lines compares the two before
// SESS_getUserDataFromId() is called with it.
1169 $userid = $_COOKIE[$_CONF['cookie_name']];
1170 if (empty ($userid) || ($userid == 'deleted')) {
1173 $userid = COM_applyFilter ($userid, true);
1176 COM_errorLog ('NOW trying to set permanent cookie',1);
1177 COM_errorLog ('Got '.$userid.' from perm cookie in users.php',1);
1179 // Create new session
1180 $userdata = SESS_getUserDataFromId ($userid);
1183 COM_errorLog ('Got '.$_USER['username'].' for the username in user.php',1);
1189 // Now that we have users data see if their theme cookie is set.
// Six-argument setcookie(): no HttpOnly flag. Low value for a theme name, but check
// that SESS_setSessionCookie()/SEC_setCookie() do not follow the same pattern.
1191 if (! empty($_USER['theme'])) {
1192 setcookie($_CONF['cookie_theme'], $_USER['theme'],
1193 time() + 31536000, $_CONF['cookie_path'],
1194 $_CONF['cookiedomain'], $_CONF['cookiesecure']);
// Post-login redirect back to the referring page.
// SECURITY(review): the site_url test is a bare string prefix. With site_url
// 'http://example.com', a Referer of 'http://example.com.evil.net/x' passes every
// check here and the browser is refreshed to the attacker's host (open redirect).
// Compare against $_CONF['site_url'] . '/' — e.g.
//   (strpos($_SERVER['HTTP_REFERER'], $_CONF['site_url'] . '/') === 0)
// — or parse and compare the host, and remember the Referer is request-controlled
// input all the way into COM_refresh().
1197 if (!empty($_SERVER['HTTP_REFERER'])
1198 && (strstr($_SERVER['HTTP_REFERER'], '/users.php') === false)
1199 && (substr($_SERVER['HTTP_REFERER'], 0,
1200 strlen($_CONF['site_url'])) == $_CONF['site_url'])) {
// A referer of index.php?msg=... would re-show a stale message: go to a clean index.php.
1201 $indexMsg = $_CONF['site_url'] . '/index.php?msg=';
1202 if (substr ($_SERVER['HTTP_REFERER'], 0, strlen ($indexMsg)) == $indexMsg) {
1203 $display .= COM_refresh ($_CONF['site_url'] . '/index.php');
1205 // If user is trying to login - force redirect to index.php
1206 if (strstr ($_SERVER['HTTP_REFERER'], 'mode=login') === false) {
1207 $display .= COM_refresh ($_SERVER['HTTP_REFERER']);
1209 $display .= COM_refresh ($_CONF['site_url'] . '/index.php');
// No usable referer: front page.
1213 $display .= COM_refresh ($_CONF['site_url'] . '/index.php');
// Failed (or no) login attempt: record it, then render messages and the login form.
// (The `} else {` pairing this with the success branch is not shown.)
1216 // On failed login attempt, update speed limit
// Only count it when credentials were actually submitted, so a plain visit to the
// page does not consume an attempt.
1217 if (!empty($loginname) || !empty($passwd) || !empty($service)) {
1218 COM_updateSpeedlimit('login');
1221 $display .= COM_siteHeader('menu');
// msg is filtered with the numeric flag before it selects a message (the else that
// defaults $msg when it is absent is not shown).
1223 if (isset ($_REQUEST['msg'])) {
1224 $msg = COM_applyFilter ($_REQUEST['msg'], true);
1229 $display .= COM_showMessage($msg);
1234 // Got bad account info from registration process, show error
1235 // message and display form again
1236 if ($_CONF['custom_registration'] AND (function_exists('CUSTOM_userForm'))) {
1237 $display .= CUSTOM_userForm ();
1239 $display .= newuserform ();
1243 // check to see if this was the last allowed attempt
// The attempt counted above may have been the last one: abort with the lock-out
// message instead of offering the form again.
1244 if (COM_checkSpeedlimit('login', $_CONF['login_attempts']) > 0) {
1245 displayLoginErrorAndAbort(82, $LANG04[113], $LANG04[112]);
1246 } else { // Show login form
// Messages 69 and 70 get no form (their meaning lives in the language file, not here).
1247 if(($msg != 69) && ($msg != 70)) {
// A site may take over the login error UI through this hook; otherwise the default
// form is rendered with $status (presumably so it can explain the failure).
1248 if ($_CONF['custom_registration'] AND function_exists('CUSTOM_loginErrorHandler')) {
1249 // Typically this will be used if you have a custom main site page and need to control the login process
1250 $display .= CUSTOM_loginErrorHandler($msg);
1252 $display .= loginform(false, $status);
1259 $display .= COM_siteFooter();
// Single output point for every branch above.
1264 COM_output($display);