arman/science-ation
1
1
Fork 0
forked from science-ation/science-ation
Code Pull Requests Activity
science-ation/user_login.php

389 lines
12 KiB
PHP
Raw Normal View History

- New user and volunteer signup system
2007-11-16 06:30:42 +00:00
<?
/*
This file is part of the 'Science Fair In A Box' project
SFIAB Website: http://www.sfiab.ca
Copyright (C) 2005 Sci-Tech Ontario Inc <info@scitechontario.org>
Copyright (C) 2005 James Grant <james@lightbox.org>
Copyright (C) 2007 David Grant <dave@lightbox.org>
This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public
License as published by the Free Software Foundation, version 2.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; see the file COPYING. If not, write to
the Free Software Foundation, Inc., 59 Temple Place - Suite 330,
Boston, MA 02111-1307, USA.
*/
?>
<?
require_once("common.inc.php");
require_once("user.inc.php");
- Fix multirole creation. If a user tries to create an account, and they already exist, they will be guided through the process of adding a role to their existing account. - Do a database update, and merge anyone who has managed to create 2 accounts into a single account. - Still testing this, but it seems to be working
2007-12-12 03:01:44 +00:00
function try_login($user, $pass)
- New user and volunteer signup system
2007-11-16 06:30:42 +00:00
{
/* Ensure sanity of inputs, user should be an email address, but it's stored
* in the username field */
- Fix multirole creation. If a user tries to create an account, and they already exist, they will be guided through the process of adding a role to their existing account. - Do a database update, and merge anyone who has managed to create 2 accounts into a single account. - Still testing this, but it seems to be working
2007-12-12 03:01:44 +00:00
/* FIXME: this shoudl be user_valid_email, but can't be yet, because
* we copy the usernames from the email field, and that field may
* contain a name too */
Cannot check for valid password when authenticating, because people might have passwords that dont match the "new" requirements Also simplify some of the code (why bother assigning temp vars just to compare?)
2007-11-19 21:28:15 +00:00
if(!isEmailAddress($user)) {
- New user and volunteer signup system
2007-11-16 06:30:42 +00:00
/* It's possible that it's a username */
Cannot check for valid password when authenticating, because people might have passwords that dont match the "new" requirements Also simplify some of the code (why bother assigning temp vars just to compare?)
2007-11-19 21:28:15 +00:00
if(!user_valid_user($user)) return false;
- New user and volunteer signup system
2007-11-16 06:30:42 +00:00
}
Cannot check for valid password when authenticating, because people might have passwords that dont match the "new" requirements Also simplify some of the code (why bother assigning temp vars just to compare?)
2007-11-19 21:28:15 +00:00
//we cannot check for a valid_password here, because converted users dont enforce password length of 6 which user_valid_password does.
//all we can do is check if its a length >0
//$x = user_valid_password($pass);
if(!strlen($pass))
return false;
- New user and volunteer signup system
2007-11-16 06:30:42 +00:00
- Fix multirole creation. If a user tries to create an account, and they already exist, they will be guided through the process of adding a role to their existing account. - Do a database update, and merge anyone who has managed to create 2 accounts into a single account. - Still testing this, but it seems to be working
2007-12-12 03:01:44 +00:00
$user = mysql_escape_string($user);
- New user and volunteer signup system
2007-11-16 06:30:42 +00:00
$q = mysql_query("SELECT id,username,password
FROM users
WHERE username='$user'
AND deleted='no'");
echo mysql_error();
if(mysql_num_rows($q) != 1) return false;
/* Ok.. see if the passwd matches */
$r = mysql_fetch_object($q);
if($r->password != $pass) return false;
/* Login successful */
return $r->id;
}
/* If there is no session, accept a type from the URL, else,
* if there is a session, always take the session's type. The idea is
* eventually, you'll never be able to see a login page if you're already
* logged in. */
$type = false;
if(isset($_SESSION['users_type'])) {
- Don't let the user see the login page if they're already login, instead, provide them with a message indicating how to logout.
2007-11-16 08:00:40 +00:00
/* They're already logged in */
- New user and volunteer signup system
2007-11-16 06:30:42 +00:00
$type = $_SESSION['users_type'];
- Don't let the user see the login page if they're already login, instead, provide them with a message indicating how to logout.
2007-11-16 08:00:40 +00:00
/* If they're not trying to logout, don't let them see the login page */
if($_GET['action'] != 'logout') {
header("location: {$type}_main.php?notice=already_logged_in");
exit;
}
- New user and volunteer signup system
2007-11-16 06:30:42 +00:00
} else {
$type = $_GET['type'];
/* user_types is in user.inc.php */
if(!in_array($type, $user_types)) $type = false;
}
$notice=$_GET['notice'];
- Fix multirole creation. If a user tries to create an account, and they already exist, they will be guided through the process of adding a role to their existing account. - Do a database update, and merge anyone who has managed to create 2 accounts into a single account. - Still testing this, but it seems to be working
2007-12-12 03:01:44 +00:00
$redirect = $_GET['redirect'];
$redirect_data = $_GET['redirectdata'];
switch($redirect) {
case 'roleadd':
$redirect_url = "&redirect=$redirect&redirectdata=$redirectdata";
break;
case 'roleattached':
$redirect_url = "&redirect=$redirect";
break;
default:
$redirect_url = '';
break;
}
- New user and volunteer signup system
2007-11-16 06:30:42 +00:00
switch($type) {
case 'volunteer':
// returns "notopenyet", "closed", or "open"
$reg_open = user_volunteer_registration_status();
break;
case 'committee':
$reg_open = 'notpermitted';
break;
case 'judge':
- Quick hack, disable all the user_login.php login types, except volunteer, until we move over the otehr types
2007-11-16 08:02:47 +00:00
exit;
- New user and volunteer signup system
2007-11-16 06:30:42 +00:00
$reg_open = user_judge_registration_status();
break;
case 'student':
default:
- Quick hack, disable all the user_login.php login types, except volunteer, until we move over the otehr types
2007-11-16 08:02:47 +00:00
exit;
- New user and volunteer signup system
2007-11-16 06:30:42 +00:00
$reg_open = 'closed';
break;
}
if($_POST['action']=="login" )
{
if($_POST['pass'] && $_POST['user'])
{
- Fix multirole creation. If a user tries to create an account, and they already exist, they will be guided through the process of adding a role to their existing account. - Do a database update, and merge anyone who has managed to create 2 accounts into a single account. - Still testing this, but it seems to be working
2007-12-12 03:01:44 +00:00
$id = try_login($_POST['user'], $_POST['pass']);
- New user and volunteer signup system
2007-11-16 06:30:42 +00:00
if($id == false) {
- Fix multirole creation. If a user tries to create an account, and they already exist, they will be guided through the process of adding a role to their existing account. - Do a database update, and merge anyone who has managed to create 2 accounts into a single account. - Still testing this, but it seems to be working
2007-12-12 03:01:44 +00:00
header("location: user_login.php?type=$type&notice=login_failed$redirect_url");
- New user and volunteer signup system
2007-11-16 06:30:42 +00:00
exit;
} else {
$u = user_load($id);
- Fix login check for an expired password - Allow user_personal.php to handle committee members - Add password field if the editer in user_personal has access_super - Allow a committee member to edit anyone in user_personal.php - Convert auth_required to user_auth_required, and check for both a user type and an access level (if committee) - Convert the committee to the new user system (BIG change :) - Remove the ^M from admin/committees.php
2007-11-17 21:59:59 +00:00
/* Make sure $type is in their types */
if(!in_array($type, $u['types'])) {
/* Huh, someone is fudging with the HTML, get
* out before touching the session */
header("location: index.php");
exit;
}
- New user and volunteer signup system
2007-11-16 06:30:42 +00:00
$_SESSION['name']="{$u['firstname']} {$u['lastname']}";
$_SESSION['username']=$u['username'];
$_SESSION['email']=$u['email'];
$_SESSION['users_id']=$u['id'];
- Fix login check for an expired password - Allow user_personal.php to handle committee members - Add password field if the editer in user_personal has access_super - Allow a committee member to edit anyone in user_personal.php - Convert auth_required to user_auth_required, and check for both a user type and an access level (if committee) - Convert the committee to the new user system (BIG change :) - Remove the ^M from admin/committees.php
2007-11-17 21:59:59 +00:00
$_SESSION['users_type']=$type;
- New user and volunteer signup system
2007-11-16 06:30:42 +00:00
/* Check for an expired password */
- Fix login check for an expired password - Allow user_personal.php to handle committee members - Add password field if the editer in user_personal has access_super - Allow a committee member to edit anyone in user_personal.php - Convert auth_required to user_auth_required, and check for both a user type and an access level (if committee) - Convert the committee to the new user system (BIG change :) - Remove the ^M from admin/committees.php
2007-11-17 21:59:59 +00:00
if($u['passwordexpiry'] == NULL) {
unset($_SESSION['password_expired']);
} else {
$now = date('Y-m-d H:i:s');
if($now > $u['passwordexpiry']) {
$_SESSION['password_expired'] = true;
/* The main page (or any other user page) will catch this now and
* require them to set a password */
}
- New user and volunteer signup system
2007-11-16 06:30:42 +00:00
}
- Fix login check for an expired password - Allow user_personal.php to handle committee members - Add password field if the editer in user_personal has access_super - Allow a committee member to edit anyone in user_personal.php - Convert auth_required to user_auth_required, and check for both a user type and an access level (if committee) - Convert the committee to the new user system (BIG change :) - Remove the ^M from admin/committees.php
2007-11-17 21:59:59 +00:00
/* Call login functions for each type, so multirole
* users can easily switch */
foreach($u['types'] as $t) {
if(is_callable("user_{$t}_login")) {
call_user_func_array("user_{$t}_login", array($u));
}
}
- New user and volunteer signup system
2007-11-16 06:30:42 +00:00
mysql_query("UPDATE users SET lastlogin=NOW()
WHERE id={$u['id']}");
- Fix login check for an expired password - Allow user_personal.php to handle committee members - Add password field if the editer in user_personal has access_super - Allow a committee member to edit anyone in user_personal.php - Convert auth_required to user_auth_required, and check for both a user type and an access level (if committee) - Convert the committee to the new user system (BIG change :) - Remove the ^M from admin/committees.php
2007-11-17 21:59:59 +00:00
/* Setup multirole so a multirole user can switch if they want to
* without logging in/out */
- Fix a bug in multirole
2007-11-19 17:11:47 +00:00
if(count($u['types']) > 1) {
- New user and volunteer signup system
2007-11-16 06:30:42 +00:00
$_SESSION['multirole'] = true;
} else {
$_SESSION['multirole'] = false;
}
- Fix multirole creation. If a user tries to create an account, and they already exist, they will be guided through the process of adding a role to their existing account. - Do a database update, and merge anyone who has managed to create 2 accounts into a single account. - Still testing this, but it seems to be working
2007-12-12 03:01:44 +00:00
/* See if there is a redirect, and do that instead of
* taking them to their main page */
if($redirect != '') {
switch($redirect) {
case 'roleadd':
if(!in_array($multirole_data, $user_types))
$multirole_data = '';
header("location: user_multirole.php?action=add&type=$multirole_data");
exit;
case 'roleattached':
header("location: {$type}_main.php?notice=attached");
exit;
}
}
- Fix login check for an expired password - Allow user_personal.php to handle committee members - Add password field if the editer in user_personal has access_super - Allow a committee member to edit anyone in user_personal.php - Convert auth_required to user_auth_required, and check for both a user type and an access level (if committee) - Convert the committee to the new user system (BIG change :) - Remove the ^M from admin/committees.php
2007-11-17 21:59:59 +00:00
/* Now finally, take them to whatever main page they logged in for */
header("location: {$type}_main.php");
- New user and volunteer signup system
2007-11-16 06:30:42 +00:00
exit;
}
}
header("location: user_login.php?type=$type&notice=login_failed");
exit;
}
else if($_GET['action']=="logout")
{
/* Do these explicitly because i'm paranoid */
unset($_SESSION['name']);
unset($_SESSION['username']);
unset($_SESSION['email']);
unset($_SESSION['users_id']);
unset($_SESSION['users_type']);
/* Take care of anything else */
$keys = array_keys($_SESSION);
foreach($keys as $k) unset($_SESSION[$k]);
- Fix multirole creation. If a user tries to create an account, and they already exist, they will be guided through the process of adding a role to their existing account. - Do a database update, and merge anyone who has managed to create 2 accounts into a single account. - Still testing this, but it seems to be working
2007-12-12 03:01:44 +00:00
if($notice != 'login_multirole') $notice = 'logged_out';
- Fix login check for an expired password - Allow user_personal.php to handle committee members - Add password field if the editer in user_personal has access_super - Allow a committee member to edit anyone in user_personal.php - Convert auth_required to user_auth_required, and check for both a user type and an access level (if committee) - Convert the committee to the new user system (BIG change :) - Remove the ^M from admin/committees.php
2007-11-17 21:59:59 +00:00
if($type != '')
- Fix multirole creation. If a user tries to create an account, and they already exist, they will be guided through the process of adding a role to their existing account. - Do a database update, and merge anyone who has managed to create 2 accounts into a single account. - Still testing this, but it seems to be working
2007-12-12 03:01:44 +00:00
header("location: user_login.php?type=$type&notice=$notice$redirect_url");
- New user and volunteer signup system
2007-11-16 06:30:42 +00:00
exit;
}
else if($_GET['action']=="recover")
{
send_header("{$user_what[$type]} - Password Recovery",
array("{$user_what[$type]} Login" => "user_login.php?type=$type"));
$recover_link = "user_login.php?type=$type&action=recover";
?>
<br />
<?=i18n('Password recovery will reset your password to a new random password, and then email you that password. Enter your name and email address below, then click on the \'Reset\' button. The name and email must exactly match the ones you used to register. Sometimes the email takes a few minutes to send so be patient.')?><br />
<br />
<form method="post" action="user_login.php?type=<?=$type?>">
<input type="hidden" name="action" value="recoverconfirm" />
<table>
<tr><td>
<?=i18n("First Name")?>:</td><td><input type="text" size="20" name="fn" />
</td></tr>
<tr><td>
<?=i18n("Last Name")?>:</td><td><input type="text" size="20" name="ln" />
</td></tr>
<tr><td>
<?=i18n("Email")?>:</td><td><input type="text" size="20" name="email" />
</td></tr>
<tr><td colspan="2">
<input type="submit" value="<?=i18n("Reset my password")?>" />
</td></tr></table>
<br />
</form>
<br />
<div style="font-size: 0.75em;">
<?=i18n('If you didn\'t register using an email address and you have lost your password, please contact the committee to have your password reset.')?></div><br />
<?
}
else if($_POST['action'] == "recoverconfirm")
{
/* Process a recover */
$email = $_POST['email'];
- Fix multirole creation. If a user tries to create an account, and they already exist, they will be guided through the process of adding a role to their existing account. - Do a database update, and merge anyone who has managed to create 2 accounts into a single account. - Still testing this, but it seems to be working
2007-12-12 03:01:44 +00:00
if(user_valid_email($email)) {
- New user and volunteer signup system
2007-11-16 06:30:42 +00:00
/* valid email address */
- Fix multirole creation. If a user tries to create an account, and they already exist, they will be guided through the process of adding a role to their existing account. - Do a database update, and merge anyone who has managed to create 2 accounts into a single account. - Still testing this, but it seems to be working
2007-12-12 03:01:44 +00:00
$e = mysql_escape_string($email);
$q=mysql_query("SELECT * FROM users WHERE email='$e'");
- New user and volunteer signup system
2007-11-16 06:30:42 +00:00
$r=mysql_fetch_object($q);
if($r) {
$fn = trim($_POST['fn']);
$ln = trim($_POST['ln']);
/* Check name match */
if(strcasecmp($r->firstname, $fn)!=0 || strcasecmp($r->lastname, $ln)!=0) {
header("Location: user_login.php?type=$type&notice=recover_name_error");
exit;
}
$password = '';
$pchars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
for($x=0;$x<12;$x++) $password .= $pchars{rand(0,61)};
- Fix login check for an expired password - Allow user_personal.php to handle committee members - Add password field if the editer in user_personal has access_super - Allow a committee member to edit anyone in user_personal.php - Convert auth_required to user_auth_required, and check for both a user type and an access level (if committee) - Convert the committee to the new user system (BIG change :) - Remove the ^M from admin/committees.php
2007-11-17 21:59:59 +00:00
/* Save their old password so it can be recovered if someone is just trying
* to reset someones password */
mysql_query("UPDATE users SET oldpassword=password WHERE id={$r->id}");
/* Set the new password, and force it to expire */
- New user and volunteer signup system
2007-11-16 06:30:42 +00:00
mysql_query("UPDATE users SET password='$password',passwordexpiry='0000-00-00' WHERE id={$r->id}");
/* volunteer_recover_password, judge_recover_password, student_recover_password,
committee_recover_password */
email_send("{$type}_recover_password",
$email,
array("FAIRNAME"=>i18n($config['fairname'])),
array( "PASSWORD"=>$password,
"EMAIL"=>$email)
);
- Fix login check for an expired password - Allow user_personal.php to handle committee members - Add password field if the editer in user_personal has access_super - Allow a committee member to edit anyone in user_personal.php - Convert auth_required to user_auth_required, and check for both a user type and an access level (if committee) - Convert the committee to the new user system (BIG change :) - Remove the ^M from admin/committees.php
2007-11-17 21:59:59 +00:00
- New user and volunteer signup system
2007-11-16 06:30:42 +00:00
header("Location: user_login.php?type=$type&notice=recover_sent");
exit;
} else {
header("Location: user_login.php?type=$type&notice=recover_email_error");
exit;
}
}
header("Location: user_login.php?type=$type&notice=email_error");
exit;
}
else
{
send_header("{$user_what[$type]} - Login", array());
switch($notice) {
case 'created_sent':
echo happy(i18n("Your new password has been sent to your email address. Please check your email and use the password to login"));
break;
case 'recover_sent':
echo notice(i18n("Your password has been sent to your email address"));
break;
case 'recover_email_error':
echo error(i18n("Could not find your email address for recovery"));
break;
case 'recover_name_error':
echo error(i18n("The name you entered does not match the one in your account"));
break;
case 'email_error':
echo error(i18n("Email address error"));
break;
case 'login_failed':
echo error(i18n("Invalid Email/Password"));
break;
case 'auth_required':
echo error(i18n("You must login to view that page"));
break;
case 'logged_out':
echo notice(i18n("You have been successfully logged out"));
break;
- Fix multirole creation. If a user tries to create an account, and they already exist, they will be guided through the process of adding a role to their existing account. - Do a database update, and merge anyone who has managed to create 2 accounts into a single account. - Still testing this, but it seems to be working
2007-12-12 03:01:44 +00:00
case 'login_multirole':
echo notice(i18n("You have been successfully logged out"));
echo notice(i18n("Now login to finish adding the new role to your account"));
break;
case 'multirole':
echo notice(i18n("Your email address already exists. Please login to your existing account below and you will be redirected to the multi-role creation page to complete your registration request."));
break;
- New user and volunteer signup system
2007-11-16 06:30:42 +00:00
}
$recover_link = "user_login.php?type=$type&action=recover";
$new_link = "user_new.php?type=$type";
?>
- Fix multirole creation. If a user tries to create an account, and they already exist, they will be guided through the process of adding a role to their existing account. - Do a database update, and merge anyone who has managed to create 2 accounts into a single account. - Still testing this, but it seems to be working
2007-12-12 03:01:44 +00:00
<form method="post" action="user_login.php?type=<?="$type$redirect_url"?>">
- New user and volunteer signup system
2007-11-16 06:30:42 +00:00
<input type="hidden" name="action" value="login" />
<table><tr><td>
<?=i18n("Email")?>:</td><td><input type="text" size="20" name="user" />
</td></tr><tr><td>
<?=i18n("Password")?>:</td><td><input type="password" size="20" name="pass" />
</td></tr>
<tr><td colspan=2>
<input type="submit" value=<?=i18n("Login")?> />
</td></tr>
</table>
</form>
<br />
<div style="font-size: 0.75em;">
<?=i18n("If you have lost or forgotten your password, or have misplaced the email with your initial password, please <a href=\"$recover_link\">click here to recover it</a>")?>.</div><br />
<br />
<?
switch($reg_open) {
case 'notopenyet':
echo i18n("Registration for the %1 %2 has not yet opened",
array( $config['FAIRYEAR'],
$config['fairname']),
array("Fair year","Fair name")
);
break;
case 'open':
echo i18n("If you would like to register as a new {$user_what[$type]}, <a href=\"$new_link\">click here</a>.<br />");
break;
case 'closed':
echo i18n("Registration for the %1 %2 is now closed",
array( $config['FAIRYEAR'],
$config['fairname']),
array("Fair year","Fair name")
);
break;
case 'notpermitted':
default:
break;
}
}
send_footer();
?>
Copy Permalink