From 12c514d8c5367c492a598d2f5f2c30bbec71e0ee Mon Sep 17 00:00:00 2001
From: james
Date: Wed, 16 Feb 2005 20:04:12 +0000
Subject: [PATCH] refactor some of the authenticaiton code into the .inc.php add a password changer check for expired passwords and force changing if expired
---
register_judges.inc.php | 31 +++++++++
register_judges.php | 9 ++-
register_judges_expertise.php | 15 -----
register_judges_main.php | 18 +-----
register_judges_password.php | 115 ++++++++++++++++++++++++++++++++++
register_judges_personal.php | 15 -----
6 files changed, 156 insertions(+), 47 deletions(-)
create mode 100644 register_judges_password.php
diff --git a/register_judges.inc.php b/register_judges.inc.php
index 0de6abf..a1951d8 100644
--- a/register_judges.inc.php
+++ b/register_judges.inc.php
@@ -73,6 +73,37 @@ function expertiseStatus()
 return "incomplete";
+}
+
+
+ //authenticate based on email address and registration number from the SESSION
+ if(! ($_SESSION['email'] && $_SESSION['judges_id']) )
+ {
+ header("Location: register_judges.php");
+ exit;
+ }
+
+ $q=mysql_query("SELECT * FROM judges WHERE email='".$_SESSION['email']."' AND id='".$_SESSION['judges_id']."' AND deleted='no'");
+ echo mysql_error();
+
+ if(mysql_num_rows($q)==0)
+ {
+ header("Location: register_judges.php?action=logout");
+ exit;
+ }
+ $judgeinfo=mysql_fetch_object($q);
+
+
+//only check for password expiry if we are NOT on the change password page, otherwise we create endless redirect loops
+if(!strstr($_SERVER['PHP_SELF'],"register_judges_password.php"))
+{
+ //check for expired password
+ $q=mysql_query("SELECT id FROM judges WHERE email='".$_SESSION['email']."' AND id='".$_SESSION['judges_id']."' AND deleted='no' AND passwordexpiry<=NOW()");
+ if(mysql_num_rows($q))
+ {
+ $_SESSION['judges_password_expired']=true;
+ header("Location: register_judges_password.php");
+ }
 }
 ?>
diff --git a/register_judges.php b/register_judges.php
index 839a09d..46235cd 100644
--- a/register_judges.php
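Review bot: The expired-password redirect at the end of the hunk, `header("Location: register_judges_password.php");`, is not followed by `exit;`, so the including page keeps executing and renders its full protected content after the redirect header; a client that ignores Location still gets the page, which makes the forced change advisory only. The guard around it is keyed on `strstr($_SERVER['PHP_SELF'], ...)`, and PHP_SELF includes any PATH_INFO the client appends, so a request for `register_judges_main.php/register_judges_password.php` would skip the expiry check entirely (whether the server passes PATH_INFO through is not visible here). I would write the guard as `if(basename($_SERVER['SCRIPT_NAME'])!="register_judges_password.php")` and add `exit;` after the header call; the expiry could also be read from the `$judgeinfo` row already fetched rather than running a second query. The session email and id are still interpolated into both queries without `mysql_real_escape_string`; they originate from the login form, so escaping them here is cheap insurance.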
+++ b/register_judges.php @@ -41,7 +41,7 @@ } else { - mysql_query("INSERT INTO judges (email,password) VALUES ('".$_SESSION['email']."','".$_POST['pass1']."')"); + mysql_query("INSERT INTO judges (email,password,created) VALUES ('".$_SESSION['email']."','".$_POST['pass1']."',NOW())"); $id=mysql_insert_id(); $_SESSION['judges_id']=$id; @@ -64,6 +64,8 @@ { $r=mysql_fetch_object($q); $_SESSION['judges_id']=$r->id; + $_SESSION['judges_lastlogin']=$r->lastlogin; + mysql_query("UPDATE judges SET lastlogin=NOW() WHERE id='$r->id'"); header("Location: register_judges_main.php"); } else @@ -86,10 +88,15 @@ { unset($_SESSION['email']); unset($_SESSION['judges_id']); + unset($_SESSION['judges_lastlogin']); + unset($_SESSION['judges_password_expired']); send_header("Judges Registration"); echo notice(i18n("You have been successfully logged out")); } + if($_SESSION['email'] && $_SESSION['judges_id']) + header("Location: register_judges_main.php"); + send_header("Judges Registration"); diff --git a/register_judges_expertise.php b/register_judges_expertise.php index 888e376..5504923 100644 --- a/register_judges_expertise.php +++ b/register_judges_expertise.php @@ -25,21 +25,6 @@ require("common.inc.php"); include "register_judges.inc.php"; - //authenticate based on email address and registration number from the SESSION - if(! ($_SESSION['email'] && $_SESSION['judges_id']) ) - { - header("Location: register_judges.php"); - exit; - } - - $q=mysql_query("SELECT id FROM judges WHERE email='".$_SESSION['email']."' AND id='".$_SESSION['judges_id']."'"); - echo mysql_error(); - - if(mysql_num_rows($q)==0) - { - header("Location: register_judges.php?action=logout"); - exit; - } //send the header send_header("Judges Registration - Areas of Expertise Information"); diff --git a/register_judges_main.php b/register_judges_main.php index 8d14049..fcd4ed5 100644 --- a/register_judges_main.php +++ b/register_judges_main.php 
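Review bot: The rebuilt INSERT still writes `$_POST['pass1']` straight into the SQL string and stores it as the plaintext password; the commit only appends the `created` column, but this line is the one now under review. A `'` in the chosen password breaks or hijacks the statement, so at minimum escape it first, `$pass=mysql_real_escape_string($_POST['pass1']);`, and use `'$pass'` in the VALUES list. Storing a one-way hash instead of the plaintext would require the login comparison, which sits outside this hunk, to change as well, so I would track that as a follow-up.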
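Review bot: Successful login now records `lastlogin` but still does nothing about the session identifier, so a session id planted before login remains valid after `$_SESSION['judges_id']` is set (classic fixation). Add `session_regenerate_id();` immediately before `$_SESSION['judges_id']=$r->id;` in this branch. The `header("Location: register_judges_main.php");` that follows is pre-existing context and is likewise not followed by `exit;`; the enclosing if/else continues outside the hunk.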
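Review bot: The new `if($_SESSION['email'] && $_SESSION['judges_id']) header("Location: register_judges_main.php");` sends the redirect but does not stop the script, so the login form below is still rendered and its POST handling still runs for an already-authenticated session; add `exit;` on the line after the header call. After an `action=logout` request the unsets above clear both keys, so the redirect is correctly skipped there, but `send_header("Judges Registration")` has then already been emitted in that branch and is emitted again two lines later, which looks like a pre-existing double header rather than something this change introduces.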
@@ -25,22 +25,6 @@ require("common.inc.php"); include "register_judges.inc.php"; - //authenticate based on email address and registration number from the SESSION - if(! ($_SESSION['email'] && $_SESSION['judges_id']) ) - { - header("Location: register_judges.php"); - exit; - } - - $q=mysql_query("SELECT * FROM judges WHERE email='".$_SESSION['email']."' AND id='".$_SESSION['judges_id']."' AND deleted='no'"); - echo mysql_error(); - - if(mysql_num_rows($q)==0) - { - header("Location: register_judges.php?action=logout"); - exit; - } - $judgeinfo=mysql_fetch_object($q); send_header("Judges Registration"); if($_GET['action']=="activate") @@ -162,6 +146,8 @@ echo ""; +echo "
"; +echo "".i18n("Change Password").""; echo "
"; echo "".i18n("Logout").""; diff --git a/register_judges_password.php b/register_judges_password.php new file mode 100644 index 0000000..16093ac --- /dev/null +++ b/register_judges_password.php @@ -0,0 +1,115 @@ + + Copyright (C) 2005 James Grant + + This program is free software; you can redistribute it and/or + modify it under the terms of the GNU General Public + License as published by the Free Software Foundation, version 2. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; see the file COPYING. If not, write to + the Free Software Foundation, Inc., 59 Temple Place - Suite 330, + Boston, MA 02111-1307, USA. +*/ +?> +<< ".i18n("Back to Judges Registration Summary (discard changes)")."
"; + echo "
"; + } + + if($_POST['action']=="save") + { + //first, lets see if they choosed the same password again (bad bad bad) + $q=mysql_query("SELECT password FROM judges WHERE id='".$_SESSION['judges_id']."' AND email='".$_SESSION['email']."' AND password='".$_POST['pass1']."'"); + if(mysql_num_rows($q)) + { + echo error(i18n("You cannot choose the same password again. Please choose a different password")); + } + //now make sure their password is good + else if(!$_POST['pass1']) + { + echo error(i18n("New Password is required")); + } + else if(!$_POST['pass2']) + { + echo error(i18n("Confirm New Password is required")); + } + else if($_POST['pass1'] != $_POST['pass2']) + { + echo error(i18n("Passwords do not match")); + } + else + { + if($config['judges_password_expiry_days']>0) + { + $ex="passwordexpiry=DATE_ADD(CURDATE(),INTERVAL ".$config['judges_password_expiry_days']." DAY)"; + + } + else + { + $ex="passwordexpiry=NULL"; + } + mysql_query("UPDATE judges SET password='".$_POST['pass1']."', $ex WHERE id='".$_SESSION['judges_id']."' AND email='".$_SESSION['email']."'"); + echo happy(i18n("Password successfully changed")); + if($_SESSION['judges_password_expired']) + { + unset($_SESSION['judges_password_expired']); + echo "<< ".i18n("Back to Judges Registration Summary (discard changes)")."
"; + echo "
"; + } + } + } + else + { + if($_SESSION['judges_password_expired']) + echo error(i18n("Your password has expired. You must choose a new password now")); + + } + echo "
\n"; + echo "\n"; + echo "\n"; + + echo "
"; + echo "
"; + echo ""; + echo ""; + echo "
"; + echo i18n("Enter New Password:"); + echo ""; + echo ""; + echo "
"; + echo i18n("Confirm New Password:"); + echo ""; + echo ""; + echo "
"; + + +echo ""; +echo "\n"; +echo "
"; + +if(!$_SESSION['judges_password_expired']) +{ + echo "
"; + echo "<< ".i18n("Back to Judges Registration Summary (discard changes)")."
"; +} + +send_footer(); +?> diff --git a/register_judges_personal.php b/register_judges_personal.php index d49dd7b..56ca370 100644 --- a/register_judges_personal.php +++ b/register_judges_personal.php @@ -25,21 +25,6 @@ require("common.inc.php"); include "register_judges.inc.php"; - //authenticate based on email address and registration number from the SESSION - if(! ($_SESSION['email'] && $_SESSION['judges_id']) ) - { - header("Location: register_judges.php"); - exit; - } - - $q=mysql_query("SELECT id FROM judges WHERE email='".$_SESSION['email']."' AND id='".$_SESSION['judges_id']."'"); - echo mysql_error(); - - if(mysql_num_rows($q)==0) - { - header("Location: register_judges.php?action=logout"); - exit; - } //send the header send_header("Judges Registration - Personal Information");
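Review bot: In the save branch the new password `$_POST['pass1']` is interpolated unescaped into both the same-password SELECT and the UPDATE, so a quote in the chosen password breaks the statement or injects into it, and the SELECT runs before the empty/mismatch checks, so a blank submission still hits the database. I would validate first, escape once with `$pass=mysql_real_escape_string($_POST['pass1']);`, and use `'$pass'` in both queries; the session email and id deserve the same treatment. Nothing in the branch asks for the current password or checks a request token, so anyone holding the session cookie can rotate the password; the form markup is not recoverable in this rendering, so a token may be emitted, but the server side does not verify one. The password is also stored and compared as plaintext, which matches the existing login path and would need a coordinated change there. The success message and the `judges_password_expired` unset run without checking the UPDATE result.
```php
if($_POST['action']=="save")
{
    //validate before touching the database, then escape once for both queries
    if(!$_POST['pass1'])
        echo error(i18n("New Password is required"));
    else if(!$_POST['pass2'])
        echo error(i18n("Confirm New Password is required"));
    else if($_POST['pass1'] != $_POST['pass2'])
        echo error(i18n("Passwords do not match"));
    else
    {
        $pass=mysql_real_escape_string($_POST['pass1']);
        $jid=mysql_real_escape_string($_SESSION['judges_id']);
        $jemail=mysql_real_escape_string($_SESSION['email']);
        $q=mysql_query("SELECT password FROM judges WHERE id='$jid' AND email='$jemail' AND password='$pass'");
        if(mysql_num_rows($q))
            echo error(i18n("You cannot choose the same password again. Please choose a different password"));
        else
        {
            // … unchanged: $ex expiry computation from $config['judges_password_expiry_days'] …
            if(mysql_query("UPDATE judges SET password='$pass', $ex WHERE id='$jid' AND email='$jemail'"))
            {
                // … unchanged: success message and judges_password_expired handling …
            }
            else
                echo error(i18n("Password could not be changed"));
        }
    }
}
```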