forked from science-ation/science-ation
307 lines
9.0 KiB
PHP
307 lines
9.0 KiB
PHP
<?
|
|
/*
|
|
This file is part of the 'Science Fair In A Box' project
|
|
SFIAB Website: http://www.sfiab.ca
|
|
|
|
Copyright (C) 2005 Sci-Tech Ontario Inc <info@scitechontario.org>
|
|
Copyright (C) 2005 James Grant <james@lightbox.org>
|
|
Copyright (C) 2007 David Grant <dave@lightbox.org>
|
|
|
|
This program is free software; you can redistribute it and/or
|
|
modify it under the terms of the GNU General Public
|
|
License as published by the Free Software Foundation, version 2.
|
|
|
|
This program is distributed in the hope that it will be useful,
|
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
General Public License for more details.
|
|
|
|
You should have received a copy of the GNU General Public License
|
|
along with this program; see the file COPYING. If not, write to
|
|
the Free Software Foundation, Inc., 59 Temple Place - Suite 330,
|
|
Boston, MA 02111-1307, USA.
|
|
*/
|
|
?>
|
|
<?
|
|
require_once("common.inc.php");
|
|
require_once("user.inc.php");
|
|
|
|
function try_login($user, $pass)
|
|
{
|
|
/* Ensure sanity of inputs, user should be an email address, but it's stored
|
|
* in the username field */
|
|
$x = isEmailAddress($user);
|
|
if($x == false) {
|
|
/* It's possible that it's a username */
|
|
if(user_valid_user($user) == false) return false;
|
|
}
|
|
$x = user_valid_password($pass);
|
|
if($x == false) return false;
|
|
|
|
$q = mysql_query("SELECT id,username,password
|
|
FROM users
|
|
WHERE username='$user'
|
|
AND deleted='no'");
|
|
echo mysql_error();
|
|
if(mysql_num_rows($q) != 1) return false;
|
|
|
|
/* Ok.. see if the passwd matches */
|
|
$r = mysql_fetch_object($q);
|
|
|
|
if($r->password != $pass) return false;
|
|
|
|
/* Login successful */
|
|
return $r->id;
|
|
}
|
|
|
|
/* If there is no session, accept a type from the URL, else,
|
|
* if there is a session, always take the session's type. The idea is
|
|
* eventually, you'll never be able to see a login page if you're already
|
|
* logged in. */
|
|
$type = false;
|
|
if(isset($_SESSION['users_type'])) {
|
|
$type = $_SESSION['users_type'];
|
|
} else {
|
|
$type = $_GET['type'];
|
|
/* user_types is in user.inc.php */
|
|
if(!in_array($type, $user_types)) $type = false;
|
|
}
|
|
|
|
$notice=$_GET['notice'];
|
|
|
|
switch($type) {
|
|
case 'volunteer':
|
|
// returns "notopenyet", "closed", or "open"
|
|
$reg_open = user_volunteer_registration_status();
|
|
break;
|
|
case 'committee':
|
|
$reg_open = 'notpermitted';
|
|
break;
|
|
case 'judge':
|
|
$reg_open = user_judge_registration_status();
|
|
break;
|
|
case 'student':
|
|
default:
|
|
$reg_open = 'closed';
|
|
break;
|
|
}
|
|
|
|
if($_POST['action']=="login" )
|
|
{
|
|
if($_POST['pass'] && $_POST['user'])
|
|
{
|
|
$id = try_login($_POST['user'], $_POST['pass']);
|
|
if($id == false) {
|
|
header("location: user_login.php?type=$type¬ice=login_failed");
|
|
exit;
|
|
} else {
|
|
$u = user_load($id);
|
|
$_SESSION['name']="{$u['firstname']} {$u['lastname']}";
|
|
$_SESSION['username']=$u['username'];
|
|
$_SESSION['email']=$u['email'];
|
|
$_SESSION['users_id']=$u['id'];
|
|
$_SESSION['users_type']=$u['type'];
|
|
|
|
/* Check for an expired password */
|
|
$now = date('Y-m-d H:i:s');
|
|
if($now > $u['passwordexpiry']) {
|
|
$_SESSION['password_expired'] = true;
|
|
/* The main page (or any other user page) will catch this now and
|
|
* require them to set a password */
|
|
}
|
|
|
|
/* FIXME: call a type sepcific function
|
|
to set type specific session variables */
|
|
|
|
mysql_query("UPDATE users SET lastlogin=NOW()
|
|
WHERE id={$u['id']}");
|
|
|
|
if(count($u['types']) > 1) {
|
|
$_SESSION['multirole'] = true;
|
|
header("location: user_multirole.php");
|
|
} else {
|
|
$_SESSION['multirole'] = false;
|
|
header("location: {$type}_main.php");
|
|
}
|
|
|
|
exit;
|
|
}
|
|
|
|
}
|
|
header("location: user_login.php?type=$type¬ice=login_failed");
|
|
exit;
|
|
}
|
|
else if($_GET['action']=="logout")
|
|
{
|
|
/* Do these explicitly because i'm paranoid */
|
|
unset($_SESSION['name']);
|
|
unset($_SESSION['username']);
|
|
unset($_SESSION['email']);
|
|
unset($_SESSION['users_id']);
|
|
unset($_SESSION['users_type']);
|
|
/* Take care of anything else */
|
|
$keys = array_keys($_SESSION);
|
|
foreach($keys as $k) unset($_SESSION[$k]);
|
|
|
|
header("location: user_login.php?type=$type¬ice=logged_out");
|
|
exit;
|
|
}
|
|
else if($_GET['action']=="recover")
|
|
{
|
|
send_header("{$user_what[$type]} - Password Recovery",
|
|
array("{$user_what[$type]} Login" => "user_login.php?type=$type"));
|
|
|
|
$recover_link = "user_login.php?type=$type&action=recover";
|
|
|
|
?>
|
|
<br />
|
|
<?=i18n('Password recovery will reset your password to a new random password, and then email you that password. Enter your name and email address below, then click on the \'Reset\' button. The name and email must exactly match the ones you used to register. Sometimes the email takes a few minutes to send so be patient.')?><br />
|
|
<br />
|
|
<form method="post" action="user_login.php?type=<?=$type?>">
|
|
<input type="hidden" name="action" value="recoverconfirm" />
|
|
<table>
|
|
<tr><td>
|
|
<?=i18n("First Name")?>:</td><td><input type="text" size="20" name="fn" />
|
|
</td></tr>
|
|
<tr><td>
|
|
<?=i18n("Last Name")?>:</td><td><input type="text" size="20" name="ln" />
|
|
</td></tr>
|
|
<tr><td>
|
|
<?=i18n("Email")?>:</td><td><input type="text" size="20" name="email" />
|
|
</td></tr>
|
|
<tr><td colspan="2">
|
|
<input type="submit" value="<?=i18n("Reset my password")?>" />
|
|
</td></tr></table>
|
|
<br />
|
|
</form>
|
|
<br />
|
|
<div style="font-size: 0.75em;">
|
|
<?=i18n('If you didn\'t register using an email address and you have lost your password, please contact the committee to have your password reset.')?></div><br />
|
|
<?
|
|
}
|
|
else if($_POST['action'] == "recoverconfirm")
|
|
{
|
|
/* Process a recover */
|
|
$email = $_POST['email'];
|
|
if(isEmailAddress($email)) {
|
|
/* valid email address */
|
|
$q=mysql_query("SELECT * FROM users WHERE email='$email'");
|
|
$r=mysql_fetch_object($q);
|
|
if($r) {
|
|
$fn = trim($_POST['fn']);
|
|
$ln = trim($_POST['ln']);
|
|
|
|
/* Check name match */
|
|
if(strcasecmp($r->firstname, $fn)!=0 || strcasecmp($r->lastname, $ln)!=0) {
|
|
header("Location: user_login.php?type=$type¬ice=recover_name_error");
|
|
exit;
|
|
}
|
|
|
|
$password = '';
|
|
$pchars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
|
|
for($x=0;$x<12;$x++) $password .= $pchars{rand(0,61)};
|
|
|
|
mysql_query("UPDATE users SET password='$password',passwordexpiry='0000-00-00' WHERE id={$r->id}");
|
|
|
|
/* volunteer_recover_password, judge_recover_password, student_recover_password,
|
|
committee_recover_password */
|
|
email_send("{$type}_recover_password",
|
|
$email,
|
|
array("FAIRNAME"=>i18n($config['fairname'])),
|
|
array( "PASSWORD"=>$password,
|
|
"EMAIL"=>$email)
|
|
);
|
|
header("Location: user_login.php?type=$type¬ice=recover_sent");
|
|
exit;
|
|
} else {
|
|
header("Location: user_login.php?type=$type¬ice=recover_email_error");
|
|
exit;
|
|
}
|
|
}
|
|
header("Location: user_login.php?type=$type¬ice=email_error");
|
|
exit;
|
|
}
|
|
else
|
|
{
|
|
|
|
send_header("{$user_what[$type]} - Login", array());
|
|
|
|
switch($notice) {
|
|
case 'created_sent':
|
|
echo happy(i18n("Your new password has been sent to your email address. Please check your email and use the password to login"));
|
|
break;
|
|
case 'recover_sent':
|
|
echo notice(i18n("Your password has been sent to your email address"));
|
|
break;
|
|
case 'recover_email_error':
|
|
echo error(i18n("Could not find your email address for recovery"));
|
|
break;
|
|
case 'recover_name_error':
|
|
echo error(i18n("The name you entered does not match the one in your account"));
|
|
break;
|
|
case 'email_error':
|
|
echo error(i18n("Email address error"));
|
|
break;
|
|
case 'login_failed':
|
|
echo error(i18n("Invalid Email/Password"));
|
|
break;
|
|
case 'auth_required':
|
|
echo error(i18n("You must login to view that page"));
|
|
break;
|
|
case 'logged_out':
|
|
echo notice(i18n("You have been successfully logged out"));
|
|
break;
|
|
}
|
|
|
|
$recover_link = "user_login.php?type=$type&action=recover";
|
|
$new_link = "user_new.php?type=$type";
|
|
|
|
?>
|
|
<form method="post" action="user_login.php?type=<?=$type?>">
|
|
<input type="hidden" name="action" value="login" />
|
|
<table><tr><td>
|
|
<?=i18n("Email")?>:</td><td><input type="text" size="20" name="user" />
|
|
</td></tr><tr><td>
|
|
<?=i18n("Password")?>:</td><td><input type="password" size="20" name="pass" />
|
|
</td></tr>
|
|
<tr><td colspan=2>
|
|
<input type="submit" value=<?=i18n("Login")?> />
|
|
</td></tr>
|
|
</table>
|
|
</form>
|
|
|
|
<br />
|
|
<div style="font-size: 0.75em;">
|
|
<?=i18n("If you have lost or forgotten your password, or have misplaced the email with your initial password, please <a href=\"$recover_link\">click here to recover it</a>")?>.</div><br />
|
|
<br />
|
|
<?
|
|
switch($reg_open) {
|
|
case 'notopenyet':
|
|
echo i18n("Registration for the %1 %2 has not yet opened",
|
|
array( $config['FAIRYEAR'],
|
|
$config['fairname']),
|
|
array("Fair year","Fair name")
|
|
);
|
|
break;
|
|
case 'open':
|
|
echo i18n("If you would like to register as a new {$user_what[$type]}, <a href=\"$new_link\">click here</a>.<br />");
|
|
break;
|
|
|
|
case 'closed':
|
|
echo i18n("Registration for the %1 %2 is now closed",
|
|
array( $config['FAIRYEAR'],
|
|
$config['fairname']),
|
|
array("Fair year","Fair name")
|
|
);
|
|
break;
|
|
case 'notpermitted':
|
|
default:
|
|
break;
|
|
}
|
|
|
|
}
|
|
|
|
send_footer();
|
|
?>
|
|
|