Finde ich gut. Ich habe mir die Funktion dann mal komplett angesehen.
Da ich natürlich dabei das eine oder andere Geheimnis des Login-Prozesses übersehen haben könnte, freue ich mich über Feedback. Danke.
- Es werden erst die Frontend-Accounts überprüft.
- Wurde ein Frontend-Account gefunden, werden die Backend-Accounts nicht mehr berücksichtigt.
- Wenn kein Account gefunden werden kann, wird auch nicht versucht, Gruppenrechte zu dem Account zu ermitteln. Es werden nur für Backend-Accounts Gruppenrechte ermittelt.
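/**
 * Validates the current login attempt: first against the frontend user
 * table, then (only when no frontend account matched) against the backend
 * user table, including the backend user's group permissions.
 *
 * Reads the request state from the globals $username, $password,
 * $challenge, $response, $auth_handlers and $client. Sets
 * $this->auth["uname"] and, on success, $this->auth["perm"].
 *
 * Returns the matched user id (the string "nobody" for the anonymous
 * fallback), or false after a 5 second delay when no account matched or
 * the password / challenge response did not verify.
 */
function auth_validatelogin()
{
    global $username, $password, $challenge, $response, $auth_handlers, $client;

    $client = (int)$client; ## only ever used as an integer client id in SQL

    if (isset($username)) {
        $this->auth["uname"] = $username; ## This provides access for "loginform.ihtml"
    } else if ($this->nobody) { ## provides for "default login cancel"
        $uid = $this->auth["uname"] = $this->auth["uid"] = "nobody";
        return $uid;
    }

    ## Initialise everything the verification step reads, so that no path
    ## below works with an undefined variable.
    $uid   = false;
    $perm  = "";
    $pass  = "";
    $gperm = array();

    /* Authentification via frontend users */
    ## NOTE(review): the frontend lookup escapes with urlencode() while the
    ## backend lookup uses addslashes(); neither is charset-aware SQL escaping.
    ## Verify how frontend usernames are stored, and prefer the DB layer's own
    ## escaping or prepared statements.
    $this->db->query(sprintf("SELECT idfrontenduser, password FROM %s WHERE username = '%s' AND idclient='$client' AND active='1'",
        $this->fe_database_table,
        urlencode($username)));
    if ($this->db->next_record()) {
        $uid  = $this->db->f("idfrontenduser");
        $perm = "frontend"; ## frontend users get no group permissions
        $pass = $this->db->f("password");
    }

    ## NOTE(review): the loose == is kept on purpose: an id of "0" counts as
    ## "not found" here exactly as in the original.
    if ($uid == false) {
        /* Authentification via backend users */
        $this->db->query(sprintf("select user_id, perms, password from %s where username = '%s'",
            $this->database_table,
            addslashes($username)));
        ## If several rows match, the last one wins (kept from the original).
        while ($this->db->next_record()) {
            $uid  = $this->db->f("user_id");
            $perm = $this->db->f("perms");
            $pass = $this->db->f("password"); ## Password is stored as a md5 hash
            ## A password column naming a registered auth handler delegates
            ## verification to that handler; on success the user is identified
            ## by md5(username) and md5(password) becomes the stored hash so
            ## that the checks below succeed. Strict in_array: the hash must
            ## match a handler name exactly.
            if (is_array($auth_handlers) && in_array($pass, $auth_handlers, true)) {
                if (call_user_func($pass, $username, $password)) {
                    $uid  = md5($username);
                    $pass = md5($password);
                }
            }
        }

        if ($uid !== false) {
            ## Collect the user's own perms plus the perms of every group the
            ## user is a member of into one comma separated list.
            $this->db->query(sprintf("select A.group_id as group_id, A.perms as perms ".
                "from %s AS A, %s AS B where A.group_id = B.group_id AND ".
                "B.user_id = '%s'",
                $this->group_table,
                $this->member_table,
                $uid));
            /* Deactivated: Backend user would be sysadmin when logged on as frontend user
             * (and perms would be checked), see http://www.contenido.org/forum/viewtopic.php?p=85666#85666
            $perm = "sysadmin"; */
            if ($perm != "") {
                $gperm[] = $perm;
            }
            while ($this->db->next_record()) {
                $gperm[] = $this->db->f("perms");
            }
            if (count($gperm) > 0) {
                $perm = implode(",", $gperm);
            }
        }
    }

    if ($uid == false) {
        ## Account not found, sleep and exit
        sleep(5);
        return false;
    }

    ## Verify the credential. The digest comparisons are strict (===): a
    ## loose != on two hex digests compares them numerically when both look
    ## like numbers (e.g. "0e..."), which would accept a wrong password.
    if ($response == "") { ## True when JS is disabled
        $valid = (md5($password) === $pass); ## md5 hash for non-JavaScript browsers
    } else { ## Response is set, JS is enabled
        $expected_response = md5("$username:$pass:$challenge");
        $valid = ($expected_response === $response);
    }
    ## NOTE(review): md5 password hashes and the md5 challenge/response scheme
    ## are legacy; password_hash()/password_verify() and hash_equals() are the
    ## modern replacements. The fixed sleep(5) on every failure also ties up a
    ## worker for 5 seconds per failed attempt.

    if (!$valid) {
        sleep(5);
        return false;
    }

    $this->auth["perm"] = $perm;
    return $uid;
}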
Noch nicht getestet.
Gruß
HerrB