authorAndreas Gohr <andi@splitbrain.org>2012-11-30 12:30:40 +0100
committerAndreas Gohr <andi@splitbrain.org>2012-11-30 12:30:40 +0100
commitd14415e37072dbe16077efd700aee5bd33707b54 (patch)
tree062c3c190039ac9490f56598b0ee116de18c2480 /inc/auth.php
parent2ed38036a53a489d2fcadc46ce601f8c876fca31 (diff)
parent38479cbba628ee76a92ff5f3c974cfa8e6ce9e61 (diff)
Merge branch 'master' into subscription
* master: (175 commits) some coding style improvements added .idea project folder to gitignore use correct setUp method and parent calls. Correct German plugin manager translation (download != install) correct return in sendDigest() Fix case-insensitive match in ACL checking GeSHi update to 1.0.8.11 ignore empty header on mail sending remove empty BCC/CC mail headers Galician language update some welcome page changes Combine subsequent calls to strtr into a single transformation changed semicolon to colon in link to welcome page to make it less confusing fixed wrong sidebar showing in namespaces when sidebar is disabled Typo fix for TL;DR removed a bunch of outdated and irrelevant networking acronyms added another place to look for logo to make it more consistent (FS#2656) French language update Czech language update compat js findPosX/y more closely mimic historical function ... Conflicts: inc/auth.php inc/common.php inc/subscription.php lib/exe/indexer.php
Diffstat (limited to 'inc/auth.php')
-rw-r--r--inc/auth.php67
1 files changed, 37 insertions, 30 deletions
diff --git a/inc/auth.php b/inc/auth.php
index 3fb937613..54d2cd50a 100644
--- a/inc/auth.php
+++ b/inc/auth.php
@@ -65,7 +65,7 @@ function auth_setup() {
nice_die($lang['authmodfailed']);
}
- if(!$auth) return false;
+ if(!isset($auth) || !$auth) return false;
// do the login either by cookie or provided credentials XXX
$INPUT->set('http_credentials', false);
@@ -299,7 +299,7 @@ function auth_createToken() {
*
* This is neither unique nor unfakable - still it adds some
* security. Using the first part of the IP makes sure
- * proxy farms like AOLs are stil okay.
+ * proxy farms like AOLs are still okay.
*
* @author Andreas Gohr <andi@splitbrain.org>
*
@@ -313,6 +313,7 @@ function auth_browseruid() {
$uid .= $_SERVER['HTTP_ACCEPT_LANGUAGE'];
$uid .= $_SERVER['HTTP_ACCEPT_CHARSET'];
$uid .= substr($ip, 0, strpos($ip, '.'));
+ $uid = strtolower($uid);
return md5($uid);
}
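Review bot: The IP component on the line just above the added `strtolower()` disappears for any address that contains no dot: `strpos($ip, '.')` returns false there, so `substr($ip, 0, false)` yields an empty string and the id rests on the request headers alone. If `$ip` can hold an IPv6 address (its assignment is outside the hunk), the prefix needs its own handling, for example cutting at the first `:` when no `.` is found. The added line would also benefit from a comment giving its reason, e.g. `// fold case so header case differences do not change the id`, if that is the intent. auth_browseruid() starts outside this hunk.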
@@ -534,9 +535,10 @@ function auth_aclcheck($id, $user, $groups) {
return AUTH_ADMIN;
}
- $ci = '';
- if(!$auth->isCaseSensitive()) $ci = 'ui';
-
+ if(!$auth->isCaseSensitive()) {
+ $user = utf8_strtolower($user);
+ $groups = array_map('utf8_strtolower', $groups);
+ }
$user = $auth->cleanUser($user);
$groups = array_map(array($auth, 'cleanGroup'), (array) $groups);
$user = auth_nameencode($user);
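Review bot: `array_map('utf8_strtolower', $groups)` runs before the `(array) $groups` cast two lines further down, so a caller that passes null or a single string now reaches array_map() with a non-array. On the PHP versions of this era that raises a warning and leaves `$groups` null, which the later cast turns into an empty list, so the caller's group membership is silently dropped from the ACL check. Applying the cast here keeps both paths consistent: `$groups = array_map('utf8_strtolower', (array) $groups);`. auth_aclcheck() starts and ends outside the hunk.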
@@ -560,11 +562,14 @@ function auth_aclcheck($id, $user, $groups) {
}
//check exact match first
- $matches = preg_grep('/^'.preg_quote($id, '/').'\s+(\S+)\s+/'.$ci, $AUTH_ACL);
+ $matches = preg_grep('/^'.preg_quote($id, '/').'\s+(\S+)\s+/u', $AUTH_ACL);
if(count($matches)) {
foreach($matches as $match) {
$match = preg_replace('/#.*$/', '', $match); //ignore comments
$acl = preg_split('/\s+/', $match);
+ if(!$auth->isCaseSensitive() && $acl[1] !== '@ALL') {
+ $acl[1] = utf8_strtolower($acl[1]);
+ }
if(!in_array($acl[1], $groups)) {
continue;
}
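Review bot: The `u` modifier that replaces `$ci` makes PCRE reject subjects that are not valid UTF-8, and preg_grep() reports that only through preg_last_error(), so an ACL line containing a stray byte would drop out of `$matches` without any trace instead of being evaluated. For an access-control lookup it seems safer to fail closed after the call, e.g. `if(preg_last_error() !== PREG_NO_ERROR) return AUTH_NONE;`, or to validate `$AUTH_ACL` where it is loaded. The same applies to the `$path` lookup in the next hunk. The enclosing function continues outside the hunk.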
@@ -587,11 +592,14 @@ function auth_aclcheck($id, $user, $groups) {
}
do {
- $matches = preg_grep('/^'.preg_quote($path, '/').'\s+(\S+)\s+/'.$ci, $AUTH_ACL);
+ $matches = preg_grep('/^'.preg_quote($path, '/').'\s+(\S+)\s+/u', $AUTH_ACL);
if(count($matches)) {
foreach($matches as $match) {
$match = preg_replace('/#.*$/', '', $match); //ignore comments
$acl = preg_split('/\s+/', $match);
+ if(!$auth->isCaseSensitive() && $acl[1] !== '@ALL') {
+ $acl[1] = utf8_strtolower($acl[1]);
+ }
if(!in_array($acl[1], $groups)) {
continue;
}
@@ -733,63 +741,62 @@ function register() {
global $conf;
/* @var auth_basic $auth */
global $auth;
+ global $INPUT;
- if(!$_POST['save']) return false;
+ if(!$INPUT->post->bool('save')) return false;
if(!actionOK('register')) return false;
- //clean username
- $_POST['login'] = trim($auth->cleanUser($_POST['login']));
+ // gather input
+ $login = trim($auth->cleanUser($INPUT->post->str('login')));
+ $fullname = trim(preg_replace('/[\x00-\x1f:<>&%,;]+/', '', $INPUT->post->str('fullname')));
+ $email = trim(preg_replace('/[\x00-\x1f:<>&%,;]+/', '', $INPUT->post->str('email')));
+ $pass = $INPUT->post->str('pass');
+ $passchk = $INPUT->post->str('passchk');
- //clean fullname and email
- $_POST['fullname'] = trim(preg_replace('/[\x00-\x1f:<>&%,;]+/', '', $_POST['fullname']));
- $_POST['email'] = trim(preg_replace('/[\x00-\x1f:<>&%,;]+/', '', $_POST['email']));
-
- if(empty($_POST['login']) ||
- empty($_POST['fullname']) ||
- empty($_POST['email'])
- ) {
+ if(empty($login) || empty($fullname) || empty($email)) {
msg($lang['regmissing'], -1);
return false;
}
if($conf['autopasswd']) {
$pass = auth_pwgen(); // automatically generate password
- } elseif(empty($_POST['pass']) ||
- empty($_POST['passchk'])
- ) {
+ } elseif(empty($pass) || empty($passchk)) {
msg($lang['regmissing'], -1); // complain about missing passwords
return false;
- } elseif($_POST['pass'] != $_POST['passchk']) {
+ } elseif($pass != $passchk) {
msg($lang['regbadpass'], -1); // complain about misspelled passwords
return false;
- } else {
- $pass = $_POST['pass']; // accept checked and valid password
}
//check mail
- if(!mail_isvalid($_POST['email'])) {
+ if(!mail_isvalid($email)) {
msg($lang['regbadmail'], -1);
return false;
}
//okay try to create the user
- if(!$auth->triggerUserMod('create', array($_POST['login'], $pass, $_POST['fullname'], $_POST['email']))) {
+ if(!$auth->triggerUserMod('create', array($login, $pass, $fullname, $email))) {
msg($lang['reguexists'], -1);
return false;
}
- $subscription = new Subscription();
+ // create substitutions for use in notification email
+ $substitutions = array(
+ 'NEWUSER' => $_POST['login'],
+ 'NEWNAME' => $_POST['fullname'],
+ 'NEWEMAIL' => $_POST['email'],
+ );
if(!$conf['autopasswd']) {
msg($lang['regsuccess2'], 1);
- $subscription->send_register($_POST['login'], $_POST['fullname'], $_POST['email']);
+ notify('', 'register', '', $_POST['login'], false, $substitutions);
return true;
}
// autogenerated password? then send him the password
- if(auth_sendPassword($_POST['login'], $pass)) {
+ if(auth_sendPassword($login, $pass)) {
msg($lang['regsuccess'], 1);
- $subscription->send_register($_POST['login'], $_POST['fullname'], $_POST['email']);
+ notify('', 'register', '', $_POST['login'], false, $substitutions);
return true;
} else {
msg($lang['regmailfail'], -1);
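Review bot: The `$substitutions` array and both `notify()` calls still read `$_POST['login']`, `$_POST['fullname']` and `$_POST['email']`, so the notification mail receives the raw request values rather than the `$login`, `$fullname` and `$email` that were cleaned at the top of the function. That bypasses the control-character stripping and `cleanUser()` for text that ends up in an e-mail, and it can name a different user than the one actually created; it also raises notices when a key is missing. Using the local variables throughout fixes this, as sketched below. Separately, `$pass != $passchk` compares loosely, so two different numeric-looking strings can pass the confirmation check; `$pass !== $passchk` avoids that. register() starts and ends outside the hunk.

```php
// … unchanged: input gathering, validation, triggerUserMod('create', …) …
// create substitutions for use in notification email
$substitutions = array(
    'NEWUSER'  => $login,
    'NEWNAME'  => $fullname,
    'NEWEMAIL' => $email,
);
if(!$conf['autopasswd']) {
    msg($lang['regsuccess2'], 1);
    notify('', 'register', '', $login, false, $substitutions);
    return true;
}
// … unchanged: auth_sendPassword($login, $pass) check and success message …
    notify('', 'register', '', $login, false, $substitutions);
```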