Friendica Communications Platform (please note that this is a clone of the repository at github, issues are handled there) https://friendi.ca
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

414 lines
12 KiB

11 years ago
11 years ago
11 years ago
10 years ago
11 years ago
11 years ago
  1. <?php
  2. function authenticate_success($user_record, $login_initial = false, $interactive = false, $login_refresh = false) {
  3. $a = get_app();
  4. $_SESSION['uid'] = $user_record['uid'];
  5. $_SESSION['theme'] = $user_record['theme'];
  6. $_SESSION['mobile-theme'] = get_pconfig($user_record['uid'], 'system', 'mobile_theme');
  7. $_SESSION['authenticated'] = 1;
  8. $_SESSION['page_flags'] = $user_record['page-flags'];
  9. $_SESSION['my_url'] = $a->get_baseurl() . '/profile/' . $user_record['nickname'];
  10. $_SESSION['my_address'] = $user_record['nickname'] . '@' . substr($a->get_baseurl(),strpos($a->get_baseurl(),'://')+3);
  11. $_SESSION['addr'] = $_SERVER['REMOTE_ADDR'];
  12. $a->user = $user_record;
  13. if($interactive) {
  14. if($a->user['login_date'] === '0000-00-00 00:00:00') {
  15. $_SESSION['return_url'] = 'profile_photo/new';
  16. $a->module = 'profile_photo';
  17. info( t("Welcome ") . $a->user['username'] . EOL);
  18. info( t('Please upload a profile photo.') . EOL);
  19. }
  20. else
  21. info( t("Welcome back ") . $a->user['username'] . EOL);
  22. }
  23. $member_since = strtotime($a->user['register_date']);
  24. if(time() < ($member_since + ( 60 * 60 * 24 * 14)))
  25. $_SESSION['new_member'] = true;
  26. else
  27. $_SESSION['new_member'] = false;
  28. if(strlen($a->user['timezone'])) {
  29. date_default_timezone_set($a->user['timezone']);
  30. $a->timezone = $a->user['timezone'];
  31. }
  32. $master_record = $a->user;
  33. if((x($_SESSION,'submanage')) && intval($_SESSION['submanage'])) {
  34. $r = q("select * from user where uid = %d limit 1",
  35. intval($_SESSION['submanage'])
  36. );
  37. if(count($r))
  38. $master_record = $r[0];
  39. }
  40. $r = q("SELECT `uid`,`username`,`nickname` FROM `user` WHERE `password` = '%s' AND `email` = '%s' AND `account_removed` = 0 ",
  41. dbesc($master_record['password']),
  42. dbesc($master_record['email'])
  43. );
  44. if($r && count($r))
  45. $a->identities = $r;
  46. else
  47. $a->identities = array();
  48. $r = q("select `user`.`uid`, `user`.`username`, `user`.`nickname`
  49. from manage INNER JOIN user on manage.mid = user.uid where `user`.`account_removed` = 0
  50. and `manage`.`uid` = %d",
  51. intval($master_record['uid'])
  52. );
  53. if($r && count($r))
  54. $a->identities = array_merge($a->identities,$r);
  55. if($login_initial)
  56. logger('auth_identities: ' . print_r($a->identities,true), LOGGER_DEBUG);
  57. if($login_refresh)
  58. logger('auth_identities refresh: ' . print_r($a->identities,true), LOGGER_DEBUG);
  59. $r = q("SELECT * FROM `contact` WHERE `uid` = %d AND `self` = 1 LIMIT 1",
  60. intval($_SESSION['uid']));
  61. if(count($r)) {
  62. $a->contact = $r[0];
  63. $a->cid = $r[0]['id'];
  64. $_SESSION['cid'] = $a->cid;
  65. }
  66. header('X-Account-Management-Status: active; name="' . $a->user['username'] . '"; id="' . $a->user['nickname'] .'"');
  67. if($login_initial || $login_refresh) {
  68. $l = get_browser_language();
  69. q("UPDATE `user` SET `login_date` = '%s', `language` = '%s' WHERE `uid` = %d",
  70. dbesc(datetime_convert()),
  71. dbesc($l),
  72. intval($_SESSION['uid'])
  73. );
  74. // Set the login date for all identities of the user
  75. q("UPDATE `user` SET `login_date` = '%s' WHERE `password` = '%s' AND `email` = '%s' AND `account_removed` = 0",
  76. dbesc(datetime_convert()),
  77. dbesc($master_record['password']),
  78. dbesc($master_record['email'])
  79. );
  80. }
  81. if($login_initial) {
  82. call_hooks('logged_in', $a->user);
  83. if(($a->module !== 'home') && isset($_SESSION['return_url']))
  84. goaway($a->get_baseurl() . '/' . $_SESSION['return_url']);
  85. }
  86. }
  87. function can_write_wall(&$a,$owner) {
  88. static $verified = 0;
  89. if((! (local_user())) && (! (remote_user())))
  90. return false;
  91. $uid = local_user();
  92. if(($uid) && ($uid == $owner)) {
  93. return true;
  94. }
  95. if(remote_user()) {
  96. // use remembered decision and avoid a DB lookup for each and every display item
  97. // DO NOT use this function if there are going to be multiple owners
  98. // We have a contact-id for an authenticated remote user, this block determines if the contact
  99. // belongs to this page owner, and has the necessary permissions to post content
  100. if($verified === 2)
  101. return true;
  102. elseif($verified === 1)
  103. return false;
  104. else {
  105. $cid = 0;
  106. if(is_array($_SESSION['remote'])) {
  107. foreach($_SESSION['remote'] as $visitor) {
  108. if($visitor['uid'] == $owner) {
  109. $cid = $visitor['cid'];
  110. break;
  111. }
  112. }
  113. }
  114. if(! $cid)
  115. return false;
  116. $r = q("SELECT `contact`.*, `user`.`page-flags` FROM `contact` INNER JOIN `user` on `user`.`uid` = `contact`.`uid`
  117. WHERE `contact`.`uid` = %d AND `contact`.`id` = %d AND `contact`.`blocked` = 0 AND `contact`.`pending` = 0
  118. AND `user`.`blockwall` = 0 AND `readonly` = 0 AND ( `contact`.`rel` IN ( %d , %d ) OR `user`.`page-flags` = %d ) LIMIT 1",
  119. intval($owner),
  120. intval($cid),
  121. intval(CONTACT_IS_SHARING),
  122. intval(CONTACT_IS_FRIEND),
  123. intval(PAGE_COMMUNITY)
  124. );
  125. if(count($r)) {
  126. $verified = 2;
  127. return true;
  128. }
  129. else {
  130. $verified = 1;
  131. }
  132. }
  133. }
  134. return false;
  135. }
  136. function permissions_sql($owner_id,$remote_verified = false,$groups = null) {
  137. $local_user = local_user();
  138. $remote_user = remote_user();
  139. /**
  140. * Construct permissions
  141. *
  142. * default permissions - anonymous user
  143. */
  144. $sql = " AND allow_cid = ''
  145. AND allow_gid = ''
  146. AND deny_cid = ''
  147. AND deny_gid = ''
  148. ";
  149. /**
  150. * Profile owner - everything is visible
  151. */
  152. if(($local_user) && ($local_user == $owner_id)) {
  153. $sql = '';
  154. }
  155. /**
  156. * Authenticated visitor. Unless pre-verified,
  157. * check that the contact belongs to this $owner_id
  158. * and load the groups the visitor belongs to.
  159. * If pre-verified, the caller is expected to have already
  160. * done this and passed the groups into this function.
  161. */
  162. elseif($remote_user) {
  163. if(! $remote_verified) {
  164. $r = q("SELECT id FROM contact WHERE id = %d AND uid = %d AND blocked = 0 LIMIT 1",
  165. intval($remote_user),
  166. intval($owner_id)
  167. );
  168. if(count($r)) {
  169. $remote_verified = true;
  170. $groups = init_groups_visitor($remote_user);
  171. }
  172. }
  173. if($remote_verified) {
  174. $gs = '<<>>'; // should be impossible to match
  175. if(is_array($groups) && count($groups)) {
  176. foreach($groups as $g)
  177. $gs .= '|<' . intval($g) . '>';
  178. }
  179. /*$sql = sprintf(
  180. " AND ( allow_cid = '' OR allow_cid REGEXP '<%d>' )
  181. AND ( deny_cid = '' OR NOT deny_cid REGEXP '<%d>' )
  182. AND ( allow_gid = '' OR allow_gid REGEXP '%s' )
  183. AND ( deny_gid = '' OR NOT deny_gid REGEXP '%s')
  184. ",
  185. intval($remote_user),
  186. intval($remote_user),
  187. dbesc($gs),
  188. dbesc($gs)
  189. );*/
  190. $sql = sprintf(
  191. " AND ( NOT (deny_cid REGEXP '<%d>' OR deny_gid REGEXP '%s')
  192. AND ( allow_cid REGEXP '<%d>' OR allow_gid REGEXP '%s' OR ( allow_cid = '' AND allow_gid = '') )
  193. )
  194. ",
  195. intval($remote_user),
  196. dbesc($gs),
  197. intval($remote_user),
  198. dbesc($gs)
  199. );
  200. }
  201. }
  202. return $sql;
  203. }
  204. function item_permissions_sql($owner_id,$remote_verified = false,$groups = null) {
  205. $local_user = local_user();
  206. $remote_user = remote_user();
  207. /**
  208. * Construct permissions
  209. *
  210. * default permissions - anonymous user
  211. */
  212. $sql = " AND `item`.allow_cid = ''
  213. AND `item`.allow_gid = ''
  214. AND `item`.deny_cid = ''
  215. AND `item`.deny_gid = ''
  216. AND `item`.private = 0
  217. ";
  218. /**
  219. * Profile owner - everything is visible
  220. */
  221. if($local_user && ($local_user == $owner_id)) {
  222. $sql = '';
  223. }
  224. /**
  225. * Authenticated visitor. Unless pre-verified,
  226. * check that the contact belongs to this $owner_id
  227. * and load the groups the visitor belongs to.
  228. * If pre-verified, the caller is expected to have already
  229. * done this and passed the groups into this function.
  230. */
  231. elseif($remote_user) {
  232. if(! $remote_verified) {
  233. $r = q("SELECT id FROM contact WHERE id = %d AND uid = %d AND blocked = 0 LIMIT 1",
  234. intval($remote_user),
  235. intval($owner_id)
  236. );
  237. if(count($r)) {
  238. $remote_verified = true;
  239. $groups = init_groups_visitor($remote_user);
  240. }
  241. }
  242. if($remote_verified) {
  243. $gs = '<<>>'; // should be impossible to match
  244. if(is_array($groups) && count($groups)) {
  245. foreach($groups as $g)
  246. $gs .= '|<' . intval($g) . '>';
  247. }
  248. $sql = sprintf(
  249. /*" AND ( private = 0 OR ( private in (1,2) AND wall = 1 AND ( allow_cid = '' OR allow_cid REGEXP '<%d>' )
  250. AND ( deny_cid = '' OR NOT deny_cid REGEXP '<%d>' )
  251. AND ( allow_gid = '' OR allow_gid REGEXP '%s' )
  252. AND ( deny_gid = '' OR NOT deny_gid REGEXP '%s')))
  253. ",
  254. intval($remote_user),
  255. intval($remote_user),
  256. dbesc($gs),
  257. dbesc($gs)
  258. */
  259. " AND ( `item`.private = 0 OR ( `item`.private in (1,2) AND `item`.`wall` = 1
  260. AND ( NOT (`item`.deny_cid REGEXP '<%d>' OR `item`.deny_gid REGEXP '%s')
  261. AND ( `item`.allow_cid REGEXP '<%d>' OR `item`.allow_gid REGEXP '%s' OR ( `item`.allow_cid = '' AND `item`.allow_gid = '')))))
  262. ",
  263. intval($remote_user),
  264. dbesc($gs),
  265. intval($remote_user),
  266. dbesc($gs)
  267. );
  268. }
  269. }
  270. return $sql;
  271. }
  272. /*
  273. * Functions used to protect against Cross-Site Request Forgery
  274. * The security token has to base on at least one value that an attacker can't know - here it's the session ID and the private key.
  275. * In this implementation, a security token is reusable (if the user submits a form, goes back and resubmits the form, maybe with small changes;
  276. * or if the security token is used for ajax-calls that happen several times), but only valid for a certain amout of time (3hours).
  277. * The "typename" seperates the security tokens of different types of forms. This could be relevant in the following case:
  278. * A security token is used to protekt a link from CSRF (e.g. the "delete this profile"-link).
  279. * If the new page contains by any chance external elements, then the used security token is exposed by the referrer.
  280. * Actually, important actions should not be triggered by Links / GET-Requests at all, but somethimes they still are,
  281. * so this mechanism brings in some damage control (the attacker would be able to forge a request to a form of this type, but not to forms of other types).
  282. */
  283. function get_form_security_token($typename = '') {
  284. $a = get_app();
  285. $timestamp = time();
  286. $sec_hash = hash('whirlpool', $a->user['guid'] . $a->user['prvkey'] . session_id() . $timestamp . $typename);
  287. return $timestamp . '.' . $sec_hash;
  288. }
  289. function check_form_security_token($typename = '', $formname = 'form_security_token') {
  290. if (!x($_REQUEST, $formname)) return false;
  291. $hash = $_REQUEST[$formname];
  292. $max_livetime = 10800; // 3 hours
  293. $a = get_app();
  294. $x = explode('.', $hash);
  295. if (time() > (IntVal($x[0]) + $max_livetime)) return false;
  296. $sec_hash = hash('whirlpool', $a->user['guid'] . $a->user['prvkey'] . session_id() . $x[0] . $typename);
  297. return ($sec_hash == $x[1]);
  298. }
  299. function check_form_security_std_err_msg() {
  300. return t('The form security token was not correct. This probably happened because the form has been opened for too long (>3 hours) before submitting it.') . EOL;
  301. }
  302. function check_form_security_token_redirectOnErr($err_redirect, $typename = '', $formname = 'form_security_token') {
  303. if (!check_form_security_token($typename, $formname)) {
  304. $a = get_app();
  305. logger('check_form_security_token failed: user ' . $a->user['guid'] . ' - form element ' . $typename);
  306. logger('check_form_security_token failed: _REQUEST data: ' . print_r($_REQUEST, true), LOGGER_DATA);
  307. notice( check_form_security_std_err_msg() );
  308. goaway($a->get_baseurl() . $err_redirect );
  309. }
  310. }
  311. function check_form_security_token_ForbiddenOnErr($typename = '', $formname = 'form_security_token') {
  312. if (!check_form_security_token($typename, $formname)) {
  313. $a = get_app();
  314. logger('check_form_security_token failed: user ' . $a->user['guid'] . ' - form element ' . $typename);
  315. logger('check_form_security_token failed: _REQUEST data: ' . print_r($_REQUEST, true), LOGGER_DATA);
  316. header('HTTP/1.1 403 Forbidden');
  317. killme();
  318. }
  319. }
  320. // Returns an array of group id's this contact is a member of.
  321. // This array will only contain group id's related to the uid of this
  322. // DFRN contact. They are *not* neccessarily unique across the entire site.
  323. if(! function_exists('init_groups_visitor')) {
  324. function init_groups_visitor($contact_id) {
  325. $groups = array();
  326. $r = q("SELECT `gid` FROM `group_member`
  327. WHERE `contact-id` = %d ",
  328. intval($contact_id)
  329. );
  330. if(count($r)) {
  331. foreach($r as $rr)
  332. $groups[] = $rr['gid'];
  333. }
  334. return $groups;
  335. }}