
version 3.6.3-rc7
alvarotm01 committed Oct 1, 2018
1 parent 6d02a07 commit a143e14
Showing 196 changed files with 16,097 additions and 9,808 deletions.
163 changes: 121 additions & 42 deletions application/controllers/AccessController.class.php
Expand Up @@ -27,7 +27,7 @@ function __construct() {
* @param void
* @return null
*/
function login() {
function login($data_form_api = null) {
include_once ROOT . "/library/browser/Browser.php";
if (Browser::instance()->getBrowser() == Browser::BROWSER_IE && Browser::instance()->getVersion() < 7) {
flash_error(lang("ie browser outdated"));
Expand Down Expand Up @@ -56,7 +56,15 @@ function login() {
$this->redirectTo($ref_controller, $ref_action, $ref_params);
} // if

$login_data = array_var($_POST, 'login');

$form_submitted = false;
if(!is_null($data_form_api)){
$login_data = $data_form_api;
} else {
$login_data = array_var($_POST, 'login');
$form_submitted = is_array($login_data);
}

$localization = array_var($_POST, 'configOptionSelect');

if(!is_array($login_data)) {
Expand All @@ -67,8 +75,11 @@ function login() {
} // if

tpl_assign('login_data', $login_data);

if(is_array(array_var($_POST, 'login'))) {
$errors = array();

// process the data sent by the form or given by parameter
if($form_submitted || !is_null($data_form_api)) {

$username = array_var($login_data, 'username');
$password = array_var($login_data, 'password');
$remember = array_var($login_data, 'remember') == 'checked';
Expand All @@ -79,37 +90,60 @@ function login() {
$sec_logs = AdministrationLogs::getLastLogs(AdministrationLogs::ADM_LOG_CATEGORY_SECURITY, "invalid login", array_var($_SERVER, 'REMOTE_ADDR'), 10, "`created_on` > '".$from_time->toMySQL()."'");
if (is_array($sec_logs) && count($sec_logs) >= 5) {
AdministrationLogs::createLog("invalid login", array_var($_SERVER, 'REMOTE_ADDR'), AdministrationLogs::ADM_LOG_CATEGORY_SECURITY);
tpl_assign('error', new Error(lang('invalid login data')));
$this->render();

if (!is_null($data_form_api)){
$errors[] = lang('invalid login data');
}else{
tpl_assign('error', new Error(lang('invalid login data')));
$this->render();
}


}
}

if(trim($username) == '') {
AdministrationLogs::createLog("invalid login", array_var($_SERVER, 'REMOTE_ADDR'), AdministrationLogs::ADM_LOG_CATEGORY_SECURITY);
tpl_assign('error', new Error(lang('username value missing')));
$this->render();

if (!is_null($data_form_api)){
$errors[] = lang('username value missing');
}else{
tpl_assign('error', new Error(lang('username value missing')));
$this->render();
}

} // if

if(trim($password) == '') {
AdministrationLogs::createLog("invalid login", array_var($_SERVER, 'REMOTE_ADDR'), AdministrationLogs::ADM_LOG_CATEGORY_SECURITY);
tpl_assign('error', new Error(lang('password value missing')));
$this->render();

if (!is_null($data_form_api)){
$errors[] = lang('password value missing');
}else{
tpl_assign('error', new Error(lang('password value missing')));
$this->render();
}

} // if

if (preg_match(EMAIL_FORMAT, $username)) {
$user = Contacts::getByEmail($username);
$user = Contacts::getByEmail($username, null, true);

} else {
$user = Contacts::getByUsername($username);
}
if(!($user instanceof Contact && $user->isUser()) || $user->getDisabled()) {
AdministrationLogs::createLog("invalid login", array_var($_SERVER, 'REMOTE_ADDR'), AdministrationLogs::ADM_LOG_CATEGORY_SECURITY);
tpl_assign('error', new Error(lang('invalid login data')));
$this->render();

if (!is_null($data_form_api)){
$errors[] = lang('invalid login data');
return array('status'=>false,'msg'=>'session inactive','error'=>$errors);
}else{
tpl_assign('error', new Error(lang('invalid login data')));
$this->render();
}

} // if

$userIsValidPassword = false;
// If ldap authentication is enabled ldap.config.php will return true.
// If ldap authentication is enabled ldap.config.php will return trsue.
$config_ldap_file_path = ROOT . '/config/ldap.config.php';
$config_ldap_is_set = file_exists($config_ldap_file_path) && include_once($config_ldap_file_path);
if($config_ldap_is_set === true) {
Expand All @@ -118,20 +152,25 @@ function login() {
if (!$userIsValidPassword){
$userIsValidPassword = $user->isValidPassword($password);
}

Hook::fire('additional_login_validations', array('user' => $user), $userIsValidPassword);

if (!$userIsValidPassword) {
AdministrationLogs::createLog("invalid login", array_var($_SERVER, 'REMOTE_ADDR'), AdministrationLogs::ADM_LOG_CATEGORY_SECURITY);
tpl_assign('error', new Error(lang('invalid login data')));
$this->render();

if (!is_null($data_form_api)){
$errors[] = lang('invalid login data');
return array('status'=>false,'msg'=>'session inactive','error'=>$errors);
}else{
tpl_assign('error', new Error(lang('invalid login data')));
$this->render();
}

} // if

//Start change user language
if ($localization != 'Default' && self::check_valid_localization($localization)) {
set_user_config_option('localization',$localization,$user->getId());
}

$ref_controller = null;
$ref_action = null;
$ref_params = array();
Expand All @@ -152,7 +191,6 @@ function login() {
} // if
} // if
if(!count($ref_params)) $ref_params = null;

if(ContactPasswords::validatePassword($password)){
$newest_password = ContactPasswords::getNewestContactPassword($user->getId());
if(!$newest_password instanceof ContactPassword){
Expand All @@ -164,37 +202,78 @@ function login() {
$user_password->save();
}else{
if(ContactPasswords::isContactPasswordExpired($user->getId())){
$this->redirectTo('access', 'change_password',
array('id' => $user->getId(),
'msg' => 'expired',
'ref_c' => $ref_controller,
'ref_a' => $ref_action,
$ref_params));

if (!is_null($data_form_api)){
$errors[] = lang('invalid login data');
return array('status'=>false,'msg'=>'session inactive','error'=>$errors);
}else{
$this->redirectTo('access', 'change_password',
array('id' => $user->getId(),
'msg' => 'expired',
'ref_c' => $ref_controller,
'ref_a' => $ref_action,
$ref_params));
}


}
}
}else{
$this->redirectTo('access', 'change_password',
array('id' => $user->getId(),
'msg' => 'invalid',
'ref_c' => $ref_controller,
'ref_a' => $ref_action,
$ref_params));

if (!is_null($data_form_api)){
$errors[] = lang('invalid login data');
return array('status'=>false,'msg'=>'session inactive','error'=>$errors);
}else{
$this->redirectTo('access', 'change_password',
array('id' => $user->getId(),
'msg' => 'invalid',
'ref_c' => $ref_controller,
'ref_a' => $ref_action,
$ref_params));
}

}



try {
CompanyWebsite::instance()->logUserIn($user, $remember);
$ip = get_ip_address();
ApplicationLogs::createLog($user,ApplicationLogs::ACTION_LOGIN,false,false,true,$ip);
} catch(Exception $e) {
tpl_assign('error', new Error(lang('invalid login data')));
$this->render();


if (!is_null($data_form_api)){
$errors[] = lang('invalid login data');
return array('status'=>false,'msg'=>'session inactive','error'=>$errors);
}else{
tpl_assign('error', new Error(lang('invalid login data')));
$this->render();
}


} // try

if($ref_controller && $ref_action) {
$this->redirectTo($ref_controller, $ref_action, $ref_params);

if (!is_null($data_form_api)){
return array('status'=>true,'msg'=>'vpi');
}else{
$this->redirectTo($ref_controller, $ref_action, $ref_params);
}

} else {
$this->redirectTo('access', 'index');

if (!is_null($data_form_api)){

if(function_exists('logged_user') && (logged_user() instanceof Contact && logged_user()->isUser())) {
return array('status'=>true,'msg'=>'session active','contact'=>logged_user()->getId());
}else{
return array('status'=>false,'msg'=>'session inactive','error'=>$errors);
}

}else{
$this->redirectTo('access', 'index');
}

} // if
} // if
} // login
Expand Down Expand Up @@ -452,7 +531,7 @@ function forgot_password() {
$this->render();
} // if

$user = Contacts::getByEmail($your_email);
$user = Contacts::getByEmail($your_email, null, true);
if(!($user instanceof Contact && $user->isUser()) || $user->getDisabled()) {
flash_error(lang('email address not in use', $your_email));
$this->redirectTo('access', 'forgot_password');
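Review bot: In the API path (`$data_form_api` not null) the brute-force throttle at the `count($sec_logs) >= 5` check, and the empty-username and empty-password checks that follow it, only append to `$errors` and fall through, so an API caller who has already triggered the lockout still reaches the password check and can receive `'status'=>true` from the final branch. Only the later branches return; each of these three needs a `return array('status'=>false,'msg'=>'session inactive','error'=>$errors);` directly after its `$errors[] = ...` line, matching what the invalid-user branch already does. In the web path the same fall-through is presumably cut off by `$this->render()`, which the hunk does not show, so that side is unchanged by this commit. The rewritten LDAP comment also introduces a typo (`will return trsue`) where the old line had `true`. The `login()` function starts in an earlier hunk and the lockout hunk is mid-function.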
4 changes: 2 additions & 2 deletions application/controllers/AccountController.class.php
Expand Up @@ -424,8 +424,8 @@ function update_permissions() {

tpl_assign('module_permissions_info', $module_permissions_info);
tpl_assign('all_modules_info', $all_modules_info);
if (!$system_permissions instanceof SystemPermission) {
$system_permissions = new SystemPermission();
if (!$system_permissions instanceof SystemPermission) {
$system_permissions = new SystemPermission();
}
tpl_assign('system_permissions', $system_permissions);

10 changes: 8 additions & 2 deletions application/controllers/AdministrationController.class.php
Expand Up @@ -220,9 +220,15 @@ function custom_properties() {

$object_types = array();
$ordered_object_types = array();
$object_types_tmp = ObjectTypes::instance()->findAll(array("conditions" => "`type` IN ('$ot_types_str') AND `name` <> 'template_task' AND name <> 'template_milestone' AND `name` <> 'file revision'", "order" => "name"));
// get all object types, exclude object types of disabled plugins
$object_types_tmp = ObjectTypes::instance()->findAll(array(
"conditions" => "`type` IN ('$ot_types_str')
AND IF(plugin_id IS NULL OR plugin_id=0, true, (SELECT p.is_activated FROM ".TABLE_PREFIX."plugins p WHERE p.id=plugin_id) = true)
AND `name` <> 'template_task' AND name <> 'template_milestone' AND `name` <> 'file revision'",
"order" => "name"
));
foreach ($object_types_tmp as $ot) {
$ordered_object_types[$ot->getId()] = lang($ot->getName() . "s");
$ordered_object_types[$ot->getId()] = $ot->getPluralObjectTypeName();
$object_types[$ot->getId()] = $ot->getName();
}
asort($ordered_object_types, SORT_STRING);
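Review bot: The new `conditions` string still splices `$ot_types_str` straight into the SQL (`IN ('$ot_types_str')`); the hunk does not show how that value is built, so if it can derive from request data it needs escaping or an allow-list before this point, and a comment such as `// $ot_types_str must hold only trusted, already-escaped type names` would at least record the assumption. The added plugin subquery also excludes object types whose `plugin_id` points at a missing plugin row, since the comparison against an empty subquery yields NULL rather than true; that looks intended but is worth stating in the comment above it. `custom_properties()` starts and ends outside this hunk.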
60 changes: 56 additions & 4 deletions application/controllers/ApiController.class.php
Expand Up @@ -135,6 +135,19 @@ private function list_members($request) {
$start = (!empty($request['args']['start'])) ? $request['args']['start'] : 0;
$limit = (!empty($request['args']['limit'])) ? $request['args']['limit'] : null;
$name = (!empty($request['args']['name'])) ? $request['args']['name'] : "";

// escape name
$name = mysql_real_escape_string($name);
// escape service
$service = mysql_real_escape_string($service);

// allow only numeric in start and limit parameters
if (!is_numeric($start)) {
$start = 0;
}
if (!is_numeric($limit)) {
$limit = null;
}

$members = array();
$type = ObjectTypes::instance()->findByName($service);
Expand All @@ -150,7 +163,7 @@ private function list_members($request) {
);
$extra_conditions = null;
if ($name!=""){
$extra_conditions = "AND name LIKE '%".$name."%'";
$extra_conditions = "AND mem.name LIKE '%".$name."%'";
}
$params = array('dim_id' => $dimension_id, 'type_id' => $typeId, 'start'=>$start, 'limit'=>$limit, 'extra_conditions' => $extra_conditions);
$memberController = new MemberController();
Expand Down Expand Up @@ -225,6 +238,31 @@ private function listing($request) {
$members = (!empty($request['args']['members']) && count(empty($request['args']['members']))) ? $request['args']['members'] : null;
$start = (!empty($request['args']['start'])) ? $request['args']['start'] : 0;
$limit = (!empty($request['args']['limit'])) ? $request['args']['limit'] : null;

// escape order parameters
if ($order) {
$order = mysql_real_escape_string($order);
if (!in_array(strtolower($order_dir), array("asc","desc"))) {
$order_dir = "asc";
}
} else {
$order_dir = "";
}

// allow only numeric in $members parameter
if ($members && is_array($members)) {
$members = array_filter($members, 'is_numeric');
} else {
$members = null;
}

// allow only numeric in start and limit parameters
if (!is_numeric($start)) {
$start = 0;
}
if (!is_numeric($limit)) {
$limit = null;
}

$query_options = array(
//'ignore_context' => true,
Expand All @@ -237,22 +275,25 @@ private function listing($request) {
);

// COMMON FILTERS: For all content Types
if (!empty($request['args']['created_by_id'])) {
// only numeric for created by id
if (!empty($request['args']['created_by_id']) && is_numeric($request['args']['created_by_id'])) {
$query_options['extra_conditions'] = " AND created_by_id = " . $request['args']['created_by_id'] . " ";
}

// TYPE DEPENDENT FILTERS :
switch ($service) {

case 'ProjectTasks' :
if (!empty($request['args']['assigned_to'])) {
// only numeric for assigned to
if (!empty($request['args']['assigned_to']) && is_numeric($request['args']['assigned_to'])) {
$query_options['extra_conditions'] = " AND assigned_to_contact_id = " . $request['args']['assigned_to'] . " ";
}

$task_status_condition = "";
$now = DateTimeValueLib::now()->format('Y-m-j 00:00:00');

if (isset($request['args']['status'])) {
// only numeric for status parameter
if (isset($request['args']['status']) && is_numeric($request['args']['status'])) {
$status = (int) $request['args']['status'];
} else {
$status = 1; // Read Filters Config options in the API? think about this..
Expand Down Expand Up @@ -298,6 +339,17 @@ private function listing($request) {
}
break;
}// Case ProjectTasks


$object_managers = DB::executeAll("SELECT handler_class
FROM ".TABLE_PREFIX."object_types
WHERE `type` IN ('content_object','dimension_object')");
$object_managers = array_flat($object_managers);

// allow only object classes in the $service parameter
if (!in_array($service, $object_managers)) {
throw new Error("Invalid service");
}


eval('$service_instance = '.$service.'::instance();');
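Review bot: The allow-list guard added before the `eval` in `listing()` uses a loose `in_array($service, $object_managers)`; if `$service` can arrive as a non-string (an integer `0` from decoded request args, for instance), PHP 7's loose comparison treats it as equal to any of the handler-class strings, so it passes the check and is then spliced into `eval`. Use `in_array($service, $object_managers, true)` and drop the `eval` entirely: `$service_instance = $service::instance();` has been valid since PHP 5.3 and keeps the class name out of code generation. The earlier hunk in `list_members()` escapes `$name` and `$service` with `mysql_real_escape_string()`, which needs an open legacy ext/mysql connection; if the DB layer uses another driver it returns `false` with a warning and the `LIKE` filter silently disappears, and even with a connection `%` and `_` are not escaped for `LIKE`, so the project's own DB escaping helper is the safer choice. `listing()` starts and ends outside its hunks.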
