```php
<?php
# MantisBT - a php based bugtracking system

# MantisBT is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 2 of the License, or
# (at your option) any later version.
#
# MantisBT is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with MantisBT. If not, see <http://www.gnu.org/licenses/>.

/**
 * Login page POSTs results to login.php
 * Check to see if the user is already logged in
 *
 * @package MantisBT
 * @copyright Copyright (C) 2000 - 2002 Kenzaburo Ito - kenito@300baud.org
 * @copyright Copyright (C) 2002 - 2012 MantisBT Team - mantisbt-dev@lists.sourceforge.net
 * @link http://www.mantisbt.org
 */
/**
 * MantisBT Core API's
 */
require_once( 'core.php' );

$f_error = gpc_get_bool( 'error' );
$f_cookie_error = gpc_get_bool( 'cookie_error' );
$f_return = string_sanitize_url( gpc_get_string( 'return', '' ) );
$f_username = gpc_get_string( 'username', '' );
$f_perm_login = gpc_get_bool( 'perm_login', false );
$f_secure_session = gpc_get_bool( 'secure_session', false );
$f_secure_session_cookie = gpc_get_cookie( config_get_global( 'cookie_prefix' ) . '_secure_session', null );

$t_session_validation = ( ON == config_get_global( 'session_validation' ) );

// If user is already authenticated and not anonymous
if( auth_is_user_authenticated() && !current_user_is_anonymous() ) {
	// If return URL is specified redirect to it; otherwise use default page
	if( !is_blank( $f_return ) ) {
		print_header_redirect( $f_return, false, false, true );
	}
	else {
		print_header_redirect( config_get( 'default_home_page' ) );
	}
}

# Check for automatic logon methods where we want the logon to just be handled by login.php
if ( auth_automatic_logon_bypass_form() ) {
	$t_uri = "login.php";

	if ( ON == config_get( 'allow_anonymous_login' ) ) {
		$t_uri = "login_anon.php";
	}

	if ( !is_blank( $f_return ) ) {
		$t_uri .= "?return=" . string_url( $f_return );
	}

	print_header_redirect( $t_uri );
	exit;
}

# Login page shouldn't be indexed by search engines
html_robots_noindex();

html_page_top1();
html_page_top2a();

echo '<br /><div align="center">';

# Display short greeting message
# echo lang_get( 'login_page_info' ) . '<br />';

# Only echo error message if error variable is set
if ( $f_error ) {
	echo '<font color="red">' . lang_get( 'login_error' ) . '</font>';
}
if ( $f_cookie_error ) {
	echo lang_get( 'login_cookies_disabled' ) . '<br />';
}

# Determine if secure_session should default on or off?
# - If no errors, and no cookies set, default to on.
# - If no errors, but cookie is set, use the cookie value.
# - If errors, use the value passed in.
if ( $t_session_validation ) {
	if ( !$f_error && !$f_cookie_error ) {
		$t_default_secure_session = ( is_null( $f_secure_session_cookie ) ? true : $f_secure_session_cookie );
	} else {
		$t_default_secure_session = $f_secure_session;
	}
}

echo '</div>';
?>

<!-- Login Form BEGIN -->
<br />
<div align="center">
<form name="login_form" method="post" action="login.php">
<?php # CSRF protection not required here - form does not result in modifications ?>
<table class="width50" cellspacing="1">
<tr>
	<td class="form-title">
<?php
	if ( !is_blank( $f_return ) ) {
?>
		<input type="hidden" name="return" value="<?php echo string_html_specialchars( $f_return ) ?>" />
<?php
	}
	echo lang_get( 'login_title' ) ?>
	</td>
	<td class="right">
<?php
	if ( ON == config_get( 'allow_anonymous_login' ) ) {
		print_bracket_link( 'login_anon.php?return=' . string_url( $f_return ), lang_get( 'login_anonymously' ) );
	}
?>
	</td>
</tr>
<tr class="row-1">
	<td class="category">
		<?php echo lang_get( 'username' ) ?>
	</td>
	<td>
		<input type="text" name="username" size="32" maxlength="<?php echo DB_FIELD_SIZE_USERNAME;?>" value="<?php echo string_attribute( $f_username ); ?>" />
	</td>
</tr>
<tr class="row-2">
	<td class="category">
		<?php echo lang_get( 'password' ) ?>
	</td>
	<td>
		<input type="password" name="password" size="32" maxlength="<?php echo auth_get_password_max_size(); ?>" />
	</td>
</tr>
<?php
if( ON == config_get( 'allow_permanent_cookie' ) ) {
?>
<tr class="row-1">
	<td class="category">
		<?php echo lang_get( 'save_login' ) ?>
	</td>
	<td>
		<input type="checkbox" name="perm_login" <?php echo ( $f_perm_login ? 'checked="checked" ' : '' ) ?>/>
	</td>
</tr>
<?php
}

if ( $t_session_validation ) {
?>
<tr class="row-2">
	<td class="category">
		<?php echo lang_get( 'secure_session' ) ?>
	</td>
	<td>
		<input type="checkbox" name="secure_session" <?php echo ( $t_default_secure_session ? 'checked="checked" ' : '' ) ?>/>
		<?php echo '<span class="small">' . lang_get( 'secure_session_long' ) . '</span>' ?>
	</td>
</tr>
<?php } ?>
<tr>
	<td class="center" colspan="2">
		<input type="submit" class="button" value="<?php echo lang_get( 'login_button' ) ?>" />
	</td>
</tr>
</table>
</form>
</div>

<?php
echo '<br /><div align="center">';
print_signup_link();
echo '&#160;';
print_lost_password_link();
echo '</div>';

#
# Do some checks to warn administrators of possible security holes.
# Since this is considered part of the admin-checks, the strings are not translated.
#

if ( config_get_global( 'admin_checks' ) == ON ) {

	# Generate a warning if administrator/root is valid.
	$t_admin_user_id = user_get_id_by_name( 'administrator' );
	if ( $t_admin_user_id !== false ) {
		if ( user_is_enabled( $t_admin_user_id ) && auth_does_password_match( $t_admin_user_id, 'root' ) ) {
			echo '<div class="warning" align="center">', "\n";
			echo "\t", '<p><font color="red">', lang_get( 'warning_default_administrator_account_present' ), '</font></p>', "\n";
			echo '</div>', "\n";
		}
	}

	# Check if the admin directory is available and is readable.
	$t_admin_dir = dirname( __FILE__ ) . DIRECTORY_SEPARATOR . 'admin' . DIRECTORY_SEPARATOR;
	if ( is_dir( $t_admin_dir ) ) {
		echo '<div class="warning" align="center">', "\n";
		echo '<p><font color="red">', lang_get( 'warning_admin_directory_present' ), '</font></p>', "\n";
		echo '</div>', "\n";
	}
	if ( is_dir( $t_admin_dir ) && is_readable( $t_admin_dir ) && is_executable( $t_admin_dir ) && @file_exists( "$t_admin_dir/." ) ) {
		# since admin directory and db_upgrade lists are available check for missing db upgrades
		# Check for db upgrade for versions < 1.0.0 using old upgrader
		$t_db_version = config_get( 'database_version' , 0 );
		# if db version is 0, we haven't moved to new installer.
		if ( $t_db_version == 0 ) {
			$t_upgrade_count = 0;
			if ( db_table_exists( db_get_table( 'mantis_upgrade_table' ) ) ) {
				$query = "SELECT COUNT(*) from " . db_get_table( 'mantis_upgrade_table' ) . ";";
				$result = db_query_bound( $query );
				if ( db_num_rows( $result ) > 0 ) {
					$t_upgrade_count = (int)db_result( $result );
				}
			}

			if ( $t_upgrade_count > 0 ) { # table exists, check for number of updates

				# new config table database version is 0.
				# old upgrade tables exist.
				# assume user is upgrading from <1.0 and therefore needs to update to 1.x before upgrading to 1.2
				echo '<div class="warning" align="center">';
				echo '<p><font color="red">', lang_get( 'error_database_version_out_of_date_1' ), '</font></p>';
				echo '</div>';
			} else {
				# old upgrade tables do not exist, yet config database_version is 0
				echo '<div class="warning" align="center">';
				echo '<p><font color="red">', lang_get( 'error_database_no_schema_version' ), '</font></p>';
				echo '</div>';
			}
		}

		# Check for db upgrade for versions > 1.0.0 using new installer and schema
		require_once( 'admin' . DIRECTORY_SEPARATOR . 'schema.php' );
		$t_upgrades_reqd = count( $upgrade ) - 1;

		if ( ( 0 < $t_db_version ) &&
			( $t_db_version != $t_upgrades_reqd ) ) {

			if ( $t_db_version < $t_upgrades_reqd ) {
				echo '<div class="warning" align="center">';
				echo '<p><font color="red">', lang_get( 'error_database_version_out_of_date_2' ), '</font></p>';
				echo '</div>';
			} else {
				echo '<div class="warning" align="center">';
				echo '<p><font color="red">', lang_get( 'error_code_version_out_of_date' ), '</font></p>';
				echo '</div>';
			}
		}
	}

} # if 'admin_checks'
?>

<!-- Autofocus JS -->
<?php if ( ON == config_get( 'use_javascript' ) ) { ?>
<script type="text/javascript" language="JavaScript">
<!--
	window.document.login_form.<?php if ( is_blank( $f_username ) ) { echo 'username'; } else { echo 'password'; } ?>.focus();
// -->
</script>
<?php } ?>

<?php
html_page_bottom1a( __FILE__ );
```