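<?php
/****************************************************************/
/* ATutor                                                       */
/****************************************************************/
/* Copyright (c) 2002-2008 by Greg Gay & Joel Kronenberg        */
/* Adaptive Technology Resource Centre / University of Toronto  */
/* http://atutor.ca                                             */
/*                                                              */
/* This program is free software. You can redistribute it and/or*/
/* modify it under the terms of the GNU General Public License  */
/* as published by the Free Software Foundation.                */
/****************************************************************/
// $Id: login.php 7396 2008-04-15 19:46:57Z cindy $

/*
 * Login page of the ATutor LDAP module.
 *
 * Authentication is attempted in this order:
 *   1. cookie auto-login (ATLogin / ATPass) against the members table;
 *   2. form login against the members table, then the admins table, comparing
 *      SHA1(stored password . session token) with the value the form posted;
 *   3. for form logins only: an LDAP bind with the RSA-decoded clear-text
 *      password posted in form_password_ldap, creating the local member
 *      record on first success (ldap_lib.php helpers).
 * On success $_SESSION is populated and the browser is redirected; otherwise
 * the session is reset and the login template is rendered.
 *
 * Every query below is assembled by string concatenation and depends on
 * $addslashes (set up by vitals.inc.php) for escaping: the mysql_* extension
 * this file uses has no parameterised-query API.
 */

$_user_location = 'public';
define('AT_INCLUDE_PATH', 'include/');
require (AT_INCLUDE_PATH.'vitals.inc.php');
/*
smal
09-09-2008
Add aditional libraries required by ATutor.ldap.mod
*/
require ('admin/ldap_lib.php');
require (AT_INCLUDE_PATH.'lib/rsa.inc.php');


if (isset($_GET['course'])) {
	$_GET['course'] = intval($_GET['course']);
} else {
	$_GET['course'] = 0;
}

// Defaults so that no branch below reads an unset variable: the cookie
// auto-login path never produces a decoded LDAP password or a hash.
$this_password_ldap = '';
$hash_password      = '';
$used_cookie        = false;
$auto_login         = 0;

// check if we have a cookie
if (!$msg->containsFeedbacks()) {
	if (isset($_COOKIE['ATLogin'])) {
		$cookie_login = $_COOKIE['ATLogin'];
	}
	if (isset($_COOKIE['ATPass'])) {
		$cookie_pass  = $_COOKIE['ATPass'];
	}
}

if (isset($cookie_login, $cookie_pass) && !isset($_POST['submit'])) {
	/* auto login */
	$this_login    = $cookie_login;
	$this_password = $cookie_pass;
	$auto_login    = 1;
	$used_cookie   = true;
} else if (isset($_POST['submit'])) {
	/* form post login */
	$this_password = isset($_POST['form_password_hidden']) ? $_POST['form_password_hidden'] : '';
	$this_login    = isset($_POST['form_login']) ? $_POST['form_login'] : '';
	$auto_login    = isset($_POST['auto']) ? intval($_POST['auto']) : 0;
	$used_cookie   = false;
	$hash_password = isset($_POST['form_hash_password']) ? $addslashes($_POST['form_hash_password']) : '';
	/*
	smal
	09-09-2008
	RSA Decoded, required by ldap.mod
	*/
	// Decode exactly once (the previous version decoded twice and validated
	// twice); a missing field is treated like a failed decode.
	$auth_string = isset($_POST['form_password_ldap'])
		? rsa_decode(PRIVATE_KEY, $_POST['form_password_ldap'])
		: false;

	if ($auth_string) {
		// check_valid_login() yields the usable password, or a falsy value when
		// the decoded blob is rejected (timeout) -- see ldap_lib.php.
		$this_password_ldap = check_valid_login($auth_string);
		if ($this_password_ldap) {
			clear_auth_cookie();
		} else {
			$msg->addError('INVALID_LOGIN_RSA_TIMEOUT');
			header('Location: login.php');
			exit;
		}
	} else {
		$msg->addError('INVALID_LOGIN_RSA');
		header('Location: login.php');
		exit;
	}
}


if (isset($this_login, $this_password)) {
	if (version_compare(PHP_VERSION, '5.1.0', '>=')) {
		// fresh session id on every login attempt (session-fixation mitigation)
		session_regenerate_id(TRUE);
	}

	if ($_GET['course']) {
		$_POST['form_course_id'] = intval($_GET['course']);
	} else {
		// a cookie auto-login carries no form, so the field may be absent
		$_POST['form_course_id'] = isset($_POST['form_course_id']) ? intval($_POST['form_course_id']) : 0;
	}
	$this_login    = $addslashes($this_login);
	$this_password = $addslashes($this_password);

	if ($used_cookie) {
		// check if that cookie is valid
		// NOTE(review): $tstu_salt is not defined in this file -- presumably
		// provided by vitals.inc.php; confirm before relying on it.
		$sql = "SELECT member_id, login, first_name, second_name, last_name, preferences,password AS pass, language, status FROM ".TABLE_PREFIX."members WHERE login='$this_login' AND SHA1(CONCAT(password, '$tstu_salt'))='$this_password'";
	} else {
		// the form posts SHA1(password-hash . token); the token is per session
		$sql = "SELECT member_id, login, first_name, second_name, last_name, preferences, language, status, password AS pass FROM ".TABLE_PREFIX."members WHERE (login='$this_login' OR email='$this_login') AND SHA1(CONCAT(password, '$_SESSION[token]'))='$this_password'";
	}
	$result = mysql_query($sql, $db);
	$row    = $result ? mysql_fetch_assoc($result) : false;

	if ($row && $row['status'] == AT_STATUS_UNCONFIRMED) {
		$msg->addError('NOT_CONFIRMED');
	} else if ($row && $row['status'] == AT_STATUS_DISABLED) {
		$msg->addError('ACCOUNT_DISABLED');
	} else if ($row) {
		$_SESSION['valid_user'] = true;
		$_SESSION['member_id']  = intval($row['member_id']);
		$_SESSION['login']      = $row['login'];
		// preferences are a serialized blob written by this application's own
		// code; the column is not user-supplied input
		assign_session_prefs(unserialize(stripslashes($row['preferences'])));
		$_SESSION['is_guest']   = 0;
		$_SESSION['lang']       = $row['language'];
		$_SESSION['course_id']  = 0;

		if ($auto_login == 1) {
			$parts = parse_url($_base_href);
			// update the cookie.. increment to another 2 days
			$cookie_expire = time()+172800;
			// NOTE(review): ATPass is a password-derived value stored client-side
			// without the secure/httponly flags; kept as-is for compatibility.
			setcookie('ATLogin', $this_login, $cookie_expire, $parts['path'], $parts['host'], 0);
			setcookie('ATPass',  sha1($row['pass'].$tstu_salt),  $cookie_expire, $parts['path'], $parts['host'], 0);
		}

		$sql = "UPDATE ".TABLE_PREFIX."members SET creation_date=creation_date, last_login=NOW() WHERE member_id=$_SESSION[member_id]";
		mysql_query($sql, $db);

		$msg->addFeedback('LOGIN_SUCCESS');
		header('Location: bounce.php?course='.$_POST['form_course_id']);
		exit;
	} else {
		// check if it's an admin login.
		$sql = "SELECT login, `privileges`, language FROM ".TABLE_PREFIX."admins WHERE login='$this_login' AND SHA1(CONCAT(password, '$_SESSION[token]'))='$this_password' AND `privileges`>0";
		$result = mysql_query($sql, $db);
		$row    = $result ? mysql_fetch_assoc($result) : false;

		if ($row) {
			$sql = "UPDATE ".TABLE_PREFIX."admins SET last_login=NOW() WHERE login='$this_login'";
			mysql_query($sql, $db);

			$_SESSION['login']      = $row['login'];
			$_SESSION['valid_user'] = true;
			$_SESSION['course_id']  = -1;
			$_SESSION['privileges'] = intval($row['privileges']);
			$_SESSION['lang']       = $row['language'];

			write_to_log(AT_ADMIN_LOG_UPDATE, 'admins', mysql_affected_rows($db), $sql);

			$msg->addFeedback('LOGIN_SUCCESS');

			header('Location: admin/index.php');
			exit;

		} else if (!$used_cookie) {
			/*
			smal
			09-09-2008
			Add LDAP auth provided by ATutor.ldap.mod
			*/
			// Only a form login can reach the directory: the cookie path has no
			// decoded LDAP password, and an empty password must never be handed
			// to ldap_bind_connect() (the previous version did so with an unset
			// variable on every stale-cookie visit).
			if ($this_password_ldap !== ''
					&& ldap_bind_connect($this_login, $this_password_ldap)
					&& ($arr = get_ldap_entry_info($this_login, $this_password_ldap, $hash_password))
					&& insert_user_info($arr)) {
				$sql = "SELECT member_id, login, preferences, language, status FROM ".TABLE_PREFIX."members WHERE login='$this_login'";
				$result = mysql_query($sql, $db);
				$row    = $result ? mysql_fetch_assoc($result) : false;
				if ($row && $row['status'] == AT_STATUS_UNCONFIRMED) {
					$msg->addError('NOT_CONFIRMED');
				} else if ($row && $row['status'] == AT_STATUS_DISABLED) {
					$msg->addError('ACCOUNT_DISABLED');
				} else if ($row) {
					$_SESSION['valid_user'] = true;
					$_SESSION['member_id']  = intval($row['member_id']);
					$_SESSION['login']      = get_login($_SESSION['member_id']);
					assign_session_prefs(unserialize(stripslashes($row['preferences'])));
					$_SESSION['is_guest']   = 0;
					$_SESSION['lang']       = $row['language'];
					$_SESSION['course_id']  = 0;
					add_ldap_log('YOUR LDAP SERVER'); #Define LDAP server name or Null

					// redirect only once the session is fully established; the
					// previous version reported LOGIN_SUCCESS and bounced even for
					// unconfirmed or disabled accounts
					$msg->addFeedback('LOGIN_SUCCESS');
					header('Location: bounce.php?course='.$_POST['form_course_id']);
					exit;
				} else {
					$msg->addError('INVALID_LOGIN');
				}
			} else {
				// bind, lookup or local insert failed: tell the user rather than
				// silently re-rendering the form
				$msg->addError('INVALID_LOGIN');
			}
		}
	}
}

// Falling through here means no login succeeded: reset the session state
// and show the form again.
$_SESSION['session_test'] = TRUE;

if (isset($_SESSION['member_id'])) {
	$sql = "DELETE FROM ".TABLE_PREFIX."users_online WHERE member_id=$_SESSION[member_id]";
	// best-effort cleanup; a failure here must not break the login page
	$result = @mysql_query($sql, $db);
}

unset($_SESSION['login']);
unset($_SESSION['valid_user']);
unset($_SESSION['member_id']);
unset($_SESSION['is_admin']);
unset($_SESSION['course_id']);
unset($_SESSION['is_super_admin']);
unset($_SESSION['dd_question_ids']);

// Refresh the security token
refresh_token();

$_SESSION['prefs']['PREF_FORM_FOCUS'] = 1;

/*****************************/
/* template starts down here */

$onload = 'document.form.form_login.focus();';

$savant->assign('course_id', $_GET['course']);

if ($_GET['course'] && isset($system_courses[$_GET['course']])) {
	$savant->assign('title',  ' '._AT('to1').' '.$system_courses[$_GET['course']]['title']);
} else {
	$savant->assign('title',  ' ');
}

header('P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"');
$savant->display('login.tmpl.php');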