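<?php
// +---------------------------------------------+
// | Copyright 2003-2005 weenCompany             |
// | http://www.weentech.com                     |
// | This file may not be redistributed.         |
// +---------------------------------------------+
//
// admin/authenticate.php -- admin-panel session handling and access control.
//
// Included by admin pages after core.php.  Nothing below is self-contained:
// this file reads $DB, $mainsettings, $usersystem, $dbname, $rootpath and
// $location, the constants TIMENOW, TABLE_PREFIX, OLDTABLE_PREFIX and
// ADMIN_DIR, and calls GetUserInfo() and LogIn(); LoginUser() / GetUser()
// come from the adminlogin_* query file required further down.
// It leaves $userinfo, $session, $loginerrors, $kickuser (only set on
// failure), $stylefolder and $stylepath for the including page.

if(!defined('IN_WEENCOMPANY')) die('File not found!');

// ########################## LOAD ADMIN SESSION #############################

// Client address: $_SERVER first, then the legacy $HTTP_SERVER_VARS /
// $HTTP_ENV_VARS copies, then a register_globals-style $REMOTE_ADDR.  Only
// REMOTE_ADDR is consulted; proxy headers are not used for this value.
if(!empty($_SERVER['REMOTE_ADDR']))
{
    $userip = $_SERVER['REMOTE_ADDR'];
}
else if(!empty($HTTP_SERVER_VARS['REMOTE_ADDR']))
{
    $userip = $HTTP_SERVER_VARS['REMOTE_ADDR'];
}
else if(!empty($HTTP_ENV_VARS['REMOTE_ADDR']))
{
    $userip = $HTTP_ENV_VARS['REMOTE_ADDR'];
}
else
{
    $userip = isset($REMOTE_ADDR) ? $REMOTE_ADDR : '';
}

// 15 characters fits a dotted IPv4 address; an IPv6 address is truncated, so
// USERIP is not a reliable client identifier for IPv6 clients -- TODO confirm
// the width of the sessions.ipaddress column before widening this.
define('USERIP', addslashes(substr($userip, 0, 15)));
define('USERAGENT', isset($_SERVER['HTTP_USER_AGENT']) ? substr($_SERVER['HTTP_USER_AGENT'], 0, 252) : '');
define('COOKIE_PREFIX', 'cwsa');
define('ONE_YEAR', 60*60*24*365);

$sessioncreated = false;
$loginerrors = array();
$usersettings = array();

// Idle timeout for admin sessions, in seconds; anything missing, non-numeric
// or non-positive falls back to 30 minutes.
if(!isset($mainsettings['admincookietimeout']) || !is_numeric($mainsettings['admincookietimeout']) || $mainsettings['admincookietimeout'] <= 0)
{
    $mainsettings['admincookietimeout'] = 1800;
}

/**
 * Create a new admin session row for $userid and hand its id to the browser.
 *
 * The row is written (REPLACE, keyed on sessionid) to both the TABLE_PREFIX
 * and the OLDTABLE_PREFIX sessions tables.  A userid of 0 records an
 * anonymous, not-logged-in session.
 *
 * @param int $userid  user id from the user system (0 = anonymous)
 * @return array       the session record that was stored
 */
function CreateSession($userid)
{
    global $DB;

    $loggedin = ($userid == 0) ? 0 : 1;

    // uniqid() alone is clock-based and therefore guessable; the second
    // argument mixes in extra entropy.  Where PHP >= 7 is available a
    // random_bytes()-derived id is the proper replacement.
    $session = array(
        'sessionid'    => md5(uniqid(USERIP, true)),
        'userid'       => intval($userid),
        'ipaddress'    => USERIP,
        'useragent'    => USERAGENT,
        'lastactivity' => TIMENOW,
        'location'     => 'Admin Panel',
        'loggedin'     => $loggedin,
    );

    // Same column list and values for both tables; every string value is
    // addslashes()'d, the numeric ones were cast above.
    $columns = '(sessionid, userid, ipaddress, useragent, lastactivity, location, loggedin, admin)';
    $values  = "('" . addslashes($session['sessionid']) . "', "
             . "'" . $session['userid'] . "', "
             . "'" . addslashes($session['ipaddress']) . "', "
             . "'" . addslashes($session['useragent']) . "', "
             . "'" . $session['lastactivity'] . "', "
             . "'" . addslashes($session['location']) . "', "
             . "'" . $session['loggedin'] . "', 1)";

    $DB->query("REPLACE INTO " . TABLE_PREFIX . "sessions " . $columns . " VALUES " . $values);
    $DB->query("REPLACE INTO " . OLDTABLE_PREFIX . "sessions " . $columns . " VALUES " . $values);

    // The cookie outlives the server-side idle timeout on purpose: the row's
    // lastactivity, not the cookie, decides whether the session is still
    // valid.  On PHP >= 5.2 the httponly flag (and secure, over HTTPS) should
    // be added to this call.
    setcookie(COOKIE_PREFIX . "sessionid", $session['sessionid'], TIMENOW + ONE_YEAR, "/");

    return $session;
}

// ############################### USER SYSTEM ################################
// $usersystem is fetched in core.php

if(isset($_POST['loginusername']) OR isset($_POST['loginpassword']))
{
    // A login attempt.  Normalise both fields; a missing one is treated as
    // empty instead of being read as an undefined index.
    $_POST['loginusername'] = trim(strip_tags(isset($_POST['loginusername']) ? $_POST['loginusername'] : ''));
    $_POST['loginpassword'] = trim(strip_tags(isset($_POST['loginpassword']) ? $_POST['loginpassword'] : ''));

    // The admin panel addslashes() POST data; undo that here because the
    // usersystem query file does its own addslashes().  The password is left
    // as-is since (per the original author) it is md5()'d before use.
    $_POST['loginusername'] = stripslashes($_POST['loginusername']);

    // Invision Power Board 2 stores usernames HTML-entity-encoded, and it
    // uses a different entity for the single quote than weenCompany does, so
    // both fields are entity-encoded and the quote entity is rewritten.
    // NOTE(review): the two str_replace() literals below are garbled in this
    // copy of the file (they do not parse as PHP); restore them from the
    // original source.
    if($usersystem['name'] == 'Invision Power Board 2')
    {
        $_POST['loginusername'] = str_replace(''', ''', htmlspecialchars($_POST['loginusername'], ENT_QUOTES));
        $_POST['loginpassword'] = str_replace(''', ''', htmlspecialchars($_POST['loginpassword'], ENT_QUOTES));
    }

    // The require() path is built from $usersystem (site configuration, not
    // request data).  When the forum lives in another database, switch to it
    // around the lookup and back afterwards.
    if($usersystem['dbname'] != $dbname)
    {
        $DB->select_db($usersystem['dbname']);
        require($rootpath . ADMIN_DIR . '/login/adminlogin_' . $usersystem['queryfile']);
        $usersettings = LoginUser($_POST['loginusername'], $_POST['loginpassword']);
        $DB->select_db($dbname);
    }
    else
    {
        // Forum in the same database, or the weenCompany user system.
        require($rootpath . ADMIN_DIR . '/login/adminlogin_' . $usersystem['queryfile']);
        $usersettings = LoginUser($_POST['loginusername'], $_POST['loginpassword']);
    }

    // As used here, LoginUser() returns the settings array on success and an
    // error message (non-array) on failure.
    if(!is_array($usersettings))
    {
        $loginerrors[] = $usersettings;
        $kickuser = true;
    }
    else
    {
        $session = CreateSession($usersettings['userid']);
    }
}
else if(isset($_GET['logout']))
{
    // Clear the browser cookie and drop this user's admin session rows.
    // NOTE(review): $session and $sessionid are not looked up in this branch,
    // so unless the including page provides them only the cookie is cleared
    // and the row is left to the idle-timeout cleanup below.
    setcookie(COOKIE_PREFIX . "sessionid", "", TIMENOW + ONE_YEAR, "/");

    if(isset($session['userid']) AND $session['userid'] > 0)
    {
        $DB->query("DELETE FROM " . TABLE_PREFIX . "sessions WHERE userid = " . intval($session['userid']) . " AND admin = 1");
    }
    if(!empty($sessionid))
    {
        // delete sessions with same sessionid
        $DB->query("DELETE FROM " . TABLE_PREFIX . "sessions WHERE sessionid = '" . addslashes($sessionid) . "'");
    }
}
else
{
    // ############################## FIND SESSIONID ###############################
    // The session id may arrive in POST, GET or the cookie, in that order.
    if(!empty($_POST['s']))
    {
        $sessionid = $_POST['s'];
    }
    else if(!empty($_GET['s']))
    {
        $sessionid = $_GET['s'];
    }
    else
    {
        $sessionid = isset($_COOKIE[COOKIE_PREFIX . 'sessionid']) ? $_COOKIE[COOKIE_PREFIX . 'sessionid'] : '';
    }

    // ############################# CHECK IF SESSION ##############################
    if(!empty($sessionid))
    {
        // $sessionid is request data and is escaped before it enters the
        // query; a genuine id is 32 hex characters, so escaping never alters
        // a valid one.  The row must also be recent and carry the same user
        // agent as this request.
        $sql = "SELECT * FROM " . TABLE_PREFIX . "sessions"
             . " WHERE sessionid = '" . addslashes($sessionid) . "'"
             . " AND lastactivity > " . (TIMENOW - $mainsettings['admincookietimeout'])
             . " AND useragent = '" . addslashes(USERAGENT) . "'"
             . " AND admin = 1";
        $session = $DB->query_first($sql);
    }

    // query_first() is assumed to hand back the row as an array and a
    // non-array (false/null) when nothing matched -- TODO confirm; only a
    // real row is treated as a live session.
    if(isset($session) AND is_array($session))
    {
        // Touch the session: user agent, activity time and current location.
        // $location is expected to be set by the including page -- TODO confirm.
        $DB->query("UPDATE " . TABLE_PREFIX . "sessions SET useragent = '" . addslashes(USERAGENT) . "', lastactivity = " . TIMENOW . ", location = '" . (isset($location) ? addslashes($location) : '') . "' WHERE sessionid = '" . addslashes($session['sessionid']) . "' ");

        if($usersystem['dbname'] != $dbname)
        {
            // Forum in a different database: switch around the lookup.
            $DB->select_db($usersystem['dbname']);
            require($rootpath . ADMIN_DIR . '/login/adminlogin_' . $usersystem['queryfile']);
            $usersettings = GetUser($session['userid']);
            $DB->select_db($dbname);
        }
        else
        {
            // Forum in the same database, or the weenCompany user system.
            require($rootpath . ADMIN_DIR . '/login/adminlogin_' . $usersystem['queryfile']);
            $usersettings = GetUser($session['userid']);
        }
    }
}

// Expire idle sessions.  This also deletes 'normal' weenCompany sessions, which is OK.
$DB->query("DELETE FROM " . TABLE_PREFIX . "sessions WHERE lastactivity < " . intval(TIMENOW - $mainsettings['admincookietimeout']));

// No valid user: fall back to a guest record.  A non-array here is a failed
// LoginUser()/GetUser() result; for a login attempt its message is already in
// $loginerrors and $kickuser is set.
if(!is_array($usersettings) OR count($usersettings) <= 0)
{
    $usersettings = array(
        'userid'         => -1,
        'usergroupids'   => '',
        'username'       => '',
        'loggedin'       => 0,
        'email'          => '',
        'timezoneoffset' => 0,
        'dstonoff'       => 0,
        'dstauto'        => 0,
        'sessionurl'     => '',
    );
}

unset($userinfo);
$userinfo = GetUserInfo($usersettings);
unset($usersettings);

// ############################# AUTHENTICATE USER #############################
// A user is let in when they are a full admin or moderate at least one module
// (moduleadminids / custommoduleadminids are filled in by GetUserInfo() and
// are assumed to be arrays -- TODO confirm).
if($userinfo['userid'] > 0)
{
    // kick user if not admin or mod
    if(!$userinfo['adminaccess'] AND count($userinfo['moduleadminids']) == 0 AND count($userinfo['custommoduleadminids']) == 0)
    {
        $kickuser = true;
        $loginerrors[] = '<b>無權進入後臺管理!</b>';
    }
}
else
{
    $kickuser = true;
}

// Moderators (non-admins with module rights) may only open pages that
// declare MOD_ACCESS.
if(count($userinfo['moduleadminids']) != 0 OR count($userinfo['custommoduleadminids']) != 0)
{
    if(!$userinfo['adminaccess'] AND !defined('MOD_ACCESS'))
    {
        $kickuser = true;
        $loginerrors[] = '進入失敗: 無權進入此頁!';
    }
}

// ... and only the modules they moderate.  The ids are compared loosely
// because the request value is a string and the stored ids may be ints.
if(!$userinfo['adminaccess'])
{
    // check if the user is in a module
    if(isset($_GET['moduleid']) AND (!is_array($userinfo['moduleadminids']) OR !in_array($_GET['moduleid'], $userinfo['moduleadminids'])))
    {
        $kickuser = true;
        $loginerrors[] = '進入失敗: 無權進入此模塊!';
    }
    // check if the user is in a custom module
    if(isset($_GET['custommoduleid']) AND (!is_array($userinfo['custommoduleadminids']) OR !in_array($_GET['custommoduleid'], $userinfo['custommoduleadminids'])))
    {
        $kickuser = true;
        $loginerrors[] = '進入失敗: 無權進入此模塊!';
    }
    // A custom-module page needs a numeric custommoduleid from GET or POST.
    if(defined('CUSTOM_MODULE')
        AND (!isset($_GET['custommoduleid']) OR !is_numeric($_GET['custommoduleid']))
        AND (!isset($_POST['custommoduleid']) OR !is_numeric($_POST['custommoduleid'])))
    {
        $kickuser = true;
        $loginerrors[] = '進入失敗: 無權進入此模塊!';
    }
}

// Anyone flagged above, or explicitly asking for the login form, is sent to
// it (login pages render it inline; other pages redirect to index.php).
if(isset($kickuser) OR isset($_GET['login']))
{
    if(defined('ADMIN_LOGIN') OR !empty($_GET['login']))
    {
        LogIn();
        exit;
    }
    else
    {
        header("Location: index.php");
        exit;
    }
}

// ############################# LOAD ADMIN STYLE ##############################
$stylefolder = 'advanced';
$stylepath = 'styles/' . $stylefolder . '/';
?>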