
    <?php
// +---------------------------------------------+
// |     Copyright 2003-2005 weenCompany |
// |     http://www.weentech.com               |
// |     This file may not be redistributed.     |
// +---------------------------------------------+

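if(!defined('IN_WEENCOMPANY'))
  die('File not found!');

// ########################## LOAD ADMIN SESSION #############################

// Resolve the client address. $_SERVER is the supported source on every PHP
// still in use; $HTTP_SERVER_VARS, $HTTP_ENV_VARS and the register_globals
// $REMOTE_ADDR are legacy aliases that no longer exist on modern PHP, so they
// are consulted only when $_SERVER has nothing (keeps the original fallback order).
if(!empty($_SERVER['REMOTE_ADDR']))
{
  $userip = $_SERVER['REMOTE_ADDR'];
}
else if(!empty($HTTP_SERVER_VARS['REMOTE_ADDR']))
{
  $userip = $HTTP_SERVER_VARS['REMOTE_ADDR'];
}
else if(!empty($HTTP_ENV_VARS['REMOTE_ADDR']))
{
  $userip = $HTTP_ENV_VARS['REMOTE_ADDR'];
}
else
{
  $userip = isset($REMOTE_ADDR) ? $REMOTE_ADDR : '';
}

// USERIP is cut to 15 characters (the width of a dotted-quad IPv4 address), so
// an IPv6 client is recorded truncated; the session queries below do not bind
// the session to this value, only the user agent. Escaped once here, and the
// INSERT in CreateSession() escapes it a second time.
define('USERIP',        addslashes(substr($userip, 0, 15)));
// The user agent may be absent (non-browser clients): store '' instead of
// reading an undefined index. 252 chars is presumably the column width.
define('USERAGENT',     isset($_SERVER['HTTP_USER_AGENT']) ? substr($_SERVER['HTTP_USER_AGENT'], 0, 252) : '');
define('COOKIE_PREFIX', 'cwsa');
define('ONE_YEAR',      60*60*24*365);

$sessioncreated = false;

// human-readable login failure messages collected below (presumably rendered by LogIn())
$loginerrors = array();

// user row returned by LoginUser()/GetUser() of the configured user system
$usersettings = array();

// admin session inactivity timeout in seconds; fall back to 30 minutes when the
// setting is missing, non-numeric or not positive
if(!isset($mainsettings['admincookietimeout']) || !is_numeric($mainsettings['admincookietimeout']) || $mainsettings['admincookietimeout'] <= 0)
{
  $mainsettings['admincookietimeout'] = 1800;
}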

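/**
 * Create (or replace) an admin-panel session row for a user and hand the
 * session id to the browser in a cookie.
 *
 * @param int $userid  user id; 0 creates a session with loggedin = 0
 * @return array       the session row as written (sessionid, userid, ipaddress,
 *                     useragent, lastactivity, location, loggedin)
 */
function CreateSession($userid)
{
  global $DB;

  $loggedin = $userid == 0 ? 0 : 1;

  // The session id is 32 hex characters either way, so the stored width is
  // unchanged. random_bytes() (PHP 7+) is unpredictable; md5(uniqid()) is kept
  // only as the fallback for older runtimes, where uniqid() is derived from the
  // clock and therefore guessable.
  if(function_exists('random_bytes'))
  {
    $sessionid = bin2hex(random_bytes(16));
  }
  else
  {
    $sessionid = md5(uniqid(USERIP));
  }

  $session = array('sessionid'    => $sessionid,
                   'userid'       => intval($userid),
                   'ipaddress'    => USERIP,
                   'useragent'    => USERAGENT,
                   'lastactivity' => TIMENOW,
                   'location'     => 'Admin Panel',
                   'loggedin'     => $loggedin);

  // The same row is written to the current and the legacy (OLDTABLE_PREFIX)
  // sessions tables, current table first; admin is always 1 for this panel.
  foreach(array(TABLE_PREFIX, OLDTABLE_PREFIX) as $prefix)
  {
    $DB->query("REPLACE INTO " . $prefix . "sessions (sessionid, userid, ipaddress, useragent, lastactivity, location, loggedin, admin)
                VALUES ('" . addslashes($session['sessionid']) . "', '" . $session['userid'] . "', '" . addslashes($session['ipaddress']) . "',
                        '" . addslashes($session['useragent']) . "', '" . $session['lastactivity'] . "',
                        '" . addslashes($session['location'])  . "',  '" . $session['loggedin'] . "', 1) ");
  }

  // httponly keeps the admin session cookie out of reach of page scripts; the
  // server-side timeout (admincookietimeout) is what actually bounds the session,
  // the one-year cookie lifetime only keeps the id available to the browser.
  setcookie(COOKIE_PREFIX . "sessionid", $session['sessionid'], TIMENOW + ONE_YEAR, "/", "", false, true);

  return $session;
}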


// ############################### USER SYSTEM  ################################
// usersystem is fetched in core.php

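// check and secure login info
if(isset($_POST['loginusername']) OR isset($_POST['loginpassword']))
{
  // first secure the data; either field may be missing when only the other was
  // posted, so read each one defensively instead of hitting an undefined index
  $_POST['loginusername'] = isset($_POST['loginusername']) ? trim(strip_tags($_POST['loginusername'])) : '';
  $_POST['loginpassword'] = isset($_POST['loginpassword']) ? trim(strip_tags($_POST['loginpassword'])) : '';

  // the admin panel addslashes to post data, lets get rid of that here
  // it's okay becuase addslashes is actually performed in the usersystem files
  $_POST['loginusername'] = stripslashes($_POST['loginusername']);
  // not needed for the password, it will be md5()'d

  // the admin panel doesn't htmlspecialchars() post data, however if using IPB then
  // we will have to htmlspecialchars($loginusername) becuase IPB stores usernames
  // with specialchars as their entities in the database (ex: weenduck' = weenduck&#39;)
  // it should also be noted that weencompany converts ' to &#039;
  // so if using IPB, not only will we htmlspecialchars but we have to fix the single quote
  if($usersystem['name'] == 'Invision Power Board 2')
  {
    $_POST['loginusername'] = str_replace('&#039;', '&#39;', htmlspecialchars($_POST['loginusername'], ENT_QUOTES));
    $_POST['loginpassword'] = str_replace('&#039;', '&#39;', htmlspecialchars($_POST['loginpassword'], ENT_QUOTES));
  }

  // The login query file is loaded and LoginUser() runs against the user
  // system's database. When weenCompany is integrated with a forum in a
  // different database we switch to it for the lookup and back afterwards;
  // a forum in the same database, or the weenCompany user system, needs no switch.
  $switchdb = ($usersystem['dbname'] != $dbname);
  if($switchdb)
  {
    $DB->select_db($usersystem['dbname']);
  }
  require($rootpath . ADMIN_DIR.'/login/adminlogin_' . $usersystem['queryfile']);
  $usersettings = LoginUser($_POST['loginusername'], $_POST['loginpassword']);
  if($switchdb)
  {
    $DB->select_db($dbname);
  }

  if(!is_array($usersettings))
  {
    // LoginUser() returned an error message instead of a user row
    $loginerrors[] = $usersettings;
    $kickuser = true;
  }
  else
  {
    $session = CreateSession($usersettings['userid']);
  }
}
else if (isset($_GET['logout']))
{
  // expire the cookie (a date in the past makes the browser drop it) rather
  // than leaving an empty cookie around for another year
  setcookie(COOKIE_PREFIX . "sessionid", "", TIMENOW - ONE_YEAR, "/");

  // NOTE(review): neither $session nor $sessionid is assigned in this branch;
  // they are presumably populated earlier (core.php) — confirm before relying on them.
  if(isset($session['userid']) && $session['userid'] > 0)
  {
    $DB->query("DELETE FROM " . TABLE_PREFIX . "sessions WHERE userid = " . intval($session['userid']) . " AND admin = 1");
  }

  if(!empty($sessionid))
  {
    // delete sessions with same sessionid
    $DB->query("DELETE FROM " . TABLE_PREFIX . "sessions WHERE sessionid = '" . addslashes($sessionid) . "'");
  }
}
else
{
  // ############################## FIND SESSIONID ###############################
  // The id is taken from the request (POST/GET 's') before the cookie,
  // presumably because the admin panel passes it in links and forms. An id
  // carried in a URL can leak through referrers and server logs, so the cookie
  // is the safer carrier; the request forms are kept for compatibility.

  if(!empty($_POST['s']))
  {
    $sessionid = $_POST['s'];
  }
  else if(!empty($_GET['s']))
  {
    $sessionid = $_GET['s'];
  }
  else
  {
    $sessionid = isset($_COOKIE[COOKIE_PREFIX . 'sessionid']) ? $_COOKIE[COOKIE_PREFIX . 'sessionid'] : '';
  }

  // ############################# CHECK IF SESSION ##############################

  if(!empty($sessionid))
  {
    // $sessionid comes straight from the request and must be escaped like every
    // other value this file embeds in SQL (the original interpolated it raw).
    // A session is only valid while lastactivity is within admincookietimeout
    // and the user agent still matches.
    $sql = "SELECT * FROM " . TABLE_PREFIX . "sessions
            WHERE sessionid    = '" . addslashes($sessionid) . "'
            AND   lastactivity > " . (TIMENOW - $mainsettings['admincookietimeout']) . "
            AND   useragent    = '" . addslashes(USERAGENT) . "'
            AND   admin        = 1";

    $session = $DB->query_first($sql);
  }

  // only act on a real row: a false/null "no match" result from query_first()
  // must not be treated as a session
  if(isset($session) && is_array($session))
  {
    // NOTE(review): $location is set by the including page; it is escaped here
    // like the other values — confirm it is not already escaped upstream.
    $DB->query("UPDATE " . TABLE_PREFIX . "sessions SET useragent    = '" . addslashes(USERAGENT) . "',
                                                  lastactivity = " . TIMENOW . ",
                                                  location     = '" . (isset($location) ? addslashes($location) : '') . "'
                                            WHERE sessionid    = '" . addslashes($session['sessionid']) . "' ");

    // same database-switching rule as the login branch above
    $switchdb = ($usersystem['dbname'] != $dbname);
    if($switchdb)
    {
      $DB->select_db($usersystem['dbname']);
    }
    require($rootpath . ADMIN_DIR.'/login/adminlogin_' . $usersystem['queryfile']);
    $usersettings = GetUser($session['userid']);
    if($switchdb)
    {
      $DB->select_db($dbname);
    }
  }
}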

// Purge every session row (admin or not) whose last activity is older than the
// admin timeout. This will also delete 'normal' weenCompany sessions but that's OK.
$DB->query(sprintf("DELETE FROM %ssessions WHERE lastactivity < %d",
                   TABLE_PREFIX,
                   TIMENOW - $mainsettings['admincookietimeout']));


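// Fall back to a guest record when no user row was loaded. On a failed login
// $usersettings holds the error string returned by LoginUser(); count() on a
// string is a TypeError on PHP 8 (and returned 1 on old PHP, which then fed the
// string to GetUserInfo()), so check is_array() first.
if(!is_array($usersettings) || count($usersettings) <= 0)
{
  $usersettings = array('userid'         => -1,
                        'usergroupids'   => '',
                        'username'       => '',
                        'loggedin'       => 0,
                        'email'          => '',
                        'timezoneoffset' => 0,
                        'dstonoff'       => 0,
                        'dstauto'        => 0,
                        'sessionurl'     => '');
}

// $userinfo is the normalised user record used by the checks below;
// the raw user-system row is dropped once it has been converted
unset($userinfo);
$userinfo = GetUserInfo($usersettings);
unset($usersettings);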

// ############################# AUTHENTICATE USER #############################

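// A user gets in only if they have full admin access or moderate at least one
// module / custom module; anyone else (including guests, userid <= 0) is kicked.
if($userinfo['userid'] > 0)
{
  // kick user if not admin or mod
  if(!$userinfo['adminaccess'] AND count($userinfo['moduleadminids']) == 0 AND count($userinfo['custommoduleadminids']) == 0)
  {
    $kickuser = true;
    $loginerrors[] = '<b>無權進入後臺管理!</b>';
  }
}
else
{
  $kickuser = true;
}

// is the user a moderator?
if(count($userinfo['moduleadminids']) != 0 OR count($userinfo['custommoduleadminids']) != 0)
{
  // and does this moderator have access to this page? Pages a moderator may
  // open declare MOD_ACCESS; everything else is admin-only.
  if(!$userinfo['adminaccess'] AND !defined('MOD_ACCESS'))
  {
    $kickuser = true;
    $loginerrors[] = '進入失敗: 無權進入此頁!';
  }
}

// if mod, then make sure he has access to the module
if(!$userinfo['adminaccess'])
{
  // The requested module id comes from the query string. The (array) cast keeps
  // in_array() well-defined if the id list is not an array (the original hid
  // that case with @). Loose comparison is retained because the list's element
  // type (int vs numeric string) is not visible here.

  // check if the user is in a module
  if(isset($_GET['moduleid']) AND !in_array($_GET['moduleid'], (array)$userinfo['moduleadminids']))
  {
    $kickuser = true;
    $loginerrors[] = '進入失敗: 無權進入此模塊!';
  }

  // check if the user is in a custom module
  if(isset($_GET['custommoduleid']) AND !in_array($_GET['custommoduleid'], (array)$userinfo['custommoduleadminids']))
  {
    $kickuser = true;
    $loginerrors[] = '進入失敗: 無權進入此模塊!';
  }

  // a custom-module page must be given a numeric custommoduleid in GET or POST
  if(defined('CUSTOM_MODULE')
     AND !(isset($_GET['custommoduleid']) AND is_numeric($_GET['custommoduleid']))
     AND !(isset($_POST['custommoduleid']) AND is_numeric($_POST['custommoduleid'])))
  {
    $kickuser = true;
    $loginerrors[] = '進入失敗: 無權進入此模塊!';
  }
}


if(isset($kickuser) OR isset($_GET['login']))
{
  // Show the login form on the login page itself or on an explicit ?login=
  // request; otherwise bounce to the index (which presumably defines ADMIN_LOGIN).
  // $_GET['login'] is only present on that explicit request, so test it with
  // !empty() instead of reading a possibly undefined index.
  if(defined('ADMIN_LOGIN') OR !empty($_GET['login']))
  {
    LogIn();
    exit;
  }
  else
  {
    header("Location: index.php");
    exit;
  }
}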



// ############################# LOAD ADMIN STYLE ##############################

// the admin panel uses a single fixed style; $stylepath is relative to the admin dir
$stylefolder = 'advanced';
$stylepath   = "styles/{$stylefolder}/";

?>