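<?php
# MantisBT - A PHP based bugtracking system

# MantisBT is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 2 of the License, or
# (at your option) any later version.
#
# MantisBT is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with MantisBT. If not, see <http://www.gnu.org/licenses/>.

/**
 * Login page POSTs results to login.php
 * Check to see if the user is already logged in
 *
 * Renders the login form (username, password, remember-me and optional
 * secure-session checkbox), redirects away when the visitor is already
 * authenticated or when an automatic logon method bypasses the form, and
 * finally, when 'admin_checks' is ON, prints untranslated warnings about
 * insecure installation state (default administrator account, exposed
 * admin/ directory, database schema out of date).
 *
 * @package MantisBT
 * @copyright Copyright (C) 2000 - 2002 Kenzaburo Ito - kenito@300baud.org
 * @copyright Copyright (C) 2002 - 2011 MantisBT Team - mantisbt-dev@lists.sourceforge.net
 * @link http://www.mantisbt.org
 *
 * @uses core.php
 * @uses authentication_api.php
 * @uses config_api.php
 * @uses constant_inc.php
 * @uses current_user_api.php
 * @uses database_api.php
 * @uses gpc_api.php
 * @uses html_api.php
 * @uses lang_api.php
 * @uses print_api.php
 * @uses string_api.php
 * @uses user_api.php
 * @uses utility_api.php
 */

/**
 * MantisBT Core API's
 */
require_once( 'core.php' );
require_api( 'authentication_api.php' );
require_api( 'config_api.php' );
require_api( 'constant_inc.php' );
require_api( 'current_user_api.php' );
require_api( 'database_api.php' );
require_api( 'gpc_api.php' );
require_api( 'html_api.php' );
require_api( 'lang_api.php' );
require_api( 'print_api.php' );
require_api( 'string_api.php' );
require_api( 'user_api.php' );
require_api( 'utility_api.php' );
require_css( 'login.css' );

# An authenticated, non-anonymous user has no business on the login page:
# send them to their home page instead of showing the form again.
if ( auth_is_user_authenticated() && !current_user_is_anonymous() ) {
	print_header_redirect( config_get( 'default_home_page' ) );
}

# Request parameters (all read through the gpc API, never raw from $_GET/$_POST).
$f_error = gpc_get_bool( 'error' );
$f_cookie_error = gpc_get_bool( 'cookie_error' );
# The post-login destination is sanitized here so that only a safe,
# relative URL is ever echoed back into the form or a redirect.
$f_return = string_sanitize_url( gpc_get_string( 'return', '' ) );
$f_username = gpc_get_string( 'username', '' );
$f_perm_login = gpc_get_bool( 'perm_login', false );
$f_secure_session = gpc_get_bool( 'secure_session', false );
# Remembered preference for the secure-session checkbox; null when the cookie is absent.
$f_secure_session_cookie = gpc_get_cookie( config_get_global( 'cookie_prefix' ) . '_secure_session', null );

# Whether the secure-session option (session validation) is enabled at all.
$t_session_validation = ( ON == config_get_global( 'session_validation' ) );

# Check for automatic logon methods where we want the logon to just be handled by login.php
if ( auth_automatic_logon_bypass_form() ) {
	$t_uri = "login.php";

	if ( ON == config_get( 'allow_anonymous_login' ) ) {
		$t_uri = "login_anon.php";
	}

	# Propagate the (sanitized) return URL so the user lands where they asked.
	if ( !is_blank( $f_return ) ) {
		$t_uri .= "?return=" . string_url( $f_return );
	}

	print_header_redirect( $t_uri );
	exit;
}

# Determine if secure_session should default on or off?
# - If no errors, and no cookies set, default to on.
# - If no errors, but cookie is set, use the cookie value.
# - If errors, use the value passed in.
# Note: $t_default_secure_session is only defined when session validation is
# enabled; the form below only reads it inside the same condition.
if ( $t_session_validation ) {
	if ( !$f_error && !$f_cookie_error ) {
		$t_default_secure_session = ( is_null( $f_secure_session_cookie ) ? true : $f_secure_session_cookie );
	} else {
		$t_default_secure_session = $f_secure_session;
	}
}

# Determine whether the username or password field should receive automatic focus.
# Compare against the empty string explicitly: a truthiness test would treat the
# legitimate username "0" as "no username supplied".
$t_username_field_autofocus = 'autofocus';
$t_password_field_autofocus = '';
if ( $f_username !== '' ) {
	$t_username_field_autofocus = '';
	$t_password_field_autofocus = 'autofocus';
}

# Login page shouldn't be indexed by search engines
html_robots_noindex();

html_page_top1();
html_page_top2a();

# Report a failed login and/or missing cookie support above the form.
if( $f_error || $f_cookie_error ) {
	echo '<div class="important-msg">';
	echo '<ul>';

	# Only echo error message if error variable is set
	if ( $f_error ) {
		echo '<li>' . lang_get( 'login_error' ) . '</li>';
	}
	if ( $f_cookie_error ) {
		echo '<li>' . lang_get( 'login_cookies_disabled' ) . '</li>';
	}
	echo '</ul>';
	echo '</div>';
}
?>

<!-- Login Form BEGIN -->
<div id="login-div" class="form-container">
	<form id="login-form" method="post" action="login.php">
		<fieldset>
			<legend><span><?php echo lang_get( 'login_title' ) ?></span></legend>
			<?php
			# The return URL is HTML-escaped before being placed in the attribute.
			if ( !is_blank( $f_return ) ) {
				echo '<input type="hidden" name="return" value="', string_html_specialchars( $f_return ), '" />';
			}
			# CSRF protection not required here - form does not result in modifications
			echo '<ul id="login-links">';

			if ( ON == config_get( 'allow_anonymous_login' ) ) {
				echo '<li><a href="login_anon.php?return=' . string_url( $f_return ) . '">' . lang_get( 'login_anonymously' ) . '</a></li>';
			}

			# Self-signup needs e-mail notifications and is not offered for LDAP accounts.
			if ( ( ON == config_get_global( 'allow_signup' ) ) &&
				( LDAP != config_get_global( 'login_method' ) ) &&
				( ON == config_get( 'enable_email_notification' ) )
			) {
				echo '<li><a href="signup_page.php">', lang_get( 'signup_link' ), '</a></li>';
			}
			# lost password feature disabled or reset password via email disabled -> stop here!
			if ( ( LDAP != config_get_global( 'login_method' ) ) &&
				( ON == config_get( 'lost_password_feature' ) ) &&
				( ON == config_get( 'send_reset_password' ) ) &&
				( ON == config_get( 'enable_email_notification' ) ) ) {
				echo '<li><a href="lost_pwd_page.php">', lang_get( 'lost_password_link' ), '</a></li>';
			}
			?>
			</ul>
			<div class="field-container <?php echo helper_alternate_class_no_attribute(); ?>">
				<label for="username"><span><?php echo lang_get( 'username' ) ?></span></label>
				<span class="input"><input id="username" type="text" name="username" size="32" maxlength="<?php echo USERLEN;?>" value="<?php echo string_attribute( $f_username ); ?>" class="<?php echo $t_username_field_autofocus ?>" /></span>
				<span class="label-style"></span>
			</div>
			<div class="field-container <?php echo helper_alternate_class_no_attribute(); ?>">
				<label for="password"><span><?php echo lang_get( 'password' ) ?></span></label>
				<span class="input"><input id="password" type="password" name="password" size="16" maxlength="<?php echo PASSLEN;?>" class="<?php echo $t_password_field_autofocus ?>" /></span>
				<span class="label-style"></span>
			</div>
			<div class="field-container <?php echo helper_alternate_class_no_attribute(); ?>">
				<label for="remember-login"><span><?php echo lang_get( 'save_login' ) ?></span></label>
				<span class="input"><input id="remember-login" type="checkbox" name="perm_login" <?php echo ( $f_perm_login ? 'checked="checked" ' : '' ) ?>/></span>
				<span class="label-style"></span>
			</div>
			<?php if ( $t_session_validation ) { ?>
			<div class="field-container <?php echo helper_alternate_class_no_attribute(); ?>">
				<label id="secure-session-label" for="secure-session"><span><?php echo lang_get( 'secure_session' ) ?></span></label>
				<span class="input">
					<input id="secure-session" type="checkbox" name="secure_session" <?php echo ( $t_default_secure_session ? 'checked="checked" ' : '' ) ?>/>
					<span id="session-msg"><?php echo lang_get( 'secure_session_long' ); ?></span>
				</span>
				<span class="label-style"></span>
			</div>
			<?php } ?>
			<span class="submit-button"><input type="submit" class="button" value="<?php echo lang_get( 'login_button' ) ?>" /></span>
		</fieldset>
	</form>
</div>

<?php

# Do some checks to warn administrators of possible security holes.
# Since this is considered part of the admin-checks, the strings are not translated.

if ( ON == config_get_global( 'admin_checks' ) ) {
	$t_warnings = array();

	# Generate a warning if administrator/root is valid.
	# The shipped default account must be disabled or re-passworded after install.
	$t_admin_user_id = user_get_id_by_name( 'administrator' );
	if ( $t_admin_user_id !== false ) {
		if ( user_is_enabled( $t_admin_user_id ) && auth_does_password_match( $t_admin_user_id, 'root' ) ) {
			$t_warnings[] = lang_get( 'warning_default_administrator_account_present' );
		}
	}

	# Check if the admin directory is available and is readable.
	# The installer/upgrader lives there and should be removed from production deployments.
	$t_admin_dir = dirname( __FILE__ ) . DIRECTORY_SEPARATOR . 'admin' . DIRECTORY_SEPARATOR;
	if ( is_dir( $t_admin_dir ) ) {
		$t_warnings[] = lang_get( 'warning_admin_directory_present' );
	}
	# The '@' is kept deliberately: file_exists() may emit an open_basedir warning
	# here, and that must not leak into the rendered login page.
	if ( is_dir( $t_admin_dir ) && is_readable( $t_admin_dir ) && is_executable( $t_admin_dir ) && @file_exists( "$t_admin_dir/." ) ) {
		# since admin directory and db_upgrade lists are available check for missing db upgrades
		# Check for db upgrade for versions < 1.0.0 using old upgrader
		$t_db_version = config_get( 'database_version' , 0 );
		# if db version is 0, we haven't moved to new installer.
		if ( $t_db_version == 0 ) {
			$t_upgrade_count = 0;
			# Table name comes from configuration, not from the request.
			if ( db_table_exists( db_get_table( 'upgrade' ) ) ) {
				$query = "SELECT COUNT(*) from " . db_get_table( 'upgrade' ) . ";";
				$result = db_query_bound( $query );
				if ( db_num_rows( $result ) > 0 ) {
					$t_upgrade_count = (int)db_result( $result );
				}
			}

			if ( $t_upgrade_count > 0 ) { # table exists, check for number of updates

				# new config table database version is 0.
				# old upgrade tables exist.
				# assume user is upgrading from <1.0 and therefore needs to update to 1.x before upgrading to 1.2
				$t_warnings[] = lang_get( 'error_database_version_out_of_date_1' );
			} else {
				# old upgrade tables do not exist, yet config database_version is 0
				$t_warnings[] = lang_get( 'error_database_no_schema_version' );
			}
		}

		# Check for db upgrade for versions > 1.0.0 using new installer and schema
		# schema.php defines $upgrade, the list of schema steps; the last index is the expected version.
		require_once( 'admin' . DIRECTORY_SEPARATOR . 'schema.php' );
		$t_upgrades_reqd = count( $upgrade ) - 1;

		if ( ( 0 < $t_db_version ) &&
			( $t_db_version != $t_upgrades_reqd ) ) {

			# Database behind the code -> run the upgrader; database ahead -> code is stale.
			if ( $t_db_version < $t_upgrades_reqd ) {
				$t_warnings[] = lang_get( 'error_database_version_out_of_date_2' );
			} else {
				$t_warnings[] = lang_get( 'error_code_version_out_of_date' );
			}
		}
	}
	# Warnings are fixed language strings, not user input, so they are echoed as-is.
	if( count( $t_warnings ) > 0 ) {
		echo '<div class="important-msg">';
		echo '<ul>';
		foreach( $t_warnings AS $t_warning ) {
			echo '<li>' . $t_warning . '</li>';
		}
		echo '</ul>';
		echo '</div>';
	}
} # if 'admin_checks'

html_page_bottom1a( __FILE__ );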