2 # MantisBT - A PHP based bugtracking system
4 # MantisBT is free software: you can redistribute it and/or modify
5 # it under the terms of the GNU General Public License as published by
6 # the Free Software Foundation, either version 2 of the License, or
7 # (at your option) any later version.
9 # MantisBT is distributed in the hope that it will be useful,
10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 # GNU General Public License for more details.
14 # You should have received a copy of the GNU General Public License
15 # along with MantisBT. If not, see <http://www.gnu.org/licenses/>.
18 * Login page POSTs results to login.php
19 * Check to see if the user is already logged in
22 * @copyright Copyright (C) 2000 - 2002 Kenzaburo Ito - kenito@300baud.org
23 * @copyright Copyright (C) 2002 - 2010 MantisBT Team - mantisbt-dev@lists.sourceforge.net
24 * @link http://www.mantisbt.org
27 * @uses authentication_api.php
28 * @uses config_api.php
29 * @uses constant_inc.php
30 * @uses current_user_api.php
31 * @uses database_api.php
36 * @uses string_api.php
38 * @uses utility_api.php
41 require_once( 'core.php' );
42 require_api( 'authentication_api.php' );
43 require_api( 'config_api.php' );
44 require_api( 'constant_inc.php' );
45 require_api( 'current_user_api.php' );
46 require_api( 'database_api.php' );
47 require_api( 'gpc_api.php' );
48 require_api( 'html_api.php' );
49 require_api( 'lang_api.php' );
50 require_api( 'print_api.php' );
51 require_api( 'string_api.php' );
52 require_api( 'user_api.php' );
53 require_api( 'utility_api.php' );
55 if ( auth_is_user_authenticated() && !current_user_is_anonymous() ) {
56 print_header_redirect( config_get( 'default_home_page' ) );
59 $f_error = gpc_get_bool( 'error' );
60 $f_cookie_error = gpc_get_bool( 'cookie_error' );
61 $f_return = string_sanitize_url( gpc_get_string( 'return', '' ) );
62 $f_username = gpc_get_string( 'username', '' );
63 $f_perm_login = gpc_get_bool( 'perm_login', false );
64 $f_secure_session = gpc_get_bool( 'secure_session', false );
65 $f_secure_session_cookie = gpc_get_cookie( config_get_global( 'cookie_prefix' ) . '_secure_session', null );
67 $t_session_validation = ( ON
== config_get_global( 'session_validation' ) );
69 # Check for automatic logon methods where we want the logon to just be handled by login.php
70 if ( auth_automatic_logon_bypass_form() ) {
73 if ( ON
== config_get( 'allow_anonymous_login' ) ) {
74 $t_uri = "login_anon.php";
77 if ( !is_blank( $f_return ) ) {
78 $t_uri .= "?return=" . string_url( $f_return );
81 print_header_redirect( $t_uri );
85 # Login page shouldn't be indexed by search engines
86 html_robots_noindex();
91 echo '<br /><div align="center">';
93 # Display short greeting message
94 # echo lang_get( 'login_page_info' ) . '<br />';
96 # Only echo error message if error variable is set
98 echo '<font color="red">' . lang_get( 'login_error' ) . '</font>';
100 if ( $f_cookie_error ) {
101 echo lang_get( 'login_cookies_disabled' ) . '<br />';
104 # Determine if secure_session should default on or off?
105 # - If no errors, and no cookies set, default to on.
106 # - If no errors, but cookie is set, use the cookie value.
107 # - If errors, use the value passed in.
108 if ( $t_session_validation ) {
109 if ( !$f_error && !$f_cookie_error ) {
110 $t_default_secure_session = ( is_null( $f_secure_session_cookie ) ?
true : $f_secure_session_cookie );
112 $t_default_secure_session = $f_secure_session;
119 <!-- Login Form BEGIN
-->
122 <form name
="login_form" method
="post" action
="login.php">
123 <?php
# CSRF protection not required here - form does not result in modifications ?>
124 <table
class="width50" cellspacing
="1">
126 <td
class="form-title">
128 if ( !is_blank( $f_return ) ) {
130 <input type
="hidden" name
="return" value
="<?php echo string_html_specialchars( $f_return ) ?>" />
133 echo lang_get( 'login_title' ) ?
>
137 if ( ON
== config_get( 'allow_anonymous_login' ) ) {
138 print_bracket_link( 'login_anon.php?return=' . string_url( $f_return ), lang_get( 'login_anonymously' ) );
144 <td
class="category">
145 <?php
echo lang_get( 'username' ) ?
>
148 <input type
="text" name
="username" size
="28" maxlength
="<?php echo USERLEN;?>" value
="<?php echo string_attribute( $f_username ); ?>" />
152 <td
class="category">
153 <?php
echo lang_get( 'password' ) ?
>
156 <input type
="password" name
="password" size
="16" maxlength
="<?php echo PASSLEN;?>" />
160 <td
class="category">
161 <?php
echo lang_get( 'save_login' ) ?
>
164 <input type
="checkbox" name
="perm_login" <?php
echo ( $f_perm_login ?
'checked="checked" ' : '' ) ?
>/>
167 <?php
if ( $t_session_validation ) { ?
>
169 <td
class="category">
170 <?php
echo lang_get( 'secure_session' ) ?
>
173 <input type
="checkbox" name
="secure_session" <?php
echo ( $t_default_secure_session ?
'checked="checked" ' : '' ) ?
>/>
174 <?php
echo '<span class="small">' . lang_get( 'secure_session_long' ) . '</span>' ?
>
179 <td
class="center" colspan
="2">
180 <input type
="submit" class="button" value
="<?php echo lang_get( 'login_button' ) ?>" />
188 echo '<br /><div align="center">';
191 print_lost_password_link();
195 # Do some checks to warn administrators of possible security holes.
196 # Since this is considered part of the admin-checks, the strings are not translated.
199 if ( config_get_global( 'admin_checks' ) == ON
) {
201 # Generate a warning if administrator/root is valid.
202 $t_admin_user_id = user_get_id_by_name( 'administrator' );
203 if ( $t_admin_user_id !== false ) {
204 if ( user_is_enabled( $t_admin_user_id ) && auth_does_password_match( $t_admin_user_id, 'root' ) ) {
205 echo '<div class="warning" align="center">', "\n";
206 echo "\t", '<p><font color="red">', lang_get( 'warning_default_administrator_account_present' ), '</font></p>', "\n";
211 # Check if the admin directory is available and is readable.
212 $t_admin_dir = dirname( __FILE__
) . DIRECTORY_SEPARATOR
. 'admin' . DIRECTORY_SEPARATOR
;
213 if ( is_dir( $t_admin_dir ) && is_readable( $t_admin_dir ) ) {
214 echo '<div class="warning" align="center">', "\n";
215 echo '<p><font color="red">', lang_get( 'warning_admin_directory_present' ), '</font></p>', "\n";
218 # since admin directory and db_upgrade lists are available check for missing db upgrades
219 # Check for db upgrade for versions < 1.0.0 using old upgrader
220 $t_db_version = config_get( 'database_version' , 0 );
221 # if db version is 0, we haven't moved to new installer.
222 if ( $t_db_version == 0 ) {
223 $t_upgrade_count = 0;
224 if ( db_table_exists( db_get_table( 'upgrade' ) ) ) {
225 $query = "SELECT COUNT(*) from " . db_get_table( 'upgrade' ) . ";";
226 $result = db_query_bound( $query );
227 if ( db_num_rows( $result ) > 0 ) {
228 $t_upgrade_count = (int)db_result( $result );
232 if ( $t_upgrade_count > 0 ) { # table exists, check for number of updates
234 # new config table database version is 0.
235 # old upgrade tables exist.
236 # assume user is upgrading from <1.0 and therefore needs to update to 1.x before upgrading to 1.2
237 echo '<div class="warning" align="center">';
238 echo '<p><font color="red">', lang_get( 'error_database_version_out_of_date_1' ), '</font></p>';
241 # old upgrade tables do not exist, yet config database_version is 0
242 echo '<div class="warning" align="center">';
243 echo '<p><font color="red">', lang_get( 'error_database_no_schema_version' ), '</font></p>';
248 # Check for db upgrade for versions > 1.0.0 using new installer and schema
249 require_once( 'admin' . DIRECTORY_SEPARATOR
. 'schema.php' );
250 $t_upgrades_reqd = count( $upgrade ) - 1;
252 if ( ( 0 < $t_db_version ) &&
253 ( $t_db_version != $t_upgrades_reqd ) ) {
255 if ( $t_db_version < $t_upgrades_reqd ) {
256 echo '<div class="warning" align="center">';
257 echo '<p><font color="red">', lang_get( 'error_database_version_out_of_date_2' ), '</font></p>';
260 echo '<div class="warning" align="center">';
261 echo '<p><font color="red">', lang_get( 'error_code_version_out_of_date' ), '</font></p>';
267 } # if 'admin_checks'
270 <!-- Autofocus JS
-->
271 <?php
if ( ON
== config_get( 'use_javascript' ) ) { ?
>
272 <script type
="text/javascript" language
="JavaScript">
274 window
.document
.login_form
.<?php
if ( is_blank( $f_username ) ) { echo 'username'; } else { echo 'password'; } ?
>.focus();
280 html_page_bottom1a( __FILE__
);