
Small improvements

Phyks (Lucas Verney) 7 years ago
parent
commit
109aae4cbe
7 changed files with 68 additions and 9 deletions
  1. 0
    0
      doc/config.php.sample
  2. 16
    0
      inc/Ban.inc.php
  3. 15
    5
      inc/CSRF.inc.php
  4. 7
    1
      inc/Invoices.class.php
  5. 14
    2
      inc/Storage.class.php
  6. 15
    0
      inc/User.class.php
  7. 1
    1
      install.php

inc/config.php.sample → doc/config.php.sample View File


+ 16
- 0
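--- a/inc/Ban.inc.php
+++ b/inc/Ban.inc.php
@@ -1,11 +1,22 @@
 <?php
+    // Ban system from sebsauvage
+    // Usage :
+    // * Use ban_canLogin() to check wether the user CAN login or not
+    // * If true, test wether password is correct or not
+    // *    If true, call ban_loginOk()
+    // *    Else, call ban_loginFailed()
+    // * Else, reject auth
+
     define('DATA_DIR', 'data'); // Data subdirectory
     define('IPBANS_FILENAME', DATA_DIR.'/ipbans.php'); // File storage for failures and bans.
     define('BAN_AFTER', 5); // Ban IP after this many failures.
     define('BAN_DURATION', 1800); // Ban duration for IP address after login failures (in seconds) (1800 sec. = 30 minutes)
+
     if (!is_dir(DATA_DIR)) { mkdir(DATA_DIR,0705); chmod(DATA_DIR,0705); }
     if (!is_file(DATA_DIR.'/.htaccess')) { file_put_contents(DATA_DIR.'/.htaccess',"Allow from none\nDeny from all\n"); } // Protect data files.
 
+    // Logging function
+    // ================
     function logm($message)
     {
         $t = strval(date('Y/m/d_H:i:s')).' - '.$_SERVER["REMOTE_ADDR"].' - '.strval($message)."\n";
@@ -18,7 +29,9 @@
     // Several consecutive failed logins will ban the IP address for 30 minutes.
     if (!is_file(IPBANS_FILENAME)) file_put_contents(IPBANS_FILENAME, "<?php\n\$GLOBALS['IPBANS']=".var_export(array('FAILURES'=>array(),'BANS'=>array()),true).";\n?>");
     include IPBANS_FILENAME;
+
     // Signal a failed login. Will ban the IP if too many failures:
+    // ============================================================
     function ban_loginFailed()
     {
         $ip=$_SERVER["REMOTE_ADDR"]; $gb=$GLOBALS['IPBANS'];
@@ -34,6 +47,7 @@
     }
 
     // Signals a successful login. Resets failed login counter.
+    // ========================================================
     function ban_loginOk()
     {
         $ip=$_SERVER["REMOTE_ADDR"]; $gb=$GLOBALS['IPBANS'];
@@ -44,6 +58,7 @@
     }
 
     // Checks if the user CAN login. If 'true', the user can try to login.
+    // ===================================================================
     function ban_canLogin()
     {
         $ip=$_SERVER["REMOTE_ADDR"]; $gb=$GLOBALS['IPBANS'];
@@ -63,6 +78,7 @@
     }
 
     // Returns user IP
+    // ===============
     function user_ip()
     {
         $ip = $_SERVER["REMOTE_ADDR"];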
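Review bot: The new usage header misspells "whether" as "wether" on both the `// * Use ban_canLogin() to check wether ...` and `// * If true, test wether password ...` lines; the same misspelling recurs in the isUnique header added in inc/User.class.php. Since every function in this file keys its counters on `$_SERVER["REMOTE_ADDR"]` (visible on the `$ip=...` lines of each hunk), the header is also the right place to record that a deployment behind a reverse proxy must restore the real client address before these are called, or all clients share one failure counter and one ban. Suggested extra line: `// * All counters are keyed on $_SERVER["REMOTE_ADDR"]; restore the real client IP first when behind a proxy`. The bodies of logm, ban_loginFailed, ban_loginOk, ban_canLogin and user_ip all continue outside the hunks.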

+ 15
- 5
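--- a/inc/CSRF.inc.php
+++ b/inc/CSRF.inc.php
@@ -1,21 +1,31 @@
 <?php
     // Generates a token against CSRF
+    // ==============================
     function generate_token($name = '')
     {
-        if(session_id() == '') session_start();
+        if(session_id() == '')
+            session_start();
+
         $token = uniqid(rand(), true);
+
         $_SESSION[$name.'_token'] = $token;
         $_SESSION[$name.'_token_time'] = time();
+
         return $token;
     }
 
     // Checks that the anti-CSRF token is correct
+    // ==========================================
     function check_token($time, $name = '')
     {
-        if(session_id() == '') session_start();
-        if(isset($_SESSION[$name.'_token']) && isset($_SESSION[$name.'_token_time']) && isset($_POST['token']))
-            if($_SESSION[$name.'_token'] == $_POST['token'])
-                if($_SESSION[$name.'_token_time'] >= (time() - $time))
+        if(session_id() == '')
+            session_start();
+
+        if(isset($_SESSION[$name.'_token']) && isset($_SESSION[$name.'_token_time']) && isset($_POST['token'])) {
+            if($_SESSION[$name.'_token'] == $_POST['token']) {
+                if($_SESSION[$name.'_token_time'] >= (time() - (int) $time))
                     return true;
+            }
+        }
         return false;
     }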
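Review bot: The rewritten check_token still compares the stored token to the submitted one with `==` (a loose, non-constant-time comparison), and generate_token still derives the token from `uniqid(rand(), true)`, which is not a cryptographic randomness source; the reformat was the moment to fix both. Suggested: `$token = bin2hex(random_bytes(32));` in generate_token (PHP 7+; `openssl_random_pseudo_bytes` on older runtimes) and `if(hash_equals($_SESSION[$name.'_token'], (string) $_POST['token'])) {` in check_token. The token is also never consumed after a successful check, so the same value stays valid until `$time` elapses; an `unset($_SESSION[$name.'_token']);` just before `return true;` closes that window for single-use forms. Both function bodies are complete within the hunk.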

+ 7
- 1
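--- a/inc/Invoices.class.php
+++ b/inc/Invoices.class.php
@@ -1,4 +1,5 @@
 <?php
+    // TODO : Users in
     require_once('data/config.php');
     require_once('Storage.class.php');
 
@@ -14,6 +15,8 @@
             'what'=>'text'
             );
 
+        // Getters
+        // =======
         public function getId() {
             return $this->id;
         }
@@ -38,6 +41,8 @@
             return $this->what;
         }
 
+        // Setters
+        // =======
         public function setId($id) {
             $this->id = (int) $id;
         }
@@ -65,7 +70,8 @@
             $this->what = $what;
         }
 
-
+        // Load overload => TODO
+        // =============
         public function load_invoices($fields = NULL) {
             $return = array();
             $invoices = $this->load($fields);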
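Review bot: The new `// TODO : Users in` comment on the second line is cut off mid-sentence, so it records nothing a later reader can act on; either finish the thought or drop the line. The `// Load overload => TODO` header above load_invoices has the same problem, and its underline is shorter than the title, unlike every other header this commit adds. If the intent (which I infer only from the names) is that load_invoices should become an override of Storage::load, say so: `// TODO: make load_invoices() an override of Storage::load()`. load_invoices' body continues outside the hunk.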

+ 14
- 2
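--- a/inc/Storage.class.php
+++ b/inc/Storage.class.php
@@ -12,7 +12,8 @@ class Storage {
         $this->disconnect();
     }
 
-    //Connect / Disconnect functions
+    // Connection functions
+    // ====================
     public function connect() {
         $this->connection = new PDO('mysql:host='.MYSQL_HOST.';dbname='.MYSQL_DB, MYSQL_LOGIN, MYSQL_PASSWORD);
         $this->connection->query('SET NAMES utf8');
@@ -22,7 +23,8 @@ class Storage {
         $this->connection = null;
     }
 
-    //Function to get and set vars
+    // Getters
+    // =======
     public function getHost() {
         return $this->host;
     }
@@ -39,6 +41,8 @@ class Storage {
         return $this->db;
     }
 
+    // Setters
+    // =======
     public function setHost($host) {
         $this->host = host;
     }
@@ -55,6 +59,8 @@ class Storage {
         $this->db = $db;
     }
 
+    // Translates types in class to SQL types
+    // ======================================
     public function typeToSQL($type) {
         $return = false;
         switch($type) {
@@ -86,6 +92,8 @@ class Storage {
         }
     }
 
+    // Load function
+    // =============
     public function load($fields = NULL) {
         $query = 'SELECT ';
         $i = false;
@@ -118,6 +126,8 @@ class Storage {
         return $query->fetchAll();
     }
 
+    // Storing function
+    // ================
     public function save() {
         if(!empty($this->id)) {
             $query = 'UPDATE '.MYSQL_PREFIX.$this->TABLE_NAME.' SET ';
@@ -172,6 +182,8 @@ class Storage {
         $this->id = (!isset($this->id) ? $this->connection->lastInsertId() : $this->id);
     }
 
+    // Delete function
+    // ===============
     public function delete() {
         $query = 'DELETE FROM '.MYSQL_PREFIX.$this->TABLE_NAME.' WHERE ';
 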
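Review bot: The setter sitting directly under the new `// Setters` header assigns a bare constant instead of its parameter, `$this->host = host;`; it should read `$this->host = $host;`, as setDb does with `$db` in the next hunk. The line is unchanged context, but the commit re-labels this exact block, so it is the natural place to catch it. Under the new `// Connection functions` header the PDO object is also constructed without an error mode, so failures in the prepare/query calls of load, save and delete are presumably signalled only through return values; passing `array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION)` as the fourth constructor argument makes them throw instead. The Storage class and the bodies of connect, load, save and delete continue outside the hunks.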

+ 15
- 0
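--- a/inc/User.class.php
+++ b/inc/User.class.php
@@ -17,6 +17,8 @@ class User extends Storage {
         parent::__construct();
     }
 
+    // Getters
+    // =======
     public function getLogin() {
         return $this->login;
     }
@@ -33,6 +35,8 @@ class User extends Storage {
         return $this->admin;
     }
 
+    // Setters
+    // =======
     public function setId($id) {
         $this->id = (int) $id;
     }
@@ -53,6 +57,8 @@ class User extends Storage {
         $this->admin = (bool) $admin;
     }
 
+    // Password functions
+    // ==================
     public function encrypt($text) {
         return crypt($text, SALT);
     }
@@ -61,6 +67,8 @@ class User extends Storage {
         return User::encrypt($password) == $this->password;
     }
 
+    // Check if a user exists by login and load it
+    // ===========================================
     public function exists() {
         $user_data = $this->load(array('login'=>$this->login));
         if(count($user_data) == 1) {
@@ -76,6 +84,8 @@ class User extends Storage {
         }
     }
 
+    // Session storage
+    // ===============
     public function sessionStore() {
         return serialize(array('id'=>$this->id, 'login'=>$this->login, 'display_name'=>$this->display_name, 'password'=>$this->password, 'admin'=>$this->admin));
     }
@@ -93,6 +103,8 @@ class User extends Storage {
         $this->setAdmin($user_data['admin']);
     }
 
+    // Load overload => TODO
+    // =============
     public function load_users($fields = NULL) {
         $return = array();
         $users = $this->load($fields);
@@ -121,6 +133,9 @@ class User extends Storage {
         }
     }
 
+    // Check wether a user already exists or not 
+    // (a user = aunique login and display_name)
+    // =========================================
     public function isUnique() {
         if(count($this->load_users(array('login'=>$this->login))) == 0 && count($this->load_users(array('display_name'=>$this->display_name)))) {
             return true;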
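Review bot: isUnique, directly under the new `// Check wether a user already exists` header, compares only the login count with `== 0`; the display_name clause is a bare `count(...)`, so the method returns true when the login is free but the display name is already taken, the opposite of what the header promises. Suggested: `if(count($this->load_users(array('login'=>$this->login))) == 0 && count($this->load_users(array('display_name'=>$this->display_name))) == 0) {`. The header itself carries two typos (`wether`, `aunique`) and a trailing space on its first line. The `// Password functions` header now labels `crypt($text, SALT)` compared with `==`; a single global salt for every account and a loose string comparison are worth a follow-up with `password_hash`/`password_verify`, which also retires SALT, though that is outside this commit's scope. isUnique's body continues outside the hunk.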

+ 1
- 1
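--- a/install.php
+++ b/install.php
@@ -1,7 +1,7 @@
 <?php
     require_once('inc/CSRF.inc.php');
 
-    if(file_exists('data/config.php')) exit("Your Bouffe@Ulm instance is already configured. You should either delete data/config.php to access this page or delete the install.php for security reasons if you are ok with the configuration.");
+    if(file_exists('data/config.php')) exit('<p>Your Bouffe@Ulm instance is already configured. You should either delete data/config.php to access this page or delete the install.php for security reasons if you are ok with the configuration.<br/><a href="index.php">Go to your instance</a>.</p>');
 
     if(!function_exists("file_get_contents") && !function_exists("file_put_contents")) {
         $error = "Functions <em>file_get_contents</em> and <em>file_put_contents</em> seems to not be available on your PHP installation. You should enable them first.";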
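Review bot: The guard two lines below the changed exit() only fires when both `file_get_contents` and `file_put_contents` are missing, because the two `!function_exists` checks are joined with `&&`; the message it sets reports that either function is unavailable, so `||` looks intended: `if(!function_exists("file_get_contents") || !function_exists("file_put_contents")) {`. The changed exit() line is fine as written; the block that line opens continues outside the hunk.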