From 109aae4cbe87228e8e31b8a01bdba64679328072 Mon Sep 17 00:00:00 2001
From: Phyks
Date: Mon, 26 Aug 2013 09:52:04 +0200
Subject: [PATCH] Small improvements
---
{inc => doc}/config.php.sample | 0
inc/Ban.inc.php | 16 ++++++++++++++++
inc/CSRF.inc.php | 20 +++++++++++++++-----
inc/Invoices.class.php | 8 +++++++-
inc/Storage.class.php | 16 ++++++++++++++--
inc/User.class.php | 15 +++++++++++++++
install.php | 2 +-
7 files changed, 68 insertions(+), 9 deletions(-)
rename {inc => doc}/config.php.sample (100%)
diff --git a/inc/config.php.sample b/doc/config.php.sample
similarity index 100%
rename from inc/config.php.sample
rename to doc/config.php.sample
diff --git a/inc/Ban.inc.php b/inc/Ban.inc.php
index e9dcd4b..942070a 100644
--- a/inc/Ban.inc.php
+++ b/inc/Ban.inc.php
@@ -1,11 +1,22 @@
array(),'BANS'=>array()),true).";\n?>");
include IPBANS_FILENAME;
+
// Signal a failed login. Will ban the IP if too many failures:
+ // ============================================================
function ban_loginFailed()
{
$ip=$_SERVER["REMOTE_ADDR"]; $gb=$GLOBALS['IPBANS'];
@@ -34,6 +47,7 @@
}
// Signals a successful login. Resets failed login counter.
+ // ========================================================
function ban_loginOk()
{
$ip=$_SERVER["REMOTE_ADDR"]; $gb=$GLOBALS['IPBANS'];
@@ -44,6 +58,7 @@
}
// Checks if the user CAN login. If 'true', the user can try to login.
+ // ===================================================================
function ban_canLogin()
{
$ip=$_SERVER["REMOTE_ADDR"]; $gb=$GLOBALS['IPBANS'];
@@ -63,6 +78,7 @@
}
// Returns user IP
+ // ===============
function user_ip()
{
$ip = $_SERVER["REMOTE_ADDR"];
diff --git a/inc/CSRF.inc.php b/inc/CSRF.inc.php
index 8586b6c..6420b20 100644
--- a/inc/CSRF.inc.php
+++ b/inc/CSRF.inc.php
@@ -1,21 +1,31 @@
= (time() - $time))
+ if(session_id() == '')
+ session_start();
+
+ if(isset($_SESSION[$name.'_token']) && isset($_SESSION[$name.'_token_time']) && isset($_POST['token'])) {
+ if($_SESSION[$name.'_token'] == $_POST['token']) {
+ if($_SESSION[$name.'_token_time'] >= (time() - (int) $time))
return true;
+ }
+ }
return false;
}
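Review bot: The token comparison on the `if($_SESSION[$name.'_token'] == $_POST['token'])` line uses loose `==`, which compares numeric-looking strings as numbers (so distinct digest-style tokens can compare equal) and is not constant-time. Replace it with `if(is_string($_POST['token']) && hash_equals($_SESSION[$name.'_token'], $_POST['token']))`; hash_equals() is PHP 5.6+, and on older releases a byte-wise `===` is the minimum. The `is_string` guard also keeps an array-valued `token[]` POST field out of the comparison. The enclosing function's signature is above the visible part of the hunk, so the origin of `$name` and `$time` could not be checked.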
diff --git a/inc/Invoices.class.php b/inc/Invoices.class.php
index 3249bf0..05aa780 100644
--- a/inc/Invoices.class.php
+++ b/inc/Invoices.class.php
@@ -1,4 +1,5 @@
'text'
);
+ // Getters
+ // =======
public function getId() {
return $this->id;
}
@@ -38,6 +41,8 @@
return $this->what;
}
+ // Setters
+ // =======
public function setId($id) {
$this->id = (int) $id;
}
@@ -65,7 +70,8 @@
$this->what = $what;
}
-
+ // Load overload => TODO
+ // =============
public function load_invoices($fields = NULL) {
$return = array();
$invoices = $this->load($fields);
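Review bot: The new `// Load overload => TODO` comment above `load_invoices()` does not say what is still to be done, so nobody can close it; the same comment is added in inc/User.class.php above `load_users()`. The body visibly calls `$this->load($fields)` and builds a `$return` array, so a comment such as `// load_invoices(): wraps Storage::load($fields) and post-processes its rows — TODO: state what still needs to change here` would record the intent, with the actual TODO target filled in by the author. `load_invoices()` continues past the end of the hunk.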
diff --git a/inc/Storage.class.php b/inc/Storage.class.php
index 712c5a8..6dac485 100644
--- a/inc/Storage.class.php
+++ b/inc/Storage.class.php
@@ -12,7 +12,8 @@ class Storage {
$this->disconnect();
}
- //Connect / Disconnect functions
+ // Connection functions
+ // ====================
public function connect() {
$this->connection = new PDO('mysql:host='.MYSQL_HOST.';dbname='.MYSQL_DB, MYSQL_LOGIN, MYSQL_PASSWORD);
$this->connection->query('SET NAMES utf8');
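Review bot: The `new PDO('mysql:host='.MYSQL_HOST.';dbname='.MYSQL_DB, …)` line in connect() sets the connection charset only through the later `SET NAMES utf8` query, which the PDO mysql driver itself does not see; with emulated prepares (the driver's default) client-side escaping can then assume a charset that differs from the one the server applies. Declare it in the DSN instead, `$this->connection = new PDO('mysql:host='.MYSQL_HOST.';dbname='.MYSQL_DB.';charset=utf8', MYSQL_LOGIN, MYSQL_PASSWORD, array(PDO::ATTR_EMULATE_PREPARES => false, PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION));` (the `charset` DSN option needs PHP 5.3.6+), after which the `SET NAMES` query is redundant. The error-mode attribute also turns the silent `false` return of failed queries into exceptions. connect() continues past the end of the hunk.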
@@ -22,7 +23,8 @@ class Storage {
$this->connection = null;
}
- //Function to get and set vars
+ // Getters
+ // =======
public function getHost() {
return $this->host;
}
@@ -39,6 +41,8 @@ class Storage {
return $this->db;
}
+ // Setters
+ // =======
public function setHost($host) {
$this->host = host;
}
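Review bot: `$this->host = host;` in setHost() assigns the bare identifier `host`, not the parameter; PHP resolves an undefined constant to the string 'host' (with a notice), so every call silently stores that literal. The line should read `$this->host = $host;`. The new `// Setters` heading is added directly above this line, so the commit touched the spot without fixing it.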
@@ -55,6 +59,8 @@ class Storage {
$this->db = $db;
}
+ // Translates types in class to SQL types
+ // ======================================
public function typeToSQL($type) {
$return = false;
switch($type) {
@@ -86,6 +92,8 @@ class Storage {
}
}
+ // Load function
+ // =============
public function load($fields = NULL) {
$query = 'SELECT ';
$i = false;
@@ -118,6 +126,8 @@ class Storage {
return $query->fetchAll();
}
+ // Storing function
+ // ================
public function save() {
if(!empty($this->id)) {
$query = 'UPDATE '.MYSQL_PREFIX.$this->TABLE_NAME.' SET ';
@@ -172,6 +182,8 @@ class Storage {
$this->id = (!isset($this->id) ? $this->connection->lastInsertId() : $this->id);
}
+ // Delete function
+ // ===============
public function delete() {
$query = 'DELETE FROM '.MYSQL_PREFIX.$this->TABLE_NAME.' WHERE ';
diff --git a/inc/User.class.php b/inc/User.class.php
index 9cdafbf..c60b5f4 100644
--- a/inc/User.class.php
+++ b/inc/User.class.php
@@ -17,6 +17,8 @@ class User extends Storage {
parent::__construct();
}
+ // Getters
+ // =======
public function getLogin() {
return $this->login;
}
@@ -33,6 +35,8 @@ class User extends Storage {
return $this->admin;
}
+ // Setters
+ // =======
public function setId($id) {
$this->id = (int) $id;
}
@@ -53,6 +57,8 @@ class User extends Storage {
$this->admin = (bool) $admin;
}
+ // Password functions
+ // ==================
public function encrypt($text) {
return crypt($text, SALT);
}
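Review bot: `encrypt()` hashes every password with the single site-wide `SALT` constant via `crypt($text, SALT)`, so two users with the same password get the same hash and one salt covers the whole database. Prefer the per-user, randomly salted `password_hash($text, PASSWORD_DEFAULT)` here and `password_verify()` in the verification method that follows (both PHP 5.5+), keeping the crypt() path only to migrate existing hashes. The name `encrypt` is also misleading because crypt() is one-way; a comment such as `// One-way hash of $text (not reversible encryption)` would help. Whether SALT is a well-formed crypt() salt string cannot be told from this hunk.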
@@ -61,6 +67,8 @@ class User extends Storage {
return User::encrypt($password) == $this->password;
}
+ // Check if a user exists by login and load it
+ // ===========================================
public function exists() {
$user_data = $this->load(array('login'=>$this->login));
if(count($user_data) == 1) {
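Review bot: `return User::encrypt($password) == $this->password;` compares two hash strings with loose `==`, which treats numeric-looking strings as numbers and is not constant-time; use `return hash_equals((string) $this->password, User::encrypt($password));` (PHP 5.6+) or at least `===`. The enclosing method starts above the hunk, so its name and parameter were not checked. The new comment on exists() says it loads the user; the visible `load(array('login'=>$this->login))` confirms the lookup by login, but the loading part is outside the hunk.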
@@ -76,6 +84,8 @@ class User extends Storage {
}
}
+ // Session storage
+ // ===============
public function sessionStore() {
return serialize(array('id'=>$this->id, 'login'=>$this->login, 'display_name'=>$this->display_name, 'password'=>$this->password, 'admin'=>$this->admin));
}
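Review bot: sessionStore() writes the password hash into the session payload (`'password'=>$this->password` inside the serialize() call), where it is not needed to keep the user logged in and only widens the impact of any session-store exposure. Persist the identity fields only, `return serialize(array('id'=>$this->id, 'login'=>$this->login, 'display_name'=>$this->display_name, 'admin'=>$this->admin));`, and reload the record from storage when the hash is actually needed; the restore counterpart (the method ending at `$this->setAdmin(...)` in the next hunk) would presumably need the same key dropped. Whether anything downstream reads the password key from the session cannot be verified from this hunk.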
@@ -93,6 +103,8 @@ class User extends Storage {
$this->setAdmin($user_data['admin']);
}
+ // Load overload => TODO
+ // =============
public function load_users($fields = NULL) {
$return = array();
$users = $this->load($fields);
@@ -121,6 +133,9 @@ class User extends Storage {
}
}
+ // Check wether a user already exists or not
+ // (a user = aunique login and display_name)
+ // =========================================
public function isUnique() {
if(count($this->load_users(array('login'=>$this->login))) == 0 && count($this->load_users(array('display_name'=>$this->display_name)))) {
return true;
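Review bot: The condition in isUnique() is lopsided: the login check is `count(...) == 0` but the display_name check has no `== 0`, so the method returns true only when the login is free AND the display name is already taken, the opposite of what the new comment describes. The second operand should be `count($this->load_users(array('display_name'=>$this->display_name))) == 0`. The added comment also has two typos; it should read `// Check whether a user already exists or not` and `// (a user = a unique login and display_name)`. isUnique() continues past the end of the hunk.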
diff --git a/install.php b/install.php
index f7c554d..7826415 100644
--- a/install.php
+++ b/install.php
@@ -1,7 +1,7 @@
Your Bouffe@Ulm instance is already configured. You should either delete data/config.php to access this page or delete the install.php for security reasons if you are ok with the configuration.
Go to your instance.
');
if(!function_exists("file_get_contents") && !function_exists("file_put_contents")) {
$error = "Functions file_get_contents and file_put_contents seems to not be available on your PHP installation. You should enable them first.";