Small improvements

This commit is contained in:
Phyks 2013-08-26 09:52:04 +02:00
parent 2e2233eb81
commit 109aae4cbe
7 changed files with 68 additions and 9 deletions


@ -1,11 +1,22 @@
<?php <?php
// Ban system from sebsauvage
// Usage :
// * Use ban_canLogin() to check wether the user CAN login or not
// * If true, test wether password is correct or not
// * If true, call ban_loginOk()
// * Else, call ban_loginFailed()
// * Else, reject auth
define('DATA_DIR', 'data'); // Data subdirectory define('DATA_DIR', 'data'); // Data subdirectory
define('IPBANS_FILENAME', DATA_DIR.'/ipbans.php'); // File storage for failures and bans. define('IPBANS_FILENAME', DATA_DIR.'/ipbans.php'); // File storage for failures and bans.
define('BAN_AFTER', 5); // Ban IP after this many failures. define('BAN_AFTER', 5); // Ban IP after this many failures.
define('BAN_DURATION', 1800); // Ban duration for IP address after login failures (in seconds) (1800 sec. = 30 minutes) define('BAN_DURATION', 1800); // Ban duration for IP address after login failures (in seconds) (1800 sec. = 30 minutes)
if (!is_dir(DATA_DIR)) { mkdir(DATA_DIR,0705); chmod(DATA_DIR,0705); } if (!is_dir(DATA_DIR)) { mkdir(DATA_DIR,0705); chmod(DATA_DIR,0705); }
if (!is_file(DATA_DIR.'/.htaccess')) { file_put_contents(DATA_DIR.'/.htaccess',"Allow from none\nDeny from all\n"); } // Protect data files. if (!is_file(DATA_DIR.'/.htaccess')) { file_put_contents(DATA_DIR.'/.htaccess',"Allow from none\nDeny from all\n"); } // Protect data files.
// Logging function
// ================
function logm($message) function logm($message)
{ {
$t = strval(date('Y/m/d_H:i:s')).' - '.$_SERVER["REMOTE_ADDR"].' - '.strval($message)."\n"; $t = strval(date('Y/m/d_H:i:s')).' - '.$_SERVER["REMOTE_ADDR"].' - '.strval($message)."\n";
@ -18,7 +29,9 @@
// Several consecutive failed logins will ban the IP address for 30 minutes. // Several consecutive failed logins will ban the IP address for 30 minutes.
if (!is_file(IPBANS_FILENAME)) file_put_contents(IPBANS_FILENAME, "<?php\n\$GLOBALS['IPBANS']=".var_export(array('FAILURES'=>array(),'BANS'=>array()),true).";\n?>"); if (!is_file(IPBANS_FILENAME)) file_put_contents(IPBANS_FILENAME, "<?php\n\$GLOBALS['IPBANS']=".var_export(array('FAILURES'=>array(),'BANS'=>array()),true).";\n?>");
include IPBANS_FILENAME; include IPBANS_FILENAME;
// Signal a failed login. Will ban the IP if too many failures: // Signal a failed login. Will ban the IP if too many failures:
// ============================================================
function ban_loginFailed() function ban_loginFailed()
{ {
$ip=$_SERVER["REMOTE_ADDR"]; $gb=$GLOBALS['IPBANS']; $ip=$_SERVER["REMOTE_ADDR"]; $gb=$GLOBALS['IPBANS'];
@ -34,6 +47,7 @@
} }
// Signals a successful login. Resets failed login counter. // Signals a successful login. Resets failed login counter.
// ========================================================
function ban_loginOk() function ban_loginOk()
{ {
$ip=$_SERVER["REMOTE_ADDR"]; $gb=$GLOBALS['IPBANS']; $ip=$_SERVER["REMOTE_ADDR"]; $gb=$GLOBALS['IPBANS'];
@ -44,6 +58,7 @@
} }
// Checks if the user CAN login. If 'true', the user can try to login. // Checks if the user CAN login. If 'true', the user can try to login.
// ===================================================================
function ban_canLogin() function ban_canLogin()
{ {
$ip=$_SERVER["REMOTE_ADDR"]; $gb=$GLOBALS['IPBANS']; $ip=$_SERVER["REMOTE_ADDR"]; $gb=$GLOBALS['IPBANS'];
@ -63,6 +78,7 @@
} }
// Returns user IP // Returns user IP
// ===============
function user_ip() function user_ip()
{ {
$ip = $_SERVER["REMOTE_ADDR"]; $ip = $_SERVER["REMOTE_ADDR"];
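Review bot: The protection of `data/` on the new side still rests entirely on the `.htaccess` written at L25 (`Allow from none\nDeny from all`), which only takes effect under Apache with `.htaccess` overrides enabled (and on Apache 2.4 only when the compatibility module for those 2.2-era directives is loaded); on any other server the files under `data/`, which include the ban list and `data/config.php`, are served as plain files. Since this file now carries a usage header (L14-L19), that assumption belongs there, e.g. `// * NOTE: data/ is shielded only by .htaccess; on non-Apache setups keep it outside the web root or deny it in the server config`. The new header also spells "wether" on L15 and L16; it should read `whether`.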


@ -1,21 +1,31 @@
<?php <?php
// Generates a token against CSRF // Generates a token against CSRF
// ==============================
function generate_token($name = '') function generate_token($name = '')
{ {
if(session_id() == '') session_start(); if(session_id() == '')
session_start();
$token = uniqid(rand(), true); $token = uniqid(rand(), true);
$_SESSION[$name.'_token'] = $token; $_SESSION[$name.'_token'] = $token;
$_SESSION[$name.'_token_time'] = time(); $_SESSION[$name.'_token_time'] = time();
return $token; return $token;
} }
// Checks that the anti-CSRF token is correct // Checks that the anti-CSRF token is correct
// ==========================================
function check_token($time, $name = '') function check_token($time, $name = '')
{ {
if(session_id() == '') session_start(); if(session_id() == '')
if(isset($_SESSION[$name.'_token']) && isset($_SESSION[$name.'_token_time']) && isset($_POST['token'])) session_start();
if($_SESSION[$name.'_token'] == $_POST['token'])
if($_SESSION[$name.'_token_time'] >= (time() - $time)) if(isset($_SESSION[$name.'_token']) && isset($_SESSION[$name.'_token_time']) && isset($_POST['token'])) {
if($_SESSION[$name.'_token'] == $_POST['token']) {
if($_SESSION[$name.'_token_time'] >= (time() - (int) $time))
return true; return true;
}
}
return false; return false;
} }
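Review bot: The token comparison rewritten on L85, `$_SESSION[$name.'_token'] == $_POST['token']`, is a loose comparison, so PHP's numeric-string juggling applies to two values that are meant to be byte-identical, and the comparison stops at the first differing byte; replace it with `is_string($_POST['token']) && hash_equals((string) $_SESSION[$name.'_token'], $_POST['token'])` (or at the very least `===`). The token itself comes from `uniqid(rand(), true)` on L72, which is derived from the clock and a non-cryptographic PRNG rather than a CSPRNG; `bin2hex(random_bytes(32))` yields an unpredictable token with the same string interface. Both functions are shown in full in this section.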


@ -1,4 +1,5 @@
<?php <?php
// TODO : Users in
require_once('data/config.php'); require_once('data/config.php');
require_once('Storage.class.php'); require_once('Storage.class.php');
@ -14,6 +15,8 @@
'what'=>'text' 'what'=>'text'
); );
// Getters
// =======
public function getId() { public function getId() {
return $this->id; return $this->id;
} }
@ -38,6 +41,8 @@
return $this->what; return $this->what;
} }
// Setters
// =======
public function setId($id) { public function setId($id) {
$this->id = (int) $id; $this->id = (int) $id;
} }
@ -65,7 +70,8 @@
$this->what = $what; $this->what = $what;
} }
// Load overload => TODO
// =============
public function load_invoices($fields = NULL) { public function load_invoices($fields = NULL) {
$return = array(); $return = array();
$invoices = $this->load($fields); $invoices = $this->load($fields);
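Review bot: The new comment on L97, `// TODO : Users in`, is cut off mid-sentence, so the next reader cannot tell what is pending; either finish it or drop it. Likewise the new `// Load overload => TODO` header on L119 names no task; if the intent is to fold `load_invoices()` into an overridden `load()` (inferred from the method below), a comment such as `// TODO: override load() instead of wrapping it in load_invoices()` would make it actionable. The `load_invoices()` body starts here and runs past the hunk.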


@ -12,7 +12,8 @@ class Storage {
$this->disconnect(); $this->disconnect();
} }
//Connect / Disconnect functions // Connection functions
// ====================
public function connect() { public function connect() {
$this->connection = new PDO('mysql:host='.MYSQL_HOST.';dbname='.MYSQL_DB, MYSQL_LOGIN, MYSQL_PASSWORD); $this->connection = new PDO('mysql:host='.MYSQL_HOST.';dbname='.MYSQL_DB, MYSQL_LOGIN, MYSQL_PASSWORD);
$this->connection->query('SET NAMES utf8'); $this->connection->query('SET NAMES utf8');
@ -22,7 +23,8 @@ class Storage {
$this->connection = null; $this->connection = null;
} }
//Function to get and set vars // Getters
// =======
public function getHost() { public function getHost() {
return $this->host; return $this->host;
} }
@ -39,6 +41,8 @@ class Storage {
return $this->db; return $this->db;
} }
// Setters
// =======
public function setHost($host) { public function setHost($host) {
$this->host = host; $this->host = host;
} }
@ -55,6 +59,8 @@ class Storage {
$this->db = $db; $this->db = $db;
} }
// Translates types in class to SQL types
// ======================================
public function typeToSQL($type) { public function typeToSQL($type) {
$return = false; $return = false;
switch($type) { switch($type) {
@ -86,6 +92,8 @@ class Storage {
} }
} }
// Load function
// =============
public function load($fields = NULL) { public function load($fields = NULL) {
$query = 'SELECT '; $query = 'SELECT ';
$i = false; $i = false;
@ -118,6 +126,8 @@ class Storage {
return $query->fetchAll(); return $query->fetchAll();
} }
// Storing function
// ================
public function save() { public function save() {
if(!empty($this->id)) { if(!empty($this->id)) {
$query = 'UPDATE '.MYSQL_PREFIX.$this->TABLE_NAME.' SET '; $query = 'UPDATE '.MYSQL_PREFIX.$this->TABLE_NAME.' SET ';
@ -172,6 +182,8 @@ class Storage {
$this->id = (!isset($this->id) ? $this->connection->lastInsertId() : $this->id); $this->id = (!isset($this->id) ? $this->connection->lastInsertId() : $this->id);
} }
// Delete function
// ===============
public function delete() { public function delete() {
$query = 'DELETE FROM '.MYSQL_PREFIX.$this->TABLE_NAME.' WHERE '; $query = 'DELETE FROM '.MYSQL_PREFIX.$this->TABLE_NAME.' WHERE ';
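Review bot: `setHost()` on L149 assigns `host` without the `$` sigil, so on PHP 7 the property silently becomes the literal string 'host' (undefined-constant fallback with a notice) and on PHP 8 the call throws an `Error`; it should read `$this->host = $host;`. The commit only adds the `// Setters` header above it, so the defect survives on the new side. Separately, `connect()` on L133 creates the PDO handle without setting `PDO::ATTR_ERRMODE`, so a failed prepare/query comes back as `false` and is only noticed when later code dereferences it (the `fetchAll()` call on L168 appears to be such a place); passing `array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION)` as the fourth constructor argument makes those failures visible.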


@ -17,6 +17,8 @@ class User extends Storage {
parent::__construct(); parent::__construct();
} }
// Getters
// =======
public function getLogin() { public function getLogin() {
return $this->login; return $this->login;
} }
@ -33,6 +35,8 @@ class User extends Storage {
return $this->admin; return $this->admin;
} }
// Setters
// =======
public function setId($id) { public function setId($id) {
$this->id = (int) $id; $this->id = (int) $id;
} }
@ -53,6 +57,8 @@ class User extends Storage {
$this->admin = (bool) $admin; $this->admin = (bool) $admin;
} }
// Password functions
// ==================
public function encrypt($text) { public function encrypt($text) {
return crypt($text, SALT); return crypt($text, SALT);
} }
@ -61,6 +67,8 @@ class User extends Storage {
return User::encrypt($password) == $this->password; return User::encrypt($password) == $this->password;
} }
// Check if a user exists by login and load it
// ===========================================
public function exists() { public function exists() {
$user_data = $this->load(array('login'=>$this->login)); $user_data = $this->load(array('login'=>$this->login));
if(count($user_data) == 1) { if(count($user_data) == 1) {
@ -76,6 +84,8 @@ class User extends Storage {
} }
} }
// Session storage
// ===============
public function sessionStore() { public function sessionStore() {
return serialize(array('id'=>$this->id, 'login'=>$this->login, 'display_name'=>$this->display_name, 'password'=>$this->password, 'admin'=>$this->admin)); return serialize(array('id'=>$this->id, 'login'=>$this->login, 'display_name'=>$this->display_name, 'password'=>$this->password, 'admin'=>$this->admin));
} }
@ -93,6 +103,8 @@ class User extends Storage {
$this->setAdmin($user_data['admin']); $this->setAdmin($user_data['admin']);
} }
// Load overload => TODO
// =============
public function load_users($fields = NULL) { public function load_users($fields = NULL) {
$return = array(); $return = array();
$users = $this->load($fields); $users = $this->load($fields);
@ -121,6 +133,9 @@ class User extends Storage {
} }
} }
// Check wether a user already exists or not
// (a user = aunique login and display_name)
// =========================================
public function isUnique() { public function isUnique() {
if(count($this->load_users(array('login'=>$this->login))) == 0 && count($this->load_users(array('display_name'=>$this->display_name)))) { if(count($this->load_users(array('login'=>$this->login))) == 0 && count($this->load_users(array('display_name'=>$this->display_name)))) {
return true; return true;
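Review bot: `encrypt()` on L207 hashes every password with the single constant `SALT`, so identical passwords produce identical stored hashes and the whole table can be attacked with one precomputation, and `checkPassword()` on L210 then compares the result with loose `==`. Since PHP 5.5, `password_hash($text, PASSWORD_DEFAULT)` in `encrypt()` and `password_verify($password, $this->password)` in the check give a per-user random salt and a constant-time comparison with the same call shape (the stored column must be wide enough for the longer hash). Separately, `isUnique()` on L240 drops the `== 0` on its second count, so it returns true only when another user already has this display_name, the opposite of what the new header describes; the condition should end `&& count($this->load_users(array('display_name'=>$this->display_name))) == 0`. `isUnique()` runs past the hunk, and its new header comment has two typos (`wether` → `whether`, `aunique` → `a unique`).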


@ -1,7 +1,7 @@
<?php <?php
require_once('inc/CSRF.inc.php'); require_once('inc/CSRF.inc.php');
if(file_exists('data/config.php')) exit("Your Bouffe@Ulm instance is already configured. You should either delete data/config.php to access this page or delete the install.php for security reasons if you are ok with the configuration."); if(file_exists('data/config.php')) exit('<p>Your Bouffe@Ulm instance is already configured. You should either delete data/config.php to access this page or delete the install.php for security reasons if you are ok with the configuration.<br/><a href="index.php">Go to your instance</a>.</p>');
if(!function_exists("file_get_contents") && !function_exists("file_put_contents")) { if(!function_exists("file_get_contents") && !function_exists("file_put_contents")) {
$error = "Functions <em>file_get_contents</em> and <em>file_put_contents</em> seems to not be available on your PHP installation. You should enable them first."; $error = "Functions <em>file_get_contents</em> and <em>file_put_contents</em> seems to not be available on your PHP installation. You should enable them first.";