authorKarl 'vollmerk' Vollmer <vollmer@ampache.org>2008-07-26 07:43:18 +0000
committerKarl 'vollmerk' Vollmer <vollmer@ampache.org>2008-07-26 07:43:18 +0000
commit392354df0a4f2c21aabad2f1b527448251a60f99 (patch)
treeab34820cef4990e4139326ccd2e507c5731d216c
parent975af37b254ebc74533f1562005dccf75ef0f021 (diff)
downloadampache-392354df0a4f2c21aabad2f1b527448251a60f99.tar.gz
ampache-392354df0a4f2c21aabad2f1b527448251a60f99.tar.bz2
ampache-392354df0a4f2c21aabad2f1b527448251a60f99.zip
switched to sha() password encryption not using sha2 because of limitations of amarok, also added some caching and fixed some misc bugs
-rw-r--r--browse.php13
-rwxr-xr-xdocs/CHANGELOG4
-rw-r--r--index.php2
-rw-r--r--lib/class/browse.class.php2
-rw-r--r--lib/class/catalog.class.php2
-rw-r--r--lib/class/dba.class.php22
-rw-r--r--lib/class/error.class.php16
-rw-r--r--lib/class/rating.class.php8
-rw-r--r--lib/class/song.class.php9
-rw-r--r--lib/class/user.class.php12
-rw-r--r--lib/class/vauth.class.php63
-rw-r--r--login.php16
-rw-r--r--preferences.php18
-rw-r--r--register.php2
-rw-r--r--server/ajax.server.php15
-rw-r--r--server/index.ajax.php17
-rw-r--r--templates/footer.inc.php5
-rw-r--r--templates/show_account.inc.php8
-rw-r--r--templates/show_index.inc.php1
-rw-r--r--templates/show_preferences.inc.php11
-rw-r--r--templates/sidebar_home.inc.php2
21 files changed, 178 insertions, 70 deletions
diff --git a/browse.php b/browse.php
index 85c3068e..ad3a3634 100644
--- a/browse.php
+++ b/browse.php
@@ -35,10 +35,10 @@ require_once 'lib/init.php';
// so we've got a little switch here that creates the type.. this feels hackish...
switch ($_REQUEST['action']) {
+ case 'tag':
case 'file':
case 'album':
case 'artist':
- case 'genre':
case 'playlist':
case 'live_stream':
case 'song':
@@ -59,17 +59,18 @@ switch($_REQUEST['action']) {
Album::build_cache($album_ids);
Browse::show_objects($album_ids);
break;
+ case 'tag':
+ Browse::set_sort('count','ASC');
+ $tags = Browse::get_objects();
+ Tag::build_cache($tags);
+ Browse::show_objects($tags);
+ break;
case 'artist':
Browse::set_sort('name','ASC');
$artist_ids = Browse::get_objects();
Artist::build_cache($artist_ids);
Browse::show_objects($artist_ids);
break;
- case 'genre':
- Browse::set_sort('name','ASC');
- $genre_ids = Browse::get_objects();
- Browse::show_objects($genre_ids);
- break;
case 'song':
Browse::set_sort('title','ASC');
$song_ids = Browse::get_objects();
diff --git a/docs/CHANGELOG b/docs/CHANGELOG
index 823fe5d6..28e59d1a 100755
--- a/docs/CHANGELOG
+++ b/docs/CHANGELOG
@@ -4,6 +4,10 @@
--------------------------------------------------------------------------
v.3.5-Alpha1
+ - Fixed home menu not always displaying the entire contents
+ - Fixed logic error with duplicate login setting which caused it
+ to only work if mysql auth was used
+ - Changed Passwords to SHA1 will prompt to reset password
- Corrected some translation strings and added jp_JP (Thx momo-i)
- Ignore filenames that start with . (hidden) solves an issue
with mac filesystems
diff --git a/index.php b/index.php
index c8274937..76453e98 100644
--- a/index.php
+++ b/index.php
@@ -32,7 +32,7 @@ $action = scrub_in($_REQUEST['action']);
*/
if (Config::get('refresh_limit') > 5) {
$refresh_limit = Config::get('refresh_limit');
- $ajax_url = Config::get('ajax_url') . '?action=reloadnp';
+ $ajax_url = Config::get('ajax_url') . '?page=index&action=reloadnp';
require_once Config::get('prefix') . '/templates/javascript_refresh.inc.php';
}
diff --git a/lib/class/browse.class.php b/lib/class/browse.class.php
index 3cb06b5b..750ea4c7 100644
--- a/lib/class/browse.class.php
+++ b/lib/class/browse.class.php
@@ -195,7 +195,7 @@ class Browse {
case 'catalog':
case 'album':
case 'artist':
- case 'genre':
+ case 'tag':
case 'shoutbox':
case 'live_stream':
// Set it
diff --git a/lib/class/catalog.class.php b/lib/class/catalog.class.php
index e518c5b8..723d7c55 100644
--- a/lib/class/catalog.class.php
+++ b/lib/class/catalog.class.php
@@ -502,7 +502,7 @@ class Catalog {
// Check to make sure the filename is of the expected charset
if (function_exists('iconv')) {
- if (strcmp($full_file,iconv(Config::get('site_charset'),Config::get('site_charset') . '//IGNORE',$full_file)) != '0') {
+ if (strcmp($full_file,iconv(Config::get('site_charset'),Config::get('site_charset'),$full_file)) != '0') {
debug_event('read',$full_file . ' has non-' . Config::get('site_charset') . ' characters and can not be indexed','1');
Error::add('catalog_add',$full_file . ' ' . _('does not match site charset'));
continue;
diff --git a/lib/class/dba.class.php b/lib/class/dba.class.php
index 4f97f6db..7cee79ed 100644
--- a/lib/class/dba.class.php
+++ b/lib/class/dba.class.php
@@ -68,6 +68,28 @@ class Dba {
} // query
/**
+ * read
+ * This is a wrapper for query, it's so that in the future if we ever wanted
+ * to split reads and writes we could
+ */
+ public static function read($sql) {
+
+ return self::query($sql);
+
+ } // read
+
+ /**
+ * write
+ * This is a wrapper for a write query, it is so that we can split out reads and
+ * writes if we want to
+ */
+ public static function write($sql) {
+
+ return self::query($sql);
+
+ } // write
+
+ /**
* escape
* This runs a escape on a variable so that it can be safely inserted
* into the sql
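Review bot: `read` and `write` accept a fully assembled SQL string, yet neither docblock states what the caller is responsible for, and every call site in this commit interpolates values that were first passed through `Dba::escape()` (vauth::mysql_auth, User::update_password). Since these wrappers are now the names new code will reach for, add `@param string $sql Complete statement; every interpolated value must already have gone through Dba::escape()` to both, and note in `write` that it is the intended path for INSERT/UPDATE/DELETE so the read/write split can later be enforced by inspection. The return value is whatever `query()` produces; its body is outside the hunk, so describe it as `@return mixed Result of Dba::query()` rather than guessing a type.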
diff --git a/lib/class/error.class.php b/lib/class/error.class.php
index 13f96882..2c4679ec 100644
--- a/lib/class/error.class.php
+++ b/lib/class/error.class.php
@@ -27,8 +27,8 @@
*/
class Error {
- public static $state = false; // set to one when an error occurs
- public static $errors = array(); // Errors array key'd array with errors that have occured
+ private static $state = false; // set to one when an error occurs
+ private static $errors = array(); // Errors array key'd array with errors that have occured
/**
* __constructor
@@ -81,6 +81,18 @@ class Error {
} // add
+ /**
+ * occurred
+ * This returns true / false if an error has occured anywhere
+ */
+ public static function occurred() {
+
+ if (self::$state == '1') { return true; }
+
+ return false;
+
+ } // occurred
+
/**
* get
* This returns an error by name
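Review bot: `occurred()` tests `self::$state == '1'` with a loose comparison even though the property is initialised to the boolean `false` in this file's first hunk; it works only because `true == '1'`, and the intent is clearer and no weaker as `return (bool) self::$state;`. Making `$errors` private at the same time is a wider change than the call sites updated in this commit (user.class.php and register.php only touch `$state`); any code elsewhere that read `Error::$errors` directly will now fatal, so confirm that `get()`/`display()` cover every former direct reader before merging.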
diff --git a/lib/class/rating.class.php b/lib/class/rating.class.php
index 6d89b8fb..5d2f9bf2 100644
--- a/lib/class/rating.class.php
+++ b/lib/class/rating.class.php
@@ -64,26 +64,26 @@ class Rating extends database_object {
* //FIXME: Improve logic so that misses get cached as average
*/
public static function build_cache($type, $ids) {
-
+
$user_id = Dba::escape($GLOBALS['user']->id);
$idlist = '(' . implode(',', $ids) . ')';
$sql = "SELECT `rating`, `object_id`,`rating`.`rating` FROM `rating` WHERE `user`='$user_id' AND `object_id` IN $idlist " .
"AND `object_type`='$type'";
- $db_results = Dba::query($sql);
+ $db_results = Dba::read($sql);
while ($row = Dba::fetch_assoc($db_results)) {
$user[$row['object_id']] = $row['rating'];
}
$sql = "SELECT `rating`,`object_id` FROM `rating` WHERE `object_id` IN $idlist AND `object_type`='$type'";
- $db_results = Dba::query($sql);
+ $db_results = Dba::read($sql);
while ($row = Dba::fetch_assoc($db_results)) {
$rating[$row['object_id']]['rating'] += $row['rating'];
$rating[$row['object_id']]['total']++;
}
-
+
foreach ($ids as $id) {
parent::add_to_cache('rating_' . $type . '_user',$id,intval($user[$id]));
diff --git a/lib/class/song.class.php b/lib/class/song.class.php
index 806a81f9..b73ab1e8 100644
--- a/lib/class/song.class.php
+++ b/lib/class/song.class.php
@@ -86,7 +86,7 @@ class Song extends database_object {
"addition_time FROM `song` " .
"LEFT JOIN `tag_map` ON `tag_map`.`object_id`=`song`.`id` AND `tag_map`.`object_type`='song' " .
"WHERE `song`.`id` IN $idlist";
- $db_results = Dba::query($sql);
+ $db_results = Dba::read($sql);
while ($row = Dba::fetch_assoc($db_results)) {
parent::add_to_cache('song',$row['id'],$row);
@@ -100,9 +100,14 @@ class Song extends database_object {
Tag::build_cache($tags);
Tag::build_map_cache('song',$song_ids);
+ // If we're rating this then cache them as well
+ if (Config::get('ratings')) {
+ Rating::build_cache('song',$song_ids);
+ }
+
// Build a cache for the song's extended table
$sql = "SELECT * FROM `song_data` WHERE `song_id` IN $idlist";
- $db_results = Dba::query($sql);
+ $db_results = Dba::read($sql);
while ($row = Dba::fetch_assoc($db_results)) {
parent::add_to_cache('song_data',$row['song_id'],$row);
diff --git a/lib/class/user.class.php b/lib/class/user.class.php
index 2cdcf251..4d50f5ba 100644
--- a/lib/class/user.class.php
+++ b/lib/class/user.class.php
@@ -360,7 +360,7 @@ class User extends database_object {
Error::add('password',_("Error Passwords don't match"));
}
- if (Error::$state) {
+ if (Error::occurred()) {
return false;
}
@@ -593,7 +593,7 @@ class User extends database_object {
/* Now Insert this new user */
$sql = "INSERT INTO `user` (`username`, `fullname`, `email`, `password`, `access`, `create_date`) VALUES" .
" ('$username','$fullname','$email',PASSWORD('$password'),'$access','" . time() ."')";
- $db_results = Dba::query($sql);
+ $db_results = Dba::write($sql);
if (!$db_results) { return false; }
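Review bot: `create()` still stores `PASSWORD('$password')` (the INSERT just above the changed `Dba::write` call) while `update_password` in the next hunk now stores a SHA1 digest, so every newly registered account lands on the legacy `vieux_mysql_auth` branch and sees the footer's "Using Old Password Encryption" banner until the user resets a password they have only just chosen. Hash here the same way: `$password = Dba::escape(hash('sha1', $password));` before the INSERT and write `'$password'` in place of `PASSWORD('$password')`. `$password` is presumably escaped earlier in `create()`, outside this hunk; the digest must be computed from the raw value so that it agrees with `update_password`.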
@@ -613,9 +613,11 @@ class User extends database_object {
*/
public function update_password($new_password) {
+ $new_password = hash('sha1',$new_password);
+
$new_password = Dba::escape($new_password);
- $sql = "UPDATE `user` SET `password`=PASSWORD('$new_password') WHERE `id`='$this->id'";
- $db_results = Dba::query($sql);
+ $sql = "UPDATE `user` SET `password`='$new_password' WHERE `id`='$this->id'";
+ $db_results = Dba::write($sql);
} // update_password
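Review bot: `update_password` now stores a bare, unsalted SHA1 of the password (`hash('sha1',$new_password)`), which the commit message attributes to Amarok's limitations; that constraint and its consequence — identical passwords hash identically, and a leaked `user` table can be attacked offline with precomputed tables — belong in the method's docblock, which ends just above the hunk. Add something like `// Unsalted SHA1 is deliberate: Amarok cannot handle SHA2 (see CHANGELOG); revisit once the client allows a salted scheme`. The method also discards the result of `Dba::write` and returns nothing; `return (bool) $db_results;` would let callers report a failed reset instead of silently keeping the old hash. The order here (hash first, then `Dba::escape`) is the correct one and `vauth::mysql_auth` should match it.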
@@ -641,7 +643,7 @@ class User extends database_object {
/* Calculate their total Bandwidth Useage */
$sql = "SELECT `song`.`size` FROM `song` LEFT JOIN `object_count` ON `song`.`id`=`object_count`.`object_id` " .
"WHERE `object_count`.`user`='$this->id' AND `object_count`.`object_type`='song'";
- $db_results = Dba::query($sql);
+ $db_results = Dba::read($sql);
while ($r = Dba::fetch_assoc($db_results)) {
$total = $total + $r['size'];
diff --git a/lib/class/vauth.class.php b/lib/class/vauth.class.php
index 400edf6d..c6189250 100644
--- a/lib/class/vauth.class.php
+++ b/lib/class/vauth.class.php
@@ -462,21 +462,59 @@ class vauth {
} // authenticate
/**
- * mysql_auth
- * This is a private function, it should only be called by authenticate
+ * mysql_auth
+ * This is the core function of authentication by ampache. It checks their current password
+ * and then tries to figure out if it can use the new SHA password hash or if it needs to fall
+ * back on the mysql method
*/
private static function mysql_auth($username,$password) {
- $username = Dba::escape($username);
- $password = Dba::escape($password);
+ $username = Dba::escape($username);
+ $password = Dba::escape($password);
- $password_check_sql = "PASSWORD('$password')";
+ if (!strlen($password) OR !strlen($username)) {
+ Error::add('general',_('Error Username or Password incorrect, please try again'));
+ return false;
+ }
- // If they don't have a password kick em ou
- if (!strlen($password)) {
- Error::add('general','Error Username or Password incorrect, please try again');
- return false;
- }
+ // We have to pull the password in order to figure out how to handle it *cry*
+ $sql = "SELECT `password` FROM `user` WHERE `username`='$username'";
+ $db_results = Dba::read($sql);
+ $row = Dba::fetch_assoc($db_results);
+
+ // If it's using the old method then roll with that
+ if (substr($row['password'],0,1) == '*' OR strlen($row['password']) < 32) {
+ $response = self::vieux_mysql_auth($username,$password);
+ return $response;
+ }
+
+ // Use SHA1 for the password, we aren't using SHA2 because Amarok can't handle it *cry*
+ $password = hash('sha1',$password);
+
+ $sql = "SELECT `username`,`id` FROM `user` WHERE `password`='$password' AND `username`='$username'";
+ $db_results = Dba::read($sql);
+
+ $row = Dba::fetch_assoc($db_results);
+
+ if (!count($row)) {
+ Error::add('general',_('Error Username or Password incorrect, please try again'));
+ return false;
+ }
+
+ $row['type'] = 'mysql';
+ $row['success'] = true;
+
+ return $row;
+
+ } // mysql_auth
+
+ /**
+ * vieux_mysql_auth
+ * This is a private function, it should only be called by authenticate
+ */
+ private static function vieux_mysql_auth($username,$password) {
+
+ $password_check_sql = "PASSWORD('$password')";
// This has to still be here because lots of people use old_password in their config file
$sql = "SELECT `password` FROM `user` WHERE `username`='$username'";
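Review bot: The no-match guard `if (!count($row))` in the SHA1 branch does not do what the legacy branch's `if (!$results)` does: if `Dba::fetch_assoc` returns `false` for an empty result (the next hunk's test suggests it does), PHP's `count(false)` is 1, the guard never fires, and the two assignments that follow turn `$row` into `array('type' => 'mysql', 'success' => true)`, so a wrong password for any user already migrated to SHA1 would be reported as a successful login — use `if (!$row) {` here, matching the legacy branch. Separately, `$password` is passed through `Dba::escape()` before it is hashed, whereas `User::update_password` hashes the raw value and escapes the digest, so a password containing a quote or backslash can never verify; keep the raw value (`$raw_password = $password;` before the escape) and compute `$password = Dba::escape(hash('sha1', $raw_password));`. The `$row['password']` reads in the legacy-detection test also assume a row was found; an unknown username yields undefined-index notices before it falls through to `vieux_mysql_auth`.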
@@ -498,7 +536,7 @@ class vauth {
$results = Dba::fetch_assoc($db_results);
if (!$results) {
- Error::add('general','Error Username or Password incorrect, please try again');
+ Error::add('general',_('Error Username or Password incorrect, please try again'));
return false;
}
@@ -512,11 +550,12 @@ class vauth {
} // if prevent_multiple_logins
$results['type'] = 'mysql';
+ $results['password'] = 'old';
$results['success'] = true;
return $results;
- } // mysql_auth
+ } // vieux_mysql_auth
/**
* ldap_auth
diff --git a/login.php b/login.php
index 9bf8f87f..cc402cc8 100644
--- a/login.php
+++ b/login.php
@@ -99,13 +99,23 @@ if ($_POST['username'] && $_POST['password']) {
/* If the authentication was a success */
if ($auth['success']) {
+
+ // Generate the user we need for a few things
+ $user = User::get_from_username($username);
+
+ if (Config::get('prevent_multiple_logins')) {
+ $current_ip = $user->is_logged_in();
+ if ($current_ip != sprintf("%u",ip2long($_SERVER['REMOTE_ADDR']))) {
+ Error::add('general',_('User Already Logged in'));
+ require Config::get('prefix') . '/templates/show_login_form.inc.php';
+ exit;
+ }
+ } // if prevent_multiple_logins
+
// $auth->info are the fields specified in the config file
// to retrieve for each user
vauth::session_create($auth);
- // Generate the user we need for a few things
- $user = User::get_from_username($username);
-
//
// Not sure if it was me or php tripping out,
// but naming this 'user' didn't work at all
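Review bot: The `prevent_multiple_logins` block compares `$user->is_logged_in()` against the caller's address with a loose `!=`; what `is_logged_in()` returns when there is no active session is not visible here, and if that is `false` or `0` the comparison with a non-empty numeric string is true and every login would be refused, so guard explicitly: `if ($current_ip && $current_ip != sprintf("%u",ip2long($_SERVER['REMOTE_ADDR'])))`. Running the check before `vauth::session_create` is the right order. A one-line comment stating that the policy is by address only (a second session from the same IP is allowed) would make the intended behaviour explicit for the next reader.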
diff --git a/preferences.php b/preferences.php
index 1962210e..9c28ed96 100644
--- a/preferences.php
+++ b/preferences.php
@@ -28,6 +28,11 @@ switch($_REQUEST['action']) {
access_denied();
exit;
}
+
+ if (!Core::form_verify('update_preferences','post')) {
+ access_denied();
+ exit;
+ }
/* Reset the Theme */
if ($_REQUEST['method'] == 'admin') {
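Review bot: The new CSRF checks verify the token under the name `'update_preferences'` (here and in the second hunk), but the form that submits to this action registers it as `Core::form_register('update_preference')` in templates/show_preferences.inc.php — singular. If `form_verify` matches on that name, as the paired `update_user` calls in show_account.inc.php suggest, every preference update will now hit `access_denied()`. Pick one spelling; the smallest fix is `<?php echo Core::form_register('update_preferences'); ?>` in the template. Making the name a class constant would stop the two sides drifting again.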
@@ -53,6 +58,11 @@ switch($_REQUEST['action']) {
exit;
}
+ if (!Core::form_verify('update_preferences','post')) {
+ access_denied();
+ exit;
+ }
+
update_preferences($_REQUEST['user_id']);
header("Location: " . Config::get('web_path') . "/admin/users.php?action=show_preferences&user_id=" . scrub_out($_REQUEST['user_id']));
break;
@@ -76,10 +86,16 @@ switch($_REQUEST['action']) {
break;
case 'update_user':
// Make sure we're a user and they came from the form
- if (!Access::check('interface','25') || $_POST['form_string'] != $_SESSION['forms']['account'] || !strlen($_SESSION['forms']['account'])) {
+ if (!Access::check('interface','25')) {
access_denied();
exit;
}
+
+ if (!Core::form_verify('update_user','post')) {
+ access_denied();
+ exit;
+ }
+
// Remove the value
unset($_SESSION['forms']['account']);
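Review bot: `unset($_SESSION['forms']['account']);` now clears a key that nothing sets any more — the `$_SESSION['forms']['account'] = $form_string;` line was removed from templates/show_account.inc.php in this same commit, and the check that consumed it was replaced by `Core::form_verify('update_user','post')` just above. Drop the unset and its "Remove the value" comment, or if `form_verify` is expected to consume its own token, say so in a comment so the next reader does not restore the old mechanism.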
diff --git a/register.php b/register.php
index 772d71f2..46bb3783 100644
--- a/register.php
+++ b/register.php
@@ -131,7 +131,7 @@ switch ($_REQUEST['action']) {
}
// If we've hit an error anywhere up there break!
- if (Error::$state) {
+ if (Error::occurred()) {
require_once Config::get('prefix') . '/templates/show_user_registration.inc.php';
break;
}
diff --git a/server/ajax.server.php b/server/ajax.server.php
index 5e586895..5a7a8f7d 100644
--- a/server/ajax.server.php
+++ b/server/ajax.server.php
@@ -293,21 +293,6 @@ switch ($_REQUEST['action']) {
$results['rightbar'] = ajax_include('rightbar.inc.php');
break;
- /* reloading the now playing information */
- case 'reloadnp':
- ob_start();
- show_now_playing();
- $results['now_playing'] = ob_get_contents();
- ob_clean();
- $data = Song::get_recently_played();
- if (count($data)) {
- show_box_top(_('Recently Played'));
- require_once Config::get('prefix') . '/templates/show_recently_played.inc.php';
- show_box_bottom();
- }
- $results['recently_played'] = ob_get_contents();
- ob_end_clean();
- break;
/* Setting ratings */
case 'set_rating':
ob_start();
diff --git a/server/index.ajax.php b/server/index.ajax.php
index e8029de2..2573e7d2 100644
--- a/server/index.ajax.php
+++ b/server/index.ajax.php
@@ -30,10 +30,23 @@ switch ($_REQUEST['action']) {
if (count($albums)) {
ob_start();
require_once Config::get('prefix') . '/templates/show_random_albums.inc.php';
- $results['random_selection'] = ob_get_contents();
- ob_end_clean();
+ $results['random_selection'] = ob_get_clean();
}
break;
+ case 'reloadnp':
+ ob_start();
+ show_now_playing();
+ $results['now_playing'] = ob_get_clean();
+ ob_start();
+ $data = Song::get_recently_played();
+ Song::build_cache(array_keys($data));
+ if (count($data)) {
+ show_box_top(_('Recently Played'));
+ require_once Config::get('prefix') . '/templates/show_recently_played.inc.php';
+ show_box_bottom();
+ }
+ $results['recently_played'] = ob_get_clean();
+ break;
case 'sidebar':
switch ($_REQUEST['button']) {
case 'home':
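Review bot: `Song::build_cache(array_keys($data))` runs before the `count($data)` test, so an empty recently-played list reaches the cache builder with no ids; with the `IN $idlist` pattern used in song.class.php and the `'(' . implode(',', $ids) . ')'` construction in Rating::build_cache (now called from Song::build_cache), that becomes `IN ()`, which MySQL rejects. Move the call inside the `if (count($data)) {` block; the identical line added to templates/show_index.inc.php needs the same treatment. Replacing the `ob_get_contents()`/`ob_end_clean()` pair with `ob_get_clean()` is a good simplification.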
diff --git a/templates/footer.inc.php b/templates/footer.inc.php
index cef63c28..38090bfb 100644
--- a/templates/footer.inc.php
+++ b/templates/footer.inc.php
@@ -21,9 +21,10 @@
*/
?>
<div style="clear:both;"></div>
+<?php if ($_SESSION['userdata']['password'] == 'old') {?>
+ <span class="fatalerror"><?php echo _('Using Old Password Encryption, Please Reset your Password'); ?></span>
+<?php } ?>
</div> <!-- end id="content"-->
-<!-- I really hate IE
-</td></tr></table> -->
</div> <!-- end id="maincontainer"-->
<div id="footer">
<a href="http://www.ampache.org/index.php">Ampache v.<?php echo Config::get('version'); ?></a><br />
diff --git a/templates/show_account.inc.php b/templates/show_account.inc.php
index 256898f7..eb371443 100644
--- a/templates/show_account.inc.php
+++ b/templates/show_account.inc.php
@@ -1,7 +1,7 @@
<?php
/*
- Copyright (c) 2001 - 2007 Ampache.org
+ Copyright (c) Ampache.org
All rights reserved.
This program is free software; you can redistribute it and/or
@@ -19,10 +19,9 @@
*/
// Because this is a reset of the persons password make the form a little more secure
-$form_string = generate_password('32');
-$_SESSION['forms']['account'] = $form_string;
?>
<?php Error::display('general'); ?>
+<form method="post" name="preferences" action="<?php echo Config::get('web_path'); ?>/preferences.php?action=update_user" enctype="multipart/form-data">
<table class="tabledata">
<tr>
<td><?php echo _('Name'); ?>:</td>
@@ -58,8 +57,7 @@ $_SESSION['forms']['account'] = $form_string;
</table>
<div class="formValidation">
<input type="hidden" name="user_id" value="<?php echo scrub_out($client->id); ?>" />
- <input type="hidden" name="action" value="update_user" />
+ <?php echo Core::form_register('update_user'); ?>
<input type="hidden" name="tab" value="<?php echo scrub_out($_REQUEST['tab']); ?>" />
- <input type="hidden" name="form_string" value="<?php echo $form_string; ?>" />
<input class="button" type="submit" value="<?php echo _('Update Account'); ?>" />
</div>
diff --git a/templates/show_index.inc.php b/templates/show_index.inc.php
index 605b4d42..497b1b3b 100644
--- a/templates/show_index.inc.php
+++ b/templates/show_index.inc.php
@@ -41,6 +41,7 @@
<div id="recently_played">
<?php
$data = Song::get_recently_played();
+ Song::build_cache(array_keys($data));
show_box_top(_('Recently Played'));
require_once Config::get('prefix') . '/templates/show_recently_played.inc.php';
show_box_bottom();
diff --git a/templates/show_preferences.inc.php b/templates/show_preferences.inc.php
index af331ab4..89fe61b8 100644
--- a/templates/show_preferences.inc.php
+++ b/templates/show_preferences.inc.php
@@ -26,17 +26,16 @@
?>
<?php show_box_top(_('Editing') . ' ' . $fullname . ' ' . _('preferences'),'box box_preferences'); ?>
-<form method="post" name="preferences" action="<?php echo Config::get('web_path'); ?>/preferences.php?action=update_preferences" enctype="multipart/form-data">
-<?php
-if ($_REQUEST['tab'] != 'account' && $_REQUEST['tab'] != 'modules') {
- show_preference_box($preferences[$_REQUEST['tab']]);
+<?php if ($_REQUEST['tab'] != 'account' && $_REQUEST['tab'] != 'modules') { ?>
-?>
+<form method="post" name="preferences" action="<?php echo Config::get('web_path'); ?>/preferences.php?action=update_preferences" enctype="multipart/form-data">
+<?php show_preference_box($preferences[$_REQUEST['tab']]); ?>
<div class="formValidation">
<input class="button" type="submit" value="<?php echo _('Update Preferences'); ?>" />
+ <?php echo Core::form_register('update_preference'); ?>
<input type="hidden" name="tab" value="<?php echo scrub_out($_REQUEST['tab']); ?>" />
<input type="hidden" name="method" value="<?php echo scrub_out($_REQUEST['action']); ?>" />
- <?php if ($GLOBALS['user']->has_access('100')) { ?>
+ <?php if (Access::check('interface','100')) { ?>
<input type="hidden" name="user_id" value="<?php echo scrub_out($_REQUEST['user_id']); ?>" />
<?php } ?>
</div>
diff --git a/templates/sidebar_home.inc.php b/templates/sidebar_home.inc.php
index 1a44da06..ed059ece 100644
--- a/templates/sidebar_home.inc.php
+++ b/templates/sidebar_home.inc.php
@@ -70,6 +70,7 @@ $ajax_info = Config::get('ajax_url'); $web_path = Config::get('web_path');
<?php } // if playlist_type ?>
</div>
</li>
+<?php } ?>
<li><h4><?php echo _('Playlist'); ?></h4>
<ul class="sb3" id="sb_home_info">
<li id="sb_home_info_CurrentlyPlaying"><a href="<?php echo $web_path; ?>/index.php"><?php echo _('Currently Playing'); ?></a></li>
@@ -95,5 +96,4 @@ $ajax_info = Config::get('ajax_url'); $web_path = Config::get('web_path');
<li id="sb_home_random_advanced"><a href="<?php echo $web_path; ?>/random.php?action=advanced"><?php echo _('Advanced'); ?></a></li>
</ul>
</li>
-<?php } ?>
</ul>