Cleanup and rationalisation of authentication related code. Among other things,

fixes FS#99.

1 files changed, 68 insertions, 70 deletions

diff --git a/login.php b/login.php
index acff1833..d380017b 100644
--- a/login.php
+++ b/login.php
@@ -20,7 +20,7 @@
 
 */
 
-define('NO_SESSION','1');
+define('NO_SESSION', '1');
 require_once 'lib/init.php';
 
 /* We have to create a cookie here because IIS
@@ -35,8 +35,8 @@ Preference::init();
  * page if they aren't in the ACL
  */
 if (Config::get('access_control')) {
-	if (!Access::check_network('interface','','5')) {
-		debug_event('access_denied','Access Denied:' . $_SERVER['REMOTE_ADDR'] . ' is not in the Interface Access list','3');
+	if (!Access::check_network('interface', '', '5')) {
+		debug_event('access_denied', 'Access Denied:' . $_SERVER['REMOTE_ADDR'] . ' is not in the Interface Access list', '3');
 		access_denied();
 		exit();
 	}
@@ -48,8 +48,8 @@ unset($auth);
 /* Check for posted username and password, or appropriate environment
 variable if using HTTP auth */
 if (($_POST['username'] && $_POST['password']) ||
-(in_array('http',Config::get('auth_methods')) &&
-($_SERVER['REMOTE_USER'] || $_SERVER['HTTP_REMOTE_USER']))) {
+	(in_array('http', Config::get('auth_methods')) &&
+	($_SERVER['REMOTE_USER'] || $_SERVER['HTTP_REMOTE_USER']))) {
 
 	if ($_POST['rememberme']) {
 		vauth::create_remember_cookie();
@@ -57,62 +57,76 @@ if (($_POST['username'] && $_POST['password']) ||
 
 	/* If we are in demo mode let's force auth success */
 	if (Config::get('demo_mode')) {
-		$auth['success'] = 1;
-		$auth['info']['username'] = "Admin - DEMO";
-		$auth['info']['fullname'] = "Administrative User";
+		$auth['success']		= true;
+		$auth['info']['username']	= 'Admin - DEMO';
+		$auth['info']['fullname']	= 'Administrative User';
 		$auth['info']['offset_limit']	= 25;
 	}
 	else {
 		if ($_POST['username'] && $_POST['password']) {
-		$username = scrub_in($_POST['username']);
-		$password = scrub_in($_POST['password']);
+			$username = scrub_in($_POST['username']);
+			$password = $_POST['password'];
 		}
 		else {
 			if ($_SERVER['REMOTE_USER']) {
 				$username = $_SERVER['REMOTE_USER'];
 			}
-			else if ($_SERVER['HTTP_REMOTE_USER']) {
+			elseif ($_SERVER['HTTP_REMOTE_USER']) {
 				$username = $_SERVER['HTTP_REMOTE_USER'];
 			}
 			$password = '';
 		}
-		$auth = vauth::authenticate($username, $password);
-		$user = User::get_from_username($username);
 
-		if (!$auth['success']) {
-			debug_event('Login',scrub_out($username) . ' attempted to login and failed','1');
+		$auth = vauth::authenticate($username, $password);
+		
+		if ($auth['success']) {
+			$username = $auth['username'];
+		}
+		else {
+			debug_event('Login', scrub_out($username) . ' attempted to login and failed', '1');
+			Error::add('general', _('Error Username or Password incorrect, please try again'));
 		}
 
-		if ($user->disabled == '1') {
+		$user = User::get_from_username($username);
+
+		if ($user->disabled) {
 			$auth['success'] = false;
-			Error::add('general',_('User Disabled please contact Admin'));
-			debug_event('Login',scrub_out($username) . ' is disabled and attempted to login','1');
+			Error::add('general', _('User Disabled please contact Admin'));
+			debug_event('Login', scrub_out($username) . ' is disabled and attempted to login', '1');
 		} // if user disabled
-
-
-		elseif (!$user->username AND $auth['success']) {
-			/* This is run if we want to auto_create users who don't exist (usefull for non mysql auth) */
-			if (Config::get('auto_create')) {
-
-				$access = Config::get('auto_user') ? User::access_name_to_level(Config::get('auto_user')) : '5';
-				$name = $auth['name'];
-				$email = $auth['email'];
-
-				/* Attempt to create the user */
-				if (!$user->create($username, $name, $email,hash('sha256',mt_rand()), $access)) {
-					$auth['success'] = false;
-					Error::add('general',_('Unable to create new account'));
-				}
-				else {
-					$user = new User($username);
-				}
-			} // End if auto_create
-
+		elseif (Config::get('prevent_multiple_logins')) {
+			$session_ip = $user->is_logged_in();
+			$current_ip = inet_pton($_SERVER['REMOTE_ADDR']);
+			if ($current_ip && ($current_ip != $session_ip)) {
+				$auth['success'] = false;
+				Error::add('general',_('User Already Logged in'));
+				debug_event('Login', scrub_out($username) . ' is already logged in from ' . $session_ip . ' and attempted to login from ' . $current_ip, '1');
+			} // if logged in multiple times
+		} // if prevent multiple logins
+		elseif (Config::get('auto_create') && $auth['success'] &&
+			! $user->username) {
+			/* This is run if we want to autocreate users who don't
+			exist (useful for non-mysql auth) */
+			$access	= Config::get('auto_user') 
+				? User::access_name_to_level(Config::get('auto_user')) 
+				: '5';
+			$name	= $auth['name'];
+			$email	= $auth['email'];
+
+			/* Attempt to create the user */
+			if (User::create($username, $name, $email, 
+				hash('sha256', mt_rand()), $access)) {
+				$user = User::get_from_username($username);
+			}
 			else {
 				$auth['success'] = false;
-				Error::add('general',_('No local account found'));
+				Error::add('general', _('Unable to create new account'));
 			}
-		} // else user isn't disabled
+		} // End if auto_create
+		elseif (!$user->username) {
+			$auth['success'] = false;
+			Error::add('general', _('No local account found'));
+		}
 
 	} // if we aren't in demo mode
 
@@ -120,51 +134,35 @@ if (($_POST['username'] && $_POST['password']) ||
 
 /* If the authentication was a success */
 if ($auth['success']) {
-
-	// Generate the user we need for a few things
-	$user = User::get_from_username($username);
-
-	if (Config::get('prevent_multiple_logins')) {
-		$current_ip = $user->is_logged_in();
-		if ($current_ip AND $current_ip != inet_pton($_SERVER['REMOTE_ADDR'])) {
-			Error::add('general',_('User Already Logged in'));
-			require Config::get('prefix') . '/templates/show_login_form.inc.php';
-			exit;
-		}
-	} // if prevent_multiple_logins
-
 	// $auth->info are the fields specified in the config file
 	//   to retrieve for each user
 	vauth::session_create($auth);
 
-	//
 	// Not sure if it was me or php tripping out,
 	//   but naming this 'user' didn't work at all
-	//
 	$_SESSION['userdata'] = $auth;
 
-	//
 	// Record the IP of this person!
-	//
 	if (Config::get('track_user_ip')) {
 		$user->insert_ip_history();
 	}
 
-	/* Make sure they are actually trying to get to this site and don't try to redirect them back into
-	 * an admin section
-	**/
-	if (substr($_POST['referrer'],0,strlen(Config::get('web_path'))) == Config::get('web_path') AND
-		!strstr($_POST['referrer'],"install.php") AND
-		!strstr($_POST['referrer'],"login.php") AND
-		!strstr($_POST['referrer'],'logout.php') AND
-		!strstr($_POST['referrer'],"update.php") AND
-		!strstr($_POST['referrer'],"activate.php") AND
-		!strstr($_POST['referrer'],"admin")) {
-
-			header("Location: " . $_POST['referrer']);
+	/* Make sure they are actually trying to get to this site and don't try 
+	 * to redirect them back into an admin section
+	 */
+	$web_path = Config::get('web_path');
+	if ((substr($_POST['referrer'], 0, strlen($web_path)) == $web_path) &&
+		strpos($_POST['referrer'], 'install.php')	=== false &&
+		strpos($_POST['referrer'], 'login.php')		=== false &&
+		strpos($_POST['referrer'], 'logout.php')	=== false &&
+		strpos($_POST['referrer'], 'update.php')	=== false &&
+		strpos($_POST['referrer'], 'activate.php')	=== false &&
+		strpos($_POST['referrer'], 'admin')		=== false ) {
+
+			header('Location: ' . $_POST['referrer']);
 			exit();
 	} // if we've got a referrer
-	header("Location: " . Config::get('web_path') . "/index.php");
+	header('Location: ' . Config::get('web_path') . '/index.php');
 	exit();
 } // auth success