Attached Files | login.php.diff [^] (7,406 bytes) 2009-06-16 15:37 [Show Content] [Hide Content]
--- C:\Users\mtf-us\AppData\Local\Temp\login.php-revBASE.svn001.tmp.php Tue Jun 16 07:34:39 2009
+++ J:\Sit\Sit-SVN\login.php Tue Jun 16 07:33:34 2009
@@ -175,81 +175,83 @@
$portalpassword = cleanvar($_REQUEST['password']);
// Have a look if this is a contact trying to login via ldap
- if ($CONFIG['use_ldap']) authenticateLDAPCustomer($username, $portalpassword );
+ //not sure if this next check will break anything in normal logins but needs to be done as this function does have a return value for success which was ignored before.
+ if ($CONFIG['use_ldap'] && authenticateLDAPCustomer($username, $portalpassword )) //changed due to small bug - if user logs in with blank password, and if LDAP either updates a blank or never sets the user is still logged in even though the password is incorrect, essentially we need to validate return value of this function for success and not just rely on next SQL check
+ {
+ //we need plaintext and md5 as contacts created pre 3.35 will be in plaintext
+ $sql = "SELECT * FROM `{$dbContacts}` WHERE username='{$username}' AND (password='{$portalpassword}' OR password=MD5('{$portalpassword}')) LIMIT 1";
+ $result = mysql_query($sql);
+ if (mysql_error()) trigger_error(mysql_error(),E_USER_WARNING);
+ if (mysql_num_rows($result) >= 1)
+ {
+ $contact = mysql_fetch_object($result);
- //we need plaintext and md5 as contacts created pre 3.35 will be in plaintext
- $sql = "SELECT * FROM `{$dbContacts}` WHERE username='{$username}' AND (password='{$portalpassword}' OR password=MD5('{$portalpassword}')) LIMIT 1";
- $result = mysql_query($sql);
- if (mysql_error()) trigger_error(mysql_error(),E_USER_WARNING);
- if (mysql_num_rows($result) >= 1)
- {
- $contact = mysql_fetch_object($result);
+ // Customer session
+ // Valid user
+ $_SESSION['portalauth'] = TRUE;
+ $_SESSION['contactid'] = $contact->id;
+ $_SESSION['siteid'] = $contact->siteid;
+ $_SESSION['style'] = $CONFIG['portal_interface_style'];
+ $_SESSION['contracts'] = array();
+ $_SESSION['auth'] = FALSE;
- // Customer session
- // Valid user
- $_SESSION['portalauth'] = TRUE;
- $_SESSION['contactid'] = $contact->id;
- $_SESSION['siteid'] = $contact->siteid;
- $_SESSION['style'] = $CONFIG['portal_interface_style'];
- $_SESSION['contracts'] = array();
- $_SESSION['auth'] = FALSE;
+ //get admin contracts
+ if (admin_contact_contracts($_SESSION['contactid'], $_SESSION['siteid']) != NULL)
+ {
+ $admincontracts = admin_contact_contracts($_SESSION['contactid'], $_SESSION['siteid']);
+ $_SESSION['usertype'] = 'admin';
+ }
- //get admin contracts
- if (admin_contact_contracts($_SESSION['contactid'], $_SESSION['siteid']) != NULL)
- {
- $admincontracts = admin_contact_contracts($_SESSION['contactid'], $_SESSION['siteid']);
- $_SESSION['usertype'] = 'admin';
- }
+ //get named contact contracts
+ if (contact_contracts($_SESSION['contactid'], $_SESSION['siteid']) != NULL)
+ {
+ $contactcontracts = contact_contracts($_SESSION['contactid'], $_SESSION['siteid']);
+ if (!isset($_SESSION['usertype']))
+ {
+ $_SESSION['usertype'] = 'contact';
+ }
+ }
- //get named contact contracts
- if (contact_contracts($_SESSION['contactid'], $_SESSION['siteid']) != NULL)
- {
- $contactcontracts = contact_contracts($_SESSION['contactid'], $_SESSION['siteid']);
- if (!isset($_SESSION['usertype']))
- {
- $_SESSION['usertype'] = 'contact';
- }
- }
+ //get other contracts
+ if (all_contact_contracts($_SESSION['contactid'], $_SESSION['siteid']) != NULL)
+ {
+ $allcontracts = all_contact_contracts($_SESSION['contactid'], $_SESSION['siteid']);
+ if (!isset($_SESSION['usertype']))
+ {
+ $_SESSION['usertype'] = 'user';
+ }
+ }
- //get other contracts
- if (all_contact_contracts($_SESSION['contactid'], $_SESSION['siteid']) != NULL)
- {
- $allcontracts = all_contact_contracts($_SESSION['contactid'], $_SESSION['siteid']);
- if (!isset($_SESSION['usertype']))
- {
- $_SESSION['usertype'] = 'user';
- }
- }
+ $_SESSION['contracts'] = array_merge((array)$admincontracts, (array)$contactcontracts, (array)$allcontracts);
- $_SESSION['contracts'] = array_merge((array)$admincontracts, (array)$contactcontracts, (array)$allcontracts);
+ //get entitlement
+ $sql = "SELECT m.*, p.name, ";
+ $sql .= "(m.incident_quantity - m.incidents_used) AS availableincidents ";
+ $sql .= "FROM `{$dbSupportContacts}` AS sc, `{$dbMaintenance}` AS m, `{$dbProducts}` AS p ";
+ $sql .= "WHERE m.product=p.id ";
+ $sql .= "AND sc.contactid='{$_SESSION['contactid']}' AND sc.maintenanceid=m.id ";
+ $sql .= "AND (expirydate > (UNIX_TIMESTAMP(NOW()) - 15778463) OR expirydate = -1) ";
+ $sql .= "AND m.site = {$_SESSION['siteid']} ";
+ $sql .= "UNION SELECT m.*, p.name, ";
+ $sql .= "(m.incident_quantity - m.incidents_used) AS availableincidents ";
+ $sql .= "FROM `{$dbSupportContacts}` AS sc, `{$dbMaintenance}` AS m, `{$dbProducts}` AS p ";
+ $sql .= "WHERE m.product=p.id ";
+ $sql .= "AND m.allcontactssupported = 'yes' ";
+ $sql .= "AND (expirydate > (UNIX_TIMESTAMP(NOW()) - 15778463) OR expirydate = -1) ";
+ $sql .= "AND m.site = {$_SESSION['siteid']} ";
+ $sql .= "ORDER BY expirydate DESC ";
- //get entitlement
- $sql = "SELECT m.*, p.name, ";
- $sql .= "(m.incident_quantity - m.incidents_used) AS availableincidents ";
- $sql .= "FROM `{$dbSupportContacts}` AS sc, `{$dbMaintenance}` AS m, `{$dbProducts}` AS p ";
- $sql .= "WHERE m.product=p.id ";
- $sql .= "AND sc.contactid='{$_SESSION['contactid']}' AND sc.maintenanceid=m.id ";
- $sql .= "AND (expirydate > (UNIX_TIMESTAMP(NOW()) - 15778463) OR expirydate = -1) ";
- $sql .= "AND m.site = {$_SESSION['siteid']} ";
- $sql .= "UNION SELECT m.*, p.name, ";
- $sql .= "(m.incident_quantity - m.incidents_used) AS availableincidents ";
- $sql .= "FROM `{$dbSupportContacts}` AS sc, `{$dbMaintenance}` AS m, `{$dbProducts}` AS p ";
- $sql .= "WHERE m.product=p.id ";
- $sql .= "AND m.allcontactssupported = 'yes' ";
- $sql .= "AND (expirydate > (UNIX_TIMESTAMP(NOW()) - 15778463) OR expirydate = -1) ";
- $sql .= "AND m.site = {$_SESSION['siteid']} ";
- $sql .= "ORDER BY expirydate DESC ";
+ $contractresult = mysql_query($sql);
+ if (mysql_error()) trigger_error(mysql_error(),E_USER_WARNING);
+ while ($contract = mysql_fetch_object($contractresult))
+ {
+ $_SESSION['entitlement'][] = $contract;
+ }
- $contractresult = mysql_query($sql);
- if (mysql_error()) trigger_error(mysql_error(),E_USER_WARNING);
- while ($contract = mysql_fetch_object($contractresult))
- {
- $_SESSION['entitlement'][] = $contract;
- }
-
- header("Location: portal/");
- exit;
- }
+ header("Location: portal/");
+ exit;
+ }
+ }
else
{
// Login failure
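Review bot: The new condition on the `if ($CONFIG['use_ldap'] && authenticateLDAPCustomer(...))` line makes LDAP success a precondition for the whole contact lookup, so when `use_ldap` is off the block is skipped and every portal login falls through to the `else` login-failure branch at the end of the hunk — the very breakage the added comment above it worries about. The intent reads as "if LDAP is enabled it must succeed", i.e. `if (!$CONFIG['use_ldap'] || authenticateLDAPCustomer($username, $portalpassword))`. Checking the return value also does not by itself close the blank-password hole described in that comment: many LDAP servers treat a simple bind with an empty password as an anonymous bind and report success, so unless authenticateLDAPCustomer (not visible here) rejects empty passwords, guard with `if ($portalpassword === '') { /* treat as login failure */ }` before the call. Since this branch is where `$_SESSION['portalauth']` is set to TRUE, calling `session_regenerate_id(true);` immediately before that assignment would also stop a pre-authentication session id from being carried into the authenticated session. The plaintext-or-MD5 comparison and the string-built query are pre-existing rather than introduced here; whether the latter is injection-safe depends on `cleanvar()` escaping quotes for the mysql_ extension, which cannot be confirmed from this hunk.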