Merge lp:~dangarner/xibo/396735 into lp:xibo/1.0

Proposed by Dan Garner
Status: Merged
Merged at revision: not available
Proposed branch: lp:~dangarner/xibo/396735
Merge into: lp:xibo/1.0
Diff against target: None lines
To merge this branch: bzr merge lp:~dangarner/xibo/396735
Reviewer Review Type Date Requested Status
Xibo Maintainters Pending
Review via email: mp+8784@code.launchpad.net

=== modified file 'server/lib/app/session.class.php'
--- server/lib/app/session.class.php 2008-12-19 22:10:39 +0000
+++ server/lib/app/session.class.php 2009-07-07 20:01:49 +0000
@@ -29,7 +29,8 @@
29 29
30 public $isExpired = 1;30 public $isExpired = 1;
3131
32 function __construct(database $db) {32 function __construct(database $db)
33 {
33 $this->db =& $db;34 $this->db =& $db;
34 35
35 session_set_save_handler(array(&$this, 'open'),36 session_set_save_handler(array(&$this, 'open'),
@@ -64,38 +65,27 @@
64 {65 {
65 $db =& $this->db;66 $db =& $this->db;
66 67
67 $userAgent = $_SERVER['HTTP_USER_AGENT'];68 $userAgent = Kit::GetParam('HTTP_USER_AGENT', $_SERVER, _STRING, 'No user agent');
68 $remoteAddr = $_SERVER['REMOTE_ADDR'];69 $remoteAddr = Kit::GetParam('REMOTE_ADDR', $_SERVER, _STRING);
70 $securityToken = Kit::GetParam('SecurityToken', _POST, _STRING, null);
69 71
70 $this->key = $key;72 $this->key = $key;
71 $newExp = time() + $this->max_lifetime;73 $newExp = time() + $this->max_lifetime;
72 74
73 $this->gc($this->max_lifetime);75 $this->gc($this->max_lifetime);
74 76
75 if(isset($_POST['SecurityToken'])) 77 // Get this session
76 {
77 $securityToken = validate($_POST['SecurityToken']);
78
79 if (!$securityToken)
80 {
81 log_entry($db, "error", "Invalid Security Token");
82 $securityToken = null;
83 }
84 }
85 else
86 {
87 $securityToken = null;
88 }
89
90 $SQL = " SELECT session_data, IsExpired, SecurityToken FROM session ";78 $SQL = " SELECT session_data, IsExpired, SecurityToken FROM session ";
91 $SQL .= " WHERE session_id = '$key' ";79 $SQL .= " WHERE session_id = '%s' ";
92 $SQL .= " AND RemoteAddr = '$remoteAddr' ";80 $SQL .= " AND UserAgent = '%s' ";
93 81
94 if (!$result = $db->query($SQL));82 $SQL = sprintf($SQL, $db->escape_string($key), $db->escape_string($userAgent));
83
84 $result = $db->query($SQL);
95 85
96 if ($db->num_rows($result) != 0) 86 if ($db->num_rows($result) != 0)
97 {87 {
98 88 // Get the row
99 $row = $db->get_row($result);89 $row = $db->get_row($result);
100 90
101 // We have the Key and the Remote Address.91 // We have the Key and the Remote Address.
@@ -109,10 +99,10 @@
109 // We have a security token, so dont require a login99 // We have a security token, so dont require a login
110 $this->isExpired = 0;100 $this->isExpired = 0;
111 101
112 if (!$db->query("UPDATE session SET session_expiration = $newExp, isExpired = 0 WHERE session_id = '$key' "))102 if (!$db->query(sprintf("UPDATE session SET session_expiration = $newExp, isExpired = 0 WHERE session_id = '%s' ", $db->escape_string($key))))
113 {103 {
114 log_entry($db, "error", $db->error());104 log_entry($db, "error", $db->error());
115 } 105 }
116 }106 }
117 else107 else
118 {108 {
@@ -123,49 +113,55 @@
123 }113 }
124 114
125 // Either way - update this SESSION so that the security token is NULL115 // Either way - update this SESSION so that the security token is NULL
126 $db->query("UPDATE session SET SecurityToken = NULL WHERE session_id = '$key' ");116 $db->query(sprintf("UPDATE session SET SecurityToken = NULL WHERE session_id = '%s' ", $db->escape_string($key)));
127 117
128 return($row[0]);118 return($row[0]);
129 }119 }
130 else {120 else
121 {
131 $empty = '';122 $empty = '';
132 return settype($empty, "string");123 return settype($empty, "string");
133 }124 }
134 }125 }
135 126
136 function write($key, $val) {127 function write($key, $val)
137 128 {
138 $db =& $this->db;129 $db =& $this->db;
139
140 $val = addslashes($val);
141 130
142 $newExp = time() + $this->max_lifetime;131 $newExp = time() + $this->max_lifetime;
143 $lastaccessed = date("Y-m-d H:i:s");132 $lastaccessed = date("Y-m-d H:i:s");
144 $userAgent = $_SERVER['HTTP_USER_AGENT'];133 $userAgent = Kit::GetParam('HTTP_USER_AGENT', $_SERVER, _STRING, 'No user agent');
145 $remoteAddr = $_SERVER['REMOTE_ADDR'];134 $remoteAddr = Kit::GetParam('REMOTE_ADDR', $_SERVER, _STRING);
146 135
147 $result = $db->query("SELECT session_id FROM session WHERE session_id = '$key'");136 $result = $db->query(sprintf("SELECT session_id FROM session WHERE session_id = '%s'", $db->escape_string($key)));
148 137
149 if ($db->num_rows($result) == 0) 138 if ($db->num_rows($result) == 0)
150 {139 {
151 //INSERT140 //INSERT
152 $SQL = "INSERT INTO session (session_id, session_data, session_expiration, LastAccessed, LastPage, userID, IsExpired, UserAgent, RemoteAddr) 141 $SQL = "INSERT INTO session (session_id, session_data, session_expiration, LastAccessed, LastPage, userID, IsExpired, UserAgent, RemoteAddr)
153 VALUES ('$key','$val',$newExp,'$lastaccessed','login', NULL, 0, '$userAgent', '$remoteAddr')";142 VALUES ('%s', '%s', %d, '%s', 'login', NULL, 0, '%s', '%s')";
143
144 $SQL = sprintf($SQL, $db->escape_string($key), $db->escape_string($val), $newExp, $db->escape_string($lastaccessed), $db->escape_string($userAgent), $db->escape_string($remoteAddr));
154 }145 }
155 else 146 else
156 {147 {
157 //UPDATE148 //UPDATE
158 $SQL = "UPDATE session SET ";149 $SQL = "UPDATE session SET ";
159 $SQL .= " session_data = '$val', ";150 $SQL .= " session_data = '%s', ";
160 $SQL .= " session_expiration = '$newExp', ";151 $SQL .= " session_expiration = %d, ";
161 $SQL .= " lastaccessed = '$lastaccessed' ";152 $SQL .= " lastaccessed = '%s', ";
162 $SQL .= " WHERE session_id = '$key' ";153 $SQL .= " RemoteAddr = '%s' ";
154 $SQL .= " WHERE session_id = '%s' ";
155
156 $SQL = sprintf($SQL, $db->escape_string($val), $newExp, $db->escape_string($lastaccessed), $db->escape_string($remoteAddr), $db->escape_string($key));
163 }157 }
164 158
165 if(!$db->query($SQL)) {159 if(!$db->query($SQL))
160 {
166 log_entry($db, "error", $db->error());161 log_entry($db, "error", $db->error());
167 return(false);162 return(false);
168 }163 }
164
169 return true;165 return true;
170 }166 }
171167
@@ -173,7 +169,7 @@
173 {169 {
174 $db =& $this->db;170 $db =& $this->db;
175 171
176 $SQL = "UPDATE session SET IsExpired = 1 WHERE session_id = '$key'";172 $SQL = sprintf("UPDATE session SET IsExpired = 1 WHERE session_id = '%s'", $db->escape_string($key));
177 173
178 $result = $db->query("$SQL"); 174 $result = $db->query("$SQL");
179 175
@@ -193,26 +189,32 @@
193 {189 {
194 $db =& $this->db;190 $db =& $this->db;
195 191
196 $SQL = "UPDATE session SET userID = $userid WHERE session_id = '$key' ";192 $SQL = sprintf("UPDATE session SET userID = %d WHERE session_id = '%s' ",$userid, $db->escape_string($key));
197 193
198 if(!$db->query($SQL)) {194 if(!$db->query($SQL))
195 {
199 trigger_error($db->error(), E_USER_NOTICE);196 trigger_error($db->error(), E_USER_NOTICE);
200 return(false);197 return(false);
201 }198 }
202 return true;199 return true;
203 }200 }
204 201
205 // Update the session (after login)202 /**
206 static function RegenerateSessionID() 203 * Updates the session ID with a new one
204 * @return
205 */
206 public function RegenerateSessionID($oldSessionID)
207 {207 {
208 $old_sess_id = session_id();208 $db =& $this->db;
209 209
210 session_regenerate_id(false);210 session_regenerate_id(false);
211 211
212 $new_sess_id = session_id();212 $new_sess_id = session_id();
213
214 $this->key = $new_sess_id;
213 215
214 $query = "UPDATE `session` SET `session_id` = '$new_sess_id' WHERE session_id = '$old_sess_id'";216 $query = sprintf("UPDATE session SET session_id = '%s' WHERE session_id = '%s'", $db->escape_string($new_sess_id), $db->escape_string($oldSessionID));
215 mysql_query($query);217 $db->query($query);
216 }218 }
217 219
218 function set_page($key, $lastpage) 220 function set_page($key, $lastpage)
@@ -221,9 +223,10 @@
221 223
222 $_SESSION['pagename'] = $lastpage;224 $_SESSION['pagename'] = $lastpage;
223 225
224 $SQL = "UPDATE session SET LastPage = '$lastpage' WHERE session_id = '$key' ";226 $SQL = sprintf("UPDATE session SET LastPage = '%s' WHERE session_id = '%s' ", $db->escape_string($lastpage), $db->escape_string($key));
225 227
226 if(!$db->query($SQL)) {228 if(!$db->query($SQL))
229 {
227 trigger_error($db->error(), E_USER_NOTICE);230 trigger_error($db->error(), E_USER_NOTICE);
228 return(false);231 return(false);
229 }232 }
@@ -236,7 +239,7 @@
236239
237 $this->isExpired = $isExpired;240 $this->isExpired = $isExpired;
238 241
239 $SQL = "UPDATE session SET IsExpired = $this->isExpired WHERE session_id = '$this->key'";242 $SQL = sprintf("UPDATE session SET IsExpired = $this->isExpired WHERE session_id = '%s'", $db->escape_string($this->key));
240 243
241 if (!$db->query($SQL))244 if (!$db->query($SQL))
242 {245 {
@@ -248,7 +251,7 @@
248 {251 {
249 $db =& $this->db;252 $db =& $this->db;
250 253
251 $SQL = "UPDATE session SET securityToken = '$token' WHERE session_id = '$this->key'";254 $SQL = sprintf("UPDATE session SET securityToken = '%s' WHERE session_id = '%s'", $db->escape_string($token), $db->escape_string($this->key));
252 255
253 if (!$db->query($SQL))256 if (!$db->query($SQL))
254 {257 {
255258
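Review bot: The rewritten lookup in read() now binds the session to the User-Agent header instead of RemoteAddr (`$SQL .= " AND UserAgent = '%s' ";`), and User-Agent is a client-supplied value, so anyone holding the session id can satisfy that predicate; `$remoteAddr` is still computed a few lines above but is no longer used anywhere in this hunk, and the surviving comment "We have the Key and the Remote Address." is now stale. If dropping the address check is intentional (clients behind changing proxies, say), that deserves a comment on the WHERE line; otherwise keep both predicates, `$SQL .= " AND UserAgent = '%s' AND RemoteAddr = '%s' ";` with `$db->escape_string($remoteAddr)` appended to the sprintf argument list. The old branch that ran `validate()` on the posted SecurityToken and wrote "Invalid Security Token" to the log is gone, so a malformed token now reaches the comparison silently; the comparison itself lies outside the hunk. In the later setIsExpired hunk the value is still interpolated as `IsExpired = $this->isExpired` rather than passed through sprintf as `%d`, which is inconsistent with the rest of this change. read() starts and ends outside its hunk.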
=== modified file 'server/lib/pages/report.class.php'
--- server/lib/pages/report.class.php 2009-03-13 10:10:07 +0000
+++ server/lib/pages/report.class.php 2009-07-07 19:44:46 +0000
@@ -210,9 +210,7 @@
210 <td>$ip</td>210 <td>$ip</td>
211 <td>$browser</td>211 <td>$browser</td>
212 <td>212 <td>
213 <div class="buttons">213 <button class="XiboFormButton" href="index.php?p=report&q=ConfirmLogout&userid=$userID"><span>Logout</span></a>
214 <a class="neutral" href="index.php?p=report&q=ConfirmLogout&userid=$userID" onclick="return init_button(this,'Logout User', exec_filter_callback, set_form_size(450,150))"><span>Logout</span></a>
215 </div>
216 </td>214 </td>
217 </tr>215 </tr>
218END;216END;
@@ -234,14 +232,15 @@
234 $userID = Kit::GetParam('userid', _GET, _INT);232 $userID = Kit::GetParam('userid', _GET, _INT);
235 233
236 $form = <<<END234 $form = <<<END
237 <form class="dialog_form" method="post" action="index.php?p=report&q=LogoutUser">235 <form class="XiboForm" method="post" action="index.php?p=report&q=LogoutUser">
238 <input type="hidden" name="userid" value="userid" />236 <input type="hidden" name="userid" value="userid" />
239 <p>Are you sure you want to logout this user?</p>237 <p>Are you sure you want to logout this user?</p>
240 <input type="submit" value="Yes">238 <input type="submit" value="Yes">
241 <input type="submit" value="No" onclick="$('#div_dialog').dialog('close');return false; ">239 <input type="submit" value="No" onclick="$('#div_dialog').dialog('close');return false; ">
242 </form>240 </form>
243END;241END;
244 $arh->SetFormSubmitResponse($form);242
243 $arh->SetFormRequestResponse($form, 'Logout User', '450px', '300px');
245 $arh->Respond();244 $arh->Respond();
246 }245 }
247 246
248247
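Review bot: The new logout control in the session-report heredoc opens a `<button>` and closes it with `</a>` (`<button class="XiboFormButton" href="index.php?p=report&q=ConfirmLogout&userid=$userID"><span>Logout</span></a>`), which is malformed HTML and leaves it to each browser how the element and its click handler are parsed; the closing tag should be `</button>`, assuming the XiboFormButton script is what reads the non-standard `href` attribute. `$userID` is interpolated into that href unescaped, as it was before this change, so it should be cast to int or escaped before it reaches the heredoc unless it already is where it is assigned (not visible here). In the ConfirmLogout hunk the unchanged hidden field `<input type="hidden" name="userid" value="userid" />` posts the literal string rather than `$userID`, so the submitted form appears not to carry the user being logged out; this predates the commit but sits on the new side. Both enclosing methods begin outside their hunks.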
=== modified file 'server/modules/module_user_general.php'
--- server/modules/module_user_general.php 2009-03-25 19:36:36 +0000
+++ server/modules/module_user_general.php 2009-07-07 20:01:49 +0000
@@ -89,8 +89,6 @@
89 89
90 $sql = sprintf("SELECT UserID, UserName, UserPassword, usertypeid, groupID FROM user WHERE UserName = '%s' AND UserPassword = '%s'", $db->escape_string($username), $db->escape_string($password));90 $sql = sprintf("SELECT UserID, UserName, UserPassword, usertypeid, groupID FROM user WHERE UserName = '%s' AND UserPassword = '%s'", $db->escape_string($username), $db->escape_string($password));
91 91
92 Debug::LogEntry($db, 'audit', $sql);
93
94 if(!$result = $db->query($sql)) trigger_error('A database error occurred while checking your login details.', E_USER_ERROR);92 if(!$result = $db->query($sql)) trigger_error('A database error occurred while checking your login details.', E_USER_ERROR);
9593
96 if ($db->num_rows($result)==0) 94 if ($db->num_rows($result)==0)
@@ -122,6 +120,7 @@
122 $db->query($SQL) or trigger_error("Can not write last accessed info.", E_USER_ERROR);120 $db->query($SQL) or trigger_error("Can not write last accessed info.", E_USER_ERROR);
123121
124 $session->setIsExpired(0);122 $session->setIsExpired(0);
123 $session->RegenerateSessionID(session_id());
125124
126 return true;125 return true;
127 }126 }
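Review bot: The added `$session->RegenerateSessionID(session_id());` carries no comment on why it sits on the successful-login path, and its position after `$session->setIsExpired(0);` matters because setIsExpired writes under `$this->key`, which RegenerateSessionID then replaces; a line such as `// Rotate the session id after authentication so an id issued before login cannot be reused; must follow setIsExpired, which writes under the old key` would make that explicit. RegenerateSessionID discards the result of its UPDATE and returns nothing, so if the row rename fails the PHP session id still changes and the next read() finds no row, turning the login into a silent logout that this caller cannot detect. Removing the `Debug::LogEntry($db, 'audit', $sql);` line above is right, since that statement wrote the credential-bearing query to the audit log. The enclosing login method begins and ends outside this hunk.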
