
PHP Cross Reference of YOURLS


/includes/ -> auth.php (source)

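   <?php
   /*
    * Authentication gate, meant to be included by pages that require a logged-in user.
    *
    * Flow, as visible in this file:
    *  1. Refuse direct execution when YOURLS_ABSPATH is not defined.
    *  2. Ask yourls_is_valid_user() for a verdict. Anything other than boolean true is
    *     treated as a failure and stops the request: an API error payload in API mode,
    *     the login screen otherwise.
    *  3. On success, fire the 'auth_successful' action, then run the password-storage shim
    *     (auto-hash clear text passwords, warn about MD5 hashes).
    */

   // No direct call
   if( !defined( 'YOURLS_ABSPATH' ) ) die();

   $auth = yourls_is_valid_user();

   // Strict check on purpose: a non-true return (the code below uses it as the failure
   // message) must never be mistaken for a successful login through loose truthiness.
   if( $auth !== true ) {

       // API mode: answer with an error payload instead of an HTML form
       if ( yourls_is_API() ) {
           // NOTE(review): 'format' and 'callback' come straight from the request and are
           // passed on unvalidated. Presumably yourls_api_output() restricts the format and
           // sanitizes the callback name before echoing it; confirm in that function.
           $format = ( isset($_REQUEST['format']) ? $_REQUEST['format'] : 'xml' );
           $callback = ( isset($_REQUEST['callback']) ? $_REQUEST['callback'] : '' );
           yourls_api_output( $format, array(
               'simple' => $auth,
               'message' => $auth,
               'errorCode' => '403',
               'callback' => $callback,
           ) );

       // Regular mode
       } else {
           yourls_login_screen( $auth );
       }

       // Fail closed: nothing after this point may run for an unauthenticated request.
       die();
   }

   yourls_do_action( 'auth_successful' );

   /*
    * The following code is a shim that helps users store passwords securely in config.php
    * by storing a password hash and removing the plaintext or md5
    *
    * TODO: Remove this once real user management is implemented
    */

   // Did we just fail at encrypting passwords, or did we just notice md5 passwords?
   if ( isset( $_GET['dismiss'] ) ) {
       // Bold assumption: the user has either a md5 password or a hashing error. If they have both, they'll
       // see the 2 messages on successive page loads, and can dismiss each one separately.
       //
       // NOTE(review): these are state changes triggered by a plain GET link, and no anti-CSRF
       // token is checked in this file. The effect is limited to hiding a security warning for
       // a week, but consider requiring a nonce here (confirm whether one is verified elsewhere).
       // Also note that any 'dismiss' value, recognised or not, skips the hashing attempt and
       // the MD5 check for this request.

       // Strict comparison: request data is compared as an exact string, with no type juggling.
       if ( $_GET['dismiss'] === 'hasherror' ) {
           yourls_update_option('defer_hashing_error', time() + 86400 * 7); // now + 1 week
       }

       if ( $_GET['dismiss'] === 'md5warning' ) {
           yourls_update_option('defer_md5_warning', time() + 86400 * 7); // now + 1 week
       }

   } else {

       // Encrypt passwords that are clear text
       if ( yourls_maybe_hash_passwords() ) {
           // Returns true on success; any other value is used below as the error text.
           $hash = yourls_hash_passwords_now( YOURLS_CONFIGFILE );
           if ( $hash === true ) {
               // Hashing successful. Remove flag from DB if any.
               if( yourls_get_option( 'defer_hashing_error' ) ) {
                   yourls_delete_option('defer_hashing_error');
               }
           } else {
               // It failed, display message for first time or if last time was a week ago
               if ( time() > yourls_get_option( 'defer_hashing_error' ) or !yourls_get_option( 'defer_hashing_error' ) ) {
                   // NOTE(review): $hash is placed into an HTML notice. This assumes it is an
                   // internally generated error string, never request-derived; verify in
                   // yourls_hash_passwords_now().
                   $message  = yourls_s( 'Could not auto-encrypt passwords. Error was: "%s".', $hash );
                   $message .= ' ';
                   $message .= yourls_s( '<a href="%s">Get help</a>.', 'http://yourls.org/userpassword' );
                   $message .= '</p><p>';
                   $message .= yourls_s( '<a href="%s">Click here</a> to dismiss this message for one week.', '?dismiss=hasherror' );

                   yourls_add_notice( $message );
               }
           }
       }

       // Warn about deprecated MD5 passwords: MD5 is fast to compute, so it offers little
       // resistance to offline guessing if config.php leaks.
       if ( yourls_has_md5_passwords() ) {
           if ( time() > yourls_get_option( 'defer_md5_warning' ) or !yourls_get_option( 'defer_md5_warning' ) ) {
               $message  = yourls_s( 'Password stored as MD5 hash. Please update your config.php file to use more secure password hashes.' );
               $message .= ' ';
               $message .= yourls_s( '<a href="%s">Get help</a>.', 'http://yourls.org/userpassword' );
               $message .= '</p><p>';
               $message .= yourls_s( '<a href="%s">Click here</a> to dismiss this message for one week.', '?dismiss=md5warning' );

               yourls_add_notice( $message );
           }
       } else {
           // No md5 password, remove flag from DB if any.
           if( yourls_get_option( 'defer_md5_warning' ) ) {
               yourls_delete_option('defer_md5_warning');
           }
       }

   }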

