summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--includes/authentication.php32
-rw-r--r--login.php18
2 files changed, 34 insertions, 16 deletions
diff --git a/includes/authentication.php b/includes/authentication.php
index 9484f0fc93..73f60b1411 100644
--- a/includes/authentication.php
+++ b/includes/authentication.php
@@ -35,16 +35,10 @@ if (!defined('WT_WEBTREES')) {
exit;
}
-/**
- * authenticate a username and password
- *
- * This function takes the given <var>$username</var> and <var>$password</var> and authenticates
- * them against the database. The passwords are encrypted using the crypt() function.
- * The username is stored in the <var>$_SESSION["wt_user"]</var> session variable.
- * @param string $user_name the username for the user attempting to login
- * @param string $password the plain text password to test
- * @return the user_id if successful, false otherwise
- */
+// authenticate a username and password
+//
+// On success, store the user-id in the session and return it
+// On failure, return an error code
function authenticateUser($user_name, $password) {
// If we were already logged in, log out first
if (getUserId()) {
@@ -53,17 +47,29 @@ function authenticateUser($user_name, $password) {
if ($user_id=get_user_id($user_name)) {
if (check_user_password($user_id, $password)) {
- if (get_user_setting($user_id, 'verified') && get_user_setting($user_id, 'verified_by_admin') || get_user_setting($user_id, 'canadmin')) {
+ $is_admin=get_user_setting($user_id, 'canadmin');
+ $verified=get_user_setting($user_id, 'verified');
+ $approved=get_user_setting($user_id, 'verified_by_admin');
+ if ($verified && $approved || $is_admin) {
// Whenever we change our authorisation level change the session ID
Zend_Session::regenerateId();
$_SESSION['wt_user'] = $user_id;
AddToLog('Login successful', 'auth');
return $user_id;
+ } elseif (!$is_admin && !$verified) {
+ AddToLog('Login failed ->'.$user_name.'<- not verified', 'auth');
+ return -1;
+ } elseif (!$is_admin && !$approved) {
+ AddToLog('Login failed ->'.$user_name.'<- not approved', 'auth');
+ return -2;
}
+ } else {
+ AddToLog('Login failed ->'.$user_name.'<- bad password', 'auth');
+ return -3;
}
}
- AddToLog('Login failed ->'.$user_name.'<-', 'auth');
- return false;
+ AddToLog('Login failed ->'.$user_name.'<- bad username', 'auth');
+ return -4;
}
/**
diff --git a/login.php b/login.php
index 8a59958080..3af985fc2f 100644
--- a/login.php
+++ b/login.php
@@ -52,7 +52,20 @@ if (empty($url)) {
$message='';
if ($action=='login') {
- if ($user_id=authenticateUser($username, $password)) {
+ $user_id=authenticateUser($username, $password);
+ switch ($user_id) {
+ case -1: // not validated
+ $message=WT_I18N::translate('This account has not been verified. Please check your email for a verification message.');
+ break;
+ case -2: // not approved
+ $message=WT_I18N::translate('This account has not been approved. Please wait for an administrator to approve it.');
+ break;
+ case -3: // bad password
+ case -4: // bad username
+ $message=WT_I18N::translate('The username or password is incorrect.');
+ break;
+
+ default: // Success
if ($usertime) {
$_SESSION['usertime']=@strtotime($usertime);
} else {
@@ -105,10 +118,9 @@ if ($action=='login') {
$url .= "&ged=".$ged;
$url = str_replace(array("&&", ".php&", ".php?&"), array("&", ".php?", ".php?"), $url);
+ // Redirect to the target URL
header('Location: '.WT_SERVER_NAME.WT_SCRIPT_PATH.$url);
exit;
- } else {
- $message = WT_I18N::translate('Unable to authenticate user.');
}
} else {
$tSERVER_URL = preg_replace(array("'https?://'", "'www.'", "'/$'"), array("","",""), WT_SERVER_NAME.WT_SCRIPT_PATH);