forked from osTicket/osTicket
-
Notifications
You must be signed in to change notification settings - Fork 0
/
login.php
156 lines (137 loc) · 5.69 KB
/
login.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
<?php
/*********************************************************************
login.php
User access link recovery
TODO: This is a temp. fix to allow for collaboration in lieu of real
username and password coming in 1.8.2
Peter Rotich <[email protected]>
Copyright (c) 2006-2013 osTicket
http://www.osticket.com
Released under the GNU General Public License WITHOUT ANY WARRANTY.
See LICENSE.TXT for details.
vim: expandtab sw=4 ts=4 sts=4:
**********************************************************************/
require_once('client.inc.php');
if(!defined('INCLUDE_DIR')) die('Fatal Error');
define('CLIENTINC_DIR',INCLUDE_DIR.'client/');
define('OSTCLIENTINC',TRUE); //make includes happy
require_once(INCLUDE_DIR.'class.client.php');
require_once(INCLUDE_DIR.'class.ticket.php');
if ($cfg->getClientRegistrationMode() == 'disabled'
|| isset($_POST['lticket']))
$inc = 'accesslink.inc.php';
else
$inc = 'login.inc.php';
$suggest_pwreset = false;
// Check the CSRF token, and ensure that future requests will have to use a
// different CSRF token. This will help ward off both parallel and serial
// brute force attacks, because new tokens will have to be requested for
// each attempt.
if ($_POST) {
// Check CSRF token
if (!$ost->checkCSRFToken())
Http::response(400, __('Valid CSRF Token Required'));
// Rotate the CSRF token (original cannot be reused)
$ost->getCSRF()->rotate();
}
if ($_POST && isset($_POST['luser'])) {
if (!$_POST['luser'])
$errors['err'] = __('Valid username or email address is required');
elseif (($user = UserAuthenticationBackend::process(trim($_POST['luser']),
$_POST['lpasswd'], $errors))) {
if ($user instanceof ClientCreateRequest) {
if ($cfg && $cfg->isClientRegistrationEnabled()) {
// Attempt to automatically register
if ($user->attemptAutoRegister())
Http::redirect('tickets.php');
// Auto-registration failed. Show the user the info we have
$inc = 'register.inc.php';
$user_form = UserForm::getUserForm()->getForm($user->getInfo());
}
else {
$errors['err'] = __('Access Denied. Contact your help desk administrator to have an account registered for you');
// fall through to show login page again
}
}
else {
Http::redirect($_SESSION['_client']['auth']['dest']
?: 'tickets.php');
}
} elseif(!$errors['err']) {
$errors['err'] = sprintf('%s - %s', __('Invalid username or password'), __('Please try again!'));
}
$suggest_pwreset = true;
}
elseif ($_POST && isset($_POST['lticket'])) {
if (!Validator::is_email($_POST['lemail']))
$errors['err'] = __('Valid email address and ticket number required');
elseif (($user = UserAuthenticationBackend::process($_POST['lemail'],
$_POST['lticket'], $errors))) {
// If email address verification is not required, then provide
// immediate access to the ticket!
if (!$cfg->isClientEmailVerificationRequired())
Http::redirect('tickets.php');
// This will succeed as it is checked in the authentication backend
$ticket = Ticket::lookupByNumber($_POST['lticket'], $_POST['lemail']);
// We're using authentication backend so we can guard aganist brute
// force attempts (which doesn't buy much since the link is emailed)
if ($ticket) {
$ticket->sendAccessLink($user);
$msg = sprintf(__("%s - access link sent to your email!"),
Format::htmlchars($user->getName()->getFirst()));
$_POST = null;
} else {
$errors['err'] = sprintf('%s - %s',
__('Invalid email or ticket number'),
__('Please try again!'));
}
} elseif(!$errors['err']) {
$errors['err'] = sprintf('%s - %s', __('Invalid email or ticket number'), __('Please try again!'));
}
}
elseif (isset($_GET['do'])) {
switch($_GET['do']) {
case 'ext':
// Lookup external backend
if ($bk = UserAuthenticationBackend::getBackend($_GET['bk'])) {
$result = $bk->triggerAuth();
if ($result instanceof AccessDenied) {
$errors['err'] = $result->getMessage();
}
}
}
}
elseif ($user = UserAuthenticationBackend::processSignOn($errors, false)) {
// Users from the ticket access link
if ($user && $user instanceof TicketUser && $user->getTicketId())
Http::redirect('tickets.php?id='.$user->getTicketId());
// Users imported from an external auth backend
elseif ($user instanceof ClientCreateRequest) {
if ($cfg && $cfg->isClientRegistrationEnabled()) {
// Attempt to automatically register
if ($user->attemptAutoRegister())
Http::redirect('tickets.php');
// Unable to auto-register. Fill in what we have and let the
// user complete the info
$inc = 'register.inc.php';
}
else {
$errors['err'] = __('Access Denied. Contact your help desk administrator to have an account registered for you');
// fall through to show login page again
}
}
elseif ($user instanceof AuthenticatedUser) {
Http::redirect($_SESSION['_client']['auth']['dest']
?: 'tickets.php');
}
}
if (!$nav) {
$nav = new UserNav();
$nav->setActiveNav('status');
}
// Browsers shouldn't suggest saving that username/password
Http::response(422);
require CLIENTINC_DIR.'header.inc.php';
require CLIENTINC_DIR.$inc;
require CLIENTINC_DIR.'footer.inc.php';
?>