Merge branch 'master' of https://vcs.wybt.net/engelsystem/git

author: Philip Häusler <msquare@notrademark.de> 2012-12-12 22:11:46 +0100
committer: Philip Häusler <msquare@notrademark.de> 2012-12-12 22:11:46 +0100
commit: 518f8d0d586280de05d5b21417a9d61a94dd1c01 (patch)
tree: f5dbbc05f7ad6490dfe9586a5f3d4304ab537204 /includes
parent: 572a986e480c5273742720f888010950a15be029 (diff)
parent: db95fe6485f13c0041bbafbb0004b171cd9122e7 (diff)
6 files changed, 91 insertions, 68 deletions
diff --git a/includes/pages/admin_user.php b/includes/pages/admin_user.php
index 3c26062b..d9f5d749 100644
--- a/includes/pages/admin_user.php
+++ b/includes/pages/admin_user.php
@@ -240,7 +240,7 @@ function admin_user() {
 
         case 'change_pw' :
           if ($_REQUEST['new_pw'] != "" && $_REQUEST['new_pw'] == $_REQUEST['new_pw2']) {
-            sql_query("UPDATE `User` SET `Passwort`='" . sql_escape(PassCrypt($_REQUEST['new_pw'])) . "' WHERE `UID`=" . sql_escape($id) . " LIMIT 1");
+            set_password($id, $_REQUEST['new_pw']);
             $html .= success("Passwort neu gesetzt.", true);
           } else {
             $html .= error("Die Eingaben müssen übereinstimmen und dürfen nicht leer sein!", true);
diff --git a/includes/pages/guest_login.php b/includes/pages/guest_login.php
index c75327de..db479388 100644
--- a/includes/pages/guest_login.php
+++ b/includes/pages/guest_login.php
@@ -71,10 +71,8 @@ function guest_register() {
       }
     }
 
-    if (isset ($_REQUEST['password']) && strlen($_REQUEST['password']) >= 6) {
-      if ($_REQUEST['password'] == $_REQUEST['password2']) {
-        $password_hash = PassCrypt($_REQUEST['password']);
-      } else {
+    if (isset ($_REQUEST['password']) && strlen($_REQUEST['password']) >= MIN_PASSWORD_LENGTH) {
+      if ($_REQUEST['password'] != $_REQUEST['password2']) {
         $ok = false;
         $msg .= error(Get_Text("makeuser_error_password1"), true);
       }
@@ -112,9 +110,10 @@ function guest_register() {
           "', `email`='" . sql_escape($mail) . "', `ICQ`='" . sql_escape($icq) . "', `jabber`='" . sql_escape($jabber) . "', `Size`='" . sql_escape($tshirt_size) .
           "', `Passwort`='" . sql_escape($password_hash) . "', `kommentar`='" . sql_escape($comment) . "', `Hometown`='" . sql_escape($hometown) . "', `CreateDate`=NOW(), `Sprache`='" . sql_escape($_SESSION["Sprache"]) . "'");
 
-      // Assign user-group
+      // Assign user-group and set password
       $user_id = sql_id();
       sql_query("INSERT INTO `UserGroups` SET `uid`=" . sql_escape($user_id) . ", `group_id`=-2");
+      set_password($user_id, $_REQUEST['password']);
 
       // Assign angel-types
       foreach ($selected_angel_types as $selected_angel_type_id)
@@ -176,7 +175,7 @@ function guest_login() {
       if (count($login_user) > 0) {
         $login_user = $login_user[0];
         if (isset ($_REQUEST['password'])) {
-          if ($login_user['Passwort'] != PassCrypt($_REQUEST['password'])) {
+          if (!verify_password($_REQUEST['password'], $login_user['Passwort'], $login_user['UID'])) {
             $ok = false;
             $msg .= error(Get_Text("pub_index_pass_no_ok"), true);
           }
diff --git a/includes/pages/user_myshifts.php b/includes/pages/user_myshifts.php
index a4de1c1b..390b3b01 100644
--- a/includes/pages/user_myshifts.php
+++ b/includes/pages/user_myshifts.php
@@ -58,9 +58,9 @@ function user_myshifts() {
 			$shift = $shift[0];
 			if (($shift['start'] - time() < $LETZTES_AUSTRAGEN * 60) || in_array('user_shifts_admin', $privileges)) {
 				sql_query("DELETE FROM `ShiftEntry` WHERE `id`=" . sql_escape($id) . " LIMIT 1");
-				$msg .= success("Du wurdest aus der Schicht ausgetragen.", true);
+				$msg .= success(Get_Text("pub_myshifts_signed_off"), true);
 			} else
-				$msg .= error("Es ist zu spät um sich aus der Schicht auszutragen. Frage ggf. einen Orga.", true);
+				$msg .= error(Get_Text("pub_myshifts_too_late"), true);
 		} else
 			redirect(page_link_to('user_myshifts'));
 	}
@@ -78,24 +78,25 @@ function user_myshifts() {
 		$html .= '<td>' . $shift['name'] . '</td>';
 		$html .= '<td>' . $shift['Comment'] . '</td>';
 		$html .= '<td>';
-		$html .= '<a href="' . page_link_to('user_myshifts') . '&edit=' . $shift['id'] . '">bearbeiten</a>';
+		$html .= '<a href="' . page_link_to('user_myshifts') . '&edit=' . $shift['id'] . '">' . Get_Text('edit') . '</a>';
 		if ($shift['start'] - time() > $LETZTES_AUSTRAGEN * 60)
-			$html .= ' | <a href="' . page_link_to('user_myshifts') . '&cancel=' . $shift['id'] . '">austragen</a>';
+			$html .= ' | <a href="' . page_link_to('user_myshifts') . '&cancel=' . $shift['id'] . '">' . Get_Text('sign_off') . '</a>';
 		$html .= '</td>';
 		$html .= '</tr>';
 	}
 	if ($html == "")
-		$html = '<tr><td>Keine...</td><td></td><td></td><td></td><td></td><td>Gehe zum <a href="' . page_link_to('user_shifts') . '">Schichtplan</a> um Dich für Schichten einzutragen.</td></tr>';
+		$html = '<tr><td>' . ucfirst(Get_Text('none')) . '...</td><td></td><td></td><td></td><td></td><td>' . sprintf(Get_Text('pub_myshifts_goto_shifts'), page_link_to('user_shifts')) . '</td></tr>';
 
 	if ($shifts_user['ical_key'] == "")
 		user_reset_ical_key($shifts_user);
 
 	return msg().template_render('../templates/user_myshifts.html', array (
-		'h' => $LETZTES_AUSTRAGEN,
+		'intro' => sprintf(Get_Text('pub_myshifts_intro'), $LETZTES_AUSTRAGEN),
 		'shifts' => $html,
 		'msg' => $msg,
-		'ical_link' => page_link_to_absolute('ical') . '&key=' . $shifts_user['ical_key'],
-		'reset_link' => page_link_to('user_myshifts') . '&reset'
-	));
+		'ical_text' => sprintf(Get_Text('inc_schicht_ical_text'),
+			page_link_to_absolute('ical') . '&key=' . $shifts_user['ical_key'],
+			page_link_to('user_myshifts') . '&reset'),
+));
 }
-?>
-\ No newline at end of file
+?>
diff --git a/includes/pages/user_settings.php b/includes/pages/user_settings.php
index 5ea4af27..cfeb38cf 100644
--- a/includes/pages/user_settings.php
+++ b/includes/pages/user_settings.php
@@ -114,29 +114,17 @@ function user_settings() {
 	elseif (isset ($_REQUEST['submit_password'])) {
 		$ok = true;
 
-		if (!isset ($_REQUEST['password']) || $user['Passwort'] != PassCrypt($_REQUEST['password'])) {
-			$ok = false;
+		if (!isset ($_REQUEST['password']) || !verify_password($_REQUEST['password'], $user['Passwort'], $user['UID']))
 			$msg .= error(Get_Text(30), true);
-		}
-
-		if (isset ($_REQUEST['new_password']) && strlen($_REQUEST['new_password']) >= 6) {
-			if ($_REQUEST['new_password'] == $_REQUEST['new_password2']) {
-				$password_hash = PassCrypt($_REQUEST['new_password']);
-			} else {
-				$ok = false;
-				$msg .= error(Get_Text("makeuser_error_password1"), true);
-			}
-		} else {
-			$ok = false;
-			$msg .= error(Get_Text("makeuser_error_password2"), true);
-		}
-
-		if ($ok) {
-			sql_query("UPDATE `User` SET `Passwort`='" . sql_escape($password_hash) . "' WHERE `UID`=" . sql_escape($user['UID']));
-
+		elseif (strlen($_REQUEST['new_password']) <= MIN_PASSWORD_LENGTH)
+			$msg .= error(Get_Text("makeuser_error_password2"));
+		elseif ($_REQUEST['new_password'] != $_REQUEST['new_password2'])
+			$msg .= error(Get_Text("makeuser_error_password1"), true);
+		elseif(set_password($user['UID'], $_REQUEST['new_password']))
 			success("Password saved.");
-			redirect(page_link_to('user_settings'));
-		}
+		else
+			error("Failed setting password.");
+		redirect(page_link_to('user_settings'));
 	}
 	elseif (isset ($_REQUEST['submit_theme'])) {
 		$ok = true;
diff --git a/includes/pages/user_shifts.php b/includes/pages/user_shifts.php
index c144733d..785fc8ab 100644
--- a/includes/pages/user_shifts.php
+++ b/includes/pages/user_shifts.php
@@ -268,14 +268,16 @@ function view_user_shifts() {
     $types = sql_select("SELECT `id`, `name` FROM `AngelTypes`");
   else
     $types = sql_select("SELECT `AngelTypes`.`id`, `AngelTypes`.`name` FROM `UserAngelTypes` JOIN `AngelTypes` ON (`UserAngelTypes`.`angeltype_id` = `AngelTypes`.`id`) WHERE `UserAngelTypes`.`user_id` = " . sql_escape($user['UID']) . " AND (`AngelTypes`.`restricted` = 0 OR NOT `UserAngelTypes`.`confirm_user_id` IS NULL)");
+  if (empty($types))
+    $types = sql_select("SELECT `id`, `name` FROM `AngelTypes` WHERE `restricted` = 0");
   $filled = array (
     array (
       'id' => '1',
-      'name' => 'Volle'
+      'name' => Get_Text('occupied')
     ),
     array (
       'id' => '0',
-      'name' => 'Freie'
+      'name' => Get_Text('free')
     )
   );
 
@@ -347,9 +349,10 @@ function view_user_shifts() {
       $query .= "`shift_id` = " . sql_escape($shift['SID']);
     else
       $query .= "`room_id` = " . sql_escape($shift['RID']);
-    $query .= "		AND `count` > 0
-    AND `angel_type_id` IN (" . implode(',', $_SESSION['user_shifts']['types']) . ")
-    ORDER BY `AngelTypes`.`name`";
+    $query .= "		AND `count` > 0 ";
+    if (!empty($_SESSION['user_shifts']['types']))
+      $query .= "AND `angel_type_id` IN (" . implode(',', $_SESSION['user_shifts']['types']) . ") ";
+    $query .= "ORDER BY `AngelTypes`.`name`";
     $angeltypes = sql_select($query);
 
     if (count($angeltypes) > 0) {
@@ -363,12 +366,15 @@ function view_user_shifts() {
           else
             $entry_list[] = $entry['Nick'];
         }
+        // do we need more angles of this type?
         if ($angeltype['count'] - count($entries) > 0) {
-          if ((time() < $shift['end'] && !$my_shift) || in_array('user_shifts_admin', $privileges)) {
-            $entry_list[] = '<a href="' . page_link_to('user_shifts') . '&shift_id=' . $shift['SID'] . '&type_id=' . $angeltype['id'] . '">' . ($angeltype['count'] - count($entries)) . ' Helfer' . ($angeltype['count'] - count($entries) != 1 ? '' : '') . ' gebraucht &raquo;</a>';
-          } else {
-            $entry_list[] = ($angeltype['count'] - count($entries)) . ' Helfer gebraucht';
-          }
+          $inner_text = ($angeltype['count'] - count($entries)) . ' ' . Get_Text($angeltype['count'] - count($entries) == 1 ? 'helper' : 'helpers') . ' ' . Get_Text('needed');
+          // is the shift still running or alternatively is the user shift admin?
+          if ((time() < $shift['end'] && !$my_shift) || in_array('user_shifts_admin', $privileges))
+            $entry_list[] = '<a href="' . page_link_to('user_shifts') . '&shift_id=' . $shift['SID'] . '&type_id=' . $angeltype['id'] . '">' . $inner_text . ' &raquo;</a>';
+          else
+            $entry_list[] = $inner_text;
+          unset($inner_text);
           $is_free = true;
         }
 
@@ -391,13 +397,16 @@ function view_user_shifts() {
     user_reset_ical_key($user);
 
   return msg() . template_render('../templates/user_shifts.html', array (
-    'room_select' => make_select($rooms, $_SESSION['user_shifts']['rooms'], "rooms", "Räume"),
-    'day_select' => make_select($days, $_SESSION['user_shifts']['days'], "days", "Tage"),
-    'type_select' => make_select($types, $_SESSION['user_shifts']['types'], "types", "Aufgaben"),
-    'filled_select' => make_select($filled, $_SESSION['user_shifts']['filled'], "filled", "Besetzung"),
+    'room_select' => make_select($rooms, $_SESSION['user_shifts']['rooms'], "rooms", ucfirst(Get_Text("rooms"))),
+    'day_select' => make_select($days, $_SESSION['user_shifts']['days'], "days", ucfirst(Get_Text("days"))),
+    'type_select' => make_select($types, $_SESSION['user_shifts']['types'], "types", ucfirst(Get_Text("tasks")) . '<sup>1</sup>'),
+    'filled_select' => make_select($filled, $_SESSION['user_shifts']['filled'], "filled", ucfirst(Get_Text("occupancy"))),
+    'task_notice' => '<sup>1</sup>' . Get_Text("pub_schichtplan_tasks_notice"),
     'shifts_table' => $shifts_table,
-    'ical_link' => make_user_shifts_ical_link($user['ical_key']),
-    'reset_link' => page_link_to('user_myshifts') . '&reset'
+    'ical_text' => sprintf(Get_Text('inc_schicht_ical_text'), make_user_shifts_ical_link($user['ical_key']), page_link_to('user_myshifts') . '&reset'),
+    'header1' => ucfirst(Get_Text("time")) . "/" . ucfirst(Get_Text("room")),
+    'header2' => ucfirst(Get_Text("entries")),
+    'filter' => ucfirst(Get_Text("to_filter")),
   ));
 }
 
@@ -430,8 +439,8 @@ function make_select($items, $selected, $name, $title = null) {
   $html .= implode("\n", $html_items);
   $html .= '</ul>' . "\n";
   $html .= buttons(array (
-    button("javascript: check_all('selection_" . $name . "')", "Alle", ""),
-    button("javascript: uncheck_all('selection_" . $name . "')", "Keine", "")
+    button("javascript: check_all('selection_" . $name . "')", Get_Text("all"), ""),
+    button("javascript: uncheck_all('selection_" . $name . "')", Get_Text("none"), "")
   ));
   $html .= '</div>' . "\n";
   return $html;
diff --git a/includes/sys_auth.php b/includes/sys_auth.php
index e1869029..68cf17e4 100644
--- a/includes/sys_auth.php
+++ b/includes/sys_auth.php
@@ -28,15 +28,40 @@ function load_auth() {
 	$privileges = isset ($user) ? privileges_for_user($user['UID']) : privileges_for_group(-1);
 }
 
-function PassCrypt($passwort) {
-	global $crypt_system;
-
-	switch ($crypt_system) {
-		case "crypt" :
-			return "{crypt}" . crypt($passwort, "77");
-		case "md5" :
-			return md5($passwort);
+// generate a salt (random string) of arbitrary length suitable for the use with crypt()
+function generate_salt($length = 16) {
+	$alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
+	$salt = "";
+	for ($i = 0; $i < $length; $i++) {
+		$salt .= $alphabet[rand(0, strlen($alphabet)-1)];
 	}
+	return $salt;
+}
+
+// set the password of a user
+function set_password($uid, $password) {
+	$res = sql_query("UPDATE `User` SET `Passwort` = '" . sql_escape(crypt($password, CRYPT_ALG . '$' . generate_salt(16) . '$')) . "' WHERE `UID` = " . intval($uid) . " LIMIT 1");
+	return $res && (mysql_affected_rows() > 0);
+}
+
+// verify a password given a precomputed salt.
+// if $uid is given and $salt is an old-style salt (plain md5), we convert it automatically
+function verify_password($password, $salt, $uid = false) {
+	$correct = false;
+	if (substr($salt, 0, 1) == '$') // new-style crypt()
+		$correct = crypt($password, $salt) == $salt;
+	elseif (substr($salt, 0, 7) == '{crypt}') // old-style crypt() with DES and static salt - not used anymore
+		$correct = crypt($password, '77') == $salt;
+	elseif (strlen($salt) == 32) // old-style md5 without salt - not used anymore
+		$correct = md5($password) == $salt;
+
+	if($correct && substr($salt, 0, strlen(CRYPT_ALG)) != CRYPT_ALG && $uid) {
+		// this password is stored in another format than we want it to be.
+		// let's update it!
+		// we duplicate the query from the above set_password() function to have the extra safety of checking the old hash
+		sql_query("UPDATE `User` SET `Passwort` = '" . sql_escape(crypt($password, CRYPT_ALG . '$' . generate_salt() . '$')) . "' WHERE `UID` = " . intval($uid) . " AND `Passwort` = '" . sql_escape($salt) . "' LIMIT 1");
+	}
+	return $correct;
 }
 
 // JSON Authorisierungs-Schnittstelle
@@ -50,11 +75,12 @@ function json_auth_service() {
 	$SourceOuth = $_REQUEST['so'];
 
 	if (isset ($CurrentExternAuthPass) && $SourceOuth == $CurrentExternAuthPass) {
-		$sql = "SELECT * FROM `User` WHERE `Nick`='" . sql_escape($User) . "'";
-		$Erg = sql_query($sql);
+		$sql = "SELECT `UID`, `Passwort` FROM `User` WHERE `Nick`='" . sql_escape($User) . "'";
+		$Erg = sql_select($sql);
 
-		if (mysql_num_rows($Erg) == 1) {
-			if (mysql_result($Erg, 0, "Passwort") == PassCrypt($Pass)) {
+		if (count($Erg) == 1) {
+			$Erg = $Erg[0];
+			if (verify_password($Pass, $Erg["Passwort"], $Erg["UID"])) {
 				$UID = mysql_result($Erg, 0, "UID");
 
 				$user_privs = sql_select("SELECT `Privileges`.`name` FROM `User` JOIN `UserGroups` ON (`User`.`UID` = `UserGroups`.`uid`) JOIN `GroupPrivileges` ON (`UserGroups`.`group_id` = `GroupPrivileges`.`group_id`) JOIN `Privileges` ON (`GroupPrivileges`.`privilege_id` = `Privileges`.`id`) WHERE `User`.`UID`=" . sql_escape($UID) . ";");
author	Philip Häusler <msquare@notrademark.de>	2012-12-12 22:11:46 +0100
committer	Philip Häusler <msquare@notrademark.de>	2012-12-12 22:11:46 +0100
commit	518f8d0d586280de05d5b21417a9d61a94dd1c01 (patch)
tree	f5dbbc05f7ad6490dfe9586a5f3d4304ab537204 /includes
parent	572a986e480c5273742720f888010950a15be029 (diff)
parent	db95fe6485f13c0041bbafbb0004b171cd9122e7 (diff)