1<?php
2# MantisBT - A PHP based bugtracking system
3
4# MantisBT is free software: you can redistribute it and/or modify
5# it under the terms of the GNU General Public License as published by
6# the Free Software Foundation, either version 2 of the License, or
7# (at your option) any later version.
8#
9# MantisBT is distributed in the hope that it will be useful,
10# but WITHOUT ANY WARRANTY; without even the implied warranty of
11# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
12# GNU General Public License for more details.
13#
14# You should have received a copy of the GNU General Public License
15# along with MantisBT.  If not, see <http://www.gnu.org/licenses/>.
16
17/**
 * Login page accepts a username and posts it to login_password_page.php,
 * which may accept the user's credentials or redirect to a plugin-specific page.
20 *
21 * This page also offers features like anonymous login and signup.
22 *
23 * @package MantisBT
24 * @copyright Copyright 2000 - 2002  Kenzaburo Ito - kenito@300baud.org
25 * @copyright Copyright 2002  MantisBT Team - mantisbt-dev@lists.sourceforge.net
26 * @link http://www.mantisbt.org
27 *
28 * @uses core.php
29 * @uses authentication_api.php
30 * @uses config_api.php
31 * @uses constant_inc.php
32 * @uses current_user_api.php
33 * @uses database_api.php
34 * @uses gpc_api.php
35 * @uses html_api.php
36 * @uses lang_api.php
37 * @uses print_api.php
38 * @uses string_api.php
39 * @uses user_api.php
40 * @uses utility_api.php
41 */
42
43require_once( 'core.php' );
44require_api( 'authentication_api.php' );
45require_api( 'config_api.php' );
46require_api( 'constant_inc.php' );
47require_api( 'current_user_api.php' );
48require_api( 'database_api.php' );
49require_api( 'gpc_api.php' );
50require_api( 'html_api.php' );
51require_api( 'lang_api.php' );
52require_api( 'print_api.php' );
53require_api( 'string_api.php' );
54require_api( 'user_api.php' );
55require_api( 'utility_api.php' );
56require_css( 'login.css' );
57
# Request parameters; the gpc_* accessors supply defaults and type coercion.
$f_error                 = gpc_get_bool( 'error' );
$f_cookie_error          = gpc_get_bool( 'cookie_error' );
$f_return                = string_sanitize_url( gpc_get_string( 'return', '' ) );
$f_username              = gpc_get_string( 'username', '' );
$f_secure_session        = gpc_get_bool( 'secure_session', false );
$f_secure_session_cookie = gpc_get_cookie( config_get_global( 'cookie_prefix' ) . '_secure_session', null );

# Normalise the submitted username; an invalid one comes back blank so that it
# is never reflected into the form's value attribute (XSS hardening).
$t_username = auth_prepare_username( $f_username );

$t_form_title = lang_get( 'login_title' );

# The field label depends on whether e-mail addresses are accepted as logins.
$t_username_label = config_get_global( 'email_login_enabled' )
	? lang_get( 'username_or_email' )
	: lang_get( 'username' );

# Self sign-up needs a non-LDAP login method and a working e-mail path.
$t_show_signup = auth_signup_enabled()
	&& LDAP != config_get_global( 'login_method' )
	&& ON == config_get( 'enable_email_notification' );

$t_show_anonymous_login = auth_anonymous_enabled();

# A visitor who already holds a real (non-anonymous) session is sent on.
if( auth_is_user_authenticated() && !current_user_is_anonymous() ) {
	if( is_blank( $f_return ) ) {
		print_header_redirect( config_get_global( 'default_home_page' ) );
	} else {
		# NOTE(review): the extra arguments look like die/sanitize/absolute flags;
		# if the second one suppresses the exit, the rest of this page is still
		# rendered into the redirect response - confirm against print_api.php.
		print_header_redirect( $f_return, false, false, true );
	}
}

# Automatic logon methods (handled entirely by login.php) bypass this form.
if( auth_automatic_logon_bypass_form() ) {
	$t_uri = auth_anonymous_enabled() ? 'login_anon.php' : 'login.php';

	if( !is_blank( $f_return ) ) {
		$t_uri .= '?return=' . string_url( $f_return );
	}

	print_header_redirect( $t_uri );
	exit;
}

# Keep the login form out of search engine indexes.
html_robots_noindex();

layout_login_page_begin();
113?>
114
115<div class="col-md-offset-3 col-md-6 col-sm-10 col-sm-offset-1">
116	<div class="login-container">
117		<div class="space-12 hidden-480"></div>
118		<?php layout_login_page_logo() ?>
119		<div class="space-24 hidden-480"></div>
120<?php
# Report failed-login / cookie problems above the form. Both texts come from
# the language file, not from the request, so they are emitted verbatim.
$t_error_messages = array();

if( $f_error ) {
	$t_error_messages[] = lang_get( 'login_error' );
}

if( $f_cookie_error ) {
	$t_error_messages[] = lang_get( 'login_cookies_disabled' );
}

if( count( $t_error_messages ) > 0 ) {
	echo '<div class="alert alert-danger">';
	foreach( $t_error_messages as $t_message ) {
		echo '<p>' . $t_message . '</p>';
	}
	echo '</div>';
}
135
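$t_warnings = array();
$t_upgrade_required = false;

# Administrative health checks. Everything appended to $t_warnings is printed
# on the login page, i.e. to unauthenticated visitors, so entries must be
# trusted text (language strings, config keys) and never request-derived data.
if( config_get_global( 'admin_checks' ) == ON ) {
	# The admin directory should be removed once installation is complete.
	# The '@' is presumably there to mask the open_basedir warning that
	# file_exists() can raise; it hides nothing else.
	$t_admin_dir = dirname( __FILE__ ) . '/admin';
	$t_admin_dir_is_accessible = @file_exists( $t_admin_dir . '/.' );
	if( $t_admin_dir_is_accessible ) {
		$t_warnings[] = lang_get( 'warning_admin_directory_present' );
	}

	# Warn while the stock administrator/root credentials still work. Note this
	# performs a password verification on every render of the login page.
	$t_admin_user_id = user_get_id_by_name( 'administrator' );
	if( $t_admin_user_id !== false ) {
		if( user_is_enabled( $t_admin_user_id ) && auth_does_password_match( $t_admin_user_id, 'root' ) ) {
			$t_warnings[] = lang_get( 'warning_default_administrator_account_present' );
		}
	}

	/**
	 * Build the warning shown when a debugging / developer setting is enabled.
	 *
	 * @param string $p_type    Hazard type; selects the 'warning_<type>_hazard' language string.
	 * @param string $p_setting Name of the configuration option.
	 * @param string $p_value   Value the option should be changed to.
	 * @return string
	 */
	function debug_setting_message( $p_type, $p_setting, $p_value ) {
		# Only 'warning_change_setting' is a format string. The separator and the
		# hazard text are plain translations: passing them through sprintf() with
		# no arguments throws ArgumentCountError on PHP 8 as soon as a translation
		# contains a '%'. The "{$var}" form replaces "${var}", deprecated in 8.2.
		return sprintf( lang_get( 'warning_change_setting' ), $p_setting, $p_value )
			. lang_get( 'word_separator' )
			. lang_get( "warning_{$p_type}_hazard" );
	}

	$t_config = 'show_detailed_errors';
	if( config_get_global( $t_config ) != OFF ) {
		$t_warnings[] = debug_setting_message( 'security', $t_config, 'OFF' );
	}

	# A schema version of 0 means the database was never initialised.
	$t_db_version = config_get( 'database_version', 0, ALL_USERS, ALL_PROJECTS );
	if( $t_db_version == 0 ) {
		$t_warnings[] = lang_get( 'error_database_no_schema_version' );
	}

	# Compare the stored schema version with the one the installer expects;
	# only possible while admin/schema.php is still present.
	if( $t_admin_dir_is_accessible ) {
		require_once( 'admin/schema.php' );
		$t_upgrades_reqd = count( $g_upgrade ) - 1;

		if( 0 < $t_db_version && $t_db_version != $t_upgrades_reqd ) {
			if( $t_db_version < $t_upgrades_reqd ) {
				# Database lags the code: the login form will offer the installer.
				$t_warnings[] = lang_get( 'error_database_version_out_of_date_2' );
				$t_upgrade_required = true;
			} else {
				# Database is newer than the code that is running.
				$t_warnings[] = lang_get( 'error_code_version_out_of_date' );
			}
		}
	}
}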
199?>
200
201<div class="position-relative">
202	<div class="signup-box visible widget-box no-border" id="login-box">
203		<div class="widget-body">
204			<div class="widget-main">
205				<h4 class="header lighter bigger">
206					<?php print_icon( 'fa-sign-in', 'ace-icon' ); ?>
207					<?php echo $t_form_title ?>
208				</h4>
209				<div class="space-10"></div>
210	<form id="login-form" method="post" action="<?php echo AUTH_PAGE_CREDENTIAL ?>">
211		<fieldset>
212
213			<?php
214			if( !is_blank( $f_return ) ) {
215				echo '<input type="hidden" name="return" value="', string_html_specialchars( $f_return ), '" />';
216			}
217
218			if( $t_upgrade_required ) {
219				echo '<input type="hidden" name="install" value="true" />';
220			}
221
222			# CSRF protection not required here - form does not result in modifications
223			?>
224
225			<label for="username" class="block clearfix">
226				<span class="block input-icon input-icon-right">
227					<input id="username" name="username" type="text" placeholder="<?php echo $t_username_label ?>"
228						   size="32" maxlength="<?php echo DB_FIELD_SIZE_USERNAME;?>" value="<?php echo string_attribute( $t_username ); ?>"
229						   class="form-control autofocus">
230					<?php print_icon( 'fa-user', 'ace-icon' ); ?>
231				</span>
232			</label>
233
234			<div class="space-10"></div>
235
236			<input type="submit" class="width-40 pull-right btn btn-success btn-inverse bigger-110" value="<?php echo lang_get( 'login' ) ?>" />
237		</fieldset>
238	</form>
239
240<?php
#
# Display the results of the checks above, which warn administrators of possible security holes.
#
244
# Surface the administrator health-check results gathered above. Entries are
# trusted language/config text and are written into the page unescaped, so
# nothing request-derived may ever be appended to $t_warnings.
if( !empty( $t_warnings ) ) {
	echo '<div class="space-10"></div>',
		'<div class="alert alert-warning">',
		'<p>', implode( '</p><p>', $t_warnings ), '</p>',
		'</div>';
}
253?>
254</div>
255
256<?php
# Secondary actions under the form: anonymous access and/or account sign-up.
$t_toolbar_links = array();

if( $t_show_anonymous_login ) {
	# $f_return was sanitised above; string_url() is expected to URL-encode it
	# before it lands in the href attribute.
	$t_toolbar_links[] = '<a class="back-to-login-link pull-right" href="login_anon.php?return=' . string_url( $f_return ) . '">' . lang_get( 'login_anonymously' ) . '</a>';
}

if( $t_show_signup ) {
	$t_toolbar_links[] = '<a class="back-to-login-link pull-left" href="signup_page.php">' . lang_get( 'signup_link' ) . '</a>';
}

if( count( $t_toolbar_links ) > 0 ) {
	echo '<div class="toolbar center">',
		implode( '', $t_toolbar_links ),
		'<div class="clearfix"></div>',
		'</div>';
}
271?>
272
273		</div>
274</div>
275</div>
276</div>
277</div>
278
279<?php
280layout_login_page_end();
281