1<?php 2# MantisBT - A PHP based bugtracking system 3 4# MantisBT is free software: you can redistribute it and/or modify 5# it under the terms of the GNU General Public License as published by 6# the Free Software Foundation, either version 2 of the License, or 7# (at your option) any later version. 8# 9# MantisBT is distributed in the hope that it will be useful, 10# but WITHOUT ANY WARRANTY; without even the implied warranty of 11# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 12# GNU General Public License for more details. 13# 14# You should have received a copy of the GNU General Public License 15# along with MantisBT. If not, see <http://www.gnu.org/licenses/>. 16 17/** 18 * Login page accepts username and posts results to login_password_page.php, 19 * which may take the users credential or redirect to a plugin specific page. 20 * 21 * This page also offers features like anonymous login and signup. 22 * 23 * @package MantisBT 24 * @copyright Copyright 2000 - 2002 Kenzaburo Ito - kenito@300baud.org 25 * @copyright Copyright 2002 MantisBT Team - mantisbt-dev@lists.sourceforge.net 26 * @link http://www.mantisbt.org 27 * 28 * @uses core.php 29 * @uses authentication_api.php 30 * @uses config_api.php 31 * @uses constant_inc.php 32 * @uses current_user_api.php 33 * @uses database_api.php 34 * @uses gpc_api.php 35 * @uses html_api.php 36 * @uses lang_api.php 37 * @uses print_api.php 38 * @uses string_api.php 39 * @uses user_api.php 40 * @uses utility_api.php 41 */ 42 43require_once( 'core.php' ); 44require_api( 'authentication_api.php' ); 45require_api( 'config_api.php' ); 46require_api( 'constant_inc.php' ); 47require_api( 'current_user_api.php' ); 48require_api( 'database_api.php' ); 49require_api( 'gpc_api.php' ); 50require_api( 'html_api.php' ); 51require_api( 'lang_api.php' ); 52require_api( 'print_api.php' ); 53require_api( 'string_api.php' ); 54require_api( 'user_api.php' ); 55require_api( 'utility_api.php' ); 56require_css( 'login.css' ); 57 
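# Request parameters.
$f_error = gpc_get_bool( 'error' );
$f_cookie_error = gpc_get_bool( 'cookie_error' );
# The return URL is reused below as a redirect target, as a hidden form
# field and in the anonymous-login link, so the sanitized value is the only
# one that may be used - never the raw 'return' parameter. string_sanitize_url()
# presumably restricts it to a local path; confirm against string_api.php.
$f_return = string_sanitize_url( gpc_get_string( 'return', '' ) );
$f_username = gpc_get_string( 'username', '' );
# NOTE(review): the two secure-session values below are read but not referenced
# anywhere else in this page and look like leftovers. They are kept rather than
# removed so the page's global state is unchanged - confirm before dropping them.
$f_secure_session = gpc_get_bool( 'secure_session', false );
$f_secure_session_cookie = gpc_get_cookie( config_get_global( 'cookie_prefix' ) . '_secure_session', null );

# Set username to blank if invalid to prevent possible XSS exploits
$t_username = auth_prepare_username( $f_username );

if( config_get_global( 'email_login_enabled' ) ) {
	$t_username_label = lang_get( 'username_or_email' );
} else {
	$t_username_label = lang_get( 'username' );
}

# Self-signup is only offered when it is enabled, the login method is not LDAP
# and e-mail notification is on (presumably because the signup flow relies on
# e-mail - not visible here).
$t_show_signup =
	( auth_signup_enabled() ) &&
	( LDAP != config_get_global( 'login_method' ) ) &&
	( ON == config_get( 'enable_email_notification' ) );

$t_show_anonymous_login = auth_anonymous_enabled();

$t_form_title = lang_get( 'login_title' );

# If user is already authenticated and not anonymous
if( auth_is_user_authenticated() && !current_user_is_anonymous() ) {
	# If return URL is specified redirect to it; otherwise use default page.
	# Stop after issuing the redirect, exactly as the automatic-logon branch
	# below does: print_header_redirect() is called here with its second
	# argument set to false (it appears to be a "die" flag - confirm), and
	# without an explicit exit the whole login form would still be rendered
	# after the Location header has been sent.
	if( !is_blank( $f_return ) ) {
		print_header_redirect( $f_return, false, false, true );
	} else {
		print_header_redirect( config_get_global( 'default_home_page' ) );
	}
	exit;
}

# Check for automatic logon methods where we want the logon to just be handled by login.php
if( auth_automatic_logon_bypass_form() ) {
	$t_uri = 'login.php';

	if( auth_anonymous_enabled() ) {
		$t_uri = 'login_anon.php';
	}

	if( !is_blank( $f_return ) ) {
		# URL-encode the (already sanitized) return URL as a query value.
		$t_uri .= '?return=' . string_url( $f_return );
	}

	print_header_redirect( $t_uri );
	exit;
}

# Login page shouldn't be indexed by search engines
html_robots_noindex();

layout_login_page_begin();
?>

<div class="col-md-offset-3 col-md-6 col-sm-10 col-sm-offset-1">
	<div class="login-container">
		<div class="space-12 hidden-480"></div>
		<?php layout_login_page_logo() ?>
		<div class="space-24 hidden-480"></div>
<?php
if( $f_error || $f_cookie_error ) {
	echo '<div class="alert alert-danger">';

	# Only echo error message if error variable is set
	if( $f_error ) {
		echo '<p>' . lang_get( 'login_error' ) . '</p>';
	}

	if( $f_cookie_error ) {
		echo '<p>' . lang_get( 'login_cookies_disabled' ) . '</p>';
	}

	echo '</div>';
}

# Administrative warnings collected below and rendered under the form.
$t_warnings = array();
$t_upgrade_required = false;

if( config_get_global( 'admin_checks' ) == ON ) {
	# Check if the admin directory is accessible.
	# The '@' is kept on purpose: a warning from file_exists() (e.g. under an
	# open_basedir restriction - presumably the original reason) must not
	# leak onto the login page.
	$t_admin_dir = dirname( __FILE__ ) . '/admin';
	$t_admin_dir_is_accessible = @file_exists( $t_admin_dir . '/.' );
	if( $t_admin_dir_is_accessible ) {
		$t_warnings[] = lang_get( 'warning_admin_directory_present' );
	}

	# Generate a warning if default user administrator/root is valid.
	$t_admin_user_id = user_get_id_by_name( 'administrator' );
	if( $t_admin_user_id !== false ) {
		if( user_is_enabled( $t_admin_user_id ) && auth_does_password_match( $t_admin_user_id, 'root' ) ) {
			$t_warnings[] = lang_get( 'warning_default_administrator_account_present' );
		}
	}

	/**
	 * Build the warning shown for an enabled debugging / developer setting.
	 *
	 * @param string $p_type    Hazard type; selects the 'warning_<type>_hazard' language string.
	 * @param string $p_setting Name of the configuration option to change.
	 * @param string $p_value   Value the option should be changed to.
	 * @return string
	 */
	function debug_setting_message ( $p_type, $p_setting, $p_value ) {
		# "{$var}" rather than "${var}": the latter interpolation form is
		# deprecated as of PHP 8.2.
		return sprintf( lang_get( 'warning_change_setting' ), $p_setting, $p_value )
			. sprintf( lang_get( 'word_separator' ) )
			. sprintf( lang_get( "warning_{$p_type}_hazard" ) );
	}

	$t_config = 'show_detailed_errors';
	if( config_get_global( $t_config ) != OFF ) {
		$t_warnings[] = debug_setting_message( 'security', $t_config, 'OFF' );
	}

	# since admin directory and db_upgrade lists are available check for missing db upgrades
	# if db version is 0, we do not have a valid database.
	$t_db_version = config_get( 'database_version', 0, ALL_USERS, ALL_PROJECTS );
	if( $t_db_version == 0 ) {
		$t_warnings[] = lang_get( 'error_database_no_schema_version' );
	}

	# Check for db upgrade for versions > 1.0.0 using new installer and schema
	if( $t_admin_dir_is_accessible ) {
		require_once( 'admin/schema.php' );
		$t_upgrades_reqd = count( $g_upgrade ) - 1;

		if( ( 0 < $t_db_version ) &&
			( $t_db_version != $t_upgrades_reqd ) ) {

			if( $t_db_version < $t_upgrades_reqd ) {
				$t_warnings[] = lang_get( 'error_database_version_out_of_date_2' );
				$t_upgrade_required = true;
			} else {
				$t_warnings[] = lang_get( 'error_code_version_out_of_date' );
			}
		}
	}
}
?>

<div class="position-relative">
	<div class="signup-box visible widget-box no-border" id="login-box">
		<div class="widget-body">
			<div class="widget-main">
				<h4 class="header lighter bigger">
					<?php print_icon( 'fa-sign-in', 'ace-icon' ); ?>
					<?php echo $t_form_title ?>
				</h4>
				<div class="space-10"></div>
				<form id="login-form" method="post" action="<?php echo AUTH_PAGE_CREDENTIAL ?>">
					<fieldset>

					<?php
					# The return URL is placed in an attribute, so it is escaped for
					# the HTML attribute context here (URL-encoding is used for links).
					if( !is_blank( $f_return ) ) {
						echo '<input type="hidden" name="return" value="', string_html_specialchars( $f_return ), '" />';
					}

					if( $t_upgrade_required ) {
						echo '<input type="hidden" name="install" value="true" />';
					}

					# CSRF protection not required here - form does not result in modifications
					# (it only carries the username on to the credential page).
					?>

					<label for="username" class="block clearfix">
						<span class="block input-icon input-icon-right">
							<input id="username" name="username" type="text" placeholder="<?php echo $t_username_label ?>"
								size="32" maxlength="<?php echo DB_FIELD_SIZE_USERNAME;?>" value="<?php echo string_attribute( $t_username ); ?>"
								class="form-control autofocus">
							<?php print_icon( 'fa-user', 'ace-icon' ); ?>
						</span>
					</label>

					<div class="space-10"></div>

					<input type="submit" class="width-40 pull-right btn btn-success btn-inverse bigger-110" value="<?php echo lang_get( 'login' ) ?>" />
					</fieldset>
				</form>

<?php
#
# Do some checks to warn administrators of possible security holes.
#
# NOTE: these warnings are rendered on the login page, i.e. to anyone who can
# reach it, authenticated or not, and so disclose deployment state (admin
# directory present, default administrator credentials still valid, detailed
# errors enabled, schema version mismatch). They are gated on 'admin_checks'
# above; keep that setting off on production installs once the underlying
# issues have been addressed.
#

if( count( $t_warnings ) > 0 ) {
	echo '<div class="space-10"></div>';
	echo '<div class="alert alert-warning">';
	foreach( $t_warnings AS $t_warning ) {
		echo '<p>' . $t_warning . '</p>';
	}
	echo '</div>';
}
?>
</div>

<?php
if( $t_show_anonymous_login || $t_show_signup ) {
	echo '<div class="toolbar center">';

	if( $t_show_anonymous_login ) {
		echo '<a class="back-to-login-link pull-right" href="login_anon.php?return=' . string_url( $f_return ) . '">' . lang_get( 'login_anonymously' ) . '</a>';
	}

	if( $t_show_signup ) {
		echo '<a class="back-to-login-link pull-left" href="signup_page.php">', lang_get( 'signup_link' ), '</a>';
	}

	echo '<div class="clearfix"></div>';
	echo '</div>';
}
?>

			</div>
		</div>
	</div>
</div>
</div>

<?php
layout_login_page_end();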