Debug v18 - audit event not completely saved. Fix warnings

This commit is contained in:
Laurent Destailleur 2023-08-14 21:43:24 +02:00
parent 8d90abdc42
commit 4445d9b489
3 changed files with 244 additions and 232 deletions


@ -90,6 +90,12 @@ class Events // extends CommonObject
*/
public $prefix_session;
/**
* @var string Authentication method used for USER_LOGIN with success
*/
public $authentication_method;
// List of all Audit/Security events supported by triggers
public $eventstolog = array(
array('id'=>'USER_LOGIN', 'test'=>1),
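Review bot: The new `$authentication_method` property is declared without a default, so an Events object that is not populated by the trigger (or is loaded from a row that predates the column) carries null where the InterfaceLogevents hunk stores `''`; `public $authentication_method = '';` keeps the two consistent and avoids a null reaching the INSERT. The commit title says the audit event was not completely saved, but the hunks shown here do not include the Events::create()/fetch() change that would write and read the new column, so presumably it lives in a part of the diff not visible on this page — worth confirming the INSERT actually carries it. The Events class body continues outside the hunk.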


@ -77,6 +77,9 @@ class InterfaceLogevents extends DolibarrTriggers
$date = dol_now();
$text = '';
$desc = '';
// Actions
if ($action == 'USER_LOGIN') {
dol_syslog("Trigger '".$this->name."' for action '$action' launched by ".__FILE__.". id=".$object->id);
@ -170,8 +173,8 @@ class InterfaceLogevents extends DolibarrTriggers
*/
// Add more information into desc from the context property
if (!empty($desc) && !empty($object->context['audit'])) {
$desc .= ' - '.$object->context['audit'];
if (!empty($object->context['audit'])) {
$desc .= (empty($desc) ? '' : ' - ').$object->context['audit'];
}
// Add entry in event table
@ -183,6 +186,7 @@ class InterfaceLogevents extends DolibarrTriggers
$event->label = $text;
$event->description = $desc;
$event->user_agent = (empty($_SERVER["HTTP_USER_AGENT"]) ? '' : $_SERVER["HTTP_USER_AGENT"]);
$event->authentication_method = (empty($object->context['authentication_method']) ? '' : $object->context['authentication_method']);
$result = $event->create($user);
if ($result > 0) {
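Review bot: `$desc` now takes `$object->context['audit']` verbatim, and in the main.inc.php hunks that value embeds the submitted login name (`GETPOST("username", "alpha", 2)`) and `$user->error` on the USER_LOGIN_FAILED paths, so the stored audit description is attacker-influenced text; a comment above the new `if`, `// context['audit'] may carry user-supplied data (login name, error text): stored as-is, must be escaped on display`, would make that explicit for whoever renders the security-events list. The rewritten condition itself is sound: `!empty()` on a missing `context` key raises no notice, which is what the commit sets out to fix. `authentication_method` is only filled when the caller sets that context key, and the main.inc.php hunks do so solely on the successful USER_LOGIN path, so failed logins are saved with an empty method — consistent with the Events docblock, but the `''` fallback on that line deserves a short comment saying so. The enclosing trigger method starts before and ends after the hunk.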


@ -104,9 +104,9 @@ function testSqlAndScriptInject($val, $type)
// Decode 'n', ...
return realCharForNumericEntities($m); }, $val);
// We clean html comments because some hacks try to obfuscate evil strings by inserting HTML comments. Example: on<!-- -->error=alert(1)
$val = preg_replace('/<!--[^>]*-->/', '', $val);
$val = preg_replace('/[\r\n\t]/', '', $val);
// We clean html comments because some hacks try to obfuscate evil strings by inserting HTML comments. Example: on<!-- -->error=alert(1)
$val = preg_replace('/<!--[^>]*-->/', '', $val);
$val = preg_replace('/[\r\n\t]/', '', $val);
} while ($oldval != $val);
//print "type = ".$type." after decoding: ".$val."\n";
@ -321,18 +321,18 @@ if (!empty($php_session_save_handler) && $php_session_save_handler == 'db') {
require_once 'core/lib/phpsessionin'.$php_session_save_handler.'.lib.php';
}
// Init session. Name of session is specific to Dolibarr instance.
// Must be done after the include of filefunc.inc.php so global variables of conf file are defined (like $dolibarr_main_instance_unique_id or $dolibarr_main_force_https).
// Note: the function dol_getprefix() is defined into functions.lib.php but may have been defined to return a different key to manage another area to protect.
$prefix = dol_getprefix('');
$sessionname = 'DOLSESSID_'.$prefix;
$sessiontimeout = 'DOLSESSTIMEOUT_'.$prefix;
// Init session. Name of session is specific to Dolibarr instance.
// Must be done after the include of filefunc.inc.php so global variables of conf file are defined (like $dolibarr_main_instance_unique_id or $dolibarr_main_force_https).
// Note: the function dol_getprefix() is defined into functions.lib.php but may have been defined to return a different key to manage another area to protect.
$prefix = dol_getprefix('');
$sessionname = 'DOLSESSID_'.$prefix;
$sessiontimeout = 'DOLSESSTIMEOUT_'.$prefix;
if (!empty($_COOKIE[$sessiontimeout])) {
ini_set('session.gc_maxlifetime', $_COOKIE[$sessiontimeout]);
}
// This create lock, released by session_write_close() or end of page.
// We need this lock as long as we read/write $_SESSION ['vars']. We can remove lock when finished.
// This create lock, released by session_write_close() or end of page.
// We need this lock as long as we read/write $_SESSION ['vars']. We can remove lock when finished.
if (!defined('NOSESSION')) {
if (PHP_VERSION_ID < 70300) {
session_set_cookie_params(0, '/', null, ((empty($dolibarr_main_force_https) && isHTTPS() === false) ? false : true), true); // Add tag secure and httponly on session cookie (same as setting session.cookie_httponly into php.ini). Must be called before the session_start.
@ -354,10 +354,10 @@ if (!defined('NOSESSION')) {
}
// Init the 6 global objects, this include will make the 'new Xxx()' and set properties for: $conf, $db, $langs, $user, $mysoc, $hookmanager
require_once 'master.inc.php';
// Init the 6 global objects, this include will make the 'new Xxx()' and set properties for: $conf, $db, $langs, $user, $mysoc, $hookmanager
require_once 'master.inc.php';
// If software has been locked. Only login $conf->global->MAIN_ONLY_LOGIN_ALLOWED is allowed.
// If software has been locked. Only login $conf->global->MAIN_ONLY_LOGIN_ALLOWED is allowed.
if (!empty($conf->global->MAIN_ONLY_LOGIN_ALLOWED)) {
$ok = 0;
if ((!session_id() || !isset($_SESSION["dol_login"])) && !isset($_POST["username"]) && !empty($_SERVER["GATEWAY_INTERFACE"])) {
@ -387,10 +387,10 @@ if (!empty($conf->global->MAIN_ONLY_LOGIN_ALLOWED)) {
}
// Activate end of page function
register_shutdown_function('dol_shutdown');
// Activate end of page function
register_shutdown_function('dol_shutdown');
// Load debugbar
// Load debugbar
if (isModEnabled('debugbar') && !GETPOST('dol_use_jmobile') && empty($_SESSION['dol_use_jmobile'])) {
global $debugbar;
include_once DOL_DOCUMENT_ROOT.'/debugbar/class/DebugBar.php';
@ -404,7 +404,7 @@ if (isModEnabled('debugbar') && !GETPOST('dol_use_jmobile') && empty($_SESSION['
$debugbar['time']->startMeasure('pageaftermaster', 'Page generation (after environment init)');
}
// Detection browser
// Detection browser
if (isset($_SERVER["HTTP_USER_AGENT"])) {
$tmp = getBrowserInfo($_SERVER["HTTP_USER_AGENT"]);
$conf->browser->name = $tmp['browsername'];
@ -419,20 +419,20 @@ if (isset($_SERVER["HTTP_USER_AGENT"])) {
}
}
// If theme is forced
// If theme is forced
if (GETPOST('theme', 'aZ09')) {
$conf->theme = GETPOST('theme', 'aZ09');
$conf->css = "/theme/".$conf->theme."/style.css.php";
}
// Set global MAIN_OPTIMIZEFORTEXTBROWSER (must be before login part)
// Set global MAIN_OPTIMIZEFORTEXTBROWSER (must be before login part)
if (GETPOST('textbrowser', 'int') || (!empty($conf->browser->name) && $conf->browser->name == 'lynxlinks')) { // If we must enable text browser
$conf->global->MAIN_OPTIMIZEFORTEXTBROWSER = 1;
}
// Force HTTPS if required ($conf->file->main_force_https is 0/1 or 'https dolibarr root url')
// $_SERVER["HTTPS"] is 'on' when link is https, otherwise $_SERVER["HTTPS"] is empty or 'off'
if (!empty($conf->file->main_force_https) && (empty($_SERVER["HTTPS"]) || $_SERVER["HTTPS"] != 'on')) {
// Force HTTPS if required ($conf->file->main_force_https is 0/1 or 'https dolibarr root url')
// $_SERVER["HTTPS"] is 'on' when link is https, otherwise $_SERVER["HTTPS"] is empty or 'off'
if (!empty($conf->file->main_force_https) && (empty($_SERVER["HTTPS"]) || $_SERVER["HTTPS"] != 'on') && !defined('NOHTTPSREDIRECT')) {
$newurl = '';
if (is_numeric($conf->file->main_force_https)) {
if ($conf->file->main_force_https == '1' && !empty($_SERVER["SCRIPT_URI"])) { // If SCRIPT_URI supported by server
@ -474,7 +474,7 @@ if (!defined('NOLOGIN') && !defined('NOIPCHECK') && !empty($dolibarr_main_restri
}
}
// Loading of additional presentation includes
// Loading of additional presentation includes
if (!defined('NOREQUIREHTML')) {
require_once DOL_DOCUMENT_ROOT.'/core/class/html.form.class.php'; // Need 660ko memory (800ko in 2.2)
}
@ -482,20 +482,20 @@ if (!defined('NOREQUIREAJAX')) {
require_once DOL_DOCUMENT_ROOT.'/core/lib/ajax.lib.php'; // Need 22ko memory
}
// If install or upgrade process not done or not completely finished, we call the install page.
// If install or upgrade process not done or not completely finished, we call the install page.
if (!empty($conf->global->MAIN_NOT_INSTALLED) || !empty($conf->global->MAIN_NOT_UPGRADED)) {
dol_syslog("main.inc: A previous install or upgrade was not complete. Redirect to install page.", LOG_WARNING);
header("Location: ".DOL_URL_ROOT."/install/index.php");
exit;
}
// If an upgrade process is required, we call the install page.
// If an upgrade process is required, we call the install page.
if ((!empty($conf->global->MAIN_VERSION_LAST_UPGRADE) && ($conf->global->MAIN_VERSION_LAST_UPGRADE != DOL_VERSION))
|| (empty($conf->global->MAIN_VERSION_LAST_UPGRADE) && !empty($conf->global->MAIN_VERSION_LAST_INSTALL) && ($conf->global->MAIN_VERSION_LAST_INSTALL != DOL_VERSION))) {
$versiontocompare = empty($conf->global->MAIN_VERSION_LAST_UPGRADE) ? $conf->global->MAIN_VERSION_LAST_INSTALL : $conf->global->MAIN_VERSION_LAST_UPGRADE;
require_once DOL_DOCUMENT_ROOT.'/core/lib/admin.lib.php';
$dolibarrversionlastupgrade = preg_split('/[.-]/', $versiontocompare);
$dolibarrversionprogram = preg_split('/[.-]/', DOL_VERSION);
$rescomp = versioncompare($dolibarrversionprogram, $dolibarrversionlastupgrade);
|| (empty($conf->global->MAIN_VERSION_LAST_UPGRADE) && !empty($conf->global->MAIN_VERSION_LAST_INSTALL) && ($conf->global->MAIN_VERSION_LAST_INSTALL != DOL_VERSION))) {
$versiontocompare = empty($conf->global->MAIN_VERSION_LAST_UPGRADE) ? $conf->global->MAIN_VERSION_LAST_INSTALL : $conf->global->MAIN_VERSION_LAST_UPGRADE;
require_once DOL_DOCUMENT_ROOT.'/core/lib/admin.lib.php';
$dolibarrversionlastupgrade = preg_split('/[.-]/', $versiontocompare);
$dolibarrversionprogram = preg_split('/[.-]/', DOL_VERSION);
$rescomp = versioncompare($dolibarrversionprogram, $dolibarrversionlastupgrade);
if ($rescomp > 0) { // Programs have a version higher than database.
if (empty($conf->global->MAIN_NO_UPGRADE_REDIRECT_ON_LEVEL_3_CHANGE) || $rescomp < 3) {
// We did not add "&& $rescomp < 3" because we want upgrade process for build upgrades
@ -506,7 +506,7 @@ if ((!empty($conf->global->MAIN_VERSION_LAST_UPGRADE) && ($conf->global->MAIN_VE
}
}
// Creation of a token against CSRF vulnerabilities
// Creation of a token against CSRF vulnerabilities
if (!defined('NOTOKENRENEWAL') && !defined('NOSESSION')) {
// No token renewal on .css.php, .js.php and .json.php (even if the NOTOKENRENEWAL was not provided)
if (!preg_match('/\.(css|js|json)\.php$/', $_SERVER["PHP_SELF"])) {
@ -526,9 +526,9 @@ if (!defined('NOTOKENRENEWAL') && !defined('NOSESSION')) {
}
}
//dol_syslog("aaaa - ".defined('NOCSRFCHECK')." - ".$dolibarr_nocsrfcheck." - ".$conf->global->MAIN_SECURITY_CSRF_WITH_TOKEN." - ".$_SERVER['REQUEST_METHOD']." - ".GETPOST('token', 'alpha'));
//dol_syslog("aaaa - ".defined('NOCSRFCHECK')." - ".$dolibarr_nocsrfcheck." - ".$conf->global->MAIN_SECURITY_CSRF_WITH_TOKEN." - ".$_SERVER['REQUEST_METHOD']." - ".GETPOST('token', 'alpha'));
// Check validity of token, only if option MAIN_SECURITY_CSRF_WITH_TOKEN enabled or if constant CSRFCHECK_WITH_TOKEN is set into page
// Check validity of token, only if option MAIN_SECURITY_CSRF_WITH_TOKEN enabled or if constant CSRFCHECK_WITH_TOKEN is set into page
if ((!defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck) && getDolGlobalInt('MAIN_SECURITY_CSRF_WITH_TOKEN')) || defined('CSRFCHECK_WITH_TOKEN')) {
// Array of action code where CSRFCHECK with token will be forced (so token must be provided on url request)
$sensitiveget = false;
@ -538,7 +538,7 @@ if ((!defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck) && getDolGlobalInt(
$sensitiveget = true;
}
} elseif (getDolGlobalInt('MAIN_SECURITY_CSRF_WITH_TOKEN') >= 2) {
// Few GET actions coded with a &token into url are processed as sensitive.
// Few GET actions coded with a &token into url are also processed as sensitive.
$arrayofactiontoforcetokencheck = array(
'activate',
'doprev', 'donext', 'dvprev', 'dvnext',
@ -561,10 +561,10 @@ if ((!defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck) && getDolGlobalInt(
$sensitiveget ||
GETPOSTISSET('massaction') ||
((GETPOSTISSET('actionlogin') || GETPOSTISSET('action')) && defined('CSRFCHECK_WITH_TOKEN'))
) {
// If token is not provided or empty, error (we are in case it is mandatory)
) {
// If token is not provided or empty, error (we are in case it is mandatory)
if (!GETPOST('token', 'alpha') || GETPOST('token', 'alpha') == 'notrequired') {
top_httphead();
top_httphead();
if (GETPOST('uploadform', 'int')) {
dol_syslog("--- Access to ".(empty($_SERVER["REQUEST_METHOD"]) ? '' : $_SERVER["REQUEST_METHOD"].' ').$_SERVER["PHP_SELF"]." refused. File size too large or not provided.");
$langs->loadLangs(array("errors", "install"));
@ -585,41 +585,41 @@ if ((!defined('NOCSRFCHECK') && empty($dolibarr_nocsrfcheck) && getDolGlobalInt(
print " into setup).\n";
}
}
die;
die;
}
}
$sessiontokenforthisurl = (empty($_SESSION['token']) ? '' : $_SESSION['token']);
// TODO Get the sessiontokenforthisurl into an array of session token (one array per base URL so we can use the CSRF per page and we keep ability for several tabs per url in a browser)
$sessiontokenforthisurl = (empty($_SESSION['token']) ? '' : $_SESSION['token']);
// TODO Get the sessiontokenforthisurl into an array of session token (one array per base URL so we can use the CSRF per page and we keep ability for several tabs per url in a browser)
if (GETPOSTISSET('token') && GETPOST('token') != 'notrequired' && GETPOST('token', 'alpha') != $sessiontokenforthisurl) {
dol_syslog("--- Access to ".(empty($_SERVER["REQUEST_METHOD"]) ? '' : $_SERVER["REQUEST_METHOD"].' ').$_SERVER["PHP_SELF"]." refused by CSRF protection (invalid token), so we disable POST and some GET parameters - referer=".(empty($_SERVER['HTTP_REFERER'])?'':$_SERVER['HTTP_REFERER']).", action=".GETPOST('action', 'aZ09').", _GET|POST['token']=".GETPOST('token', 'alpha'), LOG_WARNING);
//dol_syslog("_SESSION['token']=".$sessiontokenforthisurl, LOG_DEBUG);
// Do not output anything on standard output because this create problems when using the BACK button on browsers. So we just set a message into session.
dol_syslog("--- Access to ".(empty($_SERVER["REQUEST_METHOD"]) ? '' : $_SERVER["REQUEST_METHOD"].' ').$_SERVER["PHP_SELF"]." refused by CSRF protection (invalid token), so we disable POST and some GET parameters - referer=".(empty($_SERVER['HTTP_REFERER'])?'':$_SERVER['HTTP_REFERER']).", action=".GETPOST('action', 'aZ09').", _GET|POST['token']=".GETPOST('token', 'alpha'), LOG_WARNING);
//dol_syslog("_SESSION['token']=".$sessiontokenforthisurl, LOG_DEBUG);
// Do not output anything on standard output because this create problems when using the BACK button on browsers. So we just set a message into session.
if (!defined('NOTOKENRENEWAL')) {
// If the page is not a page that disable the token renewal, we report a warning message to explain token has epired.
setEventMessages('SecurityTokenHasExpiredSoActionHasBeenCanceledPleaseRetry', null, 'warnings', '', 1);
}
$savid = null;
$savid = null;
if (isset($_POST['id'])) {
$savid = ((int) $_POST['id']);
}
unset($_POST);
unset($_GET['confirm']);
unset($_GET['action']);
unset($_GET['confirmmassaction']);
unset($_GET['massaction']);
unset($_GET['token']); // TODO Make a redirect if we have a token in url to remove it ?
unset($_POST);
unset($_GET['confirm']);
unset($_GET['action']);
unset($_GET['confirmmassaction']);
unset($_GET['massaction']);
unset($_GET['token']); // TODO Make a redirect if we have a token in url to remove it ?
if (isset($savid)) {
$_POST['id'] = ((int) $savid);
}
// So rest of code can know something was wrong here
$_GET['errorcode'] = 'InvalidToken';
// So rest of code can know something was wrong here
$_GET['errorcode'] = 'InvalidToken';
}
// Note: There is another CSRF protection into the filefunc.inc.php
// Note: There is another CSRF protection into the filefunc.inc.php
}
// Disable modules (this must be after session_start and after conf has been loaded)
// Disable modules (this must be after session_start and after conf has been loaded)
if (GETPOSTISSET('disablemodules')) {
$_SESSION["disablemodules"] = GETPOST('disablemodules', 'alpha');
}
@ -644,8 +644,8 @@ if (!empty($_SESSION["disablemodules"])) {
}
}
// Set current modulepart
$modulepart = explode("/", $_SERVER["PHP_SELF"]);
// Set current modulepart
$modulepart = explode("/", $_SERVER["PHP_SELF"]);
if (is_array($modulepart) && count($modulepart) > 0) {
foreach ($conf->modules as $module) {
if (in_array($module, $modulepart)) {
@ -659,10 +659,10 @@ if (is_array($modulepart)) {
}
/*
* Phase authentication / login
*/
$login = '';
/*
* Phase authentication / login
*/
$login = '';
if (!defined('NOLOGIN')) {
// $authmode lists the different method of identification to be tested in order of preference.
// Example: 'http', 'dolibarr', 'ldap', 'http,forceuser', '...'
@ -751,7 +751,7 @@ if (!defined('NOLOGIN')) {
$test = false;
// Call trigger for the "security events" log
$user->trigger_mesg = 'ErrorBadValueForCode - login='.GETPOST("username", "alpha", 2);
$user->context['audit'] = 'ErrorBadValueForCode - login='.GETPOST("username", "alpha", 2);
// Call trigger
$result = $user->call_trigger('USER_LOGIN_FAILED', $user);
@ -860,7 +860,7 @@ if (!defined('NOLOGIN')) {
}
// Call trigger for the "security events" log
$user->trigger_mesg = $langs->trans("ErrorBadLoginPassword").' - login='.GETPOST("username", "alpha", 2);
$user->context['audit'] = $langs->trans("ErrorBadLoginPassword").' - login='.GETPOST("username", "alpha", 2);
// Call trigger
$result = $user->call_trigger('USER_LOGIN_FAILED', $user);
@ -915,18 +915,18 @@ if (!defined('NOLOGIN')) {
$_SESSION["dol_loginmesg"] = $langs->transnoentitiesnoconv("ErrorCantLoadUserFromDolibarrDatabase", $login);
$user->trigger_mesg = 'ErrorCantLoadUserFromDolibarrDatabase - login='.$login;
$user->context['audit'] = 'ErrorCantLoadUserFromDolibarrDatabase - login='.$login;
} elseif ($resultFetchUser < 0) {
$_SESSION["dol_loginmesg"] = $user->error;
$user->trigger_mesg = $user->error;
$user->context['audit'] = $user->error;
} else {
// Load translation files required by the page
$langs->loadLangs(array('main', 'errors'));
$_SESSION["dol_loginmesg"] = $langs->transnoentitiesnoconv("ErrorLoginDateValidity");
$user->trigger_mesg = $langs->trans("ErrorLoginDateValidity").' - login='.$login;
$user->context['audit'] = $langs->trans("ErrorLoginDateValidity").' - login='.$login;
}
// Call trigger
@ -979,11 +979,11 @@ if (!defined('NOLOGIN')) {
|| ($user->status != $user::STATUS_ENABLED)
|| ($user->isNotIntoValidityDateRange())) {
if ($resultFetchUser <= 0) {
// Account has been removed after login
dol_syslog("Can't load user even if session logged. _SESSION['dol_login']=".$login, LOG_WARNING);
// Account has been removed after login
dol_syslog("Can't load user even if session logged. _SESSION['dol_login']=".$login, LOG_WARNING);
} elseif ($user->flagdelsessionsbefore && !empty($_SESSION["dol_logindate"]) && $user->flagdelsessionsbefore > $_SESSION["dol_logindate"]) {
// Session is no more valid
dol_syslog("The user has a date for session invalidation = ".$user->flagdelsessionsbefore." and a session date = ".$_SESSION["dol_logindate"].". We must invalidate its sessions.");
// Session is no more valid
dol_syslog("The user has a date for session invalidation = ".$user->flagdelsessionsbefore." and a session date = ".$_SESSION["dol_logindate"].". We must invalidate its sessions.");
} elseif ($user->status != $user::STATUS_ENABLED) {
// User is not enabled
dol_syslog("The user login is disabled");
@ -991,46 +991,46 @@ if (!defined('NOLOGIN')) {
// User validity dates are no more valid
dol_syslog("The user login has a validity between [".$user->datestartvalidity." and ".$user->dateendvalidity."], curren date is ".dol_now());
}
session_destroy();
session_set_cookie_params(0, '/', null, (empty($dolibarr_main_force_https) ? false : true), true); // Add tag secure and httponly on session cookie
session_name($sessionname);
session_start();
session_destroy();
session_set_cookie_params(0, '/', null, (empty($dolibarr_main_force_https) ? false : true), true); // Add tag secure and httponly on session cookie
session_name($sessionname);
session_start();
if ($resultFetchUser == 0) {
$langs->loadLangs(array('main', 'errors'));
$_SESSION["dol_loginmesg"] = $langs->transnoentitiesnoconv("ErrorCantLoadUserFromDolibarrDatabase", $login);
$user->trigger_mesg = 'ErrorCantLoadUserFromDolibarrDatabase - login='.$login;
$user->context['audit'] = 'ErrorCantLoadUserFromDolibarrDatabase - login='.$login;
} elseif ($resultFetchUser < 0) {
$_SESSION["dol_loginmesg"] = $user->error;
$user->trigger_mesg = $user->error;
$user->context['audit'] = $user->error;
} else {
$langs->loadLangs(array('main', 'errors'));
$_SESSION["dol_loginmesg"] = $langs->transnoentitiesnoconv("ErrorSessionInvalidatedAfterPasswordChange");
$user->trigger_mesg = 'ErrorUserSessionWasInvalidated - login='.$login;
$user->context['audit'] = 'ErrorUserSessionWasInvalidated - login='.$login;
}
// Call trigger
$result = $user->call_trigger('USER_LOGIN_FAILED', $user);
// Call trigger
$result = $user->call_trigger('USER_LOGIN_FAILED', $user);
if ($result < 0) {
$error++;
}
// End call triggers
// End call triggers
// Hooks on failed login
$action = '';
$hookmanager->initHooks(array('login'));
$parameters = array('dol_authmode' => (isset($dol_authmode) ? $dol_authmode : ''), 'dol_loginmesg' => $_SESSION["dol_loginmesg"]);
$reshook = $hookmanager->executeHooks('afterLoginFailed', $parameters, $user, $action); // Note that $action and $object may have been modified by some hooks
// Hooks on failed login
$action = '';
$hookmanager->initHooks(array('login'));
$parameters = array('dol_authmode' => (isset($dol_authmode) ? $dol_authmode : ''), 'dol_loginmesg' => $_SESSION["dol_loginmesg"]);
$reshook = $hookmanager->executeHooks('afterLoginFailed', $parameters, $user, $action); // Note that $action and $object may have been modified by some hooks
if ($reshook < 0) {
$error++;
}
$paramsurl = array();
$paramsurl = array();
if (GETPOST('textbrowser', 'int')) {
$paramsurl[] = 'textbrowser='.GETPOST('textbrowser', 'int');
}
@ -1040,8 +1040,8 @@ if (!defined('NOLOGIN')) {
if (GETPOST('lang', 'aZ09')) {
$paramsurl[] = 'lang='.GETPOST('lang', 'aZ09');
}
header('Location: '.DOL_URL_ROOT.'/index.php'.(count($paramsurl) ? '?'.implode('&', $paramsurl) : ''));
exit;
header('Location: '.DOL_URL_ROOT.'/index.php'.(count($paramsurl) ? '?'.implode('&', $paramsurl) : ''));
exit;
} else {
// Initialize technical object to manage hooks of page. Note that conf->hooks_modules contains array of hook context
$hookmanager->initHooks(array('main'));
@ -1134,9 +1134,11 @@ if (!defined('NOLOGIN')) {
$user->update_last_login_date();
$loginfo = 'TZ='.$_SESSION["dol_tz"].';TZString='.$_SESSION["dol_tz_string"].';Screen='.$_SESSION["dol_screenwidth"].'x'.$_SESSION["dol_screenheight"];
$loginfo .= ' - authmode='.$dol_authmode.' - entity='.$conf->entity;
// Call triggers for the "security events" log
$user->trigger_mesg = $loginfo;
$user->context['audit'] = $loginfo;
$user->context['authentication_method'] = $dol_authmode;
// Call trigger
$result = $user->call_trigger('USER_LOGIN', $user);
@ -1232,13 +1234,13 @@ if (!defined('NOLOGIN')) {
}
// Case forcing style from url
// Case forcing style from url
if (GETPOST('theme', 'aZ09')) {
$conf->theme = GETPOST('theme', 'aZ09', 1);
$conf->css = "/theme/".$conf->theme."/style.css.php";
}
// Set javascript option
// Set javascript option
if (GETPOST('nojs', 'int')) { // If javascript was not disabled on URL
$conf->use_javascript_ajax = 0;
} else {
@ -1247,15 +1249,15 @@ if (GETPOST('nojs', 'int')) { // If javascript was not disabled on URL
}
}
// Set MAIN_OPTIMIZEFORTEXTBROWSER for user (must be after login part)
// Set MAIN_OPTIMIZEFORTEXTBROWSER for user (must be after login part)
if (empty($conf->global->MAIN_OPTIMIZEFORTEXTBROWSER) && !empty($user->conf->MAIN_OPTIMIZEFORTEXTBROWSER)) {
$conf->global->MAIN_OPTIMIZEFORTEXTBROWSER = $user->conf->MAIN_OPTIMIZEFORTEXTBROWSER;
}
// set MAIN_OPTIMIZEFORCOLORBLIND for user
$conf->global->MAIN_OPTIMIZEFORCOLORBLIND = empty($user->conf->MAIN_OPTIMIZEFORCOLORBLIND) ? '' : $user->conf->MAIN_OPTIMIZEFORCOLORBLIND;
// set MAIN_OPTIMIZEFORCOLORBLIND for user
$conf->global->MAIN_OPTIMIZEFORCOLORBLIND = empty($user->conf->MAIN_OPTIMIZEFORCOLORBLIND) ? '' : $user->conf->MAIN_OPTIMIZEFORCOLORBLIND;
// Set terminal output option according to conf->browser.
// Set terminal output option according to conf->browser.
if (GETPOST('dol_hide_leftmenu', 'int') || !empty($_SESSION['dol_hide_leftmenu'])) {
$conf->dol_hide_leftmenu = 1;
}
@ -1271,24 +1273,24 @@ if (GETPOST('dol_no_mouse_hover', 'int') || !empty($_SESSION['dol_no_mouse_hover
if (GETPOST('dol_use_jmobile', 'int') || !empty($_SESSION['dol_use_jmobile'])) {
$conf->dol_use_jmobile = 1;
}
// If not on Desktop
// If not on Desktop
if (!empty($conf->browser->layout) && $conf->browser->layout != 'classic') {
$conf->dol_no_mouse_hover = 1;
}
// If on smartphone or optmized for small screen
// If on smartphone or optmized for small screen
if ((!empty($conf->browser->layout) && $conf->browser->layout == 'phone')
|| (!empty($_SESSION['dol_screenwidth']) && $_SESSION['dol_screenwidth'] < 400)
|| (!empty($_SESSION['dol_screenheight']) && $_SESSION['dol_screenheight'] < 400
|| !empty($conf->global->MAIN_OPTIMIZEFORTEXTBROWSER))
) {
$conf->dol_optimize_smallscreen = 1;
|| (!empty($_SESSION['dol_screenwidth']) && $_SESSION['dol_screenwidth'] < 400)
|| (!empty($_SESSION['dol_screenheight']) && $_SESSION['dol_screenheight'] < 400
|| !empty($conf->global->MAIN_OPTIMIZEFORTEXTBROWSER))
) {
$conf->dol_optimize_smallscreen = 1;
if (isset($conf->global->PRODUIT_DESC_IN_FORM) && $conf->global->PRODUIT_DESC_IN_FORM == 1) {
$conf->global->PRODUIT_DESC_IN_FORM_ACCORDING_TO_DEVICE = 0;
$conf->global->PRODUIT_DESC_IN_FORM_ACCORDING_TO_DEVICE = 0;
}
}
// Replace themes bugged with jmobile with eldy
// Replace themes bugged with jmobile with eldy
if (!empty($conf->dol_use_jmobile) && in_array($conf->theme, array('bureau2crea', 'cameleo', 'amarok'))) {
$conf->theme = 'eldy';
$conf->css = "/theme/".$conf->theme."/style.css.php";
@ -1326,28 +1328,28 @@ if (!defined('NOLOGIN')) {
$user->getrights();
}
dol_syslog("--- Access to ".(empty($_SERVER["REQUEST_METHOD"]) ? '' : $_SERVER["REQUEST_METHOD"].' ').$_SERVER["PHP_SELF"].' - action='.GETPOST('action', 'aZ09').', massaction='.GETPOST('massaction', 'aZ09').(defined('NOTOKENRENEWAL') ? ' NOTOKENRENEWAL='.constant('NOTOKENRENEWAL') : ''), LOG_NOTICE);
//Another call for easy debugg
//dol_syslog("Access to ".$_SERVER["PHP_SELF"].' '.$_SERVER["HTTP_REFERER"].' GET='.join(',',array_keys($_GET)).'->'.join(',',$_GET).' POST:'.join(',',array_keys($_POST)).'->'.join(',',$_POST));
dol_syslog("--- Access to ".(empty($_SERVER["REQUEST_METHOD"]) ? '' : $_SERVER["REQUEST_METHOD"].' ').$_SERVER["PHP_SELF"].' - action='.GETPOST('action', 'aZ09').', massaction='.GETPOST('massaction', 'aZ09').(defined('NOTOKENRENEWAL') ? ' NOTOKENRENEWAL='.constant('NOTOKENRENEWAL') : ''), LOG_NOTICE);
//Another call for easy debugg
//dol_syslog("Access to ".$_SERVER["PHP_SELF"].' '.$_SERVER["HTTP_REFERER"].' GET='.join(',',array_keys($_GET)).'->'.join(',',$_GET).' POST:'.join(',',array_keys($_POST)).'->'.join(',',$_POST));
// Load main languages files
// Load main languages files
if (!defined('NOREQUIRETRAN')) {
// Load translation files required by page
$langs->loadLangs(array('main', 'dict'));
}
// Define some constants used for style of arrays
$bc = array(0=>'class="impair"', 1=>'class="pair"');
$bcdd = array(0=>'class="drag drop oddeven"', 1=>'class="drag drop oddeven"');
$bcnd = array(0=>'class="nodrag nodrop nohover"', 1=>'class="nodrag nodrop nohoverpair"'); // Used for tr to add new lines
$bctag = array(0=>'class="impair tagtr"', 1=>'class="pair tagtr"');
// Define some constants used for style of arrays
$bc = array(0=>'class="impair"', 1=>'class="pair"');
$bcdd = array(0=>'class="drag drop oddeven"', 1=>'class="drag drop oddeven"');
$bcnd = array(0=>'class="nodrag nodrop nohover"', 1=>'class="nodrag nodrop nohoverpair"'); // Used for tr to add new lines
$bctag = array(0=>'class="impair tagtr"', 1=>'class="pair tagtr"');
// Define messages variables
$mesg = ''; $warning = ''; $error = 0;
// deprecated, see setEventMessages() and dol_htmloutput_events()
$mesgs = array(); $warnings = array(); $errors = array();
// Define messages variables
$mesg = ''; $warning = ''; $error = 0;
// deprecated, see setEventMessages() and dol_htmloutput_events()
$mesgs = array(); $warnings = array(); $errors = array();
// Constants used to defined number of lines in textarea
// Constants used to defined number of lines in textarea
if (empty($conf->browser->firefox)) {
define('ROWS_1', 1);
define('ROWS_2', 2);
@ -1370,9 +1372,9 @@ if (empty($conf->browser->firefox)) {
define('ROWS_9', 8);
}
$heightforframes = 50;
$heightforframes = 50;
// Init menu manager
// Init menu manager
if (!defined('NOREQUIREMENU')) {
if (empty($user->socid)) { // If internal user or not defined
$conf->standard_menu = (empty($conf->global->MAIN_MENU_STANDARD_FORCED) ? (empty($conf->global->MAIN_MENU_STANDARD) ? 'eldy_menu.php' : $conf->global->MAIN_MENU_STANDARD) : $conf->global->MAIN_MENU_STANDARD_FORCED);
@ -1414,7 +1416,7 @@ if (!empty(GETPOST('seteventmessages', 'alpha'))) {
}
}
// Functions
// Functions
if (!function_exists("llxHeader")) {
/**
@ -1484,13 +1486,13 @@ if (!function_exists("llxHeader")) {
}
/**
* Show HTTP header. Called by top_htmlhead().
*
* @param string $contenttype Content type. For example, 'text/html'
* @param int $forcenocache Force disabling of cache for the page
* @return void
*/
/**
* Show HTTP header. Called by top_htmlhead().
*
* @param string $contenttype Content type. For example, 'text/html'
* @param int $forcenocache Force disabling of cache for the page
* @return void
*/
function top_httphead($contenttype = 'text/html', $forcenocache = 0)
{
global $db, $conf, $hookmanager;
@ -1607,21 +1609,21 @@ function top_httphead($contenttype = 'text/html', $forcenocache = 0)
//header("anti-csrf-token: ".newToken());
}
/**
* Ouput html header of a page. It calls also top_httphead()
* This code is also duplicated into security2.lib.php::dol_loginfunction
*
* @param string $head Optionnal head lines
* @param string $title HTML title
* @param int $disablejs Disable js output
* @param int $disablehead Disable head output
* @param array $arrayofjs Array of complementary js files
* @param array $arrayofcss Array of complementary css files
* @param int $disableforlogin Do not load heavy js and css for login pages
* @param int $disablenofollow Disable nofollow tag for meta robots
* @param int $disablenoindex Disable noindex tag for meta robots
* @return void
*/
/**
* Ouput html header of a page. It calls also top_httphead()
* This code is also duplicated into security2.lib.php::dol_loginfunction
*
* @param string $head Optionnal head lines
* @param string $title HTML title
* @param int $disablejs Disable js output
* @param int $disablehead Disable head output
* @param array $arrayofjs Array of complementary js files
* @param array $arrayofcss Array of complementary css files
* @param int $disableforlogin Do not load heavy js and css for login pages
* @param int $disablenofollow Disable nofollow tag for meta robots
* @param int $disablenoindex Disable noindex tag for meta robots
* @return void
*/
function top_htmlhead($head, $title = '', $disablejs = 0, $disablehead = 0, $arrayofjs = '', $arrayofcss = '', $disableforlogin = 0, $disablenofollow = 0, $disablenoindex = 0)
{
global $db, $conf, $langs, $user, $mysoc, $hookmanager;
@ -2017,22 +2019,22 @@ function top_htmlhead($head, $title = '', $disablejs = 0, $disablehead = 0, $arr
}
/**
* Show an HTML header + a BODY + The top menu bar
*
* @param string $head Lines in the HEAD
* @param string $title Title of web page
* @param string $target Target to use in menu links (Example: '' or '_top')
* @param int $disablejs Do not output links to js (Ex: qd fonction utilisee par sous formulaire Ajax)
* @param int $disablehead Do not output head section
* @param array $arrayofjs Array of js files to add in header
* @param array $arrayofcss Array of css files to add in header
* @param string $morequerystring Query string to add to the link "print" to get same parameters (use only if autodetect fails)
* @param string $helppagename Name of wiki page for help ('' by default).
* Syntax is: For a wiki page: EN:EnglishPage|FR:FrenchPage|ES:SpanishPage|DE:GermanPage
* For other external page: http://server/url
* @return void
*/
/**
* Show an HTML header + a BODY + The top menu bar
*
* @param string $head Lines in the HEAD
* @param string $title Title of web page
* @param string $target Target to use in menu links (Example: '' or '_top')
* @param int $disablejs Do not output links to js (Ex: qd fonction utilisee par sous formulaire Ajax)
* @param int $disablehead Do not output head section
* @param array $arrayofjs Array of js files to add in header
* @param array $arrayofcss Array of css files to add in header
* @param string $morequerystring Query string to add to the link "print" to get same parameters (use only if autodetect fails)
* @param string $helppagename Name of wiki page for help ('' by default).
* Syntax is: For a wiki page: EN:EnglishPage|FR:FrenchPage|ES:SpanishPage|DE:GermanPage
* For other external page: http://server/url
* @return void
*/
function top_menu($head, $title = '', $target = '', $disablejs = 0, $disablehead = 0, $arrayofjs = '', $arrayofcss = '', $morequerystring = '', $helppagename = '')
{
global $user, $conf, $langs, $db;
@ -2270,13 +2272,13 @@ function top_menu($head, $title = '', $target = '', $disablejs = 0, $disablehead
}
/**
* Build the tooltip on user login
*
* @param int $hideloginname Hide login name. Show only the image.
* @param string $urllogout URL for logout (Will use DOL_URL_ROOT.'/user/logout.php?token=...' if empty)
* @return string HTML content
*/
/**
* Build the tooltip on user login
*
* @param int $hideloginname Hide login name. Show only the image.
* @param string $urllogout URL for logout (Will use DOL_URL_ROOT.'/user/logout.php?token=...' if empty)
* @return string HTML content
*/
function top_menu_user($hideloginname = 0, $urllogout = '')
{
global $langs, $conf, $db, $hookmanager, $user, $mysoc;
@ -2554,11 +2556,11 @@ function top_menu_user($hideloginname = 0, $urllogout = '')
return $btnUser;
}
/**
* Build the tooltip on top menu quick add
*
* @return string HTML content
*/
/**
* Build the tooltip on top menu quick add
*
* @return string HTML content
*/
function top_menu_quickadd()
{
global $conf, $langs;
@ -2615,11 +2617,11 @@ function top_menu_quickadd()
return $html;
}
/**
* Generate list of quickadd items
*
* @return string HTML output
*/
/**
* Generate list of quickadd items
*
* @return string HTML output
*/
function printDropdownQuickadd()
{
global $conf, $user, $langs, $hookmanager;
@ -2794,11 +2796,11 @@ function printDropdownQuickadd()
return $dropDownQuickAddHtml;
}
/**
* Build the tooltip on top menu bookmark
*
* @return string HTML content
*/
/**
* Build the tooltip on top menu bookmark
*
* @return string HTML content
*/
function top_menu_bookmark()
{
global $langs, $conf, $db, $user;
@ -2877,11 +2879,11 @@ function top_menu_bookmark()
return $html;
}
/**
* Build the tooltip on top menu tsearch
*
* @return string HTML content
*/
/**
* Build the tooltip on top menu tsearch
*
* @return string HTML content
*/
function top_menu_search()
{
global $langs, $conf, $db, $user, $hookmanager;
@ -3040,20 +3042,20 @@ function top_menu_search()
return $html;
}
/**
* Show left menu bar
*
* @param array $menu_array_before Table of menu entries to show before entries of menu handler. This param is deprectaed and must be provided to ''.
* @param string $helppagename Name of wiki page for help ('' by default).
* Syntax is: For a wiki page: EN:EnglishPage|FR:FrenchPage|ES:SpanishPage|DE:GermanPage
* For other external page: http://server/url
* @param string $notused Deprecated. Used in past to add content into left menu. Hooks can be used now.
* @param array $menu_array_after Table of menu entries to show after entries of menu handler
* @param int $leftmenuwithoutmainarea Must be set to 1. 0 by default for backward compatibility with old modules.
* @param string $title Title of web page
* @param string $acceptdelayedhtml 1 if caller request to have html delayed content not returned but saved into global $delayedhtmlcontent (so caller can show it at end of page to avoid flash FOUC effect)
* @return void
*/
/**
* Show left menu bar
*
* @param array $menu_array_before Table of menu entries to show before entries of menu handler. This param is deprectaed and must be provided to ''.
* @param string $helppagename Name of wiki page for help ('' by default).
* Syntax is: For a wiki page: EN:EnglishPage|FR:FrenchPage|ES:SpanishPage|DE:GermanPage
* For other external page: http://server/url
* @param string $notused Deprecated. Used in past to add content into left menu. Hooks can be used now.
* @param array $menu_array_after Table of menu entries to show after entries of menu handler
* @param int $leftmenuwithoutmainarea Must be set to 1. 0 by default for backward compatibility with old modules.
* @param string $title Title of web page
* @param string $acceptdelayedhtml 1 if caller request to have html delayed content not returned but saved into global $delayedhtmlcontent (so caller can show it at end of page to avoid flash FOUC effect)
* @return void
*/
function left_menu($menu_array_before, $helppagename = '', $notused = '', $menu_array_after = '', $leftmenuwithoutmainarea = 0, $title = '', $acceptdelayedhtml = 0)
{
global $user, $conf, $langs, $db, $form;
@ -3298,12 +3300,12 @@ function left_menu($menu_array_before, $helppagename = '', $notused = '', $menu_
}
/**
* Begin main area
*
* @param string $title Title
* @return void
*/
/**
* Begin main area
*
* @param string $title Title
* @return void
*/
function main_area($title = '')
{
global $conf, $langs, $hookmanager;
@ -3359,13 +3361,13 @@ function main_area($title = '')
}
/**
* Return helpbaseurl, helppage and mode
*
* @param string $helppagename Page name ('EN:xxx,ES:eee,FR:fff,DE:ddd...' or 'http://localpage')
* @param Translate $langs Language
* @return array Array of help urls
*/
/**
* Return helpbaseurl, helppage and mode
*
* @param string $helppagename Page name ('EN:xxx,ES:eee,FR:fff,DE:ddd...' or 'http://localpage')
* @param Translate $langs Language
* @return array Array of help urls
*/
function getHelpParamFor($helppagename, $langs)
{
$helpbaseurl = '';
@ -3410,22 +3412,22 @@ function getHelpParamFor($helppagename, $langs)
}
/**
* Show a search area.
* Used when the javascript quick search is not used.
*
* @param string $urlaction Url post
* @param string $urlobject Url of the link under the search box
* @param string $title Title search area
* @param string $htmlmorecss Add more css
* @param string $htmlinputname Field Name input form
* @param string $accesskey Accesskey
* @param string $prefhtmlinputname Complement for id to avoid multiple same id in the page
* @param string $img Image to use
* @param string $showtitlebefore Show title before input text instead of into placeholder. This can be set when output is dedicated for text browsers.
* @param string $autofocus Set autofocus on field
* @return string
*/
/**
* Show a search area.
* Used when the javascript quick search is not used.
*
* @param string $urlaction Url post
* @param string $urlobject Url of the link under the search box
* @param string $title Title search area
* @param string $htmlmorecss Add more css
* @param string $htmlinputname Field Name input form
* @param string $accesskey Accesskey
* @param string $prefhtmlinputname Complement for id to avoid multiple same id in the page
* @param string $img Image to use
* @param string $showtitlebefore Show title before input text instead of into placeholder. This can be set when output is dedicated for text browsers.
* @param string $autofocus Set autofocus on field
* @return string
*/
function printSearchForm($urlaction, $urlobject, $title, $htmlmorecss, $htmlinputname, $accesskey = '', $prefhtmlinputname = '', $img = '', $showtitlebefore = 0, $autofocus = 0)
{
global $conf, $langs, $user;