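'" . date("Y-m-d H:i:s",time() - 3600) . "' and location='".hpa_escape_string($_SERVER["REMOTE_ADDR"])."'". " and (description='password fail' or description='card fail' or description='user fail' or description='workstation fail')"); // " group by location");
// NOTE(review): the lines above and the block that follows are the tail of the
// username/password login function; its head is not in this listing, so the
// code is kept as found.  Two things a reader should know about it: the robot
// check compares $_SESSION["chk"] with $_REQUEST["chk"] loosely (!=), and the
// password check compares an unsalted md5() hash with == instead of a
// constant-time comparison — both predate password_hash()/hash_equals().
if ($ip_login_count > 5){
    if ($_SESSION["chk"] != $_REQUEST["chk"]){
        $_SESSION["auth"] = false;
        security_log($cname, "robot chk fail");
        return "robot fail";
    } else {
        security_log($cname, "robot fail");
        return "robot fail";
    }
}
$cname = hpa_escape_string($cname);
if ( $t = hpa_fields("sec_users", "*", "username='".$cname."' and state=1") ){
    if ($t["passwd"] == md5($ccode)){ // pass ok
        reload_userdata($t);
        if (!SITEMODE && canaccess("[webuser]", true)){ // lock out webusers from backend
            $_SESSION["auth"] = false;
            $_SESSION["userdata"] = false;
            security_log($cname, "off limits");
            return "off limits";
        }
        security_log($cname, "login success");
        return "ok";
    } else { // password not ok
        $_SESSION["auth"] = false;
        security_log($cname, "password fail");
        return "password fail";
    }
} else { // user not found
    $_SESSION["auth"] = false;
    security_log($cname, "user fail");
    return "user not found";
}
}
// ---------
/**
 * Log a user in with a card code + PIN pair (the "barcard" login mode).
 *
 * The card code is read from $_REQUEST["barcard"] and the PIN from
 * $_REQUEST["pin"]; the $barcard parameter is accepted for existing callers
 * but, as in the original, is not what is looked up.  Card login is only
 * honoured when the workstation cookie (DEXTOP_<SITENAME>_ID) maps to a
 * vir_access row whose loginmode is "barcard".
 *
 * Returns one of "ok", "loginmode error", "card fail", "user not found".
 * On "ok" the session is populated by reload_userdata(): the password hash is
 * blanked and the group cache is filled.  The original re-assigned the raw
 * sec_users row to $_SESSION["userdata"] after that call, which put the hash
 * back into the session and dropped the group cache; that assignment is gone.
 */
function authenticate_barcard($barcard){
    $cookieId  = isset($_COOKIE["DEXTOP_".SITENAME."_ID"]) ? $_COOKIE["DEXTOP_".SITENAME."_ID"] : "";
    $loginmode = hpa_field("vir_access", "loginmode", "idstring='".hpa_escape_string($cookieId)."'");
    if ($loginmode !== "barcard") return "loginmode error";

    $cardcode = isset($_REQUEST["barcard"]) ? $_REQUEST["barcard"] : "";
    // intval() drops leading zeros, so the PIN is matched as an integer (as before).
    $pin  = intval(isset($_REQUEST["pin"]) ? $_REQUEST["pin"] : 0);
    $card = hpa_fields("sec_users_card", "*", "cardcode='".hpa_escape_string($cardcode)."' and pin='".$pin."'");
    if (!$card){
        // The per-IP lockout in the password login counts 'card fail' rows in
        // sec_log, but nothing wrote them before; the card code itself is a
        // credential, so it is not recorded.
        security_log("", "card fail");
        return "card fail";
    }

    $userId = intval($card["users_id"]);
    $user   = hpa_fields("sec_users", "*", "id=".$userId." and state=1");
    if (!$user){
        $_SESSION["auth"] = false;
        security_log("", "user fail");
        return "user not found";
    }

    reload_userdata($user); // sets auth + userdata, blanks passwd, caches groups
    if (session_status() === PHP_SESSION_ACTIVE) session_regenerate_id(true); // fresh id on privilege change
    security_log($user["username"], "login success");
    return "ok";
}
// ---------
/**
 * Populate the session from a sec_users row and mark the session authenticated.
 *
 * @param array|false $dat  A sec_users row; false reloads the row of the user
 *                          currently held in $_SESSION["userdata"]["id"].
 * @return bool  false when $dat is false and that row cannot be reloaded,
 *               true otherwise (the original returned nothing on success).
 */
function reload_userdata($dat=false){
    if ($dat===false){
        $currentId = isset($_SESSION["userdata"]["id"]) ? intval($_SESSION["userdata"]["id"]) : 0;
        $sql = hpa_query("select * from sec_users where id='".$currentId."'");
        if (hpa_affected_rows($sql) <= 0) return false;
        $dat = hpa_fetch_array($sql);
    }
    $uid = intval($dat["id"]);
    $_SESSION["auth"] = true; // set login state
    $_SESSION["userdata"] = $dat;
    $_SESSION["userdata"]["passwd"] = ""; // never keep the hash in the session
    $_SESSION["userdata"]["groups"] = sec_cache_groups($uid, 1);
    // Optional per-site side tables (sec_users_<name>) listed in USEREXTRAS,
    // stored under their suffix.
    foreach (explode(",", USEREXTRAS) as $extra){
        $extra = trim($extra);
        if ($extra === "") continue;
        $sql = hpa_query("select * from sec_users_".$extra." where users_id='".$uid."'");
        if (hpa_affected_rows($sql) > 0){
            $row = hpa_fetch_array($sql);
            unset($row["users_id"]);
            $_SESSION["userdata"][$extra] = $row;
        }
    }
    return true;
}
// ---------
/**
 * Log the current user out: record it, wipe the session and start a fresh,
 * anonymous session under a new id.  Does nothing when not authenticated.
 */
function logout(){
    if (empty($_SESSION["auth"])) return;
    $uname = isset($_SESSION["userdata"]["username"]) ? $_SESSION["userdata"]["username"] : "";
    security_log($uname, "logout success");
    $_SESSION = array();
    session_unset();
    session_destroy();
    session_write_close();
    // Expire the cookie in the past; an expiry of 0 (as before) only turned it
    // into a browser-session cookie and left the old id usable until the
    // browser closed.
    setcookie(session_name(), '', time() - 3600, '/');
    // session_regenerate_id() needs an active session, so start first; the
    // original called it between destroy and start, where there was none.
    session_start();
    session_regenerate_id(true);
}
// ---------
/**
 * Decide whether the current session may use something guarded by $access.
 *
 * $access is a comma-separated list of entries:
 *   "!"                                         -> everything denied (dev switch)
 *   "!name" / "![group]"                        -> explicit denial, checked before any grant
 *   "nobody" / "senki"                          -> denied
 *   "anybody" / "bárki"                         -> granted
 *   "authenticated" / "bejelentkezettek"        -> granted if logged in
 *   "notauthenticated" / "nem bejelentkezettek" -> granted if not logged in
 *   "username"                                  -> granted to that user (when logged in)
 *   "[group]"                                   -> granted to members of that group
 * Unless $noadmin is set (or the list is exactly "notauthenticated"),
 * "[admin]" is prepended, so admins pass everything.  An empty list falls
 * back to $default, or "nobody".  Denials are evaluated first; among grants
 * the first matching entry decides; no match means false.
 *
 * @return bool
 */
function canaccess($access, $noadmin = false, $default = false) {
    $access = (string)$access;
    if ($access=="!") return false; // all denied, for dev mods
    $access = trim($access, ",");
    if ($access!="notauthenticated" && $access!="nem bejelentkezettek" && !$noadmin){
        $access = "[admin],".$access; // admin group can access anything
    }
    if (trim($access)=="") $access = ($default!="" ? $default : "nobody");
    $entries = explode(",", trim($access, ","));

    $isAuth   = !empty($_SESSION["auth"]);
    $username = isset($_SESSION["userdata"]["username"]) ? (string)$_SESSION["userdata"]["username"] : null;
    $groups   = (isset($_SESSION["userdata"]["groups"]) && is_array($_SESSION["userdata"]["groups"]))
              ? $_SESSION["userdata"]["groups"] : array();

    // Denials win over any grant, so evaluate them first.
    foreach ($entries as $entry){
        if (substr($entry, 0, 1) != "!" || strlen($entry) <= 1) continue;
        $entry = substr($entry, 1);
        if ($username !== null && $entry === $username) return false;
        if (substr($entry, 0, 1) == "["){
            $group = substr($entry, 1, strlen($entry) - 2);
            if (in_array($group, $groups, true)) return false;
        }
    }
    // Grants: first match decides.
    foreach ($entries as $entry){
        if (trim($entry) == "" || substr($entry, 0, 1) == "!") continue;
        if ($entry=="nobody" || $entry=="senki") return false;
        if ($entry=="anybody" || $entry=="bárki") return true;
        if ($entry=="authenticated" || $entry=="bejelentkezettek") return $isAuth;
        if ($entry=="notauthenticated" || $entry=="nem bejelentkezettek") return !$isAuth;
        if ($username !== null && $entry === $username) return $isAuth;
        if (substr($entry, 0, 1) == "["){
            $group = substr($entry, 1, strlen($entry) - 2);
            if (in_array($group, $groups, true)) return true;
        }
    }
    return false;
} // /canaccess
// ---------
/**
 * Collect the groups reachable from $uid, following sec_groups_con links
 * transitively: first hop groups_id <- target_id=$uid with type=$mode, then
 * repeatedly groups_id=<found group> -> target_id with type=0.
 *
 * @param int $uid   id to start from (a user when $mode is 1)
 * @param int $mode  sec_groups_con.type of the first hop
 * @return array<int,string>|false  id => name, or false when the first query fails
 */
function sec_cache_groups($uid, $mode = 0){
    $uid  = intval($uid);
    $mode = intval($mode);
    $found = array();
    $queue = hpa_fields_array("sec_groups", "id,name",
        "id in (select groups_id from sec_groups_con where target_id='".$uid."' and type='".$mode."')", "id");
    if (!is_array($queue)) return false;
    while (($group = array_shift($queue)) !== null){
        $gid = intval($group["id"]);
        if (array_key_exists($gid, $found)) continue; // visited: also stops on cycles
        $found[$gid] = $group["name"];
        $linked = hpa_fields_array("sec_groups", "id,name",
            "id in (select target_id from sec_groups_con where groups_id='".$gid."' and type=0)", "id");
        if (is_array($linked)) $queue = array_merge($queue, $linked);
    }
    return $found;
}
// ---------
/**
 * Ids of all groups reachable from group $uid through group-to-group links
 * (sec_groups_con type 0), transitively.
 *
 * @return array<int,mixed>  id => id (value as returned by the query); empty when the first query fails
 */
function sec_extract_groups($uid){
    $uid = intval($uid);
    $found = array();
    $queue = hpa_fields_array("sec_groups_con", "target_id as a", "groups_id='".$uid."' and type='0'", "target_id");
    if (!is_array($queue)) return array();
    while (($link = array_shift($queue)) !== null){
        $gid = intval($link["a"]);
        if (array_key_exists($gid, $found)) continue; // visited: also stops on cycles
        $found[$gid] = $link["a"];
        $next = hpa_fields_array("sec_groups_con", "target_id as a", "groups_id='".$gid."' and type=0", "target_id");
        if (is_array($next)) $queue = array_merge($queue, $next);
    }
    return $found;
}
// ---------
/**
 * Ids of the users directly in group $gid (sec_groups_con type 1).
 *
 * @return list<int|string>  the keys of the hpa_fields_array() result, i.e. target_id values
 */
function get_members($gid){
    $rows = hpa_fields_array("sec_groups_con", "target_id", "type=1 and groups_id=".intval($gid), "target_id");
    return is_array($rows) ? array_keys($rows) : array();
}
// ---------
/**
 * Resolve an access list (user names and "[group]" entries, "!" for negation)
 * to the ids of the users it grants: named users plus members of named groups
 * and their sub-groups, minus everyone matched by a negated entry.
 * Names that do not resolve to an id are skipped (the original carried the
 * failed lookup result into the returned list).
 *
 * @return array  user ids (array_diff keeps keys, as before)
 */
function get_users($access){
    $grps = array(); $usrs = array(); $ngrps = array(); $nusrs = array();
    foreach (explode(",", (string)$access) as $entry){
        $entry = trim($entry);
        if ($entry === "") continue;
        $negate = (substr($entry, 0, 1) == "!");
        if ($negate) $entry = ltrim($entry, "!");
        if (substr($entry, 0, 1) == "["){
            $gid = hpa_field("sec_groups", "id", "name='".hpa_escape_string(substr($entry, 1, strlen($entry) - 2))."'");
            if (!is_numeric($gid)) continue;
            if ($negate) $ngrps[$gid] = $gid; else $grps[$gid] = $gid;
        } else {
            $uid = hpa_field("sec_users", "id", "username='".hpa_escape_string($entry)."'");
            if (!is_numeric($uid)) continue;
            if ($negate) $nusrs[] = $uid; else $usrs[] = $uid;
        }
    }
    // Expand groups to their sub-groups (iterate a snapshot while appending).
    $snapshot = $grps;
    foreach ($snapshot as $g) $grps = array_merge($grps, sec_extract_groups($g));
    $snapshot = $ngrps;
    foreach ($snapshot as $g) $ngrps = array_merge($ngrps, sec_extract_groups($g));
    // Then groups to their members.
    foreach ($grps as $g)  $usrs  = array_merge($usrs,  get_members($g));
    foreach ($ngrps as $g) $nusrs = array_merge($nusrs, get_members($g));
    return array_diff($usrs, $nusrs);
}
// ---------
/**
 * Display text for a user given its numeric id or its user name;
 * 'Ismeretlen' (unknown) when there is no such user.
 *
 * NOTE(review): the two branches below are identical in this copy of the
 * file — the markup that originally surrounded the name (different for
 * admins/users and for everyone else) has been stripped, so only the bare
 * name survives and is returned unescaped.
 */
function user($idorname){
    if (is_numeric($idorname)){
        $row = hpa_fields("sec_users", "id,username", "id=".intval($idorname));
    } else {
        $row = hpa_fields("sec_users", "id,username", "username='".hpa_escape_string($idorname)."'");
    }
    if (!is_array($row)) return 'Ismeretlen';
    if (canaccess("[admin],[user]")) return ''.$row["username"].'';
    return ''.$row["username"].'';
}
// ---------
/**
 * Row of table "users" for $id (the logged-in user when 0), with the
 * USEREXTRAS side tables (sec_users_<suffix>) attached under their suffix.
 *
 * NOTE(review): the base row comes from "users" while the rest of this file
 * reads "sec_users" — confirm which table is intended.
 * The side tables used to be looked up by the session user's id even when a
 * different $id was asked for; they now follow $id.
 */
function getperson( $id = 0 ){
    $id = intval($id);
    if ($id === 0) $id = isset($_SESSION["userdata"]["id"]) ? intval($_SESSION["userdata"]["id"]) : 0;
    $r = hpa_fields("users", "*", "id=".$id);
    foreach (explode(",", USEREXTRAS) as $extra){
        $extra = trim($extra);
        if ($extra === "") continue;
        if ($row = hpa_fields("sec_users_".$extra, "*", "users_id='".$id."'")){
            unset($row["users_id"]);
            if (!is_array($r)) $r = array(); // same as the implicit false->array conversion before
            $r[$extra] = $row;
        }
    }
    return $r;
}
// ---------
/**
 * Random code of $len characters drawn from [0-9a-zA-Z].
 *
 * Uses random_int() (CSPRNG) instead of rand(), initialises the accumulator
 * (it was undefined before) and fixes the alphabet, which had a doubled "p"
 * and ended in "X" instead of "Z".
 */
function codegen($len=10){
    $alphabet = "1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
    $last  = strlen($alphabet) - 1;
    $count = max(0, intval($len));
    $code  = "";
    for ($i = 0; $i < $count; $i++){
        $code .= $alphabet[random_int(0, $last)];
    }
    return $code;
}
// ---------
/**
 * Append an audit row to sec_log: timestamp, user name, event description and
 * the client address.  The address was interpolated unescaped before; it now
 * goes through hpa_escape_string() like the other values, and is empty when
 * there is no REMOTE_ADDR (CLI).
 */
function security_log($uname,$description){
    $location = isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : "";
    hpa_query("insert into sec_log (cdate,uname,description,location) values ('"
        .date("Y-m-d H:i:s")."','".hpa_escape_string((string)$uname)."','"
        .hpa_escape_string((string)$description)."','".hpa_escape_string($location)."')");
}
// ---------
/**
 * Whether $uname is acceptable as a user name: non-empty, free of the
 * characters that carry meaning in access lists and paths ( [ ] ! * & ; / \ ),
 * not a reserved name, and unchanged by strip_tags() both as given and after
 * urldecode().
 *
 * The reserved-name check is now case-insensitive: names are looked up with a
 * plain SQL equality elsewhere in this file, which is presumably
 * case-insensitive under the database's collation, so "Admin" would otherwise
 * pass here and collide with "admin".
 *
 * @return bool
 */
function validatename($uname){
    $uname = (string)$uname;
    if ($uname === "") return false;
    foreach (array("[", "]", "!", "*", "&", ";", "/", "\\") as $forbidden){
        if (strpos($uname, $forbidden) !== false) return false;
    }
    $reserved = array("admin", "system", "application", "master", "administrator", "root");
    if (in_array(strtolower($uname), $reserved, true)) return false;
    if ($uname !== strip_tags($uname)) return false;
    if ($uname !== strip_tags(urldecode($uname))) return false;
    return true;
}
// NOTE(review): what follows the closing tag is material from other files that
// was concatenated into this listing — a template's $module_conf settings and
// the body of a menu-drawing function whose head is missing.  It is kept as
// found.
?>"Alap template"); $module_conf["usecommonfiles"]= true; $module_conf["enableiframes"] = true; $module_conf["styleclass"] = true; $module_conf["cidedit"] = true; ?>$v){
if (canaccess($v["access"])){
    $vis = (!isset($v["visible"]) || ($v["visible"] && isset($v["visible"])));
    $sel = "";
    $target = $v["target"]=="-"?$v["target_url"]:$v["target"];
    $mp = "";
    if ($target!=""){ // fixed page
        $sel = ($target==$page?"sel":"");
        if ($vis) $mp = (function_exists("menupoint")?menupoint($target, $v["title"], $level, $target==$page, $v["class"]!=""?$v["class"]:""): ''.$v["title"]."");
        else $mp = " ";
    } else { // static-cms data
        $sel = ("content.php?cid=".$v["id"]==$page?"sel":"");
        if ($vis) $mp = (function_exists("menupoint")? menupoint("content.php?cid=" . 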
$v["id"], $v["title"], $level, "content.php?cid=".$v["id"]==$page, $v["class"]!=""?$v["class"]:""): '' . $v["title"] . "");
// NOTE(review): the line above and the block below are the tail of a
// menu-drawing function (_draw_menu) whose head is not in this listing; the
// code is kept as found.  $class used in the submenufunction call below is
// not assigned anywhere visible — presumably a parameter of the missing head.
                else $mp = " ";
            }
            // A selected, visible entry makes this level worth drawing.
            $draw = ($sel!="" && $vis)?true:$draw;
            if (is_array($v["elements"]) && $vis){ // draw submenu
                $t = _draw_menu($v["elements"], $level+1, ($sel!=""?true:false));
                if ($t != ""){
                    $ki .= str_replace("[class]", "menu_open", $mp).$t;
                    $draw = true;
                    $mp = "";
                } else {
                    $ki .= str_replace("[class]", "", $mp);
                    $mp = "";
                }
            }
            if ($v["submenufunction"]!="" && $vis){ // draw submenu
                // Includes a file path taken from the menu definition, with @
                // hiding any include failure; acceptable only while the menu
                // is trusted configuration, never request data.
                @include_once($v["submenuinclude"]);
                $tt = $v["submenufunction"];
                if (function_exists($tt)){
                    $t = $tt($page, $level+1, $sel, $class, $v["target"]);
                    if ($t != ""){
                        $ki .= str_replace("[class]", "menu_open", $mp).$t;
                        $mp = "";
                        $draw = true;
                    } else {
                        $ki .= str_replace("[class]", "", $mp);
                        $mp = "";
                    }
                }
            }
            // NOTE(review): the search string here has a leading space, unlike
            // the "[class]" replacements above — confirm that is intended.
            $ki .= str_replace(" [class]", "", $mp); // else case
        }
    }
    if ($draw || $level==0 || $forcedraw) return $ki;
}
// drawpath
// Breadcrumb path to $page through $menu: the titles of the entries leading
// to the page, joined by $delim, followed by the global $PAGEPATH when set.
// Only entries the current session may access (canaccess) are considered.
// NOTE(review): $t is not reset at the start of each iteration, so a value
// left by an earlier sibling can satisfy the $t!="" tests for a later one.
// NOTE(review): the markup around $v["title"] and the first argument of the
// final str_replace("", ...) appear to have been stripped from this copy; an
// empty search string makes that str_replace a no-op.
function drawpath($menu,$delim,$page,$level=0){
    global $PAGEPATH;
    $ki = "";
    foreach($menu as $n=>$v){
        if (canaccess($v["access"])){
            if (is_array($v["elements"])) // draw submenu
                $t = drawpath($v["elements"], $delim, $page, $level+1);
            if ($v["submenufunction"]!=""){ // draw submenu
                // Path comes from the menu definition; @ hides include failures.
                @include_once($v["submenuinclude"]);
                $tt = $v["pathfunction"];
                if (function_exists($tt)) $t = $tt($delim, $page, $level+1, $v["target"]);
            }
            $target = $v["target"]=="-"?$v["target_url"]:$v["target"];
            if ($target!="" && ($t!="" || $page==$target)) // fixed page
                $ki .= ''.$v["title"]."";
            elseif ("content.php?cid=".$v["id"]==$page || $t!="" ) // static-cms data
                $ki .= '' . $v["title"] . "";
            if ($t!="") return $ki .$delim. $t;
        } // /access
    } // /foreach
    if ($PAGEPATH != "" && $ki!="") $ki .= $delim . str_replace("", $delim, $PAGEPATH);
    return $ki;
}
// ------- draw title
// Same walk as drawpath() but collects plain titles (no markup) and applies
// strip_tags() to $PAGEPATH.  Shares drawpath()'s un-reset $t and empty
// str_replace() search string.
function drawtitle($menu, $delim, $page){
    global $PAGEPATH;
    $ki = "";
    foreach($menu as $n=>$v){
        if (canaccess($v["access"])){
            if (is_array($v["elements"])) // draw submenu
                $t = drawtitle($v["elements"], $delim, $page );
            $target = $v["target"]=="-"?$v["target_url"]:$v["target"];
            if ($target!="" && ($t!="" || $page==$target)) // fixed page
                $ki .= $v["title"];
            elseif ("content.php?cid=".$v["id"]==$page || $t!="" ) // static-cms data
                $ki .= $v["title"];
            if ($t!="") return $ki .$delim. $t;
        } // /access
    } // /foreach
    if ($PAGEPATH != "" && $ki !="") $ki .= str_replace("", $delim, strip_tags($PAGEPATH));
    return $ki;
}
// ------- get title
// Title of the menu entry matching $page, searching sub-menus and the entry's
// pathfunction (last "|"-separated segment of its result); "" when nothing
// matches.  Unlike drawpath()/drawtitle() this does not consult canaccess().
// NOTE(review): $level is never assigned here, and the include uses
// $v["menuinclude"] where the other functions use $v["submenuinclude"] —
// confirm both are intended.
function gettitle($menu, $page){
    $ki = "";
    foreach($menu as $n=>$v){
        if (is_array($v["elements"])) // draw submenu
            $t = gettitle($v["elements"], $page );
        if ($v["submenufunction"]!=""){ // draw submenu
            @include_once($v["menuinclude"]);
            $tt = $v["pathfunction"];
            if (function_exists($tt)){
                $t = $tt("|", $page, $level+1,$v["target"]);
                if (substr_count($t,"|")>0) $t = substr($t,strrpos($t,"|")+1);
            }
        }
        $target = $v["target"]=="-"?$v["target_url"]:$v["target"];
        if ($target!="" && $t=="" && $page==$target) // fixed page
            $t = $v["title"];
        elseif ("content.php?cid=".$v["id"]==$page && $t=="" ) // static-cms data
            $t = $v["title"];
        if ($t!="") return $t;
    }
    return $ki;
}
// ----- get submenu by path
// Walk the global $menu along the "/"-separated keys in $menupath and return
// the "elements" array at the end of the walk.  Missing keys are not checked.
function getsubmenu_bypath($menupath){
    global $menu;
    $path = explode("/",$menupath);
    $t = array("elements"=>$menu);
    foreach($path as $p){
        $t = $t["elements"][$p];
    }
    return $t["elements"];
}
// ----- get submenu
// Sub-menu of the entry matching the global $page, searching recursively
// among accessible entries.  $top_target/$top_title receive the ancestor
// entry found on the way back up; when $levelfromtop is given, the elements of
// the ancestor at that depth are returned instead of the deepest match.
// Returns false when no entry matches.
function getsubmenu($menu,$levelfromtop=-1,$level=0,&$top_target="",&$top_title=""){
    global $page;
    foreach($menu as $n=>$v){
        if (canaccess($v["access"])){
            $target = ($v["target"]=="-"?$v["target_url"]:$v["target"]);
            if ($target==$page || $page=="content.php?cid=".$v["id"]){
                $top_target = "content.php?cid=".$v["id"];
                $top_title = $v["title"];
                return $v["elements"];
            }
            if (is_array($v["elements"])){
                $t = getsubmenu($v["elements"], $levelfromtop, $level + 1, $top_target, $top_title);
                if ($t !== false){
                    $top_target = "content.php?cid=".$v["id"];
                    $top_title = $v["title"];
                    if ($levelfromtop!=-1 && $levelfromtop==$level) return $v["elements"];
                    else return $t;
                }
            } // id elements
        } // canaccess
    }// foreach
    return false;
}
// ----- get latest modified content elements
// For every accessible static-cms entry (empty "target") under $path, load
// <module_conf dir>/<id>/content.data.php and record the entry keyed by id
// with its title, the $field value of its approved version (strtotime()'d
// when $doutime), its child count and depth.  Recurses into sub-menus.
// NOTE(review): the inner loop assigns $ki[$v["id"]] for every approved
// version, so the last approved version in file order wins; $content_data is
// not cleared between includes, so a data file that does not set it leaves
// the previous entry's value in place.
// NOTE(review): array_merge() renumbers integer keys, so if entry ids are
// integers the id keys of the recursive results are lost.
function content_getmods($path="",$field="mdate",$doutime=false,$level=0){
    global $module_conf;
    $ki=array();
    if ($path != "") $menu = getsubmenu_bypath($path);
    else global $menu;
    if (!is_array($menu)) return $ki;
    foreach ($menu as $n=>$v){
        if (canaccess($v["access"])){
            if ($v["target"]==""){
                // $v["id"] becomes part of an include path; it must stay a
                // trusted menu value.
                if (file_exists($module_conf["dir"]."/". $v["id"] ."/content.data.php")){
                    include($module_conf["dir"]."/". $v["id"] ."/content.data.php");
                    if (is_array($content_data["versions"])){
                        foreach($content_data["versions"] as $nb=>$vb){
                            if ($vb["approved"] == true)
                                $ki[$v["id"]] = array(
                                    "title" => $v["title"],
                                    $field => ($doutime?strtotime($vb[$field]):$vb[$field]),
                                    "childnum" => (is_array($v["elements"])?count($v["elements"]):0),
                                    "level" => $level
                                );
                        }
                    }
                }
            }
            if (is_array($v["elements"])) $ki = array_merge($ki, content_getmods(trim($path."/".$n,"/"), $field, $doutime,$level+1));
        } // canaccess
    } // foreach
    return $ki;
}
// ----- get page
// Derive the current page identifier when not already set: on content.php the
// requested cid (basename() is the only normalisation applied to it), otherwise
// the script name.
if ($page==""){
    if (isset($_REQUEST["cid"]) && basename($_SERVER["PHP_SELF"])=="content.php")
        $page = "content.php?cid=" . basename($_REQUEST["cid"]);
    else
        $page = basename($_SERVER["PHP_SELF"]);
}
?>