includes/session.inc

   1 <?php
   2 /**********************************************************************
   3         Copyright (C) FrontAccounting, LLC.
   4         Released under the terms of the GNU General Public License, GPL,
   5         as published by the Free Software Foundation, either version 3
   6         of the License, or (at your option) any later version.
   7         This program is distributed in the hope that it will be useful,
   8         but WITHOUT ANY WARRANTY; without even the implied warranty of
   9         MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
  10         See the License here <http://www.gnu.org/licenses/gpl-3.0.html>.
  11 ***********************************************************************/
  12 function output_html($text)
  13 {
  14         global $before_box, $Ajax, $messages;
  15         // Fatal errors are not send to error_handler,
  16         // so we must check the output
  17         if ($text && preg_match('/\bFatal error(<.*?>)?:(.*)/i', $text, $m)) {
  18                 $Ajax->aCommands = array();  // Don't update page via ajax on errors
  19                 $text = preg_replace('/\bFatal error(<.*?>)?:(.*)/i','', $text);
  20                 $messages[] = array(E_ERROR, $m[2], null, null);
  21         }
  22         $Ajax->run();
  23         return  in_ajax() ? fmt_errors() : ($before_box.fmt_errors().$text);
  24 }
  25 //----------------------------------------------------------------------------------------
  26
  27 function kill_login()
  28 {
  29         session_unset();
  30         session_destroy();
  31 }
  32 //----------------------------------------------------------------------------------------
  33
  34 function login_fail()
  35 {
  36         header("HTTP/1.1 401 Authorization Required");
  37         echo "<center><br><br><font size='5' color='red'><b>" . _("Incorrect Password") . "<b></font><br><br>";
  38         echo "<b>" . _("The user and password combination is not valid for the system.") . "<b><br><br>";
  39
  40         echo _("If you are not an authorized user, please contact your system administrator to obtain an account to enable you to use the system.");
  41         echo "<br><a href='javascript:history.go(-1)'>" . _("Back") . "</a>";
  42         echo "</center>";
  43
  44         kill_login();
  45         die();
  46 }
  47
  48 //----------------------------------------------------------------------------------------
  49
  50 function check_page_security($page_security)
  51 {
  52         if (!$_SESSION["wa_current_user"]->check_user_access())
  53         {
  54                 // notification after upgrade from pre-2.2 version
  55                 $msg = is_array($_SESSION["wa_current_user"]->role_set) ?
  56                         _("Please remove \$security_groups and \$security_headings arrays from config.php file!")
  57                         : _("Security settings have not been defined for your user account.")
  58                         . "<br>" . _("Please contact your system administrator.");
  59
  60                 page(_("Access denied"), false);
  61                         display_error($msg);
  62                 end_page();
  63                 kill_login();
  64                 exit;
  65         }
  66
  67         if (!$_SESSION["wa_current_user"]->can_access_page($page_security))
  68         {
  69                 // no_menu parameter guess here is ugly hack, but works for now.
  70                 // Better solution is to use global switch for menu, set before
  71                 // session.inc inclusion.
  72                 page(_("Access denied"), strpos($_SERVER['PHP_SELF'], '/view/'));
  73
  74                 echo "<center><br><br><br><b>";
  75                 echo _("The security settings on your account do not permit you to access this function");
  76                 echo "</b>";
  77                 echo "<br><br><br><br></center>";
  78                 end_page();
  79                 //kill_login();
  80                 exit;
  81         }
  82 }
  83
  84 //-----------------------------------------------------------------------------
  85 //      Removing magic quotes from nested arrays/variables
  86 //
  87 function strip_quotes($data)
  88 {
  89         if(get_magic_quotes_gpc()) {
  90                 if(is_array($data)) {
  91                         foreach($data as $k => $v) {
  92                                 $data[$k] = strip_quotes($data[$k]);
  93                         }
  94                 } else
  95                         return stripslashes($data);
  96         }
  97         return $data;
  98 }
  99
 100 //============================================================================
 101 //
 102 //
 103 function login_timeout()
 104 {
 105         if ($_SESSION["wa_current_user"]->logged) {
 106                 $tout = $_SESSION["wa_current_user"]->timeout;
 107                 if ($tout && (time() > $_SESSION["wa_current_user"]->last_act + $tout))
 108                 {
 109                         $_SESSION["wa_current_user"]->logged = false;
 110                 }
 111                 $_SESSION["wa_current_user"]->last_act = time();
 112         }
 113 }
 114 //============================================================================
 115 if (!isset($path_to_root))
 116 {
 117         $path_to_root = ".";
 118 }
 119
 120 // Prevent register_globals vulnerability
 121 if (isset($_GET['path_to_root']) || isset($_POST['path_to_root']))
 122         die("Restricted access");
 123
 124 include_once($path_to_root . "/frontaccounting.php");
 125 include_once($path_to_root . "/admin/db/security_db.inc");
 126 include_once($path_to_root . "/includes/current_user.inc");
 127 include_once($path_to_root . "/includes/lang/language.php");
 128 include_once($path_to_root . "/config_db.php");
 129 include_once($path_to_root . "/includes/ajax.inc");
 130 include_once($path_to_root . "/includes/ui/ui_msgs.inc");
 131
 132 /*
 133         Uncomment the setting below when using FA on shared hosting
 134         to avoid unexpeced session timeouts.
 135         Make sure this directory exists and is writable!
 136 */
 137 //ini_set('session.save_path', dirname(__FILE__).'/../tmp/');
 138
 139 ini_set('session.gc_maxlifetime', 36000); // 10hrs
 140
 141 session_name('FrontAccounting');
 142 session_start();
 143 // this is to fix the "back-do-you-want-to-refresh" issue - thanx PHPFreaks
 144 header("Cache-control: private");
 145
 146 get_text::init();
 147
 148 // Page Initialisation
 149 if (!isset($_SESSION['languages']))
 150 {
 151         language::load_languages(); // sets also default $_SESSION['language']
 152 }
 153
 154 language::set_language($_SESSION['language']->code);
 155
 156 // include $Hooks object if locale file exists
 157 if(@include_once($path_to_root . "/lang/".$_SESSION['language']->code."/locale.inc"))
 158 {
 159         $Hooks = new Hooks();
 160 }
 161
 162 include_once($path_to_root . "/includes/access_levels.inc");
 163 include_once($path_to_root . "/config.php");
 164 include_once($path_to_root . "/includes/main.inc");
 165
 166 // Ajax communication object
 167 $Ajax =& new Ajax();
 168
 169 // js/php validation rules container
 170 $Validate = array();
 171 // bindings for editors
 172 $Editors = array();
 173 // page help. Currently help for function keys.
 174 $Pagehelp = array();
 175
 176 // intercept all output to destroy it in case of ajax call
 177 register_shutdown_function('end_flush');
 178 ob_start('output_html',0);
 179
 180 // colect all error msgs
 181 set_error_handler('error_handler' /*, errtypes */);
 182
 183 if (!isset($_SESSION["wa_current_user"]))
 184         $_SESSION["wa_current_user"] = new current_user();
 185
 186 set_global_connection();
 187
 188 login_timeout();
 189
 190 if (!$_SESSION["wa_current_user"]->logged_in())
 191 {
 192         // Show login screen
 193         if (!isset($_POST["user_name_entry_field"]) or $_POST["user_name_entry_field"] == "")
 194         {
 195                 if (strstr($_SERVER['PHP_SELF'], 'timeout.php') == false)
 196                         $_SESSION['timeout'] = array( 'uri'=> $_SERVER['REQUEST_URI'],
 197                                 'post' => $_POST);
 198
 199                 if (!in_ajax()) {
 200                         include($path_to_root . "/access/login.php");
 201                 } else {
 202                         // ajax update of current page elements - open login window in popup
 203                         // to not interfere with ajaxified page.
 204                         $Ajax->popup($path_to_root . "/access/timeout.php");
 205                 }
 206                 exit;
 207         } else {
 208                 $succeed = $_SESSION["wa_current_user"]->login($_POST["company_login_name"],
 209                         $_POST["user_name_entry_field"],
 210                         md5($_POST["password"]));
 211                 // select full vs fallback ui mode on login
 212                 $_SESSION["wa_current_user"]->ui_mode = $_POST['ui_mode'];
 213                 if (!$succeed)
 214                 {
 215                         // Incorrect password
 216                         login_fail();
 217                 }
 218                 $lang = $_SESSION['language'];
 219                 language::set_language($_SESSION['language']->code);
 220         }
 221 }
 222
 223 if (!isset($_SESSION["App"])) {
 224         $_SESSION["App"] = new front_accounting();
 225         $_SESSION["App"]->init();
 226 }
 227
 228 //----------------------------------------------------------------------------------------
 229
 230 check_page_security($page_security);
 231
 232 // POST vars cleanup needed for direct reuse.
 233 // We quote all values later with db_escape() before db update.
 234         $_POST = strip_quotes($_POST);
 235
 236 ?>