includes/session.inc

   1 <?php
   2 /**********************************************************************
   3         Copyright (C) FrontAccounting, LLC.
   4         Released under the terms of the GNU General Public License, GPL,
   5         as published by the Free Software Foundation, either version 3
   6         of the License, or (at your option) any later version.
   7         This program is distributed in the hope that it will be useful,
   8         but WITHOUT ANY WARRANTY; without even the implied warranty of
   9         MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
  10         See the License here <http://www.gnu.org/licenses/gpl-3.0.html>.
  11 ***********************************************************************/
  12 function output_html($text)
  13 {
  14         global $before_box, $Ajax, $messages;
  15         // Fatal errors are not send to error_handler,
  16         // so we must check the output
  17         if ($text && preg_match('/\bFatal error(<.*?>)?:(.*)/i', $text, $m)) {
  18                 $Ajax->aCommands = array();  // Don't update page via ajax on errors
  19                 $text = preg_replace('/\bFatal error(<.*?>)?:(.*)/i','', $text);
  20                 $messages[] = array(E_ERROR, $m[2], null, null);
  21         }
  22         $Ajax->run();
  23         return  in_ajax() ? fmt_errors() : ($before_box.fmt_errors().$text);
  24 }
  25 //----------------------------------------------------------------------------------------
  26
  27 function kill_login()
  28 {
  29         session_unset();
  30         session_destroy();
  31 }
  32 //----------------------------------------------------------------------------------------
  33
  34 function login_fail()
  35 {
  36         header("HTTP/1.1 401 Authorization Required");
  37         echo "<center><br><br><font size='5' color='red'><b>" . _("Incorrect Password") . "<b></font><br><br>";
  38         echo "<b>" . _("The user and password combination is not valid for the system.") . "<b><br><br>";
  39
  40         echo _("If you are not an authorized user, please contact your system administrator to obtain an account to enable you to use the system.");
  41         echo "<br><a href='javascript:history.go(-1)'>" . _("Back") . "</a>";
  42         echo "</center>";
  43
  44         kill_login();
  45         die();
  46 }
  47
  48 //----------------------------------------------------------------------------------------
  49
  50 function check_page_security($page_security)
  51 {
  52         if (!$_SESSION["wa_current_user"]->check_user_access())
  53         {
  54                 echo "<br><br><br><center>";
  55                 echo "<b>" . _("Security settings have not been defined for your user account.");
  56                 echo "<br>" . _("Please contact your system administrator.") . "</b>";
  57
  58                 kill_login();
  59                 exit;
  60         }
  61
  62         if (!$_SESSION["wa_current_user"]->can_access_page($page_security))
  63         {
  64                 page(_("Access denied"));
  65                 echo "<center><br><br><br><b>";
  66                 echo _("The security settings on your account do not permit you to access this function");
  67                 echo "</b>";
  68                 echo "<br><br><br><br></center>";
  69                 end_page();
  70                 //kill_login();
  71                 exit;
  72         }
  73 }
  74
  75 //-----------------------------------------------------------------------------
  76 //      Removing magic quotes from nested arrays/variables
  77 //
  78 function strip_quotes($data)
  79 {
  80         if(get_magic_quotes_gpc()) {
  81                 if(is_array($data)) {
  82                         foreach($data as $k => $v) {
  83                                 $data[$k] = strip_quotes($data[$k]);
  84                         }
  85                 } else
  86                         return stripslashes($data);
  87         }
  88         return $data;
  89 }
  90
  91 //============================================================================
  92 if (!isset($path_to_root))
  93 {
  94         $path_to_root = ".";
  95 }
  96
  97 // Prevent register_globals vulnerability
  98 if (isset($_GET['path_to_root']) || isset($_POST['path_to_root']))
  99         die("Restricted access");
 100
 101 include_once($path_to_root . "/frontaccounting.php");
 102 include_once($path_to_root . "/includes/current_user.inc");
 103 include_once($path_to_root . "/includes/lang/language.php");
 104 include_once($path_to_root . "/config_db.php");
 105 include_once($path_to_root . "/includes/ajax.inc");
 106 include_once($path_to_root . "/includes/ui/ui_msgs.inc");
 107
 108 /*
 109         Make sure this directory exists and is writable!
 110 //      $session_save_path = dirname(__FILE__).'/../tmp/';
 111 */
 112
 113 session_name('FrontAccounting');
 114 session_start();
 115 // this is to fix the "back-do-you-want-to-refresh" issue - thanx PHPFreaks
 116 header("Cache-control: private");
 117
 118 get_text::init();
 119
 120 // Page Initialisation
 121 if (!isset($_SESSION['languages']))
 122 {
 123         language::load_languages(); // sets also default $_SESSION['language']
 124 }
 125
 126 language::set_language($_SESSION['language']->code);
 127
 128 // include $Hooks object if locale file exists
 129 if(@include_once($path_to_root . "/lang/".$_SESSION['language']->code."/locale.inc"))
 130 {
 131         $Hooks = new Hooks();
 132 }
 133
 134 include_once($path_to_root . "/config.php");
 135 include_once($path_to_root . "/includes/main.inc");
 136
 137 // Ajax communication object
 138 $Ajax =& new Ajax();
 139
 140 // js/php validation rules container
 141 $Validate = array();
 142
 143 // intercept all output to destroy it in case of ajax call
 144 register_shutdown_function('ob_end_flush');
 145 ob_start('output_html',0);
 146
 147 // colect all error msgs
 148 set_error_handler('error_handler' /*, errtypes */);
 149
 150 if (!isset($_SESSION["wa_current_user"]))
 151         $_SESSION["wa_current_user"] = new current_user();
 152 set_global_connection();
 153
 154 if (!$_SESSION["wa_current_user"]->logged_in())
 155 {
 156         // Show login screen
 157         if (!isset($_POST["user_name_entry_field"]) or $_POST["user_name_entry_field"] == "")
 158         {
 159                 include($path_to_root . "/access/login.php");
 160                 $Ajax->redirect($path_to_root . "/access/login.php");
 161                 exit;
 162         } else {
 163                 $succeed = $_SESSION["wa_current_user"]->login($_POST["company_login_name"],
 164                         $_POST["user_name_entry_field"],
 165                         md5($_POST["password"]));
 166                 // select full vs fallback ui mode on login
 167                 $_SESSION["wa_current_user"]->ui_mode = $_POST['ui_mode'];
 168                 if (!$succeed)
 169                 {
 170                         // Incorrect password
 171                         login_fail();
 172                 }
 173                 $lang = $_SESSION['language'];
 174                 language::set_language($_SESSION['language']->code);
 175         }
 176 }
 177
 178 if (!isset($_SESSION["App"])) {
 179         $_SESSION["App"] = new front_accounting();
 180         $_SESSION["App"]->init();
 181 }
 182
 183 // Run with debugging messages for the system administrator(s) but not anyone else
 184 /*if (in_array(15, $security_groups[$_SESSION["AccessLevel"]])) {
 185         $debug = 1;
 186 } else {
 187         $debug = 0;
 188 }*/
 189
 190 //----------------------------------------------------------------------------------------
 191
 192 check_page_security($page_security);
 193
 194 // POST vars cleanup needed for direct reuse.
 195 // We quote all values later with db_escape() before db update.
 196         $_POST = strip_quotes($_POST);
 197
 198 ?>