+function check_faillog()
+{
+ global $login_delay, $login_faillog, $login_max_attempts;
+
+ $user = $_SESSION["wa_current_user"]->user;
+
+ if (@$login_delay && (@$login_faillog[$user][$_SERVER['REMOTE_ADDR']] >= @$login_max_attempts) && (time() < $login_faillog[$user]['last'] + $login_delay))
+ return true;
+
+ return false;
+}
+/*
+ Simple brute force attack detection is performed before connection to company database is open. Therefore access counters have to be stored in file.
+ Login attempts counter is created for every new user IP, which partialy prevent DOS attacks.
+*/
+function write_login_filelog($login, $result)
+{
+ global $login_faillog, $login_max_attempts, $path_to_root;
+
+ $user = $_SESSION["wa_current_user"]->user;
+
+ $ip = $_SERVER['REMOTE_ADDR'];
+
+ if (!isset($login_faillog[$user][$ip]) || $result) // init or reset on successfull login
+ $login_faillog[$user] = array($ip => 0, 'last' => '');
+
+ if (!$result)
+ {
+ if ($login_faillog[$user][$ip] < @$login_max_attempts) {
+
+ $login_faillog[$user][$ip]++;
+ } else {
+ $login_faillog[$user][$ip] = 0; // comment out to restart counter only after successfull login.
+ error_log(sprintf(_("Brute force attack on account '%s' detected. Access for non-logged users temporarily blocked." ), $login));
+ }
+ $login_faillog[$user]['last'] = time();
+ }
+
+ $msg = "<?php\n";
+ $msg .= "/*\n";
+ $msg .= "Login attempts info.\n";
+ $msg .= "*/\n";
+ $msg .= "\$login_faillog = " .var_export($login_faillog, true). ";\n";
+
+ $filename = $path_to_root."/tmp/faillog.php";
+
+ if ((!file_exists($filename) && is_writable($path_to_root)) || is_writable($filename))
+ {
+ file_put_contents($filename, $msg);
+ }
+}
+
+//----------------------------------------------------------------------------------------
+
+function check_page_security($page_security)
+{
+ global $SysPrefs;
+
+ $msg = '';
+
+ if (!$_SESSION["wa_current_user"]->check_user_access())
+ {
+ // notification after upgrade from pre-2.2 version
+ $msg = $_SESSION["wa_current_user"]->old_db ?
+ _("Security settings have not been defined for your user account.")
+ . "<br>" . _("Please contact your system administrator.")
+ : _("Please remove \$security_groups and \$security_headings arrays from config.php file!");
+ } elseif (!$_SESSION['SysPrefs']->db_ok && !$_SESSION["wa_current_user"]->can_access('SA_SOFTWAREUPGRADE')) {
+ $msg = _('Access to application has been blocked until database upgrade is completed by system administrator.');
+ }
+
+ if ($msg){
+ display_error($msg);
+ end_page(@$_REQUEST['popup']);
+ kill_login();
+ exit;
+ }
+
+ if (!$_SESSION["wa_current_user"]->can_access_page($page_security))
+ {
+
+ echo "<center><br><br><br><b>";
+ echo _("The security settings on your account do not permit you to access this function");
+ echo "</b>";
+ echo "<br><br><br><br></center>";
+ end_page(@$_REQUEST['popup']);
+ exit;
+ }
+ if (!$_SESSION['SysPrefs']->db_ok
+ && !in_array($page_security, array('SA_SOFTWAREUPGRADE', 'SA_OPEN', 'SA_BACKUP')))
+ {
+ display_error(_('System is blocked after source upgrade until database is updated on System/Software Upgrade page'));
+ end_page();
+ exit;
+ }
+
+}
+/*
+ Helper function for setting page security level depeding on
+ GET start variable and/or some value stored in session variable.
+ Before the call $page_security should be set to default page_security value.
+*/
+function set_page_security($value=null, $trans = array(), $gtrans = array())
+{
+ global $page_security;
+
+ // first check is this is not start page call
+ foreach($gtrans as $key => $area)
+ if (isset($_GET[$key])) {
+ $page_security = $area;
+ return;
+ }
+
+ // then check session value
+ if (isset($trans[$value])) {
+ $page_security = $trans[$value];
+ return;
+ }
+}
+