projects / fa-stable.git / blob
? search:


65b62f55dc348d6767951f47b55594c91229eddd
[fa-stable.git] / includes / session.inc
1 <?php
2 /**********************************************************************
3         Copyright (C) FrontAccounting, LLC.
4         Released under the terms of the GNU General Public License, GPL,
5         as published by the Free Software Foundation, either version 3
6         of the License, or (at your option) any later version.
7         This program is distributed in the hope that it will be useful,
8         but WITHOUT ANY WARRANTY; without even the implied warranty of
9         MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
10         See the License here <http://www.gnu.org/licenses/gpl-3.0.html>.
11 ***********************************************************************/
12 function output_html($text)
13 {
14         global $before_box, $Ajax, $messages;
15         // Fatal errors are not send to error_handler,
16         // so we must check the output
17         if ($text && preg_match('/\bFatal error(<.*?>)?:(.*)/i', $text, $m)) {
18                 $Ajax->aCommands = array();  // Don't update page via ajax on errors
19                 $text = preg_replace('/\bFatal error(<.*?>)?:(.*)/i','', $text);
20                 $messages[] = array(E_ERROR, $m[2], null, null);
21         }
22         $Ajax->run();
23         return  in_ajax() ? fmt_errors() : ($before_box.fmt_errors().$text);
24 }
25 //----------------------------------------------------------------------------------------
26
27 function kill_login()
28 {
29         session_unset();
30         session_destroy();
31 }
32 //----------------------------------------------------------------------------------------
33
34 function login_fail()
35 {
36         header("HTTP/1.1 401 Authorization Required");
37         echo "<center><br><br><font size='5' color='red'><b>" . _("Incorrect Password") . "<b></font><br><br>";
38         echo "<b>" . _("The user and password combination is not valid for the system.") . "<b><br><br>";
39
40         echo _("If you are not an authorized user, please contact your system administrator to obtain an account to enable you to use the system.");
41         echo "<br><a href='javascript:history.go(-1)'>" . _("Back") . "</a>";
42         echo "</center>";
43
44         kill_login();
45         die();
46 }
47
48 //----------------------------------------------------------------------------------------
49
50 function check_page_security($page_security)
51 {
52         if (!$_SESSION["wa_current_user"]->check_user_access())
53         {
54                 echo "<br><br><br><center>";
55                 echo "<b>" . _("Security settings have not been defined for your user account.");
56                 echo "<br>" . _("Please contact your system administrator.") . "</b>";
57
58                 kill_login();
59                 exit;
60         }
61
62         if (!$_SESSION["wa_current_user"]->can_access_page($page_security))
63         {
64                 // no_menu parameter guess here is ugly hack, but works for now.
65                 // Better solution is to use global switch for menu, set before 
66                 // session.inc inclusion.
67                 page(_("Access denied"), strpos($_SERVER['PHP_SELF'], '/view/'));
68
69                 echo "<center><br><br><br><b>";
70                 echo _("The security settings on your account do not permit you to access this function");
71                 echo "</b>";
72                 echo "<br><br><br><br></center>";
73                 end_page();
74                 //kill_login();
75                 exit;
76         }
77 }
78
79 //-----------------------------------------------------------------------------
80 //      Removing magic quotes from nested arrays/variables
81 //
82 function strip_quotes($data)
83 {
84         if(get_magic_quotes_gpc()) {
85                 if(is_array($data)) {
86                         foreach($data as $k => $v) {
87                                 $data[$k] = strip_quotes($data[$k]);
88                         }
89                 } else
90                         return stripslashes($data);
91         }
92         return $data;
93 }
94
95 //============================================================================
96 if (!isset($path_to_root))
97 {
98         $path_to_root = ".";
99 }
100
101 // Prevent register_globals vulnerability
102 if (isset($_GET['path_to_root']) || isset($_POST['path_to_root']))
103         die("Restricted access");
104
105 include_once($path_to_root . "/frontaccounting.php");
106 include_once($path_to_root . "/includes/current_user.inc");
107 include_once($path_to_root . "/includes/lang/language.php");
108 include_once($path_to_root . "/config_db.php");
109 include_once($path_to_root . "/includes/ajax.inc");
110 include_once($path_to_root . "/includes/ui/ui_msgs.inc");
111
112 /*
113         Make sure this directory exists and is writable!
114 //      $session_save_path = dirname(__FILE__).'/../tmp/';
115 */
116
117 session_name('FrontAccounting');
118 session_start();
119 // this is to fix the "back-do-you-want-to-refresh" issue - thanx PHPFreaks
120 header("Cache-control: private");
121
122 get_text::init();
123
124 // Page Initialisation
125 if (!isset($_SESSION['languages'])) 
126 {
127         language::load_languages(); // sets also default $_SESSION['language']
128 }
129
130 language::set_language($_SESSION['language']->code);
131
132 // include $Hooks object if locale file exists
133 if(@include_once($path_to_root . "/lang/".$_SESSION['language']->code."/locale.inc")) 
134 {
135         $Hooks = new Hooks();
136 }
137
138 include_once($path_to_root . "/config.php");
139 include_once($path_to_root . "/includes/main.inc");
140
141 // Ajax communication object
142 $Ajax =& new Ajax();
143
144 // js/php validation rules container
145 $Validate = array();
146
147 // intercept all output to destroy it in case of ajax call
148 register_shutdown_function('end_flush');
149 ob_start('output_html',0);
150
151 // colect all error msgs
152 set_error_handler('error_handler' /*, errtypes */);
153
154 if (!isset($_SESSION["wa_current_user"]))
155         $_SESSION["wa_current_user"] = new current_user();
156 set_global_connection();
157
158 if (!$_SESSION["wa_current_user"]->logged_in())
159 {
160         // Show login screen
161         if (!isset($_POST["user_name_entry_field"]) or $_POST["user_name_entry_field"] == "")
162         {
163                 include($path_to_root . "/access/login.php");
164                 $Ajax->redirect($path_to_root . "/access/login.php");
165                 exit;
166         } else {
167                 $succeed = $_SESSION["wa_current_user"]->login($_POST["company_login_name"],
168                         $_POST["user_name_entry_field"],
169                         md5($_POST["password"]));
170                 // select full vs fallback ui mode on login
171                 $_SESSION["wa_current_user"]->ui_mode = $_POST['ui_mode'];
172                 if (!$succeed)
173                 {
174                         // Incorrect password
175                         login_fail();
176                 }
177                 $lang = $_SESSION['language'];
178                 language::set_language($_SESSION['language']->code);
179         }
180 }
181
182 if (!isset($_SESSION["App"])) {
183         $_SESSION["App"] = new front_accounting();
184         $_SESSION["App"]->init();
185 }
186
187 // Run with debugging messages for the system administrator(s) but not anyone else
188 /*if (in_array(15, $security_groups[$_SESSION["AccessLevel"]])) {
189         $debug = 1;
190 } else {
191         $debug = 0;
192 }*/
193
194 //----------------------------------------------------------------------------------------
195
196 check_page_security($page_security);
197
198 // POST vars cleanup needed for direct reuse.
199 // We quote all values later with db_escape() before db update.
200         $_POST = strip_quotes($_POST);
201
202 ?>
FrontAccounting stable branch