includes/session.inc

   1 <?php
   2 /**********************************************************************
   3         Copyright (C) FrontAccounting, LLC.
   4         Released under the terms of the GNU General Public License, GPL,
   5         as published by the Free Software Foundation, either version 3
   6         of the License, or (at your option) any later version.
   7         This program is distributed in the hope that it will be useful,
   8         but WITHOUT ANY WARRANTY; without even the implied warranty of
   9         MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
  10         See the License here <http://www.gnu.org/licenses/gpl-3.0.html>.
  11 ***********************************************************************/
  12 function output_html($text)
  13 {
  14         global $before_box, $Ajax, $messages;
  15         // Fatal errors are not send to error_handler,
  16         // so we must check the output
  17         if ($text && preg_match('/\bFatal error(<.*?>)?:(.*)/i', $text, $m)) {
  18                 $Ajax->aCommands = array();  // Don't update page via ajax on errors
  19                 $text = preg_replace('/\bFatal error(<.*?>)?:(.*)/i','', $text);
  20                 $messages[] = array(E_ERROR, $m[2], null, null);
  21         }
  22         $Ajax->run();
  23         return  in_ajax() ? fmt_errors() : ($before_box.fmt_errors().$text);
  24 }
  25 //----------------------------------------------------------------------------------------
  26
  27 function kill_login()
  28 {
  29         session_unset();
  30         session_destroy();
  31 }
  32 //----------------------------------------------------------------------------------------
  33
  34 function login_fail()
  35 {
  36         global $path_to_root;
  37
  38         header("HTTP/1.1 401 Authorization Required");
  39         echo "<center><br><br><font size='5' color='red'><b>" . _("Incorrect Password") . "<b></font><br><br>";
  40         echo "<b>" . _("The user and password combination is not valid for the system.") . "<b><br><br>";
  41
  42         echo _("If you are not an authorized user, please contact your system administrator to obtain an account to enable you to use the system.");
  43         echo "<br><a href='$path_to_root/index.php'>" . _("Try again") . "</a>";
  44         echo "</center>";
  45
  46         kill_login();
  47         die();
  48 }
  49
  50 //----------------------------------------------------------------------------------------
  51
  52 function check_page_security($page_security)
  53 {
  54         if (!$_SESSION["wa_current_user"]->check_user_access())
  55         {
  56                 // notification after upgrade from pre-2.2 version
  57                 $msg = $_SESSION["wa_current_user"]->old_db ?
  58                          _("Security settings have not been defined for your user account.")
  59                                 . "<br>" . _("Please contact your system administrator.")
  60                         : _("Please remove \$security_groups and \$security_headings arrays from config.php file!");
  61
  62                 display_error($msg);
  63                 end_page();
  64                 kill_login();
  65                 exit;
  66         }
  67
  68         if (!$_SESSION["wa_current_user"]->can_access_page($page_security))
  69         {
  70
  71                 echo "<center><br><br><br><b>";
  72                 echo _("The security settings on your account do not permit you to access this function");
  73                 echo "</b>";
  74                 echo "<br><br><br><br></center>";
  75                 end_page();
  76                 exit;
  77         }
  78 }
  79
  80 //-----------------------------------------------------------------------------
  81 //      Removing magic quotes from nested arrays/variables
  82 //
  83 function strip_quotes($data)
  84 {
  85         if(get_magic_quotes_gpc()) {
  86                 if(is_array($data)) {
  87                         foreach($data as $k => $v) {
  88                                 $data[$k] = strip_quotes($data[$k]);
  89                         }
  90                 } else
  91                         return stripslashes($data);
  92         }
  93         return $data;
  94 }
  95
  96 //============================================================================
  97 //
  98 //
  99 function login_timeout()
 100 {
 101         // skip timeout on logout page
 102         if ($_SESSION["wa_current_user"]->logged) {
 103                 $tout = $_SESSION["wa_current_user"]->timeout;
 104                 if ($tout && (time() > $_SESSION["wa_current_user"]->last_act + $tout))
 105                 {
 106                         $_SESSION["wa_current_user"]->logged = false;
 107                 }
 108                 $_SESSION["wa_current_user"]->last_act = time();
 109         }
 110 }
 111 //============================================================================
 112 if (!isset($path_to_root))
 113 {
 114         $path_to_root = ".";
 115 }
 116
 117 // Prevent register_globals vulnerability
 118 if (isset($_GET['path_to_root']) || isset($_POST['path_to_root']))
 119         die("Restricted access");
 120
 121 include_once($path_to_root . "/includes/current_user.inc");
 122 include_once($path_to_root . "/frontaccounting.php");
 123 include_once($path_to_root . "/admin/db/security_db.inc");
 124 include_once($path_to_root . "/includes/lang/language.php");
 125 include_once($path_to_root . "/config_db.php");
 126 include_once($path_to_root . "/includes/ajax.inc");
 127 include_once($path_to_root . "/includes/ui/ui_msgs.inc");
 128
 129 /*
 130         Uncomment the setting below when using FA on shared hosting
 131         to avoid unexpeced session timeouts.
 132         Make sure this directory exists and is writable!
 133 */
 134 //ini_set('session.save_path', dirname(__FILE__).'/../tmp/');
 135
 136 ini_set('session.gc_maxlifetime', 36000); // 10hrs
 137
 138 session_name('FrontAccounting');
 139 session_start();
 140 // this is to fix the "back-do-you-want-to-refresh" issue - thanx PHPFreaks
 141 header("Cache-control: private");
 142
 143 get_text_init();
 144
 145 // Page Initialisation
 146 if (!isset($_SESSION['languages']))
 147 {
 148         load_languages(); // sets also default $_SESSION['language']
 149 }
 150
 151 $_SESSION['language']->set_language($_SESSION['language']->code);
 152
 153 // include $Hooks object if locale file exists
 154 if(@include_once($path_to_root . "/lang/".$_SESSION['language']->code."/locale.inc"))
 155 {
 156         $Hooks = new Hooks();
 157 }
 158
 159 include_once($path_to_root . "/includes/access_levels.inc");
 160 include_once($path_to_root . "/config.php");
 161 include_once($path_to_root . "/includes/main.inc");
 162
 163 // Ajax communication object
 164 $Ajax =& new Ajax();
 165
 166 // js/php validation rules container
 167 $Validate = array();
 168 // bindings for editors
 169 $Editors = array();
 170 // page help. Currently help for function keys.
 171 $Pagehelp = array();
 172
 173 $SysPrefs = new sys_prefs();
 174
 175 $Refs = new references();
 176
 177 // intercept all output to destroy it in case of ajax call
 178 register_shutdown_function('end_flush');
 179 ob_start('output_html',0);
 180
 181 // colect all error msgs
 182 set_error_handler('error_handler' /*, errtypes */);
 183
 184 if (!isset($_SESSION["wa_current_user"]))
 185         $_SESSION["wa_current_user"] = new current_user();
 186
 187 set_global_connection();
 188
 189 // logout.php is the only page we should have always
 190 // accessable regardless of access level and current login status.
 191 if (strstr($_SERVER['PHP_SELF'], 'logout.php') == false){
 192
 193         login_timeout();
 194
 195         if (!$_SESSION["wa_current_user"]->logged_in())
 196         {
 197                 // Show login screen
 198                 if (!isset($_POST["user_name_entry_field"]) or $_POST["user_name_entry_field"] == "")
 199                 {
 200                         $_SESSION['timeout'] = array( 'uri'=> $_SERVER['REQUEST_URI'],
 201                                 'post' => $_POST);
 202
 203                         if (!in_ajax()) {
 204                                 include($path_to_root . "/access/login.php");
 205                         } else {
 206                                 // ajax update of current page elements - open login window in popup
 207                                 // to not interfere with ajaxified page.
 208                                 $Ajax->popup($path_to_root . "/access/timeout.php");
 209                         }
 210                         exit;
 211                 } else {
 212                         $succeed = $_SESSION["wa_current_user"]->login($_POST["company_login_name"],
 213                                 $_POST["user_name_entry_field"], md5($_POST["password"]));
 214                         // select full vs fallback ui mode on login
 215                         $_SESSION["wa_current_user"]->ui_mode = $_POST['ui_mode'];
 216                         if (!$succeed)
 217                         {
 218                         // Incorrect password
 219                                 login_fail();
 220                         }
 221                         $lang = &$_SESSION['language'];
 222                         $lang->set_language($_SESSION['language']->code);
 223                 }
 224         }
 225
 226         include_once($path_to_root . '/company/'.user_company().'/installed_extensions.php');
 227
 228         if (!isset($_SESSION["App"])) {
 229                 $_SESSION["App"] = new front_accounting();
 230                 $_SESSION["App"]->init();
 231         }
 232
 233         /*
 234         This call is necessary only at:
 235         . on any page with non-standard security areas
 236         . in security roles editor
 237         To be optmized  after.
 238         */
 239         add_access_extensions();
 240
 241 }
 242 // POST vars cleanup needed for direct reuse.
 243 // We quote all values later with db_escape() before db update.
 244         $_POST = strip_quotes($_POST);
 245
 246 ?>