| ︙ | | | ︙ | |
19
20
21
22
23
24
25
26
27
28
29
30
31
32
|
** Author contact information:
** drh@hwaci.com
** http://www.hwaci.com/drh/
**
*******************************************************************************
**
** This file contains code for generating the login and logout screens.
*/
#include "config.h"
#include "login.h"
#include <time.h>
/*
** Return the name of the login cookie
|
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
|
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
|
** Author contact information:
** drh@hwaci.com
** http://www.hwaci.com/drh/
**
*******************************************************************************
**
** This file contains code for generating the login and logout screens.
**
** Notes:
**
** There are two special-case user-ids: "anonymous" and "nobody".
** The capabilities of the nobody user are available to anyone,
** regardless of whether or not they are logged in. The capabilities
** of anonymous are only available after logging in, but the login
** screen displays the password for the anonymous login, so this
** should not prevent a human user from doing so.
**
** The nobody user has capabilities that you want spiders to have.
** The anonymous user has capabilities that you want people without
** logins to have.
**
** Of course, a sophisticated spider could easily circumvent the
** anonymous login requirement and walk the website. But that is
** not really the point. The anonymous login keeps search-engine
** crawlers and site download tools like wget from walking change
** logs and downloading diffs of very version of the archive that
** has ever existed, and things like that.
*/
#include "config.h"
#include "login.h"
#include <time.h>
/*
** Return the name of the login cookie
|
| ︙ | | | ︙ | |
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
|
** WEBPAGE: /logout
**
** Generate the login page
*/
void login_page(void){
const char *zUsername, *zPasswd, *zGoto;
const char *zNew1, *zNew2;
char *zErrMsg = "";
login_check_credentials();
zUsername = P("u");
zPasswd = P("p");
zGoto = PD("g","index");
if( P("out")!=0 ){
const char *zCookieName = login_cookie_name();
cgi_set_cookie(zCookieName, "", 0, -86400);
cgi_redirect(zGoto);
}
if( !g.isAnon && zPasswd && (zNew1 = P("n1"))!=0 && (zNew2 = P("n2"))!=0 ){
if( db_int(1, "SELECT 0 FROM user"
" WHERE uid=%d AND pw=%Q", g.userUid, zPasswd) ){
sleep(1);
zErrMsg =
@ <p><font color="red">
@ You entered an incorrect old password while attempting to change
@ your password. Your password is unchanged.
|
>
|
|
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
|
** WEBPAGE: /logout
**
** Generate the login page
*/
void login_page(void){
const char *zUsername, *zPasswd, *zGoto;
const char *zNew1, *zNew2;
const char *zAnonPw;
char *zErrMsg = "";
login_check_credentials();
zUsername = P("u");
zPasswd = P("p");
zGoto = PD("g","index");
if( P("out")!=0 ){
const char *zCookieName = login_cookie_name();
cgi_set_cookie(zCookieName, "", 0, -86400);
cgi_redirect(zGoto);
}
if( g.okPassword && zPasswd && (zNew1 = P("n1"))!=0 && (zNew2 = P("n2"))!=0 ){
if( db_int(1, "SELECT 0 FROM user"
" WHERE uid=%d AND pw=%Q", g.userUid, zPasswd) ){
sleep(1);
zErrMsg =
@ <p><font color="red">
@ You entered an incorrect old password while attempting to change
@ your password. Your password is unchanged.
|
| ︙ | | | ︙ | |
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
|
db_multi_exec(
"UPDATE user SET pw=%Q WHERE uid=%d", zNew1, g.userUid
);
cgi_redirect("index");
return;
}
}
if( zUsername!=0 && zPasswd!=0 && strcmp(zUsername,"anonymous")!=0 ){
int uid = db_int(0,
"SELECT uid FROM user"
" WHERE login=%Q AND pw=%Q", zUsername, zPasswd);
if( uid<=0 ){
sleep(1);
zErrMsg =
@ <p><font color="red">
@ You entered an unknown user or an incorrect password.
@ </font></p>
;
}else{
char *zCookie;
const char *zCookieName = login_cookie_name();
const char *zIpAddr = PD("REMOTE_ADDR","nil");
int expires;
zCookie = db_text(0, "SELECT '%d/' || hex(randomblob(25))", uid);
expires = atoi(zExpire)*3600;
cgi_set_cookie(zCookieName, zCookie, 0, expires);
db_multi_exec(
"UPDATE user SET cookie=%Q, ipaddr=%Q, "
" cexpire=julianday('now')+%d/86400.0 WHERE uid=%d",
zCookie, zIpAddr, expires, uid
);
cgi_redirect(zGoto);
}
}
style_header("Login/Logout");
@ %s(zErrMsg)
@ <form action="login" method="POST">
if( P("g") ){
|
|
|
<
|
>
|
>
>
>
|
<
|
|
|
|
|
|
>
|
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
|
db_multi_exec(
"UPDATE user SET pw=%Q WHERE uid=%d", zNew1, g.userUid
);
cgi_redirect("index");
return;
}
}
if( zUsername!=0 && zPasswd!=0 ){
int uid = db_int(0,
"SELECT uid FROM user"
" WHERE login=%Q AND pw=%Q", zUsername, zPasswd);
if( uid<=0 || strcmp(zUsername,"nobody")==0 ){
sleep(1);
zErrMsg =
@ <p><font color="red">
@ You entered an unknown user or an incorrect password.
@ </font></p>
;
}else{
char *zCookie;
const char *zCookieName = login_cookie_name();
const char *zExpire = db_get("cookie-expire","8766");
int expires = atoi(zExpire)*3600;
const char *zIpAddr = PD("REMOTE_ADDR","nil");
if( strcmp(zUsername, "anonymous")==0 ){
cgi_set_cookie(zCookieName, "anonymous", 0, expires);
}else{
zCookie = db_text(0, "SELECT '%d/' || hex(randomblob(25))", uid);
cgi_set_cookie(zCookieName, zCookie, 0, expires);
db_multi_exec(
"UPDATE user SET cookie=%Q, ipaddr=%Q, "
" cexpire=julianday('now')+%d/86400.0 WHERE uid=%d",
zCookie, zIpAddr, expires, uid
);
}
cgi_redirect(zGoto);
}
}
style_header("Login/Logout");
@ %s(zErrMsg)
@ <form action="login" method="POST">
if( P("g") ){
|
| ︙ | | | ︙ | |
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
|
@ <td><input type="password" name="p" value="" size=30></td>
@ </tr>
@ <tr>
@ <td></td>
@ <td><input type="submit" name="in" value="Login"></td>
@ </tr>
@ </table>
if( g.isAnon || g.zLogin==0 || g.zLogin[0]==0 ){
@ <p>To login
}else{
@ <p>You are current logged in as <b>%h(g.zLogin)</b></p>
@ <p>To change your login to a different user
}
@ enter the user-id and password at the left and press the
@ "Login" button. Your user name will be stored in a browser cookie.
@ You must configure your web browser to accept cookies in order for
@ the login to take.</p>
if( db_exists("SELECT uid FROM user WHERE login='anonymous'") ){
@ <p>This server is configured to allow limited access to users
@ who are not logged in.</p>
}
if( !g.isAnon ){
@ <br clear="both"><hr>
@ <p>To log off the system (and delete your login cookie)
@ press the following button:<br>
@ <input type="submit" name="out" value="Logout"></p>
}
@ </form>
if( !g.isAnon ){
@ <br clear="both"><hr>
@ <p>To change your password, enter your old password and your
@ new password twice below then press the "Change Password"
@ button.</p>
@ <form action="login" method="POST">
@ <table>
@ <tr><td align="right">Old Password:</td>
|
|
>
>
|
<
>
>
>
|
>
>
>
|
>
|
|
|
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
|
@ <td><input type="password" name="p" value="" size=30></td>
@ </tr>
@ <tr>
@ <td></td>
@ <td><input type="submit" name="in" value="Login"></td>
@ </tr>
@ </table>
if( g.zLogin==0 ){
@ <p>To login
}else{
@ <p>You are current logged in as <b>%h(g.zLogin)</b></p>
@ <p>To change your login to a different user
}
@ enter the user-id and password at the left and press the
@ "Login" button. Your user name will be stored in a browser cookie.
@ You must configure your web browser to accept cookies in order for
@ the login to take.</p>
if( g.zLogin==0 ){
zAnonPw = db_text(0, "SELECT pw FROM user"
" WHERE login='anonymous'"
" AND cap!=''");
if( zAnonPw ){
@ <p>If you do not have a user-id, enter "<b>anonymous</b>" with a
@ password of "<b>%h(zAnonPw)</b>".</p>
}else{
@ <p>A valid user-id and password is required. Anonymous access
@ is not allowed on this installation.</p>
}
}
if( g.zLogin ){
@ <br clear="both"><hr>
@ <p>To log off the system (and delete your login cookie)
@ press the following button:<br>
@ <input type="submit" name="out" value="Logout"></p>
}
@ </form>
if( g.okPassword ){
@ <br clear="both"><hr>
@ <p>To change your password, enter your old password and your
@ new password twice below then press the "Change Password"
@ button.</p>
@ <form action="login" method="POST">
@ <table>
@ <tr><td align="right">Old Password:</td>
|
| ︙ | | | ︙ | |
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
|
void login_check_credentials(void){
int uid = 0;
const char *zCookie;
const char *zRemoteAddr;
const char *zCap = 0;
/* Only run this check once. */
if( g.zLogin!=0 ) return;
/* If the HTTP connection is coming over 127.0.0.1 and if
** local login is disabled, then there is no need to check
** user credentials.
*/
zRemoteAddr = PD("REMOTE_ADDR","nil");
if( strcmp(zRemoteAddr, "127.0.0.1")==0
&& db_get_int("authenticate-localhost",1)==0 ){
uid = db_int(0, "SELECT uid FROM user WHERE cap LIKE '%%s%%'");
g.zLogin = db_text("?", "SELECT login FROM user WHERE uid=%d", uid);
zCap = "s";
g.noPswd = 1;
g.isAnon = 0;
if( uid==0 ){
if( (zCookie = P(login_cookie_name()))!=0 ){
}else{
uid = db_int(0, "SELECT uid FROM user WHERE login='anonymous'");
}
}
if( uid==0 ){
g.isAnon = 1;
g.zLogin = "";
zCap = db_get("nologin-cap","onrj");
}else if( zCap==0 ){
Stmt s;
db_prepare(&s, "SELECT login, cap FROM user WHERE uid=%d", uid);
db_step(&s);
g.zLogin = db_column_malloc(&s, 0);
zCap = db_column_malloc(&s, 1);
g.isAnon = 0;
db_finalize(&s);
}
g.userUid = uid;
login_set_capabilities(zCap);
}
/*
** Set the global capability flags based on a capability string.
*/
void login_set_capabilities(const char *zCap){
|
|
<
<
|
>
|
|
>
|
|
>
>
|
>
|
|
|
|
|
<
|
|
>
|
|
>
>
|
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
|
void login_check_credentials(void){
int uid = 0;
const char *zCookie;
const char *zRemoteAddr;
const char *zCap = 0;
/* Only run this check once. */
if( g.userUid!=0 ) return;
/* If the HTTP connection is coming over 127.0.0.1 and if
** local login is disabled, then there is no need to check
** user credentials.
*/
zRemoteAddr = PD("REMOTE_ADDR","nil");
if( strcmp(zRemoteAddr, "127.0.0.1")==0
&& db_get_int("authenticate-localhost",1)==0 ){
uid = db_int(0, "SELECT uid FROM user WHERE cap LIKE '%%s%%'");
g.zLogin = db_text("?", "SELECT login FROM user WHERE uid=%d", uid);
zCap = "s";
g.noPswd = 1;
}
/* Check the login cookie to see if it matches a known valid user.
*/
if( uid==0 && (zCookie = P(login_cookie_name()))!=0 ){
if( isdigit(zCookie[0]) ){
uid = db_int(0,
"SELECT uid FROM user"
" WHERE uid=%d"
" AND cookie=%Q"
" AND ipaddr=%Q"
" AND cexpire>julianday('now')",
atoi(zCookie), zCookie, zRemoteAddr
);
}else if( zCookie[0]=='a' ){
uid = db_int(0, "SELECT uid FROM user WHERE login='anonymous'");
}
}
if( uid==0 ){
uid = db_int(0, "SELECT uid FROM user WHERE login='nobody'");
if( uid==0 ){
uid = -1;
zCap = "";
}
}
if( zCap==0 ){
if( uid ){
Stmt s;
db_prepare(&s, "SELECT login, cap FROM user WHERE uid=%d", uid);
db_step(&s);
g.zLogin = db_column_malloc(&s, 0);
zCap = db_column_malloc(&s, 1);
db_finalize(&s);
}
if( zCap==0 ){
zCap = "";
}
}
g.userUid = uid;
login_set_capabilities(zCap);
}
/*
** Set the global capability flags based on a capability string.
*/
void login_set_capabilities(const char *zCap){
|
| ︙ | | | ︙ | |