国内流行的内容管理系统(CMS)多端全媒体解决方案 https://www.dedebiz.com
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

495 lines
15KB

  1. <?php
  2. if (!defined('DEDEINC')) exit('dedebiz');
  3. /**
  4. * 管理员登录
  5. *
  6. * @version $id:userlogin.class.php 15:59 2010年7月5日 tianya $
  7. * @package DedeBIZ.Libraries
  8. * @copyright Copyright (c) 2022 DedeBIZ.COM
  9. * @license https://www.dedebiz.com/license
  10. * @link https://www.dedebiz.com
  11. */
  12. session_start();
  13. /**
  14. * 检验用户是否有权使用某功能,这个函数是一个回值函数CheckPurview函数只是对他回值的一个处理过程
  15. *
  16. * @access public
  17. * @param string $n 功能名称
  18. * @return mix 如果具有则返回TRUE
  19. */
  20. function TestPurview($n)
  21. {
  22. $rs = FALSE;
  23. $purview = $GLOBALS['cuserLogin']->getPurview();
  24. if (preg_match('/admin_AllowAll/i', $purview)) {
  25. return TRUE;
  26. }
  27. if ($n == '') {
  28. return TRUE;
  29. }
  30. if (!isset($GLOBALS['groupRanks'])) {
  31. $GLOBALS['groupRanks'] = explode(' ', $purview);
  32. }
  33. $ns = explode(',', $n);
  34. foreach ($ns as $n) {
  35. //只要找到一个匹配的权限,即可认为用户有权浏览此页面
  36. if ($n == '') {
  37. continue;
  38. }
  39. if (in_array($n, $GLOBALS['groupRanks'])) {
  40. $rs = TRUE;
  41. break;
  42. }
  43. }
  44. return $rs;
  45. }
  46. /**
  47. * 对权限检测后返回操作对话框
  48. *
  49. * @access public
  50. * @param string $n 功能名称
  51. * @return string
  52. */
  53. function CheckPurview($n)
  54. {
  55. if (!TestPurview($n)) {
  56. ShowMsg("您没有权限执行此操作<br><br><a href='javascript:history.go(-1);'>点击返回上一页</a>", 'javascript:;');
  57. exit();
  58. }
  59. }
  60. /**
  61. * 是否没权限限制(超级管理员)
  62. *
  63. * @access public
  64. * @param string
  65. * @return bool
  66. */
  67. function TestAdmin()
  68. {
  69. $purview = $GLOBALS['cuserLogin']->getPurview();
  70. if (preg_match('/admin_AllowAll/i', $purview)) {
  71. return TRUE;
  72. } else {
  73. return FALSE;
  74. }
  75. }
  76. $DedeUserCatalogs = array();
  77. /**
  78. * 检测用户是否有权限操作某栏目
  79. *
  80. * @access public
  81. * @param int $cid 栏目id
  82. * @param string $msg 返回消息
  83. * @return string
  84. */
  85. function CheckCatalog($cid, $msg)
  86. {
  87. global $cfg_admin_channel, $admin_catalogs;
  88. if ($cfg_admin_channel == 'all' || TestAdmin()) {
  89. return TRUE;
  90. }
  91. if (!in_array($cid, $admin_catalogs)) {
  92. ShowMsg(" $msg <br><br><a href='javascript:history.go(-1);'>点击返回上一页</a>", 'javascript:;');
  93. exit();
  94. }
  95. return TRUE;
  96. }
  97. /**
  98. * 发布文档临时附件信息缓存、发文档前先清空附件信息
  99. * 发布文档时涉及的附件保存到缓存里,完成后把它与文档关连
  100. *
  101. * @access public
  102. * @param string $fid 文件ID
  103. * @param string $filename 文件名称
  104. * @return void
  105. */
  106. function AddMyAddon($fid, $filename)
  107. {
  108. $cacheFile = DEDEDATA.'/cache/addon-'.session_id().'.inc';
  109. if (!file_exists($cacheFile)) {
  110. $fp = fopen($cacheFile, 'w');
  111. fwrite($fp, '<'.'?php'."\r\n");
  112. fwrite($fp, "\$myaddons = array();\r\n");
  113. fwrite($fp, "\$maNum = 0;\r\n");
  114. fclose($fp);
  115. }
  116. include($cacheFile);
  117. $fp = fopen($cacheFile, 'a');
  118. $arrPos = $maNum;
  119. $maNum++;
  120. fwrite($fp, "\$myaddons[\$maNum] = array('$fid', '$filename');\r\n");
  121. fwrite($fp, "\$maNum = $maNum;\r\n");
  122. fclose($fp);
  123. }
  124. /**
  125. * 清理附件,如果关连的文档id,先把上一批附件传给这个文档id
  126. *
  127. * @access public
  128. * @param string $aid 文档id
  129. * @param string $title 文档标题
  130. * @return empty
  131. */
  132. function ClearMyAddon($aid = 0, $title = '')
  133. {
  134. global $dsql;
  135. $cacheFile = DEDEDATA.'/cache/addon-'.session_id().'.inc';
  136. $_SESSION['bigfile_info'] = array();
  137. $_SESSION['file_info'] = array();
  138. if (!file_exists($cacheFile)) {
  139. return;
  140. }
  141. //把附件与文档关连
  142. if (!empty($aid)) {
  143. include($cacheFile);
  144. foreach ($myaddons as $addons) {
  145. if (!empty($title)) {
  146. $dsql->ExecuteNoneQuery("Update `#@__uploads` set arcid='$aid',title='$title' where aid='{$addons[0]}'");
  147. } else {
  148. $dsql->ExecuteNoneQuery("Update `#@__uploads` set arcid='$aid' where aid='{$addons[0]}' ");
  149. }
  150. }
  151. }
  152. @unlink($cacheFile);
  153. }
  154. /**
  155. * 登录类
  156. *
  157. * @package userLogin
  158. * @subpackage DedeBIZ.Libraries
  159. * @link https://www.dedebiz.com
  160. */
  161. class userLogin
  162. {
  163. var $userName = '';
  164. var $userPwd = '';
  165. var $userID = '';
  166. var $adminDir = '';
  167. var $userType = '';
  168. var $userChannel = '';
  169. var $userPurview = '';
  170. var $keepUserIDTag = 'dede_admin_id';
  171. var $keepUserTypeTag = 'dede_admin_type';
  172. var $keepUserChannelTag = 'dede_admin_channel';
  173. var $keepUserNameTag = 'dede_admin_name';
  174. var $keepUserPurviewTag = 'dede_admin_purview';
  175. var $keepAdminStyleTag = 'dede_admin_style';
  176. var $adminStyle = 'DedeBIZ';
  177. //php5构造函数
  178. function __construct($admindir = '')
  179. {
  180. global $admin_path;
  181. if (isset($_SESSION[$this->keepUserIDTag])) {
  182. $this->userID = $_SESSION[$this->keepUserIDTag];
  183. $this->userType = $_SESSION[$this->keepUserTypeTag];
  184. $this->userChannel = $_SESSION[$this->keepUserChannelTag];
  185. $this->userName = $_SESSION[$this->keepUserNameTag];
  186. $this->userPurview = $_SESSION[$this->keepUserPurviewTag];
  187. $this->adminStyle = $_SESSION[$this->keepAdminStyleTag];
  188. }
  189. if ($admindir != '') {
  190. $this->adminDir = $admindir;
  191. } else {
  192. $this->adminDir = $admin_path;
  193. }
  194. }
  195. function userLogin($admindir = '')
  196. {
  197. $this->__construct($admindir);
  198. }
  199. /**
  200. * 检验用户是否正确
  201. *
  202. * @access public
  203. * @param string $username 用户名
  204. * @param string $userpwd 密码
  205. * @return string
  206. */
  207. function checkUser($username, $userpwd)
  208. {
  209. global $dsql;
  210. //只允许用户名和密码用0-9,a-z,A-Z,'@','_','.','-'这些字符
  211. $this->userName = preg_replace("/[^0-9a-zA-Z_@!\.-]/", '', $username);
  212. $this->userPwd = preg_replace("/[^0-9a-zA-Z_@!\.-]/", '', $userpwd);
  213. $pwd = substr(md5($this->userPwd), 5, 20);
  214. $dsql->SetQuery("SELECT admin.*,atype.purviews FROM `#@__admin` admin LEFT JOIN `#@__admintype` atype ON atype.`rank`=admin.usertype WHERE admin.userid LIKE '".$this->userName."' LIMIT 0,1");
  215. $dsql->Execute();
  216. $row = $dsql->GetObject();
  217. if (!isset($row->pwd)) {
  218. return -1;
  219. } else if (!empty($row->pwd_new) && !password_verify($this->userPwd, $row->pwd_new)) {
  220. $this->loginError($row->id);
  221. return -2;
  222. } else if (!empty($row->pwd) && $pwd != $row->pwd) {
  223. $this->loginError($row->id);
  224. return -2;
  225. } else {
  226. $upsql = "";
  227. if (empty($row->pwd_new) && function_exists('password_hash')) {
  228. //升级密码
  229. $newpwd = password_hash($this->userPwd, PASSWORD_BCRYPT);
  230. $upsql .= ",pwd='',pwd_new='{$newpwd}'";
  231. }
  232. $loginip = GetIP();
  233. $this->userID = $row->id;
  234. $this->userType = $row->usertype;
  235. $this->userChannel = $row->typeid;
  236. $this->userName = $row->uname;
  237. $this->userPurview = $row->purviews;
  238. $inquery = "UPDATE `#@__admin` SET loginip='$loginip',logintime='".time()."'{$upsql},loginerr=0 WHERE id='".$row->id."'";
  239. $dsql->ExecuteNoneQuery($inquery);
  240. $sql = "UPDATE `#@__member` SET logintime=".time().", loginip='$loginip' WHERE mid=".$row->id;
  241. $dsql->ExecuteNoneQuery($sql);
  242. return 1;
  243. }
  244. }
  245. /**
  246. * 是否需要验证码
  247. *
  248. * @param mixed $username
  249. * @return bool
  250. */
  251. function isNeedCheckCode($username)
  252. {
  253. $num = $this->getLoginError($username);
  254. return $num >= 3 ? true : false;
  255. }
  256. /**
  257. * 1分钟以内登录错误的次数
  258. *
  259. * @param mixed $username
  260. * @return int 登录错误次数
  261. */
  262. function getLoginError($username)
  263. {
  264. global $dsql;
  265. if (!TableHasField("#@__admin", "loginerr")) {
  266. return 0;
  267. }
  268. $this->userName = preg_replace("/[^0-9a-zA-Z_@!\.-]/", '', $username);
  269. $row = $dsql->GetOne("SELECT loginerr,logintime FROM `#@__admin` WHERE userid LIKE '$this->userName'");
  270. if (is_array($row)) {
  271. //1分钟内如果输错3次则需要验证码
  272. return (time() - (int)$row['logintime']) < 60 ? (int)$row['loginerr'] : 0;
  273. } else {
  274. return -1;
  275. }
  276. }
  277. /**
  278. * 记录登录错误
  279. *
  280. * @return void
  281. */
  282. function loginError($adminid)
  283. {
  284. global $dsql;
  285. $loginip = GetIP();
  286. $inquery = "UPDATE `#@__admin` SET loginip='$loginip',logintime='".time()."',loginerr=loginerr+1 WHERE id='".$adminid."'";
  287. $dsql->ExecuteNoneQuery($inquery);
  288. }
  289. /**
  290. * 保持用户的会话状态
  291. *
  292. * @access public
  293. * @return int 成功返回 1,失败返回 -1
  294. */
  295. function keepUser()
  296. {
  297. if ($this->userID != '' && $this->userType != '') {
  298. global $admincachefile, $adminstyle;
  299. if (empty($adminstyle)) $adminstyle = 'DedeBIZ';
  300. @session_register($this->keepUserIDTag);
  301. $_SESSION[$this->keepUserIDTag] = $this->userID;
  302. @session_register($this->keepUserTypeTag);
  303. $_SESSION[$this->keepUserTypeTag] = $this->userType;
  304. @session_register($this->keepUserChannelTag);
  305. $_SESSION[$this->keepUserChannelTag] = $this->userChannel;
  306. @session_register($this->keepUserNameTag);
  307. $_SESSION[$this->keepUserNameTag] = $this->userName;
  308. @session_register($this->keepUserPurviewTag);
  309. $_SESSION[$this->keepUserPurviewTag] = $this->userPurview;
  310. @session_register($this->keepAdminStyleTag);
  311. $_SESSION[$this->keepAdminStyleTag] = $adminstyle;
  312. PutCookie('DedeUserID', $this->userID, 3600 * 24, '/');
  313. PutCookie('DedeLoginTime', time(), 3600 * 24, '/');
  314. $this->ReWriteAdminChannel();
  315. return 1;
  316. } else {
  317. return -1;
  318. }
  319. }
  320. /**
  321. * 重写用户权限栏目
  322. *
  323. * @access public
  324. * @return void
  325. */
  326. function ReWriteAdminChannel()
  327. {
  328. //$this->userChannel
  329. $cacheFile = DEDEDATA.'/cache/admincat_'.$this->userID.'.inc';
  330. //管理员管理的栏目列表
  331. $typeid = trim($this->userChannel);
  332. if (empty($typeid) || $this->getUserType() >= 10) {
  333. $firstConfig = "\$cfg_admin_channel = 'all';\r\n\$admin_catalogs = array();\r\n";
  334. } else {
  335. $firstConfig = "\$cfg_admin_channel = 'array';\r\n";
  336. }
  337. $fp = fopen($cacheFile, 'w');
  338. fwrite($fp, '<'.'?php'."\r\n");
  339. fwrite($fp, $firstConfig);
  340. if (!empty($typeid)) {
  341. $typeids = explode(',', $typeid);
  342. $typeid = '';
  343. foreach ($typeids as $tid) {
  344. $typeid .= ($typeid == '' ? GetSonIdsUL($tid) : ','.GetSonIdsUL($tid));
  345. }
  346. $typeids = explode(',', $typeid);
  347. $typeidsnew = array_unique($typeids);
  348. $typeid = join(',', $typeidsnew);
  349. fwrite($fp, "\$admin_catalogs = array($typeid);\r\n");
  350. }
  351. fwrite($fp, '?'.'>');
  352. fclose($fp);
  353. }
  354. /**
  355. * 结束用户的会话状态
  356. *
  357. * @access public
  358. * @return void
  359. */
  360. function exitUser()
  361. {
  362. ClearMyAddon();
  363. @session_unregister($this->keepUserIDTag);
  364. @session_unregister($this->keepUserTypeTag);
  365. @session_unregister($this->keepUserChannelTag);
  366. @session_unregister($this->keepUserNameTag);
  367. @session_unregister($this->keepUserPurviewTag);
  368. DropCookie('dedeAdmindir');
  369. DropCookie('DedeUserID');
  370. DropCookie('DedeLoginTime');
  371. $_SESSION = array();
  372. }
  373. /**
  374. * 获得用户管理栏目的值
  375. *
  376. * @access public
  377. * @return array
  378. */
  379. function getUserChannel()
  380. {
  381. if ($this->userChannel != '') {
  382. return $this->userChannel;
  383. } else {
  384. return '';
  385. }
  386. }
  387. /**
  388. * 获得用户的权限值
  389. *
  390. * @access public
  391. * @return int
  392. */
  393. function getUserType()
  394. {
  395. if ($this->userType != '') {
  396. return $this->userType;
  397. } else {
  398. return -1;
  399. }
  400. }
  401. /**
  402. * 获取用户权限值
  403. *
  404. * @access public
  405. * @return int
  406. */
  407. function getUserRank()
  408. {
  409. return $this->getUserType();
  410. }
  411. /**
  412. * 获得用户的id
  413. *
  414. * @access public
  415. * @return int
  416. */
  417. function getUserID()
  418. {
  419. if ($this->userID != '') {
  420. return $this->userID;
  421. } else {
  422. return -1;
  423. }
  424. }
  425. /**
  426. * 获得用户的名称
  427. *
  428. * @access public
  429. * @return string
  430. */
  431. function getUserName()
  432. {
  433. if ($this->userName != '') {
  434. return $this->userName;
  435. } else {
  436. return -1;
  437. }
  438. }
  439. /**
  440. * 用户权限表
  441. *
  442. * @access public
  443. * @return string
  444. */
  445. function getPurview()
  446. {
  447. return $this->userPurview;
  448. }
  449. }
  450. /**
  451. * 获得某id的所有下级id
  452. *
  453. * @access public
  454. * @param int $id 栏目id
  455. * @param int $channel 栏目id
  456. * @param int $addthis 是否加入当前这个栏目
  457. * @return string
  458. */
  459. function GetSonIdsUL($id, $channel = 0, $addthis = TRUE)
  460. {
  461. global $cfg_Cs;
  462. $GLOBALS['idArray'] = array();
  463. if (!is_array($cfg_Cs)) {
  464. require_once(DEDEDATA."/cache/inc_catalog_base.inc");
  465. }
  466. GetSonIdsLogicUL($id, $cfg_Cs, $channel, $addthis);
  467. $rquery = join(',', $GLOBALS['idArray']);
  468. return $rquery;
  469. }
  470. /**
  471. * 递归逻辑
  472. *
  473. * @access public
  474. * @param int $id 栏目id
  475. * @param array $sArr 缓存数组
  476. * @param int $channel 栏目id
  477. * @param int $addthis 是否加入当前这个栏目
  478. * @return string
  479. */
  480. function GetSonIdsLogicUL($id, $sArr, $channel = 0, $addthis = FALSE)
  481. {
  482. if ($id != 0 && $addthis) {
  483. $GLOBALS['idArray'][$id] = $id;
  484. }
  485. foreach ($sArr as $k => $v) {
  486. if ($v[0] == $id && ($channel == 0 || $v[1] == $channel)) {
  487. GetSonIdsLogicUL($k, $sArr, $channel, TRUE);
  488. }
  489. }
  490. }