
webERP 的 session.inc 源碼分析

首先看 session.inc：它負責會話處理，每個頁面載入時都會經由它執行登入驗證與頁面權限檢查，因此這個文件對整個系統的安全相當重要。
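/* $Revision: 1.48 $ */
// Upstream revision marker.

// Bootstrap that every webERP page runs before anything else: locate the
// application root, read config.php, configure and start the PHP session,
// then load the language, database and date helpers used further down.

if (!isset($PathPrefix)) {
	$PathPrefix = '';
}
// Scripts living in sub-directories set $PathPrefix so the relative
// includes below still resolve to the application root.

include($PathPrefix . 'config.php');
// config.php presumably defines $SessionSavePath (optional),
// $SessionLifeTime and $MaximumExecutionTime, which are read below.

if (isset($SessionSavePath)) {
	session_save_path($SessionSavePath);
}

// FIX: php.ini directive names are case-sensitive. The original spelled
// this one 'session.gc_Maxlifetime', which ini_set() rejects (it returns
// false), so the configured lifetime was never applied and sessions lived
// for the server default instead.
ini_set('session.gc_maxlifetime', $SessionLifeTime);
ini_set('max_execution_time', $MaximumExecutionTime);

// Keep the session cookie out of reach of page script; nothing in this
// file needs the id from JavaScript. Consider also
// ini_set('session.use_only_cookies', 1) once no link carries the id in
// the URL, which closes the URL-based session-fixation route.
ini_set('session.cookie_httponly', 1);

session_start();

include($PathPrefix . 'includes/LanguageSetup.php'); // language / gettext setup
include($PathPrefix . 'includes/ConnectDB.inc');      // presumably opens the DB connection ($db used below)
include($PathPrefix . 'includes/DateFunctions.inc');  // date helpers (DateDiff, ConvertSQLDate used below)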

// Failed-login counter, kept in the session. It is incremented on every
// request that reaches the login path without a valid session and, once it
// reaches 5, the posted user id is marked blocked (see the security block
// below). To disable the counter, un-comment the reset line.
//$_SESSION['AttemptsCounter'] = 0;

// NOTE(review): because the counter lives in the session, a client that
// discards its session cookie starts again from zero, so this does not
// throttle password guessing; it only locks the targeted account.
isset($_SESSION['AttemptsCounter']) or $_SESSION['AttemptsCounter'] = 0;

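if (!isset($AllowAnyone)) { /* only do security checks if AllowAnyone is not true */

	// Authentication gate. A login round-trip is forced when the session has
	// no AccessLevel yet (nobody logged in) or when the login form has just
	// been posted with a user name (a new login replaces any existing one).
	if (!isset($_SESSION['AccessLevel']) OR $_SESSION['AccessLevel'] == '' OR
		(isset($_POST['UserNameEntryField']) AND $_POST['UserNameEntryField'] != '')) {

		/* if not logged in */

		// Clear every identity-bearing session value first so that a failed or
		// abandoned login cannot leave privileges from an earlier session behind.
		$_SESSION['AccessLevel'] = '';
		$_SESSION['CustomerID'] = '';
		$_SESSION['UserBranch'] = '';
		$_SESSION['Module'] = '';
		$_SESSION['PageSize'] = '';
		$_SESSION['UserStockLocation'] = '';
		// Counts every pass through this path, including plain visits that only
		// display the login form, not just rejected passwords.
		$_SESSION['AttemptsCounter']++;

		$theme = 'professional';

		// Show login screen
		if (!isset($_POST['UserNameEntryField']) or $_POST['UserNameEntryField'] == '') {
			include($PathPrefix . 'includes/Login.php');
			exit;
		}

		// Look the user up by id and password. CryptPass() is applied to the
		// DB-escaped password, so a password containing a quote or backslash is
		// hashed in its escaped form; that only matches if the stored value was
		// produced the same way (the code that sets passwords is not in this
		// file - verify).
		//
		// NOTE(review): the second OR clause also accepts whatever is stored in
		// www_users.password as the password. With $CryptFunction set to sha1/md5
		// that makes the hash itself a valid credential, so anyone holding a copy
		// of the table (backup, dump, injection elsewhere) can log in without
		// cracking it. It looks like a compatibility path for rows that still
		// hold unhashed passwords; remove it once those rows are migrated.
		$sql = "SELECT www_users.fullaccess,
			www_users.customerid,
			www_users.lastvisitdate,
			www_users.pagesize,
			www_users.defaultlocation,
			www_users.branchcode,
			www_users.modulesallowed,
			www_users.blocked,
			www_users.realname,
			www_users.theme,
			www_users.displayrecordsmax,
			www_users.userid,
			www_users.language
			FROM www_users
			WHERE www_users.userid='" . DB_escape_string($_POST['UserNameEntryField']) . "'
			AND (www_users.password='" . CryptPass(DB_escape_string($_POST['Password'])) . "'
			OR www_users.password='" . DB_escape_string($_POST['Password']) . "')";
		$Auth_Result = DB_query($sql, $db);

		// Populate session variables with data base results
		if (DB_num_rows($Auth_Result) > 0) {
			// Column order follows the SELECT above:
			//  0 fullaccess  1 customerid  2 lastvisitdate  3 pagesize
			//  4 defaultlocation  5 branchcode  6 modulesallowed  7 blocked
			//  8 realname  9 theme  10 displayrecordsmax  11 userid  12 language
			$myrow = DB_fetch_row($Auth_Result);
			if ($myrow[7]==1){
				//the account is blocked
				die(include($PathPrefix . 'includes/FailedLogin.php'));
			}

			// FIX: swap the session id once the caller has authenticated. Without
			// this, an id planted in the victim's browser before login (session
			// fixation) turns into a fully privileged session after they log in.
			session_regenerate_id(true);

			/*reset the attempts counter on successful login */
			$_SESSION['AttemptsCounter'] = 0;
			$_SESSION['AccessLevel'] = $myrow[0];
			$_SESSION['CustomerID'] = $myrow[1];
			$_SESSION['UserBranch'] = $myrow[5];
			$_SESSION['DefaultPageSize'] = $myrow[3];
			$_SESSION['UserStockLocation'] = $myrow[4];
			$_SESSION['ModulesEnabled'] = explode(",", $myrow[6]);
			$_SESSION['UsersRealName'] = $myrow[8];
			$_SESSION['Theme'] = $myrow[9];
			$_SESSION['UserID'] = $myrow[11];
			$_SESSION['Language'] = $myrow[12];

			if ($myrow[10] > 0) {
				$_SESSION['DisplayRecordsMax'] = $myrow[10];
			} else {
				$_SESSION['DisplayRecordsMax'] = $_SESSION['DefaultDisplayRecordsMax']; // default comes from config.php
			}

			// Record the visit. Only the hashed-password form is matched here, so
			// a row that matched the login query through the clear-text OR clause
			// above does not get its lastvisitdate updated.
			$sql = "UPDATE www_users SET lastvisitdate='". date("Y-m-d H:i:s") ."'
				WHERE www_users.userid='" . DB_escape_string($_POST['UserNameEntryField']) . "'
				AND www_users.password='" . CryptPass(DB_escape_string($_POST['Password'])) ."'";
			$Auth_Result = DB_query($sql, $db);

			/*get the security tokens that the user has access to */
			// AccessLevel is the fullaccess column just read from the database,
			// not request data, which is why it is interpolated unquoted here.
			$sql = 'SELECT tokenid FROM securitygroups
				WHERE secroleid = ' . $_SESSION['AccessLevel'];
			$Sec_Result = DB_query($sql, $db);

			$_SESSION['AllowedPageSecurityTokens'] = array();
			if (DB_num_rows($Sec_Result)==0){
				// A role with no tokens can never pass the page check, so report
				// it now rather than leave a session that fails on every page.
				$title = _('Account Error Report');
				include($PathPrefix . 'includes/header.inc');
				echo '


';
				prnMsg(_('Your user role does not have any access defined for webERP. There is an error in the security setup for this user account'),'error');
				include($PathPrefix . 'includes/footer.inc');
				exit;
			} else {
				$i=0;
				while ($myrow = DB_fetch_row($Sec_Result)){
					$_SESSION['AllowedPageSecurityTokens'][$i] = $myrow[0];
					$i++;
				}
			}

			// NOTE(review): this echo is the only output of a successful login;
			// the markup it carried appears to be missing from this copy. The
			// request ends here and the page originally asked for is not rendered.
			echo "


";
			exit;
		} else { // Incorrect password
			// 5 login attempts, show failed login screen
			// The counter was initialised and incremented above, so the first
			// branch cannot fire any more; retained, it is harmless.
			if (!isset($_SESSION['AttemptsCounter'])) {
				$_SESSION['AttemptsCounter'] = 0;
			} elseif ($_SESSION['AttemptsCounter'] >= 5 AND isset($_POST['UserNameEntryField'])) {
				/*User blocked from future accesses until sysadmin releases */
				// FIX: the posted user id was interpolated into this UPDATE raw,
				// while every other query in this file escapes it. That is an SQL
				// injection reachable by any unauthenticated client once the
				// counter reaches five; DB_escape_string() closes it.
				//
				// NOTE(review): even escaped, this lets anyone lock any account by
				// posting wrong passwords for that user id, and because the
				// counter lives in the session a guesser who discards the cookie
				// is never throttled. A server-side counter keyed on the user id
				// (and/or client address) would address both.
				$sql = "UPDATE www_users
					SET blocked=1
					WHERE www_users.userid='" . DB_escape_string($_POST['UserNameEntryField']) . "'";
				$Auth_Result = DB_query($sql, $db);
				die(include($PathPrefix . 'includes/FailedLogin.php'));
			}
			// NOTE(review): the opening quote of the next statement is unbalanced
			// in this copy (the markup it wrapped was stripped); as written it
			// does not parse - restore the text from the upstream file.
			$demo_text = " . _('incorrect password') . '
' . _('The user/password combination') . '
' . _('is not a valid user of the system') . '
';
			die(include($PathPrefix . 'includes/Login.php'));
		}
	} // End of userid/password check
} /* only do security checks if AllowAnyone is not true */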

/*User is logged in so get configuration parameters - save in session*/
include($PathPrefix . 'includes/GetConfig.php');

// Periodic database maintenance: when an interval (in days) is configured
// and more than that many days have passed since the last recorded run,
// run DB_Maintenance() and stamp today as the new last-run date.
if (isset($_SESSION['DB_Maintenance']) && $_SESSION['DB_Maintenance'] != 0) {
	$daysSinceLastRun = DateDiff(
		Date($_SESSION['DefaultDateFormat']),
		ConvertSQLDate($_SESSION['DB_Maintenance_LastRun']),
		'd'
	);
	if ($daysSinceLastRun > $_SESSION['DB_Maintenance']) {
		/*Do the DB maintenance routing for the DB_type selected */
		DB_Maintenance($db);
		$_SESSION['DB_Maintenance_LastRun'] = Date('Y-m-d');
	}
}

// Resolve the UI theme for this request, in priority order: a theme just
// posted by the user, then the one already in the session, then the
// configured default. The result is saved back to the session and exposed
// as $theme for the page templates.
//
// NOTE(review): $_POST['Theme'] is stored as-is. If the theme name is used
// elsewhere to build an include or asset path, it should first be checked
// against the installed themes - no such validation happens here.
if (isset($_POST['Theme'])) {
	$theme = $_POST['Theme'];
} elseif (isset($_SESSION['Theme'])) {
	$theme = $_SESSION['Theme'];
} else {
	$theme = $_SESSION['DefaultTheme'];
}
$_SESSION['Theme'] = $theme;

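// Refuse to serve the page over plain HTTP when the configuration demands TLS.
// NOTE(review): this runs after the login form above has already been
// processed (that path exits before reaching here), so the credentials in
// the login POST itself are never covered by this check. $_SERVER['HTTPS']
// is also commonly absent behind a TLS-terminating proxy, in which case
// every request would be refused here.
if (isset($_SESSION['HTTPS_Only']) && $_SESSION['HTTPS_Only'] == 1) {
	// isset() guard avoids an undefined-index notice on plain-HTTP requests;
	// the outcome is unchanged (a missing value still fails the check).
	if (!isset($_SERVER['HTTPS']) || $_SERVER['HTTPS'] != 'on') {
		prnMsg(_('webERP is configured to allow only secure socket connections. Pages must be called with https://') . ' .....','error');
		exit;
	}
}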


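// Run with debugging messages for the system administrator(s) but not anyone
// else: security token 15 is treated as the administrator token here.
// FIX: when $AllowAnyone is set the login block above is skipped and the
// token list may not exist in the session at all; in_array() on a missing
// value is a warning on PHP 7 and a TypeError on PHP 8, so guard it. The
// comparison stays non-strict because the token ids come from the database
// and may be strings.
$debug = 0;
if (isset($_SESSION['AllowedPageSecurityTokens'])
	&& is_array($_SESSION['AllowedPageSecurityTokens'])
	&& in_array(15, $_SESSION['AllowedPageSecurityTokens'])) {
	$debug = 1;
}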

// Now check that the logged-in user has access to the page being called. The $PageSecurity
// value must be set by the calling script before this file is included. The tokens the user
// may use were loaded from the securitygroups table into $_SESSION['AllowedPageSecurityTokens']
// at login; a system administrator can modify those definitions under Setup.


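// A logged-in user must carry a list of allowed security tokens, otherwise no
// page-level permission decision can be made. Pages that opted out through
// $AllowAnyone skip this.
// FIX: test $AllowAnyone and isset() first so an anonymous request on an
// $AllowAnyone page does not trip an undefined-index notice on the session
// array; the decision itself is unchanged.
if (!isset($AllowAnyone)
	AND (!isset($_SESSION['AllowedPageSecurityTokens']) OR !is_array($_SESSION['AllowedPageSecurityTokens']))) {
	$title = _('Account Error Report');
	include($PathPrefix . 'includes/header.inc');
	echo '


';
	prnMsg(_('Security settings have not been defined for your user account. Please advise your system administrator. It could also be that there is a session problem with your PHP web server'),'error');
	include($PathPrefix . 'includes/footer.inc');
	exit;
}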

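// Page-level authorization: the calling script must have set $PageSecurity
// to the token it requires, and that token must be in the user's allowed
// list. Pages that opt out via $AllowAnyone skip this entirely.
if (!isset($AllowAnyone)) {
	// FIX: test isset() before in_array() so a script that forgot to set
	// $PageSecurity is refused without first raising an undefined-variable
	// notice. in_array() is deliberately non-strict: token ids are read from
	// the database and may be strings while $PageSecurity is usually an
	// integer literal in the calling script.
	if (!isset($PageSecurity) OR !in_array($PageSecurity, $_SESSION['AllowedPageSecurityTokens'])) {
		$title = _('Security Permissions Problem');
		include($PathPrefix . 'includes/header.inc');
		echo '




';
		// NOTE(review): the "[size=+1]" fragments look like markup residue in
		// this copy; the upstream text should be checked before use.
		echo '[size=+1] [size=+1]' . _('The security settings on your account do not permit you to access this function') . '';

		echo '

';

		include($PathPrefix . 'includes/footer.inc');
		exit;
	}
}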

/**
 * Transform a clear-text password into the form compared against
 * www_users.password.
 *
 * The algorithm is chosen by the global $CryptFunction (from config.php):
 * 'sha1' or 'md5' yield the corresponding hex digest; any other value, or an
 * unset variable, returns the password unchanged, i.e. clear-text storage.
 *
 * NOTE(review): unsalted md5/sha1 are not acceptable password hashes (fast
 * to brute-force, equal passwords share a digest). password_hash() /
 * password_verify() is the right replacement, but the login query above
 * compares the digest as a string inside SQL, so the change has to be made
 * there too; flagged here rather than altered in isolation.
 *
 * @param string $Password clear-text password as submitted
 * @return string digest, or the clear-text value when no algorithm is set
 */
function CryptPass( $Password ) {
	global $CryptFunction;
	$algorithm = isset($CryptFunction) ? $CryptFunction : '';
	switch ($algorithm) {
		case 'sha1':
			return sha1($Password);
		case 'md5':
			return md5($Password);
		default:
			return $Password;
	}
}
?>