summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorFelix Dörre <felix@dogcraft.de>2015-04-21 22:10:45 +0200
committerFelix Dörre <felix@dogcraft.de>2015-04-21 22:10:45 +0200
commit789164b7fe19751b597c1b41c52e9691e1587d5e (patch)
tree1c57fcecd0f43bb474220e9013cad98f5fade34d
parentc8ab3e8010d33158f127fe0c6a89966f9395898a (diff)
parent16cb7044fa31e618f969d6104d976a7bc087e1be (diff)
downloadcacert-devel-789164b7fe19751b597c1b41c52e9691e1587d5e.tar.gz
cacert-devel-789164b7fe19751b597c1b41c52e9691e1587d5e.tar.xz
cacert-devel-789164b7fe19751b597c1b41c52e9691e1587d5e.zip
Merge branch 'bug-1047' into bug-1050
-rw-r--r--includes/notary.inc.php61
-rwxr-xr-xscripts/db_migrations/version6.sh70
-rw-r--r--www/index.php18
3 files changed, 139 insertions, 10 deletions
diff --git a/includes/notary.inc.php b/includes/notary.inc.php
index 3b8e736..954029b 100644
--- a/includes/notary.inc.php
+++ b/includes/notary.inc.php
@@ -322,6 +322,63 @@ define('THAWTE_REVOCATION_DATETIME', '2010-11-16 00:00:00');
$rank_of_assuree = get_top_assuree_position($num_of_assurees);
}
+ /**
+ * Helper function to sum all assurance points received by the user
+ * @param int $userid
+ */
+ function get_received_assurance_points($userid)
+ {
+ $sum_points = 0;
+ $sum_experience = 0;
+ $res = get_received_assurances(intval($userid), $log);
+ while($row = mysql_fetch_assoc($res))
+ {
+ $fromuser = get_user(intval($row['from']));
+ calc_assurances($row, $sum_points, $sum_experience);
+ }
+ return $sum_points;
+ }
+
+ /**
+ * Helper function to sum all assurance points received by the user
+ * @param int $userid
+ */
+ function get_received_experience_points($userid)
+ {
+ $sum_points = 0;
+ $sum_experience = 0;
+ $res = get_received_assurances(intval($userid), $log);
+ while($row = mysql_fetch_assoc($res))
+ {
+ $fromuser = get_user(intval($row['from']));
+ calc_assurances($row, $sum_points, $sum_experience);
+ }
+ return $sum_experience;
+ }
+
+ /**
+ * Helper function to sum all points received by the user
+ * @param int $userid
+ */
+ function get_received_total_points($userid)
+ {
+ $sum_points = 0;
+ $sum_experience = 0;
+ $res = get_received_assurances(intval($userid), $log);
+ while($row = mysql_fetch_assoc($res))
+ {
+ $fromuser = get_user(intval($row['from']));
+ calc_assurances($row, $sum_points, $sum_experience);
+ }
+ return $sum_experience + $sum_points;
+ }
+
+ /**
+ * Updates the assurance points in $_SESSION['profile']
+ */
+ function update_points_in_profile(){
+ $_SESSION['profile']['points'] = get_received_total_points($_SESSION['profile']['id']);
+ }
// ************* html table definitions ******************
@@ -585,7 +642,7 @@ define('THAWTE_REVOCATION_DATETIME', '2010-11-16 00:00:00');
$log)
{
$sum_points = 0;
- $sumexperience = 0;
+ $sum_experience = 0;
$res = get_given_assurances(intval($userid), $log);
while($row = mysql_fetch_assoc($res))
{
@@ -615,7 +672,7 @@ define('THAWTE_REVOCATION_DATETIME', '2010-11-16 00:00:00');
$log)
{
$sum_points = 0;
- $sumexperience = 0;
+ $sum_experience = 0;
$res = get_received_assurances(intval($userid), $log);
while($row = mysql_fetch_assoc($res))
{
diff --git a/scripts/db_migrations/version6.sh b/scripts/db_migrations/version6.sh
new file mode 100755
index 0000000..dcba365
--- /dev/null
+++ b/scripts/db_migrations/version6.sh
@@ -0,0 +1,70 @@
+#!/bin/sh
+# LibreSSL - CAcert web application
+# Copyright (C) 2004-2011 CAcert Inc.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+
+
+
+# script to do database migrations
+
+set -e # script fails if any command fails
+
+STDIN=0
+STDOUT=1
+STDERR=2
+
+if [ "$1" = "--help" ]; then
+ cat >&$STDERR <<- USAGE
+ Usage: $0 [MYSQL_OPTIONS]
+ You have to specify all options needed by "mysql" as if you had started
+ the MySQL command line client directly (including the name of the
+ database to operate on). The MySQL user used has to have enough
+ privileges to do all necessary operations (among others CREATE, ALTER,
+ DROP, UPDATE, INSERT, DELETE).
+ You might need to enter the mysql password multiple times if you
+ specify the -p option.
+ USAGE
+ exit 1
+fi
+
+mysql_opt=" --batch --skip-column-names $@"
+
+schema_version=$( mysql $mysql_opt <<- 'SQL'
+
+ SELECT MAX(`version`) FROM `schema_version`;
+SQL
+)
+if [ $schema_version != 5 ]; then
+ cat >&$STDERR <<- ERROR
+ Error: database schema is not in the right version to do the migration!
+ Expected version: 5
+ ERROR
+ exit 2
+fi
+
+mysql $mysql_opt <<- 'SQL'
+ALTER TABLE `users` ADD `lastLoginAttempt` DATETIME NULL;
+system echo "added user column"
+
+ -- Update schema version number
+ INSERT INTO `schema_version`
+ (`version`, `when`) VALUES
+ ('6' , NOW() );
+SQL
+
+
+echo "Database successfully migrated to version 6"
+exit 0
+
diff --git a/www/index.php b/www/index.php
index e6fc06a..b54eb2f 100644
--- a/www/index.php
+++ b/www/index.php
@@ -191,7 +191,9 @@ require_once('../includes/notary.inc.php');
$query = "select * from `users` where `email`='$email' and (`password`=old_password('$pword') or `password`=sha1('$pword') or
`password`=password('$pword')) and `verified`=1 and `deleted`=0 and `locked`=0";
$res = mysql_query($query);
- if(mysql_num_rows($res) > 0)
+ $query = "SELECT 1 FROM `users` WHERE `email`='$email' and (UNIX_TIMESTAMP(`lastLoginAttempt`) < UNIX_TIMESTAMP(CURRENT_TIMESTAMP) - 5 or `lastLoginAttempt` is NULL)" ;
+ $rateLimit = mysql_num_rows(mysql_query($query)) > 0;
+ if(mysql_num_rows($res) > 0 && $rateLimit)
{
$_SESSION['profile'] = "";
unset($_SESSION['profile']);
@@ -208,10 +210,8 @@ require_once('../includes/notary.inc.php');
L10n::set_translation($_SESSION['profile']['language']);
L10n::init_gettext();
}
- $query = "select sum(`points`) as `total` from `notary` where `to`='".intval($_SESSION['profile']['id'])."' and `deleted`=0 group by `to`";
- $res = mysql_query($query);
- $row = mysql_fetch_assoc($res);
- $_SESSION['profile']['points'] = $row['total'];
+ update_points_in_profile();
+
$_SESSION['profile']['loggedin'] = 1;
if($_SESSION['profile']['Q1'] == "" || $_SESSION['profile']['Q2'] == "" ||
$_SESSION['profile']['Q3'] == "" || $_SESSION['profile']['Q4'] == "" ||
@@ -231,14 +231,16 @@ require_once('../includes/notary.inc.php');
header("location: https://".$_SERVER['HTTP_HOST']."/account.php");
}
exit;
+ } else if($rateLimit){
+ $query = "update `users` set `lastLoginAttempt`=CURRENT_TIMESTAMP WHERE `email`='$email'";
+ mysql_query($query);
}
$query = "select * from `users` where `email`='$email' and (`password`=old_password('$pword') or `password`=sha1('$pword') or
`password`=password('$pword')) and `verified`=0 and `deleted`=0";
$res = mysql_query($query);
- if(mysql_num_rows($res) <= 0)
- {
- $_SESSION['_config']['errmsg'] = _("Incorrect email address and/or Pass Phrase.");
+ if(!$rateLimit || mysql_num_rows($res) <= 0) {
+ $_SESSION['_config']['errmsg'] = _("Login failed due to incorrect email address, wrong passphrase or because the rate limit of one login per 5 seconds was hit.");
} else {
$_SESSION['_config']['errmsg'] = _("Your account has not been verified yet, please check your email account for the signup messages.");
}