X-Git-Url: http://wagnertech.de/gitweb/gitweb.cgi/timetracker.git/blobdiff_plain/725af06a89e5a7014dfdc9081222f313a58a6bb6..HEAD:/WEB-INF/lib/ttRegistrator.class.php?ds=sidebyside diff --git a/WEB-INF/lib/ttRegistrator.class.php b/WEB-INF/lib/ttRegistrator.class.php index 8e755837..e054fe00 100644 --- a/WEB-INF/lib/ttRegistrator.class.php +++ b/WEB-INF/lib/ttRegistrator.class.php @@ -26,6 +26,9 @@ // | https://www.anuko.com/time_tracker/credits.htm // +----------------------------------------------------------------------+ +import('ttUserHelper'); +import('ttRoleHelper'); + // ttRegistrator class is used to register a user in Time Tracker. class ttRegistrator { var $user_name = null; // User name. @@ -67,7 +70,7 @@ class ttRegistrator { function validate() { global $i18n; - if (!ttValidString($this->group_name, true)) + if (!ttValidString($this->group_name)) $this->err->add($i18n->get('error.field'), $i18n->get('label.group_name')); if (!ttValidString($this->currency, true)) $this->err->add($i18n->get('error.field'), $i18n->get('label.currency')); @@ -83,6 +86,8 @@ class ttRegistrator { $this->err->add($i18n->get('error.not_equal'), $i18n->get('label.password'), $i18n->get('label.confirm_password')); if (!ttValidEmail($this->email, true)) $this->err->add($i18n->get('error.field'), $i18n->get('label.email')); + if (!ttUserHelper::canAdd()) + $this->err->add($i18n->get('error.user_count')); } // The register function registers a user in Time Tracker. @@ -115,7 +120,6 @@ class ttRegistrator { return false; } - import('ttRoleHelper'); if (!ttRoleHelper::createPredefinedRoles($this->group_id, $this->lang)) { $err->add($i18n->get('error.db')); return false; @@ -124,7 +128,7 @@ class ttRegistrator { $this->user_id = $this->createUser(); if (!$this->user_id) { - $err->add($i18n->get('error.db')); + $this->err->add($i18n->get('error.db')); return false; } @@ -141,13 +145,16 @@ class ttRegistrator { function createGroup() { $mdb2 = getConnection(); + $group_key = $mdb2->quote(ttRandomString()); $name = $mdb2->quote($this->group_name); $currency = $mdb2->quote($this->currency); $lang = $mdb2->quote($this->lang); + $plugins = $mdb2->quote(defined('DEFAULT_PLUGINS') ? DEFAULT_PLUGINS : null); $created = 'now()'; $created_ip = $mdb2->quote($_SERVER['REMOTE_ADDR']); - $sql = "insert into tt_groups (name, currency, lang, created, created_ip) values($name, $currency, $lang, $created, $created_ip)"; + $sql = "insert into tt_groups (group_key, name, currency, lang, plugins, created, created_ip)". + " values($group_key, $name, $currency, $lang, $plugins, $created, $created_ip)"; $affected = $mdb2->exec($sql); if (is_a($affected, 'PEAR_Error')) return false; @@ -208,13 +215,28 @@ class ttRegistrator { return true; } - // registeredRecently determines if we already have a successful recent registration from user IP. - // "recent" means "within the last minute" and is set in a query by the following condition: - // "and created > now() - interval 1 minute". Change if necessary. + // registeredRecently determines if we already have successful recent registration(s) from user IP. + // "recent" means the following: + // - 2 or more registrations during last 10 minutes, or + // - 1 registration during last minute. + // + // This offers some level of protection from bot registrations. function registeredRecently() { $mdb2 = getConnection(); $ip_part = ' created_ip = '.$mdb2->quote($_SERVER['REMOTE_ADDR']); + $sql = 'select count(*) as cnt from tt_groups where '.$ip_part.' and created > now() - interval 10 minute'; + $res = $mdb2->query($sql); + if (is_a($res, 'PEAR_Error')) + return false; + $val = $res->fetchRow(); + if ($val['cnt'] == 0) + return false; // No registrations in last 10 minutes. + if ($val['cnt'] >= 2) + return true; // 2 or more registrations in last 10 mintes. + + // If we are here, there was exactly one registration during last 10 minutes. + // Determine if it occurred within the last minute in a separate query. $sql = 'select created from tt_groups where '.$ip_part.' and created > now() - interval 1 minute'; $res = $mdb2->query($sql); if (is_a($res, 'PEAR_Error'))