-rw-r--r--README.md13
-rw-r--r--config.php.example18
-rw-r--r--dbinit.sql1
-rwxr-xr-xlogin.php84
-rwxr-xr-xregister.php21
-rw-r--r--verify.php105
6 files changed, 193 insertions, 49 deletions
diff --git a/README.md b/README.md
index b7441af..556781f 100644
--- a/README.md
+++ b/README.md
@@ -1,5 +1,7 @@
-# arfnet2-csti
-ARFNET2 Client, Service, Ticket and Invoice management system
+# arfnet2-cstims
+ARFNET2 Client, Service, Ticket and Invoice Management System
+
+Depends on PHPMailer
```
User types:
@@ -23,11 +25,14 @@ FILES:
logout.php -> login.php
stops session
+ verify.php -> login.php
+ from a link, has the base64 code generated at registration sent to email for verification
+
client.php -> { order.php, openticket.php }
shows ordered services and opened tickets
helpdesk.php
view, self-assign and close tickets
- accounting.php
+ accountant.php
view invoices and change status
admin.php -> { manageusers.php, manageservices.php, managetickets.php }
shows users, services, tickets and invoices
@@ -58,7 +63,7 @@ FILES:
SQL:
Tables:
users User logins
- id autoincrement, username, password (hash), email, email verification code, user type { client, helpdesk, accountant, admin }, register date
+ id autoincrement, username, password (hash), email, email verification code, status { verified, unverified }, type { client, helpdesk, accountant, admin }, register date
services Available services and management notes etc
id autoincrement, name, type, billing, description
orders
diff --git a/config.php.example b/config.php.example
index 5057641..6520aaa 100644
--- a/config.php.example
+++ b/config.php.example
@@ -6,6 +6,12 @@ define('DB_SERVER', 'hostname');
define('DB_USERNAME', 'username');
define('DB_PASSWORD', 'password');
define('DB_NAME', 'dbname');
+
+define('MAIL_SERVER', 'mail.example.com');
+define('MAIL_PORT', 587);
+define('MAIL_USER', 'user');
+define('MAIL_PASSWORD', 'password');
+define('MAIL_FROM', 'system@example.com');
/* Attempt to connect to MySQL database */
$link = mysqli_connect(DB_SERVER, DB_USERNAME, DB_PASSWORD, DB_NAME);
@@ -14,4 +20,16 @@ $link = mysqli_connect(DB_SERVER, DB_USERNAME, DB_PASSWORD, DB_NAME);
if($link === false){
die("ERROR: Could not connect. " . mysqli_connect_error());
}
+
+$mailer = new PHPMailer();
+$mailer->isSMTP();
+$mailer->SMTPDebug = SMTP::DEBUG_SERVER;
+$mailer->Host = MAIL_SERVER;
+$mailer->Port = MAIL_PORT;
+$mailer->SMTPAuth = true;
+$mailer->Username = MAIL_USER;
+$mailer->Password = MAIL_PASSWORD;
+$mailer->setFrom(MAIL_FROM);
+$mailer->isHTML(false);
+
?>
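Review bot: `$mailer->SMTPDebug = SMTP::DEBUG_SERVER;` in the new block turns on PHPMailer's SMTP transcript, and with the default `Debugoutput` that transcript is echoed into the HTTP response of whichever page sends mail (register.php here), exposing the mail-server exchange and the recipient address to the visitor and emitting output before that page's `header("location: login.php")` redirect. An example config that gets copied into production should default to `$mailer->SMTPDebug = SMTP::DEBUG_OFF;` and let developers raise it locally. No `SMTPSecure` is set alongside `Port = 587`, so whether the connection is upgraded to TLS depends on PHPMailer's opportunistic STARTTLS default; `$mailer->SMTPSecure = PHPMailer::ENCRYPTION_STARTTLS;` makes it required. `PHPMailer` and `SMTP` are used unqualified with no `use` or require visible in this hunk, so the import presumably lives elsewhere.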
diff --git a/dbinit.sql b/dbinit.sql
index 95cdf2f..5a989ab 100644
--- a/dbinit.sql
+++ b/dbinit.sql
@@ -6,6 +6,7 @@ CREATE TABLE `arfnet2`.`users` (
`password` VARCHAR(255) NOT NULL ,
`email` VARCHAR(127) NOT NULL ,
`verifycode` VARCHAR(31) NOT NULL ,
+ `status` ENUM('verified','unverified') NOT NULL DEFAULT 'unverified' ,
`type` ENUM('client','helpdesk','accountant','admin') NOT NULL ,
`regdate` TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP ,
PRIMARY KEY (`id`)
diff --git a/login.php b/login.php
index 214eb2e..c7c4115 100755
--- a/login.php
+++ b/login.php
@@ -3,8 +3,8 @@
session_start();
// Check if the user is already logged in, if yes then redirect him to welcome page
-if(isset($_SESSION["loggedin"]) && $_SESSION["loggedin"] === true){
- header("location: welcome.php");
+if (isset($_SESSION["loggedin"]) && $_SESSION["loggedin"] === true) {
+ header("location: /".$_SESSION["type"].".php");
exit;
}
@@ -18,35 +18,29 @@ $username_err = $password_err = "";
// Processing form data when form is submitted
if($_SERVER["REQUEST_METHOD"] == "POST"){
// Validate username
- if(empty(trim($_POST["username"]))){
- $username_err = "Please enter username.";
- } else{
- if (preg_match("[a-zA-Z0-9_]+", $_POST["username"]) == 1) {
- $username_err = "Invalid username.";
- }
- else {
- $username = trim($_POST["username"]);
- }
- }
+ if (empty($_POST["username"]))
+ $username_err = "Enter a username.";
+ else if (preg_match("/[a-zA-Z0-9_]+/", $_POST["username"]) != 1)
+ $username_err = "Invalid username.";
+ else
+ $username = $_POST["username"];
- // Validated password
- if(empty(trim($_POST["password"]))){
- $password_err = "Please enter your password.";
- } else{
- if (preg_match("[a-zA-Z0-9_]+", $_POST["password"]) == 1) {
- $username_err = "Invalid password.";
- }
- else {
- $password = trim($_POST["password"]);
- }
- }
+ // Validate password
+ if (empty($_POST["password"]))
+ $password_err = "Enter a password.";
+ else if (strlen($_POST["password"]) < 8)
+ $password_err = "Password must have at least 8 characters.";
+ else if (preg_match("/[a-zA-Z0-9!@^*$%&)(=+çñÇ][}{\-.,_:;]+/", $_POST["password"]) != false)
+ $password_err = "Password must be in the format [a-zA-Z0-9!@^*$%&)(=+çñÇ][}{-.,_:;].";
+ else
+ $password = $_POST["password"];
// Validate credentials
- if(empty($username_err) && empty($password_err)){
+ if (empty($username_err) && empty($password_err)) {
// Prepare a select statement
- $sql = "SELECT id, username, password FROM users WHERE username = ?";
+ $sql = "SELECT id, username, password, status, type FROM users WHERE username = ?";
- if($stmt = mysqli_prepare($link, $sql)){
+ if ($stmt = mysqli_prepare($link, $sql)) {
// Bind variables to the prepared statement as parameters
mysqli_stmt_bind_param($stmt, "s", $param_username);
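Review bot: The password check on the new `else if (preg_match("/[a-zA-Z0-9!@^*$%&)(=+çñÇ][}{\-.,_:;]+/", $_POST["password"]) != false)` line is inverted: preg_match returns 1 on a match, so any password that matches is rejected with the format error while one that matches nothing passes. The pattern is also unanchored and is two consecutive character classes rather than one, so even with the comparison fixed it cannot enforce a format; the username test `preg_match("/[a-zA-Z0-9_]+/", $_POST["username"]) != 1` has the same unanchored problem and accepts any string containing a single allowed character. For login the format and length rules add nothing over `password_verify` and the 8-character minimum locks out existing accounts with shorter passwords, so the simplest fix is to drop them; if kept, write `else if (preg_match('/^[a-zA-Z0-9!@^*$%&)(=+çñÇ\[\]}{\-.,_:;]+$/u', $_POST["password"]) !== 1)` and anchor the username pattern as `'/^[a-zA-Z0-9_]+$/'`. `empty($_POST["password"])` additionally treats the literal password `"0"` as missing.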
@@ -54,29 +48,33 @@ if($_SERVER["REQUEST_METHOD"] == "POST"){
$param_username = $username;
// Attempt to execute the prepared statement
- if(mysqli_stmt_execute($stmt)){
+ if (mysqli_stmt_execute($stmt)){
// Store result
mysqli_stmt_store_result($stmt);
// Check if username exists, if yes then verify password
- if(mysqli_stmt_num_rows($stmt) == 1){
+ if (mysqli_stmt_num_rows($stmt) == 1) {
// Bind result variables
- mysqli_stmt_bind_result($stmt, $id, $username, $hashed_password);
- if(mysqli_stmt_fetch($stmt)){
- if(password_verify($password, $hashed_password)){
- // Password is correct, so start a new session
- session_start();
-
- // Store data in session variables
- $_SESSION["loggedin"] = true;
- $_SESSION["id"] = $id;
- $_SESSION["username"] = $username;
+ mysqli_stmt_bind_result($stmt, $id, $username, $hashed_password, $status, $type);
+ if (mysqli_stmt_fetch($stmt)){
+ if (password_verify($password, $hashed_password)) {
+ // Password is correct, check verification
+ if ($status == "verified") {
+ session_start();
- // Redirect user to welcome page
- header("location: welcome.php");
- } else{
- // Display an error message if password is not valid
- $password_err = "The password you entered was not valid.";
+ // Store data in session variables
+ $_SESSION["loggedin"] = true;
+ $_SESSION["id"] = $id;
+ $_SESSION["username"] = $username;
+ $_SESSION["type"] = $type;
+
+ // Redirect user to appropiate page
+ header("location: /".$type.".php");
+ } else {
+ $username_err = "Unverified account, check your email.";
+ }
+ } else {
+ $password_err = "Incorrect password.";
}
}
} else{
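Review bot: After a successful password check the new code calls `session_start();` again (the session is already started at the top of the file) and then issues `header("location: /".$type.".php");` without `exit`, so the rest of the file still runs and renders the login form for an already-authenticated request. Since this is the point where the session gains privileges, replace the second `session_start();` with `session_regenerate_id(true);` to close the session-fixation window, and add `exit;` after the header call as the redirect at the top of the file already does. The new "Unverified account, check your email." message, next to the distinct incorrect-password and unknown-user messages, lets a client tell account states apart; whether that matters depends on the deployment, but a single generic failure message is the usual choice. The enclosing request-handling block starts and ends outside the hunk.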
diff --git a/register.php b/register.php
index 37565c5..3ef957a 100755
--- a/register.php
+++ b/register.php
@@ -1,13 +1,28 @@
<?php
+// Dependency
+
+function send_verification_email($rcpt, $code) {
+ global $mailer;
+ $mailer->addAddress($rcpt);
+ $mailer->Subject = 'ARFNET Email Verification';
+ $mailer->Body = "Welcome to ARFNET\n\nUse the following link to verify your email address\n\n"
+ ."https://".DOMAIN."/verify.php?code=".$code
+ ."\n\n--\nARFNET Client, Service, Ticket and Invoice Management System\nhttps://arf20.com";
+ if (!$mailer->send()) {
+ echo 'Mailer Error [ask arf20]: ' . $mailer->ErrorInfo;
+ }
+}
+
// Include config file
require_once "config.php";
// Define variables and initialize with empty values
$username = $password = $confirm_password = $email = "";
$username_err = $password_err = $confirm_password_err = $email_err = "";
+$verification_mail_sent = false;
// Processing form data when form is submitted
-if ($_SERVER["REQUEST_METHOD"] == "POST"){
+if ($_SERVER["REQUEST_METHOD"] == "POST") {
// Validate username
if (empty($_POST["username"]))
$username_err = "Enter a username.";
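Review bot: `send_verification_email` builds the link as `"https://".DOMAIN."/verify.php?code=".$code`, but `DOMAIN` is not defined by the config.php.example changes in this commit; if config.php does not define it, PHP 8 throws an `Error` for the undefined constant (PHP 7 substitutes the literal string with a warning). The code is inserted into the query string unencoded; the README hunk describes it as base64, and if it can contain `+` that character is decoded as a space on the receiving side, so the lookup in verify.php would miss — use `rawurlencode($code)`. On failure the function echoes `$mailer->ErrorInfo` into the response, which shows mailer internals to the user and sends output before the `header("location: login.php")` that follows the call, so that redirect fails; better to `return $mailer->send();` and let the caller decide what to show. The `// Dependency` comment has nothing after it, and PHPMailer is not required or imported anywhere visible in this hunk — presumably the include belongs there.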
@@ -84,7 +99,8 @@ if ($_SERVER["REQUEST_METHOD"] == "POST"){
// Attempt to execute the prepared statement
if (mysqli_stmt_execute($stmt)) {
// Send verification email
-
+ send_verification_email($email, $param_verifycode);
+ $verification_mail_sent = true;
// Redirect to login page
header("location: login.php");
} else {
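Review bot: `$verification_mail_sent = true;` on the new line is set unconditionally because `send_verification_email` has no return value, so a failed send is still recorded as sent. The flag is also never displayed: `header("location: login.php")` on the next line redirects away before the template, so the `<?php if ($verification_mail_sent) echo 'Verification email sent.'; ?>` line added later in this file is dead on the success path. Have the function return the mailer result and write `$verification_mail_sent = send_verification_email($email, $param_verifycode);`, then either skip the redirect when the message should be shown or carry the flag across the redirect (session or query string). The enclosing form-handling block starts and ends outside the hunk.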
@@ -142,6 +158,7 @@ if ($_SERVER["REQUEST_METHOD"] == "POST"){
<input type="submit" class="btn btn-primary" value="Submit">
</div>
<p><a href="login.php">Login</a>.</p>
+ <?php if ($verification_mail_sent) echo 'Verification email sent.'; ?>
</form>
</div>
</main>
diff --git a/verify.php b/verify.php
new file mode 100644
index 0000000..5382f4f
--- /dev/null
+++ b/verify.php
@@ -0,0 +1,105 @@
+<?php
+// Initialize the session
+session_start();
+
+// Check if the user is already logged in, if yes then redirect him to welcome page
+if (isset($_SESSION["loggedin"]) && $_SESSION["loggedin"] === true) {
+ header("location: /".$_SESSION["type"].".php");
+ exit;
+}
+
+// Include config file
+require_once "config.php";
+
+// Define variables and initialize with empty values
+$code = "";
+$code_err = "";
+$verification_success = false;
+
+// Processing form data when form is submitted
+if ($_SERVER["REQUEST_METHOD"] == "GET") {
+ $code_err = "Invalid code.";
+ if (isset($_GET["code"]) && (strlen($_GET["code"]) == 16)) {
+ $code_err = "";
+ $code = $_GET["code"];
+ }
+
+ // Validate credentials
+ if (empty($code_err)) {
+ // Prepare a select statement
+ $sql = "SELECT id, username, status, type FROM users WHERE verifycode = ?";
+
+ if ($stmt = mysqli_prepare($link, $sql)) {
+ // Bind variables to the prepared statement as parameters
+ mysqli_stmt_bind_param($stmt, "s", $param_code);
+
+ // Set parameters
+ $param_code = $code;
+
+ // Attempt to execute the prepared statement
+ if (mysqli_stmt_execute($stmt)) {
+ // Store result
+ mysqli_stmt_store_result($stmt);
+
+ // Check if username exists, if yes then verify password
+ if (mysqli_stmt_num_rows($stmt) == 1) {
+ // Bind result variables
+ mysqli_stmt_bind_result($stmt, $id, $username, $status, $type);
+ if (mysqli_stmt_fetch($stmt)){
+ if ($status == "unverified") {
+ // set verified
+ $sql = "UPDATE users SET status = 'verified' WHERE id = ?";
+ if ($stmt = mysqli_prepare($link, $sql)) {
+ mysqli_stmt_bind_param($stmt, "s", $param_id);
+ $param_id = $id;
+ if (mysqli_stmt_execute($stmt) && mysqli_stmt_affected_rows($stmt) == 1) {
+ $verification_success = true;
+ } else {
+ echo "SQL error, ask arf20.";
+ }
+ }
+ } else {
+ $code_err = "Already verified.";
+ }
+ }
+ } else {
+ // Display an error message if username doesn't exist
+ $code_err = "Code does not exist.";
+ }
+ } else{
+ echo "Oops! Something went wrong. Please try again later.";
+ }
+
+ // Close statement
+ mysqli_stmt_close($stmt);
+ }
+ }
+
+ // Close connection
+ mysqli_close($link);
+}
+?>
+
+<!DOCTYPE html>
+<html lang="en">
+ <head>
+ <meta charset="UTF-8">
+ <title>CSTIMS Login</title>
+ <link rel="stylesheet" type="text/css" href="/style.css">
+ </head>
+ <body>
+ <header><a href="https://arf20.com/">
+ <img src="arfnet_logo.png" width="64"><span class="title"><strong>ARFNET</strong></span>
+ </a></header>
+ <hr>
+ <main>
+ <div class="wrapper">
+ <h2>CSTIMS Verification</h2>
+ <?php
+ if ($verification_success) echo "Verification successful, welcome to ARFNET $username.";
+ else echo "Verification failed: ".$code_err;
+ ?>
+ </div>
+ </main>
+ </body>
+</html>
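Review bot: `echo "Verification successful, welcome to ARFNET $username.";` near the bottom writes the username read from the database into HTML unescaped; usernames are user-supplied at registration, so this should be `htmlspecialchars($username, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`. In the update branch, `$stmt = mysqli_prepare($link, $sql)` overwrites the handle of the still-open SELECT statement, so the `mysqli_stmt_close($stmt)` below only closes the UPDATE and the SELECT leaks until script end; use a second variable for the UPDATE and close both. `mysqli_stmt_bind_param($stmt, "s", $param_id)` binds the integer id as a string — `"i"` is the matching type. The lookup relies on `mysqli_stmt_num_rows($stmt) == 1`, but the visible part of dbinit.sql gives `verifycode` no UNIQUE constraint, so a duplicate code (however unlikely) would make both accounts fail with "Code does not exist"; a UNIQUE index would make that assumption explicit. The two `echo` calls for SQL and execute errors emit text before the `<!DOCTYPE html>` template, unlike `$code_err`, which the template renders.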