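=se.START_DATE AND (CURRENT_DATE<=se.END_DATE OR se.END_DATE IS NULL) AND UPPER(s.USERNAME)=UPPER('" . $username . "')" );

// Login flow, continued from above: student password check, failed-login ban,
// session initiation and access log; then the create-account and login-screen branches.
// NOTE(review): $username is assigned above this chunk and is concatenated into several
// SQL strings below, so it must already be DBEscapeString()'d where it is assigned — confirm.
if ( $student_RET
	&& match_password( $student_RET[1]['PASSWORD'], $_REQUEST['PASSWORD'] ) )
{
	// Password verified: drop the clear-text password from the request superglobals.
	unset( $_REQUEST['PASSWORD'], $_POST['PASSWORD'] );
}
else
{
	// Student may be inactive or not verified, see below for corresponding errors.
	// Same lookup without the START_DATE lower bound, so an enrollment that has not
	// started yet (or has no start date) is still matched and reported as "not activated".
	$student_RET = DBGet( "SELECT s.USERNAME,s.STUDENT_ID, s.LAST_LOGIN,s.FAILED_LOGIN,se.START_DATE,s.PASSWORD FROM STUDENTS s,STUDENT_ENROLLMENT se WHERE se.STUDENT_ID=s.STUDENT_ID AND se.SYEAR='" . Config( 'SYEAR' ) . "' AND (CURRENT_DATE<=se.END_DATE OR se.END_DATE IS NULL) AND UPPER(s.USERNAME)=UPPER('" . $username . "')" );

	if ( ! $student_RET
		|| ! match_password( $student_RET[1]['PASSWORD'], $_REQUEST['PASSWORD'] ) )
	{
		$student_RET = false;
	}
}
}

// Outcome of this attempt, written to ACCESS_LOG below: 'Y' success, 'B' banned, '' failed.
$login_status = '';

$is_banned = false;

if ( Config( 'FAILED_LOGIN_LIMIT' ) )
{
	// Failed login ban if >= X failed attempts within 10 minutes.
	// Attempts are keyed on (user agent, IP address); the IP is X-Forwarded-For when that
	// header is present, else REMOTE_ADDR. Both are request-controlled and are
	// concatenated into SQL, so both are escaped with DBEscapeString().
	// NOTE(review): X-Forwarded-For is a client-supplied header; it is only a reliable key
	// when a trusted reverse proxy sets it — confirm the deployment.
	// NOTE(review): failed attempts are logged with $login_status = '' below but counted
	// here as STATUS IS NULL; this relies on the DB layer storing '' as NULL — confirm.
	$failed_login_RET = DBGet( "SELECT COUNT(CASE WHEN STATUS IS NULL OR STATUS='B' THEN 1 END) AS FAILED_COUNT, COUNT(CASE WHEN STATUS='B' THEN 1 END) AS BANNED_COUNT FROM ACCESS_LOG WHERE LOGIN_TIME > (CURRENT_TIMESTAMP - INTERVAL '10 minutes') AND USER_AGENT='" . DBEscapeString( $_SERVER['HTTP_USER_AGENT'] ) . "' AND IP_ADDRESS='" . DBEscapeString( isset( $_SERVER['HTTP_X_FORWARDED_FOR'] ) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR'] ) . "'" );

	if ( $failed_login_RET[1]['BANNED_COUNT']
		|| $failed_login_RET[1]['FAILED_COUNT'] >= Config( 'FAILED_LOGIN_LIMIT' ) )
	{
		// Ban in every case: discard any successful lookup so no session is started.
		$is_banned = true;

		$login_RET = $student_RET = false;

		// Banned status code: B.
		$login_status = 'B';
	}
}

// Admin, teacher or parent: initiate session.
if ( $login_RET
	&& ( $login_RET[1]['PROFILE'] === 'admin'
		|| $login_RET[1]['PROFILE'] === 'teacher'
		|| $login_RET[1]['PROFILE'] === 'parent' ) )
{
	$_SESSION['STAFF_ID'] = $login_RET[1]['STAFF_ID'];

	// Invalidate any active Student session.
	unset( $_SESSION['STUDENT_ID'] );

	$_SESSION['LAST_LOGIN'] = $login_RET[1]['LAST_LOGIN'];

	$failed_login = $login_RET[1]['FAILED_LOGIN'];

	$login_status = 'Y';
}
// User with No access profile.
elseif ( $login_RET
	&& $login_RET[1]['PROFILE'] == 'none' )
{
	$error[] = _( 'Your account has not yet been activated.' ) . ' ' .
		_( 'You will be notified when it has been verified by a school administrator.' );
}
// Student account inactive (today < Attendance start date).
elseif ( $student_RET
	&& DBDate() < $student_RET[1]['START_DATE'] )
{
	$error[] = _( 'Your account has not yet been activated.' );
}
// Student account not verified (enrollment school + start date + last login are NULL).
elseif ( $student_RET
	&& ! $student_RET[1]['START_DATE']
	&& ! $student_RET[1]['LAST_LOGIN'] )
{
	$error[] = _( 'Your account has not yet been activated.' ) . ' ' .
		_( 'You will be notified when it has been verified by a school administrator.' );
}
// Student: initiate session.
elseif ( $student_RET )
{
	$_SESSION['STUDENT_ID'] = $student_RET[1]['STUDENT_ID'];

	// Invalidate any active User session.
	unset( $_SESSION['STAFF_ID'] );

	$_SESSION['LAST_LOGIN'] = $student_RET[1]['LAST_LOGIN'];

	$failed_login = $student_RET[1]['FAILED_LOGIN'];

	$login_status = 'Y';
}
// Failed login.
else
{
	// Bump FAILED_LOGIN on both the staff and the student row matching the username
	// (NULL starts at 1, see db_case()). One multi-statement query.
	DBQuery( "UPDATE STAFF SET FAILED_LOGIN=" . db_case( array( 'FAILED_LOGIN', "''", '1', 'FAILED_LOGIN+1' ) ) . " WHERE UPPER(USERNAME)=UPPER('" . $username . "') AND SYEAR='" . Config( 'SYEAR' ) . "'; UPDATE STUDENTS SET FAILED_LOGIN=" . db_case( array( 'FAILED_LOGIN', "''", '1', 'FAILED_LOGIN+1' ) ) . " WHERE UPPER(USERNAME)=UPPER('" . $username . "')" );

	if ( $is_banned )
	{
		// Failed login: ban because >= 6 attempts within 10 minutes.
		$error[] = _( 'Too many Failed Login Attempts.' ) . ' ' .
			_( 'Please try logging in later.' );
	}
	else
	{
		// Single generic message for unknown user and wrong password alike.
		$error[] = _( 'Incorrect username or password.' ) . ' ' .
			_( 'Please try logging in again.' );
	}
}

// Access Log.
// Presumably an add-on supplies AccessLogRecord() and records the attempt itself when
// that function exists — verify against the add-on.
if ( ! function_exists( 'AccessLogRecord' ) )
{
	// Every attempt is recorded with its status; the failed-login ban query above reads this table.
	// IP address and user agent are request-controlled and escaped before concatenation.
	DBQuery( "INSERT INTO ACCESS_LOG (SYEAR,USERNAME,PROFILE,LOGIN_TIME,IP_ADDRESS,USER_AGENT,STATUS) values('" . Config( 'SYEAR' ) . "', '" . $username . "', '" . User( 'PROFILE' ) . "', CURRENT_TIMESTAMP, '" . DBEscapeString( isset( $_SERVER['HTTP_X_FORWARDED_FOR'] ) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR'] ) . "', '" . DBEscapeString( $_SERVER['HTTP_USER_AGENT'] ) . "','" . $login_status . "' )" );
}

// Set current SchoolYear on login.
if ( $login_status === 'Y'
	&& ! UserSyear() )
{
	$_SESSION['UserSyear'] = Config( 'SYEAR' );
}

// @since 2.9.8 Login check action hook.
do_action( 'index.php|login_check', $username );

if ( HasFirstLoginForm() )
{
	// First Login.
	header( 'Location: index.php?locale=' . $_SESSION['locale'] . '&modfunc=first-login' );

	exit;
}

// Set LAST_LOGIN, reset FAILED_LOGIN.
if ( $login_status === 'Y'
	&& User( 'STAFF_ID' ) )
{
	DBQuery( "UPDATE STAFF SET LAST_LOGIN=CURRENT_TIMESTAMP,FAILED_LOGIN=NULL WHERE STAFF_ID='" . User( 'STAFF_ID' ) . "'" );
}
elseif ( $login_status === 'Y' )
{
	DBQuery( "UPDATE STUDENTS SET LAST_LOGIN=CURRENT_TIMESTAMP,FAILED_LOGIN=NULL WHERE STUDENT_ID='" . $_SESSION['STUDENT_ID'] . "'" );
}
}
// FJ create account.
elseif ( isset( $_REQUEST['create_account'] ) )
{
	$include = false;

	// Account creation always runs unauthenticated.
	unset( $_SESSION['STAFF_ID'], $_SESSION['STUDENT_ID'] );

	if ( $_REQUEST['create_account'] === 'user'
		&& Config( 'CREATE_USER_ACCOUNT' ) )
	{
		$include = 'Users/User.php';

		if ( UserStaffID() )
		{
			unset( $_SESSION['staff_id'] );
		}
	}
	elseif ( $_REQUEST['create_account'] === 'student'
		&& Config( 'CREATE_STUDENT_ACCOUNT' ) )
	{
		$include = 'Students/Student.php';

		// @since 6.0 Create Student Account: add school_id param to URL.
		// school_id is request-controlled; the (int) cast is what keeps it out of the SQL as text.
		if ( ! empty( $_REQUEST['school_id'] ) )
		{
			$_SESSION['UserSchool'] = DBGetOne( "SELECT ID FROM SCHOOLS WHERE SYEAR='" . Config( 'SYEAR' ) . "' AND ID='" . (int) $_REQUEST['school_id'] . "'" );
		}

		if ( ! UserSchool() )
		{
			RedirectURL( 'school_id' );

			// @since 6.3 Create Student Account Default School.
			// @link https://stackoverflow.com/questions/1250156/how-do-i-return-rows-with-a-specific-value-first#comment-67097263
			// Sort the configured default school first (its ID = ... DESC), then fall back to lowest ID.
			$sql_order_by = Config( 'CREATE_STUDENT_ACCOUNT_DEFAULT_SCHOOL' ) ?
				"ID='" . Config( 'CREATE_STUDENT_ACCOUNT_DEFAULT_SCHOOL' ) . "' DESC,ID" :
				"ID";

			$_SESSION['UserSchool'] = DBGetOne( "SELECT ID FROM SCHOOLS WHERE SYEAR='" . Config( 'SYEAR' ) . "' ORDER BY " . $sql_order_by );
		}

		if ( UserStudentID() )
		{
			unset( $_SESSION['student_id'] );
		}
	}

	if ( ! $include )
	{
		// Do not use RedirectURL() here (no JS loaded).
		// NOTE(review): there is no exit after this header, so the rest of the script still runs
		// for this request — confirm that is intended.
		header( 'Location: index.php' );
	}
	else
	{
		if ( ! isset( $_REQUEST['modfunc'] ) )
		{
			$_REQUEST['modfunc'] = false;
		}

		$_REQUEST['modname'] = false;

		$_ROSARIO['page'] = 'create-account';

		Warehouse( 'header' );

		$_ROSARIO['allow_edit'] = true;

		// $include is one of the two fixed paths set above, never request-controlled.
		require_once 'modules/' . $include;

		Warehouse( 'footer' );

		if ( UserSchool() )
		{
			// Unset UserSchool() so we get correct Config values if next request changes school.
			unset( $_SESSION['UserSchool'] );
		}
	}
}

// Login screen.
if ( empty( $_SESSION['STAFF_ID'] )
	&& empty( $_SESSION['STUDENT_ID'] )
	&& ! isset( $_REQUEST['create_account'] ) )
{
	$_ROSARIO['page'] = 'login';

	Warehouse( 'header' );

	PopTable( 'header', sprintf( _( '%s Login' ), Config( 'NAME' ) ) );

	// Optional informational note selected by the ?reason= parameter; unknown values show nothing.
	if ( isset( $_REQUEST['reason'] ) )
	{
		if ( $_REQUEST['reason'] == 'javascript' )
		{
			$note[] = sprintf( _( 'You must have javascript enabled to use %s.' ), Config( 'NAME' ) );
		}
		// FJ check accept cookies.
		elseif ( $_REQUEST['reason'] == 'cookie' )
		{
			$note[] = sprintf( _( 'You must accept cookies to use %s.' ), Config( 'NAME' ) );
		}
		// FJ create account.
		elseif ( $_REQUEST['reason'] == 'account_created' )
		{
			$note[] = _( 'Your account has been created.' ) . ' ' .
				_( 'You will be notified when it has been verified by a school administrator.' ) . ' ' .
				_( 'You will then be able to log in.' );
		}
		// @since 5.9 Automatic Student Account Activation.
		elseif ( $_REQUEST['reason'] == 'account_activated' )
		{
			$note[] = _( 'Your account has been created.' );
		}
		// Password recovery.
		elseif ( $_REQUEST['reason'] == 'password_reset' )
		{
			$note[] = _( 'If you supplied a correct email address then please check your email for the password reset instructions.' );
		}
	}

	echo ErrorMessage( $error );

	echo ErrorMessage( $note, 'note' );
?>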

1 ) : ?>
<?php echo htmlspecialchars( $language, ENT_QUOTES ); ?>