The 2 x if conditions added a security measure to avoid path traversals,
should languageBase or languageUser ever be set to something malicious
such as (eg ../../../../../../../etc/passwd)
However, it meant that the ICEcoder dir and the doc root dir paths had
to both start the same, and so be in the same location really. It was
previously a benefit to have them possibly contain different paths, but
this security point restricts this.
We can remove these 2 if conditions however and simply wrap the 2 array
values with basename(), so we take only the trailing file name and so
avoid path traversal issues.
Causes file locking issues if allowed to be called from anywhere
Because we only call from index.php now, also need dirname(___FILE___)
to complete paths
configCreateDate set if 0 now on every load, not just save
14 full days setup (1296000 - 1 sec), so doesn't start by showing 13
days (and 23 hrs, 59 secs)
If configCreateDate == 0, $tRemaining is the $tPeriod
If there has been a change of language, set a bool flag for a reload
later
Save languageUser to file also on settings update
realpath checking on language file name also, dies if fails
We should indeed only output if index.php and top.iceRoot is updated
after a settings change in settings-update.php (top.docRoot only changes
if you manually change the file, in which case a reload is needed and
this is picked up again from scratch).
Avoids having something output to the browser in places where we don't
want it, such as the new file-control-xhr.php file. Temporary
console.log for now as reminder to finish checking this out.
Moved huge chunks of isolated code to their own files
Reordered and improved remaining code
Lots of die messages added to stop code continuing after a header
location
!loginRequired now also setting loggedIn = true as demoMode does
Boot user to new login page instead of back to this page
loginRequired added to final elseif condition
Added 2 big notes re probably showing he login screen and continuing
with what we're doing
Because we may include this file from a couple of dirs and I'd rather it
continued to be run from lib/settings.php. By doing it this way round,
we're ensuring this, as lib/lib/settings.php won't exist.
By doing this we don't end up with a lib/lib path issue
Used longhand if else statement instead of ternary for clarity
Also added die to stop it going any further and having a new header
location replace this one
Increase salt from 9 to 12 chars to move along with technology
Replace all backslashes with 2. This means we escape PHP and then JS to
ensure we will maintain \n instead of ending up with a line break
Don't display errors, just silently log them
Don't produce warnings if we can't session_start due to headers already
being sent
Test if the mb_detect_encoding function exists before using
$configSettings is a seperate file now, containing the array of settings
we have buried in this file
Renamed user template, so change of filename here
Also using $configUsersTemplate to be clearer about things
To make things simpler, everything is now just called password rather
than accountPassword etc
settings.php also now gone back to checking for the existance of the
$_POST password rather than looking for a submit button named 'set
password'. This obviously wouldn't work as that's not the name of the
button on the settings screen, it's 'update'
On logout event, include that process
Settings template file is now config___template.php
Create new if statement for login success and fail, plus run processes
for each event
On new user setup, run that process
If multiUser, always show the checkUpdates box as we don't know if we're
setting up a new user or logging in, so have to assume it's a new user
and allow this setting to show
Session accountUsername is now just username
Settings filename now may contain the username if available from a post
or session var
setPWorLogin is now login by default, set password if we create a new
config file
Instead of the posted accountPassword value, we now look to the value of
the submit button and if it contains 'set password' or not
Set session username to the posted value on login or set password and
set to itself on every load
accountPassword form field now just password
Focus on the username or password field, depending on the 1st one shown
on page
Set the value of the submit button to 'set password / login' if
multiUser
