discuz X3登陆流程分析php
公司最近要将discuz论坛升级至最新版discuz X3。可是公司要用本身的通行证同步登录。故必需要知道discuzX3的登陆流程及原理,才能进行二次开发。mysql
1、涉及到的文件
sql
discuzX3/source/template/default/member/login.htm
数据库
discuzX3/member.php安全
discuzX3/source/module/member/member_logging.phpide
discuzX3/source/class/class_member.php
函数
discuzX3/source/function/function_member.php
ui
discuzX3/uc_client/client.phpthis
discuzX3/uc_client/control/user.phpspa
2、流程(注意:流程顺序也是按照上面文件依次向下)
一、前台输入帐号/email,密码登陆,根据login.htm里面的form action=“xxxx”看到将数据提交到member.php中处理。
二、流入member_logging.php
三、流入class_member.php中的on_login()方法进行处理(大约在30行)。大约在87行:
$result = userlogin($_GET['username'], $_GET['password'], $_GET['questionid'], $_GET['answer'], $this->setting['autoidselect'] ? 'auto' : $_GET['loginfield'], $_G['clientip']);
将数据丢入到function_member.php中处理。
四、流入function_member.php中大约第14行userlogin()方法。
大约33行:
if($isuid == 3) {
if(!strcmp(dintval($username), $username) && getglobal('setting/uidlogin')) {
$return['ucresult'] = uc_user_login($username, $password, 1, 1, $questionid, $answer, $ip);
} elseif(isemail($username)) {
$return['ucresult'] = uc_user_login($username, $password, 2, 1, $questionid, $answer, $ip);
}
if($return['ucresult'][0] <= 0 && $return['ucresult'][0] != -3) {
$return['ucresult'] = uc_user_login(addslashes($username), $password, 0, 1, $questionid, $answer, $ip);
}
}
else {
$return['ucresult'] = uc_user_login(addslashes($username), $password, $isuid, 1, $questionid, $answer, $ip);
}
五、流入client.php大于304行。
function uc_user_login($username, $password, $isuid = 0, $checkques = 0, $questionid = '', $answer = '') {
$isuid = intval($isuid);
$return = call_user_func(UC_API_FUNC, 'user', 'login', array('username'=>$username, 'password'=>$password, 'isuid'=>$isuid, 'checkques'=>$checkques, 'questionid'=>$questionid, 'answer'=>$answer));
return UC_CONNECT == 'mysql' ? $return : uc_unserialize($return);
}
六、最后流入user.php大约106行,onlogin()方法作最终的帐号密码正确性验证。
function onlogin() {
$this->init_input();
$isuid = $this->input('isuid');
$username = $this->input('username');
$password = $this->input('password');
$checkques = $this->input('checkques');
$questionid = $this->input('questionid');
$answer = $this->input('answer');
if($isuid == 1) {
$user = $_ENV['user']->get_user_by_uid($username);
} elseif($isuid == 2) {
$user = $_ENV['user']->get_user_by_email($username);
} else {
$user = $_ENV['user']->get_user_by_username($username);//从数据库中获取用户数据
}
//showmessage($user['password']);
$passwordmd5 = preg_match('/^\w{32}$/', $password) ? $password : md5($password);
if(empty($user)) {
$status = -1; //用户不存在,或者被删除
}
//elseif($user['password'] != md5($passwordmd5.$user['salt'])) {
//$status = -2; //密码错
//}
//elseif($checkques && $user['secques'] != '' && $user['secques'] != $_ENV['user']->quescrypt($questionid, $answer)) {
//$status = -3; //安全提问错
//}
else {
$status = $user['uid'];
}
$merge = $status != -1 && !$isuid && $_ENV['user']->check_mergeuser($username) ? 1 : 0;
return array($status, $user['username'], $password, $user['email'], $merge);
}