class.dc.auth.php @ 3731:3770620079d4

Visit:

Revision 3731:3770620079d4, 19.5 KB checked in by franck <carnet.franck.paul@…>, 8 years ago (diff)
Simplify licence block at the beginning of each file

Rev	Line
[0]	1	<?php
	2	/**
[3730]	3	* @brief Authentication and user credentials management
	4	*
	5	* dcAuth is a class used to handle everything related to user authentication
	6	* and credentials. Object is provided by dcCore $auth property.
[3731]	7	*
	8	* @package Dotclear
	9	* @subpackage Core
	10	*
	11	* @copyright Olivier Meunier & Association Dotclear
	12	* @copyright GPL-2.0-only
[3730]	13	*/
[3731]	14
	15	if (!defined('DC_RC_PATH')) {return;}
	16
[0]	17	class dcAuth
	18	{
[3730]	19	/** @var dcCore dcCore instance */
	20	protected $core;
	21	/** @var connection Database connection object */
	22	protected $con;
[2566]	23
[3730]	24	/** @var string User table name */
	25	protected $user_table;
	26	/** @var string Perm table name */
	27	protected $perm_table;
[2566]	28
[3730]	29	/** @var string Current user ID */
	30	protected $user_id;
	31	/** @var array Array with user information */
	32	protected $user_info = array();
	33	/** @var array Array with user options */
	34	protected $user_options = array();
	35	/** @var boolean User must change his password after login */
	36	protected $user_change_pwd;
	37	/** @var boolean User is super admin */
	38	protected $user_admin;
	39	/** @var array Permissions for each blog */
	40	protected $permissions = array();
	41	/** @var boolean User can change its password */
	42	protected $allow_pass_change = true;
	43	/** @var array List of blogs on which the user has permissions */
	44	protected $blogs = array();
	45	/** @var integer Count of user blogs */
	46	public $blog_count = null;
[2566]	47
[3730]	48	/** @var array Permission types */
	49	protected $perm_types;
[2566]	50
[3730]	51	/** @var dcPrefs dcPrefs object */
	52	public $user_prefs;
[2566]	53
[3730]	54	/**
	55	* Class constructor. Takes dcCore object as single argument.
	56	*
	57	* @param dcCore $core dcCore object
	58	*/
	59	public function __construct($core)
	60	{
	61	$this->core = &$core;
	62	$this->con = &$core->con;
	63	$this->blog_table = $core->prefix . 'blog';
	64	$this->user_table = $core->prefix . 'user';
	65	$this->perm_table = $core->prefix . 'permissions';
[2566]	66
[3730]	67	$this->perm_types = array(
	68	'admin' => __('administrator'),
	69	'usage' => __('manage their own entries and comments'),
	70	'publish' => __('publish entries and comments'),
	71	'delete' => __('delete entries and comments'),
	72	'contentadmin' => __('manage all entries and comments'),
	73	'categories' => __('manage categories'),
	74	'media' => __('manage their own media items'),
	75	'media_admin' => __('manage all media items')
	76	);
	77	}
[2566]	78
[3730]	79	/// @name Credentials and user permissions
	80	//@{
	81	/**
	82	* Checks if user exists and can log in. <var>$pwd</var> argument is optionnal
	83	* while you may need to check user without password. This method will create
	84	* credentials and populate all needed object properties.
	85	*
	86	* @param string $user_id User ID
	87	* @param string $pwd User password
	88	* @param string $user_key User key check
	89	* @param boolean $check_blog checks if user is associated to a blog or not.
	90	* @return boolean
	91	*/
	92	public function checkUser($user_id, $pwd = null, $user_key = null, $check_blog = true)
	93	{
	94	# Check user and password
	95	$strReq = 'SELECT user_id, user_super, user_pwd, user_change_pwd, ' .
	96	'user_name, user_firstname, user_displayname, user_email, ' .
	97	'user_url, user_default_blog, user_options, ' .
	98	'user_lang, user_tz, user_post_status, user_creadt, user_upddt ' .
	99	'FROM ' . $this->con->escapeSystem($this->user_table) . ' ' .
	100	"WHERE user_id = '" . $this->con->escape($user_id) . "' ";
[2566]	101
[3730]	102	try {
	103	$rs = $this->con->select($strReq);
	104	} catch (Exception $e) {
	105	$err = $e->getMessage();
	106	return false;
	107	}
[2566]	108
[3730]	109	if ($rs->isEmpty()) {
	110	sleep(rand(2, 5));
	111	return false;
	112	}
[2566]	113
[3730]	114	$rs->extend('rsExtUser');
[2566]	115
[3730]	116	if ($pwd != '') {
	117	$rehash = false;
	118	if (password_verify($pwd, $rs->user_pwd)) {
	119	// User password ok
	120	if (password_needs_rehash($rs->user_pwd, PASSWORD_DEFAULT)) {
	121	$rs->user_pwd = $this->crypt($pwd);
	122	$rehash = true;
	123	}
	124	} else {
	125	// Check if pwd still stored in old fashion way
	126	$ret = password_get_info($rs->user_pwd);
	127	if (is_array($ret) && isset($ret['algo']) && $ret['algo'] == 0) {
	128	// hash not done with password_hash() function, check by old fashion way
	129	if (crypt::hmac(DC_MASTER_KEY, $pwd, DC_CRYPT_ALGO) == $rs->user_pwd) {
	130	// Password Ok, need to store it in new fashion way
	131	$rs->user_pwd = $this->crypt($pwd);
	132	$rehash = true;
	133	} else {
	134	// Password KO
	135	sleep(rand(2, 5));
	136	return false;
	137	}
	138	} else {
	139	// Password KO
	140	sleep(rand(2, 5));
	141	return false;
	142	}
	143	}
	144	if ($rehash) {
	145	// Store new hash in DB
	146	$cur = $this->con->openCursor($this->user_table);
	147	$cur->user_pwd = (string) $rs->user_pwd;
	148	$cur->update("WHERE user_id = '" . $rs->user_id . "'");
	149	}
	150	} elseif ($user_key != '') {
	151	if (http::browserUID(DC_MASTER_KEY . $rs->user_id . $this->cryptLegacy($rs->user_id)) != $user_key) {
	152	return false;
	153	}
	154	}
[2566]	155
[3730]	156	$this->user_id = $rs->user_id;
	157	$this->user_change_pwd = (boolean) $rs->user_change_pwd;
	158	$this->user_admin = (boolean) $rs->user_super;
[2566]	159
[3730]	160	$this->user_info['user_pwd'] = $rs->user_pwd;
	161	$this->user_info['user_name'] = $rs->user_name;
	162	$this->user_info['user_firstname'] = $rs->user_firstname;
	163	$this->user_info['user_displayname'] = $rs->user_displayname;
	164	$this->user_info['user_email'] = $rs->user_email;
	165	$this->user_info['user_url'] = $rs->user_url;
	166	$this->user_info['user_default_blog'] = $rs->user_default_blog;
	167	$this->user_info['user_lang'] = $rs->user_lang;
	168	$this->user_info['user_tz'] = $rs->user_tz;
	169	$this->user_info['user_post_status'] = $rs->user_post_status;
	170	$this->user_info['user_creadt'] = $rs->user_creadt;
	171	$this->user_info['user_upddt'] = $rs->user_upddt;
[2566]	172
[3730]	173	$this->user_info['user_cn'] = dcUtils::getUserCN($rs->user_id, $rs->user_name,
	174	$rs->user_firstname, $rs->user_displayname);
[2566]	175
[3730]	176	$this->user_options = array_merge($this->core->userDefaults(), $rs->options());
[2566]	177
[3730]	178	$this->user_prefs = new dcPrefs($this->core, $this->user_id);
[2566]	179
[3730]	180	# Get permissions on blogs
	181	if ($check_blog && ($this->findUserBlog() === false)) {
	182	return false;
	183	}
	184	return true;
	185	}
[2566]	186
[3730]	187	/**
	188	* This method crypt given string (password, session_id, …).
	189	*
	190	* @param string $pwd string to be crypted
	191	* @return string crypted value
	192	*/
	193	public function crypt($pwd)
	194	{
	195	return password_hash($pwd, PASSWORD_DEFAULT);
	196	}
[3627]	197
[3730]	198	/**
	199	* This method crypt given string (password, session_id, …).
	200	*
	201	* @param string $pwd string to be crypted
	202	* @return string crypted value
	203	*/
	204	public function cryptLegacy($pwd)
	205	{
	206	return crypt::hmac(DC_MASTER_KEY, $pwd, DC_CRYPT_ALGO);
	207	}
[3036]	208
[3730]	209	/**
	210	* This method only check current user password.
	211	*
	212	* @param string $pwd User password
	213	* @return boolean
	214	*/
	215	public function checkPassword($pwd)
	216	{
	217	if (!empty($this->user_info['user_pwd'])) {
	218	return password_verify($pwd, $this->user_info['user_pwd']);
	219	}
[2566]	220
[3730]	221	return false;
	222	}
[2566]	223
[3730]	224	/**
	225	* This method checks if user session cookie exists
	226	*
	227	* @return boolean
	228	*/
	229	public function sessionExists()
	230	{
	231	return isset($_COOKIE[DC_SESSION_NAME]);
	232	}
[2566]	233
[3730]	234	/**
	235	* This method checks user session validity.
	236	*
	237	* @return boolean
	238	*/
	239	public function checkSession($uid = null)
	240	{
	241	$this->core->session->start();
[2566]	242
[3730]	243	# If session does not exist, logout.
	244	if (!isset($_SESSION['sess_user_id'])) {
	245	$this->core->session->destroy();
	246	return false;
	247	}
[2566]	248
[3730]	249	# Check here for user and IP address
	250	$this->checkUser($_SESSION['sess_user_id']);
	251	$uid = $uid ?: http::browserUID(DC_MASTER_KEY);
[2566]	252
[3730]	253	$user_can_log = $this->userID() !== null && $uid == $_SESSION['sess_browser_uid'];
[2566]	254
[3730]	255	if (!$user_can_log) {
	256	$this->core->session->destroy();
	257	return false;
	258	}
[2566]	259
[3730]	260	return true;
	261	}
[2566]	262
[3730]	263	/**
	264	* Checks if user must change his password in order to login.
	265	*
	266	* @return boolean
	267	*/
	268	public function mustChangePassword()
	269	{
	270	return $this->user_change_pwd;
	271	}
[2566]	272
[3730]	273	/**
	274	* Checks if user is super admin
	275	*
	276	* @return boolean
	277	*/
	278	public function isSuperAdmin()
	279	{
	280	return $this->user_admin;
	281	}
[2566]	282
[3730]	283	/**
	284	* Checks if user has permissions given in <var>$permissions</var> for blog
	285	* <var>$blog_id</var>. <var>$permissions</var> is a coma separated list of
	286	* permissions.
	287	*
	288	* @param string $permissions Permissions list
	289	* @param string $blog_id Blog ID
	290	* @return boolean
	291	*/
	292	public function check($permissions, $blog_id)
	293	{
	294	if ($this->user_admin) {
	295	return true;
	296	}
[2566]	297
[3730]	298	$p = array_map('trim', explode(',', $permissions));
	299	$b = $this->getPermissions($blog_id);
[2566]	300
[3730]	301	if ($b != false) {
	302	if (isset($b['admin'])) {
	303	return true;
	304	}
[2566]	305
[3730]	306	foreach ($p as $v) {
	307	if (isset($b[$v])) {
	308	return true;
	309	}
	310	}
	311	}
[2566]	312
[3730]	313	return false;
	314	}
[2566]	315
[3730]	316	/**
	317	* Returns true if user is allowed to change its password.
	318	*
	319	* @return boolean
	320	*/
	321	public function allowPassChange()
	322	{
	323	return $this->allow_pass_change;
	324	}
	325	//@}
[2566]	326
[3730]	327	/// @name User code handlers
	328	//@{
	329	public function getUserCode()
	330	{
	331	$code =
	332	pack('a32', $this->userID()) .
	333	pack('H*', $this->crypt($this->getInfo('user_pwd')));
	334	return bin2hex($code);
	335	}
[2566]	336
[3730]	337	public function checkUserCode($code)
	338	{
	339	$code = @pack('H*', $code);
[2566]	340
[3730]	341	$user_id = trim(@pack('a32', substr($code, 0, 32)));
	342	$pwd = @unpack('H*hex', substr($code, 32));
[2566]	343
[3730]	344	if ($user_id === false \|\| $pwd === false) {
	345	return false;
	346	}
[2566]	347
[3730]	348	$pwd = $pwd['hex'];
[2566]	349
[3730]	350	$strReq = 'SELECT user_id, user_pwd ' .
	351	'FROM ' . $this->user_table . ' ' .
	352	"WHERE user_id = '" . $this->con->escape($user_id) . "' ";
[2566]	353
[3730]	354	$rs = $this->con->select($strReq);
[2566]	355
[3730]	356	if ($rs->isEmpty()) {
	357	return false;
	358	}
[2566]	359
[3730]	360	if ($this->crypt($rs->user_pwd) != $pwd) {
	361	return false;
	362	}
[2566]	363
[3730]	364	return $rs->user_id;
	365	}
	366	//@}
[2566]	367
[3730]	368	/// @name Sudo
	369	//@{
	370	/**
	371	* Calls $f function with super admin rights.
	372	* Returns the function result.
	373	*
	374	* @param callback $f Callback function
	375	* @return mixed
	376	*/
	377	public function sudo($f)
	378	{
	379	if (!is_callable($f)) {
	380	throw new Exception($f . ' function doest not exist');
	381	}
[2566]	382
[3730]	383	$args = func_get_args();
	384	array_shift($args);
[2566]	385
[3730]	386	if ($this->user_admin) {
	387	$res = call_user_func_array($f, $args);
	388	} else {
	389	$this->user_admin = true;
	390	try {
	391	$res = call_user_func_array($f, $args);
	392	$this->user_admin = false;
	393	} catch (Exception $e) {
	394	$this->user_admin = false;
	395	throw $e;
	396	}
	397	}
[2566]	398
[3730]	399	return $res;
	400	}
	401	//@}
[2566]	402
[3730]	403	/// @name User information and options
	404	//@{
	405	/**
	406	* Returns user permissions for a blog as an array which looks like:
	407	*
	408	* - [blog_id]
	409	* - [permission] => true
	410	* - ...
	411	*
	412	* @param string $blog_id Blog ID
	413	* @return array
	414	*/
	415	public function getPermissions($blog_id)
	416	{
	417	if (isset($this->blogs[$blog_id])) {
	418	return $this->blogs[$blog_id];
	419	}
[2566]	420
[3730]	421	if ($this->user_admin) {
	422	$strReq = 'SELECT blog_id ' .
	423	'from ' . $this->blog_table . ' ' .
	424	"WHERE blog_id = '" . $this->con->escape($blog_id) . "' ";
	425	$rs = $this->con->select($strReq);
[2159]	426
[3730]	427	$this->blogs[$blog_id] = $rs->isEmpty() ? false : array('admin' => true);
[2566]	428
[3730]	429	return $this->blogs[$blog_id];
	430	}
[2566]	431
[3730]	432	$strReq = 'SELECT permissions ' .
	433	'FROM ' . $this->perm_table . ' ' .
	434	"WHERE user_id = '" . $this->con->escape($this->user_id) . "' " .
	435	"AND blog_id = '" . $this->con->escape($blog_id) . "' " .
	436	"AND (permissions LIKE '%\|usage\|%' OR permissions LIKE '%\|admin\|%' OR permissions LIKE '%\|contentadmin\|%') ";
	437	$rs = $this->con->select($strReq);
[2566]	438
[3730]	439	$this->blogs[$blog_id] = $rs->isEmpty() ? false : $this->parsePermissions($rs->permissions);
[2566]	440
[3730]	441	return $this->blogs[$blog_id];
	442	}
[2566]	443
[3730]	444	public function getBlogCount()
	445	{
	446	if ($this->blog_count === null) {
	447	$this->blog_count = $this->core->getBlogs(array(), true)->f(0);
	448	}
[2159]	449
	450	return $this->blog_count;
	451	}
[2566]	452
[3730]	453	public function findUserBlog($blog_id = null)
	454	{
	455	if ($blog_id && $this->getPermissions($blog_id) !== false) {
	456	return $blog_id;
	457	} else {
	458	if ($this->user_admin) {
	459	$strReq = 'SELECT blog_id ' .
	460	'FROM ' . $this->blog_table . ' ' .
	461	'ORDER BY blog_id ASC ' .
	462	$this->con->limit(1);
	463	} else {
	464	$strReq = 'SELECT P.blog_id ' .
	465	'FROM ' . $this->perm_table . ' P, ' . $this->blog_table . ' B ' .
	466	"WHERE user_id = '" . $this->con->escape($this->user_id) . "' " .
	467	"AND P.blog_id = B.blog_id " .
	468	"AND (permissions LIKE '%\|usage\|%' OR permissions LIKE '%\|admin\|%' OR permissions LIKE '%\|contentadmin\|%') " .
	469	"AND blog_status >= 0 " .
	470	'ORDER BY P.blog_id ASC ' .
	471	$this->con->limit(1);
	472	}
[2566]	473
[3730]	474	$rs = $this->con->select($strReq);
	475	if (!$rs->isEmpty()) {
	476	return $rs->blog_id;
	477	}
	478	}
[2566]	479
[3730]	480	return false;
	481	}
[2566]	482
[3730]	483	/**
	484	* Returns current user ID
	485	*
	486	* @return string
	487	*/
	488	public function userID()
	489	{
	490	return $this->user_id;
	491	}
[2566]	492
[3730]	493	/**
	494	* Returns information about a user .
	495	*
	496	* @param string $n Information name
	497	* @return string
	498	*/
	499	public function getInfo($n)
	500	{
	501	if (isset($this->user_info[$n])) {
	502	return $this->user_info[$n];
	503	}
[2566]	504
[3730]	505	return;
	506	}
[2566]	507
[3730]	508	/**
	509	* Returns a specific user option
	510	*
	511	* @param string $n Option name
	512	* @return string
	513	*/
	514	public function getOption($n)
	515	{
	516	if (isset($this->user_options[$n])) {
	517	return $this->user_options[$n];
	518	}
	519	return;
	520	}
[2566]	521
[3730]	522	/**
	523	* Returns all user options in an associative array.
	524	*
	525	* @return array
	526	*/
	527	public function getOptions()
	528	{
	529	return $this->user_options;
	530	}
	531	//@}
[2566]	532
[3730]	533	/// @name Permissions
	534	//@{
	535	/**
	536	* Returns an array with permissions parsed from the string <var>$level</var>
	537	*
	538	* @param string $level Permissions string
	539	* @return array
	540	*/
	541	public function parsePermissions($level)
	542	{
	543	$level = preg_replace('/^\\|/', '', $level);
	544	$level = preg_replace('/\\|$/', '', $level);
[2566]	545
[3730]	546	$res = array();
	547	foreach (explode('\|', $level) as $v) {
	548	$res[$v] = true;
	549	}
	550	return $res;
	551	}
[2566]	552
[3730]	553	/**
	554	* Returns <var>perm_types</var> property content.
	555	*
	556	* @return array
	557	*/
	558	public function getPermissionsTypes()
	559	{
	560	return $this->perm_types;
	561	}
[2566]	562
[3730]	563	/**
	564	* Adds a new permission type.
	565	*
	566	* @param string $name Permission name
	567	* @param string $title Permission title
	568	*/
	569	public function setPermissionType($name, $title)
	570	{
	571	$this->perm_types[$name] = $title;
	572	}
	573	//@}
[2566]	574
[3730]	575	/// @name Password recovery
	576	//@{
	577	/**
	578	* Add a recover key to a specific user identified by its email and
	579	* password.
	580	*
	581	* @param string $user_id User ID
	582	* @param string $user_email User Email
	583	* @return string
	584	*/
	585	public function setRecoverKey($user_id, $user_email)
	586	{
	587	$strReq = 'SELECT user_id ' .
	588	'FROM ' . $this->user_table . ' ' .
	589	"WHERE user_id = '" . $this->con->escape($user_id) . "' " .
	590	"AND user_email = '" . $this->con->escape($user_email) . "' ";
[2566]	591
[3730]	592	$rs = $this->con->select($strReq);
[2566]	593
[3730]	594	if ($rs->isEmpty()) {
	595	throw new Exception(__('That user does not exist in the database.'));
	596	}
[2566]	597
[3730]	598	$key = md5(uniqid('', true));
[2566]	599
[3730]	600	$cur = $this->con->openCursor($this->user_table);
	601	$cur->user_recover_key = $key;
[2566]	602
[3730]	603	$cur->update("WHERE user_id = '" . $this->con->escape($user_id) . "'");
[2566]	604
[3730]	605	return $key;
	606	}
[2566]	607
[3730]	608	/**
	609	* Creates a new user password using recovery key. Returns an array:
	610	*
	611	* - user_email
	612	* - user_id
	613	* - new_pass
	614	*
	615	* @param string $recover_key Recovery key
	616	* @return array
	617	*/
	618	public function recoverUserPassword($recover_key)
	619	{
	620	$strReq = 'SELECT user_id, user_email ' .
	621	'FROM ' . $this->user_table . ' ' .
	622	"WHERE user_recover_key = '" . $this->con->escape($recover_key) . "' ";
[2566]	623
[3730]	624	$rs = $this->con->select($strReq);
[2566]	625
[3730]	626	if ($rs->isEmpty()) {
	627	throw new Exception(__('That key does not exist in the database.'));
	628	}
[2566]	629
[3730]	630	$new_pass = crypt::createPassword();
[2566]	631
[3730]	632	$cur = $this->con->openCursor($this->user_table);
	633	$cur->user_pwd = $this->crypt($new_pass);
	634	$cur->user_recover_key = null;
	635	$cur->user_change_pwd = 1; // User will have to change this temporary password at next login
[2566]	636
[3730]	637	$cur->update("WHERE user_recover_key = '" . $this->con->escape($recover_key) . "'");
[2566]	638
[3730]	639	return array('user_email' => $rs->user_email, 'user_id' => $rs->user_id, 'new_pass' => $new_pass);
	640	}
	641	//@}
[2566]	642
[3730]	643	/** @name User management callbacks
	644	This 3 functions only matter if you extend this class and use
	645	DC_AUTH_CLASS constant.
	646	These are called after core user management functions.
	647	Could be useful if you need to add/update/remove stuff in your
	648	LDAP directory or other third party authentication database.
	649	*/
	650	//@{
[2566]	651
[3730]	652	/**
	653	* Called after core->addUser
	654	* @see dcCore::addUser
	655	* @param cursor $cur User cursor
	656	*/
	657	public function afterAddUser($cur)
	658	{}
[2566]	659
[3730]	660	/**
	661	* Called after core->updUser
	662	* @see dcCore::updUser
	663	* @param string $id User ID
	664	* @param cursor $cur User cursor
	665	*/
	666	public function afterUpdUser($id, $cur)
	667	{}
[2566]	668
[3730]	669	/**
	670	* Called after core->delUser
	671	* @see dcCore::delUser
	672	* @param string $id User ID
	673	*/
	674	public function afterDelUser($id)
	675	{}
	676	//@}
[0]	677	}

Note: See TracBrowser for help on using the repository browser.

Dotclear

Context Navigation

source: inc/core/class.dc.auth.php @ 3731:3770620079d4

Download in other formats:

Sites map