class.dc.auth.php @ 3761:849987324197

Visit:

Revision 3761:849987324197, 19.9 KB checked in by franck <carnet.franck.paul@…>, 7 years ago (diff)
Apply SQL Statement in DC code, work in progress

Line
1	<?php
2	/**
3	* @brief Authentication and user credentials management
4	*
5	* dcAuth is a class used to handle everything related to user authentication
6	* and credentials. Object is provided by dcCore $auth property.
7	*
8	* @package Dotclear
9	* @subpackage Core
10	*
11	* @copyright Olivier Meunier & Association Dotclear
12	* @copyright GPL-2.0-only
13	*/
14
15	if (!defined('DC_RC_PATH')) {return;}
16
17	class dcAuth
18	{
19	/** @var dcCore dcCore instance */
20	protected $core;
21	/** @var connection Database connection object */
22	protected $con;
23
24	/** @var string User table name */
25	protected $user_table;
26	/** @var string Perm table name */
27	protected $perm_table;
28
29	/** @var string Current user ID */
30	protected $user_id;
31	/** @var array Array with user information */
32	protected $user_info = array();
33	/** @var array Array with user options */
34	protected $user_options = array();
35	/** @var boolean User must change his password after login */
36	protected $user_change_pwd;
37	/** @var boolean User is super admin */
38	protected $user_admin;
39	/** @var array Permissions for each blog */
40	protected $permissions = array();
41	/** @var boolean User can change its password */
42	protected $allow_pass_change = true;
43	/** @var array List of blogs on which the user has permissions */
44	protected $blogs = array();
45	/** @var integer Count of user blogs */
46	public $blog_count = null;
47
48	/** @var array Permission types */
49	protected $perm_types;
50
51	/** @var dcPrefs dcPrefs object */
52	public $user_prefs;
53
54	/**
55	* Class constructor. Takes dcCore object as single argument.
56	*
57	* @param dcCore $core dcCore object
58	*/
59	public function __construct($core)
60	{
61	$this->core = &$core;
62	$this->con = &$core->con;
63	$this->blog_table = $core->prefix . 'blog';
64	$this->user_table = $core->prefix . 'user';
65	$this->perm_table = $core->prefix . 'permissions';
66
67	$this->perm_types = array(
68	'admin' => __('administrator'),
69	'usage' => __('manage their own entries and comments'),
70	'publish' => __('publish entries and comments'),
71	'delete' => __('delete entries and comments'),
72	'contentadmin' => __('manage all entries and comments'),
73	'categories' => __('manage categories'),
74	'media' => __('manage their own media items'),
75	'media_admin' => __('manage all media items')
76	);
77	}
78
79	/// @name Credentials and user permissions
80	//@{
81	/**
82	* Checks if user exists and can log in. <var>$pwd</var> argument is optionnal
83	* while you may need to check user without password. This method will create
84	* credentials and populate all needed object properties.
85	*
86	* @param string $user_id User ID
87	* @param string $pwd User password
88	* @param string $user_key User key check
89	* @param boolean $check_blog checks if user is associated to a blog or not.
90	* @return boolean
91	*/
92	public function checkUser($user_id, $pwd = null, $user_key = null, $check_blog = true)
93	{
94	# Check user and password
95	$sql = new dcSelectStatement($this->core, 'coreAuthCheckUser');
96	$sql
97	->columns(array('user_id', 'user_super', 'user_pwd', 'user_change_pwd', 'user_name', 'user_firstname',
98	'user_displayname', 'user_email', 'user_url', 'user_default_blog', 'user_options', 'user_lang',
99	'user_tz', 'user_post_status', 'user_creadt', 'user_upddt'))
100	->from($this->user_table)
101	->where('user_id = ' . $sql->quote($user_id));
102
103	try {
104	$rs = $this->con->select($sql->statement());
105	} catch (Exception $e) {
106	$err = $e->getMessage();
107	return false;
108	}
109
110	if ($rs->isEmpty()) {
111	sleep(rand(2, 5));
112	return false;
113	}
114
115	$rs->extend('rsExtUser');
116
117	if ($pwd != '') {
118	$rehash = false;
119	if (password_verify($pwd, $rs->user_pwd)) {
120	// User password ok
121	if (password_needs_rehash($rs->user_pwd, PASSWORD_DEFAULT)) {
122	$rs->user_pwd = $this->crypt($pwd);
123	$rehash = true;
124	}
125	} else {
126	// Check if pwd still stored in old fashion way
127	$ret = password_get_info($rs->user_pwd);
128	if (is_array($ret) && isset($ret['algo']) && $ret['algo'] == 0) {
129	// hash not done with password_hash() function, check by old fashion way
130	if (crypt::hmac(DC_MASTER_KEY, $pwd, DC_CRYPT_ALGO) == $rs->user_pwd) {
131	// Password Ok, need to store it in new fashion way
132	$rs->user_pwd = $this->crypt($pwd);
133	$rehash = true;
134	} else {
135	// Password KO
136	sleep(rand(2, 5));
137	return false;
138	}
139	} else {
140	// Password KO
141	sleep(rand(2, 5));
142	return false;
143	}
144	}
145	if ($rehash) {
146	// Store new hash in DB
147	$cur = $this->con->openCursor($this->user_table);
148	$cur->user_pwd = (string) $rs->user_pwd;
149
150	$sql = new dcUpdateStatement($this->core, 'coreAuthCheckUser');
151	$sql->where('user_id = ' . $sql->quote($rs->user_id));
152	$cur->update($sql->whereStatement());
153	}
154	} elseif ($user_key != '') {
155	if (http::browserUID(DC_MASTER_KEY . $rs->user_id . $this->cryptLegacy($rs->user_id)) != $user_key) {
156	return false;
157	}
158	}
159
160	$this->user_id = $rs->user_id;
161	$this->user_change_pwd = (boolean) $rs->user_change_pwd;
162	$this->user_admin = (boolean) $rs->user_super;
163
164	$this->user_info['user_pwd'] = $rs->user_pwd;
165	$this->user_info['user_name'] = $rs->user_name;
166	$this->user_info['user_firstname'] = $rs->user_firstname;
167	$this->user_info['user_displayname'] = $rs->user_displayname;
168	$this->user_info['user_email'] = $rs->user_email;
169	$this->user_info['user_url'] = $rs->user_url;
170	$this->user_info['user_default_blog'] = $rs->user_default_blog;
171	$this->user_info['user_lang'] = $rs->user_lang;
172	$this->user_info['user_tz'] = $rs->user_tz;
173	$this->user_info['user_post_status'] = $rs->user_post_status;
174	$this->user_info['user_creadt'] = $rs->user_creadt;
175	$this->user_info['user_upddt'] = $rs->user_upddt;
176
177	$this->user_info['user_cn'] = dcUtils::getUserCN($rs->user_id, $rs->user_name,
178	$rs->user_firstname, $rs->user_displayname);
179
180	$this->user_options = array_merge($this->core->userDefaults(), $rs->options());
181
182	$this->user_prefs = new dcPrefs($this->core, $this->user_id);
183
184	# Get permissions on blogs
185	if ($check_blog && ($this->findUserBlog() === false)) {
186	return false;
187	}
188	return true;
189	}
190
191	/**
192	* This method crypt given string (password, session_id, …).
193	*
194	* @param string $pwd string to be crypted
195	* @return string crypted value
196	*/
197	public function crypt($pwd)
198	{
199	return password_hash($pwd, PASSWORD_DEFAULT);
200	}
201
202	/**
203	* This method crypt given string (password, session_id, …).
204	*
205	* @param string $pwd string to be crypted
206	* @return string crypted value
207	*/
208	public function cryptLegacy($pwd)
209	{
210	return crypt::hmac(DC_MASTER_KEY, $pwd, DC_CRYPT_ALGO);
211	}
212
213	/**
214	* This method only check current user password.
215	*
216	* @param string $pwd User password
217	* @return boolean
218	*/
219	public function checkPassword($pwd)
220	{
221	if (!empty($this->user_info['user_pwd'])) {
222	return password_verify($pwd, $this->user_info['user_pwd']);
223	}
224
225	return false;
226	}
227
228	/**
229	* This method checks if user session cookie exists
230	*
231	* @return boolean
232	*/
233	public function sessionExists()
234	{
235	return isset($_COOKIE[DC_SESSION_NAME]);
236	}
237
238	/**
239	* This method checks user session validity.
240	*
241	* @return boolean
242	*/
243	public function checkSession($uid = null)
244	{
245	$this->core->session->start();
246
247	# If session does not exist, logout.
248	if (!isset($_SESSION['sess_user_id'])) {
249	$this->core->session->destroy();
250	return false;
251	}
252
253	# Check here for user and IP address
254	$this->checkUser($_SESSION['sess_user_id']);
255	$uid = $uid ?: http::browserUID(DC_MASTER_KEY);
256
257	$user_can_log = $this->userID() !== null && $uid == $_SESSION['sess_browser_uid'];
258
259	if (!$user_can_log) {
260	$this->core->session->destroy();
261	return false;
262	}
263
264	return true;
265	}
266
267	/**
268	* Checks if user must change his password in order to login.
269	*
270	* @return boolean
271	*/
272	public function mustChangePassword()
273	{
274	return $this->user_change_pwd;
275	}
276
277	/**
278	* Checks if user is super admin
279	*
280	* @return boolean
281	*/
282	public function isSuperAdmin()
283	{
284	return $this->user_admin;
285	}
286
287	/**
288	* Checks if user has permissions given in <var>$permissions</var> for blog
289	* <var>$blog_id</var>. <var>$permissions</var> is a coma separated list of
290	* permissions.
291	*
292	* @param string $permissions Permissions list
293	* @param string $blog_id Blog ID
294	* @return boolean
295	*/
296	public function check($permissions, $blog_id)
297	{
298	if ($this->user_admin) {
299	return true;
300	}
301
302	$p = array_map('trim', explode(',', $permissions));
303	$b = $this->getPermissions($blog_id);
304
305	if ($b != false) {
306	if (isset($b['admin'])) {
307	return true;
308	}
309
310	foreach ($p as $v) {
311	if (isset($b[$v])) {
312	return true;
313	}
314	}
315	}
316
317	return false;
318	}
319
320	/**
321	* Returns true if user is allowed to change its password.
322	*
323	* @return boolean
324	*/
325	public function allowPassChange()
326	{
327	return $this->allow_pass_change;
328	}
329	//@}
330
331	/// @name User code handlers
332	//@{
333	public function getUserCode()
334	{
335	$code =
336	pack('a32', $this->userID()) .
337	pack('H*', $this->crypt($this->getInfo('user_pwd')));
338	return bin2hex($code);
339	}
340
341	public function checkUserCode($code)
342	{
343	$code = @pack('H*', $code);
344
345	$user_id = trim(@pack('a32', substr($code, 0, 32)));
346	$pwd = @unpack('H*hex', substr($code, 32));
347
348	if ($user_id === false \|\| $pwd === false) {
349	return false;
350	}
351
352	$pwd = $pwd['hex'];
353
354	$strReq = 'SELECT user_id, user_pwd ' .
355	'FROM ' . $this->user_table . ' ' .
356	"WHERE user_id = '" . $this->con->escape($user_id) . "' ";
357
358	$rs = $this->con->select($strReq);
359
360	if ($rs->isEmpty()) {
361	return false;
362	}
363
364	if ($this->crypt($rs->user_pwd) != $pwd) {
365	return false;
366	}
367
368	return $rs->user_id;
369	}
370	//@}
371
372	/// @name Sudo
373	//@{
374	/**
375	* Calls $f function with super admin rights.
376	* Returns the function result.
377	*
378	* @param callback $f Callback function
379	* @return mixed
380	*/
381	public function sudo($f)
382	{
383	if (!is_callable($f)) {
384	throw new Exception($f . ' function doest not exist');
385	}
386
387	$args = func_get_args();
388	array_shift($args);
389
390	if ($this->user_admin) {
391	$res = call_user_func_array($f, $args);
392	} else {
393	$this->user_admin = true;
394	try {
395	$res = call_user_func_array($f, $args);
396	$this->user_admin = false;
397	} catch (Exception $e) {
398	$this->user_admin = false;
399	throw $e;
400	}
401	}
402
403	return $res;
404	}
405	//@}
406
407	/// @name User information and options
408	//@{
409	/**
410	* Returns user permissions for a blog as an array which looks like:
411	*
412	* - [blog_id]
413	* - [permission] => true
414	* - ...
415	*
416	* @param string $blog_id Blog ID
417	* @return array
418	*/
419	public function getPermissions($blog_id)
420	{
421	if (isset($this->blogs[$blog_id])) {
422	return $this->blogs[$blog_id];
423	}
424
425	if ($this->user_admin) {
426	$strReq = 'SELECT blog_id ' .
427	'from ' . $this->blog_table . ' ' .
428	"WHERE blog_id = '" . $this->con->escape($blog_id) . "' ";
429	$rs = $this->con->select($strReq);
430
431	$this->blogs[$blog_id] = $rs->isEmpty() ? false : array('admin' => true);
432
433	return $this->blogs[$blog_id];
434	}
435
436	$strReq = 'SELECT permissions ' .
437	'FROM ' . $this->perm_table . ' ' .
438	"WHERE user_id = '" . $this->con->escape($this->user_id) . "' " .
439	"AND blog_id = '" . $this->con->escape($blog_id) . "' " .
440	"AND (permissions LIKE '%\|usage\|%' OR permissions LIKE '%\|admin\|%' OR permissions LIKE '%\|contentadmin\|%') ";
441	$rs = $this->con->select($strReq);
442
443	$this->blogs[$blog_id] = $rs->isEmpty() ? false : $this->parsePermissions($rs->permissions);
444
445	return $this->blogs[$blog_id];
446	}
447
448	public function getBlogCount()
449	{
450	if ($this->blog_count === null) {
451	$this->blog_count = $this->core->getBlogs(array(), true)->f(0);
452	}
453
454	return $this->blog_count;
455	}
456
457	public function findUserBlog($blog_id = null)
458	{
459	if ($blog_id && $this->getPermissions($blog_id) !== false) {
460	return $blog_id;
461	} else {
462	if ($this->user_admin) {
463	$strReq = 'SELECT blog_id ' .
464	'FROM ' . $this->blog_table . ' ' .
465	'ORDER BY blog_id ASC ' .
466	$this->con->limit(1);
467	} else {
468	$strReq = 'SELECT P.blog_id ' .
469	'FROM ' . $this->perm_table . ' P, ' . $this->blog_table . ' B ' .
470	"WHERE user_id = '" . $this->con->escape($this->user_id) . "' " .
471	"AND P.blog_id = B.blog_id " .
472	"AND (permissions LIKE '%\|usage\|%' OR permissions LIKE '%\|admin\|%' OR permissions LIKE '%\|contentadmin\|%') " .
473	"AND blog_status >= 0 " .
474	'ORDER BY P.blog_id ASC ' .
475	$this->con->limit(1);
476	}
477
478	$rs = $this->con->select($strReq);
479	if (!$rs->isEmpty()) {
480	return $rs->blog_id;
481	}
482	}
483
484	return false;
485	}
486
487	/**
488	* Returns current user ID
489	*
490	* @return string
491	*/
492	public function userID()
493	{
494	return $this->user_id;
495	}
496
497	/**
498	* Returns information about a user .
499	*
500	* @param string $n Information name
501	* @return string
502	*/
503	public function getInfo($n)
504	{
505	if (isset($this->user_info[$n])) {
506	return $this->user_info[$n];
507	}
508
509	return;
510	}
511
512	/**
513	* Returns a specific user option
514	*
515	* @param string $n Option name
516	* @return string
517	*/
518	public function getOption($n)
519	{
520	if (isset($this->user_options[$n])) {
521	return $this->user_options[$n];
522	}
523	return;
524	}
525
526	/**
527	* Returns all user options in an associative array.
528	*
529	* @return array
530	*/
531	public function getOptions()
532	{
533	return $this->user_options;
534	}
535	//@}
536
537	/// @name Permissions
538	//@{
539	/**
540	* Returns an array with permissions parsed from the string <var>$level</var>
541	*
542	* @param string $level Permissions string
543	* @return array
544	*/
545	public function parsePermissions($level)
546	{
547	$level = preg_replace('/^\\|/', '', $level);
548	$level = preg_replace('/\\|$/', '', $level);
549
550	$res = array();
551	foreach (explode('\|', $level) as $v) {
552	$res[$v] = true;
553	}
554	return $res;
555	}
556
557	/**
558	* Returns <var>perm_types</var> property content.
559	*
560	* @return array
561	*/
562	public function getPermissionsTypes()
563	{
564	return $this->perm_types;
565	}
566
567	/**
568	* Adds a new permission type.
569	*
570	* @param string $name Permission name
571	* @param string $title Permission title
572	*/
573	public function setPermissionType($name, $title)
574	{
575	$this->perm_types[$name] = $title;
576	}
577	//@}
578
579	/// @name Password recovery
580	//@{
581	/**
582	* Add a recover key to a specific user identified by its email and
583	* password.
584	*
585	* @param string $user_id User ID
586	* @param string $user_email User Email
587	* @return string
588	*/
589	public function setRecoverKey($user_id, $user_email)
590	{
591	$strReq = 'SELECT user_id ' .
592	'FROM ' . $this->user_table . ' ' .
593	"WHERE user_id = '" . $this->con->escape($user_id) . "' " .
594	"AND user_email = '" . $this->con->escape($user_email) . "' ";
595
596	$rs = $this->con->select($strReq);
597
598	if ($rs->isEmpty()) {
599	throw new Exception(__('That user does not exist in the database.'));
600	}
601
602	$key = md5(uniqid('', true));
603
604	$cur = $this->con->openCursor($this->user_table);
605	$cur->user_recover_key = $key;
606
607	$cur->update("WHERE user_id = '" . $this->con->escape($user_id) . "'");
608
609	return $key;
610	}
611
612	/**
613	* Creates a new user password using recovery key. Returns an array:
614	*
615	* - user_email
616	* - user_id
617	* - new_pass
618	*
619	* @param string $recover_key Recovery key
620	* @return array
621	*/
622	public function recoverUserPassword($recover_key)
623	{
624	$sql = new dcSelectStatement($this->core, 'coreAuthRecoverUserPwd');
625	$sql
626	->columns(array('user_id', 'user_email'))
627	->from($this->user_table)
628	->where('user_recover_key = ' . $sql->quote($recover_key));
629
630	$rs = $this->con->select($strReq);
631
632	if ($rs->isEmpty()) {
633	throw new Exception(__('That key does not exist in the database.'));
634	}
635
636	$new_pass = crypt::createPassword();
637
638	$cur = $this->con->openCursor($this->user_table);
639	$cur->user_pwd = $this->crypt($new_pass);
640	$cur->user_recover_key = null;
641	$cur->user_change_pwd = 1; // User will have to change this temporary password at next login
642
643	$sql = new dcUpdateStatement($this->core, 'coreAuthRecoverUserPwd');
644	$sql->where('user_recover_key = ' . $sql->quote($recover_key));
645	$cur->update($sql->whereStatement());
646
647	return array('user_email' => $rs->user_email, 'user_id' => $rs->user_id, 'new_pass' => $new_pass);
648	}
649	//@}
650
651	/** @name User management callbacks
652	This 3 functions only matter if you extend this class and use
653	DC_AUTH_CLASS constant.
654	These are called after core user management functions.
655	Could be useful if you need to add/update/remove stuff in your
656	LDAP directory or other third party authentication database.
657	*/
658	//@{
659
660	/**
661	* Called after core->addUser
662	* @see dcCore::addUser
663	* @param cursor $cur User cursor
664	*/
665	public function afterAddUser($cur)
666	{}
667
668	/**
669	* Called after core->updUser
670	* @see dcCore::updUser
671	* @param string $id User ID
672	* @param cursor $cur User cursor
673	*/
674	public function afterUpdUser($id, $cur)
675	{}
676
677	/**
678	* Called after core->delUser
679	* @see dcCore::delUser
680	* @param string $id User ID
681	*/
682	public function afterDelUser($id)
683	{}
684	//@}
685	}

Note: See TracBrowser for help on using the repository browser.

Dotclear

Context Navigation

source: inc/core/class.dc.auth.php @ 3761:849987324197

Download in other formats:

Sites map