class.dc.auth.php @ 3874:ab8368569446

Visit:

Revision 3874:ab8368569446, 19.4 KB checked in by franck <carnet.franck.paul@…>, 7 years ago (diff)
short notation for array (array() → [])

Line
1	<?php
2	/**
3	* @brief Authentication and user credentials management
4	*
5	* dcAuth is a class used to handle everything related to user authentication
6	* and credentials. Object is provided by dcCore $auth property.
7	*
8	* @package Dotclear
9	* @subpackage Core
10	*
11	* @copyright Olivier Meunier & Association Dotclear
12	* @copyright GPL-2.0-only
13	*/
14
15	if (!defined('DC_RC_PATH')) {return;}
16
17	class dcAuth
18	{
19	/** @var dcCore dcCore instance */
20	protected $core;
21	/** @var connection Database connection object */
22	protected $con;
23
24	/** @var string User table name */
25	protected $user_table;
26	/** @var string Perm table name */
27	protected $perm_table;
28
29	/** @var string Current user ID */
30	protected $user_id;
31	/** @var array Array with user information */
32	protected $user_info = [];
33	/** @var array Array with user options */
34	protected $user_options = [];
35	/** @var boolean User must change his password after login */
36	protected $user_change_pwd;
37	/** @var boolean User is super admin */
38	protected $user_admin;
39	/** @var array Permissions for each blog */
40	protected $permissions = [];
41	/** @var boolean User can change its password */
42	protected $allow_pass_change = true;
43	/** @var array List of blogs on which the user has permissions */
44	protected $blogs = [];
45	/** @var integer Count of user blogs */
46	public $blog_count = null;
47
48	/** @var array Permission types */
49	protected $perm_types;
50
51	/** @var dcPrefs dcPrefs object */
52	public $user_prefs;
53
54	/**
55	* Class constructor. Takes dcCore object as single argument.
56	*
57	* @param dcCore $core dcCore object
58	*/
59	public function __construct($core)
60	{
61	$this->core = &$core;
62	$this->con = &$core->con;
63	$this->blog_table = $core->prefix . 'blog';
64	$this->user_table = $core->prefix . 'user';
65	$this->perm_table = $core->prefix . 'permissions';
66
67	$this->perm_types = [
68	'admin' => __('administrator'),
69	'usage' => __('manage their own entries and comments'),
70	'publish' => __('publish entries and comments'),
71	'delete' => __('delete entries and comments'),
72	'contentadmin' => __('manage all entries and comments'),
73	'categories' => __('manage categories'),
74	'media' => __('manage their own media items'),
75	'media_admin' => __('manage all media items')
76	];
77	}
78
79	/// @name Credentials and user permissions
80	//@{
81	/**
82	* Checks if user exists and can log in. <var>$pwd</var> argument is optionnal
83	* while you may need to check user without password. This method will create
84	* credentials and populate all needed object properties.
85	*
86	* @param string $user_id User ID
87	* @param string $pwd User password
88	* @param string $user_key User key check
89	* @param boolean $check_blog checks if user is associated to a blog or not.
90	* @return boolean
91	*/
92	public function checkUser($user_id, $pwd = null, $user_key = null, $check_blog = true)
93	{
94	# Check user and password
95	$strReq = 'SELECT user_id, user_super, user_pwd, user_change_pwd, ' .
96	'user_name, user_firstname, user_displayname, user_email, ' .
97	'user_url, user_default_blog, user_options, ' .
98	'user_lang, user_tz, user_post_status, user_creadt, user_upddt ' .
99	'FROM ' . $this->con->escapeSystem($this->user_table) . ' ' .
100	"WHERE user_id = '" . $this->con->escape($user_id) . "' ";
101
102	try {
103	$rs = $this->con->select($strReq);
104	} catch (Exception $e) {
105	$err = $e->getMessage();
106	return false;
107	}
108
109	if ($rs->isEmpty()) {
110	sleep(rand(2, 5));
111	return false;
112	}
113
114	$rs->extend('rsExtUser');
115
116	if ($pwd != '') {
117	$rehash = false;
118	if (password_verify($pwd, $rs->user_pwd)) {
119	// User password ok
120	if (password_needs_rehash($rs->user_pwd, PASSWORD_DEFAULT)) {
121	$rs->user_pwd = $this->crypt($pwd);
122	$rehash = true;
123	}
124	} else {
125	// Check if pwd still stored in old fashion way
126	$ret = password_get_info($rs->user_pwd);
127	if (is_array($ret) && isset($ret['algo']) && $ret['algo'] == 0) {
128	// hash not done with password_hash() function, check by old fashion way
129	if (crypt::hmac(DC_MASTER_KEY, $pwd, DC_CRYPT_ALGO) == $rs->user_pwd) {
130	// Password Ok, need to store it in new fashion way
131	$rs->user_pwd = $this->crypt($pwd);
132	$rehash = true;
133	} else {
134	// Password KO
135	sleep(rand(2, 5));
136	return false;
137	}
138	} else {
139	// Password KO
140	sleep(rand(2, 5));
141	return false;
142	}
143	}
144	if ($rehash) {
145	// Store new hash in DB
146	$cur = $this->con->openCursor($this->user_table);
147	$cur->user_pwd = (string) $rs->user_pwd;
148	$cur->update("WHERE user_id = '" . $rs->user_id . "'");
149	}
150	} elseif ($user_key != '') {
151	if (http::browserUID(DC_MASTER_KEY . $rs->user_id . $this->cryptLegacy($rs->user_id)) != $user_key) {
152	return false;
153	}
154	}
155
156	$this->user_id = $rs->user_id;
157	$this->user_change_pwd = (boolean) $rs->user_change_pwd;
158	$this->user_admin = (boolean) $rs->user_super;
159
160	$this->user_info['user_pwd'] = $rs->user_pwd;
161	$this->user_info['user_name'] = $rs->user_name;
162	$this->user_info['user_firstname'] = $rs->user_firstname;
163	$this->user_info['user_displayname'] = $rs->user_displayname;
164	$this->user_info['user_email'] = $rs->user_email;
165	$this->user_info['user_url'] = $rs->user_url;
166	$this->user_info['user_default_blog'] = $rs->user_default_blog;
167	$this->user_info['user_lang'] = $rs->user_lang;
168	$this->user_info['user_tz'] = $rs->user_tz;
169	$this->user_info['user_post_status'] = $rs->user_post_status;
170	$this->user_info['user_creadt'] = $rs->user_creadt;
171	$this->user_info['user_upddt'] = $rs->user_upddt;
172
173	$this->user_info['user_cn'] = dcUtils::getUserCN($rs->user_id, $rs->user_name,
174	$rs->user_firstname, $rs->user_displayname);
175
176	$this->user_options = array_merge($this->core->userDefaults(), $rs->options());
177
178	$this->user_prefs = new dcPrefs($this->core, $this->user_id);
179
180	# Get permissions on blogs
181	if ($check_blog && ($this->findUserBlog() === false)) {
182	return false;
183	}
184	return true;
185	}
186
187	/**
188	* This method crypt given string (password, session_id, …).
189	*
190	* @param string $pwd string to be crypted
191	* @return string crypted value
192	*/
193	public function crypt($pwd)
194	{
195	return password_hash($pwd, PASSWORD_DEFAULT);
196	}
197
198	/**
199	* This method crypt given string (password, session_id, …).
200	*
201	* @param string $pwd string to be crypted
202	* @return string crypted value
203	*/
204	public function cryptLegacy($pwd)
205	{
206	return crypt::hmac(DC_MASTER_KEY, $pwd, DC_CRYPT_ALGO);
207	}
208
209	/**
210	* This method only check current user password.
211	*
212	* @param string $pwd User password
213	* @return boolean
214	*/
215	public function checkPassword($pwd)
216	{
217	if (!empty($this->user_info['user_pwd'])) {
218	return password_verify($pwd, $this->user_info['user_pwd']);
219	}
220
221	return false;
222	}
223
224	/**
225	* This method checks if user session cookie exists
226	*
227	* @return boolean
228	*/
229	public function sessionExists()
230	{
231	return isset($_COOKIE[DC_SESSION_NAME]);
232	}
233
234	/**
235	* This method checks user session validity.
236	*
237	* @return boolean
238	*/
239	public function checkSession($uid = null)
240	{
241	$this->core->session->start();
242
243	# If session does not exist, logout.
244	if (!isset($_SESSION['sess_user_id'])) {
245	$this->core->session->destroy();
246	return false;
247	}
248
249	# Check here for user and IP address
250	$this->checkUser($_SESSION['sess_user_id']);
251	$uid = $uid ?: http::browserUID(DC_MASTER_KEY);
252
253	$user_can_log = $this->userID() !== null && $uid == $_SESSION['sess_browser_uid'];
254
255	if (!$user_can_log) {
256	$this->core->session->destroy();
257	return false;
258	}
259
260	return true;
261	}
262
263	/**
264	* Checks if user must change his password in order to login.
265	*
266	* @return boolean
267	*/
268	public function mustChangePassword()
269	{
270	return $this->user_change_pwd;
271	}
272
273	/**
274	* Checks if user is super admin
275	*
276	* @return boolean
277	*/
278	public function isSuperAdmin()
279	{
280	return $this->user_admin;
281	}
282
283	/**
284	* Checks if user has permissions given in <var>$permissions</var> for blog
285	* <var>$blog_id</var>. <var>$permissions</var> is a coma separated list of
286	* permissions.
287	*
288	* @param string $permissions Permissions list
289	* @param string $blog_id Blog ID
290	* @return boolean
291	*/
292	public function check($permissions, $blog_id)
293	{
294	if ($this->user_admin) {
295	return true;
296	}
297
298	$p = array_map('trim', explode(',', $permissions));
299	$b = $this->getPermissions($blog_id);
300
301	if ($b != false) {
302	if (isset($b['admin'])) {
303	return true;
304	}
305
306	foreach ($p as $v) {
307	if (isset($b[$v])) {
308	return true;
309	}
310	}
311	}
312
313	return false;
314	}
315
316	/**
317	* Returns true if user is allowed to change its password.
318	*
319	* @return boolean
320	*/
321	public function allowPassChange()
322	{
323	return $this->allow_pass_change;
324	}
325	//@}
326
327	/// @name User code handlers
328	//@{
329	public function getUserCode()
330	{
331	$code =
332	pack('a32', $this->userID()) .
333	pack('H*', $this->crypt($this->getInfo('user_pwd')));
334	return bin2hex($code);
335	}
336
337	public function checkUserCode($code)
338	{
339	$code = @pack('H*', $code);
340
341	$user_id = trim(@pack('a32', substr($code, 0, 32)));
342	$pwd = @unpack('H*hex', substr($code, 32));
343
344	if ($user_id === false \|\| $pwd === false) {
345	return false;
346	}
347
348	$pwd = $pwd['hex'];
349
350	$strReq = 'SELECT user_id, user_pwd ' .
351	'FROM ' . $this->user_table . ' ' .
352	"WHERE user_id = '" . $this->con->escape($user_id) . "' ";
353
354	$rs = $this->con->select($strReq);
355
356	if ($rs->isEmpty()) {
357	return false;
358	}
359
360	if ($this->crypt($rs->user_pwd) != $pwd) {
361	return false;
362	}
363
364	return $rs->user_id;
365	}
366	//@}
367
368	/// @name Sudo
369	//@{
370	/**
371	* Calls $f function with super admin rights.
372	* Returns the function result.
373	*
374	* @param callback $f Callback function
375	* @return mixed
376	*/
377	public function sudo($f, ...$args)
378	{
379	if (!is_callable($f)) {
380	throw new Exception($f . ' function doest not exist');
381	}
382
383	if ($this->user_admin) {
384	$res = call_user_func_array($f, $args);
385	} else {
386	$this->user_admin = true;
387	try {
388	$res = call_user_func_array($f, $args);
389	$this->user_admin = false;
390	} catch (Exception $e) {
391	$this->user_admin = false;
392	throw $e;
393	}
394	}
395
396	return $res;
397	}
398	//@}
399
400	/// @name User information and options
401	//@{
402	/**
403	* Returns user permissions for a blog as an array which looks like:
404	*
405	* - [blog_id]
406	* - [permission] => true
407	* - ...
408	*
409	* @param string $blog_id Blog ID
410	* @return array
411	*/
412	public function getPermissions($blog_id)
413	{
414	if (isset($this->blogs[$blog_id])) {
415	return $this->blogs[$blog_id];
416	}
417
418	if ($this->user_admin) {
419	$strReq = 'SELECT blog_id ' .
420	'from ' . $this->blog_table . ' ' .
421	"WHERE blog_id = '" . $this->con->escape($blog_id) . "' ";
422	$rs = $this->con->select($strReq);
423
424	$this->blogs[$blog_id] = $rs->isEmpty() ? false : ['admin' => true];
425
426	return $this->blogs[$blog_id];
427	}
428
429	$strReq = 'SELECT permissions ' .
430	'FROM ' . $this->perm_table . ' ' .
431	"WHERE user_id = '" . $this->con->escape($this->user_id) . "' " .
432	"AND blog_id = '" . $this->con->escape($blog_id) . "' " .
433	"AND (permissions LIKE '%\|usage\|%' OR permissions LIKE '%\|admin\|%' OR permissions LIKE '%\|contentadmin\|%') ";
434	$rs = $this->con->select($strReq);
435
436	$this->blogs[$blog_id] = $rs->isEmpty() ? false : $this->parsePermissions($rs->permissions);
437
438	return $this->blogs[$blog_id];
439	}
440
441	public function getBlogCount()
442	{
443	if ($this->blog_count === null) {
444	$this->blog_count = $this->core->getBlogs([], true)->f(0);
445	}
446
447	return $this->blog_count;
448	}
449
450	public function findUserBlog($blog_id = null)
451	{
452	if ($blog_id && $this->getPermissions($blog_id) !== false) {
453	return $blog_id;
454	} else {
455	if ($this->user_admin) {
456	$strReq = 'SELECT blog_id ' .
457	'FROM ' . $this->blog_table . ' ' .
458	'ORDER BY blog_id ASC ' .
459	$this->con->limit(1);
460	} else {
461	$strReq = 'SELECT P.blog_id ' .
462	'FROM ' . $this->perm_table . ' P, ' . $this->blog_table . ' B ' .
463	"WHERE user_id = '" . $this->con->escape($this->user_id) . "' " .
464	"AND P.blog_id = B.blog_id " .
465	"AND (permissions LIKE '%\|usage\|%' OR permissions LIKE '%\|admin\|%' OR permissions LIKE '%\|contentadmin\|%') " .
466	"AND blog_status >= 0 " .
467	'ORDER BY P.blog_id ASC ' .
468	$this->con->limit(1);
469	}
470
471	$rs = $this->con->select($strReq);
472	if (!$rs->isEmpty()) {
473	return $rs->blog_id;
474	}
475	}
476
477	return false;
478	}
479
480	/**
481	* Returns current user ID
482	*
483	* @return string
484	*/
485	public function userID()
486	{
487	return $this->user_id;
488	}
489
490	/**
491	* Returns information about a user .
492	*
493	* @param string $n Information name
494	* @return string
495	*/
496	public function getInfo($n)
497	{
498	if (isset($this->user_info[$n])) {
499	return $this->user_info[$n];
500	}
501
502	return;
503	}
504
505	/**
506	* Returns a specific user option
507	*
508	* @param string $n Option name
509	* @return string
510	*/
511	public function getOption($n)
512	{
513	if (isset($this->user_options[$n])) {
514	return $this->user_options[$n];
515	}
516	return;
517	}
518
519	/**
520	* Returns all user options in an associative array.
521	*
522	* @return array
523	*/
524	public function getOptions()
525	{
526	return $this->user_options;
527	}
528	//@}
529
530	/// @name Permissions
531	//@{
532	/**
533	* Returns an array with permissions parsed from the string <var>$level</var>
534	*
535	* @param string $level Permissions string
536	* @return array
537	*/
538	public function parsePermissions($level)
539	{
540	$level = preg_replace('/^\\|/', '', $level);
541	$level = preg_replace('/\\|$/', '', $level);
542
543	$res = [];
544	foreach (explode('\|', $level) as $v) {
545	$res[$v] = true;
546	}
547	return $res;
548	}
549
550	/**
551	* Returns <var>perm_types</var> property content.
552	*
553	* @return array
554	*/
555	public function getPermissionsTypes()
556	{
557	return $this->perm_types;
558	}
559
560	/**
561	* Adds a new permission type.
562	*
563	* @param string $name Permission name
564	* @param string $title Permission title
565	*/
566	public function setPermissionType($name, $title)
567	{
568	$this->perm_types[$name] = $title;
569	}
570	//@}
571
572	/// @name Password recovery
573	//@{
574	/**
575	* Add a recover key to a specific user identified by its email and
576	* password.
577	*
578	* @param string $user_id User ID
579	* @param string $user_email User Email
580	* @return string
581	*/
582	public function setRecoverKey($user_id, $user_email)
583	{
584	$strReq = 'SELECT user_id ' .
585	'FROM ' . $this->user_table . ' ' .
586	"WHERE user_id = '" . $this->con->escape($user_id) . "' " .
587	"AND user_email = '" . $this->con->escape($user_email) . "' ";
588
589	$rs = $this->con->select($strReq);
590
591	if ($rs->isEmpty()) {
592	throw new Exception(__('That user does not exist in the database.'));
593	}
594
595	$key = md5(uniqid('', true));
596
597	$cur = $this->con->openCursor($this->user_table);
598	$cur->user_recover_key = $key;
599
600	$cur->update("WHERE user_id = '" . $this->con->escape($user_id) . "'");
601
602	return $key;
603	}
604
605	/**
606	* Creates a new user password using recovery key. Returns an array:
607	*
608	* - user_email
609	* - user_id
610	* - new_pass
611	*
612	* @param string $recover_key Recovery key
613	* @return array
614	*/
615	public function recoverUserPassword($recover_key)
616	{
617	$strReq = 'SELECT user_id, user_email ' .
618	'FROM ' . $this->user_table . ' ' .
619	"WHERE user_recover_key = '" . $this->con->escape($recover_key) . "' ";
620
621	$rs = $this->con->select($strReq);
622
623	if ($rs->isEmpty()) {
624	throw new Exception(__('That key does not exist in the database.'));
625	}
626
627	$new_pass = crypt::createPassword();
628
629	$cur = $this->con->openCursor($this->user_table);
630	$cur->user_pwd = $this->crypt($new_pass);
631	$cur->user_recover_key = null;
632	$cur->user_change_pwd = 1; // User will have to change this temporary password at next login
633
634	$cur->update("WHERE user_recover_key = '" . $this->con->escape($recover_key) . "'");
635
636	return ['user_email' => $rs->user_email, 'user_id' => $rs->user_id, 'new_pass' => $new_pass];
637	}
638	//@}
639
640	/** @name User management callbacks
641	This 3 functions only matter if you extend this class and use
642	DC_AUTH_CLASS constant.
643	These are called after core user management functions.
644	Could be useful if you need to add/update/remove stuff in your
645	LDAP directory or other third party authentication database.
646	*/
647	//@{
648
649	/**
650	* Called after core->addUser
651	* @see dcCore::addUser
652	* @param cursor $cur User cursor
653	*/
654	public function afterAddUser($cur)
655	{}
656
657	/**
658	* Called after core->updUser
659	* @see dcCore::updUser
660	* @param string $id User ID
661	* @param cursor $cur User cursor
662	*/
663	public function afterUpdUser($id, $cur)
664	{}
665
666	/**
667	* Called after core->delUser
668	* @see dcCore::delUser
669	* @param string $id User ID
670	*/
671	public function afterDelUser($id)
672	{}
673	//@}
674	}

Note: See TracBrowser for help on using the repository browser.

Dotclear

Context Navigation

source: inc/core/class.dc.auth.php @ 3874:ab8368569446

Download in other formats:

Sites map