/**
* Creates a user with provided auth data
*
* @param array $authResult
*
* @return bool|eZUser
*/
public static function createUser($authResult)
{
$ngConnectINI = eZINI::instance('ngconnect.ini');
$siteINI = eZINI::instance('site.ini');
$defaultUserPlacement = $ngConnectINI->variable('LoginMethod_' . $authResult['login_method'], 'DefaultUserPlacement');
$placementNode = eZContentObjectTreeNode::fetch($defaultUserPlacement);
if (!$placementNode instanceof eZContentObjectTreeNode) {
$defaultUserPlacement = $siteINI->variable('UserSettings', 'DefaultUserPlacement');
$placementNode = eZContentObjectTreeNode::fetch($defaultUserPlacement);
if (!$placementNode instanceof eZContentObjectTreeNode) {
return false;
}
}
$contentClass = eZContentClass::fetch($siteINI->variable('UserSettings', 'UserClassID'));
$userCreatorID = $siteINI->variable('UserSettings', 'UserCreatorID');
$defaultSectionID = $siteINI->variable('UserSettings', 'DefaultSectionID');
$db = eZDB::instance();
$db->begin();
$contentObject = $contentClass->instantiate($userCreatorID, $defaultSectionID);
$contentObject->store();
$nodeAssignment = eZNodeAssignment::create(array('contentobject_id' => $contentObject->attribute('id'), 'contentobject_version' => 1, 'parent_node' => $placementNode->attribute('node_id'), 'is_main' => 1));
$nodeAssignment->store();
$currentTimeStamp = eZDateTime::currentTimeStamp();
/** @var eZContentObjectVersion $version */
$version = $contentObject->currentVersion();
$version->setAttribute('modified', $currentTimeStamp);
$version->setAttribute('status', eZContentObjectVersion::STATUS_DRAFT);
$version->store();
$dataMap = $version->dataMap();
self::fillUserObject($version->dataMap(), $authResult);
if (!isset($dataMap['user_account'])) {
$db->rollback();
return false;
}
$userLogin = '******' . $authResult['login_method'] . '_' . $authResult['id'];
$userPassword = (string) rand() . 'ngconnect_' . $authResult['login_method'] . '_' . $authResult['id'] . (string) rand();
$userExists = false;
if (eZUser::requireUniqueEmail()) {
$userExists = eZUser::fetchByEmail($authResult['email']) instanceof eZUser;
}
if (empty($authResult['email']) || $userExists) {
$email = md5('ngconnect_' . $authResult['login_method'] . '_' . $authResult['id']) . '@localhost.local';
} else {
$email = $authResult['email'];
}
$user = new eZUser(array('contentobject_id' => $contentObject->attribute('id'), 'email' => $email, 'login' => $userLogin, 'password_hash' => md5("{$userLogin}\n{$userPassword}"), 'password_hash_type' => 1));
$user->store();
$userSetting = new eZUserSetting(array('is_enabled' => true, 'max_login' => 0, 'user_id' => $contentObject->attribute('id')));
$userSetting->store();
$dataMap['user_account']->setContent($user);
$dataMap['user_account']->store();
$operationResult = eZOperationHandler::execute('content', 'publish', array('object_id' => $contentObject->attribute('id'), 'version' => $version->attribute('version')));
if (array_key_exists('status', $operationResult) && $operationResult['status'] == eZModuleOperationInfo::STATUS_CONTINUE) {
$db->commit();
return $user;
}
$db->rollback();
return false;
}
/**
* (called for each obj attribute)
*/
public function checkObjectAttribute(array $contentObjectAttribute)
{
// we adopt the ez api instead of acting on raw data
$contentObjectAttribute = new eZContentObjectAttribute($contentObjectAttribute);
// for ezuser datatype, the user is always created even if attribute is set to nullable...
$warnings = array();
$userid = $contentObjectAttribute->attribute('contentobject_id');
$user = $contentObjectAttribute->attribute('content');
if (!$user) {
$warnings[] = "No ezuser {$userid} found" . $this->postfixErrorMsg($contentObjectAttribute);
}
$settings = eZUserSetting::fetch($userid);
if (!$settings) {
$warnings[] = "No settings found for user {$userid}" . $this->postfixErrorMsg($contentObjectAttribute);
}
return $warnings;
}
static function removeByUserID($userID)
{
eZPersistentObject::removeObject(eZUserSetting::definition(), array('user_id' => $userID));
}
function isEnabled($useCache = true)
{
if (isset($this->UserCache['info'][$this->ContentObjectID]['is_enabled']) && $useCache) {
return $this->UserCache['info'][$this->ContentObjectID]['is_enabled'];
}
$setting = eZUserSetting::fetch($this->attribute('contentobject_id'));
if ($setting and !$setting->attribute('is_enabled')) {
return false;
}
return true;
}
function isEnabled()
{
if ($this == eZUser::currentUser()) {
return true;
}
$setting = eZUserSetting::fetch($this->attribute('contentobject_id'));
if ($setting and !$setting->attribute('is_enabled')) {
return false;
}
return true;
}
private function updateUserStatus( $enabled = true )
{
$userSetting = eZUserSetting::fetch(
$this->userObject->attribute( 'id' )
);
$userSetting->setAttribute( 'is_enabled', (int)$enabled );
$userSetting->store();
$eZUser = eZUser::fetch( $this->userObject->attribute( 'id' ) );
if( $enabled )
$this->assertTrue( $eZUser->isEnabled() );
else
$this->assertFalse( $eZUser->isEnabled() );
}
/**
* Activate user with user or deactivate and create new eZUserAccountKey with user hash
* depending on $enableUser being true or not.
*
* @param int $userID
* @param string $userHash
* @param bool $enableUser
*
* @return array An array with operation status, always true if userID is ok
*/
public static function activation($userID, $userHash, $enableUser = false)
{
$user = eZUser::fetch($userID);
$userSetting = eZUserSetting::fetch($userID);
if ($user && $userSetting) {
$userChange = $userSetting->attribute('is_enabled') != $enableUser;
if ($enableUser) {
$userSetting->setAttribute('is_enabled', 1);
$userSetting->store();
eZUserAccountKey::removeByUserID($userID);
} else {
$userSetting->setAttribute('is_enabled', 0);
$userSetting->store();
$accountKey = eZUserAccountKey::createNew($userID, $userHash, time());
$accountKey->store();
}
if ($userChange) {
if (!$enableUser) {
eZUser::removeSessionData($userID);
}
eZContentCacheManager::clearContentCacheIfNeeded($userID);
}
return array('status' => true);
} else {
eZDebug::writeError("Failed to activate user {$userID} (could not fetch)", __METHOD__);
return array('status' => false);
}
}
* @package kernel
*/
$Module = $Params['Module'];
if (isset($Params["UserID"])) {
$UserID = $Params["UserID"];
}
$http = eZHTTPTool::instance();
$user = eZUser::fetch($UserID);
if (!$user) {
return $Module->handleError(eZError::KERNEL_NOT_AVAILABLE, 'kernel');
}
$userObject = $user->attribute('contentobject');
if (!$userObject) {
return $Module->handleError(eZError::KERNEL_NOT_AVAILABLE, 'kernel');
}
$userSetting = eZUserSetting::fetch($UserID);
if ($http->hasPostVariable("UpdateSettingButton")) {
$isEnabled = 0;
if ($http->hasPostVariable('max_login')) {
$maxLogin = $http->postVariable('max_login');
} else {
$maxLogin = $userSetting->attribute('max_login');
}
if ($http->hasPostVariable('is_enabled')) {
$isEnabled = 1;
}
if (eZOperationHandler::operationIsAvailable('user_setsettings')) {
$operationResult = eZOperationHandler::execute('user', 'setsettings', array('user_id' => $UserID, 'is_enabled' => $isEnabled, 'max_login' => $maxLogin));
} else {
eZUserOperationCollection::setSettings($UserID, $isEnabled, $maxLogin);
}
// execute operation to publish the user object
$publishResult = eZOperationHandler::execute('user', 'register', array('user_id' => $userID));
if ($publishResult['status'] === eZModuleOperationInfo::STATUS_HALTED) {
$isPending = true;
} else {
// Log in user
$user = eZUser::fetch($userID);
if ($user === null) {
return $Module->handleError(eZError::KERNEL_NOT_FOUND, 'kernel');
}
$user->loginCurrent();
}
} elseif ($mainNodeID) {
$userContentObject = eZContentObject::fetchByNodeID($mainNodeID);
if ($userContentObject instanceof eZContentObject) {
$userSetting = eZUserSetting::fetch($userContentObject->attribute('id'));
if ($userSetting !== null && $userSetting->attribute('is_enabled')) {
$alreadyActive = true;
}
}
}
// Template handling
$tpl = eZTemplate::factory();
$tpl->setVariable('module', $Module);
$tpl->setVariable('account_activated', $accountActivated);
$tpl->setVariable('already_active', $alreadyActive);
$tpl->setVariable('is_pending', $isPending);
// This line is deprecated, the correct name of the variable should
// be 'account_activated' as shown above.
// However it is kept for backwards compatibility.
$tpl->setVariable('account_avtivated', $accountActivated);
* File containing a script responsible for disabling user accounts with suspicious user login (containing < and >).
*
* @copyright Copyright (C) 1999-2013 eZ Systems AS. All rights reserved.
* @license http://www.gnu.org/licenses/gpl-2.0.txt GNU General Public License v2
* @version 2013.11
* @package update
*/
require 'autoload.php';
set_time_limit(0);
$cli = eZCLI::instance();
$script = eZScript::instance(array('description' => 'Script responsible for disabling user accounts with suspicious user login (containing < and >)', 'use-session' => false, 'use-modules' => false, 'use-extensions' => true));
$options = $script->getOptions('[disable]', '', array('-q' => 'Quiet mode', 'disable' => 'Disabling user accounts with suspicious user login.'));
$cli = eZCLI::instance();
$script->initialize();
$script->startup();
$db = eZDB::instance();
$rows = $db->arrayQuery("SELECT DISTINCT login FROM ezuser, ezuser_setting\n WHERE ( ezuser.login LIKE '%<%' OR ezuser.login LIKE '%>%' )\n AND ezuser.contentobject_id = ezuser_setting.user_id\n AND ezuser_setting.is_enabled = '1'");
$cli->output('Script found ' . count($rows) . ' user accounts with suspicious login.');
$cli->output('Login list');
foreach ($rows as $index => $row) {
$user = eZUser::fetchByName($row['login']);
$userSetting = eZUserSetting::fetch($user->attribute('contentobject_id'));
$cli->output($index + 1 . '. ' . $row['login']);
if ($options['disable']) {
$userSetting->setAttribute('is_enabled', 0);
$userSetting->store();
$cli->output('Disabled user account for login "' . $row['login'] . '" with ID "' . $user->attribute('contentobject_id') . "'");
}
}
$cli->output('Done.');
$script->shutdown();
/**
* Populates the user_account datatype with the correct values
* based upon the string passed in $string.
*
* The string that must be passed looks like the following :
* login|email|password_hash|hash_identifier|is_enabled
*
* Example:
* <code>
* foo|foo@ez.no|1234|md5_password|0
* </code>
*
* @param object $contentObjectAttribute A contentobject attribute of type user_account.
* @param string $string The string as described in the example.
* @return object The newly created eZUser object
*/
function fromString($contentObjectAttribute, $string)
{
if ($string == '') {
return true;
}
$userData = explode('|', $string);
if (count($userData) < 2) {
return false;
}
$login = $userData[0];
$email = $userData[1];
$userByUsername = eZUser::fetchByName($login);
if ($userByUsername && $userByUsername->attribute('contentobject_id') != $contentObjectAttribute->attribute('contentobject_id')) {
return false;
}
if (eZUser::requireUniqueEmail()) {
$userByEmail = eZUser::fetchByEmail($email);
if ($userByEmail && $userByEmail->attribute('contentobject_id') != $contentObjectAttribute->attribute('contentobject_id')) {
return false;
}
}
$user = eZUser::create($contentObjectAttribute->attribute('contentobject_id'));
$user->setAttribute('login', $login);
$user->setAttribute('email', $email);
if (isset($userData[2])) {
$user->setAttribute('password_hash', $userData[2]);
}
if (isset($userData[3])) {
$user->setAttribute('password_hash_type', eZUser::passwordHashTypeID($userData[3]));
}
if (isset($userData[4])) {
$userSetting = eZUserSetting::fetch($contentObjectAttribute->attribute('contentobject_id'));
$userSetting->setAttribute("is_enabled", (int) (bool) $userData[4]);
$userSetting->store();
}
$user->store();
return $user;
}
static function loginUser($login, $password, $authenticationMatch = false)
{
$http = eZHTTPTool::instance();
$db = eZDB::instance();
if ($authenticationMatch === false) {
$authenticationMatch = eZUser::authenticationMatch();
}
$loginEscaped = $db->escapeString($login);
$passwordEscaped = $db->escapeString($password);
$loginArray = array();
if ($authenticationMatch & eZUser::AUTHENTICATE_LOGIN) {
$loginArray[] = "login='******'";
}
if ($authenticationMatch & eZUser::AUTHENTICATE_EMAIL) {
$loginArray[] = "email='{$loginEscaped}'";
}
if (count($loginArray) == 0) {
$loginArray[] = "login='******'";
}
$loginText = implode(' OR ', $loginArray);
$contentObjectStatus = eZContentObject::STATUS_PUBLISHED;
$ini = eZINI::instance();
$textFileIni = eZINI::instance('textfile.ini');
$databaseName = $db->databaseName();
// if mysql
if ($databaseName === 'mysql') {
$query = "SELECT contentobject_id, password_hash, password_hash_type, email, login\n FROM ezuser, ezcontentobject\n WHERE ( {$loginText} ) AND\n ezcontentobject.status='{$contentObjectStatus}' AND\n ( ezcontentobject.id=contentobject_id OR ( password_hash_type=4 AND ( {$loginText} ) AND password_hash=PASSWORD('{$passwordEscaped}') ) )";
} else {
$query = "SELECT contentobject_id, password_hash, password_hash_type, email, login\n FROM ezuser, ezcontentobject\n WHERE ( {$loginText} ) AND\n ezcontentobject.status='{$contentObjectStatus}' AND\n ezcontentobject.id=contentobject_id";
}
$users = $db->arrayQuery($query);
$exists = false;
if (count($users) >= 1) {
foreach ($users as $userRow) {
$userID = $userRow['contentobject_id'];
$hashType = $userRow['password_hash_type'];
$hash = $userRow['password_hash'];
$exists = eZUser::authenticateHash($userRow['login'], $password, eZUser::site(), $hashType, $hash);
// If hash type is MySql
if ($hashType == eZUser::PASSWORD_HASH_MYSQL and $databaseName === 'mysql') {
$queryMysqlUser = "******";
$mysqlUsers = $db->arrayQuery($queryMysqlUser);
if (count($mysqlUsers) >= 1) {
$exists = true;
}
}
eZDebugSetting::writeDebug('kernel-user', eZUser::createHash($userRow['login'], $password, eZUser::site(), $hashType), "check hash");
eZDebugSetting::writeDebug('kernel-user', $hash, "stored hash");
// If current user has been disabled after a few failed login attempts.
$canLogin = eZUser::isEnabledAfterFailedLogin($userID);
if ($exists) {
// We should store userID for warning message.
$GLOBALS['eZFailedLoginAttemptUserID'] = $userID;
$userSetting = eZUserSetting::fetch($userID);
$isEnabled = $userSetting->attribute("is_enabled");
if ($hashType != eZUser::hashType() and strtolower($ini->variable('UserSettings', 'UpdateHash')) == 'true') {
$hashType = eZUser::hashType();
$hash = eZUser::createHash($login, $password, eZUser::site(), $hashType);
$db->query("UPDATE ezuser SET password_hash='{$hash}', password_hash_type='{$hashType}' WHERE contentobject_id='{$userID}'");
}
break;
}
}
}
if ($exists and $isEnabled and $canLogin) {
eZDebugSetting::writeDebug('kernel-user', $userRow, 'user row');
$user = new eZUser($userRow);
eZDebugSetting::writeDebug('kernel-user', $user, 'user');
$userID = $user->attribute('contentobject_id');
eZUser::updateLastVisit($userID);
eZUser::setCurrentlyLoggedInUser($user, $userID);
// Reset number of failed login attempts
eZUser::setFailedLoginAttempts($userID, 0);
return $user;
} else {
if ($textFileIni->variable('TextFileSettings', 'TextFileEnabled') == "true") {
$fileName = $textFileIni->variable('TextFileSettings', 'FileName');
$filePath = $textFileIni->variable('TextFileSettings', 'FilePath');
$defaultUserPlacement = $ini->variable("UserSettings", "DefaultUserPlacement");
$separator = $textFileIni->variable("TextFileSettings", "FileFieldSeparator");
$loginColumnNr = $textFileIni->variable("TextFileSettings", "LoginAttribute");
$passwordColumnNr = $textFileIni->variable("TextFileSettings", "PasswordAttribute");
$emailColumnNr = $textFileIni->variable("TextFileSettings", "EmailAttribute");
$lastNameColumnNr = $textFileIni->variable("TextFileSettings", "LastNameAttribute");
$firstNameColumnNr = $textFileIni->variable("TextFileSettings", "FirstNameAttribute");
if ($textFileIni->hasVariable('TextFileSettings', 'DefaultUserGroupType')) {
$UserGroupType = $textFileIni->variable('TextFileSettings', 'DefaultUserGroupType');
$UserGroup = $textFileIni->variable('TextFileSettings', 'DefaultUserGroup');
}
if ($UserGroupType != null) {
if ($UserGroupType == "name") {
$groupName = $UserGroup;
$groupQuery = "SELECT ezcontentobject_tree.node_id\n FROM ezcontentobject, ezcontentobject_tree\n WHERE ezcontentobject.name='{$groupName}'\n AND ezcontentobject.id=ezcontentobject_tree.contentobject_id";
$groupObject = $db->arrayQuery($groupQuery);
if (count($groupObject) > 0) {
$defaultUserPlacement = $groupObject[0]['node_id'];
}
} else {
if ($UserGroupType == "id") {
$groupID = $UserGroup;
$groupQuery = "SELECT ezcontentobject_tree.node_id\n FROM ezcontentobject, ezcontentobject_tree\n WHERE ezcontentobject.id='{$groupID}'\n AND ezcontentobject.id=ezcontentobject_tree.contentobject_id";
$groupObject = $db->arrayQuery($groupQuery);
if (count($groupObject) > 0) {
$defaultUserPlacement = $groupObject[0]['node_id'];
}
}
}
}
if ($filePath != "root" and $filePath != null) {
$fileName = $filePath . "/" . $fileName;
}
if (file_exists($fileName)) {
$handle = fopen($fileName, "r");
} else {
// Increase number of failed login attempts.
if (isset($userID)) {
eZUser::setFailedLoginAttempts($userID);
}
return false;
}
while (!feof($handle)) {
$line = trim(fgets($handle, 4096));
if ($line === '') {
continue;
}
if ($separator == "tab") {
$userArray = explode("\t", $line);
} else {
$userArray = explode($separator, $line);
}
$uid = $userArray[$loginColumnNr - 1];
$email = $userArray[$emailColumnNr - 1];
$pass = $userArray[$passwordColumnNr - 1];
$firstName = $userArray[$firstNameColumnNr - 1];
$lastName = $userArray[$lastNameColumnNr - 1];
if ($login == $uid) {
if (trim($pass) == $password) {
$createNewUser = true;
$existUser = eZUser::fetchByName($login);
if ($existUser != null) {
$createNewUser = false;
}
if ($createNewUser) {
$userClassID = $ini->variable("UserSettings", "UserClassID");
$userCreatorID = $ini->variable("UserSettings", "UserCreatorID");
$defaultSectionID = $ini->variable("UserSettings", "DefaultSectionID");
$remoteID = "TextFile_" . $login;
$db->begin();
// The content object may already exist if this process has failed once before, before the eZUser object was created.
// Therefore we try to fetch the eZContentObject before instantiating it.
$contentObject = eZContentObject::fetchByRemoteID($remoteID);
if (!is_object($contentObject)) {
$class = eZContentClass::fetch($userClassID);
$contentObject = $class->instantiate($userCreatorID, $defaultSectionID);
}
$contentObject->setAttribute('remote_id', $remoteID);
$contentObject->store();
$contentObjectID = $contentObject->attribute('id');
$userID = $contentObjectID;
$nodeAssignment = eZNodeAssignment::create(array('contentobject_id' => $contentObjectID, 'contentobject_version' => 1, 'parent_node' => $defaultUserPlacement, 'is_main' => 1));
$nodeAssignment->store();
$version = $contentObject->version(1);
$version->setAttribute('modified', time());
$version->setAttribute('status', eZContentObjectVersion::STATUS_DRAFT);
$version->store();
$contentObjectID = $contentObject->attribute('id');
$contentObjectAttributes = $version->contentObjectAttributes();
$contentObjectAttributes[0]->setAttribute('data_text', $firstName);
$contentObjectAttributes[0]->store();
$contentObjectAttributes[1]->setAttribute('data_text', $lastName);
$contentObjectAttributes[1]->store();
$user = eZUser::create($userID);
$user->setAttribute('login', $login);
$user->setAttribute('email', $email);
$user->setAttribute('password_hash', "");
$user->setAttribute('password_hash_type', 0);
$user->store();
eZUser::updateLastVisit($userID);
eZUser::setCurrentlyLoggedInUser($user, $userID);
// Reset number of failed login attempts
eZUser::setFailedLoginAttempts($userID, 0);
$operationResult = eZOperationHandler::execute('content', 'publish', array('object_id' => $contentObjectID, 'version' => 1));
$db->commit();
return $user;
} else {
$db->begin();
// Update user information
$userID = $existUser->attribute('contentobject_id');
$contentObject = eZContentObject::fetch($userID);
$parentNodeID = $contentObject->attribute('main_parent_node_id');
$currentVersion = $contentObject->attribute('current_version');
$version = $contentObject->attribute('current');
$contentObjectAttributes = $version->contentObjectAttributes();
$contentObjectAttributes[0]->setAttribute('data_text', $firstName);
$contentObjectAttributes[0]->store();
$contentObjectAttributes[1]->setAttribute('data_text', $lastName);
$contentObjectAttributes[1]->store();
$existUser = eZUser::fetch($userID);
$existUser->setAttribute('email', $email);
$existUser->setAttribute('password_hash', "");
$existUser->setAttribute('password_hash_type', 0);
$existUser->store();
if ($defaultUserPlacement != $parentNodeID) {
$newVersion = $contentObject->createNewVersion();
$newVersion->assignToNode($defaultUserPlacement, 1);
$newVersion->removeAssignment($parentNodeID);
$newVersionNr = $newVersion->attribute('version');
$operationResult = eZOperationHandler::execute('content', 'publish', array('object_id' => $userID, 'version' => $newVersionNr));
}
eZUser::updateLastVisit($userID);
eZUser::setCurrentlyLoggedInUser($existUser, $userID);
// Reset number of failed login attempts
eZUser::setFailedLoginAttempts($userID, 0);
$db->commit();
return $existUser;
}
} else {
// Increase number of failed login attempts.
if (isset($userID)) {
eZUser::setFailedLoginAttempts($userID);
}
return false;
}
}
}
fclose($handle);
}
}
// Increase number of failed login attempts.
if (isset($userID)) {
eZUser::setFailedLoginAttempts($userID);
}
return false;
}
static function loginUser($login, $password, $authenticationMatch = false)
{
$http = eZHTTPTool::instance();
$db = eZDB::instance();
if ($authenticationMatch === false) {
$authenticationMatch = eZUser::authenticationMatch();
}
$loginEscaped = $db->escapeString($login);
$passwordEscaped = $db->escapeString($password);
$loginLdapEscaped = self::ldap_escape($login);
$loginArray = array();
if ($authenticationMatch & eZUser::AUTHENTICATE_LOGIN) {
$loginArray[] = "login='******'";
}
if ($authenticationMatch & eZUser::AUTHENTICATE_EMAIL) {
$loginArray[] = "email='{$loginEscaped}'";
}
if (count($loginArray) == 0) {
$loginArray[] = "login='******'";
}
$loginText = implode(' OR ', $loginArray);
$contentObjectStatus = eZContentObject::STATUS_PUBLISHED;
$ini = eZINI::instance();
$LDAPIni = eZINI::instance('ldap.ini');
$databaseName = $db->databaseName();
// if mysql
if ($databaseName === 'mysql') {
$query = "SELECT contentobject_id, password_hash, password_hash_type, email, login\n FROM ezuser, ezcontentobject\n WHERE ( {$loginText} ) AND\n ezcontentobject.status='{$contentObjectStatus}' AND\n ( ezcontentobject.id=contentobject_id OR ( password_hash_type=4 AND ( {$loginText} ) AND password_hash=PASSWORD('{$passwordEscaped}') ) )";
} else {
$query = "SELECT contentobject_id, password_hash, password_hash_type, email, login\n FROM ezuser, ezcontentobject\n WHERE ( {$loginText} ) AND\n ezcontentobject.status='{$contentObjectStatus}' AND\n ezcontentobject.id=contentobject_id";
}
$users = $db->arrayQuery($query);
$exists = false;
if (count($users) >= 1) {
foreach ($users as $userRow) {
$userID = $userRow['contentobject_id'];
$hashType = $userRow['password_hash_type'];
$hash = $userRow['password_hash'];
$exists = eZUser::authenticateHash($userRow['login'], $password, eZUser::site(), $hashType, $hash);
// If hash type is MySql
if ($hashType == eZUser::PASSWORD_HASH_MYSQL and $databaseName === 'mysql') {
$queryMysqlUser = "******";
$mysqlUsers = $db->arrayQuery($queryMysqlUser);
if (count($mysqlUsers) >= 1) {
$exists = true;
}
}
eZDebugSetting::writeDebug('kernel-user', eZUser::createHash($userRow['login'], $password, eZUser::site(), $hashType), "check hash");
eZDebugSetting::writeDebug('kernel-user', $hash, "stored hash");
// If current user has been disabled after a few failed login attempts.
$canLogin = eZUser::isEnabledAfterFailedLogin($userID);
if ($exists) {
// We should store userID for warning message.
$GLOBALS['eZFailedLoginAttemptUserID'] = $userID;
$userSetting = eZUserSetting::fetch($userID);
$isEnabled = $userSetting->attribute("is_enabled");
if ($hashType != eZUser::hashType() and strtolower($ini->variable('UserSettings', 'UpdateHash')) == 'true') {
$hashType = eZUser::hashType();
$hash = eZUser::createHash($login, $password, eZUser::site(), $hashType);
$db->query("UPDATE ezuser SET password_hash='{$hash}', password_hash_type='{$hashType}' WHERE contentobject_id='{$userID}'");
}
break;
}
}
}
if ($exists and $isEnabled and $canLogin) {
eZDebugSetting::writeDebug('kernel-user', $userRow, 'user row');
$user = new eZUser($userRow);
eZDebugSetting::writeDebug('kernel-user', $user, 'user');
$userID = $user->attribute('contentobject_id');
eZUser::updateLastVisit($userID);
eZUser::setCurrentlyLoggedInUser($user, $userID);
// Reset number of failed login attempts
eZUser::setFailedLoginAttempts($userID, 0);
return $user;
} else {
if ($LDAPIni->variable('LDAPSettings', 'LDAPEnabled') === 'true') {
// read LDAP ini settings
// and then try to bind to the ldap server
$LDAPDebugTrace = $LDAPIni->variable('LDAPSettings', 'LDAPDebugTrace') === 'enabled';
$LDAPVersion = $LDAPIni->variable('LDAPSettings', 'LDAPVersion');
$LDAPServer = $LDAPIni->variable('LDAPSettings', 'LDAPServer');
$LDAPPort = $LDAPIni->variable('LDAPSettings', 'LDAPPort');
$LDAPFollowReferrals = (int) $LDAPIni->variable('LDAPSettings', 'LDAPFollowReferrals');
$LDAPBaseDN = $LDAPIni->variable('LDAPSettings', 'LDAPBaseDn');
$LDAPBindUser = $LDAPIni->variable('LDAPSettings', 'LDAPBindUser');
$LDAPBindPassword = $LDAPIni->variable('LDAPSettings', 'LDAPBindPassword');
$LDAPSearchScope = $LDAPIni->variable('LDAPSettings', 'LDAPSearchScope');
$LDAPLoginAttribute = strtolower($LDAPIni->variable('LDAPSettings', 'LDAPLoginAttribute'));
$LDAPFirstNameAttribute = strtolower($LDAPIni->variable('LDAPSettings', 'LDAPFirstNameAttribute'));
$LDAPFirstNameIsCN = $LDAPIni->variable('LDAPSettings', 'LDAPFirstNameIsCommonName') === 'true';
$LDAPLastNameAttribute = strtolower($LDAPIni->variable('LDAPSettings', 'LDAPLastNameAttribute'));
$LDAPEmailAttribute = strtolower($LDAPIni->variable('LDAPSettings', 'LDAPEmailAttribute'));
$defaultUserPlacement = $ini->variable("UserSettings", "DefaultUserPlacement");
$LDAPUserGroupAttributeType = strtolower($LDAPIni->variable('LDAPSettings', 'LDAPUserGroupAttributeType'));
$LDAPUserGroupAttribute = strtolower($LDAPIni->variable('LDAPSettings', 'LDAPUserGroupAttribute'));
if ($LDAPIni->hasVariable('LDAPSettings', 'Utf8Encoding')) {
$Utf8Encoding = $LDAPIni->variable('LDAPSettings', 'Utf8Encoding');
if ($Utf8Encoding == "true") {
$isUtf8Encoding = true;
} else {
$isUtf8Encoding = false;
}
} else {
$isUtf8Encoding = false;
}
if ($LDAPIni->hasVariable('LDAPSettings', 'LDAPSearchFilters')) {
$LDAPFilters = $LDAPIni->variable('LDAPSettings', 'LDAPSearchFilters');
}
if ($LDAPIni->hasVariable('LDAPSettings', 'LDAPUserGroupType') and $LDAPIni->hasVariable('LDAPSettings', 'LDAPUserGroup')) {
$LDAPUserGroupType = $LDAPIni->variable('LDAPSettings', 'LDAPUserGroupType');
$LDAPUserGroup = $LDAPIni->variable('LDAPSettings', 'LDAPUserGroup');
}
$LDAPFilter = "( &";
if (count($LDAPFilters) > 0) {
foreach (array_keys($LDAPFilters) as $key) {
$LDAPFilter .= "(" . $LDAPFilters[$key] . ")";
}
}
$LDAPEqualSign = trim($LDAPIni->variable('LDAPSettings', "LDAPEqualSign"));
$LDAPBaseDN = str_replace($LDAPEqualSign, "=", $LDAPBaseDN);
$LDAPFilter = str_replace($LDAPEqualSign, "=", $LDAPFilter);
$LDAPBindUser = str_replace($LDAPEqualSign, "=", $LDAPBindUser);
if ($LDAPDebugTrace) {
$debugArray = array('stage' => '1/5: Connecting and Binding to LDAP server', 'LDAPServer' => $LDAPServer, 'LDAPPort' => $LDAPPort, 'LDAPBindUser' => $LDAPBindUser, 'LDAPVersion' => $LDAPVersion);
// Set debug trace mode for ldap connections
if (function_exists('ldap_set_option')) {
ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);
}
eZDebug::writeNotice(var_export($debugArray, true), __METHOD__);
}
if (function_exists('ldap_connect')) {
$ds = ldap_connect($LDAPServer, $LDAPPort);
} else {
$ds = false;
}
if ($ds) {
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, $LDAPVersion);
ldap_set_option($ds, LDAP_OPT_REFERRALS, $LDAPFollowReferrals);
if ($LDAPBindUser == '') {
$r = ldap_bind($ds);
} else {
$r = ldap_bind($ds, $LDAPBindUser, $LDAPBindPassword);
}
if (!$r) {
// Increase number of failed login attempts.
eZDebug::writeError('Cannot bind to LDAP server, might be something wronge with connetion or bind user!', __METHOD__);
if (isset($userID)) {
eZUser::setFailedLoginAttempts($userID);
}
$user = false;
return $user;
}
$LDAPFilter .= "({$LDAPLoginAttribute}={$loginLdapEscaped})";
$LDAPFilter .= ")";
ldap_set_option($ds, LDAP_OPT_SIZELIMIT, 0);
ldap_set_option($ds, LDAP_OPT_TIMELIMIT, 0);
$retrieveAttributes = array($LDAPLoginAttribute, $LDAPFirstNameAttribute, $LDAPLastNameAttribute, $LDAPEmailAttribute);
if ($LDAPUserGroupAttributeType) {
$retrieveAttributes[] = $LDAPUserGroupAttribute;
}
if ($LDAPDebugTrace) {
$debugArray = array('stage' => '2/5: finding user', 'LDAPFilter' => $LDAPFilter, 'retrieveAttributes' => $retrieveAttributes, 'LDAPSearchScope' => $LDAPSearchScope, 'LDAPBaseDN' => $LDAPBaseDN);
eZDebug::writeNotice(var_export($debugArray, true), __METHOD__);
}
if ($LDAPSearchScope == "one") {
$sr = ldap_list($ds, $LDAPBaseDN, $LDAPFilter, $retrieveAttributes);
} else {
if ($LDAPSearchScope == "base") {
$sr = ldap_read($ds, $LDAPBaseDN, $LDAPFilter, $retrieveAttributes);
} else {
$sr = ldap_search($ds, $LDAPBaseDN, $LDAPFilter, $retrieveAttributes);
}
}
$info = ldap_get_entries($ds, $sr);
if ($info['count'] > 1) {
// More than one user with same uid, not allow login.
eZDebug::writeWarning('More then one user with same uid, not allowed to login!', __METHOD__);
$user = false;
return $user;
} else {
if ($info['count'] < 1) {
// Increase number of failed login attempts.
if (isset($userID)) {
eZUser::setFailedLoginAttempts($userID);
}
// user DN was not found
eZDebug::writeWarning('User DN was not found!', __METHOD__);
$user = false;
return $user;
} else {
if ($LDAPDebugTrace) {
$debugArray = array('stage' => '3/5: real authentication of user', 'info' => $info);
eZDebug::writeNotice(var_export($debugArray, true), __METHOD__);
}
}
}
if (!$password) {
$password = crypt(microtime());
}
// is it real authenticated LDAP user?
if (!@ldap_bind($ds, $info[0]['dn'], $password)) {
// Increase number of failed login attempts.
if (isset($userID)) {
eZUser::setFailedLoginAttempts($userID);
}
eZDebug::writeWarning("User {$userID} failed to login!", __METHOD__);
$user = false;
return $user;
}
$extraNodeAssignments = array();
$userGroupClassID = $ini->variable("UserSettings", "UserGroupClassID");
// default user group assigning
if ($LDAPUserGroupType != null) {
if ($LDAPUserGroupType == "name") {
if (is_array($LDAPUserGroup)) {
foreach (array_keys($LDAPUserGroup) as $key) {
$groupName = $db->escapeString($LDAPUserGroup[$key]);
$groupQuery = "SELECT ezcontentobject_tree.node_id\n FROM ezcontentobject, ezcontentobject_tree\n WHERE ezcontentobject.name like '{$groupName}'\n AND ezcontentobject.id=ezcontentobject_tree.contentobject_id\n AND ezcontentobject.contentclass_id={$userGroupClassID}";
$groupObject = $db->arrayQuery($groupQuery);
if (count($groupObject) > 0 and $key == 0) {
$defaultUserPlacement = $groupObject[0]['node_id'];
} else {
if (count($groupObject) > 0) {
$extraNodeAssignments[] = $groupObject[0]['node_id'];
}
}
}
} else {
$groupName = $db->escapeString($LDAPUserGroup);
$groupQuery = "SELECT ezcontentobject_tree.node_id\n FROM ezcontentobject, ezcontentobject_tree\n WHERE ezcontentobject.name like '{$groupName}'\n AND ezcontentobject.id=ezcontentobject_tree.contentobject_id\n AND ezcontentobject.contentclass_id={$userGroupClassID}";
$groupObject = $db->arrayQuery($groupQuery);
if (count($groupObject) > 0) {
$defaultUserPlacement = $groupObject[0]['node_id'];
}
}
} else {
if ($LDAPUserGroupType == "id") {
if (is_array($LDAPUserGroup)) {
foreach (array_keys($LDAPUserGroup) as $key) {
$groupID = $LDAPUserGroup[$key];
$groupQuery = "SELECT ezcontentobject_tree.node_id\n FROM ezcontentobject, ezcontentobject_tree\n WHERE ezcontentobject.id='{$groupID}'\n AND ezcontentobject.id=ezcontentobject_tree.contentobject_id\n AND ezcontentobject.contentclass_id={$userGroupClassID}";
$groupObject = $db->arrayQuery($groupQuery);
if (count($groupObject) > 0 and $key == 0) {
$defaultUserPlacement = $groupObject[0]['node_id'];
} else {
if (count($groupObject) > 0) {
$extraNodeAssignments[] = $groupObject[0]['node_id'];
}
}
}
} else {
$groupID = $LDAPUserGroup;
$groupQuery = "SELECT ezcontentobject_tree.node_id\n FROM ezcontentobject, ezcontentobject_tree\n WHERE ezcontentobject.id='{$groupID}'\n AND ezcontentobject.id=ezcontentobject_tree.contentobject_id\n AND ezcontentobject.contentclass_id={$userGroupClassID}";
$groupObject = $db->arrayQuery($groupQuery);
if (count($groupObject) > 0) {
$defaultUserPlacement = $groupObject[0]['node_id'];
}
}
}
}
}
// read group mapping LDAP settings
$LDAPGroupMappingType = $LDAPIni->variable('LDAPSettings', 'LDAPGroupMappingType');
$LDAPUserGroupMap = $LDAPIni->variable('LDAPSettings', 'LDAPUserGroupMap');
if (!is_array($LDAPUserGroupMap)) {
$LDAPUserGroupMap = array();
}
// group mapping constants
$ByMemberAttribute = 'SimpleMapping';
// by group's member attributes (with mapping)
$ByMemberAttributeHierarhicaly = 'GetGroupsTree';
// by group's member attributes hierarhically
$ByGroupAttribute = 'UseGroupAttribute';
// by user's group attribute (old style)
$groupMappingTypes = array($ByMemberAttribute, $ByMemberAttributeHierarhicaly, $ByGroupAttribute);
$userData =& $info[0];
// default mapping using old style
if (!in_array($LDAPGroupMappingType, $groupMappingTypes)) {
$LDAPGroupMappingType = $ByGroupAttribute;
}
if ($LDAPDebugTrace) {
$debugArray = array('stage' => '4/5: group mapping init', 'LDAPUserGroupType' => $LDAPUserGroupType, 'LDAPGroupMappingType' => $LDAPGroupMappingType, 'LDAPUserGroup' => $LDAPUserGroup, 'defaultUserPlacement' => $defaultUserPlacement, 'extraNodeAssignments' => $extraNodeAssignments);
eZDebug::writeNotice(var_export($debugArray, true), __METHOD__);
}
if ($LDAPGroupMappingType == $ByMemberAttribute or $LDAPGroupMappingType == $ByMemberAttributeHierarhicaly) {
$LDAPGroupBaseDN = $LDAPIni->variable('LDAPSettings', 'LDAPGroupBaseDN');
$LDAPGroupBaseDN = str_replace($LDAPEqualSign, '=', $LDAPGroupBaseDN);
$LDAPGroupClass = $LDAPIni->variable('LDAPSettings', 'LDAPGroupClass');
$LDAPGroupNameAttribute = strtolower($LDAPIni->variable('LDAPSettings', 'LDAPGroupNameAttribute'));
$LDAPGroupMemberAttribute = strtolower($LDAPIni->variable('LDAPSettings', 'LDAPGroupMemberAttribute'));
$LDAPGroupDescriptionAttribute = strtolower($LDAPIni->variable('LDAPSettings', 'LDAPGroupDescriptionAttribute'));
$groupSearchingDepth = $LDAPGroupMappingType == '1' ? 1 : 1000;
// now, get all parents for currently ldap authenticated user
$requiredParams = array();
$requiredParams['LDAPLoginAttribute'] = $LDAPLoginAttribute;
$requiredParams['LDAPGroupBaseDN'] = $LDAPGroupBaseDN;
$requiredParams['LDAPGroupClass'] = $LDAPGroupClass;
$requiredParams['LDAPGroupNameAttribute'] = $LDAPGroupNameAttribute;
$requiredParams['LDAPGroupMemberAttribute'] = $LDAPGroupMemberAttribute;
$requiredParams['LDAPGroupDescriptionAttribute'] = $LDAPGroupDescriptionAttribute;
$requiredParams['ds'] =& $ds;
if ($LDAPIni->variable('LDAPSettings', 'LDAPGroupRootNodeId') !== '') {
$requiredParams['TopUserGroupNodeID'] = $LDAPIni->variable('LDAPSettings', 'LDAPGroupRootNodeId');
} else {
$requiredParams['TopUserGroupNodeID'] = 5;
}
$groupsTree = array();
$stack = array();
$newfilter = '(&(objectClass=' . $LDAPGroupClass . ')(' . $LDAPGroupMemberAttribute . '=' . $userData['dn'] . '))';
$groupsTree[$userData['dn']] = array('data' => &$userData, 'parents' => array(), 'children' => array());
eZLDAPUser::getUserGroupsTree($requiredParams, $newfilter, $userData['dn'], $groupsTree, $stack, $groupSearchingDepth);
$userRecord =& $groupsTree[$userData['dn']];
if ($LDAPGroupMappingType == $ByMemberAttribute) {
if (count($userRecord['parents']) > 0) {
$remappedGroupNames = array();
foreach (array_keys($userRecord['parents']) as $key) {
$parentGroup =& $userRecord['parents'][$key];
if (isset($parentGroup['data'][$LDAPGroupNameAttribute])) {
$ldapGroupName = $parentGroup['data'][$LDAPGroupNameAttribute];
if (is_array($ldapGroupName)) {
$ldapGroupName = $ldapGroupName['count'] > 0 ? $ldapGroupName[0] : '';
}
// remap group name and check that group exists
if (array_key_exists($ldapGroupName, $LDAPUserGroupMap)) {
$remmapedGroupName = $db->escapeString($LDAPUserGroupMap[$ldapGroupName]);
$groupQuery = "SELECT ezcontentobject_tree.node_id\n FROM ezcontentobject, ezcontentobject_tree\n WHERE ezcontentobject.name like '{$remmapedGroupName}'\n AND ezcontentobject.id=ezcontentobject_tree.contentobject_id\n AND ezcontentobject.contentclass_id={$userGroupClassID}";
$groupRow = $db->arrayQuery($groupQuery);
if (count($groupRow) > 0) {
$userRecord['new_parents'][] = $groupRow[0]['node_id'];
}
}
}
}
}
} else {
if ($LDAPGroupMappingType == $ByMemberAttributeHierarhicaly) {
$stack = array();
self::goAndPublishGroups($requiredParams, $userData['dn'], $groupsTree, $stack, $groupSearchingDepth, true);
}
}
if (isset($userRecord['new_parents']) and count($userRecord['new_parents']) > 0) {
$defaultUserPlacement = $userRecord['new_parents'][0];
$extraNodeAssignments = array_merge($extraNodeAssignments, $userRecord['new_parents']);
}
} else {
if ($LDAPGroupMappingType == $ByGroupAttribute) {
if ($LDAPUserGroupAttributeType) {
// Should we create user groups that are specified in LDAP, but not found in eZ Publish?
$createMissingGroups = $LDAPIni->variable('LDAPSettings', 'LDAPCreateMissingGroups') === 'enabled';
if ($LDAPIni->variable('LDAPSettings', 'LDAPGroupRootNodeId') !== '') {
$parentNodeID = $LDAPIni->variable('LDAPSettings', 'LDAPGroupRootNodeId');
} else {
$parentNodeID = 5;
}
$groupAttributeCount = $info[0][$LDAPUserGroupAttribute]['count'];
if ($LDAPUserGroupAttributeType == "name") {
for ($i = 0; $i < $groupAttributeCount; $i++) {
if ($isUtf8Encoding) {
$groupName = utf8_decode($info[0][$LDAPUserGroupAttribute][$i]);
} else {
$groupName = $info[0][$LDAPUserGroupAttribute][$i];
}
// Save group node id to either defaultUserPlacement or extraNodeAssignments
self::getNodeAssignmentsForGroupName($groupName, $i == 0, $defaultUserPlacement, $extraNodeAssignments, $createMissingGroups, $parentNodeID);
}
} else {
if ($LDAPUserGroupAttributeType == "id") {
for ($i = 0; $i < $groupAttributeCount; $i++) {
if ($isUtf8Encoding) {
$groupID = utf8_decode($info[0][$LDAPUserGroupAttribute][$i]);
} else {
$groupID = $info[0][$LDAPUserGroupAttribute][$i];
}
$groupName = "LDAP {$groupID}";
// Save group node id to either defaultUserPlacement or extraNodeAssignments
self::getNodeAssignmentsForGroupName($groupName, $i == 0, $defaultUserPlacement, $extraNodeAssignments, $createMissingGroups, $parentNodeID);
}
} else {
if ($LDAPUserGroupAttributeType == "dn") {
for ($i = 0; $i < $groupAttributeCount; $i++) {
$groupDN = $info[0][$LDAPUserGroupAttribute][$i];
$groupName = self::getGroupNameByDN($ds, $groupDN);
if ($groupName) {
// Save group node id to either defaultUserPlacement or extraNodeAssignments
self::getNodeAssignmentsForGroupName($groupName, $i == 0, $defaultUserPlacement, $extraNodeAssignments, $createMissingGroups, $parentNodeID);
}
}
} else {
eZDebug::writeError("Bad LDAPUserGroupAttributeType '{$LDAPUserGroupAttributeType}'. It must be either 'name', 'id' or 'dn'.", __METHOD__);
$user = false;
return $user;
}
}
}
}
}
}
// remove ' last_name' from first_name if cn is used for first name
if ($LDAPFirstNameIsCN && isset($userData[$LDAPFirstNameAttribute]) && isset($userData[$LDAPLastNameAttribute])) {
$userData[$LDAPFirstNameAttribute][0] = str_replace(' ' . $userData[$LDAPLastNameAttribute][0], '', $userData[$LDAPFirstNameAttribute][0]);
}
if (isset($userData[$LDAPEmailAttribute])) {
$LDAPuserEmail = $userData[$LDAPEmailAttribute][0];
} else {
if (trim($LDAPIni->variable('LDAPSettings', 'LDAPEmailEmptyAttributeSuffix'))) {
$LDAPuserEmail = $login . $LDAPIni->variable('LDAPSettings', 'LDAPEmailEmptyAttributeSuffix');
} else {
$LDAPuserEmail = false;
}
}
$userAttributes = array('login' => $login, 'first_name' => isset($userData[$LDAPFirstNameAttribute]) ? $userData[$LDAPFirstNameAttribute][0] : false, 'last_name' => isset($userData[$LDAPLastNameAttribute]) ? $userData[$LDAPLastNameAttribute][0] : false, 'email' => $LDAPuserEmail);
if ($LDAPDebugTrace) {
$debugArray = array('stage' => '5/5: storing user', 'userAttributes' => $userAttributes, 'isUtf8Encoding' => $isUtf8Encoding, 'defaultUserPlacement' => $defaultUserPlacement, 'extraNodeAssignments' => $extraNodeAssignments);
eZDebug::writeNotice(var_export($debugArray, true), __METHOD__);
}
$oldUser = clone eZUser::currentUser();
$existingUser = eZLDAPUser::publishUpdateUser($extraNodeAssignments, $defaultUserPlacement, $userAttributes, $isUtf8Encoding);
if (is_object($existingUser)) {
eZUser::setCurrentlyLoggedInUser($existingUser, $existingUser->attribute('contentobject_id'));
} else {
eZUser::setCurrentlyLoggedInUser($oldUser, $oldUser->attribute('contentobject_id'));
}
ldap_close($ds);
return $existingUser;
} else {
eZDebug::writeError('Cannot initialize connection for LDAP server', __METHOD__);
$user = false;
return $user;
}
} else {
// Increase number of failed login attempts.
if (isset($userID)) {
eZUser::setFailedLoginAttempts($userID);
}
eZDebug::writeWarning('User does not exist or LDAP is not enabled in php', __METHOD__);
$user = false;
return $user;
}
}
}
