Ejemplo n.º 1
 /**
  * Pre-dispatch hook: makes sure the admin menu exists and, when the Mailer
  * package is present, fires the e-mail registration event at most once per
  * calendar day.
  *
  * @return mixed result of reroute() when the admin menu has to be rebuilt, otherwise null
  */
 public function beforeRoute()
 {
     parent::beforeRoute();

     // Without a stored admin menu id, remember where to come back to and
     // send the request to the menu rebuild route.
     $adminSettings = \Admin\Models\Settings::fetch();
     if (empty($adminSettings->admin_menu_id)) {
         $this->session->set('rebuild-menu.redirect', '/admin');
         return $this->app->reroute('/admin/system/rebuildAdminMenu');
     }

     // Nothing more to do unless the Mailer package is installed.
     if (!class_exists('\\Mailer\\Factory')) {
         return;
     }

     $mailerSettings = \Mailer\Models\Settings::fetch();
     $neverRegistered = !$mailerSettings->emails_registered;
     // Y-m-d strings sort chronologically, so a plain string comparison tells
     // whether the last registration happened on an earlier day.
     if ($neverRegistered || date('Y-m-d', time()) > date('Y-m-d', $mailerSettings->emails_registered)) {
         \Dsc\System::instance()->trigger('onSystemRegisterEmails');
         $mailerSettings->emails_registered = time();
         $mailerSettings->save();
     }
 }
Ejemplo n.º 2
 /**
  * Authenticate a user against LDAP through the PEAR Auth 'LDAP' storage container.
  *
  * The lookup is tried first with the configured user attribute and, if that
  * fails, a second time with the configured e-mail attribute. On success the
  * login, e-mail and real name are copied from the returned attributes into
  * $this->mInfo.
  *
  * @param string $user      login name or e-mail address supplied at login
  * @param string $pass      password supplied at login
  * @param mixed  $challenge only forwarded to parent::validate() here
  * @param mixed  $response  only forwarded to parent::validate() here
  * @return mixed USER_NOT_FOUND when either credential is empty,
  *               PASSWORD_INCORRECT when both lookups fail, USER_VALID on success
  */
 function validate($user, $pass, $challenge, $response)
 {
     parent::validate($user, $pass, $challenge, $response);
     global $gBitDb;
     // Security-relevant guard: many LDAP servers accept a bind with a name and an
     // empty password as an unauthenticated bind, so an empty password must never
     // reach the directory. Do not remove or weaken this check.
     if (empty($user) or empty($pass)) {
         return USER_NOT_FOUND;
     }
     $this->mInfo["real_name"] = '';
     // This needs fixing in the base code - real_name will only exist if a user has been identified
     // Use V3, which requires UTF-8:
     $this->mConfig['version'] = 3;
     // utf8_encode() treats its input as ISO-8859-1 and is deprecated as of PHP 8.2.
     // NOTE(review): if the login form already submits UTF-8 this double-encodes
     // non-ASCII names - confirm the form encoding.
     $user_utf8 = utf8_encode($user);
     if ($this->mConfig['reqcert']) {
         // Skip the SSL certificate check:
         // (This assumes PHP is using the OpenLDAP client library.)
         // NOTE(review): with verification off the directory server's identity is not
         // checked, so the bind password can be exposed to anyone able to intercept
         // the connection. putenv() also changes the environment of the whole PHP
         // process, not only this connection. Prefer keeping verification on and
         // trusting the directory's CA certificate instead.
         putenv('LDAPTLS_REQCERT=never');
     }
     if ($this->mConfig['activedirectory']) {
         // (array) null is an empty array, i.e. no explicit attribute list is configured.
         $this->mConfig['attributes'] = (array) null;
         $this->mConfig['userfilter'] = '(objectClass=' . $this->mConfig['useroc'] . ')';
         $this->mConfig['groupfilter'] = '(objectClass=' . $this->mConfig['groupoc'] . ')';
         $this->mConfig['groupscope'] = $this->mConfig['userscope'];
     } else {
         // Using bitweaver groups with LDAP still needs completing so disable for now
         unset($this->mConfig['group']);
     }
     // NOTE(review): $user is handed to the PEAR container unmodified; whether it is
     // escaped before being placed in the LDAP search filter depends on that
     // library - verify for the installed version.
     $a = new Auth('LDAP', $this->mConfig, "", false);
     $a->_loadStorage();
     // set up connection to ldap via user details
     // First, try by username.  If that fails, try by email address.
     $success = $a->storage->fetchData($user_utf8, $pass, false);
     if ($success == false) {
         // The user wasn't found.  Try again by email address:
         $this->mConfig['userattrsto'] = $this->mConfig['userattr'];
         // Keep this for later
         // NOTE(review): 'userattrsto' is never read again in this function and
         // 'userattr' is not restored, so after an e-mail login the "login" value
         // below is read from the e-mail attribute, and the changed config stays on
         // this instance for any later call - confirm this is intended.
         $this->mConfig['userattr'] = $this->mConfig['email'];
         // Tell PEAR::Auth() to look at the 'mail' attribute
         // this needs testing better, should be no need to create second instance of Auth!
         $a = new Auth('LDAP', $this->mConfig, "", false);
         $a->_loadStorage();
         // set up connection to ldap via user details
         $success = $a->storage->fetchData($user_utf8, $pass, false);
         if ($success == false) {
             // Report the container's own status text when it provides one.
             $this->mErrors['login'] = isset($a->storage->options['status']) ? $a->storage->options['status'] : 'Not authenticated';
             return PASSWORD_INCORRECT;
         }
     }
     // At this point, there was a successful ldap_bind() using the
     // user's Distinguished Name (DN) and password for login.
     // The call to ldap_get_attributes() has been saved into $a->getAuthData('attributes')
     if ($this->mConfig['activedirectory']) {
         // Active Directory does some things differently - mainly in the returns
         $attributes = $a->getAuthData();
         // Warning: ldap_get_attributes() uses case-sensitive array keys
         $this->mInfo["login"] = $attributes[$this->mConfig['userattr']];
         $this->mInfo["email"] = $attributes[$this->mConfig['email']];
         // Fall back to the login when the directory has no display name.
         $this->mInfo["real_name"] = empty($attributes[$this->mConfig['name']]) ? $this->mInfo["login"] : $attributes[$this->mConfig['name']];
     } else {
         $attributes = $a->getAuthData('attributes');
         // Warning: ldap_get_attributes() uses case-sensitive array keys
         // Here each attribute is an array of values; only the first value is used.
         $this->mInfo["login"] = $attributes[$this->mConfig['userattr']][0];
         $this->mInfo["email"] = $attributes[$this->mConfig['email']][0];
         $this->mInfo["real_name"] = empty($attributes[$this->mConfig['name']][0]) ? $this->mInfo["login"] : $attributes[$this->mConfig['name']][0];
     }
     // Note, the new (or updated) SQL user will be created by the calling BitUser class.
     return USER_VALID;
     // Success!
 }
Ejemplo n.º 3
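 /**
  * Validate a login against the local users_users table.
  *
  * Two modes are supported: a direct password check (the default) and a
  * challenge-response check, used when 'feature_challenge' is active and a
  * response was submitted.
  *
  * Changes compared with the previous version:
  *  - the challenge-response branch fails closed when the session holds no
  *    challenge or the stored hash cannot be loaded; previously the comparison
  *    still ran, and with an empty hash the expected response no longer
  *    depended on any secret;
  *  - the hash lookup in that branch binds the same upper-cased value as the
  *    other queries (it used the mixed-case login against an UPPER() column);
  *  - the response is compared with hash_equals() (PHP 5.6+) instead of '==',
  *    which compared numeric-looking strings by value;
  *  - $bindVars is initialised before use.
  *
  * NOTE(review): stored hashes are unsalted MD5. Moving to password_hash() /
  * password_verify() needs a schema and rehash plan outside this function.
  *
  * @param string $user      login name or e-mail address
  * @param string $pass      password as typed
  * @param mixed  $challenge forwarded to parent::validate(); the challenge actually checked comes from the session
  * @param string $response  client response for challenge-response logins, empty otherwise
  * @return mixed SERVER_ERROR, PASSWORD_INCORRECT or USER_VALID
  */
 function validate($user, $pass, $challenge, $response)
 {
     parent::validate($user, $pass, $challenge, $response);
     global $gBitSystem;
     global $gBitDb;
     $ret = SERVER_ERROR;
     if (empty($user)) {
         $this->mErrors['login'] = '******';
     } elseif (empty($pass)) {
         $this->mErrors['login'] = '******';
     } else {
         $loginVal = strtoupper($user);
         // case insensitive login
         // Only the fixed literals 'email' / 'login' are placed in the SQL text;
         // every user-supplied value below is passed as a bound parameter.
         $loginCol = ' UPPER(`' . (strpos($user, '@') ? 'email' : 'login') . '`)';
         // first verify that the user exists
         $query = "select `email`, `login`, `user_id`, `user_password` from `" . BIT_DB_PREFIX . "users_users` where " . $gBitDb->convertBinary() . " {$loginCol} = ?";
         $result = $gBitDb->query($query, array($loginVal));
         if (!$result->numRows()) {
             $this->mErrors['login'] = '******';
         } else {
             $res = $result->fetchRow();
             $userId = $res['user_id'];
             $user = $res['login'];
             // TikiWiki 1.8+ uses this bizarro conglomeration of fields to get the hash. this sucks for many reasons
             $hash = md5(strtolower($user) . $pass . $res['email']);
             $hash2 = md5($pass);
             // next verify the password with 2 hashes methods, the old one (pass)) and the new one (login.pass;email)
             // TODO - this needs cleaning up - wolff_borg
             if (!$gBitSystem->isFeatureActive('feature_challenge') || empty($response)) {
                 $query = "select `user_id`, `hash` from `" . BIT_DB_PREFIX . "users_users` where " . $gBitDb->convertBinary() . " {$loginCol} = ? and (`hash`=? or `hash`=?)";
                 if ($row = $gBitDb->getRow($query, array($loginVal, $hash, $hash2))) {
                     // auto-update old hashes with simple and standard md5( password )
                     $bindVars = array();
                     $hashUpdate = '';
                     // Strict comparison: two different hex digests must never be
                     // treated as equal because both happen to look numeric.
                     if ((string) $row['hash'] === $hash) {
                         $hashUpdate = 'hash=?, ';
                         $bindVars[] = $hash2;
                     }
                     $bindVars[] = $gBitSystem->getUTCTime();
                     $bindVars[] = $userId;
                     $query = "update `" . BIT_DB_PREFIX . "users_users` set  {$hashUpdate} `last_login`=`current_login`, `current_login`=? where `user_id`=?";
                     $result = $gBitDb->query($query, $bindVars);
                     $ret = USER_VALID;
                 } else {
                     $ret = PASSWORD_INCORRECT;
                     $this->mErrors[] = 'Password incorrect';
                 }
             } else {
                 // Use challenge-response method
                 // Compare response against md5(user,hash,challenge)
                 // The response is derived from the stored hash, so the stored hash is
                 // as sensitive as the password itself.
                 $hash = $gBitDb->getOne("select `hash`  from `" . BIT_DB_PREFIX . "users_users` where " . $gBitDb->convertBinary() . " {$loginCol} = ?", array($loginVal));
                 if (!isset($_SESSION["challenge"]) || empty($hash) || !is_string($response)) {
                     // Fail closed: without a server-side challenge and a stored hash
                     // there is nothing trustworthy to compare the response with.
                     $this->mErrors[] = 'Invalid challenge';
                     $ret = PASSWORD_INCORRECT;
                 } elseif (hash_equals(md5(strtolower($user) . $hash . $_SESSION["challenge"]), $response)) {
                     // NOTE(review): the challenge is not cleared after use here;
                     // confirm the caller issues a fresh one per login attempt.
                     $ret = USER_VALID;
                     $this->updateLastLogin($userId);
                 } else {
                     $this->mErrors[] = 'Invalid challenge';
                     $ret = PASSWORD_INCORRECT;
                 }
             }
         }
         if (!empty($userId)) {
             $this->mInfo['user_id'] = $userId;
         }
     }
     return $ret;
 }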
Ejemplo n.º 4
            header('Location: ' . $url);
            exit;
        }
    } else {
        $gBitSystem->setHttpStatus(HttpStatusCodes::HTTP_BAD_REQUEST);
        $gBitSmarty->assignByRef('errors', $newUser->mErrors);
    }
    $gBitSmarty->assignByRef('reg', $reg);
} else {
    if ($gBitSystem->isFeatureActive('custom_user_fields')) {
        $fields = explode(',', $gBitSystem->getConfig('custom_user_fields'));
        trim_array($fields);
        $gBitSmarty->assign('customFields', $fields);
    }
    for ($i = 0; $i < BaseAuth::getAuthMethodCount(); $i++) {
        $instance = BaseAuth::init($i);
        if ($instance && $instance->canManageAuth()) {
            $auth_reg_fields = $instance->getRegistrationFields();
            foreach (array_keys($auth_reg_fields) as $auth_field) {
                $auth_reg_fields[$auth_field]['value'] = $auth_reg_fields[$auth_field]['default'];
            }
            $gBitSmarty->assign('auth_reg_fields', $auth_reg_fields);
            break;
        }
    }
}
// Hand the list of languages and the language object itself to the templates.
// assignByRef() needs real variables, hence the intermediate $languages.
$languages = $gBitLanguage->listLanguages();
$gBitSmarty->assignByRef('languages', $languages);
$gBitSmarty->assignByRef('gBitLanguage', $gBitLanguage);
// Get flags here
Ejemplo n.º 5
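 /**
  * Validate a login by trying each configured auth method in order.
  *
  * The first method that returns USER_VALID wins: the matching local user row
  * is located (or created/updated through store()), and the auth instance is
  * kept in $this->mAuth. When 'users_create_user_auth' is 'y' and the winning
  * method is not the first one, the account is also offered to the methods
  * configured at lower indexes.
  *
  * Changes compared with the previous version:
  *  - the propagation loop tested $i instead of $j and therefore never
  *    terminated once entered; it now stops after index 0;
  *  - the undefined $default passed to getConfig() is replaced by an explicit
  *    null (the value the undefined variable evaluated to);
  *  - errors of a propagation target are only merged when that target could
  *    actually be instantiated.
  *
  * NOTE(review): propagation passes the clear-text password ($pPass) to
  * createUser() of other auth methods when the winning method supplies none;
  * confirm every target stores it appropriately. Errors raised by a
  * propagation target are merged into $this->mErrors and therefore make this
  * method return FALSE even though authentication succeeded - confirm this
  * is intended.
  *
  * @param string $pUser      login name or e-mail address
  * @param string $pPass      password as typed
  * @param mixed  $pChallenge passed through to each auth method
  * @param mixed  $pResponse  passed through to each auth method
  * @access public
  * @return bool TRUE on success, FALSE on failure - mErrors will contain reason for failure
  * @todo rewrite this mess. this is horrible stuff. - xing - Thursday Oct 16, 2008   09:47:20 CEST
  */
 function validate($pUser, $pPass, $pChallenge, $pResponse)
 {
     global $gBitSystem;
     // these will help us keep tabs of what is going on
     $authValid = $authPresent = FALSE;
     $createAuth = $gBitSystem->getConfig("users_create_user_auth", "n") == "y";
     for ($i = 0; $i < BaseAuth::getAuthMethodCount(); $i++) {
         $instance = BaseAuth::init($i);
         if ($instance) {
             $result = $instance->validate($pUser, $pPass, $pChallenge, $pResponse);
             switch ($result) {
                 case USER_VALID:
                     unset($this->mErrors['login']);
                     $authPresent = TRUE;
                     $authValid = TRUE;
                     break;
                 case PASSWORD_INCORRECT:
                     // this mErrors assignment is CRUCIAL so that bit auth fails properly. DO NOT F**K WITH THIS unless you know what you are doing and have checked with me first. XOXOX - spiderr
                     // This might have broken other auth, but at this point, bw auth was TOTALLY busted. If you need to fix, please come find me.
                     $this->mErrors['login'] = '******';
                     $authPresent = TRUE;
                     break;
                 case USER_NOT_FOUND:
                     break;
             }
             if ($authValid) {
                 if (empty($instance->mInfo['email'])) {
                     $instance->mInfo['email'] = $pUser;
                 }
                 //If we're given a user_id then the user is already in the database:
                 if (!empty($instance->mInfo['user_id'])) {
                     $this->mUserId = $instance->mInfo['user_id'];
                     //Is the user already in the database:
                 } elseif ($this->mDb->getOne("SELECT COUNT(*) FROM `" . BIT_DB_PREFIX . "users_users` WHERE `login` = ?", array($instance->mLogin)) > 0) {
                     // Update Details
                     $authUserInfo = array('login' => $instance->mInfo['login'], 'password' => $instance->mInfo['password'], 'real_name' => $instance->mInfo['real_name'], 'email' => $instance->mInfo['email']);
                     $userInfo = $this->getUserInfo(array('login' => $pUser));
                     $this->mUserId = $userInfo['user_id'];
                     $this->store($authUserInfo);
                     $this->mErrors = array();
                 } else {
                     $authUserInfo = array('login' => $instance->mInfo['login'], 'password' => $instance->mInfo['password'], 'real_name' => $instance->mInfo['real_name'], 'email' => $instance->mInfo['email']);
                     // TODO somehow, mUserId gets set to -1 at this point - no idea how
                     // set to NULL to prevent overwriting Guest user - wolff_borg
                     $this->mUserId = NULL;
                     $this->store($authUserInfo);
                 }
                 if ($createAuth && $i > 0) {
                     // if the user was logged into this system and we should propagate users down other auth methods
                     // Walk from the winning method down to index 0; the condition must
                     // test $j, the counter that is actually decremented.
                     for ($j = $i; $j >= 0; $j--) {
                         $probMethodName = $gBitSystem->getConfig("users_auth_method_{$j}", null);
                         if (!empty($probMethodName)) {
                             $probInstance = BaseAuth::init($probMethodName);
                             if ($probInstance && $probInstance->canManageAuth()) {
                                 $result = $probInstance->validate($pUser, $pPass, $pChallenge, $pResponse);
                                 if ($result == USER_VALID || $result == PASSWORD_INCORRECT) {
                                     // see if we can create a new account
                                     $userattr = $instance->getUserData();
                                     if (empty($userattr['login'])) {
                                         $userattr['login'] = $pUser;
                                     }
                                     if (empty($userattr['password'])) {
                                         $userattr['password'] = $pPass;
                                     }
                                     $probInstance->createUser($userattr);
                                 }
                             }
                             // init() may not return an object; only read errors from a real instance.
                             if ($probInstance) {
                                 $this->mErrors = array_merge($this->mErrors, $probInstance->mErrors);
                             }
                         }
                     }
                 }
                 $this->mAuth = $instance;
                 break;
             }
             $this->mErrors = array_merge($this->mErrors, $instance->mErrors);
         }
     }
     if ($this->mUserId != ANONYMOUS_USER_ID) {
         $this->load();
         //on first time login we run the users registration service
         if ($this->mInfo['last_login'] == NULL) {
             $this->invokeServices('users_register_function');
         }
         $this->updateLastLogin($this->mUserId);
     }
     return count($this->mErrors) == 0;
 }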
Ejemplo n.º 6
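 /**
  * Collect the settings of every auth method and, when the matching form
  * fields are present in the request, store submitted values first.
  *
  * Despite its name this method writes configuration: per-option values via
  * simple_set_value()/simple_set_toggle() and the ordered list of active
  * methods via storeConfig().
  * NOTE(review): no permission or CSRF check is visible in this method;
  * confirm every caller performs both before invoking it.
  *
  * Changes compared with the previous version:
  *  - a submitted "users_auth_method_N" value is stored only when it is a
  *    string naming one of the available methods (anything else, including
  *    array input, is skipped like an empty field);
  *  - count() is no longer called on a missing 'avail' entry;
  *  - the 'canManageAuth' lookup tolerates a stored method name that is not
  *    available any more.
  *
  * @return array settings keyed by 'avail', 'avail_method' and, when problems were found, 'err'
  */
 public static function getConfig()
 {
     global $gBitSystem;
     $authSettings = array();
     foreach (BaseAuth::getAuthMethods() as $meth_name => $method) {
         $instance = BaseAuth::init($meth_name);
         if ($instance) {
             foreach ($instance->getSettings() as $op_id => $op) {
                 if (!empty($_REQUEST[$op_id])) {
                     if ($op['type'] == 'checkbox') {
                         simple_set_toggle($op_id, USERS_PKG_NAME);
                     } else {
                         simple_set_value($op_id, USERS_PKG_NAME);
                     }
                 }
                 $value = $gBitSystem->getConfig($op_id, $op['default']);
                 $op['value'] = $value;
                 $method['options'][$op_id] = $op;
             }
             $method['canManageAuth'] = $instance->canManageAuth();
             $authSettings['avail'][$meth_name] = $method;
         } elseif (is_object($instance)) {
             // NOTE(review): objects are always truthy in PHP, so this branch cannot
             // be reached after the test above. If it is ever made reachable, escape
             // the messages before joining them with markup.
             $authSettings['err'][$meth_name] = implode("<br />", $instance->mErrors);
         }
     }
     // The returned array keeps its previous shape: 'avail' is only present
     // when at least one method could be initialised.
     $availCount = empty($authSettings['avail']) ? 0 : count($authSettings['avail']);
     if (!empty($_REQUEST["loginprefs"])) {
         $used = array();
         // $i walks the submitted slots, $j is the next free slot to store into,
         // so empty, unknown and duplicate choices leave no gaps.
         for ($i = 0, $j = 0; $i < $availCount; $i++, $j++) {
             $gBitSystem->storeConfig("users_auth_method_{$i}", null, USERS_PKG_NAME);
             $requested = isset($_REQUEST["users_auth_method_{$i}"]) ? $_REQUEST["users_auth_method_{$i}"] : null;
             if (empty($requested) || !is_string($requested) || !isset($authSettings['avail'][$requested])) {
                 // Nothing chosen, or the value is not one of the available methods.
                 $j--;
             } elseif (!empty($used[$requested])) {
                 $j--;
             } else {
                 $used[$requested] = "stored_{$j}";
                 $gBitSystem->storeConfig("users_auth_method_{$j}", $requested, USERS_PKG_NAME);
             }
         }
     }
     $canManageAuth = false;
     for ($i = 0; $i < $availCount; $i++) {
         // Only the first slot has a default method.
         $default = "";
         if ($i == 0) {
             $default = "bit";
         }
         $selected = $gBitSystem->getConfig("users_auth_method_{$i}", $default);
         $authSettings['avail_method'][$i]['value'] = $selected;
         if (!$canManageAuth && !empty($selected) && isset($authSettings['avail'][$selected]['canManageAuth'])) {
             $canManageAuth = $authSettings['avail'][$selected]['canManageAuth'];
         }
     }
     if ($gBitSystem->getConfig('users_allow_register', 'y') == 'y' && !$canManageAuth) {
         $authSettings['err']['bit_reg'] = "Registration is enabled but there are no Auth Methods that support this, Registration won't work!";
     }
     // NOTE(review): $method is a local that is never returned, so this assignment
     // has no visible effect; kept in case isActive() is called for a side effect.
     $method['active'] = BaseAuth::isActive($meth_name);
     return $authSettings;
 }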
Ejemplo n.º 7
            simple_set_toggle($feature, USERS_PKG_NAME);
        }
    }
}
// Fields of the HTTP/HTTPS settings form: config key => field description.
// NOTE(review): the request-driven writes below change login transport settings;
// no permission or CSRF check is visible in this excerpt - confirm it happens
// earlier in the script.
$httpSettings = array(
    'site_https_login' => array('label' => "Allow secure (https) login", 'type' => "checkbox", 'note' => ""),
    'site_https_login_required' => array('label' => "Require secure (https) login", 'type' => "checkbox", 'note' => ""),
    'site_http_domain' => array('label' => "HTTP server name", 'type' => "text", 'note' => ""),
    'site_http_port' => array('label' => "HTTP port", 'type' => "text", 'note' => ""),
    'site_http_prefix' => array('label' => "HTTP URL prefix", 'type' => "text", 'note' => ""),
    'site_https_domain' => array('label' => "HTTPS server name", 'type' => "text", 'note' => ""),
    'site_https_port' => array('label' => "HTTPS port", 'type' => "text", 'note' => ""),
    'site_https_prefix' => array('label' => "HTTPS URL prefix", 'type' => "text", 'note' => ""),
);
$gBitSmarty->assign('httpSettings', $httpSettings);

// Store the HTTP/HTTPS form when it was submitted: checkboxes are toggled,
// text fields are saved as values.
if (!empty($_REQUEST["httpprefs"])) {
    foreach (array_keys($httpSettings) as $feature) {
        if ($httpSettings[$feature]['type'] != 'text') {
            simple_set_toggle($feature, USERS_PKG_NAME);
        } else {
            simple_set_value($feature, USERS_PKG_NAME);
        }
    }
}

$listHash = array();

// This needs to be made more generic so that it picks up all plugins
// Could not see where the 'auth_ldap' was defined in the $options['avail'] array
$options = BaseAuth::getConfig();
if (!empty($_REQUEST["auth_ldap"])) {
    // Same rule as above, applied to the options of the LDAP auth plugin.
    $option_ldap = $options['avail']['ldap']['options'];
    foreach (array_keys($option_ldap) as $feature) {
        if ($option_ldap[$feature]['type'] != 'text') {
            simple_set_toggle($feature, USERS_PKG_NAME);
        } else {
            simple_set_value($feature, USERS_PKG_NAME);
        }
    }
}

// getConfig() is called a second time so the template sees the values just stored.
$gBitSmarty->assign('authSettings', BaseAuth::getConfig());
Ejemplo n.º 8
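    /**
     * Validate a login by opening the user's INBOX on the configured IMAP server.
     *
     * On success the real name is set to the login and the e-mail address is
     * either the login itself or the configured template with %login% replaced
     * by the lower-cased login (any other %...% placeholder becomes empty).
     *
     * Change compared with the previous version: the placeholder callback is a
     * closure instead of create_function(), which built PHP source at run time
     * (an eval in disguise), is deprecated since PHP 7.2 and removed in PHP 8.
     *
     * NOTE(review): the password only travels encrypted when the 'ssl' option
     * is on, and the server is only authenticated when 'sslvalidate' is on as
     * well; "/novalidate-cert" accepts any certificate. Both options should be
     * enabled wherever the IMAP server is reached over an untrusted network.
     *
     * @param string $user      login name, passed to the IMAP server as is
     * @param string $pass      password as typed
     * @param mixed  $challenge only forwarded to parent::validate() here
     * @param mixed  $response  only forwarded to parent::validate() here
     * @return mixed USER_VALID when the mailbox could be opened, USER_NOT_FOUND otherwise
     */
    function validate($user, $pass, $challenge, $response)
    {
        parent::validate($user, $pass, $challenge, $response);
        // Build the c-client mailbox string: {server[/ssl[/validate-cert|/novalidate-cert]]:port}INBOX
        $mailbox = '{' . $this->mConfig['server'];
        if ($this->mConfig["ssl"]) {
            $mailbox .= "/ssl";
            if ($this->mConfig["sslvalidate"]) {
                $mailbox .= "/validate-cert";
            } else {
                $mailbox .= "/novalidate-cert";
            }
        }
        $mailbox .= ':' . $this->mConfig["port"] . '}INBOX';
        // Warnings are suppressed on purpose; the reason for a failure is
        // collected from imap_errors() below.
        $imapauth = @imap_open($mailbox, $user, $pass);
        if (!$imapauth) {
            // Any failure (wrong password, unknown user, unreachable server)
            // is reported the same way.
            $this->mErrors['login'] = imap_errors();
            $ret = USER_NOT_FOUND;
        } else {
            $ret = USER_VALID;
            $this->mInfo["real_name"] = $user;
            if (empty($this->mConfig["email"])) {
                $this->mInfo["email"] = $user;
            } else {
                $info = array('login' => $user);
                // Replace each %name% placeholder with the lower-cased value of
                // $info['name'], or with nothing when no such value exists.
                $replace_func = function ($matches) use ($info) {
                    $m = $matches[0];
                    $m = substr($m, 1, strlen($m) - 2);
                    if (empty($info[$m])) {
                        return "";
                    }
                    return strtolower($info[$m]);
                };
                $this->mInfo["email"] = preg_replace_callback('/%.*?%/', $replace_func, $this->mConfig["email"]);
            }
            imap_close($imapauth);
        }
        return $ret;
    }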