/**
 * Largest institutional storage quota the user is entitled to.
 *
 * Two lookups are made against the www database: one matching the
 * domain part of each of the user's e-mail addresses against
 * storage_institutions.domain, and one matching whole addresses via
 * storage_institution_email. Each lookup is issued on Zotero_WWW_DB_2
 * first and re-issued on Zotero_WWW_DB_1 if the first one throws.
 *
 * @param int $userID  www userID
 * @return int|false   the larger of the two quotas, or false when both are 0
 */
public static function getInstitutionalUserQuota($userID) {
	// TODO: config
	$suffix = Z_ENV_TESTING_SITE ? "_test" : "";
	$db = "zotero_www{$suffix}";

	// Evaluated in this order: by e-mail domain, then by exact e-mail address
	$lookups = [
		'domain' => "SELECT IFNULL(MAX(storageQuota), 0) FROM {$db}.users_email\n\t\t\t\tJOIN {$db}.storage_institutions ON (SUBSTRING_INDEX(email, '@', -1)=domain)\n\t\t\t\tWHERE userID=?",
		'email' => "SELECT IFNULL(MAX(storageQuota), 0) FROM {$db}.users_email\n\t\t\t\tJOIN {$db}.storage_institution_email USING (email)\n\t\t\t\tJOIN {$db}.storage_institutions USING (institutionID)\n\t\t\t\tWHERE userID=?",
	];

	$quotas = [];
	foreach ($lookups as $kind => $sql) {
		try {
			$quotas[$kind] = Zotero_WWW_DB_2::valueQuery($sql, $userID);
		}
		catch (Exception $e) {
			// Fall back to the primary when the first connection fails
			Z_Core::logError("WARNING: {$e} -- retrying on primary");
			$quotas[$kind] = Zotero_WWW_DB_1::valueQuery($sql, $userID);
		}
	}

	$best = max($quotas['domain'], $quotas['email']);
	return $best ? $best : false;
}
/**
 * Resolve a www userID to its username.
 *
 * Queries Zotero_WWW_DB_2 and retries on Zotero_WWW_DB_1 if that throws.
 * NOTE(review): unlike the quota lookup, this query does not prefix the
 * database name -- presumably it relies on the connection's default
 * database; confirm before reusing the pattern.
 *
 * @param int $userID
 * @return string
 * @throws Exception  Z_ERROR_USER_NOT_FOUND when no row (or an empty username) comes back
 */
private static function getUsernameFromWWW($userID) {
	$sql = "SELECT username FROM users WHERE userID=?";
	$name = null;
	try {
		$name = Zotero_WWW_DB_2::valueQuery($sql, $userID);
	}
	catch (Exception $e) {
		Z_Core::logError("WARNING: {$e} -- retrying on primary");
		$name = Zotero_WWW_DB_1::valueQuery($sql, $userID);
	}
	if ($name) {
		return $name;
	}
	throw new Exception("User {$userID} not found", Z_ERROR_USER_NOT_FOUND);
}
/**
 * Publishing privacy flags for a user, memoised in $this->userPrivacy.
 *
 * On the dev site only userIDs 1 and 2 are known (hard-coded values);
 * anything else throws. Otherwise the users_meta rows whose metaKey
 * starts with 'privacy_publish' are read from Zotero_WWW_DB_2 (retrying on
 * Zotero_WWW_DB_1 on failure) and mapped to booleans keyed by the
 * lower-cased remainder of the metaKey.
 *
 * @param int $userID
 * @return array  e.g. array('library' => bool, 'notes' => bool); both default to false
 * @throws Exception  on the dev site for an unknown userID
 */
private function getUserPrivacy($userID) {
	if (isset($this->userPrivacy[$userID])) {
		return $this->userPrivacy[$userID];
	}

	if (Z_ENV_DEV_SITE) {
		// Hard-coded test values (loose comparison, as the original switch did)
		if ($userID == 1) {
			$privacy = array('library' => true, 'notes' => true);
		}
		elseif ($userID == 2) {
			$privacy = array('library' => false, 'notes' => false);
		}
		else {
			throw new Exception("External requests disabled on dev site");
		}
		$this->userPrivacy[$userID] = $privacy;
		return $privacy;
	}

	$sql = "SELECT metaKey, metaValue FROM users_meta WHERE userID=? AND metaKey LIKE 'privacy_publish%'";
	try {
		$metaRows = Zotero_WWW_DB_2::query($sql, $userID);
	}
	catch (Exception $e) {
		Z_Core::logError("WARNING: {$e} -- retrying on primary");
		$metaRows = Zotero_WWW_DB_1::query($sql, $userID);
	}

	$privacy = array('library' => false, 'notes' => false);
	// Strip the 15-character 'privacy_publish' prefix to get the setting name
	$prefixLength = strlen('privacy_publish');
	foreach ($metaRows as $metaRow) {
		$setting = strtolower(substr($metaRow['metaKey'], $prefixLength));
		$privacy[$setting] = (bool) (int) $metaRow['metaValue'];
	}

	$this->userPrivacy[$userID] = $privacy;
	return $privacy;
}
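/**
 * Authenticate a www user by username (or e-mail address) and password.
 *
 * Successful results are cached in memcache for 60 seconds under a key
 * derived from the credentials. The stored hash is checked against, in
 * order: bcrypt (password_verify), legacy salted SHA1 and legacy MD5.
 *
 * Fix: the legacy SHA1/MD5 comparisons used `==`. PHP's loose comparison
 * of two numeric-looking strings (hex digests of the form "0e<digits>")
 * compares them as floats, so any crafted password whose digest is also
 * "0e..." would match such a stored hash ("magic hash"). hash_equals()
 * compares bytes, in constant time.
 *
 * @param array $data  ['username' => string, 'password' => string]; 'username' may be an e-mail address
 * @return int|false   userID on success, false when no row matches
 */
public static function authenticate($data) {
	$salt = Z_CONFIG::$AUTH_SALT;
	// TODO: config
	$dev = Z_ENV_TESTING_SITE ? "_test" : "";
	$databaseName = "zotero_www{$dev}";

	$username = $data['username'];
	$password = $data['password'];
	$isEmailAddress = strpos($username, '@') !== false;

	// Cache key: include the configured salt (so a dumped key set cannot be
	// brute-forced offline from username+password alone) and a separator
	// (so "ab"+"c" and "a"+"bc" cannot produce the same key).
	$cacheKey = 'userAuthHash_' . hash('sha256', $username . "\0" . $salt . "\0" . $password);
	$userID = Z_Core::$MC->get($cacheKey);
	if ($userID) {
		return $userID;
	}

	if (!$isEmailAddress) {
		// Username only
		$sql = "SELECT userID, username, password AS hash FROM {$databaseName}.users WHERE username=?";
		$params = [$username];
	}
	else {
		// Could be a username containing '@' or an e-mail address; prefer the username match
		$sql = "SELECT userID, username, password AS hash FROM {$databaseName}.users
			WHERE username = ?
			UNION
			SELECT userID, username, password AS hash FROM {$databaseName}.users
			WHERE email = ?
			ORDER BY username = ? DESC";
		$params = [$username, $username, $username];
	}

	$rows = false;
	try {
		$retry = true;
		$rows = Zotero_WWW_DB_2::query($sql, $params);
		if (!$rows) {
			// Not on the replica -- check the primary, and don't retry it again on failure
			$retry = false;
			$rows = Zotero_WWW_DB_1::query($sql, $params);
		}
	}
	catch (Exception $e) {
		if ($retry) {
			Z_Core::logError("WARNING: {$e} -- retrying on primary");
			$rows = Zotero_WWW_DB_1::query($sql, $params);
		}
		else {
			// Primary failed after an empty replica result: log instead of
			// swallowing silently, and treat as "not found"
			Z_Core::logError("WARNING: {$e} -- primary lookup failed");
			$rows = false;
		}
	}
	if (!$rows) {
		return false;
	}

	$foundRow = null;
	foreach ($rows as $row) {
		$storedHash = (string) $row['hash'];

		// Current scheme: bcrypt via password_hash()
		$matched = password_verify($password, $storedHash);

		// Legacy schemes -- byte-wise, constant-time comparison (see docblock)
		if (!$matched) {
			$matched = hash_equals($storedHash, sha1($salt . $password));
		}
		if (!$matched) {
			$matched = hash_equals($storedHash, md5($password));
		}

		if ($matched) {
			$foundRow = $row;
			break;
		}
	}
	if ($foundRow === null) {
		return false;
	}

	// TODO(review): a legacy SHA1/MD5 match is the moment to rehash with
	// password_hash(); no write path for the www password column is visible
	// here, so this is left for whoever owns that code.
	self::updateUser($foundRow['userID'], $foundRow['username']);
	Z_Core::$MC->set($cacheKey, $foundRow['userID'], 60);
	return $foundRow['userID'];
}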
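/**
 * Authenticate a www user by username (or e-mail address) and password.
 *
 * Older variant of this method: the stored password column is matched in
 * SQL against a salted SHA1 of the password first, then against an
 * unsalted MD5. A bcrypt-capable variant of authenticate() appears
 * elsewhere in this listing; accounts still matched here by MD5/SHA1 are
 * using weak, fast hashes and should be migrated to password_hash().
 *
 * Fix: the four near-identical query/retry blocks are collapsed into
 * findUserByPasswordHash(); the retry semantics are preserved (SHA1 lookup
 * falls back to the primary on a replica miss, MD5 lookup does not), and a
 * primary failure that was previously swallowed silently is now logged.
 *
 * @param array $data  ['username' => string, 'password' => string]
 * @return int|false   userID on success, false when no row matches
 */
public static function authenticate($data) {
	$salt = Z_CONFIG::$AUTH_SALT;
	// TODO: config
	$dev = Z_ENV_TESTING_SITE ? "_test" : "";
	$databaseName = "zotero_www{$dev}";

	$username = $data['username'];
	$password = $data['password'];
	$isEmailAddress = strpos($username, '@') !== false;

	$cacheKey = 'userAuthHash_' . sha1($username . $salt . $password);
	$userID = Z_Core::$MC->get($cacheKey);
	if ($userID) {
		return $userID;
	}

	// Salted SHA1 first; a miss on the replica is re-checked on the primary
	$row = self::findUserByPasswordHash($databaseName, $username, $isEmailAddress, sha1($salt . $password), true);

	// Then unsalted MD5 (oldest accounts); no primary fallback on a miss
	if (!$row) {
		$row = self::findUserByPasswordHash($databaseName, $username, $isEmailAddress, md5($password), false);
	}

	if (!$row) {
		return false;
	}

	self::updateUser($row['userID'], $row['username']);
	Z_Core::$MC->set($cacheKey, $row['userID'], 60);
	return $row['userID'];
}

/**
 * Look up a user whose stored password column equals $passwordHash.
 *
 * Queries Zotero_WWW_DB_2 first. When $fallbackToPrimaryOnMiss is true and
 * the replica returns nothing, the primary (Zotero_WWW_DB_1) is queried
 * too. If the replica throws, the query is retried on the primary unless
 * the primary has already been tried; a failure there is logged and
 * treated as "not found".
 *
 * @param string $databaseName
 * @param string $username               username, or e-mail address when $isEmailAddress
 * @param bool   $isEmailAddress         also match users.email, preferring a username match
 * @param string $passwordHash           precomputed hash to compare against users.password
 * @param bool   $fallbackToPrimaryOnMiss
 * @return array|false  ['userID' => int, 'username' => string] or a falsy value
 */
private static function findUserByPasswordHash($databaseName, $username, $isEmailAddress, $passwordHash, $fallbackToPrimaryOnMiss) {
	if (!$isEmailAddress) {
		$sql = "SELECT userID, username FROM {$databaseName}.users
			WHERE username = ? AND password = ?
			LIMIT 1";
		$params = array($username, $passwordHash);
	}
	else {
		// Could be a username containing '@' or an e-mail address; prefer the username match
		$sql = "SELECT userID, username FROM {$databaseName}.users
			WHERE username = ? AND password = ?
			UNION
			SELECT userID, username FROM {$databaseName}.users
			WHERE email = ? AND password = ?
			ORDER BY username = ? DESC
			LIMIT 1";
		$params = array($username, $passwordHash, $username, $passwordHash, $username);
	}

	$row = false;
	$triedPrimary = false;
	try {
		$row = Zotero_WWW_DB_2::rowQuery($sql, $params);
		if (!$row && $fallbackToPrimaryOnMiss) {
			$triedPrimary = true;
			$row = Zotero_WWW_DB_1::rowQuery($sql, $params);
		}
	}
	catch (Exception $e) {
		if ($triedPrimary) {
			// Primary already failed; don't hide it, but don't escalate either
			Z_Core::logError("WARNING: {$e} -- primary lookup failed");
			$row = false;
		}
		else {
			Z_Core::logError("WARNING: {$e} -- retrying on primary");
			$row = Zotero_WWW_DB_1::rowQuery($sql, $params);
		}
	}
	return $row;
}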