protected function init()
 {
     parent::init();
     if (!Director::is_cli() && !Permission::check('ADMIN')) {
         return Security::permissionFailure();
     }
 }
 public function getEditForm($id = null, $fields = null)
 {
     // TODO Duplicate record fetching (see parent implementation)
     if (!$id) {
         $id = $this->currentPageID();
     }
     $form = parent::getEditForm($id);
     // TODO Duplicate record fetching (see parent implementation)
     $record = $this->getRecord($id);
     if ($record && !$record->canView()) {
         return Security::permissionFailure($this);
     }
     $memberList = GridField::create('Members', false, Member::get(), $memberListConfig = GridFieldConfig_RecordEditor::create()->addComponent(new GridFieldButtonRow('after'))->addComponent(new GridFieldExportButton('buttons-after-left')))->addExtraClass("members_grid");
     if ($record && method_exists($record, 'getValidator')) {
         $validator = $record->getValidator();
     } else {
         $validator = Member::singleton()->getValidator();
     }
     $memberListConfig->getComponentByType('GridFieldDetailForm')->setValidator($validator);
     $groupList = GridField::create('Groups', false, Group::get(), GridFieldConfig_RecordEditor::create());
     $columns = $groupList->getConfig()->getComponentByType('GridFieldDataColumns');
     $columns->setDisplayFields(array('Breadcrumbs' => singleton('SilverStripe\\Security\\Group')->fieldLabel('Title')));
     $columns->setFieldFormatting(array('Breadcrumbs' => function ($val, $item) {
         return Convert::raw2xml($item->getBreadcrumbs(' > '));
     }));
     $fields = new FieldList($root = new TabSet('Root', $usersTab = new Tab('Users', _t('SecurityAdmin.Users', 'Users'), new LiteralField('MembersCautionText', sprintf('<div class="alert alert-warning" role="alert">%s</div>', _t('SecurityAdmin.MemberListCaution', 'Caution: Removing members from this list will remove them from all groups and the database'))), $memberList), $groupsTab = new Tab('Groups', singleton('SilverStripe\\Security\\Group')->i18n_plural_name(), $groupList)), new HiddenField('ID', false, 0));
     // Add import capabilities. Limit to admin since the import logic can affect assigned permissions
     if (Permission::check('ADMIN')) {
         $fields->addFieldsToTab('Root.Users', array(new HeaderField(_t('SecurityAdmin.IMPORTUSERS', 'Import users'), 3), new LiteralField('MemberImportFormIframe', sprintf('<iframe src="%s" id="MemberImportFormIframe" width="100%%" height="250px" frameBorder="0">' . '</iframe>', $this->Link('memberimport')))));
         $fields->addFieldsToTab('Root.Groups', array(new HeaderField(_t('SecurityAdmin.IMPORTGROUPS', 'Import groups'), 3), new LiteralField('GroupImportFormIframe', sprintf('<iframe src="%s" id="GroupImportFormIframe" width="100%%" height="250px" frameBorder="0">' . '</iframe>', $this->Link('groupimport')))));
     }
     // Tab nav in CMS is rendered through separate template
     $root->setTemplate('CMSTabSet');
     // Add roles editing interface
     if (Permission::check('APPLY_ROLES')) {
         $rolesField = GridField::create('Roles', false, PermissionRole::get(), GridFieldConfig_RecordEditor::create());
         $rolesTab = $fields->findOrMakeTab('Root.Roles', _t('SecurityAdmin.TABROLES', 'Roles'));
         $rolesTab->push($rolesField);
     }
     $actionParam = $this->getRequest()->param('Action');
     if ($actionParam == 'groups') {
         $groupsTab->addExtraClass('ui-state-active');
     } elseif ($actionParam == 'users') {
         $usersTab->addExtraClass('ui-state-active');
     } elseif ($actionParam == 'roles') {
         $rolesTab->addExtraClass('ui-state-active');
     }
     $actions = new FieldList();
     $form = Form::create($this, 'EditForm', $fields, $actions)->setHTMLID('Form_EditForm');
     $form->addExtraClass('cms-edit-form');
     $form->setTemplate($this->getTemplatesWithSuffix('_EditForm'));
     // Tab nav in CMS is rendered through separate template
     if ($form->Fields()->hasTabset()) {
         $form->Fields()->findOrMakeTab('Root')->setTemplate('CMSTabSet');
     }
     $form->addExtraClass('center ss-tabset cms-tabset ' . $this->BaseCSSClasses());
     $form->setAttribute('data-pjax-fragment', 'CurrentForm');
     $this->extend('updateEditForm', $form);
     return $form;
 }
 public function run($request)
 {
     $algo = Security::config()->password_encryption_algorithm;
     if ($algo == 'none') {
         $this->debugMessage('Password encryption disabled');
         return;
     }
     // Are there members with a clear text password?
     $members = Member::get()->where(array('"Member"."PasswordEncryption"' => 'none', '"Member"."Password" IS NOT NULL'));
     if (!$members) {
         $this->debugMessage('No passwords to encrypt');
         return;
     }
     // Encrypt the passwords...
     $this->debugMessage('Encrypting all passwords');
     $this->debugMessage(sprintf('The passwords will be encrypted using the %s algorithm', $algo));
     foreach ($members as $member) {
         // Force the update of the member record, as new passwords get
         // automatically encrypted according to the settings, this will do all
         // the work for us
         $member->PasswordEncryption = $algo;
         $member->forceChange();
         $member->write();
         $this->debugMessage(sprintf('Encrypted credentials for member #%d;', $member->ID));
     }
 }
 public function preRequest(HTTPRequest $request, Session $session, DataModel $model)
 {
     // Bootstrap session so that Session::get() accesses the right instance
     $dummyController = new Controller();
     $dummyController->setSession($session);
     $dummyController->setRequest($request);
     $dummyController->pushCurrent();
     // Block non-authenticated users from setting the stage mode
     if (!Versioned::can_choose_site_stage($request)) {
         $permissionMessage = sprintf(_t("ContentController.DRAFT_SITE_ACCESS_RESTRICTION", 'You must log in with your CMS password in order to view the draft or archived content. ' . '<a href="%s">Click here to go back to the published site.</a>'), Convert::raw2xml(Controller::join_links(Director::baseURL(), $request->getURL(), "?stage=Live")));
         // Force output since RequestFilter::preRequest doesn't support response overriding
         $response = Security::permissionFailure($dummyController, $permissionMessage);
         $session->inst_save();
         $dummyController->popCurrent();
         // Prevent output in testing
         if (class_exists('SilverStripe\\Dev\\SapphireTest', false) && SapphireTest::is_running_test()) {
             throw new HTTPResponse_Exception($response);
         }
         $response->output();
         die;
     }
     Versioned::choose_site_stage();
     $dummyController->popCurrent();
     return true;
 }
 public function init()
 {
     parent::init();
     $canAccess = Director::isDev() || Director::is_cli() || Permission::check("ADMIN");
     if (!$canAccess) {
         return Security::permissionFailure($this);
     }
 }
 protected function init()
 {
     parent::init();
     // Unless called from the command line, all CliControllers need ADMIN privileges
     if (!Director::is_cli() && !Permission::check("ADMIN")) {
         return Security::permissionFailure();
     }
 }
 protected function init()
 {
     parent::init();
     $isRunningTests = class_exists('SilverStripe\\Dev\\SapphireTest', false) && SapphireTest::is_running_test();
     $canAccess = Director::isDev() || Director::is_cli() && !$isRunningTests || Permission::check("ADMIN");
     if (!$canAccess) {
         Security::permissionFailure($this);
     }
 }
 public function setUp()
 {
     parent::setUp();
     // Fixtures assume Email is the field used to identify the log in identity
     Member::config()->unique_identifier_field = 'Email';
     Security::$force_database_is_ready = true;
     // Prevents Member test subclasses breaking ready test
     Member::config()->lock_out_after_incorrect_logins = 10;
 }
 public function testDefaultAdmin()
 {
     $adminMembers = Permission::get_members_by_permission('ADMIN');
     $this->assertEquals(0, $adminMembers->count());
     $admin = Member::default_admin();
     $this->assertInstanceOf('SilverStripe\\Security\\Member', $admin);
     $this->assertTrue(Permission::checkMember($admin, 'ADMIN'));
     $this->assertEquals($admin->Email, Security::default_admin_username());
     $this->assertNull($admin->Password);
 }
 /**
  * Require basic authentication.  Will request a username and password if none is given.
  *
  * Used by {@link Controller::init()}.
  *
  * @throws HTTPResponse_Exception
  *
  * @param string $realm
  * @param string|array $permissionCode Optional
  * @param boolean $tryUsingSessionLogin If true, then the method with authenticate against the
  *  session log-in if those credentials are disabled.
  * @return Member|bool $member
  */
 public static function requireLogin($realm, $permissionCode = null, $tryUsingSessionLogin = true)
 {
     $isRunningTests = class_exists('SilverStripe\\Dev\\SapphireTest', false) && SapphireTest::is_running_test();
     if (!Security::database_is_ready() || Director::is_cli() && !$isRunningTests) {
         return true;
     }
     /*
      * Enable HTTP Basic authentication workaround for PHP running in CGI mode with Apache
      * Depending on server configuration the auth header may be in HTTP_AUTHORIZATION or
      * REDIRECT_HTTP_AUTHORIZATION
      *
      * The follow rewrite rule must be in the sites .htaccess file to enable this workaround
      * RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
      */
     $authHeader = isset($_SERVER['HTTP_AUTHORIZATION']) ? $_SERVER['HTTP_AUTHORIZATION'] : (isset($_SERVER['REDIRECT_HTTP_AUTHORIZATION']) ? $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] : null);
     $matches = array();
     if ($authHeader && preg_match('/Basic\\s+(.*)$/i', $authHeader, $matches)) {
         list($name, $password) = explode(':', base64_decode($matches[1]));
         $_SERVER['PHP_AUTH_USER'] = strip_tags($name);
         $_SERVER['PHP_AUTH_PW'] = strip_tags($password);
     }
     $member = null;
     if (isset($_SERVER['PHP_AUTH_USER']) && isset($_SERVER['PHP_AUTH_PW'])) {
         $member = MemberAuthenticator::authenticate(array('Email' => $_SERVER['PHP_AUTH_USER'], 'Password' => $_SERVER['PHP_AUTH_PW']), null);
     }
     if (!$member && $tryUsingSessionLogin) {
         $member = Member::currentUser();
     }
     // If we've failed the authentication mechanism, then show the login form
     if (!$member) {
         $response = new HTTPResponse(null, 401);
         $response->addHeader('WWW-Authenticate', "Basic realm=\"{$realm}\"");
         if (isset($_SERVER['PHP_AUTH_USER'])) {
             $response->setBody(_t('BasicAuth.ERRORNOTREC', "That username / password isn't recognised"));
         } else {
             $response->setBody(_t('BasicAuth.ENTERINFO', "Please enter a username and password."));
         }
         // Exception is caught by RequestHandler->handleRequest() and will halt further execution
         $e = new HTTPResponse_Exception(null, 401);
         $e->setResponse($response);
         throw $e;
     }
     if ($permissionCode && !Permission::checkMember($member->ID, $permissionCode)) {
         $response = new HTTPResponse(null, 401);
         $response->addHeader('WWW-Authenticate', "Basic realm=\"{$realm}\"");
         if (isset($_SERVER['PHP_AUTH_USER'])) {
             $response->setBody(_t('BasicAuth.ERRORNOTADMIN', "That user is not an administrator."));
         }
         // Exception is caught by RequestHandler->handleRequest() and will halt further execution
         $e = new HTTPResponse_Exception(null, 401);
         $e->setResponse($response);
         throw $e;
     }
     return $member;
 }
 public function run($request)
 {
     if (!Permission::check('ADMIN') && !Director::is_cli()) {
         $response = Security::permissionFailure();
         if ($response) {
             $response->output();
         }
         die;
     }
     SapphireTest::delete_all_temp_dbs();
 }
 public function testCleartextPasswordsAreHashedWithDefaultAlgo()
 {
     $loader = new MemberCsvBulkLoader();
     $results = $loader->load($this->getCurrentRelativePath() . '/MemberCsvBulkLoaderTest_cleartextpws.csv');
     $member = $results->Created()->First();
     $memberID = $member->ID;
     DataObject::flush_and_destroy_cache();
     $member = DataObject::get_by_id('SilverStripe\\Security\\Member', $memberID);
     // TODO Direct getter doesn't work, wtf!
     $this->assertEquals(Security::config()->password_encryption_algorithm, $member->getField('PasswordEncryption'));
     $result = $member->checkPassword('mypassword');
     $this->assertTrue($result->valid());
 }
 protected function init()
 {
     parent::init();
     // We allow access to this controller regardless of live-status or ADMIN permission only
     // if on CLI or with the database not ready. The latter makes it less errorprone to do an
     // initial schema build without requiring a default-admin login.
     // Access to this controller is always allowed in "dev-mode", or of the user is ADMIN.
     $isRunningTests = class_exists('SapphireTest', false) && SapphireTest::is_running_test();
     $canAccess = Director::isDev() || !Security::database_is_ready() || Director::is_cli() && !$isRunningTests || Permission::check("ADMIN");
     if (!$canAccess) {
         return Security::permissionFailure($this, "This page is secured and you need administrator rights to access it. " . "Enter your credentials below and we will send you right along.");
     }
 }
 public function __construct(Controller $controller, $name)
 {
     // Set default fields
     $fields = new FieldList(HiddenField::create("AuthenticationMethod", null, $this->authenticator_class, $this), HiddenField::create('tempid', null, $controller->getRequest()->requestVar('tempid')), PasswordField::create("Password", _t('Member.PASSWORD', 'Password')), LiteralField::create('forgotPassword', sprintf('<p id="ForgotPassword"><a href="%s" target="_top">%s</a></p>', $this->getExternalLink('lostpassword'), _t('CMSMemberLoginForm.BUTTONFORGOTPASSWORD', "Forgot password?"))));
     if (Security::config()->autologin_enabled) {
         $fields->push(CheckboxField::create("Remember", _t('Member.REMEMBERME', "Remember me next time?")));
     }
     // Determine returnurl to redirect to parent page
     $logoutLink = $this->getExternalLink('logout');
     if ($returnURL = $controller->getRequest()->requestVar('BackURL')) {
         $logoutLink = Controller::join_links($logoutLink, '?BackURL=' . urlencode($returnURL));
     }
     // Make actions
     $actions = new FieldList(FormAction::create('dologin', _t('CMSMemberLoginForm.BUTTONLOGIN', "Log back in")), LiteralField::create('doLogout', sprintf('<p id="doLogout"><a href="%s" target="_top">%s</a></p>', $logoutLink, _t('CMSMemberLoginForm.BUTTONLOGOUT', "Log out"))));
     parent::__construct($controller, $name, $fields, $actions);
 }
 protected function init()
 {
     parent::init();
     // Special case for dev/build: Defer permission checks to DatabaseAdmin->init() (see #4957)
     $requestedDevBuild = stripos($this->getRequest()->getURL(), 'dev/build') === 0 && stripos($this->getRequest()->getURL(), 'dev/build/defaults') === false;
     // We allow access to this controller regardless of live-status or ADMIN permission only
     // if on CLI.  Access to this controller is always allowed in "dev-mode", or of the user is ADMIN.
     $canAccess = $requestedDevBuild || Director::isDev() || Director::is_cli() || Permission::check("ADMIN");
     if (!$canAccess) {
         Security::permissionFailure($this);
         return;
     }
     // check for valid url mapping
     // lacking this information can cause really nasty bugs,
     // e.g. when running Director::test() from a FunctionalTest instance
     global $_FILE_TO_URL_MAPPING;
     if (Director::is_cli()) {
         if (isset($_FILE_TO_URL_MAPPING)) {
             $testPath = BASE_PATH;
             $matched = false;
             while ($testPath && $testPath != "/" && !preg_match('/^[A-Z]:\\\\$/', $testPath)) {
                 if (isset($_FILE_TO_URL_MAPPING[$testPath])) {
                     $matched = true;
                     break;
                 }
                 $testPath = dirname($testPath);
             }
             if (!$matched) {
                 echo 'Warning: You probably want to define ' . 'an entry in $_FILE_TO_URL_MAPPING that covers "' . Director::baseFolder() . '"' . "\n";
             }
         } else {
             echo 'Warning: You probably want to define $_FILE_TO_URL_MAPPING in ' . 'your _ss_environment.php as instructed on the "sake" page of the doc.silverstripe.org wiki' . "\n";
         }
     }
     // Backwards compat: Default to "draft" stage, which is important
     // for tasks like dev/build which call DataObject->requireDefaultRecords(),
     // but also for other administrative tasks which have assumptions about the default stage.
     Versioned::set_stage(Versioned::DRAFT);
 }
 /**
  * Log login attempt
  * TODO We could handle this with an extension
  *
  * @param array $data
  * @param Member $member
  * @param bool $success
  */
 protected static function record_login_attempt($data, $member, $success)
 {
     if (!Security::config()->login_recording) {
         return;
     }
     // Check email is valid
     $email = isset($data['Email']) ? $data['Email'] : null;
     if (is_array($email)) {
         throw new InvalidArgumentException("Bad email passed to MemberAuthenticator::authenticate(): {$email}");
     }
     $attempt = new LoginAttempt();
     if ($success) {
         // successful login (member is existing with matching password)
         $attempt->MemberID = $member->ID;
         $attempt->Status = 'Success';
         // Audit logging hook
         $member->extend('authenticated');
     } else {
         // Failed login - we're trying to see if a user exists with this email (disregarding wrong passwords)
         $attempt->Status = 'Failure';
         if ($member) {
             // Audit logging hook
             $attempt->MemberID = $member->ID;
             $member->extend('authenticationFailed');
         } else {
             // Audit logging hook
             Member::singleton()->extend('authenticationFailedUnknownUser', $data);
         }
     }
     $attempt->Email = $email;
     $attempt->IP = Controller::curr()->getRequest()->getIP();
     $attempt->write();
 }
 /**
  * Test that the default admin can be authenticated
  */
 public function testDefaultAdmin()
 {
     // Make form
     $controller = new Security();
     $form = new Form($controller, 'Form', new FieldList(), new FieldList());
     // Test correct login
     $result = MemberAuthenticator::authenticate(array('Email' => 'admin', 'Password' => 'password'), $form);
     $this->assertNotEmpty($result);
     $this->assertEquals($result->Email, Security::default_admin_username());
     $this->assertEmpty($form->Message());
     // Test incorrect login
     $form->clearMessage();
     $result = MemberAuthenticator::authenticate(array('Email' => 'admin', 'Password' => 'notmypassword'), $form);
     $this->assertEmpty($result);
     $this->assertEquals('The provided details don&#039;t seem to be correct. Please try again.', $form->Message());
     $this->assertEquals('bad', $form->MessageType());
 }
 /**
  * Forgot password form handler method.
  * Called when the user clicks on "I've lost my password".
  * Extensions can use the 'forgotPassword' method to veto executing
  * the logic, by returning FALSE. In this case, the user will be redirected back
  * to the form without further action. It is recommended to set a message
  * in the form detailing why the action was denied.
  *
  * @param array $data Submitted data
  * @return SS_HTTPResponse
  */
 public function forgotPassword($data)
 {
     // Ensure password is given
     if (empty($data['Email'])) {
         $this->sessionMessage(_t('Member.ENTEREMAIL', 'Please enter an email address to get a password reset link.'), 'bad');
         $this->controller->redirect('Security/lostpassword');
         return;
     }
     // Find existing member
     $member = Member::get()->filter("Email", $data['Email'])->first();
     // Allow vetoing forgot password requests
     $results = $this->extend('forgotPassword', $member);
     if ($results && is_array($results) && in_array(false, $results, true)) {
         return $this->controller->redirect('Security/lostpassword');
     }
     if ($member) {
         $token = $member->generateAutologinTokenAndStoreHash();
         /** @var Email $e */
         $e = Email::create();
         $e->setSubject(_t('Member.SUBJECTPASSWORDRESET', "Your password reset link", 'Email subject'));
         $e->setTemplate('ForgotPasswordEmail');
         $e->populateTemplate($member);
         $e->populateTemplate(array('PasswordResetLink' => Security::getPasswordResetLink($member, $token)));
         $e->setTo($member->Email);
         $e->send();
         $this->controller->redirect('Security/passwordsent/' . urlencode($data['Email']));
     } elseif ($data['Email']) {
         // Avoid information disclosure by displaying the same status,
         // regardless wether the email address actually exists
         $this->controller->redirect('Security/passwordsent/' . rawurlencode($data['Email']));
     } else {
         $this->sessionMessage(_t('Member.ENTEREMAIL', 'Please enter an email address to get a password reset link.'), 'bad');
         $this->controller->redirect('Security/lostpassword');
     }
 }
Ejemplo n.º 19
0
        DB::connect($databaseConfig);
    }
    // Check if a token is requesting a redirect
    if (!$reloadToken) {
        return;
    }
    // Otherwise, we start up the session if needed
    if (!isset($_SESSION) && Session::request_contains_session_id()) {
        Session::start();
    }
    // Next, check if we're in dev mode, or the database doesn't have any security data, or we are admin
    if (Director::isDev() || !Security::database_is_ready() || Permission::check('ADMIN')) {
        return $reloadToken->reloadWithToken();
    }
    // Fail and redirect the user to the login page
    $loginPage = Director::absoluteURL(Security::config()->login_url);
    $loginPage .= "?BackURL=" . urlencode($_SERVER['REQUEST_URI']);
    header('location: ' . $loginPage, true, 302);
    die;
})->thenIfErrored(function () use($reloadToken) {
    if ($reloadToken) {
        $reloadToken->reloadWithToken();
    }
})->execute();
global $databaseConfig;
// Redirect to the installer if no database is selected
if (!isset($databaseConfig) || !isset($databaseConfig['database']) || !$databaseConfig['database']) {
    if (!file_exists(BASE_PATH . '/install.php')) {
        header($_SERVER['SERVER_PROTOCOL'] . " 500 Server Error");
        die('SilverStripe Framework requires a $databaseConfig defined.');
    }
    // For SQlite3 memory databases (mainly for testing purposes)
    if (defined('SS_DATABASE_MEMORY')) {
        $databaseConfig["memory"] = SS_DATABASE_MEMORY;
    }
}
if (defined('SS_SEND_ALL_EMAILS_TO')) {
    Email::config()->send_all_emails_to = SS_SEND_ALL_EMAILS_TO;
}
if (defined('SS_SEND_ALL_EMAILS_FROM')) {
    Email::config()->send_all_emails_from = SS_SEND_ALL_EMAILS_FROM;
}
if (defined('SS_DEFAULT_ADMIN_USERNAME')) {
    if (!defined('SS_DEFAULT_ADMIN_PASSWORD')) {
        user_error("SS_DEFAULT_ADMIN_PASSWORD must be defined in your _ss_environment.php," . "if SS_DEFAULT_ADMIN_USERNAME is defined.  See " . "http://doc.silverstripe.org/framework/en/topics/environment-management for more information", E_USER_ERROR);
    } else {
        Security::setDefaultAdmin(SS_DEFAULT_ADMIN_USERNAME, SS_DEFAULT_ADMIN_PASSWORD);
    }
}
if (defined('SS_USE_BASIC_AUTH') && SS_USE_BASIC_AUTH) {
    BasicAuth::config()->entire_site_protected = SS_USE_BASIC_AUTH;
}
if (defined('SS_ERROR_LOG')) {
    $logger = Injector::inst()->get('Logger');
    if ($logger instanceof Logger) {
        $logger->pushHandler(new StreamHandler(BASE_PATH . '/' . SS_ERROR_LOG, Logger::WARNING));
    } else {
        user_error("SS_ERROR_LOG setting only works with Monolog, you are using another logger", E_USER_WARNING);
    }
}
// Allow database adapters to handle their own configuration
DatabaseAdapterRegistry::autoconfigure();
 public function setUp()
 {
     //nest config and injector for each test so they are effectively sandboxed per test
     Config::nest();
     Injector::nest();
     $this->originalReadingMode = Versioned::get_reading_mode();
     // We cannot run the tests on this abstract class.
     if (get_class($this) == "SapphireTest") {
         $this->markTestSkipped(sprintf('Skipping %s ', get_class($this)));
         return;
     }
     // Mark test as being run
     $this->originalIsRunningTest = self::$is_running_test;
     self::$is_running_test = true;
     // i18n needs to be set to the defaults or tests fail
     i18n::set_locale(Config::inst()->get('i18n', 'default_locale'));
     i18n::config()->date_format = null;
     i18n::config()->time_format = null;
     // Set default timezone consistently to avoid NZ-specific dependencies
     date_default_timezone_set('UTC');
     // Remove password validation
     $this->originalMemberPasswordValidator = Member::password_validator();
     $this->originalRequirements = Requirements::backend();
     Member::set_password_validator(null);
     Config::inst()->update('Cookie', 'report_errors', false);
     if (class_exists('SilverStripe\\CMS\\Controllers\\RootURLController')) {
         RootURLController::reset();
     }
     if (class_exists('Translatable')) {
         Translatable::reset();
     }
     Versioned::reset();
     DataObject::reset();
     if (class_exists('SilverStripe\\CMS\\Model\\SiteTree')) {
         SiteTree::reset();
     }
     Hierarchy::reset();
     if (Controller::has_curr()) {
         Controller::curr()->setSession(Injector::inst()->create('Session', array()));
     }
     Security::$database_is_ready = null;
     // Add controller-name auto-routing
     Config::inst()->update('Director', 'rules', array('$Controller//$Action/$ID/$OtherID' => '*'));
     $fixtureFile = static::get_fixture_file();
     $prefix = defined('SS_DATABASE_PREFIX') ? SS_DATABASE_PREFIX : 'ss_';
     // Todo: this could be a special test model
     $this->model = DataModel::inst();
     // Set up fixture
     if ($fixtureFile || $this->usesDatabase) {
         if (!self::using_temp_db()) {
             self::create_temp_db();
         }
         singleton('SilverStripe\\ORM\\DataObject')->flushCache();
         self::empty_temp_db();
         foreach ($this->requireDefaultRecordsFrom as $className) {
             $instance = singleton($className);
             if (method_exists($instance, 'requireDefaultRecords')) {
                 $instance->requireDefaultRecords();
             }
             if (method_exists($instance, 'augmentDefaultRecords')) {
                 $instance->augmentDefaultRecords();
             }
         }
         if ($fixtureFile) {
             $pathForClass = $this->getCurrentAbsolutePath();
             $fixtureFiles = is_array($fixtureFile) ? $fixtureFile : array($fixtureFile);
             $i = 0;
             foreach ($fixtureFiles as $fixtureFilePath) {
                 // Support fixture paths relative to the test class, rather than relative to webroot
                 // String checking is faster than file_exists() calls.
                 $isRelativeToFile = strpos('/', $fixtureFilePath) === false || preg_match('/^\\.\\./', $fixtureFilePath);
                 if ($isRelativeToFile) {
                     $resolvedPath = realpath($pathForClass . '/' . $fixtureFilePath);
                     if ($resolvedPath) {
                         $fixtureFilePath = $resolvedPath;
                     }
                 }
                 $fixture = Injector::inst()->create('YamlFixture', $fixtureFilePath);
                 $fixture->writeInto($this->getFixtureFactory());
                 $this->fixtures[] = $fixture;
                 // backwards compatibility: Load first fixture into $this->fixture
                 if ($i == 0) {
                     $this->fixture = $fixture;
                 }
                 $i++;
             }
         }
         $this->logInWithPermission("ADMIN");
     }
     // Preserve memory settings
     $this->originalMemoryLimit = ini_get('memory_limit');
     // turn off template debugging
     Config::inst()->update('SSViewer', 'source_file_comments', false);
     // Clear requirements
     Requirements::clear();
     // Set up email
     $this->originalMailer = Email::mailer();
     $this->mailer = new TestMailer();
     Injector::inst()->registerService($this->mailer, 'Mailer');
     Config::inst()->remove('Email', 'send_all_emails_to');
 }
 public function setUp()
 {
     //nest config and injector for each test so they are effectively sandboxed per test
     Config::nest();
     Injector::nest();
     $this->originalReadingMode = Versioned::get_reading_mode();
     // We cannot run the tests on this abstract class.
     if (get_class($this) == __CLASS__) {
         $this->markTestSkipped(sprintf('Skipping %s ', get_class($this)));
         return;
     }
     // Mark test as being run
     $this->originalIsRunningTest = self::$is_running_test;
     self::$is_running_test = true;
     // i18n needs to be set to the defaults or tests fail
     i18n::set_locale(i18n::config()->get('default_locale'));
     i18n::config()->date_format = null;
     i18n::config()->time_format = null;
     // Set default timezone consistently to avoid NZ-specific dependencies
     date_default_timezone_set('UTC');
     // Remove password validation
     $this->originalMemberPasswordValidator = Member::password_validator();
     $this->originalRequirements = Requirements::backend();
     Member::set_password_validator(null);
     Cookie::config()->update('report_errors', false);
     if (class_exists('SilverStripe\\CMS\\Controllers\\RootURLController')) {
         RootURLController::reset();
     }
     if (class_exists('Translatable')) {
         Translatable::reset();
     }
     Versioned::reset();
     DataObject::reset();
     if (class_exists('SilverStripe\\CMS\\Model\\SiteTree')) {
         SiteTree::reset();
     }
     Hierarchy::reset();
     if (Controller::has_curr()) {
         Controller::curr()->setSession(Session::create(array()));
     }
     Security::$database_is_ready = null;
     // Add controller-name auto-routing
     // @todo Fix to work with namespaced controllers
     Director::config()->update('rules', array('$Controller//$Action/$ID/$OtherID' => '*'));
     $fixtureFiles = $this->getFixturePaths();
     // Todo: this could be a special test model
     $this->model = DataModel::inst();
     // Set up fixture
     if ($fixtureFiles || $this->usesDatabase) {
         if (!self::using_temp_db()) {
             self::create_temp_db();
         }
         DataObject::singleton()->flushCache();
         self::empty_temp_db();
         foreach ($this->requireDefaultRecordsFrom as $className) {
             $instance = singleton($className);
             if (method_exists($instance, 'requireDefaultRecords')) {
                 $instance->requireDefaultRecords();
             }
             if (method_exists($instance, 'augmentDefaultRecords')) {
                 $instance->augmentDefaultRecords();
             }
         }
         foreach ($fixtureFiles as $fixtureFilePath) {
             $fixture = YamlFixture::create($fixtureFilePath);
             $fixture->writeInto($this->getFixtureFactory());
         }
         $this->logInWithPermission("ADMIN");
     }
     // Preserve memory settings
     $this->originalMemoryLimit = ini_get('memory_limit');
     // turn off template debugging
     SSViewer::config()->update('source_file_comments', false);
     // Clear requirements
     Requirements::clear();
     // Set up email
     $this->mailer = new TestMailer();
     Injector::inst()->registerService($this->mailer, 'SilverStripe\\Control\\Email\\Mailer');
     Email::config()->remove('send_all_emails_to');
 }
 public function index()
 {
     if (!Permission::check('ADMIN')) {
         return Security::permissionFailure($this);
     }
     return 'Success';
 }
 /**
  * Calls {@link SiteTree->getCMSFields()}
  *
  * @param Int $id
  * @param FieldList $fields
  * @return Form
  */
 public function getEditForm($id = null, $fields = null)
 {
     if (!$id) {
         $id = $this->currentPageID();
     }
     if (is_object($id)) {
         $record = $id;
     } else {
         $record = $this->getRecord($id);
         if ($record && !$record->canView()) {
             return Security::permissionFailure($this);
         }
     }
     if ($record) {
         $fields = $fields ? $fields : $record->getCMSFields();
         if ($fields == null) {
             user_error("getCMSFields() returned null  - it should return a FieldList object.\n\t\t\t\t\tPerhaps you forgot to put a return statement at the end of your method?", E_USER_ERROR);
         }
         // Add hidden fields which are required for saving the record
         // and loading the UI state
         if (!$fields->dataFieldByName('ClassName')) {
             $fields->push(new HiddenField('ClassName'));
         }
         $tree_class = $this->stat('tree_class');
         if ($tree_class::has_extension(Hierarchy::class) && !$fields->dataFieldByName('ParentID')) {
             $fields->push(new HiddenField('ParentID'));
         }
         // Added in-line to the form, but plucked into different view by frontend scripts.
         if ($record instanceof CMSPreviewable) {
             /** @skipUpgrade */
             $navField = new LiteralField('SilverStripeNavigator', $this->getSilverStripeNavigator());
             $navField->setAllowHTML(true);
             $fields->push($navField);
         }
         if ($record->hasMethod('getAllCMSActions')) {
             $actions = $record->getAllCMSActions();
         } else {
             $actions = $record->getCMSActions();
             // add default actions if none are defined
             if (!$actions || !$actions->count()) {
                 if ($record->hasMethod('canEdit') && $record->canEdit()) {
                     $actions->push(FormAction::create('save', _t('CMSMain.SAVE', 'Save'))->addExtraClass('ss-ui-action-constructive')->setAttribute('data-icon', 'accept'));
                 }
                 if ($record->hasMethod('canDelete') && $record->canDelete()) {
                     $actions->push(FormAction::create('delete', _t('ModelAdmin.DELETE', 'Delete'))->addExtraClass('ss-ui-action-destructive'));
                 }
             }
         }
         // Use <button> to allow full jQuery UI styling
         $actionsFlattened = $actions->dataFields();
         if ($actionsFlattened) {
             /** @var FormAction $action */
             foreach ($actionsFlattened as $action) {
                 $action->setUseButtonTag(true);
             }
         }
         $negotiator = $this->getResponseNegotiator();
         $form = Form::create($this, "EditForm", $fields, $actions)->setHTMLID('Form_EditForm');
         $form->addExtraClass('cms-edit-form');
         $form->loadDataFrom($record);
         $form->setTemplate($this->getTemplatesWithSuffix('_EditForm'));
         $form->setAttribute('data-pjax-fragment', 'CurrentForm');
         $form->setValidationResponseCallback(function () use($negotiator, $form) {
             $request = $this->getRequest();
             if ($request->isAjax() && $negotiator) {
                 $form->setupFormErrors();
                 $result = $form->forTemplate();
                 return $negotiator->respond($request, array('CurrentForm' => function () use($result) {
                     return $result;
                 }));
             }
         });
         // Announce the capability so the frontend can decide whether to allow preview or not.
         if ($record instanceof CMSPreviewable) {
             $form->addExtraClass('cms-previewable');
         }
         $form->addExtraClass('fill-height');
         // Set this if you want to split up tabs into a separate header row
         // if($form->Fields()->hasTabset()) {
         // 	$form->Fields()->findOrMakeTab('Root')->setTemplate('SilverStripe\\Forms\\CMSTabSet');
         // }
         // Add a default or custom validator.
         // @todo Currently the default Validator.js implementation
         //  adds javascript to the document body, meaning it won't
         //  be included properly if the associated fields are loaded
         //  through ajax. This means only serverside validation
         //  will kick in for pages+validation loaded through ajax.
         //  This will be solved by using less obtrusive javascript validation
         //  in the future, see http://open.silverstripe.com/ticket/2915 and
         //  http://open.silverstripe.com/ticket/3386
         if ($record->hasMethod('getCMSValidator')) {
             $validator = $record->getCMSValidator();
             // The clientside (mainly LeftAndMain*.js) rely on ajax responses
             // which can be evaluated as javascript, hence we need
             // to override any global changes to the validation handler.
             if ($validator != NULL) {
                 $form->setValidator($validator);
             }
         } else {
             $form->unsetValidator();
         }
         if ($record->hasMethod('canEdit') && !$record->canEdit()) {
             $readonlyFields = $form->Fields()->makeReadonly();
             $form->setFields($readonlyFields);
         }
     } else {
         $form = $this->EmptyForm();
     }
     return $form;
 }
Ejemplo n.º 25
0
 /**
  * Cleanup function to reset all the Filename fields.  Visit File/fixfiles to call.
  */
 public function fixfiles()
 {
     if (!Permission::check('ADMIN')) {
         return Security::permissionFailure($this);
     }
     $files = DataObject::get("File");
     foreach ($files as $file) {
         $file->updateFilesystem();
         echo "<li>", $file->Filename;
         $file->write();
     }
     echo "<p>Done!";
 }
 public function getIncludeTemplate($name)
 {
     return array("CMSSecurity_{$name}") + parent::getIncludeTemplate($name);
 }
Ejemplo n.º 27
0
    /**
     * Check if the user has permissions to run URL debug tools,
     * else redirect them to log in.
     */
    public static function require_developer_login()
    {
        if (Director::isDev()) {
            return;
        }
        if (isset($_SESSION['loggedInAs'])) {
            // We have to do some raw SQL here, because this method is called in Object::defineMethods().
            // This means we have to be careful about what objects we create, as we don't want Object::defineMethods()
            // being called again.
            // This basically calls Permission::checkMember($_SESSION['loggedInAs'], 'ADMIN');
            // @TODO - Rewrite safely using DataList::filter
            $memberID = $_SESSION['loggedInAs'];
            $permission = DB::prepared_query('
				SELECT "ID" FROM "Permission"
				INNER JOIN "Group_Members" ON "Permission"."GroupID" = "Group_Members"."GroupID"
				WHERE "Permission"."Code" = ?
				AND "Permission"."Type" = ?
				AND "Group_Members"."MemberID" = ?', array('ADMIN', Permission::GRANT_PERMISSION, $memberID))->value();
            if ($permission) {
                return;
            }
        }
        // This basically does the same as
        // Security::permissionFailure(null, "You need to login with developer access to make use of debugging tools.")
        // We have to do this because of how early this method is called in execution.
        $_SESSION['SilverStripe\\Security\\Security']['Message']['message'] = "You need to login with developer access to make use of debugging tools.";
        $_SESSION['SilverStripe\\Security\\Security']['Message']['type'] = 'warning';
        $_SESSION['BackURL'] = $_SERVER['REQUEST_URI'];
        header($_SERVER['SERVER_PROTOCOL'] . " 302 Found");
        header("Location: " . Director::baseURL() . Security::login_url());
        die;
    }
Ejemplo n.º 28
0
 /**
  * Event handler called before writing to the database.
  */
 public function onBeforeWrite()
 {
     if ($this->SetPassword) {
         $this->Password = $this->SetPassword;
     }
     // If a member with the same "unique identifier" already exists with a different ID, don't allow merging.
     // Note: This does not a full replacement for safeguards in the controller layer (e.g. in a registration form),
     // but rather a last line of defense against data inconsistencies.
     $identifierField = Member::config()->unique_identifier_field;
     if ($this->{$identifierField}) {
         // Note: Same logic as Member_Validator class
         $filter = array("\"{$identifierField}\"" => $this->{$identifierField});
         if ($this->ID) {
             $filter[] = array('"Member"."ID" <> ?' => $this->ID);
         }
         $existingRecord = DataObject::get_one('SilverStripe\\Security\\Member', $filter);
         if ($existingRecord) {
             throw new ValidationException(ValidationResult::create(false, _t('Member.ValidationIdentifierFailed', 'Can\'t overwrite existing member #{id} with identical identifier ({name} = {value}))', 'Values in brackets show "fieldname = value", usually denoting an existing email address', array('id' => $existingRecord->ID, 'name' => $identifierField, 'value' => $this->{$identifierField}))));
         }
     }
     // We don't send emails out on dev/tests sites to prevent accidentally spamming users.
     // However, if TestMailer is in use this isn't a risk.
     if ((Director::isLive() || Email::mailer() instanceof TestMailer) && $this->isChanged('Password') && $this->record['Password'] && $this->config()->notify_password_change) {
         /** @var Email $e */
         $e = Email::create();
         $e->setSubject(_t('Member.SUBJECTPASSWORDCHANGED', "Your password has been changed", 'Email subject'));
         $e->setTemplate('ChangePasswordEmail');
         $e->populateTemplate($this);
         $e->setTo($this->Email);
         $e->send();
     }
     // The test on $this->ID is used for when records are initially created.
     // Note that this only works with cleartext passwords, as we can't rehash
     // existing passwords.
     if (!$this->ID && $this->Password || $this->isChanged('Password')) {
         // Password was changed: encrypt the password according the settings
         $encryption_details = Security::encrypt_password($this->Password, $this->Salt, $this->PasswordEncryption ? $this->PasswordEncryption : Security::config()->password_encryption_algorithm, $this);
         // Overwrite the Password property with the hashed value
         $this->Password = $encryption_details['password'];
         $this->Salt = $encryption_details['salt'];
         $this->PasswordEncryption = $encryption_details['algorithm'];
         // If we haven't manually set a password expiry
         if (!$this->isChanged('PasswordExpiry')) {
             // then set it for us
             if (self::config()->password_expiry_days) {
                 $this->PasswordExpiry = date('Y-m-d', time() + 86400 * self::config()->password_expiry_days);
             } else {
                 $this->PasswordExpiry = null;
             }
         }
     }
     // save locale
     if (!$this->Locale) {
         $this->Locale = i18n::get_locale();
     }
     parent::onBeforeWrite();
 }
 /**
  * Handles URL requests.
  *
  *  - ViewableData::handleRequest() iterates through each rule in {@link self::$url_handlers}.
  *  - If the rule matches, the named method will be called.
  *  - If there is still more URL to be processed, then handleRequest()
  *    is called on the object that that method returns.
  *
  * Once all of the URL has been processed, the final result is returned.
  * However, if the final result is an array, this
  * array is interpreted as being additional template data to customise the
  * 2nd to last result with, rather than an object
  * in its own right.  This is most frequently used when a Controller's
  * action will return an array of data with which to
  * customise the controller.
  *
  * @param SS_HTTPRequest $request The object that is reponsible for distributing URL parsing
  * @param DataModel $model
  * @return SS_HTTPResponse|RequestHandler|string|array
  */
 public function handleRequest(SS_HTTPRequest $request, DataModel $model)
 {
     // $handlerClass is used to step up the class hierarchy to implement url_handlers inheritance
     $handlerClass = $this->class ? $this->class : get_class($this);
     if ($this->brokenOnConstruct) {
         user_error("parent::__construct() needs to be called on {$handlerClass}::__construct()", E_USER_WARNING);
     }
     $this->setRequest($request);
     $this->setDataModel($model);
     $match = $this->findAction($request);
     // If nothing matches, return this object
     if (!$match) {
         return $this;
     }
     // Start to find what action to call. Start by using what findAction returned
     $action = $match['action'];
     // We used to put "handleAction" as the action on controllers, but (a) this could only be called when
     // you had $Action in your rule, and (b) RequestHandler didn't have one. $Action is better
     if ($action == 'handleAction') {
         // TODO Fix LeftAndMain usage
         // Deprecation::notice('3.2.0', 'Calling handleAction directly is deprecated - use $Action instead');
         $action = '$Action';
     }
     // Actions can reference URL parameters, eg, '$Action/$ID/$OtherID' => '$Action',
     if ($action[0] == '$') {
         $action = str_replace("-", "_", $request->latestParam(substr($action, 1)));
     }
     if (!$action) {
         if (isset($_REQUEST['debug_request'])) {
             Debug::message("Action not set; using default action method name 'index'");
         }
         $action = "index";
     } else {
         if (!is_string($action)) {
             user_error("Non-string method name: " . var_export($action, true), E_USER_ERROR);
         }
     }
     $classMessage = Director::isLive() ? 'on this handler' : 'on class ' . get_class($this);
     try {
         if (!$this->hasAction($action)) {
             return $this->httpError(404, "Action '{$action}' isn't available {$classMessage}.");
         }
         if (!$this->checkAccessAction($action) || in_array(strtolower($action), array('run', 'doInit'))) {
             return $this->httpError(403, "Action '{$action}' isn't allowed {$classMessage}.");
         }
         $result = $this->handleAction($request, $action);
     } catch (SS_HTTPResponse_Exception $e) {
         return $e->getResponse();
     } catch (PermissionFailureException $e) {
         $result = Security::permissionFailure(null, $e->getMessage());
     }
     if ($result instanceof SS_HTTPResponse && $result->isError()) {
         if (isset($_REQUEST['debug_request'])) {
             Debug::message("Rule resulted in HTTP error; breaking");
         }
         return $result;
     }
     // If we return a RequestHandler, call handleRequest() on that, even if there is no more URL to
     // parse. It might have its own handler. However, we only do this if we haven't just parsed an
     // empty rule ourselves, to prevent infinite loops. Also prevent further handling of controller
     // actions which return themselves to avoid infinite loops.
     $matchedRuleWasEmpty = $request->isEmptyPattern($match['rule']);
     $resultIsRequestHandler = is_object($result) && $result instanceof RequestHandler;
     if ($this !== $result && !$matchedRuleWasEmpty && $resultIsRequestHandler) {
         $returnValue = $result->handleRequest($request, $model);
         // Array results can be used to handle
         if (is_array($returnValue)) {
             $returnValue = $this->customise($returnValue);
         }
         return $returnValue;
         // If we return some other data, and all the URL is parsed, then return that
     } else {
         if ($request->allParsed()) {
             return $result;
             // But if we have more content on the URL and we don't know what to do with it, return an error.
         } else {
             return $this->httpError(404, "I can't handle sub-URLs {$classMessage}.");
         }
     }
     return $this;
 }
Ejemplo n.º 30
0
 /**
  * Register that we've had a permission failure trying to view the given page
  *
  * This will redirect to a login page.
  * If you don't provide a messageSet, a default will be used.
  *
  * @param Controller $controller The controller that you were on to cause the permission
  *                               failure.
  * @param string|array $messageSet The message to show to the user. This
  *                                 can be a string, or a map of different
  *                                 messages for different contexts.
  *                                 If you pass an array, you can use the
  *                                 following keys:
  *                                   - default: The default message
  *                                   - alreadyLoggedIn: The message to
  *                                                      show if the user
  *                                                      is already logged
  *                                                      in and lacks the
  *                                                      permission to
  *                                                      access the item.
  *
  * The alreadyLoggedIn value can contain a '%s' placeholder that will be replaced with a link
  * to log in.
  * @return SS_HTTPResponse
  */
 public static function permissionFailure($controller = null, $messageSet = null)
 {
     self::set_ignore_disallowed_actions(true);
     if (!$controller) {
         $controller = Controller::curr();
     }
     if (Director::is_ajax()) {
         $response = $controller ? $controller->getResponse() : new SS_HTTPResponse();
         $response->setStatusCode(403);
         if (!Member::currentUser()) {
             $response->setBody(_t('ContentController.NOTLOGGEDIN', 'Not logged in'));
             $response->setStatusDescription(_t('ContentController.NOTLOGGEDIN', 'Not logged in'));
             // Tell the CMS to allow re-aunthentication
             if (CMSSecurity::enabled()) {
                 $response->addHeader('X-Reauthenticate', '1');
             }
         }
         return $response;
     }
     // Prepare the messageSet provided
     if (!$messageSet) {
         if ($configMessageSet = static::config()->get('default_message_set')) {
             $messageSet = $configMessageSet;
         } else {
             $messageSet = array('default' => _t('Security.NOTEPAGESECURED', "That page is secured. Enter your credentials below and we will send " . "you right along."), 'alreadyLoggedIn' => _t('Security.ALREADYLOGGEDIN', "You don't have access to this page.  If you have another account that " . "can access that page, you can log in again below.", "%s will be replaced with a link to log in."));
         }
     }
     if (!is_array($messageSet)) {
         $messageSet = array('default' => $messageSet);
     }
     $member = Member::currentUser();
     // Work out the right message to show
     if ($member && $member->exists()) {
         $response = $controller ? $controller->getResponse() : new SS_HTTPResponse();
         $response->setStatusCode(403);
         //If 'alreadyLoggedIn' is not specified in the array, then use the default
         //which should have been specified in the lines above
         if (isset($messageSet['alreadyLoggedIn'])) {
             $message = $messageSet['alreadyLoggedIn'];
         } else {
             $message = $messageSet['default'];
         }
         // Somewhat hackish way to render a login form with an error message.
         $me = new Security();
         $form = $me->LoginForm();
         $form->sessionMessage($message, 'warning');
         Session::set('MemberLoginForm.force_message', 1);
         $loginResponse = $me->login();
         if ($loginResponse instanceof SS_HTTPResponse) {
             return $loginResponse;
         }
         $response->setBody((string) $loginResponse);
         $controller->extend('permissionDenied', $member);
         return $response;
     } else {
         $message = $messageSet['default'];
     }
     Session::set("Security.Message.message", $message);
     Session::set("Security.Message.type", 'warning');
     Session::set("BackURL", $_SERVER['REQUEST_URI']);
     // TODO AccessLogEntry needs an extension to handle permission denied errors
     // Audit logging hook
     $controller->extend('permissionDenied', $member);
     return $controller->redirect(Config::inst()->get('SilverStripe\\Security\\Security', 'login_url') . "?BackURL=" . urlencode($_SERVER['REQUEST_URI']));
 }