/**
 * Test for issue #16322: eZTextFileUser makes user names with newline (with patch).
 *
 * Logging in through the 'textfile' handler with credentials that do not
 * exist must not produce an eZUser instance.
 */
public function testLoginWrongUsername()
{
    $handler = eZUserLoginHandler::instance('textfile');
    $result = $handler->loginUser('wrong username', 'wrong password');

    // A rejected login must never come back as a user object.
    $this->assertFalse($result instanceof eZUser);
}
/**
 * Checks authentication for the given $user.
 *
 * Verifies the user/password pair carried in $data against the 'standard'
 * login handler. Returns true if the user was successfully recognized and
 * the password is valid, false otherwise. When the request carried no
 * username and/or password, empty strings arrive here as the credentials.
 *
 * Only the 'standard' handler is consulted; the UserSettings/LoginHandler
 * list from site.ini is not read here. Only the username is written to the
 * WebDAV log, never the password.
 *
 * @param ezcWebdavBasicAuth $data
 * @return bool
 */
public function authenticateBasic(ezcWebdavBasicAuth $data)
{
    eZWebDAVContentBackend::appendLogEntry("Got username: {$data->username}");

    // Added by @ds to fix problems with IE6 SP2: when the supplied username
    // starts with this host's SERVER_NAME, keep only the part that follows it.
    // SERVER_NAME is regex-quoted so it is matched literally.
    $hostPrefixPattern = '(^' . preg_quote($_SERVER['SERVER_NAME']) . '(.+))';
    if (preg_match($hostPrefixPattern, $data->username, $found) === 1) {
        $data->username = $found[1];
    }
    eZWebDAVContentBackend::appendLogEntry("Processed to username: {$data->username}");

    $handler = eZUserLoginHandler::instance('standard');
    $loggedIn = $handler->loginUser($data->username, $data->password);
    if ($loggedIn instanceof eZUser) {
        eZWebDAVContentBackend::appendLogEntry("AuthenticatedBasic");
        return true;
    }

    return false;
}
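/**
 * Authenticates $user/$password against every configured login handler and,
 * on success, dispatches the webservice call $functionName with $params.
 *
 * Replicates the handler-iteration logic found in user/login: the handler
 * list comes from UserSettings/LoginHandler in site.ini, defaulting to
 * 'standard'. The same fault is returned for rejected credentials and for a
 * valid user without access to $functionName.
 *
 * @param string $user         login name as sent by the client
 * @param string $password     password as sent by the client
 * @param string $functionName webservice method being invoked
 * @param mixed  $params       parameters forwarded to the server
 * @return mixed the server's response, or a ggWebservicesFault
 */
function ezp_authandexec($user, $password, $functionName, $params)
{
    $server = $GLOBALS['ggws_server'];

    // replicate here logic found in user/login
    $ini = eZINI::instance();
    $loginHandlers = $ini->hasVariable('UserSettings', 'LoginHandler')
        ? $ini->variable('UserSettings', 'LoginHandler')
        : array('standard');

    foreach ($loginHandlers as $loginHandler) {
        $userClass = eZUserLoginHandler::instance($loginHandler);
        if (!is_object($userClass)) {
            // Unknown handler name: skip it rather than call a method on a non-object.
            continue;
        }

        // The login result goes into its own variable so that $user still holds
        // the login name when the next handler in the list is tried (previously
        // the result of a failed attempt was passed on as the login name).
        $loggedInUser = $userClass->loginUser($user, $password);
        if (!$loggedInUser instanceof eZUser) {
            continue;
        }

        // NOTE: no canLoginToSiteAccess() check is made here (the original had it
        // commented out as a todo); access is only checked per webservice function.
        if (!ggeZWebservices::checkAccess($functionName, $loggedInUser)) {
            return new ggWebservicesFault(ggWebservicesServer::INVALIDAUTHERROR, ggWebservicesServer::INVALIDAUTHSTRING);
        }

        return $server->isInternalRequest($functionName)
            ? $server->handleInternalRequest($functionName, $params)
            : $server->handleRequest($functionName, $params);
    }

    return new ggWebservicesFault(ggWebservicesServer::INVALIDAUTHERROR, ggWebservicesServer::INVALIDAUTHSTRING);
}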
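/**
 * Test for issue #16328: Wrong hash stored in database on hash update in ezUser.php
 *
 * Logs the user in by e-mail while HashType is md5_user and checks that the
 * hash rewritten into ezuser is computed from the login name, not the e-mail
 * address, and that a login by username still works afterwards.
 */
public function testPasswordHashSamePasswordToUser()
{
    // Make sure the fixture user exists before touching the hash settings.
    // NOTE(review): the literal '******' in the WHERE clause looks like a
    // redacted login; the failure messages suggest it should be $this->username
    // — confirm against the fixture.
    $db = eZDB::instance();
    $rows = $db->arrayQuery("SELECT * FROM ezuser where login = '******'");
    if (count($rows) !== 1) {
        $this->fail("User {$this->username} is not in database.");
    }

    // Above it was only the setup for the test, the real test begins now

    // Set HashType to md5_user (password_hash in the ezuser table is updated
    // again on the next successful login)
    ezpINIHelper::setINISetting('site.ini', 'UserSettings', 'HashType', 'md5_user');

    // Login the user with email instead of username
    $userClass = eZUserLoginHandler::instance('standard');
    $user = $userClass->loginUser($this->email, $this->password);

    // Verify that the email and password were accepted
    if (!$user instanceof eZUser) {
        $this->fail("User {$this->email} is not in database.");
    }

    // Get the password_hash as rewritten by the login above; guard the row
    // access so a missing row fails the test instead of raising a notice.
    $db = eZDB::instance();
    $rows = $db->arrayQuery("SELECT * FROM ezuser where login = '******'");
    if (count($rows) !== 1) {
        $this->fail("User {$this->username} is not in database.");
    }
    $passwordHashMD5User = $rows[0]['password_hash'];

    // The value that is expected to be saved in the ezuser table after
    // updating the HashType to md5_user (using the username and not the
    // email address, which caused issue #16328)
    $hashMD5Expected = md5("{$this->username}\n{$this->password}");

    // Verify that the 2 password hashes saved above are the same
    $this->assertEquals($hashMD5Expected, $passwordHashMD5User);

    // Verify that the user can still login with username
    $userClass = eZUserLoginHandler::instance('standard');
    $user = $userClass->loginUser($this->username, $this->password);

    // Verify that the username and password were accepted
    if (!$user instanceof eZUser) {
        $this->fail("User {$this->username} is not in database.");
    }
}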
/**
 * Drives the multi-step login flow through the configured login handlers.
 *
 * The current step is kept in the session under self::STEP and advanced on
 * each call; after finishing a step the method calls itself again. The
 * handler list is read from UserSettings/LoginHandler in site.ini and
 * defaults to array('standard'). A pending FORCE_LOGIN session flag skips
 * the pre-check step.
 *
 * @param array $siteBasics passed by reference to each handler's checkUser()
 * @param mixed $url        passed by reference to each handler's checkUser()
 * @return mixed null when the flow has nothing more for the caller to do
 *               (a handler's checkUser() returned null, or loginUser()
 *               produced a user), otherwise a redirect/result array such as
 *               array('module' => 'user', 'function' => 'login')
 */
static function checkUser(&$siteBasics, &$url)
{
    $http = eZHTTPTool::instance();
    if (!$http->hasSessionVariable(self::STEP)) {
        $http->setSessionVariable(self::STEP, self::STEP_PRE_CHECK_USER_INFO);
    }
    // Bound by reference: assigning $loginStep below writes the stored step.
    $loginStep =& $http->sessionVariable(self::STEP);
    if ($http->hasSessionVariable(self::FORCE_LOGIN) && $loginStep < self::STEP_PRE_COLLECT_USER_INFO) {
        $loginStep = self::STEP_PRE_COLLECT_USER_INFO;
    }
    switch ($loginStep) {
        case self::STEP_PRE_CHECK_USER_INFO:
            $ini = eZINI::instance();
            $handlerList = array('standard');
            if ($ini->hasVariable('UserSettings', 'LoginHandler')) {
                $handlerList = $ini->variable('UserSettings', 'LoginHandler');
            }
            if ($http->hasSessionVariable(self::LAST_HANDLER_NAME)) {
                $http->removeSessionVariable(self::LAST_HANDLER_NAME);
            }
            foreach ($handlerList as $handler) {
                $userObject = eZUserLoginHandler::instance($handler);
                if ($userObject) {
                    $check = $userObject->checkUser($siteBasics, $url);
                    // A null from a handler ends the whole flow right here.
                    if ($check === null) {
                        eZUserLoginHandler::sessionCleanup();
                        return null;
                    }
                    // Remember the last handler and its redirect for the next step;
                    // later handlers in the list overwrite earlier ones.
                    $http->setSessionVariable(self::LAST_CHECK_REDIRECT, $check);
                    $http->setSessionVariable(self::LAST_HANDLER_NAME, $handler);
                }
            }
            $http->setSessionVariable(self::STEP, self::STEP_PRE_COLLECT_USER_INFO);
            return eZUserLoginHandler::checkUser($siteBasics, $url);
            break; // unreachable after return
        case self::STEP_PRE_COLLECT_USER_INFO:
            $http->setSessionVariable(self::STEP, self::STEP_POST_COLLECT_USER_INFO);
            $handler = null;
            if ($http->hasSessionVariable(self::LAST_HANDLER_NAME)) {
                $handlerName = $http->sessionVariable(self::LAST_HANDLER_NAME);
                $handler = eZUserLoginHandler::instance($handlerName);
            }
            if ($handler) {
                return $handler->preCollectUserInfo();
            } else {
                // No handler recorded: fall back to the redirect stored in the
                // pre-check step, or to the user/login module when none is set.
                $redirect =& $http->sessionVariable(self::LAST_CHECK_REDIRECT);
                if (!$redirect) {
                    $redirect = array('module' => 'user', 'function' => 'login');
                }
                return $redirect;
            }
            break; // unreachable after return
        case self::STEP_POST_COLLECT_USER_INFO:
            $http->setSessionVariable(self::STEP, self::STEP_LOGIN_USER);
            $handler = null;
            if ($http->hasSessionVariable(self::LAST_HANDLER_NAME)) {
                $handlerName = $http->sessionVariable(self::LAST_HANDLER_NAME);
                $handler = eZUserLoginHandler::instance($handlerName);
            }
            if ($handler) {
                // Use specified login handler to handle Login info input.
                // On failure the session is cleaned and the request ends with a
                // redirect to '/' instead of continuing to the login step.
                if (!$handler->postCollectUserInfo()) {
                    eZUserLoginHandler::sessionCleanup();
                    eZHTTPTool::redirect('/');
                    eZExecution::cleanExit();
                }
            }
            return eZUserLoginHandler::checkUser($siteBasics, $url);
            break; // unreachable after return
        case self::STEP_LOGIN_USER:
            $ini = eZINI::instance();
            $handlerList = array('standard');
            if ($ini->hasVariable('UserSettings', 'LoginHandler')) {
                $handlerList = $ini->variable('UserSettings', 'LoginHandler');
            }
            // Credentials collected in the previous step are read from the session
            // and the entry is removed immediately, so the password does not stay
            // in the session past this request.
            // NOTE(review): $userInfoArray is bound by reference before the entry is
            // removed; this relies on removal unsetting the entry rather than
            // overwriting it — confirm in eZHTTPTool::removeSessionVariable().
            $userInfoArray =& $http->sessionVariable(self::USER_INFO);
            $http->removeSessionVariable(self::USER_INFO);
            if ($http->hasSessionVariable(self::FORCE_LOGIN)) {
                $http->removeSessionVariable(self::FORCE_LOGIN);
            }
            $user = null;
            // Truthiness check: a login or password of '0' is treated as missing.
            if (is_array($userInfoArray) and $userInfoArray['login'] and $userInfoArray['password']) {
                foreach ($handlerList as $handler) {
                    $userObject = eZUserLoginHandler::instance($handler);
                    if ($userObject) {
                        $user = $userObject->loginUser($userInfoArray['login'], $userInfoArray['password']);
                        // NOTE(review): is_subclass_of() is false for an object whose class
                        // is exactly eZUser; other callers of loginUser() in this codebase
                        // test `instanceof eZUser` — confirm the handlers return a subclass.
                        if (is_subclass_of($user, 'eZUser')) {
                            eZUserLoginHandler::sessionCleanup();
                            return null;
                        } else {
                            // An array result is a redirect/result passed straight to the caller.
                            if (is_array($user)) {
                                eZUserLoginHandler::sessionCleanup();
                                return $user;
                            }
                        }
                    }
                }
            }
            // No handler accepted the credentials: restart from the pre-check step.
            $http->setSessionVariable(self::STEP, self::STEP_PRE_CHECK_USER_INFO);
            return eZUserLoginHandler::checkUser($siteBasics, $url);
            break; // unreachable after return
    }
}
if ($userLogin != '') { if ($http->hasSessionVariable("RedirectAfterLogin", false)) { $http->removeSessionVariable('RedirectAfterLogin'); } if ($ini->hasVariable('UserSettings', 'LoginHandler')) { $loginHandlers = $ini->variable('UserSettings', 'LoginHandler'); } else { $loginHandlers = array('standard'); } $hasAccessToSite = true; if ($http->hasPostVariable('Cookie') && $ini->hasVariable('Session', 'RememberMeTimeout') && ($rememberMeTimeout = $ini->variable('Session', 'RememberMeTimeout'))) { eZSession::setCookieParams($rememberMeTimeout); } foreach (array_keys($loginHandlers) as $key) { $loginHandler = $loginHandlers[$key]; $userClass = eZUserLoginHandler::instance($loginHandler); if (!is_object($userClass)) { continue; } $user = $userClass->loginUser($userLogin, $userPassword); if ($user instanceof eZUser) { $hasAccessToSite = $user->canLoginToSiteAccess($GLOBALS['eZCurrentAccess']); if (!$hasAccessToSite) { $user->logoutCurrent(); $user = null; $siteAccessName = $GLOBALS['eZCurrentAccess']['name']; $siteAccessAllowed = false; } break; } }
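/**
 * Logs in with $username and $password through the 'standard' login handler
 * and returns the ID of the resulting current user.
 *
 * @param string $username
 * @param string $password
 * @return int|false the contentobject_id of the logged-in user, or false when
 *                   the credentials are rejected
 */
public function loginEZPUser($username, $password)
{
    $handler = eZUserLoginHandler::instance('standard');
    // Use the credentials the caller supplied; the previous version ignored
    // both parameters and always logged in one hard-coded account.
    $user = $handler->loginUser($username, $password);
    if (!$user instanceof eZUser) {
        return false;
    }

    // As in the original flow, the ID is read from the current user rather
    // than from the object returned by loginUser().
    $current = eZUser::currentUser();
    return $current->attribute("contentobject_id");
}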