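public function index() {
		// Test-only endpoint: echoes every request parameter back as XML so a
		// test can inspect exactly what the framework handed this controller.
		ContentNegotiator::disable();
		BasicAuth::disable();

		// Keys and values come straight from the client. They are escaped before
		// being interpolated into attribute/element content; otherwise a value
		// such as `</get_item><injected/>` would corrupt the document (and a
		// test reading it would parse attacker-shaped XML). Array values are not
		// expanded and render as "Array", matching the previous output.
		$item = function($tag, $key, $value) {
			$name = htmlspecialchars((string) $key, ENT_QUOTES, 'UTF-8');
			$text = is_array($value) ? 'Array' : htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
			return "\t\t<$tag name=\"$name\">$text</$tag>\n";
		};

		$request_count = count($_REQUEST);
		$get_count = count($_GET);
		$post_count = count($_POST);

		$request = '';
		foreach ($_REQUEST as $key => $value) {
			$request .= $item('request_item', $key, $value);
		}
		$get = '';
		foreach ($_GET as $key => $value) {
			$get .= $item('get_item', $key, $value);
		}
		$post = '';
		foreach ($_POST as $key => $value) {
			$post .= $item('post_item', $key, $value);
		}
		$out = <<<XML
<?xml version="1.0"?>
<test>
	<request count="$request_count">
$request	</request>
	<get count="$get_count">
$get	</get>
	<post count="$post_count">
$post	</post>
</test>
XML;
		header('Content-type: text/xml');
		echo $out;
	}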
 /**
  * Runs before any controller action. Applies the site-wide basic-auth gate
  * when this controller has it enabled, then records that the base init ran.
  *
  * @uses BasicAuth::protect_site_if_necessary()
  */
 public function init()
 {
     if ($this->basicAuthEnabled) {
         BasicAuth::protect_site_if_necessary();
     }
     // Subclasses that forget to call parent::init() leave this unset; the
     // test suite checks the flag to catch that common mistake.
     $this->baseInitCalled = true;
 }
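 /**
  * Record a piece of info on the object, except for the password field,
  * which is deliberately never passed up to the parent (and so never stored
  * or reported with the rest of the info).
  *
  * @param string $key
  * @param mixed $val
  * @return static fluent
  */
 function addInfo($key, $val = null)
 {
     // Strict comparison: with loose ==, a non-string key (e.g. integer 0 on
     // PHP < 8) compares equal to 'password' and would be silently dropped.
     if ($key === 'password') {
         return $this;
     }
     return parent::addInfo($key, $val);
 }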
 /**
  * One-off fixture setup: switch off the Restrictable extension and the
  * site-wide basic-auth gate so every test starts from an open site.
  */
 public function setUpOnce()
 {
     parent::setUpOnce();
     Restrictable::set_enabled(false);
     BasicAuth::protect_entire_site(false);
     // Disabling the extension is a workaround for a SilverStripe bug; the
     // direct registration that would otherwise be used is kept for reference:
     //   include_once dirname(dirname(__FILE__)).'/extensions/Restrictable.php';
     //   Object::add_extension('PrivateObject', 'Restrictable');
 }
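 /**
  * Page hook: validate the basic-auth login and either redirect to the
  * login page or render the welcome text for the authenticated login.
  *
  * Note that redirect() is followed by an explicit return so nothing else
  * in this method runs for an unauthenticated visitor.
  */
 public function pageLoad()
 {
     $login = BasicAuth::validate();
     // empty() already covers the unset/null case, so the former
     // `|| !isset($login)` was redundant.
     if (empty($login)) {
         $this->redirect('login');
         return;
     }
     $this->content['custom_html'] = Lang::get('WELCOME', $login);
 }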
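 /**
  * Establish the forum user for this API request.
  *
  * Resolves the caller via BasicAuth::getCurrentUser() (the literal id
  * 'guest' means anonymous), applies the IP-ban check for non-guests, then
  * either resumes a cached pl_api_session row (refreshing its expiry) or
  * performs a full Forum::setUser() login and inserts/updates the session
  * row. Every failure path goes through $this->controller->error(); the
  * code assumes that call terminates the request — confirm, because the
  * `false === $id` branch otherwise continues with $id === false.
  */
 public function initLogin()
 {
     App::import('vendor', array('db', 'api.basic_auth'));
     $id = BasicAuth::getCurrentUser();
     if (false === $id) {
         $this->controller->error(ECode::$LOGIN_ERROR);
     }
     $this->isLogin = $id !== 'guest';
     if ('guest' !== $id) {
         $ret = Forum::checkBanIP($id, $this->from);
         switch ($ret) {
             case 1:
                 $this->controller->error(ECode::$LOGIN_IPBAN);
                 break;
             case 2:
                 $this->controller->error(ECode::$LOGIN_EPOS);
                 break;
             case 3:
                 $this->controller->error(ECode::$LOGIN_ERROR);
                 break;
         }
     }
     $db = DB::getInstance();
     // Fast path: a cached session for this id that Forum::initUser() still accepts.
     if ($u = $db->one('select id, utmpnum, utmpkey from pl_api_session where id=?', array($id))) {
         if (Forum::initUser($u['id'], intval($u['utmpnum']), intval($u['utmpkey']))) {
             $val = array('expire' => time() + $this->_expire);
             $db->update('pl_api_session', $val, 'where id=?', array($u['id']));
             return;
         }
     }
     // Slow path: full login. Each case now breaks, matching the ban-check
     // switch above; previously the cases fell through, so if error() ever
     // returned, every later error code would have been reported as well.
     $ret = Forum::setUser(true);
     switch ($ret) {
         case -1:
             $this->controller->error(ECode::$LOGIN_MULLOGIN);
             break;
         case 1:
             $this->controller->error(ECode::$LOGIN_MAX);
             break;
         case 3:
             $this->controller->error(ECode::$LOGIN_IDBAN);
             break;
         case 4:
             $this->controller->error(ECode::$LOGIN_IPBAN);
             break;
         case 5:
             $this->controller->error(ECode::$LOGIN_FREQUENT);
             break;
         case 7:
             $this->controller->error(ECode::$LOGIN_NOPOS);
             break;
     }
     User::update();
     $user = User::getInstance();
     if ($u) {
         // A stale row exists for this id: refresh its utmp slot/key and expiry.
         $val = array('utmpnum' => $user->index, 'utmpkey' => $user->utmpkey, 'expire' => time() + $this->_expire);
         $db->update('pl_api_session', $val, 'where id=?', array($user->userid));
     } else {
         // First login for this id: create the session row.
         $val = array('k' => array('id', 'utmpnum', 'utmpkey', 'expire'), 'v' => array(array($user->userid, $user->index, $user->utmpkey, time() + $this->_expire)));
         $db->insert('pl_api_session', $val);
     }
 }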
 /**
  * Attempt an HTTP basic-auth login using the realm and permission code from
  * the HttpAuth config. While tests are running (or when
  * HttpAuth.TryUsingSessionLogin is set) an existing session login is
  * accepted as well.
  *
  * @return \Member|null The authenticated member, or null when requireLogin() throws
  */
 protected static function getBasicAuthMember()
 {
     $config = \Config::inst();
     $realm = $config->get('HttpAuth', 'Realm');
     $code = $config->get('HttpAuth', 'PermissionCode');
     $runningTests = class_exists('SapphireTest', false) && \SapphireTest::is_running_test();
     $useSessionLogin = $runningTests || $config->get('HttpAuth', 'TryUsingSessionLogin');
     try {
         return \BasicAuth::requireLogin($realm, $code, $useSessionLogin);
     } catch (\Exception $ex) {
         // Any failure (bad credentials, missing permission) is reported as "no member".
         return null;
     }
 }
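	/**
	 * Initialisation function that is run before any action on the controller is called.
	 * Applies the site-wide basic-auth gate when enabled, then (for a logged-in
	 * member) sets the "PastMember" cookie and stamps Member.LastVisited.
	 * 
	 * @uses BasicAuth::protect_site_if_necessary()
	 */
	function init() {
		if($this->basicAuthEnabled) BasicAuth::protect_site_if_necessary();

		// Directly access the session variable just in case the Group or Member tables don't yet exist
		if(Session::get('loggedInAs') && Security::database_is_ready()) {
			$member = Member::currentUser();
			if($member) {
				// Cookie::set(name, value, expiry days, path, domain, secure, httpOnly)
				if(!headers_sent()) Cookie::set("PastMember", true, 90, null, null, false, true);
				// The ID is interpolated into raw SQL (DB::query takes no bind
				// parameters here); cast it so only an integer can ever reach the query.
				DB::query("UPDATE \"Member\" SET \"LastVisited\" = " . DB::getConn()->now() . " WHERE \"ID\" = " . (int) $member->ID, null);
			}
		}
		
		// This is used to test that subordinate controllers are actually calling parent::init() - a common bug
		$this->baseInitCalled = true;
	}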
 /**
  * Initialisation function that is run before any action on the controller
  * is called. Applies the site-wide basic-auth gate when enabled and, if the
  * deprecated Member.log_last_visited setting is on, stamps LastVisited for
  * the logged-in member.
  *
  * @uses BasicAuth::protect_site_if_necessary()
  */
 public function init()
 {
     if ($this->basicAuthEnabled) {
         BasicAuth::protect_site_if_necessary();
     }
     if (Member::config()->log_last_visited) {
         Deprecation::notice('4.0', 'Member::$LastVisited is deprecated. From 4.0 onwards you should implement this as a custom extension');
         // The session key is read directly in case the Group/Member tables do not exist yet.
         $canLookup = Session::get('loggedInAs') && Security::database_is_ready();
         $member = $canLookup ? Member::currentUser() : null;
         if ($member) {
             $sql = sprintf('UPDATE "Member" SET "LastVisited" = %s WHERE "ID" = ?', DB::get_conn()->now());
             DB::prepared_query($sql, array($member->ID));
         }
     }
     // Subclasses that forget parent::init() leave this unset; tests check it.
     $this->baseInitCalled = true;
 }
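 /**
  * Gate the request behind HTTP basic auth with a single shared password.
  *
  * Without an Authorization header a 401 challenge is sent; with one, the
  * supplied password is compared against the configured one. Either failure
  * prints 'Not authorised.' and exits, so the constructor only returns for
  * an authenticated request. The username is not checked.
  *
  * @param string $pasword The expected password (parameter name kept as-is for callers)
  */
 function __construct($pasword)
 {
     self::$password = $pasword;
     if (!isset($_SERVER['PHP_AUTH_USER'])) {
         header('WWW-Authenticate: Basic realm="This is a password protected area, please submit your password to enter."');
         header('HTTP/1.0 401 Unauthorized');
         echo 'Not authorised.';
         exit;
     }
     // A missing password header is treated as a mismatch rather than a notice.
     $supplied = isset($_SERVER['PHP_AUTH_PW']) ? (string) $_SERVER['PHP_AUTH_PW'] : '';
     // hash_equals() replaces the former loose `!=`: loose comparison treats
     // numeric-looking strings as numbers (e.g. "0e1" == "0e2"), and a plain
     // string compare leaks timing information.
     if (!hash_equals((string) self::$password, $supplied)) {
         echo 'Not authorised.';
         exit;
     }
 }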
 /**
  * Per-test setup: a fresh browsing session, the optional theme/draft-site
  * switches, and the site-wide basic-auth gate and CSRF tokens turned off
  * (tests re-enable them individually where needed).
  */
 function setUp()
 {
     parent::setUp();
     $this->mainSession = new TestSession();
     if ($this->stat('disable_themes')) {
         SSViewer::set_theme(null);
     }
     if ($this->stat('use_draft_site')) {
         $this->useDraftSite();
     }
     // Tests assume an unprotected site and no CSRF token checks.
     BasicAuth::protect_entire_site(false);
     SecurityToken::disable();
 }
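 /**
  * If not logged in attempt HTTP auth and check permission, otherwise check
  * the logged-in member's permission.
  *
  * A successful basic-auth login is converted into a regular session login.
  * On failure the "failed" response is written out and an exception thrown.
  *
  * @throws PermissionFailureException
  * @return ReplicantAction this
  */
 public function checkPerm()
 {
     // Initialised up front: previously $res was undefined (a notice, and a
     // falsy value by accident) when requireLogin() returned nothing.
     $res = false;
     if (!($member = Member::currentUserID())) {
         if ($member = BasicAuth::requireLogin("Replicant", static::$required_permission, true)) {
             $member->logIn();
             $res = true;
         }
     } else {
         $res = Permission::check(static::$required_permission);
     }
     if (!$res) {
         $this->failed("Permission Failure: " . static::$required_permission)->output();
         throw new PermissionFailureException("Not allowed to " . static::$required_permission);
     }
     return $this;
 }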
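	/**
	 * Initialisation function that is run before any action on the controller is called.
	 * On test sites (Director::isTest()) with basic auth enabled and a ready
	 * database, an ADMIN basic-auth login is demanded; for a logged-in member
	 * the "PastMember" cookie is set and Member.LastVisited is stamped.
	 * 
	 * @uses BasicAuth::requireLogin()
	 */
	function init() {
		// Test and development sites should be secured, via basic-auth
		if(Director::isTest() && $this->basicAuthEnabled && Security::database_is_ready()) {
			BasicAuth::requireLogin("SilverStripe test website.  Use your  CMS login", "ADMIN");
		}		

		// Directly access the session variable just in case the Group or Member tables don't yet exist
		if(Session::get('loggedInAs') && Security::database_is_ready()) {
			if($member = Member::currentUser()) {
				Cookie::set("PastMember", true);
				// The ID is interpolated into raw SQL (DB::query takes no bind
				// parameters here); cast it so only an integer can reach the query.
				DB::query("UPDATE Member SET LastVisited = NOW() WHERE ID = " . (int) $member->ID, null);
			}
		}
		
		// This is used to test that subordinate controllers are actually calling parent::init() - a common bug
		$this->baseInitCalled = true;
	}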
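 /**
  * Initialisation function that is run before any action on the controller is called.
  * Applies the site-wide basic-auth gate when enabled and, for a logged-in
  * member, sets the "PastMember" cookie and stamps Member.LastVisited.
  * 
  * @uses BasicAuth::protect_site_if_necessary()
  */
 function init()
 {
     if ($this->basicAuthEnabled) {
         BasicAuth::protect_site_if_necessary();
     }
     // Directly access the session variable just in case the Group or Member tables don't yet exist
     if (Session::get('loggedInAs') && Security::database_is_ready()) {
         if ($member = Member::currentUser()) {
             if (!headers_sent()) {
                 Cookie::set("PastMember", true);
             }
             // The ID is interpolated into raw SQL (DB::query takes no bind
             // parameters here); cast it so only an integer can reach the query.
             DB::query("UPDATE Member SET LastVisited = NOW() WHERE ID = " . (int) $member->ID, null);
         }
     }
     // This is used to test that subordinate controllers are actually calling parent::init() - a common bug
     $this->baseInitCalled = true;
 }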
 /**
  * Per-test setup. The FunctionalTest base class itself is marked as
  * skipped (only subclasses are real tests); then a fresh browsing session
  * is created, the theme/draft-site switches applied, and the site-wide
  * basic-auth gate and CSRF tokens turned off (tests re-enable them
  * individually where needed).
  */
 public function setUp()
 {
     if (get_class($this) == "FunctionalTest") {
         $this->skipTest = true;
     }
     parent::setUp();
     $this->mainSession = new TestSession();
     if (static::get_disable_themes()) {
         Config::inst()->update('SSViewer', 'theme', null);
     }
     if (static::get_use_draft_site()) {
         $this->useDraftSite();
     }
     // Tests assume an unprotected site and no CSRF token checks.
     BasicAuth::protect_entire_site(false);
     SecurityToken::disable();
 }
    /**
     * Expose recent CMS content changes as an RSS feed for CMS users.
     *
     * Access is gated by an HTTP basic-auth challenge requiring
     * CMS_ACCESS_CMSMain, and each change is additionally filtered through
     * canEdit() for that member. The Data URL param selects either every
     * change ('all', the default) or a single page ('page' plus PageID).
     *
     * NOTE(review): page titles, author names and e-mail addresses are
     * interpolated into the feed's HTML/RSS fields without escaping. They are
     * CMS-editor controlled rather than anonymous input, but escaping them
     * (htmlspecialchars or the framework's XML escaper) would be safer —
     * confirm whether RSSFeed escapes these fields itself.
     *
     * @param object $request Unused; Director::urlParams() is read instead (2.3.0 workaround below)
     * @return string|HTTPResponse Feed output, or a 400 HTTPResponse for a bad PageID
     */
    function index($request)
    {
        // For 2.3 and 2.4 compatibility
        $bt = defined('DB::USE_ANSI_SQL') ? "\"" : "`";
        BasicAuth::enable();
        // Called for its challenge/halt side effect; the member is then re-read below.
        BasicAuth::requireLogin("CMS RSS feed access.  Use your CMS login", "CMS_ACCESS_CMSMain");
        $member = $this->getBasicAuthMember();
        // Due to a bug in 2.3.0 we can't get the information that we need from $request
        $params = Director::urlParams();
        // Default value
        if (!isset($params['Data']) || !$params['Data']) {
            $params['Data'] = 'all';
        }
        switch ($params['Data']) {
            case 'all':
                $changes = $this->changes();
                break;
            case 'page':
                // PageID is cast to int both for the check and the SQL fragment.
                if ((int) $params['PageID']) {
                    $changes = $this->changes("{$bt}SiteTree{$bt}.{$bt}ID{$bt} = " . (int) $params['PageID']);
                } else {
                    return new HTTPResponse("<h1>Bad Page ID</h1><p>Bad page ID when getting RSS feed of changes to a page.</p>", 400);
                }
                break;
            default:
                // Data is set by the URL rule, so an unknown value is a routing error.
                // NOTE(review): the raw param value ends up in the error message — fine
                // if E_USER_ERROR output is never shown to end users; confirm for this deployment.
                user_error("CMSChangeTracker Data param value '{$params['Data']}' not implemented; this is probably due to a bad URL rule.", E_USER_ERROR);
        }
        $processedChanges = new DataObjectSet();
        foreach ($changes as $change) {
            // Only changes this member may edit appear in the feed.
            if ($change->canEdit($member)) {
                $author = DataObject::get_by_id("Member", $change->AuthorID);
                $verbed = $change->Version == 1 ? "created" : "edited";
                if ($author) {
                    $changeTitle = "'{$change->Title}' {$verbed} by {$author->FirstName} {$author->Surname}";
                    $changeAuthor = "{$author->FirstName} {$author->Surname}";
                    $firstParagraph = "{$author->FirstName} {$author->Surname} (<a href=\"mailto:{$author->Email}\">{$author->Email}</a>) has {$verbed} the '{$change->Title}' page.";
                } else {
                    // Author record missing (e.g. deleted member): describe the change without a name.
                    $changeTitle = "'{$change->Title}' {$verbed}";
                    $changeAuthor = "";
                    $firstParagraph = "The '{$change->Title}' page has been {$verbed}.";
                }
                $actionLinks = "";
                $cmsLink = Director::absoluteURL("admin/show/{$change->ID}");
                $actionLinks .= "<li><a href=\"{$cmsLink}\">Edit in CMS</a></li>\n";
                // The live page may no longer exist; only link to it when it does.
                $page = DataObject::get_by_id('SiteTree', $change->ID);
                if ($page) {
                    $link = $page->AbsoluteLink();
                    $actionLinks .= "<li><a href=\"{$link}\">See the page on site</a></li>\n";
                }
                // Version 1 has nothing to diff against.
                if ($change->Version > 1) {
                    $prevVersion = $change->Version - 1;
                    $diffLink = Director::absoluteURL("admin/compareversions/{$change->ID}/?From={$prevVersion}&To={$change->Version}");
                    $actionLinks .= "<li><a href=\"{$diffLink}\">See the changes in CMS</a></li>\n";
                }
                $changeDescription = <<<HTML
<p>{$firstParagraph}</p>

<h3>Actions and links</h3>

<ul>
\t{$actionLinks}
</ul>
HTML;
                $processedChange = new CMSChangeTracker_Change(array("ChangeTitle" => $changeTitle, "Author" => $changeAuthor, "Content" => $changeDescription, "Link" => $change->Link() . "version/{$change->Version}"));
                $processedChanges->push($processedChange);
            }
        }
        $feed = new RSSFeed($processedChanges, Director::absoluteURL("admin/"), "SilverStripe Content Changes", "", "ChangeTitle");
        return $feed->outputToBrowser();
    }
 /**
  * Action handler that clears the basic-auth login state.
  *
  * @param mixed $args Unused; kept for the action-handler signature.
  */
 protected function logout($args)
 {
     BasicAuth::logout();
 }
<?php

// Login handler: looks the submitted login up in the users table, verifies
// the password via the auth module's SSHA check, establishes a session and
// redirects to the site root. Both failure branches are currently empty.
session_start();
/* Aquire neccessary libs */
require_once "external/class.auth.module.core.php";
require_once "external/class.database.mysql.external.php";
/* Declare classes */
$Auth = new BasicAuth();
// $config is expected to be populated by an earlier include — not visible here.
$DB = new Database($config['db_host'], $config['db_user'], $config['db_pass'], $config['db_name']);
$sessionCurrentStatus = false;
/* Handle login request */
if (isset($_POST['login']) and isset($_POST['password'])) {
    $providedName = $_POST['login'];
    $providedPassword = $_POST['password'];
    /* Find if users exists */
    // NOTE(review): $userName is escaped but never used, and the WHERE clause
    // below carries a literal '******' — this looks like a redaction of the
    // original interpolation. Confirm against the real source; if the login is
    // interpolated into the query string, a parameterised query is preferable
    // to escapeData().
    $userName = $DB->escapeData($providedName);
    $userParameters = $DB->getData("users", "WHERE login='******'");
    if (count($userParameters) == 0) {
        /* DO SOMETHING IN THAT CASE */
    } else {
        // Compares the submitted password against the stored SSHA hash.
        $Authenticated = $Auth->AuthOnSSHA($providedPassword, $userParameters[0]['password']);
        if ($Authenticated) {
            $Auth->sessionEstablish($userParameters[0]);
            unset($_POST);
            header("Location: " . $config['system_root']);
            die;
        } else {
            /* DO SOMETHING IN THAT CASE */
        }
    }
}
 /**
  * This function will return true if the site is in a test environment.
  * For information about environment types, see {@link Director::set_environment_type()}.
  *
  * Resolution order: an explicit ?isTest query param (ADMIN basic-auth
  * required once the database is ready), then dev mode (never test), then
  * the configured environment type, then the HTTP_HOST test-server list.
  *
  * @return bool
  */
 static function isTest()
 {
     // Use ?isTest=1 to get test access on the live server, or explicitly set your environment
     if (isset($_GET['isTest'])) {
         if (Security::database_is_ready()) {
             BasicAuth::requireLogin("SilverStripe developer access. Use your CMS login", "ADMIN");
             // Only reached after the ADMIN challenge succeeded; the raw query
             // value is stored (this function itself never reads the session).
             $_SESSION['isTest'] = $_GET['isTest'];
         } else {
             // NOTE(review): with no database there is nothing to authenticate
             // against, so ?isTest flips the site into test mode for anyone.
             // Presumably intended only for first-time setup — worth confirming.
             return true;
         }
     }
     if (self::isDev()) {
         return false;
     }
     if (self::$environment_type) {
         return self::$environment_type == 'test';
     }
     // Check if we are running on one of the test servers
     if (isset($_SERVER['HTTP_HOST']) && in_array($_SERVER['HTTP_HOST'], Director::$test_servers)) {
         return true;
     }
     return false;
 }
    /**
     * Test-only endpoint that deliberately emits malformed XML (the <fail> and
     * <invalid> elements are never closed) so consumers can be exercised
     * against bad input. The site-wide basic-auth gate is switched off first.
     */
    public function invalid()
    {
        BasicAuth::protect_entire_site(false);
        header('Content-type: text/xml');
        echo <<<XML
<?xml version="1.0"?>
<test>
\t<fail><invalid>
</test>
XML;
    }
<?php

// Site _config.php for the documentation viewer: sets project/database names,
// theme, URL rules, and environment-driven database/admin/basic-auth settings.
// The `global` statements matter because this file may be included from
// inside a function; without them the assignments would be local.
global $project;
$project = 'mysite';
global $database;
$database = 'SS_ssnewdocstest';
require_once 'conf/ConfigureFromEnv.php';
MySQLDatabase::set_connection_charset('utf8');
// This line set's the current theme. More themes can be
// downloaded from http://www.silverstripe.org/themes/
SSViewer::set_theme('docs');
// enable nested URLs for this site (e.g. page/sub-page/)
SiteTree::enable_nested_urls();
// render the user documentation first
Director::addRules(20, array('Security//$Action/$ID/$OtherID' => 'Security'));
DocumentationViewer::set_link_base('');
// Documentation pages are readable without any permission check.
DocumentationViewer::$check_permission = false;
Director::addRules(10, array('$Action' => 'DocumentationViewer', '' => '->current/en/cms'));
DocumentationService::set_automatic_registration(false);
DocumentationService::register("cms", realpath("../../master/cms/docs/"), '2.4');
// We want this to be reviewed by the whole community
BasicAuth::protect_entire_site(false);
// NOTE(review): $database is already assigned a non-empty name above, so this
// derive-from-directory block never runs here; it is left in place unchanged.
if (!isset($database) || !$database) {
    // if SS_DATABASE_CHOOSE_NAME
    if (defined('SS_DATABASE_CHOOSE_NAME') && SS_DATABASE_CHOOSE_NAME) {
        // Walk SS_DATABASE_CHOOSE_NAME directories up from the script and use that directory's name.
        $loopCount = (int) SS_DATABASE_CHOOSE_NAME;
        $databaseDir = dirname($_SERVER['SCRIPT_FILENAME']);
        for ($i = 0; $i < $loopCount; $i++) {
            $databaseDir = dirname($databaseDir);
        }
        $database = "SS_" . basename($databaseDir);
        $database = str_replace('.', '', $database);
    }
}
// Database credentials come from _ss_environment.php constants, never from this file.
if (defined('SS_DATABASE_USERNAME') && defined('SS_DATABASE_PASSWORD')) {
    global $databaseConfig;
    $databaseConfig = array("type" => "MySQLDatabase", "server" => defined('SS_DATABASE_SERVER') ? SS_DATABASE_SERVER : 'localhost', "username" => SS_DATABASE_USERNAME, "password" => SS_DATABASE_PASSWORD, "database" => (defined('SS_DATABASE_PREFIX') ? SS_DATABASE_PREFIX : '') . $database . (defined('SS_DATABASE_SUFFIX') ? SS_DATABASE_SUFFIX : ''));
}
if (defined('SS_SEND_ALL_EMAILS_TO')) {
    Email::send_all_emails_to(SS_SEND_ALL_EMAILS_TO);
}
// A default admin username without a password is a hard configuration error.
if (defined('SS_DEFAULT_ADMIN_USERNAME')) {
    if (!defined('SS_DEFAULT_ADMIN_PASSWORD')) {
        user_error("SS_DEFAULT_ADMIN_PASSWORD must be defined in your _ss_environment.php, if SS_DEFAULT_ADMIN_USERNAME is defined.  See http://doc.silverstripe.com/doku.php?id=environment-management for more infomration", E_USER_ERROR);
    }
    Security::setDefaultAdmin(SS_DEFAULT_ADMIN_USERNAME, SS_DEFAULT_ADMIN_PASSWORD);
}
// Note this runs after the protect_entire_site(false) above, so the
// environment constant can re-enable site-wide basic auth.
if (defined('SS_USE_BASIC_AUTH') && SS_USE_BASIC_AUTH) {
    BasicAuth::protect_entire_site();
}
if (defined('SS_ERROR_LOG')) {
    Debug::log_errors_to(SS_ERROR_LOG);
}
 /**
  * Require an HTTP basic-auth login for every request handled by this
  * controller before running the parent's initialisation. The null
  * permission code means any valid login is accepted.
  */
 public function init()
 {
     BasicAuth::protect_entire_site(true, null);
     parent::init();
 }
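 /**
  * Action that forces an HTTP basic-auth challenge requiring the ADMIN
  * permission and, on success, turns it into a regular session login for
  * that member.
  */
 function basicauthlogin()
 {
     $member = BasicAuth::requireLogin("SilverStripe login", 'ADMIN');
     // requireLogin() is expected to halt the request on failure; guard anyway
     // so a falsy return can never become a fatal method call on null.
     if ($member) {
         $member->LogIn();
     }
 }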
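 /**
  * Enable protection of the entire site with basic authentication.
  * 
  * This log-in uses the Member database for authentication, but doesn't interfere with the
  * regular log-in form. This can be useful for test sites, where you want to hide the site
  * away from prying eyes, but still be able to test the regular log-in features of the site.
  * 
  * If you are including conf/ConfigureFromEnv.php in your _config.php file, you can also enable
  * this feature by adding this line to your _ss_environment.php:
  * 
  * define('SS_USE_BASIC_AUTH', true);
  * 
  * @param boolean $protect Set this to false to disable protection.
  * @param String $code {@link Permission} code that is required from the user.
  *  Defaults to "ADMIN". Set to NULL to just require a valid login, regardless
  *  of the permission codes a user has.
  * @param String $message Optional text for the basic-auth challenge. Only a
  *  non-empty value replaces the current message; passing nothing (or an
  *  empty string) leaves the previously configured message in place.
  */
 static function protect_entire_site($protect = true, $code = 'ADMIN', $message = null)
 {
     self::$entire_site_protected = $protect;
     self::$entire_site_protected_code = $code;
     if ($message) {
         self::$entire_site_protected_message = $message;
     }
 }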
 /**
  * Default action; not used by the application. Switches basic auth off and
  * returns the literal string "failed".
  *
  * @return string
  */
 function index()
 {
     BasicAuth::disable();
     return "failed";
 }
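 /**
  * Initialisation function that is run before any action on the controller is called.
  * On test sites with basic auth enabled an ADMIN login is demanded (only once
  * the Group/Member tables exist); every visitor gets the "PastVisitor" cookie
  * and a logged-in member additionally gets "PastMember" and a LastVisited stamp.
  */
 function init()
 {
     // Test and development sites should be secured, via basic-auth
     if (ClassInfo::hasTable("Group") && ClassInfo::hasTable("Member") && Director::isTest() && $this->basicAuthEnabled) {
         BasicAuth::requireLogin("SilverStripe test website.  Use your  CMS login", "ADMIN");
     }
     //
     Cookie::set("PastVisitor", true);
     // ClassInfo::hasTable() called to ensure that we're not in a very-first-setup stage
     if (ClassInfo::hasTable("Group") && ClassInfo::hasTable("Member") && ($member = Member::currentUser())) {
         Cookie::set("PastMember", true);
         // The ID is interpolated into raw SQL (DB::query takes no bind
         // parameters here); cast it so only an integer can reach the query.
         DB::query("UPDATE Member SET LastVisited = NOW() WHERE ID = " . (int) $member->ID, null);
     }
     // This is used to test that subordinate controllers are actually calling parent::init() - a common bug
     $this->baseInitCalled = true;
 }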
 /**
  * Build an Auth instance from its XML representation.
  *
  * Child objects (authKeyAuth, basicAuth, ipWhiteListAuth, wsseAuth, type,
  * tdr) are delegated to their own fromXML() factories. <properties> become
  * a name-keyed map sorted by key; <headerTransformations> become a list.
  *
  * @static
  * @param SimpleXMLElement $xml
  * @return Auth
  */
 public static function fromXML(SimpleXMLElement $xml)
 {
     $auth = new Auth();
     $auth->id = (string) $xml->id;
     $auth->apiContext = (string) $xml->apiContext['id'];
     $auth->authKeyAuth = AuthKeyAuth::fromXML($xml->authKeyAuth);
     $auth->basicAuth = BasicAuth::fromXML($xml->basicAuth);
     $auth->ipWhiteListAuth = IpWhiteListAuth::fromXML($xml->ipWhiteListAuth);
     $auth->wsseAuth = WSSEAuth::fromXML($xml->wsseAuth);
     $auth->policyContext = (string) $xml->policyContext['id'];
     $auth->status = current($xml->status);
     $auth->type = AuthType::fromXML($xml->type);
     $auth->tdrData = TdrData::fromXML($xml->tdr);

     // A missing <properties> element is falsy when cast, so both checks are needed.
     $propertiesNode = $xml->properties;
     if ($propertiesNode && $propertiesNode->property) {
         foreach ($propertiesNode->property as $propertyNode) {
             $auth->properties[(string) $propertyNode['name']] = (string) $propertyNode;
         }
     }
     if (!empty($auth->properties)) {
         ksort($auth->properties);
     }

     $transformationsNode = $xml->headerTransformations;
     if ($transformationsNode && $transformationsNode->headerTransformation) {
         foreach ($transformationsNode->headerTransformation as $transformationNode) {
             $auth->headerTransformations[] = HeaderTransformation::fromXML($transformationNode);
         }
     }
     return $auth;
 }
 /**
  * Switch off the site-wide basic-auth gate for this controller before the
  * parent's initialisation runs.
  */
 public function init()
 {
     BasicAuth::protect_entire_site(false);
     parent::init();
 }
 /**
  * Get, and optionally set, the message shown with basic-auth challenges.
  *
  * Passing null (the default) leaves the stored message untouched; any other
  * value, including an empty string, replaces it.
  *
  * @param String $message the message to display (optional)
  * @return String the currently defined message
  */
 public static function message($message = NULL)
 {
     if ($message !== null) {
         self::$message = $message;
     }
     return self::$message;
 }