public function runAddUser(TBGRequest $request)
{
try {
if (!TBGContext::getScope()->hasUsersAvailable()) {
throw new Exception(TBGContext::getI18n()->__('This instance of The Bug Genie cannot add more users'));
}
if ($username = $request->getParameter('username')) {
$user = new TBGUser();
$user->setUsername($username);
$user->setRealname($username);
$user->setBuddyname($username);
$user->setEnabled();
$user->setActivated();
$user->setPassword(TBGUser::hashPassword(TBGUser::createPassword()));
$user->setJoined();
$user->save();
} else {
throw new Exception(TBGContext::getI18n()->__('Please enter a username'));
}
$this->getResponse()->setTemplate('configuration/findusers');
$this->too_short = false;
$this->created_user = true;
$this->users = array($user);
$this->total_results = 1;
$this->title = TBGContext::getI18n()->__('User %username% created', array('%username%' => $username));
$this->total_count = TBGUser::getUsersCount();
$this->more_available = TBGContext::getScope()->hasUsersAvailable();
} catch (Exception $e) {
$this->getResponse()->setHttpStatus(400);
return $this->renderJSON(array('failed' => true, 'error' => $e->getMessage()));
}
}
public function runAddUser(TBGRequest $request)
{
try {
if (!TBGContext::getScope()->hasUsersAvailable()) {
throw new Exception($this->getI18n()->__('This instance of The Bug Genie cannot add more users'));
}
if ($username = trim($request['username'])) {
if (!TBGUser::isUsernameAvailable($username)) {
if ($request->getParameter('mode') == 'import') {
$user = TBGUser::getByUsername($username);
$user->addScope(TBGContext::getScope());
return $this->renderJSON(array('imported' => true, 'message' => $this->getI18n()->__('The user was successfully added to this scope (pending user confirmation)')));
} elseif (TBGContext::getScope()->isDefault()) {
throw new Exception($this->getI18n()->__('This username already exists'));
} else {
$this->getResponse()->setHttpStatus(400);
return $this->renderJSON(array('allow_import' => true));
}
}
$user = new TBGUser();
$user->setUsername($username);
$user->setRealname($request->getParameter('realname', $username));
$user->setBuddyname($request->getParameter('buddyname', $username));
$user->setEmail($request->getParameter('email'));
$user->setGroup(TBGGroupsTable::getTable()->selectById((int) $request->getParameter('group_id', TBGSettings::get(TBGSettings::SETTING_USER_GROUP))));
$user->setEnabled();
$user->setActivated();
if ($request->hasParameter('password') && !(empty($request['password']) && empty($request['password_repeat']))) {
if (empty($request['password']) || $request['password'] != $request['password_repeat']) {
throw new Exception($this->getI18n()->__('Please enter the same password twice'));
}
$password = $request['password'];
$user->setPassword($password);
} else {
$password = TBGUser::createPassword();
$user->setPassword($password);
}
$user->setJoined();
$user->save();
foreach ((array) $request['teams'] as $team_id) {
$user->addToTeam(TBGTeamsTable::getTable()->selectById((int) $team_id));
}
TBGEvent::createNew('core', 'config.createuser.save', $user, array('password' => $password))->trigger();
} else {
throw new Exception($this->getI18n()->__('Please enter a username'));
}
$this->getResponse()->setTemplate('configuration/findusers');
$this->too_short = false;
$this->created_user = true;
$this->users = array($user);
$this->total_results = 1;
$this->title = $this->getI18n()->__('User %username created', array('%username' => $username));
$this->total_count = TBGUser::getUsersCount();
$this->more_available = TBGContext::getScope()->hasUsersAvailable();
} catch (Exception $e) {
$this->getResponse()->setHttpStatus(400);
return $this->renderJSON(array('error' => $e->getMessage()));
}
}
/**
* Load user fixtures for a specified scope
*
* @param TBGScope $scope
* @param TBGGroup $admin_group
* @param TBGGroup $user_group
* @param TBGGroup $guest_group
*/
public static function loadFixtures(TBGScope $scope, TBGGroup $admin_group, TBGGroup $user_group, TBGGroup $guest_group)
{
$adminuser = new TBGUser();
$adminuser->setUsername('administrator');
$adminuser->setRealname('Administrator');
$adminuser->setBuddyname('Admin');
$adminuser->setGroup($admin_group);
$adminuser->setPassword('admin');
$adminuser->setActivated();
$adminuser->setEnabled();
$adminuser->setAvatar('admin');
$adminuser->save();
$guestuser = new TBGUser();
$guestuser->setUsername('guest');
$guestuser->setRealname('Guest user');
$guestuser->setBuddyname('Guest user');
$guestuser->setGroup($guest_group);
$guestuser->setPassword('password');
// Settings not active yet
$guestuser->setActivated();
$guestuser->setEnabled();
$guestuser->save();
TBGSettings::saveSetting('defaultuserid', $guestuser->getID(), 'core', $scope->getID());
return array($guestuser->getID(), $adminuser->getID());
}
/**
* Import all valid users
*
* @param TBGRequest $request
*/
public function runImportUsers(TBGRequest $request)
{
$validgroups = TBGContext::getModule('auth_ldap')->getSetting('groups');
$base_dn = TBGContext::getModule('auth_ldap')->getSetting('b_dn');
$dn_attr = TBGContext::getModule('auth_ldap')->getSetting('dn_attr');
$username_attr = TBGContext::getModule('auth_ldap')->getSetting('u_attr');
$fullname_attr = TBGContext::getModule('auth_ldap')->getSetting('f_attr');
$buddyname_attr = TBGContext::getModule('auth_ldap')->getSetting('b_attr');
$email_attr = TBGContext::getModule('auth_ldap')->getSetting('e_attr');
$groups_members_attr = TBGContext::getModule('auth_ldap')->getSetting('g_attr');
$user_class = TBGContext::getModule('auth_ldap')->getSetting('u_type');
$group_class = TBGContext::getModule('auth_ldap')->getSetting('g_type');
$users = array();
$importcount = 0;
$updatecount = 0;
try {
/*
* Connect and bind to the control user
*/
$connection = TBGContext::getModule('auth_ldap')->connect();
TBGContext::getModule('auth_ldap')->bind($connection, TBGContext::getModule('auth_ldap')->getSetting('control_user'), TBGContext::getModule('auth_ldap')->getSetting('control_pass'));
/*
* Get a list of all users of a certain objectClass
*/
$fields = array($fullname_attr, $buddyname_attr, $username_attr, $email_attr, 'cn', $dn_attr);
$filter = '(objectClass=' . TBGLDAPAuthentication::getModule()->escape($user_class) . ')';
$results = ldap_search($connection, $base_dn, $filter, $fields);
if (!$results) {
TBGLogging::log('failed to search for users: ' . ldap_error($connection), 'ldap', TBGLogging::LEVEL_FATAL);
throw new Exception(TBGContext::geti18n()->__('Search failed: ') . ldap_error($connection));
}
$data = ldap_get_entries($connection, $results);
/*
* For every user that exists, process it.
*/
for ($i = 0; $i != $data['count']; $i++) {
$user_dn = $data[$i][strtolower($dn_attr)][0];
/*
* If groups are specified, perform group restriction tests
*/
if ($validgroups != '') {
/*
* We will repeat this for every group, but groups are supplied as a comma-separated list
*/
if (strstr($validgroups, ',')) {
$groups = explode(',', $validgroups);
} else {
$groups = array();
$groups[] = $validgroups;
}
// Assumed we are initially banned
$allowed = false;
foreach ($groups as $group) {
// No need to carry on looking if we have access
if ($allowed == true) {
continue;
}
/*
* Find the group we are looking for, we search the entire directory
* We want to find 1 group, if we don't get 1, silently ignore this group.
*/
$fields2 = array($groups_members_attr);
$filter2 = '(&(cn=' . TBGLDAPAuthentication::getModule()->escape($group) . ')(objectClass=' . TBGLDAPAuthentication::getModule()->escape($group_class) . '))';
$results2 = ldap_search($connection, $base_dn, $filter2, $fields2);
if (!$results2) {
TBGLogging::log('failed to search for user: '******'ldap', TBGLogging::LEVEL_FATAL);
throw new Exception(TBGContext::geti18n()->__('Search failed: ') . ldap_error($connection));
}
$data2 = ldap_get_entries($connection, $results2);
if ($data2['count'] != 1) {
continue;
}
/*
* Look through the group's member list. If we are found, grant access.
*/
foreach ($data2[0][strtolower($groups_members_attr)] as $member) {
$member = preg_replace('/(?<=,) +(?=[a-zA-Z])/', '', $member);
$user_dn = preg_replace('/(?<=,) +(?=[a-zA-Z])/', '', $user_dn);
if (!is_numeric($member) && strtolower($member) == strtolower($user_dn)) {
$allowed = true;
}
}
}
if ($allowed == false) {
continue;
}
}
$users[$i] = array();
/*
* Set user's properties.
* Realname is obtained from directory, if not found we set it to the username
* Email is obtained from directory, if not found we set it to blank
*/
if (!array_key_exists(strtolower($fullname_attr), $data[$i])) {
$users[$i]['realname'] = $data[$i]['cn'][0];
} else {
$users[$i]['realname'] = $data[$i][strtolower($fullname_attr)][0];
}
if (!array_key_exists(strtolower($buddyname_attr), $data[$i])) {
$users[$i]['buddyname'] = $data[$i]['cn'][0];
} else {
$users[$i]['buddyname'] = $data[$i][strtolower($buddyname_attr)][0];
}
if (!array_key_exists(strtolower($email_attr), $data[$i])) {
$users[$i]['email'] = '';
} else {
$users[$i]['email'] = $data[$i][strtolower($email_attr)][0];
}
$users[$i]['username'] = $data[$i][strtolower($username_attr)][0];
}
} catch (Exception $e) {
TBGContext::setMessage('module_error', TBGContext::getI18n()->__('Import failed'));
TBGContext::setMessage('module_error_details', $e->getMessage());
$this->forward(TBGContext::getRouting()->generate('configure_module', array('config_module' => 'auth_ldap')));
}
/*
* For every user that was found, either create a new user object, or update
* the existing one. This will update the created and updated counts as appropriate.
*/
foreach ($users as $ldapuser) {
$username = $ldapuser['username'];
$email = $ldapuser['email'];
$realname = $ldapuser['realname'];
$buddyname = $ldapuser['buddyname'];
try {
$user = TBGUser::getByUsername($username);
if ($user instanceof TBGUser) {
$user->setRealname($realname);
$user->setEmail($email);
// update email address
$user->save();
$updatecount++;
} else {
// create user
$user = new TBGUser();
$user->setUsername($username);
$user->setRealname($realname);
$user->setBuddyname($buddyname);
$user->setEmail($email);
$user->setEnabled();
$user->setActivated();
$user->setPassword($user->getJoinedDate() . $username);
$user->setJoined();
$user->save();
$importcount++;
}
} catch (Exception $e) {
ldap_unbind($connection);
TBGContext::setMessage('module_error', TBGContext::getI18n()->__('Import failed'));
TBGContext::setMessage('module_error_details', $e->getMessage());
$this->forward(TBGContext::getRouting()->generate('configure_module', array('config_module' => 'auth_ldap')));
}
}
ldap_unbind($connection);
TBGContext::setMessage('module_message', TBGContext::getI18n()->__('Import successful! %imp users imported, %upd users updated from LDAP', array('%imp' => $importcount, '%upd' => $updatecount)));
$this->forward(TBGContext::getRouting()->generate('configure_module', array('config_module' => 'auth_ldap')));
}
/**
* Registration logic
*
* @param TBGRequest $request
*/
public function runRegister(TBGRequest $request)
{
TBGContext::loadLibrary('common');
$i18n = TBGContext::getI18n();
try {
$username = mb_strtolower(trim($request['fieldusername']));
$buddyname = $request['buddyname'];
$email = mb_strtolower(trim($request['email_address']));
$confirmemail = mb_strtolower(trim($request['email_confirm']));
$security = $request['verification_no'];
$realname = $request['realname'];
$available = TBGUsersTable::getTable()->isUsernameAvailable($username);
$fields = array();
if (!$available) {
throw new Exception($i18n->__('This username is in use'));
}
if (!empty($buddyname) && !empty($email) && !empty($confirmemail) && !empty($security)) {
if ($email != $confirmemail) {
array_push($fields, 'email_address', 'email_confirm');
throw new Exception($i18n->__('The email address must be valid, and must be typed twice.'));
}
if ($security != $_SESSION['activation_number']) {
array_push($fields, 'verification_no');
throw new Exception($i18n->__('To prevent automatic sign-ups, enter the verification number shown below.'));
}
$email_ok = false;
$valid_domain = false;
if (tbg_check_syntax($email, "EMAIL")) {
$email_ok = true;
}
if ($email_ok && TBGSettings::get('limit_registration') != '') {
$allowed_domains = preg_replace('/[[:space:]]*,[[:space:]]*/', '|', TBGSettings::get('limit_registration'));
if (preg_match('/@(' . $allowed_domains . ')$/i', $email) == false) {
array_push($fields, 'email_address', 'email_confirm');
throw new Exception($i18n->__('Email adresses from this domain can not be used.'));
}
/*if (count($allowed_domains) > 0)
{
foreach ($allowed_domains as $allowed_domain)
{
$allowed_domain = '@' . trim($allowed_domain);
if (mb_strpos($email, $allowed_domain) !== false ) //mb_strpos checks if $to
{
$valid_domain = true;
break;
}
}
}
else
{
$valid_domain = true;
}*/
}
/*if ($valid_domain == false)
{
array_push($fields, 'email_address', 'email_confirm');
throw new Exception($i18n->__('Email adresses from this domain can not be used.'));
}*/
if ($email_ok == false) {
array_push($fields, 'email_address', 'email_confirm');
throw new Exception($i18n->__('The email address must be valid, and must be typed twice.'));
}
if ($security != $_SESSION['activation_number']) {
array_push($fields, 'verification_no');
throw new Exception($i18n->__('To prevent automatic sign-ups, enter the verification number shown below.'));
}
$password = TBGUser::createPassword();
$user = new TBGUser();
$user->setUsername($username);
$user->setRealname($realname);
$user->setBuddyname($buddyname);
$user->setGroup(TBGSettings::getDefaultGroup());
$user->setEnabled();
$user->setPassword($password);
$user->setEmail($email);
$user->setJoined();
$user->save();
if ($user->isActivated()) {
TBGContext::setMessage('auto_password', $password);
return $this->renderJSON(array('loginmessage' => $i18n->__('After pressing %continue, you need to set your password.', array('%continue' => $i18n->__('Continue'))), 'one_time_password' => $password, 'activated' => true));
}
return $this->renderJSON(array('loginmessage' => $i18n->__('The account has now been registered - check your email inbox for the activation email. Please be patient - this email can take up to two hours to arrive.'), 'activated' => false));
} else {
array_push($fields, 'email_address', 'email_confirm', 'buddyname', 'verification_no');
throw new Exception($i18n->__('You need to fill out all fields correctly.'));
}
} catch (Exception $e) {
$this->getResponse()->setHttpStatus(400);
return $this->renderJSON(array('error' => $i18n->__($e->getMessage()), 'fields' => $fields));
}
}
public function doLogin($username, $password, $mode = 1)
{
$validgroups = $this->getSetting('groups');
$base_dn = $this->getSetting('b_dn');
$dn_attr = $this->escape($this->getSetting('dn_attr'));
$username_attr = $this->escape($this->getSetting('u_attr'));
$fullname_attr = $this->escape($this->getSetting('f_attr'));
$buddyname_attr = $this->escape($this->getSetting('b_attr'));
$email_attr = $this->escape($this->getSetting('e_attr'));
$groups_members_attr = $this->escape($this->getSetting('g_attr'));
$user_class = TBGContext::getModule('auth_ldap')->getSetting('u_type');
$group_class = TBGContext::getModule('auth_ldap')->getSetting('g_type');
$email = null;
$integrated_auth = $this->getSetting('integrated_auth');
/*
* Do the LDAP check here.
*
* If a connection error or something, throw an exception and log
*
* If we can, set $mail and $realname to correct values from LDAP
* otherwise don't touch those variables.
*
* To log do:
* TBGLogging::log('error goes here', 'ldap', TBGLogging::LEVEL_FATAL);
*/
try {
/*
* First job is to connect to our control user (may be an anonymous bind)
* so we can find the user we want to log in as/validate.
*/
$connection = $this->connect();
$control_user = $this->getSetting('control_user');
$control_password = $this->getSetting('control_pass');
$this->bind($connection, $control_user, $control_password);
// Assume bind successful, otherwise we would have had an exception
/*
* Search for a user with the username specified. We search in the base_dn, so we can
* find users in multiple parts of the directory, and only return users of a specific
* class (default person).
*
* We want exactly 1 user to be returned. We get the user's full name, email, cn
* and dn.
*/
$fields = array($fullname_attr, $buddyname_attr, $email_attr, 'cn', $dn_attr);
$filter = '(&(objectClass=' . TBGLDAPAuthentication::getModule()->escape($user_class) . ')(' . $username_attr . '=' . $this->escape($username) . '))';
$results = ldap_search($connection, $base_dn, $filter, $fields);
if (!$results) {
TBGLogging::log('failed to search for user: '******'ldap', TBGLogging::LEVEL_FATAL);
throw new Exception(TBGContext::geti18n()->__('Search failed: ') . ldap_error($connection));
}
$data = ldap_get_entries($connection, $results);
// User does not exist
if ($data['count'] == 0) {
TBGLogging::log('could not find user ' . $username . ', class ' . $user_class . ', attribute ' . $username_attr, 'ldap', TBGLogging::LEVEL_FATAL);
throw new Exception(TBGContext::geti18n()->__('User does not exist in the directory'));
}
// If we have more than 1 user, something is seriously messed up...
if ($data['count'] > 1) {
TBGLogging::log('too many users for ' . $username . ', class ' . $user_class . ', attribute ' . $username_attr, 'ldap', TBGLogging::LEVEL_FATAL);
throw new Exception(TBGContext::geti18n()->__('This user was found multiple times in the directory, please contact your admimistrator'));
}
/*
* If groups are specified, perform group restriction tests
*/
if ($validgroups != '') {
/*
* We will repeat this for every group, but groups are supplied as a comma-separated list
*/
if (strstr($validgroups, ',')) {
$groups = explode(',', $validgroups);
} else {
$groups = array();
$groups[] = $validgroups;
}
// Assumed we are initially banned
$allowed = false;
foreach ($groups as $group) {
// No need to carry on looking if we have access
if ($allowed == true) {
continue;
}
/*
* Find the group we are looking for, we search the entire directory as per users (See that stuff)
* We want to find 1 group, if we don't get 1, silently ignore this group.
*/
$fields2 = array($groups_members_attr);
$filter2 = '(&(objectClass=' . TBGLDAPAuthentication::getModule()->escape($group_class) . ')(cn=' . $this->escape($group) . '))';
$results2 = ldap_search($connection, $base_dn, $filter2, $fields2);
if (!$results2) {
TBGLogging::log('failed to search for user after binding: ' . ldap_error($connection), 'ldap', TBGLogging::LEVEL_FATAL);
throw new Exception(TBGContext::geti18n()->__('Search failed ') . ldap_error($connection));
}
$data2 = ldap_get_entries($connection, $results2);
if ($data2['count'] != 1) {
continue;
}
/*
* Look through the group's member list. If we are found, grant access.
*/
foreach ($data2[0][strtolower($groups_members_attr)] as $member) {
$member = preg_replace('/(?<=,) +(?=[a-zA-Z])/', '', $member);
$user_dn = preg_replace('/(?<=,) +(?=[a-zA-Z])/', '', $data[0][strtolower($dn_attr)][0]);
if (!is_numeric($member) && strtolower($member) == strtolower($user_dn)) {
$allowed = true;
}
}
}
if ($allowed == false) {
throw new Exception(TBGContext::getI18n()->__('You are not a member of a group allowed to log in'));
}
}
/*
* Set user's properties.
* Realname is obtained from directory, if not found we set it to the username
* Email is obtained from directory, if not found we set it to blank
*/
if (!array_key_exists(strtolower($fullname_attr), $data[0])) {
$realname = $username;
} else {
$realname = $data[0][strtolower($fullname_attr)][0];
}
if (!array_key_exists(strtolower($buddyname_attr), $data[0])) {
$buddyname = $username;
} else {
$buddyname = $data[0][strtolower($buddyname_attr)][0];
}
if (!array_key_exists(strtolower($email_attr), $data[0])) {
$email = '';
} else {
$email = $data[0][strtolower($email_attr)][0];
}
/*
* If we are performing a non integrated authentication login,
* now bind to the user and see if the credentials
* are valid. We bind using the full DN of the user, so no need for DOMAIN\ stuff
* on Windows, and more importantly it fixes other servers.
*
* If the bind fails (exception), we throw a nicer exception and don't continue.
*/
if ($mode == 1 && !$integrated_auth) {
try {
if (!is_array($data[0][strtolower($dn_attr)])) {
$dn = $data[0][strtolower($dn_attr)];
} else {
$dn = $data[0][strtolower($dn_attr)][0];
}
$bind = $this->bind($connection, $this->escape($dn), $password);
} catch (Exception $e) {
throw new Exception(TBGContext::geti18n()->__('Your password was not accepted by the server'));
}
} elseif ($mode == 1) {
if (!isset($_SERVER[$this->getSetting('integrated_auth_header')]) || $_SERVER[$this->getSetting('integrated_auth_header')] != $username) {
throw new Exception(TBGContext::geti18n()->__('HTTP authentication internal error.'));
}
}
} catch (Exception $e) {
ldap_unbind($connection);
throw $e;
}
try {
/*
* Get the user object. If the user exists, update the user's
* data from the directory.
*/
$user = TBGUser::getByUsername($username);
if ($user instanceof TBGUser) {
$user->setBuddyname($buddyname);
$user->setRealname($realname);
$user->setPassword($user->getJoinedDate() . $username);
// update password
$user->setEmail($email);
// update email address
$user->save();
} else {
/*
* If not, and we are performing an initial login, create the user object
* if we are validating a log in, kick the user out as the session is invalid.
*/
if ($mode == 1) {
// create user
$user = new TBGUser();
$user->setUsername($username);
$user->setRealname('temporary');
$user->setBuddyname($username);
$user->setEmail('temporary');
$user->setEnabled();
$user->setActivated();
$user->setJoined();
$user->setPassword($user->getJoinedDate() . $username);
$user->save();
} else {
throw new Exception('User does not exist in TBG');
}
}
} catch (Exception $e) {
ldap_unbind($connection);
throw $e;
}
ldap_unbind($connection);
/*
* Set cookies and return user row for general operations.
*/
TBGContext::getResponse()->setCookie('tbg3_username', $username);
TBGContext::getResponse()->setCookie('tbg3_password', TBGUser::hashPassword($user->getJoinedDate() . $username, $user->getSalt()));
return TBGUsersTable::getTable()->getByUsername($username);
}