Esempio n. 1
 /**
  * Looks up the Model\User record whose primary key equals the given
  * user's id and deletes it when one is found.
  *
  * @param \GO\Base\Model\User $user The user whose id is used for the lookup.
  */
 public static function userDelete(\GO\Base\Model\User $user)
 {
     $record = Model\User::model()->findByPk($user->id);
     if (!$record) {
         // No matching record: nothing to delete.
         return;
     }
     $record->delete();
 }
Esempio n. 2
 /**
  * Checks that model() called on a freshly constructed Model\User
  * returns the string 'model\user'.
  */
 public function testModel()
 {
     $instance = new Model\User();
     $expected = 'model\\user';
     $this->assertEquals($expected, $instance->model());
 }
Esempio n. 3
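 /**
  * Logs a user in.
  *
  * Looks the account up by username, rejects unknown or disabled accounts
  * and wrong passwords, writes the outcome to the info and debug logs, and
  * on success binds the user to the session and regenerates the session id.
  * Every failure path returns the same value (false), so the caller cannot
  * tell which check failed; the reason is only written to the debug log.
  *
  * @param string $username Login name as submitted (treated as untrusted).
  * @param string $password Plaintext password as submitted.
  * @param bool $countLogin When true, lastlogin and the login counter are
  *                         updated, the user's temp files are cleared and
  *                         the login is written to the action log.
  * @return Model\User or false on failure.
  */
 public function login($username, $password, $countLogin = true)
 {
     // NOTE(review): listeners of 'beforelogin' (and 'login' below) are handed
     // the plaintext password; they must never log or persist it.
     if (!$this->fireEvent('beforelogin', array($username, $password, $countLogin))) {
         return false;
     }

     // The username is attacker-controlled and ends up in log lines. Replace
     // control characters (CR/LF included) so a submitted name cannot break
     // the one-event-per-line format that log readers and parsers rely on.
     $logUsername = preg_replace('/[\x00-\x1F\x7F]/', '?', (string) $username);

     $user = Model\User::model()->findSingleByAttribute('username', $username);
     $success = true;
     // NOTE(review): checkPassword() is only reached for an existing, enabled
     // account, so response time may differ between unknown and known
     // usernames - confirm whether that matters for this deployment.
     if (!$user) {
         \GO::debug("LOGIN: User " . $logUsername . " not found");
         $success = false;
     } elseif (!$user->enabled) {
         \GO::debug("LOGIN: User " . $logUsername . " is disabled");
         $success = false;
     } elseif (!$user->checkPassword($password)) {
         \GO::debug("LOGIN: Incorrect password for " . $logUsername);
         $success = false;
     }

     // One audit line per attempt, successful or not. REMOTE_ADDR is absent
     // when the code does not run behind a web server (e.g. CLI).
     $str = "LOGIN ";
     $str .= $success ? "SUCCESS" : "FAILED";
     $str .= " for user: \"" . $logUsername . "\" from IP: ";
     $str .= isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
     \GO::infolog($str);
     \GO::debug($str);

     if (!$success) {
         return false;
     }

     $this->_user = $user;
     $this->setCurrentUser($user->id);
     if ($countLogin) {
         $user->lastlogin = time();
         $user->logins++;
         $user->save(true);
         $this->clearUserTempFiles();
     }
     $this->fireEvent('login', array($username, $password, $user, $countLogin));

     // Session fixation defence.
     // The PHP setting "session.use_only_cookies" controls session_start():
     // when enabled, the session id is only read from the request's cookies;
     // when disabled, GET or POST parameters can carry the session id and be
     // used for session fixation. The setting was added in PHP 4.3.0 but is
     // enabled by default only since PHP 5.3.0, so older versions and
     // non-default configurations need further measures.
     // Independently of that setting, the session id is re-generated after a
     // successful authentication so that an id chosen before login is never
     // the one that identifies the authenticated session. Passing true also
     // deletes the old session's data, so the pre-login id stops resolving to
     // a session at all. setCurrentUser() has already run at this point;
     // presumably it stores the user id in the session (verify), which is why
     // the old session must not be kept.
     if (PHP_SAPI !== 'cli' && !defined('GO_NO_SESSION')) {
         session_regenerate_id(true);
     }
     if ($countLogin) {
         $this->_log(\GO\Log\Model\Log::ACTION_LOGIN);
     }
     \GO::session()->values['countLogin'] = $countLogin;
     return $user;
 }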