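/**
 * Sign on a staff member whose identity was established by the web server.
 *
 * This backend performs no credential check of its own: it trusts the
 * REMOTE_USER (or REDIRECT_REMOTE_USER, after an internal rewrite) value the
 * HTTP server populated, and only maps it to a local staff record. It is only
 * safe to enable where the server authenticates every request to this path.
 *
 * @return StaffSession|null the matching local session, or null when the
 *         server supplied no user or no staff record matches
 */
function signOn() {
    $username = null;
    if (!empty($_SERVER['REMOTE_USER'])) {
        // User was authenticated by the HTTP server
        $username = $_SERVER['REMOTE_USER'];
    } elseif (!empty($_SERVER['REDIRECT_REMOTE_USER'])) {
        $username = $_SERVER['REDIRECT_REMOTE_USER'];
    }
    if (!$username) {
        return null;
    }

    // Support ActiveDirectory domain specification with either
    // "user@domain" or "domain\user" formats. strpos() takes
    // (haystack, needle): the username is the haystack here.
    // The domain part is discarded, so the local lookup is by the bare
    // user part only — "user@a" and "user@b" resolve to the same account.
    if (strpos($username, '@') !== false) {
        list($username, $domain) = explode('@', $username, 2);
    } elseif (strpos($username, '\\') !== false) {
        list($domain, $username) = explode('\\', $username, 2);
    }
    $username = trim(strtolower($username));

    $user = new StaffSession($username);
    if ($user->getId()) {
        return $user;
    }
    // TODO: Consider client sessions
    return null;
}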
/**
 * Resolve a username to an existing local staff session.
 *
 * @param string $username
 * @return StaffSession|null the session when a staff record with that
 *         username exists, otherwise null
 */
function lookupAndSync($username) {
    // TODO: Auto-create users, etc.
    $staff = new StaffSession($username);
    return $staff->getId() ? $staff : null;
}
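/**
 * Authenticate a staff member by username and password.
 *
 * Enforces the per-session lockout kept in $_SESSION['_staff']: once more
 * than getStaffMaxLogins() attempts have failed, the session is locked for
 * getStaffLoginTimeout() seconds, and every attempt made while locked
 * re-arms that timer.
 *
 * @param string $username
 * @param string $passwd   password as submitted (plaintext)
 * @param array  $errors   by reference; 'err' receives a user-facing message on failure
 * @param bool   $strike   kept for call-site compatibility; not read by this method
 * @return StaffSession|false the authenticated session, or false
 */
function login($username, $passwd, &$errors, $strike = true) {
    global $ost, $cfg;

    if (!empty($_SESSION['_staff']['laststrike'])) {
        if (time() - $_SESSION['_staff']['laststrike'] < $cfg->getStaffLoginTimeout()) {
            $errors['err'] = 'Max. failed login attempts reached';
            $_SESSION['_staff']['laststrike'] = time(); // reset timer.
        } else {
            // Timeout is over.
            // Reset the counter for next round of attempts after the timeout.
            $_SESSION['_staff']['laststrike'] = null;
            $_SESSION['_staff']['strikes'] = 0;
        }
    }

    if (!$username || !$passwd || is_numeric($username)) {
        $errors['err'] = 'Username and password required';
    }
    if ($errors) {
        return false;
    }

    $user = new StaffSession(trim($username));
    if ($user->getId() && $user->check_passwd($passwd)) {
        self::_do_login($user, $username);
        Signal::send('auth.login.succeeded', $user);
        $user->cancelResetTokens();
        return $user;
    }

    // NOTE(review): the failure signal payload carries the submitted
    // plaintext password; anything listening on 'auth.login.failed' must
    // not log or persist $info['password'].
    $info = array('username' => $username, 'password' => $passwd);
    Signal::send('auth.login.failed', null, $info);

    // If we get to this point we know the login failed.
    if (!isset($_SESSION['_staff']['strikes'])) {
        $_SESSION['_staff']['strikes'] = 0;
    }
    $_SESSION['_staff']['strikes'] += 1;

    if (!$errors && $_SESSION['_staff']['strikes'] > $cfg->getStaffMaxLogins()) {
        $errors['err'] = 'Forgot your login info? Contact Admin.';
        $_SESSION['_staff']['laststrike'] = time();
        $alert = 'Excessive login attempts by a staff member?' . "\n"
            . 'Username: ' . $username . "\n"
            . 'IP: ' . $_SERVER['REMOTE_ADDR'] . "\n"
            . 'TIME: ' . date('M j, Y, g:i a T') . "\n\n"
            . 'Attempts #' . $_SESSION['_staff']['strikes'] . "\n"
            . 'Timeout: ' . $cfg->getStaffLoginTimeout() / 60 . " minutes \n\n";
        $ost->logWarning('Excessive login attempts (' . $username . ')', $alert, $cfg->alertONLoginError());
    } elseif ($_SESSION['_staff']['strikes'] % 2 == 0) {
        // Log every other failed login attempt as a warning.
        $alert = 'Username: ' . $username . "\n"
            . 'IP: ' . $_SERVER['REMOTE_ADDR'] . "\n"
            . 'TIME: ' . date('M j, Y, g:i a T') . "\n\n"
            . 'Attempts #' . $_SESSION['_staff']['strikes'];
        $ost->logWarning('Failed staff login attempt (' . $username . ')', $alert, false);
    }
    return false;
}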
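/**
 * Sign on a staff member with a password-reset token posted as
 * userid + token.
 *
 * The token is accepted only when it maps to the given staff id in the
 * 'pwreset' config store AND its recorded timestamp lies within
 * getPwResetWindow() seconds of now.
 *
 * NOTE(review): $errors is taken by value, so the 'msg' entries set below
 * are not visible to the caller; only the return value is.
 *
 * @param array $errors
 * @return StaffSession|false|null the staff session on success; false when
 *         the request carries no userid/token; null on a rejected token
 */
function signOn($errors = array()) {
    global $ost;

    if (!isset($_POST['userid']) || !isset($_POST['token'])) {
        return false;
    }
    if (!($_config = new Config('pwreset'))) {
        return false;
    }

    $staff = new StaffSession($_POST['userid']);
    if (!$staff->getId()) {
        $errors['msg'] = __('Invalid user-id given');
    } elseif (!($id = $_config->get($_POST['token'])) || $id != $staff->getId()) {
        $errors['msg'] = __('Invalid reset token');
    } elseif (!($ts = $_config->lastModified($_POST['token']))
            || $ost->getConfig()->getPwResetWindow() < time() - strtotime($ts)) {
        // A missing timestamp OR an expired one rejects the token. With the
        // two conditions joined by && a token that had a timestamp was never
        // checked against the window, so expired tokens were accepted.
        $errors['msg'] = __('Invalid reset token');
    } elseif (!$staff->forcePasswdRest()) {
        $errors['msg'] = __('Unable to reset password');
    } else {
        return $staff;
    }
    return null;
}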
$msg = $msg ? $msg : 'Se Requiere Autenticación'; if ($_POST && (!empty($_POST['username']) && !empty($_POST['passwd']))) { //$_SESSION['_staff']=array(); #Uncomment to disable login strikes. $msg = 'Datos Incorrectos'; if ($_SESSION['_staff']['laststrike']) { if (time() - $_SESSION['_staff']['laststrike'] < $cfg->getStaffLoginTimeout()) { $msg = 'Excesivos intentos fallidos de inicio de sesión'; $errors['err'] = 'Has llegado al máximo de intentos de conexión fallidos.'; } else { //Timeout is over. //Reset the counter for next round of attempts after the timeout. $_SESSION['_staff']['laststrike'] = null; $_SESSION['_staff']['strikes'] = 0; } } if (!$errors && ($user = new StaffSession($_POST['username'])) && $user->getId() && $user->check_passwd($_POST['passwd'])) { //update last login. db_query('UPDATE ' . STAFF_TABLE . ' SET lastlogin=NOW() WHERE staff_id=' . db_input($user->getId())); //Figure out where the user is headed - destination! $dest = $_SESSION['_staff']['auth']['dest']; //Now set session crap and lets roll baby! $_SESSION['_staff'] = array(); //clear. $_SESSION['_staff']['userID'] = $_POST['username']; $user->refreshSession(); //set the hash. $_SESSION['TZ_OFFSET'] = $user->getTZoffset(); $_SESSION['daylight'] = $user->observeDaylight(); Sys::log(LOG_DEBUG, 'Inicio de sesión de Staff', sprintf("%s Identificado como [%s]", $user->getUserName(), $_SERVER['REMOTE_ADDR'])); //Debug. //Redirect to the original destination. (make sure it is not redirecting to login page.)
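/* First order of the day is to see if the user is logged in with a valid session.
 * User must be valid staff beyond this point.
 * ONLY super admins can access the helpdesk in offline state.
 */
if (!function_exists('staffLoginPage')) {
    // Ajax interface can pre-declare the function to trap expired sessions.
    /**
     * Remember where the staff member was headed, show the login page and stop.
     *
     * The destination is taken from the current REQUEST_URI with a single
     * leading slash enforced, so it is always a path relative to this host.
     *
     * @param string $msg message for the login page
     * @return never
     */
    function staffLoginPage($msg) {
        global $ost, $cfg;
        $_SESSION['_staff']['auth']['dest'] = '/' . ltrim($_SERVER['REQUEST_URI'], '/');
        $_SESSION['_staff']['auth']['msg'] = $msg;
        require SCP_DIR . 'login.php';
        exit;
    }
}

// Set staff object. Anonymous visitors have no userID yet; pass null
// explicitly rather than reading an undefined index.
$thisstaff = new StaffSession(isset($_SESSION['_staff']['userID']) ? $_SESSION['_staff']['userID'] : null);

// 1) is the user logged in for real && is staff.
if (!$thisstaff->getId() || !$thisstaff->isValid()) {
    if (isset($_SESSION['_staff']['auth']['msg'])) {
        // One-shot message left by an earlier redirect to the login page.
        $msg = $_SESSION['_staff']['auth']['msg'];
        unset($_SESSION['_staff']['auth']['msg']);
    } elseif (isset($_SESSION['_staff']['userID']) && !$thisstaff->isValid()) {
        $msg = 'Session timed out due to inactivity';
    } else {
        $msg = 'Authentication Required';
    }
    staffLoginPage($msg);
    // Guard in case a pre-declared staffLoginPage() returns instead of exiting.
    exit;
}

// 2) if not super admin..check system status and group status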
$Id: $ **********************************************************************/ require_once '../main.inc.php'; if (!defined('INCLUDE_DIR')) { die('Fatal Error. Kwaheri!'); } require_once INCLUDE_DIR . 'class.staff.php'; $msg = $msg ? $msg : 'Authentication Required'; if ($_POST && (!empty($_POST['username']) && !empty($_POST['passwd']))) { //$_SESSION['_staff']=array(); #Uncomment to disable login strikes. $msg = 'Invalid login'; if ($_SESSION['_staff']['laststrike'] && time() - $_SESSION['_staff']['laststrike'] < 3 * 60) { $msg = 'Max failed login Reached'; $errors['err'] = 'You\'ve reached maximum failed login attempts allowed.'; } if (!$errors && ($user = new StaffSession($_POST['username'])) && $user->getId() && $user->check_passwd($_POST['passwd'])) { db_query('UPDATE ' . STAFF_TABLE . ' SET lastlogin=NOW() WHERE staff_id=' . db_input($user->getId())); //We got a matching user and the password matched!! Nice. //Now set session crap and lets roll baby! $_SESSION['_staff'] = array(); //clear. $_SESSION['_staff']['userID'] = $_POST['username']; $user->refreshSession(); //set the hash. $_SESSION['TZ_OFFSET'] = $user->getTZoffset(); $_SESSION['daylight'] = $cfg->observeDaylightSaving(); //Redirect to the original destination. (make sure it is not redirecting to login page.) $dest = $_POST['dest'] && !strstr($_POST['dest'], 'login.php') ? $_POST['dest'] : 'index.php'; @header("Location: {$dest}"); require 'index.php'; //Just incase header is messed up.
// Check version $errors['err'] = ' Nothing to do! System already upgraded'; $inc = 'upgradedone.inc.php'; } elseif ($_SESSION['abort']) { // Check if already aborted die('Upgrade already aborted! Restore previous version and start all over again (logout required) or get help.'); } elseif ((double) phpversion() < 5.1) { // Too old PHP installation $errors['err'] = 'PHP installation seriously out of date. PHP 5.2+ is required.'; $wrninc = 'php.inc.php'; } elseif (!ini_get('short_open_tag') && (double) phpversion() < 5.4) { // Check PHP version $errors['err'] = 'Short open tag disabled! - with PHP version prior to 5.4 Katak Support requires it turned on.'; $wrninc = 'shortopentag.inc.php'; } elseif ($_POST && !$errors) { if ($adminloggedin || ($thisuser = new StaffSession($_POST['username'])) && $thisuser->getId() && $thisuser->check_passwd($_POST['password'])) { switch ($cfg->getVersion()) { case '0.9': //upgrading from ver. 0.9.x. $schema = './inc/ktk-upgrade-0.9.sql'; break; case '1.0': //upgrading from ver. 1.0.x. $schema = './inc/ktk-upgrade-1.0.sql'; break; default: $schema = ''; // This leads to an error in loading the schema } $vars = $errors = array(); if (!load_sql_schema($schema, $errors) && !$errors['err']) {
$msg=$_SESSION['_staff']['auth']['msg']; $msg=$msg?$msg:'Authentication Required'; if($_POST && (!empty($_POST['username']) && !empty($_POST['passwd']))){ //$_SESSION['_staff']=array(); #Uncomment to disable login strikes. $msg='Invalid login'; if($_SESSION['_staff']['laststrike']) { if((time()-$_SESSION['_staff']['laststrike'])<$cfg->getStaffLoginTimeout()) { $msg='Excessive failed login attempts'; $errors['err']='You\'ve reached maximum failed login attempts allowed.'; }else{ //Timeout is over. //Reset the counter for next round of attempts after the timeout. $_SESSION['_staff']['laststrike']=null; $_SESSION['_staff']['strikes']=0; } } if(!$errors && ($user=new StaffSession($_POST['username'])) && $user->getId() && $user->check_passwd($_POST['passwd'])){ //update last login. db_query('UPDATE '.STAFF_TABLE.' SET lastlogin=NOW() WHERE staff_id='.db_input($user->getId())); //Figure out where the user is headed - destination! $dest=$_SESSION['_staff']['auth']['dest']; //Now set session crap and lets roll baby! $_SESSION['_staff']=array(); //clear. $_SESSION['_staff']['userID']=$_POST['username']; $user->refreshSession(); //set the hash. $_SESSION['TZ_OFFSET']=$user->getTZoffset(); $_SESSION['daylight']=$user->observeDaylight(); Sys::log(LOG_DEBUG,'Staff login',sprintf("%s logged in [%s]",$user->getUserName(),$_SERVER['REMOTE_ADDR'])); //Debug. //Redirect to the original destination. (make sure it is not redirecting to login page.) $dest=($dest && (!strstr($dest,'login.php') && !strstr($dest,'ajax.php')))?$dest:'index.php'; session_write_close(); session_regenerate_id();
/**
 * Sign on a staff member whose CAS login has already completed.
 *
 * Requires $_SESSION[':cas']['user'] to be set (presumably by the CAS
 * client) and looks the staff record up by the CAS e-mail address.
 *
 * @return StaffSession|null the local session, or null when no local
 *         staff account matches (a hint is left in the auth message)
 */
function signOn() {
    if (!isset($_SESSION[':cas']['user'])) {
        return null;
    }

    $staff = StaffSession::lookup($this->cas->getEmail());
    if (!$staff || !$staff->getId()) {
        $_SESSION['_staff']['auth']['msg'] = 'Have your administrator create a local account';
        return null;
    }

    if (!$staff instanceof StaffSession) {
        // osTicket <= v1.9.7 or so: lookup() may hand back a non-session object
        $staff = new StaffSession($staff->getId());
    }
    return $staff;
}
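/**
 * Authenticate a staff member by username and password and establish the
 * staff session directly (older variant: writes $_SESSION itself and
 * rotates the session id on success).
 *
 * Failed attempts are counted in $_SESSION['_staff']['strikes']; once more
 * than getStaffMaxLogins() have failed the session is locked for
 * getStaffLoginTimeout() seconds.
 *
 * @param string $username
 * @param string $passwd   password as submitted (plaintext)
 * @param array  $errors   by reference; 'err' receives a user-facing message on failure
 * @param bool   $strike   kept for call-site compatibility; not read by this method
 * @return StaffSession|false the authenticated session, or false
 */
function login($username, $passwd, &$errors, $strike = true) {
    global $ost, $cfg;

    if (!empty($_SESSION['_staff']['laststrike'])) {
        if (time() - $_SESSION['_staff']['laststrike'] < $cfg->getStaffLoginTimeout()) {
            $errors['err'] = 'You\'ve reached maximum failed login attempts allowed.';
        } else {
            // Timeout is over.
            // Reset the counter for next round of attempts after the timeout.
            $_SESSION['_staff']['laststrike'] = null;
            $_SESSION['_staff']['strikes'] = 0;
        }
    }

    if (!$errors) {
        $user = new StaffSession($username);
        if ($user->getId() && $user->check_passwd($passwd)) {
            // update last login && password reset stuff.
            $sql = 'UPDATE ' . STAFF_TABLE . ' SET lastlogin=NOW() ';
            if ($user->isPasswdResetDue() && !$user->isAdmin()) {
                $sql .= ',change_passwd=1';
            }
            $sql .= ' WHERE staff_id=' . db_input($user->getId());
            db_query($sql);

            // Fresh session state for the authenticated user.
            $_SESSION['_staff'] = array(); // clear.
            $_SESSION['_staff']['userID'] = $username;
            $user->refreshSession(); // set the hash.
            $_SESSION['TZ_OFFSET'] = $user->getTZoffset();
            $_SESSION['TZ_DST'] = $user->observeDaylight();
            $ost->logDebug('Staff login', sprintf("%s logged in [%s]", $user->getUserName(), $_SERVER['REMOTE_ADDR'])); // Debug.

            // Rotate the session id so the pre-login id cannot be reused
            // (session fixation), and destroy the old record explicitly —
            // needed for PHP version < 5.1.0.
            // TODO: remove when we move to php 5.3 as min. requirement.
            $sid = session_id(); // Current ID
            session_regenerate_id(TRUE);
            if (($session = $ost->getSession()) && is_object($session) && $sid) {
                $session->destroy($sid);
            }
            session_write_close();
            return $user;
        }
    }

    // If we get to this point we know the login failed.
    if (!isset($_SESSION['_staff']['strikes'])) {
        $_SESSION['_staff']['strikes'] = 0;
    }
    $_SESSION['_staff']['strikes'] += 1;

    // Alerts report the $username this method was given rather than
    // re-reading $_POST, so they stay correct for any caller.
    if (!$errors && $_SESSION['_staff']['strikes'] > $cfg->getStaffMaxLogins()) {
        $errors['err'] = 'Forgot your login info? Contact Admin.';
        $_SESSION['_staff']['laststrike'] = time();
        $alert = 'Excessive login attempts by a staff member?' . "\n"
            . 'Username: ' . $username . "\n"
            . 'IP: ' . $_SERVER['REMOTE_ADDR'] . "\n"
            . 'TIME: ' . date('M j, Y, g:i a T') . "\n\n"
            . 'Attempts #' . $_SESSION['_staff']['strikes'] . "\n"
            . 'Timeout: ' . $cfg->getStaffLoginTimeout() / 60 . " minutes \n\n";
        $ost->logWarning('Excessive login attempts (' . $username . ')', $alert, $cfg->alertONLoginError());
    } elseif ($_SESSION['_staff']['strikes'] % 2 == 0) {
        // Log every other failed login attempt as a warning.
        $alert = 'Username: ' . $username . "\n"
            . 'IP: ' . $_SERVER['REMOTE_ADDR'] . "\n"
            . 'TIME: ' . date('M j, Y, g:i a T') . "\n\n"
            . 'Attempts #' . $_SESSION['_staff']['strikes'];
        $ost->logWarning('Failed staff login attempt (' . $username . ')', $alert, false);
    }
    return false;
}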
} switch ($_POST['do']) { case 'sendmail': if ($staff = Staff::lookup($_POST['userid'])) { if (!$staff->sendResetEmail()) { $tpl = 'pwreset.sent.php'; } } else { $msg = 'Unable to verify username ' . Format::htmlchars($_POST['userid']); } break; case 'newpasswd': // TODO: Compare passwords $tpl = 'pwreset.login.php'; $_config = new Config('pwreset'); if (($staff = new StaffSession($_POST['userid'])) && !$staff->getId()) { $msg = 'Invalid user-id given'; } elseif (!($id = $_config->get($_POST['token'])) || $id != $staff->getId()) { $msg = 'Invalid reset token'; } elseif (!($ts = $_config->lastModified($_POST['token'])) && $ost->getConfig()->getPwResetWindow() < time() - strtotime($ts)) { $msg = 'Invalid reset token'; } elseif (!$staff->forcePasswdRest()) { $msg = 'Unable to reset password'; } else { $info = array('page' => 'index.php'); Signal::send('auth.pwreset.login', $staff, $info); Staff::_do_login($staff, $_POST['userid']); $_SESSION['_staff']['reset-token'] = $_POST['token']; header('Location: ' . $info['page']); exit; }
$msg = isset($msg) ? $msg : _('Authentication Required'); if ($_POST && (!empty($_POST['username']) && !empty($_POST['passwd']))) { //$_SESSION['_staff']=array(); #Uncomment to disable login strikes. $msg = _('Invalid login'); if ($_SESSION['_staff']['laststrike']) { if (time() - $_SESSION['_staff']['laststrike'] < $cfg->getStaffLoginTimeout()) { $msg = _('Excessive failed login attempts'); $errors['err'] = _('You\'ve reached maximum failed login attempts allowed.'); } else { //Timeout is over. //Reset the counter for next round of attempts after the timeout. $_SESSION['_staff']['laststrike'] = null; $_SESSION['_staff']['strikes'] = 0; } } if (!$errors && ($user = new StaffSession($_POST['username'])) && $user->getId() && $user->check_passwd($_POST['passwd'])) { //update last login. $user->update_lastlogin($user->getId()); //Figure out where the user is headed - destination! $dest = $_SESSION['_staff']['auth']['dest']; //Now set session crap and lets roll baby! $_SESSION['_staff'] = array(); //clear. $_SESSION['_staff']['userID'] = $_POST['username']; $user->refreshSession(); //set the hash. $_SESSION['TZ_OFFSET'] = $user->getTZoffset(); $_SESSION['daylight'] = $user->observeDaylight(); Sys::log(LOG_DEBUG, 'Staff login', sprintf('%s ' . _('logged in'), $user->getUserName()), $user->getUserName()); //Debug //Redirect to the original destination. (make sure it is not redirecting to login page.)
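/**
 * Resolve a directory-authenticated username to a local session, creating
 * the local record when the backend is configured to do so.
 *
 * For 'staff': an existing staff record wins; otherwise, when
 * multiauth-staff-register is on and the user is in one of the configured
 * multiauth-staff-group groups, a staff account is created from the
 * directory entry and looked up again.
 * For 'client': an existing client account yields a ClientSession;
 * otherwise a ClientCreateRequest is returned for registration.
 *
 * @param string $username
 * @return StaffSession|ClientSession|ClientCreateRequest|null
 */
function authOrCreate($username) {
    global $cfg;

    switch ($this->type) {
    case 'staff':
        if (($user = StaffSession::lookup($username)) && $user->getId()) {
            if (!$user instanceof StaffSession) {
                // osTicket <= v1.9.7 or so
                $user = new StaffSession($user->getId());
            }
            return $user;
        }

        // No local record: decide whether to auto-provision one.
        // $config must be fetched before it is read (it was previously
        // used before assignment).
        $config = $this->getConfig();
        $staff_groups = preg_split('/;|,/', $config->get('multiauth-staff-group'));
        $chkgroup = false;
        foreach ($staff_groups as $staff_group) {
            // NOTE(review): $ldap and $name are not defined in this method;
            // confirm against the enclosing class what they should refer to.
            if ($ldap->checkGroup($name, $staff_group)) {
                $chkgroup = true;
                break;
            }
        }

        if ($config->get('multiauth-staff-register') && $chkgroup) {
            if (!($info = $this->lookup($username, false))) {
                return null;
            }
            $errors = array();
            // Provisioned accounts are non-admin, active and visible, and
            // start in group_id 1 / dept_id 1 — whatever that group permits
            // is the access every directory-created staff account begins with.
            $staff = array(
                'username'      => $info['username'],
                'firstname'     => $info['first'],
                'lastname'      => $info['last'],
                'email'         => $info['email'],
                'isadmin'       => 0,
                'isactive'      => 1,
                'group_id'      => 1,
                'dept_id'       => 1,
                'welcome_email' => "on",
                'timezone_id'   => 8,
                'isvisible'     => 1,
            );
            Staff::create($staff, $errors);
            // $errors from create() is not surfaced; a failed create simply
            // makes the lookup below miss and the method return null.
            if (($user = StaffSession::lookup($username)) && $user->getId()) {
                if (!$user instanceof StaffSession) {
                    $user = new StaffSession($user->getId());
                }
                return $user;
            }
        }
        break;

    case 'client':
        // Lookup all the information on the user. Try to get the email
        // address as well as the username when looking up the user
        // locally.
        $matches = $this->search($username);
        if (!isset($matches[0]) || !($info = $matches[0])) {
            return null;
        }
        $client = null;
        $acct = ClientAccount::lookupByUsername($username);
        if ($acct && $acct->getId()) {
            $client = new ClientSession(new EndUser($acct->getUser()));
        }
        if (!$client) {
            $info['name'] = $info['first'] . " " . $info['last'];
            $client = new ClientCreateRequest($this, $username, $info);
            //if (!$cfg || !$cfg->isClientRegistrationEnabled() && self::$config->get('multiauth-force-register')) {
            //    return $client->attemptAutoRegister();
            //}
        }
        return $client;
    }
    return null;
}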