static function check_user_name($user_name)
{
if (identity::lookup_user_by_name($user_name)) {
return true;
}
$user = ORM::factory("pending_user")->where("name", "=", $user_name)->find();
return $user->loaded();
}
public function index()
{
$username = Input::instance()->post("user");
$password = Input::instance()->post("password");
$user = identity::lookup_user_by_name($username);
if (empty($user) || !identity::is_correct_password($user, $password)) {
throw new Rest_Exception("Forbidden", 403);
}
$key = rest::get_access_token($user->id);
rest::reply($key->access_key);
}
static function gallery_ready()
{
$sso_username = Input::instance()->server("REMOTE_USER");
$user = Session::instance()->get("user");
if (empty($user) || $user->name != $sso_username) {
try {
identity::set_active_user(identity::lookup_user_by_name($sso_username));
} catch (Exception $e) {
Kohana_Log::add("error", "Couldn't authenticate as {$sso_username}: " . $e->getMessage() . "\n" . $e->getTraceAsString());
}
}
}
public function index()
{
$username = Input::instance()->post("user");
$password = Input::instance()->post("password");
if (empty($username) || auth::too_many_failures($username)) {
throw new Rest_Exception("Forbidden", 403);
}
$user = identity::lookup_user_by_name($username);
if (empty($user) || !identity::is_correct_password($user, $password)) {
module::event("user_login_failed", $username);
throw new Rest_Exception("Forbidden", 403);
}
auth::login($user);
rest::reply(rest::access_key());
}
static function user_auth_failed($user_name)
{
$log_failed_logins = module::get_var("user_info", "log_failed_logins");
if ($log_failed_logins == "Yes") {
$user_info = ORM::factory("user_info");
if (identity::lookup_user_by_name($user_name)) {
$user_info->user_id = identity::lookup_user_by_name($user_name)->id;
} else {
$user_info->user_id = "";
}
$user_info->user_name = $user_name;
$user_info->ip_address = $_SERVER['REMOTE_ADDR'];
$user_info->time_stamp = time();
$user_info->action = "Failed Login";
$user_info->save();
}
}
private function _authenticate()
{
$auth = new Sabre_HTTP_BasicAuth();
$auth->setRealm(item::root()->title);
$authResult = $auth->getUserPass();
list($username, $password) = $authResult;
if (!$username || !$password) {
$auth->requireLogin();
return false;
}
$user = identity::lookup_user_by_name($username);
if (empty($user) || !identity::is_correct_password($user, $password)) {
$auth->requireLogin();
return false;
}
identity::set_active_user($user);
return true;
}
private function _auth($url)
{
$form = auth::get_login_form($url);
$valid = $form->validate();
if ($valid) {
$user = identity::lookup_user_by_name($form->login->inputs["name"]->value);
if (empty($user) || !identity::is_correct_password($user, $form->login->password->value)) {
log::warning("user", t("Failed login for %name", array("name" => $form->login->inputs["name"]->value)));
$form->login->inputs["name"]->add_error("invalid_login", 1);
$valid = false;
}
}
if ($valid) {
auth::login($user);
}
// Either way, regenerate the session id to avoid session trapping
Session::instance()->regenerate();
return array($valid, $form);
}
/**
* Import a single user.
*/
static function import_user(&$queue)
{
$messages = array();
$g2_user_id = array_shift($queue);
if (self::map($g2_user_id)) {
return t("User with id: %id already imported, skipping", array("id" => $g2_user_id));
}
if (g2(GalleryCoreApi::isAnonymousUser($g2_user_id))) {
self::set_map($g2_user_id, identity::guest()->id, "group");
return t("Skipping anonymous user");
}
$g2_admin_group_id = g2(GalleryCoreApi::getPluginParameter("module", "core", "id.adminGroup"));
try {
$g2_user = g2(GalleryCoreApi::loadEntitiesById($g2_user_id));
} catch (Exception $e) {
throw new G2_Import_Exception(t("Failed to import Gallery 2 user with id: %id\n%exception", array("id" => $g2_user_id, "exception" => (string) $e)), $e);
}
$g2_groups = g2(GalleryCoreApi::fetchGroupsForUser($g2_user->getId()));
$user = identity::lookup_user_by_name($g2_user->getUsername());
if ($user) {
$messages[] = t("Loaded existing user: '******'.", array("name" => $user->name));
} else {
$email = $g2_user->getEmail();
if (empty($email) || !valid::email($email)) {
$email = "*****@*****.**";
}
try {
$user = identity::create_user($g2_user->getUserName(), $g2_user->getFullName(), $g2_user->getHashedPassword(), $email);
} catch (Exception $e) {
throw new G2_Import_Exception(t("Failed to create user: '******' (id: %id)", array("name" => $g2_user->getUserName(), "id" => $g2_user_id)), $e, $messages);
}
if (class_exists("User_Model") && $user instanceof User_Model) {
// This will work if G2's password is a PasswordHash password as well.
$user->hashed_password = $g2_user->getHashedPassword();
}
$messages[] = t("Created user: '******'.", array("name" => $user->name));
if ($email == "*****@*****.**") {
$messages[] = t("Fixed invalid email (was '%invalid_email')", array("invalid_email" => $g2_user->getEmail()));
}
}
$user->locale = $g2_user->getLanguage();
foreach ($g2_groups as $g2_group_id => $g2_group_name) {
if ($g2_group_id == $g2_admin_group_id) {
$user->admin = true;
$messages[] = t("Added 'admin' flag to user");
} else {
$group = identity::lookup_group(self::map($g2_group_id));
$user->add($group);
$messages[] = t("Added user to group '%group'.", array("group" => $group->name));
}
}
try {
$user->save();
self::set_map($g2_user->getId(), $user->id, "user");
} catch (Exception $e) {
throw new G2_Import_Exception(t("Failed to create user: '******'", array("name" => $user->name)), $e, $messages);
}
return $messages;
}
public function moved_items_inherit_new_permissions_test()
{
identity::set_active_user(identity::lookup_user_by_name("admin"));
$public_album = test::random_album();
$public_photo = test::random_photo($public_album);
access::allow(identity::everybody(), "view", $public_album);
access::allow(identity::everybody(), "edit", $public_album);
item::root()->reload();
// Account for MPTT changes
$private_album = test::random_album();
access::deny(identity::everybody(), "view", $private_album);
access::deny(identity::everybody(), "edit", $private_album);
$private_photo = test::random_photo($private_album);
// Make sure that we now have a public photo and private photo.
$this->assert_true(access::group_can(identity::everybody(), "view", $public_photo));
$this->assert_false(access::group_can(identity::everybody(), "view", $private_photo));
// Swap the photos
item::move($public_photo, $private_album);
$private_album->reload();
// Reload to get new MPTT pointers and cached perms.
$public_album->reload();
$private_photo->reload();
$public_photo->reload();
item::move($private_photo, $public_album);
$private_album->reload();
// Reload to get new MPTT pointers and cached perms.
$public_album->reload();
$private_photo->reload();
$public_photo->reload();
// Make sure that the public_photo is now private, and the private_photo is now public.
$this->assert_false(access::group_can(identity::everybody(), "view", $public_photo));
$this->assert_false(access::group_can(identity::everybody(), "edit", $public_photo));
$this->assert_true(access::group_can(identity::everybody(), "view", $private_photo));
$this->assert_true(access::group_can(identity::everybody(), "edit", $private_photo));
}
/**
* Import a single user.
*/
static function import_user(&$queue)
{
$g2_user_id = array_shift($queue);
if (self::map($g2_user_id)) {
return t("User with id: %id already imported, skipping", array("id" => $g2_user_id));
}
if (g2(GalleryCoreApi::isAnonymousUser($g2_user_id))) {
self::set_map($g2_user_id, identity::guest()->id);
return t("Skipping anonymous user");
}
$g2_admin_group_id = g2(GalleryCoreApi::getPluginParameter("module", "core", "id.adminGroup"));
try {
$g2_user = g2(GalleryCoreApi::loadEntitiesById($g2_user_id));
} catch (Exception $e) {
return t("Failed to import Gallery 2 user with id: %id\n%exception", array("id" => $g2_user_id, "exception" => $e->__toString()));
}
$g2_groups = g2(GalleryCoreApi::fetchGroupsForUser($g2_user->getId()));
try {
$user = identity::create_user($g2_user->getUsername(), $g2_user->getfullname(), "");
$message = t("Created user: '******'.", array("name" => $user->name));
} catch (Exception $e) {
// @todo For now we assume this is a "duplicate user" exception
$user = identity::lookup_user_by_name($g2_user->getUsername());
$message = t("Loaded existing user: '******'.", array("name" => $user->name));
}
$user->hashed_password = $g2_user->getHashedPassword();
$user->email = $g2_user->getEmail();
$user->locale = $g2_user->getLanguage();
foreach ($g2_groups as $g2_group_id => $g2_group_name) {
if ($g2_group_id == $g2_admin_group_id) {
$user->admin = true;
$message .= t("\n\tAdded 'admin' flag to user");
} else {
$group = identity::lookup_group(self::map($g2_group_id));
$user->add($group);
$message .= t("\n\tAdded user to group '%group'.", array("group" => $group->name));
}
}
$user->save();
self::set_map($g2_user->getId(), $user->id);
return $message;
}
public function first($hash)
{
$pending_user = ORM::factory("pending_user")->where("hash", "=", $hash)->where("state", "=", 2)->find();
if ($pending_user->loaded()) {
// @todo add a request date to the pending user table and check that it hasn't expired
$user = identity::lookup_user_by_name($pending_user->name);
if (!empty($user)) {
auth::login($user);
Session::instance()->set("registration_first_usage", true);
$pending_user->delete();
}
url::redirect(item::root()->abs_url());
} else {
message::warning(t("Your account is ready to use so please login."));
}
url::redirect(item::root()->abs_url());
}
public function __construct($name, $pass)
{
$user = identity::lookup_user_by_name($name);
$this->result = identity::is_correct_password($user, $pass);
}
public function moved_items_inherit_new_permissions_test()
{
identity::set_active_user(identity::lookup_user_by_name("admin"));
$root = ORM::factory("item", 1);
$public_album = album::create($root, rand(), "public album");
$public_photo = photo::create($public_album, MODPATH . "gallery/images/gallery.png", "", "");
access::allow(identity::everybody(), "view", $public_album);
$root->reload();
// Account for MPTT changes
$private_album = album::create($root, rand(), "private album");
access::deny(identity::everybody(), "view", $private_album);
$private_photo = photo::create($private_album, MODPATH . "gallery/images/gallery.png", "", "");
// Make sure that we now have a public photo and private photo.
$this->assert_true(access::group_can(identity::everybody(), "view", $public_photo));
$this->assert_false(access::group_can(identity::everybody(), "view", $private_photo));
// Swap the photos
item::move($public_photo, $private_album);
$private_album->reload();
// Reload to get new MPTT pointers and cached perms.
$public_album->reload();
$private_photo->reload();
$public_photo->reload();
item::move($private_photo, $public_album);
$private_album->reload();
// Reload to get new MPTT pointers and cached perms.
$public_album->reload();
$private_photo->reload();
$public_photo->reload();
// Make sure that the public_photo is now private, and the private_photo is now public.
$this->assert_false(access::group_can(identity::everybody(), "view", $public_photo));
$this->assert_true(access::group_can(identity::everybody(), "view", $private_photo));
}
/**
* authenticate the user
*
* @param string $url
* @return boolean
*/
private function _auth($url)
{
$form = auth::get_login_form($url);
$validform = $form->validate();
$valid = false;
if ($validform) {
// retrieve the values from the form
$name = $form->login->inputs["name"]->value;
$pass = $form->login->password->value;
// do we have a user?
$user = identity::lookup_user_by_name($name);
$validuser = empty($user) ? false : true;
// is the user authentic?
$checkpass = $this->_checkpass($name, $pass);
/*
* we are concerned with these three possibilities:
* 1. there is no valid user or no valid password
* 2. there is no valid user but a valid password
* 3. there is a valid user and a valid password
*/
// 1. there is no valid user or no valid password: error
if (!$validuser || !$checkpass) {
$form->login->inputs["name"]->add_error("invalid_login", 1);
$name = $form->login->inputs["name"]->value;
log::warning("user", t("Failed login for %name", array("name" => $name)));
module::event("user_auth_failed", $name);
}
// 2. there is no valid user but a valid password: create account if allowed
if (!$validuser && $checkpass && $this->create_account) {
$account = $this->pam_auth->getAccount();
if ($account) {
$password = md5(uniqid(mt_rand(), true));
$new_user = identity::create_user($account->name, $account->full_name, $password, $account->email);
$new_user->url = '';
$new_user->admin = false;
$new_user->guest = false;
$new_user->save();
$user = identity::lookup_user_by_name($account->name);
$validuser = empty($user) ? false : true;
}
}
// 3. there is a valid user and a valid password: load user account
if ($validuser && $checkpass) {
auth::login($user);
$valid = true;
}
}
// regenerate the session id to avoid session trapping
Session::instance()->regenerate();
return array($valid, $form);
}
