Inheritance: extends Piwik\Plugin
Esempio n. 1
 /**
  * A batch is rejected with an exception when one of its requests carries a
  * token that does not have admin permission for idsite=1, even though the
  * other request in the same batch is signed with the super user token.
  *
  * @expectedException \Exception
  * @expectedExceptionMessage token_auth specified does not have Admin permission for idsite=1
  */
 public function test_authenticateRequests_shouldThrowAnException_IfTokenIsNotValid()
 {
     // Token computed for login 'test' and the hash of the password '2'.
     $unprivilegedToken = API::getInstance()->getTokenAuth('test', UsersManager::getPasswordHash('2'));
     $privilegedToken = $this->getSuperUserToken();

     // The privileged request comes first so the failure has to come from the second one.
     $batch = array(
         $this->buildDummyRequest($privilegedToken),
         $this->buildDummyRequest($unprivilegedToken),
     );

     $this->requests->authenticateRequests($batch);
 }
Esempio n. 2
File: API.php Progetto: bnkems/piwik
 /**
  * Creates a user account on behalf of the frontend.
  * Called from the Controller of this module.
  *
  * A duplicate email/login and a failed database insert are both recorded in
  * $this->__errors and reported as a false return value.
  *
  * NOTE(review): the password check runs outside the try block, so anything it
  * throws reaches the caller instead of being collected in $this->__errors.
  * NOTE(review): addUser() receives $userEmail as its first and third argument
  * and $userLogin as its fourth, while the uniqueness check calls
  * userExists($userLogin) - confirm the check covers the value that is
  * actually stored as the login.
  *
  * @param string $userLogin
  * @param string $userPassword
  * @param string $userEmail
  * @return bool true when the user row was added, false otherwise
  */
 public function createUser($userLogin, $userPassword, $userEmail)
 {
     // Nothing to do without both a login and a password.
     if (!$userLogin || !$userPassword) {
         return false;
     }

     $usersApi = UserManagerAPI::getInstance();

     $alreadyTaken = $this->userManagerModel->userEmailExists($userEmail)
         || $this->userManagerModel->userExists($userLogin);
     if ($alreadyTaken) {
         $this->__errors[] = 'User email already exists or the login name already exists';
         return false;
     }

     $plainPassword = Common::unsanitizeInputValue($userPassword);
     UserManager::checkPassword($plainPassword);
     $hashedPassword = UserManager::getPasswordHash($plainPassword);
     $tokenAuth = $usersApi->getTokenAuth($userEmail, $hashedPassword);

     try {
         $this->userManagerModel->addUser($userEmail, $hashedPassword, $userEmail, $userLogin, $tokenAuth, Date::now()->getDatetime());
     } catch (Exception $e) {
         // The underlying exception message is intentionally not surfaced; only a generic error is kept.
         $this->__errors[] = 'Error in creating the user in database.';
         return false;
     }

     return true;
 }
Esempio n. 3
 /**
  * Test helper: registers a user with fixed credentials, grants it 'admin'
  * access to the given site and hands back the token computed for it.
  *
  * @param mixed $idSite Site the new user gets 'admin' access to.
  * @return mixed The value returned by API::getTokenAuth() for the fixture login.
  */
 private function createAdminUserForSite($idSite)
 {
     $login = '******';
     $passwordHash = UsersManager::getPasswordHash('password');
     $tokenAuth = API::getInstance()->getTokenAuth($login, $passwordHash);

     $usersModel = new Model();
     $usersModel->addUser($login, $passwordHash, 'admin@piwik', 'alias', $tokenAuth, '2014-01-01 00:00:00');
     $usersModel->addUserAccess($login, 'admin', array($idSite));

     return $tokenAuth;
 }
Esempio n. 4
 /**
  * Makes sure the fixture super user exists with the fixture password hash and
  * token, and returns the record looked up by that token.
  *
  * @param bool $removeExisting When true, the row for the fixture login is
  *                             deleted before the user is (re)created.
  * @return mixed Whatever Model::getUserByTokenAuth() returns for the fixture token.
  */
 public static function createSuperUser($removeExisting = true)
 {
     $login = self::ADMIN_USER_LOGIN;
     $passwordHash = UsersManager::getPasswordHash(self::ADMIN_USER_PASSWORD);
     $tokenAuth = self::getTokenAuth();
     $usersModel = new \Piwik\Plugins\UsersManager\Model();

     if ($removeExisting) {
         $usersModel->deleteUserOnly($login);
     }

     // Update in place when the row survived, insert otherwise.
     $existing = $usersModel->getUser($login);
     if (!empty($existing)) {
         $usersModel->updateUser($login, $passwordHash, '*****@*****.**', $login, $tokenAuth);
     } else {
         $usersModel->addUser($login, $passwordHash, '*****@*****.**', $login, $tokenAuth, Date::now()->getDatetime());
     }

     // Decided on the record as it was before the insert/update above.
     if (empty($existing['superuser_access'])) {
         $usersModel->setSuperUserAccess($login, true);
     }

     return $usersModel->getUserByTokenAuth($tokenAuth);
 }
Esempio n. 5
File: Auth.php Progetto: piwik/piwik
 /**
  * Sets the password hash to use when authenticating.
  *
  * Passing null clears the stored hash without any validation. Any other
  * value goes through UsersManager::checkPasswordHash() before it is stored.
  *
  * @param string|null $passwordHash The password hash, or null to clear it.
  */
 public function setPasswordHash($passwordHash)
 {
     if ($passwordHash !== null) {
         // Sanity check on the hash format; the translated message is handed to the checker.
         UsersManager::checkPasswordHash($passwordHash, Piwik::translate('Login_ExceptionPasswordMD5HashExpected'));
     }

     $this->hashedPassword = $passwordHash;
 }
Esempio n. 6
 /**
  * Saves password reset info and sends the confirmation email.
  *
  * Order of operations: validate the submitted password, resolve the account
  * from the submitted login/email, store the reset info, then send the
  * confirmation link. If sending fails, the stored reset info is removed again.
  *
  * NOTE(review): an unknown login/email returns an error while a known one
  * returns null. If the caller shows that difference to an unauthenticated
  * visitor, the form can be used to find out which accounts exist - confirm
  * how the caller renders the result.
  *
  * @param QuickForm2 $form
  * @return array|null Error message(s) if an error occurs, null on success.
  */
 private function resetPasswordFirstStep($form)
 {
     $loginOrEmail = $form->getSubmitValue('form_login');
     $newPassword = $form->getSubmitValue('form_password');

     // Reject passwords that fail the password check before touching any account data.
     try {
         UsersManager::checkPassword($newPassword);
     } catch (Exception $ex) {
         return array($ex->getMessage());
     }

     // 'anonymous' is never looked up; it gets the same message as an unknown account.
     $user = $loginOrEmail === 'anonymous' ? null : self::getUserInformation($loginOrEmail);
     if ($user === null) {
         return array(Piwik::translate('Login_InvalidUsernameEmail'));
     }

     $login = $user['login'];

     // Persist the pending reset first ...
     Login::savePasswordResetInfo($login, $newPassword);

     // ... then mail the confirmation link, rolling the pending reset back on failure.
     try {
         $this->sendEmailConfirmationLink($user);
     } catch (Exception $ex) {
         Login::removePasswordResetInfo($login);
         return array($ex->getMessage() . Piwik::translate('Login_ContactAdmin'));
     }

     return null;
 }
Esempio n. 7
 /**
  * Updates a user in the database.
  * Only login and password are required (case when we update the password).
  * When the password changes, the key token for this user will change, which could break
  * its API calls.
  *
  * Empty $password, $email or $alias values fall back to what is currently stored for the user.
  * When $_isPasswordHashed is true, $password is written as given: the checkPassword() and
  * getPasswordHash() steps are skipped.
  *
  * NOTE(review): $_isPasswordHashed is a parameter of a public method; confirm that callers
  * outside trusted code cannot set it, since it bypasses the password check.
  *
  * @see addUser() for all the parameters
  */
 public function updateUser($userLogin, $password = false, $email = false, $alias = false, $_isPasswordHashed = false)
 {
     // Access checks run before any data is read or written.
     Piwik::checkUserIsSuperUserOrTheUser($userLogin);
     $this->checkUserIsNotAnonymous($userLogin);
     $this->checkUserIsNotSuperUser($userLogin);
     $userInfo = $this->getUser($userLogin);
     if (empty($password)) {
         // No new password supplied: keep the stored value so the token computed below stays the same.
         $password = $userInfo['password'];
     } else {
         $password = Common::unsanitizeInputValue($password);
         if (!$_isPasswordHashed) {
             UsersManager::checkPassword($password);
             $password = UsersManager::getPasswordHash($password);
         }
     }
     if (empty($alias)) {
         $alias = $userInfo['alias'];
     }
     if (empty($email)) {
         $email = $userInfo['email'];
     }
     // Only a changed email is validated. NOTE(review): this is a loose (!=) comparison.
     if ($email != $userInfo['email']) {
         $this->checkEmail($email);
     }
     $alias = $this->getCleanAlias($alias, $userLogin);
     // The token is recomputed from login + password value on every update.
     $token_auth = $this->getTokenAuth($userLogin, $password);
     $db = Db::get();
     // NOTE(review): the login value inside the WHERE string is masked on this page. If the
     // real file interpolates $userLogin into that string, bind or quote the value through
     // the database layer instead - confirm against the original source.
     $db->update(Common::prefixTable("user"), array('password' => $password, 'alias' => $alias, 'email' => $email, 'token_auth' => $token_auth), "login = '******'");
     Cache::deleteTrackerCache();
     /**
      * Triggered after an existing user has been updated.
      * 
      * @param string $userLogin The user's login handle.
      */
     Piwik::postEvent('UsersManager.updateUser.end', array($userLogin));
 }
 /**
  * Stores the hash of $this->password for $this->login together with a freshly
  * computed token_auth, then mirrors both values into the in-memory user data.
  */
 private function updateUserPassword()
 {
     $currentUser = $this->getUserForLogin();
     $newHash = UsersManager::getPasswordHash($this->password);
     $freshToken = $this->usersManagerAPI->getTokenAuth($this->login, $newHash);

     // Email and alias are carried over unchanged from the current record.
     $this->usersModel->updateUser($this->login, $newHash, $currentUser['email'], $currentUser['alias'], $freshToken);

     // make sure cookie has correct token auth
     $this->userForLogin['password'] = $newHash;
     $this->userForLogin['token_auth'] = $freshToken;
     $this->token_auth = $freshToken;
 }
Esempio n. 9
 /**
  * Stores password reset info for a specific login.
  *
  * What gets written to the option is the output of
  * UsersManager::getPasswordHash(), not the password as submitted.
  *
  * @param string $login The user login for whom a password change was requested.
  * @param string $password The new password to set.
  */
 public static function savePasswordResetInfo($login, $password)
 {
     Option::set(
         self::getPasswordResetInfoOptionName($login),
         UsersManager::getPasswordHash($password)
     );
 }
Esempio n. 10
 /**
  * Updates a user in the database.
  * Only login and password are required (case when we update the password).
  * When the password changes, the key token for this user will change, which could break
  * its API calls.
  *
  * Empty $password, $email or $alias values fall back to what is currently stored for the user.
  * When $_isPasswordHashed is true, $password is written as given: the checkPassword() and
  * getPasswordHash() steps are skipped.
  *
  * NOTE(review): $_isPasswordHashed is a parameter of a public method; confirm that callers
  * outside trusted code cannot set it, since it bypasses the password check.
  *
  * @see addUser() for all the parameters
  */
 public function updateUser($userLogin, $password = false, $email = false, $alias = false, $_isPasswordHashed = false)
 {
     // Access checks run before any data is read or written.
     Piwik::checkUserHasSuperUserAccessOrIsTheUser($userLogin);
     $this->checkUserIsNotAnonymous($userLogin);

     $storedUser = $this->getUser($userLogin);

     $passwordHasBeenUpdated = !empty($password);
     if ($passwordHasBeenUpdated) {
         $password = Common::unsanitizeInputValue($password);
         if (!$_isPasswordHashed) {
             UsersManager::checkPassword($password);
             $password = UsersManager::getPasswordHash($password);
         }
     } else {
         // No new password supplied: keep the stored value.
         $password = $storedUser['password'];
     }

     $alias = empty($alias) ? $storedUser['alias'] : $alias;
     $email = empty($email) ? $storedUser['email'] : $email;

     // Only a changed email is validated.
     if ($email != $storedUser['email']) {
         $this->checkEmail($email);
     }

     $alias = $this->getCleanAlias($alias, $userLogin);
     $tokenAuth = $this->getTokenAuth($userLogin, $password);

     $this->model->updateUser($userLogin, $password, $email, $alias, $tokenAuth);
     Cache::deleteTrackerCache();

     /**
      * Triggered after an existing user has been updated.
      * Event notify about password change.
      *
      * NOTE(review): the stored password value is handed to every listener of this
      * event; confirm that listeners neither log nor forward it.
      *
      * @param string $userLogin The user's login handle.
      * @param boolean $passwordHasBeenUpdated Flag containing information about password change.
      * @param string $email The email that was written.
      * @param string $password The password value that was written (the hash, or the
      *                         caller-supplied value when $_isPasswordHashed is true).
      * @param string $alias The alias that was written.
      */
     Piwik::postEvent('UsersManager.updateUser.end', array($userLogin, $passwordHasBeenUpdated, $email, $password, $alias));
 }
Esempio n. 11
 /**
  * Stores password reset info for a specific login.
  *
  * What gets written to the option is the output of
  * UsersManager::getPasswordHash(), not the password as submitted.
  *
  * @param string $login The user login for whom a password change was requested.
  * @param string $newPassword The new password to set.
  */
 private function savePasswordResetInfo($login, $newPassword)
 {
     Option::set(
         $this->getPasswordResetInfoOptionName($login),
         UsersManager::getPasswordHash($newPassword)
     );
 }
Esempio n. 12
 /**
  * Generates the MD5-based token for the given login & password hash.
  *
  * The token is md5(login . password hash) with no other input, so the same
  * login and hash always yield the same token, and the token changes only
  * when the password hash does. Anyone who can read the stored password hash
  * can therefore recompute the token; protect both values equally.
  *
  * @param string $userLogin Login
  * @param string $md5Password hashed string of the password (using current hash function; MD5-named for historical reasons)
  * @return string
  */
 public function getTokenAuth($userLogin, $md5Password)
 {
     // Validates the format of the supplied hash before it is used.
     UsersManager::checkPasswordHash($md5Password, Piwik::translate('UsersManager_ExceptionPasswordMD5HashExpected'));

     $tokenAuth = md5($userLogin . $md5Password);

     return $tokenAuth;
 }
Esempio n. 13
File: API.php Progetto: piwik/piwik
 /**
  * Returns the user's API token.
  *
  * If the username/password combination is incorrect an invalid token will be returned.
  * The stored token is returned only after the supplied hash has been verified against
  * the stored password; a failed verification yields a throwaway value instead of an error.
  *
  * @param string $userLogin Login
  * @param string $md5Password hashed string of the password (using current hash function; MD5-named for historical reasons)
  * @return string
  */
 public function getTokenAuth($userLogin, $md5Password)
 {
     // Validates the format of the supplied hash before any lookup.
     UsersManager::checkPasswordHash($md5Password, Piwik::translate('UsersManager_ExceptionPasswordMD5HashExpected'));
     $user = $this->model->getUser($userLogin);
     // NOTE(review): $user['password'] is read without checking that getUser() found a row;
     // confirm verify() copes with a missing value and that unknown and known logins take
     // the same path from the caller's point of view.
     if (!$this->password->verify($md5Password, $user['password'])) {
         // Built from the login, the current time and a unique id; it is not stored by this
         // method, so it is presumably never accepted as a real token.
         return md5($userLogin . microtime(true) . Common::generateUniqId());
     }
     // Upgrade the stored password hash when the password helper reports it as outdated.
     if ($this->password->needsRehash($user['password'])) {
         $this->updateUser($userLogin, $this->password->hash($md5Password));
     }
     // NOTE(review): $user was loaded before updateUser() ran; if that call regenerates
     // token_auth, the value returned here is the previous one - confirm.
     return $user['token_auth'];
 }