コード例 #1
ファイル: BeeHub_Users.php プロジェクト: niekbosch/BeeHub
 /**
  * Returns a form to register a new user. No authentication required.
  * @see DAV_Resource::method_GET
  */
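 public function method_GET()
 {
     // Enforce the read-content privilege before anything is rendered.
     $this->assert(BeeHub::PRIV_READ_CONTENT);
     // Outside the development environment the form is only served over
     // HTTPS; a plain-HTTP request is answered with a permanent redirect.
     if (empty($_SERVER['HTTPS']) && APPLICATION_ENV !== BeeHub::ENVIRONMENT_DEVELOPMENT) {
         // NOTE(review): REQUEST_URI is client-controlled and is percent-decoded
         // before it becomes the redirect target. Confirm that DAV_Status
         // re-encodes the value and rejects CR/LF when it writes the Location
         // header.
         throw new DAV_Status(DAV::HTTP_MOVED_PERMANENTLY, BeeHub::urlbase(true) . rawurldecode($_SERVER['REQUEST_URI']));
     }
     $display_name = '';
     $email_address = '';
     $as = BeeHub::getAuth()->simpleSaml();
     if ($as->isAuthenticated()) {
         // Prefill the form from the SAML attributes when they are present.
         // Explicit isset() checks replace the former '@' suppression, so a
         // missing attribute keeps the empty-string default instead of
         // silently becoming null.
         $attrs = $as->getAttributes();
         if (isset($attrs['urn:mace:dir:attribute-def:displayName'][0])) {
             $display_name = $attrs['urn:mace:dir:attribute-def:displayName'][0];
         }
         if (isset($attrs['urn:mace:dir:attribute-def:mail'][0])) {
             $email_address = $attrs['urn:mace:dir:attribute-def:mail'][0];
         }
     }
     // NOTE(review): both values originate from the identity provider and are
     // handed to the view unmodified; confirm the 'new_user' view HTML-escapes
     // them on output.
     $this->include_view('new_user', array('display_name' => $display_name, 'email_address' => $email_address));
 }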
コード例 #2
ファイル: BeeHub_User.php プロジェクト: niekbosch/BeeHub
    /**
     * Stores properties set earlier by set().
     * @return void
     * @throws DAV_Status in particular 507 (Insufficient Storage)
     */
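    public function storeProperties()
    {
        // Nothing was modified through set() since the last store.
        if (!$this->touched) {
            return;
        }
        $collection = BeeHub::getNoSQL()->users;
        $document = $collection->findOne(array('name' => $this->name));
        // Mirror the in-memory properties into the document; a property that
        // is no longer set is removed from the document as well.
        if (isset($this->stored_props[DAV::PROP_DISPLAYNAME])) {
            $document['displayname'] = $this->stored_props[DAV::PROP_DISPLAYNAME];
        } else {
            unset($document['displayname']);
        }
        if (isset($this->stored_props[BeeHub::PROP_X509])) {
            $document['x509'] = $this->stored_props[BeeHub::PROP_X509];
        } else {
            unset($document['x509']);
        }
        // A SURFconext id identifies exactly one BeeHub account: refuse to
        // store an id that is already linked to a different user.
        if (isset($this->stored_props[BeeHub::PROP_SURFCONEXT])) {
            $conextDuplicate = $collection->findOne(array('surfconext_id' => $this->stored_props[BeeHub::PROP_SURFCONEXT]), array('name' => true));
            if (!is_null($conextDuplicate) && $conextDuplicate['name'] !== $this->name) {
                throw new DAV_Status(DAV::HTTP_CONFLICT, "This SURFconext id is already used by a different BeeHub user.");
            }
            $document['surfconext_id'] = $this->stored_props[BeeHub::PROP_SURFCONEXT];
            $document['surfconext_description'] = isset($this->stored_props[BeeHub::PROP_SURFCONEXT_DESCRIPTION])
                ? $this->stored_props[BeeHub::PROP_SURFCONEXT_DESCRIPTION]
                : null;
        } else {
            unset($document['surfconext_id'], $document['surfconext_description']);
        }
        // The default sponsor is only accepted when the user is already
        // sponsored by it; any other value is ignored.
        $p_sponsor = basename(isset($this->stored_props[BeeHub::PROP_SPONSOR]) ? $this->stored_props[BeeHub::PROP_SPONSOR] : '');
        if (isset($document['sponsors']) && is_array($document['sponsors']) && in_array($p_sponsor, $document['sponsors'])) {
            $document['default_sponsor'] = $p_sponsor;
        }
        // A changed e-mail address is parked as "unverified" until the owner
        // of the mailbox proves control of it with the verification code.
        $new_email = isset($this->stored_props[BeeHub::PROP_EMAIL]) ? $this->stored_props[BeeHub::PROP_EMAIL] : null;
        $current_email = isset($document['email']) ? $document['email'] : null;
        $change_email = false;
        if ($new_email !== $current_email) {
            $change_email = true;
            $document['unverified_email'] = $new_email;
            // The verification code is the only proof of mailbox ownership, so
            // it is drawn from a cryptographically secure source rather than
            // derived from the clock and rand(). 16 random bytes keep the
            // 32-hex-character format of the former md5() value.
            if (function_exists('random_bytes')) {
                $random = random_bytes(16);
            } elseif (function_exists('openssl_random_pseudo_bytes')) {
                $strong = false;
                $random = openssl_random_pseudo_bytes(16, $strong);
                if ($random === false || !$strong) {
                    throw new DAV_Status(DAV::HTTP_INTERNAL_SERVER_ERROR);
                }
            } else {
                // No secure random source available: fail rather than issue a
                // guessable code.
                throw new DAV_Status(DAV::HTTP_INTERNAL_SERVER_ERROR);
            }
            $document['verification_code'] = bin2hex($random);
            $document['verification_expiration'] = time() + 60 * 60 * 24;
        }
        // Write all data to database
        $saveResult = $collection->save($document);
        if (!$saveResult['ok']) {
            throw new DAV_Status(DAV::HTTP_INTERNAL_SERVER_ERROR);
        }
        // Notify the user if needed; the mail is only sent after the code has
        // been persisted.
        if ($change_email) {
            $activation_link = BeeHub::urlbase(true) . DAV::encodeURIFullPath($this->path) . '?verification_code=' . $document['verification_code'];
            $message = 'Dear ' . $document['displayname'] . ',

This e-mail address (' . $document['unverified_email'] . ') is added to the BeeHub account \'' . $this->name . '\'. You need to confirm this action by following this link:

' . $activation_link . '

If this link doesn\'t work, on your profile page go to the tab \'Verify e-mail address\' and fill out the following verification code:

' . $document['verification_code'] . '

Note that your verification code is only valid for 24 hours. Also, for new users, if you don\'t have a validated e-mail address, your account will automatically be removed after 24 hours.

If this was a mistake, or you do not want to add this e-mail address to this BeeHub account, you don\'t have to do anything.

Best regards,

BeeHub';
            BeeHub::email(array($document['unverified_email'] => $document['displayname']), 'Verify e-mail address for BeeHub', $message);
        }
        // Update the json file containing all displaynames of all privileges
        self::update_principals_json();
        $this->touched = false;
    }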
コード例 #3
ファイル: navbar.php プロジェクト: niekbosch/BeeHub
                      <li><a href="<?php 
        echo DAV::getPath() . '?logout=yes';
        ?>
">Log out from SURFconext</a></li>
                    <?php 
    } else {
        ?>
                      <li><a href="<?php 
        echo BeeHub::urlbase(true) . DAV::getPath() . '?login=conext';
        ?>
">With SURFconext</a></li>
                    <?php 
    }
    ?>
                    <li><a href="<?php 
    echo BeeHub::urlbase(true) . '/system/password_reset.php';
    ?>
">I forgot my password</a></li>
                  </ul>
                </li>
              <?php 
}
?>
              <li class="beehub-spacer-surfsara-logo visible-desktop"></li>
            </ul>
          </div>
        </div>
      </div>
    </div>
    <div class="beehub-spacer-navbar-fixed-top visible-desktop"></div>
    <a href="http://www.surfsara.nl/"><img src="/system/img/surfsara.png" class="surfsara-logo visible-desktop" alt="A service by SURFsara" /></a>
コード例 #4
ファイル: BeeHub_Sponsor.php プロジェクト: niekbosch/BeeHub
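    /**
     * Handles POST requests on a sponsor: membership requests made by the
     * current user and membership administration by sponsor administrators.
     *
     * Recognised $_POST keys are 'leave' and 'join' for any authenticated
     * user, and the administrator-only lists 'add_members', 'add_admins',
     * 'delete_admins' and 'delete_members'.
     *
     * @param mixed $headers passed by reference; neither read nor modified here
     * @return void
     * @throws DAV_Status the DAV::forbidden() status when the requester is not
     *   authenticated or submits an administrator-only key without being an
     *   administrator; 400 when an administrator key does not hold an array
     */
    public function method_POST(&$headers)
    {
        // NOTE(review): no anti-CSRF token is checked inside this method;
        // confirm that state-changing POSTs are protected before they are
        // dispatched here.
        $auth = BeeHub::getAuth();
        if (!$auth->is_authenticated()) {
            throw DAV::forbidden();
        }
        // Administrator-only keys are rejected up front, before any
        // membership is touched, so a mixed request cannot be half applied.
        $admin_functions = array('add_members', 'add_admins', 'delete_admins', 'delete_members');
        if (!$this->is_admin()) {
            foreach ($admin_functions as $function) {
                if (isset($_POST[$function])) {
                    throw DAV::forbidden();
                }
            }
        }
        // Allow users to request or remove membership
        $current_user = $auth->current_user();
        if (isset($_POST['leave'])) {
            // change_memberships() is given a list of user names everywhere
            // else in this method; 'leave' used to pass the user object itself.
            $this->change_memberships(array($current_user->name), self::DELETE_MEMBER);
        }
        if (isset($_POST['join'])) {
            $message = null;
            if (!$this->is_member()) {
                // This user was not invited to this sponsor, so send the administrators an e-mail with this request
                $message = 'Dear sponsor administrator,

' . $current_user->prop(DAV::PROP_DISPLAYNAME) . ' (' . $current_user->prop(BeeHub::PROP_EMAIL) . ') wants to join the sponsor \'' . $this->prop(DAV::PROP_DISPLAYNAME) . '\'. One of the sponsor administrators needs to either accept or reject this membership request. Please see your notifications in BeeHub to do this:

' . BeeHub::urlbase(true) . '/system/?show_notifications=1

Best regards,

BeeHub';
                $recipients = array();
                foreach ($this->users as $user => $attributes) {
                    if ($attributes['is_admin']) {
                        $user = BeeHub::user($user);
                        $recipients[$user->prop(BeeHub::PROP_EMAIL)] = $user->prop(DAV::PROP_DISPLAYNAME);
                    }
                }
            }
            $this->change_memberships(array($current_user->name), self::USER_ACCEPT);
            if (!is_null($message)) {
                // NOTE(review): user-chosen display names end up in the mail
                // subject and body; confirm BeeHub::email() strips CR/LF from
                // header fields.
                BeeHub::email($recipients, 'BeeHub notification: membership request for sponsor ' . $this->prop(DAV::PROP_DISPLAYNAME), $message);
            }
        }
        // Run administrator actions: add members, admins and requests
        foreach ($admin_functions as $key) {
            if (isset($_POST[$key])) {
                if (!is_array($_POST[$key])) {
                    throw new DAV_Status(DAV::HTTP_BAD_REQUEST);
                }
                $members = array_map(array('BeeHub_Sponsor', 'get_user_name'), $_POST[$key]);
                switch ($key) {
                    case 'add_members':
                        // Work out who is new before changing anything, but
                        // only send the notifications once the membership
                        // change has gone through, as 'delete_members' does.
                        $new_members = array();
                        foreach ($members as $member) {
                            $user = BeeHub::user($member);
                            if (!$this->is_member($user)) {
                                $new_members[] = $user;
                            }
                        }
                        $this->change_memberships($members, self::ADMIN_ACCEPT);
                        foreach ($new_members as $user) {
                            // The user was not a member of this sponsor yet, so notify him/her
                            $message = 'Dear ' . $user->prop(DAV::PROP_DISPLAYNAME) . ',

You are now sponsored by \'' . $this->prop(DAV::PROP_DISPLAYNAME) . '\'.

Best regards,

BeeHub';
                            BeeHub::email(array($user->prop(BeeHub::PROP_EMAIL) => $user->prop(DAV::PROP_DISPLAYNAME)), 'BeeHub notification: new sponsor ' . $this->prop(DAV::PROP_DISPLAYNAME), $message);
                        }
                        break;
                    case 'add_admins':
                        $this->change_memberships($members, self::SET_ADMIN);
                        break;
                    case 'delete_admins':
                        $this->check_admin_remove($members);
                        $this->change_memberships($members, self::UNSET_ADMIN);
                        break;
                    case 'delete_members':
                        $this->change_memberships($members, self::DELETE_MEMBER);
                        foreach ($members as $member) {
                            $user = BeeHub::user($member);
                            $message = 'Dear ' . $user->prop(DAV::PROP_DISPLAYNAME) . ',

Sponsor administrator ' . $current_user->prop(DAV::PROP_DISPLAYNAME) . ' removed you from the sponsor \'' . $this->prop(DAV::PROP_DISPLAYNAME) . '\'. If you believe you should be a member of this sponsor, please contact one of the sponsor administrators.

Best regards,

BeeHub';
                            BeeHub::email(array($user->prop(BeeHub::PROP_EMAIL) => $user->prop(DAV::PROP_DISPLAYNAME)), 'BeeHub notification: removed from sponsor ' . $this->prop(DAV::PROP_DISPLAYNAME), $message);
                        }
                        break;
                    default:
                        // $key always comes from $admin_functions, so this is
                        // only reachable if that list and this switch diverge.
                        throw new DAV_Status(DAV::HTTP_INTERNAL_SERVER_ERROR);
                }
            }
        }
    }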
コード例 #5
ファイル: beehubTest.php プロジェクト: niekbosch/BeeHub
 /**
  * Verifies the base URL reported by BeeHub::urlbase(), first for the request
  * state the test starts with and then for a request without HTTPS.
  */
 public function testUrlbase()
 {
     $secureBase = \BeeHub::urlbase();
     $this->assertSame('https://beehub.nl', $secureBase, 'BeeHub::urlbase() should return the correct base URL');

     // Simulate a plain-HTTP request for another host name. The expected
     // value keeps port 443, presumably taken from the port the fixture
     // configures — TODO confirm against setUp().
     // NOTE(review): $_SERVER is modified and not restored here; confirm the
     // fixture resets it so later tests do not inherit this state.
     unset($_SERVER['HTTPS']);
     $_SERVER['SERVER_NAME'] = 'www.beehub.nl';
     $plainBase = \BeeHub::urlbase();
     $this->assertSame('http://www.beehub.nl:443', $plainBase, 'BeeHub::urlbase() should return the correct base URL for none HTTPS requests');
 }
コード例 #6
ファイル: BeeHub_Auth.php プロジェクト: niekbosch/BeeHub
 /**
  * Authenticates the user through one of the authentication mechanisms.
  * @param  boolean $requireAuth  If set to false and authentication fails,
  *   the user will continue as an unauthenticated user. If set to true
  *   (default), status 401 UNAUTHORIZED will be returned upon authentication
  *   failure.
  * @param  boolean  $allowDoubleLogin  TODO documentation
  */
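 public function handle_authentication($requireAuth = true, $allowDoubleLogin = false)
 {
     // We start with assuming nobody is logged in
     $this->set_user(null);
     $this->SURFconext = false;
     // Requested login mechanism ('passwd', 'conext' or absent), read once
     // instead of repeating '@'-suppressed lookups.
     $login = isset($_GET['login']) ? $_GET['login'] : null;
     if (isset($_GET['logout'])) {
         if ($this->simpleSAML_authentication->isAuthenticated()) {
             $this->simpleSAML_authentication->logout();
         }
         if (!empty($_SERVER['HTTPS'])) {
             DAV::redirect(DAV::HTTP_SEE_OTHER, BeeHub::urlbase(false) . '/system/');
             return;
         }
     }
     if (isset($_SERVER['PHP_AUTH_PW'])) {
         // Unless $allowDoubleLogin is set, HTTP Basic credentials and a
         // SURFconext session are mutually exclusive: an existing SAML
         // session is ended and an explicit SURFconext login is refused.
         if (!$allowDoubleLogin) {
             if ($this->simpleSAML_authentication->isAuthenticated()) {
                 // You can't be logged in through SURFconext and HTTP Basic at the same time!
                 $this->simpleSAML_authentication->logout();
             }
             if ('conext' === $login) {
                 throw new DAV_Status(DAV::HTTP_BAD_REQUEST, "You are already logged in using your username/password. Therefore you are not allowed to login using SURFconext. Unfortunately the only way to logout with your username and password is to close all browser windows. Hit the 'back' button in your browser and login using username/password.");
             }
         }
         // The user already sent username and password: check them!
         // Fail closed: the flag is false unless check_password() says
         // otherwise. It used to stay undefined when the lookup threw a
         // DAV_Status other than 403.
         $password_verified = false;
         try {
             $user = BeeHub::user($_SERVER['PHP_AUTH_USER']);
             $password_verified = $user->check_password($_SERVER['PHP_AUTH_PW']);
         } catch (DAV_Status $status) {
             // Any DAV_Status raised while resolving or checking the user
             // counts as a failed login, so unknown users and wrong passwords
             // are handled the same way.
             $password_verified = false;
         }
         if (!$password_verified) {
             // If authentication fails, respond accordingly
             if ('passwd' === $login || $requireAuth) {
                 // User could not be authenticated with supplied credentials, but we
                 // require authentication, so we ask again!
                 $this->unauthorized();
             }
         } else {
             // Authentication succeeded: store credentials!
             $this->set_user($_SERVER['PHP_AUTH_USER']);
         }
         // end of: if (user sent username/passwd)
     } elseif ('passwd' !== $login && $this->simpleSAML_authentication->isAuthenticated()) {
         $nameId = $this->simpleSAML_authentication->getAuthData("saml:sp:NameID");
         $surfId = isset($nameId['Value']) ? $nameId['Value'] : null;
         // Refuse a missing or empty NameID. A null value in a MongoDB
         // equality filter also matches documents that lack the field, so
         // looking it up would select an account that has no SURFconext id.
         if (!is_string($surfId) || '' === $surfId) {
             throw new DAV_Status(DAV::HTTP_FORBIDDEN, 'The SURFconext login did not provide a usable identifier.');
         }
         $collection = BeeHub::getNoSQL()->users;
         $result = $collection->findOne(array('surfconext_id' => $surfId), array('name' => true));
         if (!is_null($result)) {
             // We found a user, this is the one that's logged in!
             $this->SURFconext = true;
             $this->set_user($result['name']);
         } elseif (rawurldecode($_SERVER['REQUEST_URI']) !== BeeHub::USERS_PATH) {
             // Unknown SURFconext id: send the visitor to the users path,
             // unless the request is already for it.
             throw new DAV_Status(DAV::HTTP_TEMPORARY_REDIRECT, BeeHub::urlbase(true) . BeeHub::USERS_PATH);
         }
     } elseif ('conext' === $login) {
         // No SAML session yet and a SURFconext login was requested: start it
         $this->simpleSAML_authentication->login();
     } elseif ('passwd' === $login || $requireAuth) {
         // If the user didn't send any credentials, but we require authentication, ask for it!
         $this->unauthorized();
     }
     // If the current user is logged in, but has no verified e-mail address.
     // He/she is not authorized to do anything, but will get a message that we
     // want a verified e-mail address. Although he has to be able to verify
     // his e-mail address of course (so GET and POST on /system/users/<name>
     // is allowed)
     $user = $this->current_user();
     if (!is_null($user)) {
         // Update the http://beehub.nl/ last-activity property
         $user->user_set(BeeHub::PROP_LAST_ACTIVITY, date('Y-m-d\\TH:i:sP'));
         $user->storeProperties();
         $email = $user->prop(BeeHub::PROP_EMAIL);
         if (empty($email) && DAV::unslashify(DAV::getPath()) != DAV::unslashify($user->path)) {
             $message = file_get_contents(dirname(dirname(__FILE__)) . '/views/error_no_verified_email.html');
             $message = str_replace('%USER_PATH%', BeeHub::urlbase(true) . DAV::encodeURIFullPath($user->path), $message);
             BeeHub::htmlError($message, DAV::HTTP_FORBIDDEN);
         }
     }
 }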
コード例 #7
ファイル: saml_connect.php プロジェクト: niekbosch/BeeHub
<?php

// Entry script that requires the visitor to be authenticated through HTTP
// Basic and through simpleSAML at the same time. The part that handles the
// POST continues beyond this excerpt.

// Fall back to 'production' when APPLICATION_ENV is not set in the environment.
defined('APPLICATION_ENV') || define('APPLICATION_ENV', getenv('APPLICATION_ENV') ? strtolower(getenv('APPLICATION_ENV')) : 'production');
// Define ENT_HTML5 as 0 when the running PHP does not provide the constant.
defined('ENT_HTML5') || define('ENT_HTML5', 0);
require_once dirname(dirname(dirname(__FILE__))) . DIRECTORY_SEPARATOR . 'src' . DIRECTORY_SEPARATOR . 'beehub_bootstrap.php';
// Credentials are exchanged below, so plain-HTTP requests are redirected to
// the HTTPS base URL before anything else happens.
// NOTE(review): REQUEST_URI is client-supplied and is appended unmodified to
// the Location header; confirm that is acceptable for this redirect.
if (empty($_SERVER['HTTPS'])) {
    header('location: ' . BeeHub::urlbase(true) . $_SERVER['REQUEST_URI']);
    die;
}
// You have to be logged in through HTTP Basic authentication
if (empty($_SERVER['PHP_AUTH_PW'])) {
    BeeHub_Auth::inst()->unauthorized();
    die;
}
$auth = BeeHub_Auth::inst();
// First argument: authentication is required. Second argument: allow the
// double login, since this script needs both sessions side by side.
$auth->handle_authentication(true, true);
// And through simpleSAML too!
$simpleSaml = $auth->simpleSaml();
if (!$simpleSaml->isAuthenticated()) {
    $simpleSaml->login();
}
// GET only renders the view; anything other than GET or POST is rejected.
if ($_SERVER['REQUEST_METHOD'] === 'GET') {
    // NOTE(review): relative path, so it is resolved through include_path and
    // the working directory; an absolute path built from __FILE__ would pin
    // which file gets loaded.
    require_once 'views' . DIRECTORY_SEPARATOR . 'saml_connect.php';
    exit;
}
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    // NOTE(review): thrown at script top level; confirm the bootstrap installs
    // a handler that turns DAV_Status into an HTTP response.
    throw new DAV_Status(DAV::HTTP_METHOD_NOT_ALLOWED);
}
// Get some authentication info
$user = $auth->current_user();
// NOTE(review): the NameID may be absent; confirm the code that follows
// validates it before using it as an account identifier.
$surfId = $simpleSaml->getAuthData("saml:sp:NameID");
コード例 #8
ファイル: password_reset.php プロジェクト: niekbosch/BeeHub
    } catch (DAV_Status $exception) {
        // We don't care yet whether we found a valid user, because that will be checked depending on what the user is actually trying to do.
    }
    // Check whether we need to send a reset code or need to check it
    if (isset($_POST['reset_code']) && !empty($_POST['reset_code'])) {
        if (!is_null($user) && (isset($_POST['new_password']) && !empty($_POST['new_password'])) && (isset($_POST['new_password2']) && $_POST['new_password'] === $_POST['new_password2']) && $user->check_password_reset_code($_POST['reset_code'])) {
            $user->set_password($_POST['new_password']);
            require 'views/password_reset_done.php';
        } else {
            BeeHub::htmlError('<p>The form was not correctly filled out.</p>', DAV::HTTP_BAD_REQUEST);
        }
    } else {
        // Send a new reset code
        if (!is_null($user)) {
            $reset_code = $user->create_password_reset_code();
            $reset_link = BeeHub::urlbase(true) . '/system/password_reset.php?reset_code=' . $reset_code . '&username='******'Dear ' . $user->prop(DAV::PROP_DISPLAYNAME) . ',

  A password reset was requested for your BeeHub account. You can confirm this action by following this link:

  ' . $reset_link . '

  If this link doesn\'t work, you can go to BeeHub and choose \'I forgot my password\' in the login menu. Here, on the \'Enter reset code\' tab you can fill out the following details:

  Username: '******'
  Reset code: ' . $reset_code . '

  Note that you\'re reset code is only valid for 1 hours.

  If this was a mistake, or you do not want to reset the password for your BeeHub account, you don\'t have to do anything.