コード例 #1
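 /**
  * Logs a user in when the submitted password matches the configured master password.
  *
  * The submitted password is hashed as md5(md5($password) . Seed) and compared
  * with General/MasterPassword from nxcmasterpassword.ini. On a match the
  * account named by $login is looked up by login name and/or e-mail (depending
  * on $authenticationMatch) and, if enabled, becomes the current user. The
  * account's own password is never checked on this path.
  *
  * NOTE(review): a master password bypasses per-account credentials for every
  * enabled account, and nothing in this method records that it was used.
  * Callers should audit-log successful master-password logins. MD5 is also a
  * fast hash; the stored value should be treated as sensitive as the password.
  *
  * @param string $login Login name or e-mail address of the account to open.
  * @param string $password Candidate master password as submitted.
  * @param int|false $authenticationMatch eZUser::AUTHENTICATE_* value, or false
  *        to use eZUser::authenticationMatch().
  * @return eZUser|false The logged-in user, or false when the master password
  *         does not match or no enabled account is found.
  */
 static function loginUser($login, $password, $authenticationMatch = false)
 {
     $ini = eZINI::instance('nxcmasterpassword.ini');
     $masterPassword = $ini->variable('General', 'MasterPassword');
     $candidate = md5(md5($password) . $ini->variable('General', 'Seed'));

     // The original used `==`, which compares numeric-looking strings as
     // numbers: two different "0e<digits>" hashes would be treated as equal.
     // hash_equals() compares byte-for-byte and in constant time; a missing or
     // empty setting can never match.
     if (!is_string($masterPassword) || $masterPassword === '' || !hash_equals($masterPassword, $candidate)) {
         return false;
     }

     if ($authenticationMatch === false) {
         $authenticationMatch = eZUser::authenticationMatch();
     }

     $user = null;
     $matchesAll = $authenticationMatch == eZUser::AUTHENTICATE_ALL;
     if ($matchesAll || $authenticationMatch == eZUser::AUTHENTICATE_LOGIN) {
         $user = eZUser::fetchByName($login);
     }
     // Fall back to the e-mail lookup only when the name lookup found nothing.
     if (!($user instanceof eZUser) && ($matchesAll || $authenticationMatch == eZUser::AUTHENTICATE_EMAIL)) {
         $user = eZUser::fetchByEmail($login);
     }

     if ($user instanceof eZUser && $user->isEnabled() === true) {
         eZUser::setCurrentlyLoggedInUser($user, $user->attribute('contentobject_id'));
         return $user;
     }

     return false;
 }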
コード例 #2
 /**
  * Logs in a user if the supplied login and password are valid.
  *
  * This method does not do any house keeping work anymore (writing audits, etc).
  * When you call this method make sure to call loginSucceeded() or loginFailed()
  * depending on the success of the login.
  *
  * @param string $login
  * @param string $password
  * @param bool $authenticationMatch
  * @return mixed eZUser object on log in success, int userID if the username
  *         exists but log in failed, or false if the username doesn't exist.
  */
 protected static function _loginUser($login, $password, $authenticationMatch = false)
 {
     // $http is fetched here but not used anywhere in this method.
     $http = eZHTTPTool::instance();
     $db = eZDB::instance();
     if ($authenticationMatch === false) {
         $authenticationMatch = eZUser::authenticationMatch();
     }
     $login = self::trimAuthString($login);
     $password = self::trimAuthString($password);
     // Both values are escaped because they are interpolated into SQL text below
     // rather than bound as parameters.
     $loginEscaped = $db->escapeString($login);
     $passwordEscaped = $db->escapeString($password);
     // Build the "who" part of the WHERE clause from the enabled match modes.
     // NOTE(review): the login='******' literals in this listing look masked by
     // the page this code was copied from; presumably the escaped login is
     // interpolated there. Confirm against the upstream file before reuse.
     $loginArray = array();
     if ($authenticationMatch & self::AUTHENTICATE_LOGIN) {
         $loginArray[] = "login='******'";
     }
     if ($authenticationMatch & self::AUTHENTICATE_EMAIL) {
         // Only match on e-mail when the input is a syntactically valid address.
         if (eZMail::validate($login)) {
             $loginArray[] = "email='{$loginEscaped}'";
         }
     }
     // Never run the query without a login condition.
     if (empty($loginArray)) {
         $loginArray[] = "login='******'";
     }
     $loginText = implode(' OR ', $loginArray);
     $contentObjectStatus = eZContentObject::STATUS_PUBLISHED;
     $ini = eZINI::instance();
     $databaseName = $db->databaseName();
     // if mysql
     // NOTE(review): on MySQL the submitted password is embedded in the SQL text
     // (inside PASSWORD('...')), so it can end up in query logs or slow-query
     // logs. Restrict access to those logs, or retire hash type 4.
     if ($databaseName === 'mysql') {
         $query = "SELECT contentobject_id, password_hash, password_hash_type, email, login\n                      FROM ezuser, ezcontentobject\n                      WHERE ( {$loginText} ) AND\n                        ezcontentobject.status='{$contentObjectStatus}' AND\n                        ezcontentobject.id=contentobject_id AND\n                        ( ( password_hash_type!=4 ) OR\n                          ( password_hash_type=4 AND\n                              ( {$loginText} ) AND\n                          password_hash=PASSWORD('{$passwordEscaped}') ) )";
     } else {
         $query = "SELECT contentobject_id, password_hash,\n                             password_hash_type, email, login\n                      FROM   ezuser, ezcontentobject\n                      WHERE  ( {$loginText} )\n                      AND    ezcontentobject.status='{$contentObjectStatus}'\n                      AND    ezcontentobject.id=contentobject_id";
     }
     $users = $db->arrayQuery($query);
     $exists = false;
     if ($users !== false && isset($users[0])) {
         $ini = eZINI::instance();
         // Try each candidate row until one authenticates. $userID, $userRow,
         // $isEnabled and $canLogin stay set after the loop and are read below.
         foreach ($users as $userRow) {
             $userID = $userRow['contentobject_id'];
             $hashType = $userRow['password_hash_type'];
             $hash = $userRow['password_hash'];
             $exists = eZUser::authenticateHash($userRow['login'], $password, eZUser::site(), $hashType, $hash);
             // If hash type is MySql
             if ($hashType == self::PASSWORD_HASH_MYSQL and $databaseName === 'mysql') {
                 // NOTE(review): the query text is masked ("******") in this
                 // listing; as written, any returned row marks the password as
                 // correct. Restore the real query from upstream before reuse.
                 $queryMysqlUser = "******";
                 $mysqlUsers = $db->arrayQuery($queryMysqlUser);
                 if (isset($mysqlUsers[0])) {
                     $exists = true;
                 }
             }
             // NOTE(review): these two calls write a hash derived from the
             // submitted password and the stored hash to the 'kernel-user' debug
             // output. Keep that debug setting off in production, or drop the calls.
             eZDebugSetting::writeDebug('kernel-user', eZUser::createHash($userRow['login'], $password, eZUser::site(), $hashType, $hash), "check hash");
             eZDebugSetting::writeDebug('kernel-user', $hash, "stored hash");
             // If current user has been disabled after a few failed login attempts.
             $canLogin = eZUser::isEnabledAfterFailedLogin($userID);
             if ($exists) {
                 // We should store userID for warning message.
                 $GLOBALS['eZFailedLoginAttemptUserID'] = $userID;
                 $userSetting = eZUserSetting::fetch($userID);
                 $isEnabled = $userSetting->attribute("is_enabled");
                 // Re-hash with the site's current hash type when UpdateHash is on.
                 // The UPDATE is built by interpolation; its values come from
                 // createHash(), hashType() and the row just read from the database.
                 if ($hashType != eZUser::hashType() and strtolower($ini->variable('UserSettings', 'UpdateHash')) == 'true') {
                     $hashType = eZUser::hashType();
                     $hash = eZUser::createHash($userRow['login'], $password, eZUser::site(), $hashType);
                     $db->query("UPDATE ezuser SET password_hash='{$hash}', password_hash_type='{$hashType}' WHERE contentobject_id='{$userID}'");
                 }
                 break;
             }
         }
     }
     // $isEnabled is only assigned when $exists is true; the `and` chain
     // short-circuits, so it is not read otherwise.
     if ($exists and $isEnabled and $canLogin) {
         return new eZUser($userRow);
     } else {
         // Login matched a row but authentication failed (or the account is
         // disabled/locked): return the ID of the last row examined so the
         // caller can record the failure. No matching row at all: false.
         return isset($userID) ? $userID : false;
     }
 }
コード例 #3
 /**
  * Validates input from user registration form
  *
  * @param eZHTTPTool $http
  *
  * @return array
  */
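 public static function validateUserInput($http)
 {
     // All four fields must be posted; stop at the first missing one.
     $requiredFields = array('data_user_login', 'data_user_email', 'data_user_password', 'data_user_password_confirm');
     foreach ($requiredFields as $field) {
         if (!$http->hasPostVariable($field)) {
             return array('status' => 'error', 'message' => ezpI18n::tr('kernel/classes/datatypes', 'Input required.'));
         }
     }

     $loginName = $http->postVariable('data_user_login');
     $email = $http->postVariable('data_user_email');
     $password = $http->postVariable('data_user_password');
     $passwordConfirm = $http->postVariable('data_user_password_confirm');

     if (trim($loginName) == '') {
         return array('status' => 'error', 'message' => ezpI18n::tr('kernel/classes/datatypes', 'The username must be specified.'));
     }

     // Loose `!= null` is kept on purpose: it treats both null and false from
     // the fetch as "no such user".
     $existUser = eZUser::fetchByName($loginName);
     if ($existUser != null) {
         return array('status' => 'error', 'message' => ezpI18n::tr('kernel/classes/datatypes', 'The username already exists, please choose another one.'));
     }

     // validate user email
     if (!eZMail::validate($email)) {
         return array('status' => 'error', 'message' => ezpI18n::tr('kernel/classes/datatypes', 'The email address is not valid.'));
     }

     // E-mail uniqueness only matters when e-mail can be used to log in.
     $authenticationMatch = eZUser::authenticationMatch();
     if (($authenticationMatch & eZUser::AUTHENTICATE_EMAIL) && eZUser::requireUniqueEmail()) {
         $userByEmail = eZUser::fetchByEmail($email);
         if ($userByEmail != null) {
             return array('status' => 'error', 'message' => ezpI18n::tr('kernel/classes/datatypes', 'A user with this email already exists.'));
         }
     }

     // validate user name
     if (!eZUser::validateLoginName($loginName, $errorText)) {
         return array('status' => 'error', 'message' => ezpI18n::tr('kernel/classes/datatypes', $errorText));
     }

     // validate user password
     $ini = eZINI::instance();
     $generatePasswordIfEmpty = $ini->variable("UserSettings", "GeneratePasswordIfEmpty") == 'true';
     // An empty password is accepted only when one will be generated for the user.
     if (!$generatePasswordIfEmpty || $password != "") {
         if ($password == "") {
             return array('status' => 'error', 'message' => ezpI18n::tr('kernel/classes/datatypes', 'The password cannot be empty.', 'eZUserType'));
         }
         // Strict comparison: with `!=`, two different numeric-looking strings
         // (e.g. "1e3" and "1000") compare equal, so a mistyped confirmation
         // could be accepted as a match.
         if ($password !== $passwordConfirm) {
             return array('status' => 'error', 'message' => ezpI18n::tr('kernel/classes/datatypes', 'The passwords do not match.', 'eZUserType'));
         }
         if (!eZUser::validatePassword($password)) {
             $minPasswordLength = $ini->hasVariable('UserSettings', 'MinPasswordLength') ? $ini->variable('UserSettings', 'MinPasswordLength') : 3;
             return array('status' => 'error', 'message' => ezpI18n::tr('kernel/classes/datatypes', 'The password must be at least %1 characters long.', null, array($minPasswordLength)));
         }
         if (strtolower($password) == 'password') {
             return array('status' => 'error', 'message' => ezpI18n::tr('kernel/classes/datatypes', 'The password must not be "password".'));
         }
     }

     return array('status' => 'success');
 }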
コード例 #4
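 /**
  * Validates the posted login, e-mail and password fields of a user attribute.
  *
  * Field names are built as "{$base}_data_user_<field>_<attribute id>". On the
  * first failed check a validation error is set on the attribute and
  * STATE_INVALID is returned.
  *
  * @param eZHTTPTool $http Source of the POST variables.
  * @param string $base Prefix of the POST variable names.
  * @param eZContentObjectAttribute $contentObjectAttribute Attribute being validated.
  * @return int eZInputValidator::STATE_ACCEPTED or eZInputValidator::STATE_INVALID.
  */
 function validateObjectAttributeHTTPInput($http, $base, $contentObjectAttribute)
 {
     $attributeID = $contentObjectAttribute->attribute("id");
     $loginVar = $base . "_data_user_login_" . $attributeID;
     $emailVar = $base . "_data_user_email_" . $attributeID;
     $passwordVar = $base . "_data_user_password_" . $attributeID;
     $passwordConfirmVar = $base . "_data_user_password_confirm_" . $attributeID;

     $allPosted = $http->hasPostVariable($loginVar)
         && $http->hasPostVariable($emailVar)
         && $http->hasPostVariable($passwordVar)
         && $http->hasPostVariable($passwordConfirmVar);
     if (!$allPosted) {
         // Missing fields are an error only when the attribute is required.
         if ($contentObjectAttribute->validateIsRequired()) {
             $contentObjectAttribute->setValidationError(ezpI18n::tr('kernel/classes/datatypes', 'Input required.'));
             return eZInputValidator::STATE_INVALID;
         }
         return eZInputValidator::STATE_ACCEPTED;
     }

     // Not read below; the call is kept in case it has side effects (TODO confirm).
     $classAttribute = $contentObjectAttribute->contentClassAttribute();
     $loginName = $http->postVariable($loginVar);
     $email = $http->postVariable($emailVar);
     $password = $http->postVariable($passwordVar);
     $passwordConfirm = $http->postVariable($passwordConfirmVar);

     if (trim($loginName) == '') {
         // An empty login is acceptable only for an optional attribute that was
         // left entirely blank (no e-mail either).
         if ($contentObjectAttribute->validateIsRequired() || trim($email) != '') {
             $contentObjectAttribute->setValidationError(ezpI18n::tr('kernel/classes/datatypes', 'The username must be specified.'));
             return eZInputValidator::STATE_INVALID;
         }
         return eZInputValidator::STATE_ACCEPTED;
     }

     $ownObjectID = $contentObjectAttribute->attribute("contentobject_id");

     // The login may already exist if it belongs to the object being edited.
     $existUser = eZUser::fetchByName($loginName);
     if ($existUser != null) {
         $userID = $existUser->attribute('contentobject_id');
         if ($userID != $ownObjectID) {
             $contentObjectAttribute->setValidationError(ezpI18n::tr('kernel/classes/datatypes', 'The username already exists, please choose another one.'));
             return eZInputValidator::STATE_INVALID;
         }
     }

     // validate user email
     if (!eZMail::validate($email)) {
         $contentObjectAttribute->setValidationError(ezpI18n::tr('kernel/classes/datatypes', 'The email address is not valid.'));
         return eZInputValidator::STATE_INVALID;
     }

     // E-mail uniqueness only matters when e-mail can be used to log in.
     $authenticationMatch = eZUser::authenticationMatch();
     if (($authenticationMatch & eZUser::AUTHENTICATE_EMAIL) && eZUser::requireUniqueEmail()) {
         $userByEmail = eZUser::fetchByEmail($email);
         if ($userByEmail != null) {
             $userID = $userByEmail->attribute('contentobject_id');
             if ($userID != $ownObjectID) {
                 $contentObjectAttribute->setValidationError(ezpI18n::tr('kernel/classes/datatypes', 'A user with this email already exists.'));
                 return eZInputValidator::STATE_INVALID;
             }
         }
     }

     // validate user name
     if (!eZUser::validateLoginName($loginName, $errorText)) {
         $contentObjectAttribute->setValidationError(ezpI18n::tr('kernel/classes/datatypes', $errorText));
         return eZInputValidator::STATE_INVALID;
     }

     // validate user password
     $ini = eZINI::instance();
     $generatePasswordIfEmpty = $ini->variable("UserSettings", "GeneratePasswordIfEmpty") == 'true';
     // An empty password is accepted only when one will be generated for the user.
     if (!$generatePasswordIfEmpty || $password != "") {
         if ($password == "") {
             $contentObjectAttribute->setValidationError(ezpI18n::tr('kernel/classes/datatypes', 'The password cannot be empty.', 'eZUserType'));
             return eZInputValidator::STATE_INVALID;
         }
         // Strict comparison: with `!=`, two different numeric-looking strings
         // (e.g. "1e3" and "1000") compare equal, so a mistyped confirmation
         // could be accepted as a match.
         if ($password !== $passwordConfirm) {
             $contentObjectAttribute->setValidationError(ezpI18n::tr('kernel/classes/datatypes', 'The passwords do not match.', 'eZUserType'));
             return eZInputValidator::STATE_INVALID;
         }
         if (!eZUser::validatePassword($password)) {
             $minPasswordLength = $ini->variable('UserSettings', 'MinPasswordLength');
             $contentObjectAttribute->setValidationError(ezpI18n::tr('kernel/classes/datatypes', 'The password must be at least %1 characters long.', null, array($minPasswordLength)));
             return eZInputValidator::STATE_INVALID;
         }
         if (strtolower($password) == 'password') {
             $contentObjectAttribute->setValidationError(ezpI18n::tr('kernel/classes/datatypes', 'The password must not be "password".'));
             return eZInputValidator::STATE_INVALID;
         }
     }

     // validate confirm email
     if ($ini->variable('UserSettings', 'RequireConfirmEmail') == 'true') {
         $emailConfirm = $http->postVariable($base . "_data_user_email_confirm_" . $attributeID);
         // Strict for the same reason as the password confirmation above.
         if ($email !== $emailConfirm) {
             $contentObjectAttribute->setValidationError(ezpI18n::tr('kernel/classes/datatypes', 'The emails do not match.', 'eZUserType'));
             return eZInputValidator::STATE_INVALID;
         }
     }

     return eZInputValidator::STATE_ACCEPTED;
 }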
コード例 #5
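 /**
  * Logs a user in against the eZ user table, falling back to a delimited text file.
  *
  * First the ezuser table is queried for the login/e-mail and the stored hash
  * is checked. If that does not yield an enabled, unlocked account and
  * TextFileSettings/TextFileEnabled is "true" in textfile.ini, the configured
  * file is scanned for a line whose login and password columns match; the
  * matching account is then created or updated and logged in.
  *
  * NOTE(review): the text file holds passwords in clear text and is compared
  * against the submitted password directly. Keep the file outside the web root
  * with restrictive permissions. Accounts created on that path are stored with
  * an empty password_hash and hash type 0.
  *
  * @param string $login Login name or e-mail address.
  * @param string $password Password as submitted.
  * @param int|false $authenticationMatch eZUser::AUTHENTICATE_* bit mask, or
  *        false to use eZUser::authenticationMatch().
  * @return eZUser|false The logged-in user, or false on failure.
  */
 static function loginUser($login, $password, $authenticationMatch = false)
 {
     $http = eZHTTPTool::instance();
     $db = eZDB::instance();
     if ($authenticationMatch === false) {
         $authenticationMatch = eZUser::authenticationMatch();
     }
     // Escaped because both values are interpolated into SQL text below.
     $loginEscaped = $db->escapeString($login);
     $passwordEscaped = $db->escapeString($password);
     // NOTE(review): the login='******' literals look masked by the page this
     // listing was copied from; presumably the escaped login is interpolated
     // there. Confirm against the upstream file before reuse.
     $loginArray = array();
     if ($authenticationMatch & eZUser::AUTHENTICATE_LOGIN) {
         $loginArray[] = "login='******'";
     }
     if ($authenticationMatch & eZUser::AUTHENTICATE_EMAIL) {
         $loginArray[] = "email='{$loginEscaped}'";
     }
     if (count($loginArray) == 0) {
         $loginArray[] = "login='******'";
     }
     $loginText = implode(' OR ', $loginArray);
     $contentObjectStatus = eZContentObject::STATUS_PUBLISHED;
     $ini = eZINI::instance();
     $textFileIni = eZINI::instance('textfile.ini');
     $databaseName = $db->databaseName();
     // if mysql
     // NOTE(review): on MySQL the submitted password is embedded in the SQL text
     // (inside PASSWORD('...')) and can therefore reach query logs.
     if ($databaseName === 'mysql') {
         $query = "SELECT contentobject_id, password_hash, password_hash_type, email, login\n                      FROM ezuser, ezcontentobject\n                      WHERE ( {$loginText} ) AND\n                        ezcontentobject.status='{$contentObjectStatus}' AND\n                        ( ezcontentobject.id=contentobject_id OR ( password_hash_type=4 AND ( {$loginText} ) AND password_hash=PASSWORD('{$passwordEscaped}') ) )";
     } else {
         $query = "SELECT contentobject_id, password_hash, password_hash_type, email, login\n                      FROM ezuser, ezcontentobject\n                      WHERE ( {$loginText} ) AND\n                            ezcontentobject.status='{$contentObjectStatus}' AND\n                            ezcontentobject.id=contentobject_id";
     }
     $users = $db->arrayQuery($query);
     $exists = false;
     // arrayQuery() can return false on failure; count(false) is an error on
     // current PHP, so test the result the way _loginUser() does.
     if ($users !== false && isset($users[0])) {
         foreach ($users as $userRow) {
             $userID = $userRow['contentobject_id'];
             $hashType = $userRow['password_hash_type'];
             $hash = $userRow['password_hash'];
             $exists = eZUser::authenticateHash($userRow['login'], $password, eZUser::site(), $hashType, $hash);
             // If hash type is MySql
             if ($hashType == eZUser::PASSWORD_HASH_MYSQL and $databaseName === 'mysql') {
                 // NOTE(review): the query text is masked ("******") in this
                 // listing; restore the real query from upstream before reuse.
                 $queryMysqlUser = "******";
                 $mysqlUsers = $db->arrayQuery($queryMysqlUser);
                 if ($mysqlUsers !== false && isset($mysqlUsers[0])) {
                     $exists = true;
                 }
             }
             // NOTE(review): these calls write a hash derived from the submitted
             // password and the stored hash to the 'kernel-user' debug output.
             // Keep that debug setting off in production.
             eZDebugSetting::writeDebug('kernel-user', eZUser::createHash($userRow['login'], $password, eZUser::site(), $hashType), "check hash");
             eZDebugSetting::writeDebug('kernel-user', $hash, "stored hash");
             // If current user has been disabled after a few failed login attempts.
             $canLogin = eZUser::isEnabledAfterFailedLogin($userID);
             if ($exists) {
                 // We should store userID for warning message.
                 $GLOBALS['eZFailedLoginAttemptUserID'] = $userID;
                 $userSetting = eZUserSetting::fetch($userID);
                 $isEnabled = $userSetting->attribute("is_enabled");
                 if ($hashType != eZUser::hashType() and strtolower($ini->variable('UserSettings', 'UpdateHash')) == 'true') {
                     $hashType = eZUser::hashType();
                     // Re-hash with the stored login, exactly as the hash was
                     // verified above. Using $login would store a hash keyed on
                     // the e-mail address when the user signed in by e-mail.
                     $hash = eZUser::createHash($userRow['login'], $password, eZUser::site(), $hashType);
                     $db->query("UPDATE ezuser SET password_hash='{$hash}', password_hash_type='{$hashType}' WHERE contentobject_id='{$userID}'");
                 }
                 break;
             }
         }
     }
     // $isEnabled is only assigned when $exists is true; `and` short-circuits.
     if ($exists and $isEnabled and $canLogin) {
         eZDebugSetting::writeDebug('kernel-user', $userRow, 'user row');
         $user = new eZUser($userRow);
         eZDebugSetting::writeDebug('kernel-user', $user, 'user');
         $userID = $user->attribute('contentobject_id');
         eZUser::updateLastVisit($userID);
         eZUser::setCurrentlyLoggedInUser($user, $userID);
         // Reset number of failed login attempts
         eZUser::setFailedLoginAttempts($userID, 0);
         return $user;
     } else {
         if ($textFileIni->variable('TextFileSettings', 'TextFileEnabled') == "true") {
             $fileName = $textFileIni->variable('TextFileSettings', 'FileName');
             $filePath = $textFileIni->variable('TextFileSettings', 'FilePath');
             $defaultUserPlacement = $ini->variable("UserSettings", "DefaultUserPlacement");
             $separator = $textFileIni->variable("TextFileSettings", "FileFieldSeparator");
             $loginColumnNr = $textFileIni->variable("TextFileSettings", "LoginAttribute");
             $passwordColumnNr = $textFileIni->variable("TextFileSettings", "PasswordAttribute");
             $emailColumnNr = $textFileIni->variable("TextFileSettings", "EmailAttribute");
             $lastNameColumnNr = $textFileIni->variable("TextFileSettings", "LastNameAttribute");
             $firstNameColumnNr = $textFileIni->variable("TextFileSettings", "FirstNameAttribute");
             // Defined up front so the check below does not read an undefined
             // variable when DefaultUserGroupType is not configured.
             $UserGroupType = null;
             $UserGroup = null;
             if ($textFileIni->hasVariable('TextFileSettings', 'DefaultUserGroupType')) {
                 $UserGroupType = $textFileIni->variable('TextFileSettings', 'DefaultUserGroupType');
                 $UserGroup = $textFileIni->variable('TextFileSettings', 'DefaultUserGroup');
             }
             if ($UserGroupType != null) {
                 // The group value comes from configuration, but it is still
                 // escaped: a name containing a quote would otherwise break the query.
                 if ($UserGroupType == "name") {
                     $groupName = $db->escapeString($UserGroup);
                     $groupQuery = "SELECT ezcontentobject_tree.node_id\n                                       FROM ezcontentobject, ezcontentobject_tree\n                                       WHERE ezcontentobject.name='{$groupName}'\n                                       AND ezcontentobject.id=ezcontentobject_tree.contentobject_id";
                     $groupObject = $db->arrayQuery($groupQuery);
                     if ($groupObject !== false && isset($groupObject[0])) {
                         $defaultUserPlacement = $groupObject[0]['node_id'];
                     }
                 } else {
                     if ($UserGroupType == "id") {
                         $groupID = $db->escapeString($UserGroup);
                         $groupQuery = "SELECT ezcontentobject_tree.node_id\n                                           FROM ezcontentobject, ezcontentobject_tree\n                                           WHERE ezcontentobject.id='{$groupID}'\n                                           AND ezcontentobject.id=ezcontentobject_tree.contentobject_id";
                         $groupObject = $db->arrayQuery($groupQuery);
                         if ($groupObject !== false && isset($groupObject[0])) {
                             $defaultUserPlacement = $groupObject[0]['node_id'];
                         }
                     }
                 }
             }
             if ($filePath != "root" and $filePath != null) {
                 $fileName = $filePath . "/" . $fileName;
             }
             // A file that exists but cannot be opened is handled like a missing
             // one; looping on a false handle would never terminate.
             $handle = file_exists($fileName) ? fopen($fileName, "r") : false;
             if ($handle === false) {
                 // Increase number of failed login attempts.
                 if (isset($userID)) {
                     eZUser::setFailedLoginAttempts($userID);
                 }
                 return false;
             }
             while (!feof($handle)) {
                 $line = trim(fgets($handle, 4096));
                 if ($line === '') {
                     continue;
                 }
                 if ($separator == "tab") {
                     $userArray = explode("\t", $line);
                 } else {
                     $userArray = explode($separator, $line);
                 }
                 // Column numbers in textfile.ini are 1-based.
                 $uid = $userArray[$loginColumnNr - 1];
                 $email = $userArray[$emailColumnNr - 1];
                 $pass = $userArray[$passwordColumnNr - 1];
                 $firstName = $userArray[$firstNameColumnNr - 1];
                 $lastName = $userArray[$lastNameColumnNr - 1];
                 // Strict comparison: with `==`, numeric-looking strings are
                 // compared as numbers ("1e3" equals "1000"), so a different
                 // login could select this line.
                 if ($login === $uid) {
                     // Same reason for the password, plus hash_equals() so the
                     // comparison time does not depend on where the strings differ.
                     if (is_string($password) && hash_equals(trim($pass), $password)) {
                         $createNewUser = true;
                         $existUser = eZUser::fetchByName($login);
                         if ($existUser != null) {
                             $createNewUser = false;
                         }
                         if ($createNewUser) {
                             $userClassID = $ini->variable("UserSettings", "UserClassID");
                             $userCreatorID = $ini->variable("UserSettings", "UserCreatorID");
                             $defaultSectionID = $ini->variable("UserSettings", "DefaultSectionID");
                             $remoteID = "TextFile_" . $login;
                             $db->begin();
                             // The content object may already exist if this process has failed once before, before the eZUser object was created.
                             // Therefore we try to fetch the eZContentObject before instantiating it.
                             $contentObject = eZContentObject::fetchByRemoteID($remoteID);
                             if (!is_object($contentObject)) {
                                 $class = eZContentClass::fetch($userClassID);
                                 $contentObject = $class->instantiate($userCreatorID, $defaultSectionID);
                             }
                             $contentObject->setAttribute('remote_id', $remoteID);
                             $contentObject->store();
                             $contentObjectID = $contentObject->attribute('id');
                             $userID = $contentObjectID;
                             $nodeAssignment = eZNodeAssignment::create(array('contentobject_id' => $contentObjectID, 'contentobject_version' => 1, 'parent_node' => $defaultUserPlacement, 'is_main' => 1));
                             $nodeAssignment->store();
                             $version = $contentObject->version(1);
                             $version->setAttribute('modified', time());
                             $version->setAttribute('status', eZContentObjectVersion::STATUS_DRAFT);
                             $version->store();
                             $contentObjectID = $contentObject->attribute('id');
                             // Attributes 0 and 1 are written as first and last
                             // name; presumably that matches the user class
                             // layout (verify against the class definition).
                             $contentObjectAttributes = $version->contentObjectAttributes();
                             $contentObjectAttributes[0]->setAttribute('data_text', $firstName);
                             $contentObjectAttributes[0]->store();
                             $contentObjectAttributes[1]->setAttribute('data_text', $lastName);
                             $contentObjectAttributes[1]->store();
                             $user = eZUser::create($userID);
                             $user->setAttribute('login', $login);
                             $user->setAttribute('email', $email);
                             $user->setAttribute('password_hash', "");
                             $user->setAttribute('password_hash_type', 0);
                             $user->store();
                             eZUser::updateLastVisit($userID);
                             eZUser::setCurrentlyLoggedInUser($user, $userID);
                             // Reset number of failed login attempts
                             eZUser::setFailedLoginAttempts($userID, 0);
                             $operationResult = eZOperationHandler::execute('content', 'publish', array('object_id' => $contentObjectID, 'version' => 1));
                             $db->commit();
                             fclose($handle);
                             return $user;
                         } else {
                             $db->begin();
                             // Update user information
                             $userID = $existUser->attribute('contentobject_id');
                             $contentObject = eZContentObject::fetch($userID);
                             $parentNodeID = $contentObject->attribute('main_parent_node_id');
                             $currentVersion = $contentObject->attribute('current_version');
                             $version = $contentObject->attribute('current');
                             $contentObjectAttributes = $version->contentObjectAttributes();
                             $contentObjectAttributes[0]->setAttribute('data_text', $firstName);
                             $contentObjectAttributes[0]->store();
                             $contentObjectAttributes[1]->setAttribute('data_text', $lastName);
                             $contentObjectAttributes[1]->store();
                             $existUser = eZUser::fetch($userID);
                             $existUser->setAttribute('email', $email);
                             $existUser->setAttribute('password_hash', "");
                             $existUser->setAttribute('password_hash_type', 0);
                             $existUser->store();
                             // Move the user when the configured placement changed.
                             if ($defaultUserPlacement != $parentNodeID) {
                                 $newVersion = $contentObject->createNewVersion();
                                 $newVersion->assignToNode($defaultUserPlacement, 1);
                                 $newVersion->removeAssignment($parentNodeID);
                                 $newVersionNr = $newVersion->attribute('version');
                                 $operationResult = eZOperationHandler::execute('content', 'publish', array('object_id' => $userID, 'version' => $newVersionNr));
                             }
                             eZUser::updateLastVisit($userID);
                             eZUser::setCurrentlyLoggedInUser($existUser, $userID);
                             // Reset number of failed login attempts
                             eZUser::setFailedLoginAttempts($userID, 0);
                             $db->commit();
                             fclose($handle);
                             return $existUser;
                         }
                     } else {
                         // Increase number of failed login attempts.
                         if (isset($userID)) {
                             eZUser::setFailedLoginAttempts($userID);
                         }
                         fclose($handle);
                         return false;
                     }
                 }
             }
             fclose($handle);
         }
     }
     // Increase number of failed login attempts.
     if (isset($userID)) {
         eZUser::setFailedLoginAttempts($userID);
     }
     return false;
 }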
コード例 #6
ファイル: ezldapuser.php プロジェクト: CG77/ezpublish-legacy
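 /**
  * Authenticates a user against the local user table first and, when that
  * does not yield a usable account, against the LDAP directory configured
  * in ldap.ini.
  *
  * Local path: rows matching the login and/or e-mail are checked with
  * eZUser::authenticateHash(); on success the user is made the current
  * user and the failed-login counter is reset.
  *
  * LDAP path: binds with the configured service account, searches for
  * exactly one entry matching the login attribute, re-binds as that entry
  * with the supplied password, resolves the eZ Publish groups the user
  * belongs to and hands the data to eZLDAPUser::publishUpdateUser().
  *
  * NOTE(review): a local account that matched the password but is disabled
  * or locked out still continues into the LDAP path; whether
  * publishUpdateUser() honours those flags is not visible here. Confirm.
  *
  * @param string $login Login name or e-mail address as typed by the user.
  * @param string $password Clear-text password as typed by the user.
  * @param int|false $authenticationMatch Bit mask of eZUser::AUTHENTICATE_*
  *        flags; false means "use eZUser::authenticationMatch()".
  * @return mixed eZUser on a successful local login, the return value of
  *         eZLDAPUser::publishUpdateUser() on a successful LDAP login,
  *         false otherwise.
  */
 static function loginUser($login, $password, $authenticationMatch = false)
 {
     // Not used below; kept because instance() may initialise shared state (TODO confirm).
     $http = eZHTTPTool::instance();
     $db = eZDB::instance();
     if ($authenticationMatch === false) {
         $authenticationMatch = eZUser::authenticationMatch();
     }
     // Two escaped copies of the login: one for SQL literals, one for the LDAP search filter.
     $loginEscaped = $db->escapeString($login);
     $passwordEscaped = $db->escapeString($password);
     $loginLdapEscaped = self::ldap_escape($login);
     // Stays null until a matching local row is found; the isset() checks below rely on that.
     $userID = null;
     $loginArray = array();
     // NOTE(review): the login='******' literals are masked in this listing. By symmetry with
     // the e-mail clause they presumably interpolated $loginEscaped; confirm against upstream.
     if ($authenticationMatch & eZUser::AUTHENTICATE_LOGIN) {
         $loginArray[] = "login='******'";
     }
     if ($authenticationMatch & eZUser::AUTHENTICATE_EMAIL) {
         $loginArray[] = "email='{$loginEscaped}'";
     }
     if (count($loginArray) == 0) {
         $loginArray[] = "login='******'";
     }
     $loginText = implode(' OR ', $loginArray);
     $contentObjectStatus = eZContentObject::STATUS_PUBLISHED;
     $ini = eZINI::instance();
     $LDAPIni = eZINI::instance('ldap.ini');
     $databaseName = $db->databaseName();
     // if mysql
     // NOTE(review): the MySQL variant embeds the (escaped) clear-text password in the SQL
     // text for PASSWORD(), so it may end up in database query logs.
     if ($databaseName === 'mysql') {
         $query = "SELECT contentobject_id, password_hash, password_hash_type, email, login\n                      FROM ezuser, ezcontentobject\n                      WHERE ( {$loginText} ) AND\n                            ezcontentobject.status='{$contentObjectStatus}' AND\n                            ( ezcontentobject.id=contentobject_id OR ( password_hash_type=4 AND ( {$loginText} ) AND password_hash=PASSWORD('{$passwordEscaped}') ) )";
     } else {
         $query = "SELECT contentobject_id, password_hash, password_hash_type, email, login\n                      FROM ezuser, ezcontentobject\n                      WHERE ( {$loginText} ) AND\n                            ezcontentobject.status='{$contentObjectStatus}' AND\n                            ezcontentobject.id=contentobject_id";
     }
     $users = $db->arrayQuery($query);
     $exists = false;
     if (count($users) >= 1) {
         foreach ($users as $userRow) {
             $userID = $userRow['contentobject_id'];
             $hashType = $userRow['password_hash_type'];
             $hash = $userRow['password_hash'];
             $exists = eZUser::authenticateHash($userRow['login'], $password, eZUser::site(), $hashType, $hash);
             // If hash type is MySql
             if ($hashType == eZUser::PASSWORD_HASH_MYSQL and $databaseName === 'mysql') {
                 // NOTE(review): the query text is masked in this listing.
                 $queryMysqlUser = "******";
                 $mysqlUsers = $db->arrayQuery($queryMysqlUser);
                 if (count($mysqlUsers) >= 1) {
                     $exists = true;
                 }
             }
             // NOTE(review): these two calls write a hash of the submitted password and the
             // stored hash to the 'kernel-user' debug output; keep that setting off where
             // the debug output is readable by anyone but administrators.
             eZDebugSetting::writeDebug('kernel-user', eZUser::createHash($userRow['login'], $password, eZUser::site(), $hashType), "check hash");
             eZDebugSetting::writeDebug('kernel-user', $hash, "stored hash");
             // If current user has been disabled after a few failed login attempts.
             $canLogin = eZUser::isEnabledAfterFailedLogin($userID);
             if ($exists) {
                 // We should store userID for warning message.
                 $GLOBALS['eZFailedLoginAttemptUserID'] = $userID;
                 $userSetting = eZUserSetting::fetch($userID);
                 $isEnabled = $userSetting->attribute("is_enabled");
                 if ($hashType != eZUser::hashType() and strtolower($ini->variable('UserSettings', 'UpdateHash')) == 'true') {
                     $hashType = eZUser::hashType();
                     // Re-hash with the stored login, the same value the verification above
                     // used. $login may be the e-mail address when matching by e-mail.
                     $hash = eZUser::createHash($userRow['login'], $password, eZUser::site(), $hashType);
                     $db->query("UPDATE ezuser SET password_hash='{$hash}', password_hash_type='{$hashType}' WHERE contentobject_id='{$userID}'");
                 }
                 break;
             }
         }
     }
     // $isEnabled and $canLogin are only read when $exists is true, i.e. after the loop set them.
     if ($exists and $isEnabled and $canLogin) {
         eZDebugSetting::writeDebug('kernel-user', $userRow, 'user row');
         $user = new eZUser($userRow);
         eZDebugSetting::writeDebug('kernel-user', $user, 'user');
         $userID = $user->attribute('contentobject_id');
         eZUser::updateLastVisit($userID);
         eZUser::setCurrentlyLoggedInUser($user, $userID);
         // Reset number of failed login attempts
         eZUser::setFailedLoginAttempts($userID, 0);
         return $user;
     } else {
         if ($LDAPIni->variable('LDAPSettings', 'LDAPEnabled') === 'true') {
             // read LDAP ini settings
             // and then try to bind to the ldap server
             $LDAPDebugTrace = $LDAPIni->variable('LDAPSettings', 'LDAPDebugTrace') === 'enabled';
             $LDAPVersion = $LDAPIni->variable('LDAPSettings', 'LDAPVersion');
             $LDAPServer = $LDAPIni->variable('LDAPSettings', 'LDAPServer');
             $LDAPPort = $LDAPIni->variable('LDAPSettings', 'LDAPPort');
             $LDAPFollowReferrals = (int) $LDAPIni->variable('LDAPSettings', 'LDAPFollowReferrals');
             $LDAPBaseDN = $LDAPIni->variable('LDAPSettings', 'LDAPBaseDn');
             $LDAPBindUser = $LDAPIni->variable('LDAPSettings', 'LDAPBindUser');
             $LDAPBindPassword = $LDAPIni->variable('LDAPSettings', 'LDAPBindPassword');
             $LDAPSearchScope = $LDAPIni->variable('LDAPSettings', 'LDAPSearchScope');
             $LDAPLoginAttribute = strtolower($LDAPIni->variable('LDAPSettings', 'LDAPLoginAttribute'));
             $LDAPFirstNameAttribute = strtolower($LDAPIni->variable('LDAPSettings', 'LDAPFirstNameAttribute'));
             $LDAPFirstNameIsCN = $LDAPIni->variable('LDAPSettings', 'LDAPFirstNameIsCommonName') === 'true';
             $LDAPLastNameAttribute = strtolower($LDAPIni->variable('LDAPSettings', 'LDAPLastNameAttribute'));
             $LDAPEmailAttribute = strtolower($LDAPIni->variable('LDAPSettings', 'LDAPEmailAttribute'));
             $defaultUserPlacement = $ini->variable("UserSettings", "DefaultUserPlacement");
             $LDAPUserGroupAttributeType = strtolower($LDAPIni->variable('LDAPSettings', 'LDAPUserGroupAttributeType'));
             $LDAPUserGroupAttribute = strtolower($LDAPIni->variable('LDAPSettings', 'LDAPUserGroupAttribute'));
             if ($LDAPIni->hasVariable('LDAPSettings', 'Utf8Encoding')) {
                 $Utf8Encoding = $LDAPIni->variable('LDAPSettings', 'Utf8Encoding');
                 if ($Utf8Encoding == "true") {
                     $isUtf8Encoding = true;
                 } else {
                     $isUtf8Encoding = false;
                 }
             } else {
                 $isUtf8Encoding = false;
             }
             // Optional settings get explicit defaults so the code below never reads an
             // undefined variable when ldap.ini omits them.
             $LDAPFilters = array();
             $LDAPUserGroupType = null;
             $LDAPUserGroup = null;
             if ($LDAPIni->hasVariable('LDAPSettings', 'LDAPSearchFilters')) {
                 $LDAPFilters = $LDAPIni->variable('LDAPSettings', 'LDAPSearchFilters');
             }
             if ($LDAPIni->hasVariable('LDAPSettings', 'LDAPUserGroupType') and $LDAPIni->hasVariable('LDAPSettings', 'LDAPUserGroup')) {
                 $LDAPUserGroupType = $LDAPIni->variable('LDAPSettings', 'LDAPUserGroupType');
                 $LDAPUserGroup = $LDAPIni->variable('LDAPSettings', 'LDAPUserGroup');
             }
             // The configured filters are trusted ini values and are concatenated verbatim;
             // only the user-supplied login (appended later) is escaped.
             $LDAPFilter = "( &";
             if (count($LDAPFilters) > 0) {
                 foreach (array_keys($LDAPFilters) as $key) {
                     $LDAPFilter .= "(" . $LDAPFilters[$key] . ")";
                 }
             }
             // ldap.ini uses a substitute character for '='; translate it back here.
             $LDAPEqualSign = trim($LDAPIni->variable('LDAPSettings', "LDAPEqualSign"));
             $LDAPBaseDN = str_replace($LDAPEqualSign, "=", $LDAPBaseDN);
             $LDAPFilter = str_replace($LDAPEqualSign, "=", $LDAPFilter);
             $LDAPBindUser = str_replace($LDAPEqualSign, "=", $LDAPBindUser);
             if ($LDAPDebugTrace) {
                 // The bind password is deliberately not part of the trace.
                 $debugArray = array('stage' => '1/5: Connecting and Binding to LDAP server', 'LDAPServer' => $LDAPServer, 'LDAPPort' => $LDAPPort, 'LDAPBindUser' => $LDAPBindUser, 'LDAPVersion' => $LDAPVersion);
                 // Set debug trace mode for ldap connections
                 if (function_exists('ldap_set_option')) {
                     ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);
                 }
                 eZDebug::writeNotice(var_export($debugArray, true), __METHOD__);
             }
             // NOTE(review): no ldap_start_tls() call is made in this method, so both binds
             // below are only protected in transit if LDAPServer is an ldaps:// URI. Confirm.
             if (function_exists('ldap_connect')) {
                 $ds = ldap_connect($LDAPServer, $LDAPPort);
             } else {
                 $ds = false;
             }
             if ($ds) {
                 ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, $LDAPVersion);
                 ldap_set_option($ds, LDAP_OPT_REFERRALS, $LDAPFollowReferrals);
                 // Service bind: anonymous when no bind user is configured.
                 if ($LDAPBindUser == '') {
                     $r = ldap_bind($ds);
                 } else {
                     $r = ldap_bind($ds, $LDAPBindUser, $LDAPBindPassword);
                 }
                 if (!$r) {
                     // Increase number of failed login attempts.
                     eZDebug::writeError('Cannot bind to LDAP server, might be something wronge with connetion or bind user!', __METHOD__);
                     if (isset($userID)) {
                         eZUser::setFailedLoginAttempts($userID);
                     }
                     ldap_close($ds);
                     $user = false;
                     return $user;
                 }
                 $LDAPFilter .= "({$LDAPLoginAttribute}={$loginLdapEscaped})";
                 $LDAPFilter .= ")";
                 // 0 = no client-side size or time limit for the search.
                 ldap_set_option($ds, LDAP_OPT_SIZELIMIT, 0);
                 ldap_set_option($ds, LDAP_OPT_TIMELIMIT, 0);
                 $retrieveAttributes = array($LDAPLoginAttribute, $LDAPFirstNameAttribute, $LDAPLastNameAttribute, $LDAPEmailAttribute);
                 if ($LDAPUserGroupAttributeType) {
                     $retrieveAttributes[] = $LDAPUserGroupAttribute;
                 }
                 if ($LDAPDebugTrace) {
                     $debugArray = array('stage' => '2/5: finding user', 'LDAPFilter' => $LDAPFilter, 'retrieveAttributes' => $retrieveAttributes, 'LDAPSearchScope' => $LDAPSearchScope, 'LDAPBaseDN' => $LDAPBaseDN);
                     eZDebug::writeNotice(var_export($debugArray, true), __METHOD__);
                 }
                 if ($LDAPSearchScope == "one") {
                     $sr = ldap_list($ds, $LDAPBaseDN, $LDAPFilter, $retrieveAttributes);
                 } else {
                     if ($LDAPSearchScope == "base") {
                         $sr = ldap_read($ds, $LDAPBaseDN, $LDAPFilter, $retrieveAttributes);
                     } else {
                         $sr = ldap_search($ds, $LDAPBaseDN, $LDAPFilter, $retrieveAttributes);
                     }
                 }
                 if ($sr === false) {
                     // A failed search is a directory-side problem, not a wrong password,
                     // so the user's failed-login counter is left untouched.
                     eZDebug::writeError('LDAP search failed', __METHOD__);
                     ldap_close($ds);
                     $user = false;
                     return $user;
                 }
                 $info = ldap_get_entries($ds, $sr);
                 if ($info['count'] > 1) {
                     // More than one user with same uid, not allow login.
                     eZDebug::writeWarning('More then one user with same uid, not allowed to login!', __METHOD__);
                     ldap_close($ds);
                     $user = false;
                     return $user;
                 } else {
                     if ($info['count'] < 1) {
                         // Increase number of failed login attempts.
                         if (isset($userID)) {
                             eZUser::setFailedLoginAttempts($userID);
                         }
                         // user DN was not found
                         eZDebug::writeWarning('User DN was not found!', __METHOD__);
                         ldap_close($ds);
                         $user = false;
                         return $user;
                     } else {
                         if ($LDAPDebugTrace) {
                             // NOTE(review): this dumps the retrieved directory entry into the debug log.
                             $debugArray = array('stage' => '3/5: real authentication of user', 'info' => $info);
                             eZDebug::writeNotice(var_export($debugArray, true), __METHOD__);
                         }
                     }
                 }
                 // An empty password would turn the simple bind into an unauthenticated bind,
                 // which a directory server may accept as success, so it is treated as a
                 // failed login without contacting the server.
                 $passwordIsEmpty = is_array($password) || (string) $password === '';
                 // is it real authenticated LDAP user?
                 if ($passwordIsEmpty || !@ldap_bind($ds, $info[0]['dn'], $password)) {
                     // Increase number of failed login attempts.
                     if (isset($userID)) {
                         eZUser::setFailedLoginAttempts($userID);
                     }
                     eZDebug::writeWarning("User {$userID} failed to login!", __METHOD__);
                     ldap_close($ds);
                     $user = false;
                     return $user;
                 }
                 $extraNodeAssignments = array();
                 $userGroupClassID = $ini->variable("UserSettings", "UserGroupClassID");
                 // default user group assigning
                 // Group names and ids in the queries below come from ini files, not from the request.
                 if ($LDAPUserGroupType != null) {
                     if ($LDAPUserGroupType == "name") {
                         if (is_array($LDAPUserGroup)) {
                             foreach (array_keys($LDAPUserGroup) as $key) {
                                 $groupName = $db->escapeString($LDAPUserGroup[$key]);
                                 $groupQuery = "SELECT ezcontentobject_tree.node_id\n                                                 FROM ezcontentobject, ezcontentobject_tree\n                                                WHERE ezcontentobject.name like '{$groupName}'\n                                                  AND ezcontentobject.id=ezcontentobject_tree.contentobject_id\n                                                  AND ezcontentobject.contentclass_id={$userGroupClassID}";
                                 $groupObject = $db->arrayQuery($groupQuery);
                                 // First configured group becomes the main placement, the rest are extra locations.
                                 if (count($groupObject) > 0 and $key == 0) {
                                     $defaultUserPlacement = $groupObject[0]['node_id'];
                                 } else {
                                     if (count($groupObject) > 0) {
                                         $extraNodeAssignments[] = $groupObject[0]['node_id'];
                                     }
                                 }
                             }
                         } else {
                             $groupName = $db->escapeString($LDAPUserGroup);
                             $groupQuery = "SELECT ezcontentobject_tree.node_id\n                                             FROM ezcontentobject, ezcontentobject_tree\n                                            WHERE ezcontentobject.name like '{$groupName}'\n                                              AND ezcontentobject.id=ezcontentobject_tree.contentobject_id\n                                              AND ezcontentobject.contentclass_id={$userGroupClassID}";
                             $groupObject = $db->arrayQuery($groupQuery);
                             if (count($groupObject) > 0) {
                                 $defaultUserPlacement = $groupObject[0]['node_id'];
                             }
                         }
                     } else {
                         if ($LDAPUserGroupType == "id") {
                             if (is_array($LDAPUserGroup)) {
                                 foreach (array_keys($LDAPUserGroup) as $key) {
                                     $groupID = $LDAPUserGroup[$key];
                                     $groupQuery = "SELECT ezcontentobject_tree.node_id\n                                                 FROM ezcontentobject, ezcontentobject_tree\n                                                WHERE ezcontentobject.id='{$groupID}'\n                                                  AND ezcontentobject.id=ezcontentobject_tree.contentobject_id\n                                                  AND ezcontentobject.contentclass_id={$userGroupClassID}";
                                     $groupObject = $db->arrayQuery($groupQuery);
                                     if (count($groupObject) > 0 and $key == 0) {
                                         $defaultUserPlacement = $groupObject[0]['node_id'];
                                     } else {
                                         if (count($groupObject) > 0) {
                                             $extraNodeAssignments[] = $groupObject[0]['node_id'];
                                         }
                                     }
                                 }
                             } else {
                                 $groupID = $LDAPUserGroup;
                                 $groupQuery = "SELECT ezcontentobject_tree.node_id\n                                             FROM ezcontentobject, ezcontentobject_tree\n                                            WHERE ezcontentobject.id='{$groupID}'\n                                              AND ezcontentobject.id=ezcontentobject_tree.contentobject_id\n                                              AND ezcontentobject.contentclass_id={$userGroupClassID}";
                                 $groupObject = $db->arrayQuery($groupQuery);
                                 if (count($groupObject) > 0) {
                                     $defaultUserPlacement = $groupObject[0]['node_id'];
                                 }
                             }
                         }
                     }
                 }
                 // read group mapping LDAP settings
                 $LDAPGroupMappingType = $LDAPIni->variable('LDAPSettings', 'LDAPGroupMappingType');
                 $LDAPUserGroupMap = $LDAPIni->variable('LDAPSettings', 'LDAPUserGroupMap');
                 if (!is_array($LDAPUserGroupMap)) {
                     $LDAPUserGroupMap = array();
                 }
                 // group mapping constants
                 $ByMemberAttribute = 'SimpleMapping';
                 // by group's member attributes (with mapping)
                 $ByMemberAttributeHierarhicaly = 'GetGroupsTree';
                 // by group's member attributes hierarhically
                 $ByGroupAttribute = 'UseGroupAttribute';
                 // by user's group attribute (old style)
                 $groupMappingTypes = array($ByMemberAttribute, $ByMemberAttributeHierarhicaly, $ByGroupAttribute);
                 $userData =& $info[0];
                 // default mapping using old style
                 if (!in_array($LDAPGroupMappingType, $groupMappingTypes)) {
                     $LDAPGroupMappingType = $ByGroupAttribute;
                 }
                 if ($LDAPDebugTrace) {
                     $debugArray = array('stage' => '4/5: group mapping init', 'LDAPUserGroupType' => $LDAPUserGroupType, 'LDAPGroupMappingType' => $LDAPGroupMappingType, 'LDAPUserGroup' => $LDAPUserGroup, 'defaultUserPlacement' => $defaultUserPlacement, 'extraNodeAssignments' => $extraNodeAssignments);
                     eZDebug::writeNotice(var_export($debugArray, true), __METHOD__);
                 }
                 if ($LDAPGroupMappingType == $ByMemberAttribute or $LDAPGroupMappingType == $ByMemberAttributeHierarhicaly) {
                     $LDAPGroupBaseDN = $LDAPIni->variable('LDAPSettings', 'LDAPGroupBaseDN');
                     $LDAPGroupBaseDN = str_replace($LDAPEqualSign, '=', $LDAPGroupBaseDN);
                     $LDAPGroupClass = $LDAPIni->variable('LDAPSettings', 'LDAPGroupClass');
                     $LDAPGroupNameAttribute = strtolower($LDAPIni->variable('LDAPSettings', 'LDAPGroupNameAttribute'));
                     $LDAPGroupMemberAttribute = strtolower($LDAPIni->variable('LDAPSettings', 'LDAPGroupMemberAttribute'));
                     $LDAPGroupDescriptionAttribute = strtolower($LDAPIni->variable('LDAPSettings', 'LDAPGroupDescriptionAttribute'));
                     // NOTE(review): the mapping type is one of the three names above at this
                     // point, so the comparison with '1' looks always false (depth 1000). Confirm.
                     $groupSearchingDepth = $LDAPGroupMappingType == '1' ? 1 : 1000;
                     // now, get all parents for currently ldap authenticated user
                     $requiredParams = array();
                     $requiredParams['LDAPLoginAttribute'] = $LDAPLoginAttribute;
                     $requiredParams['LDAPGroupBaseDN'] = $LDAPGroupBaseDN;
                     $requiredParams['LDAPGroupClass'] = $LDAPGroupClass;
                     $requiredParams['LDAPGroupNameAttribute'] = $LDAPGroupNameAttribute;
                     $requiredParams['LDAPGroupMemberAttribute'] = $LDAPGroupMemberAttribute;
                     $requiredParams['LDAPGroupDescriptionAttribute'] = $LDAPGroupDescriptionAttribute;
                     $requiredParams['ds'] =& $ds;
                     if ($LDAPIni->variable('LDAPSettings', 'LDAPGroupRootNodeId') !== '') {
                         $requiredParams['TopUserGroupNodeID'] = $LDAPIni->variable('LDAPSettings', 'LDAPGroupRootNodeId');
                     } else {
                         $requiredParams['TopUserGroupNodeID'] = 5;
                     }
                     $groupsTree = array();
                     $stack = array();
                     // The DN comes from the directory and may contain filter metacharacters
                     // such as parentheses or backslashes, so it is escaped like the login
                     // before being placed in the filter. The raw DN is still passed separately.
                     $newfilter = '(&(objectClass=' . $LDAPGroupClass . ')(' . $LDAPGroupMemberAttribute . '=' . self::ldap_escape($userData['dn']) . '))';
                     $groupsTree[$userData['dn']] = array('data' => &$userData, 'parents' => array(), 'children' => array());
                     eZLDAPUser::getUserGroupsTree($requiredParams, $newfilter, $userData['dn'], $groupsTree, $stack, $groupSearchingDepth);
                     $userRecord =& $groupsTree[$userData['dn']];
                     if ($LDAPGroupMappingType == $ByMemberAttribute) {
                         if (count($userRecord['parents']) > 0) {
                             $remappedGroupNames = array();
                             foreach (array_keys($userRecord['parents']) as $key) {
                                 $parentGroup =& $userRecord['parents'][$key];
                                 if (isset($parentGroup['data'][$LDAPGroupNameAttribute])) {
                                     $ldapGroupName = $parentGroup['data'][$LDAPGroupNameAttribute];
                                     if (is_array($ldapGroupName)) {
                                         $ldapGroupName = $ldapGroupName['count'] > 0 ? $ldapGroupName[0] : '';
                                     }
                                     // remap group name and check that group exists
                                     // Only LDAP groups listed in LDAPUserGroupMap result in a placement.
                                     if (array_key_exists($ldapGroupName, $LDAPUserGroupMap)) {
                                         $remmapedGroupName = $db->escapeString($LDAPUserGroupMap[$ldapGroupName]);
                                         $groupQuery = "SELECT ezcontentobject_tree.node_id\n                                                         FROM ezcontentobject, ezcontentobject_tree\n                                                        WHERE ezcontentobject.name like '{$remmapedGroupName}'\n                                                          AND ezcontentobject.id=ezcontentobject_tree.contentobject_id\n                                                          AND ezcontentobject.contentclass_id={$userGroupClassID}";
                                         $groupRow = $db->arrayQuery($groupQuery);
                                         if (count($groupRow) > 0) {
                                             $userRecord['new_parents'][] = $groupRow[0]['node_id'];
                                         }
                                     }
                                 }
                             }
                         }
                     } else {
                         if ($LDAPGroupMappingType == $ByMemberAttributeHierarhicaly) {
                             $stack = array();
                             self::goAndPublishGroups($requiredParams, $userData['dn'], $groupsTree, $stack, $groupSearchingDepth, true);
                         }
                     }
                     if (isset($userRecord['new_parents']) and count($userRecord['new_parents']) > 0) {
                         $defaultUserPlacement = $userRecord['new_parents'][0];
                         $extraNodeAssignments = array_merge($extraNodeAssignments, $userRecord['new_parents']);
                     }
                 } else {
                     if ($LDAPGroupMappingType == $ByGroupAttribute) {
                         if ($LDAPUserGroupAttributeType) {
                             // Should we create user groups that are specified in LDAP, but not found in eZ Publish?
                             $createMissingGroups = $LDAPIni->variable('LDAPSettings', 'LDAPCreateMissingGroups') === 'enabled';
                             if ($LDAPIni->variable('LDAPSettings', 'LDAPGroupRootNodeId') !== '') {
                                 $parentNodeID = $LDAPIni->variable('LDAPSettings', 'LDAPGroupRootNodeId');
                             } else {
                                 $parentNodeID = 5;
                             }
                             $groupAttributeCount = $info[0][$LDAPUserGroupAttribute]['count'];
                             if ($LDAPUserGroupAttributeType == "name") {
                                 for ($i = 0; $i < $groupAttributeCount; $i++) {
                                     if ($isUtf8Encoding) {
                                         $groupName = utf8_decode($info[0][$LDAPUserGroupAttribute][$i]);
                                     } else {
                                         $groupName = $info[0][$LDAPUserGroupAttribute][$i];
                                     }
                                     // Save group node id to either defaultUserPlacement or extraNodeAssignments
                                     self::getNodeAssignmentsForGroupName($groupName, $i == 0, $defaultUserPlacement, $extraNodeAssignments, $createMissingGroups, $parentNodeID);
                                 }
                             } else {
                                 if ($LDAPUserGroupAttributeType == "id") {
                                     for ($i = 0; $i < $groupAttributeCount; $i++) {
                                         if ($isUtf8Encoding) {
                                             $groupID = utf8_decode($info[0][$LDAPUserGroupAttribute][$i]);
                                         } else {
                                             $groupID = $info[0][$LDAPUserGroupAttribute][$i];
                                         }
                                         $groupName = "LDAP {$groupID}";
                                         // Save group node id to either defaultUserPlacement or extraNodeAssignments
                                         self::getNodeAssignmentsForGroupName($groupName, $i == 0, $defaultUserPlacement, $extraNodeAssignments, $createMissingGroups, $parentNodeID);
                                     }
                                 } else {
                                     if ($LDAPUserGroupAttributeType == "dn") {
                                         for ($i = 0; $i < $groupAttributeCount; $i++) {
                                             $groupDN = $info[0][$LDAPUserGroupAttribute][$i];
                                             $groupName = self::getGroupNameByDN($ds, $groupDN);
                                             if ($groupName) {
                                                 // Save group node id to either defaultUserPlacement or extraNodeAssignments
                                                 self::getNodeAssignmentsForGroupName($groupName, $i == 0, $defaultUserPlacement, $extraNodeAssignments, $createMissingGroups, $parentNodeID);
                                             }
                                         }
                                     } else {
                                         eZDebug::writeError("Bad LDAPUserGroupAttributeType '{$LDAPUserGroupAttributeType}'. It must be either 'name', 'id' or 'dn'.", __METHOD__);
                                         ldap_close($ds);
                                         $user = false;
                                         return $user;
                                     }
                                 }
                             }
                         }
                     }
                 }
                 // remove ' last_name' from first_name if cn is used for first name
                 if ($LDAPFirstNameIsCN && isset($userData[$LDAPFirstNameAttribute]) && isset($userData[$LDAPLastNameAttribute])) {
                     $userData[$LDAPFirstNameAttribute][0] = str_replace(' ' . $userData[$LDAPLastNameAttribute][0], '', $userData[$LDAPFirstNameAttribute][0]);
                 }
                 // Fall back to "<login><suffix>" when the directory entry has no e-mail attribute.
                 if (isset($userData[$LDAPEmailAttribute])) {
                     $LDAPuserEmail = $userData[$LDAPEmailAttribute][0];
                 } else {
                     if (trim($LDAPIni->variable('LDAPSettings', 'LDAPEmailEmptyAttributeSuffix'))) {
                         $LDAPuserEmail = $login . $LDAPIni->variable('LDAPSettings', 'LDAPEmailEmptyAttributeSuffix');
                     } else {
                         $LDAPuserEmail = false;
                     }
                 }
                 $userAttributes = array('login' => $login, 'first_name' => isset($userData[$LDAPFirstNameAttribute]) ? $userData[$LDAPFirstNameAttribute][0] : false, 'last_name' => isset($userData[$LDAPLastNameAttribute]) ? $userData[$LDAPLastNameAttribute][0] : false, 'email' => $LDAPuserEmail);
                 if ($LDAPDebugTrace) {
                     $debugArray = array('stage' => '5/5: storing user', 'userAttributes' => $userAttributes, 'isUtf8Encoding' => $isUtf8Encoding, 'defaultUserPlacement' => $defaultUserPlacement, 'extraNodeAssignments' => $extraNodeAssignments);
                     eZDebug::writeNotice(var_export($debugArray, true), __METHOD__);
                 }
                 // Keep a copy of the current user so it can be restored if publishing fails
                 // (presumably publishUpdateUser() switches the current user; TODO confirm).
                 $oldUser = clone eZUser::currentUser();
                 $existingUser = eZLDAPUser::publishUpdateUser($extraNodeAssignments, $defaultUserPlacement, $userAttributes, $isUtf8Encoding);
                 if (is_object($existingUser)) {
                     eZUser::setCurrentlyLoggedInUser($existingUser, $existingUser->attribute('contentobject_id'));
                 } else {
                     eZUser::setCurrentlyLoggedInUser($oldUser, $oldUser->attribute('contentobject_id'));
                 }
                 ldap_close($ds);
                 return $existingUser;
             } else {
                 eZDebug::writeError('Cannot initialize connection for LDAP server', __METHOD__);
                 $user = false;
                 return $user;
             }
         } else {
             // Increase number of failed login attempts.
             if (isset($userID)) {
                 eZUser::setFailedLoginAttempts($userID);
             }
             eZDebug::writeWarning('User does not exist or LDAP is not enabled in php', __METHOD__);
             $user = false;
             return $user;
         }
     }
 }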