private function authenticateWithTokenOrHashToken($token, $login)
{
$user = $this->userModel->getUser($login);
if (!empty($user['token_auth']) && (SessionInitializer::getHashTokenAuth($login, $user['token_auth']) === $token || $user['token_auth'] === $token)) {
return $this->authenticationSuccess($user);
}
return new AuthResult(AuthResult::FAILURE, $login, $token);
}
/**
* Authenticates user
*
* @return \Piwik\AuthResult
*/
public function authenticate()
{
$httpLogin = $this->getHttpAuthLogin();
if (!empty($httpLogin)) {
$user = $this->userModel->getUser($httpLogin);
if (empty($user)) {
return new AuthResult(AuthResult::FAILURE, $httpLogin, null);
}
$code = !empty($user['superuser_access']) ? AuthResult::SUCCESS_SUPERUSER_AUTH_CODE : AuthResult::SUCCESS;
return new AuthResult($code, $httpLogin, $user['token_auth']);
}
return parent::authenticate();
}
/**
* Checks if the provided CURRENT password is correct and calls the parent
* class function if so. Otherwise provides error message.
*
* @see the parent class function for parameters and return value
*/
public function recordUserSettings()
{
try {
$passwordCurrent = Common::getRequestvar('passwordCurrent', false);
$passwordCurrent = Crypto::decrypt($passwordCurrent);
// Note: Compare loosely, so both, "" (password input empty; forms send strings)
// and "password input not sent" are covered - see
// https://secure.php.net/manual/en/types.comparisons.php
if ($passwordCurrent != "") {
$userName = Piwik::getCurrentUserLogin();
// gets username as string or "anonymous"
// see Piwik\Plugins\Login\Auth for used password hash function
// (in setPassword()) and access to hashed password (in getTokenAuthSecret())
if ($userName != 'anonymous') {
$model = new Model();
$user = $model->getUser($userName);
if (UsersManagerEncrypted::getPasswordHash($passwordCurrent) === $user['password']) {
$toReturn = parent::recordUserSettings();
} else {
throw new Exception(Piwik::translate('UsersManagerEncrypted_CurrentPasswordIncorrect'));
}
} else {
throw new Exception(Piwik::translate('UsersManagerEncrypted_UserNotAuthenticated'));
}
} else {
throw new Exception(Piwik::translate('UsersManagerEncrypted_CurrentPasswordNotProvided'));
}
} catch (Exception $e) {
$response = new ResponseBuilder(Common::getRequestVar('format'));
$toReturn = $response->getResponseException($e);
}
return $toReturn;
}
/**
* Returns the user information (login, password md5, alias, email, date_registered, etc.)
*
* @param string $userLogin the user login
*
* @return array the user information
*/
public function getUser($userLogin)
{
Piwik::checkUserHasSuperUserAccessOrIsTheUser($userLogin);
$this->checkUserExists($userLogin);
$user = $this->model->getUser($userLogin);
return $this->userFilter->filterUser($user);
}
/**
* Authenticates user
*
* @return AuthResult
*/
public function authenticate()
{
if (!empty($this->md5Password)) {
// favor authenticating by password
$this->token_auth = UsersManagerAPI::getInstance()->getTokenAuth($this->login, $this->getTokenAuthSecret());
}
if (is_null($this->login)) {
$model = new Model();
$user = $model->getUserByTokenAuth($this->token_auth);
if (!empty($user['login'])) {
$code = $user['superuser_access'] ? AuthResult::SUCCESS_SUPERUSER_AUTH_CODE : AuthResult::SUCCESS;
return new AuthResult($code, $user['login'], $this->token_auth);
}
} else {
if (!empty($this->login)) {
$model = new Model();
$user = $model->getUser($this->login);
if (!empty($user['token_auth']) && (SessionInitializer::getHashTokenAuth($this->login, $user['token_auth']) === $this->token_auth || $user['token_auth'] === $this->token_auth)) {
$this->setTokenAuth($user['token_auth']);
$code = !empty($user['superuser_access']) ? AuthResult::SUCCESS_SUPERUSER_AUTH_CODE : AuthResult::SUCCESS;
return new AuthResult($code, $this->login, $user['token_auth']);
}
}
}
return new AuthResult(AuthResult::FAILURE, $this->login, $this->token_auth);
}
/**
* Authenticates user
*
* @return AuthResult
*/
public function authenticate()
{
$logger = StaticContainer::get('Psr\\Log\\LoggerInterface');
$model = new Model();
$user = $model->getUser($this->login);
if (!$user) {
$user = $model->getUserByTokenAuth($this->token_auth);
if (!$user) {
$logger->info("Creating user " . $this->login);
$model->addUser($this->login, $this->getTokenAuthSecret(), $this->email, $this->alias, $this->token_auth, Date::now()->getDatetime());
$user = $model->getUser($this->login);
}
}
$accessCode = $user['superuser_access'] ? AuthResult::SUCCESS_SUPERUSER_AUTH_CODE : AuthResult::SUCCESS;
$this->login = $user['login'];
if ($this->getViewableUserStatus() || $this->getSuperUserStatus()) {
$site_ids = $this->getDefaultSiteIds();
$current_accesses = array();
foreach ($site_ids as $site_id) {
$accesses = $model->getUsersAccessFromSite($site_id);
foreach ($accesses as $user => $access) {
if ($this->login == $user && ($access == "view" || $access == 'admin')) {
$current_accesses[] = $site_id;
}
}
}
$new_accesses = array();
foreach ($site_ids as $site_id) {
if (!in_array($site_id, $current_accesses)) {
$new_accesses[] = $site_id;
}
}
if (count($new_accesses) > 0) {
$logger->info("Adding default site ids to " . $this->login);
$model->addUserAccess($this->login, "view", $new_accesses);
}
}
$is_superuser = $this->getSuperUserStatus();
$model->setSuperUserAccess($this->login, $is_superuser);
return new AuthResult($accessCode, $this->login, $this->token_auth);
}
/**
* Returns the user's API token.
*
* If the username/password combination is incorrect an invalid token will be returned.
*
* @param string $userLogin Login
* @param string $md5Password hashed string of the password (using current hash function; MD5-named for historical reasons)
* @return string
*/
public function getTokenAuth($userLogin, $md5Password)
{
UsersManager::checkPasswordHash($md5Password, Piwik::translate('UsersManager_ExceptionPasswordMD5HashExpected'));
$user = $this->model->getUser($userLogin);
if (!$this->password->verify($md5Password, $user['password'])) {
return md5($userLogin . microtime(true) . Common::generateUniqId());
}
if ($this->password->needsRehash($user['password'])) {
$this->updateUser($userLogin, $this->password->hash($md5Password));
}
return $user['token_auth'];
}
protected function getUserForLogin()
{
if (empty($this->userForLogin)) {
if (!empty($this->login)) {
$this->userForLogin = $this->usersModel->getUser($this->login);
} else {
if (!empty($this->token_auth)) {
$this->userForLogin = $this->usersModel->getUserByTokenAuth($this->token_auth);
} else {
throw new Exception("Cannot get user details, neither login nor token auth are set.");
}
}
}
return $this->userForLogin;
}
/**
* Authenticates user
*
* @return AuthResult
*/
public function authenticate()
{
if (is_null($this->login)) {
$model = new Model();
$user = $model->getUserByTokenAuth($this->token_auth);
if (!empty($user['login'])) {
$code = $user['superuser_access'] ? AuthResult::SUCCESS_SUPERUSER_AUTH_CODE : AuthResult::SUCCESS;
return new AuthResult($code, $user['login'], $this->token_auth);
}
} else {
if (!empty($this->login)) {
$model = new Model();
$user = $model->getUser($this->login);
if (!empty($user['token_auth']) && ($this->getHashTokenAuth($this->login, $user['token_auth']) === $this->token_auth || $user['token_auth'] === $this->token_auth)) {
$this->setTokenAuth($user['token_auth']);
$code = !empty($user['superuser_access']) ? AuthResult::SUCCESS_SUPERUSER_AUTH_CODE : AuthResult::SUCCESS;
return new AuthResult($code, $this->login, $user['token_auth']);
}
}
}
return new AuthResult(AuthResult::FAILURE, $this->login, $this->token_auth);
}
protected function setReplyToAsSender(Mail $mail, array $report)
{
if (Config::getInstance()->General['scheduled_reports_replyto_is_user_email_and_alias']) {
if (isset($report['login'])) {
$userModel = new UserModel();
$user = $userModel->getUser($report['login']);
$mail->setReplyTo($user['email'], $user['alias']);
}
}
}
