예제 #1
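 /**
  * Validates a user's credentials against the local NIS/passwd database. (uname, password)
  *
  * Looks the user up with posix_getpwnam(), re-hashes the supplied password with
  * crypt() using the stored hash as salt, and compares the two in constant time.
  * On a match the uid is stored in the session and on this object and the user is
  * checked/registered in Prefs.
  *
  * @param	array	$creds	'uname' and 'password' keys.
  * @return 	bool	TRUE only when the password matched and Prefs accepted the uid.
  */
 function validateCredentials($creds)
 {
     $uname = isset($creds['uname']) ? strtolower($creds['uname']) : '';
     $password = isset($creds['password']) ? (string) $creds['password'] : '';
     $pwent = posix_getpwnam($uname);
     if ($pwent === false) {
         // API::Error() is not known to abort the request, so stop here explicitly
         // instead of indexing into `false` below.
         API::Error("Invalid Username/Password");
         return FALSE;
     }
     // NOTE(review): on shadowed systems posix_getpwnam() may return a placeholder
     // (e.g. 'x') in 'passwd' rather than a real hash — confirm the deployment
     // actually exposes the hash to this process.
     $storedHash = (string) $pwent['passwd'];
     $cryptpw = crypt($password, $storedHash);
     // crypt() returns a short "*0"/"*1" string when the salt is unusable; a
     // constant-time, length-aware compare rejects that and avoids timing leaks.
     if (!hash_equals($storedHash, $cryptpw)) {
         return FALSE;
     }
     API::DEBUG("[Auth_NIS::validateCredentials] returning TRUE", 8);
     $_SESSION['authed_user'] = $pwent['uid'];
     $this->authed_user = $pwent['uid'];
     // GECOS is "First Last[, ...]"; a single-word entry has no last name.
     $parts = explode(" ", $pwent['gecos'], 2);
     $names = array(
         'fname' => $parts[0],
         'lname' => isset($parts[1]) ? $parts[1] : NULL,
     );
     $prefs = new Prefs();
     if ($prefs->checkUID($this->authed_user, $this->config->prefs_auto, NULL, $names)) {
         return TRUE;
     }
     API::Error("Username Not Valid in system. Error: 3304");
     return FALSE;
 }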
예제 #2
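 /**
  * Checks the input for validity according to what should be in the table,
  * returning an array of errors or NULL if no errors occur.
  * NOTE: This function may modify its argument.
  *
  * For the 'edit' action two authorisation rules are enforced:
  *  - changing permissions ('set_perms' present) requires 'perms_admin';
  *  - editing a record whose uid is not the caller's requires 'user_admin'.
  * They are checked independently, so including 'set_perms' does not skip the
  * user_admin check for another user's record. A failed rule is logged, the
  * session's authed_user is cleared and the caller is redirected to "/".
  *
  * Creation-time username checks (format, uniqueness, length) were previously
  * commented out here; none are enforced at the moment.
  *
  *@access    public
  *@param     array   $data   the array of data to check
  *@return    array|NULL   list of error strings, or NULL when there are none
  */
 public function check_input(&$data)
 {
     $errors = array();
     $security_violation = false;
     if ($this->action == 'edit') {
         $perms = self::$CertisInst->Perms;
         if (isset($data['set_perms']) && !$perms->checkPerm($this->authed_user, 'perms_admin')) {
             $errors[] = "You do not have permissions to change permissions.";
             $security_violation = true;
             error_log("[Prefs::check_input()] Security Violation (perms_admin) ERR_SEC.  ");
         }
         // Compare as strings: $data comes from the request (strings) while
         // authed_user may be an int, and a loose != accepts e.g. "1abc" vs 1 on PHP < 8.
         $targetUid = isset($data['uid']) ? (string) $data['uid'] : '';
         if ($targetUid !== (string) $this->authed_user
             && !$perms->checkPerm($this->authed_user, 'user_admin')) {
             $errors[] = "You do not have permissions to change other user's info.";
             $security_violation = true;
             error_log("[Prefs::check_input()] Security Violation (user_admin) ERR_SEC.  ");
         }
     }
     if (count($errors) === 0) {
         return NULL;
     }
     // slightly different redirect here, because security issues redirect
     // us to index.
     if ($security_violation === TRUE) {
         // security violation, log some info.
         error_log("                         - IP " . $_SERVER['REMOTE_ADDR']);
         error_log("                         - user " . $this->authed_user);
         error_log("                         - session destroyed.(ERR_SEC_DESTROY)");
         // effectively log off the user
         $_SESSION['authed_user'] = NULL;
         $this->authed_user = NULL;
         // set display messages to the user.
         API::Error($errors);
         // redirect them to the home page.
         API::Redirect("/");
     }
     return $errors;
 }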
예제 #3
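 /**
  * Handles the login form: validates the posted credentials via the model,
  * redirects to "/" on success, otherwise queues an error and re-renders the form.
  *
  * @return void
  */
 public function loginAction()
 {
     if (isset($_POST['login'])) {
         $creds = array();
         $creds['uname'] = isset($_POST['uname']) ? $_POST['uname'] : '';
         // NOTE(review): the model receives md5(password), not the password
         // itself — keep only if validateCredentials() expects that form.
         $creds['password'] = md5(isset($_POST['password']) ? $_POST['password'] : '');
         if ($this->_model->validateCredentials($creds)) {
             // Issue a fresh session id on login so an id fixed before
             // authentication is not carried into the authenticated session.
             if (session_status() === PHP_SESSION_ACTIVE) {
                 session_regenerate_id(true);
             }
             API::Redirect("/");
         } else {
             API::Error("Invalid Username/Password for login.");
         }
     }
     $this->addModuleTemplate('auth', 'login_frm');
 }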
예제 #4
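 /**
  * Handles the LDAP login form: validates the posted credentials via the model,
  * redirects to "/" on success, otherwise queues an error and re-renders the
  * login form of the configured auth module.
  *
  * @return void
  */
 public function loginAction()
 {
     if (isset($_POST['login'])) {
         $creds = array();
         $creds['uname'] = isset($_POST['uname']) ? $_POST['uname'] : '';
         $creds['password'] = isset($_POST['password']) ? $_POST['password'] : '';
         if ($this->_model->validateCredentials($creds)) {
             // Issue a fresh session id on login so an id fixed before
             // authentication is not carried into the authenticated session.
             if (session_status() === PHP_SESSION_ACTIVE) {
                 session_regenerate_id(true);
             }
             API::DEBUG("[Auth_LDAPController::loginAction] PHPSESSID = " . session_id(), 8);
             API::Redirect("/");
         } else {
             API::Error("Invalid Username/Password");
         }
     }
     API::DEBUG("[Auth_LDAPController::loginAction] adding login form to template stack");
     $this->addModuleTemplate(strtolower(self::$config->auth_class), 'login_frm');
 }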
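 /**
  * default action processing new requests passed in from the display action.  Does
  * not use a template. Uses the 'set_data' function on the model object of the implementing
  * class to do data verification.
  *
  * Flow: cancel → redirect; model check_input() errors → API::Error + redirect;
  * 'validate' hooks with errors → redirect; otherwise set_data() saves, 'save'
  * hooks run, and the request is redirected (to params['redir'] if present).
  *
  * @return void
  */
 public function newAction()
 {
     # process the new entry form.
     # check the post data and filter it.
     if (isset($_POST['cancel'])) {
         API::Redirect(API::printUrl($this->_redirect));
         return;
     }
     $input_check = $this->_model->check_input($_POST);
     if (is_array($input_check)) {
         API::Error($input_check);
         // redirect to index and display the error there.
         // NOTE(review): API::Redirect() is not shown to terminate the request;
         // the explicit return guarantees invalid data never reaches set_data().
         API::Redirect(API::printUrl($this->_redirect));
         return;
     }
     // all hooks will stack their errors onto the API::Error stack
     // but WILL NOT redirect.
     API::callHooks(self::$module, 'validate', 'controller', $_POST);
     if (API::hasErrors()) {
         API::Redirect(API::printUrl($this->_redirect));
         return;
     }
     // set the id into the post var for any hooks.
     $_POST['id'] = $this->_model->set_data($_POST, TRUE);
     // auto call the hooks for this module/action
     API::callHooks(self::$module, 'save', 'controller', $_POST);
     if (isset($this->params['redir'])) {
         API::Redirect($this->params['redir']);
         return;
     }
     API::Redirect(API::printUrl($this->_redirect));
 }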
예제 #6
    // only run this code if the class specified in config
    // for authentication is present.  And if the request
    // coming in is not for the auth_class module itself.
    // The second part keeps things from going crazy.
    // NOTE(review): the include path below is built from config (auth_class),
    // not from the request, so it is not subject to the traversal check that
    // `module` receives — confirm auth_class cannot be set by a user.
    if (class_exists($CertisInst->config->auth_class) && $CertisInst->module != strtolower($CertisInst->config->auth_class)) {
        // include the authentication module's controller.php file
        include _SYSTEM_ . "/modules/" . strtolower($CertisInst->config->auth_class) . "/controller.php";
        // instantiate the auth controller class
        // NOTE(review): class_exists() above tests auth_class, not
        // auth_class . "Controller"; if the include fails the `new` below is fatal.
        $classname = $CertisInst->config->auth_class . "Controller";
        $auth_controller = new $classname();
        $auth_controller->authCheckAction();
    }
    // no usable authentication class: route to the error action instead of
    // serving the request unauthenticated.
    if (!class_exists($CertisInst->config->auth_class)) {
        $CertisInst->module = '';
        $CertisInst->action = 'error';
        API::Error('FATAL ERROR: Unable to find Authentication Class');
    }
}
// Authentication phase is over; the request controller is resolved next.
$controller = null;
API::DEBUG("[__SYSTEM__] index.php: authentication check done.");
if (!empty($CertisInst->module)) {
    if (preg_match("/\\.\\./", $CertisInst->module)) {
        error_log("[index.php] FATAL ERROR! SOMEONE TRIED TO ESCAPE! " . $CertisInst->module);
        print "UNAUTHORIZED!!!!!!";
        exit(1);
    }
    // first check to see if the module exists.
    if (!file_exists(_SYSTEM_ . "/modules/" . $CertisInst->module)) {
        error_log("[index.php] Unable to find requested module: " . $CertisInst->module);
        API::Redirect("/");
    }
예제 #7
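 /**
  * Used to validate a user's credentials against LDAP. (uname, password)
  *
  * Finds the user's DN via _searchUser(), then binds as that DN with the supplied
  * password. An empty password is refused before the bind, because ldap_bind()
  * with an empty password performs an unauthenticated (anonymous) bind that can
  * succeed for any DN and would therefore pass as a valid login.
  *
  * @param	array	$creds	the uname and password passed in as an array.
  * @return 	bool	true only after a successful bind and a passing Prefs::checkUID().
  */
 function validateCredentials($creds)
 {
     global $conf;
     $uname = isset($creds['uname']) ? $creds['uname'] : '';
     $password = isset($creds['password']) ? (string) $creds['password'] : '';
     if ($password === '') {
         error_log("LDAP - Empty password supplied, refusing bind.");
         return false;
     }
     if (!$this->_connectLDAP()) {
         return false;
     }
     # see if you can find the user
     $search_res = $this->_searchUser($uname);
     if ($search_res == NULL) {
         return FALSE;
     }
     if (!is_array($search_res)) {
         error_log("LDAP - Something went wrong with the LDAP search.");
         return false;
     }
     # get the user attributes
     $userdn = $search_res[0];
     $user_attrs = $search_res[1];
     # Bind as the user to verify the password
     error_log("UserDN: " . $userdn);
     $bind = ldap_bind($this->ldap, $userdn, $password);
     $errno = ldap_errno($this->ldap);
     // NOTE(review): $ad_mode and $ad_options are defined nowhere in this method
     // (nor pulled in via `global`), so this branch is dead until they are
     // sourced from configuration — TODO confirm where they should come from.
     if ($errno == 49 && !empty($ad_mode)) {   // 49 = invalid credentials
         // 0x32 is the LDAP diagnostic-message option; presumably the server
         // places a "data NNN" reason code in it — verify for the directory in use.
         if (ldap_get_option($this->ldap, 0x32, $extended_error)) {
             error_log("LDAP - Bind user extended_error {$extended_error}  (" . ldap_error($this->ldap) . ")");
             $parts = explode(', ', $extended_error);
             $reason = isset($parts[2]) ? $parts[2] : '';
             // strpos() yields 0 when the code sits at the start of the string,
             // so its result must be compared with false, not used as a boolean.
             if (strpos($reason, '773') !== false) {
                 error_log("LDAP - Bind user password needs to be changed");
                 return false;
             }
             if (strpos($reason, '532') !== false && !empty($ad_options['change_expired_password'])) {
                 error_log("LDAP - Bind user password is expired");
                 return false;
             }
         }
     }
     // Treat a false bind result as failure even if no error code was recorded.
     if (!$bind || $errno) {
         error_log("LDAP - Bind user error {$errno}  (" . ldap_error($this->ldap) . ")");
         return false;
     }
     // got a good bind, user is valid.  Let's populate some stuff
     $this->authed_user = $user_attrs[$conf->auth_ldap->uid_attr];
     $names = array();
     $names['fname'] = $user_attrs[$conf->auth_ldap->fname_attr];
     $names['lname'] = $user_attrs[$conf->auth_ldap->lname_attr];
     $prefs = new Prefs();
     if ($prefs->checkUID($this->authed_user, $conf->prefs_auto, NULL, $names)) {
         $_SESSION['authed_user'] = $this->authed_user;
         API::Debug("auth_ldap: checkUID passed");
         return true;
     }
     API::Error("Username Not Valid in system. Error: 3304");
     return FALSE;
 }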