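 /**
  * Gets the specified fields from the misc table.
  *
  * The row is looked up by UserId: the current user's id unless $id is
  * supplied. $id is caller-supplied and goes straight into the where clause;
  * this relies on the db layer binding it as a query parameter rather than
  * interpolating it - confirm against SspDb::get()/getf().
  * @param array|null $fields - fields to get, null (any non-array) gets the lot
  * @param string $errorString - error to generate on failure
  * @param string|null $id - optional user id; empty string or null means the current user
  * @return object
  */
 protected function getMisc($fields, $errorString, $id = "")
 {
     // Strict check: only an absent id falls back to the current user, so a
     // caller passing false/0 is no longer silently treated as "me".
     $where = array();
     if ($id === null || $id === "") {
         $where["UserId"] = $this->id;
     } else {
         $where["UserId"] = $id;
     }
     // getf() restricts the select to the named fields, get() returns the whole row
     if (is_array($fields)) {
         $row = $this->db->getf($this->cfg->userMiscTable, $fields, $where, $errorString);
     } else {
         $row = $this->db->get($this->cfg->userMiscTable, $where, $errorString);
     }
     return $row;
 }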
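 /**
  * Constructor: starts the db-backed session and works out the current
  * user's login state and whether they may view this page.
  *
  * Flow: install the SessionHandler and start the session, set up language
  * and maintenance mode, divert to https if required, run auto-login and
  * page history, load the session row and - when the session carries a
  * user id - load the user row and run the expiry, flag, access-level, IP
  * and random-token checks. Faults go to userFaultHandling(), then the page
  * is finalised and the db cache setting restored.
  * @param string $pageAccessLevel - users allowed to access the page
  * @param bool $pageCheckEquals - if true only this user type can access this page
  * @param bool $doHistory - do history for this page
  * @param ProtectConfig|false $config - Protected session configuration options, false creates the default
  */
 public function __construct($pageAccessLevel = "", $pageCheckEquals = false, $doHistory = true, $config = false)
 {
     global $loginContent;
     if ($config === false) {
         $this->config = new \w34u\ssp\ProtectConfig();
     } else {
         $this->config = $config;
     }
     $this->cfg = Configuration::getConfiguration();
     $this->db = SspDb::getConnection();
     // set up db session handling
     $handler = new SessionHandler();
     session_set_save_handler(array($handler, 'open'), array($handler, 'close'), array($handler, 'read'), array($handler, 'write'), array($handler, 'destroy'), array($handler, 'gc'));
     // the following prevents unexpected effects when using objects as save handlers
     register_shutdown_function("session_write_close");
     session_start();
     $this->setupLanguage();
     $this->maintenanceMode();
     // turn off sql cacheing if it is set, but preserve the status to turn it back on after
     if ($this->db->cache) {
         $queryResultCacheing = true;
         $this->db->cache = false;
     } else {
         $queryResultCacheing = false;
     }
     $pageAccessLevel = $this->checkParameters($pageAccessLevel, $pageCheckEquals);
     if (isset($loginContent)) {
         $_SESSION["SSP_LoginPageAddtionalContent"] = $loginContent;
     }
     // check https:// site, and if fail divert to correct url
     if ($this->cfg->useSSL or $this->config->forceSSLPath) {
         if (!isset($_SERVER['HTTPS']) or $_SERVER['HTTPS'] == "off") {
             // script not called using https
             // NOTE(review): behind a TLS-terminating proxy $_SERVER['HTTPS'] may be
             // unset even for https requests, which would divert in a loop - confirm deployment
             SSP_Divert(SSP_Path(true, true));
         }
     }
     $this->country = "";
     // do any external routines before history is called
     $this->autoLogin();
     if ($doHistory) {
         $this->pageHistory();
     }
     // get all session information for valid sessions
     // (session id and name are bound as query parameters, only identifiers are formatted in)
     $query = sprintf("select * from %s where %s = ? and %s = ?", $this->cfg->sessionTable, $this->db->qt("SessionId"), $this->db->qt("SessionName"));
     $values = array(session_id(), session_name());
     $this->db->query($query, $values, "SSP session handling: Get session information");
     if ($this->db->numRows() > 0) {
         // get result if existing session
         $sessionInfo = $this->db->fetchRow();
         $newSession = false;
     } else {
         $newSession = true;
         $this->log("New session started");
     }
     // process user information if logged in.
     $userFault = false;
     $needHigherLogin = false;
     $userInfo = null;
     // $sessionInfo only exists for an existing session; 'and' short-circuits so the
     // property read is never reached for a new one
     if (!$newSession and trim($sessionInfo->UserId) != "") {
         $where = array("UserId" => $sessionInfo->UserId);
         $userInfo = $this->db->get($this->cfg->userTable, $where, "SSP Session: getting login data");
         if ($this->db->numRows()) {
             // user found
             // check for login expiry
             if ($sessionInfo->SessionTime + $this->cfg->loginExpiry > time()) {
                 $this->loggedIn = true;
                 $this->userId = $userInfo->UserId;
                 $this->userName = $userInfo->UserName;
                 $this->userAccessLevel = $userInfo->UserAccess;
                 if ($this->cfg->userLevels[$this->userAccessLevel] >= $this->cfg->adminLevel) {
                     // admin user
                     $this->admin = true;
                 }
                 // email is stored encrypted
                 $this->userEmail = SSP_decrypt($userInfo->UserEmail);
                 if (isset($userInfo->country) and trim($userInfo->country) != "") {
                     $this->country = $userInfo->country;
                 }
             } else {
                 // expired: drop the user from the session row so it is not re-used
                 $this->log("Login expired");
                 $this->loggedIn = false;
                 $this->db->update($this->cfg->sessionTable, array('UserId' => ''), array('SessionId' => session_id(), 'SessionName' => session_name()), 'SSP Session: clearing user id from expired login');
             }
         } else {
             $this->log("User not found from ID");
             $userFault = true;
         }
     }
     $pageAccess = $this->cfg->userLevels[$pageAccessLevel];
     if ($this->loggedIn) {
         // do security checking for user if logged in
         // validate flags
         $flagsValid = true;
         foreach ($this->cfg->validUserFlags as $flagName => $validFlagValue) {
             if ($userInfo->{$flagName} != $validFlagValue) {
                 $flagsValid = false;
                 $this->log("Invalid user flag " . $flagName . " value required: " . $validFlagValue . " actual: " . $userInfo->{$flagName});
                 break;
             }
         }
         // the checks below are mutually exclusive; the first failure wins
         if (!$flagsValid) {
             $userFault = true;
         } elseif ($this->cfg->userLevels[$userInfo->UserAccess] < $pageAccess) {
             // user does not have a high enough access level
             $userFault = true;
             $needHigherLogin = true;
             // flag higher login needed
             $this->log("User Access level not high enough Level: " . $userInfo->UserAccess . " " . $this->cfg->userLevels[$userInfo->UserAccess] . " Page " . $pageAccess);
         } elseif ($pageCheckEquals and $this->cfg->userLevels[$userInfo->UserAccess] != $pageAccess) {
             // user does not have the correct user access level
             $userFault = true;
             $needHigherLogin = true;
             // flag different login needed
             $this->log("User Access level not equal to the page's level");
         } elseif ($this->cfg->checkIpAddress and SSP_trimIp($sessionInfo->SessionIp) !== SSP_trimIp($_SERVER["REMOTE_ADDR"])) {
             // users IP address has changed
             $userFault = true;
             $this->log("User IP address changed " . SSP_paddIp($_SERVER["REMOTE_ADDR"]));
         } elseif (($this->cfg->fixedIpAddress or $userInfo->UserIpCheck) and SSP_paddIp($sessionInfo->SessionUserIp) !== SSP_paddIp($_SERVER["REMOTE_ADDR"])) {
             // user is at incorrect IP address
             $userFault = true;
             $this->log("User IP address incorrect, UserIP: " . SSP_paddIp($sessionInfo->SessionUserIp) . " Remote IP: " . SSP_paddIp($_SERVER["REMOTE_ADDR"]));
         }
         // The random-token result must be OR-ed into $userFault, not assigned to it:
         // a plain assignment discards the flag, access-level and IP faults found above,
         // letting such a user through whenever the token check alone passes.
         // chackRandom() is still called unconditionally so any side effects it has are kept.
         $randomFault = $this->chackRandom($sessionInfo);
         $userFault = $userFault || $randomFault;
     } else {
         $this->log("User not logged in");
     }
     // handle user faults
     $this->userFaultHandling($pageAccess, $userFault, $needHigherLogin, $queryResultCacheing);
     // final setup of page
     $this->finalSetup($userInfo);
     // restore query cacheing mode
     $this->db->cache = $queryResultCacheing;
 }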