/**
  * Called when a user logs in.
  *
  * @param string $name
  * @param string $password
  * @param boolean $fallback - whether this attempt is a fallback from a failed authentication
  * @param array $PARAMS - optional flags; a truthy 'passwordEncrypted' marks $password as already encoded
  * @return boolean
  */
 function loadUserOnLogin($name, $password, $fallback = false, $PARAMS = array())
 {
     global $login_error;
     $GLOBALS['log']->debug("Starting user load for " . $name);

     // Blank credentials are rejected before any lookup is attempted.
     if (empty($name) || empty($password)) {
         return false;
     }

     // When 'passwordEncrypted' is truthy the supplied value is handed to authenticateUser()
     // as-is instead of going through encodePassword().
     // NOTE(review): in that mode the caller presents the encoded form directly, so $PARAMS
     // must never be populated from request input - confirm against the callers.
     $alreadyEncoded = !empty($PARAMS['passwordEncrypted']);
     $input_hash = $alreadyEncoded ? $password : SugarAuthenticate::encodePassword($password);

     $user_id = $this->authenticateUser($name, $input_hash, $fallback);
     if (!empty($user_id)) {
         $this->loadUserOnSession($user_id);
         return true;
     }

     // NOTE(review): $name is caller-supplied and is concatenated into the log line unmodified.
     $GLOBALS['log']->fatal('SECURITY: User authentication for ' . $name . ' failed');
     return false;
 }
Exemplo n.º 2
 /**
  * pre_login
  * 
  * Override the pre_login function from SugarAuthenticate so that user is
  * redirected to SAML entry point if other is not specified
  */
 function pre_login()
 {
     parent::pre_login();

     // Any non-empty 'no_saml' request parameter suppresses the SAML redirect.
     // NOTE(review): the flag comes straight from the request, so every client can choose to
     // stay on the non-SAML login path - confirm that this is intended for the deployment.
     if (!empty($_REQUEST['no_saml'])) {
         return;
     }

     SugarApplication::redirect('?entryPoint=SAML');
 }
Exemplo n.º 3
 /**
  * Called when a user requests to logout. Should invalidate the session and redirect
  * to the login page.
  */
 public function logout()
 {
     // The current user's before_logout hooks run before the auth controller's logout().
     $currentUser = $GLOBALS['current_user'];
     $currentUser->call_custom_logic('before_logout');

     $this->authController->logout();

     // $GLOBALS['logic_hook'] is read only after LogicHook::initialize() has been called.
     LogicHook::initialize();
     $hooks = $GLOBALS['logic_hook'];
     $hooks->call_custom_logic('Users', 'after_logout');
 }
 /**
  * Get URL for external logout
  * @return string|false false when the authentication is not external
  */
 public function getLogoutUrl()
 {
     // Only an external authentication supplies a logout URL; every other case yields false.
     return $this->isExternal() ? $this->authController->getLogoutUrl() : false;
 }
Exemplo n.º 5
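 public function loginAuthenticate()
 {
     // Identity comes from the box session, not from submitted credentials.
     $user = $this->box->getCurrentUser();
     if (empty($user)) {
         SugarApplication::redirect($this->box->loginUrl());
         // redirect() is expected to end the request; returning here keeps the method
         // fail-closed (no authentication attempt with an empty user) if it ever returns.
         return false;
     }

     // NOTE(review): the parent is called with the box-reported e-mail and an empty password,
     // so the outcome rests on what getCurrentUser() asserts - confirm that the paired
     // user-authenticate class validates the box session rather than the empty password.
     if (parent::loginAuthenticate($user['email'], '', false)) {
         // delete session when done
         // $this->box->deleteSession();
         return true;
     }
     return false;
 }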
 /**
  * Authenticates a user based on the username and password
  * returns true if the user was authenticated false otherwise
  * it also will load the user into current user if he was authenticated
  *
  * @param string $username
  * @param string $password
  * @return boolean 
  */
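 function loginAuthenticate($username, $password, $fallback = false)
 {
     global $mod_strings;
     // session_unregister() was removed in PHP 5.4; clear the stale error through $_SESSION.
     unset($_SESSION['login_error']);

     if ($this->userAuthenticate->loadUserOnLogin($username, $password, $fallback)) {
         return $this->postLoginAuthenticate();
     }

     // A subclass retries once against the stock SugarAuthenticate with $fallback = true,
     // then restores whatever error message its own attempt had recorded.
     if (strtolower(get_class($this)) != 'sugarauthenticate') {
         $sa = new SugarAuthenticate();
         $error = !empty($_SESSION['login_error']) ? $_SESSION['login_error'] : '';
         if ($sa->loginAuthenticate($username, $password, true)) {
             return true;
         }
         $_SESSION['login_error'] = $error;
     }

     $_SESSION['login_user_name'] = $username;
     // NOTE(review): the submitted password is kept in the session in clear text after a failed
     // login, so it lands in session storage; check whether any consumer still needs it.
     $_SESSION['login_password'] = $password;
     if (empty($_SESSION['login_error'])) {
         $_SESSION['login_error'] = $mod_strings['ERR_INVALID_PASSWORD'];
     }
     return false;
 }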
 /**
  * this is called when a user logs in 
  *
  * @param STRING $name
  * @param STRING $password
  * @return boolean
  */
 function loadUserOnLogin($name, $password)
 {
     global $login_error;
     $GLOBALS['log']->debug("Starting user load for " . $name);

     // Blank credentials never reach the lookup.
     if (empty($name) || empty($password)) {
         return false;
     }

     // The password is encoded first; authenticateUser() receives only the encoded form.
     $user_id = $this->authenticateUser($name, SugarAuthenticate::encodePassword($password));
     if (!empty($user_id)) {
         $this->loadUserOnSession($user_id);
         return true;
     }

     // NOTE(review): $name is caller-supplied and is concatenated into the log line unmodified.
     $GLOBALS['log']->fatal('SECURITY: User authentication for ' . $name . ' failed');
     return false;
 }
 /**
  * this is called when a user logs in
  *
  * @param STRING $name
  * @param STRING $password
  * @return boolean
  */
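 function loadUserOnLogin($name, $password)
 {
     global $login_error;
     Log::debug("Starting user load for " . $name);
     if (empty($name) || empty($password)) {
         return false;
     }

     // Step 1: verify the password whenever no token challenge is pending. Testing both session
     // keys guarantees $user_id is defined before a token is issued below; the previous check
     // on 'lastUserId' alone could reach the token branch with $user_id undefined.
     if (empty($_SESSION['lastUserId']) || empty($_SESSION['emailAuthToken'])) {
         $input_hash = SugarAuthenticate::encodePassword($password);
         $user_id = $this->authenticateUser($name, $input_hash);
         if (empty($user_id)) {
             Log::fatal('SECURITY: User authentication for ' . $name . ' failed');
             return false;
         }
     }

     // Step 2: no token yet - generate one, remember who it belongs to and e-mail it.
     if (empty($_SESSION['emailAuthToken'])) {
         $token = '';
         for ($i = 0; $i < $this->passwordLength; $i++) {
             // The token is a login secret, so draw it from the CSPRNG. mt_rand() is predictable
             // and stays only as a fallback for runtimes without random_int() (PHP < 7).
             $code = function_exists('random_int') ? random_int(48, 90) : mt_rand(48, 90);
             $token .= chr($code);
         }
         $token = str_replace(array('<', '>'), array('#', '@'), $token);

         $_SESSION['lastUserId'] = $user_id;
         $_SESSION['lastUserName'] = $name;
         $_SESSION['emailAuthToken'] = $token;
         $_SESSION['login_error'] = 'Please Enter Your User Name and Emailed Session Token';
         $this->sendEmailPassword($user_id, $token);
         return false;
     }

     // Step 3: a token is pending - the "password" field must now carry that token.
     // Only strings are accepted and the comparison is strict: with the old loose
     // `strcmp(...) == 0`, a NULL result for a non-string argument (PHP < 8) counted as a match.
     $expectedName = isset($_SESSION['lastUserName']) ? $_SESSION['lastUserName'] : null;
     $expectedToken = $_SESSION['emailAuthToken'];
     $inputsAreStrings = is_string($name) && is_string($password)
         && is_string($expectedName) && is_string($expectedToken);
     if ($inputsAreStrings && $name === $expectedName) {
         // Constant-time comparison where the runtime offers it (PHP >= 5.6).
         $tokenMatches = function_exists('hash_equals')
             ? hash_equals($expectedToken, $password)
             : $password === $expectedToken;
         if ($tokenMatches) {
             $this->loadUserOnSession($_SESSION['lastUserId']);
             unset($_SESSION['lastUserId']);
             unset($_SESSION['lastUserName']);
             unset($_SESSION['emailAuthToken']);
             return true;
         }
     }

     $_SESSION['login_error'] = 'Please Enter Your User Name and Emailed Session Token';
     return false;
 }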
Exemplo n.º 9
 /**
  * Authenticates a user based on the username and password
  * returns true if the user was authenticated false otherwise
  * it also will load the user into current user if he was authenticated
  *
  * @param string $username
  * @param string $password
  * @return boolean
  */
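 function loginAuthenticate($username, $password, $fallback = false, $PARAMS = array())
 {
     global $mod_strings;
     unset($_SESSION['login_error']);

     // Lockout policy. $res used to be read in the failure branch without ever being assigned,
     // so the condition was always false and the failed-login counter never advanced.
     $res = isset($GLOBALS['sugar_config']['passwordsetting'])
         ? $GLOBALS['sugar_config']['passwordsetting']
         : array();

     $usr = new user();
     $usr_id = $usr->retrieve_user_id($username);
     $usr->retrieve($usr_id);
     $_SESSION['login_error'] = '';
     $_SESSION['waiting_error'] = '';
     // NOTE(review): this literal and the one set when the password has expired are identical
     // in this listing, so the two states cannot be told apart - the values look masked; confirm
     // against the upstream file.
     $_SESSION['hasExpiredPassword'] = '******';

     if ($this->userAuthenticate->loadUserOnLogin($username, $password, $fallback, $PARAMS)) {
         require_once 'modules/Users/password_utils.php';
         if (hasPasswordExpired($username)) {
             $_SESSION['hasExpiredPassword'] = '******';
         }
         // now that user is authenticated, reset loginfailed
         if ($usr->getPreference('loginfailed') != '' && $usr->getPreference('loginfailed') != 0) {
             $usr->setPreference('loginfailed', '0');
             $usr->savePreferencesToDB();
         }
         return $this->postLoginAuthenticate();
     } else {
         // Count the failure only for an existing user and only while lockout is enabled.
         if (!empty($usr_id) && isset($res['lockoutexpiration']) && $res['lockoutexpiration'] > 0) {
             if (($logout = $usr->getPreference('loginfailed')) == '') {
                 $usr->setPreference('loginfailed', '1');
             } else {
                 $usr->setPreference('loginfailed', $logout + 1);
             }
             $usr->savePreferencesToDB();
         }
     }

     // A subclass retries once against the stock SugarAuthenticate with $fallback = true,
     // then restores whatever error message its own attempt had recorded.
     if (strtolower(get_class($this)) != 'sugarauthenticate') {
         $sa = new SugarAuthenticate();
         $error = !empty($_SESSION['login_error']) ? $_SESSION['login_error'] : '';
         if ($sa->loginAuthenticate($username, $password, true, $PARAMS)) {
             return true;
         }
         $_SESSION['login_error'] = $error;
     }

     $_SESSION['login_user_name'] = $username;
     // NOTE(review): the submitted password is kept in the session in clear text after a failed
     // login, so it lands in session storage; check whether any consumer still needs it.
     $_SESSION['login_password'] = $password;
     if (empty($_SESSION['login_error'])) {
         $_SESSION['login_error'] = translate('ERR_INVALID_PASSWORD', 'Users');
     }
     return false;
 }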
Exemplo n.º 10
 /**
  * Constructs LDAPAuthenticate
  * This will load the user authentication class
  *
  * @return LDAPAuthenticate
  */
 function LDAPAuthenticate()
 {
     // Delegates to the parent's same-style constructor method.
     // NOTE(review): this relies on the PHP 4 convention of a constructor named after the
     // class, which PHP 8 no longer treats as a constructor; __construct() is the portable form.
     parent::SugarAuthenticate();
 }
Exemplo n.º 11
 /**
  * Constructs EmailAuthenticate
  * This will load the user authentication class
  *
  * @return EmailAuthenticate
  */
 function EmailAuthenticate()
 {
     // Delegates to the parent's same-style constructor method.
     // NOTE(review): this relies on the PHP 4 convention of a constructor named after the
     // class, which PHP 8 no longer treats as a constructor; __construct() is the portable form.
     parent::SugarAuthenticate();
 }
Exemplo n.º 12
 /**
  * pre_login
  * 
  * Override the pre_login function from SugarAuthenticate so that user is
  * redirected to SAML entry point if other is not specified
  */
 function pre_login()
 {
     // Run the base pre-login handling first, then hand the application object to
     // redirectToLogin(). Unlike a request-flag check, this call is unconditional here.
     parent::pre_login();
     $this->redirectToLogin($GLOBALS['app']);
 }
Exemplo n.º 13
 /**
  * Constructs LDAPAuthenticate
  * This will load the user authentication class
  *
  * @return LDAPAuthenticate
  */
 function __construct()
 {
     // No setup of its own: construction is delegated entirely to the parent class.
     parent::__construct();
 }
Exemplo n.º 14
 /**
  * Authenticates a user based on the username and password
  * returns true if the user was authenticated false otherwise
  * it also will load the user into current user if he was authenticated
  *
  * @param string $username
  * @param string $password
  * @return boolean
  */
 function loginAuthenticate($username, $password, $fallback = false, $PARAMS = array())
 {
     // Flow: (1) refuse the attempt while the account is locked out, (2) delegate the credential
     // check to $this->userAuthenticate, (3) on failure bump the 'loginfailed' preference and,
     // for subclasses, retry once through the stock SugarAuthenticate.
     global $app_strings;
     unset($_SESSION['login_error']);
     // Lockout policy comes from the 'passwordsetting' section of the global config.
     $res = $GLOBALS['sugar_config']['passwordsetting'];
     $usr = BeanFactory::getBean('Users');
     $usr->retrieve_by_string_fields(array('user_name' => $username));
     $_SESSION['login_error'] = '';
     $_SESSION['waiting_error'] = '';
     // NOTE(review): this literal and the one set when the password has expired are identical
     // in this listing, so the two states cannot be told apart - the values look masked; confirm.
     $_SESSION['hasExpiredPassword'] = '******';
     $usr->reloadPreferences();
     // if there is too many login attempts
     // The lockout check applies only to an existing, non-portal user and only while
     // 'lockoutexpiration' is enabled; it runs before the credentials are looked at.
     if (!empty($usr->id) && $res['lockoutexpiration'] > 0 && $usr->getPreference('loginfailed') >= $res['lockoutexpirationlogin'] && !$usr->portal_only) {
         // if there is a lockout time set
         if ($res['lockoutexpiration'] == '2') {
             // lockout date is now if not set
             if (($logout_time = $usr->getPreference('logout_time')) == '') {
                 $usr->setPreference('logout_time', TimeDate::getInstance()->nowDb());
                 $logout_time = $usr->getPreference('logout_time');
             }
             // Bug # 45922 - calculating the expiretime properly
             // NOTE(review): $stim is assigned here but never read in this function.
             $stim = strtotime($logout_time);
             $mins = $res['lockoutexpirationtime'] * $res['lockoutexpirationtype'];
             $expiretime = TimeDate::getInstance()->fromDb($logout_time)->modify("+{$mins} minutes")->asDb();
             // Test if the user is still locked out and return a error message
             // NOTE(review): this compares the two DB-format values with `<`; presumably both are
             // sortable date strings in the same timezone - confirm.
             if (TimeDate::getInstance()->nowDb() < $expiretime) {
                 $usr->setPreference('lockout', '1');
                 $_SESSION['login_error'] = $app_strings['LBL_LOGIN_ATTEMPTS_OVERRUN'] . ' ';
                 $_SESSION['login_error'] .= $app_strings['LBL_LOGIN_LOGIN_TIME_ALLOWED'] . ' ';
                 // Remaining lockout in seconds, reported in the largest non-zero unit.
                 $lol = strtotime($expiretime) - strtotime(TimeDate::getInstance()->nowDb());
                 switch (true) {
                     case floor($lol / 86400) != 0:
                         $_SESSION['login_error'] .= floor($lol / 86400) . $app_strings['LBL_LOGIN_LOGIN_TIME_DAYS'];
                         break;
                     case floor($lol / 3600) != 0:
                         $_SESSION['login_error'] .= floor($lol / 3600) . $app_strings['LBL_LOGIN_LOGIN_TIME_HOURS'];
                         break;
                     case floor($lol / 60) != 0:
                         $_SESSION['login_error'] .= floor($lol / 60) . $app_strings['LBL_LOGIN_LOGIN_TIME_MINUTES'];
                         break;
                     case floor($lol) != 0:
                         $_SESSION['login_error'] .= floor($lol) . $app_strings['LBL_LOGIN_LOGIN_TIME_SECONDS'];
                         break;
                 }
                 $usr->savePreferencesToDB();
                 return false;
             } else {
                 // Lockout window has passed: clear the lockout state and fall through to the
                 // normal credential check below.
                 $usr->setPreference('lockout', '');
                 $usr->setPreference('loginfailed', '0');
                 $usr->setPreference('logout_time', '');
                 $usr->savePreferencesToDB();
             }
         } else {
             // Any other enabled setting has no timed expiry in this function: the account stays
             // locked and the user is shown the "call the administrator" message.
             $usr->setPreference('lockout', '1');
             $_SESSION['login_error'] = $app_strings['LBL_LOGIN_ATTEMPTS_OVERRUN'];
             $_SESSION['waiting_error'] = $app_strings['LBL_LOGIN_ADMIN_CALL'];
             $usr->savePreferencesToDB();
             return false;
         }
     }
     if ($this->userAuthenticate->loadUserOnLogin($username, $password, $fallback, $PARAMS)) {
         require_once 'modules/Users/password_utils.php';
         if (hasPasswordExpired($username, true)) {
             $_SESSION['hasExpiredPassword'] = '******';
         }
         // now that user is authenticated, reset loginfailed
         if ($usr->getPreference('loginfailed') != '' && $usr->getPreference('loginfailed') != 0) {
             $usr->setPreference('loginfailed', '0');
             $usr->savePreferencesToDB();
         }
         $this->updateUserLastLogin($usr);
         return $this->postLoginAuthenticate();
     } else {
         // Count the failure only for an existing user and only while lockout is enabled.
         if (!empty($usr->id) && isset($res['lockoutexpiration']) && $res['lockoutexpiration'] > 0) {
             if (($logout = $usr->getPreference('loginfailed')) == '') {
                 $usr->setPreference('loginfailed', '1');
             } else {
                 $usr->setPreference('loginfailed', $logout + 1);
             }
             $usr->savePreferencesToDB();
         }
     }
     // A subclass retries once against the stock SugarAuthenticate with $fallback = true,
     // then restores whatever error message its own attempt had recorded.
     if (strtolower(get_class($this)) != 'sugarauthenticate') {
         $sa = new SugarAuthenticate();
         $error = !empty($_SESSION['login_error']) ? $_SESSION['login_error'] : '';
         if ($sa->loginAuthenticate($username, $password, true, $PARAMS)) {
             return true;
         }
         $_SESSION['login_error'] = $error;
     }
     $_SESSION['login_user_name'] = $username;
     // NOTE(review): the submitted password is kept in the session in clear text after a failed
     // login, so it lands in session storage; check whether any consumer still needs it.
     $_SESSION['login_password'] = $password;
     if (empty($_SESSION['login_error'])) {
         $_SESSION['login_error'] = translate('ERR_INVALID_PASSWORD', 'Users');
     }
     return false;
 }
Exemplo n.º 15
 /**
  * Authenticates a user based on the username and password
  * returns true if the user was authenticated false otherwise
  * it also will load the user into current user if he was authenticated
  *
  * @param string $username
  * @param string $password
  * @return boolean 
  */
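 function loginAuthenticate($username, $password, $fallback = false)
 {
     global $mod_strings;
     // session_unregister() was removed in PHP 5.4; clear the stale error through $_SESSION.
     unset($_SESSION['login_error']);

     $usr = new user();
     $usr_id = $usr->retrieve_user_id($username);
     $usr->retrieve($usr_id);
     $_SESSION['login_error'] = '';
     $_SESSION['waiting_error'] = '';
     // NOTE(review): this literal and the one set when the password has expired are identical
     // in this listing, so the two states cannot be told apart - the values look masked; confirm
     // against the upstream file.
     $_SESSION['hasExpiredPassword'] = '******';

     if ($this->userAuthenticate->loadUserOnLogin($username, $password, $fallback)) {
         require_once 'modules/Users/password_utils.php';
         if (hasPasswordExpired($username)) {
             $_SESSION['hasExpiredPassword'] = '******';
         }
         // NOTE(review): 'loginfailed' is incremented on failure below but is not reset on this
         // success path - confirm whether it is cleared elsewhere.
         return $this->postLoginAuthenticate();
     } else {
         // Count the failure against the account when the user name resolves to a user.
         if (!empty($usr_id)) {
             if (($logout = $usr->getPreference('loginfailed')) == '') {
                 $usr->setPreference('loginfailed', '1');
             } else {
                 $usr->setPreference('loginfailed', $logout + 1);
             }
             $usr->savePreferencesToDB();
         }
     }

     // A subclass retries once against the stock SugarAuthenticate with $fallback = true,
     // then restores whatever error message its own attempt had recorded.
     if (strtolower(get_class($this)) != 'sugarauthenticate') {
         $sa = new SugarAuthenticate();
         $error = !empty($_SESSION['login_error']) ? $_SESSION['login_error'] : '';
         if ($sa->loginAuthenticate($username, $password, true)) {
             return true;
         }
         $_SESSION['login_error'] = $error;
     }

     $_SESSION['login_user_name'] = $username;
     // NOTE(review): the submitted password is kept in the session in clear text after a failed
     // login, so it lands in session storage; check whether any consumer still needs it.
     $_SESSION['login_password'] = $password;
     if (empty($_SESSION['login_error'])) {
         $_SESSION['login_error'] = $mod_strings['ERR_INVALID_PASSWORD'];
     }
     return false;
 }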
Exemplo n.º 16
 /**
  * Constructs SAMLAuthenticate
  * This will load the user authentication class
  *
  * @return SAMLAuthenticate
  */
 function SAMLAuthenticate()
 {
     // Delegates to the parent's same-style constructor method.
     // NOTE(review): this relies on the PHP 4 convention of a constructor named after the
     // class, which PHP 8 no longer treats as a constructor; __construct() is the portable form.
     parent::SugarAuthenticate();
 }
 // Presumably the constructor of a LatchAuthenticate class (the class header is not shown
 // here); it only calls the parent's SugarAuthenticate() method.
 function LatchAuthenticate()
 {
     // NOTE(review): if this is meant as a constructor, it relies on the PHP 4 naming
     // convention, which PHP 8 no longer honours; __construct() is the portable form.
     parent::SugarAuthenticate();
 }