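/**
 * LDAP pre-authentication hook for a username/password pair.
 *
 * Returns true whenever LDAP should not decide the outcome (LDAP is not
 * configured, or the user has no LDAP entry) so that the normal local
 * password check still runs. Returns false only when an LDAP entry exists
 * and the bind with the supplied password fails, or when syncing the local
 * user record fails.
 *
 * @param string $username
 * @param string $password
 * @return bool true to continue with normal authentication, false to block the login
 * @throws \Exception when ldap_create_mailbox_domains is set but the serverclient module is not available
 */
public function authenticate($username, $password) {
    if (empty(\GO::config()->ldap_peopledn)) {
        \GO::debug('LDAPAUTH: Aborting because the following required value is not set: $config["ldap_peopledn"]');
        return true;
    }

    $record = \GO\Ldapauth\Model\Person::findByUsername($username);
    if (!$record) {
        // A missing LDAP entry must not block normal (local) authentication.
        \GO::debug("LDAPAUTH: No LDAP entry found for " . $username);
        return true;
    }

    if (!$record->authenticate($password)) {
        // Same log line shape as the core login failure line so both can be
        // correlated by the same tooling.
        // NOTE(review): $username is logged as-is; consider stripping CR/LF before logging.
        $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
        \GO::infolog("LOGIN FAILED for user: \"" . $username . "\" from IP: " . $ip);
        return false;
    }

    \GO::debug("LDAPAUTH: LDAP authentication SUCCESS for " . $username);

    if (!empty(\GO::config()->ldap_create_mailbox_domains)) {
        if (!\GO::modules()->serverclient) {
            throw new \Exception("The serverclient module must be installed and configured when using \$config['GO::config()->ldap_create_mailbox_domains']. See https://www.group-office.com/wiki/Mailserver#Optionally_install_the_serverclient");
        }
        // Handed to the serverclient module through the request superglobal;
        // presumably it reads this key when the user/mailbox is created — verify against that module.
        $_POST['serverclient_domains'] = \GO::config()->ldap_create_mailbox_domains;
    } else {
        \GO::debug("LDAPAUTH: Found LDAP entry found for " . $username);
    }

    $user = $this->syncUserWithLdapRecord($record, $password);
    if (!$user) {
        return false;
    }

    try {
        $this->_checkEmailAccounts($user, $password);
    } catch (\Exception $e) {
        // A mailbox sync failure must not undo a successful LDAP login; surface it as a PHP error instead.
        trigger_error("LDAPAUTH: Failed to create or update e-mail account for user " . $user->username . "\n\n" . $e->getMessage());
    }

    // Explicit success so callers testing `=== false` and `=== true` both behave.
    return true;
}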
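/**
 * Switches the current session to another user (admin "login as" feature).
 *
 * Clears the session values, makes the selected user current, keeps the
 * debug flag if it was set, writes an info log line (plus a 'switchuser'
 * log entry when the log module is installed) and redirects.
 *
 * NOTE(review): this action performs no admin check of its own; confirm
 * that admin-only access is enforced elsewhere (controller permission
 * level / module access) before relying on it.
 *
 * @param array $params request parameters; requires 'user_id'
 * @return void
 * @throws \Exception when no user exists for the given user_id
 */
protected function actionSwitch($params) {
    $oldUsername = \GO::user()->username;
    $debug = !empty(\GO::session()->values['debug']);

    $userId = isset($params['user_id']) ? $params['user_id'] : null;
    $user = \GO\Base\Model\User::model()->findByPk($userId);
    if (!$user) {
        // Fail before touching the session so the admin is not logged out on a bad id.
        throw new \Exception("User with id '" . $userId . "' not found");
    }

    \GO::session()->values = array(); //clear session
    \GO::session()->setCurrentUser($user->id);

    if ($debug) {
        \GO::session()->values['debug'] = $debug;
    }

    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    \GO::infolog("ADMIN logged-in as user: \"" . $user->username . "\" from IP: " . $ip);

    if (\GO::modules()->isInstalled('log')) {
        \GO\Log\Model\Log::create('switchuser', "'" . $oldUsername . "' logged in as '" . $user->username . "'");
    }

    $this->redirect();
}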
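/**
 * Logs a user in.
 *
 * Fires 'beforelogin' (a listener returning false aborts), then checks that
 * the user exists, is enabled and that the password verifies. Every attempt
 * is written to the info log together with the remote IP. On success the
 * user becomes the current session user, the login counters are updated
 * (when $countLogin is true), the 'login' event fires and the session id is
 * regenerated.
 *
 * NOTE(review): the checks short-circuit, so an unknown or disabled user
 * returns faster than a wrong password; consider whether that timing
 * difference matters for this deployment.
 *
 * @param string $username
 * @param string $password
 * @param bool $countLogin whether to bump lastlogin/logins, clear temp files and write the login log entry
 * @return Model\User or false on failure.
 */
public function login($username, $password, $countLogin = true) {
    if (!$this->fireEvent('beforelogin', array($username, $password, $countLogin))) {
        return false;
    }

    $user = Model\User::model()->findSingleByAttribute('username', $username);

    $success = true;
    if (!$user) {
        \GO::debug("LOGIN: User " . $username . " not found");
        $success = false;
    } elseif (!$user->enabled) {
        \GO::debug("LOGIN: User " . $username . " is disabled");
        $success = false;
    } elseif (!$user->checkPassword($password)) {
        \GO::debug("LOGIN: Incorrect password for " . $username);
        $success = false;
    }

    // Audit line for every attempt, successful or not.
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    $str = "LOGIN " . ($success ? "SUCCESS" : "FAILED") . " for user: \"" . $username . "\" from IP: " . $ip;
    \GO::infolog($str);
    \GO::debug($str);

    if (!$success) {
        return false;
    }

    $this->_user = $user;
    $this->setCurrentUser($user->id);

    if ($countLogin) {
        $user->lastlogin = time();
        $user->logins++;
        $user->save(true);
        $this->clearUserTempFiles();
    }

    $this->fireEvent('login', array($username, $password, $user, $countLogin));

    // Session fixation defence: session.use_only_cookies must be enabled so
    // only cookies may carry the session id, and the id is regenerated after a
    // successful authentication so an id chosen before login never identifies
    // the authenticated session. Passing true also discards the old session
    // data, so the pre-login id stops working immediately rather than at GC time.
    if (PHP_SAPI != 'cli' && !defined('GO_NO_SESSION')) {
        session_regenerate_id(true);
    }

    if ($countLogin) {
        $this->_log(\GO\Log\Model\Log::ACTION_LOGIN);
    }

    \GO::session()->values['countLogin'] = $countLogin;

    return $user;
}
}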
}

// Bootstrap for plain page requests (no controller route in 'r', not CLI):
// replay a pending post-login redirect, make sure the installation is
// complete and up to date, then hand over to the router.
if (empty($_REQUEST['r']) && PHP_SAPI != 'cli') {
    // A URL stored before the login screen was shown is replayed once.
    // NOTE(review): the value is read from the session, not the request; confirm
    // that wherever after_login_url is written it is restricted to a local URL,
    // otherwise this header() is an open redirect.
    if (\GO::user() && isset($_SESSION['GO_SESSION']['after_login_url'])) {
        $afterLoginUrl = \GO::session()->values['after_login_url'];
        unset(\GO::session()->values['after_login_url']);
        header('Location: ' . $afterLoginUrl);
        exit;
    }

    // Installed means: a config file exists, a db user is configured and the
    // database holds at least one table.
    $hasConfig = \GO::config()->get_config_file() && !empty(\GO::config()->db_user);
    $isInstalled = $hasConfig && \GO::getDbConnection()->query("SHOW TABLES")->rowCount() > 0;
    if (!$isInstalled) {
        header('Location: ' . \GO::config()->host . 'install/');
        exit;
    }

    // A database upgrade is pending when the recorded upgrade mtime differs
    // from the configured one. Loose comparison kept as written: the two
    // values may differ in type (stored setting vs. config) — confirm before
    // tightening to !==.
    $upgradeMtime = \GO::config()->get_setting('upgrade_mtime');
    if ($upgradeMtime != \GO::config()->mtime) {
        \GO::infolog("Running system update");
        header('Location: ' . \GO::url('maintenance/upgrade'));
        exit;
    }
}

\GO::router()->runController();