protected function setUp()
{
$o_dm = new Datamodel(true);
// PHPUnit seems to barf on the caching code if we don't instanciate a Datamodel instance
$o_dm->getTableNum("ca_objects");
// set up test role
$this->opt_role = new ca_user_roles();
$this->opt_role->setMode(ACCESS_WRITE);
$this->opt_role->set("name", "UnitTestRole");
$this->opt_role->set("code", "unit_test_role");
if (!$this->opt_role->insert()) {
print "ERROR inserting role: " . join(" ", $this->opt_role->getErrors()) . "\n";
}
$this->opt_role->setMode(ACCESS_READ);
// set up test user
$this->ops_username = "******";
$this->ops_password = "******";
$this->opt_user = new ca_users();
$this->opt_user->setMode(ACCESS_WRITE);
$this->opt_user->set(array('user_name' => $this->ops_username, 'password' => $this->ops_password, 'email' => '*****@*****.**', 'active' => 1, 'userclass' => 0, 'fname' => 'Test', 'lname' => "User"));
if (!$this->opt_user->insert()) {
print "ERROR inserting user: "******" ", $this->opt_user->getErrors()) . "\n";
}
$this->opt_user->addRoles("unit_test_role");
$this->opt_user->setMode(ACCESS_READ);
global $req, $resp;
$resp = new ResponseHTTP();
$req = new RequestHTTP($resp, array("dont_create_new_session" => true));
$this->assertInstanceOf('ca_users', $this->opt_user);
$this->assertInstanceOf('ca_user_roles', $this->opt_role);
}
public function processLogins()
{
if ($this->ops_base_name) {
// "merge" profile and its base
$va_logins = array();
if ($this->opo_base->logins) {
foreach ($this->opo_base->logins->children() as $vo_login) {
$vs_logins[self::getAttribute($vo_login, "user_name")] = $vo_login;
}
}
if ($this->opo_profile->logins) {
foreach ($this->opo_profile->logins->children() as $vo_login) {
$va_logins[self::getAttribute($vo_login, "user_name")] = $vo_login;
}
}
} else {
if ($this->opo_profile->logins) {
foreach ($this->opo_profile->logins->children() as $vo_login) {
$va_logins[self::getAttribute($vo_login, "user_name")] = $vo_login;
}
}
}
// If no logins are defined in the profile create an admin login with random password
if (!sizeof($va_logins)) {
$vs_password = $this->createAdminAccount();
return array('administrator' => $vs_password);
}
$va_login_info = array();
foreach ($va_logins as $vs_user_name => $vo_login) {
if (!($vs_password = trim((string) self::getAttribute($vo_login, "password")))) {
$vs_password = $this->getRandomPassword();
}
$t_user = new ca_users();
$t_user->setMode(ACCESS_WRITE);
$t_user->set('user_name', $vs_user_name = trim((string) self::getAttribute($vo_login, "user_name")));
$t_user->set('password', $vs_password);
$t_user->set('fname', trim((string) self::getAttribute($vo_login, "fname")));
$t_user->set('lname', trim((string) self::getAttribute($vo_login, "lname")));
$t_user->set('email', trim((string) self::getAttribute($vo_login, "email")));
$t_user->set('active', 1);
$t_user->set('userclass', 0);
$t_user->insert();
$va_roles = array();
if ($vo_login->role) {
foreach ($vo_login->role as $vo_role) {
$va_roles[] = trim((string) self::getAttribute($vo_role, "code"));
}
}
if (sizeof($va_roles)) {
$t_user->addRoles($va_roles);
}
$va_groups = array();
if ($vo_login->group) {
foreach ($vo_login->group as $vo_group) {
$va_groups[] = trim((string) self::getAttribute($vo_group, "code"));
}
}
if (sizeof($va_groups)) {
$t_user->addToGroups($va_groups);
}
if ($t_user->numErrors()) {
$this->addError("Errors adding login {$vs_user_name}: " . join("; ", $t_user->getErrors()));
return false;
}
$va_login_info[$vs_user_name] = $vs_password;
}
return $va_login_info;
}
function register()
{
if ($this->request->config->get('dont_allow_registration_and_login')) {
$this->notification->addNotification(_t("Registration is not enabled"), __NOTIFICATION_TYPE_ERROR__);
$this->redirect(caNavUrl($this->request, '', 'Front', 'Index'));
return;
}
MetaTagManager::setWindowTitle($this->request->config->get("app_display_name") . ": " . _t("Register"));
# logout user in case is already logged in
$this->request->deauthenticate();
$t_user = new ca_users();
$t_user->purify(true);
# --- process incoming registration attempt
$ps_email = $this->request->getParameter("email", pString);
$ps_fname = $this->request->getParameter("fname", pString);
$ps_lname = $this->request->getParameter("lname", pString);
$ps_password = $this->request->getParameter("password", pString);
$ps_password2 = $this->request->getParameter("password2", pString);
$ps_security = $this->request->getParameter("security", pString);
$va_errors = array();
if (!caCheckEmailAddress($ps_email)) {
$va_errors["email"] = _t("E-mail address is not valid.");
} else {
$t_user->set("email", $ps_email);
}
if (!$ps_fname) {
$va_errors["fname"] = _t("Please enter your first name");
} else {
$t_user->set("fname", $ps_fname);
}
if (!$ps_lname) {
$va_errors["lname"] = _t("Please enter your last name");
} else {
$t_user->set("lname", $ps_lname);
}
if (!$ps_password || !$ps_password2) {
$va_errors["password"] = _t("Please enter and re-type your password.");
} else {
if ($ps_password != $ps_password2) {
$va_errors["password"] = _t("Passwords do not match");
} else {
$t_user->set("password", $ps_password);
}
}
if (!$ps_security) {
$va_errors["security"] = _t("Please answer the security question.");
} else {
if ($ps_security != $_REQUEST["sum"]) {
$va_errors["security"] = _t("Your answer was incorrect, please try again");
}
}
// Check user profile responses
$va_profile_prefs = $t_user->getValidPreferences('profile');
if (is_array($va_profile_prefs) && sizeof($va_profile_prefs)) {
foreach ($va_profile_prefs as $vs_pref) {
$vs_pref_value = $this->request->getParameter('pref_' . $vs_pref, pString);
if (!$t_user->isValidPreferenceValue($vs_pref, $vs_pref_value)) {
$va_errors[$vs_pref] = join("; ", $t_user->getErrors());
$t_user->clearErrors();
}
}
}
# --- does deleted user login record for this user already exist?
# --- (look for active records only; inactive records will effectively block reregistration)
$vb_user_exists_but_is_deleted = false;
if ($t_user->load(array('user_name' => $ps_email))) {
if ((int) $t_user->get('userclass') == 255) {
if ($t_user->get('active') == 1) {
// yeah... so allow registration
$vb_user_exists_but_is_deleted = true;
} else {
// existing inactive user record blocks registration
$va_errors["email"] = _t("User cannot register");
}
} else {
// already valid login with this user name
$va_errors["email"] = _t("A user has already registered with this email address");
}
}
# get names of form fields
$va_fields = $t_user->getFormFields();
# loop through fields
foreach ($va_fields as $vs_f => $va_attr) {
switch ($vs_f) {
case "user_name":
if (!$vb_user_exists_but_is_deleted && !sizeof($va_errors)) {
# set field value
$t_user->set("user_name", $ps_email);
if ($t_user->numErrors() > 0) {
$va_errors[$vs_f] = join("; ", $t_user->getErrors());
}
}
break;
# -------------
# -------------
case "active":
if ($this->request->config->get('dont_approve_logins_on_registration')) {
$t_user->set("active", 0);
} else {
$t_user->set("active", 1);
}
break;
# -------------
# -------------
case "userclass":
$t_user->set("userclass", 1);
// 1=public-only
break;
# -------------
# -------------
default:
if (!$va_errors[$vs_f]) {
$t_user->set($vs_f, $_REQUEST[$vs_f]);
# set field values
if ($t_user->numErrors() > 0) {
$va_errors[$vs_f] = join("; ", $t_user->getErrors());
}
}
break;
# -------------
}
}
// Save user profile responses
if (is_array($va_profile_prefs) && sizeof($va_profile_prefs)) {
foreach ($va_profile_prefs as $vs_pref) {
$t_user->setPreference($vs_pref, $this->request->getParameter('pref_' . $vs_pref, pString));
}
}
if (sizeof($va_errors) == 0) {
# --- there are no errors so make new user record
$t_user->setMode(ACCESS_WRITE);
if ($vb_user_exists_but_is_deleted) {
$t_user->update();
} else {
$t_user->insert();
}
$pn_user_id = $t_user->get("user_id");
if ($t_user->numErrors()) {
$va_errors["register"] = join("; ", $t_user->getErrors());
} else {
# --- add default roles
if (($va_default_roles = $this->request->config->getList('registration_default_roles')) && sizeof($va_default_roles)) {
$t_user->addRoles($va_default_roles);
}
# --- user is joining a user group from a supplied link
if ($this->request->session->getVar("join_user_group_id")) {
if (!$t_user->inGroup($this->request->session->getVar("join_user_group_id"))) {
$t_user->addToGroups($this->request->session->getVar("join_user_group_id"));
$this->request->session->setVar("join_user_group_id", "");
$vs_group_message = _t(" You were added to the group");
} else {
$this->request->session->setVar("join_user_group_id", "");
$vs_group_message = _t(" You are already a member of the group");
}
}
# --- send email confirmation
$o_view = new View($this->request, array($this->request->getViewsDirectoryPath()));
# -- generate email subject line from template
$vs_subject_line = $o_view->render("mailTemplates/reg_conf_subject.tpl");
# -- generate mail text from template - get both the text and the html versions
$vs_mail_message_text = $o_view->render("mailTemplates/reg_conf.tpl");
$vs_mail_message_html = $o_view->render("mailTemplates/reg_conf_html.tpl");
caSendmail($t_user->get('email'), $this->request->config->get("ca_admin_email"), $vs_subject_line, $vs_mail_message_text, $vs_mail_message_html);
if ($this->request->config->get("email_notification_for_new_registrations")) {
# --- send email to admin
$o_view = new View($this->request, array($this->request->getViewsDirectoryPath()));
$o_view->setVar("t_user", $t_user);
# -- generate email subject line from template
$vs_subject_line = $o_view->render("mailTemplates/reg_admin_notification_subject.tpl");
# -- generate mail text from template - get both the text and the html versions
$vs_mail_message_text = $o_view->render("mailTemplates/reg_admin_notification.tpl");
$vs_mail_message_html = $o_view->render("mailTemplates/reg_admin_notification_html.tpl");
caSendmail($this->request->config->get("ca_admin_email"), $this->request->config->get("ca_admin_email"), $vs_subject_line, $vs_mail_message_text, $vs_mail_message_html);
}
$t_user = new ca_users();
$vs_action = $vs_controller = $vs_module_path = '';
if ($vs_default_action = $this->request->config->get('default_action')) {
$va_tmp = explode('/', $vs_default_action);
$vs_action = array_pop($va_tmp);
if (sizeof($va_tmp)) {
$vs_controller = array_pop($va_tmp);
}
if (sizeof($va_tmp)) {
$vs_module_path = join('/', $va_tmp);
}
} else {
$vs_controller = 'Splash';
$vs_action = 'Index';
}
$vs_url = caNavUrl($this->request, $vs_module_path, $vs_controller, $vs_action);
if ($t_user->get("active")) {
# log in the new user
$this->request->doAuthentication(array('dont_redirect' => true, 'user_name' => $ps_email, 'password' => $ps_password));
if ($this->request->isLoggedIn()) {
if ($this->request->isAjax()) {
$this->view->setVar("message", _t('Thank you for registering! You are now logged in.') . $vs_group_message);
$this->render("Form/reload_html.php");
return;
} else {
$this->notification->addNotification(_t('Thank you for registering! You are now logged in.') . $vs_group_message, __NOTIFICATION_TYPE_INFO__);
$this->response->setRedirect($vs_url);
}
} else {
$va_errors["register"] = _t("Login failed.");
}
} else {
# --- registration needs approval
$this->notification->addNotification(_t('Thank you for registering! Your account will be activated after review.') . $vs_group_message, __NOTIFICATION_TYPE_INFO__);
$this->response->setRedirect($vs_url);
}
}
}
if (sizeof($va_errors) > 0) {
$this->view->setVar('errors', $va_errors);
$this->registerForm($t_user);
}
}
public static function authenticate($ps_username, $ps_password = '', $pa_options = null)
{
$po_auth_config = Configuration::load(Configuration::load()->get('authentication_config'));
if (!function_exists("ldap_connect")) {
throw new OpenLDAPException(_t("PHP's LDAP module is required for LDAP authentication!"));
}
if (!$ps_username) {
return false;
}
// ldap config
$vs_ldaphost = $po_auth_config->get("ldap_host");
$vs_ldapport = $po_auth_config->get("ldap_port");
$vs_base_dn = $po_auth_config->get("ldap_base_dn");
$vs_user_ou = $po_auth_config->get("ldap_user_ou");
$vs_bind_rdn = self::postProcessLDAPConfigValue("ldap_bind_rdn_format", $ps_username, $vs_user_ou, $vs_base_dn);
$va_default_roles = $po_auth_config->get("ldap_users_default_roles");
if (!is_array($va_default_roles)) {
$va_default_roles = array();
}
$va_default_groups = $po_auth_config->get("ldap_users_default_groups");
if (!is_array($va_default_groups)) {
$va_default_groups = array();
}
$vo_ldap = ldap_connect($vs_ldaphost, $vs_ldapport);
ldap_set_option($vo_ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
if (!$vo_ldap) {
return false;
}
$vs_bind_rdn_filter = self::postProcessLDAPConfigValue("ldap_bind_rdn_filter", $ps_username, $vs_user_ou, $vs_base_dn);
if (strlen($vs_bind_rdn_filter) > 0) {
$vo_dn_search_results = ldap_search($vo_ldap, $vs_base_dn, $vs_bind_rdn_filter);
$va_dn_search_results = ldap_get_entries($vo_ldap, $vo_dn_search_results);
if (isset($va_dn_search_results[0]['dn'])) {
$vs_bind_rdn = $va_dn_search_results[0]['dn'];
}
}
// log in
$vo_bind = @ldap_bind($vo_ldap, $vs_bind_rdn, $ps_password);
if (!$vo_bind) {
// wrong credentials
if (ldap_get_option($vo_ldap, 0x32, $extended_error)) {
caLogEvent("ERR", "LDAP ERROR (" . ldap_errno($vo_ldap) . ") {$extended_error} [{$vs_bind_rdn}]", "OpenLDAP::Authenticate");
}
ldap_unbind($vo_ldap);
return false;
}
// check group membership
if (!self::isMemberinAtLeastOneGroup($ps_username, $vo_ldap)) {
ldap_unbind($vo_ldap);
return false;
}
// user role and group membership syncing with directory
$t_user = new ca_users();
if ($t_user->load($ps_username)) {
// don't try to sync roles for non-existing users (the first auth call is before the user is actually created)
if ($po_auth_config->get('ldap_sync_user_roles')) {
$va_expected_roles = array_merge($va_default_roles, self::getRolesToAddFromDirectory($ps_username, $vo_ldap));
foreach ($va_expected_roles as $vs_role) {
if (!$t_user->hasUserRole($vs_role)) {
$t_user->addRoles($vs_role);
}
}
foreach ($t_user->getUserRoles() as $vn_id => $va_role_info) {
if (!in_array($va_role_info['code'], $va_expected_roles)) {
$t_user->removeRoles($vn_id);
}
}
}
if ($po_auth_config->get('ldap_sync_user_groups')) {
$va_expected_groups = array_merge($va_default_groups, self::getGroupsToAddFromDirectory($ps_username, $vo_ldap));
foreach ($va_expected_groups as $vs_group) {
if (!$t_user->inGroup($vs_group)) {
$t_user->addToGroups($vs_group);
}
}
foreach ($t_user->getUserGroups() as $vn_id => $va_group_info) {
if (!in_array($va_group_info['code'], $va_expected_groups)) {
$t_user->removeFromGroups($vn_id);
}
}
}
}
ldap_unbind($vo_ldap);
return true;
}
function register()
{
# logout user in case is already logged in
$this->request->deauthenticate();
$t_user = new ca_users();
# --- process incoming registration attempt
$ps_email = strip_tags($this->request->getParameter("email", pString));
$ps_fname = strip_tags($this->request->getParameter("fname", pString));
$ps_lname = strip_tags($this->request->getParameter("lname", pString));
$ps_password = $this->request->getParameter("password", pString);
$ps_password2 = $this->request->getParameter("password2", pString);
$ps_security = $this->request->getParameter("security", pString);
$va_errors = array();
if (!caCheckEmailAddress($ps_email)) {
$va_errors["email"] = _t("E-mail address is not valid.");
} else {
$t_user->set("email", $ps_email);
}
if (!$ps_fname) {
$va_errors["fname"] = _t("Please enter your first name");
} else {
$t_user->set("fname", $ps_fname);
}
if (!$ps_lname) {
$va_errors["lname"] = _t("Please enter your last name");
} else {
$t_user->set("lname", $ps_lname);
}
if (!$ps_password || !$ps_password2) {
$va_errors["password"] = _t("Please enter and re-type your password.");
} else {
if ($ps_password != $ps_password2) {
$va_errors["password"] = _t("Passwords do not match");
} else {
$t_user->set("password", $ps_password);
}
}
if (!$ps_security) {
$va_errors["security"] = _t("Please answer the security question.");
} else {
if ($ps_security != $_REQUEST["sum"]) {
$va_errors["security"] = _t("Your answer was incorrect, please try again");
}
}
// Check user profile responses
$va_profile_prefs = $t_user->getValidPreferences('profile');
if (is_array($va_profile_prefs) && sizeof($va_profile_prefs)) {
foreach ($va_profile_prefs as $vs_pref) {
$vs_pref_value = $this->request->getParameter('pref_' . $vs_pref, pString);
if (!$t_user->isValidPreferenceValue($vs_pref, $vs_pref_value)) {
$va_errors[$vs_pref] = join("; ", $t_user->getErrors());
$t_user->clearErrors();
}
}
}
# --- does deleted user login record for this user already exist?
# --- (look for active records only; inactive records will effectively block reregistration)
$vb_user_exists_but_is_deleted = false;
if ($t_user->load(array('user_name' => $ps_email))) {
if ((int) $t_user->get('userclass') == 255) {
if ($t_user->get('active') == 1) {
// yeah... so allow registration
$vb_user_exists_but_is_deleted = true;
} else {
// existing inactive user record blocks registration
$va_errors["email"] = _t("User cannot register");
}
} else {
// already valid login with this user name
$va_errors["email"] = _t("A user has already registered with this email address");
}
}
# get names of form fields
$va_fields = $t_user->getFormFields();
# loop through fields
foreach ($va_fields as $vs_f => $va_attr) {
switch ($vs_f) {
case "user_name":
if (!$vb_user_exists_but_is_deleted && !sizeof($va_errors)) {
# set field value
$t_user->set("user_name", $ps_email);
if ($t_user->numErrors() > 0) {
$va_errors[$vs_f] = join("; ", $t_user->getErrors());
}
}
break;
# -------------
# -------------
case "active":
$t_user->set("active", 1);
break;
# -------------
# -------------
case "userclass":
$t_user->set("userclass", 1);
// 1=public-only
break;
# -------------
# -------------
default:
if (!$va_errors[$vs_f]) {
$t_user->set($vs_f, $_REQUEST[$vs_f]);
# set field values
if ($t_user->numErrors() > 0) {
$va_errors[$vs_f] = join("; ", $t_user->getErrors());
}
}
break;
# -------------
}
}
// Save user profile responses
if (is_array($va_profile_prefs) && sizeof($va_profile_prefs)) {
foreach ($va_profile_prefs as $vs_pref) {
$t_user->setPreference($vs_pref, $this->request->getParameter('pref_' . $vs_pref, pString));
}
}
if (sizeof($va_errors) == 0) {
# --- there are no errors so make new user record
$t_user->setMode(ACCESS_WRITE);
if ($vb_user_exists_but_is_deleted) {
$t_user->update();
} else {
$t_user->insert();
}
$pn_user_id = $t_user->get("user_id");
if ($t_user->numErrors()) {
$va_errors["register"] = join("; ", $t_user->getErrors());
} else {
# --- add default roles
if (($va_default_roles = $this->request->config->getList('registration_default_roles')) && sizeof($va_default_roles)) {
$t_user->addRoles($va_default_roles);
}
# --- send email confirmation
# -- generate email subject line from template
ob_start();
require $this->request->getViewsDirectoryPath() . "/mailTemplates/reg_conf_subject.tpl";
$vs_subject_line = ob_get_contents();
ob_end_clean();
# -- generate mail text from template - get both the text and the html versions
ob_start();
require $this->request->getViewsDirectoryPath() . "/mailTemplates/reg_conf.tpl";
$vs_mail_message_text = ob_get_contents();
ob_end_clean();
ob_start();
require $this->request->getViewsDirectoryPath() . "/mailTemplates/reg_conf_html.tpl";
$vs_mail_message_html = ob_get_contents();
ob_end_clean();
caSendmail($t_user->get('email'), $this->request->config->get("ca_admin_email"), $vs_subject_line, $vs_mail_message_text, $vs_mail_message_html);
$t_user = new ca_users();
# log in the new user
$this->request->doAuthentication(array('dont_redirect' => true, 'user_name' => $ps_email, 'password' => $ps_password));
if ($this->request->isLoggedIn()) {
# --- login successful so redirect to search page
$this->notification->addNotification(_t('Thank you for registering! You are now logged in.'), __NOTIFICATION_TYPE_INFO__);
$vo_session = $this->request->getSession();
$vs_last_page = $vo_session->getVar('site_last_page');
$vo_session->setVar('site_last_page', "");
switch ($vs_last_page) {
case "Sets":
$this->response->setRedirect(caNavUrl($this->request, "", "Sets", "addItem", array("object_id" => $vo_session->getVar('site_last_page_object_id'))));
break;
# --------------------
# --------------------
case "ObjectDetail":
$this->response->setRedirect(caNavUrl($this->request, "Detail", "Object", "Show", array("object_id" => $vo_session->getVar('site_last_page_object_id'))));
break;
# --------------------
# --------------------
default:
$this->response->setRedirect(caNavUrl($this->request, "", "", ""));
break;
# --------------------
}
} else {
$va_errors["register"] = _t("Login failed.");
}
}
} else {
$this->view->setVar('reg_errors', $va_errors);
}
$this->form($t_user);
}
private function syncWithDirectory($ps_username)
{
$va_default_roles = $this->getConfigValue("ldap_users_default_roles", array());
$va_default_groups = $this->getConfigValue("ldap_users_default_groups", array());
$t_user = new ca_users();
// don't try to sync roles for non-existing users (the first auth call is before the user is actually created)
if (!$t_user->load($ps_username)) {
return;
}
if ($this->getConfigValue('ldap_sync_user_roles')) {
$va_expected_roles = array_merge($va_default_roles, $this->getRolesToAddFromDirectory($ps_username));
foreach ($va_expected_roles as $vs_role) {
if (!$t_user->hasUserRole($vs_role)) {
$t_user->addRoles($vs_role);
}
}
foreach ($t_user->getUserRoles() as $vn_id => $va_role_info) {
if (!in_array($va_role_info['code'], $va_expected_roles)) {
$t_user->removeRoles($vn_id);
}
}
}
if ($this->getConfigValue('ldap_sync_user_groups')) {
$va_expected_groups = array_merge($va_default_groups, $this->getGroupsToAddFromDirectory($ps_username));
foreach ($va_expected_groups as $vs_group) {
if (!$t_user->inGroup($vs_group)) {
$t_user->addToGroups($vs_group);
}
}
foreach ($t_user->getUserGroups() as $vn_id => $va_group_info) {
if (!in_array($va_group_info['code'], $va_expected_groups)) {
$t_user->removeFromGroups($vn_id);
}
}
}
}
