/**
* Find if the given member id and password is valid. If username is NULL, then the member id is used instead.
* All authorisation, cookies, and form-logins, are passed through this function.
* Some forums do cookie logins differently, so a Boolean is passed in to indicate whether it is a cookie login.
*
* @param ?SHORT_TEXT The member username (NULL: don't use this in the authentication - but look it up using the ID if needed)
* @param ?MEMBER The member id (NULL: use member name)
* @param MD5 The md5-hashed password
* @param string The raw password
* @param boolean Whether this is a cookie login, determines how the hashed password is treated for the value passed in
* @return array A map of 'id' and 'error'. If 'id' is NULL, an error occurred and 'error' is set
*/
function forum_authorise_login($username, $userid, $password_hashed, $password_raw, $cookie_login = false)
{
$out = array();
$out['id'] = NULL;
require_code('ocf_members');
require_code('ocf_groups');
if (!function_exists('require_lang')) {
require_code('lang');
}
if (!function_exists('do_lang_tempcode')) {
require_code('tempcode');
}
if (!function_exists('require_lang')) {
return $out;
}
require_lang('ocf');
require_code('mail');
$skip_auth = false;
if ($userid === NULL) {
$rows = $this->connection->query('SELECT * FROM ' . $this->connection->get_table_prefix() . 'f_members WHERE ' . db_string_equal_to('m_username', $username), 1);
if (!array_key_exists(0, $rows) && get_option('one_per_email_address') == '1') {
$rows = $this->connection->query('SELECT * FROM ' . $this->connection->get_table_prefix() . 'f_members WHERE ' . db_string_equal_to('m_email_address', $username) . ' ORDER BY id ASC', 1);
}
if (array_key_exists(0, $rows)) {
$this->MEMBER_ROWS_CACHED[$rows[0]['id']] = $rows[0];
$userid = $rows[0]['id'];
}
} else {
$rows[0] = $this->get_member_row($userid);
}
// LDAP to the rescue if we couldn't get a row
global $LDAP_CONNECTION;
if (!array_key_exists(0, $rows) && $LDAP_CONNECTION !== NULL && $userid === NULL) {
// See if LDAP has it -- if so, we can add
$test = ocf_is_on_ldap($username);
if (!$test) {
$out['error'] = is_null($username) ? do_lang_tempcode('USER_NO_EXIST') : do_lang_tempcode('_USER_NO_EXIST', escape_html($username));
return $out;
}
$test_auth = ocf_ldap_authorise_login($username, $password_raw);
if ($test_auth['m_pass_hash_salted'] == '!!!') {
$out['error'] = do_lang_tempcode('USER_BAD_PASSWORD');
return $out;
}
if ($test) {
require_code('ocf_members_action');
require_code('ocf_members_action2');
$completion_form_submitted = trim(post_param('email_address', '')) != '';
if (!$completion_form_submitted && get_value('no_finish_profile') !== '1') {
@ob_end_clean();
if (!function_exists('do_header')) {
require_code('site');
}
$middle = ocf_member_external_linker_ask($username, 'ldap', ocf_ldap_guess_email($username));
$tpl = globalise($middle, NULL, '', true);
$tpl->evaluate_echo();
exit;
} else {
$userid = ocf_member_external_linker($username, uniqid('', true), 'ldap');
$row = $this->get_member_row($userid);
}
}
}
if (!array_key_exists(0, $rows) || $rows[0] === NULL) {
$out['error'] = is_null($username) ? do_lang_tempcode('USER_NO_EXIST') : do_lang_tempcode('_USER_NO_EXIST', escape_html($username));
return $out;
}
$row = $rows[0];
// Now LDAP can kick in and get the correct hash
if (ocf_is_ldap_member($userid)) {
//$rows[0]['m_pass_hash_salted']=ocf_get_ldap_hash($userid);
// Doesn't exist any more? This is a special case - the 'LDAP member' exists in our DB, but not LDAP. It has been deleted from LDAP or LDAP server has jumped
/*if (is_null($rows[0]['m_pass_hash_salted']))
{
$out['error']=(do_lang_tempcode('_USER_NO_EXIST',$username));
return $out;
} No longer appropriate with new authentication mode - instead we just have to give an invalid password message */
$row = array_merge($row, ocf_ldap_authorise_login($username, $password_hashed));
}
if (addon_installed('unvalidated')) {
if ($row['m_validated'] == 0) {
$out['error'] = do_lang_tempcode('USER_NOT_VALIDATED_STAFF');
return $out;
}
}
if ($row['m_validated_email_confirm_code'] != '') {
$out['error'] = do_lang_tempcode('USER_NOT_VALIDATED_EMAIL');
return $out;
}
if ($this->is_banned($row['id'])) {
$out['error'] = do_lang_tempcode('USER_BANNED');
return $out;
}
// Check password
if (!$skip_auth) {
// Choose a compatibility screen.
// Note that almost all cookie logins are the same. This is because the cookie logins use OCF cookies, regardless of compatibility scheme.
$password_compatibility_scheme = $row['m_password_compat_scheme'];
switch ($password_compatibility_scheme) {
case 'remote':
// This will work too - we're logging in with the username of a remote profile, so no resynching will happen
// This will work too - we're logging in with the username of a remote profile, so no resynching will happen
case '':
// ocPortal style salted MD5 algorithm
if ($cookie_login) {
if ($password_hashed !== $row['m_pass_hash_salted']) {
require_code('tempcode');
// This can be incidental even in fast AJAX scripts, if an old invalid cookie is present, so we need tempcode for do_lang_tempcode
$out['error'] = do_lang_tempcode('USER_BAD_PASSWORD');
return $out;
}
} else {
if (md5($row['m_pass_salt'] . $password_hashed) !== $row['m_pass_hash_salted']) {
$out['error'] = do_lang_tempcode('USER_BAD_PASSWORD');
return $out;
}
}
break;
case 'plain':
if ($password_hashed !== md5($row['m_pass_hash_salted'])) {
$out['error'] = do_lang_tempcode('USER_BAD_PASSWORD');
return $out;
}
break;
case 'md5':
// Old style plain md5 (also works if both are unhashed: used for LDAP)
if ($password_hashed !== $row['m_pass_hash_salted'] && $password_hashed != '!!!') {
$out['error'] = do_lang_tempcode('USER_BAD_PASSWORD');
return $out;
}
break;
/* case 'httpauth':
// This is handled in get_member() */
break;
case 'ldap':
if ($password_hashed !== $row['m_pass_hash_salted']) {
$out['error'] = do_lang_tempcode('USER_BAD_PASSWORD');
return $out;
}
break;
default:
$path = get_file_base() . '/sources_custom/hooks/systems/ocf_auth/' . $password_compatibility_scheme . '.php';
if (!file_exists($path)) {
$path = get_file_base() . '/sources/hooks/systems/ocf_auth/' . $password_compatibility_scheme . '.php';
}
if (!file_exists($path)) {
$out['error'] = do_lang_tempcode('UNKNOWN_AUTH_SCHEME_IN_DB');
return $out;
}
require_code('hooks/systems/ocf_auth/' . $password_compatibility_scheme);
$ob = object_factory('Hook_ocf_auth_' . $password_compatibility_scheme);
$error = $ob->auth($username, $userid, $password_hashed, $password_raw, $cookie_login, $row);
if (!is_null($error)) {
$out['error'] = $error;
return $out;
}
break;
}
}
// Ok, authorised basically, but we need to see if this is a valid login IP
if (ocf_get_best_group_property($this->get_members_groups($row['id']), 'enquire_on_new_ips') == 1) {
global $SENT_OUT_VALIDATE_NOTICE;
$ip = get_ip_address(3);
$test2 = $this->connection->query_value_null_ok('f_member_known_login_ips', 'i_val_code', array('i_member_id' => $row['id'], 'i_ip' => $ip));
if ((is_null($test2) || $test2 != '') && !compare_ip_address($ip, $row['m_ip_address'])) {
if (!$SENT_OUT_VALIDATE_NOTICE) {
if (!is_null($test2)) {
$this->connection->query_delete('f_member_known_login_ips', array('i_member_id' => $row['id'], 'i_ip' => $ip), '', 1);
}
$code = !is_null($test2) ? $test2 : uniqid('', true);
$this->connection->query_insert('f_member_known_login_ips', array('i_val_code' => $code, 'i_member_id' => $row['id'], 'i_ip' => $ip));
$url = find_script('validateip') . '?code=' . $code;
$url_simple = find_script('validateip');
require_code('comcode');
$mail = do_lang('IP_VERIFY_MAIL', comcode_escape($url), comcode_escape(get_ip_address()), array($url_simple, $code), get_lang($row['id']));
$email_address = $row['m_email_address'];
if ($email_address == '') {
$email_address = get_option('staff_address');
}
if (running_script('index')) {
mail_wrap(do_lang('IP_VERIFY_MAIL_SUBJECT', NULL, NULL, NULL, get_lang($row['id'])), $mail, array($email_address), $row['m_username'], '', '', 1);
}
$SENT_OUT_VALIDATE_NOTICE = true;
}
$out['error'] = do_lang_tempcode('REQUIRES_IP_VALIDATION');
return $out;
}
}
$this->ocf_flood_control($row['id']);
$out['id'] = $row['id'];
return $out;
}
/**
* Check to see if an IP address is banned.
*
* @param string The IP address to check for banning (potentially encoded with *'s)
* @return boolean Whether the IP address is banned
*/
function ip_banned($ip)
{
if (!addon_installed('securitylogging')) {
return false;
}
$ip4 = strpos($ip, '.') !== false;
if ($ip4) {
$ip_parts = explode('.', $ip);
} else {
$ip_parts = explode(':', $ip);
}
global $SITE_INFO;
if (isset($SITE_INFO['known_suexec']) && $SITE_INFO['known_suexec'] == '1' || is_writable_wrap(get_file_base() . '/.htaccess')) {
$bans = array();
$ban_count = preg_match_all('#\\ndeny from (.*)#', file_get_contents(get_file_base() . '/.htaccess'), $bans);
$ip_bans = array();
for ($i = 0; $i < $ban_count; $i++) {
$ip_bans[] = array('ip' => $bans[1][$i]);
}
} else {
$ip_bans = persistant_cache_get('IP_BANS');
if (!is_array($ip_bans)) {
$ip_bans = $GLOBALS['SITE_DB']->query('SELECT ip FROM ' . get_table_prefix() . 'usersubmitban_ip', NULL, NULL, true);
if (!is_null($ip_bans)) {
persistant_cache_set('IP_BANS', $ip_bans);
}
}
if (is_null($ip_bans)) {
critical_error('DATABASE_FAIL');
}
}
$self_ip = NULL;
foreach ($ip_bans as $ban) {
if ($ip4 && compare_ip_address_ip4($ban['ip'], $ip_parts) || !$ip4 && compare_ip_address_ip6($ban['ip'], $ip_parts)) {
if (is_null($self_ip)) {
$self_host = ocp_srv('HTTP_HOST');
if ($self_host == '' || preg_match('#^localhost[\\.\\:$]#', $self_host) != 0) {
$self_ip = '';
} else {
if (preg_match('#(\\s|,|^)gethostbyname(\\s|$|,)#i', @ini_get('disable_functions')) == 0) {
$self_ip = gethostbyname($self_host);
} else {
$self_ip = '';
}
if ($self_ip == '') {
$self_ip = ocp_srv('SERVER_ADDR');
}
}
}
if ($self_ip != '' && compare_ip_address($ban['ip'], $self_ip)) {
continue;
}
if (compare_ip_address($ban['ip'], '127.0.0.1')) {
continue;
}
if (compare_ip_address($ban['ip'], 'fe00:0000:0000:0000:0000:0000:0000:0000')) {
continue;
}
return true;
}
}
return false;
}
/**
* Ban the specified IP address.
*
* @param IP The IP address to ban
* @param LONG_TEXT Explanation for ban
*/
function ban_ip($ip, $descrip = '')
{
$ban = trim($ip);
if ($ban != '' && !compare_ip_address($ban, get_ip_address())) {
require_code('failure');
add_ip_ban($ban, $descrip);
} elseif (compare_ip_address($ban, get_ip_address())) {
attach_message(do_lang_tempcode('AVOIDING_BANNING_SELF'), 'warn');
}
}
