Changeset 570 for branches/1.1dev/lib


Timestamp:
Nov 4, 2016 8:37:17 PM (8 years ago)
Author:
anonymous
Message:

Added missing default config values. Removed unused auth config.

File:
1 edited

  • branches/1.1dev/lib/AuthSQL.inc.php

    r205 r570  
    2323    {
    2424        global $CFG;
    25        
     25
    2626        // The name of this auth session.
    2727        $this->_params['auth_name'] = isset($params['auth_name']) ? $params['auth_name'] : '';
    28        
     28
    2929        // The database table containing users to authenticate.
    3030        $this->_params['user_tbl'] = isset($params['user_tbl']) ? $params['user_tbl'] : 'user_tbl';
    31        
     31
    3232        // The name of the primary key for the user_tbl.
    3333        $this->_params['user_id_column'] = isset($params['user_id_column']) ? $params['user_id_column'] : 'user_id';
    34        
     34
    3535        // The name of the username key for the user_tbl.
    3636        $this->_params['username_column'] = isset($params['username_column']) ? $params['username_column'] : 'username';
    37        
     37
    3838        // If using the login_tbl feature, specify the login_tbl. The primary key must match the primary key for the user_tbl.
    3939        $this->_params['login_tbl'] = isset($params['login_tbl']) ? $params['login_tbl'] : 'login_tbl';
    40        
     40
    4141        // The type of encryption to use for passwords stored in the user_tbl. Use 'md5' or 'crypt'.
    4242        $this->_params['encryption_type'] = isset($params['encryption_type']) ? $params['encryption_type'] : 'md5';
     
    4848        // This applies to admins and users. In seconds. 21600 seconds = 6 hours.
    4949        $this->_params['login_timeout'] = isset($params['login_timeout']) ? $params['login_timeout'] : $CFG->login_timeout;
    50        
     50
    5151        // The maximum amount of time a user is allowed to be idle before their session expires. They will be forced to login again if they expire.
    5252        // This applies to admins and users. In seconds. 3600 seconds = 1 hour.
     
    5656        // Days and hours, like this: 'DD:HH'
    5757        $this->_params['login_abuse_timeframe'] = isset($params['login_abuse_timeframe']) ? $params['login_abuse_timeframe'] : $CFG->login_abuse_timeframe;
    58 
    59         // When an account is accessed from this many different IPs, the user's password is reset and they are issued a warning.
    60         $this->_params['login_abuse_warning_ips'] = isset($params['login_abuse_warning_ips']) ? $params['login_abuse_warning_ips'] : $CFG->login_abuse_warning_ips;
    6158
    6259        // The number of warnings a user will receive (and their password reset each time) before their account is completely blocked.
     
    7168        $this->_params['login_abuse_ip_bitmask'] = isset($params['login_abuse_ip_bitmask']) ? $params['login_abuse_ip_bitmask'] : $CFG->login_abuse_ip_bitmask;
    7269
    73         // Specify usernames to exclude from the account abuse detection system. This is specified as a hardcoded array provided at 
     70        // Specify usernames to exclude from the account abuse detection system. This is specified as a hardcoded array provided at
    7471        // class instantiation time, or can be saved in the user_tbl under the login_abuse_exempt field.
    7572        $this->_params['login_abuse_exempt_usernames'] = isset($params['login_abuse_exempt_usernames']) && is_array($params['login_abuse_exempt_usernames']) ? $params['login_abuse_exempt_usernames'] : $CFG->login_abuse_exempt_usernames;
    76        
     73
    7774        $this->_params['trusted_networks'] = isset($params['trusted_networks']) && is_array($params['trusted_networks']) ? $params['trusted_networks'] : $CFG->trusted_networks;
    7875
    7976        // Feature: Allow user accounts to be blocked? Requires the user table to have the columns 'blocked' and 'blocked_reason'
    8077        $this->_params['features']['blocking'] = isset($params['features']['blocking']) ? $params['features']['blocking'] : false;
    81        
     78
    8279        // Feature: Use a login_tbl to detect excessive logins. This requires blocking to be enabled.
    8380        $this->_params['features']['abuse_detection'] = isset($params['features']['abuse_detection']) ? $params['features']['abuse_detection'] : false;
    84        
     81
    8582        // Array of usernames which are exempt from remote_ip matching. Users behind proxy servers should be appended to this array so their shifting remote IP will not log them out.
    8683        $this->_params['match_remote_ip_exempt_usernames'] = isset($params['match_remote_ip_exempt_usernames']) && is_array($params['match_remote_ip_exempt_usernames']) ? $params['match_remote_ip_exempt_usernames'] : $CFG->match_remote_ip_exempt_usernames;
     
    8885        // Feature: Match the user's current remote IP against the one they logged in with.
    8986        $this->_params['features']['match_remote_ip'] = isset($params['features']['match_remote_ip']) ? $params['features']['match_remote_ip'] : true;
    90        
     87
    9188        $this->_auth_name = '_auth_' . $this->_params['auth_name'];
    9289    }
     
    10097    {
    10198        dbQuery("
    102             UPDATE " . $this->_params['user_tbl'] . " SET 
     99            UPDATE " . $this->_params['user_tbl'] . " SET
    103100            seconds_online = seconds_online + (UNIX_TIMESTAMP() - UNIX_TIMESTAMP(last_access_datetime)),
    104101            last_login_datetime = '0000-00-00 00:00:00'
     
    145142        }
    146143    }
    147    
     144
    148145    /**
    149146     * Set the features of an auth object.
     
    186183     */
    187184    function authenticate($username, $password)
    188     {       
     185    {
    189186        // Query DB for user matching credentials.
    190187        $qid = dbQuery("
    191             SELECT *, " . $this->_params['user_id_column'] . " AS user_id 
     188            SELECT *, " . $this->_params['user_id_column'] . " AS user_id
    192189            FROM " . $this->_params['user_tbl'] . "
    193190            WHERE BINARY username = '" . mysql_real_escape_string($username) . "'
    194191            AND BINARY userpass = '" . mysql_real_escape_string($this->encryptPassword($password)) . "'
    195192        ");
    196        
     193
    197194        // Return user data if found.
    198195        if ($user_data = mysql_fetch_assoc($qid)) {
     
    237234            'user_data'             => $user_data
    238235        );
    239        
     236
    240237        /**
    241238         * Check if the account is blocked, respond in context to reason. Cancel the login if blocked.
     
    243240        if ($this->getFeature('blocking')) {
    244241            if (!empty($user_data['blocked'])) {
    245                
     242
    246243                logMsg(sprintf('Login failed, blocked account. User: %s (%s) Reason: %s', $user_data['user_id'], $username, $user_data['blocked_reason']), LOG_NOTICE, __FILE__, __LINE__);
    247                
     244
    248245                switch ($user_data['blocked_reason']) {
    249246                    case 'account abuse' :
     
    254251                        break;
    255252                }
    256                
     253
    257254                // No login: user is blocked!
    258255                $this->clearAuth();
     
    260257            }
    261258        }
    262        
     259
    263260        /**
    264261         * Check the login_tbl for too many logins under this account.
     
    298295            dbQuery("
    299296                INSERT INTO " . $this->_params['login_tbl'] . " (
    300                     " . $this->_params['user_id_column'] . ", 
    301                     login_datetime, 
     297                    " . $this->_params['user_id_column'] . ",
     298                    login_datetime,
    302299                    remote_ip_binary
    303300                ) VALUES (
     
    308305            ");
    309306        }
    310        
     307
    311308        // Update user table with this login.
    312309        dbQuery("
     
    317314            WHERE " . $this->_params['user_id_column'] . " = '" . $this->getVal('user_id') . "'
    318315        ");
    319        
     316
    320317        // We're logged-in!
    321318        return true;
     
    344341            return (mysql_num_rows($qid) > 0);
    345342        }
    346        
     343
    347344        // User login test need only be run once per script execution. We cache the result in the session.
    348345        if ($this->_authentication_tested && isset($_SESSION[$this->_auth_name]['authenticated'])) {
    349346            return $_SESSION[$this->_auth_name]['authenticated'];
    350347        }
    351        
     348
    352349        // Tesing login should occur once. This is the first time. Set flag.
    353350        $this->_authentication_tested = true;
    354        
     351
    355352        // Some users will access from networks with changing IP number (i.e. behind a proxy server). These users must be allowed entry be adding their IP to the list of trusted_networks.
    356353        if ($trusted_net = ipInRange(getRemoteAddr(), $this->_params['trusted_networks'])) {
    357354            $user_in_trusted_network = true;
    358             logMsg(sprintf('%s%s accessing from trusted network %s', 
    359                 ucfirst($this->_params['auth_name']), 
     355            logMsg(sprintf('%s%s accessing from trusted network %s',
     356                ucfirst($this->_params['auth_name']),
    360357                ($this->getVal('user_id') ? ' ' . $this->getVal('user_id') . ' (' .  $this->getVal('username') . ')' : ''),
    361358                $trusted_net
     
    363360        } else if (preg_match('/proxy.aol.com$/i', getRemoteAddr(true))) {
    364361            $user_in_trusted_network = true;
    365             logMsg(sprintf('%s%s accessing from trusted network proxy.aol.com', 
    366                 ucfirst($this->_params['auth_name']), 
     362            logMsg(sprintf('%s%s accessing from trusted network proxy.aol.com',
     363                ucfirst($this->_params['auth_name']),
    367364                ($this->getVal('user_id') ? ' ' . $this->getVal('user_id') . ' (' .  $this->getVal('username') . ')' : '')
    368365            ), LOG_NOTICE, __FILE__, __LINE__);
     
    370367            $user_in_trusted_network = false;
    371368        }
    372        
     369
    373370        // Do we match the user's remote IP at all? Yes, if set in config and not disabled for specific user.
    374371        if ($this->getFeature('match_remote_ip') && !$this->getVal('match_remote_ip_exempt')) {
    375372            $remote_ip_is_matched = ($_SESSION[$this->_auth_name]['remote_ip'] == getRemoteAddr() || $user_in_trusted_network);
    376373        } else {
    377             logMsg(sprintf('%s%s exempt from remote_ip match.', 
    378                 ucfirst($this->_params['auth_name']), 
     374            logMsg(sprintf('%s%s exempt from remote_ip match.',
     375                ucfirst($this->_params['auth_name']),
    379376                ($this->getVal('user_id') ? ' ' . $this->getVal('user_id') . ' (' .  $this->getVal('username') . ')' : '')
    380377            ), LOG_DEBUG, __FILE__, __LINE__);
    381378            $remote_ip_is_matched = true;
    382379        }
    383        
     380
    384381        // Test login with information stored in session. Skip IP matching for users from trusted networks.
    385382        if (true === $_SESSION[$this->_auth_name]['authenticated']
     
    394391            // Update the DB with the last_access_datetime and increment the seconds_online.
    395392            dbQuery("
    396                 UPDATE " . $this->_params['user_tbl'] . " SET 
     393                UPDATE " . $this->_params['user_tbl'] . " SET
    397394                seconds_online = seconds_online + (UNIX_TIMESTAMP() - UNIX_TIMESTAMP(last_access_datetime)) + 1,
    398395                last_access_datetime = '" . $this->getVal('last_access_datetime') . "'
     
    408405            // User is authenticated, but login has expired.
    409406            raiseMsg(sprintf(_("Your %s session has closed. You need to log-in again."), strtolower($this->_params['auth_name'])), MSG_NOTICE, __FILE__, __LINE__);
    410            
     407
    411408            // Log the reason for login expiration.
    412409            $expire_reasons = array();
     
    460457     * This sets the 'blocked' field for a user in the user_tbl, and also
    461458     * adds an optional reason
    462      * 
     459     *
    463460     * @param  string   $reason      The reason for blocking the account.
    464461     */
     
    470467                logMsg(sprintf('Blocked reason provided is greater than 255 characters: %s', $reason), LOG_WARNING, __FILE__, __LINE__);
    471468            }
    472            
     469
    473470            // Get user_id if specified.
    474471            $user_id = isset($user_id) ? $user_id : $this->getVal('user_id');
     
    483480
    484481    /**
    485      * Unblocks a user in the user_tbl, and clears any blocked_reason. 
     482     * Unblocks a user in the user_tbl, and clears any blocked_reason.
    486483     */
    487484    function unblockAccount($user_id=null)
     
    507504     */
    508505    function usernameExists($username)
    509     {   
     506    {
    510507        $qid = dbQuery("SELECT 1 FROM " . $this->_params['user_tbl'] . " WHERE username = '" . mysql_real_escape_string($username) . "'");
    511508        return (mysql_num_rows($qid) > 0);
     
    520517     */
    521518    function getUsername($user_id)
    522     {   
     519    {
    523520        $qid = dbQuery("SELECT " . $this->_params['username_column'] . " FROM " . $this->_params['user_tbl'] . " WHERE " . $this->_params['user_id_column'] . " = '" . mysql_real_escape_string($user_id) . "'");
    524521        if (list($username) = mysql_fetch_row($qid)) {
     
    560557        return $str;
    561558    }
    562    
     559
    563560    /**
    564561     *
     
    570567            return $password;
    571568            break;
    572            
     569
    573570        case 'crypt' :
    574571            return crypt($password, crypt($password));
    575572            break;
    576            
     573
    577574        case 'sha1' :
    578575            if (function_exists('sha1')) { // Only in PHP 4.3.0+
     
    580577                break;
    581578            }
    582            
     579
    583580        case 'md5' :
    584581        default :
     
    589586
    590587    /**
    591      * 
     588     *
    592589     */
    593590    function setPassword($user_id=null, $password)
    594     {       
     591    {
    595592        // Get user_id if specified.
    596593        $user_id = isset($user_id) ? $user_id : $this->getVal('user_id');
    597        
     594
    598595        // Issue the password change query.
    599596        dbQuery("
    600             UPDATE " . $this->_params['user_tbl'] . " 
     597            UPDATE " . $this->_params['user_tbl'] . "
    601598            SET userpass = '" . mysql_real_escape_string($this->encryptPassword($password)) . "'
    602599            WHERE " . $this->_params['user_id_column'] . " = '" . mysql_real_escape_string($user_id) . "'
     
    615612    {
    616613        global $CFG;
    617        
     614
    618615        // Get user_id if specified.
    619616        $user_id = isset($user_id) ? $user_id : $this->getVal('user_id');
    620        
     617
    621618        // Reset password of a specific user.
    622619        $qid = dbQuery("
     
    628625        // Get new password.
    629626        $password = $this->generatePassword();
    630        
     627
    631628        // Issue the password change query.
    632629        dbQuery("
    633             UPDATE " . $this->_params['user_tbl'] . " 
     630            UPDATE " . $this->_params['user_tbl'] . "
    634631            SET userpass = '" . mysql_real_escape_string($this->encryptPassword($password)) . "'
    635632            WHERE " . $this->_params['user_id_column'] . " = '" . mysql_real_escape_string($user_id) . "'
     
    641638            mail($user_data['email'], $email_subject, $email_body, "From: $CFG->site_name <$CFG->site_email>\r\n", $CFG->envelope_sender_address);
    642639        }
    643    
     640
    644641        return array('username'=>$user_data['username'], 'userpass'=>$password);
    645642    }
    646    
     643
    647644    /**
    648645     * If the current user has access to the specified $security_zone, return true.
    649      * If the optional $priv is supplied, test that against the zone. 
     646     * If the optional $priv is supplied, test that against the zone.
    650647     *
    651648     * @param  constant $security_zone   string of comma delimited priviliges for the zone
     
    658655        $zone_members = preg_split('/,\s*/', $security_zone);
    659656        $priv = empty($priv) ? $this->getVal('priv') : $priv;
    660        
    661         // If the current user's privilege level is NOT in that array or if the 
     657
     658        // If the current user's privilege level is NOT in that array or if the
    662659        // user has no privilege, return false. Otherwise the user is clear.
    663660        if (!in_array($priv, $zone_members) || empty($priv)) {
     
    667664        }
    668665    }
    669    
     666
    670667    /**
    671668     * This function tests a list of arguments $security_zone against the priv that the current user has.
    672      * If the user doesn't have one of the supplied privs, die. 
     669     * If the user doesn't have one of the supplied privs, die.
    673670     *
    674671     * @param  constant $security_zone   string of comma delimited priviliges for the zone
     
    677674    {
    678675        $zone_members = preg_split('/,\s*/', $security_zone);
    679    
    680         /* If the current user's privilege level is NOT in that array or if the 
     676
     677        /* If the current user's privilege level is NOT in that array or if the
    681678         * user has no privilege, DIE with a message. */
    682679        if (!in_array($this->getVal('priv'), $zone_members) || !$this->getVal('priv')) {
     
    691688// CIDR cheatsheet
    692689//
    693 // Netmask              Netmask (binary)                 CIDR     Notes   
     690// Netmask              Netmask (binary)                 CIDR     Notes
    694691// _____________________________________________________________________________
    695692// 255.255.255.255  11111111.11111111.11111111.11111111  /32  Host (single addr)
     
    702699// 255.255.255.128  11111111.11111111.11111111.10000000  /25  126  useable
    703700// 255.255.255.0    11111111.11111111.11111111.00000000  /24 "Class C" 254 useable
    704 // 
     701//
    705702// 255.255.254.0    11111111.11111111.11111110.00000000  /23    2  Class C's
    706703// 255.255.252.0    11111111.11111111.11111100.00000000  /22    4  Class C's
     
    711708// 255.255.128.0    11111111.11111111.10000000.00000000  /17  128  Class C's
    712709// 255.255.0.0      11111111.11111111.00000000.00000000  /16  "Class B"
    713 //     
     710//
    714711// 255.254.0.0      11111111.11111110.00000000.00000000  /15    2  Class B's
    715712// 255.252.0.0      11111111.11111100.00000000.00000000  /14    4  Class B's
     
    720717// 255.128.0.0      11111111.10000000.00000000.00000000  /9   128  Class B's
    721718// 255.0.0.0        11111111.00000000.00000000.00000000  /8   "Class A"
    722 //   
     719//
    723720// 254.0.0.0        11111110.00000000.00000000.00000000  /7
    724721// 252.0.0.0        11111100.00000000.00000000.00000000  /6
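Review bot: The credential check in authenticate() compares a hash computed on the fly, `AND BINARY userpass = '" . mysql_real_escape_string($this->encryptPassword($password)) . "'`, which only works when encryptPassword() is deterministic; the `crypt` branch further down this file, `crypt($password, crypt($password))`, takes its salt from a fresh crypt() call, so if that inner call generates a random salt (as crypt() without a salt does on the PHP versions this mysql_* code targets) the computed value will never equal the stored hash and every 'crypt' login fails — inferred from the visible lines, worth confirming against a crypt-configured install. The robust shape is to select the row by username alone and verify the password in PHP against the stored value, so a salted scheme can reuse its own salt. Separately, the constructor's default `encryption_type` of 'md5' is an unsalted digest and the comment there lists only 'md5' or 'crypt' although encryptPassword() also handles 'sha1' and a plaintext case; a one-line warning in that comment, `// NOTE: md5/sha1 here are unsalted; prefer 'crypt'`, would stop new deployments defaulting into it. authenticate() continues past the end of this hunk.
```php
    function authenticate($username, $password)
    {
        // Look the user up by username only and verify the password in PHP,
        // so a salted scheme (crypt) can be checked against its stored salt.
        $qid = dbQuery("
            SELECT *, " . $this->_params['user_id_column'] . " AS user_id
            FROM " . $this->_params['user_tbl'] . "
            WHERE BINARY username = '" . mysql_real_escape_string($username) . "'
        ");
        $user_data = mysql_fetch_assoc($qid);
        if ($user_data) {
            $stored = $user_data['userpass'];
            if ('crypt' == $this->_params['encryption_type']) {
                $password_ok = (crypt($password, $stored) === $stored);
            } else {
                $password_ok = ($this->encryptPassword($password) === $stored);
            }
            if (!$password_ok) {
                $user_data = false; // wrong password: treat exactly like no match
            }
        }
        // … unchanged: "Return user data if found." branch and the rest of authenticate() …
```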