- added login error constant for various external auth failures
- completed auth plugin interface (init_method, login_method, autologin_method, validate_session_method, logout_method) - updated LDAP and Apache auth plugins to return an info array - added Apache autologin git-svn-id: file:///svn/phpbb/trunk@5815 89ea8834-ac86-4346-8a33-228a782c2dd0
parent
09073c368f
commit
478ab68a7e
5 changed files with 189 additions and 30 deletions
|
@ -32,17 +32,84 @@ function login_apache(&$username, &$password)
|
|||
{
|
||||
$sql = 'SELECT user_id, username, user_password, user_passchg, user_email, user_type
|
||||
FROM ' . USERS_TABLE . "
|
||||
WHERE username = '" . $db->sql_escape($username) . "'";
|
||||
WHERE username = '" . $db->sql_escape($php_auth_user) . "'";
|
||||
$result = $db->sql_query($sql);
|
||||
$row = $db->sql_fetchrow($result);
|
||||
$db->sql_freeresult($result);
|
||||
|
||||
if ($row)
|
||||
{
|
||||
// User inactive...
|
||||
if ($row['user_type'] == USER_INACTIVE || $row['user_type'] == USER_IGNORE)
|
||||
{
|
||||
return array(
|
||||
'status' => LOGIN_ERROR_ACTIVE,
|
||||
'error_msg' => 'ACTIVE_ERROR',
|
||||
'user_row' => $row,
|
||||
);
|
||||
}
|
||||
|
||||
// Successful login...
|
||||
return array(
|
||||
'status' => LOGIN_SUCCESS,
|
||||
'error_msg' => false,
|
||||
'user_row' => $row,
|
||||
);
|
||||
}
|
||||
|
||||
// the user does not exist
|
||||
return array(
|
||||
'status' => LOGIN_ERROR_USERNAME,
|
||||
'error_msg' => 'LOGIN_ERROR_USERNAME',
|
||||
'user_row' => array('user_id' => ANONYMOUS),
|
||||
);
|
||||
}
|
||||
|
||||
// Not logged into apache
|
||||
return array(
|
||||
'status' => LOGIN_ERROR_EXTERNAL_AUTH,
|
||||
'error_msg' => 'LOGIN_ERROR_EXTERNAL_AUTH_APACHE',
|
||||
'user_row' => array('user_id' => ANONYMOUS),
|
||||
);
|
||||
}
|
||||
|
||||
/**
|
||||
* Autologin function
|
||||
*
|
||||
* @return array containing the user row or empty if no auto login should take place
|
||||
*/
|
||||
function autologin_apache()
|
||||
{
|
||||
global $db;
|
||||
|
||||
$php_auth_user = $_SERVER['PHP_AUTH_USER'];
|
||||
$php_auth_pw = $_SERVER['PHP_AUTH_PW'];
|
||||
|
||||
if ((!empty($php_auth_user)) && (!empty($php_auth_pw)))
|
||||
{
|
||||
$sql = 'SELECT *
|
||||
FROM ' . USERS_TABLE . "
|
||||
WHERE username = '" . $db->sql_escape($php_auth_user) . "'";
|
||||
$result = $db->sql_query($sql);
|
||||
|
||||
if ($row = $db->sql_fetchrow($result))
|
||||
{
|
||||
$db->sql_freeresult($result);
|
||||
return ($row['user_type'] == USER_INACTIVE || $row['user_type'] == USER_IGNORE) ? 0 : $row;
|
||||
return ($row['user_type'] == USER_INACTIVE || $row['user_type'] == USER_IGNORE) ? array() : $row;
|
||||
}
|
||||
}
|
||||
|
||||
return false;
|
||||
return array();
|
||||
}
|
||||
|
||||
/**
|
||||
* The session validation function checks whether the user is still logged in
|
||||
*
|
||||
* @return boolean true if the given user is authenticated or false if the session should be closed
|
||||
*/
|
||||
function validate_session_apache(&$user)
|
||||
{
|
||||
return ($_SERVER['PHP_AUTH_USER'] == $user['username']) ? true : false;
|
||||
}
|
||||
|
||||
?>
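Review bot: autologin_apache() treats a non-empty `$_SERVER['PHP_AUTH_USER']` (L172–L180) as proof that Apache authenticated the request, but PHP populates that variable from the client's Authorization header and does not verify it itself, so the plugin is only sound when the board directory is protected by the web server's own auth directives — the docblock at L146–L158 should state that precondition. Under mod_php Apache exports `$_SERVER['REMOTE_USER']` only after one of its auth modules accepted the credentials (worth confirming for the targeted deployments), so a cheap in-code guard is `if (empty($_SERVER['REMOTE_USER']) || $_SERVER['REMOTE_USER'] !== $php_auth_user) { return array(); }` before the user lookup. The reads at L172, L175 and L255 index `$_SERVER` without isset(), which emits a notice on requests that carry no Basic credentials, and validate_session_apache() at L255 compares with loose `==` where `===` is meant. login_apache()'s body begins above the hunk, so whether it checks `$username` against `$php_auth_user` cannot be seen here.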
|
|
@ -70,12 +70,20 @@ function login_ldap(&$username, &$password)
|
|||
|
||||
if (!extension_loaded('ldap'))
|
||||
{
|
||||
return 'LDAP extension not available';
|
||||
return array(
|
||||
'status' => LOGIN_ERROR_EXTERNAL_AUTH,
|
||||
'error_msg' => 'LDAP_NO_LDAP_EXTENSION',
|
||||
'user_row' => array('user_id' => ANONYMOUS),
|
||||
);
|
||||
}
|
||||
|
||||
if (!($ldap = @ldap_connect($config['ldap_server'])))
|
||||
{
|
||||
return 'Could not connect to LDAP server';
|
||||
return array(
|
||||
'status' => LOGIN_ERROR_EXTERNAL_AUTH,
|
||||
'error_msg' => 'LDAP_NO_SERVER_CONNECTION',
|
||||
'user_row' => array('user_id' => ANONYMOUS),
|
||||
);
|
||||
}
|
||||
|
||||
@ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
|
||||
|
@ -93,18 +101,49 @@ function login_ldap(&$username, &$password)
|
|||
FROM ' . USERS_TABLE . "
|
||||
WHERE username = '" . $db->sql_escape($username) . "'";
|
||||
$result = $db->sql_query($sql);
|
||||
$row = $db->sql_fetchrow($result);
|
||||
$db->sql_freeresult($result);
|
||||
|
||||
if ($row = $db->sql_fetchrow($result))
|
||||
if ($row)
|
||||
{
|
||||
$db->sql_freeresult($result);
|
||||
return ($row['user_type'] == USER_INACTIVE || $row['user_type'] == USER_IGNORE) ? 0 : $row;
|
||||
// User inactive...
|
||||
if ($row['user_type'] == USER_INACTIVE || $row['user_type'] == USER_IGNORE)
|
||||
{
|
||||
return array(
|
||||
'status' => LOGIN_ERROR_ACTIVE,
|
||||
'error_msg' => 'ACTIVE_ERROR',
|
||||
'user_row' => $row,
|
||||
);
|
||||
}
|
||||
|
||||
// Successful login... set user_login_attempts to zero...
|
||||
return array(
|
||||
'status' => LOGIN_SUCCESS,
|
||||
'error_msg' => false,
|
||||
'user_row' => $row,
|
||||
);
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
@ldap_close($ldap);
|
||||
|
||||
// Give status about wrong password...
|
||||
return array(
|
||||
'status' => LOGIN_ERROR_PASSWORD,
|
||||
'error_msg' => 'LOGIN_ERROR_PASSWORD',
|
||||
'user_row' => array('user_id' => ANONYMOUS),
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
@ldap_close($ldap);
|
||||
|
||||
return false;
|
||||
return array(
|
||||
'status' => LOGIN_ERROR_USERNAME,
|
||||
'error_msg' => 'LOGIN_ERROR_USERNAME',
|
||||
'user_row' => array('user_id' => ANONYMOUS),
|
||||
);
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -147,12 +186,13 @@ function admin_ldap(&$new)
|
|||
* their username, password, etc. ... should be up to the plugin what data
|
||||
* is updated.
|
||||
*
|
||||
* @todo implement this functionality (probably 3.2)
|
||||
*
|
||||
* @param new|update|delete $mode defining the action to take on user updates
|
||||
*/
|
||||
function usercp_ldap($mode)
|
||||
{
|
||||
global $db, $config;
|
||||
|
||||
}
|
||||
|
||||
?>
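Review bot: The LDAP handle is closed only on the failure paths (`@ldap_close($ldap)` at L427 and L458); the LOGIN_ERROR_ACTIVE and LOGIN_SUCCESS returns added at L377–L412 leave it open until script end. Since the user-table lookup at L336–L348 no longer needs the directory, placing `@ldap_close($ldap);` immediately before that query (inside the branch whose else is at L421, which presumably wraps the bind result) and dropping the two later calls closes it on every path. The `@` on `ldap_connect()` at L300 hides configuration errors, and because ldap_connect() does not contact the server for a plain host string, an unreachable server will presumably surface at the bind rather than in the 'LDAP_NO_SERVER_CONNECTION' branch — worth a comment there so nobody relies on that branch for outage handling. login_ldap() starts before L266 and the bind itself is outside both hunks.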
|
|
@ -43,6 +43,7 @@ define('LOGIN_ERROR_USERNAME', 10);
|
|||
define('LOGIN_ERROR_PASSWORD', 11);
|
||||
define('LOGIN_ERROR_ACTIVE', 12);
|
||||
define('LOGIN_ERROR_ATTEMPTS', 13);
|
||||
define('LOGIN_ERROR_EXTERNAL_AUTH', 14);
|
||||
|
||||
// Group settings
|
||||
define('GROUP_OPEN', 0);
|
||||
|
|
|
@ -151,7 +151,7 @@ class session
|
|||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
// Is session_id is set or session_id is set and matches the url param if required
|
||||
if (!empty($this->session_id) && (!defined('NEED_SID') || (isset($_GET['sid']) && $this->session_id === $_GET['sid'])))
|
||||
{
|
||||
|
@ -170,7 +170,7 @@ class session
|
|||
// Validate IP length according to admin ... enforces an IP
|
||||
// check on bots if admin requires this
|
||||
// $quadcheck = ($config['ip_check_bot'] && $this->data['user_type'] & USER_BOT) ? 4 : $config['ip_check'];
|
||||
|
||||
|
||||
$s_ip = implode('.', array_slice(explode('.', $this->data['session_ip']), 0, $config['ip_check']));
|
||||
$u_ip = implode('.', array_slice(explode('.', $this->ip), 0, $config['ip_check']));
|
||||
|
||||
|
@ -180,20 +180,40 @@ class session
|
|||
if ($u_ip === $s_ip && $s_browser === $u_browser)
|
||||
{
|
||||
$session_expired = false;
|
||||
|
||||
// Check the session length timeframe if autologin is not enabled.
|
||||
// Else check the autologin length... and also removing those having autologin enabled but no longer allowed board-wide.
|
||||
if (!$this->data['session_autologin'])
|
||||
|
||||
// Check whether the session is still valid if we have one
|
||||
$method = trim($config['auth_method']);
|
||||
|
||||
if (file_exists($phpbb_root_path . 'includes/auth/auth_' . $method . '.' . $phpEx))
|
||||
{
|
||||
if ($this->data['session_time'] < $this->time_now - ($config['session_length'] + 60))
|
||||
include_once($phpbb_root_path . 'includes/auth/auth_' . $method . '.' . $phpEx);
|
||||
|
||||
$method = 'validate_session_' . $method;
|
||||
if (function_exists($method))
|
||||
{
|
||||
if (!$method($this->data))
|
||||
{
|
||||
$session_expired = true;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if (!$session_expired)
|
||||
{
|
||||
// Check the session length timeframe if autologin is not enabled.
|
||||
// Else check the autologin length... and also removing those having autologin enabled but no longer allowed board-wide.
|
||||
if (!$this->data['session_autologin'])
|
||||
{
|
||||
if ($this->data['session_time'] < $this->time_now - ($config['session_length'] + 60))
|
||||
{
|
||||
$session_expired = true;
|
||||
}
|
||||
}
|
||||
else if (!$config['allow_autologin'] || ($config['max_autologin_time'] && $this->data['session_time'] < $this->time_now - (86400 * (int) $config['max_autologin_time']) + 60))
|
||||
{
|
||||
$session_expired = true;
|
||||
}
|
||||
}
|
||||
else if (!$config['allow_autologin'] || ($config['max_autologin_time'] && $this->data['session_time'] < $this->time_now - (86400 * (int) $config['max_autologin_time']) + 60))
|
||||
{
|
||||
$session_expired = true;
|
||||
}
|
||||
|
||||
if (!$session_expired)
|
||||
{
|
||||
|
@ -236,7 +256,7 @@ class session
|
|||
*/
|
||||
function session_create($user_id = false, $set_admin = false, $persist_login = false, $viewonline = true)
|
||||
{
|
||||
global $SID, $db, $config, $cache;
|
||||
global $SID, $db, $config, $cache, $phpbb_root_path, $phpEx;
|
||||
|
||||
$this->data = array();
|
||||
|
||||
|
@ -292,10 +312,29 @@ class session
|
|||
break;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
$method = trim($config['auth_method']);
|
||||
|
||||
if (file_exists($phpbb_root_path . 'includes/auth/auth_' . $method . '.' . $phpEx))
|
||||
{
|
||||
include_once($phpbb_root_path . 'includes/auth/auth_' . $method . '.' . $phpEx);
|
||||
|
||||
$method = 'autologin_' . $method;
|
||||
if (function_exists($method))
|
||||
{
|
||||
$this->data = $method();
|
||||
|
||||
if (sizeof($this->data))
|
||||
{
|
||||
$this->cookie_data['k'] = '';
|
||||
$this->cookie_data['u'] = $this->data['user_id'];
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// If we're presented with an autologin key we'll join against it.
|
||||
// Else if we've been passed a user_id we'll grab data based on that
|
||||
if (isset($this->cookie_data['k']) && $this->cookie_data['k'] && $this->cookie_data['u'])
|
||||
if (isset($this->cookie_data['k']) && $this->cookie_data['k'] && $this->cookie_data['u'] && !sizeof($this->data))
|
||||
{
|
||||
$sql = 'SELECT u.*
|
||||
FROM ' . USERS_TABLE . ' u, ' . SESSIONS_KEYS_TABLE . ' k
|
||||
|
@ -308,7 +347,7 @@ class session
|
|||
$this->data = $db->sql_fetchrow($result);
|
||||
$db->sql_freeresult($result);
|
||||
}
|
||||
else if ($user_id !== false)
|
||||
else if ($user_id !== false && !sizeof($this->data))
|
||||
{
|
||||
$this->cookie_data['k'] = '';
|
||||
$this->cookie_data['u'] = $user_id;
|
||||
|
@ -488,13 +527,27 @@ class session
|
|||
*/
|
||||
function session_kill()
|
||||
{
|
||||
global $SID, $db, $config;
|
||||
global $SID, $db, $config, $phpbb_root_path, $phpEx;
|
||||
|
||||
$sql = 'DELETE FROM ' . SESSIONS_TABLE . "
|
||||
WHERE session_id = '" . $db->sql_escape($this->session_id) . "'
|
||||
AND session_user_id = " . (int) $this->data['user_id'];
|
||||
$db->sql_query($sql);
|
||||
|
||||
// Allow connecting logout with external auth method logout
|
||||
$method = trim($config['auth_method']);
|
||||
|
||||
if (file_exists($phpbb_root_path . 'includes/auth/auth_' . $method . '.' . $phpEx))
|
||||
{
|
||||
include_once($phpbb_root_path . 'includes/auth/auth_' . $method . '.' . $phpEx);
|
||||
|
||||
$method = 'logout_' . $method;
|
||||
if (function_exists($method))
|
||||
{
|
||||
$method($this->data);
|
||||
}
|
||||
}
|
||||
|
||||
if ($this->data['user_id'] != ANONYMOUS)
|
||||
{
|
||||
// Delete existing session, update last visit info first!
|
||||
|
@ -538,8 +591,6 @@ class session
|
|||
$SID = '?sid=';
|
||||
$this->session_id = '';
|
||||
|
||||
// Trigger EVENT_END_SESSION
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
|
@ -910,7 +961,7 @@ class user extends session
|
|||
|
||||
// We include common language file here to not load it every time a custom language file is included
|
||||
$lang = &$this->lang;
|
||||
if ((@include $this->lang_path . "common.$phpEx") === false)
|
||||
if ((include $this->lang_path . "common.$phpEx") === false)
|
||||
{
|
||||
die("Language file " . $this->lang_path . "common.$phpEx" . " couldn't be opened.");
|
||||
}
|
||||
|
@ -940,7 +991,6 @@ class user extends session
|
|||
AND i.imageset_id = s.imageset_id";
|
||||
$result = $db->sql_query($sql, 3600);
|
||||
$this->theme = $db->sql_fetchrow($result);
|
||||
$db->sql_freeresult($result);
|
||||
|
||||
// User has wrong style
|
||||
if (!$this->theme && $style == $this->data['user_style'])
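Review bot: `$config['auth_method']` is spliced unvalidated into both an include path and a callable name in three new places (L638–L666, L797–L822, L937–L962); the value is admin-controlled configuration, so exposure is limited, but a single private helper that checks `preg_match('/^[a-z0-9_]+$/i', $method)` before building `'includes/auth/auth_' . $method . '.' . $phpEx` would make that trust boundary explicit and remove the triplicated include_once/function_exists block. In the L610 hunk a validate_session_ plugin returning false correctly forces `$session_expired = true`, while an auth method without such a hook silently falls through to the timeout checks; that is presumably intended for the db method but deserves a comment such as `// No validate_session_<method> hook for this auth method: rely on the timeout checks below`. The enclosing method of the L610 hunk (session_begin, presumably) starts and ends outside the hunk.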
|
||||
|
|
|
@ -235,6 +235,7 @@ $lang = array_merge($lang, array(
|
|||
'LOGIN_CONFIRMATION' => 'Confirmation of login',
|
||||
'LOGIN_CONFIRM_EXPLAIN' => 'To prevent brute forcing accounts the board administrator requires you to enter a confirmation code after a maximum amount of failed logins. The code is displayed in the image you should see below. If you are visually impaired or cannot otherwise read this code please contact the %sBoard Administrator%s.',
|
||||
'LOGIN_ERROR_ATTEMPTS' => 'You exceeded the maximum allowed number of login attempts. In addition to your username and password you now have to additionally confirm the image you see below.',
|
||||
'LOGIN_ERROR_EXTERNAL_AUTH_APACHE' => 'You have not been authenticated by apache.',
|
||||
'LOGIN_ERROR_PASSWORD' => 'You have specified an incorrect password. Please check your password and try again. If you continue to have problems please contact a board administrator.',
|
||||
'LOGIN_ERROR_USERNAME' => 'You have specified an incorrect username. Please check your username and try again. If you continue to have problems please contact a board administrator.',
|
||||
'LOGIN_FORUM' => 'To view or post in this forum you must enter a password.',
|
||||
|
|