From e2c049c997c1829f4f71100bdbdbba9bf72b8868 Mon Sep 17 00:00:00 2001 From: Joseph Warner Date: Mon, 17 Jun 2013 16:11:23 -0400 Subject: [PATCH 01/44] [feature/auth-refactor] Provider Interface Skeleton Creates a skeleton of the authentication provider interface. PHPBB3-9734 --- phpBB/includes/auth/provider_interface.php | 32 ++++++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 phpBB/includes/auth/provider_interface.php diff --git a/phpBB/includes/auth/provider_interface.php b/phpBB/includes/auth/provider_interface.php new file mode 100644 index 0000000000..ac7bb311a3 --- /dev/null +++ b/phpBB/includes/auth/provider_interface.php @@ -0,0 +1,32 @@ + Date: Mon, 17 Jun 2013 16:35:06 -0400 Subject: [PATCH 02/44] [feature/auth-refactor] Auth Apache Provider Skeleton Creates a skeleton for Apache based authentication using the phpbb_auth_provider_interface named phpbb_auth_provider_apache. This brings over all code in auth_apache.php verbatim complete with all global variables currently in use. PHPBB3-9734 --- phpBB/includes/auth/provider_apache.php | 265 ++++++++++++++++++++++++ 1 file changed, 265 insertions(+) create mode 100644 phpBB/includes/auth/provider_apache.php diff --git a/phpBB/includes/auth/provider_apache.php b/phpBB/includes/auth/provider_apache.php new file mode 100644 index 0000000000..ca3bf41560 --- /dev/null +++ b/phpBB/includes/auth/provider_apache.php @@ -0,0 +1,265 @@ +is_set('PHP_AUTH_USER', phpbb_request_interface::SERVER) || $user->data['username'] !== htmlspecialchars_decode($request->server('PHP_AUTH_USER'))) + { + return $user->lang['APACHE_SETUP_BEFORE_USE']; + } + return false; + } + + /** + * Login function + */ + public function login(&$username, &$password) + { + global $db, $request; + + // do not allow empty password + if (!$password) + { + return array( + 'status' => LOGIN_ERROR_PASSWORD, + 'error_msg' => 'NO_PASSWORD_SUPPLIED', + 'user_row' => array('user_id' => ANONYMOUS), + ); + } + + if (!$username) + { + return array( + 'status' => LOGIN_ERROR_USERNAME, + 'error_msg' => 'LOGIN_ERROR_USERNAME', + 'user_row' => array('user_id' => ANONYMOUS), + ); + } + + if (!$request->is_set('PHP_AUTH_USER', phpbb_request_interface::SERVER)) + { + return array( + 'status' => LOGIN_ERROR_EXTERNAL_AUTH, + 'error_msg' => 'LOGIN_ERROR_EXTERNAL_AUTH_APACHE', + 'user_row' => array('user_id' => ANONYMOUS), + ); + } + + $php_auth_user = htmlspecialchars_decode($request->server('PHP_AUTH_USER')); + $php_auth_pw = htmlspecialchars_decode($request->server('PHP_AUTH_PW')); + + if (!empty($php_auth_user) && !empty($php_auth_pw)) + { + if ($php_auth_user !== $username) + { + return array( + 'status' => LOGIN_ERROR_USERNAME, + 'error_msg' => 'LOGIN_ERROR_USERNAME', + 'user_row' => array('user_id' => ANONYMOUS), + ); + } + + $sql = 'SELECT user_id, username, user_password, user_passchg, user_email, user_type + FROM ' . USERS_TABLE . " + WHERE username = '" . $db->sql_escape($php_auth_user) . "'"; + $result = $db->sql_query($sql); + $row = $db->sql_fetchrow($result); + $db->sql_freeresult($result); + + if ($row) + { + // User inactive... + if ($row['user_type'] == USER_INACTIVE || $row['user_type'] == USER_IGNORE) + { + return array( + 'status' => LOGIN_ERROR_ACTIVE, + 'error_msg' => 'ACTIVE_ERROR', + 'user_row' => $row, + ); + } + + // Successful login... + return array( + 'status' => LOGIN_SUCCESS, + 'error_msg' => false, + 'user_row' => $row, + ); + } + + // this is the user's first login so create an empty profile + return array( + 'status' => LOGIN_SUCCESS_CREATE_PROFILE, + 'error_msg' => false, + 'user_row' => user_row_apache($php_auth_user, $php_auth_pw), + ); + } + + // Not logged into apache + return array( + 'status' => LOGIN_ERROR_EXTERNAL_AUTH, + 'error_msg' => 'LOGIN_ERROR_EXTERNAL_AUTH_APACHE', + 'user_row' => array('user_id' => ANONYMOUS), + ); + } + + /** + * Autologin function + * + * @return array containing the user row or empty if no auto login should + * take place + */ + public function autologin() + { + global $db, $request; + + if (!$request->is_set('PHP_AUTH_USER', phpbb_request_interface::SERVER)) + { + return array(); + } + + $php_auth_user = htmlspecialchars_decode($request->server('PHP_AUTH_USER')); + $php_auth_pw = htmlspecialchars_decode($request->server('PHP_AUTH_PW')); + + if (!empty($php_auth_user) && !empty($php_auth_pw)) + { + set_var($php_auth_user, $php_auth_user, 'string', true); + set_var($php_auth_pw, $php_auth_pw, 'string', true); + + $sql = 'SELECT * + FROM ' . USERS_TABLE . " + WHERE username = '" . $db->sql_escape($php_auth_user) . "'"; + $result = $db->sql_query($sql); + $row = $db->sql_fetchrow($result); + $db->sql_freeresult($result); + + if ($row) + { + return ($row['user_type'] == USER_INACTIVE || $row['user_type'] == USER_IGNORE) ? array() : $row; + } + + if (!function_exists('user_add')) + { + global $phpbb_root_path, $phpEx; + + include($phpbb_root_path . 'includes/functions_user.' . $phpEx); + } + + // create the user if he does not exist yet + user_add(user_row_apache($php_auth_user, $php_auth_pw)); + + $sql = 'SELECT * + FROM ' . USERS_TABLE . " + WHERE username_clean = '" . $db->sql_escape(utf8_clean_string($php_auth_user)) . "'"; + $result = $db->sql_query($sql); + $row = $db->sql_fetchrow($result); + $db->sql_freeresult($result); + + if ($row) + { + return $row; + } + } + + return array(); + } + + /** + * This function generates an array which can be passed to the user_add + * function in order to create a user + * + * @param str $username The username of the new user. + * @param str $password The password of the new user. + * @return array Contains data that can be passed directly to + * the user_add function. + */ + private function user_row($username, $password) + { + global $db, $config, $user; + // first retrieve default group id + $sql = 'SELECT group_id + FROM ' . GROUPS_TABLE . " + WHERE group_name = '" . $db->sql_escape('REGISTERED') . "' + AND group_type = " . GROUP_SPECIAL; + $result = $db->sql_query($sql); + $row = $db->sql_fetchrow($result); + $db->sql_freeresult($result); + + if (!$row) + { + trigger_error('NO_GROUP'); + } + + // generate user account data + return array( + 'username' => $username, + 'user_password' => phpbb_hash($password), + 'user_email' => '', + 'group_id' => (int) $row['group_id'], + 'user_type' => USER_NORMAL, + 'user_ip' => $user->ip, + 'user_new' => ($config['new_member_post_limit']) ? 1 : 0, + ); + } + + /** + * The session validation function checks whether the user is still logged in + * + * @return boolean true if the given user is authenticated or false if + * the session should be closed + */ + public function validate_session(&$user) + { + global $request; + + // Check if PHP_AUTH_USER is set and handle this case + if ($request->is_set('PHP_AUTH_USER', phpbb_request_interface::SERVER)) + { + $php_auth_user = $request->server('PHP_AUTH_USER'); + + return ($php_auth_user === $user['username']) ? true : false; + } + + // PHP_AUTH_USER is not set. A valid session is now determined by the user type (anonymous/bot or not) + if ($user['user_type'] == USER_IGNORE) + { + return true; + } + + return false; + } + + public function acp() + { + return; + } +} From 4917fd9ca7a372766ea1a2ec7d0726eba09d2fe1 Mon Sep 17 00:00:00 2001 From: Joseph Warner Date: Mon, 17 Jun 2013 16:41:56 -0400 Subject: [PATCH 03/44] [feature/auth-refactor] Database Auth Provider Skeleton Creates a skeleton of the database auth provider from auth_db.php. The functions are copied verbatim complete with globals and any existing errors. PHPBB3-9734 --- phpBB/includes/auth/provider_db.php | 309 ++++++++++++++++++++++++++++ 1 file changed, 309 insertions(+) create mode 100644 phpBB/includes/auth/provider_db.php diff --git a/phpBB/includes/auth/provider_db.php b/phpBB/includes/auth/provider_db.php new file mode 100644 index 0000000000..bba74fc2a3 --- /dev/null +++ b/phpBB/includes/auth/provider_db.php @@ -0,0 +1,309 @@ + status constant + * 'error_msg' => string + * 'user_row' => array + * ) + */ + public function login($username, $password, $ip = '', $browser = '', $forwarded_for = '') + { + global $db, $config; + global $request; + + // Auth plugins get the password untrimmed. + // For compatibility we trim() here. + $password = trim($password); + + // do not allow empty password + if (!$password) + { + return array( + 'status' => LOGIN_ERROR_PASSWORD, + 'error_msg' => 'NO_PASSWORD_SUPPLIED', + 'user_row' => array('user_id' => ANONYMOUS), + ); + } + + if (!$username) + { + return array( + 'status' => LOGIN_ERROR_USERNAME, + 'error_msg' => 'LOGIN_ERROR_USERNAME', + 'user_row' => array('user_id' => ANONYMOUS), + ); + } + + $username_clean = utf8_clean_string($username); + + $sql = 'SELECT user_id, username, user_password, user_passchg, user_pass_convert, user_email, user_type, user_login_attempts + FROM ' . USERS_TABLE . " + WHERE username_clean = '" . $db->sql_escape($username_clean) . "'"; + $result = $db->sql_query($sql); + $row = $db->sql_fetchrow($result); + $db->sql_freeresult($result); + + if (($ip && !$config['ip_login_limit_use_forwarded']) || + ($forwarded_for && $config['ip_login_limit_use_forwarded'])) + { + $sql = 'SELECT COUNT(*) AS attempts + FROM ' . LOGIN_ATTEMPT_TABLE . ' + WHERE attempt_time > ' . (time() - (int) $config['ip_login_limit_time']); + if ($config['ip_login_limit_use_forwarded']) + { + $sql .= " AND attempt_forwarded_for = '" . $db->sql_escape($forwarded_for) . "'"; + } + else + { + $sql .= " AND attempt_ip = '" . $db->sql_escape($ip) . "' "; + } + + $result = $db->sql_query($sql); + $attempts = (int) $db->sql_fetchfield('attempts'); + $db->sql_freeresult($result); + + $attempt_data = array( + 'attempt_ip' => $ip, + 'attempt_browser' => trim(substr($browser, 0, 149)), + 'attempt_forwarded_for' => $forwarded_for, + 'attempt_time' => time(), + 'user_id' => ($row) ? (int) $row['user_id'] : 0, + 'username' => $username, + 'username_clean' => $username_clean, + ); + $sql = 'INSERT INTO ' . LOGIN_ATTEMPT_TABLE . $db->sql_build_array('INSERT', $attempt_data); + $result = $db->sql_query($sql); + } + else + { + $attempts = 0; + } + + if (!$row) + { + if ($config['ip_login_limit_max'] && $attempts >= $config['ip_login_limit_max']) + { + return array( + 'status' => LOGIN_ERROR_ATTEMPTS, + 'error_msg' => 'LOGIN_ERROR_ATTEMPTS', + 'user_row' => array('user_id' => ANONYMOUS), + ); + } + + return array( + 'status' => LOGIN_ERROR_USERNAME, + 'error_msg' => 'LOGIN_ERROR_USERNAME', + 'user_row' => array('user_id' => ANONYMOUS), + ); + } + + $show_captcha = ($config['max_login_attempts'] && $row['user_login_attempts'] >= $config['max_login_attempts']) || + ($config['ip_login_limit_max'] && $attempts >= $config['ip_login_limit_max']); + + // If there are too much login attempts, we need to check for an confirm image + // Every auth module is able to define what to do by itself... + if ($show_captcha) + { + // Visual Confirmation handling + if (!class_exists('phpbb_captcha_factory', false)) + { + global $phpbb_root_path, $phpEx; + include ($phpbb_root_path . 'includes/captcha/captcha_factory.' . $phpEx); + } + + $captcha = phpbb_captcha_factory::get_instance($config['captcha_plugin']); + $captcha->init(CONFIRM_LOGIN); + $vc_response = $captcha->validate($row); + if ($vc_response) + { + return array( + 'status' => LOGIN_ERROR_ATTEMPTS, + 'error_msg' => 'LOGIN_ERROR_ATTEMPTS', + 'user_row' => $row, + ); + } + else + { + $captcha->reset(); + } + + } + + // If the password convert flag is set we need to convert it + if ($row['user_pass_convert']) + { + // enable super globals to get literal value + // this is needed to prevent unicode normalization + $super_globals_disabled = $request->super_globals_disabled(); + if ($super_globals_disabled) + { + $request->enable_super_globals(); + } + + // in phpBB2 passwords were used exactly as they were sent, with addslashes applied + $password_old_format = isset($_REQUEST['password']) ? (string) $_REQUEST['password'] : ''; + $password_old_format = (!STRIP) ? addslashes($password_old_format) : $password_old_format; + $password_new_format = $request->variable('password', '', true); + + if ($super_globals_disabled) + { + $request->disable_super_globals(); + } + + if ($password == $password_new_format) + { + if (!function_exists('utf8_to_cp1252')) + { + global $phpbb_root_path, $phpEx; + include($phpbb_root_path . 'includes/utf/data/recode_basic.' . $phpEx); + } + + // cp1252 is phpBB2's default encoding, characters outside ASCII range might work when converted into that encoding + // plain md5 support left in for conversions from other systems. + if ((strlen($row['user_password']) == 34 && (phpbb_check_hash(md5($password_old_format), $row['user_password']) || phpbb_check_hash(md5(utf8_to_cp1252($password_old_format)), $row['user_password']))) + || (strlen($row['user_password']) == 32 && (md5($password_old_format) == $row['user_password'] || md5(utf8_to_cp1252($password_old_format)) == $row['user_password']))) + { + $hash = phpbb_hash($password_new_format); + + // Update the password in the users table to the new format and remove user_pass_convert flag + $sql = 'UPDATE ' . USERS_TABLE . ' + SET user_password = \'' . $db->sql_escape($hash) . '\', + user_pass_convert = 0 + WHERE user_id = ' . $row['user_id']; + $db->sql_query($sql); + + $row['user_pass_convert'] = 0; + $row['user_password'] = $hash; + } + else + { + // Although we weren't able to convert this password we have to + // increase login attempt count to make sure this cannot be exploited + $sql = 'UPDATE ' . USERS_TABLE . ' + SET user_login_attempts = user_login_attempts + 1 + WHERE user_id = ' . (int) $row['user_id'] . ' + AND user_login_attempts < ' . LOGIN_ATTEMPTS_MAX; + $db->sql_query($sql); + + return array( + 'status' => LOGIN_ERROR_PASSWORD_CONVERT, + 'error_msg' => 'LOGIN_ERROR_PASSWORD_CONVERT', + 'user_row' => $row, + ); + } + } + } + + // Check password ... + if (!$row['user_pass_convert'] && phpbb_check_hash($password, $row['user_password'])) + { + // Check for old password hash... + if (strlen($row['user_password']) == 32) + { + $hash = phpbb_hash($password); + + // Update the password in the users table to the new format + $sql = 'UPDATE ' . USERS_TABLE . " + SET user_password = '" . $db->sql_escape($hash) . "', + user_pass_convert = 0 + WHERE user_id = {$row['user_id']}"; + $db->sql_query($sql); + + $row['user_password'] = $hash; + } + + $sql = 'DELETE FROM ' . LOGIN_ATTEMPT_TABLE . ' + WHERE user_id = ' . $row['user_id']; + $db->sql_query($sql); + + if ($row['user_login_attempts'] != 0) + { + // Successful, reset login attempts (the user passed all stages) + $sql = 'UPDATE ' . USERS_TABLE . ' + SET user_login_attempts = 0 + WHERE user_id = ' . $row['user_id']; + $db->sql_query($sql); + } + + // User inactive... + if ($row['user_type'] == USER_INACTIVE || $row['user_type'] == USER_IGNORE) + { + return array( + 'status' => LOGIN_ERROR_ACTIVE, + 'error_msg' => 'ACTIVE_ERROR', + 'user_row' => $row, + ); + } + + // Successful login... set user_login_attempts to zero... + return array( + 'status' => LOGIN_SUCCESS, + 'error_msg' => false, + 'user_row' => $row, + ); + } + + // Password incorrect - increase login attempts + $sql = 'UPDATE ' . USERS_TABLE . ' + SET user_login_attempts = user_login_attempts + 1 + WHERE user_id = ' . (int) $row['user_id'] . ' + AND user_login_attempts < ' . LOGIN_ATTEMPTS_MAX; + $db->sql_query($sql); + + // Give status about wrong password... + return array( + 'status' => ($show_captcha) ? LOGIN_ERROR_ATTEMPTS : LOGIN_ERROR_PASSWORD, + 'error_msg' => ($show_captcha) ? 'LOGIN_ERROR_ATTEMPTS' : 'LOGIN_ERROR_PASSWORD', + 'user_row' => $row, + ); + } + + public function autologin() + { + return; + } + + public function acp() + { + return; + } +} From 817813034032b8e94079f195db097f2377ae9ac3 Mon Sep 17 00:00:00 2001 From: Joseph Warner Date: Mon, 17 Jun 2013 16:50:01 -0400 Subject: [PATCH 04/44] [feature/auth-refactor] LDAP Auth Provider Skeleton Creates a ldap auth provider using code taken verbatim from auth_ldap.php. PHPBB3-9734 --- phpBB/includes/auth/provider_ldap.php | 358 ++++++++++++++++++++++++++ 1 file changed, 358 insertions(+) create mode 100644 phpBB/includes/auth/provider_ldap.php diff --git a/phpBB/includes/auth/provider_ldap.php b/phpBB/includes/auth/provider_ldap.php new file mode 100644 index 0000000000..fb2be5ae9d --- /dev/null +++ b/phpBB/includes/auth/provider_ldap.php @@ -0,0 +1,358 @@ +lang['LDAP_NO_LDAP_EXTENSION']; + } + + $config['ldap_port'] = (int) $config['ldap_port']; + if ($config['ldap_port']) + { + $ldap = @ldap_connect($config['ldap_server'], $config['ldap_port']); + } + else + { + $ldap = @ldap_connect($config['ldap_server']); + } + + if (!$ldap) + { + return $user->lang['LDAP_NO_SERVER_CONNECTION']; + } + + @ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3); + @ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0); + + if ($config['ldap_user'] || $config['ldap_password']) + { + if (!@ldap_bind($ldap, htmlspecialchars_decode($config['ldap_user']), htmlspecialchars_decode($config['ldap_password']))) + { + return $user->lang['LDAP_INCORRECT_USER_PASSWORD']; + } + } + + // ldap_connect only checks whether the specified server is valid, so the connection might still fail + $search = @ldap_search( + $ldap, + htmlspecialchars_decode($config['ldap_base_dn']), + ldap_user_filter($user->data['username']), + (empty($config['ldap_email'])) ? + array(htmlspecialchars_decode($config['ldap_uid'])) : + array(htmlspecialchars_decode($config['ldap_uid']), htmlspecialchars_decode($config['ldap_email'])), + 0, + 1 + ); + + if ($search === false) + { + return $user->lang['LDAP_SEARCH_FAILED']; + } + + $result = @ldap_get_entries($ldap, $search); + + @ldap_close($ldap); + + + if (!is_array($result) || sizeof($result) < 2) + { + return sprintf($user->lang['LDAP_NO_IDENTITY'], $user->data['username']); + } + + if (!empty($config['ldap_email']) && !isset($result[0][htmlspecialchars_decode($config['ldap_email'])])) + { + return $user->lang['LDAP_NO_EMAIL']; + } + + return false; + } + + /** + * Login function + */ + public function login(&$username, &$password) + { + global $db, $config, $user; + + // do not allow empty password + if (!$password) + { + return array( + 'status' => LOGIN_ERROR_PASSWORD, + 'error_msg' => 'NO_PASSWORD_SUPPLIED', + 'user_row' => array('user_id' => ANONYMOUS), + ); + } + + if (!$username) + { + return array( + 'status' => LOGIN_ERROR_USERNAME, + 'error_msg' => 'LOGIN_ERROR_USERNAME', + 'user_row' => array('user_id' => ANONYMOUS), + ); + } + + if (!@extension_loaded('ldap')) + { + return array( + 'status' => LOGIN_ERROR_EXTERNAL_AUTH, + 'error_msg' => 'LDAP_NO_LDAP_EXTENSION', + 'user_row' => array('user_id' => ANONYMOUS), + ); + } + + $config['ldap_port'] = (int) $config['ldap_port']; + if ($config['ldap_port']) + { + $ldap = @ldap_connect($config['ldap_server'], $config['ldap_port']); + } + else + { + $ldap = @ldap_connect($config['ldap_server']); + } + + if (!$ldap) + { + return array( + 'status' => LOGIN_ERROR_EXTERNAL_AUTH, + 'error_msg' => 'LDAP_NO_SERVER_CONNECTION', + 'user_row' => array('user_id' => ANONYMOUS), + ); + } + + @ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3); + @ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0); + + if ($config['ldap_user'] || $config['ldap_password']) + { + if (!@ldap_bind($ldap, htmlspecialchars_decode($config['ldap_user']), htmlspecialchars_decode($config['ldap_password']))) + { + return array( + 'status' => LOGIN_ERROR_EXTERNAL_AUTH, + 'error_msg' => 'LDAP_NO_SERVER_CONNECTION', + 'user_row' => array('user_id' => ANONYMOUS), + ); + } + } + + $search = @ldap_search( + $ldap, + htmlspecialchars_decode($config['ldap_base_dn']), + ldap_user_filter($username), + (empty($config['ldap_email'])) ? + array(htmlspecialchars_decode($config['ldap_uid'])) : + array(htmlspecialchars_decode($config['ldap_uid']), htmlspecialchars_decode($config['ldap_email'])), + 0, + 1 + ); + + $ldap_result = @ldap_get_entries($ldap, $search); + + if (is_array($ldap_result) && sizeof($ldap_result) > 1) + { + if (@ldap_bind($ldap, $ldap_result[0]['dn'], htmlspecialchars_decode($password))) + { + @ldap_close($ldap); + + $sql ='SELECT user_id, username, user_password, user_passchg, user_email, user_type + FROM ' . USERS_TABLE . " + WHERE username_clean = '" . $db->sql_escape(utf8_clean_string($username)) . "'"; + $result = $db->sql_query($sql); + $row = $db->sql_fetchrow($result); + $db->sql_freeresult($result); + + if ($row) + { + unset($ldap_result); + + // User inactive... + if ($row['user_type'] == USER_INACTIVE || $row['user_type'] == USER_IGNORE) + { + return array( + 'status' => LOGIN_ERROR_ACTIVE, + 'error_msg' => 'ACTIVE_ERROR', + 'user_row' => $row, + ); + } + + // Successful login... set user_login_attempts to zero... + return array( + 'status' => LOGIN_SUCCESS, + 'error_msg' => false, + 'user_row' => $row, + ); + } + else + { + // retrieve default group id + $sql = 'SELECT group_id + FROM ' . GROUPS_TABLE . " + WHERE group_name = '" . $db->sql_escape('REGISTERED') . "' + AND group_type = " . GROUP_SPECIAL; + $result = $db->sql_query($sql); + $row = $db->sql_fetchrow($result); + $db->sql_freeresult($result); + + if (!$row) + { + trigger_error('NO_GROUP'); + } + + // generate user account data + $ldap_user_row = array( + 'username' => $username, + 'user_password' => phpbb_hash($password), + 'user_email' => (!empty($config['ldap_email'])) ? utf8_htmlspecialchars($ldap_result[0][htmlspecialchars_decode($config['ldap_email'])][0]) : '', + 'group_id' => (int) $row['group_id'], + 'user_type' => USER_NORMAL, + 'user_ip' => $user->ip, + 'user_new' => ($config['new_member_post_limit']) ? 1 : 0, + ); + + unset($ldap_result); + + // this is the user's first login so create an empty profile + return array( + 'status' => LOGIN_SUCCESS_CREATE_PROFILE, + 'error_msg' => false, + 'user_row' => $ldap_user_row, + ); + } + } + else + { + unset($ldap_result); + @ldap_close($ldap); + + // Give status about wrong password... + return array( + 'status' => LOGIN_ERROR_PASSWORD, + 'error_msg' => 'LOGIN_ERROR_PASSWORD', + 'user_row' => array('user_id' => ANONYMOUS), + ); + } + } + + @ldap_close($ldap); + + return array( + 'status' => LOGIN_ERROR_USERNAME, + 'error_msg' => 'LOGIN_ERROR_USERNAME', + 'user_row' => array('user_id' => ANONYMOUS), + ); + } + + public function autologin(); + + /** + * This function is used to output any required fields in the authentication + * admin panel. It also defines any required configuration table fields. + */ + public function acp(&$new) + { + global $user; + + $tpl = ' + +
+

' . $user->lang['LDAP_SERVER_EXPLAIN'] . '
+
+
+
+

' . $user->lang['LDAP_PORT_EXPLAIN'] . '
+
+
+
+

' . $user->lang['LDAP_DN_EXPLAIN'] . '
+
+
+
+

' . $user->lang['LDAP_UID_EXPLAIN'] . '
+
+
+
+

' . $user->lang['LDAP_USER_FILTER_EXPLAIN'] . '
+
+
+
+

' . $user->lang['LDAP_EMAIL_EXPLAIN'] . '
+
+
+
+

' . $user->lang['LDAP_USER_EXPLAIN'] . '
+
+
+
+

' . $user->lang['LDAP_PASSWORD_EXPLAIN'] . '
+
+
+ '; + + // These are fields required in the config table + return array( + 'tpl' => $tpl, + 'config' => array('ldap_server', 'ldap_port', 'ldap_base_dn', 'ldap_uid', 'ldap_user_filter', 'ldap_email', 'ldap_user', 'ldap_password') + ); + } + + /** + * Generates a filter string for ldap_search to find a user + * + * @param $username string Username identifying the searched user + * + * @return string A filter string for ldap_search + */ + public function user_filter($username) + { + global $config; + + $filter = '(' . $config['ldap_uid'] . '=' . ldap_escape(htmlspecialchars_decode($username)) . ')'; + if ($config['ldap_user_filter']) + { + $_filter = ($config['ldap_user_filter'][0] == '(' && substr($config['ldap_user_filter'], -1) == ')') ? $config['ldap_user_filter'] : "({$config['ldap_user_filter']})"; + $filter = "(&{$filter}{$_filter})"; + } + return $filter; + } + + /** + * Escapes an LDAP AttributeValue + */ + public function escape($string) + { + return str_replace(array('*', '\\', '(', ')'), array('\\*', '\\\\', '\\(', '\\)'), $string); + } +} From e64abea999f68b248cfe41ab22ac60abc9e2951f Mon Sep 17 00:00:00 2001 From: Joseph Warner Date: Tue, 18 Jun 2013 15:17:14 -0400 Subject: [PATCH 05/44] [feature/auth-refactor] Document the provider interface Provides basic documentation of the auth_provideR_interface. Changes the login method to login($username, $password) for consistency with the providers. acp() is not fully documented. It appears that it is meant to return an array of some sort and take in a variable by reference. PHPBB3-9734 --- phpBB/includes/auth/provider_interface.php | 32 +++++++++++++++++++++- 1 file changed, 31 insertions(+), 1 deletion(-) diff --git a/phpBB/includes/auth/provider_interface.php b/phpBB/includes/auth/provider_interface.php index ac7bb311a3..8d966d8b3e 100644 --- a/phpBB/includes/auth/provider_interface.php +++ b/phpBB/includes/auth/provider_interface.php @@ -22,11 +22,41 @@ if (!defined('IN_PHPBB')) */ class phpbb_auth_provider_interface { + /** + * Checks whether the user is currently identified to the authentication + * provider. + * Called in acp_board while setting authentication plugins. + * + * @return boolean|string False if the user is identified, otherwise an + * error message. + */ public function init(); - public function login(); + /** + * Performs login. + * + * @param $username string The name of the user being authenticated. + * @param $password string The password of the user. + * @return array An associative array of the format: + * array( + * 'status' => status constant + * 'error_msg' => string + * 'user_row' => array + * ) + */ + public function login($username, $password); + /** + * Autologin function + * + * @return array containing the user row or empty if no auto login should + * take place + */ public function autologin(); + /** + * This function is used to output any required fields in the authentication + * admin panel. It also defines any required configuration table fields. + */ public function acp(); } From db27a8c67a9730384a912298a85a7bf38e506d7d Mon Sep 17 00:00:00 2001 From: Joseph Warner Date: Tue, 18 Jun 2013 15:32:18 -0400 Subject: [PATCH 06/44] [feature/auth-refactor] Fix comment block indentation Comment block indentation was off by one space on the provider_* files due to being incorrectly copied over from the auth_* files. PHPBB3-9734 --- phpBB/includes/auth/provider_apache.php | 52 ++++++++++++------------- phpBB/includes/auth/provider_db.php | 30 +++++++------- phpBB/includes/auth/provider_ldap.php | 34 ++++++++-------- 3 files changed, 58 insertions(+), 58 deletions(-) diff --git a/phpBB/includes/auth/provider_apache.php b/phpBB/includes/auth/provider_apache.php index ca3bf41560..bb25e502a6 100644 --- a/phpBB/includes/auth/provider_apache.php +++ b/phpBB/includes/auth/provider_apache.php @@ -23,12 +23,12 @@ if (!defined('IN_PHPBB')) class phpbb_auth_provider_apache implements phpbb_auth_provider_interface { /** - * Checks whether the user is identified to apache - * Only allow changing authentication to apache if the user is identified - * Called in acp_board while setting authentication plugins - * - * @return boolean|string false if the user is identified and else an error message - */ + * Checks whether the user is identified to apache + * Only allow changing authentication to apache if the user is identified + * Called in acp_board while setting authentication plugins + * + * @return boolean|string false if the user is identified and else an error message + */ public function init() { global $user, $request; @@ -41,8 +41,8 @@ class phpbb_auth_provider_apache implements phpbb_auth_provider_interface } /** - * Login function - */ + * Login function + */ public function login(&$username, &$password) { global $db, $request; @@ -133,11 +133,11 @@ class phpbb_auth_provider_apache implements phpbb_auth_provider_interface } /** - * Autologin function - * - * @return array containing the user row or empty if no auto login should - * take place - */ + * Autologin function + * + * @return array containing the user row or empty if no auto login should + * take place + */ public function autologin() { global $db, $request; @@ -194,14 +194,14 @@ class phpbb_auth_provider_apache implements phpbb_auth_provider_interface } /** - * This function generates an array which can be passed to the user_add - * function in order to create a user - * - * @param str $username The username of the new user. - * @param str $password The password of the new user. - * @return array Contains data that can be passed directly to - * the user_add function. - */ + * This function generates an array which can be passed to the user_add + * function in order to create a user + * + * @param str $username The username of the new user. + * @param str $password The password of the new user. + * @return array Contains data that can be passed directly to + * the user_add function. + */ private function user_row($username, $password) { global $db, $config, $user; @@ -232,11 +232,11 @@ class phpbb_auth_provider_apache implements phpbb_auth_provider_interface } /** - * The session validation function checks whether the user is still logged in - * - * @return boolean true if the given user is authenticated or false if - * the session should be closed - */ + * The session validation function checks whether the user is still logged in + * + * @return boolean true if the given user is authenticated or false if + * the session should be closed + */ public function validate_session(&$user) { global $request; diff --git a/phpBB/includes/auth/provider_db.php b/phpBB/includes/auth/provider_db.php index bba74fc2a3..c55837c685 100644 --- a/phpBB/includes/auth/provider_db.php +++ b/phpBB/includes/auth/provider_db.php @@ -30,21 +30,21 @@ class phpbb_auth_provider_db implements phpbb_auth_provider_interface } /** - * Login function - * - * @param string $username - * @param string $password - * @param string $ip IP address the login is taking place from. Used to - * limit the number of login attempts per IP address. - * @param string $browser The user agent used to login - * @param string $forwarded_for X_FORWARDED_FOR header sent with login request - * @return array A associative array of the format - * array( - * 'status' => status constant - * 'error_msg' => string - * 'user_row' => array - * ) - */ + * Login function + * + * @param string $username + * @param string $password + * @param string $ip IP address the login is taking place from. Used to + * limit the number of login attempts per IP address. + * @param string $browser The user agent used to login + * @param string $forwarded_for X_FORWARDED_FOR header sent with login request + * @return array A associative array of the format + * array( + * 'status' => status constant + * 'error_msg' => string + * 'user_row' => array + * ) + */ public function login($username, $password, $ip = '', $browser = '', $forwarded_for = '') { global $db, $config; diff --git a/phpBB/includes/auth/provider_ldap.php b/phpBB/includes/auth/provider_ldap.php index fb2be5ae9d..3c54ba212c 100644 --- a/phpBB/includes/auth/provider_ldap.php +++ b/phpBB/includes/auth/provider_ldap.php @@ -25,10 +25,10 @@ if (!defined('IN_PHPBB')) class phpbb_auth_provider_db implements phpbb_auth_provider_interface { /** - * Connect to ldap server - * Only allow changing authentication to ldap if we can connect to the ldap server - * Called in acp_board while setting authentication plugins - */ + * Connect to ldap server + * Only allow changing authentication to ldap if we can connect to the ldap server + * Called in acp_board while setting authentication plugins + */ public function init() { global $config, $user; @@ -100,8 +100,8 @@ class phpbb_auth_provider_db implements phpbb_auth_provider_interface } /** - * Login function - */ + * Login function + */ public function login(&$username, &$password) { global $db, $config, $user; @@ -278,9 +278,9 @@ class phpbb_auth_provider_db implements phpbb_auth_provider_interface public function autologin(); /** - * This function is used to output any required fields in the authentication - * admin panel. It also defines any required configuration table fields. - */ + * This function is used to output any required fields in the authentication + * admin panel. It also defines any required configuration table fields. + */ public function acp(&$new) { global $user; @@ -329,12 +329,12 @@ class phpbb_auth_provider_db implements phpbb_auth_provider_interface } /** - * Generates a filter string for ldap_search to find a user - * - * @param $username string Username identifying the searched user - * - * @return string A filter string for ldap_search - */ + * Generates a filter string for ldap_search to find a user + * + * @param $username string Username identifying the searched user + * + * @return string A filter string for ldap_search + */ public function user_filter($username) { global $config; @@ -349,8 +349,8 @@ class phpbb_auth_provider_db implements phpbb_auth_provider_interface } /** - * Escapes an LDAP AttributeValue - */ + * Escapes an LDAP AttributeValue + */ public function escape($string) { return str_replace(array('*', '\\', '(', ')'), array('\\*', '\\\\', '\\(', '\\)'), $string); From 57689948e252ef3240b2c20be95923d6a0635ca9 Mon Sep 17 00:00:00 2001 From: Joseph Warner Date: Tue, 18 Jun 2013 15:39:51 -0400 Subject: [PATCH 07/44] [feature/auth-refactor] Make Apache consistent with interface Makes the provider_apache consistent with the provider_interface by removing the pass-by-reference of $username and $password. PHPBB3-9734 --- phpBB/includes/auth/provider_apache.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/phpBB/includes/auth/provider_apache.php b/phpBB/includes/auth/provider_apache.php index bb25e502a6..01aa9400fd 100644 --- a/phpBB/includes/auth/provider_apache.php +++ b/phpBB/includes/auth/provider_apache.php @@ -43,7 +43,7 @@ class phpbb_auth_provider_apache implements phpbb_auth_provider_interface /** * Login function */ - public function login(&$username, &$password) + public function login($username, $password) { global $db, $request; From 204c640c773e707845859d103b74d64596de402d Mon Sep 17 00:00:00 2001 From: Joseph Warner Date: Tue, 18 Jun 2013 15:57:31 -0400 Subject: [PATCH 08/44] [feature/auth-refactor] Make LDAP consistent with interface Makes the provider_ldap consistent with the provider_interface except for the acp() method which has not yet been finalized. Renames phpbb_auth_provider_ldap::user_filter to phpbb_auth_provider_ldap::ldap_user_filter to maintain the original name of the function from auth_ldap. PHPBB3-9734 --- phpBB/includes/auth/provider_ldap.php | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/phpBB/includes/auth/provider_ldap.php b/phpBB/includes/auth/provider_ldap.php index 3c54ba212c..3636c7ae6d 100644 --- a/phpBB/includes/auth/provider_ldap.php +++ b/phpBB/includes/auth/provider_ldap.php @@ -68,7 +68,7 @@ class phpbb_auth_provider_db implements phpbb_auth_provider_interface $search = @ldap_search( $ldap, htmlspecialchars_decode($config['ldap_base_dn']), - ldap_user_filter($user->data['username']), + $this->ldap_user_filter($user->data['username']), (empty($config['ldap_email'])) ? array(htmlspecialchars_decode($config['ldap_uid'])) : array(htmlspecialchars_decode($config['ldap_uid']), htmlspecialchars_decode($config['ldap_email'])), @@ -102,7 +102,7 @@ class phpbb_auth_provider_db implements phpbb_auth_provider_interface /** * Login function */ - public function login(&$username, &$password) + public function login($username, $password) { global $db, $config, $user; @@ -171,7 +171,7 @@ class phpbb_auth_provider_db implements phpbb_auth_provider_interface $search = @ldap_search( $ldap, htmlspecialchars_decode($config['ldap_base_dn']), - ldap_user_filter($username), + $this->ldap_user_filter($username), (empty($config['ldap_email'])) ? array(htmlspecialchars_decode($config['ldap_uid'])) : array(htmlspecialchars_decode($config['ldap_uid']), htmlspecialchars_decode($config['ldap_email'])), @@ -275,7 +275,10 @@ class phpbb_auth_provider_db implements phpbb_auth_provider_interface ); } - public function autologin(); + public function autologin() + { + return; + } /** * This function is used to output any required fields in the authentication @@ -335,7 +338,7 @@ class phpbb_auth_provider_db implements phpbb_auth_provider_interface * * @return string A filter string for ldap_search */ - public function user_filter($username) + public function ldap_user_filter($username) { global $config; From 0432c3273992cf44b711fad92d442c81016a96c1 Mon Sep 17 00:00:00 2001 From: Joseph Warner Date: Tue, 18 Jun 2013 16:07:23 -0400 Subject: [PATCH 09/44] [feature/auth-refactor] Make DB auth consistent with interface Makes provider_db consistent with provider_interface. Removes $ip, $browser, and $forwarded_for from the arguments of phpbb_auth_provider_db::login() as these are provided by the global variable $user. PHPBB3-9734 --- phpBB/includes/auth/provider_db.php | 22 +++++++++------------- 1 file changed, 9 insertions(+), 13 deletions(-) diff --git a/phpBB/includes/auth/provider_db.php b/phpBB/includes/auth/provider_db.php index c55837c685..9e865f4b5b 100644 --- a/phpBB/includes/auth/provider_db.php +++ b/phpBB/includes/auth/provider_db.php @@ -34,10 +34,6 @@ class phpbb_auth_provider_db implements phpbb_auth_provider_interface * * @param string $username * @param string $password - * @param string $ip IP address the login is taking place from. Used to - * limit the number of login attempts per IP address. - * @param string $browser The user agent used to login - * @param string $forwarded_for X_FORWARDED_FOR header sent with login request * @return array A associative array of the format * array( * 'status' => status constant @@ -45,10 +41,10 @@ class phpbb_auth_provider_db implements phpbb_auth_provider_interface * 'user_row' => array * ) */ - public function login($username, $password, $ip = '', $browser = '', $forwarded_for = '') + public function login($username, $password) { global $db, $config; - global $request; + global $request, $user; // Auth plugins get the password untrimmed. // For compatibility we trim() here. @@ -82,19 +78,19 @@ class phpbb_auth_provider_db implements phpbb_auth_provider_interface $row = $db->sql_fetchrow($result); $db->sql_freeresult($result); - if (($ip && !$config['ip_login_limit_use_forwarded']) || - ($forwarded_for && $config['ip_login_limit_use_forwarded'])) + if (($user->ip && !$config['ip_login_limit_use_forwarded']) || + ($user->forwarded_for && $config['ip_login_limit_use_forwarded'])) { $sql = 'SELECT COUNT(*) AS attempts FROM ' . LOGIN_ATTEMPT_TABLE . ' WHERE attempt_time > ' . (time() - (int) $config['ip_login_limit_time']); if ($config['ip_login_limit_use_forwarded']) { - $sql .= " AND attempt_forwarded_for = '" . $db->sql_escape($forwarded_for) . "'"; + $sql .= " AND attempt_forwarded_for = '" . $db->sql_escape($user->forwarded_for) . "'"; } else { - $sql .= " AND attempt_ip = '" . $db->sql_escape($ip) . "' "; + $sql .= " AND attempt_ip = '" . $db->sql_escape($user->ip) . "' "; } $result = $db->sql_query($sql); @@ -102,9 +98,9 @@ class phpbb_auth_provider_db implements phpbb_auth_provider_interface $db->sql_freeresult($result); $attempt_data = array( - 'attempt_ip' => $ip, - 'attempt_browser' => trim(substr($browser, 0, 149)), - 'attempt_forwarded_for' => $forwarded_for, + 'attempt_ip' => $user->ip, + 'attempt_browser' => trim(substr($user->browser, 0, 149)), + 'attempt_forwarded_for' => $user->forwarded_for, 'attempt_time' => time(), 'user_id' => ($row) ? (int) $row['user_id'] : 0, 'username' => $username, From 7bdab205a13380242ef2469d192abc22b48010d8 Mon Sep 17 00:00:00 2001 From: Joseph Warner Date: Tue, 18 Jun 2013 16:55:35 -0400 Subject: [PATCH 10/44] [feature/auth-refactor] Refactor login to use new interface Refactors auth.php to use the provider_interface during login. PHPBB-9734 --- phpBB/includes/auth/auth.php | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/phpBB/includes/auth/auth.php b/phpBB/includes/auth/auth.php index 2535247571..009e621e13 100644 --- a/phpBB/includes/auth/auth.php +++ b/phpBB/includes/auth/auth.php @@ -932,10 +932,11 @@ class phpbb_auth $method = trim(basename($config['auth_method'])); include_once($phpbb_root_path . 'includes/auth/auth_' . $method . '.' . $phpEx); - $method = 'login_' . $method; - if (function_exists($method)) + $class = 'phpbb_auth_provider_' . $method; + if (class_exists($class)) { - $login = $method($username, $password, $user->ip, $user->browser, $user->forwarded_for); + $provider = new $class(); + $login = $provider->login($username, $password); // If the auth module wants us to create an empty profile do so and then treat the status as LOGIN_SUCCESS if ($login['status'] == LOGIN_SUCCESS_CREATE_PROFILE) From 553c300688818c36acc4d579762b3eb428d27321 Mon Sep 17 00:00:00 2001 From: Joseph Warner Date: Wed, 19 Jun 2013 14:20:29 -0400 Subject: [PATCH 11/44] [feature/auth-refactor] Fix typos causing changes to not work Replaces short tags with long tags. Fixes the interface to be an interface and not class in the file. Removes unnecessary include_once from auth.php. PHPBB-9734 --- phpBB/includes/auth/auth.php | 1 - phpBB/includes/auth/provider_apache.php | 2 +- phpBB/includes/auth/provider_db.php | 2 +- phpBB/includes/auth/provider_interface.php | 4 ++-- phpBB/includes/auth/provider_ldap.php | 2 +- 5 files changed, 5 insertions(+), 6 deletions(-) diff --git a/phpBB/includes/auth/auth.php b/phpBB/includes/auth/auth.php index 009e621e13..ab84619977 100644 --- a/phpBB/includes/auth/auth.php +++ b/phpBB/includes/auth/auth.php @@ -930,7 +930,6 @@ class phpbb_auth global $config, $db, $user, $phpbb_root_path, $phpEx; $method = trim(basename($config['auth_method'])); - include_once($phpbb_root_path . 'includes/auth/auth_' . $method . '.' . $phpEx); $class = 'phpbb_auth_provider_' . $method; if (class_exists($class)) diff --git a/phpBB/includes/auth/provider_apache.php b/phpBB/includes/auth/provider_apache.php index 01aa9400fd..a923fb4265 100644 --- a/phpBB/includes/auth/provider_apache.php +++ b/phpBB/includes/auth/provider_apache.php @@ -1,4 +1,4 @@ - Date: Wed, 19 Jun 2013 14:57:11 -0400 Subject: [PATCH 12/44] [feature/auth-refactor] Refactor acp_board for new auth interface Partially refactors acp_board for the new authentication interface. Leaves some questionable if statements in the file. Modifies the interface to correctly impletment the acp() method. Modifies each provider to comply with the above mentioned interface modification. PHPBB3-9734 --- phpBB/includes/acp/acp_board.php | 35 +++++++++++----------- phpBB/includes/auth/provider_apache.php | 2 +- phpBB/includes/auth/provider_db.php | 2 +- phpBB/includes/auth/provider_interface.php | 2 +- phpBB/includes/auth/provider_ldap.php | 4 +-- 5 files changed, 22 insertions(+), 23 deletions(-) diff --git a/phpBB/includes/acp/acp_board.php b/phpBB/includes/acp/acp_board.php index 6881e03fdb..9407d81575 100644 --- a/phpBB/includes/acp/acp_board.php +++ b/phpBB/includes/acp/acp_board.php @@ -530,9 +530,9 @@ class acp_board { while (($file = readdir($dp)) !== false) { - if (preg_match('#^auth_(.*?)\.' . $phpEx . '$#', $file)) + if (preg_match('#^provider_(.*?)\.' . $phpEx . '$#', $file) && !preg_match('#^provider_interface\.' . $phpEx . '$#', $file)) { - $auth_plugins[] = basename(preg_replace('#^auth_(.*?)\.' . $phpEx . '$#', '\1', $file)); + $auth_plugins[] = basename(preg_replace('#^provider_(.*?)\.' . $phpEx . '$#', '\1', $file)); } } closedir($dp); @@ -544,14 +544,13 @@ class acp_board $old_auth_config = array(); foreach ($auth_plugins as $method) { - if ($method && file_exists($phpbb_root_path . 'includes/auth/auth_' . $method . '.' . $phpEx)) + if ($method) { - include_once($phpbb_root_path . 'includes/auth/auth_' . $method . '.' . $phpEx); - - $method = 'acp_' . $method; - if (function_exists($method)) + $class = 'phpbb_auth_provider_' . $method; + if (class_exists($class)) { - if ($fields = $method($this->new_config)) + $provider = new $class(); + if ($fields = $provider->acp($this->new_config)) { // Check if we need to create config fields for this plugin and save config when submit was pressed foreach ($fields['config'] as $field) @@ -585,14 +584,13 @@ class acp_board if ($submit && (($cfg_array['auth_method'] != $this->new_config['auth_method']) || $updated_auth_settings)) { $method = basename($cfg_array['auth_method']); - if ($method && in_array($method, $auth_plugins)) + if ($method) { - include_once($phpbb_root_path . 'includes/auth/auth_' . $method . '.' . $phpEx); - - $method = 'init_' . $method; - if (function_exists($method)) + $class = 'phpbb_auth_provider_' . $method; + if (class_exists($class)) { - if ($error = $method()) + $provider = new $class(); + if ($error = $provider->init()) { foreach ($old_auth_config as $config_name => $config_value) { @@ -685,12 +683,13 @@ class acp_board foreach ($auth_plugins as $method) { - if ($method && file_exists($phpbb_root_path . 'includes/auth/auth_' . $method . '.' . $phpEx)) + if ($method) { - $method = 'acp_' . $method; - if (function_exists($method)) + $class = 'phpbb_auth_provider_' . $method; + if (class_exists($class)) { - $fields = $method($this->new_config); + $provider = new $class(); + $fields = $provider->acp($this->new_config); if ($fields['tpl']) { diff --git a/phpBB/includes/auth/provider_apache.php b/phpBB/includes/auth/provider_apache.php index a923fb4265..2d26b85877 100644 --- a/phpBB/includes/auth/provider_apache.php +++ b/phpBB/includes/auth/provider_apache.php @@ -258,7 +258,7 @@ class phpbb_auth_provider_apache implements phpbb_auth_provider_interface return false; } - public function acp() + public function acp($new) { return; } diff --git a/phpBB/includes/auth/provider_db.php b/phpBB/includes/auth/provider_db.php index 60ea105236..df935fcd73 100644 --- a/phpBB/includes/auth/provider_db.php +++ b/phpBB/includes/auth/provider_db.php @@ -298,7 +298,7 @@ class phpbb_auth_provider_db implements phpbb_auth_provider_interface return; } - public function acp() + public function acp($new) { return; } diff --git a/phpBB/includes/auth/provider_interface.php b/phpBB/includes/auth/provider_interface.php index 3dd1dba9be..a789dccce7 100644 --- a/phpBB/includes/auth/provider_interface.php +++ b/phpBB/includes/auth/provider_interface.php @@ -58,5 +58,5 @@ interface phpbb_auth_provider_interface * This function is used to output any required fields in the authentication * admin panel. It also defines any required configuration table fields. */ - public function acp(); + public function acp($new); } diff --git a/phpBB/includes/auth/provider_ldap.php b/phpBB/includes/auth/provider_ldap.php index 4d0e68233b..c1f5b3e186 100644 --- a/phpBB/includes/auth/provider_ldap.php +++ b/phpBB/includes/auth/provider_ldap.php @@ -22,7 +22,7 @@ if (!defined('IN_PHPBB')) * * @package auth */ -class phpbb_auth_provider_db implements phpbb_auth_provider_interface +class phpbb_auth_provider_ldap implements phpbb_auth_provider_interface { /** * Connect to ldap server @@ -284,7 +284,7 @@ class phpbb_auth_provider_db implements phpbb_auth_provider_interface * This function is used to output any required fields in the authentication * admin panel. It also defines any required configuration table fields. */ - public function acp(&$new) + public function acp($new) { global $user; From f4def220ce00a6be06857d5bd9f164473c0411c4 Mon Sep 17 00:00:00 2001 From: Joseph Warner Date: Wed, 19 Jun 2013 15:12:00 -0400 Subject: [PATCH 13/44] [feature/auth-refactor] Refactor session for new auth interface Refactors phpbb_session to use the new auth interface. PHPBB3-9734 --- phpBB/includes/session.php | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/phpBB/includes/session.php b/phpBB/includes/session.php index 6bc71da0c1..85ca8abf3d 100644 --- a/phpBB/includes/session.php +++ b/phpBB/includes/session.php @@ -568,12 +568,12 @@ class phpbb_session } $method = basename(trim($config['auth_method'])); - include_once($phpbb_root_path . 'includes/auth/auth_' . $method . '.' . $phpEx); - $method = 'autologin_' . $method; - if (function_exists($method)) + $class = 'phpbb_auth_provider_' . $method; + if (class_exists($class)) { - $this->data = $method(); + $provider = new $class(); + $this->data = $class->autologin(); if (sizeof($this->data)) { From 8214e6e8377b0858092e48aba3ba2a01994be47f Mon Sep 17 00:00:00 2001 From: Joseph Warner Date: Wed, 19 Jun 2013 15:32:20 -0400 Subject: [PATCH 14/44] [feature/auth-refactor] Finish refactoring auth plugins I believe that this commit should have final minimal changes needed to replace the old auth plugins with the refactored auth plugins. Added a few more elements to the interface based on the old auth plugins. Documentation is not complete and need works on these new elements. PHPBB3-9734 --- phpBB/includes/auth/provider_apache.php | 7 ++++++- phpBB/includes/auth/provider_db.php | 10 ++++++++++ phpBB/includes/auth/provider_interface.php | 19 +++++++++++++++++++ phpBB/includes/auth/provider_ldap.php | 10 ++++++++++ phpBB/includes/session.php | 19 ++++++++++--------- 5 files changed, 55 insertions(+), 10 deletions(-) diff --git a/phpBB/includes/auth/provider_apache.php b/phpBB/includes/auth/provider_apache.php index 2d26b85877..2ba76e26a9 100644 --- a/phpBB/includes/auth/provider_apache.php +++ b/phpBB/includes/auth/provider_apache.php @@ -237,7 +237,7 @@ class phpbb_auth_provider_apache implements phpbb_auth_provider_interface * @return boolean true if the given user is authenticated or false if * the session should be closed */ - public function validate_session(&$user) + public function validate_session($user) { global $request; @@ -262,4 +262,9 @@ class phpbb_auth_provider_apache implements phpbb_auth_provider_interface { return; } + + public function logout($data, $new_session) + { + return; + } } diff --git a/phpBB/includes/auth/provider_db.php b/phpBB/includes/auth/provider_db.php index df935fcd73..e24e701911 100644 --- a/phpBB/includes/auth/provider_db.php +++ b/phpBB/includes/auth/provider_db.php @@ -302,4 +302,14 @@ class phpbb_auth_provider_db implements phpbb_auth_provider_interface { return; } + + public function logout($data, $new_session) + { + return; + } + + public function validate_session($user) + { + return; + } } diff --git a/phpBB/includes/auth/provider_interface.php b/phpBB/includes/auth/provider_interface.php index a789dccce7..534f198c21 100644 --- a/phpBB/includes/auth/provider_interface.php +++ b/phpBB/includes/auth/provider_interface.php @@ -57,6 +57,25 @@ interface phpbb_auth_provider_interface /** * This function is used to output any required fields in the authentication * admin panel. It also defines any required configuration table fields. + * + * @param type $new */ public function acp($new); + + /** + * Special logout function. + * + * @param type $data + * @param type $new_session + */ + public function logout($data, $new_session); + + /** + * The session validation function checks whether the user is still logged in. + * + * @param type $user + * @return boolean true if the given user is authenticated, false if the + * session should be closed, or null if not implemented. + */ + public function validate_session($user); } diff --git a/phpBB/includes/auth/provider_ldap.php b/phpBB/includes/auth/provider_ldap.php index c1f5b3e186..8270f50440 100644 --- a/phpBB/includes/auth/provider_ldap.php +++ b/phpBB/includes/auth/provider_ldap.php @@ -358,4 +358,14 @@ class phpbb_auth_provider_ldap implements phpbb_auth_provider_interface { return str_replace(array('*', '\\', '(', ')'), array('\\*', '\\\\', '\\(', '\\)'), $string); } + + public function logout($data, $new_session) + { + return; + } + + public function validate_session($user) + { + return; + } } diff --git a/phpBB/includes/session.php b/phpBB/includes/session.php index 85ca8abf3d..f12ba1329c 100644 --- a/phpBB/includes/session.php +++ b/phpBB/includes/session.php @@ -402,12 +402,13 @@ class phpbb_session // Check whether the session is still valid if we have one $method = basename(trim($config['auth_method'])); - include_once($phpbb_root_path . 'includes/auth/auth_' . $method . '.' . $phpEx); - $method = 'validate_session_' . $method; - if (function_exists($method)) + $class = 'phpbb_auth_provider_' . $method; + if (class_exists($class)) { - if (!$method($this->data)) + $provider = new $class(); + $ret = $provider->validate_session($this->data); + if ($ret !== null && !$ret) { $session_expired = true; } @@ -573,7 +574,7 @@ class phpbb_session if (class_exists($class)) { $provider = new $class(); - $this->data = $class->autologin(); + $this->data = $provider->autologin(); if (sizeof($this->data)) { @@ -893,12 +894,12 @@ class phpbb_session // Allow connecting logout with external auth method logout $method = basename(trim($config['auth_method'])); - include_once($phpbb_root_path . 'includes/auth/auth_' . $method . '.' . $phpEx); - $method = 'logout_' . $method; - if (function_exists($method)) + $class = 'phpbb_auth_provider_' . $method; + if (class_exists($class)) { - $method($this->data, $new_session); + $provider = new $class(); + $provider->logout($this->data, $new_session); } if ($this->data['user_id'] != ANONYMOUS) From 0633666e2b5e39a7ebf7d2a68dc4c1b4dbbc0db1 Mon Sep 17 00:00:00 2001 From: Joseph Warner Date: Thu, 20 Jun 2013 16:46:25 -0400 Subject: [PATCH 15/44] [feature/auth-refactor] Fix LDAP conversion error I messed up when converting over auth_ldap this commit fixes that error. I have not been able to extensively test ldap due to not having ldap set up on this computer yet. Apache authentication appears to work. PHPBB3-9734 --- phpBB/includes/auth/provider_ldap.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/phpBB/includes/auth/provider_ldap.php b/phpBB/includes/auth/provider_ldap.php index 8270f50440..ee9b8100ee 100644 --- a/phpBB/includes/auth/provider_ldap.php +++ b/phpBB/includes/auth/provider_ldap.php @@ -338,11 +338,11 @@ class phpbb_auth_provider_ldap implements phpbb_auth_provider_interface * * @return string A filter string for ldap_search */ - public function ldap_user_filter($username) + private function ldap_user_filter($username) { global $config; - $filter = '(' . $config['ldap_uid'] . '=' . ldap_escape(htmlspecialchars_decode($username)) . ')'; + $filter = '(' . $config['ldap_uid'] . '=' . $this->ldap_escape(htmlspecialchars_decode($username)) . ')'; if ($config['ldap_user_filter']) { $_filter = ($config['ldap_user_filter'][0] == '(' && substr($config['ldap_user_filter'], -1) == ')') ? $config['ldap_user_filter'] : "({$config['ldap_user_filter']})"; @@ -354,7 +354,7 @@ class phpbb_auth_provider_ldap implements phpbb_auth_provider_interface /** * Escapes an LDAP AttributeValue */ - public function escape($string) + private function ldap_escape($string) { return str_replace(array('*', '\\', '(', ')'), array('\\*', '\\\\', '\\(', '\\)'), $string); } From 6601c3d64e7a3a57a6c956ee0eba19523b04e52f Mon Sep 17 00:00:00 2001 From: Joseph Warner Date: Thu, 20 Jun 2013 21:29:16 -0400 Subject: [PATCH 16/44] [feature/auth-refactor] Start turning auth providers into services Creates auth_provider.yml and includes auth_providers.yml in services.yml. PHPBB3-9734 --- phpBB/config/auth_providers.yml | 1 + phpBB/config/services.yml | 1 + 2 files changed, 2 insertions(+) create mode 100644 phpBB/config/auth_providers.yml diff --git a/phpBB/config/auth_providers.yml b/phpBB/config/auth_providers.yml new file mode 100644 index 0000000000..0baad47661 --- /dev/null +++ b/phpBB/config/auth_providers.yml @@ -0,0 +1 @@ +services: diff --git a/phpBB/config/services.yml b/phpBB/config/services.yml index bb96953bcf..4b272c6abd 100644 --- a/phpBB/config/services.yml +++ b/phpBB/config/services.yml @@ -5,6 +5,7 @@ imports: - { resource: migrator.yml } - { resource: avatars.yml } - { resource: feed.yml } + - { resource: auth_providers.yml } services: auth: From 24825b9dc8cd94204da4180a044dbeab563d5563 Mon Sep 17 00:00:00 2001 From: Joseph Warner Date: Thu, 20 Jun 2013 21:55:25 -0400 Subject: [PATCH 17/44] [feature/auth-refactor] Turn provider_db into a service Removes globals from provider_db and turns it into a service. PHPBB3-9734 --- phpBB/config/auth_providers.yml | 17 +++++ phpBB/includes/auth/provider_db.php | 98 +++++++++++++++++------------ 2 files changed, 74 insertions(+), 41 deletions(-) diff --git a/phpBB/config/auth_providers.yml b/phpBB/config/auth_providers.yml index 0baad47661..e702ec665a 100644 --- a/phpBB/config/auth_providers.yml +++ b/phpBB/config/auth_providers.yml @@ -1 +1,18 @@ services: + auth.provider.db: + class: phpbb_auth_provider_db + arguments: + - @dbal.conn + - @config + - @request + - @user + - %core.root_path% + - %core.php_ext% + auth.provider.apache: + class: phpbb_auth_provider_apache + arguments: + + auth.provider.ldap: + class: phpbb_auth_provider_ldap + arguments: + diff --git a/phpBB/includes/auth/provider_db.php b/phpBB/includes/auth/provider_db.php index e24e701911..aaf9cda735 100644 --- a/phpBB/includes/auth/provider_db.php +++ b/phpBB/includes/auth/provider_db.php @@ -24,6 +24,27 @@ if (!defined('IN_PHPBB')) */ class phpbb_auth_provider_db implements phpbb_auth_provider_interface { + + /** + * Database Authentication Constructor + * + * @param phpbb_db_driver $db + * @param phpbb_config $config + * @param phpbb_request $request + * @param phpbb_user $user + * @param string $phpbb_root_path + * @param string $phpEx + */ + public function __construct(phpbb_db_driver $db, phpbb_config $config, phpbb_request $request, phpbb_user $user, $phpbb_root_path, $phpEx) + { + $this->db = $db; + $this->config = $config; + $this->request = $request; + $this->user = $user; + $this->phpbb_root_path = $phpbb_root_path; + $this->phpEx = $phpEx; + } + public function init() { return; @@ -43,9 +64,6 @@ class phpbb_auth_provider_db implements phpbb_auth_provider_interface */ public function login($username, $password) { - global $db, $config; - global $request, $user; - // Auth plugins get the password untrimmed. // For compatibility we trim() here. $password = trim($password); @@ -73,41 +91,41 @@ class phpbb_auth_provider_db implements phpbb_auth_provider_interface $sql = 'SELECT user_id, username, user_password, user_passchg, user_pass_convert, user_email, user_type, user_login_attempts FROM ' . USERS_TABLE . " - WHERE username_clean = '" . $db->sql_escape($username_clean) . "'"; - $result = $db->sql_query($sql); - $row = $db->sql_fetchrow($result); - $db->sql_freeresult($result); + WHERE username_clean = '" . $this->db->sql_escape($username_clean) . "'"; + $result = $this->db->sql_query($sql); + $row = $this->db->sql_fetchrow($result); + $this->db->sql_freeresult($result); - if (($user->ip && !$config['ip_login_limit_use_forwarded']) || - ($user->forwarded_for && $config['ip_login_limit_use_forwarded'])) + if (($this->user->ip && !$this->config['ip_login_limit_use_forwarded']) || + ($this->user->forwarded_for && $this->config['ip_login_limit_use_forwarded'])) { $sql = 'SELECT COUNT(*) AS attempts FROM ' . LOGIN_ATTEMPT_TABLE . ' - WHERE attempt_time > ' . (time() - (int) $config['ip_login_limit_time']); - if ($config['ip_login_limit_use_forwarded']) + WHERE attempt_time > ' . (time() - (int) $this->config['ip_login_limit_time']); + if ($this->config['ip_login_limit_use_forwarded']) { - $sql .= " AND attempt_forwarded_for = '" . $db->sql_escape($user->forwarded_for) . "'"; + $sql .= " AND attempt_forwarded_for = '" . $this->db->sql_escape($this->user->forwarded_for) . "'"; } else { - $sql .= " AND attempt_ip = '" . $db->sql_escape($user->ip) . "' "; + $sql .= " AND attempt_ip = '" . $this->db->sql_escape($this->user->ip) . "' "; } - $result = $db->sql_query($sql); - $attempts = (int) $db->sql_fetchfield('attempts'); - $db->sql_freeresult($result); + $result = $this->db->sql_query($sql); + $attempts = (int) $this->db->sql_fetchfield('attempts'); + $this->db->sql_freeresult($result); $attempt_data = array( - 'attempt_ip' => $user->ip, - 'attempt_browser' => trim(substr($user->browser, 0, 149)), - 'attempt_forwarded_for' => $user->forwarded_for, + 'attempt_ip' => $this->user->ip, + 'attempt_browser' => trim(substr($this->user->browser, 0, 149)), + 'attempt_forwarded_for' => $this->user->forwarded_for, 'attempt_time' => time(), 'user_id' => ($row) ? (int) $row['user_id'] : 0, 'username' => $username, 'username_clean' => $username_clean, ); - $sql = 'INSERT INTO ' . LOGIN_ATTEMPT_TABLE . $db->sql_build_array('INSERT', $attempt_data); - $result = $db->sql_query($sql); + $sql = 'INSERT INTO ' . LOGIN_ATTEMPT_TABLE . $this->db->sql_build_array('INSERT', $attempt_data); + $result = $this->db->sql_query($sql); } else { @@ -116,7 +134,7 @@ class phpbb_auth_provider_db implements phpbb_auth_provider_interface if (!$row) { - if ($config['ip_login_limit_max'] && $attempts >= $config['ip_login_limit_max']) + if ($this->config['ip_login_limit_max'] && $attempts >= $this->config['ip_login_limit_max']) { return array( 'status' => LOGIN_ERROR_ATTEMPTS, @@ -132,8 +150,8 @@ class phpbb_auth_provider_db implements phpbb_auth_provider_interface ); } - $show_captcha = ($config['max_login_attempts'] && $row['user_login_attempts'] >= $config['max_login_attempts']) || - ($config['ip_login_limit_max'] && $attempts >= $config['ip_login_limit_max']); + $show_captcha = ($this->config['max_login_attempts'] && $row['user_login_attempts'] >= $this->config['max_login_attempts']) || + ($this->config['ip_login_limit_max'] && $attempts >= $this->config['ip_login_limit_max']); // If there are too much login attempts, we need to check for an confirm image // Every auth module is able to define what to do by itself... @@ -142,11 +160,10 @@ class phpbb_auth_provider_db implements phpbb_auth_provider_interface // Visual Confirmation handling if (!class_exists('phpbb_captcha_factory', false)) { - global $phpbb_root_path, $phpEx; - include ($phpbb_root_path . 'includes/captcha/captcha_factory.' . $phpEx); + include ($this->phpbb_root_path . 'includes/captcha/captcha_factory.' . $this->phpEx); } - $captcha = phpbb_captcha_factory::get_instance($config['captcha_plugin']); + $captcha = phpbb_captcha_factory::get_instance($this->config['captcha_plugin']); $captcha->init(CONFIRM_LOGIN); $vc_response = $captcha->validate($row); if ($vc_response) @@ -169,28 +186,27 @@ class phpbb_auth_provider_db implements phpbb_auth_provider_interface { // enable super globals to get literal value // this is needed to prevent unicode normalization - $super_globals_disabled = $request->super_globals_disabled(); + $super_globals_disabled = $this->request->super_globals_disabled(); if ($super_globals_disabled) { - $request->enable_super_globals(); + $this->request->enable_super_globals(); } // in phpBB2 passwords were used exactly as they were sent, with addslashes applied $password_old_format = isset($_REQUEST['password']) ? (string) $_REQUEST['password'] : ''; $password_old_format = (!STRIP) ? addslashes($password_old_format) : $password_old_format; - $password_new_format = $request->variable('password', '', true); + $password_new_format = $this->request->variable('password', '', true); if ($super_globals_disabled) { - $request->disable_super_globals(); + $this->request->disable_super_globals(); } if ($password == $password_new_format) { if (!function_exists('utf8_to_cp1252')) { - global $phpbb_root_path, $phpEx; - include($phpbb_root_path . 'includes/utf/data/recode_basic.' . $phpEx); + include($this->phpbb_root_path . 'includes/utf/data/recode_basic.' . $this->phpEx); } // cp1252 is phpBB2's default encoding, characters outside ASCII range might work when converted into that encoding @@ -202,10 +218,10 @@ class phpbb_auth_provider_db implements phpbb_auth_provider_interface // Update the password in the users table to the new format and remove user_pass_convert flag $sql = 'UPDATE ' . USERS_TABLE . ' - SET user_password = \'' . $db->sql_escape($hash) . '\', + SET user_password = \'' . $this->db->sql_escape($hash) . '\', user_pass_convert = 0 WHERE user_id = ' . $row['user_id']; - $db->sql_query($sql); + $this->db->sql_query($sql); $row['user_pass_convert'] = 0; $row['user_password'] = $hash; @@ -218,7 +234,7 @@ class phpbb_auth_provider_db implements phpbb_auth_provider_interface SET user_login_attempts = user_login_attempts + 1 WHERE user_id = ' . (int) $row['user_id'] . ' AND user_login_attempts < ' . LOGIN_ATTEMPTS_MAX; - $db->sql_query($sql); + $this->db->sql_query($sql); return array( 'status' => LOGIN_ERROR_PASSWORD_CONVERT, @@ -239,17 +255,17 @@ class phpbb_auth_provider_db implements phpbb_auth_provider_interface // Update the password in the users table to the new format $sql = 'UPDATE ' . USERS_TABLE . " - SET user_password = '" . $db->sql_escape($hash) . "', + SET user_password = '" . $this->db->sql_escape($hash) . "', user_pass_convert = 0 WHERE user_id = {$row['user_id']}"; - $db->sql_query($sql); + $this->db->sql_query($sql); $row['user_password'] = $hash; } $sql = 'DELETE FROM ' . LOGIN_ATTEMPT_TABLE . ' WHERE user_id = ' . $row['user_id']; - $db->sql_query($sql); + $this->db->sql_query($sql); if ($row['user_login_attempts'] != 0) { @@ -257,7 +273,7 @@ class phpbb_auth_provider_db implements phpbb_auth_provider_interface $sql = 'UPDATE ' . USERS_TABLE . ' SET user_login_attempts = 0 WHERE user_id = ' . $row['user_id']; - $db->sql_query($sql); + $this->db->sql_query($sql); } // User inactive... @@ -283,7 +299,7 @@ class phpbb_auth_provider_db implements phpbb_auth_provider_interface SET user_login_attempts = user_login_attempts + 1 WHERE user_id = ' . (int) $row['user_id'] . ' AND user_login_attempts < ' . LOGIN_ATTEMPTS_MAX; - $db->sql_query($sql); + $this->db->sql_query($sql); // Give status about wrong password... return array( From c253189e85f780d50aa82c483b432717a967bb1c Mon Sep 17 00:00:00 2001 From: Joseph Warner Date: Thu, 20 Jun 2013 22:11:24 -0400 Subject: [PATCH 18/44] [feature/auth-refactor] Convert provider_ldap to a service Removes globals from provider_ldap and converts it into a service. PHPBB3-9734 --- phpBB/config/auth_providers.yml | 4 +- phpBB/includes/auth/provider_ldap.php | 122 ++++++++++++++------------ 2 files changed, 67 insertions(+), 59 deletions(-) diff --git a/phpBB/config/auth_providers.yml b/phpBB/config/auth_providers.yml index e702ec665a..e4855d2b95 100644 --- a/phpBB/config/auth_providers.yml +++ b/phpBB/config/auth_providers.yml @@ -15,4 +15,6 @@ services: auth.provider.ldap: class: phpbb_auth_provider_ldap arguments: - + - @dbal.conn + - @config + - @user diff --git a/phpBB/includes/auth/provider_ldap.php b/phpBB/includes/auth/provider_ldap.php index ee9b8100ee..67d8d8335f 100644 --- a/phpBB/includes/auth/provider_ldap.php +++ b/phpBB/includes/auth/provider_ldap.php @@ -24,6 +24,20 @@ if (!defined('IN_PHPBB')) */ class phpbb_auth_provider_ldap implements phpbb_auth_provider_interface { + /** + * LDAP Authentication Constructor + * + * @param phpbb_db_driver $db + * @param phpbb_config $config + * @param phpbb_user $user + */ + public function __construct(phpbb_db_driver $db, phpbb_config $config, phpbb_user $user) + { + $this->db = $db; + $this->config = $config; + $this->user = $user; + } + /** * Connect to ldap server * Only allow changing authentication to ldap if we can connect to the ldap server @@ -31,54 +45,52 @@ class phpbb_auth_provider_ldap implements phpbb_auth_provider_interface */ public function init() { - global $config, $user; - if (!@extension_loaded('ldap')) { - return $user->lang['LDAP_NO_LDAP_EXTENSION']; + return $this->user->lang['LDAP_NO_LDAP_EXTENSION']; } - $config['ldap_port'] = (int) $config['ldap_port']; - if ($config['ldap_port']) + $this->config['ldap_port'] = (int) $this->config['ldap_port']; + if ($this->config['ldap_port']) { - $ldap = @ldap_connect($config['ldap_server'], $config['ldap_port']); + $ldap = @ldap_connect($this->config['ldap_server'], $this->config['ldap_port']); } else { - $ldap = @ldap_connect($config['ldap_server']); + $ldap = @ldap_connect($this->config['ldap_server']); } if (!$ldap) { - return $user->lang['LDAP_NO_SERVER_CONNECTION']; + return $this->user->lang['LDAP_NO_SERVER_CONNECTION']; } @ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3); @ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0); - if ($config['ldap_user'] || $config['ldap_password']) + if ($this->config['ldap_user'] || $this->config['ldap_password']) { - if (!@ldap_bind($ldap, htmlspecialchars_decode($config['ldap_user']), htmlspecialchars_decode($config['ldap_password']))) + if (!@ldap_bind($ldap, htmlspecialchars_decode($this->config['ldap_user']), htmlspecialchars_decode($this->config['ldap_password']))) { - return $user->lang['LDAP_INCORRECT_USER_PASSWORD']; + return $this->user->lang['LDAP_INCORRECT_USER_PASSWORD']; } } // ldap_connect only checks whether the specified server is valid, so the connection might still fail $search = @ldap_search( $ldap, - htmlspecialchars_decode($config['ldap_base_dn']), - $this->ldap_user_filter($user->data['username']), - (empty($config['ldap_email'])) ? - array(htmlspecialchars_decode($config['ldap_uid'])) : - array(htmlspecialchars_decode($config['ldap_uid']), htmlspecialchars_decode($config['ldap_email'])), + htmlspecialchars_decode($this->config['ldap_base_dn']), + $this->ldap_user_filter($this->user->data['username']), + (empty($this->config['ldap_email'])) ? + array(htmlspecialchars_decode($this->config['ldap_uid'])) : + array(htmlspecialchars_decode($this->config['ldap_uid']), htmlspecialchars_decode($this->config['ldap_email'])), 0, 1 ); if ($search === false) { - return $user->lang['LDAP_SEARCH_FAILED']; + return $this->user->lang['LDAP_SEARCH_FAILED']; } $result = @ldap_get_entries($ldap, $search); @@ -88,12 +100,12 @@ class phpbb_auth_provider_ldap implements phpbb_auth_provider_interface if (!is_array($result) || sizeof($result) < 2) { - return sprintf($user->lang['LDAP_NO_IDENTITY'], $user->data['username']); + return sprintf($this->user->lang['LDAP_NO_IDENTITY'], $this->user->data['username']); } - if (!empty($config['ldap_email']) && !isset($result[0][htmlspecialchars_decode($config['ldap_email'])])) + if (!empty($this->config['ldap_email']) && !isset($result[0][htmlspecialchars_decode($this->config['ldap_email'])])) { - return $user->lang['LDAP_NO_EMAIL']; + return $this->user->lang['LDAP_NO_EMAIL']; } return false; @@ -104,8 +116,6 @@ class phpbb_auth_provider_ldap implements phpbb_auth_provider_interface */ public function login($username, $password) { - global $db, $config, $user; - // do not allow empty password if (!$password) { @@ -134,14 +144,14 @@ class phpbb_auth_provider_ldap implements phpbb_auth_provider_interface ); } - $config['ldap_port'] = (int) $config['ldap_port']; - if ($config['ldap_port']) + $this->config['ldap_port'] = (int) $this->config['ldap_port']; + if ($this->config['ldap_port']) { - $ldap = @ldap_connect($config['ldap_server'], $config['ldap_port']); + $ldap = @ldap_connect($this->config['ldap_server'], $this->config['ldap_port']); } else { - $ldap = @ldap_connect($config['ldap_server']); + $ldap = @ldap_connect($this->config['ldap_server']); } if (!$ldap) @@ -156,9 +166,9 @@ class phpbb_auth_provider_ldap implements phpbb_auth_provider_interface @ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3); @ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0); - if ($config['ldap_user'] || $config['ldap_password']) + if ($this->config['ldap_user'] || $this->config['ldap_password']) { - if (!@ldap_bind($ldap, htmlspecialchars_decode($config['ldap_user']), htmlspecialchars_decode($config['ldap_password']))) + if (!@ldap_bind($ldap, htmlspecialchars_decode($this->config['ldap_user']), htmlspecialchars_decode($this->config['ldap_password']))) { return array( 'status' => LOGIN_ERROR_EXTERNAL_AUTH, @@ -170,11 +180,11 @@ class phpbb_auth_provider_ldap implements phpbb_auth_provider_interface $search = @ldap_search( $ldap, - htmlspecialchars_decode($config['ldap_base_dn']), + htmlspecialchars_decode($this->config['ldap_base_dn']), $this->ldap_user_filter($username), - (empty($config['ldap_email'])) ? - array(htmlspecialchars_decode($config['ldap_uid'])) : - array(htmlspecialchars_decode($config['ldap_uid']), htmlspecialchars_decode($config['ldap_email'])), + (empty($this->config['ldap_email'])) ? + array(htmlspecialchars_decode($this->config['ldap_uid'])) : + array(htmlspecialchars_decode($this->config['ldap_uid']), htmlspecialchars_decode($this->config['ldap_email'])), 0, 1 ); @@ -189,10 +199,10 @@ class phpbb_auth_provider_ldap implements phpbb_auth_provider_interface $sql ='SELECT user_id, username, user_password, user_passchg, user_email, user_type FROM ' . USERS_TABLE . " - WHERE username_clean = '" . $db->sql_escape(utf8_clean_string($username)) . "'"; - $result = $db->sql_query($sql); - $row = $db->sql_fetchrow($result); - $db->sql_freeresult($result); + WHERE username_clean = '" . $this->db->sql_escape(utf8_clean_string($username)) . "'"; + $result = $this->db->sql_query($sql); + $row = $this->db->sql_fetchrow($result); + $this->db->sql_freeresult($result); if ($row) { @@ -220,11 +230,11 @@ class phpbb_auth_provider_ldap implements phpbb_auth_provider_interface // retrieve default group id $sql = 'SELECT group_id FROM ' . GROUPS_TABLE . " - WHERE group_name = '" . $db->sql_escape('REGISTERED') . "' + WHERE group_name = '" . $this->db->sql_escape('REGISTERED') . "' AND group_type = " . GROUP_SPECIAL; - $result = $db->sql_query($sql); - $row = $db->sql_fetchrow($result); - $db->sql_freeresult($result); + $result = $this->db->sql_query($sql); + $row = $this->db->sql_fetchrow($result); + $this->db->sql_freeresult($result); if (!$row) { @@ -235,11 +245,11 @@ class phpbb_auth_provider_ldap implements phpbb_auth_provider_interface $ldap_user_row = array( 'username' => $username, 'user_password' => phpbb_hash($password), - 'user_email' => (!empty($config['ldap_email'])) ? utf8_htmlspecialchars($ldap_result[0][htmlspecialchars_decode($config['ldap_email'])][0]) : '', + 'user_email' => (!empty($this->config['ldap_email'])) ? utf8_htmlspecialchars($ldap_result[0][htmlspecialchars_decode($this->config['ldap_email'])][0]) : '', 'group_id' => (int) $row['group_id'], 'user_type' => USER_NORMAL, - 'user_ip' => $user->ip, - 'user_new' => ($config['new_member_post_limit']) ? 1 : 0, + 'user_ip' => $this->user->ip, + 'user_new' => ($this->config['new_member_post_limit']) ? 1 : 0, ); unset($ldap_result); @@ -286,40 +296,38 @@ class phpbb_auth_provider_ldap implements phpbb_auth_provider_interface */ public function acp($new) { - global $user; - $tpl = '
-

' . $user->lang['LDAP_SERVER_EXPLAIN'] . '
+

' . $this->user->lang['LDAP_SERVER_EXPLAIN'] . '
-

' . $user->lang['LDAP_PORT_EXPLAIN'] . '
+

' . $this->user->lang['LDAP_PORT_EXPLAIN'] . '
-

' . $user->lang['LDAP_DN_EXPLAIN'] . '
+

' . $this->user->lang['LDAP_DN_EXPLAIN'] . '
-

' . $user->lang['LDAP_UID_EXPLAIN'] . '
+

' . $this->user->lang['LDAP_UID_EXPLAIN'] . '
-

' . $user->lang['LDAP_USER_FILTER_EXPLAIN'] . '
+

' . $this->user->lang['LDAP_USER_FILTER_EXPLAIN'] . '
-

' . $user->lang['LDAP_EMAIL_EXPLAIN'] . '
+

' . $this->user->lang['LDAP_EMAIL_EXPLAIN'] . '
-

' . $user->lang['LDAP_USER_EXPLAIN'] . '
+

' . $this->user->lang['LDAP_USER_EXPLAIN'] . '
-

' . $user->lang['LDAP_PASSWORD_EXPLAIN'] . '
+

' . $this->user->lang['LDAP_PASSWORD_EXPLAIN'] . '
'; @@ -340,12 +348,10 @@ class phpbb_auth_provider_ldap implements phpbb_auth_provider_interface */ private function ldap_user_filter($username) { - global $config; - - $filter = '(' . $config['ldap_uid'] . '=' . $this->ldap_escape(htmlspecialchars_decode($username)) . ')'; - if ($config['ldap_user_filter']) + $filter = '(' . $this->config['ldap_uid'] . '=' . $this->ldap_escape(htmlspecialchars_decode($username)) . ')'; + if ($this->config['ldap_user_filter']) { - $_filter = ($config['ldap_user_filter'][0] == '(' && substr($config['ldap_user_filter'], -1) == ')') ? $config['ldap_user_filter'] : "({$config['ldap_user_filter']})"; + $_filter = ($this->config['ldap_user_filter'][0] == '(' && substr($this->config['ldap_user_filter'], -1) == ')') ? $this->config['ldap_user_filter'] : "({$this->config['ldap_user_filter']})"; $filter = "(&{$filter}{$_filter})"; } return $filter; From c9062fc1ee9bade7c2b4d84c99b3b71a78d5570c Mon Sep 17 00:00:00 2001 From: Joseph Warner Date: Thu, 20 Jun 2013 22:21:22 -0400 Subject: [PATCH 19/44] [feature/auth-refactor] Convert provider_apache to a service Removes globals from provider_apache and turns it into a service. PHPBB3-9734 --- phpBB/config/auth_providers.yml | 7 +- phpBB/includes/auth/provider_apache.php | 89 ++++++++++++++----------- 2 files changed, 55 insertions(+), 41 deletions(-) diff --git a/phpBB/config/auth_providers.yml b/phpBB/config/auth_providers.yml index e4855d2b95..e91fd8ff99 100644 --- a/phpBB/config/auth_providers.yml +++ b/phpBB/config/auth_providers.yml @@ -11,7 +11,12 @@ services: auth.provider.apache: class: phpbb_auth_provider_apache arguments: - + - @dbal.conn + - @config + - @request + - @user + - %core.root_path% + - %core.php_ext% auth.provider.ldap: class: phpbb_auth_provider_ldap arguments: diff --git a/phpBB/includes/auth/provider_apache.php b/phpBB/includes/auth/provider_apache.php index 2ba76e26a9..adb1fb6cea 100644 --- a/phpBB/includes/auth/provider_apache.php +++ b/phpBB/includes/auth/provider_apache.php @@ -22,6 +22,26 @@ if (!defined('IN_PHPBB')) */ class phpbb_auth_provider_apache implements phpbb_auth_provider_interface { + /** + * Apache Authentication Constructor + * + * @param phpbb_db_driver $db + * @param phpbb_config $config + * @param phpbb_request $request + * @param phpbb_user $user + * @param string $phpbb_root_path + * @param string $phpEx + */ + public function __construct(phpbb_db_driver $db, phpbb_config $config, phpbb_request $request, phpbb_user $user, $phpbb_root_path, $phpEx) + { + $this->db = $db; + $this->config = $config; + $this->request = $request; + $this->user = $user; + $this->phpbb_root_path = $phpbb_root_path; + $this->phpEx = $phpEx; + } + /** * Checks whether the user is identified to apache * Only allow changing authentication to apache if the user is identified @@ -31,11 +51,9 @@ class phpbb_auth_provider_apache implements phpbb_auth_provider_interface */ public function init() { - global $user, $request; - - if (!$request->is_set('PHP_AUTH_USER', phpbb_request_interface::SERVER) || $user->data['username'] !== htmlspecialchars_decode($request->server('PHP_AUTH_USER'))) + if (!$this->request->is_set('PHP_AUTH_USER', phpbb_request_interface::SERVER) || $this->user->data['username'] !== htmlspecialchars_decode($this->request->server('PHP_AUTH_USER'))) { - return $user->lang['APACHE_SETUP_BEFORE_USE']; + return $this->user->lang['APACHE_SETUP_BEFORE_USE']; } return false; } @@ -45,8 +63,6 @@ class phpbb_auth_provider_apache implements phpbb_auth_provider_interface */ public function login($username, $password) { - global $db, $request; - // do not allow empty password if (!$password) { @@ -66,7 +82,7 @@ class phpbb_auth_provider_apache implements phpbb_auth_provider_interface ); } - if (!$request->is_set('PHP_AUTH_USER', phpbb_request_interface::SERVER)) + if (!$this->request->is_set('PHP_AUTH_USER', phpbb_request_interface::SERVER)) { return array( 'status' => LOGIN_ERROR_EXTERNAL_AUTH, @@ -75,8 +91,8 @@ class phpbb_auth_provider_apache implements phpbb_auth_provider_interface ); } - $php_auth_user = htmlspecialchars_decode($request->server('PHP_AUTH_USER')); - $php_auth_pw = htmlspecialchars_decode($request->server('PHP_AUTH_PW')); + $php_auth_user = htmlspecialchars_decode($this->request->server('PHP_AUTH_USER')); + $php_auth_pw = htmlspecialchars_decode($this->request->server('PHP_AUTH_PW')); if (!empty($php_auth_user) && !empty($php_auth_pw)) { @@ -91,10 +107,10 @@ class phpbb_auth_provider_apache implements phpbb_auth_provider_interface $sql = 'SELECT user_id, username, user_password, user_passchg, user_email, user_type FROM ' . USERS_TABLE . " - WHERE username = '" . $db->sql_escape($php_auth_user) . "'"; - $result = $db->sql_query($sql); - $row = $db->sql_fetchrow($result); - $db->sql_freeresult($result); + WHERE username = '" . $this->db->sql_escape($php_auth_user) . "'"; + $result = $this->db->sql_query($sql); + $row = $this->db->sql_fetchrow($result); + $this->db->sql_freeresult($result); if ($row) { @@ -140,15 +156,13 @@ class phpbb_auth_provider_apache implements phpbb_auth_provider_interface */ public function autologin() { - global $db, $request; - - if (!$request->is_set('PHP_AUTH_USER', phpbb_request_interface::SERVER)) + if (!$this->request->is_set('PHP_AUTH_USER', phpbb_request_interface::SERVER)) { return array(); } - $php_auth_user = htmlspecialchars_decode($request->server('PHP_AUTH_USER')); - $php_auth_pw = htmlspecialchars_decode($request->server('PHP_AUTH_PW')); + $php_auth_user = htmlspecialchars_decode($this->request->server('PHP_AUTH_USER')); + $php_auth_pw = htmlspecialchars_decode($this->request->server('PHP_AUTH_PW')); if (!empty($php_auth_user) && !empty($php_auth_pw)) { @@ -157,10 +171,10 @@ class phpbb_auth_provider_apache implements phpbb_auth_provider_interface $sql = 'SELECT * FROM ' . USERS_TABLE . " - WHERE username = '" . $db->sql_escape($php_auth_user) . "'"; - $result = $db->sql_query($sql); - $row = $db->sql_fetchrow($result); - $db->sql_freeresult($result); + WHERE username = '" . $this->db->sql_escape($php_auth_user) . "'"; + $result = $this->db->sql_query($sql); + $row = $this->db->sql_fetchrow($result); + $this->db->sql_freeresult($result); if ($row) { @@ -169,9 +183,7 @@ class phpbb_auth_provider_apache implements phpbb_auth_provider_interface if (!function_exists('user_add')) { - global $phpbb_root_path, $phpEx; - - include($phpbb_root_path . 'includes/functions_user.' . $phpEx); + include($this->phpbb_root_path . 'includes/functions_user.' . $this->phpEx); } // create the user if he does not exist yet @@ -179,10 +191,10 @@ class phpbb_auth_provider_apache implements phpbb_auth_provider_interface $sql = 'SELECT * FROM ' . USERS_TABLE . " - WHERE username_clean = '" . $db->sql_escape(utf8_clean_string($php_auth_user)) . "'"; - $result = $db->sql_query($sql); - $row = $db->sql_fetchrow($result); - $db->sql_freeresult($result); + WHERE username_clean = '" . $this->db->sql_escape(utf8_clean_string($php_auth_user)) . "'"; + $result = $this->db->sql_query($sql); + $row = $this->db->sql_fetchrow($result); + $this->db->sql_freeresult($result); if ($row) { @@ -204,15 +216,14 @@ class phpbb_auth_provider_apache implements phpbb_auth_provider_interface */ private function user_row($username, $password) { - global $db, $config, $user; // first retrieve default group id $sql = 'SELECT group_id FROM ' . GROUPS_TABLE . " - WHERE group_name = '" . $db->sql_escape('REGISTERED') . "' + WHERE group_name = '" . $this->db->sql_escape('REGISTERED') . "' AND group_type = " . GROUP_SPECIAL; - $result = $db->sql_query($sql); - $row = $db->sql_fetchrow($result); - $db->sql_freeresult($result); + $result = $this->db->sql_query($sql); + $row = $this->db->sql_fetchrow($result); + $this->db->sql_freeresult($result); if (!$row) { @@ -226,8 +237,8 @@ class phpbb_auth_provider_apache implements phpbb_auth_provider_interface 'user_email' => '', 'group_id' => (int) $row['group_id'], 'user_type' => USER_NORMAL, - 'user_ip' => $user->ip, - 'user_new' => ($config['new_member_post_limit']) ? 1 : 0, + 'user_ip' => $this->user->ip, + 'user_new' => ($this->config['new_member_post_limit']) ? 1 : 0, ); } @@ -239,12 +250,10 @@ class phpbb_auth_provider_apache implements phpbb_auth_provider_interface */ public function validate_session($user) { - global $request; - // Check if PHP_AUTH_USER is set and handle this case - if ($request->is_set('PHP_AUTH_USER', phpbb_request_interface::SERVER)) + if ($this->request->is_set('PHP_AUTH_USER', phpbb_request_interface::SERVER)) { - $php_auth_user = $request->server('PHP_AUTH_USER'); + $php_auth_user = $this->request->server('PHP_AUTH_USER'); return ($php_auth_user === $user['username']) ? true : false; } From 95f38b457e6b00cbc3b15b7768d435d467f5bc2c Mon Sep 17 00:00:00 2001 From: Joseph Warner Date: Thu, 20 Jun 2013 22:50:35 -0400 Subject: [PATCH 20/44] [feature/auth-refactor] Create an auth.provider_collector service Creates an auth.provider_collector service for all auth providers. PHPBB3-9734 --- phpBB/config/auth_providers.yml | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/phpBB/config/auth_providers.yml b/phpBB/config/auth_providers.yml index e91fd8ff99..bcc448e4d7 100644 --- a/phpBB/config/auth_providers.yml +++ b/phpBB/config/auth_providers.yml @@ -1,4 +1,10 @@ services: + auth.provider_collection: + class: phpbb_di_service_collection + arguments: + - @service_container + tags: + - { name: service_collection, tag: auth.provider } auth.provider.db: class: phpbb_auth_provider_db arguments: @@ -8,6 +14,8 @@ services: - @user - %core.root_path% - %core.php_ext% + tags: + - { name: auth.provider } auth.provider.apache: class: phpbb_auth_provider_apache arguments: @@ -17,9 +25,13 @@ services: - @user - %core.root_path% - %core.php_ext% + tags: + - { name: auth.provider } auth.provider.ldap: class: phpbb_auth_provider_ldap arguments: - @dbal.conn - @config - @user + tags: + - { name: auth.provider } From b8610c4b989fd1e4e9e310de776de38dfe4a09a2 Mon Sep 17 00:00:00 2001 From: Joseph Warner Date: Fri, 21 Jun 2013 18:04:11 -0400 Subject: [PATCH 21/44] [feature/auth-refactor] Refactor code to use services Refactors all loading of auth providers to use services instead of directly calling the class. PHPBB3-9734 --- phpBB/includes/acp/acp_board.php | 15 +++++------- phpBB/includes/auth/auth.php | 7 +++--- phpBB/includes/session.php | 42 ++++++++++++-------------------- 3 files changed, 24 insertions(+), 40 deletions(-) diff --git a/phpBB/includes/acp/acp_board.php b/phpBB/includes/acp/acp_board.php index 9407d81575..383e035817 100644 --- a/phpBB/includes/acp/acp_board.php +++ b/phpBB/includes/acp/acp_board.php @@ -546,10 +546,9 @@ class acp_board { if ($method) { - $class = 'phpbb_auth_provider_' . $method; - if (class_exists($class)) + $provider = $phpbb_container->get('auth.provider.' . $method); + if ($provider) { - $provider = new $class(); if ($fields = $provider->acp($this->new_config)) { // Check if we need to create config fields for this plugin and save config when submit was pressed @@ -586,10 +585,9 @@ class acp_board $method = basename($cfg_array['auth_method']); if ($method) { - $class = 'phpbb_auth_provider_' . $method; - if (class_exists($class)) + $provider = $phpbb_container->get('auth.provider.' . $method); + if ($provider) { - $provider = new $class(); if ($error = $provider->init()) { foreach ($old_auth_config as $config_name => $config_value) @@ -685,10 +683,9 @@ class acp_board { if ($method) { - $class = 'phpbb_auth_provider_' . $method; - if (class_exists($class)) + $provider = $phpbb_container->get('auth.provider.' . $method); + if ($provider) { - $provider = new $class(); $fields = $provider->acp($this->new_config); if ($fields['tpl']) diff --git a/phpBB/includes/auth/auth.php b/phpBB/includes/auth/auth.php index ab84619977..279959974d 100644 --- a/phpBB/includes/auth/auth.php +++ b/phpBB/includes/auth/auth.php @@ -927,14 +927,13 @@ class phpbb_auth */ function login($username, $password, $autologin = false, $viewonline = 1, $admin = 0) { - global $config, $db, $user, $phpbb_root_path, $phpEx; + global $config, $db, $user, $phpbb_root_path, $phpEx, $phpbb_container; $method = trim(basename($config['auth_method'])); - $class = 'phpbb_auth_provider_' . $method; - if (class_exists($class)) + $provider = $phpbb_container->get('auth.provider.' . $method); + if ($provider) { - $provider = new $class(); $login = $provider->login($username, $password); // If the auth module wants us to create an empty profile do so and then treat the status as LOGIN_SUCCESS diff --git a/phpBB/includes/session.php b/phpBB/includes/session.php index f12ba1329c..66bf053f7d 100644 --- a/phpBB/includes/session.php +++ b/phpBB/includes/session.php @@ -207,7 +207,7 @@ class phpbb_session function session_begin($update_session_page = true) { global $phpEx, $SID, $_SID, $_EXTRA_URL, $db, $config, $phpbb_root_path; - global $request; + global $request, $phpbb_container; // Give us some basic information $this->time_now = time(); @@ -403,15 +403,11 @@ class phpbb_session // Check whether the session is still valid if we have one $method = basename(trim($config['auth_method'])); - $class = 'phpbb_auth_provider_' . $method; - if (class_exists($class)) + $provider = $phpbb_container->get('auth.provider.' . $method); + $ret = $provider->validate_session($this->data); + if ($ret !== null && !$ret) { - $provider = new $class(); - $ret = $provider->validate_session($this->data); - if ($ret !== null && !$ret) - { - $session_expired = true; - } + $session_expired = true; } if (!$session_expired) @@ -505,7 +501,7 @@ class phpbb_session */ function session_create($user_id = false, $set_admin = false, $persist_login = false, $viewonline = true) { - global $SID, $_SID, $db, $config, $cache, $phpbb_root_path, $phpEx; + global $SID, $_SID, $db, $config, $cache, $phpbb_root_path, $phpEx, $phpbb_container; $this->data = array(); @@ -570,17 +566,13 @@ class phpbb_session $method = basename(trim($config['auth_method'])); - $class = 'phpbb_auth_provider_' . $method; - if (class_exists($class)) - { - $provider = new $class(); - $this->data = $provider->autologin(); + $provider = $phpbb_container->get('auth.provider.' . $method); + $this->data = $provider->autologin(); - if (sizeof($this->data)) - { - $this->cookie_data['k'] = ''; - $this->cookie_data['u'] = $this->data['user_id']; - } + if (sizeof($this->data)) + { + $this->cookie_data['k'] = ''; + $this->cookie_data['u'] = $this->data['user_id']; } // If we're presented with an autologin key we'll join against it. @@ -885,7 +877,7 @@ class phpbb_session */ function session_kill($new_session = true) { - global $SID, $_SID, $db, $config, $phpbb_root_path, $phpEx; + global $SID, $_SID, $db, $config, $phpbb_root_path, $phpEx, $phpbb_container; $sql = 'DELETE FROM ' . SESSIONS_TABLE . " WHERE session_id = '" . $db->sql_escape($this->session_id) . "' @@ -895,12 +887,8 @@ class phpbb_session // Allow connecting logout with external auth method logout $method = basename(trim($config['auth_method'])); - $class = 'phpbb_auth_provider_' . $method; - if (class_exists($class)) - { - $provider = new $class(); - $provider->logout($this->data, $new_session); - } + $provider = $phpbb_container->get('auth.provider.' . $method); + $provider->logout($this->data, $new_session); if ($this->data['user_id'] != ANONYMOUS) { From 80e2d65399e7dcf9b53dada4929d7194275721ad Mon Sep 17 00:00:00 2001 From: Joseph Warner Date: Mon, 24 Jun 2013 12:05:29 -0400 Subject: [PATCH 22/44] [feature/auth-refactor] Initial auth unit test provider_db Initial work on a unit test for the provider_db login function. Does not work currently. PHPBB3-9734 --- tests/auth/fixtures/user.xml | 33 +++++++++++++++++++++++++++ tests/auth/provider_db_test.php | 40 +++++++++++++++++++++++++++++++++ 2 files changed, 73 insertions(+) create mode 100644 tests/auth/fixtures/user.xml create mode 100644 tests/auth/provider_db_test.php diff --git a/tests/auth/fixtures/user.xml b/tests/auth/fixtures/user.xml new file mode 100644 index 0000000000..34584babbf --- /dev/null +++ b/tests/auth/fixtures/user.xml @@ -0,0 +1,33 @@ + + + + user_id + username + username_clean + user_password + user_passchg + user_pass_convert + user_email + user_type + user_login_attempts + user_permissions + user_sig + user_occ + user_interests + + 1 + foobar + foobar + $H$9E45lK6J8nLTSm9oJE5aNCSTFK9wqa/ + 0 + 0 + example@example.com + 0 + 0 + + + + + +
+ diff --git a/tests/auth/provider_db_test.php b/tests/auth/provider_db_test.php new file mode 100644 index 0000000000..c6355ae7f9 --- /dev/null +++ b/tests/auth/provider_db_test.php @@ -0,0 +1,40 @@ +createXMLDataSet(dirname(__FILE__).'/fixtures/user.xml'); + } + + public function test_login() + { + global $phpbb_root_path, $phpEx; + + $db = $this->new_dbal(); + $config = new phpbb_config(array( + 'ip_login_limit_max' => 0, + 'ip_login_limit_use_forwarded' => 0, + 'max_login_attempts' => 0, + )); + $request = $this->getMock('phpbb_request'); + $user = $this->getMock('phpbb_user'); + $provider = new phpbb_auth_provider_db($db, $config, $request, $user, $phpbb_root_path, $phpEx); + + $expected = array( + 'status' => LOGIN_SUCCESS, + 'error_msg' => false, + 'user_row' => '', + ); + $this->assertEquals($expected, $provider->login('example', 'example')); + } +} From 8e1a503f4437eb38de6a349a841db75648a81678 Mon Sep 17 00:00:00 2001 From: Joseph Warner Date: Tue, 25 Jun 2013 13:22:56 -0400 Subject: [PATCH 23/44] [feature/auth-refactor] Finish provider_db unit test for login Finishes the provider_db unit test for login. The test currently passes. PHPBB3-9734 --- tests/auth/provider_db_test.php | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/tests/auth/provider_db_test.php b/tests/auth/provider_db_test.php index c6355ae7f9..d876683f84 100644 --- a/tests/auth/provider_db_test.php +++ b/tests/auth/provider_db_test.php @@ -33,8 +33,18 @@ class phpbb_auth_provider_db_test extends phpbb_database_test_case $expected = array( 'status' => LOGIN_SUCCESS, 'error_msg' => false, - 'user_row' => '', + 'user_row' => array( + 'user_id' => '1', + 'username' => 'foobar', + 'user_password' => '$H$9E45lK6J8nLTSm9oJE5aNCSTFK9wqa/', + 'user_passchg' => '0', + 'user_pass_convert' => '0', + 'user_email' => 'example@example.com', + 'user_type' => '0', + 'user_login_attempts' => '0', + ), ); - $this->assertEquals($expected, $provider->login('example', 'example')); + + $this->assertEquals($expected, $provider->login('foobar', 'example')); } } From 91c80dfc8eed6ed3cfa90732087741c8433acabf Mon Sep 17 00:00:00 2001 From: Joseph Warner Date: Tue, 25 Jun 2013 13:34:43 -0400 Subject: [PATCH 24/44] [feature/auth-refactor] Skeleton of provider_apache_test Creates a skeleton of the tests for provider_apache. PHPBB3-9734 --- tests/auth/provider_apache_test.php | 49 +++++++++++++++++++++++++++++ 1 file changed, 49 insertions(+) create mode 100644 tests/auth/provider_apache_test.php diff --git a/tests/auth/provider_apache_test.php b/tests/auth/provider_apache_test.php new file mode 100644 index 0000000000..d552c4131e --- /dev/null +++ b/tests/auth/provider_apache_test.php @@ -0,0 +1,49 @@ +new_dbal(); + $config = new phpbb_config(array()); + $request = $this->getMock('phpbb_request'); + $user = $this->getMock('phpbb_user'); + + $this->provider = new phpbb_auth_provider_apache($db, $config, $request, $user, $phpbb_root_path, $phpEx); + } + + public function getDataSet() + { + return $this->createXMLDataSet(dirname(__FILE__).'/fixtures/user.xml'); + } + + public function test_init() + { + $this->markTestIncomplete(); + } + + public function test_login() + { + $this->markTestIncomplete(); + } + + public function test_validate_session() + { + $this->markTestIncomplete(); + } +} From e5de05d8dbbcf0a38aa5c1c2a872765b163ccb31 Mon Sep 17 00:00:00 2001 From: Joseph Warner Date: Tue, 25 Jun 2013 14:05:40 -0400 Subject: [PATCH 25/44] [feature/auth-refactor] Test for init on provider_apache Provides a test for the init() method of provider_apache. Appears to be failing due to an error with the mock request class. PHPBB3-9734 --- tests/auth/provider_apache_test.php | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/tests/auth/provider_apache_test.php b/tests/auth/provider_apache_test.php index d552c4131e..1530dcb746 100644 --- a/tests/auth/provider_apache_test.php +++ b/tests/auth/provider_apache_test.php @@ -12,6 +12,8 @@ require_once dirname(__FILE__).'/../../phpBB/includes/functions.php'; class phpbb_auth_provider_apache_test extends phpbb_database_test_case { protected $provider; + protected $user; + protected $request; protected function setup() { @@ -21,10 +23,10 @@ class phpbb_auth_provider_apache_test extends phpbb_database_test_case $db = $this->new_dbal(); $config = new phpbb_config(array()); - $request = $this->getMock('phpbb_request'); - $user = $this->getMock('phpbb_user'); + $this->request = $this->getMock('phpbb_request'); + $this->user = $this->getMock('phpbb_user'); - $this->provider = new phpbb_auth_provider_apache($db, $config, $request, $user, $phpbb_root_path, $phpEx); + $this->provider = new phpbb_auth_provider_apache($db, $config, $this->request, $this->user, $phpbb_root_path, $phpEx); } public function getDataSet() @@ -32,9 +34,15 @@ class phpbb_auth_provider_apache_test extends phpbb_database_test_case return $this->createXMLDataSet(dirname(__FILE__).'/fixtures/user.xml'); } + /** + * Test to see if a user is identified to Apache. Expects false if they are. + */ public function test_init() { - $this->markTestIncomplete(); + $this->user->data['username'] = 'foobar'; + $this->request->overwrite('PHP_AUTH_USER', 'foobar', phpbb_request_interface::SERVER); + + $this->assertFalse($this->provider->init()); } public function test_login() From 307dd9777b67e8a7628bb74eeba8cc55ab6a8f58 Mon Sep 17 00:00:00 2001 From: Joseph Warner Date: Tue, 25 Jun 2013 14:12:31 -0400 Subject: [PATCH 26/44] [feature/auth-refactor] Test login() for provider_apache Provides a test for the login() method for provider_apache. Appears to be failing due to an issue with the mock phpBB request class. PHPBB3-9734 --- tests/auth/provider_apache_test.php | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/tests/auth/provider_apache_test.php b/tests/auth/provider_apache_test.php index 1530dcb746..4773e4fdc3 100644 --- a/tests/auth/provider_apache_test.php +++ b/tests/auth/provider_apache_test.php @@ -47,7 +47,26 @@ class phpbb_auth_provider_apache_test extends phpbb_database_test_case public function test_login() { - $this->markTestIncomplete(); + $username = 'foobar'; + $password = 'example'; + + $this->request->overwrite('PHP_AUTH_USER', $username, phpbb_request_interface::SERVER); + $this->request->overwrite('PHP_AUTH_PW', $password, phpbb_request_interface::SERVER); + + $expected = array( + 'status' => LOGIN_SUCCESS, + 'error_msg' => false, + 'user_row' => array( + 'user_id' => '1', + 'username' => 'foobar', + 'user_password' => '$H$9E45lK6J8nLTSm9oJE5aNCSTFK9wqa/', + 'user_passchg' => '0', + 'user_email' => 'example@example.com', + 'user_type' => '0', + ), + ); + + $this->assertEquals($expected, $this->provider->login($username, $password)); } public function test_validate_session() From 9e04328545c933aa801c52c1567efd3d2e06fcf3 Mon Sep 17 00:00:00 2001 From: Joseph Warner Date: Tue, 25 Jun 2013 14:24:47 -0400 Subject: [PATCH 27/44] [feature/auth-refactor] Test autologin() on provider_apache Provides a test for the autologin() method of provider_apache that assumes the user already exists in the database. PHPBB3-9734 --- tests/auth/provider_apache_test.php | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/tests/auth/provider_apache_test.php b/tests/auth/provider_apache_test.php index 4773e4fdc3..6cfd676fc2 100644 --- a/tests/auth/provider_apache_test.php +++ b/tests/auth/provider_apache_test.php @@ -69,6 +69,34 @@ class phpbb_auth_provider_apache_test extends phpbb_database_test_case $this->assertEquals($expected, $this->provider->login($username, $password)); } + public function test_autologin() + { + $this->request->overwrite('PHP_AUTH_USER', 'foobar', phpbb_request_interface::SERVER); + $this->request->overwrite('PHP_AUTH_PW', 'example', phpbb_request_interface::SERVER); + + $expected = array( + 'status' => LOGIN_SUCCESS, + 'error_msg' => false, + 'user_row' => array( + 'user_id' => '1', + 'username' => 'foobar', + 'username_clean' => 'foobar', + 'user_password' => '$H$9E45lK6J8nLTSm9oJE5aNCSTFK9wqa/', + 'user_passchg' => '0', + 'user_pass_convert' => '0', + 'user_email' => 'example@example.com', + 'user_type' => '0', + 'user_login_attempts' => '0', + 'user_permission' => '', + 'user_sig' => '', + 'user_occ' => '', + 'user_interests' => '', + ), + ); + + $this->assertEquals($expected, $this->provider->autologin()); + } + public function test_validate_session() { $this->markTestIncomplete(); From 5444e5b6831d5ce87ff2adaf1f7b0e4788592bc3 Mon Sep 17 00:00:00 2001 From: Joseph Warner Date: Tue, 25 Jun 2013 14:28:16 -0400 Subject: [PATCH 28/44] [feature/auth-refactor] Test validate_session on provider_apache Provides a test for the validate_session() method of provider_apache. PHPBB3-9734 --- tests/auth/provider_apache_test.php | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/tests/auth/provider_apache_test.php b/tests/auth/provider_apache_test.php index 6cfd676fc2..092b90bea3 100644 --- a/tests/auth/provider_apache_test.php +++ b/tests/auth/provider_apache_test.php @@ -99,6 +99,10 @@ class phpbb_auth_provider_apache_test extends phpbb_database_test_case public function test_validate_session() { - $this->markTestIncomplete(); + $user = $this->getMock('phpbb_user'); + $user->data['username'] = 'foobar'; + $this->request->overwrite('PHP_AUTH_USER', 'foobar', phpbb_request_interface::SERVER); + + $this->assertTrue($this->provider->validate_session($user)); } } From 5f3ed197e73550e78b37dd38496210737cf3f39d Mon Sep 17 00:00:00 2001 From: Joseph Warner Date: Tue, 25 Jun 2013 16:25:45 -0400 Subject: [PATCH 29/44] [feature/auth-refactor] Fix auth tests to use mock objects correctly PHPBB3-9734 --- tests/auth/provider_apache_test.php | 148 +++++++++++++++++++++++----- 1 file changed, 123 insertions(+), 25 deletions(-) diff --git a/tests/auth/provider_apache_test.php b/tests/auth/provider_apache_test.php index 092b90bea3..0ca6ef763e 100644 --- a/tests/auth/provider_apache_test.php +++ b/tests/auth/provider_apache_test.php @@ -40,7 +40,15 @@ class phpbb_auth_provider_apache_test extends phpbb_database_test_case public function test_init() { $this->user->data['username'] = 'foobar'; - $this->request->overwrite('PHP_AUTH_USER', 'foobar', phpbb_request_interface::SERVER); + $this->request->expects($this->once()) + ->method('is_set') + ->with('PHP_AUTH_USER', + phpbb_request_interface::SERVER) + ->will($this->returnValue(true)); + $this->request->expects($this->once()) + ->method('server') + ->with('PHP_AUTH_USER') + ->will($this->returnValue('foobar')); $this->assertFalse($this->provider->init()); } @@ -50,8 +58,19 @@ class phpbb_auth_provider_apache_test extends phpbb_database_test_case $username = 'foobar'; $password = 'example'; - $this->request->overwrite('PHP_AUTH_USER', $username, phpbb_request_interface::SERVER); - $this->request->overwrite('PHP_AUTH_PW', $password, phpbb_request_interface::SERVER); + $this->request->expects($this->once()) + ->method('is_set') + ->with('PHP_AUTH_USER', + phpbb_request_interface::SERVER) + ->will($this->returnValue(true)); + $this->request->expects($this->at(1)) + ->method('server') + ->with('PHP_AUTH_USER') + ->will($this->returnValue('foobar')); + $this->request->expects($this->at(2)) + ->method('server') + ->with('PHP_AUTH_PW') + ->will($this->returnValue('example')); $expected = array( 'status' => LOGIN_SUCCESS, @@ -71,27 +90,96 @@ class phpbb_auth_provider_apache_test extends phpbb_database_test_case public function test_autologin() { - $this->request->overwrite('PHP_AUTH_USER', 'foobar', phpbb_request_interface::SERVER); - $this->request->overwrite('PHP_AUTH_PW', 'example', phpbb_request_interface::SERVER); + $this->request->expects($this->once()) + ->method('is_set') + ->with('PHP_AUTH_USER', + phpbb_request_interface::SERVER) + ->will($this->returnValue(true)); + $this->request->expects($this->at(1)) + ->method('server') + ->with('PHP_AUTH_USER') + ->will($this->returnValue('foobar')); + $this->request->expects($this->at(2)) + ->method('server') + ->with('PHP_AUTH_PW') + ->will($this->returnValue('example')); $expected = array( - 'status' => LOGIN_SUCCESS, - 'error_msg' => false, - 'user_row' => array( - 'user_id' => '1', - 'username' => 'foobar', - 'username_clean' => 'foobar', - 'user_password' => '$H$9E45lK6J8nLTSm9oJE5aNCSTFK9wqa/', - 'user_passchg' => '0', - 'user_pass_convert' => '0', - 'user_email' => 'example@example.com', - 'user_type' => '0', - 'user_login_attempts' => '0', - 'user_permission' => '', - 'user_sig' => '', - 'user_occ' => '', - 'user_interests' => '', - ), + 'user_id' => '1', + 'user_type' => '0', + 'group_id' => '3', + 'user_permissions' => '', + 'user_perm_from' => '0', + 'user_ip' => '', + 'user_regdate' => '0', + 'username' => 'foobar', + 'username_clean' => 'foobar', + 'user_password' => '$H$9E45lK6J8nLTSm9oJE5aNCSTFK9wqa/', + 'user_passchg' => '0', + 'user_pass_convert' => '0', + 'user_email' => 'example@example.com', + 'user_email_hash' => '0', + 'user_birthday' => '', + 'user_lastvisit' => '0', + 'user_lastmark' => '0', + 'user_lastpost_time' => '0', + 'user_lastpage' => '', + 'user_last_confirm_key' => '', + 'user_last_search' => '0', + 'user_warnings' => '0', + 'user_last_warning' => '0', + 'user_login_attempts' => '0', + 'user_inactive_reason' => '0', + 'user_inactive_time' => '0', + 'user_posts' => '0', + 'user_lang' => '', + 'user_timezone' => 'UTC', + 'user_dateformat' => 'd M Y H:i', + 'user_style' => '0', + 'user_rank' => '0', + 'user_colour' => '', + 'user_new_privmsg' => '0', + 'user_unread_privmsg' => '0', + 'user_last_privmsg' => '0', + 'user_message_rules' => '0', + 'user_full_folder' => '-3', + 'user_emailtime' => '0', + 'user_topic_show_days' => '0', + 'user_topic_sortby_type' => 't', + 'user_topic_sortby_dir' => 'd', + 'user_post_show_days' => '0', + 'user_post_sortby_type' => 't', + 'user_post_sortby_dir' => 'a', + 'user_notify' => '0', + 'user_notify_pm' => '1', + 'user_notify_type' => '0', + 'user_allow_pm' => '1', + 'user_allow_viewonline' => '1', + 'user_allow_viewemail' => '1', + 'user_allow_massemail' => '1', + 'user_options' => '230271', + 'user_avatar' => '', + 'user_avatar_type' => '', + 'user_avatar_width' => '0', + 'user_avatar_height' => '0', + 'user_sig' => '', + 'user_sig_bbcode_uid' => '', + 'user_sig_bbcode_bitfield' => '', + 'user_from' => '', + 'user_icq' => '', + 'user_aim' => '', + 'user_yim' => '', + 'user_msnm' => '', + 'user_jabber' => '', + 'user_website' => '', + 'user_occ' => '', + 'user_interests' => '', + 'user_actkey' => '', + 'user_newpasswd' => '', + 'user_form_salt' => '', + 'user_new' => '1', + 'user_reminded' => '0', + 'user_reminded_time' => '0', ); $this->assertEquals($expected, $this->provider->autologin()); @@ -99,9 +187,19 @@ class phpbb_auth_provider_apache_test extends phpbb_database_test_case public function test_validate_session() { - $user = $this->getMock('phpbb_user'); - $user->data['username'] = 'foobar'; - $this->request->overwrite('PHP_AUTH_USER', 'foobar', phpbb_request_interface::SERVER); + $user = array( + 'username' => 'foobar', + 'user_type' + ); + $this->request->expects($this->once()) + ->method('is_set') + ->with('PHP_AUTH_USER', + phpbb_request_interface::SERVER) + ->will($this->returnValue(true)); + $this->request->expects($this->once()) + ->method('server') + ->with('PHP_AUTH_USER') + ->will($this->returnValue('foobar')); $this->assertTrue($this->provider->validate_session($user)); } From 4f3f0a8791cea806cc63cfe4709605ad63f8cbd4 Mon Sep 17 00:00:00 2001 From: Joseph Warner Date: Tue, 25 Jun 2013 21:56:58 -0400 Subject: [PATCH 30/44] [feature/auth-refactor] Remove references to old auth plugins Removes what is hopefully the last references to the old auth plugins in the code base. PHPBB3-9734 --- phpBB/includes/acp/acp_board.php | 38 ++++++++------------------------ 1 file changed, 9 insertions(+), 29 deletions(-) diff --git a/phpBB/includes/acp/acp_board.php b/phpBB/includes/acp/acp_board.php index 383e035817..1ac6697255 100644 --- a/phpBB/includes/acp/acp_board.php +++ b/phpBB/includes/acp/acp_board.php @@ -523,21 +523,11 @@ class acp_board { // Retrieve a list of auth plugins and check their config values $auth_plugins = array(); + $auth_providers = $phpbb_container->get('auth.provider_collection'); - $dp = @opendir($phpbb_root_path . 'includes/auth'); - - if ($dp) + foreach($auth_providers as $key => $value) { - while (($file = readdir($dp)) !== false) - { - if (preg_match('#^provider_(.*?)\.' . $phpEx . '$#', $file) && !preg_match('#^provider_interface\.' . $phpEx . '$#', $file)) - { - $auth_plugins[] = basename(preg_replace('#^provider_(.*?)\.' . $phpEx . '$#', '\1', $file)); - } - } - closedir($dp); - - sort($auth_plugins); + $auth_plugins[] = str_replace('auth.provider.', '', $key); } $updated_auth_settings = false; @@ -546,7 +536,7 @@ class acp_board { if ($method) { - $provider = $phpbb_container->get('auth.provider.' . $method); + $provider = $auth_providers['auth.provider.' . $method]; if ($provider) { if ($fields = $provider->acp($this->new_config)) @@ -585,7 +575,7 @@ class acp_board $method = basename($cfg_array['auth_method']); if ($method) { - $provider = $phpbb_container->get('auth.provider.' . $method); + $provider = $auth_providers['auth.provider.' . $method]; if ($provider) { if ($error = $provider->init()) @@ -683,7 +673,7 @@ class acp_board { if ($method) { - $provider = $phpbb_container->get('auth.provider.' . $method); + $provider = $auth_providers['auth.provider.' . $method]; if ($provider) { $fields = $provider->acp($this->new_config); @@ -709,23 +699,13 @@ class acp_board global $phpbb_root_path, $phpEx; $auth_plugins = array(); + $auth_providers = $phpbb_container->get('auth.provider_collection'); - $dp = @opendir($phpbb_root_path . 'includes/auth'); - - if (!$dp) + foreach($auth_providers as $key => $value) { - return ''; + $auth_plugins[] = str_replace('auth.provider.', '', $key); } - while (($file = readdir($dp)) !== false) - { - if (preg_match('#^auth_(.*?)\.' . $phpEx . '$#', $file)) - { - $auth_plugins[] = preg_replace('#^auth_(.*?)\.' . $phpEx . '$#', '\1', $file); - } - } - closedir($dp); - sort($auth_plugins); $auth_select = ''; From 09372d765d5adbca743063a7410b97abf4536015 Mon Sep 17 00:00:00 2001 From: Joseph Warner Date: Tue, 25 Jun 2013 22:01:00 -0400 Subject: [PATCH 31/44] [feature/auth-refactor] Remove old auth plugins PHPBB3-9734 --- phpBB/includes/auth/auth_apache.php | 247 -------------------- phpBB/includes/auth/auth_db.php | 289 ----------------------- phpBB/includes/auth/auth_ldap.php | 350 ---------------------------- 3 files changed, 886 deletions(-) delete mode 100644 phpBB/includes/auth/auth_apache.php delete mode 100644 phpBB/includes/auth/auth_db.php delete mode 100644 phpBB/includes/auth/auth_ldap.php diff --git a/phpBB/includes/auth/auth_apache.php b/phpBB/includes/auth/auth_apache.php deleted file mode 100644 index 10b288aa09..0000000000 --- a/phpBB/includes/auth/auth_apache.php +++ /dev/null @@ -1,247 +0,0 @@ -is_set('PHP_AUTH_USER', phpbb_request_interface::SERVER) || $user->data['username'] !== htmlspecialchars_decode($request->server('PHP_AUTH_USER'))) - { - return $user->lang['APACHE_SETUP_BEFORE_USE']; - } - return false; -} - -/** -* Login function -*/ -function login_apache(&$username, &$password) -{ - global $db, $request; - - // do not allow empty password - if (!$password) - { - return array( - 'status' => LOGIN_ERROR_PASSWORD, - 'error_msg' => 'NO_PASSWORD_SUPPLIED', - 'user_row' => array('user_id' => ANONYMOUS), - ); - } - - if (!$username) - { - return array( - 'status' => LOGIN_ERROR_USERNAME, - 'error_msg' => 'LOGIN_ERROR_USERNAME', - 'user_row' => array('user_id' => ANONYMOUS), - ); - } - - if (!$request->is_set('PHP_AUTH_USER', phpbb_request_interface::SERVER)) - { - return array( - 'status' => LOGIN_ERROR_EXTERNAL_AUTH, - 'error_msg' => 'LOGIN_ERROR_EXTERNAL_AUTH_APACHE', - 'user_row' => array('user_id' => ANONYMOUS), - ); - } - - $php_auth_user = htmlspecialchars_decode($request->server('PHP_AUTH_USER')); - $php_auth_pw = htmlspecialchars_decode($request->server('PHP_AUTH_PW')); - - if (!empty($php_auth_user) && !empty($php_auth_pw)) - { - if ($php_auth_user !== $username) - { - return array( - 'status' => LOGIN_ERROR_USERNAME, - 'error_msg' => 'LOGIN_ERROR_USERNAME', - 'user_row' => array('user_id' => ANONYMOUS), - ); - } - - $sql = 'SELECT user_id, username, user_password, user_passchg, user_email, user_type - FROM ' . USERS_TABLE . " - WHERE username = '" . $db->sql_escape($php_auth_user) . "'"; - $result = $db->sql_query($sql); - $row = $db->sql_fetchrow($result); - $db->sql_freeresult($result); - - if ($row) - { - // User inactive... - if ($row['user_type'] == USER_INACTIVE || $row['user_type'] == USER_IGNORE) - { - return array( - 'status' => LOGIN_ERROR_ACTIVE, - 'error_msg' => 'ACTIVE_ERROR', - 'user_row' => $row, - ); - } - - // Successful login... - return array( - 'status' => LOGIN_SUCCESS, - 'error_msg' => false, - 'user_row' => $row, - ); - } - - // this is the user's first login so create an empty profile - return array( - 'status' => LOGIN_SUCCESS_CREATE_PROFILE, - 'error_msg' => false, - 'user_row' => user_row_apache($php_auth_user, $php_auth_pw), - ); - } - - // Not logged into apache - return array( - 'status' => LOGIN_ERROR_EXTERNAL_AUTH, - 'error_msg' => 'LOGIN_ERROR_EXTERNAL_AUTH_APACHE', - 'user_row' => array('user_id' => ANONYMOUS), - ); -} - -/** -* Autologin function -* -* @return array containing the user row or empty if no auto login should take place -*/ -function autologin_apache() -{ - global $db, $request; - - if (!$request->is_set('PHP_AUTH_USER', phpbb_request_interface::SERVER)) - { - return array(); - } - - $php_auth_user = htmlspecialchars_decode($request->server('PHP_AUTH_USER')); - $php_auth_pw = htmlspecialchars_decode($request->server('PHP_AUTH_PW')); - - if (!empty($php_auth_user) && !empty($php_auth_pw)) - { - set_var($php_auth_user, $php_auth_user, 'string', true); - set_var($php_auth_pw, $php_auth_pw, 'string', true); - - $sql = 'SELECT * - FROM ' . USERS_TABLE . " - WHERE username = '" . $db->sql_escape($php_auth_user) . "'"; - $result = $db->sql_query($sql); - $row = $db->sql_fetchrow($result); - $db->sql_freeresult($result); - - if ($row) - { - return ($row['user_type'] == USER_INACTIVE || $row['user_type'] == USER_IGNORE) ? array() : $row; - } - - if (!function_exists('user_add')) - { - global $phpbb_root_path, $phpEx; - - include($phpbb_root_path . 'includes/functions_user.' . $phpEx); - } - - // create the user if he does not exist yet - user_add(user_row_apache($php_auth_user, $php_auth_pw)); - - $sql = 'SELECT * - FROM ' . USERS_TABLE . " - WHERE username_clean = '" . $db->sql_escape(utf8_clean_string($php_auth_user)) . "'"; - $result = $db->sql_query($sql); - $row = $db->sql_fetchrow($result); - $db->sql_freeresult($result); - - if ($row) - { - return $row; - } - } - - return array(); -} - -/** -* This function generates an array which can be passed to the user_add function in order to create a user -*/ -function user_row_apache($username, $password) -{ - global $db, $config, $user; - // first retrieve default group id - $sql = 'SELECT group_id - FROM ' . GROUPS_TABLE . " - WHERE group_name = '" . $db->sql_escape('REGISTERED') . "' - AND group_type = " . GROUP_SPECIAL; - $result = $db->sql_query($sql); - $row = $db->sql_fetchrow($result); - $db->sql_freeresult($result); - - if (!$row) - { - trigger_error('NO_GROUP'); - } - - // generate user account data - return array( - 'username' => $username, - 'user_password' => phpbb_hash($password), - 'user_email' => '', - 'group_id' => (int) $row['group_id'], - 'user_type' => USER_NORMAL, - 'user_ip' => $user->ip, - 'user_new' => ($config['new_member_post_limit']) ? 1 : 0, - ); -} - -/** -* The session validation function checks whether the user is still logged in -* -* @return boolean true if the given user is authenticated or false if the session should be closed -*/ -function validate_session_apache(&$user) -{ - global $request; - - // Check if PHP_AUTH_USER is set and handle this case - if ($request->is_set('PHP_AUTH_USER', phpbb_request_interface::SERVER)) - { - $php_auth_user = $request->server('PHP_AUTH_USER'); - - return ($php_auth_user === $user['username']) ? true : false; - } - - // PHP_AUTH_USER is not set. A valid session is now determined by the user type (anonymous/bot or not) - if ($user['user_type'] == USER_IGNORE) - { - return true; - } - - return false; -} diff --git a/phpBB/includes/auth/auth_db.php b/phpBB/includes/auth/auth_db.php deleted file mode 100644 index ac944532a5..0000000000 --- a/phpBB/includes/auth/auth_db.php +++ /dev/null @@ -1,289 +0,0 @@ - status constant -* 'error_msg' => string -* 'user_row' => array -* ) -*/ -function login_db($username, $password, $ip = '', $browser = '', $forwarded_for = '') -{ - global $db, $config; - global $request; - - // Auth plugins get the password untrimmed. - // For compatibility we trim() here. - $password = trim($password); - - // do not allow empty password - if (!$password) - { - return array( - 'status' => LOGIN_ERROR_PASSWORD, - 'error_msg' => 'NO_PASSWORD_SUPPLIED', - 'user_row' => array('user_id' => ANONYMOUS), - ); - } - - if (!$username) - { - return array( - 'status' => LOGIN_ERROR_USERNAME, - 'error_msg' => 'LOGIN_ERROR_USERNAME', - 'user_row' => array('user_id' => ANONYMOUS), - ); - } - - $username_clean = utf8_clean_string($username); - - $sql = 'SELECT user_id, username, user_password, user_passchg, user_pass_convert, user_email, user_type, user_login_attempts - FROM ' . USERS_TABLE . " - WHERE username_clean = '" . $db->sql_escape($username_clean) . "'"; - $result = $db->sql_query($sql); - $row = $db->sql_fetchrow($result); - $db->sql_freeresult($result); - - if (($ip && !$config['ip_login_limit_use_forwarded']) || - ($forwarded_for && $config['ip_login_limit_use_forwarded'])) - { - $sql = 'SELECT COUNT(*) AS attempts - FROM ' . LOGIN_ATTEMPT_TABLE . ' - WHERE attempt_time > ' . (time() - (int) $config['ip_login_limit_time']); - if ($config['ip_login_limit_use_forwarded']) - { - $sql .= " AND attempt_forwarded_for = '" . $db->sql_escape($forwarded_for) . "'"; - } - else - { - $sql .= " AND attempt_ip = '" . $db->sql_escape($ip) . "' "; - } - - $result = $db->sql_query($sql); - $attempts = (int) $db->sql_fetchfield('attempts'); - $db->sql_freeresult($result); - - $attempt_data = array( - 'attempt_ip' => $ip, - 'attempt_browser' => trim(substr($browser, 0, 149)), - 'attempt_forwarded_for' => $forwarded_for, - 'attempt_time' => time(), - 'user_id' => ($row) ? (int) $row['user_id'] : 0, - 'username' => $username, - 'username_clean' => $username_clean, - ); - $sql = 'INSERT INTO ' . LOGIN_ATTEMPT_TABLE . $db->sql_build_array('INSERT', $attempt_data); - $result = $db->sql_query($sql); - } - else - { - $attempts = 0; - } - - if (!$row) - { - if ($config['ip_login_limit_max'] && $attempts >= $config['ip_login_limit_max']) - { - return array( - 'status' => LOGIN_ERROR_ATTEMPTS, - 'error_msg' => 'LOGIN_ERROR_ATTEMPTS', - 'user_row' => array('user_id' => ANONYMOUS), - ); - } - - return array( - 'status' => LOGIN_ERROR_USERNAME, - 'error_msg' => 'LOGIN_ERROR_USERNAME', - 'user_row' => array('user_id' => ANONYMOUS), - ); - } - - $show_captcha = ($config['max_login_attempts'] && $row['user_login_attempts'] >= $config['max_login_attempts']) || - ($config['ip_login_limit_max'] && $attempts >= $config['ip_login_limit_max']); - - // If there are too much login attempts, we need to check for an confirm image - // Every auth module is able to define what to do by itself... - if ($show_captcha) - { - // Visual Confirmation handling - if (!class_exists('phpbb_captcha_factory', false)) - { - global $phpbb_root_path, $phpEx; - include ($phpbb_root_path . 'includes/captcha/captcha_factory.' . $phpEx); - } - - $captcha = phpbb_captcha_factory::get_instance($config['captcha_plugin']); - $captcha->init(CONFIRM_LOGIN); - $vc_response = $captcha->validate($row); - if ($vc_response) - { - return array( - 'status' => LOGIN_ERROR_ATTEMPTS, - 'error_msg' => 'LOGIN_ERROR_ATTEMPTS', - 'user_row' => $row, - ); - } - else - { - $captcha->reset(); - } - - } - - // If the password convert flag is set we need to convert it - if ($row['user_pass_convert']) - { - // enable super globals to get literal value - // this is needed to prevent unicode normalization - $super_globals_disabled = $request->super_globals_disabled(); - if ($super_globals_disabled) - { - $request->enable_super_globals(); - } - - // in phpBB2 passwords were used exactly as they were sent, with addslashes applied - $password_old_format = isset($_REQUEST['password']) ? (string) $_REQUEST['password'] : ''; - $password_old_format = (!STRIP) ? addslashes($password_old_format) : $password_old_format; - $password_new_format = $request->variable('password', '', true); - - if ($super_globals_disabled) - { - $request->disable_super_globals(); - } - - if ($password == $password_new_format) - { - if (!function_exists('utf8_to_cp1252')) - { - global $phpbb_root_path, $phpEx; - include($phpbb_root_path . 'includes/utf/data/recode_basic.' . $phpEx); - } - - // cp1252 is phpBB2's default encoding, characters outside ASCII range might work when converted into that encoding - // plain md5 support left in for conversions from other systems. - if ((strlen($row['user_password']) == 34 && (phpbb_check_hash(md5($password_old_format), $row['user_password']) || phpbb_check_hash(md5(utf8_to_cp1252($password_old_format)), $row['user_password']))) - || (strlen($row['user_password']) == 32 && (md5($password_old_format) == $row['user_password'] || md5(utf8_to_cp1252($password_old_format)) == $row['user_password']))) - { - $hash = phpbb_hash($password_new_format); - - // Update the password in the users table to the new format and remove user_pass_convert flag - $sql = 'UPDATE ' . USERS_TABLE . ' - SET user_password = \'' . $db->sql_escape($hash) . '\', - user_pass_convert = 0 - WHERE user_id = ' . $row['user_id']; - $db->sql_query($sql); - - $row['user_pass_convert'] = 0; - $row['user_password'] = $hash; - } - else - { - // Although we weren't able to convert this password we have to - // increase login attempt count to make sure this cannot be exploited - $sql = 'UPDATE ' . USERS_TABLE . ' - SET user_login_attempts = user_login_attempts + 1 - WHERE user_id = ' . (int) $row['user_id'] . ' - AND user_login_attempts < ' . LOGIN_ATTEMPTS_MAX; - $db->sql_query($sql); - - return array( - 'status' => LOGIN_ERROR_PASSWORD_CONVERT, - 'error_msg' => 'LOGIN_ERROR_PASSWORD_CONVERT', - 'user_row' => $row, - ); - } - } - } - - // Check password ... - if (!$row['user_pass_convert'] && phpbb_check_hash($password, $row['user_password'])) - { - // Check for old password hash... - if (strlen($row['user_password']) == 32) - { - $hash = phpbb_hash($password); - - // Update the password in the users table to the new format - $sql = 'UPDATE ' . USERS_TABLE . " - SET user_password = '" . $db->sql_escape($hash) . "', - user_pass_convert = 0 - WHERE user_id = {$row['user_id']}"; - $db->sql_query($sql); - - $row['user_password'] = $hash; - } - - $sql = 'DELETE FROM ' . LOGIN_ATTEMPT_TABLE . ' - WHERE user_id = ' . $row['user_id']; - $db->sql_query($sql); - - if ($row['user_login_attempts'] != 0) - { - // Successful, reset login attempts (the user passed all stages) - $sql = 'UPDATE ' . USERS_TABLE . ' - SET user_login_attempts = 0 - WHERE user_id = ' . $row['user_id']; - $db->sql_query($sql); - } - - // User inactive... - if ($row['user_type'] == USER_INACTIVE || $row['user_type'] == USER_IGNORE) - { - return array( - 'status' => LOGIN_ERROR_ACTIVE, - 'error_msg' => 'ACTIVE_ERROR', - 'user_row' => $row, - ); - } - - // Successful login... set user_login_attempts to zero... - return array( - 'status' => LOGIN_SUCCESS, - 'error_msg' => false, - 'user_row' => $row, - ); - } - - // Password incorrect - increase login attempts - $sql = 'UPDATE ' . USERS_TABLE . ' - SET user_login_attempts = user_login_attempts + 1 - WHERE user_id = ' . (int) $row['user_id'] . ' - AND user_login_attempts < ' . LOGIN_ATTEMPTS_MAX; - $db->sql_query($sql); - - // Give status about wrong password... - return array( - 'status' => ($show_captcha) ? LOGIN_ERROR_ATTEMPTS : LOGIN_ERROR_PASSWORD, - 'error_msg' => ($show_captcha) ? 'LOGIN_ERROR_ATTEMPTS' : 'LOGIN_ERROR_PASSWORD', - 'user_row' => $row, - ); -} diff --git a/phpBB/includes/auth/auth_ldap.php b/phpBB/includes/auth/auth_ldap.php deleted file mode 100644 index 98355dd044..0000000000 --- a/phpBB/includes/auth/auth_ldap.php +++ /dev/null @@ -1,350 +0,0 @@ -lang['LDAP_NO_LDAP_EXTENSION']; - } - - $config['ldap_port'] = (int) $config['ldap_port']; - if ($config['ldap_port']) - { - $ldap = @ldap_connect($config['ldap_server'], $config['ldap_port']); - } - else - { - $ldap = @ldap_connect($config['ldap_server']); - } - - if (!$ldap) - { - return $user->lang['LDAP_NO_SERVER_CONNECTION']; - } - - @ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3); - @ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0); - - if ($config['ldap_user'] || $config['ldap_password']) - { - if (!@ldap_bind($ldap, htmlspecialchars_decode($config['ldap_user']), htmlspecialchars_decode($config['ldap_password']))) - { - return $user->lang['LDAP_INCORRECT_USER_PASSWORD']; - } - } - - // ldap_connect only checks whether the specified server is valid, so the connection might still fail - $search = @ldap_search( - $ldap, - htmlspecialchars_decode($config['ldap_base_dn']), - ldap_user_filter($user->data['username']), - (empty($config['ldap_email'])) ? - array(htmlspecialchars_decode($config['ldap_uid'])) : - array(htmlspecialchars_decode($config['ldap_uid']), htmlspecialchars_decode($config['ldap_email'])), - 0, - 1 - ); - - if ($search === false) - { - return $user->lang['LDAP_SEARCH_FAILED']; - } - - $result = @ldap_get_entries($ldap, $search); - - @ldap_close($ldap); - - - if (!is_array($result) || sizeof($result) < 2) - { - return sprintf($user->lang['LDAP_NO_IDENTITY'], $user->data['username']); - } - - if (!empty($config['ldap_email']) && !isset($result[0][htmlspecialchars_decode($config['ldap_email'])])) - { - return $user->lang['LDAP_NO_EMAIL']; - } - - return false; -} - -/** -* Login function -*/ -function login_ldap(&$username, &$password) -{ - global $db, $config, $user; - - // do not allow empty password - if (!$password) - { - return array( - 'status' => LOGIN_ERROR_PASSWORD, - 'error_msg' => 'NO_PASSWORD_SUPPLIED', - 'user_row' => array('user_id' => ANONYMOUS), - ); - } - - if (!$username) - { - return array( - 'status' => LOGIN_ERROR_USERNAME, - 'error_msg' => 'LOGIN_ERROR_USERNAME', - 'user_row' => array('user_id' => ANONYMOUS), - ); - } - - if (!@extension_loaded('ldap')) - { - return array( - 'status' => LOGIN_ERROR_EXTERNAL_AUTH, - 'error_msg' => 'LDAP_NO_LDAP_EXTENSION', - 'user_row' => array('user_id' => ANONYMOUS), - ); - } - - $config['ldap_port'] = (int) $config['ldap_port']; - if ($config['ldap_port']) - { - $ldap = @ldap_connect($config['ldap_server'], $config['ldap_port']); - } - else - { - $ldap = @ldap_connect($config['ldap_server']); - } - - if (!$ldap) - { - return array( - 'status' => LOGIN_ERROR_EXTERNAL_AUTH, - 'error_msg' => 'LDAP_NO_SERVER_CONNECTION', - 'user_row' => array('user_id' => ANONYMOUS), - ); - } - - @ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3); - @ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0); - - if ($config['ldap_user'] || $config['ldap_password']) - { - if (!@ldap_bind($ldap, htmlspecialchars_decode($config['ldap_user']), htmlspecialchars_decode($config['ldap_password']))) - { - return array( - 'status' => LOGIN_ERROR_EXTERNAL_AUTH, - 'error_msg' => 'LDAP_NO_SERVER_CONNECTION', - 'user_row' => array('user_id' => ANONYMOUS), - ); - } - } - - $search = @ldap_search( - $ldap, - htmlspecialchars_decode($config['ldap_base_dn']), - ldap_user_filter($username), - (empty($config['ldap_email'])) ? - array(htmlspecialchars_decode($config['ldap_uid'])) : - array(htmlspecialchars_decode($config['ldap_uid']), htmlspecialchars_decode($config['ldap_email'])), - 0, - 1 - ); - - $ldap_result = @ldap_get_entries($ldap, $search); - - if (is_array($ldap_result) && sizeof($ldap_result) > 1) - { - if (@ldap_bind($ldap, $ldap_result[0]['dn'], htmlspecialchars_decode($password))) - { - @ldap_close($ldap); - - $sql ='SELECT user_id, username, user_password, user_passchg, user_email, user_type - FROM ' . USERS_TABLE . " - WHERE username_clean = '" . $db->sql_escape(utf8_clean_string($username)) . "'"; - $result = $db->sql_query($sql); - $row = $db->sql_fetchrow($result); - $db->sql_freeresult($result); - - if ($row) - { - unset($ldap_result); - - // User inactive... - if ($row['user_type'] == USER_INACTIVE || $row['user_type'] == USER_IGNORE) - { - return array( - 'status' => LOGIN_ERROR_ACTIVE, - 'error_msg' => 'ACTIVE_ERROR', - 'user_row' => $row, - ); - } - - // Successful login... set user_login_attempts to zero... - return array( - 'status' => LOGIN_SUCCESS, - 'error_msg' => false, - 'user_row' => $row, - ); - } - else - { - // retrieve default group id - $sql = 'SELECT group_id - FROM ' . GROUPS_TABLE . " - WHERE group_name = '" . $db->sql_escape('REGISTERED') . "' - AND group_type = " . GROUP_SPECIAL; - $result = $db->sql_query($sql); - $row = $db->sql_fetchrow($result); - $db->sql_freeresult($result); - - if (!$row) - { - trigger_error('NO_GROUP'); - } - - // generate user account data - $ldap_user_row = array( - 'username' => $username, - 'user_password' => phpbb_hash($password), - 'user_email' => (!empty($config['ldap_email'])) ? utf8_htmlspecialchars($ldap_result[0][htmlspecialchars_decode($config['ldap_email'])][0]) : '', - 'group_id' => (int) $row['group_id'], - 'user_type' => USER_NORMAL, - 'user_ip' => $user->ip, - 'user_new' => ($config['new_member_post_limit']) ? 1 : 0, - ); - - unset($ldap_result); - - // this is the user's first login so create an empty profile - return array( - 'status' => LOGIN_SUCCESS_CREATE_PROFILE, - 'error_msg' => false, - 'user_row' => $ldap_user_row, - ); - } - } - else - { - unset($ldap_result); - @ldap_close($ldap); - - // Give status about wrong password... - return array( - 'status' => LOGIN_ERROR_PASSWORD, - 'error_msg' => 'LOGIN_ERROR_PASSWORD', - 'user_row' => array('user_id' => ANONYMOUS), - ); - } - } - - @ldap_close($ldap); - - return array( - 'status' => LOGIN_ERROR_USERNAME, - 'error_msg' => 'LOGIN_ERROR_USERNAME', - 'user_row' => array('user_id' => ANONYMOUS), - ); -} - -/** -* Generates a filter string for ldap_search to find a user -* -* @param $username string Username identifying the searched user -* -* @return string A filter string for ldap_search -*/ -function ldap_user_filter($username) -{ - global $config; - - $filter = '(' . $config['ldap_uid'] . '=' . ldap_escape(htmlspecialchars_decode($username)) . ')'; - if ($config['ldap_user_filter']) - { - $_filter = ($config['ldap_user_filter'][0] == '(' && substr($config['ldap_user_filter'], -1) == ')') ? $config['ldap_user_filter'] : "({$config['ldap_user_filter']})"; - $filter = "(&{$filter}{$_filter})"; - } - return $filter; -} - -/** -* Escapes an LDAP AttributeValue -*/ -function ldap_escape($string) -{ - return str_replace(array('*', '\\', '(', ')'), array('\\*', '\\\\', '\\(', '\\)'), $string); -} - -/** -* This function is used to output any required fields in the authentication -* admin panel. It also defines any required configuration table fields. -*/ -function acp_ldap(&$new) -{ - global $user; - - $tpl = ' - -
-

' . $user->lang['LDAP_SERVER_EXPLAIN'] . '
-
-
-
-

' . $user->lang['LDAP_PORT_EXPLAIN'] . '
-
-
-
-

' . $user->lang['LDAP_DN_EXPLAIN'] . '
-
-
-
-

' . $user->lang['LDAP_UID_EXPLAIN'] . '
-
-
-
-

' . $user->lang['LDAP_USER_FILTER_EXPLAIN'] . '
-
-
-
-

' . $user->lang['LDAP_EMAIL_EXPLAIN'] . '
-
-
-
-

' . $user->lang['LDAP_USER_EXPLAIN'] . '
-
-
-
-

' . $user->lang['LDAP_PASSWORD_EXPLAIN'] . '
-
-
- '; - - // These are fields required in the config table - return array( - 'tpl' => $tpl, - 'config' => array('ldap_server', 'ldap_port', 'ldap_base_dn', 'ldap_uid', 'ldap_user_filter', 'ldap_email', 'ldap_user', 'ldap_password') - ); -} From b78b6711c80f2a47f3ab71dde9b733e04d9b523d Mon Sep 17 00:00:00 2001 From: Joseph Warner Date: Tue, 25 Jun 2013 22:14:39 -0400 Subject: [PATCH 32/44] [feature/auth-refactor] Don't truncate name then reattach same thing PHPBB3-9734 --- phpBB/includes/acp/acp_board.php | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/phpBB/includes/acp/acp_board.php b/phpBB/includes/acp/acp_board.php index 1ac6697255..bff5a3e64d 100644 --- a/phpBB/includes/acp/acp_board.php +++ b/phpBB/includes/acp/acp_board.php @@ -527,7 +527,7 @@ class acp_board foreach($auth_providers as $key => $value) { - $auth_plugins[] = str_replace('auth.provider.', '', $key); + $auth_plugins[] = $key; } $updated_auth_settings = false; @@ -536,7 +536,7 @@ class acp_board { if ($method) { - $provider = $auth_providers['auth.provider.' . $method]; + $provider = $auth_providers[$method]; if ($provider) { if ($fields = $provider->acp($this->new_config)) @@ -575,7 +575,7 @@ class acp_board $method = basename($cfg_array['auth_method']); if ($method) { - $provider = $auth_providers['auth.provider.' . $method]; + $provider = $auth_providers[$method]; if ($provider) { if ($error = $provider->init()) @@ -673,7 +673,7 @@ class acp_board { if ($method) { - $provider = $auth_providers['auth.provider.' . $method]; + $provider = $auth_providers[$method]; if ($provider) { $fields = $provider->acp($this->new_config); From 3c394aee6208277eb852764ca6b4ef50e2832301 Mon Sep 17 00:00:00 2001 From: Joseph Warner Date: Tue, 25 Jun 2013 22:21:38 -0400 Subject: [PATCH 33/44] [feature/auth-refactor] Refactor auth in acp_board Changes the acp_board code to directly call the auth providers out of the $auth_providers variable that is populated by the phpbb_container. PHPBB3-9734 --- phpBB/includes/acp/acp_board.php | 25 +++---------------------- 1 file changed, 3 insertions(+), 22 deletions(-) diff --git a/phpBB/includes/acp/acp_board.php b/phpBB/includes/acp/acp_board.php index bff5a3e64d..d6bf2d637b 100644 --- a/phpBB/includes/acp/acp_board.php +++ b/phpBB/includes/acp/acp_board.php @@ -525,20 +525,10 @@ class acp_board $auth_plugins = array(); $auth_providers = $phpbb_container->get('auth.provider_collection'); - foreach($auth_providers as $key => $value) - { - $auth_plugins[] = $key; - } - $updated_auth_settings = false; $old_auth_config = array(); - foreach ($auth_plugins as $method) + foreach ($auth_providers as $provider) { - if ($method) - { - $provider = $auth_providers[$method]; - if ($provider) - { if ($fields = $provider->acp($this->new_config)) { // Check if we need to create config fields for this plugin and save config when submit was pressed @@ -566,8 +556,6 @@ class acp_board } } unset($fields); - } - } } if ($submit && (($cfg_array['auth_method'] != $this->new_config['auth_method']) || $updated_auth_settings)) @@ -575,7 +563,7 @@ class acp_board $method = basename($cfg_array['auth_method']); if ($method) { - $provider = $auth_providers[$method]; + $provider = $auth_providers['auth.provider.' . $method]; if ($provider) { if ($error = $provider->init()) @@ -669,13 +657,8 @@ class acp_board { $template->assign_var('S_AUTH', true); - foreach ($auth_plugins as $method) + foreach ($auth_provider as $provider) { - if ($method) - { - $provider = $auth_providers[$method]; - if ($provider) - { $fields = $provider->acp($this->new_config); if ($fields['tpl']) @@ -685,8 +668,6 @@ class acp_board ); } unset($fields); - } - } } } } From 08614e2b8540766037e13f3eb1e6d4d64eea7b46 Mon Sep 17 00:00:00 2001 From: Joseph Warner Date: Tue, 25 Jun 2013 22:25:40 -0400 Subject: [PATCH 34/44] [feature/auth-refactor] Fix indentation on acp_board PHPBB3-9734 --- phpBB/includes/acp/acp_board.php | 79 +++++++++++++++----------------- 1 file changed, 38 insertions(+), 41 deletions(-) diff --git a/phpBB/includes/acp/acp_board.php b/phpBB/includes/acp/acp_board.php index d6bf2d637b..5e8efaa60c 100644 --- a/phpBB/includes/acp/acp_board.php +++ b/phpBB/includes/acp/acp_board.php @@ -529,51 +529,48 @@ class acp_board $old_auth_config = array(); foreach ($auth_providers as $provider) { - if ($fields = $provider->acp($this->new_config)) + if ($fields = $provider->acp($this->new_config)) + { + // Check if we need to create config fields for this plugin and save config when submit was pressed + foreach ($fields['config'] as $field) + { + if (!isset($config[$field])) { - // Check if we need to create config fields for this plugin and save config when submit was pressed - foreach ($fields['config'] as $field) - { - if (!isset($config[$field])) - { - set_config($field, ''); - } - - if (!isset($cfg_array[$field]) || strpos($field, 'legend') !== false) - { - continue; - } - - $old_auth_config[$field] = $this->new_config[$field]; - $config_value = $cfg_array[$field]; - $this->new_config[$field] = $config_value; - - if ($submit) - { - $updated_auth_settings = true; - set_config($field, $config_value); - } - } + set_config($field, ''); } - unset($fields); + + if (!isset($cfg_array[$field]) || strpos($field, 'legend') !== false) + { + continue; + } + + $old_auth_config[$field] = $this->new_config[$field]; + $config_value = $cfg_array[$field]; + $this->new_config[$field] = $config_value; + + if ($submit) + { + $updated_auth_settings = true; + set_config($field, $config_value); + } + } + } + unset($fields); } if ($submit && (($cfg_array['auth_method'] != $this->new_config['auth_method']) || $updated_auth_settings)) { $method = basename($cfg_array['auth_method']); - if ($method) + if (array_key_exists('auth.provider.' . $method, $auth_providers)) { $provider = $auth_providers['auth.provider.' . $method]; - if ($provider) + if ($error = $provider->init()) { - if ($error = $provider->init()) + foreach ($old_auth_config as $config_name => $config_value) { - foreach ($old_auth_config as $config_name => $config_value) - { - set_config($config_name, $config_value); - } - trigger_error($error . adm_back_link($this->u_action), E_USER_WARNING); + set_config($config_name, $config_value); } + trigger_error($error . adm_back_link($this->u_action), E_USER_WARNING); } set_config('auth_method', basename($cfg_array['auth_method'])); } @@ -659,15 +656,15 @@ class acp_board foreach ($auth_provider as $provider) { - $fields = $provider->acp($this->new_config); + $fields = $provider->acp($this->new_config); - if ($fields['tpl']) - { - $template->assign_block_vars('auth_tpl', array( - 'TPL' => $fields['tpl']) - ); - } - unset($fields); + if ($fields['tpl']) + { + $template->assign_block_vars('auth_tpl', array( + 'TPL' => $fields['tpl']) + ); + } + unset($fields); } } } From 59929669f508f06b2440bf36af463851acbeb711 Mon Sep 17 00:00:00 2001 From: Joseph Warner Date: Tue, 25 Jun 2013 22:26:45 -0400 Subject: [PATCH 35/44] [feature/auth-refactor] Fix errors in acp_board Fixes errors introduced by the last several commits. PHPBB3-9734 --- phpBB/includes/acp/acp_board.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/phpBB/includes/acp/acp_board.php b/phpBB/includes/acp/acp_board.php index 5e8efaa60c..4a758207fd 100644 --- a/phpBB/includes/acp/acp_board.php +++ b/phpBB/includes/acp/acp_board.php @@ -654,7 +654,7 @@ class acp_board { $template->assign_var('S_AUTH', true); - foreach ($auth_provider as $provider) + foreach ($auth_providers as $provider) { $fields = $provider->acp($this->new_config); @@ -674,7 +674,7 @@ class acp_board */ function select_auth_method($selected_method, $key = '') { - global $phpbb_root_path, $phpEx; + global $phpbb_root_path, $phpEx, $phpbb_container; $auth_plugins = array(); $auth_providers = $phpbb_container->get('auth.provider_collection'); From 4afdd650cdea0a09da14e8dff23cee1b30e5980d Mon Sep 17 00:00:00 2001 From: Joseph Warner Date: Wed, 26 Jun 2013 00:02:03 -0400 Subject: [PATCH 36/44] [feature/auth-refactor] Removed no longer used variable PHPBB3-9734 --- phpBB/includes/acp/acp_board.php | 1 - 1 file changed, 1 deletion(-) diff --git a/phpBB/includes/acp/acp_board.php b/phpBB/includes/acp/acp_board.php index 4a758207fd..4d07f96c6f 100644 --- a/phpBB/includes/acp/acp_board.php +++ b/phpBB/includes/acp/acp_board.php @@ -522,7 +522,6 @@ class acp_board if ($mode == 'auth') { // Retrieve a list of auth plugins and check their config values - $auth_plugins = array(); $auth_providers = $phpbb_container->get('auth.provider_collection'); $updated_auth_settings = false; From 19bbf7b7de4a2575405b84c8a253cbf9de315b7c Mon Sep 17 00:00:00 2001 From: Joseph Warner Date: Wed, 26 Jun 2013 11:31:11 -0400 Subject: [PATCH 37/44] [feature/auth-refactor] Fix two session tests broken by changes PHPBB3-9734 --- tests/session/continue_test.php | 13 +++++++++++++ tests/session/init_test.php | 13 +++++++++++++ 2 files changed, 26 insertions(+) diff --git a/tests/session/continue_test.php b/tests/session/continue_test.php index ad78d92299..e5a7f7a4a1 100644 --- a/tests/session/continue_test.php +++ b/tests/session/continue_test.php @@ -53,7 +53,20 @@ class phpbb_session_continue_test extends phpbb_database_test_case */ public function test_session_begin_valid_session($session_id, $user_id, $user_agent, $ip, $expected_sessions, $expected_cookies, $message) { + global $phpbb_container, $phpbb_root_path, $phpEx; + $db = $this->new_dbal(); + $config = new phpbb_config(array()); + $request = $this->getMock('phpbb_request'); + $user = $this->getMock('phpbb_user'); + + $auth_provider = new phpbb_auth_provider_db($db, $config, $request, $user, $phpbb_root_path, $phpEx); + $phpbb_container = $this->getMock('Symfony\Component\DependencyInjection\ContainerInterface'); + $phpbb_container->expects($this->any()) + ->method('get') + ->with('auth.provider.db') + ->will($this->returnValue($auth_provider)); + $session_factory = new phpbb_session_testable_factory; $session_factory->set_cookies(array( '_sid' => $session_id, diff --git a/tests/session/init_test.php b/tests/session/init_test.php index 830de34ed0..43af8c554f 100644 --- a/tests/session/init_test.php +++ b/tests/session/init_test.php @@ -20,7 +20,20 @@ class phpbb_session_init_test extends phpbb_database_test_case public function test_login_session_create() { + global $phpbb_container, $phpbb_root_path, $phpEx; + $db = $this->new_dbal(); + $config = new phpbb_config(array()); + $request = $this->getMock('phpbb_request'); + $user = $this->getMock('phpbb_user'); + + $auth_provider = new phpbb_auth_provider_db($db, $config, $request, $user, $phpbb_root_path, $phpEx); + $phpbb_container = $this->getMock('Symfony\Component\DependencyInjection\ContainerInterface'); + $phpbb_container->expects($this->any()) + ->method('get') + ->with('auth.provider.db') + ->will($this->returnValue($auth_provider)); + $session_factory = new phpbb_session_testable_factory; $session = $session_factory->get_session($db); From 5af7d2b07f788f6795865225612175b65c596a4b Mon Sep 17 00:00:00 2001 From: Joseph Warner Date: Wed, 26 Jun 2013 21:45:16 -0400 Subject: [PATCH 38/44] [feature/auth-refactor] Change phpEx to php_ext in new classes PHPBB3-9734 --- phpBB/includes/auth/provider_apache.php | 8 ++++---- phpBB/includes/auth/provider_db.php | 10 +++++----- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/phpBB/includes/auth/provider_apache.php b/phpBB/includes/auth/provider_apache.php index adb1fb6cea..0a6811bbcb 100644 --- a/phpBB/includes/auth/provider_apache.php +++ b/phpBB/includes/auth/provider_apache.php @@ -30,16 +30,16 @@ class phpbb_auth_provider_apache implements phpbb_auth_provider_interface * @param phpbb_request $request * @param phpbb_user $user * @param string $phpbb_root_path - * @param string $phpEx + * @param string $php_ext */ - public function __construct(phpbb_db_driver $db, phpbb_config $config, phpbb_request $request, phpbb_user $user, $phpbb_root_path, $phpEx) + public function __construct(phpbb_db_driver $db, phpbb_config $config, phpbb_request $request, phpbb_user $user, $phpbb_root_path, $php_ext) { $this->db = $db; $this->config = $config; $this->request = $request; $this->user = $user; $this->phpbb_root_path = $phpbb_root_path; - $this->phpEx = $phpEx; + $this->php_ext = $php_ext; } /** @@ -183,7 +183,7 @@ class phpbb_auth_provider_apache implements phpbb_auth_provider_interface if (!function_exists('user_add')) { - include($this->phpbb_root_path . 'includes/functions_user.' . $this->phpEx); + include($this->phpbb_root_path . 'includes/functions_user.' . $this->php_ext); } // create the user if he does not exist yet diff --git a/phpBB/includes/auth/provider_db.php b/phpBB/includes/auth/provider_db.php index aaf9cda735..c8b0c44654 100644 --- a/phpBB/includes/auth/provider_db.php +++ b/phpBB/includes/auth/provider_db.php @@ -33,16 +33,16 @@ class phpbb_auth_provider_db implements phpbb_auth_provider_interface * @param phpbb_request $request * @param phpbb_user $user * @param string $phpbb_root_path - * @param string $phpEx + * @param string $php_ext */ - public function __construct(phpbb_db_driver $db, phpbb_config $config, phpbb_request $request, phpbb_user $user, $phpbb_root_path, $phpEx) + public function __construct(phpbb_db_driver $db, phpbb_config $config, phpbb_request $request, phpbb_user $user, $phpbb_root_path, $php_ext) { $this->db = $db; $this->config = $config; $this->request = $request; $this->user = $user; $this->phpbb_root_path = $phpbb_root_path; - $this->phpEx = $phpEx; + $this->php_ext = $php_ext; } public function init() @@ -160,7 +160,7 @@ class phpbb_auth_provider_db implements phpbb_auth_provider_interface // Visual Confirmation handling if (!class_exists('phpbb_captcha_factory', false)) { - include ($this->phpbb_root_path . 'includes/captcha/captcha_factory.' . $this->phpEx); + include ($this->phpbb_root_path . 'includes/captcha/captcha_factory.' . $this->php_ext); } $captcha = phpbb_captcha_factory::get_instance($this->config['captcha_plugin']); @@ -206,7 +206,7 @@ class phpbb_auth_provider_db implements phpbb_auth_provider_interface { if (!function_exists('utf8_to_cp1252')) { - include($this->phpbb_root_path . 'includes/utf/data/recode_basic.' . $this->phpEx); + include($this->phpbb_root_path . 'includes/utf/data/recode_basic.' . $this->php_ext); } // cp1252 is phpBB2's default encoding, characters outside ASCII range might work when converted into that encoding From 24e323d59353810293dea41d6b9b4114dd627543 Mon Sep 17 00:00:00 2001 From: Joseph Warner Date: Thu, 27 Jun 2013 14:17:29 -0400 Subject: [PATCH 39/44] [feature/auth-refactor] Finish and clean up documentation PHPBB3-9734 --- phpBB/includes/auth/provider_apache.php | 26 +----------- phpBB/includes/auth/provider_db.php | 24 +++-------- phpBB/includes/auth/provider_interface.php | 46 ++++++++++++++-------- phpBB/includes/auth/provider_ldap.php | 21 +++------- 4 files changed, 43 insertions(+), 74 deletions(-) diff --git a/phpBB/includes/auth/provider_apache.php b/phpBB/includes/auth/provider_apache.php index 0a6811bbcb..054316db19 100644 --- a/phpBB/includes/auth/provider_apache.php +++ b/phpBB/includes/auth/provider_apache.php @@ -42,13 +42,6 @@ class phpbb_auth_provider_apache implements phpbb_auth_provider_interface $this->php_ext = $php_ext; } - /** - * Checks whether the user is identified to apache - * Only allow changing authentication to apache if the user is identified - * Called in acp_board while setting authentication plugins - * - * @return boolean|string false if the user is identified and else an error message - */ public function init() { if (!$this->request->is_set('PHP_AUTH_USER', phpbb_request_interface::SERVER) || $this->user->data['username'] !== htmlspecialchars_decode($this->request->server('PHP_AUTH_USER'))) @@ -58,9 +51,6 @@ class phpbb_auth_provider_apache implements phpbb_auth_provider_interface return false; } - /** - * Login function - */ public function login($username, $password) { // do not allow empty password @@ -148,12 +138,6 @@ class phpbb_auth_provider_apache implements phpbb_auth_provider_interface ); } - /** - * Autologin function - * - * @return array containing the user row or empty if no auto login should - * take place - */ public function autologin() { if (!$this->request->is_set('PHP_AUTH_USER', phpbb_request_interface::SERVER)) @@ -209,8 +193,8 @@ class phpbb_auth_provider_apache implements phpbb_auth_provider_interface * This function generates an array which can be passed to the user_add * function in order to create a user * - * @param str $username The username of the new user. - * @param str $password The password of the new user. + * @param string $username The username of the new user. + * @param string $password The password of the new user. * @return array Contains data that can be passed directly to * the user_add function. */ @@ -242,12 +226,6 @@ class phpbb_auth_provider_apache implements phpbb_auth_provider_interface ); } - /** - * The session validation function checks whether the user is still logged in - * - * @return boolean true if the given user is authenticated or false if - * the session should be closed - */ public function validate_session($user) { // Check if PHP_AUTH_USER is set and handle this case diff --git a/phpBB/includes/auth/provider_db.php b/phpBB/includes/auth/provider_db.php index c8b0c44654..e8fff26650 100644 --- a/phpBB/includes/auth/provider_db.php +++ b/phpBB/includes/auth/provider_db.php @@ -28,12 +28,12 @@ class phpbb_auth_provider_db implements phpbb_auth_provider_interface /** * Database Authentication Constructor * - * @param phpbb_db_driver $db - * @param phpbb_config $config - * @param phpbb_request $request - * @param phpbb_user $user - * @param string $phpbb_root_path - * @param string $php_ext + * @param phpbb_db_driver $db + * @param phpbb_config $config + * @param phpbb_request $request + * @param phpbb_user $user + * @param string $phpbb_root_path + * @param string $php_ext */ public function __construct(phpbb_db_driver $db, phpbb_config $config, phpbb_request $request, phpbb_user $user, $phpbb_root_path, $php_ext) { @@ -50,18 +50,6 @@ class phpbb_auth_provider_db implements phpbb_auth_provider_interface return; } - /** - * Login function - * - * @param string $username - * @param string $password - * @return array A associative array of the format - * array( - * 'status' => status constant - * 'error_msg' => string - * 'user_row' => array - * ) - */ public function login($username, $password) { // Auth plugins get the password untrimmed. diff --git a/phpBB/includes/auth/provider_interface.php b/phpBB/includes/auth/provider_interface.php index 534f198c21..2d1935f8f0 100644 --- a/phpBB/includes/auth/provider_interface.php +++ b/phpBB/includes/auth/provider_interface.php @@ -26,31 +26,33 @@ interface phpbb_auth_provider_interface * Checks whether the user is currently identified to the authentication * provider. * Called in acp_board while setting authentication plugins. + * Changing to an authentication provider will not be permitted in acp_board + * if there is an error. * * @return boolean|string False if the user is identified, otherwise an - * error message. + * error message, or null if not implemented. */ public function init(); /** * Performs login. * - * @param $username string The name of the user being authenticated. - * @param $password string The password of the user. - * @return array An associative array of the format: - * array( - * 'status' => status constant - * 'error_msg' => string - * 'user_row' => array - * ) + * @param string $username The name of the user being authenticated. + * @param string $password The password of the user. + * @return array An associative array of the format: + * array( + * 'status' => status constant + * 'error_msg' => string + * 'user_row' => array + * ) */ public function login($username, $password); /** * Autologin function * - * @return array containing the user row or empty if no auto login should - * take place + * @return array|null containing the user row, empty if no auto login + * should take place, or null if not impletmented. */ public function autologin(); @@ -58,22 +60,32 @@ interface phpbb_auth_provider_interface * This function is used to output any required fields in the authentication * admin panel. It also defines any required configuration table fields. * - * @param type $new + * @param array $new Contains the new configuration values that have + * been set in acp_board. + * @return array|null Returns null if not implemented or an array of the + * form: + * array( + * 'tpl' => string + * 'config' => array + * ) */ public function acp($new); /** - * Special logout function. + * Performs additional actions during logout. * - * @param type $data - * @param type $new_session + * @param array $data An array corresponding to + * phpbb_session::data + * @param boolean $new_session True for a new session, false for no new + * session. */ public function logout($data, $new_session); /** - * The session validation function checks whether the user is still logged in. + * The session validation function checks whether the user is still logged + * into phpBB. * - * @param type $user + * @param array $user * @return boolean true if the given user is authenticated, false if the * session should be closed, or null if not implemented. */ diff --git a/phpBB/includes/auth/provider_ldap.php b/phpBB/includes/auth/provider_ldap.php index 67d8d8335f..2140e7dd63 100644 --- a/phpBB/includes/auth/provider_ldap.php +++ b/phpBB/includes/auth/provider_ldap.php @@ -27,9 +27,9 @@ class phpbb_auth_provider_ldap implements phpbb_auth_provider_interface /** * LDAP Authentication Constructor * - * @param phpbb_db_driver $db - * @param phpbb_config $config - * @param phpbb_user $user + * @param phpbb_db_driver $db + * @param phpbb_config $config + * @param phpbb_user $user */ public function __construct(phpbb_db_driver $db, phpbb_config $config, phpbb_user $user) { @@ -38,11 +38,6 @@ class phpbb_auth_provider_ldap implements phpbb_auth_provider_interface $this->user = $user; } - /** - * Connect to ldap server - * Only allow changing authentication to ldap if we can connect to the ldap server - * Called in acp_board while setting authentication plugins - */ public function init() { if (!@extension_loaded('ldap')) @@ -111,9 +106,6 @@ class phpbb_auth_provider_ldap implements phpbb_auth_provider_interface return false; } - /** - * Login function - */ public function login($username, $password) { // do not allow empty password @@ -290,10 +282,6 @@ class phpbb_auth_provider_ldap implements phpbb_auth_provider_interface return; } - /** - * This function is used to output any required fields in the authentication - * admin panel. It also defines any required configuration table fields. - */ public function acp($new) { $tpl = ' @@ -359,6 +347,9 @@ class phpbb_auth_provider_ldap implements phpbb_auth_provider_interface /** * Escapes an LDAP AttributeValue + * + * @param string $string The string to be escaped + * @return string The escaped string */ private function ldap_escape($string) { From 27f0b9ff4359a60f98533aff2a87c1848d622d4c Mon Sep 17 00:00:00 2001 From: Joseph Warner Date: Fri, 28 Jun 2013 13:43:41 -0400 Subject: [PATCH 40/44] [feature/auth-refactor] Forgot @inheritdoc on methods PHPBB3-9734 --- phpBB/includes/auth/provider_apache.php | 18 ++++++++++++++++++ phpBB/includes/auth/provider_db.php | 18 ++++++++++++++++++ phpBB/includes/auth/provider_ldap.php | 18 ++++++++++++++++++ 3 files changed, 54 insertions(+) diff --git a/phpBB/includes/auth/provider_apache.php b/phpBB/includes/auth/provider_apache.php index 054316db19..5f6f2862b6 100644 --- a/phpBB/includes/auth/provider_apache.php +++ b/phpBB/includes/auth/provider_apache.php @@ -42,6 +42,9 @@ class phpbb_auth_provider_apache implements phpbb_auth_provider_interface $this->php_ext = $php_ext; } + /** + * {@inheritdoc} + */ public function init() { if (!$this->request->is_set('PHP_AUTH_USER', phpbb_request_interface::SERVER) || $this->user->data['username'] !== htmlspecialchars_decode($this->request->server('PHP_AUTH_USER'))) @@ -51,6 +54,9 @@ class phpbb_auth_provider_apache implements phpbb_auth_provider_interface return false; } + /** + * {@inheritdoc} + */ public function login($username, $password) { // do not allow empty password @@ -138,6 +144,9 @@ class phpbb_auth_provider_apache implements phpbb_auth_provider_interface ); } + /** + * {@inheritdoc} + */ public function autologin() { if (!$this->request->is_set('PHP_AUTH_USER', phpbb_request_interface::SERVER)) @@ -226,6 +235,9 @@ class phpbb_auth_provider_apache implements phpbb_auth_provider_interface ); } + /** + * {@inheritdoc} + */ public function validate_session($user) { // Check if PHP_AUTH_USER is set and handle this case @@ -245,11 +257,17 @@ class phpbb_auth_provider_apache implements phpbb_auth_provider_interface return false; } + /** + * {@inheritdoc} + */ public function acp($new) { return; } + /** + * {@inheritdoc} + */ public function logout($data, $new_session) { return; diff --git a/phpBB/includes/auth/provider_db.php b/phpBB/includes/auth/provider_db.php index e8fff26650..a79d031048 100644 --- a/phpBB/includes/auth/provider_db.php +++ b/phpBB/includes/auth/provider_db.php @@ -45,11 +45,17 @@ class phpbb_auth_provider_db implements phpbb_auth_provider_interface $this->php_ext = $php_ext; } + /** + * {@inheritdoc} + */ public function init() { return; } + /** + * {@inheritdoc} + */ public function login($username, $password) { // Auth plugins get the password untrimmed. @@ -297,21 +303,33 @@ class phpbb_auth_provider_db implements phpbb_auth_provider_interface ); } + /** + * {@inheritdoc} + */ public function autologin() { return; } + /** + * {@inheritdoc} + */ public function acp($new) { return; } + /** + * {@inheritdoc} + */ public function logout($data, $new_session) { return; } + /** + * {@inheritdoc} + */ public function validate_session($user) { return; diff --git a/phpBB/includes/auth/provider_ldap.php b/phpBB/includes/auth/provider_ldap.php index 2140e7dd63..f67c1e9247 100644 --- a/phpBB/includes/auth/provider_ldap.php +++ b/phpBB/includes/auth/provider_ldap.php @@ -38,6 +38,9 @@ class phpbb_auth_provider_ldap implements phpbb_auth_provider_interface $this->user = $user; } + /** + * {@inheritdoc} + */ public function init() { if (!@extension_loaded('ldap')) @@ -106,6 +109,9 @@ class phpbb_auth_provider_ldap implements phpbb_auth_provider_interface return false; } + /** + * {@inheritdoc} + */ public function login($username, $password) { // do not allow empty password @@ -277,11 +283,17 @@ class phpbb_auth_provider_ldap implements phpbb_auth_provider_interface ); } + /** + * {@inheritdoc} + */ public function autologin() { return; } + /** + * {@inheritdoc} + */ public function acp($new) { $tpl = ' @@ -356,11 +368,17 @@ class phpbb_auth_provider_ldap implements phpbb_auth_provider_interface return str_replace(array('*', '\\', '(', ')'), array('\\*', '\\\\', '\\(', '\\)'), $string); } + /** + * {@inheritdoc} + */ public function logout($data, $new_session) { return; } + /** + * {@inheritdoc} + */ public function validate_session($user) { return; From 66118ea49e2dc1a54ce1a76fa4856ff158df9511 Mon Sep 17 00:00:00 2001 From: Joseph Warner Date: Mon, 1 Jul 2013 13:32:16 -0400 Subject: [PATCH 41/44] [feature/auth-refactor] A possible fix for the functional test failures I don't like this fix as it really shouldn't be needed. But it makes the functional tests pass. PHPBB3-9734 --- phpBB/includes/request/request.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/phpBB/includes/request/request.php b/phpBB/includes/request/request.php index ae3c526d89..c0bb453c7c 100644 --- a/phpBB/includes/request/request.php +++ b/phpBB/includes/request/request.php @@ -79,7 +79,7 @@ class phpbb_request implements phpbb_request_interface // simulate request_order = GP $this->original_request = $this->input[phpbb_request_interface::REQUEST]; - $this->input[phpbb_request_interface::REQUEST] = $this->input[phpbb_request_interface::POST] + $this->input[phpbb_request_interface::GET]; + $this->input[phpbb_request_interface::REQUEST] = (array)$this->input[phpbb_request_interface::POST] + (array)$this->input[phpbb_request_interface::GET]; if ($disable_super_globals) { From f48effb00197a9ace8de82f3a961992215113257 Mon Sep 17 00:00:00 2001 From: Joseph Warner Date: Mon, 1 Jul 2013 22:37:55 -0400 Subject: [PATCH 42/44] [feature/auth-refactor] Fix the actual cause of test failures Enables super globals before the new container is instantiated in the final step of installation to prevent issues caused by trying to create a phpbb_request object when super globals are disabled. PHPBB3-9734 --- phpBB/includes/request/request.php | 2 +- phpBB/install/install_install.php | 5 ++++- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/phpBB/includes/request/request.php b/phpBB/includes/request/request.php index c0bb453c7c..ae3c526d89 100644 --- a/phpBB/includes/request/request.php +++ b/phpBB/includes/request/request.php @@ -79,7 +79,7 @@ class phpbb_request implements phpbb_request_interface // simulate request_order = GP $this->original_request = $this->input[phpbb_request_interface::REQUEST]; - $this->input[phpbb_request_interface::REQUEST] = (array)$this->input[phpbb_request_interface::POST] + (array)$this->input[phpbb_request_interface::GET]; + $this->input[phpbb_request_interface::REQUEST] = $this->input[phpbb_request_interface::POST] + $this->input[phpbb_request_interface::GET]; if ($disable_super_globals) { diff --git a/phpBB/install/install_install.php b/phpBB/install/install_install.php index 5bf3f572d9..3d7b6f7c88 100644 --- a/phpBB/install/install_install.php +++ b/phpBB/install/install_install.php @@ -53,7 +53,7 @@ class install_install extends module function main($mode, $sub) { global $lang, $template, $language, $phpbb_root_path, $phpEx; - global $phpbb_container, $cache, $phpbb_log; + global $phpbb_container, $cache, $phpbb_log, $request; switch ($sub) { @@ -102,6 +102,9 @@ class install_install extends module break; case 'final': + // Enable super globals to prevent issues with the new phpbb_request object + $request->enable_super_globals(); + // Create a normal container now $phpbb_container = phpbb_create_default_container($phpbb_root_path, $phpEx); From 274308148991a498eab875826d6c7615acdef108 Mon Sep 17 00:00:00 2001 From: Joseph Warner Date: Tue, 2 Jul 2013 00:04:17 -0400 Subject: [PATCH 43/44] [feature/auth-refactor] Fix comment grammar PHPBB3-9734 --- phpBB/includes/auth/provider_db.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/phpBB/includes/auth/provider_db.php b/phpBB/includes/auth/provider_db.php index a79d031048..894041c9cf 100644 --- a/phpBB/includes/auth/provider_db.php +++ b/phpBB/includes/auth/provider_db.php @@ -147,7 +147,7 @@ class phpbb_auth_provider_db implements phpbb_auth_provider_interface $show_captcha = ($this->config['max_login_attempts'] && $row['user_login_attempts'] >= $this->config['max_login_attempts']) || ($this->config['ip_login_limit_max'] && $attempts >= $this->config['ip_login_limit_max']); - // If there are too much login attempts, we need to check for an confirm image + // If there are too many login attempts, we need to check for a confirm image // Every auth module is able to define what to do by itself... if ($show_captcha) { From f9672e9b45a0f0d26702ca0f55a884a24e21bf77 Mon Sep 17 00:00:00 2001 From: Joseph Warner Date: Tue, 2 Jul 2013 14:03:22 -0400 Subject: [PATCH 44/44] [feature/auth-refactor] Fix code style issue PHPBB3-9734 --- phpBB/includes/acp/acp_board.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/phpBB/includes/acp/acp_board.php b/phpBB/includes/acp/acp_board.php index 4d07f96c6f..24b913260b 100644 --- a/phpBB/includes/acp/acp_board.php +++ b/phpBB/includes/acp/acp_board.php @@ -660,8 +660,8 @@ class acp_board if ($fields['tpl']) { $template->assign_block_vars('auth_tpl', array( - 'TPL' => $fields['tpl']) - ); + 'TPL' => $fields['tpl'], + )); } unset($fields); }