move most of the login code into a controller

2025-11-28 02:20:41 +00:00 · 2019-01-11 08:53:04 +01:00 · 2019-01-11 08:53:04 +01:00 · b7ffaa878e
commit b7ffaa878e
parent c3ca1cb1f9
2 changed files with 209 additions and 150 deletions
--- a/controllers/class.Login.php
+++ b/controllers/class.Login.php
@ -21,14 +21,205 @@
 * @version    Release: @package_version@
 */
 class SeedDMS_Controller_Login extends SeedDMS_Controller_Common {
 	/**
 	 * @var array $user set if user could be logged in
 	 * @access protected
 	 */
 	static protected $user;
-	public function run() {
+	public function getUser() { /* {{{ */
 		return self::$user;
 	} /* }}} */
 	public function run() { /* {{{ */
 		$dms = $this->params['dms'];
 		$user = $this->params['user'];
 		$settings = $this->params['settings'];
 		$session = $this->params['session'];
 		$sesstheme = $this->params['sesstheme'];
 		$lang = $this->params['lang'];
 		$login = $this->params['login'];
 		$pwd = $this->params['pwd'];
-		if($this->callHook('postLogin')) {
+		self::$user = null;
 		/* The preLogin hook may set self::$user which will prevent any further
 		 * authentication process.
 		 */
 		if($this->callHook('preLogin')) {
 		}
-	}
+
 		$user = self::$user;
 		/* The password may only be empty if the guest user tries to log in.
 		 * There is just one guest account with id $settings->_guestID which
 		 * is allowed to log in without a password. All other guest accounts
 		 * are treated like regular logins
 		 */
 		if(!$user && $settings->_enableGuestLogin && (int) $settings->_guestID) {
 			$guestUser = $dms->getUser((int) $settings->_guestID);
 			if(($login != $guestUser->getLogin())) {
 				if ((!isset($pwd) || strlen($pwd)==0)) {
 					$this->setErrorMsg("login_error_text");
 					return false;
 				}
 			} else {
 				$user = $guestUser;
 			}
 		}
 		/* Run any additional authentication method. The hook must return a
 		 * valid user, if the authentication succeeded. If it fails, it must
 		 * return false and if the hook doesn't care at all, if must return null.
 		 */
 		$user = $this->callHook('authenticate');
 		if(false === $user) {
 			if(empty($this->errormsg))
 				$this->setErrorMsg("authentication_failed");
 			return false;
 		}
 		/* Deprecated: Run any additional authentication implemented in a hook */
 		if(!$user && isset($GLOBALS['SEEDDMS_HOOKS']['authentication'])) {
 			foreach($GLOBALS['SEEDDMS_HOOKS']['authentication'] as $authObj) {
 				if(!$user && method_exists($authObj, 'authenticate')) {
 					$user = $authObj->authenticate($dms, $settings, $login, $pwd);
 				}
 			}
 		}
 		/* Authenticate against LDAP server {{{ */
 		if (!$user && isset($settings->_ldapHost) && strlen($settings->_ldapHost)>0) {
 			require_once("../inc/inc.ClassLdapAuthentication.php");
 			$authobj = new SeedDMS_LdapAuthentication($dms, $settings);
 			$user = $authobj->authenticate($login, $pwd);
 		} /* }}} */
 		/* Authenticate against SeedDMS database {{{ */
 		if(!$user) {
 			require_once("../inc/inc.ClassDbAuthentication.php");
 			$authobj = new SeedDMS_DbAuthentication($dms, $settings);
 			$user = $authobj->authenticate($login, $pwd);
 		} /* }}} */
 		/* If the user is still not authenticated, then exit with an error */
 		if(!$user) {
 			$this->callHook('loginFailed');
 			$this->setErrorMsg("login_error_text");
 			return false;
 		}
 		self::$user = $user;
 		/* Check for other restrictions which prevent the user from login, though
 		 * the authentication was successfull.
 		 */
 		$userid = $user->getID();
 		if (($userid == $settings->_guestID) && (!$settings->_enableGuestLogin)) {
 			$this->setErrorMsg("guest_login_disabled");
 			return false;
 		}
 		// Check if account is disabled
 		if($user->isDisabled()) {
 			$this->setErrorMsg("login_disabled_text");
 			return false;
 		}
 		// control admin IP address if required
 		if ($user->isAdmin() && ($_SERVER['REMOTE_ADDR'] != $settings->_adminIP ) && ( $settings->_adminIP != "") ){
 			$this->setErrorMsg("invalid_user_id");
 			return false;
 		}
 		/* Run any additional checks which may prevent login */
 		if(false === $this->callHook('restrictLogin', $user)) {
 			if(empty($this->errormsg))
 				$this->setErrorMsg("login_restrictions_apply");
 			return false;
 		}
 		if(!$user && isset($GLOBALS['SEEDDMS_HOOKS']['authentication'])) {
 			foreach($GLOBALS['SEEDDMS_HOOKS']['authentication'] as $authObj) {
 				if(!$user && method_exists($authObj, 'authenticate')) {
 					$user = $authObj->authenticate($dms, $settings, $login, $pwd);
 				}
 			}
 		}
 		/* Clear login failures if login was successful */
 		$user->clearLoginFailures();
 		// Capture the user's language and theme settings.
 		if (isset($_REQUEST["lang"]) && strlen($_REQUEST["lang"])>0 && is_numeric(array_search($_REQUEST["lang"],getLanguages())) ) {
 			$lang = $_REQUEST["lang"];
 			$user->setLanguage($lang);
 		}
 		else {
 			$lang = $user->getLanguage();
 			if (strlen($lang)==0) {
 				$lang = $settings->_language;
 				$user->setLanguage($lang);
 			}
 		}
 		if ($sesstheme) {
 			$user->setTheme($sesstheme);
 		}
 		else {
 			$sesstheme = $user->getTheme();
 			if (strlen($sesstheme)==0) {
 				$sesstheme = $settings->_theme;
 		//		$user->setTheme($sesstheme);
 			}
 		}
 		// Delete all sessions that are more than 1 week or the configured
 		// cookie lifetime old. Probably not the most
 		// reliable place to put this check -- move to inc.Authentication.php?
 		if($settings->_cookieLifetime)
 			$lifetime = intval($settings->_cookieLifetime);
 		else
 			$lifetime = 7*86400;
 		if(!$session->deleteByTime($lifetime)) {
 			$this->setErrorMsg("error_occured");
 			return false;
 		}
 		if (isset($_COOKIE["mydms_session"])) {
 			/* This part will never be reached unless the session cookie is kept,
 			 * but op.Logout.php deletes it. Keeping a session could be a good idea
 			 * for retaining the clipboard data, but the user id in the session should
 			 * be set to 0 which is not possible due to foreign key constraints.
 			 * So for now op.Logout.php will delete the cookie as always
 			 */
 			/* Load session */
 			$dms_session = $_COOKIE["mydms_session"];
 			if(!$resArr = $session->load($dms_session)) {
 				/* Turn off http only cookies if jumploader is enabled */
 				setcookie("mydms_session", $dms_session, time()-3600, $settings->_httpRoot, null, null, !$settings->_enableLargeFileUpload); //delete cookie
 				header("Location: " . $settings->_httpRoot . "out/out.Login.php?referuri=".$refer);
 				exit;
 			} else {
 				$session->updateAccess($dms_session);
 				$session->setUser($userid);
 			}
 		} else {
 			// Create new session in database
 			if(!$id = $session->create(array('userid'=>$userid, 'theme'=>$sesstheme, 'lang'=>$lang))) {
 				$this->setErrorMsg("error_occured");
 				return false;
 			}
 			// Set the session cookie.
 			if($settings->_cookieLifetime)
 				$lifetime = time() + intval($settings->_cookieLifetime);
 			else
 				$lifetime = 0;
 			setcookie("mydms_session", $id, $lifetime, $settings->_httpRoot, null, null, !$settings->_enableLargeFileUpload);
 		}
 		if($this->callHook('postLogin', $user)) {
 		}
 		return true;
 	} /* }}} */
 }
--- a/op/op.Login.php
+++ b/op/op.Login.php
@ -31,21 +31,20 @@ include("../inc/inc.ClassController.php");
 include $settings->_rootDir . "languages/" . $settings->_language . "/lang.inc";
-function _printMessage($heading, $message) { /* {{{ */
+function _printMessage($message) { /* {{{ */
 	global $session, $dms, $theme;
 	header("Location:../out/out.Login.php?msg=".urlencode($message));
 	exit;
 	UI::exitError($heading, $message, true);
 	return;
 } /* }}} */
 $tmp = explode('.', basename($_SERVER['SCRIPT_FILENAME']));
 $controller = Controller::factory($tmp[1], array('dms'=>$dms));
 $sesstheme = '';
 if (isset($_REQUEST["sesstheme"]) && strlen($_REQUEST["sesstheme"])>0 && is_numeric(array_search($_REQUEST["sesstheme"],UI::getStyles())) ) {
 	$theme = $_REQUEST["sesstheme"];
 	$sesstheme = $_REQUEST["sesstheme"];
 }
 if (isset($_REQUEST["login"])) {
@ -54,7 +53,7 @@ if (isset($_REQUEST["login"])) {
 }
 if (!isset($login) || strlen($login)==0) {
-	_printMessage(getMLText("login_error_title"),	getMLText("login_not_given")."\n");
+	_printMessage(getMLText("login_not_given")."\n");
 	exit;
 }
@ -66,147 +65,8 @@ if(isset($_POST['pwd'])) {
 	}
 }
 /* Initialy set $user to false. It will contain a valid user record
 * if the user is a guest user or authentication will succeed.
 */
 $user = false;
 /* The password may only be empty if the guest user tries to log in.
 * There is just one guest account with id $settings->_guestID which
 * is allowed to log in without a password. All other guest accounts
 * are treated like regular logins
 */
 if($settings->_enableGuestLogin && (int) $settings->_guestID) {
 	$guestUser = $dms->getUser((int) $settings->_guestID);
 	if(($login != $guestUser->getLogin())) {
 		if ((!isset($pwd) || strlen($pwd)==0)) {
 			_printMessage(getMLText("login_error_title"),	getMLText("login_error_text")."\n");
 			exit;
 		}
 	} else {
 		$user = $guestUser;
 	}
 }
 if(!$user && isset($GLOBALS['SEEDDMS_HOOKS']['authentication'])) {
 	foreach($GLOBALS['SEEDDMS_HOOKS']['authentication'] as $authObj) {
 		if(!$user && method_exists($authObj, 'authenticate')) {
 			$user = $authObj->authenticate($dms, $settings, $login, $pwd);
 		}
 	}
 }
 /* Authenticate against LDAP server {{{ */
 if (!$user && isset($settings->_ldapHost) && strlen($settings->_ldapHost)>0) {
 	require_once("../inc/inc.ClassLdapAuthentication.php");
 	$authobj = new SeedDMS_LdapAuthentication($dms, $settings);
 	$user = $authobj->authenticate($login, $pwd);
 } /* }}} */
 /* Authenticate against SeedDMS database {{{ */
 if(!$user) {
 	require_once("../inc/inc.ClassDbAuthentication.php");
 	$authobj = new SeedDMS_DbAuthentication($dms, $settings);
 	$user = $authobj->authenticate($login, $pwd);
 } /* }}} */
 if(!$user) {
 	_printMessage(getMLText("login_error_title"),	getMLText("login_error_text"));
 	exit;
 }
 $userid = $user->getID();
 if (($userid == $settings->_guestID) && (!$settings->_enableGuestLogin)) {
 	_printMessage(getMLText("login_error_title"),	getMLText("guest_login_disabled"));
 	exit;
 }
 // Check if account is disabled
 if($user->isDisabled()) {
 	_printMessage(getMLText("login_disabled_title"), getMLText("login_disabled_text"));
 	exit;
 }
 // control admin IP address if required
 if ($user->isAdmin() && ($_SERVER['REMOTE_ADDR'] != $settings->_adminIP ) && ( $settings->_adminIP != "") ){
 	_printMessage(getMLText("login_error_title"),	getMLText("invalid_user_id"));
 	exit;
 }
 /* Clear login failures if login was successful */
 $user->clearLoginFailures();
 // Capture the user's language and theme settings.
 if (isset($_REQUEST["lang"]) && strlen($_REQUEST["lang"])>0 && is_numeric(array_search($_REQUEST["lang"],getLanguages())) ) {
 	$lang = $_REQUEST["lang"];
 	$user->setLanguage($lang);
 }
 else {
 	$lang = $user->getLanguage();
 	if (strlen($lang)==0) {
 		$lang = $settings->_language;
 		$user->setLanguage($lang);
 	}
 }
 if (isset($_REQUEST["sesstheme"]) && strlen($_REQUEST["sesstheme"])>0 && is_numeric(array_search($_REQUEST["sesstheme"],UI::getStyles())) ) {
 	$sesstheme = $_REQUEST["sesstheme"];
 	$user->setTheme($sesstheme);
 }
 else {
 	$sesstheme = $user->getTheme();
 	if (strlen($sesstheme)==0) {
 		$sesstheme = $settings->_theme;
 //		$user->setTheme($sesstheme);
 	}
 }
 $session = new SeedDMS_Session($db);
 // Delete all sessions that are more than 1 week or the configured
 // cookie lifetime old. Probably not the most
 // reliable place to put this check -- move to inc.Authentication.php?
 if($settings->_cookieLifetime)
 	$lifetime = intval($settings->_cookieLifetime);
 else
 	$lifetime = 7*86400;
 if(!$session->deleteByTime($lifetime)) {
 	_printMessage(getMLText("login_error_title"), getMLText("error_occured").": ".$db->getErrorMsg());
 	exit;
 }
 if (isset($_COOKIE["mydms_session"])) {
 	/* This part will never be reached unless the session cookie is kept,
 	 * but op.Logout.php deletes it. Keeping a session could be a good idea
 	 * for retaining the clipboard data, but the user id in the session should
 	 * be set to 0 which is not possible due to foreign key constraints.
 	 * So for now op.Logout.php will delete the cookie as always
 	 */
 	/* Load session */
 	$dms_session = $_COOKIE["mydms_session"];
 	if(!$resArr = $session->load($dms_session)) {
 		/* Turn off http only cookies if jumploader is enabled */
 		setcookie("mydms_session", $dms_session, time()-3600, $settings->_httpRoot, null, null, !$settings->_enableLargeFileUpload); //delete cookie
 		header("Location: " . $settings->_httpRoot . "out/out.Login.php?referuri=".$refer);
 		exit;
 	} else {
 		$session->updateAccess($dms_session);
 		$session->setUser($userid);
 	}
 } else {
 	// Create new session in database
 	if(!$id = $session->create(array('userid'=>$userid, 'theme'=>$sesstheme, 'lang'=>$lang))) {
 		_printMessage(getMLText("login_error_title"), getMLText("error_occured").": ".$db->getErrorMsg());
 		exit;
 	}
 	// Set the session cookie.
 	if($settings->_cookieLifetime)
 		$lifetime = time() + intval($settings->_cookieLifetime);
 	else
 		$lifetime = 0;
 	setcookie("mydms_session", $id, $lifetime, $settings->_httpRoot, null, null, !$settings->_enableLargeFileUpload);
 }
 // TODO: by the PHP manual: The superglobals $_GET and $_REQUEST are already decoded.
 // Using urldecode() on an element in $_GET or $_REQUEST could have unexpected and dangerous results.
@ -219,9 +79,17 @@ else if (isset($_GET["referuri"]) && strlen($_GET["referuri"])>0) {
 add_log_line();
-$controller->setParam('user', $user);
+$controller->setParam('login', $login);
 $controller->setParam('pwd', $pwd);
 $controller->setParam('lang', $lang);
 $controller->setParam('sesstheme', $sesstheme);
 $controller->setParam('session', $session);
-$controller->run();
+if(!$controller->run()) {
 	_printMessage(getMLText($controller->getErrorMsg()), getMLText($controller->getErrorMsg())."\n");
 	exit;
 }
 $user = $controller->getUser();
 if (isset($referuri) && strlen($referuri)>0) {
 //	header("Location: http".((isset($_SERVER['HTTPS']) && (strcmp($_SERVER['HTTPS'],'off')!=0)) ? "s" : "")."://".$_SERVER['HTTP_HOST'] . $referuri);