  1: <?php
  2: /**
  3:  * This file contains the backend authentication handler class.
  4:  *
  5:  * @package    Core
  6:  * @subpackage Authentication
  7:  * @version    SVN Revision $Rev:$
  8:  *
  9:  * @author     Dominik Ziegler
 10:  * @copyright  four for business AG <www.4fb.de>
 11:  * @license    http://www.contenido.org/license/LIZENZ.txt
 12:  * @link       http://www.4fb.de
 13:  * @link       http://www.contenido.org
 14:  */
 15: 
 16: defined('CON_FRAMEWORK') || die('Illegal call: Missing framework initialization - request aborted.');
 17: 
 18: /**
 19:  * This class contains the methods for the backend authentication in CONTENIDO.
 20:  *
 21:  * @package    Core
 22:  * @subpackage Authentication
 23:  */
 24: class cAuthHandlerBackend extends cAuthHandlerAbstract {
 25: 
 26:     /**
 27:      * Constructor of the backend auth handler.
 28:      * Automatically sets the lifetime of the authentication to the configured
 29:      * value.
 30:      */
 31:     public function __construct() {
 32:         $cfg = cRegistry::getConfig();
 33:         $this->_lifetime = (int)$cfg['backend']['timeout'];
 34: 
 35:         if ($this->_lifetime == 0) {
 36:             $this->_lifetime = 15;
 37:         }
 38:     }
 39: 
 40:     public function preAuthorize() {
 41:         // there is no pre authorization in backend
 42:         return false;
 43:     }
 44: 
 45:     public function displayLoginForm() {
 46:         // @TODO  We need a better solution for this. One idea could be to set the request/response
 47:         //        type in global $cfg array instead of checking $_REQUEST['ajax'] everywhere...
 48:         if (isset($_REQUEST['ajax']) && $_REQUEST['ajax'] != '') {
 49:             $oAjax = new cAjaxRequest();
 50:             $sReturn = $oAjax->handle('authentication_fail');
 51:             echo $sReturn;
 52:         } else {
 53:             include(cRegistry::getBackendPath() . 'main.loginform.php');
 54:         }
 55:     }
 56: 
 57:     public function validateCredentials() {
 58:         $username = $_POST['username'];
 59:         $password = $_POST['password'];
 60:         $formtimestamp = $_POST['formtimestamp'];
 61: 
 62:         $groupPerm = array();
 63: 
 64:         if ($password == '') {
 65:             return false;
 66:         }
 67: 
 68:         if (($formtimestamp + (60 * 15)) < time()) {
 69:             return false;
 70:         }
 71: 
 72:         if (isset($username)) {
 73:             $this->auth['uname'] = $username;
 74:         } else if ($this->_defaultNobody == true) {
 75:             $uid = $this->auth['uname'] = $this->auth['uid'] = self::AUTH_UID_NOBODY;
 76: 
 77:             return $uid;
 78:         }
 79: 
 80:         $uid = false;
 81:         $perm = false;
 82:         $pass = false;
 83:         $salt = false;
 84: 
 85:         $userColl = new cApiUserCollection();
 86:         $where = "username = '" . $username . "'";
 87:         $where .= " AND (valid_from <= NOW() OR valid_from = '0000-00-00' OR valid_from is NULL)";
 88:         $where .= " AND (valid_to >= NOW() OR valid_to = '0000-00-00' OR valid_to is NULL)";
 89: 
 90:         $maintenanceMode = getSystemProperty('maintenance', 'mode');
 91:         if ($maintenanceMode == 'enabled') {
 92:             $where .= " AND perms = 'sysadmin'";
 93:         }
 94: 
 95:         $userColl->select($where);
 96: 
 97:         while (($item = $userColl->next()) !== false) {
 98:             $uid = $item->get('user_id');
 99:             $perm = $item->get('perms');
100:             $pass = $item->get('password'); // Password is stored as a sha256 hash
101:             $salt = $item->get("salt");
102:         }
103: 
104:         if ($uid == false || hash("sha256", md5($password) . $salt) != $pass) {
105:             // No user found, sleep and exit
106:             sleep(5);
107: 
108:             return false;
109:         }
110: 
111:         if ($perm != '') {
112:             $groupPerm[] = $perm;
113:         }
114: 
115:         $groupColl = new cApiGroupCollection();
116:         $groups = $groupColl->fetchByUserID($uid);
117:         foreach ($groups as $group) {
118:             $groupPerm[] = $group->get('perms');
119:         }
120: 
121:         $perm = implode(',', $groupPerm);
122: 
123:         $this->auth['perm'] = $perm;
124: 
125:         return $uid;
126:     }
127: 
128:     public function logSuccessfulAuth() {
129:         global $client, $lang, $saveLoginTime;
130: 
131:         $perm = new cPermission();
132: 
133:         // Find the first accessible client and language for the user
134:         $clientLangColl = new cApiClientLanguageCollection();
135:         $clientLangColl->select();
136: 
137:         $bFound = false;
138:         while ($bFound == false) {
139:             if (($item = $clientLangColl->next()) === false) {
140:                 break;
141:             }
142: 
143:             $iTmpClient = $item->get('idclient');
144:             $iTmpLang = $item->get('idlang');
145: 
146:             if ($perm->have_perm_client_lang($iTmpClient, $iTmpLang)) {
147:                 $client = $iTmpClient;
148:                 $lang = $iTmpLang;
149:                 $bFound = true;
150:             }
151:         }
152: 
153:         if (!is_numeric($client) || !is_numeric($lang)) {
154:             return;
155:         }
156: 
157:         $idaction = $perm->getIDForAction('login');
158: 
159:         $authInfo = $this->getAuthInfo();
160:         $uid = $authInfo['uid'];
161: 
162:         // create a actionlog entry
163:         $actionLogCol = new cApiActionlogCollection();
164:         $actionLogCol->create($uid, $client, $lang, $idaction, 0);
165: 
166:         $sess = cRegistry::getSession();
167:         $sess->register('saveLoginTime');
168:         $saveLoginTime = true;
169:     }
170: 
171: }
172: 