  1: <?php
  2: 
  3: /**
  4:  * This file contains the backend authentication handler class.
  5:  *
  6:  * @package    Core
  7:  * @subpackage Authentication
  8:  * @author     Dominik Ziegler
  9:  * @copyright  four for business AG <www.4fb.de>
 10:  * @license    http://www.contenido.org/license/LIZENZ.txt
 11:  * @link       http://www.4fb.de
 12:  * @link       http://www.contenido.org
 13:  */
 14: 
// Refuse direct HTTP access to this file: CON_FRAMEWORK is presumably defined by
// the framework bootstrap, so a request for this file on its own aborts here.
defined('CON_FRAMEWORK') || die('Illegal call: Missing framework initialization - request aborted.');
 16: 
 17: /**
 18:  * This class is the backend authentication handler for CONTENIDO.
 19:  *
 20:  * @package    Core
 21:  * @subpackage Authentication
 22:  */
 23: class cAuthHandlerBackend extends cAuthHandlerAbstract {
 24: 
 25:     /**
 26:      * Constructor of the backend authentication handler.
 27:      *
 28:      * Automatically sets the lifetime of the authentication to the configured
 29:      * value.
 30:      */
 31:     public function __construct() {
 32:         $cfg = cRegistry::getConfig();
 33:         $this->_lifetime = (int) $cfg['backend']['timeout'];
 34:         if ($this->_lifetime == 0) {
 35:             $this->_lifetime = 15;
 36:         }
 37:     }
 38: 
 39:     /**
 40:      * Handle the pre authentication.
 41:      *
 42:      * There is no pre authentication in backend so false is returned.
 43:      *
 44:      * @see cAuthHandlerAbstract::preAuthorize()
 45:      * @return false
 46:      */
 47:     public function preAuthorize() {
 48:         return false;
 49:     }
 50: 
 51:     /**
 52:      * Display the login form.
 53:      * Includes a file which displays the login form.
 54:      *
 55:      * @see cAuthHandlerAbstract::displayLoginForm()
 56:      */
 57:     public function displayLoginForm() {
 58:         // @TODO  We need a better solution for this. One idea could be to set the request/response
 59:         //        type in global $cfg array instead of checking $_REQUEST['ajax'] everywhere...
 60:         if (isset($_REQUEST['ajax']) && $_REQUEST['ajax'] != '') {
 61:             $oAjax = new cAjaxRequest();
 62:             $sReturn = $oAjax->handle('authentication_fail');
 63:             echo $sReturn;
 64:         } else {
 65:             include(cRegistry::getBackendPath() . 'main.loginform.php');
 66:         }
 67:     }
 68: 
 69:     /**
 70:      * Validate the credentials.
 71:      *
 72:      * Validate the users input against source and return a valid user ID or false.
 73:      *
 74:      * @see cAuthHandlerAbstract::validateCredentials()
 75:      * @return string|false
 76:      */
 77:     public function validateCredentials() {
 78:         $username = $_POST['username'];
 79:         $password = $_POST['password'];
 80:         $formtimestamp = $_POST['formtimestamp'];
 81: 
 82:         // add slashes if they are not automatically added
 83:         if (cRegistry::getConfigValue('simulate_magic_quotes') !== true) {
 84:             // backward compatiblity of passwords
 85:             $password = addslashes($password);
 86:             // avoid sql injection in query by username on cApiUserCollection select string
 87:             $username = addslashes($username);
 88:         }
 89: 
 90:         $groupPerm = array();
 91: 
 92:         if ($password == '') {
 93:             return false;
 94:         }
 95: 
 96:         if (($formtimestamp + (60 * 15)) < time()) {
 97:             return false;
 98:         }
 99: 
100:         if (isset($username)) {
101:             $this->auth['uname'] = $username;
102:         } else if ($this->_defaultNobody == true) {
103:             $uid = $this->auth['uname'] = $this->auth['uid'] = self::AUTH_UID_NOBODY;
104: 
105:             return $uid;
106:         }
107: 
108:         $uid = false;
109:         $perm = false;
110:         $pass = false;
111:         $salt = false;
112: 
113:         $userColl = new cApiUserCollection();
114:         $where = "username = '" . $username . "'";
115:         $where .= " AND (valid_from <= NOW() OR valid_from = '0000-00-00 00:00:00' OR valid_from is NULL)";
116:         $where .= " AND (valid_to >= NOW() OR valid_to = '0000-00-00 00:00:00' OR valid_to is NULL)";
117: 
118:         $maintenanceMode = getSystemProperty('maintenance', 'mode');
119:         if ($maintenanceMode == 'enabled') {
120:             $where .= " AND perms = 'sysadmin'";
121:         }
122: 
123:         $userColl->select($where);
124: 
125:         while (($item = $userColl->next()) !== false) {
126:             $uid = $item->get('user_id');
127:             $perm = $item->get('perms');
128:             $pass = $item->get('password'); // Password is stored as a sha256 hash
129:             $salt = $item->get("salt");
130:         }
131: 
132:         if ($uid == false || hash("sha256", md5($password) . $salt) != $pass) {
133:             // No user found, sleep and exit
134:             sleep(5);
135: 
136:             return false;
137:         }
138: 
139:         if ($perm != '') {
140:             $groupPerm[] = $perm;
141:         }
142: 
143:         $groupColl = new cApiGroupCollection();
144:         $groups = $groupColl->fetchByUserID($uid);
145:         foreach ($groups as $group) {
146:             $groupPerm[] = $group->get('perms');
147:         }
148: 
149:         $perm = implode(',', $groupPerm);
150: 
151:         $this->auth['perm'] = $perm;
152: 
153:         return $uid;
154:     }
155: 
156:     /**
157:      * Log the successful authentication.
158:      *
159:      * @see cAuthHandlerAbstract::logSuccessfulAuth()
160:      */
161:     public function logSuccessfulAuth() {
162:         global $client, $lang, $saveLoginTime;
163: 
164:         $perm = new cPermission();
165: 
166:         // Find the first accessible client and language for the user
167:         $clientLangColl = new cApiClientLanguageCollection();
168:         $clientLangColl->select();
169: 
170:         $bFound = false;
171:         while ($bFound == false) {
172:             if (($item = $clientLangColl->next()) === false) {
173:                 break;
174:             }
175: 
176:             $iTmpClient = $item->get('idclient');
177:             $iTmpLang = $item->get('idlang');
178: 
179:             if ($perm->have_perm_client_lang($iTmpClient, $iTmpLang)) {
180:                 $client = $iTmpClient;
181:                 $lang = $iTmpLang;
182:                 $bFound = true;
183:             }
184:         }
185: 
186:         if (!is_numeric($client) || !is_numeric($lang)) {
187:             return;
188:         }
189: 
190:         $idaction = $perm->getIDForAction('login');
191: 
192:         $authInfo = $this->getAuthInfo();
193:         $uid = $authInfo['uid'];
194: 
195:         // create a actionlog entry
196:         $actionLogCol = new cApiActionlogCollection();
197:         $actionLogCol->create($uid, $client, $lang, $idaction, 0);
198: 
199:         $sess = cRegistry::getSession();
200:         $sess->register('saveLoginTime');
201:         $saveLoginTime = true;
202:     }
203: 
204:     /**
205:      * Returns true if a user is logged in.
206:      *
207:      * @see cAuthHandlerAbstract::isLoggedIn()
208:      * @return bool
209:      */
210:     public function isLoggedIn() {
211:         $authInfo = $this->getAuthInfo();
212: 
213:         if(isset($authInfo['uid'])) {
214:             $user = new cApiUser($authInfo['uid']);
215: 
216:             return $user->get('user_id') != '';
217:         } else {
218:             return false;
219:         }
220:     }
221: 
222: }
223: 