  1: <?php
  2: 
  3: /**
  4:  * This file contains the backend authentication handler class.
  5:  *
  6:  * @package    Core
  7:  * @subpackage Authentication
  8:  * @author     Dominik Ziegler
  9:  * @copyright  four for business AG <www.4fb.de>
 10:  * @license    http://www.contenido.org/license/LIZENZ.txt
 11:  * @link       http://www.4fb.de
 12:  * @link       http://www.contenido.org
 13:  */
 14: 
 15: defined('CON_FRAMEWORK') || die('Illegal call: Missing framework initialization - request aborted.');
 16: 
 17: /**
 18:  * This class is the backend authentication handler for CONTENIDO.
 19:  *
 20:  * @package    Core
 21:  * @subpackage Authentication
 22:  */
 23: class cAuthHandlerBackend extends cAuthHandlerAbstract {
 24: 
 25:     /**
 26:      * Constructor to create an instance of this class.
 27:      *
 28:      * Automatically sets the lifetime of the authentication to the
 29:      * configured value.
 30:      */
 31:     public function __construct() {
 32:         $cfg = cRegistry::getConfig();
 33:         $this->_lifetime = (int) $cfg['backend']['timeout'];
 34:         if ($this->_lifetime == 0) {
 35:             $this->_lifetime = 15;
 36:         }
 37:     }
 38: 
 39:     /**
 40:      * Handle the pre authentication.
 41:      *
 42:      * There is no pre authentication in backend so false is returned.
 43:      *
 44:      * @see cAuthHandlerAbstract::preAuthorize()
 45:      * @return false
 46:      */
 47:     public function preAuthorize() {
 48:         return false;
 49:     }
 50: 
 51:     /**
 52:      * Display the login form.
 53:      * Includes a file which displays the login form.
 54:      *
 55:      * @see cAuthHandlerAbstract::displayLoginForm()
 56:      */
 57:     public function displayLoginForm() {
 58:         // @TODO  We need a better solution for this.
 59:         //        One idea could be to set the request/response type in
 60:         //        global $cfg array instead of checking $_REQUEST['ajax']
 61:         //        everywhere...
 62:         if (isset($_REQUEST['ajax']) && $_REQUEST['ajax'] != '') {
 63:             $oAjax = new cAjaxRequest();
 64:             $sReturn = $oAjax->handle('authentication_fail');
 65:             echo $sReturn;
 66:         } else {
 67:             include(cRegistry::getBackendPath() . 'main.loginform.php');
 68:         }
 69:     }
 70: 
 71:     /**
 72:      * Validate the credentials.
 73:      *
 74:      * Validate the users input against source and return a valid user
 75:      * ID or false.
 76:      *
 77:      * @see cAuthHandlerAbstract::validateCredentials()
 78:      * @return string|false
 79:      */
 80:     public function validateCredentials() {
 81:         $username = $_POST['username'];
 82:         $password = $_POST['password'];
 83:         $formtimestamp = $_POST['formtimestamp'];
 84: 
 85:         // add slashes if they are not automatically added
 86:         if (cRegistry::getConfigValue('simulate_magic_quotes') !== true) {
 87:             // backward compatiblity of passwords
 88:             $password = addslashes($password);
 89:             // avoid sql injection in query by username on cApiUserCollection select string
 90:             $username = addslashes($username);
 91:         }
 92: 
 93:         $groupPerm = array();
 94: 
 95:         if ($password == '') {
 96:             return false;
 97:         }
 98: 
 99:         if (($formtimestamp + (60 * 15)) < time()) {
100:             return false;
101:         }
102: 
103:         if (isset($username)) {
104:             $this->auth['uname'] = $username;
105:         } else if ($this->_defaultNobody == true) {
106:             $uid = $this->auth['uname'] = $this->auth['uid'] = self::AUTH_UID_NOBODY;
107: 
108:             return $uid;
109:         }
110: 
111:         $uid = false;
112:         $perm = false;
113:         $pass = false;
114:         $salt = false;
115: 
116:         $userColl = new cApiUserCollection();
117:         $where = "username = '" . $username . "'";
118:         $where .= " AND (valid_from <= NOW() OR valid_from = '0000-00-00 00:00:00' OR valid_from is NULL)";
119:         $where .= " AND (valid_to >= NOW() OR valid_to = '0000-00-00 00:00:00' OR valid_to is NULL)";
120: 
121:         $maintenanceMode = getSystemProperty('maintenance', 'mode');
122:         if ($maintenanceMode == 'enabled') {
123:             $where .= " AND perms = 'sysadmin'";
124:         }
125: 
126:         $userColl->select($where);
127: 
128:         while (($item = $userColl->next()) !== false) {
129:             $uid = $item->get('user_id');
130:             $perm = $item->get('perms');
131:             // password is stored as a sha256 hash
132:             $pass = $item->get('password');
133:             $salt = $item->get("salt");
134:         }
135: 
136:         if ($uid == false || hash("sha256", md5($password) . $salt) != $pass) {
137:             // No user found, sleep and exit
138:             sleep(5);
139: 
140:             return false;
141:         }
142: 
143:         if ($perm != '') {
144:             $groupPerm[] = $perm;
145:         }
146: 
147:         $groupColl = new cApiGroupCollection();
148:         $groups = $groupColl->fetchByUserID($uid);
149:         foreach ($groups as $group) {
150:             $groupPerm[] = $group->get('perms');
151:         }
152: 
153:         $perm = implode(',', $groupPerm);
154: 
155:         $this->auth['perm'] = $perm;
156: 
157:         return $uid;
158:     }
159: 
160:     /**
161:      * Log the successful authentication.
162:      *
163:      * @see cAuthHandlerAbstract::logSuccessfulAuth()
164:      */
165:     public function logSuccessfulAuth() {
166:         global $client, $lang, $saveLoginTime;
167: 
168:         $perm = new cPermission();
169: 
170:         // Find the first accessible client and language for the user
171:         $clientLangColl = new cApiClientLanguageCollection();
172:         $clientLangColl->select();
173: 
174:         $bFound = false;
175:         while ($bFound == false) {
176:             if (($item = $clientLangColl->next()) === false) {
177:                 break;
178:             }
179: 
180:             $iTmpClient = $item->get('idclient');
181:             $iTmpLang = $item->get('idlang');
182: 
183:             if ($perm->have_perm_client_lang($iTmpClient, $iTmpLang)) {
184:                 $client = $iTmpClient;
185:                 $lang = $iTmpLang;
186:                 $bFound = true;
187:             }
188:         }
189: 
190:         if (!is_numeric($client) || !is_numeric($lang)) {
191:             return;
192:         }
193: 
194:         $idaction = $perm->getIDForAction('login');
195: 
196:         $authInfo = $this->getAuthInfo();
197:         $uid = $authInfo['uid'];
198: 
199:         // create a actionlog entry
200:         $actionLogCol = new cApiActionlogCollection();
201:         $actionLogCol->create($uid, $client, $lang, $idaction, 0);
202: 
203:         $sess = cRegistry::getSession();
204:         $sess->register('saveLoginTime');
205:         $saveLoginTime = true;
206:     }
207: 
208:     /**
209:      * Returns true if a user is logged in.
210:      *
211:      * @see cAuthHandlerAbstract::isLoggedIn()
212:      * @return bool
213:      */
214:     public function isLoggedIn() {
215:         $authInfo = $this->getAuthInfo();
216: 
217:         if(isset($authInfo['uid'])) {
218:             $user = new cApiUser($authInfo['uid']);
219: 
220:             return $user->get('user_id') != '';
221:         } else {
222:             return false;
223:         }
224:     }
225: 
226: }
227: 