author | Nils Adermann <naderman@naderman.de> | 2006-04-21 22:41:05 +0000 |
committer | Nils Adermann <naderman@naderman.de> | 2006-04-21 22:41:05 +0000 |
commit | 478ab68a7eb609de10fd6f9e874d7387f5842cb8 (patch) | |
tree | e85fe2edec0c96d3243a6159e9442d3b49fef2a1 /phpBB | |
parent | 09073c368f6e8e7c4dd76d9cc19c02079ff2c7ed (diff) | |
- added login error constant for various external auth failures
- completed auth plugin interface (init_method, login_method, autologin_method, validate_session_method, logout_method)
- updated ldap and apache auth plugins to return an info array
- added apache autologin
git-svn-id: file:///svn/phpbb/trunk@5815 89ea8834-ac86-4346-8a33-228a782c2dd0
Diffstat (limited to 'phpBB')
-rw-r--r-- | phpBB/includes/auth/auth_apache.php | 73 | ||||
-rw-r--r-- | phpBB/includes/auth/auth_ldap.php | 54 | ||||
-rw-r--r-- | phpBB/includes/constants.php | 1 | ||||
-rw-r--r-- | phpBB/includes/session.php | 88 | ||||
-rw-r--r-- | phpBB/language/en/common.php | 1 |
5 files changed, 188 insertions, 29 deletions
diff --git a/phpBB/includes/auth/auth_apache.php b/phpBB/includes/auth/auth_apache.php
index b35ec09db0..ac362bdeb0 100644
--- a/phpBB/includes/auth/auth_apache.php
+++ b/phpBB/includes/auth/auth_apache.php
@@ -32,17 +32,84 @@ function login_apache(&$username, &$password) { $sql = 'SELECT user_id, username, user_password, user_passchg, user_email, user_type FROM ' . USERS_TABLE . " - WHERE username = '" . $db->sql_escape($username) . "'"; + WHERE username = '" . $db->sql_escape($php_auth_user) . "'"; + $result = $db->sql_query($sql); + $row = $db->sql_fetchrow($result); + $db->sql_freeresult($result); + + if ($row) + { + // User inactive... + if ($row['user_type'] == USER_INACTIVE || $row['user_type'] == USER_IGNORE) + { + return array( + 'status' => LOGIN_ERROR_ACTIVE, + 'error_msg' => 'ACTIVE_ERROR', + 'user_row' => $row, + ); + } + + // Successful login... + return array( + 'status' => LOGIN_SUCCESS, + 'error_msg' => false, + 'user_row' => $row, + ); + } + + // the user does not exist + return array( + 'status' => LOGIN_ERROR_USERNAME, + 'error_msg' => 'LOGIN_ERROR_USERNAME', + 'user_row' => array('user_id' => ANONYMOUS), + ); + } + + // Not logged into apache + return array( + 'status' => LOGIN_ERROR_EXTERNAL_AUTH, + 'error_msg' => 'LOGIN_ERROR_EXTERNAL_AUTH_APACHE', + 'user_row' => array('user_id' => ANONYMOUS), + ); +} + +/** +* Autologin function +* +* @return array containing the user row or empty if no auto login should take place +*/ +function autologin_apache() +{ + global $db; + + $php_auth_user = $_SERVER['PHP_AUTH_USER']; + $php_auth_pw = $_SERVER['PHP_AUTH_PW']; + + if ((!empty($php_auth_user)) && (!empty($php_auth_pw))) + { + $sql = 'SELECT * + FROM ' . USERS_TABLE . " + WHERE username = '" . $db->sql_escape($php_auth_user) . "'"; $result = $db->sql_query($sql); if ($row = $db->sql_fetchrow($result)) { $db->sql_freeresult($result); - return ($row['user_type'] == USER_INACTIVE || $row['user_type'] == USER_IGNORE) ? 0 : $row; + return ($row['user_type'] == USER_INACTIVE || $row['user_type'] == USER_IGNORE) ? 
array() : $row; } } - return false; + return array(); +} + +/** +* The session validation function checks whether the user is still logged in +* +* @return boolean true if the given user is authenticated or false if the session should be closed +*/ +function validate_session_apache(&$user) +{ + return ($_SERVER['PHP_AUTH_USER'] == $user['username']) ? true : false; } ?>
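Review bot: `validate_session_apache` compares `$_SERVER['PHP_AUTH_USER']` to the stored username with loose `==` and without checking that the key exists; because the session.php hunk at @@ -180 now calls this hook on every request to decide whether the session survives, a request that reaches PHP without Basic-auth credentials raises an undefined-index notice, and numeric-looking usernames are compared by value rather than byte-for-byte. Suggest `return (isset($_SERVER['PHP_AUTH_USER']) && $_SERVER['PHP_AUTH_USER'] === $user['username']) ? true : false;`. In `autologin_apache`, `$db->sql_freeresult($result)` is only reached inside the `if ($row = $db->sql_fetchrow($result))` branch, so the result is never freed when no row matches; the login_ldap hunk in this same commit moves the fetch and the free ahead of the `if`, and the same shape fits here. login_apache's body begins before this hunk.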
\ No newline at end of file
diff --git a/phpBB/includes/auth/auth_ldap.php b/phpBB/includes/auth/auth_ldap.php
index 17c29cc5e6..e6d783313f 100644
--- a/phpBB/includes/auth/auth_ldap.php
+++ b/phpBB/includes/auth/auth_ldap.php
@@ -70,12 +70,20 @@ function login_ldap(&$username, &$password) if (!extension_loaded('ldap')) { - return 'LDAP extension not available'; + return array( + 'status' => LOGIN_ERROR_EXTERNAL_AUTH, + 'error_msg' => 'LDAP_NO_LDAP_EXTENSION', + 'user_row' => array('user_id' => ANONYMOUS), + ); } if (!($ldap = @ldap_connect($config['ldap_server']))) { - return 'Could not connect to LDAP server'; + return array( + 'status' => LOGIN_ERROR_EXTERNAL_AUTH, + 'error_msg' => 'LDAP_NO_SERVER_CONNECTION', + 'user_row' => array('user_id' => ANONYMOUS), + ); } @ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
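Review bot: The two new failure branches return `'error_msg' => 'LDAP_NO_LDAP_EXTENSION'` and `'error_msg' => 'LDAP_NO_SERVER_CONNECTION'` as language keys, but the only language entry this commit adds (the common.php hunk) is `LOGIN_ERROR_EXTERNAL_AUTH_APACHE`; unless those two keys already exist in a language file not touched here, the user is shown the bare key instead of a message. Either add both keys next to the apache one or state in the plugin docblock that every `error_msg` value must be defined in `language/*/common.php`. The enclosing function starts before this hunk.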
@@ -93,18 +101,49 @@ function login_ldap(&$username, &$password) FROM ' . USERS_TABLE . " WHERE username = '" . $db->sql_escape($username) . "'"; $result = $db->sql_query($sql); + $row = $db->sql_fetchrow($result); + $db->sql_freeresult($result); - if ($row = $db->sql_fetchrow($result)) + if ($row) { - $db->sql_freeresult($result); - return ($row['user_type'] == USER_INACTIVE || $row['user_type'] == USER_IGNORE) ? 0 : $row; + // User inactive... + if ($row['user_type'] == USER_INACTIVE || $row['user_type'] == USER_IGNORE) + { + return array( + 'status' => LOGIN_ERROR_ACTIVE, + 'error_msg' => 'ACTIVE_ERROR', + 'user_row' => $row, + ); + } + + // Successful login... set user_login_attempts to zero... + return array( + 'status' => LOGIN_SUCCESS, + 'error_msg' => false, + 'user_row' => $row, + ); } } + else + { + @ldap_close($ldap); + + // Give status about wrong password... + return array( + 'status' => LOGIN_ERROR_PASSWORD, + 'error_msg' => 'LOGIN_ERROR_PASSWORD', + 'user_row' => array('user_id' => ANONYMOUS), + ); + } } @ldap_close($ldap); - return false; + return array( + 'status' => LOGIN_ERROR_USERNAME, + 'error_msg' => 'LOGIN_ERROR_USERNAME', + 'user_row' => array('user_id' => ANONYMOUS), + ); } /**
@@ -147,12 +186,13 @@ function admin_ldap(&$new) * their username, password, etc. ... should be up to the plugin what data * is updated. * +* @todo implement this functionality (probably 3.2) +* * @param new|update|delete $mode defining the action to take on user updates */ function usercp_ldap($mode) { global $db, $config; - } ?>
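Review bot: The fall-through `return` at the end of the hunk labels a user whose LDAP bind succeeded but who has no row in USERS_TABLE as `LOGIN_ERROR_USERNAME`, telling them their username is wrong when the directory in fact accepted it; combined with the new `else` branch that returns `LOGIN_ERROR_PASSWORD` on a failed bind, a caller can now distinguish "unknown to the board" from "wrong password", which deserves a deliberate decision rather than a side effect (the db plugin's behaviour is not visible here). A dedicated key on that final return, e.g. `'error_msg' => 'LDAP_NO_BOARD_ACCOUNT'` (constructed name), would make the situation explicit. The comment `// Successful login... set user_login_attempts to zero...` also describes something this function does not do; if the caller resets the counter, say so, otherwise drop the second half. login_ldap's body begins before this hunk; the @@ -147 hunk on the same line is a docblock @todo only.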
\ No newline at end of file
diff --git a/phpBB/includes/constants.php b/phpBB/includes/constants.php
index 27f47d8bbb..2d6dd04da2 100644
--- a/phpBB/includes/constants.php
+++ b/phpBB/includes/constants.php
@@ -43,6 +43,7 @@ define('LOGIN_ERROR_USERNAME', 10); define('LOGIN_ERROR_PASSWORD', 11); define('LOGIN_ERROR_ACTIVE', 12); define('LOGIN_ERROR_ATTEMPTS', 13); +define('LOGIN_ERROR_EXTERNAL_AUTH', 14); // Group settings define('GROUP_OPEN', 0);
diff --git a/phpBB/includes/session.php b/phpBB/includes/session.php
index 4c08d0ce5b..793aad75f8 100644
--- a/phpBB/includes/session.php
+++ b/phpBB/includes/session.php
@@ -151,7 +151,7 @@ class session } } } - + // Is session_id is set or session_id is set and matches the url param if required if (!empty($this->session_id) && (!defined('NEED_SID') || (isset($_GET['sid']) && $this->session_id === $_GET['sid']))) {
@@ -170,7 +170,7 @@ class session // Validate IP length according to admin ... enforces an IP // check on bots if admin requires this // $quadcheck = ($config['ip_check_bot'] && $this->data['user_type'] & USER_BOT) ? 4 : $config['ip_check']; - + $s_ip = implode('.', array_slice(explode('.', $this->data['session_ip']), 0, $config['ip_check'])); $u_ip = implode('.', array_slice(explode('.', $this->ip), 0, $config['ip_check']));
@@ -180,19 +180,39 @@ class session if ($u_ip === $s_ip && $s_browser === $u_browser) { $session_expired = false; - - // Check the session length timeframe if autologin is not enabled. - // Else check the autologin length... and also removing those having autologin enabled but no longer allowed board-wide. - if (!$this->data['session_autologin']) + + // Check whether the session is still valid if we have one + $method = trim($config['auth_method']); + + if (file_exists($phpbb_root_path . 'includes/auth/auth_' . $method . '.' . $phpEx)) { - if ($this->data['session_time'] < $this->time_now - ($config['session_length'] + 60)) + include_once($phpbb_root_path . 'includes/auth/auth_' . $method . '.' . $phpEx); + + $method = 'validate_session_' . $method; + if (function_exists($method)) { - $session_expired = true; + if (!$method($this->data)) + { + $session_expired = true; + } } } - else if (!$config['allow_autologin'] || ($config['max_autologin_time'] && $this->data['session_time'] < $this->time_now - (86400 * (int) $config['max_autologin_time']) + 60)) + + if (!$session_expired) { - $session_expired = true; + // Check the session length timeframe if autologin is not enabled. + // Else check the autologin length... and also removing those having autologin enabled but no longer allowed board-wide. + if (!$this->data['session_autologin']) + { + if ($this->data['session_time'] < $this->time_now - ($config['session_length'] + 60)) + { + $session_expired = true; + } + } + else if (!$config['allow_autologin'] || ($config['max_autologin_time'] && $this->data['session_time'] < $this->time_now - (86400 * (int) $config['max_autologin_time']) + 60)) + { + $session_expired = true; + } } if (!$session_expired)
@@ -236,7 +256,7 @@ class session */ function session_create($user_id = false, $set_admin = false, $persist_login = false, $viewonline = true) { - global $SID, $db, $config, $cache; + global $SID, $db, $config, $cache, $phpbb_root_path, $phpEx; $this->data = array();
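Review bot: The new block in session_begin reads `$phpbb_root_path` and `$phpEx`, but no hunk in this diff touches session_begin's `global` statement the way @@ -236 and @@ -488 do for session_create and session_kill; if those two are not already declared global there (the statement is outside the hunk), `file_exists()` is handed a mangled relative path, quietly returns false, and the `validate_session_*` hook is never consulted — the check meant to close stale external-auth sessions would be silently skipped. Please confirm the global line or extend it, e.g. `global $config, $db, $phpbb_root_path, $phpEx;` fitted to the existing list. The same file_exists/include_once/function_exists triple is now repeated here, at @@ -292 and at @@ -488; a small private method that resolves `'<hook>_' . $method` to a callable name (or false) would keep the three in step. session_begin starts and ends outside this hunk.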
@@ -292,10 +312,29 @@ class session break; } } - + + $method = trim($config['auth_method']); + + if (file_exists($phpbb_root_path . 'includes/auth/auth_' . $method . '.' . $phpEx)) + { + include_once($phpbb_root_path . 'includes/auth/auth_' . $method . '.' . $phpEx); + + $method = 'autologin_' . $method; + if (function_exists($method)) + { + $this->data = $method(); + + if (sizeof($this->data)) + { + $this->cookie_data['k'] = ''; + $this->cookie_data['u'] = $this->data['user_id']; + } + } + } + // If we're presented with an autologin key we'll join against it. // Else if we've been passed a user_id we'll grab data based on that - if (isset($this->cookie_data['k']) && $this->cookie_data['k'] && $this->cookie_data['u']) + if (isset($this->cookie_data['k']) && $this->cookie_data['k'] && $this->cookie_data['u'] && !sizeof($this->data)) { $sql = 'SELECT u.* FROM ' . USERS_TABLE . ' u, ' . SESSIONS_KEYS_TABLE . ' k
@@ -308,7 +347,7 @@ class session $this->data = $db->sql_fetchrow($result); $db->sql_freeresult($result); } - else if ($user_id !== false) + else if ($user_id !== false && !sizeof($this->data)) { $this->cookie_data['k'] = ''; $this->cookie_data['u'] = $user_id;
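Review bot: `$this->data = $method();` accepts whatever the autologin hook returns and then tests it only with `sizeof()`; a plugin still written to the previous contract, which returned `false` when no autologin applies (this very commit changes autologin_apache from `return false;` to `return array();`), yields `sizeof(false) === 1` on the PHP versions of this era, so `$this->cookie_data['u']` is filled from a missing `user_id` and the `!sizeof($this->data)` guards on the following branches are defeated as well. Suggest `if (is_array($this->data) && sizeof($this->data))` and resetting `$this->data = array();` when that check fails, so the later branches see the empty array they expect. session_create's body continues outside this hunk; @@ -308 on the same line is the matching guard on the `$user_id` branch.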
@@ -488,13 +527,27 @@ class session */ function session_kill() { - global $SID, $db, $config; + global $SID, $db, $config, $phpbb_root_path, $phpEx; $sql = 'DELETE FROM ' . SESSIONS_TABLE . " WHERE session_id = '" . $db->sql_escape($this->session_id) . "' AND session_user_id = " . (int) $this->data['user_id']; $db->sql_query($sql); + // Allow connecting logout with external auth method logout + $method = trim($config['auth_method']); + + if (file_exists($phpbb_root_path . 'includes/auth/auth_' . $method . '.' . $phpEx)) + { + include_once($phpbb_root_path . 'includes/auth/auth_' . $method . '.' . $phpEx); + + $method = 'logout_' . $method; + if (function_exists($method)) + { + $method($this->data); + } + } + if ($this->data['user_id'] != ANONYMOUS) { // Delete existing session, update last visit info first!
@@ -538,8 +591,6 @@ class session $SID = '?sid='; $this->session_id = ''; - // Trigger EVENT_END_SESSION - return true; }
@@ -910,7 +961,7 @@ class user extends session // We include common language file here to not load it every time a custom language file is included $lang = &$this->lang; - if ((@include $this->lang_path . "common.$phpEx") === false) + if ((include $this->lang_path . "common.$phpEx") === false) { die("Language file " . $this->lang_path . "common.$phpEx" . " couldn't be opened."); }
@@ -940,7 +991,6 @@ class user extends session AND i.imageset_id = s.imageset_id"; $result = $db->sql_query($sql, 3600); $this->theme = $db->sql_fetchrow($result); - $db->sql_freeresult($result); // User has wrong style if (!$this->theme && $style == $this->data['user_style'])
diff --git a/phpBB/language/en/common.php b/phpBB/language/en/common.php
index e2a2722a9f..43289507b4 100644
--- a/phpBB/language/en/common.php
+++ b/phpBB/language/en/common.php
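Review bot: With the `@` removed from `include $this->lang_path . "common.$phpEx"`, a missing or unreadable language file now emits a PHP warning before the existing `die()`, and both messages carry `$this->lang_path`, a server filesystem path, into the response. The `die()` is not new, but since this hunk is changing the error path anyway, consider logging the full path and returning a generic message, e.g. `die('Language file could not be opened.');` with the path sent to the error log instead.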
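Review bot: Dropping `$db->sql_freeresult($result);` after the theme query is not explained by the commit message, and the query is issued with a cache ttl (`$db->sql_query($sql, 3600)`); if result handles returned by the cache layer must not be freed, a comment such as `// cached query: result handle is owned by the cache, do not free` would stop the next reader from reinstating the call, and if that is not the reason, the uncached first run now leaves the result unfreed. The enclosing method starts and ends outside this hunk.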
@@ -235,6 +235,7 @@ $lang = array_merge($lang, array( 'LOGIN_CONFIRMATION' => 'Confirmation of login', 'LOGIN_CONFIRM_EXPLAIN' => 'To prevent brute forcing accounts the board administrator requires you to enter a confirmation code after a maximum amount of failed logins. The code is displayed in the image you should see below. If you are visually impaired or cannot otherwise read this code please contact the %sBoard Administrator%s.', 'LOGIN_ERROR_ATTEMPTS' => 'You exceeded the maximum allowed number of login attempts. In addition to your username and password you now have to additionally confirm the image you see below.', + 'LOGIN_ERROR_EXTERNAL_AUTH_APACHE' => 'You have not been authenticated by apache.', 'LOGIN_ERROR_PASSWORD' => 'You have specified an incorrect password. Please check your password and try again. If you continue to have problems please contact a board administrator.', 'LOGIN_ERROR_USERNAME' => 'You have specified an incorrect username. Please check your username and try again. If you continue to have problems please contact a board administrator.', 'LOGIN_FORUM' => 'To view or post in this forum you must enter a password.', |