1 | <?php |
||||
2 | |||||
3 | use Elgg\SystemMessagesService; |
||||
4 | use Elgg\Di\ServiceProvider; |
||||
5 | |||||
6 | /** |
||||
7 | * Elgg session management |
||||
8 | * Functions to manage logins |
||||
9 | * |
||||
10 | * @package Elgg.Core |
||||
11 | * @subpackage Session |
||||
12 | */ |
||||
13 | |||||
14 | /** |
||||
15 | * Gets Elgg's session object |
||||
16 | * |
||||
17 | * @return \ElggSession |
||||
18 | * @since 1.9 |
||||
19 | */ |
||||
20 | function elgg_get_session() { |
||||
21 | 163 | return _elgg_services()->session; |
|||
22 | } |
||||
23 | |||||
24 | /** |
||||
25 | * Return the current logged in user, or null if no user is logged in. |
||||
26 | * |
||||
27 | * @return \ElggUser|null |
||||
28 | */ |
||||
29 | function elgg_get_logged_in_user_entity() { |
||||
30 | 260 | return _elgg_services()->session->getLoggedInUser(); |
|||
31 | } |
||||
32 | |||||
33 | /** |
||||
34 | * Return the current logged in user by guid. |
||||
35 | * |
||||
36 | * @see elgg_get_logged_in_user_entity() |
||||
37 | * @return int |
||||
38 | */ |
||||
39 | function elgg_get_logged_in_user_guid() { |
||||
40 | 1255 | return _elgg_services()->session->getLoggedInUserGuid(); |
|||
41 | } |
||||
42 | |||||
43 | /** |
||||
44 | * Returns whether or not the user is currently logged in |
||||
45 | * |
||||
46 | * @return bool |
||||
47 | */ |
||||
48 | function elgg_is_logged_in() { |
||||
49 | 5389 | return _elgg_services()->session->isLoggedIn(); |
|||
50 | } |
||||
51 | |||||
52 | /** |
||||
53 | * Returns whether or not the viewer is currently logged in and an admin user. |
||||
54 | * |
||||
55 | * @return bool |
||||
56 | */ |
||||
57 | function elgg_is_admin_logged_in() { |
||||
58 | 39 | return _elgg_services()->session->isAdminLoggedIn(); |
|||
59 | } |
||||
60 | |||||
61 | /** |
||||
62 | * Check if the given user has full access. |
||||
63 | * |
||||
64 | * @todo: Will always return full access if the user is an admin. |
||||
65 | * |
||||
66 | * @param int $user_guid The user to check |
||||
67 | * |
||||
68 | * @return bool |
||||
69 | * @since 1.7.1 |
||||
70 | */ |
||||
71 | function elgg_is_admin_user($user_guid) { |
||||
72 | |||||
73 | $user_guid = (int) $user_guid; |
||||
74 | |||||
75 | $entity = get_user($user_guid); |
||||
76 | if (!$entity) { |
||||
77 | return false; |
||||
78 | } |
||||
79 | |||||
80 | return $entity->isAdmin(); |
||||
81 | } |
||||
82 | |||||
83 | /** |
||||
84 | * Perform user authentication with a given username and password. |
||||
85 | * |
||||
86 | * @warning This returns an error message on failure. Use the identical operator to check |
||||
87 | * for access: if (true === elgg_authenticate()) { ... }. |
||||
88 | * |
||||
89 | * |
||||
90 | * @see login |
||||
91 | * |
||||
92 | * @param string $username The username |
||||
93 | * @param string $password The password |
||||
94 | * |
||||
95 | * @return true|string True or an error message on failure |
||||
96 | * @access private |
||||
97 | */ |
||||
98 | function elgg_authenticate($username, $password) { |
||||
99 | 7 | $pam = new \ElggPAM('user'); |
|||
100 | 7 | $credentials = ['username' => $username, 'password' => $password]; |
|||
101 | 7 | $result = $pam->authenticate($credentials); |
|||
102 | 7 | if (!$result) { |
|||
103 | 2 | return $pam->getFailureMessage(); |
|||
104 | } |
||||
105 | 5 | return true; |
|||
106 | } |
||||
107 | |||||
108 | /** |
||||
109 | * Hook into the PAM system which accepts a username and password and attempts to authenticate |
||||
110 | * it against a known user. |
||||
111 | * |
||||
112 | * @param array $credentials Associated array of credentials passed to |
||||
113 | * Elgg's PAM system. This function expects |
||||
114 | * 'username' and 'password' (cleartext). |
||||
115 | * |
||||
116 | * @return bool |
||||
117 | * @throws LoginException |
||||
118 | * @access private |
||||
119 | */ |
||||
120 | function pam_auth_userpass(array $credentials = []) { |
||||
121 | |||||
122 | 9 | if (!isset($credentials['username']) || !isset($credentials['password'])) { |
|||
123 | 2 | return false; |
|||
124 | } |
||||
125 | |||||
126 | 7 | $user = get_user_by_username($credentials['username']); |
|||
127 | 7 | if (!$user) { |
|||
128 | 1 | throw new \LoginException(_elgg_services()->translator->translate('LoginException:UsernameFailure')); |
|||
129 | } |
||||
130 | |||||
131 | 6 | $password_svc = _elgg_services()->passwords; |
|||
132 | 6 | $password = $credentials['password']; |
|||
133 | 6 | $hash = $user->password_hash; |
|||
134 | |||||
135 | 6 | if (check_rate_limit_exceeded($user->guid)) { |
|||
136 | throw new \LoginException(_elgg_services()->translator->translate('LoginException:AccountLocked')); |
||||
137 | } |
||||
138 | |||||
139 | 6 | if (!$password_svc->verify($password, $hash)) { |
|||
140 | 1 | log_login_failure($user->guid); |
|||
141 | 1 | throw new \LoginException(_elgg_services()->translator->translate('LoginException:PasswordFailure')); |
|||
142 | } |
||||
143 | |||||
144 | 5 | if ($password_svc->needsRehash($hash)) { |
|||
145 | $password_svc->forcePasswordReset($user, $password); |
||||
146 | } |
||||
147 | |||||
148 | 5 | return true; |
|||
149 | } |
||||
150 | |||||
151 | /** |
||||
152 | * Log a failed login for $user_guid |
||||
153 | * |
||||
154 | * @param int $user_guid User GUID |
||||
155 | * |
||||
156 | * @return bool |
||||
157 | */ |
||||
158 | function log_login_failure($user_guid) { |
||||
159 | 1 | $user_guid = (int) $user_guid; |
|||
160 | 1 | $user = get_entity($user_guid); |
|||
161 | |||||
162 | 1 | if (($user_guid) && ($user) && ($user instanceof \ElggUser)) { |
|||
163 | 1 | $fails = (int) $user->getPrivateSetting("login_failures"); |
|||
164 | 1 | $fails++; |
|||
165 | |||||
166 | 1 | $user->setPrivateSetting("login_failures", $fails); |
|||
167 | 1 | $user->setPrivateSetting("login_failure_$fails", time()); |
|||
168 | 1 | return true; |
|||
169 | } |
||||
170 | |||||
171 | return false; |
||||
172 | } |
||||
173 | |||||
174 | /** |
||||
175 | * Resets the fail login count for $user_guid |
||||
176 | * |
||||
177 | * @param int $user_guid User GUID |
||||
178 | * |
||||
179 | * @return bool true on success (success = user has no logged failed attempts) |
||||
180 | */ |
||||
181 | function reset_login_failure_count($user_guid) { |
||||
182 | 4 | $user_guid = (int) $user_guid; |
|||
183 | 4 | $user = get_entity($user_guid); |
|||
184 | |||||
185 | 4 | if (($user_guid) && ($user) && ($user instanceof \ElggUser)) { |
|||
186 | 4 | $fails = (int) $user->getPrivateSetting("login_failures"); |
|||
187 | |||||
188 | 4 | if ($fails) { |
|||
189 | for ($n = 1; $n <= $fails; $n++) { |
||||
190 | $user->removePrivateSetting("login_failure_$n"); |
||||
191 | } |
||||
192 | |||||
193 | $user->removePrivateSetting("login_failures"); |
||||
194 | |||||
195 | return true; |
||||
196 | } |
||||
197 | |||||
198 | // nothing to reset |
||||
199 | 4 | return true; |
|||
200 | } |
||||
201 | |||||
202 | return false; |
||||
203 | } |
||||
204 | |||||
205 | /** |
||||
206 | * Checks if the rate limit of failed logins has been exceeded for $user_guid. |
||||
207 | * |
||||
208 | * @param int $user_guid User GUID |
||||
209 | * |
||||
210 | * @return bool on exceeded limit. |
||||
211 | */ |
||||
212 | function check_rate_limit_exceeded($user_guid) { |
||||
213 | // 5 failures in 5 minutes causes temporary block on logins |
||||
214 | 6 | $limit = 5; |
|||
215 | 6 | $user_guid = (int) $user_guid; |
|||
216 | 6 | $user = get_entity($user_guid); |
|||
217 | |||||
218 | 6 | if (($user_guid) && ($user) && ($user instanceof \ElggUser)) { |
|||
219 | 6 | $fails = (int) $user->getPrivateSetting("login_failures"); |
|||
220 | 6 | if ($fails >= $limit) { |
|||
221 | $cnt = 0; |
||||
222 | $time = time(); |
||||
223 | for ($n = $fails; $n > 0; $n--) { |
||||
224 | $f = $user->getPrivateSetting("login_failure_$n"); |
||||
225 | if ($f > $time - (60 * 5)) { |
||||
226 | $cnt++; |
||||
227 | } |
||||
228 | |||||
229 | if ($cnt == $limit) { |
||||
230 | // Limit reached |
||||
231 | return true; |
||||
232 | } |
||||
233 | } |
||||
234 | } |
||||
235 | } |
||||
236 | |||||
237 | 6 | return false; |
|||
238 | } |
||||
239 | |||||
240 | /** |
||||
241 | * Set a cookie, but allow plugins to customize it first. |
||||
242 | * |
||||
243 | * To customize all cookies, register for the 'init:cookie', 'all' event. |
||||
244 | * |
||||
245 | * @param \ElggCookie $cookie The cookie that is being set |
||||
246 | * @return bool |
||||
247 | * @since 1.9 |
||||
248 | */ |
||||
249 | function elgg_set_cookie(\ElggCookie $cookie) { |
||||
250 | if (elgg_trigger_event('init:cookie', $cookie->name, $cookie)) { |
||||
251 | return setcookie($cookie->name, $cookie->value, $cookie->expire, $cookie->path, |
||||
252 | $cookie->domain, $cookie->secure, $cookie->httpOnly); |
||||
253 | } |
||||
254 | return false; |
||||
255 | } |
||||
256 | |||||
257 | /** |
||||
258 | * Logs in a specified \ElggUser. For standard registration, use in conjunction |
||||
259 | * with elgg_authenticate. |
||||
260 | * |
||||
261 | * @see elgg_authenticate |
||||
262 | * |
||||
263 | * @param \ElggUser $user A valid Elgg user object |
||||
264 | * @param boolean $persistent Should this be a persistent login? |
||||
265 | * |
||||
266 | * @return true or throws exception |
||||
267 | * @throws LoginException |
||||
268 | */ |
||||
269 | function login(\ElggUser $user, $persistent = false) { |
||||
270 | 6 | if ($user->isBanned()) { |
|||
271 | 1 | throw new \LoginException(elgg_echo('LoginException:BannedUser')); |
|||
272 | } |
||||
273 | |||||
274 | 5 | $session = _elgg_services()->session; |
|||
275 | |||||
276 | // give plugins a chance to reject the login of this user (no user in session!) |
||||
277 | 5 | if (!elgg_trigger_before_event('login', 'user', $user)) { |
|||
278 | 1 | throw new \LoginException(elgg_echo('LoginException:Unknown')); |
|||
279 | } |
||||
280 | |||||
281 | // #5933: set logged in user early so code in login event will be able to |
||||
282 | // use elgg_get_logged_in_user_entity(). |
||||
283 | 4 | $session->setLoggedInUser($user); |
|||
284 | |||||
285 | // if remember me checked, set cookie with token and store hash(token) for user |
||||
286 | 4 | if ($persistent) { |
|||
287 | _elgg_services()->persistentLogin->makeLoginPersistent($user); |
||||
288 | } |
||||
289 | |||||
290 | // User's privilege has been elevated, so change the session id (prevents session fixation) |
||||
291 | 4 | $session->migrate(); |
|||
292 | |||||
293 | 4 | $user->setLastLogin(); |
|||
294 | 4 | reset_login_failure_count($user->guid); |
|||
295 | |||||
296 | 4 | elgg_trigger_after_event('login', 'user', $user); |
|||
297 | |||||
298 | 4 | return true; |
|||
299 | } |
||||
300 | |||||
301 | /** |
||||
302 | * Log the current user out |
||||
303 | * |
||||
304 | * @return bool |
||||
305 | */ |
||||
306 | function logout() { |
||||
307 | $session = _elgg_services()->session; |
||||
308 | $user = $session->getLoggedInUser(); |
||||
309 | if (!$user) { |
||||
310 | return false; |
||||
311 | } |
||||
312 | |||||
313 | if (!elgg_trigger_before_event('logout', 'user', $user)) { |
||||
314 | return false; |
||||
315 | } |
||||
316 | |||||
317 | _elgg_services()->persistentLogin->removePersistentLogin(); |
||||
318 | |||||
319 | // pass along any messages into new session |
||||
320 | $old_msg = $session->get(SystemMessagesService::SESSION_KEY, []); |
||||
321 | $session->invalidate(); |
||||
322 | $session->set(SystemMessagesService::SESSION_KEY, $old_msg); |
||||
323 | |||||
324 | elgg_trigger_after_event('logout', 'user', $user); |
||||
325 | |||||
326 | return true; |
||||
327 | } |
||||
328 | |||||
329 | /** |
||||
330 | * Initializes the session and checks for the remember me cookie |
||||
331 | * |
||||
332 | * @param ServiceProvider $services Services |
||||
333 | * @return bool |
||||
334 | * @throws SecurityException |
||||
335 | * @access private |
||||
336 | */ |
||||
337 | function _elgg_session_boot(ServiceProvider $services) { |
||||
338 | 4777 | $services->timer->begin([__FUNCTION__]); |
|||
339 | |||||
340 | 4777 | $session = $services->session; |
|||
341 | 4777 | $session->start(); |
|||
342 | |||||
343 | // test whether we have a user session |
||||
344 | 4777 | if ($session->has('guid')) { |
|||
345 | /** @var ElggUser $user */ |
||||
346 | $user = $services->entityTable->get($session->get('guid'), 'user'); |
||||
347 | if (!$user) { |
||||
348 | // OMG user has been deleted. |
||||
349 | $session->invalidate(); |
||||
350 | forward(''); |
||||
351 | } |
||||
352 | |||||
353 | $services->persistentLogin->replaceLegacyToken($user); |
||||
354 | } else { |
||||
355 | 4777 | $user = $services->persistentLogin->bootSession(); |
|||
356 | } |
||||
357 | |||||
358 | 4777 | if ($user) { |
|||
359 | $session->setLoggedInUser($user); |
||||
360 | $user->setLastAction(); |
||||
361 | |||||
362 | // logout a user with open session who has been banned |
||||
363 | if ($user->isBanned()) { |
||||
364 | logout(); |
||||
365 | return false; |
||||
366 | } |
||||
367 | } |
||||
368 | |||||
369 | 4777 | $services->timer->end([__FUNCTION__]); |
|||
370 | 4777 | return true; |
|||
371 | } |
||||
372 | |||||
373 | /** |
||||
374 | * @see \Elgg\Application::loadCore Do not do work here. Just register for events. |
||||
375 | */ |
||||
376 | return function(\Elgg\EventsService $events, \Elgg\HooksRegistrationService $hooks) { |
||||
0 ignored issues
–
show
The parameter
$events is not used and could be removed.
(
Ignorable by Annotation
)
If this is a false-positive, you can also ignore this issue in your code via the
This check looks for parameters that have been defined for a function or method, but which are not used in the method body.
Loading history...
|
|||||
377 | 18 | register_pam_handler('pam_auth_userpass'); |
|||
378 | }; |
||||
379 |
This check looks for parameters that have been defined for a function or method, but which are not used in the method body.