Tony Marston Radicore logon.class.inc

1. <?php
2. /*
3. RADICORE software copyright 2003-2005 A J MARSTON <http://www.tonymarston.net>
4. RADICORE software copyright 2006-2008 Radicore Software Limited <http://www.radicore.org>
5.  
6. You do not own this software, you are simply granted a license to use it. Ownership of this software remains with the copyright holder.
7.  
8. This software is made available under the terms of version 3 the GNU Affero General Public License (AGPL) (http://www.gnu.org/licenses/agpl.html). If any derivative work is not also made available under the AGPL it will require a commercial license.
9.  
10. This software is made available at no charge. Any derivative work must also made available at no charge, otherwise it will require a commercial license.
11.  
12. For full details regarding the licensing structure, and the circumstances when a commercial license will be required, please refer to http://www.radicore.org/licensing.php
13. */
14. // *****************************************************************************
15. // Copyright 2003-2005 by A J Marston <http://www.tonymarston.net>
16. // Copyright 2006-2014 by Radicore Software Limited <http://www.radicore.org>
17. // *****************************************************************************
18. require_once 'mnu_user.class.inc';
19. class logon extends mnu_user
20. {
21.     // ****************************************************************************
22.     // this subclass is used by scripts: logon.php and error.inc
23.     // ****************************************************************************
24.     function user_logoff ($logon_user_id)
25.     // mark the current user as logged off.
26.     {
27.         $this->errors = array();
28.  
29.         $GLOBALS['task_id'] = 'logoff';
30.  
31.         $updatearray['user_id']       = $logon_user_id;
32.         $updatearray['in_use']        = $this->fieldspec['in_use']['false'];
33.         $updatearray['rdcaccount_id'] =& $_SESSION['rdcaccount_id'];
34.         $this->skip_validation        = true;
35.  
36.         $updatearray = $this->updateRecord($updatearray);
37.  
38.         return $this->errors;
39.  
40.     } // user_logoff
41.  
42.     // ****************************************************************************
43.     function user_logon ($logonarray, $external_auth_off=false)
44.     // validate the user_id and password from the logon screen
45.     {
46.         $this->errors = array();
47.  
48.         $GLOBALS['task_id'] = 'logon';
49.  
50.         $mnu_control =& RDCsingleton::getInstance('mnu_control');
51.  
52.         $login_type = $mnu_control->getControlData('login_type');
53.         if ($login_type == 'EMAIL') {
54.             // login using email address
55.             $this->fieldspec['email_addr']['required'] = 'y';
56.             if (!isset($logonarray['email_addr'])) {
57.                 $logonarray['email_addr'] = null;
58.             } // if
59.             unset($this->fieldspec['user_id']['required']);
60.             unset($logonarray['user_id']);
61.         } else {
62.             // default login is via USER_ID
63.             $this->fieldspec['user_id']['required'] = 'y';
64.             if (!isset($logonarray['user_id'])) {
65.                 $logonarray['user_id'] = null;
66.             } // if
67.             unset($this->fieldspec['email_addr']['required']);
68.             unset($logonarray['email_addr']);
69.         } // if
70.  
71.         // perform primary validation on the input
72.         $updatearray = $this->_validateUpdate($logonarray);
73.         if ($this->errors) {
74.             $this->fieldarray = $logonarray;
75.             return $this->errors;
76.         } // if
77.  
78.         if ($login_type == 'EMAIL') {
79.             $data = $this->getData("email_addr='{$logonarray['email_addr']}'");
80.             if (empty($data)) {
81.                 $this->errors[] = getLanguageText('sys0142'); // 'Security violation';
82.                 $this->PasswordRetries(NULL, $updatearray['user_password'], $logonarray['email_addr']);
83.                 $this->fieldarray = $logonarray;
84.                 return $this->errors;
85.             } else {
86.                 $updatearray['user_id'] = $data[0]['user_id'];
87.                 unset($updatearray['email_addr']);
88.             } // if
89.         } // if
90.  
91.         if (is_True($external_auth_off)) {
92.             // do not use External Authentication
93.             $auth_array['authentication'] = 'INTERNAL';
94.         } else {
95.             $auth_array = $mnu_control->getControlData('authentication');
96.             if (empty($auth_array)) {
97.                 $auth_array['authentication'] = 'INTERNAL';  // data missing, so use this default
98.             } // if
99.             if ($auth_array['authentication'] != 'INTERNAL') {
100.                 // external authentication is turned ON globally, but is it turned off for this USER or ROLE
101.                 $this->sql_select = 'mnu_user.user_id, mnu_user_role.role_id'
102.                                   . ", CASE WHEN mnu_user.is_external_auth_off='Y' THEN 'Y' ELSE mnu_role.is_external_auth_off END AS is_external_auth_off";
103.                 $this->sql_from   = 'mnu_user'
104.                                   ." LEFT JOIN mnu_user_role ON (mnu_user_role.user_id=mnu_user.user_id AND mnu_user_role.is_primary='Y')"
105.                                   .' LEFT JOIN mnu_role ON (mnu_role.role_id=mnu_user_role.role_id)';
106.                 $where = "mnu_user.user_id='" .addslashes($logonarray['user_id']) ."'";
107.                 $fieldarray = $this->getData_raw($where);
108.                 if (is_True($fieldarray[0]['is_external_auth_off'])) {
109.                     $auth_array['authentication'] = 'INTERNAL';
110.                 } // if
111.             } // if
112.             if ($auth_array['authentication'] != 'INTERNAL') {
113.                 $this->fieldspec['user_password']['size'] = 40;
114.             } // if
115.         } // if
116.  
117.         // if there are errors do not display unencrypted passwords
118.         $logonarray['user_password'] = '';
119.  
120.         $this->fieldarray = $updatearray;
121.         if (!empty($this->errors)) return $this->errors;
122.  
123.         $logon_password = $updatearray['user_password'];
124.         $logon_user_id  = $updatearray['user_id'];
125.  
126.         // find out if user passwords are encrypted or not
127.         $encrypt_flag = $mnu_control->getControlData('pswd_encrypt');
128.  
129.         if ($auth_array['authentication'] != 'INTERNAL') {
130.             // no need to encrypt the password
131.         } elseif ($encrypt_flag == true) {
132.             // encrypt the password to include in database lookup
133.             $crypt_obj =& RDCsingleton::getInstance('encryption_class');
134.             $spec = $this->fieldspec['user_password'];
135.             $logon_password = $crypt_obj->encrypt($logon_user_id, $logon_password, $spec['size']);
136.             if ($crypt_obj->errors) {
137.                 return $crypt_obj->errors;
138.             } // if
139.             //$logon_password = addslashes($logon_password);
140.             unset ($crypt_obj);
141.         } // if
142.  
143.         $ip_address = getRealIPAddress();
144.  
145.         // join to MNU_ROLE to obtain start_task_id
146.         $this->sql_select = 'mnu_user.user_id, user_name, start_date, end_date, is_disabled, pswd_count, pswd_chg_date, language_code, email_addr, rdcaccount_id, external_id, party_id, user_timezone, mnu_user_role.role_id, mnu_role.start_task_id ';
147.         $this->sql_from   = 'mnu_user'
148.                           ." LEFT JOIN mnu_user_role ON (mnu_user_role.user_id=mnu_user.user_id AND mnu_user_role.is_primary='Y')"
149.                           .' LEFT JOIN mnu_role ON (mnu_role.role_id=mnu_user_role.role_id)';
150.         $where = "mnu_user.user_id='" .addslashes($logon_user_id) ."'";
151.         $user_id = addslashes($logon_user_id);
152.         // lookup on MNU_USER_IP_ADDRESS to see if this IP address is valid
153.         $this->sql_select .= ", CASE WHEN (SELECT count(ip_address) FROM mnu_user_ip_address WHERE user_id='$user_id') = 0 THEN true"
154.                                   ." WHEN (SELECT count(ip_address) FROM mnu_user_ip_address WHERE user_id='$user_id' AND ip_address='$ip_address') = 1 THEN true"
155.                                   ." ELSE false"
156.                              ." END AS ip_address_valid";
157.         $this->sql_select .= ", (SELECT GROUP_CONCAT(role_id ORDER BY role_id SEPARATOR ',') FROM mnu_user_role WHERE user_id=mnu_user.user_id) AS role_list";
158.         // fetch the user's language with any date formats
159.         $this->sql_select .= ', mnu_language.input_date_format, mnu_language.output_date_format';
160.         $this->sql_from   .= " LEFT JOIN mnu_language ON ( mnu_language.language_id=COALESCE(mnu_user.language_code, '{$_SESSION['default_language']}'))";
161.         if ($auth_array['authentication'] == 'INTERNAL') {
162.             // include user_password in selection criteria
163.             $where .= " AND user_password='" .addslashes($logon_password) ."'";
164.         } // if
165.         $fieldarray = $this->getData_raw($where);
166.         if ($this->numrows <> 1) {
167.             $this->errors[] = getLanguageText('sys0142'); // 'Security violation';
168.             $this->PasswordRetries($logon_user_id, $updatearray['user_password']);
169.             $this->fieldarray = $logonarray;
170.             return $this->errors;
171.         } // if
172.  
173.         // logon OK, so clear retry values
174.         unset($_SESSION['logon_retries']);
175.  
176.         $fieldarray = $fieldarray[0];
177.  
178.         if (strlen($fieldarray['language_code']) > 0) {
179.             // user has a pre-set language code
180.             $_SESSION['user_language'] = strtolower($fieldarray['language_code']);
181.         } else {
182.             $_SESSION['user_language'] = $_SESSION['default_language'];
183.         } // if
184.  
185.         $fieldarray['user_password'] = '';
186.         if (is_True($fieldarray['is_disabled'])) {
187.             $this->errors[] = getLanguageText('sys0143'); // 'This user has been disabled';
188.             $this->fieldarray = $logonarray;
189.             return $this->errors;
190.         } // if
191.  
192.         $today = getTimeStamp('date');
193.         if ($fieldarray['end_date'] < $today) {
194.             // 'This user has an end date which is in the past'
195.             $this->errors[] = getLanguageText('sys0144');
196.             $this->fieldarray = $logonarray;
197.             return $this->errors;
198.         } // if
199.  
200.         if ($fieldarray['start_date'] > $today) {
201.             // 'This user has a start date which is in the future'
202.             $this->errors[] = getLanguageText('sys0145');
203.             $this->fieldarray = $logonarray;
204.             return $this->errors;
205.         } // if
206.  
207.         if (empty($fieldarray['role_id']) OR empty($fieldarray['role_list'])) {
208.             // 'This user does not have a primary role'
209.             $this->errors[] = getLanguageText('sys0230');
210.             $this->fieldarray = $logonarray;
211.             return $this->errors;
212.         } // if
213.  
214.         if (empty($fieldarray['start_task_id'])) {
215.             // 'This user does not have a starting task'
216.             $this->errors[] = getLanguageText('sys0231');
217.             $this->fieldarray = $logonarray;
218.             return $this->errors;
219.         } // if
220.  
221.         if (!is_True($fieldarray['ip_address_valid'])) {
222.             // 'This IP address is not valid for this user'
223.             $this->errors[] = getLanguageText('sys0200', $ip_address);
224.             $this->fieldarray = $logonarray;
225.             return $this->errors;
226.         } // if
227.  
228.         if (!empty($_SESSION['timezone_server'])) {
229.             if (!empty($fieldarray['user_timezone']) AND $fieldarray['user_timezone'] != $_SESSION['timezone_server']) {
230.                 // put this user's time zone in a permanent cookie (for use in the shutdown function)
231.                 setcookie("timezone_client", $fieldarray['user_timezone'], time()+7776000, '/');
232.                 // save it so that it can be reproduced when moving between HTTP and HTTPS protocols
233.                 $_SESSION['cookie_data']['timezone_client'] = $fieldarray['user_timezone'];
234.                 $_SESSION['cookie_time']['timezone_client'] = time()+7776000;
235.             } else {
236.                 // delete this cookie
237.                 setcookie("timezone_client", '', time()-42000, '/');
238.                 unset($_SESSION['cookie_data']['timezone_client']);
239.             } // if
240.         } // if
241.  
242.         if ($auth_array['authentication'] != 'INTERNAL') {
243.             if (empty($fieldarray['external_id'])) {
244.                 $fieldarray['external_id'] = $logon_user_id;
245.             } // if
246.             if ($auth_array['authentication'] == 'RADIUS') {
247.                 $radius = RDCsingleton::getInstance('radius_class');
248.                 $result = $radius->authenticate($fieldarray['external_id'], $logon_password);
249.                 if ($result == RADIUS_ACCESS_ACCEPT) {
250.                     // continue
251.                 } else {
252.                     // 'RADIUS authentication has failed'
253.                     $this->errors[] = getLanguageText('sys0174');
254.                     $this->fieldarray = $logonarray;
255.                     return $this->errors;
256.                 } // if
257.             } elseif ($auth_array['authentication'] == 'LDAP') {
258.                 $ldap = RDCsingleton::getInstance('ldap_class');
259.                 $result = $ldap->authenticate($fieldarray['external_id'], $logon_password);
260.                 if ($result === true) {
261.                     // continue
262.                 } else {
263.                     // 'LDAP authentication has failed'
264.                     $this->errors[] = getLanguageText('sys0176');
265.                     $this->errors[] = getLanguageText('sys0177', $result);
266.                     $this->fieldarray = $logonarray;
267.                     return $this->errors;
268.                 } // if
269.             } // if
270.         } // if
271.  
272.         // make logon data available throughout the session
273.         $_SESSION['logon_user_id']      = $logon_user_id;
274.         $_SESSION['logon_user_name']    = $fieldarray['user_name'];
275.         $_SESSION['role_id']            = $fieldarray['role_id'];
276.         $_SESSION['logon_email_addr']   = $fieldarray['email_addr'];
277.         $_SESSION['rdcaccount_id']      = $fieldarray['rdcaccount_id'];
278.         $_SESSION['logon_party_id']     = $fieldarray['party_id'];
279.         $_SESSION['start_task_id']      = $fieldarray['start_task_id'];
280.         $_SESSION['date_format_input']  = $fieldarray['input_date_format'];
281.         $_SESSION['date_format_output'] = $fieldarray['output_date_format'];
282.         //$_SESSION['selection_lock']   = true;
283.  
284.         // save list of roles from MNU_USER_ROLE table
285.         $array = explode(',', $fieldarray['role_list']);
286.         if (!empty($array)) {
287.             $_SESSION['role_list'] = "'".implode("','", $array)."'";
288.         } else {
289.             $_SESSION['role_list'] = "'".$fieldarray['role_id']."'";
290.         } // if
291.  
292.         // store locale data based on user's preferred language
293.         $_SESSION['locale_name'] = saveLocaleFormat($_SESSION['user_language']);
294.  
295.         // make a permanent copy in session data as global data may be changed
296.         $_SESSION['localeconv'] = $GLOBALS['localeconv'];
297.  
298.         if (!empty($_SESSION['timezone_server'])) {
299.             $_SESSION['timezone_client'] = $fieldarray['user_timezone'];
300.         } // if
301.  
302.         // update user record to show that he/she has logged in
303.         $updatearray['user_id']       = $logon_user_id;
304.         $updatearray['rdcaccount_id'] = $fieldarray['rdcaccount_id'];
305.         $updatearray['pswd_count']    = $fieldarray['pswd_count'] + 1;
306.         $updatearray['logon_date']    = getTimeStamp('date');
307.         $updatearray['logon_time']    = getTimeStamp('time');
308.         $updatearray['in_use']        = true;
309.         $updatearray['ip_address']    = $ip_address;
310.         unset($updatearray['user_password']);
311.  
312.         $updatearray = $this->updateRecord($updatearray);
313.  
314.         if (empty($this->errors)) {
315.             if ($auth_array['authentication'] == 'INTERNAL') {
316.                 // find out if user needs to change his password
317.                 if ($mnu_control->getControlData('pswd_change', $updatearray)) {
318.                     $next['task_id']  = 'mnu_user(upd1)b';
319.                     $next['where']    = "user_id='$logon_user_id'";
320.                     $next['action']   = 'OK';
321.                     // 'You must change your password';
322.                     $next['messages'] = getLanguageText('sys0146');
323.                     // this is processed by scriptnext() and scriptprevious()
324.                     append2ScriptSequence($next);
325.                 } else {
326.                     // find out is the user's password is due to expire in the near future
327.                     if ($expiry_msg = $mnu_control->getControlData('pswd_expires', $updatearray)) {
328.                         $this->messages[] = $expiry_msg;
329.                     } // if
330.                 } // if
331.             } // if
332.         } else {
333.             // an error has occurred, so remove redundant data before screen is redisplayed
334.             if ($login_type == 'EMAIL') {
335.                 unset($fieldarray['user_id']);
336.             } else {
337.                 unset($fieldarray['email_addr']);
338.             } // if
339.         } // if
340.  
341.         // show MOTD (Message of the Day) screen
342.         //$motd['task_id']  = 'mnu_motd(show)';
343.         //$motd['where']    = "motd_id IS NOT NULL";
344.         //append2ScriptSequence($motd);
345.  
346.         $data = $mnu_control->getControlData('pagination');
347.         $_SESSION['pagination_width'] = $data['pagination_width'];
348.         $_SESSION['scrolling_width']  = $data['scrolling_width'];
349.  
350.         // save this data inside this object
351.         $this->fieldarray = $fieldarray;
352.  
353.         $_SESSION['empty_tables'] = $this->findEmptyTables($logon_user_id);
354.  
355.         return $this->errors;
356.  
357.     } // user_logon
358.  
359.     // ****************************************************************************
360.     function PasswordRetries ($user_id, $user_password, $email_addr=null)
361.     // password has been rejected, so increment count for this user, and if it
362.     // exceeds the value in $limit then disable this user (this prevents a
363.     // hacker from trying multiple guesses)
364.     // ALSO: write record to audit_logon_errors
365.     {
366.         // log this failed attempt in 'audit_logon_errors' table
367.         $auditobj =& RDCsingleton::getInstance('audit_logon_errors');
368.  
369.         $audit_data['user_id']       = $user_id;
370.         $audit_data['email_addr']    = $email_addr;
371.         $audit_data['user_password'] = $user_password;
372.         //$audit_data['ip_address']    = $_SERVER['REMOTE_ADDR'];
373.         $audit_data['ip_address']    = getRealIPAddress();
374.         $audit_data = $auditobj->insertRecord($audit_data);
375.         if ($auditobj->errors) {
376.             $this->errors = array_merge($this->errors, $auditobj->errors);
377.         } // if
378.  
379.         // get count of password attempts
380.         $mnu_control =& RDCsingleton::getInstance('mnu_control');
381.  
382.         $max_retries = $mnu_control->getControlData('pswd_retries');
383.  
384.         if (isset($_SESSION['logon_retries'])) {
385.             if ($_SESSION['logon_retries']['user_id'] <> $user_id) {
386.                 // change of user_id, so initialize counter
387.                 $_SESSION['logon_retries']['user_id'] = $user_id;
388.                 $_SESSION['logon_retries']['count']   = 0;
389.             } // if
390.         } else {
391.             // first failure, so initialize counter
392.             $_SESSION['logon_retries']['user_id'] = $user_id;
393.             $_SESSION['logon_retries']['count']   = 0;
394.         } // if
395.  
396.         $_SESSION['logon_retries']['count']++;
397.  
398.         // slow down the response to confuse any robots which might be sniffing
399.         $interval = (int)$_SESSION['logon_retries']['count']-1;
400.         sleep($interval);
401.  
402.         if ($max_retries > 0) {
403.             // a limit has been set on the number of retries
404.             if ($_SESSION['logon_retries']['count'] > $max_retries) {
405.                 $errors = $this->errors;
406.                 // limit exceeded, so disable user
407.                 $fieldarray = $this->getData_raw("mnu_user.user_id='$user_id'");
408.                 if ($this->numrows == 1) {
409.                     $_SESSION['logon_user_id'] = $user_id;
410.                     $fieldarray[0]['is_disabled'] = true;
411.                     $fieldarray = $this->updateRecord($fieldarray);
412.                     if (($this->errors)) {
413.                         $errors = array_merge($errors, $this->errors);
414.                     } // if
415.                     $errors[] = getLanguageText('e0003'); // 'Retry count exceeded.';
416.                     $errors[] = getLanguageText('e0001'); // 'This user has been disabled.';
417.                     unset($_SESSION['logon_retries']);
418.                     unset($_SESSION['logon_user_id']);
419.                 } // if
420.                 $this->errors = $errors;
421.             } // if
422.         } // if
423.  
424.         return;
425.  
426.     } // PasswordRetries
427.  
428.     // ****************************************************************************
429.     function findEmptyTables ($user_id)
430.     // Find any empty tables to avoid reading them again in this session
431.     {
432.         $array = array();
433.  
434.         $count = $this->getCount("SELECT COUNT(*) FROM mnu_task_ip_address");
435.         if ($count == 0) {
436.             $array['mnu_task_ip_address'] = true;
437.         } // if
438.  
439.         $count = $this->getCount("SELECT COUNT(*) FROM mnu_user_ip_address WHERE user_id='$user_id'");
440.         if ($count == 0) {
441.             $array['mnu_user_ip_address'] = true;
442.         } // if
443.  
444.         $count = $this->getCount("SELECT COUNT(*) FROM mnu_time_limit_role");
445.         if ($count == 0) {
446.             $array['mnu_time_limit_role'] = true;
447.         } // if
448.  
449.         $count = $this->getCount("SELECT COUNT(*) FROM mnu_time_limit_user WHERE user_id='$user_id'");
450.         if ($count == 0) {
451.             $array['mnu_time_limit_user'] = true;
452.         } // if
453.  
454.         $count = $this->getCount("SELECT COUNT(*) FROM mnu_control WHERE record_id='SYSTEM' AND field_id LIKE 'SHUTDOWN%' AND field_value IS NOT NULL");
455.         if ($count == 0) {
456.             $array['SYSTEM_SHUTDOWN'] = true;
457.         } // if
458.  
459.         return $array;
460.  
461.     } // findEmptyTables
462.  
463.     // ****************************************************************************
464.     function _cm_changeConfig ($where, $fieldarray)
465.     // Change the table configuration for the duration of this instance.
466.     // $where = a string in SQL 'where' format.
467.     // $fieldarray = the contents of $where as an array.
468.     {
469.         // this is here just to override the method in the parent class
470.  
471.         return $fieldarray;
472.  
473.     } // _cm_changeConfig
474.  
475.     // ****************************************************************************
476.     function _cm_getInitialData ($fieldarray)
477.     // Perform custom processing for the getInitialData method.
478.     // $fieldarray contains data from the initial $where clause.
479.     {
480.         $where = '';
481.         $where = $this->_cm_changeConfig($where, $fieldarray);
482.  
483.         // get list of fields which are defined in the current screen
484.         foreach ($GLOBALS['screen_structure']['main']['fields'] as $key => $value) {
485.             $fieldlist[] = key($value);
486.         } // foreach
487.  
488.         // remove everything from $fieldspec except these fields
489.         foreach ($this->fieldspec as $fieldname => $spec) {
490.             if (in_array($fieldname, $fieldlist)) {
491.                 $fieldarray[$fieldname] = null;
492.             } else {
493.                 unset($this->fieldspec[$fieldname]);
494.             } // if
495.         } // foreach
496.  
497.         // remove field(s) and data depending on 'login_type'
498.         $dbobject =& RDCsingleton::getInstance('mnu_control');
499.         $login_type = $dbobject->getControlData('login_type');
500.  
501.         switch ($login_type) {
502.             case 'USER':
503.                 unset($this->fieldspec['email_addr']);
504.                 unset($fieldarray['email_addr']);
505.                 break;
506.  
507.             case 'EMAIL':
508.                 unset($this->fieldspec['user_id']);
509.                 unset($fieldarray['user_id']);
510.                 break;
511.  
512.             default:
513.                 break;
514.         } // switch
515.  
516.         return $fieldarray;
517.  
518.     } // _cm_getInitialData
519.  
520.     // ****************************************************************************
521.     function _cm_pre_updateRecord ($fieldarray)
522.     // perform custom processing before database record is updated.
523.     // errors are added to $this->errors.
524.     {
525.         // this replaces the function in the parent class
526.  
527.         return $fieldarray;
528.  
529.     } // _cm_pre_updateRecord
530.  
531. // ****************************************************************************
532. } // end class
533. // ****************************************************************************
534.  
535. ?>