* Copyright 2001-2002, 2009, Roland Mas
* Copyright 2004-2005, GForge, LLC
*
- * This file is part of FusionForge.
- *
- * FusionForge is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published
- * by the Free Software Foundation; either version 2 of the License,
- * or (at your option) any later version.
- *
- * FusionForge is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with FusionForge; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
- * USA
+ * This file is part of FusionForge. FusionForge is free software;
+ * you can redistribute it and/or modify it under the terms of the
+ * GNU General Public License as published by the Free Software
+ * Foundation; either version 2 of the Licence, or (at your option)
+ * any later version.
+ *
+ * FusionForge is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with FusionForge; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
*/
require_once $gfcommon.'include/account.php';
$session_ser = getStringFromCookie('session_ser');
/**
- * session_build_session_cookie() - Construct session cookie for the user
+ * session_build_session_token() - Construct session token for the user
*
* @param int User_id of the logged in user
- * @return cookie value
+ * @return string token value
*/
-function session_build_session_cookie($user_id) {
+function session_build_session_token($user_id) {
+ if (!$user_id) {
+ return '';
+ }
+
$session_serial = $user_id.'-*-'.time().'-*-'.getStringFromServer('REMOTE_ADDR').'-*-'.getStringFromServer('HTTP_USER_AGENT');
$session_serial_hash = md5($session_serial.forge_get_config('session_key'));
- $session_serial_cookie = base64_encode($session_serial).'-*-'.$session_serial_hash;
- return $session_serial_cookie;
+ $session_serial_token = base64_encode($session_serial).'-*-'.$session_serial_hash;
+ return $session_serial_token;
}
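Review bot: The integrity tag computed as `md5($session_serial.forge_get_config('session_key'))` is a bare hash over data-plus-secret rather than a keyed MAC, and with this rename the function becomes the single place that mints authentication tokens, so it is the right moment to fix the primitive. `hash_hmac('md5', $session_serial, forge_get_config('session_key'))` keeps the 32-hex-character width that the `user_session.session_hash` column appears to rely on while no longer depending on md5's collision resistance; existing sessions would be invalidated on deploy, which is acceptable for a token-format change but should be stated. The serial also embeds the attacker-controlled `HTTP_USER_AGENT` unescaped, using the same `-*-` separator the verifier presumably splits on, so a User-Agent containing `-*-` yields a token that never validates; base64-encoding that field or stripping the separator avoids it. The verifier's split of the decoded serial is not visible in this hunk.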
/**
- * session_get_session_cookie_hash() - Get hash of session cookie
+ * session_get_hash_from_token() - Get hash of session token
*
* This hash can be used as a key to identify session, e.g. in DB.
*
- * @param string Value of the session cookie
+ * @param string Value of the session token
* @return hash
*/
-function session_get_session_cookie_hash($session_cookie) {
- list ($junk, $hash) = explode('-*-', $session_cookie);
+function session_get_hash_from_token($session_token) {
+ list ($junk, $hash) = explode('-*-', $session_token);
return $hash;
}
/**
- * session_check_session_cookie() - Check that session cookie passed from user is ok
+ * session_check_session_token() - Check that session token passed from user is ok
*
- * @param string Value of the session cookie
- * @return user_id if cookie is ok, false otherwise
+ * @param string Value of the session token
+ * @return user_id if token is ok, false otherwise
*/
-function session_check_session_cookie($session_cookie) {
+function session_check_session_token($session_token) {
+ if ($session_token == '') {
+ return false;
+ }
- list ($session_serial, $hash) = explode('-*-', $session_cookie);
+ list ($session_serial, $hash) = explode('-*-', $session_token);
$session_serial = base64_decode($session_serial);
$new_hash = md5($session_serial.forge_get_config('session_key'));
if (trim($user_agent) != getStringFromServer('HTTP_USER_AGENT')) {
return false;
}
- if (($GLOBALS['sys_session_expire'] > 0) &&
- ($time - time() >= $GLOBALS['sys_session_expire'])) {
+ if ((forge_get_config('session_expire') > 0) &&
+ ($time - time() >= forge_get_config('session_expire'))) {
return false;
}
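Review bot: The expiry test rewritten here, `$time - time() >= forge_get_config('session_expire')`, can never be true when `$time` is the issue timestamp carried in the token (its assignment is outside the visible lines, presumably from the decoded serial), because issue time minus now is zero or negative; it should read `(time() - $time) >= forge_get_config('session_expire')`, reading the config value once into a local. As written, a captured token keeps validating indefinitely whatever `session_expire` is set to. The comparison of `$new_hash` against `$hash` is not in the hunk either; wherever it lives, `hash_equals($new_hash, $hash)` should replace a `==`/`!=` compare. `session_check_session_token()` continues past the end of this hunk.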
*
*/
function session_logout() {
-
- // delete both session and username cookies
- // NB: cookies must be deleted with the same scope parameters they were set with
- //
- session_cookie('session_ser', '');
-
+ plugin_hook('close_auth_session');
RBACEngine::getInstance()->invalidateRoleCaches() ;
return true;
}
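Review bot: `session_logout()` now performs no invalidation of its own: the `session_cookie('session_ser', '')` call is removed and nothing here deletes the `user_session` row that `session_set_new()` inserts, so the token stays valid until `session_expire` unless the `close_auth_session` handler of every deployed auth plugin clears both. A server-side step that does not depend on plugins would be `if ($session_ser) { db_query_params('DELETE FROM user_session WHERE session_hash = $1', array(session_get_hash_from_token($session_ser))); }`, using the `$session_ser` global read from the cookie at file scope. If the builtin auth plugin already does this, a one-line comment saying so would spare the next reader the search.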
return session_login_valid_dbonly ($loginname, $passwd, $allowpending) ;
}
-function session_login_valid_dbonly ($loginname, $passwd, $allowpending) {
- global $feedback,$userstatus;
+function session_login_valid_dbonly($loginname, $passwd, $allowpending=false) {
+ return session_check_credentials_in_database($loginname, $passwd, $allowpending);
+}
+
+function session_check_credentials_in_database($loginname, $passwd, $allowpending=false) {
+ global $warning_msg ,$userstatus;
// Try to get the users from the database using user_id and (MD5) user_pw
if (forge_get_config('require_unique_email')) {
}
if (!$res || db_numrows($res) < 1) {
// No user by that name
- $feedback=_('Invalid Password Or User Name');
+ $warning_msg = _('Invalid Password Or User Name');
return false;
} else {
// There is a user with the provided user_name/email, but the MD5 passwds do not match
if (crypt ($passwd, $usr['unix_pw']) != $usr['unix_pw']) {
// Even the (crypt) unix_pw does not patch
// This one has clearly typed a bad passwd
- $feedback=_('Invalid Password Or User Name');
+ $warning_msg = _('Invalid Password Or User Name');
return false;
}
// User exists, (crypt) unix_pw matches
$res = db_query_params ('UPDATE users SET user_pw=$1 WHERE user_id=$2',
array (md5($passwd),
$usr['user_id'])) ;
- return session_login_valid_dbonly($loginname, $passwd, $allowpending) ;
+ return session_check_credentials_in_database($loginname, $passwd, $allowpending) ;
}
} else {
// If we're here, then the user has typed a password matching the (MD5) user_pw
$res = db_query_params ('UPDATE users SET unix_pw=$1 WHERE user_id=$2',
array (account_genunixpw($passwd),
$usr['user_id'])) ;
- return session_login_valid_dbonly($loginname, $passwd, $allowpending) ;
+ return session_check_credentials_in_database($loginname, $passwd, $allowpending) ;
} else {
// Invalidate (MD5) user_pw, refuse authentication
$res = db_query_params ('UPDATE users SET user_pw=$1 WHERE user_id=$2',
array ('OUT OF DATE',
$usr['user_id'])) ;
- $feedback=_('Invalid Password Or User Name');
+ $warning_msg =_('Invalid Password Or User Name');
return false;
}
}
if ($allowpending && ($usr['status'] == 'P')) {
//1;
} else {
- if ($usr['status'] == 'S') {
+ if ($usr['status'] == 'S') {
//acount suspended
- $feedback = _('Account Suspended');
+ $warning_msg = _('Account Suspended');
return false;
}
- if ($usr['status'] == 'P') {
+ if ($usr['status'] == 'P') {
//account pending
- $feedback = _('Account Pending');
+ $warning_msg = _('Account Pending');
return false;
- }
- if ($usr['status'] == 'D') {
+ }
+ if ($usr['status'] == 'D') {
//account deleted
- $feedback = _('Account Deleted');
+ $warning_msg = _('Account Deleted');
return false;
}
if ($usr['status'] != 'A') {
//unacceptable account flag
- $feedback = _('Account Not Active');
+ $warning_msg = _('Account Not Active');
return false;
}
}
//create a new session
- session_set_new(db_result($res,0,'user_id'));
+ session_set_new(db_result($res, 0, 'user_id'));
return true;
}
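Review bot: The two recursive calls into `session_check_credentials_in_database()` that follow the `UPDATE users SET user_pw=...` and `UPDATE users SET unix_pw=...` statements never inspect `$res`; if either UPDATE fails, the next invocation sees the same row, takes the same branch and recurses without bound. Add `if (!$res) { $warning_msg = _('Invalid Password Or User Name'); return false; }` before each recursive call. The legacy check `crypt($passwd, $usr['unix_pw']) != $usr['unix_pw']` is a loose, non-constant-time compare; `!hash_equals($usr['unix_pw'], crypt($passwd, $usr['unix_pw']))` is the safer form. The rename also keeps writing `md5($passwd)` unsalted into `user_pw`, which deserves a `// TODO: migrate to password_hash()` even if the schema change is out of scope here. Parts of the function body are omitted from this hunk.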
} else {
$eoldip = explode(".",$oldip);
$enewip = explode(".",$newip);
-
+
// require same class b subnet
- return ( ($eoldip[0] == $enewip[0])
+ return ( ($eoldip[0] == $enewip[0])
&& ($eoldip[1] == $enewip[1]) ) ;
}
}
}
/**
- * session_cookie() - Set a session cookie
+ * session_set_cookie() - Set a session cookie
*
* Set a cookie with default temporal scope of the current browser session
* and URL space of the current webserver
* @param string Expiration time in UNIX seconds (default 0)
* @return true/false
*/
-function session_cookie($name ,$value, $domain = '', $expiration = 0) {
+function session_set_cookie($name ,$value, $domain = '', $expiration = 0) {
if (php_sapi_name() != 'cli') {
if ( $expiration != 0){
setcookie($name, $value, time() + $expiration, '/', $domain, 0);
* @return never returns
*/
function session_redirect($loc) {
- header('Location: '.util_make_url ($loc));
+ session_redirect_external(util_make_url ($loc));
+ exit;
+}
+
+/**
+ * session_redirect_external() - Redirect browser to a (potentially external) URL
+ *
+ * @param string Absolute URL, not necessarily within the site
+ * @return never returns
+ */
+function session_redirect_external($url) {
+ header('Location: '.$url);
print("\n\n");
exit;
}
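Review bot: `session_redirect_external()` emits `Location: ` straight from its argument with no validation, which makes it an open-redirect sink for any caller that passes a request-derived URL; the docblock should say so, e.g. `@param string Absolute URL; MUST be validated by the caller (host allowlist), never taken verbatim from request input`. The trailing `exit;` in `session_redirect()` is unreachable because `session_redirect_external()` already exits; keep the exit in one place. Whether `util_make_url()` constrains the host is not visible here.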
*/
function session_require($req, $reason='') {
if (!session_loggedin()) {
- exit_not_logged_in();
+ exit_not_logged_in();
}
-
+
$user =& user_get_object(user_getid());
if (! $user->isActive()) {
session_logout();
exit_permission_denied($reason,'');
}
}
- } else if ($req['isloggedin']) {
- //no need to check as long as the check is present at top of function
} else {
exit_permission_denied($reason,'');
}
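Review bot: Dropping the `else if ($req['isloggedin'])` branch changes behaviour: a caller passing a `$req` whose only key is `isloggedin` previously fell through silently (the login check at the top of `session_require()` had already run) and now reaches `exit_permission_denied()`. That is fail-closed, so not a security regression, but any remaining caller of that form will start denying logged-in users; either keep the branch or confirm all callers have moved to `session_require_perm()`. The middle of `session_require()` is cut from the hunk, so the other branches of the chain are not visible.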
function session_require_perm ($section, $reference, $action = NULL, $reason='') {
if (!forge_check_perm ($section, $reference, $action)) {
exit_permission_denied ($reason,'');
- }
+ }
}
/**
*/
function session_require_global_perm ($section, $action = NULL, $reason='') {
if (!forge_check_global_perm ($section, $action)) {
+ if (!$reason) {
+ $reason = sprintf (_('Permission denied. The %s administrators will have to grant you permission to view this page.'),
+ forge_get_config ('forge_name')) ;
+ }
exit_permission_denied ($reason,'');
- }
+ }
}
/**
* @return none
*/
function session_set_new($user_id) {
- global $G_SESSION,$session_ser;
-
- // set session cookie
- //
- $cookie = session_build_session_cookie($user_id);
- session_cookie("session_ser", $cookie, "", $GLOBALS['sys_session_expire']);
- $session_ser=$cookie;
+ $token = session_build_session_token($user_id);
- $res = db_query_params ('SELECT count(*) as c FROM user_session WHERE session_hash =$1',
- array (session_get_session_cookie_hash($cookie))) ;
+ $res = db_query_params ('SELECT count(*) as c FROM user_session WHERE session_hash = $1',
+ array (session_get_hash_from_token($token))) ;
if (!$res || db_result($res,0,'c') < 1) {
db_query_params ('INSERT INTO user_session (session_hash,ip_addr,time,user_id) VALUES ($1,$2,$3,$4)',
- array (session_get_session_cookie_hash($cookie),
+ array (session_get_hash_from_token($token),
getStringFromServer('REMOTE_ADDR'),
time(),
$user_id)) ;
}
// check uniqueness of the session_hash in the database
- //
$res = session_getdata($user_id);
if (!$res) {
else if (db_numrows($res) < 1) {
exit_error(_('Could not fetch user session data'),'');
} else {
+ session_set_internal ($user_id, $res) ;
+ }
+}
- //set up the new user object
- //
- $G_SESSION = user_get_object($user_id,$res);
- if ($G_SESSION) {
- $G_SESSION->setLoggedIn(true);
- }
+function session_set_internal ($user_id, $res=false) {
+ global $G_SESSION ;
+
+ $G_SESSION = user_get_object($user_id,$res);
+ if ($G_SESSION) {
+ $G_SESSION->setLoggedIn(true);
}
RBACEngine::getInstance()->invalidateRoleCaches() ;
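Review bot: `session_set_new()` now mints `$token` and records its hash in `user_session`, but the token itself goes nowhere: the `session_cookie("session_ser", ...)` call and the `$session_ser = $cookie` assignment are removed and `$token` is neither returned nor handed to a hook. Unless a plugin re-derives the identical token, which requires the same `time()` second, IP and User-Agent, the stored hash will never match what the browser presents; adding `return $token;` lets the caller pass it to whatever transport now sets the cookie. Wherever that cookie is set, note that `session_set_cookie()` still calls `setcookie()` with `secure` = 0 and no `httponly`, so the session token remains readable by script and is sent over plain HTTP. `session_set_internal()` continues past the end of this hunk.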
function session_getdata($user_id) {
return db_query_params ('SELECT u.*,sl.language_id, sl.name, sl.filename, sl.classname, sl.language_code, t.dirname, t.fullname
FROM users u, supported_languages sl, themes t
- WHERE u.language=sl.language_id
+ WHERE u.language=sl.language_id
AND u.theme_id=t.theme_id
AND u.user_id=$1',
array ($user_id)) ;
* @return none
*/
function session_set() {
- plugin_hook('session_set_entry');
global $G_SESSION;
- global $session_ser, $session_key;
+ global $session_ser;
// assume bad session_hash and session. If all checks work, then allow
// otherwise make new session
$id_is_good = false;
- // If user says he's logged in (by presenting cookie), check that
- if ($session_ser) {
+ $params = array();
+ // pass the session_ser from cookie to the auth plugins
+ // (see AuthBuiltinPlugin::checkAuthSession() or likes)
+ // expect FORGE_AUTH_AUTHORITATIVE_ACCEPT, FORGE_AUTH_AUTHORITATIVE_REJECT or FORGE_AUTH_NOT_AUTHORITATIVE
+ // in results
+ $params['auth_token'] = $session_ser;
+ $params['results'] = array();
+ plugin_hook_by_reference('check_auth_session', $params);
+
+ $seen_yes = false;
+ $seen_no = false;
+ foreach ($params['results'] as $p => $r) {
+ if ($r == FORGE_AUTH_AUTHORITATIVE_ACCEPT) {
+ $seen_yes = true;
+ } elseif ($r == FORGE_AUTH_AUTHORITATIVE_REJECT) {
+ $seen_no = true;
+ }
+ }
+ if ($seen_yes && !$seen_no) {
+ // see AuthBuiltinPlugin::fetchAuthUser() or likes
+ // expect user object in results
+ $params = array();
+ $params['results'] = NULL;
+ plugin_hook_by_reference('fetch_authenticated_user', $params);
+ $user = $params['results'];
+
+ if ($user) {
+ $params = array();
+ $params['username'] = $user->getUnixName();
+ $params['event'] = 'every-page';
+ plugin_hook('sync_account_info', $params);
+
+ $user->setLoggedIn(true);
+ $G_SESSION = $user;
+ } else {
+ $G_SESSION=false;
+ }
+ }
+ // TODO: else... what ?
+
+ $re = RBACEngine::getInstance();
+ $re->invalidateRoleCaches() ;
+}
+
+/**
+ * Re initializes a session, trusting a non-sufficient plugin only temporarily
+ *
+ * The checkAuthSession of the Auth plugin will have to acknowledge the 'sufficient_forced' param in 'check_auth_session' hook
+ * @param string $authpluginname
+ */
+function session_set_for_authplugin($authpluginname) {
+ global $G_SESSION;
+ global $session_ser;
- $user_id = session_check_session_cookie($session_ser);
+ // assume bad session_hash and session. If all checks work, then allow
+ // otherwise make new session
+ $id_is_good = false;
- if ($user_id) {
+ $params = array();
+ // pass the session_ser from cookie to the auth plugins
+ // (see AuthBuiltinPlugin::checkAuthSession() or likes)
+ // expect FORGE_AUTH_AUTHORITATIVE_ACCEPT, FORGE_AUTH_AUTHORITATIVE_REJECT or FORGE_AUTH_NOT_AUTHORITATIVE
+ // in results
+ $params['sufficient_forced'] = $authpluginname;
- $result = session_getdata($user_id);
+ $params['auth_token'] = $session_ser;
+ $params['results'] = array();
- if (db_numrows($result) > 0) {
- $id_is_good = true;
- }
- }
- } // else (hash does not exist) or (session hash is bad)
+ plugin_hook_by_reference('check_auth_session', $params);
- if ($id_is_good) {
- $G_SESSION = user_get_object($user_id, $result);
- if ($G_SESSION) {
- $G_SESSION->setLoggedIn(true);
+ $seen_yes = false;
+ foreach ($params['results'] as $p => $r) {
+ if ($r == FORGE_AUTH_AUTHORITATIVE_ACCEPT) {
+ $seen_yes = true;
}
- } else {
- $G_SESSION=false;
+ }
+
+ if ($seen_yes) {
+ //echo "user ok\n";
+ // see AuthBuiltinPlugin::fetchAuthUser() or likes
+ // expect user object in results
+ $params = array();
+ $params['results'] = NULL;
+
+ plugin_hook_by_reference('fetch_authenticated_user', $params);
- // if there was bad session cookie, kill it and the user cookie
- //
- if ($session_ser) {
- session_logout();
+ $user = $params['results'];
+
+ if ($user) {
+ $params = array();
+ $params['username'] = $user->getUnixName();
+ $params['event'] = 'every-page';
+ plugin_hook('sync_account_info', $params);
+
+ $user->setLoggedIn(true);echo "user:".$user->getUnixName();
+ $G_SESSION = $user;
+
+ } else {
+ $G_SESSION=false;
}
}
- plugin_hook('session_set_return');
+ // TODO: else... what ?
- RBACEngine::getInstance()->invalidateRoleCaches() ;
+ $re = RBACEngine::getInstance();
+ //print_r($re->getGlobalRoles());
+ //print_r($re->getPublicRoles());
+ $re->invalidateRoleCaches() ;
+ //print_r($re->getAvailableRoles());
+
+
}
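Review bot: `session_set_for_authplugin()` leaves a debug statement live on the line `$user->setLoggedIn(true);echo "user:".$user->getUnixName();` — it writes the username into every response body before headers are finished and must go, along with the commented-out `print_r` calls. In both `session_set()` and `session_set_for_authplugin()` the `// TODO: else... what ?` branch is where the removed code reset `$G_SESSION = false` and called `session_logout()` on a bad cookie; with no `else`, a rejected or unhandled token leaves whatever `$G_SESSION` held before, so at least `else { $G_SESSION = false; }` is needed to keep the fail-closed default, which matters for `session_continue()` re-running `session_set()` with a caller-supplied key. `$id_is_good` is assigned in both functions and never read. `session_set_for_authplugin()` also ignores `FORGE_AUTH_AUTHORITATIVE_REJECT` entirely, presumably by design for the forced plugin, but that deserves a comment.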
-//TODO - this should be generalized and used for pre.php,
-//SOAP, forum_gateway.php, tracker_gateway.php, etc to
+//TODO - this should be generalized and used for pre.php,
+//SOAP, forum_gateway.php, tracker_gateway.php, etc to
//setup languages
function session_continue($sessionKey) {
global $session_ser;
$session_ser = $sessionKey;
session_set();
setup_gettext_from_context();
+ setup_tz_from_context();
$LUSER =& session_get_user();
if (!is_object($LUSER) || $LUSER->isError()) {
return false;
} else {
- putenv('TZ='. $LUSER->getTimeZone());
return true;
}
}
+function setup_tz_from_context() {
+ $LUSER =& session_get_user();
+ if (!is_object($LUSER) || $LUSER->isError()) {
+ $tz = forge_get_config('default_timezone');
+ } else {
+ $tz = $LUSER->getTimeZone();
+ }
+ putenv ('TZ='. $tz);
+ date_default_timezone_set($tz);
+}
+
/**
* session_get_user() - Wrapper function to return the User object for the logged in user.
- *
+ *
* @return User
* @access public
*/