X-Git-Url: http://git.roojs.org/?a=blobdiff_plain;f=DataObjects%2FCore_person.php;h=629edd67d2f7f26db18b17ceea50eeac96a1b4b1;hb=54fe24a4cd94d465ef1508219b477b02e58b2989;hp=2bcb0e4c44233e3db5902f407d2c1662e43491b0;hpb=be1565ef6c9c340a83a774d2198c2831705ff499;p=Pman.Core diff --git a/DataObjects/Core_person.php b/DataObjects/Core_person.php index 2bcb0e4c..629edd67 100644 --- a/DataObjects/Core_person.php +++ b/DataObjects/Core_person.php @@ -291,12 +291,12 @@ class Pman_Core_DataObjects_Core_person extends DB_DataObject } - // local auth - - $default_admin = false; - if (!empty($ff->Pman['local_autoauth']) && - ($ff->Pman['local_autoauth'] === true) && - (!empty($_SERVER['SERVER_ADDR'])) && - ( + $auto_auth_allow = false; + if (!empty($ff->Pman['local_autoauth']) && $ff->Pman['local_autoauth'] === true) { + $auto_auth_allow = true; + } + if ( + (!empty($_SERVER['SERVER_ADDR'])) && ( $_SERVER['SERVER_ADDR'] == '127.0.0.1' && $_SERVER['REMOTE_ADDR'] == '127.0.0.1' @@ -306,8 +306,19 @@ class Pman_Core_DataObjects_Core_person extends DB_DataObject $_SERVER['SERVER_ADDR'] == '::1' && $_SERVER['REMOTE_ADDR'] == '::1' ) - ) - ) { + + ){ + $auto_auth_allow = true; + } + + + if (empty($_SERVER['PATH_INFO']) || $_SERVER['PATH_INFO'] == '/Login') { + $auto_auth_allow = false; + } + + // local auth - + $default_admin = false; + if ($auto_auth_allow) { $group = DB_DataObject::factory('core_group'); $group->get('name', 'Administrators'); @@ -329,7 +340,8 @@ class Pman_Core_DataObjects_Core_person extends DB_DataObject $u = DB_DataObject::factory($this->tableName()); $ff = HTML_FlexyFramework::get(); - if (!empty($ff->Pman['local_autoauth']) && + if (!empty($ff->Pman['local_autoauth']) && + ($ff->Pman['local_autoauth'] === true) && (!empty($_SERVER['SERVER_ADDR'])) && ( ( @@ -518,15 +530,16 @@ class Pman_Core_DataObjects_Core_person extends DB_DataObject return md5(implode(',' , array($month, $this->email , $this->passwd, $this->id))); } - function checkTwoFactorAuthentication($val, $oath_key) + function checkTwoFactorAuthentication($val) { - // also used in login + + // also used in login require_once 'System.php'; if( empty($this->id) || - empty($oath_key) + empty($this->oath_key) ) { return false; } @@ -537,7 +550,7 @@ class Pman_Core_DataObjects_Core_person extends DB_DataObject return false; } - $cmd = "{$oathtool} --totp --base32 {$oath_key}"; + $cmd = "{$oathtool} --totp --base32 " . escapeshellarg($this->oath_key); $password = exec($cmd); @@ -672,9 +685,11 @@ class Pman_Core_DataObjects_Core_person extends DB_DataObject $aur['oath_key'] = ''; $aur['oath_key_enable'] = !empty($this->oath_key); + $aur['require_oath'] = 1; $s = DB_DataObject::Factory('core_setting'); - $aur['disable_oath'] = (bool) $s->lookup('core', 'two_factor_authentication') ? 0 : 1; + $oath_require = $s->lookup('core', 'two_factor_authentication_requirement'); + $aur['require_oath'] = $oath_require ? $oath_require->val : 0; return $aur; } @@ -767,7 +782,6 @@ class Pman_Core_DataObjects_Core_person extends DB_DataObject { //DB_DataObject::DebugLevel(1); if(!empty($q['_to_qr_code'])){ - $person = DB_DataObject::factory('Core_person'); $person->id = $q['id']; @@ -775,10 +789,15 @@ class Pman_Core_DataObjects_Core_person extends DB_DataObject $roo->jerr('_invalid_person'); } - $hash = $this->getOathKey(); + $hash = $this->generateOathKey(); - $_SESSION[__CLASS__] = isset($_SESSION[__CLASS__]) ? $_SESSION[__CLASS__] : array(); - $_SESSION[__CLASS__]['oath'] = isset($_SESSION[__CLASS__]['oath']) ? $_SESSION[__CLASS__]['oath'] : array(); + $_SESSION[__CLASS__] = + isset($_SESSION[__CLASS__]) ? + $_SESSION[__CLASS__] : array(); + $_SESSION[__CLASS__]['oath'] = + isset($_SESSION[__CLASS__]['oath']) ? + $_SESSION[__CLASS__]['oath'] : array(); + $_SESSION[__CLASS__]['oath'][$person->id] = $hash; $qrcode = $person->generateQRCode($hash); @@ -791,21 +810,14 @@ class Pman_Core_DataObjects_Core_person extends DB_DataObject } if(!empty($q['two_factor_auth_code'])) { - $person = DB_DataObject::factory('core_person'); $person->get($q['id']); + $o = clone($person); + $person->oath_key = $_SESSION[__CLASS__]['oath'][$person->id]; - if($person->checkTwoFactorAuthentication( - $q['two_factor_auth_code'], - $_SESSION[__CLASS__]['oath'][$person->id] - )) { - - $o = clone($person); - $person->oath_key = $_SESSION[__CLASS__]['oath'][$person->id]; + if($person->checkTwoFactorAuthentication($q['two_factor_auth_code'])) { $person->update($o); - unset($_SESSION[__CLASS__]['oath'][$person->id]); - $roo->jok('DONE'); } @@ -813,7 +825,6 @@ class Pman_Core_DataObjects_Core_person extends DB_DataObject } if(!empty($q['oath_key_disable'])) { - $person = DB_DataObject::factory('core_person'); $person->get($q['id']); @@ -1114,7 +1125,7 @@ class Pman_Core_DataObjects_Core_person extends DB_DataObject $this->setFrom($ar); if(!empty($ar['_enable_oath_key'])){ - $oath_key = $this->getOathKey(); + $oath_key = $this->generateOathKey(); } if (!empty($ar['passwd1'])) { @@ -1436,7 +1447,7 @@ class Pman_Core_DataObjects_Core_person extends DB_DataObject $this->email = trim($this->email); } - function getOathKey() + function generateOathKey() { require 'Base32.php';