public $phone_direct; // varchar(32) NOT NULL DEFAULT '';
public $countries; // VARCHAR(128) NULL;
+ public $language;
+
/* the code above is auto generated do not remove the tag below */
###END_AUTOCODE
+
+ static $authUser = false;
+
function owner()
{
- $p = DB_DataObject::Factory($this->tableName());
+ // this might be a Person in some old code?
+ $p = DB_DataObject::Factory('core_person');
$p->get($this->owner_id);
return $p;
}
$sesPrefix = $this->sesPrefix();
+ self::$authUser = false;
$_SESSION[get_class($this)][$sesPrefix .'-auth'] = "";
return false;
// ---------------- authentication / passwords and keys stuff ----------------
function isAuth()
{
- @session_start();
-
+ // do not start a session if we are using http auth...
+ // we have a situation where the app is behind a http access and is also login
+ // need to work out a way to handle that.
$ff= HTML_FlexyFramework::get();
+ if (php_sapi_name() != "cli" && (empty($_SERVER['PHP_AUTH_USER']) || !empty($ff->disable_http_auth))) {
+ @session_start();
+ }
+
+
$sesPrefix = $this->sesPrefix();
+ if (self::$authUser) {
+ return self::$authUser;
+ }
+
+
if (!empty($_SESSION[get_class($this)][$sesPrefix .'-auth'])) {
// in session...
$a = unserialize($_SESSION[get_class($this)][$sesPrefix .'-auth']);
-
$u = DB_DataObject::factory($this->tableName());
+ $u->autoJoin();
if ($a->id && $u->get($a->id)) { //&& strlen($u->passwd)) {
-
- return $u->verifyAuth(); // got authentication...
-
-
+ if ($u->verifyAuth()) {
+ self::$authUser = $u;
+ return true;
+ }
}
-
unset($_SESSION[get_class($this)][$sesPrefix .'-auth']);
unset($_SESSION[get_class($this)][$sesPrefix .'-timeout']);
- setcookie('Pman.timeout', -1, time() + (30*60), '/');
-
+ //setcookie('Pman.timeout', -1, time() + (30*60), '/');
+ return false;
}
// http basic auth..
$u = DB_DataObject::factory($this->tableName());
- if (!empty($_SERVER['PHP_AUTH_USER'])
+ if (empty($ff->disable_http_auth) // http auth requests should not have this...
+ &&
+ !empty($_SERVER['PHP_AUTH_USER'])
&&
!empty($_SERVER['PHP_AUTH_PW'])
&&
&&
$u->checkPassword($_SERVER['PHP_AUTH_PW'])
) {
- $_SESSION[get_class($this)][$sesPrefix .'-auth'] = serialize($u);
+ // logged in via http auth
+ // http auth will not need session...
+ //$_SESSION[get_class($this)][$sesPrefix .'-auth'] = serialize($u);
+ self::$authUser = $u;
return true;
}
+
+ // at this point all http auth stuff is done, so we can init session
+
+
//die("test init");
if (!$this->canInitializeSystem()) {
// die("can not init");
if (!empty($ff->Pman['local_autoauth']) && $ff->Pman['local_autoauth'] === true) {
$auto_auth_allow = true;
}
- if (
- (!empty($_SERVER['SERVER_ADDR'])) &&
+ if ( !empty($ff->Pman['local_autoauth'])
+ &&
+ !empty($_SERVER['SERVER_ADDR']) &&
+ !empty($_SERVER['REMOTE_ADDR']) &&
(
- $_SERVER['SERVER_ADDR'] == '127.0.0.1' &&
- $_SERVER['REMOTE_ADDR'] == '127.0.0.1'
- )
- ||
- (
- $_SERVER['SERVER_ADDR'] == '::1' &&
- $_SERVER['REMOTE_ADDR'] == '::1'
+ (
+ $_SERVER['SERVER_ADDR'] == '127.0.0.1' &&
+ $_SERVER['REMOTE_ADDR'] == '127.0.0.1'
+ )
+ ||
+ (
+ $_SERVER['SERVER_ADDR'] == '::1' &&
+ $_SERVER['REMOTE_ADDR'] == '::1'
+ )
)
){
}
- if (empty($_SERVER['PATH_INFO']) || $_SERVER['PATH_INFO'] == '/Login') {
+ if (empty($_SERVER['PATH_INFO']) || $_SERVER['PATH_INFO'] == '/Login') {
$auto_auth_allow = false;
}
- //var_dump($auto_auth_allow);
+ //var_dump($auto_auth_allow);
// local auth -
$default_admin = false;
if ($auto_auth_allow) {
");
if($member->find(true)){
$default_admin = DB_DataObject::factory($this->tableName());
+ $default_admin->autoJoin();
if(!$default_admin->get($member->user_id)){
$default_admin = false;
}
//var_dump($ff->Pman['local_autoauth']); var_dump($_SERVER); exit;
$u = DB_DataObject::factory($this->tableName());
+ $u->autoJoin();
$ff = HTML_FlexyFramework::get();
- if ($auto_auth_allow &&
+ if ($auto_auth_allow &&
($default_admin || $u->get('email', $ff->Pman['local_autoauth']))
) {
$user = $default_admin ? $default_admin->toArray() : $u->toArray();
+ // if we request other URLS.. then we get auto logged in..
+ self::$authUser = $default_admin ? $default_admin : $u;;
//$_SESSION[get_class($this)][$sesPrefix .'-auth'] = serialize((object) $user);
return true;
}
$u = DB_DataObject::factory($this->tableName());
$u->whereAdd(' LENGTH(passwd) > 0');
$n = $u->count();
+ if (empty($_SESSION[get_class($this)]) || !is_array($_SESSION[get_class($this)])) {
+ $_SESSION[get_class($this)] = array();
+ }
$_SESSION[get_class($this)][$sesPrefix .'-empty'] = $n;
if (class_exists('PEAR')) {
$error = PEAR::getStaticProperty('DB_DataObject','lastError');
//var_dump(array(get_class($this),$sesPrefix .'-auth'));
- if (!empty($_SESSION[get_class($this)][$sesPrefix .'-auth'])) {
- $a = unserialize($_SESSION[get_class($this)][$sesPrefix .'-auth']);
-
- $u = DB_DataObject::factory($this->tableName()); // allow extending this ...
- $u->autoJoin();
- if ($u->get($a->id)) { /// && strlen($u->passwd)) { // should work out the pid .. really..
-
+ if (self::$authUser) {
+
+ if (isset($_SESSION[get_class($this)][$sesPrefix .'-auth'])) {
$_SESSION[get_class($this)][$sesPrefix .'-auth-timeout'] = time() + (30*60); // eg. 30 minutes
- setcookie('Pman.timeout', time() + (30*60), time() + (30*60), '/');
-
- $user = clone ($u);
- return clone($user);
-
+ //setcookie('Pman.timeout', time() + (30*60), time() + (30*60), '/');
}
- unset($_SESSION[get_class($this)][$sesPrefix .'-auth']);
- unset($_SESSION[get_class($this)][$sesPrefix .'-timeout']);
- setcookie('Pman.timeout', -1, time() + (30*60), '/');
+ // not really sure why it's cloned..
+ return clone (self::$authUser);
+
}
$d = $p->toArray();
$_SESSION[get_class($this)][$sesPrefix .'-auth-timeout'] = time() + (30*60); // eg. 30 minutes
- setcookie('Pman.timeout', time() + (30*60), time() + (30*60), '/');
+ //setcookie('Pman.timeout', time() + (30*60), time() + (30*60), '/');
//var_dump(array(get_class($this),$sesPrefix .'-auth'));
$_SESSION[get_class($this)][$sesPrefix .'-auth'] = serialize((object)$d);
+
+ $pp = DB_DAtaObject::Factory($this->tableName());
+ $pp->get($this->pid());
+ $pp->autoJoin();
+
+ self::$authUser = $pp;
// ensure it's written so that ajax calls can fetch it..
$this->isAuth(); // force session start..
$sesPrefix = $this->sesPrefix();
-
$_SESSION[get_class($this)][$sesPrefix .'-auth-timeout'] = -1;
-
$_SESSION[get_class($this)][$sesPrefix .'-auth'] = "";
+ self::$authUser = false;
}
function genPassKey ($t)
$month = $m > -1 ? date('Y-m') : date('Y-m', strtotime('LAST MONTH'));
return md5(implode(',' , array($month, $this->email , $this->passwd, $this->id)));
- }
+ }
+ /**
+ * When we generate autologin urls:
+ * eg. /Somesite/Test/12
+ * it will generate:
+ * /Somesite/Test/12/{datetime}/{sha256(url + expires_datetime + password)}
+ *
+ * eg. genAutoLoginURL($sub, $expires)
+ */
+ function genAutoLoginURL($url, $expires = false)
+ {
+ $expires = $expires === false ? strtotime("NOW + 1 WEEK") : $expires;
+ //echo serialize(array($url, $expires, $this->email, $this->passwd));
+ //echo hash('sha256', serialize(array($url, $expires, $this->email, $this->passwd)));
+
+ return $url.'/'.$this->id .'/'.$expires.'/'.
+ hash('sha256',
+ serialize(
+ array($url, $expires, $this->email,$this->passwd)
+ )
+ );
+
+ }
+
+ function validateAutoLogin($called)
+ {
+ $bits = explode("/",$called);
+ if (count($bits) < 4) {
+ return false; // unrelated.
+ }
+ $hash = array_pop($bits);
+ $time = array_pop($bits);
+
+ $id = array_pop($bits);
+ if (!is_numeric($time) || !is_numeric($id)) {
+ return false; // wrong format.
+ }
+ $u = DB_DataObject::Factory($this->tableName());
+ $u->get($id);
+ $url = implode("/", $bits);
+ if ($time < time()) {
+ return "Expired";
+ }
+ //echo serialize(array('/'.$url, $time, $u->email, $u->passwd));
+ //echo hash('sha256', serialize(array('/'.$url, $time, $u->email, $u->passwd)));
+ if ($hash == hash('sha256', serialize(array('/'.$url, $time*1, $u->email, $u->passwd)))) {
+ $u->login();
+ return $u;
+ }
+ return false;
+ }
+
function checkTwoFactorAuthentication($val)
{
function company()
{
+ if (empty($this->company_id)) {
+ return false;
+ }
$x = DB_DataObject::factory('core_company');
$x->autoJoin();
$x->get($this->company_id);
if (!func_num_args()) {
return $this->lang;
}
- $val = array_shift(func_get_args());
+ $ar = func_get_args();
+ $val = array_shift($ar);
if ($val == $this->lang) {
return;
}
$uu = clone($this);
$this->lang = $val;
$this->update($uu);
+ if(!empty(self::$authUser) && self::$authUser->id == $this->id) {
+ self::$authUser->lang = $this->lang;
+ }
return $this->lang;
}
function authUserArray()
{
-
$aur = $this->toArray();
if ($this->id < 1) {
return $aur;
}
-
//DB_DataObject::debugLevel(1);
$c = DB_Dataobject::factory('core_company');
$im = DB_Dataobject::factory('Images');
$aur['require_oath'] = 1;
$s = DB_DataObject::Factory('core_setting');
- $oath_require = $s->lookup('core', 'two_factor_authentication_requirement');
+ $oath_require = $s->lookup('core', 'two_factor_auth_required');
$aur['require_oath'] = $oath_require ? $oath_require->val : 0;
+ $aur['core_person_settings'] = $this->settings();
+
return $aur;
}
+ function settings($return_obj = false)
+ {
+ $cs = DB_DataObject::factory('core_person_settings');
+ $cs->setFrom(array(
+ 'person_id' => $this->id
+ ));
+ return $return_obj ? $cs->fetchAll() : $cs->fetchAll('scope', 'data');;
+ }
+ function toRooSingleArray($authUser, $request)
+ {
+ $ret = $this->toArray();
+ foreach( $this->settings() as $k=>$v) {
+ $ret['core_person_settings['. $k .']'] = $v;
+ }
+
+ return $ret;
+ }
// ----------PERMS------ ----------------
function getPerms()
{
$roo->jerr('Fail to generate QR Code');
}
- $roo->jok($qrcode);
+ $roo->jdata(array(
+ 'secret' => $hash,
+ 'image' => $qrcode,
+ 'issuer' => $person->qrCodeIssuer()
+ ));
}
if(!empty($q['two_factor_auth_code'])) {
)"
);
}
+ if(!empty($q['in_group_starts'])){
+
+ $v = $this->escape($q['in_group_starts']);
+
+ $this->whereAdd("
+ $tn_p.id IN (
+ SELECT
+ DISTINCT(user_id) FROM $tn_gm
+ LEFT JOIN
+ $tn_g
+ ON
+ $tn_g.id = $tn_gm.group_id
+ WHERE
+ $tn_g.name LIKE '{$v}%'
+ )"
+ );
+ }
+
+
// #2307 Search Country!!
if (!empty($q['query']['in_country'])) {
// DB_DataObject::debugLevel(1);
- $inc = $q['query']['in_country'];
+ $inc = $this->escape($q['query']['in_country']);
$this->whereAdd("$tn_p.countries LIKE '%{$inc}%'");
}
{$this->tableName()}.name LIKE '%{$this->escape($q['query']['name'])}%'
");
}
+
+ if(!empty($q['query']['name_or_email'])){
+ $v = $this->escape($q['query']['name_or_email']);
+ $this->whereAdd("
+ {$this->tableName()}.name LIKE '%{$v}%'
+ OR
+ {$this->tableName()}.email LIKE '%{$v}%'
+ ");
+ }
if(!empty($q['query']['name_starts'])){
$this->whereAdd("
{$this->tableName()}.name LIKE '{$this->escape($q['query']['name_starts'])}%'
if (!$roo->hasPerm('Core.Projects_All', 'S')) {
$peps = $p->people($pids);
- $this->whereAddIn("{$tn}.id", $peps, 'int');
+ $this->whereAddIn("{$this->tableName()}.id", $peps, 'int');
}
}
LENGTH({$this->tableName()}.oath_key) AS length_oath_key
");
}
+ if (isset($q['_with_group_membership'])) {
+ $this->selectAddGroupMemberships();
+ }
-
+ }
+
+ function selectAddGroupMemberships()
+ {
+ $this->selectAdd("
+
+ COALESCE((
+ SELECT
+ GROUP_CONCAT( CASE WHEN core_group.display_name = '' THEN core_group.name ELSE core_group.display_name END separator '\n')
+ FROM
+ core_group_member
+ LEFT JOIN
+ core_group
+ ON
+ core_group.id = core_group_member.group_id
+ WHERE
+ core_group_member.user_id = core_person.id
+ ORDER BY
+ core_group.display_name ASC
+ ), '') as member_of");
}
function setFromRoo($ar, $roo)
{
- $this->setFrom($ar);
+ $this->setFrom($ar);
if(!empty($ar['_enable_oath_key'])){
$oath_key = $this->generateOathKey();
}
// this only applies to our owner company..
$c = $this->company();
- if (empty($c->comptype_name) || $c->comptype_name != 'OWNER') {
+ if (empty($c) || empty($c->comptype_name) || $c->comptype_name != 'OWNER') {
return true;
}
// determine if it's staff!!!
$owncomp = DB_DataObject::Factory('core_company');
$owncomp->get('comptype', 'OWNER');
- $isStaff = ($au->company_id == $owncomp->id);
-
+ $editor_is_staff = ($au->company_id == $owncomp->id);
+
+ if (!$editor_is_staff) {
+ // non staff editing should not user roo/isPerm?
+ return false; // no permission if user is not staff!?
+
+ }
+
+ $this_is_staff = ($this->company_id == $owncomp->id);
- if (!$isStaff) {
+ /*
+ if (!$this_is_staff ) {
// - can not change company!!!
if ($changes &&
//return $this->company_id == $au->company_id;
}
-
+ */
// yes, only owner company can mess with this...
// extra case change passwod?
case 'P': //??? password
// standard perms -- for editing + if the user is dowing them selves..
- $ret = $isStaff ? $au->hasPerm("Core.Staff", "E") : $au->hasPerm("Core.Person", "E");
- return $ret || $au->id == $this->id;
+ $ret = $this_is_staff ? $au->hasPerm("Core.Staff", "E") : $au->hasPerm("Core.Person", "E");
+ return $ret || $au->id == $this->id; // can change own data?
default:
- return $isStaff ? $au->hasPerm("Core.Staff", $lvl) : $au->hasPerm("Core.Person", $lvl);
+ return $this_is_staff ? $au->hasPerm("Core.Staff", $lvl) : $au->hasPerm("Core.Person", $lvl);
+
+
}
return false;
function beforeInsert($req, $roo)
{
+ if (!empty($req['_bulk_update_passwords'])) {
+ $this->bulkUpdatePasswords($req['_bulk_update_passwords'], $roo);
+ return;
+ }
+
$p = DB_DataObject::factory('core_person');
if ($roo->authUser->id > -1 || $p->count() > 1) {
+ $pp = DB_DataObject::factory('core_person');
+ $pp->whereAdd('LOWER(email) = "' . $pp->escape(strtolower(trim($this->email))) . '"');
+ if ($pp->count()){
+ $roo->jerror("NOTICE-DUPE-EMAIL", "that email already exists in the database");
+ }
+
+
return;
}
$c = DB_DataObject::Factory('core_company');
$this->company_id = $c->id;
$this->email = trim($this->email);
+
+
+
+
+
}
function onInsert($req, $roo)
$pd->company_id = $this->company_id;
$pd->insert();
}
-
+ if (!empty($req['core_person_settings'])) {
+ $this->updateSettings($req['core_person_settings'], $roo);
+ }
+ }
+
+ function onUpdate($old, $req,$roo, $event)
+ {
+ if (!empty($req['core_person_settings'])) {
+ $this->updateSettings($req['core_person_settings'], $roo);
+ }
+ }
+
+ // there should really be a registry of valid scope values!?
+ function updateSettings($ar, $roo)
+ {
+ //DB_DataObject::debugLevel(1);
+ $old = array();
+ foreach($this->settings(true) as $o) {
+ $old[$o->scope] = $o;
+ }
+ foreach($ar as $k=>$v) {
+ if (isset($old[$k])) {
+ $oo = clone($old[$k]);
+ $old[$k]->data = $v;
+ $old[$k]->update($oo);
+ continue;
+ }
+ $cs = DB_DataObject::Factory('core_person_settings');
+ $cs->setFrom(array(
+ 'person_id' =>$this->id,
+ 'scope' => $k,
+ 'data' => $v
+ ));
+ $cs->insert();
+ }
+ // we dont delete old stuff....
}
+
function importFromArray($roo, $persons, $opts)
{
if (empty($opts['prefix'])) {
$ff= HTML_FlexyFramework::get();
$appname = empty($ff->appNameShort) ? $ff->project : $ff->project . '-' . $ff->appNameShort;
-
$dname = method_exists($this, 'getDatabaseConnection') ? $this->getDatabaseConnection()->dsn['database'] : $this->databaseNickname();
-
$sesPrefix = $appname.'-' .get_class($this) .'-' . $dname;
return $sesPrefix;
}
- function loginPublic()
+ function loginPublic() // used where???
{
$this->isAuth(); // force session start..
-
$db = $this->getDatabaseConnection();
-
$ff = HTML_FlexyFramework::get();
if(empty($ff->Pman) || empty($ff->Pman['login_public'])){
function beforeUpdate($old, $q, $roo)
{
$this->email = trim($this->email);
+
+ $p = DB_DataObject::factory('core_person');
+ if ($roo->authUser->id > -1 || $p->count() > 1) {
+ $pp = DB_DataObject::factory('core_person');
+ $pp->whereAdd('LOWER(email) = "' . $pp->escape(strtolower(trim($this->email))) . '"');
+ $pp->whereAdd('id != ' . $old->id);
+ if ($pp->count()){
+ $roo->jerror("NOTICE-DUPE-EMAIL", "that email already exists in the database");
+ }
+ }
}
function generateOathKey()
return false;
}
- $issuer = (empty($this->name)) ?
- rawurlencode('ROOJS') : rawurlencode($this->name);
+ $issuer = rawurlencode($this->qrCodeIssuer());
$uri = "otpauth://totp/{$issuer}:{$this->email}?secret={$hash}&issuer={$issuer}&algorithm=SHA1&digits=6&period=30";
return "data:image/png;base64,{$base64}";
}
+ function qrCodeIssuer()
+ {
+ $pg= HTML_FlexyFramework::get()->page;
+
+ $issuer = (empty($pg->company->name)) ? 'ROOJS' : "{$pg->company->name}";
+
+ return $issuer;
+ }
+
+ static function test_ADMIN_PASSWORD_RESET($pg, $to)
+ {
+ $ff = HTML_FlexyFramework::get();
+ $person = DB_DataObject::Factory('core_person');
+ $person->id = -1;
+
+ return array(
+ 'HTTP_HOST' => $_SERVER['SERVER_NAME'],
+ 'person' => $person,
+ 'authFrom' => 'FAKE_LINK',
+ 'authKey' => 'FAKE_KEY',
+
+ 'rcpts' => $to->email,
+ );
+
+ return $content;
+ }
+ function bulkUpdatePasswords($data, $roo)
+ {
+
+ if ( !$roo->hasPerm("Core.Staff", "E")) {
+ $roo->jerr("permission denied");
+ }
+ $rows = explode("\n",$data);
+ $upd = array();
+ $bad = array();
+
+ foreach($rows as $i=>$row) {
+ if (!strlen(trim($row))) {
+ continue;
+ }
+ $bits = preg_split('/\s+/', trim($row));
+ if (count($bits) != 2) {
+ $bad[] = "Invalid line: {$row}";
+ continue;
+ }
+ // validate.
+ $upd[strtolower($bits[0])] = $bits[1];
+
+ }
+ if (empty($upd)) {
+
+ $roo->jerr(empty($bad) ? "No rows to update": ("ERRORS: ". implode("\n", $bad)));
+ return;
+ }
+ // next fetch them all.
+ $p = DB_DataObject::factory('core_person');
+ $p->whereAddIn('email', array_keys($upd), 'string');
+ foreach($p->fetchAll() as $p) {
+ $map[strtolower($p->email)] = $p;
+ }
+ foreach($upd as $k=>$nv) {
+ if (!isset($map[$k])) {
+ $bad[] = "Missing account with email: " . $k;
+ continue;
+ }
+ if ($map[$k]->id == $roo->authUser->id) {
+ $bad[] = "You can not update your own password here: " . $k;
+ continue;
+ }
+ }
+ if (!empty($bad)) {
+ $roo->jerr("ERRORS: ". implode("\n", $bad));
+ return;
+ }
+ foreach($map as $k => $p) {
+ $pp = clone($p);
+ $p->setPassword($upd[$k]);
+ $p->update($pp);
+ }
+ $roo->jok("Updated");
+
+
+ }
+
}
projects / Pman.Core / blobdiff