X-Git-Url: http://git.roojs.org/?p=Pman.Core;a=blobdiff_plain;f=DataObjects%2FCore_person.php;h=5160b4e3ead0d217a4f6a128f2dbc39e12d374d3;hp=0b539edab0c9219329e130a7efda3e4b9c25300d;hb=HEAD;hpb=b7e42ad53307015efcb303498bee92eac9da635d diff --git a/DataObjects/Core_person.php b/DataObjects/Core_person.php index 0b539eda..4208198e 100644 --- a/DataObjects/Core_person.php +++ b/DataObjects/Core_person.php @@ -48,6 +48,8 @@ class Pman_Core_DataObjects_Core_person extends DB_DataObject public $phone_direct; // varchar(32) NOT NULL DEFAULT ''; public $countries; // VARCHAR(128) NULL; + public $language; + /* the code above is auto generated do not remove the tag below */ ###END_AUTOCODE @@ -56,7 +58,8 @@ class Pman_Core_DataObjects_Core_person extends DB_DataObject function owner() { - $p = DB_DataObject::Factory($this->tableName()); + // this might be a Person in some old code? + $p = DB_DataObject::Factory('core_person'); $p->get($this->owner_id); return $p; } @@ -250,9 +253,15 @@ class Pman_Core_DataObjects_Core_person extends DB_DataObject // ---------------- authentication / passwords and keys stuff ---------------- function isAuth() { - @session_start(); - + // do not start a session if we are using http auth... + // we have a situation where the app is behind a http access and is also login + // need to work out a way to handle that. $ff= HTML_FlexyFramework::get(); + if (php_sapi_name() != "cli" && (empty($_SERVER['PHP_AUTH_USER']) || !empty($ff->disable_http_auth))) { + @session_start(); + } + + $sesPrefix = $this->sesPrefix(); @@ -274,14 +283,16 @@ class Pman_Core_DataObjects_Core_person extends DB_DataObject } unset($_SESSION[get_class($this)][$sesPrefix .'-auth']); unset($_SESSION[get_class($this)][$sesPrefix .'-timeout']); - setcookie('Pman.timeout', -1, time() + (30*60), '/'); + //setcookie('Pman.timeout', -1, time() + (30*60), '/'); return false; } // http basic auth.. $u = DB_DataObject::factory($this->tableName()); - if (!empty($_SERVER['PHP_AUTH_USER']) + if (empty($ff->disable_http_auth) // http auth requests should not have this... + && + !empty($_SERVER['PHP_AUTH_USER']) && !empty($_SERVER['PHP_AUTH_PW']) && @@ -290,11 +301,15 @@ class Pman_Core_DataObjects_Core_person extends DB_DataObject $u->checkPassword($_SERVER['PHP_AUTH_PW']) ) { // logged in via http auth - - $_SESSION[get_class($this)][$sesPrefix .'-auth'] = serialize($u); + // http auth will not need session... + //$_SESSION[get_class($this)][$sesPrefix .'-auth'] = serialize($u); self::$authUser = $u; return true; } + + // at this point all http auth stuff is done, so we can init session + + //die("test init"); if (!$this->canInitializeSystem()) { // die("can not init"); @@ -306,16 +321,20 @@ class Pman_Core_DataObjects_Core_person extends DB_DataObject if (!empty($ff->Pman['local_autoauth']) && $ff->Pman['local_autoauth'] === true) { $auto_auth_allow = true; } - if ( - (!empty($_SERVER['SERVER_ADDR'])) && + if ( !empty($ff->Pman['local_autoauth']) + && + !empty($_SERVER['SERVER_ADDR']) && + !empty($_SERVER['REMOTE_ADDR']) && ( - $_SERVER['SERVER_ADDR'] == '127.0.0.1' && - $_SERVER['REMOTE_ADDR'] == '127.0.0.1' - ) - || - ( - $_SERVER['SERVER_ADDR'] == '::1' && - $_SERVER['REMOTE_ADDR'] == '::1' + ( + $_SERVER['SERVER_ADDR'] == '127.0.0.1' && + $_SERVER['REMOTE_ADDR'] == '127.0.0.1' + ) + || + ( + $_SERVER['SERVER_ADDR'] == '::1' && + $_SERVER['REMOTE_ADDR'] == '::1' + ) ) ){ @@ -323,10 +342,10 @@ class Pman_Core_DataObjects_Core_person extends DB_DataObject } - if (empty($_SERVER['PATH_INFO']) || $_SERVER['PATH_INFO'] == '/Login') { + if (empty($_SERVER['PATH_INFO']) || $_SERVER['PATH_INFO'] == '/Login') { $auto_auth_allow = false; } - //var_dump($auto_auth_allow); + //var_dump($auto_auth_allow); // local auth - $default_admin = false; if ($auto_auth_allow) { @@ -341,6 +360,7 @@ class Pman_Core_DataObjects_Core_person extends DB_DataObject "); if($member->find(true)){ $default_admin = DB_DataObject::factory($this->tableName()); + $default_admin->autoJoin(); if(!$default_admin->get($member->user_id)){ $default_admin = false; } @@ -349,9 +369,10 @@ class Pman_Core_DataObjects_Core_person extends DB_DataObject //var_dump($ff->Pman['local_autoauth']); var_dump($_SERVER); exit; $u = DB_DataObject::factory($this->tableName()); + $u->autoJoin(); $ff = HTML_FlexyFramework::get(); - if ($auto_auth_allow && + if ($auto_auth_allow && ($default_admin || $u->get('email', $ff->Pman['local_autoauth'])) ) { @@ -374,6 +395,9 @@ class Pman_Core_DataObjects_Core_person extends DB_DataObject $u = DB_DataObject::factory($this->tableName()); $u->whereAdd(' LENGTH(passwd) > 0'); $n = $u->count(); + if (empty($_SESSION[get_class($this)]) || !is_array($_SESSION[get_class($this)])) { + $_SESSION[get_class($this)] = array(); + } $_SESSION[get_class($this)][$sesPrefix .'-empty'] = $n; if (class_exists('PEAR')) { $error = PEAR::getStaticProperty('DB_DataObject','lastError'); @@ -410,7 +434,7 @@ class Pman_Core_DataObjects_Core_person extends DB_DataObject if (isset($_SESSION[get_class($this)][$sesPrefix .'-auth'])) { $_SESSION[get_class($this)][$sesPrefix .'-auth-timeout'] = time() + (30*60); // eg. 30 minutes - setcookie('Pman.timeout', time() + (30*60), time() + (30*60), '/'); + //setcookie('Pman.timeout', time() + (30*60), time() + (30*60), '/'); } // not really sure why it's cloned.. return clone (self::$authUser); @@ -490,7 +514,7 @@ class Pman_Core_DataObjects_Core_person extends DB_DataObject $d = $p->toArray(); $_SESSION[get_class($this)][$sesPrefix .'-auth-timeout'] = time() + (30*60); // eg. 30 minutes - setcookie('Pman.timeout', time() + (30*60), time() + (30*60), '/'); + //setcookie('Pman.timeout', time() + (30*60), time() + (30*60), '/'); //var_dump(array(get_class($this),$sesPrefix .'-auth')); $_SESSION[get_class($this)][$sesPrefix .'-auth'] = serialize((object)$d); @@ -510,11 +534,8 @@ class Pman_Core_DataObjects_Core_person extends DB_DataObject $this->isAuth(); // force session start.. $sesPrefix = $this->sesPrefix(); - $_SESSION[get_class($this)][$sesPrefix .'-auth-timeout'] = -1; - $_SESSION[get_class($this)][$sesPrefix .'-auth'] = ""; - self::$authUser = false; } @@ -527,7 +548,58 @@ class Pman_Core_DataObjects_Core_person extends DB_DataObject $month = $m > -1 ? date('Y-m') : date('Y-m', strtotime('LAST MONTH')); return md5(implode(',' , array($month, $this->email , $this->passwd, $this->id))); - } + } + /** + * When we generate autologin urls: + * eg. /Somesite/Test/12 + * it will generate: + * /Somesite/Test/12/{datetime}/{sha256(url + expires_datetime + password)} + * + * eg. genAutoLoginURL($sub, $expires) + */ + function genAutoLoginURL($url, $expires = false) + { + $expires = $expires === false ? strtotime("NOW + 1 WEEK") : $expires; + //echo serialize(array($url, $expires, $this->email, $this->passwd)); + //echo hash('sha256', serialize(array($url, $expires, $this->email, $this->passwd))); + + return $url.'/'.$this->id .'/'.$expires.'/'. + hash('sha256', + serialize( + array($url, $expires, $this->email,$this->passwd) + ) + ); + + } + + function validateAutoLogin($called) + { + $bits = explode("/",$called); + if (count($bits) < 4) { + return false; // unrelated. + } + $hash = array_pop($bits); + $time = array_pop($bits); + + $id = array_pop($bits); + if (!is_numeric($time) || !is_numeric($id)) { + return false; // wrong format. + } + $u = DB_DataObject::Factory($this->tableName()); + $u->get($id); + $url = implode("/", $bits); + if ($time < time()) { + return "Expired"; + } + //echo serialize(array('/'.$url, $time, $u->email, $u->passwd)); + //echo hash('sha256', serialize(array('/'.$url, $time, $u->email, $u->passwd))); + if ($hash == hash('sha256', serialize(array('/'.$url, $time*1, $u->email, $u->passwd)))) { + $u->login(); + return $u; + } + return false; + } + function checkTwoFactorAuthentication($val) { @@ -595,6 +667,9 @@ class Pman_Core_DataObjects_Core_person extends DB_DataObject function company() { + if (empty($this->company_id)) { + return false; + } $x = DB_DataObject::factory('core_company'); $x->autoJoin(); $x->get($this->company_id); @@ -620,27 +695,29 @@ class Pman_Core_DataObjects_Core_person extends DB_DataObject if (!func_num_args()) { return $this->lang; } - $val = array_shift(func_get_args()); + $ar = func_get_args(); + $val = array_shift($ar); if ($val == $this->lang) { return; } $uu = clone($this); $this->lang = $val; $this->update($uu); + if(!empty(self::$authUser) && self::$authUser->id == $this->id) { + self::$authUser->lang = $this->lang; + } return $this->lang; } function authUserArray() { - $aur = $this->toArray(); if ($this->id < 1) { return $aur; } - //DB_DataObject::debugLevel(1); $c = DB_Dataobject::factory('core_company'); $im = DB_Dataobject::factory('Images'); @@ -687,12 +764,31 @@ class Pman_Core_DataObjects_Core_person extends DB_DataObject $aur['require_oath'] = 1; $s = DB_DataObject::Factory('core_setting'); - $oath_require = $s->lookup('core', 'two_factor_authentication_requirement'); + $oath_require = $s->lookup('core', 'two_factor_auth_required'); $aur['require_oath'] = $oath_require ? $oath_require->val : 0; + $aur['core_person_settings'] = $this->settings(); + return $aur; } + function settings($return_obj = false) + { + $cs = DB_DataObject::factory('core_person_settings'); + $cs->setFrom(array( + 'person_id' => $this->id + )); + return $return_obj ? $cs->fetchAll() : $cs->fetchAll('scope', 'data');; + } + function toRooSingleArray($authUser, $request) + { + $ret = $this->toArray(); + foreach( $this->settings() as $k=>$v) { + $ret['core_person_settings['. $k .']'] = $v; + } + + return $ret; + } // ----------PERMS------ ---------------- function getPerms() { @@ -805,7 +901,11 @@ class Pman_Core_DataObjects_Core_person extends DB_DataObject $roo->jerr('Fail to generate QR Code'); } - $roo->jok($qrcode); + $roo->jdata(array( + 'secret' => $hash, + 'image' => $qrcode, + 'issuer' => $person->qrCodeIssuer() + )); } if(!empty($q['two_factor_auth_code'])) { @@ -928,11 +1028,30 @@ class Pman_Core_DataObjects_Core_person extends DB_DataObject )" ); } + if(!empty($q['in_group_starts'])){ + + $v = $this->escape($q['in_group_starts']); + + $this->whereAdd(" + $tn_p.id IN ( + SELECT + DISTINCT(user_id) FROM $tn_gm + LEFT JOIN + $tn_g + ON + $tn_g.id = $tn_gm.group_id + WHERE + $tn_g.name LIKE '{$v}%' + )" + ); + } + + // #2307 Search Country!! if (!empty($q['query']['in_country'])) { // DB_DataObject::debugLevel(1); - $inc = $q['query']['in_country']; + $inc = $this->escape($q['query']['in_country']); $this->whereAdd("$tn_p.countries LIKE '%{$inc}%'"); } @@ -998,6 +1117,15 @@ class Pman_Core_DataObjects_Core_person extends DB_DataObject {$this->tableName()}.name LIKE '%{$this->escape($q['query']['name'])}%' "); } + + if(!empty($q['query']['name_or_email'])){ + $v = $this->escape($q['query']['name_or_email']); + $this->whereAdd(" + {$this->tableName()}.name LIKE '%{$v}%' + OR + {$this->tableName()}.email LIKE '%{$v}%' + "); + } if(!empty($q['query']['name_starts'])){ $this->whereAdd(" {$this->tableName()}.name LIKE '{$this->escape($q['query']['name_starts'])}%' @@ -1077,7 +1205,7 @@ class Pman_Core_DataObjects_Core_person extends DB_DataObject if (!$roo->hasPerm('Core.Projects_All', 'S')) { $peps = $p->people($pids); - $this->whereAddIn("{$tn}.id", $peps, 'int'); + $this->whereAddIn("{$this->tableName()}.id", $peps, 'int'); } } @@ -1115,13 +1243,35 @@ class Pman_Core_DataObjects_Core_person extends DB_DataObject LENGTH({$this->tableName()}.oath_key) AS length_oath_key "); } - + if (isset($q['_with_group_membership'])) { + $this->selectAddGroupMemberships(); + } } + function selectAddGroupMemberships() + { + $this->selectAdd(" + + COALESCE(( + SELECT + GROUP_CONCAT( CASE WHEN core_group.display_name = '' THEN core_group.name ELSE core_group.display_name END separator '\n') + FROM + core_group_member + LEFT JOIN + core_group + ON + core_group.id = core_group_member.group_id + WHERE + core_group_member.user_id = core_person.id + ORDER BY + core_group.display_name ASC + ), '') as member_of"); + } + function setFromRoo($ar, $roo) { - $this->setFrom($ar); + $this->setFrom($ar); if(!empty($ar['_enable_oath_key'])){ $oath_key = $this->generateOathKey(); @@ -1142,7 +1292,7 @@ class Pman_Core_DataObjects_Core_person extends DB_DataObject } // this only applies to our owner company.. $c = $this->company(); - if (empty($c->comptype_name) || $c->comptype_name != 'OWNER') { + if (empty($c) || empty($c->comptype_name) || $c->comptype_name != 'OWNER') { return true; } @@ -1235,10 +1385,18 @@ class Pman_Core_DataObjects_Core_person extends DB_DataObject // determine if it's staff!!! $owncomp = DB_DataObject::Factory('core_company'); $owncomp->get('comptype', 'OWNER'); - $isStaff = ($au->company_id == $owncomp->id); - + $editor_is_staff = ($au->company_id == $owncomp->id); + + if (!$editor_is_staff) { + // non staff editing should not user roo/isPerm? + return false; // no permission if user is not staff!? + + } + + $this_is_staff = ($this->company_id == $owncomp->id); - if (!$isStaff) { + /* + if (!$this_is_staff ) { // - can not change company!!! if ($changes && @@ -1262,7 +1420,7 @@ class Pman_Core_DataObjects_Core_person extends DB_DataObject //return $this->company_id == $au->company_id; } - + */ // yes, only owner company can mess with this... @@ -1273,11 +1431,13 @@ class Pman_Core_DataObjects_Core_person extends DB_DataObject // extra case change passwod? case 'P': //??? password // standard perms -- for editing + if the user is dowing them selves.. - $ret = $isStaff ? $au->hasPerm("Core.Staff", "E") : $au->hasPerm("Core.Person", "E"); - return $ret || $au->id == $this->id; + $ret = $this_is_staff ? $au->hasPerm("Core.Staff", "E") : $au->hasPerm("Core.Person", "E"); + return $ret || $au->id == $this->id; // can change own data? default: - return $isStaff ? $au->hasPerm("Core.Staff", $lvl) : $au->hasPerm("Core.Person", $lvl); + return $this_is_staff ? $au->hasPerm("Core.Staff", $lvl) : $au->hasPerm("Core.Person", $lvl); + + } return false; @@ -1285,8 +1445,20 @@ class Pman_Core_DataObjects_Core_person extends DB_DataObject function beforeInsert($req, $roo) { + if (!empty($req['_bulk_update_passwords'])) { + $this->bulkUpdatePasswords($req['_bulk_update_passwords'], $roo); + return; + } + $p = DB_DataObject::factory('core_person'); if ($roo->authUser->id > -1 || $p->count() > 1) { + $pp = DB_DataObject::factory('core_person'); + $pp->whereAdd('LOWER(email) = "' . $pp->escape(strtolower(trim($this->email))) . '"'); + if ($pp->count()){ + $roo->jerror("NOTICE-DUPE-EMAIL", "that email already exists in the database"); + } + + return; } $c = DB_DataObject::Factory('core_company'); @@ -1299,6 +1471,11 @@ class Pman_Core_DataObjects_Core_person extends DB_DataObject $this->company_id = $c->id; $this->email = trim($this->email); + + + + + } function onInsert($req, $roo) @@ -1332,9 +1509,45 @@ class Pman_Core_DataObjects_Core_person extends DB_DataObject $pd->company_id = $this->company_id; $pd->insert(); } - + if (!empty($req['core_person_settings'])) { + $this->updateSettings($req['core_person_settings'], $roo); + } } + function onUpdate($old, $req,$roo, $event) + { + if (!empty($req['core_person_settings'])) { + $this->updateSettings($req['core_person_settings'], $roo); + } + } + + // there should really be a registry of valid scope values!? + function updateSettings($ar, $roo) + { + //DB_DataObject::debugLevel(1); + $old = array(); + foreach($this->settings(true) as $o) { + $old[$o->scope] = $o; + } + foreach($ar as $k=>$v) { + if (isset($old[$k])) { + $oo = clone($old[$k]); + $old[$k]->data = $v; + $old[$k]->update($oo); + continue; + } + $cs = DB_DataObject::Factory('core_person_settings'); + $cs->setFrom(array( + 'person_id' =>$this->id, + 'scope' => $k, + 'data' => $v + )); + $cs->insert(); + } + // we dont delete old stuff.... + } + + function importFromArray($roo, $persons, $opts) { if (empty($opts['prefix'])) { @@ -1411,9 +1624,7 @@ class Pman_Core_DataObjects_Core_person extends DB_DataObject $ff= HTML_FlexyFramework::get(); $appname = empty($ff->appNameShort) ? $ff->project : $ff->project . '-' . $ff->appNameShort; - $dname = method_exists($this, 'getDatabaseConnection') ? $this->getDatabaseConnection()->dsn['database'] : $this->databaseNickname(); - $sesPrefix = $appname.'-' .get_class($this) .'-' . $dname; return $sesPrefix; @@ -1422,9 +1633,7 @@ class Pman_Core_DataObjects_Core_person extends DB_DataObject function loginPublic() // used where??? { $this->isAuth(); // force session start.. - $db = $this->getDatabaseConnection(); - $ff = HTML_FlexyFramework::get(); if(empty($ff->Pman) || empty($ff->Pman['login_public'])){ @@ -1444,6 +1653,16 @@ class Pman_Core_DataObjects_Core_person extends DB_DataObject function beforeUpdate($old, $q, $roo) { $this->email = trim($this->email); + + $p = DB_DataObject::factory('core_person'); + if ($roo->authUser->id > -1 || $p->count() > 1) { + $pp = DB_DataObject::factory('core_person'); + $pp->whereAdd('LOWER(email) = "' . $pp->escape(strtolower(trim($this->email))) . '"'); + $pp->whereAdd('id != ' . $old->id); + if ($pp->count()){ + $roo->jerror("NOTICE-DUPE-EMAIL", "that email already exists in the database"); + } + } } function generateOathKey() @@ -1464,8 +1683,7 @@ class Pman_Core_DataObjects_Core_person extends DB_DataObject return false; } - $issuer = (empty($this->name)) ? - rawurlencode('ROOJS') : rawurlencode($this->name); + $issuer = rawurlencode($this->qrCodeIssuer()); $uri = "otpauth://totp/{$issuer}:{$this->email}?secret={$hash}&issuer={$issuer}&algorithm=SHA1&digits=6&period=30"; @@ -1485,4 +1703,88 @@ class Pman_Core_DataObjects_Core_person extends DB_DataObject return "data:image/png;base64,{$base64}"; } + function qrCodeIssuer() + { + $pg= HTML_FlexyFramework::get()->page; + + $issuer = (empty($pg->company->name)) ? 'ROOJS' : "{$pg->company->name}"; + + return $issuer; + } + + static function test_ADMIN_PASSWORD_RESET($pg, $to) + { + $ff = HTML_FlexyFramework::get(); + $person = DB_DataObject::Factory('core_person'); + $person->id = -1; + + return array( + 'HTTP_HOST' => $_SERVER['SERVER_NAME'], + 'person' => $person, + 'authFrom' => 'FAKE_LINK', + 'authKey' => 'FAKE_KEY', + + 'rcpts' => $to->email, + ); + + return $content; + } + function bulkUpdatePasswords($data, $roo) + { + + if ( !$roo->hasPerm("Core.Staff", "E")) { + $roo->jerr("permission denied"); + } + $rows = explode("\n",$data); + $upd = array(); + $bad = array(); + + foreach($rows as $i=>$row) { + if (!strlen(trim($row))) { + continue; + } + $bits = preg_split('/\s+/', trim($row)); + if (count($bits) != 2) { + $bad[] = "Invalid line: {$row}"; + continue; + } + // validate. + $upd[strtolower($bits[0])] = $bits[1]; + + } + if (empty($upd)) { + + $roo->jerr(empty($bad) ? "No rows to update": ("ERRORS: ". implode("\n", $bad))); + return; + } + // next fetch them all. + $p = DB_DataObject::factory('core_person'); + $p->whereAddIn('email', array_keys($upd), 'string'); + foreach($p->fetchAll() as $p) { + $map[strtolower($p->email)] = $p; + } + foreach($upd as $k=>$nv) { + if (!isset($map[$k])) { + $bad[] = "Missing account with email: " . $k; + continue; + } + if ($map[$k]->id == $roo->authUser->id) { + $bad[] = "You can not update your own password here: " . $k; + continue; + } + } + if (!empty($bad)) { + $roo->jerr("ERRORS: ". implode("\n", $bad)); + return; + } + foreach($map as $k => $p) { + $pp = clone($p); + $p->setPassword($upd[$k]); + $p->update($pp); + } + $roo->jok("Updated"); + + + } + }