X-Git-Url: http://git.roojs.org/?p=Pman.Core;a=blobdiff_plain;f=DataObjects%2FCore_person.php;h=5160b4e3ead0d217a4f6a128f2dbc39e12d374d3;hp=75db3259e1c56c6d6ba38acd0e3bcb866a73df32;hb=c8c28ad4fd428d676f271af4142af913d47f755a;hpb=8bad102e8a64f02a79417dcddb8a607bb78a1fff diff --git a/DataObjects/Core_person.php b/DataObjects/Core_person.php index 75db3259..5160b4e3 100644 --- a/DataObjects/Core_person.php +++ b/DataObjects/Core_person.php @@ -50,10 +50,14 @@ class Pman_Core_DataObjects_Core_person extends DB_DataObject /* the code above is auto generated do not remove the tag below */ ###END_AUTOCODE + + static $authUser = false; + function owner() { - $p = DB_DataObject::Factory($this->tableName()); + // this might be a Person in some old code? + $p = DB_DataObject::Factory('core_person'); $p->get($this->owner_id); return $p; } @@ -232,6 +236,7 @@ class Pman_Core_DataObjects_Core_person extends DB_DataObject $sesPrefix = $this->sesPrefix(); + self::$authUser = false; $_SESSION[get_class($this)][$sesPrefix .'-auth'] = ""; return false; @@ -252,22 +257,26 @@ class Pman_Core_DataObjects_Core_person extends DB_DataObject $sesPrefix = $this->sesPrefix(); + if (self::$authUser) { + return self::$authUser; + } + + if (!empty($_SESSION[get_class($this)][$sesPrefix .'-auth'])) { // in session... $a = unserialize($_SESSION[get_class($this)][$sesPrefix .'-auth']); - $u = DB_DataObject::factory($this->tableName()); + $u->autoJoin(); if ($a->id && $u->get($a->id)) { //&& strlen($u->passwd)) { - - return $u->verifyAuth(); // got authentication... - - + if ($u->verifyAuth()) { + self::$authUser = $u; + return true; + } } - unset($_SESSION[get_class($this)][$sesPrefix .'-auth']); unset($_SESSION[get_class($this)][$sesPrefix .'-timeout']); setcookie('Pman.timeout', -1, time() + (30*60), '/'); - + return false; } // http basic auth.. @@ -281,7 +290,10 @@ class Pman_Core_DataObjects_Core_person extends DB_DataObject && $u->checkPassword($_SERVER['PHP_AUTH_PW']) ) { - $_SESSION[get_class($this)][$sesPrefix .'-auth'] = serialize($u); + // logged in via http auth + // http auth will not need session... + //$_SESSION[get_class($this)][$sesPrefix .'-auth'] = serialize($u); + self::$authUser = $u; return true; } //die("test init"); @@ -291,23 +303,38 @@ class Pman_Core_DataObjects_Core_person extends DB_DataObject } - // local auth - - $default_admin = false; - if (!empty($ff->Pman['local_autoauth']) && - ($ff->Pman['local_autoauth'] === true) && - (!empty($_SERVER['SERVER_ADDR'])) && - ( - ( - $_SERVER['SERVER_ADDR'] == '127.0.0.1' && - $_SERVER['REMOTE_ADDR'] == '127.0.0.1' - ) - || + $auto_auth_allow = false; + if (!empty($ff->Pman['local_autoauth']) && $ff->Pman['local_autoauth'] === true) { + $auto_auth_allow = true; + } + if ( !empty($ff->Pman['local_autoauth']) + && + !empty($_SERVER['SERVER_ADDR']) && + !empty($_SERVER['REMOTE_ADDR']) && ( - $_SERVER['SERVER_ADDR'] == '::1' && - $_SERVER['REMOTE_ADDR'] == '::1' + ( + $_SERVER['SERVER_ADDR'] == '127.0.0.1' && + $_SERVER['REMOTE_ADDR'] == '127.0.0.1' + ) + || + ( + $_SERVER['SERVER_ADDR'] == '::1' && + $_SERVER['REMOTE_ADDR'] == '::1' + ) ) - ) - ) { + + ){ + $auto_auth_allow = true; + } + + + if (empty($_SERVER['PATH_INFO']) || $_SERVER['PATH_INFO'] == '/Login') { + $auto_auth_allow = false; + } + //var_dump($auto_auth_allow); + // local auth - + $default_admin = false; + if ($auto_auth_allow) { $group = DB_DataObject::factory('core_group'); $group->get('name', 'Administrators'); @@ -319,6 +346,7 @@ class Pman_Core_DataObjects_Core_person extends DB_DataObject "); if($member->find(true)){ $default_admin = DB_DataObject::factory($this->tableName()); + $default_admin->autoJoin(); if(!$default_admin->get($member->user_id)){ $default_admin = false; } @@ -327,27 +355,18 @@ class Pman_Core_DataObjects_Core_person extends DB_DataObject //var_dump($ff->Pman['local_autoauth']); var_dump($_SERVER); exit; $u = DB_DataObject::factory($this->tableName()); + $u->autoJoin(); $ff = HTML_FlexyFramework::get(); - if (!empty($ff->Pman['local_autoauth']) && - (!empty($_SERVER['SERVER_ADDR'])) && - ( - ( - $_SERVER['SERVER_ADDR'] == '127.0.0.1' && - $_SERVER['REMOTE_ADDR'] == '127.0.0.1' - ) - || - ( - $_SERVER['SERVER_ADDR'] == '::1' && - $_SERVER['REMOTE_ADDR'] == '::1' - ) - ) && + if ($auto_auth_allow && ($default_admin || $u->get('email', $ff->Pman['local_autoauth'])) ) { $user = $default_admin ? $default_admin->toArray() : $u->toArray(); - $_SESSION[get_class($this)][$sesPrefix .'-auth'] = serialize((object) $user); + // if we request other URLS.. then we get auto logged in.. + self::$authUser = $default_admin ? $default_admin : $u;; + //$_SESSION[get_class($this)][$sesPrefix .'-auth'] = serialize((object) $user); return true; } @@ -370,10 +389,9 @@ class Pman_Core_DataObjects_Core_person extends DB_DataObject } } if (!$n){ // authenticated as there are no users in the system... - return true; + return true; } - - return false; + return false; } @@ -395,23 +413,15 @@ class Pman_Core_DataObjects_Core_person extends DB_DataObject //var_dump(array(get_class($this),$sesPrefix .'-auth')); - if (!empty($_SESSION[get_class($this)][$sesPrefix .'-auth'])) { - $a = unserialize($_SESSION[get_class($this)][$sesPrefix .'-auth']); - - $u = DB_DataObject::factory($this->tableName()); // allow extending this ... - $u->autoJoin(); - if ($u->get($a->id)) { /// && strlen($u->passwd)) { // should work out the pid .. really.. - + if (self::$authUser) { + + if (isset($_SESSION[get_class($this)][$sesPrefix .'-auth'])) { $_SESSION[get_class($this)][$sesPrefix .'-auth-timeout'] = time() + (30*60); // eg. 30 minutes setcookie('Pman.timeout', time() + (30*60), time() + (30*60), '/'); - - $user = clone ($u); - return clone($user); - } - unset($_SESSION[get_class($this)][$sesPrefix .'-auth']); - unset($_SESSION[get_class($this)][$sesPrefix .'-timeout']); - setcookie('Pman.timeout', -1, time() + (30*60), '/'); + // not really sure why it's cloned.. + return clone (self::$authUser); + } @@ -491,6 +501,12 @@ class Pman_Core_DataObjects_Core_person extends DB_DataObject //var_dump(array(get_class($this),$sesPrefix .'-auth')); $_SESSION[get_class($this)][$sesPrefix .'-auth'] = serialize((object)$d); + + $pp = DB_DAtaObject::Factory($this->tableName()); + $pp->get($this->pid()); + $pp->autoJoin(); + + self::$authUser = $pp; // ensure it's written so that ajax calls can fetch it.. @@ -506,6 +522,8 @@ class Pman_Core_DataObjects_Core_person extends DB_DataObject $_SESSION[get_class($this)][$sesPrefix .'-auth'] = ""; + self::$authUser = false; + } function genPassKey ($t) { @@ -520,10 +538,9 @@ class Pman_Core_DataObjects_Core_person extends DB_DataObject function checkTwoFactorAuthentication($val) { - // also used in login - return true; + // also used in login require_once 'System.php'; if( @@ -539,7 +556,7 @@ class Pman_Core_DataObjects_Core_person extends DB_DataObject return false; } - $cmd = "{$oathtool} --totp --base32 {$this->oath_key}"; + $cmd = "{$oathtool} --totp --base32 " . escapeshellarg($this->oath_key); $password = exec($cmd); @@ -585,6 +602,9 @@ class Pman_Core_DataObjects_Core_person extends DB_DataObject function company() { + if (empty($this->company_id)) { + return false; + } $x = DB_DataObject::factory('core_company'); $x->autoJoin(); $x->get($this->company_id); @@ -610,7 +630,8 @@ class Pman_Core_DataObjects_Core_person extends DB_DataObject if (!func_num_args()) { return $this->lang; } - $val = array_shift(func_get_args()); + $ar = func_get_args(); + $val = array_shift($ar); if ($val == $this->lang) { return; } @@ -623,14 +644,12 @@ class Pman_Core_DataObjects_Core_person extends DB_DataObject function authUserArray() { - $aur = $this->toArray(); if ($this->id < 1) { return $aur; } - //DB_DataObject::debugLevel(1); $c = DB_Dataobject::factory('core_company'); $im = DB_Dataobject::factory('Images'); @@ -674,16 +693,20 @@ class Pman_Core_DataObjects_Core_person extends DB_DataObject $aur['oath_key'] = ''; $aur['oath_key_enable'] = !empty($this->oath_key); + $aur['require_oath'] = 1; $s = DB_DataObject::Factory('core_setting'); - $oath_require = $s->lookup('core', 'two_factor_authentication_requirement'); - - if(!empty($oath_require)) { - - } + $oath_require = $s->lookup('core', 'two_factor_auth_required'); + $aur['require_oath'] = $oath_require ? $oath_require->val : 0; + $aur['core_person_settings'] = array(); + + $core_person_settings = DB_DataObject::factory('core_person_settings'); + $core_person_settings->setFrom(array( + 'person_id' => $this->id + )); - $aur['disable_oath'] = (bool)$oath_require ? 1 : 0; + $aur['core_person_settings'] = $core_person_settings->fetchAll('scope', 'data'); return $aur; } @@ -800,7 +823,11 @@ class Pman_Core_DataObjects_Core_person extends DB_DataObject $roo->jerr('Fail to generate QR Code'); } - $roo->jok($qrcode); + $roo->jdata(array( + 'secret' => $hash, + 'image' => $qrcode, + 'issuer' => $person->qrCodeIssuer() + )); } if(!empty($q['two_factor_auth_code'])) { @@ -1110,13 +1137,33 @@ class Pman_Core_DataObjects_Core_person extends DB_DataObject LENGTH({$this->tableName()}.oath_key) AS length_oath_key "); } + if (isset($q['_with_group_membership'])) { + $this->selectAddGroupMemberships(); + } - + } + + function selectAddGroupMemberships() + { + $this->selectAdd(" + + COALESCE(( + SELECT + GROUP_CONCAT( core_group.name separator '\n') + FROM + core_group_member + LEFT JOIN + core_group + ON + core_group.id = core_group_member.group_id + WHERE + core_group_member.user_id = core_person.id + ), '') as member_of"); } function setFromRoo($ar, $roo) { - $this->setFrom($ar); + $this->setFrom($ar); if(!empty($ar['_enable_oath_key'])){ $oath_key = $this->generateOathKey(); @@ -1137,7 +1184,7 @@ class Pman_Core_DataObjects_Core_person extends DB_DataObject } // this only applies to our owner company.. $c = $this->company(); - if (empty($c->comptype_name) || $c->comptype_name != 'OWNER') { + if (empty($c) || empty($c->comptype_name) || $c->comptype_name != 'OWNER') { return true; } @@ -1414,7 +1461,7 @@ class Pman_Core_DataObjects_Core_person extends DB_DataObject return $sesPrefix; } - function loginPublic() + function loginPublic() // used where??? { $this->isAuth(); // force session start.. @@ -1459,8 +1506,7 @@ class Pman_Core_DataObjects_Core_person extends DB_DataObject return false; } - $issuer = (empty($this->name)) ? - rawurlencode('ROOJS') : rawurlencode($this->name); + $issuer = rawurlencode($this->qrCodeIssuer()); $uri = "otpauth://totp/{$issuer}:{$this->email}?secret={$hash}&issuer={$issuer}&algorithm=SHA1&digits=6&period=30"; @@ -1480,4 +1526,32 @@ class Pman_Core_DataObjects_Core_person extends DB_DataObject return "data:image/png;base64,{$base64}"; } + function qrCodeIssuer() + { + $pg= HTML_FlexyFramework::get()->page; + + $issuer = (empty($pg->company->name)) ? 'ROOJS' : "{$pg->company->name}"; + + return $issuer; + } + + static function test_ADMIN_PASSWORD_RESET($pg, $to) + { + $ff = HTML_FlexyFramework::get(); + $person = DB_DataObject::Factory('core_person'); + $person->id = -1; + + return array( + 'HTTP_HOST' => $_SERVER['SERVER_NAME'], + 'person' => $person, + 'authFrom' => 'FAKE_LINK', + 'authKey' => 'FAKE_KEY', + + 'rcpts' => $to->email, + ); + + return $content; + } + + }