| author | Lester Caine <lester@lsces.co.uk> | 2026-05-15 15:42:51 +0100 |
|---|---|---|
| committer | Lester Caine <lester@lsces.co.uk> | 2026-05-15 15:42:51 +0100 |
| commit | 02a3c1e025dfcac83f04a4d08599e3e361b94997 (patch) | |
| tree | a8c41f2fc8476881b3f7bf2ddb402baa2da17142 /auth | |
| parent | 513bc9e03522f0bfc0e307a8e40a517e746de2bc (diff) | |
| download | users-02a3c1e025dfcac83f04a4d08599e3e361b94997.tar.gz users-02a3c1e025dfcac83f04a4d08599e3e361b94997.tar.bz2 users-02a3c1e025dfcac83f04a4d08599e3e361b94997.zip | |
To simplify maintenance, the BitUser classes have been retired and the active code base defaulted to ROLE_MODEL
Diffstat (limited to 'auth')
| -rwxr-xr-x | auth/imap/auth.php | 113 | ||||
| -rwxr-xr-x | auth/ldap/auth.php | 299 | ||||
| -rwxr-xr-x | auth/locate/auth.php | 143 | ||||
| -rwxr-xr-x | auth/multisites/auth.php | 2 |
4 files changed, 1 insertions, 556 deletions
diff --git a/auth/imap/auth.php b/auth/imap/auth.php deleted file mode 100755 index 2887254..0000000 --- a/auth/imap/auth.php +++ /dev/null 
@@ -1,113 +0,0 @@ -<?php -/** - * $Header$ - * - * @package users - */ - -/** - * Class that manages the imap autentication method - * - * @package users - * @subpackage auth - */ -namespace Bitweaver\Users; - -use Bitweaver\KernelTools; - -class IMAPAuth extends BaseAuth { - - function __construct() { - parent::__construct('imap'); - } - - function validate($user,$pass,$challenge,$response) { - parent::validate($user,$pass,$challenge,$response); - $mailbox = '{' . $this->mConfig['server']; - if ($this->mConfig["ssl"]) { - $mailbox .= "/ssl"; - if ($this->mConfig["sslvalidate"]) { - $mailbox .= "/validate-cert"; - } else { - $mailbox .= "/novalidate-cert"; - } - } - $mailbox .= ':'.$this->mConfig["port"].'}INBOX'; - - $imapauth = @imap_open($mailbox,$user , $pass); - if (!$imapauth) { - $this->mErrors['login']=imap_errors(); - $ret=USER_NOT_FOUND; - } else { - $ret=USER_VALID; - $this->mInfo["real_name"] = $user; - if(empty($this->mConfig["email"])) { - $this->mInfo["email"] = $user; - } else { - $info=['login'=>$user]; - $replace_func = create_function('$matches','$info = '.var_export($info,true).'; - $m = $matches[0]; - $m = substr($m,1,strlen($m)-2); - if(empty($info[$m])) return ""; - return strtolower($info[$m]);'); - $this->mInfo["email"] = preg_replace_callback('/%.*?%/',$replace_func,$this->mConfig["email"]); - } - imap_close($imapauth); - } - return $ret; - } - - function isSupported() { - $ret = true; - if (!function_exists('imap_open')) { - $this->mErrors['support']=KernelTools::tra("IMAP Authentication is not supported as PHP IMAP Extention not loaded."); - $ret = false; - } - return $ret; - } - - function createUser(&$userattr) { - $this->mErrors['create']=KernelTools::tra("Cannot create users in an IMAP Server."); - return false; - } - - function canManageAuth() { - $this->mErrors[]=KernelTools::tra("Cannot create users in an IMAP Server."); - return false; - } - - function getSettings() { - return [ - 'users_imap_server' => [ - 'label' => "IMAP 
Server", - 'type' => "text", - 'note' => "", - 'default' => '', - ], - 'users_imap_ssl' => [ - 'label' => "Connect Using SSL", - 'type' => "checkbox", - 'note' => "", - 'default' => 'y', - ], - 'users_imap_sslvalidate' => [ - 'label' => "Require SSL Certificate to be valid", - 'type' => "checkbox", - 'note' => "", - 'default' => 'n', - ], - 'users_imap_port' => [ - 'label' => "IMAP Port", - 'type' => "text", - 'note' => "", - 'default' => '993', - ], - 'users_imap_email' => [ - 'label' => "LDAP User E-Mail Address", - 'type' => "text", - 'note' => "If empty the login is used.<br />Otherwise all %login% is replaced with the login name, and the result used as the email address.<br />Please remember to include the @ sign", - 'default' => "%login%@redhat.com", - ], - ]; - } -} diff --git a/auth/ldap/auth.php b/auth/ldap/auth.php deleted file mode 100755 index 709e5e7..0000000 --- a/auth/ldap/auth.php +++ /dev/null 
@@ -1,299 +0,0 @@ -<?php -/** - * $Header$ - * - * @package users - */ - -/** - * required setup - */ -namespace Bitweaver\Users; - -use Bitweaver\KernelTools; - -if (file_exists(UTIL_PKG_INCLUDE_PATH."pear/Auth/Auth.php")) { - require_once (UTIL_PKG_INCLUDE_PATH."pear/Auth/Auth.php"); -} else { -// THIS may need changing if a different PEAR installation is used - include_once("Auth/Auth.php"); -} - -/** - * Class that manages the PEAR:ldap autentication method - * - * @package users - * @subpackage auth - */ -class LDAPAuth extends BaseAuth { - function __construct() { - parent::__construct('ldap'); - } - - function validate($user,$pass,$challenge,$response) { - parent::validate($user,$pass,$challenge,$response); - global $gBitDb; - - if ( empty($user) or empty($pass) ) { - return USER_NOT_FOUND; - } - - $this->mInfo["real_name"] = ''; // This needs fixing in the base code - real_name will only exist if a user has been identiied - - // Use V3, which requires UTF-8: - $this->mConfig['version'] = 3; - $user_utf8 = utf8_encode( $user ); - - if ( $this->mConfig['reqcert'] ) { - // Skip the SSL certificate check: - // (This assumes PHP is using the OpenLDAP client library.) - putenv('LDAPTLS_REQCERT=never'); - } - - if ( $this->mConfig['activedirectory'] ) { - $this->mConfig['attributes'] = (array) null; - $this->mConfig['userfilter'] = '(objectClass='.$this->mConfig['useroc'].')'; - $this->mConfig['groupfilter'] = '(objectClass='.$this->mConfig['groupoc'].')'; - $this->mConfig['groupscope'] = $this->mConfig['userscope']; - } else { - // Using bitweaver groups with LDAP still needs completing so disable for now - unset($this->mConfig['group']); - } - - $a = new \Auth('LDAP', $this->mConfig, "", false); - $a->_loadStorage(); // set up connection to ldap via user details - - // First, try by username. If that fails, try by email address. - $success = $a->storage->fetchData($user_utf8, $pass, false); - - if ($success == false) { - // The user wasn't found. 
Try again by email address: - $this->mConfig['userattrsto'] = $this->mConfig['userattr']; // Keep this for later - $this->mConfig['userattr'] = $this->mConfig['email']; // Tell PEAR::Auth() to look at the 'mail' attribute - - // this needs testing better, should be no need to create second instance of Auth! - $a = new \Auth('LDAP', $this->mConfig, "", false); - $a->_loadStorage(); // set up connection to ldap via user details - - $success = $a->storage->fetchData($user_utf8, $pass, false); - if ($success == false) { - $this->mErrors['login'] = $a->storage->options['status'] ?? 'Not authenticated'; - return PASSWORD_INCORRECT; - } - } - - // At this point, there was a successful ldap_bind() using the - // user's Distinguished Name (DN) and password for login. - // The call to ldap_get_attributes() has been saved into $a->getAuthData('attributes') - - if ( $this->mConfig['activedirectory'] ) { - // Active Directory does some things differently - mainly in the returns - $attributes = $a->getAuthData(); - // Warning: ldap_get_attributes() uses case-sensitive array keys - $this->mInfo["login"] = $attributes[ $this->mConfig['userattr'] ]; - $this->mInfo["email"] = $attributes[ $this->mConfig['email'] ]; - $this->mInfo["real_name"] = empty($attributes[$this->mConfig['name']]) ? $this->mInfo["login"] : $attributes[$this->mConfig['name']]; - } - else { - $attributes = $a->getAuthData('attributes'); - // Warning: ldap_get_attributes() uses case-sensitive array keys - $this->mInfo["login"] = $attributes[ $this->mConfig['userattr'] ][0]; - $this->mInfo["email"] = $attributes[ $this->mConfig['email'] ][0]; - $this->mInfo["real_name"] = empty($attributes[$this->mConfig['name']][0]) ? $this->mInfo["login"] : $attributes[$this->mConfig['name']][0]; - } - // Note, the new (or updated) SQL user will be created by the calling BitUser class. - - return USER_VALID; // Success! 
- - } - - function isSupported() { - $ret = true; - if (!class_exists("Auth")) { - $this->mErrors['support']=KernelTools::tra("LDAP Authentication is not supported as PEAR Package Auth is not availible."); - $ret = false; - } - if (!function_exists('ldap_connect')) { - $this->mErrors['support']=KernelTools::tra("LDAP Authentication is not supported as PHP LDAP Extention not loaded."); - $ret = false; - } - return $ret; - } - - // create a new user in the Auth directory - function createUser(&$userattr) { - global $gBitDb; - // set additional attributes here - if (empty($userattr["email"])) { - $userattr["email"] = $gBitDb->getOne("select `email` from `".BIT_DB_PREFIX."users_users` where `login`=?", [$userattr["login"]]); - } - // set the Auth options - $a = new \Auth("LDAP", $this->mConfig); - // check if the login correct - if ($a->addUser($userattr["login"], $userattr["password"], $userattr) === true) { - return true; - } - // otherwise use the error status given back - $this->mErrors['create'] = $a->getStatus(); - return false; - - } - - function canManageAuth() { - return true; - } - - function getSettings() { - global $gBitUser; - $listHash = []; - - // Roles are not inteneded to match with ldap groups - // This area needs a closer look if it needs to be used - $groups = []; - $groups = $gBitUser->getAllGroups($listHash); - $groupsD = []; - foreach ($groups as $g) { - $groupsD[$g['group_id']]= "{$g['group_name']} ( {$g['group_desc']} )"; - } - $groups = $groupsD; - return [ - 'users_ldap_url' => [ - 'label' => "LDAP Connection URL", - 'type' => "text", - 'note' => "You can specify an LDAP URL, like ldap://localhost/ or ldaps://some-server/.", - 'default' => '', - ], - 'users_ldap_host' => [ - 'label' => "LDAP Host", - 'type' => "text", - 'note' => "Instead of a URL, you can specify a hostname and port explicitly. 
Give either a URL, or else a hostname/port (but not both).", - 'default' => 'localhost', - ], - 'users_ldap_port' => [ - 'label' => "LDAP Port", - 'type' => "text", - 'note' => "", - 'default' => '389', - ], - 'users_ldap_start_tls' => [ - 'label' => "Use Start-TLS?", - 'type' => "checkbox", - 'note' => "Please note there is a difference between ldaps:// and Start-TLS for ldap. Start-TLS uses port 389, while ldaps:// uses port 636. Both encrypted LDAP (with Start-TLS) and unencrypted LDAP can run on port 389 concurrently.", - 'default' => 'y', - ], - 'users_ldap_reqcert' => [ - 'label' => "Skip the SSL Cert validation?", - 'type' => "checkbox", - 'note' => "If Start-TLS is checked, then your LDAP server needs a trusted SSL cert -- unless you check this option, in which case you can use a self-signed (untrusted) cert.", - 'default' => 'y', - ], - 'users_ldap_referrals' => [ - 'label' => "Use Referrals?", - 'type' => "checkbox", - 'note' => "This should probably be 'yes'. (Only applies to LDAP V3 servers.)", - 'default' => 'y', - ], - 'users_ldap_basedn' => [ - 'label' => "LDAP Base DN", - 'type' => "text", - 'note' => "", - 'default' => '', - ], - 'users_ldap_userdn' => [ - 'label' => "LDAP User DN", - 'type' => "text", - 'note' => "", - 'default' => '', - ], - 'users_ldap_userattr' => [ - 'label' => "LDAP User Attribute", - 'type' => "text", - 'note' => "The LDAP Attribute to use for the user's login in Bitweaver. (This is the first attribute searched when the user logs in.)", - 'default' => 'uid', - ], - 'users_ldap_email' => [ - 'label' => "LDAP User E-Mail Address", - 'type' => "text", - 'note' => "The LDAP Attribute to use for the user's email address in Bitweaver. 
(This is the second attribute searched when the user logs in.)", - 'default' => 'mail', - ], - 'users_ldap_name' => [ - 'label' => "LDAP User Display Name", - 'type' => "text", - 'note' => "The LDAP Attribute to use for the user's Full Name in Bitweaver.", - 'default' => 'displayName', - ], - 'users_ldap_useroc' => [ - 'label' => "LDAP User OC", - 'type' => "text", - 'note' => "", - 'default' => '(objectClass=inetOrgPerson)', - ], - 'users_ldap_groupdn' => [ - 'label' => "LDAP Group DN", - 'type' => "text", - 'note' => "", - 'default' => '', - ], - 'users_ldap_groupattr' => [ - 'label' => "LDAP Group Atribute", - 'type' => "text", - 'note' => "", - 'default' => 'cn', - ], - 'users_ldap_groupoc' => [ - 'label' => "LDAP Group OC", - 'type' => "text", - 'note' => "", - 'default' => '(objectClass=groupOfUniqueNames)', - ], - 'users_ldap_memberattr' => [ - 'label' => "LDAP Member Attribute", - 'type' => "text", - 'note' => "", - 'default' => 'uniqueMember', - ], - 'users_ldap_memberisdn' => [ - 'label' => "LDAP Member Is DN", - 'type' => "checkbox", - 'note' => "", - 'default' => 'n', - ], - 'users_ldap_binddn' => [ - 'label' => "LDAP Bind DN", - 'type' => "text", - 'note' => "This DN will be used to search the LDAP directory for users. 
If left blank, 'anonymous bind' is used.", - 'default' => '', - ], - 'users_ldap_bindpw' => [ - 'label' => "LDAP Bind Pwd", - 'type' => "password", - 'note' => "", - 'default' => '', - ], - 'users_ldap_userscope' => [ - 'label' => "LDAP Scope to use when searching for users", - 'type' => "option", - 'note' => "", - 'default' => 'sub', - 'options' => [ - 'sub' => "Sub", - 'one' => "One", - 'base' => "Base", - ], - ], - 'users_ldap_group' => [ - 'label' => "LDAP Group Requirement", - 'type' => "text", - 'note' => "If this is specified, then the LDAP user must also be a member of this LDAP group to connect.", - 'default' => '', - ], - 'users_ldap_activedirectory' => [ - 'label' => "Active Directory?", - 'type' => "checkbox", - 'note' => "", - 'default' => 'n', - ], - ]; - } -}
\ No newline at end of file diff --git a/auth/locate/auth.php b/auth/locate/auth.php deleted file mode 100755 index 77197f5..0000000 --- a/auth/locate/auth.php +++ /dev/null 
@@ -1,143 +0,0 @@ -<?php -/** - * $Header$ - * - * @package users - */ - -/** - * Class that manages the bitweaver autentication method with additional modifications - * for access managed via machine name - * This is used to idenitfy counter locations in sites where location related activity takes place - * such as anouncment and direction displays - * - * @package users - * @subpackage auth - */ -namespace Bitweaver\Users; - -class LocateAuth extends BaseAuth { - - function __construct() { - parent::__construct('locate'); - } - - function validate($user,$pass,$challenge,$response) { - parent::validate($user,$pass,$challenge,$response); - global $gBitSystem; - global $gBitDb; - global $gMultisites; - - $ret = SERVER_ERROR; - if( empty( $user ) ) { - $this->mErrors['login'] = 'User not found'; - } elseif( empty( $pass ) ) { - $this->mErrors['login'] = 'Password incorrect'; - } else { - $loginVal = strtoupper( $user ); // case insensitive login - $loginCol = ' UPPER(`'.(strpos( $user, '@' ) ? 'email' : 'login').'`)'; - // first verify that the user exists - $query = "select `email`, `login`, `user_id`, `user_password` from `".BIT_DB_PREFIX."users_users` where " . $gBitDb->convertBinary(). " $loginCol = ?"; - $result = $gBitDb->query( $query, [ $loginVal ] ); - if( !$result->numRows() ) { - $this->mErrors['login'] = 'User not found'; - } else { - $res = $result->fetchRow(); - $userId = $res['user_id']; - $user = $res['login']; - // TikiWiki 1.8+ uses this bizarro conglomeration of fields to get the hash. this sucks for many reasons - $hash = md5( strtolower($user) . $pass . $res['email']); - $hash2 = md5($pass); - // next verify the password with 2 hashes methods, the old one (pass)) and the new one (login.pass;email) - // TODO - this needs cleaning up - wolff_borg - if( !$gBitSystem->isFeatureActive( 'feature_challenge' ) || empty($response) ) { - $query = "select `user_id`, `content_id`, `hash` from `".BIT_DB_PREFIX."users_users` where " . $gBitDb->convertBinary(). 
" $loginCol = ? and (`hash`=? or `hash`=?)"; - if ( $row = $gBitDb->getRow( $query, [ $loginVal, $hash, $hash2 ] ) ) { - // auto-update old hashes with simple and standard md5( password ) - $hashUpdate = ''; - if( $row['hash'] == $hash ) { - $hashUpdate = 'hash=?, '; - $bindVars[] = $hash2; - } - $bindVars[] = $gBitSystem->getUTCTime(); - $bindVars[] = $userId; - $query = "update `".BIT_DB_PREFIX."users_users` set $hashUpdate `last_login`=`current_login`, `current_login`=? where `user_id`=?"; - $result = $gBitDb->query($query, $bindVars ); -// Modify this to check machine name against managed locations -// $query = "select `multisite_id` from `".BIT_DB_PREFIX."multisite_content` where `content_id` = ?"; -// $sites = $gBitDb->getAll($query, array( $row['content_id'] ) ); -// if ( !$sites ) { - $ret=USER_VALID; -/* } else { - // This will allow for additional by site checking in future - // Currently only a single site per user_id is allowed - $ret=PASSWORD_INCORRECT; - foreach ( $sites as $id ) { - if ( $id['multisite_id'] == $gMultisites->mMultisiteId ) { - $ret=USER_VALID; - } - } - if ( $ret == PASSWORD_INCORRECT ) { - $this->mErrors[] = 'You are not authorized on this area of the site'; - } - } -*/ - } else { - $ret=PASSWORD_INCORRECT; - $this->mErrors[] = 'Password incorrect'; - } - } else { - // Use challenge-reponse method - // Compare pass against md5(user,challenge,hash) - $hash = $gBitDb->getOne("select `hash` from `".BIT_DB_PREFIX."users_users` where " . $gBitDb->convertBinary(). " $loginCol = ?", [ $user ] ); - if (!isset($_SESSION["challenge"])) { - $this->mErrors[] = 'Invalid challenge'; - $ret=PASSWORD_INCORRECT; - } - //print("pass: $pass user: $user hash: $hash <br/>"); - //print("challenge: ".$_SESSION["challenge"]." challenge: $challenge<br/>"); - //print("response : $response<br/>"); - if ($response == md5( strtolower($user) . $hash . 
$_SESSION["challenge"]) ) { - $ret = USER_VALID; - $this->updateLastLogin( $userId ); - } else { - $this->mErrors[] = 'Invalid challenge'; - $ret=PASSWORD_INCORRECT; - } - } - } - if (!empty($userId)) { - $this->mInfo['user_id']=$userId; - } - } - return( $ret ); - } - - function canManageAuth() { - global $gBitSystem; - if( $gBitSystem->isPackageActive( 'contact' ) ) { - return TRUE; - } - return FALSE; - - } - - function isSupported() { - global $gBitSystem; - if( $gBitSystem->isPackageActive( 'contact' ) ) { - return TRUE; - } - return FALSE; - - } - - function createUser( &$pUserHash ) { - //$authUserInfo = array( 'login' => $instance->mInfo['login'], 'password' => $instance->mInfo['password'], 'real_name' => $instance->mInfo['real_name'], 'email' => $instance->mInfo['email'] ); - $u = new BitPermUser(); - - if( !$u->store( $pUserHash ) ) { - $this->mErrors = array_merge($this->mErrors,$u->mErrors); - } - return $u->mUserId; - } -} diff --git a/auth/multisites/auth.php b/auth/multisites/auth.php index cf44c0d..98cb74b 100755 --- a/auth/multisites/auth.php +++ b/auth/multisites/auth.php @@ -128,7 +128,7 @@ class MultisitesAuth extends BaseAuth { function createUser( &$pUserHash ) { //$authUserInfo = array( 'login' => $instance->mInfo['login'], 'password' => $instance->mInfo['password'], 'real_name' => $instance->mInfo['real_name'], 'email' => $instance->mInfo['email'] ); - $u = new BitPermUser(); + $u = new RolePermUser(); if( !$u->store( $pUserHash ) ) { $this->mErrors = array_merge($this->mErrors,$u->mErrors); |
