projects / platal.git / blob
? search:


ea6fa2179a56d72d07ceaeae88786572c4f82c3a
[platal.git] / include / xorg / session.inc.php
1 <?php
2 /***************************************************************************
3 * Copyright (C) 2003-2008 Polytechnique.org *
4 * http://opensource.polytechnique.org/ *
5 * *
6 * This program is free software; you can redistribute it and/or modify *
7 * it under the terms of the GNU General Public License as published by *
8 * the Free Software Foundation; either version 2 of the License, or *
9 * (at your option) any later version. *
10 * *
11 * This program is distributed in the hope that it will be useful, *
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of *
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the *
14 * GNU General Public License for more details. *
15 * *
16 * You should have received a copy of the GNU General Public License *
17 * along with this program; if not, write to the Free Software *
18 * Foundation, Inc., *
19 * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA *
20 ***************************************************************************/
21
22 require_once 'xorg.misc.inc.php';
23
24 class XorgSession
25 {
26 // {{{ public static function init
27
28 public static function init()
29 {
30 S::init();
31 if (!S::has('uid')) {
32 try_cookie();
33 }
34 if ((check_ip('dangerous') && S::has('uid')) || check_account()) {
35 $_SESSION['log']->log("view_page", $_SERVER['REQUEST_URI']);
36 }
37 }
38
39 // }}}
40 // {{{ public static function destroy()
41
42 public static function destroy()
43 {
44 S::destroy();
45 XorgSession::init();
46 }
47
48 // }}}
49 // {{{ public static function doAuth()
50
51 public static function doAuth($new_name = false)
52 {
53 global $globals;
54 if (S::identified()) { // ok, c'est bon, on n'a rien à faire
55 return true;
56 }
57
58 if (!Env::has('username') || !Env::has('response')
59 || !S::has('challenge'))
60 {
61 return false;
62 }
63
64 // si on vient de recevoir une identification par passwordpromptscreen.tpl
65 // ou passwordpromptscreenlogged.tpl
66 if (S::has('suid')) {
67 $suid = S::v('suid');
68 $login = $uname = $suid['hruid'];
69 $redirect = false;
70 } else {
71 $uname = Env::v('username');
72
73 if (Env::v('domain') == "alias") {
74 $res = XDB::query(
75 "SELECT redirect
76 FROM virtual
77 INNER JOIN virtual_redirect USING(vid)
78 WHERE alias LIKE {?}", $uname."@".$globals->mail->alias_dom);
79 $redirect = $res->fetchOneCell();
80 if ($redirect) {
81 $login = substr($redirect, 0, strpos($redirect, '@'));
82 } else {
83 $login = "";
84 }
85 } else {
86 $login = $uname;
87 $redirect = false;
88 }
89 }
90
91 $field = (!$redirect && preg_match('/^\d*$/', $uname)) ? 'id' : 'alias';
92 $res = XDB::query(
93 "SELECT u.user_id, u.password
94 FROM auth_user_md5 AS u
95 INNER JOIN aliases AS a ON ( a.id=u.user_id AND type!='homonyme' )
96 WHERE a.$field = {?} AND u.perms IN('admin','user')", $login);
97
98 $logger = S::v('log');
99 if (list($uid, $password) = $res->fetchOneRow()) {
100 require_once('secure_hash.inc.php');
101 $expected_response = hash_encrypt("$uname:$password:".S::v('challenge'));
102 // le password de la base est peut-être encore encodé en md5
103 if (Env::v('response') != $expected_response) {
104 $new_password = hash_xor(Env::v('xorpass'), $password);
105 $expected_response = hash_encrypt("$uname:$new_password:".S::v('challenge'));
106 if (Env::v('response') == $expected_response) {
107 XDB::execute("UPDATE auth_user_md5 SET password = {?} WHERE user_id = {?}",
108 $new_password, $uid);
109 }
110 }
111 if (Env::v('response') == $expected_response) {
112 if (Env::has('domain')) {
113 if (($domain = Env::v('domain', 'login')) == 'alias') {
114 setcookie('ORGdomain', "alias", (time()+25920000), '/', '', 0);
115 } else {
116 setcookie('ORGdomain', '', (time()-3600), '/', '', 0);
117 }
118 // pour que la modification soit effective dans le reste de la page
119 $_COOKIE['ORGdomain'] = $domain;
120 }
121
122 S::kill('challenge');
123 if ($logger) {
124 $logger->log('auth_ok');
125 }
126 if (!start_connexion($uid, true)) {
127 return false;
128 }
129 if (Env::v('remember', 'false') == 'true') {
130 $cookie = hash_encrypt(S::v('password'));
131 setcookie('ORGaccess',$cookie,(time()+25920000),'/','',0);
132 if ($logger) {
133 $logger->log("cookie_on");
134 }
135 } else {
136 setcookie('ORGaccess', '', time() - 3600, '/', '', 0);
137
138 if ($logger) {
139 $logger->log("cookie_off");
140 }
141 }
142 return true;
143 } elseif ($logger) {
144 $logger->log('auth_fail','bad password');
145 }
146 } elseif ($logger) {
147 $logger->log('auth_fail','bad login');
148 }
149
150 return false;
151 }
152
153 // }}}
154 // {{{ public static function doAuthCookie()
155
156 /** Try to do a cookie-based authentication.
157 *
158 * @param page the calling page (by reference)
159 */
160 public static function doAuthCookie()
161
162 {
163 if (S::logged()) {
164 return true;
165 }
166
167 if (Env::has('username') and Env::has('response')) {
168 return XorgSession::doAuth();
169 }
170
171 if ($r = try_cookie()) {
172 return XorgSession::doAuth(($r > 0));
173 }
174
175 return false;
176 }
177
178 // }}}
179 // {{{ public static function make_perms()
180
181 public static function &make_perms($perm)
182 {
183 $flags = new FlagSet();
184 if ($perm == 'disabled' || $perm == 'ext') {
185 return $flags;
186 }
187 $flags->addFlag(PERMS_USER);
188 if ($perm == 'admin') {
189 $flags->addFlag(PERMS_ADMIN);
190 }
191 return $flags;
192 }
193
194 // }}}
195 }
196
197 // {{{ function try_cookie()
198
199 /** réalise la récupération de $_SESSION pour qqn avec cookie
200 * @return int 0 if all OK, -1 if no cookie, 1 if cookie with bad hash,
201 * -2 should not happen
202 */
203 function try_cookie()
204 {
205 if (Cookie::v('ORGaccess') == '' or !Cookie::has('ORGuid')) {
206 return -1;
207 }
208
209 $res = @XDB::query(
210 "SELECT user_id,password FROM auth_user_md5
211 WHERE user_id = {?} AND perms IN('admin','user')",
212 Cookie::i('ORGuid'));
213
214 if ($res->numRows() != 0) {
215 list($uid, $password) = $res->fetchOneRow();
216 require_once('secure_hash.inc.php');
217 $expected_value = hash_encrypt($password);
218 if ($expected_value == Cookie::v('ORGaccess')) {
219 if (!start_connexion($uid, false)) {
220 return -3;
221 }
222 return 0;
223 } else {
224 return 1;
225 }
226 }
227
228 return -2;
229 }
230
231 // }}}
232 // {{{ function start_connexion()
233
234 /** place les variables de session dépendants de auth_user_md5
235 * et met à jour les dates de dernière connexion si nécessaire
236 * @return void
237 * @see controlpermanent.inc.php controlauthentication.inc.php
238 */
239 function start_connexion ($uid, $identified)
240 {
241 global $globals;
242
243 // Fetches user's data.
244 $res = XDB::query("
245 SELECT u.user_id AS uid, prenom, prenom_ini, nom, nom_ini, nom_usage, perms, promo, promo_sortie,
246 matricule, password, FIND_IN_SET('femme', u.flags) AS femme,
247 u.hruid, CONCAT(a.alias, '@{$globals->mail->domain}') AS forlife, CONCAT(a2.alias, '@{$globals->mail->domain}') AS bestalias,
248 q.core_mail_fmt AS mail_fmt, UNIX_TIMESTAMP(q.banana_last) AS banana_last, q.watch_last, q.core_rss_hash,
249 FIND_IN_SET('watch', u.flags) AS watch_account, q.last_version
250 FROM auth_user_md5 AS u
251 INNER JOIN auth_user_quick AS q USING(user_id)
252 INNER JOIN aliases AS a ON (u.user_id = a.id AND a.type = 'a_vie')
253 INNER JOIN aliases AS a2 ON (u.user_id = a2.id AND FIND_IN_SET('bestalias', a2.flags))
254 WHERE u.user_id = {?} AND u.perms IN('admin','user')", $uid);
255
256 // Fetches last connection information.
257 $sess = $res->fetchOneAssoc();
258 $res = XDB::query("SELECT UNIX_TIMESTAMP(s.start) AS lastlogin, s.host
259 FROM logger.sessions AS s
260 WHERE s.uid = {?} AND s.suid = 0
261 ORDER BY s.start DESC
262 LIMIT 1", $uid);
263 if ($res->numRows()) {
264 $sess = array_merge($sess, $res->fetchOneAssoc());
265 }
266
267 // Sets up special environment for suid sessions, and sets up the logger.
268 $suid = S::v('suid');
269 if ($suid) {
270 $logger = new CoreLogger($uid, $suid['uid']);
271 $logger->log("suid_start", S::v('hruid') . " by {$suid['uid']}");
272 $sess['suid'] = $suid;
273 } else {
274 $logger = S::v('log', new CoreLogger($uid));
275 $logger->log("connexion", Env::v('n'));
276 setcookie('ORGuid', $uid, (time()+25920000), '/', '', 0);
277 }
278
279 // Finally sets up the PHP session.
280 $_SESSION = array_merge($_SESSION, $sess);
281 $_SESSION['log'] = $logger;
282 $_SESSION['auth'] = ($identified ? AUTH_MDP : AUTH_COOKIE);
283 $_SESSION['perms'] =& XorgSession::make_perms($_SESSION['perms']);
284
285 // Checks for watched users / ip addresses.
286 $mail_subject = null;
287 if (check_account()) {
288 $mail_subject = "Connexion d'un utilisateur surveillé";
289 }
290 if (check_ip('unsafe')) {
291 if ($mail_subject) {
292 $mail_subject .= ' - ';
293 }
294 $mail_subject .= "Une IP surveillee a tente de se connecter";
295 if (check_ip('ban')) {
296 send_warning_mail($mail_subject);
297 $_SESSION = array();
298 $_SESSION['perms'] = new FlagSet();
299 global $page;
300 $newpage = false;
301 if (!$page) {
302 require_once 'xorg.inc.php';
303 new_skinned_page('platal/index.tpl');
304 $newpage = true;
305 }
306 $page->trigError("Une erreur est survenue lors de la procédure d'authentification. "
307 ."Merci de contacter au plus vite "
308 ."<a href='mailto:support@polytechnique.org'>support@polytechnique.org</a>");
309 if ($newpage) {
310 $page->run();
311 }
312 return false;
313 }
314 }
315 if ($mail_subject) {
316 send_warning_mail($mail_subject);
317 }
318
319 // Miscellaneous environment setup.
320 set_skin();
321 update_NbNotifs();
322 check_redirect();
323 return true;
324 }
325
326 // }}}
327
328 function set_skin()
329 {
330 global $globals;
331 if (S::logged() && (!S::has('skin') || S::has('suid'))) {
332 $uid = S::v('uid');
333 $res = XDB::query("SELECT skin_tpl
334 FROM auth_user_quick AS a
335 INNER JOIN skins AS s ON a.skin = s.id
336 WHERE user_id = {?} AND skin_tpl != ''", $uid);
337 if ($_SESSION['skin'] = $res->fetchOneCell()) {
338 return;
339 }
340 }
341 }
342
343 // vim:set et sw=4 sts=4 sws=4 foldmethod=marker enc=utf-8:
344 ?>
plat/al