X-Git-Url: http://git.polytechnique.org/?a=blobdiff_plain;f=include%2Fxorg%2Fsession.inc.php;h=6e8b3e84ff43a26142068c36884e81d43b0d43a8;hb=32111f706bcbf1d3244f64b7928b37bbc5210ab0;hp=96382fea3a8c292b3743790678d7787d0af31e30;hpb=b0b937fdb5cb3d4758d054ce9eb02d184f430ccc;p=platal.git diff --git a/include/xorg/session.inc.php b/include/xorg/session.inc.php index 96382fe..6e8b3e8 100644 --- a/include/xorg/session.inc.php +++ b/include/xorg/session.inc.php @@ -1,6 +1,6 @@ log("view_page", $_SERVER['REQUEST_URI']); } - set_skin(); - $_SESSION['session'] = new XorgSession; } // }}} - // {{{ function destroy() + // {{{ public static function destroy() - function destroy() { + public static function destroy() + { S::destroy(); XorgSession::init(); } // }}} - // {{{ function doAuth() + // {{{ public static function doAuth() - /** Try to do an authentication. - * - * @param page the calling page (by reference) - */ - function doAuth($new_name = false) + public static function doAuth($new_name = false) { - global $globals; - if (S::identified()) { // ok, c'est bon, on n'a rien à faire - return true; - } + global $globals; + if (S::identified()) { // ok, c'est bon, on n'a rien à faire + return true; + } - if (Env::has('username') && Env::has('response') && S::has('challenge')) - { - // si on vient de recevoir une identification par passwordpromptscreen.tpl - // ou passwordpromptscreenlogged.tpl - $uname = Env::get('username'); + if (!Env::has('username') || !Env::has('response') + || !S::has('challenge')) + { + return false; + } - if (Env::get('domain') == "alias") { + // si on vient de recevoir une identification par passwordpromptscreen.tpl + // ou passwordpromptscreenlogged.tpl + if (S::has('suid')) { + $suid = S::v('suid'); + $login = $uname = $suid['forlife']; + $redirect = false; + } else { + $uname = Env::v('username'); + if (Env::v('domain') == "alias") { $res = XDB::query( "SELECT redirect FROM virtual @@ -79,119 +84,143 @@ class XorgSession } } else { $login = $uname; + $redirect = false; } + } - $field = (!$redirect && preg_match('/^\d*$/', $uname)) ? 'id' : 'alias'; - $res = XDB::query( - "SELECT u.user_id, u.password - FROM auth_user_md5 AS u - INNER JOIN aliases AS a ON ( a.id=u.user_id AND type!='homonyme' ) - WHERE a.$field = {?} AND u.perms IN('admin','user')", $login); - - $logger =& S::v('log'); - if (list($uid, $password) = $res->fetchOneRow()) { - require_once('secure_hash.inc.php'); - $expected_response=hash_encrypt("$uname:$password:".S::v('challenge')); - // le password de la base est peut-être encore encodé en md5 - if (Env::get('response') != $expected_response) { - $new_password = hash_xor(Env::get('xorpass'), $password); - $expected_response = hash_encrypt("$uname:$new_password:".S::v('challenge')); - if (Env::get('response') == $expected_response) { - XDB::execute("UPDATE auth_user_md5 SET password = {?} WHERE user_id = {?}", $new_password, $uid); - } - } - if (Env::get('response') == $expected_response) { - if (Env::has('domain')) { - if (($domain = Env::get('domain', 'login')) == 'alias') { - setcookie('ORGdomain', "alias", (time()+25920000), '/', '', 0); - } else { - setcookie('ORGdomain', '', (time()-3600), '/', '', 0); - } - // pour que la modification soit effective dans le reste de la page - $_COOKIE['ORGdomain'] = $domain; + $field = (!$redirect && preg_match('/^\d*$/', $uname)) ? 'id' : 'alias'; + $res = XDB::query( + "SELECT u.user_id, u.password + FROM auth_user_md5 AS u + INNER JOIN aliases AS a ON ( a.id=u.user_id AND type!='homonyme' ) + WHERE a.$field = {?} AND u.perms IN('admin','user')", $login); + + $logger = S::v('log'); + if (list($uid, $password) = $res->fetchOneRow()) { + require_once('secure_hash.inc.php'); + $expected_response = hash_encrypt("$uname:$password:".S::v('challenge')); + // le password de la base est peut-être encore encodé en md5 + if (Env::v('response') != $expected_response) { + $new_password = hash_xor(Env::v('xorpass'), $password); + $expected_response = hash_encrypt("$uname:$new_password:".S::v('challenge')); + if (Env::v('response') == $expected_response) { + XDB::execute("UPDATE auth_user_md5 SET password = {?} WHERE user_id = {?}", + $new_password, $uid); + } + } + if (Env::v('response') == $expected_response) { + if (Env::has('domain')) { + if (($domain = Env::v('domain', 'login')) == 'alias') { + setcookie('ORGdomain', "alias", (time()+25920000), '/', '', 0); + } else { + setcookie('ORGdomain', '', (time()-3600), '/', '', 0); } + // pour que la modification soit effective dans le reste de la page + $_COOKIE['ORGdomain'] = $domain; + } - S::kill('challenge'); + S::kill('challenge'); + if ($logger) { + $logger->log('auth_ok'); + } + if (!start_connexion($uid, true)) { + return false; + } + if (Env::v('remember', 'false') == 'true') { + $cookie = hash_encrypt(S::v('password')); + setcookie('ORGaccess',$cookie,(time()+25920000),'/','',0); if ($logger) { - $logger->log('auth_ok'); + $logger->log("cookie_on"); } - start_connexion($uid, true); - if (Env::get('remember', 'false') == 'true') { - $cookie = hash_encrypt(S::v('password')); - setcookie('ORGaccess',$cookie,(time()+25920000),'/','',0); - if ($logger) { - $logger->log("cookie_on"); - } - } else { - setcookie('ORGaccess', '', time() - 3600, '/', '', 0); + } else { + setcookie('ORGaccess', '', time() - 3600, '/', '', 0); - if ($logger) { - $logger->log("cookie_off"); - } + if ($logger) { + $logger->log("cookie_off"); } - return true; - } elseif ($logger) { - $logger->log('auth_fail','bad password'); } + return true; } elseif ($logger) { - $logger->log('auth_fail','bad login'); + $logger->log('auth_fail','bad password'); } - } + } elseif ($logger) { + $logger->log('auth_fail','bad login'); + } - global $page; - $page->doLogin($new_name); + return false; } // }}} - // {{{ function doAuthCookie() + // {{{ public static function doAuthCookie() /** Try to do a cookie-based authentication. * * @param page the calling page (by reference) */ - function doAuthCookie(&$page) + public static function doAuthCookie() + { - if (S::logged()) { - return; + if (S::logged()) { + return true; } - if (Env::has('username') and Env::has('response')) { - return XorgSession::doAuth(); + if (Env::has('username') and Env::has('response')) { + return XorgSession::doAuth(); } - if ($r = try_cookie()) { - return XorgSession::doAuth(($r > 0)); + if ($r = try_cookie()) { + return XorgSession::doAuth(($r > 0)); } + + return false; + } + + // }}} + // {{{ public static function make_perms() + + public static function &make_perms($perm) + { + $flags = new FlagSet(); + if ($perm == 'disabled' || $perm == 'ext') { + return $flags; + } + $flags->addFlag(PERMS_USER); + if ($perm == 'admin') { + $flags->addFlag(PERMS_ADMIN); + } + return $flags; } // }}} } -// }}} // {{{ function try_cookie() -/** réalise la récupération de $_SESSION pour qqn avec cookie +/** réalise la récupération de $_SESSION pour qqn avec cookie * @return int 0 if all OK, -1 if no cookie, 1 if cookie with bad hash, * -2 should not happen */ function try_cookie() { - if (Cookie::get('ORGaccess') == '' or !Cookie::has('ORGuid')) { - return -1; + if (Cookie::v('ORGaccess') == '' or !Cookie::has('ORGuid')) { + return -1; } $res = @XDB::query( - "SELECT user_id,password FROM auth_user_md5 WHERE user_id = {?} AND perms IN('admin','user')", - Cookie::getInt('ORGuid') - ); + "SELECT user_id,password FROM auth_user_md5 + WHERE user_id = {?} AND perms IN('admin','user')", + Cookie::i('ORGuid')); + if ($res->numRows() != 0) { - list($uid, $password) = $res->fetchOneRow(); - require_once('secure_hash.inc.php'); - $expected_value = hash_encrypt($password); - if ($expected_value == Cookie::get('ORGaccess')) { - start_connexion($uid, false); - return 0; - } else { + list($uid, $password) = $res->fetchOneRow(); + require_once('secure_hash.inc.php'); + $expected_value = hash_encrypt($password); + if ($expected_value == Cookie::v('ORGaccess')) { + if (!start_connexion($uid, false)) { + return -3; + } + return 0; + } else { return 1; } } @@ -202,21 +231,22 @@ function try_cookie() // }}} // {{{ function start_connexion() -/** place les variables de session dépendants de auth_user_md5 - * et met à jour les dates de dernière connexion si nécessaire +/** place les variables de session dépendants de auth_user_md5 + * et met à jour les dates de dernière connexion si nécessaire * @return void * @see controlpermanent.inc.php controlauthentication.inc.php */ function start_connexion ($uid, $identified) { $res = XDB::query(" - SELECT u.user_id AS uid, prenom, nom, perms, promo, matricule, password, FIND_IN_SET('femme', u.flags) AS femme, + SELECT u.user_id AS uid, prenom, nom, nom_usage, perms, promo, matricule, password, FIND_IN_SET('femme', u.flags) AS femme, UNIX_TIMESTAMP(s.start) AS lastlogin, s.host, a.alias AS forlife, a2.alias AS bestalias, - q.core_mail_fmt AS mail_fmt, UNIX_TIMESTAMP(q.banana_last) AS banana_last, q.watch_last, q.core_rss_hash + q.core_mail_fmt AS mail_fmt, UNIX_TIMESTAMP(q.banana_last) AS banana_last, q.watch_last, q.core_rss_hash, + FIND_IN_SET('watch', u.flags) AS watch_account, q.last_version FROM auth_user_md5 AS u INNER JOIN auth_user_quick AS q USING(user_id) - INNER JOIN aliases AS a ON (u.user_id = a.id AND a.type='a_vie') - INNER JOIN aliases AS a2 ON (u.user_id = a2.id AND FIND_IN_SET('bestalias',a2.flags)) + INNER JOIN aliases AS a ON (u.user_id = a.id AND a.type='a_vie') + INNER JOIN aliases AS a2 ON (u.user_id = a2.id AND FIND_IN_SET('bestalias',a2.flags)) LEFT JOIN logger.sessions AS s ON (s.uid=u.user_id AND s.suid=0) WHERE u.user_id = {?} AND u.perms IN('admin','user') ORDER BY s.start DESC @@ -225,47 +255,72 @@ function start_connexion ($uid, $identified) $suid = S::v('suid'); if ($suid) { - $logger = new DiogenesCoreLogger($uid, $suid); - $logger->log("suid_start", S::v('forlife')." by {$suid['uid']}"); + $logger = new CoreLogger($uid, $suid['uid']); + $logger->log("suid_start", S::v('forlife')." by {$suid['uid']}"); $sess['suid'] = $suid; } else { - $logger = S::v('log', new DiogenesCoreLogger($uid)); - $logger->log("connexion", $_SERVER['PHP_SELF']); + $logger = S::v('log', new CoreLogger($uid)); + $logger->log("connexion", Env::v('n')); setcookie('ORGuid', $uid, (time()+25920000), '/', '', 0); } - $_SESSION = $sess; + $_SESSION = array_merge($_SESSION, $sess); $_SESSION['log'] = $logger; $_SESSION['auth'] = ($identified ? AUTH_MDP : AUTH_COOKIE); + $_SESSION['perms'] =& XorgSession::make_perms($_SESSION['perms']); + $mail_subject = null; + if (check_account()) { + $mail_subject = "Connexion d'un utilisateur surveillé"; + } + if (check_ip('unsafe')) { + if ($mail_subject) { + $mail_subject .= ' - '; + } + $mail_subject .= "Une IP surveillee a tente de se connecter"; + if (check_ip('ban')) { + send_warning_mail($mail_subject); + $_SESSION = array(); + $_SESSION['perms'] = new FlagSet(); + global $page; + $newpage = false; + if (!$page) { + require_once 'xorg.inc.php'; + new_skinned_page('platal/index.tpl'); + $newpage = true; + } + $page->trig("Une erreur est survenue lors de la procédure d'authentification. " + ."Merci de contacter au plus vite " + ."support@polytechnique.org"); + if ($newpage) { + $page->run(); + } + return false; + } + } + if ($mail_subject) { + send_warning_mail($mail_subject); + } set_skin(); + check_redirect(); + return true; } // }}} -// {{{ function set_skin() function set_skin() { global $globals; - if (S::logged() && $globals->skin->enable) { + if (S::logged() && !S::has('skin')) { $uid = S::v('uid'); - $res = XDB::query("SELECT skin,skin_tpl - FROM auth_user_quick AS a - INNER JOIN skins AS s ON a.skin=s.id - WHERE user_id = {?} AND skin_tpl != ''", $uid); - if (list($_SESSION['skin_id'], $_SESSION['skin']) = $res->fetchOneRow()) { + $res = XDB::query("SELECT skin_tpl + FROM auth_user_quick AS a + INNER JOIN skins AS s ON a.skin = s.id + WHERE user_id = {?} AND skin_tpl != ''", $uid); + if ($_SESSION['skin'] = $res->fetchOneCell()) { return; } } - if ($globals->skin->enable) { - $_SESSION['skin'] = $globals->skin->def_tpl; - $_SESSION['skin_id'] = $globals->skin->def_id; - } else { - $_SESSION['skin'] = 'default.tpl'; - $_SESSION['skin_id'] = -1; - } } -// }}} - -// vim:set et sw=4 sts=4 sws=4 foldmethod=marker: +// vim:set et sw=4 sts=4 sws=4 foldmethod=marker enc=utf-8: ?>