From a12758f7eb85596daf01b2ea45bf6f20e7d09a0e Mon Sep 17 00:00:00 2001
From: kenchan0130
Date: Mon, 6 Jan 2020 15:17:24 +0900
Subject: [PATCH 1/2] When using oauth, link using login column data instead of email column.
---
 lib/functions/doAuthorize.php | 11 +----------
 1 file changed, 1 insertion(+), 10 deletions(-)
diff --git a/lib/functions/doAuthorize.php b/lib/functions/doAuthorize.php
index 69f72d21b1..a2583a10e7 100644
--- a/lib/functions/doAuthorize.php
+++ b/lib/functions/doAuthorize.php
@@ -58,11 +58,7 @@ function doAuthorize(&$db,$login,$pwd,$options=null) {
 $user = new tlUser();
 $user->login = $login;
 $searchBy = tlUser::USER_O_SEARCH_BYLOGIN;
- if( $isOauth ) {
- $user->emailAddress = $login;
- $searchBy = tlUser::USER_O_SEARCH_BYEMAIL;
- }
- $loginExists = ( $user->readFromDB( $db, $searchBy ) >= tl::OK );
+ $loginExists = ( $user->readFromDB( $db, $searchBy ) >= tl::OK );
 }
 if( $loginExists ) {
@@ -146,11 +142,6 @@ function doAuthorize(&$db,$login,$pwd,$options=null) {
 $user = new tlUser();
 $user->login = $login;
 $searchBy = tlUser::USER_O_SEARCH_BYLOGIN;
- if( $isOauth ) {
- $user->emailAddress = $login;
- $user->login = null;
- $searchBy = tlUser::USER_O_SEARCH_BYEMAIL;
- }
 $user->readFromDB($db,$searchBy);
 // Need to do set COOKIE following Mantis model
From 153baeb1bf510a06af32da3ab97f1c7e8e681505 Mon Sep 17 00:00:00 2001
From: kenchan0130
Date: Mon, 6 Jan 2020 15:17:51 +0900
Subject: [PATCH 2/2] Format doAuthorize code
---
 lib/functions/doAuthorize.php | 142 +++++++++++++++++-----------------
 1 file changed, 71 insertions(+), 71 deletions(-)
diff --git a/lib/functions/doAuthorize.php b/lib/functions/doAuthorize.php
index a2583a10e7..8328fef6f5 100644
--- a/lib/functions/doAuthorize.php
+++ b/lib/functions/doAuthorize.php
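Review bot: With the email lookup removed in both hunks of the first patch (old lines 58 and 146), the OAuth-supplied `$login` now selects an existing local account by the login column alone, and nothing in these hunks checks `$pwd` on that path, so the provider identifier is effectively the account-selection key; that contract deserves a comment at the lookup, e.g. `// OAuth: $login is the provider-supplied identifier; it selects the local account by login column only, without a local password check, so it must be a value the provider has verified`. Existing accounts whose email column matches the identifier but whose login column does not (local or LDAP accounts, for instance) were previously linked by the removed branch and would now fall through to the `FALSE == $loginExists` branch, which creates a second account with login and (per the unchanged creation code visible as context in the second patch) emailAddress both set to the identifier; that regression is worth stating in the commit description or covering with a one-time data check. The second hunk also drops `$user->login = null`, so the session is keyed on the login column consistently, which is fine but should be mentioned alongside the lookup change. doAuthorize begins and ends outside these hunks, so whether the OAuth branch bypasses auth_does_password_match cannot be confirmed from here.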
@@ -1,14 +1,14 @@ tl::ERROR, 'msg' => null); - $_SESSION['locale'] = TL_DEFAULT_LOCALE; + $_SESSION['locale'] = TL_DEFAULT_LOCALE; if( null == $options ) { - $options = new stdClass(); + $options = new stdClass(); $options->doSessionExistsCheck = true; $options->auth = null; } @@ -42,8 +42,8 @@ function doAuthorize(&$db,$login,$pwd,$options=null) { $doChecks = true; if($login == '') { $doChecks = false; - $result['msg'] = ' '; - } + $result['msg'] = ' '; + } $isOauth = false; if( property_exists($options, 'auth') ) { @@ -65,7 +65,7 @@ function doAuthorize(&$db,$login,$pwd,$options=null) { $loginExpired = false; $checkDate = !is_null($user->expiration_date); $checkDate = $checkDate && (trim($user->expiration_date) != ''); - + if( $checkDate ) { $now = strtotime(date_format(date_create(),'Y-m-d')); $exd = strtotime($user->expiration_date); @@ -73,8 +73,8 @@ function doAuthorize(&$db,$login,$pwd,$options=null) { // Expired! $loginExpired = true; $result['msg'] = lang_get('tluser_account_expired'); - } - } + } + } } if( $loginExists ) { @@ -92,15 +92,15 @@ function doAuthorize(&$db,$login,$pwd,$options=null) { } } } - } + } // Think not using else make things a little bit clear // Will Try To Create a New User if( FALSE == $loginExists ) { $authCfg = config_get('authentication'); $forceUserCreation = false; - - $user = new tlUser(); + + $user = new tlUser(); $user->login = $login; $user->isActive = true; 
@@ -110,28 +110,28 @@ function doAuthorize(&$db,$login,$pwd,$options=null) { $user->emailAddress = $login; $user->firstName = $options->givenName; $user->lastName = $options->familyName; - + } else { if( $authCfg['ldap_automatic_user_creation'] ) { $user->authentication = 'LDAP'; // force for auth_does_password_match $check = auth_does_password_match($db,$user,$pwd); - + if( $check->status_ok ) { $forceUserCreation = true; $uf = getUserFieldsFromLDAP($user->login, $authCfg['ldap'][$check->ldap_index]); - + $user->emailAddress = $uf->emailAddress; $user->firstName = $uf->firstName; $user->lastName = $uf->lastName; - } + } } - } + } if( $forceUserCreation ) { // Anyway, write a password on the DB. $fake = 'the quick brown fox jumps over the lazy dog'; - $user->setPassword( $fake ); + $user->setPassword( $fake ); $doLogin = ($user->writeToDB($db) == tl::OK); } @@ -145,7 +145,7 @@ function doAuthorize(&$db,$login,$pwd,$options=null) { $user->readFromDB($db,$searchBy); // Need to do set COOKIE following Mantis model - $ckCfg = config_get('cookie'); + $ckCfg = config_get('cookie'); $ckObj = new stdClass(); $ckObj->name = config_get('auth_cookie'); 
@@ -154,28 +154,28 @@ function doAuthorize(&$db,$login,$pwd,$options=null) { // IMPORTANT DEVELOPMENT DEBUG NOTICE // From PHP Manual - // setcookie() defines a cookie to be sent along with the rest of the HTTP headers. - // Like other headers, cookies must be sent BEFORE ANY OUTPUT from your script - // (this is a protocol restriction). This requires that you place calls to this function + // setcookie() defines a cookie to be sent along with the rest of the HTTP headers. + // Like other headers, cookies must be sent BEFORE ANY OUTPUT from your script + // (this is a protocol restriction). This requires that you place calls to this function // prior to any output, including and tags as well as any whitespace. // tlSetCookie($ckObj); // Disallow two sessions within one browser - if ($options->doSessionExistsCheck && + if ($options->doSessionExistsCheck && isset($_SESSION['currentUser']) && !is_null($_SESSION['currentUser'])) { - $result['msg'] = lang_get('login_msg_session_exists1') . - ' ' . + $result['msg'] = lang_get('login_msg_session_exists1') . + ' ' . lang_get('logout_link') . '' . lang_get('login_msg_session_exists2'); - } else { + } else { // Setting user's session information $_SESSION['currentUser'] = $user; $_SESSION['lastActivity'] = time(); - + $g_tlLogger->endTransaction(); $g_tlLogger->startTransaction(); setUserSession($db,$user->login, $user->dbID,$user->globalRoleID,$user->emailAddress,$user->locale,null); - + $result['status'] = tl::OK; } } @@ -184,7 +184,7 @@ function doAuthorize(&$db,$login,$pwd,$options=null) { } -/** +/** * for SSL Cliente Certificate we can not check password but * 1. login exists * 2. SSL context exist 
@@ -199,9 +199,9 @@ function doSSOClientCertificate(&$dbHandler,$apache_mod_ssl_env,$authCfg=null) $ret = array('status' => tl::ERROR, 'msg' => null, 'checkedBy' => __FUNCTION_); if( !isset($apache_mod_ssl_env['SSL_PROTOCOL']) ) { - return $ret; + return $ret; } - + // With this we trust SSL is enabled => go ahead with login control $authCfg = is_null($authCfg) ? config_get('authentication') : $authCfg; @@ -209,11 +209,11 @@ function doSSOClientCertificate(&$dbHandler,$apache_mod_ssl_env,$authCfg=null) if( !is_null($login) ) { $user = new tlUser(); $user->login = $login; - $login_exists = ($user->readFromDB($dbHandler,tlUser::USER_O_SEARCH_BYLOGIN) >= tl::OK); + $login_exists = ($user->readFromDB($dbHandler,tlUser::USER_O_SEARCH_BYLOGIN) >= tl::OK); if( $login_exists && $user->isActive) { // Need to do set COOKIE following Mantis model - $ckCfg = config_get('cookie'); + $ckCfg = config_get('cookie'); $ckObj = new stdClass(); $ckObj->name = config_get('auth_cookie'); @@ -224,17 +224,17 @@ function doSSOClientCertificate(&$dbHandler,$apache_mod_ssl_env,$authCfg=null) // Disallow two sessions within one browser if (isset($_SESSION['currentUser']) && !is_null($_SESSION['currentUser'])) { - $ret['msg'] = lang_get('login_msg_session_exists1') . - ' ' . - lang_get('logout_link') . '' . + $ret['msg'] = lang_get('login_msg_session_exists1') . + ' ' . + lang_get('logout_link') . '' . lang_get('login_msg_session_exists2'); } else - { + { // Setting user's session information $_SESSION['currentUser'] = $user; $_SESSION['lastActivity'] = time(); - + $g_tlLogger->endTransaction(); $g_tlLogger->startTransaction(); setUserSession($dbHandler,$user->login, $user->dbID,$user->globalRoleID, 
@@ -246,13 +246,13 @@ function doSSOClientCertificate(&$dbHandler,$apache_mod_ssl_env,$authCfg=null) { logAuditEvent(TLS("audit_login_failed",$login,$_SERVER['REMOTE_ADDR']), "LOGIN_FAILED",$user->dbID,"users"); - } + } } return $ret; } -/** +/** * @return array * obj->status_ok = true/false * obj->msg = message to explain what has happened to a human being. @@ -263,7 +263,7 @@ function auth_does_password_match(&$db,&$userObj,$cleartext_password) $ret = new stdClass(); $ret->status_ok = false; $ret->msg = sprintf(lang_get('unknown_authentication_method'),$authCfg['method']); - + $authMethod = $userObj->authentication; switch ($userObj->authentication) { case 'DB': @@ -283,13 +283,13 @@ function auth_does_password_match(&$db,&$userObj,$cleartext_password) $msg[ERROR_LDAP_USER_NOT_FOUND] = lang_get('error_ldap_user_not_found'); $msg[ERROR_LDAP_BIND_FAILED] = lang_get('error_ldap_bind_failed'); $msg[ERROR_LDAP_START_TLS_FAILED] = lang_get('error_ldap_start_tls_failed'); - + $xx = ldap_authenticate($userObj->login, $cleartext_password); $ret->status_ok = $xx->status_ok; $ret->msg = $xx->status_ok ? 'ok' : $msg[$xx->status_code]; $ret->ldap_index = $xx->ldap_index; break; - + case 'MD5': case 'DB': default: @@ -308,14 +308,14 @@ function auth_does_password_match(&$db,&$userObj,$cleartext_password) */ function getUserFieldsFromLDAP($login,$ldapCfg) { - $k2l = array('emailAddress' => 'email', 'firstName' => 'firstname', 'lastName' => 'surname'); + $k2l = array('emailAddress' => 'email', 'firstName' => 'firstname', 'lastName' => 'surname'); $ret = new stdClass(); - + foreach($k2l as $p => $ldf) { $ret->$p = ldap_get_field_from_username($ldapCfg,$login, strtolower($ldapCfg['ldap_' . $ldf . '_field'])); - } + } // Defaults $k2l = array('firstName' => $login,'lastName' => $login, 'emailAddress' => 'no_mail_configured@on_ldapserver.org'); 
@@ -323,15 +323,15 @@ function getUserFieldsFromLDAP($login,$ldapCfg) { if( is_null($ret->$prop) || strlen($ret->$prop) == 0 ) { - $ret->$prop = $val; + $ret->$prop = $val; } - } + } return $ret; -} +} -/** +/** * * */ @@ -346,21 +346,21 @@ function doSSOWebServerVar(&$dbHandler,$authCfg=null) if( isset($_SERVER[$authCfg['SSO_uid_field']]) ) { $userIdentity = trim($_SERVER[$authCfg['SSO_uid_field']]); - } + } if( !is_null($userIdentity) && $userIdentity != '' ) { $tables = tlObject::getDBTables(array('users')); - $sql = "/* $debugMsg */" . + $sql = "/* $debugMsg */" . "SELECT login,role_id,email,first,last,active " . - "FROM {$tables['users']} " . - "WHERE active = 1 AND " . + "FROM {$tables['users']} " . + "WHERE active = 1 AND " . " {$authCfg['SSO_user_target_dbfield']} = '". $dbHandler->prepare_string($userIdentity) . "'"; $rs = $dbHandler->get_recordset($sql); - + $login_exists = !is_null($rs) && ($accountQty =count($rs)) == 1; $loginKO = true; @@ -376,9 +376,9 @@ function doSSOWebServerVar(&$dbHandler,$authCfg=null) if( !is_null($xx) ) { $ret = $xx; - } - } - } + } + } + } if( $loginKO ) { if($accountQty > 1) { @@ -387,7 +387,7 @@ function doSSOWebServerVar(&$dbHandler,$authCfg=null) $authCfg['SSO_user_target_dbfield']); } else { $ret['msg'] = TLS("audit_login_failed_silence",$_SERVER['REMOTE_ADDR']); - } + } logAuditEvent($result['msg'], "LOGIN_FAILED","users"); } } @@ -404,7 +404,7 @@ function doSessionSetUp(&$dbHandler,&$userObj) { $ret = null; // Need to do set COOKIE following Mantis model - $ckCfg = config_get('cookie'); + $ckCfg = config_get('cookie'); $ckObj = new stdClass(); $ckObj->name = config_get('auth_cookie'); 
@@ -416,22 +416,22 @@ function doSessionSetUp(&$dbHandler,&$userObj) { // Block two sessions within one browser if (isset($_SESSION['currentUser']) && !is_null($_SESSION['currentUser'])) { - $ret['msg'] = lang_get('login_msg_session_exists1') . - ' ' . - lang_get('logout_link') . '' . lang_get('login_msg_session_exists2'); + $ret['msg'] = lang_get('login_msg_session_exists1') . + ' ' . + lang_get('logout_link') . '' . lang_get('login_msg_session_exists2'); } else - { + { // Setting user's session information $_SESSION['currentUser'] = $userObj; $_SESSION['lastActivity'] = time(); - + $g_tlLogger->endTransaction(); $g_tlLogger->startTransaction(); setUserSessionFromObj($dbHandler,$userObj); $ret['status'] = tl::OK; } - - return $ret; + + return $ret; }