2 if(!defined('sugarEntry') || !sugarEntry) die('Not A Valid Entry Point');
3 /*********************************************************************************
4 * SugarCRM Community Edition is a customer relationship management program developed by
5 * SugarCRM, Inc. Copyright (C) 2004-2011 SugarCRM Inc.
7 * This program is free software; you can redistribute it and/or modify it under
8 * the terms of the GNU Affero General Public License version 3 as published by the
9 * Free Software Foundation with the addition of the following permission added
10 * to Section 15 as permitted in Section 7(a): FOR ANY PART OF THE COVERED WORK
11 * IN WHICH THE COPYRIGHT IS OWNED BY SUGARCRM, SUGARCRM DISCLAIMS THE WARRANTY
12 * OF NON INFRINGEMENT OF THIRD PARTY RIGHTS.
14 * This program is distributed in the hope that it will be useful, but WITHOUT
15 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
16 * FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
19 * You should have received a copy of the GNU Affero General Public License along with
20 * this program; if not, see http://www.gnu.org/licenses or write to the Free
21 * Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
24 * You can contact SugarCRM, Inc. headquarters at 10050 North Wolfe Road,
25 * SW2-130, Cupertino, CA 95014, USA. or at email address contact@sugarcrm.com.
27 * The interactive user interfaces in modified source and object code versions
28 * of this program must display Appropriate Legal Notices, as required under
29 * Section 5 of the GNU Affero General Public License version 3.
31 * In accordance with Section 7(b) of the GNU Affero General Public License version 3,
32 * these Appropriate Legal Notices must retain the display of the "Powered by
33 * SugarCRM" logo. If the display of the logo is not reasonably feasible for
34 * technical reasons, the Appropriate Legal Notices must display the words
35 * "Powered by SugarCRM".
36 ********************************************************************************/
42 * This file is used to control the authentication process.
43 * It will call on the user authenticate and controll redirection
44 * based on the users validation
47 class SugarAuthenticate{
48 var $userAuthenticateClass = 'SugarAuthenticateUser';
49 var $authenticationDir = 'SugarAuthenticate';
51 * Constructs SugarAuthenticate
52 * This will load the user authentication class
54 * @return SugarAuthenticate
56 function SugarAuthenticate(){
57 require_once('modules/Users/authentication/'. $this->authenticationDir . '/'. $this->userAuthenticateClass . '.php');
58 $this->userAuthenticate = new $this->userAuthenticateClass();
62 * Authenticates a user based on the username and password
63 * returns true if the user was authenticated false otherwise
64 * it also will load the user into current user if he was authenticated
66 * @param string $username
67 * @param string $password
70 function loginAuthenticate($username, $password, $fallback=false, $PARAMS = array ()){
72 unset($_SESSION['login_error']);
74 $usr_id=$usr->retrieve_user_id($username);
75 $usr->retrieve($usr_id);
76 $_SESSION['login_error']='';
77 $_SESSION['waiting_error']='';
78 $_SESSION['hasExpiredPassword']='0';
79 if ($this->userAuthenticate->loadUserOnLogin($username, $password, $fallback, $PARAMS)) {
80 require_once('modules/Users/password_utils.php');
81 if(hasPasswordExpired($username)) {
82 $_SESSION['hasExpiredPassword'] = '1';
84 // now that user is authenticated, reset loginfailed
85 if ($usr->getPreference('loginfailed') != '' && $usr->getPreference('loginfailed') != 0) {
86 $usr->setPreference('loginfailed','0');
87 $usr->savePreferencesToDB();
89 return $this->postLoginAuthenticate();
94 if(!empty($usr_id) && $res['lockoutexpiration'] > 0){
95 if (($logout=$usr->getPreference('loginfailed'))=='')
96 $usr->setPreference('loginfailed','1');
98 $usr->setPreference('loginfailed',$logout+1);
99 $usr->savePreferencesToDB();
102 if(strtolower(get_class($this)) != 'sugarauthenticate'){
103 $sa = new SugarAuthenticate();
104 $error = (!empty($_SESSION['login_error']))?$_SESSION['login_error']:'';
105 if($sa->loginAuthenticate($username, $password, true, $PARAMS)){
108 $_SESSION['login_error'] = $error;
112 $_SESSION['login_user_name'] = $username;
113 $_SESSION['login_password'] = $password;
114 if(empty($_SESSION['login_error'])){
115 $_SESSION['login_error'] = translate('ERR_INVALID_PASSWORD', 'Users');
123 * Once a user is authenticated on login this function will be called. Populate the session with what is needed and log anything that needs to be logged
126 function postLoginAuthenticate(){
128 global $reset_theme_on_default_user, $reset_language_on_default_user, $sugar_config;
129 //THIS SECTION IS TO ENSURE VERSIONS ARE UPTODATE
131 require_once ('modules/Versions/CheckVersions.php');
132 $invalid_versions = get_invalid_versions();
133 if (!empty ($invalid_versions)) {
134 if (isset ($invalid_versions['Rebuild Relationships'])) {
135 unset ($invalid_versions['Rebuild Relationships']);
137 // flag for pickup in DisplayWarnings.php
138 $_SESSION['rebuild_relationships'] = true;
141 if (isset ($invalid_versions['Rebuild Extensions'])) {
142 unset ($invalid_versions['Rebuild Extensions']);
144 // flag for pickup in DisplayWarnings.php
145 $_SESSION['rebuild_extensions'] = true;
148 $_SESSION['invalid_versions'] = $invalid_versions;
152 //just do a little house cleaning here
153 unset($_SESSION['login_password']);
154 unset($_SESSION['login_error']);
155 unset($_SESSION['login_user_name']);
156 unset($_SESSION['ACL']);
158 //set the server unique key
159 if (isset ($sugar_config['unique_key']))$_SESSION['unique_key'] = $sugar_config['unique_key'];
162 if (isset ($reset_language_on_default_user) && $reset_language_on_default_user && $GLOBALS['current_user']->user_name == $sugar_config['default_user_name']) {
163 $authenticated_user_language = $sugar_config['default_language'];
165 $authenticated_user_language = isset($_REQUEST['login_language']) ? $_REQUEST['login_language'] : (isset ($_REQUEST['ck_login_language_20']) ? $_REQUEST['ck_login_language_20'] : $sugar_config['default_language']);
168 $_SESSION['authenticated_user_language'] = $authenticated_user_language;
170 $GLOBALS['log']->debug("authenticated_user_language is $authenticated_user_language");
172 // Clear all uploaded import files for this user if it exists
174 $tmp_file_name = $sugar_config['import_dir']."IMPORT_".$GLOBALS['current_user']->id;
176 if (file_exists($tmp_file_name)) {
177 unlink($tmp_file_name);
186 * On every page hit this will be called to ensure a user is authenticated
189 function sessionAuthenticate(){
191 global $module, $action, $allowed_actions;
192 $authenticated = false;
193 $allowed_actions = array ("Authenticate", "Login"); // these are actions where the user/server keys aren't compared
194 if (isset ($_SESSION['authenticated_user_id'])) {
196 $GLOBALS['log']->debug("We have an authenticated user id: ".$_SESSION["authenticated_user_id"]);
198 $authenticated = $this->postSessionAuthenticate();
201 if (isset ($action) && isset ($module) && $action == "Authenticate" && $module == "Users") {
202 $GLOBALS['log']->debug("We are authenticating user now");
204 $GLOBALS['log']->debug("The current user does not have a session. Going to the login page");
207 $_REQUEST['action'] = $action;
208 $_REQUEST['module'] = $module;
210 if (empty ($GLOBALS['current_user']->id) && !in_array($action, $allowed_actions)) {
212 $GLOBALS['log']->debug("The current user is not logged in going to login page");
215 $_REQUEST['action'] = $action;
216 $_REQUEST['module'] = $module;
220 if($authenticated && ((empty($_REQUEST['module']) || empty($_REQUEST['action'])) || ($_REQUEST['module'] != 'Users' || $_REQUEST['action'] != 'Logout'))){
223 return $authenticated;
230 * Called after a session is authenticated - if this returns false the sessionAuthenticate will return false and destroy the session
231 * and it will load the current user
235 function postSessionAuthenticate(){
237 global $action, $allowed_actions, $sugar_config;
238 $_SESSION['userTime']['last'] = time();
239 $user_unique_key = (isset ($_SESSION['unique_key'])) ? $_SESSION['unique_key'] : '';
240 $server_unique_key = (isset ($sugar_config['unique_key'])) ? $sugar_config['unique_key'] : '';
242 //CHECK IF USER IS CROSSING SITES
243 if (($user_unique_key != $server_unique_key) && (!in_array($action, $allowed_actions)) && (!isset ($_SESSION['login_error']))) {
246 $post_login_nav = '';
247 if (!empty ($record) && !empty ($action) && !empty ($module)) {
248 $post_login_nav = "&login_module=".$module."&login_action=".$action."&login_record=".$record;
250 $GLOBALS['log']->debug('Destroying Session User has crossed Sites');
251 header("Location: index.php?action=Login&module=Users".$post_login_nav);
254 if (!$this->userAuthenticate->loadUserOnSession($_SESSION['authenticated_user_id'])) {
256 header("Location: index.php?action=Login&module=Users&loginErrorMessage=LBL_SESSION_EXPIRED");
257 $GLOBALS['log']->debug('Current user session does not exist redirecting to login');
260 $GLOBALS['log']->debug('Current user is: '.$GLOBALS['current_user']->user_name);
265 * Make sure a user isn't stealing sessions so check the ip to ensure that the ip address hasn't dramatically changed
268 function validateIP() {
269 global $sugar_config;
270 // grab client ip address
271 $clientIP = query_client_ip();
273 // check to see if config entry is present, if not, verify client ip
274 if (!isset ($sugar_config['verify_client_ip']) || $sugar_config['verify_client_ip'] == true) {
275 // check to see if we've got a current ip address in $_SESSION
276 // and check to see if the session has been hijacked by a foreign ip
277 if (isset ($_SESSION["ipaddress"])) {
278 $session_parts = explode(".", $_SESSION["ipaddress"]);
279 $client_parts = explode(".", $clientIP);
280 if(count($session_parts) < 4) {
284 // match class C IP addresses
285 for ($i = 0; $i < 3; $i ++) {
286 if ($session_parts[$i] == $client_parts[$i]) {
295 // we have a different IP address
296 if ($_SESSION["ipaddress"] != $clientIP && empty ($classCheck)) {
297 $GLOBALS['log']->fatal("IP Address mismatch: SESSION IP: {$_SESSION['ipaddress']} CLIENT IP: {$clientIP}");
299 die("Your session was terminated due to a significant change in your IP address. <a href=\"{$sugar_config['site_url']}\">Return to Home</a>");
302 $_SESSION["ipaddress"] = $clientIP;
312 * Called when a user requests to logout
318 header('Location: index.php?module=Users&action=Login');
324 * Encodes a users password. This is a static function and can be called at any time.
326 * @param STRING $password
327 * @return STRING $encoded_password
329 function encodePassword($password){
330 return strtolower(md5($password));
334 * If a user may change there password through the Sugar UI
337 function canChangePassword(){
341 * If a user may change there user name through the Sugar UI
344 function canChangeUserName(){