]> CyberLeo.Net >> Repos - Github/sugarcrm.git/blob - modules/Users/authentication/SugarAuthenticate/SugarAuthenticate.php
projects / Github / sugarcrm.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Release 6.4.0
[Github/sugarcrm.git] / modules / Users / authentication / SugarAuthenticate / SugarAuthenticate.php
1 <?php
2 if(!defined('sugarEntry') || !sugarEntry) die('Not A Valid Entry Point');
3 /*********************************************************************************
4  * SugarCRM Community Edition is a customer relationship management program developed by
5  * SugarCRM, Inc. Copyright (C) 2004-2011 SugarCRM Inc.
6  * 
7  * This program is free software; you can redistribute it and/or modify it under
8  * the terms of the GNU Affero General Public License version 3 as published by the
9  * Free Software Foundation with the addition of the following permission added
10  * to Section 15 as permitted in Section 7(a): FOR ANY PART OF THE COVERED WORK
11  * IN WHICH THE COPYRIGHT IS OWNED BY SUGARCRM, SUGARCRM DISCLAIMS THE WARRANTY
12  * OF NON INFRINGEMENT OF THIRD PARTY RIGHTS.
13  * 
14  * This program is distributed in the hope that it will be useful, but WITHOUT
15  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
16  * FOR A PARTICULAR PURPOSE.  See the GNU Affero General Public License for more
17  * details.
18  * 
19  * You should have received a copy of the GNU Affero General Public License along with
20  * this program; if not, see http://www.gnu.org/licenses or write to the Free
21  * Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
22  * 02110-1301 USA.
23  * 
24  * You can contact SugarCRM, Inc. headquarters at 10050 North Wolfe Road,
25  * SW2-130, Cupertino, CA 95014, USA. or at email address contact@sugarcrm.com.
26  * 
27  * The interactive user interfaces in modified source and object code versions
28  * of this program must display Appropriate Legal Notices, as required under
29  * Section 5 of the GNU Affero General Public License version 3.
30  * 
31  * In accordance with Section 7(b) of the GNU Affero General Public License version 3,
32  * these Appropriate Legal Notices must retain the display of the "Powered by
33  * SugarCRM" logo. If the display of the logo is not reasonably feasible for
34  * technical reasons, the Appropriate Legal Notices must display the words
35  * "Powered by SugarCRM".
36  ********************************************************************************/
37
38
39
40
41 /**
42  * This file is used to control the authentication process.
43  * It will call on the user authenticate and controll redirection
44  * based on the users validation
45  *
46  */
47 class SugarAuthenticate{
48         var $userAuthenticateClass = 'SugarAuthenticateUser';
49         var $authenticationDir = 'SugarAuthenticate';
50         /**
51          * Constructs SugarAuthenticate
52          * This will load the user authentication class
53          *
54          * @return SugarAuthenticate
55          */
56         function SugarAuthenticate()
57         {
58             // check in custom dir first, in case someone want's to override an auth controller
59                 if (file_exists('custom/modules/Users/authentication/'.$this->authenticationDir.'/' . $this->userAuthenticateClass . '.php')) {
60             require_once('custom/modules/Users/authentication/'.$this->authenticationDir.'/' . $this->userAuthenticateClass . '.php');
61         }
62         elseif (file_exists('modules/Users/authentication/'.$this->authenticationDir.'/' . $this->userAuthenticateClass . '.php')) {
63             require_once('modules/Users/authentication/'.$this->authenticationDir.'/' . $this->userAuthenticateClass . '.php');
64         }
65
66         $this->userAuthenticate = new $this->userAuthenticateClass();
67         }
68         /**
69          * Authenticates a user based on the username and password
70          * returns true if the user was authenticated false otherwise
71          * it also will load the user into current user if he was authenticated
72          *
73          * @param string $username
74          * @param string $password
75          * @return boolean
76          */
77         function loginAuthenticate($username, $password, $fallback=false, $PARAMS = array ()){
78                 global $mod_strings;
79                 unset($_SESSION['login_error']);
80                 $usr= new user();
81                 $usr_id=$usr->retrieve_user_id($username);
82                 $usr->retrieve($usr_id);
83                 $_SESSION['login_error']='';
84                 $_SESSION['waiting_error']='';
85                 $_SESSION['hasExpiredPassword']='0';
86                 if ($this->userAuthenticate->loadUserOnLogin($username, $password, $fallback, $PARAMS)) {
87                         require_once('modules/Users/password_utils.php');
88                         if(hasPasswordExpired($username)) {
89                                 $_SESSION['hasExpiredPassword'] = '1';
90                         }
91                         // now that user is authenticated, reset loginfailed
92                         if ($usr->getPreference('loginfailed') != '' && $usr->getPreference('loginfailed') != 0) {
93                                 $usr->setPreference('loginfailed','0');
94                                 $usr->savePreferencesToDB();
95                         }
96                         return $this->postLoginAuthenticate();
97
98                 }
99                 else
100                 {
101                         if(!empty($usr_id) && $res['lockoutexpiration'] > 0){
102                                 if (($logout=$usr->getPreference('loginfailed'))=='')
103                                 $usr->setPreference('loginfailed','1');
104                         else
105                                 $usr->setPreference('loginfailed',$logout+1);
106                         $usr->savePreferencesToDB();
107                 }
108                 }
109                 if(strtolower(get_class($this)) != 'sugarauthenticate'){
110                         $sa = new SugarAuthenticate();
111                         $error = (!empty($_SESSION['login_error']))?$_SESSION['login_error']:'';
112                         if($sa->loginAuthenticate($username, $password, true, $PARAMS)){
113                                 return true;
114                         }
115                         $_SESSION['login_error'] = $error;
116                 }
117
118
119                 $_SESSION['login_user_name'] = $username;
120                 $_SESSION['login_password'] = $password;
121                 if(empty($_SESSION['login_error'])){
122                         $_SESSION['login_error'] = translate('ERR_INVALID_PASSWORD', 'Users');
123                 }
124
125                 return false;
126
127         }
128
129         /**
130          * Once a user is authenticated on login this function will be called. Populate the session with what is needed and log anything that needs to be logged
131          *
132          */
133         function postLoginAuthenticate(){
134
135                 global $reset_theme_on_default_user, $reset_language_on_default_user, $sugar_config;
136                 //THIS SECTION IS TO ENSURE VERSIONS ARE UPTODATE
137
138                 require_once ('modules/Versions/CheckVersions.php');
139                 $invalid_versions = get_invalid_versions();
140                 if (!empty ($invalid_versions)) {
141                         if (isset ($invalid_versions['Rebuild Relationships'])) {
142                                 unset ($invalid_versions['Rebuild Relationships']);
143
144                                 // flag for pickup in DisplayWarnings.php
145                                 $_SESSION['rebuild_relationships'] = true;
146                         }
147
148                         if (isset ($invalid_versions['Rebuild Extensions'])) {
149                                 unset ($invalid_versions['Rebuild Extensions']);
150
151                                 // flag for pickup in DisplayWarnings.php
152                                 $_SESSION['rebuild_extensions'] = true;
153                         }
154
155                         $_SESSION['invalid_versions'] = $invalid_versions;
156                 }
157
158
159                 //just do a little house cleaning here
160                 unset($_SESSION['login_password']);
161                 unset($_SESSION['login_error']);
162                 unset($_SESSION['login_user_name']);
163                 unset($_SESSION['ACL']);
164
165                 //set the server unique key
166                 if (isset ($sugar_config['unique_key']))$_SESSION['unique_key'] = $sugar_config['unique_key'];
167
168                 //set user language
169                 if (isset ($reset_language_on_default_user) && $reset_language_on_default_user && $GLOBALS['current_user']->user_name == $sugar_config['default_user_name']) {
170                         $authenticated_user_language = $sugar_config['default_language'];
171                 } else {
172                         $authenticated_user_language = isset($_REQUEST['login_language']) ? $_REQUEST['login_language'] : (isset ($_REQUEST['ck_login_language_20']) ? $_REQUEST['ck_login_language_20'] : $sugar_config['default_language']);
173                 }
174
175                 $_SESSION['authenticated_user_language'] = $authenticated_user_language;
176
177                 $GLOBALS['log']->debug("authenticated_user_language is $authenticated_user_language");
178
179                 // Clear all uploaded import files for this user if it exists
180         require_once('modules/Import/ImportCacheFiles.php');
181         $tmp_file_name = ImportCacheFiles::getImportDir()."/IMPORT_" . $GLOBALS['current_user']->id;
182
183                 if (file_exists($tmp_file_name)) {
184                         unlink($tmp_file_name);
185                 }
186
187                 return true;
188         }
189
190         /**
191          * On every page hit this will be called to ensure a user is authenticated
192          * @return boolean
193          */
194         function sessionAuthenticate(){
195
196                 global $module, $action, $allowed_actions;
197                 $authenticated = false;
198                 $allowed_actions = array ("Authenticate", "Login"); // these are actions where the user/server keys aren't compared
199                 if (isset ($_SESSION['authenticated_user_id'])) {
200
201                         $GLOBALS['log']->debug("We have an authenticated user id: ".$_SESSION["authenticated_user_id"]);
202
203                         $authenticated = $this->postSessionAuthenticate();
204
205                 } else
206                 if (isset ($action) && isset ($module) && $action == "Authenticate" && $module == "Users") {
207                         $GLOBALS['log']->debug("We are authenticating user now");
208                 } else {
209                         $GLOBALS['log']->debug("The current user does not have a session.  Going to the login page");
210                         $action = "Login";
211                         $module = "Users";
212                         $_REQUEST['action'] = $action;
213                         $_REQUEST['module'] = $module;
214                 }
215                 if (empty ($GLOBALS['current_user']->id) && !in_array($action, $allowed_actions)) {
216
217                         $GLOBALS['log']->debug("The current user is not logged in going to login page");
218                         $action = "Login";
219                         $module = "Users";
220                         $_REQUEST['action'] = $action;
221                         $_REQUEST['module'] = $module;
222
223                 }
224
225                 if($authenticated && ((empty($_REQUEST['module']) || empty($_REQUEST['action'])) || ($_REQUEST['module'] != 'Users' || $_REQUEST['action'] != 'Logout'))){
226                         $this->validateIP();
227                 }
228                 return $authenticated;
229         }
230
231
232
233
234         /**
235          * Called after a session is authenticated - if this returns false the sessionAuthenticate will return false and destroy the session
236          * and it will load the  current user
237          * @return boolean
238          */
239
240         function postSessionAuthenticate(){
241
242                 global $action, $allowed_actions, $sugar_config;
243                 $_SESSION['userTime']['last'] = time();
244                 $user_unique_key = (isset ($_SESSION['unique_key'])) ? $_SESSION['unique_key'] : '';
245                 $server_unique_key = (isset ($sugar_config['unique_key'])) ? $sugar_config['unique_key'] : '';
246
247                 //CHECK IF USER IS CROSSING SITES
248                 if (($user_unique_key != $server_unique_key) && (!in_array($action, $allowed_actions)) && (!isset ($_SESSION['login_error']))) {
249
250                         session_destroy();
251                         $post_login_nav = '';
252                         if (!empty ($record) && !empty ($action) && !empty ($module)) {
253                                 $post_login_nav = "&login_module=".$module."&login_action=".$action."&login_record=".$record;
254                         }
255                         $GLOBALS['log']->debug('Destroying Session User has crossed Sites');
256                         header("Location: index.php?action=Login&module=Users".$post_login_nav);
257                         sugar_cleanup(true);
258                 }
259                 if (!$this->userAuthenticate->loadUserOnSession($_SESSION['authenticated_user_id'])) {
260                         session_destroy();
261                         header("Location: index.php?action=Login&module=Users&loginErrorMessage=LBL_SESSION_EXPIRED");
262                         $GLOBALS['log']->debug('Current user session does not exist redirecting to login');
263                         sugar_cleanup(true);
264                 }
265                 $GLOBALS['log']->debug('Current user is: '.$GLOBALS['current_user']->user_name);
266                 return true;
267         }
268
269         /**
270          * Make sure a user isn't stealing sessions so check the ip to ensure that the ip address hasn't dramatically changed
271          *
272          */
273         function validateIP() {
274                 global $sugar_config;
275                 // grab client ip address
276                 $clientIP = query_client_ip();
277                 $classCheck = 0;
278                 // check to see if config entry is present, if not, verify client ip
279                 if (!isset ($sugar_config['verify_client_ip']) || $sugar_config['verify_client_ip'] == true) {
280                         // check to see if we've got a current ip address in $_SESSION
281                         // and check to see if the session has been hijacked by a foreign ip
282                         if (isset ($_SESSION["ipaddress"])) {
283                                 $session_parts = explode(".", $_SESSION["ipaddress"]);
284                                 $client_parts = explode(".", $clientIP);
285                 if(count($session_parts) < 4) {
286                     $classCheck = 0;
287                 }
288                 else {
289                                 // match class C IP addresses
290                                 for ($i = 0; $i < 3; $i ++) {
291                                         if ($session_parts[$i] == $client_parts[$i]) {
292                                                 $classCheck = 1;
293                                                 continue;
294                                         } else {
295                                                 $classCheck = 0;
296                                                 break;
297                                         }
298                                 }
299                 }
300                                 // we have a different IP address
301                                 if ($_SESSION["ipaddress"] != $clientIP && empty ($classCheck)) {
302                                         $GLOBALS['log']->fatal("IP Address mismatch: SESSION IP: {$_SESSION['ipaddress']} CLIENT IP: {$clientIP}");
303                                         session_destroy();
304                                         die("Your session was terminated due to a significant change in your IP address.  <a href=\"{$sugar_config['site_url']}\">Return to Home</a>");
305                                 }
306                         } else {
307                                 $_SESSION["ipaddress"] = $clientIP;
308                         }
309                 }
310
311         }
312
313
314
315
316         /**
317          * Called when a user requests to logout
318          *
319          */
320         function logout(){
321                         session_destroy();
322                         ob_clean();
323                         header('Location: index.php?module=Users&action=Login');
324                         sugar_cleanup(true);
325         }
326
327
328         /**
329          * Encodes a users password. This is a static function and can be called at any time.
330          *
331          * @param STRING $password
332          * @return STRING $encoded_password
333          */
334         function encodePassword($password){
335                 return strtolower(md5($password));
336         }
337
338         /**
339          * If a user may change there password through the Sugar UI
340          *
341          */
342         function canChangePassword(){
343                 return true;
344         }
345         /**
346          * If a user may change there user name through the Sugar UI
347          *
348          */
349         function canChangeUserName(){
350                 return true;
351         }
352
353
354     /**
355      * pre_login
356      * 
357      * This function allows the SugarAuthenticate subclasses to perform some pre login initialization as needed
358      */
359     function pre_login()
360     {
361     }
362
363 }
SugarCRM local repository, cloned from git://github.com/sugarcrm/sugarcrm_dev.git