EGOCMS  18.0
EGOTEC Content-Managament-System
Auth.php
gehe zur Dokumentation dieser Datei
1 <?php
6 require_once('rights/User_SQL.php');
7 
14 class Auth_Exception extends Exception
15 {
16  const LOGIN_REQUIRED = 1;
17  const LOGIN_REQUIRED_TEXT = 'Bitte melden Sie sich an.';
19  const WRONG_PASSWORD = 2;
20  const WRONG_PASSWORD_TEXT = 'Falscher Benutzername oder falsches Passwort.';
23  const LOGIN_DENIED = 3;
24  const LOGIN_DENIED_TEXT = 'Sie dürfen sich an diesem Server nicht anmelden.';
27  const WRONG_IP = 4;
28  const WRONG_IP_TEXT = 'Sie dürfen sich auf Grund der IP-Beschränkungen nicht anmelden';
31  const WRONG_TIME = 5;
32  const WRONG_TIME_TEXT = 'Sie dürfen sich auf Grund der Zeit-Beschränkung nicht anmelden';
35  const AUTH_ERROR = 6;
36  const AUTH_ERROR_TEXT = 'Fehlerhafte Konfiguration.';
39  const NO_MULTIPLE_LOGIN = 7;
40  const NO_MULTIPLE_LOGIN_TEXT = 'Dieser Benutzer befindet sich zur Zeit schon im System.';
43  const WRONG_PASSWORD_LIMIT = 8;
44  const WRONG_PASSWORD_LIMIT_TEXT = 'Das Passwort wurde zu oft falsch eingegeben.';
47  const CONCURRENT_USERS_LIMIT = 9;
48  const CONCURRENT_USERS_LIMIT_TEXT = 'Sie dürfen sich derzeit am System nicht anmelden, da die maximale Anzahl an gleichzeitigen Benutzern erreicht ist. Bitte versuchen Sie es später erneut.';
51  const PERMISSION_DENIED = 32;
52  const PERMISSION_DENIED_TEXT = 'Der Zugriff wird auf Grund fehlender Rechte verweigert.';
55  const MUST_CHANGE_PASSWORD = 64;
56  const MUST_CHANGE_PASSWORD_TEXT = 'Das Passwort muss geändert werden.';
59  const INVALID_LOGIN_PARAMETERS = 128;
60  const INVALID_LOGIN_PARAMETERS_TEXT = 'Bitte geben Sie einen Benutzernamen an.';
61 
62  const LOGIN_TIMED_OUT = 256;
63  const LOGIN_TIMED_OUT_TEXT = 'Ihre Anmeldung ist abgelaufen. Bitte melden Sie sich erneut an.';
64 
65  function __construct($text, $nr)
66  {
67  if ($nr == 2) // falsches Passwort
68  {
69  $bf_file = $GLOBALS['egotec_conf']['tmp_dir'].'wrong_pwd'.md5(Ego_System::getIp());
70  if(file_exists($bf_file))
71  {
72  list ($s, $n) = explode(' ', file_get_contents($bf_file));
73  }
74  file_put_contents($bf_file, $s.' '.(++$n));
75  }
76  parent::__construct($text, $nr);
77  }
78 }
79 
88 class Auth
89 {
90  const LOGIN = 'login';
91  const LOGOUT = 'logout';
92  const ID = 'id';
93  const WEBDAV = 'webdav';
94  const NO_NULL_RIGHTS = ',child,edit,release,remove,view,workflow,live,linkto,';
95 
96  protected $_id = '';
97  public $user;
99  private static $_userRecord = array();
100  private $superUserFlag = null;
101 
102  public $isEditable = true;
112  public function __construct($force_login=false, $id='', $action='', $param=array())
113  {
114  $this->_id = $id;
115  if(isset($action))
116  {
117  switch ($action)
118  {
119  case Auth::LOGIN: // Benutzer anmeldem.
120  $this->reset();
121  $this->_id = $this->validate($param['username'], $param['password']);
122  $this->_id = $this->postValidate();
123  break;
124  case Auth::LOGOUT: // Benutzer abmelden.
125  $this->reset();
126  break;
127  case Auth::ID: // Als Benutzer über die ID anmelden.
128  $this->_id = $this->postValidate();
129  $this->clearCache();
130  }
131  }
132  if (!$this->_id && $force_login)
133  {
134  throw new Auth_Exception(Auth_Exception::LOGIN_REQUIRED_TEXT, Auth_Exception::LOGIN_REQUIRED);
135  }
136  if ($this->_id)
137  {
138  if (!$action && $_SESSION['AUTH_TIME'][$this->_id] && $_SESSION['AUTH_TIME'][$this->_id]+$GLOBALS['egotec_conf']['auth_timeout']<time())
139  { // Timeout.
140  $this->reset();
141  throw new Auth_Exception(Auth_Exception::LOGIN_TIMED_OUT_TEXT, Auth_Exception::LOGIN_TIMED_OUT);
142  } else
143  {
144  if (!$this->user) {
145  $this->user = $this->_getUser();
146  }
147  $_SESSION['AUTH_TIME'][$this->_id] = time();
148 
149  if (in_array($action, array(Auth::LOGIN, Auth::ID)) && $GLOBALS['admin_area'] !== 'webdav')
150  {
151  $db = new_db_connection();
152  $this->user->extra['Anzahl_login'] = $this->user->extra['Anzahl_login'] +1;
153  $this->user->extra['Anzahl_login_'.$GLOBALS['site']->name] = $this->user->extra['Anzahl_login_'.$GLOBALS['site']->name] +1;
154  $sid = session_id();
155  $now = date('Y-m-d H:i:s');
156  $db->update(array(
157  'table' => 'egotec_user',
158  'set' => array(
159  'sid' => $sid,
160  'last_login' => $now,
161  'extra' => serialize($this->user->extra)
162  ),
163  'where' => 'user_id=\''.$this->_id.'\''
164  ));
165  }
166  }
167  }
168  }
169 
173  public function reset()
174  {
175  $this->clearCache();
176  unset($_SESSION['AUTH_TIME']);
177  unset($_SESSION['auth_id']);
178  unset($_SESSION['intranet_admin']);
179  unset($_SESSION['is_adoptuser']);
180  unset($_SESSION['login']);
181  if (!empty($GLOBALS['egotec_conf']['auth']['sso_logout'])) {
182  $_SESSION['logout'] = true; // Nach dem ersten Logout gibt es kein SSO mehr.
183  }
184  if ($this->_id)
185  {
186  $db = new_db_connection();
187  $db->delete(array(
188  'table' => 'egotec_page_lock',
189  'where' => 'user_id=\''.$this->_id.'\''
190  ));
191  $db->update(array(
192  'table' => 'egotec_user',
193  'set' => array('sid' => ''),
194  'where' => 'user_id=\''.$this->_id.'\''
195  ));
196  }
197  $this->_id = '';
198  }
199 
222  public function validate($username, $password) {
223  if (!$password) {
224  throw new Auth_Exception(Auth_Exception::WRONG_PASSWORD_TEXT, Auth_Exception::WRONG_PASSWORD);
225  }
226 
227  // Den Benutzer in der Datenbank abfragen
228  $db = new_db_connection(array(
229  'fields' => '*',
230  'from' => 'egotec_user',
231  'where' => 'username = :username',
232  'bind' => array(
233  'username' => $username
234  )
235  ));
236 
237  if ($db->nextRecord()) {
238  // Benutzer wurde gefunden
239  $id = $db->Record['user_id'];
240  $this->_id = $id;
241  $this->user = $this->_getUser();
242 
243  if (!$this->user->isPassword($password)) {
244  $this->_id = '';
245  throw new Auth_Exception(Auth_Exception::WRONG_PASSWORD_TEXT, Auth_Exception::WRONG_PASSWORD);
246  } elseif (!$this->user->field['salt']) {
247  // Salt setzen
248  $this->user->setPassword($password);
249  $this->user->update();
250  }
251 
252  return $id;
253  }
254  throw new Auth_Exception(Auth_Exception::WRONG_PASSWORD_TEXT, Auth_Exception::WRONG_PASSWORD);
255  }
256 
262  public function clearTrashUsers() {
263  $db = new_db_connection();
264  if ($this->hasSuperuserPermission(true, true)) {
265  // Alle Benutzer löschen
266  $db->delete(array(
267  'table' => 'egotec_user',
268  'where' => 'deleted = 1'
269  ));
270  } else {
271  // Nur Benutzer löschen, für die man Rechte besitzt
272  $users = $this->getTrashUsers();
273  $user_ids = array();
274  foreach ($users as $user) {
275  $user_ids[] = $user['user_id'];
276  }
277  if (!empty($user_ids)) {
278  $db->delete(array(
279  'table' => 'egotec_user',
280  'where' => "deleted = 1 AND user_id IN ('" . implode("', '", $user_ids) . "')"
281  ));
282  }
283  }
284  $msg = $this->translate("Der Benutzer Papierkorb wurde geleert.");
285  return $msg;
286  }
287 
293  public function getTrashUsers() {
294  $db = new_db_connection();
295  $db->select(array(
296  'table' => 'egotec_user',
297  'where' => 'deleted = 1'
298  ));
299  $users = array();
300  while ($db->nextRecord()) {
301  if (!$this->hasSuperuserPermission(true, true)) {
302  $user = new User_SQL($db->Record['user_id']);
303  $rel = $user->getGroupRoleRelations();
304  if (!empty($rel)) { // Nicht zugeordnete Benutzer darf jeder bearbeiten
305  $next = true;
306  foreach ($rel as $group => $roles) {
307  $roles = explode(',', $roles);
308  foreach ($roles as $role) {
309  if ($this->hasPermission($group, $role, false, false, false)) {
310  $next = false;
311  break 2;
312  }
313  }
314  }
315  if ($next) {
316  continue;
317  }
318  }
319  }
320  $users[] = $db->Record;
321  }
322  return $users;
323  }
324 
328  public function postValidate()
329  {
330  if (!$this->_id)
331  {
332  return false;
333  }
334  try {
335  $this->user = new User_SQL($this->_id);
336  } catch (User_Exception $e) {
337  return false;
338  }
339 
340  $this->extra = $this->user->extra;
341 
350  $days = array("Mon","Tue","Wed","Thu","Fri","Sat","Sun");
351  $group_ips = array();
352  $user_ips = array();
353  $group_times = array();
354  $user_times = array();
355 
356  if ($this->user->extra['ip_rights'] != "")
357  {
358  $user_ip_arr = explode("\n", $this->user->extra['ip_rights']);
359  foreach ($user_ip_arr as $entry)
360  {
361  $entry = str_replace('*', '', $entry);
362  $entry = trim($entry);
363  if ($entry)
364  {
365  $user_ips['_'.$entry] = $entry;
366  }
367  }
368  }
369 
370  if ($this->user->extra['time_rights'] != '')
371  {
372  $user_time_arr = explode("\n", $this->user->extra['time_rights']);
373  foreach ($user_time_arr as $entry)
374  {
375  $day_arr = explode(" ",$entry);
376  $user_times[$day_arr[0]] = $day_arr[1];
377  }
378  }
379 
380  $db = new_db_connection(array(
381  'fields' => '*',
382  'from' => 'egotec_user_group',
383  'join' => array('egotec_group on egotec_group.group_id = egotec_user_group.group_id'),
384  'where' => "user_id='$this->_id'"
385  ));
386 
387  $groupDesc_arr = array();
388  do {
389  $groupDesc = str_replace("\n\r", "\n", $db->Record['group_descr']);
390  if (strpos($groupDesc, "\n\n")>=0)
391  {
392  $groupDesc_arr1 = explode("\n", $groupDesc);
393  foreach ($groupDesc_arr1 as $line)
394  {
395  if (trim($line)=='')
396  {
397  $add_flag = false;
398  }else
399  {
400  $groupDesc_arr[] = trim($line);
401  }
402  }
403  }
404  }while($db->nextRecord());
405 
406 
407 
408  if ($groupDesc_arr)
409  {
410  // die berschreibung durchgehen
411  foreach ($groupDesc_arr as $entry)
412  {
413  // check ob $entry eine IP ist
414  if (strpos($entry, 'IP:') === 0)
415  {
416  $entry = str_replace('IP:', '', $entry);
417  $entry = trim($entry);
418  $ip_arr = explode(' ',$entry);
419  $ip_arr[0] = trim(str_replace('*', '',$ip_arr[0]));
420  $group_ips['_'.$ip_arr[0]] = $ip_arr[0];
421  continue;
422  }
423 
424  // check ob $entry eine zeit ist
425  foreach ($days as $day)
426  {
427 
428  if (strpos($entry, "$day ") === 0)
429  { // wir haben einen tag
430  $group_times[] = $entry;
431  }
432  }
433  }
434  }
435 
436  $ips = array_merge($group_ips,$user_ips);
437  $times = array_merge($group_times,$user_times);
438 
439  // check ob die IP gleich der Session IP ist. bzw ob welche da sind
440  if (count($ips) > 0)
441  {
442  $ipcheck = false;
443  $currentIP = Ego_System::getIp();
444  foreach ($ips as $ip)
445  {
446  if (strpos($currentIP, $ip)===0)
447  {
448  $ipcheck = true;
449  break;
450  }
451  }
452 
453  if (!$ipcheck)
454  {
455  throw new Auth_Exception(Auth_Exception::WRONG_IP_TEXT, Auth_Exception::WRONG_IP);
456  }
457  }
458 
459  // check ob eine zeitbeschraenkung vorliegt bzw. ob der benutzer in diesem Zeit Frame ist
460  if (count($times) > 0)
461  {
462  $timecheck = false;
463 
464  // aktueller tag mit stunde
465  // Mon-10
466  //echo date('D-H'); exit;
467  $dayTime_arr = explode('-', date('D-H'));
468 
469  foreach($times as $entry)
470  {
471  $day_arr = explode(' ',$entry);
472  $day = $day_arr[0];
473  $time = $day_arr[1];
474  $time_arr = explode("-",$time);
475  $day_start = $time_arr[0];
476  $day_end = $time_arr[1];
477 
478  if($day == $dayTime_arr[0])
479  { //aktueller tag
480  if($dayTime_arr[1] < $day_start)
481  {
482  break; // frame hat noch nicht angefangen
483  }
484  elseif($dayTime_arr[1] >= $day_end)
485  {
486  break; // frame zu ende
487  }
488  else
489  {
490  // im zeit frame
491  $timecheck = true;
492  }
493  }
494  }
495 
496  if(!$timecheck)
497  {
498  throw new Auth_Exception(Auth_Exception::WRONG_TIME_TEXT, Auth_Exception::WRONG_TIME);
499  }
500  }
501  if (isset($GLOBALS['admin_area']) && $GLOBALS['egotec_conf']['liveserver'])
502  { // Auf einem Liveserver
503  if (!$this->user->extra['liveserver'])
504  {
505  throw new Auth_Exception(Auth_Exception::LOGIN_DENIED_TEXT, Auth_Exception::LOGIN_DENIED);
506  }
507  }
508  if ($this->user->isInactive()) {
509  // Ein inaktiver Benutzer kann sich nicht anmelden.
510  throw new Auth_Exception(Auth_Exception::WRONG_PASSWORD_TEXT, Auth_Exception::WRONG_PASSWORD);
511  }
512  if (!$this->user->getGroupRoleRelations()) {
513  // Nicht zugeordneter Benutzer kann sich nicht anmelden.
514  throw new Auth_Exception(Auth_Exception::LOGIN_DENIED_TEXT, Auth_Exception::LOGIN_DENIED);
515  }
516  if ($this->user->field['sid']
517  && !$this->user->field['multiple_login']
518  && $this->user->field['sid']!=$_COOKIE[EGOTEC]
519  && $this->user->isActive()
520  && $GLOBALS['admin_area'] != 'webdav'
521  ) {
522  // Meldet sich ein Benutzer mit einer neuen Session an, so wird die alte zerstört und der Benutzer angemeldet.
523  sess_destroy($this->user->field['sid']);
524  }
525  self::makeFlat($this->_id);
526  if ($GLOBALS['admin_area']) {
527  // Anmeldung über den Adminbereich
528  $_SESSION['login']['admin'] = true;
529  }
530  return $this->_id;
531  }
532 
538  function getId()
539  {
540  return $this->_id;
541  }
542 
548  public function getAnonymousId() {
549  return '#'.substr(
550  md5(Ego_System::getIp().$_SERVER['HTTP_USER_AGENT']),
551  1
552  ); // muss 32-Zeichen lang sein
553  }
554 
571  public function translate($string, $placeholders = array(), $language = null)
572  {
573  global $site;
574  require_once('smarty/Ego_Smarty.php');
575  require_once('smarty/plugins/block.t.php');
576  $smarty = $GLOBALS['smarty']?$GLOBALS['smarty']:new Ego_Smarty();
577 
578  if ($language) {
579  $params['language'] = $language;
580  } elseif (!$GLOBALS['admin_area']) {
581  $params['language'] = $site->language;
582  } else {
583  $params['language'] = $this->user&&$this->user->extra['lang']?$this->user->extra['lang']:'de';
584  }
585  $params['placeholders'] = $placeholders;
586  return smarty_block_t($params, $string, $smarty);
587  }
588 
602  function getPageTableQuery($page_table, $rights, $query=array(), $param=array())
603  {
604  $is_null = true;
605  if (is_array($rights))
606  {
607  if (sizeof($rights)>1)
608  {
609  $rights_condition = ' IN (\''.join('\',\'', $rights).'\')';
610  $is_null = false;
611  foreach ($rights as $right)
612  {
613  if (strpos(Auth::NO_NULL_RIGHTS, ','.$right.',')===false)
614  {
615  $is_null = true;
616  }
617  }
618  } else
619  {
620  $rights_condition = '=\''.$rights[0].'\'';
621  if (strpos(Auth::NO_NULL_RIGHTS, ','.$rights[0].',')!==false)
622  {
623  $is_null = false;
624  }
625  }
626  } else
627  {
628  $rights_condition = '=\''.$rights.'\'';
629  if (strpos(Auth::NO_NULL_RIGHTS, ','.$rights.',')!==false)
630  {
631  $is_null = false;
632  }
633  }
634  if ($param['user_id'])
635  {
636  $user_id = $param['user_id'];
637  self::makeFlat($user_id);
638  } else {
639  $user_id = $this->_id;
640  if ($this->hasSuperuserPermission())
641  { // Ein Superuser darf alles.
642  return $query;
643  }
644  }
645  $as_page_table = $query['page_table'] ?? $page_table;
646  if ($user_id)
647  {
648  if (isset($query['join']) && !is_array($query['join'])) {
649  $query['join'] = array($query['join']);
650  egotec_deprecated_log('14.6.3'); // join muss als Array übergeben werden
651  }
652  $query['join'][] = $page_table.'_rights ON '.
653  $page_table.'_rights.page_id='.$as_page_table.'.id AND '.
654  $page_table.'_rights.perm'.$rights_condition;
655  $query['join'][] = 'egotec_user_group_flat ON '.
656  $page_table.'_rights.group_id=egotec_user_group_flat.group_id AND '.
657  $page_table.'_rights.role_id=egotec_user_group_flat.role_id AND '.
658  'egotec_user_group_flat.user_id=\''.$user_id.'\'';
659  $query['join'][] = $page_table.'_users ON '.
660  $page_table.'_users.page_id='.$as_page_table.'.id AND '.
661  $page_table.'_users.perm'.$rights_condition.' AND '.
662  $page_table.'_users.user_id=\''.$user_id.'\'';
663  $query['where'] = ($query['where']?$query['where'].' AND ':'').
664  '(egotec_user_group_flat.user_id IS NOT NULL OR '.
665  $page_table.'_rights.group_id=\'*\' OR '.
666  $page_table.'_users.user_id IS NOT NULL'.
667  ($is_null?' OR '.$page_table.'_rights.group_id IS NULL':'').
668  ($param['auth_or']?' OR '.$param['auth_or']:'').')';
669  $query['distinct'] = 1;
670  } else
671  { // Wenn keine Authentifizierung vorliegt, dann werden nur nicht beschränkte Seiten zurückgegeben.
672  $query['join'][] = $page_table.'_rights on '.$page_table.'_rights.page_id='.$as_page_table.'.id AND '.$page_table.'_rights.perm '.$rights_condition;
673  $query['where'] = ($query['where']?'('.$query['where'].') AND ':'').
674  '('.$page_table."_rights.group_id='*' AND ".$page_table."_rights.role_id='*')";
675  }
676  return $query;
677  }
678 
706  function hasPermission($group, $role='', $flag=false, $user_id=false, $equal=true)
707  {
708  if ($this->superUserFlag) {
709  return true; // Der Superuser darf alles.
710  }
711  if (is_array($group))
712  {
713  $role = $group['role'];
714  $flag = $group['flag'];
715  $group = $group['group'];
716  }
717  if (!$group && !$role)
718  {
719  return true;
720  }
721  if (!$user_id)
722  {
723  $user_id = $this->_id;
724  }
725  if (!$flag)
726  { // Nur auf Mitgliedschaft in übergeordnete Gruppen prüfen.
727  $db = new_db_connection(array(
728  'from' => 'egotec_user_group'.
729  ($group?', egotec_group, egotec_group user_group':'').
730  ($role?', egotec_role, egotec_role user_role':''),
731  'where' => "egotec_user_group.user_id = '".$user_id."'
732  ".($group?" AND
733  egotec_user_group.group_id = user_group.group_id AND
734  egotec_group.group_id = '$group' AND
735  user_group.links <= egotec_group.links AND
736  user_group.rechts >= egotec_group.rechts
737  ":'').($role?" AND
738  egotec_user_group.role_id = user_role.role_id AND
739  egotec_role.role_id = '$role' AND
740  user_role.links <= egotec_role.links AND
741  user_role.rechts >= egotec_role.rechts
742  ":'').(!$equal && $group && $role ?" AND (
743  user_group.links != egotec_group.links OR
744  user_role.links != egotec_role.links)
745  ":'')
746  ));
747  } else
748  { // Auf Mitgliedschaft in über und untergeordneten Gruppen prüfen.
749  $db = new_db_connection(array(
750  'from' => 'egotec_user_group'.
751  ($group?', egotec_group, egotec_group user_group':'').
752  ($role?', egotec_role, egotec_role user_role':''),
753  'where' => "egotec_user_group.user_id = '".$user_id."'
754  ".($group?" AND
755  egotec_user_group.group_id = user_group.group_id AND
756  egotec_group.group_id = '$group' AND ( (
757  user_group.links <= egotec_group.links AND
758  user_group.rechts >= egotec_group.rechts
759  ) OR (
760  egotec_group.links <= user_group.links AND
761  egotec_group.rechts >= user_group.rechts
762  ) )
763  ":'').($role?" AND
764  egotec_user_group.role_id = user_role.role_id AND
765  egotec_role.role_id = '$role' AND ( (
766  user_role.links <= egotec_role.links AND
767  user_role.rechts >= egotec_role.rechts
768  ) OR (
769  egotec_role.links <= user_role.links AND
770  egotec_role.rechts >= user_role.rechts
771  ) )
772  ":'')
773  ));
774  }
775  return (bool) $db->next();
776  }
777 
785  public function hasPermissionOn($object, $equal = true) {
786  if (is_a($object, 'User_SQL')) {
787  $relations = $object->getGroupRoleRelations();
788  if (empty($relations)) {
789  // Für nicht zugeordnete Benutzer hat man immer Rechte
790  return true;
791  }
792  foreach ($relations as $group => $roles) {
793  foreach (explode(',', $roles) as $role) {
794  if ($this->hasPermission($group, $role, false, false, $equal)) {
795  return true;
796  }
797  }
798  }
799  } elseif (is_a($object, 'Group_SQL')) {
800  return $this->hasPermission($object->field['group_id']);
801  } elseif (is_a($object, 'Role_SQL')) {
802  return $this->hasPermission('', $object->field['role_id']);
803  }
804  return false;
805  }
806 
823  function hasSuperuserPermission($session = true, $recalc = false) {
824  if ($recalc) {
825  $this->superUserFlag = null;
826  } elseif ($GLOBALS['soap'] || $GLOBALS['rest']) {
827  $session = false;
828  }
829  if ($this->superUserFlag === null || !$session) {
830  $this->superUserFlag = (!$session || $_SESSION['login']['is_superuser'])
831  && $this->hasPermission($GLOBALS['egotec_conf']['superuser']['group'], $GLOBALS['egotec_conf']['superuser']['role']);
832  }
833  return $this->superUserFlag;
834  }
835 
841  function isSoapUser()
842  {
843  if ($this->user->extra['anrede'] == "SOAP")
844  {
845  return true;
846  } else {
847  return false;
848  }
849  }
850 
865  function isNobody()
866  {
867  return $this->_id==NULL;
868  }
869 
892  function checkSuperuserPermission()
893  {
894  return $this->checkPermission($GLOBALS['egotec_conf']['superuser']['group'], $GLOBALS['egotec_conf']['superuser']['role']);
895  }
896 
924  function checkPermission($group, $role='', $flag = false)
925  {
926  if ($this->hasPermission($group, $role, $flag))
927  {
928  return true;
929  } else
930  {
931  throw new Auth_Exception(Auth_Exception::PERMISSION_DENIED_TEXT, Auth_Exception::PERMISSION_DENIED);
932  }
933  }
934 
949  public static function getLanguages()
950  {
951  $languages = array();
952  $handle = opendir($GLOBALS['egotec_conf']['lib_dir'].'locale');
953  while ($file = readdir ($handle))
954  {
955  if ($file[0] != '.')
956  {
957  $languages[] = $file;
958  }
959  }
960  closedir($handle);
961 
962  if(Ego_System::file_exists($GLOBALS['egotec_conf']['var_dir'].'lib/locale'))
963  {
964  $handle2 = opendir($GLOBALS['egotec_conf']['var_dir'].'lib/locale');
965  while ($file = readdir ($handle2))
966  {
967  if ($file[0] != '.')
968  {
969  $languages[] = $file;
970  }
971  }
972  closedir($handle2);
973  }
974  sort($languages);
975  return array_unique($languages);
976  }
977 
993  static function getUserRecord($user_id)
994  {
995  if (isset(Auth::$_userRecord[$user_id]))
996  {
997  return Auth::$_userRecord[$user_id];
998  }
999  $db = new_db_connection(array(
1000  'table' => 'egotec_user',
1001  'where' => "user_id='".$user_id."'"
1002  ));
1003  if ($db->nextRecord())
1004  {
1005  $user_record = $db->Record;
1006  $user_record['extra'] = unserialize($user_record['extra']);
1007 
1008  try {
1009  require_once('rights/User_SQL.php');
1010  $user = new User_SQL($user_id, $db->Record);
1011  $user_record['fullname'] = $user->getFullname();
1012  } catch (User_Exception $e) {
1013  // ignorieren
1014  }
1015  } else
1016  {
1017  $user_record = array('username' => $GLOBALS['auth']->translate('unbekannt'));
1018  $user_record['fullname'] = $user_record['username'];
1019  }
1020  AUTH::$_userRecord[$user_id] = $user_record;
1021  return $user_record;
1022  }
1023 
1069  static function getUsers($rights, $users=array(), $direct_flag=false)
1070  {
1071  require_once('rights/User_Iterator.php');
1072  if ($rights)
1073  {
1074  $query = array();
1075  if ($direct_flag)
1076  {
1077  $query['distinct'] = true;
1078  $query['fields'] = 'egotec_user.*';
1079  $query['table'] = 'egotec_user';
1080  $query['join'][] = 'egotec_user_group ON egotec_user.user_id = egotec_user_group.user_id';
1081  $where = array();
1082  foreach ($rights as $right)
1083  {
1084  $where[] = "egotec_user_group.group_id='".$right['group_id']."' AND egotec_user_group.role_id='".$right['role_id']."'";
1085  }
1086  $query['where'] = '('.join(') OR (', $where).')';
1087  } else
1088  {
1089  $query['distinct'] = true;
1090  $query['fields'] = 'egotec_user.*';
1091  $query['from'] = 'egotec_user';
1092  $query['join'][] = 'egotec_user_group ON egotec_user_group.user_id = egotec_user.user_id';
1093  $query['join'][] = 'egotec_group direct_group ON egotec_user_group.group_id = direct_group.group_id';
1094  $query['join'][] = "egotec_group ON egotec_group.links >= direct_group.links AND egotec_group.rechts <= direct_group.rechts";
1095  $query['join'][] = 'egotec_role direct_role ON egotec_user_group.role_id = direct_role.role_id';
1096  $query['join'][] = "egotec_role ON egotec_role.links >= direct_role.links AND egotec_role.rechts <= direct_role.rechts";
1097  $where = array();
1098  foreach ($rights as $right)
1099  {
1100  $where[] = "egotec_group.group_id='".$right['group_id']."' AND egotec_role.role_id='".$right['role_id']."'";
1101  }
1102  $query['where'] = '('.join(') OR (', $where).')';
1103  }
1104  if ($users)
1105  {
1106  $query2['fields'] = 'egotec_user.*';
1107  $query2['table'] = 'egotec_user';
1108  foreach ($users as $user)
1109  {
1110  if (is_array($user)) {
1111  $user_ids[] = $user['user_id'];
1112  } else {
1113  $user_ids[] = $user;
1114  }
1115  }
1116  $query2['where'] = "user_id IN ('".join("','", $user_ids)."')";
1117  return new User_Iterator(new_db_connection(array(
1118  'union' => array($query, $query2)
1119  )));
1120  } else {
1121  return new User_Iterator(new_db_connection($query));
1122  }
1123  } elseif ($users)
1124  {
1125  foreach ($users as $user)
1126  {
1127  if (is_array($user)) {
1128  $user_ids[] = $user['user_id'];
1129  } else {
1130  $user_ids[] = $user;
1131  }
1132  }
1133  $db = new_db_connection(array(
1134  'fields' => '*',
1135  'table' => 'egotec_user',
1136  'where' => "user_id IN ('".join("','", $user_ids)."')"
1137  ));
1138  return new User_Iterator($db);
1139  } else
1140  {
1141  return new User_Iterator();
1142  }
1143  }
1144 
1148  function clearCache()
1149  {
1150  if ($this->_id)
1151  {
1152  //require_once('base/functions.php');
1153  if (function_exists('deldir'))
1154  {
1155  $cache_dir = $GLOBALS['egotec_conf']['cache_dir'].'_user/'.$this->_id;
1156  deldir($cache_dir);
1157  }
1158  }
1159  }
1160 
1169  static function checkPassword($pwd, $name=0, $return_text=false)
1170  {
1171  $min_len = $GLOBALS['egotec_conf']['auth']['min_passw_chars'];
1172  $min_upper = $GLOBALS['egotec_conf']['auth']['min_big_chars'];
1173  $min_lower = $GLOBALS['egotec_conf']['auth']['min_small_chars'];
1174  $min_numbers = $GLOBALS['egotec_conf']['auth']['min_digits'];
1175  $min_special = $GLOBALS['egotec_conf']['auth']['min_extra_chars'];
1176  $max_same_chars = ($GLOBALS['egotec_conf']['auth']['no_chars_from_username'])?$GLOBALS['egotec_conf']['auth']['no_chars_from_username']-1:false;
1177  $min_erfuellt = ($GLOBALS['egotec_conf']['auth']['min_ok_parameters'])?$GLOBALS['egotec_conf']['auth']['min_ok_parameters']:0; // Alle müssen stimmen
1178 
1179  $nicht_erfuellt = array();
1180 
1181  $erfuellt = 0;
1182  if ($min_len)
1183  {
1184  if (strlen($pwd) >= $min_len) $erfuellt++;
1185  else $nicht_erfuellt[] = $return_text
1186  ? $GLOBALS['auth']->translate('Das Passwort ist zu kurz (vorgegeben: %n).', array('n' => $min_len))
1187  : 'min_len';
1188  }
1189  if ($min_upper)
1190  {
1191  $anz=0;
1192  for($i=0;$i<strlen($pwd);$i++)
1193  {
1194  $ascii = ord($pwd[$i]); // Ascii-Wert eines einzelnen Zeichens
1195  if ($ascii > 64 && $ascii < 91) $anz++;
1196  }
1197  if ($anz >= $min_upper) $erfuellt++;
1198  else $nicht_erfuellt[] = $return_text
1199  ? $GLOBALS['auth']->translate('Das Passwort hat zu wenige Großbuchstaben (vorgegeben: %n).', array('n' => $min_upper))
1200  : 'min_upper';
1201  }
1202  if ($min_lower)
1203  {
1204  $anz=0;
1205  for($i=0;$i<strlen($pwd);$i++)
1206  {
1207  $ascii = ord($pwd[$i]); // Ascii-Wert eines einzelnen Zeichens
1208  if ($ascii > 96 && $ascii < 123) $anz++;
1209  }
1210  if ($anz >= $min_lower) $erfuellt++;
1211  else $nicht_erfuellt[] = $return_text
1212  ? $GLOBALS['auth']->translate('Das Passwort hat zu wenige Kleinbuchstaben (vorgegeben: %n).', array('n' => $min_lower))
1213  : 'min_lower';
1214  }
1215  if ($min_numbers)
1216  {
1217  $anz=0;
1218  for($i=0;$i<strlen($pwd);$i++)
1219  {
1220  $ascii = ord($pwd[$i]); // Ascii-Wert eines einzelnen Zeichens
1221  if ($ascii > 47 && $ascii < 58) $anz++;
1222  }
1223  if ($anz >= $min_numbers) $erfuellt++;
1224  else $nicht_erfuellt[] = $return_text
1225  ? $GLOBALS['auth']->translate('Das Passwort hat zu wenige Zahlen (vorgegeben: %n).', array('n' => $min_numbers))
1226  : 'min_numbers';
1227  }
1228  if ($min_special)
1229  {
1230  $anz=0;
1231  for($i=0;$i<strlen($pwd);$i++)
1232  {
1233  $ascii = ord($pwd[$i]); // Ascii-Wert eines einzelnen Zeichens
1234  if (
1235  ($ascii > 31 && $ascii < 48) ||
1236  ($ascii > 57 && $ascii < 65) ||
1237  ($ascii > 90 && $ascii < 95) ||
1238  ($ascii > 122 && $ascii < 127)
1239  ) $anz++;
1240  }
1241  if ($anz >= $min_special) $erfuellt++;
1242  else $nicht_erfuellt[] = $return_text
1243  ? $GLOBALS['auth']->translate('Das Passwort hat zu wenige Sonderzeichen (vorgegeben: %n).', array('n' => $min_special))
1244  : 'min_special';
1245  }
1246 
1247  // zählen wie oft ein zeichen aus dem namen genommen wird
1248  if ($name)
1249  {
1250  if ($max_same_chars !== false)
1251  {
1252  $same_chars = 0;
1253  for ($i=0;$i<strlen($pwd);$i++)
1254  {
1255  for ($ii=0;$ii<strlen($name);$ii++)
1256  {
1257  if ($name[$ii] == $pwd[$i])
1258  {
1259  $same_chars++;
1260  }
1261  }
1262  }
1263  if ($same_chars <= $max_same_chars) $erfuellt++;
1264  else $nicht_erfuellt[] = $return_text
1265  ? $GLOBALS['auth']->translate('Das Passwort hat zu viele Zeichen aus dem Benutzernamen (vorgegeben: %n).', array('n' => $max_same_chars))
1266  : 'same_chars';
1267  }
1268  }
1269 
1270  // Ausschlussliste prüfen
1271  if (file_exists($GLOBALS['egotec_conf']['var_dir'].'conf/pw_exclusion_list.txt'))
1272  {
1273  $words_array = file($GLOBALS['egotec_conf']['var_dir'].'conf/pw_exclusion_list.txt');
1274  if ($words_array)
1275  {
1276  foreach ($words_array as $word)
1277  {
1278  if ($pwd == trim($word,"\n\r"))
1279  {
1280  return array(
1281  $return_text
1282  ? $GLOBALS['auth']->translate('Das Passwort darf nicht verwendet werden.')
1283  : 'pw_exclusion_list'
1284  );
1285  }
1286  }
1287  }
1288  }
1289 
1290  if ($min_erfuellt == 0)
1291  { // alles muss erfuellt werden
1292  if (sizeof($nicht_erfuellt) == 0)
1293  {
1294  return true;
1295  }
1296  } else if ($erfuellt >= $min_erfuellt)
1297  {
1298  return true;
1299  }
1300 
1301  return $nicht_erfuellt;
1302  }
1303 
1309  public function getAllGroups()
1310  {
1311  $db = new_db_connection(
1312  array(
1313  'fields' => 'group_id',
1314  'table' => 'egotec_group'
1315  )
1316  );
1317  return new Group_Iterator($db);
1318  }
1319 
1325  public function getAllRoles()
1326  {
1327  $db = new_db_connection(
1328  array(
1329  'fields' => 'role_id',
1330  'table' => 'egotec_role'
1331  )
1332  );
1333  return new Role_Iterator($db);
1334  }
1335 
1341  protected function _getUser()
1342  {
1343  require_once('rights/User_SQL.php');
1344  return new User_SQL($this->_id);
1345  }
1346 
1352  public static function makeFlat($id) {
1353  $clear_cache = false; // Bei Änderungen der Rechte muss der Cache geleert werden
1354 
1355  // Die Tabelle mit der flachen Rechteprüfung mit den Berechtigungen des Benutzers füttern.
1356  $db = new_db_connection(array(
1357  'fields' => 'egotec_group.group_id AS group_id, egotec_role.role_id AS role_id',
1358  'table' => 'egotec_user_group',
1359  'where' => 'egotec_user_group.user_id=:userid',
1360  'join' => array(
1361  'egotec_group direct_group ON direct_group.group_id=egotec_user_group.group_id', // Aus der direkt eingetragenen Gruppe alle
1362  'egotec_group ON egotec_group.links>=direct_group.links AND egotec_group.rechts<=direct_group.rechts', // untergeordneten Gruppen bestimmen.
1363  'egotec_role direct_role ON direct_role.role_id=egotec_user_group.role_id', // Aus der direkt eingetragenen Rolle alle
1364  'egotec_role ON egotec_role.links>=direct_role.links AND egotec_role.rechts<=direct_role.rechts' // untergeordneten Rollen bestimmen.
1365  ),
1366  'bind' => array(
1367  'userid' => $id
1368  )
1369  ));
1370 
1374  $db2 = new_db_connection(array(
1375  'fields' => 'group_id, role_id',
1376  'table' => 'egotec_user_group_flat',
1377  'where' => 'user_id=:userid',
1378  'bind' => array(
1379  'userid' => $id
1380  )
1381  ));
1382  $old_rights = array();
1383  while ($db2->nextRecord()) {
1384  $old_rights[$db2->Record['group_id']."####".$db2->Record['role_id']] = 1;
1385  }
1386 
1387  $db2->begin();
1388 
1392  while ($db->nextRecord()) {
1393  if (empty($old_rights[$db->Record['group_id']."####".$db->Record['role_id']])) { // Wenn die Berechtigung nicht existiert => insert
1394  $db->Record['user_id'] = $id;
1395  if ($db->Record['group_id'] != '*' && $db->Record['role_id'] != '*') {
1396  $db2->insert(array(
1397  'table' => 'egotec_user_group_flat',
1398  'set' => $db->Record,
1399  'nobackup' => 1
1400  ));
1401  $clear_cache = true;
1402  }
1403  }
1404  // group / role merken
1405  $old_rights[$db->Record['group_id']."####".$db->Record['role_id']] = 2; // keine doppelten inserts (duplicate entry Fehler)
1406  }
1407 
1411  foreach ($old_rights as $key => $val) {
1412  if ($val == 1 && $key != "*####*") {
1413  $rights = explode("####", $key);
1414  $db2->delete(array(
1415  'table' => 'egotec_user_group_flat',
1416  'where' => 'user_id=\''.$id.'\' AND group_id=\''.$rights[0].'\' AND role_id=\''.$rights[1].'\'',
1417  'nobackup' => 1
1418  ));
1419  $clear_cache = true;
1420  }
1421  }
1422 
1423  // gibt es * / * noch nicht => insert
1424  if (!isset($old_rights["*####*"])) {
1425  $db2->insert(array(
1426  'table' => 'egotec_user_group_flat',
1427  'set' => array(
1428  'group_id' => '*',
1429  'role_id' => '*',
1430  'user_id' => $id
1431  ),
1432  'nobackup' => 1
1433  ));
1434  }
1435 
1436  $db2->commit();
1437 
1438  if ($clear_cache) {
1439  Ego_System::clearCacheAllSites();
1440  }
1441  }
1442 
1450  public static function makeFlatSuperusers() {
1451  require_once 'rights/Group_SQL.php';
1452  $root = new Group_SQL($GLOBALS['egotec_conf']['superuser']['group']);
1453  foreach ($root->getAllUsers() as $user) {
1454  if ($user->hasGroupRoleRelation(
1455  $GLOBALS['egotec_conf']['superuser']['group'],
1456  $GLOBALS['egotec_conf']['superuser']['role']
1457  )) {
1458  self::makeFlat($user->field['user_id']);
1459  }
1460  }
1461  Ego_System::clearCacheAllSites();
1462  }
1463 }
1464 ?>
Auth_Exception\__construct
__construct($text, $nr)
Definition: Auth.php:65
Auth\validate
validate($username, $password)
Definition: Auth.php:222
Auth\LOGOUT
const LOGOUT
Definition: Auth.php:91
Auth\_getUser
_getUser()
Definition: Auth.php:1341
Auth
Definition: Auth.php:88
Auth\getAllGroups
getAllGroups()
Definition: Auth.php:1309
Auth_Exception\WRONG_IP
const WRONG_IP
Definition: Auth.php:27
Auth_Exception\WRONG_PASSWORD
const WRONG_PASSWORD
Definition: Auth.php:19
Auth\getTrashUsers
getTrashUsers()
Definition: Auth.php:293
Auth\getUserRecord
static getUserRecord($user_id)
Definition: Auth.php:993
Auth\__construct
__construct($force_login=false, $id='', $action='', $param=array())
Definition: Auth.php:112
Auth\ID
const ID
Definition: Auth.php:92
Auth_Exception\INVALID_LOGIN_PARAMETERS
const INVALID_LOGIN_PARAMETERS
Definition: Auth.php:59
Auth_Exception\LOGIN_DENIED_TEXT
const LOGIN_DENIED_TEXT
Definition: Auth.php:24
Auth\NO_NULL_RIGHTS
const NO_NULL_RIGHTS
Definition: Auth.php:94
Auth_Exception\LOGIN_TIMED_OUT
const LOGIN_TIMED_OUT
Definition: Auth.php:62
Auth\hasPermission
hasPermission($group, $role='', $flag=false, $user_id=false, $equal=true)
Definition: Auth.php:706
Auth\isNobody
isNobody()
Definition: Auth.php:865
Auth_Exception\LOGIN_REQUIRED_TEXT
const LOGIN_REQUIRED_TEXT
Definition: Auth.php:17
Auth_Exception\AUTH_ERROR_TEXT
const AUTH_ERROR_TEXT
Definition: Auth.php:36
Auth\reset
reset()
Definition: Auth.php:173
Auth_Exception\LOGIN_DENIED
const LOGIN_DENIED
Definition: Auth.php:23
Auth_Exception\PERMISSION_DENIED
const PERMISSION_DENIED
Definition: Auth.php:51
Auth\makeFlat
static makeFlat($id)
Definition: Auth.php:1352
Auth\checkSuperuserPermission
checkSuperuserPermission()
Definition: Auth.php:892
Ego_System\file_exists
static file_exists($file)
Definition: Ego_System.php:1088
Auth\postValidate
postValidate()
Definition: Auth.php:328
Auth\hasPermissionOn
hasPermissionOn($object, $equal=true)
Definition: Auth.php:785
Auth_Exception\NO_MULTIPLE_LOGIN_TEXT
const NO_MULTIPLE_LOGIN_TEXT
Definition: Auth.php:40
Ego_System\clearCacheAllSites
static clearCacheAllSites()
Definition: Ego_System.php:243
Auth\checkPassword
static checkPassword($pwd, $name=0, $return_text=false)
Definition: Auth.php:1169
Auth_Exception\PERMISSION_DENIED_TEXT
const PERMISSION_DENIED_TEXT
Definition: Auth.php:52
Auth_Exception\INVALID_LOGIN_PARAMETERS_TEXT
const INVALID_LOGIN_PARAMETERS_TEXT
Definition: Auth.php:60
Auth_Exception\WRONG_TIME_TEXT
const WRONG_TIME_TEXT
Definition: Auth.php:32
Auth\getLanguages
static getLanguages()
Definition: Auth.php:949
Auth_Exception\WRONG_PASSWORD_LIMIT
const WRONG_PASSWORD_LIMIT
Definition: Auth.php:43
Auth\getId
getId()
Definition: Auth.php:538
Auth\translate
translate($string, $placeholders=array(), $language=null)
Definition: Auth.php:571
Auth_Exception\CONCURRENT_USERS_LIMIT_TEXT
const CONCURRENT_USERS_LIMIT_TEXT
Definition: Auth.php:48
Auth\getAllRoles
getAllRoles()
Definition: Auth.php:1325
Auth\LOGIN
const LOGIN
Definition: Auth.php:90
Auth_Exception\AUTH_ERROR
const AUTH_ERROR
Definition: Auth.php:35
Auth_Exception\WRONG_PASSWORD_LIMIT_TEXT
const WRONG_PASSWORD_LIMIT_TEXT
Definition: Auth.php:44
Auth_Exception\CONCURRENT_USERS_LIMIT
const CONCURRENT_USERS_LIMIT
Definition: Auth.php:47
Auth\hasSuperuserPermission
hasSuperuserPermission($session=true, $recalc=false)
Definition: Auth.php:823
Auth_Exception\LOGIN_REQUIRED
const LOGIN_REQUIRED
Definition: Auth.php:16
Auth\clearTrashUsers
clearTrashUsers()
Definition: Auth.php:262
Ego_System\getIp
static getIp()
Definition: Ego_System.php:3433
Auth\clearCache
clearCache()
Definition: Auth.php:1148
Auth_Exception\NO_MULTIPLE_LOGIN
const NO_MULTIPLE_LOGIN
Definition: Auth.php:39
Auth_Exception\MUST_CHANGE_PASSWORD
const MUST_CHANGE_PASSWORD
Definition: Auth.php:55
Auth\checkPermission
checkPermission($group, $role='', $flag=false)
Definition: Auth.php:924
Auth_Exception\LOGIN_TIMED_OUT_TEXT
const LOGIN_TIMED_OUT_TEXT
Definition: Auth.php:63
Auth\makeFlatSuperusers
static makeFlatSuperusers()
Definition: Auth.php:1450
Auth\getPageTableQuery
getPageTableQuery($page_table, $rights, $query=array(), $param=array())
Definition: Auth.php:602
Auth\$user
$user
Definition: Auth.php:97
Auth_Exception
Definition: Auth.php:14
Auth_Exception\MUST_CHANGE_PASSWORD_TEXT
const MUST_CHANGE_PASSWORD_TEXT
Definition: Auth.php:56
Auth_Exception\WRONG_PASSWORD_TEXT
const WRONG_PASSWORD_TEXT
Definition: Auth.php:20
Auth\isSoapUser
isSoapUser()
Definition: Auth.php:841
Auth\getAnonymousId
getAnonymousId()
Definition: Auth.php:548
Auth_Exception\WRONG_IP_TEXT
const WRONG_IP_TEXT
Definition: Auth.php:28
Auth_Exception\WRONG_TIME
const WRONG_TIME
Definition: Auth.php:31
Auth\getUsers
static getUsers($rights, $users=array(), $direct_flag=false)
Definition: Auth.php:1069