[Mapbender-commits] r10132 - in trunk/mapbender: conf http/classes http/php resources/db/pgsql/UTF-8/update
svn_mapbender at osgeo.org
svn_mapbender at osgeo.org
Mon Jun 3 09:14:01 PDT 2019
Author: armin11
Date: 2019-06-03 09:14:01 -0700 (Mon, 03 Jun 2019)
New Revision: 10132
Modified:
trunk/mapbender/conf/mapbender.conf-dist
trunk/mapbender/http/classes/class_user.php
trunk/mapbender/http/php/mod_createUser.php
trunk/mapbender/resources/db/pgsql/UTF-8/update/update_2.7.4_to_2.8_pgsql_UTF-8.sql
Log:
First change for class_user to handle authentication - further things have to be done, e.g. in the following files:
conf/session.conf
http/php/mod_forgottenPassword.php
http/php/mod_editElements.php
http/php/mod_meetingPoint.php
http/php/mod_changePassword.php
http/php/mod_createUser.php
http/frames/cleanurl.php
http/frames/login.php
http/javascripts/mod_insertKmlIntoDb.php
http/javascripts/mod_initWmc.php
http/javascripts/mod_saveWmcKml.php
http/geoportal/insertUserDataIntoDb.php
http/geoportal/forgotten_password.php
http/geoportal/updateUserDataIntoDb.php
http/geoportal/authentication.php
http/classes/class_user.php
http_auth/http/index.php
resources/db/install_geoportal_mb28.sh
Modified: trunk/mapbender/conf/mapbender.conf-dist
===================================================================
--- trunk/mapbender/conf/mapbender.conf-dist 2019-05-23 08:42:37 UTC (rev 10131)
+++ trunk/mapbender/conf/mapbender.conf-dist 2019-06-03 16:14:01 UTC (rev 10132)
@@ -289,6 +289,14 @@
#define("PUBLIC_USER_DEFAULT_SRS", "EPSG:25832");
# --------------------------------------------
+# define a public group
+# This user is a typical anonymous group which has access on all freely available services and datasets.
+# Some functions of the portal framework not allowed for this group.
+# --------------------------------------------
+#define("PUBLIC_GROUP", "");
+
+
+# --------------------------------------------
# define a admin user id for catalogue maintenance - defaults to 1 - 'root' user
# --------------------------------------------
#define("CATALOGUE_MAINTENANCE_USER", 1);
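Review bot: The new comment block above `#define("PUBLIC_GROUP", "");` does not say what happens when the setting stays commented out, while class_user.php in this same commit falls back to group id 22 and logs a warning in that case; the conf comment should state that, e.g. `# If undefined or empty, class_user.php falls back to group id 22 (Mapbender's default public group).`. The first descriptive line also reads `# This user is a typical anonymous group`, which mixes user and group; `# This group is the anonymous group which has access to all freely available services and datasets.` is clearer, and the next line is missing its verb (`# Some functions of the portal framework are not allowed for this group.`).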
Modified: trunk/mapbender/http/classes/class_user.php
===================================================================
--- trunk/mapbender/http/classes/class_user.php 2019-05-23 08:42:37 UTC (rev 10131)
+++ trunk/mapbender/http/classes/class_user.php 2019-06-03 16:14:01 UTC (rev 10132)
@@ -8,6 +8,7 @@
require_once(dirname(__FILE__)."/../../core/globalSettings.php");
require_once(dirname(__FILE__)."/../classes/class_RPCEndpoint.php");
require_once(dirname(__FILE__)."/../classes/class_administration.php");
+require_once(dirname(__FILE__)."/../classes/class_Uuid.php");
/**
* A Mapbender user as described in the table mb_user.
@@ -503,7 +504,166 @@
return null;
}
-
+
+ /*
+ * new 2019 - tries to initialize a userobject from a register form and store it in the mapbender database
+ * @return An assiociated array with all information from mb_user table or false if the register process has problems
+ * @params:
+ * {"user_attributes": {"mb_user_name": {"mandatory": true, "type": "string", "default": null}}, {"mb_user_email", {"mandatory": true, "type": "string", "default": null}}, {"mb_user_department", {"mandatory": false, "type": "string", "default": null}}, {"mb_user_organization_name", {"mandatory": false, "type": "string", "default": null}}, {"mb_user_phone", {"mandatory": false, "type": "string", "default": null}}, {"mb_user_newsletter", {"mandatory": true, "type": "boolean", "default": false}}, {"mb_user_allow_survey", {"mandatory": true, "type": "boolean", "default": false}}, {"timestamp_dsgvo_accepted", {"mandatory": true, "type": "string", "default": null}}}
+ *
+ */
+ public static function selfRegisterNewUser($mbUserName, $mbUserEmail, $mbUserPassword, $mbUserOrganization, $mbUserDepartment, $mbUserPhone, $mbUserNewsletter=false, $mbUserAllowSurvey=false, $timestampDsgvoAccepted=0, $mbUserHashAlgo = 'MD5') {
+ //check if user with name already exists - if so return false
+ $sql = "SELECT * FROM mb_user WHERE mb_user_name = $1";
+ $v = array($mbUserName); // wird in unserer Lösung immer md5 genutzt?
+ $t = array('s');
+ $res = db_prep_query($sql, $v, $t);
+ if(db_numrows($res) == 0){
+ //$userAlreadyExists = false;
+ } else {
+ $e = new mb_exception("classes/class_user.php: user with name ".$mbUserName." already exists in mapbender database! Will not registered twice!");
+ return false;
+ }
+ //mb_user_owner
+ $uuid = new Uuid();
+ //Check mapbender.conf for central portal admin user id
+ if (defined("PORTAL_ADMIN_USER_ID") && PORTAL_ADMIN_USER_ID != "" ) {
+ $mb_user_owner = PORTAL_ADMIN_USER_ID;
+ } else {
+ $mb_user_owner = "1"; //default to mapbenders root user
+ }
+ //Check mapbender.conf for anonymous group
+ if (defined("PUBLIC_GROUP") && PUBLIC_GROUP != "" ) {
+ $publicGroupId = PUBLIC_GROUP;
+ } else {
+ $publicGroupId = "22"; //default to mapbenders default public group
+ $e = new mb_exception("classes/class_user.php: No PUBLIC_GROUP defined in mapbender.conf - assume it is 22!");
+ }
+ //TODO: use other algorithms for hashing password with digest autentification! - see https://github.com/curl/curl/commit/2b5b37cb9109e7c2e6bfa5ebf54016aff8a1fb48 and https://bugzilla.mozilla.org/show_bug.cgi?id=472823
+ $sql = "INSERT INTO mb_user (mb_user_name, mb_user_email, mb_user_organisation_name, mb_user_department, mb_user_phone, ";
+ $sql .= "mb_user_newsletter, mb_user_allow_survey, timestamp_dsgvo_accepted, activation_key, is_active, ";
+ $sql .= "mb_user_owner, password, mb_user_digest, mb_user_aldigest, mb_user_digest_hash, uuid, mb_user_password) VALUES ";
+ $sql.= "($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13, $14, $15, $16, $17)";
+ //define hard coded values
+ $mb_user_activation_key = "";
+ $mb_user_uuid = $uuid;
+ $password = password_hash($mbUserPassword, PASSWORD_BCRYPT);
+ $mb_user_digest_hash = $mbUserHashAlgo;
+ $timestampDsgvoAccepted = 1; //bigint!
+ switch($mb_user_digest_hash) {
+ case "MD5":
+ $mb_user_digest = hash(strtolower($mb_user_digest_hash), $mbUserName.";".$mbUserEmail.":".REALM.":".$mbUserPassword);
+ $mb_user_aldigest = hash(strtolower($mb_user_digest_hash), $mbUserName.":".REALM.":".$mbUserPassword);
+ //TODO deactivate in production
+ $mb_user_password = hash(strtolower($mb_user_digest_hash), $mbUserPassword);
+ //$mb_user_password = "";
+ break;
+ default:
+ $mb_user_digest = hash(strtolower($mb_user_digest_hash), $mbUserName.";".$mbUserEmail.":".REALM.":".$mbUserPassword);
+ $mb_user_aldigest = hash(strtolower($mb_user_digest_hash), $mbUserName.":".REALM.":".$mbUserPassword);
+ //TODO deactivate in production
+ $mb_user_password = hash(strtolower($mb_user_digest_hash), $mbUserPassword);
+ //$mb_user_password = "";
+ break;
+ }
+ if ($mbUserNewsletter == false) {
+ $mbUserNewsletter = 'f';
+ } else {
+ $mbUserNewsletter = 't';
+ }
+ if ($mbUserAllowSurvey == false) {
+ $mbUserAllowSurvey = 'f';
+ } else {
+ $mbUserAllowSurvey = 't';
+ }
+ $v = array($mbUserName, $mbUserEmail, $mbUserOrganization, $mbUserDepartment, $mbUserPhone, $mbUserNewsletter, $mbUserAllowSurvey, $timestampDsgvoAccepted, $mb_user_activation_key, 'f', (integer)$mb_user_owner, $password, $mb_user_digest, $mb_user_aldigest, $mb_user_digest_hash, $uuid, $mb_user_password);
+ $t = array('s','s','s','s','s','b','b','i','s','b','i','s','s','s','s','s','s');
+ $res = db_prep_query($sql,$v,$t);
+ //get id from user with initial uuid
+ $sql = "SELECT * FROM mb_user WHERE uuid = $1";
+ $v = array($mb_user_uuid);
+ $t = array('s');
+ $res = db_prep_query($sql, $v, $t);
+ $row = db_fetch_array($res);
+ $e = new mb_exception("User: ".$row['mb_user_name']." with id: ".$row['mb_user_id']." and uuid: ".$row['uuid']." newly registered in mapbender database!");
+ //insert user in to public group!
+ $sql = "INSERT INTO mb_user_mb_group (fkey_mb_user_id, fkey_mb_group_id) VALUES ($1, $2)";
+ $v = array($row['mb_user_id'], $publicGroupId);
+ $t = array('i', 'i');
+ $res = db_prep_query($sql, $v, $t);
+ //return result
+ return $row;
+ }
+
+ /*
+ * new 2019 - authenticate against mb_user table
+ * @return An assiociated array with all information from mb_user table or false if the authentication has problems
+ * @params: $userName, $userPassword
+ *
+ */
+ public static function authenticateUserByName($userName, $userPassword, $mbUserHashAlgo = 'MD5') {
+ $sql = "SELECT * FROM mb_user WHERE mb_user_name = $1";
+ $v = array($userName);
+ $t = array('s');
+ $res = db_prep_query($sql, $v, $t);
+ $row = db_fetch_array($res);
+ //check all
+ //first login on new system, set (salt - maybe later - and ) new password when password column is empty, delete old unsecure md5 hash
+ if ($row['is_active'] == "f"){
+ $URLAdd="?status=notactive";
+ //TODO - use right URL!- from mapbender.conf
+ if($_SERVER["HTTPS"] != "on") {
+ header ("Location: http://".$_SERVER['HTTP_HOST'].$URLAdd);
+ } else {
+ header ("Location: https://".$_SERVER['HTTP_HOST'].$URLAdd);
+ }
+ $e = new mb_exception("classes/class_user.php: "."account for user ".$userName. "is not activated til now - redirect to activation!");
+ return false;
+ } else if ($row['is_active'] == "t" or $row['is_active'] == ""){
+ if($row['password'] == "" || $row['password'] = null){
+ $e = new mb_exception("classes/class_user.php: "."New crypted password not set - will be set now for user: ".$userName. "!");
+ if($row['mb_user_password'] == hash(strtolower($mbUserHashAlgo), $userPassword)){
+ //generate bcrypt hash
+ $sql = "UPDATE mb_user SET password = $1 WHERE mb_user_id = $2";
+ $newCryptedPassword = password_hash($userPassword, PASSWORD_BCRYPT);
+ $v = array($newCryptedPassword, $row['mb_user_id']);
+ $t = array('s','i');
+ $res = db_prep_query($sql,$v,$t);
+ // delete old hashed password (mostly md5)
+ $sql = "UPDATE mb_user SET mb_user_password = $1 WHERE mb_user_id = $2";
+ $v = array('',$row['mb_user_id']);
+ $t = array('s','i');
+ $res = db_prep_query($sql,$v,$t);
+ $e = new mb_exception("classes/class_user.php: "."New password stored in db, old md5 password deleted for user: ".$userName. "!");
+ //store passwords to $row objects:
+ $row['mb_user_password'] = '';
+ $row['password'] = $newCryptedPassword;
+ return $row;
+ }
+ } else {
+ $e = new mb_exception("classes/class_user.php: "."New password version found for user: ".$userName. "! Authenticate against this one!");
+ $sql = "SELECT password FROM mb_user WHERE mb_user_id = $1";
+ $v = array($row['mb_user_id']);
+ $t = array('s');
+ $res = db_prep_query($sql,$v,$t);
+ $row = db_fetch_array($res);
+ // salt is includes in the hashed password
+ $salt = $row['password'];
+ if (password_verify($userPassword, $salt)) {
+ $sql = "SELECT * FROM mb_user WHERE mb_user_name = $1";
+ $v = array($userName);
+ $t = array('s');
+ $res = db_prep_query($sql,$v,$t);
+ $row = db_fetch_array($res);
+ return $row;
+ }
+ }
+ return false;
+ } else {
+ return false;
+ }
+ }
+
/**
* Returns an array of application IDs that the user is allowed to access.
*
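Review bot: The condition `if($row['password'] == "" || $row['password'] = null)` in authenticateUserByName is an assignment, not a comparison: whenever `password` is non-empty the right operand overwrites it with null and evaluates false, so the branch only ever fires on the empty string; the intended check is `if ($row['password'] === '' || $row['password'] === null) {`. One line earlier, `$row = db_fetch_array($res);` is not checked for an unknown user name, so the following `$row['is_active']` indexes into `false` and the method only reaches `return false` by accident of loose comparisons; an explicit `if ($row === false) { return false; }` after the fetch keeps the failure path deliberate. The legacy-hash check `if($row['mb_user_password'] == hash(strtolower($mbUserHashAlgo), $userPassword))` should be `if (hash_equals($row['mb_user_password'], hash(strtolower($mbUserHashAlgo), $userPassword)))` to get a constant-time, strict comparison, and the later `$t = array('s');` for `mb_user_id` is inconsistent with the `'i'` used for the same column a few lines above. In selfRegisterNewUser, `$timestampDsgvoAccepted = 1; //bigint!` silently discards the value the caller passed, and the `$mb_user_password = hash(strtolower($mb_user_digest_hash), $mbUserPassword);` lines in both switch branches still persist an unsalted MD5 of the password next to the bcrypt hash, which the `//TODO deactivate in production` comment acknowledges but nothing in the commit gates; both methods are fully contained in this hunk.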
Modified: trunk/mapbender/http/php/mod_createUser.php
===================================================================
--- trunk/mapbender/http/php/mod_createUser.php 2019-05-23 08:42:37 UTC (rev 10131)
+++ trunk/mapbender/http/php/mod_createUser.php 2019-06-03 16:14:01 UTC (rev 10132)
@@ -26,6 +26,7 @@
require_once(dirname(__FILE__)."/../classes/class_gui.php");
require_once(dirname(__FILE__)."/../classes/class_administration.php");
+require_once(dirname(__FILE__)."/../classes/class_user.php");
/*
* @security_patch irv done
@@ -98,40 +99,15 @@
<body>
<?php
-#save
+//save
if($action == 'save'){
- $owner_id =1;
- $resolution = 72;
- $login_count = 0;
- $sql = "SELECT mb_user_id FROM mb_user WHERE mb_user_name = $1 ";
- $v = array($name);
- $t = array('s');
- $res = db_prep_query($sql,$v,$t);
- if(db_fetch_row($res)){
+ $user = new User();
+ //TODO: MD5 is not secure - use SHA256 instead!
+ $user_array = $user->selfRegisterNewUser($name, $email, $password, "user dummy orga", $department, $phone, false, false, 0, 'MD5');
+ if($user_array == false){
echo "<script language='JavaScript'>alert('Username must be unique!');</script>";
- }
- else{
-
- $sql = "Insert INTO mb_user (mb_user_name, mb_user_password,mb_user_owner, ";
- $sql .= "mb_user_description, mb_user_email, mb_user_phone, mb_user_department, ";
- $sql .= "mb_user_resolution) VALUES ";
- $sql.= "($1, $2, $3, $4, $5, $6, $7, $8)";
- $v = array($name,md5($password),$owner_id,$description,$email,$phone,$department,$resolution);
- $t = array('s','s','i','s','s','s','s','i');
- $res = db_prep_query($sql,$v,$t);
-
- $selected_user = db_insert_id('platzhalter','mb_user','mb_user_id');
- $sql_owner = "Update mb_user SET mb_user_owner = $1 ";
- $sql_owner.= " WHERE mb_user_name = $2 ";
- $v = array(1,$name); #$selected_user;
- $t = array('i','s');
- $res_owner = db_prep_query($sql_owner,$v,$t);
- # removed, because a new user may be inserted in a group with too many privileges
- $sql_group = "Insert INTO mb_user_mb_group (fkey_mb_user_id, fkey_mb_group_id) VALUES ";
- $sql_group.= "($1, $2) ";
- $v = array($selected_user,20);
- $t = array('i','i');
- $res_group = db_prep_query($sql_group,$v,$t);
+ } else {
+ $selected_user = $user_array['mb_user_id'];
// CB (begin)
// adding new GUIs for new user (copies of gui and gui1 with owner rights)
$gui = new gui();
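Review bot: The `if($user_array == false)` check after the selfRegisterNewUser call is a loose comparison; `if ($user_array === false) {` distinguishes the documented failure return from any array value. The rewritten save branch also drops `$description` and the `mb_user_resolution` default that the removed INSERT stored, and hard-codes `"user dummy orga"` as the organisation, so if the form still collects a description it is now silently discarded (inferred from the removed lines; the form is outside this hunk). selfRegisterNewUser is declared `public static` in class_user.php, so `$user_array = User::selfRegisterNewUser(...);` is the clearer call and avoids constructing a `User` object whose constructor is not visible here. The `if($action == 'save'){` block continues past the end of the hunk.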
Modified: trunk/mapbender/resources/db/pgsql/UTF-8/update/update_2.7.4_to_2.8_pgsql_UTF-8.sql
===================================================================
--- trunk/mapbender/resources/db/pgsql/UTF-8/update/update_2.7.4_to_2.8_pgsql_UTF-8.sql 2019-05-23 08:42:37 UTC (rev 10131)
+++ trunk/mapbender/resources/db/pgsql/UTF-8/update/update_2.7.4_to_2.8_pgsql_UTF-8.sql 2019-06-03 16:14:01 UTC (rev 10132)
@@ -2741,9 +2741,13 @@
ALTER TABLE md_topic_category ADD COLUMN md_topic_category_description_en text;
ALTER TABLE md_topic_category ADD COLUMN md_topic_category_uri text;
+-- Column: uuid for mb_user table
+-- ALTER TABLE mb_user DROP COLUMN uuid;
+ALTER TABLE mb_user ADD COLUMN uuid uuid;
+ALTER TABLE mb_user ADD COLUMN mb_user_digest_hash character varying(100);
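Review bot: `ALTER TABLE mb_user ADD COLUMN uuid uuid;` adds the column without a uniqueness guarantee, yet class_user.php in this commit relies on `SELECT * FROM mb_user WHERE uuid = $1` returning exactly the freshly inserted row; adding `CREATE UNIQUE INDEX ON mb_user (uuid);` after the column makes that lookup safe and documents the intent. The commented-out `-- ALTER TABLE mb_user DROP COLUMN uuid;` reads as leftover debugging in a migration script and is better removed, or replaced by a comment saying why it is kept.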
@@ -2752,3 +2756,4 @@
+