[Mapbender-commits] r10133 - in trunk/mapbender/http: classes php
svn_mapbender at osgeo.org
Tue Jun 4 05:42:01 PDT 2019
Author: armin11
Date: 2019-06-04 05:42:01 -0700 (Tue, 04 Jun 2019)
New Revision: 10133
Modified:
trunk/mapbender/http/classes/class_user.php
trunk/mapbender/http/php/mod_createUser.php
Log:
Next enhancements of class_user.php for authentication.
Modified: trunk/mapbender/http/classes/class_user.php
===================================================================
--- trunk/mapbender/http/classes/class_user.php 2019-06-03 16:14:01 UTC (rev 10132)
+++ trunk/mapbender/http/classes/class_user.php 2019-06-04 12:42:01 UTC (rev 10133)
@@ -47,6 +47,7 @@
var $firstName = "";
var $lastName = "";
var $academicTitle = "";
+ var $activationKey = "";
static $displayName = "User";
static $internalName = "user";
@@ -73,6 +74,34 @@
catch(Exception $E) {
new mb_exception($E->getMessage());
}
+
+ $this->returnObject = new stdClass(); // default object for returning information from function calls
+ /*
+ //maybe helpful: https://docs.ckan.org/en/ckan-2.7.3/api/
+ {
+ "help": "Creates a package",
+ "success": false,
+ "error": {
+ "message": "Access denied",
+ "__type": "Authorization Error"
+ }
+ }
+ //example for returned array - associated arrays are json objects!
+ {
+ "help": "Creates a package",
+ "success": true,
+ "result": {
+ [
+ {"key1": "value1"},
+ {"key2": "value1"},
+ ],
+ [
+ {"key1": "value1"},
+ {"key2": "value1"}
+ ]
+ }
+
+ */
}
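Review bot: `$this->returnObject` is assigned here but never declared with the other properties, so it becomes a dynamic property (deprecated from PHP 8.2); declare it next to the new `var $activationKey = "";`, e.g. `var $returnObject = null;`. Because the one object is reused for every call on the instance, an `error` member left by an earlier failed call survives into a later successful call unless each success path removes it, and the later hunks of this file do that only in some branches. Creating a fresh `stdClass` at the top of each method that fills it would avoid carrying state between calls. The enclosing method (presumably the constructor) begins outside this hunk.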
@@ -117,7 +146,8 @@
"passwordTicket" => $this->passwordTicket,
"firstName" => $this->firstName,
"lastName" => $this->lastName,
- "academicTitle" => $this->academicTitle
+ "academicTitle" => $this->academicTitle,
+ "activationKey" => $this->activationKey
);
return $result;
}
@@ -216,6 +246,7 @@
$this->firstName = isset($changes->firstName) ? $changes->firstName : $this->firstName;
$this->lastName = isset($changes->lastName) ? $changes->lastName : $this->lastName;
$this->academicTitle = isset($changes->academicTitle) ? $changes->academicTitle : $this->academicTitle;
+ $this->activationKey = isset($changes->activationKey) ? $changes->activationKey : $this->activationKey;
return true;
}
@@ -249,8 +280,9 @@
"mb_user_firstname = $25, " .
"mb_user_lastname = $26, " .
"mb_user_academictitle = $27, " .
- "mb_user_login_count = $28 " .
- "WHERE mb_user_id = $29;";
+ "mb_user_login_count = $28 " .
+ "activation_key = $29 " .
+ "WHERE mb_user_id = $30;";
$v = array(
$this->name,
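Review bot: The rewritten SET list lost the comma between the last two assignments: `"mb_user_login_count = $28 " .` followed by `"activation_key = $29 " .` produces `mb_user_login_count = $28 activation_key = $29`, which is not valid SQL, so every update through this statement will fail. Change the first of the two lines to `"mb_user_login_count = $28, " .`. The statement and the `$v` array it feeds continue outside the hunk.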
@@ -281,6 +313,7 @@
$this->lastName,
$this->academicTitle,
is_numeric($this->loginCount) ? intval($this->loginCount) : 0,
+ $this->activationKey !== "" ? $this->activationKey : null,
is_numeric($this->id) ? intval($this->id) : null,
);
@@ -290,7 +323,7 @@
"s", "s", "s", "i", "s",
"s", "s", "s", "s", "s",
"s", "s", "s", "s", "s",
- "s", "s", "i", "i"
+ "s", "s", "i", "s", "i"
);
$update_result = db_prep_query($sql_update,$v,$t);
@@ -346,6 +379,7 @@
$this->validFrom = $row['mb_user_valid_from'];
$this->validTo = $row['mb_user_valid_to'];
$this->passwordTicket = $row['mb_user_password_ticket'];
+ $this->activationKey = $row['activation_key'];
$this->firstName = $row["mb_user_firstname"];
$this->lastName = $row["mb_user_lastname"];
$this->academicTitle = $row["mb_user_academictitle"];
@@ -421,12 +455,12 @@
public function sendUserLoginMail () {
$admin = new administration();
-
$userMessage = "Your Mapbender login data:\n";
$userMessage .= "Your login name is: ".$this->name."\n";
$userMessage .= "Please set your password using the following link: \n";
$mbUrl = substr(LOGIN, 0, -9);
- $userMessage .= $mbUrl."../javascripts/mod_confirmLogin.php?user_id=".$this->id."&user_name=".$this->name."&user_ticket=".$this->passwordTicket."\n";
+ //$userMessage .= $mbUrl."../javascripts/mod_confirmLogin.php?user_id=".$this->id."&user_name=".$this->name."&user_ticket=".$this->passwordTicket."\n";
+ $userMessage .= $mbUrl."../php/mod_activateUserAccount?activationKey=".$this->activation_key."\n";
$userMessage .= "Follow this link to login to Mapbender: \n";
$userMessage .= LOGIN."\n";
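Review bot: The new mail line reads `$this->activation_key`, but the property this commit adds is `$activationKey`, so the link sent to the user carries an empty key. The path also differs from the one built in authenticateUserByName, which points at `mod_activateUserAccount.php`; one of the two spellings is wrong. Suggested line: `$userMessage .= $mbUrl."../php/mod_activateUserAccount.php?activationKey=".urlencode($this->activationKey)."\n";`. sendUserLoginMail continues past the end of the hunk.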
@@ -507,12 +541,13 @@
/*
* new 2019 - tries to initialize a userobject from a register form and store it in the mapbender database
- * @return An assiociated array with all information from mb_user table or false if the register process has problems
+ * @return An json string. The information of the mb_user table is in resultObject->result if the registration was successful.
+ * To get the assoc array do following: $userArray = json_decode(json_encode($returnObject->result), JSON_OBJECT_AS_ARRAY);
* @params:
- * {"user_attributes": {"mb_user_name": {"mandatory": true, "type": "string", "default": null}}, {"mb_user_email", {"mandatory": true, "type": "string", "default": null}}, {"mb_user_department", {"mandatory": false, "type": "string", "default": null}}, {"mb_user_organization_name", {"mandatory": false, "type": "string", "default": null}}, {"mb_user_phone", {"mandatory": false, "type": "string", "default": null}}, {"mb_user_newsletter", {"mandatory": true, "type": "boolean", "default": false}}, {"mb_user_allow_survey", {"mandatory": true, "type": "boolean", "default": false}}, {"timestamp_dsgvo_accepted", {"mandatory": true, "type": "string", "default": null}}}
+ * {"user_attributes": {"mbUserName": {"mapbenderDbColumn":"mb_user_name", "mandatory": true, "type": "string", "default": null}}, {"mbUserEmail", {"mapbenderDbColumn":"mb_user_email", "mandatory": true, "type": "string", "default": null}}, {"mbUserOrganization", {"mapbenderDbColumn":"mb_user_organization_name", "mandatory": false, "type": "string", "default": null}}, {"mbUserDepartment", {"mapbenderDbColumn":"mb_user_department", "mandatory": false, "type": "string", "default": null}}, {"mbUserPhone", {"mapbenderDbColumn":"mb_user_phone", "mandatory": false, "type": "string", "default": null}}, {"mbUserNewsletter", {"mapbenderDbColumn":"mb_user_newsletter", "mandatory": true, "type": "boolean", "default": false}}, {"mbUserAllowSurvey", {"mapbenderDbColumn":"mb_user_allow_survey", "mandatory": true, "type": "boolean", "default": false}}, {"timestampDsgvoAccepted", {"mapbenderDbColumn":"timestamp_dsgvo_accepted", "mandatory": true, "type": "string", "default": null}}, {"mbUserHash
Algo", {"mapbenderDbColumn":"mb_user_digest_hash", "mandatory": false, "type": "string", "default": "MD5"}}}
*
*/
- public static function selfRegisterNewUser($mbUserName, $mbUserEmail, $mbUserPassword, $mbUserOrganization, $mbUserDepartment, $mbUserPhone, $mbUserNewsletter=false, $mbUserAllowSurvey=false, $timestampDsgvoAccepted=0, $mbUserHashAlgo = 'MD5') {
+ public function selfRegisterNewUser($mbUserName, $mbUserEmail, $mbUserPassword, $mbUserOrganization, $mbUserDepartment, $mbUserPhone, $mbUserNewsletter=false, $mbUserAllowSurvey=false, $timestampDsgvoAccepted=0, $mbUserHashAlgo = 'MD5') {
//check if user with name already exists - if so return false
$sql = "SELECT * FROM mb_user WHERE mb_user_name = $1";
$v = array($mbUserName); // wird in unserer Lösung immer md5 genutzt?
@@ -522,7 +557,12 @@
//$userAlreadyExists = false;
} else {
$e = new mb_exception("classes/class_user.php: user with name ".$mbUserName." already exists in mapbender database! Will not registered twice!");
- return false;
+ $this->returnObject->success = false;
+ unset($this->returnObject->result);
+ $this->returnObject->help = "class_user.php:selfRegisterNewUser()";
+ $this->returnObject->error->message = "User with name: ".$mbUserName." alreadyRegistrated!";
+ $this->returnObject->error->{__type} = "Content already exists";
+ return json_encode($this->returnObject);
}
//mb_user_owner
$uuid = new Uuid();
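Review bot: `$this->returnObject->error->{__type}` uses the bare name `__type` as a constant; it is undefined, so PHP 7 emits a warning and falls back to the string while PHP 8 throws an Error before the JSON is returned. Write the key as a string: `$this->returnObject->error->{'__type'} = "Content already exists";`. The line before it assigns into `->error` before that member exists, which relies on implicit stdClass creation (a warning in PHP 7, an Error in PHP 8); add `$this->returnObject->error = new stdClass();` ahead of it. The same two patterns recur in every error branch of the following hunks of this file.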
@@ -537,7 +577,7 @@
$publicGroupId = PUBLIC_GROUP;
} else {
$publicGroupId = "22"; //default to mapbenders default public group
- $e = new mb_exception("classes/class_user.php: No PUBLIC_GROUP defined in mapbender.conf - assume it is 22!");
+ $e = new mb_notice("classes/class_user.php: No PUBLIC_GROUP defined in mapbender.conf - assume it is 22!");
}
//TODO: use other algorithms for hashing password with digest autentification! - see https://github.com/curl/curl/commit/2b5b37cb9109e7c2e6bfa5ebf54016aff8a1fb48 and https://bugzilla.mozilla.org/show_bug.cgi?id=472823
$sql = "INSERT INTO mb_user (mb_user_name, mb_user_email, mb_user_organisation_name, mb_user_department, mb_user_phone, ";
@@ -545,8 +585,8 @@
$sql .= "mb_user_owner, password, mb_user_digest, mb_user_aldigest, mb_user_digest_hash, uuid, mb_user_password) VALUES ";
$sql.= "($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13, $14, $15, $16, $17)";
//define hard coded values
- $mb_user_activation_key = "";
$mb_user_uuid = $uuid;
+ $mb_user_activation_key = md5($uuid);
$password = password_hash($mbUserPassword, PASSWORD_BCRYPT);
$mb_user_digest_hash = $mbUserHashAlgo;
$timestampDsgvoAccepted = 1; //bigint!
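Review bot: The activation key is now `md5($uuid)`, a deterministic function of a value that is stored in the same row (column `uuid`) and used as the lookup key right after the insert, so the key is not a secret independent of the data it protects and its strength is bounded by how the uuid is generated. Since the key is what the activation endpoint trusts to activate the account, derive it from a CSPRNG instead: `$mb_user_activation_key = bin2hex(random_bytes(16));` (PHP 7+; check the deployment baseline, `password_hash` on the next line already requires 5.5+). Whether `$uuid`, a `Uuid` object created in an earlier hunk, stringifies as intended inside `md5()` is not visible here. selfRegisterNewUser continues outside the hunk.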
@@ -578,50 +618,104 @@
}
$v = array($mbUserName, $mbUserEmail, $mbUserOrganization, $mbUserDepartment, $mbUserPhone, $mbUserNewsletter, $mbUserAllowSurvey, $timestampDsgvoAccepted, $mb_user_activation_key, 'f', (integer)$mb_user_owner, $password, $mb_user_digest, $mb_user_aldigest, $mb_user_digest_hash, $uuid, $mb_user_password);
$t = array('s','s','s','s','s','b','b','i','s','b','i','s','s','s','s','s','s');
- $res = db_prep_query($sql,$v,$t);
+ $res = db_prep_query($sql, $v, $t);
+ if (!$res) {
+ $e = new mb_exception("classes/class_user.php: An error occured when trying to insert user '".$mbUserName."' into mapbender mb_user table!");
+ $this->returnObject->success = false;
+ unset($this->returnObject->result);
+ $this->returnObject->help = "class_user.php:selfRegisterNewUser()";
+ $this->returnObject->error->message = "An error occured when trying to insert user '".$mbUserName."' into mapbender mb_user table!";
+ $this->returnObject->error->{__type} = "Database exception";
+ return json_encode($this->returnObject);
+ }
//get id from user with initial uuid
$sql = "SELECT * FROM mb_user WHERE uuid = $1";
$v = array($mb_user_uuid);
$t = array('s');
$res = db_prep_query($sql, $v, $t);
- $row = db_fetch_array($res);
- $e = new mb_exception("User: ".$row['mb_user_name']." with id: ".$row['mb_user_id']." and uuid: ".$row['uuid']." newly registered in mapbender database!");
+ //Important for json encode/decode: fetch assoc as associated array!
+ $row = db_fetch_assoc($res);
//insert user in to public group!
$sql = "INSERT INTO mb_user_mb_group (fkey_mb_user_id, fkey_mb_group_id) VALUES ($1, $2)";
$v = array($row['mb_user_id'], $publicGroupId);
$t = array('i', 'i');
$res = db_prep_query($sql, $v, $t);
+ if (!$res) {
+ $e = new mb_exception("classes/class_user.php: An error occured when trying to insert user '".$row['mb_user_id']."' into group '".$publicGroupId."' of mapbender mb_group table!");
+ $this->returnObject->success = false;
+ unset($this->returnObject->result);
+ $this->returnObject->help = "class_user.php:selfRegisterNewUser()";
+ $this->returnObject->error->message = "An error occured when trying to insert user '".$row['mb_user_id']."' into group '".$publicGroupId."' of mapbender mb_group table!";
+ $this->returnObject->error->{__type} = "Database exception";
+ return json_encode($this->returnObject);
+ }
//return result
- return $row;
+ $this->returnObject->success = true;
+ $this->returnObject->help = "class_user.php:selfRegisterNewUser()";
+ $this->returnObject->result = json_decode(json_encode($row));
+ return json_encode($this->returnObject);
}
/*
* new 2019 - authenticate against mb_user table
- * @return An assiociated array with all information from mb_user table or false if the authentication has problems
+ * @return An json string. The information of the mb_user table is in resultObject->result if the registration was successful.
+ * To get the assoc array do following: $userArray = json_decode(json_encode($returnObject->result), JSON_OBJECT_AS_ARRAY);
* @params: $userName, $userPassword
*
*/
- public static function authenticateUserByName($userName, $userPassword, $mbUserHashAlgo = 'MD5') {
+ public function authenticateUserByName($mbUserName, $userPassword, $mbUserHashAlgo = 'MD5') {
$sql = "SELECT * FROM mb_user WHERE mb_user_name = $1";
- $v = array($userName);
+ $v = array($mbUserName);
$t = array('s');
$res = db_prep_query($sql, $v, $t);
+ if(db_numrows($res) == 0){
+ $e = new mb_notice("classes/class_user.php: "."No account for user ".$mbUserName. " found in mapbender database!");
+ $this->returnObject->success = false;
+ unset($this->returnObject->result);
+ $this->returnObject->help = "class_user.php:authenticateUserByName()";
+ $this->returnObject->error->message = "No account for user with name: ".$mbUserName." found in mapbender database!";
+ $this->returnObject->error->{__type} = "Object not found";
+ return json_encode($this->returnObject);
+ }
$row = db_fetch_array($res);
//check all
//first login on new system, set (salt - maybe later - and ) new password when password column is empty, delete old unsecure md5 hash
+ //Test if account has already been activated by the user
if ($row['is_active'] == "f"){
- $URLAdd="?status=notactive";
+ //$URLAdd="?status=notactive";
//TODO - use right URL!- from mapbender.conf
- if($_SERVER["HTTPS"] != "on") {
+ /*if($_SERVER["HTTPS"] != "on") {
header ("Location: http://".$_SERVER['HTTP_HOST'].$URLAdd);
} else {
header ("Location: https://".$_SERVER['HTTP_HOST'].$URLAdd);
+ }*/
+ if (defined("DJANGO_PORTAL") && DJANGO_PORTAL == true) {
+ //TODO - get url from django!
+ if($_SERVER["HTTPS"] != "on") {
+ $activateRedirectUrl = "http://".$_SERVER['HTTP_HOST']."/login/";
+ $registerRedirectUrl = "http://".$_SERVER['HTTP_HOST']."/register/";
+ } else {
+ $activateRedirectUrl = "https://".$_SERVER['HTTP_HOST']."/login/";
+ $registerRedirectUrl = "https://".$_SERVER['HTTP_HOST']."/register/";
+ }
+ } else {
+ $activateRedirectUrl = MAPBENDER_PATH."/php/mod_activateUserAccount.php?activationKey=".$row['activation_key'];
+ $registerRedirectUrl = LOGIN;
}
- $e = new mb_exception("classes/class_user.php: "."account for user ".$userName. "is not activated til now - redirect to activation!");
- return false;
- } else if ($row['is_active'] == "t" or $row['is_active'] == ""){
- if($row['password'] == "" || $row['password'] = null){
- $e = new mb_exception("classes/class_user.php: "."New crypted password not set - will be set now for user: ".$userName. "!");
+
+ $e = new mb_notice("classes/class_user.php: "."Account for user ".$mbUserName. " is not activated til now - redirect to activation!");
+ $this->returnObject->success = false;
+ unset($this->returnObject->result);
+ $this->returnObject->help = "class_user.php:authenticateUserByName()";
+ $this->returnObject->error->message = "Account for user with name: ".$mbUserName." has not been activated til now. Please activate the account to allow authentication: ".$activateRedirectUrl;
+ $this->returnObject->error->{__type} = "Method not possible";
+ return json_encode($this->returnObject);
+ } else if ($row['is_active'] == "t" or $row['is_active'] == ""){ //maybe for older users which are registrated before 06/2019
+ //change password only, if secure password not already given !!!!!!
+//$e = new mb_exception("classes/class_user.php: "."New - secure - password: ".$row['password']);
+ if($row['password'] == "" || $row['password'] == null){
+ $e = new mb_exception("classes/class_user.php: "."New bcrypt(ed) password not set - will be set now for user: ".$userName. "!");
+ $e = new mb_exception("classes/class_user.php: "."First check old password if this one exists!");
if($row['mb_user_password'] == hash(strtolower($mbUserHashAlgo), $userPassword)){
//generate bcrypt hash
$sql = "UPDATE mb_user SET password = $1 WHERE mb_user_id = $2";
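Review bot: In the not-active branch the activation URL, including `$row['activation_key']`, is placed into `error->message` and returned before the supplied password has been checked against anything, so whoever submits the user name of a pending account receives the key needed to activate it; keep the key out of the response (the mail already carries it), e.g. `$this->returnObject->error->message = "Account for user with name: ".$mbUserName." has not been activated til now. Please use the activation link sent by mail.";`. The legacy-hash check `if($row['mb_user_password'] == hash(strtolower($mbUserHashAlgo), $userPassword))` uses `==`, which compares numeric-looking digests loosely and is not constant-time; use `hash_equals($row['mb_user_password'], hash(strtolower($mbUserHashAlgo), $userPassword))`. The parameter was renamed to `$mbUserName`, but the `mb_exception` two lines above the check still reads `$userName`, which is now undefined (the same reference survives in the next hunk). The "No account for user" and "Access denied" responses let a caller tell existing names from unknown ones; a uniform message would avoid that. authenticateUserByName continues into the next hunk.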
@@ -629,38 +723,88 @@
$v = array($newCryptedPassword, $row['mb_user_id']);
$t = array('s','i');
$res = db_prep_query($sql,$v,$t);
- // delete old hashed password (mostly md5)
- $sql = "UPDATE mb_user SET mb_user_password = $1 WHERE mb_user_id = $2";
- $v = array('',$row['mb_user_id']);
- $t = array('s','i');
- $res = db_prep_query($sql,$v,$t);
- $e = new mb_exception("classes/class_user.php: "."New password stored in db, old md5 password deleted for user: ".$userName. "!");
- //store passwords to $row objects:
- $row['mb_user_password'] = '';
+ // delete old hashed passwords (mostly md5)
+ if ($row['create_digest'] == 'f') {
+ $sql = "UPDATE mb_user SET mb_user_password = $1 , mb_user_digest = $2, mb_user_al_digest = $3 WHERE mb_user_id = $4";
+ $v = array('','','',$row['mb_user_id']);
+ $t = array('s','s','s','i');
+ $res = db_prep_query($sql,$v,$t);
+ $row['mb_user_password'] = '';
+ $row['mb_user_digest'] = '';
+ $row['mb_user_aldigest'] = '';
+ } else {
+ $sql = "UPDATE mb_user SET mb_user_password = $1 WHERE mb_user_id = $2";
+ $v = array('',$row['mb_user_id']);
+ $t = array('s','i');
+ $res = db_prep_query($sql,$v,$t);
+ $row['mb_user_password'] = '';
+ }
+ $e = new mb_notice("classes/class_user.php: "."New password stored in db, old md5 password deleted for user: ".$userName. "!");
+ //save new crypted password in array
$row['password'] = $newCryptedPassword;
- return $row;
+ $this->returnObject->success = true;
+ unset($this->returnObject->error);
+ $this->returnObject->help = "class_user.php:authenticateUserByName()";
+ $this->returnObject->result = json_decode(json_encode($row));
+ return json_encode($this->returnObject);
+ } else {
+ $e = new mb_exception("classes/class_user.php: "."Could not authenticate user ".$mbUserName. " with old password - either the password is wrong or the hash algo differs!");
+ $this->returnObject->success = false;
+ unset($this->returnObject->result);
+ $this->returnObject->help = "class_user.php:authenticateUserByName()";
+ $this->returnObject->error->message = "Could not authenticate user ".$mbUserName. " with old password - either the password is wrong or the hash algo differs!";
+ $this->returnObject->error->{__type} = "Access denied";
+ return json_encode($this->returnObject);
}
} else {
- $e = new mb_exception("classes/class_user.php: "."New password version found for user: ".$userName. "! Authenticate against this one!");
- $sql = "SELECT password FROM mb_user WHERE mb_user_id = $1";
- $v = array($row['mb_user_id']);
- $t = array('s');
- $res = db_prep_query($sql,$v,$t);
- $row = db_fetch_array($res);
- // salt is includes in the hashed password
+ $e = new mb_notice("classes/class_user.php: "."New - secure - password version found for user: ".$mbUserName. "! Authenticate against this one!");
+//$e = new mb_exception("classes/class_user.php: "."New - secure - password: ".$row['password']);
+ // salt is included in the hashed password
$salt = $row['password'];
if (password_verify($userPassword, $salt)) {
+ //delete all old unsecure passwords if given!!!
+ $e = new mb_exception("classes/class_user.php: "."Try to delete all unsecure passwords!");
+ if ($row['create_digest'] == 'f') {
+
+ $e = new mb_exception("classes/class_user.php: "."Try to delete all unsecure passwords!");
+ $sql = "UPDATE mb_user SET mb_user_password = $1 , mb_user_digest = $2, mb_user_aldigest = $3 WHERE mb_user_id = $4";
+ $v = array('','','',$row['mb_user_id']);
+ $t = array('s','s','s','i');
+ $res = db_prep_query($sql,$v,$t);
+ } else {
+ $sql = "UPDATE mb_user SET mb_user_password = $1 WHERE mb_user_id = $2";
+ $v = array('',$row['mb_user_id']);
+ $t = array('s','i');
+ $res = db_prep_query($sql,$v,$t);
+ }
+ //
$sql = "SELECT * FROM mb_user WHERE mb_user_name = $1";
- $v = array($userName);
+ $v = array($mbUserName);
$t = array('s');
$res = db_prep_query($sql,$v,$t);
- $row = db_fetch_array($res);
- return $row;
+ $row = db_fetch_assoc($res);
+ $this->returnObject->success = true;
+ unset($this->returnObject->error);
+ $this->returnObject->help = "class_user.php:authenticateUserByName()";
+ $this->returnObject->result = json_decode(json_encode($row));
+ return json_encode($this->returnObject);
}
}
- return false;
- } else {
- return false;
+ $e = new mb_exception("classes/class_user.php: "."Account for activated user ".$mbUserName. " could not be authenticated with given password!");
+ $this->returnObject->success = false;
+ unset($this->returnObject->result);
+ $this->returnObject->help = "class_user.php:authenticateUserByName()";
+ $this->returnObject->error->message = "Account for activated user with name: ".$mbUserName." could not be authenticated with given password!";
+ $this->returnObject->error->{__type} = "Access denied";
+ return json_encode($this->returnObject);
+ } else {
+ $e = new mb_exception("classes/class_user.php: "."Account for user ".$mbUserName. " (not active!) could not be authenticated with given password!");
+ $this->returnObject->success = false;
+ unset($this->returnObject->result);
+ $this->returnObject->help = "class_user.php:authenticateUserByName()";
+ $this->returnObject->error->message = "Account for user (not active!) with name: ".$mbUserName." could not be authenticated with given password!";
+ $this->returnObject->error->{__type} = "Access denied";
+ return json_encode($this->returnObject);
}
}
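Review bot: The two clean-up statements name the digest column differently, `mb_user_al_digest` in the first `UPDATE` and `mb_user_aldigest` in the second (the `$row` keys and the INSERT column list elsewhere in this file use `mb_user_aldigest`), so one of the two updates will fail on the column name; align them. None of the `$res` values of these UPDATEs is checked, unlike the INSERTs in the previous hunk, so a failed removal of the old hashes passes silently while the response still reports success. The `mb_exception` logging "Try to delete all unsecure passwords!" appears twice in a row inside the `password_verify` branch; drop the duplicate. The notice after the legacy-password migration still references `$userName`, which no longer exists after the rename to `$mbUserName`. The method's opening lines are in the previous hunk.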
Modified: trunk/mapbender/http/php/mod_createUser.php
===================================================================
--- trunk/mapbender/http/php/mod_createUser.php 2019-06-03 16:14:01 UTC (rev 10132)
+++ trunk/mapbender/http/php/mod_createUser.php 2019-06-04 12:42:01 UTC (rev 10133)
@@ -103,10 +103,11 @@
if($action == 'save'){
$user = new User();
//TODO: MD5 is not secure - use SHA256 instead!
- $user_array = $user->selfRegisterNewUser($name, $email, $password, "user dummy orga", $department, $phone, false, false, 0, 'MD5');
- if($user_array == false){
+ $returnObject = json_decode($user->selfRegisterNewUser($name, $email, $password, "user dummy orga", $department, $phone, false, false, 0, 'MD5'));
+ if ($returnObject->success == false) {
echo "<script language='JavaScript'>alert('Username must be unique!');</script>";
} else {
+ $user_array = json_decode(json_encode($returnObject->result), JSON_OBJECT_AS_ARRAY);
$selected_user = $user_array['mb_user_id'];
// CB (begin)
// adding new GUIs for new user (copies of gui and gui1 with owner rights)
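Review bot: `$returnObject->success == false` is evaluated on whatever `json_decode()` returned, so an unparsable string yields `null` and a property access on null, and the loose `== false` also matches a missing member; test `if (!isset($returnObject->success) || $returnObject->success !== true)`. Every failure is then reported as "Username must be unique!", although selfRegisterNewUser now also returns database errors; branch on `$returnObject->error->{'__type'}` instead, and if the message is ever shown in the inline script, emit it with `json_encode()` rather than concatenation, since it embeds the submitted user name. `json_decode(json_encode($returnObject->result), JSON_OBJECT_AS_ARRAY)` passes the flag as the `$assoc` argument and works only because the constant equals 1; write `json_decode(json_encode($returnObject->result), true)`. The enclosing `if($action == 'save')` block continues outside the hunk.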