[Mapbender-commits] r10138 - in trunk/mapbender: conf http/classes http/frames http/geoportal http/php http_auth/http lib resources/db/pgsql/UTF-8/update
svn_mapbender at osgeo.org
svn_mapbender at osgeo.org
Wed Jun 5 09:29:36 PDT 2019
Author: armin11
Date: 2019-06-05 09:29:36 -0700 (Wed, 05 Jun 2019)
New Revision: 10138
Modified:
trunk/mapbender/conf/mapbender.conf-dist
trunk/mapbender/conf/session.conf
trunk/mapbender/http/classes/class_user.php
trunk/mapbender/http/frames/login.php
trunk/mapbender/http/geoportal/authentication.php
trunk/mapbender/http/geoportal/forgotten_password.php
trunk/mapbender/http/php/mod_activateUserAccount.php
trunk/mapbender/http/php/mod_changePassword.php
trunk/mapbender/http/php/mod_editFilteredUser.php
trunk/mapbender/http/php/mod_editUser.php
trunk/mapbender/http/php/mod_forgottenPassword.php
trunk/mapbender/http_auth/http/index.php
trunk/mapbender/lib/editUser.php
trunk/mapbender/resources/db/pgsql/UTF-8/update/update_2.7.4_to_2.8_pgsql_UTF-8.sql
Log:
Most things for changing the authentication in mapbender!
The following things have been done in code (after grep of mb_user_password in sources):
conf/session.conf - commented out - has to be checked!
http/php/mod_forgottenPassword.php - 100%
http/php/mod_editElements.php - loads mb_user_password from session to invoke gui :-( - really needed?
http/php/mod_meetingPoint.php - will not work after passwords are secure if attribute of mb_meetingpoint is not changed from mb_user_password to password! Don't use this module cause it readsout the password fom mapbenders session! - set to deprecate!!!!!!
http/php/mod_changePassword.php - 100%
http/php/mod_createUser.php - 70% - some further attributes should be set if wished for future - self registration in mapbender portal!
http/frames/cleanurl.php - will not work after passwords are secure if attribute of mb_meetingpoint is not changed from mb_user_password to password!
http/frames/login.php - 100%
http/javascripts/mod_insertKmlIntoDb.php - mb_meetingpoint - loads mb_user_password from session to invoke gui :-( - really needed?
http/javascripts/mod_initWmc.php - mb_meetingpoint - loads mb_user_password from session to invoke gui :-( - really needed?
http/javascripts/mod_saveWmcKml.php - set to be deprecated - insecure: echo Mapbender::session()->get("mb_user_password") - in javascript!
http/geoportal/insertUserDataIntoDb.php - will be deprecated when typo3 is deleted!
http/geoportal/forgotten_password.php - adopted to new authentication!
http/geoportal/updateUserDataIntoDb.php - will be deprecated when typo3 is deleted!
http/geoportal/authentication.php - adopted to new authentication!
http/classes/class_user.php - 100%
http_auth/http/index.php - 100%
resources/db/install_geoportal_mb28.sh - TODO!
Modified: trunk/mapbender/conf/mapbender.conf-dist
===================================================================
--- trunk/mapbender/conf/mapbender.conf-dist 2019-06-05 08:19:00 UTC (rev 10137)
+++ trunk/mapbender/conf/mapbender.conf-dist 2019-06-05 16:29:36 UTC (rev 10138)
@@ -381,6 +381,13 @@
#define("WRAPPER_PATH","");
# --------------------------------------------
+# define if mapbender is already integrated in new django portal
+# --------------------------------------------
+#define("DJANGO_PORTAL", true);
+
+define("OWSPROXY_ALLOW_SESSION_GRABBING", false);
+
+# --------------------------------------------
# user autocomplete
# --------------------------------------------
define('SEARCH_LIMIT', 50);
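Review bot: The new `OWSPROXY_ALLOW_SESSION_GRABBING` constant is the only setting in this block without an explanatory comment; its meaning is implied by the name alone, and it looks security-relevant, so a reader of mapbender.conf-dist should not have to guess. Every neighbouring option carries a `# ---` header line, so add one above it, e.g. `# owsproxy: reuse of an existing mapbender session (keep false unless required)`, adjusted to what the option actually controls. The commented-out `DJANGO_PORTAL` define reads as a sample; stating that it must be uncommented to enable portal integration would make that explicit.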
Modified: trunk/mapbender/conf/session.conf
===================================================================
--- trunk/mapbender/conf/session.conf 2019-06-05 08:19:00 UTC (rev 10137)
+++ trunk/mapbender/conf/session.conf 2019-06-05 16:29:36 UTC (rev 10138)
@@ -2,8 +2,10 @@
require_once(dirname(__FILE__)."/../lib/class_Mapbender_session.php");
new mb_notice("sessionConf.class.loading...");
-
-Mapbender::session()->set("mb_user_password",$password);
+//secure this - TODO only write password attribute in session - better to write none of those!!!!!!
+//Mapbender::session()->set("mb_user_password",$password);
+//TODO maybe: - if read from mb_user table
+//Mapbender::session()->set("password",$row['password']);
Mapbender::session()->set("mb_user_id",$row["mb_user_id"]);
Mapbender::session()->set("mb_user_name",$name);
Mapbender::session()->set("mb_user_ip",$_SERVER['REMOTE_ADDR']);
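Review bot: Commenting out the `mb_user_password` session write is the right direction, but the commit log itself lists modules that still read that key from the session (mod_meetingPoint, cleanurl, mod_insertKmlIntoDb, mod_initWmc, mod_saveWmcKml); after this change they will receive null rather than a password, and nothing in this hunk handles that. Either remove those reads in the same change or track them in one place instead of the loose TODO here. I would also drop the commented-out `set("password", $row['password'])` alternative rather than leave it as a suggestion: the bcrypt hash has no business in the session either. A single comment such as `// no password material is stored in the session (removed 06/2019)` says more than the three TODO lines.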
Modified: trunk/mapbender/http/classes/class_user.php
===================================================================
--- trunk/mapbender/http/classes/class_user.php 2019-06-05 08:19:00 UTC (rev 10137)
+++ trunk/mapbender/http/classes/class_user.php 2019-06-05 16:29:36 UTC (rev 10138)
@@ -48,6 +48,9 @@
var $lastName = "";
var $academicTitle = "";
var $activationKey = "";
+
+var $isActive = 'f';
+var $createDigest = 'f';
static $displayName = "User";
static $internalName = "user";
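Review bot: The new `$isActive` and `$createDigest` properties hold the strings `'t'`/`'f'` rather than PHP booleans, and nothing at the declaration says why; update() later in this file coerces anything that is not `'t'` to `'f'` before binding them with type `"b"`. A short comment at the declaration would save the next reader from treating them as booleans, e.g. `// Postgres boolean literal 't'/'f'; update() coerces any other value to 'f'`. The same remark applies to the matching `"b"` entries added to the type array further down.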
@@ -147,7 +150,9 @@
"firstName" => $this->firstName,
"lastName" => $this->lastName,
"academicTitle" => $this->academicTitle,
- "activationKey" => $this->activationKey
+ "activationKey" => $this->activationKey,
+ "isActive" => $this->isActive,
+ "createDigest" => $this->createDigest
);
return $result;
}
@@ -176,15 +181,15 @@
if ($this->name === "") {
$e = new Exception("Can' t create user without name");
}
+ $uuid = new Uuid();
- $sql_user_create = "INSERT INTO mb_user (mb_user_name) VALUES ('" .
- $this->name ."');";
- $v = array($this->name);
- $t = array("s");
+ $sql_user_create = "INSERT INTO mb_user (mb_user_name, uuid, activation_key, is_active) VALUES ( $1 , $2 , $3, $4)";
+ $v = array($this->name, $uuid, md5($uuid), 'f');
+ $t = array("s","s","s","b");
db_begin();
- $insert_result = db_query($sql_user_create);
+ $insert_result = db_prep_query($sql_user_create, $v, $t);
if($insert_result == false) {
db_rollback();
throw new Exception("Could not insert new user");
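Review bot: The activation key is derived deterministically from the stored uuid (`md5($uuid)`), so anyone who learns the uuid column value can compute the key; an activation token should be independent random material, e.g. `bin2hex(random_bytes(16))` (or `openssl_random_pseudo_bytes` if the codebase must stay on PHP 5), with the uuid kept as a plain identifier. The `$uuid` object is also bound directly into `$v`; that only works if `Uuid` has a `__toString()` and the class is loaded here, which this file does not show — binding `(string) $uuid` makes the intent explicit. Note that the pre-existing `$e = new Exception(...)` for the empty-name case is assigned but never thrown, so create() still proceeds with an empty name; the enclosing method starts outside this hunk.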
@@ -247,6 +252,8 @@
$this->lastName = isset($changes->lastName) ? $changes->lastName : $this->lastName;
$this->academicTitle = isset($changes->academicTitle) ? $changes->academicTitle : $this->academicTitle;
$this->activationKey = isset($changes->activationKey) ? $changes->activationKey : $this->activationKey;
+ $this->isActive = isset($changes->isActive) ? $changes->isActive : $this->isActive;
+ $this->createDigest = isset($changes->createDigest) ? $changes->createDigest : $this->createDigest;
return true;
}
@@ -280,10 +287,15 @@
"mb_user_firstname = $25, " .
"mb_user_lastname = $26, " .
"mb_user_academictitle = $27, " .
- "mb_user_login_count = $28 " .
- "activation_key = $29 " .
- "WHERE mb_user_id = $30;";
+ "mb_user_login_count = $28, " .
+ "activation_key = $29, " .
+ "is_active = $30, " .
+ "create_digest = $31 " .
+ "WHERE mb_user_id = $32;";
+ if ($this->isActive !== 't') {$this->isActive = 'f';}
+ if ($this->createDigest !== 't') {$this->createDigest = 'f';}
+
$v = array(
$this->name,
is_numeric($this->owner) ? intval($this->owner) : null,
@@ -314,6 +326,8 @@
$this->academicTitle,
is_numeric($this->loginCount) ? intval($this->loginCount) : 0,
$this->activationKey !== "" ? $this->activationKey : null,
+ $this->isActive,
+ $this->createDigest,
is_numeric($this->id) ? intval($this->id) : null,
);
@@ -323,7 +337,7 @@
"s", "s", "s", "i", "s",
"s", "s", "s", "s", "s",
"s", "s", "s", "s", "s",
- "s", "s", "i", "s", "i"
+ "s", "s", "i", "s", "b", "b", "i"
);
$update_result = db_prep_query($sql_update,$v,$t);
@@ -352,7 +366,6 @@
$v = array($this->id);
$t = array("i");
$res_user = db_prep_query($sql_user,$v,$t);
-
if ($row = db_fetch_array($res_user)) {
$this->name = $row['mb_user_name'];
$this->owner = $row['mb_user_owner'];
@@ -372,14 +385,36 @@
$this->country = $row['mb_user_country'];
$this->url = $row['mb_user_online_resource'];
$this->realName = $row['mb_user_realname'];
- $this->street = $row['mb_user_street'];
- $this->houseNumber = $row['mb_user_housenumber'];
- $this->reference = $row['mb_user_reference'];
- $this->forAttentionOf = $row['mb_user_for_attention_of'];
- $this->validFrom = $row['mb_user_valid_from'];
- $this->validTo = $row['mb_user_valid_to'];
- $this->passwordTicket = $row['mb_user_password_ticket'];
- $this->activationKey = $row['activation_key'];
+ $this->street = $row['mb_user_street'];
+ $this->houseNumber = $row['mb_user_housenumber'];
+ $this->reference = $row['mb_user_reference'];
+ $this->forAttentionOf = $row['mb_user_for_attention_of'];
+ $this->validFrom = $row['mb_user_valid_from'];
+ $this->validTo = $row['mb_user_valid_to'];
+ $this->passwordTicket = $row['mb_user_password_ticket'];
+ $this->activationKey = $row['activation_key'];
+ switch ($row['is_active']) {
+ case "t":
+ $this->isActive = 't';
+ break;
+ case "f":
+ $this->isActive = 'f';
+ break;
+ default:
+ $this->isActive = 'f';
+ break;
+ }
+ switch ($row['create_digest']) {
+ case "t":
+ $this->createDigest = 't';
+ break;
+ case "f":
+ $this->createDigest = 'f';
+ break;
+ default:
+ $this->createDigest = 'f';
+ break;
+ }
$this->firstName = $row["mb_user_firstname"];
$this->lastName = $row["mb_user_lastname"];
$this->academicTitle = $row["mb_user_academictitle"];
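Review bot: Both new `switch` blocks have a `case "f"` branch identical to `default`, so each reduces to one line: `$this->isActive = ($row['is_active'] === 't') ? 't' : 'f';` and `$this->createDigest = ($row['create_digest'] === 't') ? 't' : 'f';`. That also makes the normalisation rule visible at a glance, which the ten-line switch hides. The rest of this hunk re-indents unchanged assignments; keeping whitespace-only churn out of a security-relevant commit makes the real change easier to audit. The enclosing select method starts before this hunk.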
@@ -390,7 +425,6 @@
}
return true;
}
-
/*
* @param $userId the Mapbender user id
@@ -399,10 +433,9 @@
public function validUserPasswordTicket($userTicket) {
$sql = "SELECT * FROM mb_user ";
$sql .= "WHERE mb_user_id = $1 AND mb_user_password_ticket = $2";
- $v = array($this->id,$userTicket);
+ $v = array($this->id, $userTicket);
$t = array("i","s");
$res = db_prep_query($sql,$v,$t);
-
if($row = db_fetch_array($res)){
if($row['mb_user_password_ticket'] == '' || $row['mb_user_password_ticket'] != $userTicket) {
return false;
@@ -420,13 +453,44 @@
* @param $newPassword Mapbender user id
* @param $newPassword Mapbender user ticket
*/
- public function setPassword($newPassword,$userTicket) {
+ public function setPassword($newPassword, $userTicket, $hashAlgo = 'MD5') {
//set new password in db
- $sql = "UPDATE mb_user SET mb_user_password = $1, mb_user_password_ticket = '' WHERE mb_user_id = $2 AND mb_user_password_ticket = $3";
- $v = array(md5($newPassword),$this->id,$userTicket);
- $t = array('s','i','s');
+ //new in 2019 - only set hashed password if create_digest is true!
+ if ($this->createDigest == 't') {
+ $sql = "UPDATE mb_user SET password = $1, mb_user_password_ticket = '', mb_user_digest_hash = $2, mb_user_digest = $3,";
+ $sql .= " mb_user_aldigest = $4 WHERE mb_user_id = $5 AND mb_user_password_ticket = $6";
+ $v = array(password_hash($newPassword, PASSWORD_BCRYPT), $hashAlgo, hash(strtolower($hashAlgo), $this->name.";".$this->email.":".REALM.":".$newPassword), hash(strtolower($hashAlgo), $this->name.":".REALM.":".$newPassword), $this->id, $userTicket);
+ $t = array('s','s','s','s','i','s');
+ } else {
+ $sql = "UPDATE mb_user SET password = $1, mb_user_password_ticket = '' WHERE mb_user_id = $2 AND mb_user_password_ticket = $3";
+ $v = array(password_hash($newPassword, PASSWORD_BCRYPT), $this->id, $userTicket);
+ $t = array('s','i','s');
+ }
$update_result = db_prep_query($sql,$v,$t);
+ if (!$update_result) {
+ throw new Exception("Database error updating user password");
+ return false;
+ }
+ return true;
+ }
+ /*
+ * @param $newPassword values of the new password - the class have to been invoked before to have a user->id !
+ */
+ public function setPasswordWithoutTicket($newPassword, $hashAlgo = 'MD5') {
+ //set new password in db
+ //new in 2019 - only set hashed password if create_digest is true!
+ if ($this->createDigest == 't') {
+ $sql = "UPDATE mb_user SET password = $1, mb_user_password_ticket = '', mb_user_digest_hash = $2, mb_user_digest = $3,";
+ $sql .= " mb_user_aldigest = $4 WHERE mb_user_id = $5";
+ $v = array(password_hash($newPassword, PASSWORD_BCRYPT), $hashAlgo, hash(strtolower($hashAlgo), $this->name.";".$this->email.":".REALM.":".$newPassword), hash(strtolower($hashAlgo), $this->name.":".REALM.":".$newPassword), $this->id);
+ $t = array('s','s','s','s','i');
+ } else {
+ $sql = "UPDATE mb_user SET password = $1, mb_user_password_ticket = '' WHERE mb_user_id = $2";
+ $v = array(password_hash($newPassword, PASSWORD_BCRYPT), $this->id);
+ $t = array('s','i');
+ }
+ $update_result = db_prep_query($sql,$v,$t);
if (!$update_result) {
throw new Exception("Database error updating user password");
return false;
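Review bot: `$hashAlgo` is passed straight into `hash(strtolower($hashAlgo), ...)` without validation; an unknown algorithm name makes `hash()` return false (PHP 7) or throw a ValueError (PHP 8), and in the former case an empty digest would be stored silently. setPassword() and setPasswordWithoutTicket() also duplicate the whole statement-building logic, differing only in the ticket condition, and both carry an unreachable `return false;` after the throw. A private helper that validates the algorithm against `hash_algos()`, builds the SET clause once and appends the WHERE placeholders by `count($v)` (the pattern getUserList() already uses) removes the duplication. The digest values derived here depend on `$this->name` and `$this->email`, so callers must have loaded the user before calling — worth stating in the docblock, which currently documents `$newPassword` twice and the ticket not at all.
```php
    /*
     * Shared by setPassword() and setPasswordWithoutTicket(): writes the bcrypt
     * hash (and, when create_digest is set, the HTTP digest values) for $this->id.
     * @throws Exception on unknown $hashAlgo or database error
     */
    private function updatePasswordRow($newPassword, $hashAlgo, $requireTicket, $userTicket = null) {
        $algo = strtolower($hashAlgo);
        if (!in_array($algo, hash_algos(), true)) {
            throw new Exception("Unsupported digest hash algorithm: " . $hashAlgo);
        }
        $v = array(password_hash($newPassword, PASSWORD_BCRYPT));
        $t = array('s');
        $set = "password = $1, mb_user_password_ticket = ''";
        if ($this->createDigest == 't') {
            $v[] = $hashAlgo;
            $v[] = hash($algo, $this->name.";".$this->email.":".REALM.":".$newPassword);
            $v[] = hash($algo, $this->name.":".REALM.":".$newPassword);
            $t[] = 's'; $t[] = 's'; $t[] = 's';
            $set .= ", mb_user_digest_hash = $2, mb_user_digest = $3, mb_user_aldigest = $4";
        }
        $v[] = $this->id;
        $t[] = 'i';
        $sql = "UPDATE mb_user SET " . $set . " WHERE mb_user_id = $" . count($v);
        if ($requireTicket) {
            $v[] = $userTicket;
            $t[] = 's';
            $sql .= " AND mb_user_password_ticket = $" . count($v);
        }
        if (!db_prep_query($sql, $v, $t)) {
            throw new Exception("Database error updating user password");
        }
        return true;
    }

    public function setPassword($newPassword, $userTicket, $hashAlgo = 'MD5') {
        return $this->updatePasswordRow($newPassword, $hashAlgo, true, $userTicket);
    }

    public function setPasswordWithoutTicket($newPassword, $hashAlgo = 'MD5') {
        return $this->updatePasswordRow($newPassword, $hashAlgo, false);
    }
```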
@@ -433,14 +497,12 @@
}
return true;
}
-
+
public function setNewUserPasswordTicket () {
$sql = "UPDATE mb_user SET mb_user_password_ticket = $1";
$sql.=" WHERE mb_user_id = $2";
-
$passwordTicket = substr(md5(uniqid(rand())),0,30);
-
$v = array($passwordTicket,$this->id);
$t = array('s','i');
$res = db_prep_query($sql,$v,$t);
@@ -463,7 +525,6 @@
$userMessage .= $mbUrl."../php/mod_activateUserAccount?activationKey=".$this->activation_key."\n";
$userMessage .= "Follow this link to login to Mapbender: \n";
$userMessage .= LOGIN."\n";
-
$userMail = $admin->getEmailByUserId($this->id);
if(!$admin->sendEmail("", "", $userMail, $this->name, utf8_decode("Your Mapbender account"), utf8_decode($userMessage), $error_msg)) {
return "Registry data could not be send. Please check mail address.";
@@ -479,45 +540,38 @@
//FIXME: optimize
$name = $filter->name ? $filter->name : null;
$owner = $filter->owner && is_numeric($filter->owner) ? intval($filter->owner) : null;
-
$users = Array();
$sql_userlist = "SELECT mb_user_id FROM mb_user";
-
$andConditions = array();
$v = array();
$t = array();
-
if (!is_null($name)) {
$v[]= $name;
$t[]= "s";
$andConditions[]= "mb_user_name LIKE $" . count($v);
}
-
if (!is_null($owner)) {
$v[]= $owner;
$t[]= "i";
$andConditions[]= "mb_user_owner = $" . count($v);
}
-
if (count($andConditions) > 0) {
$sql_userlist .= " WHERE " . implode("AND", $andConditions);
}
-
$sql_userlist .= " ORDER BY mb_user_name";
+ $res_users = db_prep_query($sql_userlist, $v, $t);
- $res_users = db_prep_query($sql_userlist, $v, $t);
-
- while($row = db_fetch_array($res_users)) {
- try{
- $users[] = new User($row['mb_user_id']);
+ while($row = db_fetch_array($res_users)) {
+ try {
+ $users[] = new User($row['mb_user_id']);
+ }
+ catch(Exception $E) {
+ continue;
+ //FIXME: should catch some errors here
+ }
+ }
+ return $users;
}
- catch(Exception $E) {
- continue;
- //FIXME: should catch some errors here
- }
- }
- return $users;
- }
/*
* tries to initialize a userobject by Name
@@ -595,15 +649,15 @@
$mb_user_digest = hash(strtolower($mb_user_digest_hash), $mbUserName.";".$mbUserEmail.":".REALM.":".$mbUserPassword);
$mb_user_aldigest = hash(strtolower($mb_user_digest_hash), $mbUserName.":".REALM.":".$mbUserPassword);
//TODO deactivate in production
- $mb_user_password = hash(strtolower($mb_user_digest_hash), $mbUserPassword);
- //$mb_user_password = "";
+ //$mb_user_password = hash(strtolower($mb_user_digest_hash), $mbUserPassword);
+ $mb_user_password = "";
break;
default:
$mb_user_digest = hash(strtolower($mb_user_digest_hash), $mbUserName.";".$mbUserEmail.":".REALM.":".$mbUserPassword);
$mb_user_aldigest = hash(strtolower($mb_user_digest_hash), $mbUserName.":".REALM.":".$mbUserPassword);
//TODO deactivate in production
- $mb_user_password = hash(strtolower($mb_user_digest_hash), $mbUserPassword);
- //$mb_user_password = "";
+ //$mb_user_password = hash(strtolower($mb_user_digest_hash), $mbUserPassword);
+ $mb_user_password = "";
break;
}
if ($mbUserNewsletter == false) {
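Review bot: The `//TODO deactivate in production` comment above each `$mb_user_password = "";` now describes the opposite of what the code does — the legacy hash line is the commented-out one — so it should be replaced rather than kept alongside the old line, e.g. `// legacy mb_user_password is no longer written; the bcrypt hash goes to the "password" column`. The `case` branch and the `default` branch are now byte-for-byte identical, so the switch arm can be merged into `default`. The enclosing switch and method start outside this hunk.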
@@ -692,13 +746,16 @@
if (defined("DJANGO_PORTAL") && DJANGO_PORTAL == true) {
//TODO - get url from django!
if($_SERVER["HTTPS"] != "on") {
+ $loginRedirectUrl = "http://".$_SERVER['HTTP_HOST']."/login/";
$activateRedirectUrl = "http://".$_SERVER['HTTP_HOST']."/login/";
$registerRedirectUrl = "http://".$_SERVER['HTTP_HOST']."/register/";
} else {
+ $loginRedirectUrl = "https://".$_SERVER['HTTP_HOST']."/login/";
$activateRedirectUrl = "https://".$_SERVER['HTTP_HOST']."/login/";
$registerRedirectUrl = "https://".$_SERVER['HTTP_HOST']."/register/";
}
} else {
+ $loginRedirectUrl = LOGIN;
$activateRedirectUrl = MAPBENDER_PATH."/php/mod_activateUserAccount.php?activationKey=".$row['activation_key'];
$registerRedirectUrl = LOGIN;
}
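Review bot: The new `$loginRedirectUrl` (like the existing activate/register URLs next to it) is built from `$_SERVER['HTTP_HOST']`, which is taken from the client's Host header; a redirect target assembled from it can point off-site whenever the web server accepts arbitrary Host values. Prefer a configured base URL for the Django portal (the `//TODO - get url from django!` comment already hints at this) or at least validate `HTTP_HOST` against a fixed allow-list before use, as in `$host = in_array($_SERVER['HTTP_HOST'], $allowedHosts, true) ? $_SERVER['HTTP_HOST'] : PORTAL_HOST;` with a constant defined in the configuration. The scheme check `$_SERVER["HTTPS"] != "on"` is pre-existing. The enclosing method starts outside this hunk.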
@@ -714,8 +771,8 @@
//change password only, if secure password not already given !!!!!!
//$e = new mb_exception("classes/class_user.php: "."New - secure - password: ".$row['password']);
if($row['password'] == "" || $row['password'] == null){
- $e = new mb_exception("classes/class_user.php: "."New bcrypt(ed) password not set - will be set now for user: ".$userName. "!");
- $e = new mb_exception("classes/class_user.php: "."First check old password if this one exists!");
+ $e = new mb_notice("classes/class_user.php: "."New bcrypt(ed) password not set - will be set now for user: ".$userName. "!");
+ $e = new mb_notice("classes/class_user.php: "."First check old password if this one exists!");
if($row['mb_user_password'] == hash(strtolower($mbUserHashAlgo), $userPassword)){
//generate bcrypt hash
$sql = "UPDATE mb_user SET password = $1 WHERE mb_user_id = $2";
@@ -725,7 +782,7 @@
$res = db_prep_query($sql,$v,$t);
// delete old hashed passwords (mostly md5)
if ($row['create_digest'] == 'f') {
- $sql = "UPDATE mb_user SET mb_user_password = $1 , mb_user_digest = $2, mb_user_al_digest = $3 WHERE mb_user_id = $4";
+ $sql = "UPDATE mb_user SET mb_user_password = $1 , mb_user_digest = $2, mb_user_aldigest = $3 WHERE mb_user_id = $4";
$v = array('','','',$row['mb_user_id']);
$t = array('s','s','s','i');
$res = db_prep_query($sql,$v,$t);
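Review bot: Fixing the column name to `mb_user_aldigest` is necessary, but the result of this UPDATE (and of the bcrypt UPDATE just above it) is assigned to `$res` and never examined, so a failed clear of the legacy MD5 columns leaves `mb_user_password` populated while the caller believes the migration happened. Add a check after the query, e.g. `if (!$res) { $e = new mb_exception("classes/class_user.php: could not clear legacy password hashes for user: ".$userName); }`, and treat that as a failed login or at least a logged error. The enclosing method starts and ends outside this hunk.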
@@ -763,10 +820,10 @@
$salt = $row['password'];
if (password_verify($userPassword, $salt)) {
//delete all old unsecure passwords if given!!!
- $e = new mb_exception("classes/class_user.php: "."Try to delete all unsecure passwords!");
+ $e = new mb_notice("classes/class_user.php: "."Try to delete all unsecure passwords!");
if ($row['create_digest'] == 'f') {
- $e = new mb_exception("classes/class_user.php: "."Try to delete all unsecure passwords!");
+ $e = new mb_notice("classes/class_user.php: "."Try to delete all unsecure passwords!");
$sql = "UPDATE mb_user SET mb_user_password = $1 , mb_user_digest = $2, mb_user_aldigest = $3 WHERE mb_user_id = $4";
$v = array('','','',$row['mb_user_id']);
$t = array('s','s','s','i');
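Review bot: The same message `"Try to delete all unsecure passwords!"` is now logged twice in a row, once before and once inside the `create_digest == 'f'` check; the inner one should say what actually happens at that point, e.g. `"Clearing legacy mb_user_password/digest columns for user"`. Downgrading these from mb_exception to mb_notice is fine for a per-login message, but as in the earlier hunk the `$res` of the clearing UPDATE is not checked. The enclosing method continues outside this hunk.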
Modified: trunk/mapbender/http/frames/login.php
===================================================================
--- trunk/mapbender/http/frames/login.php 2019-06-05 08:19:00 UTC (rev 10137)
+++ trunk/mapbender/http/frames/login.php 2019-06-05 16:29:36 UTC (rev 10138)
@@ -19,30 +19,16 @@
ob_start();
require_once dirname(__FILE__) . "/../../conf/mapbender.conf";
+require_once(dirname(__FILE__)."/../classes/class_user.php");
function auth_user($name,$pw){
- $setEncPw = false;
- $sql = "SELECT * FROM mb_user WHERE mb_user_name = $1 AND mb_user_password = $2";
- $v = array($name,md5($pw));
- $t = array('s','s');
- $res = db_prep_query($sql,$v,$t);
- if($row = db_fetch_array($res)){
- return $row;
+ $user = new User();
+ $returnObject = json_decode($user->authenticateUserByName($name, $pw));
+ if ($returnObject->success !== false) {
+ return json_decode(json_encode($returnObject->result), JSON_OBJECT_AS_ARRAY);
+ } else {
+ return false;
}
- else if(SYS_DBTYPE == 'pgsql' && $setEncPw == true){
- // unencrypted pw in postgres without md5-support?
- $sql = "SELECT * FROM mb_user WHERE mb_user_name = $1 AND mb_user_password = $2";
- $v = array($name,$pw);
- $t = array('s','s');
- $resn = db_prep_query($sql,$v,$t);
- if($rown = db_fetch_array($resn)){
- $sqlu = "UPDATE mb_user SET mb_user_password = $1 WHERE mb_user_id = $2";
- $vu = array(md5($pw),$rown["mb_user_id"]);
- $tu = array('s','i');
- $rowu = db_prep_query($sqlu,$vu,$tu);
- return $rown;
- }
- }
}
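Review bot: `json_decode(json_encode($returnObject->result), JSON_OBJECT_AS_ARRAY)` passes the flag as the second argument, which is json_decode's `$associative` boolean; it only works because the flag's value is truthy. Write `json_decode(json_encode($returnObject->result), true)` instead. The guard `$returnObject->success !== false` also passes when `json_decode` returned null (then `->success` yields null with a warning), so a malformed response would be treated as a successful login; use `if ($returnObject !== null && $returnObject->success === true)`. The identical block is pasted into authenticate() in http/geoportal/authentication.php and into mod_changePassword.php in this commit; a single helper on User returning the array (or false) would replace all three.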
function redirectToLogin ($name = "") {
@@ -169,8 +155,7 @@
# session_start();
# }
include(dirname(__FILE__) . "/../../conf/session.conf");
- }
- else {
+ } else {
$sql_set_cnt = "UPDATE mb_user SET mb_user_login_count = (mb_user_login_count + 1) WHERE mb_user_name = $1";
$v = array($name);
$t = array('s');
@@ -217,8 +202,7 @@
mb_listGUIs($arrayGUIs);
}
}
- }
- else{
+ } else {
Mapbender::session()->kill();
$sql_set_cnt = "UPDATE mb_user SET mb_user_login_count = (mb_user_login_count + 1) WHERE mb_user_name = $1";
$v = array($name);
Modified: trunk/mapbender/http/geoportal/authentication.php
===================================================================
--- trunk/mapbender/http/geoportal/authentication.php 2019-06-05 08:19:00 UTC (rev 10137)
+++ trunk/mapbender/http/geoportal/authentication.php 2019-06-05 16:29:36 UTC (rev 10138)
@@ -1,5 +1,6 @@
<?php
include_once(dirname(__FILE__)."/../../core/globalSettings.php");
+require_once(dirname(__FILE__)."/../classes/class_user.php");
$pw = $_REQUEST['password'];
$name = $_REQUEST['name'];
@@ -62,29 +63,14 @@
header ("Location: http://".$_SERVER['HTTP_HOST']."/portal/failed.html".$URLAdd);
}
-function authenticate ($name,$pw){
- $con = db_connect(DBSERVER,OWNER,PW);
- db_select_db(DB,$con);
-
- $sql = "SELECT * FROM mb_user WHERE mb_user_name = $1 AND mb_user_password = $2";
- $v = array($name,md5($pw)); // is md5 used really?
- $t = array('s','s');
- $res = db_prep_query($sql,$v,$t);
-
- if($row = db_fetch_array($res)){
- $e = new mb_exception('geoportal/authentication.php: user login: '.$row['mb_user_name']);
- //update mb_user_aldigest
- $sql = "UPDATE mb_user SET mb_user_aldigest = $1 WHERE mb_user_id = $2";
- //$sql = "SELECT * FROM mb_user WHERE mb_user_name = $1 AND mb_user_password = $2";
- $v = array(md5($row['mb_user_name'].":".REALM.":".$pw),$row['mb_user_id']);
- $t = array('s','i');
- $res = db_prep_query($sql,$v,$t);
- return $row;
- }
- else
- {
- return false;
- }
+function authenticate ($name, $pw){
+ $user = new User();
+ $returnObject = json_decode($user->authenticateUserByName($name, $pw));
+ if ($returnObject->success !== false) {
+ return json_decode(json_encode($returnObject->result), JSON_OBJECT_AS_ARRAY);
+ } else {
+ return false;
+ }
}
function setSession(){
session_start(); //function is ok cause the session will be closed directly after starting it!
Modified: trunk/mapbender/http/geoportal/forgotten_password.php
===================================================================
--- trunk/mapbender/http/geoportal/forgotten_password.php 2019-06-05 08:19:00 UTC (rev 10137)
+++ trunk/mapbender/http/geoportal/forgotten_password.php 2019-06-05 16:29:36 UTC (rev 10138)
@@ -1,8 +1,8 @@
<?php
require_once(dirname(__FILE__)."/../../core/globalSettings.php");
require_once(dirname(__FILE__)."/../classes/class_administration.php");
+require_once(dirname(__FILE__)."/../classes/class_user.php");
-
extract($_GET, EXTR_OVERWRITE);extract($_POST, EXTR_OVERWRITE);
function forgotten_password() {
@@ -30,15 +30,12 @@
}
$new_password = $administration->getRandomPassword();
-
- $sql_update = "UPDATE mb_user SET mb_user_password = $1, mb_user_digest = $3 WHERE mb_user_id = $2";
- $v = array(md5($new_password),$administration->getUserIdByUserName(USER_NAME),md5(USER_NAME.";".USER_EMAIL.":".REALM.":".$new_password));
- $t = array("s","i");
-
- if(!db_prep_query($sql_update,$v,$t)) {
+ //change 06/2019 - store more secure passwords in database!
+ $user = new User($administration->getUserIdByUserName(USER_NAME));
+ $result = $user->setPasswordWithoutTicket($new_password);
+ if($result == false) {
return -3;
}
-
$email_subject = "Neues Geoportal Passwort";
$email_body = sprintf("Ihr neues Geoportal Passwort lautet: %s",$new_password);
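Review bot: `setPasswordWithoutTicket()` never returns false — on a database error it throws — so the `if($result == false) return -3;` branch is dead and the exception propagates out of forgotten_password() instead of producing the -3 error code the caller expects. Wrap the call: `try { $user->setPasswordWithoutTicket($new_password); } catch (Exception $e) { return -3; }`. If `getUserIdByUserName(USER_NAME)` can return an empty value, `new User(...)` with that id should be guarded the same way, since the UPDATE would then match no row yet report success. The enclosing function starts outside this hunk.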
Modified: trunk/mapbender/http/php/mod_activateUserAccount.php
===================================================================
--- trunk/mapbender/http/php/mod_activateUserAccount.php 2019-06-05 08:19:00 UTC (rev 10137)
+++ trunk/mapbender/http/php/mod_activateUserAccount.php 2019-06-05 16:29:36 UTC (rev 10138)
@@ -55,6 +55,7 @@
header('Content-Type: application/json');
echo json_encode($this->returnObject);
//redirect to register
+sleep(5);
header("Location: ".$registerRedirectUrl);
die();
} else {
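Review bot: `sleep(5)` before each redirect (here and in the two following hunks) blocks a PHP worker for five seconds on an endpoint that is reachable with nothing more than an activation-link request, which makes worker exhaustion trivial and adds nothing for the user. If the intent is to let the JSON body be read before the redirect, note that `header("Location: ...")` after an `echo` only takes effect when output buffering is active, which this hunk does not show; a client-side delay (`<meta http-equiv="refresh" content="5;url=...">` or a JavaScript timeout) achieves the pause without holding the server. Drop the three `sleep(5);` lines.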
@@ -68,6 +69,7 @@
header('Content-Type: application/json');
echo json_encode($this->returnObject);
//redirect to login?
+sleep(5);
header("Location: ".$loginRedirectUrl);
die();
} else {
@@ -90,6 +92,7 @@
unset($returnObject->error);
$returnObject->help = "mod_activateUserAccount.php";
//redirect to login page
+sleep(5);
header("Location: ".$loginRedirectUrl);
die();
}
Modified: trunk/mapbender/http/php/mod_changePassword.php
===================================================================
--- trunk/mapbender/http/php/mod_changePassword.php 2019-06-05 08:19:00 UTC (rev 10137)
+++ trunk/mapbender/http/php/mod_changePassword.php 2019-06-05 16:29:36 UTC (rev 10138)
@@ -20,6 +20,7 @@
require_once(dirname(__FILE__)."/../php/mb_validateSession.php");
+require_once(dirname(__FILE__)."/../classes/class_user.php");
/*
* @security_patch irv done
*/
@@ -114,8 +115,8 @@
<body>
<?php
//the database-params
-$con = db_connect($DBSERVER,$OWNER,$PW);
-db_select_db(DB,$con);
+/*$con = db_connect($DBSERVER,$OWNER,$PW);
+db_select_db(DB,$con);*/
$logged_user_name=Mapbender::session()->get("mb_user_name");
$logged_user_id=Mapbender::session()->get("mb_user_id");
@@ -122,6 +123,7 @@
/* handle INSERT and DELETE */
if($upd){
+ /*
$sql_user_id = "SELECT mb_user_id FROM mb_user WHERE mb_user_id = $1 ";
$v = array($logged_user_id);
$t = array('i');
@@ -131,32 +133,18 @@
$sql_password = "SELECT mb_user_password, mb_user_password = $1 as new FROM mb_user where mb_user_id = $2";
$v = array($newpassword,$real_user_id);
$t = array('s','i');
- $res_password = db_prep_query($sql_password,$v,$t);
-
- if( db_result($res_password,0,"mb_user_password") == md5($oldpassword) &&
- db_result($res_password,0,"mb_user_password") != db_result($res_password,0,"new")){
- $sql_update = "UPDATE mb_user SET mb_user_password = $1";
- $v = array(md5($newpassword));
- $t = array('s');
- $sql_update .= " WHERE mb_user_id = $2 ";
- array_push($v,$real_user_id);
- array_push($t,'i');
- db_prep_query($sql_update,$v,$t);
- echo "<script language='javascript'>";
- //echo "alert('Passwort wurde ge�ndert!');";
- echo "alert('Password has been updated!');";
- echo "</script>";
- }
- elseif (db_result($res_password,0,"mb_user_password") != md5($oldpassword)){
- echo "<script language='javascript'>";
- echo "alert('Please enter the correct current password!');";
- echo "</script>";
+ $res_password = db_prep_query($sql_password,$v,$t);*/
+ $user = new User();
+ $returnObject = json_decode($user->authenticateUserByName($logged_user_name, $oldpassword));
+ if ($returnObject->success !== false) {
+ $userArray = json_decode(json_encode($returnObject->result), JSON_OBJECT_AS_ARRAY);
+ $result = $user->setPasswordWithoutTicket($newpassword);
} else {
echo "<script language='javascript'>";
- //echo "alert('Bitte beachten Sie die unten aufgef�hrten Passwortregeln!');";
- echo "alert('Please note the rules for choosing a password below!');";
+ echo "alert('".$returnObject->error->message."');";
echo "</script>";
}
+ $result = $user->setPasswordWithoutTicket($newpassword);
}
/* HTML */
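Review bot: `$result = $user->setPasswordWithoutTicket($newpassword);` at the end of the `if($upd)` block runs unconditionally, after the `else` branch has already reported a wrong current password, so the password is changed whether or not the old one was verified; delete that trailing line and keep only the call inside the success branch. The success branch also leaves `$userArray` unused and shows no confirmation, while the old "Password has been updated!" alert and the password-rules message were dropped. `$returnObject->error->message` is interpolated into a JavaScript string literal without escaping; emit it as `echo "alert(" . json_encode($returnObject->error->message) . ");";` so a quote in the message cannot break out of the script. The large `/* ... */` block of dead SQL should be removed rather than commented out.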
Modified: trunk/mapbender/http/php/mod_editFilteredUser.php
===================================================================
--- trunk/mapbender/http/php/mod_editFilteredUser.php 2019-06-05 08:19:00 UTC (rev 10137)
+++ trunk/mapbender/http/php/mod_editFilteredUser.php 2019-06-05 16:29:36 UTC (rev 10138)
@@ -17,11 +17,8 @@
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
-
$e_id="editFilteredUser";
-
require_once(dirname(__FILE__)."/../php/mb_validatePermission.php");
-
/*
* @security_patch irv done
*/
@@ -53,10 +50,9 @@
$login_count = $_POST["login_count"];
$resolution = $_POST["resolution"];
$action = $_POST["action"];
-
-
+$is_active = $_POST["is_active"];
+$create_digest = $_POST["create_digest"];
require_once(dirname(__FILE__)."/../classes/class_user.php");
$myUser = true;
-
include "../../lib/editUser.php";
?>
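Review bot: `$is_active = $_POST["is_active"];` and `$create_digest = $_POST["create_digest"];` raise undefined-index notices whenever the form does not post them, and hand the raw values to lib/editUser.php; User::update() in this commit coerces anything other than `'t'` to `'f'`, so presumably that is where they are normalised, but the default is better made explicit here: `$is_active = isset($_POST["is_active"]) ? $_POST["is_active"] : 'f';` and likewise for `$create_digest`. Since this module is the filtered (non-admin) variant, confirm that the permission check in mb_validatePermission.php is meant to let its users toggle their own `is_active`/`create_digest` flags.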
Modified: trunk/mapbender/http/php/mod_editUser.php
===================================================================
--- trunk/mapbender/http/php/mod_editUser.php 2019-06-05 08:19:00 UTC (rev 10137)
+++ trunk/mapbender/http/php/mod_editUser.php 2019-06-05 16:29:36 UTC (rev 10138)
@@ -17,10 +17,8 @@
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
-
$e_id="editUser";
require_once(dirname(__FILE__)."/../php/mb_validatePermission.php");
-
/*
* @security_patch irv done
*/
@@ -27,14 +25,10 @@
//security_patch_log(__FILE__,__LINE__);
//import_request_variables("PG");
-$postvars = explode(",", "selected_user,name,firstname,lastname,academic_title,password,password_plain,v_password,description,email,phone,facsimile,street,housenumber,delivery_point,postal_code,city,organization,department,position,country,owner_name,owner_id,login_count,resolution,action");
+$postvars = explode(",", "selected_user,name,firstname,lastname,academic_title,password,password_plain,v_password,description,email,phone,facsimile,street,housenumber,delivery_point,postal_code,city,organization,department,position,country,owner_name,owner_id,login_count,resolution,action,is_active, create_digest");
foreach ($postvars as $value) {
${$value} = $_POST[$value];
}
-
-
-
require_once(dirname(__FILE__)."/../classes/class_user.php");
-
include "../../lib/editUser.php";
?>
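Review bot: The extended `$postvars` string ends in `"action,is_active, create_digest"` with a space after the comma, so `explode(",", ...)` yields `" create_digest"`, the loop assigns `${" create_digest"}` from `$_POST[" create_digest"]`, and `$create_digest` is never set for lib/editUser.php. Remove the space: `...,action,is_active,create_digest`. The `${$value} = $_POST[$value];` loop itself is pre-existing, but it still creates variables from request keys without a default, so a missing field yields a notice and null.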
Modified: trunk/mapbender/http/php/mod_forgottenPassword.php
===================================================================
--- trunk/mapbender/http/php/mod_forgottenPassword.php 2019-06-05 08:19:00 UTC (rev 10137)
+++ trunk/mapbender/http/php/mod_forgottenPassword.php 2019-06-05 16:29:36 UTC (rev 10138)
@@ -22,6 +22,7 @@
* @security_patch irv done
*/
require_once(dirname(__FILE__)."/../../core/globalSettings.php");
+require_once(dirname(__FILE__)."/../classes/class_user.php");
//security_patch_log(__FILE__,__LINE__);
//import_request_variables("PG");
@@ -108,28 +109,22 @@
}
elseif ($user_id) {
if ($admin->sendEmail("", "", $mailToAddr, $mailToName, "Your new Mapbender password", "login: " . $mailToName . "\npassword: " . $sql_password, $error_msg)) {
- //set new password in db
- $sql_update = "UPDATE mb_user SET mb_user_password = $1";
- $sql_update .= " WHERE mb_user_id = $2";
- #echo $sql_update;
- $v = array(md5($sql_password),$user_id);
- $t = array('s','i');
- db_prep_query($sql_update,$v,$t);
+ //change 06/2019 - store more secure passwords in database!
+ $user = new User($user_id);
+ $result = $user->setPasswordWithoutTicket($sql_password);
+ //reset login count
+ $admin->resetLoginCount($user_id);
- //reset login count
- $admin->resetLoginCount($user_id);
-
- echo "<script language='javascript'>";
- echo "alert('A new password will be sent to your e-mail-address!');";
- echo "window.close();";
- echo "</script>";
+ echo "<script language='javascript'>";
+ echo "alert('A new password will be sent to your e-mail-address!');";
+ echo "window.close();";
+ echo "</script>";
+ } else {
+ echo "<script language='javascript'>";
+ echo "alert('An error occured while sending the new password to your e-mail-address! " . $error_msg . " Please try again later.');";
+ echo "window.back();";
+ echo "</script>";
}
- else {
- echo "<script language='javascript'>";
- echo "alert('An error occured while sending the new password to your e-mail-address! " . $error_msg . " Please try again later.');";
- echo "window.back();";
- echo "</script>";
- }
}
$upd = false;
}
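Review bot: `$user->setPasswordWithoutTicket($sql_password)` throws on a database error rather than returning false, and the call is made after the e-mail with the new password has already been sent, so a failure now surfaces as an uncaught exception after the user has been told a password that was never stored; `$result` is assigned but never read. Set the password first and only send the mail when that succeeds, or wrap the call in `try { ... } catch (Exception $e) { echo "<script>alert('Could not store the new password.');</script>"; }` and skip the success alert. The enclosing `if/elseif` starts outside this hunk.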
Modified: trunk/mapbender/http_auth/http/index.php
===================================================================
--- trunk/mapbender/http_auth/http/index.php 2019-06-05 08:19:00 UTC (rev 10137)
+++ trunk/mapbender/http_auth/http/index.php 2019-06-05 16:29:36 UTC (rev 10138)
@@ -195,6 +195,12 @@
$mbUsername = $userIdentification[0];
$mbEmail = $userIdentification[1]; //not given in all circumstances
$userInformation = getUserInfo($mbUsername, $mbEmail);
+ /*
+ $result[0] = $row['mb_user_id'];
+ $result[1] = $row['mb_user_digest'];
+ $result[2] = $row['mb_user_password'];
+ $result[3] = $row['password'];
+ */
if ($userInformation[0] == '-1') {
die('User with name: ' . $mbUsername . ' and email: ' . $mbEmail . ' not known to security proxy!');
}
@@ -239,18 +245,27 @@
$mbUsername = $userIdentification[0];
$mbEmail = $userIdentification[1]; //not given in all circumstances
$userInformation = getUserInfo($mbUsername, $mbEmail);
+ /*
+ $result[0] = $row['mb_user_id'];
+ $result[1] = $row['mb_user_digest'];
+ $result[2] = $row['mb_user_password'];
+ $result[3] = $row['password'];
+ */
if ($userInformation[0] == '-1') {
die('User with name: ' . $mbUsername . ' and email: ' . $mbEmail . ' not known to security proxy!');
}
- if ($userInformation[1] == '') { //check if digest exists in db - if no digest exists it should be a null string!
+ /*if ($userInformation[1] == '') { //check if digest exists in db - if no digest exists it should be a null string!
die('User with name: ' . $mbUsername . ' and email: ' . $mbEmail . ' has no digest - please set a new password and try again!');
+ }*/
+ //check password - new since 06/2019 - secure password !!!!!
+ if ($userInformation[3] == '' || $userInformation[3] == null) {
+ die('User with name: ' . $mbUsername . ' and email: ' . $mbEmail . ' has no password which is stored in a secure way. - Please login at the portal to generate one!');
}
- //check password
- if ($userInformation[2] !== md5($_SERVER['PHP_AUTH_PW'])) {
- die('HTTP Authentication failed for user: ' . $mbUsername.'!');
+ if (password_verify($_SERVER['PHP_AUTH_PW'], $userInformation[3])) {
+ $userId = $userInformation[0];
} else {
$userId = $userInformation[0];
- //$e = new mb_exception("requesting userid: ".$userInformation[0]);
+ die('HTTP Authentication failed for user: ' . $mbUsername.'!');
}
}
break;
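Review bot: The `else` branch of the new `password_verify()` check still assigns `$userId = $userInformation[0];` before calling `die()`, a leftover from swapping the branches that is dead and misleading. The three distinct `die()` messages (unknown user, known user without a secure password, wrong password) also let an unauthenticated caller distinguish account states, and the "no secure password" message is new in this commit; logging the reason server-side and answering with one generic message would avoid that. I would collapse the two checks into `if ($userInformation[3] === null || $userInformation[3] === '' || !password_verify($_SERVER['PHP_AUTH_PW'], $userInformation[3])) { die('HTTP Authentication failed for user: ' . $mbUsername . '!'); }` followed by `$userId = $userInformation[0];`, and guard `$_SERVER['PHP_AUTH_PW']` with `isset()` since it is not necessarily present. The enclosing `switch`/`case` starts outside this hunk.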
@@ -570,11 +585,11 @@
{
$result = array();
if (preg_match('#[@]#', $mbEmail)) {
- $sql = "SELECT mb_user_id, mb_user_digest, mb_user_password FROM mb_user where mb_user_name = $1 AND mb_user_email = $2";
+ $sql = "SELECT mb_user_id, mb_user_digest, mb_user_password, password FROM mb_user where mb_user_name = $1 AND mb_user_email = $2";
$v = array($mbUsername, $mbEmail);
$t = array("s", "s");
} else {
- $sql = "SELECT mb_user_id, mb_user_aldigest As mb_user_digest, mb_user_password FROM mb_user where mb_user_name = $1";
+ $sql = "SELECT mb_user_id, mb_user_aldigest As mb_user_digest, mb_user_password, password FROM mb_user where mb_user_name = $1";
$v = array($mbUsername);
$t = array("s");
}
@@ -585,6 +600,7 @@
$result[0] = $row['mb_user_id'];
$result[1] = $row['mb_user_digest'];
$result[2] = $row['mb_user_password'];
+ $result[3] = $row['password'];
}
return $result;
}
Modified: trunk/mapbender/lib/editUser.php
===================================================================
--- trunk/mapbender/lib/editUser.php 2019-06-05 08:19:00 UTC (rev 10137)
+++ trunk/mapbender/lib/editUser.php 2019-06-05 16:29:36 UTC (rev 10138)
@@ -141,6 +141,7 @@
</head>
<body>
<?php
+//TODO: important - to extent form mod_editUser.php and mod_editFilteredUser.php have to include the allowed HTTP POST variables!!!!!!!!!!!
#delete
if ($action == 'delete' && (!isset($editSelf) || !$editSelf)) {
$user = new User(intval($selected_user));
@@ -147,11 +148,9 @@
$user->remove();
$selected_user = 'new';
}
-
#save
if($action == 'save'){
$user = User::byName($name);
-
if (!is_null($user)) {
echo "<script language='JavaScript'>alert('"._mb("Username must be unique!")."');</script>";
}
@@ -176,24 +175,42 @@
$user->postalCode = $postal_code;
$user->city = $city;
$user->country = $country;
-
+ switch ($create_digest) {
+ case "on":
+ $user->createDigest = 't';
+ break;
+ case "off":
+ $user->createDigest = 'f';
+ break;
+ default:
+ $user->createDigest = 'f';
+ break;
+ }
+ switch ($is_active) {
+ case "on":
+ $user->isActive = 't';
+ break;
+ case "off":
+ $user->isActive = 'f';
+ break;
+ default:
+ $user->isActive = 'f';
+ break;
+ }
$user->create();
$user->setNewUserPasswordTicket();
-
+ //TODO: check function !
if($withPasswordInsertion == 'true' && $password !== '' && $user->validUserPasswordTicket($user->passwordTicket)) {
$user->setPassword($password, $user->passwordTicket);
- }
-
-// TODO: uuid() ????
+ }
+// TODO: uuid() ???? - insert it by default in class_user.php!
}
}
-
#update
if ($action == 'update') {
- //check sercurity:
+ //check security:
// has the user all permissions to do that
$user = User::byName($name);
-
if (!is_null($user) && intval($user->id) !== intval($selected_user)) {
echo "<script language='JavaScript'>alert('"._mb("Username must be unique!")."');</script>";
}
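Review bot: The two `switch` blocks on `$create_digest` and `$is_active` reduce to one assignment each, because an HTML checkbox without a `value` attribute (as rendered further down in this file) only ever posts `"on"` or nothing, so `case "off"` is unreachable: `$user->createDigest = ($create_digest === 'on') ? 't' : 'f';` and `$user->isActive = ($is_active === 'on') ? 't' : 'f';`. More importantly, both flags are taken straight from the request with no visible authorisation check, although `create_digest` (by the form's own warning) keeps a password in a recoverable form and `is_active` enables the account; if this save path is reachable by a self-editing user (`$editSelf` is tested for delete but not here) these two fields should be restricted to administrators. The enclosing `if ($action == 'save')` block starts before this hunk.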
@@ -218,11 +235,30 @@
$user->postalCode = $postal_code;
$user->city = $city;
$user->country = $country;
- $user->loginCount = $login_count;
-
+ $user->loginCount = $login_count;
+ switch ($create_digest) {
+ case "on":
+ $user->createDigest = 't';
+ break;
+ case "off":
+ $user->createDigest = 'f';
+ break;
+ default:
+ $user->createDigest = 'f';
+ break;
+ }
+ switch ($is_active) {
+ case "on":
+ $user->isActive = 't';
+ break;
+ case "off":
+ $user->isActive = 'f';
+ break;
+ default:
+ $user->isActive = 'f';
+ break;
+ }
$user->commit();
-
- // TODO: uuid ???
$user->setNewUserPasswordTicket();
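Review bot: The 22 lines of `switch` statements added here are an exact copy of the ones in the create path above, and both collapse to a single expression since only `"on"` is ever posted by the checkbox; a small helper such as `function checkboxFlag($v) { return $v === 'on' ? 't' : 'f'; }` used as `$user->createDigest = checkboxFlag($create_digest);` removes the duplication and makes the default obvious. The comment `//check security: has the user all permissions to do that` is still followed only by the username-uniqueness check, so the new `isActive`/`createDigest` writes (like the existing `loginCount` write) are not covered by any permission test visible in this hunk. The enclosing `if ($action == 'update')` block and its closing brace lie outside the hunk.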
@@ -262,6 +298,8 @@
$postal_code = "";
$city = "";
$country = "";
+ $is_active = 'f';
+ $create_digest = 'f';
}
@@ -325,7 +363,6 @@
$organization = $data["organization"];
$position = $data["position"];
$resolution = $data["resolution"];
-// $uuid = $data["uuid"];
$firstname = $data["firstName"];
$lastname = $data["lastName"];
$academic_title = $data["academicTitle"];
@@ -336,7 +373,8 @@
$postal_code = $data["postalCode"];
$city = $data["city"];
$country = $data["country"];
-
+ $is_active = $data["isActive"];
+ $create_digest = $data["createDigest"];
}
}
@@ -525,7 +563,27 @@
echo "</td>";
echo "</tr>";
+#is_active - boolean
+echo "<tr>";
+ echo "<td>"._mb("Account active").": </td>";
+ echo "<td>";
+ echo "<input type='checkbox' id='is_active' name='is_active' ";
+ if($is_active == 't'){ echo " checked "; };
+ echo ">";
+ echo "</td>";
+echo "</tr>";
+#create_digest - boolean
+echo "<tr>";
+ echo "<td>"._mb("Activate digest authentication for secured services.")."<br>(****"._mb("Personal passwords are not stored secure")."****): </td>";
+
+ echo "<td>";
+ echo "<input type='checkbox' id='create_digest' name='create_digest' ";
+ if($create_digest == 't'){ echo " checked "; };
+ echo ">";
+ echo "</td>";
+echo "</tr>";
+
# blank row
echo "<tr>";
echo "<td colspan='2'> </td>";
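Review bot: The user-facing warning on the digest checkbox reads `Personal passwords are not stored secure`; as a translation key it should be `Personal passwords are not stored securely`, and since it is the only hint an administrator gets about what enabling digest authentication costs, a sentence stating what is actually stored would help (the exact storage is not visible in this hunk, so I am not proposing wording for it). The `checked` test `if($is_active == 't')` should use `===`; with the loose comparison `true` would also be treated as checked, which is harmless today but surprising.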
@@ -610,4 +668,4 @@
// -->
</script>
</body>
-</html>
\ No newline at end of file
+</html>
Modified: trunk/mapbender/resources/db/pgsql/UTF-8/update/update_2.7.4_to_2.8_pgsql_UTF-8.sql
===================================================================
--- trunk/mapbender/resources/db/pgsql/UTF-8/update/update_2.7.4_to_2.8_pgsql_UTF-8.sql 2019-06-05 08:19:00 UTC (rev 10137)
+++ trunk/mapbender/resources/db/pgsql/UTF-8/update/update_2.7.4_to_2.8_pgsql_UTF-8.sql 2019-06-05 16:29:36 UTC (rev 10138)
@@ -2749,7 +2749,9 @@
ALTER TABLE mb_user ADD COLUMN mb_user_digest_hash character varying(100);
+ALTER TABLE mb_user ALTER COLUMN mb_user_password TYPE varchar(255);
+ALTER TABLE mb_user ADD COLUMN create_digest boolean DEFAULT false;
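Review bot: The `password` column that `getUserInfo()` in http_auth/http/index.php now selects (`$row['password']`) and that `password_verify()` reads is not created in this migration; only `mb_user_password` is widened and `create_digest` is added. Unless another update script or an earlier revision already adds it (not visible here), the new `SELECT ... password FROM mb_user` fails on upgraded databases, so this hunk likely needs `ALTER TABLE mb_user ADD COLUMN password character varying(255);`. A length of 255 is sufficient for `password_hash()` output with `PASSWORD_DEFAULT` as documented, so matching the new size of `mb_user_password` is reasonable.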