mz/crm.e5.pl
1
0
Fork 0
Code Issues 12 Pull Requests Actions Packages Projects Releases Wiki Activity

init

Browse Source
This commit is contained in:
Michał Zieliński
2024-04-27 09:23:34 +02:00
commit 11e713ca6f
11884 changed files with 3263371 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

345
modules/Users/authentication/SugarAuthenticate/SugarAuthenticate.php Executable file
View File

@@ -0,0 +1,345 @@
<?php
if(!defined('sugarEntry') || !sugarEntry) die('Not A Valid Entry Point');
/*********************************************************************************
* SugarCRM is a customer relationship management program developed by
* SugarCRM, Inc. Copyright (C) 2004-2010 SugarCRM Inc.
*
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU Affero General Public License version 3 as published by the
* Free Software Foundation with the addition of the following permission added
* to Section 15 as permitted in Section 7(a): FOR ANY PART OF THE COVERED WORK
* IN WHICH THE COPYRIGHT IS OWNED BY SUGARCRM, SUGARCRM DISCLAIMS THE WARRANTY
* OF NON INFRINGEMENT OF THIRD PARTY RIGHTS.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
* details.
*
* You should have received a copy of the GNU Affero General Public License along with
* this program; if not, see http://www.gnu.org/licenses or write to the Free
* Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301 USA.
*
* You can contact SugarCRM, Inc. headquarters at 10050 North Wolfe Road,
* SW2-130, Cupertino, CA 95014, USA. or at email address contact@sugarcrm.com.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "Powered by
* SugarCRM" logo. If the display of the logo is not reasonably feasible for
* technical reasons, the Appropriate Legal Notices must display the words
* "Powered by SugarCRM".
********************************************************************************/
/**
* This file is used to control the authentication process.
* It will call on the user authenticate and controll redirection
* based on the users validation
*
*/
class SugarAuthenticate{
var $userAuthenticateClass = 'SugarAuthenticateUser';
var $authenticationDir = 'SugarAuthenticate';
/**
* Constructs SugarAuthenticate
* This will load the user authentication class
*
* @return SugarAuthenticate
*/
function SugarAuthenticate(){
require_once('modules/Users/authentication/'. $this->authenticationDir . '/'. $this->userAuthenticateClass . '.php');
$this->userAuthenticate = new $this->userAuthenticateClass();
}
/**
* Authenticates a user based on the username and password
* returns true if the user was authenticated false otherwise
* it also will load the user into current user if he was authenticated
*
* @param string $username
* @param string $password
* @return boolean
*/
function loginAuthenticate($username, $password, $fallback=false, $PARAMS = array ()){
global $mod_strings;
unset($_SESSION['login_error']);
$usr= new user();
$usr_id=$usr->retrieve_user_id($username);
$usr->retrieve($usr_id);
$_SESSION['login_error']='';
$_SESSION['waiting_error']='';
$_SESSION['hasExpiredPassword']='0';
if ($this->userAuthenticate->loadUserOnLogin($username, $password, $fallback, $PARAMS)) {
require_once('modules/Users/password_utils.php');
if(hasPasswordExpired($username)) {
$_SESSION['hasExpiredPassword'] = '1';
}
return $this->postLoginAuthenticate();
}
else
{
if(!empty($usr_id) && $res['lockoutexpiration'] > 0){
if (($logout=$usr->getPreference('loginfailed'))=='')
$usr->setPreference('loginfailed','1');
else
$usr->setPreference('loginfailed',$logout+1);
$usr->savePreferencesToDB();
}
}
if(strtolower(get_class($this)) != 'sugarauthenticate'){
$sa = new SugarAuthenticate();
$error = (!empty($_SESSION['login_error']))?$_SESSION['login_error']:'';
if($sa->loginAuthenticate($username, $password, true, $PARAMS)){
return true;
}
$_SESSION['login_error'] = $error;
}
$_SESSION['login_user_name'] = $username;
$_SESSION['login_password'] = $password;
if(empty($_SESSION['login_error'])){
$_SESSION['login_error'] = translate('ERR_INVALID_PASSWORD', 'Users');
}
return false;
}
/**
* Once a user is authenticated on login this function will be called. Populate the session with what is needed and log anything that needs to be logged
*
*/
function postLoginAuthenticate(){
global $reset_theme_on_default_user, $reset_language_on_default_user, $sugar_config;
//THIS SECTION IS TO ENSURE VERSIONS ARE UPTODATE
require_once ('modules/Versions/CheckVersions.php');
$invalid_versions = get_invalid_versions();
if (!empty ($invalid_versions)) {
if (isset ($invalid_versions['Rebuild Relationships'])) {
unset ($invalid_versions['Rebuild Relationships']);
// flag for pickup in DisplayWarnings.php
$_SESSION['rebuild_relationships'] = true;
}
if (isset ($invalid_versions['Rebuild Extensions'])) {
unset ($invalid_versions['Rebuild Extensions']);
// flag for pickup in DisplayWarnings.php
$_SESSION['rebuild_extensions'] = true;
}
$_SESSION['invalid_versions'] = $invalid_versions;
}
//just do a little house cleaning here
unset($_SESSION['login_password']);
unset($_SESSION['login_error']);
unset($_SESSION['login_user_name']);
unset($_SESSION['ACL']);
//set the server unique key
if (isset ($sugar_config['unique_key']))$_SESSION['unique_key'] = $sugar_config['unique_key'];
//set user language
if (isset ($reset_language_on_default_user) && $reset_language_on_default_user && $$GLOBALS['current_user']->user_name == $sugar_config['default_user_name']) {
$authenticated_user_language = $sugar_config['default_language'];
} else {
$authenticated_user_language = isset($_REQUEST['login_language']) ? $_REQUEST['login_language'] : (isset ($_REQUEST['ck_login_language_20']) ? $_REQUEST['ck_login_language_20'] : $sugar_config['default_language']);
}
$_SESSION['authenticated_user_language'] = $authenticated_user_language;
$GLOBALS['log']->debug("authenticated_user_language is $authenticated_user_language");
// Clear all uploaded import files for this user if it exists
$tmp_file_name = $sugar_config['import_dir']."IMPORT_".$GLOBALS['current_user']->id;
if (file_exists($tmp_file_name)) {
unlink($tmp_file_name);
}
return true;
}
/**
* On every page hit this will be called to ensure a user is authenticated
* @return boolean
*/
function sessionAuthenticate(){
global $module, $action, $allowed_actions;
$authenticated = false;
$allowed_actions = array ("Authenticate", "Login"); // these are actions where the user/server keys aren't compared
if (isset ($_SESSION['authenticated_user_id'])) {
$GLOBALS['log']->debug("We have an authenticated user id: ".$_SESSION["authenticated_user_id"]);
$authenticated = $this->postSessionAuthenticate();
} else
if (isset ($action) && isset ($module) && $action == "Authenticate" && $module == "Users") {
$GLOBALS['log']->debug("We are authenticating user now");
} else {
$GLOBALS['log']->debug("The current user does not have a session. Going to the login page");
$action = "Login";
$module = "Users";
$_REQUEST['action'] = $action;
$_REQUEST['module'] = $module;
}
if (empty ($GLOBALS['current_user']->id) && !in_array($action, $allowed_actions)) {
$GLOBALS['log']->debug("The current user is not logged in going to login page");
$action = "Login";
$module = "Users";
$_REQUEST['action'] = $action;
$_REQUEST['module'] = $module;
}
if($authenticated && ((empty($_REQUEST['module']) || empty($_REQUEST['action'])) || ($_REQUEST['module'] != 'Users' || $_REQUEST['action'] != 'Logout'))){
$this->validateIP();
}
return $authenticated;
}
/**
* Called after a session is authenticated - if this returns false the sessionAuthenticate will return false and destroy the session
* and it will load the current user
* @return boolean
*/
function postSessionAuthenticate(){
global $action, $allowed_actions, $sugar_config;
$_SESSION['userTime']['last'] = time();
$user_unique_key = (isset ($_SESSION['unique_key'])) ? $_SESSION['unique_key'] : '';
$server_unique_key = (isset ($sugar_config['unique_key'])) ? $sugar_config['unique_key'] : '';
//CHECK IF USER IS CROSSING SITES
if (($user_unique_key != $server_unique_key) && (!in_array($action, $allowed_actions)) && (!isset ($_SESSION['login_error']))) {
session_destroy();
$post_login_nav = '';
if (!empty ($record) && !empty ($action) && !empty ($module)) {
$post_login_nav = "&login_module=".$module."&login_action=".$action."&login_record=".$record;
}
$GLOBALS['log']->debug('Destroying Session User has crossed Sites');
header("Location: index.php?action=Login&module=Users".$post_login_nav);
sugar_cleanup(true);
}
if (!$this->userAuthenticate->loadUserOnSession($_SESSION['authenticated_user_id'])) {
session_destroy();
header("Location: index.php?action=Login&module=Users");
$GLOBALS['log']->debug('Current user session does not exist redirecting to login');
sugar_cleanup(true);
}
$GLOBALS['log']->debug('Current user is: '.$GLOBALS['current_user']->user_name);
return true;
}
/**
* Make sure a user isn't stealing sessions so check the ip to ensure that the ip address hasn't dramatically changed
*
*/
function validateIP() {
global $sugar_config;
// grab client ip address
$clientIP = query_client_ip();
$classCheck = 0;
// check to see if config entry is present, if not, verify client ip
if (!isset ($sugar_config['verify_client_ip']) || $sugar_config['verify_client_ip'] == true) {
// check to see if we've got a current ip address in $_SESSION
// and check to see if the session has been hijacked by a foreign ip
if (isset ($_SESSION["ipaddress"])) {
$session_parts = explode(".", $_SESSION["ipaddress"]);
$client_parts = explode(".", $clientIP);
if(count($session_parts) < 4) {
$classCheck = 0;
}
else {
// match class C IP addresses
for ($i = 0; $i < 3; $i ++) {
if ($session_parts[$i] == $client_parts[$i]) {
$classCheck = 1;
continue;
} else {
$classCheck = 0;
break;
}
}
}
// we have a different IP address
if ($_SESSION["ipaddress"] != $clientIP && empty ($classCheck)) {
$GLOBALS['log']->fatal("IP Address mismatch: SESSION IP: {$_SESSION['ipaddress']} CLIENT IP: {$clientIP}");
session_destroy();
die("Your session was terminated due to a significant change in your IP address. <a href=\"{$sugar_config['site_url']}\">Return to Home</a>");
}
} else {
$_SESSION["ipaddress"] = $clientIP;
}
}
}
/**
* Called when a user requests to logout
*
*/
function logout(){
session_destroy();
ob_clean();
header('Location: index.php?module=Users&action=Login');
sugar_cleanup(true);
}
/**
* Encodes a users password. This is a static function and can be called at any time.
*
* @param STRING $password
* @return STRING $encoded_password
*/
function encodePassword($password){
return strtolower(md5($password));
}
/**
* If a user may change there password through the Sugar UI
*
*/
function canChangePassword(){
return true;
}
/**
* If a user may change there user name through the Sugar UI
*
*/
function canChangeUserName(){
return true;
}
}

142
modules/Users/authentication/SugarAuthenticate/SugarAuthenticateUser.php Executable file
View File

@@ -0,0 +1,142 @@
<?php
if(!defined('sugarEntry') || !sugarEntry) die('Not A Valid Entry Point');
/*********************************************************************************
* SugarCRM is a customer relationship management program developed by
* SugarCRM, Inc. Copyright (C) 2004-2010 SugarCRM Inc.
*
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU Affero General Public License version 3 as published by the
* Free Software Foundation with the addition of the following permission added
* to Section 15 as permitted in Section 7(a): FOR ANY PART OF THE COVERED WORK
* IN WHICH THE COPYRIGHT IS OWNED BY SUGARCRM, SUGARCRM DISCLAIMS THE WARRANTY
* OF NON INFRINGEMENT OF THIRD PARTY RIGHTS.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
* details.
*
* You should have received a copy of the GNU Affero General Public License along with
* this program; if not, see http://www.gnu.org/licenses or write to the Free
* Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301 USA.
*
* You can contact SugarCRM, Inc. headquarters at 10050 North Wolfe Road,
* SW2-130, Cupertino, CA 95014, USA. or at email address contact@sugarcrm.com.
*
* The interactive user interfaces in modified source and object code versions
* of this program must display Appropriate Legal Notices, as required under
* Section 5 of the GNU Affero General Public License version 3.
*
* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
* these Appropriate Legal Notices must retain the display of the "Powered by
* SugarCRM" logo. If the display of the logo is not reasonably feasible for
* technical reasons, the Appropriate Legal Notices must display the words
* "Powered by SugarCRM".
********************************************************************************/
/**
* This file is where the user authentication occurs. No redirection should happen in this file.
*
*/
class SugarAuthenticateUser{
/**
* Does the actual authentication of the user and returns an id that will be used
* to load the current user (loadUserOnSession)
*
* @param STRING $name
* @param STRING $password
* @param STRING $fallback - is this authentication a fallback from a failed authentication
* @return STRING id - used for loading the user
*/
function authenticateUser($name, $password, $fallback=false) {
$name = $GLOBALS['db']->quote($name);
$password = $GLOBALS['db']->quote($password);
$query = "SELECT * from users where user_name='$name' AND user_hash='$password' AND (portal_only IS NULL OR portal_only !='1') AND (is_group IS NULL OR is_group !='1') AND status !='Inactive'";
$result =$GLOBALS['db']->limitQuery($query,0,1,false);
$row = $GLOBALS['db']->fetchByAssoc($result);
// set the ID in the seed user. This can be used for retrieving the full user record later
//if it's falling back on Sugar Authentication after the login failed on an external authentication return empty if the user has external_auth_disabled for them
if (empty ($row) || ($fallback && !empty($row['external_auth_only']))) {
return '';
} else {
return $row['id'];
}
}
/**
* Checks if a user is a sugarLogin user
* which implies they should use the sugar authentication to login
*
* @param STRING $name
* @param STRIUNG $password
* @return boolean
*/
function isSugarLogin($name, $password){
$password = SugarAuthenticate::encodePassword($password);
$name = $GLOBALS['db']->quote($name);
$password = $GLOBALS['db']->quote($password);
$query = "SELECT * from users where user_name='$name' AND user_hash='$password' AND (portal_only IS NULL OR portal_only !='1') AND (is_group IS NULL OR is_group !='1') AND status !='Inactive' AND sugar_login=1";
$result =$GLOBALS['db']->limitQuery($query,0,1,false);
$row = $GLOBALS['db']->fetchByAssoc($result);
if($row)return true;
return false;
}
/**
* this is called when a user logs in
*
* @param STRING $name
* @param STRING $password
* @param STRING $fallback - is this authentication a fallback from a failed authentication
* @return boolean
*/
function loadUserOnLogin($name, $password, $fallback = false, $PARAMS = array()) {
global $login_error;
$GLOBALS['log']->debug("Starting user load for ". $name);
if(empty($name) || empty($password)) return false;
$user_hash = $password;
$passwordEncrypted = false;
if (!empty($PARAMS) && isset($PARAMS['passwordEncrypted']) && $PARAMS['passwordEncrypted']) {
$passwordEncrypted = true;
}// if
if (!$passwordEncrypted) {
$user_hash = SugarAuthenticate::encodePassword($password);
} // if
$user_id = $this->authenticateUser($name, $user_hash, $fallback);
if(empty($user_id)) {
$GLOBALS['log']->fatal('SECURITY: User authentication for '.$name.' failed');
return false;
}
$this->loadUserOnSession($user_id);
return true;
}
/**
* Loads the current user bassed on the given user_id
*
* @param STRING $user_id
* @return boolean
*/
function loadUserOnSession($user_id=''){
if(!empty($user_id)){
$_SESSION['authenticated_user_id'] = $user_id;
}
if(!empty($_SESSION['authenticated_user_id']) || !empty($user_id)){
$GLOBALS['current_user'] = new User();
if($GLOBALS['current_user']->retrieve($_SESSION['authenticated_user_id'])){
return true;
}
}
return false;
}
}
?>