From: <gem...@li...> - 2011-11-14 15:42:22
Revision: 212 http://gemstracker.svn.sourceforge.net/gemstracker/?rev=212&view=rev Author: mennodekker Date: 2011-11-14 15:42:16 +0000 (Mon, 14 Nov 2011) Log Message: ----------- Fixing some flaws in #31: remember last organization restored, nologin selected more efficient and bypassing security by checking through gems_user_user Modified Paths: -------------- trunk/library/classes/Gems/User/NoLoginDefinition.php trunk/library/classes/Gems/User/User.php trunk/library/classes/Gems/User/UserLoader.php Modified: trunk/library/classes/Gems/User/NoLoginDefinition.php =================================================================== --- trunk/library/classes/Gems/User/NoLoginDefinition.php 2011-11-14 13:01:31 UTC (rev 211) +++ trunk/library/classes/Gems/User/NoLoginDefinition.php 2011-11-14 15:42:16 UTC (rev 212) @@ -71,7 +71,7 @@ return array( 'user_active' => false, 'user_role' => 'nologin', - 'user_organization_id' => 0, + //'user_organization_id' => 0, //REMOVED AS IT BREAKS STORING LAST ORGANIZATION ); } } Modified: trunk/library/classes/Gems/User/User.php =================================================================== --- trunk/library/classes/Gems/User/User.php 2011-11-14 13:01:31 UTC (rev 211) +++ trunk/library/classes/Gems/User/User.php 2011-11-14 15:42:16 UTC (rev 212) @@ -200,7 +200,7 @@ */ public function checkPassword($password) { - return $this->definition->checkPassword($this->getLoginName(), $this->getOrganizationId(), $password); + return $this->userLoader->checkPassword($this->getLoginName(), $this->getOrganizationId(), $password); } /** Modified: trunk/library/classes/Gems/User/UserLoader.php =================================================================== --- trunk/library/classes/Gems/User/UserLoader.php 2011-11-14 13:01:31 UTC (rev 211) +++ trunk/library/classes/Gems/User/UserLoader.php 2011-11-14 15:42:16 UTC (rev 212) 
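Review bot: The `user_organization_id` entry is kept as commented-out code with an all-caps note instead of being deleted, which leaves the array literal documenting a line that no longer exists. Remove the commented line and keep only the reason as a normal comment, e.g. `// user_organization_id is deliberately not set here: a fixed 0 prevented the last used organization from being stored`. Callers that read `user_organization_id` from a nologin user now get whatever default the User class applies for a missing key; that default is not visible in this hunk and is worth confirming. The enclosing method starts outside the hunk.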
@@ -262,6 +262,7 @@ */ protected function getUserClassName($login_name, $organization) { + if (is_null($login_name) && is_null($organization)) return 'NoLoginDefinition'; if ($this->isProjectUser($login_name)) { return 'ProjectUserDefinition'; } This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
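Review bot: The added early return `if (is_null($login_name) && is_null($organization)) return 'NoLoginDefinition';` is unbraced and covers only the case where both arguments are null; when just one is null the call falls through to `isProjectUser($login_name)` and the later lookups with a null value. If a null in either argument should mean "no login", the condition wants `||`; in either case write it braced: `if (null === $login_name && null === $organization) {` / `return 'NoLoginDefinition';` / `}`. getUserClassName continues outside the hunk.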
From: <gem...@li...> - 2012-03-22 11:04:11
Revision: 560 http://gemstracker.svn.sourceforge.net/gemstracker/?rev=560&view=rev Author: matijsdejong Date: 2012-03-22 11:04:04 +0000 (Thu, 22 Mar 2012) Log Message: ----------- User can login using their e-mail address. User can login with any organization they are authorized for. Modified Paths: -------------- trunk/library/classes/Gems/User/User.php trunk/library/classes/Gems/User/UserLoader.php Modified: trunk/library/classes/Gems/User/User.php =================================================================== --- trunk/library/classes/Gems/User/User.php 2012-03-21 17:26:57 UTC (rev 559) +++ trunk/library/classes/Gems/User/User.php 2012-03-22 11:04:04 UTC (rev 560) @@ -255,6 +255,7 @@ $formValues['allowed_ip_ranges'] = $this->getAllowedIPRanges(); $formValues['organization'] = $this->getBaseOrganizationId(); + $formValues['userlogin'] = $this->getLoginName(); if ($this->isActive()) { $adapter = $this->definition->getAuthAdapter($formValues['userlogin'], $formValues['organization'], $formValues['password']); Modified: trunk/library/classes/Gems/User/UserLoader.php =================================================================== --- trunk/library/classes/Gems/User/UserLoader.php 2012-03-21 17:26:57 UTC (rev 559) +++ trunk/library/classes/Gems/User/UserLoader.php 2012-03-22 11:04:04 UTC (rev 560) @@ -56,6 +56,18 @@ const USER_STAFF = 'StaffUser'; /** + * When true Respondent members can use their e-mail address as login name + * @var boolean + */ + public $allowRespondentEmailLogin = true; + + /** + * When true Staff members can use their e-mail address as login name + * @var boolean + */ + public $allowStaffEmailLogin = true; + + /** * Allows sub classes of Gems_Loader_LoaderAbstract to specify the subdirectory where to look for. * * @var string $cascade An optional subdirectory where this subclass always loads from. 
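Review bot: `$formValues['userlogin']` is now `getLoginName()` and is passed to getAuthAdapter together with `getBaseOrganizationId()`, whereas checkPassword (rev 212 earlier on this page) still passes `getOrganizationId()`; now that a user may log in under any organization they are authorized for, the two ids can differ and the password check would then run against the currently selected organization rather than the one holding the credentials — worth confirming which one the definitions expect. A comment would make the intent explicit: `// Authenticate against the base organization: the credentials live there, not under the organization currently selected`. The enclosing method starts and ends outside the hunk.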
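Review bot: `$allowRespondentEmailLogin` and `$allowStaffEmailLogin` are public, mutable and default to true, so every project gets e-mail login for both groups unless it explicitly switches them off; defaulting to false and letting a project opt in is the safer default for a new login identifier. The docblocks should also state the assumption the lookup relies on, e.g. ` * Assumes an e-mail address identifies at most one login; getUserClassSelect returns the first match otherwise`.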
@@ -268,45 +280,20 @@ public function getUser($login_name, $currentOrganization) { list($defName, $userOrganization, $userName) = $this->getUserClassInfo($login_name, $currentOrganization); - // MUtil_Echo::track($defName, $userOrganization); + $user = $this->loadUser($defName, $userOrganization, $userName); - $definition = $this->getUserDefinition($defName); - - $values = $definition->getUserData($userName, $userOrganization); - // MUtil_Echo::track($defName, $login_name, $userOrganization, $values); - - if (! isset($values['user_active'])) { - $values['user_active'] = true; + // Check: can the user log in as this organization, if not load non-existing user + $orgs = $user->getAllowedOrganizations(); + if (! isset($orgs[$currentOrganization])) { + $user = $this->loadUser(self::USER_NOLOGIN . 'Definition', $currentOrganization, $login_name); } - if (! isset($values['user_staff'])) { - $values['user_staff'] = $definition->isStaff(); - } - $values['__user_definition'] = $defName; - - $user = $this->_loadClass('User', true, array($values, $definition)); - // MUtil_Echo::track($user->getAllowedOrganizations()); - $user->setCurrentOrganization($currentOrganization); return $user; } /** - * Retrieve a userdefinition, so we can check it's capabilities without - * instantiating a user - * - * @param string $userClassName - * @return Gems_User_UserDefinitionInterface - */ - public function getUserDefinition($userClassName) - { - $definition = $this->_getClass($userClassName); - - return $definition; - } - - /** * Get a staff user using the $staff_id * * @param int $staff_id 
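Review bot: When `$currentOrganization` is not in `getAllowedOrganizations()`, the fallback `loadUser(self::USER_NOLOGIN . 'Definition', $currentOrganization, $login_name)` passes the raw `$login_name` instead of the `$userName` resolved by getUserClassInfo; since this commit lets the input be an e-mail address, the substitute user then carries the e-mail as its name, which is inconsistent with the user loaded two lines earlier. Use `$userName` there unless the nologin definition needs the original input, and state the rule above the check: `// A login found through another organization still needs $currentOrganization in its allowed list; otherwise behave as if the user does not exist`. Whether `getAllowedOrganizations()` is keyed by organization id, as `isset($orgs[$currentOrganization])` assumes, is not visible in the hunk.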
@@ -341,59 +328,9 @@ } try { - /* $select = $this->getUserClassSelect($login_name, $organization); - $row = $this->db->fetchRow($select, null, Zend_Db::FETCH_NUM); - // */ - //* - $sql = "SELECT CONCAT(gul_user_class, 'Definition'), gul_id_organization - FROM gems__user_logins INNER JOIN gems__organizations ON gor_id_organization = gul_id_organization - WHERE gor_active = 1 AND - gul_can_login = 1 AND - gul_login = ? AND - gul_id_organization = ? - LIMIT 1"; - $params[] = $login_name; - $params[] = $organization; - // MUtil_Echo::track($sql, $params); - - $row = $this->db->fetchRow($sql, $params, Zend_Db::FETCH_NUM); - - if (! $row) { - // Try to get see if this is another allowed organization for this user - $sql = "SELECT CONCAT(gul_user_class, 'Definition'), gul_id_organization, gul_login - FROM gems__user_logins INNER JOIN gems__organizations ON gor_id_organization != gul_id_organization - WHERE gor_active = 1 AND - gul_can_login = 1 AND - gul_login = ? AND - gor_id_organization = ? AND - gor_accessible_by LIKE CONCAT('%:', gul_id_organization, ':%') - LIMIT 1"; - - // MUtil_Echo::track($sql, $params); - - $row = $this->db->fetchRow($sql, $params, Zend_Db::FETCH_NUM); - } - - if ((! $row) && ($organization == $this->project->getDefaultOrganization())) { - // Check for the current organization being the default one - // - // For optimization do set the allowed organizations - // Try to get see if this is another allowed organization for this user - $sql = "SELECT CONCAT(gul_user_class, 'Definition'), gul_id_organization, gul_login - FROM gems__user_logins INNER JOIN gems__organizations ON gor_id_organization != gul_id_organization - WHERE gor_active = 1 AND - gul_can_login = 1 AND - gul_login = ? - LIMIT 1"; - - // MUtil_Echo::track($sql, $login_name); - - $row = $this->db->fetchRow($sql, $login_name, Zend_Db::FETCH_NUM); - } // */ - - if ($row) { + if ($row = $this->db->fetchRow($select, null, Zend_Db::FETCH_NUM)) { // MUtil_Echo::track($row); return $row; } 
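Review bot: The new condition `if ($row = $this->db->fetchRow($select, null, Zend_Db::FETCH_NUM))` reads `$select`, and the hunk at @@ -404 still passes `$params` to `fetchOne`, but this hunk removes the only visible assignments to both (`$select = $this->getUserClassSelect(...)` in the dropped comment block and `$params[] = $login_name; $params[] = $organization;`). Unless both are assigned above this hunk in the enclosing method, which starts outside it, the fail-over query now runs with an undefined `$params`. Define them once before the `try`: `$select = $this->getUserClassSelect($login_name, $organization);` / `$params = array($login_name, $organization);`. Assigning inside the `if` condition also hides the fetch; a separate assignment line followed by `if ($row) {` reads more plainly.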
@@ -404,26 +341,13 @@ // Fail over for pre 1.5 projects // - // No login as other organization for first login + // No login as other organization or with e-mail possible for first login $sql = "SELECT gsf_id_user FROM gems__staff INNER JOIN gems__organizations ON gsf_id_organization = gor_id_organization WHERE gor_active = 1 AND gsf_active = 1 AND gsf_login = ? AND gsf_id_organization = ?"; - $user_id = $this->db->fetchOne($sql, $params); - - if ((! $user_id) && ($organization == $this->project->getDefaultOrganization())) { - $sql = "SELECT gsf_id_user - FROM gems__staff INNER JOIN - gems__organizations ON gsf_id_organization = gor_id_organization - WHERE gor_active = 1 AND gsf_active = 1 AND gsf_login = ?"; - - // MUtil_Echo::track($sql, $login_name); - - $user_id = $this->db->fetchOne($sql, $login_name); - } - - if ($user_id) { + if ($user_id = $this->db->fetchOne($sql, $params)) { // Move user to new staff. $values['gul_login'] = $login_name; $values['gul_id_organization'] = $organization; @@ -448,6 +372,7 @@ } /** + * Returns a select statement to find a corresponding user. * * @param string $login_name * @param int $organization 
@@ -459,26 +384,84 @@ $select->from('gems__user_logins', array("CONCAT(gul_user_class, 'Definition')", 'gul_id_organization', 'gul_login')) ->from('gems__organizations', array()) - ->joinLeft('gems__staff', 'gul_login = gsf_login AND gul_id_organization = gsf_id_organization', array()) - ->joinLeft('gems__respondent2org', 'gul_login = gr2o_patient_nr AND gul_id_organization = gr2o_id_organization', array()) - ->joinLeft('gems__respondents', 'gr2o_id_user = grs_id_user', array()) ->where('gor_active = 1') ->where('gul_can_login = 1') ->where('gor_id_organization = ?', $organization) - ->where('(gul_login = ? OR gsf_email = ? OR grs_email = ?)', $login_name) ->order("CASE WHEN gor_id_organization = gul_id_organization THEN 1 WHEN gor_accessible_by LIKE CONCAT('%:', gul_id_organization, ':%') THEN 2 ELSE 3 END"); - MUtil_Echo::track($select->__toString()); + $ids[] = 'gul_login'; + if ($this->allowStaffEmailLogin) { + $select->joinLeft('gems__staff', 'gul_login = gsf_login AND gul_id_organization = gsf_id_organization', array()); + $ids[] = 'gsf_email'; + } + if ($this->allowRespondentEmailLogin) { + $select->joinLeft('gems__respondent2org', 'gul_login = gr2o_patient_nr AND gul_id_organization = gr2o_id_organization', array()) + ->joinLeft('gems__respondents', 'gr2o_id_user = grs_id_user', array()); + $ids[] = 'grs_email'; + } + // Add search fields + $select->where('(' . implode(' = ? OR ', $ids) . ' = ?)', $login_name); + + // MUtil_Echo::track($select->__toString()); + return $select; } + /** + * Retrieve a userdefinition, so we can check it's capabilities without + * instantiating a user. + * + * @param string $userClassName + * @return Gems_User_UserDefinitionInterface + */ + public function getUserDefinition($userClassName) + { + $definition = $this->_getClass($userClassName); + + return $definition; + } + + /** + * Check: is this user the super user defined + * in project.ini? 
+ * + * @param string $login_name + * @return boolean + */ protected function isProjectUser($login_name) { return $this->project->getSuperAdminName() == $login_name; } /** + * Returns a loaded user object + * + * @param string $defName + * @param int $userOrganization + * @param string $userName + * @return Gems_User_User But ! ->isActive when the user does not exist + */ + protected function loadUser($defName, $userOrganization, $userName) + { + $definition = $this->getUserDefinition($defName); + + $values = $definition->getUserData($userName, $userOrganization); + // MUtil_Echo::track($defName, $login_name, $userOrganization, $values); + + if (! isset($values['user_active'])) { + $values['user_active'] = true; + } + if (! isset($values['user_staff'])) { + $values['user_staff'] = $definition->isStaff(); + } + + $values['__user_definition'] = $defName; + + return $this->_loadClass('User', true, array($values, $definition)); + } + + /** * Check for password weakness. * * @param Gems_User_User $user The user for e.g. name checks This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
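Review bot: The condition built from `$ids` matches `gul_login`, `gsf_email` and `grs_email` against the same value and the caller takes the first row of the ORDER BY, so if an e-mail address is shared by several logins, or equals another account's login name, authentication proceeds against whichever account sorts first; either document that e-mail addresses must be unique per login or detect the ambiguity (fetch all rows and treat more than one distinct `gul_login` as no match). The staff join `gul_login = gsf_login AND gul_id_organization = gsf_id_organization` has no `gsf_active` filter while the fail-over query at @@ -404 does check it, so unless `gul_can_login` is kept in sync with `gsf_active` an inactive staff record's e-mail still resolves to a login. Initialize the array before appending, `$ids = array('gul_login');`, and in loadUser the commented-out track call names `$login_name`, which is not a parameter of that method — drop it. getUserClassSelect starts outside the hunk.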
From: <gem...@li...> - 2012-05-04 08:52:16
Revision: 665 http://gemstracker.svn.sourceforge.net/gemstracker/?rev=665&view=rev Author: mennodekker Date: 2012-05-04 08:52:10 +0000 (Fri, 04 May 2012) Log Message: ----------- Implemented ip-check for organizations, project user can always login Modified Paths: -------------- trunk/library/classes/Gems/User/Organization.php trunk/library/classes/Gems/User/User.php Modified: trunk/library/classes/Gems/User/Organization.php =================================================================== --- trunk/library/classes/Gems/User/Organization.php 2012-05-04 08:29:55 UTC (rev 664) +++ trunk/library/classes/Gems/User/Organization.php 2012-05-04 08:52:10 UTC (rev 665) @@ -153,6 +153,16 @@ } /** + * Get the allowed_ip_ranges attribute. + * + * @return string + */ + public function getAllowedIpRanges() + { + return $this->_get('gor_allowed_ip_ranges'); + } + + /** * Get the organizations this organizations can access. * * @return array Of type orgId => orgName Modified: trunk/library/classes/Gems/User/User.php =================================================================== --- trunk/library/classes/Gems/User/User.php 2012-05-04 08:29:55 UTC (rev 664) +++ trunk/library/classes/Gems/User/User.php 2012-05-04 08:52:10 UTC (rev 665) @@ -413,6 +413,7 @@ /** * Checks if the user is allowed to login using the current IP address + * according to the group he is in * * An adapter authorizes and if the end resultis boolean, string or array * it is converted into a Zend_Auth_Result. 
@@ -432,6 +433,33 @@ } /** + * Checks if the user is allowed to login using the current IP address + * according to his BASE organization + * + * An adapter authorizes and if the end resultis boolean, string or array + * it is converted into a Zend_Auth_Result. + * + * @return mixed Zend_Auth_Adapter_Interface|Zend_Auth_Result|boolean|string|array + */ + protected function authorizeOrgIp() + { + //In unit test REMOTE_ADDR is not available and will return null + $request = Zend_Controller_Front::getInstance()->getRequest(); + $remoteIp = $request->getServer('REMOTE_ADDR'); + + //special case: project user should have no restriction + if ($this->project->getSuperAdminName() == $this->getLoginName()) { + return true; + } + + if ($this->util->isAllowedIP($remoteIp, $this->getBaseOrganization()->getAllowedIpRanges())) { + return true; + } else { + return $this->translate->_('You are not allowed to login from this location.'); + } + } + + /** * True when the current url is one where this user is allowed to login. * * If the url is a fixed organization url and the user is not allowed to @@ -1048,6 +1076,10 @@ */ protected function loadAuthorizers($password) { + // organization ip restriction + $auths['orgip'] = array($this, 'authorizeOrgIp'); + + // group ip restriction $auths['ip'] = array($this, 'authorizeIp'); if ($this->isBlockable()) { This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
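Review bot: The super-user bypass `if ($this->project->getSuperAdminName() == $this->getLoginName())` uses loose comparison; if getSuperAdminName() can return null or an empty string when no super user is configured in project.ini, `==` would match an empty login name and skip the organization IP check entirely. Compare strictly and require a configured name: `$superName = $this->project->getSuperAdminName();` / `if ($superName !== null && $superName !== '' && $superName === $this->getLoginName()) {`. The same loose `==` is in isProjectUser in the rev 560 hunk earlier on this page. The comment on `REMOTE_ADDR` says it can be null; state what that must mean for the check, e.g. `// A missing REMOTE_ADDR must not be treated as allowed — TODO confirm isAllowedIP rejects null`.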