diff options
Diffstat (limited to 'mayor-orig/www/include/base')
| -rw-r--r-- | mayor-orig/www/include/base/log.php | 2 | ||||
| -rw-r--r-- | mayor-orig/www/include/base/login.php | 23 | ||||
| -rw-r--r-- | mayor-orig/www/include/base/rights.php | 69 |
3 files changed, 67 insertions, 27 deletions
diff --git a/mayor-orig/www/include/base/log.php b/mayor-orig/www/include/base/log.php index 0b8f6fd1..14e214a9 100644 --- a/mayor-orig/www/include/base/log.php +++ b/mayor-orig/www/include/base/log.php @@ -5,7 +5,7 @@ function naploz($aCode) function szamlal($policy,$page) */ - + define('CLIENTIPADDRESS',_clientIp()); function _clientIp() { return ($_SERVER['HTTP_X_FORWARDED_FOR']!='')?$_SERVER['HTTP_X_FORWARDED_FOR']:$_SERVER['REMOTE_ADDR']; } diff --git a/mayor-orig/www/include/base/login.php b/mayor-orig/www/include/base/login.php index da3217a9..4624a92a 100644 --- a/mayor-orig/www/include/base/login.php +++ b/mayor-orig/www/include/base/login.php @@ -1,6 +1,6 @@ <?php - if ($action == 'mayorGlobalLogin' || $action == 'facebooklogin' || $action== 'googleapilogin') { + if ($sessionMode===2 || $action == 'mayorGlobalLogin' || $action == 'facebooklogin' || $action== 'googleapilogin') { $toPolicy = readVariable($_REQUEST['toPolicy'], 'enum', 'private', $POLICIES); $policyOrderIndex = readVariable($_POST['policyOrderIndex'], 'id', 0); @@ -46,6 +46,15 @@ $userAccount = $GOOGLEAPIDATA['userAccount']; $googleapiAuth = true; } + } elseif ($sessionMode===2) { + $MAYORAPIDATA = mayorApiAuth(); + if ($MAYORAPIDATA!==false && $MAYORAPIDATA['userAccount']!="") { + $userAccount = $MAYORAPIDATA['userAccount']; + $toPolicy = $MAYORAPIDATA['toPolicy']; + $mayorapiAuth = true; + } else { + unsetTokenCookies(); // + unregister token + } } else { $userPassword = readVariable($_POST['userPassword'], 'string'); // $userAccount = readVariable($_POST['userAccount'], 'regexp', null, array("^([a-z]|[A-Z]|[0-9]| |\.|,|_|[űáéúőóüöíŰÁÉÚŐÓÜÖÍäÄ]|-|@)*$")); @@ -56,7 +65,7 @@ if (is_array($AUTH[$toPolicy]['allowOnly']) && !in_array($userAccount,$AUTH[$toPolicy]['allowOnly'])) $userAccount=''; if ($sessionID != '') $accountInformation['sessionID'] = $sessionID; - if ($userAccount != '' and ($userPassword != '' or $fbAuth===true or $googleapiAuth===true)) { + if ($userAccount != '' and ($userPassword != '' or $fbAuth===true or $googleapiAuth===true or $mayorapiAuth === true)) { for ($i=0; $i<count($__POLICYORDER[$policyOrderIndex]); $i++) { $toPolicy=$__POLICYORDER[$policyOrderIndex][$i]; @@ -84,6 +93,15 @@ $_SESSION['alert'][] = 'info:A google azonosító nincs még összekötve! Először lépj be a MaYoR-ba, és kezdeményezd!'; continue;; } + } elseif ($mayorapiAuth===true) { + if ($MAYORAPIDATA['toPolicy'] == $toPolicy) { + $result = _AUTH_SUCCESS; // az authentikációt a mayorApiAuth() csinálta + $accountInformation['cn'] = $MAYORAPIDATA['userCn']; + // $accountInformation['mail'] = $MAYORAPIDATA['userEmail']; + $accountInformation['studyId'] = $MAYORAPIDATA['studyId']; + } else { + continue;; + } } else { $result = userAuthentication($userAccount, $userPassword, $accountInformation, $toPolicy); // ??? toPolicy benne van az AccountInformation-ben!!! Ldap backend only? } @@ -93,6 +111,7 @@ if ($result === _AUTH_SUCCESS) { $_SESSION['alert'] = array(); $sessionID = newSession($accountInformation, $toPolicy); + if ($mayorapiAuth!==true) generateAuthToken(array('userAccount'=>$userAccount, 'policy'=>$toPolicy, 'userCn'=>$accountInformation['cn'], 'studyId'=>$accountInformation['studyId'])); // --TODO untrusted clients if ($toSkin == '') $toSkin = $skin; header('Location: '.location("index.php?page=$toPage&sub=$toSub&f=$toF&sessionID=$sessionID&policy=$toPolicy&lang=$lang&skin=$toSkin", array('alertOLD'))); break; diff --git a/mayor-orig/www/include/base/rights.php b/mayor-orig/www/include/base/rights.php index 1f3eed0f..dc6b7aa7 100644 --- a/mayor-orig/www/include/base/rights.php +++ b/mayor-orig/www/include/base/rights.php @@ -1,4 +1,9 @@ <?php + +// --TODO-- ez nem ide való! +require_once('include/modules/auth/base/token.php'); + + /* Module: base @@ -43,16 +48,14 @@ function sessionCookieEncode($sessionID,$now,$extra='') { if ($extra=='') $extra = uniqid(rand(), true); $extraHash=sessionHash('ripemd160',$extra); -// pwHash added -// $value = base64_encode(strtotime($now).'g'.$extraHash); $pwHash = sessionHash('ripemd160',uniqid(rand(), true)); $value = base64_encode(strtotime($now).'g'.$extraHash.'g'.$pwHash); - return array('name'=>md5($sessionID), 'value'=>$value, 'store'=> $extraHash, 'pwHash'=>$pwHash); + return array('name'=>($sessionID), 'value'=>$value, 'store'=> $extraHash, 'pwHash'=>$pwHash); } function sessionCookieDecode($sessionID) { - return explode('g',base64_decode($_COOKIE[md5($sessionID)])); + return explode('g',base64_decode($_COOKIE[($sessionID)])); } function pseudoTokenGenerator() { @@ -68,10 +71,8 @@ function pseudoTokenGenerator() { # Azonosított user ellenőrzése a session tábla alapján ###################################################################### - - function validUser($sessionID,$policy,$skin='',$lang='') { - + global $page; if (_RUNLEVEL === 'cron') { define('_USERPASSWORD','MaYoR-cron'); define('_USERACCOUNT','MaYoR-cron'); @@ -82,31 +83,25 @@ function validUser($sessionID,$policy,$skin='',$lang='') { return true; } +// if ($sessionID == '' || $MAYORAPIAUTH['valid']!==true) { if ($sessionID == '') { - - if ($policy == _POLICY) { + $MAYORAPIAUTH = mayorApiAuth(); // van-e hosszulejáratu session-je + if ($policy == _POLICY && $MAYORAPIAUTH['valid']!==true) { define('_USERPASSWORD',''); define('_USERACCOUNT',''); define('_USERCN',''); define('_STUDYID',''); -// define('_SKIN',$skin); define('_LANG',$lang); define('_SESSIONID',''); } return false; - } else { $lr = db_connect('login', array('fv' => 'validUser')); if ($lr === false) die('A keretrendeszer adatbázisa nem érhető el! (validUser)'); // ha nem tudta beállítani a sütit, akkor az $_sc üres lesz így a dt feltétel 1970-01-01, ami nem gond. -// pwHash -// list($_sessionDt,$_sessionCookie) = sessionCookieDecode($sessionID); list($_sessionDt,$_sessionCookie,$_sessionPwHash) = sessionCookieDecode($sessionID); -// pwHash -// $query = "SELECT userAccount, userCn, studyId, decode(userPassword, '"._MYSQL_ENCODE_STR."'), skin, lang, activity, dt -// FROM session WHERE sessionID='%s' AND policy='%s'"; $query = "SELECT userAccount, userCn, studyId, aes_decrypt(userPassword, '%s'), skin, lang, activity, dt FROM session WHERE sessionID='%s' AND policy='%s'"; // [SECURITY-002] quickfix from marton.drotos@sztaki.hu @@ -116,12 +111,30 @@ function validUser($sessionID,$policy,$skin='',$lang='') { $query .= " AND sessionCookie='%s'"; $ret = db_query($query, array('fv' => 'validUser', 'modul' => 'login', 'result' => 'indexed', 'values' => array($_sessionPwHash, $sessionID, $policy, $_sessionCookie)), $lr); - $num = count($ret); + $sessionMode = 1; + + // ha nincs találat, nézzük meg, van-e a kliensnek hosszú lejáratú tokenje, kivéve, ha ... + if ($num !== 1 && $page!='password') { + $MAYORAPIAUTH = mayorApiAuth(); + if ($MAYORAPIAUTH['valid'] === true) { + global $sessionMode; + $sessionMode = 2; + // reauth AS: + $toPolicy = $MAYORAPIAUTH['policy']; + $userAccount = $MAYORAPIAUTH['userAccount']; + $userCn = $MAYORAPIAUTH['userCn']; + $studyId = $MAYORAPIAUTH['studyId']; + $userPassword = ''; + $lang = _DEFAULT_LANG; + } else { + unsetTokenCookies(); + } + } // --token vizsgálat vége + if ($num == 1) { - list($userAccount, $userCn, $studyId, $userPassword, $savedSkin, $lang, $activity, $dt) = array_values($ret[0]); - /* PDA */ + if ($sessionMode == 1) list($userAccount, $userCn, $studyId, $userPassword, $savedSkin, $lang, $activity, $dt) = array_values($ret[0]); global $SKINS; if (_USER_AGENT!=='ppc' && @in_array($savedSkin,$SKINS) ) $skin=$savedSkin; if ($policy == _POLICY) { @@ -133,7 +146,8 @@ function validUser($sessionID,$policy,$skin='',$lang='') { define('_LANG',$lang); define('_SESSIONID',$sessionID); } - // Aktivitás figyelése! + + // Aktivitás figyelése! // hopp, nem biztos, hogy van session! $query = "UPDATE session SET activity = NOW() WHERE sessionID = '%s'"; db_query($query, array('fv' => 'validUser', 'modul' => 'login', 'values' => array($sessionID)), $lr); db_close($lr); @@ -247,7 +261,10 @@ function validUser($sessionID,$policy,$skin='',$lang='') { unset($_POST['action']); unset($action); } - } else { // klasszikus ellenőrzés, fallback // TODO BEGIN DEPRECATED BLOCK + } else { // klasszikus ellenőrzés, fallback + echo 'FATAL ERROR 696'; + die(); + /* // $_JSON['result'] = false; // ITT gátolhatjuk a működést if ($_COOKIE[__SALTNAME]=='') { // a session átállásig - ez semmitől nem véd, adott nevű sütit generálni bárki tud $_SESSION['alert'][] = 'message:not_valid_form:no cookie'.$_SESSION[__SALTNAME]; @@ -264,13 +281,17 @@ function validUser($sessionID,$policy,$skin='',$lang='') { unset($_POST['action']); unset($action); } + */ } // END DEPRECATED BLOCK } // eredeti post kezelés + ETAG prevent cache if (($_SERVER['HTTPS']!=='on') || (isset($_SERVER['HTTP_REFERER']) && $_SERVER['HTTP_REFERER']!='' && substr($_SERVER['HTTP_REFERER'],4,1)!=='s')) $_ssl = false; else $_ssl=true; - if (@setcookie(__SALTNAME,__SALTVALUE,time()+60*60*_SESSION_MAX_IDLE_TIME,'/','',$_ssl, true) == false) { - $_SESSION['alert'][] = 'message:no_cookie:unabletoset'; - } + +//4400 if (@setcookie('xxxDEPRECATEDxxx_'.__SALTNAME,__SALTVALUE,time()+60*60*_SESSION_MAX_IDLE_TIME,'/','',$_ssl, true) == false) { +//4400 $_SESSION['alert'][] = 'message:no_cookie:unabletoset'; +//4400 } + + /* /XSRF2 previous revision: r4138 */ // betöltjük az össes config-ot... (lásd még widgets) |