[ Index ]

PHP Cross Reference of phpBB-3.2.8-deutsch

title

Body

[close]

/phpbb/auth/provider/ -> db.php (source)

   1  <?php
   2  /**
   3  *
   4  * This file is part of the phpBB Forum Software package.
   5  *
   6  * @copyright (c) phpBB Limited <https://www.phpbb.com>
   7  * @license GNU General Public License, version 2 (GPL-2.0)
   8  *
   9  * For full copyright and license information, please see
  10  * the docs/CREDITS.txt file.
  11  *
  12  */
  13  
  14  namespace phpbb\auth\provider;
  15  
  16  /**
  17   * Database authentication provider for phpBB3
  18   * This is for authentication via the integrated user table
  19   */
  20  class db extends \phpbb\auth\provider\base
  21  {
  22      /**
  23      * phpBB passwords manager
  24      *
  25      * @var \phpbb\passwords\manager
  26      */
  27      protected $passwords_manager;
  28  
  29      /**
  30      * DI container
  31      *
  32      * @var \Symfony\Component\DependencyInjection\ContainerInterface
  33      */
  34      protected $phpbb_container;
  35  
  36      /**
  37       * Database Authentication Constructor
  38       *
  39       * @param    \phpbb\db\driver\driver_interface        $db
  40       * @param    \phpbb\config\config         $config
  41       * @param    \phpbb\passwords\manager    $passwords_manager
  42       * @param    \phpbb\request\request        $request
  43       * @param    \phpbb\user            $user
  44       * @param    \Symfony\Component\DependencyInjection\ContainerInterface $phpbb_container DI container
  45       * @param    string                $phpbb_root_path
  46       * @param    string                $php_ext
  47       */
  48  	public function __construct(\phpbb\db\driver\driver_interface $db, \phpbb\config\config $config, \phpbb\passwords\manager $passwords_manager, \phpbb\request\request $request, \phpbb\user $user, \Symfony\Component\DependencyInjection\ContainerInterface $phpbb_container, $phpbb_root_path, $php_ext)
  49      {
  50          $this->db = $db;
  51          $this->config = $config;
  52          $this->passwords_manager = $passwords_manager;
  53          $this->request = $request;
  54          $this->user = $user;
  55          $this->phpbb_root_path = $phpbb_root_path;
  56          $this->php_ext = $php_ext;
  57          $this->phpbb_container = $phpbb_container;
  58      }
  59  
  60      /**
  61       * {@inheritdoc}
  62       */
  63  	public function login($username, $password)
  64      {
  65          // Auth plugins get the password untrimmed.
  66          // For compatibility we trim() here.
  67          $password = trim($password);
  68  
  69          // do not allow empty password
  70          if (!$password)
  71          {
  72              return array(
  73                  'status'    => LOGIN_ERROR_PASSWORD,
  74                  'error_msg'    => 'NO_PASSWORD_SUPPLIED',
  75                  'user_row'    => array('user_id' => ANONYMOUS),
  76              );
  77          }
  78  
  79          if (!$username)
  80          {
  81              return array(
  82                  'status'    => LOGIN_ERROR_USERNAME,
  83                  'error_msg'    => 'LOGIN_ERROR_USERNAME',
  84                  'user_row'    => array('user_id' => ANONYMOUS),
  85              );
  86          }
  87  
  88          $username_clean = utf8_clean_string($username);
  89  
  90          $sql = 'SELECT *
  91              FROM ' . USERS_TABLE . "
  92              WHERE username_clean = '" . $this->db->sql_escape($username_clean) . "'";
  93          $result = $this->db->sql_query($sql);
  94          $row = $this->db->sql_fetchrow($result);
  95          $this->db->sql_freeresult($result);
  96  
  97          if (($this->user->ip && !$this->config['ip_login_limit_use_forwarded']) ||
  98              ($this->user->forwarded_for && $this->config['ip_login_limit_use_forwarded']))
  99          {
 100              $sql = 'SELECT COUNT(*) AS attempts
 101                  FROM ' . LOGIN_ATTEMPT_TABLE . '
 102                  WHERE attempt_time > ' . (time() - (int) $this->config['ip_login_limit_time']);
 103              if ($this->config['ip_login_limit_use_forwarded'])
 104              {
 105                  $sql .= " AND attempt_forwarded_for = '" . $this->db->sql_escape($this->user->forwarded_for) . "'";
 106              }
 107              else
 108              {
 109                  $sql .= " AND attempt_ip = '" . $this->db->sql_escape($this->user->ip) . "' ";
 110              }
 111  
 112              $result = $this->db->sql_query($sql);
 113              $attempts = (int) $this->db->sql_fetchfield('attempts');
 114              $this->db->sql_freeresult($result);
 115  
 116              $attempt_data = array(
 117                  'attempt_ip'            => $this->user->ip,
 118                  'attempt_browser'        => trim(substr($this->user->browser, 0, 149)),
 119                  'attempt_forwarded_for'    => $this->user->forwarded_for,
 120                  'attempt_time'            => time(),
 121                  'user_id'                => ($row) ? (int) $row['user_id'] : 0,
 122                  'username'                => $username,
 123                  'username_clean'        => $username_clean,
 124              );
 125              $sql = 'INSERT INTO ' . LOGIN_ATTEMPT_TABLE . $this->db->sql_build_array('INSERT', $attempt_data);
 126              $this->db->sql_query($sql);
 127          }
 128          else
 129          {
 130              $attempts = 0;
 131          }
 132  
 133          if (!$row)
 134          {
 135              if ($this->config['ip_login_limit_max'] && $attempts >= $this->config['ip_login_limit_max'])
 136              {
 137                  return array(
 138                      'status'        => LOGIN_ERROR_ATTEMPTS,
 139                      'error_msg'        => 'LOGIN_ERROR_ATTEMPTS',
 140                      'user_row'        => array('user_id' => ANONYMOUS),
 141                  );
 142              }
 143  
 144              return array(
 145                  'status'    => LOGIN_ERROR_USERNAME,
 146                  'error_msg'    => 'LOGIN_ERROR_USERNAME',
 147                  'user_row'    => array('user_id' => ANONYMOUS),
 148              );
 149          }
 150  
 151          $show_captcha = ($this->config['max_login_attempts'] && $row['user_login_attempts'] >= $this->config['max_login_attempts']) ||
 152              ($this->config['ip_login_limit_max'] && $attempts >= $this->config['ip_login_limit_max']);
 153  
 154          // If there are too many login attempts, we need to check for a confirm image
 155          // Every auth module is able to define what to do by itself...
 156          if ($show_captcha)
 157          {
 158              /* @var $captcha_factory \phpbb\captcha\factory */
 159              $captcha_factory = $this->phpbb_container->get('captcha.factory');
 160              $captcha = $captcha_factory->get_instance($this->config['captcha_plugin']);
 161              $captcha->init(CONFIRM_LOGIN);
 162              $vc_response = $captcha->validate($row);
 163              if ($vc_response)
 164              {
 165                  return array(
 166                      'status'        => LOGIN_ERROR_ATTEMPTS,
 167                      'error_msg'        => 'LOGIN_ERROR_ATTEMPTS',
 168                      'user_row'        => $row,
 169                  );
 170              }
 171              else
 172              {
 173                  $captcha->reset();
 174              }
 175  
 176          }
 177  
 178          // Check password ...
 179          if ($this->passwords_manager->check($password, $row['user_password'], $row))
 180          {
 181              // Check for old password hash...
 182              if ($this->passwords_manager->convert_flag || strlen($row['user_password']) == 32)
 183              {
 184                  $hash = $this->passwords_manager->hash($password);
 185  
 186                  // Update the password in the users table to the new format
 187                  $sql = 'UPDATE ' . USERS_TABLE . "
 188                      SET user_password = '" . $this->db->sql_escape($hash) . "'
 189                      WHERE user_id = {$row['user_id']}";
 190                  $this->db->sql_query($sql);
 191  
 192                  $row['user_password'] = $hash;
 193              }
 194  
 195              $sql = 'DELETE FROM ' . LOGIN_ATTEMPT_TABLE . '
 196                  WHERE user_id = ' . $row['user_id'];
 197              $this->db->sql_query($sql);
 198  
 199              if ($row['user_login_attempts'] != 0)
 200              {
 201                  // Successful, reset login attempts (the user passed all stages)
 202                  $sql = 'UPDATE ' . USERS_TABLE . '
 203                      SET user_login_attempts = 0
 204                      WHERE user_id = ' . $row['user_id'];
 205                  $this->db->sql_query($sql);
 206              }
 207  
 208              // User inactive...
 209              if ($row['user_type'] == USER_INACTIVE || $row['user_type'] == USER_IGNORE)
 210              {
 211                  return array(
 212                      'status'        => LOGIN_ERROR_ACTIVE,
 213                      'error_msg'        => 'ACTIVE_ERROR',
 214                      'user_row'        => $row,
 215                  );
 216              }
 217  
 218              // Successful login... set user_login_attempts to zero...
 219              return array(
 220                  'status'        => LOGIN_SUCCESS,
 221                  'error_msg'        => false,
 222                  'user_row'        => $row,
 223              );
 224          }
 225  
 226          // Password incorrect - increase login attempts
 227          $sql = 'UPDATE ' . USERS_TABLE . '
 228              SET user_login_attempts = user_login_attempts + 1
 229              WHERE user_id = ' . (int) $row['user_id'] . '
 230                  AND user_login_attempts < ' . LOGIN_ATTEMPTS_MAX;
 231          $this->db->sql_query($sql);
 232  
 233          // Give status about wrong password...
 234          return array(
 235              'status'        => ($show_captcha) ? LOGIN_ERROR_ATTEMPTS : LOGIN_ERROR_PASSWORD,
 236              'error_msg'        => 'LOGIN_ERROR_PASSWORD',
 237              'user_row'        => $row,
 238          );
 239      }
 240  }


Generated: Sat Oct 26 11:28:42 2019 Cross-referenced by PHPXref 0.7.1