
   1  <?php
   2  /**
   3  *
   4  * This file is part of the phpBB Forum Software package.
   5  *
   6  * @copyright (c) phpBB Limited <https://www.phpbb.com>
   7  * @license GNU General Public License, version 2 (GPL-2.0)
   8  *
   9  * For full copyright and license information, please see
  10  * the docs/CREDITS.txt file.
  11  *
  12  */
  13  
  14  namespace phpbb\auth\provider;
  15  
  16  use phpbb\captcha\factory;
  17  use phpbb\config\config;
  18  use phpbb\db\driver\driver_interface;
  19  use phpbb\passwords\manager;
  20  use phpbb\request\request_interface;
  21  use phpbb\user;
  22  
  23  /**
  24   * Database authentication provider for phpBB3
  25   * This is for authentication via the integrated user table
  26   */
  27  class db extends base
  28  {
  29      /** @var factory CAPTCHA factory */
  30      protected $captcha_factory;
  31  
  32      /** @var config phpBB config */
  33      protected $config;
  34  
  35      /** @var driver_interface DBAL driver instance */
  36      protected $db;
  37  
  38      /** @var request_interface Request object */
  39      protected $request;
  40  
  41      /** @var user User object */
  42      protected $user;
  43  
  44      /** @var string phpBB root path */
  45      protected $phpbb_root_path;
  46  
  47      /** @var string PHP file extension */
  48      protected $php_ext;
  49  
  50      /**
  51      * phpBB passwords manager
  52      *
  53      * @var manager
  54      */
  55      protected $passwords_manager;
  56  
  57      /**
  58       * Database Authentication Constructor
  59       *
  60       * @param factory $captcha_factory
  61       * @param    config         $config
  62       * @param    driver_interface        $db
  63       * @param    manager    $passwords_manager
  64       * @param    request_interface        $request
  65       * @param    user            $user
  66       * @param    string                $phpbb_root_path
  67       * @param    string                $php_ext
  68       */
  69  	public function __construct(factory $captcha_factory, config $config, driver_interface $db, manager $passwords_manager, request_interface $request, user $user, $phpbb_root_path, $php_ext)
  70      {
  71          $this->captcha_factory = $captcha_factory;
  72          $this->config = $config;
  73          $this->db = $db;
  74          $this->passwords_manager = $passwords_manager;
  75          $this->request = $request;
  76          $this->user = $user;
  77          $this->phpbb_root_path = $phpbb_root_path;
  78          $this->php_ext = $php_ext;
  79      }
  80  
  81      /**
  82       * {@inheritdoc}
  83       */
  84  	public function login($username, $password)
  85      {
  86          // Auth plugins get the password untrimmed.
  87          // For compatibility we trim() here.
  88          $password = trim($password);
  89  
  90          // do not allow empty password
  91          if (!$password)
  92          {
  93              return array(
  94                  'status'    => LOGIN_ERROR_PASSWORD,
  95                  'error_msg'    => 'NO_PASSWORD_SUPPLIED',
  96                  'user_row'    => array('user_id' => ANONYMOUS),
  97              );
  98          }
  99  
 100          if (!$username)
 101          {
 102              return array(
 103                  'status'    => LOGIN_ERROR_USERNAME,
 104                  'error_msg'    => 'LOGIN_ERROR_USERNAME',
 105                  'user_row'    => array('user_id' => ANONYMOUS),
 106              );
 107          }
 108  
 109          $username_clean = utf8_clean_string($username);
 110  
 111          $sql = 'SELECT *
 112              FROM ' . USERS_TABLE . "
 113              WHERE username_clean = '" . $this->db->sql_escape($username_clean) . "'";
 114          $result = $this->db->sql_query($sql);
 115          $row = $this->db->sql_fetchrow($result);
 116          $this->db->sql_freeresult($result);
 117  
 118          if (($this->user->ip && !$this->config['ip_login_limit_use_forwarded']) ||
 119              ($this->user->forwarded_for && $this->config['ip_login_limit_use_forwarded']))
 120          {
 121              $sql = 'SELECT COUNT(*) AS attempts
 122                  FROM ' . LOGIN_ATTEMPT_TABLE . '
 123                  WHERE attempt_time > ' . (time() - (int) $this->config['ip_login_limit_time']);
 124              if ($this->config['ip_login_limit_use_forwarded'])
 125              {
 126                  $sql .= " AND attempt_forwarded_for = '" . $this->db->sql_escape($this->user->forwarded_for) . "'";
 127              }
 128              else
 129              {
 130                  $sql .= " AND attempt_ip = '" . $this->db->sql_escape($this->user->ip) . "' ";
 131              }
 132  
 133              $result = $this->db->sql_query($sql);
 134              $attempts = (int) $this->db->sql_fetchfield('attempts');
 135              $this->db->sql_freeresult($result);
 136  
 137              $attempt_data = array(
 138                  'attempt_ip'            => $this->user->ip,
 139                  'attempt_browser'        => trim(substr($this->user->browser, 0, 149)),
 140                  'attempt_forwarded_for'    => $this->user->forwarded_for,
 141                  'attempt_time'            => time(),
 142                  'user_id'                => ($row) ? (int) $row['user_id'] : 0,
 143                  'username'                => $username,
 144                  'username_clean'        => $username_clean,
 145              );
 146              $sql = 'INSERT INTO ' . LOGIN_ATTEMPT_TABLE . $this->db->sql_build_array('INSERT', $attempt_data);
 147              $this->db->sql_query($sql);
 148          }
 149          else
 150          {
 151              $attempts = 0;
 152          }
 153  
 154          if (!$row)
 155          {
 156              if ($this->config['ip_login_limit_max'] && $attempts >= $this->config['ip_login_limit_max'])
 157              {
 158                  return array(
 159                      'status'        => LOGIN_ERROR_ATTEMPTS,
 160                      'error_msg'        => 'LOGIN_ERROR_ATTEMPTS',
 161                      'user_row'        => array('user_id' => ANONYMOUS),
 162                  );
 163              }
 164  
 165              return array(
 166                  'status'    => LOGIN_ERROR_USERNAME,
 167                  'error_msg'    => 'LOGIN_ERROR_USERNAME',
 168                  'user_row'    => array('user_id' => ANONYMOUS),
 169              );
 170          }
 171  
 172          $show_captcha = ($this->config['max_login_attempts'] && $row['user_login_attempts'] >= $this->config['max_login_attempts']) ||
 173              ($this->config['ip_login_limit_max'] && $attempts >= $this->config['ip_login_limit_max']);
 174  
 175          // If there are too many login attempts, we need to check for a confirm image
 176          // Every auth module is able to define what to do by itself...
 177          if ($show_captcha)
 178          {
 179              $captcha = $this->captcha_factory->get_instance($this->config['captcha_plugin']);
 180              $captcha->init(CONFIRM_LOGIN);
 181              $vc_response = $captcha->validate($row);
 182              if ($vc_response)
 183              {
 184                  return array(
 185                      'status'        => LOGIN_ERROR_ATTEMPTS,
 186                      'error_msg'        => 'LOGIN_ERROR_ATTEMPTS',
 187                      'user_row'        => $row,
 188                  );
 189              }
 190              else
 191              {
 192                  $captcha->reset();
 193              }
 194  
 195          }
 196  
 197          // Check password ...
 198          if ($this->passwords_manager->check($password, $row['user_password'], $row))
 199          {
 200              // Check for old password hash...
 201              if ($this->passwords_manager->convert_flag || strlen($row['user_password']) == 32)
 202              {
 203                  $hash = $this->passwords_manager->hash($password);
 204  
 205                  // Update the password in the users table to the new format
 206                  $sql = 'UPDATE ' . USERS_TABLE . "
 207                      SET user_password = '" . $this->db->sql_escape($hash) . "'
 208                      WHERE user_id = {$row['user_id']}";
 209                  $this->db->sql_query($sql);
 210  
 211                  $row['user_password'] = $hash;
 212              }
 213  
 214              $sql = 'DELETE FROM ' . LOGIN_ATTEMPT_TABLE . '
 215                  WHERE user_id = ' . $row['user_id'];
 216              $this->db->sql_query($sql);
 217  
 218              if ($row['user_login_attempts'] != 0)
 219              {
 220                  // Successful, reset login attempts (the user passed all stages)
 221                  $sql = 'UPDATE ' . USERS_TABLE . '
 222                      SET user_login_attempts = 0
 223                      WHERE user_id = ' . $row['user_id'];
 224                  $this->db->sql_query($sql);
 225              }
 226  
 227              // User inactive...
 228              if ($row['user_type'] == USER_INACTIVE || $row['user_type'] == USER_IGNORE)
 229              {
 230                  return array(
 231                      'status'        => LOGIN_ERROR_ACTIVE,
 232                      'error_msg'        => 'ACTIVE_ERROR',
 233                      'user_row'        => $row,
 234                  );
 235              }
 236  
 237              // Successful login... set user_login_attempts to zero...
 238              return array(
 239                  'status'        => LOGIN_SUCCESS,
 240                  'error_msg'        => false,
 241                  'user_row'        => $row,
 242              );
 243          }
 244  
 245          // Password incorrect - increase login attempts
 246          $sql = 'UPDATE ' . USERS_TABLE . '
 247              SET user_login_attempts = user_login_attempts + 1
 248              WHERE user_id = ' . (int) $row['user_id'] . '
 249                  AND user_login_attempts < ' . LOGIN_ATTEMPTS_MAX;
 250          $this->db->sql_query($sql);
 251  
 252          // Give status about wrong password...
 253          return array(
 254              'status'        => ($show_captcha) ? LOGIN_ERROR_ATTEMPTS : LOGIN_ERROR_PASSWORD,
 255              'error_msg'        => 'LOGIN_ERROR_PASSWORD',
 256              'user_row'        => $row,
 257          );
 258      }
 259  }

