dbxe
/
fusionpbx
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Get rid of $auth_failed, if username session is set consider the the user authenticated.

This commit is contained in:
Mark Crane 2015-03-17 14:44:09 +00:00
parent 20c68aa7ba
commit c07b8c73ac
1 changed files with 58 additions and 63 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

121
resources/check_auth.php
View File

@ -17,7 +17,7 @@
The Initial Developer of the Original Code is The Initial Developer of the Original Code is
Mark J Crane <markjcrane@fusionpbx.com> Mark J Crane <markjcrane@fusionpbx.com>
Portions created by the Initial Developer are Copyright (C) 2008-2014 Portions created by the Initial Developer are Copyright (C) 2008-2015
the Initial Developer. All Rights Reserved. the Initial Developer. All Rights Reserved.
Contributor(s): Contributor(s):
@ -34,7 +34,8 @@ require_once "resources/require.php";
session_start(); session_start();
//if the username session is not set the check username and password //if the username session is not set the check username and password
if (strlen($_SESSION["username"]) == 0) { if (strlen($_SESSION['username']) == 0) {
//clear the menu //clear the menu
$_SESSION["menu"] = ""; $_SESSION["menu"] = "";
@ -109,15 +110,11 @@ require_once "resources/require.php";
$bd = ldap_bind($ad,$username."@".$domain_name,check_str($_REQUEST["password"])); $bd = ldap_bind($ad,$username."@".$domain_name,check_str($_REQUEST["password"]));
if ($bd) { if ($bd) {
//echo "success\n"; //echo "success\n";
$auth_failed = false; $_SESSION['username'] = $username;
}
else {
//echo "failed\n";
$auth_failed = true;
} }
//check to see if the user exists //check to see if the user exists
if (!$auth_failed) { if (strlen($_SESSION['username']) > 0) {
$sql = "select * from v_users "; $sql = "select * from v_users ";
$sql .= "where username=:username "; $sql .= "where username=:username ";
if (count($_SESSION["domains"]) > 1) { if (count($_SESSION["domains"]) > 1) {
@ -188,13 +185,14 @@ require_once "resources/require.php";
} }
} }
} }
//database authentication //database authentication
else { if (strlen($_SESSION['username']) == 0) {
//check the username and password if they don't match then redirect to the login //check the username and password if they don't match then redirect to the login
$sql = "select * from v_users "; $sql = "select * from v_users ";
if (strlen($_REQUEST["key"]) > 30) { if (strlen($key) > 30) {
$sql .= "where api_key=:key "; //$sql .= "where api_key=:key ";
//$sql .= "and api_key='".$key."' "; $sql .= "where api_key='".$key."' ";
} }
else { else {
$sql .= "where username=:username "; $sql .= "where username=:username ";
@ -213,7 +211,7 @@ require_once "resources/require.php";
if ($_SESSION["user"]["unique"]["text"] != "global") { if ($_SESSION["user"]["unique"]["text"] != "global") {
$prep_statement->bindParam(':domain_uuid', $domain_uuid); $prep_statement->bindParam(':domain_uuid', $domain_uuid);
} }
if (strlen($_REQUEST["key"]) > 30) { if (strlen($key) > 30) {
$prep_statement->bindParam(':key', $key); $prep_statement->bindParam(':key', $key);
} }
else { else {
@ -221,41 +219,37 @@ require_once "resources/require.php";
} }
$prep_statement->execute(); $prep_statement->execute();
$result = $prep_statement->fetchAll(PDO::FETCH_NAMED); $result = $prep_statement->fetchAll(PDO::FETCH_NAMED);
if (count($result) == 0) { if (count($result) > 0) {
$auth_failed = true; foreach ($result as &$row) {
} //get the domain uuid
else { $domain_uuid = $row["domain_uuid"];
if (isset($_REQUEST["key"])) { //set the domain session variables
$auth_failed = false; $_SESSION["domain_uuid"] = $domain_uuid;
} $_SESSION["domain_name"] = $_SESSION['domains'][$domain_uuid]['domain_name'];
else { //set the setting arrays
foreach ($result as &$row) { $domain = new domains();
//get the domain uuid $domain->db = $db;
$domain_uuid = $row["domain_uuid"]; $domain->set();
//set the domain session variables //get the salt from the database
$_SESSION["domain_uuid"] = $domain_uuid; $salt = $row["salt"];
$_SESSION["domain_name"] = $_SESSION['domains'][$domain_uuid]['domain_name']; //if salt is not defined then use the default salt for backwards compatibility
//set the setting arrays if (strlen($salt) == 0) {
$domain = new domains(); $salt = 'e3.7d.12';
$domain->db = $db; }
$domain->set(); //compare the password provided by the user with the one in the database
//get the salt from the database if (md5($salt.check_str($_REQUEST["password"])) == $row["password"]) {
$salt = $row["salt"]; $_SESSION['username'] = $row["username"];
//if salt is not defined then use the default salt for backwards compatibility } elseif (strlen($_REQUEST["key"]) > 30 && $_REQUEST["key"] == $row["api_key"]) {
if (strlen($salt) == 0) { $_SESSION['username'] = $row["username"];
$salt = 'e3.7d.12'; } else {
} unset($result);
//compare the password provided by the user with the one in the database }
if (md5($salt.check_str($_REQUEST["password"])) != $row["password"]) { //end the loop
$auth_failed = true; break;
}
//end the loop
break;
}
} }
} }
} }
if ($auth_failed) { if (strlen($_SESSION['username']) == 0) {
//log the failed auth attempt to the system, to be available for fail2ban. //log the failed auth attempt to the system, to be available for fail2ban.
openlog('FusionPBX', LOG_NDELAY, LOG_AUTH); openlog('FusionPBX', LOG_NDELAY, LOG_AUTH);
syslog(LOG_WARNING, '['.$_SERVER['REMOTE_ADDR']."] authentication failed for ".check_str($_REQUEST["username"])); syslog(LOG_WARNING, '['.$_SERVER['REMOTE_ADDR']."] authentication failed for ".check_str($_REQUEST["username"]));
@ -266,24 +260,25 @@ require_once "resources/require.php";
header("Location: ".PROJECT_PATH."/login.php?path=".urlencode($target_path)); header("Location: ".PROJECT_PATH."/login.php?path=".urlencode($target_path));
exit; exit;
} }
foreach ($result as &$row) { else {
//allow the user to choose a template only if the template has not been assigned by the superadmin foreach ($result as &$row) {
if (strlen($_SESSION['domain']['template']['name']) == 0) { //allow the user to choose a template only if the template has not been assigned by the superadmin
$_SESSION['domain']['template']['name'] = $row["user_template_name"]; if (strlen($_SESSION['domain']['template']['name']) == 0) {
} $_SESSION['domain']['template']['name'] = $row["user_template_name"];
//user defined time zone }
$_SESSION["time_zone"]["user"] = ''; //user defined time zone
if (strlen($row["user_time_zone"]) > 0) { $_SESSION["time_zone"]["user"] = '';
//user defined time zone if (strlen($row["user_time_zone"]) > 0) {
$_SESSION["time_zone"]["user"] = $row["user_time_zone"]; //user defined time zone
} $_SESSION["time_zone"]["user"] = $row["user_time_zone"];
// add session variables }
$_SESSION["user_uuid"] = $row["user_uuid"]; // add session variables
$_SESSION["username"] = $row["username"]; $_SESSION["user_uuid"] = $row["user_uuid"];
// user session array // user session array
$_SESSION["user"]["username"] = $row["username"]; $_SESSION["user"]["username"] = $row["username"];
$_SESSION["user"]["user_uuid"] = $row["user_uuid"]; $_SESSION["user"]["user_uuid"] = $row["user_uuid"];
$_SESSION["user"]["contact_uuid"] = $row["contact_uuid"]; $_SESSION["user"]["contact_uuid"] = $row["contact_uuid"];
}
} }
//get the groups assigned to the user and then set the groups in $_SESSION["groups"] //get the groups assigned to the user and then set the groups in $_SESSION["groups"]