authorGravatar Clément <clement@selfhost.fr> 2017-02-15 14:12:25 +0100
committerGravatar Clément <clement@selfhost.fr> 2017-02-15 14:12:25 +0100
commit2d097bc855dbd1ad06c7c306c05e78a198209084 (patch)
tree67028e45792c575c25c92616633f64cc7a4a13eb /app/Controllers/authController.php
parentfe293900061263a1917fc1cf18ca369c8e07cb99 (diff)
parent5f637bd816b7323885bfe1751a1724ee59a822f6 (diff)
Merge remote-tracking branch 'FreshRSS/master' into dev
Diffstat (limited to 'app/Controllers/authController.php')
-rw-r--r--app/Controllers/authController.php228
1 files changed, 46 insertions, 182 deletions
diff --git a/app/Controllers/authController.php b/app/Controllers/authController.php
index 4af39cb71..1398e4e49 100644
--- a/app/Controllers/authController.php
+++ b/app/Controllers/authController.php
@@ -19,17 +19,18 @@ class FreshRSS_auth_Controller extends Minz_ActionController {
*/
public function indexAction() {
if (!FreshRSS_Auth::hasAccess('admin')) {
- Minz_Error::error(403,
- array('error' => array(_t('access_denied'))));
+ Minz_Error::error(403);
}
+ Minz_View::prependTitle(_t('admin.auth.title') . ' · ');
+
if (Minz_Request::isPost()) {
$ok = true;
- $current_token = FreshRSS_Context::$conf->token;
+ $current_token = FreshRSS_Context::$user_conf->token;
$token = Minz_Request::param('token', $current_token);
- FreshRSS_Context::$conf->_token($token);
- $ok &= FreshRSS_Context::$conf->save();
+ FreshRSS_Context::$user_conf->token = $token;
+ $ok &= FreshRSS_Context::$user_conf->save();
$anon = Minz_Request::param('anon_access', false);
$anon = ((bool)$anon) && ($anon !== 'no');
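Review bot: The admin check at the top of indexAction falls through after `Minz_Error::error(403);` with no `return`, so unless Minz_Error::error terminates the request itself the POST branch below still runs for a non-admin caller and writes the token and authentication settings. Elsewhere in this same commit the call is followed by an explicit `return;` (the `is_null($conf)` guard in the form-login hunk), which suggests the helper does not exit on its own; making the guard `Minz_Error::error(403); return;` would keep the authorization check reliable either way. registerAction at the end of the diff has the same pattern after `max_registrations_reached()`. indexAction's body continues past this hunk.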
@@ -38,27 +39,29 @@ class FreshRSS_auth_Controller extends Minz_ActionController {
$auth_type = Minz_Request::param('auth_type', 'none');
$unsafe_autologin = Minz_Request::param('unsafe_autologin', false);
$api_enabled = Minz_Request::param('api_enabled', false);
- if ($anon != Minz_Configuration::allowAnonymous() ||
- $auth_type != Minz_Configuration::authType() ||
- $anon_refresh != Minz_Configuration::allowAnonymousRefresh() ||
- $unsafe_autologin != Minz_Configuration::unsafeAutologinEnabled() ||
- $api_enabled != Minz_Configuration::apiEnabled()) {
-
- Minz_Configuration::_authType($auth_type);
- Minz_Configuration::_allowAnonymous($anon);
- Minz_Configuration::_allowAnonymousRefresh($anon_refresh);
- Minz_Configuration::_enableAutologin($unsafe_autologin);
- Minz_Configuration::_enableApi($api_enabled);
- $ok &= Minz_Configuration::writeFile();
+ if ($anon != FreshRSS_Context::$system_conf->allow_anonymous ||
+ $auth_type != FreshRSS_Context::$system_conf->auth_type ||
+ $anon_refresh != FreshRSS_Context::$system_conf->allow_anonymous_refresh ||
+ $unsafe_autologin != FreshRSS_Context::$system_conf->unsafe_autologin_enabled ||
+ $api_enabled != FreshRSS_Context::$system_conf->api_enabled) {
+
+ // TODO: test values from form
+ FreshRSS_Context::$system_conf->auth_type = $auth_type;
+ FreshRSS_Context::$system_conf->allow_anonymous = $anon;
+ FreshRSS_Context::$system_conf->allow_anonymous_refresh = $anon_refresh;
+ FreshRSS_Context::$system_conf->unsafe_autologin_enabled = $unsafe_autologin;
+ FreshRSS_Context::$system_conf->api_enabled = $api_enabled;
+
+ $ok &= FreshRSS_Context::$system_conf->save();
}
invalidateHttpCache();
if ($ok) {
- Minz_Request::good('configuration_updated',
+ Minz_Request::good(_t('feedback.conf.updated'),
array('c' => 'auth', 'a' => 'index'));
} else {
- Minz_Request::bad('error_occurred',
+ Minz_Request::bad(_t('feedback.conf.error'),
array('c' => 'auth', 'a' => 'index'));
}
}
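Review bot: The values assigned into `FreshRSS_Context::$system_conf` on the new lines are taken straight from the request, and the `// TODO: test values from form` left above them says as much: `$auth_type` is persisted without being checked against the values loginAction's switch handles (`form`, `http_auth`, `none`), and `$unsafe_autologin` and `$api_enabled` are stored as whatever string the form sent, while `$anon` a few lines up is normalised with `((bool)$anon) && ($anon !== 'no')`. Applying the same normalisation, e.g. `$unsafe_autologin = ((bool)$unsafe_autologin) && ($unsafe_autologin !== 'no');` and likewise for `$api_enabled`, and rejecting an `$auth_type` outside that set before `$system_conf->save()` (setting `$ok = false` and skipping the assignments) would resolve the TODO rather than carry it. Since the comparisons use loose `!=`, a string value that differs from the stored boolean only in type also triggers an unnecessary save. The enclosing indexAction starts before this hunk.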
@@ -67,7 +70,7 @@ class FreshRSS_auth_Controller extends Minz_ActionController {
/**
* This action handles the login page.
*
- * It forwards to the correct login page (form or Persona) or main page if
+ * It forwards to the correct login page (form) or main page if
* the user is already connected.
*/
public function loginAction() {
@@ -75,14 +78,11 @@ class FreshRSS_auth_Controller extends Minz_ActionController {
Minz_Request::forward(array('c' => 'index', 'a' => 'index'), true);
}
- $auth_type = Minz_Configuration::authType();
+ $auth_type = FreshRSS_Context::$system_conf->auth_type;
switch ($auth_type) {
case 'form':
Minz_Request::forward(array('c' => 'auth', 'a' => 'formLogin'));
break;
- case 'persona':
- Minz_Request::forward(array('c' => 'auth', 'a' => 'personaLogin'));
- break;
case 'http_auth':
case 'none':
// It should not happened!
@@ -113,17 +113,19 @@ class FreshRSS_auth_Controller extends Minz_ActionController {
$file_mtime = @filemtime(PUBLIC_PATH . '/scripts/bcrypt.min.js');
Minz_View::appendScript(Minz_Url::display('/scripts/bcrypt.min.js?' . $file_mtime));
+ $conf = Minz_Configuration::get('system');
+ $limits = $conf->limits;
+ $this->view->cookie_days = round($limits['cookie_duration'] / 86400, 1);
+
if (Minz_Request::isPost()) {
$nonce = Minz_Session::param('nonce');
$username = Minz_Request::param('username', '');
$challenge = Minz_Request::param('challenge', '');
- try {
- $conf = new FreshRSS_Configuration($username);
- } catch(Minz_Exception $e) {
- // $username is not a valid user, nor the configuration file!
- Minz_Log::warning('Login failure: ' . $e->getMessage());
- Minz_Request::bad(_t('invalid_login'),
- array('c' => 'auth', 'a' => 'login'));
+
+ $conf = get_user_configuration($username);
+ if (is_null($conf)) {
+ Minz_Error::error(403, array(_t('feedback.auth.login.invalid')), false);
+ return;
}
$ok = FreshRSS_FormAuth::checkCredentials(
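Review bot: `$conf` is first the system configuration from `Minz_Configuration::get('system')` and is then overwritten by the user configuration returned by `get_user_configuration($username)` inside the POST branch, so one name means two different things a few lines apart; naming the first `$system_conf = Minz_Configuration::get('system');` and reading `$limits = $system_conf->limits;` keeps the later `is_null($conf)` guard unambiguous. The new guard also drops the `Minz_Log::warning('Login failure: ...')` that the removed catch block emitted, so an attempt against an unknown username is no longer recorded while a wrong password still is (the `Password mismatch` warning further down); a line such as `Minz_Log::warning('Login failure: unknown user=' . $username);` before the 403 keeps failed attempts visible to whoever watches the log. The unsafe-autologin hunk below (`if (is_null($conf)) { return; }`) has the same logging gap. The enclosing login action starts before and ends after this hunk.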
@@ -143,17 +145,16 @@ class FreshRSS_auth_Controller extends Minz_ActionController {
}
// All is good, go back to the index.
- Minz_Request::good(_t('login'),
+ Minz_Request::good(_t('feedback.auth.login.success'),
array('c' => 'index', 'a' => 'index'));
} else {
Minz_Log::warning('Password mismatch for' .
' user=' . $username .
', nonce=' . $nonce .
', c=' . $challenge);
- Minz_Request::bad(_t('invalid_login'),
- array('c' => 'auth', 'a' => 'login'));
+ Minz_Error::error(403, array(_t('feedback.auth.login.invalid')), false);
}
- } elseif (Minz_Configuration::unsafeAutologinEnabled()) {
+ } elseif (FreshRSS_Context::$system_conf->unsafe_autologin_enabled) {
$username = Minz_Request::param('u', '');
$password = Minz_Request::param('p', '');
Minz_Request::_param('p');
@@ -162,11 +163,8 @@ class FreshRSS_auth_Controller extends Minz_ActionController {
return;
}
- try {
- $conf = new FreshRSS_Configuration($username);
- } catch(Minz_Exception $e) {
- // $username is not a valid user, nor the configuration file!
- Minz_Log::warning('Login failure: ' . $e->getMessage());
+ $conf = get_user_configuration($username);
+ if (is_null($conf)) {
return;
}
@@ -182,89 +180,12 @@ class FreshRSS_auth_Controller extends Minz_ActionController {
Minz_Session::_param('passwordHash', $s);
FreshRSS_Auth::giveAccess();
- Minz_Request::good(_t('login'),
+ Minz_Request::good(_t('feedback.auth.login.success'),
array('c' => 'index', 'a' => 'index'));
} else {
Minz_Log::warning('Unsafe password mismatch for user ' . $username);
- Minz_Request::bad(_t('invalid_login'),
- array('c' => 'auth', 'a' => 'login'));
- }
- }
- }
-
- /**
- * This action handles Persona login page.
- *
- * If this action is reached through a POST request, assertion from Persona
- * is verificated and user connected if all is ok.
- *
- * Parameter is:
- * - assertion (default: false)
- *
- * @todo: Persona system should be moved to a plugin
- */
- public function personaLoginAction() {
- $this->view->res = false;
-
- if (Minz_Request::isPost()) {
- $this->view->_useLayout(false);
-
- $assert = Minz_Request::param('assertion');
- $url = 'https://verifier.login.persona.org/verify';
- $params = 'assertion=' . $assert . '&audience=' .
- urlencode(Minz_Url::display(null, 'php', true));
- $ch = curl_init();
- $options = array(
- CURLOPT_URL => $url,
- CURLOPT_RETURNTRANSFER => TRUE,
- CURLOPT_POST => 2,
- CURLOPT_POSTFIELDS => $params
- );
- curl_setopt_array($ch, $options);
- $result = curl_exec($ch);
- curl_close($ch);
-
- $res = json_decode($result, true);
-
- $login_ok = false;
- $reason = '';
- if ($res['status'] === 'okay') {
- $email = filter_var($res['email'], FILTER_VALIDATE_EMAIL);
- if ($email != '') {
- $persona_file = DATA_PATH . '/persona/' . $email . '.txt';
- if (($current_user = @file_get_contents($persona_file)) !== false) {
- $current_user = trim($current_user);
- try {
- $conf = new FreshRSS_Configuration($current_user);
- $login_ok = strcasecmp($email, $conf->mail_login) === 0;
- } catch (Minz_Exception $e) {
- //Permission denied or conf file does not exist
- $reason = 'Invalid configuration for user ' .
- '[' . $current_user . '] ' . $e->getMessage();
- }
- }
- } else {
- $reason = 'Invalid email format [' . $res['email'] . ']';
- }
- } else {
- $reason = $res['reason'];
+ Minz_Error::error(403, array(_t('feedback.auth.login.invalid')), false);
}
-
- if ($login_ok) {
- Minz_Session::_param('currentUser', $current_user);
- Minz_Session::_param('mail', $email);
- FreshRSS_Auth::giveAccess();
- invalidateHttpCache();
- } else {
- Minz_Log::error($reason);
-
- $res = array();
- $res['status'] = 'failure';
- $res['reason'] = _t('invalid_login');
- }
-
- header('Content-Type: application/json; charset=UTF-8');
- $this->view->res = $res;
}
}
@@ -274,75 +195,18 @@ class FreshRSS_auth_Controller extends Minz_ActionController {
public function logoutAction() {
invalidateHttpCache();
FreshRSS_Auth::removeAccess();
- Minz_Request::good(_t('disconnected'),
+ Minz_Request::good(_t('feedback.auth.logout.success'),
array('c' => 'index', 'a' => 'index'));
}
/**
- * This action resets the authentication system.
- *
- * After reseting, form auth is set by default.
+ * This action gives possibility to a user to create an account.
*/
- public function resetAction() {
- Minz_View::prependTitle(_t('auth_reset') . ' · ');
-
- Minz_View::appendScript(Minz_Url::display(
- '/scripts/bcrypt.min.js?' . @filemtime(PUBLIC_PATH . '/scripts/bcrypt.min.js')
- ));
-
- $this->view->no_form = false;
- // Enable changement of auth only if Persona!
- if (Minz_Configuration::authType() != 'persona') {
- $this->view->message = array(
- 'status' => 'bad',
- 'title' => _t('damn'),
- 'body' => _t('auth_not_persona')
- );
- $this->view->no_form = true;
- return;
+ public function registerAction() {
+ if (max_registrations_reached()) {
+ Minz_Error::error(403);
}
- $conf = new FreshRSS_Configuration(Minz_Configuration::defaultUser());
- // Admin user must have set its master password.
- if (!$conf->passwordHash) {
- $this->view->message = array(
- 'status' => 'bad',
- 'title' => _t('damn'),
- 'body' => _t('auth_no_password_set')
- );
- $this->view->no_form = true;
- return;
- }
-
- invalidateHttpCache();
-
- if (Minz_Request::isPost()) {
- $nonce = Minz_Session::param('nonce');
- $username = Minz_Request::param('username', '');
- $challenge = Minz_Request::param('challenge', '');
-
- $ok = FreshRSS_FormAuth::checkCredentials(
- $username, $conf->passwordHash, $nonce, $challenge
- );
-
- if ($ok) {
- Minz_Configuration::_authType('form');
- $ok = Minz_Configuration::writeFile();
-
- if ($ok) {
- Minz_Request::good(_t('auth_form_set'));
- } else {
- Minz_Request::bad(_t('auth_form_not_set'),
- array('c' => 'auth', 'a' => 'reset'));
- }
- } else {
- Minz_Log::warning('Password mismatch for' .
- ' user=' . $username .
- ', nonce=' . $nonce .
- ', c=' . $challenge);
- Minz_Request::bad(_t('invalid_login'),
- array('c' => 'auth', 'a' => 'reset'));
- }
- }
+ Minz_View::prependTitle(_t('gen.auth.registration.title') . ' · ');
}
}