/core/model/modx/processors/security/login.php

https://github.com/gregorysmart/MODx · PHP · 178 lines · 156 code · 13 blank · 9 comment · 54 complexity · 1f82224e6c9036eed87e24f0315a7577 MD5 · raw file 

    

  1. <?php
    2. 

  2. /**
    3. 

  3.  * Properly log in the user and set up the session.
    4. 

  4.  *
    5. 

  5.  * @package modx
    6. 

  6.  * @subpackage processors.security
    7. 

  7.  */
    8. 

  8. if (!isset($modx->lexicon) || !is_object($modx->lexicon)) {
    9. 

  9.     $modx->getService('lexicon','modLexicon');
    10. 

  10. }
    11. 

  11. $modx->lexicon->load('login');
    12. 

  12. 

  13. $username = $scriptProperties['username'];
    14. 

  14. $givenPassword = $scriptProperties['password'];
    15. 

  15. 

  16. $rememberme= isset ($scriptProperties['rememberme']) ? ($scriptProperties['rememberme'] == 'on' || $scriptProperties['rememberme'] == true) : false;
    17. 

  17. $lifetime= (integer) $modx->getOption('lifetime', $scriptProperties, $modx->getOption('session_cookie_lifetime', null, 0));
    18. 

  18. $loginContext= isset ($scriptProperties['login_context']) ? $scriptProperties['login_context'] : $modx->context->get('key');
    19. 

  19. 

  20. $onBeforeLoginParams = array(
    21. 

  21.     'username' => $username,
    22. 

  22.     'password' => $givenPassword,
    23. 

  23.     'attributes' => array(
    24. 

  24.         'rememberme' => & $rememberme,
    25. 

  25.         'lifetime' => & $lifetime,
    26. 

  26.         'loginContext' => & $loginContext
    27. 

  27.     )
    28. 

  28. );
    29. 

  29. 

  30. $rt = false;  /* $rt will be an array if the event fires */
    31. 

  31. if ($loginContext == 'mgr') {
    32. 

  32.     $rt = $modx->invokeEvent("OnBeforeManagerLogin", $onBeforeLoginParams);
    33. 

  33. } else {
    34. 

  34.     $rt = $modx->invokeEvent("OnBeforeWebLogin", $onBeforeLoginParams);
    35. 

  35. }
    36. 

  36. /* If the event fired, loop through the event array and fail if there's an error message  */
    37. 

  37. if (is_array($rt)) {
    38. 

  38.     foreach ($rt as $key => $value) {   /* php4 compatible */
    39. 

  39.         if ($value !== true) {
    40. 

  40.             return $modx->error->failure($value);
    41. 

  41.         }
    42. 

  42.     }
    43. 

  43.     unset($key,$value);
    44. 

  44. }
    45. 

  45. 

  46. $user= $modx->getObjectGraph('modUser', '{"Profile":{},"UserSettings":{}}', array ('modUser.username' => $username));
    47. 

  47. 

  48. if (!$user) {
    49. 

  49.     $ru = $modx->invokeEvent("OnUserNotFound", array(
    50. 

  50.         'user' => &$user,
    51. 

  51.         'username' => $username,
    52. 

  52.         'password' => $password,
    53. 

  53.         array (
    54. 

  54.             'rememberme' => $rememberme,
    55. 

  55.             'lifetime' => $lifetime,
    56. 

  56.             'loginContext' => $loginContext,
    57. 

  57.         )
    58. 

  58.     ));
    59. 

  59.     if (!empty($ru)) {
    60. 

  60.         foreach ($ru as $obj) {
    61. 

  61.             if (is_object($obj) && $obj instanceof modUser) {
    62. 

  62.                 $user = $obj;
    63. 

  63.                 break;
    64. 

  64.             }
    65. 

  65.         }
    66. 

  66.     }
    67. 

  67.     if (!is_object($user) || !($user instanceof modUser)) {
    68. 

  68.         return $modx->error->failure($modx->lexicon('login_cannot_locate_account'));
    69. 

  69.     }
    70. 

  70. }
    71. 

  71. 

  72. if (!$user->get('active')) {
    73. 

  73.     return $modx->error->failure($modx->lexicon('login_user_inactive'));
    74. 

  74. }
    75. 

  75. 

  76. $up= & $user->Profile;
    77. 

  77. $us= & $user->UserSettings;
    78. 

  78. foreach ($us as $settingPK => $setting) {
    79. 

  79.     $sname= $setting->get('key');
    80. 

  80.     $$sname= $setting->get('value');
    81. 

  81. }
    82. 

  82. if ($up->get('failed_logins') >= $modx->getOption('failed_login_attempts') && $up->get('blockeduntil') > time()) {
    83. 

  83.     return $modx->error->failure($modx->lexicon('login_blocked_too_many_attempts'));
    84. 

  84. }
    85. 

  85. if ($up->get('failedlogincount') >= $modx->getOption('failed_login_attempts') && $up->get('blockeduntil') < time()) {
    86. 

  86.     $up->set('failedlogincount', 0);
    87. 

  87.     $up->set('blockeduntil', time() - 1);
    88. 

  88.     $up->save();
    89. 

  89. }
    90. 

  90. if ($up->get('blocked')) {
    91. 

  91.     return $modx->error->failure($modx->lexicon('login_blocked_admin'));
    92. 

  92. }
    93. 

  93. if ($up->get('blockeduntil') > time()) {
    94. 

  94.     return $modx->error->failure($modx->lexicon('login_blocked_error'));
    95. 

  95. }
    96. 

  96. if ($up->get('blockedafter') > 0 && $up->get('blockedafter') < time()) {
    97. 

  97.     return $modx->error->failure($modx->lexicon('login_blocked_error'));
    98. 

  98. }
    99. 

  99. if (isset ($allowed_ip) && $allowed_ip) {
    100. 

  100.     if (($hostname = gethostbyaddr($_SERVER['REMOTE_ADDR'])) && ($hostname != $_SERVER['REMOTE_ADDR'])) {
    101. 

  101.         if (gethostbyname($hostname) != $_SERVER['REMOTE_ADDR']) {
    102. 

  102.             return $modx->error->failure($modx->lexicon('login_hostname_error'));
    103. 

  103.         }
    104. 

  104.     }
    105. 

  105.     if (!in_array($_SERVER['REMOTE_ADDR'], explode(',', str_replace(' ', '', $allowed_ip)))) {
    106. 

  106.         return $modx->error->failure($modx->lexicon('login_blocked_ip'));
    107. 

  107.     }
    108. 

  108. }
    109. 

  109. if (isset ($allowed_days) && $allowed_days) {
    110. 

  110.     $date = getdate();
    111. 

  111.     $day = $date['wday'] + 1;
    112. 

  112.     if (strpos($allowed_days, "{$day}") === false) {
    113. 

  113.         return $modx->error->failure($modx->lexicon('login_blocked_time'));
    114. 

  114.     }
    115. 

  115. }
    116. 

  116. 

  117. $loginAttributes = array(
    118. 

  118.     "user"       => & $user,
    119. 

  119.     "password"   => $givenPassword,
    120. 

  120.     "rememberme" => $rememberme,
    121. 

  121.     "lifetime" => $lifetime
    122. 

  122. );
    123. 

  123. if ($loginContext == 'mgr') {
    124. 

  124.     $rt = $modx->invokeEvent("OnManagerAuthentication", $loginAttributes);
    125. 

  125. } else {
    126. 

  126.     $rt = $modx->invokeEvent("OnWebAuthentication", $loginAttributes);
    127. 

  127. }
    128. 

  128. /* check if plugin authenticated the user */
    129. 

  129. if (!$rt || (is_array($rt) && !in_array(true, $rt))) {
    130. 

  130.     /* check user password - local authentication */
    131. 

  131.     if($user->get('password') != md5($givenPassword)) {
    132. 

  132.         return $modx->error->failure($modx->lexicon('login_username_password_incorrect'));
    133. 

  133.     }
    134. 

  134. }
    135. 

  135. 

  136. $user->addSessionContext($loginContext);
    137. 

  137. 

  138. if ($rememberme) {
    139. 

  139.     $_SESSION['modx.' . $loginContext . '.session.cookie.lifetime']= $lifetime;
    140. 

  140. } else {
    141. 

  141.     $_SESSION['modx.' . $loginContext . '.session.cookie.lifetime']= 0;
    142. 

  142. }
    143. 

  143. 

  144. $postLoginAttributes = array(
    145. 

  145.     'user' => $user,
    146. 

  146.     'attributes' => array(
    147. 

  147.         'rememberme' => $rememberme,
    148. 

  148.         'lifetime' => $lifetime,
    149. 

  149.         'loginContext' => $loginContext
    150. 

  150.     )
    151. 

  151. );
    152. 

  152. if ($loginContext == 'mgr') {
    153. 

  153.     $rt = $modx->invokeEvent("OnManagerLogin", $postLoginAttributes);
    154. 

  154. } else {
    155. 

  155.     $modx->invokeEvent("OnWebLogin", $postLoginAttributes);
    156. 

  156. }
    157. 

  157. $returnUrl = isset($scriptProperties['returnUrl']) ? $scriptProperties['returnUrl'] : '';
    158. 

  158. $response = array('url' => $returnUrl);
    159. 

  159. switch ($loginContext) {
    160. 

  160.     case 'mgr':
    161. 

  161.         $manager_login_startup_url = $modx->getOption('manager_url', null, $returnUrl);
    162. 

  162.         if (!empty($manager_login_startup)) {
    163. 

  163.             $manager_login_startup= intval($manager_login_startup);
    164. 

  164.             if ($manager_login_startup) $manager_login_startup_url .= '?id=' . $manager_login_startup;
    165. 

  165.         }
    166. 

  166.         $response= array('url' => $manager_login_startup_url);
    167. 

  167.         break;
    168. 

  168.     case 'web':
    169. 

  169.     default:
    170. 

  170.         $login_startup_url = $returnUrl;
    171. 

  171.         if (!empty($login_startup)) {
    172. 

  172.             $login_startup = intval($login_startup);
    173. 

  173.             if ($login_startup) $login_startup_url = $modx->makeUrl($login_startup, $loginContext, '', 'full');
    174. 

  174.         }
    175. 

  175.         $response= array('url' => $login_startup_url);
    176. 

  176. }
    177. 

  177. 

  178. return $modx->error->success('', $response);
    179.