PageRenderTime 42ms CodeModel.GetById 13ms RepoModel.GetById 1ms app.codeStats 0ms

/apps/user/models/User.php

https://bitbucket.org/jonphipps/elefant-vocabhub
PHP | 486 lines | 186 code | 33 blank | 267 comment | 32 complexity | 52705b5f319d576f64657ba515f2786c MD5 | raw file
    

  1. <?php
    2. 

  2. 

  3. /**
    4. 

  4.  * Elefant CMS - http://www.elefantcms.com/
    5. 

  5.  *
    6. 

  6.  * Copyright (c) 2011 Johnny Broadway
    7. 

  7.  *
    8. 

  8.  * Permission is hereby granted, free of charge, to any person obtaining a copy
    9. 

  9.  * of this software and associated documentation files (the "Software"), to deal
    10. 

  10.  * in the Software without restriction, including without limitation the rights
    11. 

  11.  * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
    12. 

  12.  * copies of the Software, and to permit persons to whom the Software is
    13. 

  13.  * furnished to do so, subject to the following conditions:
    14. 

  14.  *
    15. 

  15.  * The above copyright notice and this permission notice shall be included in
    16. 

  16.  * all copies or substantial portions of the Software.
    17. 

  17.  *
    18. 

  18.  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
    19. 

  19.  * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
    20. 

  20.  * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
    21. 

  21.  * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
    22. 

  22.  * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
    23. 

  23.  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
    24. 

  24.  * THE SOFTWARE.
    25. 

  25.  */
    26. 

  26. 

  27. /**
    28. 

  28.  * This is the default user authentication source for Elefant. Provides the
    29. 

  29.  * basic `User::require_login()` and `User::require_admin()` methods, as
    30. 

  30.  * well as `User::is_valid()` and `User::logout()`. If a user is logged in,
    31. 

  31.  * the first call to any validation method will initialize the `$user`
    32. 

  32.  * property to contain the static User object.
    33. 

  33.  *
    34. 

  34.  * Note that this class extends [[ExtendedModel]], so all of the [[ExtendedModel]]
    35. 

  35.  * and [[Model]] methods are available for querying the user list, and for user
    36. 

  36.  * management, as well.
    37. 

  37.  *
    38. 

  38.  * Fields:
    39. 

  39.  *
    40. 

  40.  * - id
    41. 

  41.  * - email
    42. 

  42.  * - password
    43. 

  43.  * - session_id
    44. 

  44.  * - expires
    45. 

  45.  * - name
    46. 

  46.  * - type
    47. 

  47.  * - signed_up
    48. 

  48.  * - updated
    49. 

  49.  * - userdata
    50. 

  50.  *
    51. 

  51.  * Basic usage of additional methods:
    52. 

  52.  *
    53. 

  53.  *     <?php
    54. 

  54.  *
    55. 

  55.  *     // Send unauth users to myapp/login view
    56. 

  56.  *     if (! User::require_login ()) {
    57. 

  57.  *         $page->title = __ ('Members');
    58. 

  58.  *         echo $this->run ('user/login');
    59. 

  59.  *         return;
    60. 

  60.  *     }
    61. 

  61.  *
    62. 

  62.  *     // Check if a user is valid at any point
    63. 

  63.  *     if (! User::is_valid ()) {
    64. 

  64.  *         // Not allowed
    65. 

  65.  *     }
    66. 

  66.  *
    67. 

  67.  *     // Check the user's type
    68. 

  68.  *     if (User::is ('member')) {
    69. 

  69.  *         // Access granted
    70. 

  70.  *     }
    71. 

  71.  *
    72. 

  72.  *     // Get the name value
    73. 

  73.  *     $name = User::val ('name');
    74. 

  74.  *
    75. 

  75.  *     // Get the actual user object
    76. 

  76.  *     info (User::$user);
    77. 

  77.  *
    78. 

  78.  *     // Update and save a user's name
    79. 

  79.  *     User::val ('name', 'Bob Diggity');
    80. 

  80.  *     User::save ();
    81. 

  81.  *
    82. 

  82.  *     // Encrypt a password
    83. 

  83.  *     $encrypted = User::encrypt_pass ($password);
    84. 

  84.  *
    85. 

  85.  *     // Log out and send them home
    86. 

  86.  *     User::logout ('/');
    87. 

  87.  *
    88. 

  88.  *     ?>
    89. 

  89.  * @property integer id
    90. 

  90.  * @property string  email
    91. 

  91.  * @property string  password
    92. 

  92.  * @property string  session_id
    93. 

  93.  * @property Datetime  expires
    94. 

  94.  * @property string  name
    95. 

  95.  * @property string  type
    96. 

  96.  * @property Datetime  signed_up
    97. 

  97.  * @property Datetime  updated
    98. 

  98.  * @property string  userdata
    99. 

  99.  *
    100. 

  100.  */
    101. 

  101. class User extends ExtendedModel {
    102. 

  102. 	/**
    103. 

  103. 	 * The database table name.
    104. 

  104. 	 *
    105. 

  105. 	 * @var string
    106. 

  106. 	 */
    107. 

  107. 	public $table = '#prefix#user';
    108. 

  108. 

  109. 	/**
    110. 

  110. 	 * Tell the ExtendedModel which field should contain the extended properties.
    111. 

  111. 	 */
    112. 

  112. 	public $_extended_field = 'userdata';
    113. 

  113. 

  114. 	/**
    115. 

  115. 	 * This is the static User object for the current user.
    116. 

  116. 	 *
    117. 

  117. 	 * @var User|bool
    118. 

  118. 	 */
    119. 

  119. 	public static $user = false;
    120. 

  120. 

  121. 	/**
    122. 

  122. 	 * Acl object for `require_acl()` method. Get and set via `User::acl()`.
    123. 

  123. 	 *
    124. 

  124. 	 * @var Acl|null
    125. 

  125. 	 */
    126. 

  126. 	public static $acl = null;
    127. 

  127. 

  128. 	/**
    129. 

  129. 	 * Generates a random salt and encrypts a password using MD5.
    130. 

  130. 	 *
    131. 

  131. 	 * @param string $plain
    132. 

  132. 	 *
    133. 

  133. 	 * @return string
    134. 

  134. 	 */
    135. 

  135. 	public static function encrypt_pass ($plain) {
    136. 

  136. 		$base = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
    137. 

  137. 		$salt = '$2a$07$';
    138. 

  138. 		for ($i = 0; $i < 22; $i++) {
    139. 

  139. 			$salt .= $base[rand (0, 61)];
    140. 

  140. 		}
    141. 

  141. 		return crypt ($plain, $salt . '$');
    142. 

  142. 	}
    143. 

  143. 

  144. 	/**
    145. 

  145. 	 * Takes a length and returns a random string of characters of that
    146. 

  146. 	 * length for use in passwords. String may contain any number, lower
    147. 

  147. 	 * or uppercase letters, or common symbols.
    148. 

  148. 	 *
    149. 

  149. 	 * @param int $length
    150. 

  150. 	 *
    151. 

  151. 	 * @return string
    152. 

  152. 	 */
    153. 

  153. 	public static function generate_pass ($length = 8) {
    154. 

  154. 		$list = '123467890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!@#$%^&*()_-+=~:;|<>[]{}?"\'';
    155. 

  155. 		$pass = '';
    156. 

  156. 		while (strlen ($pass) < $length) {
    157. 

  157. 			$pass .= substr ($list, mt_rand (0, strlen ($list)), 1);
    158. 

  158. 		}
    159. 

  159. 		return $pass;
    160. 

  160. 	}
    161. 

  161. 

  162. 	/**
    163. 

  163. 	 * Verifies a username/password combo against the database.
    164. 

  164. 	 * Username is matched to the email field. If things check out,
    165. 

  165. 	 * a session_id is generated and initialized in the database
    166. 

  166. 	 * and for the user. Also creates the global $user object
    167. 

  167. 	 * as well, since we have the data (no sense requesting it
    168. 

  168. 	 * twice).
    169. 

  169. 	 *
    170. 

  170. 	 * @param string $user
    171. 

  171. 	 * @param string $pass
    172. 

  172. 	 *
    173. 

  173. 	 * @return array|bool
    174. 

  174. 	 */
    175. 

  175. 	public static function verifier ($user, $pass) {
    176. 

  176. 		// If it's been called before for this user, return cached result
    177. 

  177. 		static $called = array ();
    178. 

  178. 		if (isset ($called[$user])) {
    179. 

  179. 			return $called[$user];
    180. 

  180. 		}
    181. 

  181. 

  182. 		$u = DB::single (
    183. 

  183. 			'select * from `#prefix#user` where email = ?',
    184. 

  184. 			$user
    185. 

  185. 		);
    186. 

  186. 

  187. 		// Check if they've exceeded their login attempt limit
    188. 

  188. 		global $cache, $controller;
    189. 

  189. 		$appconf = parse_ini_file ('apps/user/conf/config.php', true);
    190. 

  190. 		$attempts = $cache->get ('_user_login_attempts_' . session_id ());
    191. 

  191. 		if (! $attempts) {
    192. 

  192. 			$attempts = 0;
    193. 

  193. 		}
    194. 

  194. 		if ($attempts > $appconf['User']['login_attempt_limit']) {
    195. 

  195. 			$called[$user] = false;
    196. 

  196. 			$controller->redirect ('/user/too-many-attempts');
    197. 

  197. 		}
    198. 

  198. 

  199. 		if ($u && crypt ($pass, $u->password) == $u->password) {
    200. 

  200. 			$class = get_called_class ();
    201. 

  201. 			self::$user = new $class ((array) $u, false);
    202. 

  202. 			self::$user->session_id = md5 (uniqid (mt_rand (), 1));
    203. 

  203. 			self::$user->expires = gmdate ('Y-m-d H:i:s', time () + 2592000); // 1 month
    204. 

  204. 			$try = 0;
    205. 

  205. 			while (! self::$user->put ()) {
    206. 

  206. 				self::$user->session_id = md5 (uniqid (mt_rand (), 1));
    207. 

  207. 				$try++;
    208. 

  208. 				if ($try == 5) {
    209. 

  209. 					$called[$user] = false;
    210. 

  210. 					return false;
    211. 

  211. 				}
    212. 

  212. 			}
    213. 

  213. 			$_SESSION['session_id'] = self::$user->session_id;
    214. 

  214. 

  215. 			// Save the user agent so we can verify it against future sessions,
    216. 

  216. 			// and remove the login attempts cache item
    217. 

  217. 			$cache->add ('_user_session_agent_' . $_SESSION['session_id'], $_SERVER['HTTP_USER_AGENT'], 0, time () + 2592000);
    218. 

  218. 			$cache->delete ('_user_login_attempts_' . session_id ());
    219. 

  219. 

  220. 			$called[$user] = true;
    221. 

  221. 			return true;
    222. 

  222. 		}
    223. 

  223. 

  224. 		// Increment the number of attempts they've made
    225. 

  225. 		$attempts++;
    226. 

  226. 		if (! $cache->add ('_user_login_attempts_' . session_id (), $attempts, 0, $appconf['User']['block_attempts_for'])) {
    227. 

  227. 			$cache->replace ('_user_login_attempts_' . session_id (), $attempts, 0, $appconf['User']['block_attempts_for']);
    228. 

  228. 		}
    229. 

  229. 

  230. 		$called[$user] = false;
    231. 

  231. 		return false;
    232. 

  232. 	}
    233. 

  233. 

  234. 	/**
    235. 

  235. 	 * A custom handler for `simple_auth()`. Note: Calls `session_start()`
    236. 

  236. 	 * for you, and creates the global `$user` object if a session is
    237. 

  237. 	 * valid, since we have the data already.
    238. 

  238. 	 *
    239. 

  239. 	 * @param string $callback
    240. 

  240. 	 *
    241. 

  241. 	 * @return bool|mixed
    242. 

  242. 	 */
    243. 

  243. 	public static function method ($callback) {
    244. 

  244. 		if (! isset ($_SESSION)) {
    245. 

  245. 			$domain = conf ('General', 'session_domain');
    246. 

  246. 			if ($domain === 'full') {
    247. 

  247. 				$domain = $_SERVER['HTTP_HOST'];
    248. 

  248. 			} elseif ($domain === 'top') {
    249. 

  249. 				$parts = explode ('.', $_SERVER['HTTP_HOST']);
    250. 

  250. 				$tld = array_pop ($parts);
    251. 

  251. 				$domain = '.' . array_pop ($parts) . '.' . $tld;
    252. 

  252. 			}
    253. 

  253. 			@session_set_cookie_params (time () + conf ('General', 'session_duration'), '/', $domain);
    254. 

  254. 			@session_start ();
    255. 

  255. 		}
    256. 

  256. 

  257. 		if (isset ($_POST['username']) && isset ($_POST['password'])) {
    258. 

  258. 			return call_user_func ($callback, $_POST['username'], $_POST['password']);
    259. 

  259. 		} elseif (isset ($_SESSION['session_id'])) {
    260. 

  260. 			$u = DB::single (
    261. 

  261. 				'select * from `#prefix#user` where session_id = ? and expires > ?',
    262. 

  262. 				$_SESSION['session_id'],
    263. 

  263. 				gmdate ('Y-m-d H:i:s')
    264. 

  264. 			);
    265. 

  265. 			if ($u) {
    266. 

  266. 				// Verify user agent as a last step (make hijacking harder)
    267. 

  267. 				global $cache;
    268. 

  268. 				$ua = $cache->get ('_user_session_agent_' . $_SESSION['session_id']);
    269. 

  269. 				if ($ua && $ua !== $_SERVER['HTTP_USER_AGENT']) {
    270. 

  270. 					return false;
    271. 

  271. 				}
    272. 

  272. 

  273. 				$class = get_called_class ();
    274. 

  274. 				self::$user = new $class ((array) $u, false);
    275. 

  275. 				return true;
    276. 

  276. 			}
    277. 

  277. 		}
    278. 

  278. 		return false;
    279. 

  279. 	}
    280. 

  280. 

  281. 	/**
    282. 

  282. 	 * Simplifies authorization down to:
    283. 

  283. 	 *
    284. 

  284. 	 *     <?php
    285. 

  285. 	 *
    286. 

  286. 	 *     if (! User::require_login ()) {
    287. 

  287. 	 *         // unauthorized
    288. 

  288. 	 *     }
    289. 

  289. 	 *
    290. 

  290. 	 *     ?>
    291. 

  291. 	 *
    292. 

  292. 	 * @return bool
    293. 

  293. 	 */
    294. 

  294. 	public static function require_login () {
    295. 

  295. 		$class = get_called_class ();
    296. 

  296. 		return simple_auth (array ($class, 'verifier'), array ($class, 'method'));
    297. 

  297. 	}
    298. 

  298. 

  299. 	/**
    300. 

  300. 	 * Alias of `require_acl('admin')`. Simplifies authorization
    301. 

  301. 	 * for general admin access down to:
    302. 

  302. 	 *
    303. 

  303. 	 *     <?php
    304. 

  304. 	 *
    305. 

  305. 	 *     if (! User::require_admin ()) {
    306. 

  306. 	 *         // unauthorized
    307. 

  307. 	 *     }
    308. 

  308. 	 *
    309. 

  309. 	 *     ?>
    310. 

  310. 	 *
    311. 

  311. 	 * @return bool
    312. 

  312. 	 */
    313. 

  313. 	public static function require_admin () {
    314. 

  314. 		return self::require_acl ('admin');
    315. 

  315. 	}
    316. 

  316. 

  317. 	/**
    318. 

  318. 	 * Determine whether the current user is allowed to access
    319. 

  319. 	 * a given resource.
    320. 

  320. 	 *
    321. 

  321. 	 * @param $resource
    322. 

  322. 	 *
    323. 

  323. 	 * @return bool
    324. 

  324. 	 */
    325. 

  325. 	public static function require_acl ($resource) {
    326. 

  326. 		if (! User::is_valid ()) {
    327. 

  327. 			return false;
    328. 

  328. 		}
    329. 

  329. 		$acl = self::acl ();
    330. 

  330. 		$resources = func_get_args ();
    331. 

  331. 		foreach ($resources as $resource) {
    332. 

  332. 			if (! $acl->allowed ($resource, self::$user)) {
    333. 

  333. 				return false;
    334. 

  334. 			}
    335. 

  335. 		}
    336. 

  336. 		return true;
    337. 

  337. 	}
    338. 

  338. 

  339. 	/**
    340. 

  340. 	 * Check if a user is valid.
    341. 

  341. 	 *
    342. 

  342. 	 * @return bool
    343. 

  343. 	 */
    344. 

  344. 	public static function is_valid () {
    345. 

  345. 		if (is_object (self::$user) && self::$user->session_id == $_SESSION['session_id']) {
    346. 

  346. 			return true;
    347. 

  347. 		}
    348. 

  348. 		return self::require_login ();
    349. 

  349. 	}
    350. 

  350. 

  351. 	/**
    352. 

  352. 	 * Check if a user is of a certain type.
    353. 

  353. 	 *
    354. 

  354. 	 * @param string $type
    355. 

  355. 	 *
    356. 

  356. 	 * @return bool
    357. 

  357. 	 */
    358. 

  358. 	public static function is ($type) {
    359. 

  359. 		return (self::$user->type === $type);
    360. 

  360. 	}
    361. 

  361. 

  362. 	/**
    363. 

  363. 	 * Fetch or set the currently active user.
    364. 

  364. 	 *
    365. 

  365. 	 * @param User $current
    366. 

  366. 	 *
    367. 

  367. 	 * @return User
    368. 

  368. 	 */
    369. 

  369. 	public static function current (User $current = null) {
    370. 

  370. 		if ($current !== null) {
    371. 

  371. 			self::$user = $current;
    372. 

  372. 		}
    373. 

  373. 		return self::$user;
    374. 

  374. 	}
    375. 

  375. 

  376. 	/**
    377. 

  377. 	 * Alias of `require_acl('content/' . $access)`, prepending the
    378. 

  378. 	 * `content/` string to the resource name before comparing it.
    379. 

  379. 	 * Where `User::require_acl('resource')` is good for validating
    380. 

  380. 	 * access to any resource type, `User::access('member')` is used
    381. 

  381. 	 * for content access levels.
    382. 

  382. 	 *
    383. 

  383. 	 * @param string $access
    384. 

  384. 	 *
    385. 

  385. 	 * @return bool
    386. 

  386. 	 */
    387. 

  387. 	public static function access ($access) {
    388. 

  388. 		return self::require_acl ('content/' . $access);
    389. 

  389. 	}
    390. 

  390. 

  391. 	/**
    392. 

  392. 	 * Returns the list of access levels for content. This is a list
    393. 

  393. 	 * of resources that begin with `content/` e.g., `content/private`,
    394. 

  394. 	 * with keys as the resource and values as a display name for that
    395. 

  395. 	 * resource:
    396. 

  396. 	 *
    397. 

  397. 	 *     array (
    398. 

  398. 	 *         'public'  => 'Public',
    399. 

  399. 	 *         'member'  => 'Member',
    400. 

  400. 	 *         'private' => 'Private'
    401. 

  401. 	 *     )
    402. 

  402. 	 *
    403. 

  403. 	 * Note: Public is hard-coded, since there's no need to verify
    404. 

  404. 	 * access to public resources, but you still need an access level
    405. 

  405. 	 * to specify it.
    406. 

  406. 	 *
    407. 

  407. 	 * @return array
    408. 

  408. 	 */
    409. 

  409. 	public static function access_list () {
    410. 

  410. 		$acl = self::acl ();
    411. 

  411. 		$resources = $acl->resources ();
    412. 

  412. 		$access = array ('public' => __ ('Public'));
    413. 

  413. 		foreach ($resources as $key => $value) {
    414. 

  414. 			if (strpos ($key, 'content/') === 0) {
    415. 

  415. 				$resource = str_replace ('content/', '', $key);
    416. 

  416. 				$access[$resource] = __ (ucfirst ($resource));
    417. 

  417. 			}
    418. 

  418. 		}
    419. 

  419. 		return $access;
    420. 

  420. 	}
    421. 

  421. 

  422. 	/**
    423. 

  423. 	 * Get or set the Acl object.
    424. 

  424. 	 *
    425. 

  425. 	 * @param Acl|null $acl
    426. 

  426. 	 *
    427. 

  427. 	 * @return Acl
    428. 

  428. 	 */
    429. 

  429. 	public static function acl ($acl = null) {
    430. 

  430. 		if ($acl !== null) {
    431. 

  431. 			self::$acl = $acl;
    432. 

  432. 		}
    433. 

  433. 

  434. 		if (self::$acl === null) {
    435. 

  435. 			self::$acl = new Acl (conf ('Paths', 'access_control_list'));
    436. 

  436. 		}
    437. 

  437. 

  438. 		return self::$acl;
    439. 

  439. 	}
    440. 

  440. 

  441. 	/**
    442. 

  442. 	 * Get or set a specific field's value.
    443. 

  443. 	 *
    444. 

  444. 	 * @param string $key
    445. 

  445. 	 * @param mixed  $val
    446. 

  446. 	 *
    447. 

  447. 	 * @return array|bool|null
    448. 

  448. 	 */
    449. 

  449. 	public static function val ($key, $val = null) {
    450. 

  450. 		if ($val !== null) {
    451. 

  451. 			self::$user->{$key} = $val;
    452. 

  452. 		}
    453. 

  453. 		return self::$user->{$key};
    454. 

  454. 	}
    455. 

  455. 

  456. 	/**
    457. 

  457. 	 * Save the user's data to the database.
    458. 

  458. 	 *
    459. 

  459. 	 * @return bool
    460. 

  460. 	 */
    461. 

  461. 	public static function save () {
    462. 

  462. 		return self::$user->put ();
    463. 

  463. 	}
    464. 

  464. 

  465. 	/**
    466. 

  466. 	 * Log out and optionally redirect to the specified URL.
    467. 

  467. 	 *
    468. 

  468. 	 * @param string|bool $redirect_to
    469. 

  469. 	 */
    470. 

  470. 	public static function logout ($redirect_to = false) {
    471. 

  471. 		if (self::$user === false) {
    472. 

  472. 			self::require_login ();
    473. 

  473. 		}
    474. 

  474. 		if (! empty (self::$user->session_id)) {
    475. 

  475. 			self::$user->expires = gmdate ('Y-m-d H:i:s', time () - 100000);
    476. 

  476. 			self::$user->put ();
    477. 

  477. 		}
    478. 

  478. 		$_SESSION['session_id'] = null;
    479. 

  479. 		if ($redirect_to) {
    480. 

  480. 			global $controller;
    481. 

  481. 			$controller->redirect ($redirect_to);
    482. 

  482. 		}
    483. 

  483. 	}
    484. 

  484. }
    485. 

  485. 

  486. ?>
    487. 

  487.