* @author Romain Quetiez * @author Denis Flaven * @license http://www.opensource.org/licenses/gpl-3.0.html LGPL */ require_once("../application/nicewebpage.class.inc.php"); /** * Web page used for displaying the login form */ class LoginWebPage extends NiceWebPage { public function __construct() { parent::__construct("iTop Login"); $this->add_style(<<add_header('WWW-Authenticate: Basic realm="'.Dict::Format('UI:iTopVersion:Short', ITOP_VERSION)); $this->add_header('HTTP/1.0 401 Unauthorized'); // Note: displayed when the user will click on Cancel $this->add('

'.Dict::S('UI:Login:Error:AccessRestricted').'

'); break; case 'external': case 'form': default: // In case the settings get messed up... $sAuthUser = utils::ReadParam('auth_user', ''); $sAuthPwd = utils::ReadParam('suggest_pwd', ''); $sVersionShort = Dict::Format('UI:iTopVersion:Short', ITOP_VERSION); $this->add("
\n"); $this->add("
\n"); $this->add("

".Dict::S('UI:Login:Welcome')."

\n"); if ($bFailedLogin) { $this->add("

".Dict::S('UI:Login:IncorrectLoginPassword')."

\n"); } else { $this->add("

".Dict::S('UI:Login:IdentifyYourself')."

\n"); } $this->add("
\n"); $this->add("\n"); $this->add("\n"); $this->add("\n"); $this->add("\n"); $this->add("
\n"); $this->add("\n"); $this->add("
\n"); $this->add("
\n"); break; } } public function DisplayChangePwdForm($bFailedLogin = false) { $sAuthUser = utils::ReadParam('auth_user', ''); $sAuthPwd = utils::ReadParam('suggest_pwd', ''); $sVersionShort = Dict::Format('UI:iTopVersion:Short', ITOP_VERSION); $sInconsistenPwdMsg = Dict::S('UI:Login:RetypePwdDoesNotMatch'); $this->add_script(<<add("
\n"); $this->add("
\n"); $this->add("

".Dict::S('UI:Login:ChangeYourPassword')."

\n"); if ($bFailedLogin) { $this->add("

".Dict::S('UI:Login:IncorrectOldPassword')."

\n"); } $this->add("
\n"); $this->add("\n"); $this->add("\n"); $this->add("\n"); $this->add("\n"); $this->add("\n"); $this->add("
  
\n"); $this->add("\n"); $this->add("
\n"); $this->add("
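\n"); }

	/**
	 * Clear every piece of session state and destroy the server-side session.
	 *
	 * Called on explicit log-off and after a failed credential check, so that
	 * nothing from a previous (possibly different) user survives in $_SESSION.
	 * The session cookie is expired with the same path/domain/flags it was
	 * created with; a cookie deleted with a different path is simply ignored by
	 * the browser, which would keep sending the old session id.
	 */
	static function ResetSession()
	{
		// Wipe every session variable first, so that even if session_destroy()
		// has nothing to do (no active session) nothing usable is left in memory.
		$_SESSION = array();

		// Expire the session cookie on the client side. The parameters must match
		// the ones used when the cookie was set, hence session_get_cookie_params()
		// instead of a hard-coded '/' path.
		if (isset($_COOKIE[session_name()]))
		{
			$aCookie = session_get_cookie_params();
			setcookie(
				session_name(),
				'',
				time() - 3600,
				$aCookie['path'],
				$aCookie['domain'],
				$aCookie['secure'],
				$aCookie['httponly']
			);
		}

		// Finally, destroy the server-side session data.
		session_destroy();
	}

	/**
	 * Whether the configuration mandates HTTPS for the login sequence.
	 *
	 * A fresh Config object is built from ITOP_CONFIG_FILE here, whereas the
	 * rest of this class goes through utils::GetConfig(); left unchanged so the
	 * configuration source stays the same as before.
	 *
	 * @return bool
	 */
	static function SecureConnectionRequired()
	{
		$oConfig = new Config(ITOP_CONFIG_FILE);
		return $oConfig->GetSecureConnectionRequired();
	}

	/**
	 * Whether the current request came in over TLS, as reported by the web server
	 * through $_SERVER['HTTPS'] (non-empty when TLS is used, 'off' on some servers
	 * when it is not). Only that variable is consulted: behind a TLS-terminating
	 * proxy this reports false unless the server configuration sets HTTPS itself.
	 *
	 * @return bool
	 */
	static function IsConnectionSecure()
	{
		if (empty($_SERVER['HTTPS']))
		{
			return false;
		}
		// 'off' in any letter case means "not secured", anything else means "secured"
		return (strcasecmp($_SERVER['HTTPS'], 'off') != 0);
	}

	/**
	 * Read the web-server supplied user name for the 'external' login type.
	 *
	 * $sExtAuthVar is the PHP expression configured as the external authentication
	 * variable, typically "$_SERVER['REMOTE_USER']". The superglobal-index form
	 * ($_SERVER[...] or $_ENV[...] with a quoted key) is parsed and looked up
	 * directly, without eval(). Any other expression is still evaluated with eval()
	 * to stay backward compatible with existing configurations.
	 *
	 * SECURITY NOTE: the eval() fallback runs whatever is in the configuration file
	 * as PHP code; that file must only be writable by administrators.
	 *
	 * @param string $sExtAuthVar configured expression
	 * @return string|null the variable's value, or null when it is not set
	 */
	protected static function ReadExternalAuthVariable($sExtAuthVar)
	{
		$aMatches = array();
		$sPattern = '/^\s*\$(_SERVER|_ENV)\s*\[\s*([\'"])([A-Za-z0-9_.\-]+)\2\s*\]\s*$/';
		if (preg_match($sPattern, $sExtAuthVar, $aMatches))
		{
			$aSource = ($aMatches[1] == '_ENV') ? $_ENV : $_SERVER;
			$sKey = $aMatches[3];
			return isset($aSource[$sKey]) ? $aSource[$sKey] : null;
		}

		// Legacy path for any other expression form (see the note above)
		$bExternalAuth = false;
		eval('$bExternalAuth = isset('.$sExtAuthVar.');');
		if (!$bExternalAuth)
		{
			return null;
		}
		$sValue = null;
		eval('$sValue = '.$sExtAuthVar.';'); // Retrieve the value
		return $sValue;
	}

	/**
	 * Authenticate the current request, or display the login form and stop.
	 *
	 * Sequence:
	 *  1. Enforce HTTPS when the configuration requires it (redirect, then exit).
	 *  2. If a user is already recorded in the session, log it in and return true.
	 *  3. Otherwise walk the allowed login types in configuration order and take
	 *     the credentials from the first mechanism that supplies a user name:
	 *     'form' (POST fields), 'basic' (HTTP Basic header), 'external' (variable
	 *     set by the web server), 'url' (auth_user in the query string).
	 *  4. No credentials at all: display the login form for the requested mode
	 *     (or the first allowed one) and exit.
	 *  5. Credentials present: check them; on failure reset the session and show
	 *     the form again with an error (exit), on success regenerate the session
	 *     id and record the user in the session.
	 *
	 * @return bool true when the request is authenticated; the method does not
	 *              return otherwise (it exits after emitting a page or a redirect)
	 */
	protected static function Login()
	{
		if (self::SecureConnectionRequired() && !self::IsConnectionSecure())
		{
			// Non secured URL... redirect to a secured one
			$sUrl = utils::GetAbsoluteUrl(true /* query string */, true /* force HTTPS */);
			header("Location: $sUrl");
			exit;
		}

		$aAllowedLoginTypes = utils::GetConfig()->GetAllowedLoginTypes();

		if (isset($_SESSION['auth_user']))
		{
			// Already authenticated during a previous request
			UserRights::Login($_SESSION['auth_user']); // Login & set the user's language
			return true;
		}

		$sLoginMode = '';
		$sAuthentication = 'internal';
		$sAuthUser = '';
		$sAuthPwd = '';

		// The first mechanism (in configuration order) that supplies a user name wins
		$iCount = count($aAllowedLoginTypes);
		for ($index = 0; ($sLoginMode == '') && ($index < $iCount); $index++)
		{
			switch ($aAllowedLoginTypes[$index])
			{
				case 'form':
				// iTop standard mode: form based authentication
				$sAuthUser = utils::ReadParam('auth_user', '', 'post');
				$sAuthPwd = utils::ReadParam('auth_pwd', '', 'post');
				if ($sAuthUser != '')
				{
					$sLoginMode = 'form';
				}
				break;

				case 'basic':
				// Standard PHP authentication method, works with Apache...
				// Case 1) Apache running in CGI mode + rewrite rules in .htaccess:
				// the raw "Authorization: Basic <base64(user:password)>" header is
				// forwarded as HTTP_AUTHORIZATION and has to be decoded here.
				if (!empty($_SERVER['HTTP_AUTHORIZATION']))
				{
					$sHeader = $_SERVER['HTTP_AUTHORIZATION'];
					if (strncasecmp($sHeader, 'Basic ', 6) == 0)
					{
						// Strict decoding rejects headers that are not valid base64
						$sDecoded = base64_decode(trim(substr($sHeader, 6)), true);
						// The password may itself contain ':', so split on the first one only
						if (($sDecoded !== false) && (strpos($sDecoded, ':') !== false))
						{
							list($sAuthUser, $sAuthPwd) = explode(':', $sDecoded, 2);
							$sLoginMode = 'basic';
						}
					}
				}
				// Case 2) PHP already decoded the header (e.g. Apache module)
				if (($sLoginMode == '') && isset($_SERVER['PHP_AUTH_USER']))
				{
					$sAuthUser = $_SERVER['PHP_AUTH_USER'];
					$sAuthPwd = isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : '';
					$sLoginMode = 'basic';
				}
				break;

				case 'external':
				// Web server supplied authentication: the user name is read from the
				// variable configured as the external authentication variable
				$sExtAuthVar = utils::GetConfig()->GetExternalAuthenticationVariable();
				$sExtUser = self::ReadExternalAuthVariable($sExtAuthVar);
				if ($sExtUser !== null)
				{
					$sAuthUser = $sExtUser;
					$sAuthPwd = ''; // No password in this case, the web server already authenticated the user
					$sLoginMode = 'external';
					$sAuthentication = 'external';
				}
				break;

				case 'url':
				// Credentials passed directly in the url: the user name comes from the
				// query string, while the password is still read from the POST data
				$sAuthUser = utils::ReadParam('auth_user', '', 'get');
				if ($sAuthUser != '')
				{
					$sAuthPwd = utils::ReadParam('auth_pwd', '', 'post');
					$sLoginMode = 'url';
				}
				break;
			}
		}

		if ($sLoginMode == '')
		{
			// First connection: no mechanism supplied credentials.
			// Display the login form for the requested mode, or the first allowed one.
			$sDesiredLoginMode = utils::ReadParam('login_mode');
			if (in_array($sDesiredLoginMode, $aAllowedLoginTypes, true))
			{
				$sLoginMode = $sDesiredLoginMode;
			}
			else if ($iCount > 0)
			{
				$sLoginMode = $aAllowedLoginTypes[0]; // First in the list...
			}
			else
			{
				$sLoginMode = 'form'; // Same fallback as DoLogin() when the list is empty
			}
			$oPage = new LoginWebPage();
			$oPage->DisplayLoginForm($sLoginMode, false /* no previous failed attempt */);
			$oPage->output();
			exit;
		}

		if (!UserRights::CheckCredentials($sAuthUser, $sAuthPwd, $sAuthentication))
		{
			// Wrong credentials: make sure nothing is left in the session, then ask again
			self::ResetSession();
			$oPage = new LoginWebPage();
			$oPage->DisplayLoginForm($sLoginMode, true /* failed attempt */);
			$oPage->output();
			exit;
		}

		// User is Ok: switch to a fresh session id before storing the authenticated
		// state, so that a session id planted before login (session fixation) is useless
		if (session_id() != '')
		{
			session_regenerate_id(true);
		}
		UserRights::Login($sAuthUser, $sAuthentication); // Login & set the user's language
		$_SESSION['auth_user'] = $sAuthUser;
		$_SESSION['login_mode'] = $sLoginMode;
		return true;
	}

	/**
	 * Entry point used by protected pages: start the session, handle the 'loginop'
	 * operation if any, then make sure the request is authenticated via Login().
	 *
	 * - 'logoff': reset the session and display the login form for the mode used
	 *   to log in (or the first allowed one, or 'form'), then exit.
	 * - 'change_pwd': display the change-password form, then exit.
	 * - 'do_change_pwd': verify the old password and apply the new one; on failure
	 *   display the form again with an error and exit.
	 * The two password operations require an authenticated session; without one
	 * the request falls through to the normal login sequence instead of running
	 * with an empty user name.
	 */
	static function DoLogin()
	{
		$operation = utils::ReadParam('loginop', '');
		session_start();

		if ($operation == 'logoff')
		{
			if (isset($_SESSION['login_mode']))
			{
				$sLoginMode = $_SESSION['login_mode'];
			}
			else
			{
				$aAllowedLoginTypes = utils::GetConfig()->GetAllowedLoginTypes();
				$sLoginMode = (count($aAllowedLoginTypes) > 0) ? $aAllowedLoginTypes[0] : 'form';
			}
			self::ResetSession();
			$oPage = new LoginWebPage();
			$oPage->DisplayLoginForm($sLoginMode, false /* not a failed attempt */);
			$oPage->output();
			exit;
		}

		// Password operations only make sense for an already authenticated user;
		// anybody else goes through Login(), which displays the login form.
		$bAuthenticated = isset($_SESSION['auth_user']);

		if ($bAuthenticated && ($operation == 'change_pwd'))
		{
			$sAuthUser = $_SESSION['auth_user'];
			UserRights::Login($sAuthUser); // Set the user's language
			$oPage = new LoginWebPage();
			$oPage->DisplayChangePwdForm();
			$oPage->output();
			exit;
		}

		if ($bAuthenticated && ($operation == 'do_change_pwd'))
		{
			$sAuthUser = $_SESSION['auth_user'];
			UserRights::Login($sAuthUser); // Set the user's language
			$sOldPwd = utils::ReadPostedParam('old_pwd');
			$sNewPwd = utils::ReadPostedParam('new_pwd');
			// NOTE(review): this form carries no anti-CSRF token; the old-password
			// check is the only thing tying the request to the user.
			if (UserRights::CanChangePassword())
			{
				if (!UserRights::CheckCredentials($sAuthUser, $sOldPwd) || !UserRights::ChangePassword($sOldPwd, $sNewPwd))
				{
					$oPage = new LoginWebPage();
					$oPage->DisplayChangePwdForm(true); // old pwd was wrong
					$oPage->output();
					exit;
				}
				// Remember the changed password, but only when it was actually changed
				// (previously it was stored even when the user was not allowed to change it).
				// NOTE(review): this keeps the clear-text password in the session; whether
				// anything reads $_SESSION['auth_pwd'] is not visible from here.
				$_SESSION['auth_pwd'] = $sNewPwd;
			}
			return;
		}

		self::Login();
	}
} // End of class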