EGOCMS  24.0
EGOTEC Content-Managament-System
Auth.php
gehe zur Dokumentation dieser Datei
1 <?php
6 require_once('rights/User_SQL.php');
7 
14 class Auth_Exception extends Exception
15 {
16  const LOGIN_REQUIRED = 1;
17  const LOGIN_REQUIRED_TEXT = 'Bitte melden Sie sich an.';
19  const WRONG_PASSWORD = 2;
20  const WRONG_PASSWORD_TEXT = 'Falscher Benutzername oder falsches Passwort.';
23  const LOGIN_DENIED = 3;
24  const LOGIN_DENIED_TEXT = 'Sie dürfen sich an diesem Server nicht anmelden.';
27  const WRONG_IP = 4;
28  const WRONG_IP_TEXT = 'Sie dürfen sich auf Grund der IP-Beschränkungen nicht anmelden';
31  const WRONG_TIME = 5;
32  const WRONG_TIME_TEXT = 'Sie dürfen sich auf Grund der Zeit-Beschränkung nicht anmelden';
35  const AUTH_ERROR = 6;
36  const AUTH_ERROR_TEXT = 'Fehlerhafte Konfiguration.';
39  const NO_MULTIPLE_LOGIN = 7;
40  const NO_MULTIPLE_LOGIN_TEXT = 'Dieser Benutzer befindet sich zur Zeit schon im System.';
43  const WRONG_PASSWORD_LIMIT = 8;
44  const WRONG_PASSWORD_LIMIT_TEXT = 'Das Passwort wurde zu oft falsch eingegeben.';
47  const CONCURRENT_USERS_LIMIT = 9;
48  const CONCURRENT_USERS_LIMIT_TEXT = 'Sie dürfen sich derzeit am System nicht anmelden, da die maximale Anzahl an gleichzeitigen Benutzern erreicht ist. Bitte versuchen Sie es später erneut.';
51  const PERMISSION_DENIED = 32;
52  const PERMISSION_DENIED_TEXT = 'Der Zugriff wird auf Grund fehlender Rechte verweigert.';
55  const MUST_CHANGE_PASSWORD = 64;
56  const MUST_CHANGE_PASSWORD_TEXT = 'Das Passwort muss geändert werden.';
59  const INVALID_LOGIN_PARAMETERS = 128;
60  const INVALID_LOGIN_PARAMETERS_TEXT = 'Bitte geben Sie einen Benutzernamen an.';
61 
62  const LOGIN_TIMED_OUT = 256;
63  const LOGIN_TIMED_OUT_TEXT = 'Ihre Anmeldung ist abgelaufen. Bitte melden Sie sich erneut an.';
64 
65  const LOST_PASSWORD = 256;
66  const LOST_PASSWORD_TEXT = 'Geben Sie die E-Mail Adresse des Benutzers an, für den ein neues Passwort angefordert werden soll.';
69  const LOST_PASSWORD_SUCCESS = 512;
70  const LOST_PASSWORD_SUCCESS_TEXT = 'Falls ein Benutzer mit der eingegebenen E-Mail Adresse gefunden wurde, hat dieser eine E-Mail mit den Anweisungen zum Zurücksetzen seines Passworts erhalten.';
73  const LOST_PASSWORD_DENIED = 1024;
74  const LOST_PASSWORD_DENIED_TEXT = 'Sie müssen mindestens 15 Minuten warten, bevor Sie eine weitere Anfrage durchführen können.';
77  const INVALID_NEW_PASSWORD = 2048;
78  const INVALID_NEW_PASSWORD_TEXT = 'Das angegebene Passwort ist ungültig. Bitte versuchen Sie es erneut.';
81  const PASSWORD_CHANGED = 4096;
82  const PASSWORD_CHANGED_TEXT = 'Das Passwort wurde geändert. Bitte melden Sie sich an.';
85  const TWO_FACTOR_AUTH_SETUP = 8192;
86  const TWO_FACTOR_AUTH_SETUP_TEXT = 'Bitte richten Sie die Zwei-Faktor-Authentifizierung ein.';
89  const TWO_FACTOR_AUTH_VERIFY = 16384;
90  const TWO_FACTOR_AUTH_VERIFY_TEXT = 'Bitte geben Sie den Code für die Zwei-Faktor-Authentifizierung ein.';
93  const TWO_FACTOR_AUTH_ERROR = 32768;
94  const TWO_FACTOR_AUTH_ERROR_TEXT = 'Der eingegebene Code ist ungültig. Bitte versuchen Sie es erneut.';
97  function __construct($text, $nr)
98  {
99  if ($nr == 2) // falsches Passwort
100  {
101  $bf_file = $GLOBALS['egotec_conf']['tmp_dir'].'wrong_pwd'.md5(Ego_System::getIp());
102  if(file_exists($bf_file))
103  {
104  [$s, $n] = explode(' ', file_get_contents($bf_file));
105  }
106  file_put_contents($bf_file, $s.' '.(++$n));
107  }
108  parent::__construct($text, $nr);
109  }
110 }
111 
120 class Auth
121 {
122  const LOGIN = 'login';
123  const LOGOUT = 'logout';
124  const ID = 'id';
125  const LOSTPW = 'lostpw';
126  const RESETPW = 'resetpw';
127  const WEBDAV = 'webdav';
128  const TWO_FACTOR_AUTH = 'tfa';
129  const NO_NULL_RIGHTS = ',child,edit,release,remove,view,workflow,live,linkto,';
130 
131  protected $_id = '';
132  public $user;
134  private static $_userRecord = array();
135  private $superUserFlag = null;
136 
137  public $isEditable = true;
147  public function __construct($force_login=false, $id='', $action='', $param=array())
148  {
149  $this->_id = $id;
150  if(isset($action))
151  {
152  switch ($action)
153  {
154  case Auth::LOGIN: // Benutzer anmeldem.
155  $this->reset();
156  $this->_id = $this->validate($param['username'], $param['password']);
157  $this->_id = $this->postValidate();
158  break;
159  case Auth::LOGOUT: // Benutzer abmelden.
160  $this->reset(true);
161  break;
162  case Auth::ID: // Als Benutzer über die ID anmelden.
163  $this->_id = $this->postValidate();
164  $this->clearCache();
165  break;
166  case AUTH::LOSTPW:
167  $param = array_merge([
168  'email' => $_REQUEST['email'],
169  'lostpw_lock' => true,
170  'lostpw_expire' => '+1 hour'
171  ], $param);
172  $this->lostPassword($param['email'], (bool) $param['lostpw_lock'], (string) $param['lostpw_expire']);
173  break;
174  case AUTH::RESETPW:
175  $param = array_merge([
176  'user_id' => $_REQUEST['user_id'],
177  'new_password1' => $_REQUEST['new_password1'],
178  'new_password2' => $_REQUEST['new_password2'],
179  ], $param);
180  if (
181  trim($param['new_password1']) == ''
182  || trim($param['new_password2']) == ''
183  || $param['new_password1'] != $param['new_password2']
184  ) {
185  throw new Auth_Exception(Auth_Exception::INVALID_NEW_PASSWORD_TEXT, Auth_Exception::INVALID_NEW_PASSWORD);
186  } else {
187  $this->_id = $param['user_id'];
188  $this->user = $this->_getUser();
189  $GLOBALS['auth'] = $this; // Hotfix: die Fehlermeldungen beim Passwort setzen müssen bereits übersetzbar sein
190 
191  if (($errors = self::checkPassword($param['new_password1'], $this->user->field['username'], true)) !== true) {
192  $this->_id = '';
193  $GLOBALS['check_password_errors'] = $errors;
194  throw new Auth_Exception(
195  Auth_Exception::INVALID_NEW_PASSWORD_TEXT,
196  Auth_Exception::INVALID_NEW_PASSWORD
197  );
198  } else {
199  $this->user->setPassword($param['new_password1']);
200  unset($this->user->extra['resetpw']);
201  $this->user->update();
202  throw new Auth_Exception(Auth_Exception::PASSWORD_CHANGED_TEXT, Auth_Exception::PASSWORD_CHANGED);
203  }
204  }
205  break;
206  case AUTH::TWO_FACTOR_AUTH:
207  // Code überprüfen
208  require_once 'auth/Ego_TwoFactorAuth.php';
209  $tfa = new Ego_TwoFactorAuth();
210 
211  $this->_id = $_SESSION['AUTH_VALIDATED'];
212  $this->user = $this->_getUser();
213  $secret = $this->user->extra['tfa_secret'] ?: $_SESSION['TFA_SECRET'];
214 
215  // Anmeldung abschließen
216  if ($tfa->verifyCode($secret, $param['verification'])) {
217  // Secret beim Benutzer speichern
218  if (empty($this->user->extra['tfa_secret']) && isset($_SESSION['TFA_SECRET'])) {
219  $this->user->extra['tfa_secret'] = $_SESSION['TFA_SECRET'];
220  unset($_SESSION['TFA_SECRET']);
221  $this->user->update();
222  }
223  } else {
224  throw new Auth_Exception(Auth_Exception::TWO_FACTOR_AUTH_ERROR_TEXT, Auth_Exception::TWO_FACTOR_AUTH_ERROR);
225  }
226  }
227  }
228  if (!$this->_id && $force_login)
229  {
230  throw new Auth_Exception(Auth_Exception::LOGIN_REQUIRED_TEXT, Auth_Exception::LOGIN_REQUIRED);
231  }
232  if ($this->_id)
233  {
234  if (!$action && $_SESSION['AUTH_TIME'][$this->_id] && $_SESSION['AUTH_TIME'][$this->_id]+$GLOBALS['egotec_conf']['auth_timeout']<time())
235  { // Timeout.
236  $this->reset(true);
237  throw new Auth_Exception(Auth_Exception::LOGIN_TIMED_OUT_TEXT, Auth_Exception::LOGIN_TIMED_OUT);
238  } elseif (
239  !empty($param['tfa'])
240  && $action == Auth::LOGIN
241  && empty($_SESSION['AUTH_TIME'])
242  && version_compare(PHP_VERSION, '8.1.0') >= 0 // Nur für PHP >= 8.1.0
243  && !$_SERVER['HTTP_X_UNIT_TEST'] // 2FA ignorieren, wenn der Aufruf vom Unittest stammt
244  )
245  {
246  // Zwei-Faktor-Authentifizierung ausführen
247  require_once 'auth/Ego_TwoFactorAuth.php';
248  $tfa = new Ego_TwoFactorAuth();
249 
250  if ($tfa->isEnabled($this->user))
251  {
252  // Erfolgreiche Anmeldung zwischenspeichern
253  $_SESSION['AUTH_VALIDATED'] = $this->_id;
254 
255  if (empty($this->user->extra['tfa_secret'])) {
256  // Einrichtung starten
257  $_SESSION['TFA_SECRET'] = $tfa->createSecret(128); // 80 Bits gelten als unsicher
258  throw new Auth_Exception(Auth_Exception::TWO_FACTOR_AUTH_SETUP_TEXT, Auth_Exception::TWO_FACTOR_AUTH_SETUP);
259  } else {
260  // Code anfordern
261  $_SESSION['TFA_SECRET'] = $this->user->extra['tfa_secret'];
262  throw new Auth_Exception(Auth_Exception::TWO_FACTOR_AUTH_VERIFY_TEXT, Auth_Exception::TWO_FACTOR_AUTH_VERIFY);
263  }
264  }
265  }
266 
267  // Anmeldung durchführen
268  if (!$this->user) {
269  $this->user = $this->_getUser();
270  }
271  $_SESSION['AUTH_TIME'][$this->_id] = time();
272 
273  if (in_array($action, array(Auth::LOGIN, Auth::ID)) && $GLOBALS['admin_area'] !== 'webdav')
274  {
275  $this->user->extra['Anzahl_login'] = ((int) $this->user->extra['Anzahl_login']) + 1;
276  $this->user->extra['Anzahl_login_'.$GLOBALS['site']->name] = ((int) $this->user->extra['Anzahl_login_'.$GLOBALS['site']->name]) + 1;
277  $sid = session_id();
278  $now = date('Y-m-d H:i:s');
279 
280  // Erfolgreiche Anmeldung merken
281  if (!empty($param['persist'])) {
282  unset($this->user->extra['auth_persist_expire']); // Ablaufdatum neu setzen
283  self::setAuthPersist($this->user);
284  }
285 
286  $this->user->update(array(
287  'sid' => $sid,
288  'last_login' => $now
289  ));
290  }
291  }
292  }
293 
299  public function reset($remove_cookie = false)
300  {
301  $this->clearCache();
302  unset($_SESSION['AUTH_TIME']);
303  unset($_SESSION['auth_id']);
304  unset($_SESSION['intranet_admin']);
305  unset($_SESSION['is_adoptuser']);
306  unset($_SESSION['login']);
307  unset($_SESSION['TFA_SECRET']);
308  if (!empty($GLOBALS['egotec_conf']['auth']['sso_logout'])) {
309  $_SESSION['logout'] = true; // Nach dem ersten Logout gibt es kein SSO mehr.
310  }
311  if ($this->_id)
312  {
313  $db = new_db_connection();
314  $db->delete(array(
315  'table' => 'egotec_page_lock',
316  'where' => 'user_id=\''.$this->_id.'\''
317  ));
318  $db->update(array(
319  'table' => 'egotec_user',
320  'set' => array('sid' => ''),
321  'where' => 'user_id=\''.$this->_id.'\''
322  ));
323  }
324  $this->_id = '';
325 
326  if ($remove_cookie) {
327  // Beim Logout werden auch die Cookies gelöscht
328  Ego_System::removeCookie(EGOTEC);
329  Ego_System::removeCookie(EGOTEC_SU);
330  Ego_System::removeCookie(EGOTEC_PERSIST);
331  }
332  }
333 
356  public function validate($username, $password) {
357  if (!$password) {
358  throw new Auth_Exception(Auth_Exception::WRONG_PASSWORD_TEXT, Auth_Exception::WRONG_PASSWORD);
359  }
360 
361  // Den Benutzer in der Datenbank abfragen
362  $db = new_db_connection(array(
363  'fields' => '*',
364  'from' => 'egotec_user',
365  'where' => 'LOWER(username) = LOWER(:username) AND deleted = 0',
366  'bind' => array(
367  'username' => $username
368  )
369  ));
370  $found = $db->nextRecord();
371 
372  // Optional: Anmeldung über die E-Mail erlauben
373  if (!$found && trim($username) != '' && $GLOBALS['egotec_conf']['auth']['email_login']) {
374  $db = new_db_connection(array(
375  'fields' => '*',
376  'from' => 'egotec_user',
377  'where' => 'LOWER(email) = LOWER(:email) AND deleted = 0',
378  'bind' => array(
379  'email' => $username
380  )
381  ));
382  $found = $db->nextRecord();
383  }
384 
385  if ($found) {
386  // Benutzer wurde gefunden
387  $id = $db->Record['user_id'];
388  $this->_id = $id;
389  $this->user = $this->_getUser();
390 
391  if (!$this->user->isPassword($password)) {
392  $this->_id = '';
393  throw new Auth_Exception(Auth_Exception::WRONG_PASSWORD_TEXT, Auth_Exception::WRONG_PASSWORD);
394  } elseif (!$this->user->field['salt']) {
395  // Salt setzen
396  $this->user->setPassword($password);
397  $this->user->update();
398  }
399 
400  return $id;
401  }
402  throw new Auth_Exception(Auth_Exception::WRONG_PASSWORD_TEXT, Auth_Exception::WRONG_PASSWORD);
403  }
404 
410  public function clearTrashUsers() {
411  // Nur Benutzer löschen, für die man Rechte besitzt
412  $users = $this->getTrashUsers();
413  foreach ($users as $user) {
414  $user = new User_SQL($user['user_id'], $user);
415  $user->destroy();
416  }
417  return $this->translate("Der Benutzer Papierkorb wurde geleert.");
418  }
419 
425  public function getTrashUsers() {
426  $db = new_db_connection();
427  $db->select(array(
428  'table' => 'egotec_user',
429  'where' => 'deleted = 1'
430  ));
431  $users = array();
432  while ($db->nextRecord()) {
433  if (!$this->hasSuperuserPermission(true, true)) {
434  $user = new User_SQL($db->Record['user_id']);
435  $rel = $user->getGroupRoleRelations();
436  if (!empty($rel)) { // Nicht zugeordnete Benutzer darf jeder bearbeiten
437  $next = true;
438  foreach ($rel as $group => $roles) {
439  $roles = explode(',', $roles);
440  foreach ($roles as $role) {
441  if ($this->hasPermission($group, $role, false, false, false)) {
442  $next = false;
443  break 2;
444  }
445  }
446  }
447  if ($next) {
448  continue;
449  }
450  }
451  }
452  $users[] = $db->Record;
453  }
454  return $users;
455  }
456 
460  public function postValidate()
461  {
462  if (!$this->_id)
463  {
464  return false;
465  }
466  try {
467  $this->user = new User_SQL($this->_id);
468  } catch (User_Exception $e) {
469  return false;
470  }
471 
472  $this->extra = $this->user->extra;
473 
482  $days = array("Mon","Tue","Wed","Thu","Fri","Sat","Sun");
483  $group_ips = array();
484  $user_ips = array();
485  $group_times = array();
486  $user_times = array();
487 
488  if ($this->user->extra['ip_rights'] != "")
489  {
490  $user_ip_arr = explode("\n", $this->user->extra['ip_rights']);
491  foreach ($user_ip_arr as $entry)
492  {
493  $entry = str_replace('*', '', $entry);
494  $entry = trim($entry);
495  if ($entry)
496  {
497  $user_ips['_'.$entry] = $entry;
498  }
499  }
500  }
501 
502  if ($this->user->extra['time_rights'] != '')
503  {
504  $user_time_arr = explode("\n", $this->user->extra['time_rights']);
505  foreach ($user_time_arr as $entry)
506  {
507  $day_arr = explode(" ",$entry);
508  $user_times[$day_arr[0]] = $day_arr[1];
509  }
510  }
511 
512  $db = new_db_connection(array(
513  'fields' => '*',
514  'from' => 'egotec_user_group',
515  'join' => array('egotec_group on egotec_group.group_id = egotec_user_group.group_id'),
516  'where' => "user_id='$this->_id'"
517  ));
518 
519  $groupDesc_arr = array();
520  do {
521  $groupDesc = str_replace("\n\r", "\n", $db->Record['group_descr']);
522  if (strpos($groupDesc, "\n\n")>=0)
523  {
524  $groupDesc_arr1 = explode("\n", $groupDesc);
525  foreach ($groupDesc_arr1 as $line)
526  {
527  if (trim($line)=='')
528  {
529  $add_flag = false;
530  }else
531  {
532  $groupDesc_arr[] = trim($line);
533  }
534  }
535  }
536  }while($db->nextRecord());
537 
538 
539 
540  if ($groupDesc_arr)
541  {
542  // die berschreibung durchgehen
543  foreach ($groupDesc_arr as $entry)
544  {
545  // check ob $entry eine IP ist
546  if (strpos($entry, 'IP:') === 0)
547  {
548  $entry = str_replace('IP:', '', $entry);
549  $entry = trim($entry);
550  $ip_arr = explode(' ',$entry);
551  $ip_arr[0] = trim(str_replace('*', '',$ip_arr[0]));
552  $group_ips['_'.$ip_arr[0]] = $ip_arr[0];
553  continue;
554  }
555 
556  // check ob $entry eine zeit ist
557  foreach ($days as $day)
558  {
559 
560  if (strpos($entry, "$day ") === 0)
561  { // wir haben einen tag
562  $group_times[] = $entry;
563  }
564  }
565  }
566  }
567 
568  $ips = array_merge($group_ips,$user_ips);
569  $times = array_merge($group_times,$user_times);
570 
571  // check ob die IP gleich der Session IP ist. bzw ob welche da sind
572  if (count($ips) > 0)
573  {
574  $ipcheck = false;
575  $currentIP = Ego_System::getIp();
576  foreach ($ips as $ip)
577  {
578  if (strpos($currentIP, $ip)===0)
579  {
580  $ipcheck = true;
581  break;
582  }
583  }
584 
585  if (!$ipcheck)
586  {
587  throw new Auth_Exception(Auth_Exception::WRONG_IP_TEXT, Auth_Exception::WRONG_IP);
588  }
589  }
590 
591  // check ob eine zeitbeschraenkung vorliegt bzw. ob der benutzer in diesem Zeit Frame ist
592  if (count($times) > 0)
593  {
594  $timecheck = false;
595 
596  // aktueller tag mit stunde
597  // Mon-10
598  //echo date('D-H'); exit;
599  $dayTime_arr = explode('-', date('D-H'));
600 
601  foreach($times as $entry)
602  {
603  $day_arr = explode(' ',$entry);
604  $day = $day_arr[0];
605  $time = $day_arr[1];
606  $time_arr = explode("-",$time);
607  $day_start = $time_arr[0];
608  $day_end = $time_arr[1];
609 
610  if($day == $dayTime_arr[0])
611  { //aktueller tag
612  if($dayTime_arr[1] < $day_start)
613  {
614  break; // frame hat noch nicht angefangen
615  }
616  elseif($dayTime_arr[1] >= $day_end)
617  {
618  break; // frame zu ende
619  }
620  else
621  {
622  // im zeit frame
623  $timecheck = true;
624  }
625  }
626  }
627 
628  if(!$timecheck)
629  {
630  throw new Auth_Exception(Auth_Exception::WRONG_TIME_TEXT, Auth_Exception::WRONG_TIME);
631  }
632  }
633  if (isset($GLOBALS['admin_area']) && $GLOBALS['egotec_conf']['liveserver'])
634  { // Auf einem Liveserver
635  if (!$this->user->extra['liveserver'])
636  {
637  throw new Auth_Exception(Auth_Exception::LOGIN_DENIED_TEXT, Auth_Exception::LOGIN_DENIED);
638  }
639  }
640  if ($this->user->isInactive() && !$this->user->extra['saml2']) {
641  // Ein inaktiver Benutzer kann sich nicht anmelden.
642  throw new Auth_Exception(Auth_Exception::WRONG_PASSWORD_TEXT, Auth_Exception::WRONG_PASSWORD);
643  }
644  if (!$this->user->getGroupRoleRelations()) {
645  // Nicht zugeordneter Benutzer kann sich nicht anmelden.
646  throw new Auth_Exception(Auth_Exception::LOGIN_DENIED_TEXT, Auth_Exception::LOGIN_DENIED);
647  }
648  if ($this->user->field['sid']
649  && !$this->user->field['multiple_login']
650  && $this->user->field['sid']!=$_COOKIE[EGOTEC]
651  && $this->user->isActive()
652  && $GLOBALS['admin_area'] != 'webdav'
653  ) {
654  // Meldet sich ein Benutzer mit einer neuen Session an, so wird die alte zerstört und der Benutzer angemeldet.
655  sess_destroy($this->user->field['sid']);
656  }
657  self::makeFlat($this->_id);
658  if ($GLOBALS['admin_area']) {
659  // Anmeldung über den Adminbereich
660  $_SESSION['login']['admin'] = true;
661  }
662  return $this->_id;
663  }
664 
670  function getId()
671  {
672  return $this->_id;
673  }
674 
680  public function getAnonymousId() {
681  return '#'.substr(
682  md5(Ego_System::getIp().$_SERVER['HTTP_USER_AGENT']),
683  1
684  ); // muss 32-Zeichen lang sein
685  }
686 
703  public function translate($string, $placeholders = array(), $language = null)
704  {
705  global $site;
706  require_once('smarty/Ego_Smarty.php');
707  require_once('smarty/plugins/block.t.php');
708  $smarty = $GLOBALS['smarty']?$GLOBALS['smarty']:new Ego_Smarty();
709 
710  if ($language) {
711  $params['language'] = $language;
712  } elseif (!$GLOBALS['admin_area']) {
713  $params['language'] = $site->language;
714  } else {
715  $params['language'] = $this->user&&$this->user->extra['lang']?$this->user->extra['lang']:'de';
716  }
717  $params['placeholders'] = $placeholders;
718  return smarty_block_t($params, $string, $smarty);
719  }
720 
734  function getPageTableQuery($page_table, $rights, $query=array(), $param=array())
735  {
736  $is_null = true;
737  if (is_array($rights))
738  {
739  if (sizeof($rights)>1)
740  {
741  $rights_condition = ' IN (\''.join('\',\'', $rights).'\')';
742  $is_null = false;
743  foreach ($rights as $right)
744  {
745  if (strpos(Auth::NO_NULL_RIGHTS, ','.$right.',')===false)
746  {
747  $is_null = true;
748  }
749  }
750  } else
751  {
752  $rights_condition = '=\''.$rights[0].'\'';
753  if (strpos(Auth::NO_NULL_RIGHTS, ','.$rights[0].',')!==false)
754  {
755  $is_null = false;
756  }
757  }
758  } else
759  {
760  $rights_condition = '=\''.$rights.'\'';
761  if (strpos(Auth::NO_NULL_RIGHTS, ','.$rights.',')!==false)
762  {
763  $is_null = false;
764  }
765  }
766  if ($param['user_id'])
767  {
768  $user_id = $param['user_id'];
769  self::makeFlat($user_id);
770  } else {
771  $user_id = $this->_id;
772  if ($this->hasSuperuserPermission())
773  { // Ein Superuser darf alles.
774  return $query;
775  }
776  }
777  $as_page_table = $query['page_table'] ?? $page_table;
778 
779  if (isset($query['join']) && !is_array($query['join'])) {
780  $query['join'] = [$query['join']];
781  egotec_deprecated_log('14.6.3'); // join muss als Array übergeben werden
782  }
783 
784  if ($user_id) {
785  $query['join'][] = $page_table . '_rights ON ' .
786  $page_table . '_rights.page_id=' . $as_page_table . '.id AND ' .
787  $page_table . '_rights.perm' . $rights_condition;
788  $query['join'][] = 'egotec_user_group_flat ON ' .
789  $page_table . '_rights.group_id=egotec_user_group_flat.group_id AND ' .
790  $page_table . '_rights.role_id=egotec_user_group_flat.role_id AND ' .
791  'egotec_user_group_flat.user_id=\'' . $user_id . '\'';
792  $query['join'][] = $page_table . '_users ON ' .
793  $page_table . '_users.page_id=' . $as_page_table . '.id AND ' .
794  $page_table . '_users.perm' . $rights_condition . ' AND ' .
795  $page_table . '_users.user_id=\'' . $user_id . '\'';
796  $query['where'] = ($query['where'] ? $query['where'] . ' AND ' : '') .
797  '(egotec_user_group_flat.user_id IS NOT NULL OR ' .
798  $page_table . '_rights.group_id=\'*\' OR ' .
799  $page_table . '_users.user_id IS NOT NULL' .
800  ($is_null ? ' OR ' . $page_table . '_rights.group_id IS NULL' : '') .
801  ($param['auth_or'] ? ' OR ' . $param['auth_or'] : '') . ')';
802  $query['distinct'] = 1;
803  } else { // Wenn keine Authentifizierung vorliegt, dann werden nur nicht beschränkte Seiten zurückgegeben.
804  $query['join'][] = $page_table . '_rights on ' . $page_table . '_rights.page_id=' . $as_page_table . '.id AND ' . $page_table . '_rights.perm ' . $rights_condition;
805  $query['where'] = ($query['where'] ? '(' . $query['where'] . ') AND ' : '') .
806  '(' . $page_table . "_rights.group_id='*' AND " . $page_table . "_rights.role_id='*')";
807  }
808 
809  return $query;
810  }
811 
839  function hasPermission($group, $role='', $flag=false, $user_id=false, $equal=true)
840  {
841  if ($this->superUserFlag && !$user_id) {
842  return true; // Der Superuser darf alles.
843  }
844  if (is_array($group))
845  {
846  $role = $group['role'];
847  $flag = $group['flag'];
848  $group = $group['group'];
849  }
850  if (!$group && !$role)
851  {
852  return true;
853  }
854  if (!$user_id)
855  {
856  $user_id = $this->_id;
857  }
858  if (!$flag)
859  { // Nur auf Mitgliedschaft in übergeordnete Gruppen prüfen.
860  $db = new_db_connection(array(
861  'from' => 'egotec_user_group'.
862  ($group?', egotec_group, egotec_group user_group':'').
863  ($role?', egotec_role, egotec_role user_role':''),
864  'where' => "egotec_user_group.user_id = '".$user_id."'
865  ".($group?" AND
866  egotec_user_group.group_id = user_group.group_id AND
867  egotec_group.group_id = '$group' AND
868  user_group.links <= egotec_group.links AND
869  user_group.rechts >= egotec_group.rechts
870  ":'').($role?" AND
871  egotec_user_group.role_id = user_role.role_id AND
872  egotec_role.role_id = '$role' AND
873  user_role.links <= egotec_role.links AND
874  user_role.rechts >= egotec_role.rechts
875  ":'').(!$equal && $group && $role ?" AND (
876  user_group.links != egotec_group.links OR
877  user_role.links != egotec_role.links)
878  ":'')
879  ));
880  } else
881  { // Auf Mitgliedschaft in über und untergeordneten Gruppen prüfen.
882  $db = new_db_connection(array(
883  'from' => 'egotec_user_group'.
884  ($group?', egotec_group, egotec_group user_group':'').
885  ($role?', egotec_role, egotec_role user_role':''),
886  'where' => "egotec_user_group.user_id = '".$user_id."'
887  ".($group?" AND
888  egotec_user_group.group_id = user_group.group_id AND
889  egotec_group.group_id = '$group' AND ( (
890  user_group.links <= egotec_group.links AND
891  user_group.rechts >= egotec_group.rechts
892  ) OR (
893  egotec_group.links <= user_group.links AND
894  egotec_group.rechts >= user_group.rechts
895  ) )
896  ":'').($role?" AND
897  egotec_user_group.role_id = user_role.role_id AND
898  egotec_role.role_id = '$role' AND ( (
899  user_role.links <= egotec_role.links AND
900  user_role.rechts >= egotec_role.rechts
901  ) OR (
902  egotec_role.links <= user_role.links AND
903  egotec_role.rechts >= user_role.rechts
904  ) )
905  ":'')
906  ));
907  }
908  return (bool) $db->next();
909  }
910 
918  public function hasPermissionOn($object, $equal = true) {
919  if (is_a($object, 'User_SQL')) {
920  $relations = $object->getGroupRoleRelations();
921  if (empty($relations)) {
922  // Für nicht zugeordnete Benutzer hat man immer Rechte
923  return true;
924  }
925  foreach ($relations as $group => $roles) {
926  foreach (explode(',', $roles) as $role) {
927  if ($this->hasPermission($group, $role, false, false, $equal)) {
928  return true;
929  }
930  }
931  }
932  } elseif (is_a($object, 'Group_SQL')) {
933  return $this->hasPermission($object->field['group_id']);
934  } elseif (is_a($object, 'Role_SQL')) {
935  return $this->hasPermission('', $object->field['role_id']);
936  }
937  return false;
938  }
939 
956  function hasSuperuserPermission($session = true, $recalc = false) {
957  if ($recalc) {
958  $this->superUserFlag = null;
959  } elseif ($GLOBALS['soap'] || $GLOBALS['rest']) {
960  $session = false;
961  }
962  if ($this->superUserFlag === null || !$session) {
963  $is_superuser = (!$session || $_COOKIE[EGOTEC_SU])
964  && $this->hasPermission(
965  $GLOBALS['egotec_conf']['superuser']['group'],
966  $GLOBALS['egotec_conf']['superuser']['role']
967  );
968 
969  if (!$session) {
970  // Wird der Superusermodus nicht abgefragt, wird nicht der Zwischenspeicher "superUserFlag" verwendet
971  return $is_superuser;
972  }
973  $this->superUserFlag = $is_superuser;
974  }
975  return $this->superUserFlag;
976  }
977 
983  function isSoapUser()
984  {
985  if ($this->user->extra['anrede'] == "SOAP")
986  {
987  return true;
988  } else {
989  return false;
990  }
991  }
992 
1007  function isNobody()
1008  {
1009  return $this->_id==NULL;
1010  }
1011 
1034  function checkSuperuserPermission()
1035  {
1036  return $this->checkPermission($GLOBALS['egotec_conf']['superuser']['group'], $GLOBALS['egotec_conf']['superuser']['role']);
1037  }
1038 
1066  function checkPermission($group, $role='', $flag = false)
1067  {
1068  if ($this->hasPermission($group, $role, $flag))
1069  {
1070  return true;
1071  } else
1072  {
1073  throw new Auth_Exception(Auth_Exception::PERMISSION_DENIED_TEXT, Auth_Exception::PERMISSION_DENIED);
1074  }
1075  }
1076 
1091  public static function getLanguages()
1092  {
1093  $languages = array();
1094  $handle = opendir($GLOBALS['egotec_conf']['lib_dir'].'locale');
1095  while ($file = readdir ($handle))
1096  {
1097  if ($file[0] != '.'&& $file != 'blocks')
1098  {
1099  $languages[] = $file;
1100  }
1101  }
1102  closedir($handle);
1103 
1104  if(Ego_System::file_exists($GLOBALS['egotec_conf']['var_dir'].'lib/locale'))
1105  {
1106  $handle2 = opendir($GLOBALS['egotec_conf']['var_dir'].'lib/locale');
1107  while ($file = readdir ($handle2))
1108  {
1109  if ($file[0] != '.' && $file != 'blocks')
1110  {
1111  $languages[] = $file;
1112  }
1113  }
1114  closedir($handle2);
1115  }
1116  sort($languages);
1117  return array_unique($languages);
1118  }
1119 
1135  static function getUserRecord($user_id)
1136  {
1137  if (isset(Auth::$_userRecord[$user_id]))
1138  {
1139  return Auth::$_userRecord[$user_id];
1140  }
1141  $db = new_db_connection(array(
1142  'table' => 'egotec_user',
1143  'where' => "user_id='".$user_id."'"
1144  ));
1145  if ($db->nextRecord())
1146  {
1147  $user_record = $db->Record;
1148  $user_record['extra'] = unserialize($user_record['extra']);
1149 
1150  try {
1151  require_once('rights/User_SQL.php');
1152  $user = new User_SQL($user_id, $db->Record);
1153  $user_record['fullname'] = $user->getFullname();
1154  } catch (User_Exception $e) {
1155  // ignorieren
1156  }
1157  } else
1158  {
1159  $user_record = array('username' => $GLOBALS['auth']->translate('unbekannt'));
1160  $user_record['fullname'] = $user_record['username'];
1161  }
1162  AUTH::$_userRecord[$user_id] = $user_record;
1163  return $user_record;
1164  }
1165 
1211  static function getUsers($rights, $users=array(), $direct_flag=false)
1212  {
1213  require_once('rights/User_Iterator.php');
1214  if ($rights)
1215  {
1216  $query = array();
1217  if ($direct_flag)
1218  {
1219  $query['distinct'] = true;
1220  $query['fields'] = 'egotec_user.*';
1221  $query['table'] = 'egotec_user';
1222  $query['join'][] = 'egotec_user_group ON egotec_user.user_id = egotec_user_group.user_id';
1223  $where = array();
1224  foreach ($rights as $right)
1225  {
1226  $where[] = "egotec_user_group.group_id='".$right['group_id']."' AND egotec_user_group.role_id='".$right['role_id']."'";
1227  }
1228  $query['where'] = '('.join(') OR (', $where).')';
1229  } else
1230  {
1231  $query['distinct'] = true;
1232  $query['fields'] = 'egotec_user.*';
1233  $query['from'] = 'egotec_user';
1234  $query['join'][] = 'egotec_user_group ON egotec_user_group.user_id = egotec_user.user_id';
1235  $query['join'][] = 'egotec_group direct_group ON egotec_user_group.group_id = direct_group.group_id';
1236  $query['join'][] = "egotec_group ON egotec_group.links >= direct_group.links AND egotec_group.rechts <= direct_group.rechts";
1237  $query['join'][] = 'egotec_role direct_role ON egotec_user_group.role_id = direct_role.role_id';
1238  $query['join'][] = "egotec_role ON egotec_role.links >= direct_role.links AND egotec_role.rechts <= direct_role.rechts";
1239  $where = array();
1240  foreach ($rights as $right)
1241  {
1242  $where[] = "egotec_group.group_id='".$right['group_id']."' AND egotec_role.role_id='".$right['role_id']."'";
1243  }
1244  $query['where'] = '('.join(') OR (', $where).')';
1245  }
1246  if ($users)
1247  {
1248  $query2['fields'] = 'egotec_user.*';
1249  $query2['table'] = 'egotec_user';
1250  foreach ($users as $user)
1251  {
1252  if (is_array($user)) {
1253  $user_ids[] = $user['user_id'];
1254  } else {
1255  $user_ids[] = $user;
1256  }
1257  }
1258  $query2['where'] = "user_id IN ('".join("','", $user_ids)."')";
1259  return new User_Iterator(new_db_connection(array(
1260  'union' => array($query, $query2)
1261  )));
1262  } else {
1263  return new User_Iterator(new_db_connection($query));
1264  }
1265  } elseif ($users)
1266  {
1267  foreach ($users as $user)
1268  {
1269  if (is_array($user)) {
1270  $user_ids[] = $user['user_id'];
1271  } else {
1272  $user_ids[] = $user;
1273  }
1274  }
1275  $db = new_db_connection(array(
1276  'fields' => '*',
1277  'table' => 'egotec_user',
1278  'where' => "user_id IN ('".join("','", $user_ids)."')"
1279  ));
1280  return new User_Iterator($db);
1281  } else
1282  {
1283  return new User_Iterator();
1284  }
1285  }
1286 
1290  function clearCache()
1291  {
1292  if ($this->_id)
1293  {
1294  $cache_dir = $GLOBALS['egotec_conf']['cache_dir'].'_user/'.$this->_id;
1295  Ego_System::deldir($cache_dir);
1296  }
1297  }
1298 
1307  static function checkPassword($pwd, $name=0, $return_text=false)
1308  {
1309  $min_len = $GLOBALS['egotec_conf']['auth']['min_passw_chars'];
1310  $min_upper = $GLOBALS['egotec_conf']['auth']['min_big_chars'];
1311  $min_lower = $GLOBALS['egotec_conf']['auth']['min_small_chars'];
1312  $min_numbers = $GLOBALS['egotec_conf']['auth']['min_digits'];
1313  $min_special = $GLOBALS['egotec_conf']['auth']['min_extra_chars'];
1314  $max_same_chars = ($GLOBALS['egotec_conf']['auth']['no_chars_from_username'])?$GLOBALS['egotec_conf']['auth']['no_chars_from_username']-1:false;
1315  $min_erfuellt = ($GLOBALS['egotec_conf']['auth']['min_ok_parameters'])?$GLOBALS['egotec_conf']['auth']['min_ok_parameters']:0; // Alle müssen stimmen
1316 
1317  $nicht_erfuellt = array();
1318 
1319  $erfuellt = 0;
1320  if ($min_len)
1321  {
1322  if (strlen($pwd) >= $min_len) $erfuellt++;
1323  else $nicht_erfuellt[] = $return_text
1324  ? $GLOBALS['auth']->translate('Das Passwort ist zu kurz (vorgegeben: %n).', array('n' => $min_len))
1325  : 'min_len';
1326  }
1327  if ($min_upper)
1328  {
1329  $anz=0;
1330  for($i=0;$i<strlen($pwd);$i++)
1331  {
1332  $ascii = ord($pwd[$i]); // Ascii-Wert eines einzelnen Zeichens
1333  if ($ascii > 64 && $ascii < 91) $anz++;
1334  }
1335  if ($anz >= $min_upper) $erfuellt++;
1336  else $nicht_erfuellt[] = $return_text
1337  ? $GLOBALS['auth']->translate('Das Passwort hat zu wenige Großbuchstaben (vorgegeben: %n).', array('n' => $min_upper))
1338  : 'min_upper';
1339  }
1340  if ($min_lower)
1341  {
1342  $anz=0;
1343  for($i=0;$i<strlen($pwd);$i++)
1344  {
1345  $ascii = ord($pwd[$i]); // Ascii-Wert eines einzelnen Zeichens
1346  if ($ascii > 96 && $ascii < 123) $anz++;
1347  }
1348  if ($anz >= $min_lower) $erfuellt++;
1349  else $nicht_erfuellt[] = $return_text
1350  ? $GLOBALS['auth']->translate('Das Passwort hat zu wenige Kleinbuchstaben (vorgegeben: %n).', array('n' => $min_lower))
1351  : 'min_lower';
1352  }
1353  if ($min_numbers)
1354  {
1355  $anz=0;
1356  for($i=0;$i<strlen($pwd);$i++)
1357  {
1358  $ascii = ord($pwd[$i]); // Ascii-Wert eines einzelnen Zeichens
1359  if ($ascii > 47 && $ascii < 58) $anz++;
1360  }
1361  if ($anz >= $min_numbers) $erfuellt++;
1362  else $nicht_erfuellt[] = $return_text
1363  ? $GLOBALS['auth']->translate('Das Passwort hat zu wenige Zahlen (vorgegeben: %n).', array('n' => $min_numbers))
1364  : 'min_numbers';
1365  }
1366  if ($min_special)
1367  {
1368  $anz=0;
1369  for($i=0;$i<strlen($pwd);$i++)
1370  {
1371  $ascii = ord($pwd[$i]); // Ascii-Wert eines einzelnen Zeichens
1372  if (
1373  ($ascii > 31 && $ascii < 48) ||
1374  ($ascii > 57 && $ascii < 65) ||
1375  ($ascii > 90 && $ascii < 95) ||
1376  ($ascii > 122 && $ascii < 127)
1377  ) $anz++;
1378  }
1379  if ($anz >= $min_special) $erfuellt++;
1380  else $nicht_erfuellt[] = $return_text
1381  ? $GLOBALS['auth']->translate('Das Passwort hat zu wenige Sonderzeichen (vorgegeben: %n).', array('n' => $min_special))
1382  : 'min_special';
1383  }
1384 
1385  // zählen wie oft ein zeichen aus dem namen genommen wird
1386  if ($name)
1387  {
1388  if ($max_same_chars !== false)
1389  {
1390  $same_chars = 0;
1391  for ($i=0;$i<strlen($pwd);$i++)
1392  {
1393  for ($ii=0;$ii<strlen($name);$ii++)
1394  {
1395  if ($name[$ii] == $pwd[$i])
1396  {
1397  $same_chars++;
1398  }
1399  }
1400  }
1401  if ($same_chars <= $max_same_chars) $erfuellt++;
1402  else $nicht_erfuellt[] = $return_text
1403  ? $GLOBALS['auth']->translate('Das Passwort hat zu viele Zeichen aus dem Benutzernamen (vorgegeben: %n).', array('n' => $max_same_chars))
1404  : 'same_chars';
1405  }
1406  }
1407 
1408  // Ausschlussliste prüfen
1409  if (file_exists($GLOBALS['egotec_conf']['var_dir'].'conf/pw_exclusion_list.txt'))
1410  {
1411  $words_array = file($GLOBALS['egotec_conf']['var_dir'].'conf/pw_exclusion_list.txt');
1412  if ($words_array)
1413  {
1414  foreach ($words_array as $word)
1415  {
1416  if ($pwd == trim($word,"\n\r"))
1417  {
1418  return array(
1419  $return_text
1420  ? $GLOBALS['auth']->translate('Das Passwort darf nicht verwendet werden.')
1421  : 'pw_exclusion_list'
1422  );
1423  }
1424  }
1425  }
1426  }
1427 
1428  if ($min_erfuellt == 0)
1429  { // alles muss erfuellt werden
1430  if (sizeof($nicht_erfuellt) == 0)
1431  {
1432  return true;
1433  }
1434  } else if ($erfuellt >= $min_erfuellt)
1435  {
1436  return true;
1437  }
1438 
1439  return $nicht_erfuellt;
1440  }
1441 
1451  private function lostPassword($email, $lock = false, $expire = '') {
1452  if (empty($email)) {
1453  throw new Auth_Exception(Auth_Exception::LOST_PASSWORD_TEXT, Auth_Exception::LOST_PASSWORD);
1454  }
1455 
1456  // Passwort zurücksetzen ist nur einmal alle 15 Minuten pro IP möglich
1457  $lock_file = $GLOBALS['egotec_conf']['tmp_dir'] . 'LOSTPW.LOCK';
1458  if ($lock && ($data = Ego_System::file_get_contents($lock_file))) {
1459  $data = unserialize($data);
1460  if (isset($data[md5(Ego_System::getIp())]) && $data[md5(Ego_System::getIp())] + 900 > time()) {
1461  throw new Auth_Exception(Auth_Exception::LOST_PASSWORD_DENIED_TEXT, Auth_Exception::LOST_PASSWORD_DENIED);
1462  }
1463  }
1464 
1465  $db = new_db_connection([
1466  'table' => 'egotec_user',
1467  'where' => 'email = :email AND deleted = 0',
1468  'bind' => [
1469  'email' => $email
1470  ]
1471  ]);
1472  while ($db->nextRecord()) {
1473  // Der Benutzer wurde gefunden
1474  $user = new User_SQL($db->Record['user_id'], $db->Record);
1475  if ($user->isInactive()) {
1476  // Wenn ein inaktiver Benutzer gefunden wurde, dann mit dem nächsten versuchen
1477  continue;
1478  }
1479 
1480  // Eindeutigen Hash generieren
1481  $hash = md5(microtime() . $db->Record['user_id']);
1482  $user->extra['resetpw'] = [
1483  'expire' => date('Y-m-d H:i:s', strtotime($expire)),
1484  'hash' => $hash
1485  ];
1486  $user->update();
1487 
1488  // Passwort zurücksetzen Link generieren
1489  $url = Ego_System::getProtocol() . $_SERVER['HTTP_HOST'] . '/admin.php?resetpw=' . $hash;
1490  $url = '<a href="' . $url . '">' . $url . '</a>';
1491 
1492  // E-Mail an den Benutzer senden
1493  if (
1494  $user->field['email']
1495  && (
1496  (
1497  ($lang = $user->extra['lang'])
1498  && Ego_System::file_exists($template = $GLOBALS['egotec_conf']['var_dir'].'lib/mail/auth/lostPassword.'.$lang.'.xml')
1499  )
1500  || Ego_System::file_exists($template = $GLOBALS['egotec_conf']['var_dir'].'lib/mail/auth/lostPassword.de.xml')
1501  )
1502  ) {
1503  require_once 'base/template/Ego_Template_Mail.php';
1504  $mail = new Ego_Template_Mail('file:'.$template);
1505  $mail->addRecipients(['default' => [
1506  'text' => [$user->field['email']]
1507  ]]);
1508  $mail->setPlaceholders([
1509  'user' => $user->field['username'],
1510  'email' => $user->field['email'],
1511  'anrede' => $user->extra['anrede'],
1512  'vorname' => $user->extra['vorname'],
1513  'name' => $user->extra['name'],
1514  'date' => $user->extra['resetpw']['expire'],
1515  'hash' => $hash,
1516  'url' => $url,
1517  ]);
1518  $mail->send();
1519  } else {
1520  $user->sendMail([
1521  'subject' => $this->translate('Ihre Anfrage zum Zurücksetzen Ihres Passworts'),
1522  'message' => $this->translate('Es wurde eine Anfrage zum Zurücksetzen Ihres Passworts gestellt. Sollten Sie diese Anfrage nicht gestellt haben, ignorieren Sie einfach diese E-Mail.')
1523  . "\r\n\r\n"
1524  . $this->translate('Über folgenden Link können Sie ein neues Passwort erstellen. Dieser Link ist gültig bis %date:', ['date' => $user->extra['resetpw']['expire']])
1525  . "\r\n\r\n"
1526  . $url
1527  ]);
1528  }
1529 
1530  // Nur den ersten aktiven gefundenen Benutzer benachrichtigen
1531  break;
1532  }
1533 
1534  // Weitere Abfragen von dieser IP für eine Stunde blockieren
1535  if ($lock) {
1536  if (!isset($data)) {
1537  $data = [];
1538  }
1539  $data[md5(Ego_System::getIp())] = time();
1540  Ego_System::file_put_contents($lock_file, serialize($data));
1541  }
1542 
1543  unset($_REQUEST['doauth']);
1544  throw new Auth_Exception(Auth_Exception::LOST_PASSWORD_SUCCESS_TEXT, Auth_Exception::LOST_PASSWORD_SUCCESS);
1545  }
1546 
1552  public function getAllGroups()
1553  {
1554  $db = new_db_connection(
1555  array(
1556  'fields' => 'group_id',
1557  'table' => 'egotec_group'
1558  )
1559  );
1560  return new Group_Iterator($db);
1561  }
1562 
1568  public function getAllRoles()
1569  {
1570  $db = new_db_connection(
1571  array(
1572  'fields' => 'role_id',
1573  'table' => 'egotec_role'
1574  )
1575  );
1576  return new Role_Iterator($db);
1577  }
1578 
1584  protected function _getUser()
1585  {
1586  require_once('rights/User_SQL.php');
1587  return new User_SQL($this->_id);
1588  }
1589 
1595  public static function makeFlat($id) {
1596  $clear_cache = false; // Bei Änderungen der Rechte muss der Cache geleert werden
1597 
1598  // Die Tabelle mit der flachen Rechteprüfung mit den Berechtigungen des Benutzers füttern.
1599  $db = new_db_connection(array(
1600  'fields' => 'egotec_group.group_id AS group_id, egotec_role.role_id AS role_id',
1601  'table' => 'egotec_user_group',
1602  'where' => 'egotec_user_group.user_id=:userid',
1603  'join' => array(
1604  'egotec_group direct_group ON direct_group.group_id=egotec_user_group.group_id', // Aus der direkt eingetragenen Gruppe alle
1605  'egotec_group ON egotec_group.links>=direct_group.links AND egotec_group.rechts<=direct_group.rechts', // untergeordneten Gruppen bestimmen.
1606  'egotec_role direct_role ON direct_role.role_id=egotec_user_group.role_id', // Aus der direkt eingetragenen Rolle alle
1607  'egotec_role ON egotec_role.links>=direct_role.links AND egotec_role.rechts<=direct_role.rechts' // untergeordneten Rollen bestimmen.
1608  ),
1609  'bind' => array(
1610  'userid' => $id
1611  )
1612  ));
1613 
1617  $db2 = new_db_connection(array(
1618  'fields' => 'group_id, role_id',
1619  'table' => 'egotec_user_group_flat',
1620  'where' => 'user_id=:userid',
1621  'bind' => array(
1622  'userid' => $id
1623  )
1624  ));
1625  $old_rights = array();
1626  while ($db2->nextRecord()) {
1627  $old_rights[$db2->Record['group_id']."####".$db2->Record['role_id']] = 1;
1628  }
1629 
1630  $db2->begin();
1631 
1635  while ($db->nextRecord()) {
1636  if (empty($old_rights[$db->Record['group_id']."####".$db->Record['role_id']])) { // Wenn die Berechtigung nicht existiert => insert
1637  $db->Record['user_id'] = $id;
1638  if (
1639  $db->Record['group_id'] != '*'
1640  && $db->Record['role_id'] != '*'
1641  && !empty($db->Record['group_id'])
1642  && !empty($db->Record['role_id'])
1643  ) {
1644  $db2->insert(array(
1645  'table' => 'egotec_user_group_flat',
1646  'set' => $db->Record,
1647  'nobackup' => 1
1648  ));
1649  $clear_cache = true;
1650  }
1651  }
1652  // group / role merken
1653  $old_rights[$db->Record['group_id']."####".$db->Record['role_id']] = 2; // keine doppelten inserts (duplicate entry Fehler)
1654  }
1655 
1659  foreach ($old_rights as $key => $val) {
1660  if ($val == 1 && $key != "*####*") {
1661  $rights = explode("####", $key);
1662  $db2->delete(array(
1663  'table' => 'egotec_user_group_flat',
1664  'where' => 'user_id=\''.$id.'\' AND group_id=\''.$rights[0].'\' AND role_id=\''.$rights[1].'\'',
1665  'nobackup' => 1
1666  ));
1667  $clear_cache = true;
1668  }
1669  }
1670 
1671  // gibt es * / * noch nicht => insert
1672  if (!isset($old_rights["*####*"])) {
1673  $db2->insert(array(
1674  'table' => 'egotec_user_group_flat',
1675  'set' => array(
1676  'group_id' => '*',
1677  'role_id' => '*',
1678  'user_id' => $id
1679  ),
1680  'nobackup' => 1
1681  ));
1682  }
1683 
1684  $db2->commit();
1685 
1686  if ($clear_cache) {
1687  Ego_System::clearCacheAllSites();
1688  }
1689  }
1690 
1698  public static function makeFlatSuperusers() {
1699  require_once 'rights/Group_SQL.php';
1700  $root = new Group_SQL($GLOBALS['egotec_conf']['superuser']['group']);
1701  foreach ($root->getAllUsers() as $user) {
1702  if ($user->hasGroupRoleRelation(
1703  $GLOBALS['egotec_conf']['superuser']['group'],
1704  $GLOBALS['egotec_conf']['superuser']['role']
1705  )) {
1706  self::makeFlat($user->field['user_id']);
1707  }
1708  }
1709  Ego_System::clearCacheAllSites();
1710  }
1711 
1717  public static function getFirstSuperuser() {
1718  require_once 'rights/Group_SQL.php';
1719  $root = new Group_SQL($GLOBALS['egotec_conf']['superuser']['group']);
1720  foreach ($root->getAllUsers() as $user) {
1721  if (
1722  empty($user->field['no_admin'])
1723  && $user->hasGroupRoleRelation(
1724  $GLOBALS['egotec_conf']['superuser']['group'],
1725  $GLOBALS['egotec_conf']['superuser']['role']
1726  )
1727  ) {
1728  return $user;
1729  }
1730  }
1731  return null;
1732  }
1733 
1740  public static function setAuthPersist(User_SQL $user) {
1741  // Einstellungen ermitteln
1742  $conf = [
1743  'expire' => (int) $GLOBALS['egotec_conf']['auth']['persist_days'],
1744  'refresh' => isset($GLOBALS['egotec_conf']['auth']['persist_refresh'])
1745  ];
1746 
1747  // Der Mandant überschreibt die Einstellungen
1748  if (isset($GLOBALS['site']) && !empty($GLOBALS['site']->admin['auth']['persist_overwrite'])) {
1749  $conf = [
1750  'expire' => (int) $GLOBALS['site']->admin['auth']['persist_days'],
1751  'refresh' => isset($GLOBALS['site']->admin['auth']['persist_refresh'])
1752  ];
1753  }
1754 
1755  // Token bestimmen
1756  $persist_token = sha1(rand() ^ date('U'));
1757  $user->extra['auth_persist_token'] = $persist_token;
1758 
1759  // Ablaufdatum bestimmen
1760  $persist_expire = (int) $user->extra['auth_persist_expire'];
1761  if ($conf['refresh'] || !$persist_expire) {
1762  $persist_expire = strtotime('+' . ($conf['expire'] ?: 30) . ' days');
1763  $user->extra['auth_persist_expire'] = $persist_expire;
1764  }
1765 
1766  // Cookie setzen
1767  Ego_System::setCookie(EGOTEC_PERSIST, $persist_token, $persist_expire);
1768  }
1769 }
1770 ?>
Auth_Exception
Definition: Auth.php:15
Auth_Exception\NO_MULTIPLE_LOGIN
const NO_MULTIPLE_LOGIN
Definition: Auth.php:39
Auth_Exception\CONCURRENT_USERS_LIMIT_TEXT
const CONCURRENT_USERS_LIMIT_TEXT
Definition: Auth.php:48
Auth_Exception\LOGIN_REQUIRED_TEXT
const LOGIN_REQUIRED_TEXT
Definition: Auth.php:17
Auth_Exception\LOGIN_TIMED_OUT
const LOGIN_TIMED_OUT
Definition: Auth.php:62
Auth_Exception\LOST_PASSWORD_TEXT
const LOST_PASSWORD_TEXT
Definition: Auth.php:66
Auth_Exception\PERMISSION_DENIED
const PERMISSION_DENIED
Definition: Auth.php:51
Auth_Exception\WRONG_PASSWORD
const WRONG_PASSWORD
Definition: Auth.php:19
Auth_Exception\WRONG_IP
const WRONG_IP
Definition: Auth.php:27
Auth_Exception\LOST_PASSWORD_DENIED
const LOST_PASSWORD_DENIED
Definition: Auth.php:73
Auth_Exception\__construct
__construct($text, $nr)
Definition: Auth.php:97
Auth_Exception\WRONG_IP_TEXT
const WRONG_IP_TEXT
Definition: Auth.php:28
Auth_Exception\WRONG_TIME_TEXT
const WRONG_TIME_TEXT
Definition: Auth.php:32
Auth_Exception\LOST_PASSWORD_DENIED_TEXT
const LOST_PASSWORD_DENIED_TEXT
Definition: Auth.php:74
Auth_Exception\LOGIN_REQUIRED
const LOGIN_REQUIRED
Definition: Auth.php:16
Auth_Exception\AUTH_ERROR
const AUTH_ERROR
Definition: Auth.php:35
Auth_Exception\LOGIN_DENIED
const LOGIN_DENIED
Definition: Auth.php:23
Auth_Exception\CONCURRENT_USERS_LIMIT
const CONCURRENT_USERS_LIMIT
Definition: Auth.php:47
Auth_Exception\WRONG_PASSWORD_LIMIT
const WRONG_PASSWORD_LIMIT
Definition: Auth.php:43
Auth_Exception\PASSWORD_CHANGED
const PASSWORD_CHANGED
Definition: Auth.php:81
Auth_Exception\TWO_FACTOR_AUTH_ERROR
const TWO_FACTOR_AUTH_ERROR
Definition: Auth.php:93
Auth_Exception\AUTH_ERROR_TEXT
const AUTH_ERROR_TEXT
Definition: Auth.php:36
Auth_Exception\NO_MULTIPLE_LOGIN_TEXT
const NO_MULTIPLE_LOGIN_TEXT
Definition: Auth.php:40
Auth_Exception\PERMISSION_DENIED_TEXT
const PERMISSION_DENIED_TEXT
Definition: Auth.php:52
Auth_Exception\TWO_FACTOR_AUTH_VERIFY_TEXT
const TWO_FACTOR_AUTH_VERIFY_TEXT
Definition: Auth.php:90
Auth_Exception\TWO_FACTOR_AUTH_ERROR_TEXT
const TWO_FACTOR_AUTH_ERROR_TEXT
Definition: Auth.php:94
Auth_Exception\LOST_PASSWORD_SUCCESS_TEXT
const LOST_PASSWORD_SUCCESS_TEXT
Definition: Auth.php:70
Auth_Exception\MUST_CHANGE_PASSWORD_TEXT
const MUST_CHANGE_PASSWORD_TEXT
Definition: Auth.php:56
Auth_Exception\LOGIN_TIMED_OUT_TEXT
const LOGIN_TIMED_OUT_TEXT
Definition: Auth.php:63
Auth_Exception\WRONG_PASSWORD_LIMIT_TEXT
const WRONG_PASSWORD_LIMIT_TEXT
Definition: Auth.php:44
Auth_Exception\INVALID_LOGIN_PARAMETERS_TEXT
const INVALID_LOGIN_PARAMETERS_TEXT
Definition: Auth.php:60
Auth_Exception\MUST_CHANGE_PASSWORD
const MUST_CHANGE_PASSWORD
Definition: Auth.php:55
Auth_Exception\TWO_FACTOR_AUTH_SETUP
const TWO_FACTOR_AUTH_SETUP
Definition: Auth.php:85
Auth_Exception\TWO_FACTOR_AUTH_VERIFY
const TWO_FACTOR_AUTH_VERIFY
Definition: Auth.php:89
Auth_Exception\LOST_PASSWORD
const LOST_PASSWORD
Definition: Auth.php:65
Auth_Exception\WRONG_PASSWORD_TEXT
const WRONG_PASSWORD_TEXT
Definition: Auth.php:20
Auth_Exception\TWO_FACTOR_AUTH_SETUP_TEXT
const TWO_FACTOR_AUTH_SETUP_TEXT
Definition: Auth.php:86
Auth_Exception\LOGIN_DENIED_TEXT
const LOGIN_DENIED_TEXT
Definition: Auth.php:24
Auth_Exception\WRONG_TIME
const WRONG_TIME
Definition: Auth.php:31
Auth_Exception\INVALID_LOGIN_PARAMETERS
const INVALID_LOGIN_PARAMETERS
Definition: Auth.php:59
Auth_Exception\INVALID_NEW_PASSWORD
const INVALID_NEW_PASSWORD
Definition: Auth.php:77
Auth_Exception\INVALID_NEW_PASSWORD_TEXT
const INVALID_NEW_PASSWORD_TEXT
Definition: Auth.php:78
Auth_Exception\PASSWORD_CHANGED_TEXT
const PASSWORD_CHANGED_TEXT
Definition: Auth.php:82
Auth_Exception\LOST_PASSWORD_SUCCESS
const LOST_PASSWORD_SUCCESS
Definition: Auth.php:69
Auth
Definition: Auth.php:121
Auth\ID
const ID
Definition: Auth.php:124
Auth\getId
getId()
Definition: Auth.php:670
Auth\getAnonymousId
getAnonymousId()
Definition: Auth.php:680
Auth\isSoapUser
isSoapUser()
Definition: Auth.php:983
Auth\checkSuperuserPermission
checkSuperuserPermission()
Definition: Auth.php:1034
Auth\clearTrashUsers
clearTrashUsers()
Definition: Auth.php:410
Auth\checkPassword
static checkPassword($pwd, $name=0, $return_text=false)
Definition: Auth.php:1307
Auth\makeFlatSuperusers
static makeFlatSuperusers()
Definition: Auth.php:1698
Auth\getAllGroups
getAllGroups()
Definition: Auth.php:1552
Auth\getFirstSuperuser
static getFirstSuperuser()
Definition: Auth.php:1717
Auth\hasSuperuserPermission
hasSuperuserPermission($session=true, $recalc=false)
Definition: Auth.php:956
Auth\$user
$user
Definition: Auth.php:132
Auth\setAuthPersist
static setAuthPersist(User_SQL $user)
Definition: Auth.php:1740
Auth\$_id
$_id
Definition: Auth.php:131
Auth\_getUser
_getUser()
Definition: Auth.php:1584
Auth\NO_NULL_RIGHTS
const NO_NULL_RIGHTS
Definition: Auth.php:129
Auth\getUserRecord
static getUserRecord($user_id)
Definition: Auth.php:1135
Auth\TWO_FACTOR_AUTH
const TWO_FACTOR_AUTH
Definition: Auth.php:128
Auth\makeFlat
static makeFlat($id)
Definition: Auth.php:1595
Auth\LOGIN
const LOGIN
Definition: Auth.php:122
Auth\WEBDAV
const WEBDAV
Definition: Auth.php:127
Auth\__construct
__construct($force_login=false, $id='', $action='', $param=array())
Definition: Auth.php:147
Auth\getTrashUsers
getTrashUsers()
Definition: Auth.php:425
Auth\translate
translate($string, $placeholders=array(), $language=null)
Definition: Auth.php:703
Auth\getLanguages
static getLanguages()
Definition: Auth.php:1091
Auth\$isEditable
$isEditable
Definition: Auth.php:137
Auth\checkPermission
checkPermission($group, $role='', $flag=false)
Definition: Auth.php:1066
Auth\getUsers
static getUsers($rights, $users=array(), $direct_flag=false)
Definition: Auth.php:1211
Auth\clearCache
clearCache()
Definition: Auth.php:1290
Auth\hasPermission
hasPermission($group, $role='', $flag=false, $user_id=false, $equal=true)
Definition: Auth.php:839
Auth\getPageTableQuery
getPageTableQuery($page_table, $rights, $query=array(), $param=array())
Definition: Auth.php:734
Auth\RESETPW
const RESETPW
Definition: Auth.php:126
Auth\getAllRoles
getAllRoles()
Definition: Auth.php:1568
Auth\validate
validate($username, $password)
Definition: Auth.php:356
Auth\reset
reset($remove_cookie=false)
Definition: Auth.php:299
Auth\hasPermissionOn
hasPermissionOn($object, $equal=true)
Definition: Auth.php:918
Auth\LOGOUT
const LOGOUT
Definition: Auth.php:123
Auth\postValidate
postValidate()
Definition: Auth.php:460
Auth\isNobody
isNobody()
Definition: Auth.php:1007
Auth\LOSTPW
const LOSTPW
Definition: Auth.php:125
Ego_System\clearCacheAllSites
static clearCacheAllSites()
Definition: Ego_System.php:383
Ego_System\file_put_contents
static file_put_contents($filename, $data, $flags=0, $context=null)
Definition: Ego_System.php:3001
Ego_System\getProtocol
static getProtocol($https=false)
Definition: Ego_System.php:3839
Ego_System\getIp
static getIp($anonymized=false)
Definition: Ego_System.php:4049
Ego_System\removeCookie
static removeCookie($name, $expires=-1, $path='/', $cross_domain=true, $secure=false, $httponly=true)
Definition: Ego_System.php:4545
Ego_System\deldir
static deldir($location, $del=true, $without='', $rename=true)
Definition: Ego_System.php:803
Ego_System\file_exists
static file_exists($file)
Definition: Ego_System.php:1506
Ego_System\file_get_contents
static file_get_contents($filename, $utf8=true, $context=null)
Definition: Ego_System.php:2951
Ego_System\setCookie
static setCookie($name, $value, $expires=0, $path='/', $cross_domain=true, $secure=false, $httponly=true)
Definition: Ego_System.php:4513