Skip to content
GitLab
Select Git revision
  • dev default
  • 6378-orcid-test-method-is-wrong-and-break-orcid-saving
  • core-php8
  • master
  • 6342-update-the-locales-for-1-5
  • 6344-template-issue-when-creating-a-template-with-empty-password-error-message-should-not-be-seen
  • 6365-core-locking-mechanism-is-not-changing-the-mail-ressource-it-does-lock-the-mail-account
  • 6365-core-when-lock-mechanism-is-trigger-the-user-should-not-be-editable-if-not-unlock
  • fusiondirectory-1.5
  • fusiondirectory-1.4
  • fusiondirectory-1.3.1
  • fusiondirectory-1.3
  • fusiondirectory-1.2.3
  • fusiondirectory-1.2.2
  • fusiondirectory-1.2.1
  • fusiondirectory-1.2
  • fusiondirectory-1.1.1
  • fusiondirectory-1.1
  • fusiondirectory-1.0.20
  • fusiondirectory-1.0.19
  • fusiondirectory-1.0.18
  • fusiondirectory-1.0.17
  • fusiondirectory-1.0.16
  • fusiondirectory-1.0.15
  • fusiondirectory-1.0.14
  • fusiondirectory-1.0.13
  • fusiondirectory-1.0.12
  • fusiondirectory-1.0.11
Find file BlameHistoryPermalink
class_user.inc 23.70 KiB
1 
<?php
2 
/*
3 
  This code is part of FusionDirectory (http://www.fusiondirectory.org/)
4 
  Copyright (C) 2013-2018  FusionDirectory
5
6 
  This program is free software; you can redistribute it and/or modify
7 
  it under the terms of the GNU General Public License as published by
8 
  the Free Software Foundation; either version 2 of the License, or
9 
  (at your option) any later version.
10
11 
  This program is distributed in the hope that it will be useful,
12 
  but WITHOUT ANY WARRANTY; without even the implied warranty of
13 
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
14 
  GNU General Public License for more details.
15
16 
  You should have received a copy of the GNU General Public License
17 
  along with this program; if not, write to the Free Software
18 
  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA.
19 
*/
20
21 
/* Handle a password and its hash method */
22 
class UserPasswordAttribute extends CompositeAttribute
23 
{
24 
  protected $needPassword;
25 
  protected $previousMethod;
26
27 
  function __construct ($label, $description, $ldapName, $required = FALSE, $defaultValue = "", $acl = "")
28 
  {
29 
    $temp = passwordMethod::get_available_methods();
30
31 
    /* Create password methods array */
32 
    $pwd_methods = array();
33 
    $this->needPassword = array();
34 
    foreach ($temp['name'] as $id => $name) {
35 
      $this->needPassword[$name] = $temp[$id]['object']->need_password();
36 
      $pwd_methods[$name] = $name;
37 
      if (!empty($temp[$id]['desc'])) {
38 
        $pwd_methods[$name] .= " (".$temp[$id]['desc'].")";
39 
      }
40 
    }
41
42 
    parent::__construct (
43 
      $description, $ldapName,
44 
      array(
45 
        new SelectAttribute(
46 
          _('Password method'), _('Password hash method to use'),
47 
          $ldapName.'_pwstorage', TRUE,
48 
          array_keys($pwd_methods), '', array_values($pwd_methods)
49 
        ),
50 
        new PasswordAttribute(
51 
          _('Password'), _('Password (Leave empty if you do not wish to change it)'),
52 
          $ldapName.'_password', $required
53 
        ),
54 
        new PasswordAttribute(
55 
          _('Password again'), _('Same password as above, to avoid errors'),
56 
          $ldapName.'_password2', $required
57 
        ),
58 
        new HiddenAttribute(
59 
          $ldapName.'_hash'
60 
        ),
61 
        new HiddenAttribute(
62 
          $ldapName.'_locked', FALSE,
63 
          FALSE
64 
        )
65 
      ),
66 
      '', '', $acl, $label
67 
    );
68 
    $this->attributes[0]->setSubmitForm(TRUE);
69 
  }
70
7172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140
public function setParent(&$plugin) { global $config; parent::setParent($plugin); if (is_object($this->plugin)) { $hash = $config->get_cfg_value('passwordDefaultHash', 'ssha'); $this->attributes[0]->setDefaultValue($hash); if ($config->get_cfg_value('forcePasswordDefaultHash', 'FALSE') == 'TRUE') { $this->attributes[0]->setValue($hash); $this->attributes[0]->setDisabled(TRUE); } $this->checkIfMethodNeedsPassword(); } } /* We need to handle method select disabling manually */ function renderAttribute(&$attributes, $readOnly) { global $config; if ($this->visible) { if ($this->linearRendering) { parent::renderAttribute($attributes, $readOnly); } else { foreach ($this->attributes as $key => &$attribute) { if (is_object($this->plugin) && $this->plugin->is_template && ($key == 2)) { /* Do not display confirmation field in template mode */ continue; } if (($key == 0) && ($config->get_cfg_value('forcePasswordDefaultHash', 'FALSE') == 'TRUE')) { $attribute->setDisabled(TRUE); } else { $attribute->setDisabled($this->disabled); } $attribute->renderAttribute($attributes, $readOnly); } unset($attribute); } } } /*! \brief Loads this attribute value from the attrs array */ protected function loadAttrValue ($attrs) { if (isset($attrs[$this->getLdapName()])) { $this->setValue($this->inputValue($attrs[$this->getLdapName()][0])); $this->setRequired(FALSE); $this->attributes[1]->setRequired(FALSE); $this->attributes[2]->setRequired(FALSE); } else { $this->setRequired(TRUE); $this->attributes[0]->resetToDefault(); $this->attributes[1]->setRequired(TRUE); $this->attributes[2]->setRequired(TRUE); $this->checkIfMethodNeedsPassword(); } } function setValue ($value) { reset($value); $key = key($value); if ($this->attributes[0]->isDisabled() || ($value[$key] == '')) { $value[$key] = $this->attributes[0]->getValue(); } parent::setValue($value); $this->checkIfMethodNeedsPassword(); } function applyPostValue ()
141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210
{ parent::applyPostValue(); $this->checkIfMethodNeedsPassword(); } function checkIfMethodNeedsPassword() { $method = $this->attributes[0]->getValue(); if ($method != $this->previousMethod) { if ($this->needPassword[$method]) { $this->attributes[1]->setVisible(TRUE); $this->attributes[2]->setVisible(TRUE); } else { $this->attributes[1]->setVisible(FALSE); $this->attributes[1]->setValue(''); $this->attributes[2]->setVisible(FALSE); $this->attributes[2]->setValue(''); } } $this->previousMethod = $method; } function readValues($value) { global $config; $pw_storage = $config->get_cfg_value('passwordDefaultHash', 'ssha'); $locked = FALSE; $password = ''; if ($this->plugin->is_template) { list($value, $password) = explode('|', $value, 2); } if (preg_match ('/^{[^}]+}/', $value)) { $tmp = passwordMethod::get_method($value); if (is_object($tmp)) { $pw_storage = $tmp->get_hash(); $locked = $tmp->is_locked($this->plugin->dn); if ($this->plugin->is_template) { $value = $tmp->generate_hash($password); } } } else { if ($value != '') { $pw_storage = 'clear'; } } return array($pw_storage, $password, $password, $value, $locked); } function writeValues($values) { if ($this->needPassword[$values[0]] && ($values[1] == '')) { if ($this->plugin->is_template) { return ''; } else { return $values[3]; } } $temp = passwordMethod::get_available_methods(); if (!isset($temp[$values[0]])) { trigger_error('Unknown password method '.$values[0]); return $values[3]; } $test = new $temp[$values[0]]($this->plugin->dn, $this->plugin); $test->set_hash($values[0]); if ($this->plugin->is_template) { return $test->generate_hash($values[1]).'|'.$values[1]; } else { return $test->generate_hash($values[1]); } }
211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280
function check() { $method = $this->attributes[0]->getValue(); if (!$this->needPassword[$method]) { $this->attributes[1]->setRequired(FALSE); $this->attributes[2]->setRequired(FALSE); } $error = parent::check(); if (!empty($error)) { return $error; } if (($this->attributes[1]->getValue() != '') || ($this->attributes[2]->getValue() != '')) { return user::reportPasswordProblems($this->plugin->dn, $this->attributes[1]->getValue(), $this->attributes[2]->getValue()); } } function getMethod() { return $this->attributes[0]->getValue(); } function getClear() { return $this->attributes[1]->getValue(); } function isLocked() { return $this->attributes[4]->getValue(); } } class PostalAddressAttribute extends TextAreaAttribute { function inputValue ($ldapValue) { return str_replace( array('$', '\24','\5C'), array("\n", '$', '\\'), $ldapValue ); } function computeLdapValue () { return str_replace( array("\r\n", "\n", "\r"), '$', str_replace( array('\\', '$'), array('\5C','\24'), $this->getValue() ) ); } } class user extends simplePlugin { var $objectclasses = array('inetOrgPerson','organizationalPerson','person'); private $was_locked; static function plInfo() { return array( 'plShortName' => _('User'), 'plDescription' => _('User account information'), 'plIcon' => 'geticon.php?context=applications&icon=user-info&size=48',
281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350
'plSmallIcon' => 'geticon.php?context=applications&icon=user-info&size=16', 'plSelfModify' => TRUE, 'plObjectType' => array('user' => array( 'name' => _('User'), 'description' => _('User account'), 'filter' => '(objectClass=inetOrgPerson)', 'mainAttr' => 'uid', 'nameAttr' => 'cn', 'icon' => 'geticon.php?context=types&icon=user&size=16', 'ou' => get_ou('userRDN'), )), 'plForeignKeys' => array( 'manager' => array('user','dn','manager=%oldvalue%','*') ), 'plProvidedAcls' => array_merge( parent::generatePlProvidedAcls(static::getAttributesInfo()), array('userLock' => _('User lock status')) ) ); } // The main function : information about attributes static function getAttributesInfo () { global $config; $languages = Language::getList(TRUE); asort($languages); $languages = array_merge(array('' => ''), $languages); $attributesInfo = array( 'perso' => array( 'name' => _('Personal information'), 'icon' => 'geticon.php?context=types&icon=user&size=16', 'attrs' => array( new HiddenAttribute('cn'), new StringAttribute ( _('Last name'), _('Last name of this user'), 'sn', TRUE, '', '', '/[^,+"?()=<>;\\\\]/' ), new StringAttribute ( _('First name'), _('First name of this user'), 'givenName', TRUE, '', '', '/[^,+"?()=<>;\\\\]/' ), new TextAreaAttribute ( _('Description'), _('Short description of the user'), 'description', FALSE ), new ImageAttribute ( _('Picture'), _('The avatar for this user'), 'jpegPhoto', FALSE, 150, 200, 'jpeg' ), ) ), 'contact' => array( 'name' => _('Organizational contact information'), 'icon' => 'geticon.php?context=types&icon=contact&size=16', 'attrs' => array( new StringAttribute ( _('Location'), _('Location'), 'l', FALSE ), new StringAttribute ( _('State'), _('State'), 'st', FALSE ), new PostalAddressAttribute ( _('Address'), _('Business postal address'),
351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420
'postalAddress', FALSE ), new StringAttribute ( _('Room No.'), _('Room number'), 'roomNumber', FALSE ), new PhoneNumberButtonAttribute ( _('Phone'), _('Business phone number'), 'telephoneNumber', FALSE, '', 'phone' ), new PhoneNumberButtonAttribute ( _('Mobile'), _('Business mobile number'), 'mobile', FALSE, '', 'mobile' ), new PhoneNumberAttribute ( _('Pager'), _('Business pager number'), 'pager', FALSE ), new PhoneNumberAttribute ( _('Fax'), _('Business fax number'), 'facsimileTelephoneNumber', FALSE ), new URLAttribute ( _('Homepage'), _('Personal homepage'), 'labeledURI', FALSE ), ) ), 'account' => array( 'name' => _('Account information'), 'icon' => 'geticon.php?context=applications&icon=ldap&size=16', 'attrs' => array( new BaseSelectorAttribute (get_ou("userRDN")), new UidAttribute ( _('Login'), _('Login of this user'), 'uid', TRUE ), new SelectAttribute ( _('Preferred language'), _('Preferred language'), 'preferredLanguage', FALSE, array_keys($languages), '', array_values($languages) ), new UserPasswordAttribute( _('Password'), _('Password of the user'), 'userPassword', FALSE ), ) ), 'homecontact' => array( 'name' => _('Personal contact information'), 'icon' => 'geticon.php?context=types&icon=contact&size=16', 'attrs' => array( new StringAttribute ( _('Display name'), _('Name this user should appear as. Used by Exchange.'), 'displayName', FALSE ), new PostalAddressAttribute ( _('Home address'), _('Home postal address'), 'homePostalAddress', FALSE ), new PhoneNumberAttribute ( _('Private phone'), _('Home phone number'), 'homePhone', FALSE ), ) ),
421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490
'organization' => array( 'name' => _('Organizational information'), 'icon' => 'geticon.php?context=places&icon=folder&size=16', 'attrs' => array( new SetAttribute ( new StringAttribute ( _('Title'), _('Title of a person in their organizational context. Each title is one value of this multi-valued attribute'), 'title', FALSE ) ), new StringAttribute ( _('Organization'), _('Organization'), 'o', FALSE ), new StringAttribute ( _('Unit'), _('Organizational unit this user belongs to'), 'ou', FALSE ), new StringAttribute ( _('Department No.'), _('Department number'), 'departmentNumber', FALSE ), new StringAttribute ( _('Employee No.'), _('Employee number'), 'employeeNumber', FALSE ), new StringAttribute ( _('Employee type'), _('Employee type'), 'employeeType', FALSE ), new UserAttribute( _('Manager'), _('Manager'), 'manager', FALSE ), ) ), ); if ($config->get_cfg_value('SplitPostalAddress') == 'TRUE') { $attributesInfo['contact']['attrs'][2]->setVisible(FALSE); array_splice($attributesInfo['contact']['attrs'], 3, 0, array( new StringAttribute ( _('Street'), _('Street part of the address'), 'street', FALSE ), new StringAttribute ( _('Post office box'), _('Post office box'), 'postOfficeBox', FALSE ), new IntAttribute ( _('Postal code'), _('Postal code'), 'postalCode', FALSE, 0, FALSE ), )); } return $attributesInfo; } function __construct ($dn = NULL, $object = NULL, $parent = NULL, $mainTab = FALSE) { parent::__construct($dn, $object, $parent, $mainTab); $this->attributesAccess['uid']->setUnique('whole'); $this->attributesAccess['uid']->setAutocomplete(FALSE); $this->attributesAccess['uid']->setDisabled($this->initially_was_account && !$this->is_template); $filename = './plugins/users/images/default.jpg'; $fd = fopen ($filename, 'rb'); $this->attributesAccess['jpegPhoto']->setPlaceholder(fread ($fd, filesize($filename)));
491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560
$this->was_locked = $this->attributesAccess['userPassword']->isLocked(); } function is_this_account($attrs) { /* Only inetOrgPerson is needed, it has the two others as SUP classes */ return (isset($attrs['objectClass']) && in_array_ics('inetOrgPerson', $attrs['objectClass'])); } function resetCopyInfos() { parent::resetCopyInfos(); $this->attributesAccess['uid']->setDisabled($this->initially_was_account && !$this->is_template); } private function update_cn () { global $config; $pattern = $config->get_cfg_value('CnPattern', '%givenName% %sn%'); $this->attributesAccess['cn']->setValue($this->applyPattern($pattern)); } private function applyPattern ($pattern) { $fields = templateHandling::listFields($pattern); $attrs = array(); foreach ($fields as $field) { if (in_array($field, $this->attributes)) { $attrs[$field] = $this->$field; continue; } if (isset($this->parent->by_object)) { foreach ($this->parent->by_object as $object) { if (in_array($field, $object->attributes)) { $attrs[$field] = $object->$field; continue 2; } } } trigger_error('Could not find field '.$field.' in any tab!'); } return templateHandling::parseString($pattern, $attrs); } function compute_dn() { global $config; if ($this->is_template) { $dn = 'cn='.ldap_escape_dn($this->_template_cn).',ou=templates,'.get_ou('userRDN').$this->base; return $dn; } $this->update_cn(); $attribute = $config->get_cfg_value('accountPrimaryAttribute', 'uid'); return $this->create_unique_dn($attribute, get_ou('userRDN').$this->base); } function execute() { $smarty = get_smarty(); $smarty->append('css_files', 'plugins/users/style/user_tab.css'); return parent::execute(); } protected function shouldSave() { if ($this->attributesAccess['userPassword']->getClear() != '') {
561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630
/* There may be hooks using this even if LDAP object is not modified */ return TRUE; } return parent::shouldSave(); } protected function prepare_save () { global $config; if ($config->get_cfg_value('SplitPostalAddress') == 'TRUE') { $pattern = $config->get_cfg_value('PostalAddressPattern', ''); if (!empty($pattern)) { $this->postalAddress = $this->applyPattern($this->attributesAccess['postalAddress']->inputValue($pattern)); } } return parent::prepare_save(); } function ldap_save() { $errors = parent::ldap_save(); if (!empty($errors)) { return $errors; } if (!$this->is_template && $this->was_locked && $this->attributesAccess['userPassword']->hasChanged()) { $methods = passwordMethod::get_available_methods(); $pmethod = new $methods[$this->attributesAccess['userPassword']->getMethod()]($this->dn); $pmethod->lock_account($this->dn); } return $errors; } function post_save() { global $ui; /* Update current locale settings, if we have edited ourselves */ if (isset($this->attrs['preferredLanguage']) && ($this->dn == $ui->dn)) { $ui->language = $this->preferredLanguage; session::set('ui', $ui); session::set('Last_init_lang', 'update'); } return parent::post_save(); } function adapt_from_template($attrs, $skip = array()) { if ($this->uid != '') { $skip[] = 'uid'; } parent::adapt_from_template($attrs, $skip); if (isset($this->attrs['userPassword']) && !in_array('userPassword', $skip)) { list($hash,$password) = explode('|', $this->attrs['userPassword'][0], 2); if (preg_match ('/^{[^}]+}/', $hash)) { $tmp = passwordMethod::get_method($hash); if (is_object($tmp)) { $hash = $tmp->generate_hash($password); } } $this->userPassword = array( '', $password, $password, $hash, $this->attributesAccess['userPassword']->isLocked()
631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700
); } } function callHook($cmd, array $addAttrs = array(), &$returnOutput = array(), &$returnCode = NULL) { $addAttrs['passwordMethod'] = $this->attributesAccess['userPassword']->getMethod(); $addAttrs['userLocked'] = $this->attributesAccess['userPassword']->isLocked(); $addAttrs['passwordClear'] = $this->attributesAccess['userPassword']->getClear(); return parent::callHook($cmd, $addAttrs, $returnOutput, $returnCode); } static function reportPasswordProblems ($user, $new_password, $repeated_password, $current_password = NULL) { global $config, $ui; /* Should we check different characters in new password */ $check_differ = ($config->get_cfg_value('passwordMinDiffer') != ''); $differ = $config->get_cfg_value('passwordMinDiffer', 0); if ($current_password === NULL) { $check_differ = FALSE; } /* Enable length check ? */ $check_length = ($config->get_cfg_value('passwordMinLength') != ''); $length = $config->get_cfg_value('passwordMinLength', 0); $ldap = $config->get_ldap_link(); $ldap->cat($user, array('pwdPolicySubentry', 'pwdHistory', 'pwdChangedTime', 'userPassword')); $attrs = $ldap->fetch(); $ppolicydn = ''; if (isset($attrs['pwdPolicySubentry'][0])) { $ppolicydn = $attrs['pwdPolicySubentry'][0]; } else { $ppolicydn = $config->get_cfg_value('ppolicyDefaultCn', ''); if (!empty($ppolicydn)) { $ppolicydn = 'cn='.$ppolicydn.','.get_ou('ppolicyRDN').$config->current['BASE']; } } if (!empty($ppolicydn)) { $ldap->cat($ppolicydn, array('pwdAllowUserChange', 'pwdMinLength', 'pwdMinAge', 'pwdSafeModify')); $policy = $ldap->fetch(); if (!$policy) { return sprintf(_('Ppolicy "%s" could not be found in the LDAP!'), $ppolicydn); } if (isset($policy['pwdAllowUserChange'][0]) && ($policy['pwdAllowUserChange'][0] == 'FALSE') && ($ui->dn == $user)) { return _('You are not allowed to change your own password'); } if (isset($policy['pwdMinLength'][0])) { $check_length = TRUE; $length = $policy['pwdMinLength'][0]; } if (isset($policy['pwdMinAge'][0]) && isset($attrs['pwdChangedTime'][0])) { $date = LdapGeneralizedTime::fromString($attrs['pwdChangedTime'][0]); $date->setTimezone(timezone::utc()); $now = new DateTime('now', timezone::utc()); if ($now->getTimeStamp() < $date->getTimeStamp() + $policy['pwdMinAge'][0]) { return sprintf(_('You must wait %d seconds before changing your password again'), $policy['pwdMinAge'][0] - ($now->getTimeStamp() - $date->getTimeStamp())); } } if (isset($policy['pwdSafeModify'][0]) && ($policy['pwdSafeModify'][0] == 'FALSE')) { if (empty($current_password)) { $current_password = NULL; } } if (isset($attrs['pwdHistory'][0])) { unset($attrs['pwdHistory']['count']); foreach ($attrs['pwdHistory'] as $pwdHistory) { $pwdHistory = explode('#', $pwdHistory, 4); $method = passwordMethod::get_method($pwdHistory[3], $user);
701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735
if (($method !== NULL) && $method->checkPassword($new_password, $pwdHistory[3])) { return _('Password is in history of old passwords'); } } } if (($current_password !== NULL) && ($current_password == $new_password)) { return _('Password is not being changed from existing value'); } elseif (isset($attrs['userPassword'][0])) { $method = passwordMethod::get_method($attrs['userPassword'][0], $user); if (($method !== NULL) && $method->checkPassword($new_password, $attrs['userPassword'][0])) { return _('Password is not being changed from existing value'); } } } // Perform FusionDirectory password policy checks if (($current_password !== NULL) && empty($current_password)) { return _('You need to specify your current password in order to proceed.'); } elseif ($new_password != $repeated_password) { return _('The passwords you\'ve entered as "New password" and "Repeated new password" do not match.'); } elseif ($new_password == '') { return msgPool::required(_('New password')); } elseif ($check_differ && (mb_substr($current_password, 0, $differ) == mb_substr($new_password, 0, $differ))) { return _('The password used as new and current are too similar.'); } elseif ($check_length && (mb_strlen($new_password) < $length)) { return _('The password used as new is too short.'); } elseif (!passwordMethod::is_harmless($new_password)) { return _('The password contains possibly problematic Unicode characters!'); } return FALSE; } } ?>