silverstripe-framework/security/BasicAuth.php

116 lines
3.6 KiB
PHP
Raw Normal View History

<?php
/**
* Provides an interface to HTTP basic authentication.
*
* This utility class can be used to secure any request with basic authentication. To do so,
* {@link BasicAuth::requireLogin()} from your Controller's init() method or action handler method.
*
* It also has a function to protect your entire site. See {@link BasicAuth::protect_entire_site()}
* for more information.
*
* @package sapphire
* @subpackage security
*/
class BasicAuth extends Object {
/**
* Flag set by {@link self::protect_entire_site()}
*/
private static $entire_site_protected = true;
/**
* Require basic authentication. Will request a username and password if none is given.
*
* Used by {@link Controller::init()}.
*
* @param string $realm
* @param string|array $permissionCode
* @return Member $member
*/
static function requireLogin($realm, $permissionCode) {
if(!Security::database_is_ready() || Director::is_cli()) return true;
if(isset($_SERVER['PHP_AUTH_USER']) && isset($_SERVER['PHP_AUTH_PW'])) {
$member = MemberAuthenticator::authenticate(array(
'Email' => $_SERVER['PHP_AUTH_USER'],
'Password' => $_SERVER['PHP_AUTH_PW'],
), null);
if($member) {
$authenticated = true;
}
}
// If we've failed the authentication mechanism, then show the login form
if(!isset($authenticated)) {
header("WWW-Authenticate: Basic realm=\"$realm\"");
header($_SERVER['SERVER_PROTOCOL'] . ' 401 Unauthorized');
if(isset($_SERVER['PHP_AUTH_USER'])) {
echo _t('BasicAuth.ERRORNOTREC', "That username / password isn't recognised");
} else {
echo _t('BasicAuth.ENTERINFO', "Please enter a username and password.");
}
die();
}
if(!Permission::checkMember($member->ID, $permissionCode)) {
header("WWW-Authenticate: Basic realm=\"$realm\"");
header($_SERVER['SERVER_PROTOCOL'] . ' 401 Unauthorized');
if(isset($_SERVER['PHP_AUTH_USER'])) {
echo _t('BasicAuth.ERRORNOTADMIN', "That user is not an administrator.");
}
die();
}
return $member;
}
/**
* Enable protection of the entire site with basic authentication.
*
* This log-in uses the Member database for authentication, but doesn't interfere with the
* regular log-in form. This can be useful for test sites, where you want to hide the site
* away from prying eyes, but still be able to test the regular log-in features of the site.
*
* If you are including conf/ConfigureFromEnv.php in your _config.php file, you can also enable
* this feature by adding this line to your _ss_environment.php:
*
* define('SS_USE_BASIC_AUTH', true);
*
* @param $protect Set this to false to disable protection.
*/
static function protect_entire_site($protect = true) {
return self::$entire_site_protected = $protect;
}
/**
* @deprecated Use BasicAuth::protect_entire_site() instead.
*/
static function enable() {
user_error("BasicAuth::enable() is deprated. Use BasicAuth::protect_entire_site() instead.", E_USER_NOTICE);
return self::protect_entire_site();
}
/**
* @deprecated Use BasicAuth::protect_entire_site(false) instead.
*/
static function disable() {
user_error("BasicAuth::disable() is deprated. Use BasicAuth::protect_entire_site(false) instead.", E_USER_NOTICE);
return self::protect_entire_site(false);
}
/**
* Call {@link BasicAuth::requireLogin()} if {@link BasicAuth::protect_entire_site()} has been called.
* This is a helper function used by Controller.
*/
static function protect_site_if_necessary() {
if(self::$entire_site_protected) {
self::requireLogin("SilverStripe test website. Use your CMS login.", "ADMIN");
}
}
}