tonyair/silverstripe-framework
1
0
Fork 0
mirror of https://github.com/silverstripe/silverstripe-framework synced 2024-10-22 14:05:37 +02:00
Code Issues Projects Releases Wiki Activity
7af7e6719e
silverstripe-framework/src/Security/MemberAuthenticator/LoginForm.php

212 lines
7.4 KiB
PHP
Raw Normal View History

Turned dos line endings into unix git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@63113 467b73ca-7a2a-4603-9d3b-597d59a354a9
2008-09-26 04:22:51 +02:00
<?php
API Apply Framework\Security namespace
2016-06-23 01:37:22 +02:00
Refactoring of authenticators Further down the line, I'm only returning the `Member` on the doLogin, so it's possible for the Handler or Extending Handler to move to a second step. Also cleaned up some minor typos I ran in to. Nothing major. This solution works and is manually tested for now. Supports multiple login forms that end up in the correct handler. I haven't gotten past the handler yet, as I've yet to refactor my Yubiauth implementation. FIX: Corrections to the multi-login-form support. Importantly, the system provide a URL-space for each handler, e.g. “Security/login/default” and “Security/login/other”. This is much cleaner than identifying the active authenticator by a get parameter, and means that the tabbed interface is only needed on the very first view. Note that you can test this without a module simply by loading the default authenticator twice: SilverStripe\Security\Security: authenticators: default: SilverStripe\Security\MemberAuthenticator\Authenticator other: SilverStripe\Security\MemberAuthenticator\Authenticator FIX: Refactor delegateToHandler / delegateToHandlers to have less duplicated code.
2017-04-22 06:30:10 +02:00
namespace SilverStripe\Security\MemberAuthenticator;
API Apply Framework\Security namespace
2016-06-23 01:37:22 +02:00
API Namespace all classes Namespace all templates Move difflib and BBCodeParser2 to thirdparty Remove deprecated API marked for removal in 4.0
2016-08-19 00:51:35 +02:00
use SilverStripe\Control\Director;
use SilverStripe\Control\Session;
use SilverStripe\Control\Controller;
use SilverStripe\Forms\HiddenField;
use SilverStripe\Forms\FieldList;
use SilverStripe\Forms\FormAction;
use SilverStripe\Forms\TextField;
use SilverStripe\Forms\PasswordField;
use SilverStripe\Forms\CheckboxField;
use SilverStripe\Forms\LiteralField;
use SilverStripe\Forms\RequiredFields;
API Updates to Form, ValidationResponse, ValidationException API Implement form schema "errors" handling
2016-11-23 06:09:10 +01:00
use SilverStripe\ORM\ValidationResult;
Refactoring of authenticators Further down the line, I'm only returning the `Member` on the doLogin, so it's possible for the Handler or Extending Handler to move to a second step. Also cleaned up some minor typos I ran in to. Nothing major. This solution works and is manually tested for now. Supports multiple login forms that end up in the correct handler. I haven't gotten past the handler yet, as I've yet to refactor my Yubiauth implementation. FIX: Corrections to the multi-login-form support. Importantly, the system provide a URL-space for each handler, e.g. “Security/login/default” and “Security/login/other”. This is much cleaner than identifying the active authenticator by a get parameter, and means that the tabbed interface is only needed on the very first view. Note that you can test this without a module simply by loading the default authenticator twice: SilverStripe\Security\Security: authenticators: default: SilverStripe\Security\MemberAuthenticator\Authenticator other: SilverStripe\Security\MemberAuthenticator\Authenticator FIX: Refactor delegateToHandler / delegateToHandlers to have less duplicated code.
2017-04-22 06:30:10 +02:00
use SilverStripe\Security\Member;
use SilverStripe\Security\Security;
use SilverStripe\Security\RememberLoginHash;
use SilverStripe\Security\LoginForm as BaseLoginForm;
API Namespace all classes Namespace all templates Move difflib and BBCodeParser2 to thirdparty Remove deprecated API marked for removal in 4.0
2016-08-19 00:51:35 +02:00
use SilverStripe\View\Requirements;
API Apply Framework\Security namespace
2016-06-23 01:37:22 +02:00
Turned dos line endings into unix git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@63113 467b73ca-7a2a-4603-9d3b-597d59a354a9
2008-09-26 04:22:51 +02:00
/**
Allow vetoing forgot password requests
2014-02-24 06:45:18 +01:00
* Log-in form for the "member" authentication method.
*
* Available extension points:
Fix 'Uncaught ReferenceError: jQuery is not defined' if jQuery is not included in template.
2014-04-29 23:12:23 +02:00
* - "authenticationFailed": Called when login was not successful.
Allow vetoing forgot password requests
2014-02-24 06:45:18 +01:00
* Arguments: $data containing the form submission
Fix 'Uncaught ReferenceError: jQuery is not defined' if jQuery is not included in template.
2014-04-29 23:12:23 +02:00
* - "forgotPassword": Called before forgot password logic kicks in,
* allowing extensions to "veto" execution by returning FALSE.
Allow vetoing forgot password requests
2014-02-24 06:45:18 +01:00
* Arguments: $member containing the detected Member record
Turned dos line endings into unix git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@63113 467b73ca-7a2a-4603-9d3b-597d59a354a9
2008-09-26 04:22:51 +02:00
*/
Refactoring of authenticators Further down the line, I'm only returning the `Member` on the doLogin, so it's possible for the Handler or Extending Handler to move to a second step. Also cleaned up some minor typos I ran in to. Nothing major. This solution works and is manually tested for now. Supports multiple login forms that end up in the correct handler. I haven't gotten past the handler yet, as I've yet to refactor my Yubiauth implementation. FIX: Corrections to the multi-login-form support. Importantly, the system provide a URL-space for each handler, e.g. “Security/login/default” and “Security/login/other”. This is much cleaner than identifying the active authenticator by a get parameter, and means that the tabbed interface is only needed on the very first view. Note that you can test this without a module simply by loading the default authenticator twice: SilverStripe\Security\Security: authenticators: default: SilverStripe\Security\MemberAuthenticator\Authenticator other: SilverStripe\Security\MemberAuthenticator\Authenticator FIX: Refactor delegateToHandler / delegateToHandlers to have less duplicated code.
2017-04-22 06:30:10 +02:00
class LoginForm extends BaseLoginForm
PSR2: Whitespace-only changes
2016-11-29 00:31:16 +01:00
{
/**
* This field is used in the "You are logged in as %s" message
* @var string
*/
public $loggedInAsField = 'FirstName';
Improve the default LoginForm - has the fields and actions extracted to a separate method, so it's more easily overridable - Moved the global variable $_REQUEST to getting the info from the controller - Updated string variables to `::class` - Updated RequiredFields to be set in the YML, so it's overridable/updatable from either Config or code
2017-04-14 06:21:38 +02:00
/**
* Required fields for validation
* @var array
*/
private static $required_fields;
PSR2: Whitespace-only changes
2016-11-29 00:31:16 +01:00
/**
* Constructor
*
* @skipUpgrade
* @param Controller $controller The parent controller, necessary to
* create the appropriate form action tag.
Pass the AuthenticationMethod to the controller Resolves issue #6788 The AuthenticationMethed is passed in via hidden field as per usual, but due to changes, the fallback authenticator was always the MemberAuthenticator and the actual passed in authenticator was defaulting to an empty string. This causes an issue when there are multiple authenticators and the default authenticator is _not_ in the allowed authenticators, but is still the default. It caused the getAuthenticator method to return the default MemberAuthenticator to be returned, despite it being disabled. A second issue around multiple authenticators, was the template using a no-longer used method `getAuthenticatorName`. This method returned a null on the default MemberLoginForm (as nothing was set), causing a Warning. Because the getAuthenticator and getAuthenticatorName are no longer in use, I've opted to replace these with a translatable string `getAuthenticatorName`, to display the title of the form on the tabs, as per the tabset on Security_MultiAuthenticatorLogin template.
2017-04-14 05:30:55 +02:00
* @param string $authenticatorClass Authenticator for this LoginForm
PSR2: Whitespace-only changes
2016-11-29 00:31:16 +01:00
* @param string $name The method on the controller that will return this
* form object.
* @param FieldList $fields All of the fields in the form - a
* {@link FieldList} of {@link FormField}
* objects.
* @param FieldList|FormAction $actions All of the action buttons in the
* form - a {@link FieldList} of
* {@link FormAction} objects
* @param bool $checkCurrentUser If set to TRUE, it will be checked if a
* the user is currently logged in, and if
* so, only a logout button will be rendered
*/
public function __construct(
$controller,
Pass the AuthenticationMethod to the controller Resolves issue #6788 The AuthenticationMethed is passed in via hidden field as per usual, but due to changes, the fallback authenticator was always the MemberAuthenticator and the actual passed in authenticator was defaulting to an empty string. This causes an issue when there are multiple authenticators and the default authenticator is _not_ in the allowed authenticators, but is still the default. It caused the getAuthenticator method to return the default MemberAuthenticator to be returned, despite it being disabled. A second issue around multiple authenticators, was the template using a no-longer used method `getAuthenticatorName`. This method returned a null on the default MemberLoginForm (as nothing was set), causing a Warning. Because the getAuthenticator and getAuthenticatorName are no longer in use, I've opted to replace these with a translatable string `getAuthenticatorName`, to display the title of the form on the tabs, as per the tabset on Security_MultiAuthenticatorLogin template.
2017-04-14 05:30:55 +02:00
$authenticatorClass,
PSR2: Whitespace-only changes
2016-11-29 00:31:16 +01:00
$name,
$fields = null,
$actions = null,
$checkCurrentUser = true
) {
Pass the AuthenticationMethod to the controller Resolves issue #6788 The AuthenticationMethed is passed in via hidden field as per usual, but due to changes, the fallback authenticator was always the MemberAuthenticator and the actual passed in authenticator was defaulting to an empty string. This causes an issue when there are multiple authenticators and the default authenticator is _not_ in the allowed authenticators, but is still the default. It caused the getAuthenticator method to return the default MemberAuthenticator to be returned, despite it being disabled. A second issue around multiple authenticators, was the template using a no-longer used method `getAuthenticatorName`. This method returned a null on the default MemberLoginForm (as nothing was set), causing a Warning. Because the getAuthenticator and getAuthenticatorName are no longer in use, I've opted to replace these with a translatable string `getAuthenticatorName`, to display the title of the form on the tabs, as per the tabset on Security_MultiAuthenticatorLogin template.
2017-04-14 05:30:55 +02:00
$this->authenticator_class = $authenticatorClass;
PSR2: Whitespace-only changes
2016-11-29 00:31:16 +01:00
$customCSS = project() . '/css/member_login.css';
if (Director::fileExists($customCSS)) {
Requirements::css($customCSS);
}
Improve the default LoginForm - has the fields and actions extracted to a separate method, so it's more easily overridable - Moved the global variable $_REQUEST to getting the info from the controller - Updated string variables to `::class` - Updated RequiredFields to be set in the YML, so it's overridable/updatable from either Config or code
2017-04-14 06:21:38 +02:00
if ($controller->request->getVar('BackURL')) {
$backURL = $controller->request->getVar('BackURL');
PSR2: Whitespace-only changes
2016-11-29 00:31:16 +01:00
} else {
$backURL = Session::get('BackURL');
}
if ($checkCurrentUser && Member::currentUser() && Member::logged_in_session_exists()) {
$fields = FieldList::create(
HiddenField::create("AuthenticationMethod", null, $this->authenticator_class, $this)
);
$actions = FieldList::create(
Reorganise i18n keys
2017-05-08 13:34:39 +02:00
FormAction::create("logout", _t('SilverStripe\\Security\\Member.BUTTONLOGINOTHER', "Log in as someone else"))
PSR2: Whitespace-only changes
2016-11-29 00:31:16 +01:00
);
} else {
if (!$fields) {
Improve the default LoginForm - has the fields and actions extracted to a separate method, so it's more easily overridable - Moved the global variable $_REQUEST to getting the info from the controller - Updated string variables to `::class` - Updated RequiredFields to be set in the YML, so it's overridable/updatable from either Config or code
2017-04-14 06:21:38 +02:00
$fields = $this->getFormFields();
PSR2: Whitespace-only changes
2016-11-29 00:31:16 +01:00
}
if (!$actions) {
Improve the default LoginForm - has the fields and actions extracted to a separate method, so it's more easily overridable - Moved the global variable $_REQUEST to getting the info from the controller - Updated string variables to `::class` - Updated RequiredFields to be set in the YML, so it's overridable/updatable from either Config or code
2017-04-14 06:21:38 +02:00
$actions = $this->getFormActions();
PSR2: Whitespace-only changes
2016-11-29 00:31:16 +01:00
}
}
if (isset($backURL)) {
$fields->push(HiddenField::create('BackURL', 'BackURL', $backURL));
}
// Reduce attack surface by enforcing POST requests
$this->setFormMethod('POST', true);
parent::__construct($controller, $name, $fields, $actions);
Improve the default LoginForm - has the fields and actions extracted to a separate method, so it's more easily overridable - Moved the global variable $_REQUEST to getting the info from the controller - Updated string variables to `::class` - Updated RequiredFields to be set in the YML, so it's overridable/updatable from either Config or code
2017-04-14 06:21:38 +02:00
$this->setValidator(RequiredFields::create(self::config()->get('required_fields')));
}
PSR2: Whitespace-only changes
2016-11-29 00:31:16 +01:00
Improve the default LoginForm - has the fields and actions extracted to a separate method, so it's more easily overridable - Moved the global variable $_REQUEST to getting the info from the controller - Updated string variables to `::class` - Updated RequiredFields to be set in the YML, so it's overridable/updatable from either Config or code
2017-04-14 06:21:38 +02:00
/**
* Build the FieldList for the login form
*
* @return FieldList
*/
protected function getFormFields()
{
$label = Member::singleton()->fieldLabel(Member::config()->unique_identifier_field);
$fields = FieldList::create(
HiddenField::create("AuthenticationMethod", null, $this->authenticator_class, $this),
// Regardless of what the unique identifer field is (usually 'Email'), it will be held in the
// 'Email' value, below:
// @todo Rename the field to a more generic covering name
$emailField = TextField::create("Email", $label, null, null, $this),
Ran upgrader for lang files
2017-04-20 03:15:24 +02:00
PasswordField::create("Password", _t('SilverStripe\\Security\\Member.PASSWORD', 'Password'))
Improve the default LoginForm - has the fields and actions extracted to a separate method, so it's more easily overridable - Moved the global variable $_REQUEST to getting the info from the controller - Updated string variables to `::class` - Updated RequiredFields to be set in the YML, so it's overridable/updatable from either Config or code
2017-04-14 06:21:38 +02:00
);
$emailField->setAttribute('autofocus', 'true');
if (Security::config()->remember_username) {
$emailField->setValue(Session::get('SessionForms.MemberLoginForm.Email'));
} else {
// Some browsers won't respect this attribute unless it's added to the form
$this->setAttribute('autocomplete', 'off');
$emailField->setAttribute('autocomplete', 'off');
}
if (Security::config()->autologin_enabled) {
$fields->push(
CheckboxField::create(
"Remember",
Ran upgrader for lang files
2017-04-20 03:15:24 +02:00
_t('SilverStripe\\Security\\Member.KEEPMESIGNEDIN', "Keep me signed in")
Improve the default LoginForm - has the fields and actions extracted to a separate method, so it's more easily overridable - Moved the global variable $_REQUEST to getting the info from the controller - Updated string variables to `::class` - Updated RequiredFields to be set in the YML, so it's overridable/updatable from either Config or code
2017-04-14 06:21:38 +02:00
)->setAttribute(
'title',
sprintf(
Ran upgrader for lang files
2017-04-20 03:15:24 +02:00
_t('SilverStripe\\Security\\Member.REMEMBERME', "Remember me next time? (for %d days on this device)"),
Improve the default LoginForm - has the fields and actions extracted to a separate method, so it's more easily overridable - Moved the global variable $_REQUEST to getting the info from the controller - Updated string variables to `::class` - Updated RequiredFields to be set in the YML, so it's overridable/updatable from either Config or code
2017-04-14 06:21:38 +02:00
RememberLoginHash::config()->uninherited('token_expiry_days')
)
)
);
}
return $fields;
}
/**
* Build default login form action FieldList
*
* @return FieldList
*/
protected function getFormActions()
{
$actions = FieldList::create(
Refactoring of authenticators Further down the line, I'm only returning the `Member` on the doLogin, so it's possible for the Handler or Extending Handler to move to a second step. Also cleaned up some minor typos I ran in to. Nothing major. This solution works and is manually tested for now. Supports multiple login forms that end up in the correct handler. I haven't gotten past the handler yet, as I've yet to refactor my Yubiauth implementation. FIX: Corrections to the multi-login-form support. Importantly, the system provide a URL-space for each handler, e.g. “Security/login/default” and “Security/login/other”. This is much cleaner than identifying the active authenticator by a get parameter, and means that the tabbed interface is only needed on the very first view. Note that you can test this without a module simply by loading the default authenticator twice: SilverStripe\Security\Security: authenticators: default: SilverStripe\Security\MemberAuthenticator\Authenticator other: SilverStripe\Security\MemberAuthenticator\Authenticator FIX: Refactor delegateToHandler / delegateToHandlers to have less duplicated code.
2017-04-22 06:30:10 +02:00
FormAction::create('doLogin', _t('SilverStripe\\Security\\Member.BUTTONLOGIN', "Log in")),
Improve the default LoginForm - has the fields and actions extracted to a separate method, so it's more easily overridable - Moved the global variable $_REQUEST to getting the info from the controller - Updated string variables to `::class` - Updated RequiredFields to be set in the YML, so it's overridable/updatable from either Config or code
2017-04-14 06:21:38 +02:00
LiteralField::create(
'forgotPassword',
'<p id="ForgotPassword"><a href="' . Security::lost_password_url() . '">'
Ran upgrader for lang files
2017-04-20 03:15:24 +02:00
. _t('SilverStripe\\Security\\Member.BUTTONLOSTPASSWORD', "I've lost my password") . '</a></p>'
Improve the default LoginForm - has the fields and actions extracted to a separate method, so it's more easily overridable - Moved the global variable $_REQUEST to getting the info from the controller - Updated string variables to `::class` - Updated RequiredFields to be set in the YML, so it's overridable/updatable from either Config or code
2017-04-14 06:21:38 +02:00
)
);
return $actions;
PSR2: Whitespace-only changes
2016-11-29 00:31:16 +01:00
}
API Updates to Form, ValidationResponse, ValidationException API Implement form schema "errors" handling
2016-11-23 06:09:10 +01:00
public function restoreFormState()
PSR2: Whitespace-only changes
2016-11-29 00:31:16 +01:00
{
API Updates to Form, ValidationResponse, ValidationException API Implement form schema "errors" handling
2016-11-23 06:09:10 +01:00
parent::restoreFormState();
PSR2: Whitespace-only changes
2016-11-29 00:31:16 +01:00
$forceMessage = Session::get('MemberLoginForm.force_message');
if (($member = Member::currentUser()) && !$forceMessage) {
API Updates to Form, ValidationResponse, ValidationException API Implement form schema "errors" handling
2016-11-23 06:09:10 +01:00
$message = _t(
Ran upgrader for lang files
2017-04-20 03:15:24 +02:00
'SilverStripe\\Security\\Member.LOGGEDINAS',
PSR2: Whitespace-only changes
2016-11-29 00:31:16 +01:00
"You're logged in as {name}.",
array('name' => $member->{$this->loggedInAsField})
);
API Updates to Form, ValidationResponse, ValidationException API Implement form schema "errors" handling
2016-11-23 06:09:10 +01:00
$this->setMessage($message, ValidationResult::TYPE_INFO);
PSR2: Whitespace-only changes
2016-11-29 00:31:16 +01:00
}
// Reset forced message
if ($forceMessage) {
Session::set('MemberLoginForm.force_message', false);
}
API Updates to Form, ValidationResponse, ValidationException API Implement form schema "errors" handling
2016-11-23 06:09:10 +01:00
return $this;
PSR2: Whitespace-only changes
2016-11-29 00:31:16 +01:00
}
Pass the AuthenticationMethod to the controller Resolves issue #6788 The AuthenticationMethed is passed in via hidden field as per usual, but due to changes, the fallback authenticator was always the MemberAuthenticator and the actual passed in authenticator was defaulting to an empty string. This causes an issue when there are multiple authenticators and the default authenticator is _not_ in the allowed authenticators, but is still the default. It caused the getAuthenticator method to return the default MemberAuthenticator to be returned, despite it being disabled. A second issue around multiple authenticators, was the template using a no-longer used method `getAuthenticatorName`. This method returned a null on the default MemberLoginForm (as nothing was set), causing a Warning. Because the getAuthenticator and getAuthenticatorName are no longer in use, I've opted to replace these with a translatable string `getAuthenticatorName`, to display the title of the form on the tabs, as per the tabset on Security_MultiAuthenticatorLogin template.
2017-04-14 05:30:55 +02:00
/**
* The name of this login form, to display in the frontend
* Replaces Authenticator::get_name()
*
* @return string
*/
public function getAuthenticatorName()
{
Ran upgrader for lang files
2017-04-20 03:15:24 +02:00
return _t('SilverStripe\\Security\\MemberLoginForm.AUTHENTICATORNAME', "E-mail &amp; Password");
Pass the AuthenticationMethod to the controller Resolves issue #6788 The AuthenticationMethed is passed in via hidden field as per usual, but due to changes, the fallback authenticator was always the MemberAuthenticator and the actual passed in authenticator was defaulting to an empty string. This causes an issue when there are multiple authenticators and the default authenticator is _not_ in the allowed authenticators, but is still the default. It caused the getAuthenticator method to return the default MemberAuthenticator to be returned, despite it being disabled. A second issue around multiple authenticators, was the template using a no-longer used method `getAuthenticatorName`. This method returned a null on the default MemberLoginForm (as nothing was set), causing a Warning. Because the getAuthenticator and getAuthenticatorName are no longer in use, I've opted to replace these with a translatable string `getAuthenticatorName`, to display the title of the form on the tabs, as per the tabset on Security_MultiAuthenticatorLogin template.
2017-04-14 05:30:55 +02:00
}
Turned dos line endings into unix git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/trunk@63113 467b73ca-7a2a-4603-9d3b-597d59a354a9
2008-09-26 04:22:51 +02:00
}
Reference in New Issue Copy Permalink