2007-07-19 12:40:28 +02:00
|
|
|
<?php
|
|
|
|
/**
|
|
|
|
* Provides an interface to HTTP basic authentication.
|
2009-11-15 22:24:58 +01:00
|
|
|
*
|
|
|
|
* This utility class can be used to secure any request with basic authentication. To do so,
|
|
|
|
* {@link BasicAuth::requireLogin()} from your Controller's init() method or action handler method.
|
|
|
|
*
|
|
|
|
* It also has a function to protect your entire site. See {@link BasicAuth::protect_entire_site()}
|
|
|
|
* for more information.
|
|
|
|
*
|
2008-02-25 03:10:37 +01:00
|
|
|
* @package sapphire
|
|
|
|
* @subpackage security
|
2007-07-19 12:40:28 +02:00
|
|
|
*/
|
2010-05-25 06:20:54 +02:00
|
|
|
class BasicAuth {
|
2008-04-09 13:17:39 +02:00
|
|
|
/**
|
2009-11-15 22:24:58 +01:00
|
|
|
* Flag set by {@link self::protect_entire_site()}
|
2008-04-09 13:17:39 +02:00
|
|
|
*/
|
2009-11-15 22:41:13 +01:00
|
|
|
private static $entire_site_protected = false;
|
2008-04-09 13:17:39 +02:00
|
|
|
|
2007-07-19 12:40:28 +02:00
|
|
|
/**
|
|
|
|
* Require basic authentication. Will request a username and password if none is given.
|
2008-04-09 13:17:39 +02:00
|
|
|
*
|
2009-03-22 23:59:14 +01:00
|
|
|
* Used by {@link Controller::init()}.
|
|
|
|
*
|
2008-04-09 13:17:39 +02:00
|
|
|
* @param string $realm
|
|
|
|
* @param string|array $permissionCode
|
2010-10-15 03:18:07 +02:00
|
|
|
* @param boolean $tryUsingSessionLogin If true, then the method with authenticate against the
|
|
|
|
* session log-in if those credentials are disabled.
|
2008-04-09 13:17:39 +02:00
|
|
|
* @return Member $member
|
2007-07-19 12:40:28 +02:00
|
|
|
*/
|
2010-10-15 03:18:07 +02:00
|
|
|
static function requireLogin($realm, $permissionCode, $tryUsingSessionLogin = true) {
|
2008-08-09 06:38:44 +02:00
|
|
|
if(!Security::database_is_ready() || Director::is_cli()) return true;
|
2007-07-19 12:40:28 +02:00
|
|
|
|
2010-10-15 03:18:07 +02:00
|
|
|
$member = null;
|
2007-07-19 12:40:28 +02:00
|
|
|
if(isset($_SERVER['PHP_AUTH_USER']) && isset($_SERVER['PHP_AUTH_PW'])) {
|
2008-02-25 03:10:37 +01:00
|
|
|
$member = MemberAuthenticator::authenticate(array(
|
|
|
|
'Email' => $_SERVER['PHP_AUTH_USER'],
|
|
|
|
'Password' => $_SERVER['PHP_AUTH_PW'],
|
|
|
|
), null);
|
2007-07-19 12:40:28 +02:00
|
|
|
}
|
|
|
|
|
2010-10-15 03:18:07 +02:00
|
|
|
if(!$member && $tryUsingSessionLogin) $member = Member::currentUser();
|
|
|
|
|
2007-07-19 12:40:28 +02:00
|
|
|
// If we've failed the authentication mechanism, then show the login form
|
2010-10-15 03:18:07 +02:00
|
|
|
if(!$member) {
|
2007-07-19 12:40:28 +02:00
|
|
|
header("WWW-Authenticate: Basic realm=\"$realm\"");
|
2008-10-01 16:41:15 +02:00
|
|
|
header($_SERVER['SERVER_PROTOCOL'] . ' 401 Unauthorized');
|
2007-07-19 12:40:28 +02:00
|
|
|
|
|
|
|
if(isset($_SERVER['PHP_AUTH_USER'])) {
|
2007-10-25 04:47:45 +02:00
|
|
|
echo _t('BasicAuth.ERRORNOTREC', "That username / password isn't recognised");
|
2007-07-19 12:40:28 +02:00
|
|
|
} else {
|
2007-10-25 04:47:45 +02:00
|
|
|
echo _t('BasicAuth.ENTERINFO', "Please enter a username and password.");
|
2007-07-19 12:40:28 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
die();
|
|
|
|
}
|
|
|
|
|
2007-10-02 06:30:20 +02:00
|
|
|
if(!Permission::checkMember($member->ID, $permissionCode)) {
|
2007-07-19 12:40:28 +02:00
|
|
|
header("WWW-Authenticate: Basic realm=\"$realm\"");
|
2008-10-01 16:41:15 +02:00
|
|
|
header($_SERVER['SERVER_PROTOCOL'] . ' 401 Unauthorized');
|
2007-07-19 12:40:28 +02:00
|
|
|
|
|
|
|
if(isset($_SERVER['PHP_AUTH_USER'])) {
|
2007-10-25 04:47:45 +02:00
|
|
|
echo _t('BasicAuth.ERRORNOTADMIN', "That user is not an administrator.");
|
2007-07-19 12:40:28 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
die();
|
|
|
|
}
|
2007-10-02 06:32:11 +02:00
|
|
|
|
|
|
|
return $member;
|
2007-07-19 12:40:28 +02:00
|
|
|
}
|
2009-11-15 22:24:58 +01:00
|
|
|
|
|
|
|
/**
|
|
|
|
* Enable protection of the entire site with basic authentication.
|
|
|
|
*
|
|
|
|
* This log-in uses the Member database for authentication, but doesn't interfere with the
|
|
|
|
* regular log-in form. This can be useful for test sites, where you want to hide the site
|
|
|
|
* away from prying eyes, but still be able to test the regular log-in features of the site.
|
|
|
|
*
|
|
|
|
* If you are including conf/ConfigureFromEnv.php in your _config.php file, you can also enable
|
|
|
|
* this feature by adding this line to your _ss_environment.php:
|
|
|
|
*
|
|
|
|
* define('SS_USE_BASIC_AUTH', true);
|
|
|
|
*
|
|
|
|
* @param $protect Set this to false to disable protection.
|
|
|
|
*/
|
|
|
|
static function protect_entire_site($protect = true) {
|
|
|
|
return self::$entire_site_protected = $protect;
|
|
|
|
}
|
2007-07-19 12:40:28 +02:00
|
|
|
|
2009-11-15 22:24:58 +01:00
|
|
|
/**
|
|
|
|
* @deprecated Use BasicAuth::protect_entire_site() instead.
|
|
|
|
*/
|
|
|
|
static function enable() {
|
2009-11-16 00:43:30 +01:00
|
|
|
user_error("BasicAuth::enable() is deprecated. Use BasicAuth::protect_entire_site() instead.", E_USER_NOTICE);
|
2009-11-15 22:24:58 +01:00
|
|
|
return self::protect_entire_site();
|
2008-08-27 12:52:03 +02:00
|
|
|
}
|
2009-11-15 22:24:58 +01:00
|
|
|
|
|
|
|
/**
|
|
|
|
* @deprecated Use BasicAuth::protect_entire_site(false) instead.
|
|
|
|
*/
|
2007-07-19 12:40:28 +02:00
|
|
|
static function disable() {
|
2009-11-16 00:43:30 +01:00
|
|
|
user_error("BasicAuth::disable() is deprecated. Use BasicAuth::protect_entire_site(false) instead.", E_USER_NOTICE);
|
2009-11-15 22:24:58 +01:00
|
|
|
return self::protect_entire_site(false);
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Call {@link BasicAuth::requireLogin()} if {@link BasicAuth::protect_entire_site()} has been called.
|
|
|
|
* This is a helper function used by Controller.
|
|
|
|
*/
|
|
|
|
static function protect_site_if_necessary() {
|
|
|
|
if(self::$entire_site_protected) {
|
2010-10-15 03:18:07 +02:00
|
|
|
// The test-site protection should ignore the session log-in; otherwise it's difficult
|
|
|
|
// to test the log-in features of your site
|
|
|
|
self::requireLogin("SilverStripe test website. Use your CMS login.", "ADMIN", false);
|
2009-11-15 22:24:58 +01:00
|
|
|
}
|
2007-07-19 12:40:28 +02:00
|
|
|
}
|
2009-11-15 22:24:58 +01:00
|
|
|
|
2009-03-10 23:08:52 +01:00
|
|
|
}
|