mirror of
https://github.com/silverstripe/silverstripe-framework
synced 2024-10-22 14:05:37 +02:00
Remove merge artifact
This commit is contained in:
parent
c22726bfd7
commit
052f11a427
@ -1,2045 +0,0 @@
|
||||
<?php
|
||||
/**
|
||||
* The member class which represents the users of the system
|
||||
*
|
||||
* @package framework
|
||||
* @subpackage security
|
||||
*
|
||||
* @property string $FirstName
|
||||
* @property string $Surname
|
||||
* @property string $Email
|
||||
* @property string $Password
|
||||
* @property string $RememberLoginToken
|
||||
* @property string $TempIDHash
|
||||
* @property string $TempIDExpired
|
||||
* @property int $NumVisit @deprecated 4.0
|
||||
* @property string $LastVisited @deprecated 4.0
|
||||
* @property string $AutoLoginHash
|
||||
* @property string $AutoLoginExpired
|
||||
* @property string $PasswordEncryption
|
||||
* @property string $Salt
|
||||
* @property string $PasswordExpiry
|
||||
* @property string $LockedOutUntil
|
||||
* @property string $Locale
|
||||
* @property int $FailedLoginCount
|
||||
* @property string $DateFormat
|
||||
* @property string $TimeFormat
|
||||
*/
|
||||
class Member extends DataObject implements TemplateGlobalProvider {
|
||||
|
||||
private static $db = array(
|
||||
'FirstName' => 'Varchar',
|
||||
'Surname' => 'Varchar',
|
||||
'Email' => 'Varchar(254)', // See RFC 5321, Section 4.5.3.1.3. (256 minus the < and > character)
|
||||
'TempIDHash' => 'Varchar(160)', // Temporary id used for cms re-authentication
|
||||
'TempIDExpired' => 'SS_Datetime', // Expiry of temp login
|
||||
'Password' => 'Varchar(160)',
|
||||
'RememberLoginToken' => 'Varchar(160)', // Note: this currently holds a hash, not a token.
|
||||
'NumVisit' => 'Int', // @deprecated 4.0
|
||||
'LastVisited' => 'SS_Datetime', // @deprecated 4.0
|
||||
'AutoLoginHash' => 'Varchar(160)', // Used to auto-login the user on password reset
|
||||
'AutoLoginExpired' => 'SS_Datetime',
|
||||
// This is an arbitrary code pointing to a PasswordEncryptor instance,
|
||||
// not an actual encryption algorithm.
|
||||
// Warning: Never change this field after its the first password hashing without
|
||||
// providing a new cleartext password as well.
|
||||
'PasswordEncryption' => "Varchar(50)",
|
||||
'Salt' => 'Varchar(50)',
|
||||
'PasswordExpiry' => 'Date',
|
||||
'LockedOutUntil' => 'SS_Datetime',
|
||||
'Locale' => 'Varchar(6)',
|
||||
// handled in registerFailedLogin(), only used if $lock_out_after_incorrect_logins is set
|
||||
'FailedLoginCount' => 'Int',
|
||||
// In ISO format
|
||||
'DateFormat' => 'Varchar(30)',
|
||||
'TimeFormat' => 'Varchar(30)',
|
||||
);
|
||||
|
||||
private static $belongs_many_many = array(
|
||||
'Groups' => 'Group',
|
||||
);
|
||||
|
||||
private static $has_one = array();
|
||||
|
||||
private static $has_many = array(
|
||||
'LoggedPasswords' => 'MemberPassword',
|
||||
);
|
||||
|
||||
private static $many_many = array();
|
||||
|
||||
private static $many_many_extraFields = array();
|
||||
|
||||
private static $default_sort = '"Surname", "FirstName"';
|
||||
|
||||
private static $indexes = array(
|
||||
'Email' => true,
|
||||
//Removed due to duplicate null values causing MSSQL problems
|
||||
//'AutoLoginHash' => Array('type'=>'unique', 'value'=>'AutoLoginHash', 'ignoreNulls'=>true)
|
||||
);
|
||||
|
||||
/**
|
||||
* @config
|
||||
* @var boolean
|
||||
*/
|
||||
private static $notify_password_change = false;
|
||||
|
||||
/**
|
||||
* Flag whether or not member visits should be logged (count only)
|
||||
*
|
||||
* @deprecated 4.0
|
||||
* @var bool
|
||||
* @config
|
||||
*/
|
||||
private static $log_last_visited = true;
|
||||
|
||||
/**
|
||||
* Flag whether we should count number of visits
|
||||
*
|
||||
* @deprecated 4.0
|
||||
* @var bool
|
||||
* @config
|
||||
*/
|
||||
private static $log_num_visits = true;
|
||||
|
||||
/**
|
||||
* All searchable database columns
|
||||
* in this object, currently queried
|
||||
* with a "column LIKE '%keywords%'
|
||||
* statement.
|
||||
*
|
||||
* @var array
|
||||
* @todo Generic implementation of $searchable_fields on DataObject,
|
||||
* with definition for different searching algorithms
|
||||
* (LIKE, FULLTEXT) and default FormFields to construct a searchform.
|
||||
*/
|
||||
private static $searchable_fields = array(
|
||||
'FirstName',
|
||||
'Surname',
|
||||
'Email',
|
||||
);
|
||||
|
||||
/**
|
||||
* @config
|
||||
* @var array
|
||||
*/
|
||||
private static $summary_fields = array(
|
||||
'FirstName',
|
||||
'Surname',
|
||||
'Email',
|
||||
);
|
||||
|
||||
/**
|
||||
* @config
|
||||
* @var array
|
||||
*/
|
||||
private static $casting = array(
|
||||
'Name' => 'Varchar',
|
||||
);
|
||||
|
||||
/**
|
||||
* Internal-use only fields
|
||||
*
|
||||
* @config
|
||||
* @var array
|
||||
*/
|
||||
private static $hidden_fields = array(
|
||||
'RememberLoginToken',
|
||||
'AutoLoginHash',
|
||||
'AutoLoginExpired',
|
||||
'PasswordEncryption',
|
||||
'PasswordExpiry',
|
||||
'LockedOutUntil',
|
||||
'TempIDHash',
|
||||
'TempIDExpired',
|
||||
'Salt',
|
||||
'NumVisit', // @deprecated 4.0
|
||||
);
|
||||
|
||||
/**
|
||||
* @config
|
||||
* @var Array See {@link set_title_columns()}
|
||||
*/
|
||||
private static $title_format = null;
|
||||
|
||||
/**
|
||||
* The unique field used to identify this member.
|
||||
* By default, it's "Email", but another common
|
||||
* field could be Username.
|
||||
*
|
||||
* @config
|
||||
* @var string
|
||||
*/
|
||||
private static $unique_identifier_field = 'Email';
|
||||
|
||||
/**
|
||||
* @config
|
||||
* {@link PasswordValidator} object for validating user's password
|
||||
*/
|
||||
private static $password_validator = null;
|
||||
|
||||
/**
|
||||
* @config
|
||||
* The number of days that a password should be valid for.
|
||||
* By default, this is null, which means that passwords never expire
|
||||
*/
|
||||
private static $password_expiry_days = null;
|
||||
|
||||
/**
|
||||
* @config
|
||||
* @var Int Number of incorrect logins after which
|
||||
* the user is blocked from further attempts for the timespan
|
||||
* defined in {@link $lock_out_delay_mins}.
|
||||
*/
|
||||
private static $lock_out_after_incorrect_logins = 10;
|
||||
|
||||
/**
|
||||
* @config
|
||||
* @var integer Minutes of enforced lockout after incorrect password attempts.
|
||||
* Only applies if {@link $lock_out_after_incorrect_logins} greater than 0.
|
||||
*/
|
||||
private static $lock_out_delay_mins = 15;
|
||||
|
||||
/**
|
||||
* @config
|
||||
* @var String If this is set, then a session cookie with the given name will be set on log-in,
|
||||
* and cleared on logout.
|
||||
*/
|
||||
private static $login_marker_cookie = null;
|
||||
|
||||
/**
|
||||
* Indicates that when a {@link Member} logs in, Member:session_regenerate_id()
|
||||
* should be called as a security precaution.
|
||||
*
|
||||
* This doesn't always work, especially if you're trying to set session cookies
|
||||
* across an entire site using the domain parameter to session_set_cookie_params()
|
||||
*
|
||||
* @config
|
||||
* @var boolean
|
||||
*/
|
||||
private static $session_regenerate_id = true;
|
||||
|
||||
|
||||
/**
|
||||
* Default lifetime of temporary ids.
|
||||
*
|
||||
* This is the period within which a user can be re-authenticated within the CMS by entering only their password
|
||||
* and without losing their workspace.
|
||||
*
|
||||
* Any session expiration outside of this time will require them to login from the frontend using their full
|
||||
* username and password.
|
||||
*
|
||||
* Defaults to 72 hours. Set to zero to disable expiration.
|
||||
*
|
||||
* @config
|
||||
* @var int Lifetime in seconds
|
||||
*/
|
||||
private static $temp_id_lifetime = 259200;
|
||||
|
||||
/**
|
||||
* @deprecated 4.0 Use the "Member.session_regenerate_id" config setting instead
|
||||
*/
|
||||
public static function set_session_regenerate_id($bool) {
|
||||
Deprecation::notice('4.0', 'Use the "Member.session_regenerate_id" config setting instead');
|
||||
self::config()->session_regenerate_id = $bool;
|
||||
}
|
||||
|
||||
/**
|
||||
* Ensure the locale is set to something sensible by default.
|
||||
*/
|
||||
public function populateDefaults() {
|
||||
parent::populateDefaults();
|
||||
$this->Locale = i18n::get_closest_translation(i18n::get_locale());
|
||||
}
|
||||
|
||||
public function requireDefaultRecords() {
|
||||
parent::requireDefaultRecords();
|
||||
// Default groups should've been built by Group->requireDefaultRecords() already
|
||||
static::default_admin();
|
||||
}
|
||||
|
||||
/**
|
||||
* Get the default admin record if it exists, or creates it otherwise if enabled
|
||||
*
|
||||
* @return Member
|
||||
*/
|
||||
public static function default_admin() {
|
||||
// Check if set
|
||||
if(!Security::has_default_admin()) return null;
|
||||
|
||||
// Find or create ADMIN group
|
||||
singleton('Group')->requireDefaultRecords();
|
||||
$adminGroup = Permission::get_groups_by_permission('ADMIN')->First();
|
||||
|
||||
// Find member
|
||||
$admin = Member::get()
|
||||
->filter('Email', Security::default_admin_username())
|
||||
->first();
|
||||
if(!$admin) {
|
||||
// 'Password' is not set to avoid creating
|
||||
// persistent logins in the database. See Security::setDefaultAdmin().
|
||||
// Set 'Email' to identify this as the default admin
|
||||
$admin = Member::create();
|
||||
$admin->FirstName = _t('Member.DefaultAdminFirstname', 'Default Admin');
|
||||
$admin->Email = Security::default_admin_username();
|
||||
$admin->write();
|
||||
}
|
||||
|
||||
// Ensure this user is in the admin group
|
||||
if(!$admin->inGroup($adminGroup)) {
|
||||
// Add member to group instead of adding group to member
|
||||
// This bypasses the privilege escallation code in Member_GroupSet
|
||||
$adminGroup
|
||||
->DirectMembers()
|
||||
->add($admin);
|
||||
}
|
||||
|
||||
return $admin;
|
||||
}
|
||||
|
||||
/**
|
||||
* If this is called, then a session cookie will be set to "1" whenever a user
|
||||
* logs in. This lets 3rd party tools, such as apache's mod_rewrite, detect
|
||||
* whether a user is logged in or not and alter behaviour accordingly.
|
||||
*
|
||||
* One known use of this is to bypass static caching for logged in users. This is
|
||||
* done by putting this into _config.php
|
||||
* <pre>
|
||||
* Member::set_login_marker_cookie("SS_LOGGED_IN");
|
||||
* </pre>
|
||||
*
|
||||
* And then adding this condition to each of the rewrite rules that make use of
|
||||
* the static cache.
|
||||
* <pre>
|
||||
* RewriteCond %{HTTP_COOKIE} !SS_LOGGED_IN=1
|
||||
* </pre>
|
||||
*
|
||||
* @deprecated 4.0 Use the "Member.login_marker_cookie" config setting instead
|
||||
* @param $cookieName string The name of the cookie to set.
|
||||
*/
|
||||
public static function set_login_marker_cookie($cookieName) {
|
||||
Deprecation::notice('4.0', 'Use the "Member.login_marker_cookie" config setting instead');
|
||||
self::config()->login_marker_cookie = $cookieName;
|
||||
}
|
||||
|
||||
/**
|
||||
* Check if the passed password matches the stored one (if the member is not locked out).
|
||||
*
|
||||
* @param string $password
|
||||
* @return ValidationResult
|
||||
*/
|
||||
public function checkPassword($password) {
|
||||
$result = $this->canLogIn();
|
||||
|
||||
// Short-circuit the result upon failure, no further checks needed.
|
||||
if (!$result->valid()) {
|
||||
return $result;
|
||||
}
|
||||
|
||||
// Allow default admin to login as self
|
||||
if($this->isDefaultAdmin() && Security::check_default_admin($this->Email, $password)) {
|
||||
return $result;
|
||||
}
|
||||
|
||||
// Check a password is set on this member
|
||||
if(empty($this->Password) && $this->exists()) {
|
||||
$result->error(_t('Member.NoPassword','There is no password on this member.'));
|
||||
return $result;
|
||||
}
|
||||
|
||||
$e = PasswordEncryptor::create_for_algorithm($this->PasswordEncryption);
|
||||
if(!$e->check($this->Password, $password, $this->Salt, $this)) {
|
||||
$result->error(_t (
|
||||
'Member.ERRORWRONGCRED',
|
||||
'The provided details don\'t seem to be correct. Please try again.'
|
||||
));
|
||||
}
|
||||
|
||||
return $result;
|
||||
}
|
||||
|
||||
/**
|
||||
* Check if this user is the currently configured default admin
|
||||
*
|
||||
* @return bool
|
||||
*/
|
||||
public function isDefaultAdmin() {
|
||||
return Security::has_default_admin()
|
||||
&& $this->Email === Security::default_admin_username();
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns a valid {@link ValidationResult} if this member can currently log in, or an invalid
|
||||
* one with error messages to display if the member is locked out.
|
||||
*
|
||||
* You can hook into this with a "canLogIn" method on an attached extension.
|
||||
*
|
||||
* @return ValidationResult
|
||||
*/
|
||||
public function canLogIn() {
|
||||
$result = ValidationResult::create();
|
||||
|
||||
if($this->isLockedOut()) {
|
||||
$result->error(
|
||||
_t(
|
||||
'Member.ERRORLOCKEDOUT2',
|
||||
'Your account has been temporarily disabled because of too many failed attempts at ' .
|
||||
'logging in. Please try again in {count} minutes.',
|
||||
null,
|
||||
array('count' => $this->config()->lock_out_delay_mins)
|
||||
)
|
||||
);
|
||||
}
|
||||
|
||||
$this->extend('canLogIn', $result);
|
||||
return $result;
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns true if this user is locked out
|
||||
*/
|
||||
public function isLockedOut() {
|
||||
$state = true;
|
||||
if ($this->LockedOutUntil && $this->dbObject('LockedOutUntil')->InFuture()) {
|
||||
$state = true;
|
||||
} elseif ($this->config()->lock_out_after_incorrect_logins <= 0) {
|
||||
$state = false;
|
||||
} else {
|
||||
|
||||
<<<<<<< HEAD
|
||||
$attempts = LoginAttempt::get()->filter($filter = array(
|
||||
'Email' => $this->{static::config()->unique_identifier_field},
|
||||
))->sort('Created', 'DESC')->limit($this->config()->lock_out_after_incorrect_logins);
|
||||
=======
|
||||
$email = $this->{static::config()->unique_identifier_field};
|
||||
$attempts = LoginAttempt::getByEmail($email)
|
||||
->sort('Created', 'DESC')
|
||||
->limit($this->config()->lock_out_after_incorrect_logins);
|
||||
>>>>>>> silverstripe-security/3.5
|
||||
|
||||
if ($attempts->count() < $this->config()->lock_out_after_incorrect_logins) {
|
||||
$state = false;
|
||||
} else {
|
||||
|
||||
$success = false;
|
||||
foreach ($attempts as $attempt) {
|
||||
if ($attempt->Status === 'Success') {
|
||||
$success = true;
|
||||
$state = false;
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
if (!$success) {
|
||||
$lockedOutUntil = $attempts->first()->dbObject('Created')->Format('U')
|
||||
+ ($this->config()->lock_out_delay_mins * 60);
|
||||
if (SS_Datetime::now()->Format('U') < $lockedOutUntil) {
|
||||
$state = true;
|
||||
} else {
|
||||
$state = false;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
$this->extend('updateIsLockedOut', $state);
|
||||
return $state;
|
||||
}
|
||||
|
||||
/**
|
||||
* Regenerate the session_id.
|
||||
* This wrapper is here to make it easier to disable calls to session_regenerate_id(), should you need to.
|
||||
* They have caused problems in certain
|
||||
* quirky problems (such as using the Windmill 0.3.6 proxy).
|
||||
*/
|
||||
public static function session_regenerate_id() {
|
||||
if(!self::config()->session_regenerate_id) return;
|
||||
|
||||
// This can be called via CLI during testing.
|
||||
if(Director::is_cli()) return;
|
||||
|
||||
$file = '';
|
||||
$line = '';
|
||||
|
||||
// @ is to supress win32 warnings/notices when session wasn't cleaned up properly
|
||||
// There's nothing we can do about this, because it's an operating system function!
|
||||
if(!headers_sent($file, $line)) @session_regenerate_id(true);
|
||||
}
|
||||
|
||||
/**
|
||||
* Get the field used for uniquely identifying a member
|
||||
* in the database. {@see Member::$unique_identifier_field}
|
||||
*
|
||||
* @deprecated 4.0 Use the "Member.unique_identifier_field" config setting instead
|
||||
* @return string
|
||||
*/
|
||||
public static function get_unique_identifier_field() {
|
||||
Deprecation::notice('4.0', 'Use the "Member.unique_identifier_field" config setting instead');
|
||||
return Member::config()->unique_identifier_field;
|
||||
}
|
||||
|
||||
/**
|
||||
* Set the field used for uniquely identifying a member
|
||||
* in the database. {@see Member::$unique_identifier_field}
|
||||
*
|
||||
* @deprecated 4.0 Use the "Member.unique_identifier_field" config setting instead
|
||||
* @param $field The field name to set as the unique field
|
||||
*/
|
||||
public static function set_unique_identifier_field($field) {
|
||||
Deprecation::notice('4.0', 'Use the "Member.unique_identifier_field" config setting instead');
|
||||
Member::config()->unique_identifier_field = $field;
|
||||
}
|
||||
|
||||
/**
|
||||
* Set a {@link PasswordValidator} object to use to validate member's passwords.
|
||||
*/
|
||||
public static function set_password_validator($pv) {
|
||||
self::$password_validator = $pv;
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns the current {@link PasswordValidator}
|
||||
*/
|
||||
public static function password_validator() {
|
||||
return self::$password_validator;
|
||||
}
|
||||
|
||||
/**
|
||||
* Set the number of days that a password should be valid for.
|
||||
* Set to null (the default) to have passwords never expire.
|
||||
*
|
||||
* @deprecated 4.0 Use the "Member.password_expiry_days" config setting instead
|
||||
*/
|
||||
public static function set_password_expiry($days) {
|
||||
Deprecation::notice('4.0', 'Use the "Member.password_expiry_days" config setting instead');
|
||||
self::config()->password_expiry_days = $days;
|
||||
}
|
||||
|
||||
/**
|
||||
* Configure the security system to lock users out after this many incorrect logins
|
||||
*
|
||||
* @deprecated 4.0 Use the "Member.lock_out_after_incorrect_logins" config setting instead
|
||||
*/
|
||||
public static function lock_out_after_incorrect_logins($numLogins) {
|
||||
Deprecation::notice('4.0', 'Use the "Member.lock_out_after_incorrect_logins" config setting instead');
|
||||
self::config()->lock_out_after_incorrect_logins = $numLogins;
|
||||
}
|
||||
|
||||
|
||||
public function isPasswordExpired() {
|
||||
if(!$this->PasswordExpiry) return false;
|
||||
return strtotime(date('Y-m-d')) >= strtotime($this->PasswordExpiry);
|
||||
}
|
||||
|
||||
/**
|
||||
* Logs this member in
|
||||
*
|
||||
* @param bool $remember If set to TRUE, the member will be logged in automatically the next time.
|
||||
*/
|
||||
public function logIn($remember = false) {
|
||||
$this->extend('beforeMemberLoggedIn');
|
||||
|
||||
self::session_regenerate_id();
|
||||
|
||||
Session::set("loggedInAs", $this->ID);
|
||||
// This lets apache rules detect whether the user has logged in
|
||||
if(Member::config()->login_marker_cookie) Cookie::set(Member::config()->login_marker_cookie, 1, 0);
|
||||
|
||||
$this->addVisit();
|
||||
|
||||
// Only set the cookie if autologin is enabled
|
||||
if($remember && Security::config()->autologin_enabled) {
|
||||
// Store the hash and give the client the cookie with the token.
|
||||
$generator = new RandomGenerator();
|
||||
$token = $generator->randomToken('sha1');
|
||||
$hash = $this->encryptWithUserSettings($token);
|
||||
$this->RememberLoginToken = $hash;
|
||||
Cookie::set('alc_enc', $this->ID . ':' . $token, 90, null, null, null, true);
|
||||
} else {
|
||||
$this->RememberLoginToken = null;
|
||||
Cookie::force_expiry('alc_enc');
|
||||
}
|
||||
|
||||
// Clear the incorrect log-in count
|
||||
$this->registerSuccessfulLogin();
|
||||
|
||||
// Don't set column if its not built yet (the login might be precursor to a /dev/build...)
|
||||
if(array_key_exists('LockedOutUntil', DB::field_list('Member'))) {
|
||||
$this->LockedOutUntil = null;
|
||||
}
|
||||
|
||||
$this->regenerateTempID();
|
||||
|
||||
$this->write();
|
||||
|
||||
// Audit logging hook
|
||||
$this->extend('memberLoggedIn');
|
||||
}
|
||||
|
||||
/**
|
||||
* @deprecated 4.0
|
||||
*/
|
||||
public function addVisit() {
|
||||
if($this->config()->log_num_visits) {
|
||||
Deprecation::notice(
|
||||
'4.0',
|
||||
'Member::$NumVisit is deprecated. From 4.0 onwards you should implement this as a custom extension'
|
||||
);
|
||||
$this->NumVisit++;
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Trigger regeneration of TempID.
|
||||
*
|
||||
* This should be performed any time the user presents their normal identification (normally Email)
|
||||
* and is successfully authenticated.
|
||||
*/
|
||||
public function regenerateTempID() {
|
||||
$generator = new RandomGenerator();
|
||||
$this->TempIDHash = $generator->randomToken('sha1');
|
||||
$this->TempIDExpired = self::config()->temp_id_lifetime
|
||||
? date('Y-m-d H:i:s', strtotime(SS_Datetime::now()->getValue()) + self::config()->temp_id_lifetime)
|
||||
: null;
|
||||
$this->write();
|
||||
}
|
||||
|
||||
/**
|
||||
* Check if the member ID logged in session actually
|
||||
* has a database record of the same ID. If there is
|
||||
* no logged in user, FALSE is returned anyway.
|
||||
*
|
||||
* @return boolean TRUE record found FALSE no record found
|
||||
*/
|
||||
public static function logged_in_session_exists() {
|
||||
if($id = Member::currentUserID()) {
|
||||
if($member = DataObject::get_by_id('Member', $id)) {
|
||||
if($member->exists()) return true;
|
||||
}
|
||||
}
|
||||
|
||||
return false;
|
||||
}
|
||||
|
||||
/**
|
||||
* Log the user in if the "remember login" cookie is set
|
||||
*
|
||||
* The <i>remember login token</i> will be changed on every successful
|
||||
* auto-login.
|
||||
*/
|
||||
public static function autoLogin() {
|
||||
// Don't bother trying this multiple times
|
||||
self::$_already_tried_to_auto_log_in = true;
|
||||
|
||||
if(!Security::config()->autologin_enabled
|
||||
|| strpos(Cookie::get('alc_enc'), ':') === false
|
||||
|| Session::get("loggedInAs")
|
||||
|| !Security::database_is_ready()
|
||||
) {
|
||||
return;
|
||||
}
|
||||
|
||||
list($uid, $token) = explode(':', Cookie::get('alc_enc'), 2);
|
||||
|
||||
if (!$uid || !$token) {
|
||||
return;
|
||||
}
|
||||
|
||||
$member = DataObject::get_by_id("Member", $uid);
|
||||
|
||||
// check if autologin token matches
|
||||
if($member) {
|
||||
$hash = $member->encryptWithUserSettings($token);
|
||||
if(!$member->RememberLoginToken || $member->RememberLoginToken !== $hash) {
|
||||
$member = null;
|
||||
}
|
||||
}
|
||||
|
||||
if($member) {
|
||||
self::session_regenerate_id();
|
||||
Session::set("loggedInAs", $member->ID);
|
||||
// This lets apache rules detect whether the user has logged in
|
||||
if(Member::config()->login_marker_cookie) {
|
||||
Cookie::set(Member::config()->login_marker_cookie, 1, 0, null, null, false, true);
|
||||
}
|
||||
|
||||
$generator = new RandomGenerator();
|
||||
$token = $generator->randomToken('sha1');
|
||||
$hash = $member->encryptWithUserSettings($token);
|
||||
$member->RememberLoginToken = $hash;
|
||||
Cookie::set('alc_enc', $member->ID . ':' . $token, 90, null, null, false, true);
|
||||
|
||||
$member->addVisit();
|
||||
$member->write();
|
||||
|
||||
// Audit logging hook
|
||||
$member->extend('memberAutoLoggedIn');
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Logs this member out.
|
||||
*/
|
||||
public function logOut() {
|
||||
$this->extend('beforeMemberLoggedOut');
|
||||
|
||||
Session::clear("loggedInAs");
|
||||
if(Member::config()->login_marker_cookie) Cookie::set(Member::config()->login_marker_cookie, null, 0);
|
||||
|
||||
Session::destroy();
|
||||
|
||||
$this->extend('memberLoggedOut');
|
||||
|
||||
$this->RememberLoginToken = null;
|
||||
Cookie::force_expiry('alc_enc');
|
||||
|
||||
// Switch back to live in order to avoid infinite loops when
|
||||
// redirecting to the login screen (if this login screen is versioned)
|
||||
Session::clear('readingMode');
|
||||
|
||||
$this->write();
|
||||
|
||||
// Audit logging hook
|
||||
$this->extend('memberLoggedOut');
|
||||
}
|
||||
|
||||
/**
|
||||
* Utility for generating secure password hashes for this member.
|
||||
*/
|
||||
public function encryptWithUserSettings($string) {
|
||||
if (!$string) return null;
|
||||
|
||||
// If the algorithm or salt is not available, it means we are operating
|
||||
// on legacy account with unhashed password. Do not hash the string.
|
||||
if (!$this->PasswordEncryption) {
|
||||
return $string;
|
||||
}
|
||||
|
||||
// We assume we have PasswordEncryption and Salt available here.
|
||||
$e = PasswordEncryptor::create_for_algorithm($this->PasswordEncryption);
|
||||
return $e->encrypt($string, $this->Salt);
|
||||
|
||||
}
|
||||
|
||||
/**
|
||||
* Generate an auto login token which can be used to reset the password,
|
||||
* at the same time hashing it and storing in the database.
|
||||
*
|
||||
* @param int $lifetime The lifetime of the auto login hash in days (by default 2 days)
|
||||
*
|
||||
* @returns string Token that should be passed to the client (but NOT persisted).
|
||||
*
|
||||
* @todo Make it possible to handle database errors such as a "duplicate key" error
|
||||
*/
|
||||
public function generateAutologinTokenAndStoreHash($lifetime = 2) {
|
||||
do {
|
||||
$generator = new RandomGenerator();
|
||||
$token = $generator->randomToken();
|
||||
$hash = $this->encryptWithUserSettings($token);
|
||||
} while(DataObject::get_one('Member', array(
|
||||
'"Member"."AutoLoginHash"' => $hash
|
||||
)));
|
||||
|
||||
$this->AutoLoginHash = $hash;
|
||||
$this->AutoLoginExpired = date('Y-m-d H:i:s', time() + (86400 * $lifetime));
|
||||
|
||||
$this->write();
|
||||
|
||||
return $token;
|
||||
}
|
||||
|
||||
/**
|
||||
* Check the token against the member.
|
||||
*
|
||||
* @param string $autologinToken
|
||||
*
|
||||
* @returns bool Is token valid?
|
||||
*/
|
||||
public function validateAutoLoginToken($autologinToken) {
|
||||
$hash = $this->encryptWithUserSettings($autologinToken);
|
||||
$member = self::member_from_autologinhash($hash, false);
|
||||
return (bool)$member;
|
||||
}
|
||||
|
||||
/**
|
||||
* Return the member for the auto login hash
|
||||
*
|
||||
* @param string $hash The hash key
|
||||
* @param bool $login Should the member be logged in?
|
||||
*
|
||||
* @return Member the matching member, if valid
|
||||
* @return Member
|
||||
*/
|
||||
public static function member_from_autologinhash($hash, $login = false) {
|
||||
|
||||
$nowExpression = DB::get_conn()->now();
|
||||
$member = DataObject::get_one('Member', array(
|
||||
"\"Member\".\"AutoLoginHash\"" => $hash,
|
||||
"\"Member\".\"AutoLoginExpired\" > $nowExpression" // NOW() can't be parameterised
|
||||
));
|
||||
|
||||
if($login && $member) $member->logIn();
|
||||
|
||||
return $member;
|
||||
}
|
||||
|
||||
/**
|
||||
* Find a member record with the given TempIDHash value
|
||||
*
|
||||
* @param string $tempid
|
||||
* @return Member
|
||||
*/
|
||||
public static function member_from_tempid($tempid) {
|
||||
$members = Member::get()
|
||||
->filter('TempIDHash', $tempid);
|
||||
|
||||
// Exclude expired
|
||||
if(static::config()->temp_id_lifetime) {
|
||||
$members = $members->filter('TempIDExpired:GreaterThan', SS_Datetime::now()->getValue());
|
||||
}
|
||||
|
||||
return $members->first();
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns the fields for the member form - used in the registration/profile module.
|
||||
* It should return fields that are editable by the admin and the logged-in user.
|
||||
*
|
||||
* @return FieldList Returns a {@link FieldList} containing the fields for
|
||||
* the member form.
|
||||
*/
|
||||
public function getMemberFormFields() {
|
||||
$fields = parent::getFrontendFields();
|
||||
|
||||
$fields->replaceField('Password', $this->getMemberPasswordField());
|
||||
|
||||
$fields->replaceField('Locale', new DropdownField (
|
||||
'Locale',
|
||||
$this->fieldLabel('Locale'),
|
||||
i18n::get_existing_translations()
|
||||
));
|
||||
|
||||
$fields->removeByName(static::config()->hidden_fields);
|
||||
$fields->removeByName('LastVisited');
|
||||
$fields->removeByName('FailedLoginCount');
|
||||
|
||||
|
||||
$this->extend('updateMemberFormFields', $fields);
|
||||
return $fields;
|
||||
}
|
||||
|
||||
/**
|
||||
* Builds "Change / Create Password" field for this member
|
||||
*
|
||||
* @return ConfirmedPasswordField
|
||||
*/
|
||||
public function getMemberPasswordField() {
|
||||
$editingPassword = $this->isInDB();
|
||||
$label = $editingPassword
|
||||
? _t('Member.EDIT_PASSWORD', 'New Password')
|
||||
: $this->fieldLabel('Password');
|
||||
/** @var ConfirmedPasswordField $password */
|
||||
$password = ConfirmedPasswordField::create(
|
||||
'Password',
|
||||
$label,
|
||||
null,
|
||||
null,
|
||||
$editingPassword
|
||||
);
|
||||
|
||||
// If editing own password, require confirmation of existing
|
||||
if($editingPassword && $this->ID == Member::currentUserID()) {
|
||||
$password->setRequireExistingPassword(true);
|
||||
}
|
||||
|
||||
$password->setCanBeEmpty(true);
|
||||
$this->extend('updateMemberPasswordField', $password);
|
||||
return $password;
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* Returns the {@link RequiredFields} instance for the Member object. This
|
||||
* Validator is used when saving a {@link CMSProfileController} or added to
|
||||
* any form responsible for saving a users data.
|
||||
*
|
||||
* To customize the required fields, add a {@link DataExtension} to member
|
||||
* calling the `updateValidator()` method.
|
||||
*
|
||||
* @return Member_Validator
|
||||
*/
|
||||
public function getValidator() {
|
||||
$validator = Injector::inst()->create('Member_Validator');
|
||||
$validator->setForMember($this);
|
||||
$this->extend('updateValidator', $validator);
|
||||
|
||||
return $validator;
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* Returns the current logged in user
|
||||
*
|
||||
* @return Member|null
|
||||
*/
|
||||
public static function currentUser() {
|
||||
$id = Member::currentUserID();
|
||||
|
||||
if($id) {
|
||||
return DataObject::get_by_id('Member', $id) ?: null;
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Get the ID of the current logged in user
|
||||
*
|
||||
* @return int Returns the ID of the current logged in user or 0.
|
||||
*/
|
||||
public static function currentUserID() {
|
||||
$id = Session::get("loggedInAs");
|
||||
if(!$id && !self::$_already_tried_to_auto_log_in) {
|
||||
self::autoLogin();
|
||||
$id = Session::get("loggedInAs");
|
||||
}
|
||||
|
||||
return is_numeric($id) ? $id : 0;
|
||||
}
|
||||
private static $_already_tried_to_auto_log_in = false;
|
||||
|
||||
|
||||
/*
|
||||
* Generate a random password, with randomiser to kick in if there's no words file on the
|
||||
* filesystem.
|
||||
*
|
||||
* @return string Returns a random password.
|
||||
*/
|
||||
public static function create_new_password() {
|
||||
$words = Config::inst()->get('Security', 'word_list');
|
||||
|
||||
if($words && file_exists($words)) {
|
||||
$words = file($words);
|
||||
|
||||
list($usec, $sec) = explode(' ', microtime());
|
||||
srand($sec + ((float) $usec * 100000));
|
||||
|
||||
$word = trim($words[rand(0,sizeof($words)-1)]);
|
||||
$number = rand(10,999);
|
||||
|
||||
return $word . $number;
|
||||
} else {
|
||||
$random = rand();
|
||||
$string = md5($random);
|
||||
$output = substr($string, 0, 8);
|
||||
return $output;
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Event handler called before writing to the database.
|
||||
*/
|
||||
public function onBeforeWrite() {
|
||||
if($this->SetPassword) $this->Password = $this->SetPassword;
|
||||
|
||||
// If a member with the same "unique identifier" already exists with a different ID, don't allow merging.
|
||||
// Note: This does not a full replacement for safeguards in the controller layer (e.g. in a registration form),
|
||||
// but rather a last line of defense against data inconsistencies.
|
||||
$identifierField = Member::config()->unique_identifier_field;
|
||||
if($this->$identifierField) {
|
||||
|
||||
// Note: Same logic as Member_Validator class
|
||||
$filter = array("\"$identifierField\"" => $this->$identifierField);
|
||||
if($this->ID) {
|
||||
$filter[] = array('"Member"."ID" <> ?' => $this->ID);
|
||||
}
|
||||
$existingRecord = DataObject::get_one('Member', $filter);
|
||||
|
||||
if($existingRecord) {
|
||||
throw new ValidationException(ValidationResult::create(false, _t(
|
||||
'Member.ValidationIdentifierFailed',
|
||||
'Can\'t overwrite existing member #{id} with identical identifier ({name} = {value}))',
|
||||
'Values in brackets show "fieldname = value", usually denoting an existing email address',
|
||||
array(
|
||||
'id' => $existingRecord->ID,
|
||||
'name' => $identifierField,
|
||||
'value' => $this->$identifierField
|
||||
)
|
||||
)));
|
||||
}
|
||||
}
|
||||
|
||||
// We don't send emails out on dev/tests sites to prevent accidentally spamming users.
|
||||
// However, if TestMailer is in use this isn't a risk.
|
||||
if(
|
||||
(Director::isLive() || Email::mailer() instanceof TestMailer)
|
||||
&& $this->isChanged('Password')
|
||||
&& $this->record['Password']
|
||||
&& $this->config()->notify_password_change
|
||||
) {
|
||||
$e = Member_ChangePasswordEmail::create();
|
||||
$e->populateTemplate($this);
|
||||
$e->setTo($this->Email);
|
||||
$e->send();
|
||||
}
|
||||
|
||||
// The test on $this->ID is used for when records are initially created.
|
||||
// Note that this only works with cleartext passwords, as we can't rehash
|
||||
// existing passwords.
|
||||
if((!$this->ID && $this->Password) || $this->isChanged('Password')) {
|
||||
//reset salt so that it gets regenerated - this will invalidate any persistant login cookies
|
||||
// or other information encrypted with this Member's settings (see self::encryptWithUserSettings)
|
||||
$this->Salt = '';
|
||||
// Password was changed: encrypt the password according the settings
|
||||
$encryption_details = Security::encrypt_password(
|
||||
$this->Password, // this is assumed to be cleartext
|
||||
$this->Salt,
|
||||
$this->isChanged('PasswordEncryption') ? $this->PasswordEncryption : null,
|
||||
$this
|
||||
);
|
||||
|
||||
// Overwrite the Password property with the hashed value
|
||||
$this->Password = $encryption_details['password'];
|
||||
$this->Salt = $encryption_details['salt'];
|
||||
$this->PasswordEncryption = $encryption_details['algorithm'];
|
||||
|
||||
// If we haven't manually set a password expiry
|
||||
if(!$this->isChanged('PasswordExpiry')) {
|
||||
// then set it for us
|
||||
if(self::config()->password_expiry_days) {
|
||||
$this->PasswordExpiry = date('Y-m-d', time() + 86400 * self::config()->password_expiry_days);
|
||||
} else {
|
||||
$this->PasswordExpiry = null;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// save locale
|
||||
if(!$this->Locale) {
|
||||
$this->Locale = i18n::get_locale();
|
||||
}
|
||||
|
||||
parent::onBeforeWrite();
|
||||
}
|
||||
|
||||
public function onAfterWrite() {
|
||||
parent::onAfterWrite();
|
||||
|
||||
Permission::flush_permission_cache();
|
||||
|
||||
if($this->isChanged('Password')) {
|
||||
MemberPassword::log($this);
|
||||
}
|
||||
}
|
||||
|
||||
public function onAfterDelete() {
|
||||
parent::onAfterDelete();
|
||||
|
||||
//prevent orphaned records remaining in the DB
|
||||
$this->deletePasswordLogs();
|
||||
}
|
||||
|
||||
/**
|
||||
* Delete the MemberPassword objects that are associated to this user
|
||||
*
|
||||
* @return self
|
||||
*/
|
||||
protected function deletePasswordLogs() {
|
||||
foreach ($this->LoggedPasswords() as $password) {
|
||||
$password->delete();
|
||||
$password->destroy();
|
||||
}
|
||||
return $this;
|
||||
}
|
||||
|
||||
/**
|
||||
* Filter out admin groups to avoid privilege escalation,
|
||||
* If any admin groups are requested, deny the whole save operation.
|
||||
*
|
||||
* @param Array $ids Database IDs of Group records
|
||||
* @return boolean True if the change can be accepted
|
||||
*/
|
||||
public function onChangeGroups($ids) {
|
||||
// unless the current user is an admin already OR the logged in user is an admin
|
||||
if(Permission::check('ADMIN') || Permission::checkMember($this, 'ADMIN')) {
|
||||
return true;
|
||||
}
|
||||
|
||||
// If there are no admin groups in this set then it's ok
|
||||
$adminGroups = Permission::get_groups_by_permission('ADMIN');
|
||||
$adminGroupIDs = ($adminGroups) ? $adminGroups->column('ID') : array();
|
||||
return count(array_intersect($ids, $adminGroupIDs)) == 0;
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* Check if the member is in one of the given groups.
|
||||
*
|
||||
* @param array|SS_List $groups Collection of {@link Group} DataObjects to check
|
||||
* @param boolean $strict Only determine direct group membership if set to true (Default: false)
|
||||
* @return bool Returns TRUE if the member is in one of the given groups, otherwise FALSE.
|
||||
*/
|
||||
public function inGroups($groups, $strict = false) {
|
||||
if($groups) foreach($groups as $group) {
|
||||
if($this->inGroup($group, $strict)) return true;
|
||||
}
|
||||
|
||||
return false;
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* Check if the member is in the given group or any parent groups.
|
||||
*
|
||||
* @param int|Group|string $group Group instance, Group Code or ID
|
||||
* @param boolean $strict Only determine direct group membership if set to TRUE (Default: FALSE)
|
||||
* @return bool Returns TRUE if the member is in the given group, otherwise FALSE.
|
||||
*/
|
||||
public function inGroup($group, $strict = false) {
|
||||
if(is_numeric($group)) {
|
||||
$groupCheckObj = DataObject::get_by_id('Group', $group);
|
||||
} elseif(is_string($group)) {
|
||||
$groupCheckObj = DataObject::get_one('Group', array(
|
||||
'"Group"."Code"' => $group
|
||||
));
|
||||
} elseif($group instanceof Group) {
|
||||
$groupCheckObj = $group;
|
||||
} else {
|
||||
user_error('Member::inGroup(): Wrong format for $group parameter', E_USER_ERROR);
|
||||
}
|
||||
|
||||
if(!$groupCheckObj) return false;
|
||||
|
||||
$groupCandidateObjs = ($strict) ? $this->getManyManyComponents("Groups") : $this->Groups();
|
||||
if($groupCandidateObjs) foreach($groupCandidateObjs as $groupCandidateObj) {
|
||||
if($groupCandidateObj->ID == $groupCheckObj->ID) return true;
|
||||
}
|
||||
|
||||
return false;
|
||||
}
|
||||
|
||||
/**
|
||||
* Adds the member to a group. This will create the group if the given
|
||||
* group code does not return a valid group object.
|
||||
*
|
||||
* @param string $groupcode
|
||||
* @param string Title of the group
|
||||
*/
|
||||
public function addToGroupByCode($groupcode, $title = "") {
|
||||
$group = DataObject::get_one('Group', array(
|
||||
'"Group"."Code"' => $groupcode
|
||||
));
|
||||
|
||||
if($group) {
|
||||
$this->Groups()->add($group);
|
||||
} else {
|
||||
if(!$title) $title = $groupcode;
|
||||
|
||||
$group = new Group();
|
||||
$group->Code = $groupcode;
|
||||
$group->Title = $title;
|
||||
$group->write();
|
||||
|
||||
$this->Groups()->add($group);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Removes a member from a group.
|
||||
*
|
||||
* @param string $groupcode
|
||||
*/
|
||||
public function removeFromGroupByCode($groupcode) {
|
||||
$group = Group::get()->filter(array('Code' => $groupcode))->first();
|
||||
|
||||
if($group) {
|
||||
$this->Groups()->remove($group);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* @param Array $columns Column names on the Member record to show in {@link getTitle()}.
|
||||
* @param String $sep Separator
|
||||
*/
|
||||
public static function set_title_columns($columns, $sep = ' ') {
|
||||
if (!is_array($columns)) $columns = array($columns);
|
||||
self::config()->title_format = array('columns' => $columns, 'sep' => $sep);
|
||||
}
|
||||
|
||||
//------------------- HELPER METHODS -----------------------------------//
|
||||
|
||||
/**
|
||||
* Get the complete name of the member, by default in the format "<Surname>, <FirstName>".
|
||||
* Falls back to showing either field on its own.
|
||||
*
|
||||
* You can overload this getter with {@link set_title_format()}
|
||||
* and {@link set_title_sql()}.
|
||||
*
|
||||
* @return string Returns the first- and surname of the member. If the ID
|
||||
* of the member is equal 0, only the surname is returned.
|
||||
*/
|
||||
public function getTitle() {
|
||||
$format = $this->config()->title_format;
|
||||
if ($format) {
|
||||
$values = array();
|
||||
foreach($format['columns'] as $col) {
|
||||
$values[] = $this->getField($col);
|
||||
}
|
||||
return join($format['sep'], $values);
|
||||
}
|
||||
if($this->getField('ID') === 0)
|
||||
return $this->getField('Surname');
|
||||
else{
|
||||
if($this->getField('Surname') && $this->getField('FirstName')){
|
||||
return $this->getField('Surname') . ', ' . $this->getField('FirstName');
|
||||
}elseif($this->getField('Surname')){
|
||||
return $this->getField('Surname');
|
||||
}elseif($this->getField('FirstName')){
|
||||
return $this->getField('FirstName');
|
||||
}else{
|
||||
return null;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Return a SQL CONCAT() fragment suitable for a SELECT statement.
|
||||
* Useful for custom queries which assume a certain member title format.
|
||||
*
|
||||
* @param String $tableName
|
||||
* @return String SQL
|
||||
*/
|
||||
public static function get_title_sql($tableName = 'Member') {
|
||||
// This should be abstracted to SSDatabase concatOperator or similar.
|
||||
$op = (DB::get_conn() instanceof MSSQLDatabase) ? " + " : " || ";
|
||||
|
||||
$format = self::config()->title_format;
|
||||
if ($format) {
|
||||
$columnsWithTablename = array();
|
||||
foreach($format['columns'] as $column) {
|
||||
$columnsWithTablename[] = "\"$tableName\".\"$column\"";
|
||||
}
|
||||
|
||||
return "(".join(" $op '".$format['sep']."' $op ", $columnsWithTablename).")";
|
||||
} else {
|
||||
return "(\"$tableName\".\"Surname\" $op ' ' $op \"$tableName\".\"FirstName\")";
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* Get the complete name of the member
|
||||
*
|
||||
* @return string Returns the first- and surname of the member.
|
||||
*/
|
||||
public function getName() {
|
||||
return ($this->Surname) ? trim($this->FirstName . ' ' . $this->Surname) : $this->FirstName;
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* Set first- and surname
|
||||
*
|
||||
* This method assumes that the last part of the name is the surname, e.g.
|
||||
* <i>A B C</i> will result in firstname <i>A B</i> and surname <i>C</i>
|
||||
*
|
||||
* @param string $name The name
|
||||
*/
|
||||
public function setName($name) {
|
||||
$nameParts = explode(' ', $name);
|
||||
$this->Surname = array_pop($nameParts);
|
||||
$this->FirstName = join(' ', $nameParts);
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* Alias for {@link setName}
|
||||
*
|
||||
* @param string $name The name
|
||||
* @see setName()
|
||||
*/
|
||||
public function splitName($name) {
|
||||
return $this->setName($name);
|
||||
}
|
||||
|
||||
/**
|
||||
* Override the default getter for DateFormat so the
|
||||
* default format for the user's locale is used
|
||||
* if the user has not defined their own.
|
||||
*
|
||||
* @return string ISO date format
|
||||
*/
|
||||
public function getDateFormat() {
|
||||
if($this->getField('DateFormat')) {
|
||||
return $this->getField('DateFormat');
|
||||
} else {
|
||||
return Config::inst()->get('i18n', 'date_format');
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Override the default getter for TimeFormat so the
|
||||
* default format for the user's locale is used
|
||||
* if the user has not defined their own.
|
||||
*
|
||||
* @return string ISO date format
|
||||
*/
|
||||
public function getTimeFormat() {
|
||||
if($this->getField('TimeFormat')) {
|
||||
return $this->getField('TimeFormat');
|
||||
} else {
|
||||
return Config::inst()->get('i18n', 'time_format');
|
||||
}
|
||||
}
|
||||
|
||||
//---------------------------------------------------------------------//
|
||||
|
||||
|
||||
/**
|
||||
* Get a "many-to-many" map that holds for all members their group memberships,
|
||||
* including any parent groups where membership is implied.
|
||||
* Use {@link DirectGroups()} to only retrieve the group relations without inheritance.
|
||||
*
|
||||
* @todo Push all this logic into Member_GroupSet's getIterator()?
|
||||
* @return Member_Groupset
|
||||
*/
|
||||
public function Groups() {
|
||||
$groups = Member_GroupSet::create('Group', 'Group_Members', 'GroupID', 'MemberID');
|
||||
$groups = $groups->forForeignID($this->ID);
|
||||
|
||||
$this->extend('updateGroups', $groups);
|
||||
|
||||
return $groups;
|
||||
}
|
||||
|
||||
/**
|
||||
* @return ManyManyList
|
||||
*/
|
||||
public function DirectGroups() {
|
||||
return $this->getManyManyComponents('Groups');
|
||||
}
|
||||
|
||||
/**
|
||||
* Get a member SQLMap of members in specific groups
|
||||
*
|
||||
* If no $groups is passed, all members will be returned
|
||||
*
|
||||
* @param mixed $groups - takes a SS_List, an array or a single Group.ID
|
||||
* @return SQLMap Returns an SQLMap that returns all Member data.
|
||||
* @see map()
|
||||
*/
|
||||
public static function map_in_groups($groups = null) {
|
||||
$groupIDList = array();
|
||||
|
||||
if($groups instanceof SS_List) {
|
||||
foreach( $groups as $group ) {
|
||||
$groupIDList[] = $group->ID;
|
||||
}
|
||||
} elseif(is_array($groups)) {
|
||||
$groupIDList = $groups;
|
||||
} elseif($groups) {
|
||||
$groupIDList[] = $groups;
|
||||
}
|
||||
|
||||
// No groups, return all Members
|
||||
if(!$groupIDList) {
|
||||
return Member::get()->sort(array('Surname'=>'ASC', 'FirstName'=>'ASC'))->map();
|
||||
}
|
||||
|
||||
$membersList = new ArrayList();
|
||||
// This is a bit ineffective, but follow the ORM style
|
||||
foreach(Group::get()->byIDs($groupIDList) as $group) {
|
||||
$membersList->merge($group->Members());
|
||||
}
|
||||
|
||||
$membersList->removeDuplicates('ID');
|
||||
return $membersList->map();
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* Get a map of all members in the groups given that have CMS permissions
|
||||
*
|
||||
* If no groups are passed, all groups with CMS permissions will be used.
|
||||
*
|
||||
* @param array $groups Groups to consider or NULL to use all groups with
|
||||
* CMS permissions.
|
||||
* @return SS_Map Returns a map of all members in the groups given that
|
||||
* have CMS permissions.
|
||||
*/
|
||||
public static function mapInCMSGroups($groups = null) {
|
||||
if(!$groups || $groups->Count() == 0) {
|
||||
$perms = array('ADMIN', 'CMS_ACCESS_AssetAdmin');
|
||||
|
||||
if(class_exists('CMSMain')) {
|
||||
$cmsPerms = singleton('CMSMain')->providePermissions();
|
||||
} else {
|
||||
$cmsPerms = singleton('LeftAndMain')->providePermissions();
|
||||
}
|
||||
|
||||
if(!empty($cmsPerms)) {
|
||||
$perms = array_unique(array_merge($perms, array_keys($cmsPerms)));
|
||||
}
|
||||
|
||||
$permsClause = DB::placeholders($perms);
|
||||
$groups = DataObject::get('Group')
|
||||
->innerJoin("Permission", '"Permission"."GroupID" = "Group"."ID"')
|
||||
->where(array(
|
||||
"\"Permission\".\"Code\" IN ($permsClause)" => $perms
|
||||
));
|
||||
}
|
||||
|
||||
$groupIDList = array();
|
||||
|
||||
if(is_a($groups, 'SS_List')) {
|
||||
foreach($groups as $group) {
|
||||
$groupIDList[] = $group->ID;
|
||||
}
|
||||
} elseif(is_array($groups)) {
|
||||
$groupIDList = $groups;
|
||||
}
|
||||
|
||||
$members = Member::get()
|
||||
->innerJoin("Group_Members", '"Group_Members"."MemberID" = "Member"."ID"')
|
||||
->innerJoin("Group", '"Group"."ID" = "Group_Members"."GroupID"');
|
||||
if($groupIDList) {
|
||||
$groupClause = DB::placeholders($groupIDList);
|
||||
$members = $members->where(array(
|
||||
"\"Group\".\"ID\" IN ($groupClause)" => $groupIDList
|
||||
));
|
||||
}
|
||||
|
||||
return $members->sort('"Member"."Surname", "Member"."FirstName"')->map();
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* Get the groups in which the member is NOT in
|
||||
*
|
||||
* When passed an array of groups, and a component set of groups, this
|
||||
* function will return the array of groups the member is NOT in.
|
||||
*
|
||||
* @param array $groupList An array of group code names.
|
||||
* @param array $memberGroups A component set of groups (if set to NULL,
|
||||
* $this->groups() will be used)
|
||||
* @return array Groups in which the member is NOT in.
|
||||
*/
|
||||
public function memberNotInGroups($groupList, $memberGroups = null){
|
||||
if(!$memberGroups) $memberGroups = $this->Groups();
|
||||
|
||||
foreach($memberGroups as $group) {
|
||||
if(in_array($group->Code, $groupList)) {
|
||||
$index = array_search($group->Code, $groupList);
|
||||
unset($groupList[$index]);
|
||||
}
|
||||
}
|
||||
|
||||
return $groupList;
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* Return a {@link FieldList} of fields that would appropriate for editing
|
||||
* this member.
|
||||
*
|
||||
* @return FieldList Return a FieldList of fields that would appropriate for
|
||||
* editing this member.
|
||||
*/
|
||||
public function getCMSFields() {
|
||||
require_once 'Zend/Date.php';
|
||||
|
||||
$self = $this;
|
||||
$this->beforeUpdateCMSFields(function(FieldList $fields) use ($self) {
|
||||
/** @var FieldList $mainFields */
|
||||
$mainFields = $fields->fieldByName("Root")->fieldByName("Main")->getChildren();
|
||||
|
||||
// Build change password field
|
||||
$mainFields->replaceField('Password', $self->getMemberPasswordField());
|
||||
|
||||
$mainFields->replaceField('Locale', new DropdownField(
|
||||
"Locale",
|
||||
_t('Member.INTERFACELANG', "Interface Language", 'Language of the CMS'),
|
||||
i18n::get_existing_translations()
|
||||
));
|
||||
|
||||
$mainFields->removeByName($self->config()->hidden_fields);
|
||||
|
||||
// make sure that the "LastVisited" field exists
|
||||
// it may have been removed using $self->config()->hidden_fields
|
||||
if($mainFields->fieldByName("LastVisited")){
|
||||
$mainFields->makeFieldReadonly('LastVisited');
|
||||
}
|
||||
|
||||
if( ! $self->config()->lock_out_after_incorrect_logins) {
|
||||
$mainFields->removeByName('FailedLoginCount');
|
||||
}
|
||||
|
||||
|
||||
// Groups relation will get us into logical conflicts because
|
||||
// Members are displayed within group edit form in SecurityAdmin
|
||||
$fields->removeByName('Groups');
|
||||
|
||||
// Members shouldn't be able to directly view/edit logged passwords
|
||||
$fields->removeByName('LoggedPasswords');
|
||||
|
||||
if(Permission::check('EDIT_PERMISSIONS')) {
|
||||
$groupsMap = array();
|
||||
foreach(Group::get() as $group) {
|
||||
// Listboxfield values are escaped, use ASCII char instead of »
|
||||
$groupsMap[$group->ID] = $group->getBreadcrumbs(' > ');
|
||||
}
|
||||
asort($groupsMap);
|
||||
$fields->addFieldToTab('Root.Main',
|
||||
ListboxField::create('DirectGroups', singleton('Group')->i18n_plural_name())
|
||||
->setMultiple(true)
|
||||
->setSource($groupsMap)
|
||||
->setAttribute(
|
||||
'data-placeholder',
|
||||
_t('Member.ADDGROUP', 'Add group', 'Placeholder text for a dropdown')
|
||||
)
|
||||
);
|
||||
|
||||
|
||||
// Add permission field (readonly to avoid complicated group assignment logic).
|
||||
// This should only be available for existing records, as new records start
|
||||
// with no permissions until they have a group assignment anyway.
|
||||
if($self->ID) {
|
||||
$permissionsField = new PermissionCheckboxSetField_Readonly(
|
||||
'Permissions',
|
||||
false,
|
||||
'Permission',
|
||||
'GroupID',
|
||||
// we don't want parent relationships, they're automatically resolved in the field
|
||||
$self->getManyManyComponents('Groups')
|
||||
);
|
||||
$fields->findOrMakeTab('Root.Permissions', singleton('Permission')->i18n_plural_name());
|
||||
$fields->addFieldToTab('Root.Permissions', $permissionsField);
|
||||
}
|
||||
}
|
||||
|
||||
$permissionsTab = $fields->fieldByName("Root")->fieldByName('Permissions');
|
||||
if($permissionsTab) $permissionsTab->addExtraClass('readonly');
|
||||
|
||||
$defaultDateFormat = Zend_Locale_Format::getDateFormat(new Zend_Locale($self->Locale));
|
||||
$dateFormatMap = array(
|
||||
'MMM d, yyyy' => Zend_Date::now()->toString('MMM d, yyyy'),
|
||||
'yyyy/MM/dd' => Zend_Date::now()->toString('yyyy/MM/dd'),
|
||||
'MM/dd/yyyy' => Zend_Date::now()->toString('MM/dd/yyyy'),
|
||||
'dd/MM/yyyy' => Zend_Date::now()->toString('dd/MM/yyyy'),
|
||||
);
|
||||
$dateFormatMap[$defaultDateFormat] = Zend_Date::now()->toString($defaultDateFormat)
|
||||
. sprintf(' (%s)', _t('Member.DefaultDateTime', 'default'));
|
||||
$mainFields->push(
|
||||
$dateFormatField = new MemberDatetimeOptionsetField(
|
||||
'DateFormat',
|
||||
$self->fieldLabel('DateFormat'),
|
||||
$dateFormatMap
|
||||
)
|
||||
);
|
||||
$dateFormatField->setValue($self->DateFormat);
|
||||
|
||||
$defaultTimeFormat = Zend_Locale_Format::getTimeFormat(new Zend_Locale($self->Locale));
|
||||
$timeFormatMap = array(
|
||||
'h:mm a' => Zend_Date::now()->toString('h:mm a'),
|
||||
'H:mm' => Zend_Date::now()->toString('H:mm'),
|
||||
);
|
||||
$timeFormatMap[$defaultTimeFormat] = Zend_Date::now()->toString($defaultTimeFormat)
|
||||
. sprintf(' (%s)', _t('Member.DefaultDateTime', 'default'));
|
||||
$mainFields->push(
|
||||
$timeFormatField = new MemberDatetimeOptionsetField(
|
||||
'TimeFormat',
|
||||
$self->fieldLabel('TimeFormat'),
|
||||
$timeFormatMap
|
||||
)
|
||||
);
|
||||
$timeFormatField->setValue($self->TimeFormat);
|
||||
});
|
||||
|
||||
return parent::getCMSFields();
|
||||
}
|
||||
|
||||
/**
|
||||
*
|
||||
* @param boolean $includerelations a boolean value to indicate if the labels returned include relation fields
|
||||
*
|
||||
*/
|
||||
public function fieldLabels($includerelations = true) {
|
||||
$labels = parent::fieldLabels($includerelations);
|
||||
|
||||
$labels['FirstName'] = _t('Member.FIRSTNAME', 'First Name');
|
||||
$labels['Surname'] = _t('Member.SURNAME', 'Surname');
|
||||
$labels['Email'] = _t('Member.EMAIL', 'Email');
|
||||
$labels['Password'] = _t('Member.db_Password', 'Password');
|
||||
$labels['NumVisit'] = _t('Member.db_NumVisit', 'Number of Visits');
|
||||
$labels['LastVisited'] = _t('Member.db_LastVisited', 'Last Visited Date');
|
||||
$labels['PasswordExpiry'] = _t('Member.db_PasswordExpiry', 'Password Expiry Date', 'Password expiry date');
|
||||
$labels['LockedOutUntil'] = _t('Member.db_LockedOutUntil', 'Locked out until', 'Security related date');
|
||||
$labels['Locale'] = _t('Member.db_Locale', 'Interface Locale');
|
||||
$labels['DateFormat'] = _t('Member.DATEFORMAT', 'Date format');
|
||||
$labels['TimeFormat'] = _t('Member.TIMEFORMAT', 'Time format');
|
||||
if($includerelations){
|
||||
$labels['Groups'] = _t('Member.belongs_many_many_Groups', 'Groups',
|
||||
'Security Groups this member belongs to');
|
||||
}
|
||||
return $labels;
|
||||
}
|
||||
|
||||
/**
|
||||
* Users can view their own record.
|
||||
* Otherwise they'll need ADMIN or CMS_ACCESS_SecurityAdmin permissions.
|
||||
* This is likely to be customized for social sites etc. with a looser permission model.
|
||||
*/
|
||||
public function canView($member = null) {
|
||||
if(!$member || !(is_a($member, 'Member')) || is_numeric($member)) $member = Member::currentUser();
|
||||
|
||||
// extended access checks
|
||||
$results = $this->extend('canView', $member);
|
||||
if($results && is_array($results)) {
|
||||
if(!min($results)) return false;
|
||||
else return true;
|
||||
}
|
||||
|
||||
// members can usually edit their own record
|
||||
if($member && $this->ID == $member->ID) return true;
|
||||
|
||||
if(
|
||||
Permission::checkMember($member, 'ADMIN')
|
||||
|| Permission::checkMember($member, 'CMS_ACCESS_SecurityAdmin')
|
||||
) {
|
||||
return true;
|
||||
}
|
||||
|
||||
return false;
|
||||
}
|
||||
|
||||
/**
|
||||
* Users can edit their own record.
|
||||
* Otherwise they'll need ADMIN or CMS_ACCESS_SecurityAdmin permissions
|
||||
*/
|
||||
public function canEdit($member = null) {
|
||||
if(!$member || !(is_a($member, 'Member')) || is_numeric($member)) $member = Member::currentUser();
|
||||
|
||||
// extended access checks
|
||||
$results = $this->extend('canEdit', $member);
|
||||
if($results && is_array($results)) {
|
||||
if(!min($results)) return false;
|
||||
else return true;
|
||||
}
|
||||
|
||||
// No member found
|
||||
if(!($member && $member->exists())) return false;
|
||||
|
||||
// If the requesting member is not an admin, but has access to manage members,
|
||||
// they still can't edit other members with ADMIN permission.
|
||||
// This is a bit weak, strictly speaking they shouldn't be allowed to
|
||||
// perform any action that could change the password on a member
|
||||
// with "higher" permissions than himself, but thats hard to determine.
|
||||
if(!Permission::checkMember($member, 'ADMIN') && Permission::checkMember($this, 'ADMIN')) return false;
|
||||
|
||||
return $this->canView($member);
|
||||
}
|
||||
|
||||
/**
|
||||
* Users can edit their own record.
|
||||
* Otherwise they'll need ADMIN or CMS_ACCESS_SecurityAdmin permissions
|
||||
*/
|
||||
public function canDelete($member = null) {
|
||||
if(!$member || !(is_a($member, 'Member')) || is_numeric($member)) $member = Member::currentUser();
|
||||
|
||||
// extended access checks
|
||||
$results = $this->extend('canDelete', $member);
|
||||
if($results && is_array($results)) {
|
||||
if(!min($results)) return false;
|
||||
else return true;
|
||||
}
|
||||
|
||||
// No member found
|
||||
if(!($member && $member->exists())) return false;
|
||||
|
||||
// Members are not allowed to remove themselves,
|
||||
// since it would create inconsistencies in the admin UIs.
|
||||
if($this->ID && $member->ID == $this->ID) return false;
|
||||
|
||||
return $this->canEdit($member);
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* Validate this member object.
|
||||
*/
|
||||
public function validate() {
|
||||
$valid = parent::validate();
|
||||
|
||||
if(!$this->ID || $this->isChanged('Password')) {
|
||||
if($this->Password && self::$password_validator) {
|
||||
$valid->combineAnd(self::$password_validator->validate($this->Password, $this));
|
||||
}
|
||||
}
|
||||
|
||||
if((!$this->ID && $this->SetPassword) || $this->isChanged('SetPassword')) {
|
||||
if($this->SetPassword && self::$password_validator) {
|
||||
$valid->combineAnd(self::$password_validator->validate($this->SetPassword, $this));
|
||||
}
|
||||
}
|
||||
|
||||
return $valid;
|
||||
}
|
||||
|
||||
/**
|
||||
* Change password. This will cause rehashing according to
|
||||
* the `PasswordEncryption` property.
|
||||
*
|
||||
* @param String $password Cleartext password
|
||||
*/
|
||||
public function changePassword($password) {
|
||||
$this->Password = $password;
|
||||
$valid = $this->validate();
|
||||
|
||||
if($valid->valid()) {
|
||||
$this->AutoLoginHash = null;
|
||||
$this->write();
|
||||
}
|
||||
|
||||
return $valid;
|
||||
}
|
||||
|
||||
/**
|
||||
* Tell this member that someone made a failed attempt at logging in as them.
|
||||
* This can be used to lock the user out temporarily if too many failed attempts are made.
|
||||
*/
|
||||
public function registerFailedLogin() {
|
||||
if(self::config()->lock_out_after_incorrect_logins) {
|
||||
// Keep a tally of the number of failed log-ins so that we can lock people out
|
||||
++$this->FailedLoginCount;
|
||||
|
||||
if($this->FailedLoginCount >= self::config()->lock_out_after_incorrect_logins) {
|
||||
$lockoutMins = self::config()->lock_out_delay_mins;
|
||||
$this->LockedOutUntil = date('Y-m-d H:i:s', SS_Datetime::now()->Format('U') + $lockoutMins*60);
|
||||
$this->FailedLoginCount = 0;
|
||||
}
|
||||
}
|
||||
$this->extend('registerFailedLogin');
|
||||
$this->write();
|
||||
}
|
||||
|
||||
/**
|
||||
* Tell this member that a successful login has been made
|
||||
*/
|
||||
public function registerSuccessfulLogin() {
|
||||
if(self::config()->lock_out_after_incorrect_logins) {
|
||||
// Forgive all past login failures
|
||||
$this->FailedLoginCount = 0;
|
||||
$this->LockedOutUntil = null;
|
||||
$this->write();
|
||||
}
|
||||
$this->extend('onAfterRegisterSuccessfulLogin');
|
||||
}
|
||||
/**
|
||||
* Get the HtmlEditorConfig for this user to be used in the CMS.
|
||||
* This is set by the group. If multiple configurations are set,
|
||||
* the one with the highest priority wins.
|
||||
*
|
||||
* @return string
|
||||
*/
|
||||
public function getHtmlEditorConfigForCMS() {
|
||||
$currentName = '';
|
||||
$currentPriority = 0;
|
||||
|
||||
foreach($this->Groups() as $group) {
|
||||
$configName = $group->HtmlEditorConfig;
|
||||
if($configName) {
|
||||
$config = HtmlEditorConfig::get($group->HtmlEditorConfig);
|
||||
if($config && $config->getOption('priority') > $currentPriority) {
|
||||
$currentName = $configName;
|
||||
$currentPriority = $config->getOption('priority');
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// If can't find a suitable editor, just default to cms
|
||||
return $currentName ? $currentName : 'cms';
|
||||
}
|
||||
|
||||
public static function get_template_global_variables() {
|
||||
return array(
|
||||
'CurrentMember' => 'currentUser',
|
||||
'currentUser',
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Represents a set of Groups attached to a member.
|
||||
* Handles the hierarchy logic.
|
||||
* @package framework
|
||||
* @subpackage security
|
||||
*/
|
||||
class Member_GroupSet extends ManyManyList {
|
||||
|
||||
protected function linkJoinTable() {
|
||||
// Do not join the table directly
|
||||
if($this->extraFields) {
|
||||
user_error('Member_GroupSet does not support many_many_extraFields', E_USER_ERROR);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Link this group set to a specific member.
|
||||
*
|
||||
* Recursively selects all groups applied to this member, as well as any
|
||||
* parent groups of any applied groups
|
||||
*
|
||||
* @param array|integer $id (optional) An ID or an array of IDs - if not provided, will use the current
|
||||
* ids as per getForeignID
|
||||
* @return array Condition In array(SQL => parameters format)
|
||||
*/
|
||||
public function foreignIDFilter($id = null) {
|
||||
if ($id === null) $id = $this->getForeignID();
|
||||
|
||||
// Find directly applied groups
|
||||
$manyManyFilter = parent::foreignIDFilter($id);
|
||||
$query = new SQLQuery('"Group_Members"."GroupID"', '"Group_Members"', $manyManyFilter);
|
||||
$groupIDs = $query->execute()->column();
|
||||
|
||||
// Get all ancestors, iteratively merging these into the master set
|
||||
$allGroupIDs = array();
|
||||
while($groupIDs) {
|
||||
$allGroupIDs = array_merge($allGroupIDs, $groupIDs);
|
||||
$groupIDs = DataObject::get("Group")->byIDs($groupIDs)->column("ParentID");
|
||||
$groupIDs = array_filter($groupIDs);
|
||||
}
|
||||
|
||||
// Add a filter to this DataList
|
||||
if(!empty($allGroupIDs)) {
|
||||
$allGroupIDsPlaceholders = DB::placeholders($allGroupIDs);
|
||||
return array("\"Group\".\"ID\" IN ($allGroupIDsPlaceholders)" => $allGroupIDs);
|
||||
} else {
|
||||
return array('"Group"."ID"' => 0);
|
||||
}
|
||||
}
|
||||
|
||||
public function foreignIDWriteFilter($id = null) {
|
||||
// Use the ManyManyList::foreignIDFilter rather than the one
|
||||
// in this class, otherwise we end up selecting all inherited groups
|
||||
return parent::foreignIDFilter($id);
|
||||
}
|
||||
|
||||
public function add($item, $extraFields = null) {
|
||||
// Get Group.ID
|
||||
$itemID = null;
|
||||
if(is_numeric($item)) {
|
||||
$itemID = $item;
|
||||
} else if($item instanceof Group) {
|
||||
$itemID = $item->ID;
|
||||
}
|
||||
|
||||
// Check if this group is allowed to be added
|
||||
if($this->canAddGroups(array($itemID))) {
|
||||
parent::add($item, $extraFields);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Determine if the following groups IDs can be added
|
||||
*
|
||||
* @param array $itemIDs
|
||||
* @return boolean
|
||||
*/
|
||||
protected function canAddGroups($itemIDs) {
|
||||
if(empty($itemIDs)) {
|
||||
return true;
|
||||
}
|
||||
$member = $this->getMember();
|
||||
return empty($member) || $member->onChangeGroups($itemIDs);
|
||||
}
|
||||
|
||||
/**
|
||||
* Get foreign member record for this relation
|
||||
*
|
||||
* @return Member
|
||||
*/
|
||||
protected function getMember() {
|
||||
$id = $this->getForeignID();
|
||||
if($id) {
|
||||
return DataObject::get_by_id('Member', $id);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Class used as template to send an email saying that the password has been
|
||||
* changed.
|
||||
*
|
||||
* @package framework
|
||||
* @subpackage security
|
||||
*/
|
||||
class Member_ChangePasswordEmail extends Email {
|
||||
|
||||
protected $from = ''; // setting a blank from address uses the site's default administrator email
|
||||
protected $subject = '';
|
||||
protected $ss_template = 'ChangePasswordEmail';
|
||||
|
||||
public function __construct() {
|
||||
parent::__construct();
|
||||
|
||||
$this->subject = _t('Member.SUBJECTPASSWORDCHANGED', "Your password has been changed", 'Email subject');
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
|
||||
/**
|
||||
* Class used as template to send the forgot password email
|
||||
*
|
||||
* @package framework
|
||||
* @subpackage security
|
||||
*/
|
||||
class Member_ForgotPasswordEmail extends Email {
|
||||
protected $from = ''; // setting a blank from address uses the site's default administrator email
|
||||
protected $subject = '';
|
||||
protected $ss_template = 'ForgotPasswordEmail';
|
||||
|
||||
public function __construct() {
|
||||
parent::__construct();
|
||||
|
||||
$this->subject = _t('Member.SUBJECTPASSWORDRESET', "Your password reset link", 'Email subject');
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Member Validator
|
||||
*
|
||||
* Custom validation for the Member object can be achieved either through an
|
||||
* {@link DataExtension} on the Member_Validator object or, by specifying a subclass of
|
||||
* {@link Member_Validator} through the {@link Injector} API.
|
||||
* The Validator can also be modified by adding an Extension to Member and implement the
|
||||
* <code>updateValidator</code> hook.
|
||||
* {@see Member::getValidator()}
|
||||
*
|
||||
* Additional required fields can also be set via config API, eg.
|
||||
* <code>
|
||||
* Member_Validator:
|
||||
* customRequired:
|
||||
* - Surname
|
||||
* </code>
|
||||
*
|
||||
* @package framework
|
||||
* @subpackage security
|
||||
*/
|
||||
class Member_Validator extends RequiredFields
|
||||
{
|
||||
/**
|
||||
* Fields that are required by this validator
|
||||
* @config
|
||||
* @var array
|
||||
*/
|
||||
protected $customRequired = array(
|
||||
'FirstName',
|
||||
'Email'
|
||||
);
|
||||
|
||||
/**
|
||||
* Determine what member this validator is meant for
|
||||
* @var Member
|
||||
*/
|
||||
protected $forMember = null;
|
||||
|
||||
/**
|
||||
* Constructor
|
||||
*/
|
||||
public function __construct() {
|
||||
$required = func_get_args();
|
||||
|
||||
if(isset($required[0]) && is_array($required[0])) {
|
||||
$required = $required[0];
|
||||
}
|
||||
|
||||
$required = array_merge($required, $this->customRequired);
|
||||
|
||||
// check for config API values and merge them in
|
||||
$config = $this->config()->customRequired;
|
||||
if(is_array($config)){
|
||||
$required = array_merge($required, $config);
|
||||
}
|
||||
|
||||
parent::__construct(array_unique($required));
|
||||
}
|
||||
|
||||
/**
|
||||
* Get the member this validator applies to.
|
||||
* @return Member
|
||||
*/
|
||||
public function getForMember()
|
||||
{
|
||||
return $this->forMember;
|
||||
}
|
||||
|
||||
/**
|
||||
* Set the Member this validator applies to.
|
||||
* @param Member $value
|
||||
* @return $this
|
||||
*/
|
||||
public function setForMember(Member $value)
|
||||
{
|
||||
$this->forMember = $value;
|
||||
return $this;
|
||||
}
|
||||
|
||||
/**
|
||||
* Check if the submitted member data is valid (server-side)
|
||||
*
|
||||
* Check if a member with that email doesn't already exist, or if it does
|
||||
* that it is this member.
|
||||
*
|
||||
* @param array $data Submitted data
|
||||
* @return bool Returns TRUE if the submitted data is valid, otherwise
|
||||
* FALSE.
|
||||
*/
|
||||
public function php($data)
|
||||
{
|
||||
$valid = parent::php($data);
|
||||
|
||||
$identifierField = (string)Member::config()->unique_identifier_field;
|
||||
|
||||
// Only validate identifier field if it's actually set. This could be the case if
|
||||
// somebody removes `Email` from the list of required fields.
|
||||
if(isset($data[$identifierField])){
|
||||
$id = isset($data['ID']) ? (int)$data['ID'] : 0;
|
||||
if(!$id && ($ctrl = $this->form->getController())){
|
||||
// get the record when within GridField (Member editing page in CMS)
|
||||
if($ctrl instanceof GridFieldDetailForm_ItemRequest && $record = $ctrl->getRecord()){
|
||||
$id = $record->ID;
|
||||
}
|
||||
}
|
||||
|
||||
// If there's no ID passed via controller or form-data, use the assigned member (if available)
|
||||
if(!$id && ($member = $this->getForMember())){
|
||||
$id = $member->exists() ? $member->ID : 0;
|
||||
}
|
||||
|
||||
// set the found ID to the data array, so that extensions can also use it
|
||||
$data['ID'] = $id;
|
||||
|
||||
$members = Member::get()->filter($identifierField, $data[$identifierField]);
|
||||
if($id) {
|
||||
$members = $members->exclude('ID', $id);
|
||||
}
|
||||
|
||||
if($members->count() > 0) {
|
||||
$this->validationError(
|
||||
$identifierField,
|
||||
_t(
|
||||
'Member.VALIDATIONMEMBEREXISTS',
|
||||
'A member already exists with the same {identifier}',
|
||||
array('identifier' => Member::singleton()->fieldLabel($identifierField))
|
||||
),
|
||||
'required'
|
||||
);
|
||||
$valid = false;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
// Execute the validators on the extensions
|
||||
$results = $this->extend('updatePHP', $data, $this->form);
|
||||
$results[] = $valid;
|
||||
return min($results);
|
||||
}
|
||||
}
|
Loading…
Reference in New Issue
Block a user