API CHANGE: Replaced BasicAuth::enable() with BasicAuth::protect_entire_site()

API CHANGE: BasicAuth::requireLogin() no longer has an option to automatically log you in.  You can call logIn() on the object returned, instead. (from r91603)

git-svn-id: svn://svn.silverstripe.com/silverstripe/open/modules/sapphire/branches/2.3@91610 467b73ca-7a2a-4603-9d3b-597d59a354a9
Sam Minnee 2009-11-15 21:42:35 +00:00
parent 5d71f30794
commit a2fc20de22
5 changed files with 65 additions and 23 deletions


@ -6,7 +6,6 @@
*/ */
abstract class CliController extends Controller { abstract class CliController extends Controller {
function init() { function init() {
$this->disableBasicAuth();
parent::init(); parent::init();
// Unless called from the command line, all CliControllers need ADMIN privileges // Unless called from the command line, all CliControllers need ADMIN privileges
if(!Director::is_cli() && !Permission::check("ADMIN")) return Security::permissionFailure(); if(!Director::is_cli() && !Permission::check("ADMIN")) return Security::permissionFailure();
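Review bot: With `$this->disableBasicAuth()` removed, a CliController reached over HTTP now goes through the site-wide basic-auth check inside `parent::init()` before it reaches the ADMIN permission check on the last line of the hunk; command-line runs are unaffected only because `BasicAuth::requireLogin()` returns early on `Director::is_cli()` (see the BasicAuth hunk of this commit). That dependency is easy to lose in a later refactor, so it deserves a line next to the call: `// Site-wide basic auth (if enabled) applies to HTTP requests here; CLI runs are skipped inside BasicAuth::requireLogin()`. `init()` continues beyond the hunk.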


@ -92,7 +92,7 @@ if(defined('SS_DEFAULT_ADMIN_USERNAME')) {
Security::setDefaultAdmin(SS_DEFAULT_ADMIN_USERNAME, SS_DEFAULT_ADMIN_PASSWORD); Security::setDefaultAdmin(SS_DEFAULT_ADMIN_USERNAME, SS_DEFAULT_ADMIN_PASSWORD);
} }
if(defined('SS_USE_BASIC_AUTH') && SS_USE_BASIC_AUTH) { if(defined('SS_USE_BASIC_AUTH') && SS_USE_BASIC_AUTH) {
BasicAuth::enable(); BasicAuth::protect_entire_site();
} }
if(defined('SS_ERROR_LOG')) { if(defined('SS_ERROR_LOG')) {


@ -75,10 +75,7 @@ class Controller extends RequestHandler {
* @uses BasicAuth::requireLogin() * @uses BasicAuth::requireLogin()
*/ */
function init() { function init() {
// Test and development sites should be secured, via basic-auth if($this->basicAuthEnabled) BasicAuth::protect_site_if_necessary();
if(Director::isTest() && $this->basicAuthEnabled && Security::database_is_ready()) {
BasicAuth::requireLogin("SilverStripe test website. Use your CMS login", "ADMIN");
}
// Directly access the session variable just in case the Group or Member tables don't yet exist // Directly access the session variable just in case the Group or Member tables don't yet exist
if(Session::get('loggedInAs') && Security::database_is_ready()) { if(Session::get('loggedInAs') && Security::database_is_ready()) {
@ -327,9 +324,9 @@ class Controller extends RequestHandler {
} }
/** /**
* Call this to disable basic authentication on test sites. * Call this to disable site-wide basic authentication for a specific contoller.
* must be called in the init() method * This must be called before Controller::init(). That is, you must call it in your controller's
* @deprecated Use BasicAuth::disable() instead? This is used in CliController - it should be updated. * init method before it calls parent::init().
*/ */
function disableBasicAuth() { function disableBasicAuth() {
$this->basicAuthEnabled = false; $this->basicAuthEnabled = false;
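Review bot: The `Director::isTest()` guard is dropped from `init()`, so site-wide basic auth is no longer limited to test sites and is decided entirely by `BasicAuth::protect_site_if_necessary()`, whose flag is initialised to `true` in the BasicAuth hunk of this commit; nothing in the Controller hunk signals that the test/live decision has moved. The `@uses BasicAuth::requireLogin()` tag just above `init()` is now indirect and should read `@uses BasicAuth::protect_site_if_necessary()`. In the second hunk, `contoller` in the `disableBasicAuth()` docblock is a typo for `controller`. Both `init()` and `disableBasicAuth()` continue beyond their hunks.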


@ -398,6 +398,16 @@ class Debug {
* @todo Log detailed errors to full file * @todo Log detailed errors to full file
*/ */
protected static function log_error_if_necessary($errno, $errstr, $errfile, $errline, $errcontext, $errtype) { protected static function log_error_if_necessary($errno, $errstr, $errfile, $errline, $errcontext, $errtype) {
if(class_exists('SS_Log')) {
SS_Log::log(array(
'errno' => $errno,
'errstr' => $errstr,
'errfile' => $errfile,
'errline' => $errline,
'errcontext' => $errcontext
), $errtype);
}
if(self::$log_errors_to) { if(self::$log_errors_to) {
$shortFile = "../" . self::$log_errors_to; $shortFile = "../" . self::$log_errors_to;
$fullFile = $shortFile . '.full'; $fullFile = $shortFile . '.full';
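Review bot: The new `SS_Log::log()` call forwards `$errcontext`, which for a PHP error handler is the array of every variable in scope at the point of the error, so any credential or session value sitting in a local at that moment can be written to whatever backend SS_Log uses; nothing in the hunk shows SS_Log filtering it. Unless that filtering is known to happen, drop `'errcontext' => $errcontext` from the logged array, or at least mark the exposure at the call site with `// NOTE: errcontext carries every in-scope variable; SS_Log writers must not persist it verbatim`. This hunk is also unrelated to the BasicAuth change the commit message describes. `log_error_if_necessary()` continues beyond the hunk.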


@ -1,17 +1,21 @@
<?php <?php
/** /**
* Provides an interface to HTTP basic authentication. * Provides an interface to HTTP basic authentication.
*
* This utility class can be used to secure any request with basic authentication. To do so,
* {@link BasicAuth::requireLogin()} from your Controller's init() method or action handler method.
*
* It also has a function to protect your entire site. See {@link BasicAuth::protect_entire_site()}
* for more information.
*
* @package sapphire * @package sapphire
* @subpackage security * @subpackage security
*/ */
class BasicAuth extends Object { class BasicAuth extends Object {
/** /**
* Site-wide basic auth is disabled by default but can be enabled as needed in _config.php by calling BasicAuth::enable() * Flag set by {@link self::protect_entire_site()}
* @var boolean
*/ */
static protected $enabled = false; private static $entire_site_protected = true;
static protected $autologin = false;
/** /**
* Require basic authentication. Will request a username and password if none is given. * Require basic authentication. Will request a username and password if none is given.
@ -23,10 +27,8 @@ class BasicAuth extends Object {
* @return Member $member * @return Member $member
*/ */
static function requireLogin($realm, $permissionCode) { static function requireLogin($realm, $permissionCode) {
if(!self::$enabled) return true;
if(!Security::database_is_ready() || Director::is_cli()) return true; if(!Security::database_is_ready() || Director::is_cli()) return true;
if(isset($_SERVER['PHP_AUTH_USER']) && isset($_SERVER['PHP_AUTH_PW'])) { if(isset($_SERVER['PHP_AUTH_USER']) && isset($_SERVER['PHP_AUTH_PW'])) {
$member = MemberAuthenticator::authenticate(array( $member = MemberAuthenticator::authenticate(array(
'Email' => $_SERVER['PHP_AUTH_USER'], 'Email' => $_SERVER['PHP_AUTH_USER'],
@ -35,9 +37,6 @@ class BasicAuth extends Object {
if($member) { if($member) {
$authenticated = true; $authenticated = true;
if(self::$autologin) {
$member->logIn();
}
} }
} }
@ -68,12 +67,49 @@ class BasicAuth extends Object {
return $member; return $member;
} }
/**
* Enable protection of the entire site with basic authentication.
*
* This log-in uses the Member database for authentication, but doesn't interfere with the
* regular log-in form. This can be useful for test sites, where you want to hide the site
* away from prying eyes, but still be able to test the regular log-in features of the site.
*
* If you are including conf/ConfigureFromEnv.php in your _config.php file, you can also enable
* this feature by adding this line to your _ss_environment.php:
*
* define('SS_USE_BASIC_AUTH', true);
*
* @param $protect Set this to false to disable protection.
*/
static function protect_entire_site($protect = true) {
return self::$entire_site_protected = $protect;
}
static function enable($auto = false) { /**
self::$enabled = true; * @deprecated Use BasicAuth::protect_entire_site() instead.
self::$autologin = $auto; */
static function enable() {
user_error("BasicAuth::enable() is deprated. Use BasicAuth::protect_entire_site() instead.", E_USER_NOTICE);
return self::protect_entire_site();
} }
/**
* @deprecated Use BasicAuth::protect_entire_site(false) instead.
*/
static function disable() { static function disable() {
self::$enabled = false; user_error("BasicAuth::disable() is deprated. Use BasicAuth::protect_entire_site(false) instead.", E_USER_NOTICE);
return self::protect_entire_site(false);
} }
/**
* Call {@link BasicAuth::requireLogin()} if {@link BasicAuth::protect_entire_site()} has been called.
* This is a helper function used by Controller.
*/
static function protect_site_if_necessary() {
if(self::$entire_site_protected) {
self::requireLogin("SilverStripe test website. Use your CMS login.", "ADMIN");
}
}
} }
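Review bot: `$entire_site_protected` is initialised to `true`, which turns site-wide basic auth on by default for every Controller that calls `protect_site_if_necessary()`; that contradicts the removed docblock ("disabled by default"), the opt-in `SS_USE_BASIC_AUTH` hook in ConfigureFromEnv, and the `protect_entire_site()` docblock that presents the feature as something you enable. Unless protection-by-default is intended for this branch, the declaration should be `private static $entire_site_protected = false;`. Separately, both deprecation notices spell `deprated` for `deprecated` in their `user_error()` strings, and the realm passed by `protect_site_if_necessary()` still says "test website" although the guard no longer depends on `Director::isTest()`.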