'Varchar',
'Surname' => 'Varchar',
'Email' => 'Varchar(254)', // See RFC 5321, Section 4.5.3.1.3. (256 minus the < and > character)
'TempIDHash' => 'Varchar(160)', // Temporary id used for cms re-authentication
'TempIDExpired' => 'Datetime', // Expiry of temp login
'Password' => 'Varchar(160)',
'AutoLoginHash' => 'Varchar(160)', // Used to auto-login the user on password reset
'AutoLoginExpired' => 'Datetime',
// This is an arbitrary code pointing to a PasswordEncryptor instance,
// not an actual encryption algorithm.
// Warning: Never change this field after its the first password hashing without
// providing a new cleartext password as well.
'PasswordEncryption' => "Varchar(50)",
'Salt' => 'Varchar(50)',
'PasswordExpiry' => 'Date',
'LockedOutUntil' => 'Datetime',
'Locale' => 'Varchar(6)',
// handled in registerFailedLogin(), only used if $lock_out_after_incorrect_logins is set
'FailedLoginCount' => 'Int',
);
private static $belongs_many_many = array(
'Groups' => Group::class,
);
private static $has_many = array(
'LoggedPasswords' => MemberPassword::class,
'RememberLoginHashes' => RememberLoginHash::class,
);
private static $table_name = "Member";
private static $default_sort = '"Surname", "FirstName"';
private static $indexes = array(
'Email' => true,
//Removed due to duplicate null values causing MSSQL problems
//'AutoLoginHash' => Array('type'=>'unique', 'value'=>'AutoLoginHash', 'ignoreNulls'=>true)
);
/**
* @config
* @var boolean
*/
private static $notify_password_change = false;
/**
* All searchable database columns
* in this object, currently queried
* with a "column LIKE '%keywords%'
* statement.
*
* @var array
* @todo Generic implementation of $searchable_fields on DataObject,
* with definition for different searching algorithms
* (LIKE, FULLTEXT) and default FormFields to construct a searchform.
*/
private static $searchable_fields = array(
'FirstName',
'Surname',
'Email',
);
/**
* @config
* @var array
*/
private static $summary_fields = array(
'FirstName',
'Surname',
'Email',
);
/**
* @config
* @var array
*/
private static $casting = array(
'Name' => 'Varchar',
);
/**
* Internal-use only fields
*
* @config
* @var array
*/
private static $hidden_fields = array(
'AutoLoginHash',
'AutoLoginExpired',
'PasswordEncryption',
'PasswordExpiry',
'LockedOutUntil',
'TempIDHash',
'TempIDExpired',
'Salt',
);
/**
* @config
* @var array See {@link set_title_columns()}
*/
private static $title_format = null;
/**
* The unique field used to identify this member.
* By default, it's "Email", but another common
* field could be Username.
*
* @config
* @var string
* @skipUpgrade
*/
private static $unique_identifier_field = 'Email';
/**
* @config
* The number of days that a password should be valid for.
* By default, this is null, which means that passwords never expire
*/
private static $password_expiry_days = null;
/**
* @config
* @var bool enable or disable logging of previously used passwords. See {@link onAfterWrite}
*/
private static $password_logging_enabled = true;
/**
* @config
* @var Int Number of incorrect logins after which
* the user is blocked from further attempts for the timespan
* defined in {@link $lock_out_delay_mins}.
*/
private static $lock_out_after_incorrect_logins = 10;
/**
* @config
* @var integer Minutes of enforced lockout after incorrect password attempts.
* Only applies if {@link $lock_out_after_incorrect_logins} greater than 0.
*/
private static $lock_out_delay_mins = 15;
/**
* @config
* @var String If this is set, then a session cookie with the given name will be set on log-in,
* and cleared on logout.
*/
private static $login_marker_cookie = null;
/**
* Indicates that when a {@link Member} logs in, Member:session_regenerate_id()
* should be called as a security precaution.
*
* This doesn't always work, especially if you're trying to set session cookies
* across an entire site using the domain parameter to session_set_cookie_params()
*
* @config
* @var boolean
*/
private static $session_regenerate_id = true;
/**
* Default lifetime of temporary ids.
*
* This is the period within which a user can be re-authenticated within the CMS by entering only their password
* and without losing their workspace.
*
* Any session expiration outside of this time will require them to login from the frontend using their full
* username and password.
*
* Defaults to 72 hours. Set to zero to disable expiration.
*
* @config
* @var int Lifetime in seconds
*/
private static $temp_id_lifetime = 259200;
/**
* Default lifetime of auto login token.
*
* This is the maximum allowed period between a user requesting a password reset link and using it to reset
* their password.
*
* Defaults to 2 days.
*
* @config
* @var int Lifetime in seconds
*/
private static $auto_login_token_lifetime = 172800;
/**
* Used to track whether {@link Member::changePassword} has made changed that need to be written. Used to prevent
* the write from calling changePassword again.
*
* @var bool
*/
protected $passwordChangesToWrite = false;
/**
* Ensure the locale is set to something sensible by default.
*/
public function populateDefaults()
{
parent::populateDefaults();
$this->Locale = i18n::get_locale();
}
public function requireDefaultRecords()
{
parent::requireDefaultRecords();
// Default groups should've been built by Group->requireDefaultRecords() already
$service = DefaultAdminService::singleton();
$service->findOrCreateDefaultAdmin();
}
/**
* Get the default admin record if it exists, or creates it otherwise if enabled
*
* @deprecated 4.0.0...5.0.0 Use DefaultAdminService::findOrCreateDefaultAdmin() instead
* @return Member
*/
public static function default_admin()
{
Deprecation::notice('5.0', 'Use DefaultAdminService::findOrCreateDefaultAdmin() instead');
return DefaultAdminService::singleton()->findOrCreateDefaultAdmin();
}
/**
* Check if the passed password matches the stored one (if the member is not locked out).
*
* @deprecated 4.0.0...5.0.0 Use Authenticator::checkPassword() instead
*
* @param string $password
* @return ValidationResult
*/
public function checkPassword($password)
{
Deprecation::notice('5.0', 'Use Authenticator::checkPassword() instead');
// With a valid user and password, check the password is correct
$result = ValidationResult::create();
$authenticators = Security::singleton()->getApplicableAuthenticators(Authenticator::CHECK_PASSWORD);
foreach ($authenticators as $authenticator) {
$authenticator->checkPassword($this, $password, $result);
if (!$result->isValid()) {
break;
}
}
return $result;
}
/**
* Check if this user is the currently configured default admin
*
* @return bool
*/
public function isDefaultAdmin()
{
return DefaultAdminService::isDefaultAdmin($this->Email);
}
/**
* Check if this user can login
*
* @return bool
*/
public function canLogin()
{
return $this->validateCanLogin()->isValid();
}
/**
* Returns a valid {@link ValidationResult} if this member can currently log in, or an invalid
* one with error messages to display if the member is locked out.
*
* You can hook into this with a "canLogIn" method on an attached extension.
*
* @param ValidationResult $result Optional result to add errors to
* @return ValidationResult
*/
public function validateCanLogin(ValidationResult &$result = null)
{
$result = $result ?: ValidationResult::create();
if ($this->isLockedOut()) {
$result->addError(
_t(
__CLASS__ . '.ERRORLOCKEDOUT2',
'Your account has been temporarily disabled because of too many failed attempts at ' . 'logging in. Please try again in {count} minutes.',
null,
array('count' => static::config()->get('lock_out_delay_mins'))
)
);
}
$this->extend('canLogIn', $result);
return $result;
}
/**
* Returns true if this user is locked out
*
* @skipUpgrade
* @return bool
*/
public function isLockedOut()
{
/** @var DBDatetime $lockedOutUntilObj */
$lockedOutUntilObj = $this->dbObject('LockedOutUntil');
if ($lockedOutUntilObj->InFuture()) {
return true;
}
$maxAttempts = $this->config()->get('lock_out_after_incorrect_logins');
if ($maxAttempts <= 0) {
return false;
}
$idField = static::config()->get('unique_identifier_field');
$attempts = LoginAttempt::getByEmail($this->{$idField})
->sort('Created', 'DESC')
->limit($maxAttempts);
if ($attempts->count() < $maxAttempts) {
return false;
}
foreach ($attempts as $attempt) {
if ($attempt->Status === 'Success') {
return false;
}
}
// Calculate effective LockedOutUntil
/** @var DBDatetime $firstFailureDate */
$firstFailureDate = $attempts->first()->dbObject('Created');
$maxAgeSeconds = $this->config()->get('lock_out_delay_mins') * 60;
$lockedOutUntil = $firstFailureDate->getTimestamp() + $maxAgeSeconds;
$now = DBDatetime::now()->getTimestamp();
if ($now < $lockedOutUntil) {
return true;
}
return false;
}
/**
* Set a {@link PasswordValidator} object to use to validate member's passwords.
*
* @param PasswordValidator $validator
*/
public static function set_password_validator(PasswordValidator $validator = null)
{
// Override existing config
Config::modify()->remove(Injector::class, PasswordValidator::class);
if ($validator) {
Injector::inst()->registerService($validator, PasswordValidator::class);
} else {
Injector::inst()->unregisterNamedObject(PasswordValidator::class);
}
}
/**
* Returns the default {@link PasswordValidator}
*
* @return PasswordValidator
*/
public static function password_validator()
{
if (Injector::inst()->has(PasswordValidator::class)) {
return Injector::inst()->get(PasswordValidator::class);
}
return null;
}
public function isPasswordExpired()
{
if (!$this->PasswordExpiry) {
return false;
}
return strtotime(date('Y-m-d')) >= strtotime($this->PasswordExpiry);
}
/**
* @deprecated 5.0.0 Use Security::setCurrentUser() or IdentityStore::logIn()
*
*/
public function logIn()
{
Deprecation::notice(
'5.0.0',
'This method is deprecated and only logs in for the current request. Please use Security::setCurrentUser($user) or an IdentityStore'
);
Security::setCurrentUser($this);
}
/**
* Called before a member is logged in via session/cookie/etc
*/
public function beforeMemberLoggedIn()
{
// @todo Move to middleware on the AuthenticationMiddleware IdentityStore
$this->extend('beforeMemberLoggedIn');
}
/**
* Called after a member is logged in via session/cookie/etc
*/
public function afterMemberLoggedIn()
{
// Clear the incorrect log-in count
$this->registerSuccessfulLogin();
$this->LockedOutUntil = null;
$this->regenerateTempID();
$this->write();
// Audit logging hook
$this->extend('afterMemberLoggedIn');
}
/**
* Trigger regeneration of TempID.
*
* This should be performed any time the user presents their normal identification (normally Email)
* and is successfully authenticated.
*/
public function regenerateTempID()
{
$generator = new RandomGenerator();
$lifetime = self::config()->get('temp_id_lifetime');
$this->TempIDHash = $generator->randomToken('sha1');
$this->TempIDExpired = $lifetime
? date('Y-m-d H:i:s', strtotime(DBDatetime::now()->getValue()) + $lifetime)
: null;
$this->write();
}
/**
* Check if the member ID logged in session actually
* has a database record of the same ID. If there is
* no logged in user, FALSE is returned anyway.
*
* @deprecated Not needed anymore, as it returns Security::getCurrentUser();
*
* @return boolean TRUE record found FALSE no record found
*/
public static function logged_in_session_exists()
{
Deprecation::notice(
'5.0.0',
'This method is deprecated and now does not add value. Please use Security::getCurrentUser()'
);
if ($member = Security::getCurrentUser()) {
if ($member && $member->exists()) {
return true;
}
}
return false;
}
/**
* @deprecated Use Security::setCurrentUser(null) or an IdentityStore
* Logs this member out.
*/
public function logOut()
{
Deprecation::notice(
'5.0.0',
'This method is deprecated and now does not persist. Please use Security::setCurrentUser(null) or an IdentityStore'
);
Injector::inst()->get(IdentityStore::class)->logOut(Controller::curr()->getRequest());
}
/**
* Audit logging hook, called before a member is logged out
*
* @param HTTPRequest|null $request
*/
public function beforeMemberLoggedOut(HTTPRequest $request = null)
{
$this->extend('beforeMemberLoggedOut', $request);
}
/**
* Audit logging hook, called after a member is logged out
*
* @param HTTPRequest|null $request
*/
public function afterMemberLoggedOut(HTTPRequest $request = null)
{
$this->extend('afterMemberLoggedOut', $request);
}
/**
* Utility for generating secure password hashes for this member.
*
* @param string $string
* @return string
* @throws PasswordEncryptor_NotFoundException
*/
public function encryptWithUserSettings($string)
{
if (!$string) {
return null;
}
// If the algorithm or salt is not available, it means we are operating
// on legacy account with unhashed password. Do not hash the string.
if (!$this->PasswordEncryption) {
return $string;
}
// We assume we have PasswordEncryption and Salt available here.
$e = PasswordEncryptor::create_for_algorithm($this->PasswordEncryption);
return $e->encrypt($string, $this->Salt);
}
/**
* Generate an auto login token which can be used to reset the password,
* at the same time hashing it and storing in the database.
*
* @param int|null $lifetime DEPRECATED: The lifetime of the auto login hash in days. Overrides
* the Member.auto_login_token_lifetime config value
* @return string Token that should be passed to the client (but NOT persisted).
*/
public function generateAutologinTokenAndStoreHash($lifetime = null)
{
if ($lifetime !== null) {
Deprecation::notice(
'5.0',
'Passing a $lifetime to Member::generateAutologinTokenAndStoreHash() is deprecated,
use the Member.auto_login_token_lifetime config setting instead',
Deprecation::SCOPE_GLOBAL
);
$lifetime = (86400 * $lifetime); // Method argument is days, convert to seconds
} else {
$lifetime = $this->config()->auto_login_token_lifetime;
}
do {
$generator = new RandomGenerator();
$token = $generator->randomToken();
$hash = $this->encryptWithUserSettings($token);
} while (DataObject::get_one(Member::class, array(
'"Member"."AutoLoginHash"' => $hash
)));
$this->AutoLoginHash = $hash;
$this->AutoLoginExpired = date('Y-m-d H:i:s', time() + $lifetime);
$this->write();
return $token;
}
/**
* Check the token against the member.
*
* @param string $autologinToken
*
* @returns bool Is token valid?
*/
public function validateAutoLoginToken($autologinToken)
{
$hash = $this->encryptWithUserSettings($autologinToken);
$member = self::member_from_autologinhash($hash, false);
return (bool)$member;
}
/**
* Return the member for the auto login hash
*
* @param string $hash The hash key
* @param bool $login Should the member be logged in?
*
* @return Member the matching member, if valid
* @return Member
*/
public static function member_from_autologinhash($hash, $login = false)
{
/** @var Member $member */
$member = static::get()->filter([
'AutoLoginHash' => $hash,
'AutoLoginExpired:GreaterThan' => DBDatetime::now()->getValue(),
])->first();
if ($login && $member) {
Injector::inst()->get(IdentityStore::class)->logIn($member);
}
return $member;
}
/**
* Find a member record with the given TempIDHash value
*
* @param string $tempid
* @return Member
*/
public static function member_from_tempid($tempid)
{
$members = static::get()
->filter('TempIDHash', $tempid);
// Exclude expired
if (static::config()->get('temp_id_lifetime')) {
/** @var DataList|Member[] $members */
$members = $members->filter('TempIDExpired:GreaterThan', DBDatetime::now()->getValue());
}
return $members->first();
}
/**
* Returns the fields for the member form - used in the registration/profile module.
* It should return fields that are editable by the admin and the logged-in user.
*
* @todo possibly move this to an extension
*
* @return FieldList Returns a {@link FieldList} containing the fields for
* the member form.
*/
public function getMemberFormFields()
{
$fields = parent::getFrontEndFields();
$fields->replaceField('Password', $this->getMemberPasswordField());
$fields->replaceField('Locale', new DropdownField(
'Locale',
$this->fieldLabel('Locale'),
i18n::getSources()->getKnownLocales()
));
$fields->removeByName(static::config()->get('hidden_fields'));
$fields->removeByName('FailedLoginCount');
$this->extend('updateMemberFormFields', $fields);
return $fields;
}
/**
* Builds "Change / Create Password" field for this member
*
* @return ConfirmedPasswordField
*/
public function getMemberPasswordField()
{
$editingPassword = $this->isInDB();
$label = $editingPassword
? _t(__CLASS__ . '.EDIT_PASSWORD', 'New Password')
: $this->fieldLabel('Password');
/** @var ConfirmedPasswordField $password */
$password = ConfirmedPasswordField::create(
'Password',
$label,
null,
null,
$editingPassword
);
// If editing own password, require confirmation of existing
if ($editingPassword && $this->ID == Security::getCurrentUser()->ID) {
$password->setRequireExistingPassword(true);
}
$password->setCanBeEmpty(true);
$this->extend('updateMemberPasswordField', $password);
return $password;
}
/**
* Returns the {@link RequiredFields} instance for the Member object. This
* Validator is used when saving a {@link CMSProfileController} or added to
* any form responsible for saving a users data.
*
* To customize the required fields, add a {@link DataExtension} to member
* calling the `updateValidator()` method.
*
* @return Member_Validator
*/
public function getValidator()
{
$validator = Member_Validator::create();
$validator->setForMember($this);
$this->extend('updateValidator', $validator);
return $validator;
}
/**
* Returns the current logged in user
*
* @deprecated 5.0.0 use Security::getCurrentUser()
*
* @return Member
*/
public static function currentUser()
{
Deprecation::notice(
'5.0.0',
'This method is deprecated. Please use Security::getCurrentUser() or an IdentityStore'
);
return Security::getCurrentUser();
}
/**
* Temporarily act as the specified user, limited to a $callback, but
* without logging in as that user.
*
* E.g.
*
* Member::logInAs(Security::findAnAdministrator(), function() {
* $record->write();
* });
*
*
* @param Member|null|int $member Member or member ID to log in as.
* Set to null or 0 to act as a logged out user.
* @param callable $callback
*/
public static function actAs($member, $callback)
{
$previousUser = Security::getCurrentUser();
// Transform ID to member
if (is_numeric($member)) {
$member = DataObject::get_by_id(Member::class, $member);
}
Security::setCurrentUser($member);
try {
return $callback();
} finally {
Security::setCurrentUser($previousUser);
}
}
/**
* Get the ID of the current logged in user
*
* @deprecated 5.0.0 use Security::getCurrentUser()
*
* @return int Returns the ID of the current logged in user or 0.
*/
public static function currentUserID()
{
Deprecation::notice(
'5.0.0',
'This method is deprecated. Please use Security::getCurrentUser() or an IdentityStore'
);
if ($member = Security::getCurrentUser()) {
return $member->ID;
} else {
return 0;
}
}
/**
* Generate a random password, with randomiser to kick in if there's no words file on the
* filesystem.
*
* @return string Returns a random password.
*/
public static function create_new_password()
{
$words = Security::config()->uninherited('word_list');
if ($words && file_exists($words)) {
$words = file($words);
list($usec, $sec) = explode(' ', microtime());
mt_srand($sec + ((float)$usec * 100000));
$word = trim($words[random_int(0, count($words) - 1)]);
$number = random_int(10, 999);
return $word . $number;
} else {
$random = mt_rand();
$string = md5($random);
$output = substr($string, 0, 8);
return $output;
}
}
/**
* Event handler called before writing to the database.
*/
public function onBeforeWrite()
{
// If a member with the same "unique identifier" already exists with a different ID, don't allow merging.
// Note: This does not a full replacement for safeguards in the controller layer (e.g. in a registration form),
// but rather a last line of defense against data inconsistencies.
$identifierField = Member::config()->get('unique_identifier_field');
if ($this->$identifierField) {
// Note: Same logic as Member_Validator class
$filter = [
"\"Member\".\"$identifierField\"" => $this->$identifierField
];
if ($this->ID) {
$filter[] = array('"Member"."ID" <> ?' => $this->ID);
}
$existingRecord = DataObject::get_one(Member::class, $filter);
if ($existingRecord) {
throw new ValidationException(_t(
__CLASS__ . '.ValidationIdentifierFailed',
'Can\'t overwrite existing member #{id} with identical identifier ({name} = {value}))',
'Values in brackets show "fieldname = value", usually denoting an existing email address',
array(
'id' => $existingRecord->ID,
'name' => $identifierField,
'value' => $this->$identifierField
)
));
}
}
// We don't send emails out on dev/tests sites to prevent accidentally spamming users.
// However, if TestMailer is in use this isn't a risk.
// @todo some developers use external tools, so emailing might be a good idea anyway
if ((Director::isLive() || Injector::inst()->get(Mailer::class) instanceof TestMailer)
&& $this->isChanged('Password')
&& $this->record['Password']
&& static::config()->get('notify_password_change')
) {
Email::create()
->setHTMLTemplate('SilverStripe\\Control\\Email\\ChangePasswordEmail')
->setData($this)
->setTo($this->Email)
->setSubject(_t(__CLASS__ . '.SUBJECTPASSWORDCHANGED', "Your password has been changed", 'Email subject'))
->send();
}
// The test on $this->ID is used for when records are initially created. Note that this only works with
// cleartext passwords, as we can't rehash existing passwords. Checking passwordChangesToWrite prevents
// recursion between changePassword and this method.
if ((!$this->ID && $this->Password) || ($this->isChanged('Password') && !$this->passwordChangesToWrite)) {
$this->changePassword($this->Password, false);
}
// save locale
if (!$this->Locale) {
$this->Locale = i18n::get_locale();
}
parent::onBeforeWrite();
}
public function onAfterWrite()
{
parent::onAfterWrite();
Permission::reset();
if ($this->isChanged('Password') && static::config()->get('password_logging_enabled')) {
MemberPassword::log($this);
}
}
public function onAfterDelete()
{
parent::onAfterDelete();
//prevent orphaned records remaining in the DB
$this->deletePasswordLogs();
}
/**
* Delete the MemberPassword objects that are associated to this user
*
* @return $this
*/
protected function deletePasswordLogs()
{
foreach ($this->LoggedPasswords() as $password) {
$password->delete();
$password->destroy();
}
return $this;
}
/**
* Filter out admin groups to avoid privilege escalation,
* If any admin groups are requested, deny the whole save operation.
*
* @param array $ids Database IDs of Group records
* @return bool True if the change can be accepted
*/
public function onChangeGroups($ids)
{
// unless the current user is an admin already OR the logged in user is an admin
if (Permission::check('ADMIN') || Permission::checkMember($this, 'ADMIN')) {
return true;
}
// If there are no admin groups in this set then it's ok
$adminGroups = Permission::get_groups_by_permission('ADMIN');
$adminGroupIDs = ($adminGroups) ? $adminGroups->column('ID') : array();
return count(array_intersect($ids, $adminGroupIDs)) == 0;
}
/**
* Check if the member is in one of the given groups.
*
* @param array|SS_List $groups Collection of {@link Group} DataObjects to check
* @param boolean $strict Only determine direct group membership if set to true (Default: false)
* @return bool Returns TRUE if the member is in one of the given groups, otherwise FALSE.
*/
public function inGroups($groups, $strict = false)
{
if ($groups) {
foreach ($groups as $group) {
if ($this->inGroup($group, $strict)) {
return true;
}
}
}
return false;
}
/**
* Check if the member is in the given group or any parent groups.
*
* @param int|Group|string $group Group instance, Group Code or ID
* @param boolean $strict Only determine direct group membership if set to TRUE (Default: FALSE)
* @return bool Returns TRUE if the member is in the given group, otherwise FALSE.
*/
public function inGroup($group, $strict = false)
{
if (is_numeric($group)) {
$groupCheckObj = DataObject::get_by_id(Group::class, $group);
} elseif (is_string($group)) {
$groupCheckObj = DataObject::get_one(Group::class, array(
'"Group"."Code"' => $group
));
} elseif ($group instanceof Group) {
$groupCheckObj = $group;
} else {
throw new InvalidArgumentException('Member::inGroup(): Wrong format for $group parameter');
}
if (!$groupCheckObj) {
return false;
}
$groupCandidateObjs = ($strict) ? $this->getManyManyComponents("Groups") : $this->Groups();
if ($groupCandidateObjs) {
foreach ($groupCandidateObjs as $groupCandidateObj) {
if ($groupCandidateObj->ID == $groupCheckObj->ID) {
return true;
}
}
}
return false;
}
/**
* Adds the member to a group. This will create the group if the given
* group code does not return a valid group object.
*
* @param string $groupcode
* @param string $title Title of the group
*/
public function addToGroupByCode($groupcode, $title = "")
{
$group = DataObject::get_one(Group::class, array(
'"Group"."Code"' => $groupcode
));
if ($group) {
$this->Groups()->add($group);
} else {
if (!$title) {
$title = $groupcode;
}
$group = new Group();
$group->Code = $groupcode;
$group->Title = $title;
$group->write();
$this->Groups()->add($group);
}
}
/**
* Removes a member from a group.
*
* @param string $groupcode
*/
public function removeFromGroupByCode($groupcode)
{
$group = Group::get()->filter(array('Code' => $groupcode))->first();
if ($group) {
$this->Groups()->remove($group);
}
}
/**
* @param array $columns Column names on the Member record to show in {@link getTitle()}.
* @param String $sep Separator
*/
public static function set_title_columns($columns, $sep = ' ')
{
Deprecation::notice('5.0', 'Use Member.title_format config instead');
if (!is_array($columns)) {
$columns = array($columns);
}
self::config()->set(
'title_format',
[
'columns' => $columns,
'sep' => $sep
]
);
}
//------------------- HELPER METHODS -----------------------------------//
/**
* Get the complete name of the member, by default in the format ", ".
* Falls back to showing either field on its own.
*
* You can overload this getter with {@link set_title_format()}
* and {@link set_title_sql()}.
*
* @return string Returns the first- and surname of the member. If the ID
* of the member is equal 0, only the surname is returned.
*/
public function getTitle()
{
$format = static::config()->get('title_format');
if ($format) {
$values = array();
foreach ($format['columns'] as $col) {
$values[] = $this->getField($col);
}
return implode($format['sep'], $values);
}
if ($this->getField('ID') === 0) {
return $this->getField('Surname');
} else {
if ($this->getField('Surname') && $this->getField('FirstName')) {
return $this->getField('Surname') . ', ' . $this->getField('FirstName');
} elseif ($this->getField('Surname')) {
return $this->getField('Surname');
} elseif ($this->getField('FirstName')) {
return $this->getField('FirstName');
} else {
return null;
}
}
}
/**
* Return a SQL CONCAT() fragment suitable for a SELECT statement.
* Useful for custom queries which assume a certain member title format.
*
* @return String SQL
*/
public static function get_title_sql()
{
// Get title_format with fallback to default
$format = static::config()->get('title_format');
if (!$format) {
$format = [
'columns' => ['Surname', 'FirstName'],
'sep' => ' ',
];
}
$columnsWithTablename = array();
foreach ($format['columns'] as $column) {
$columnsWithTablename[] = static::getSchema()->sqlColumnForField(__CLASS__, $column);
}
$sepSQL = Convert::raw2sql($format['sep'], true);
$op = DB::get_conn()->concatOperator();
return "(" . join(" $op $sepSQL $op ", $columnsWithTablename) . ")";
}
/**
* Get the complete name of the member
*
* @return string Returns the first- and surname of the member.
*/
public function getName()
{
return ($this->Surname) ? trim($this->FirstName . ' ' . $this->Surname) : $this->FirstName;
}
/**
* Set first- and surname
*
* This method assumes that the last part of the name is the surname, e.g.
* A B C will result in firstname A B and surname C
*
* @param string $name The name
*/
public function setName($name)
{
$nameParts = explode(' ', $name);
$this->Surname = array_pop($nameParts);
$this->FirstName = join(' ', $nameParts);
}
/**
* Alias for {@link setName}
*
* @param string $name The name
* @see setName()
*/
public function splitName($name)
{
return $this->setName($name);
}
/**
* Return the date format based on the user's chosen locale,
* falling back to the default format defined by the {@link i18n.get_locale()} setting.
*
* @return string ISO date format
*/
public function getDateFormat()
{
$formatter = new IntlDateFormatter(
$this->getLocale(),
IntlDateFormatter::MEDIUM,
IntlDateFormatter::NONE
);
$format = $formatter->getPattern();
$this->extend('updateDateFormat', $format);
return $format;
}
/**
* Get user locale
*/
public function getLocale()
{
$locale = $this->getField('Locale');
if ($locale) {
return $locale;
}
return i18n::get_locale();
}
/**
* Return the time format based on the user's chosen locale,
* falling back to the default format defined by the {@link i18n.get_locale()} setting.
*
* @return string ISO date format
*/
public function getTimeFormat()
{
$formatter = new IntlDateFormatter(
$this->getLocale(),
IntlDateFormatter::NONE,
IntlDateFormatter::MEDIUM
);
$format = $formatter->getPattern();
$this->extend('updateTimeFormat', $format);
return $format;
}
//---------------------------------------------------------------------//
/**
* Get a "many-to-many" map that holds for all members their group memberships,
* including any parent groups where membership is implied.
* Use {@link DirectGroups()} to only retrieve the group relations without inheritance.
*
* @todo Push all this logic into Member_GroupSet's getIterator()?
* @return Member_Groupset
*/
public function Groups()
{
$groups = Member_GroupSet::create(Group::class, 'Group_Members', 'GroupID', 'MemberID');
$groups = $groups->forForeignID($this->ID);
$this->extend('updateGroups', $groups);
return $groups;
}
/**
* @return ManyManyList
*/
public function DirectGroups()
{
return $this->getManyManyComponents('Groups');
}
/**
* Get a member SQLMap of members in specific groups
*
* If no $groups is passed, all members will be returned
*
* @param mixed $groups - takes a SS_List, an array or a single Group.ID
* @return Map Returns an Map that returns all Member data.
*/
public static function map_in_groups($groups = null)
{
$groupIDList = array();
if ($groups instanceof SS_List) {
foreach ($groups as $group) {
$groupIDList[] = $group->ID;
}
} elseif (is_array($groups)) {
$groupIDList = $groups;
} elseif ($groups) {
$groupIDList[] = $groups;
}
// No groups, return all Members
if (!$groupIDList) {
return static::get()->sort(array('Surname' => 'ASC', 'FirstName' => 'ASC'))->map();
}
$membersList = new ArrayList();
// This is a bit ineffective, but follow the ORM style
/** @var Group $group */
foreach (Group::get()->byIDs($groupIDList) as $group) {
$membersList->merge($group->Members());
}
$membersList->removeDuplicates('ID');
return $membersList->map();
}
/**
* Get a map of all members in the groups given that have CMS permissions
*
* If no groups are passed, all groups with CMS permissions will be used.
*
* @param array $groups Groups to consider or NULL to use all groups with
* CMS permissions.
* @return Map Returns a map of all members in the groups given that
* have CMS permissions.
*/
public static function mapInCMSGroups($groups = null)
{
// Check CMS module exists
if (!class_exists(LeftAndMain::class)) {
return ArrayList::create()->map();
}
if (count($groups) == 0) {
$perms = array('ADMIN', 'CMS_ACCESS_AssetAdmin');
if (class_exists(CMSMain::class)) {
$cmsPerms = CMSMain::singleton()->providePermissions();
} else {
$cmsPerms = LeftAndMain::singleton()->providePermissions();
}
if (!empty($cmsPerms)) {
$perms = array_unique(array_merge($perms, array_keys($cmsPerms)));
}
$permsClause = DB::placeholders($perms);
/** @skipUpgrade */
$groups = Group::get()
->innerJoin("Permission", '"Permission"."GroupID" = "Group"."ID"')
->where(array(
"\"Permission\".\"Code\" IN ($permsClause)" => $perms
));
}
$groupIDList = array();
if ($groups instanceof SS_List) {
foreach ($groups as $group) {
$groupIDList[] = $group->ID;
}
} elseif (is_array($groups)) {
$groupIDList = $groups;
}
/** @skipUpgrade */
$members = static::get()
->innerJoin("Group_Members", '"Group_Members"."MemberID" = "Member"."ID"')
->innerJoin("Group", '"Group"."ID" = "Group_Members"."GroupID"');
if ($groupIDList) {
$groupClause = DB::placeholders($groupIDList);
$members = $members->where(array(
"\"Group\".\"ID\" IN ($groupClause)" => $groupIDList
));
}
return $members->sort('"Member"."Surname", "Member"."FirstName"')->map();
}
/**
* Get the groups in which the member is NOT in
*
* When passed an array of groups, and a component set of groups, this
* function will return the array of groups the member is NOT in.
*
* @param array $groupList An array of group code names.
* @param array $memberGroups A component set of groups (if set to NULL,
* $this->groups() will be used)
* @return array Groups in which the member is NOT in.
*/
public function memberNotInGroups($groupList, $memberGroups = null)
{
if (!$memberGroups) {
$memberGroups = $this->Groups();
}
foreach ($memberGroups as $group) {
if (in_array($group->Code, $groupList)) {
$index = array_search($group->Code, $groupList);
unset($groupList[$index]);
}
}
return $groupList;
}
/**
* Return a {@link FieldList} of fields that would appropriate for editing
* this member.
*
* @skipUpgrade
* @return FieldList Return a FieldList of fields that would appropriate for
* editing this member.
*/
public function getCMSFields()
{
$this->beforeUpdateCMSFields(function (FieldList $fields) {
/** @var TabSet $rootTabSet */
$rootTabSet = $fields->fieldByName("Root");
/** @var Tab $mainTab */
$mainTab = $rootTabSet->fieldByName("Main");
/** @var FieldList $mainFields */
$mainFields = $mainTab->getChildren();
// Build change password field
$mainFields->replaceField('Password', $this->getMemberPasswordField());
$mainFields->replaceField('Locale', new DropdownField(
"Locale",
_t(__CLASS__ . '.INTERFACELANG', "Interface Language", 'Language of the CMS'),
i18n::getSources()->getKnownLocales()
));
$mainFields->removeByName(static::config()->get('hidden_fields'));
if (!static::config()->get('lock_out_after_incorrect_logins')) {
$mainFields->removeByName('FailedLoginCount');
}
// Groups relation will get us into logical conflicts because
// Members are displayed within group edit form in SecurityAdmin
$fields->removeByName('Groups');
// Members shouldn't be able to directly view/edit logged passwords
$fields->removeByName('LoggedPasswords');
$fields->removeByName('RememberLoginHashes');
if (Permission::check('EDIT_PERMISSIONS')) {
$groupsMap = array();
foreach (Group::get() as $group) {
// Listboxfield values are escaped, use ASCII char instead of »
$groupsMap[$group->ID] = $group->getBreadcrumbs(' > ');
}
asort($groupsMap);
$fields->addFieldToTab(
'Root.Main',
ListboxField::create('DirectGroups', Group::singleton()->i18n_plural_name())
->setSource($groupsMap)
->setAttribute(
'data-placeholder',
_t(__CLASS__ . '.ADDGROUP', 'Add group', 'Placeholder text for a dropdown')
)
);
// Add permission field (readonly to avoid complicated group assignment logic).
// This should only be available for existing records, as new records start
// with no permissions until they have a group assignment anyway.
if ($this->ID) {
$permissionsField = new PermissionCheckboxSetField_Readonly(
'Permissions',
false,
Permission::class,
'GroupID',
// we don't want parent relationships, they're automatically resolved in the field
$this->getManyManyComponents('Groups')
);
$fields->findOrMakeTab('Root.Permissions', Permission::singleton()->i18n_plural_name());
$fields->addFieldToTab('Root.Permissions', $permissionsField);
}
}
$permissionsTab = $rootTabSet->fieldByName('Permissions');
if ($permissionsTab) {
$permissionsTab->addExtraClass('readonly');
}
});
return parent::getCMSFields();
}
/**
* @param bool $includerelations Indicate if the labels returned include relation fields
* @return array
*/
public function fieldLabels($includerelations = true)
{
$labels = parent::fieldLabels($includerelations);
$labels['FirstName'] = _t(__CLASS__ . '.FIRSTNAME', 'First Name');
$labels['Surname'] = _t(__CLASS__ . '.SURNAME', 'Surname');
/** @skipUpgrade */
$labels['Email'] = _t(__CLASS__ . '.EMAIL', 'Email');
$labels['Password'] = _t(__CLASS__ . '.db_Password', 'Password');
$labels['PasswordExpiry'] = _t(__CLASS__ . '.db_PasswordExpiry', 'Password Expiry Date', 'Password expiry date');
$labels['LockedOutUntil'] = _t(__CLASS__ . '.db_LockedOutUntil', 'Locked out until', 'Security related date');
$labels['Locale'] = _t(__CLASS__ . '.db_Locale', 'Interface Locale');
if ($includerelations) {
$labels['Groups'] = _t(
__CLASS__ . '.belongs_many_many_Groups',
'Groups',
'Security Groups this member belongs to'
);
}
return $labels;
}
/**
* Users can view their own record.
* Otherwise they'll need ADMIN or CMS_ACCESS_SecurityAdmin permissions.
* This is likely to be customized for social sites etc. with a looser permission model.
*
* @param Member $member
* @return bool
*/
public function canView($member = null)
{
//get member
if (!$member) {
$member = Security::getCurrentUser();
}
//check for extensions, we do this first as they can overrule everything
$extended = $this->extendedCan(__FUNCTION__, $member);
if ($extended !== null) {
return $extended;
}
//need to be logged in and/or most checks below rely on $member being a Member
if (!$member) {
return false;
}
// members can usually view their own record
if ($this->ID == $member->ID) {
return true;
}
//standard check
return Permission::checkMember($member, 'CMS_ACCESS_SecurityAdmin');
}
/**
* Users can edit their own record.
* Otherwise they'll need ADMIN or CMS_ACCESS_SecurityAdmin permissions
*
* @param Member $member
* @return bool
*/
public function canEdit($member = null)
{
//get member
if (!$member) {
$member = Security::getCurrentUser();
}
//check for extensions, we do this first as they can overrule everything
$extended = $this->extendedCan(__FUNCTION__, $member);
if ($extended !== null) {
return $extended;
}
//need to be logged in and/or most checks below rely on $member being a Member
if (!$member) {
return false;
}
// HACK: we should not allow for an non-Admin to edit an Admin
if (!Permission::checkMember($member, 'ADMIN') && Permission::checkMember($this, 'ADMIN')) {
return false;
}
// members can usually edit their own record
if ($this->ID == $member->ID) {
return true;
}
//standard check
return Permission::checkMember($member, 'CMS_ACCESS_SecurityAdmin');
}
/**
* Users can edit their own record.
* Otherwise they'll need ADMIN or CMS_ACCESS_SecurityAdmin permissions
*
* @param Member $member
* @return bool
*/
public function canDelete($member = null)
{
if (!$member) {
$member = Security::getCurrentUser();
}
//check for extensions, we do this first as they can overrule everything
$extended = $this->extendedCan(__FUNCTION__, $member);
if ($extended !== null) {
return $extended;
}
//need to be logged in and/or most checks below rely on $member being a Member
if (!$member) {
return false;
}
// Members are not allowed to remove themselves,
// since it would create inconsistencies in the admin UIs.
if ($this->ID && $member->ID == $this->ID) {
return false;
}
// HACK: if you want to delete a member, you have to be a member yourself.
// this is a hack because what this should do is to stop a user
// deleting a member who has more privileges (e.g. a non-Admin deleting an Admin)
if (Permission::checkMember($this, 'ADMIN')) {
if (!Permission::checkMember($member, 'ADMIN')) {
return false;
}
}
//standard check
return Permission::checkMember($member, 'CMS_ACCESS_SecurityAdmin');
}
/**
* Validate this member object.
*/
public function validate()
{
$valid = parent::validate();
$validator = static::password_validator();
if (!$this->ID || $this->isChanged('Password')) {
if ($this->Password && $validator) {
$userValid = $validator->validate($this->Password, $this);
$valid->combineAnd($userValid);
}
}
return $valid;
}
/**
* Change password. This will cause rehashing according to the `PasswordEncryption` property. This method will
* allow extensions to perform actions and augment the validation result if required before the password is written
* and can check it after the write also.
*
* This method will encrypt the password prior to writing.
*
* @param string $password Cleartext password
* @param bool $write Whether to write the member afterwards
* @return ValidationResult
*/
public function changePassword($password, $write = true)
{
$this->Password = $password;
$valid = $this->validate();
$this->extend('onBeforeChangePassword', $password, $valid);
if ($valid->isValid()) {
$this->AutoLoginHash = null;
$this->encryptPassword();
if ($write) {
$this->passwordChangesToWrite = true;
$this->write();
}
}
$this->extend('onAfterChangePassword', $password, $valid);
return $valid;
}
/**
* Takes a plaintext password (on the Member object) and encrypts it
*
* @return $this
*/
protected function encryptPassword()
{
// reset salt so that it gets regenerated - this will invalidate any persistent login cookies
// or other information encrypted with this Member's settings (see self::encryptWithUserSettings)
$this->Salt = '';
// Password was changed: encrypt the password according the settings
$encryption_details = Security::encrypt_password(
$this->Password,
$this->Salt,
$this->isChanged('PasswordEncryption') ? $this->PasswordEncryption : null,
$this
);
// Overwrite the Password property with the hashed value
$this->Password = $encryption_details['password'];
$this->Salt = $encryption_details['salt'];
$this->PasswordEncryption = $encryption_details['algorithm'];
// If we haven't manually set a password expiry
if (!$this->isChanged('PasswordExpiry')) {
// then set it for us
if (static::config()->get('password_expiry_days')) {
$this->PasswordExpiry = date('Y-m-d', time() + 86400 * static::config()->get('password_expiry_days'));
} else {
$this->PasswordExpiry = null;
}
}
return $this;
}
/**
* Tell this member that someone made a failed attempt at logging in as them.
* This can be used to lock the user out temporarily if too many failed attempts are made.
*/
public function registerFailedLogin()
{
$lockOutAfterCount = self::config()->get('lock_out_after_incorrect_logins');
if ($lockOutAfterCount) {
// Keep a tally of the number of failed log-ins so that we can lock people out
++$this->FailedLoginCount;
if ($this->FailedLoginCount >= $lockOutAfterCount) {
$lockoutMins = self::config()->get('lock_out_delay_mins');
$this->LockedOutUntil = date('Y-m-d H:i:s', DBDatetime::now()->getTimestamp() + $lockoutMins * 60);
$this->FailedLoginCount = 0;
}
}
$this->extend('registerFailedLogin');
$this->write();
}
/**
* Tell this member that a successful login has been made
*/
public function registerSuccessfulLogin()
{
if (self::config()->get('lock_out_after_incorrect_logins')) {
// Forgive all past login failures
$this->FailedLoginCount = 0;
$this->LockedOutUntil = null;
$this->write();
}
}
/**
* Get the HtmlEditorConfig for this user to be used in the CMS.
* This is set by the group. If multiple configurations are set,
* the one with the highest priority wins.
*
* @return string
*/
public function getHtmlEditorConfigForCMS()
{
$currentName = '';
$currentPriority = 0;
foreach ($this->Groups() as $group) {
$configName = $group->HtmlEditorConfig;
if ($configName) {
$config = HTMLEditorConfig::get($group->HtmlEditorConfig);
if ($config && $config->getOption('priority') > $currentPriority) {
$currentName = $configName;
$currentPriority = $config->getOption('priority');
}
}
}
// If can't find a suitable editor, just default to cms
return $currentName ? $currentName : 'cms';
}
}