mirror of
https://github.com/silverstripe/silverstripe-framework
synced 2024-10-22 14:05:37 +02:00
d8e9af8af8
Database abstraction broken up into controller, connector, query builder, and schema manager, each independently configurable via YAML / Injector Creation of new DBQueryGenerator for database specific generation of SQL Support for parameterised queries, move of code base to use these over escaped conditions Refactor of SQLQuery into separate query classes for each of INSERT UPDATE DELETE and SELECT Support for PDO Installation process upgraded to use new ORM SS_DatabaseException created to handle database errors, maintaining details of raw sql and parameter details for user code designed interested in that data. Renamed DB static methods to conform correctly to naming conventions (e.g. DB::getConn -> DB::get_conn) 3.2 upgrade docs Performance Optimisation and simplification of code to use more concise API API Ability for database adapters to register extensions to ConfigureFromEnv.php
151 lines
4.4 KiB
PHP
151 lines
4.4 KiB
PHP
<?php
|
|
/**
|
|
* Authenticator for the default "member" method
|
|
*
|
|
* @author Markus Lanthaler <markus@silverstripe.com>
|
|
* @package framework
|
|
* @subpackage security
|
|
*/
|
|
class MemberAuthenticator extends Authenticator {
|
|
|
|
/**
|
|
* Contains encryption algorithm identifiers.
|
|
* If set, will migrate to new precision-safe password hashing
|
|
* upon login. See http://open.silverstripe.org/ticket/3004
|
|
*
|
|
* @var array
|
|
*/
|
|
private static $migrate_legacy_hashes = array(
|
|
'md5' => 'md5_v2.4',
|
|
'sha1' => 'sha1_v2.4'
|
|
);
|
|
|
|
/**
|
|
* Method to authenticate an user
|
|
*
|
|
* @param array $RAW_data Raw data to authenticate the user
|
|
* @param Form $form Optional: If passed, better error messages can be
|
|
* produced by using
|
|
* {@link Form::sessionMessage()}
|
|
* @return bool|Member Returns FALSE if authentication fails, otherwise
|
|
* the member object
|
|
* @see Security::setDefaultAdmin()
|
|
*/
|
|
public static function authenticate($RAW_data, Form $form = null) {
|
|
// Check for email
|
|
if(empty($RAW_data['Email'])) return false;
|
|
|
|
$userEmail = $RAW_data['Email'];
|
|
if(is_array($userEmail)) {
|
|
user_error("Bad email passed to MemberAuthenticator::authenticate()", E_USER_WARNING);
|
|
return false;
|
|
}
|
|
|
|
$result = null;
|
|
|
|
// Default login (see Security::setDefaultAdmin())
|
|
if(Security::check_default_admin($userEmail, $RAW_data['Password'])) {
|
|
$member = Security::findAnAdministrator();
|
|
} else {
|
|
$member = Member::get()
|
|
->filter(Member::config()->unique_identifier_field, $userEmail)
|
|
->where('"Member"."Password" IS NOT NULL')
|
|
->first();
|
|
|
|
if($member) {
|
|
$result = $member->checkPassword($RAW_data['Password']);
|
|
} else {
|
|
$result = new ValidationResult(false, _t('Member.ERRORWRONGCRED'));
|
|
}
|
|
|
|
if($member && !$result->valid()) {
|
|
$member->registerFailedLogin();
|
|
$member = false;
|
|
}
|
|
}
|
|
|
|
// Optionally record every login attempt as a {@link LoginAttempt} object
|
|
/**
|
|
* TODO We could handle this with an extension
|
|
*/
|
|
if(Security::config()->login_recording) {
|
|
$attempt = new LoginAttempt();
|
|
if($member) {
|
|
// successful login (member is existing with matching password)
|
|
$attempt->MemberID = $member->ID;
|
|
$attempt->Status = 'Success';
|
|
|
|
// Audit logging hook
|
|
$member->extend('authenticated');
|
|
} else {
|
|
// failed login - we're trying to see if a user exists with this email (disregarding wrong passwords)
|
|
$existingMember = DataObject::get_one("Member", array(
|
|
'"'.Member::config()->unique_identifier_field.'"' => $userEmail
|
|
));
|
|
if($existingMember) {
|
|
$attempt->MemberID = $existingMember->ID;
|
|
|
|
// Audit logging hook
|
|
$existingMember->extend('authenticationFailed');
|
|
} else {
|
|
|
|
// Audit logging hook
|
|
singleton('Member')->extend('authenticationFailedUnknownUser', $RAW_data);
|
|
}
|
|
$attempt->Status = 'Failure';
|
|
}
|
|
|
|
$attempt->Email = $userEmail;
|
|
$attempt->IP = Controller::curr()->getRequest()->getIP();
|
|
$attempt->write();
|
|
}
|
|
|
|
// Legacy migration to precision-safe password hashes.
|
|
// A login-event with cleartext passwords is the only time
|
|
// when we can rehash passwords to a different hashing algorithm,
|
|
// bulk-migration doesn't work due to the nature of hashing.
|
|
// See PasswordEncryptor_LegacyPHPHash class.
|
|
if(
|
|
$member // only migrate after successful login
|
|
&& self::$migrate_legacy_hashes
|
|
&& array_key_exists($member->PasswordEncryption, self::$migrate_legacy_hashes)
|
|
) {
|
|
$member->Password = $RAW_data['Password'];
|
|
$member->PasswordEncryption = self::$migrate_legacy_hashes[$member->PasswordEncryption];
|
|
$member->write();
|
|
}
|
|
|
|
if($member) {
|
|
Session::clear('BackURL');
|
|
} else {
|
|
if($form && $result) $form->sessionMessage($result->message(), 'bad');
|
|
}
|
|
|
|
return $member;
|
|
}
|
|
|
|
|
|
/**
|
|
* Method that creates the login form for this authentication method
|
|
*
|
|
* @param Controller The parent controller, necessary to create the
|
|
* appropriate form action tag
|
|
* @return Form Returns the login form to use with this authentication
|
|
* method
|
|
*/
|
|
public static function get_login_form(Controller $controller) {
|
|
return Object::create("MemberLoginForm", $controller, "LoginForm");
|
|
}
|
|
|
|
|
|
/**
|
|
* Get the name of the authentication method
|
|
*
|
|
* @return string Returns the name of the authentication method.
|
|
*/
|
|
public static function get_name() {
|
|
return _t('MemberAuthenticator.TITLE', "E-mail & Password");
|
|
}
|
|
}
|
|
|