diff --git a/core/authentication_api.php b/core/authentication_api.php
index 806caa1f6e..407e1b90ae 100644
--- a/core/authentication_api.php
+++ b/core/authentication_api.php
@@ -76,37 +76,13 @@
 /**
 * Gets set of flags for authentication that can be overridden by configuration or auth plugins.
- * @return array The array of flags to use.
+ * @return AuthFlags The auth flags object to use.
 */
 function auth_flags() {
 static $s_flags = null;
 if( is_null( $s_flags ) ) {
- $t_default_flags = array(
- 'signup_enabled' => config_get_global( 'allow_signup' ),
- 'signup_access_level' => config_get( 'default_new_account_access_level' ),
- 'anonymous_enabled' => config_get_global( 'allow_anonymous_login' ),
- 'anonymous_account' => config_get_global( 'anonymous_account' ),
- 'access_level_set_password' => ANYBODY,
- 'password_managed_elsewhere_message' => '',
- 'password_change_not_allowed_message' => '',
- 'access_level_create_api_tokens' => VIEWER,
- 'access_level_can_use_standard_login' => ANYBODY,
- 'login_page' => 'login_page.php',
- 'logout_page' => 'logout_page.php',
- 'logout_redirect_page' => config_get( 'logout_redirect_page' ),
- 'session_lifetime' => 0,
- 'perm_session_enabled' => config_get_global( 'allow_permanent_cookie' ) == ON,
- 'perm_session_lifetime' => config_get_global( 'cookie_time_length' ),
- 'reauthentication_enabled' => config_get( 'reauthentication' ),
- 'reauthentication_expiry' => config_get( 'reauthentication_expiry' ),
- );
-
- $s_flags = event_signal( 'EVENT_AUTH_FLAGS' );
- if( is_null( $s_flags ) || !is_array( $s_flags ) ) {
- $s_flags = array();
- }
-
- $s_flags = array_merge( $t_default_flags, $s_flags );
+ $s_flags = new AuthFlags();
+ $s_flags = event_signal( 'EVENT_AUTH_FLAGS', array( 'flags' => $s_flags ) );
 }
 return $s_flags;
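Review bot: `$s_flags = event_signal( 'EVENT_AUTH_FLAGS', array( 'flags' => $s_flags ) )` stores whatever the plugin chain returns without checking that it is still an AuthFlags, whereas the removed code at least replaced a null or non-array result with an empty array; a plugin that returns null, an array or an unrelated object turns every later `$t_auth_flags->get…()` call into a fatal error on the login path, and the static cache then pins that value for the rest of the request. With the event switched to EVENT_TYPE_CHAIN in the events_inc.php hunk it also looks as though the chained input is the wrapping array rather than the object, so with no plugin hooked the function may hand back `array( 'flags' => AuthFlags )` instead of the object — worth confirming against event_type_chain() before merging. Suggest `$t_result = event_signal( 'EVENT_AUTH_FLAGS', array( 'flags' => $s_flags ) ); if( $t_result instanceof AuthFlags ) { $s_flags = $t_result; }` plus a docblock line stating that plugins must return the (possibly modified) AuthFlags instance they were handed.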
@@ -118,11 +94,7 @@ function auth_flags() {
 */
 function auth_password_managed_elsewhere_message() {
 $t_auth_flags = auth_flags();
- if( !empty( $t_auth_flags['password_managed_elsewhere_message'] ) ) {
- return $t_auth_flags['password_managed_elsewhere_message'];
- }
-
- return lang_get( 'no_password_request' );
+ return $t_auth_flags->getPasswordManagedExternallyMessage();
 }
 /**
@@ -131,11 +103,7 @@ function auth_password_managed_elsewhere_message() {
 */
 function auth_password_change_not_allowed_message() {
 $t_auth_flags = auth_flags();
- if( !empty( $t_auth_flags['password_change_not_allowed_message'] ) ) {
- return $t_auth_flags['password_change_not_allowed_message'];
- }
-
- return lang_get( 'no_password_change' );
+ return $t_auth_flags->getPasswordManagedExternallyMessage();
 }
 /**
@@ -144,7 +112,7 @@ function auth_password_change_not_allowed_message() {
 */
 function auth_allow_perm_login() {
 $t_auth_flags = auth_flags();
- return $t_auth_flags['perm_session_enabled'];
+ return $t_auth_flags->getPermSessionEnabled();
 }
 /**
@@ -153,7 +121,7 @@ function auth_allow_perm_login() {
 */
 function auth_signup_enabled() {
 $t_auth_flags = auth_flags();
- return $t_auth_flags['signup_enabled'] != OFF;
+ return $t_auth_flags->getSignupEnabled();
 }
 /**
@@ -162,7 +130,7 @@ function auth_signup_enabled() {
 */
 function auth_signup_access_level() {
 $t_auth_flags = auth_flags();
- return $t_auth_flags['signup_access_level'];
+ return $t_auth_flags->getSignupAccessLevel();
 }
 /**
@@ -171,7 +139,7 @@ function auth_signup_access_level() {
 */
 function auth_anonymous_enabled() {
 $t_auth_flags = auth_flags();
- return $t_auth_flags['anonymous_enabled'] != OFF;
+ return $t_auth_flags->getAnonymousEnabled();
 }
 /**
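Review bot: auth_password_change_not_allowed_message() now returns getPasswordManagedExternallyMessage(), the same text auth_password_managed_elsewhere_message() returns in the hunk above, so the separate password_change_not_allowed_message flag and the lang_get( 'no_password_change' ) fallback are gone, and the AuthFlags class later in this diff has no property for them. A password request being unavailable and a password change being disallowed are different situations for the user, and a plugin can no longer word them differently. If the merge is intended, say so in both docblocks; otherwise add a password_change_not_allowed_message property with getter and setter to AuthFlags and return it here, falling back to `lang_get( 'no_password_change' )`.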
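Review bot: auth_signup_enabled() drops the `!= OFF` normalisation, as do auth_anonymous_enabled() (hunk at 171) and auth_reauthentication_enabled() (hunk at 981); when no plugin has set the flag the new getters return the raw config_get_global()/config_get() value, so these functions no longer promise a boolean. Callers that compare strictly against true/false, or that serialise the value, may change behaviour depending on what the config holds. getPermSessionEnabled() in AuthFlags already normalises with `!= OFF`; doing the same in getSignupEnabled(), getAnonymousEnabled() and getReauthenticationEnabled(), or keeping `!= OFF` at these call sites, preserves the old contract.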
@@ -180,11 +148,7 @@ function auth_anonymous_enabled() {
 */
 function auth_anonymous_account() {
 $t_auth_flags = auth_flags();
- if( $t_auth_flags['anonymous_enabled'] == OFF ) {
- return '';
- }
-
- return $t_auth_flags['anonymous_account'];
+ return $t_auth_flags->getAnonymousAccount();
 }
 /**
@@ -192,17 +156,17 @@ function auth_anonymous_account() {
 * @param boolean $p_perm_login Use permanent login.
 * @return integer cookie lifetime or 0 for browser session.
 */
-function auth_session_expiry($p_perm_login ) {
+function auth_session_expiry( $p_perm_login ) {
 $t_auth_flags = auth_flags();
 $t_perm_login = $p_perm_login;
- if( !$t_auth_flags['perm_session_enabled'] ) {
+ if( !$t_auth_flags->getPermSessionEnabled() ) {
 $t_perm_login = false;
 }
 if( $t_perm_login ) {
- $t_lifetime = $t_auth_flags['perm_session_lifetime'];
+ $t_lifetime = $t_auth_flags->getPermSessionLifetime();
 } else {
- $t_lifetime = $t_auth_flags['session_lifetime'];
+ $t_lifetime = $t_auth_flags->getSessionLifetime();
 }
 return $t_lifetime == 0 ? 0 : time() + $t_lifetime;
@@ -215,7 +179,7 @@ function auth_session_expiry($p_perm_login ) {
 */
 function auth_login_page( $p_query_string = '' ) {
 $t_auth_flags = auth_flags();
- $t_login_page = $t_auth_flags['login_page'];
+ $t_login_page = $t_auth_flags->getLoginPage();
 if( !is_blank( $p_query_string ) ) {
 if( stripos( $t_login_page, '?' ) !== false ) {
@@ -234,7 +198,7 @@ function auth_login_page( $p_query_string = '' ) {
 */
 function auth_logout_page() {
 $t_auth_flags = auth_flags();
- return $t_auth_flags['logout_page'];
+ return $t_auth_flags->getLogoutPage();
 }
 /**
@@ -243,7 +207,7 @@ function auth_logout_page() {
 */
 function auth_logout_redirect_page() {
 $t_auth_flags = auth_flags();
- return $t_auth_flags['logout_redirect_page'];
+ return $t_auth_flags->getLogoutRedirectPage();
 }
 /**
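Review bot: auth_anonymous_account() no longer returns '' when anonymous login is disabled; getAnonymousAccount() hands back the configured account unconditionally, so a caller that treats a non-empty anonymous account as "anonymous access is available" would now take that path with anonymous login switched off. The removed `if( $t_auth_flags['anonymous_enabled'] == OFF )` guard was the one place this function tied the two flags together. Restore it before the return, `if( !$t_auth_flags->getAnonymousEnabled() ) { return ''; }`, or move the same check into getAnonymousAccount() so that every consumer gets it.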
@@ -253,7 +217,7 @@ function auth_logout_redirect_page() {
 */
 function auth_can_create_api_token( $p_user_id = null ) {
 $t_auth_flags = auth_flags();
- return access_has_global_level( $t_auth_flags['access_level_create_api_tokens'], $p_user_id );
+ return access_has_global_level( $t_auth_flags->getCreateApiTokensThreshold(), $p_user_id );
 }
 /**
@@ -266,10 +230,10 @@ function auth_can_set_password( $p_user_id = null ) {
 # If it is a signup scenario and user is not authenticated, return false.
 if( $p_user_id == NO_USER ) {
- return $t_auth_flags['access_level_set_password'] == ANYBODY;
+ return $t_auth_flags->getSetPasswordThreshold() === ANYBODY;
 }
- if( !access_has_global_level( $t_auth_flags['access_level_set_password'], $p_user_id ) ) {
+ if( !access_has_global_level( $t_auth_flags->getSetPasswordThreshold(), $p_user_id ) ) {
 return false;
 }
@@ -291,10 +255,10 @@ function auth_can_set_password( $p_user_id = null ) {
 function auth_can_use_standard_login( $p_user_id = null ) {
 $t_auth_flags = auth_flags();
 if( $p_user_id === NO_USER ) {
- return $t_auth_flags['access_level_can_use_standard_login'] == ANYBODY;
+ return $t_auth_flags->getUseStandardLoginThreshold() === ANYBODY;
 }
- return access_has_global_level( $t_auth_flags['access_level_can_use_standard_login'], $p_user_id );
+ return access_has_global_level( $t_auth_flags->getUseStandardLoginThreshold(), $p_user_id );
 }
 /**
@@ -981,7 +945,7 @@ function auth_set_tokens( $p_user_id ) {
 */
 function auth_reauthentication_enabled() {
 $t_auth_flags = auth_flags();
- return $t_auth_flags['reauthentication_enabled'] != OFF;
+ return $t_auth_flags->getReauthenticationEnabled();
 }
 /**
@@ -990,7 +954,7 @@ function auth_reauthentication_enabled() {
 */
 function auth_reauthentication_expiry() {
 $t_auth_flags = auth_flags();
- return $t_auth_flags['reauthentication_expiry'];
+ return $t_auth_flags->getReauthenticationLifetime();
 }
 /**
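Review bot: `$t_auth_flags->getSetPasswordThreshold() === ANYBODY` (and the same pattern for getUseStandardLoginThreshold() in the hunk at 291) is a strict comparison against a value whose AuthFlags docblock is int|array|null; an array threshold, or a string if a plugin passes a config value through untouched, can never be identical to ANYBODY, so the NO_USER branch silently reports false while the authenticated branch below it, which goes through access_has_global_level(), would accept the same threshold. Either narrow the setters to ints or resolve the array case here, e.g. `$t_threshold = $t_auth_flags->getSetPasswordThreshold();` followed by `return is_array( $t_threshold ) ? in_array( ANYBODY, $t_threshold, true ) : $t_threshold === ANYBODY;`, assuming array thresholds mean "any of these levels" as they do for access_has_global_level(). auth_can_set_password() starts before this hunk, so the `$t_auth_flags = auth_flags();` assignment it relies on is outside the visible lines.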
diff --git a/core/classes/AuthFlags.class.php b/core/classes/AuthFlags.class.php
new file mode 100644
index 0000000000..81575ad138
--- /dev/null
+++ b/core/classes/AuthFlags.class.php
@@ -0,0 +1,348 @@
+.
+
+/**
+ * Avatar class.
+ * @copyright Copyright 2014 MantisBT Team - mantisbt-dev@lists.sourceforge.net
+ * @link http://www.mantisbt.org
+ * @package MantisBT
+ */
+
+/**
+ * Auth Flags class
+ *
+ * @package MantisBT
+ * @subpackage classes
+ */
+
+require_api( 'access_api.php' );
+require_api( 'plugin_api.php' );
+require_api( 'user_api.php' );
+
+/**
+ * A class that that contains authentication flags.
+ */
+class AuthFlags {
+ /**
+ * Core signup functionality is enabled.
+ * @see $signup_access_level
+ * @var bool|null
+ */
+ private $signup_enabled = null;
+
+ /**
+ * The access level to assign to users who use core signup functionality.
+ * @see $signup_enabled
+ * @var int|null
+ */
+ private $signup_access_level = null;
+
+ /**
+ * Core anonymous login functionality is enabled.
+ * @see $anonymous_account
+ * @var bool|null
+ */
+ private $anonymous_enabled = null;
+
+ /**
+ * User account to designate as the anonymous / guest account.
+ * @see $anonymous_enabled
+ * @var string|null
+ */
+ private $anonymous_account = null;
+
+ /**
+ * The access level or array of access levels that can leverage MantisBT native passwords.
+ * @var int|array|null
+ */
+ private $access_level_set_password = null;
+
+ /**
+ * The message to display indicating that passwords are not managed by MantisBT native passwords.
+ * @var string|null
+ */
+ private $password_managed_elsewhere_message = null;
+
+ /**
+ * The access level or array of access levels that can create and use API tokens.
+ * @var int|array|null
+ */
+ private $access_level_create_api_tokens = null;
+
+ /**
+ * The access level or array of access levels that can use native MantisBT login.
+ * @var int|array|null
+ */
+ private $access_level_can_use_standard_login = null;
+
+ /**
+ * The login page to use instead of the standard MantisBT login page. This can be
+ * a plugin page.
+ * @see $logout_page
+ * @var string|null
+ */
+ private $login_page = null;
+
+ /**
+ * The logout page to use instead of the standard MantisBT logout page. This can be
+ * a plugin page.
+ * @see $login_page
+ * @see $logout_redirect_page
+ * @var string|null
+ */
+ private $logout_page = null;
+
+ /**
+ * The page to redirect to after successful logout. This can be a plugin page. Such
+ * page can display content directly to redirect to a MantisBT page to a remote page.
+ * @see $logout_page
+ * @var string|null
+ */
+ private $logout_redirect_page = null;
+
+ /**
+ * The login session lifetime in seconds or 0 for browser session.
+ * @var int|null
+ */
+ private $session_lifetime = null;
+
+ /**
+ * Indicates whether 'remember me' option is allowed.
+ * @see $perm_session_lifetime
+ * @var bool|null
+ */
+ private $perm_session_enabled = null;
+
+ /**
+ * Indicates the lifetime for 'remember me' sessions. MantisBT default is 1 year.
+ * @see $perm_session_enabled
+ * @var int|null
+ */
+ private $perm_session_lifetime = null;
+
+ /**
+ * Indicates if re-authentication for operations like administrative functions and updating
+ * user profile is enabled.
+ * @see $reauthentication_expiry;
+ * @var bool|null
+ */
+ private $reauthentication_enabled = null;
+
+ /**
+ * Indicates the expiry time in seconds after which the user should be asked to reauthenticate
+ * for administrative functions and updating user profile.
+ * @see $reauthentication_enabled
+ * @var int|null
+ */
+ private $reauthentication_expiry = null;
+
+ /**
+ * AuthFlags constructor.
+ */
+ function __construct() {
+ }
+
+ function setSignupEnabled( $p_enabled ) {
+ $this->signup_enabled = $p_enabled;
+ }
+
+ function getSignupEnabled() {
+ if( is_null( $this->signup_enabled ) ) {
+ return config_get_global( 'allow_signup' );
+ }
+
+ return $this->signup_enabled;
+ }
+
+ function setSignupAccessLevel( $p_access_level ) {
+ $this->signup_access_level = $p_access_level;
+ }
+
+ function getSignupAccessLevel() {
+ if( is_null( $this->signup_access_level ) ) {
+ return config_get( 'default_new_account_access_level' );
+ }
+
+ return $this->signup_access_level;
+ }
+
+ function setAnonymousEnabled( $p_enabled ) {
+ $this->anonymous_enabled = $p_enabled;
+ }
+
+ function getAnonymousEnabled() {
+ if( is_null( $this->anonymous_enabled ) ) {
+ return config_get_global( 'allow_anonymous_login' );
+ }
+
+ return $this->anonymous_enabled;
+ }
+
+ function setAnonymousAccount( $p_username ) {
+ $this->anonymous_account = $p_username;
+ }
+
+ function getAnonymousAccount() {
+ if( is_null( $this->anonymous_account ) ) {
+ return config_get_global( 'anonymous_account' );
+ }
+
+ return $this->anonymous_account;
+ }
+
+ function setSetPasswordThreshold( $p_threshold ) {
+ $this->access_level_set_password = $p_threshold;
+ }
+
+ function getSetPasswordThreshold() {
+ if( is_null( $this->access_level_set_password ) ) {
+ return ANYBODY;
+ }
+
+ return $this->access_level_set_password;
+ }
+
+ function setPasswordManagedExternallyMessage( $p_message ) {
+ $this->password_managed_elsewhere_message = $p_message;
+ }
+
+ function getPasswordManagedExternallyMessage() {
+ if( empty( $this->password_managed_elsewhere_message ) ) {
+ return lang_get( 'password_managed_elsewhere_message' );
+ }
+ }
+
+ function setCreateApiTokensThreshold( $p_threshold ) {
+ $this->access_level_create_api_tokens = $p_threshold;
+ }
+
+ function getCreateApiTokensThreshold() {
+ if( is_null( $this->access_level_create_api_tokens ) ) {
+ return VIEWER;
+ }
+
+ return $this->access_level_create_api_tokens;
+ }
+
+ function setUserStandardLoginThreshold( $p_threshold ) {
+ $this->access_level_can_use_standard_login = $p_threshold;
+ }
+
+ function getUseStandardLoginThreshold() {
+ if( is_null( $this->access_level_can_use_standard_login ) ) {
+ return ANYBODY;
+ }
+
+ return $this->access_level_can_use_standard_login;
+ }
+
+ function setLoginPage( $p_page ) {
+ $this->login_page = $p_page;
+ }
+
+ function getLoginPage() {
+ if( is_null( $this->login_page ) ) {
+ return 'login_page.php';
+ }
+
+ return $this->login_page;
+ }
+
+ function setLogoutPage( $p_page ) {
+ $this->logout_page = $p_page;
+ }
+
+ function getLogoutPage() {
+ if( is_null( $this->logout_page ) ) {
+ return 'logout_page.php';
+ }
+
+ return $this->logout_page;
+ }
+
+ function setLogoutRedirectPage( $p_page ) {
+ $this->logout_redirect_page = $p_page;
+ }
+
+ function getLogoutRedirectPage() {
+ if( is_null( $this->logout_redirect_page ) ) {
+ return config_get( 'logout_redirect_page' );
+ }
+
+ return $this->logout_redirect_page;
+ }
+
+ function setSessionLifetime( $p_seconds ) {
+ $this->session_lifetime = $p_seconds;
+ }
+
+ function getSessionLifetime() {
+ if( is_null( $this->session_lifetime ) ) {
+ return 0;
+ }
+
+ return $this->session_lifetime;
+ }
+
+ function setPermSessionEnabled( $p_enabled ) {
+ $this->perm_session_enabled = $p_enabled;
+ }
+
+ function getPermSessionEnabled() {
+ if( is_null( $this->perm_session_enabled ) ) {
+ return config_get_global( 'allow_permanent_cookie' ) != OFF;
+ }
+
+ return $this->perm_session_enabled;
+ }
+
+ function setPermSessionLifetime( $p_seconds ) {
+ $this->perm_session_lifetime = $p_seconds;
+ }
+
+ function getPermSessionLifetime() {
+ if( is_null( $this->perm_session_lifetime ) ) {
+ return config_get_global( 'cookie_time_length' );
+ }
+
+ return $this->perm_session_lifetime;
+ }
+
+ function setReauthenticationEnabled( $p_enabled ) {
+ $this->reauthentication_enabled = $p_enabled;
+ }
+
+ function getReauthenticationEnabled() {
+ if( is_null( $this->reauthentication_enabled ) ) {
+ return config_get( 'reauthentication' );
+ }
+
+ return $this->reauthentication_enabled;
+ }
+
+ function setReauthenticationLifetime( $p_seconds ) {
+ $this->reauthentication_expiry = $p_seconds;
+ }
+
+ function getReauthenticationLifetime() {
+ if( is_null( $this->reauthentication_expiry ) ) {
+ return config_get( 'reauthentication_expiry' );
+ }
+
+ return $this->reauthentication_expiry;
+ }
+}
+
diff --git a/core/classes/AuthPlugin.class.php b/core/classes/AuthPlugin.class.php
new file mode 100644
index 0000000000..4e2238ba0e
--- /dev/null
+++ b/core/classes/AuthPlugin.class.php
@@ -0,0 +1,39 @@
+.
+
+/**
+ * Avatar class.
+ * @copyright Copyright 2014 MantisBT Team - mantisbt-dev@lists.sourceforge.net
+ * @link http://www.mantisbt.org
+ * @package MantisBT
+ */
+
+/**
+ * Auth Plugin base class
+ *
+ * @package MantisBT
+ * @subpackage classes
+ */
+
+require_api( 'access_api.php' );
+require_api( 'plugin_api.php' );
+require_api( 'user_api.php' );
+
+/**
+ * A class that represents an auth plugin.
+ */
+abstract class AuthPlugin extends MantisPlugin {
+}
\ No newline at end of file
diff --git a/core/events_inc.php b/core/events_inc.php
index d4b1f955a2..7c061e83c6 100644
--- a/core/events_inc.php
+++ b/core/events_inc.php
@@ -148,5 +148,5 @@
 'EVENT_LOG' => EVENT_TYPE_EXECUTE,
 # Authentication Events
- 'EVENT_AUTH_FLAGS' => EVENT_TYPE_FIRST,
+ 'EVENT_AUTH_FLAGS' => EVENT_TYPE_CHAIN,
 ) );
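Review bot: getPasswordManagedExternallyMessage() only returns inside its empty() branch, so once a plugin has called setPasswordManagedExternallyMessage() the getter returns null and auth_password_managed_elsewhere_message() renders nothing; add `return $this->password_managed_elsewhere_message;` after the if. The fallback also moved from lang_get( 'no_password_request' ) to lang_get( 'password_managed_elsewhere_message' ), which is not defined anywhere in this diff — confirm the string exists in the language files before relying on it. Smaller points in the same file: the setter is named setUserStandardLoginThreshold() while its getter is getUseStandardLoginThreshold(); none of the methods declare a visibility; the `@see $reauthentication_expiry;` tag has a stray semicolon; and the file header says `Avatar class.` (copied again in the AuthPlugin.class.php hunk) where `AuthFlags class.` is meant.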