Support authentication plugins

Provide plugins with the ability to control authentication related flags and provide their own login flows. Fixes #4235
mantisbt · Apr 16, 2017 · 8e466bb · 8e466bb
1 parent 5a72e41
commit 8e466bb
Show file tree

Hide file tree

Showing 31 changed files with 347 additions and 104 deletions.
diff --git a/account_page.php b/account_page.php
@@ -104,7 +104,7 @@
 # If the password is the default password, then prompt user to change it.
 $t_reset_password = $u_username == 'administrator' && auth_does_password_match( $u_id, 'root' );
 
-$t_can_change_password = helper_call_custom_function( 'auth_can_change_password', array() );
+$t_can_change_password = auth_can_set_password();
 $t_force_pw_reset = false;
 
 # Only show the update button if there is something to update.
@@ -162,7 +162,7 @@
 					<?php echo lang_get( 'password' ) ?>
 				</td>
 				<td>
-					<?php echo lang_get( 'no_password_change' ) ?>
+					<?php echo auth_password_change_not_allowed_message() ?>
 				</td>
 			</tr><?php
 			} else {

diff --git a/admin/check/check_anonymous_inc.php b/admin/check/check_anonymous_inc.php
@@ -38,7 +38,7 @@
 
 check_print_section_header_row( 'Anonymous access' );
 
-$t_anonymous_access_enabled = config_get_global( 'allow_anonymous_login' );
+$t_anonymous_access_enabled = auth_anonymous_enabled();
 check_print_info_row(
 	'Anonymous access is enabled',
 	$t_anonymous_access_enabled ? 'Yes' : 'No'
@@ -48,7 +48,7 @@
 	return;
 }
 
-$t_anonymous_account = config_get_global( 'anonymous_account' );
+$t_anonymous_account = auth_anonymous_account();
 check_print_test_row(
 	'anonymous_account configuration option is specified',
 	$t_anonymous_account !== '',

diff --git a/api/rest/restcore/AuthMiddleware.php b/api/rest/restcore/AuthMiddleware.php
@@ -40,9 +40,9 @@ public function __invoke( \Slim\Http\Request $request, \Slim\Http\Response $resp
 				$t_password = auth_get_current_user_cookie( /* auto-login-anonymous */ false );
 				$t_login_method = LOGIN_METHOD_COOKIE;
 			} else {
-				$t_username = config_get( 'anonymous_account' );
+				$t_username = auth_anonymous_account();
 
-				if( config_get( 'allow_anonymous_login' ) == OFF || empty( $t_username ) ) {
+				if( !auth_anonymous_enabled() || empty( $t_username ) ) {
 					return $response->withStatus( HTTP_STATUS_UNAUTHORIZED, 'API token required' );
 				}
 

diff --git a/api_token_create.php b/api_token_create.php
@@ -42,6 +42,10 @@
 
 user_ensure_unprotected( $t_user_id );
 
+if( !auth_can_create_api_token() ) {
+	access_denied();
+}
+
 $t_token = api_token_create( $f_token_name, $t_user_id );
 $t_disclose_message = lang_get( 'api_token_disclose_message' );
 $t_display_once_message = lang_get( 'api_token_displayed_once' );

diff --git a/api_tokens_page.php b/api_tokens_page.php
@@ -40,6 +40,10 @@
 
 current_user_ensure_unprotected();
 
+if( !auth_can_create_api_token() ) {
+	access_denied();
+}
+
 layout_page_header( lang_get( 'api_tokens_link' ) );
 layout_page_begin();
 print_account_menu( 'api_tokens_page.php' );

diff --git a/core/access_api.php b/core/access_api.php
@@ -72,17 +72,17 @@
  */
 function access_denied() {
 	if( !auth_is_user_authenticated() ) {
-		if( basename( $_SERVER['SCRIPT_NAME'] ) != 'login_page.php' ) {
+		if( basename( $_SERVER['SCRIPT_NAME'] ) != auth_login_page() ) {
 			$t_return_page = $_SERVER['SCRIPT_NAME'];
 			if( isset( $_SERVER['QUERY_STRING'] ) ) {
 				$t_return_page .= '?' . $_SERVER['QUERY_STRING'];
 			}
 			$t_return_page = string_url( string_sanitize_url( $t_return_page ) );
-			print_header_redirect( 'login_page.php?return=' . $t_return_page );
+			print_header_redirect( auth_login_page( 'return=' . $t_return_page ) );
 		}
 	} else {
 		if( current_user_is_anonymous() ) {
-			if( basename( $_SERVER['SCRIPT_NAME'] ) != 'login_page.php' ) {
+			if( basename( $_SERVER['SCRIPT_NAME'] ) != auth_login_page() ) {
 				$t_return_page = $_SERVER['SCRIPT_NAME'];
 				if( isset( $_SERVER['QUERY_STRING'] ) ) {
 					$t_return_page .= '?' . $_SERVER['QUERY_STRING'];

diff --git a/core/antispam_api.php b/core/antispam_api.php
@@ -36,7 +36,7 @@
  * error and exit the script.
  */
 function antispam_check() {
-	if( OFF == config_get_global( 'allow_signup' ) ) {
+	if( !auth_signup_enabled() ) {
 		return;
 	}
 

diff --git a/core/api_token_api.php b/core/api_token_api.php
@@ -146,6 +146,13 @@ function api_token_validate( $p_username, $p_token ) {
 		return false;
 	}
 
+	# If users can't create tokens, then they can't use them.  This can change in the future if we enabled
+	# admins to create tokens on behalf of users that are usable.  This is a defense in depth anyways for
+	# cases where users may have had tokens before this config option changes.
+	if( !auth_can_create_api_token( $t_user_id ) ) {
+		return false;
+	}
+
 	$t_encrypted_token = api_token_hash( $p_token );
 
 	db_param_push();