Elgg  Version 2.3
sessions.php
Go to the documentation of this file.
1 <?php
2 
15 global $SESSION;
16 
23 function elgg_get_session() {
24  return _elgg_services()->session;
25 }
26 
32 function elgg_get_logged_in_user_entity() {
33  return _elgg_services()->session->getLoggedInUser();
34 }
35 
42 function elgg_get_logged_in_user_guid() {
43  return _elgg_services()->session->getLoggedInUserGuid();
44 }
45 
51 function elgg_is_logged_in() {
52  return _elgg_services()->session->isLoggedIn();
53 }
54 
60 function elgg_is_admin_logged_in() {
61  return _elgg_services()->session->isAdminLoggedIn();
62 }
63 
74 function elgg_is_admin_user($user_guid) {
75  global $CONFIG;
76 
77  $user_guid = (int)$user_guid;
78 
79  $current_user = elgg_get_logged_in_user_entity();
80  if ($current_user && $current_user->guid == $user_guid) {
81  return $current_user->isAdmin();
82  }
83 
84  // cannot use magic metadata here because of recursion
85 
86  // must support the old way of getting admin from metadata
87  // in order to run the upgrade to move it into the users table.
88  $version = (int) datalist_get('version');
89 
90  if ($version < 2010040201) {
91  $admin = elgg_get_metastring_id('admin');
92  $yes = elgg_get_metastring_id('yes');
93  $one = elgg_get_metastring_id('1');
94 
95  $query = "SELECT 1 FROM {$CONFIG->dbprefix}users_entity as e,
96  {$CONFIG->dbprefix}metadata as md
97  WHERE (
98  md.name_id = '$admin'
99  AND md.value_id IN ('$yes', '$one')
100  AND e.guid = md.entity_guid
101  AND e.guid = {$user_guid}
102  AND e.banned = 'no'
103  )";
104  } else {
105  $query = "SELECT 1 FROM {$CONFIG->dbprefix}users_entity as e
106  WHERE (
107  e.guid = {$user_guid}
108  AND e.admin = 'yes'
109  )";
110  }
111 
112  // normalizing the results from get_data()
113  // See #1242
114  $info = get_data($query);
115  if (!((is_array($info) && count($info) < 1) || $info === false)) {
116  return true;
117  }
118  return false;
119 }
120 
136 function elgg_authenticate($username, $password) {
137  $pam = new \ElggPAM('user');
138  $credentials = array('username' => $username, 'password' => $password);
139  $result = $pam->authenticate($credentials);
140  if (!$result) {
141  return $pam->getFailureMessage();
142  }
143  return true;
144 }
145 
158 function pam_auth_userpass(array $credentials = array()) {
159 
160  if (!isset($credentials['username']) || !isset($credentials['password'])) {
161  return false;
162  }
163 
164  $user = get_user_by_username($credentials['username']);
165  if (!$user) {
166  throw new \LoginException(_elgg_services()->translator->translate('LoginException:UsernameFailure'));
167  }
168 
169  if (check_rate_limit_exceeded($user->guid)) {
170  throw new \LoginException(_elgg_services()->translator->translate('LoginException:AccountLocked'));
171  }
172 
173  $password_svc = _elgg_services()->passwords;
174  $password = $credentials['password'];
175  $hash = $user->password_hash;
176 
177  if (!$hash) {
178  // try legacy hash
179  $legacy_hash = $password_svc->generateLegacyHash($user, $password);
180  if ($user->password !== $legacy_hash) {
181  log_login_failure($user->guid);
182  throw new \LoginException(_elgg_services()->translator->translate('LoginException:PasswordFailure'));
183  }
184 
185  // migrate password
186  $password_svc->forcePasswordReset($user, $password);
187  return true;
188  }
189 
190  if (!$password_svc->verify($password, $hash)) {
191  log_login_failure($user->guid);
192  throw new \LoginException(_elgg_services()->translator->translate('LoginException:PasswordFailure'));
193  }
194 
195  if ($password_svc->needsRehash($hash)) {
196  $password_svc->forcePasswordReset($user, $password);
197  }
198 
199  return true;
200 }
201 
209 function log_login_failure($user_guid) {
210  $user_guid = (int)$user_guid;
211  $user = get_entity($user_guid);
212 
213  if (($user_guid) && ($user) && ($user instanceof \ElggUser)) {
214  $fails = (int)$user->getPrivateSetting("login_failures");
215  $fails++;
216 
217  $user->setPrivateSetting("login_failures", $fails);
218  $user->setPrivateSetting("login_failure_$fails", time());
219  return true;
220  }
221 
222  return false;
223 }
224 
232 function reset_login_failure_count($user_guid) {
233  $user_guid = (int)$user_guid;
234  $user = get_entity($user_guid);
235 
236  if (($user_guid) && ($user) && ($user instanceof \ElggUser)) {
237  $fails = (int)$user->getPrivateSetting("login_failures");
238 
239  if ($fails) {
240  for ($n = 1; $n <= $fails; $n++) {
241  $user->removePrivateSetting("login_failure_$n");
242  }
243 
244  $user->removePrivateSetting("login_failures");
245 
246  return true;
247  }
248 
249  // nothing to reset
250  return true;
251  }
252 
253  return false;
254 }
255 
263 function check_rate_limit_exceeded($user_guid) {
264  // 5 failures in 5 minutes causes temporary block on logins
265  $limit = 5;
266  $user_guid = (int)$user_guid;
267  $user = get_entity($user_guid);
268 
269  if (($user_guid) && ($user) && ($user instanceof \ElggUser)) {
270  $fails = (int)$user->getPrivateSetting("login_failures");
271  if ($fails >= $limit) {
272  $cnt = 0;
273  $time = time();
274  for ($n = $fails; $n > 0; $n--) {
275  $f = $user->getPrivateSetting("login_failure_$n");
276  if ($f > $time - (60 * 5)) {
277  $cnt++;
278  }
279 
280  if ($cnt == $limit) {
281  // Limit reached
282  return true;
283  }
284  }
285  }
286  }
287 
288  return false;
289 }
290 
300 function elgg_set_cookie(\ElggCookie $cookie) {
301  if (elgg_trigger_event('init:cookie', $cookie->name, $cookie)) {
302  return setcookie($cookie->name, $cookie->value, $cookie->expire, $cookie->path,
303  $cookie->domain, $cookie->secure, $cookie->httpOnly);
304  }
305  return false;
306 }
307 
320 function login(\ElggUser $user, $persistent = false) {
321  if ($user->isBanned()) {
322  throw new \LoginException(elgg_echo('LoginException:BannedUser'));
323  }
324 
325  $session = _elgg_services()->session;
326 
327  // give plugins a chance to reject the login of this user (no user in session!)
328  if (!elgg_trigger_before_event('login', 'user', $user)) {
329  throw new \LoginException(elgg_echo('LoginException:Unknown'));
330  }
331 
332  // #5933: set logged in user early so code in login event will be able to
333  // use elgg_get_logged_in_user_entity().
334  $session->setLoggedInUser($user);
335 
336  // deprecate event
337  $message = "The 'login' event was deprecated. Register for 'login:before' or 'login:after'";
338  $version = "1.9";
339  if (!elgg_trigger_deprecated_event('login', 'user', $user, $message, $version)) {
340  $session->removeLoggedInUser();
341  throw new \LoginException(elgg_echo('LoginException:Unknown'));
342  }
343 
344  // if remember me checked, set cookie with token and store hash(token) for user
345  if ($persistent) {
346  _elgg_services()->persistentLogin->makeLoginPersistent($user);
347  }
348 
349  // User's privilege has been elevated, so change the session id (prevents session fixation)
350  $session->migrate();
351 
352  set_last_login($user->guid);
353  reset_login_failure_count($user->guid);
354 
355  elgg_trigger_after_event('login', 'user', $user);
356 
357  return true;
358 }
359 
365 function logout() {
366  $session = _elgg_services()->session;
367  $user = $session->getLoggedInUser();
368  if (!$user) {
369  return false;
370  }
371 
372  if (!elgg_trigger_before_event('logout', 'user', $user)) {
373  return false;
374  }
375 
376  // deprecate event
377  $message = "The 'logout' event was deprecated. Register for 'logout:before' or 'logout:after'";
378  $version = "1.9";
379  if (!elgg_trigger_deprecated_event('logout', 'user', $user, $message, $version)) {
380  return false;
381  }
382 
383  _elgg_services()->persistentLogin->removePersistentLogin();
384 
385  // pass along any messages into new session
386  $old_msg = $session->get('msg');
387  $session->invalidate();
388  $session->set('msg', $old_msg);
389 
390  elgg_trigger_after_event('logout', 'user', $user);
391 
392  return true;
393 }
394 
401 function _elgg_session_boot() {
402  _elgg_services()->timer->begin([__FUNCTION__]);
403 
404  elgg_register_action('login', '', 'public');
405  elgg_register_action('logout');
406  register_pam_handler('pam_auth_userpass');
407 
408  $session = _elgg_services()->session;
409  $session->start();
410 
411  // test whether we have a user session
412  if ($session->has('guid')) {
413  $user = _elgg_services()->entityTable->get($session->get('guid'), 'user');
414  if (!$user) {
415  // OMG user has been deleted.
416  $session->invalidate();
417  forward('');
418  }
419 
420  $session->setLoggedInUser($user);
421 
422  _elgg_services()->persistentLogin->replaceLegacyToken($user);
423  } else {
424  $user = _elgg_services()->persistentLogin->bootSession();
425  if ($user) {
426  $session->setLoggedInUser($user);
427  }
428  }
429 
430  if ($session->has('guid')) {
431  set_last_action($session->get('guid'));
432  }
433 
434  // initialize the deprecated global session wrapper
435  global $SESSION;
436  $SESSION = new \Elgg\DeprecationWrapper($session, "\$SESSION is deprecated", 1.9);
437 
438  // logout a user with open session who has been banned
439  $user = $session->getLoggedInUser();
440  if ($user && $user->isBanned()) {
441  logout();
442  return false;
443  }
444 
445  _elgg_services()->timer->end([__FUNCTION__]);
446  return true;
447 }
$n
$n
Profile fields.
Definition: list.php:9
elgg_is_logged_in
elgg_is_logged_in()
Returns whether or not the user is currently logged in.
Definition: sessions.php:51
$username
$username
Definition: delete.php:22
$version
$version
Definition: ci_installer.php:57
elgg_get_metastring_id
elgg_get_metastring_id($string, $case_sensitive=true)
Gets the metastring identifier for a value.
Definition: metastrings.php:25
$result
$result
Definition: set_maintenance_mode.php:11
elgg_is_admin_logged_in
elgg_is_admin_logged_in()
Returns whether or not the viewer is currently logged in and an admin user.
Definition: sessions.php:60
elgg_echo
elgg_echo($message_key, $args=array(), $language="")
Given a message key, returns an appropriately translated full-text string.
Definition: languages.php:21
register_pam_handler
register_pam_handler($handler, $importance="sufficient", $policy="user")
Register a PAM handler.
Definition: pam.php:42
$admin
$admin
Definition: useradd.php:22
elgg_get_session
elgg_get_session()
Gets Elgg&#39;s session object.
Definition: sessions.php:23
$message
$message
Definition: set_maintenance_mode.php:7
reset_login_failure_count
reset_login_failure_count($user_guid)
Resets the fail login count for $user_guid.
Definition: sessions.php:232
set_last_login
set_last_login($user_guid)
Sets the last logon time of the given user to right now.
Definition: users.php:452
forward
elgg forward
Meant to mimic the php forward() function by simply redirecting the user to another page...
Definition: elgglib.js:425
$info
if($screenshots) $info
Definition: details.php:58
elgg_trigger_before_event
elgg_trigger_before_event($event, $object_type, $object=null)
Trigger a "Before event" indicating a process is about to begin.
Definition: elgglib.php:635
pam_auth_userpass
pam_auth_userpass(array $credentials=array())
Hook into the PAM system which accepts a username and password and attempts to authenticate it agains...
Definition: sessions.php:158
get_user_by_username
get_user_by_username($username)
Get user by username.
Definition: users.php:98
check_rate_limit_exceeded
check_rate_limit_exceeded($user_guid)
Checks if the rate limit of failed logins has been exceeded for $user_guid.
Definition: sessions.php:263
$persistent
$persistent
Definition: login.php:26
$limit
$limit
Definition: userpicker.php:38
elgg_trigger_deprecated_event
elgg_trigger_deprecated_event($event, $object_type, $object=null, $message, $version)
Trigger an event normally, but send a notice about deprecated use if any handlers are registered...
Definition: elgglib.php:671
datalist_get
datalist_get($name)
Get the value of a datalist element.
Definition: configuration.php:150
elgg_is_admin_user
elgg_is_admin_user($user_guid)
Check if the given user has full access.
Definition: sessions.php:74
$CONFIG
global $CONFIG
Definition: settings.example.php:19
set_last_action
set_last_action($user_guid)
Sets the last action time of the given user to right now.
Definition: users.php:438
$user
$user
Definition: ban.php:13
global
elgg global
Pointer to the global context.
Definition: elgglib.js:12
get_data
get_data($query, $callback=null, array $params=[])
Retrieve rows from the database.
Definition: database.php:55
_elgg_services
_elgg_services(\Elgg\Di\ServiceProvider $services=null)
Get the global service provider.
Definition: autoloader.php:17
$password
$password
Definition: login.php:25
elgg_set_cookie
elgg_set_cookie(\ElggCookie $cookie)
Set a cookie, but allow plugins to customize it first.
Definition: sessions.php:300
logout
logout()
Log the current user out.
Definition: sessions.php:365
time
elgg subtext time
Definition: typography.css.php:121
elgg_authenticate
elgg_authenticate($username, $password)
Perform user authentication with a given username and password.
Definition: sessions.php:136
login
login(\ElggUser $user, $persistent=false)
Logs in a specified .
Definition: sessions.php:320
elgg_trigger_after_event
elgg_trigger_after_event($event, $object_type, $object=null)
Trigger an "After event" indicating a process has finished.
Definition: elgglib.php:654
elgg_get_logged_in_user_entity
elgg_get_logged_in_user_entity()
Return the current logged in user, or null if no user is logged in.
Definition: sessions.php:32
ElggUser\isBanned
isBanned()
Is this user banned or not?
Definition: ElggUser.php:275
elgg_register_action
elgg_register_action($action, $filename="", $access= 'logged_in')
Registers an action.
Definition: actions.php:96
$SESSION
global $SESSION
Elgg magic session.
Definition: sessions.php:15
_elgg_session_boot
_elgg_session_boot()
Initializes the session and checks for the remember me cookie.
Definition: sessions.php:401
$user_guid
$user_guid
Avatar remove action.
Definition: remove.php:6
elgg_trigger_event
elgg_trigger_event($event, $object_type, $object=null)
Definition: elgglib.php:614
$session
$session
Definition: login.php:9
log_login_failure
log_login_failure($user_guid)
Log a failed login for $user_guid.
Definition: sessions.php:209
elgg_get_logged_in_user_guid
elgg_get_logged_in_user_guid()
Return the current logged in user by guid.
Definition: sessions.php:42
get_entity
get_entity($guid)
Loads and returns an entity object from a guid.
Definition: entities.php:204
Generated on Sat Dec 21 2024 00:01:04 for Elgg by   doxygen 1.8.11