TYPO3 CMS  TYPO3_7-6
AuthenticationService.php
Go to the documentation of this file.
1 <?php
2 namespace TYPO3\CMS\Sv;
3 
4 /*
5  * This file is part of the TYPO3 CMS project.
6  *
7  * It is free software; you can redistribute it and/or modify it under
8  * the terms of the GNU General Public License, either version 2
9  * of the License, or any later version.
10  *
11  * For the full copyright and license information, please read the
12  * LICENSE.txt file that was distributed with this source code.
13  *
14  * The TYPO3 project - inspiring people to share!
15  */
16 
18 
23 {
32  public function processLoginData(array &$loginData, $passwordTransmissionStrategy)
33  {
34  $isProcessed = false;
35  if ($passwordTransmissionStrategy === 'normal') {
36  $loginData['uident_text'] = $loginData['uident'];
37  $isProcessed = true;
38  }
39  return $isProcessed;
40  }
41 
47  public function getUser()
48  {
49  if ($this->login['status'] !== 'login') {
50  return false;
51  }
52  if ((string)$this->login['uident_text'] === '') {
53  // Failed Login attempt (no password given)
54  $this->writelog(255, 3, 3, 2, 'Login-attempt from %s (%s) for username \'%s\' with an empty password!', [
55  $this->authInfo['REMOTE_ADDR'], $this->authInfo['REMOTE_HOST'], $this->login['uname']
56  ]);
57  GeneralUtility::sysLog(sprintf('Login-attempt from %s (%s), for username \'%s\' with an empty password!', $this->authInfo['REMOTE_ADDR'], $this->authInfo['REMOTE_HOST'], $this->login['uname']), 'Core', GeneralUtility::SYSLOG_SEVERITY_WARNING);
58  return false;
59  }
60 
61  $user = $this->fetchUserRecord($this->login['uname']);
62  if (!is_array($user)) {
63  // Failed login attempt (no username found)
64  $this->writelog(255, 3, 3, 2, 'Login-attempt from %s (%s), username \'%s\' not found!!', [$this->authInfo['REMOTE_ADDR'], $this->authInfo['REMOTE_HOST'], $this->login['uname']]);
65  // Logout written to log
66  GeneralUtility::sysLog(sprintf('Login-attempt from %s (%s), username \'%s\' not found!', $this->authInfo['REMOTE_ADDR'], $this->authInfo['REMOTE_HOST'], $this->login['uname']), 'core', GeneralUtility::SYSLOG_SEVERITY_WARNING);
67  } else {
68  if ($this->writeDevLog) {
69  GeneralUtility::devLog('User found: ' . GeneralUtility::arrayToLogString($user, [$this->db_user['userid_column'], $this->db_user['username_column']]), self::class);
70  }
71  }
72  return $user;
73  }
74 
88  public function authUser(array $user)
89  {
90  $OK = 100;
91  // This authentication service can only work correctly, if a non empty username along with a non empty password is provided.
92  // Otherwise a different service is allowed to check for other login credentials
93  if ((string)$this->login['uident_text'] !== '' && (string)$this->login['uname'] !== '') {
94  // Checking password match for user:
95  $OK = $this->compareUident($user, $this->login);
96  if (!$OK) {
97  // Failed login attempt (wrong password) - write that to the log!
98  if ($this->writeAttemptLog) {
99  $this->writelog(255, 3, 3, 1, 'Login-attempt from %s (%s), username \'%s\', password not accepted!', [$this->authInfo['REMOTE_ADDR'], $this->authInfo['REMOTE_HOST'], $this->login['uname']]);
100  GeneralUtility::sysLog(sprintf('Login-attempt from %s (%s), username \'%s\', password not accepted!', $this->authInfo['REMOTE_ADDR'], $this->authInfo['REMOTE_HOST'], $this->login['uname']), 'core', GeneralUtility::SYSLOG_SEVERITY_WARNING);
101  }
102  if ($this->writeDevLog) {
103  GeneralUtility::devLog('Password not accepted: ' . $this->login['uident'], self::class, 2);
104  }
105  }
106  // Checking the domain (lockToDomain)
107  if ($OK && $user['lockToDomain'] && $user['lockToDomain'] !== $this->authInfo['HTTP_HOST']) {
108  // Lock domain didn't match, so error:
109  if ($this->writeAttemptLog) {
110  $this->writelog(255, 3, 3, 1, 'Login-attempt from %s (%s), username \'%s\', locked domain \'%s\' did not match \'%s\'!', [$this->authInfo['REMOTE_ADDR'], $this->authInfo['REMOTE_HOST'], $user[$this->db_user['username_column']], $user['lockToDomain'], $this->authInfo['HTTP_HOST']]);
111  GeneralUtility::sysLog(sprintf('Login-attempt from %s (%s), username \'%s\', locked domain \'%s\' did not match \'%s\'!', $this->authInfo['REMOTE_ADDR'], $this->authInfo['REMOTE_HOST'], $user[$this->db_user['username_column']], $user['lockToDomain'], $this->authInfo['HTTP_HOST']), 'core', GeneralUtility::SYSLOG_SEVERITY_WARNING);
112  }
113  $OK = 0;
114  }
115  }
116  return $OK;
117  }
118 
126  public function getGroups($user, $knownGroups)
127  {
128  /*
129  * Attention: $knownGroups is not used within this method, but other services can use it.
130  * This parameter should not be removed!
131  * The FrontendUserAuthentication call getGroups and handover the previous detected groups.
132  */
133  $groupDataArr = [];
134  if ($this->mode === 'getGroupsFE') {
135  $groups = [];
136  if (is_array($user) && $user[$this->db_user['usergroup_column']]) {
137  $groupList = $user[$this->db_user['usergroup_column']];
138  $groups = [];
139  $this->getSubGroups($groupList, '', $groups);
140  }
141  // ADD group-numbers if the IPmask matches.
142  if (is_array($GLOBALS['TYPO3_CONF_VARS']['FE']['IPmaskMountGroups'])) {
143  foreach ($GLOBALS['TYPO3_CONF_VARS']['FE']['IPmaskMountGroups'] as $IPel) {
144  if ($this->authInfo['REMOTE_ADDR'] && $IPel[0] && GeneralUtility::cmpIP($this->authInfo['REMOTE_ADDR'], $IPel[0])) {
145  $groups[] = (int)$IPel[1];
146  }
147  }
148  }
149  $groups = array_unique($groups);
150  if (!empty($groups)) {
151  $list = implode(',', $groups);
152  if ($this->writeDevLog) {
153  GeneralUtility::devLog('Get usergroups with id: ' . $list, __CLASS__);
154  }
155  $lockToDomain_SQL =
156  ' AND ('
157  . 'lockToDomain=\'\''
158  . ' OR lockToDomain IS NULL'
159  . ' OR lockToDomain=' . $this->getDatabaseConnection()->fullQuoteStr($this->authInfo['HTTP_HOST'], $this->db_groups['table'])
160  . ')';
161  $hiddenP = !$this->authInfo['showHiddenRecords'] ? 'AND hidden=0 ' : '';
162  $res = $this->getDatabaseConnection()->exec_SELECTquery('*', $this->db_groups['table'], 'deleted=0 ' . $hiddenP . ' AND uid IN (' . $list . ')' . $lockToDomain_SQL);
163  while ($row = $this->getDatabaseConnection()->sql_fetch_assoc($res)) {
164  $groupDataArr[$row['uid']] = $row;
165  }
166  if ($res) {
167  $this->getDatabaseConnection()->sql_free_result($res);
168  }
169  } else {
170  if ($this->writeDevLog) {
171  GeneralUtility::devLog('No usergroups found.', self::class, 2);
172  }
173  }
174  }
175  return $groupDataArr;
176  }
177 
189  public function getSubGroups($grList, $idList = '', &$groups)
190  {
191  // Fetching records of the groups in $grList (which are not blocked by lockedToDomain either):
192  $lockToDomain_SQL =
193  ' AND ('
194  . 'lockToDomain=\'\''
195  . ' OR lockToDomain IS NULL'
196  . ' OR lockToDomain=' . $this->getDatabaseConnection()->fullQuoteStr($this->authInfo['HTTP_HOST'], 'fe_groups')
197  . ')';
198  $hiddenP = !$this->authInfo['showHiddenRecords'] ? 'AND hidden=0 ' : '';
199  $res = $this->getDatabaseConnection()->exec_SELECTquery('uid,subgroup', 'fe_groups', 'deleted=0 ' . $hiddenP . ' AND uid IN (' . $grList . ')' . $lockToDomain_SQL);
200  // Internal group record storage
201  $groupRows = [];
202  // The groups array is filled
203  while ($row = $this->getDatabaseConnection()->sql_fetch_assoc($res)) {
204  if (!in_array($row['uid'], $groups)) {
205  $groups[] = $row['uid'];
206  }
207  $groupRows[$row['uid']] = $row;
208  }
209  // Traversing records in the correct order
210  $include_staticArr = GeneralUtility::intExplode(',', $grList);
211  // traversing list
212  foreach ($include_staticArr as $uid) {
213  // Get row:
214  $row = $groupRows[$uid];
215  // Must be an array and $uid should not be in the idList, because then it is somewhere previously in the grouplist
216  if (is_array($row) && !GeneralUtility::inList($idList, $uid)) {
217  // Include sub groups
218  if (trim($row['subgroup'])) {
219  // Make integer list
220  $theList = implode(',', GeneralUtility::intExplode(',', $row['subgroup']));
221  // Call recursively, pass along list of already processed groups so they are not processed again.
222  $this->getSubGroups($theList, $idList . ',' . $uid, $groups);
223  }
224  }
225  }
226  }
227 
233  protected function getDatabaseConnection()
234  {
235  return $GLOBALS['TYPO3_DB'];
236  }
237 }
static devLog($msg, $extKey, $severity=0, $dataVar=false)
static intExplode($delimiter, $string, $removeEmptyValues=false, $limit=0)
static arrayToLogString(array $arr, $valueList=[], $valueLength=20)
writelog($type, $action, $error, $details_nr, $details, $data, $tablename='', $recuid='', $recpid='')
processLoginData(array &$loginData, $passwordTransmissionStrategy)
getSubGroups($grList, $idList='', &$groups)
$uid
Definition: server.php:38
fetchUserRecord($username, $extraWhere='', $dbUserSetup='')
if(TYPO3_MODE==='BE') $GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['t3lib/class.t3lib_tsfebeuserauth.php']['frontendEditingController']['default']
compareUident(array $user, array $loginData, $passwordCompareStrategy='')