| 1 |
lars |
1 |
<?php
|
|
|
2 |
/* SVN FILE: $Id: security.php 7945 2008-12-19 02:16:01Z gwoo $ */
|
|
|
3 |
/**
|
|
|
4 |
* Short description for file.
|
|
|
5 |
*
|
|
|
6 |
* Long description for file
|
|
|
7 |
*
|
|
|
8 |
* PHP versions 4 and 5
|
|
|
9 |
*
|
|
|
10 |
* CakePHP(tm) : Rapid Development Framework (http://www.cakephp.org)
|
|
|
11 |
* Copyright 2005-2008, Cake Software Foundation, Inc. (http://www.cakefoundation.org)
|
|
|
12 |
*
|
|
|
13 |
* Licensed under The MIT License
|
|
|
14 |
* Redistributions of files must retain the above copyright notice.
|
|
|
15 |
*
|
|
|
16 |
* @filesource
|
|
|
17 |
* @copyright Copyright 2005-2008, Cake Software Foundation, Inc. (http://www.cakefoundation.org)
|
|
|
18 |
* @link http://www.cakefoundation.org/projects/info/cakephp CakePHP(tm) Project
|
|
|
19 |
* @package cake
|
|
|
20 |
* @subpackage cake.cake.libs.controller.components
|
|
|
21 |
* @since CakePHP(tm) v 0.10.8.2156
|
|
|
22 |
* @version $Revision: 7945 $
|
|
|
23 |
* @modifiedby $LastChangedBy: gwoo $
|
|
|
24 |
* @lastmodified $Date: 2008-12-18 18:16:01 -0800 (Thu, 18 Dec 2008) $
|
|
|
25 |
* @license http://www.opensource.org/licenses/mit-license.php The MIT License
|
|
|
26 |
*/
|
|
|
27 |
/**
|
|
|
28 |
* Short description for file.
|
|
|
29 |
*
|
|
|
30 |
* Long description for file
|
|
|
31 |
*
|
|
|
32 |
* @package cake
|
|
|
33 |
* @subpackage cake.cake.libs.controller.components
|
|
|
34 |
*/
|
|
|
35 |
class SecurityComponent extends Object {
|
|
|
36 |
/**
|
|
|
37 |
* The controller method that will be called if this request is black-hole'd
|
|
|
38 |
*
|
|
|
39 |
* @var string
|
|
|
40 |
* @access public
|
|
|
41 |
*/
|
|
|
42 |
var $blackHoleCallback = null;
|
|
|
43 |
/**
|
|
|
44 |
* List of controller actions for which a POST request is required
|
|
|
45 |
*
|
|
|
46 |
* @var array
|
|
|
47 |
* @access public
|
|
|
48 |
* @see SecurityComponent::requirePost()
|
|
|
49 |
*/
|
|
|
50 |
var $requirePost = array();
|
|
|
51 |
/**
|
|
|
52 |
* List of controller actions for which a GET request is required
|
|
|
53 |
*
|
|
|
54 |
* @var array
|
|
|
55 |
* @access public
|
|
|
56 |
* @see SecurityComponent::requireGet()
|
|
|
57 |
*/
|
|
|
58 |
var $requireGet = array();
|
|
|
59 |
/**
|
|
|
60 |
* List of controller actions for which a PUT request is required
|
|
|
61 |
*
|
|
|
62 |
* @var array
|
|
|
63 |
* @access public
|
|
|
64 |
* @see SecurityComponent::requirePut()
|
|
|
65 |
*/
|
|
|
66 |
var $requirePut = array();
|
|
|
67 |
/**
|
|
|
68 |
* List of controller actions for which a DELETE request is required
|
|
|
69 |
*
|
|
|
70 |
* @var array
|
|
|
71 |
* @access public
|
|
|
72 |
* @see SecurityComponent::requireDelete()
|
|
|
73 |
*/
|
|
|
74 |
var $requireDelete = array();
|
|
|
75 |
/**
|
|
|
76 |
* List of actions that require an SSL-secured connection
|
|
|
77 |
*
|
|
|
78 |
* @var array
|
|
|
79 |
* @access public
|
|
|
80 |
* @see SecurityComponent::requireSecure()
|
|
|
81 |
*/
|
|
|
82 |
var $requireSecure = array();
|
|
|
83 |
/**
|
|
|
84 |
* List of actions that require a valid authentication key
|
|
|
85 |
*
|
|
|
86 |
* @var array
|
|
|
87 |
* @access public
|
|
|
88 |
* @see SecurityComponent::requireAuth()
|
|
|
89 |
*/
|
|
|
90 |
var $requireAuth = array();
|
|
|
91 |
/**
|
|
|
92 |
* List of actions that require an HTTP-authenticated login (basic or digest)
|
|
|
93 |
*
|
|
|
94 |
* @var array
|
|
|
95 |
* @access public
|
|
|
96 |
* @see SecurityComponent::requireLogin()
|
|
|
97 |
*/
|
|
|
98 |
var $requireLogin = array();
|
|
|
99 |
/**
|
|
|
100 |
* Login options for SecurityComponent::requireLogin()
|
|
|
101 |
*
|
|
|
102 |
* @var array
|
|
|
103 |
* @access public
|
|
|
104 |
* @see SecurityComponent::requireLogin()
|
|
|
105 |
*/
|
|
|
106 |
var $loginOptions = array('type' => '', 'prompt' => null);
|
|
|
107 |
/**
|
|
|
108 |
* An associative array of usernames/passwords used for HTTP-authenticated logins.
|
|
|
109 |
* If using digest authentication, passwords should be MD5-hashed.
|
|
|
110 |
*
|
|
|
111 |
* @var array
|
|
|
112 |
* @access public
|
|
|
113 |
* @see SecurityComponent::requireLogin()
|
|
|
114 |
*/
|
|
|
115 |
var $loginUsers = array();
|
|
|
116 |
/**
|
|
|
117 |
* Controllers from which actions of the current controller are allowed to receive
|
|
|
118 |
* requests.
|
|
|
119 |
*
|
|
|
120 |
* @var array
|
|
|
121 |
* @access public
|
|
|
122 |
* @see SecurityComponent::requireAuth()
|
|
|
123 |
*/
|
|
|
124 |
var $allowedControllers = array();
|
|
|
125 |
/**
|
|
|
126 |
* Actions from which actions of the current controller are allowed to receive
|
|
|
127 |
* requests.
|
|
|
128 |
*
|
|
|
129 |
* @var array
|
|
|
130 |
* @access public
|
|
|
131 |
* @see SecurityComponent::requireAuth()
|
|
|
132 |
*/
|
|
|
133 |
var $allowedActions = array();
|
|
|
134 |
/**
|
|
|
135 |
* Form fields to disable
|
|
|
136 |
*
|
|
|
137 |
* @var array
|
|
|
138 |
* @access public
|
|
|
139 |
*/
|
|
|
140 |
var $disabledFields = array();
|
|
|
141 |
/**
|
|
|
142 |
* Whether to validate POST data. Set to false to disable for data coming from 3rd party
|
|
|
143 |
* services, etc.
|
|
|
144 |
*
|
|
|
145 |
* @var boolean
|
|
|
146 |
* @access public
|
|
|
147 |
*/
|
|
|
148 |
var $validatePost = true;
|
|
|
149 |
/**
|
|
|
150 |
* Other components used by the Security component
|
|
|
151 |
*
|
|
|
152 |
* @var array
|
|
|
153 |
* @access public
|
|
|
154 |
*/
|
|
|
155 |
var $components = array('RequestHandler', 'Session');
|
|
|
156 |
/**
|
|
|
157 |
* Holds the current action of the controller
|
|
|
158 |
*
|
|
|
159 |
* @var string
|
|
|
160 |
*/
|
|
|
161 |
var $_action = null;
|
|
|
162 |
/**
|
|
|
163 |
* Component startup. All security checking happens here.
|
|
|
164 |
*
|
|
|
165 |
* @param object $controller Instantiating controller
|
|
|
166 |
* @access public
|
|
|
167 |
*/
|
|
|
168 |
function startup(&$controller) {
|
|
|
169 |
$this->_action = strtolower($controller->action);
|
|
|
170 |
$this->_methodsRequired($controller);
|
|
|
171 |
$this->_secureRequired($controller);
|
|
|
172 |
$this->_authRequired($controller);
|
|
|
173 |
$this->_loginRequired($controller);
|
|
|
174 |
|
|
|
175 |
$isPost = ($this->RequestHandler->isPost() || $this->RequestHandler->isPut());
|
|
|
176 |
$isRequestAction = (
|
|
|
177 |
!isset($controller->params['requested']) ||
|
|
|
178 |
$controller->params['requested'] != 1
|
|
|
179 |
);
|
|
|
180 |
|
|
|
181 |
if ($isPost && $isRequestAction && $this->validatePost) {
|
|
|
182 |
if ($this->_validatePost($controller) === false) {
|
|
|
183 |
if (!$this->blackHole($controller, 'auth')) {
|
|
|
184 |
return null;
|
|
|
185 |
}
|
|
|
186 |
}
|
|
|
187 |
}
|
|
|
188 |
$this->_generateToken($controller);
|
|
|
189 |
}
|
|
|
190 |
/**
|
|
|
191 |
* Sets the actions that require a POST request, or empty for all actions
|
|
|
192 |
*
|
|
|
193 |
* @return void
|
|
|
194 |
* @access public
|
|
|
195 |
*/
|
|
|
196 |
function requirePost() {
|
|
|
197 |
$args = func_get_args();
|
|
|
198 |
$this->_requireMethod('Post', $args);
|
|
|
199 |
}
|
|
|
200 |
/**
|
|
|
201 |
* Sets the actions that require a GET request, or empty for all actions
|
|
|
202 |
*
|
|
|
203 |
* @return void
|
|
|
204 |
* @access public
|
|
|
205 |
*/
|
|
|
206 |
function requireGet() {
|
|
|
207 |
$args = func_get_args();
|
|
|
208 |
$this->_requireMethod('Get', $args);
|
|
|
209 |
}
|
|
|
210 |
/**
|
|
|
211 |
* Sets the actions that require a PUT request, or empty for all actions
|
|
|
212 |
*
|
|
|
213 |
* @return void
|
|
|
214 |
* @access public
|
|
|
215 |
*/
|
|
|
216 |
function requirePut() {
|
|
|
217 |
$args = func_get_args();
|
|
|
218 |
$this->_requireMethod('Put', $args);
|
|
|
219 |
}
|
|
|
220 |
/**
|
|
|
221 |
* Sets the actions that require a DELETE request, or empty for all actions
|
|
|
222 |
*
|
|
|
223 |
* @return void
|
|
|
224 |
* @access public
|
|
|
225 |
*/
|
|
|
226 |
function requireDelete() {
|
|
|
227 |
$args = func_get_args();
|
|
|
228 |
$this->_requireMethod('Delete', $args);
|
|
|
229 |
}
|
|
|
230 |
/**
|
|
|
231 |
* Sets the actions that require a request that is SSL-secured, or empty for all actions
|
|
|
232 |
*
|
|
|
233 |
* @return void
|
|
|
234 |
* @access public
|
|
|
235 |
*/
|
|
|
236 |
function requireSecure() {
|
|
|
237 |
$args = func_get_args();
|
|
|
238 |
$this->_requireMethod('Secure', $args);
|
|
|
239 |
}
|
|
|
240 |
/**
|
|
|
241 |
* Sets the actions that require an authenticated request, or empty for all actions
|
|
|
242 |
*
|
|
|
243 |
* @return void
|
|
|
244 |
* @access public
|
|
|
245 |
*/
|
|
|
246 |
function requireAuth() {
|
|
|
247 |
$args = func_get_args();
|
|
|
248 |
$this->_requireMethod('Auth', $args);
|
|
|
249 |
}
|
|
|
250 |
/**
|
|
|
251 |
* Sets the actions that require an HTTP-authenticated request, or empty for all actions
|
|
|
252 |
*
|
|
|
253 |
* @return void
|
|
|
254 |
* @access public
|
|
|
255 |
*/
|
|
|
256 |
function requireLogin() {
|
|
|
257 |
$args = func_get_args();
|
|
|
258 |
$base = $this->loginOptions;
|
|
|
259 |
|
|
|
260 |
foreach ($args as $i => $arg) {
|
|
|
261 |
if (is_array($arg)) {
|
|
|
262 |
$this->loginOptions = $arg;
|
|
|
263 |
unset($args[$i]);
|
|
|
264 |
}
|
|
|
265 |
}
|
|
|
266 |
$this->loginOptions = array_merge($base, $this->loginOptions);
|
|
|
267 |
$this->_requireMethod('Login', $args);
|
|
|
268 |
|
|
|
269 |
if (isset($this->loginOptions['users'])) {
|
|
|
270 |
$this->loginUsers =& $this->loginOptions['users'];
|
|
|
271 |
}
|
|
|
272 |
}
|
|
|
273 |
/**
|
|
|
274 |
* Attempts to validate the login credentials for an HTTP-authenticated request
|
|
|
275 |
*
|
|
|
276 |
* @param string $type Either 'basic', 'digest', or null. If null/empty, will try both.
|
|
|
277 |
* @return mixed If successful, returns an array with login name and password, otherwise null.
|
|
|
278 |
* @access public
|
|
|
279 |
*/
|
|
|
280 |
function loginCredentials($type = null) {
|
|
|
281 |
switch (strtolower($type)) {
|
|
|
282 |
case 'basic':
|
|
|
283 |
$login = array('username' => env('PHP_AUTH_USER'), 'password' => env('PHP_AUTH_PW'));
|
|
|
284 |
if (!empty($login['username'])) {
|
|
|
285 |
return $login;
|
|
|
286 |
}
|
|
|
287 |
break;
|
|
|
288 |
case 'digest':
|
|
|
289 |
default:
|
|
|
290 |
$digest = null;
|
|
|
291 |
|
|
|
292 |
if (version_compare(PHP_VERSION, '5.1') != -1) {
|
|
|
293 |
$digest = env('PHP_AUTH_DIGEST');
|
|
|
294 |
} elseif (function_exists('apache_request_headers')) {
|
|
|
295 |
$headers = apache_request_headers();
|
|
|
296 |
if (isset($headers['Authorization']) && !empty($headers['Authorization']) && substr($headers['Authorization'], 0, 7) == 'Digest ') {
|
|
|
297 |
$digest = substr($headers['Authorization'], 7);
|
|
|
298 |
}
|
|
|
299 |
} else {
|
|
|
300 |
// Server doesn't support digest-auth headers
|
|
|
301 |
trigger_error(__('SecurityComponent::loginCredentials() - Server does not support digest authentication', true), E_USER_WARNING);
|
|
|
302 |
}
|
|
|
303 |
|
|
|
304 |
if (!empty($digest)) {
|
|
|
305 |
return $this->parseDigestAuthData($digest);
|
|
|
306 |
}
|
|
|
307 |
break;
|
|
|
308 |
}
|
|
|
309 |
return null;
|
|
|
310 |
}
|
|
|
311 |
/**
|
|
|
312 |
* Generates the text of an HTTP-authentication request header from an array of options.
|
|
|
313 |
*
|
|
|
314 |
* @param array $options Set of options for header
|
|
|
315 |
* @return string HTTP-authentication request header
|
|
|
316 |
* @access public
|
|
|
317 |
*/
|
|
|
318 |
function loginRequest($options = array()) {
|
|
|
319 |
$options = array_merge($this->loginOptions, $options);
|
|
|
320 |
$this->_setLoginDefaults($options);
|
|
|
321 |
$auth = 'WWW-Authenticate: ' . ucfirst($options['type']);
|
|
|
322 |
$out = array('realm="' . $options['realm'] . '"');
|
|
|
323 |
|
|
|
324 |
if (strtolower($options['type']) == 'digest') {
|
|
|
325 |
$out[] = 'qop="auth"';
|
|
|
326 |
$out[] = 'nonce="' . uniqid() . '"';
|
|
|
327 |
$out[] = 'opaque="' . md5($options['realm']).'"';
|
|
|
328 |
}
|
|
|
329 |
|
|
|
330 |
return $auth . ' ' . join(',', $out);
|
|
|
331 |
}
|
|
|
332 |
/**
|
|
|
333 |
* Parses an HTTP digest authentication response, and returns an array of the data, or null on failure.
|
|
|
334 |
*
|
|
|
335 |
* @param string $digest Digest authentication response
|
|
|
336 |
* @return array Digest authentication parameters
|
|
|
337 |
* @access public
|
|
|
338 |
*/
|
|
|
339 |
function parseDigestAuthData($digest) {
|
|
|
340 |
if (substr($digest, 0, 7) == 'Digest ') {
|
|
|
341 |
$digest = substr($digest, 7);
|
|
|
342 |
}
|
|
|
343 |
$keys = array();
|
|
|
344 |
$match = array();
|
|
|
345 |
$req = array('nonce' => 1, 'nc' => 1, 'cnonce' => 1, 'qop' => 1, 'username' => 1, 'uri' => 1, 'response' => 1);
|
|
|
346 |
preg_match_all('@(\w+)=([\'"]?)([a-zA-Z0-9=./\_-]+)\2@', $digest, $match, PREG_SET_ORDER);
|
|
|
347 |
|
|
|
348 |
foreach ($match as $i) {
|
|
|
349 |
$keys[$i[1]] = $i[3];
|
|
|
350 |
unset($req[$i[1]]);
|
|
|
351 |
}
|
|
|
352 |
|
|
|
353 |
if (empty($req)) {
|
|
|
354 |
return $keys;
|
|
|
355 |
}
|
|
|
356 |
return null;
|
|
|
357 |
}
|
|
|
358 |
/**
|
|
|
359 |
* Generates a hash to be compared with an HTTP digest-authenticated response
|
|
|
360 |
*
|
|
|
361 |
* @param array $data HTTP digest response data, as parsed by SecurityComponent::parseDigestAuthData()
|
|
|
362 |
* @return string Digest authentication hash
|
|
|
363 |
* @access public
|
|
|
364 |
* @see SecurityComponent::parseDigestAuthData()
|
|
|
365 |
*/
|
|
|
366 |
function generateDigestResponseHash($data) {
|
|
|
367 |
return md5(
|
|
|
368 |
md5($data['username'] . ':' . $this->loginOptions['realm'] . ':' . $this->loginUsers[$data['username']]) .
|
|
|
369 |
':' . $data['nonce'] . ':' . $data['nc'] . ':' . $data['cnonce'] . ':' . $data['qop'] . ':' .
|
|
|
370 |
md5(env('REQUEST_METHOD') . ':' . $data['uri'])
|
|
|
371 |
);
|
|
|
372 |
}
|
|
|
373 |
/**
|
|
|
374 |
* Black-hole an invalid request with a 404 error or custom callback. If SecurityComponent::$blackHoleCallback
|
|
|
375 |
* is specified, it will use this callback by executing the method indicated in $error
|
|
|
376 |
*
|
|
|
377 |
* @param object $controller Instantiating controller
|
|
|
378 |
* @param string $error Error method
|
|
|
379 |
* @return mixed If specified, controller blackHoleCallback's response, or no return otherwise
|
|
|
380 |
* @access public
|
|
|
381 |
* @see SecurityComponent::$blackHoleCallback
|
|
|
382 |
*/
|
|
|
383 |
function blackHole(&$controller, $error = '') {
|
|
|
384 |
$this->Session->del('_Token');
|
|
|
385 |
|
|
|
386 |
if ($this->blackHoleCallback == null) {
|
|
|
387 |
$code = 404;
|
|
|
388 |
if ($error == 'login') {
|
|
|
389 |
$code = 401;
|
|
|
390 |
$controller->header($this->loginRequest());
|
|
|
391 |
}
|
|
|
392 |
$controller->redirect(null, $code, true);
|
|
|
393 |
} else {
|
|
|
394 |
return $this->_callback($controller, $this->blackHoleCallback, array($error));
|
|
|
395 |
}
|
|
|
396 |
}
|
|
|
397 |
/**
|
|
|
398 |
* Sets the actions that require a $method HTTP request, or empty for all actions
|
|
|
399 |
*
|
|
|
400 |
* @param string $method The HTTP method to assign controller actions to
|
|
|
401 |
* @param array $actions Controller actions to set the required HTTP method to.
|
|
|
402 |
* @return void
|
|
|
403 |
* @access protected
|
|
|
404 |
*/
|
|
|
405 |
function _requireMethod($method, $actions = array()) {
|
|
|
406 |
$this->{'require' . $method} = (empty($actions)) ? array('*'): $actions;
|
|
|
407 |
}
|
|
|
408 |
/**
|
|
|
409 |
* Check if HTTP methods are required
|
|
|
410 |
*
|
|
|
411 |
* @param object $controller Instantiating controller
|
|
|
412 |
* @return bool true if $method is required
|
|
|
413 |
* @access protected
|
|
|
414 |
*/
|
|
|
415 |
function _methodsRequired(&$controller) {
|
|
|
416 |
foreach (array('Post', 'Get', 'Put', 'Delete') as $method) {
|
|
|
417 |
$property = 'require' . $method;
|
|
|
418 |
if (is_array($this->$property) && !empty($this->$property)) {
|
|
|
419 |
$require = array_map('strtolower', $this->$property);
|
|
|
420 |
|
|
|
421 |
if (in_array($this->_action, $require) || $this->$property == array('*')) {
|
|
|
422 |
if (!$this->RequestHandler->{'is' . $method}()) {
|
|
|
423 |
if (!$this->blackHole($controller, strtolower($method))) {
|
|
|
424 |
return null;
|
|
|
425 |
}
|
|
|
426 |
}
|
|
|
427 |
}
|
|
|
428 |
}
|
|
|
429 |
}
|
|
|
430 |
return true;
|
|
|
431 |
}
|
|
|
432 |
/**
|
|
|
433 |
* Check if access requires secure connection
|
|
|
434 |
*
|
|
|
435 |
* @param object $controller Instantiating controller
|
|
|
436 |
* @return bool true if secure connection required
|
|
|
437 |
* @access protected
|
|
|
438 |
*/
|
|
|
439 |
function _secureRequired(&$controller) {
|
|
|
440 |
if (is_array($this->requireSecure) && !empty($this->requireSecure)) {
|
|
|
441 |
$requireSecure = array_map('strtolower', $this->requireSecure);
|
|
|
442 |
|
|
|
443 |
if (in_array($this->_action, $requireSecure) || $this->requireSecure == array('*')) {
|
|
|
444 |
if (!$this->RequestHandler->isSSL()) {
|
|
|
445 |
if (!$this->blackHole($controller, 'secure')) {
|
|
|
446 |
return null;
|
|
|
447 |
}
|
|
|
448 |
}
|
|
|
449 |
}
|
|
|
450 |
}
|
|
|
451 |
return true;
|
|
|
452 |
}
|
|
|
453 |
/**
|
|
|
454 |
* Check if authentication is required
|
|
|
455 |
*
|
|
|
456 |
* @param object $controller Instantiating controller
|
|
|
457 |
* @return bool true if authentication required
|
|
|
458 |
* @access protected
|
|
|
459 |
*/
|
|
|
460 |
function _authRequired(&$controller) {
|
|
|
461 |
if (is_array($this->requireAuth) && !empty($this->requireAuth) && !empty($controller->data)) {
|
|
|
462 |
$requireAuth = array_map('strtolower', $this->requireAuth);
|
|
|
463 |
|
|
|
464 |
if (in_array($this->_action, $requireAuth) || $this->requireAuth == array('*')) {
|
|
|
465 |
if (!isset($controller->data['_Token'] )) {
|
|
|
466 |
if (!$this->blackHole($controller, 'auth')) {
|
|
|
467 |
return null;
|
|
|
468 |
}
|
|
|
469 |
}
|
|
|
470 |
|
|
|
471 |
if ($this->Session->check('_Token')) {
|
|
|
472 |
$tData = unserialize($this->Session->read('_Token'));
|
|
|
473 |
|
|
|
474 |
if (!empty($tData['allowedControllers']) && !in_array($controller->params['controller'], $tData['allowedControllers']) || !empty($tData['allowedActions']) && !in_array($controller->params['action'], $tData['allowedActions'])) {
|
|
|
475 |
if (!$this->blackHole($controller, 'auth')) {
|
|
|
476 |
return null;
|
|
|
477 |
}
|
|
|
478 |
}
|
|
|
479 |
} else {
|
|
|
480 |
if (!$this->blackHole($controller, 'auth')) {
|
|
|
481 |
return null;
|
|
|
482 |
}
|
|
|
483 |
}
|
|
|
484 |
}
|
|
|
485 |
}
|
|
|
486 |
return true;
|
|
|
487 |
}
|
|
|
488 |
/**
|
|
|
489 |
* Check if login is required
|
|
|
490 |
*
|
|
|
491 |
* @param object $controller Instantiating controller
|
|
|
492 |
* @return bool true if login is required
|
|
|
493 |
* @access protected
|
|
|
494 |
*/
|
|
|
495 |
function _loginRequired(&$controller) {
|
|
|
496 |
if (is_array($this->requireLogin) && !empty($this->requireLogin)) {
|
|
|
497 |
$requireLogin = array_map('strtolower', $this->requireLogin);
|
|
|
498 |
|
|
|
499 |
if (in_array($this->_action, $requireLogin) || $this->requireLogin == array('*')) {
|
|
|
500 |
$login = $this->loginCredentials($this->loginOptions['type']);
|
|
|
501 |
|
|
|
502 |
if ($login == null) {
|
|
|
503 |
$controller->header($this->loginRequest());
|
|
|
504 |
|
|
|
505 |
if (!empty($this->loginOptions['prompt'])) {
|
|
|
506 |
$this->_callback($controller, $this->loginOptions['prompt']);
|
|
|
507 |
} else {
|
|
|
508 |
$this->blackHole($controller, 'login');
|
|
|
509 |
}
|
|
|
510 |
} else {
|
|
|
511 |
if (isset($this->loginOptions['login'])) {
|
|
|
512 |
$this->_callback($controller, $this->loginOptions['login'], array($login));
|
|
|
513 |
} else {
|
|
|
514 |
if (strtolower($this->loginOptions['type']) == 'digest') {
|
|
|
515 |
if ($login && isset($this->loginUsers[$login['username']])) {
|
|
|
516 |
if ($login['response'] == $this->generateDigestResponseHash($login)) {
|
|
|
517 |
return true;
|
|
|
518 |
}
|
|
|
519 |
}
|
|
|
520 |
$this->blackHole($controller, 'login');
|
|
|
521 |
} else {
|
|
|
522 |
if (
|
|
|
523 |
!(in_array($login['username'], array_keys($this->loginUsers)) &&
|
|
|
524 |
$this->loginUsers[$login['username']] == $login['password'])
|
|
|
525 |
) {
|
|
|
526 |
$this->blackHole($controller, 'login');
|
|
|
527 |
}
|
|
|
528 |
}
|
|
|
529 |
}
|
|
|
530 |
}
|
|
|
531 |
}
|
|
|
532 |
}
|
|
|
533 |
return true;
|
|
|
534 |
}
|
|
|
535 |
/**
|
|
|
536 |
* Validate submitted form
|
|
|
537 |
*
|
|
|
538 |
* @param object $controller Instantiating controller
|
|
|
539 |
* @return bool true if submitted form is valid
|
|
|
540 |
* @access protected
|
|
|
541 |
*/
|
|
|
542 |
function _validatePost(&$controller) {
|
|
|
543 |
if (empty($controller->data)) {
|
|
|
544 |
return true;
|
|
|
545 |
}
|
|
|
546 |
$data = $controller->data;
|
|
|
547 |
|
|
|
548 |
if (!isset($data['_Token']) || !isset($data['_Token']['fields'])) {
|
|
|
549 |
return false;
|
|
|
550 |
}
|
|
|
551 |
$token = $data['_Token']['key'];
|
|
|
552 |
|
|
|
553 |
if ($this->Session->check('_Token')) {
|
|
|
554 |
$tokenData = unserialize($this->Session->read('_Token'));
|
|
|
555 |
|
|
|
556 |
if ($tokenData['expires'] < time() || $tokenData['key'] !== $token) {
|
|
|
557 |
return false;
|
|
|
558 |
}
|
|
|
559 |
}
|
|
|
560 |
|
|
|
561 |
$locked = null;
|
|
|
562 |
$check = $controller->data;
|
|
|
563 |
$token = urldecode($check['_Token']['fields']);
|
|
|
564 |
|
|
|
565 |
if (strpos($token, ':')) {
|
|
|
566 |
list($token, $locked) = explode(':', $token, 2);
|
|
|
567 |
}
|
|
|
568 |
unset($check['_Token']);
|
|
|
569 |
|
|
|
570 |
$lockedFields = array();
|
|
|
571 |
$fields = Set::flatten($check);
|
|
|
572 |
$fieldList = array_keys($fields);
|
|
|
573 |
$locked = unserialize(str_rot13($locked));
|
|
|
574 |
$multi = array();
|
|
|
575 |
|
|
|
576 |
foreach ($fieldList as $i => $key) {
|
|
|
577 |
if (preg_match('/\.\d+$/', $key)) {
|
|
|
578 |
$multi[$i] = preg_replace('/\.\d+$/', '', $key);
|
|
|
579 |
unset($fieldList[$i]);
|
|
|
580 |
}
|
|
|
581 |
}
|
|
|
582 |
if (!empty($multi)) {
|
|
|
583 |
$fieldList += array_unique($multi);
|
|
|
584 |
}
|
|
|
585 |
|
|
|
586 |
foreach ($fieldList as $i => $key) {
|
|
|
587 |
$isDisabled = false;
|
|
|
588 |
$isLocked = (is_array($locked) && in_array($key, $locked));
|
|
|
589 |
|
|
|
590 |
if (!empty($this->disabledFields)) {
|
|
|
591 |
foreach ((array)$this->disabledFields as $disabled) {
|
|
|
592 |
$disabled = explode('.', $disabled);
|
|
|
593 |
$field = array_values(array_intersect(explode('.', $key), $disabled));
|
|
|
594 |
$isDisabled = ($field === $disabled);
|
|
|
595 |
if ($isDisabled) {
|
|
|
596 |
break;
|
|
|
597 |
}
|
|
|
598 |
}
|
|
|
599 |
}
|
|
|
600 |
|
|
|
601 |
if ($isDisabled || $isLocked) {
|
|
|
602 |
unset($fieldList[$i]);
|
|
|
603 |
if ($isLocked) {
|
|
|
604 |
$lockedFields[$key] = $fields[$key];
|
|
|
605 |
}
|
|
|
606 |
}
|
|
|
607 |
}
|
|
|
608 |
sort($fieldList, SORT_STRING);
|
|
|
609 |
ksort($lockedFields, SORT_STRING);
|
|
|
610 |
|
|
|
611 |
$fieldList += $lockedFields;
|
|
|
612 |
$check = Security::hash(serialize($fieldList) . Configure::read('Security.salt'));
|
|
|
613 |
return ($token === $check);
|
|
|
614 |
}
|
|
|
615 |
/**
|
|
|
616 |
* Add authentication key for new form posts
|
|
|
617 |
*
|
|
|
618 |
* @param object $controller Instantiating controller
|
|
|
619 |
* @return bool Success
|
|
|
620 |
* @access protected
|
|
|
621 |
*/
|
|
|
622 |
function _generateToken(&$controller) {
|
|
|
623 |
if (isset($controller->params['requested']) && $controller->params['requested'] === 1) {
|
|
|
624 |
return false;
|
|
|
625 |
}
|
|
|
626 |
$authKey = Security::generateAuthKey();
|
|
|
627 |
$expires = strtotime('+' . Security::inactiveMins() . ' minutes');
|
|
|
628 |
$token = array(
|
|
|
629 |
'key' => $authKey,
|
|
|
630 |
'expires' => $expires,
|
|
|
631 |
'allowedControllers' => $this->allowedControllers,
|
|
|
632 |
'allowedActions' => $this->allowedActions,
|
|
|
633 |
'disabledFields' => $this->disabledFields
|
|
|
634 |
);
|
|
|
635 |
|
|
|
636 |
if (!isset($controller->data)) {
|
|
|
637 |
$controller->data = array();
|
|
|
638 |
}
|
|
|
639 |
|
|
|
640 |
if ($this->Session->check('_Token')) {
|
|
|
641 |
$tokenData = unserialize($this->Session->read('_Token'));
|
|
|
642 |
$valid = (
|
|
|
643 |
isset($tokenData['expires']) &&
|
|
|
644 |
$tokenData['expires'] > time() &&
|
|
|
645 |
isset($tokenData['key'])
|
|
|
646 |
);
|
|
|
647 |
|
|
|
648 |
if ($valid) {
|
|
|
649 |
$token['key'] = $tokenData['key'];
|
|
|
650 |
}
|
|
|
651 |
}
|
|
|
652 |
$controller->params['_Token'] = $token;
|
|
|
653 |
$this->Session->write('_Token', serialize($token));
|
|
|
654 |
|
|
|
655 |
return true;
|
|
|
656 |
}
|
|
|
657 |
/**
|
|
|
658 |
* Sets the default login options for an HTTP-authenticated request
|
|
|
659 |
*
|
|
|
660 |
* @param array $options Default login options
|
|
|
661 |
* @return void
|
|
|
662 |
* @access protected
|
|
|
663 |
*/
|
|
|
664 |
function _setLoginDefaults(&$options) {
|
|
|
665 |
$options = array_merge(array(
|
|
|
666 |
'type' => 'basic',
|
|
|
667 |
'realm' => env('SERVER_NAME'),
|
|
|
668 |
'qop' => 'auth',
|
|
|
669 |
'nonce' => String::uuid()
|
|
|
670 |
), array_filter($options));
|
|
|
671 |
$options = array_merge(array('opaque' => md5($options['realm'])), $options);
|
|
|
672 |
}
|
|
|
673 |
/**
|
|
|
674 |
* Calls a controller callback method
|
|
|
675 |
*
|
|
|
676 |
* @param object $controller Controller to run callback on
|
|
|
677 |
* @param string $method Method to execute
|
|
|
678 |
* @param array $params Parameters to send to method
|
|
|
679 |
* @return mixed Controller callback method's response
|
|
|
680 |
* @access protected
|
|
|
681 |
*/
|
|
|
682 |
function _callback(&$controller, $method, $params = array()) {
|
|
|
683 |
if (is_callable(array($controller, $method))) {
|
|
|
684 |
return call_user_func_array(array(&$controller, $method), empty($params) ? null : $params);
|
|
|
685 |
} else {
|
|
|
686 |
// Debug::warning('Callback method ' . $method . ' in controller ' . get_class($controller)
|
|
|
687 |
return null;
|
|
|
688 |
}
|
|
|
689 |
}
|
|
|
690 |
}
|
|
|
691 |
|
|
|
692 |
?>
|