<?php

/**
 * Validation: authentication, session and role-check helpers.
 *
 * security.Role is pulled in up front; it presumably provides the ROLE_ID_*
 * constants referenced by the role predicates below (verify against that file).
 */
import('security.Role');
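/**
 * Authentication, session lifecycle and role authorization helpers.
 *
 * All methods are invoked statically (Validation::foo()), matching the rest
 * of the code base; nothing here keeps per-instance state.
 */
class Validation {

    /**
     * Authenticate a user and, on success, attach them to the current session.
     *
     * Two modes, selected by the security.implicit_auth config setting:
     *  - implicit: the ImplicitAuthPlugin::implicitAuth hook is expected to
     *    populate $user; the supplied username/password are not consulted.
     *  - explicit: the user is looked up by username and the password is
     *    checked through the user's auth-source plugin when one is assigned,
     *    otherwise against the locally stored credential hash.
     *
     * @param $username string
     * @param $password string unencrypted password
     * @param $reason string reference; receives the disabled reason ('' if none recorded) when the account is disabled
     * @param $remember boolean keep the session alive beyond the browser session
     * @return mixed the User object on success, false otherwise (disabled accounts fail too)
     */
    function &login($username, $password, &$reason, $remember = false) {
        $reason = null;
        $valid = false;
        $user = null;
        $auth = null;
        $userDao =& DAORegistry::getDAO('UserDAO');

        if (Config::getVar('security', 'implicit_auth')) {
            if (Validation::isLoggedIn()) {
                // Already authenticated; there is nothing to re-establish.
                return $valid;
            }
            PluginRegistry::loadCategory('implicitAuth');
            // The hook is the only thing establishing identity in this mode;
            // it is expected to set $user to a User object.
            HookRegistry::call('ImplicitAuthPlugin::implicitAuth', array(&$user));
            // Previously $valid was set unconditionally, so a hook that left
            // $user empty led to a method call on null further down.
            $valid = is_object($user);
        } else {
            $user =& $userDao->getUserByUsername($username, true);
            if (!isset($user)) {
                // Unknown username: same failure value as a wrong password.
                return $valid;
            }

            $auth =& Validation::_getAuthSourcePlugin($user);
            $valid = Validation::_verifyPassword($user, $auth, $username, $password);

            if ($valid && isset($auth)) {
                // Refresh the locally cached profile from the auth source, but
                // never adopt an email address that already belongs to another account.
                $oldEmail = $user->getEmail();
                $auth->doGetUserInfo($user);
                if ($user->getEmail() != $oldEmail && $userDao->userExistsByEmail($user->getEmail())) {
                    $user->setEmail($oldEmail);
                }
            }
        }

        if (!$valid) {
            return $valid;
        }

        if ($user->getDisabled()) {
            // Credentials were right, but the account is blocked; tell the caller why.
            $reason = $user->getDisabledReason();
            if ($reason === null) $reason = '';
            $valid = false;
            return $valid;
        }

        $sessionManager =& SessionManager::getManager();
        // Fresh session id now that the session gains a user (session-fixation hardening).
        $sessionManager->regenerateSessionId();

        $session =& $sessionManager->getUserSession();
        $session->setSessionVar('userId', $user->getUserId());
        $session->setUserId($user->getUserId());
        $session->setSessionVar('username', $user->getUsername());
        $session->setRemember($remember);

        $sessionLifetime = Config::getVar('general', 'session_lifetime');
        if ($remember && $sessionLifetime > 0) {
            // session_lifetime is expressed in days.
            $sessionManager->updateSessionLifetime(time() + $sessionLifetime * 86400);
        }

        $user->setDateLastLogin(Core::getCurrentDate());
        $userDao->updateUser($user);

        return $user;
    }

    /**
     * Internal: fetch the authentication-source plugin assigned to a user, if any.
     *
     * @param $user User
     * @return mixed the auth plugin object, or null when the user authenticates locally
     */
    function &_getAuthSourcePlugin(&$user) {
        $auth = null;
        if ($user->getAuthId()) {
            $authDao =& DAORegistry::getDAO('AuthSourceDAO');
            $auth =& $authDao->getPlugin($user->getAuthId());
        }
        return $auth;
    }

    /**
     * Internal: check a password via the auth-source plugin when present, else against the stored local hash.
     *
     * @param $user User
     * @param $auth mixed auth plugin object or null
     * @param $username string
     * @param $password string unencrypted password
     * @return mixed whatever the plugin's authenticate() returns, or a boolean for local accounts
     */
    function _verifyPassword(&$user, &$auth, $username, $password) {
        if (isset($auth)) {
            return $auth->authenticate($username, $password);
        }
        return ($user->getPassword() === Validation::encryptCredentials($username, $password));
    }

    /**
     * End the current user's session.
     *
     * Clears the signed-in user id and the 'signedInAs' session variable
     * (presumably the "sign in as another user" marker), drops a "remember me"
     * lifetime if one was set, and persists the cleared session.
     * NOTE(review): the session id itself is kept; regenerating it here would
     * be a defensive improvement — confirm nothing relies on the id surviving logout.
     *
     * @return boolean always true
     */
    function logout() {
        $sessionManager =& SessionManager::getManager();
        $session =& $sessionManager->getUserSession();
        $session->unsetSessionVar('userId');
        $session->unsetSessionVar('signedInAs');
        $session->setUserId(null);

        if ($session->getRemember()) {
            $session->setRemember(0);
            $sessionManager->updateSessionLifetime(0);
        }

        $sessionDao =& DAORegistry::getDAO('SessionDAO');
        $sessionDao->updateSession($session);

        return true;
    }

    /**
     * Redirect to the login page, passing the current request URI as the
     * 'source' parameter so the login handler can send the user back here.
     *
     * @param $message string optional message key to show on the login page
     */
    function redirectLogin($message = null) {
        $args = array();

        if (isset($_SERVER['REQUEST_URI'])) {
            // NOTE(review): REQUEST_URI is client-controlled; whatever consumes
            // 'source' must only follow it as a local path on this site.
            $args['source'] = $_SERVER['REQUEST_URI'];
        }
        if ($message !== null) {
            $args['loginMessage'] = $message;
        }

        Request::redirect(null, 'login', null, null, $args);
    }

    /**
     * Check a username/password pair without starting a session.
     *
     * Uses the same auth-source / local-hash decision as login(), but looks the
     * user up without remote auth and never updates the user record.
     *
     * @param $username string
     * @param $password string unencrypted password
     * @return mixed false for an unknown user; otherwise the verification result
     */
    function checkCredentials($username, $password) {
        $userDao =& DAORegistry::getDAO('UserDAO');
        $user =& $userDao->getUserByUsername($username, false);

        if (!isset($user)) {
            return false;
        }

        $auth =& Validation::_getAuthSourcePlugin($user);
        return Validation::_verifyPassword($user, $auth, $username, $password);
    }

    /**
     * Check whether the logged-in user holds a role.
     *
     * @param $roleId int
     * @param $journalId int journal scope; -1 means the journal of the current
     *  request (0 when there is none); the default 0 is how site-wide roles
     *  such as the site admin are looked up
     * @return boolean false when nobody is logged in
     */
    function isAuthorized($roleId, $journalId = 0) {
        if (!Validation::isLoggedIn()) {
            return false;
        }

        if ($journalId === -1) {
            $journal =& Request::getJournal();
            $journalId = $journal ? $journal->getJournalId() : 0;
        }

        $sessionManager =& SessionManager::getManager();
        $session =& $sessionManager->getUserSession();
        $user =& $session->getUser();

        $roleDao =& DAORegistry::getDAO('RoleDAO');
        return $roleDao->roleExists($journalId, $user->getUserId(), $roleId);
    }

    /**
     * Hash a username/password pair the way credentials are stored.
     *
     * The hash is the configured digest of username . password with no
     * per-user salt or work factor; every stored credential depends on this
     * exact construction, so it must not change without a rehash-on-login
     * migration path.
     *
     * @param $username string
     * @param $password string unencrypted password
     * @param $encryption mixed 'sha1' or 'md5'; any falsy value selects the security.encryption config setting
     * @return string hex digest
     */
    function encryptCredentials($username, $password, $encryption = false) {
        $valueToEncrypt = $username . $password;

        if (!$encryption) {
            $encryption = Config::getVar('security', 'encryption');
        }

        // Unknown algorithms, and 'sha1' on a build without sha1(), fall back to md5.
        if ($encryption == 'sha1' && function_exists('sha1')) {
            return sha1($valueToEncrypt);
        }
        return md5($valueToEncrypt);
    }

    /**
     * Generate a random password from characters that are hard to confuse
     * (0, O, o, 1, l and I are excluded). About one character in four is a digit.
     *
     * @param $length int
     * @return string
     */
    function generatePassword($length = 8) {
        $letters = 'abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ';
        $numbers = '23456789';

        $password = '';
        for ($i = 0; $i < $length; $i++) {
            $pool = Validation::_randomInt(1, 4) == 4 ? $numbers : $letters;
            $password .= $pool[Validation::_randomInt(0, strlen($pool) - 1)];
        }
        return $password;
    }

    /**
     * Internal: random integer in [$min, $max] from the CSPRNG when the runtime
     * provides one. Passwords are credentials, so mt_rand()'s predictable
     * output is only the last resort.
     *
     * @param $min int
     * @param $max int
     * @return int
     */
    function _randomInt($min, $max) {
        if (function_exists('random_int')) {
            return random_int($min, $max);
        }
        return mt_rand($min, $max);
    }

    /**
     * Compute the token embedded in a user's password-reset link.
     *
     * Derived from the user's id, username and stored credential hash, so it
     * changes once the password changes.
     * NOTE(review): 6 hex characters is only 24 bits of token; a longer token
     * would be stronger, but existing links and their validator depend on this length.
     *
     * @param $userId int
     * @return mixed 6-character hex string, or false when the user does not exist
     */
    function generatePasswordResetHash($userId) {
        $userDao =& DAORegistry::getDAO('UserDAO');
        $user = $userDao->getUser($userId);
        if ($user == null) {
            return false;
        }
        return substr(md5($user->getUserId() . $user->getUsername() . $user->getPassword()), 0, 6);
    }

    /**
     * Suggest an unused username built from the first initial and last name.
     *
     * The candidate is lower-cased and stripped to [a-zA-Z0-9_-] (so a name
     * made only of other characters yields an empty base); if it is taken,
     * a numeric suffix 1, 2, 3, ... is appended until a free one is found.
     *
     * @param $firstName string
     * @param $lastName string
     * @return string
     */
    function suggestUsername($firstName, $lastName) {
        $initial = String::substr($firstName, 0, 1);

        $suggestion = String::regexp_replace('/[^a-zA-Z0-9_-]/', '', String::strtolower($initial . $lastName));
        $userDao =& DAORegistry::getDAO('UserDAO');
        $suffix = '';
        while ($userDao->userExistsByUsername($suggestion . $suffix)) {
            // '' -> '1' -> '2' ...: explicit arithmetic instead of string
            // increment, which newer PHP deprecates for the empty string.
            $suffix = (string) ((int) $suffix + 1);
        }
        return $suggestion . $suffix;
    }

    /**
     * Whether the current session carries a user id.
     *
     * @return boolean
     */
    function isLoggedIn() {
        $sessionManager =& SessionManager::getManager();
        $session =& $sessionManager->getUserSession();

        $userId = $session->getUserId();
        return !empty($userId);
    }

    /**
     * Whether the logged-in user is a site administrator (a site-wide role, no journal scope).
     *
     * @return boolean
     */
    function isSiteAdmin() {
        return Validation::isAuthorized(ROLE_ID_SITE_ADMIN);
    }

    /**
     * Whether the logged-in user is a journal manager.
     *
     * @param $journalId int defaults to the current request's journal
     * @return boolean
     */
    function isJournalManager($journalId = -1) {
        return Validation::isAuthorized(ROLE_ID_JOURNAL_MANAGER, $journalId);
    }

    /**
     * Whether the logged-in user is an editor.
     *
     * @param $journalId int defaults to the current request's journal
     * @return boolean
     */
    function isEditor($journalId = -1) {
        return Validation::isAuthorized(ROLE_ID_EDITOR, $journalId);
    }

    /**
     * Whether the logged-in user is a section editor.
     *
     * @param $journalId int defaults to the current request's journal
     * @return boolean
     */
    function isSectionEditor($journalId = -1) {
        return Validation::isAuthorized(ROLE_ID_SECTION_EDITOR, $journalId);
    }

    /**
     * Whether the logged-in user is a layout editor.
     *
     * @param $journalId int defaults to the current request's journal
     * @return boolean
     */
    function isLayoutEditor($journalId = -1) {
        return Validation::isAuthorized(ROLE_ID_LAYOUT_EDITOR, $journalId);
    }

    /**
     * Whether the logged-in user is a reviewer.
     *
     * @param $journalId int defaults to the current request's journal
     * @return boolean
     */
    function isReviewer($journalId = -1) {
        return Validation::isAuthorized(ROLE_ID_REVIEWER, $journalId);
    }

    /**
     * Whether the logged-in user is a copyeditor.
     *
     * @param $journalId int defaults to the current request's journal
     * @return boolean
     */
    function isCopyeditor($journalId = -1) {
        return Validation::isAuthorized(ROLE_ID_COPYEDITOR, $journalId);
    }

    /**
     * Whether the logged-in user is a proofreader.
     *
     * @param $journalId int defaults to the current request's journal
     * @return boolean
     */
    function isProofreader($journalId = -1) {
        return Validation::isAuthorized(ROLE_ID_PROOFREADER, $journalId);
    }

    /**
     * Whether the logged-in user is an author.
     *
     * @param $journalId int defaults to the current request's journal
     * @return boolean
     */
    function isAuthor($journalId = -1) {
        return Validation::isAuthorized(ROLE_ID_AUTHOR, $journalId);
    }

    /**
     * Whether the logged-in user is a reader.
     *
     * @param $journalId int defaults to the current request's journal
     * @return boolean
     */
    function isReader($journalId = -1) {
        return Validation::isAuthorized(ROLE_ID_READER, $journalId);
    }

    /**
     * Whether the logged-in user is a subscription manager.
     *
     * @param $journalId int defaults to the current request's journal
     * @return boolean
     */
    function isSubscriptionManager($journalId = -1) {
        return Validation::isAuthorized(ROLE_ID_SUBSCRIPTION_MANAGER, $journalId);
    }

    /**
     * Decide whether the logged-in user may administer another user's account.
     *
     * Site admins may administer anyone. A journal manager may administer a
     * user only if that user is not a site admin and every journal the user
     * has a role in is one the manager also manages; otherwise a manager could
     * take over an account holding privileges in journals outside their control.
     *
     * @param $journalId int the journal the manager acts from
     * @param $userId int the user to be administered
     * @return boolean
     */
    function canAdminister($journalId, $userId) {
        if (Validation::isSiteAdmin()) return true;
        if (!Validation::isJournalManager($journalId)) return false;

        $roleDao =& DAORegistry::getDAO('RoleDAO');
        $roles =& $roleDao->getRolesByUserId($userId);
        foreach ($roles as $role) {
            if ($role->getRoleId() == ROLE_ID_SITE_ADMIN) return false;
            $outsideOwnJournals = $role->getJournalId() != $journalId
                && !Validation::isJournalManager($role->getJournalId());
            if ($outsideOwnJournals) return false;
        }

        return true;
    }
}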
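// No closing "?>" tag: whitespace after it is emitted as output, which can break
// header()-based redirects such as the one issued by redirectLogin().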