master/html/Validation_8inc_8php_source.html

<?php


class Validation {


   static function login($username, $password, &$reason, $remember = false) {

      $reason = null;

      $userDao = DAORegistry::getDAO('UserDAO'); /* @var $userDao UserDAO */

      $user = $userDao->getByUsername($username, true);

      if (!isset($user)) {

         // User does not exist

         return false;

      }


      if ($user->getAuthId()) {

         $authDao = DAORegistry::getDAO('AuthSourceDAO'); /* @var $authDao AuthSourceDAO */

         $auth = $authDao->getPlugin($user->getAuthId());

      } else {

         $auth = null;

      }


      if ($auth) {

         // Validate against remote authentication source

         $valid = $auth->authenticate($username, $password);

         if ($valid) {

            $oldEmail = $user->getEmail();

            $auth->doGetUserInfo($user);

            if ($user->getEmail() != $oldEmail) {

               // FIXME requires email addresses to be unique; if changed email already exists, ignore

               if ($userDao->userExistsByEmail($user->getEmail())) {

                  $user->setEmail($oldEmail);

               }

            }

         }

      } else {

         // Validate against user database

         $rehash = null;

         $valid = self::verifyPassword($username, $password, $user->getPassword(), $rehash);


         if ($valid && !empty($rehash)) {

            // update to new hashing algorithm

            $user->setPassword($rehash);

         }

      }


      if (!$valid) {

         // Login credentials are invalid

         return false;


      } else {

         return self::registerUserSession($user, $reason, $remember);

      }

   }


   static function verifyPassword($username, $password, $hash, &$rehash) {

      if (password_needs_rehash($hash, PASSWORD_BCRYPT)) {

         // update to new hashing algorithm

         $oldHash = self::encryptCredentials($username, $password, false, true);


         if ($oldHash === $hash) {

            // update hash

            $rehash = self::encryptCredentials($username, $password);


            return true;

         }

      }


      return password_verify($password, $hash);

   }


   static function registerUserSession($user, &$reason, $remember = false) {

      if (!is_a($user, 'User')) return false;


      if ($user->getDisabled()) {

         // The user has been disabled.

         $reason = $user->getDisabledReason();

         if ($reason === null) $reason = '';

         return false;

      }


      // The user is valid, mark user as logged in in current session

      $sessionManager = SessionManager::getManager();


      // Regenerate session ID first

      $sessionManager->regenerateSessionId();


      $session = $sessionManager->getUserSession();

      $session->setSessionVar('userId', $user->getId());

      $session->setUserId($user->getId());

      $session->setSessionVar('username', $user->getUsername());

      $session->getCSRFToken(); // Force generation (see issue #2417)

      $session->setRemember($remember);


      if ($remember && Config::getVar('general', 'session_lifetime') > 0) {

         // Update session expiration time

         $sessionManager->updateSessionLifetime(time() +  Config::getVar('general', 'session_lifetime') * 86400);

      }


      $user->setDateLastLogin(Core::getCurrentDate());

      $userDao = DAORegistry::getDAO('UserDAO'); /* @var $userDao UserDAO */

      $userDao->updateObject($user);


      return $user;

   }


   static function logout() {

      $sessionManager = SessionManager::getManager();

      $session = $sessionManager->getUserSession();

      $session->unsetSessionVar('userId');

      $session->unsetSessionVar('signedInAs');

      $session->setUserId(null);


      if ($session->getRemember()) {

         $session->setRemember(0);

         $sessionManager->updateSessionLifetime(0);

      }


      $sessionDao = DAORegistry::getDAO('SessionDAO'); /* @var $sessionDao SessionDAO */

      $sessionDao->updateObject($session);


      return true;

   }


   static function redirectLogin($message = null) {

      $args = array();


      if (isset($_SERVER['REQUEST_URI'])) {

         $args['source'] = $_SERVER['REQUEST_URI'];

      }

      if ($message !== null) {

         $args['loginMessage'] = $message;

      }


      $request = Application::get()->getRequest();

      $request->redirect(null, 'login', null, null, $args);

   }


   static function checkCredentials($username, $password) {

      $userDao = DAORegistry::getDAO('UserDAO'); /* @var $userDao UserDAO */

      $user = $userDao->getByUsername($username, false);


      $valid = false;

      if (isset($user)) {

         if ($user->getAuthId()) {

            $authDao = DAORegistry::getDAO('AuthSourceDAO'); /* @var $authDao AuthSourceDAO */

            $auth =& $authDao->getPlugin($user->getAuthId());

         }


         if (isset($auth)) {

            $valid = $auth->authenticate($username, $password);

         } else {

            // Validate against user database

            $rehash = null;

            $valid = self::verifyPassword($username, $password, $user->getPassword(), $rehash);


            if ($valid && !empty($rehash)) {

               // update to new hashing algorithm

               $user->setPassword($rehash);


               // save new password hash to database

               $userDao->updateObject($user);

            }

         }

      }


      return $valid;

   }


   static function isAuthorized($roleId, $contextId = 0) {

      if (!self::isLoggedIn()) {

         return false;

      }


      if ($contextId === -1) {

         // Get context ID from request

         $request = Application::get()->getRequest();

         $context = $request->getContext();

         $contextId = $context == null ? 0 : $context->getId();

      }


      $sessionManager = SessionManager::getManager();

      $session = $sessionManager->getUserSession();

      $user = $session->getUser();


      $roleDao = DAORegistry::getDAO('RoleDAO'); /* @var $roleDao RoleDAO */

      return $roleDao->userHasRole($contextId, $user->getId(), $roleId);

   }


   static function encryptCredentials($username, $password, $encryption = false, $legacy = false) {

      if ($legacy) {

         $valueToEncrypt = $username . $password;


         if ($encryption == false) {

            $encryption = Config::getVar('security', 'encryption');

         }


         switch ($encryption) {

            case 'sha1':

               if (function_exists('sha1')) {

                  return sha1($valueToEncrypt);

               }

            case 'md5':

            default:

               return md5($valueToEncrypt);

         }

      } else {

         return password_hash($password, PASSWORD_BCRYPT);

      }

   }


   static function generatePassword($length = null) {

      if (!$length) {

         $siteDao = DAORegistry::getDAO('SiteDAO');

         $site = $siteDao->getSite();

         $length = $site->getMinPasswordLength();

      }

      $letters = 'abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ';

      $numbers = '23456789';


      $password = "";

      for ($i=0; $i<$length; $i++) {

         $password .= mt_rand(1, 4) == 4 ? $numbers[mt_rand(0,strlen($numbers)-1)] : $letters[mt_rand(0, strlen($letters)-1)];

      }

      return $password;

   }


   static function generatePasswordResetHash($userId, $expiry = null) {

      $userDao = DAORegistry::getDAO('UserDAO'); /* @var $userDao UserDAO */

      if (($user = $userDao->getById($userId)) == null) {

         // No such user

         return false;

      }

      // create hash payload

      $salt = Config::getVar('security', 'salt');


      if (empty($expiry)) {

         $expires = (int) Config::getVar('security', 'reset_seconds', 7200);

         $expiry = time() + $expires;

      }


      // use last login time to ensure the hash changes when they log in

      $data = $user->getUsername() . $user->getPassword() . $user->getDateLastLogin() . $expiry;


      // generate hash and append expiry timestamp

      $algos = hash_algos();


      foreach (array('sha256', 'sha1', 'md5') as $algo) {

         if (in_array($algo, $algos)) {

            return hash_hmac($algo, $data, $salt) . ':' . $expiry;

         }

      }


      // fallback to MD5

      return md5($data . $salt) . ':' . $expiry;

   }


   static function verifyPasswordResetHash($userId, $hash) {

      // append ":" to ensure the explode results in at least 2 elements

      list(, $expiry) = explode(':', $hash . ':');


      if (empty($expiry) || ((int) $expiry < time())) {

         // expired

         return false;

      }


      return ($hash === self::generatePasswordResetHash($userId, $expiry));

   }


   static function suggestUsername($givenName, $familyName = null) {

      $name = $givenName;

      if (!empty($familyName)) {

         $initial = PKPString::substr($givenName, 0, 1);

         $name = $initial . $familyName;

      }


      $suggestion = PKPString::regexp_replace('/[^a-zA-Z0-9_-]/', '', Stringy\Stringy::create($name)->toAscii()->toLowerCase());

      $userDao = DAORegistry::getDAO('UserDAO'); /* @var $userDao UserDAO */

      for ($i = ''; $userDao->userExistsByUsername($suggestion . $i); $i++);

      return $suggestion . $i;

   }


   static function isLoggedIn() {

      $sessionManager = SessionManager::getManager();

      $session = $sessionManager->getUserSession();


      $userId = $session->getUserId();

      return isset($userId) && !empty($userId);

   }


   static function isLoggedInAs() {

      $sessionManager = SessionManager::getManager();

      $session = $sessionManager->getUserSession();

      $signedInAs = $session->getSessionVar('signedInAs');


      return isset($signedInAs) && !empty($signedInAs);

   }


   static function isSiteAdmin() {

      return self::isAuthorized(ROLE_ID_SITE_ADMIN);

   }


   static function canAdminister($administeredUserId, $administratorUserId) {

      $roleDao = DAORegistry::getDAO('RoleDAO'); /* @var $roleDao RoleDAO */


      // You can administer yourself

      if ($administeredUserId == $administratorUserId) return true;


      // You cannot adminster administrators

      if ($roleDao->userHasRole(CONTEXT_SITE, $administeredUserId, ROLE_ID_SITE_ADMIN)) return false;


      // Otherwise, administrators can administer everyone

      if ($roleDao->userHasRole(CONTEXT_SITE, $administratorUserId, ROLE_ID_SITE_ADMIN)) return true;


      // Check for administered user group assignments in other contexts

      // that the administrator user doesn't have a manager role in.

      $userGroupDao = DAORegistry::getDAO('UserGroupDAO'); /* @var $userGroupDao UserGroupDAO */

      $userGroups = $userGroupDao->getByUserId($administeredUserId);

      while ($userGroup = $userGroups->next()) {

         if ($userGroup->getContextId()!=CONTEXT_SITE && !$roleDao->userHasRole($userGroup->getContextId(), $administratorUserId, ROLE_ID_MANAGER)) {

            // Found an assignment: disqualified.

            return false;

         }

      }


      // Make sure the administering user has a manager role somewhere

      $foundManagerRole = false;

      $roles = $roleDao->getByUserId($administratorUserId);

      foreach ($roles as $role) {

         if ($role->getRoleId() == ROLE_ID_MANAGER) $foundManagerRole = true;

      }

      if (!$foundManagerRole) return false;


      // There were no conflicting roles. Permit administration.

      return true;

   }

}