2006-03-12 00:03:24 +00:00
|
|
|
<?php
|
|
|
|
/* SVN FILE: $Id$ */
|
|
|
|
/**
|
|
|
|
* Short description for file.
|
|
|
|
*
|
|
|
|
* Long description for file
|
|
|
|
*
|
|
|
|
* PHP versions 4 and 5
|
|
|
|
*
|
2007-10-16 09:05:25 +00:00
|
|
|
* CakePHP(tm) : Rapid Development Framework <http://www.cakephp.org/>
|
2008-01-01 22:18:17 +00:00
|
|
|
* Copyright 2005-2008, Cake Software Foundation, Inc.
|
2006-05-26 05:29:17 +00:00
|
|
|
* 1785 E. Sahara Avenue, Suite 490-204
|
|
|
|
* Las Vegas, Nevada 89104
|
2006-03-12 00:03:24 +00:00
|
|
|
*
|
|
|
|
* Licensed under The MIT License
|
|
|
|
* Redistributions of files must retain the above copyright notice.
|
|
|
|
*
|
|
|
|
* @filesource
|
2008-01-01 22:18:17 +00:00
|
|
|
* @copyright Copyright 2005-2008, Cake Software Foundation, Inc.
|
2007-02-02 10:39:45 +00:00
|
|
|
* @link http://www.cakefoundation.org/projects/info/cakephp CakePHP(tm) Project
|
2006-05-26 05:29:17 +00:00
|
|
|
* @package cake
|
|
|
|
* @subpackage cake.cake.libs.controller.components
|
2007-02-02 10:39:45 +00:00
|
|
|
* @since CakePHP(tm) v 0.10.8.2156
|
2006-05-26 05:29:17 +00:00
|
|
|
* @version $Revision$
|
|
|
|
* @modifiedby $LastChangedBy$
|
|
|
|
* @lastmodified $Date$
|
|
|
|
* @license http://www.opensource.org/licenses/mit-license.php The MIT License
|
2006-03-12 00:03:24 +00:00
|
|
|
*/
|
|
|
|
/**
|
|
|
|
* Short description for file.
|
|
|
|
*
|
|
|
|
* Long description for file
|
|
|
|
*
|
2006-05-26 05:29:17 +00:00
|
|
|
* @package cake
|
|
|
|
* @subpackage cake.cake.libs.controller.components
|
2006-03-12 00:03:24 +00:00
|
|
|
*/
|
2006-06-16 19:45:33 +00:00
|
|
|
class SecurityComponent extends Object {
|
2006-11-28 00:00:23 +00:00
|
|
|
/**
|
2006-12-01 23:51:43 +00:00
|
|
|
* The controller method that will be called if this request is black-hole'd
|
2006-11-28 00:00:23 +00:00
|
|
|
*
|
|
|
|
* @var string
|
2006-12-01 23:51:43 +00:00
|
|
|
* @access public
|
2006-11-28 00:00:23 +00:00
|
|
|
*/
|
2006-05-26 05:29:17 +00:00
|
|
|
var $blackHoleCallback = null;
|
2006-11-28 00:00:23 +00:00
|
|
|
/**
|
2006-12-01 23:51:43 +00:00
|
|
|
* List of controller actions for which a POST request is required
|
2006-11-28 00:00:23 +00:00
|
|
|
*
|
|
|
|
* @var array
|
2006-12-01 23:51:43 +00:00
|
|
|
* @access public
|
|
|
|
* @see SecurityComponent::requirePost()
|
2006-11-28 00:00:23 +00:00
|
|
|
*/
|
2006-05-26 05:29:17 +00:00
|
|
|
var $requirePost = array();
|
2006-11-28 00:00:23 +00:00
|
|
|
/**
|
2006-12-01 23:51:43 +00:00
|
|
|
* List of actions that require an SSL-secured connection
|
2006-11-28 00:00:23 +00:00
|
|
|
*
|
|
|
|
* @var array
|
2006-12-01 23:51:43 +00:00
|
|
|
* @access public
|
|
|
|
* @see SecurityComponent::requireSecure()
|
2006-11-28 00:00:23 +00:00
|
|
|
*/
|
2006-11-08 02:18:41 +00:00
|
|
|
var $requireSecure = array();
|
2006-11-28 00:00:23 +00:00
|
|
|
/**
|
2006-12-01 23:51:43 +00:00
|
|
|
* List of actions that require a valid authentication key
|
2006-11-28 00:00:23 +00:00
|
|
|
*
|
|
|
|
* @var array
|
2006-12-01 23:51:43 +00:00
|
|
|
* @access public
|
|
|
|
* @see SecurityComponent::requireAuth()
|
2006-11-28 00:00:23 +00:00
|
|
|
*/
|
2006-05-26 05:29:17 +00:00
|
|
|
var $requireAuth = array();
|
2006-11-28 00:00:23 +00:00
|
|
|
/**
|
2006-12-01 23:51:43 +00:00
|
|
|
* List of actions that require an HTTP-authenticated login (basic or digest)
|
2006-11-28 00:00:23 +00:00
|
|
|
*
|
|
|
|
* @var array
|
2006-12-01 23:51:43 +00:00
|
|
|
* @access public
|
|
|
|
* @see SecurityComponent::requireLogin()
|
2006-11-28 00:00:23 +00:00
|
|
|
*/
|
2006-06-16 19:45:33 +00:00
|
|
|
var $requireLogin = array();
|
2006-11-28 00:00:23 +00:00
|
|
|
/**
|
2006-12-01 23:51:43 +00:00
|
|
|
* Login options for SecurityComponent::requireLogin()
|
2006-11-28 00:00:23 +00:00
|
|
|
*
|
|
|
|
* @var array
|
2006-12-01 23:51:43 +00:00
|
|
|
* @access public
|
|
|
|
* @see SecurityComponent::requireLogin()
|
2006-11-28 00:00:23 +00:00
|
|
|
*/
|
2007-10-09 21:00:32 +00:00
|
|
|
var $loginOptions = array('type' => '', 'prompt' => null);
|
2006-11-28 00:00:23 +00:00
|
|
|
/**
|
2006-12-01 23:51:43 +00:00
|
|
|
* An associative array of usernames/passwords used for HTTP-authenticated logins.
|
|
|
|
* If using digest authentication, passwords should be MD5-hashed.
|
2006-11-28 00:00:23 +00:00
|
|
|
*
|
|
|
|
* @var array
|
2006-12-01 23:51:43 +00:00
|
|
|
* @access public
|
|
|
|
* @see SecurityComponent::requireLogin()
|
2006-11-28 00:00:23 +00:00
|
|
|
*/
|
2006-06-16 19:45:33 +00:00
|
|
|
var $loginUsers = array();
|
2006-11-28 00:00:23 +00:00
|
|
|
/**
|
2006-12-06 20:37:12 +00:00
|
|
|
* Controllers from which actions of the current controller are allowed to receive
|
|
|
|
* requests.
|
2006-11-28 00:00:23 +00:00
|
|
|
*
|
|
|
|
* @var array
|
2007-10-22 21:22:35 +00:00
|
|
|
* @access public
|
2006-12-06 20:37:12 +00:00
|
|
|
* @see SecurityComponent::requireAuth()
|
2006-11-28 00:00:23 +00:00
|
|
|
*/
|
2006-05-26 05:29:17 +00:00
|
|
|
var $allowedControllers = array();
|
2006-11-28 00:00:23 +00:00
|
|
|
/**
|
2006-12-06 20:37:12 +00:00
|
|
|
* Actions from which actions of the current controller are allowed to receive
|
|
|
|
* requests.
|
2006-11-28 00:00:23 +00:00
|
|
|
*
|
|
|
|
* @var array
|
2007-10-22 21:22:35 +00:00
|
|
|
* @access public
|
2006-12-06 20:37:12 +00:00
|
|
|
* @see SecurityComponent::requireAuth()
|
2006-11-28 00:00:23 +00:00
|
|
|
*/
|
2006-05-26 05:29:17 +00:00
|
|
|
var $allowedActions = array();
|
2007-05-02 02:31:06 +00:00
|
|
|
/**
|
|
|
|
* Form fields to disable
|
|
|
|
*
|
|
|
|
* @var array
|
2007-10-22 21:22:35 +00:00
|
|
|
* @access public
|
2007-05-02 02:31:06 +00:00
|
|
|
*/
|
|
|
|
var $disabledFields = array();
|
2006-11-28 00:00:23 +00:00
|
|
|
/**
|
2006-12-06 20:37:12 +00:00
|
|
|
* Other components used by the Security component
|
2006-11-28 00:00:23 +00:00
|
|
|
*
|
|
|
|
* @var array
|
2006-12-06 20:37:12 +00:00
|
|
|
* @access public
|
2006-11-28 00:00:23 +00:00
|
|
|
*/
|
2006-05-26 05:29:17 +00:00
|
|
|
var $components = array('RequestHandler', 'Session');
|
2006-11-28 00:00:23 +00:00
|
|
|
/**
|
2007-10-16 09:05:25 +00:00
|
|
|
* Component startup. All security checking happens here.
|
2006-11-28 00:00:23 +00:00
|
|
|
*
|
2007-10-22 21:22:35 +00:00
|
|
|
* @param object $controller Instantiating controller
|
2006-11-28 00:00:23 +00:00
|
|
|
* @access public
|
|
|
|
*/
|
2006-06-16 19:45:33 +00:00
|
|
|
function startup(&$controller) {
|
2007-05-01 13:09:35 +00:00
|
|
|
$this->__postRequired($controller);
|
|
|
|
$this->__secureRequired($controller);
|
|
|
|
$this->__authRequired($controller);
|
|
|
|
$this->__loginRequired($controller);
|
2007-06-06 17:28:32 +00:00
|
|
|
|
2007-12-25 10:49:29 +00:00
|
|
|
if ((!isset($controller->params['requested']) || $controller->params['requested'] != 1) && ($this->RequestHandler->isPost() || $this->RequestHandler->isPut())) {
|
2007-05-01 13:09:35 +00:00
|
|
|
$this->__validatePost($controller);
|
2006-06-16 19:45:33 +00:00
|
|
|
}
|
2007-06-06 17:28:32 +00:00
|
|
|
|
2007-05-01 13:09:35 +00:00
|
|
|
$this->__generateToken($controller);
|
2006-06-16 19:45:33 +00:00
|
|
|
}
|
|
|
|
/**
|
|
|
|
* Sets the actions that require a POST request, or empty for all actions
|
2006-12-01 23:51:43 +00:00
|
|
|
*
|
2006-11-28 00:00:23 +00:00
|
|
|
* @access public
|
2006-06-16 19:45:33 +00:00
|
|
|
*/
|
|
|
|
function requirePost() {
|
|
|
|
$this->requirePost = func_get_args();
|
2007-06-20 06:15:35 +00:00
|
|
|
if (empty($this->requirePost)) {
|
2006-06-16 19:45:33 +00:00
|
|
|
$this->requirePost = array('*');
|
2006-05-26 05:29:17 +00:00
|
|
|
}
|
2006-06-16 19:45:33 +00:00
|
|
|
}
|
2006-11-08 02:18:41 +00:00
|
|
|
/**
|
|
|
|
* Sets the actions that require a request that is SSL-secured, or empty for all actions
|
2006-12-01 23:51:43 +00:00
|
|
|
*
|
2006-11-28 00:00:23 +00:00
|
|
|
* @access public
|
2006-11-08 02:18:41 +00:00
|
|
|
*/
|
|
|
|
function requireSecure() {
|
|
|
|
$this->requireSecure = func_get_args();
|
2007-06-20 06:15:35 +00:00
|
|
|
if (empty($this->requireSecure)) {
|
2006-11-08 02:18:41 +00:00
|
|
|
$this->requireSecure = array('*');
|
|
|
|
}
|
|
|
|
}
|
2006-06-16 19:45:33 +00:00
|
|
|
/**
|
|
|
|
* Sets the actions that require an authenticated request, or empty for all actions
|
2006-12-01 23:51:43 +00:00
|
|
|
*
|
2006-11-28 00:00:23 +00:00
|
|
|
* @access public
|
2006-06-16 19:45:33 +00:00
|
|
|
*/
|
|
|
|
function requireAuth() {
|
|
|
|
$this->requireAuth = func_get_args();
|
2007-06-20 06:15:35 +00:00
|
|
|
if (empty($this->requireAuth)) {
|
2006-06-16 19:45:33 +00:00
|
|
|
$this->requireAuth = array('*');
|
2006-05-26 05:29:17 +00:00
|
|
|
}
|
|
|
|
}
|
2006-06-16 19:45:33 +00:00
|
|
|
/**
|
|
|
|
* Sets the actions that require an HTTP-authenticated request, or empty for all actions
|
2006-12-01 23:51:43 +00:00
|
|
|
*
|
2006-11-28 00:00:23 +00:00
|
|
|
* @access public
|
2006-06-16 19:45:33 +00:00
|
|
|
*/
|
|
|
|
function requireLogin() {
|
|
|
|
$args = func_get_args();
|
2007-10-09 21:00:32 +00:00
|
|
|
$base = $this->loginOptions;
|
|
|
|
|
2006-06-16 19:45:33 +00:00
|
|
|
foreach ($args as $arg) {
|
2007-06-20 06:15:35 +00:00
|
|
|
if (is_array($arg)) {
|
2006-06-16 19:45:33 +00:00
|
|
|
$this->loginOptions = $arg;
|
|
|
|
} else {
|
|
|
|
$this->requireLogin[] = $arg;
|
|
|
|
}
|
|
|
|
}
|
2007-12-08 06:08:03 +00:00
|
|
|
$this->loginOptions = array_merge($base, $this->loginOptions);
|
2007-05-01 08:56:02 +00:00
|
|
|
|
2007-06-20 06:15:35 +00:00
|
|
|
if (empty($this->requireLogin)) {
|
2006-06-16 19:45:33 +00:00
|
|
|
$this->requireLogin = array('*');
|
|
|
|
}
|
2007-05-01 08:56:02 +00:00
|
|
|
|
2007-06-20 06:15:35 +00:00
|
|
|
if (isset($this->loginOptions['users'])) {
|
2006-06-16 19:45:33 +00:00
|
|
|
$this->loginUsers =& $this->loginOptions['users'];
|
|
|
|
}
|
|
|
|
}
|
|
|
|
/**
|
2007-10-09 21:00:32 +00:00
|
|
|
* Attempts to validate the login credentials for an HTTP-authenticated request
|
2006-06-16 19:45:33 +00:00
|
|
|
*
|
2006-12-01 23:51:43 +00:00
|
|
|
* @param string $type Either 'basic', 'digest', or null. If null/empty, will try both.
|
2006-06-16 19:45:33 +00:00
|
|
|
* @return mixed If successful, returns an array with login name and password, otherwise null.
|
2006-11-28 00:00:23 +00:00
|
|
|
* @access public
|
2006-06-16 19:45:33 +00:00
|
|
|
*/
|
2006-12-01 23:51:43 +00:00
|
|
|
function loginCredentials($type = null) {
|
2007-12-08 06:08:03 +00:00
|
|
|
switch (strtolower($type)) {
|
2007-10-09 21:00:32 +00:00
|
|
|
case 'basic':
|
|
|
|
$login = array('username' => env('PHP_AUTH_USER'), 'password' => env('PHP_AUTH_PW'));
|
|
|
|
if (!empty($login['username'])) {
|
|
|
|
return $login;
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
case 'digest':
|
|
|
|
default:
|
|
|
|
$digest = null;
|
2006-06-16 19:45:33 +00:00
|
|
|
|
2007-10-09 21:00:32 +00:00
|
|
|
if (version_compare(phpversion(), '5.1') != -1) {
|
|
|
|
$digest = env('PHP_AUTH_DIGEST');
|
|
|
|
} elseif (function_exists('apache_request_headers')) {
|
|
|
|
$headers = apache_request_headers();
|
|
|
|
if (isset($headers['Authorization']) && !empty($headers['Authorization']) && substr($headers['Authorization'], 0, 7) == 'Digest ') {
|
|
|
|
$digest = substr($headers['Authorization'], 7);
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
// Server doesn't support digest-auth headers
|
|
|
|
trigger_error(__('SecurityComponent::loginCredentials() - Server does not support digest authentication', true), E_USER_WARNING);
|
2006-06-16 19:45:33 +00:00
|
|
|
}
|
|
|
|
|
2007-10-09 21:00:32 +00:00
|
|
|
if (!empty($digest)) {
|
|
|
|
return $this->parseDigestAuthData($digest);
|
|
|
|
}
|
|
|
|
break;
|
2006-06-16 19:45:33 +00:00
|
|
|
}
|
|
|
|
return null;
|
2006-05-26 05:29:17 +00:00
|
|
|
}
|
2006-06-16 19:45:33 +00:00
|
|
|
/**
|
2006-11-28 00:00:23 +00:00
|
|
|
* Generates the text of an HTTP-authentication request header from an array of options..
|
2006-06-16 19:45:33 +00:00
|
|
|
*
|
2007-10-22 21:22:35 +00:00
|
|
|
* @param array $options Set of options for header
|
|
|
|
* @return string HTTP-authentication request header
|
2006-11-28 00:00:23 +00:00
|
|
|
* @access public
|
2006-06-16 19:45:33 +00:00
|
|
|
*/
|
|
|
|
function loginRequest($options = array()) {
|
2007-12-08 06:08:03 +00:00
|
|
|
$options = array_merge($this->loginOptions, $options);
|
2006-06-16 19:45:33 +00:00
|
|
|
$this->__setLoginDefaults($options);
|
2007-10-16 09:05:25 +00:00
|
|
|
$auth = 'WWW-Authenticate: ' . ucfirst($options['type']);
|
2007-10-09 21:00:32 +00:00
|
|
|
$out = array('realm="' . $options['realm'] . '"');
|
|
|
|
|
2007-12-08 06:08:03 +00:00
|
|
|
if (strtolower($options['type']) == 'digest') {
|
2007-10-09 21:00:32 +00:00
|
|
|
$out[] = 'qop="auth"';
|
|
|
|
$out[] = 'nonce="' . uniqid() . '"'; //str_replace('-', '', String::uuid())
|
|
|
|
$out[] = 'opaque="' . md5($options['realm']).'"';
|
|
|
|
}
|
|
|
|
|
|
|
|
return $auth . ' ' . join(',', $out);
|
2006-06-16 19:45:33 +00:00
|
|
|
}
|
|
|
|
/**
|
2006-11-28 00:00:23 +00:00
|
|
|
* Parses an HTTP digest authentication response, and returns an array of the data, or null on failure.
|
2006-06-16 19:45:33 +00:00
|
|
|
*
|
2007-10-22 21:22:35 +00:00
|
|
|
* @param string $digest Digest authentication response
|
2006-12-01 23:51:43 +00:00
|
|
|
* @return array Digest authentication parameters
|
2006-11-28 00:00:23 +00:00
|
|
|
* @access public
|
2006-06-16 19:45:33 +00:00
|
|
|
*/
|
|
|
|
function parseDigestAuthData($digest) {
|
2007-06-20 06:15:35 +00:00
|
|
|
if (substr($digest, 0, 7) == 'Digest ') {
|
2006-06-16 19:45:33 +00:00
|
|
|
$digest = substr($digest, 7);
|
|
|
|
}
|
|
|
|
$keys = array();
|
|
|
|
$match = array();
|
|
|
|
$req = array('nonce' => 1, 'nc' => 1, 'cnonce' => 1, 'qop' => 1, 'username' => 1, 'uri' => 1, 'response' => 1);
|
|
|
|
preg_match_all('@(\w+)=([\'"]?)([a-zA-Z0-9=./\_-]+)\2@', $digest, $match, PREG_SET_ORDER);
|
|
|
|
|
2007-06-20 06:15:35 +00:00
|
|
|
foreach ($match as $i) {
|
2006-06-16 19:45:33 +00:00
|
|
|
$keys[$i[1]] = $i[3];
|
|
|
|
unset($req[$i[1]]);
|
|
|
|
}
|
2007-05-01 08:56:02 +00:00
|
|
|
|
2007-06-20 06:15:35 +00:00
|
|
|
if (empty($req)) {
|
2006-06-16 19:45:33 +00:00
|
|
|
return $keys;
|
|
|
|
} else {
|
|
|
|
return null;
|
|
|
|
}
|
2006-05-26 05:29:17 +00:00
|
|
|
}
|
2007-10-09 21:00:32 +00:00
|
|
|
/**
|
|
|
|
* Generates a hash to be compared with an HTTP digest-authenticated response
|
|
|
|
*
|
|
|
|
* @param array $data HTTP digest response data, as parsed by SecurityComponent::parseDigestAuthData()
|
|
|
|
* @return string Digest authentication hash
|
|
|
|
* @access public
|
|
|
|
* @see SecurityComponent::parseDigestAuthData()
|
|
|
|
*/
|
|
|
|
function generateDigestResponseHash($data) {
|
|
|
|
return md5(
|
|
|
|
md5($data['username'] . ':' . $this->loginOptions['realm'] . ':' . $this->loginUsers[$data['username']]) .
|
|
|
|
':' . $data['nonce'] . ':' . $data['nc'] . ':' . $data['cnonce'] . ':' . $data['qop'] . ':' .
|
|
|
|
md5(env('REQUEST_METHOD') . ':' . $data['uri'])
|
|
|
|
);
|
|
|
|
}
|
2007-05-01 13:09:35 +00:00
|
|
|
/**
|
2007-10-22 21:22:35 +00:00
|
|
|
* Black-hole an invalid request with a 404 error or custom callback. If SecurityComponent::$blackHoleCallback
|
|
|
|
* is speicifed, it will use this callback by executing the method indicated in $error
|
2007-05-01 13:09:35 +00:00
|
|
|
*
|
2007-10-22 21:22:35 +00:00
|
|
|
* @param object $controller Instantiating controller
|
|
|
|
* @param string $error Error method
|
|
|
|
* @return mixed If specified, controller blackHoleCallback's response, or no return otherwise
|
2007-05-01 13:09:35 +00:00
|
|
|
* @access public
|
2007-10-22 21:22:35 +00:00
|
|
|
* @see SecurityComponent::$blackHoleCallback
|
2007-05-01 13:09:35 +00:00
|
|
|
*/
|
|
|
|
function blackHole(&$controller, $error = '') {
|
2007-06-20 06:15:35 +00:00
|
|
|
if ($this->blackHoleCallback == null) {
|
2007-05-01 13:09:35 +00:00
|
|
|
$code = 404;
|
2007-06-20 06:15:35 +00:00
|
|
|
if ($error == 'login') {
|
2007-05-01 13:09:35 +00:00
|
|
|
$code = 401;
|
|
|
|
}
|
|
|
|
$controller->redirect(null, $code, true);
|
|
|
|
} else {
|
|
|
|
return $this->__callback($controller, $this->blackHoleCallback, array($error));
|
|
|
|
}
|
|
|
|
}
|
|
|
|
/**
|
|
|
|
* Check if post is required
|
|
|
|
*
|
2007-10-22 21:22:35 +00:00
|
|
|
* @param object $controller Instantiating controller
|
|
|
|
* @return bool true if post is requred
|
2007-05-01 13:09:35 +00:00
|
|
|
* @access private
|
|
|
|
*/
|
|
|
|
function __postRequired(&$controller) {
|
2007-06-20 06:15:35 +00:00
|
|
|
if (is_array($this->requirePost) && !empty($this->requirePost)) {
|
|
|
|
if (in_array($controller->action, $this->requirePost) || $this->requirePost == array('*')) {
|
|
|
|
if (!$this->RequestHandler->isPost()) {
|
|
|
|
if (!$this->blackHole($controller, 'post')) {
|
2007-05-01 13:09:35 +00:00
|
|
|
return null;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
/**
|
|
|
|
* Check if access requires secure connection
|
|
|
|
*
|
2007-10-22 21:22:35 +00:00
|
|
|
* @param object $controller Instantiating controller
|
|
|
|
* @return bool true if secure connection required
|
2007-05-01 13:09:35 +00:00
|
|
|
* @access private
|
|
|
|
*/
|
|
|
|
function __secureRequired(&$controller) {
|
2007-06-20 06:15:35 +00:00
|
|
|
if (is_array($this->requireSecure) && !empty($this->requireSecure)) {
|
|
|
|
if (in_array($controller->action, $this->requireSecure) || $this->requireSecure == array('*')) {
|
|
|
|
if (!$this->RequestHandler->isSSL()) {
|
|
|
|
if (!$this->blackHole($controller, 'secure')) {
|
2007-05-01 13:09:35 +00:00
|
|
|
return null;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
/**
|
|
|
|
* Check if authentication is required
|
|
|
|
*
|
2007-10-22 21:22:35 +00:00
|
|
|
* @param object $controller Instantiating controller
|
|
|
|
* @return bool true if authentication required
|
2007-05-01 13:09:35 +00:00
|
|
|
* @access private
|
|
|
|
*/
|
|
|
|
function __authRequired(&$controller) {
|
2007-06-20 06:15:35 +00:00
|
|
|
if (is_array($this->requireAuth) && !empty($this->requireAuth) && !empty($controller->data)) {
|
|
|
|
if (in_array($controller->action, $this->requireAuth) || $this->requireAuth == array('*')) {
|
|
|
|
if (!isset($controller->data['__Token'] )) {
|
|
|
|
if (!$this->blackHole($controller, 'auth')) {
|
2007-05-01 13:09:35 +00:00
|
|
|
return null;
|
|
|
|
}
|
|
|
|
}
|
2007-06-20 03:10:15 +00:00
|
|
|
$token = $controller->data['__Token']['key'];
|
2007-05-01 13:09:35 +00:00
|
|
|
|
2007-06-20 06:15:35 +00:00
|
|
|
if ($this->Session->check('_Token')) {
|
2007-05-01 13:09:35 +00:00
|
|
|
$tData = unserialize($this->Session->read('_Token'));
|
|
|
|
|
2007-06-20 06:15:35 +00:00
|
|
|
if (!empty($tData['allowedControllers']) && !in_array($controller->params['controller'], $tData['allowedControllers']) ||!empty($tData['allowedActions']) && !in_array($controller->params['action'], $tData['allowedActions'])) {
|
|
|
|
if (!$this->blackHole($controller, 'auth')) {
|
2007-05-01 13:09:35 +00:00
|
|
|
return null;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
} else {
|
2007-06-20 06:15:35 +00:00
|
|
|
if (!$this->blackHole($controller, 'auth')) {
|
2007-05-01 13:09:35 +00:00
|
|
|
return null;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
/**
|
|
|
|
* Check if login is required
|
|
|
|
*
|
2007-10-22 21:22:35 +00:00
|
|
|
* @param object $controller Instantiating controller
|
|
|
|
* @return bool true if login is required
|
2007-05-01 13:09:35 +00:00
|
|
|
* @access private
|
|
|
|
*/
|
|
|
|
function __loginRequired(&$controller) {
|
2007-06-20 06:15:35 +00:00
|
|
|
if (is_array($this->requireLogin) && !empty($this->requireLogin)) {
|
|
|
|
if (in_array($controller->action, $this->requireLogin) || $this->requireLogin == array('*')) {
|
2007-05-01 13:09:35 +00:00
|
|
|
$login = $this->loginCredentials($this->loginOptions['type']);
|
|
|
|
|
2007-06-20 06:15:35 +00:00
|
|
|
if ($login == null) {
|
2007-05-01 13:09:35 +00:00
|
|
|
// User hasn't been authenticated yet
|
|
|
|
header($this->loginRequest());
|
|
|
|
|
2007-10-09 21:00:32 +00:00
|
|
|
if (!empty($this->loginOptions['prompt'])) {
|
2007-05-01 13:09:35 +00:00
|
|
|
$this->__callback($controller, $this->loginOptions['prompt']);
|
|
|
|
} else {
|
|
|
|
$this->blackHole($controller, 'login');
|
|
|
|
}
|
|
|
|
} else {
|
2007-06-20 06:15:35 +00:00
|
|
|
if (isset($this->loginOptions['login'])) {
|
2007-05-01 13:09:35 +00:00
|
|
|
$this->__callback($controller, $this->loginOptions['login'], array($login));
|
|
|
|
} else {
|
2007-12-08 06:08:03 +00:00
|
|
|
if (strtolower($this->loginOptions['type']) == 'digest') {
|
2007-05-01 13:09:35 +00:00
|
|
|
// Do digest authentication
|
2007-10-09 21:00:32 +00:00
|
|
|
if ($login && isset($this->loginUsers[$login['username']])) {
|
|
|
|
if ($login['response'] == $this->generateDigestResponseHash($login)) {
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
$this->blackHole($controller, 'login');
|
2007-05-01 13:09:35 +00:00
|
|
|
} else {
|
|
|
|
if (!(in_array($login['username'], array_keys($this->loginUsers)) && $this->loginUsers[$login['username']] == $login['password'])) {
|
|
|
|
$this->blackHole($controller, 'login');
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
/**
|
2007-10-22 21:22:35 +00:00
|
|
|
* Validate submitted form
|
2007-05-01 13:09:35 +00:00
|
|
|
*
|
2007-10-22 21:22:35 +00:00
|
|
|
* @param object $controller Instantiating controller
|
|
|
|
* @return bool true if submitted form is valid
|
2007-05-01 13:09:35 +00:00
|
|
|
* @access private
|
|
|
|
*/
|
|
|
|
function __validatePost(&$controller) {
|
2007-06-20 06:15:35 +00:00
|
|
|
if (!empty($controller->data)) {
|
2007-05-01 15:17:27 +00:00
|
|
|
if (!isset($controller->data['__Token'])) {
|
2007-06-20 06:15:35 +00:00
|
|
|
if (!$this->blackHole($controller, 'auth')) {
|
2007-05-01 13:09:35 +00:00
|
|
|
return null;
|
|
|
|
}
|
|
|
|
}
|
2007-05-01 15:17:27 +00:00
|
|
|
$token = $controller->data['__Token']['key'];
|
2007-05-01 13:09:35 +00:00
|
|
|
|
2007-06-20 06:15:35 +00:00
|
|
|
if ($this->Session->check('_Token')) {
|
2007-05-01 13:09:35 +00:00
|
|
|
$tData = unserialize($this->Session->read('_Token'));
|
|
|
|
|
2007-06-20 06:15:35 +00:00
|
|
|
if ($tData['expires'] < time() || $tData['key'] !== $token) {
|
|
|
|
if (!$this->blackHole($controller, 'auth')) {
|
2007-05-01 13:09:35 +00:00
|
|
|
return null;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2007-06-20 06:15:35 +00:00
|
|
|
if (!isset($controller->data['__Token']['fields'])) {
|
|
|
|
if (!$this->blackHole($controller, 'auth')) {
|
2007-05-01 13:09:35 +00:00
|
|
|
return null;
|
|
|
|
}
|
|
|
|
}
|
2007-05-02 02:31:06 +00:00
|
|
|
$form = $controller->data['__Token']['fields'];
|
2007-05-01 13:09:35 +00:00
|
|
|
$check = $controller->data;
|
2007-05-01 15:17:27 +00:00
|
|
|
unset($check['__Token']['fields']);
|
2007-05-01 13:09:35 +00:00
|
|
|
|
2007-06-20 06:15:35 +00:00
|
|
|
if (!empty($this->disabledFields)) {
|
|
|
|
foreach ($check as $model => $fields) {
|
|
|
|
foreach ($fields as $field => $value) {
|
2007-05-02 02:31:06 +00:00
|
|
|
$key[] = $model . '.' . $field;
|
|
|
|
}
|
|
|
|
unset($field);
|
|
|
|
}
|
|
|
|
|
2007-06-20 06:15:35 +00:00
|
|
|
foreach ($this->disabledFields as $value) {
|
2007-05-02 02:31:06 +00:00
|
|
|
$parts = preg_split('/\/|\./', $value);
|
|
|
|
|
|
|
|
if (count($parts) == 1) {
|
2007-10-16 09:05:25 +00:00
|
|
|
$key1[] = $controller->modelClass . '.' . $parts['0'];
|
2007-05-02 02:31:06 +00:00
|
|
|
} elseif (count($parts) == 2) {
|
2007-10-16 09:05:25 +00:00
|
|
|
$key1[] = $parts['0'] . '.' . $parts['1'];
|
2007-05-02 02:31:06 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
foreach ($key1 as $value) {
|
2007-06-20 06:15:35 +00:00
|
|
|
if (in_array($value, $key)) {
|
2007-05-02 02:31:06 +00:00
|
|
|
$remove = explode('.', $value);
|
|
|
|
unset($check[$remove['0']][$remove['1']]);
|
|
|
|
} elseif (in_array('_' . $value, $key)) {
|
|
|
|
$remove = explode('.', $value);
|
|
|
|
$controller->data[$remove['0']][$remove['1']] = $controller->data['_' . $remove['0']][$remove['1']];
|
|
|
|
unset($check['_' . $remove['0']][$remove['1']]);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
2007-06-20 06:15:35 +00:00
|
|
|
foreach ($check as $key => $value) {
|
2007-10-09 18:47:32 +00:00
|
|
|
$merge = array();
|
2007-06-20 06:15:35 +00:00
|
|
|
if ($key === '__Token') {
|
2007-05-01 13:09:35 +00:00
|
|
|
$field[$key] = $value;
|
|
|
|
continue;
|
|
|
|
}
|
|
|
|
$string = substr($key, 0, 1);
|
|
|
|
|
2007-06-20 06:15:35 +00:00
|
|
|
if ($string === '_') {
|
2007-05-01 13:09:35 +00:00
|
|
|
$newKey = substr($key, 1);
|
2007-06-22 06:19:19 +00:00
|
|
|
|
2007-07-25 04:38:28 +00:00
|
|
|
if (!isset($controller->data[$newKey])) {
|
2007-06-22 06:19:19 +00:00
|
|
|
$controller->data[$newKey] = array();
|
|
|
|
}
|
2007-05-01 17:42:09 +00:00
|
|
|
|
2007-06-20 06:15:35 +00:00
|
|
|
if (is_array($value)) {
|
2007-05-01 17:42:09 +00:00
|
|
|
$values = array_values($value);
|
2007-06-04 06:11:48 +00:00
|
|
|
$k = array_keys($value);
|
|
|
|
$count = count($k);
|
2007-06-20 06:15:35 +00:00
|
|
|
for ($i = 0; $count > $i; $i++) {
|
2007-06-04 06:11:48 +00:00
|
|
|
$field[$key][$k[$i]] = $values[$i];
|
2007-05-01 17:42:09 +00:00
|
|
|
}
|
|
|
|
}
|
2007-06-04 06:11:48 +00:00
|
|
|
|
2007-10-16 09:05:25 +00:00
|
|
|
foreach ($k as $lookup) {
|
2007-06-20 07:51:52 +00:00
|
|
|
if (isset($controller->data[$newKey][$lookup])) {
|
2007-06-04 06:11:48 +00:00
|
|
|
unset($controller->data[$key][$lookup]);
|
|
|
|
} elseif ($controller->data[$key][$lookup] === '0') {
|
|
|
|
$merge[] = $lookup;
|
|
|
|
}
|
|
|
|
}
|
2007-10-09 18:47:32 +00:00
|
|
|
|
2007-10-09 18:06:10 +00:00
|
|
|
if (isset($field[$newKey])) {
|
|
|
|
$field[$newKey] = array_merge($merge, $field[$newKey]);
|
2007-10-09 18:47:32 +00:00
|
|
|
} else {
|
|
|
|
$field[$newKey] = $merge;
|
2007-10-09 18:06:10 +00:00
|
|
|
}
|
2007-06-04 06:11:48 +00:00
|
|
|
$controller->data[$newKey] = Set::pushDiff($controller->data[$key], $controller->data[$newKey]);
|
|
|
|
unset($controller->data[$key]);
|
2007-05-01 13:09:35 +00:00
|
|
|
continue;
|
|
|
|
}
|
2007-06-20 06:15:35 +00:00
|
|
|
if (!array_key_exists($key, $value)) {
|
2007-10-16 09:05:25 +00:00
|
|
|
if (isset($field[$key])) {
|
|
|
|
$field[$key] = array_merge($field[$key], array_keys($value));
|
|
|
|
} else {
|
|
|
|
$field[$key] = array_keys($value);
|
|
|
|
}
|
2007-05-21 20:20:55 +00:00
|
|
|
}
|
2007-05-01 13:09:35 +00:00
|
|
|
}
|
2007-10-04 18:27:35 +00:00
|
|
|
|
|
|
|
foreach ($field as $key => $value) {
|
|
|
|
if(strpos($key, '_') !== 0) {
|
|
|
|
sort($field[$key]);
|
|
|
|
}
|
|
|
|
}
|
2007-09-27 00:38:03 +00:00
|
|
|
ksort($field);
|
2007-10-16 09:05:25 +00:00
|
|
|
$check = urlencode(Security::hash(serialize($field) . Configure::read('Security.salt')));
|
2007-05-01 13:09:35 +00:00
|
|
|
|
2007-06-20 06:15:35 +00:00
|
|
|
if ($form !== $check) {
|
|
|
|
if (!$this->blackHole($controller, 'auth')) {
|
2007-05-01 13:09:35 +00:00
|
|
|
return null;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
/**
|
|
|
|
* Add authentication key for new form posts
|
|
|
|
*
|
2007-10-22 21:22:35 +00:00
|
|
|
* @param object $controller Instantiating controller
|
|
|
|
* @return bool Success
|
2007-05-01 13:09:35 +00:00
|
|
|
* @access private
|
|
|
|
*/
|
|
|
|
function __generateToken(&$controller) {
|
2007-06-20 06:15:35 +00:00
|
|
|
if (!isset($controller->params['requested']) || $controller->params['requested'] != 1) {
|
2007-05-01 13:09:35 +00:00
|
|
|
$authKey = Security::generateAuthKey();
|
2007-11-04 18:57:23 +00:00
|
|
|
$expires = strtotime('+' . Security::inactiveMins() . ' minutes');
|
|
|
|
$token = array(
|
|
|
|
'key' => $authKey,
|
|
|
|
'expires' => $expires,
|
|
|
|
'allowedControllers' => $this->allowedControllers,
|
|
|
|
'allowedActions' => $this->allowedActions,
|
|
|
|
'disabledFields' => $this->disabledFields
|
|
|
|
);
|
2007-05-01 13:09:35 +00:00
|
|
|
|
2007-06-20 06:15:35 +00:00
|
|
|
if (!isset($controller->data)) {
|
2007-05-01 13:09:35 +00:00
|
|
|
$controller->data = array();
|
|
|
|
}
|
|
|
|
$controller->params['_Token'] = $token;
|
|
|
|
$this->Session->write('_Token', serialize($token));
|
|
|
|
}
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
/**
|
|
|
|
* Sets the default login options for an HTTP-authenticated request
|
|
|
|
*
|
2007-10-22 21:22:35 +00:00
|
|
|
* @param array $options Default login options
|
2007-05-01 13:09:35 +00:00
|
|
|
* @access private
|
|
|
|
*/
|
|
|
|
function __setLoginDefaults(&$options) {
|
2007-12-08 06:08:03 +00:00
|
|
|
$options = array_merge(array(
|
2007-10-09 21:00:32 +00:00
|
|
|
'type' => 'basic',
|
|
|
|
'realm' => env('SERVER_NAME'),
|
|
|
|
'qop' => 'auth',
|
|
|
|
'nonce' => String::uuid()
|
|
|
|
), array_filter($options));
|
2007-12-08 06:08:03 +00:00
|
|
|
$options = array_merge(array('opaque' => md5($options['realm'])), $options);
|
2007-05-01 13:09:35 +00:00
|
|
|
}
|
2006-06-16 20:06:11 +00:00
|
|
|
/**
|
2006-12-01 23:51:43 +00:00
|
|
|
* Calls a controller callback method
|
2006-06-16 20:06:11 +00:00
|
|
|
*
|
2007-10-22 21:22:35 +00:00
|
|
|
* @param object $controller Controller to run callback on
|
|
|
|
* @param string $method Method to execute
|
|
|
|
* @param array $params Parameters to send to method
|
|
|
|
* @return mixed Controller callback method's response
|
2006-11-28 00:00:23 +00:00
|
|
|
* @access private
|
2006-06-16 20:06:11 +00:00
|
|
|
*/
|
|
|
|
function __callback(&$controller, $method, $params = array()) {
|
2007-06-20 06:15:35 +00:00
|
|
|
if (is_callable(array($controller, $method))) {
|
2006-06-16 20:06:11 +00:00
|
|
|
return call_user_func_array(array(&$controller, $method), empty($params) ? null : $params);
|
|
|
|
} else {
|
|
|
|
// Debug::warning('Callback method ' . $method . ' in controller ' . get_class($controller)
|
|
|
|
return null;
|
|
|
|
}
|
|
|
|
}
|
2006-03-12 00:03:24 +00:00
|
|
|
}
|
2007-10-09 18:47:32 +00:00
|
|
|
?>
|