[BUGFIX] Log password attempt with empty password
[Packages/TYPO3.CMS.git] / typo3 / sysext / sv / class.tx_sv_auth.php
1 <?php
2 /***************************************************************
3 * Copyright notice
4 *
5 * (c) 2004-2011 René Fritz <r.fritz@colorcube.de>
6 * All rights reserved
7 *
8 * This script is part of the TYPO3 project. The TYPO3 project is
9 * free software; you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License as published by
11 * the Free Software Foundation; either version 2 of the License, or
12 * (at your option) any later version.
13 *
14 * The GNU General Public License can be found at
15 * http://www.gnu.org/copyleft/gpl.html.
16 * A copy is found in the textfile GPL.txt and important notices to the license
17 * from the author is found in LICENSE.txt distributed with these scripts.
18 *
19 *
20 * This script is distributed in the hope that it will be useful,
21 * but WITHOUT ANY WARRANTY; without even the implied warranty of
22 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
23 * GNU General Public License for more details.
24 *
25 * This copyright notice MUST APPEAR in all copies of the script!
26 ***************************************************************/
27 /**
28 * Service 'User authentication' for the 'sv' extension.
29 *
30 * @author René Fritz <r.fritz@colorcube.de>
31 */
32
33
34
35 /**
36 * Authentication services class
37 *
38 * @author René Fritz <r.fritz@colorcube.de>
39 * @package TYPO3
40 * @subpackage tx_sv
41 */
42 class tx_sv_auth extends tx_sv_authbase {
43
44
45 /**
46 * Find a user (eg. look up the user record in database when a login is sent)
47 *
48 * @return mixed user array or FALSE
49 */
50 function getUser() {
51 $user = FALSE;
52
53 if ($this->login['status'] == 'login') {
54 if ($this->login['uident']) {
55
56 $user = $this->fetchUserRecord($this->login['uname']);
57
58 if(!is_array($user)) {
59 // Failed login attempt (no username found)
60 $this->writelog(255, 3, 3, 2,
61 'Login-attempt from %s (%s), username \'%s\' not found!!',
62 array($this->authInfo['REMOTE_ADDR'], $this->authInfo['REMOTE_HOST'], $this->login['uname'])
63 ); // Logout written to log
64 t3lib_div::sysLog(
65 sprintf(
66 'Login-attempt from %s (%s), username \'%s\' not found!',
67 $this->authInfo['REMOTE_ADDR'],
68 $this->authInfo['REMOTE_HOST'],
69 $this->login['uname']
70 ),
71 'Core',
72 0
73 );
74 } else {
75 if ($this->writeDevLog) {
76 t3lib_div::devLog(
77 'User found: ' . t3lib_div::arrayToLogString(
78 $user, array($this->db_user['userid_column'], $this->db_user['username_column'])
79 ),
80 'tx_sv_auth'
81 );
82 }
83 }
84 } else {
85 // Failed Login attempt (no password given)
86 $this->writelog(255, 3, 3, 2,
87 'Login-attempt from %s (%s) for username \'%s\' with an empty password!',
88 array($this->authInfo['REMOTE_ADDR'], $this->authInfo['REMOTE_HOST'], $this->login['uname'])
89 );
90 t3lib_div::sysLog(
91 sprintf(
92 'Login-attempt from %s (%s), for username \'%s\' with an empty password!',
93 $this->authInfo['REMOTE_ADDR'],
94 $this->authInfo['REMOTE_HOST'],
95 $this->login['uname']
96 ),
97 'Core',
98 0
99 );
100 }
101 }
102 return $user;
103 }
104
105 /**
106 * Authenticate a user (Check various conditions for the user that might invalidate its authentication, eg. password match, domain, IP, etc.)
107 *
108 * @param array Data of user.
109 * @return boolean
110 */
111 public function authUser(array $user) {
112 $OK = 100;
113
114 if ($this->login['uident'] && $this->login['uname']) {
115
116 // Checking password match for user:
117 $OK = $this->compareUident($user, $this->login);
118
119 if(!$OK) {
120 // Failed login attempt (wrong password) - write that to the log!
121 if ($this->writeAttemptLog) {
122 $this->writelog(255,3,3,1,
123 "Login-attempt from %s (%s), username '%s', password not accepted!",
124 Array($this->authInfo['REMOTE_ADDR'], $this->authInfo['REMOTE_HOST'], $this->login['uname']));
125 t3lib_div::sysLog(
126 sprintf( "Login-attempt from %s (%s), username '%s', password not accepted!", $this->authInfo['REMOTE_ADDR'], $this->authInfo['REMOTE_HOST'], $this->login['uname'] ),
127 'Core',
128 0
129 );
130 }
131 if ($this->writeDevLog) t3lib_div::devLog('Password not accepted: '.$this->login['uident'], 'tx_sv_auth', 2);
132 }
133
134 // Checking the domain (lockToDomain)
135 if ($OK && $user['lockToDomain'] && $user['lockToDomain']!=$this->authInfo['HTTP_HOST']) {
136 // Lock domain didn't match, so error:
137 if ($this->writeAttemptLog) {
138 $this->writelog(255,3,3,1,
139 "Login-attempt from %s (%s), username '%s', locked domain '%s' did not match '%s'!",
140 Array($this->authInfo['REMOTE_ADDR'], $this->authInfo['REMOTE_HOST'], $user[$this->db_user['username_column']], $user['lockToDomain'], $this->authInfo['HTTP_HOST']));
141 t3lib_div::sysLog(
142 sprintf( "Login-attempt from %s (%s), username '%s', locked domain '%s' did not match '%s'!", $this->authInfo['REMOTE_ADDR'], $this->authInfo['REMOTE_HOST'], $user[$this->db_user['username_column']], $user['lockToDomain'], $this->authInfo['HTTP_HOST'] ),
143 'Core',
144 0
145 );
146 }
147 $OK = FALSE;
148 }
149 }
150
151 return $OK;
152 }
153
154 /**
155 * Find usergroup records, currently only for frontend
156 *
157 * @param array Data of user.
158 * @param array Group data array of already known groups. This is handy if you want select other related groups. Keys in this array are unique IDs of those groups.
159 * @return mixed Groups array, keys = uid which must be unique
160 */
161 function getGroups($user, $knownGroups) {
162 global $TYPO3_CONF_VARS;
163
164 $groupDataArr = array();
165
166 if($this->mode=='getGroupsFE') {
167
168 $groups = array();
169 if (is_array($user) && $user[$this->db_user['usergroup_column']]) {
170 $groupList = $user[$this->db_user['usergroup_column']];
171 $groups = array();
172 $this->getSubGroups($groupList,'',$groups);
173 }
174
175 // ADD group-numbers if the IPmask matches.
176 if (is_array($TYPO3_CONF_VARS['FE']['IPmaskMountGroups'])) {
177 foreach($TYPO3_CONF_VARS['FE']['IPmaskMountGroups'] as $IPel) {
178 if ($this->authInfo['REMOTE_ADDR'] && $IPel[0] && t3lib_div::cmpIP($this->authInfo['REMOTE_ADDR'],$IPel[0])) {$groups[]=intval($IPel[1]);}
179 }
180 }
181
182 $groups = array_unique($groups);
183
184 if (count($groups)) {
185 $list = implode(',',$groups);
186
187 if ($this->writeDevLog) t3lib_div::devLog('Get usergroups with id: '.$list, 'tx_sv_auth');
188
189 $lockToDomain_SQL = ' AND (lockToDomain=\'\' OR lockToDomain IS NULL OR lockToDomain=\''.$this->authInfo['HTTP_HOST'].'\')';
190 if (!$this->authInfo['showHiddenRecords']) $hiddenP = 'AND hidden=0 ';
191 $res = $GLOBALS['TYPO3_DB']->exec_SELECTquery('*', $this->db_groups['table'], 'deleted=0 '.$hiddenP.' AND uid IN ('.$list.')'.$lockToDomain_SQL);
192 while ($row = $GLOBALS['TYPO3_DB']->sql_fetch_assoc($res)) {
193 $groupDataArr[$row['uid']] = $row;
194 }
195 if ($res) $GLOBALS['TYPO3_DB']->sql_free_result($res);
196
197 } else {
198 if ($this->writeDevLog) t3lib_div::devLog('No usergroups found.', 'tx_sv_auth', 2);
199 }
200 } elseif ($this->mode=='getGroupsBE') {
201
202 # Get the BE groups here
203 # still needs to be implemented in t3lib_userauthgroup
204 }
205
206 return $groupDataArr;
207 }
208
209 /**
210 * Fetches subgroups of groups. Function is called recursively for each subgroup.
211 * Function was previously copied from t3lib_userAuthGroup->fetchGroups and has been slightly modified.
212 *
213 * @param string Commalist of fe_groups uid numbers
214 * @param string List of already processed fe_groups-uids so the function will not fall into a eternal recursion.
215 * @return array
216 * @access private
217 */
218 function getSubGroups($grList, $idList='', &$groups) {
219
220 // Fetching records of the groups in $grList (which are not blocked by lockedToDomain either):
221 $lockToDomain_SQL = ' AND (lockToDomain=\'\' OR lockToDomain IS NULL OR lockToDomain=\''.$this->authInfo['HTTP_HOST'].'\')';
222 if (!$this->authInfo['showHiddenRecords']) $hiddenP = 'AND hidden=0 ';
223 $res = $GLOBALS['TYPO3_DB']->exec_SELECTquery('uid,subgroup', 'fe_groups', 'deleted=0 '.$hiddenP.' AND uid IN ('.$grList.')'.$lockToDomain_SQL);
224
225 $groupRows = array(); // Internal group record storage
226
227 // The groups array is filled
228 while ($row = $GLOBALS['TYPO3_DB']->sql_fetch_assoc($res)) {
229 if(!in_array($row['uid'], $groups)) { $groups[] = $row['uid']; }
230 $groupRows[$row['uid']] = $row;
231 }
232
233 // Traversing records in the correct order
234 $include_staticArr = t3lib_div::intExplode(',', $grList);
235 foreach($include_staticArr as $uid) { // traversing list
236
237 // Get row:
238 $row=$groupRows[$uid];
239 if (is_array($row) && !t3lib_div::inList($idList,$uid)) { // Must be an array and $uid should not be in the idList, because then it is somewhere previously in the grouplist
240
241 // Include sub groups
242 if (trim($row['subgroup'])) {
243 $theList = implode(',',t3lib_div::intExplode(',',$row['subgroup'])); // Make integer list
244 $this->getSubGroups($theList, $idList.','.$uid, $groups); // Call recursively, pass along list of already processed groups so they are not recursed again.
245 }
246 }
247 }
248 }
249 }
250
251
252
253 if (defined('TYPO3_MODE') && isset($GLOBALS['TYPO3_CONF_VARS'][TYPO3_MODE]['XCLASS']['ext/sv/class.tx_sv_auth.php'])) {
254 include_once($GLOBALS['TYPO3_CONF_VARS'][TYPO3_MODE]['XCLASS']['ext/sv/class.tx_sv_auth.php']);
255 }
256 ?>