usergroups_cache = [];
$this->groupperm_cache = [[]];
$this->groupinclude_cache = [];
$this->get_object_permissions_for_user_cache = [];
$this->userobjectperm_cache = TikiLib::lib('cache')->getSerialized('userobjectperm_cache', 'userobjectperm') ?? [];
}
public function assign_object_permission($groupName, $objectId, $objectType, $permName)
{
$objectId = md5($objectType . TikiLib::strtolower($objectId));
$query = 'delete from `users_objectpermissions` where `objectId` = ? and `objectType`=?';
$bindvars = [$objectId, $objectType];
if (! empty($groupName)) {
$query .= ' and `groupName` = ?';
$bindvars[] = $groupName;
}
if (! empty($permName)) {
$query .= ' and `permName` = ?';
$bindvars[] = $permName;
}
$result = $this->query($query, $bindvars);
if (! empty($permName) && ! empty($groupName)) {
$query = 'insert into `users_objectpermissions`' .
' (`groupName`, `objectId`, `objectType`, `permName`)' .
' values(?, ?, ?, ?)';
$result = $this->query($query, [$groupName, $objectId, $objectType, $permName]);
}
if ($objectType == 'file gallery') {
$cachelib = TikiLib::lib('cache');
$cachelib->empty_type_cache('fgals_perms_' . $objectId . '_');
}
return true;
}
public function object_has_permission($user, $objectId, $objectType, $permName)
{
$groups = $this->get_user_groups($user);
$objectId = md5($objectType . TikiLib::strtolower($objectId));
$mid = implode(',', array_fill(0, count($groups), '?'));
$query = "select count(*) from `users_objectpermissions` where `groupName` in ($mid) and `objectId` = ? and `objectType` = ? and `permName` = ?";
$bindvars = array_merge($groups, [$objectId, $objectType, $permName]);
$result = $this->getOne($query, $bindvars);
if ($result > 0) {
return true;
} else {
return false;
}
}
public function remove_object_permission($groupName, $objectId, $objectType, $permName)
{
$objectId = md5($objectType . TikiLib::strtolower($objectId));
$query = 'delete from `users_objectpermissions`' .
' where`objectId` = ? and `objectType` = ?';
$bindvars = [$objectId, $objectType];
if (! empty($groupName)) {
$query .= ' and `groupName` = ? ';
$bindvars[] = $groupName;
}
if (! empty($permName)) {
$query .= ' and `permName` = ? ';
$bindvars[] = $permName;
}
$result = $this->query($query, $bindvars);
if ($objectType == 'file gallery') {
$cachelib = TikiLib::lib('cache');
$cachelib->empty_type_cache('fgals_perms_' . $objectId . '_');
}
return true;
}
public function copy_object_permissions($objectId, $destinationObjectId, $objectType)
{
$objectId = md5($objectType . TikiLib::strtolower($objectId));
$query = "select `permName`, `groupName`
from `users_objectpermissions`
where `objectId` =? and
`objectType` = ?";
$bindvars = [$objectId, $objectType];
$result = $this->query($query, $bindvars);
while ($res = $result->fetchRow()) {
$this->assign_object_permission($res["groupName"], $destinationObjectId, $objectType, $res["permName"]);
}
return true;
}
public function get_object_permissions($objectId, $objectType, $group = '', $perm = '')
{
$objectId = md5($objectType . TikiLib::strtolower($objectId));
$query = "select `groupName`, `permName`
from `users_objectpermissions`
where `objectId` = ? and
`objectType` = ?";
$bindvars = [$objectId, $objectType];
if (! empty($group)) {
$query .= ' and `groupName`=?';
$bindvars[] = $group;
}
if (! empty($perm)) {
$query .= ' and `permName`=?';
$bindvars[] = $perm;
}
return $this->fetchAll($query, $bindvars);
}
public function get_object_permissions_for_user($objectId, $objectType, $user)
{
$params = md5($objectId . $objectType . $user);
//Check the cache for these parameters
if (array_key_exists($params, $this->get_object_permissions_for_user_cache)) {
return $this->get_object_permissions_for_user_cache[$params];
}
$objectId = md5($objectType . TikiLib::strtolower($objectId));
$bindvars = [$objectId, $objectType];
$groups = $this->get_user_groups($user);
$bindvars = array_merge($bindvars, $groups);
$query = 'select `permName` ' .
' from `users_objectpermissions`' .
' where `objectId` = ? and `objectType` = ?' .
' and `groupName` in (' . implode(',', array_fill(0, count($groups), '?')) . ')';
$result = $this->query($query, $bindvars);
$ret = [];
while ($res = $result->fetchRow()) {
$ret[] = $res['permName'];
}
//Cache the result for this set of parameters
$this->get_object_permissions_for_user_cache[$params] = $ret;
return $ret;
}
public function object_has_one_permission($objectId, $objectType)
{
$objectId = md5($objectType . TikiLib::strtolower($objectId));
if (
! isset($this->userobjectperm_cache) || ! is_array($this->userobjectperm_cache)
|| ! isset($this->userobjectperm_cache[$objectId])
) {
// i think, we really dont need the "and `objectType`=?" because the objectId should be unique due to the md5()
$query = 'select count(*) from `users_objectpermissions` where `objectId`=? and `objectType`=?';
$this->userobjectperm_cache[$objectId] = $this->getOne($query, [$objectId, $objectType]);
TikiLib::lib('cache')->cacheItem('userobjectperm_cache', serialize($this->userobjectperm_cache), 'userobjectperm');
}
return $this->userobjectperm_cache[$objectId];
}
public function user_exists($user)
{
if (! isset($userexists_cache[$user])) {
$query = 'select count(*) from `users_users` where upper(`login`) = ?';
$result = $this->getOne($query, [TikiLib::strtoupper($user)]);
$userexists_cache[$user] = $result;
}
return $userexists_cache[$user];
}
public function user_exists_by_email($email)
{
if (! isset($userexists_cache[$email])) {
$query = 'select count(*) from `users_users` where upper(`email`) = ?';
$result = $this->getOne($query, [TikiLib::strtoupper($email)]);
$userexists_cache[$email] = $result;
}
return $userexists_cache[$email];
}
public function get_user_real_case($user)
{
$query = 'select `login` from `users_users` where upper(`login`) = ?';
return $this->getOne($query, [TikiLib::strtoupper($user)]);
}
public function group_exists($group)
{
return in_array($group, $this->list_all_groups());
}
/**
* @param string $user : username
* @param bool $remote_logout : logged out remotely (so do not redirect)
* @param string $redir : url to redirect to. Uses home page according to prefs if empty
* @return void : redirects to suitable homepage or redir param if not remote
*/
public function user_logout($user, $remote_logout = false, $redir = '')
{
global $prefs, $user_cookie_site;
$logslib = TikiLib::lib('logs');
$logslib->add_log('login', 'logged out');
$userInfo = $this->get_user_info($user);
if ($prefs['login_multiple_forbidden'] === 'y') {
$this->delete_user_cookie($userInfo['userId']);
} else if (! empty($_COOKIE[$user_cookie_site])) {
$secret = explode('.', $_COOKIE[$user_cookie_site]);
$this->delete_user_cookie($userInfo['userId'], $secret[0]);
}
if ($prefs['feature_intertiki'] == 'y' and $prefs['feature_intertiki_sharedcookie'] == 'y' and ! empty($prefs['feature_intertiki_mymaster'])) {
$remote = $prefs['interlist'][$prefs['feature_intertiki_mymaster']];
$remote['path'] = preg_replace('/^\/?/', '/', $remote['path']);
$client = new XML_RPC_Client($remote['path'], $remote['host'], $remote['port']);
$client->setDebug(0);
$msg = new XML_RPC_Message(
'intertiki.logout',
[
new XML_RPC_Value($prefs['tiki_key'], 'string'),
new XML_RPC_Value($user, 'string')
]
);
$client->send($msg);
}
// more local cleanup originally from tiki-logout.php
// go offline in Live Support
if ($prefs['feature_live_support'] == 'y') {
$access = TikiLib::lib('access');
global $lslib;
include_once('lib/live_support/lslib.php');
if ($lslib->get_operator_status($user) != 'offline') {
$lslib->set_operator_status($user, 'offline');
}
}
if ($prefs['auth_method'] === 'saml' && $prefs['saml_options_slo'] == 'y') {
$saml_instance = $this->get_saml_auth();
if (isset($saml_instance)) {
$nameId = null;
$sessionIndex = null;
if (isset($_SESSION['saml_nameid'])) {
$nameId = $_SESSION['saml_nameid'];
}
if (isset($_SESSION['saml_sessionindex'])) {
$sessionIndex = $_SESSION['saml_sessionindex'];
}
$saml_instance->logout(null, [], $nameId, $sessionIndex);
}
}
setcookie($user_cookie_site, '', -3600, $prefs['feature_intertiki_sharedcookie'] == 'y' ? '/' : $prefs['cookie_path'], $prefs['cookie_domain']);
/* change group home page or deactivate if no page is set */
if (! empty($redir)) {
$url = $redir;
} elseif (($groupHome = $this->get_group_home('Anonymous')) != '') {
$url = (preg_match('/^(\/|https?:)/', $groupHome)) ? $groupHome : 'tiki-index.php?page=' . $groupHome;
} else {
$url = $prefs['site_tikiIndex'];
}
// RFC 2616 defines that the 'Location' HTTP headerconsists of an absolute URI
if (! preg_match('/^https?\:/i', $url)) {
global $url_scheme, $url_host, $url_port, $base_url;
$url = (preg_match('#^/#', $url) ? $url_scheme . '://' . $url_host . (($url_port != '') ? ":$url_port" : '') : $base_url) . $url;
}
if (SID) {
$url .= '?' . SID;
}
if ($prefs['auth_method'] === 'cas' && $user !== 'admin' && $user !== '' && $prefs['cas_force_logout'] === 'y') {
phpCAS::logoutWithRedirectService($url);
}
unset($_SESSION['cas_validation_time']);
unset($_SESSION[$user_cookie_site]);
session_unset();
session_destroy();
if ($remote_logout) {
return;
}
if ($prefs['auth_method'] === 'ws') {
header('Location: ' . str_replace('//', '//admin:@', $url)); // simulate a fake login to logout the user
} else {
header('Location: ' . $url);
}
return;
}
/**
* @see TikiLib::genPass()
* TODO: Merge with the above
*/
public static function genPass()
{
// AWC: enable mixed case and digits, don't return too short password
global $prefs;
$vocales = 'AaEeIiOoUu13580';
$consonantes = 'BbCcDdFfGgHhJjKkLlMmNnPpQqRrSsTtVvWwXxYyZz24679';
$r = '';
$passlen = ($prefs['min_pass_length'] > 5) ? $prefs['min_pass_length'] : 5;
for ($i = 0; $i < $passlen; $i++) {
if ($i % 2) {
$r .= $vocales[rand(0, strlen($vocales) - 1)];
} else {
$r .= $consonantes[rand(0, strlen($consonantes) - 1)];
}
}
return $r;
}
/**
* Force a logout for the specified user
* @param $user
*/
public function force_logout($user)
{
if (! empty($user)) {
// Clear the timestamp for the existing session,
// which will force a logout next time the user accesses the session
$this->query('delete from `tiki_sessions` where `user`=?', [$user]);
// Add a log entry
$logslib = TikiLib::lib('logs');
$logslib->add_log("login", "logged out", $user, '', '', $this->now);
}
}
// For each auth method, validate user in auth, if valid, verify tiki user exists and create if necessary (as configured)
// Once complete, update_lastlogin and return result, username and login message.
/**
* Validate a user
* @param user: username
* @param pass: password
* @param twoFactorCode: ???
* @param validate_phase: If true, user followed the link from validation email after creation of account
* @param for_login: If true, we are validating user for login purpose. If false, we are only checking that user is valid (for check of current password for example)
*/
public function validate_user($user, $pass, $validate_phase = false, $twoFactorCode = null, $for_login = true)
{
global $prefs;
$user = str_replace(chr(0), '', $user);
$pass = str_replace(chr(0), '', $pass);
if ($user != 'admin' && $prefs['feature_intertiki'] == 'y' && ! empty($prefs['feature_intertiki_mymaster'])) {
// slave intertiki sites should never check passwords locally, just for admin
return false;
}
// these will help us keep tabs of what is going on
$userTiki = false;
$userTikiPresent = false;
$userLdap = false;
$userLdapPresent = false;
// read basic pam options
$auth_pam = ($prefs['auth_method'] == 'pam');
$pam_create_tiki = ($prefs['pam_create_user_tiki'] == 'y');
$pam_skip_admin = ($prefs['pam_skip_admin'] == 'y');
// read basic LDAP options
$auth_ldap = ($prefs['auth_method'] == 'ldap');
$ldap_create_tiki = ($prefs['ldap_create_user_tiki'] == 'y');
$create_auth = ($prefs['ldap_create_user_ldap'] == 'y');
$skip_admin = ($prefs['ldap_skip_admin'] == 'y');
// read basic cas options
$auth_cas = ($prefs['auth_method'] == 'cas');
$cas_create_tiki = ($prefs['cas_create_user_tiki'] == 'y');
$cas_skip_admin = ($prefs['cas_skip_admin'] == 'y');
// read basic phpbb options
$auth_phpbb = ($prefs['auth_method'] == 'phpbb');
$phpbb_create_tiki = ($prefs['auth_phpbb_create_tiki'] == 'y');
$phpbb_skip_admin = ($prefs['auth_phpbb_skip_admin'] == 'y');
$phpbb_disable_tikionly = ($prefs['auth_phpbb_disable_tikionly'] == 'y');
// see if we are to use Shibboleth
$auth_shib = ($prefs['auth_method'] == 'shib');
$shib_create_tiki = ($prefs['shib_create_user_tiki'] == 'y');
$shib_skip_admin = ($prefs['shib_skip_admin'] == 'y');
// see if we are to use SAML
$auth_saml = ($prefs['auth_method'] == 'saml');
$saml_create_tiki = (isset($prefs['saml_options_autocreates']) && $prefs['saml_options_autocreates'] == 'y');
$saml_skip_admin = (isset($prefs['saml_options_skip_admin']) && $prefs['saml_options_skip_admin'] == 'y');
// first attempt a login via the standard Tiki system
//
if (! ($auth_shib || $auth_cas || $auth_saml) || $user == 'admin') { //redflo: does this mean, that users in cas and shib are not replicated to tiki tables? Does this work well?
list($result, $user) = $this->validate_user_tiki($user, $pass, $validate_phase);
} else {
$result = null;
}
// If preference login_multiple_forbidden is set, don't let user login if already logged in
if ($result == USER_VALID && $prefs['login_multiple_forbidden'] == 'y' && $for_login == true && $user != 'admin') {
$tikilib = TikiLib::lib('tiki');
$grabSessionOnAlreadyLoggedIn = ! empty($prefs['login_grab_session']) ? $prefs['login_grab_session'] : 'n';
if ($grabSessionOnAlreadyLoggedIn === 'y') {
// Log out first, then proceed to log in again
$this->force_logout($user);
} else {
$tikilib->update_session();
if ($tikilib->is_user_online($user)) {
$result = USER_ALREADY_LOGGED;
}
}
}
switch ($result) {
case USER_VALID:
$userTiki = true;
$userTikiPresent = true;
break;
case USER_ALREADY_LOGGED:
$userTikiPresent = true;
break;
case PASSWORD_INCORRECT:
$userTikiPresent = true;
break;
}
// if we aren't using LDAP this will be quick
// if we are using tiki auth or if we're using an alternative auth except for admin
// todo: bad hack. better search for a more general solution here
if (
(! $auth_ldap && ! $auth_pam && ! $auth_cas && ! $auth_shib && ! $auth_saml && ! $auth_phpbb)
|| (
( ($auth_ldap && $skip_admin)
|| ($auth_shib && $shib_skip_admin)
|| ($auth_saml && $saml_skip_admin)
|| ($auth_pam && $pam_skip_admin)
|| ($auth_cas && $cas_skip_admin)
|| ($auth_phpbb && $phpbb_skip_admin)
)
&& $user == 'admin')
|| ($auth_ldap && ($prefs['auth_ldap_permit_tiki_users'] == 'y' && $userTiki))
) {
// if the user verified ok, log them in
if ($userTiki) {//user validated in tiki, update lastlogin and be done
if ($auth_ldap) {
return [$this->_ldap_sync_and_update_lastlogin($user, $pass), $user, $result, 'tiki'];
}
return [$this->_ldap_sync_and_update_lastlogin($user, $pass), $user, $result];
// if the user password was incorrect but the account was there, give an error
} elseif ($userTikiPresent) { //user ixists in tiki but bad password
return [false, $user, $result];
} else {
// if the user was not found, give an error
// this could be for future uses
return [false, $user, $result];
}
// For the alternate auth methods, attempt to validate user
// return back one of two conditions
// Valid User or Bad password
// next see if we need to check PAM
} elseif ($auth_pam) {
$result = $this->validate_user_pam($user, $pass);
switch ($result) {
case USER_VALID:
$userPAM = true;
break;
case PASSWORD_INCORRECT:
$userPAM = false;
break;
}
// start off easy
// if the user verified in Tiki and PAM, log in
if ($userPAM && $userTiki) {
return [$this->_ldap_sync_and_update_lastlogin($user, $pass), $user, $result];
} elseif (! $userTikiPresent && ! $userPAM) { // if the user wasn't found in either system, just fail
return [false, $user, $result];
} elseif ($userPAM && ! $userTikiPresent) { // if the user was logged into PAM but not found in Tiki
// see if we can create a new account
if ($pam_create_tiki) {
// need to make this better! *********************************************************
$result = $this->add_user($user, $pass, '');
// if it worked ok, just log in
if ($result == USER_VALID) {
// before we log in, update the login counter
return [$this->_ldap_sync_and_update_lastlogin($user, $pass), $user, $result];
// if the server didn't work, do something!
} elseif ($result == SERVER_ERROR) {
// check the notification status for this type of error
return [false, $user, $result];
} else {
// otherwise don't log in.
return [false, $user, $result];
}
} else {
// otherwise
// just say no!
return [false, $user, $result];
}
} elseif ($userPAM && $userTikiPresent) {
// if the user was logged into PAM and found in Tiki (no password in Tiki user table necessary)
return [$this->_ldap_sync_and_update_lastlogin($user, $pass), $user, $result];
}
} elseif ($auth_cas) {
// next see if we need to check CAS
$result = $this->validate_user_cas($user);
switch ($result) {
case USER_VALID:
$userCAS = true;
break;
case PASSWORD_INCORRECT:
$userCAS = false;
break;
}
if ($this->user_exists($user)) {
$userTikiPresent = true;
} else {
$userTikiPresent = false;
}
// start off easy
// if the user verified in Tiki and by CAS, log in
if ($userCAS && $userTikiPresent) {
return [$this->_ldap_sync_and_update_lastlogin($user, $pass), $user, $result];
} elseif (! $userCAS) {
// if the user wasn't authenticated through CAS, just fail
return [false, $user, $result];
} elseif ($userCAS && ! $userTikiPresent) {
// if the user was authenticated by CAS but not found in Tiki
// see if we can create a new account
if ($cas_create_tiki) {
// need to make this better! *********************************************************
$randompass = $this->genPass();
// in case CAS auth is turned off accidentally;
// we don't want ppl to be able to login as any user with blank passwords
$result = $this->add_user($user, $randompass, '');
// if it worked ok, just log in
if ($result == USER_VALID) {
// before we log in, update the login counter
return [$this->_ldap_sync_and_update_lastlogin($user, $pass), $user, $result];
// if the server didn't work, do something!
} elseif ($result == SERVER_ERROR) {
// check the notification status for this type of error
return [false, $user, $result];
} else {
// otherwise don't log in.
return [false, $user, $result];
}
} else {
// otherwise
// just say no!
return [false, $user, $result];
}
} elseif ($userCAS && $userTikiPresent) {
// if the user was authenticated by CAS and found in Tiki (no password in Tiki user table necessary)
return [$this->_ldap_sync_and_update_lastlogin($user, $pass), $user, $result];
}
} elseif ($auth_shib) {
// next see if we need to check Shibboleth
if ($this->user_exists($user)) {
$userTikiPresent = true;
} else {
$userTikiPresent = false;
}
// Shibboleth login was not successful
if (! isset($_SERVER['HTTP_SHIB_IDENTITY_PROVIDER'])) {
return false;
}
// Collect the shibboleth related attributes.
$shibmail = $_SERVER['HTTP_MAIL'];
$shibaffiliation = $_SERVER['HTTP_SHIB_EP_UNSCOPEDAFFILIATION'];
$shibproviderid = $_SERVER['HTTP_SHIB_IDENTITY_PROVIDER'];
// Get the affiliation information to log in
$shibaffiliarray = preg_split('/;/', TikiLib::strtoupper($shibaffiliation));
$validaffiliarray = preg_split('/,/', TikiLib::strtoupper($prefs['shib_affiliation']));
$validafil = false;
foreach ($shibaffiliarray as $affil) {
if (in_array($affil, $validaffiliarray)) {
$validafil = true;
}
}
// start off easy
// if the user verified in Tiki and by Shibboleth, log in
if ($userTikiPresent && $validafil) {
return [$this->_ldap_sync_and_update_lastlogin($user, $pass), $user, USER_VALID];
} else {
$smarty = TikiLib::lib('smarty');
// see if we can create a new account
if ($shib_create_tiki) {
if (! (strlen($user) > 0 and strlen($shibmail) > 0 and strlen($shibaffiliation) > 0)) {
$errmsg = 'User registration error: You do not have the required shibboleth attributes (';
if (strlen($user) == 0) {
$errmsg = $errmsg . 'User ';
}
if (strlen($shibmail) == 0) {
$errmsg = $errmsg . 'Mail ';
}
if (strlen($shibaffiliation) == 0) {
$errmsg = $errmsg . 'Affiliation ';
}
$errmsg = $errmsg . '). For further information on this error goto the ((ShibReg)) Page';
$smarty->assign('msg', $errmsg);
$smarty->display('error.tpl');
exit;
} else {
if ($validafil) {
// Create the user
// need to make this better! *********************************************************
$randompass = $this->genPass();
// in case Shibboleth auth is turned off accidentally;
// we don't want ppl to be able to login as any user with blank passwords
$result = $this->add_user($user, $randompass, $shibmail);
// if it worked ok, just log in
if ($result == USER_VALID) {
// Add to the default Group
if ($prefs['shib_usegroup'] == 'y') {
$result = $this->assign_user_to_group($user, $prefs['shib_group']);
}
// before we log in, update the login counter
return [$this->_ldap_sync_and_update_lastlogin($user, $randompass), $user, $result];
} elseif ($result == SERVER_ERROR) {
// if the server didn't work, do something!
// check the notification status for this type of error
return [false, $user, $result];
} else {
// otherwise don't log in.
return [false, $user, $result];
}
} else {
$vaffils = '';
foreach ($validaffiliarray as $vaffil) {
$vaffils = $vaffils . $vaffil . ", ";
}
$vaffils = rtrim($vaffils, ", ");
$errmsg = 'User login error
' .
'
You must have one of the following affiliations to get into this wiki.
' .
'' . $vaffils . '
' .
'For further information on this error goto the Shibreg Page';
$smarty->assign('msg', $errmsg);
$smarty->display('error.tpl');
exit;
}
}
} else {
$smarty->assign('msg', 'The user [ ' . $user . ' ] is not registered with this wiki.');
$smarty->display('error.tpl');
exit;
}
}
} elseif ($auth_saml) {
// next see if we need to check SAML
if (
isset($_SESSION['samlUserdata']) && ! empty($_SESSION['samlUserdata']) ||
isset($_SESSION['samlNameId']) && ! empty($_SESSION['samlNameId'])
) {
$saml_username = $saml_email = '';
$saml_groups = [];
if (empty($_SESSION['samlUserdata'])) {
$saml_username = $_SESSION['samlNameId'];
$saml_email = $saml_username;
} else {
$usernameMapping = $prefs['saml_attrmap_username'] ?? '';
$emailMapping = $prefs['saml_attrmap_mail'] ?? '';
$groupMapping = $prefs['saml_attrmap_group'] ?? '';
if (! empty($usernameMapping) && isset($_SESSION['samlUserdata'][$usernameMapping]) && ! empty($_SESSION['samlUserdata'][$usernameMapping][0])) {
$saml_username = $_SESSION['samlUserdata'][$usernameMapping][0];
}
if (! empty($emailMapping) && isset($_SESSION['samlUserdata'][$emailMapping]) && ! empty($_SESSION['samlUserdata'][$usernameMapping][0])) {
$saml_email = $_SESSION['samlUserdata'][$emailMapping][0];
}
if (! empty($groupMapping) && isset($_SESSION['samlUserdata'][$groupMapping]) && ! empty($_SESSION['samlUserdata'][$groupMapping])) {
$group_values = $_SESSION['samlUserdata'][$groupMapping];
foreach ($group_values as $group_value) {
if (isset($prefs['saml_groupmap_admins']) && ! empty($prefs['saml_groupmap_admins'])) {
if (strcasecmp($prefs['saml_groupmap_admins'], $group_value) == 0) {
$saml_groups[] = "Admins";
}
}
if (isset($prefs['saml_groupmap_registered']) && ! empty($prefs['saml_groupmap_registered'])) {
if (strcasecmp($prefs['saml_groupmap_registered'], $group_value) == 0) {
$saml_groups[] = "Registered";
}
}
}
}
// Code SAML Custom role here
}
$matcher = $prefs['saml_option_account_matcher'] ?? 'email';
if ($matcher == 'email') {
if (empty($saml_email)) {
Feedback::error(tra("The email could not be retrieved from the IdP and is required"));
return [false, $user, SERVER_ERROR];
} else {
$username = $this->get_user_by_email($saml_email);
if ($this->user_exists($username)) {
$userTikiPresent = true;
} else {
$userTikiPresent = false;
if (! isset($prefs['saml_options_autocreate']) || $prefs['saml_options_autocreate'] != 'y') {
Feedback::error(tr('The user [ %0 ] is not registered with this wiki and autocreate is disabled.', $saml_email));
return [false, $username, USER_NOT_FOUND];
}
}
}
} else {
if (empty($saml_username)) {
Feedback::error(tra("The username could not be retrieved from the IdP and is required"));
return [false, $user, SERVER_ERROR];
} else {
$username = $saml_username;
if ($this->user_exists($saml_username)) {
$userTikiPresent = true;
} else {
$userTikiPresent = false;
if (! isset($prefs['saml_options_autocreate']) || $prefs['saml_options_autocreate'] != 'y') {
Feedback::error(tr('The user [ %0 ] is not registered with this wiki and autocreate is disabled.', $saml_username));
return [false, $username, USER_NOT_FOUND];
}
}
}
}
if (empty($username)) {
$username = $saml_username;
}
$cookie_site = preg_replace("/[^a-zA-Z0-9]/", "", $prefs['cookie_name']);
$user_cookie_site = 'tiki-user-' . $cookie_site;
$_SESSION["$user_cookie_site"] = $username;
$randompass = $this->genPass();
if (! $userTikiPresent) {
// Create user
if (empty($saml_groups)) {
if (isset($prefs['saml_option_default_group']) && ! empty($prefs['saml_option_default_group'])) {
$saml_groups[] = $prefs['saml_option_default_group'];
}
}
$result = $this->add_user($username, $randompass, $saml_email, '', false, null, null, null, $saml_groups);
if (! $result) {
Feedback::error(tr('The user [ %0|%1 ] is not registered with this wiki and the creation process failed.', $username, $saml_email));
return [false, $username, SERVER_ERROR];
}
// if it worked ok, just log in
if ($result == USER_VALID) {
// before we log in, update the login counter
return [$this->update_lastlogin($username), $username, $result];
} elseif ($result == SERVER_ERROR) {
// check the notification status for this type of error
return [false, $username, $result];
} else {
// otherwise don't log in.
return [false, $username, $result];
}
} else {
// Update user
if ($username != 'admin') { // Prevent change groups of the admin account
if (isset($prefs['saml_options_sync_group']) && $prefs['saml_options_sync_group'] == 'y') {
if (! empty($saml_groups)) {
$this->assign_user_to_groups($username, $saml_groups);
}
}
}
return [$this->update_lastlogin($username), $username, USER_VALID];
}
}
} elseif ($auth_ldap) {
// next see if we need to check LDAP
// check the user account
$result = $this->validate_user_ldap($user, $pass);
switch ($result) {
case USER_VALID:
$userLdap = true;
$userLdapPresent = true;
break;
case PASSWORD_INCORRECT:
$userLdapPresent = true;
break;
}
// start off easy
// if the user is in Tiki and password is verified in LDAP, log in
if ($userLdap && $userTikiPresent) {
if ($userLdapPresent) {
# Sync again user attributes from LDAP (such as the RealName, mail and country) with user data in Tiki to prevent un-sync'ing them in a later stage
$this->init_ldap($user, $pass);
$this->ldap_sync_user_data($user, $this->ldap->get_user_attributes());
}
return [$this->_ldap_sync_and_update_lastlogin($user, $pass), $user, $result];
} elseif (! $userTikiPresent && ! $userLdapPresent) {
// if the user wasn't found in either system, just fail
return [false, $user, $result];
} elseif ($userTiki && ! $userLdapPresent) {
// if the user was logged into Tiki but not found in LDAP
// see if we can create a new account
if ($create_auth) {
// need to make this better! *********************************************************
$result = $this->create_user_ldap($user, $pass);
// if it worked ok, just log in
if ($result == USER_VALID) {
// before we log in, update the login counter
return [$this->_ldap_sync_and_update_lastlogin($user, $pass), $user, $result];
} elseif ($result == SERVER_ERROR) {
// if the server didn't work, do something!
// check the notification status for this type of error
return [false, $user, $result];
} else { // otherwise don't log in.
return [false, $user, $result];
}
} else {
// otherwise
// just say no!
return [false, $user, $result];
}
} elseif ($userLdap && ! $userTikiPresent) {
// if the user was logged into Auth but not found in Tiki
// see if we are allowed to create a new account
if ($ldap_create_tiki) {
$ldap_user_attr = $this->ldap->get_user_attributes();
// Get user attributes such as the real name, email and country from the data received by the ldap auth
$this->ldap_sync_user_data($user, $ldap_user_attr);
// Use what was configured in ldap admin config, otherwise assume the attribute name is "mail" as is usual
$email = $ldap_user_attr[empty($prefs['auth_ldap_emailattr']) ? 'mail' : $prefs['auth_ldap_emailattr']];
$result = $this->add_user($user, $pass, $email);
$this->disable_tiki_auth($user); //disable that user's password in tiki - since we use ldap
// if it worked ok, just log in
if ($result == $user) {
// before we log in, update the login counter
return [$this->_ldap_sync_and_update_lastlogin($user, $pass), $user, $result];
} elseif ($result == SERVER_ERROR) {
// if the server didn't work, do something!
// check the notification status for this type of error
return [false, $user, $result];
} else { // otherwise don't log in.
return [false, $user, $result];
}
} else { // otherwise
// just say no!
return [false, $user, $result];
}
} elseif ($userLdap && $userTikiPresent) {
// if the user was logged into Auth and found in Tiki (no password in Tiki user table necessary)
return [$this->_ldap_sync_and_update_lastlogin($user, $pass), $user, $result];
}
} elseif ($auth_phpbb) {
$result = $this->validate_user_phpbb($user, $pass);
switch ($result) {
case USER_VALID:
$userPhpbb = true;
break;
case PASSWORD_INCORRECT:
$userPhpbb = false;
break;
}
// start off easy
// if the user verified in Tiki and phpBB, log in
if ($userPhpbb && $userTiki) {
return [$this->_ldap_sync_and_update_lastlogin($user, $pass), $user, $result];
} elseif (! $userTikiPresent && ! $userPhpbb) {
// if the user wasn't found in either system, just fail
return [false, $user, USER_UNKNOWN];
} elseif ($userPhpbb && ! $userTikiPresent) {
// if the user was logged into phpBB but not found in Tiki
// see if we can create a new account
if ($phpbb_create_tiki) {
// get the user email and then add the user to Tiki
$the_email = $this->phpbbauth->grabEmail($user);
$result = $this->add_user($user, $pass, $the_email);
// if it worked ok, just log in
if ($result == USER_VALID) {
// before we log in, update the login counter
return [$this->_ldap_sync_and_update_lastlogin($user, $pass), $user, $result];
} elseif ($result == SERVER_ERROR) { // if the server didn't work, do something!
// check the notification status for this type of error
return [false, $user, $result];
} else { // otherwise don't log in.
return [false, $user, $result];
}
} else { // otherwise
// just say no!
return [false, $user, $result];
}
} elseif ($userTikiPresent && ! $userPhpbb) {
// if the user was found in Tiki, but not found in phpBB, we should probably disable the user
if ($phpbb_disable_tikionly) {
// would probably be better do flag the user as not active? How do you do that?
// and it also would be better to check if the user is active first.. :)
$this->invalidate_account($user);
$logslib = TikiLib::lib('logs');
$logslib->add_log('auth_phpbb', 'NOTICE: Invalidated user ' . $user . ' due to missing phpBB account.');
}
return [false, $user, ACCOUNT_DISABLED];
// if the user was logged into phpBB and found in Tiki (no password in Tiki user table necessary)
} elseif ($userPhpbb && $userTikiPresent) {
return [$this->_ldap_sync_and_update_lastlogin($user, $pass), $user, $result];
}
}
// we will never get here
return [false, $user, $result];
}
// validate the user through PAM
public function validate_user_pam($user, $pass)
{
global $prefs;
$tikilib = TikiLib::lib('tiki');
// just make sure we're supposed to be here
if ($prefs['auth_method'] != 'pam') {
return false;
}
// Read page AuthPAM at tw.o, it says about a php module required.
// maybe and if extension line could be added here... module requires $error
// as reference.
$error = '';
if (pam_auth($user, $pass, $error)) {
return USER_VALID;
} else {
// Uncomment the following to see errors on that
// error_log("TIKI ERROR PAM: $error User: $user Pass: $pass");
return PASSWORD_INCORRECT;
}
}
public function check_cas_authentication($user_cookie_site)
{
global $prefs, $webdav_access;
$tikilib = TikiLib::lib('tiki');
// Avoid CAS authentication check if the client is not able to handle HTTP redirects to another domain. This includes:
// - WebDAV requests
// - Javascript/AJAX requests
//
if (
( isset($webdav_access) && $webdav_access === true )
|| ( isset($_SERVER['HTTP_X_REQUESTED_WITH']) && $_SERVER['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest' )
) {
return true;
}
// just make sure we're supposed to be here
if (! $this->_init_cas_client()) {
return false;
}
if (! empty($_SESSION['phpCAS']['user'])) {
$_SESSION[$user_cookie_site] = strtolower($_SESSION['phpCAS']['user']);
}
if (isset($_REQUEST['ticket']) && empty($_SESSION[$user_cookie_site])) {
$cas_user = '';
$_SESSION['cas_is_validating'] = false;
$this->validate_user_cas($cas_user, true);
die();
}
// Check for CAS (re-)validation
// Only if :
// - using CAS auth method
// - not calling tiki-login.php nor tiki-logout.php
// - not using 'admin' user
// - the request is not a POST ( which does not keep its params with CAS redirections )
// - either the CAS validation timed out or the validation process has not ended within 5 seconds which often means that the redirection to the CAS server failed
//
if (
php_sapi_name() !== 'cli'
&& (isset($_SESSION[$user_cookie_site]) || $prefs['cas_autologin'] == 'y')
&& basename($_SERVER['SCRIPT_NAME']) != 'tiki-login.php'
&& basename($_SERVER['SCRIPT_NAME']) != 'tiki-logout.php'
&& (! isset($_SESSION[$user_cookie_site]) || $_SESSION[$user_cookie_site] != 'admin' )
&& empty($_POST)
&& ( ( $prefs['cas_authentication_timeout'] && $tikilib->now - $_SESSION['cas_validation_time'] > $prefs['cas_authentication_timeout'] )
|| ( isset($_SESSION['cas_is_validating']) && $_SESSION['cas_is_validating'] === true && $tikilib->now - $_SESSION['cas_validation_time'] > 5 ) )
) {
unset($_SESSION["$user_cookie_site"]);
unset($_SESSION['phpCAS']['user']);
$_SESSION['cas_validation_time'] = $tikilib->now;
$_SESSION['cas_is_validating'] = true;
$cas_user = '';
// phpCAS will always redirect to CAS validate URL
$this->validate_user_cas($cas_user, true);
die();
}
}
public function _init_cas_client()
{
global $prefs;
// just make sure we're supposed to be here
if ($prefs['auth_method'] != 'cas') {
return false;
}
if (self::$cas_initialized === false) {
// initialize phpCAS
phpCAS::client($prefs['cas_version'], '' . $prefs['cas_hostname'], (int) $prefs['cas_port'], '' . $prefs['cas_path'], false);
self::$cas_initialized = true;
}
return true;
}
// validate the user through CAS
public function validate_user_cas(&$user, $checkOnly = false)
{
global $prefs, $base_url;
$tikilib = TikiLib::lib('tiki');
// just make sure we're supposed to be here
if (! $this->_init_cas_client()) {
return false;
}
// Redirect to this URL after authentication
if (! empty($prefs['cas_extra_param']) && basename($_SERVER['SCRIPT_NAME']) == 'tiki-login.php') {
phpCAS::setFixedServiceURL($base_url . 'tiki-login.php?cas=y&' . $prefs['cas_extra_param']);
}
// check CAS authentication
phpCAS::setNoCasServerValidation();
if ($checkOnly) {
unset($_SESSION['phpCAS']['auth_checked']);
$auth = phpCAS::checkAuthentication();
} else {
$auth = phpCAS::forceAuthentication();
}
$_SESSION['cas_validation_time'] = $tikilib->now;
// at this step, the user has been authenticated by the CAS server
// and the user's login name can be read with phpCAS::getUser().
if ($auth && ($user = strtolower(phpCAS::getUser()))) {
return USER_VALID;
} else {
$user = null;
return PASSWORD_INCORRECT;
}
}
/**
* Get php-saml auth object
*/
public function check_saml_authentication($user_cookie_site)
{
global $prefs;
if ($prefs['auth_method'] != 'saml' || ! class_exists('\OneLogin\Saml2\Auth')) {
return;
}
$clicked_on_saml_link = false;
// Check endpoints
if (array_key_exists('auth', $_REQUEST) && $_REQUEST['auth'] == 'saml') {
$saml_instance = $this->get_saml_auth();
$saml_instance->login();
} elseif (array_key_exists('saml_metadata', $_REQUEST)) {
$samlSettingsInfo = $this->get_saml_settings();
$saml_settings = new Saml2\Settings($samlSettingsInfo, true);
$metadata = $saml_settings->getSPMetadata();
$errors = $saml_settings->validateMetadata($metadata);
if (empty($errors)) {
header('Content-Type: text/xml');
echo $metadata;
exit();
} else {
throw new \OneLogin\Saml2\Error(
'Invalid SP metadata: ' . implode(', ', $errors),
OneLogin\Saml2\Error::METADATA_SP_INVALID
);
}
} elseif (array_key_exists('saml_acs', $_REQUEST)) {
$clicked_on_saml_link = true;
$saml_instance = $this->get_saml_auth();
try {
$saml_instance->processResponse();
} catch (Exception $e) {
Feedback::error($e->getMessage());
return;
}
$errors = $saml_instance->getErrors();
if (! empty($errors)) {
Feedback::error(implode(', ', $errors));
return;
}
if (! $saml_instance->isAuthenticated()) {
Feedback::error(tra("SAML Login failed. User not authenticated"));
return;
}
$_SESSION['samlUserdata'] = $saml_instance->getAttributes();
$_SESSION['samlNameId'] = $saml_instance->getNameId();
$_SESSION['samlSessionIndex'] = $saml_instance->getSessionIndex();
/*
if (isset($_POST['RelayState']) && OneLogin_Saml2_Utils::getSelfURL() != $_POST['RelayState']) {
$saml_instance->redirectTo($_POST['RelayState']);
}
*/
} elseif (array_key_exists('saml_sls', $_REQUEST)) {
$saml_instance = $this->get_saml_auth();
try {
$saml_instance->processSLO(false);
} catch (Exception $e) {
Feedback::error($e->getMessage());
return;
}
$errors = $saml_instance->getErrors();
if (! empty($errors)) {
Feedback::error(implode(', ', $errors));
return;
} else {
unset($_SESSION['samlUserdata']);
unset($_SESSION['samlNameId']);
unset($_SESSION['samlSessionIndex']);
}
}
$already_logged_as_admin = isset($_SESSION["$user_cookie_site"]) && $_SESSION["$user_cookie_site"] == 'admin';
$force_saml_login = ! (isset($prefs['saml_options_skip_admin']) && $prefs['saml_options_skip_admin'] == 'y');
if ($clicked_on_saml_link || ($force_saml_login && ! $already_logged_as_admin)) {
$this->validate_user("", "", "", "");
}
}
/**
* Get php-saml auth object
*/
public function get_saml_auth()
{
if (! class_exists('\OneLogin\Saml2\Auth')) {
return;
}
try {
$samlSettingsInfo = $this->get_saml_settings();
$auth = new Saml2\Auth($samlSettingsInfo);
} catch (Exception $e) {
print_r("There is a problem with the SAML settings, review them: " . $e->getMessage());
exit();
}
return $auth;
}
/**
* Build a settingsInfo array based on SAML settings store at Tiki
*/
public function get_saml_settings()
{
global $prefs;
global $base_url;
$samlSettingsInfo = [
'strict' => isset($prefs['saml_advanced_strict']) && $prefs['saml_advanced_strict'] == 'y',
'debug' => isset($prefs['saml_advanced_debug']) && $prefs['saml_advanced_debug'] == 'y',
'sp' => [
'entityId' => (! empty($prefs['saml_advanced_sp_entity_id']) ? $prefs['saml_advanced_sp_entity_id'] : 'php-saml'),
'assertionConsumerService' => [
'url' => $base_url . 'tiki-login.php?saml_acs'
],
'singleLogoutService' => [
'url' => $base_url . 'tiki-login.php?saml_sls'
],
'NameIDFormat' => (! empty($prefs['saml_advanced_nameidformat']) ? $prefs['saml_advanced_nameidformat'] : 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified'),
'x509cert' => $prefs['saml_advanced_sp_x509cert'] ?? '',
'privateKey' => $prefs['saml_advanced_sp_privatekey'] ?? '',
],
'idp' => [
'entityId' => $prefs['saml_idp_entityid'] ?? '',
'singleSignOnService' => [
'url' => $prefs['saml_idp_sso'] ?? '',
],
'singleLogoutService' => [
'url' => $prefs['saml_idp_slo'] ?? '',
],
'x509cert' => $prefs['saml_idp_x509cert'] ?? '',
'lowercaseUrlencoding' => isset($prefs['saml_advanced_idp_lowercase_url_encoding']) && $prefs['saml_advanced_idp_lowercase_url_encoding'] == 'y',
],
'security' => [
'signMetadata' => isset($prefs['saml_advanced_metadata_signed']) && $prefs['saml_advanced_metadata_signed'] == 'y',
'nameIdEncrypted' => isset($prefs['saml_advanced_nameid_encrypted']) && $prefs['saml_advanced_nameid_encrypted'] == 'y',
'authnRequestsSigned' => isset($prefs['saml_advanced_authn_request_signed']) && $prefs['saml_advanced_authn_request_signed'] == 'y',
'logoutRequestSigned' => isset($prefs['saml_advanced_logout_request_signed']) && $prefs['saml_advanced_logout_request_signed'] == 'y',
'logoutResponseSigned' => isset($prefs['saml_advanced_logout_response_signed']) && $prefs['saml_advanced_logout_response_signed'] == 'y',
'wantMessagesSigned' => isset($prefs['saml_advanced_want_message_signed']) && $prefs['saml_advanced_want_message_signed'] == 'y',
'wantAssertionsSigned' => isset($prefs['saml_advanced_want_assertion_signed']) && $prefs['saml_advanced_want_assertion_signed'] == 'y',
'wantAssertionsEncrypted' => isset($prefs['saml_advanced_want_assertion_encrypted']) && $prefs['saml_advanced_want_assertion_encrypted'] == 'y',
'requestedAuthnContext' => isset($prefs['saml_advanced_requestedauthncontext']) && $prefs['saml_advanced_requestedauthncontext'],
'signatureAlgorithm' => $prefs['saml_advanced_sign_algorithm'] ?? 'http://www.w3.org/2000/09/xmldsig#rsa-sha1',
]
];
return $samlSettingsInfo;
}
/**
* Initiates the Tiki LDAP library.
*
* Passes it a set of options according to Tiki's preferences.
* FIXME: a similar piece of code can be found at two other places in this file.
*/
public function init_ldap($user, $pass)
{
global $prefs;
if (! isset($this->ldap)) {
require_once('auth/ldap.php');
$ldap_options = [
'host' => $prefs['auth_ldap_host'],
'port' => $prefs['auth_ldap_port'],
'useStartTls' => $prefs['auth_ldap_starttls'],
'useSsl' => $prefs['auth_ldap_ssl'],
'baseDn' => $prefs['auth_ldap_basedn'],
'scope' => $prefs['auth_ldap_scope'],
'bind_type' => $prefs['auth_ldap_type'],
'username' => $user,
'password' => $pass,
'userdn' => $prefs['auth_ldap_userdn'],
'useroc' => $prefs['auth_ldap_useroc'],
'userattr' => $prefs['auth_ldap_userattr'],
'fullnameattr' => $prefs['auth_ldap_nameattr'],
'emailattr' => $prefs['auth_ldap_emailattr'],
'countryattr' => $prefs['auth_ldap_countryattr'],
'groupdn' => $prefs['auth_ldap_groupdn'],
'groupattr' => $prefs['auth_ldap_groupattr'],
'groupoc' => $prefs['auth_ldap_groupoc'],
'groupnameattr' => $prefs['auth_ldap_groupnameatr'],
'groupdescattr' => $prefs['auth_ldap_groupdescatr'],
'groupmemberattr' => $prefs['auth_ldap_memberattr'],
'groupmemberisdn' => $prefs['auth_ldap_memberisdn'],
'usergroupattr' => $prefs['auth_ldap_usergroupattr'],
'groupgroupattr' => $prefs['auth_ldap_groupgroupattr'],
'debug' => $prefs['auth_ldap_debug']
];
// print_r($ldap_options);
$this->ldap = new TikiLdapLib($ldap_options);
}
}
/**
* Validates the user via LDAP and gets a LDAP connection
*
* @param user: username
* @param pass: password
*/
public function validate_user_ldap($user, $pass)
{
if (! $pass) { // An LDAP password cannot be empty. Treat specially so that Tiki does *NOT* unintentionally request an unauthenticated bind.
return PASSWORD_INCORRECT;
}
global $prefs;
$logslib = TikiLib::lib('logs');
if ($prefs['auth_ldap_debug'] == 'y') {
$logslib->add_log('ldap', 'UserLib::validate_user_ldap()');
}
// First connection on the ldap server in anonymous, now we can search the real name of the $user
// It's required to pass in param the username & password because the username is used to determine the realname (dn)
$this->init_ldap($user, $pass);
$err = $this->ldap->bind();
// Change the default bind_type to use the full, call get_user_attributes function to use the realname (dn) in the credentials test
$this->ldap->setOption('bind_type', 'full');
$this->ldap->get_user_attributes();
// Credentials test! To test it we force the reconnection.
$err = $this->ldap->bind(true);
switch ($err) {
case LdapException::LDAP_INVALID_CREDENTIALS:
return PASSWORD_INCORRECT;
case LdapException::LDAP_INVALID_SYNTAX:
case LdapException::LDAP_NO_SUCH_OBJECT:
case LdapException::LDAP_INVALID_DN_SYNTAX:
return USER_NOT_FOUND;
case LdapException::LDAP_SUCCESS:
if ($prefs['auth_ldap_debug'] == 'y') {
$logslib->add_log('ldap', 'Bind successful.');
}
return USER_VALID;
default:
return SERVER_ERROR;
}
// this should never happen
die('Assertion failed ' . __FILE__ . ':' . __LINE__);
}
// validate the user from a phpBB database
public function validate_user_phpbb($user, $pass)
{
require_once('auth/phpbb.php');
$this->phpbbauth = new TikiPhpBBLib();
switch ($this->phpbbauth->check($user, $pass)) {
case PHPBB_INVALID_CREDENTIALS:
return PASSWORD_INCORRECT;
break;
case PHPBB_INVALID_SYNTAX:
case PHPBB_NO_SUCH_USER:
return USER_NOT_FOUND;
break;
case PHPBB_SUCCESS:
//$logslib->add_log('phpbb','PhpBB user validation successful.');
return USER_VALID;
break;
default:
return SERVER_ERROR;
}
// this should never happen
die('Assertion failed ' . __FILE__ . ':' . __LINE__);
}
/**
* Help function to disable a user's password.
*
* Used, whenever the user password shall not be
* hold in the tiki db but in LDAP or somewhere else.
*/
public function disable_tiki_auth($user)
{
global $tiki, $prefs;
if ($prefs['auth_ldap_debug'] == 'y') {
TikiLib::lib('logs')->add_log('ldap', 'UserLib::disable_tiki_auth()');
}
$query = 'update `users_users` set `hash`=? where binary `login` = ?';
$result = $this->query($query, ['', $user]);
}
/**
* Synchronizes all existing Tiki users to what is in the LDAP directory.
*
* Retrieves all users info from LDAP.
* Creates the corresponding Tiki users from this data.
*/
public function ldap_sync_all_users()
{
global $prefs;
$logslib = TikiLib::lib('logs');
if ($prefs['syncUsersWithDirectory'] != 'y') {
return false;
}
require_once('auth/ldap.php');
if ($prefs['auth_ldap_debug'] == 'y') {
$logslib->add_log('ldap', 'UsersLib::ldap_sync_all_users(): Syncing all Tiki users to LDAP');
}
$bind_type = 'default';
switch ($prefs['auth_ldap_type']) { // Must be anonymous or admin
case 'default':
break;
default:
if (! empty($prefs['auth_ldap_adminuser'])) {
$bind_type = 'explicit';
break;
}
return false;
break;
}
// FIXME: Similar to the contents of the init_ldap method:
$ldap_options = [
'host' => $prefs['auth_ldap_host'],
'port' => $prefs['auth_ldap_port'],
'useStartTls' => $prefs['auth_ldap_starttls'],
'useSsl' => $prefs['auth_ldap_ssl'],
'baseDn' => $prefs['auth_ldap_basedn'],
'scope' => $prefs['auth_ldap_scope'],
'bind_type' => $bind_type,
'binddn' => $prefs['auth_ldap_adminuser'],
'bindpw' => $prefs['auth_ldap_adminpass'],
'userdn' => $prefs['auth_ldap_userdn'],
'useroc' => $prefs['auth_ldap_useroc'],
'userattr' => $prefs['auth_ldap_userattr'],
'fullnameattr' => $prefs['auth_ldap_nameattr'],
'emailattr' => $prefs['auth_ldap_emailattr'],
'countryattr' => $prefs['auth_ldap_countryattr'],
'groupdn' => $prefs['auth_ldap_groupdn'],
'groupattr' => $prefs['auth_ldap_groupattr'],
'groupoc' => $prefs['auth_ldap_groupoc'],
'groupnameattr' => $prefs['auth_ldap_groupnameatr'],
'groupdescattr' => $prefs['auth_ldap_groupdescatr'],
'groupmemberattr' => $prefs['auth_ldap_memberattr'],
'groupmemberisdn' => $prefs['auth_ldap_memberisdn'],
'usergroupattr' => $prefs['auth_ldap_usergroupattr'],
'groupgroupattr' => $prefs['auth_ldap_groupgroupattr'],
'debug' => $prefs['auth_ldap_debug']
];
$user_ldap = new TikiLdapLib($ldap_options);
// Retrieve all users from LDAP:
if (! ($users_attributes = $user_ldap->get_all_users_attributes())) {
return false;
}
foreach ($users_attributes as $user_attributes) {
$user = $user_attributes[$prefs['auth_ldap_userattr']];
$this->add_user($user, '', $user);
if ($prefs['auth_method'] == 'ldap') {
$this->disable_tiki_auth($user);
}
$this->ldap_sync_user_data($user, $user_attributes);
}
}
/**
* Synchronize all groups with LDAP directory
*
* For each user, makes sure that user is member of the same groups as specified in their LDAP entry.
*/
public function ldap_sync_all_groups()
{
global $prefs;
if ($prefs['auth_ldap_debug'] == 'y') {
TikiLib::lib('logs')->add_log('ldap', 'UsersLib::ldap_sync_all_groups()');
}
if ($prefs['syncGroupsWithDirectory'] != 'y') {
return false;
}
$users = $this->list_all_users();
foreach ($users as $user) {
$this->_ldap_sync_groups($user, null);
}
}
/**
* Updates the info about the current Tiki user with the info found in the LDAP directory.
*
* @see \UsersLib::disable_tiki_auth()
* @see \UsersLib::ldap_sync_user_data()
*/
public function ldap_sync_user($user, $pass)
{
if ($user == 'admin') {
return true;
}
global $prefs;
$logslib = TikiLib::lib('logs');
$ret = true;
$this->init_ldap($user, $pass);
if ($prefs['auth_ldap_debug'] == 'y') {
$logslib->add_log('ldap', 'Syncing user with ldap');
}
// sync user information
if ($prefs['auth_method'] == 'ldap') {
$this->disable_tiki_auth($user);
}
if ($prefs['syncUsersWithDirectory'] == 'y') {
$this->ldap_sync_user_data($user, $this->ldap->get_user_attributes());
}
return $ret;
}
/**
* Sets Tiki user fields with the values found about a given user in LDAP.
*
* (name, email, country)
*
* @param user: username
* @param attributes: Name and value for each LDAP attribute of the user.
*/
public function ldap_sync_user_data($user, $attributes)
{
global $prefs;
if ($prefs['auth_ldap_debug'] == 'y') {
TikiLib::lib('logs')->add_log('ldap', 'UsersLib::ldap_sync_user_data()');
}
$u = ['login' => $user];
$userPreferenceToLdapPreferenceMap = [
'realName' => 'auth_ldap_nameattr',
'email' => 'auth_ldap_emailattr',
'country' => 'auth_ldap_countryattr',
];
foreach ($userPreferenceToLdapPreferenceMap as $preference => $ldapPreference) {
if ($preference == 'email') {
$userPreferenceValue = $this->get_user_email($user);
} else {
$userPreferenceValue = $this->get_user_preference($user, $preference);
}
$isSetLdapPreferenceValue = isset($attributes[$prefs[$ldapPreference]]);
$ldapPreferenceValue = $isSetLdapPreferenceValue ? $attributes[$prefs[$ldapPreference]] : '';
if ($userPreferenceValue && empty($ldapPreferenceValue)) {
$u[$preference] = '';
} else {
if ($isSetLdapPreferenceValue) {
// Ldap attributes can (by default) have multiple values, check if the current user preference is one of
// the values of the attribute, in that case keep the same value
if (
is_array($ldapPreferenceValue)
&& $userPreferenceValue
&& in_array($userPreferenceValue, $ldapPreferenceValue)
) {
$u[$preference] = $userPreferenceValue;
continue;
}
if (is_array($ldapPreferenceValue)) {
// Ldap attributes can (by default) have multiple values
// so we always take the first from the list in case of a multi value field
$ldapPreferenceValue = reset($ldapPreferenceValue);
}
if ($isSetLdapPreferenceValue) {
$u[$preference] = $ldapPreferenceValue;
}
}
}
}
if (count($u) > 1) {
$this->set_user_fields($u);
}
}
/**
* For a given user, makes sure this user is member of all the groups they should be,
* according to their entry in the LDAP directory.
*
* @param user: username
* @param pass: password (might be null)
*/
private function _ldap_sync_groups($user, $pass)
{
if ($user == 'admin') {
return true;
}
global $prefs;
$logslib = TikiLib::lib('logs');
static $ldap_group_options = [];
static $ext_dir = null;
$ret = true;
$this->init_ldap($user, $pass);
$this->ldap->setOption('username', $user);
$this->ldap->setOption('password', $pass);
if ($prefs['auth_ldap_debug'] == 'y') {
$logslib->add_log('ldap', 'UsersLib::_ldap_sync_groups(): Syncing group with ldap');
}
$userattributes = $this->ldap->get_user_attributes(true);
if ($prefs['syncGroupsWithDirectory'] == 'y' && $userattributes[$prefs['auth_ldap_group_corr_userattr']] != null) {
// sync external group information of user
$ldapgroups = [];
if ($prefs['auth_ldap_group_external'] == 'y') {
// External directory for groups
if (! isset($ext_dir)) {
$ldap_group_options = [
'host' => $prefs['auth_ldap_group_host'],
'port' => $prefs['auth_ldap_group_port'],
'useStartTls' => $prefs['auth_ldap_group_starttls'],
'useSsl' => $prefs['auth_ldap_group_ssl'],
'baseDn' => $prefs['auth_ldap_group_basedn'],
'scope' => $prefs['auth_ldap_group_scope'],
'userdn' => $prefs['auth_ldap_group_userdn'],
'useroc' => $prefs['auth_ldap_group_useroc'],
'userattr' => $prefs['auth_ldap_group_userattr'],
'username' => $userattributes[$prefs['auth_ldap_group_corr_userattr']],
'groupdn' => $prefs['auth_ldap_groupdn'],
'groupattr' => $prefs['auth_ldap_groupattr'],
'groupoc' => $prefs['auth_ldap_groupoc'],
'groupnameattr' => $prefs['auth_ldap_groupnameatr'],
'groupdescattr' => $prefs['auth_ldap_groupdescatr'],
'groupmemberattr' => $prefs['auth_ldap_memberattr'],
'groupmemberisdn' => $prefs['auth_ldap_memberisdn'],
'usergroupattr' => $prefs['auth_ldap_usergroupattr'],
'groupgroupattr' => $prefs['auth_ldap_groupgroupattr'],
'debug' => $prefs['auth_ldap_group_debug']
];
if (empty($prefs['auth_ldap_group_adminuser'])) {
// Anonymous
$ldap_group_options['bind_type'] = 'default';
} else {
// Explicit
$ldap_group_options['bind_type'] = 'explicit';
$ldap_group_options['binddn'] = $prefs['auth_ldap_group_adminuser'];
$ldap_group_options['bindpw'] = $prefs['auth_ldap_group_adminpass'];
}
$ext_dir = new TikiLdapLib($ldap_group_options);
}
$ext_dir->setOption('username', $userattributes[$prefs['auth_ldap_group_corr_userattr']]);
$ldapgroups = $ext_dir->get_groups(true);
} else {
if (! empty($prefs['auth_ldap_adminuser'])) {
$this->ldap->setOption('bind_type', 'explicit');
$this->ldap->setOption('binddn', $prefs['auth_ldap_adminuser']);
$this->ldap->setOption('bindpw', $prefs['auth_ldap_adminpass']);
$this->ldap->bind(true);
}
$ldapgroups = $this->ldap->get_groups(true);
if (! empty($prefs['auth_ldap_adminuser'])) {
$this->ldap->setOption('bind_type', $prefs['auth_ldap_type']);
$this->ldap->bind(true);
}
}
$this->_ldap_sync_group_data($user, $ldapgroups);
}
return $ret;
}
/**
* Sync Tiki groups with LDAP groups data
*
* For each group, assigns the user to it if it is not already a member of it.
*
* Called from \UsersLib::_ldap_sync_groups()
*
* @param user: username
* @param ldapgroups: list of LDAP group names
*/
private function _ldap_sync_group_data($user, $ldapgroups)
{
global $prefs;
$logslib = TikiLib::lib('logs');
if (! count($ldapgroups)) {
return;
}
$ldapgroups_simple = [];
$tikigroups = $this->get_user_groups($user);
foreach ($ldapgroups as $group) {
$gname = $group[$prefs['auth_ldap_groupattr']];
$ldapgroups_simple[] = $gname; // needed later
if ($this->group_exists($gname) && ! $this->group_is_external($gname)) { // group exists
//check if we need to sync group information
if (isset($group[$prefs['auth_ldap_groupdescattr']])) {
$ginfo = $this->get_group_info($gname);
if ($group[$prefs['auth_ldap_groupdescattr']] != $ginfo['groupDesc']) {
$this->set_group_description($gname, $group[$prefs['auth_ldap_groupdescattr']]);
}
}
} elseif (! $this->group_exists($gname)) { // create group
if (isset($group[$prefs['auth_ldap_groupdescattr']])) {
$gdesc = $group[$prefs['auth_ldap_groupdescattr']];
} else {
$gdesc = '';
}
$logslib->add_log('ldap', 'Creating external group ' . $gname);
$this->add_group($gname, $gdesc, '', 0, 0, '', '', 0, '', 0, 0, 'y');
}
// add user
if (! in_array($gname, $tikigroups)) {
$logslib->add_log('ldap', 'Adding user ' . $user . ' to external group ' . $gname);
$this->assign_user_to_group($user, $gname);
}
}
// now clean up group membership if user has been unassigned from a group in ldap
$extgroups = $this->get_user_external_groups($user);
foreach ($extgroups as $eg) {
if (! in_array($eg, $ldapgroups_simple)) {
$logslib->add_log('ldap', 'Removing user ' . $user . ' from external group ' . $eg);
$this->remove_user_from_group($user, $eg);
}
}
}
/**
* Update infos for a user, and which groups it is in, reading from LDAP.
*
* Called after a user has been created or logged from LDAP.
*
* @param user: username
* @param pass: password
* @see \UserLib::_ldap_sync_user()
* @see \UserLib::_ldap_sync_groups()
*/
public function _ldap_sync_user_and_groups($user, $pass)
{
global $prefs;
if ($prefs['auth_ldap_debug'] == 'y') {
TikiLib::lib('logs')->add_log('ldap', 'UsersLib::_ldap_sync_user_and_groups()');
}
$ret = true;
$ret &= $this->ldap_sync_user($user, $pass);
$ret &= $this->_ldap_sync_groups($user, $pass);
// Invalidate cache
$cachelib = TikiLib::lib('cache');
$cacheKey = 'user_details_' . $user;
$cachelib->invalidate($cacheKey);
return($ret);
}
public function set_group_description($group, $description)
{
$query = 'update `users_groups` set `groupDesc`=? where `groupName`=?';
$result = $this->query($query, [$description, $group]);
}
public function group_is_external($group)
{
$gi = $this->get_group_info($group);
if ($gi['isExternal'] == 'y') {
return true;
}
return false;
}
// simple function - no group inclusion or intertiki
public function get_user_external_groups($user)
{
$userid = $this->get_user_id($user);
$query = 'select u.`groupName`' .
' from `users_usergroups` u, `users_groups` g' .
' where u.`groupName`=g.`groupName` and u.`userId`=? and g.`isExternal`=?';
$result = $this->query($query, [(int) $userid, 'y']);
$ret = [];
while ($res = $result->fetchRow()) {
$ret[] = $res['groupName'];
}
return $ret;
}
/**
* Validate the user in the Tiki database
* @param user: username
* @param pass: password
*/
public function validate_user_tiki($user, $pass, $validate_phase = false)
{
global $prefs;
$userUpper = TikiLib::strtoupper($user);
// first verify that the user exists
$query = 'select `userId`,`login`,`waiting`, `hash`, `email`,`valid` from `users_users` where upper(`login`) = ?';
$result = $this->query($query, [$userUpper]);
switch ($result->numRows()) {
case 0:
if ($prefs['login_allow_email'] == 'y') { //if no users found, check check if email is being used to login
$query = 'select `userId`,`login`,`waiting`, `hash`, `email`,`valid` from `users_users` where upper(`email`) = ?';
$result = $this->query($query, [$userUpper]);
if ($result->numRows() > 1) {
return [EMAIL_AMBIGUOUS, $user]; // if there is more than one user with that email
} elseif ($result->numRows() == 1) {
break; // if there is only one user, exit switch
}
}
return [USER_NOT_FOUND, $user];
case 1:
break;
default:
return [USER_AMBIGOUS, $user];
}
$res = $result->fetchRow();
$user = $res['login'];
// check for account flags
if ($res['waiting'] === 'u') { // if account is in validation mode.
if (! empty($pass) && $pass === $res['valid']) { // if user successfully provides code from email
return [USER_VALID, $user];
} else {
return [ACCOUNT_WAITING_USER, $user]; // if code validation fails, (or user tries to log in before verifying)
}
} elseif ($res['waiting'] === 'a') { // if account needs administrator validation
if (! empty($res['valid']) && $pass === $res['valid']) { // if admin successfully validates account
return [USER_VALID, $user];
} else {
return [ACCOUNT_DISABLED, $user];
}
} elseif ($res['waiting'] === 'l') {
return [ACCOUNT_LOCKED, $user];
}
if ($validate_phase) {
return [USER_PREVIOUSLY_VALIDATED, $user]; // if email verification code is used an a validated account, deny.
}
// next verify the password with every hashes methods
if ($res['hash'][0] == '$') { // if password was created by crypt (old tiki hash) or password_hash (current tiki hash)
if (password_verify($pass, $res['hash'])) {
if (password_needs_rehash($res['hash'], PASSWORD_DEFAULT)) {
$this->set_user_password($res['userId'], $pass); //if its a old hash style, rehash it in a more secure way
}
return [USER_VALID, $user];
} else {
return [PASSWORD_INCORRECT, $user]; // if the password was incorrect, dont give the md5's a spin
}
}
if (! empty($pass) && $res['hash'] === md5($pass)) { // very method md5(pass), for compatibility
$this->set_user_password($res['userId'], $pass);
return [USER_VALID, $user];
}
if (! empty($pass) && $res['hash'] === md5($user . $pass)) { // ancient method md5(user.pass), for compatibility
$this->set_user_password($res['userId'], $pass);
return [USER_VALID, $user];
}
if (! empty($pass) && $res['hash'] === md5($user . $pass . trim($res['email']))) { // very ancient method md5(user.pass.email), for compatibility
$this->set_user_password($res['userId'], $pass);
return [USER_VALID, $user];
}
return [PASSWORD_INCORRECT, $user];
}
/**
* Stores a users password in the database
*
* @param userId: the id of the user.
* @param pass: the clear text password to be hashed and stored
*/
private function set_user_password($userId, $pass)
{
$hash = password_hash($pass, PASSWORD_DEFAULT);
$query = 'update `users_users` set `hash`=? where `userId`=?';
$result = $this->query($query, [$hash, $userId]);
//todo: a little error checking would be nice.
}
/**
* Synchronizes Tiki user and group info from LDAP.
*
* @param user: User name.
* @param pass: Password.
*/
private function _ldap_sync_and_update_lastlogin($user, $pass)
{
global $prefs;
global $tikilib;
if ($prefs['auth_ldap_debug'] == 'y') {
TikiLib::lib('logs')->add_log('ldap', 'UsersLib::_ldap_sync_and_update_lastlogin()');
}
$ret = $this->update_lastlogin($user);
if (empty($current)) {
// First time
$current = 0;
}
if ($prefs['auth_method'] === 'ldap' && ($prefs['syncGroupsWithDirectory'] == 'y' || $prefs['syncUsersWithDirectory'] == 'y' )) {
$ret &= $this->_ldap_sync_user_and_groups($user, $pass);
}
return $ret;
}
/**
* Updates date and time of current and last (previous) login.
*
* Called when the user logs in.
* The updated fields are: currentLogin and lastLogin.
* Resets unsuccessful_logins field.
*
* @param user: Username
*/
public function update_lastlogin($user)
{
$previous = $this->getOne('select `currentLogin` from `users_users` where `login`= ?', [$user]);
if (is_null($previous)) {
// First login
$previous = $this->now; // TODO: Should we really set lastLogin on the first login?
}
$query = 'update `users_users` set `lastLogin`=?, `currentLogin`=?, `unsuccessful_logins`=? where `login`=? and (`waiting` <> \'a\' OR `waiting` IS NULL)'; // don't update last login if waiting for admin
$this->query(
$query,
[
(int)$previous,
(int)$this->now,
0,
$user
]
);
return true;
}
/**
* Creates a new user in the LDAP directory
*
* @param user: username
* @param pass: password
*/
public function create_user_ldap($user, $pass)
{
// todo: no more pear::auth! all in pear::ldap2
global $prefs;
$tikilib = TikiLib::lib('tiki');
$options = [];
$options['url'] = $prefs['auth_ldap_url'];
$options['host'] = $prefs['auth_ldap_host'];
$options['port'] = $prefs['auth_ldap_port'];
$options['scope'] = $prefs['auth_ldap_scope'];
$options['baseDn'] = $prefs['auth_ldap_basedn'];
$options['userdn'] = $prefs['auth_ldap_userdn'];
$options['userattr'] = $prefs['auth_ldap_userattr'];
$options['useroc'] = $prefs['auth_ldap_useroc'];
$options['groupdn'] = $prefs['auth_ldap_groupdn'];
$options['groupattr'] = $prefs['auth_ldap_groupattr'];
$options['groupoc'] = $prefs['auth_ldap_groupoc'];
$options['memberattr'] = $prefs['auth_ldap_memberattr'];
$options['memberisdn'] = ($prefs['auth_ldap_memberisdn'] == 'y');
$options['binduser'] = $prefs['auth_ldap_adminuser'];
$options['bindpw'] = $prefs['auth_ldap_adminpass'];
// set additional attributes here
$userattr = [];
$userattr['email'] = ( $prefs['login_is_email'] == 'y' )
? $user
: $this->getOne('select `email` from `users_users` where `login`=?', [$user]);
// set the Auth options
$a = new Auth('LDAP', $options);
// check if the login correct
if ($a->addUser($user, $pass, $userattr) === true) {
$status = USER_VALID;
} else {
// otherwise use the error status given back
$status = $a->getStatus();
}
return $status;
}
/**
* This is a lighter version of get_users_names designed for AJAX checking of userrealnames
*/
public function get_users_light($offset = 0, $maxRecords = -1, $sort_mode = 'login_asc', $find = '', $group = '')
{
global $prefs, $tiki_p_list_users, $tiki_p_admin;
if ($tiki_p_list_users !== 'y' && $tiki_p_admin != 'y') {
return [];
}
$mid = '';
$bindvars = [];
if (! empty($group)) {
if (! is_array($group)) {
$group = [$group];
}
$mid = ', `users_usergroups` uug where uu.`userId`=uug.`userId` and uug.`groupName` in (' .
implode(',', array_fill(0, count($group), '?')) . ')';
$bindvars = $group;
}
if (! empty($find)) {
$findesc = '%' . $find . '%';
if (empty($mid)) {
$mid .= ' where uu.`login` like ?';
} else {
$mid .= ' and uu.`login` like ?';
}
$bindvars[] = $findesc;
}
$query = "select uu.`login` from `users_users` uu $mid order by " . $this->convertSortMode($sort_mode);
$result = $this->fetchAll($query, $bindvars, $maxRecords, $offset);
$ret = [];
foreach ($result as $res) {
$ret[$res['login']] = $this->clean_user($res['login']);
}
if (! empty($findesc) && $prefs['user_show_realnames'] == 'y') {
$query = "select `user` from `tiki_user_preferences` where `prefName` = 'realName' and `value` like ?";
$result = $this->fetchAll($query, [$findesc], $maxRecords, $offset);
foreach ($result as $res) {
if (! isset($ret[$res['user']])) {
$ret[$res['user']] = $this->clean_user($res['user']);
}
}
}
asort($ret);
return($ret);
}
public function get_users_names($offset = 0, $maxRecords = -1, $sort_mode = 'login_asc', $find = '')
{
global $tiki_p_list_users, $tiki_p_admin;
if ($tiki_p_list_users !== 'y' && $tiki_p_admin != 'y') {
return [];
}
// This function gets an array of user login names.
if (! empty($find)) {
$findesc = '%' . $find . '%';
$mid = ' where `login` like ?';
$bindvars = [$findesc];
} else {
$mid = '';
$bindvars = [];
}
$query = "select `login` from `users_users` $mid order by " . $this->convertSortMode($sort_mode);
$result = $this->query($query, $bindvars, $maxRecords, $offset);
$ret = [];
while ($res = $result->fetchRow()) {
$ret[] = $res['login'];
}
return ($ret);
}
public function get_members($group)
{
$group_results = true;
if (! is_array($group)) {
$group = [$group];
$group_results = false;
} elseif (count($group) == 0) {
return [];
}
$users = $this->fetchAll('SELECT ug.groupName, u.login FROM `users_usergroups` ug INNER JOIN `users_users` u ON u.userId = ug.userId WHERE ug.groupName IN ('
. implode(',', array_fill(0, count($group), '?')) . ')', $group);
if (! $group_results) {
return array_map(function ($row) {
return $row['login'];
}, $users);
} else {
$grouped = [];
foreach ($users as $row) {
$grouped[$row['groupName']][] = $row['login'];
}
return $grouped;
}
}
public function get_users(
$offset = 0,
$maxRecords = -1,
$sort_mode = 'login_asc',
$find = '',
$initial = '',
$inclusion = false,
$group = '',
$email = '',
$notconfirmed = false,
$notvalidated = false,
$neverloggedin = false
) {
$hasPermission = function ($group) {
$perms = Perms::get(['type' => 'group', 'object' => $group]);
if (! $perms->group_view_members && ! $perms->list_users && ! $perms->admin_users) {
return false;
}
return true;
};
if (is_array($group)) {
$group = array_filter($group, $hasPermission);
if (empty($group)) {
return [];
}
} elseif (! $hasPermission($group)) {
return [];
}
$mid = '';
$bindvars = [];
$mmid = '';
$mbindvars = [];
// Return an array of users indicating name, email, last changed pages, versions, lastLogin
//TODO : recurse included groups
if (! empty($group)) {
if (! is_array($group)) {
$group = [$group];
}
$mid = ', `users_usergroups` uug where uu.`userId`=uug.`userId` and uug.`groupName` in (' . implode(',', array_fill(0, count($group), '?')) . ')';
$mmid = $mid;
$bindvars = $group;
$mbindvars = $bindvars;
}
if (! empty($email)) {
$mid .= $mid == '' ? ' where' : ' and';
$mid .= ' uu.`email` like ?';
$mmid = $mid;
$bindvars[] = '%' . $email . '%';
$mbindvars[] = '%' . $email . '%';
}
if (! empty($find)) {
$mid .= $mid == '' ? ' where' : ' and';
$mid .= ' uu.`login` like ?';
$mmid = $mid;
$bindvars[] = '%' . $find . '%';
$mbindvars[] = '%' . $find . '%';
}
if (! empty($initial)) {
$mid = ' where `login` like ?';
$mmid = $mid;
$bindvars = [$initial . '%'];
$mbindvars = $bindvars;
}
if ($notconfirmed && $notvalidated) {
$mid .= $mid == '' ? ' where' : ' and';
$mid .= ' (uu.`waiting` = \'u\' or uu.`waiting` = \'a\')';
$mmid = $mid;
} else {
if ($notconfirmed) {
$mid .= $mid == '' ? ' where' : ' and';
$mid .= ' uu.`waiting` = \'u\'';
$mmid = $mid;
}
if ($notvalidated) {
$mid .= $mid == '' ? ' where' : ' and';
$mid .= ' uu.`waiting` = \'a\'';
$mmid = $mid;
}
}
if ($neverloggedin) {
$mid .= $mid == '' ? ' where' : ' and';
$mid .= ' (uu.`lastLogin` is null or uu.`lastLogin` = 0)';
$mmid = $mid;
}
$query = "select uu.* from `users_users` uu $mid order by " . $this->convertSortMode($sort_mode);
$query_cant = "select count(*) from `users_users` uu $mmid";
$ret = $this->fetchAll($query, $bindvars, $maxRecords, $offset);
$cant = $this->getOne($query_cant, $mbindvars);
$perms = Perms::get(['type' => 'group', 'object' => $group]);
foreach ($ret as &$res) {
if (! $perms->admin_users) {
// Filter out sensitive data
unset($res['email']);
unset($res['hash']);
unset($res['provpass']);
}
$res['user'] = $res['login'];
$user = $res['user'];
if ($inclusion) {
$groups = $this->get_user_groups_inclusion($user);
} else {
$groups = $this->get_user_groups($user);
}
$res['groups'] = $groups;
$res['age'] = $this->now - $res['registrationDate'];
$res['user_information'] = $this->get_user_preference($user, 'user_information', 'public');
$res['editable'] = $this->user_can_be_edited($user);
if (TIKI_API) {
// TODO: handle this as part of the API output serialization module
$res['avatar'] = $this->get_user_avatar_inline($res);
unset($res['avatarName']);
unset($res['avatarSize']);
unset($res['avatarType']);
unset($res['avatarFileType']);
unset($res['avatarData']);
unset($res['avatarLibName']);
}
}
$retval = [];
$retval['data'] = $ret;
$retval['cant'] = $cant;
return $retval;
}
/**
* @param string $edited_user : username (login) of the user that might be edited
* @param string $editing_user : username of user doing the editing (or logged-in user if omitted)
* @return bool : true if $editing_user can edit $edited_user
*/
public function user_can_be_edited($edited_user, $editing_user = '')
{
global $user;
if (empty($editing_user)) {
$editing_user = $user;
}
$editable = false;
if ($this->user_has_permission($editing_user, 'tiki_p_admin')) {
$editable = true;
} elseif ($this->user_has_permission($editing_user, 'tiki_p_admin_users') && ! $this->user_has_permission($edited_user, 'tiki_p_admin')) {
$editable = true;
}
return $editable;
}
public function group_inclusion($group, $include)
{
$query = 'insert into `tiki_group_inclusion`(`groupName`,`includeGroup`) values(?,?)';
$result = $this->query($query, [$group, $include]);
}
public function get_included_container_groups($group, $recur = true)
{
$includedGroups = $this->get_included_groups($group, $recur);
$groups = $this->get_group_info($includedGroups);
return array_filter($groups, function ($item) {
return $item["isTplGroup"] == "y";
});
}
public function get_included_groups($group, $recur = true)
{
$engroup = urlencode($group);
if (! $recur || ! isset($this->groupinclude_cache[$engroup])) {
$query = 'select `includeGroup` from `tiki_group_inclusion` where `groupName`=?';
$result = $this->query($query, [$group]);
$ret = [];
while ($res = $result->fetchRow()) {
$ret[] = $res['includeGroup'];
if ($recur) {
$ret2 = $this->get_included_groups($res['includeGroup']);
$ret = array_merge($ret, $ret2);
}
}
$back = array_unique($ret);
if ($recur) {
$this->groupinclude_cache[$engroup] = $back;
}
return $back;
} else {
return $this->groupinclude_cache[$engroup];
}
}
public function get_including_groups($group, $recur = 'n')
{
$query = 'select `groupName` from `tiki_group_inclusion` where `includeGroup`=? order by `groupName`';
$result = $this->query($query, [$group]);
$ret = [];
while ($res = $result->fetchRow()) {
$ret[] = $res['groupName'];
if ($recur == 'y') {
$ret = array_merge($ret, $this->get_including_groups($res['groupName']));
}
}
if ($recur == 'y') {
sort($ret);
}
return $ret;
}
public function user_is_in_group($user, $group)
{
$user_groups = $this->get_user_groups($user);
if (in_array($group, $user_groups)) {
return true;
} else {
return false;
}
}
/**
* @param $user
* @param $group
* @param bool $bulk
*
* @return TikiDb_Pdo_Result|TikiDb_Adodb_Result
* @throws Exception
*/
public function remove_user_from_group($user, $group, $bulk = false)
{
global $prefs;
$tikilib = TikiLib::lib('tiki');
$cachelib = TikiLib::lib('cache');
$cachelib->invalidate('user_details_' . $user);
$tikilib->invalidate_usergroups_cache($user);
$this->invalidate_usergroups_cache($user); // this is needed as cache is present in this instance too
$userid = $this->get_user_id($user);
$query = 'delete from `users_usergroups` where `userId` = ? and `groupName` = ?';
$result = $this->query($query, [$userid, $group]);
$query = 'update `users_users` set `default_group`=? where `login`=? and `default_group`=?';
$this->query($query, ['Registered', $user, $group]);
TikiLib::events()->trigger('tiki.user.groupleave', [
'type' => 'user',
'object' => $user,
'group' => $group,
'bulk_import' => $bulk,
]);
$_SESSION['u_info']['group'] = 'Registered';
return $result;
}
public function remove_user_from_all_groups($user)
{
global $prefs;
$userid = $this->get_user_id($user);
$query = 'delete from `users_usergroups` where `userId` = ?';
$result = $this->query($query, [$userid]);
TikiLib::events()->trigger('tiki.user.update', ['type' => 'user', 'object' => $user]);
}
public function get_groups_userchoice()
{
$ret = [];
$groups = $this->get_groups(0, -1, '', '', '', 'n', '', 'y');
foreach ($groups['data'] as $g) {
$ret[] = $g['groupName'];
}
return $ret;
}
public function get_groups_for_permissions()
{
$query = "SELECT * from users_groups
where isTplGroup <> 'y' and groupName not in (select groupName
from tiki_group_inclusion where includeGroup in (SELECT groupName
from users_groups where isTplGroup = 'y')) order by id asc;";
$ret = $this->fetchAll($query);
$retval = [];
$retval['data'] = $ret;
$retval['cant'] = count($ret);
return $retval;
}
public function get_template_groups_containers()
{
$query = "SELECT * from users_groups
where isTplGroup = 'y' order by id asc;";
$ret = $this->fetchAll($query);
$retval = [];
$retval['data'] = $ret;
$retval['cant'] = count($ret);
return $retval;
}
public function get_group_children($groupName)
{
$query = "SELECT DISTINCT * from users_groups as ug
where ug.groupName in (select groupName from tiki_group_inclusion where includeGroup = ?) order by id asc;";
$ret = $this->fetchAll($query, [$groupName]);
$retval = [];
$retval['data'] = $ret;
$retval['cant'] = count($ret);
return $retval;
}
public function get_group_children_with_permissions($groupName)
{
$query = "SELECT DISTINCT ug.* from users_groups as ug join users_grouppermissions as up on ug.groupName = up.groupName
where ug.groupName in (select groupName from tiki_group_inclusion where includeGroup = ?) order by id asc;";
$ret = $this->fetchAll($query, [$groupName]);
$retval = [];
$retval['data'] = $ret;
$retval['cant'] = count($ret);
return $retval;
}
public function get_groups($offset = 0, $maxRecords = -1, $sort_mode = 'groupName_asc', $find = '', $initial = '', $details = "y", $inGroups = '', $userChoice = '')
{
$mid = '';
$bindvars = [];
if ($find) {
$mid = ' where `groupName` like ?';
$bindvars[] = '%' . $find . '%';
}
if ($initial) {
$mid = ' where `groupName` like ?';
$bindvars = [$initial . '%'];
}
if ($inGroups) {
$mid .= $mid ? ' and ' : ' where ';
$mid .= '`groupName` in (';
$cpt = 0;
foreach ($inGroups as $grp => $value) {
if ($cpt++) {
$mid .= ',';
}
$mid .= '?';
$bindvars[] = $grp;
}
$mid .= ')';
}
if ($userChoice) {
$mid .= $mid ? ' and ' : ' where ';
$mid .= "`userChoice` = 'y'";
}
$query = "select * from `users_groups` $mid order by " . $this->convertSortMode($sort_mode);
$query_cant = "select count(*) from `users_groups` $mid";
$ret = $this->fetchAll($query, $bindvars, $maxRecords, $offset);
$cant = $this->getOne($query_cant, $bindvars);
foreach ($ret as &$res) {
if ($details == 'y') {
$perms = $this->get_group_permissions($res['groupName']);
$res['perms'] = $perms;
$res['permcant'] = count($perms);
$groups = $this->get_included_groups($res['groupName']);
$res['included'] = $groups;
$res['included_direct'] = $this->get_included_groups($res['groupName'], false);
}
}
$retval = [];
$retval['data'] = $ret;
$retval['cant'] = $cant;
return $retval;
}
public function list_all_users()
{
global $tiki_p_list_users, $tiki_p_admin;
$cachelib = TikiLib::lib('cache');
if ($tiki_p_list_users !== 'y' && $tiki_p_admin != 'y') {
return [];
}
if (! $users = $cachelib->getSerialized('userslist')) {
$users = [];
$result = $this->query('select `login`,`userId` from `users_users` order by `login`', []);
while ($res = $result->fetchRow()) {
$users["{$res['userId']}"] = $res['login'];
}
$cachelib->cacheItem('userslist', serialize($users));
}
return $users;
}
public function list_regular_groups()
{
$groups = [];
$result = $this->query('select `id`, `groupName` from `users_groups` where isRole <> ? order by `groupName`', ['y']);
while ($res = $result->fetchRow()) {
$groups[] = ["groupName" => $res['groupName'], "id" => $res['id']];
}
return $groups;
}
public function list_role_groups()
{
return $this->fetchAll("
SELECT ug.id, ug.groupName FROM `users_groups` ug
WHERE
ug.isRole = 'y'
group by ug.id, ug.GroupName");
}
public function list_all_groups()
{
$cachelib = TikiLib::lib('cache');
if (! $groups = $cachelib->getSerialized('grouplist')) {
$groups = [];
$result = $this->query('select `groupName` from `users_groups` order by `groupName`', []);
while ($res = $result->fetchRow()) {
$groups[] = $res['groupName'];
}
$cachelib->cacheItem('grouplist', serialize($groups));
}
return $groups;
}
public function list_all_groupIds()
{
$cachelib = TikiLib::lib('cache');
if (! $groups = $cachelib->getSerialized('groupIdlist')) {
$groups = $this->fetchAll('select `id`, `groupName`, isRole from `users_groups` order by `groupName`', []);
$cachelib->cacheItem('groupIdlist', serialize($groups));
}
return $groups;
}
public function list_can_include_groups($group)
{
$list = [];
$query = 'select `groupName` from `users_groups`';
$result = $this->query($query);
while ($res = $result->fetchRow()) {
if ($res['groupName'] != $group) {
$includedGroups = $this->get_included_groups($res['groupName']);
if (! in_array($group, $includedGroups)) {
$list[] = $res['groupName'];
}
}
}
return $list;
}
public function list_all_groups_with_permission()
{
$groups = array_map(function ($g) {
return ['groupName' => $g];
}, $this->list_all_groups());
$filtered = Perms::filter(
['type' => 'group'],
'object',
$groups,
['object' => 'groupName'],
'group_view'
);
return array_map(function ($g) {
return $g['groupName'];
}, $filtered);
}
public function remove_user($user)
{
$cachelib = TikiLib::lib('cache');
if ($user == 'admin') {
return false;
}
$userexists_cache[$user] = null;
$userId = $this->getOne('select `userId` from `users_users` where `login` = ?', [$user]);
$groupTracker = $this->get_tracker_usergroup($user);
if ($groupTracker && $groupTracker['usersTrackerId']) {
$trklib = TikiLib::lib('trk');
$itemId = $trklib->get_item_id($groupTracker['usersTrackerId'], $groupTracker['usersFieldId'], $user);
if ($itemId) {
$trklib->remove_tracker_item($itemId);
}
}
$tracker = $this->get_usertracker($userId);
if ($tracker && $tracker['usersTrackerId']) {
$trklib = TikiLib::lib('trk');
$itemId = $trklib->get_item_id($tracker['usersTrackerId'], $tracker['usersFieldId'], $user);
if ($itemId) {
$trklib->remove_tracker_item($itemId);
}
}
$query = 'delete from `users_users` where binary `login` = ?';
$result = $this->query($query, [ $user ]);
$query = 'delete from `users_usergroups` where `userId`=?';
$result = $this->query($query, [ $userId ]);
$query = 'delete from `tiki_user_login_cookies` where `userId`=?';
$result = $this->query($query, [ $userId ]);
$query = 'delete from `tiki_user_watches` where binary `user`=?';
$result = $this->query($query, [$user]);
$query = 'delete from `tiki_user_preferences` where binary `user`=?';
$result = $this->query($query, [$user]);
$query = 'delete from `tiki_newsletter_subscriptions` where binary `email`=? and `isUser`=?';
$result = $this->query($query, [$user, 'y']);
$this->query('delete from `tiki_user_reports` where `user` = ?', [$user]);
$this->query('delete from `tiki_user_reports_cache` where `user` = ?', [$user]);
$this->query('delete from `tiki_user_mailin_struct` where `username` = ?', [$user]);
$cachelib->invalidate('userslist');
TikiLib::events()->trigger('tiki.user.delete', ['type' => 'user', 'object' => $user]);
return true;
}
public function change_login($from, $to)
{
global $user;
$cachelib = TikiLib::lib('cache');
if ($from == 'admin') {
return false;
}
$userexists_cache[$user] = null;
$userId = $this->getOne('select `userId` from `users_users` where `login` = ?', [$from]);
if ($userId) {
$this->query('update `users_users` set `login`=? where `userId` = ?', [$to, (int)$userId]);
$this->query('update `tiki_wiki_attachments` set `user`=? where `user`=?', [$to, $from]);
$this->query('update `tiki_webmail_contacts` set `user`=? where `user`=?', [$to, $from]);
$this->query('update `tiki_webmail_contacts_fields` set `user`=? where `user`=?', [$to, $from]);
$this->query('update `tiki_userpoints` set `user`=? where `user`=?', [$to, $from]);
$this->query('update `tiki_userfiles` set `user`=? where `user`=?', [$to, $from]);
$this->query('update `tiki_user_watches` set `user`=? where `user`=?', [$to, $from]);
$this->query('update `tiki_user_votings` set `user`=? where `user`=?', [$to, $from]);
$this->query('update `tiki_user_tasks` set `user`=? where `user`=?', [$to, $from]);
$this->query('update `tiki_user_tasks` set `creator`=? where `creator`=?', [$to, $from]);
$this->query('update `tiki_user_tasks_history` set `lasteditor`=? where `lasteditor`=?', [$to, $from]);
$this->query('update `tiki_user_taken_quizzes` set `user`=? where `user`=?', [$to, $from]);
$this->query('update `tiki_user_quizzes` set `user`=? where `user`=?', [$to, $from]);
$this->query('update `tiki_user_preferences` set `user`=? where `user`=?', [$to, $from]);
$this->query('update `tiki_user_postings` set `user`=? where `user`=?', [$to, $from]);
$this->query('update `tiki_user_notes` set `user`=? where `user`=?', [$to, $from]);
$this->query('update `tiki_user_menus` set `user`=? where `user`=?', [$to, $from]);
$this->query('update `tiki_user_bookmarks_urls` set `user`=? where `user`=?', [$to, $from]);
$this->query('update `tiki_user_bookmarks_folders` set `user`=? where `user`=?', [$to, $from]);
$this->query('update `tiki_user_assigned_modules` set `user`=? where `user`=?', [$to, $from]);
$this->query('update `tiki_tags` set `user`=? where `user`=?', [$to, $from]);
$this->query('update `tiki_suggested_faq_questions` set `user`=? where `user`=?', [$to, $from]);
$this->query('update `tiki_submissions` set `author`=? where `author`=?', [$to, $from]);
$this->query('update `tiki_shoutbox` set `user`=? where `user`=?', [$to, $from]);
$this->query('update `tiki_sessions` set `user`=? where `user`=?', [$to, $from]);
$this->query('update `tiki_semaphores` set `user`=? where `user`=?', [$to, $from]);
$this->query('update `tiki_received_pages` set `receivedFromUser`=? where `receivedFromUser`=?', [$to, $from]);
$this->query('update `tiki_received_articles` set `author`=? where `author`=?', [$to, $from]);
$this->query('update `tiki_private_messages` set `poster`=? where `poster`=?', [$to, $from]);
$this->query('update `tiki_private_messages` set `toNickname`=? where `toNickname`=?', [$to, $from]);
$this->query('update `tiki_pages` set `user`=? where `user`=?', [$to, $from]);
$this->query('update `tiki_pages` set `creator`=? where `creator`=?', [$to, $from]);
$this->query('update `tiki_page_footnotes` set `user`=? where `user`=?', [$to, $from]);
$this->query('update `tiki_newsletters` set `author`=? where `author`=?', [$to, $from]);
$this->query('update `tiki_minical_events` set `user`=? where `user`=?', [$to, $from]);
$this->query('update `tiki_minical_topics` set `user`=? where `user`=?', [$to, $from]);
$this->query('update `tiki_mailin_accounts` set `user`=? where `user`=?', [$to, $from]);
$this->query('update `tiki_live_support_requests` set `operator`=? where `operator`=?', [$to, $from]);
$this->query('update `tiki_live_support_requests` set `tiki_user`=? where `tiki_user`=?', [$to, $from]);
$this->query('update `tiki_live_support_requests` set `user`=? where `user`=?', [$to, $from]);
$this->query('update `tiki_live_support_operators` set `user`=? where `user`=?', [$to, $from]);
$this->query('update `tiki_live_support_messages` set `user`=? where `user`=?', [$to, $from]);
$this->query('update `tiki_live_support_messages` set `username`=? where `username`=?', [$to, $from]);
$this->query('update `tiki_history` set `user`=? where `user`=?', [$to, $from]);
$this->query('update `tiki_forums_reported` set `user`=? where `user`=?', [$to, $from]);
$this->query('update `tiki_forums_queue` set `user`=? where `user`=?', [$to, $from]);
$this->query('update `tiki_forums` set `moderator`=? where `moderator`=?', [$to, $from]);
$this->query('update `tiki_forum_reads` set `user`=? where `user`=?', [$to, $from]);
$this->query('update `tiki_files` set `user`=? where `user`=?', [$to, $from]);
$this->query('update `tiki_files` set `lastModifUser`=? where `lastModifUser`=?', [$to, $from]);
$this->query('update `tiki_files` set `lockedby`=? where `lockedby`=?', [$to, $from]);
$this->query('update `tiki_file_galleries` set `user`=? where `user`=?', [$to, $from]);
$this->query('update `tiki_file_drafts` set `user`=? where `user`=?', [$to, $from]);
$this->query('update `tiki_copyrights` set `userName`=? where `userName`=?', [$to, $from]);
$this->query('update `tiki_comments` set `userName`=? where `userName`=?', [$to, $from]);
$this->query('update `tiki_chat_users` set `nickname`=? where `nickname`=?', [$to, $from]);
$this->query('update `tiki_chat_messages` set `poster`=? where `poster`=?', [$to, $from]);
$this->query('update `tiki_chat_channels` set `moderator`=? where `moderator`=?', [$to, $from]);
$this->query('update `tiki_calendars` set `user`=? where `user`=?', [$to, $from]);
$this->query('update `tiki_calendar_roles` set `username`=? where `username`=?', [$to, $from]);
$this->query('update `tiki_calendar_items` set `user`=? where `user`=?', [$to, $from]);
$this->query('update `tiki_blogs` set `user`=? where `user`=?', [$to, $from]);
$this->query('update `tiki_blog_posts` set `user`=? where `user`=?', [$to, $from]);
$this->query('update `tiki_banning` set `user`=? where `user`=?', [$to, $from]);
$this->query('update `tiki_banners` set `client`=? where `client`=?', [$to, $from]);
$this->query('update `tiki_articles` set `author`=? where `author`=?', [$to, $from]);
$this->query('update `tiki_actionlog` set `user`=? where `user`=?', [$to, $from]);
$this->query('update `messu_messages` set `user`=? where `user`=?', [$to, $from]);
$this->query('update `messu_messages` set `user_from`=? where `user_from`=?', [$to, $from]);
$this->query('update `tiki_newsletter_subscriptions` set `email`=? where `email`=? and `isUser`=?', [$to, $from, 'y']);
$this->query("update `tiki_object_relations` set `source_itemId`=? where source_type='user' and `source_itemId`=?", [$to, $from]);
$this->query("update `tiki_object_relations` set `target_itemId`=? where target_type='user' and `target_itemId`=?", [$to, $from]);
$this->query('update `tiki_freetagged_objects` set `user`=? where `user`=?', [$to, $from]);
$this->query('update `tiki_object_scores` set `triggerUser`=? where `triggerUser`=?', [$to, $from]);
$this->query("update `tiki_object_scores` set `recipientObjectId`=? where `recipientObjectType`='user' and `recipientObjectId`=?", [$to, $from]);
$this->query(
'update `tiki_tracker_item_fields`ttif' .
' left join `tiki_tracker_fields` ttf on (ttif.`fieldId`=ttf.`fieldId`)' .
' set `value`=? where ttif.`value`=? and ttf.`type`=?',
[$to, $from, 'u']
);
$this->query('update `tiki_tracker_items` set `createdBy`=? where `createdBy`=?', [$to, $from]);
$this->query('update `tiki_tracker_items` set `lastModifBy`=? where `lastModifBy`=?', [$to, $from]);
$result = $this->query("select `fieldId`, `itemChoices` from `tiki_tracker_fields` where `type`='u'");
while ($res = $result->fetchRow()) {
$u = ($res['itemChoices'] != '' ) ? unserialize($res['itemChoices']) : [];
if ($value = array_search($from, $u)) {
$u[$value] = $to;
$u = serialize($u);
$this->query('update `tiki_tracker_fields` set `itemChoices`=? where `fieldId`=?', [$u, $res['fieldId']]);
}
}
$result = $this->query(
'select ttif.itemId, ttif.fieldId, ttif.value from `tiki_tracker_item_fields` ttif' .
' left join `tiki_tracker_fields` ttf on ttif.fieldId = ttf.fieldId' .
' where ttif.value LIKE ? and ttf.type = ? and ttf.options NOT LIKE ?',
['%' . $from . '%', 'u', '"multiple":0']
);
while ($res = $result->fetchRow()) {
$values = TikiLib::lib('trk')->parse_user_field($res['value']);
$key = array_search($from, $values);
if ($key !== false) {
$values[$key] = $to;
$this->query(
'update `tiki_tracker_item_fields` set value = ? where itemId = ? and fieldId = ?',
[TikiLib::lib('tiki')->str_putcsv($values), $res['itemId'], $res['fieldId']]
);
}
}
$cachelib->invalidate('userslist');
TikiLib::events()->trigger('tiki.user.update', ['type' => 'user', 'object' => $from]);
TikiLib::events()->trigger('tiki.user.update', ['type' => 'user', 'object' => $to]);
return true;
} else {
return false;
}
}
public function remove_group($group)
{
if ($group == 'Anonymous' || $group == 'Registered') {
return false;
}
$info = $this->get_group_info($group);
$query = 'delete from `tiki_group_inclusion` where `groupName` = ? or `includeGroup` = ?';
$result = $this->query($query, [$group, $group]);
$query = [];
$query[] = 'delete from `users_groups` where `groupName` = ?';
$query[] = 'delete from `users_usergroups` where `groupName` = ?';
$query[] = 'delete from `users_grouppermissions` where `groupName` = ?';
$query[] = 'delete from `users_objectpermissions` where `groupName` = ?';
$query[] = 'delete from `tiki_newsletter_groups` where `groupName` = ?';
$query[] = 'delete from `tiki_group_watches` where `group` = ?';
foreach ($query as $q) {
$this->query($q, [$group]);
}
$this->query('update `users_users` set `default_group`=? where `default_group`=?', ['Registered', $group]);
if (isset($info['id'])) {
TikiLib::lib('categ')->detach_managed_category($info['id']);
TikiLib::lib('attribute')->delete_objects_with('tiki.category.templatedgroupid', $info['id']);
TikiLib::lib('attribute')->delete_objects_with('tiki.menu.templatedgroupid', $info['id']);
}
TikiLib::events()->trigger('tiki.group.delete', [
'type' => 'group',
'object' => $group,
]);
$cachelib = TikiLib::lib('cache');
$cachelib->invalidate('grouplist');
$cachelib->invalidate('group_theme_' . $group);
return $result;
}
public function get_user_default_group($user)
{
if (! isset($user)) {
return 'Anonymous';
}
if (isset($_SESSION['u_info']) && $user == $_SESSION['u_info']['login']) {
if (isset($_SESSION['u_info']['group']) && is_string($_SESSION['u_info']['group'])) {
return $_SESSION['u_info']['group'];
} elseif (isset($_SESSION['u_info']['group']['groupName']) && is_string($_SESSION['u_info']['group']['groupName'])) {
return $_SESSION['u_info']['group']['groupName'];
}
}
$query = 'select `default_group` from `users_users` where `login` = ?';
$result = $this->getOne($query, [$user]);
$ret = '';
if (! is_null($result) && $result != '') {
$ret = $result;
} else {
$groups = $this->get_user_groups($user);
foreach ($groups as $gr) {
if ($gr != 'Anonymous' and $gr != 'Registered' and $gr != '') {
$ret = $gr;
break;
}
}
if (! $ret) {
$ret = 'Registered';
}
}
return $ret;
}
/**
* Returns the wiki page name for the current user and checks for useGroupHome pref
*
* @param string $user current logged in user
* @return string page name
*/
public function get_user_default_homepage($user)
{
global $prefs;
if ($prefs['useGroupHome'] !== 'y') {
return $prefs['wikiHomePage'];
}
$home = '';
$group = $this->get_user_default_group($user);
if ($group) {
$home = $this->get_group_home($group);
}
if (! $home) { // work through the other groups this user is a member of
$query = "select g.`groupHome`, g.`groupName`" .
" from `users_usergroups` as gu, `users_users` as u, `users_groups`as g" .
" where gu.`userId`= u.`userId` and u.`login`=? and gu.`groupName`= g.`groupName` and g.`groupHome` != '' and g.`groupHome` is not null";
$result = $this->query($query, [$user]);
while ($res = $result->fetchRow()) {
if ($home != '') {
$groups = $this->get_included_groups($res['groupName']);
if (in_array($group, $groups)) {
$home = $res['groupHome'];
$group = $res['groupName'];
}
} else {
$home = $res['groupHome'];
$group = $res['groupName'];
}
}
}
$home = $this->best_multilingual_page($home);
$validHome = substr($home, 0, 1) === '/'
|| preg_match(',^https?://,', $home)
|| TikiLib::lib('tiki')->page_exists($home);
if (! $validHome && $prefs['tikiIndex'] === 'tiki-index.php') {
$home = $prefs['wikiHomePage'];
}
return $home;
}
public function best_multilingual_page($page)
{
global $prefs;
if ($prefs['feature_multilingual'] != 'y') {
return ($page);
}
$info = $this->get_page_info($page);
if (empty($info)) {
return $page;
}
$multilinguallib = TikiLib::lib('multilingual');
$bestLangPageId = $multilinguallib->selectLangObj('wiki page', $info['page_id'], $prefs['language']);
if ($info['page_id'] == $bestLangPageId) {
return $page;
}
return $this->get_page_name_from_id($bestLangPageId);
}
/* Returns a theme/style for this ithe default group of the current user. */
public function get_user_group_theme()
{
global $user;
$group = $this->get_user_default_group($user);
$cachelib = TikiLib::lib('cache');
$k = 'group_theme_' . $group;
if ($data = $cachelib->getCached($k)) {
$return = $data;
} elseif (! empty($group)) {
$query = 'select `groupTheme` from `users_groups` where `groupName` = ?';
$return = $this->getOne($query, [$group]);
$cachelib->cacheItem($k, $return);
}
return $return;
}
/* Returns a default category for user's default_group
*/
public function get_user_group_default_category($user)
{
$query = 'select `groupDefCat` from `users_groups` ug, `users_users` uu where `login` = ? and ug.`groupName` = uu.`default_group`';
$result = $this->getOne($query, [$user]);
return $result;
}
//modified get_user_groups() to know if the user is part of the group directly or through groups inclusion
public function get_user_groups_inclusion($user)
{
$userid = $this->get_user_id($user);
$query = 'select `groupName` from `users_usergroups` where `userId`=?';
$result = $this->query($query, [(int)$userid]);
$real = []; //really assigned groups (not (only) included)
$ret = [];
while ($res = $result->fetchRow()) {
$real[] = $res['groupName'];
foreach ($this->get_included_groups($res['groupName']) as $group) {
$ret[$group] = 'included';
}
}
foreach ($real as $group) {
$ret[$group] = 'real';
}
return $ret;
}
public function get_group_home($group)
{
$query = 'select `groupHome` from `users_groups` where `groupName`=?';
$result = $this->getOne($query, [$group]);
$ret = '';
if (! is_null($result)) {
$ret = $result;
}
return $ret;
}
/**
* Return information about users that belong to a
* specific group
*
* @param string $group group name
* @param int $offset
* @param int $max
* @param string $what which user fields to retrieve
* @param string $sort_mode
* @return array list of users
*/
public function get_group_users($group, $offset = 0, $max = -1, $what = 'login', $sort_mode = 'login_asc')
{
if (empty($group)) {
return [];
}
$w = $what == '*' ? 'uu.*, ug.`created`, ug.`expire` ' : "uu.`$what`";
if (strpos($sort_mode, 'created_') !== false) {
$sort_mode = 'ug.' . $sort_mode; // avoid ambiguity of created column
}
$query = "select $w from `users_users` uu, `users_usergroups` ug where uu.`userId`=ug.`userId` and `groupName`=? order by " .
$this->convertSortMode($sort_mode);
$result = $this->fetchAll($query, $group, $max, $offset);
$ret = [];
foreach ($result as $res) {
$ret[] = ($what == '*') ? $res : $res[$what];
}
return $ret;
}
public function get_recur_group_users($group, $recur = 0, $what = 'login')
{
$users = $this->get_group_users($group, 0, -1, $what);
if ($recur > 0) {
$includings = $this->get_including_groups($group, 'n');
--$recur;
foreach ($includings as $including) {
$users = array_merge($users, $this->get_recur_group_users($including, $recur, $what));
}
}
return $users;
}
public function get_user_info($user, $inclusion = false, $field = 'login')
{
global $prefs;
if ($field == 'userId') {
$user = (int)$user;
} elseif ($field != 'login') {
return false;
}
$result = $this->query("select * from `users_users` where `$field`=?", [$user]);
if ($res = $result->fetchRow()) {
$res['groups'] = ( $inclusion ) ? $this->get_user_groups_inclusion($res['login']) : $this->get_user_groups($res['login']);
$res['age'] = ( ! isset($res['registrationDate']) ) ? 0 : $this->now - $res['registrationDate'];
if ($prefs['login_is_email'] == 'y' && isset($res['login']) && $res['login'] != 'admin') {
$res['email'] = $res['login'];
}
$res['editable'] = $this->user_can_be_edited($res['login']);
return $res;
}
}
public function get_userid_info($user, $inclusion = false)
{
return $this->get_user_info($user, $inclusion, 'userId');
}
/**
* Helps recognize nicknames which anonymous users have chosen
* A leading tab is for recognizing anonymous entries. Real usernames don't start with a tab
* @param string $username user nickname or name
* @return string string which should be displayed
*/
public function distinguish_anonymous_users($username = "")
{
if (empty($username)) {
return "";
}
if ($username[0] == "\t") {
$username = $username . ' (' . tra('unverified') . ')';
}
return $username;
}
/**
* Creates DOM tag for user info with popup or not depending on prefs etc
* @param string $auser user to find info for (current user if empty)
* @param string $body content of the anchor tag (user name if empty)
* @param string $class add a class to the a tag (default userlink)
* @return string HTML anchor tag
*/
public function build_userinfo_tag($auser = '', $body = '', $class = 'userlink', $show_popup = 'y', $elementId = '')
{
global $user, $prefs;
if (! $auser) {
$auser = $user;
}
$realn = $this->clean_user($auser);
if (! $body) {
$body = $realn;
}
if ($elementId) {
$idStr = " id=\"$elementId\"";
} else {
$idStr = '';
}
$isSelf = ($auser === $user) ? true : false;
// Only process if feature_friends enabled, user_information public or we query ourselfs
if (($this->get_user_preference($auser, 'user_information', 'public') != 'public') && ($prefs['feature_friends'] != 'y') && ! $isSelf) {
return "$body";
}
$id = $this->get_user_id($auser);
if ($id == -1) {
return $body;
}
$extra = '';
if ($show_popup == "n") {
//do nothing for adding a tip
$title = '';
} elseif ($prefs['feature_community_mouseover'] == 'y' && ($this->get_user_preference($auser, 'show_mouseover_user_info', 'y') == 'y' || $prefs['feature_friends'] == 'y')) {
$data = TikiLib::lib('service')->getUrl([
'controller' => 'user',
'action' => 'info',
'username' => $auser,
]);
$extra .= ' data-ajaxtips="' . htmlspecialchars($data, ENT_QUOTES) . '"';
$class .= ' ajaxtips';
if ($auser === $user) {
$title = tra('Your Information');
} else {
$title = tra('User Information');
}
} elseif ($prefs['user_show_realnames'] == 'y') {
$class .= ' tips';
$title = tr('User') . ':' . $realn;
} else {
$class .= ' tips';
$title = tr('User') . ':' . $auser;
}
if (empty($prefs['urlOnUsername'])) {
$url = 'tiki-user_information.php?userId=' . $id;
if ($prefs['feature_sefurl'] == 'y') {
include_once('tiki-sefurl.php');
$url = filter_out_sefurl($url);
}
} else {
$url = preg_replace(
['/%userId%/', '/%user%/'],
[$id, $auser],
$prefs['urlOnUsername']
);
}
$lat = $this->get_user_preference($auser, 'lat');
$lon = $this->get_user_preference($auser, 'lon');
$zoom = $this->get_user_preference($auser, 'zoom');
if (! ($lat == 0 && $lon == 0)) {
$class .= ' geolocated';
$extra .= ' data-geo-lat="' . $lat . '" data-geo-lon="' . $lon . '"';
if ($zoom) {
$extra .= ' data-geo-zoom="' . $zoom . '"';
}
}
if ($title) {
$titleStr = ' title="' . htmlspecialchars($title, ENT_QUOTES) . '"';
} else {
$titleStr = '';
}
$body = "