/** @var string User sign-in token depending on remote IP and credentials */
protected $staySignedInToken = '';
+ protected $lastErrorReason = '';
+ protected $lastErrorIsBanishable = false;
+
/**
* Constructor
*
$this->sessionManager = $sessionManager;
$this->banFile = $this->configManager->get('resource.ban_file', 'data/ipbans.php');
$this->readBanFile();
- if ($this->configManager->get('security.open_shaarli')) {
+ if ($this->configManager->get('security.open_shaarli') === true) {
$this->openShaarli = true;
}
}
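Review bot: The strict `=== true` on the `security.open_shaarli` check now leaves the instance closed when the setting is stored as `1` or `'true'`, where the previous truthy test opened it. If the config loader is known to hand back a real boolean here this is fine; otherwise a comment such as `// strict: the setting must be a real boolean, not a truthy string` would record that the change is intentional. The start of the constructor is outside the hunk.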
*
* @param array $cookie The $_COOKIE array
* @param string $clientIpId Client IP address identifier
- *
- * @return bool true if the user session is valid, false otherwise
*/
public function checkLoginState($cookie, $clientIpId)
{
- if (! $this->configManager->exists('credentials.login')) {
+ if (! $this->configManager->exists('credentials.login') || (isset($_SESSION['username']) && $_SESSION['username'] && $this->configManager->get('credentials.login') !== $_SESSION['username'])) {
// Shaarli is not configured yet
$this->isLoggedIn = false;
return;
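Review bot: The username-mismatch case added to the condition on L26 returns with `$this->isLoggedIn = false` but never calls `$this->sessionManager->logout()`, so a session still carrying another account's `username` stays alive and is merely re-evaluated on every request; the comment `// Shaarli is not configured yet` no longer describes that branch either. Splitting it out keeps both cases readable: `if (isset($_SESSION['username']) && $_SESSION['username'] && $this->configManager->get('credentials.login') !== $_SESSION['username']) {` followed by `$this->sessionManager->logout(); return;`. Reading `$_SESSION` directly here also bypasses the session manager the rest of the method goes through; if it exposes the stored username, prefer that accessor. The method's body continues past the hunk.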
if (isset($cookie[self::$STAY_SIGNED_IN_COOKIE])
&& $cookie[self::$STAY_SIGNED_IN_COOKIE] === $this->staySignedInToken
) {
+ // The user client has a valid stay-signed-in cookie
+ // Session information is updated with the current client information
$this->sessionManager->storeLoginInfo($clientIpId);
- $this->isLoggedIn = true;
- }
- if ($this->sessionManager->hasSessionExpired()
+ } elseif ($this->sessionManager->hasSessionExpired()
|| $this->sessionManager->hasClientIpChanged($clientIpId)
) {
$this->sessionManager->logout();
return;
}
+ $this->isLoggedIn = true;
$this->sessionManager->extendSession();
}
*/
public function checkCredentials($remoteIp, $clientIpId, $login, $password)
{
- $hash = sha1($password . $login . $this->configManager->get('credentials.salt'));
+ $this->lastErrorIsBanishable = false;
+
+ if ($this->configManager->getUserSpace() !== null && $this->configManager->getUserSpace() !== $login) {
+ logm($this->configManager->get('resource.log'),
+ $remoteIp,
+ 'Trying to login to wrong user space');
+ $this->lastErrorReason = 'You’re trying to access the wrong account.';
+ return false;
+ }
- if ($login != $this->configManager->get('credentials.login')
- || $hash != $this->configManager->get('credentials.hash')
- ) {
+ logm($this->configManager->get('resource.log'),
+ $remoteIp,
+ 'Trying LDAP connection');
+ $result = $this->configManager->findLDAPUser($login, $password);
+ if ($result === false) {
logm(
$this->configManager->get('resource.log'),
$remoteIp,
- 'Login failed for user ' . $login
+ 'Impossible to connect to LDAP'
);
+ $this->lastErrorReason = 'Server error.';
+ return false;
+ } else if (is_null($result)) {
+ logm(
+ $this->configManager->get('resource.log'),
+ $remoteIp,
+ 'Login failed for user ' . $login
+ );
+ $this->lastErrorIsBanishable = true;
+ $this->lastErrorReason = 'Wrong login/password.';
return false;
}
- $this->sessionManager->storeLoginInfo($clientIpId);
+ $this->sessionManager->storeLoginInfo($clientIpId, $login);
logm(
$this->configManager->get('resource.log'),
$remoteIp,
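Review bot: The success path on L88 is reached whenever `findLDAPUser()` returns anything other than `false` or `null`, so an unexpected return (an empty array, `0`, an error object) would log the user in; gate it positively instead, e.g. `if ($result === null) { … }` for the rejection followed by an explicit check of the shape `findLDAPUser()` promises before `storeLoginInfo()`, or document that contract on the method. The wrong-user-space rejection on L54–L60 leaves `lastErrorIsBanishable` at false, so those attempts never reach the ban counter in `handleFailedLogin()` and can be repeated without limit; unless that is deliberate it should set `$this->lastErrorIsBanishable = true;` like the wrong-password branch. Minor style: `else if` on L77 should be `elseif`, and `is_null($result)` reads better as `$result === null`. The method's tail (the success log call) runs past the hunk.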
*/
public function handleFailedLogin($server)
{
+ if (!$this->lastErrorIsBanishable) {
+ return $this->lastErrorReason ?: 'Error during login.';
+ };
+
$ip = $server['REMOTE_ADDR'];
$trusted = $this->configManager->get('security.trusted_proxies', []);
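Review bot: The stray `;` after the closing brace on L97 is an empty statement and should be dropped. The early return on L95–L96 correctly keeps non-banishable failures away from the ban file, but `lastErrorReason` is never reset at the top of `checkCredentials()` (only `lastErrorIsBanishable` is, on L52), so a reason from an earlier failed call can be reported if this method is ever reached without a fresh `checkCredentials()` call; resetting both fields together avoids that. The rest of the method is outside the hunk.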
);
}
$this->writeBanFile();
+ return $this->lastErrorReason ?: 'Error during login.';
}
/**