X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=application%2Fsecurity%2FLoginManager.php;h=bdfaca7b29f05e4c46a8f79e848990bd18d3d33f;hb=refs%2Fheads%2Fgitolite_local%2Fldap;hp=41fa9a20ee9c4d025e6ae72f59897e9c7c3c2f17;hpb=c689e108639a4f6aa9e15928422e14db7cbe30ca;p=github%2Fshaarli%2FShaarli.git

diff --git a/application/security/LoginManager.php b/application/security/LoginManager.php
index 41fa9a20..bdfaca7b 100644
--- a/application/security/LoginManager.php
+++ b/application/security/LoginManager.php
@@ -32,6 +32,9 @@ class LoginManager
     /** @var string User sign-in token depending on remote IP and credentials */
     protected $staySignedInToken = '';
 
+    protected $lastErrorReason = '';
+    protected $lastErrorIsBanishable = false;
+
     /**
      * Constructor
      *
@@ -46,7 +49,7 @@ class LoginManager
         $this->sessionManager = $sessionManager;
         $this->banFile = $this->configManager->get('resource.ban_file', 'data/ipbans.php');
         $this->readBanFile();
-        if ($this->configManager->get('security.open_shaarli')) {
+        if ($this->configManager->get('security.open_shaarli') === true) {
             $this->openShaarli = true;
         }
     }
@@ -80,12 +83,10 @@ class LoginManager
      *
      * @param array  $cookie     The $_COOKIE array
      * @param string $clientIpId Client IP address identifier
-     *
-     * @return bool true if the user session is valid, false otherwise
      */
     public function checkLoginState($cookie, $clientIpId)
     {
-        if (! $this->configManager->exists('credentials.login')) {
+        if (! $this->configManager->exists('credentials.login') || (isset($_SESSION['username']) && $_SESSION['username'] && $this->configManager->get('credentials.login') !== $_SESSION['username'])) {
             // Shaarli is not configured yet
             $this->isLoggedIn = false;
             return;
@@ -94,11 +95,11 @@ class LoginManager
         if (isset($cookie[self::$STAY_SIGNED_IN_COOKIE])
             && $cookie[self::$STAY_SIGNED_IN_COOKIE] === $this->staySignedInToken
         ) {
+            // The user client has a valid stay-signed-in cookie
+            // Session information is updated with the current client information
             $this->sessionManager->storeLoginInfo($clientIpId);
-            $this->isLoggedIn = true;
-        }
 
-        if ($this->sessionManager->hasSessionExpired()
+        } elseif ($this->sessionManager->hasSessionExpired()
             || $this->sessionManager->hasClientIpChanged($clientIpId)
         ) {
             $this->sessionManager->logout();
@@ -106,6 +107,7 @@ class LoginManager
             return;
         }
 
+        $this->isLoggedIn = true;
         $this->sessionManager->extendSession();
     }
 
@@ -134,20 +136,40 @@ class LoginManager
      */
     public function checkCredentials($remoteIp, $clientIpId, $login, $password)
     {
-        $hash = sha1($password . $login . $this->configManager->get('credentials.salt'));
+        $this->lastErrorIsBanishable = false;
+
+        if ($this->configManager->getUserSpace() !== null && $this->configManager->getUserSpace() !== $login) {
+          logm($this->configManager->get('resource.log'),
+               $remoteIp,
+               'Trying to login to wrong user space');
+          $this->lastErrorReason = 'You’re trying to access the wrong account.';
+          return false;
+        }
 
-        if ($login != $this->configManager->get('credentials.login')
-            || $hash != $this->configManager->get('credentials.hash')
-        ) {
+        logm($this->configManager->get('resource.log'),
+             $remoteIp,
+             'Trying LDAP connection');
+        $result = $this->configManager->findLDAPUser($login, $password);
+        if ($result === false) {
             logm(
                 $this->configManager->get('resource.log'),
                 $remoteIp,
-                'Login failed for user ' . $login
+                'Impossible to connect to LDAP'
             );
+            $this->lastErrorReason = 'Server error.';
+            return false;
+        } else if (is_null($result)) {
+            logm(
+              $this->configManager->get('resource.log'),
+              $remoteIp,
+              'Login failed for user ' . $login
+            );
+            $this->lastErrorIsBanishable = true;
+            $this->lastErrorReason = 'Wrong login/password.';
             return false;
         }
 
-        $this->sessionManager->storeLoginInfo($clientIpId);
+        $this->sessionManager->storeLoginInfo($clientIpId, $login);
         logm(
             $this->configManager->get('resource.log'),
             $remoteIp,
@@ -188,6 +210,10 @@ class LoginManager
      */
     public function handleFailedLogin($server)
     {
+        if (!$this->lastErrorIsBanishable) {
+          return $this->lastErrorReason ?: 'Error during login.';
+        };
+
         $ip = $server['REMOTE_ADDR'];
         $trusted = $this->configManager->get('security.trusted_proxies', []);
 
@@ -216,6 +242,7 @@ class LoginManager
             );
         }
         $this->writeBanFile();
+        return $this->lastErrorReason ?: 'Error during login.';
     }
 
     /**