X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=application%2Fsecurity%2FLoginManager.php;h=bdfaca7b29f05e4c46a8f79e848990bd18d3d33f;hb=refs%2Fheads%2Fgitolite_local%2Fldap;hp=d6784d6da6424e266a21702b7f0686746e91fe20;hpb=630ebca2b6359e942e5b6c057cca2b6069c1093a;p=github%2Fshaarli%2FShaarli.git

diff --git a/application/security/LoginManager.php b/application/security/LoginManager.php
index d6784d6d..bdfaca7b 100644
--- a/application/security/LoginManager.php
+++ b/application/security/LoginManager.php
@@ -32,6 +32,9 @@ class LoginManager
     /** @var string User sign-in token depending on remote IP and credentials */
     protected $staySignedInToken = '';
 
+    protected $lastErrorReason = '';
+    protected $lastErrorIsBanishable = false;
+
     /**
      * Constructor
      *
@@ -83,7 +86,7 @@ class LoginManager
      */
     public function checkLoginState($cookie, $clientIpId)
     {
-        if (! $this->configManager->exists('credentials.login')) {
+        if (! $this->configManager->exists('credentials.login') || (isset($_SESSION['username']) && $_SESSION['username'] && $this->configManager->get('credentials.login') !== $_SESSION['username'])) {
             // Shaarli is not configured yet
             $this->isLoggedIn = false;
             return;
@@ -133,20 +136,40 @@ class LoginManager
      */
     public function checkCredentials($remoteIp, $clientIpId, $login, $password)
     {
-        $hash = sha1($password . $login . $this->configManager->get('credentials.salt'));
+        $this->lastErrorIsBanishable = false;
+
+        if ($this->configManager->getUserSpace() !== null && $this->configManager->getUserSpace() !== $login) {
+          logm($this->configManager->get('resource.log'),
+               $remoteIp,
+               'Trying to login to wrong user space');
+          $this->lastErrorReason = 'You’re trying to access the wrong account.';
+          return false;
+        }
 
-        if ($login != $this->configManager->get('credentials.login')
-            || $hash != $this->configManager->get('credentials.hash')
-        ) {
+        logm($this->configManager->get('resource.log'),
+             $remoteIp,
+             'Trying LDAP connection');
+        $result = $this->configManager->findLDAPUser($login, $password);
+        if ($result === false) {
             logm(
                 $this->configManager->get('resource.log'),
                 $remoteIp,
-                'Login failed for user ' . $login
+                'Impossible to connect to LDAP'
             );
+            $this->lastErrorReason = 'Server error.';
+            return false;
+        } else if (is_null($result)) {
+            logm(
+              $this->configManager->get('resource.log'),
+              $remoteIp,
+              'Login failed for user ' . $login
+            );
+            $this->lastErrorIsBanishable = true;
+            $this->lastErrorReason = 'Wrong login/password.';
             return false;
         }
 
-        $this->sessionManager->storeLoginInfo($clientIpId);
+        $this->sessionManager->storeLoginInfo($clientIpId, $login);
         logm(
             $this->configManager->get('resource.log'),
             $remoteIp,
@@ -187,6 +210,10 @@ class LoginManager
      */
     public function handleFailedLogin($server)
     {
+        if (!$this->lastErrorIsBanishable) {
+          return $this->lastErrorReason ?: 'Error during login.';
+        };
+
         $ip = $server['REMOTE_ADDR'];
         $trusted = $this->configManager->get('security.trusted_proxies', []);
 
@@ -215,6 +242,7 @@ class LoginManager
             );
         }
         $this->writeBanFile();
+        return $this->lastErrorReason ?: 'Error during login.';
     }
 
     /**