4 files changed, 104 insertions, 22 deletions

diff --git a/application/ApplicationUtils.php b/application/ApplicationUtils.php
index 911873a0..f21a1ef3 100644
--- a/application/ApplicationUtils.php
+++ b/application/ApplicationUtils.php
@@ -191,6 +191,9 @@ class ApplicationUtils
             $conf->get('resource.page_cache'),
             $conf->get('resource.raintpl_tmp'),
         ) as $path) {
+            if (! is_dir($path)) {
+                mkdir($path, 0755, true);
+            }
             if (! is_readable(realpath($path))) {
                 $errors[] = '"'.$path.'" '. t('directory is not readable');
             }
diff --git a/application/config/ConfigManager.php b/application/config/ConfigManager.php
index 32aaea48..99efc156 100644
--- a/application/config/ConfigManager.php
+++ b/application/config/ConfigManager.php
@@ -22,6 +22,11 @@ class ConfigManager
     public static $DEFAULT_PLUGINS = array('qrcode');
 
     /**
+     * @var string User space.
+     */
+    protected $userSpace;
+
+    /**
      * @var string Config folder.
      */
     protected $configFile;
@@ -41,12 +46,36 @@ class ConfigManager
      *
      * @param string $configFile Configuration file path without extension.
      */
-    public function __construct($configFile = 'data/config')
+    public function __construct($configFile = null, $userSpace = null)
     {
-        $this->configFile = $configFile;
+        $this->userSpace = $this->findLDAPUser($userSpace);
+        if ($configFile !== null) {
+            $this->configFile = $configFile;
+        } else {
+            $this->configFile = ($this->userSpace === null) ? 'data/config' : 'data/' . $this->userSpace . '/config';
+        }
         $this->initialize();
     }
 
+    public function findLDAPUser($login, $password = null) {
+        $connect = ldap_connect(getenv('SHAARLI_LDAP_HOST'));
+        ldap_set_option($connect, LDAP_OPT_PROTOCOL_VERSION, 3);
+        if (!$connect || !ldap_bind($connect, getenv('SHAARLI_LDAP_DN'), getenv('SHAARLI_LDAP_PASSWORD'))) {
+            return false;
+        }
+
+        $search_query = str_replace('%login%', ldap_escape($login), getenv('SHAARLI_LDAP_FILTER'));
+
+        $search = ldap_search($connect, getenv('SHAARLI_LDAP_BASE'), $search_query);
+        $info = ldap_get_entries($connect, $search);
+
+        if (ldap_count_entries($connect, $search) == 1 && (is_null($password) || ldap_bind($connect, $info[0]["dn"], $password))) {
+            return $login;
+        } else {
+            return null;
+        }
+    }
+
     /**
      * Reset the ConfigManager instance.
      */
@@ -270,6 +299,16 @@ class ConfigManager
     }
 
     /**
+     * Get the current userspace.
+     *
+     * @return mixed User space.
+     */
+    public function getUserSpace()
+    {
+      return $this->userSpace;
+    }
+
+    /**
      * Recursive function which find asked setting in the loaded config.
      *
      * @param array $settings Ordered array which contains keys to find.
@@ -342,19 +381,31 @@ class ConfigManager
      */
     protected function setDefaultValues()
     {
-        $this->setEmpty('resource.data_dir', 'data');
-        $this->setEmpty('resource.config', 'data/config.php');
-        $this->setEmpty('resource.datastore', 'data/datastore.php');
-        $this->setEmpty('resource.ban_file', 'data/ipbans.php');
-        $this->setEmpty('resource.updates', 'data/updates.txt');
-        $this->setEmpty('resource.log', 'data/log.txt');
-        $this->setEmpty('resource.update_check', 'data/lastupdatecheck.txt');
-        $this->setEmpty('resource.history', 'data/history.php');
+        if ($this->userSpace === null) {
+          $data = 'data';
+          $tmp  = 'tmp';
+          $cache = 'cache';
+          $pagecache = 'pagecache';
+        } else {
+          $data = 'data/' . ($this->userSpace);
+          $tmp  = 'tmp/' . ($this->userSpace);
+          $cache = 'cache/' . ($this->userSpace);
+          $pagecache = 'pagecache/' . ($this->userSpace);
+        }
+
+        $this->setEmpty('resource.data_dir', $data);
+        $this->setEmpty('resource.config', $data . '/config.php');
+        $this->setEmpty('resource.datastore', $data . '/datastore.php');
+        $this->setEmpty('resource.ban_file', $data . '/ipbans.php');
+        $this->setEmpty('resource.updates', $data . '/updates.txt');
+        $this->setEmpty('resource.log', $data . '/log.txt');
+        $this->setEmpty('resource.update_check', $data . '/lastupdatecheck.txt');
+        $this->setEmpty('resource.history', $data . '/history.php');
         $this->setEmpty('resource.raintpl_tpl', 'tpl/');
         $this->setEmpty('resource.theme', 'default');
-        $this->setEmpty('resource.raintpl_tmp', 'tmp/');
-        $this->setEmpty('resource.thumbnails_cache', 'cache');
-        $this->setEmpty('resource.page_cache', 'pagecache');
+        $this->setEmpty('resource.raintpl_tmp', $tmp);
+        $this->setEmpty('resource.thumbnails_cache', $cache);
+        $this->setEmpty('resource.page_cache', $pagecache);
 
         $this->setEmpty('security.ban_after', 4);
         $this->setEmpty('security.ban_duration', 1800);
diff --git a/application/security/LoginManager.php b/application/security/LoginManager.php
index d6784d6d..bdfaca7b 100644
--- a/application/security/LoginManager.php
+++ b/application/security/LoginManager.php
@@ -32,6 +32,9 @@ class LoginManager
     /** @var string User sign-in token depending on remote IP and credentials */
     protected $staySignedInToken = '';
 
+    protected $lastErrorReason = '';
+    protected $lastErrorIsBanishable = false;
+
     /**
      * Constructor
      *
@@ -83,7 +86,7 @@ class LoginManager
      */
     public function checkLoginState($cookie, $clientIpId)
     {
-        if (! $this->configManager->exists('credentials.login')) {
+        if (! $this->configManager->exists('credentials.login') || (isset($_SESSION['username']) && $_SESSION['username'] && $this->configManager->get('credentials.login') !== $_SESSION['username'])) {
             // Shaarli is not configured yet
             $this->isLoggedIn = false;
             return;
@@ -133,20 +136,40 @@ class LoginManager
      */
     public function checkCredentials($remoteIp, $clientIpId, $login, $password)
     {
-        $hash = sha1($password . $login . $this->configManager->get('credentials.salt'));
+        $this->lastErrorIsBanishable = false;
+
+        if ($this->configManager->getUserSpace() !== null && $this->configManager->getUserSpace() !== $login) {
+          logm($this->configManager->get('resource.log'),
+               $remoteIp,
+               'Trying to login to wrong user space');
+          $this->lastErrorReason = 'You’re trying to access the wrong account.';
+          return false;
+        }
 
-        if ($login != $this->configManager->get('credentials.login')
-            || $hash != $this->configManager->get('credentials.hash')
-        ) {
+        logm($this->configManager->get('resource.log'),
+             $remoteIp,
+             'Trying LDAP connection');
+        $result = $this->configManager->findLDAPUser($login, $password);
+        if ($result === false) {
             logm(
                 $this->configManager->get('resource.log'),
                 $remoteIp,
-                'Login failed for user ' . $login
+                'Impossible to connect to LDAP'
             );
+            $this->lastErrorReason = 'Server error.';
+            return false;
+        } else if (is_null($result)) {
+            logm(
+              $this->configManager->get('resource.log'),
+              $remoteIp,
+              'Login failed for user ' . $login
+            );
+            $this->lastErrorIsBanishable = true;
+            $this->lastErrorReason = 'Wrong login/password.';
             return false;
         }
 
-        $this->sessionManager->storeLoginInfo($clientIpId);
+        $this->sessionManager->storeLoginInfo($clientIpId, $login);
         logm(
             $this->configManager->get('resource.log'),
             $remoteIp,
@@ -187,6 +210,10 @@ class LoginManager
      */
     public function handleFailedLogin($server)
     {
+        if (!$this->lastErrorIsBanishable) {
+          return $this->lastErrorReason ?: 'Error during login.';
+        };
+
         $ip = $server['REMOTE_ADDR'];
         $trusted = $this->configManager->get('security.trusted_proxies', []);
 
@@ -215,6 +242,7 @@ class LoginManager
             );
         }
         $this->writeBanFile();
+        return $this->lastErrorReason ?: 'Error during login.';
     }
 
     /**
diff --git a/application/security/SessionManager.php b/application/security/SessionManager.php
index b8b8ab8d..5eb4aac5 100644
--- a/application/security/SessionManager.php
+++ b/application/security/SessionManager.php
@@ -111,10 +111,10 @@ class SessionManager
      *
      * @param string $clientIpId Client IP address identifier
      */
-    public function storeLoginInfo($clientIpId)
+    public function storeLoginInfo($clientIpId, $login = null)
     {
         $this->session['ip'] = $clientIpId;
-        $this->session['username'] = $this->conf->get('credentials.login');
+        $this->session['username'] = $login ?: $this->conf->get('credentials.login');
         $this->extendTimeValidityBy(self::$SHORT_TIMEOUT);
     }