From 8be08c692fb6720f11580bffe55e25e6375734fc Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@destailleur.fr>
Date: Wed, 25 Mar 2015 18:10:45 +0100
Subject: [PATCH] Fix some secuity tests were not done.

---
 htdocs/core/login/functions_dolibarr.php | 26 ++++---
 htdocs/core/login/functions_ldap.php     | 92 +++++++++++++-----------
 2 files changed, 66 insertions(+), 52 deletions(-)

diff --git a/htdocs/core/login/functions_dolibarr.php b/htdocs/core/login/functions_dolibarr.php
index 0a0ab1e8bfe..69aec814413 100644
--- a/htdocs/core/login/functions_dolibarr.php
+++ b/htdocs/core/login/functions_dolibarr.php
@@ -36,9 +36,6 @@
 function check_user_password_dolibarr($usertotest,$passwordtotest,$entitytotest=1)
 {
 	global $db,$conf,$langs;
-	global $mc;
-
-	dol_syslog("functions_dolibarr::check_user_password_dolibarr usertotest=".$usertotest);
 
 	// Force master entity in transversal mode
 	$entity=$entitytotest;
@@ -48,6 +45,8 @@ function check_user_password_dolibarr($usertotest,$passwordtotest,$entitytotest=
 
 	if (! empty($usertotest))
 	{
+		dol_syslog("functions_dolibarr::check_user_password_dolibarr usertotest=".$usertotest." passwordtotest=".preg_replace('/./','*',$passwordtotest)." entitytotest=".$entitytotest);
+
 		// If test username/password asked, we define $test=false and $login var if ok, set $_SESSION["dol_loginmesg"] if ko
 		$table = MAIN_DB_PREFIX."user";
 		$usernamecol1 = 'login';
@@ -60,7 +59,6 @@ function check_user_password_dolibarr($usertotest,$passwordtotest,$entitytotest=
 		if (preg_match('/@/',$usertotest)) $sql.=' OR '.$usernamecol2." = '".$db->escape($usertotest)."'";
 		$sql.=') AND '.$entitycol." IN (0," . ($entity ? $entity : 1) . ")";
 
-		dol_syslog("functions_dolibarr::check_user_password_dolibarr", LOG_DEBUG);
 		$resql=$db->query($sql);
 		if ($resql)
 		{
@@ -99,12 +97,6 @@ function check_user_password_dolibarr($usertotest,$passwordtotest,$entitytotest=
 					}
 				}
 
-				if ($passok && ! empty($obj->entity) && (! empty($conf->multicompany->enabled) && ! empty($conf->multicompany->transverse_mode)))
-				{
-					$ret=$mc->checkRight($obj->rowid, $entitytotest);	// The module multicompany check here user belong to at least one group into company. This is a bugged behaviour, so you must hack module to make thing working.
-					if ($ret < 0) $passok=false;
-				}
-
 				// Password ok ?
 				if ($passok)
 				{
@@ -112,12 +104,24 @@ function check_user_password_dolibarr($usertotest,$passwordtotest,$entitytotest=
 				}
 				else
 				{
-					dol_syslog("functions_dolibarr::check_user_password_dolibarr Authentification ko bad password pour '".$usertotest."'");
+					dol_syslog("functions_dolibarr::check_user_password_dolibarr Authentification ko bad password for '".$usertotest."'");
 					sleep(1);
 					$langs->load('main');
 					$langs->load('errors');
 					$_SESSION["dol_loginmesg"]=$langs->trans("ErrorBadLoginPassword");
 				}
+
+				if ($passok && ! empty($conf->multicompany->enabled))	// We must check entity
+				{
+					global $mc;
+
+					$ret=$mc->checkRight($obj->rowid, $entitytotest);
+					if ($ret < 0)
+					{
+						dol_syslog("functions_dolibarr::check_user_password_dolibarr Authentification ko entity '".$entitytotest."' not allowed for user '".$obj->rowid."'");
+						$login=''; // force authentication failure
+					}
+				}
 			}
 			else
 			{
diff --git a/htdocs/core/login/functions_ldap.php b/htdocs/core/login/functions_ldap.php
index a67bc040e2f..208ccd0c37c 100644
--- a/htdocs/core/login/functions_ldap.php
+++ b/htdocs/core/login/functions_ldap.php
@@ -34,7 +34,8 @@
  */
 function check_user_password_ldap($usertotest,$passwordtotest,$entitytotest)
 {
-	global $_POST,$db,$conf,$langs;
+	global $db,$conf,$langs;
+	global $_POST;
 	global $dolibarr_main_auth_ldap_host,$dolibarr_main_auth_ldap_port;
 	global $dolibarr_main_auth_ldap_version,$dolibarr_main_auth_ldap_servertype;
 	global $dolibarr_main_auth_ldap_login_attribute,$dolibarr_main_auth_ldap_dn;
@@ -42,6 +43,13 @@ function check_user_password_ldap($usertotest,$passwordtotest,$entitytotest)
 	global $dolibarr_main_auth_ldap_filter;
 	global $dolibarr_main_auth_ldap_debug;
 
+	// Force master entity in transversal mode
+	$entity=$entitytotest;
+	if (! empty($conf->multicompany->enabled) && ! empty($conf->multicompany->transverse_mode)) $entity=1;
+
+	$login='';
+	$resultFetchUser='';
+
 	if (! function_exists("ldap_connect"))
 	{
 		dol_syslog("functions_ldap::check_user_password_ldap Authentification ko failed to connect to LDAP. LDAP functions are disabled on this PHP");
@@ -52,11 +60,10 @@ function check_user_password_ldap($usertotest,$passwordtotest,$entitytotest)
 		return;
 	}
 
-	$login='';
-	$resultFetchUser='';
-
-	if (!empty($_POST["username"]) || $usertotest)
+	if ($usertotest)
 	{
+		dol_syslog("functions_ldap::check_user_password_ldap usertotest=".$usertotest." passwordtotest=".preg_replace('/./','*',$passwordtotest)." entitytotest=".$entitytotest);
+
 		// If test username/password asked, we define $test=false and $login var if ok, set $_SESSION["dol_loginmesg"] if ko
 		$ldaphost=$dolibarr_main_auth_ldap_host;
 		$ldapport=$dolibarr_main_auth_ldap_port;
@@ -80,7 +87,6 @@ function check_user_password_ldap($usertotest,$passwordtotest,$entitytotest)
 		$ldap->searchUser=$ldapadminlogin;
 		$ldap->searchPassword=$ldapadminpass;
 
-		dol_syslog("functions_ldap::check_user_password_ldap usertotest=".$usertotest);
 		if ($ldapdebug)
 		{
 			dol_syslog("functions_ldap::check_user_password_ldap Server:".join(',',$ldap->server).", Port:".$ldap->serverPort.", Protocol:".$ldap->ldapProtocolVersion.", Type:".$ldap->serverType);
@@ -146,52 +152,56 @@ function check_user_password_ldap($usertotest,$passwordtotest,$entitytotest)
 				$login=$usertotest;
 
 				// ldap2dolibarr synchronisation
-				if ($login && ! empty($conf->ldap->enabled) && $conf->global->LDAP_SYNCHRO_ACTIVE == 'ldap2dolibarr')
+				if ($login && ! empty($conf->ldap->enabled) && $conf->global->LDAP_SYNCHRO_ACTIVE == 'ldap2dolibarr')	// ldap2dolibarr synchronisation
 				{
-					dol_syslog("functions_ldap::check_user_password_ldap Sync ldap2dolibarr");
+						dol_syslog("functions_ldap::check_user_password_ldap Sync ldap2dolibarr");
 
-					// On charge les attributs du user ldap
-					if ($ldapdebug) print "DEBUG: login ldap = ".$login."<br>\n";
-					$resultFetchLdapUser = $ldap->fetch($login,$userSearchFilter);
+						// On charge les attributs du user ldap
+						if ($ldapdebug) print "DEBUG: login ldap = ".$login."<br>\n";
+						$resultFetchLdapUser = $ldap->fetch($login,$userSearchFilter);
 
-					if ($ldapdebug) print "DEBUG: UACF = ".join(',',$ldap->uacf)."<br>\n";
-					if ($ldapdebug) print "DEBUG: pwdLastSet = ".dol_print_date($ldap->pwdlastset,'day')."<br>\n";
-					if ($ldapdebug) print "DEBUG: badPasswordTime = ".dol_print_date($ldap->badpwdtime,'day')."<br>\n";
+						if ($ldapdebug) print "DEBUG: UACF = ".join(',',$ldap->uacf)."<br>\n";
+						if ($ldapdebug) print "DEBUG: pwdLastSet = ".dol_print_date($ldap->pwdlastset,'day')."<br>\n";
+						if ($ldapdebug) print "DEBUG: badPasswordTime = ".dol_print_date($ldap->badpwdtime,'day')."<br>\n";
 
-					// On recherche le user dolibarr en fonction de son SID ldap
-					$sid = $ldap->getObjectSid($login);
-					if ($ldapdebug) print "DEBUG: sid = ".$sid."<br>\n";
+						// On recherche le user dolibarr en fonction de son SID ldap
+						$sid = $ldap->getObjectSid($login);
+						if ($ldapdebug) print "DEBUG: sid = ".$sid."<br>\n";
 
-					$user=new User($db);
-					$resultFetchUser=$user->fetch('',$login,$sid);
-					if ($resultFetchUser > 0)
-					{
-						dol_syslog("functions_ldap::check_user_password_ldap Sync user found id=".$user->id);
-						// On verifie si le login a change et on met a jour les attributs dolibarr
-
-						if ($conf->multicompany->enabled)
+						$usertmp=new User($db);
+						$resultFetchUser=$usertmp->fetch('',$login,$sid);
+						if ($resultFetchUser > 0)
 						{
-							global $mc;
+							dol_syslog("functions_ldap::check_user_password_ldap Sync user found user id=".$usertmp->id);
+							// On verifie si le login a change et on met a jour les attributs dolibarr
 
-							$ret=$mc->checkRight($user->id, $entitytotest, $user);	// The module multicompany check here user belong to at least one group into company. This is a bugged behaviour, so you must hack module to make thing working.
-							if ($ret < 0)
+							if ($usertmp->login != $ldap->login && $ldap->login)
 							{
-								dol_syslog("Failed to checkRight by module multicompany for user id = ".$user->id." into entity ".$entitytotest);
-								$login=false; // force error of authentication
+								$usertmp->login = $ldap->login;
+								$usertmp->update($usertmp);
+								// TODO Que faire si update echoue car on update avec un login deja existant.
 							}
+
+							//$resultUpdate = $usertmp->update_ldap2dolibarr($ldap);
 						}
-
-
-						if ($user->login != $ldap->login && $ldap->login)
-						{
-							$user->login = $ldap->login;
-							$user->update($user);
-							// TODO Que faire si update echoue car on update avec un login deja existant.
-						}
-
-						//$resultUpdate = $user->update_ldap2dolibarr($ldap);
-					}
+						unset($usertmp);
 				}
+
+				if (! empty($conf->multicompany->enabled))	// We must check entity (even if sync is not active)
+				{
+					global $mc;
+
+					$usertmp=new User($db);
+					$usertmp->fetch('',$login);
+					$ret=$mc->checkRight($usertmp->id, $entitytotest);
+					if ($ret < 0)
+					{
+						dol_syslog("functions_ldap::check_user_password_ldap Authentification ko entity '".$entitytotest."' not allowed for user '".$usertmp->id."'");
+						$login=''; // force authentication failure
+					}
+					unset($usertmp);
+				}
+
 			}
 			if ($result == 1)
 			{