From dfcba305775af1d5fd1fab9515e87a52ee6421c0 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Fri, 27 Jan 2023 14:06:31 +0100 Subject: [PATCH] FIX Check of date of validity --- htdocs/api/class/api_access.class.php | 18 +++++++------ htdocs/core/lib/security2.lib.php | 3 ++- htdocs/core/login/functions_dolibarr.php | 20 +-------------- htdocs/dav/fileserver.php | 19 +++++++++++--- htdocs/main.inc.php | 23 ++++++++++++----- htdocs/user/class/user.class.php | 32 ++++++++++++++++++++++-- 6 files changed, 76 insertions(+), 39 deletions(-) diff --git a/htdocs/api/class/api_access.class.php b/htdocs/api/class/api_access.class.php index e5cc664fa0e..6874d3faaed 100644 --- a/htdocs/api/class/api_access.class.php +++ b/htdocs/api/class/api_access.class.php 
@@ -155,17 +155,19 @@ class DolibarrApiAccess implements iAuthenticate throw new RestException(503, 'Error when fetching user. This user has been locked or disabled'); } - $now = dol_now(); - - // Check date start validity - if ($fuser->datestartvalidity && $this->db->jdate($fuser->datestartvalidity) > $now) { - throw new RestException(503, $genericmessageerroruser); - } - // Check date end validity - if ($fuser->dateendvalidity && $this->db->jdate($fuser->dateendvalidity) < dol_get_first_hour($now)) { + // Check if session was unvalidated by a password change + if (($fuser->flagdelsessionsbefore && !empty($_SESSION["dol_logindate"]) && $fuser->flagdelsessionsbefore > $_SESSION["dol_logindate"])) { + // Session is no more valid + dol_syslog("The user has a date for session invalidation = ".$fuser->flagdelsessionsbefore." and a session date = ".$_SESSION["dol_logindate"].". We must invalidate its sessions."); throw new RestException(503, $genericmessageerroruser); } + // Check date validity + if ($fuser->isNotIntoValidityDateRange()) { + // User validity dates are no more valid + dol_syslog("The user login has a validity between [".$fuser->datestartvalidity." and ".$fuser->dateendvalidity."], curren date is ".dol_now()); + throw new RestException(503, $genericmessageerroruser); + } // User seems valid $fuser->getrights(); diff --git a/htdocs/core/lib/security2.lib.php b/htdocs/core/lib/security2.lib.php index f450d390dff..93da106aebd 100644 --- a/htdocs/core/lib/security2.lib.php +++ b/htdocs/core/lib/security2.lib.php 
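Review bot: The new check calls `$fuser->isNotIntoValidityDateRange()`, but the method this patch adds to `User` (user.class.php hunk) is spelled `isNotIntoValidtyDateRange()`, so every API request reaching this point would hit an undefined-method Error rather than a validity decision. Once the name is aligned the condition reads inverted: as written in user.class.php the method returns 1 when both dates are acceptable and 0 when they are not, so valid users would receive the 503 and out-of-range users would pass. The `$_SESSION["dol_logindate"]` guard added above it presumably has nothing to compare against for stateless API-key requests, so the password-change revocation is likely a no-op here; confirm how the API populates the session. The log string also says `curren date`. The enclosing method starts before and ends after this hunk.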
@@ -96,7 +96,8 @@ function checkLoginPassEntity($usertotest, $passwordtotest, $entitytotest, $auth // Call function to check user/password $function = 'check_user_password_'.$mode; $login = call_user_func($function, $usertotest, $passwordtotest, $entitytotest, $context); - if ($login && $login != '--bad-login-validity--') { // Login is successfull + if ($login && $login != '--bad-login-validity--') { + // Login is successfull with this method $test = false; // To stop once at first login success $conf->authmode = $mode; // This properties is defined only when logged to say what mode was successfully used /*$dol_tz = GETPOST('tz'); diff --git a/htdocs/core/login/functions_dolibarr.php b/htdocs/core/login/functions_dolibarr.php index 5f4b722ea1c..9b65bf4d877 100644 --- a/htdocs/core/login/functions_dolibarr.php +++ b/htdocs/core/login/functions_dolibarr.php 
@@ -74,24 +74,6 @@ function check_user_password_dolibarr($usertotest, $passwordtotest, $entitytotes if ($resql) { $obj = $db->fetch_object($resql); if ($obj) { - $now = dol_now(); - // Check date start validity - if ($obj->datestartvalidity && $db->jdate($obj->datestartvalidity) > $now) { - // Load translation files required by the page - $langs->loadLangs(array('main', 'errors')); - $_SESSION["dol_loginmesg"] = $langs->transnoentitiesnoconv("ErrorLoginDateValidity"); - dol_syslog("functions_dolibarr::check_user_password_dolibarr bad datestart validity", LOG_WARNING); - return '--bad-login-validity--'; - } - // Check date end validity - if ($obj->dateendvalidity && $db->jdate($obj->dateendvalidity) < dol_get_first_hour($now)) { - // Load translation files required by the page - $langs->loadLangs(array('main', 'errors')); - $_SESSION["dol_loginmesg"] = $langs->transnoentitiesnoconv("ErrorLoginDateValidity"); - dol_syslog("functions_dolibarr::check_user_password_dolibarr bad date end validity", LOG_WARNING); - return '--bad-login-validity--'; - } - $passclear = $obj->pass; $passcrypted = $obj->pass_crypted; $passtyped = $passwordtotest; @@ -121,7 +103,7 @@ function check_user_password_dolibarr($usertotest, $passwordtotest, $entitytotes if ((!$passcrypted || $passtyped) && ($passclear && ($passtyped == $passclear))) { $passok = true; - dol_syslog("functions_dolibarr::check_user_password_dolibarr Authentification ok - found pass in database"); + dol_syslog("functions_dolibarr::check_user_password_dolibarr Authentification ok - found old pass in database", LOG_WARNING); } } diff --git a/htdocs/dav/fileserver.php b/htdocs/dav/fileserver.php index 7abe3f2bacf..15d9cd1764f 100644 --- a/htdocs/dav/fileserver.php +++ b/htdocs/dav/fileserver.php 
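Review bot: The line two above the changed log, `$passtyped == $passclear`, authenticates against a clear-text password column with a loose, non-constant-time comparison; since this hunk already promotes that branch to LOG_WARNING as a legacy path, it would be worth tightening the comparison in the same change to `hash_equals((string) $passclear, (string) $passtyped)` (pre-existing, but it is the branch this hunk touches). The warning text could also say why it is a warning, e.g. `... found old clear-text pass in database, user should change password`. The enclosing function starts before and ends after this hunk.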
@@ -92,8 +92,7 @@ $tmpDir = $conf->dav->multidir_output[$entity]; // We need root dir, not a dir t // Authentication callback function $authBackend = new \Sabre\DAV\Auth\Backend\BasicCallBack(function ($username, $password) { - global $user; - global $conf; + global $user, $conf; global $dolibarr_main_authentication, $dolibarr_auto_user; if (empty($user->login)) { @@ -101,7 +100,7 @@ $authBackend = new \Sabre\DAV\Auth\Backend\BasicCallBack(function ($username, $p return false; } if ($user->socid > 0) { - dol_syslog("Failed to authenticate to DAV, use is an external user", LOG_WARNING); + dol_syslog("Failed to authenticate to DAV, user is an external user", LOG_WARNING); return false; } if ($user->login != $username) { @@ -132,6 +131,20 @@ $authBackend = new \Sabre\DAV\Auth\Backend\BasicCallBack(function ($username, $p return false; } + // Check if session was unvalidated by a password change + if (($user->flagdelsessionsbefore && !empty($_SESSION["dol_logindate"]) && $user->flagdelsessionsbefore > $_SESSION["dol_logindate"])) { + // Session is no more valid + dol_syslog("The user has a date for session invalidation = ".$user->flagdelsessionsbefore." and a session date = ".$_SESSION["dol_logindate"].". We must invalidate its sessions."); + return false; + } + + // Check date validity + if ($user->isNotIntoValidityDateRange()) { + // User validity dates are no more valid + dol_syslog("The user login has a validity between [".$user->datestartvalidity." and ".$user->dateendvalidity."], curren date is ".dol_now()); + return false; + } + return true; }); diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php index 115be3cf0cf..24ce10ea7c1 100644 --- a/htdocs/main.inc.php +++ b/htdocs/main.inc.php 
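Review bot: The validity check added at the end of the BasicCallBack closure calls `$user->isNotIntoValidityDateRange()`, while the method defined in user.class.php in this same patch is named `isNotIntoValidtyDateRange()`; the mismatch would fail the callback with an Error instead of returning false. Its return convention (1 when the dates are fine, 0 when not, per the user.class.php hunk) also means `if ($user->isNotInto...())` is false for valid users and true for expired ones, the opposite of what is intended. The session-revocation check relies on `$_SESSION["dol_logindate"]`, which a per-request Basic-auth DAV client may never have populated; if so the check silently passes, so confirm that a session is established before this callback runs. Typo in the log: `curren date`. The closure begins outside this hunk.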
@@ -879,8 +879,8 @@ if (!defined('NOLOGIN')) { exit; } - $resultFetchUser = $user->fetch('', $login, '', 1, ($entitytotest > 0 ? $entitytotest : -1)); // login was retrieved previously when checking password. - if ($resultFetchUser <= 0) { + $resultFetchUser = $user->fetch('', $login, '', 1, ($entitytotest > 0 ? $entitytotest : -1)); // value for $login was retrieved previously when checking password. + if ($resultFetchUser <= 0 || $user->isNotIntoValidityDateRange()) { dol_syslog('User not found, connexion refused'); session_destroy(); session_set_cookie_params(0, '/', null, (empty($dolibarr_main_force_https) ? false : true), true); // Add tag secure and httponly on session cookie @@ -894,11 +894,17 @@ if (!defined('NOLOGIN')) { $_SESSION["dol_loginmesg"] = $langs->transnoentitiesnoconv("ErrorCantLoadUserFromDolibarrDatabase", $login); $user->trigger_mesg = 'ErrorCantLoadUserFromDolibarrDatabase - login='.$login; - } - if ($resultFetchUser < 0) { + } elseif ($resultFetchUser < 0) { $_SESSION["dol_loginmesg"] = $user->error; $user->trigger_mesg = $user->error; + } else { + // Load translation files required by the page + $langs->loadLangs(array('main', 'errors')); + + $_SESSION["dol_loginmesg"] = $langs->transnoentitiesnoconv("ErrorLoginDateValidity"); + + $user->trigger_mesg = $langs->trans("ErrorLoginDateValidity").' - login='.$login; } // Call trigger 
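Review bot: `$user->isNotIntoValidityDateRange()` in the new condition does not match the method name defined in this patch's user.class.php hunk (`isNotIntoValidtyDateRange`), so the main login path would fail with an undefined-method Error rather than refusing out-of-range users. The method's return value (1 when valid, 0 when not) is also the reverse of what this `||` expects, so even with the name fixed it would refuse every user whose dates are fine and admit the ones that are not. The shared `dol_syslog('User not found, connexion refused')` below is now misleading for the validity case; consider `dol_syslog('User not found or outside its validity date range, connexion refused')`. The enclosing block starts before and ends after this hunk.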
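Review bot: The new `else` branch builds `$user->trigger_mesg` with `$langs->trans("ErrorLoginDateValidity")` whereas the sibling message one line above uses `transnoentitiesnoconv`; `trans()` presumably HTML-encodes the string, which is undesirable for a trigger/log message, so use `$langs->transnoentitiesnoconv("ErrorLoginDateValidity").' - login='.$login` for consistency. The `loadLangs` call here may be redundant if the login page already loaded 'main' and 'errors'; harmless, but worth checking. The enclosing block continues outside this hunk.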
@@ -943,13 +949,18 @@ if (!defined('NOLOGIN')) { dol_syslog("- This is an already logged session. _SESSION['dol_login']=".$login." _SESSION['dol_entity']=".$entity, LOG_DEBUG); $resultFetchUser = $user->fetch('', $login, '', 1, ($entity > 0 ? $entity : -1)); - if ($resultFetchUser <= 0 || ($user->flagdelsessionsbefore && !empty($_SESSION["dol_logindate"]) && $user->flagdelsessionsbefore > $_SESSION["dol_logindate"])) { + if ($resultFetchUser <= 0 + || ($user->flagdelsessionsbefore && !empty($_SESSION["dol_logindate"]) && $user->flagdelsessionsbefore > $_SESSION["dol_logindate"]) + || ($user->isNotIntoValidtyDateRange())) { if ($resultFetchUser <= 0) { // Account has been removed after login dol_syslog("Can't load user even if session logged. _SESSION['dol_login']=".$login, LOG_WARNING); - } else { + } elseif ($user->flagdelsessionsbefore && !empty($_SESSION["dol_logindate"]) && $user->flagdelsessionsbefore > $_SESSION["dol_logindate"]) { // Session is no more valid dol_syslog("The user has a date for session invalidation = ".$user->flagdelsessionsbefore." and a session date = ".$_SESSION["dol_logindate"].". We must invalidate its sessions."); + } else { + // User validity dates are no more valid + dol_syslog("The user login has a validity between [".$user->datestartvalidity." and ".$user->dateendvalidity."], curren date is ".dol_now()); } session_destroy(); session_set_cookie_params(0, '/', null, (empty($dolibarr_main_force_https) ? false : true), true); // Add tag secure and httponly on session cookie diff --git a/htdocs/user/class/user.class.php b/htdocs/user/class/user.class.php index b32c23ab7fc..f8d437d4fa0 100644 --- a/htdocs/user/class/user.class.php +++ b/htdocs/user/class/user.class.php 
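Review bot: The new `|| ($user->isNotIntoValidtyDateRange())` term destroys the session when the method returns non-zero, but the method as defined in this patch's user.class.php hunk returns 1 exactly when both validity dates are acceptable and 0 when one is not, so every valid logged-in user would be logged out on their next request while users outside their validity range keep their sessions. Fix it at the source so all four callers agree: in `isNotIntoValidtyDateRange()` make both date checks `return 1;` and the fall-through `return 0;` (and correct the docblock to `0=valid, 1=outside validity range`), or else negate the call here. The `flagdelsessionsbefore` comparison is now written twice (in the `if` and in the `elseif`); hoisting it into `$sessionRevoked = ($user->flagdelsessionsbefore && !empty($_SESSION["dol_logindate"]) && $user->flagdelsessionsbefore > $_SESSION["dol_logindate"]);` before the `if` keeps the two in step. The enclosing block starts before and ends after this hunk.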
@@ -1885,8 +1885,12 @@ class User extends CommonObject $this->employee = ($this->employee > 0 ? $this->employee : 0); $this->login = trim((string) $this->login); $this->gender = trim((string) $this->gender); + $this->pass = trim((string) $this->pass); $this->api_key = trim((string) $this->api_key); + $this->datestartvalidity = empty($this->datestartvalidity) ? '' : $this->datestartvalidity; + $this->dateendvalidity = empty($this->dateendvalidity) ? '' : $this->dateendvalidity; + $this->address = trim((string) $this->address); $this->zip = trim((string) $this->zip); $this->town = trim((string) $this->town); @@ -1911,8 +1915,7 @@ class User extends CommonObject $this->color = trim((string) $this->color); $this->dateemployment = empty($this->dateemployment) ? '' : $this->dateemployment; $this->dateemploymentend = empty($this->dateemploymentend) ? '' : $this->dateemploymentend; - $this->datestartvalidity = empty($this->datestartvalidity) ? '' : $this->datestartvalidity; - $this->dateendvalidity = empty($this->dateendvalidity) ? '' : $this->dateendvalidity; + $this->birth = empty($this->birth) ? '' : $this->birth; $this->fk_warehouse = (int) $this->fk_warehouse; @@ -2695,6 +2698,31 @@ class User extends CommonObject } + /** + * Return a link with photo + * Use this->id,this->photo + * + * @return int 0=No more valid, >0 if OK + */ + public function isNotIntoValidtyDateRange() + { + include_once DOL_DOCUMENT_ROOT.'/core/lib/date.lib.php'; + + $now = dol_now(); + + // Check date start validity + if ($this->datestartvalidity && $this->datestartvalidity > dol_get_last_hour($now)) { + return 0; + } + // Check date end validity + if ($this->dateendvalidity && $this->dateendvalidity < dol_get_first_hour($now)) { + return 0; + } + + return 1; + } + + /** * Return a link with photo * Use this->id,this->photo
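Review bot: `$this->pass = trim((string) $this->pass);` in `update()` silently alters credential material: a password with leading or trailing whitespace would be persisted differently from what the user later types, and the dolibarr login path in functions_dolibarr.php appears to compare the typed value untrimmed (`$passtyped == $passclear`), so such a user could be locked out after an update. If the trim is meant to strip accidental form whitespace, do it where the form value is read rather than in the persistence method, or drop the line. Separately, the new `isNotIntoValidtyDateRange()` later in this file carries a docblock copied from the photo helper (`Return a link with photo / Use this->id,this->photo`) and a return convention that contradicts its name (1 when inside the range); fix the docblock and align the return values before the callers rely on it. The enclosing `update()` method starts before and ends after this hunk.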