Administrator / test_1

BasicAuth.php 6.05 KB
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 
<?php
/**
 * Provides an interface to HTTP basic authentication.
 *
 * This utility class can be used to secure any request with basic authentication.  To do so,
 * {@link BasicAuth::requireLogin()} from your Controller's init() method or action handler method.
 *
 * It also has a function to protect your entire site.  See {@link BasicAuth::protect_entire_site()}
 * for more information. You can control this setting on controller-level by using {@link Controller->basicAuthEnabled}.
 *
 * @package framework
 * @subpackage security
 */
class BasicAuth {
	/**
	 * @config
	 * @var Boolean Flag set by {@link self::protect_entire_site()}
	 */
	private static $entire_site_protected = false;

	/**
	 * @config
	 * @var String|array Holds a {@link Permission} code that is required
	 * when calling {@link protect_site_if_necessary()}. Set this value through
	 * {@link protect_entire_site()}.
	 */
	private static $entire_site_protected_code = 'ADMIN';

	/**
	 * @config
	 * @var String Message that shows in the authentication box.
	 * Set this value through {@link protect_entire_site()}.
	 */
	private static $entire_site_protected_message = "SilverStripe test website. Use your CMS login.";

	/**
	 * Require basic authentication.  Will request a username and password if none is given.
	 *
	 * Used by {@link Controller::init()}.
	 *
	 * @throws SS_HTTPResponse_Exception
	 *
	 * @param string $realm
	 * @param string|array $permissionCode Optional
	 * @param boolean $tryUsingSessionLogin If true, then the method with authenticate against the
	 *  session log-in if those credentials are disabled.
	 * @return Member $member
	 */
	public static function requireLogin($realm, $permissionCode = null, $tryUsingSessionLogin = true) {
		$isRunningTests = (class_exists('SapphireTest', false) && SapphireTest::is_running_test());
		if(!Security::database_is_ready() || (Director::is_cli() && !$isRunningTests)) return true;

                /*
                 * Enable HTTP Basic authentication workaround for PHP running in CGI mode with Apache
                 * Depending on server configuration the auth header may be in HTTP_AUTHORIZATION or
                 * REDIRECT_HTTP_AUTHORIZATION
                 * 
                 * The follow rewrite rule must be in the sites .htaccess file to enable this workaround
                 * RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
                 */
		$authHeader = (isset($_SERVER['HTTP_AUTHORIZATION']) ? $_SERVER['HTTP_AUTHORIZATION'] :
			      (isset($_SERVER['REDIRECT_HTTP_AUTHORIZATION']) ? $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] : null));
		$matches = array();
		if ($authHeader &&
                        preg_match('/Basic\s+(.*)$/i', $authHeader, $matches)) {
			list($name, $password) = explode(':', base64_decode($matches[1]));
			$_SERVER['PHP_AUTH_USER'] = strip_tags($name);
			$_SERVER['PHP_AUTH_PW'] = strip_tags($password);
		}

		$member = null;
		if(isset($_SERVER['PHP_AUTH_USER']) && isset($_SERVER['PHP_AUTH_PW'])) {
			$member = MemberAuthenticator::authenticate(array(
				'Email' => $_SERVER['PHP_AUTH_USER'],
				'Password' => $_SERVER['PHP_AUTH_PW'],
			), null);
		}

		if(!$member && $tryUsingSessionLogin) $member = Member::currentUser();

		// If we've failed the authentication mechanism, then show the login form
		if(!$member) {
			$response = new SS_HTTPResponse(null, 401);
			$response->addHeader('WWW-Authenticate', "Basic realm=\"$realm\"");

			if(isset($_SERVER['PHP_AUTH_USER'])) {
				$response->setBody(_t('BasicAuth.ERRORNOTREC', "That username / password isn't recognised"));
			} else {
				$response->setBody(_t('BasicAuth.ENTERINFO', "Please enter a username and password."));
			}

			// Exception is caught by RequestHandler->handleRequest() and will halt further execution
			$e = new SS_HTTPResponse_Exception(null, 401);
			$e->setResponse($response);
			throw $e;
		}

		if($permissionCode && !Permission::checkMember($member->ID, $permissionCode)) {
			$response = new SS_HTTPResponse(null, 401);
			$response->addHeader('WWW-Authenticate', "Basic realm=\"$realm\"");

			if(isset($_SERVER['PHP_AUTH_USER'])) {
				$response->setBody(_t('BasicAuth.ERRORNOTADMIN', "That user is not an administrator."));
			}

			// Exception is caught by RequestHandler->handleRequest() and will halt further execution
			$e = new SS_HTTPResponse_Exception(null, 401);
			$e->setResponse($response);
			throw $e;
		}

		return $member;
	}

	/**
	 * Enable protection of the entire site with basic authentication.
	 *
	 * This log-in uses the Member database for authentication, but doesn't interfere with the
	 * regular log-in form. This can be useful for test sites, where you want to hide the site
	 * away from prying eyes, but still be able to test the regular log-in features of the site.
	 *
	 * If you are including conf/ConfigureFromEnv.php in your _config.php file, you can also enable
	 * this feature by adding this line to your _ss_environment.php:
	 *
	 * define('SS_USE_BASIC_AUTH', true);
	 *
	 * @param boolean $protect Set this to false to disable protection.
	 * @param String $code {@link Permission} code that is required from the user.
	 *  Defaults to "ADMIN". Set to NULL to just require a valid login, regardless
	 *  of the permission codes a user has.
	 */
	public static function protect_entire_site($protect = true, $code = 'ADMIN', $message = null) {
		Config::inst()->update('BasicAuth', 'entire_site_protected', $protect);
		Config::inst()->update('BasicAuth', 'entire_site_protected_code', $code);
		Config::inst()->update('BasicAuth', 'entire_site_protected_message', $message);
	}

	/**
	 * Call {@link BasicAuth::requireLogin()} if {@link BasicAuth::protect_entire_site()} has been called.
	 * This is a helper function used by {@link Controller::init()}.
	 *
	 * If you want to enabled protection (rather than enforcing it),
	 * please use {@link protect_entire_site()}.
	 */
	public static function protect_site_if_necessary() {
		$config = Config::inst()->forClass('BasicAuth');
		if($config->entire_site_protected) {
			self::requireLogin($config->entire_site_protected_message, $config->entire_site_protected_code, false);
		}
	}

}