  1: <?php
  2: 
  3: // include the config file
  4: if(!isset($config)) {
  5:     require_once '../util/AlphaConfig.inc';
  6:     $config = AlphaConfig::getInstance();
  7:     
  8:     require_once $config->get('app.root').'alpha/util/AlphaAutoLoader.inc';
  9: }
 10: 
 11: /**
 12:  *
 13:  * Login controller that adds the current user object to the session
 14:  * 
 15:  * @package alpha::controller
 16:  * @since 1.0
 17:  * @author John Collins <dev@alphaframework.org>
 18:  * @version $Id: Login.php 1624 2012-12-21 12:17:55Z alphadevx $
 19:  * @license http://www.opensource.org/licenses/bsd-license.php The BSD License
 20:  * @copyright Copyright (c) 2012, John Collins (founder of Alpha Framework).  
 21:  * All rights reserved.
 22:  * 
 23:  * <pre>
 24:  * Redistribution and use in source and binary forms, with or 
 25:  * without modification, are permitted provided that the 
 26:  * following conditions are met:
 27:  * 
 28:  * * Redistributions of source code must retain the above 
 29:  *   copyright notice, this list of conditions and the 
 30:  *   following disclaimer.
 31:  * * Redistributions in binary form must reproduce the above 
 32:  *   copyright notice, this list of conditions and the 
 33:  *   following disclaimer in the documentation and/or other 
 34:  *   materials provided with the distribution.
 35:  * * Neither the name of the Alpha Framework nor the names 
 36:  *   of its contributors may be used to endorse or promote 
 37:  *   products derived from this software without specific 
 38:  *   prior written permission.
 39:  *   
 40:  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND 
 41:  * CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, 
 42:  * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF 
 43:  * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 
 44:  * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR 
 45:  * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 
 46:  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 
 47:  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 
 48:  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
 49:  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 
 50:  * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE 
 51:  * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 
 52:  * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 53:  * </pre>
 54:  *  
 55:  */
 56: class Login extends AlphaController implements AlphaControllerInterface {
 57:     /**
 58:      * The person to be logged in
 59:      * 
 60:      * @var PersonObject
 61:      * @since 1.0
 62:      */
 63:     protected $personObject;
 64:     
 65:     /**
 66:      * The person view object
 67:      * 
 68:      * @var PersonView
 69:      * @since 1.0
 70:      */
 71:     private $personView;
 72:     
 73:     /**
 74:      * Trace logger
 75:      * 
 76:      * @var Logger
 77:      * @since 1.0
 78:      */
 79:     private static $logger = null;
 80:     
 81:     /**
 82:      * constructor to set up the object
 83:      * @since 1.0
 84:      */
 85:     public function __construct() {
 86:         self::$logger = new Logger('Login');
 87:         self::$logger->debug('>>__construct()');
 88:         
 89:         global $config;
 90:         
 91:         // ensure that the super class constructor is called, indicating the rights group
 92:         parent::__construct('Public');
 93:         
 94:         $this->personObject = new PersonObject();
 95:         $this->personView = AlphaView::getInstance($this->personObject);
 96:         $this->setBO($this->personObject);
 97:         
 98:         // set up the title and meta details
 99:         $this->setTitle('Login to '.$config->get('app.title'));
100:         $this->setDescription('Login page.');
101:         $this->setKeywords('login,logon');
102:         
103:         self::$logger->debug('<<__construct');
104:     }
105:         
106:     /**
107:      * Handle GET requests
108:      * 
109:      * @param array $params
110:      * @throws IllegalArguementException
111:      * @since 1.0
112:      */
113:     public function doGET($params) {
114:         self::$logger->debug('>>doGET($params=['.var_export($params, true).'])');
115:         
116:         if(!is_array($params))
117:             throw new IllegalArguementException('Bad $params ['.var_export($params, true).'] passed to doGET method!');
118:         
119:         echo AlphaView::displayPageHead($this);
120:         
121:         if (isset($params['reset']))
122:             echo $this->personView->displayResetForm();
123:         else
124:             echo $this->personView->displayLoginForm(); 
125:         
126:         echo AlphaView::displayPageFoot($this);
127:         
128:         self::$logger->debug('<<doGET');
129:     }   
130:     
131:     /**
132:      * Handle POST requests (adds $currentUser PersonObject to the session)
133:      * 
134:      * @param array $params
135:      * @throws IllegalArguementException
136:      * @since 1.0
137:      */
138:     public function doPOST($params) {
139:         self::$logger->debug('>>doPOST($params=['.var_export($params, true).'])');
140:         
141:         if(!is_array($params))
142:             throw new IllegalArguementException('Bad $params ['.var_export($params, true).'] passed to doPOST method!');
143:                 
144:         global $config;
145:         
146:         try {
147:             // check the hidden security fields before accepting the form POST data
148:             if(!$this->checkSecurityFields())
149:                 throw new SecurityException('This page cannot accept post data from remote servers!');
150:         
151:             if (isset($params['loginBut'])) {
152:                 // if the database has not been set up yet, accept a login from the config admin username/password
153:                 if(!AlphaDAO::isInstalled()) {
154:                     if ($params['email'] == $config->get('app.install.username') && crypt($params['password'], $config->get('app.install.password')) == 
155:                         crypt($config->get('app.install.password'), $config->get('app.install.password'))) {
156:                             
157:                         self::$logger->info('Logging in ['.$params['email'].'] at ['.date("Y-m-d H:i:s").']');
158:                         $admin = new PersonObject();
159:                         $admin->set('displayName', 'Admin');
160:                         $admin->set('email', $params['email']);
161:                         $admin->set('password', crypt($params['password'], $config->get('app.install.password')));
162:                         $admin->set('OID', '00000000001');
163:                         $_SESSION['currentUser'] = $admin;
164:                         if ($this->getNextJob() != '') {
165:                             $url = FrontController::generateSecureURL('act='.$this->getNextJob());
166:                             self::$logger->info('Redirecting to ['.$url.']');
167:                             header('Location: '.$url);
168:                             exit;
169:                         }else{
170:                             header('Location: '.$config->get('app.url').'alpha/controller/Install.php');
171:                             exit;
172:                         }
173:                     }else{
174:                         throw new ValidationException('Failed to login user '.$params['email'].', the password is incorrect!');
175:                     }
176:                 }else{
177:                     // here we are attempting to load the person from the email address
178:                     $this->personObject->loadByAttribute('email', $params['email'], true);
179:                     
180:                     AlphaDAO::disconnect();
181:                     
182:                     // checking to see if the account has been disabled
183:                     if (!$this->personObject->isTransient() && $this->personObject->get('state') == 'Disabled')
184:                         throw new SecurityException('Failed to login user '.$params['email'].', that account has been disabled!');
185:                     
186:                     // check the password
187:                     $this->doLoginAndRedirect($params['password']);
188:                 }
189:                 
190:                 echo AlphaView::displayPageHead($this);
191:                 
192:                 echo $this->personView->displayLoginForm();
193:             }
194:             
195:             if (isset($params['resetBut'])) {               
196:                 // here we are attempting to load the person from the email address         
197:                 $this->personObject->loadByAttribute('email', $params['email']);
198:                 
199:                 AlphaDAO::disconnect();
200:                 
201:                 // generate a new random password
202:                 $new_password = $this->personObject->generatePassword();
203:                                     
204:                 // now encrypt and save the new password, then e-mail the user
205:                 $this->personObject->set('password', crypt($new_password));             
206:                 $this->personObject->save();
207:                     
208:                 $message = 'The password for your account has been reset to '.$new_password.' as you requested.  You can now login to the site using your '.
209:                     'e-mail address and this new password as before.';
210:                 $subject = 'Password change request';
211:                     
212:                 $this->personObject->sendMail($message, $subject);              
213:                     
214:                 echo AlphaView::displayUpdateMessage('The password for the user <strong>'.$params['email'].'</strong> has been reset, and the new password '.
215:                     'has been sent to that e-mail address.');
216:                 echo '<a href="'.$config->get('app.url').'">Home Page</a>';
217:             }
218:         }catch(ValidationException $e) {
219:             echo AlphaView::displayPageHead($this);
220:             
221:             echo AlphaView::displayErrorMessage($e->getMessage());
222:             
223:             echo $this->personView->displayLoginForm();
224:                                             
225:             self::$logger->warn($e->getMessage());
226:         }catch(SecurityException $e) {
227:             echo AlphaView::displayPageHead($this);
228:             
229:             echo AlphaView::displayErrorMessage($e->getMessage());
230:                                             
231:             self::$logger->warn($e->getMessage());
232:         }catch(BONotFoundException $e) {
233:             echo AlphaView::displayPageHead($this);
234:             
235:             echo AlphaView::displayErrorMessage('Failed to find the user \''.$params['email'].'\'');
236:             
237:             echo $this->personView->displayLoginForm();
238:             
239:             self::$logger->warn($e->getMessage());
240:         }
241:         
242:         echo AlphaView::displayPageFoot($this);
243:         self::$logger->debug('<<doPOST');
244:     }
245:     
246:     /**
247:      * Login the user and re-direct to the defined destination
248:      * 
249:      * @param string $password The password supplied by the user logging in
250:      * @throws ValidationException
251:      * @since 1.0
252:      */
253:     protected function doLoginAndRedirect($password) {
254:         self::$logger->debug('>>doLoginAndRedirect(password=['.$password.'])');
255:         
256:         global $config;
257:         
258:         if (!$this->personObject->isTransient() && $this->personObject->get('state') == 'Active') {
259:             if (crypt($password, $this->personObject->get('password')) == $this->personObject->get('password')) {
260:                                 
261:                 self::$logger->info('Logging in ['.$this->personObject->get('email').'] at ['.date("Y-m-d H:i:s").']');
262:                 
263:                 $_SESSION['currentUser'] = $this->personObject;
264:                 
265:                 if ($this->getNextJob() != '') {
266:                     self::$logger->debug('<<doLoginAndRedirect');
267:                     $url = FrontController::generateSecureURL('act='.$this->getNextJob());
268:                     header('Location: '.$url);
269:                     exit;
270:                 }else{
271:                     self::$logger->debug('<<doLoginAndRedirect');
272:                     header('Location: '.$config->get('app.url'));
273:                     exit;
274:                 }
275:             }else{
276:                 throw new ValidationException('Failed to login user '.$this->personObject->get('email').', the password is incorrect!');
277:                 self::$logger->debug('<<doLoginAndRedirect');
278:             }
279:         }
280:     }
281:     
282:     /**
283:      * Displays the application version number on the login screen.
284:      * 
285:      * @return string
286:      * @since 1.0
287:      */
288:     public function before_displayPageFoot_callback() {
289:         global $config;
290:         
291:         return '<p><em>Version '.$config->get('app.version').'</em></p>';
292:     }
293: }
294: 
// Direct invocation: when this script itself is the requested page, build the controller
// and dispatch on whether any POST fields were submitted.
// NOTE(review): $_SERVER['PHP_SELF'] also carries any trailing path info from the request URL,
// so the client influences this comparison - confirm whether SCRIPT_NAME is the better key.
if (basename($_SERVER['PHP_SELF']) == 'Login.php') {
    $controller = new Login();

    if (empty($_POST)) {
        $controller->doGET($_GET);
    } else {
        $controller->doPOST($_POST);
    }
}
305: 
306: ?>