1: <?php
  2: 
  3: /**
  4:  * This file is part of the Nette Framework (https://nette.org)
  5:  *
  6:  * Copyright (c) 2004 David Grudl (http://davidgrudl.com)
  7:  *
  8:  * For the full copyright and license information, please view
  9:  * the file license.txt that was distributed with this source code.
 10:  */
 11: 
 12: namespace Nette\Web;
 13: 
 14: use Nette,
 15:     Nette\Environment,
 16:     Nette\Security\IAuthenticator,
 17:     Nette\Security\IAuthorizator,
 18:     Nette\Security\IIdentity;
 19: 
 20: 
 21: 
 22: /**
 23:  * User authentication and authorization.
 24:  *
 25:  * @author     David Grudl
 26:  *
 27:  * @property-read Nette\Security\IIdentity $identity
 28:  * @property   Nette\Security\IAuthenticator $authenticationHandler
 29:  * @property   Nette\Security\IAuthorizator $authorizationHandler
 30:  * @property-read int $logoutReason
 31:  * @property-read array $roles
 32:  * @property-read bool $authenticated
 33:  */
 34: class User extends Nette\Object implements IUser
 35: {
 36:     /**#@+ log-out reason {@link User::getLogoutReason()} */
 37:     const MANUAL = 1;
 38:     const INACTIVITY = 2;
 39:     const BROWSER_CLOSED = 3;
 40:     /**#@-*/
 41: 
 42:     /** @var string  default role for unauthenticated user */
 43:     public $guestRole = 'guest';
 44: 
 45:     /** @var string  default role for authenticated user without own identity */
 46:     public $authenticatedRole = 'authenticated';
 47: 
 48:     /** @var array of function(User $sender); Occurs when the user is successfully logged in */
 49:     public $onLoggedIn;
 50: 
 51:     /** @var array of function(User $sender); Occurs when the user is logged out */
 52:     public $onLoggedOut;
 53: 
 54:     /** @deprecated */
 55:     public $onAuthenticated;
 56: 
 57:     /** @deprecated */
 58:     public $onSignedOut;
 59: 
 60:     /** @var Nette\Security\IAuthenticator */
 61:     private $authenticationHandler;
 62: 
 63:     /** @var Nette\Security\IAuthorizator */
 64:     private $authorizationHandler;
 65: 
 66:     /** @var string */
 67:     private $namespace = '';
 68: 
 69:     /** @var SessionNamespace */
 70:     private $session;
 71: 
 72: 
 73: 
 74:     public function __construct()
 75:     {
 76:         // back compatiblity
 77:         $this->onLoggedIn = & $this->onAuthenticated;
 78:         $this->onLoggedOut = & $this->onSignedOut;
 79:     }
 80: 
 81: 
 82: 
 83:     /********************* Authentication ****************d*g**/
 84: 
 85: 
 86: 
 87:     /**
 88:      * Conducts the authentication process.
 89:      * @param  string
 90:      * @param  string
 91:      * @param  mixed
 92:      * @return void
 93:      * @throws Nette\Security\AuthenticationException if authentication was not successful
 94:      */
 95:     public function login($username, $password, $extra = NULL)
 96:     {
 97:         $handler = $this->getAuthenticationHandler();
 98:         if ($handler === NULL) {
 99:             throw new \InvalidStateException('Authentication handler has not been set.');
100:         }
101: 
102:         $this->logout(TRUE);
103: 
104:         $credentials = array(
105:             IAuthenticator::USERNAME => $username,
106:             IAuthenticator::PASSWORD => $password,
107:             'extra' => $extra,
108:         );
109: 
110:         $this->setIdentity($handler->authenticate($credentials));
111:         $this->setAuthenticated(TRUE);
112:         $this->onLoggedIn($this);
113:     }
114: 
115: 
116: 
117:     /**
118:      * Logs out the user from the current session.
119:      * @param  bool  clear the identity from persistent storage?
120:      * @return void
121:      */
122:     final public function logout($clearIdentity = FALSE)
123:     {
124:         if ($this->isLoggedIn()) {
125:             $this->setAuthenticated(FALSE);
126:             $this->onLoggedOut($this);
127:         }
128: 
129:         if ($clearIdentity) {
130:             $this->setIdentity(NULL);
131:         }
132:     }
133: 
134: 
135: 
136:     /**
137:      * Is this user authenticated?
138:      * @return bool
139:      */
140:     final public function isLoggedIn()
141:     {
142:         $session = $this->getSessionNamespace(FALSE);
143:         return $session && $session->authenticated;
144:     }
145: 
146: 
147: 
148:     /**
149:      * Returns current user identity, if any.
150:      * @return Nette\Security\IIdentity
151:      */
152:     final public function getIdentity()
153:     {
154:         $session = $this->getSessionNamespace(FALSE);
155:         return $session ? $session->identity : NULL;
156:     }
157: 
158: 
159: 
160:     /**
161:      * Sets authentication handler.
162:      * @param  Nette\Security\IAuthenticator
163:      * @return User  provides a fluent interface
164:      */
165:     public function setAuthenticationHandler(IAuthenticator $handler)
166:     {
167:         $this->authenticationHandler = $handler;
168:         return $this;
169:     }
170: 
171: 
172: 
173:     /**
174:      * Returns authentication handler.
175:      * @return Nette\Security\IAuthenticator
176:      */
177:     final public function getAuthenticationHandler()
178:     {
179:         if ($this->authenticationHandler === NULL) {
180:             $this->authenticationHandler = Environment::getService('Nette\\Security\\IAuthenticator');
181:         }
182:         return $this->authenticationHandler;
183:     }
184: 
185: 
186: 
187:     /**
188:      * Changes namespace; allows more users to share a session.
189:      * @param  string
190:      * @return User  provides a fluent interface
191:      */
192:     public function setNamespace($namespace)
193:     {
194:         if ($this->namespace !== $namespace) {
195:             $this->namespace = (string) $namespace;
196:             $this->session = NULL;
197:         }
198:         return $this;
199:     }
200: 
201: 
202: 
203:     /**
204:      * Returns current namespace.
205:      * @return string
206:      */
207:     final public function getNamespace()
208:     {
209:         return $this->namespace;
210:     }
211: 
212: 
213: 
214:     /**
215:      * Enables log out after inactivity.
216:      * @param  string|int|DateTime number of seconds or timestamp
217:      * @param  bool  log out when the browser is closed?
218:      * @param  bool  clear the identity from persistent storage?
219:      * @return User  provides a fluent interface
220:      */
221:     public function setExpiration($time, $whenBrowserIsClosed = TRUE, $clearIdentity = FALSE)
222:     {
223:         $session = $this->getSessionNamespace(TRUE);
224:         if ($time) {
225:             $time = Nette\DateTime::from($time)->format('U');
226:             $session->expireTime = $time;
227:             $session->expireDelta = $time - time();
228: 
229:         } else {
230:             unset($session->expireTime, $session->expireDelta);
231:         }
232: 
233:         $session->expireIdentity = (bool) $clearIdentity;
234:         $session->expireBrowser = (bool) $whenBrowserIsClosed;
235:         $session->browserCheck = TRUE;
236:         $session->setExpiration(0, 'browserCheck');
237:         return $this;
238:     }
239: 
240: 
241: 
242:     /**
243:      * Why was user logged out?
244:      * @return int
245:      */
246:     final public function getLogoutReason()
247:     {
248:         $session = $this->getSessionNamespace(FALSE);
249:         return $session ? $session->reason : NULL;
250:     }
251: 
252: 
253: 
254:     /**
255:      * Returns and initializes $this->session.
256:      * @return SessionNamespace
257:      */
258:     protected function getSessionNamespace($need)
259:     {
260:         if ($this->session !== NULL) {
261:             return $this->session;
262:         }
263: 
264:         $sessionHandler = $this->getSession();
265:         if (!$need && !$sessionHandler->exists()) {
266:             return NULL;
267:         }
268: 
269:         $this->session = $session = $sessionHandler->getNamespace('Nette.Web.User/' . $this->namespace);
270: 
271:         if (!($session->identity instanceof IIdentity) || !is_bool($session->authenticated)) {
272:             $session->remove();
273:         }
274: 
275:         if ($session->authenticated && $session->expireBrowser && !$session->browserCheck) { // check if browser was closed?
276:             $session->reason = self::BROWSER_CLOSED;
277:             $session->authenticated = FALSE;
278:             $this->onLoggedOut($this);
279:             if ($session->expireIdentity) {
280:                 unset($session->identity);
281:             }
282:         }
283: 
284:         if ($session->authenticated && $session->expireDelta > 0) { // check time expiration
285:             if ($session->expireTime < time()) {
286:                 $session->reason = self::INACTIVITY;
287:                 $session->authenticated = FALSE;
288:                 $this->onLoggedOut($this);
289:                 if ($session->expireIdentity) {
290:                     unset($session->identity);
291:                 }
292:             }
293:             $session->expireTime = time() + $session->expireDelta; // sliding expiration
294:         }
295: 
296:         if (!$session->authenticated) {
297:             unset($session->expireTime, $session->expireDelta, $session->expireIdentity,
298:                 $session->expireBrowser, $session->browserCheck, $session->authTime);
299:         }
300: 
301:         return $this->session;
302:     }
303: 
304: 
305: 
306:     /**
307:      * Sets the authenticated status of this user.
308:      * @param  bool  flag indicating the authenticated status of user
309:      * @return User  provides a fluent interface
310:      */
311:     protected function setAuthenticated($state)
312:     {
313:         $session = $this->getSessionNamespace(TRUE);
314:         $session->authenticated = (bool) $state;
315: 
316:         // Session Fixation defence
317:         $this->getSession()->regenerateId();
318: 
319:         if ($state) {
320:             $session->reason = NULL;
321:             $session->authTime = time(); // informative value
322: 
323:         } else {
324:             $session->reason = self::MANUAL;
325:             $session->authTime = NULL;
326:         }
327:         return $this;
328:     }
329: 
330: 
331: 
332:     /**
333:      * Sets the user identity.
334:      * @param  IIdentity
335:      * @return User  provides a fluent interface
336:      */
337:     protected function setIdentity(IIdentity $identity = NULL)
338:     {
339:         $this->getSessionNamespace(TRUE)->identity = $identity;
340:         return $this;
341:     }
342: 
343: 
344: 
345:     /********************* Authorization ****************d*g**/
346: 
347: 
348: 
349:     /**
350:      * Returns a list of effective roles that a user has been granted.
351:      * @return array
352:      */
353:     public function getRoles()
354:     {
355:         if (!$this->isLoggedIn()) {
356:             return array($this->guestRole);
357:         }
358: 
359:         $identity = $this->getIdentity();
360:         return $identity ? $identity->getRoles() : array($this->authenticatedRole);
361:     }
362: 
363: 
364: 
365:     /**
366:      * Is a user in the specified effective role?
367:      * @param  string
368:      * @return bool
369:      */
370:     final public function isInRole($role)
371:     {
372:         return in_array($role, $this->getRoles(), TRUE);
373:     }
374: 
375: 
376: 
377:     /**
378:      * Has a user effective access to the Resource?
379:      * If $resource is NULL, then the query applies to all resources.
380:      * @param  string  resource
381:      * @param  string  privilege
382:      * @return bool
383:      */
384:     public function isAllowed($resource = IAuthorizator::ALL, $privilege = IAuthorizator::ALL)
385:     {
386:         $handler = $this->getAuthorizationHandler();
387:         if (!$handler) {
388:             throw new \InvalidStateException("Authorization handler has not been set.");
389:         }
390: 
391:         foreach ($this->getRoles() as $role) {
392:             if ($handler->isAllowed($role, $resource, $privilege)) return TRUE;
393:         }
394: 
395:         return FALSE;
396:     }
397: 
398: 
399: 
400:     /**
401:      * Sets authorization handler.
402:      * @param  Nette\Security\IAuthorizator
403:      * @return User  provides a fluent interface
404:      */
405:     public function setAuthorizationHandler(IAuthorizator $handler)
406:     {
407:         $this->authorizationHandler = $handler;
408:         return $this;
409:     }
410: 
411: 
412: 
413:     /**
414:      * Returns current authorization handler.
415:      * @return Nette\Security\IAuthorizator
416:      */
417:     final public function getAuthorizationHandler()
418:     {
419:         if ($this->authorizationHandler === NULL) {
420:             $this->authorizationHandler = Environment::getService('Nette\\Security\\IAuthorizator');
421:         }
422:         return $this->authorizationHandler;
423:     }
424: 
425: 
426: 
427:     /********************* backend ****************d*g**/
428: 
429: 
430: 
431:     /**
432:      * Returns session handler.
433:      * @return Nette\Web\Session
434:      */
435:     protected function getSession()
436:     {
437:         return Environment::getSession();
438:     }
439: 
440: 
441: 
442:     /**#@+ @deprecated */
443:     function authenticate($username, $password, $extra = NULL)
444:     {
445:         trigger_error(__METHOD__ . '() is deprecated; use login() instead.', E_USER_WARNING);
446:         return $this->login($username, $password, $extra);
447:     }
448: 
449:     function signOut($clearIdentity = FALSE)
450:     {
451:         trigger_error(__METHOD__ . '() is deprecated; use logout() instead.', E_USER_WARNING);
452:         return $this->logout($clearIdentity);
453:     }
454: 
455:     function isAuthenticated()
456:     {
457:         trigger_error(__METHOD__ . '() is deprecated; use isLoggedIn() instead.', E_USER_WARNING);
458:         return $this->isLoggedIn();
459:     }
460: 
461:     function getSignOutReason()
462:     {
463:         trigger_error(__METHOD__ . '() is deprecated; use getLogoutReason() instead.', E_USER_WARNING);
464:         return $this->getLogoutReason();
465:     }
466:     /**#@-*/
467: 
468: }
469: