Commit 0e17f951 authored by Leigh B Stoller's avatar Leigh B Stoller

Minor refactoring to allow easier login checks from APT login path.

Add check for pswd_expires=null setting; never expires.
parent 25d378be
...@@ -35,6 +35,8 @@ $ISAPT = 1; ...@@ -35,6 +35,8 @@ $ISAPT = 1;
$ISCLOUD = 0; $ISCLOUD = 0;
$ISVSERVER = 0; $ISVSERVER = 0;
$GOOGLEUA = 'UA-45161989-1'; $GOOGLEUA = 'UA-45161989-1';
# See tbauth.php3
$CHANGEPSWD_PAGE= "changepswd.php";
# #
# Global flag to disable accounts. We do this on some pages which # Global flag to disable accounts. We do this on some pages which
...@@ -741,7 +743,7 @@ function RedirectLoginPage() ...@@ -741,7 +743,7 @@ function RedirectLoginPage()
# #
# Check the login and redirect to login page. # Check the login and redirect to login page.
# #
function CheckLoginOrRedirect() function CheckLoginOrRedirect($modifier = 0)
{ {
RedirectSecure(); RedirectSecure();
...@@ -750,8 +752,7 @@ function CheckLoginOrRedirect() ...@@ -750,8 +752,7 @@ function CheckLoginOrRedirect()
if (! ($check_status & CHECKLOGIN_LOGGEDIN)) { if (! ($check_status & CHECKLOGIN_LOGGEDIN)) {
RedirectLoginPage(); RedirectLoginPage();
} }
# Catch other illegal login issues. CheckLoginConditions($check_status & ~$modifier);
CheckLoginOrDie();
return $this_user; return $this_user;
} }
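Review bot: The new `$modifier` argument to `CheckLoginOrRedirect()` is undocumented, and because it is applied as `$check_status & ~$modifier` a caller can suppress any condition that `CheckLoginConditions()` enforces, including `CHECKLOGIN_FROZEN`. The header comment should name the bits that are meant to be passed, for example `# $modifier: CHECKLOGIN_* bits to ignore, e.g. CHECKLOGIN_PSWDEXPIRED on the change-password page.`; that use is inferred from the commit message and the new `$CHANGEPSWD_PAGE` setting, so adjust it to the real callers. If only a few bits are ever legitimate, masking the argument against that set before applying it would keep the other checks from being skipped by accident. The assignment of `$check_status` lies between the two hunks and is not visible here.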
......
...@@ -67,8 +67,8 @@ define("CHECKLOGIN_WEBONLY", 0x040000); ...@@ -67,8 +67,8 @@ define("CHECKLOGIN_WEBONLY", 0x040000);
define("CHECKLOGIN_PLABUSER", 0x080000); define("CHECKLOGIN_PLABUSER", 0x080000);
define("CHECKLOGIN_STUDLY", 0x100000); define("CHECKLOGIN_STUDLY", 0x100000);
define("CHECKLOGIN_WIKIONLY", 0x200000); define("CHECKLOGIN_WIKIONLY", 0x200000);
define("CHECKLOGIN_OPSGUY", 0x400000); # Member of emulab-ops. define("CHECKLOGIN_OPSGUY", 0x400000); # Member of emulab-ops.
define("CHECKLOGIN_ISFOREIGN_ADMIN", 0x800000); # Admin of another Emulab. define("CHECKLOGIN_ISFOREIGN_ADMIN", 0x800000); # Admin of another Emulab.
# #
# Constants for tracking possible login attacks. # Constants for tracking possible login attacks.
...@@ -83,6 +83,9 @@ define("DOLOGIN_STATUS_ERROR", -1); ...@@ -83,6 +83,9 @@ define("DOLOGIN_STATUS_ERROR", -1);
define("DOLOGIN_STATUS_IPFREEZE", -2); define("DOLOGIN_STATUS_IPFREEZE", -2);
define("DOLOGIN_STATUS_WEBFREEZE", -3); define("DOLOGIN_STATUS_WEBFREEZE", -3);
# So we can redefine this in the APT pages.
$CHANGEPSWD_PAGE = "moduserinfo.php3";
# #
# Generate a hash value suitable for authorization. We use the results of # Generate a hash value suitable for authorization. We use the results of
# microtime, combined with a random number. # microtime, combined with a random number.
...@@ -417,7 +420,7 @@ function LoginStatus() { ...@@ -417,7 +420,7 @@ function LoginStatus() {
# Now add in the modifiers. # Now add in the modifiers.
# #
# Do not expire passwords for admin users. # Do not expire passwords for admin users.
if ($expired && !$admin) if (!is_null($expired) && $expired && !$admin)
$CHECKLOGIN_STATUS |= CHECKLOGIN_PSWDEXPIRED; $CHECKLOGIN_STATUS |= CHECKLOGIN_PSWDEXPIRED;
if ($admin) if ($admin)
$CHECKLOGIN_STATUS |= CHECKLOGIN_ISADMIN; $CHECKLOGIN_STATUS |= CHECKLOGIN_ISADMIN;
...@@ -554,14 +557,22 @@ function LOGGEDINORDIE($uid, $modifier = 0, $login_url = NULL) { ...@@ -554,14 +557,22 @@ function LOGGEDINORDIE($uid, $modifier = 0, $login_url = NULL) {
TBERROR("LOGGEDINORDIE failed mysteriously", 1); TBERROR("LOGGEDINORDIE failed mysteriously", 1);
} }
$status = $status & ~$modifier; CheckLoginConditions($status & ~$modifier);
# # No one should ever look at the return value of this function.
# Check other conditions. return null;
# }
#
# Check other conditions.
#
function CheckLoginConditions($status)
{
global $CHANGEPSWD_PAGE;
if ($status & CHECKLOGIN_PSWDEXPIRED) if ($status & CHECKLOGIN_PSWDEXPIRED)
USERERROR("Your password has expired. ". USERERROR("Your password has expired. ".
"<a href=moduserinfo.php3>Please change it now!</a>", "<a href='$CHANGEPSWD_PAGE'>Please change it now.</a>",
1, HTTP_403_FORBIDDEN); 1, HTTP_403_FORBIDDEN);
if ($status & CHECKLOGIN_FROZEN) if ($status & CHECKLOGIN_FROZEN)
USERERROR("Your account has been frozen!", USERERROR("Your account has been frozen!",
...@@ -585,10 +596,7 @@ function LOGGEDINORDIE($uid, $modifier = 0, $login_url = NULL) { ...@@ -585,10 +596,7 @@ function LOGGEDINORDIE($uid, $modifier = 0, $login_url = NULL) {
# #
if (NOLOGINS() && !ISADMIN()) if (NOLOGINS() && !ISADMIN())
USERERROR("Sorry. The Web Interface is ". USERERROR("Sorry. The Web Interface is ".
"<a href=nologins.php3>Temporarily Unavailable!</a>", 1); "temporarily unavailable. Please check back later.", 1);
# No one should ever look at the return value of this function.
return null;
} }
# #
...@@ -612,12 +620,22 @@ function CheckLoginOrDie($modifier = 0, $login_url = NULL) ...@@ -612,12 +620,22 @@ function CheckLoginOrDie($modifier = 0, $login_url = NULL)
# #
function CheckLogin(&$status) function CheckLogin(&$status)
{ {
global $CHECKLOGIN_USER; global $CHECKLOGIN_USER, $CHECKLOGIN_STATUS;
$status = LoginStatus(); $status = LoginStatus();
# If login looks valid, return the user. # If login looks valid, return the user.
if ($status & (CHECKLOGIN_LOGGEDIN|CHECKLOGIN_MAYBEVALID)) { if ($status & (CHECKLOGIN_LOGGEDIN|CHECKLOGIN_MAYBEVALID)) {
#
# Check for NOLOGINS.
# We want to allow admin types to continue using the web interface,
# and logout anyone else that is currently logged in!
#
if (NOLOGINS() && !ISADMIN()) {
DOLOGOUT($CHECKLOGIN_USER);
$status = $CHECKLOGIN_STATUS;
return null;
}
if ($status & CHECKLOGIN_LOGGEDIN) { if ($status & CHECKLOGIN_LOGGEDIN) {
BumpLogoutTime(); BumpLogoutTime();
} }
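Review bot: In the new NOLOGINS branch of `CheckLogin()`, the value returned through `&$status` is not guaranteed to be a logged-out status: it is whatever `$CHECKLOGIN_STATUS` holds after `DOLOGOUT($CHECKLOGIN_USER)`, and the result of `DOLOGOUT()` is not checked. `CheckLoginOrRedirect()` appears to branch on `$check_status & CHECKLOGIN_LOGGEDIN` rather than on the null return, so if the logout fails or does not reset the global (its body is not shown), such callers would still see a logged-in status. Clearing the bits explicitly makes the branch self-contained: `$status = $CHECKLOGIN_STATUS & ~(CHECKLOGIN_LOGGEDIN|CHECKLOGIN_MAYBEVALID);`. The NOLOGINS test kept in `CheckLoginConditions()` is a backstop only for callers that go on to call it. `CheckLogin()` continues past the end of this hunk.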
......