Overview

Packages

  • application
    • commands
    • components
      • actions
      • filters
      • leftWidget
      • permissions
      • sortableWidget
      • util
      • webupdater
      • x2flow
        • actions
        • triggers
      • X2GridView
      • X2Settings
    • controllers
    • models
      • embedded
    • modules
      • accounts
        • controllers
        • models
      • actions
        • controllers
        • models
      • calendar
        • controllers
        • models
      • charts
        • models
      • contacts
        • controllers
        • models
      • docs
        • components
        • controllers
        • models
      • groups
        • controllers
        • models
      • marketing
        • components
        • controllers
        • models
      • media
        • controllers
        • models
      • mobile
        • components
      • opportunities
        • controllers
        • models
      • products
        • controllers
        • models
      • quotes
        • controllers
        • models
      • services
        • controllers
        • models
      • template
        • models
      • users
        • controllers
        • models
      • workflow
        • controllers
        • models
      • x2Leads
        • controllers
        • models
  • None
  • system
    • base
    • caching
    • console
    • db
      • ar
      • schema
    • validators
    • web
      • actions
      • auth
      • helpers
      • widgets
        • captcha
        • pagers
  • zii
    • widgets
      • grid

Classes

  • AdminController
  • Api2Controller
  • ApiController
  • BugReportsController
  • CommonSiteControllerBehavior
  • ProfileController
  • RelationshipsController
  • SearchController
  • SiteController
  • StudioController
  • TemplatesController
  • TopicsController
  • x2base
  • X2Controller
  • Overview
  • Package
  • Class
  • Tree 
  1: <?php
  2: /*****************************************************************************************
  3:  * X2Engine Open Source Edition is a customer relationship management program developed by
  4:  * X2Engine, Inc. Copyright (C) 2011-2016 X2Engine Inc.
  5:  * 
  6:  * This program is free software; you can redistribute it and/or modify it under
  7:  * the terms of the GNU Affero General Public License version 3 as published by the
  8:  * Free Software Foundation with the addition of the following permission added
  9:  * to Section 15 as permitted in Section 7(a): FOR ANY PART OF THE COVERED WORK
 10:  * IN WHICH THE COPYRIGHT IS OWNED BY X2ENGINE, X2ENGINE DISCLAIMS THE WARRANTY
 11:  * OF NON INFRINGEMENT OF THIRD PARTY RIGHTS.
 12:  * 
 13:  * This program is distributed in the hope that it will be useful, but WITHOUT
 14:  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
 15:  * FOR A PARTICULAR PURPOSE.  See the GNU Affero General Public License for more
 16:  * details.
 17:  * 
 18:  * You should have received a copy of the GNU Affero General Public License along with
 19:  * this program; if not, see http://www.gnu.org/licenses or write to the Free
 20:  * Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
 21:  * 02110-1301 USA.
 22:  * 
 23:  * You can contact X2Engine, Inc. P.O. Box 66752, Scotts Valley,
 24:  * California 95067, USA. or at email address contact@x2engine.com.
 25:  * 
 26:  * The interactive user interfaces in modified source and object code versions
 27:  * of this program must display Appropriate Legal Notices, as required under
 28:  * Section 5 of the GNU Affero General Public License version 3.
 29:  * 
 30:  * In accordance with Section 7(b) of the GNU Affero General Public License version 3,
 31:  * these Appropriate Legal Notices must retain the display of the "Powered by
 32:  * X2Engine" logo. If the display of the logo is not reasonably feasible for
 33:  * technical reasons, the Appropriate Legal Notices must display the words
 34:  * "Powered by X2Engine".
 35:  *****************************************************************************************/
 36: Yii::import('application.components.ThemeGenerator.LoginThemeHelper');
 37: /**
 38:  * For code shared between mobile and full app site controllers
 39:  *
 40:  * @package application.controllers
 41:  */
 42: class CommonSiteControllerBehavior extends CBehavior {
 43: 
 44:     /**
 45:      * Displays the login page
 46:      * @param object $formModel
 47:      * @param bool $isMobile Whether this was called from mobile site controller
 48:      */
 49:     public function login (LoginForm $model, $isMobile=false){
 50:             
 51:         $model->attributes = $_POST['LoginForm']; // get user input data
 52:         Session::cleanUpSessions();
 53: 
 54:         $ip = $this->owner->getRealIp();
 55:         
 56:         $userModel = $model->getUser();
 57:         $isRealUser = $userModel instanceof User;
 58:         $effectiveUsername = $isRealUser ? $userModel->username : $model->username;
 59:         $isActiveUser = $isRealUser && $userModel->status == User::STATUS_ACTIVE;
 60:         /* increment count on every session with this user/IP, to prevent brute force attacks 
 61:            using session_id spoofing or whatever */
 62:         Yii::app()->db->createCommand(
 63:             'UPDATE x2_sessions SET status=status-1,lastUpdated=:time WHERE user=:name AND 
 64:             CAST(IP AS CHAR)=:ip AND status BETWEEN -2 AND 0')
 65:                 ->bindValues(
 66:                     array(':time' => time(), ':name' => $effectiveUsername, ':ip' => $ip))
 67:                 ->execute();
 68: 
 69:         $activeUser = Yii::app()->db->createCommand() // see if this is an actual, active user
 70:                 ->select('username')
 71:                 ->from('x2_users')
 72:                 ->where('username=:name AND status=1', array(':name' => $model->username))
 73:                 ->limit(1)
 74:                 ->queryScalar(); // get the correctly capitalized username
 75: 
 76:         if(isset($_SESSION['sessionId']))
 77:             $sessionId = $_SESSION['sessionId'];
 78:         else
 79:             $sessionId = $_SESSION['sessionId'] = session_id();
 80: 
 81:         $session = X2Model::model('Session')->findByPk($sessionId);
 82: 
 83:         /* get the number of failed login attempts from this IP within timeout interval. If the 
 84:         number of login attempts exceeds maximum, display captcha */
 85:         $badAttemptsRefreshTimeout = 900;
 86:         $maxFailedLoginAttemptsPerIP = 100;
 87:         $maxLoginsBeforeCaptcha = 5;
 88:         
 89:         $this->pruneTimedOutBans ($badAttemptsRefreshTimeout);
 90:         $failedLoginRecord = FailedLogins::model()->findActiveByIp ($ip);
 91:         $badAttemptsWithThisIp = ($failedLoginRecord) ? $failedLoginRecord->attempts : 0;
 92:         if ($badAttemptsWithThisIp >= $maxFailedLoginAttemptsPerIP) {
 93:             $this->recordFailedLogin ($ip);
 94:             throw new CHttpException (403, Yii::t('app',
 95:                 'You are not authorized to use this application'));
 96:         }
 97:         // if this client has already tried to log in, increment their attempt count
 98:         if ($session === null) {
 99:             $session = new Session;
100:             $session->id = $sessionId;
101:             $session->user = $model->getSessionUserName();
102:             $session->lastUpdated = time();
103:             $session->status = 0;
104:             $session->IP = $ip;
105:         } else {
106:             $session->lastUpdated = time();
107:             $session->user = $model->getSessionUserName();
108:         }
109: 
110:         if($isActiveUser === false){
111:             $model->verifyCode = ''; // clear captcha code
112:             $model->validate (); // validate captcha if it's being used
113:             $this->recordFailedLogin ($ip);
114:             $session->save();
115:             if ($badAttemptsWithThisIp + 1 >= $maxFailedLoginAttemptsPerIP) {
116:                 throw new CHttpException (403, Yii::t('app',
117:                     'You are not authorized to use this application'));
118:             } else if ($badAttemptsWithThisIp >= $maxLoginsBeforeCaptcha - 1) {
119:                 $model->useCaptcha = true;
120:                 $model->setScenario('loginWithCaptcha');
121:                 $session->status = -2;
122:             }
123:         }else{
124:             if($model->validate() && $model->login()){  // user successfully logged in
125:                 
126:                 if($model->rememberMe){
127:                     foreach(array('username','rememberMe') as $attr) {
128:                         $cookieName = CHtml::resolveName ($model, $attr);
129:                         $cookie = new CHttpCookie(
130:                             $cookieName, $model->$attr);
131:                         $cookie->expire = time () + 2592000; // expire in 30 days
132:                         Yii::app()->request->cookies[$cookieName] = $cookie; // save cookie
133:                     }
134:                 }else{
135:                     foreach(array('username','rememberMe') as $attr) {
136:                         // Remove the cookie if they unchecked the box
137:                         AuxLib::clearCookie(CHtml::resolveName($model, $attr));
138:                     }
139:                 }
140: 
141:                 // We're not using the isAdmin parameter of the application
142:                 // here because isAdmin in this context hasn't been set yet.
143:                 $isAdmin = Yii::app()->user->checkAccess('AdminIndex');
144:                 if($isAdmin && !$isMobile) {
145:                     $this->owner->attachBehavior('updaterBehavior', new UpdaterBehavior);
146:                     $this->owner->checkUpdates();   // check for updates if admin
147:                 } else
148:                     Yii::app()->session['versionCheck'] = true; // ...or don't
149: 
150:                 $session->status = 1;
151:                 $session->save();
152:                 SessionLog::logSession($model->username, $sessionId, 'login');
153:                 $_SESSION['playLoginSound'] = true;
154: 
155:                 if(YII_UNIT_TESTING && defined ('X2_DEBUG_EMAIL') && X2_DEBUG_EMAIL)
156:                     Yii::app()->session['debugEmailWarning'] = 1;
157: 
158:                 // if ( isset($_POST['themeName']) ) {
159:                 //     $profile = X2Model::model('Profile')->findByPk(Yii::app()->user->id);
160:                 //     $profile->theme = array_merge( 
161:                 //         $profile->theme, 
162:                 //         ThemeGenerator::loadDefault( $_POST['themeName'])
163:                 //     );
164:                 //     $profile->save();
165:                 // }
166: 
167:                 LoginThemeHelper::login();
168: 
169:                 if ($isMobile) {
170:                     $this->owner->redirect($this->owner->createUrl('/mobile/home'));
171:                 } else {
172:                     if(Yii::app()->user->returnUrl == '/site/index') {
173:                         $this->owner->redirect(array('/site/index'));
174:                     } else {
175:                         // after login, redirect to wherever
176:                         $this->owner->redirect(Yii::app()->user->returnUrl); 
177:                     }
178:                 }
179: 
180: 
181:             } else{ // login failed
182:                 $model->verifyCode = ''; // clear captcha code
183:                 $this->recordFailedLogin ($ip);
184:                 $session->save();
185: 
186:                 if ($badAttemptsWithThisIp + 1 >= $maxFailedLoginAttemptsPerIP) {
187:                     throw new CHttpException (403, Yii::t('app',
188:                         'You are not authorized to use this application'));
189:                 } else if ($badAttemptsWithThisIp >= $maxLoginsBeforeCaptcha - 1) {
190:                     $model->useCaptcha = true;
191:                     $model->setScenario('loginWithCaptcha');
192:                     $session->status = -2;
193:                 }
194:             }
195:         }
196:         $model->rememberMe = false;
197:     }
198: 
199:     /**
200:      * @return bool Whether this IP has reached the CAPTCHA threshold
201:      */
202:     protected function loginRequiresCaptcha() {
203:         if (isset($_SESSION['sessionId'])) {
204:             $failedLoginRecord = FailedLogins::model()->findActiveByIp ($this->owner->getRealIp());
205:             $badAttemptsWithThisIp = ($failedLoginRecord) ? $failedLoginRecord->attempts : 0;
206: 
207:             $maxLoginsBeforeCaptcha = 5;
208:             
209: 
210:             return $badAttemptsWithThisIp >= $maxLoginsBeforeCaptcha;
211:         }
212:     }
213: 
214:     public function recordFailedLogin($ip) {
215:         $record = FailedLogins::model()->findActiveByIp ($ip);
216:         if ($record) {
217:             $record->attempts++;
218:         } else {
219:             $record = new FailedLogins;
220:             $record->IP = $ip;
221:             $record->attempts = 1;
222:         }
223:         $record->lastAttempt = time();
224:         $record->save();
225:     }
226: 
227:     /**
228:      * Update any timed out bans and mark them as inactive
229:      * @param int Timeout period (in minutes)
230:      */
231:     private function pruneTimedOutBans ($badAttemptsRefreshTimeout) {
232:         Yii::app()->db->createCommand()
233:             ->update (
234:                 'x2_failed_logins',
235:                 array('active' => 0),
236:                 'active = 1 AND lastAttempt < :timeout',
237:                 array(':timeout' => time() - ($badAttemptsRefreshTimeout * 60))
238:             );
239:     }
240: 
241:     
242: }
243: 
244:
X2CRM Documentation API documentation generated by ApiGen 2.8.0