Diffstat (limited to 'engine/lib/sessions.php')
| -rw-r--r-- | engine/lib/sessions.php | 158 |
1 files changed, 80 insertions, 78 deletions
diff --git a/engine/lib/sessions.php b/engine/lib/sessions.php index 05258243f..e3d5ce9cd 100644 --- a/engine/lib/sessions.php +++ b/engine/lib/sessions.php @@ -18,9 +18,9 @@ global $SESSION; * hook - 'session:get' 'user' to give plugin authors another * way to provide user details to the ACL system without touching the session. * - * @return ElggUser|NULL + * @return ElggUser */ -function get_loggedin_user() { +function elgg_get_logged_in_user_entity() { global $SESSION; if (isset($SESSION)) { @@ -33,11 +33,11 @@ function get_loggedin_user() { /** * Return the current logged in user by id. * - * @see get_loggedin_user() + * @see elgg_get_logged_in_user_entity() * @return int */ -function get_loggedin_userid() { - $user = get_loggedin_user(); +function elgg_get_logged_in_user_guid() { + $user = elgg_get_logged_in_user_entity(); if ($user) { return $user->guid; } @@ -50,9 +50,8 @@ function get_loggedin_userid() { * * @return bool */ -function isloggedin() { - - $user = get_loggedin_user(); +function elgg_is_logged_in() { + $user = elgg_get_logged_in_user_entity(); if ((isset($user)) && ($user instanceof ElggUser) && ($user->guid > 0)) { return true; @@ -64,14 +63,12 @@ function isloggedin() { /** * Returns whether or not the user is currently logged in and that they are an admin user. * - * @uses isloggedin() * @return bool */ -function isadminloggedin() { - - $user = get_loggedin_user(); +function elgg_is_admin_logged_in() { + $user = elgg_get_logged_in_user_entity(); - if ((isloggedin()) && $user->isAdmin()) { + if ((elgg_is_logged_in()) && $user->isAdmin()) { return TRUE; } @@ -90,6 +87,9 @@ function isadminloggedin() { */ function elgg_is_admin_user($user_guid) { global $CONFIG; + + $user_guid = (int)$user_guid; + // cannot use magic metadata here because of recursion // must support the old way of getting admin from metadata 
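Review bot: The first hunk narrows the docblock of elgg_get_logged_in_user_entity() from `@return ElggUser|NULL` to `@return ElggUser`, yet the body still branches on `if (isset($SESSION))`, which suggests the null return path survives; the rest of the function is outside the hunk, so this is inferred. If nothing was added below to guarantee a user, keep `@return ElggUser|null` so callers such as elgg_get_logged_in_user_guid() (which already guards with `if ($user)`) are not misled into dropping their null checks. The `(int)` cast added to elgg_is_admin_user() is a good boundary check; the same treatment would suit the other guid-taking helpers in this file that pass a guid straight into a query.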
@@ -128,23 +128,28 @@ function elgg_is_admin_user($user_guid) { } /** - * Perform standard authentication with a given username and password. - * Returns an ElggUser object for use with login. + * Perform user authentication with a given username and password. + * + * @warning This returns an error message on failure. Use the identical operator to check + * for access: if (true === elgg_authenticate()) { ... }. + * * * @see login * - * @param string $username The username, optionally (for standard logins) - * @param string $password The password, optionally (for standard logins) + * @param string $username The username + * @param string $password The password * - * @return ElggUser|false The authenticated user object, or false on failure. + * @return true|string True or an error message on failure + * @access private */ - -function authenticate($username, $password) { - if (pam_authenticate(array('username' => $username, 'password' => $password))) { - return get_user_by_username($username); +function elgg_authenticate($username, $password) { + $pam = new ElggPAM('user'); + $credentials = array('username' => $username, 'password' => $password); + $result = $pam->authenticate($credentials); + if (!$result) { + return $pam->getFailureMessage(); } - - return false; + return true; } /** 
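Review bot: elgg_authenticate() returns `$pam->getFailureMessage()` on failure, and the messages raised by pam_auth_userpass() in the next hunk differ between an unknown username (`LoginException:UsernameFailure`) and a wrong password (`LoginException:PasswordFailure`), so whatever surfaces this string to the client lets an attacker confirm which usernames exist. Consider collapsing both into one generic failure message at this boundary (or in the language strings) while keeping the distinct reason only in server-side logging. Separately, a non-empty string is truthy, so the `@warning` about `true ===` is essential; a caller written as `if (elgg_authenticate(...))` treats every failure as success, which is worth restating in the one-line summary of the docblock.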
@@ -152,31 +157,34 @@ function authenticate($username, $password) { * it against a known user. * * @param array $credentials Associated array of credentials passed to - * pam_authenticate. This function expects + * Elgg's PAM system. This function expects * 'username' and 'password' (cleartext). * * @return bool + * @throws LoginException + * @access private */ -function pam_auth_userpass($credentials = NULL) { +function pam_auth_userpass(array $credentials = array()) { - if (is_array($credentials) && ($credentials['username']) && ($credentials['password'])) { - if ($user = get_user_by_username($credentials['username'])) { - // User has been banned, so prevent from logging in - if ($user->isBanned()) { - return FALSE; - } + if (!isset($credentials['username']) || !isset($credentials['password'])) { + return false; + } - if ($user->password == generate_user_password($user, $credentials['password'])) { - return TRUE; - } else { - // Password failed, log. - log_login_failure($user->guid); - } + $user = get_user_by_username($credentials['username']); + if (!$user) { + throw new LoginException(elgg_echo('LoginException:UsernameFailure')); + } - } + if (check_rate_limit_exceeded($user->guid)) { + throw new LoginException(elgg_echo('LoginException:AccountLocked')); } - return FALSE; + if ($user->password !== generate_user_password($user, $credentials['password'])) { + log_login_failure($user->guid); + throw new LoginException(elgg_echo('LoginException:PasswordFailure')); + } + + return true; } /** @@ -184,7 +192,7 @@ function pam_auth_userpass($credentials = NULL) { * * @param int $user_guid User GUID * - * @return bool on success + * @return bool */ function log_login_failure($user_guid) { $user_guid = (int)$user_guid; 
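Review bot: The `@return bool` on pam_auth_userpass() no longer describes the contract: the function returns `false` only when a credential key is missing and throws LoginException for every other failure, so the docblock should say `@return bool false if credentials are incomplete; otherwise true` and list the three exception cases. The banned-user check that the old handler performed was dropped here, so a banned account's password is now verified (and a mismatch counted via log_login_failure()) before login() rejects the account; if that ordering is intended, a comment such as `// banned status is enforced in login()` would prevent the check from being reinstated twice. The password comparison `$user->password !== generate_user_password(...)` is a plain string compare; where the supported PHP version provides it, `hash_equals()` would avoid a timing side channel, although the rate limit checked just above already blunts it.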
@@ -207,7 +215,7 @@ function log_login_failure($user_guid) { * * @param int $user_guid User GUID * - * @return bool on success (success = user has no logged failed attempts) + * @return bool true on success (success = user has no logged failed attempts) */ function reset_login_failure_count($user_guid) { $user_guid = (int)$user_guid; @@ -270,26 +278,20 @@ function check_rate_limit_exceeded($user_guid) { /** * Logs in a specified ElggUser. For standard registration, use in conjunction - * with authenticate. + * with elgg_authenticate. * - * @see authenticate + * @see elgg_authenticate * * @param ElggUser $user A valid Elgg user object * @param boolean $persistent Should this be a persistent login? * - * @return bool Whether login was successful + * @return true or throws exception + * @throws LoginException */ function login(ElggUser $user, $persistent = false) { - global $CONFIG; - // User is banned, return false. if ($user->isBanned()) { - return false; - } - - // Check rate limit - if (check_rate_limit_exceeded($user->guid)) { - return false; + throw new LoginException(elgg_echo('LoginException:BannedUser')); } $_SESSION['user'] = $user; @@ -306,7 +308,7 @@ function login(ElggUser $user, $persistent = false) { setcookie("elggperm", $code, (time() + (86400 * 30)), "/"); } - if (!$user->save() || !trigger_elgg_event('login', 'user', $user)) { + if (!$user->save() || !elgg_trigger_event('login', 'user', $user)) { unset($_SESSION['username']); unset($_SESSION['name']); unset($_SESSION['code']); @@ -314,7 +316,7 @@ function login(ElggUser $user, $persistent = false) { unset($_SESSION['id']); unset($_SESSION['user']); setcookie("elggperm", "", (time() - (86400 * 30)), "/"); - return false; + throw new LoginException(elgg_echo('LoginException:Unknown')); } // Users privilege has been elevated, so change the session id (prevents session fixation) 
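Review bot: login() no longer calls check_rate_limit_exceeded(); the lockout now lives only in pam_auth_userpass() (earlier hunk), so any code path that reaches login() through a different PAM handler or that constructs the ElggUser itself bypasses the failed-attempt lockout entirely — inferred, since those callers are outside this file. If rate limiting is deliberately the authenticator's job, state it on login(): `@note Rate limiting is enforced by the PAM layer; callers must authenticate before calling login().` The `@return true or throws exception` line is not a valid type; `@return bool` with the existing `@throws LoginException` is sufficient, and the throw of `LoginException:Unknown` after the cleanup block is correct only as long as the session unsets above it stay in place.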
@@ -324,6 +326,12 @@ function login(ElggUser $user, $persistent = false) { set_last_login($_SESSION['guid']); reset_login_failure_count($user->guid); // Reset any previous failed login attempts + // if memcache is enabled, invalidate the user in memcache @see https://github.com/Elgg/Elgg/issues/3143 + if (is_memcache_available()) { + // this needs to happen with a shutdown function because of the timing with set_last_login() + register_shutdown_function("_elgg_invalidate_memcache_for_entity", $_SESSION['guid']); + } + return true; } @@ -333,10 +341,8 @@ function login(ElggUser $user, $persistent = false) { * @return bool */ function logout() { - global $CONFIG; - if (isset($_SESSION['user'])) { - if (!trigger_elgg_event('logout', 'user', $_SESSION['user'])) { + if (!elgg_trigger_event('logout', 'user', $_SESSION['user'])) { return false; } $_SESSION['user']->code = ""; @@ -358,7 +364,7 @@ function logout() { session_destroy(); // starting a default session to store any post-logout messages. - session_init(NULL, NULL, NULL); + _elgg_session_boot(NULL, NULL, NULL); $_SESSION['msg'] = $old_msg; return TRUE; @@ -375,13 +381,10 @@ function logout() { * * @uses $_SESSION * - * @param string $event Event name - * @param string $object_type Object type - * @param mixed $object Object - * * @return bool + * @access private */ -function session_init($event, $object_type, $object) { +function _elgg_session_boot() { global $DB_PREFIX, $CONFIG; // Use database for sessions @@ -446,8 +449,8 @@ function session_init($event, $object_type, $object) { set_last_action($_SESSION['guid']); } - register_action("login", true); - register_action("logout"); + elgg_register_action('login', '', 'public'); + elgg_register_action('logout'); // Register a default PAM handler register_pam_handler('pam_auth_userpass'); 
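Review bot: logout() calls `_elgg_session_boot(NULL, NULL, NULL)` while the new signature in the same hunk is `_elgg_session_boot()` with no parameters; PHP accepts the extra arguments silently, but the call should be `_elgg_session_boot();` so the leftover event-handler shape is not mistaken for a contract. The memcache invalidation uses a string callable, `register_shutdown_function("_elgg_invalidate_memcache_for_entity", $_SESSION['guid'])`; the referenced function is not defined in this file, so it is worth a one-line comment naming where it lives. Registering the login action as `'public'` is the correct exposure, since the handler itself now depends on elgg_authenticate() for the security decision.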
@@ -462,9 +465,6 @@ function session_init($event, $object_type, $object) { return false; } - // Since we have loaded a new user, this user may have different language preferences - register_translations(dirname(dirname(dirname(__FILE__))) . "/languages/"); - return true; } @@ -474,10 +474,10 @@ function session_init($event, $object_type, $object) { * @return void */ function gatekeeper() { - if (!isloggedin()) { + if (!elgg_is_logged_in()) { $_SESSION['last_forward_from'] = current_page_url(); register_error(elgg_echo('loggedinrequired')); - forward(); + forward('', 'login'); } } @@ -489,10 +489,10 @@ function gatekeeper() { function admin_gatekeeper() { gatekeeper(); - if (!isadminloggedin()) { + if (!elgg_is_admin_logged_in()) { $_SESSION['last_forward_from'] = current_page_url(); register_error(elgg_echo('adminrequired')); - forward(); + forward('', 'admin'); } } @@ -504,6 +504,7 @@ function admin_gatekeeper() { * * @return true * @todo Document + * @access private */ function _elgg_session_open($save_path, $session_name) { global $sess_save_path; @@ -519,6 +520,7 @@ function _elgg_session_open($save_path, $session_name) { * @todo document * * @return true + * @access private */ function _elgg_session_close() { return true; @@ -530,6 +532,7 @@ function _elgg_session_close() { * @param string $id The session ID * * @return string + * @access private */ function _elgg_session_read($id) { global $DB_PREFIX; @@ -563,6 +566,7 @@ function _elgg_session_read($id) { * @param mixed $sess_data Session data * * @return bool + * @access private */ function _elgg_session_write($id, $sess_data) { global $DB_PREFIX; @@ -602,6 +606,7 @@ function _elgg_session_write($id, $sess_data) { * @param string $id Session ID * * @return bool + * @access private */ function _elgg_session_destroy($id) { global $DB_PREFIX; 
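Review bot: The first hunk removes the `register_translations(...)` call from _elgg_session_boot() without a replacement in this file, so the per-user language reload that the removed comment described must now happen elsewhere; if it does, a short comment at that point, `// user language preferences are loaded by the translation subsystem`, would explain the omission to the next reader. The gatekeeper changes to `forward('', 'login')` and `forward('', 'admin')` are clear, but `$_SESSION['last_forward_from'] = current_page_url()` stores the return target before the redirect, and the code that later consumes it should validate it is a same-site URL; that consumer is outside this hunk.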
@@ -616,10 +621,8 @@ function _elgg_session_destroy($id) { global $sess_save_path; $sess_file = "$sess_save_path/sess_$id"; - return(@unlink($sess_file)); + return @unlink($sess_file); } - - return false; } /** @@ -628,6 +631,7 @@ function _elgg_session_destroy($id) { * @param int $maxlifetime Max age of a session * * @return bool + * @access private */ function _elgg_session_gc($maxlifetime) { global $DB_PREFIX; @@ -650,5 +654,3 @@ function _elgg_session_gc($maxlifetime) { return true; } - -register_elgg_event_handler("boot", "system", "session_init", 20); |
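Review bot: Removing the trailing `return false;` from _elgg_session_destroy() means the function falls off its end with an implicit null when the file-backed branch is not taken, while the docblock still says `@return bool`; the enclosing structure starts above the hunk, so whether another branch already returns is inferred, but if not, keep `return false;` at the end. The `@unlink($sess_file)` suppression survives the rewrite; logging the failure instead of silencing it would make a stale session file visible in operations. The last hunk deletes the `register_elgg_event_handler("boot", "system", "session_init", 20)` line with no replacement here, so the renamed `_elgg_session_boot` must now be wired up elsewhere, presumably at the same boot priority; a comment on `_elgg_session_boot()` stating where it is registered would document that dependency.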
