From 0765a1196f421c4aeff269c416985ea4d61ddf00 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Fri, 27 Jan 2023 14:27:51 +0100
Subject: [PATCH] FIX Check of date of validity

---
 htdocs/api/class/api_access.class.php | 9 +++++++--
 htdocs/dav/fileserver.php | 7 +++++++
 htdocs/langs/en_US/errors.lang | 2 +-
 htdocs/main.inc.php | 11 +++++++++--
 htdocs/user/class/user.class.php | 12 +++++++-----
 5 files changed, 31 insertions(+), 10 deletions(-)

diff --git a/htdocs/api/class/api_access.class.php b/htdocs/api/class/api_access.class.php
index 6874d3faaed..541682101c6 100644
--- a/htdocs/api/class/api_access.class.php
+++ b/htdocs/api/class/api_access.class.php
@@ -144,6 +144,7 @@ class DolibarrApiAccess implements iAuthenticate
 				throw new RestException(503, 'Error when searching login user from api key');
 			}
+			$genericmessageerroruser = 'Error user not valid (not found or bad status or bad validity dates) (conf->entity='.$conf->entity.')';
 			$fuser = new User($this->db);
@@ -151,8 +152,12 @@ class DolibarrApiAccess implements iAuthenticate
 			if ($result <= 0) {
 				throw new RestException(503, $genericmessageerroruser);
 			}
-			if ($fuser->statut == 0) {
-				throw new RestException(503, 'Error when fetching user. This user has been locked or disabled');
+
+			// Check if user status is enabled
+			if ($fuser->statut != $fuser::STATUS_ENABLED) {
+				// Status is disabled
+				dol_syslog("The user has been disabled");
+				throw new RestException(503, $genericmessageerroruser);
 			}
 			// Check if session was unvalidated by a password change
diff --git a/htdocs/dav/fileserver.php b/htdocs/dav/fileserver.php
index 15d9cd1764f..af23fde5fff 100644
--- a/htdocs/dav/fileserver.php
+++ b/htdocs/dav/fileserver.php
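Review bot: The status test added at `if ($fuser->statut != $fuser::STATUS_ENABLED)` is the only account-state check in this hunk; the commit is titled as a fix of the validity-date check and the new generic message even names "bad validity dates", yet no call to `isNotIntoValidityDateRange()` is visible here, so unless it happens further down in this method (which starts before the hunk and continues after it) an API key tied to an account whose `dateendvalidity` has passed keeps working while the same account is now logged out of the web UI by main.inc.php. I would add, directly after the status block, `if ($fuser->isNotIntoValidityDateRange()) { dol_syslog("The user is outside its validity date range"); throw new RestException(503, $genericmessageerroruser); }`. Separately, `$genericmessageerroruser` embeds `$conf->entity` and is returned in the body of an unauthenticated 503 response; the entity id is of no use to a legitimate caller and is better kept to `dol_syslog` only.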
@@ -131,6 +131,13 @@ $authBackend = new \Sabre\DAV\Auth\Backend\BasicCallBack(function ($username, $p
 		return false;
 	}
+	// Check if user status is enabled
+	if ($user->statut != $user::STATUS_ENABLED) {
+		// Status is disabled
+		dol_syslog("The user has been disabled.");
+		return false;
+	}
+
 	// Check if session was unvalidated by a password change
 	if (($user->flagdelsessionsbefore && !empty($_SESSION["dol_logindate"]) && $user->flagdelsessionsbefore > $_SESSION["dol_logindate"])) {
 		// Session is no more valid
diff --git a/htdocs/langs/en_US/errors.lang b/htdocs/langs/en_US/errors.lang
index b779c901b54..240dd7c4c41 100644
--- a/htdocs/langs/en_US/errors.lang
+++ b/htdocs/langs/en_US/errors.lang
@@ -303,7 +303,7 @@ ErrorValueForTooLow=Value for %s is too low
 ErrorValueCantBeNull=Value for %s can't be null
 ErrorDateOfMovementLowerThanDateOfFileTransmission=The date of the bank transaction can't be lower than the date of the file transmission
 ErrorTooMuchFileInForm=Too much files in form, the maximum number is %s file(s)
-ErrorSessionInvalidatedAfterPasswordChange=The session was invalidated after a password change. Please relogin.
+ErrorSessionInvalidatedAfterPasswordChange=The session was invalidated after a password or dates of validity change. Please relogin.
 # Warnings
 WarningParamUploadMaxFileSizeHigherThanPostMaxSize=Your PHP parameter upload_max_filesize (%s) is higher than PHP parameter post_max_size (%s). This is not a consistent setup.
diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index 24ce10ea7c1..8a4efc8466b 100644
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
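Review bot: The DAV basic-auth callback gains the `statut` check at `if ($user->statut != $user::STATUS_ENABLED)` but, like the API hunk, no test of the validity dates this commit is about; the closure starts before the hunk, so if `isNotIntoValidityDateRange()` is not called in the part not shown, an account past its `dateendvalidity` can still authenticate to WebDAV with a valid password. I would add after the new block `if ($user->isNotIntoValidityDateRange()) { dol_syslog("The user is outside its validity date range."); return false; }`. The new log line `dol_syslog("The user has been disabled.")` would also be more useful in an incident review if it named the account that was refused, e.g. `dol_syslog("The user ".$username." has been disabled.", LOG_WARNING)`, since it is the only trace of an authentication attempt against a disabled login on this path.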
@@ -881,7 +881,7 @@ if (!defined('NOLOGIN')) {
 		$resultFetchUser = $user->fetch('', $login, '', 1, ($entitytotest > 0 ? $entitytotest : -1)); // value for $login was retrieved previously when checking password.
 		if ($resultFetchUser <= 0 || $user->isNotIntoValidityDateRange()) {
-			dol_syslog('User not found, connexion refused');
+			dol_syslog('User not found or not valid, connexion refused');
 			session_destroy();
 			session_set_cookie_params(0, '/', null, (empty($dolibarr_main_force_https) ? false : true), true); // Add tag secure and httponly on session cookie
 			session_name($sessionname);
@@ -949,15 +949,22 @@ if (!defined('NOLOGIN')) {
 		dol_syslog("- This is an already logged session. _SESSION['dol_login']=".$login." _SESSION['dol_entity']=".$entity, LOG_DEBUG);
 		$resultFetchUser = $user->fetch('', $login, '', 1, ($entity > 0 ? $entity : -1));
+
+		//var_dump(dol_print_date($user->flagdelsessionsbefore, 'dayhour', 'gmt')." ".dol_print_date($_SESSION["dol_logindate"], 'dayhour', 'gmt'));
+
 		if ($resultFetchUser <= 0
 			|| ($user->flagdelsessionsbefore && !empty($_SESSION["dol_logindate"]) && $user->flagdelsessionsbefore > $_SESSION["dol_logindate"])
-			|| ($user->isNotIntoValidtyDateRange())) {
+			|| ($user->status != $user::STATUS_ENABLED)
+			|| ($user->isNotIntoValidityDateRange())) {
 			if ($resultFetchUser <= 0) {
 				// Account has been removed after login
 				dol_syslog("Can't load user even if session logged. _SESSION['dol_login']=".$login, LOG_WARNING);
 			} elseif ($user->flagdelsessionsbefore && !empty($_SESSION["dol_logindate"]) && $user->flagdelsessionsbefore > $_SESSION["dol_logindate"]) {
 				// Session is no more valid
 				dol_syslog("The user has a date for session invalidation = ".$user->flagdelsessionsbefore." and a session date = ".$_SESSION["dol_logindate"].". We must invalidate its sessions.");
+			} elseif ($user->status != $user::STATUS_ENABLED) {
+				// User is not enabled
+				dol_syslog("The user login is disabled");
 			} else {
 				// User validity dates are no more valid
 				dol_syslog("The user login has a validity between [".$user->datestartvalidity." and ".$user->dateendvalidity."], curren date is ".dol_now());
diff --git a/htdocs/user/class/user.class.php b/htdocs/user/class/user.class.php
index f8d437d4fa0..2893378bdd9 100644
--- a/htdocs/user/class/user.class.php
+++ b/htdocs/user/class/user.class.php
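Review bot: The two new conditions read `$user->status`, whereas the checks added in the same commit to api_access.class.php and fileserver.php read `statut`; the three sites should test the same property. If `User::fetch()` only fills `statut` (the class fields are not visible from here), `$user->status` is null, `null != User::STATUS_ENABLED` is always true, and every already-logged session is destroyed on its next request; if both fields are filled the code merely diverges from the other two files. I would write `|| ($user->statut != $user::STATUS_ENABLED)` in the `if` and `} elseif ($user->statut != $user::STATUS_ENABLED) {` in the branch, or whichever spelling `fetch()` actually populates, and use it everywhere. The commented-out `//var_dump(...)` line above the `if` is debug residue and should not be committed. The enclosing `if (!defined('NOLOGIN'))` block begins before and ends after this hunk.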
@@ -2702,24 +2702,26 @@ class User extends CommonObject
 	 * Return a link with photo
 	 * Use this->id,this->photo
 	 *
-	 * @return int 0=No more valid, >0 if OK
+	 * @return int 0=Valid, >0 if not valid
 	 */
-	public function isNotIntoValidtyDateRange()
+	public function isNotIntoValidityDateRange()
 	{
 		include_once DOL_DOCUMENT_ROOT.'/core/lib/date.lib.php';
 		$now = dol_now();
+
+		//dol_syslog("isNotIntoValidityDateRange ".$this->datestartvalidity);
+
 		// Check date start validity
 		if ($this->datestartvalidity && $this->datestartvalidity > dol_get_last_hour($now)) {
-			return 0;
+			return 1;
 		}
 		// Check date end validity
 		if ($this->dateendvalidity && $this->dateendvalidity < dol_get_first_hour($now)) {
-			return 0;
+			return 1;
 		}
-		return 1;
+		return 0;
 	}
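Review bot: The docblock of the renamed method still reads "Return a link with photo / Use this->id,this->photo", which describes a different method; only the `@return` tag was corrected. I would replace those two lines with `* Check whether the user is outside its validity period (datestartvalidity later than today, or dateendvalidity earlier than today; the comparison is at day granularity through dol_get_last_hour()/dol_get_first_hour())`, keeping the new `@return int 0=Valid, >0 if not valid` tag. The `//dol_syslog("isNotIntoValidityDateRange ".$this->datestartvalidity);` line is commented-out debug output and should be dropped rather than shipped. Because the rename also inverts the meaning of the return value, any caller of the old `isNotIntoValidtyDateRange()` not updated in this commit (external modules included, so a grep is worth doing) will fail with an undefined-method error rather than silently keep the old logic, which is the safer of the two outcomes but still needs checking. The `/**` opening this docblock sits just before the first hunk line.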