<?php

/**
 * @file classes/security/Validation.inc.php
 *
 * Copyright (c) 2013-2015 Simon Fraser University Library
 * Copyright (c) 2003-2015 John Willinsky
 * Distributed under the GNU GPL v2. For full terms see the file docs/COPYING.
 *
 * @class Validation
 * @ingroup security
 *
 * @brief Class providing user validation/authentication operations.
 *
 * All methods are called statically (Validation::login(...) etc.). The class
 * covers three concerns: credential verification (login, checkCredentials,
 * verifyPassword, encryptCredentials), session binding (login, logout,
 * isLoggedIn) and role-based authorization checks (isAuthorized and the
 * is*() shortcuts, canAdminister). Password-reset tokens and password/username
 * suggestions live here too.
 *
 * NOTE(review): LEGACY_ENCRYPTION is a constant defined outside this file
 * (presumably in classes.security.password, imported below) — confirm.
 */

import('classes.security.Role');
import('classes.security.password');

class Validation {
	/**
	 * Authenticate user credentials and mark the user as logged in in the current session.
	 *
	 * Two modes are selected by the 'security.implicit_auth' config value:
	 *  - implicit auth: the 'ImplicitAuthPlugin::implicitAuth' hook is expected to
	 *    populate $user; the credentials passed in are not checked here;
	 *  - regular auth: the user is looked up by username and verified either against
	 *    the remote auth source bound to the account (AuthSourceDAO plugin) or against
	 *    the local password hash via Validation::verifyPassword().
	 *
	 * On success the session ID is regenerated BEFORE the user is bound to the
	 * session, the user's last-login date is set and the user record is saved
	 * (which also persists a rehashed local password, if one was produced).
	 *
	 * @param $username string
	 * @param $password string unencrypted password
	 * @param $reason string reference to string to receive the reason an account was disabled; null otherwise
	 * @param $remember boolean remember a user's session past the current browser session
	 * @return User the User associated with the login credentials, or false if the
	 *  credentials are invalid or the account is disabled (in which case $reason is
	 *  set to the disabled reason, or '' when none is recorded)
	 */
	function &login($username, $password, &$reason, $remember = false) {
		$implicitAuth = Config::getVar('security', 'implicit_auth');

		$reason = null;
		$valid = false;

		$userDao =& DAORegistry::getDAO('UserDAO');

		if ($implicitAuth) { // Implicit auth
			if (!Validation::isLoggedIn()) {
				PluginRegistry::loadCategory('implicitAuth');

				// Call the implicitAuth hook. It is expected to set $user (passed by
				// reference). $valid is set unconditionally afterwards, so the
				// disabled-account check below relies on the hook having populated $user.
				// NOTE(review): if no plugin sets $user the getDisabled() call below
				// would be on a null value — confirm the hook contract.
				HookRegistry::call('ImplicitAuthPlugin::implicitAuth', array(&$user));

				$valid=true;
			}
		} else { // Regular Auth
			$user =& $userDao->getByUsername($username, true);

			if (!isset($user)) {
				// User does not exist; $valid is still false
				return $valid;
			}

			if ($user->getAuthId()) {
				// Account is bound to an external authentication source
				$authDao =& DAORegistry::getDAO('AuthSourceDAO');
				$auth =& $authDao->getPlugin($user->getAuthId());
			}

			if (isset($auth)) {
				// Validate against remote authentication source
				$valid = $auth->authenticate($username, $password);

				if ($valid) {
					// Refresh profile data from the remote source, but keep the
					// old email if the new one would collide with another account.
					$oldEmail = $user->getEmail();
					$auth->doGetUserInfo($user);
					if ($user->getEmail() != $oldEmail) {
						// FIXME OJS requires email addresses to be unique; if changed email already exists, ignore
						if ($userDao->userExistsByEmail($user->getEmail())) {
							$user->setEmail($oldEmail);
						}
					}
				}
			} else {
				// Validate against OJS user database; $rehash is filled in when the
				// stored hash uses an outdated algorithm and the password matched.
				$valid = Validation::verifyPassword($username, $password, $user->getPassword(), $rehash);

				if ($valid && !empty($rehash)) {
					// update to new hashing algorithm (persisted by updateObject() below)
					$user->setPassword($rehash);
				}
			}
		}

		if (!$valid) {
			// Login credentials are invalid
			return $valid;

		} else {
			if ($user->getDisabled()) {
				// The user has been disabled: report the reason and refuse the login.
				$reason = $user->getDisabledReason();
				if ($reason === null) $reason = '';
				$valid = false;
				return $valid;
			}

			// The user is valid, mark user as logged in in current session
			$sessionManager =& SessionManager::getManager();

			// Regenerate session ID first, so the authenticated session never
			// keeps the identifier it had while anonymous (session fixation).
			$sessionManager->regenerateSessionId();

			$session =& $sessionManager->getUserSession();
			$session->setSessionVar('userId', $user->getId());
			$session->setUserId($user->getId());
			$session->setSessionVar('username', $user->getUsername());
			$session->setRemember($remember);

			if ($remember && Config::getVar('general', 'session_lifetime') > 0) {
				// Update session expiration time; session_lifetime is in days
				$sessionManager->updateSessionLifetime(time() + Config::getVar('general', 'session_lifetime') * 86400);
			}

			$user->setDateLastLogin(Core::getCurrentDate());
			$userDao->updateObject($user);

			return $user;
		}
	}

	/**
	 * Verify if the input password is correct.
	 *
	 * Three cases:
	 *  - LEGACY_ENCRYPTION set: only the legacy md5/sha1 scheme is compared.
	 *  - stored hash is not a current bcrypt hash (password_needs_rehash() is true):
	 *    the password is compared against the legacy scheme and, on match, a fresh
	 *    bcrypt hash is returned through $rehash so the caller can upgrade the record.
	 *  - otherwise: bcrypt verification via password_verify().
	 *
	 * NOTE(review): a bcrypt hash whose cost differs from the current default also
	 * satisfies password_needs_rehash() and is then only compared against the legacy
	 * digest, never with password_verify() — confirm this is the intended behaviour.
	 * NOTE(review): the legacy comparisons use `===`, which is not constant-time;
	 * hash_equals() would be preferable where the supported PHP version allows it.
	 *
	 * @param string $username the string username
	 * @param string $password the plaintext password
	 * @param string $hash the password hash from the database
	 * @param string &$rehash if password needs rehash, this variable receives the new hash
	 * @return boolean
	 */
	function verifyPassword($username, $password, $hash, &$rehash) {
		if (LEGACY_ENCRYPTION) {
			// BCRYPT not supported
			return $hash === Validation::encryptCredentials($username, $password, false, true);
		} else if (password_needs_rehash($hash, PASSWORD_BCRYPT)) {
			// Stored hash is not a current bcrypt hash: check it as a legacy digest
			$oldHash = Validation::encryptCredentials($username, $password, false, true);
			if ($oldHash === $hash) {
				// Password matched the legacy digest: hand back a bcrypt hash to store
				$rehash = Validation::encryptCredentials($username, $password);
				return true;
			}
		} else if (password_verify($password, $hash)) {
			return true;
		}

		return false;
	}

	/**
	 * Mark the user as logged out in the current session.
	 *
	 * Clears the user id and the 'signedInAs' marker from the session, drops the
	 * "remember me" lifetime if set, and persists the session record.
	 * NOTE(review): the session ID is not regenerated here (login() does);
	 * consider whether a fresh ID on logout is wanted.
	 *
	 * @return boolean always true
	 */
	function logout() {
		$sessionManager =& SessionManager::getManager();
		$session =& $sessionManager->getUserSession();
		$session->unsetSessionVar('userId');
		$session->unsetSessionVar('signedInAs');
		$session->setUserId(null);

		if ($session->getRemember()) {
			// Revert the extended lifetime granted by "remember me"
			$session->setRemember(0);
			$sessionManager->updateSessionLifetime(0);
		}

		$sessionDao =& DAORegistry::getDAO('SessionDAO');
		$sessionDao->updateObject($session);

		return true;
	}

	/**
	 * Redirect to the login page, appending the current URL as the source.
	 *
	 * The 'source' argument is taken verbatim from $_SERVER['REQUEST_URI'], which
	 * is client-controlled. NOTE(review): whatever consumes 'source' after login
	 * must restrict it to a local path to avoid an open redirect — not visible here.
	 *
	 * @param $message string Optional name of locale key to add to login page
	 */
	function redirectLogin($message = null) {
		$args = array();

		if (isset($_SERVER['REQUEST_URI'])) {
			$args['source'] = $_SERVER['REQUEST_URI'];
		}
		if ($message !== null) {
			$args['loginMessage'] = $message;
		}
		Request::redirect(null, 'login', null, null, $args);
	}

	/**
	 * Check if a user's credentials are valid.
	 *
	 * Same verification as login() (remote auth source or local hash) but without
	 * touching the session, and without the disabled-account check. A legacy local
	 * hash that matches is upgraded and saved immediately.
	 * NOTE(review): the second argument to getByUsername() is false here but true
	 * in login(); presumably it controls whether disabled users are returned —
	 * confirm against UserDAO.
	 *
	 * @param $username string username
	 * @param $password string unencrypted password
	 * @return boolean
	 */
	function checkCredentials($username, $password) {
		$userDao =& DAORegistry::getDAO('UserDAO');
		$user =& $userDao->getByUsername($username, false);

		$valid = false;
		if (isset($user)) {
			if ($user->getAuthId()) {
				$authDao =& DAORegistry::getDAO('AuthSourceDAO');
				$auth =& $authDao->getPlugin($user->getAuthId());
			}

			if (isset($auth)) {
				// Delegate to the remote authentication source
				$valid = $auth->authenticate($username, $password);
			} else {
				// Validate against OJS user database
				$valid = Validation::verifyPassword($username, $password, $user->getPassword(), $rehash);

				if ($valid && !empty($rehash)) {
					// update to new hashing algorithm
					$user->setPassword($rehash);

					// save new password hash to database
					$userDao->updateObject($user);
				}
			}
		}

		return $valid;
	}

	/**
	 * Check if a user is authorized to access the specified role in the specified journal.
	 *
	 * Returns false for anonymous sessions. A $journalId of -1 means "the journal
	 * of the current request" (0 if the request has none); 0 is the site-wide scope
	 * (e.g. for the site admin role).
	 *
	 * @param $roleId int
	 * @param $journalId optional (e.g., for global site admin role), the ID of the journal
	 * @return boolean
	 */
	function isAuthorized($roleId, $journalId = 0) {
		if (!Validation::isLoggedIn()) {
			return false;
		}

		if ($journalId === -1) {
			// Get journal ID from request
			$journal =& Request::getJournal();
			$journalId = $journal == null ? 0 : $journal->getId();
		}

		$sessionManager =& SessionManager::getManager();
		$session =& $sessionManager->getUserSession();
		$user =& $session->getUser();

		$roleDao =& DAORegistry::getDAO('RoleDAO');
		return $roleDao->userHasRole($journalId, $user->getId(), $roleId);
	}

	/**
	 * Encrypt user passwords for database storage.
	 *
	 * Legacy mode ($legacy or LEGACY_ENCRYPTION): returns an unsalted md5 or sha1
	 * digest of username . password. The username prefix only makes identical
	 * passwords hash differently per account; it is not a random salt, and both
	 * digests are fast, so this mode is kept only for verifying old records.
	 * Otherwise: bcrypt via password_hash(), which generates its own random salt;
	 * $username and $encryption are ignored on that path.
	 *
	 * @param $username string username (kept for backwards compatibility)
	 * @param $password string unencrypted password
	 * @param $encryption string optional legacy algorithm ('sha1' or 'md5'), defaulting to the value from the site configuration
	 * @param $legacy boolean if true, use legacy hashing technique for backwards compatibility
	 * @return string encrypted password
	 */
	function encryptCredentials($username, $password, $encryption = false, $legacy = LEGACY_ENCRYPTION) {
		if ($legacy || LEGACY_ENCRYPTION) {
			$valueToEncrypt = $username . $password;

			if ($encryption == false) {
				$encryption = Config::getVar('security', 'encryption');
			}

			switch ($encryption) {
				case 'sha1':
					if (function_exists('sha1')) {
						return sha1($valueToEncrypt);
					}
					// intentional fall-through to md5 when sha1() is unavailable
				case 'md5':
				default:
					return md5($valueToEncrypt);
			}
		} else {
			return password_hash($password, PASSWORD_BCRYPT);
		}
	}

	/**
	 * Generate a random password.
	 *
	 * The alphabet omits visually ambiguous characters (l, o, I, O, 0, 1). Each
	 * position has a 1-in-4 chance of being a digit, otherwise a letter.
	 * Assumes the random number generator has already been seeded.
	 * NOTE(review): mt_rand() is not a cryptographically secure generator; where
	 * the supported PHP version allows it, random_int() should be used for
	 * password material.
	 *
	 * @param $length int the length of the password to generate (default 8)
	 * @return string
	 */
	function generatePassword($length = 8) {
		$letters = 'abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ';
		$numbers = '23456789';

		$password = "";
		for ($i=0; $i<$length; $i++) {
			$password .= mt_rand(1, 4) == 4 ? $numbers[mt_rand(0,strlen($numbers)-1)] : $letters[mt_rand(0, strlen($letters)-1)];
		}
		return $password;
	}

	/**
	 * Generate a hash value to use for confirmation to reset a password.
	 *
	 * The payload is username . password hash . last-login timestamp . $diff, keyed
	 * with the 'security.salt' config value. Because the stored password hash is
	 * part of the payload the value stops matching once the password changes; and
	 * because $diff is derived from the current hour the value also changes on
	 * every hour boundary, giving a coarse built-in expiry.
	 * NOTE(review): the consumer is presumably expected to recompute this and
	 * compare — confirm it uses a constant-time comparison.
	 *
	 * @param $userId int
	 * @return string (boolean false if user is invalid)
	 */
	function generatePasswordResetHash($userId) {
		$userDao =& DAORegistry::getDAO('UserDAO');
		if (($user = $userDao->getUser($userId)) == null) {
			// No such user
			return false;
		}

		// create hash payload
		$salt = Config::getVar('security', 'salt');

		// use last login time to create a basic expiry coefficient:
		// round "now" down to the hour, add two hours, count whole hours since last login
		$lastLogin = strtotime($user->getDateLastLogin());
		$time = time();
		$normalised = ($time - ($time % 3600)) + 7200;
		$diff = floor(($normalised - $lastLogin) / 3600);

		$data = $user->getUsername() . $user->getPassword() . $lastLogin . $diff;

		switch (true) {
			case function_exists('hash_hmac'):
				// always use HMAC SHA256 if available
				return hash_hmac('sha256', $data, $salt);
			case function_exists('sha1'); // note: ';' is a valid case terminator in PHP
				// use SHA1 if HMAC not available
				return sha1($data . $salt);
			default:
				// fallback to MD5
				return md5($data . $salt);
		}
	}

	/**
	 * Suggest a username given the first and last names.
	 *
	 * Builds first-initial + last name, lower-cased and stripped to [a-zA-Z0-9_-],
	 * then appends the smallest numeric suffix (none, 1, 2, ...) that is not yet
	 * taken. $i starts as '' so the first candidate has no suffix; PHP's string
	 * increment turns '' into '1' and counts up from there.
	 *
	 * @param $firstName string
	 * @param $lastName string
	 * @return string
	 */
	function suggestUsername($firstName, $lastName) {
		$initial = String::substr($firstName, 0, 1);

		$suggestion = String::regexp_replace('/[^a-zA-Z0-9_-]/', '', String::strtolower($initial . $lastName));
		$userDao =& DAORegistry::getDAO('UserDAO');
		for ($i = ''; $userDao->userExistsByUsername($suggestion . $i); $i++);
		return $suggestion . $i;
	}

	/**
	 * Check if a user is logged in in the current session.
	 *
	 * True when the session carries a non-empty user id.
	 *
	 * @return boolean
	 */
	function isLoggedIn() {
		$sessionManager =& SessionManager::getManager();
		$session =& $sessionManager->getUserSession();

		$userId = $session->getUserId();
		return isset($userId) && !empty($userId);
	}

	/**
	 * Shortcut for checking authorization as site admin.
	 * Site admin is a site-wide role, so no journal id is passed (defaults to 0).
	 * @return boolean
	 */
	function isSiteAdmin() {
		return Validation::isAuthorized(ROLE_ID_SITE_ADMIN);
	}

	/**
	 * Shortcut for checking authorization as journal manager.
	 * @param $journalId int defaults to -1 (journal of the current request)
	 * @return boolean
	 */
	function isJournalManager($journalId = -1) {
		return Validation::isAuthorized(ROLE_ID_JOURNAL_MANAGER, $journalId);
	}

	/**
	 * Shortcut for checking authorization as editor.
	 * @param $journalId int defaults to -1 (journal of the current request)
	 * @return boolean
	 */
	function isEditor($journalId = -1) {
		return Validation::isAuthorized(ROLE_ID_EDITOR, $journalId);
	}

	/**
	 * Shortcut for checking authorization as section editor.
	 * @param $journalId int defaults to -1 (journal of the current request)
	 * @return boolean
	 */
	function isSectionEditor($journalId = -1) {
		return Validation::isAuthorized(ROLE_ID_SECTION_EDITOR, $journalId);
	}

	/**
	 * Shortcut for checking authorization as layout editor.
	 * @param $journalId int defaults to -1 (journal of the current request)
	 * @return boolean
	 */
	function isLayoutEditor($journalId = -1) {
		return Validation::isAuthorized(ROLE_ID_LAYOUT_EDITOR, $journalId);
	}

	/**
	 * Shortcut for checking authorization as reviewer.
	 * @param $journalId int defaults to -1 (journal of the current request)
	 * @return boolean
	 */
	function isReviewer($journalId = -1) {
		return Validation::isAuthorized(ROLE_ID_REVIEWER, $journalId);
	}

	/**
	 * Shortcut for checking authorization as copyeditor.
	 * @param $journalId int defaults to -1 (journal of the current request)
	 * @return boolean
	 */
	function isCopyeditor($journalId = -1) {
		return Validation::isAuthorized(ROLE_ID_COPYEDITOR, $journalId);
	}

	/**
	 * Shortcut for checking authorization as proofreader.
	 * @param $journalId int defaults to -1 (journal of the current request)
	 * @return boolean
	 */
	function isProofreader($journalId = -1) {
		return Validation::isAuthorized(ROLE_ID_PROOFREADER, $journalId);
	}

	/**
	 * Shortcut for checking authorization as author.
	 * @param $journalId int defaults to -1 (journal of the current request)
	 * @return boolean
	 */
	function isAuthor($journalId = -1) {
		return Validation::isAuthorized(ROLE_ID_AUTHOR, $journalId);
	}

	/**
	 * Shortcut for checking authorization as reader.
	 * @param $journalId int defaults to -1 (journal of the current request)
	 * @return boolean
	 */
	function isReader($journalId = -1) {
		return Validation::isAuthorized(ROLE_ID_READER, $journalId);
	}

	/**
	 * Shortcut for checking authorization as subscription manager.
	 * @param $journalId int defaults to -1 (journal of the current request)
	 * @return boolean
	 */
	function isSubscriptionManager($journalId = -1) {
		return Validation::isAuthorized(ROLE_ID_SUBSCRIPTION_MANAGER, $journalId);
	}

	/**
	 * Check whether the current user is allowed to administer another user.
	 *
	 * Site admins may administer anyone. A journal manager of $journalId may
	 * administer $userId only if the target is not a site admin and holds no role
	 * in a journal the current user does not also manage — otherwise the manager
	 * could gain control of an account with privileges outside their own journal.
	 *
	 * @param $journalId int
	 * @param $userId int the user to be administered
	 * @return boolean
	 */
	function canAdminister($journalId, $userId) {
		if (Validation::isSiteAdmin()) return true;
		if (!Validation::isJournalManager($journalId)) return false;

		// Check for roles in other journals that this user
		// doesn't have administrative rights over.
		$roleDao =& DAORegistry::getDAO('RoleDAO');
		$roles =& $roleDao->getRolesByUserId($userId);
		foreach ($roles as $role) {
			// Never let a journal manager administer a site admin
			if ($role->getRoleId() == ROLE_ID_SITE_ADMIN) return false;
			if (
				$role->getJournalId() != $journalId &&
				!Validation::isJournalManager($role->getJournalId())
			) return false;
		}

		// There were no conflicting roles.
		return true;
	}
}

?>
