Webylon 3.1 API Docs
  1 <?php
  2 /**
  3  * Provides an interface to HTTP basic authentication.
  4  * 
  5  * This utility class can be used to secure any request with basic authentication.  To do so,
  6  * {@link BasicAuth::requireLogin()} from your Controller's init() method or action handler method.
  7  * 
  8  * It also has a function to protect your entire site.  See {@link BasicAuth::protect_entire_site()}
  9  * for more information.
 10  * 
 11  * @package sapphire
 12  * @subpackage security
 13  */
 14 class BasicAuth {
 15     /**
 16      * Flag set by {@link self::protect_entire_site()}
 17      */
 18     private static $entire_site_protected = false;
 19 
 20     /**
 21      * Require basic authentication.  Will request a username and password if none is given.
 22      * 
 23      * Used by {@link Controller::init()}.
 24      * 
 25      * @param string $realm
 26      * @param string|array $permissionCode
 27      * @return Member $member 
 28      */
 29     static function requireLogin($realm, $permissionCode) {
 30         if(!Security::database_is_ready() || Director::is_cli()) return true;
 31         $authenticated = false;
 32         
 33         if(isset($_SERVER['PHP_AUTH_USER']) && isset($_SERVER['PHP_AUTH_PW'])) {
 34             $member = MemberAuthenticator::authenticate(array(
 35                 'Email' => $_SERVER['PHP_AUTH_USER'], 
 36                 'Password' => $_SERVER['PHP_AUTH_PW'],
 37             ), null);
 38 
 39             if (!$member) $member = Member::currentUser(); // fallback if MemberAuthenticator not return a mamber object
 40             if($member) $authenticated = true;
 41         }
 42         
 43         // If we've failed the authentication mechanism, then show the login form
 44         if(!$authenticated) {
 45             header("WWW-Authenticate: Basic realm=\"$realm\"");
 46             header($_SERVER['SERVER_PROTOCOL'] . ' 401 Unauthorized');
 47 
 48             if(isset($_SERVER['PHP_AUTH_USER'])) {
 49                 echo _t('BasicAuth.ERRORNOTREC', "That username / password isn't recognised");
 50             } else {
 51                 echo _t('BasicAuth.ENTERINFO', "Please enter a username and password.");
 52             }
 53             
 54             die();
 55         }
 56         
 57         if(!Permission::checkMember($member->ID, $permissionCode)) {
 58             header("WWW-Authenticate: Basic realm=\"$realm\"");
 59             header($_SERVER['SERVER_PROTOCOL'] . ' 401 Unauthorized');
 60 
 61             if(isset($_SERVER['PHP_AUTH_USER'])) {
 62                 echo _t('BasicAuth.ERRORNOTADMIN', "That user is not an administrator.");
 63             }
 64             
 65             die();
 66         }
 67         
 68         return $member;
 69     }
 70         
 71     /**
 72      * Enable protection of the entire site with basic authentication.
 73      * 
 74      * This log-in uses the Member database for authentication, but doesn't interfere with the
 75      * regular log-in form. This can be useful for test sites, where you want to hide the site
 76      * away from prying eyes, but still be able to test the regular log-in features of the site.
 77      * 
 78      * If you are including conf/ConfigureFromEnv.php in your _config.php file, you can also enable
 79      * this feature by adding this line to your _ss_environment.php:
 80      * 
 81      * define('SS_USE_BASIC_AUTH', true);
 82      * 
 83      * @param $protect Set this to false to disable protection.
 84      */
 85     static function protect_entire_site($protect = true) {
 86         return self::$entire_site_protected = $protect;
 87     }
 88     
 89     /**
 90      * @deprecated Use BasicAuth::protect_entire_site() instead.
 91      */
 92     static function enable() {
 93         user_error("BasicAuth::enable() is deprecated.  Use BasicAuth::protect_entire_site() instead.", E_USER_NOTICE);
 94         return self::protect_entire_site();
 95     }
 96 
 97     /**
 98      * @deprecated Use BasicAuth::protect_entire_site(false) instead.
 99      */
100     static function disable() {
101         user_error("BasicAuth::disable() is deprecated.  Use BasicAuth::protect_entire_site(false) instead.", E_USER_NOTICE);
102         return self::protect_entire_site(false);
103     }
104 
105     /**
106      * Call {@link BasicAuth::requireLogin()} if {@link BasicAuth::protect_entire_site()} has been called.
107      * This is a helper function used by Controller.
108      */
109     static function protect_site_if_necessary() {
110         if(self::$entire_site_protected) {
111             self::requireLogin("SilverStripe test website. Use your CMS login.", "ADMIN");
112         }
113     }
114 
115 }