Last partial fix for ticket 585: Compartmentalize the admin area and require active authentication every 20 minutes to access the admin area.

Also renaming auth::validate_too_many_failed_password_changes to validate_too_many_failed_auth_attempts since it's used in this generalized way in 3 places now.

6 files changed, 118 insertions, 7 deletions

diff --git a/modules/gallery/controllers/admin.php b/modules/gallery/controllers/admin.php
index e4216991..b5f3db39 100644
--- a/modules/gallery/controllers/admin.php
+++ b/modules/gallery/controllers/admin.php
@@ -21,7 +21,7 @@ class Admin_Controller extends Controller {
   private $theme;
 
   public function __construct($theme=null) {
-    if (!(identity::active_user()->admin)) {
+    if (!identity::active_user()->admin) {
       access::forbidden();
     }
 
@@ -29,6 +29,10 @@ class Admin_Controller extends Controller {
   }
 
   public function __call($controller_name, $args) {
+    if (auth::must_reauth_for_admin_area()) {
+      return url::redirect("reauthenticate");
+    }
+
     if (request::method() == "post") {
       access::verify_csrf();
     }
diff --git a/modules/gallery/controllers/reauthenticate.php b/modules/gallery/controllers/reauthenticate.php
new file mode 100644
index 00000000..4b88a9cc
--- /dev/null
+++ b/modules/gallery/controllers/reauthenticate.php
@@ -0,0 +1,72 @@
+<?php defined("SYSPATH") or die("No direct script access.");
+/**
+ * Gallery - a web based photo album viewer and editor
+ * Copyright (C) 2000-2009 Bharat Mediratta
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or (at
+ * your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA  02110-1301, USA.
+ */
+class Reauthenticate_Controller extends Controller {
+  public function index($share_translations_form=null) {
+    if (!identity::active_user()->admin) {
+      access::forbidden();
+    }
+    return self::_show_form(self::_form());
+  }
+
+  public function auth() {
+    if (!identity::active_user()->admin) {
+      access::forbidden();
+    }
+    access::verify_csrf();
+
+    $form = self::_form();
+    $valid = $form->validate();
+    $user = identity::active_user();
+    if ($valid) {
+      message::success(t("Successfully re-authenticated!"));
+      module::event("user_auth", $user);
+      url::redirect("admin");
+    } else {
+      $name = $user->name;
+      log::warning("user", t("Failed re-authentication for %name", array("name" => $name)));
+      module::event("user_auth_failed", $name);
+      return self::_show_form($form);
+    }
+  }
+
+  private static function _show_form($form) {
+    $view = new Theme_View("page.html", "other", "reauthenticate");
+    $view->page_title = t("Re-authenticate");
+    $view->content = new View("reauthenticate.html");
+    $view->content->form = $form;
+    $view->content->user_name = identity::active_user()->name;
+    print $view;
+  }
+
+  private static function _form() {
+    $form = new Forge("reauthenticate/auth", "", "post", array("id" => "g-reauthenticate-form"));
+    $form->set_attr('class', "g-narrow");
+    $group = $form->group("reauthenticate")->label(t("Re-authenticate"));
+    $group->password("password")->label(t("Password"))->id("g-password")->class(null)
+      ->callback("auth::validate_too_many_failed_auth_attempts")
+      ->callback("user::valid_password")
+      ->error_messages("invalid", t("Incorrect password"))
+      ->error_messages(
+        "too_many_failed_auth_attempts",
+        t("Too many incorrect passwords.  Try again later"));
+    $group->submit("")->value(t("Submit"));
+    return $form;
+  }
+}
diff --git a/modules/gallery/helpers/auth.php b/modules/gallery/helpers/auth.php
index 2c1e3f67..c3e9e6e9 100644
--- a/modules/gallery/helpers/auth.php
+++ b/modules/gallery/helpers/auth.php
@@ -78,9 +78,9 @@ class auth_Core {
     }
   }
 
-  static function validate_too_many_failed_password_changes($password_input) {
+  static function validate_too_many_failed_auth_attempts($form_input) {
     if (self::too_many_failures(identity::active_user()->name)) {
-      $password_input->add_error("too_many_failed_password_changes", 1);
+      $form_input->add_error("too_many_failed_auth_attempts", 1);
     }
   }
 
@@ -107,4 +107,27 @@ class auth_Core {
       ->where("name", "=", $user->name)
       ->delete_all();
   }
+
+  /**
+   * Checks whether the current user (= admin) must
+   * actively re-authenticate before access is given
+   * to the admin area.
+   */
+  static function must_reauth_for_admin_area() {
+    if (!identity::active_user()->admin) {
+      access::forbidden();
+    }
+
+    $session = Session::instance();
+    $last_active_auth = $session->get("active_auth_timestamp", 0);
+    $last_admin_area_activity = $session->get("admin_area_activity_timestamp", 0);
+    $admin_area_timeout = module::get_var("gallery", "admin_area_timeout");
+
+    if (max($last_active_auth, $last_admin_area_activity) + $admin_area_timeout < time()) {
+      return true;
+    }
+
+    $session->set("admin_area_activity_timestamp", time());
+    return false;
+  }
 }
\ No newline at end of file
diff --git a/modules/gallery/helpers/gallery_event.php b/modules/gallery/helpers/gallery_event.php
index 5fa82160..63f33c12 100644
--- a/modules/gallery/helpers/gallery_event.php
+++ b/modules/gallery/helpers/gallery_event.php
@@ -110,6 +110,7 @@ class gallery_event_Core {
       graphics::choose_default_toolkit();
       module::clear_var("gallery", "choose_default_tookit");
     }
+    Session::instance()->set("active_auth_timestamp", time());
     auth::clear_failed_attempts($user);
   }
 
@@ -119,6 +120,7 @@ class gallery_event_Core {
 
   static function user_auth($user) {
     auth::clear_failed_attempts($user);
+    Session::instance()->set("active_auth_timestamp", time());
   }
 
   static function item_index_data($item, $data) {
diff --git a/modules/gallery/views/reauthenticate.html.php b/modules/gallery/views/reauthenticate.html.php
new file mode 100644
index 00000000..8611d0f7
--- /dev/null
+++ b/modules/gallery/views/reauthenticate.html.php
@@ -0,0 +1,10 @@
+<?php defined("SYSPATH") or die("No direct script access.") ?>
+<div>
+  <p>
+    <?= t("The administration session has expired, please re-authenticate to access the administration area.") ?>
+  </p>
+  <p>
+    <?= t("You are currently logged in as %user_name.", array("user_name" => $user_name)) ?>
+  </p>
+  <?= $form ?>
+</div>
\ No newline at end of file
diff --git a/modules/user/controllers/users.php b/modules/user/controllers/users.php
index 1130852b..0730f391 100644
--- a/modules/user/controllers/users.php
+++ b/modules/user/controllers/users.php
@@ -164,11 +164,11 @@ class Users_Controller extends Controller {
       "users/change_password/$user->id", "", "post", array("id" => "g-change-password-user-form"));
     $group = $form->group("change_password")->label(t("Change your password"));
     $group->password("old_password")->label(t("Old password"))->id("g-password")
-      ->callback("auth::validate_too_many_failed_password_changes")
+      ->callback("auth::validate_too_many_failed_auth_attempts")
       ->callback("user::valid_password")
       ->error_messages("invalid", t("Incorrect password"))
       ->error_messages(
-        "too_many_failed_password_changes",
+        "too_many_failed_auth_attempts",
         t("Too many incorrect passwords.  Try again later"));
     $group->password("password")->label(t("New password"))->id("g-password")
       ->error_messages("min_length", t("Your new password is too short"));
@@ -189,11 +189,11 @@ class Users_Controller extends Controller {
       "users/change_email/$user->id", "", "post", array("id" => "g-change-email-user-form"));
     $group = $form->group("change_email")->label(t("Change your email address"));
     $group->password("password")->label(t("Current password"))->id("g-password")
-      ->callback("auth::validate_too_many_failed_password_changes")
+      ->callback("auth::validate_too_many_failed_auth_attempts")
       ->callback("user::valid_password")
       ->error_messages("invalid", t("Incorrect password"))
       ->error_messages(
-        "too_many_failed_password_changes",
+        "too_many_failed_auth_attempts",
         t("Too many incorrect passwords.  Try again later"));
     $group->input("email")->label(t("New email address"))->id("g-email")->value($user->email)
       ->error_messages("email", t("You must enter a valid email address"))