class.dc.auth.php @ 1179:a43a29427ef3

Visit:

Revision 1179:a43a29427ef3, 14.6 KB checked in by franck <carnet.franck.paul@…>, 12 years ago (diff)
Update copyright notice

Rev	Line
[0]	1	<?php
	2	# -- BEGIN LICENSE BLOCK ---------------------------------------
	3	#
	4	# This file is part of Dotclear 2.
	5	#
[1179]	6	# Copyright (c) 2003-2013 Olivier Meunier & Association Dotclear
[0]	7	# Licensed under the GPL version 2.0 license.
	8	# See LICENSE file or
	9	# http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
	10	#
	11	# -- END LICENSE BLOCK -----------------------------------------
	12	if (!defined('DC_RC_PATH')) { return; }
	13
	14	/**
[333]	15	* @ingroup DC_CORE
	16	* @nosubgrouping
	17	* @brief Authentication and user credentials management
	18	*
	19	* dcAuth is a class used to handle everything related to user authentication
	20	* and credentials. Object is provided by dcCore $auth property.
[0]	21	*/
	22	class dcAuth
	23	{
[333]	24	/** @var dcCore dcCore instance */
	25	protected $core;
	26	/** @var connection Database connection object */
	27	protected $con;
[0]	28
[333]	29	/** @var string User table name */
	30	protected $user_table;
	31	/** @var string Perm table name */
	32	protected $perm_table;
[0]	33
[333]	34	/** @var string Current user ID */
	35	protected $user_id;
	36	/** @var array Array with user information */
	37	protected $user_info = array();
	38	/** @var array Array with user options */
	39	protected $user_options = array();
	40	/** @var boolean User must change his password after login */
	41	protected $user_change_pwd;
	42	/** @var boolean User is super admin */
	43	protected $user_admin;
	44	/** @var array Permissions for each blog */
	45	protected $permissions = array();
	46	/** @var boolean User can change its password */
	47	protected $allow_pass_change = true;
	48	/** @var array List of blogs on which the user has permissions */
	49	protected $blogs = array();
	50	/** @var integer Count of user blogs */
	51	public $blog_count = null;
[0]	52
[333]	53	/** @var array Permission types */
	54	protected $perm_types;
[0]	55
[333]	56	/** @var dcPrefs dcPrefs object */
	57	public $user_prefs;
[3]	58
[0]	59	/**
[333]	60	* Class constructor. Takes dcCore object as single argument.
	61	*
	62	* @param dcCore $core dcCore object
[0]	63	*/
	64	public function __construct($core)
	65	{
	66	$this->core =& $core;
	67	$this->con =& $core->con;
	68	$this->blog_table = $core->prefix.'blog';
	69	$this->user_table = $core->prefix.'user';
	70	$this->perm_table = $core->prefix.'permissions';
	71
	72	$this->perm_types = array(
	73	'admin' => __('administrator'),
	74	'usage' => __('manage their own entries and comments'),
	75	'publish' => __('publish entries and comments'),
	76	'delete' => __('delete entries and comments'),
	77	'contentadmin' => __('manage all entries and comments'),
	78	'categories' => __('manage categories'),
	79	'media' => __('manage their own media items'),
	80	'media_admin' => __('manage all media items')
	81	);
	82	}
	83
	84	/// @name Credentials and user permissions
	85	//@{
	86	/**
[333]	87	* Checks if user exists and can log in. <var>$pwd</var> argument is optionnal
	88	* while you may need to check user without password. This method will create
	89	* credentials and populate all needed object properties.
	90	*
	91	* @param string $user_id User ID
	92	* @param string $pwd User password
	93	* @param string $user_key User key check
	94	* @param boolean $check_blog checks if user is associated to a blog or not.
	95	* @return boolean
[0]	96	*/
[312]	97	public function checkUser($user_id, $pwd=null, $user_key=null, $check_blog=true)
[0]	98	{
	99	# Check user and password
	100	$strReq = 'SELECT user_id, user_super, user_pwd, user_change_pwd, '.
	101	'user_name, user_firstname, user_displayname, user_email, '.
	102	'user_url, user_default_blog, user_options, '.
	103	'user_lang, user_tz, user_post_status, user_creadt, user_upddt '.
	104	'FROM '.$this->con->escapeSystem($this->user_table).' '.
	105	"WHERE user_id = '".$this->con->escape($user_id)."' ";
	106
	107	try {
	108	$rs = $this->con->select($strReq);
	109	} catch (Exception $e) {
	110	$err = $e->getMessage();
	111	return false;
	112	}
	113
	114	if ($rs->isEmpty()) {
	115	return false;
	116	}
	117
	118	$rs->extend('rsExtUser');
	119
	120	if ($pwd != '')
	121	{
	122	if (crypt::hmac(DC_MASTER_KEY,$pwd) != $rs->user_pwd) {
	123	sleep(rand(2,5));
	124	return false;
	125	}
	126	}
	127	elseif ($user_key != '')
	128	{
	129	if (http::browserUID(DC_MASTER_KEY.$rs->user_id.$rs->user_pwd) != $user_key) {
	130	return false;
	131	}
	132	}
	133
	134	$this->user_id = $rs->user_id;
	135	$this->user_change_pwd = (boolean) $rs->user_change_pwd;
	136	$this->user_admin = (boolean) $rs->user_super;
	137
	138	$this->user_info['user_pwd'] = $rs->user_pwd;
	139	$this->user_info['user_name'] = $rs->user_name;
	140	$this->user_info['user_firstname'] = $rs->user_firstname;
	141	$this->user_info['user_displayname'] = $rs->user_displayname;
	142	$this->user_info['user_email'] = $rs->user_email;
	143	$this->user_info['user_url'] = $rs->user_url;
	144	$this->user_info['user_default_blog'] = $rs->user_default_blog;
	145	$this->user_info['user_lang'] = $rs->user_lang;
	146	$this->user_info['user_tz'] = $rs->user_tz;
	147	$this->user_info['user_post_status'] = $rs->user_post_status;
	148	$this->user_info['user_creadt'] = $rs->user_creadt;
	149	$this->user_info['user_upddt'] = $rs->user_upddt;
	150
	151	$this->user_info['user_cn'] = dcUtils::getUserCN($rs->user_id, $rs->user_name,
	152	$rs->user_firstname, $rs->user_displayname);
	153
	154	$this->user_options = array_merge($this->core->userDefaults(),$rs->options());
	155
[3]	156	$this->user_prefs = new dcPrefs($this->core,$this->user_id);
	157
[0]	158	# Get permissions on blogs
[312]	159	if ($check_blog && ($this->findUserBlog() === false)) {
[0]	160	return false;
	161	}
	162	return true;
	163	}
	164
	165	/**
[333]	166	* This method only check current user password.
	167	*
	168	* @param string $pwd User password
	169	* @return boolean
[0]	170	*/
	171	public function checkPassword($pwd)
	172	{
	173	if (!empty($this->user_info['user_pwd'])) {
	174	return $pwd == $this->user_info['user_pwd'];
	175	}
	176
	177	return false;
	178	}
	179
	180	/**
[333]	181	* This method checks if user session cookie exists
	182	*
	183	* @return boolean
[0]	184	*/
	185	public function sessionExists()
	186	{
	187	return isset($_COOKIE[DC_SESSION_NAME]);
	188	}
	189
	190	/**
[333]	191	* This method checks user session validity.
	192	*
	193	* @return boolean
[0]	194	*/
	195	public function checkSession($uid=null)
	196	{
	197	$this->core->session->start();
	198
	199	# If session does not exist, logout.
	200	if (!isset($_SESSION['sess_user_id'])) {
	201	$this->core->session->destroy();
	202	return false;
	203	}
	204
	205	# Check here for user and IP address
	206	$this->checkUser($_SESSION['sess_user_id']);
	207	$uid = $uid ? $uid : http::browserUID(DC_MASTER_KEY);
	208
	209	$user_can_log = $this->userID() !== null && $uid == $_SESSION['sess_browser_uid'];
	210
	211	if (!$user_can_log) {
	212	$this->core->session->destroy();
	213	return false;
	214	}
	215
	216	return true;
	217	}
	218
	219	/**
	220	* Checks if user must change his password in order to login.
	221	*
	222	* @return boolean
	223	*/
	224	public function mustChangePassword()
	225	{
	226	return $this->user_change_pwd;
	227	}
	228
	229	/**
[333]	230	* Checks if user is super admin
	231	*
	232	* @return boolean
[0]	233	*/
	234	public function isSuperAdmin()
	235	{
	236	return $this->user_admin;
	237	}
	238
	239	/**
[333]	240	* Checks if user has permissions given in <var>$permissions</var> for blog
	241	* <var>$blog_id</var>. <var>$permissions</var> is a coma separated list of
	242	* permissions.
	243	*
	244	* @param string $permissions Permissions list
	245	* @param string $blog_id Blog ID
	246	* @return boolean
[0]	247	*/
	248	public function check($permissions,$blog_id)
	249	{
	250	if ($this->user_admin) {
	251	return true;
	252	}
	253
	254	$p = explode(',',$permissions);
	255	$b = $this->getPermissions($blog_id);
	256
	257	if ($b != false)
	258	{
	259	if (isset($b['admin'])) {
	260	return true;
	261	}
	262
	263	foreach ($p as $v)
	264	{
	265	if (isset($b[$v])) {
	266	return true;
	267	}
	268	}
	269	}
	270
	271	return false;
	272	}
	273
	274	/**
[333]	275	* Returns true if user is allowed to change its password.
	276	*
	277	* @return boolean
[0]	278	*/
	279	public function allowPassChange()
	280	{
	281	return $this->allow_pass_change;
	282	}
	283	//@}
	284
	285	/// @name User code handlers
	286	//@{
	287	public function getUserCode()
	288	{
	289	$code =
	290	pack('a32',$this->userID()).
	291	pack('H*',crypt::hmac(DC_MASTER_KEY,$this->getInfo('user_pwd')));
	292	return bin2hex($code);
	293	}
	294
	295	public function checkUserCode($code)
	296	{
	297	$code = @pack('H*',$code);
	298
	299	$user_id = trim(@pack('a32',substr($code,0,32)));
	300	$pwd = @unpack('H40hex',substr($code,32,40));
	301
	302	if ($user_id === false \|\| $pwd === false) {
	303	return false;
	304	}
	305
	306	$pwd = $pwd['hex'];
	307
	308	$strReq = 'SELECT user_id, user_pwd '.
	309	'FROM '.$this->user_table.' '.
	310	"WHERE user_id = '".$this->con->escape($user_id)."' ";
	311
	312	$rs = $this->con->select($strReq);
	313
	314	if ($rs->isEmpty()) {
	315	return false;
	316	}
	317
	318	if (crypt::hmac(DC_MASTER_KEY,$rs->user_pwd) != $pwd) {
	319	return false;
	320	}
	321
	322	return $rs->user_id;
	323	}
	324	//@}
	325
	326
	327	/// @name Sudo
	328	//@{
	329	/**
[333]	330	* Calls $f function with super admin rights.
	331	* Returns the function result.
	332	*
	333	* @param callback $f Callback function
	334	* @return mixed
[0]	335	*/
	336	public function sudo($f)
	337	{
	338	if (!is_callable($f)) {
	339	throw new Exception($f.' function doest not exist');
	340	}
	341
	342	$args = func_get_args();
	343	array_shift($args);
	344
	345	if ($this->user_admin) {
	346	$res = call_user_func_array($f,$args);
	347	} else {
	348	$this->user_admin = true;
	349	try {
	350	$res = call_user_func_array($f,$args);
	351	$this->user_admin = false;
	352	} catch (Exception $e) {
	353	$this->user_admin = false;
	354	throw $e;
	355	}
	356	}
	357
	358	return $res;
	359	}
	360	//@}
	361
	362	/// @name User information and options
	363	//@{
	364	/**
[333]	365	* Returns user permissions for a blog as an array which looks like:
	366	*
	367	* - [blog_id]
	368	* - [permission] => true
	369	* - ...
	370	*
	371	* @param string $blog_id Blog ID
	372	* @return array
[0]	373	*/
	374	public function getPermissions($blog_id)
	375	{
	376	if (isset($this->blogs[$blog_id])) {
	377	return $this->blogs[$blog_id];
	378	}
	379
	380	if ($this->blog_count === null) {
	381	$this->blog_count = $this->core->getBlogs(array(),true)->f(0);
	382	}
	383
	384	if ($this->user_admin) {
	385	$strReq = 'SELECT blog_id '.
	386	'from '.$this->blog_table.' '.
	387	"WHERE blog_id = '".$this->con->escape($blog_id)."' ";
	388	$rs = $this->con->select($strReq);
	389
	390	$this->blogs[$blog_id] = $rs->isEmpty() ? false : array('admin' => true);
	391
	392	return $this->blogs[$blog_id];
	393	}
	394
	395	$strReq = 'SELECT permissions '.
	396	'FROM '.$this->perm_table.' '.
	397	"WHERE user_id = '".$this->con->escape($this->user_id)."' ".
	398	"AND blog_id = '".$this->con->escape($blog_id)."' ".
	399	"AND (permissions LIKE '%\|usage\|%' OR permissions LIKE '%\|admin\|%' OR permissions LIKE '%\|contentadmin\|%') ";
	400	$rs = $this->con->select($strReq);
	401
	402	$this->blogs[$blog_id] = $rs->isEmpty() ? false : $this->parsePermissions($rs->permissions);
	403
	404	return $this->blogs[$blog_id];
	405	}
	406
	407	public function findUserBlog($blog_id=null)
	408	{
	409	if ($blog_id && $this->getPermissions($blog_id) !== false)
	410	{
	411	return $blog_id;
	412	}
	413	else
	414	{
	415	if ($this->user_admin)
	416	{
	417	$strReq = 'SELECT blog_id '.
	418	'FROM '.$this->blog_table.' '.
	419	'ORDER BY blog_id ASC '.
	420	$this->con->limit(1);
	421	}
	422	else
	423	{
	424	$strReq = 'SELECT blog_id '.
	425	'FROM '.$this->perm_table.' '.
	426	"WHERE user_id = '".$this->con->escape($this->user_id)."' ".
	427	"AND (permissions LIKE '%\|usage\|%' OR permissions LIKE '%\|admin\|%' OR permissions LIKE '%\|contentadmin\|%') ".
	428	'ORDER BY blog_id ASC '.
	429	$this->con->limit(1);
	430	}
	431
	432	$rs = $this->con->select($strReq);
	433	if (!$rs->isEmpty()) {
	434	return $rs->blog_id;
	435	}
	436	}
	437
	438	return false;
	439	}
	440
	441	/**
[333]	442	* Returns current user ID
	443	*
	444	* @return string
[0]	445	*/
	446	public function userID()
	447	{
	448	return $this->user_id;
	449	}
	450
	451	/**
[333]	452	* Returns information about a user .
	453	*
	454	* @param string $n Information name
	455	* @return string
[0]	456	*/
	457	public function getInfo($n)
	458	{
	459	if (isset($this->user_info[$n])) {
	460	return $this->user_info[$n];
	461	}
	462
	463	return null;
	464	}
	465
	466	/**
[333]	467	* Returns a specific user option
	468	*
	469	* @param string $n Option name
	470	* @return string
[0]	471	*/
	472	public function getOption($n)
	473	{
	474	if (isset($this->user_options[$n])) {
	475	return $this->user_options[$n];
	476	}
	477	return null;
	478	}
	479
	480	/**
[333]	481	* Returns all user options in an associative array.
	482	*
	483	* @return array
[0]	484	*/
	485	public function getOptions()
	486	{
	487	return $this->user_options;
	488	}
	489	//@}
	490
	491	/// @name Permissions
	492	//@{
	493	/**
[333]	494	* Returns an array with permissions parsed from the string <var>$level</var>
	495	*
	496	* @param string $level Permissions string
	497	* @return array
[0]	498	*/
	499	public function parsePermissions($level)
	500	{
	501	$level = preg_replace('/^\\|/','',$level);
	502	$level = preg_replace('/\\|$/','',$level);
	503
	504	$res = array();
	505	foreach (explode('\|',$level) as $v) {
	506	$res[$v] = true;
	507	}
	508	return $res;
	509	}
	510
	511	/**
[333]	512	* Returns <var>perm_types</var> property content.
	513	*
	514	* @return array
[0]	515	*/
	516	public function getPermissionsTypes()
	517	{
	518	return $this->perm_types;
	519	}
	520
	521	/**
[333]	522	* Adds a new permission type.
	523	*
	524	* @param string $name Permission name
	525	* @param string $title Permission title
[0]	526	*/
	527	public function setPermissionType($name,$title)
	528	{
	529	$this->perm_types[$name] = $title;
	530	}
	531	//@}
	532
	533	/// @name Password recovery
	534	//@{
	535	/**
[333]	536	* Add a recover key to a specific user identified by its email and
	537	* password.
	538	*
	539	* @param string $user_id User ID
	540	* @param string $user_email User Email
	541	* @return string
[0]	542	*/
	543	public function setRecoverKey($user_id,$user_email)
	544	{
	545	$strReq = 'SELECT user_id '.
	546	'FROM '.$this->user_table.' '.
	547	"WHERE user_id = '".$this->con->escape($user_id)."' ".
	548	"AND user_email = '".$this->con->escape($user_email)."' ";
	549
	550	$rs = $this->con->select($strReq);
	551
	552	if ($rs->isEmpty()) {
	553	throw new Exception(__('That user does not exist in the database.'));
	554	}
	555
	556	$key = md5(uniqid());
	557
	558	$cur = $this->con->openCursor($this->user_table);
	559	$cur->user_recover_key = $key;
	560
	561	$cur->update("WHERE user_id = '".$this->con->escape($user_id)."'");
	562
	563	return $key;
	564	}
	565
	566	/**
[333]	567	* Creates a new user password using recovery key. Returns an array:
	568	*
	569	* - user_email
	570	* - user_id
	571	* - new_pass
	572	*
	573	* @param string $recover_key Recovery key
	574	* @return array
[0]	575	*/
	576	public function recoverUserPassword($recover_key)
	577	{
	578	$strReq = 'SELECT user_id, user_email '.
	579	'FROM '.$this->user_table.' '.
	580	"WHERE user_recover_key = '".$this->con->escape($recover_key)."' ";
	581
	582	$rs = $this->con->select($strReq);
	583
	584	if ($rs->isEmpty()) {
	585	throw new Exception(__('That key does not exist in the database.'));
	586	}
	587
	588	$new_pass = crypt::createPassword();
	589
	590	$cur = $this->con->openCursor($this->user_table);
	591	$cur->user_pwd = crypt::hmac(DC_MASTER_KEY,$new_pass);
	592	$cur->user_recover_key = null;
	593
	594	$cur->update("WHERE user_recover_key = '".$this->con->escape($recover_key)."'");
	595
	596	return array('user_email' => $rs->user_email, 'user_id' => $rs->user_id, 'new_pass' => $new_pass);
	597	}
	598	//@}
	599
	600	/** @name User management callbacks
	601	This 3 functions only matter if you extend this class and use
	602	DC_AUTH_CLASS constant.
	603	These are called after core user management functions.
	604	Could be useful if you need to add/update/remove stuff in your
	605	LDAP directory or other third party authentication database.
	606	*/
	607	//@{
	608
	609	/**
[333]	610	* Called after core->addUser
	611	* @see dcCore::addUser
	612	* @param cursor $cur User cursor
[0]	613	*/
	614	public function afterAddUser($cur) {}
	615
	616	/**
[333]	617	* Called after core->updUser
	618	* @see dcCore::updUser
	619	* @param string $id User ID
	620	* @param cursor $cur User cursor
[0]	621	*/
	622	public function afterUpdUser($id,$cur) {}
	623
	624	/**
[333]	625	* Called after core->delUser
	626	* @see dcCore::delUser
	627	* @param string $id User ID
[0]	628	*/
	629	public function afterDelUser($id) {}
	630	//@}
	631	}
	632	?>

Note: See TracBrowser for help on using the repository browser.

Dotclear

Context Navigation

source: inc/core/class.dc.auth.php @ 1179:a43a29427ef3

Download in other formats:

Sites map