class.dc.auth.php @ 333:5e2fb991a74d

Visit:

Revision 333:5e2fb991a74d, 14.6 KB checked in by Alex Pirine <digimag@…>, 14 years ago (diff)
Improved code documentation

Line
1	<?php
2	# -- BEGIN LICENSE BLOCK ---------------------------------------
3	#
4	# This file is part of Dotclear 2.
5	#
6	# Copyright (c) 2003-2010 Olivier Meunier & Association Dotclear
7	# Licensed under the GPL version 2.0 license.
8	# See LICENSE file or
9	# http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
10	#
11	# -- END LICENSE BLOCK -----------------------------------------
12	if (!defined('DC_RC_PATH')) { return; }
13
14	/**
15	* @ingroup DC_CORE
16	* @nosubgrouping
17	* @brief Authentication and user credentials management
18	*
19	* dcAuth is a class used to handle everything related to user authentication
20	* and credentials. Object is provided by dcCore $auth property.
21	*/
22	class dcAuth
23	{
24	/** @var dcCore dcCore instance */
25	protected $core;
26	/** @var connection Database connection object */
27	protected $con;
28
29	/** @var string User table name */
30	protected $user_table;
31	/** @var string Perm table name */
32	protected $perm_table;
33
34	/** @var string Current user ID */
35	protected $user_id;
36	/** @var array Array with user information */
37	protected $user_info = array();
38	/** @var array Array with user options */
39	protected $user_options = array();
40	/** @var boolean User must change his password after login */
41	protected $user_change_pwd;
42	/** @var boolean User is super admin */
43	protected $user_admin;
44	/** @var array Permissions for each blog */
45	protected $permissions = array();
46	/** @var boolean User can change its password */
47	protected $allow_pass_change = true;
48	/** @var array List of blogs on which the user has permissions */
49	protected $blogs = array();
50	/** @var integer Count of user blogs */
51	public $blog_count = null;
52
53	/** @var array Permission types */
54	protected $perm_types;
55
56	/** @var dcPrefs dcPrefs object */
57	public $user_prefs;
58
59	/**
60	* Class constructor. Takes dcCore object as single argument.
61	*
62	* @param dcCore $core dcCore object
63	*/
64	public function __construct($core)
65	{
66	$this->core =& $core;
67	$this->con =& $core->con;
68	$this->blog_table = $core->prefix.'blog';
69	$this->user_table = $core->prefix.'user';
70	$this->perm_table = $core->prefix.'permissions';
71
72	$this->perm_types = array(
73	'admin' => __('administrator'),
74	'usage' => __('manage their own entries and comments'),
75	'publish' => __('publish entries and comments'),
76	'delete' => __('delete entries and comments'),
77	'contentadmin' => __('manage all entries and comments'),
78	'categories' => __('manage categories'),
79	'media' => __('manage their own media items'),
80	'media_admin' => __('manage all media items')
81	);
82	}
83
84	/// @name Credentials and user permissions
85	//@{
86	/**
87	* Checks if user exists and can log in. <var>$pwd</var> argument is optionnal
88	* while you may need to check user without password. This method will create
89	* credentials and populate all needed object properties.
90	*
91	* @param string $user_id User ID
92	* @param string $pwd User password
93	* @param string $user_key User key check
94	* @param boolean $check_blog checks if user is associated to a blog or not.
95	* @return boolean
96	*/
97	public function checkUser($user_id, $pwd=null, $user_key=null, $check_blog=true)
98	{
99	# Check user and password
100	$strReq = 'SELECT user_id, user_super, user_pwd, user_change_pwd, '.
101	'user_name, user_firstname, user_displayname, user_email, '.
102	'user_url, user_default_blog, user_options, '.
103	'user_lang, user_tz, user_post_status, user_creadt, user_upddt '.
104	'FROM '.$this->con->escapeSystem($this->user_table).' '.
105	"WHERE user_id = '".$this->con->escape($user_id)."' ";
106
107	try {
108	$rs = $this->con->select($strReq);
109	} catch (Exception $e) {
110	$err = $e->getMessage();
111	return false;
112	}
113
114	if ($rs->isEmpty()) {
115	return false;
116	}
117
118	$rs->extend('rsExtUser');
119
120	if ($pwd != '')
121	{
122	if (crypt::hmac(DC_MASTER_KEY,$pwd) != $rs->user_pwd) {
123	sleep(rand(2,5));
124	return false;
125	}
126	}
127	elseif ($user_key != '')
128	{
129	if (http::browserUID(DC_MASTER_KEY.$rs->user_id.$rs->user_pwd) != $user_key) {
130	return false;
131	}
132	}
133
134	$this->user_id = $rs->user_id;
135	$this->user_change_pwd = (boolean) $rs->user_change_pwd;
136	$this->user_admin = (boolean) $rs->user_super;
137
138	$this->user_info['user_pwd'] = $rs->user_pwd;
139	$this->user_info['user_name'] = $rs->user_name;
140	$this->user_info['user_firstname'] = $rs->user_firstname;
141	$this->user_info['user_displayname'] = $rs->user_displayname;
142	$this->user_info['user_email'] = $rs->user_email;
143	$this->user_info['user_url'] = $rs->user_url;
144	$this->user_info['user_default_blog'] = $rs->user_default_blog;
145	$this->user_info['user_lang'] = $rs->user_lang;
146	$this->user_info['user_tz'] = $rs->user_tz;
147	$this->user_info['user_post_status'] = $rs->user_post_status;
148	$this->user_info['user_creadt'] = $rs->user_creadt;
149	$this->user_info['user_upddt'] = $rs->user_upddt;
150
151	$this->user_info['user_cn'] = dcUtils::getUserCN($rs->user_id, $rs->user_name,
152	$rs->user_firstname, $rs->user_displayname);
153
154	$this->user_options = array_merge($this->core->userDefaults(),$rs->options());
155
156	$this->user_prefs = new dcPrefs($this->core,$this->user_id);
157
158	# Get permissions on blogs
159	if ($check_blog && ($this->findUserBlog() === false)) {
160	return false;
161	}
162	return true;
163	}
164
165	/**
166	* This method only check current user password.
167	*
168	* @param string $pwd User password
169	* @return boolean
170	*/
171	public function checkPassword($pwd)
172	{
173	if (!empty($this->user_info['user_pwd'])) {
174	return $pwd == $this->user_info['user_pwd'];
175	}
176
177	return false;
178	}
179
180	/**
181	* This method checks if user session cookie exists
182	*
183	* @return boolean
184	*/
185	public function sessionExists()
186	{
187	return isset($_COOKIE[DC_SESSION_NAME]);
188	}
189
190	/**
191	* This method checks user session validity.
192	*
193	* @return boolean
194	*/
195	public function checkSession($uid=null)
196	{
197	$this->core->session->start();
198
199	# If session does not exist, logout.
200	if (!isset($_SESSION['sess_user_id'])) {
201	$this->core->session->destroy();
202	return false;
203	}
204
205	# Check here for user and IP address
206	$this->checkUser($_SESSION['sess_user_id']);
207	$uid = $uid ? $uid : http::browserUID(DC_MASTER_KEY);
208
209	$user_can_log = $this->userID() !== null && $uid == $_SESSION['sess_browser_uid'];
210
211	if (!$user_can_log) {
212	$this->core->session->destroy();
213	return false;
214	}
215
216	return true;
217	}
218
219	/**
220	* Checks if user must change his password in order to login.
221	*
222	* @return boolean
223	*/
224	public function mustChangePassword()
225	{
226	return $this->user_change_pwd;
227	}
228
229	/**
230	* Checks if user is super admin
231	*
232	* @return boolean
233	*/
234	public function isSuperAdmin()
235	{
236	return $this->user_admin;
237	}
238
239	/**
240	* Checks if user has permissions given in <var>$permissions</var> for blog
241	* <var>$blog_id</var>. <var>$permissions</var> is a coma separated list of
242	* permissions.
243	*
244	* @param string $permissions Permissions list
245	* @param string $blog_id Blog ID
246	* @return boolean
247	*/
248	public function check($permissions,$blog_id)
249	{
250	if ($this->user_admin) {
251	return true;
252	}
253
254	$p = explode(',',$permissions);
255	$b = $this->getPermissions($blog_id);
256
257	if ($b != false)
258	{
259	if (isset($b['admin'])) {
260	return true;
261	}
262
263	foreach ($p as $v)
264	{
265	if (isset($b[$v])) {
266	return true;
267	}
268	}
269	}
270
271	return false;
272	}
273
274	/**
275	* Returns true if user is allowed to change its password.
276	*
277	* @return boolean
278	*/
279	public function allowPassChange()
280	{
281	return $this->allow_pass_change;
282	}
283	//@}
284
285	/// @name User code handlers
286	//@{
287	public function getUserCode()
288	{
289	$code =
290	pack('a32',$this->userID()).
291	pack('H*',crypt::hmac(DC_MASTER_KEY,$this->getInfo('user_pwd')));
292	return bin2hex($code);
293	}
294
295	public function checkUserCode($code)
296	{
297	$code = @pack('H*',$code);
298
299	$user_id = trim(@pack('a32',substr($code,0,32)));
300	$pwd = @unpack('H40hex',substr($code,32,40));
301
302	if ($user_id === false \|\| $pwd === false) {
303	return false;
304	}
305
306	$pwd = $pwd['hex'];
307
308	$strReq = 'SELECT user_id, user_pwd '.
309	'FROM '.$this->user_table.' '.
310	"WHERE user_id = '".$this->con->escape($user_id)."' ";
311
312	$rs = $this->con->select($strReq);
313
314	if ($rs->isEmpty()) {
315	return false;
316	}
317
318	if (crypt::hmac(DC_MASTER_KEY,$rs->user_pwd) != $pwd) {
319	return false;
320	}
321
322	return $rs->user_id;
323	}
324	//@}
325
326
327	/// @name Sudo
328	//@{
329	/**
330	* Calls $f function with super admin rights.
331	* Returns the function result.
332	*
333	* @param callback $f Callback function
334	* @return mixed
335	*/
336	public function sudo($f)
337	{
338	if (!is_callable($f)) {
339	throw new Exception($f.' function doest not exist');
340	}
341
342	$args = func_get_args();
343	array_shift($args);
344
345	if ($this->user_admin) {
346	$res = call_user_func_array($f,$args);
347	} else {
348	$this->user_admin = true;
349	try {
350	$res = call_user_func_array($f,$args);
351	$this->user_admin = false;
352	} catch (Exception $e) {
353	$this->user_admin = false;
354	throw $e;
355	}
356	}
357
358	return $res;
359	}
360	//@}
361
362	/// @name User information and options
363	//@{
364	/**
365	* Returns user permissions for a blog as an array which looks like:
366	*
367	* - [blog_id]
368	* - [permission] => true
369	* - ...
370	*
371	* @param string $blog_id Blog ID
372	* @return array
373	*/
374	public function getPermissions($blog_id)
375	{
376	if (isset($this->blogs[$blog_id])) {
377	return $this->blogs[$blog_id];
378	}
379
380	if ($this->blog_count === null) {
381	$this->blog_count = $this->core->getBlogs(array(),true)->f(0);
382	}
383
384	if ($this->user_admin) {
385	$strReq = 'SELECT blog_id '.
386	'from '.$this->blog_table.' '.
387	"WHERE blog_id = '".$this->con->escape($blog_id)."' ";
388	$rs = $this->con->select($strReq);
389
390	$this->blogs[$blog_id] = $rs->isEmpty() ? false : array('admin' => true);
391
392	return $this->blogs[$blog_id];
393	}
394
395	$strReq = 'SELECT permissions '.
396	'FROM '.$this->perm_table.' '.
397	"WHERE user_id = '".$this->con->escape($this->user_id)."' ".
398	"AND blog_id = '".$this->con->escape($blog_id)."' ".
399	"AND (permissions LIKE '%\|usage\|%' OR permissions LIKE '%\|admin\|%' OR permissions LIKE '%\|contentadmin\|%') ";
400	$rs = $this->con->select($strReq);
401
402	$this->blogs[$blog_id] = $rs->isEmpty() ? false : $this->parsePermissions($rs->permissions);
403
404	return $this->blogs[$blog_id];
405	}
406
407	public function findUserBlog($blog_id=null)
408	{
409	if ($blog_id && $this->getPermissions($blog_id) !== false)
410	{
411	return $blog_id;
412	}
413	else
414	{
415	if ($this->user_admin)
416	{
417	$strReq = 'SELECT blog_id '.
418	'FROM '.$this->blog_table.' '.
419	'ORDER BY blog_id ASC '.
420	$this->con->limit(1);
421	}
422	else
423	{
424	$strReq = 'SELECT blog_id '.
425	'FROM '.$this->perm_table.' '.
426	"WHERE user_id = '".$this->con->escape($this->user_id)."' ".
427	"AND (permissions LIKE '%\|usage\|%' OR permissions LIKE '%\|admin\|%' OR permissions LIKE '%\|contentadmin\|%') ".
428	'ORDER BY blog_id ASC '.
429	$this->con->limit(1);
430	}
431
432	$rs = $this->con->select($strReq);
433	if (!$rs->isEmpty()) {
434	return $rs->blog_id;
435	}
436	}
437
438	return false;
439	}
440
441	/**
442	* Returns current user ID
443	*
444	* @return string
445	*/
446	public function userID()
447	{
448	return $this->user_id;
449	}
450
451	/**
452	* Returns information about a user .
453	*
454	* @param string $n Information name
455	* @return string
456	*/
457	public function getInfo($n)
458	{
459	if (isset($this->user_info[$n])) {
460	return $this->user_info[$n];
461	}
462
463	return null;
464	}
465
466	/**
467	* Returns a specific user option
468	*
469	* @param string $n Option name
470	* @return string
471	*/
472	public function getOption($n)
473	{
474	if (isset($this->user_options[$n])) {
475	return $this->user_options[$n];
476	}
477	return null;
478	}
479
480	/**
481	* Returns all user options in an associative array.
482	*
483	* @return array
484	*/
485	public function getOptions()
486	{
487	return $this->user_options;
488	}
489	//@}
490
491	/// @name Permissions
492	//@{
493	/**
494	* Returns an array with permissions parsed from the string <var>$level</var>
495	*
496	* @param string $level Permissions string
497	* @return array
498	*/
499	public function parsePermissions($level)
500	{
501	$level = preg_replace('/^\\|/','',$level);
502	$level = preg_replace('/\\|$/','',$level);
503
504	$res = array();
505	foreach (explode('\|',$level) as $v) {
506	$res[$v] = true;
507	}
508	return $res;
509	}
510
511	/**
512	* Returns <var>perm_types</var> property content.
513	*
514	* @return array
515	*/
516	public function getPermissionsTypes()
517	{
518	return $this->perm_types;
519	}
520
521	/**
522	* Adds a new permission type.
523	*
524	* @param string $name Permission name
525	* @param string $title Permission title
526	*/
527	public function setPermissionType($name,$title)
528	{
529	$this->perm_types[$name] = $title;
530	}
531	//@}
532
533	/// @name Password recovery
534	//@{
535	/**
536	* Add a recover key to a specific user identified by its email and
537	* password.
538	*
539	* @param string $user_id User ID
540	* @param string $user_email User Email
541	* @return string
542	*/
543	public function setRecoverKey($user_id,$user_email)
544	{
545	$strReq = 'SELECT user_id '.
546	'FROM '.$this->user_table.' '.
547	"WHERE user_id = '".$this->con->escape($user_id)."' ".
548	"AND user_email = '".$this->con->escape($user_email)."' ";
549
550	$rs = $this->con->select($strReq);
551
552	if ($rs->isEmpty()) {
553	throw new Exception(__('That user does not exist in the database.'));
554	}
555
556	$key = md5(uniqid());
557
558	$cur = $this->con->openCursor($this->user_table);
559	$cur->user_recover_key = $key;
560
561	$cur->update("WHERE user_id = '".$this->con->escape($user_id)."'");
562
563	return $key;
564	}
565
566	/**
567	* Creates a new user password using recovery key. Returns an array:
568	*
569	* - user_email
570	* - user_id
571	* - new_pass
572	*
573	* @param string $recover_key Recovery key
574	* @return array
575	*/
576	public function recoverUserPassword($recover_key)
577	{
578	$strReq = 'SELECT user_id, user_email '.
579	'FROM '.$this->user_table.' '.
580	"WHERE user_recover_key = '".$this->con->escape($recover_key)."' ";
581
582	$rs = $this->con->select($strReq);
583
584	if ($rs->isEmpty()) {
585	throw new Exception(__('That key does not exist in the database.'));
586	}
587
588	$new_pass = crypt::createPassword();
589
590	$cur = $this->con->openCursor($this->user_table);
591	$cur->user_pwd = crypt::hmac(DC_MASTER_KEY,$new_pass);
592	$cur->user_recover_key = null;
593
594	$cur->update("WHERE user_recover_key = '".$this->con->escape($recover_key)."'");
595
596	return array('user_email' => $rs->user_email, 'user_id' => $rs->user_id, 'new_pass' => $new_pass);
597	}
598	//@}
599
600	/** @name User management callbacks
601	This 3 functions only matter if you extend this class and use
602	DC_AUTH_CLASS constant.
603	These are called after core user management functions.
604	Could be useful if you need to add/update/remove stuff in your
605	LDAP directory or other third party authentication database.
606	*/
607	//@{
608
609	/**
610	* Called after core->addUser
611	* @see dcCore::addUser
612	* @param cursor $cur User cursor
613	*/
614	public function afterAddUser($cur) {}
615
616	/**
617	* Called after core->updUser
618	* @see dcCore::updUser
619	* @param string $id User ID
620	* @param cursor $cur User cursor
621	*/
622	public function afterUpdUser($id,$cur) {}
623
624	/**
625	* Called after core->delUser
626	* @see dcCore::delUser
627	* @param string $id User ID
628	*/
629	public function afterDelUser($id) {}
630	//@}
631	}
632	?>

Note: See TracBrowser for help on using the repository browser.

Dotclear

Context Navigation

source: inc/core/class.dc.auth.php @ 333:5e2fb991a74d

Download in other formats:

Sites map