diff options
| author | Andreas Gohr <andi@splitbrain.org> | 2012-06-24 16:07:18 +0200 |
|---|---|---|
| committer | Andreas Gohr <andi@splitbrain.org> | 2012-06-24 16:07:18 +0200 |
| commit | ab5d26daf90483fc0ed3437c64011a5e8475970f (patch) | |
| tree | fe1ca45547c95b587f53895e1e74d558b5f18676 /inc/auth.php | |
| parent | ff1769defb9de14a80792aed16652451a29f03da (diff) | |
| download | rpg-ab5d26daf90483fc0ed3437c64011a5e8475970f.tar.gz rpg-ab5d26daf90483fc0ed3437c64011a5e8475970f.tar.bz2 | |
code cleanup
Diffstat (limited to 'inc/auth.php')
| -rw-r--r-- | inc/auth.php | 596 |
1 files changed, 320 insertions, 276 deletions
diff --git a/inc/auth.php b/inc/auth.php index ed0e2dcf7..8489c2265 100644 --- a/inc/auth.php +++ b/inc/auth.php @@ -12,13 +12,13 @@ if(!defined('DOKU_INC')) die('meh.'); // some ACL level defines -define('AUTH_NONE',0); -define('AUTH_READ',1); -define('AUTH_EDIT',2); -define('AUTH_CREATE',4); -define('AUTH_UPLOAD',8); -define('AUTH_DELETE',16); -define('AUTH_ADMIN',255); +define('AUTH_NONE', 0); +define('AUTH_READ', 1); +define('AUTH_EDIT', 2); +define('AUTH_CREATE', 4); +define('AUTH_UPLOAD', 8); +define('AUTH_DELETE', 16); +define('AUTH_ADMIN', 255); /** * Initialize the auth system. @@ -29,26 +29,28 @@ define('AUTH_ADMIN',255); * * @todo backend loading maybe should be handled by the class autoloader * @todo maybe split into multiple functions at the XXX marked positions + * @triggers AUTH_LOGIN_CHECK + * @return bool */ -function auth_setup(){ +function auth_setup() { global $conf; + /* @var auth_basic $auth */ global $auth; global $AUTH_ACL; global $lang; - global $config_cascade; $AUTH_ACL = array(); if(!$conf['useacl']) return false; // load the the backend auth functions and instantiate the auth object XXX - if (@file_exists(DOKU_INC.'inc/auth/'.$conf['authtype'].'.class.php')) { + if(@file_exists(DOKU_INC.'inc/auth/'.$conf['authtype'].'.class.php')) { require_once(DOKU_INC.'inc/auth/basic.class.php'); require_once(DOKU_INC.'inc/auth/'.$conf['authtype'].'.class.php'); $auth_class = "auth_".$conf['authtype']; - if (class_exists($auth_class)) { + if(class_exists($auth_class)) { $auth = new $auth_class(); - if ($auth->success == false) { + if($auth->success == false) { // degrade to unauthenticated user unset($auth); auth_logoff(); @@ -61,14 +63,14 @@ function auth_setup(){ nice_die($lang['authmodfailed']); } - if(!$auth) return; + if(!$auth) return false; // do the login either by cookie or provided credentials XXX - if (!isset($_REQUEST['u'])) $_REQUEST['u'] = ''; - if (!isset($_REQUEST['p'])) $_REQUEST['p'] = ''; - if (!isset($_REQUEST['r'])) $_REQUEST['r'] = ''; + if(!isset($_REQUEST['u'])) $_REQUEST['u'] = ''; + if(!isset($_REQUEST['p'])) $_REQUEST['p'] = ''; + if(!isset($_REQUEST['r'])) $_REQUEST['r'] = ''; $_REQUEST['http_credentials'] = false; - if (!$conf['rememberme']) $_REQUEST['r'] = false; + if(!$conf['rememberme']) $_REQUEST['r'] = false; // handle renamed HTTP_AUTHORIZATION variable (can happen when a fix like // the one presented at @@ -77,48 +79,50 @@ function auth_setup(){ if(isset($_SERVER['REDIRECT_HTTP_AUTHORIZATION'])) $_SERVER['HTTP_AUTHORIZATION'] = $_SERVER['REDIRECT_HTTP_AUTHORIZATION']; // streamline HTTP auth credentials (IIS/rewrite -> mod_php) - if(isset($_SERVER['HTTP_AUTHORIZATION'])){ - list($_SERVER['PHP_AUTH_USER'],$_SERVER['PHP_AUTH_PW']) = + if(isset($_SERVER['HTTP_AUTHORIZATION'])) { + list($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) = explode(':', base64_decode(substr($_SERVER['HTTP_AUTHORIZATION'], 6))); } // if no credentials were given try to use HTTP auth (for SSO) - if(empty($_REQUEST['u']) && empty($_COOKIE[DOKU_COOKIE]) && !empty($_SERVER['PHP_AUTH_USER'])){ - $_REQUEST['u'] = $_SERVER['PHP_AUTH_USER']; - $_REQUEST['p'] = $_SERVER['PHP_AUTH_PW']; + if(empty($_REQUEST['u']) && empty($_COOKIE[DOKU_COOKIE]) && !empty($_SERVER['PHP_AUTH_USER'])) { + $_REQUEST['u'] = $_SERVER['PHP_AUTH_USER']; + $_REQUEST['p'] = $_SERVER['PHP_AUTH_PW']; $_REQUEST['http_credentials'] = true; } // apply cleaning $_REQUEST['u'] = $auth->cleanUser($_REQUEST['u']); - if(isset($_REQUEST['authtok'])){ + if(isset($_REQUEST['authtok'])) { // when an authentication token is given, trust the session auth_validateToken($_REQUEST['authtok']); - }elseif(!is_null($auth) && $auth->canDo('external')){ + } elseif(!is_null($auth) && $auth->canDo('external')) { // external trust mechanism in place - $auth->trustExternal($_REQUEST['u'],$_REQUEST['p'],$_REQUEST['r']); - }else{ + $auth->trustExternal($_REQUEST['u'], $_REQUEST['p'], $_REQUEST['r']); + } else { $evdata = array( - 'user' => $_REQUEST['u'], - 'password' => $_REQUEST['p'], - 'sticky' => $_REQUEST['r'], - 'silent' => $_REQUEST['http_credentials'], - ); + 'user' => $_REQUEST['u'], + 'password' => $_REQUEST['p'], + 'sticky' => $_REQUEST['r'], + 'silent' => $_REQUEST['http_credentials'], + ); trigger_event('AUTH_LOGIN_CHECK', $evdata, 'auth_login_wrapper'); } //load ACL into a global array XXX $AUTH_ACL = auth_loadACL(); + + return true; } /** * Loads the ACL setup and handle user wildcards * * @author Andreas Gohr <andi@splitbrain.org> - * @returns array + * @return array */ -function auth_loadACL(){ +function auth_loadACL() { global $config_cascade; if(!is_readable($config_cascade['acl']['default'])) return array(); @@ -126,24 +130,32 @@ function auth_loadACL(){ $acl = file($config_cascade['acl']['default']); //support user wildcard - if(isset($_SERVER['REMOTE_USER'])){ + if(isset($_SERVER['REMOTE_USER'])) { $len = count($acl); - for($i=0; $i<$len; $i++){ + for($i = 0; $i < $len; $i++) { if($acl[$i]{0} == '#') continue; - list($id,$rest) = preg_split('/\s+/',$acl[$i],2); - $id = str_replace('%USER%',cleanID($_SERVER['REMOTE_USER']),$id); - $rest = str_replace('%USER%',auth_nameencode($_SERVER['REMOTE_USER']),$rest); + list($id, $rest) = preg_split('/\s+/', $acl[$i], 2); + $id = str_replace('%USER%', cleanID($_SERVER['REMOTE_USER']), $id); + $rest = str_replace('%USER%', auth_nameencode($_SERVER['REMOTE_USER']), $rest); $acl[$i] = "$id\t$rest"; } } return $acl; } +/** + * Event hook callback for AUTH_LOGIN_CHECK + * + * @param $evdata + * @return bool + */ function auth_login_wrapper($evdata) { - return auth_login($evdata['user'], - $evdata['password'], - $evdata['sticky'], - $evdata['silent']); + return auth_login( + $evdata['user'], + $evdata['password'], + $evdata['sticky'], + $evdata['silent'] + ); } /** @@ -175,53 +187,56 @@ function auth_login_wrapper($evdata) { * @param bool $silent Don't show error on bad auth * @return bool true on successful auth */ -function auth_login($user,$pass,$sticky=false,$silent=false){ +function auth_login($user, $pass, $sticky = false, $silent = false) { global $USERINFO; global $conf; global $lang; + /* @var auth_basic $auth */ global $auth; + $sticky ? $sticky = true : $sticky = false; //sanity check - if (!$auth) return false; + if(!$auth) return false; - if(!empty($user)){ + if(!empty($user)) { //usual login - if ($auth->checkPass($user,$pass)){ + if($auth->checkPass($user, $pass)) { // make logininfo globally available $_SERVER['REMOTE_USER'] = $user; - $secret = auth_cookiesalt(!$sticky); //bind non-sticky to session - auth_setCookie($user,PMA_blowfish_encrypt($pass,$secret),$sticky); + $secret = auth_cookiesalt(!$sticky); //bind non-sticky to session + auth_setCookie($user, PMA_blowfish_encrypt($pass, $secret), $sticky); return true; - }else{ + } else { //invalid credentials - log off - if(!$silent) msg($lang['badlogin'],-1); + if(!$silent) msg($lang['badlogin'], -1); auth_logoff(); return false; } - }else{ + } else { // read cookie information - list($user,$sticky,$pass) = auth_getCookie(); - if($user && $pass){ + list($user, $sticky, $pass) = auth_getCookie(); + if($user && $pass) { // we got a cookie - see if we can trust it // get session info $session = $_SESSION[DOKU_COOKIE]['auth']; if(isset($session) && - $auth->useSessionCache($user) && - ($session['time'] >= time()-$conf['auth_security_timeout']) && - ($session['user'] == $user) && - ($session['pass'] == sha1($pass)) && //still crypted - ($session['buid'] == auth_browseruid()) ){ + $auth->useSessionCache($user) && + ($session['time'] >= time() - $conf['auth_security_timeout']) && + ($session['user'] == $user) && + ($session['pass'] == sha1($pass)) && //still crypted + ($session['buid'] == auth_browseruid()) + ) { // he has session, cookie and browser right - let him in $_SERVER['REMOTE_USER'] = $user; - $USERINFO = $session['info']; //FIXME move all references to session + $USERINFO = $session['info']; //FIXME move all references to session return true; } // no we don't trust it yet - recheck pass but silent $secret = auth_cookiesalt(!$sticky); //bind non-sticky to session - $pass = PMA_blowfish_decrypt($pass,$secret); - return auth_login($user,$pass,$sticky,true); + $pass = PMA_blowfish_decrypt($pass, $secret); + return auth_login($user, $pass, $sticky, true); } } //just to be sure @@ -239,8 +254,8 @@ function auth_login($user,$pass,$sticky=false,$silent=false){ * @param string $token The authentication token * @return boolean true (or will exit on failure) */ -function auth_validateToken($token){ - if(!$token || $token != $_SESSION[DOKU_COOKIE]['auth']['token']){ +function auth_validateToken($token) { + if(!$token || $token != $_SESSION[DOKU_COOKIE]['auth']['token']) { // bad token header("HTTP/1.0 401 Unauthorized"); print 'Invalid auth token - maybe the session timed out'; @@ -250,7 +265,7 @@ function auth_validateToken($token){ // still here? trust the session data global $USERINFO; $_SERVER['REMOTE_USER'] = $_SESSION[DOKU_COOKIE]['auth']['user']; - $USERINFO = $_SESSION[DOKU_COOKIE]['auth']['info']; + $USERINFO = $_SESSION[DOKU_COOKIE]['auth']['info']; return true; } @@ -262,7 +277,7 @@ function auth_validateToken($token){ * @author Andreas Gohr <andi@splitbrain.org> * @return string The auth token */ -function auth_createToken(){ +function auth_createToken() { $token = md5(mt_rand()); @session_start(); // reopen the session if needed $_SESSION[DOKU_COOKIE]['auth']['token'] = $token; @@ -281,14 +296,14 @@ function auth_createToken(){ * * @return string a MD5 sum of various browser headers */ -function auth_browseruid(){ - $ip = clientIP(true); - $uid = ''; +function auth_browseruid() { + $ip = clientIP(true); + $uid = ''; $uid .= $_SERVER['HTTP_USER_AGENT']; $uid .= $_SERVER['HTTP_ACCEPT_ENCODING']; $uid .= $_SERVER['HTTP_ACCEPT_LANGUAGE']; $uid .= $_SERVER['HTTP_ACCEPT_CHARSET']; - $uid .= substr($ip,0,strpos($ip,'.')); + $uid .= substr($ip, 0, strpos($ip, '.')); return md5($uid); } @@ -304,15 +319,15 @@ function auth_browseruid(){ * @param bool $addsession if true, the sessionid is added to the salt * @return string */ -function auth_cookiesalt($addsession=false){ +function auth_cookiesalt($addsession = false) { global $conf; $file = $conf['metadir'].'/_htcookiesalt'; $salt = io_readFile($file); - if(empty($salt)){ - $salt = uniqid(rand(),true); - io_saveFile($file,$salt); + if(empty($salt)) { + $salt = uniqid(rand(), true); + io_saveFile($file, $salt); } - if($addsession){ + if($addsession) { $salt .= session_id(); } return $salt; @@ -327,10 +342,10 @@ function auth_cookiesalt($addsession=false){ * @author Andreas Gohr <andi@splitbrain.org> * @param bool $keepbc - when true, the breadcrumb data is not cleared */ -function auth_logoff($keepbc=false){ +function auth_logoff($keepbc = false) { global $conf; global $USERINFO; - global $INFO, $ID; + /* @var auth_basic $auth */ global $auth; // make sure the session is writable (it usually is) @@ -346,13 +361,13 @@ function auth_logoff($keepbc=false){ unset($_SESSION[DOKU_COOKIE]['bc']); if(isset($_SERVER['REMOTE_USER'])) unset($_SERVER['REMOTE_USER']); - $USERINFO=null; //FIXME + $USERINFO = null; //FIXME $cookieDir = empty($conf['cookiedir']) ? DOKU_REL : $conf['cookiedir']; - if (version_compare(PHP_VERSION, '5.2.0', '>')) { - setcookie(DOKU_COOKIE,'',time()-600000,$cookieDir,'',($conf['securecookie'] && is_ssl()),true); - }else{ - setcookie(DOKU_COOKIE,'',time()-600000,$cookieDir,'',($conf['securecookie'] && is_ssl())); + if(version_compare(PHP_VERSION, '5.2.0', '>')) { + setcookie(DOKU_COOKIE, '', time() - 600000, $cookieDir, '', ($conf['securecookie'] && is_ssl()), true); + } else { + setcookie(DOKU_COOKIE, '', time() - 600000, $cookieDir, '', ($conf['securecookie'] && is_ssl())); } if($auth) $auth->logOff(); @@ -368,32 +383,34 @@ function auth_logoff($keepbc=false){ * * @author Andreas Gohr <andi@splitbrain.org> * @see auth_isadmin - * @param string user - Username - * @param array groups - List of groups the user is in - * @param bool adminonly - when true checks if user is admin + * @param string $user Username + * @param array $groups List of groups the user is in + * @param bool $adminonly when true checks if user is admin + * @return bool */ -function auth_ismanager($user=null,$groups=null,$adminonly=false){ +function auth_ismanager($user = null, $groups = null, $adminonly = false) { global $conf; global $USERINFO; + /* @var auth_basic $auth */ global $auth; - if (!$auth) return false; + if(!$auth) return false; if(is_null($user)) { - if (!isset($_SERVER['REMOTE_USER'])) { + if(!isset($_SERVER['REMOTE_USER'])) { return false; } else { $user = $_SERVER['REMOTE_USER']; } } - if(is_null($groups)){ + if(is_null($groups)) { $groups = (array) $USERINFO['grps']; } // check superuser match - if(auth_isMember($conf['superuser'],$user, $groups)) return true; + if(auth_isMember($conf['superuser'], $user, $groups)) return true; if($adminonly) return false; // check managers - if(auth_isMember($conf['manager'],$user, $groups)) return true; + if(auth_isMember($conf['manager'], $user, $groups)) return true; return false; } @@ -406,13 +423,15 @@ function auth_ismanager($user=null,$groups=null,$adminonly=false){ * The info is available through $INFO['isadmin'], too * * @author Andreas Gohr <andi@splitbrain.org> - * @see auth_ismanager + * @see auth_ismanager() + * @param string $user Username + * @param array $groups List of groups the user is in + * @return bool */ -function auth_isadmin($user=null,$groups=null){ - return auth_ismanager($user,$groups,true); +function auth_isadmin($user = null, $groups = null) { + return auth_ismanager($user, $groups, true); } - /** * Match a user and his groups against a comma separated list of * users and groups to determine membership status @@ -424,31 +443,32 @@ function auth_isadmin($user=null,$groups=null){ * @param $groups array groups the user is member of * @return bool true for membership acknowledged */ -function auth_isMember($memberlist,$user,array $groups){ +function auth_isMember($memberlist, $user, array $groups) { + /* @var auth_basic $auth */ global $auth; - if (!$auth) return false; + if(!$auth) return false; // clean user and groups - if(!$auth->isCaseSensitive()){ - $user = utf8_strtolower($user); - $groups = array_map('utf8_strtolower',$groups); + if(!$auth->isCaseSensitive()) { + $user = utf8_strtolower($user); + $groups = array_map('utf8_strtolower', $groups); } - $user = $auth->cleanUser($user); - $groups = array_map(array($auth,'cleanGroup'),$groups); + $user = $auth->cleanUser($user); + $groups = array_map(array($auth, 'cleanGroup'), $groups); // extract the memberlist - $members = explode(',',$memberlist); - $members = array_map('trim',$members); + $members = explode(',', $memberlist); + $members = array_map('trim', $members); $members = array_unique($members); $members = array_filter($members); // compare cleaned values - foreach($members as $member){ + foreach($members as $member) { if(!$auth->isCaseSensitive()) $member = utf8_strtolower($member); - if($member[0] == '@'){ - $member = $auth->cleanGroup(substr($member,1)); + if($member[0] == '@') { + $member = $auth->cleanGroup(substr($member, 1)); if(in_array($member, $groups)) return true; - }else{ + } else { $member = $auth->cleanUser($member); if($member == $user) return true; } @@ -468,12 +488,12 @@ function auth_isMember($memberlist,$user,array $groups){ * @param string $id page ID (needs to be resolved and cleaned) * @return int permission level */ -function auth_quickaclcheck($id){ +function auth_quickaclcheck($id) { global $conf; global $USERINFO; # if no ACL is used always return upload rights if(!$conf['useacl']) return AUTH_UPLOAD; - return auth_aclcheck($id,$_SERVER['REMOTE_USER'],$USERINFO['grps']); + return auth_aclcheck($id, $_SERVER['REMOTE_USER'], $USERINFO['grps']); } /** @@ -487,106 +507,110 @@ function auth_quickaclcheck($id){ * @param array $groups Array of groups the user is in * @return int permission level */ -function auth_aclcheck($id,$user,$groups){ +function auth_aclcheck($id, $user, $groups) { global $conf; global $AUTH_ACL; + /* @var auth_basic $auth */ global $auth; // if no ACL is used always return upload rights if(!$conf['useacl']) return AUTH_UPLOAD; - if (!$auth) return AUTH_NONE; + if(!$auth) return AUTH_NONE; //make sure groups is an array if(!is_array($groups)) $groups = array(); //if user is superuser or in superusergroup return 255 (acl_admin) - if(auth_isadmin($user,$groups)) { return AUTH_ADMIN; } + if(auth_isadmin($user, $groups)) { + return AUTH_ADMIN; + } $ci = ''; if(!$auth->isCaseSensitive()) $ci = 'ui'; - $user = $auth->cleanUser($user); - $groups = array_map(array($auth,'cleanGroup'),(array)$groups); - $user = auth_nameencode($user); + $user = $auth->cleanUser($user); + $groups = array_map(array($auth, 'cleanGroup'), (array) $groups); + $user = auth_nameencode($user); //prepend groups with @ and nameencode $cnt = count($groups); - for($i=0; $i<$cnt; $i++){ + for($i = 0; $i < $cnt; $i++) { $groups[$i] = '@'.auth_nameencode($groups[$i]); } - $ns = getNS($id); - $perm = -1; + $ns = getNS($id); + $perm = -1; - if($user || count($groups)){ + if($user || count($groups)) { //add ALL group $groups[] = '@ALL'; //add User if($user) $groups[] = $user; - }else{ + } else { $groups[] = '@ALL'; } //check exact match first - $matches = preg_grep('/^'.preg_quote($id,'/').'\s+(\S+)\s+/'.$ci,$AUTH_ACL); - if(count($matches)){ - foreach($matches as $match){ - $match = preg_replace('/#.*$/','',$match); //ignore comments - $acl = preg_split('/\s+/',$match); - if (!in_array($acl[1], $groups)) { + $matches = preg_grep('/^'.preg_quote($id, '/').'\s+(\S+)\s+/'.$ci, $AUTH_ACL); + if(count($matches)) { + foreach($matches as $match) { + $match = preg_replace('/#.*$/', '', $match); //ignore comments + $acl = preg_split('/\s+/', $match); + if(!in_array($acl[1], $groups)) { continue; } if($acl[2] > AUTH_DELETE) $acl[2] = AUTH_DELETE; //no admins in the ACL! - if($acl[2] > $perm){ + if($acl[2] > $perm) { $perm = $acl[2]; } } - if($perm > -1){ + if($perm > -1) { //we had a match - return it return $perm; } } //still here? do the namespace checks - if($ns){ + if($ns) { $path = $ns.':*'; - }else{ + } else { $path = '*'; //root document } - do{ - $matches = preg_grep('/^'.preg_quote($path,'/').'\s+(\S+)\s+/'.$ci,$AUTH_ACL); - if(count($matches)){ - foreach($matches as $match){ - $match = preg_replace('/#.*$/','',$match); //ignore comments - $acl = preg_split('/\s+/',$match); - if (!in_array($acl[1], $groups)) { + do { + $matches = preg_grep('/^'.preg_quote($path, '/').'\s+(\S+)\s+/'.$ci, $AUTH_ACL); + if(count($matches)) { + foreach($matches as $match) { + $match = preg_replace('/#.*$/', '', $match); //ignore comments + $acl = preg_split('/\s+/', $match); + if(!in_array($acl[1], $groups)) { continue; } if($acl[2] > AUTH_DELETE) $acl[2] = AUTH_DELETE; //no admins in the ACL! - if($acl[2] > $perm){ + if($acl[2] > $perm) { $perm = $acl[2]; } } //we had a match - return it - if ($perm != -1) { + if($perm != -1) { return $perm; } } //get next higher namespace - $ns = getNS($ns); + $ns = getNS($ns); - if($path != '*'){ + if($path != '*') { $path = $ns.':*'; if($path == ':*') $path = '*'; - }else{ + } else { //we did this already //looks like there is something wrong with the ACL //break here msg('No ACL setup yet! Denying access to everyone.'); return AUTH_NONE; } - }while(1); //this should never loop endless + } while(1); //this should never loop endless + return AUTH_NONE; } /** @@ -602,7 +626,7 @@ function auth_aclcheck($id,$user,$groups){ * @author Andreas Gohr <gohr@cosmocode.de> * @see rawurldecode() */ -function auth_nameencode($name,$skip_group=false){ +function auth_nameencode($name, $skip_group = false) { global $cache_authname; $cache =& $cache_authname; $name = (string) $name; @@ -610,13 +634,17 @@ function auth_nameencode($name,$skip_group=false){ // never encode wildcard FS#1955 if($name == '%USER%') return $name; - if (!isset($cache[$name][$skip_group])) { - if($skip_group && $name{0} =='@'){ - $cache[$name][$skip_group] = '@'.preg_replace('/([\x00-\x2f\x3a-\x40\x5b-\x60\x7b-\x7f])/e', - "'%'.dechex(ord(substr('\\1',-1)))",substr($name,1)); - }else{ - $cache[$name][$skip_group] = preg_replace('/([\x00-\x2f\x3a-\x40\x5b-\x60\x7b-\x7f])/e', - "'%'.dechex(ord(substr('\\1',-1)))",$name); + if(!isset($cache[$name][$skip_group])) { + if($skip_group && $name{0} == '@') { + $cache[$name][$skip_group] = '@'.preg_replace( + '/([\x00-\x2f\x3a-\x40\x5b-\x60\x7b-\x7f])/e', + "'%'.dechex(ord(substr('\\1',-1)))", substr($name, 1) + ); + } else { + $cache[$name][$skip_group] = preg_replace( + '/([\x00-\x2f\x3a-\x40\x5b-\x60\x7b-\x7f])/e', + "'%'.dechex(ord(substr('\\1',-1)))", $name + ); } } @@ -631,20 +659,20 @@ function auth_nameencode($name,$skip_group=false){ * * @return string pronouncable password */ -function auth_pwgen(){ +function auth_pwgen() { $pw = ''; $c = 'bcdfghjklmnprstvwz'; //consonants except hard to speak ones - $v = 'aeiou'; //vowels - $a = $c.$v; //both + $v = 'aeiou'; //vowels + $a = $c.$v; //both //use two syllables... - for($i=0;$i < 2; $i++){ - $pw .= $c[rand(0, strlen($c)-1)]; - $pw .= $v[rand(0, strlen($v)-1)]; - $pw .= $a[rand(0, strlen($a)-1)]; + for($i = 0; $i < 2; $i++) { + $pw .= $c[rand(0, strlen($c) - 1)]; + $pw .= $v[rand(0, strlen($v) - 1)]; + $pw .= $a[rand(0, strlen($a) - 1)]; } //... and add a nice number - $pw .= rand(10,99); + $pw .= rand(10, 99); return $pw; } @@ -653,16 +681,16 @@ function auth_pwgen(){ * Sends a password to the given user * * @author Andreas Gohr <andi@splitbrain.org> - * + * @param string $user Login name of the user + * @param string $password The new password in clear text * @return bool true on success */ -function auth_sendPassword($user,$password){ - global $conf; +function auth_sendPassword($user, $password) { global $lang; + /* @var auth_basic $auth */ global $auth; - if (!$auth) return false; + if(!$auth) return false; - $hdrs = ''; $user = $auth->cleanUser($user); $userinfo = $auth->getUserData($user); @@ -670,15 +698,15 @@ function auth_sendPassword($user,$password){ $text = rawLocale('password'); $trep = array( - 'FULLNAME' => $userinfo['name'], - 'LOGIN' => $user, - 'PASSWORD' => $password - ); + 'FULLNAME' => $userinfo['name'], + 'LOGIN' => $user, + 'PASSWORD' => $password + ); $mail = new Mailer(); $mail->to($userinfo['name'].' <'.$userinfo['mail'].'>'); $mail->subject($lang['regpwmail']); - $mail->setBody($text,$trep); + $mail->setBody($text, $trep); return $mail->send(); } @@ -688,12 +716,12 @@ function auth_sendPassword($user,$password){ * This registers a new user - Data is read directly from $_POST * * @author Andreas Gohr <andi@splitbrain.org> - * * @return bool true on success, false on any error */ -function register(){ +function register() { global $lang; global $conf; + /* @var auth_basic $auth */ global $auth; if(!$_POST['save']) return false; @@ -703,61 +731,63 @@ function register(){ $_POST['login'] = trim($auth->cleanUser($_POST['login'])); //clean fullname and email - $_POST['fullname'] = trim(preg_replace('/[\x00-\x1f:<>&%,;]+/','',$_POST['fullname'])); - $_POST['email'] = trim(preg_replace('/[\x00-\x1f:<>&%,;]+/','',$_POST['email'])); + $_POST['fullname'] = trim(preg_replace('/[\x00-\x1f:<>&%,;]+/', '', $_POST['fullname'])); + $_POST['email'] = trim(preg_replace('/[\x00-\x1f:<>&%,;]+/', '', $_POST['email'])); - if( empty($_POST['login']) || + if(empty($_POST['login']) || empty($_POST['fullname']) || - empty($_POST['email']) ){ - msg($lang['regmissing'],-1); + empty($_POST['email']) + ) { + msg($lang['regmissing'], -1); return false; } - if ($conf['autopasswd']) { - $pass = auth_pwgen(); // automatically generate password - } elseif (empty($_POST['pass']) || - empty($_POST['passchk'])) { - msg($lang['regmissing'], -1); // complain about missing passwords + if($conf['autopasswd']) { + $pass = auth_pwgen(); // automatically generate password + } elseif(empty($_POST['pass']) || + empty($_POST['passchk']) + ) { + msg($lang['regmissing'], -1); // complain about missing passwords return false; - } elseif ($_POST['pass'] != $_POST['passchk']) { - msg($lang['regbadpass'], -1); // complain about misspelled passwords + } elseif($_POST['pass'] != $_POST['passchk']) { + msg($lang['regbadpass'], -1); // complain about misspelled passwords return false; } else { - $pass = $_POST['pass']; // accept checked and valid password + $pass = $_POST['pass']; // accept checked and valid password } //check mail - if(!mail_isvalid($_POST['email'])){ - msg($lang['regbadmail'],-1); + if(!mail_isvalid($_POST['email'])) { + msg($lang['regbadmail'], -1); return false; } //okay try to create the user - if(!$auth->triggerUserMod('create', array($_POST['login'],$pass,$_POST['fullname'],$_POST['email']))){ - msg($lang['reguexists'],-1); + if(!$auth->triggerUserMod('create', array($_POST['login'], $pass, $_POST['fullname'], $_POST['email']))) { + msg($lang['reguexists'], -1); return false; } // create substitutions for use in notification email $substitutions = array( - 'NEWUSER' => $_POST['login'], - 'NEWNAME' => $_POST['fullname'], - 'NEWEMAIL' => $_POST['email'], - ); + 'NEWUSER' => $_POST['login'], + 'NEWNAME' => $_POST['fullname'], + 'NEWEMAIL' => $_POST['email'], + ); - if (!$conf['autopasswd']) { - msg($lang['regsuccess2'],1); + if(!$conf['autopasswd']) { + msg($lang['regsuccess2'], 1); notify('', 'register', '', $_POST['login'], false, $substitutions); return true; } // autogenerated password? then send him the password - if (auth_sendPassword($_POST['login'],$pass)){ - msg($lang['regsuccess'],1); + if(auth_sendPassword($_POST['login'], $pass)) { + msg($lang['regsuccess'], 1); notify('', 'register', '', $_POST['login'], false, $substitutions); return true; - }else{ - msg($lang['regmailfail'],-1); + } else { + msg($lang['regmailfail'], -1); return false; } } @@ -771,61 +801,66 @@ function updateprofile() { global $conf; global $INFO; global $lang; + /* @var auth_basic $auth */ global $auth; if(empty($_POST['save'])) return false; if(!checkSecurityToken()) return false; if(!actionOK('profile')) { - msg($lang['profna'],-1); + msg($lang['profna'], -1); return false; } - if ($_POST['newpass'] != $_POST['passchk']) { - msg($lang['regbadpass'], -1); // complain about misspelled passwords + if($_POST['newpass'] != $_POST['passchk']) { + msg($lang['regbadpass'], -1); // complain about misspelled passwords return false; } //clean fullname and email - $_POST['fullname'] = trim(preg_replace('/[\x00-\x1f:<>&%,;]+/','',$_POST['fullname'])); - $_POST['email'] = trim(preg_replace('/[\x00-\x1f:<>&%,;]+/','',$_POST['email'])); + $_POST['fullname'] = trim(preg_replace('/[\x00-\x1f:<>&%,;]+/', '', $_POST['fullname'])); + $_POST['email'] = trim(preg_replace('/[\x00-\x1f:<>&%,;]+/', '', $_POST['email'])); - if ((empty($_POST['fullname']) && $auth->canDo('modName')) || - (empty($_POST['email']) && $auth->canDo('modMail'))) { - msg($lang['profnoempty'],-1); + if((empty($_POST['fullname']) && $auth->canDo('modName')) || + (empty($_POST['email']) && $auth->canDo('modMail')) + ) { + msg($lang['profnoempty'], -1); return false; } - if (!mail_isvalid($_POST['email']) && $auth->canDo('modMail')){ - msg($lang['regbadmail'],-1); + if(!mail_isvalid($_POST['email']) && $auth->canDo('modMail')) { + msg($lang['regbadmail'], -1); return false; } - if ($_POST['fullname'] != $INFO['userinfo']['name'] && $auth->canDo('modName')) $changes['name'] = $_POST['fullname']; - if ($_POST['email'] != $INFO['userinfo']['mail'] && $auth->canDo('modMail')) $changes['mail'] = $_POST['email']; - if (!empty($_POST['newpass']) && $auth->canDo('modPass')) $changes['pass'] = $_POST['newpass']; + $changes = array(); + if($_POST['fullname'] != $INFO['userinfo']['name'] && $auth->canDo('modName')) $changes['name'] = $_POST['fullname']; + if($_POST['email'] != $INFO['userinfo']['mail'] && $auth->canDo('modMail')) $changes['mail'] = $_POST['email']; + if(!empty($_POST['newpass']) && $auth->canDo('modPass')) $changes['pass'] = $_POST['newpass']; - if (!count($changes)) { + if(!count($changes)) { msg($lang['profnochange'], -1); return false; } - if ($conf['profileconfirm']) { - if (!$auth->checkPass($_SERVER['REMOTE_USER'], $_POST['oldpass'])) { - msg($lang['badlogin'],-1); + if($conf['profileconfirm']) { + if(!$auth->checkPass($_SERVER['REMOTE_USER'], $_POST['oldpass'])) { + msg($lang['badlogin'], -1); return false; } } - if ($result = $auth->triggerUserMod('modify', array($_SERVER['REMOTE_USER'], $changes))) { + if($result = $auth->triggerUserMod('modify', array($_SERVER['REMOTE_USER'], $changes))) { // update cookie and session with the changed data - if ($changes['pass']){ - list($user,$sticky,$pass) = auth_getCookie(); - $pass = PMA_blowfish_encrypt($changes['pass'],auth_cookiesalt(!$sticky)); - auth_setCookie($_SERVER['REMOTE_USER'],$pass,(bool)$sticky); + if($changes['pass']) { + list( /*user*/, $sticky, /*pass*/) = auth_getCookie(); + $pass = PMA_blowfish_encrypt($changes['pass'], auth_cookiesalt(!$sticky)); + auth_setCookie($_SERVER['REMOTE_USER'], $pass, (bool) $sticky); } return true; } + + return false; } /** @@ -842,68 +877,69 @@ function updateprofile() { * * @return bool true on success, false on any error */ -function act_resendpwd(){ +function act_resendpwd() { global $lang; global $conf; + /* @var auth_basic $auth */ global $auth; if(!actionOK('resendpwd')) { - msg($lang['resendna'],-1); + msg($lang['resendna'], -1); return false; } - $token = preg_replace('/[^a-f0-9]+/','',$_REQUEST['pwauth']); + $token = preg_replace('/[^a-f0-9]+/', '', $_REQUEST['pwauth']); - if($token){ + if($token) { // we're in token phase - get user info from token $tfile = $conf['cachedir'].'/'.$token{0}.'/'.$token.'.pwauth'; - if(!@file_exists($tfile)){ - msg($lang['resendpwdbadauth'],-1); + if(!@file_exists($tfile)) { + msg($lang['resendpwdbadauth'], -1); unset($_REQUEST['pwauth']); return false; } // token is only valid for 3 days - if( (time() - filemtime($tfile)) > (3*60*60*24) ){ - msg($lang['resendpwdbadauth'],-1); + if((time() - filemtime($tfile)) > (3 * 60 * 60 * 24)) { + msg($lang['resendpwdbadauth'], -1); unset($_REQUEST['pwauth']); @unlink($tfile); return false; } - $user = io_readfile($tfile); + $user = io_readfile($tfile); $userinfo = $auth->getUserData($user); if(!$userinfo['mail']) { msg($lang['resendpwdnouser'], -1); return false; } - if(!$conf['autopasswd']){ // we let the user choose a password + if(!$conf['autopasswd']) { // we let the user choose a password // password given correctly? if(!isset($_REQUEST['pass']) || $_REQUEST['pass'] == '') return false; - if($_REQUEST['pass'] != $_REQUEST['passchk']){ - msg($lang['regbadpass'],-1); + if($_REQUEST['pass'] != $_REQUEST['passchk']) { + msg($lang['regbadpass'], -1); return false; } $pass = $_REQUEST['pass']; - if (!$auth->triggerUserMod('modify', array($user,array('pass' => $pass)))) { - msg('error modifying user data',-1); + if(!$auth->triggerUserMod('modify', array($user, array('pass' => $pass)))) { + msg('error modifying user data', -1); return false; } - }else{ // autogenerate the password and send by mail + } else { // autogenerate the password and send by mail $pass = auth_pwgen(); - if (!$auth->triggerUserMod('modify', array($user,array('pass' => $pass)))) { - msg('error modifying user data',-1); + if(!$auth->triggerUserMod('modify', array($user, array('pass' => $pass)))) { + msg('error modifying user data', -1); return false; } - if (auth_sendPassword($user,$pass)) { - msg($lang['resendpwdsuccess'],1); + if(auth_sendPassword($user, $pass)) { + msg($lang['resendpwdsuccess'], 1); } else { - msg($lang['regmailfail'],-1); + msg($lang['regmailfail'], -1); } } @@ -915,7 +951,7 @@ function act_resendpwd(){ if(!$_POST['save']) return false; - if (empty($_POST['login'])) { + if(empty($_POST['login'])) { msg($lang['resendpwdmissing'], -1); return false; } else { @@ -931,30 +967,29 @@ function act_resendpwd(){ // generate auth token $token = md5(auth_cookiesalt().$user); //secret but user based $tfile = $conf['cachedir'].'/'.$token{0}.'/'.$token.'.pwauth'; - $url = wl('',array('do'=>'resendpwd','pwauth'=>$token),true,'&'); + $url = wl('', array('do'=> 'resendpwd', 'pwauth'=> $token), true, '&'); - io_saveFile($tfile,$user); + io_saveFile($tfile, $user); $text = rawLocale('pwconfirm'); $trep = array( - 'FULLNAME' => $userinfo['name'], - 'LOGIN' => $user, - 'CONFIRM' => $url - ); + 'FULLNAME' => $userinfo['name'], + 'LOGIN' => $user, + 'CONFIRM' => $url + ); $mail = new Mailer(); $mail->to($userinfo['name'].' <'.$userinfo['mail'].'>'); $mail->subject($lang['regpwmail']); - $mail->setBody($text,$trep); - if($mail->send()){ - msg($lang['resendpwdconfirm'],1); - }else{ - msg($lang['regmailfail'],-1); + $mail->setBody($text, $trep); + if($mail->send()) { + msg($lang['resendpwdconfirm'], 1); + } else { + msg($lang['regmailfail'], -1); } return true; } - - return false; // never reached + // never reached } /** @@ -964,32 +999,37 @@ function act_resendpwd(){ * is chosen. * * @author Andreas Gohr <andi@splitbrain.org> + * @param string $clear The clear text password + * @param string $method The hashing method + * @param string $salt A salt, null for random * @return string The crypted password */ -function auth_cryptPassword($clear,$method='',$salt=null){ +function auth_cryptPassword($clear, $method = '', $salt = null) { global $conf; if(empty($method)) $method = $conf['passcrypt']; - $pass = new PassHash(); - $call = 'hash_'.$method; + $pass = new PassHash(); + $call = 'hash_'.$method; - if(!method_exists($pass,$call)){ - msg("Unsupported crypt method $method",-1); + if(!method_exists($pass, $call)) { + msg("Unsupported crypt method $method", -1); return false; } - return $pass->$call($clear,$salt); + return $pass->$call($clear, $salt); } /** * Verifies a cleartext password against a crypted hash * - * @author Andreas Gohr <andi@splitbrain.org> - * @return bool + * @author Andreas Gohr <andi@splitbrain.org> + * @param string $clear The clear text password + * @param string $crypt The hash to compare with + * @return bool true if both match */ -function auth_verifyPassword($clear,$crypt){ +function auth_verifyPassword($clear, $crypt) { $pass = new PassHash(); - return $pass->verify_hash($clear,$crypt); + return $pass->verify_hash($clear, $crypt); } /** @@ -998,23 +1038,25 @@ function auth_verifyPassword($clear,$crypt){ * @param string $user username * @param string $pass encrypted password * @param bool $sticky whether or not the cookie will last beyond the session + * @return bool */ -function auth_setCookie($user,$pass,$sticky) { +function auth_setCookie($user, $pass, $sticky) { global $conf; + /* @var auth_basic $auth */ global $auth; global $USERINFO; - if (!$auth) return false; + if(!$auth) return false; $USERINFO = $auth->getUserData($user); // set cookie - $cookie = base64_encode($user).'|'.((int) $sticky).'|'.base64_encode($pass); + $cookie = base64_encode($user).'|'.((int) $sticky).'|'.base64_encode($pass); $cookieDir = empty($conf['cookiedir']) ? DOKU_REL : $conf['cookiedir']; - $time = $sticky ? (time()+60*60*24*365) : 0; //one year - if (version_compare(PHP_VERSION, '5.2.0', '>')) { - setcookie(DOKU_COOKIE,$cookie,$time,$cookieDir,'',($conf['securecookie'] && is_ssl()),true); - }else{ - setcookie(DOKU_COOKIE,$cookie,$time,$cookieDir,'',($conf['securecookie'] && is_ssl())); + $time = $sticky ? (time() + 60 * 60 * 24 * 365) : 0; //one year + if(version_compare(PHP_VERSION, '5.2.0', '>')) { + setcookie(DOKU_COOKIE, $cookie, $time, $cookieDir, '', ($conf['securecookie'] && is_ssl()), true); + } else { + setcookie(DOKU_COOKIE, $cookie, $time, $cookieDir, '', ($conf['securecookie'] && is_ssl())); } // set session $_SESSION[DOKU_COOKIE]['auth']['user'] = $user; @@ -1022,6 +1064,8 @@ function auth_setCookie($user,$pass,$sticky) { $_SESSION[DOKU_COOKIE]['auth']['buid'] = auth_browseruid(); $_SESSION[DOKU_COOKIE]['auth']['info'] = $USERINFO; $_SESSION[DOKU_COOKIE]['auth']['time'] = time(); + + return true; } /** @@ -1029,15 +1073,15 @@ function auth_setCookie($user,$pass,$sticky) { * * @returns array */ -function auth_getCookie(){ - if (!isset($_COOKIE[DOKU_COOKIE])) { +function auth_getCookie() { + if(!isset($_COOKIE[DOKU_COOKIE])) { return array(null, null, null); } - list($user,$sticky,$pass) = explode('|',$_COOKIE[DOKU_COOKIE],3); + list($user, $sticky, $pass) = explode('|', $_COOKIE[DOKU_COOKIE], 3); $sticky = (bool) $sticky; $pass = base64_decode($pass); $user = base64_decode($user); - return array($user,$sticky,$pass); + return array($user, $sticky, $pass); } //Setup VIM: ex: et ts=2 : |