-rw-r--r-- | inc/auth.php | 5 | ||||
-rw-r--r-- | inc/auth/basic.class.php | 349 | ||||
-rw-r--r-- | inc/auth/punbb.class.php | 121 | ||||
-rw-r--r-- | inc/html.php | 7 |
4 files changed, 304 insertions, 178 deletions
diff --git a/inc/auth.php b/inc/auth.php
index 69ff930be..d8fae97b7 100644
--- a/inc/auth.php
+++ b/inc/auth.php
@@ -207,6 +207,7 @@ function auth_logoff(){
 global $conf;
 global $USERINFO;
 global $INFO, $ID;
+ global $auth;
 
 if(isset($_SESSION[$conf['title']]['auth']['user']))
 unset($_SESSION[$conf['title']]['auth']['user']);
@@ -218,6 +219,10 @@ function auth_logoff(){
 unset($_SERVER['REMOTE_USER']);
 $USERINFO=null; //FIXME
 setcookie(DOKU_COOKIE,'',time()-600000,'/');
+
+ if($auth && $auth->canDo('logoff')){
+ $auth->logOff();
+ }
 }
 
 /**
diff --git a/inc/auth/basic.class.php b/inc/auth/basic.class.php
index 7f187d458..b47a63de9 100644
--- a/inc/auth/basic.class.php
+++ b/inc/auth/basic.class.php
@@ -10,44 +10,45 @@ class auth_basic { - var $success = true; + var $success = true; - /** + /** * Posible things an auth backend module may be able to * do. The things a backend can do need to be set to true * in the constructor. */ - var $cando = array ( - 'addUser' => false, // can Users be created? - 'delUser' => false, // can Users be deleted? - 'modLogin' => false, // can login names be changed? - 'modPass' => false, // can passwords be changed? - 'modName' => false, // can real names be changed? - 'modMail' => false, // can emails be changed? - 'modGroups' => false, // can groups be changed? - 'getUsers' => false, // can a (filtered) list of users be retrieved? - 'getUserCount'=> false, // can the number of users be retrieved? - 'getGroups' => false, // can a list of available groups be retrieved? - 'external' => false, // does the module do external auth checking? + var $cando = array ( + 'addUser' => false, // can Users be created? + 'delUser' => false, // can Users be deleted? + 'modLogin' => false, // can login names be changed? + 'modPass' => false, // can passwords be changed? + 'modName' => false, // can real names be changed? + 'modMail' => false, // can emails be changed? + 'modGroups' => false, // can groups be changed? + 'getUsers' => false, // can a (filtered) list of users be retrieved? + 'getUserCount'=> false, // can the number of users be retrieved? + 'getGroups' => false, // can a list of available groups be retrieved? + 'external' => false, // does the module do external auth checking? + 'logoff' => false, // has the module some special logoff method? ); - /** - * Constructor. - * - * Carry out sanity checks to ensure the object is - * able to operate. Set capabilities in $this->cando + /** + * Constructor. + * + * Carry out sanity checks to ensure the object is + * able to operate. 
Set capabilities in $this->cando * array here - * - * Set $this->success to false if checks fail - * + * + * Set $this->success to false if checks fail + * * @author Christopher Smith <chris@jalakai.co.uk> - */ + */ function auth_basic() { - // the base class constructor does nothing, derived class + // the base class constructor does nothing, derived class // constructors do the real work - } + } /** * Capability check. [ DO NOT OVERRIDE ] @@ -59,19 +60,19 @@ class auth_basic { * ususal capabilities start with lowercase letter * shortcut capabilities start with uppercase letter * - * @author Andreas Gohr <andi@splitbrain.org> - * @return bool - */ + * @author Andreas Gohr <andi@splitbrain.org> + * @return bool + */ function canDo($cap) { - switch($cap){ - case 'Profile': - // can at least one of the user's properties be changed? - return ( $this->cando['modPass'] || + switch($cap){ + case 'Profile': + // can at least one of the user's properties be changed? + return ( $this->cando['modPass'] || $this->cando['modName'] || $this->cando['modMail'] ); - break; - case 'UserMod': - // can at least anything be changed? + break; + case 'UserMod': + // can at least anything be changed? return ( $this->cando['modPass'] || $this->cando['modName'] || $this->cando['modMail'] || 
@@ -79,15 +80,26 @@ class auth_basic { $this->cando['modGroups'] || $this->cando['modMail'] ); break; - default: - // print a helping message for developers - if(!isset($this->cando[$cap])){ - msg("Check for unknown capability '$cap' - Do you use an outdated Plugin?",-1); - } - return $this->cando[$cap]; - } - } + default: + // print a helping message for developers + if(!isset($this->cando[$cap])){ + msg("Check for unknown capability '$cap' - Do you use an outdated Plugin?",-1); + } + return $this->cando[$cap]; + } + } + /** + * Log off the current user [ OPTIONAL ] + * + * Is run in addition to the ususal logoff method. Should + * only be needed when trustExternal is implemented. + * + * @see auth_logoff() + * @author Andreas Gohr + */ + function logOff(){ + } /** * Do all authentication [ OPTIONAL ] 
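Review bot: The new `logOff()` stub's docblock says when a backend should implement it but not how it is reached; per the inc/auth.php hunk, auth_logoff() only calls it when `$this->cando['logoff']` is true, so a backend that overrides the method without also setting the capability will never have it run. Suggest adding ` * Only called from auth_logoff() when $this->cando['logoff'] is true.` to the docblock, and fixing `ususal` to `usual` while there. The empty body is the right default for the base class, since the call site already guards on the capability.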
@@ -141,139 +153,140 @@ class auth_basic { # return true; } - /** - * Check user+password [ MUST BE OVERRIDDEN ] - * - * Checks if the given user exists and the given - * plaintext password is correct - * - * @author Andreas Gohr <andi@splitbrain.org> - * @return bool - */ - function checkPass($user,$pass){ - msg("no valid authorisation system in use", -1); - return false; - } - - /** - * Return user info [ MUST BE OVERRIDDEN ] - * - * Returns info about the given user needs to contain - * at least these fields: - * - * name string full name of the user - * mail string email addres of the user - * grps array list of groups the user is in - * - * @author Andreas Gohr <andi@splitbrain.org> - * @return array containing user data or false - */ - function getUserData($user) { + /** + * Check user+password [ MUST BE OVERRIDDEN ] + * + * Checks if the given user exists and the given + * plaintext password is correct + * + * @author Andreas Gohr <andi@splitbrain.org> + * @return bool + */ + function checkPass($user,$pass){ + msg("no valid authorisation system in use", -1); + return false; + } + + /** + * Return user info [ MUST BE OVERRIDDEN ] + * + * Returns info about the given user needs to contain + * at least these fields: + * + * name string full name of the user + * mail string email addres of the user + * grps array list of groups the user is in + * + * @author Andreas Gohr <andi@splitbrain.org> + * @return array containing user data or false + */ + function getUserData($user) { msg("no valid authorisation system in use", -1); return false; - } - - /** - * Create a new User [implement only where required/possible] - * - * Returns false if the user already exists, null when an error - * occured and the cleartext password of the new user if - * everything went well. - * - * The new user HAS TO be added to the default group by this - * function! 
- * + } + + /** + * Create a new User [implement only where required/possible] + * + * Returns false if the user already exists, null when an error + * occured and the cleartext password of the new user if + * everything went well. + * + * The new user HAS TO be added to the default group by this + * function! + * * Set addUser capability when implemented * - * @author Andreas Gohr <andi@splitbrain.org> - */ - function createUser($user,$pass,$name,$mail,$grps=null){ - msg("authorisation method does not allow creation of new users", -1); - return null; - } - - /** - * Modify user data [implement only where required/possible] - * + * @author Andreas Gohr <andi@splitbrain.org> + */ + function createUser($user,$pass,$name,$mail,$grps=null){ + msg("authorisation method does not allow creation of new users", -1); + return null; + } + + /** + * Modify user data [implement only where required/possible] + * * Set the mod* capabilities according to the implemented features * - * @author Chris Smith <chris@jalakai.co.uk> - * @param $user nick of the user to be changed - * @param $changes array of field/value pairs to be changed (password will be clear text) - * @return bool - */ - function modifyUser($user, $changes) { - msg("authorisation method does not allow modifying of user data", -1); - return false; - } - - /** - * Delete one or more users [implement only where required/possible] - * + * @author Chris Smith <chris@jalakai.co.uk> + * @param $user nick of the user to be changed + * @param $changes array of field/value pairs to be changed (password will be clear text) + * @return bool + */ + function modifyUser($user, $changes) { + msg("authorisation method does not allow modifying of user data", -1); + return false; + } + + /** + * Delete one or more users [implement only where required/possible] + * * Set delUser capability when implemented - * - * @author Chris Smith <chris@jalakai.co.uk> - * @param array $users - * @return int number of users deleted - */ - function 
deleteUsers($users) { - msg("authorisation method does not allow deleting of users", -1); - return false; - } + * + * @author Chris Smith <chris@jalakai.co.uk> + * @param array $users + * @return int number of users deleted + */ + function deleteUsers($users) { + msg("authorisation method does not allow deleting of users", -1); + return false; + } - /** - * Return a count of the number of user which meet $filter criteria - * [should be implemented whenever retrieveUsers is implemented] - * - * Set getUserCount capability when implemented - * - * @author Chris Smith <chris@jalakai.co.uk> - */ - function getUserCount($filter=array()) { - msg("authorisation method does not provide user counts", -1); - return 0; - } - - /** - * Bulk retrieval of user data [implement only where required/possible] - * - * Set getUsers capability when implemented - * - * @author Chris Smith <chris@jalakai.co.uk> - * @param start index of first user to be returned - * @param limit max number of users to be returned - * @param filter array of field/pattern pairs, null for no filter - * @return array of userinfo (refer getUserData for internal userinfo details) - */ - function retrieveUsers($start=0,$limit=-1,$filter=null) { - msg("authorisation method does not support mass retrieval of user data", -1); - return array(); - } - - /** - * Define a group [implement only where required/possible] - * - * Set addGroup capability when implemented - * - * @author Chris Smith <chris@jalakai.co.uk> - * @return bool - */ - function addGroup($group) { - msg("authorisation method does not support independent group creation", -1); - return false; - } + /** + * Return a count of the number of user which meet $filter criteria + * [should be implemented whenever retrieveUsers is implemented] + * + * Set getUserCount capability when implemented + * + * @author Chris Smith <chris@jalakai.co.uk> + */ + function getUserCount($filter=array()) { + msg("authorisation method does not provide user counts", -1); + 
return 0; + } + + /** + * Bulk retrieval of user data [implement only where required/possible] + * + * Set getUsers capability when implemented + * + * @author Chris Smith <chris@jalakai.co.uk> + * @param start index of first user to be returned + * @param limit max number of users to be returned + * @param filter array of field/pattern pairs, null for no filter + * @return array of userinfo (refer getUserData for internal userinfo details) + */ + function retrieveUsers($start=0,$limit=-1,$filter=null) { + msg("authorisation method does not support mass retrieval of user data", -1); + return array(); + } + + /** + * Define a group [implement only where required/possible] + * + * Set addGroup capability when implemented + * + * @author Chris Smith <chris@jalakai.co.uk> + * @return bool + */ + function addGroup($group) { + msg("authorisation method does not support independent group creation", -1); + return false; + } - /** - * Retrieve groups [implement only where required/possible] - * - * Set getGroups capability when implemented - * - * @author Chris Smith <chris@jalakai.co.uk> - * @return array - */ - function retrieveGroups($start=0,$limit=0) { - msg("authorisation method does not support group list retrieval", -1); - return array(); - } + /** + * Retrieve groups [implement only where required/possible] + * + * Set getGroups capability when implemented + * + * @author Chris Smith <chris@jalakai.co.uk> + * @return array + */ + function retrieveGroups($start=0,$limit=0) { + msg("authorisation method does not support group list retrieval", -1); + return array(); + } } +//Setup VIM: ex: et ts=2 enc=utf-8 : diff --git a/inc/auth/punbb.class.php b/inc/auth/punbb.class.php index e4e7bca42..455432d51 100644 --- a/inc/auth/punbb.class.php +++ b/inc/auth/punbb.class.php 
@@ -5,11 +5,6 @@ * Uses external Trust mechanism to check against PunBB's * user cookie. PunBB's PUN_ROOT must be defined correctly. * - * It inherits from the MySQL module, so you may set up - * the correct SQL strings for user modification if you like. - * - * @todo This is far from perfect yet. SQL Strings should be - * predefined. Logging in should be handled correctly. * @author Andreas Gohr <andi@splitbrain.org> */ 
@@ -17,28 +12,124 @@ if(!defined('PUN_ROOT')) define('PUN_ROOT', DOKU_INC.'../forum/'); require_once PUN_ROOT.'include/common.php'; require_once DOKU_INC.'inc/auth/mysql.class.php'; +#dbg($GLOBALS); +#dbg($pun_user); + class auth_punbb extends auth_mysql { /** + * Constructor. + * + * Sets additional capabilities and config strings + */ + function auth_punbb(){ + global $conf; + $this->cando['external'] = true; + $this->cando['logoff'] = true; + + // make sure we use a crypt understood by punbb + if(function_exists('sha1')){ + $conf['passcrypt'] = 'sha1'; + }else{ + $conf['passcrypt'] = 'md5'; + } + + // get global vars from PunBB config + global $db_host; + global $db_name; + global $db_username; + global $db_password; + global $db_prefix; + + // now set up the mysql config strings + $conf['auth']['mysql']['server'] = $db_host; + $conf['auth']['mysql']['user'] = $db_username; + $conf['auth']['mysql']['password'] = $db_password; + $conf['auth']['mysql']['database'] = $db_name; + + $conf['auth']['mysql']['checkPass'] = "SELECT u.password AS pass + FROM ${db_prefix}users AS u, ${db_prefix}groups AS g + WHERE u.group_id = g.g_id + AND u.username = '%{user}' + AND g.g_title != 'Guest'"; + $conf['auth']['mysql']['getUserInfo'] = "SELECT password AS pass, realname AS name, email AS mail, + id, g_title as `group` + FROM ${db_prefix}users AS u, ${db_prefix}groups AS g + WHERE u.group_id = g.g_id + AND u.username = '%{user}'"; + $conf['auth']['mysql']['getGroups'] = "SELECT g.g_title as `group` + FROM ${db_prefix}users AS u, ${db_prefix}groups AS g + WHERE u.group_id = g.g_id + AND u.username = '%{user}'"; + $conf['auth']['mysql']['getUsers'] = "SELECT DISTINCT u.username AS user + FROM ${db_prefix}users AS u, ${db_prefix}groups AS g + WHERE u.group_id = g.g_id"; + $conf['auth']['mysql']['FilterLogin'] = "u.username LIKE '%{user}'"; + $conf['auth']['mysql']['FilterName'] = "u.realname LIKE '%{name}'"; + $conf['auth']['mysql']['FilterEmail'] = "u.email LIKE '%{email}'"; + 
$conf['auth']['mysql']['FilterGroup'] = "g.g_title LIKE '%{group}'"; + $conf['auth']['mysql']['SortOrder'] = "ORDER BY u.username"; + $conf['auth']['mysql']['addUser'] = "INSERT INTO ${db_prefix}users + (username, password, email, realname) + VALUES ('%{user}', '%{pass}', '%{email}', '%{name}')"; + $conf['auth']['mysql']['addGroup'] = "INSERT INTO ${db_prefix}groups (g_title) VALUES ('%{group}')"; + $conf['auth']['mysql']['addUserGroup']= "UPDATE ${db_prefix}users + SET group_id=%{gid} + WHERE id='%{uid}'"; + $conf['auth']['mysql']['delGroup'] = "DELETE FROM ${db_prefix}groups WHERE g_id='%{gid}'"; + $conf['auth']['mysql']['getUserID'] = "SELECT id FROM ${db_prefix}users WHERE username='%{user}'"; + $conf['auth']['mysql']['updateUser'] = "UPDATE ${db_prefix}users SET"; + $conf['auth']['mysql']['UpdateLogin'] = "username='%{user}'"; + $conf['auth']['mysql']['UpdatePass'] = "password='%{pass}'"; + $conf['auth']['mysql']['UpdateEmail'] = "email='%{email}'"; + $conf['auth']['mysql']['UpdateName'] = "realname='%{name}'"; + $conf['auth']['mysql']['UpdateTarget']= "WHERE id=%{uid}"; + $conf['auth']['mysql']['delUserGroup']= "UPDATE ${db_prefix}users SET g_id=4 WHERE id=%{uid}"; + $conf['auth']['mysql']['getGroupID'] = "SELECT g_id AS id FROM ${db_prefix}groups WHERE g_title='%{group}'"; + + $conf['auth']['mysql']['TablesToLock']= array("${db_prefix}users", "${db_prefix}users AS u", + "${db_prefix}groups", "${db_prefix}groups AS g"); + + $conf['auth']['mysql']['debug'] = 1; + // call mysql constructor + $this->auth_mysql(); + } + + /** * Just checks against the $pun_user variable */ function trustExternal($user,$pass,$sticky=false){ global $USERINFO; global $conf; + global $lang; global $pun_user; + global $pun_config; $sticky ? 
$sticky = true : $sticky = false; //sanity check // someone used the login form if(isset($user)){ - msg('Please login at the forum',-1); - //FIXME a redirect to PunBBs login would be nice here - auth_logoff(); - return false; + if($this->checkPass($user,$pass)){ + $expire = ($sticky) ? time() + 31536000 : 0; + $uinfo = $this->getUserData($user); + pun_setcookie($uinfo['id'], auth_cryptPassword($pass), $expire); + $pun_user = array(); + $pun_user['password'] = auth_cryptPassword($pass); + $pun_user['username'] = $user; + $pun_user['realname'] = $uinfo['name']; + $pun_user['email'] = $uinfo['mail']; + $pun_user['g_title'] = $uinfo['group']; + }else{ + //invalid credentials - log off + msg($lang['badlogin'],-1); + auth_logoff(); + return false; + } } if(isset($pun_user) && !$pun_user['is_guest']){ // okay we're logged in - set the globals - $USERINFO['name'] = $pun_user['username']; + $USERINFO['pass'] = $pun_user['password']; + $USERINFO['name'] = $pun_user['realname']; $USERINFO['mail'] = $pun_user['email']; $USERINFO['grps'] = array($pun_user['g_title']); @@ -52,4 +143,14 @@ class auth_punbb extends auth_mysql { auth_logoff(); return false; } + + /** + * remove punbb cookie on logout + */ + function logOff(){ + global $pun_user; + $pun_user = array(); + pun_setcookie(1, random_pass(8), time() + 31536000); + } } +//Setup VIM: ex: et ts=2 enc=utf-8 : diff --git a/inc/html.php b/inc/html.php index 6f99947f9..0e5454d4e 100644 --- a/inc/html.php +++ b/inc/html.php @@ -1063,6 +1063,7 @@ function html_minoredit(){ function html_debug(){ global $conf; global $lang; + global $auth; //remove sensitive data $cnf = $conf; $cnf['auth']='***'; @@ -1107,6 +1108,12 @@ function html_debug(){ print $lang['encoding']; print '</pre>'; + if($auth){ + print '<b>Auth backend capabilities:</b><pre>'; + print_r($auth->cando); + print '</pre>'; + } + print '<b>$_SESSION:</b><pre>'; print_r($_SESSION); print '</pre>'; |
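Review bot: The `delUserGroup` template writes `SET g_id=4` on the users table, while every other statement in this hunk addresses that column as `group_id` (`addUserGroup` uses `SET group_id=%{gid}`, the joins use `u.group_id = g.g_id`), so the update targets a column the sibling queries say does not exist; the line should read `$conf['auth']['mysql']['delUserGroup']= "UPDATE ${db_prefix}users SET group_id=4 WHERE id=%{uid}";` and the literal 4 deserves a comment naming which forum group it denotes. `$conf['auth']['mysql']['debug'] = 1;` and the `#dbg($GLOBALS);` / `#dbg($pun_user);` lines look like development leftovers; if the mysql backend's debug mode echoes executed statements (not visible here), the `checkPass` and `getUserInfo` queries would put stored password hashes on the page, so both should go before merge. The constructor also rewrites the wiki-wide `$conf['passcrypt']`, which changes how every password the wiki hashes is stored, not only this backend's; a comment such as `// global side effect: wiki passcrypt is switched to match PunBB's stored hashes` would make that deliberate. All templates quote `%{user}`, `%{pass}` and friends inline, so they rely on auth_mysql escaping every substituted value before interpolation, which is worth stating once above the block. trustExternal()'s body continues past the end of this hunk.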
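Review bot: `logOff()` does not expire the forum cookie; it overwrites it with a cookie for user id 1 (presumably the guest account) that stays valid for a year, `pun_setcookie(1, random_pass(8), time() + 31536000)`, so if this mirrors PunBB's own logout convention the method comment should say so, and otherwise an expired timestamp would be the clearer choice. Because auth_logoff() now calls this method (inc/auth.php hunk), the bad-credentials branch of trustExternal() above reaches it too, so one mistyped password on the wiki login form discards a still-valid forum cookie; that is a behaviour change from the previous version and belongs in the docblock. Suggest ` * Remove the PunBB cookie on logout; called via auth_logoff() whenever cando['logoff'] is set, including after a failed wiki login.`.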