diff options
Diffstat (limited to 'inc')
| -rw-r--r-- | inc/auth.php | 14 | ||||
| -rw-r--r-- | inc/auth/basic.class.php | 190 | ||||
| -rw-r--r-- | inc/auth/ldap.class.php | 7 | ||||
| -rw-r--r-- | inc/auth/mysql.class.php | 110 | ||||
| -rw-r--r-- | inc/auth/plain.class.php | 75 | ||||
| -rw-r--r-- | inc/html.php | 12 | ||||
| -rw-r--r-- | inc/template.php | 4 |
7 files changed, 205 insertions, 207 deletions
diff --git a/inc/auth.php b/inc/auth.php index 7ae0da1a4..69ff930be 100644 --- a/inc/auth.php +++ b/inc/auth.php @@ -51,7 +51,7 @@ // do the login either by cookie or provided credentials if($conf['useacl']){ // external trust mechanism in place? - if(!is_null($auth) && $auth->canDo('trustExternal')){ + if(!is_null($auth) && $auth->canDo('external')){ $auth->trustExternal($_REQUEST['u'],$_REQUEST['p'],$_REQUEST['r']); }else{ auth_login($_REQUEST['u'],$_REQUEST['p'],$_REQUEST['r']); @@ -413,7 +413,7 @@ function register(){ global $auth; if(!$_POST['save']) return false; - if(!$auth->canDo('createUser')) return false; + if(!$auth->canDo('addUser')) return false; //clean username $_POST['login'] = preg_replace('/.*:/','',$_POST['login']); @@ -483,8 +483,8 @@ function updateprofile() { if(!$_POST['save']) return false; - // should not be able to get here without modifyUser being possible... - if(!$auth->canDo('modifyUser')) { + // should not be able to get here without Profile being possible... + if(!$auth->canDo('Profile')) { msg($lang['profna'],-1); return false; } @@ -543,11 +543,11 @@ function act_resendpwd(){ if(!$_POST['save']) return false; if(!$conf['resendpasswd']) return false; - // should not be able to get here without modifyUser being possible... - if(!$auth->canDo('modifyUser')) { + // should not be able to get here without modPass being possible... + if(!$auth->canDo('modPass')) { msg($lang['resendna'],-1); return false; - } + } if (empty($_POST['login'])) { msg($lang['resendpwdmissing'], -1); diff --git a/inc/auth/basic.class.php b/inc/auth/basic.class.php index 9ea1a598b..7f187d458 100644 --- a/inc/auth/basic.class.php +++ b/inc/auth/basic.class.php @@ -12,22 +12,88 @@ class auth_basic { var $success = true; + /** - * Constructor + * Posible things an auth backend module may be able to + * do. The things a backend can do need to be set to true + * in the constructor. + */ + var $cando = array ( + 'addUser' => false, // can Users be created? + 'delUser' => false, // can Users be deleted? + 'modLogin' => false, // can login names be changed? + 'modPass' => false, // can passwords be changed? + 'modName' => false, // can real names be changed? + 'modMail' => false, // can emails be changed? + 'modGroups' => false, // can groups be changed? + 'getUsers' => false, // can a (filtered) list of users be retrieved? + 'getUserCount'=> false, // can the number of users be retrieved? + 'getGroups' => false, // can a list of available groups be retrieved? + 'external' => false, // does the module do external auth checking? + ); + + + /** + * Constructor. * * Carry out sanity checks to ensure the object is - * able to operate. + * able to operate. Set capabilities in $this->cando + * array here * * Set $this->success to false if checks fail * * @author Christopher Smith <chris@jalakai.co.uk> */ -# function auth_basic() { -# } + function auth_basic() { + // the base class constructor does nothing, derived class + // constructors do the real work + } + + /** + * Capability check. [ DO NOT OVERRIDE ] + * + * Checks the capabilities set in the $this->cando array and + * some pseudo capabilities (shortcutting access to multiple + * ones) + * + * ususal capabilities start with lowercase letter + * shortcut capabilities start with uppercase letter + * + * @author Andreas Gohr <andi@splitbrain.org> + * @return bool + */ + function canDo($cap) { + switch($cap){ + case 'Profile': + // can at least one of the user's properties be changed? + return ( $this->cando['modPass'] || + $this->cando['modName'] || + $this->cando['modMail'] ); + break; + case 'UserMod': + // can at least anything be changed? + return ( $this->cando['modPass'] || + $this->cando['modName'] || + $this->cando['modMail'] || + $this->cando['modLogin'] || + $this->cando['modGroups'] || + $this->cando['modMail'] ); + break; + default: + // print a helping message for developers + if(!isset($this->cando[$cap])){ + msg("Check for unknown capability '$cap' - Do you use an outdated Plugin?",-1); + } + return $this->cando[$cap]; + } + } + /** * Do all authentication [ OPTIONAL ] * + * Set $this->cando['external'] = true when implemented + * * If this function is implemented it will be used to * authenticate a user - all other DokuWiki internals * will not be used for authenticating, thus @@ -55,7 +121,9 @@ class auth_basic { * @param bool $sticky Cookie should not expire * @return bool true on successful auth */ -# function trustExternal($user,$pass,$sticky=false){ + function trustExternal($user,$pass,$sticky=false){ +# // some example: +# # global $USERINFO; # global $conf; # $sticky ? $sticky = true : $sticky = false; //sanity check @@ -71,18 +139,7 @@ class auth_basic { # $_SESSION[$conf['title']]['auth']['pass'] = $pass; # $_SESSION[$conf['title']]['auth']['info'] = $USERINFO; # return true; -# } - - /** - * Check if authorisation mechanism supports fn and - * that fn will operate in the current environment - * - * @author Christopher Smith <chris@jalakai.co.uk> - * @return bool - */ - function canDo($fn) { - return method_exists($this, $fn); - } + } /** * Check user+password [ MUST BE OVERRIDDEN ] @@ -94,7 +151,6 @@ class auth_basic { * @return bool */ function checkPass($user,$pass){ - msg("no valid authorisation system in use", -1); return false; } @@ -113,9 +169,8 @@ class auth_basic { * @return array containing user data or false */ function getUserData($user) { - - msg("no valid authorisation system in use", -1); - return false; + msg("no valid authorisation system in use", -1); + return false; } /** @@ -128,106 +183,97 @@ class auth_basic { * The new user HAS TO be added to the default group by this * function! * + * Set addUser capability when implemented + * * @author Andreas Gohr <andi@splitbrain.org> */ -# function createUser($user,$pass,$name,$mail,$grps=null){ -# -# msg("authorisation method does not allow creation of new users", -1); -# return null; -# } + function createUser($user,$pass,$name,$mail,$grps=null){ + msg("authorisation method does not allow creation of new users", -1); + return null; + } /** * Modify user data [implement only where required/possible] * + * Set the mod* capabilities according to the implemented features + * * @author Chris Smith <chris@jalakai.co.uk> * @param $user nick of the user to be changed * @param $changes array of field/value pairs to be changed (password will be clear text) * @return bool */ -# function modifyUser($user, $changes) { -# msg("authorisation method does not allow modifying of user data", -1); -# return false; -# } + function modifyUser($user, $changes) { + msg("authorisation method does not allow modifying of user data", -1); + return false; + } /** * Delete one or more users [implement only where required/possible] * + * Set delUser capability when implemented + * * @author Chris Smith <chris@jalakai.co.uk> * @param array $users * @return int number of users deleted */ -# function deleteUsers($users) { -# msg("authorisation method does not allow deleting of users", -1); -# return false; -# } + function deleteUsers($users) { + msg("authorisation method does not allow deleting of users", -1); + return false; + } /** * Return a count of the number of user which meet $filter criteria * [should be implemented whenever retrieveUsers is implemented] * + * Set getUserCount capability when implemented + * * @author Chris Smith <chris@jalakai.co.uk> */ -# function getUserCount($filter=array()) { -# -# msg("authorisation method does not provide user counts", -1); -# return 0; -# } + function getUserCount($filter=array()) { + msg("authorisation method does not provide user counts", -1); + return 0; + } /** * Bulk retrieval of user data [implement only where required/possible] * + * Set getUsers capability when implemented + * * @author Chris Smith <chris@jalakai.co.uk> * @param start index of first user to be returned * @param limit max number of users to be returned * @param filter array of field/pattern pairs, null for no filter * @return array of userinfo (refer getUserData for internal userinfo details) */ -# function retrieveUsers($start=0,$limit=-1,$filter=null) { -# msg("authorisation method does not support mass retrieval of user data", -1); -# return array(); -# } + function retrieveUsers($start=0,$limit=-1,$filter=null) { + msg("authorisation method does not support mass retrieval of user data", -1); + return array(); + } /** * Define a group [implement only where required/possible] * + * Set addGroup capability when implemented + * * @author Chris Smith <chris@jalakai.co.uk> * @return bool */ -# function addGroup($group) { -# msg("authorisation method does not support independent group creation", -1); -# return false; -# } + function addGroup($group) { + msg("authorisation method does not support independent group creation", -1); + return false; + } /** * Retrieve groups [implement only where required/possible] * + * Set getGroups capability when implemented + * * @author Chris Smith <chris@jalakai.co.uk> * @return array */ -# function retrieveGroups($start=0,$limit=0) { -# msg("authorisation method does not support group list retrieval", -1); -# return array(); -# } - - /** - * Give user membership of a group [implement only where required/possible] - * - * @author Chris Smith <chris@jalakai.co.uk> - * @return bool - */ -# function joinGroup($user, $group) { -# msg("authorisation method does not support alteration of group memberships", -1); -# return false; -# } + function retrieveGroups($start=0,$limit=0) { + msg("authorisation method does not support group list retrieval", -1); + return array(); + } - /** - * Remove user from a group [implement only where required/possible] - * - * @author Chris Smith <chris@jalakai.co.uk> - * @return bool - */ -# function leaveGroup($user, $group) { -# msg("authorisation method does not support alteration of group memberships", -1); -# return false; -# } } diff --git a/inc/auth/ldap.class.php b/inc/auth/ldap.class.php index f59800476..de1c8570b 100644 --- a/inc/auth/ldap.class.php +++ b/inc/auth/ldap.class.php @@ -20,8 +20,13 @@ class auth_ldap extends auth_basic { global $conf; $this->cnf = $conf['auth']['ldap']; if(empty($this->cnf['groupkey'])) $this->cnf['groupkey'] = 'cn'; - } + // try to connect + if(!$this->_openLDAP()) $this->success = false; + + // auth_ldap currently just handles authentication, so no + // capabilities are set + } /** * Check user+password diff --git a/inc/auth/mysql.class.php b/inc/auth/mysql.class.php index fb7f43d80..0fb311e26 100644 --- a/inc/auth/mysql.class.php +++ b/inc/auth/mysql.class.php @@ -42,76 +42,62 @@ class auth_mysql extends auth_basic { $this->cnf = $conf['auth']['mysql']; $this->defaultgroup = $conf['defaultgroup']; - } - /** - * Check if authorisation mechanism supports fn and - * that fn will operate in the current environment - * - * @author Matthias Grimm <matthiasgrimm@users.sourceforge.net> - * @author Christopher Smith <chris@jalakai.co.uk> - * @return bool - */ - function canDo($fn) { - $wop = false; /* function is write operation */ - - /* general database configuration set? */ + // set capabilities based upon config strings set if (empty($this->cnf['server']) || empty($this->cnf['user']) || empty($this->cnf['password']) || empty($this->cnf['database'])) - return false; - - switch($fn) { - case 'checkPass': - $config = array('checkPass'); - break; - case 'getUserData': - $config = array('getUserInfo','getGroups'); - break; - case 'createUser': - $config = array('getUserInfo','getGroups','addUser', - 'getUserID','addGroup','addUserGroup','delGroup'); - $wop = true; - break; - case 'modifyUser': - $config = array('getUserID','updateUser','UpdateTarget', - 'getGroups','getGroupID','addGroup','addUserGroup', - 'delGroup','getGroupID','delUserGroup'); - $wop = true; - break; - case 'deleteUsers': - $config = array('getUserID','delUser','delUserRefs'); - $wop = true; - break; - case 'getUserCount': - $config = array('getUsers'); - break; - case 'retrieveUsers': - $config = array('getUsers','getUserInfo','getGroups'); - break; - case 'joinGroup': - $config = array('getUserID','getGroupID','addGroup', - 'addUserGroup','delGroup'); - $wop = true; - break; - case 'leaveGroup': - $config = array('getUserID','getGroupID','delUserGroup'); - $wop = true; - break; - default: - return false; /* unknown function call */ + return; + + $this->cando['addUser'] = $this->_chkcnf(array('getUserInfo', + 'getGroups', + 'addUser', + 'getUserID', + 'addGroup', + 'addUserGroup'),true); + $this->cando['delUser'] = $this->_chkcnf(array('getUserID', + 'delUser', + 'delUserRefs'),true); + $this->cando['modLogin'] = $this->_chkcnf(array('getUserID', + 'updateUser', + 'UpdateTarget', + 'getGroups', + 'getGroupID', + 'addGroup', + 'addUserGroup', + 'delGroup', + 'getGroupID', + 'delUserGroup'),true); + $this->cando['modPass'] = $this->cando['modLogin']; + $this->cando['modName'] = $this->cando['modLogin']; + $this->cando['modMail'] = $this->cando['modLogin']; + $this->cando['modGroups'] = $this->cando['modLogin']; + $this->cando['getGroups'] = $this->_chkcnf(array('getGroups', + 'getGroupID'),false); + $this->cando['getUsers'] = $this->_chkcnf(array('getUsers', + 'getUserInfo', + 'getGroups'),false); + $this->cando['getUserCount'] = $this->_chkcnf(array('getUsers'),false); + } + + /** + * Check if the given config strings are set + * + * @author Matthias Grimm <matthiasgrimm@users.sourceforge.net> + * @return bool + */ + function _chkcnf($keys, $wop=false){ + foreach ($keys as $key){ + if (empty($this->cnf[$key])) return false; } - + /* write operation and lock array filled with tables names? */ - if ($wop && (!is_array($this->cnf['TablesToLock']) || empty($this->cnf['TablesToLock']))) + if ($wop && (!is_array($this->cnf['TablesToLock']) || + !count($this->cnf['TablesToLock']))){ return false; - - foreach ($config as $statement) - if (empty($this->cnf[$statement])) - return false; /* required statement not set */ + } - /* all tests passed :-) */ return true; - } + } /** * Checks if the given user exists and the given plaintext password diff --git a/inc/auth/plain.class.php b/inc/auth/plain.class.php index 373bb2907..2dae8de98 100644 --- a/inc/auth/plain.class.php +++ b/inc/auth/plain.class.php @@ -25,38 +25,29 @@ class auth_plain extends auth_basic { * Constructor * * Carry out sanity checks to ensure the object is - * able to operate. + * able to operate. Set capabilities. * - * Set $this->success to false if checks fail - * * @author Christopher Smith <chris@jalakai.co.uk> */ function auth_plain() { - if (!@is_readable(AUTH_USERFILE)) $this->success = false; + if (!@is_readable(AUTH_USERFILE)){ + $this->success = false; + }else{ + if(@is_writable(AUTH_USERFILE)){ + $this->cando['addUser'] = true; + $this->cando['delUser'] = true; + $this->cando['modLogin'] = true; + $this->cando['modPass'] = true; + $this->cando['modName'] = true; + $this->cando['modMail'] = true; + $this->cando['modGroups'] = true; + } + $this->cando['getUsers'] = true; + $this->cando['getUserCount'] = true; + } } /** - * Check if authorisation mechanism supports fn and - * that fn will operate in the current environment - * - * @author Christopher Smith <chris@jalakai.co.uk> - * @return bool - */ - function canDo($fn) { - - switch ($fn) { - case 'createUser' : - case 'modifyUser' : - case 'deleteUsers' : - case 'joinGroup' : - case 'leaveGroup' : - return (@is_writable(AUTH_USERFILE)); - } - - return method_exists($this, $fn); - } - - /** * Check user+password [required auth function] * * Checks if the given user exists and the given @@ -265,40 +256,6 @@ class auth_plain extends auth_basic { } /** - * Give user membership of a group - * - * @author Chris Smith <chris@jalakai.co.uk> - * @return bool - */ - function joinGroup($user, $group) { - - // sanity checks, user must exist, and not currently a group member - if (($userinfo = $this->getUserData($user)) === false) return false; - if (in_array($group, $userinfo['grps'])) return true; - - $userinfo['grps'][] = $group; - - return $this->modifyUser($user, array('grps' => $userinfo['grps'])); - } - - /** - * Remove user from a group - * - * @author Chris Smith <chris@jalakai.co.uk> - * @return bool - */ - function leaveGroup($user, $group) { - - // sanity checks, user must exist, and currently be a group member - if (($userinfo = $this->getUserData($user)) === false) return false; - if (($i = array_search($group, $userinfo['grps'])) === false) return true; - - array_splice($userinfo['grps'],$i,1); - - return $this->modifyUser($user, array('grps' => $userinfo['grps'])); - } - - /** * Load all user data * * loads the user file into a datastructure diff --git a/inc/html.php b/inc/html.php index e53dcbaf6..c641dc212 100644 --- a/inc/html.php +++ b/inc/html.php @@ -73,14 +73,14 @@ function html_login(){ </fieldset> </form> <?php - if($conf['openregister']){ + if($auth->canDo('addUser') && $conf['openregister']){ print '<p>'; print $lang['reghere']; print ': <a href="'.wl($ID,'do=register').'" class="wikilink1">'.$lang['register'].'</a>'; print '</p>'; } - if ($auth->canDo('modifyUser') && $conf['resendpasswd']) { + if ($auth->canDo('modPass') && $conf['resendpasswd']) { print '<p>'; print $lang['pwdforget']; print ': <a href="'.wl($ID,'do=resendpwd').'" class="wikilink1">'.$lang['btn_resendpwd'].'</a>'; @@ -872,6 +872,7 @@ function html_updateprofile(){ global $conf; global $ID; global $INFO; + global $auth; print p_locale_xhtml('updateprofile'); @@ -891,12 +892,14 @@ function html_updateprofile(){ </label><br /> <label class="block"> <?php echo $lang['fullname']?> - <input type="text" name="fullname" class="edit" size="50" value="<?php echo formText($_POST['fullname'])?>" /> + <input type="text" name="fullname" <?php if(!$auth->canDo('modName')) echo 'disabled="disabled"'?> class="edit" size="50" value="<?php echo formText($_POST['fullname'])?>" /> </label><br /> <label class="block"> <?php echo $lang['email']?> - <input type="text" name="email" class="edit" size="50" value="<?php echo formText($_POST['email'])?>" /> + <input type="text" name="email" <?php if(!$auth->canDo('modName')) echo 'disabled="disabled"'?> class="edit" size="50" value="<?php echo formText($_POST['email'])?>" /> </label><br /><br /> + + <?php if($auth->canDo('modPass')) { ?> <label class="block"> <?php echo $lang['newpass']?> <input type="password" name="newpass" class="edit" size="50" /> @@ -905,6 +908,7 @@ function html_updateprofile(){ <?php echo $lang['passchk']?> <input type="password" name="passchk" class="edit" size="50" /> </label><br /> + <?php } ?> <?php if ($conf['profileconfirm']) { ?> <br /> diff --git a/inc/template.php b/inc/template.php index e9aba3297..3e9cd55ad 100644 --- a/inc/template.php +++ b/inc/template.php @@ -358,7 +358,7 @@ function tpl_button($type){ print html_btn('backlink',$ID,'',array('do' => 'backlink')); break; case 'profile': - if(($_SERVER['REMOTE_USER']) && $auth->canDo('modifyUser') && ($ACT!='profile')){ + if(($_SERVER['REMOTE_USER']) && $auth->canDo('Profile') && ($ACT!='profile')){ print html_btn('profile',$ID,'',array('do' => 'profile')); } break; @@ -466,7 +466,7 @@ function tpl_actionlink($type,$pre='',$suf=''){ tpl_link(wl($ID,'do=backlink'),$pre.$lang['btn_backlink'].$suf, 'class="action backlink"'); break; case 'profile': - if(($_SERVER['REMOTE_USER']) && $auth->canDo('modifyUser') && ($ACT!='profile')){ + if(($_SERVER['REMOTE_USER']) && $auth->canDo('Profile') && ($ACT!='profile')){ tpl_link(wl($ID,'do=profile'),$pre.$lang['btn_profile'].$suf, 'class="action profile"'); } break; |