From 9c29eea515b336b23187a86f5b55443571fcba01 Mon Sep 17 00:00:00 2001
From: Jan Schumann
Date: Tue, 3 Jan 2012 02:56:20 +0100
Subject: Setup auth system from plugins
---
 inc/auth.php | 56 ++++++++++++++++++++++++++++++++++----------------------
 1 file changed, 34 insertions(+), 22 deletions(-)
(limited to 'inc/auth.php')
diff --git a/inc/auth.php b/inc/auth.php
index e0f58e5f2..b11a14d50 100644
--- a/inc/auth.php
+++ b/inc/auth.php
@@ -36,29 +36,41 @@ function auth_setup(){
 global $AUTH_ACL;
 global $lang;
 global $config_cascade;
+ global $plugin_controller;
 $AUTH_ACL = array();
 if(!$conf['useacl']) return false;
- // load the the backend auth functions and instantiate the auth object XXX
- if (@file_exists(DOKU_INC.'inc/auth/'.$conf['authtype'].'.class.php')) {
- require_once(DOKU_INC.'inc/auth/basic.class.php');
- require_once(DOKU_INC.'inc/auth/'.$conf['authtype'].'.class.php');
-
- $auth_class = "auth_".$conf['authtype'];
- if (class_exists($auth_class)) {
- $auth = new $auth_class();
- if ($auth->success == false) {
- // degrade to unauthenticated user
- unset($auth);
- auth_logoff();
- msg($lang['authtempfail'], -1);
- }
- } else {
- nice_die($lang['authmodfailed']);
- }
- } else {
- nice_die($lang['authmodfailed']);
+ // try to load auth backend from plugins
+ $plugins = $plugin_controller->getList('auth');
+ foreach ($plugin_controller->getList('auth') as $plugin) {
+ if ($conf['authtype'] === $plugin) {
+ $auth = $plugin_controller->load('auth', $plugin)->getAuth();
+ break;
+ }
+ }
+
+ if (!$auth) {
+ // load the the backend auth functions and instantiate the auth object XXX
+ if (@file_exists(DOKU_INC.'inc/auth/'.$conf['authtype'].'.class.php')) {
+ require_once(DOKU_INC.'inc/auth/basic.class.php');
+ require_once(DOKU_INC.'inc/auth/'.$conf['authtype'].'.class.php');
+
+ $auth_class = "auth_".$conf['authtype'];
+ if (class_exists($auth_class)) {
+ $auth = new $auth_class();
+ if ($auth->success == false) {
+ // degrade to unauthenticated user
+ unset($auth);
+ auth_logoff();
+ msg($lang['authtempfail'], -1);
+ }
+ } else {
+ nice_die($lang['authmodfailed']);
+ }
+ } else {
+ nice_die($lang['authmodfailed']);
+ }
 }
 if(!$auth) return;
@@ -675,7 +687,7 @@ function auth_sendPassword($user,$password){
 if(empty($conf['mailprefix'])) {
 $subject = $lang['regpwmail'];
- } else {
+ } else {
 $subject = '['.$conf['mailprefix'].'] '.$lang['regpwmail'];
 }
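Review bot: `$plugins` is assigned from `$plugin_controller->getList('auth')` and never read, because the `foreach` on the next line calls `getList('auth')` again; either iterate the variable, `foreach ($plugins as $plugin) {`, or drop the assignment. When no plugin name equals `$conf['authtype']`, `$auth` is never assigned, so the following `if (!$auth)` tests an undefined variable (a notice under full error reporting) before reaching the legacy loader; `if (!isset($auth)) {` states the intent without the notice. `$conf` is read throughout the hunk but its `global` declaration is not visible here, presumably it sits above line 36, and auth_setup's body continues past the hunk.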
@@ -920,10 +932,10 @@ function act_resendpwd(){
 if(empty($conf['mailprefix'])) {
 $subject = $lang['regpwmail'];
- } else {
+ } else {
 $subject = '['.$conf['mailprefix'].'] '.$lang['regpwmail'];
 }
-
+
 if(mail_send($userinfo['name'].' <'.$userinfo['mail'].'>',
 $subject,
 $text,
-- cgit v1.2.3
From f4476bd9b5badd36cd0617d76538e47d9649986b Mon Sep 17 00:00:00 2001
From: Jan Schumann
Date: Mon, 20 Feb 2012 19:51:26 +0100
Subject: Refactored auth system: All auth methods are now introduced as plugins.
---
 inc/auth.php | 37 ++++++++++++------------------------
 1 file changed, 12 insertions(+), 25 deletions(-)
(limited to 'inc/auth.php')
diff --git a/inc/auth.php b/inc/auth.php
index b11a14d50..aac7a2fca 100644
--- a/inc/auth.php
+++ b/inc/auth.php
@@ -45,35 +45,19 @@ function auth_setup(){
 $plugins = $plugin_controller->getList('auth');
 foreach ($plugin_controller->getList('auth') as $plugin) {
 if ($conf['authtype'] === $plugin) {
- $auth = $plugin_controller->load('auth', $plugin)->getAuth();
+ $auth = $plugin_controller->load('auth', $plugin);
 break;
 }
 }
- if (!$auth) {
- // load the the backend auth functions and instantiate the auth object XXX
- if (@file_exists(DOKU_INC.'inc/auth/'.$conf['authtype'].'.class.php')) {
- require_once(DOKU_INC.'inc/auth/basic.class.php');
- require_once(DOKU_INC.'inc/auth/'.$conf['authtype'].'.class.php');
-
- $auth_class = "auth_".$conf['authtype'];
- if (class_exists($auth_class)) {
- $auth = new $auth_class();
- if ($auth->success == false) {
- // degrade to unauthenticated user
- unset($auth);
- auth_logoff();
- msg($lang['authtempfail'], -1);
- }
- } else {
- nice_die($lang['authmodfailed']);
- }
- } else {
- nice_die($lang['authmodfailed']);
- }
- }
+ if(!$auth) return;
- if(!$auth) return;
+ if ($auth && $auth->success == false) {
+ // degrade to unauthenticated user
+ unset($auth);
+ auth_logoff();
+ msg($lang['authtempfail'], -1);
+ }
 // do the login either by cookie or provided credentials XXX
 if (!isset($_REQUEST['u'])) $_REQUEST['u'] = '';
@@ -102,7 +86,10 @@ function auth_setup(){
 }
 // apply cleaning
- $_REQUEST['u'] = $auth->cleanUser($_REQUEST['u']);
+ if (true === $auth->success)
+ {
+ $_REQUEST['u'] = $auth->cleanUser($_REQUEST['u']);
+ }
 if(isset($_REQUEST['authtok'])){
 // when an authentication token is given, trust the session
-- cgit v1.2.3
From 2ed38036a53a489d2fcadc46ce601f8c876fca31 Mon Sep 17 00:00:00 2001
From: Andreas Gohr
Date: Fri, 21 Sep 2012 11:53:17 +0200
Subject: consolidate more notification code in subscription class
This is untested and probably broken currently
---
 inc/auth.php | 11 +++--------
 1 file changed, 3 insertions(+), 8 deletions(-)
(limited to 'inc/auth.php')
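Review bot: The new `if ($auth && $auth->success == false)` block unsets `$auth` and then falls through, so the login code after it runs with no backend object; the second hunk's guard `if (true === $auth->success)` then dereferences the unset variable, and whatever sits between the two hunks presumably does too. Adding `return;` after `msg($lang['authtempfail'], -1);` restores the early exit the removed legacy branch relied on. The `$auth &&` test is redundant because `if(!$auth) return;` has just executed, and the brace placement `if (true === $auth->success)` / `{` differs from the same-line style used on every other condition in the hunk. auth_setup's body continues beyond both hunks.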
diff --git a/inc/auth.php b/inc/auth.php
index cedfdee36..3fb937613 100644
--- a/inc/auth.php
+++ b/inc/auth.php
@@ -778,23 +778,18 @@ function register() {
 return false;
 }
- // create substitutions for use in notification email
- $substitutions = array(
- 'NEWUSER' => $_POST['login'],
- 'NEWNAME' => $_POST['fullname'],
- 'NEWEMAIL' => $_POST['email'],
- );
+ $subscription = new Subscription();
 if(!$conf['autopasswd']) {
 msg($lang['regsuccess2'], 1);
- notify('', 'register', '', $_POST['login'], false, $substitutions);
+ $subscription->send_register($_POST['login'], $_POST['fullname'], $_POST['email']);
 return true;
 }
 // autogenerated password? then send him the password
 if(auth_sendPassword($_POST['login'], $pass)) {
 msg($lang['regsuccess'], 1);
- notify('', 'register', '', $_POST['login'], false, $substitutions);
+ $subscription->send_register($_POST['login'], $_POST['fullname'], $_POST['email']);
 return true;
 } else {
 msg($lang['regmailfail'], -1);
-- cgit v1.2.3
From 3094e817f9f8c3971ffa00a852a1acee8bbcfd4c Mon Sep 17 00:00:00 2001
From: Andreas Gohr
Date: Sat, 6 Oct 2012 11:11:50 +0200
Subject: changed default auth to authplain
We need to decide how to handle the renaming of the auth classes. Should this be done automatically somehow? Or is an admin expected to fix this manually when updating?
---
 inc/auth.php | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
(limited to 'inc/auth.php')
diff --git a/inc/auth.php b/inc/auth.php
index 25b9e4632..3fe465cbb 100644
--- a/inc/auth.php
+++ b/inc/auth.php
@@ -54,7 +54,10 @@ function auth_setup() {
 }
 }
- if(!$auth) return false;
+ if(!$auth){
+ msg($lang['authtempfail'], -1);
+ return false;
+ }
 if ($auth && $auth->success == false) {
 // degrade to unauthenticated user
-- cgit v1.2.3
From 80b4f3761dd43d240253888985ae74cb16ef6200 Mon Sep 17 00:00:00 2001
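Review bot: The two `$subscription->send_register($_POST['login'], $_POST['fullname'], $_POST['email']);` calls are identical, one per success branch, and both hand the raw `$_POST` values to the notification while the account itself is created from values this hunk does not show, so the mail may name a user differently from how the backend stored it — worth confirming against the lines above the hunk. If a notification on every created account is the intent, a single call placed before `if(!$conf['autopasswd'])` removes the duplication, but that also fires when `auth_sendPassword` fails and the user sees `regmailfail`, so the choice should be deliberate. register() starts before this hunk and its final `else` branch continues past it.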
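Review bot: The new `msg($lang['authtempfail'], -1);` reports a temporary failure, but this path is reached when `$conf['authtype']` matches no installed auth plugin, which is a permanent configuration error that the removed legacy loader reported with `authmodfailed` and stopped on; `msg($lang['authmodfailed'], -1);` keeps the admin-facing message accurate. `if(!$auth){` still tests a variable that was never assigned when the plugin loop found nothing, so the check raises a notice before the message; `if(!isset($auth) || !$auth){` avoids it. Returning false here lets the request continue without any backend, which callers of auth_setup must tolerate — that is inferred, since they are outside the hunk.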
From: Andreas Gohr
Date: Thu, 18 Oct 2012 16:20:28 +0200
Subject: avoid broken browser_uid on IE
Internet Explorer 8 (and maybe others) seem to use different capitalization in the ACCEPT_CHARSET header between "normal" requests and AJAX requests. This causes a browser UID mismatch and thus an unecessary reauthentication.
---
 inc/auth.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
(limited to 'inc/auth.php')
diff --git a/inc/auth.php b/inc/auth.php
index 99adfa791..1c8a8f5f5 100644
--- a/inc/auth.php
+++ b/inc/auth.php
@@ -299,7 +299,7 @@ function auth_createToken() {
 *
 * This is neither unique nor unfakable - still it adds some
 * security. Using the first part of the IP makes sure
- * proxy farms like AOLs are stil okay.
+ * proxy farms like AOLs are still okay.
 *
 * @author Andreas Gohr
 *
@@ -313,6 +313,7 @@ function auth_browseruid() {
 $uid .= $_SERVER['HTTP_ACCEPT_LANGUAGE'];
 $uid .= $_SERVER['HTTP_ACCEPT_CHARSET'];
 $uid .= substr($ip, 0, strpos($ip, '.'));
+ $uid = strtolower($uid);
 return md5($uid);
 }
-- cgit v1.2.3
From eb3ce0d55290dd4a60193e680aa50b46571350bd Mon Sep 17 00:00:00 2001
From: Kazutaka Miyasaka
Date: Sun, 25 Nov 2012 21:02:32 +0900
Subject: Fix case-insensitive match in ACL checking
ACL checking of DokuWiki is currently always case-sensitive regardless of auth backend setting ($auth->isCaseSensitive). This commit enables case-insensitive match in the same way of auth_isMember().
---
 inc/auth.php | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)
(limited to 'inc/auth.php')
diff --git a/inc/auth.php b/inc/auth.php
index 1c8a8f5f5..9c458338d 100644
--- a/inc/auth.php
+++ b/inc/auth.php
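Review bot: The new `$uid = strtolower($uid);` needs a why-comment, because lowercasing a session-binding fingerprint reads as discarding signal for no reason; the commit message has the rationale, the code does not: `// IE8 varies the capitalisation of Accept-Charset between page and AJAX requests; normalise so both produce the same uid`. The `$_SERVER['HTTP_*']` reads above it are context lines, but none is guarded with isset(), so a client that omits one of those headers triggers a notice on every request — pre-existing, not introduced here. auth_browseruid's signature and the `$ip` assignment lie above the hunk.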
@@ -535,9 +535,10 @@ function auth_aclcheck($id, $user, $groups) {
 return AUTH_ADMIN;
 }
- $ci = '';
- if(!$auth->isCaseSensitive()) $ci = 'ui';
-
+ if(!$auth->isCaseSensitive()) {
+ $user = utf8_strtolower($user);
+ $groups = array_map('utf8_strtolower', $groups);
+ }
 $user = $auth->cleanUser($user);
 $groups = array_map(array($auth, 'cleanGroup'), (array) $groups);
 $user = auth_nameencode($user);
@@ -561,11 +562,14 @@ function auth_aclcheck($id, $user, $groups) {
 }
 //check exact match first
- $matches = preg_grep('/^'.preg_quote($id, '/').'\s+(\S+)\s+/'.$ci, $AUTH_ACL);
+ $matches = preg_grep('/^'.preg_quote($id, '/').'\s+(\S+)\s+/u', $AUTH_ACL);
 if(count($matches)) {
 foreach($matches as $match) {
 $match = preg_replace('/#.*$/', '', $match); //ignore comments
 $acl = preg_split('/\s+/', $match);
+ if(!$auth->isCaseSensitive() && $acl[1] !== '@ALL') {
+ $acl[1] = utf8_strtolower($acl[1]);
+ }
 if(!in_array($acl[1], $groups)) {
 continue;
 }
@@ -588,11 +592,14 @@ function auth_aclcheck($id, $user, $groups) {
 }
 do {
- $matches = preg_grep('/^'.preg_quote($path, '/').'\s+(\S+)\s+/'.$ci, $AUTH_ACL);
+ $matches = preg_grep('/^'.preg_quote($path, '/').'\s+(\S+)\s+/u', $AUTH_ACL);
 if(count($matches)) {
 foreach($matches as $match) {
 $match = preg_replace('/#.*$/', '', $match); //ignore comments
 $acl = preg_split('/\s+/', $match);
+ if(!$auth->isCaseSensitive() && $acl[1] !== '@ALL') {
+ $acl[1] = utf8_strtolower($acl[1]);
+ }
 if(!in_array($acl[1], $groups)) {
 continue;
 }
-- cgit v1.2.3
From 10b5c32d6486ab0884deda109b1e5947f7ec7662 Mon Sep 17 00:00:00 2001
From: Andreas Gohr
Date: Fri, 30 Nov 2012 12:35:46 +0100
Subject: fixed merge error in inc/auth.php
merged the wrong change here
---
 inc/auth.php | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
(limited to 'inc/auth.php')
diff --git a/inc/auth.php b/inc/auth.php
index 54d2cd50a..9c458338d 100644
--- a/inc/auth.php
+++ b/inc/auth.php
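Review bot: Both `preg_grep(...'\s+(\S+)\s+/u', $AUTH_ACL)` calls now carry the `u` modifier unconditionally, where before it applied only when `$ci` was `'ui'`; with `u`, one invalid UTF-8 byte anywhere in `$AUTH_ACL` makes `preg_grep` return false rather than an array, `count(false)` evaluates to 1 on the PHP versions of this era, and the `foreach` then warns and skips, so every ACL rule for that page is silently ignored — an ACL file saved in a non-UTF-8 encoding degrades without any message. Guarding with `if(is_array($matches) && count($matches)) {` at both sites, or checking `preg_last_error()` after the call, makes the failure visible; the same applies to the third hunk. The `$acl[1]` lowercasing block is duplicated verbatim in the second and third hunks, and `in_array($acl[1], $groups)` remains non-strict. auth_aclcheck's body continues outside each hunk.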
@@ -782,21 +782,21 @@ function register() {
 // create substitutions for use in notification email
 $substitutions = array(
- 'NEWUSER' => $_POST['login'],
- 'NEWNAME' => $_POST['fullname'],
- 'NEWEMAIL' => $_POST['email'],
+ 'NEWUSER' => $login,
+ 'NEWNAME' => $fullname,
+ 'NEWEMAIL' => $email,
 );
 if(!$conf['autopasswd']) {
 msg($lang['regsuccess2'], 1);
- notify('', 'register', '', $_POST['login'], false, $substitutions);
+ notify('', 'register', '', $login, false, $substitutions);
 return true;
 }
 // autogenerated password? then send him the password
 if(auth_sendPassword($login, $pass)) {
 msg($lang['regsuccess'], 1);
- notify('', 'register', '', $_POST['login'], false, $substitutions);
+ notify('', 'register', '', $login, false, $substitutions);
 return true;
 } else {
 msg($lang['regmailfail'], -1);
-- cgit v1.2.3
From 790b77202079261b11d425e0c814608d626eea70 Mon Sep 17 00:00:00 2001
From: Andreas Gohr
Date: Fri, 30 Nov 2012 13:09:15 +0100
Subject: moved registration notification to subscription class
---
 inc/auth.php | 14 +++++--------
 1 file changed, 5 insertions(+), 9 deletions(-)
(limited to 'inc/auth.php')
diff --git a/inc/auth.php b/inc/auth.php
index 9c458338d..29a46b37e 100644
--- a/inc/auth.php
+++ b/inc/auth.php
@@ -780,23 +780,19 @@ function register() {
 return false;
 }
- // create substitutions for use in notification email
- $substitutions = array(
- 'NEWUSER' => $login,
- 'NEWNAME' => $fullname,
- 'NEWEMAIL' => $email,
- );
+ // send notification about the new user
+ $subscription = new Subscription();
+ $subscription->send_register($login, $fullname, $email);
+ // are we done?
 if(!$conf['autopasswd']) {
 msg($lang['regsuccess2'], 1);
- notify('', 'register', '', $login, false, $substitutions);
 return true;
 }
- // autogenerated password? then send him the password
+ // autogenerated password? then send password to user
 if(auth_sendPassword($login, $pass)) {
 msg($lang['regsuccess'], 1);
- notify('', 'register', '', $login, false, $substitutions);
 return true;
 } else {
 msg($lang['regmailfail'], -1);
-- cgit v1.2.3
From def492a2d77af9effca204483b570061202cda5b Mon Sep 17 00:00:00 2001
From: Guillaume Turri
Date: Sun, 6 Jan 2013 10:18:17 +0100
Subject: Made auth_aclcheck always return int
The returned type is important in particular when we deal with xmlrpc. Indeed, this value is directly returned to the client eg when the wiki.getAllPages method is queried. Currently the 'perms' attribute may be either an int or a string, and its up to the xmlrpc client to resolve it (although Dokuwiki's documentation only tells it can be an int). This patch makes sure we'll always return perms as int.
---
 inc/auth.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'inc/auth.php')
diff --git a/inc/auth.php b/inc/auth.php
index 9c458338d..c68a699fe 100644
--- a/inc/auth.php
+++ b/inc/auth.php
@@ -580,7 +580,7 @@ function auth_aclcheck($id, $user, $groups) {
 }
 if($perm > -1) {
 //we had a match - return it
- return $perm;
+ return (int) $perm;
 }
 }
@@ -610,7 +610,7 @@ function auth_aclcheck($id, $user, $groups) {
 }
 //we had a match - return it
 if($perm != -1) {
- return $perm;
+ return (int) $perm;
 }
 }
 //get next higher namespace
-- cgit v1.2.3
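Review bot: Moving `$subscription->send_register($login, $fullname, $email);` ahead of the `if(!$conf['autopasswd'])` check changes when the notification goes out: with autopasswd enabled it is now sent even when `auth_sendPassword` fails and the user is shown `regmailfail`, whereas the removed `notify(...)` calls only ran on the success paths. If that is intended, say so at the new call, `// notify on every created account, whether or not the password mail is delivered`; if not, the call belongs after the `auth_sendPassword` success check as before. The commit message describes this as a move, so the ordering change deserves a mention there too. register() starts above this hunk.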
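Review bot: Casting at the two `return (int) $perm;` sites fixes the type seen by callers but leaves `$perm` a string inside the loops, where the first hunk compares it with `> -1` and the second with `!= -1`; both comparisons are numeric-on-string and the two conditions are written differently for what looks like the same test. Casting once where `$perm` is taken from the ACL entry (above these hunks, not visible) would make both comparisons integer and let them be written identically, e.g. `if($perm > -1) {` in both places. auth_aclcheck's body runs on either side of each hunk.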
From 9d2e1be699d573eebda922cf67f030d3d2aa462d Mon Sep 17 00:00:00 2001
From: Andreas Gohr
Date: Sat, 16 Feb 2013 18:29:20 +0100
Subject: introduced http_status() for sending HTTP status code FS#1698
It seems, some servers require a special Status: header for sending the HTTP status code from PHP (F)CGI to the server. This patch introduces a new function (adopted from CodeIgniter) for simplifying the status handling.
---
 inc/auth.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'inc/auth.php')
diff --git a/inc/auth.php b/inc/auth.php
index 7f427bd8d..9566a2615 100644
--- a/inc/auth.php
+++ b/inc/auth.php
@@ -267,7 +267,7 @@ function auth_login($user, $pass, $sticky = false, $silent = false) {
 function auth_validateToken($token) {
 if(!$token || $token != $_SESSION[DOKU_COOKIE]['auth']['token']) {
 // bad token
- header("HTTP/1.0 401 Unauthorized");
+ http_status(401);
 print 'Invalid auth token - maybe the session timed out';
 unset($_SESSION[DOKU_COOKIE]['auth']['token']); // no second chance
 exit;
-- cgit v1.2.3
From a4ce95c84dca904abb57d30efa2a9d5d68eeda1b Mon Sep 17 00:00:00 2001
From: Dominik Eckelmann
Date: Wed, 20 Feb 2013 10:44:25 +0100
Subject: fixed auth_browseruid on IE9
IE9 send different HTTP_ACCEPT_LANGUAGE header on ajax request. This causes different results from auth_browseruid. This patch removes the HTTP_ACCEPT_LANGUAGE from the browser id calculation.
---
 inc/auth.php | 1 -
 1 file changed, 1 deletion(-)
(limited to 'inc/auth.php')
diff --git a/inc/auth.php b/inc/auth.php
index 9566a2615..d82b8b5dd 100644
--- a/inc/auth.php
+++ b/inc/auth.php
@@ -311,7 +311,6 @@ function auth_browseruid() {
 $uid = '';
 $uid .= $_SERVER['HTTP_USER_AGENT'];
 $uid .= $_SERVER['HTTP_ACCEPT_ENCODING'];
- $uid .= $_SERVER['HTTP_ACCEPT_LANGUAGE'];
 $uid .= $_SERVER['HTTP_ACCEPT_CHARSET'];
 $uid .= substr($ip, 0, strpos($ip, '.'));
 $uid = strtolower($uid);
-- cgit v1.2.3
From 6416b708d3d115a6d7529b6c388c796fcb651d55 Mon Sep 17 00:00:00 2001
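Review bot: The condition on the context line above the changed `http_status(401);`, `$token != $_SESSION[DOKU_COOKIE]['auth']['token']`, uses the loose `!=`, which PHP evaluates numerically when both operands look numeric, so two different token strings can compare as equal; `$token !== $_SESSION[DOKU_COOKIE]['auth']['token']` compares the bytes and is the right operator for an authentication check. The session slot is also read without an isset() guard, so a fresh session produces a notice before the rejection; `!isset($_SESSION[DOKU_COOKIE]['auth']['token']) ||` in front of the comparison covers that. Neither line is touched by this commit, but this is the check the new status call is protecting. auth_validateToken's remainder lies below the hunk.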
From: Michael Hamann
Date: Wed, 20 Feb 2013 19:43:29 +0100
Subject: Fix handling of failed authentication loading
In the case of a failed authentication initialization, the authentication setup was simply continued with an unset $auth object. This restores the previous behavior (before merging #141) of simply returning after unsetting $auth. Furthermore this re-introduces the check if $auth is set before checking $auth and removes a useless check if $auth is true (could never be false).
---
 inc/auth.php | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
(limited to 'inc/auth.php')
diff --git a/inc/auth.php b/inc/auth.php
index d82b8b5dd..92a56e163 100644
--- a/inc/auth.php
+++ b/inc/auth.php
@@ -54,16 +54,17 @@ function auth_setup() {
 }
 }
- if(!$auth){
+ if(!isset($auth) || !$auth){
 msg($lang['authtempfail'], -1);
 return false;
 }
- if ($auth && $auth->success == false) {
+ if ($auth->success == false) {
 // degrade to unauthenticated user
 unset($auth);
 auth_logoff();
 msg($lang['authtempfail'], -1);
+ return false;
 }
 // do the login either by cookie or provided credentials XXX
-- cgit v1.2.3
From 00d58927261c5bed6f093ca4aa2064a18139a228 Mon Sep 17 00:00:00 2001
From: Michael Hamann
Date: Wed, 20 Feb 2013 20:26:05 +0100
Subject: Fix remaining missing $INPUT uses FS#2577
This adds $INPUT in all places where it was still missing and available. $INPUT is now also used in places where using $_REQUEST/... was okay in order to make the code consistent.
---
 inc/auth.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'inc/auth.php')
diff --git a/inc/auth.php b/inc/auth.php
index 92a56e163..68b6b438d 100644
--- a/inc/auth.php
+++ b/inc/auth.php
@@ -92,7 +92,7 @@ function auth_setup() {
 // apply cleaning
 if (true === $auth->success)
 {
- $_REQUEST['u'] = $auth->cleanUser($_REQUEST['u']);
+ $INPUT->set('u', $auth->cleanUser($INPUT->str('u')));
 }
 if($INPUT->str('authtok')) {
-- cgit v1.2.3
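Review bot: The rewritten condition `if ($auth->success == false)` keeps a loose comparison on a flag that the plugin sets (its type is not visible here, presumably a bool); `if (!$auth->success) {` reads the same and avoids the `== false` surprises for values such as `"0"` or an empty array. Both failure paths in this hunk now emit `$lang['authtempfail']`, although the first (no plugin named by `$conf['authtype']`) is a configuration error rather than a transient one, so a distinct message there would help whoever reads the admin's log. auth_setup's body continues below the hunk.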
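Review bot: The guard `if (true === $auth->success)` around the new `$INPUT->set('u', $auth->cleanUser($INPUT->str('u')));` is, if `success` is a bool, always true by the time this line runs, because auth_setup now returns false earlier whenever `success` is false; the guard and its own-line brace `{` (unlike every other block in auth_setup) could go, leaving the single `$INPUT->set(...)` call. The guard lines are context, so this is a follow-up rather than a defect in the commit. auth_setup's body continues on both sides of the hunk.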