From b5ee21aa65a2f380e3b99ff5ea6ced48c1cb720e Mon Sep 17 00:00:00 2001 From: Adrian Lang Date: Tue, 15 Dec 2009 10:54:30 +0100 Subject: Provide AFTER event for AUTH_LOGIN_CHECK Ignore-this: 804d0837b9a04e4f82e6b54765f453cf darcs-hash:20091215095430-e4919-19c61854c27fdade90caeed035445ee3396b0095.gz --- inc/auth.php | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) (limited to 'inc/auth.php') diff --git a/inc/auth.php b/inc/auth.php index 50c5f17ed..c18104487 100644 --- a/inc/auth.php +++ b/inc/auth.php @@ -90,13 +90,7 @@ if($conf['useacl']){ 'sticky' => $_REQUEST['r'], 'silent' => $_REQUEST['http_credentials'], ); - $evt = new Doku_Event('AUTH_LOGIN_CHECK',$evdata); - if($evt->advise_before()){ - auth_login($evdata['user'], - $evdata['password'], - $evdata['sticky'], - $evdata['silent']); - } + trigger_event('AUTH_LOGIN_CHECK', $evdata, 'auth_login_wrapper'); } } @@ -114,6 +108,13 @@ if($conf['useacl']){ } } +function auth_login_wrapper($evdata) { + return auth_login($evdata['user'], + $evdata['password'], + $evdata['sticky'], + $evdata['silent']); +} + /** * This tries to login the user based on the sent auth credentials * -- cgit v1.2.3 From 16905344219a6293705b71cd526fad3ba07b04eb Mon Sep 17 00:00:00 2001 From: Andreas Gohr Date: Sun, 31 Jan 2010 19:02:14 +0100 Subject: first attempt to centralize all include loading Classes are loaded throug PHP5's class autoloader, all other includes are just loaded by default. This skips a lot of require_once calls. Parser and Plugin stuff isn't handled by the class loader yet. --- inc/auth.php | 100 +++++++++++++++++++++++++++++++---------------------------- 1 file changed, 52 insertions(+), 48 deletions(-) (limited to 'inc/auth.php') diff --git a/inc/auth.php b/inc/auth.php index c18104487..33626cf80 100644 --- a/inc/auth.php +++ b/inc/auth.php @@ -10,8 +10,6 @@ */ if(!defined('DOKU_INC')) die('meh.'); -require_once(DOKU_INC.'inc/common.php'); -require_once(DOKU_INC.'inc/io.php'); // some ACL level defines define('AUTH_NONE',0); @@ -22,15 +20,23 @@ define('AUTH_UPLOAD',8); define('AUTH_DELETE',16); define('AUTH_ADMIN',255); -global $conf; - -if($conf['useacl']){ - require_once(DOKU_INC.'inc/blowfish.php'); - require_once(DOKU_INC.'inc/mail.php'); - +/** + * Initialize the auth system. + * + * This function is automatically called at the end of init.php + * + * This used to be the main() of the auth.php + * + * @todo backend loading maybe should be handled by the class autoloader + * @todo maybe split into multiple functions at the XXX marked positions + */ +function auth_setup(){ + global $conf; global $auth; - // load the the backend auth functions and instantiate the auth object + if(!$conf['useacl']) return false; + + // load the the backend auth functions and instantiate the auth object XXX if (@file_exists(DOKU_INC.'inc/auth/'.$conf['authtype'].'.class.php')) { require_once(DOKU_INC.'inc/auth/basic.class.php'); require_once(DOKU_INC.'inc/auth/'.$conf['authtype'].'.class.php'); @@ -50,51 +56,49 @@ if($conf['useacl']){ } else { nice_die($lang['authmodfailed']); } -} -// do the login either by cookie or provided credentials -if($conf['useacl']){ - if($auth){ - if (!isset($_REQUEST['u'])) $_REQUEST['u'] = ''; - if (!isset($_REQUEST['p'])) $_REQUEST['p'] = ''; - if (!isset($_REQUEST['r'])) $_REQUEST['r'] = ''; - $_REQUEST['http_credentials'] = false; - if (!$conf['rememberme']) $_REQUEST['r'] = false; - - // streamline HTTP auth credentials (IIS/rewrite -> mod_php) - if(isset($_SERVER['HTTP_AUTHORIZATION'])){ - list($_SERVER['PHP_AUTH_USER'],$_SERVER['PHP_AUTH_PW']) = - explode(':', base64_decode(substr($_SERVER['HTTP_AUTHORIZATION'], 6))); - } + if(!$auth) return; - // if no credentials were given try to use HTTP auth (for SSO) - if(empty($_REQUEST['u']) && empty($_COOKIE[DOKU_COOKIE]) && !empty($_SERVER['PHP_AUTH_USER'])){ - $_REQUEST['u'] = $_SERVER['PHP_AUTH_USER']; - $_REQUEST['p'] = $_SERVER['PHP_AUTH_PW']; - $_REQUEST['http_credentials'] = true; - } + // do the login either by cookie or provided credentials XXX + if (!isset($_REQUEST['u'])) $_REQUEST['u'] = ''; + if (!isset($_REQUEST['p'])) $_REQUEST['p'] = ''; + if (!isset($_REQUEST['r'])) $_REQUEST['r'] = ''; + $_REQUEST['http_credentials'] = false; + if (!$conf['rememberme']) $_REQUEST['r'] = false; - // apply cleaning - $_REQUEST['u'] = $auth->cleanUser($_REQUEST['u']); + // streamline HTTP auth credentials (IIS/rewrite -> mod_php) + if(isset($_SERVER['HTTP_AUTHORIZATION'])){ + list($_SERVER['PHP_AUTH_USER'],$_SERVER['PHP_AUTH_PW']) = + explode(':', base64_decode(substr($_SERVER['HTTP_AUTHORIZATION'], 6))); + } - if(isset($_REQUEST['authtok'])){ - // when an authentication token is given, trust the session - auth_validateToken($_REQUEST['authtok']); - }elseif(!is_null($auth) && $auth->canDo('external')){ - // external trust mechanism in place - $auth->trustExternal($_REQUEST['u'],$_REQUEST['p'],$_REQUEST['r']); - }else{ - $evdata = array( - 'user' => $_REQUEST['u'], - 'password' => $_REQUEST['p'], - 'sticky' => $_REQUEST['r'], - 'silent' => $_REQUEST['http_credentials'], - ); - trigger_event('AUTH_LOGIN_CHECK', $evdata, 'auth_login_wrapper'); - } + // if no credentials were given try to use HTTP auth (for SSO) + if(empty($_REQUEST['u']) && empty($_COOKIE[DOKU_COOKIE]) && !empty($_SERVER['PHP_AUTH_USER'])){ + $_REQUEST['u'] = $_SERVER['PHP_AUTH_USER']; + $_REQUEST['p'] = $_SERVER['PHP_AUTH_PW']; + $_REQUEST['http_credentials'] = true; + } + + // apply cleaning + $_REQUEST['u'] = $auth->cleanUser($_REQUEST['u']); + + if(isset($_REQUEST['authtok'])){ + // when an authentication token is given, trust the session + auth_validateToken($_REQUEST['authtok']); + }elseif(!is_null($auth) && $auth->canDo('external')){ + // external trust mechanism in place + $auth->trustExternal($_REQUEST['u'],$_REQUEST['p'],$_REQUEST['r']); + }else{ + $evdata = array( + 'user' => $_REQUEST['u'], + 'password' => $_REQUEST['p'], + 'sticky' => $_REQUEST['r'], + 'silent' => $_REQUEST['http_credentials'], + ); + trigger_event('AUTH_LOGIN_CHECK', $evdata, 'auth_login_wrapper'); } - //load ACL into a global array + //load ACL into a global array XXX global $AUTH_ACL; if(is_readable(DOKU_CONF.'acl.auth.php')){ $AUTH_ACL = file(DOKU_CONF.'acl.auth.php'); -- cgit v1.2.3 From 689cba4d4ba37bdcb57ea6c6bbf55e7546d428c3 Mon Sep 17 00:00:00 2001 From: Adrian Lang Date: Tue, 23 Mar 2010 15:23:35 +0100 Subject: No warning for an undefined variable --- inc/auth.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'inc/auth.php') diff --git a/inc/auth.php b/inc/auth.php index 33626cf80..6804c2696 100644 --- a/inc/auth.php +++ b/inc/auth.php @@ -931,7 +931,7 @@ function auth_cryptPassword($clear,$method='',$salt=null){ $magic = '1'; case 'apr1': //from http://de.php.net/manual/en/function.crypt.php#73619 comment by - if(!$magic) $magic = 'apr1'; + if(!defined($magic)) $magic = 'apr1'; $salt = substr($salt,0,8); $len = strlen($clear); $text = $clear.'$'.$magic.'$'.$salt; -- cgit v1.2.3 From 3371a8b471eea344a99f015cdf0ef9089b1f20ef Mon Sep 17 00:00:00 2001 From: Adrian Lang Date: Wed, 24 Mar 2010 11:25:30 +0100 Subject: Fixed selffail. --- inc/auth.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'inc/auth.php') diff --git a/inc/auth.php b/inc/auth.php index 6804c2696..ace379214 100644 --- a/inc/auth.php +++ b/inc/auth.php @@ -931,7 +931,7 @@ function auth_cryptPassword($clear,$method='',$salt=null){ $magic = '1'; case 'apr1': //from http://de.php.net/manual/en/function.crypt.php#73619 comment by - if(!defined($magic)) $magic = 'apr1'; + if(!isset($magic)) $magic = 'apr1'; $salt = substr($salt,0,8); $len = strlen($clear); $text = $clear.'$'.$magic.'$'.$salt; -- cgit v1.2.3 From 9a9714ac71ab80981388c37e9b7f0e7f3505358a Mon Sep 17 00:00:00 2001 From: Dominik Eckelmann Date: Wed, 28 Apr 2010 16:38:27 +0200 Subject: Avoid broken ACL check if Auth Backend fails --- inc/auth.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'inc/auth.php') diff --git a/inc/auth.php b/inc/auth.php index ace379214..564eb0285 100644 --- a/inc/auth.php +++ b/inc/auth.php @@ -33,6 +33,9 @@ define('AUTH_ADMIN',255); function auth_setup(){ global $conf; global $auth; + global $AUTH_ACL; + global $lang; + $AUTH_ACL = array(); if(!$conf['useacl']) return false; @@ -99,7 +102,6 @@ function auth_setup(){ } //load ACL into a global array XXX - global $AUTH_ACL; if(is_readable(DOKU_CONF.'acl.auth.php')){ $AUTH_ACL = file(DOKU_CONF.'acl.auth.php'); //support user wildcard @@ -107,8 +109,6 @@ function auth_setup(){ $AUTH_ACL = str_replace('%USER%',$_SERVER['REMOTE_USER'],$AUTH_ACL); $AUTH_ACL = str_replace('@USER@',$_SERVER['REMOTE_USER'],$AUTH_ACL); //legacy } - }else{ - $AUTH_ACL = array(); } } -- cgit v1.2.3 From 880f62faf63b666adcc1d6aec6a8ead3edb18f59 Mon Sep 17 00:00:00 2001 From: Andreas Gohr Date: Tue, 22 Jun 2010 18:51:00 +0200 Subject: new auth capability 'logout' This patch implements what Adrian's patch "Hide logout button if auth backend cannot logout" intended to do. The 'logoff' capability was used to decide if a special method called $auth->logOff() should be called when the user logs out, not if the backend supports logouts at all. This was a superflous capability since an empty logOff() method is implemented in the base class anyway - it doesn't hurt to always call the method. The 'logoff' capability is now deprecated. Backends who want to do actions on logout simply need to overwrite logOff(). A new capability 'logout' was added which defaults to true. Backends that can't logoff the user (eg. because they use some automatic login/logoff mechanism) can set this to false. Probably makes sense to add a 'login' capability as well... --- inc/auth.php | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) (limited to 'inc/auth.php') diff --git a/inc/auth.php b/inc/auth.php index 564eb0285..70514316c 100644 --- a/inc/auth.php +++ b/inc/auth.php @@ -320,9 +320,7 @@ function auth_logoff($keepbc=false){ setcookie(DOKU_COOKIE,'',time()-600000,DOKU_REL,'',($conf['securecookie'] && is_ssl())); } - if($auth && $auth->canDo('logoff')){ - $auth->logOff(); - } + if($auth) $auth->logOff(); } /** -- cgit v1.2.3 From 80601d26897c5dced80645aaf904085aa08b7bb9 Mon Sep 17 00:00:00 2001 From: Andreas Gohr Date: Sat, 26 Jun 2010 11:20:25 +0200 Subject: fixed wildcard handling in ACL manager FS#1955 This patch also removes legacy support for @USER@. Only %USER% is valid now. --- inc/auth.php | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'inc/auth.php') diff --git a/inc/auth.php b/inc/auth.php index 70514316c..6a4108a7c 100644 --- a/inc/auth.php +++ b/inc/auth.php @@ -107,7 +107,6 @@ function auth_setup(){ //support user wildcard if(isset($_SERVER['REMOTE_USER'])){ $AUTH_ACL = str_replace('%USER%',$_SERVER['REMOTE_USER'],$AUTH_ACL); - $AUTH_ACL = str_replace('@USER@',$_SERVER['REMOTE_USER'],$AUTH_ACL); //legacy } } } @@ -569,6 +568,9 @@ function auth_nameencode($name,$skip_group=false){ $cache =& $cache_authname; $name = (string) $name; + // never encode wildcard FS#1955 + if($name == '%USER%') return $name; + if (!isset($cache[$name][$skip_group])) { if($skip_group && $name{0} =='@'){ $cache[$name][$skip_group] = '@'.preg_replace('/([\x00-\x2f\x3a-\x40\x5b-\x60\x7b-\x7f])/e', -- cgit v1.2.3 From c8f80b4e70ee1b73ecc08cac583d021979af9359 Mon Sep 17 00:00:00 2001 From: Andreas Gohr Date: Sun, 27 Jun 2010 14:43:56 +0200 Subject: Use config_cascade for ACLs and plain auth users FS#1677 --- inc/auth.php | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'inc/auth.php') diff --git a/inc/auth.php b/inc/auth.php index 6a4108a7c..49bb2d4d9 100644 --- a/inc/auth.php +++ b/inc/auth.php @@ -35,6 +35,7 @@ function auth_setup(){ global $auth; global $AUTH_ACL; global $lang; + global $config_cascade; $AUTH_ACL = array(); if(!$conf['useacl']) return false; @@ -102,8 +103,8 @@ function auth_setup(){ } //load ACL into a global array XXX - if(is_readable(DOKU_CONF.'acl.auth.php')){ - $AUTH_ACL = file(DOKU_CONF.'acl.auth.php'); + if(is_readable($config_cascade['acl']['default'])){ + $AUTH_ACL = file($config_cascade['acl']['default']); //support user wildcard if(isset($_SERVER['REMOTE_USER'])){ $AUTH_ACL = str_replace('%USER%',$_SERVER['REMOTE_USER'],$AUTH_ACL); -- cgit v1.2.3 From a6bc56d03c064a1d747ccba79705cbac0e2bd453 Mon Sep 17 00:00:00 2001 From: Andreas Gohr Date: Fri, 27 Aug 2010 10:04:30 +0200 Subject: Do not allow empty strings as superuser or manager FS#2009 --- inc/auth.php | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'inc/auth.php') diff --git a/inc/auth.php b/inc/auth.php index 49bb2d4d9..e1f689f96 100644 --- a/inc/auth.php +++ b/inc/auth.php @@ -350,7 +350,8 @@ function auth_ismanager($user=null,$groups=null,$adminonly=false){ $user = $_SERVER['REMOTE_USER']; } } - $user = $auth->cleanUser($user); + $user = trim($auth->cleanUser($user)); + if($user === '') return false; if(is_null($groups)) $groups = (array) $USERINFO['grps']; $groups = array_map(array($auth,'cleanGroup'),$groups); $user = auth_nameencode($user); @@ -359,6 +360,7 @@ function auth_ismanager($user=null,$groups=null,$adminonly=false){ $superusers = explode(',', $conf['superuser']); $superusers = array_unique($superusers); $superusers = array_map('trim', $superusers); + $superusers = array_filter($superusers); // prepare an array containing only true values for array_map call $alltrue = array_fill(0, count($superusers), true); $superusers = array_map('auth_nameencode', $superusers, $alltrue); @@ -377,6 +379,7 @@ function auth_ismanager($user=null,$groups=null,$adminonly=false){ $managers = explode(',', $conf['manager']); $managers = array_unique($managers); $managers = array_map('trim', $managers); + $managers = array_filter($managers); // prepare an array containing only true values for array_map call $alltrue = array_fill(0, count($managers), true); $managers = array_map('auth_nameencode', $managers, $alltrue); -- cgit v1.2.3