1f3f0262cSandi<? 2f3f0262cSandirequire_once("inc/common.php"); 3f3f0262cSandirequire_once("inc/io.php"); 4*132bdbfeSandirequire_once("inc/blowfish.php"); 5f3f0262cSandi# load the the auth functions 6f3f0262cSandirequire_once('inc/auth_'.$conf['authtype'].'.php'); 7f3f0262cSandi 8f3f0262cSandi# some ACL level defines 9f3f0262cSandidefine('AUTH_NONE',0); 10f3f0262cSandidefine('AUTH_READ',1); 11f3f0262cSandidefine('AUTH_EDIT',2); 12f3f0262cSandidefine('AUTH_CREATE',4); 13f3f0262cSandidefine('AUTH_UPLOAD',8); 14f3f0262cSandidefine('AUTH_GRANT',255); 15f3f0262cSandi 16f3f0262cSandiif($conf['useacl']){ 17*132bdbfeSandi auth_login($_REQUEST['u'],$_REQUEST['p'],$_REQUEST['r']); 18f3f0262cSandi # load ACL into a global array 19f3f0262cSandi $AUTH_ACL = file('conf/acl.auth'); 20f3f0262cSandi} 21f3f0262cSandi 22f3f0262cSandi/** 23f3f0262cSandi * This tries to login the user based on the sent auth credentials 24f3f0262cSandi * 25*132bdbfeSandi * FIXME: Description no longer valid! 26*132bdbfeSandi * 27f3f0262cSandi * The authentication works like this: if a username was given 28f3f0262cSandi * a new login is assumed and user/password are checked - if they 29f3f0262cSandi * are correct a random authtoken is created which is stored in 30f3f0262cSandi * the session _and_ in a cookie. 31f3f0262cSandi * The user stays logged in as long as the session and the cookie 32f3f0262cSandi * match. This still isn't the securest method but requires an 33f3f0262cSandi * attacker to steal an existing session _and_ the authtoken 34f3f0262cSandi * cookie. The actual password is only transfered once per login. 35f3f0262cSandi * 36f3f0262cSandi * On a successful login $_SERVER[REMOTE_USER] and $USERINFO 37f3f0262cSandi * are set. 38f3f0262cSandi*/ 39*132bdbfeSandifunction auth_login($user,$pass,$sticky=false){ 40f3f0262cSandi global $USERINFO; 41f3f0262cSandi global $conf; 42f3f0262cSandi global $lang; 43*132bdbfeSandi $sticky ? $sticky = true : $sticky = false; //sanity check 44f3f0262cSandi 45f3f0262cSandi if(isset($user)){ 46*132bdbfeSandi //usual login 47f3f0262cSandi if (auth_checkPass($user,$pass)){ 48*132bdbfeSandi // make logininfo globally available 49f3f0262cSandi $_SERVER['REMOTE_USER'] = $user; 50*132bdbfeSandi $USERINFO = auth_getUserData($user); //FIXME move all references to session 51*132bdbfeSandi 52*132bdbfeSandi // set cookie 53*132bdbfeSandi $pass = PMA_blowfish_encrypt($pass,auth_cookiesalt()); 54*132bdbfeSandi $cookie = base64_encode("$user|$sticky|$pass"); 55*132bdbfeSandi if($sticky) $time = time()+60*60*24*365; //one year 56*132bdbfeSandi setcookie('DokuWikiAUTH',$cookie,$time); 57*132bdbfeSandi 58*132bdbfeSandi // set session 59*132bdbfeSandi $_SESSION[$conf['title']]['auth']['user'] = $user; 60*132bdbfeSandi $_SESSION[$conf['title']]['auth']['pass'] = $pass; 61*132bdbfeSandi $_SESSION[$conf['title']]['auth']['buid'] = auth_browseruid(); 62*132bdbfeSandi $_SESSION[$conf['title']]['auth']['info'] = $USERINFO; 63*132bdbfeSandi return true; 64f3f0262cSandi }else{ 65f3f0262cSandi //invalid credentials - log off 66f3f0262cSandi msg($lang['badlogin'],-1); 67f3f0262cSandi auth_logoff(); 68*132bdbfeSandi return false; 69f3f0262cSandi } 70f3f0262cSandi }else{ 71*132bdbfeSandi // read cookie information 72*132bdbfeSandi $cookie = base64_decode($_COOKIE['DokuWikiAUTH']); 73*132bdbfeSandi list($user,$sticky,$pass) = split('\|',$cookie,3); 74*132bdbfeSandi // get session info 75*132bdbfeSandi $session = $_SESSION[$conf['title']]['auth']; 76*132bdbfeSandi 77*132bdbfeSandi if($user && $pass){ 78*132bdbfeSandi // we got a cookie - see if we can trust it 79*132bdbfeSandi if(isset($session) && 80*132bdbfeSandi ($session['user'] == $user) && 81*132bdbfeSandi ($session['pass'] == $pass) && //still crypted 82*132bdbfeSandi ($session['buid'] == auth_browseruid()) ){ 83*132bdbfeSandi // he has session, cookie and browser right - let him in 84*132bdbfeSandi $_SERVER['REMOTE_USER'] = $user; 85*132bdbfeSandi $USERINFO = $session['info']; //FIXME move all references to session 86*132bdbfeSandi return true; 87*132bdbfeSandi } 88*132bdbfeSandi // no we don't trust it yet - recheck pass 89*132bdbfeSandi $pass = PMA_blowfish_decrypt($pass,auth_cookiesalt()); 90*132bdbfeSandi return auth_login($user,$pass,$sticky); 91*132bdbfeSandi } 92*132bdbfeSandi } 93f3f0262cSandi //just to be sure 94f3f0262cSandi auth_logoff(); 95*132bdbfeSandi return false; 96f3f0262cSandi} 97*132bdbfeSandi 98*132bdbfeSandi/** 99*132bdbfeSandi * Builds a pseudo UID from browserdata 100*132bdbfeSandi * 101*132bdbfeSandi * This is neither unique nor unfakable - still it adds some 102*132bdbfeSandi * security 103*132bdbfeSandi */ 104*132bdbfeSandifunction auth_browseruid(){ 105*132bdbfeSandi $uid = ''; 106*132bdbfeSandi $uid .= $_SERVER['HTTP_USER_AGENT']; 107*132bdbfeSandi $uid .= $_SERVER['HTTP_ACCEPT_ENCODING']; 108*132bdbfeSandi $uid .= $_SERVER['HTTP_ACCEPT_LANGUAGE']; 109*132bdbfeSandi $uid .= $_SERVER['HTTP_ACCEPT_CHARSET']; 110*132bdbfeSandi return md5($uid); 111*132bdbfeSandi} 112*132bdbfeSandi 113*132bdbfeSandi/** 114*132bdbfeSandi * Creates a random key to encrypt the password in cookies 115*132bdbfeSandi */ 116*132bdbfeSandifunction auth_cookiesalt(){ 117*132bdbfeSandi global $conf; 118*132bdbfeSandi $file = $conf['datadir'].'/.cache/cookiesalt'; 119*132bdbfeSandi $salt = io_readFile($file); 120*132bdbfeSandi if(empty($salt)){ 121*132bdbfeSandi $salt = uniqid(rand(),true); 122*132bdbfeSandi io_saveFile($file,$salt); 123*132bdbfeSandi } 124*132bdbfeSandi return $salt; 125f3f0262cSandi} 126f3f0262cSandi 127f3f0262cSandi/** 128f3f0262cSandi * This clears all authenticationdata and thus log the user 129f3f0262cSandi * off 130f3f0262cSandi */ 131f3f0262cSandifunction auth_logoff(){ 132f3f0262cSandi global $conf; 133f3f0262cSandi global $USERINFO; 134*132bdbfeSandi unset($_SESSION[$conf['title']]['auth']['user']); 135*132bdbfeSandi unset($_SESSION[$conf['title']]['auth']['pass']); 136*132bdbfeSandi unset($_SESSION[$conf['title']]['auth']['info']); 137f3f0262cSandi unset($_SERVER['REMOTE_USER']); 138*132bdbfeSandi $USERINFO=null; //FIXME 139*132bdbfeSandi setcookie('DokuWikiAUTH','',time()-3600); 140f3f0262cSandi} 141f3f0262cSandi 142f3f0262cSandi/** 143f3f0262cSandi * Convinience function for auth_aclcheck 144f3f0262cSandi */ 145f3f0262cSandifunction auth_quickaclcheck($id){ 146f3f0262cSandi global $conf; 147f3f0262cSandi global $USERINFO; 148f3f0262cSandi # if no ACL is used always return upload rights 149f3f0262cSandi if(!$conf['useacl']) return AUTH_UPLOAD; 150f3f0262cSandi return auth_aclcheck($id,$_SERVER['REMOTE_USER'],$USERINFO['grps']); 151f3f0262cSandi} 152f3f0262cSandi 153f3f0262cSandi/** 154f3f0262cSandi * Returns the maximum rights a user has for 155f3f0262cSandi * the given ID or its namespace 156f3f0262cSandi */ 157f3f0262cSandifunction auth_aclcheck($id,$user,$groups){ 158f3f0262cSandi global $conf; 159f3f0262cSandi global $AUTH_ACL; 160f3f0262cSandi 161f3f0262cSandi # if no ACL is used always return upload rights 162f3f0262cSandi if(!$conf['useacl']) return AUTH_UPLOAD; 163f3f0262cSandi 164f3f0262cSandi $ns = getNS($id); 165f3f0262cSandi $perm = -1; 166f3f0262cSandi 167f3f0262cSandi if($user){ 168f3f0262cSandi //prepend groups with @ 169f3f0262cSandi for($i=0; $i<count($groups); $i++){ 170f3f0262cSandi $groups[$i] = '@'.$groups[$i]; 171f3f0262cSandi } 172f3f0262cSandi //add ALL group 173f3f0262cSandi $groups[] = '@ALL'; 174f3f0262cSandi //add User 175f3f0262cSandi $groups[] = $user; 176f3f0262cSandi //build regexp 177f3f0262cSandi $regexp = join('|',$groups); 178f3f0262cSandi }else{ 179f3f0262cSandi $regexp = '@ALL'; 180f3f0262cSandi } 181f3f0262cSandi 182f3f0262cSandi //check exact match first 183f3f0262cSandi $matches = preg_grep('/^'.$id.'\s+('.$regexp.')\s+/',$AUTH_ACL); 184f3f0262cSandi if(count($matches)){ 185f3f0262cSandi foreach($matches as $match){ 186f3f0262cSandi $match = preg_replace('/#.*$/','',$match); //ignore comments 187f3f0262cSandi $acl = preg_split('/\s+/',$match); 188f3f0262cSandi if($acl[2] > $perm){ 189f3f0262cSandi $perm = $acl[2]; 190f3f0262cSandi } 191f3f0262cSandi } 192f3f0262cSandi if($perm > -1){ 193f3f0262cSandi //we had a match - return it 194f3f0262cSandi return $perm; 195f3f0262cSandi } 196f3f0262cSandi } 197f3f0262cSandi 198f3f0262cSandi //still here? do the namespace checks 199f3f0262cSandi if($ns){ 200f3f0262cSandi $path = $ns.':\*'; 201f3f0262cSandi }else{ 202f3f0262cSandi $path = '\*'; //root document 203f3f0262cSandi } 204f3f0262cSandi 205f3f0262cSandi do{ 206f3f0262cSandi $matches = preg_grep('/^'.$path.'\s+('.$regexp.')\s+/',$AUTH_ACL); 207f3f0262cSandi if(count($matches)){ 208f3f0262cSandi foreach($matches as $match){ 209f3f0262cSandi $match = preg_replace('/#.*$/','',$match); //ignore comments 210f3f0262cSandi $acl = preg_split('/\s+/',$match); 211f3f0262cSandi if($acl[2] > $perm){ 212f3f0262cSandi $perm = $acl[2]; 213f3f0262cSandi } 214f3f0262cSandi } 215f3f0262cSandi //we had a match - return it 216f3f0262cSandi return $perm; 217f3f0262cSandi } 218f3f0262cSandi 219f3f0262cSandi //get next higher namespace 220f3f0262cSandi $ns = getNS($ns); 221f3f0262cSandi 222f3f0262cSandi if($path != '\*'){ 223f3f0262cSandi $path = $ns.':\*'; 224f3f0262cSandi if($path == ':\*') $path = '\*'; 225f3f0262cSandi }else{ 226f3f0262cSandi //we did this already 227f3f0262cSandi //looks like there is something wrong with the ACL 228f3f0262cSandi //break here 229f3f0262cSandi return $perm; 230f3f0262cSandi } 231f3f0262cSandi }while(1); //this should never loop endless 232f3f0262cSandi} 233f3f0262cSandi 234f3f0262cSandi/** 235f3f0262cSandi * Create a pronouncable password 236f3f0262cSandi * 237f3f0262cSandi * @see: http://www.phpbuilder.com/annotate/message.php3?id=1014451 238f3f0262cSandi */ 239f3f0262cSandifunction auth_pwgen(){ 240f3f0262cSandi $pw = ''; 241f3f0262cSandi $c = 'bcdfghjklmnprstvwz'; //consonants except hard to speak ones 242f3f0262cSandi $v = 'aeiou'; //vowels 243f3f0262cSandi $a = $c.$v; //both 244f3f0262cSandi 245f3f0262cSandi //use two syllables... 246f3f0262cSandi for($i=0;$i < 2; $i++){ 247f3f0262cSandi $pw .= $c[rand(0, strlen($c)-1)]; 248f3f0262cSandi $pw .= $v[rand(0, strlen($v)-1)]; 249f3f0262cSandi $pw .= $a[rand(0, strlen($a)-1)]; 250f3f0262cSandi } 251f3f0262cSandi //... and add a nice number 252f3f0262cSandi $pw .= rand(10,99); 253f3f0262cSandi 254f3f0262cSandi return $pw; 255f3f0262cSandi} 256f3f0262cSandi 257f3f0262cSandi/** 258f3f0262cSandi * Sends a password to the given user 259f3f0262cSandi * 260f3f0262cSandi * returns true on success 261f3f0262cSandi */ 262f3f0262cSandifunction auth_sendPassword($user,$password){ 263f3f0262cSandi global $conf; 264f3f0262cSandi global $lang; 265f3f0262cSandi $users = auth_loadUserData(); 266f3f0262cSandi $hdrs = ''; 267f3f0262cSandi 268f3f0262cSandi if(!$users[$user]['mail']) return false; 269f3f0262cSandi 270f3f0262cSandi $text = rawLocale('password'); 271f3f0262cSandi $text = str_replace('@DOKUWIKIURL@',getBaseURL(true),$text); 272f3f0262cSandi $text = str_replace('@FULLNAME@',$users[$user]['name'],$text); 273f3f0262cSandi $text = str_replace('@LOGIN@',$user,$text); 274f3f0262cSandi $text = str_replace('@PASSWORD@',$password,$text); 275f3f0262cSandi $text = str_replace('@TITLE@',$conf['title'],$text); 276f3f0262cSandi 277f3f0262cSandi if (!empty($conf['mailfrom'])) { 278f3f0262cSandi $hdrs = 'From: '.$conf['mailfrom']."\n"; 279f3f0262cSandi } 280f3f0262cSandi return @mail($users[$user]['mail'],$lang['regpwmail'],$text,$hdrs); 281f3f0262cSandi} 282f3f0262cSandi 283f3f0262cSandi/** 284f3f0262cSandi * The new user registration - we get our info directly from 285f3f0262cSandi * $_POST 286f3f0262cSandi * 287f3f0262cSandi * It returns true on success and false on any error 288f3f0262cSandi */ 289f3f0262cSandifunction register(){ 290f3f0262cSandi global $lang; 291f3f0262cSandi global $conf; 292f3f0262cSandi 293f3f0262cSandi if(!$_POST['save']) return false; 294f3f0262cSandi if(!$conf['openregister']) return false; 295f3f0262cSandi 296f3f0262cSandi //clean username 297f3f0262cSandi $_POST['login'] = preg_replace('/.*:/','',$_POST['login']); 298f3f0262cSandi $_POST['login'] = cleanID($_POST['login']); 299f3f0262cSandi //clean fullname and email 300f3f0262cSandi $_POST['fullname'] = trim(str_replace(':','',$_POST['fullname'])); 301f3f0262cSandi $_POST['email'] = trim(str_replace(':','',$_POST['email'])); 302f3f0262cSandi 303f3f0262cSandi if( empty($_POST['login']) || 304f3f0262cSandi empty($_POST['fullname']) || 305f3f0262cSandi empty($_POST['email']) ){ 306f3f0262cSandi msg($lang['regmissing'],-1); 307f3f0262cSandi return false; 308f3f0262cSandi } 309f3f0262cSandi 310f3f0262cSandi //check mail 311f3f0262cSandi if(!isvalidemail($_POST['email'])){ 312f3f0262cSandi msg($lang['regbadmail'],-1); 313f3f0262cSandi return false; 314f3f0262cSandi } 315f3f0262cSandi 316f3f0262cSandi //okay try to create the user 317f3f0262cSandi $pass = auth_createUser($_POST['login'],$_POST['fullname'],$_POST['email']); 318f3f0262cSandi if(empty($pass)){ 319f3f0262cSandi msg($lang['reguexists'],-1); 320f3f0262cSandi return false; 321f3f0262cSandi } 322f3f0262cSandi 323f3f0262cSandi //send him the password 324f3f0262cSandi if (auth_sendPassword($_POST['login'],$pass)){ 325f3f0262cSandi msg($lang['regsuccess'],1); 326f3f0262cSandi return true; 327f3f0262cSandi }else{ 328f3f0262cSandi msg($lang['regmailfail'],-1); 329f3f0262cSandi return false; 330f3f0262cSandi } 331f3f0262cSandi} 332f3f0262cSandi 333f3f0262cSandi/** 334f3f0262cSandi * Uses a regular expresion to check if a given mail address is valid 335f3f0262cSandi * 336f3f0262cSandi * @see http://www.webmasterworld.com/forum88/135.htm 337f3f0262cSandi * 338f3f0262cSandi * May not be completly RFC conform! 339f3f0262cSandi */ 340f3f0262cSandifunction isvalidemail($email){ 341f3f0262cSandi return eregi("^[0-9a-z]([-_.]?[0-9a-z])*@[0-9a-z]([-.]?[0-9a-z])*\\.[a-z]{2,4}$", $email); 342f3f0262cSandi} 343f3f0262cSandi 344f3f0262cSandi?> 345