1f3f0262cSandi<? 215fae107Sandi/** 315fae107Sandi * Authentication library 415fae107Sandi * 515fae107Sandi * Including this file will automatically try to login 615fae107Sandi * a user by calling auth_login() 715fae107Sandi * 815fae107Sandi * @license GPL 2 (http://www.gnu.org/licenses/gpl.html) 915fae107Sandi * @author Andreas Gohr <andi@splitbrain.org> 1015fae107Sandi */ 1115fae107Sandi 12f3f0262cSandi require_once("inc/common.php"); 13f3f0262cSandi require_once("inc/io.php"); 14132bdbfeSandi require_once("inc/blowfish.php"); 15*44f669e9Sandi require_once("inc/mail.php"); 1615fae107Sandi // load the the auth functions 17f3f0262cSandi require_once('inc/auth_'.$conf['authtype'].'.php'); 18f3f0262cSandi 1915fae107Sandi // some ACL level defines 20f3f0262cSandi define('AUTH_NONE',0); 21f3f0262cSandi define('AUTH_READ',1); 22f3f0262cSandi define('AUTH_EDIT',2); 23f3f0262cSandi define('AUTH_CREATE',4); 24f3f0262cSandi define('AUTH_UPLOAD',8); 25f3f0262cSandi define('AUTH_GRANT',255); 26f3f0262cSandi 27f3f0262cSandi if($conf['useacl']){ 28132bdbfeSandi auth_login($_REQUEST['u'],$_REQUEST['p'],$_REQUEST['r']); 2915fae107Sandi // load ACL into a global array 30f3f0262cSandi $AUTH_ACL = file('conf/acl.auth'); 31f3f0262cSandi } 32f3f0262cSandi 33f3f0262cSandi/** 34f3f0262cSandi * This tries to login the user based on the sent auth credentials 35f3f0262cSandi * 36f3f0262cSandi * The authentication works like this: if a username was given 3715fae107Sandi * a new login is assumed and user/password are checked. If they 3815fae107Sandi * are correct the password is encrypted with blowfish and stored 3915fae107Sandi * together with the username in a cookie - the same info is stored 4015fae107Sandi * in the session, too. Additonally a browserID is stored in the 4115fae107Sandi * session. 4215fae107Sandi * 4315fae107Sandi * If no username was given the cookie is checked: if the username, 4415fae107Sandi * crypted password and browserID match between session and cookie 4515fae107Sandi * no further testing is done and the user is accepted 4615fae107Sandi * 4715fae107Sandi * If a cookie was found but no session info was availabe the 4815fae107Sandi * blowish encrypted password from the cookie is decrypted and 4915fae107Sandi * together with username rechecked by calling this function again. 50f3f0262cSandi * 51f3f0262cSandi * On a successful login $_SERVER[REMOTE_USER] and $USERINFO 52f3f0262cSandi * are set. 5315fae107Sandi * 5415fae107Sandi * @author Andreas Gohr <andi@splitbrain.org> 5515fae107Sandi * 5615fae107Sandi * @param string $user Username 5715fae107Sandi * @param string $pass Cleartext Password 5815fae107Sandi * @param bool $sticky Cookie should not expire 5915fae107Sandi * @return bool true on successful auth 60f3f0262cSandi*/ 61132bdbfeSandifunction auth_login($user,$pass,$sticky=false){ 62f3f0262cSandi global $USERINFO; 63f3f0262cSandi global $conf; 64f3f0262cSandi global $lang; 65132bdbfeSandi $sticky ? $sticky = true : $sticky = false; //sanity check 66f3f0262cSandi 67f3f0262cSandi if(isset($user)){ 68132bdbfeSandi //usual login 69f3f0262cSandi if (auth_checkPass($user,$pass)){ 70132bdbfeSandi // make logininfo globally available 71f3f0262cSandi $_SERVER['REMOTE_USER'] = $user; 72132bdbfeSandi $USERINFO = auth_getUserData($user); //FIXME move all references to session 73132bdbfeSandi 74132bdbfeSandi // set cookie 75132bdbfeSandi $pass = PMA_blowfish_encrypt($pass,auth_cookiesalt()); 76132bdbfeSandi $cookie = base64_encode("$user|$sticky|$pass"); 77132bdbfeSandi if($sticky) $time = time()+60*60*24*365; //one year 78132bdbfeSandi setcookie('DokuWikiAUTH',$cookie,$time); 79132bdbfeSandi 80132bdbfeSandi // set session 81132bdbfeSandi $_SESSION[$conf['title']]['auth']['user'] = $user; 82132bdbfeSandi $_SESSION[$conf['title']]['auth']['pass'] = $pass; 83132bdbfeSandi $_SESSION[$conf['title']]['auth']['buid'] = auth_browseruid(); 84132bdbfeSandi $_SESSION[$conf['title']]['auth']['info'] = $USERINFO; 85132bdbfeSandi return true; 86f3f0262cSandi }else{ 87f3f0262cSandi //invalid credentials - log off 88f3f0262cSandi msg($lang['badlogin'],-1); 89f3f0262cSandi auth_logoff(); 90132bdbfeSandi return false; 91f3f0262cSandi } 92f3f0262cSandi }else{ 93132bdbfeSandi // read cookie information 94132bdbfeSandi $cookie = base64_decode($_COOKIE['DokuWikiAUTH']); 95132bdbfeSandi list($user,$sticky,$pass) = split('\|',$cookie,3); 96132bdbfeSandi // get session info 97132bdbfeSandi $session = $_SESSION[$conf['title']]['auth']; 98132bdbfeSandi 99132bdbfeSandi if($user && $pass){ 100132bdbfeSandi // we got a cookie - see if we can trust it 101132bdbfeSandi if(isset($session) && 102132bdbfeSandi ($session['user'] == $user) && 103132bdbfeSandi ($session['pass'] == $pass) && //still crypted 104132bdbfeSandi ($session['buid'] == auth_browseruid()) ){ 105132bdbfeSandi // he has session, cookie and browser right - let him in 106132bdbfeSandi $_SERVER['REMOTE_USER'] = $user; 107132bdbfeSandi $USERINFO = $session['info']; //FIXME move all references to session 108132bdbfeSandi return true; 109132bdbfeSandi } 110132bdbfeSandi // no we don't trust it yet - recheck pass 111132bdbfeSandi $pass = PMA_blowfish_decrypt($pass,auth_cookiesalt()); 112132bdbfeSandi return auth_login($user,$pass,$sticky); 113132bdbfeSandi } 114132bdbfeSandi } 115f3f0262cSandi //just to be sure 116f3f0262cSandi auth_logoff(); 117132bdbfeSandi return false; 118f3f0262cSandi} 119132bdbfeSandi 120132bdbfeSandi/** 121132bdbfeSandi * Builds a pseudo UID from browserdata 122132bdbfeSandi * 123132bdbfeSandi * This is neither unique nor unfakable - still it adds some 124132bdbfeSandi * security 12515fae107Sandi * 12615fae107Sandi * @author Andreas Gohr <andi@splitbrain.org> 12715fae107Sandi * 12815fae107Sandi * @return string a MD5 sum of various browser headers 129132bdbfeSandi */ 130132bdbfeSandifunction auth_browseruid(){ 131132bdbfeSandi $uid = ''; 132132bdbfeSandi $uid .= $_SERVER['HTTP_USER_AGENT']; 133132bdbfeSandi $uid .= $_SERVER['HTTP_ACCEPT_ENCODING']; 134132bdbfeSandi $uid .= $_SERVER['HTTP_ACCEPT_LANGUAGE']; 135132bdbfeSandi $uid .= $_SERVER['HTTP_ACCEPT_CHARSET']; 136132bdbfeSandi return md5($uid); 137132bdbfeSandi} 138132bdbfeSandi 139132bdbfeSandi/** 140132bdbfeSandi * Creates a random key to encrypt the password in cookies 14115fae107Sandi * 14215fae107Sandi * This function tries to read the password for encrypting 14315fae107Sandi * cookies from $conf['datadir'].'/.cache/cookiesalt' 14415fae107Sandi * if no such file is found a random key is created and 14515fae107Sandi * and stored in this file. 14615fae107Sandi * 14715fae107Sandi * @author Andreas Gohr <andi@splitbrain.org> 14815fae107Sandi * 14915fae107Sandi * @return string 150132bdbfeSandi */ 151132bdbfeSandifunction auth_cookiesalt(){ 152132bdbfeSandi global $conf; 153132bdbfeSandi $file = $conf['datadir'].'/.cache/cookiesalt'; 154132bdbfeSandi $salt = io_readFile($file); 155132bdbfeSandi if(empty($salt)){ 156132bdbfeSandi $salt = uniqid(rand(),true); 157132bdbfeSandi io_saveFile($file,$salt); 158132bdbfeSandi } 159132bdbfeSandi return $salt; 160f3f0262cSandi} 161f3f0262cSandi 162f3f0262cSandi/** 163f3f0262cSandi * This clears all authenticationdata and thus log the user 164f3f0262cSandi * off 16515fae107Sandi * 16615fae107Sandi * @author Andreas Gohr <andi@splitbrain.org> 167f3f0262cSandi */ 168f3f0262cSandifunction auth_logoff(){ 169f3f0262cSandi global $conf; 170f3f0262cSandi global $USERINFO; 171132bdbfeSandi unset($_SESSION[$conf['title']]['auth']['user']); 172132bdbfeSandi unset($_SESSION[$conf['title']]['auth']['pass']); 173132bdbfeSandi unset($_SESSION[$conf['title']]['auth']['info']); 174f3f0262cSandi unset($_SERVER['REMOTE_USER']); 175132bdbfeSandi $USERINFO=null; //FIXME 176132bdbfeSandi setcookie('DokuWikiAUTH','',time()-3600); 177f3f0262cSandi} 178f3f0262cSandi 179f3f0262cSandi/** 18015fae107Sandi * Convinience function for auth_aclcheck() 18115fae107Sandi * 18215fae107Sandi * This checks the permissions for the current user 18315fae107Sandi * 18415fae107Sandi * @author Andreas Gohr <andi@splitbrain.org> 18515fae107Sandi * 18615fae107Sandi * @param string $id page ID 18715fae107Sandi * @return int permission level 188f3f0262cSandi */ 189f3f0262cSandifunction auth_quickaclcheck($id){ 190f3f0262cSandi global $conf; 191f3f0262cSandi global $USERINFO; 192f3f0262cSandi # if no ACL is used always return upload rights 193f3f0262cSandi if(!$conf['useacl']) return AUTH_UPLOAD; 194f3f0262cSandi return auth_aclcheck($id,$_SERVER['REMOTE_USER'],$USERINFO['grps']); 195f3f0262cSandi} 196f3f0262cSandi 197f3f0262cSandi/** 198f3f0262cSandi * Returns the maximum rights a user has for 199f3f0262cSandi * the given ID or its namespace 20015fae107Sandi * 20115fae107Sandi * @author Andreas Gohr <andi@splitbrain.org> 20215fae107Sandi * 20315fae107Sandi * @param string $id page ID 20415fae107Sandi * @param string $user Username 20515fae107Sandi * @param array $groups Array of groups the user is in 20615fae107Sandi * @return int permission level 207f3f0262cSandi */ 208f3f0262cSandifunction auth_aclcheck($id,$user,$groups){ 209f3f0262cSandi global $conf; 210f3f0262cSandi global $AUTH_ACL; 211f3f0262cSandi 212f3f0262cSandi # if no ACL is used always return upload rights 213f3f0262cSandi if(!$conf['useacl']) return AUTH_UPLOAD; 214f3f0262cSandi 215f3f0262cSandi $ns = getNS($id); 216f3f0262cSandi $perm = -1; 217f3f0262cSandi 218f3f0262cSandi if($user){ 219f3f0262cSandi //prepend groups with @ 220f3f0262cSandi for($i=0; $i<count($groups); $i++){ 221f3f0262cSandi $groups[$i] = '@'.$groups[$i]; 222f3f0262cSandi } 223f3f0262cSandi //add ALL group 224f3f0262cSandi $groups[] = '@ALL'; 225f3f0262cSandi //add User 226f3f0262cSandi $groups[] = $user; 227f3f0262cSandi //build regexp 228f3f0262cSandi $regexp = join('|',$groups); 229f3f0262cSandi }else{ 230f3f0262cSandi $regexp = '@ALL'; 231f3f0262cSandi } 232f3f0262cSandi 233f3f0262cSandi //check exact match first 234f3f0262cSandi $matches = preg_grep('/^'.$id.'\s+('.$regexp.')\s+/',$AUTH_ACL); 235f3f0262cSandi if(count($matches)){ 236f3f0262cSandi foreach($matches as $match){ 237f3f0262cSandi $match = preg_replace('/#.*$/','',$match); //ignore comments 238f3f0262cSandi $acl = preg_split('/\s+/',$match); 239f3f0262cSandi if($acl[2] > $perm){ 240f3f0262cSandi $perm = $acl[2]; 241f3f0262cSandi } 242f3f0262cSandi } 243f3f0262cSandi if($perm > -1){ 244f3f0262cSandi //we had a match - return it 245f3f0262cSandi return $perm; 246f3f0262cSandi } 247f3f0262cSandi } 248f3f0262cSandi 249f3f0262cSandi //still here? do the namespace checks 250f3f0262cSandi if($ns){ 251f3f0262cSandi $path = $ns.':\*'; 252f3f0262cSandi }else{ 253f3f0262cSandi $path = '\*'; //root document 254f3f0262cSandi } 255f3f0262cSandi 256f3f0262cSandi do{ 257f3f0262cSandi $matches = preg_grep('/^'.$path.'\s+('.$regexp.')\s+/',$AUTH_ACL); 258f3f0262cSandi if(count($matches)){ 259f3f0262cSandi foreach($matches as $match){ 260f3f0262cSandi $match = preg_replace('/#.*$/','',$match); //ignore comments 261f3f0262cSandi $acl = preg_split('/\s+/',$match); 262f3f0262cSandi if($acl[2] > $perm){ 263f3f0262cSandi $perm = $acl[2]; 264f3f0262cSandi } 265f3f0262cSandi } 266f3f0262cSandi //we had a match - return it 267f3f0262cSandi return $perm; 268f3f0262cSandi } 269f3f0262cSandi 270f3f0262cSandi //get next higher namespace 271f3f0262cSandi $ns = getNS($ns); 272f3f0262cSandi 273f3f0262cSandi if($path != '\*'){ 274f3f0262cSandi $path = $ns.':\*'; 275f3f0262cSandi if($path == ':\*') $path = '\*'; 276f3f0262cSandi }else{ 277f3f0262cSandi //we did this already 278f3f0262cSandi //looks like there is something wrong with the ACL 279f3f0262cSandi //break here 280f3f0262cSandi return $perm; 281f3f0262cSandi } 282f3f0262cSandi }while(1); //this should never loop endless 283f3f0262cSandi} 284f3f0262cSandi 285f3f0262cSandi/** 286f3f0262cSandi * Create a pronouncable password 287f3f0262cSandi * 28815fae107Sandi * @author Andreas Gohr <andi@splitbrain.org> 28915fae107Sandi * @link http://www.phpbuilder.com/annotate/message.php3?id=1014451 29015fae107Sandi * 29115fae107Sandi * @return string pronouncable password 292f3f0262cSandi */ 293f3f0262cSandifunction auth_pwgen(){ 294f3f0262cSandi $pw = ''; 295f3f0262cSandi $c = 'bcdfghjklmnprstvwz'; //consonants except hard to speak ones 296f3f0262cSandi $v = 'aeiou'; //vowels 297f3f0262cSandi $a = $c.$v; //both 298f3f0262cSandi 299f3f0262cSandi //use two syllables... 300f3f0262cSandi for($i=0;$i < 2; $i++){ 301f3f0262cSandi $pw .= $c[rand(0, strlen($c)-1)]; 302f3f0262cSandi $pw .= $v[rand(0, strlen($v)-1)]; 303f3f0262cSandi $pw .= $a[rand(0, strlen($a)-1)]; 304f3f0262cSandi } 305f3f0262cSandi //... and add a nice number 306f3f0262cSandi $pw .= rand(10,99); 307f3f0262cSandi 308f3f0262cSandi return $pw; 309f3f0262cSandi} 310f3f0262cSandi 311f3f0262cSandi/** 312f3f0262cSandi * Sends a password to the given user 313f3f0262cSandi * 31415fae107Sandi * @author Andreas Gohr <andi@splitbrain.org> 31515fae107Sandi * 31615fae107Sandi * @return bool true on success 317f3f0262cSandi */ 318f3f0262cSandifunction auth_sendPassword($user,$password){ 319f3f0262cSandi global $conf; 320f3f0262cSandi global $lang; 321f3f0262cSandi $hdrs = ''; 32287ddda95Sandi $userinfo = auth_getUserData($user); 323f3f0262cSandi 32487ddda95Sandi if(!$userinfo['mail']) return false; 325f3f0262cSandi 326f3f0262cSandi $text = rawLocale('password'); 327f3f0262cSandi $text = str_replace('@DOKUWIKIURL@',getBaseURL(true),$text); 32887ddda95Sandi $text = str_replace('@FULLNAME@',$userinfo['name'],$text); 329f3f0262cSandi $text = str_replace('@LOGIN@',$user,$text); 330f3f0262cSandi $text = str_replace('@PASSWORD@',$password,$text); 331f3f0262cSandi $text = str_replace('@TITLE@',$conf['title'],$text); 332f3f0262cSandi 333*44f669e9Sandi return mail_send($userinfo['name'].' <'.$userinfo['mail'].'>', 334*44f669e9Sandi $lang['regpwmail'], 335*44f669e9Sandi $text, 336*44f669e9Sandi $conf['mailfrom']); 337f3f0262cSandi} 338f3f0262cSandi 339f3f0262cSandi/** 34015fae107Sandi * Register a new user 341f3f0262cSandi * 34215fae107Sandi * This registers a new user - Data is read directly from $_POST 34315fae107Sandi * 34415fae107Sandi * @author Andreas Gohr <andi@splitbrain.org> 34515fae107Sandi * 34615fae107Sandi * @return bool true on success, false on any error 347f3f0262cSandi */ 348f3f0262cSandifunction register(){ 349f3f0262cSandi global $lang; 350f3f0262cSandi global $conf; 351f3f0262cSandi 352f3f0262cSandi if(!$_POST['save']) return false; 353f3f0262cSandi if(!$conf['openregister']) return false; 354f3f0262cSandi 355f3f0262cSandi //clean username 356f3f0262cSandi $_POST['login'] = preg_replace('/.*:/','',$_POST['login']); 357f3f0262cSandi $_POST['login'] = cleanID($_POST['login']); 358f3f0262cSandi //clean fullname and email 359f3f0262cSandi $_POST['fullname'] = trim(str_replace(':','',$_POST['fullname'])); 360f3f0262cSandi $_POST['email'] = trim(str_replace(':','',$_POST['email'])); 361f3f0262cSandi 362f3f0262cSandi if( empty($_POST['login']) || 363f3f0262cSandi empty($_POST['fullname']) || 364f3f0262cSandi empty($_POST['email']) ){ 365f3f0262cSandi msg($lang['regmissing'],-1); 366f3f0262cSandi return false; 367f3f0262cSandi } 368f3f0262cSandi 369f3f0262cSandi //check mail 370*44f669e9Sandi if(!mail_isvalid($_POST['email'])){ 371f3f0262cSandi msg($lang['regbadmail'],-1); 372f3f0262cSandi return false; 373f3f0262cSandi } 374f3f0262cSandi 375f3f0262cSandi //okay try to create the user 376f3f0262cSandi $pass = auth_createUser($_POST['login'],$_POST['fullname'],$_POST['email']); 377f3f0262cSandi if(empty($pass)){ 378f3f0262cSandi msg($lang['reguexists'],-1); 379f3f0262cSandi return false; 380f3f0262cSandi } 381f3f0262cSandi 382f3f0262cSandi //send him the password 383f3f0262cSandi if (auth_sendPassword($_POST['login'],$pass)){ 384f3f0262cSandi msg($lang['regsuccess'],1); 385f3f0262cSandi return true; 386f3f0262cSandi }else{ 387f3f0262cSandi msg($lang['regmailfail'],-1); 388f3f0262cSandi return false; 389f3f0262cSandi } 390f3f0262cSandi} 391f3f0262cSandi 392f3f0262cSandi?> 393