xref: /dokuwiki/inc/auth.php (revision cab2716ac2fbdb0903e4d1c357c8fb630fdd6b0d) 
1ed7b5f09Sandi<?php
215fae107Sandi/**
315fae107Sandi * Authentication library
415fae107Sandi *
515fae107Sandi * Including this file will automatically try to login
615fae107Sandi * a user by calling auth_login()
715fae107Sandi *
815fae107Sandi * @license    GPL 2 (http://www.gnu.org/licenses/gpl.html)
915fae107Sandi * @author     Andreas Gohr <andi@splitbrain.org>
1015fae107Sandi */
1115fae107Sandi
12ed7b5f09Sandi  if(!defined('DOKU_INC')) define('DOKU_INC',realpath(dirname(__FILE__).'/../').'/');
13ed7b5f09Sandi  require_once(DOKU_INC.'inc/common.php');
14ed7b5f09Sandi  require_once(DOKU_INC.'inc/io.php');
15ed7b5f09Sandi  require_once(DOKU_INC.'inc/blowfish.php');
16ed7b5f09Sandi  require_once(DOKU_INC.'inc/mail.php');
1715fae107Sandi  // load the the auth functions
18ed7b5f09Sandi  require_once(DOKU_INC.'inc/auth_'.$conf['authtype'].'.php');
19f3f0262cSandi
2015fae107Sandi  // some ACL level defines
21f3f0262cSandi  define('AUTH_NONE',0);
22f3f0262cSandi  define('AUTH_READ',1);
23f3f0262cSandi  define('AUTH_EDIT',2);
24f3f0262cSandi  define('AUTH_CREATE',4);
25f3f0262cSandi  define('AUTH_UPLOAD',8);
2610a76f6fSfrank  define('AUTH_ADMIN',255);
27f3f0262cSandi
28f3f0262cSandi  if($conf['useacl']){
29132bdbfeSandi    auth_login($_REQUEST['u'],$_REQUEST['p'],$_REQUEST['r']);
3015fae107Sandi    //load ACL into a global array
31f3f0262cSandi    $AUTH_ACL = file('conf/acl.auth');
32f3f0262cSandi  }
33f3f0262cSandi
34f3f0262cSandi/**
35f3f0262cSandi * This tries to login the user based on the sent auth credentials
36f3f0262cSandi *
37f3f0262cSandi * The authentication works like this: if a username was given
3815fae107Sandi * a new login is assumed and user/password are checked. If they
3915fae107Sandi * are correct the password is encrypted with blowfish and stored
4015fae107Sandi * together with the username in a cookie - the same info is stored
4115fae107Sandi * in the session, too. Additonally a browserID is stored in the
4215fae107Sandi * session.
4315fae107Sandi *
4415fae107Sandi * If no username was given the cookie is checked: if the username,
4515fae107Sandi * crypted password and browserID match between session and cookie
4615fae107Sandi * no further testing is done and the user is accepted
4715fae107Sandi *
4815fae107Sandi * If a cookie was found but no session info was availabe the
49136ce040Sandi * blowfish encrypted password from the cookie is decrypted and
5015fae107Sandi * together with username rechecked by calling this function again.
51f3f0262cSandi *
52f3f0262cSandi * On a successful login $_SERVER[REMOTE_USER] and $USERINFO
53f3f0262cSandi * are set.
5415fae107Sandi *
5515fae107Sandi * @author  Andreas Gohr <andi@splitbrain.org>
5615fae107Sandi *
5715fae107Sandi * @param   string  $user    Username
5815fae107Sandi * @param   string  $pass    Cleartext Password
5915fae107Sandi * @param   bool    $sticky  Cookie should not expire
6015fae107Sandi * @return  bool             true on successful auth
61f3f0262cSandi*/
62132bdbfeSandifunction auth_login($user,$pass,$sticky=false){
63f3f0262cSandi  global $USERINFO;
64f3f0262cSandi  global $conf;
65f3f0262cSandi  global $lang;
66132bdbfeSandi  $sticky ? $sticky = true : $sticky = false; //sanity check
67f3f0262cSandi
68f3f0262cSandi  if(isset($user)){
69132bdbfeSandi    //usual login
70f3f0262cSandi    if (auth_checkPass($user,$pass)){
71132bdbfeSandi      // make logininfo globally available
72f3f0262cSandi      $_SERVER['REMOTE_USER'] = $user;
73132bdbfeSandi      $USERINFO = auth_getUserData($user); //FIXME move all references to session
74132bdbfeSandi
75132bdbfeSandi      // set cookie
76132bdbfeSandi      $pass   = PMA_blowfish_encrypt($pass,auth_cookiesalt());
77132bdbfeSandi      $cookie = base64_encode("$user|$sticky|$pass");
78132bdbfeSandi      if($sticky) $time = time()+60*60*24*365; //one year
79132bdbfeSandi      setcookie('DokuWikiAUTH',$cookie,$time);
80132bdbfeSandi
81132bdbfeSandi      // set session
82132bdbfeSandi      $_SESSION[$conf['title']]['auth']['user'] = $user;
83132bdbfeSandi      $_SESSION[$conf['title']]['auth']['pass'] = $pass;
84132bdbfeSandi      $_SESSION[$conf['title']]['auth']['buid'] = auth_browseruid();
85132bdbfeSandi      $_SESSION[$conf['title']]['auth']['info'] = $USERINFO;
86132bdbfeSandi      return true;
87f3f0262cSandi    }else{
88f3f0262cSandi      //invalid credentials - log off
89f3f0262cSandi      msg($lang['badlogin'],-1);
90f3f0262cSandi      auth_logoff();
91132bdbfeSandi      return false;
92f3f0262cSandi    }
93f3f0262cSandi  }else{
94132bdbfeSandi    // read cookie information
95132bdbfeSandi    $cookie = base64_decode($_COOKIE['DokuWikiAUTH']);
96132bdbfeSandi    list($user,$sticky,$pass) = split('\|',$cookie,3);
97132bdbfeSandi    // get session info
98132bdbfeSandi    $session = $_SESSION[$conf['title']]['auth'];
99132bdbfeSandi
100132bdbfeSandi    if($user && $pass){
101132bdbfeSandi      // we got a cookie - see if we can trust it
102132bdbfeSandi      if(isset($session) &&
103132bdbfeSandi        ($session['user'] == $user) &&
104132bdbfeSandi        ($session['pass'] == $pass) &&  //still crypted
105132bdbfeSandi        ($session['buid'] == auth_browseruid()) ){
106132bdbfeSandi        // he has session, cookie and browser right - let him in
107132bdbfeSandi        $_SERVER['REMOTE_USER'] = $user;
108132bdbfeSandi        $USERINFO = $session['info']; //FIXME move all references to session
109132bdbfeSandi        return true;
110132bdbfeSandi      }
111132bdbfeSandi      // no we don't trust it yet - recheck pass
112132bdbfeSandi      $pass = PMA_blowfish_decrypt($pass,auth_cookiesalt());
113132bdbfeSandi      return auth_login($user,$pass,$sticky);
114132bdbfeSandi    }
115132bdbfeSandi  }
116f3f0262cSandi  //just to be sure
117f3f0262cSandi  auth_logoff();
118132bdbfeSandi  return false;
119f3f0262cSandi}
120132bdbfeSandi
121132bdbfeSandi/**
122136ce040Sandi * Builds a pseudo UID from browser and IP data
123132bdbfeSandi *
124132bdbfeSandi * This is neither unique nor unfakable - still it adds some
125136ce040Sandi * security. Using the first part of the IP makes sure
126136ce040Sandi * proxy farms like AOLs are stil okay.
12715fae107Sandi *
12815fae107Sandi * @author  Andreas Gohr <andi@splitbrain.org>
12915fae107Sandi *
13015fae107Sandi * @return  string  a MD5 sum of various browser headers
131132bdbfeSandi */
132132bdbfeSandifunction auth_browseruid(){
133132bdbfeSandi  $uid  = '';
134132bdbfeSandi  $uid .= $_SERVER['HTTP_USER_AGENT'];
135132bdbfeSandi  $uid .= $_SERVER['HTTP_ACCEPT_ENCODING'];
136132bdbfeSandi  $uid .= $_SERVER['HTTP_ACCEPT_LANGUAGE'];
137132bdbfeSandi  $uid .= $_SERVER['HTTP_ACCEPT_CHARSET'];
138136ce040Sandi  $uid .= substr($_SERVER['REMOTE_ADDR'],0,strpos($_SERVER['REMOTE_ADDR'],'.'));
139132bdbfeSandi  return md5($uid);
140132bdbfeSandi}
141132bdbfeSandi
142132bdbfeSandi/**
143132bdbfeSandi * Creates a random key to encrypt the password in cookies
14415fae107Sandi *
14515fae107Sandi * This function tries to read the password for encrypting
1469afe4dbfSjan * cookies from $conf['datadir'].'/_cache/_htcookiesalt'
14715fae107Sandi * if no such file is found a random key is created and
14815fae107Sandi * and stored in this file.
14915fae107Sandi *
15015fae107Sandi * @author  Andreas Gohr <andi@splitbrain.org>
15115fae107Sandi *
15215fae107Sandi * @return  string
153132bdbfeSandi */
154132bdbfeSandifunction auth_cookiesalt(){
155132bdbfeSandi  global $conf;
1569afe4dbfSjan  $file = $conf['datadir'].'/_cache/_htcookiesalt';
157132bdbfeSandi  $salt = io_readFile($file);
158132bdbfeSandi  if(empty($salt)){
159132bdbfeSandi    $salt = uniqid(rand(),true);
160132bdbfeSandi    io_saveFile($file,$salt);
161132bdbfeSandi  }
162132bdbfeSandi  return $salt;
163f3f0262cSandi}
164f3f0262cSandi
165f3f0262cSandi/**
166f3f0262cSandi * This clears all authenticationdata and thus log the user
167f3f0262cSandi * off
16815fae107Sandi *
16915fae107Sandi * @author  Andreas Gohr <andi@splitbrain.org>
170f3f0262cSandi */
171f3f0262cSandifunction auth_logoff(){
172f3f0262cSandi  global $conf;
173f3f0262cSandi  global $USERINFO;
174132bdbfeSandi  unset($_SESSION[$conf['title']]['auth']['user']);
175132bdbfeSandi  unset($_SESSION[$conf['title']]['auth']['pass']);
176132bdbfeSandi  unset($_SESSION[$conf['title']]['auth']['info']);
177f3f0262cSandi  unset($_SERVER['REMOTE_USER']);
178132bdbfeSandi  $USERINFO=null; //FIXME
179132bdbfeSandi  setcookie('DokuWikiAUTH','',time()-3600);
180f3f0262cSandi}
181f3f0262cSandi
182f3f0262cSandi/**
18315fae107Sandi * Convinience function for auth_aclcheck()
18415fae107Sandi *
18515fae107Sandi * This checks the permissions for the current user
18615fae107Sandi *
18715fae107Sandi * @author  Andreas Gohr <andi@splitbrain.org>
18815fae107Sandi *
18915fae107Sandi * @param  string  $id  page ID
19015fae107Sandi * @return int          permission level
191f3f0262cSandi */
192f3f0262cSandifunction auth_quickaclcheck($id){
193f3f0262cSandi  global $conf;
194f3f0262cSandi  global $USERINFO;
195f3f0262cSandi  # if no ACL is used always return upload rights
196f3f0262cSandi  if(!$conf['useacl']) return AUTH_UPLOAD;
197f3f0262cSandi  return auth_aclcheck($id,$_SERVER['REMOTE_USER'],$USERINFO['grps']);
198f3f0262cSandi}
199f3f0262cSandi
200f3f0262cSandi/**
201f3f0262cSandi * Returns the maximum rights a user has for
202f3f0262cSandi * the given ID or its namespace
20315fae107Sandi *
20415fae107Sandi * @author  Andreas Gohr <andi@splitbrain.org>
20515fae107Sandi *
20615fae107Sandi * @param  string  $id     page ID
20715fae107Sandi * @param  string  $user   Username
20815fae107Sandi * @param  array   $groups Array of groups the user is in
20915fae107Sandi * @return int             permission level
210f3f0262cSandi */
211f3f0262cSandifunction auth_aclcheck($id,$user,$groups){
212f3f0262cSandi  global $conf;
213f3f0262cSandi  global $AUTH_ACL;
214f3f0262cSandi
215f3f0262cSandi  # if no ACL is used always return upload rights
216f3f0262cSandi  if(!$conf['useacl']) return AUTH_UPLOAD;
217f3f0262cSandi
21810a76f6fSfrank  //if user is superuser return 255 (acl_admin)
21910a76f6fSfrank  if($conf['superuser'] == $user) { return AUTH_ADMIN; }
22010a76f6fSfrank
221074cf26bSandi  //make sure groups is an array
222074cf26bSandi  if(!is_array($groups)) $groups = array();
223074cf26bSandi
22410a76f6fSfrank  //prepend groups with @
2252cd2db38Sandi  $cnt = count($groups);
2262cd2db38Sandi  for($i=0; $i<$cnt; $i++){
22710a76f6fSfrank    $groups[$i] = '@'.$groups[$i];
22810a76f6fSfrank  }
22910a76f6fSfrank  //if user is in superuser group return 255 (acl_admin)
23010a76f6fSfrank  if(in_array($conf['superuser'], $groups)) { return AUTH_ADMIN; }
23110a76f6fSfrank
232f3f0262cSandi  $ns    = getNS($id);
233f3f0262cSandi  $perm  = -1;
234f3f0262cSandi
235f3f0262cSandi  if($user){
236f3f0262cSandi    //add ALL group
237f3f0262cSandi    $groups[] = '@ALL';
238f3f0262cSandi    //add User
239f3f0262cSandi    $groups[] = $user;
240f3f0262cSandi    //build regexp
241f3f0262cSandi    $regexp   = join('|',$groups);
242f3f0262cSandi  }else{
243f3f0262cSandi    $regexp = '@ALL';
244f3f0262cSandi  }
245f3f0262cSandi
246f3f0262cSandi  //check exact match first
247f3f0262cSandi  $matches = preg_grep('/^'.$id.'\s+('.$regexp.')\s+/',$AUTH_ACL);
248f3f0262cSandi  if(count($matches)){
249f3f0262cSandi    foreach($matches as $match){
250f3f0262cSandi      $match = preg_replace('/#.*$/','',$match); //ignore comments
251f3f0262cSandi      $acl   = preg_split('/\s+/',$match);
25210a76f6fSfrank      if($acl[2] > AUTH_UPLOAD) $acl[2] = AUTH_UPLOAD; //no admins in the ACL!
253f3f0262cSandi      if($acl[2] > $perm){
254f3f0262cSandi        $perm = $acl[2];
255f3f0262cSandi      }
256f3f0262cSandi    }
257f3f0262cSandi    if($perm > -1){
258f3f0262cSandi      //we had a match - return it
259f3f0262cSandi      return $perm;
260f3f0262cSandi    }
261f3f0262cSandi  }
262f3f0262cSandi
263f3f0262cSandi  //still here? do the namespace checks
264f3f0262cSandi  if($ns){
265f3f0262cSandi    $path = $ns.':\*';
266f3f0262cSandi  }else{
267f3f0262cSandi    $path = '\*'; //root document
268f3f0262cSandi  }
269f3f0262cSandi
270f3f0262cSandi  do{
271f3f0262cSandi    $matches = preg_grep('/^'.$path.'\s+('.$regexp.')\s+/',$AUTH_ACL);
272f3f0262cSandi    if(count($matches)){
273f3f0262cSandi      foreach($matches as $match){
274f3f0262cSandi        $match = preg_replace('/#.*$/','',$match); //ignore comments
275f3f0262cSandi        $acl   = preg_split('/\s+/',$match);
27610a76f6fSfrank        if($acl[2] > AUTH_UPLOAD) $acl[2] = AUTH_UPLOAD; //no admins in the ACL!
277f3f0262cSandi        if($acl[2] > $perm){
278f3f0262cSandi          $perm = $acl[2];
279f3f0262cSandi        }
280f3f0262cSandi      }
281f3f0262cSandi      //we had a match - return it
282f3f0262cSandi      return $perm;
283f3f0262cSandi    }
284f3f0262cSandi
285f3f0262cSandi    //get next higher namespace
286f3f0262cSandi    $ns   = getNS($ns);
287f3f0262cSandi
288f3f0262cSandi    if($path != '\*'){
289f3f0262cSandi      $path = $ns.':\*';
290f3f0262cSandi      if($path == ':\*') $path = '\*';
291f3f0262cSandi    }else{
292f3f0262cSandi      //we did this already
293f3f0262cSandi      //looks like there is something wrong with the ACL
294f3f0262cSandi      //break here
295f3f0262cSandi      return $perm;
296f3f0262cSandi    }
297f3f0262cSandi  }while(1); //this should never loop endless
29852a5af8dSandi
29952a5af8dSandi  //still here? return no permissions
30052a5af8dSandi  return AUTH_NONE;
301f3f0262cSandi}
302f3f0262cSandi
303f3f0262cSandi/**
304f3f0262cSandi * Create a pronouncable password
305f3f0262cSandi *
30615fae107Sandi * @author  Andreas Gohr <andi@splitbrain.org>
30715fae107Sandi * @link    http://www.phpbuilder.com/annotate/message.php3?id=1014451
30815fae107Sandi *
30915fae107Sandi * @return string  pronouncable password
310f3f0262cSandi */
311f3f0262cSandifunction auth_pwgen(){
312f3f0262cSandi  $pw = '';
313f3f0262cSandi  $c  = 'bcdfghjklmnprstvwz'; //consonants except hard to speak ones
314f3f0262cSandi  $v  = 'aeiou';              //vowels
315f3f0262cSandi  $a  = $c.$v;                //both
316f3f0262cSandi
317f3f0262cSandi  //use two syllables...
318f3f0262cSandi  for($i=0;$i < 2; $i++){
319f3f0262cSandi    $pw .= $c[rand(0, strlen($c)-1)];
320f3f0262cSandi    $pw .= $v[rand(0, strlen($v)-1)];
321f3f0262cSandi    $pw .= $a[rand(0, strlen($a)-1)];
322f3f0262cSandi  }
323f3f0262cSandi  //... and add a nice number
324f3f0262cSandi  $pw .= rand(10,99);
325f3f0262cSandi
326f3f0262cSandi  return $pw;
327f3f0262cSandi}
328f3f0262cSandi
329f3f0262cSandi/**
330f3f0262cSandi * Sends a password to the given user
331f3f0262cSandi *
33215fae107Sandi * @author  Andreas Gohr <andi@splitbrain.org>
33315fae107Sandi *
33415fae107Sandi * @return bool  true on success
335f3f0262cSandi */
336f3f0262cSandifunction auth_sendPassword($user,$password){
337f3f0262cSandi  global $conf;
338f3f0262cSandi  global $lang;
339f3f0262cSandi  $hdrs  = '';
34087ddda95Sandi  $userinfo = auth_getUserData($user);
341f3f0262cSandi
34287ddda95Sandi  if(!$userinfo['mail']) return false;
343f3f0262cSandi
344f3f0262cSandi  $text = rawLocale('password');
345ed7b5f09Sandi  $text = str_replace('@DOKUWIKIURL@',DOKU_URL,$text);
34687ddda95Sandi  $text = str_replace('@FULLNAME@',$userinfo['name'],$text);
347f3f0262cSandi  $text = str_replace('@LOGIN@',$user,$text);
348f3f0262cSandi  $text = str_replace('@PASSWORD@',$password,$text);
349f3f0262cSandi  $text = str_replace('@TITLE@',$conf['title'],$text);
350f3f0262cSandi
35144f669e9Sandi  return mail_send($userinfo['name'].' <'.$userinfo['mail'].'>',
35244f669e9Sandi                   $lang['regpwmail'],
35344f669e9Sandi                   $text,
35444f669e9Sandi                   $conf['mailfrom']);
355f3f0262cSandi}
356f3f0262cSandi
357f3f0262cSandi/**
35815fae107Sandi * Register a new user
359f3f0262cSandi *
36015fae107Sandi * This registers a new user - Data is read directly from $_POST
36115fae107Sandi *
36215fae107Sandi * @author  Andreas Gohr <andi@splitbrain.org>
36315fae107Sandi *
36415fae107Sandi * @return bool  true on success, false on any error
365f3f0262cSandi */
366f3f0262cSandifunction register(){
367f3f0262cSandi  global $lang;
368f3f0262cSandi
369f3f0262cSandi  if(!$_POST['save']) return false;
370640145a5Sandi
371f3f0262cSandi  //clean username
372f3f0262cSandi  $_POST['login'] = preg_replace('/.*:/','',$_POST['login']);
373f3f0262cSandi  $_POST['login'] = cleanID($_POST['login']);
374f3f0262cSandi  //clean fullname and email
375f3f0262cSandi  $_POST['fullname'] = trim(str_replace(':','',$_POST['fullname']));
376f3f0262cSandi  $_POST['email']    = trim(str_replace(':','',$_POST['email']));
377f3f0262cSandi
378f3f0262cSandi  if( empty($_POST['login']) ||
379f3f0262cSandi      empty($_POST['fullname']) ||
380f3f0262cSandi      empty($_POST['email']) ){
381f3f0262cSandi    msg($lang['regmissing'],-1);
382f3f0262cSandi    return false;
383f3f0262cSandi  }
384f3f0262cSandi
385*cab2716aSmatthias.grimm  if ($conf['autopasswd']) {
386*cab2716aSmatthias.grimm    $pass = auth_pwgen();                // automatically generate password
387*cab2716aSmatthias.grimm  } elseif (empty($_POST['pass']) ||
388*cab2716aSmatthias.grimm            empty($_POST['passchk'])) {
389*cab2716aSmatthias.grimm    msg($lang['reqmissing'], -1);        // complain about missing passwords
390*cab2716aSmatthias.grimm    return false;
391*cab2716aSmatthias.grimm  } elseif ($_POST['pass'] != $_POST['passchk']) {
392*cab2716aSmatthias.grimm    msg($lang['reqbadpass'], -1);      // complain about misspelled passwords
393*cab2716aSmatthias.grimm    return false;
394*cab2716aSmatthias.grimm  } else {
395*cab2716aSmatthias.grimm    $pass = $_POST['pass'];              // accept checked and valid password
396*cab2716aSmatthias.grimm  }
397*cab2716aSmatthias.grimm
398f3f0262cSandi  //check mail
39944f669e9Sandi  if(!mail_isvalid($_POST['email'])){
400f3f0262cSandi    msg($lang['regbadmail'],-1);
401f3f0262cSandi    return false;
402f3f0262cSandi  }
403f3f0262cSandi
404f3f0262cSandi  //okay try to create the user
4057c37db8aSmatthias.grimm  $pass = auth_createUser($_POST['login'],$pass,$_POST['fullname'],$_POST['email']);
406f3f0262cSandi  if(empty($pass)){
407f3f0262cSandi    msg($lang['reguexists'],-1);
408f3f0262cSandi    return false;
409f3f0262cSandi  }
410f3f0262cSandi
411*cab2716aSmatthias.grimm  if (!$conf['autopasswd']) {
412*cab2716aSmatthias.grimm    msg($lang['regsuccess2'],1);
413*cab2716aSmatthias.grimm    return true;
414*cab2716aSmatthias.grimm  }
415*cab2716aSmatthias.grimm
416*cab2716aSmatthias.grimm  // autogenerated password? then send him the password
417f3f0262cSandi  if (auth_sendPassword($_POST['login'],$pass)){
418f3f0262cSandi    msg($lang['regsuccess'],1);
419f3f0262cSandi    return true;
420f3f0262cSandi  }else{
421f3f0262cSandi    msg($lang['regmailfail'],-1);
422f3f0262cSandi    return false;
423f3f0262cSandi  }
424f3f0262cSandi}
425f3f0262cSandi
42610a76f6fSfrank/**
42710a76f6fSfrank * Uses a regular expresion to check if a given mail address is valid
42810a76f6fSfrank *
42910a76f6fSfrank * May not be completly RFC conform!
43010a76f6fSfrank *
43110a76f6fSfrank * @link    http://www.webmasterworld.com/forum88/135.htm
43210a76f6fSfrank *
43310a76f6fSfrank * @param   string $email the address to check
43410a76f6fSfrank * @return  bool          true if address is valid
43510a76f6fSfrank */
43610a76f6fSfrankfunction isvalidemail($email){
43710a76f6fSfrank  return eregi("^[0-9a-z]([-_.]?[0-9a-z])*@[0-9a-z]([-.]?[0-9a-z])*\\.[a-z]{2,4}$", $email);
43810a76f6fSfrank}
43910a76f6fSfrank
44010a76f6fSfrank
441340756e4Sandi
442340756e4Sandi//Setup VIM: ex: et ts=2 enc=utf-8 :
443