1*ed7b5f09Sandi<?php 215fae107Sandi/** 315fae107Sandi * Authentication library 415fae107Sandi * 515fae107Sandi * Including this file will automatically try to login 615fae107Sandi * a user by calling auth_login() 715fae107Sandi * 815fae107Sandi * @license GPL 2 (http://www.gnu.org/licenses/gpl.html) 915fae107Sandi * @author Andreas Gohr <andi@splitbrain.org> 1015fae107Sandi */ 1115fae107Sandi 12*ed7b5f09Sandi if(!defined('DOKU_INC')) define('DOKU_INC',realpath(dirname(__FILE__).'/../').'/'); 13*ed7b5f09Sandi require_once(DOKU_INC.'inc/common.php'); 14*ed7b5f09Sandi require_once(DOKU_INC.'inc/io.php'); 15*ed7b5f09Sandi require_once(DOKU_INC.'inc/blowfish.php'); 16*ed7b5f09Sandi require_once(DOKU_INC.'inc/mail.php'); 1715fae107Sandi // load the the auth functions 18*ed7b5f09Sandi require_once(DOKU_INC.'inc/auth_'.$conf['authtype'].'.php'); 19f3f0262cSandi 2015fae107Sandi // some ACL level defines 21f3f0262cSandi define('AUTH_NONE',0); 22f3f0262cSandi define('AUTH_READ',1); 23f3f0262cSandi define('AUTH_EDIT',2); 24f3f0262cSandi define('AUTH_CREATE',4); 25f3f0262cSandi define('AUTH_UPLOAD',8); 26f3f0262cSandi define('AUTH_GRANT',255); 27f3f0262cSandi 28f3f0262cSandi if($conf['useacl']){ 29132bdbfeSandi auth_login($_REQUEST['u'],$_REQUEST['p'],$_REQUEST['r']); 3015fae107Sandi // load ACL into a global array 31f3f0262cSandi $AUTH_ACL = file('conf/acl.auth'); 32f3f0262cSandi } 33f3f0262cSandi 34f3f0262cSandi/** 35f3f0262cSandi * This tries to login the user based on the sent auth credentials 36f3f0262cSandi * 37f3f0262cSandi * The authentication works like this: if a username was given 3815fae107Sandi * a new login is assumed and user/password are checked. If they 3915fae107Sandi * are correct the password is encrypted with blowfish and stored 4015fae107Sandi * together with the username in a cookie - the same info is stored 4115fae107Sandi * in the session, too. Additonally a browserID is stored in the 4215fae107Sandi * session. 4315fae107Sandi * 4415fae107Sandi * If no username was given the cookie is checked: if the username, 4515fae107Sandi * crypted password and browserID match between session and cookie 4615fae107Sandi * no further testing is done and the user is accepted 4715fae107Sandi * 4815fae107Sandi * If a cookie was found but no session info was availabe the 4915fae107Sandi * blowish encrypted password from the cookie is decrypted and 5015fae107Sandi * together with username rechecked by calling this function again. 51f3f0262cSandi * 52f3f0262cSandi * On a successful login $_SERVER[REMOTE_USER] and $USERINFO 53f3f0262cSandi * are set. 5415fae107Sandi * 5515fae107Sandi * @author Andreas Gohr <andi@splitbrain.org> 5615fae107Sandi * 5715fae107Sandi * @param string $user Username 5815fae107Sandi * @param string $pass Cleartext Password 5915fae107Sandi * @param bool $sticky Cookie should not expire 6015fae107Sandi * @return bool true on successful auth 61f3f0262cSandi*/ 62132bdbfeSandifunction auth_login($user,$pass,$sticky=false){ 63f3f0262cSandi global $USERINFO; 64f3f0262cSandi global $conf; 65f3f0262cSandi global $lang; 66132bdbfeSandi $sticky ? $sticky = true : $sticky = false; //sanity check 67f3f0262cSandi 68f3f0262cSandi if(isset($user)){ 69132bdbfeSandi //usual login 70f3f0262cSandi if (auth_checkPass($user,$pass)){ 71132bdbfeSandi // make logininfo globally available 72f3f0262cSandi $_SERVER['REMOTE_USER'] = $user; 73132bdbfeSandi $USERINFO = auth_getUserData($user); //FIXME move all references to session 74132bdbfeSandi 75132bdbfeSandi // set cookie 76132bdbfeSandi $pass = PMA_blowfish_encrypt($pass,auth_cookiesalt()); 77132bdbfeSandi $cookie = base64_encode("$user|$sticky|$pass"); 78132bdbfeSandi if($sticky) $time = time()+60*60*24*365; //one year 79132bdbfeSandi setcookie('DokuWikiAUTH',$cookie,$time); 80132bdbfeSandi 81132bdbfeSandi // set session 82132bdbfeSandi $_SESSION[$conf['title']]['auth']['user'] = $user; 83132bdbfeSandi $_SESSION[$conf['title']]['auth']['pass'] = $pass; 84132bdbfeSandi $_SESSION[$conf['title']]['auth']['buid'] = auth_browseruid(); 85132bdbfeSandi $_SESSION[$conf['title']]['auth']['info'] = $USERINFO; 86132bdbfeSandi return true; 87f3f0262cSandi }else{ 88f3f0262cSandi //invalid credentials - log off 89f3f0262cSandi msg($lang['badlogin'],-1); 90f3f0262cSandi auth_logoff(); 91132bdbfeSandi return false; 92f3f0262cSandi } 93f3f0262cSandi }else{ 94132bdbfeSandi // read cookie information 95132bdbfeSandi $cookie = base64_decode($_COOKIE['DokuWikiAUTH']); 96132bdbfeSandi list($user,$sticky,$pass) = split('\|',$cookie,3); 97132bdbfeSandi // get session info 98132bdbfeSandi $session = $_SESSION[$conf['title']]['auth']; 99132bdbfeSandi 100132bdbfeSandi if($user && $pass){ 101132bdbfeSandi // we got a cookie - see if we can trust it 102132bdbfeSandi if(isset($session) && 103132bdbfeSandi ($session['user'] == $user) && 104132bdbfeSandi ($session['pass'] == $pass) && //still crypted 105132bdbfeSandi ($session['buid'] == auth_browseruid()) ){ 106132bdbfeSandi // he has session, cookie and browser right - let him in 107132bdbfeSandi $_SERVER['REMOTE_USER'] = $user; 108132bdbfeSandi $USERINFO = $session['info']; //FIXME move all references to session 109132bdbfeSandi return true; 110132bdbfeSandi } 111132bdbfeSandi // no we don't trust it yet - recheck pass 112132bdbfeSandi $pass = PMA_blowfish_decrypt($pass,auth_cookiesalt()); 113132bdbfeSandi return auth_login($user,$pass,$sticky); 114132bdbfeSandi } 115132bdbfeSandi } 116f3f0262cSandi //just to be sure 117f3f0262cSandi auth_logoff(); 118132bdbfeSandi return false; 119f3f0262cSandi} 120132bdbfeSandi 121132bdbfeSandi/** 122132bdbfeSandi * Builds a pseudo UID from browserdata 123132bdbfeSandi * 124132bdbfeSandi * This is neither unique nor unfakable - still it adds some 125132bdbfeSandi * security 12615fae107Sandi * 12715fae107Sandi * @author Andreas Gohr <andi@splitbrain.org> 12815fae107Sandi * 12915fae107Sandi * @return string a MD5 sum of various browser headers 130132bdbfeSandi */ 131132bdbfeSandifunction auth_browseruid(){ 132132bdbfeSandi $uid = ''; 133132bdbfeSandi $uid .= $_SERVER['HTTP_USER_AGENT']; 134132bdbfeSandi $uid .= $_SERVER['HTTP_ACCEPT_ENCODING']; 135132bdbfeSandi $uid .= $_SERVER['HTTP_ACCEPT_LANGUAGE']; 136132bdbfeSandi $uid .= $_SERVER['HTTP_ACCEPT_CHARSET']; 137132bdbfeSandi return md5($uid); 138132bdbfeSandi} 139132bdbfeSandi 140132bdbfeSandi/** 141132bdbfeSandi * Creates a random key to encrypt the password in cookies 14215fae107Sandi * 14315fae107Sandi * This function tries to read the password for encrypting 144dfd3db4aSandi * cookies from $conf['datadir'].'/.cache/.htcookiesalt' 14515fae107Sandi * if no such file is found a random key is created and 14615fae107Sandi * and stored in this file. 14715fae107Sandi * 14815fae107Sandi * @author Andreas Gohr <andi@splitbrain.org> 14915fae107Sandi * 15015fae107Sandi * @return string 151132bdbfeSandi */ 152132bdbfeSandifunction auth_cookiesalt(){ 153132bdbfeSandi global $conf; 154dfd3db4aSandi $file = $conf['datadir'].'/.cache/.htcookiesalt'; 155132bdbfeSandi $salt = io_readFile($file); 156132bdbfeSandi if(empty($salt)){ 157132bdbfeSandi $salt = uniqid(rand(),true); 158132bdbfeSandi io_saveFile($file,$salt); 159132bdbfeSandi } 160132bdbfeSandi return $salt; 161f3f0262cSandi} 162f3f0262cSandi 163f3f0262cSandi/** 164f3f0262cSandi * This clears all authenticationdata and thus log the user 165f3f0262cSandi * off 16615fae107Sandi * 16715fae107Sandi * @author Andreas Gohr <andi@splitbrain.org> 168f3f0262cSandi */ 169f3f0262cSandifunction auth_logoff(){ 170f3f0262cSandi global $conf; 171f3f0262cSandi global $USERINFO; 172132bdbfeSandi unset($_SESSION[$conf['title']]['auth']['user']); 173132bdbfeSandi unset($_SESSION[$conf['title']]['auth']['pass']); 174132bdbfeSandi unset($_SESSION[$conf['title']]['auth']['info']); 175f3f0262cSandi unset($_SERVER['REMOTE_USER']); 176132bdbfeSandi $USERINFO=null; //FIXME 177132bdbfeSandi setcookie('DokuWikiAUTH','',time()-3600); 178f3f0262cSandi} 179f3f0262cSandi 180f3f0262cSandi/** 18115fae107Sandi * Convinience function for auth_aclcheck() 18215fae107Sandi * 18315fae107Sandi * This checks the permissions for the current user 18415fae107Sandi * 18515fae107Sandi * @author Andreas Gohr <andi@splitbrain.org> 18615fae107Sandi * 18715fae107Sandi * @param string $id page ID 18815fae107Sandi * @return int permission level 189f3f0262cSandi */ 190f3f0262cSandifunction auth_quickaclcheck($id){ 191f3f0262cSandi global $conf; 192f3f0262cSandi global $USERINFO; 193f3f0262cSandi # if no ACL is used always return upload rights 194f3f0262cSandi if(!$conf['useacl']) return AUTH_UPLOAD; 195f3f0262cSandi return auth_aclcheck($id,$_SERVER['REMOTE_USER'],$USERINFO['grps']); 196f3f0262cSandi} 197f3f0262cSandi 198f3f0262cSandi/** 199f3f0262cSandi * Returns the maximum rights a user has for 200f3f0262cSandi * the given ID or its namespace 20115fae107Sandi * 20215fae107Sandi * @author Andreas Gohr <andi@splitbrain.org> 20315fae107Sandi * 20415fae107Sandi * @param string $id page ID 20515fae107Sandi * @param string $user Username 20615fae107Sandi * @param array $groups Array of groups the user is in 20715fae107Sandi * @return int permission level 208f3f0262cSandi */ 209f3f0262cSandifunction auth_aclcheck($id,$user,$groups){ 210f3f0262cSandi global $conf; 211f3f0262cSandi global $AUTH_ACL; 212f3f0262cSandi 213f3f0262cSandi # if no ACL is used always return upload rights 214f3f0262cSandi if(!$conf['useacl']) return AUTH_UPLOAD; 215f3f0262cSandi 216f3f0262cSandi $ns = getNS($id); 217f3f0262cSandi $perm = -1; 218f3f0262cSandi 219f3f0262cSandi if($user){ 220f3f0262cSandi //prepend groups with @ 221f3f0262cSandi for($i=0; $i<count($groups); $i++){ 222f3f0262cSandi $groups[$i] = '@'.$groups[$i]; 223f3f0262cSandi } 224f3f0262cSandi //add ALL group 225f3f0262cSandi $groups[] = '@ALL'; 226f3f0262cSandi //add User 227f3f0262cSandi $groups[] = $user; 228f3f0262cSandi //build regexp 229f3f0262cSandi $regexp = join('|',$groups); 230f3f0262cSandi }else{ 231f3f0262cSandi $regexp = '@ALL'; 232f3f0262cSandi } 233f3f0262cSandi 234f3f0262cSandi //check exact match first 235f3f0262cSandi $matches = preg_grep('/^'.$id.'\s+('.$regexp.')\s+/',$AUTH_ACL); 236f3f0262cSandi if(count($matches)){ 237f3f0262cSandi foreach($matches as $match){ 238f3f0262cSandi $match = preg_replace('/#.*$/','',$match); //ignore comments 239f3f0262cSandi $acl = preg_split('/\s+/',$match); 240f3f0262cSandi if($acl[2] > $perm){ 241f3f0262cSandi $perm = $acl[2]; 242f3f0262cSandi } 243f3f0262cSandi } 244f3f0262cSandi if($perm > -1){ 245f3f0262cSandi //we had a match - return it 246f3f0262cSandi return $perm; 247f3f0262cSandi } 248f3f0262cSandi } 249f3f0262cSandi 250f3f0262cSandi //still here? do the namespace checks 251f3f0262cSandi if($ns){ 252f3f0262cSandi $path = $ns.':\*'; 253f3f0262cSandi }else{ 254f3f0262cSandi $path = '\*'; //root document 255f3f0262cSandi } 256f3f0262cSandi 257f3f0262cSandi do{ 258f3f0262cSandi $matches = preg_grep('/^'.$path.'\s+('.$regexp.')\s+/',$AUTH_ACL); 259f3f0262cSandi if(count($matches)){ 260f3f0262cSandi foreach($matches as $match){ 261f3f0262cSandi $match = preg_replace('/#.*$/','',$match); //ignore comments 262f3f0262cSandi $acl = preg_split('/\s+/',$match); 263f3f0262cSandi if($acl[2] > $perm){ 264f3f0262cSandi $perm = $acl[2]; 265f3f0262cSandi } 266f3f0262cSandi } 267f3f0262cSandi //we had a match - return it 268f3f0262cSandi return $perm; 269f3f0262cSandi } 270f3f0262cSandi 271f3f0262cSandi //get next higher namespace 272f3f0262cSandi $ns = getNS($ns); 273f3f0262cSandi 274f3f0262cSandi if($path != '\*'){ 275f3f0262cSandi $path = $ns.':\*'; 276f3f0262cSandi if($path == ':\*') $path = '\*'; 277f3f0262cSandi }else{ 278f3f0262cSandi //we did this already 279f3f0262cSandi //looks like there is something wrong with the ACL 280f3f0262cSandi //break here 281f3f0262cSandi return $perm; 282f3f0262cSandi } 283f3f0262cSandi }while(1); //this should never loop endless 284f3f0262cSandi} 285f3f0262cSandi 286f3f0262cSandi/** 287f3f0262cSandi * Create a pronouncable password 288f3f0262cSandi * 28915fae107Sandi * @author Andreas Gohr <andi@splitbrain.org> 29015fae107Sandi * @link http://www.phpbuilder.com/annotate/message.php3?id=1014451 29115fae107Sandi * 29215fae107Sandi * @return string pronouncable password 293f3f0262cSandi */ 294f3f0262cSandifunction auth_pwgen(){ 295f3f0262cSandi $pw = ''; 296f3f0262cSandi $c = 'bcdfghjklmnprstvwz'; //consonants except hard to speak ones 297f3f0262cSandi $v = 'aeiou'; //vowels 298f3f0262cSandi $a = $c.$v; //both 299f3f0262cSandi 300f3f0262cSandi //use two syllables... 301f3f0262cSandi for($i=0;$i < 2; $i++){ 302f3f0262cSandi $pw .= $c[rand(0, strlen($c)-1)]; 303f3f0262cSandi $pw .= $v[rand(0, strlen($v)-1)]; 304f3f0262cSandi $pw .= $a[rand(0, strlen($a)-1)]; 305f3f0262cSandi } 306f3f0262cSandi //... and add a nice number 307f3f0262cSandi $pw .= rand(10,99); 308f3f0262cSandi 309f3f0262cSandi return $pw; 310f3f0262cSandi} 311f3f0262cSandi 312f3f0262cSandi/** 313f3f0262cSandi * Sends a password to the given user 314f3f0262cSandi * 31515fae107Sandi * @author Andreas Gohr <andi@splitbrain.org> 31615fae107Sandi * 31715fae107Sandi * @return bool true on success 318f3f0262cSandi */ 319f3f0262cSandifunction auth_sendPassword($user,$password){ 320f3f0262cSandi global $conf; 321f3f0262cSandi global $lang; 322f3f0262cSandi $hdrs = ''; 32387ddda95Sandi $userinfo = auth_getUserData($user); 324f3f0262cSandi 32587ddda95Sandi if(!$userinfo['mail']) return false; 326f3f0262cSandi 327f3f0262cSandi $text = rawLocale('password'); 328*ed7b5f09Sandi $text = str_replace('@DOKUWIKIURL@',DOKU_URL,$text); 32987ddda95Sandi $text = str_replace('@FULLNAME@',$userinfo['name'],$text); 330f3f0262cSandi $text = str_replace('@LOGIN@',$user,$text); 331f3f0262cSandi $text = str_replace('@PASSWORD@',$password,$text); 332f3f0262cSandi $text = str_replace('@TITLE@',$conf['title'],$text); 333f3f0262cSandi 33444f669e9Sandi return mail_send($userinfo['name'].' <'.$userinfo['mail'].'>', 33544f669e9Sandi $lang['regpwmail'], 33644f669e9Sandi $text, 33744f669e9Sandi $conf['mailfrom']); 338f3f0262cSandi} 339f3f0262cSandi 340f3f0262cSandi/** 34115fae107Sandi * Register a new user 342f3f0262cSandi * 34315fae107Sandi * This registers a new user - Data is read directly from $_POST 34415fae107Sandi * 34515fae107Sandi * @author Andreas Gohr <andi@splitbrain.org> 34615fae107Sandi * 34715fae107Sandi * @return bool true on success, false on any error 348f3f0262cSandi */ 349f3f0262cSandifunction register(){ 350f3f0262cSandi global $lang; 351f3f0262cSandi global $conf; 352f3f0262cSandi 353f3f0262cSandi if(!$_POST['save']) return false; 354f3f0262cSandi if(!$conf['openregister']) return false; 355f3f0262cSandi 356f3f0262cSandi //clean username 357f3f0262cSandi $_POST['login'] = preg_replace('/.*:/','',$_POST['login']); 358f3f0262cSandi $_POST['login'] = cleanID($_POST['login']); 359f3f0262cSandi //clean fullname and email 360f3f0262cSandi $_POST['fullname'] = trim(str_replace(':','',$_POST['fullname'])); 361f3f0262cSandi $_POST['email'] = trim(str_replace(':','',$_POST['email'])); 362f3f0262cSandi 363f3f0262cSandi if( empty($_POST['login']) || 364f3f0262cSandi empty($_POST['fullname']) || 365f3f0262cSandi empty($_POST['email']) ){ 366f3f0262cSandi msg($lang['regmissing'],-1); 367f3f0262cSandi return false; 368f3f0262cSandi } 369f3f0262cSandi 370f3f0262cSandi //check mail 37144f669e9Sandi if(!mail_isvalid($_POST['email'])){ 372f3f0262cSandi msg($lang['regbadmail'],-1); 373f3f0262cSandi return false; 374f3f0262cSandi } 375f3f0262cSandi 376f3f0262cSandi //okay try to create the user 377f3f0262cSandi $pass = auth_createUser($_POST['login'],$_POST['fullname'],$_POST['email']); 378f3f0262cSandi if(empty($pass)){ 379f3f0262cSandi msg($lang['reguexists'],-1); 380f3f0262cSandi return false; 381f3f0262cSandi } 382f3f0262cSandi 383f3f0262cSandi //send him the password 384f3f0262cSandi if (auth_sendPassword($_POST['login'],$pass)){ 385f3f0262cSandi msg($lang['regsuccess'],1); 386f3f0262cSandi return true; 387f3f0262cSandi }else{ 388f3f0262cSandi msg($lang['regmailfail'],-1); 389f3f0262cSandi return false; 390f3f0262cSandi } 391f3f0262cSandi} 392f3f0262cSandi 393f3f0262cSandi?> 394