1<?php 2/** 3 * Authentication library 4 * 5 * Including this file will automatically try to login 6 * a user by calling auth_login() 7 * 8 * @license GPL 2 (http://www.gnu.org/licenses/gpl.html) 9 * @author Andreas Gohr <andi@splitbrain.org> 10 */ 11 12 if(!defined('DOKU_INC')) define('DOKU_INC',realpath(dirname(__FILE__).'/../').'/'); 13 require_once(DOKU_INC.'inc/common.php'); 14 require_once(DOKU_INC.'inc/io.php'); 15 require_once(DOKU_INC.'inc/blowfish.php'); 16 require_once(DOKU_INC.'inc/mail.php'); 17 // load the the auth functions 18 require_once(DOKU_INC.'inc/auth_'.$conf['authtype'].'.php'); 19 require_once(DOKU_INC.'inc/acl_admin.php'); 20 21 // some ACL level defines 22 define('AUTH_NONE',0); 23 define('AUTH_READ',1); 24 define('AUTH_EDIT',2); 25 define('AUTH_CREATE',4); 26 define('AUTH_UPLOAD',8); 27 define('AUTH_ADMIN',255); 28 29 if($conf['useacl']){ 30 auth_login($_REQUEST['u'],$_REQUEST['p'],$_REQUEST['r']); 31 //load ACL into a global array 32 $AUTH_ACL = file('conf/acl.auth'); 33 } 34 35/** 36 * This tries to login the user based on the sent auth credentials 37 * 38 * The authentication works like this: if a username was given 39 * a new login is assumed and user/password are checked. If they 40 * are correct the password is encrypted with blowfish and stored 41 * together with the username in a cookie - the same info is stored 42 * in the session, too. Additonally a browserID is stored in the 43 * session. 44 * 45 * If no username was given the cookie is checked: if the username, 46 * crypted password and browserID match between session and cookie 47 * no further testing is done and the user is accepted 48 * 49 * If a cookie was found but no session info was availabe the 50 * blowish encrypted password from the cookie is decrypted and 51 * together with username rechecked by calling this function again. 52 * 53 * On a successful login $_SERVER[REMOTE_USER] and $USERINFO 54 * are set. 55 * 56 * @author Andreas Gohr <andi@splitbrain.org> 57 * 58 * @param string $user Username 59 * @param string $pass Cleartext Password 60 * @param bool $sticky Cookie should not expire 61 * @return bool true on successful auth 62*/ 63function auth_login($user,$pass,$sticky=false){ 64 global $USERINFO; 65 global $conf; 66 global $lang; 67 $sticky ? $sticky = true : $sticky = false; //sanity check 68 69 if(isset($user)){ 70 //usual login 71 if (auth_checkPass($user,$pass)){ 72 // make logininfo globally available 73 $_SERVER['REMOTE_USER'] = $user; 74 $USERINFO = auth_getUserData($user); //FIXME move all references to session 75 76 // set cookie 77 $pass = PMA_blowfish_encrypt($pass,auth_cookiesalt()); 78 $cookie = base64_encode("$user|$sticky|$pass"); 79 if($sticky) $time = time()+60*60*24*365; //one year 80 setcookie('DokuWikiAUTH',$cookie,$time); 81 82 // set session 83 $_SESSION[$conf['title']]['auth']['user'] = $user; 84 $_SESSION[$conf['title']]['auth']['pass'] = $pass; 85 $_SESSION[$conf['title']]['auth']['buid'] = auth_browseruid(); 86 $_SESSION[$conf['title']]['auth']['info'] = $USERINFO; 87 return true; 88 }else{ 89 //invalid credentials - log off 90 msg($lang['badlogin'],-1); 91 auth_logoff(); 92 return false; 93 } 94 }else{ 95 // read cookie information 96 $cookie = base64_decode($_COOKIE['DokuWikiAUTH']); 97 list($user,$sticky,$pass) = split('\|',$cookie,3); 98 // get session info 99 $session = $_SESSION[$conf['title']]['auth']; 100 101 if($user && $pass){ 102 // we got a cookie - see if we can trust it 103 if(isset($session) && 104 ($session['user'] == $user) && 105 ($session['pass'] == $pass) && //still crypted 106 ($session['buid'] == auth_browseruid()) ){ 107 // he has session, cookie and browser right - let him in 108 $_SERVER['REMOTE_USER'] = $user; 109 $USERINFO = $session['info']; //FIXME move all references to session 110 return true; 111 } 112 // no we don't trust it yet - recheck pass 113 $pass = PMA_blowfish_decrypt($pass,auth_cookiesalt()); 114 return auth_login($user,$pass,$sticky); 115 } 116 } 117 //just to be sure 118 auth_logoff(); 119 return false; 120} 121 122/** 123 * Builds a pseudo UID from browserdata 124 * 125 * This is neither unique nor unfakable - still it adds some 126 * security 127 * 128 * @author Andreas Gohr <andi@splitbrain.org> 129 * 130 * @return string a MD5 sum of various browser headers 131 */ 132function auth_browseruid(){ 133 $uid = ''; 134 $uid .= $_SERVER['HTTP_USER_AGENT']; 135 $uid .= $_SERVER['HTTP_ACCEPT_ENCODING']; 136 $uid .= $_SERVER['HTTP_ACCEPT_LANGUAGE']; 137 $uid .= $_SERVER['HTTP_ACCEPT_CHARSET']; 138 return md5($uid); 139} 140 141/** 142 * Creates a random key to encrypt the password in cookies 143 * 144 * This function tries to read the password for encrypting 145 * cookies from $conf['datadir'].'/.cache/.htcookiesalt' 146 * if no such file is found a random key is created and 147 * and stored in this file. 148 * 149 * @author Andreas Gohr <andi@splitbrain.org> 150 * 151 * @return string 152 */ 153function auth_cookiesalt(){ 154 global $conf; 155 $file = $conf['datadir'].'/.cache/.htcookiesalt'; 156 $salt = io_readFile($file); 157 if(empty($salt)){ 158 $salt = uniqid(rand(),true); 159 io_saveFile($file,$salt); 160 } 161 return $salt; 162} 163 164/** 165 * This clears all authenticationdata and thus log the user 166 * off 167 * 168 * @author Andreas Gohr <andi@splitbrain.org> 169 */ 170function auth_logoff(){ 171 global $conf; 172 global $USERINFO; 173 unset($_SESSION[$conf['title']]['auth']['user']); 174 unset($_SESSION[$conf['title']]['auth']['pass']); 175 unset($_SESSION[$conf['title']]['auth']['info']); 176 unset($_SERVER['REMOTE_USER']); 177 $USERINFO=null; //FIXME 178 setcookie('DokuWikiAUTH','',time()-3600); 179} 180 181/** 182 * Convinience function for auth_aclcheck() 183 * 184 * This checks the permissions for the current user 185 * 186 * @author Andreas Gohr <andi@splitbrain.org> 187 * 188 * @param string $id page ID 189 * @return int permission level 190 */ 191function auth_quickaclcheck($id){ 192 global $conf; 193 global $USERINFO; 194 # if no ACL is used always return upload rights 195 if(!$conf['useacl']) return AUTH_UPLOAD; 196 return auth_aclcheck($id,$_SERVER['REMOTE_USER'],$USERINFO['grps']); 197} 198 199/** 200 * Returns the maximum rights a user has for 201 * the given ID or its namespace 202 * 203 * @author Andreas Gohr <andi@splitbrain.org> 204 * 205 * @param string $id page ID 206 * @param string $user Username 207 * @param array $groups Array of groups the user is in 208 * @return int permission level 209 */ 210function auth_aclcheck($id,$user,$groups){ 211 global $conf; 212 global $AUTH_ACL; 213 214 # if no ACL is used always return upload rights 215 if(!$conf['useacl']) return AUTH_UPLOAD; 216 217 //if user is superuser return 255 (acl_admin) 218 if($conf['superuser'] == $user) { return AUTH_ADMIN; } 219 220 //make sure groups is an array 221 if(!is_array($groups)) $groups = array(); 222 223 //prepend groups with @ 224 for($i=0; $i<count($groups); $i++){ 225 $groups[$i] = '@'.$groups[$i]; 226 } 227 //if user is in superuser group return 255 (acl_admin) 228 if(in_array($conf['superuser'], $groups)) { return AUTH_ADMIN; } 229 230 $ns = getNS($id); 231 $perm = -1; 232 233 if($user){ 234 //prepend groups with @ 235 for($i=0; $i<count($groups); $i++){ 236 $groups[$i] = '@'.$groups[$i]; 237 } 238 //add ALL group 239 $groups[] = '@ALL'; 240 //add User 241 $groups[] = $user; 242 //build regexp 243 $regexp = join('|',$groups); 244 }else{ 245 $regexp = '@ALL'; 246 } 247 248 //check exact match first 249 $matches = preg_grep('/^'.$id.'\s+('.$regexp.')\s+/',$AUTH_ACL); 250 if(count($matches)){ 251 foreach($matches as $match){ 252 $match = preg_replace('/#.*$/','',$match); //ignore comments 253 $acl = preg_split('/\s+/',$match); 254 if($acl[2] > AUTH_UPLOAD) $acl[2] = AUTH_UPLOAD; //no admins in the ACL! 255 if($acl[2] > $perm){ 256 $perm = $acl[2]; 257 } 258 } 259 if($perm > -1){ 260 //we had a match - return it 261 return $perm; 262 } 263 } 264 265 //still here? do the namespace checks 266 if($ns){ 267 $path = $ns.':\*'; 268 }else{ 269 $path = '\*'; //root document 270 } 271 272 do{ 273 $matches = preg_grep('/^'.$path.'\s+('.$regexp.')\s+/',$AUTH_ACL); 274 if(count($matches)){ 275 foreach($matches as $match){ 276 $match = preg_replace('/#.*$/','',$match); //ignore comments 277 $acl = preg_split('/\s+/',$match); 278 if($acl[2] > AUTH_UPLOAD) $acl[2] = AUTH_UPLOAD; //no admins in the ACL! 279 if($acl[2] > $perm){ 280 $perm = $acl[2]; 281 } 282 } 283 //we had a match - return it 284 return $perm; 285 } 286 287 //get next higher namespace 288 $ns = getNS($ns); 289 290 if($path != '\*'){ 291 $path = $ns.':\*'; 292 if($path == ':\*') $path = '\*'; 293 }else{ 294 //we did this already 295 //looks like there is something wrong with the ACL 296 //break here 297 return $perm; 298 } 299 }while(1); //this should never loop endless 300} 301 302/** 303 * Create a pronouncable password 304 * 305 * @author Andreas Gohr <andi@splitbrain.org> 306 * @link http://www.phpbuilder.com/annotate/message.php3?id=1014451 307 * 308 * @return string pronouncable password 309 */ 310function auth_pwgen(){ 311 $pw = ''; 312 $c = 'bcdfghjklmnprstvwz'; //consonants except hard to speak ones 313 $v = 'aeiou'; //vowels 314 $a = $c.$v; //both 315 316 //use two syllables... 317 for($i=0;$i < 2; $i++){ 318 $pw .= $c[rand(0, strlen($c)-1)]; 319 $pw .= $v[rand(0, strlen($v)-1)]; 320 $pw .= $a[rand(0, strlen($a)-1)]; 321 } 322 //... and add a nice number 323 $pw .= rand(10,99); 324 325 return $pw; 326} 327 328/** 329 * Sends a password to the given user 330 * 331 * @author Andreas Gohr <andi@splitbrain.org> 332 * 333 * @return bool true on success 334 */ 335function auth_sendPassword($user,$password){ 336 global $conf; 337 global $lang; 338 $hdrs = ''; 339 $userinfo = auth_getUserData($user); 340 341 if(!$userinfo['mail']) return false; 342 343 $text = rawLocale('password'); 344 $text = str_replace('@DOKUWIKIURL@',DOKU_URL,$text); 345 $text = str_replace('@FULLNAME@',$userinfo['name'],$text); 346 $text = str_replace('@LOGIN@',$user,$text); 347 $text = str_replace('@PASSWORD@',$password,$text); 348 $text = str_replace('@TITLE@',$conf['title'],$text); 349 350 return mail_send($userinfo['name'].' <'.$userinfo['mail'].'>', 351 $lang['regpwmail'], 352 $text, 353 $conf['mailfrom']); 354} 355 356/** 357 * Register a new user 358 * 359 * This registers a new user - Data is read directly from $_POST 360 * 361 * @author Andreas Gohr <andi@splitbrain.org> 362 * 363 * @return bool true on success, false on any error 364 */ 365function register(){ 366 global $lang; 367 global $conf; 368 369 if(!$_POST['save']) return false; 370 if(!$conf['openregister']) return false; 371 372 //clean username 373 $_POST['login'] = preg_replace('/.*:/','',$_POST['login']); 374 $_POST['login'] = cleanID($_POST['login']); 375 //clean fullname and email 376 $_POST['fullname'] = trim(str_replace(':','',$_POST['fullname'])); 377 $_POST['email'] = trim(str_replace(':','',$_POST['email'])); 378 379 if( empty($_POST['login']) || 380 empty($_POST['fullname']) || 381 empty($_POST['email']) ){ 382 msg($lang['regmissing'],-1); 383 return false; 384 } 385 386 //check mail 387 if(!mail_isvalid($_POST['email'])){ 388 msg($lang['regbadmail'],-1); 389 return false; 390 } 391 392 //okay try to create the user 393 $pass = auth_createUser($_POST['login'],$_POST['fullname'],$_POST['email']); 394 if(empty($pass)){ 395 msg($lang['reguexists'],-1); 396 return false; 397 } 398 399 //send him the password 400 if (auth_sendPassword($_POST['login'],$pass)){ 401 msg($lang['regsuccess'],1); 402 return true; 403 }else{ 404 msg($lang['regmailfail'],-1); 405 return false; 406 } 407} 408 409/** 410 * Uses a regular expresion to check if a given mail address is valid 411 * 412 * May not be completly RFC conform! 413 * 414 * @link http://www.webmasterworld.com/forum88/135.htm 415 * 416 * @param string $email the address to check 417 * @return bool true if address is valid 418 */ 419function isvalidemail($email){ 420 return eregi("^[0-9a-z]([-_.]?[0-9a-z])*@[0-9a-z]([-.]?[0-9a-z])*\\.[a-z]{2,4}$", $email); 421} 422 423 424?> 425