| author | Lester Caine <lester@lsces.co.uk> | 2008-07-22 10:19:55 +0000 |
|---|---|---|
| committer | Lester Caine <lester@lsces.co.uk> | 2008-07-22 10:19:55 +0000 |
| commit | 1eb8676fa375cc3568084d02d596bbbc003a7147 (patch) | |
| tree | dbf009bab7293b0eb3922687449c0459dee57a1d /auth | |
| parent | f0ed8f81c77f7fc49b772e385d39fccc56ee5132 (diff) | |
Extended authorization module for restricting multisite login
Diffstat (limited to 'auth')
| -rw-r--r-- | auth/multisites/auth.php | 128 |
1 files changed, 128 insertions, 0 deletions
diff --git a/auth/multisites/auth.php b/auth/multisites/auth.php
new file mode 100644
index 0000000..973c26e
--- /dev/null
+++ b/auth/multisites/auth.php
@@ -0,0 +1,128 @@
+<?php
+/**
+ * $Header: /cvsroot/bitweaver/_bit_users/auth/multisites/auth.php,v 1.1 2008/07/22 10:19:55 lsces Exp $
+ *
+ * @package users
+ */
+
+/**
+ * Class that manages the bitweaver autentication method with additional limitations from multisites
+ *
+ * @package users
+ * @subpackage auth
+ */
+class MultisitesAuth extends BaseAuth {
+
+ function MultisitesAuth() {
+ parent::BaseAuth('multisites');
+ }
+
+ function validate($user,$pass,$challenge,$response) {
+ parent::validate($user,$pass,$challenge,$response);
+ global $gBitSystem;
+ global $gBitDb;
+ $ret = SERVER_ERROR;
+ if( empty( $user ) ) {
+ $this->mErrors['login'] = 'User not found';
+ } elseif( empty( $pass ) ) {
+ $this->mErrors['login'] = 'Password incorrect';
+ } else {
+ $loginVal = strtoupper( $user ); // case insensitive login
+ $loginCol = ' UPPER(`'.(strpos( $user, '@' ) ? 'email' : 'login').'`)';
+ // first verify that the user exists
+ $query = "select `email`, `login`, `user_id`, `user_password` from `".BIT_DB_PREFIX."users_users` where " . $gBitDb->convertBinary(). " $loginCol = ?";
+ $result = $gBitDb->query( $query, array( $loginVal ) );
+ if( !$result->numRows() ) {
+ $this->mErrors['login'] = 'User not found';
+ } else {
+ $res = $result->fetchRow();
+ $userId = $res['user_id'];
+ $user = $res['login'];
+ // TikiWiki 1.8+ uses this bizarro conglomeration of fields to get the hash. this sucks for many reasons
+ $hash = md5( strtolower($user) . $pass . $res['email']);
+ $hash2 = md5($pass);
+ // next verify the password with 2 hashes methods, the old one (pass)) and the new one (login.pass;email)
+ // TODO - this needs cleaning up - wolff_borg
+ if( !$gBitSystem->isFeatureActive( 'feature_challenge' ) || empty($response) ) {
+ $query = "select `user_id`, `content_id`, `hash` from `".BIT_DB_PREFIX."users_users` where " . $gBitDb->convertBinary(). " $loginCol = ? and (`hash`=? or `hash`=?)";
+ if ( $row = $gBitDb->getRow( $query, array( $loginVal, $hash, $hash2 ) ) ) {
+ // auto-update old hashes with simple and standard md5( password )
+ $hashUpdate = '';
+ if( $row['hash'] == $hash ) {
+ $hashUpdate = 'hash=?, ';
+ $bindVars[] = $hash2;
+ }
+ $bindVars[] = $gBitSystem->getUTCTime();
+ $bindVars[] = $userId;
+ $query = "update `".BIT_DB_PREFIX."users_users` set $hashUpdate `last_login`=`current_login`, `current_login`=? where `user_id`=?";
+ $result = $gBitDb->query($query, $bindVars );
+ $query = "select `multisite_id` from `".BIT_DB_PREFIX."multisite_content` where `content_id` = ?";
+ $sites = $gBitDb->getAll($query, array( $row['content_id'] ) );
+ if ( !$sites ) {
+ $ret=USER_VALID;
+ } else {
+ // This will allow for additional by site checking in future
+ // Currently only a single site per user_id is allowed
+ $ret=PASSWORD_INCORRECT;
+ foreach ( $sites as $id ) {
+ if ( $id['multisite_id'] == $gMultisites->mMultisiteId ) {
+ $ret=USER_VALID;
+ }
+ }
+ if ( $ret == PASSWORD_INCORRECT ) {
+ $this->mErrors[] = 'You are not authorized on this area of the site';
+ }
+ }
+ } else {
+ $ret=PASSWORD_INCORRECT;
+ $this->mErrors[] = 'Password incorrect';
+ }
+ } else {
+ // Use challenge-reponse method
+ // Compare pass against md5(user,challenge,hash)
+ $hash = $gBitDb->getOne("select `hash` from `".BIT_DB_PREFIX."users_users` where " . $gBitDb->convertBinary(). " $loginCol = ?", array( $user ) );
+ if (!isset($_SESSION["challenge"])) {
+ $this->mErrors[] = 'Invalid challenge';
+ $ret=PASSWORD_INCORRECT;
+ }
+ //print("pass: $pass user: $user hash: $hash <br/>");
+ //print("challenge: ".$_SESSION["challenge"]." challenge: $challenge<br/>");
+ //print("response : $response<br/>");
+ if ($response == md5( strtolower($user) . $hash . $_SESSION["challenge"]) ) {
+ $ret = USER_VALID;
+ $this->update_lastlogin( $userId );
+ } else {
+ $this->mErrors[] = 'Invalid challenge';
+ $ret=PASSWORD_INCORRECT;
+ }
+ }
+ }
+ if (!empty($userId)) {
+ $this->mInfo['user_id']=$userId;
+ }
+ }
+ return( $ret );
+ }
+
+ function canManageAuth() {
+ global $gBitSystem;
+ if( $gBitSystem->isPackageActive( 'multisites' ) ) { return true;
+ } else { return false; }
+ }
+
+ function isSupported() {
+ global $gBitSystem;
+ if( $gBitSystem->isPackageActive( 'multisites' ) ) { return true;
+ } else { return false; }
+ }
+
+ function createUser( &$pUserHash ) {
+ //$authUserInfo = array( 'login' => $instance->mInfo['login'], 'password' => $instance->mInfo['password'], 'real_name' => $instance->mInfo['real_name'], 'email' => $instance->mInfo['email'] );
+ $u = new BitPermUser();
+
+ if( !$u->store( $pUserHash ) ) {
+ $this->mErrors = array_merge($this->mErrors,$u->mErrors);
+ }
+ return $u->mUserId;
+ }
+} |
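Review bot: The site restriction this module exists to enforce is only applied on the plain-password path; the challenge-response branch (`// Use challenge-reponse method`) sets `$ret = USER_VALID` straight after the md5 compare without ever querying `multisite_content`, so with feature_challenge active a user restricted to another site still logs in here. On the password path the check cannot succeed as written either: `validate()` imports only `$gBitSystem` and `$gBitDb`, so `$gMultisites->mMultisiteId` is an undefined local (NULL) and any user with rows in `multisite_content` is always rejected — unless `$gMultisites` is brought into scope somewhere outside this file. The challenge branch also binds `$user` (by then overwritten with the stored login, not upper-cased) against the `UPPER(...)` column, keeps running after recording 'Invalid challenge' when `$_SESSION['challenge']` is unset, and compares the digests with `==`, which PHP's numeric-string juggling can satisfy for `0e...`-shaped values. I would pull the membership test into a helper called from both branches, declare `global $gMultisites;`, look the hash up by the `user_id` already resolved, and use `===` (or `hash_equals()` on PHP >= 5.6) for the response check.
```php
 function validate($user,$pass,$challenge,$response) {
 parent::validate($user,$pass,$challenge,$response);
 global $gBitSystem;
 global $gBitDb;
 global $gMultisites; // was never imported, so mMultisiteId read as NULL in the site loop
 // … unchanged: empty-user/empty-pass guards, user lookup, hash computation …
 if( !$gBitSystem->isFeatureActive( 'feature_challenge' ) || empty($response) ) {
 // … unchanged: password lookup, hash auto-update, last_login update …
 $ret = $this->checkSiteMembership( $row['content_id'] );
 // … unchanged: 'Password incorrect' else branch …
 } else {
 // Use challenge-response method: compare response against md5(user.hash.challenge)
 if( !isset( $_SESSION['challenge'] ) ) {
 $this->mErrors[] = 'Invalid challenge';
 $ret = PASSWORD_INCORRECT;
 } else {
 // look the row up by user_id: $loginCol is UPPER() but $user is no longer upper-cased
 $row = $gBitDb->getRow( "select `content_id`, `hash` from `".BIT_DB_PREFIX."users_users` where `user_id` = ?", array( $userId ) );
 $expected = $row ? md5( strtolower($user) . $row['hash'] . $_SESSION['challenge'] ) : '';
 // strict compare: '0e…'-shaped digests compare equal under ==
 if( $row && $response === $expected ) {
 $this->update_lastlogin( $userId );
 $ret = $this->checkSiteMembership( $row['content_id'] );
 } else {
 $this->mErrors[] = 'Invalid challenge';
 $ret = PASSWORD_INCORRECT;
 }
 }
 }
 // … unchanged: mInfo['user_id'] assignment, return …
 }

 // USER_VALID when the user's content row is unrestricted or lists the current site, else PASSWORD_INCORRECT
 function checkSiteMembership( $contentId ) {
 global $gBitDb, $gMultisites;
 $sites = $gBitDb->getAll( "select `multisite_id` from `".BIT_DB_PREFIX."multisite_content` where `content_id` = ?", array( $contentId ) );
 if( !$sites ) {
 return USER_VALID;
 }
 foreach( $sites as $site ) {
 if( (int)$site['multisite_id'] === (int)$gMultisites->mMultisiteId ) {
 return USER_VALID;
 }
 }
 $this->mErrors[] = 'You are not authorized on this area of the site';
 return PASSWORD_INCORRECT;
 }
```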
