PageRenderTime 66ms CodeModel.GetById 30ms RepoModel.GetById 0ms app.codeStats 0ms

/gforge/plugins/wiki/www/lib/WikiUserNew.php

https://github.com/neymanna/fusionforge
PHP | 2503 lines | 1919 code | 124 blank | 460 comment | 273 complexity | ce8ba0cf0b7f829ab12654b30abbb61a MD5 | raw file
Possible License(s): GPL-2.0, MPL-2.0-no-copyleft-exception

Large files files are truncated, but you can click here to view the full file

  1. <?php //-*-php-*-
  2. rcs_id('$Id: WikiUserNew.php,v 1.137 2006/05/03 06:05:37 rurban Exp $');
  3. /* Copyright (C) 2004,2005 $ThePhpWikiProgrammingTeam
  4. *
  5. * This file is part of PhpWiki.
  6. *
  7. * PhpWiki is free software; you can redistribute it and/or modify
  8. * it under the terms of the GNU General Public License as published by
  9. * the Free Software Foundation; either version 2 of the License, or
  10. * (at your option) any later version.
  11. *
  12. * PhpWiki is distributed in the hope that it will be useful,
  13. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  14. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  15. * GNU General Public License for more details.
  16. *
  17. * You should have received a copy of the GNU General Public License
  18. * along with PhpWiki; if not, write to the Free Software
  19. * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
  20. */
  21. /**
  22. * This is a complete OOP rewrite of the old WikiUser code with various
  23. * configurable external authentication methods.
  24. *
  25. * There's only one entry point, the function WikiUser which returns
  26. * a WikiUser object, which contains the name, authlevel and user's preferences.
  27. * This object might get upgraded during the login step and later also.
  28. * There exist three preferences storage methods: cookie, homepage and db,
  29. * and multiple password checking methods.
  30. * See index.php for $USER_AUTH_ORDER[] and USER_AUTH_POLICY if
  31. * ALLOW_USER_PASSWORDS is defined.
  32. *
  33. * Each user object must define the two preferences methods
  34. * getPreferences(), setPreferences(),
  35. * and the following 1-4 auth methods
  36. * checkPass() must be defined by all classes,
  37. * userExists() only if USER_AUTH_POLICY'=='strict'
  38. * mayChangePass() only if the password is storable.
  39. * storePass() only if the password is storable.
  40. *
  41. * WikiUser() given no name, returns an _AnonUser (anonymous user)
  42. * object, who may or may not have a cookie.
  43. * However, if the there's a cookie with the userid or a session,
  44. * the user is upgraded to the matching user object.
  45. * Given a user name, returns a _BogoUser object, who may or may not
  46. * have a cookie and/or PersonalPage, one of the various _PassUser objects
  47. * or an _AdminUser object.
  48. * BTW: A BogoUser is a userid (loginname) as valid WikiWord, who might
  49. * have stored a password or not. If so, his account is secure, if not
  50. * anybody can use it, because the username is visible e.g. in RecentChanges.
  51. *
  52. * Takes care of passwords, all preference loading/storing in the
  53. * user's page and any cookies. lib/main.php will query the user object to
  54. * verify the password as appropriate.
  55. *
  56. * @author: Reini Urban (the tricky parts),
  57. * Carsten Klapp (started rolling the ball)
  58. *
  59. * Random architectural notes, sorted by date:
  60. * 2004-01-25 rurban
  61. * Test it by defining ENABLE_USER_NEW in config/config.ini
  62. * 1) Now a ForbiddenUser is returned instead of false.
  63. * 2) Previously ALLOW_ANON_USER = false meant that anon users cannot edit,
  64. * but may browse. Now with ALLOW_ANON_USER = false he may not browse,
  65. * which is needed to disable browse PagePermissions.
  66. * I added now ALLOW_ANON_EDIT = true to makes things clear.
  67. * (which replaces REQUIRE_SIGNIN_BEFORE_EDIT)
  68. * 2004-02-27 rurban:
  69. * 3) Removed pear prepare. Performance hog, and using integers as
  70. * handler doesn't help. Do simple sprintf as with adodb. And a prepare
  71. * in the object init is no advantage, because in the init loop a lot of
  72. * objects are tried, but not used.
  73. * 4) Already gotten prefs are passed to the next object to avoid
  74. * duplicate getPreferences() calls.
  75. * 2004-03-18 rurban
  76. * 5) Major php-5 problem: $this re-assignment is disallowed by the parser
  77. * So we cannot just discrimate with
  78. * if (!check_php_version(5))
  79. * $this = $user;
  80. * A /php5-patch.php is provided, which patches the src automatically
  81. * for php4 and php5. Default is php4.
  82. * Update: not needed anymore. we use eval to fool the load-time syntax checker.
  83. * 2004-03-24 rurban
  84. * 6) enforced new cookie policy: prefs don't get stored in cookies
  85. * anymore, only in homepage and/or database, but always in the
  86. * current session. old pref cookies will get deleted.
  87. * 2004-04-04 rurban
  88. * 7) Certain themes should be able to extend the predefined list
  89. * of preferences. Display/editing is done in the theme specific userprefs.tmpl,
  90. * but storage must be extended to the Get/SetPreferences methods.
  91. * <theme>/themeinfo.php must provide CustomUserPreferences:
  92. * A list of name => _UserPreference class pairs.
  93. */
  94. define('WIKIAUTH_FORBIDDEN', -1); // Completely not allowed.
  95. define('WIKIAUTH_ANON', 0); // Not signed in.
  96. define('WIKIAUTH_BOGO', 1); // Any valid WikiWord is enough.
  97. define('WIKIAUTH_USER', 2); // Bogo user with a password.
  98. define('WIKIAUTH_ADMIN', 10); // UserName == ADMIN_USER.
  99. define('WIKIAUTH_UNOBTAINABLE', 100); // Permissions that no user can achieve
  100. //if (!defined('COOKIE_EXPIRATION_DAYS')) define('COOKIE_EXPIRATION_DAYS', 365);
  101. //if (!defined('COOKIE_DOMAIN')) define('COOKIE_DOMAIN', '/');
  102. if (!defined('EDITWIDTH_MIN_COLS')) define('EDITWIDTH_MIN_COLS', 30);
  103. if (!defined('EDITWIDTH_MAX_COLS')) define('EDITWIDTH_MAX_COLS', 150);
  104. if (!defined('EDITWIDTH_DEFAULT_COLS')) define('EDITWIDTH_DEFAULT_COLS', 80);
  105. if (!defined('EDITHEIGHT_MIN_ROWS')) define('EDITHEIGHT_MIN_ROWS', 5);
  106. if (!defined('EDITHEIGHT_MAX_ROWS')) define('EDITHEIGHT_MAX_ROWS', 80);
  107. if (!defined('EDITHEIGHT_DEFAULT_ROWS')) define('EDITHEIGHT_DEFAULT_ROWS', 22);
  108. define('TIMEOFFSET_MIN_HOURS', -26);
  109. define('TIMEOFFSET_MAX_HOURS', 26);
  110. if (!defined('TIMEOFFSET_DEFAULT_HOURS')) define('TIMEOFFSET_DEFAULT_HOURS', 0);
  111. /**
  112. * There are be the following constants in config/config.ini to
  113. * establish login parameters:
  114. *
  115. * ALLOW_ANON_USER default true
  116. * ALLOW_ANON_EDIT default true
  117. * ALLOW_BOGO_LOGIN default true
  118. * ALLOW_USER_PASSWORDS default true
  119. * PASSWORD_LENGTH_MINIMUM default 0
  120. *
  121. * To require user passwords for editing:
  122. * ALLOW_ANON_USER = true
  123. * ALLOW_ANON_EDIT = false (before named REQUIRE_SIGNIN_BEFORE_EDIT)
  124. * ALLOW_BOGO_LOGIN = false
  125. * ALLOW_USER_PASSWORDS = true
  126. *
  127. * To establish a COMPLETELY private wiki, such as an internal
  128. * corporate one:
  129. * ALLOW_ANON_USER = false
  130. * (and probably require user passwords as described above). In this
  131. * case the user will be prompted to login immediately upon accessing
  132. * any page.
  133. *
  134. * There are other possible combinations, but the typical wiki (such
  135. * as http://PhpWiki.sf.net/phpwiki) would usually just leave all four
  136. * enabled.
  137. *
  138. */
  139. // The last object in the row is the bad guy...
  140. if (!is_array($USER_AUTH_ORDER))
  141. $USER_AUTH_ORDER = array("Forbidden");
  142. else
  143. $USER_AUTH_ORDER[] = "Forbidden";
  144. // Local convenience functions.
  145. function _isAnonUserAllowed() {
  146. return (defined('ALLOW_ANON_USER') && ALLOW_ANON_USER);
  147. }
  148. function _isBogoUserAllowed() {
  149. return (defined('ALLOW_BOGO_LOGIN') && ALLOW_BOGO_LOGIN);
  150. }
  151. function _isUserPasswordsAllowed() {
  152. return (defined('ALLOW_USER_PASSWORDS') && ALLOW_USER_PASSWORDS);
  153. }
  154. // Possibly upgrade userobject functions.
  155. function _determineAdminUserOrOtherUser($UserName) {
  156. // Sanity check. User name is a condition of the definition of the
  157. // _AdminUser, _BogoUser and _passuser.
  158. if (!$UserName)
  159. return $GLOBALS['ForbiddenUser'];
  160. //FIXME: check admin membership later at checkPass. Now we cannot raise the level.
  161. //$group = &WikiGroup::getGroup($GLOBALS['request']);
  162. if ($UserName == ADMIN_USER)
  163. return new _AdminUser($UserName);
  164. /* elseif ($group->isMember(GROUP_ADMIN)) { // unneeded code
  165. return _determineBogoUserOrPassUser($UserName);
  166. }
  167. */
  168. else
  169. return _determineBogoUserOrPassUser($UserName);
  170. }
  171. function _determineBogoUserOrPassUser($UserName) {
  172. global $ForbiddenUser;
  173. // Sanity check. User name is a condition of the definition of
  174. // _BogoUser and _PassUser.
  175. if (!$UserName)
  176. return $ForbiddenUser;
  177. // Check for password and possibly upgrade user object.
  178. // $_BogoUser = new _BogoUser($UserName);
  179. if (_isBogoUserAllowed() and isWikiWord($UserName)) {
  180. include_once("lib/WikiUser/BogoLogin.php");
  181. $_BogoUser = new _BogoLoginPassUser($UserName);
  182. if ($_BogoUser->userExists() or $GLOBALS['request']->getArg('auth'))
  183. return $_BogoUser;
  184. }
  185. if (_isUserPasswordsAllowed()) {
  186. // PassUsers override BogoUsers if a password is stored
  187. if (isset($_BogoUser) and isset($_BogoUser->_prefs)
  188. and $_BogoUser->_prefs->get('passwd'))
  189. return new _PassUser($UserName, $_BogoUser->_prefs);
  190. else {
  191. $_PassUser = new _PassUser($UserName,
  192. isset($_BogoUser) ? $_BogoUser->_prefs : false);
  193. if ($_PassUser->userExists() or $GLOBALS['request']->getArg('auth'))
  194. return $_PassUser;
  195. }
  196. }
  197. // No Bogo- or PassUser exists, or
  198. // passwords are not allowed, and bogo is disallowed too.
  199. // (Only the admin can sign in).
  200. return $ForbiddenUser;
  201. }
  202. /**
  203. * Primary WikiUser function, called by lib/main.php.
  204. *
  205. * This determines the user's type and returns an appropriate user
  206. * object. lib/main.php then querys the resultant object for password
  207. * validity as necessary.
  208. *
  209. * If an _AnonUser object is returned, the user may only browse pages
  210. * (and save prefs in a cookie).
  211. *
  212. * To disable access but provide prefs the global $ForbiddenUser class
  213. * is returned. (was previously false)
  214. *
  215. */
  216. function WikiUser ($UserName = '') {
  217. global $ForbiddenUser;
  218. //Maybe: Check sessionvar for username & save username into
  219. //sessionvar (may be more appropriate to do this in lib/main.php).
  220. if ($UserName) {
  221. $ForbiddenUser = new _ForbiddenUser($UserName);
  222. // Found a user name.
  223. return _determineAdminUserOrOtherUser($UserName);
  224. }
  225. elseif (!empty($_SESSION['userid'])) {
  226. // Found a user name.
  227. $ForbiddenUser = new _ForbiddenUser($_SESSION['userid']);
  228. return _determineAdminUserOrOtherUser($_SESSION['userid']);
  229. }
  230. else {
  231. // Check for autologin pref in cookie and possibly upgrade
  232. // user object to another type.
  233. $_AnonUser = new _AnonUser();
  234. if ($UserName = $_AnonUser->_userid && $_AnonUser->_prefs->get('autologin')) {
  235. // Found a user name.
  236. $ForbiddenUser = new _ForbiddenUser($UserName);
  237. return _determineAdminUserOrOtherUser($UserName);
  238. }
  239. else {
  240. $ForbiddenUser = new _ForbiddenUser();
  241. if (_isAnonUserAllowed())
  242. return $_AnonUser;
  243. return $ForbiddenUser; // User must sign in to browse pages.
  244. }
  245. return $ForbiddenUser; // User must sign in with a password.
  246. }
  247. /*
  248. trigger_error("DEBUG: Note: End of function reached in WikiUser." . " "
  249. . "Unexpectedly, an appropriate user class could not be determined.");
  250. return $ForbiddenUser; // Failsafe.
  251. */
  252. }
  253. /**
  254. * WikiUser.php use the name 'WikiUser'
  255. */
  256. function WikiUserClassname() {
  257. return '_WikiUser';
  258. }
  259. /**
  260. * Upgrade olduser by copying properties from user to olduser.
  261. * We are not sure yet, for which php's a simple $this = $user works reliably,
  262. * (on php4 it works ok, on php5 it's currently disallowed on the parser level)
  263. * that's why try it the hard way.
  264. */
  265. function UpgradeUser ($olduser, $user) {
  266. if (isa($user,'_WikiUser') and isa($olduser,'_WikiUser')) {
  267. // populate the upgraded class $olduser with the values from the new user object
  268. //only _auth_level, _current_method, _current_index,
  269. if (!empty($user->_level) and
  270. $user->_level > $olduser->_level)
  271. $olduser->_level = $user->_level;
  272. if (!empty($user->_current_index) and
  273. $user->_current_index > $olduser->_current_index) {
  274. $olduser->_current_index = $user->_current_index;
  275. $olduser->_current_method = $user->_current_method;
  276. }
  277. if (!empty($user->_authmethod))
  278. $olduser->_authmethod = $user->_authmethod;
  279. /*
  280. foreach (get_object_vars($user) as $k => $v) {
  281. if (!empty($v)) $olduser->$k = $v;
  282. }
  283. */
  284. $olduser->hasHomePage(); // revive db handle, because these don't survive sessions
  285. //$GLOBALS['request']->_user = $olduser;
  286. return $olduser;
  287. } else {
  288. return false;
  289. }
  290. }
  291. /**
  292. * Probably not needed, since we use the various user objects methods so far.
  293. * Anyway, here it is, looping through all available objects.
  294. */
  295. function UserExists ($UserName) {
  296. global $request;
  297. if (!($user = $request->getUser()))
  298. $user = WikiUser($UserName);
  299. if (!$user)
  300. return false;
  301. if ($user->userExists($UserName)) {
  302. $request->_user = $user;
  303. return true;
  304. }
  305. if (isa($user,'_BogoUser'))
  306. $user = new _PassUser($UserName,$user->_prefs);
  307. $class = $user->nextClass();
  308. if ($user = new $class($UserName,$user->_prefs)) {
  309. return $user->userExists($UserName);
  310. }
  311. $request->_user = $GLOBALS['ForbiddenUser'];
  312. return false;
  313. }
  314. /* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
  315. /**
  316. * Base WikiUser class.
  317. */
  318. class _WikiUser
  319. {
  320. var $_userid = '';
  321. var $_level = WIKIAUTH_ANON;
  322. var $_prefs = false;
  323. var $_HomePagehandle = false;
  324. // constructor
  325. function _WikiUser($UserName='', $prefs=false) {
  326. $this->_userid = $UserName;
  327. $this->_HomePagehandle = false;
  328. if ($UserName) {
  329. $this->hasHomePage();
  330. }
  331. if (empty($this->_prefs)) {
  332. if ($prefs) $this->_prefs = $prefs;
  333. else $this->getPreferences();
  334. }
  335. }
  336. function UserName() {
  337. if (!empty($this->_userid))
  338. return $this->_userid;
  339. }
  340. function getPreferences() {
  341. trigger_error("DEBUG: Note: undefined _WikiUser class trying to load prefs." . " "
  342. . "New subclasses of _WikiUser must override this function.");
  343. return false;
  344. }
  345. function setPreferences($prefs, $id_only) {
  346. trigger_error("DEBUG: Note: undefined _WikiUser class trying to save prefs."
  347. . " "
  348. . "New subclasses of _WikiUser must override this function.");
  349. return false;
  350. }
  351. function userExists() {
  352. return $this->hasHomePage();
  353. }
  354. function checkPass($submitted_password) {
  355. // By definition, an undefined user class cannot sign in.
  356. trigger_error("DEBUG: Warning: undefined _WikiUser class trying to sign in."
  357. . " "
  358. . "New subclasses of _WikiUser must override this function.");
  359. return false;
  360. }
  361. // returns page_handle to user's home page or false if none
  362. function hasHomePage() {
  363. if ($this->_userid) {
  364. if (!empty($this->_HomePagehandle) and is_object($this->_HomePagehandle)) {
  365. return $this->_HomePagehandle->exists();
  366. }
  367. else {
  368. // check db again (maybe someone else created it since
  369. // we logged in.)
  370. global $request;
  371. $this->_HomePagehandle = $request->getPage($this->_userid);
  372. return $this->_HomePagehandle->exists();
  373. }
  374. }
  375. // nope
  376. return false;
  377. }
  378. // innocent helper: case-insensitive position in _auth_methods
  379. function array_position ($string, $array) {
  380. $string = strtolower($string);
  381. for ($found = 0; $found < count($array); $found++) {
  382. if (strtolower($array[$found]) == $string)
  383. return $found;
  384. }
  385. return false;
  386. }
  387. function nextAuthMethodIndex() {
  388. if (empty($this->_auth_methods))
  389. $this->_auth_methods = $GLOBALS['USER_AUTH_ORDER'];
  390. if (empty($this->_current_index)) {
  391. if (strtolower(get_class($this)) != '_passuser') {
  392. $this->_current_method = substr(get_class($this),1,-8);
  393. $this->_current_index = $this->array_position($this->_current_method,
  394. $this->_auth_methods);
  395. } else {
  396. $this->_current_index = -1;
  397. }
  398. }
  399. $this->_current_index++;
  400. if ($this->_current_index >= count($this->_auth_methods))
  401. return false;
  402. $this->_current_method = $this->_auth_methods[$this->_current_index];
  403. return $this->_current_index;
  404. }
  405. function AuthMethod($index = false) {
  406. return $this->_auth_methods[ $index === false
  407. ? count($this->_auth_methods)-1
  408. : $index];
  409. }
  410. // upgrade the user object
  411. function nextClass() {
  412. $method = $this->AuthMethod($this->nextAuthMethodIndex());
  413. include_once("lib/WikiUser/$method.php");
  414. return "_".$method."PassUser";
  415. }
  416. //Fixme: for _HttpAuthPassUser
  417. function PrintLoginForm (&$request, $args, $fail_message = false,
  418. $seperate_page = false) {
  419. include_once('lib/Template.php');
  420. // Call update_locale in case the system's default language is not 'en'.
  421. // (We have no user pref for lang at this point yet, no one is logged in.)
  422. if ($GLOBALS['LANG'] != DEFAULT_LANGUAGE)
  423. update_locale(DEFAULT_LANGUAGE);
  424. $userid = $this->_userid;
  425. $require_level = 0;
  426. extract($args); // fixme
  427. $require_level = max(0, min(WIKIAUTH_ADMIN, (int)$require_level));
  428. $pagename = $request->getArg('pagename');
  429. $nocache = 1;
  430. $login = Template('login',
  431. compact('pagename', 'userid', 'require_level',
  432. 'fail_message', 'pass_required', 'nocache'));
  433. // check if the html template was already processed
  434. $seperate_page = $seperate_page ? true : !alreadyTemplateProcessed('html');
  435. if ($seperate_page) {
  436. $page = $request->getPage($pagename);
  437. $revision = $page->getCurrentRevision();
  438. return GeneratePage($login,_("Sign In"),$revision);
  439. } else {
  440. return $login->printExpansion();
  441. }
  442. }
  443. /** Signed in but not password checked or empty password.
  444. */
  445. function isSignedIn() {
  446. return (isa($this,'_BogoUser') or isa($this,'_PassUser'));
  447. }
  448. /** This is password checked for sure.
  449. */
  450. function isAuthenticated() {
  451. //return isa($this,'_PassUser');
  452. //return isa($this,'_BogoUser') || isa($this,'_PassUser');
  453. return $this->_level >= WIKIAUTH_BOGO;
  454. }
  455. function isAdmin () {
  456. static $group;
  457. if ($this->_level == WIKIAUTH_ADMIN) return true;
  458. if (!$this->isSignedIn()) return false;
  459. if (!$this->isAuthenticated()) return false;
  460. if (!$group) $group = &$GLOBALS['request']->getGroup();
  461. return ($this->_level > WIKIAUTH_BOGO and $group->isMember(GROUP_ADMIN));
  462. }
  463. /** Name or IP for a signed user. UserName could come from a cookie e.g.
  464. */
  465. function getId () {
  466. return ( $this->UserName()
  467. ? $this->UserName()
  468. : $GLOBALS['request']->get('REMOTE_ADDR') );
  469. }
  470. /** Name for an authenticated user. No IP here.
  471. */
  472. function getAuthenticatedId() {
  473. return ( $this->isAuthenticated()
  474. ? $this->_userid
  475. : ''); //$GLOBALS['request']->get('REMOTE_ADDR') );
  476. }
  477. function hasAuthority ($require_level) {
  478. return $this->_level >= $require_level;
  479. }
  480. /* This is quite restrictive and not according the login description online.
  481. Any word char (A-Za-z0-9_), ".", "@" and "-"
  482. The backends may loosen this.
  483. */
  484. function isValidName ($userid = false) {
  485. if (!$userid) $userid = $this->_userid;
  486. return true; // XXX TODO Hack for GForge
  487. return preg_match("/^[\w\.@\-]+$/",$userid) and strlen($userid) < 32;
  488. }
  489. /**
  490. * Called on an auth_args POST request, such as login, logout or signin.
  491. * TODO: Check BogoLogin users with empty password. (self-signed users)
  492. */
  493. function AuthCheck ($postargs) {
  494. // Normalize args, and extract.
  495. $keys = array('userid', 'passwd', 'require_level', 'login', 'logout',
  496. 'cancel');
  497. foreach ($keys as $key)
  498. $args[$key] = isset($postargs[$key]) ? $postargs[$key] : false;
  499. extract($args);
  500. $require_level = max(0, min(WIKIAUTH_ADMIN, (int)$require_level));
  501. if ($logout) { // Log out
  502. if (method_exists($GLOBALS['request']->_user, "logout")) { //_HttpAuthPassUser
  503. $GLOBALS['request']->_user->logout();
  504. }
  505. $user = new _AnonUser();
  506. $user->_userid = '';
  507. $user->_level = WIKIAUTH_ANON;
  508. return $user;
  509. } elseif ($cancel)
  510. return false; // User hit cancel button.
  511. elseif (!$login && !$userid)
  512. return false; // Nothing to do?
  513. if (!$this->isValidName($userid))
  514. return _("Invalid username.");;
  515. $authlevel = $this->checkPass($passwd === false ? '' : $passwd);
  516. if ($authlevel <= 0) { // anon or forbidden
  517. if ($passwd)
  518. return _("Invalid password.");
  519. else
  520. return _("Invalid password or userid.");
  521. } elseif ($authlevel < $require_level) { // auth ok, but not enough
  522. if (!empty($this->_current_method) and strtolower(get_class($this)) == '_passuser')
  523. {
  524. // upgrade class
  525. $class = "_" . $this->_current_method . "PassUser";
  526. include_once("lib/WikiUser/".$this->_current_method.".php");
  527. $user = new $class($userid,$this->_prefs);
  528. if (!check_php_version(5))
  529. eval("\$this = \$user;");
  530. // /*PHP5 patch*/$this = $user;
  531. $this->_level = $authlevel;
  532. return $user;
  533. }
  534. $this->_userid = $userid;
  535. $this->_level = $authlevel;
  536. return _("Insufficient permissions.");
  537. }
  538. // Successful login.
  539. //$user = $GLOBALS['request']->_user;
  540. if (!empty($this->_current_method) and
  541. strtolower(get_class($this)) == '_passuser')
  542. {
  543. // upgrade class
  544. $class = "_" . $this->_current_method . "PassUser";
  545. include_once("lib/WikiUser/".$this->_current_method.".php");
  546. $user = new $class($userid, $this->_prefs);
  547. if (!check_php_version(5))
  548. eval("\$this = \$user;");
  549. // /*PHP5 patch*/$this = $user;
  550. $user->_level = $authlevel;
  551. return $user;
  552. }
  553. $this->_userid = $userid;
  554. $this->_level = $authlevel;
  555. return $this;
  556. }
  557. }
  558. /**
  559. * Not authenticated in user, but he may be signed in. Basicly with view access only.
  560. * prefs are stored in cookies, but only the userid.
  561. */
  562. class _AnonUser
  563. extends _WikiUser
  564. {
  565. var $_level = WIKIAUTH_ANON; // var in php-5.0.0RC1 deprecated
  566. /** Anon only gets to load and save prefs in a cookie, that's it.
  567. */
  568. function getPreferences() {
  569. global $request;
  570. if (empty($this->_prefs))
  571. $this->_prefs = new UserPreferences;
  572. $UserName = $this->UserName();
  573. // Try to read deprecated 1.3.x style cookies
  574. if ($cookie = $request->cookies->get_old(WIKI_NAME)) {
  575. if (! $unboxedcookie = $this->_prefs->retrieve($cookie)) {
  576. trigger_error(_("Empty Preferences or format of UserPreferences cookie not recognised.")
  577. . "\n"
  578. . sprintf("%s='%s'", WIKI_NAME, $cookie)
  579. . "\n"
  580. . _("Default preferences will be used."),
  581. E_USER_NOTICE);
  582. }
  583. /**
  584. * Only set if it matches the UserName who is
  585. * signing in or if this really is an Anon login (no
  586. * username). (Remember, _BogoUser and higher inherit this
  587. * function too!).
  588. */
  589. if (! $UserName || $UserName == @$unboxedcookie['userid']) {
  590. $updated = $this->_prefs->updatePrefs($unboxedcookie);
  591. //$this->_prefs = new UserPreferences($unboxedcookie);
  592. $UserName = @$unboxedcookie['userid'];
  593. if (is_string($UserName) and (substr($UserName,0,2) != 's:'))
  594. $this->_userid = $UserName;
  595. else
  596. $UserName = false;
  597. }
  598. // v1.3.8 policy: don't set PhpWiki cookies, only plaintext WIKI_ID cookies
  599. if (!headers_sent())
  600. $request->deleteCookieVar(WIKI_NAME);
  601. }
  602. // Try to read deprecated 1.3.4 style cookies
  603. if (! $UserName and ($cookie = $request->cookies->get_old("WIKI_PREF2"))) {
  604. if (! $unboxedcookie = $this->_prefs->retrieve($cookie)) {
  605. if (! $UserName || $UserName == $unboxedcookie['userid']) {
  606. $updated = $this->_prefs->updatePrefs($unboxedcookie);
  607. //$this->_prefs = new UserPreferences($unboxedcookie);
  608. $UserName = $unboxedcookie['userid'];
  609. if (is_string($UserName) and (substr($UserName,0,2) != 's:'))
  610. $this->_userid = $UserName;
  611. else
  612. $UserName = false;
  613. }
  614. if (!headers_sent())
  615. $request->deleteCookieVar("WIKI_PREF2");
  616. }
  617. }
  618. if (! $UserName ) {
  619. // Try reading userid from old PhpWiki cookie formats:
  620. if ($cookie = $request->cookies->get_old(getCookieName())) {
  621. if (is_string($cookie) and (substr($cookie,0,2) != 's:'))
  622. $UserName = $cookie;
  623. elseif (is_array($cookie) and !empty($cookie['userid']))
  624. $UserName = $cookie['userid'];
  625. }
  626. if (! $UserName and !headers_sent())
  627. $request->deleteCookieVar(getCookieName());
  628. else
  629. $this->_userid = $UserName;
  630. }
  631. // initializeTheme() needs at least an empty object
  632. /*
  633. if (empty($this->_prefs))
  634. $this->_prefs = new UserPreferences;
  635. */
  636. return $this->_prefs;
  637. }
  638. /** _AnonUser::setPreferences(): Save prefs in a cookie and session and update all global vars
  639. *
  640. * Allow for multiple wikis in same domain. Encode only the
  641. * _prefs array of the UserPreference object. Ideally the
  642. * prefs array should just be imploded into a single string or
  643. * something so it is completely human readable by the end
  644. * user. In that case stricter error checking will be needed
  645. * when loading the cookie.
  646. */
  647. function setPreferences($prefs, $id_only=false) {
  648. if (!is_object($prefs)) {
  649. if (is_object($this->_prefs)) {
  650. $updated = $this->_prefs->updatePrefs($prefs);
  651. $prefs =& $this->_prefs;
  652. } else {
  653. // update the prefs values from scratch. This could leed to unnecessary
  654. // side-effects: duplicate emailVerified, ...
  655. $this->_prefs = new UserPreferences($prefs);
  656. $updated = true;
  657. }
  658. } else {
  659. if (!isset($this->_prefs))
  660. $this->_prefs =& $prefs;
  661. else
  662. $updated = $this->_prefs->isChanged($prefs);
  663. }
  664. if ($updated) {
  665. if ($id_only and !headers_sent()) {
  666. global $request;
  667. // new 1.3.8 policy: no array cookies, only plain userid string as in
  668. // the pre 1.3.x versions.
  669. // prefs should be stored besides the session in the homepagehandle or in a db.
  670. $request->setCookieVar(getCookieName(), $this->_userid,
  671. COOKIE_EXPIRATION_DAYS, COOKIE_DOMAIN);
  672. //$request->setCookieVar(WIKI_NAME, array('userid' => $prefs->get('userid')),
  673. // COOKIE_EXPIRATION_DAYS, COOKIE_DOMAIN);
  674. }
  675. }
  676. $packed = $prefs->store();
  677. $unpacked = $prefs->unpack($packed);
  678. if (count($unpacked)) {
  679. foreach (array('_method','_select','_update','_insert') as $param) {
  680. if (!empty($this->_prefs->{$param}))
  681. $prefs->{$param} = $this->_prefs->{$param};
  682. }
  683. $this->_prefs = $prefs;
  684. }
  685. return $updated;
  686. }
  687. function userExists() {
  688. return true;
  689. }
  690. function checkPass($submitted_password) {
  691. return false;
  692. // this might happen on a old-style signin button.
  693. // By definition, the _AnonUser does not HAVE a password
  694. // (compared to _BogoUser, who has an EMPTY password).
  695. trigger_error("DEBUG: Warning: _AnonUser unexpectedly asked to checkPass()." . " "
  696. . "Check isa(\$user, '_PassUser'), or: isa(\$user, '_AdminUser') etc. first." . " "
  697. . "New subclasses of _WikiUser must override this function.");
  698. return false;
  699. }
  700. }
  701. /**
  702. * Helper class to finish the PassUser auth loop.
  703. * This is added automatically to USER_AUTH_ORDER.
  704. */
  705. class _ForbiddenUser
  706. extends _AnonUser
  707. {
  708. var $_level = WIKIAUTH_FORBIDDEN;
  709. function checkPass($submitted_password) {
  710. return WIKIAUTH_FORBIDDEN;
  711. }
  712. function userExists() {
  713. if ($this->_HomePagehandle) return true;
  714. return false;
  715. }
  716. }
  717. /**
  718. * Do NOT extend _BogoUser to other classes, for checkPass()
  719. * security. (In case of defects in code logic of the new class!)
  720. * The intermediate step between anon and passuser.
  721. * We also have the _BogoLoginPassUser class with stricter
  722. * password checking, which fits into the auth loop.
  723. * Note: This class is not called anymore by WikiUser()
  724. */
  725. class _BogoUser
  726. extends _AnonUser
  727. {
  728. function userExists() {
  729. if (isWikiWord($this->_userid)) {
  730. $this->_level = WIKIAUTH_BOGO;
  731. return true;
  732. } else {
  733. $this->_level = WIKIAUTH_ANON;
  734. return false;
  735. }
  736. }
  737. function checkPass($submitted_password) {
  738. // By definition, BogoUser has an empty password.
  739. $this->userExists();
  740. return $this->_level;
  741. }
  742. }
  743. class _PassUser
  744. extends _AnonUser
  745. /**
  746. * Called if ALLOW_USER_PASSWORDS and Anon and Bogo failed.
  747. *
  748. * The classes for all subsequent auth methods extend from this class.
  749. * This handles the auth method type dispatcher according $USER_AUTH_ORDER,
  750. * the three auth method policies first-only, strict and stacked
  751. * and the two methods for prefs: homepage or database,
  752. * if $DBAuthParams['pref_select'] is defined.
  753. *
  754. * Default is PersonalPage auth and prefs.
  755. *
  756. * @author: Reini Urban
  757. * @tables: pref
  758. */
  759. {
  760. var $_auth_dbi, $_prefs;
  761. var $_current_method, $_current_index;
  762. // check and prepare the auth and pref methods only once
  763. function _PassUser($UserName='', $prefs=false) {
  764. //global $DBAuthParams, $DBParams;
  765. if ($UserName) {
  766. if (!$this->isValidName($UserName))
  767. return false;
  768. $this->_userid = $UserName;
  769. if ($this->hasHomePage())
  770. $this->_HomePagehandle = $GLOBALS['request']->getPage($this->_userid);
  771. }
  772. $this->_authmethod = substr(get_class($this),1,-8);
  773. if ($this->_authmethod == 'a') $this->_authmethod = 'admin';
  774. // Check the configured Prefs methods
  775. $dbi = $this->getAuthDbh();
  776. $dbh = $GLOBALS['request']->getDbh();
  777. if ( $dbi and !isset($this->_prefs->_select) and $dbh->getAuthParam('pref_select')) {
  778. if (!$this->_prefs) {
  779. $this->_prefs = new UserPreferences();
  780. $need_pref = true;
  781. }
  782. $this->_prefs->_method = $dbh->getParam('dbtype');
  783. $this->_prefs->_select = $this->prepare($dbh->getAuthParam('pref_select'), "userid");
  784. // read-only prefs?
  785. if ( !isset($this->_prefs->_update) and $dbh->getAuthParam('pref_update')) {
  786. $this->_prefs->_update = $this->prepare($dbh->getAuthParam('pref_update'),
  787. array("userid", "pref_blob"));
  788. }
  789. } else {
  790. if (!$this->_prefs) {
  791. $this->_prefs = new UserPreferences();
  792. $need_pref = true;
  793. }
  794. $this->_prefs->_method = 'HomePage';
  795. }
  796. if (! $this->_prefs or isset($need_pref) ) {
  797. if ($prefs) $this->_prefs = $prefs;
  798. else $this->getPreferences();
  799. }
  800. // Upgrade to the next parent _PassUser class. Avoid recursion.
  801. if ( strtolower(get_class($this)) === '_passuser' ) {
  802. //auth policy: Check the order of the configured auth methods
  803. // 1. first-only: Upgrade the class here in the constructor
  804. // 2. old: ignore USER_AUTH_ORDER and try to use all available methods as
  805. /// in the previous PhpWiki releases (slow)
  806. // 3. strict: upgrade the class after checking the user existance in userExists()
  807. // 4. stacked: upgrade the class after the password verification in checkPass()
  808. // Methods: PersonalPage, HttpAuth, DB, Ldap, Imap, File
  809. //if (!defined('USER_AUTH_POLICY')) define('USER_AUTH_POLICY','old');
  810. if (defined('USER_AUTH_POLICY')) {
  811. // policy 1: only pre-define one method for all users
  812. if (USER_AUTH_POLICY === 'first-only') {
  813. $class = $this->nextClass();
  814. return new $class($UserName,$this->_prefs);
  815. }
  816. // Use the default behaviour from the previous versions:
  817. elseif (USER_AUTH_POLICY === 'old') {
  818. // Default: try to be smart
  819. // On php5 we can directly return and upgrade the Object,
  820. // before we have to upgrade it manually.
  821. if (!empty($GLOBALS['PHP_AUTH_USER']) or !empty($_SERVER['REMOTE_USER'])) {
  822. include_once("lib/WikiUser/HttpAuth.php");
  823. if (check_php_version(5))
  824. return new _HttpAuthPassUser($UserName,$this->_prefs);
  825. else {
  826. $user = new _HttpAuthPassUser($UserName,$this->_prefs);
  827. eval("\$this = \$user;");
  828. // /*PHP5 patch*/$this = $user;
  829. return $user;
  830. }
  831. } elseif (in_array('Db', $dbh->getAuthParam('USER_AUTH_ORDER')) and
  832. $dbh->getAuthParam('auth_check') and
  833. ($dbh->getAuthParam('auth_dsn') or $dbh->getParam('dsn'))) {
  834. if (check_php_version(5))
  835. return new _DbPassUser($UserName,$this->_prefs);
  836. else {
  837. $user = new _DbPassUser($UserName,$this->_prefs);
  838. eval("\$this = \$user;");
  839. // /*PHP5 patch*/$this = $user;
  840. return $user;
  841. }
  842. } elseif (in_array('LDAP', $dbh->getAuthParam('USER_AUTH_ORDER')) and
  843. defined('LDAP_AUTH_HOST') and defined('LDAP_BASE_DN') and
  844. function_exists('ldap_connect')) {
  845. include_once("lib/WikiUser/LDAP.php");
  846. if (check_php_version(5))
  847. return new _LDAPPassUser($UserName,$this->_prefs);
  848. else {
  849. $user = new _LDAPPassUser($UserName,$this->_prefs);
  850. eval("\$this = \$user;");
  851. // /*PHP5 patch*/$this = $user;
  852. return $user;
  853. }
  854. } elseif (in_array('IMAP', $dbh->getAuthParam('USER_AUTH_ORDER')) and
  855. defined('IMAP_AUTH_HOST') and function_exists('imap_open')) {
  856. include_once("lib/WikiUser/IMAP.php");
  857. if (check_php_version(5))
  858. return new _IMAPPassUser($UserName,$this->_prefs);
  859. else {
  860. $user = new _IMAPPassUser($UserName,$this->_prefs);
  861. eval("\$this = \$user;");
  862. // /*PHP5 patch*/$this = $user;
  863. return $user;
  864. }
  865. } elseif (in_array('File', $dbh->getAuthParam('USER_AUTH_ORDER')) and
  866. defined('AUTH_USER_FILE') and file_exists(AUTH_USER_FILE)) {
  867. include_once("lib/WikiUser/File.php");
  868. if (check_php_version(5))
  869. return new _FilePassUser($UserName, $this->_prefs);
  870. else {
  871. $user = new _FilePassUser($UserName, $this->_prefs);
  872. eval("\$this = \$user;");
  873. // /*PHP5 patch*/$this = $user;
  874. return $user;
  875. }
  876. } else {
  877. include_once("lib/WikiUser/PersonalPage.php");
  878. if (check_php_version(5))
  879. return new _PersonalPagePassUser($UserName,$this->_prefs);
  880. else {
  881. $user = new _PersonalPagePassUser($UserName,$this->_prefs);
  882. eval("\$this = \$user;");
  883. // /*PHP5 patch*/$this = $user;
  884. return $user;
  885. }
  886. }
  887. }
  888. else
  889. // else use the page methods defined in _PassUser.
  890. return $this;
  891. }
  892. }
  893. }
  894. function getAuthDbh () {
  895. global $request; //, $DBParams, $DBAuthParams;
  896. $dbh = $request->getDbh();
  897. // session restauration doesn't re-connect to the database automatically,
  898. // so dirty it here, to force a reconnect.
  899. if (isset($this->_auth_dbi)) {
  900. if (($dbh->getParam('dbtype') == 'SQL') and empty($this->_auth_dbi->connection))
  901. unset($this->_auth_dbi);
  902. if (($dbh->getParam('dbtype') == 'ADODB') and empty($this->_auth_dbi->_connectionID))
  903. unset($this->_auth_dbi);
  904. }
  905. if (empty($this->_auth_dbi)) {
  906. if ($dbh->getParam('dbtype') != 'SQL'
  907. and $dbh->getParam('dbtype') != 'ADODB'
  908. and $dbh->getParam('dbtype') != 'PDO')
  909. return false;
  910. if (empty($GLOBALS['DBAuthParams']))
  911. return false;
  912. if (!$dbh->getAuthParam('auth_dsn')) {
  913. $dbh = $request->getDbh(); // use phpwiki database
  914. } elseif ($dbh->getAuthParam('auth_dsn') == $dbh->getParam('dsn')) {
  915. $dbh = $request->getDbh(); // same phpwiki database
  916. } else { // use another external database handle. needs PHP >= 4.1
  917. $local_params = array_merge($GLOBALS['DBParams'],$GLOBALS['DBAuthParams']);
  918. $local_params['dsn'] = $local_params['auth_dsn'];
  919. $dbh = WikiDB::open($local_params);
  920. }
  921. $this->_auth_dbi =& $dbh->_backend->_dbh;
  922. }
  923. return $this->_auth_dbi;
  924. }
  925. function _normalize_stmt_var($var, $oldstyle = false) {
  926. static $valid_variables = array('userid','password','pref_blob','groupname');
  927. // old-style: "'$userid'"
  928. // new-style: '"\$userid"' or just "userid"
  929. $new = str_replace(array("'",'"','\$','$'),'',$var);
  930. if (!in_array($new, $valid_variables)) {
  931. trigger_error("Unknown DBAuthParam statement variable: ". $new, E_USER_ERROR);
  932. return false;
  933. }
  934. return !$oldstyle ? "'$".$new."'" : '\$'.$new;
  935. }
  936. // TODO: use it again for the auth and member tables
  937. // sprintfstyle vs prepare style: %s or ?
  938. // multiple vars should be executed via prepare(?,?)+execute,
  939. // single vars with execute(sprintf(quote(var)))
  940. // help with position independency
  941. function prepare ($stmt, $variables, $oldstyle = false, $sprintfstyle = true) {
  942. global $request;
  943. $dbi = $request->getDbh();
  944. $this->getAuthDbh();
  945. // "'\$userid"' => %s
  946. // variables can be old-style: '"\$userid"' or new-style: "'$userid'" or just "userid"
  947. // old-style strings don't survive pear/Config/IniConfig treatment, that's why we changed it.
  948. $new = array();
  949. if (is_array($variables)) {
  950. //$sprintfstyle = false;
  951. for ($i=0; $i < count($variables); $i++) {
  952. $var = $this->_normalize_stmt_var($variables[$i], $oldstyle);
  953. if (!$var)
  954. trigger_error(sprintf("DbAuthParams: Undefined or empty statement variable %s in %s",
  955. $variables[$i], $stmt), E_USER_WARNING);
  956. $variables[$i] = $var;
  957. if (!$var) $new[] = '';
  958. else {
  959. $s = "%" . ($i+1) . "s";
  960. $new[] = $sprintfstyle ? $s : "?";
  961. }
  962. }
  963. } else {
  964. $var = $this->_normalize_stmt_var($variables, $oldstyle);
  965. if (!$var)
  966. trigger_error(sprintf("DbAuthParams: Undefined or empty statement variable %s in %s",
  967. $variables, $stmt), E_USER_WARNING);
  968. $variables = $var;
  969. if (!$var) $new = '';
  970. else $new = $sprintfstyle ? '%s' : "?";
  971. }
  972. $prefix = $dbi->getParam('prefix');
  973. // probably prefix table names if in same database
  974. if ($prefix and isset($this->_auth_dbi) and isset($dbi->_backend->_dbh) and
  975. ($dbi->getAuthParam('auth_dsn') and $dbi->getParam('dsn') == $dbi->getAuthParam('auth_dsn')))
  976. {
  977. if (!stristr($stmt, $prefix)) {
  978. $oldstmt = $stmt;
  979. $stmt = str_replace(array(" user "," pref "," member "),
  980. array(" ".$prefix."user ",
  981. " ".$prefix."pref ",
  982. " ".$prefix."member "), $stmt);
  983. //Do it automatically for the lazy admin? Esp. on sf.net it's nice to have
  984. trigger_error("Need to prefix the DBAUTH tablename in config/config.ini:\n $oldstmt \n=> $stmt",
  985. E_USER_WARNING);
  986. }
  987. }
  988. // Preparate the SELECT statement, for ADODB and PearDB (MDB not).
  989. // Simple sprintf-style.
  990. $new_stmt = str_replace($variables, $new, $stmt);
  991. if ($new_stmt == $stmt) {
  992. if ($oldstyle) {
  993. trigger_error(sprintf("DbAuthParams: Invalid statement in %s",
  994. $stmt), E_USER_WARNING);
  995. } else {
  996. trigger_error(sprintf("DbAuthParams: Old statement quoting style in %s",
  997. $stmt), E_USER_WARNING);
  998. $new_stmt = $this->prepare($stmt, $variables, 'oldstyle');
  999. }
  1000. }
  1001. return $new_stmt;
  1002. }
  1003. function getPreferences() {
  1004. if (!empty($this->_prefs->_method)) {
  1005. if ($this->_prefs->_method == 'ADODB') {
  1006. // FIXME: strange why this should be needed...
  1007. include_once("lib/WikiUser/Db.php");
  1008. include_once("lib/WikiUser/AdoDb.php");
  1009. _AdoDbPassUser::_AdoDbPassUser($this->_userid, $this->_prefs);
  1010. return _AdoDbPassUser::getPreferences();
  1011. } elseif ($this->_prefs->_method == 'SQL') {
  1012. include_once("lib/WikiUser/Db.php");
  1013. include_once("lib/WikiUser/PearDb.php");
  1014. _PearDbPassUser::_PearDbPassUser($this->_userid, $this->_prefs);
  1015. return _PearDbPassUser::getPreferences();
  1016. } elseif ($this->_prefs->_method == 'PDO') {
  1017. include_once("lib/WikiUser/Db.php");
  1018. include_once("lib/WikiUser/PdoDb.php");
  1019. _PdoDbPassUser::_PdoDbPassUser($this->_userid, $this->_prefs);
  1020. return _PdoDbPassUser::getPreferences();
  1021. }
  1022. }
  1023. // We don't necessarily have to read the cookie first. Since
  1024. // the user has a password, the prefs stored in the homepage
  1025. // cannot be arbitrarily altered by other Bogo users.
  1026. _AnonUser::getPreferences();
  1027. // User may have deleted cookie, retrieve from his
  1028. // PersonalPage if there is one.
  1029. if ($this->_HomePagehandle) {
  1030. if ($restored_from_page = $this->_prefs->retrieve
  1031. ($this->_HomePagehandle->get('pref'))) {
  1032. $updated = $this->_prefs->updatePrefs($restored_from_page,'init');
  1033. //$this->_prefs = new UserPreferences($restored_from_page);
  1034. return $this->_prefs;
  1035. }
  1036. }
  1037. return $this->_prefs;
  1038. }
  1039. function setPreferences($prefs, $id_only=false) {
  1040. if (!empty($this->_prefs->_method)) {
  1041. if ($this->_prefs->_method == 'ADODB') {
  1042. // FIXME: strange why this should be needed...
  1043. include_once("lib/WikiUser/Db.php");
  1044. include_once("lib/WikiUser/AdoDb.php");
  1045. _AdoDbPassUser::_AdoDbPassUser($this->_userid, $prefs);
  1046. return _AdoDbPassUser::setPreferences($prefs, $id_only);
  1047. }
  1048. elseif ($this->_prefs->_method == 'SQL') {
  1049. include_once("lib/WikiUser/Db.php");
  1050. include_once("lib/WikiUser/PearDb.php");
  1051. _PearDbPassUser::_PearDbPassUser($this->_userid, $prefs);
  1052. return _PearDbPassUser::setPreferences($prefs, $id_only);
  1053. }
  1054. elseif ($this->_prefs->_method == 'PDO') {
  1055. include_once("lib/WikiUser/Db.php");
  1056. include_once("lib/WikiUser/PdoDb.php");
  1057. _PdoDbPassUser::_PdoDbPassUser($this->_userid, $prefs);
  1058. return _PdoDbPassUser::setPreferences($prefs, $id_only);
  1059. }
  1060. }
  1061. if ($updated = _AnonUser::setPreferences($prefs, $id_only)) {
  1062. // Encode only the _prefs array of the UserPreference object
  1063. if (!empty($this->_HomePagehandle) and !$id_only) {
  1064. $this->_HomePagehandle->set('pref', $this->_prefs->store());
  1065. }
  1066. }
  1067. return $updated;
  1068. }
  1069. function mayChangePass() {
  1070. return true;
  1071. }
  1072. //The default method is getting the password from prefs.
  1073. // child methods obtain $stored_password from external auth.
  1074. function userExists() {
  1075. //if ($this->_HomePagehandle) return true;
  1076. $class = $this->nextClass();
  1077. while ($user = new $class($this->_userid, $this->_prefs)) {
  1078. if (!check_php_version(5))
  1079. eval("\$this = \$user;");
  1080. // /*PHP5 patch*/$this = $user;
  1081. UpgradeUser($this,$user);
  1082. if ($user->userExists()) {
  1083. return true;
  1084. }
  1085. // prevent endless loop. does this work on all PHP's?
  1086. // it just has to set the classname, what it correctly does.
  1087. $class = $user->nextClass();
  1088. if ($class == "_ForbiddenPassUser")
  1089. return false;
  1090. }
  1091. return false;
  1092. }
  1093. //The default method is getting the password from prefs.
  1094. // child methods obtain $stored_password from external auth.
  1095. function checkPass($submitted_password) {
  1096. $stored_password = $this->_prefs->get('passwd');
  1097. if ($this->_checkPass($submitted_password, $stored_password)) {
  1098. $this->_level = WIKIAUTH_USER;
  1099. return $this->_level;
  1100. } else {
  1101. if ((USER_AUTH_POLICY === 'strict') and $this->userExists()) {
  1102. $this->_level = WIKIAUTH_FORBIDDEN;
  1103. return $this->_level;
  1104. }
  1105. return $this->_tryNextPass($submitted_password);
  1106. }
  1107. }
  1108. function _checkPassLength($submitted_password) {
  1109. if (strlen($submitted_password) < PASSWORD_LENGTH_MINIMUM) {
  1110. trigger_error(_("The length of the password is shorter than the system policy allows."));
  1111. return false;
  1112. }
  1113. return true;
  1114. }
  1115. /**
  1116. * The basic password checker for all PassUser objects.
  1117. * Uses global ENCRYPTED_PASSWD and PASSWORD_LENGTH_MINIMUM.
  1118. * Empty passwords are always false!
  1119. * PASSWORD_LENGTH_MINIMUM is enforced here and in the preference set method.
  1120. * @see UserPreferences::set
  1121. *
  1122. * DBPassUser password's have their own crypt definition.
  1123. * That's why DBPassUser::checkPass() doesn't call this method, if
  1124. * the db password method is 'plain', which means that the DB SQL
  1125. * statement just returns 1 or 0. To use CRYPT() or PASSWORD() and
  1126. * don't store plain passwor…

Large files files are truncated, but you can click here to view the full file