
/index.php

https://github.com/obenauer/equilibrium
  1. <?php
  2. // Copyright 2008, St. Jude Children's Research Hospital.
  3. // Written by Dr. John Obenauer, john.obenauer@stjude.org.
  4. // This file is part of Equilibrium. Equilibrium is free software:
  5. // you can redistribute it and/or modify it under the terms of the
  6. // GNU General Public License as published by the Free Software
  7. // Foundation, either version 2 of the License, or (at your option)
  8. // any later version.
  9. // Equilibrium is distributed in the hope that it will be useful,
  10. // but WITHOUT ANY WARRANTY; without even the implied warranty of
  11. // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  12. // GNU General Public License for more details.
  13. // You should have received a copy of the GNU General Public License
  14. // along with Equilibrium. If not, see <http://www.gnu.org/licenses/>.
  15. require("config.php");
  16. // Check for passed arguments
  17. if (isset($_REQUEST['action'])) {
  18. $action = $_REQUEST['action'];
  19. } else {
  20. $action = "login";
  21. }
  22. if (isset($_REQUEST['cmd'])) {
  23. $cmd = $_REQUEST['cmd'];
  24. } else {
  25. $cmd = "";
  26. }
  27. if (isset($_REQUEST['user'])) {
  28. $user = $_REQUEST['user'];
  29. } else {
  30. $user = "";
  31. }
  32. if (isset($_REQUEST['pass'])) {
  33. $pass = $_REQUEST['pass'];
  34. } else {
  35. $pass = "";
  36. }
  37. if (isset($_REQUEST['error'])) {
  38. $error = $_REQUEST['error'];
  39. $action = "error";
  40. } else {
  41. $error = "";
  42. }
  43. // Declare PHP functions
  44. //require("equilibrium.php");
  45. function authenticate_local($user, $pass) {
  46. global $userid;
  47. global $login;
  48. global $fullname;
  49. global $authentication;
  50. global $staff;
  51. global $admin;
  52. $conn = mysql_connect(DB_HOST, DB_USER, DB_PASSWORD)
  53. or die ("Cannot connect to database. " . mysql_error() . "\n<br>");
  54. mysql_select_db(DB_DATABASE);
  55. $query = "SELECT user_id, login, first_name, last_name, " .
  56. "staff_flag, admin_priv, authentication " .
  57. "FROM users WHERE login = \"$user\" " .
  58. "AND password = PASSWORD(\"$pass\") ";
  59. $result = mysql_query ($query, $conn)
  60. or die ("Error in query: $query " . mysql_error() . "\n<br>");
  61. if (mysql_num_rows($result) == 1) {
  62. if ($row = mysql_fetch_array($result, MYSQL_ASSOC)) {
  63. if ($row['authentication'] == "local") {
  64. // User has been authenticated; set privileges
  65. $userid = $row['user_id'];
  66. $login = $row['login'];
  67. if ($row['first_name']) {
  68. $fullname = $row['first_name'] . " " . $row['last_name'];
  69. } else {
  70. $fullname = $row['last_name'];
  71. }
  72. $authentication = $row['authentication'];
  73. $staff = $row['staff_flag'];
  74. $admin = $row['admin_priv'];
  75. mysql_free_result($result);
  76. mysql_close($conn);
  77. return 1;
  78. } else if ($row['authentication'] == 'LDAP') {
  79. // Local authentication not allowed for this user
  80. mysql_free_result($result);
  81. mysql_close($conn);
  82. return 0;
  83. }
  84. }
  85. // User failed authentication -- authentication type unknown
  86. mysql_free_result($result);
  87. mysql_close($conn);
  88. return 0;
  89. } else {
  90. // User failed authentication -- not found in local database
  91. mysql_free_result($result);
  92. mysql_close($conn);
  93. return 0;
  94. }
  95. }
  96. function authenticate_ldap($user, $pass) {
  97. // Do not allow blank passwords
  98. if ($pass == "") {
  99. return 0;
  100. }
  101. // Connect to LDAP
  102. $conn = ldap_connect(LDAP_SERVER_ADDRESS, LDAP_PORT);
  103. if (!$conn) {
  104. die("Error: Could not connect to LDAP server " . LDAP_SERVER . ".\n");
  105. }
  106. ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
  107. ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
  108. // Bind LDAP server
  109. $bind = ldap_bind($conn, LDAP_USER_NAME, LDAP_PASSWORD);
  110. if (!$bind) {
  111. die("Error: Could not BIND to LDAP server ->" . LDAP_SERVER .
  112. " on port " . LDAP_PORT);
  113. }
  114. // Query LDAP for this user
  115. $authenticated = false;
  116. $query = 'samaccountname=' . $user;
  117. $fields = array("ou", "sn", "givenname", "mail", "memberof", "samaccountname",
  118. "department", "description", "initials");
  119. $search = ldap_search($conn, LDAP_BASE_DN, $query, $fields);
  120. if ($search !== false) {
  121. $result = @ldap_get_entries($conn, $search);
  122. if (!$result) {
  123. $authenticated = false;
  124. } else {
  125. if ($result['count'] == 0) {
  126. // This username was not found; authentication failed
  127. $authenticated = false;
  128. } else {
  129. // Username found in LDAP; check that password matches
  130. if ($result[0])
  131. {
  132. if (@ldap_bind($conn, $result[0]['dn'], $pass) )
  133. {
  134. // Password matches; authentication successful
  135. $authenticated = true;
  136. } else {
  137. // Failed authentication
  138. $authenticated = false;
  139. }
  140. }
  141. }
  142. }
  143. }
  144. // Close LDAP connection
  145. ldap_close($conn);
  146. if ($authenticated) {
  147. // User has St. Jude credentials; check local database for access
  148. global $userid;
  149. global $login;
  150. global $fullname;
  151. global $authentication;
  152. global $staff;
  153. global $admin;
  154. // If user is already in local database, retrieve settings
  155. $conn = mysql_connect(DB_HOST, DB_USER, DB_PASSWORD)
  156. or die ("Cannot connect to database. " . mysql_error() . "\n<br>");
  157. mysql_select_db(DB_DATABASE);
  158. $query = "SELECT user_id, login, first_name, last_name, " .
  159. "staff_flag, admin_priv, authentication " .
  160. "FROM users WHERE login = \"$user\" ";
  161. $result = mysql_query ($query, $conn)
  162. or die ("Error in query: $query " . mysql_error() . "\n<br>");
  163. if (mysql_num_rows($result) == 1) {
  164. if ($row = mysql_fetch_array($result, MYSQL_ASSOC)) {
  165. // Verify that LDAP authentication is allowed for this user
  166. if ($row['authentication'] == "LDAP") {
  167. // User has been authenticated; set privileges
  168. $userid = $row['user_id'];
  169. $login = $row['login'];
  170. if ($row['first_name']) {
  171. $fullname = $row['first_name'] . " " . $row['last_name'];
  172. } else {
  173. $fullname = $row['last_name'];
  174. }
  175. $authentication = $row['authentication'];
  176. $staff = $row['staff_flag'];
  177. $admin = $row['admin_priv'];
  178. mysql_free_result($result);
  179. mysql_close($conn);
  180. return 1;
  181. } else if ($row['authentication'] == 'local') {
  182. // User failed authentication -- wrong auth type
  183. mysql_free_result($result);
  184. mysql_close($conn);
  185. return 0;
  186. }
  187. // User failed authentication -- unknown auth type
  188. mysql_free_result($result);
  189. mysql_close($conn);
  190. return 0;
  191. } else {
  192. // User failed authentication -- not found in local database
  193. mysql_free_result($result);
  194. mysql_close($conn);
  195. return 0;
  196. }
  197. } else {
  198. // If user is not in local database, deny access
  199. mysql_free_result($result);
  200. mysql_close($conn);
  201. return 0;
  202. }
  203. } else {
  204. // User failed authentication
  205. return 0;
  206. }
  207. }
  208. // Commands that don't generate HTML output
  209. switch($cmd) {
  210. case "authenticate":
  211. // Initialize variables
  212. $userid = 0;
  213. $login = "";
  214. $fullname = "";
  215. $staff = "N";
  216. $admin = "N";
  217. if ($use_ldap == "Y") {
  218. // Authenticate some users locally (like admin)
  219. $status = authenticate_local($user, $pass);
  220. // If local authentication fails, try LDAP
  221. if ($status == 0) {
  222. $status = authenticate_ldap($user, $pass);
  223. }
  224. } else {
  225. // Authenticate all users locally (like admin)
  226. $status = authenticate_local($user, $pass);
  227. }
  228. if ($status == 1) {
  229. // User authenticated, so start a session
  230. session_start();
  231. session_register("SESSION");
  232. session_register("SESSION_USERID");
  233. session_register("SESSION_LOGIN");
  234. session_register("SESSION_USER");
  235. session_register("SESSION_STAFF");
  236. session_register("SESSION_ADMIN");
  237. $_SESSION['SESSION_USERID'] = $userid;
  238. $_SESSION['SESSION_LOGIN'] = $login;
  239. $_SESSION['SESSION_USER'] = $fullname;
  240. $_SESSION['SESSION_STAFF'] = $staff;
  241. $_SESSION['SESSION_ADMIN'] = $admin;
  242. // Send user to protected page
  243. header("Location: $main_page");
  244. exit();
  245. } else {
  246. // User not authenticated
  247. header("Location: index.php?error=1");
  248. exit();
  249. }
  250. break;
  251. case "logout":
  252. // Destroy all session variables
  253. session_start();
  254. session_destroy();
  255. // Redirect browser to login page
  256. header("Location: index.php");
  257. break;
  258. }
  259. // Start HTML and declare Javascript functions
  260. $activepage = "";
  261. //require("header.php");
  262. // Main functions of page
  263. switch($action) {
  264. case "error":
  265. if ($error == 1) {
  266. printf("<html><head><title>Login Failure</title></head>\n");
  267. printf("<body bgcolor='%s'>\n", $background_color);
  268. printf("<h2>Login Failed</h2>\n");
  269. printf("<p>Either your username, password, or both are not recognized.</p>\n");
  270. printf("<a href='index.php'>Try again</a>\n");
  271. printf("</body></html>\n");
  272. } else if ($error == 2) {
  273. printf("<html><head><title>Authorization Required</title></head>\n");
  274. printf("<body bgcolor='%s'>\n", $background_color);
  275. printf("<h2>Authorization Required</h2>\n");
  276. printf("<p>You must <a href='index.php'>log in</a> to access this page. \n");
  277. printf("Your session may have timed out.</p>\n");
  278. printf("</body></html>\n");
  279. } else {
  280. printf("<html><head><title>Authentication Error</title></head>\n");
  281. printf("<body bgcolor='%s'>\n", $background_color);
  282. printf("<h2>Authentication Error</h2>\n");
  283. printf("<p>The system was not able to authenticate your username ");
  284. printf("and password. ");
  285. printf("If you were previously logged in, your session may have ");
  286. printf("timed out.</p>\n");
  287. printf("<a href='index.php'>Log in again</a>\n");
  288. printf("</body></html>\n");
  289. }
  290. break;
  291. case "":
  292. break;
  293. case "":
  294. break;
  295. case "":
  296. break;
  297. case "login":
  298. // Show login page
  299. printf("<html><head><title>%s Projects Database</title></head>\n",
  300. $organization_name);
  301. printf("<body bgcolor='%s'>\n", $background_color);
  302. printf("<h2>%s Projects Database</h2>\n", $organization_name);
  303. printf("<table><tr><td>\n");
  304. printf(" <table cellspacing='5' cellpadding='5'>\n");
  305. printf(" <form action=\"index.php\" method='POST'>\n");
  306. printf(" <input type='hidden' name='cmd' value='authenticate'>\n");
  307. printf(" <tr><td>Username</td><td><input type='text' name='user' ");
  308. printf("id='username' size='20'></td></tr>\n");
  309. printf(" <tr><td>Password</td><td><input type='password' ");
  310. printf("name='pass' size='20'</td></tr>\n");
  311. printf(" <tr><td colspan='2' align='center'>");
  312. printf("<input type='submit' name='submit' value='Log In'></td></tr>\n");
  313. printf(" </form>\n");
  314. printf(" </table>\n");
  315. printf("</td>\n");
  316. // Optional: include an image on login page
  317. //printf("<td><img src=''></td>\n");
  318. printf("</tr></table>\n");
  319. // Set focus to username text box
  320. printf("<script type='text/javascript'>\n");
  321. printf(" document.getElementById('username').value = '';\n");
  322. printf(" document.getElementById('username').focus();\n");
  323. printf("</script>\n");
  324. printf("</body></html>\n");
  325. break;
  326. }
  327. // End page
  328. //require("footer.php");
  329. ?>