/src/site/administrator/components/com_jfusion/plugins/dokuwiki/auth/basic.class.php
PHP | 392 lines | 124 code | 25 blank | 243 comment | 11 complexity | 3ab194046f0f2969a425a024159fe88e MD5 | raw file
Possible License(s): BSD-3-Clause, LGPL-2.1, GPL-2.0, Apache-2.0
- <?php
- /**
- * @package JFusion_dokuwiki
- * @author Chris Smith <chris@jalakai.co.uk>
- * @author JFusion development team
- * @copyright Copyright (C) 2008 JFusion. All rights reserved.
- * @license http://www.gnu.org/copyleft/gpl.html GNU/GPL
- */
-
- // no direct access
- defined('_JEXEC' ) or die('Restricted access' );
-
- /**
- * Basic authentication class for dokuwiki
- * @package JFusion_dokuwiki
- */
- class doku_auth_basic {
-
- var $success = true;
-
-
- /**
- * Posible things an auth backend module may be able to
- * do. The things a backend can do need to be set to true
- * in the constructor.
- */
- var $cando = array (
- 'addUser' => false, // can Users be created?
- 'delUser' => false, // can Users be deleted?
- 'modLogin' => false, // can login names be changed?
- 'modPass' => false, // can passwords be changed?
- 'modName' => false, // can real names be changed?
- 'modMail' => false, // can emails be changed?
- 'modGroups' => false, // can groups be changed?
- 'getUsers' => false, // can a (filtered) list of users be retrieved?
- 'getUserCount'=> false, // can the number of users be retrieved?
- 'getGroups' => false, // can a list of available groups be retrieved?
- 'external' => false, // does the module do external auth checking?
- 'logoff' => false, // has the module some special logoff method?
- );
-
- /**
- * Encrypts a password using the given method and salt
- *
- * If the selected method needs a salt and none was given, a random one
- * is chosen.
- *
- * The following methods are understood:
- *
- * smd5 - Salted MD5 hashing
- * md5 - Simple MD5 hashing
- * sha1 - SHA1 hashing
- * ssha - Salted SHA1 hashing
- * crypt - Unix crypt
- * mysql - MySQL password (old method)
- * my411 - MySQL 4.1.1 password
- *
- * @author Andreas Gohr <andi@splitbrain.org>
- * @return string The crypted password
- */
- function cryptPassword($clear,$method='',$salt=''){
- $share = Dokuwiki::getInstance();
- $conf = $share->getConf();
-
- if(empty($method)) $method = $conf['passcrypt'];
-
- //prepare a salt
- if(empty($salt)) $salt = md5(uniqid(rand(), true));
-
- switch(strtolower($method)){
- case 'smd5':
- return crypt($clear,'$1$'.substr($salt,0,8).'$');
- case 'md5':
- return md5($clear);
- case 'sha1':
- return sha1($clear);
- case 'ssha':
- $salt=substr($salt,0,4);
- return '{SSHA}'.base64_encode(pack("H*", sha1($clear.$salt)).$salt);
- case 'crypt':
- return crypt($clear,substr($salt,0,2));
- case 'mysql':
- //from http://www.php.net/mysql comment by <soren at byu dot edu>
- $nr=0x50305735;
- $nr2=0x12345671;
- $add=7;
- $charArr = preg_split("//", $clear);
- foreach ($charArr as $char) {
- if (($char == '') || ($char == ' ') || ($char == '\t')) continue;
- $charVal = ord($char);
- $nr ^= ((($nr & 63) + $add) * $charVal) + ($nr << 8);
- $nr2 += ($nr2 << 8) ^ $nr;
- $add += $charVal;
- }
- return sprintf("%08x%08x", ($nr & 0x7fffffff), ($nr2 & 0x7fffffff));
- case 'my411':
- return '*'.sha1(pack("H*", sha1($clear)));
- default:
- JError::raiseWarning(500,"Unsupported crypt method $method");
- }
- }
-
-
- /**
- * Constructor.
- *
- * Carry out sanity checks to ensure the object is
- * able to operate. Set capabilities in $this->cando
- * array here
- *
- * Set $this->success to false if checks fail
- *
- * @author Christopher Smith <chris@jalakai.co.uk>
- */
- function auth_basic() {
- // the base class constructor does nothing, derived class
- // constructors do the real work
- }
-
- /**
- * Capability check. [ DO NOT OVERRIDE ]
- *
- * Checks the capabilities set in the $this->cando array and
- * some pseudo capabilities (shortcutting access to multiple
- * ones)
- *
- * ususal capabilities start with lowercase letter
- * shortcut capabilities start with uppercase letter
- *
- * @author Andreas Gohr <andi@splitbrain.org>
- * @return bool
- */
- function canDo($cap) {
- switch($cap){
- case 'Profile':
- // can at least one of the user's properties be changed?
- return ( $this->cando['modPass'] ||
- $this->cando['modName'] ||
- $this->cando['modMail'] );
- break;
- case 'UserMod':
- // can at least anything be changed?
- return ( $this->cando['modPass'] ||
- $this->cando['modName'] ||
- $this->cando['modMail'] ||
- $this->cando['modLogin'] ||
- $this->cando['modGroups'] ||
- $this->cando['modMail'] );
- break;
- default:
- // print a helping message for developers
- if(!isset($this->cando[$cap])){
- JError::raiseWarning(500,"Check for unknown capability '$cap' - Do you use an outdated Plugin?");
- return false;
- }
- return $this->cando[$cap];
- }
- }
-
- /**
- * Log off the current user [ OPTIONAL ]
- *
- * Is run in addition to the ususal logoff method. Should
- * only be needed when trustExternal is implemented.
- *
- * @see auth_logoff()
- * @author Andreas Gohr
- */
- function logOff(){
- }
-
- /**
- * Do all authentication [ OPTIONAL ]
- *
- * Set $this->cando['external'] = true when implemented
- *
- * If this function is implemented it will be used to
- * authenticate a user - all other DokuWiki internals
- * will not be used for authenticating, thus
- * implementing the checkPass() function is not needed
- * anymore.
- *
- * The function can be used to authenticate against third
- * party cookies or Apache auth mechanisms and replaces
- * the auth_login() function
- *
- * The function will be called with or without a set
- * username. If the Username is given it was called
- * from the login form and the given credentials might
- * need to be checked. If no username was given it
- * the function needs to check if the user is logged in
- * by other means (cookie, environment).
- *
- * The function needs to set some globals needed by
- * DokuWiki like auth_login() does.
- *
- * @see auth_login()
- * @author Andreas Gohr <andi@splitbrain.org>
- *
- * @param string $user Username
- * @param string $pass Cleartext Password
- * @param bool $sticky Cookie should not expire
- * @return bool true on successful auth
- */
- function trustExternal($user,$pass,$sticky=false){
- # // some example:
- #
- # global $USERINFO;
- # global $conf;
- # $sticky ? $sticky = true : $sticky = false; //sanity check
- #
- # // do the checking here
- #
- # // set the globals if authed
- # $USERINFO['name'] = 'FIXME';
- # $USERINFO['mail'] = 'FIXME';
- # $USERINFO['grps'] = array('FIXME');
- # $_SERVER['REMOTE_USER'] = $user;
- # $_SESSION[DOKU_COOKIE]['auth']['user'] = $user;
- # $_SESSION[DOKU_COOKIE]['auth']['pass'] = $pass;
- # $_SESSION[DOKU_COOKIE]['auth']['info'] = $USERINFO;
- # return true;
- }
-
- /**
- * Check user+password [ MUST BE OVERRIDDEN ]
- *
- * Checks if the given user exists and the given
- * plaintext password is correct
- *
- * May be ommited if trustExternal is used.
- *
- * @author Andreas Gohr <andi@splitbrain.org>
- * @return bool
- */
- function checkPass($user,$pass){
- JError::raiseWarning(500,"no valid authorisation system in use");
- return false;
- }
-
- /**
- * Return user info [ MUST BE OVERRIDDEN ]
- *
- * Returns info about the given user needs to contain
- * at least these fields:
- *
- * name string full name of the user
- * mail string email addres of the user
- * grps array list of groups the user is in
- *
- * @author Andreas Gohr <andi@splitbrain.org>
- * @return array containing user data or false
- */
- function getUserData($user) {
- if(!$this->cando['external']) JError::raiseWarning(500,"no valid authorisation system in use");
- return false;
- }
-
- /**
- * Create a new User [implement only where required/possible]
- *
- * Returns false if the user already exists, null when an error
- * occurred and true if everything went well.
- *
- * The new user HAS TO be added to the default group by this
- * function!
- *
- * Set addUser capability when implemented
- *
- * @author Andreas Gohr <andi@splitbrain.org>
- */
- function createUser($user,$pass,$name,$mail,$grps=null){
- JError::raiseWarning(500,"authorisation method does not allow creation of new users");
- return null;
- }
-
- /**
- * Modify user data [implement only where required/possible]
- *
- * Set the mod* capabilities according to the implemented features
- *
- * @author Chris Smith <chris@jalakai.co.uk>
- * @param $user nick of the user to be changed
- * @param $changes array of field/value pairs to be changed (password will be clear text)
- * @return bool
- */
- function modifyUser($user, $changes) {
- JError::raiseWarning(500,"authorisation method does not allow modifying of user data");
- return false;
- }
-
- /**
- * Delete one or more users [implement only where required/possible]
- *
- * Set delUser capability when implemented
- *
- * @author Chris Smith <chris@jalakai.co.uk>
- * @param array $users
- * @return int number of users deleted
- */
- function deleteUsers($users) {
- JError::raiseWarning(500,"authorisation method does not allow deleting of users");
- return false;
- }
-
- /**
- * Return a count of the number of user which meet $filter criteria
- * [should be implemented whenever retrieveUsers is implemented]
- *
- * Set getUserCount capability when implemented
- *
- * @author Chris Smith <chris@jalakai.co.uk>
- */
- function getUserCount($filter=array()) {
- JError::raiseWarning(500,"authorisation method does not provide user counts");
- return 0;
- }
-
- /**
- * Bulk retrieval of user data [implement only where required/possible]
- *
- * Set getUsers capability when implemented
- *
- * @author Chris Smith <chris@jalakai.co.uk>
- * @param start index of first user to be returned
- * @param limit max number of users to be returned
- * @param filter array of field/pattern pairs, null for no filter
- * @return array of userinfo (refer getUserData for internal userinfo details)
- */
- function retrieveUsers($start=0,$limit=-1,$filter=null) {
- JError::raiseWarning(500,"authorisation method does not provide user counts");
- return array();
- }
-
- /**
- * Define a group [implement only where required/possible]
- *
- * Set addGroup capability when implemented
- *
- * @author Chris Smith <chris@jalakai.co.uk>
- * @return bool
- */
- function addGroup($group) {
- JError::raiseWarning(500,"authorisation method does not support independent group creation");
- return false;
- }
-
- /**
- * Retrieve groups [implement only where required/possible]
- *
- * Set getGroups capability when implemented
- *
- * @author Chris Smith <chris@jalakai.co.uk>
- * @return array
- */
- function retrieveGroups($start=0,$limit=0) {
- JError::raiseWarning(500,"authorisation method does not support group list retrieval");
- return array();
- }
-
- /**
- * Check Session Cache validity [implement only where required/possible]
- *
- * DokuWiki caches user info in the user's session for the timespan defined
- * in $conf['securitytimeout'].
- *
- * This makes sure slow authentication backends do not slow down DokuWiki.
- * This also means that changes to the user database will not be reflected
- * on currently logged in users.
- *
- * To accommodate for this, the user manager plugin will touch a reference
- * file whenever a change is submitted. This function compares the filetime
- * of this reference file with the time stored in the session.
- *
- * This reference file mechanism does not reflect changes done directly in
- * the backend's database through other means than the user manager plugin.
- *
- * Fast backends might want to return always false, to force rechecks on
- * each page load. Others might want to use their own checking here. If
- * unsure, do not override.
- *
- * @param string $user - The username
- * @author Andreas Gohr <andi@splitbrain.org>
- * @return bool
- */
- function useSessionCache($user){
- global $conf;
- return ($_SESSION[DOKU_COOKIE]['auth']['time'] >= @filemtime($conf['cachedir'].'/sessionpurge'));
- }
-
- }
- //Setup VIM: ex: et ts=2 enc=utf-8 :