/wp-content/plugins/buddypress-old/bp-forums/bbpress/bb-includes/backpress/class.wp-auth.php

https://github.com/pfond/PFOND · PHP · 298 lines · 158 code · 41 blank · 99 comment · 33 complexity · 0d80efdfd135391007d4d6019c03495a MD5 · raw file 

    

  1. <?php
    2. 

  2. class WP_Auth
    3. 

  3. {
    4. 

  4. 	var $db; // BBPDB object
    5. 

  5. 	var $users; // WP_Users object
    6. 

  6. 

  7. 	var $cookies;
    8. 

  8. 

  9. 	var $current = 0;
    10. 

  10. 

  11. 	function WP_Auth( &$db, &$users, $cookies )
    12. 

  12. 	{
    13. 

  13. 		$this->__construct( $db, $users, $cookies );
    14. 

  14. 	}
    15. 

  15. 

  16. 	/**
    17. 

  17. 	 * @param array $cookies Array indexed by internal name of cookie.  Values are arrays of array defining cookie parameters.
    18. 

  18. 	 * $cookies = array(
    19. 

  19. 	 *	'auth' => array(
    20. 

  20. 	 *		0 => array(
    21. 

  21. 	 *			'domain' => (string) cookie domain
    22. 

  22. 	 *			'path' => (string) cookie path
    23. 

  23. 	 *			'name' => (string) cookie name
    24. 

  24. 	 *			'secure' => (bool) restrict cookie to HTTPS only
    25. 

  25. 	 *		)
    26. 

  26. 	 *	)
    27. 

  27. 	 * );
    28. 

  28. 	 *
    29. 

  29. 	 * At least one cookie is required.  Give it an internal name of 'auth'.
    30. 

  30. 	 *
    31. 

  31. 	 * Suggested cookie structure:
    32. 

  32. 	 * 	logged_in: whether or not a user is logged in.  Send everywhere.
    33. 

  33. 	 *	auth: used to authorize user's actions.  Send only to domains/paths that need it (e.g. wp-admin/)
    34. 

  34. 	 *	secure_auth: used to authorize user's actions.  Send only to domains/paths that need it and only over HTTPS
    35. 

  35. 	 */
    36. 

  36. 	function __construct( &$db, &$users, $cookies )
    37. 

  37. 	{
    38. 

  38. 		$this->db =& $db;
    39. 

  39. 		$this->users =& $users;
    40. 

  40. 		
    41. 

  41. 		$cookies = wp_parse_args( $cookies, array( 'auth' => null ) );
    42. 

  42. 		$_cookies = array();
    43. 

  43. 		foreach ( $cookies as $_scheme => $_scheme_cookies ) {
    44. 

  44. 			foreach ( $_scheme_cookies as $_scheme_cookie ) {
    45. 

  45. 				$_cookies[$_scheme][] = wp_parse_args( $_scheme_cookie, array( 'domain' => null, 'path' => null, 'name' => '' ) );
    46. 

  46. 			}
    47. 

  47. 			unset( $_scheme_cookie );
    48. 

  48. 		}
    49. 

  49. 		unset( $_scheme, $_scheme_cookies );
    50. 

  50. 		$this->cookies = $_cookies;
    51. 

  51. 		unset( $_cookies );
    52. 

  52. 	}
    53. 

  53. 

  54. 	/**
    55. 

  55. 	 * Changes the current user by ID or name
    56. 

  56. 	 *
    57. 

  57. 	 * Set $id to null and specify a name if you do not know a user's ID
    58. 

  58. 	 *
    59. 

  59. 	 * Some WordPress functionality is based on the current user and
    60. 

  60. 	 * not based on the signed in user. Therefore, it opens the ability
    61. 

  61. 	 * to edit and perform actions on users who aren't signed in.
    62. 

  62. 	 *
    63. 

  63. 	 * @since 2.0.4
    64. 

  64. 	 * @uses do_action() Calls 'set_current_user' hook after setting the current user.
    65. 

  65. 	 *
    66. 

  66. 	 * @param int $id User ID
    67. 

  67. 	 * @param string $name User's username
    68. 

  68. 	 * @return BP_User Current user User object
    69. 

  69. 	 */
    70. 

  70. 	function set_current_user( $user_id )
    71. 

  71. 	{
    72. 

  72. 		$user = $this->users->get_user( $user_id );
    73. 

  73. 		if ( !$user || is_wp_error( $user ) ) {
    74. 

  74. 			$this->current = 0;
    75. 

  75. 			return $this->current;
    76. 

  76. 		}
    77. 

  77. 

  78. 		$user_id = $user->ID;
    79. 

  79. 

  80. 		if ( isset( $this->current->ID ) && $user_id == $this->current->ID ) {
    81. 

  81. 			return $this->current;
    82. 

  82. 		}
    83. 

  83. 

  84. 		if ( class_exists( 'BP_User' ) ) {
    85. 

  85. 			$this->current = new BP_User( $user_id );
    86. 

  86. 		} else {
    87. 

  87. 			$this->current =& $user;
    88. 

  88. 		}
    89. 

  89. 

  90. 		// WP add_action( 'set_current_user', 'setup_userdata', 1 );
    91. 

  91. 

  92. 		do_action( 'set_current_user', $user_id );
    93. 

  93. 

  94. 		return $this->current;
    95. 

  95. 	}
    96. 

  96. 

  97. 	/**
    98. 

  98. 	 * Populate variables with information about the currently logged in user
    99. 

  99. 	 *
    100. 

  100. 	 * Will set the current user, if the current user is not set. The current
    101. 

  101. 	 * user will be set to the logged in person. If no user is logged in, then
    102. 

  102. 	 * it will set the current user to 0, which is invalid and won't have any
    103. 

  103. 	 * permissions.
    104. 

  104.  	 *
    105. 

  105. 	 * @since 0.71
    106. 

  106.  	 * @uses $current_user Checks if the current user is set
    107. 

  107.  	 * @uses wp_validate_auth_cookie() Retrieves current logged in user.
    108. 

  108.  	 *
    109. 

  109.  	 * @return bool|null False on XMLRPC Request and invalid auth cookie. Null when current user set
    110. 

  110.  	 */
    111. 

  111. 	function get_current_user()
    112. 

  112. 	{
    113. 

  113. 		if ( !empty( $this->current ) ) {
    114. 

  114. 			return $this->current;
    115. 

  115. 		}
    116. 

  116. 

  117. 		if ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST ) {
    118. 

  118. 			$this->set_current_user( 0 );
    119. 

  119. 		} elseif ( $user_id = $this->validate_auth_cookie( null, 'logged_in' ) ) {
    120. 

  120. 			$this->set_current_user( $user_id );
    121. 

  121. 		} else {
    122. 

  122. 			$this->set_current_user( 0 );
    123. 

  123. 		}
    124. 

  124. 

  125. 		return $this->current;
    126. 

  126. 	}
    127. 

  127. 

  128. 	/**
    129. 

  129. 	 * Validates authentication cookie
    130. 

  130. 	 *
    131. 

  131. 	 * The checks include making sure that the authentication cookie
    132. 

  132. 	 * is set and pulling in the contents (if $cookie is not used).
    133. 

  133. 	 *
    134. 

  134. 	 * Makes sure the cookie is not expired. Verifies the hash in
    135. 

  135. 	 * cookie is what is should be and compares the two.
    136. 

  136. 	 *
    137. 

  137. 	 * @since 2.5
    138. 

  138. 	 *
    139. 

  139. 	 * @param string $cookie Optional. If used, will validate contents instead of cookie's
    140. 

  140. 	 * @return bool|int False if invalid cookie, User ID if valid.
    141. 

  141. 	 */
    142. 

  142. 	function validate_auth_cookie( $cookie = null, $scheme = 'auth' )
    143. 

  143. 	{
    144. 

  144. 		if ( empty( $cookie ) ) {
    145. 

  145. 			foreach ( $this->cookies[$scheme] as $_scheme_cookie ) {
    146. 

  146. 				// Take the first cookie of type scheme that exists
    147. 

  147. 				if ( !empty( $_COOKIE[$_scheme_cookie['name']] ) ) {
    148. 

  148. 					$cookie = $_COOKIE[$_scheme_cookie['name']];
    149. 

  149. 					break;
    150. 

  150. 				}
    151. 

  151. 			}
    152. 

  152. 		}
    153. 

  153. 		
    154. 

  154. 		if ( !$cookie ) {
    155. 

  155. 			return false;
    156. 

  156. 		}
    157. 

  157. 

  158. 		$cookie_elements = explode( '|', $cookie );
    159. 

  159. 		if ( count( $cookie_elements ) != 3 ) {
    160. 

  160. 			do_action( 'auth_cookie_malformed', $cookie, $scheme );
    161. 

  161. 			return false;
    162. 

  162. 		}
    163. 

  163. 

  164. 		list( $username, $expiration, $hmac ) = $cookie_elements;
    165. 

  165. 

  166. 		$expired = $expiration;
    167. 

  167. 

  168. 		// Allow a grace period for POST and AJAX requests
    169. 

  169. 		if ( defined( 'DOING_AJAX' ) || 'POST' == $_SERVER['REQUEST_METHOD'] ) {
    170. 

  170. 			$expired += 3600;
    171. 

  171. 		}
    172. 

  172. 

  173. 		if ( $expired < time() ) {
    174. 

  174. 			do_action( 'auth_cookie_expired', $cookie_elements );
    175. 

  175. 			return false;
    176. 

  176. 		}
    177. 

  177. 

  178. 		$user = $this->users->get_user( $username, array( 'by' => 'login' ) );
    179. 

  179. 		if ( !$user || is_wp_error( $user ) ) {
    180. 

  180. 			do_action( 'auth_cookie_bad_username', $cookie_elements );
    181. 

  181. 			return $user;
    182. 

  182. 		}
    183. 

  183. 

  184. 		$pass_frag = '';
    185. 

  185. 		if ( 1 < WP_AUTH_COOKIE_VERSION ) {
    186. 

  186. 			$pass_frag = substr( $user->user_pass, 8, 4 );
    187. 

  187. 		}
    188. 

  188. 

  189. 		$key  = call_user_func( backpress_get_option( 'hash_function_name' ), $username . $pass_frag . '|' . $expiration, $scheme );
    190. 

  190. 		$hash = hash_hmac( 'md5', $username . '|' . $expiration, $key );
    191. 

  191. 	
    192. 

  192. 		if ( $hmac != $hash ) {
    193. 

  193. 			do_action( 'auth_cookie_bad_hash', $cookie_elements );
    194. 

  194. 			return false;
    195. 

  195. 		}
    196. 

  196. 

  197. 		do_action( 'auth_cookie_valid', $cookie_elements, $user );
    198. 

  198. 

  199. 		return $user->ID;
    200. 

  200. 	}
    201. 

  201. 

  202. 	/**
    203. 

  203. 	 * Generate authentication cookie contents
    204. 

  204. 	 *
    205. 

  205. 	 * @since 2.5
    206. 

  206. 	 * @uses apply_filters() Calls 'auth_cookie' hook on $cookie contents, User ID
    207. 

  207. 	 *		and expiration of cookie.
    208. 

  208. 	 *
    209. 

  209. 	 * @param int $user_id User ID
    210. 

  210. 	 * @param int $expiration Cookie expiration in seconds
    211. 

  211. 	 * @return string Authentication cookie contents
    212. 

  212. 	 */
    213. 

  213. 	function generate_auth_cookie( $user_id, $expiration, $scheme = 'auth' )
    214. 

  214. 	{
    215. 

  215. 		$user = $this->users->get_user( $user_id );
    216. 

  216. 		if ( !$user || is_wp_error( $user ) ) {
    217. 

  217. 			return $user;
    218. 

  218. 		}
    219. 

  219. 

  220. 		$pass_frag = '';
    221. 

  221. 		if ( 1 < WP_AUTH_COOKIE_VERSION ) {
    222. 

  222. 			$pass_frag = substr( $user->user_pass, 8, 4 );
    223. 

  223. 		}
    224. 

  224. 

  225. 		$key  = call_user_func( backpress_get_option( 'hash_function_name' ), $user->user_login . $pass_frag . '|' . $expiration, $scheme );
    226. 

  226. 		$hash = hash_hmac('md5', $user->user_login . '|' . $expiration, $key);
    227. 

  227. 

  228. 		$cookie = $user->user_login . '|' . $expiration . '|' . $hash;
    229. 

  229. 

  230. 		return apply_filters( 'auth_cookie', $cookie, $user_id, $expiration, $scheme );
    231. 

  231. 	}
    232. 

  232. 

  233. 	/**
    234. 

  234. 	 * Sets the authentication cookies based User ID
    235. 

  235. 	 *
    236. 

  236. 	 * The $remember parameter increases the time that the cookie will
    237. 

  237. 	 * be kept. The default the cookie is kept without remembering is
    238. 

  238. 	 * two days. When $remember is set, the cookies will be kept for
    239. 

  239. 	 * 14 days or two weeks.
    240. 

  240. 	 *
    241. 

  241. 	 * @since 2.5
    242. 

  242. 	 *
    243. 

  243. 	 * @param int $user_id User ID
    244. 

  244. 	 * @param int $expiration the UNIX time after which the cookie's authentication token is no longer valid
    245. 

  245. 	 * @param int $expire the UNIX time at which the cookie expires
    246. 

  246. 	 * @param int $scheme name of the 
    247. 

  247. 	 */
    248. 

  248. 	function set_auth_cookie( $user_id, $expiration = 0, $expire = 0, $scheme = 'auth' )
    249. 

  249. 	{
    250. 

  250. 		if ( !isset( $this->cookies[$scheme] ) ) {
    251. 

  251. 			return;
    252. 

  252. 		}
    253. 

  253. 

  254. 		if ( !$expiration = absint( $expiration ) ) {
    255. 

  255. 			$expiration = time() + 172800; // 2 days
    256. 

  256. 		}
    257. 

  257. 

  258. 		$expire = absint( $expire );
    259. 

  259. 

  260. 		foreach ( $this->cookies[$scheme] as $_cookie ) {
    261. 

  261. 			$cookie = $this->generate_auth_cookie( $user_id, $expiration, $scheme );
    262. 

  262. 			if ( is_wp_error( $cookie ) ) {
    263. 

  263. 				return $cookie;
    264. 

  264. 			}
    265. 

  265. 

  266. 			do_action( 'set_' . $scheme . '_cookie', $cookie, $expire, $expiration, $user_id, $scheme );
    267. 

  267. 

  268. 			$domain = $_cookie['domain'];
    269. 

  269. 			$secure = isset($_cookie['secure']) ? (bool) $_cookie['secure'] : false;
    270. 

  270. 

  271. 			// Set httponly if the php version is >= 5.2.0
    272. 

  272. 			if ( version_compare( phpversion(), '5.2.0', 'ge' ) ) {
    273. 

  273. 				setcookie( $_cookie['name'], $cookie, $expire, $_cookie['path'], $domain, $secure, true );
    274. 

  274. 			} else {
    275. 

  275. 				$domain = ( empty( $domain ) ) ? $domain : $domain . '; HttpOnly';
    276. 

  276. 				setcookie( $_cookie['name'], $cookie, $expire, $_cookie['path'], $domain, $secure );
    277. 

  277. 			}
    278. 

  278. 		}
    279. 

  279. 		unset( $_cookie );
    280. 

  280. 	}
    281. 

  281. 

  282. 	/**
    283. 

  283. 	 * Deletes all of the cookies associated with authentication
    284. 

  284. 	 *
    285. 

  285. 	 * @since 2.5
    286. 

  286. 	 */
    287. 

  287. 	function clear_auth_cookie()
    288. 

  288. 	{
    289. 

  289. 		do_action( 'clear_auth_cookie' );
    290. 

  290. 		foreach ( $this->cookies as $_scheme => $_scheme_cookies ) {
    291. 

  291. 			foreach ( $_scheme_cookies as $_cookie ) {
    292. 

  292. 				setcookie( $_cookie['name'], ' ', time() - 31536000, $_cookie['path'], $_cookie['domain'] );
    293. 

  293. 			}
    294. 

  294. 			unset( $_cookie );
    295. 

  295. 		}
    296. 

  296. 		unset( $_scheme, $_scheme_cookies );
    297. 

  297. 	}
    298. 

  298. }
    299.