diff options
author | sembrestels <sembrestels@riseup.net> | 2011-10-13 02:39:43 +0200 |
---|---|---|
committer | sembrestels <sembrestels@riseup.net> | 2011-10-13 02:39:43 +0200 |
commit | 090e2188026c76ac396c919b27404dc7cb110bf8 (patch) | |
tree | 9f7f3a1278aa0a09f168abdc0db98f7de1788870 /lib/dokuwiki/inc/auth | |
download | elgg-090e2188026c76ac396c919b27404dc7cb110bf8.tar.gz elgg-090e2188026c76ac396c919b27404dc7cb110bf8.tar.bz2 |
Dokuwiki module for Elgg 1.7
Diffstat (limited to 'lib/dokuwiki/inc/auth')
-rw-r--r-- | lib/dokuwiki/inc/auth/ad.class.php | 205 | ||||
-rw-r--r-- | lib/dokuwiki/inc/auth/basic.class.php | 403 | ||||
-rw-r--r-- | lib/dokuwiki/inc/auth/elgg.class.php | 352 | ||||
-rw-r--r-- | lib/dokuwiki/inc/auth/ldap.class.php | 357 | ||||
-rw-r--r-- | lib/dokuwiki/inc/auth/mysql.class.php | 942 | ||||
-rw-r--r-- | lib/dokuwiki/inc/auth/pgsql.class.php | 411 | ||||
-rw-r--r-- | lib/dokuwiki/inc/auth/plain.class.php | 324 |
7 files changed, 2994 insertions, 0 deletions
diff --git a/lib/dokuwiki/inc/auth/ad.class.php b/lib/dokuwiki/inc/auth/ad.class.php new file mode 100644 index 000000000..9915b9f11 --- /dev/null +++ b/lib/dokuwiki/inc/auth/ad.class.php @@ -0,0 +1,205 @@ +<?php +/** + * Active Directory authentication backend for DokuWiki + * + * This makes authentication with a Active Directory server much easier + * than when using the normal LDAP backend by utilizing the adLDAP library + * + * Usage: + * Set DokuWiki's local.protected.php auth setting to read + * + * $conf['useacl'] = 1; + * $conf['disableactions'] = 'register'; + * $conf['autopasswd'] = 0; + * $conf['authtype'] = 'ad'; + * $conf['passcrypt'] = 'ssha'; + * + * $conf['auth']['ad']['account_suffix'] = '@my.domain.org'; + * $conf['auth']['ad']['base_dn'] = 'DC=my,DC=domain,DC=org'; + * $conf['auth']['ad']['domain_controllers'] = 'srv1.domain.org,srv2.domain.org'; + * + * //optional: + * $conf['auth']['ad']['sso'] = 1; + * $conf['auth']['ad']['ad_username'] = 'root'; + * $conf['auth']['ad']['ad_password'] = 'pass'; + * $conf['auth']['ad']['real_primarygroup'] = 1; + * $conf['auth']['ad']['use_ssl'] = 1; + * $conf['auth']['ad']['debug'] = 1; + * + * @license GPL 2 (http://www.gnu.org/licenses/gpl.html) + * @author James Van Lommel <jamesvl@gmail.com> + * @link http://www.nosq.com/blog/2005/08/ldap-activedirectory-and-dokuwiki/ + * @author Andreas Gohr <andi@splitbrain.org> + */ + +require_once(DOKU_INC.'inc/adLDAP.php'); + +class auth_ad extends auth_basic { + var $cnf = null; + var $opts = null; + var $adldap = null; + + /** + * Constructor + */ + function auth_ad() { + global $conf; + $this->cnf = $conf['auth']['ad']; + + // ldap extension is needed + if (!function_exists('ldap_connect')) { + if ($this->cnf['debug']) + msg("LDAP err: PHP LDAP extension not found.",-1); + $this->success = false; + return; + } + + // Prepare SSO + if($_SERVER['REMOTE_USER'] && $this->cnf['sso']){ + // remove possible NTLM domain + list($dom,$usr) = explode('\\',$_SERVER['REMOTE_USER'],2); + if(!$usr) $usr = $dom; + + // remove possible Kerberos domain + list($usr,$dom) = explode('@',$usr); + + $dom = strtolower($dom); + $_SERVER['REMOTE_USER'] = $usr; + + // we need to simulate a login + if(empty($_COOKIE[DOKU_COOKIE])){ + $_REQUEST['u'] = $_SERVER['REMOTE_USER']; + $_REQUEST['p'] = 'sso_only'; + } + } + + // prepare adLDAP standard configuration + $this->opts = $this->cnf; + + // add possible domain specific configuration + if($dom && is_array($this->cnf[$dom])) foreach($this->cnf[$dom] as $key => $val){ + $this->opts[$key] = $val; + } + + // handle multiple AD servers + $this->opts['domain_controllers'] = explode(',',$this->opts['domain_controllers']); + $this->opts['domain_controllers'] = array_map('trim',$this->opts['domain_controllers']); + $this->opts['domain_controllers'] = array_filter($this->opts['domain_controllers']); + + // we currently just handle authentication, so no capabilities are set + } + + /** + * Check user+password [required auth function] + * + * Checks if the given user exists and the given + * plaintext password is correct by trying to bind + * to the LDAP server + * + * @author James Van Lommel <james@nosq.com> + * @return bool + */ + function checkPass($user, $pass){ + if($_SERVER['REMOTE_USER'] && + $_SERVER['REMOTE_USER'] == $user && + $this->cnf['sso']) return true; + + if(!$this->_init()) return false; + return $this->adldap->authenticate($user, $pass); + } + + /** + * Return user info [required auth function] + * + * Returns info about the given user needs to contain + * at least these fields: + * + * name string full name of the user + * mail string email addres of the user + * grps array list of groups the user is in + * + * This LDAP specific function returns the following + * addional fields: + * + * dn string distinguished name (DN) + * uid string Posix User ID + * + * @author James Van Lommel <james@nosq.com> + */ + function getUserData($user){ + global $conf; + if(!$this->_init()) return false; + + //get info for given user + $result = $this->adldap->user_info($user); + + //general user info + $info['name'] = $result[0]['displayname'][0]; + $info['mail'] = $result[0]['mail'][0]; + $info['uid'] = $result[0]['samaccountname'][0]; + $info['dn'] = $result[0]['dn']; + + // handle ActiveDirectory memberOf + $info['grps'] = $this->adldap->user_groups($user,(bool) $this->opts['recursive_groups']); + + if (is_array($info['grps'])) { + foreach ($info['grps'] as $ndx => $group) { + $info['grps'][$ndx] = $this->cleanGroup($group); + } + } + + // always add the default group to the list of groups + if(!is_array($info['grps']) || !in_array($conf['defaultgroup'],$info['grps'])){ + $info['grps'][] = $conf['defaultgroup']; + } + + return $info; + } + + /** + * Make AD group names usable by DokuWiki. + * + * Removes backslashes ('\'), pound signs ('#'), and converts spaces to underscores. + * + * @author James Van Lommel (jamesvl@gmail.com) + */ + function cleanGroup($name) { + $sName = str_replace('\\', '', $name); + $sName = str_replace('#', '', $sName); + $sName = preg_replace('[\s]', '_', $sName); + return $sName; + } + + /** + * Sanitize user names + */ + function cleanUser($name) { + return $this->cleanGroup($name); + } + + /** + * Most values in LDAP are case-insensitive + */ + function isCaseSensitive(){ + return false; + } + + /** + * Initialize the AdLDAP library and connect to the server + */ + function _init(){ + if(!is_null($this->adldap)) return true; + + // connect + try { + $this->adldap = new adLDAP($this->opts); + return true; + } catch (adLDAPException $e) { + $this->success = false; + $this->adldap = null; + } + return false; + } +} + +//Setup VIM: ex: et ts=4 enc=utf-8 : diff --git a/lib/dokuwiki/inc/auth/basic.class.php b/lib/dokuwiki/inc/auth/basic.class.php new file mode 100644 index 000000000..c08422488 --- /dev/null +++ b/lib/dokuwiki/inc/auth/basic.class.php @@ -0,0 +1,403 @@ +<?php +/** + * auth/basic.class.php + * + * foundation authorisation class + * all auth classes should inherit from this class + * + * @author Chris Smith <chris@jalakai.co.uk> + */ + +class auth_basic { + + var $success = true; + + + /** + * Posible things an auth backend module may be able to + * do. The things a backend can do need to be set to true + * in the constructor. + */ + var $cando = array ( + 'addUser' => false, // can Users be created? + 'delUser' => false, // can Users be deleted? + 'modLogin' => false, // can login names be changed? + 'modPass' => false, // can passwords be changed? + 'modName' => false, // can real names be changed? + 'modMail' => false, // can emails be changed? + 'modGroups' => false, // can groups be changed? + 'getUsers' => false, // can a (filtered) list of users be retrieved? + 'getUserCount'=> false, // can the number of users be retrieved? + 'getGroups' => false, // can a list of available groups be retrieved? + 'external' => false, // does the module do external auth checking? + 'logoff' => false, // has the module some special logoff method? + ); + + + /** + * Constructor. + * + * Carry out sanity checks to ensure the object is + * able to operate. Set capabilities in $this->cando + * array here + * + * Set $this->success to false if checks fail + * + * @author Christopher Smith <chris@jalakai.co.uk> + */ + function auth_basic() { + // the base class constructor does nothing, derived class + // constructors do the real work + } + + /** + * Capability check. [ DO NOT OVERRIDE ] + * + * Checks the capabilities set in the $this->cando array and + * some pseudo capabilities (shortcutting access to multiple + * ones) + * + * ususal capabilities start with lowercase letter + * shortcut capabilities start with uppercase letter + * + * @author Andreas Gohr <andi@splitbrain.org> + * @return bool + */ + function canDo($cap) { + switch($cap){ + case 'Profile': + // can at least one of the user's properties be changed? + return ( $this->cando['modPass'] || + $this->cando['modName'] || + $this->cando['modMail'] ); + break; + case 'UserMod': + // can at least anything be changed? + return ( $this->cando['modPass'] || + $this->cando['modName'] || + $this->cando['modMail'] || + $this->cando['modLogin'] || + $this->cando['modGroups'] || + $this->cando['modMail'] ); + break; + default: + // print a helping message for developers + if(!isset($this->cando[$cap])){ + msg("Check for unknown capability '$cap' - Do you use an outdated Plugin?",-1); + } + return $this->cando[$cap]; + } + } + + /** + * Trigger the AUTH_USERDATA_CHANGE event and call the modification function. [ DO NOT OVERRIDE ] + * + * You should use this function instead of calling createUser, modifyUser or + * deleteUsers directly. The event handlers can prevent the modification, for + * example for enforcing a user name schema. + * + * @author Gabriel Birke <birke@d-scribe.de> + * @param string $type Modification type ('create', 'modify', 'delete') + * @param array $params Parameters for the createUser, modifyUser or deleteUsers method. The content of this array depends on the modification type + * @return mixed Result from the modification function or false if an event handler has canceled the action + */ + function triggerUserMod($type, $params) + { + $validTypes = array( + 'create' => 'createUser', + 'modify' => 'modifyUser', + 'delete' => 'deleteUsers' + ); + if(empty($validTypes[$type])) + return false; + $eventdata = array('type' => $type, 'params' => $params, 'modification_result' => null); + $evt = new Doku_Event('AUTH_USER_CHANGE', $eventdata); + if ($evt->advise_before(true)) { + $result = call_user_func_array(array($this, $validTypes[$type]), $params); + $evt->data['modification_result'] = $result; + } + $evt->advise_after(); + unset($evt); + return $result; + } + + /** + * Log off the current user [ OPTIONAL ] + * + * Is run in addition to the ususal logoff method. Should + * only be needed when trustExternal is implemented. + * + * @see auth_logoff() + * @author Andreas Gohr <andi@splitbrain.org> + */ + function logOff(){ + } + + /** + * Do all authentication [ OPTIONAL ] + * + * Set $this->cando['external'] = true when implemented + * + * If this function is implemented it will be used to + * authenticate a user - all other DokuWiki internals + * will not be used for authenticating, thus + * implementing the checkPass() function is not needed + * anymore. + * + * The function can be used to authenticate against third + * party cookies or Apache auth mechanisms and replaces + * the auth_login() function + * + * The function will be called with or without a set + * username. If the Username is given it was called + * from the login form and the given credentials might + * need to be checked. If no username was given it + * the function needs to check if the user is logged in + * by other means (cookie, environment). + * + * The function needs to set some globals needed by + * DokuWiki like auth_login() does. + * + * @see auth_login() + * @author Andreas Gohr <andi@splitbrain.org> + * + * @param string $user Username + * @param string $pass Cleartext Password + * @param bool $sticky Cookie should not expire + * @return bool true on successful auth + */ + function trustExternal($user,$pass,$sticky=false){ +# // some example: +# +# global $USERINFO; +# global $conf; +# $sticky ? $sticky = true : $sticky = false; //sanity check +# +# // do the checking here +# +# // set the globals if authed +# $USERINFO['name'] = 'FIXME'; +# $USERINFO['mail'] = 'FIXME'; +# $USERINFO['grps'] = array('FIXME'); +# $_SERVER['REMOTE_USER'] = $user; +# $_SESSION[DOKU_COOKIE]['auth']['user'] = $user; +# $_SESSION[DOKU_COOKIE]['auth']['pass'] = $pass; +# $_SESSION[DOKU_COOKIE]['auth']['info'] = $USERINFO; +# return true; + } + + /** + * Check user+password [ MUST BE OVERRIDDEN ] + * + * Checks if the given user exists and the given + * plaintext password is correct + * + * May be ommited if trustExternal is used. + * + * @author Andreas Gohr <andi@splitbrain.org> + * @return bool + */ + function checkPass($user,$pass){ + msg("no valid authorisation system in use", -1); + return false; + } + + /** + * Return user info [ MUST BE OVERRIDDEN ] + * + * Returns info about the given user needs to contain + * at least these fields: + * + * name string full name of the user + * mail string email addres of the user + * grps array list of groups the user is in + * + * @author Andreas Gohr <andi@splitbrain.org> + * @return array containing user data or false + */ + function getUserData($user) { + if(!$this->cando['external']) msg("no valid authorisation system in use", -1); + return false; + } + + /** + * Create a new User [implement only where required/possible] + * + * Returns false if the user already exists, null when an error + * occurred and true if everything went well. + * + * The new user HAS TO be added to the default group by this + * function! + * + * Set addUser capability when implemented + * + * @author Andreas Gohr <andi@splitbrain.org> + */ + function createUser($user,$pass,$name,$mail,$grps=null){ + msg("authorisation method does not allow creation of new users", -1); + return null; + } + + /** + * Modify user data [implement only where required/possible] + * + * Set the mod* capabilities according to the implemented features + * + * @author Chris Smith <chris@jalakai.co.uk> + * @param $user nick of the user to be changed + * @param $changes array of field/value pairs to be changed (password will be clear text) + * @return bool + */ + function modifyUser($user, $changes) { + msg("authorisation method does not allow modifying of user data", -1); + return false; + } + + /** + * Delete one or more users [implement only where required/possible] + * + * Set delUser capability when implemented + * + * @author Chris Smith <chris@jalakai.co.uk> + * @param array $users + * @return int number of users deleted + */ + function deleteUsers($users) { + msg("authorisation method does not allow deleting of users", -1); + return false; + } + + /** + * Return a count of the number of user which meet $filter criteria + * [should be implemented whenever retrieveUsers is implemented] + * + * Set getUserCount capability when implemented + * + * @author Chris Smith <chris@jalakai.co.uk> + */ + function getUserCount($filter=array()) { + msg("authorisation method does not provide user counts", -1); + return 0; + } + + /** + * Bulk retrieval of user data [implement only where required/possible] + * + * Set getUsers capability when implemented + * + * @author Chris Smith <chris@jalakai.co.uk> + * @param start index of first user to be returned + * @param limit max number of users to be returned + * @param filter array of field/pattern pairs, null for no filter + * @return array of userinfo (refer getUserData for internal userinfo details) + */ + function retrieveUsers($start=0,$limit=-1,$filter=null) { + msg("authorisation method does not support mass retrieval of user data", -1); + return array(); + } + + /** + * Define a group [implement only where required/possible] + * + * Set addGroup capability when implemented + * + * @author Chris Smith <chris@jalakai.co.uk> + * @return bool + */ + function addGroup($group) { + msg("authorisation method does not support independent group creation", -1); + return false; + } + + /** + * Retrieve groups [implement only where required/possible] + * + * Set getGroups capability when implemented + * + * @author Chris Smith <chris@jalakai.co.uk> + * @return array + */ + function retrieveGroups($start=0,$limit=0) { + msg("authorisation method does not support group list retrieval", -1); + return array(); + } + + /** + * Return case sensitivity of the backend [OPTIONAL] + * + * When your backend is caseinsensitive (eg. you can login with USER and + * user) then you need to overwrite this method and return false + */ + function isCaseSensitive(){ + return true; + } + + /** + * Sanitize a given username [OPTIONAL] + * + * This function is applied to any user name that is given to + * the backend and should also be applied to any user name within + * the backend before returning it somewhere. + * + * This should be used to enforce username restrictions. + * + * @author Andreas Gohr <andi@splitbrain.org> + * @param string $user - username + * @param string - the cleaned username + */ + function cleanUser($user){ + return $user; + } + + /** + * Sanitize a given groupname [OPTIONAL] + * + * This function is applied to any groupname that is given to + * the backend and should also be applied to any groupname within + * the backend before returning it somewhere. + * + * This should be used to enforce groupname restrictions. + * + * Groupnames are to be passed without a leading '@' here. + * + * @author Andreas Gohr <andi@splitbrain.org> + * @param string $group - groupname + * @param string - the cleaned groupname + */ + function cleanGroup($group){ + return $group; + } + + + /** + * Check Session Cache validity [implement only where required/possible] + * + * DokuWiki caches user info in the user's session for the timespan defined + * in $conf['auth_security_timeout']. + * + * This makes sure slow authentication backends do not slow down DokuWiki. + * This also means that changes to the user database will not be reflected + * on currently logged in users. + * + * To accommodate for this, the user manager plugin will touch a reference + * file whenever a change is submitted. This function compares the filetime + * of this reference file with the time stored in the session. + * + * This reference file mechanism does not reflect changes done directly in + * the backend's database through other means than the user manager plugin. + * + * Fast backends might want to return always false, to force rechecks on + * each page load. Others might want to use their own checking here. If + * unsure, do not override. + * + * @param string $user - The username + * @author Andreas Gohr <andi@splitbrain.org> + * @return bool + */ + function useSessionCache($user){ + global $conf; + return ($_SESSION[DOKU_COOKIE]['auth']['time'] >= @filemtime($conf['cachedir'].'/sessionpurge')); + } + +} +//Setup VIM: ex: et ts=2 enc=utf-8 : diff --git a/lib/dokuwiki/inc/auth/elgg.class.php b/lib/dokuwiki/inc/auth/elgg.class.php new file mode 100644 index 000000000..f8b575564 --- /dev/null +++ b/lib/dokuwiki/inc/auth/elgg.class.php @@ -0,0 +1,352 @@ +<?php +/** + * Plaintext authentication backend + * + * @license GPL 2 (http://www.gnu.org/licenses/gpl.html) + * @author Andreas Gohr <andi@splitbrain.org> + * @author Chris Smith <chris@jalakai.co.uk> + */ + +define('DOKU_AUTH', dirname(__FILE__)); +require_once(DOKU_AUTH.'/basic.class.php'); + +//define('AUTH_USERFILE',DOKU_CONF.'users.auth.php'); + +class auth_elgg extends auth_basic { + + var $users = null; + var $_pattern = array(); + + /** + * Constructor + * + * Carry out sanity checks to ensure the object is + * able to operate. Set capabilities. + * + * @author Christopher Smith <chris@jalakai.co.uk> + */ + function auth_elgg() { + // $this->cando['addUser'] = true; + // $this->cando['delUser'] = true; + // $this->cando['modLogin'] = true; + // $this->cando['modPass'] = true; + // $this->cando['modName'] = true; + // $this->cando['modMail'] = true; + $this->cando['getACL'] = true; + $this->cando['modGroups'] = true; + // $this->cando['getUsers'] = true; + $this->cando['getUserCount'] = true; + } + + /** + * Check user+password [required auth function] + * + * Checks if the given user exists and the given + * plaintext password is correct + * + * @author Andreas Gohr <andi@splitbrain.org> + * @return bool + */ + function checkPass($user,$pass){ + $user = get_user_by_username($user); + if ($user && $user->password == $pass) + return true; + /*if (authenticate($user, $pass)) { + return true; + }*/ + return false; + } + + /** + * Return user info + * + * Returns info about the given user needs to contain + * at least these fields: + * + * name string full name of the user + * mail string email addres of the user + * grps array list of groups the user is in + * + * @author Andreas Gohr <andi@splitbrain.org> + */ + function getUserData($username){ + $user = get_user_by_username($username); + //error_log("getUserData:".$username); + if (!$user) + return false; + //error_log("getUserData:".$username); + $page_owner = page_owner_entity(); + $grps = array(); + if ($page_owner instanceof ElggGroup) { + if ($page_owner->canEdit($user->getGUID())) { + $grps[] = "admin"; + $grps[] = "root"; + //error_log('operator'); + } + elseif ($page_owner->isMember($user)) { + $grps[] = "member"; + } + } + elseif ($page_owner instanceof ElggUser) { + if ($page_owner == $user) { + $grps[] = "admin"; + } + elseif ($page_owner->isFriendsWith($user->getGUID())) { + $grps[] = "member"; + } + } + if ($user->isAdmin()) { + $grps[] = "root"; + $grps[] = "admin"; + } + $groups = elgg_get_entities_from_relationship(array('relationship' => 'member', 'relationship_guid' => $user->getGUID(), 'inverse_relationship' => FALSE, 'limit'=>0)); + foreach($groups as $group) { + $grps[] = $this->cleanUser($group->name); + } + return array('name'=>$user->name, 'mail'=>$user->email, 'grps'=>$grps); + } + + /** + * Create a new User + * + * Returns false if the user already exists, null when an error + * occurred and true if everything went well. + * + * The new user will be added to the default group by this + * function if grps are not specified (default behaviour). + * + * @author Andreas Gohr <andi@splitbrain.org> + * @author Chris Smith <chris@jalakai.co.uk> + */ + function createUser($user,$pwd,$name,$mail,$grps=null){ + global $conf; + + // user mustn't already exist + if ($this->getUserData($user) !== false) return false; + + $pass = auth_cryptPassword($pwd); + + // set default group if no groups specified + if (!is_array($grps)) $grps = array($conf['defaultgroup']); + + // prepare user line + $groups = join(',',$grps); + $userline = join(':',array($user,$pass,$name,$mail,$groups))."\n"; + + if (io_saveFile(AUTH_USERFILE,$userline,true)) { + $this->users[$user] = compact('pass','name','mail','grps'); + return $pwd; + } + + msg('The '.AUTH_USERFILE.' file is not writable. Please inform the Wiki-Admin',-1); + return null; + } + + /** + * Modify user data + * + * @author Chris Smith <chris@jalakai.co.uk> + * @param $user nick of the user to be changed + * @param $changes array of field/value pairs to be changed (password will be clear text) + * @return bool + */ + function modifyUser($user, $changes) { + global $conf; + global $ACT; + global $INFO; + + // sanity checks, user must already exist and there must be something to change + if (($userinfo = $this->getUserData($user)) === false) return false; + if (!is_array($changes) || !count($changes)) return true; + + // update userinfo with new data, remembering to encrypt any password + $newuser = $user; + foreach ($changes as $field => $value) { + if ($field == 'user') { + $newuser = $value; + continue; + } + if ($field == 'pass') $value = auth_cryptPassword($value); + $userinfo[$field] = $value; + } + + $groups = join(',',$userinfo['grps']); + $userline = join(':',array($newuser, $userinfo['pass'], $userinfo['name'], $userinfo['mail'], $groups))."\n"; + + if (!$this->deleteUsers(array($user))) { + msg('Unable to modify user data. Please inform the Wiki-Admin',-1); + return false; + } + + if (!io_saveFile(AUTH_USERFILE,$userline,true)) { + msg('There was an error modifying your user data. You should register again.',-1); + // FIXME, user has been deleted but not recreated, should force a logout and redirect to login page + $ACT == 'register'; + return false; + } + + $this->users[$newuser] = $userinfo; + return true; + } + + /** + * Remove one or more users from the list of registered users + * + * @author Christopher Smith <chris@jalakai.co.uk> + * @param array $users array of users to be deleted + * @return int the number of users deleted + */ + function deleteUsers($users) { + + if (!is_array($users) || empty($users)) return 0; + + if ($this->users === null) $this->_loadUserData(); + + $deleted = array(); + foreach ($users as $user) { + if (isset($this->users[$user])) $deleted[] = preg_quote($user,'/'); + } + + if (empty($deleted)) return 0; + + $pattern = '/^('.join('|',$deleted).'):/'; + + if (io_deleteFromFile(AUTH_USERFILE,$pattern,true)) { + foreach ($deleted as $user) unset($this->users[$user]); + return count($deleted); + } + + // problem deleting, reload the user list and count the difference + $count = count($this->users); + $this->_loadUserData(); + $count -= count($this->users); + return $count; + } + + /** + * Return a count of the number of user which meet $filter criteria + * + * @author Chris Smith <chris@jalakai.co.uk> + */ + function getUserCount($filter=array()) { + return get_number_users(true); + } + + /** + * Bulk retrieval of user data + * + * @author Chris Smith <chris@jalakai.co.uk> + * @param start index of first user to be returned + * @param limit max number of users to be returned + * @param filter array of field/pattern pairs + * @return array of userinfo (refer getUserData for internal userinfo details) + */ + function retrieveUsers($start=0,$limit=0,$filter=array()) { + $entities = elgg_get_entities(array('types'=>'user','limit'=>$limit, 'offset'=>$start)); + $allusers = array(); + foreach ($entities as $entity) { + $allusers[$entity->username] = getUserData($entity->username); + } + return $allusers; + } + + /** + * Only valid pageid's (no namespaces) for usernames + */ + function cleanUser($user){ + global $conf; + return cleanID(str_replace(':',$conf['sepchar'],$user)); + } + + function getACL(){ + $doku = current_dokuwiki_entity(); + elgg_set_ignore_access(true); + $acl = explode("\n" ,$doku->wiki_acl); + //error_log(json_encode($acl)); + elgg_set_ignore_access(false); + return $acl; + global $conf; + $acl = array(); + $acl[] = "# acl.auth.php"; + $acl[] = '# <?php exit()?\>'; + $acl[] = "* @ALL 0"; + $acl[] = "* @user 1"; + $acl[] = "* @member 8"; + $acl[] = "* @admin 16"; + $acl[] = "* @root 255"; + $acl[] = "* @testers_de_la_red_social 8"; + return $acl; + } + function setACL($newacl){ + $doku = current_dokuwiki_entity(); + elgg_set_ignore_access(true); + $doku->wiki_acl = $newacl; + elgg_set_ignore_access(false); + } + + /** + * Only valid pageid's (no namespaces) for groupnames + */ + function cleanGroup($group){ + global $conf; + return cleanID(str_replace(':',$conf['sepchar'],$group)); + } + + /** + * Load all user data + * + * loads the user file into a datastructure + * + * @author Andreas Gohr <andi@splitbrain.org> + */ + function _loadUserData(){ + //error_log("getUserData:"); + $this->users = array(); + + if(!@file_exists(AUTH_USERFILE)) return; + + $lines = file(AUTH_USERFILE); + foreach($lines as $line){ + $line = preg_replace('/#.*$/','',$line); //ignore comments + $line = trim($line); + if(empty($line)) continue; + + $row = explode(":",$line,5); + $groups = array_values(array_filter(explode(",",$row[4]))); + + $this->users[$row[0]]['pass'] = $row[1]; + $this->users[$row[0]]['name'] = urldecode($row[2]); + $this->users[$row[0]]['mail'] = $row[3]; + $this->users[$row[0]]['grps'] = $groups; + } + } + + /** + * return 1 if $user + $info match $filter criteria, 0 otherwise + * + * @author Chris Smith <chris@jalakai.co.uk> + */ + function _filter($user, $info) { + // FIXME + foreach ($this->_pattern as $item => $pattern) { + if ($item == 'user') { + if (!preg_match($pattern, $user)) return 0; + } else if ($item == 'grps') { + if (!count(preg_grep($pattern, $info['grps']))) return 0; + } else { + if (!preg_match($pattern, $info[$item])) return 0; + } + } + return 1; + } + + function _constructPattern($filter) { + $this->_pattern = array(); + foreach ($filter as $item => $pattern) { +// $this->_pattern[$item] = '/'.preg_quote($pattern,"/").'/i'; // don't allow regex characters + $this->_pattern[$item] = '/'.str_replace('/','\/',$pattern).'/i'; // allow regex characters + } + } +} + +//Setup VIM: ex: et ts=2 enc=utf-8 : diff --git a/lib/dokuwiki/inc/auth/ldap.class.php b/lib/dokuwiki/inc/auth/ldap.class.php new file mode 100644 index 000000000..c51924135 --- /dev/null +++ b/lib/dokuwiki/inc/auth/ldap.class.php @@ -0,0 +1,357 @@ +<?php +/** + * LDAP authentication backend + * + * @license GPL 2 (http://www.gnu.org/licenses/gpl.html) + * @author Andreas Gohr <andi@splitbrain.org> + * @author Chris Smith <chris@jalakaic.co.uk> + */ + +class auth_ldap extends auth_basic { + var $cnf = null; + var $con = null; + var $bound = 0; // 0: anonymous, 1: user, 2: superuser + + /** + * Constructor + */ + function auth_ldap(){ + global $conf; + $this->cnf = $conf['auth']['ldap']; + + // ldap extension is needed + if(!function_exists('ldap_connect')) { + if ($this->cnf['debug']) + msg("LDAP err: PHP LDAP extension not found.",-1,__LINE__,__FILE__); + $this->success = false; + return; + } + + if(empty($this->cnf['groupkey'])) $this->cnf['groupkey'] = 'cn'; + + // auth_ldap currently just handles authentication, so no + // capabilities are set + } + + /** + * Check user+password + * + * Checks if the given user exists and the given + * plaintext password is correct by trying to bind + * to the LDAP server + * + * @author Andreas Gohr <andi@splitbrain.org> + * @return bool + */ + function checkPass($user,$pass){ + // reject empty password + if(empty($pass)) return false; + if(!$this->_openLDAP()) return false; + + // indirect user bind + if($this->cnf['binddn'] && $this->cnf['bindpw']){ + // use superuser credentials + if(!@ldap_bind($this->con,$this->cnf['binddn'],$this->cnf['bindpw'])){ + if($this->cnf['debug']) + msg('LDAP bind as superuser: '.htmlspecialchars(ldap_error($this->con)),0,__LINE__,__FILE__); + return false; + } + $this->bound = 2; + }else if($this->cnf['binddn'] && + $this->cnf['usertree'] && + $this->cnf['userfilter']) { + // special bind string + $dn = $this->_makeFilter($this->cnf['binddn'], + array('user'=>$user,'server'=>$this->cnf['server'])); + + }else if(strpos($this->cnf['usertree'], '%{user}')) { + // direct user bind + $dn = $this->_makeFilter($this->cnf['usertree'], + array('user'=>$user,'server'=>$this->cnf['server'])); + + }else{ + // Anonymous bind + if(!@ldap_bind($this->con)){ + msg("LDAP: can not bind anonymously",-1); + if($this->cnf['debug']) + msg('LDAP anonymous bind: '.htmlspecialchars(ldap_error($this->con)),0,__LINE__,__FILE__); + return false; + } + } + + // Try to bind to with the dn if we have one. + if(!empty($dn)) { + // User/Password bind + if(!@ldap_bind($this->con,$dn,$pass)){ + if($this->cnf['debug']){ + msg("LDAP: bind with $dn failed", -1,__LINE__,__FILE__); + msg('LDAP user dn bind: '.htmlspecialchars(ldap_error($this->con)),0); + } + return false; + } + $this->bound = 1; + return true; + }else{ + // See if we can find the user + $info = $this->getUserData($user,true); + if(empty($info['dn'])) { + return false; + } else { + $dn = $info['dn']; + } + + // Try to bind with the dn provided + if(!@ldap_bind($this->con,$dn,$pass)){ + if($this->cnf['debug']){ + msg("LDAP: bind with $dn failed", -1,__LINE__,__FILE__); + msg('LDAP user bind: '.htmlspecialchars(ldap_error($this->con)),0); + } + return false; + } + $this->bound = 1; + return true; + } + + return false; + } + + /** + * Return user info + * + * Returns info about the given user needs to contain + * at least these fields: + * + * name string full name of the user + * mail string email addres of the user + * grps array list of groups the user is in + * + * This LDAP specific function returns the following + * addional fields: + * + * dn string distinguished name (DN) + * uid string Posix User ID + * inbind bool for internal use - avoid loop in binding + * + * @author Andreas Gohr <andi@splitbrain.org> + * @author Trouble + * @author Dan Allen <dan.j.allen@gmail.com> + * @author <evaldas.auryla@pheur.org> + * @author Stephane Chazelas <stephane.chazelas@emerson.com> + * @return array containing user data or false + */ + function getUserData($user,$inbind=false) { + global $conf; + if(!$this->_openLDAP()) return false; + + // force superuser bind if wanted and not bound as superuser yet + if($this->cnf['binddn'] && $this->cnf['bindpw'] && $this->bound < 2){ + // use superuser credentials + if(!@ldap_bind($this->con,$this->cnf['binddn'],$this->cnf['bindpw'])){ + if($this->cnf['debug']) + msg('LDAP bind as superuser: '.htmlspecialchars(ldap_error($this->con)),0,__LINE__,__FILE__); + return false; + } + $this->bound = 2; + }elseif($this->bound == 0 && !$inbind) { + // in some cases getUserData is called outside the authentication workflow + // eg. for sending email notification on subscribed pages. This data might not + // be accessible anonymously, so we try to rebind the current user here + $pass = PMA_blowfish_decrypt($_SESSION[DOKU_COOKIE]['auth']['pass'],auth_cookiesalt()); + $this->checkPass($_SESSION[DOKU_COOKIE]['auth']['user'], $pass); + } + + $info['user'] = $user; + $info['server'] = $this->cnf['server']; + + //get info for given user + $base = $this->_makeFilter($this->cnf['usertree'], $info); + if(!empty($this->cnf['userfilter'])) { + $filter = $this->_makeFilter($this->cnf['userfilter'], $info); + } else { + $filter = "(ObjectClass=*)"; + } + + $sr = @ldap_search($this->con, $base, $filter); + $result = @ldap_get_entries($this->con, $sr); + if($this->cnf['debug']){ + msg('LDAP user search: '.htmlspecialchars(ldap_error($this->con)),0,__LINE__,__FILE__); + msg('LDAP search at: '.htmlspecialchars($base.' '.$filter),0,__LINE__,__FILE__); + } + + // Don't accept more or less than one response + if(!is_array($result) || $result['count'] != 1){ + return false; //user not found + } + + $user_result = $result[0]; + ldap_free_result($sr); + + // general user info + $info['dn'] = $user_result['dn']; + $info['gid'] = $user_result['gidnumber'][0]; + $info['mail'] = $user_result['mail'][0]; + $info['name'] = $user_result['cn'][0]; + $info['grps'] = array(); + + // overwrite if other attribs are specified. + if(is_array($this->cnf['mapping'])){ + foreach($this->cnf['mapping'] as $localkey => $key) { + if(is_array($key)) { + // use regexp to clean up user_result + list($key, $regexp) = each($key); + if($user_result[$key]) foreach($user_result[$key] as $grp){ + if (preg_match($regexp,$grp,$match)) { + if($localkey == 'grps') { + $info[$localkey][] = $match[1]; + } else { + $info[$localkey] = $match[1]; + } + } + } + } else { + $info[$localkey] = $user_result[$key][0]; + } + } + } + $user_result = array_merge($info,$user_result); + + //get groups for given user if grouptree is given + if ($this->cnf['grouptree'] && $this->cnf['groupfilter']) { + $base = $this->_makeFilter($this->cnf['grouptree'], $user_result); + $filter = $this->_makeFilter($this->cnf['groupfilter'], $user_result); + $sr = @ldap_search($this->con, $base, $filter, array($this->cnf['groupkey'])); + if(!$sr){ + msg("LDAP: Reading group memberships failed",-1); + if($this->cnf['debug']){ + msg('LDAP group search: '.htmlspecialchars(ldap_error($this->con)),0,__LINE__,__FILE__); + msg('LDAP search at: '.htmlspecialchars($base.' '.$filter),0,__LINE__,__FILE__); + } + return false; + } + $result = ldap_get_entries($this->con, $sr); + ldap_free_result($sr); + + if(is_array($result)) foreach($result as $grp){ + if(!empty($grp[$this->cnf['groupkey']][0])){ + if($this->cnf['debug']) + msg('LDAP usergroup: '.htmlspecialchars($grp[$this->cnf['groupkey']][0]),0,__LINE__,__FILE__); + $info['grps'][] = $grp[$this->cnf['groupkey']][0]; + } + } + } + + // always add the default group to the list of groups + if(!in_array($conf['defaultgroup'],$info['grps'])){ + $info['grps'][] = $conf['defaultgroup']; + } + return $info; + } + + /** + * Most values in LDAP are case-insensitive + */ + function isCaseSensitive(){ + return false; + } + + /** + * Make LDAP filter strings. + * + * Used by auth_getUserData to make the filter + * strings for grouptree and groupfilter + * + * filter string ldap search filter with placeholders + * placeholders array array with the placeholders + * + * @author Troels Liebe Bentsen <tlb@rapanden.dk> + * @return string + */ + function _makeFilter($filter, $placeholders) { + preg_match_all("/%{([^}]+)/", $filter, $matches, PREG_PATTERN_ORDER); + //replace each match + foreach ($matches[1] as $match) { + //take first element if array + if(is_array($placeholders[$match])) { + $value = $placeholders[$match][0]; + } else { + $value = $placeholders[$match]; + } + $value = $this->_filterEscape($value); + $filter = str_replace('%{'.$match.'}', $value, $filter); + } + return $filter; + } + + /** + * Escape a string to be used in a LDAP filter + * + * Ported from Perl's Net::LDAP::Util escape_filter_value + * + * @author Andreas Gohr + */ + function _filterEscape($string){ + return preg_replace('/([\x00-\x1F\*\(\)\\\\])/e', + '"\\\\\".join("",unpack("H2","$1"))', + $string); + } + + /** + * Opens a connection to the configured LDAP server and sets the wanted + * option on the connection + * + * @author Andreas Gohr <andi@splitbrain.org> + */ + function _openLDAP(){ + if($this->con) return true; // connection already established + + $this->bound = 0; + + $port = ($this->cnf['port']) ? $this->cnf['port'] : 389; + $this->con = @ldap_connect($this->cnf['server'],$port); + if(!$this->con){ + msg("LDAP: couldn't connect to LDAP server",-1); + return false; + } + + //set protocol version and dependend options + if($this->cnf['version']){ + if(!@ldap_set_option($this->con, LDAP_OPT_PROTOCOL_VERSION, + $this->cnf['version'])){ + msg('Setting LDAP Protocol version '.$this->cnf['version'].' failed',-1); + if($this->cnf['debug']) + msg('LDAP version set: '.htmlspecialchars(ldap_error($this->con)),0,__LINE__,__FILE__); + }else{ + //use TLS (needs version 3) + if($this->cnf['starttls']) { + if (!@ldap_start_tls($this->con)){ + msg('Starting TLS failed',-1); + if($this->cnf['debug']) + msg('LDAP TLS set: '.htmlspecialchars(ldap_error($this->con)),0,__LINE__,__FILE__); + } + } + // needs version 3 + if(isset($this->cnf['referrals'])) { + if(!@ldap_set_option($this->con, LDAP_OPT_REFERRALS, + $this->cnf['referrals'])){ + msg('Setting LDAP referrals to off failed',-1); + if($this->cnf['debug']) + msg('LDAP referal set: '.htmlspecialchars(ldap_error($this->con)),0,__LINE__,__FILE__); + } + } + } + } + + //set deref mode + if($this->cnf['deref']){ + if(!@ldap_set_option($this->con, LDAP_OPT_DEREF, $this->cnf['deref'])){ + msg('Setting LDAP Deref mode '.$this->cnf['deref'].' failed',-1); + if($this->cnf['debug']) + msg('LDAP deref set: '.htmlspecialchars(ldap_error($this->con)),0,__LINE__,__FILE__); + } + } + + return true; + } +} + +//Setup VIM: ex: et ts=4 enc=utf-8 : diff --git a/lib/dokuwiki/inc/auth/mysql.class.php b/lib/dokuwiki/inc/auth/mysql.class.php new file mode 100644 index 000000000..b1c6a3a52 --- /dev/null +++ b/lib/dokuwiki/inc/auth/mysql.class.php @@ -0,0 +1,942 @@ +<?php +/** + * MySQLP authentication backend + * + * @license GPL 2 (http://www.gnu.org/licenses/gpl.html) + * @author Andreas Gohr <andi@splitbrain.org> + * @author Chris Smith <chris@jalakai.co.uk> + * @author Matthias Grimm <matthias.grimmm@sourceforge.net> +*/ + +define('DOKU_AUTH', dirname(__FILE__)); +require_once(DOKU_AUTH.'/basic.class.php'); + +class auth_mysql extends auth_basic { + + var $dbcon = 0; + var $dbver = 0; // database version + var $dbrev = 0; // database revision + var $dbsub = 0; // database subrevision + var $cnf = null; + var $defaultgroup = ""; + + /** + * Constructor + * + * checks if the mysql interface is available, otherwise it will + * set the variable $success of the basis class to false + * + * @author Matthias Grimm <matthiasgrimm@users.sourceforge.net> + */ + function auth_mysql() { + global $conf; + $this->cnf = $conf['auth']['mysql']; + + if (method_exists($this, 'auth_basic')) + parent::auth_basic(); + + if(!function_exists('mysql_connect')) { + if ($this->cnf['debug']) + msg("MySQL err: PHP MySQL extension not found.",-1,__LINE__,__FILE__); + $this->success = false; + return; + } + + // default to UTF-8, you rarely want something else + if(!isset($this->cnf['charset'])) $this->cnf['charset'] = 'utf8'; + + $this->defaultgroup = $conf['defaultgroup']; + + // set capabilities based upon config strings set + if (empty($this->cnf['server']) || empty($this->cnf['user']) || + empty($this->cnf['password']) || empty($this->cnf['database'])){ + if ($this->cnf['debug']) + msg("MySQL err: insufficient configuration.",-1,__LINE__,__FILE__); + $this->success = false; + return; + } + + $this->cando['addUser'] = $this->_chkcnf(array('getUserInfo', + 'getGroups', + 'addUser', + 'getUserID', + 'getGroupID', + 'addGroup', + 'addUserGroup'),true); + $this->cando['delUser'] = $this->_chkcnf(array('getUserID', + 'delUser', + 'delUserRefs'),true); + $this->cando['modLogin'] = $this->_chkcnf(array('getUserID', + 'updateUser', + 'UpdateTarget'),true); + $this->cando['modPass'] = $this->cando['modLogin']; + $this->cando['modName'] = $this->cando['modLogin']; + $this->cando['modMail'] = $this->cando['modLogin']; + $this->cando['modGroups'] = $this->_chkcnf(array('getUserID', + 'getGroups', + 'getGroupID', + 'addGroup', + 'addUserGroup', + 'delGroup', + 'getGroupID', + 'delUserGroup'),true); + /* getGroups is not yet supported + $this->cando['getGroups'] = $this->_chkcnf(array('getGroups', + 'getGroupID'),false); */ + $this->cando['getUsers'] = $this->_chkcnf(array('getUsers', + 'getUserInfo', + 'getGroups'),false); + $this->cando['getUserCount'] = $this->_chkcnf(array('getUsers'),false); + } + + /** + * Check if the given config strings are set + * + * @author Matthias Grimm <matthiasgrimm@users.sourceforge.net> + * @return bool + */ + function _chkcnf($keys, $wop=false){ + foreach ($keys as $key){ + if (empty($this->cnf[$key])) return false; + } + + /* write operation and lock array filled with tables names? */ + if ($wop && (!is_array($this->cnf['TablesToLock']) || + !count($this->cnf['TablesToLock']))){ + return false; + } + + return true; + } + + /** + * Checks if the given user exists and the given plaintext password + * is correct. Furtheron it might be checked wether the user is + * member of the right group + * + * Depending on which SQL string is defined in the config, password + * checking is done here (getpass) or by the database (passcheck) + * + * @param $user user who would like access + * @param $pass user's clear text password to check + * @return bool + * + * @author Andreas Gohr <andi@splitbrain.org> + * @author Matthias Grimm <matthiasgrimm@users.sourceforge.net> + */ + function checkPass($user,$pass){ + $rc = false; + + if($this->_openDB()) { + $sql = str_replace('%{user}',$this->_escape($user),$this->cnf['checkPass']); + $sql = str_replace('%{pass}',$this->_escape($pass),$sql); + $sql = str_replace('%{dgroup}',$this->_escape($this->defaultgroup),$sql); + $result = $this->_queryDB($sql); + + if($result !== false && count($result) == 1) { + if($this->cnf['forwardClearPass'] == 1) + $rc = true; + else + $rc = auth_verifyPassword($pass,$result[0]['pass']); + } + $this->_closeDB(); + } + return $rc; + } + + /** + * [public function] + * + * Returns info about the given user needs to contain + * at least these fields: + * name string full name of the user + * mail string email addres of the user + * grps array list of groups the user is in + * + * @param $user user's nick to get data for + * + * @author Andreas Gohr <andi@splitbrain.org> + * @author Matthias Grimm <matthiasgrimm@users.sourceforge.net> + */ + function getUserData($user){ + if($this->_openDB()) { + $this->_lockTables("READ"); + $info = $this->_getUserInfo($user); + $this->_unlockTables(); + $this->_closeDB(); + } else + $info = false; + return $info; + } + + /** + * [public function] + * + * Create a new User. Returns false if the user already exists, + * null when an error occurred and true if everything went well. + * + * The new user will be added to the default group by this + * function if grps are not specified (default behaviour). + * + * @param $user nick of the user + * @param $pwd clear text password + * @param $name full name of the user + * @param $mail email address + * @param $grps array of groups the user should become member of + * + * @author Andreas Gohr <andi@splitbrain.org> + * @author Chris Smith <chris@jalakai.co.uk> + * @author Matthias Grimm <matthiasgrimm@users.sourceforge.net> + */ + function createUser($user,$pwd,$name,$mail,$grps=null){ + if($this->_openDB()) { + if (($info = $this->_getUserInfo($user)) !== false) + return false; // user already exists + + // set defaultgroup if no groups were given + if ($grps == null) + $grps = array($this->defaultgroup); + + $this->_lockTables("WRITE"); + $pwd = $this->cnf['forwardClearPass'] ? $pwd : auth_cryptPassword($pwd); + $rc = $this->_addUser($user,$pwd,$name,$mail,$grps); + $this->_unlockTables(); + $this->_closeDB(); + if ($rc) return true; + } + return null; // return error + } + + /** + * Modify user data [public function] + * + * An existing user dataset will be modified. Changes are given in an array. + * + * The dataset update will be rejected if the user name should be changed + * to an already existing one. + * + * The password must be provides unencrypted. Pasword cryption is done + * automatically if configured. + * + * If one or more groups could't be updated, an error would be set. In + * this case the dataset might already be changed and we can't rollback + * the changes. Transactions would be really usefull here. + * + * modifyUser() may be called without SQL statements defined that are + * needed to change group membership (for example if only the user profile + * should be modified). In this case we asure that we don't touch groups + * even $changes['grps'] is set by mistake. + * + * @param $user nick of the user to be changed + * @param $changes array of field/value pairs to be changed (password + * will be clear text) + * @return bool true on success, false on error + * + * @author Chris Smith <chris@jalakai.co.uk> + * @author Matthias Grimm <matthiasgrimm@users.sourceforge.net> + */ + function modifyUser($user, $changes) { + $rc = false; + + if (!is_array($changes) || !count($changes)) + return true; // nothing to change + + if($this->_openDB()) { + $this->_lockTables("WRITE"); + + if (($uid = $this->_getUserID($user))) { + $rc = $this->_updateUserInfo($changes, $uid); + + if ($rc && isset($changes['grps']) && $this->cando['modGroups']) { + $groups = $this->_getGroups($user); + $grpadd = array_diff($changes['grps'], $groups); + $grpdel = array_diff($groups, $changes['grps']); + + foreach($grpadd as $group) + if (($this->_addUserToGroup($user, $group, 1)) == false) + $rc = false; + + foreach($grpdel as $group) + if (($this->_delUserFromGroup($user, $group)) == false) + $rc = false; + } + } + + $this->_unlockTables(); + $this->_closeDB(); + } + return $rc; + } + + /** + * [public function] + * + * Remove one or more users from the list of registered users + * + * @param array $users array of users to be deleted + * @return int the number of users deleted + * + * @author Christopher Smith <chris@jalakai.co.uk> + * @author Matthias Grimm <matthiasgrimm@users.sourceforge.net> + */ + function deleteUsers($users) { + $count = 0; + + if($this->_openDB()) { + if (is_array($users) && count($users)) { + $this->_lockTables("WRITE"); + foreach ($users as $user) { + if ($this->_delUser($user)) + $count++; + } + $this->_unlockTables(); + } + $this->_closeDB(); + } + return $count; + } + + /** + * [public function] + * + * Counts users which meet certain $filter criteria. + * + * @param array $filter filter criteria in item/pattern pairs + * @return count of found users. + * + * @author Matthias Grimm <matthiasgrimm@users.sourceforge.net> + */ + function getUserCount($filter=array()) { + $rc = 0; + + if($this->_openDB()) { + $sql = $this->_createSQLFilter($this->cnf['getUsers'], $filter); + + if ($this->dbver >= 4) { + $sql = substr($sql, 6); /* remove 'SELECT' or 'select' */ + $sql = "SELECT SQL_CALC_FOUND_ROWS".$sql." LIMIT 1"; + $this->_queryDB($sql); + $result = $this->_queryDB("SELECT FOUND_ROWS()"); + $rc = $result[0]['FOUND_ROWS()']; + } else if (($result = $this->_queryDB($sql))) + $rc = count($result); + + $this->_closeDB(); + } + return $rc; + } + + /** + * Bulk retrieval of user data. [public function] + * + * @param first index of first user to be returned + * @param limit max number of users to be returned + * @param filter array of field/pattern pairs + * @return array of userinfo (refer getUserData for internal userinfo details) + * + * @author Matthias Grimm <matthiasgrimm@users.sourceforge.net> + */ + function retrieveUsers($first=0,$limit=10,$filter=array()) { + $out = array(); + + if($this->_openDB()) { + $this->_lockTables("READ"); + $sql = $this->_createSQLFilter($this->cnf['getUsers'], $filter); + $sql .= " ".$this->cnf['SortOrder']." LIMIT $first, $limit"; + $result = $this->_queryDB($sql); + + if (!empty($result)) { + foreach ($result as $user) + if (($info = $this->_getUserInfo($user['user']))) + $out[$user['user']] = $info; + } + + $this->_unlockTables(); + $this->_closeDB(); + } + return $out; + } + + /** + * Give user membership of a group [public function] + * + * @param $user + * @param $group + * @return bool true on success, false on error + * + * @author Matthias Grimm <matthiasgrimm@users.sourceforge.net> + */ + function joinGroup($user, $group) { + $rc = false; + + if ($this->_openDB()) { + $this->_lockTables("WRITE"); + $rc = $this->_addUserToGroup($user, $group); + $this->_unlockTables(); + $this->_closeDB(); + } + return $rc; + } + + /** + * Remove user from a group [public function] + * + * @param $user user that leaves a group + * @param $group group to leave + * @return bool + * + * @author Matthias Grimm <matthiasgrimm@users.sourceforge.net> + */ + function leaveGroup($user, $group) { + $rc = false; + + if ($this->_openDB()) { + $this->_lockTables("WRITE"); + $uid = $this->_getUserID($user); + $rc = $this->_delUserFromGroup($user, $group); + $this->_unlockTables(); + $this->_closeDB(); + } + return $rc; + } + + /** + * MySQL is case-insensitive + */ + function isCaseSensitive(){ + return false; + } + + /** + * Adds a user to a group. + * + * If $force is set to '1' non existing groups would be created. + * + * The database connection must already be established. Otherwise + * this function does nothing and returns 'false'. It is strongly + * recommended to call this function only after all participating + * tables (group and usergroup) have been locked. + * + * @param $user user to add to a group + * @param $group name of the group + * @param $force '1' create missing groups + * @return bool 'true' on success, 'false' on error + * + * @author Matthias Grimm <matthiasgrimm@users.sourceforge.net> + */ + function _addUserToGroup($user, $group, $force=0) { + $newgroup = 0; + + if (($this->dbcon) && ($user)) { + $gid = $this->_getGroupID($group); + if (!$gid) { + if ($force) { // create missing groups + $sql = str_replace('%{group}',$this->_escape($group),$this->cnf['addGroup']); + $gid = $this->_modifyDB($sql); + $newgroup = 1; // group newly created + } + if (!$gid) return false; // group didn't exist and can't be created + } + + $sql = $this->cnf['addUserGroup']; + if(strpos($sql,'%{uid}') !== false){ + $uid = $this->_getUserID($user); + $sql = str_replace('%{uid}', $this->_escape($uid),$sql); + } + $sql = str_replace('%{user}', $this->_escape($user),$sql); + $sql = str_replace('%{gid}', $this->_escape($gid),$sql); + $sql = str_replace('%{group}',$this->_escape($group),$sql); + if ($this->_modifyDB($sql) !== false) return true; + + if ($newgroup) { // remove previously created group on error + $sql = str_replace('%{gid}', $this->_escape($gid),$this->cnf['delGroup']); + $sql = str_replace('%{group}',$this->_escape($group),$sql); + $this->_modifyDB($sql); + } + } + return false; + } + + /** + * Remove user from a group + * + * @param $user user that leaves a group + * @param $group group to leave + * @return bool true on success, false on error + * + * @author Matthias Grimm <matthiasgrimm@users.sourceforge.net> + */ + function _delUserFromGroup($user, $group) { + $rc = false; + + + if (($this->dbcon) && ($user)) { + $sql = $this->cnf['delUserGroup']; + if(strpos($sql,'%{uid}') !== false){ + $uid = $this->_getUserID($user); + $sql = str_replace('%{uid}', $this->_escape($uid),$sql); + } + $gid = $this->_getGroupID($group); + if ($gid) { + $sql = str_replace('%{user}', $this->_escape($user),$sql); + $sql = str_replace('%{gid}', $this->_escape($gid),$sql); + $sql = str_replace('%{group}',$this->_escape($group),$sql); + $rc = $this->_modifyDB($sql) == 0 ? true : false; + } + } + return $rc; + } + + /** + * Retrieves a list of groups the user is a member off. + * + * The database connection must already be established + * for this function to work. Otherwise it will return + * 'false'. + * + * @param $user user whose groups should be listed + * @return bool false on error + * @return array array containing all groups on success + * + * @author Matthias Grimm <matthiasgrimm@users.sourceforge.net> + */ + function _getGroups($user) { + $groups = array(); + + if($this->dbcon) { + $sql = str_replace('%{user}',$this->_escape($user),$this->cnf['getGroups']); + $result = $this->_queryDB($sql); + + if($result !== false && count($result)) { + foreach($result as $row) + $groups[] = $row['group']; + } + return $groups; + } + return false; + } + + /** + * Retrieves the user id of a given user name + * + * The database connection must already be established + * for this function to work. Otherwise it will return + * 'false'. + * + * @param $user user whose id is desired + * @return user id + * + * @author Matthias Grimm <matthiasgrimm@users.sourceforge.net> + */ + function _getUserID($user) { + if($this->dbcon) { + $sql = str_replace('%{user}',$this->_escape($user),$this->cnf['getUserID']); + $result = $this->_queryDB($sql); + return $result === false ? false : $result[0]['id']; + } + return false; + } + + /** + * Adds a new User to the database. + * + * The database connection must already be established + * for this function to work. Otherwise it will return + * 'false'. + * + * @param $user login of the user + * @param $pwd encrypted password + * @param $name full name of the user + * @param $mail email address + * @param $grps array of groups the user should become member of + * @return bool + * + * @author Andreas Gohr <andi@splitbrain.org> + * @author Chris Smith <chris@jalakai.co.uk> + * @author Matthias Grimm <matthiasgrimm@users.sourceforge.net> + */ + function _addUser($user,$pwd,$name,$mail,$grps){ + if($this->dbcon && is_array($grps)) { + $sql = str_replace('%{user}', $this->_escape($user),$this->cnf['addUser']); + $sql = str_replace('%{pass}', $this->_escape($pwd),$sql); + $sql = str_replace('%{name}', $this->_escape($name),$sql); + $sql = str_replace('%{email}',$this->_escape($mail),$sql); + $uid = $this->_modifyDB($sql); + + if ($uid) { + foreach($grps as $group) { + $gid = $this->_addUserToGroup($user, $group, 1); + if ($gid === false) break; + } + + if ($gid) return true; + else { + /* remove the new user and all group relations if a group can't + * be assigned. Newly created groups will remain in the database + * and won't be removed. This might create orphaned groups but + * is not a big issue so we ignore this problem here. + */ + $this->_delUser($user); + if ($this->cnf['debug']) + msg ("MySQL err: Adding user '$user' to group '$group' failed.",-1,__LINE__,__FILE__); + } + } + } + return false; + } + + /** + * Deletes a given user and all his group references. + * + * The database connection must already be established + * for this function to work. Otherwise it will return + * 'false'. + * + * @param $user user whose id is desired + * @return bool + * + * @author Matthias Grimm <matthiasgrimm@users.sourceforge.net> + */ + function _delUser($user) { + if($this->dbcon) { + $uid = $this->_getUserID($user); + if ($uid) { + $sql = str_replace('%{uid}',$this->_escape($uid),$this->cnf['delUserRefs']); + $this->_modifyDB($sql); + $sql = str_replace('%{uid}',$this->_escape($uid),$this->cnf['delUser']); + $sql = str_replace('%{user}', $this->_escape($user),$sql); + $this->_modifyDB($sql); + return true; + } + } + return false; + } + + /** + * getUserInfo + * + * Gets the data for a specific user The database connection + * must already be established for this function to work. + * Otherwise it will return 'false'. + * + * @param $user user's nick to get data for + * @return bool false on error + * @return array user info on success + * + * @author Matthias Grimm <matthiasgrimm@users.sourceforge.net> + */ + function _getUserInfo($user){ + $sql = str_replace('%{user}',$this->_escape($user),$this->cnf['getUserInfo']); + $result = $this->_queryDB($sql); + if($result !== false && count($result)) { + $info = $result[0]; + $info['grps'] = $this->_getGroups($user); + return $info; + } + return false; + } + + /** + * Updates the user info in the database + * + * Update a user data structure in the database according changes + * given in an array. The user name can only be changes if it didn't + * exists already. If the new user name exists the update procedure + * will be aborted. The database keeps unchanged. + * + * The database connection has already to be established for this + * function to work. Otherwise it will return 'false'. + * + * The password will be crypted if necessary. + * + * @param $changes array of items to change as pairs of item and value + * @param $uid user id of dataset to change, must be unique in DB + * @return true on success or false on error + * + * @author Matthias Grimm <matthiasgrimm@users.sourceforge.net> + */ + function _updateUserInfo($changes, $uid) { + $sql = $this->cnf['updateUser']." "; + $cnt = 0; + $err = 0; + + if($this->dbcon) { + foreach ($changes as $item => $value) { + if ($item == 'user') { + if (($this->_getUserID($changes['user']))) { + $err = 1; /* new username already exists */ + break; /* abort update */ + } + if ($cnt++ > 0) $sql .= ", "; + $sql .= str_replace('%{user}',$value,$this->cnf['UpdateLogin']); + } else if ($item == 'name') { + if ($cnt++ > 0) $sql .= ", "; + $sql .= str_replace('%{name}',$value,$this->cnf['UpdateName']); + } else if ($item == 'pass') { + if (!$this->cnf['forwardClearPass']) + $value = auth_cryptPassword($value); + if ($cnt++ > 0) $sql .= ", "; + $sql .= str_replace('%{pass}',$value,$this->cnf['UpdatePass']); + } else if ($item == 'mail') { + if ($cnt++ > 0) $sql .= ", "; + $sql .= str_replace('%{email}',$value,$this->cnf['UpdateEmail']); + } + } + + if ($err == 0) { + if ($cnt > 0) { + $sql .= " ".str_replace('%{uid}', $uid, $this->cnf['UpdateTarget']); + if(get_class($this) == 'auth_mysql') $sql .= " LIMIT 1"; //some PgSQL inheritance comp. + $this->_modifyDB($sql); + } + return true; + } + } + return false; + } + + /** + * Retrieves the group id of a given group name + * + * The database connection must already be established + * for this function to work. Otherwise it will return + * 'false'. + * + * @param $group group name which id is desired + * @return group id + * + * @author Matthias Grimm <matthiasgrimm@users.sourceforge.net> + */ + function _getGroupID($group) { + if($this->dbcon) { + $sql = str_replace('%{group}',$this->_escape($group),$this->cnf['getGroupID']); + $result = $this->_queryDB($sql); + return $result === false ? false : $result[0]['id']; + } + return false; + } + + /** + * Opens a connection to a database and saves the handle for further + * usage in the object. The successful call to this functions is + * essential for most functions in this object. + * + * @return bool + * + * @author Matthias Grimm <matthiasgrimm@users.sourceforge.net> + */ + function _openDB() { + if (!$this->dbcon) { + $con = @mysql_connect ($this->cnf['server'], $this->cnf['user'], $this->cnf['password']); + if ($con) { + if ((mysql_select_db($this->cnf['database'], $con))) { + if ((preg_match("/^(\d+)\.(\d+)\.(\d+).*/", mysql_get_server_info ($con), $result)) == 1) { + $this->dbver = $result[1]; + $this->dbrev = $result[2]; + $this->dbsub = $result[3]; + } + $this->dbcon = $con; + if(!empty($this->cnf['charset'])){ + mysql_query('SET CHARACTER SET "' . $this->cnf['charset'] . '"', $con); + } + return true; // connection and database successfully opened + } else { + mysql_close ($con); + if ($this->cnf['debug']) + msg("MySQL err: No access to database {$this->cnf['database']}.",-1,__LINE__,__FILE__); + } + } else if ($this->cnf['debug']) + msg ("MySQL err: Connection to {$this->cnf['user']}@{$this->cnf['server']} not possible.", + -1,__LINE__,__FILE__); + + return false; // connection failed + } + return true; // connection already open + } + + /** + * Closes a database connection. + * + * @author Matthias Grimm <matthiasgrimm@users.sourceforge.net> + */ + function _closeDB() { + if ($this->dbcon) { + mysql_close ($this->dbcon); + $this->dbcon = 0; + } + } + + /** + * Sends a SQL query to the database and transforms the result into + * an associative array. + * + * This function is only able to handle queries that returns a + * table such as SELECT. + * + * @param $query SQL string that contains the query + * @return array with the result table + * + * @author Matthias Grimm <matthiasgrimm@users.sourceforge.net> + */ + function _queryDB($query) { + if($this->cnf['debug'] >= 2){ + msg('MySQL query: '.hsc($query),0,__LINE__,__FILE__); + } + + $resultarray = array(); + if ($this->dbcon) { + $result = @mysql_query($query,$this->dbcon); + if ($result) { + while (($t = mysql_fetch_assoc($result)) !== false) + $resultarray[]=$t; + mysql_free_result ($result); + return $resultarray; + } + if ($this->cnf['debug']) + msg('MySQL err: '.mysql_error($this->dbcon),-1,__LINE__,__FILE__); + } + return false; + } + + /** + * Sends a SQL query to the database + * + * This function is only able to handle queries that returns + * either nothing or an id value such as INPUT, DELETE, UPDATE, etc. + * + * @param $query SQL string that contains the query + * @return insert id or 0, false on error + * + * @author Matthias Grimm <matthiasgrimm@users.sourceforge.net> + */ + function _modifyDB($query) { + if ($this->dbcon) { + $result = @mysql_query($query,$this->dbcon); + if ($result) { + $rc = mysql_insert_id($this->dbcon); //give back ID on insert + if ($rc !== false) return $rc; + } + if ($this->cnf['debug']) + msg('MySQL err: '.mysql_error($this->dbcon),-1,__LINE__,__FILE__); + } + return false; + } + + /** + * Locked a list of tables for exclusive access so that modifications + * to the database can't be disturbed by other threads. The list + * could be set with $conf['auth']['mysql']['TablesToLock'] = array() + * + * If aliases for tables are used in SQL statements, also this aliases + * must be locked. For eg. you use a table 'user' and the alias 'u' in + * some sql queries, the array must looks like this (order is important): + * array("user", "user AS u"); + * + * MySQL V3 is not able to handle transactions with COMMIT/ROLLBACK + * so that this functionality is simulated by this function. Nevertheless + * it is not as powerful as transactions, it is a good compromise in safty. + * + * @param $mode could be 'READ' or 'WRITE' + * + * @author Matthias Grimm <matthiasgrimm@users.sourceforge.net> + */ + function _lockTables($mode) { + if ($this->dbcon) { + if (is_array($this->cnf['TablesToLock']) && !empty($this->cnf['TablesToLock'])) { + if ($mode == "READ" || $mode == "WRITE") { + $sql = "LOCK TABLES "; + $cnt = 0; + foreach ($this->cnf['TablesToLock'] as $table) { + if ($cnt++ != 0) $sql .= ", "; + $sql .= "$table $mode"; + } + $this->_modifyDB($sql); + return true; + } + } + } + return false; + } + + /** + * Unlock locked tables. All existing locks of this thread will be + * abrogated. + * + * @author Matthias Grimm <matthiasgrimm@users.sourceforge.net> + */ + function _unlockTables() { + if ($this->dbcon) { + $this->_modifyDB("UNLOCK TABLES"); + return true; + } + return false; + } + + /** + * Transforms the filter settings in an filter string for a SQL database + * The database connection must already be established, otherwise the + * original SQL string without filter criteria will be returned. + * + * @param $sql SQL string to which the $filter criteria should be added + * @param $filter array of filter criteria as pairs of item and pattern + * @return SQL string with attached $filter criteria on success + * @return the original SQL string on error. + * + * @author Matthias Grimm <matthiasgrimm@users.sourceforge.net> + */ + function _createSQLFilter($sql, $filter) { + $SQLfilter = ""; + $cnt = 0; + + if ($this->dbcon) { + foreach ($filter as $item => $pattern) { + $tmp = '%'.$this->_escape($pattern).'%'; + if ($item == 'user') { + if ($cnt++ > 0) $SQLfilter .= " AND "; + $SQLfilter .= str_replace('%{user}',$tmp,$this->cnf['FilterLogin']); + } else if ($item == 'name') { + if ($cnt++ > 0) $SQLfilter .= " AND "; + $SQLfilter .= str_replace('%{name}',$tmp,$this->cnf['FilterName']); + } else if ($item == 'mail') { + if ($cnt++ > 0) $SQLfilter .= " AND "; + $SQLfilter .= str_replace('%{email}',$tmp,$this->cnf['FilterEmail']); + } else if ($item == 'grps') { + if ($cnt++ > 0) $SQLfilter .= " AND "; + $SQLfilter .= str_replace('%{group}',$tmp,$this->cnf['FilterGroup']); + } + } + + // we have to check SQLfilter here and must not use $cnt because if + // any of cnf['Filter????'] is not defined, a malformed SQL string + // would be generated. + + if (strlen($SQLfilter)) { + $glue = strpos(strtolower($sql),"where") ? " AND " : " WHERE "; + $sql = $sql.$glue.$SQLfilter; + } + } + + return $sql; + } + + /** + * Escape a string for insertion into the database + * + * @author Andreas Gohr <andi@splitbrain.org> + * @param string $string The string to escape + * @param boolean $like Escape wildcard chars as well? + */ + function _escape($string,$like=false){ + if($this->dbcon){ + $string = mysql_real_escape_string($string, $this->dbcon); + }else{ + $string = addslashes($string); + } + if($like){ + $string = addcslashes($string,'%_'); + } + return $string; + } +} + +//Setup VIM: ex: et ts=2 enc=utf-8 : diff --git a/lib/dokuwiki/inc/auth/pgsql.class.php b/lib/dokuwiki/inc/auth/pgsql.class.php new file mode 100644 index 000000000..a6da56af5 --- /dev/null +++ b/lib/dokuwiki/inc/auth/pgsql.class.php @@ -0,0 +1,411 @@ +<?php +/** + * PgSQL authentication backend + * + * This class inherits much functionality from the MySQL class + * and just reimplements the Postgres specific parts. + * + * @license GPL 2 (http://www.gnu.org/licenses/gpl.html) + * @author Andreas Gohr <andi@splitbrain.org> + * @author Chris Smith <chris@jalakai.co.uk> + * @author Matthias Grimm <matthias.grimmm@sourceforge.net> +*/ + +define('DOKU_AUTH', dirname(__FILE__)); +require_once(DOKU_AUTH.'/mysql.class.php'); + +class auth_pgsql extends auth_mysql { + + /** + * Constructor + * + * checks if the pgsql interface is available, otherwise it will + * set the variable $success of the basis class to false + * + * @author Matthias Grimm <matthiasgrimm@users.sourceforge.net> + * @author Andreas Gohr <andi@splitbrain.org> + */ + function auth_pgsql() { + global $conf; + $this->cnf = $conf['auth']['pgsql']; + if(!$this->cnf['port']) $this->cnf['port'] = 5432; + + if (method_exists($this, 'auth_basic')) + parent::auth_basic(); + + if(!function_exists('pg_connect')) { + if ($this->cnf['debug']) + msg("PgSQL err: PHP Postgres extension not found.",-1); + $this->success = false; + return; + } + + $this->defaultgroup = $conf['defaultgroup']; + + // set capabilities based upon config strings set + if (empty($this->cnf['user']) || + empty($this->cnf['password']) || empty($this->cnf['database'])){ + if ($this->cnf['debug']) + msg("PgSQL err: insufficient configuration.",-1,__LINE__,__FILE__); + $this->success = false; + return; + } + + $this->cando['addUser'] = $this->_chkcnf(array('getUserInfo', + 'getGroups', + 'addUser', + 'getUserID', + 'getGroupID', + 'addGroup', + 'addUserGroup')); + $this->cando['delUser'] = $this->_chkcnf(array('getUserID', + 'delUser', + 'delUserRefs')); + $this->cando['modLogin'] = $this->_chkcnf(array('getUserID', + 'updateUser', + 'UpdateTarget')); + $this->cando['modPass'] = $this->cando['modLogin']; + $this->cando['modName'] = $this->cando['modLogin']; + $this->cando['modMail'] = $this->cando['modLogin']; + $this->cando['modGroups'] = $this->_chkcnf(array('getUserID', + 'getGroups', + 'getGroupID', + 'addGroup', + 'addUserGroup', + 'delGroup', + 'getGroupID', + 'delUserGroup')); + /* getGroups is not yet supported + $this->cando['getGroups'] = $this->_chkcnf(array('getGroups', + 'getGroupID')); */ + $this->cando['getUsers'] = $this->_chkcnf(array('getUsers', + 'getUserInfo', + 'getGroups')); + $this->cando['getUserCount'] = $this->_chkcnf(array('getUsers')); + } + + /** + * Check if the given config strings are set + * + * @author Matthias Grimm <matthiasgrimm@users.sourceforge.net> + * @return bool + */ + function _chkcnf($keys, $wop=false){ + foreach ($keys as $key){ + if (empty($this->cnf[$key])) return false; + } + return true; + } + + // @inherit function checkPass($user,$pass) + // @inherit function getUserData($user) + // @inherit function createUser($user,$pwd,$name,$mail,$grps=null) + // @inherit function modifyUser($user, $changes) + // @inherit function deleteUsers($users) + + + /** + * [public function] + * + * Counts users which meet certain $filter criteria. + * + * @param array $filter filter criteria in item/pattern pairs + * @return count of found users. + * + * @author Matthias Grimm <matthiasgrimm@users.sourceforge.net> + */ + function getUserCount($filter=array()) { + $rc = 0; + + if($this->_openDB()) { + $sql = $this->_createSQLFilter($this->cnf['getUsers'], $filter); + + // no equivalent of SQL_CALC_FOUND_ROWS in pgsql? + if (($result = $this->_queryDB($sql))){ + $rc = count($result); + } + $this->_closeDB(); + } + return $rc; + } + + /** + * Bulk retrieval of user data. [public function] + * + * @param first index of first user to be returned + * @param limit max number of users to be returned + * @param filter array of field/pattern pairs + * @return array of userinfo (refer getUserData for internal userinfo details) + * + * @author Matthias Grimm <matthiasgrimm@users.sourceforge.net> + */ + function retrieveUsers($first=0,$limit=10,$filter=array()) { + $out = array(); + + if($this->_openDB()) { + $this->_lockTables("READ"); + $sql = $this->_createSQLFilter($this->cnf['getUsers'], $filter); + $sql .= " ".$this->cnf['SortOrder']." LIMIT $limit OFFSET $first"; + $result = $this->_queryDB($sql); + + foreach ($result as $user) + if (($info = $this->_getUserInfo($user['user']))) + $out[$user['user']] = $info; + + $this->_unlockTables(); + $this->_closeDB(); + } + return $out; + } + + // @inherit function joinGroup($user, $group) + // @inherit function leaveGroup($user, $group) { + + /** + * Adds a user to a group. + * + * If $force is set to '1' non existing groups would be created. + * + * The database connection must already be established. Otherwise + * this function does nothing and returns 'false'. + * + * @param $user user to add to a group + * @param $group name of the group + * @param $force '1' create missing groups + * @return bool 'true' on success, 'false' on error + * + * @author Matthias Grimm <matthiasgrimm@users.sourceforge.net> + * @author Andreas Gohr <andi@splitbrain.org> + */ + function _addUserToGroup($user, $group, $force=0) { + $newgroup = 0; + + if (($this->dbcon) && ($user)) { + $gid = $this->_getGroupID($group); + if (!$gid) { + if ($force) { // create missing groups + $sql = str_replace('%{group}',addslashes($group),$this->cnf['addGroup']); + $this->_modifyDB($sql); + //group should now exists try again to fetch it + $gid = $this->_getGroupID($group); + $newgroup = 1; // group newly created + } + } + if (!$gid) return false; // group didn't exist and can't be created + + $sql = $this->cnf['addUserGroup']; + if(strpos($sql,'%{uid}') !== false){ + $uid = $this->_getUserID($user); + $sql = str_replace('%{uid}', addslashes($uid), $sql); + } + $sql = str_replace('%{user}', addslashes($user),$sql); + $sql = str_replace('%{gid}', addslashes($gid),$sql); + $sql = str_replace('%{group}',addslashes($group),$sql); + if ($this->_modifyDB($sql) !== false) return true; + + if ($newgroup) { // remove previously created group on error + $sql = str_replace('%{gid}', addslashes($gid),$this->cnf['delGroup']); + $sql = str_replace('%{group}',addslashes($group),$sql); + $this->_modifyDB($sql); + } + } + return false; + } + + // @inherit function _delUserFromGroup($user $group) + // @inherit function _getGroups($user) + // @inherit function _getUserID($user) + + /** + * Adds a new User to the database. + * + * The database connection must already be established + * for this function to work. Otherwise it will return + * 'false'. + * + * @param $user login of the user + * @param $pwd encrypted password + * @param $name full name of the user + * @param $mail email address + * @param $grps array of groups the user should become member of + * @return bool + * + * @author Andreas Gohr <andi@splitbrain.org> + * @author Chris Smith <chris@jalakai.co.uk> + * @author Matthias Grimm <matthiasgrimm@users.sourceforge.net> + */ + function _addUser($user,$pwd,$name,$mail,$grps){ + if($this->dbcon && is_array($grps)) { + $sql = str_replace('%{user}', addslashes($user),$this->cnf['addUser']); + $sql = str_replace('%{pass}', addslashes($pwd),$sql); + $sql = str_replace('%{name}', addslashes($name),$sql); + $sql = str_replace('%{email}',addslashes($mail),$sql); + if($this->_modifyDB($sql)){ + $uid = $this->_getUserID($user); + }else{ + return false; + } + + if ($uid) { + foreach($grps as $group) { + $gid = $this->_addUserToGroup($user, $group, 1); + if ($gid === false) break; + } + + if ($gid) return true; + else { + /* remove the new user and all group relations if a group can't + * be assigned. Newly created groups will remain in the database + * and won't be removed. This might create orphaned groups but + * is not a big issue so we ignore this problem here. + */ + $this->_delUser($user); + if ($this->cnf['debug']) + msg("PgSQL err: Adding user '$user' to group '$group' failed.",-1,__LINE__,__FILE__); + } + } + } + return false; + } + + // @inherit function _delUser($user) + // @inherit function _getUserInfo($user) + // @inherit function _updateUserInfo($changes, $uid) + // @inherit function _getGroupID($group) + + /** + * Opens a connection to a database and saves the handle for further + * usage in the object. The successful call to this functions is + * essential for most functions in this object. + * + * @return bool + * + * @author Matthias Grimm <matthiasgrimm@users.sourceforge.net> + */ + function _openDB() { + if (!$this->dbcon) { + $dsn = $this->cnf['server'] ? 'host='.$this->cnf['server'] : ''; + $dsn .= ' port='.$this->cnf['port']; + $dsn .= ' dbname='.$this->cnf['database']; + $dsn .= ' user='.$this->cnf['user']; + $dsn .= ' password='.$this->cnf['password']; + + $con = @pg_connect($dsn); + if ($con) { + $this->dbcon = $con; + return true; // connection and database successfully opened + } else if ($this->cnf['debug']){ + msg ("PgSQL err: Connection to {$this->cnf['user']}@{$this->cnf['server']} not possible.", + -1,__LINE__,__FILE__); + } + return false; // connection failed + } + return true; // connection already open + } + + /** + * Closes a database connection. + * + * @author Matthias Grimm <matthiasgrimm@users.sourceforge.net> + */ + function _closeDB() { + if ($this->dbcon) { + pg_close ($this->dbcon); + $this->dbcon = 0; + } + } + + /** + * Sends a SQL query to the database and transforms the result into + * an associative array. + * + * This function is only able to handle queries that returns a + * table such as SELECT. + * + * @param $query SQL string that contains the query + * @return array with the result table + * + * @author Matthias Grimm <matthiasgrimm@users.sourceforge.net> + */ + function _queryDB($query) { + if ($this->dbcon) { + $result = @pg_query($this->dbcon,$query); + if ($result) { + while (($t = pg_fetch_assoc($result)) !== false) + $resultarray[]=$t; + pg_free_result ($result); + return $resultarray; + }elseif ($this->cnf['debug']) + msg('PgSQL err: '.pg_last_error($this->dbcon),-1,__LINE__,__FILE__); + } + return false; + } + + /** + * Executes an update or insert query. This differs from the + * MySQL one because it does NOT return the last insertID + * + * @author Andreas Gohr + */ + function _modifyDB($query) { + if ($this->dbcon) { + $result = @pg_query($this->dbcon,$query); + if ($result) { + pg_free_result ($result); + return true; + } + if ($this->cnf['debug']){ + msg('PgSQL err: '.pg_last_error($this->dbcon),-1,__LINE__,__FILE__); + } + } + return false; + } + + /** + * Start a transaction + * + * @param $mode could be 'READ' or 'WRITE' + * @author Matthias Grimm <matthiasgrimm@users.sourceforge.net> + */ + function _lockTables($mode) { + if ($this->dbcon) { + $this->_modifyDB('BEGIN'); + return true; + } + return false; + } + + /** + * Commit a transaction + * + * @author Matthias Grimm <matthiasgrimm@users.sourceforge.net> + */ + function _unlockTables() { + if ($this->dbcon) { + $this->_modifyDB('COMMIT'); + return true; + } + return false; + } + + // @inherit function _createSQLFilter($sql, $filter) + + + /** + * Escape a string for insertion into the database + * + * @author Andreas Gohr <andi@splitbrain.org> + * @param string $string The string to escape + * @param boolean $like Escape wildcard chars as well? + */ + function _escape($string,$like=false){ + $string = pg_escape_string($string); + if($like){ + $string = addcslashes($string,'%_'); + } + return $string; + } + +} + +//Setup VIM: ex: et ts=2 enc=utf-8 : diff --git a/lib/dokuwiki/inc/auth/plain.class.php b/lib/dokuwiki/inc/auth/plain.class.php new file mode 100644 index 000000000..94e0c6bc2 --- /dev/null +++ b/lib/dokuwiki/inc/auth/plain.class.php @@ -0,0 +1,324 @@ +<?php +/** + * Plaintext authentication backend + * + * @license GPL 2 (http://www.gnu.org/licenses/gpl.html) + * @author Andreas Gohr <andi@splitbrain.org> + * @author Chris Smith <chris@jalakai.co.uk> + */ + +define('DOKU_AUTH', dirname(__FILE__)); +require_once(DOKU_AUTH.'/basic.class.php'); + +define('AUTH_USERFILE',DOKU_CONF.'users.auth.php'); + +class auth_plain extends auth_basic { + + var $users = null; + var $_pattern = array(); + + /** + * Constructor + * + * Carry out sanity checks to ensure the object is + * able to operate. Set capabilities. + * + * @author Christopher Smith <chris@jalakai.co.uk> + */ + function auth_plain() { + if (!@is_readable(AUTH_USERFILE)){ + $this->success = false; + }else{ + if(@is_writable(AUTH_USERFILE)){ + $this->cando['addUser'] = true; + $this->cando['delUser'] = true; + $this->cando['modLogin'] = true; + $this->cando['modPass'] = true; + $this->cando['modName'] = true; + $this->cando['modMail'] = true; + $this->cando['modGroups'] = true; + } + $this->cando['getUsers'] = true; + $this->cando['getUserCount'] = true; + } + } + + /** + * Check user+password [required auth function] + * + * Checks if the given user exists and the given + * plaintext password is correct + * + * @author Andreas Gohr <andi@splitbrain.org> + * @return bool + */ + function checkPass($user,$pass){ + + $userinfo = $this->getUserData($user); + if ($userinfo === false) return false; + + return auth_verifyPassword($pass,$this->users[$user]['pass']); + } + + /** + * Return user info + * + * Returns info about the given user needs to contain + * at least these fields: + * + * name string full name of the user + * mail string email addres of the user + * grps array list of groups the user is in + * + * @author Andreas Gohr <andi@splitbrain.org> + */ + function getUserData($user){ + + if($this->users === null) $this->_loadUserData(); + return isset($this->users[$user]) ? $this->users[$user] : false; + } + + /** + * Create a new User + * + * Returns false if the user already exists, null when an error + * occurred and true if everything went well. + * + * The new user will be added to the default group by this + * function if grps are not specified (default behaviour). + * + * @author Andreas Gohr <andi@splitbrain.org> + * @author Chris Smith <chris@jalakai.co.uk> + */ + function createUser($user,$pwd,$name,$mail,$grps=null){ + global $conf; + + // user mustn't already exist + if ($this->getUserData($user) !== false) return false; + + $pass = auth_cryptPassword($pwd); + + // set default group if no groups specified + if (!is_array($grps)) $grps = array($conf['defaultgroup']); + + // prepare user line + $groups = join(',',$grps); + $userline = join(':',array($user,$pass,$name,$mail,$groups))."\n"; + + if (io_saveFile(AUTH_USERFILE,$userline,true)) { + $this->users[$user] = compact('pass','name','mail','grps'); + return $pwd; + } + + msg('The '.AUTH_USERFILE.' file is not writable. Please inform the Wiki-Admin',-1); + return null; + } + + /** + * Modify user data + * + * @author Chris Smith <chris@jalakai.co.uk> + * @param $user nick of the user to be changed + * @param $changes array of field/value pairs to be changed (password will be clear text) + * @return bool + */ + function modifyUser($user, $changes) { + global $conf; + global $ACT; + global $INFO; + + // sanity checks, user must already exist and there must be something to change + if (($userinfo = $this->getUserData($user)) === false) return false; + if (!is_array($changes) || !count($changes)) return true; + + // update userinfo with new data, remembering to encrypt any password + $newuser = $user; + foreach ($changes as $field => $value) { + if ($field == 'user') { + $newuser = $value; + continue; + } + if ($field == 'pass') $value = auth_cryptPassword($value); + $userinfo[$field] = $value; + } + + $groups = join(',',$userinfo['grps']); + $userline = join(':',array($newuser, $userinfo['pass'], $userinfo['name'], $userinfo['mail'], $groups))."\n"; + + if (!$this->deleteUsers(array($user))) { + msg('Unable to modify user data. Please inform the Wiki-Admin',-1); + return false; + } + + if (!io_saveFile(AUTH_USERFILE,$userline,true)) { + msg('There was an error modifying your user data. You should register again.',-1); + // FIXME, user has been deleted but not recreated, should force a logout and redirect to login page + $ACT == 'register'; + return false; + } + + $this->users[$newuser] = $userinfo; + return true; + } + + /** + * Remove one or more users from the list of registered users + * + * @author Christopher Smith <chris@jalakai.co.uk> + * @param array $users array of users to be deleted + * @return int the number of users deleted + */ + function deleteUsers($users) { + + if (!is_array($users) || empty($users)) return 0; + + if ($this->users === null) $this->_loadUserData(); + + $deleted = array(); + foreach ($users as $user) { + if (isset($this->users[$user])) $deleted[] = preg_quote($user,'/'); + } + + if (empty($deleted)) return 0; + + $pattern = '/^('.join('|',$deleted).'):/'; + + if (io_deleteFromFile(AUTH_USERFILE,$pattern,true)) { + foreach ($deleted as $user) unset($this->users[$user]); + return count($deleted); + } + + // problem deleting, reload the user list and count the difference + $count = count($this->users); + $this->_loadUserData(); + $count -= count($this->users); + return $count; + } + + /** + * Return a count of the number of user which meet $filter criteria + * + * @author Chris Smith <chris@jalakai.co.uk> + */ + function getUserCount($filter=array()) { + if($this->users === null) $this->_loadUserData(); + + if (!count($filter)) return count($this->users); + + $count = 0; + $this->_constructPattern($filter); + + foreach ($this->users as $user => $info) { + $count += $this->_filter($user, $info); + } + + return $count; + } + + /** + * Bulk retrieval of user data + * + * @author Chris Smith <chris@jalakai.co.uk> + * @param start index of first user to be returned + * @param limit max number of users to be returned + * @param filter array of field/pattern pairs + * @return array of userinfo (refer getUserData for internal userinfo details) + */ + function retrieveUsers($start=0,$limit=0,$filter=array()) { + + if ($this->users === null) $this->_loadUserData(); + + ksort($this->users); + + $i = 0; + $count = 0; + $out = array(); + $this->_constructPattern($filter); + + foreach ($this->users as $user => $info) { + if ($this->_filter($user, $info)) { + if ($i >= $start) { + $out[$user] = $info; + $count++; + if (($limit > 0) && ($count >= $limit)) break; + } + $i++; + } + } + + return $out; + } + + /** + * Only valid pageid's (no namespaces) for usernames + */ + function cleanUser($user){ + global $conf; + return cleanID(str_replace(':',$conf['sepchar'],$user)); + } + + /** + * Only valid pageid's (no namespaces) for groupnames + */ + function cleanGroup($group){ + global $conf; + return cleanID(str_replace(':',$conf['sepchar'],$group)); + } + + /** + * Load all user data + * + * loads the user file into a datastructure + * + * @author Andreas Gohr <andi@splitbrain.org> + */ + function _loadUserData(){ + $this->users = array(); + + if(!@file_exists(AUTH_USERFILE)) return; + + $lines = file(AUTH_USERFILE); + foreach($lines as $line){ + $line = preg_replace('/#.*$/','',$line); //ignore comments + $line = trim($line); + if(empty($line)) continue; + + $row = explode(":",$line,5); + $groups = array_values(array_filter(explode(",",$row[4]))); + + $this->users[$row[0]]['pass'] = $row[1]; + $this->users[$row[0]]['name'] = urldecode($row[2]); + $this->users[$row[0]]['mail'] = $row[3]; + $this->users[$row[0]]['grps'] = $groups; + } + } + + /** + * return 1 if $user + $info match $filter criteria, 0 otherwise + * + * @author Chris Smith <chris@jalakai.co.uk> + */ + function _filter($user, $info) { + // FIXME + foreach ($this->_pattern as $item => $pattern) { + if ($item == 'user') { + if (!preg_match($pattern, $user)) return 0; + } else if ($item == 'grps') { + if (!count(preg_grep($pattern, $info['grps']))) return 0; + } else { + if (!preg_match($pattern, $info[$item])) return 0; + } + } + return 1; + } + + function _constructPattern($filter) { + $this->_pattern = array(); + foreach ($filter as $item => $pattern) { +// $this->_pattern[$item] = '/'.preg_quote($pattern,"/").'/i'; // don't allow regex characters + $this->_pattern[$item] = '/'.str_replace('/','\/',$pattern).'/i'; // allow regex characters + } + } +} + +//Setup VIM: ex: et ts=2 enc=utf-8 : |