[sql-web.git] / lib / security.lib.php

<?php

require_once('mitsql.lib.php');

class Login {
	var $u, $p;
    var $info;
    function Login($u, $p=null) {
		if (empty($u)) return;
		$this->u = $u;
		$this->p = $p;
		$opt = sprintf(" Username = '%s'", mysql_escape_string($u));
        $opt .= (is_null($p)?'':sprintf(" AND Password='%s'", mysql_escape_string(base64_encode($p))));
		is_numeric($u) && $opt = sprintf(" UserId = '%s'", mysql_escape_string($u));
        $sql = sprintf("SELECT UserId, Username, Name, Email, UL, bEnabled
                        FROM User
                        WHERE %s", $opt);
        $r = fetchRows(DBSelect($sql),'UserId');
        $this->info = count($r)?array_shift($r):$r;
    }
    function exists() {
        return count($this->info);
    }
	function isValid() {
		return $this->getUL()>0;
	}
    function isEnabled() {
        return $this->exists() && $this->info['bEnabled']==1;
    }
    function canLogin() {
        return $this->isEnabled() && $this->isValid();
    }
    function canSignup() {
        return !$this->isEnabled() && $this->isValid();
    }
    function getUserId() {
        return $this->exists()?$this->info['UserId']:'';
    }
    function getUsername() {
        return $this->exists()?$this->info['Username']:'';
    }
    function getName() {
        return $this->exists()?$this->info['Name']:'';
    }
    function getEmail() {
        return $this->exists()?$this->info['Email']:'';
    }
    function getUL() {
        return $this->exists()?$this->info['UL']:'';
    }
    function expire() {
        $this->info = null;
    }
    function refresh() {
        $this->Login($this->u,$this->p);
    }
    function update($name=null,$email=null) {
        if (!$this->exists()) return;
        $arr = array();
		if ($name == $this->getName()) $name = null;
		if ($email == $this->getEmail()) $email = null;
        is_null($name) || $arr['Name'] = $name;
        is_null($email) || $arr['Email'] = $email;
	$upd = buildSQLSet($arr);
        $sql = sprintf("UPDATE User %s WHERE UserId = '%s'",
                        $upd, mysql_escape_string($this->getUserId()));
	if (!empty($upd) && $upd != 'SET')
		DBUpdate($sql);
		if (isset($arr['Name']))
			$this->info['Name'] = $arr['Name'];
		if (isset($arr['Email']))
			$this->info['Email'] = $arr['Email'];
	}
}

class User {
	var $userId;
	var $info;
	var $dblist;
    function User($userId) {
		$this->userId = $userId;
        $sql = sprintf("SELECT UserId, Username, Password, Name, Email, UL, bEnabled
                        FROM User
                        WHERE UserId = '%s'",
                        mysql_escape_string($userId));
        $r = fetchRows(DBSelect($sql),'UserId');
        $this->info = count($r)?array_shift($r):$r;
		$this->dblist = $this->getDBList();
//		$this->pass = base64_decode($this->info['Password']);
    }
    function exists() {
        return count($this->info);
    }
    function getUserId() {
        return $this->exists()?$this->info['UserId']:'';
    }
    function getUsername() {
        return $this->exists()?$this->info['Username']:'';
    }
	function setPassword($pwd) {
		$arr['Password'] = base64_encode($pwd);
        $sql = sprintf("UPDATE User %s WHERE UserId = '%s'",
                        buildSQLSet($arr), mysql_escape_string($this->getUserId()));
        DBUpdate($sql);
		$sql = sprintf('SET PASSWORD FOR \'%s\'@\'%%\'=PASSWORD(\'%s\')',
						mysql_escape_string($this->getUsername()),
						mysql_escape_string($pwd));
		DBSet($sql);
	}
	function signup($pwd) {
		$this->pass = $pwd;
		$arr['Password'] = base64_encode($pwd);
		$arr['bEnabled'] = 1;
		$arr['dSignup'] = 'NOW()';
        $sql = sprintf("UPDATE User %s WHERE UserId = '%s'",
                        buildSQLSet($arr), mysql_escape_string($this->getUserId()));
        DBUpdate($sql);

		$this->setUsage();
		$this->setAccess();
	}
	function setUsage($yes=true) {
		$verb = $yes?'GRANT':'REVOKE';
		$prep = $yes?'TO':'FROM';
		$suffix = $yes?sprintf("IDENTIFIED BY '%s'",mysql_escape_string($this->pass)):'';
		$sql = sprintf("%s USAGE ON * . * %s '%s'@'%s' %s",
						mysql_escape_string($verb),
						mysql_escape_string($prep),
						mysql_escape_string($this->getUsername()),
						'%',
						$suffix);
		DBGrant($sql);
	}
	function setAccess($db=null,$yes=true) {
		$verb = $yes?'GRANT':'REVOKE';
		$prep = $yes?'TO':'FROM';
		if (is_null($db)) {
			$this->dblist = $this->getDBList();
			$dbs = $this->dblist;
		} else {
			$dbs[] = array('Name'=>$db);
		}
		foreach($dbs as $db) {
			$name = $db['Name'];
			$sql = sprintf("%s ALL PRIVILEGES ON `%s` . * %s '%s'@'%s'",
							mysql_escape_string($verb),
							mysql_escape_string($name),
							mysql_escape_string($prep),
							mysql_escape_string($this->getUsername()),
							'%');
			DBGrant($sql);
		}
	}
	function getDBList() {
		$sql = sprintf("SELECT *
						FROM DBOwner
						INNER JOIN DB ON DB.DatabaseId = DBOwner.DatabaseId
						LEFT JOIN DBQuota ON DBQuota.DatabaseId = DBOwner.DatabaseId
						WHERE UserId = '%s' AND DB.bEnabled=1",
						mysql_escape_string($this->getUserId()));
		$r = fetchRows(DBSelect($sql),'DatabaseId');
		return $r;
	}
	function addDB($name) {
		if (!addDB($name, $this->getUserId())) return false;
		$this->setAccess($name);
		return true;
	}
}


function isLoggedIn($aLogin=null) {
    if (is_null($aLogin)) {
        global $Login;
        $aLogin = $Login;
    }
    return !empty($aLogin) && is_a($aLogin, 'Login') && $aLogin->canLogin();
}

function isSSL() {
	return $_SERVER['SERVER_PORT'] == 443;
}

function getSSLCert() {
    if (DEVEL && file_exists('.forceauth')) {
        $fu = explode('|',file_get_contents('.forceauth'));
        $name = trim($fu[0]);
        $email = trim($fu[1]);
    } else {
        $name = isset($_SERVER['SSL_CLIENT_S_DN_CN'])?$_SERVER['SSL_CLIENT_S_DN_CN']:null;
        $email = isset($_SERVER['SSL_CLIENT_S_DN_Email'])?$_SERVER['SSL_CLIENT_S_DN_Email']:null;
    }
    if (!is_null($email)) {
        $user = explode('@',$email);
		$user = $user[0];
        return array('Username'=>$user, 'Name'=>$name, 'Email'=>$email);
	} else {
		return null;
	}
}

## 302 REDIRECTS

function redirect($target=null,$secure=null) {
    $base = (is_null($target)||substr($target,0,1)=='?')?$_SERVER['REDIRECT_URL']:(dirname($_SERVER['REDIRECT_URL']).'/');
    redirectFull(is_null($target)?$base:($base.$target),$secure);
}
function redirectFull($target,$secure) {
	redirect2((((isSSL()&&is_null($secure))||$secure==true)?'https://':'http://').$_SERVER['SERVER_NAME'].$target);
}
function redirect2($target) {
	header('Location: '.$target);
	exit;
}
function flipSSL() {
	return (isSSL()?'http://':'https://').$_SERVER['SERVER_NAME'].$_SERVER['REDIRECT_URL'];
}

## USER SCRIPTS

function addUser($sslCredentials) {
    global $_NEW_USER, $_NEW_USERQUOTA, $_NEW_USERSTAT;

    $arr = array_merge($sslCredentials, $_NEW_USER);
    $sql = sprintf("INSERT INTO User %s",
                    buildSQLInsert($arr));
    $UserId = DBInsert($sql);

	$arr = $_NEW_USERQUOTA;
	$arr['UserId'] = $UserId;
    $sql = sprintf("INSERT INTO UserQuota %s",
                    buildSQLInsert($arr));
	DBInsert($sql);

	$arr = $_NEW_USERSTAT;
	$arr['UserId'] = $UserId;
    $sql = sprintf("INSERT INTO UserStat %s",
                    buildSQLInsert($arr));
	DBInsert($sql);

	return $UserId;
}

function addDB($dbname,$userid) {
    global $_NEW_DB, $_NEW_DBQUOTA, $_NEW_DBOWNER;

	DBCreate(sprintf('CREATE DATABASE `%s`', mysql_escape_string($dbname)));
	if (mysql_error()) return false;

	$newdb['Name'] = $dbname;
    $arr = array_merge($newdb, $_NEW_DB);
	$arr['bEnabled'] = 1;
    $sql = sprintf("INSERT INTO DB %s",
                    buildSQLInsert($arr));
    $DBId = DBInsert($sql);

	$arr = $_NEW_DBQUOTA;
	$arr['DatabaseId'] = $DBId;
    $sql = sprintf("INSERT INTO DBQuota %s",
                    buildSQLInsert($arr));
	DBInsert($sql);

	$arr = $_NEW_DBOWNER;
	$arr['DatabaseId'] = $DBId;
	$arr['UserId'] = $userid;
    $sql = sprintf("INSERT INTO DBOwner %s",
                    buildSQLInsert($arr));
	DBInsert($sql);

	return $DBId;
}

?>
Commit	Line	Data
997305cf JP	1	<?php
	2
	3	require_once('mitsql.lib.php');
	4
	5	class Login {
dc478ec8	6	var $u, $p;
997305cf JP	7	var $info;
997305cf JP	8	function Login($u, $p=null) {
377015e0	9	if (empty($u)) return;
dc478ec8 JP	10	$this->u = $u;
dc478ec8 JP	11	$this->p = $p;
377015e0 JP	12	$opt = sprintf(" Username = '%s'", mysql_escape_string($u));
	13	$opt .= (is_null($p)?'':sprintf(" AND Password='%s'", mysql_escape_string(base64_encode($p))));
	14	is_numeric($u) && $opt = sprintf(" UserId = '%s'", mysql_escape_string($u));
997305cf JP	15	$sql = sprintf("SELECT UserId, Username, Name, Email, UL, bEnabled
997305cf JP	16	FROM User
377015e0	17	WHERE %s", $opt);
997305cf	18	$r = fetchRows(DBSelect($sql),'UserId');
dc478ec8	19	$this->info = count($r)?array_shift($r):$r;
997305cf JP	20	}
997305cf JP	21	function exists() {
dc478ec8	22	return count($this->info);
997305cf	23	}
dc478ec8 JP	24	function isValid() {
	25	return $this->getUL()>0;
	26	}
997305cf JP	27	function isEnabled() {
	28	return $this->exists() && $this->info['bEnabled']==1;
	29	}
dc478ec8 JP	30	function canLogin() {
	31	return $this->isEnabled() && $this->isValid();
	32	}
	33	function canSignup() {
	34	return !$this->isEnabled() && $this->isValid();
	35	}
997305cf	36	function getUserId() {
dc478ec8	37	return $this->exists()?$this->info['UserId']:'';
997305cf JP	38	}
997305cf JP	39	function getUsername() {
dc478ec8	40	return $this->exists()?$this->info['Username']:'';
997305cf JP	41	}
997305cf JP	42	function getName() {
dc478ec8	43	return $this->exists()?$this->info['Name']:'';
997305cf JP	44	}
997305cf JP	45	function getEmail() {
dc478ec8	46	return $this->exists()?$this->info['Email']:'';
997305cf JP	47	}
997305cf JP	48	function getUL() {
dc478ec8	49	return $this->exists()?$this->info['UL']:'';
997305cf JP	50	}
	51	function expire() {
	52	$this->info = null;
	53	}
	54	function refresh() {
dc478ec8	55	$this->Login($this->u,$this->p);
997305cf JP	56	}
	57	function update($name=null,$email=null) {
	58	if (!$this->exists()) return;
	59	$arr = array();
dc478ec8 JP	60	if ($name == $this->getName()) $name = null;
dc478ec8 JP	61	if ($email == $this->getEmail()) $email = null;
997305cf JP	62	is_null($name) \|\| $arr['Name'] = $name;
997305cf JP	63	is_null($email) \|\| $arr['Email'] = $email;
3ebfe9a3	64	$upd = buildSQLSet($arr);
997305cf	65	$sql = sprintf("UPDATE User %s WHERE UserId = '%s'",
3ebfe9a3 JP	66	$upd, mysql_escape_string($this->getUserId()));
	67	if (!empty($upd) && $upd != 'SET')
	68	DBUpdate($sql);
dc478ec8	69	if (isset($arr['Name']))
377015e0	70	$this->info['Name'] = $arr['Name'];
dc478ec8	71	if (isset($arr['Email']))
377015e0	72	$this->info['Email'] = $arr['Email'];
dc478ec8 JP	73	}
	74	}
	75
	76	class User {
	77	var $userId;
	78	var $info;
dc478ec8 JP	79	var $dblist;
	80	function User($userId) {
	81	$this->userId = $userId;
	82	$sql = sprintf("SELECT UserId, Username, Password, Name, Email, UL, bEnabled
	83	FROM User
	84	WHERE UserId = '%s'",
	85	mysql_escape_string($userId));
	86	$r = fetchRows(DBSelect($sql),'UserId');
	87	$this->info = count($r)?array_shift($r):$r;
377015e0 JP	88	$this->dblist = $this->getDBList();
377015e0 JP	89	// $this->pass = base64_decode($this->info['Password']);
997305cf	90	}
dc478ec8 JP	91	function exists() {
	92	return count($this->info);
	93	}
	94	function getUserId() {
	95	return $this->exists()?$this->info['UserId']:'';
	96	}
	97	function getUsername() {
	98	return $this->exists()?$this->info['Username']:'';
	99	}
	100	function setPassword($pwd) {
	101	$arr['Password'] = base64_encode($pwd);
	102	$sql = sprintf("UPDATE User %s WHERE UserId = '%s'",
	103	buildSQLSet($arr), mysql_escape_string($this->getUserId()));
	104	DBUpdate($sql);
377015e0 JP	105	$sql = sprintf('SET PASSWORD FOR \'%s\'@\'%%\'=PASSWORD(\'%s\')',
	106	mysql_escape_string($this->getUsername()),
	107	mysql_escape_string($pwd));
	108	DBSet($sql);
dc478ec8 JP	109	}
	110	function signup($pwd) {
	111	$this->pass = $pwd;
	112	$arr['Password'] = base64_encode($pwd);
	113	$arr['bEnabled'] = 1;
	114	$arr['dSignup'] = 'NOW()';
	115	$sql = sprintf("UPDATE User %s WHERE UserId = '%s'",
	116	buildSQLSet($arr), mysql_escape_string($this->getUserId()));
	117	DBUpdate($sql);
	118
	119	$this->setUsage();
	120	$this->setAccess();
	121	}
	122	function setUsage($yes=true) {
	123	$verb = $yes?'GRANT':'REVOKE';
	124	$prep = $yes?'TO':'FROM';
3ebfe9a3	125	$suffix = $yes?sprintf("IDENTIFIED BY '%s'",mysql_escape_string($this->pass)):'';
dc478ec8 JP	126	$sql = sprintf("%s USAGE ON * . * %s '%s'@'%s' %s",
	127	mysql_escape_string($verb),
	128	mysql_escape_string($prep),
	129	mysql_escape_string($this->getUsername()),
	130	'%',
3ebfe9a3	131	$suffix);
dc478ec8 JP	132	DBGrant($sql);
	133	}
	134	function setAccess($db=null,$yes=true) {
	135	$verb = $yes?'GRANT':'REVOKE';
	136	$prep = $yes?'TO':'FROM';
	137	if (is_null($db)) {
	138	$this->dblist = $this->getDBList();
	139	$dbs = $this->dblist;
	140	} else {
	141	$dbs[] = array('Name'=>$db);
	142	}
	143	foreach($dbs as $db) {
	144	$name = $db['Name'];
	145	$sql = sprintf("%s ALL PRIVILEGES ON `%s` . * %s '%s'@'%s'",
	146	mysql_escape_string($verb),
	147	mysql_escape_string($name),
	148	mysql_escape_string($prep),
377015e0	149	mysql_escape_string($this->getUsername()),
dc478ec8 JP	150	'%');
	151	DBGrant($sql);
	152	}
	153	}
	154	function getDBList() {
	155	$sql = sprintf("SELECT *
	156	FROM DBOwner
	157	INNER JOIN DB ON DB.DatabaseId = DBOwner.DatabaseId
377015e0 JP	158	LEFT JOIN DBQuota ON DBQuota.DatabaseId = DBOwner.DatabaseId
377015e0 JP	159	WHERE UserId = '%s' AND DB.bEnabled=1",
dc478ec8 JP	160	mysql_escape_string($this->getUserId()));
	161	$r = fetchRows(DBSelect($sql),'DatabaseId');
	162	return $r;
	163	}
377015e0 JP	164	function addDB($name) {
	165	if (!addDB($name, $this->getUserId())) return false;
	166	$this->setAccess($name);
	167	return true;
	168	}
997305cf JP	169	}
	170
	171
	172	function isLoggedIn($aLogin=null) {
	173	if (is_null($aLogin)) {
	174	global $Login;
	175	$aLogin = $Login;
	176	}
dc478ec8	177	return !empty($aLogin) && is_a($aLogin, 'Login') && $aLogin->canLogin();
997305cf JP	178	}
	179
	180	function isSSL() {
	181	return $_SERVER['SERVER_PORT'] == 443;
	182	}
	183
	184	function getSSLCert() {
	185	if (DEVEL && file_exists('.forceauth')) {
	186	$fu = explode('\|',file_get_contents('.forceauth'));
dc478ec8 JP	187	$name = trim($fu[0]);
dc478ec8 JP	188	$email = trim($fu[1]);
997305cf JP	189	} else {
	190	$name = isset($_SERVER['SSL_CLIENT_S_DN_CN'])?$_SERVER['SSL_CLIENT_S_DN_CN']:null;
	191	$email = isset($_SERVER['SSL_CLIENT_S_DN_Email'])?$_SERVER['SSL_CLIENT_S_DN_Email']:null;
	192	}
	193	if (!is_null($email)) {
	194	$user = explode('@',$email);
	195	$user = $user[0];
	196	return array('Username'=>$user, 'Name'=>$name, 'Email'=>$email);
	197	} else {
	198	return null;
	199	}
	200	}
	201
	202	## 302 REDIRECTS
	203
1389493c	204	function redirect($target=null,$secure=null) {
997305cf	205	$base = (is_null($target)\|\|substr($target,0,1)=='?')?$_SERVER['REDIRECT_URL']:(dirname($_SERVER['REDIRECT_URL']).'/');
dc478ec8	206	redirectFull(is_null($target)?$base:($base.$target),$secure);
997305cf	207	}
dc478ec8	208	function redirectFull($target,$secure) {
1389493c	209	redirect2((((isSSL()&&is_null($secure))\|\|$secure==true)?'https://':'http://').$_SERVER['SERVER_NAME'].$target);
997305cf JP	210	}
	211	function redirect2($target) {
	212	header('Location: '.$target);
	213	exit;
	214	}
dc478ec8 JP	215	function flipSSL() {
	216	return (isSSL()?'http://':'https://').$_SERVER['SERVER_NAME'].$_SERVER['REDIRECT_URL'];
	217	}
997305cf JP	218
	219	## USER SCRIPTS
	220
	221	function addUser($sslCredentials) {
dc478ec8 JP	222	global $_NEW_USER, $_NEW_USERQUOTA, $_NEW_USERSTAT;
dc478ec8 JP	223
997305cf JP	224	$arr = array_merge($sslCredentials, $_NEW_USER);
	225	$sql = sprintf("INSERT INTO User %s",
	226	buildSQLInsert($arr));
dc478ec8 JP	227	$UserId = DBInsert($sql);
	228
	229	$arr = $_NEW_USERQUOTA;
	230	$arr['UserId'] = $UserId;
	231	$sql = sprintf("INSERT INTO UserQuota %s",
	232	buildSQLInsert($arr));
	233	DBInsert($sql);
	234
	235	$arr = $_NEW_USERSTAT;
	236	$arr['UserId'] = $UserId;
1389493c	237	$sql = sprintf("INSERT INTO UserStat %s",
dc478ec8 JP	238	buildSQLInsert($arr));
	239	DBInsert($sql);
	240
	241	return $UserId;
997305cf JP	242	}
997305cf JP	243
377015e0 JP	244	function addDB($dbname,$userid) {
	245	global $_NEW_DB, $_NEW_DBQUOTA, $_NEW_DBOWNER;
	246
	247	DBCreate(sprintf('CREATE DATABASE `%s`', mysql_escape_string($dbname)));
	248	if (mysql_error()) return false;
	249
	250	$newdb['Name'] = $dbname;
	251	$arr = array_merge($newdb, $_NEW_DB);
	252	$arr['bEnabled'] = 1;
	253	$sql = sprintf("INSERT INTO DB %s",
	254	buildSQLInsert($arr));
	255	$DBId = DBInsert($sql);
	256
	257	$arr = $_NEW_DBQUOTA;
	258	$arr['DatabaseId'] = $DBId;
	259	$sql = sprintf("INSERT INTO DBQuota %s",
	260	buildSQLInsert($arr));
	261	DBInsert($sql);
	262
	263	$arr = $_NEW_DBOWNER;
	264	$arr['DatabaseId'] = $DBId;
	265	$arr['UserId'] = $userid;
	266	$sql = sprintf("INSERT INTO DBOwner %s",
	267	buildSQLInsert($arr));
	268	DBInsert($sql);
	269
	270	return $DBId;
	271	}
	272
	273	?>