]> andersk Git - sql-web.git/blame_incremental - lib/security.lib.php
andersk / sql-web.git / blame_incremental
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (non-incremental) | history | HEAD
mako SQL interface
[sql-web.git] / lib / security.lib.php
... / ...
CommitLineData
1<?php
2/*
3 (c) 2005 Joe Presbrey
4*/
5
6require_once('mitsql.lib.php');
7
8class Login {
9 private $id, $u, $p;
10 private $info;
11 function Login($u, $p=null) {
12 if (empty($u)) return;
13 $this->u = $u;
14 $this->p = $p;
15 if (is_null($p)) {
16 $this->id = $u;
17 $opt = sprintf(" UserId = '%s'", mysql_escape_string($u));
18 } else {
19 $opt = sprintf(" Username = '%s'", mysql_escape_string($u));
20 $opt .= (is_null($p)?'':sprintf(" AND Password='%s'", mysql_escape_string(base64_encode($p))));
21 }
22 $sql = sprintf("SELECT UserId, Username, Name, Email, UL, bEnabled
23 FROM User
24 WHERE %s", $opt);
25 $r = fetchRows(DBSelect($sql),'UserId');
26 $this->info = count($r)?array_shift($r):$r;
27 }
28 function exists() {
29 return count($this->info);
30 }
31 function isValid() {
32 return $this->getUL()>0;
33 }
34 function isEnabled() {
35 return $this->exists() && $this->info['bEnabled']==1;
36 }
37 function canLogin() {
38 return $this->isEnabled() && $this->isValid();
39 }
40 function canSignup() {
41 return !$this->isEnabled() && $this->isValid();
42 }
43 function getUserId() {
44 return $this->exists()?$this->info['UserId']:'';
45 }
46 function getUsername() {
47 return $this->exists()?$this->info['Username']:'';
48 }
49 function getName() {
50 return $this->exists()?$this->info['Name']:'';
51 }
52 function getEmail() {
53 return $this->exists()?$this->info['Email']:'';
54 }
55 function getUL() {
56 return $this->exists()?$this->info['UL']:'';
57 }
58 function expire() {
59 $this->info = null;
60 }
61 function update($name=null,$email=null) {
62 if (!$this->exists()) return;
63 $arr = array();
64 if ($name == $this->getName()) $name = null;
65 if ($email == $this->getEmail()) $email = null;
66 is_null($name) || $arr['Name'] = $name;
67 is_null($email) || $arr['Email'] = $email;
68 $upd = buildSQLSet($arr);
69 $sql = sprintf("UPDATE User SET %s WHERE UserId = '%s'",
70 $upd, mysql_escape_string($this->getUserId()));
71 if (!empty($upd) && $upd != 'SET')
72 DBUpdate($sql);
73 if (isset($arr['Name']))
74 $this->info['Name'] = $arr['Name'];
75 if (isset($arr['Email']))
76 $this->info['Email'] = $arr['Email'];
77 }
78}
79
80class User {
81 private $userId;
82 private $info;
83 private $dblist;
84 function User($userId) {
85 $this->userId = $userId;
86 $sql = sprintf("SELECT User.UserId, Username, Name, Email, UL, bEnabled, nBytesSoft, nBytesHard, nBytes, nDatabases, nDatabasesHard, IF(nBytes>nBytesHard,1,0) AS bOverQuota
87 FROM User
88 INNER JOIN UserQuota ON User.UserId = UserQuota.UserId
89 INNER JOIN UserStat ON User.UserId = UserStat.UserId
90 WHERE User.UserId = '%s'",
91 mysql_escape_string($userId));
92 $r = fetchRows(DBSelect($sql),'UserId');
93 $this->info = count($r)?array_shift($r):$r;
94 $this->dblist = $this->getDBList();
95 }
96 function refresh() {
97 unset($this->dblist);
98 $this->User($this->userId);
99 /*
100 $sql = sprintf("SELECT UserId, Username, Name, Email, UL, bEnabled
101 FROM User
102 WHERE UserId = '%s'",
103 mysql_escape_string($this->userId));
104 $r = fetchRows(DBSelect($sql),'UserId');
105 $this->info = count($r)?array_shift($r):$r;
106 unset($this->dblist);
107 $this->getDBList();
108 */
109 }
110 function exists() {
111 return count($this->info);
112 }
113 function getUserId() {
114 return $this->exists()?$this->info['UserId']:'';
115 }
116 function getUsername() {
117 return $this->exists()?$this->info['Username']:'';
118 }
119 function isOverQuota() {
120 return $this->exists()?($this->info['bOverQuota']>0?true:false):'';
121 }
122 function getDBQuotaHard() {
123 return $this->exists()?$this->info['nDatabasesHard']:0;
124 }
125 function getBytes() {
126 if($this->exists()) {
127 $arr['nBytes'] = $this->info['nBytes'];
128 $arr['nBytesSoft'] = $this->info['nBytesSoft'];
129 $arr['nBytesHard'] = $this->info['nBytesHard'];
130 return $arr;
131 }
132 }
133 function setPassword($pwd) {
134 $arr['Password'] = base64_encode($pwd);
135 $sql = sprintf("UPDATE User SET %s WHERE UserId = '%s'",
136 buildSQLSet($arr), mysql_escape_string($this->getUserId()));
137 DBUpdate($sql);
138 $sql = sprintf('SET PASSWORD FOR \'%s\'@\'%%\'=PASSWORD(\'%s\')',
139 mysql_escape_string($this->getUsername()),
140 mysql_escape_string($pwd));
141 DBSet($sql);
142 }
143 function signup($pwd) {
144 $this->pass = $pwd;
145 $arr['Password'] = base64_encode($pwd);
146 $arr['bEnabled'] = 1;
147 $arr['dSignup'] = 'NOW()';
148 $sql = sprintf("UPDATE User SET %s WHERE UserId = '%s'",
149 buildSQLSet($arr), mysql_escape_string($this->getUserId()));
150 DBUpdate($sql);
151
152 $this->setUsage();
153 $this->setAccess();
154 }
155 function setUsage($yes=true) {
156 $verb = $yes?'GRANT':'REVOKE';
157 $prep = $yes?'TO':'FROM';
158 $suffix = $yes?sprintf("IDENTIFIED BY '%s'",mysql_escape_string($this->pass)):'';
159 $sql = sprintf("%s USAGE ON * . * %s '%s'@'%s' %s",
160 mysql_escape_string($verb),
161 mysql_escape_string($prep),
162 mysql_escape_string($this->getUsername()),
163 '%',
164 $suffix);
165 DBGrant($sql);
166 }
167 function setAccess($db=null,$yes=true) {
168 $verb = $yes?'GRANT':'REVOKE';
169 $prep = $yes?'TO':'FROM';
170 if (is_null($db)) {
171 $dbs = $this->getDBList();
172 } else {
173 $dbs[] = array('Name'=>$db);
174 }
175 foreach($dbs as $db) {
176 $name = $db['Name'];
177 $sql = sprintf("%s ALL PRIVILEGES ON `%s` . * %s '%s'@'%s'",
178 mysql_escape_string($verb),
179 mysql_escape_string($name),
180 mysql_escape_string($prep),
181 mysql_escape_string($this->getUsername()),
182 '%');
183 DBGrant($sql);
184 }
185 }
186 function getDBList() {
187 if (isset($this->dblist)) {
188 return $this->dblist;
189 } else {
190 // LEFT JOIN DBQuota ON DBQuota.DatabaseId = DBOwner.DatabaseId
191 $sql = sprintf("SELECT *
192 FROM DBOwner
193 INNER JOIN DB ON DB.DatabaseId = DBOwner.DatabaseId
194 INNER JOIN DBQuota ON DBQuota.DatabaseId = DBOwner.DatabaseId
195 WHERE DBOwner.UserId = '%s' AND DB.bEnabled=1",
196 mysql_escape_string($this->getUserId()));
197// $r = fetchRows(DBSelect($sql),'DatabaseId');
198 $r = fetchRows(DBSelect($sql),'Name');
199 ksort($r);
200 return $r;
201 }
202 }
203 function addDB($name) {
204 if (in_array($name, array_keys($this->getDBList()))) return false;
205 if (!addDB($name, $this->getUserId())) return false;
206 $this->setAccess($name);
207 return true;
208 }
209 function delDB($name) {
210 if (!in_array($name, array_keys($this->getDBList()))) return false;
211 if (!delDB($name)) return false;//, $this->getUserId())) return false;
212 $this->setAccess($name,false);
213 return true;
214 }
215}
216
217
218function isLoggedIn($aLogin=null) {
219 if (is_null($aLogin)) {
220 global $Login;
221 $aLogin = $Login;
222 }
223 return !empty($aLogin) && ($aLogin instanceof Login) && $aLogin->canLogin();
224}
225
226function isAdmin($aLogin=null) {
227 if (is_null($aLogin)) {
228 global $Login;
229 $aLogin = $Login;
230 }
231 return !empty($aLogin) && ($aLogin instanceof Login) && $aLogin->getUL()>=100;
232}
233
234function isImpersonating() {
235 return isSess('_UserId') && isSess('UserId');
236}
237
238function isOffline() {
239 return (defined('OFFLINE') && OFFLINE);
240}
241
242function isOnline() {
243 return !isOffline();
244}
245
246function impersonate($userId=null) {
247 $wasImpersonating = isImpersonating();
248 if ($wasImpersonating) {
249 if (is_null($userId) || empty($userId)) {
250 sess('UserId',sess('_UserId'));
251 sess('_UserId','');
252 } elseif ($userId>0) {
253 sess('UserId',$userId);
254 } else {
255 return false;
256 }
257 } elseif (isLoggedIn()) {
258 sess('_UserId',sess('UserId'));
259 sess('UserId',$userId);
260 return true;
261 } else {
262 return false;
263 }
264}
265
266function isSSL() {
267 return isset($_SERVER['SERVER_PORT'])?($_SERVER['SERVER_PORT'] == 443):false;
268}
269
270function getSSLCert() {
271 if (DEVEL && file_exists('.forceauth')) {
272 $fu = explode('|',file_get_contents('.forceauth'));
273 $name = trim($fu[0]);
274 $email = trim($fu[1]);
275 } else {
276 $name = isset($_SERVER['SSL_CLIENT_S_DN_CN'])?$_SERVER['SSL_CLIENT_S_DN_CN']:null;
277 $email = isset($_SERVER['REMOTE_USER'])?$_SERVER['REMOTE_USER']:null;
278 }
279 if (!is_null($email)) {
280 $user = explode('@',$email);
281 $user = $user[0];
282 return array('Username'=>$user, 'Name'=>$name, 'Email'=>$email);
283 } else {
284 return null;
285 }
286}
287
288function getUsernameID($username) {
289 $sql = sprintf("SELECT UserId FROM User USE INDEX (UsernameID) WHERE Username = '%s'", mysql_escape_string($username));
290 $r = fetchRows(DBSelect($sql), 'UserId');
291 $r = array_shift($r);
292 return count($r)?$r['UserId']:null;
293}
294
295## 302 REDIRECTS
296
297function redirect($target=null,$secure=null) {
298 $base = (is_null($target)||substr($target,0,1)=='?')?URI:((strlen(dirname(URI))>1?dirname(URI).'/':'/'));
299 redirectFull(is_null($target)?$base:($base.$target),$secure);
300}
301function redirectStart() {
302 redirectFull(BASE_URL,null);
303}
304function redirectFull($target,$secure) {
305 redirect2((((isSSL()&&is_null($secure))||$secure==true)?BASE_HTTPS:BASE_HTTP).$target);
306}
307function redirect2($target) {
308 header('Location: '.$target);
309 exit;
310}
311function flipSSL() {
312 return (isSSL()?BASE_HTTP:BASE_HTTPS).URI;
313}
314
315## USER SCRIPTS
316
317function addUser($sslCredentials) {
318 global $_NEW_USER, $_NEW_USERQUOTA, $_NEW_USERSTAT;
319
320 $arr = array_merge($sslCredentials, $_NEW_USER);
321 $sql = sprintf("INSERT INTO User %s",
322 buildSQLInsert($arr));
323 $UserId = DBInsert($sql);
324
325 $arr = $_NEW_USERQUOTA;
326 $arr['UserId'] = $UserId;
327 $sql = sprintf("INSERT INTO UserQuota %s",
328 buildSQLInsert($arr));
329 DBInsert($sql);
330
331 $arr = $_NEW_USERSTAT;
332 $arr['UserId'] = $UserId;
333 $sql = sprintf("INSERT INTO UserStat %s",
334 buildSQLInsert($arr));
335 DBInsert($sql);
336
337 return $UserId;
338}
339
340function addDB($dbname,$userid) {
341 global $_NEW_DB, $_NEW_DBQUOTA, $_NEW_DBOWNER;
342
343 DBCreate(sprintf('CREATE DATABASE `%s`', mysql_escape_string($dbname)));
344 if (mysql_error()) return false;
345
346 $newdb['Name'] = $dbname;
347 $arr = array_merge($newdb, $_NEW_DB);
348 $arr['bEnabled'] = 1;
349 $sql = sprintf("INSERT IGNORE INTO DB %s",
350 buildSQLInsert($arr));
351 $DBId = DBInsert($sql);
352 if (empty($DBId)) {
353 $sql = sprintf("SELECT DatabaseId FROM DB WHERE Name = '%s'",
354 mysql_escape_string($dbname));
355 $r = fetchRows(DBSelect($sql), 'DatabaseId');
356 if (count($r)) {
357 $r = array_shift($r);
358 $DBId = $r['DatabaseId'];
359 } else {
360 return false;
361 }
362 $sql = sprintf("UPDATE DB SET %s WHERE DB.DatabaseId = '%s'",
363 buildSQLSet($arr),
364 $DBId);
365 DBUpdate($sql);
366 }
367
368 DBDelete(sprintf("DELETE FROM DBOwner WHERE DatabaseId = '%s'", mysql_escape_string($DBId)));
369 DBDelete(sprintf("DELETE FROM DBQuota WHERE DatabaseId = '%s'", mysql_escape_string($DBId)));
370
371 $arr = $_NEW_DBQUOTA;
372 $arr['DatabaseId'] = $DBId;
373 $sql = sprintf("INSERT IGNORE INTO DBQuota %s",
374 buildSQLInsert($arr));
375 DBInsert($sql);
376
377 $arr = $_NEW_DBOWNER;
378 $arr['DatabaseId'] = $DBId;
379 $arr['UserId'] = $userid;
380 $sql = sprintf("INSERT IGNORE INTO DBOwner %s",
381 buildSQLInsert($arr));
382 DBInsert($sql);
383
384 return $DBId;
385}
386
387function delDB($dbname) {
388 global $_NEW_DB, $_NEW_DBQUOTA, $_NEW_DBOWNER;
389
390 DBCreate(sprintf('DROP DATABASE `%s`', mysql_escape_string($dbname)));
391
392 $arr['bEnabled'] = 0;
393 $sql = sprintf("UPDATE DB SET %s WHERE DB.Name = '%s'",
394 buildSQLSet($arr),
395 $dbname);
396 DBUpdate($sql);
397
398 return true;
399}
400
401?>
Unnamed repository; edit this file 'description' to name the repository.
This page took 0.061738 seconds and 5 git commands to generate.