]> andersk Git - sql-web.git/blob - lib/security.lib.php
andersk / sql-web.git / blob
? search:


86676fb38837b7ff89293e74f5fe6048d4e11b1d
[sql-web.git] / lib / security.lib.php
1 <?php
2
3 require_once('mitsql.lib.php');
4
5 class Login {
6         var $id, $u, $p;
7     var $info;
8     function Login($u, $p=null) {
9                 if (empty($u)) return;
10                 $this->u = $u;
11                 $this->p = $p;
12                 if (is_numeric($u)) {
13                         $this->id = $u;
14                         $opt = sprintf(" UserId = '%s'", mysql_escape_string($u));
15                 } else {
16                         $opt = sprintf(" Username = '%s'", mysql_escape_string($u));
17                         $opt .= (is_null($p)?'':sprintf(" AND Password='%s'", mysql_escape_string(base64_encode($p))));
18                 }
19         $sql = sprintf("SELECT UserId, Username, Name, Email, UL, bEnabled
20                         FROM User
21                         WHERE %s", $opt);
22         $r = fetchRows(DBSelect($sql),'UserId');
23                 $this->info = count($r)?array_shift($r):$r;
24         }
25     function exists() {
26         return count($this->info);
27     }
28         function isValid() {
29                 return $this->getUL()>0;
30         }
31     function isEnabled() {
32         return $this->exists() && $this->info['bEnabled']==1;
33     }
34     function canLogin() {
35         return $this->isEnabled() && $this->isValid();
36     }
37     function canSignup() {
38         return !$this->isEnabled() && $this->isValid();
39     }
40     function getUserId() {
41         return $this->exists()?$this->info['UserId']:'';
42     }
43     function getUsername() {
44         return $this->exists()?$this->info['Username']:'';
45     }
46     function getName() {
47         return $this->exists()?$this->info['Name']:'';
48     }
49     function getEmail() {
50         return $this->exists()?$this->info['Email']:'';
51     }
52     function getUL() {
53         return $this->exists()?$this->info['UL']:'';
54     }
55     function expire() {
56         $this->info = null;
57     }
58     function refresh() {
59                 if (!empty($this->id)) {
60                         $this->Login($this->id);
61                 } else {
62                         $this->Login($this->u,$this->p);
63                 }
64     }
65     function update($name=null,$email=null) {
66         if (!$this->exists()) return;
67         $arr = array();
68                 if ($name == $this->getName()) $name = null;
69                 if ($email == $this->getEmail()) $email = null;
70         is_null($name) || $arr['Name'] = $name;
71         is_null($email) || $arr['Email'] = $email;
72                 $upd = buildSQLSet($arr);
73         $sql = sprintf("UPDATE User %s WHERE UserId = '%s'",
74                         $upd, mysql_escape_string($this->getUserId()));
75                 if (!empty($upd) && $upd != 'SET')
76                         DBUpdate($sql);
77                 if (isset($arr['Name']))
78                         $this->info['Name'] = $arr['Name'];
79                 if (isset($arr['Email']))
80                         $this->info['Email'] = $arr['Email'];
81         }
82 }
83
84 class User {
85         var $userId;
86         var $info;
87         var $dblist;
88     function User($userId) {
89                 $this->userId = $userId;
90         $sql = sprintf("SELECT User.UserId, Username, Password, Name, Email, UL, bEnabled, nBytesSoft, nBytesHard, nBytes, nDatabases, nDatabasesHard, IF(nBytes>nBytesHard,1,0) AS bOverQuota
91                         FROM User
92                                                 INNER JOIN UserQuota ON User.UserId = UserQuota.UserId
93                                                 INNER JOIN UserStat ON User.UserId = UserStat.UserId
94                         WHERE User.UserId = '%s'",
95                         mysql_escape_string($userId));
96         $r = fetchRows(DBSelect($sql),'UserId');
97         $this->info = count($r)?array_shift($r):$r;
98                 $this->dblist = $this->getDBList();
99 //              $this->pass = base64_decode($this->info['Password']);
100     }
101         function refresh() {
102                 unset($this->dblist);
103                 $this->User($this->userId);
104                 /*
105         $sql = sprintf("SELECT UserId, Username, Password, Name, Email, UL, bEnabled
106                         FROM User
107                         WHERE UserId = '%s'",
108                         mysql_escape_string($this->userId));
109         $r = fetchRows(DBSelect($sql),'UserId');
110         $this->info = count($r)?array_shift($r):$r;
111                 unset($this->dblist);
112                 $this->getDBList();
113                 */
114         }
115     function exists() {
116         return count($this->info);
117     }
118     function getUserId() {
119         return $this->exists()?$this->info['UserId']:'';
120     }
121     function getUsername() {
122         return $this->exists()?$this->info['Username']:'';
123     }
124     function isOverQuota() {
125         return $this->exists()?($this->info['bOverQuota']>0?true:false):'';
126     }
127     function getBytes() {
128         if($this->exists()) {
129                         $arr['nBytes'] = $this->info['nBytes'];
130                         $arr['nBytesSoft'] = $this->info['nBytesSoft'];
131                         $arr['nBytesHard'] = $this->info['nBytesHard'];
132                         return $arr;
133                 }
134     }
135         function setPassword($pwd) {
136                 $arr['Password'] = base64_encode($pwd);
137         $sql = sprintf("UPDATE User %s WHERE UserId = '%s'",
138                         buildSQLSet($arr), mysql_escape_string($this->getUserId()));
139         DBUpdate($sql);
140                 $sql = sprintf('SET PASSWORD FOR \'%s\'@\'%%\'=PASSWORD(\'%s\')',
141                                                 mysql_escape_string($this->getUsername()),
142                                                 mysql_escape_string($pwd));
143                 DBSet($sql);
144         }
145         function signup($pwd) {
146                 $this->pass = $pwd;
147                 $arr['Password'] = base64_encode($pwd);
148                 $arr['bEnabled'] = 1;
149                 $arr['dSignup'] = 'NOW()';
150         $sql = sprintf("UPDATE User %s WHERE UserId = '%s'",
151                         buildSQLSet($arr), mysql_escape_string($this->getUserId()));
152         DBUpdate($sql);
153
154                 $this->setUsage();
155                 $this->setAccess();
156         }
157         function setUsage($yes=true) {
158                 $verb = $yes?'GRANT':'REVOKE';
159                 $prep = $yes?'TO':'FROM';
160                 $suffix = $yes?sprintf("IDENTIFIED BY '%s'",mysql_escape_string($this->pass)):'';
161                 $sql = sprintf("%s USAGE ON * . * %s '%s'@'%s' %s",
162                                                 mysql_escape_string($verb),
163                                                 mysql_escape_string($prep),
164                                                 mysql_escape_string($this->getUsername()),
165                                                 '%',
166                                                 $suffix);
167                 DBGrant($sql);
168         }
169         function setAccess($db=null,$yes=true) {
170                 $verb = $yes?'GRANT':'REVOKE';
171                 $prep = $yes?'TO':'FROM';
172                 if (is_null($db)) {
173                         $dbs = $this->getDBList();
174                 } else {
175                         $dbs[] = array('Name'=>$db);
176                 }
177                 foreach($dbs as $db) {
178                         $name = $db['Name'];
179                         $sql = sprintf("%s ALL PRIVILEGES ON `%s` . * %s '%s'@'%s'",
180                                                         mysql_escape_string($verb),
181                                                         mysql_escape_string($name),
182                                                         mysql_escape_string($prep),
183                                                         mysql_escape_string($this->getUsername()),
184                                                         '%');
185                         DBGrant($sql);
186                 }
187         }
188         function getDBList() {
189                 if (isset($this->dblist)) {
190                         return $this->dblist;
191                 } else {
192                         //                      LEFT JOIN DBQuota ON DBQuota.DatabaseId = DBOwner.DatabaseId
193                         $sql = sprintf("SELECT *
194                                                 FROM DBOwner
195                                                 INNER JOIN DB ON DB.DatabaseId = DBOwner.DatabaseId
196                                                 INNER JOIN DBQuota ON DBQuota.DatabaseId = DBOwner.DatabaseId
197                                                 WHERE DBOwner.UserId = '%s' AND DB.bEnabled=1",
198                                                 mysql_escape_string($this->getUserId()));
199 //                      $r = fetchRows(DBSelect($sql),'DatabaseId');
200                         $r = fetchRows(DBSelect($sql),'Name');
201                         ksort($r);
202                         return $r;
203                 }
204         }
205         function addDB($name) {
206                 if (in_array($name, array_keys($this->getDBList()))) return false;
207                 if (!addDB($name, $this->getUserId())) return false;
208                 $this->setAccess($name);
209                 return true;
210         }
211         function delDB($name) {
212                 if (!in_array($name, array_keys($this->getDBList()))) return false;
213                 if (!delDB($name)) return false;//, $this->getUserId())) return false;
214                 $this->setAccess($name,false);
215                 return true;
216         }
217 }
218
219
220 function isLoggedIn($aLogin=null) {
221     if (is_null($aLogin)) {
222         global $Login;
223         $aLogin = $Login;
224     }
225     return !empty($aLogin) && is_a($aLogin, 'Login') && $aLogin->canLogin();
226 }
227
228 function isAdmin($aLogin=null) {
229     if (is_null($aLogin)) {
230         global $Login;
231         $aLogin = $Login;
232     }
233     return !empty($aLogin) && is_a($aLogin, 'Login') && $aLogin->getUL()>=100;
234 }
235
236 function isImpersonating() {
237         return isSess('_UserId') && isSess('UserId');
238 }
239
240 function isOffline() {
241         return (defined('OFFLINE') && OFFLINE);
242 }
243
244 function isOnline() {
245         return !isOffline();
246 }
247
248 function impersonate($userId=null) {
249         $wasImpersonating = isImpersonating();
250         if ($wasImpersonating) {
251                 if (is_null($userId) || empty($userId)) {
252                         sess('UserId',sess('_UserId'));
253                         sess('_UserId','');
254                 } elseif ($userId>0) {
255                         sess('UserId',$userId);
256                 } else {
257                         return false;
258                 }
259         } elseif (isLoggedIn()) {
260                 sess('_UserId',sess('UserId'));
261                 sess('UserId',$userId);
262                 return true;
263         } else {
264                 return false;
265         }
266 }
267
268 function isSSL() {
269         return isset($_SERVER['SERVER_PORT'])?($_SERVER['SERVER_PORT'] == 443):false;
270 }
271
272 function getSSLCert() {
273     if (DEVEL && file_exists('.forceauth')) {
274         $fu = explode('|',file_get_contents('.forceauth'));
275         $name = trim($fu[0]);
276         $email = trim($fu[1]);
277     } else {
278         $name = isset($_SERVER['SSL_CLIENT_S_DN_CN'])?$_SERVER['SSL_CLIENT_S_DN_CN']:null;
279         $email = isset($_SERVER['SSL_CLIENT_S_DN_Email'])?$_SERVER['SSL_CLIENT_S_DN_Email']:null;
280     }
281     if (!is_null($email)) {
282         $user = explode('@',$email);
283                 $user = $user[0];
284         return array('Username'=>$user, 'Name'=>$name, 'Email'=>$email);
285         } else {
286                 return null;
287         }
288 }
289
290 ## 302 REDIRECTS
291
292 function redirect($target=null,$secure=null) {
293     $base = (is_null($target)||substr($target,0,1)=='?')?$_SERVER['REDIRECT_URL']:(dirname($_SERVER['REDIRECT_URL']).'/');
294     redirectFull(is_null($target)?$base:($base.$target),$secure);
295 }
296 function redirectStart() {
297         redirectFull(BASE_URL,null);
298 }
299 function redirectFull($target,$secure) {
300         redirect2((((isSSL()&&is_null($secure))||$secure==true)?'https://':'http://').$_SERVER['SERVER_NAME'].$target);
301 }
302 function redirect2($target) {
303         header('Location: '.$target);
304         exit;
305 }
306 function flipSSL() {
307         return (isSSL()?'http://':'https://').$_SERVER['SERVER_NAME'].$_SERVER['REDIRECT_URL'];
308 }
309
310 ## USER SCRIPTS
311
312 function addUser($sslCredentials) {
313     global $_NEW_USER, $_NEW_USERQUOTA, $_NEW_USERSTAT;
314
315     $arr = array_merge($sslCredentials, $_NEW_USER);
316     $sql = sprintf("INSERT INTO User %s",
317                     buildSQLInsert($arr));
318     $UserId = DBInsert($sql);
319
320         $arr = $_NEW_USERQUOTA;
321         $arr['UserId'] = $UserId;
322     $sql = sprintf("INSERT INTO UserQuota %s",
323                     buildSQLInsert($arr));
324         DBInsert($sql);
325
326         $arr = $_NEW_USERSTAT;
327         $arr['UserId'] = $UserId;
328     $sql = sprintf("INSERT INTO UserStat %s",
329                     buildSQLInsert($arr));
330         DBInsert($sql);
331
332         return $UserId;
333 }
334
335 function addDB($dbname,$userid) {
336         global $_NEW_DB, $_NEW_DBQUOTA, $_NEW_DBOWNER;
337
338         DBCreate(sprintf('CREATE DATABASE `%s`', mysql_escape_string($dbname)));
339
340         $newdb['Name'] = $dbname;
341         $arr = array_merge($newdb, $_NEW_DB);
342         $arr['bEnabled'] = 1;
343         $sql = sprintf("INSERT IGNORE INTO DB %s",
344                     buildSQLInsert($arr));
345         $DBId = DBInsert($sql);
346         if (empty($DBId)) {
347                 $sql = sprintf("SELECT DatabaseId FROM DB WHERE Name = '%s'",
348                                                 mysql_escape_string($dbname));
349                 $r = fetchRows(DBSelect($sql), 'DatabaseId');
350                 if (count($r)) {
351                         $r = array_shift($r);
352                         $DBId = $r['DatabaseId'];
353                 } else {
354                         return false;
355                 }
356                 $sql = sprintf("UPDATE DB %s WHERE DB.DatabaseId = '%s'",
357                                                 buildSQLSet($arr),
358                                                 $DBId);
359                 DBUpdate($sql);
360                 return $DBId;
361         } else {
362                 $arr = $_NEW_DBQUOTA;
363                 $arr['DatabaseId'] = $DBId;
364                 $sql = sprintf("INSERT IGNORE INTO DBQuota %s",
365                                                 buildSQLInsert($arr));
366                 DBInsert($sql);
367
368                 $arr = $_NEW_DBOWNER;
369                 $arr['DatabaseId'] = $DBId;
370                 $arr['UserId'] = $userid;
371                 $sql = sprintf("INSERT IGNORE INTO DBOwner %s",
372                                                 buildSQLInsert($arr));
373                 DBInsert($sql);
374
375                 return $DBId;
376         }
377 }
378
379 function delDB($dbname) {
380         global $_NEW_DB, $_NEW_DBQUOTA, $_NEW_DBOWNER;
381
382         DBCreate(sprintf('DROP DATABASE `%s`', mysql_escape_string($dbname)));
383
384         $arr['bEnabled'] = 0;
385         $sql = sprintf("UPDATE DB %s WHERE DB.Name = '%s'",
386                                         buildSQLSet($arr),
387                                         $dbname);
388         DBUpdate($sql);
389
390         return true;
391 }
392
393 ?>
Unnamed repository; edit this file 'description' to name the repository.
This page took 0.05479 seconds and 3 git commands to generate.