1 <?php
2
3 require_once('mitsql.lib.php');
4
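/**
 * Account lookup / credential check against the User table.
 *
 * Review notes on the persistence model this class relies on:
 *  - Password is stored base64-encoded, i.e. reversible, NOT hashed.
 *    User::setUsage() needs the plaintext for GRANT ... IDENTIFIED BY,
 *    which is presumably why; the User table therefore holds plaintext
 *    credentials and must be protected as such.
 *  - Values are escaped with mysql_escape_string(), which ignores the
 *    connection charset (mysql_real_escape_string does not) and, together
 *    with the whole mysql_* extension, no longer exists on PHP >= 7. The
 *    durable fix is prepared statements inside the DB* helpers.
 */
class Login {
    var $u, $p;     // username and (plaintext) password kept for refresh()
    var $info;      // the matched User row without its Password, or an empty array

    /**
     * Fetch the account for $u and, when $p is given, verify the password.
     *
     * The row is selected by username only and the password is compared in
     * PHP rather than in the WHERE clause, so that (a) the check is an exact
     * byte comparison regardless of the Password column's collation (under a
     * case-insensitive collation the SQL form accepted any case variant of
     * the base64 string) and (b) the password never appears in the SQL text
     * or the server's query log.
     *
     * @param string      $u  username
     * @param string|null $p  password; null skips the password check
     *                        (certificate-based login path)
     */
    function Login($u, $p=null) {
        $this->u = $u;
        $this->p = $p;
        $sql = sprintf("SELECT UserId, Username, Password, Name, Email, UL, bEnabled
                        FROM User
                        WHERE Username = '%s'",
                        mysql_escape_string($u));
        $rows = fetchRows(DBSelect($sql),'UserId');
        $row = count($rows) ? array_shift($rows) : $rows;
        if (!is_null($p) && is_array($row) && count($row)) {
            $stored = array_key_exists('Password', $row) ? $row['Password'] : null;
            // strict comparison: same type and same bytes (hash_equals() would
            // be preferable but is not available to this PHP-4-era code base)
            if ($stored !== base64_encode($p)) {
                $row = array();
            }
        }
        // do not keep the stored secret on an object that may be held for
        // the whole request (or, if it is ever put in the session, longer)
        if (is_array($row)) {
            unset($row['Password']);
        }
        $this->info = $row;
    }

    /**
     * True when a User row was found (and, if a password was given, matched).
     * is_array() guard: expire() sets $info to null and count(null) is a
     * warning on PHP 7.2+ and a TypeError on PHP 8.
     */
    function exists() {
        return is_array($this->info) && count($this->info) > 0;
    }

    /** True when the account's user level (UL) is above zero. */
    function isValid() {
        return $this->getUL() > 0;
    }

    /** True when the row exists and bEnabled is 1. */
    function isEnabled() {
        return $this->exists() && $this->info['bEnabled'] == 1;
    }

    /** Enabled and valid: may use the application. */
    function canLogin() {
        return $this->isEnabled() && $this->isValid();
    }

    /** Valid but not (yet) enabled: may go through signup. */
    function canSignup() {
        return !$this->isEnabled() && $this->isValid();
    }

    /**
     * Column accessor shared by the getters below.
     * Returns '' when there is no row (or the column is absent), otherwise
     * the stored value as-is (a SQL NULL comes back as null).
     */
    function _column($col) {
        if (!$this->exists() || !array_key_exists($col, $this->info)) {
            return '';
        }
        return $this->info[$col];
    }

    function getUserId() {
        return $this->_column('UserId');
    }
    function getUsername() {
        return $this->_column('Username');
    }
    function getName() {
        return $this->_column('Name');
    }
    function getEmail() {
        return $this->_column('Email');
    }
    function getUL() {
        return $this->_column('UL');
    }

    /** Forget the row; exists() is false afterwards. */
    function expire() {
        $this->info = null;
    }

    /** Re-run the lookup (and password check) with the original credentials. */
    function refresh() {
        $this->Login($this->u, $this->p);
    }

    /**
     * Change Name and/or Email; only columns whose value differs are written.
     *
     * NOTE(review): $name and $email reach buildSQLSet() unescaped here; this
     * relies on buildSQLSet() (mitsql.lib.php, not visible) quoting its
     * values. Confirm before exposing this to user-supplied input.
     *
     * @param string|null $name   new display name, null = unchanged
     * @param string|null $email  new e-mail address, null = unchanged
     */
    function update($name=null,$email=null) {
        if (!$this->exists()) return;
        $arr = array();
        if ($name == $this->getName()) $name = null;
        if ($email == $this->getEmail()) $email = null;
        if (!is_null($name)) $arr['Name'] = $name;
        if (!is_null($email)) $arr['Email'] = $email;
        $upd = buildSQLSet($arr);
        $sql = sprintf("UPDATE User %s WHERE UserId = '%s'",
                        $upd, mysql_escape_string($this->getUserId()));
        // buildSQLSet() evidently yields a bare 'SET' for an empty array
        if (!empty($upd) && $upd != 'SET') {
            DBUpdate($sql);
        }
        // keep the cached row in sync so getName()/getEmail() reflect the
        // change (the previous version wrote to undeclared $this->name /
        // $this->email, which no getter reads)
        if (isset($arr['Name'])) {
            $this->info['Name'] = $arr['Name'];
        }
        if (isset($arr['Email'])) {
            $this->info['Email'] = $arr['Email'];
        }
    }
}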
74
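/**
 * A User row plus the MySQL account that mirrors it.
 *
 * setUsage()/setAccess() issue GRANT/REVOKE for '<Username>'@'%', so the
 * account name and the plaintext password must be available here; the
 * stored Password column is base64 (reversible), not a hash.
 *
 * NOTE(review): mysql_escape_string() ignores the connection charset and was
 * removed with the mysql_* extension in PHP 7; prepared statements in the
 * DB* helpers are the durable fix.
 */
class User {
    var $userId;
    var $info;      // the User row, or an empty array when UserId is unknown
    var $pass;      // plaintext password (base64-decoded), '' when unknown
    var $dblist;    // last result of getDBList(), cached by setAccess(null)

    /**
     * Load the User row for $userId.
     *
     * @param string|int $userId primary key of the User table
     */
    function User($userId) {
        $this->userId = $userId;
        $sql = sprintf("SELECT UserId, Username, Password, Name, Email, UL, bEnabled
                        FROM User
                        WHERE UserId = '%s'",
                        mysql_escape_string($userId));
        $rows = fetchRows(DBSelect($sql),'UserId');
        $this->info = count($rows) ? array_shift($rows) : $rows;
        // guard the index: an unknown UserId must not raise an
        // undefined-index notice; '' is what base64_decode(null) gave before
        $this->pass = (is_array($this->info) && isset($this->info['Password']))
            ? base64_decode($this->info['Password'])
            : '';
    }

    /**
     * True when a User row was loaded. is_array() guard so that count() is
     * never called on a non-array (TypeError on PHP 8).
     */
    function exists() {
        return is_array($this->info) && count($this->info) > 0;
    }

    function getUserId() {
        return $this->exists() ? $this->info['UserId'] : '';
    }

    function getUsername() {
        return $this->exists() ? $this->info['Username'] : '';
    }

    /**
     * Store a new password (base64, reversible — see class comment).
     * Does not touch the MySQL account; call setUsage() for that.
     */
    function setPassword($pwd) {
        $arr = array('Password' => base64_encode($pwd));
        $sql = sprintf("UPDATE User %s WHERE UserId = '%s'",
                        buildSQLSet($arr), mysql_escape_string($this->getUserId()));
        DBUpdate($sql);
    }

    /**
     * Complete signup: record the password, enable the row, stamp dSignup,
     * then create the MySQL account and grant it its databases.
     *
     * 'NOW()' is passed as a value; presumably buildSQLSet() emits it
     * unquoted — confirm against mitsql.lib.php.
     */
    function signup($pwd) {
        $this->pass = $pwd;
        $arr = array();
        $arr['Password'] = base64_encode($pwd);
        $arr['bEnabled'] = 1;
        $arr['dSignup'] = 'NOW()';
        $sql = sprintf("UPDATE User %s WHERE UserId = '%s'",
                        buildSQLSet($arr), mysql_escape_string($this->getUserId()));
        DBUpdate($sql);

        $this->setUsage();
        $this->setAccess();
    }

    /**
     * GRANT (or, with $yes=false, REVOKE) USAGE on *.* for '<Username>'@'%',
     * setting the account password from $this->pass when granting.
     *
     * Refuses two dangerous inputs rather than sending them to the server:
     *  - an empty username: ''@'%' is MySQL's anonymous account;
     *  - an empty password on GRANT: IDENTIFIED BY '' creates a passwordless
     *    account reachable from any host.
     *
     * @param bool $yes true = GRANT, false = REVOKE
     */
    function setUsage($yes=true) {
        $username = $this->getUsername();
        if ($username === '') {
            return;
        }
        if ($yes && $this->pass === '') {
            return;
        }
        $verb = $yes ? 'GRANT' : 'REVOKE';
        $prep = $yes ? 'TO' : 'FROM';
        $suffix = $yes
            ? sprintf("IDENTIFIED BY '%s'", mysql_escape_string($this->pass))
            : '';
        $sql = sprintf("%s USAGE ON * . * %s '%s'@'%s' %s",
                        $verb,
                        $prep,
                        mysql_escape_string($username),
                        '%',
                        $suffix);
        DBGrant($sql);
    }

    /**
     * GRANT/REVOKE ALL PRIVILEGES on one database ($db) or, with $db null,
     * on every database the user owns (getDBList()).
     *
     * Fixes: the previous version wrote `$this->getUsername` without parens,
     * an undefined property, so every statement targeted ''@'%' — the
     * anonymous MySQL account — instead of the user. The database name is a
     * backtick-quoted identifier, whose only escape is a doubled backtick;
     * mysql_escape_string() does not escape backticks and is not used for it.
     *
     * @param string|null $db   database name, null = all owned databases
     * @param bool        $yes  true = GRANT, false = REVOKE
     */
    function setAccess($db=null,$yes=true) {
        $username = $this->getUsername();
        if ($username === '') {
            return;     // never grant to the anonymous account
        }
        $verb = $yes ? 'GRANT' : 'REVOKE';
        $prep = $yes ? 'TO' : 'FROM';
        if (is_null($db)) {
            $this->dblist = $this->getDBList();
            $dbs = $this->dblist;
        } else {
            $dbs = array(array('Name' => $db));
        }
        foreach ($dbs as $entry) {
            $name = str_replace('`', '``', $entry['Name']);
            $sql = sprintf("%s ALL PRIVILEGES ON `%s` . * %s '%s'@'%s'",
                            $verb,
                            $name,
                            $prep,
                            mysql_escape_string($username),
                            '%');
            DBGrant($sql);
        }
    }

    /**
     * Databases owned by this user, joined with their DB and DBQuota rows,
     * keyed by DatabaseId (as fetchRows() keys them). Each entry is expected
     * to carry at least 'Name', which setAccess() relies on.
     */
    function getDBList() {
        $sql = sprintf("SELECT *
                        FROM DBOwner
                        INNER JOIN DB ON DB.DatabaseId = DBOwner.DatabaseId
                        INNER JOIN DBQuota ON DBQuota.DatabaseId = DBOwner.DatabaseId
                        WHERE UserId = '%s'",
                        mysql_escape_string($this->getUserId()));
        return fetchRows(DBSelect($sql),'DatabaseId');
    }
}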
160
161
/**
 * True when $aLogin (or, if null, the global $Login) is a Login object
 * whose account may log in (enabled and valid).
 *
 * Only a real Login instance counts: strings, arrays and other objects are
 * rejected before canLogin() is consulted.
 *
 * @param Login|null $aLogin  explicit login object; null = use global $Login
 * @return bool
 */
function isLoggedIn($aLogin=null) {
    if (is_null($aLogin)) {
        global $Login;
        $aLogin = $Login;
    }
    if (empty($aLogin)) {
        return false;
    }
    if (!is_a($aLogin, 'Login')) {
        return false;
    }
    return $aLogin->canLogin();
}
169
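/**
 * Is the current request being served over TLS?
 *
 * Checks the HTTPS server variable first (Apache/mod_ssl sets it to "on"
 * for TLS requests; IIS sets it to "off" on plain HTTP, hence the explicit
 * comparison) and falls back to the port number, which is all the previous
 * version looked at. Behind a TLS-terminating proxy neither signal is
 * present on the backend; this function does not consult X-Forwarded-*
 * headers, deliberately, since they are client-controllable.
 *
 * @return bool
 */
function isSSL() {
    if (isset($_SERVER['HTTPS'])) {
        $https = strtolower((string)$_SERVER['HTTPS']);
        if ($https !== '' && $https !== 'off') {
            return true;
        }
    }
    return isset($_SERVER['SERVER_PORT']) && $_SERVER['SERVER_PORT'] == 443;
}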
173
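/**
 * Identity from the client certificate: array('Username','Name','Email'),
 * or null when no usable address is available.
 *
 * Username is the local part of the certificate's e-mail address. It later
 * becomes both a User.Username value and a MySQL account name, so an empty
 * result is refused here: ''@'%' is MySQL's anonymous account. No further
 * character validation is done at this point — presumably the issuing CA
 * constrains the address; confirm before trusting arbitrary certificates.
 *
 * The SSL_CLIENT_S_DN_* variables are set by mod_ssl from the client
 * certificate's subject and are only trustworthy when the server requires
 * and verifies client certificates (SSLVerifyClient require); they are
 * absent on a plain-HTTP request, which yields null.
 *
 * When DEVEL is true and a ".forceauth" file ("Name|email") exists in the
 * current working directory, that file replaces the certificate. This is a
 * login-as-anyone bypass: DEVEL must be false in every deployment.
 *
 * @return array|null
 */
function getSSLCert() {
    if (DEVEL && file_exists('.forceauth')) {
        $fu = explode('|', file_get_contents('.forceauth'));
        $name = trim($fu[0]);
        // a file without '|' carries no address -> no identity (the previous
        // version read $fu[1] unconditionally: undefined-offset notice)
        $email = isset($fu[1]) ? trim($fu[1]) : null;
    } else {
        $name = isset($_SERVER['SSL_CLIENT_S_DN_CN']) ? $_SERVER['SSL_CLIENT_S_DN_CN'] : null;
        $email = isset($_SERVER['SSL_CLIENT_S_DN_Email']) ? $_SERVER['SSL_CLIENT_S_DN_Email'] : null;
    }
    if (is_null($email) || trim($email) === '') {
        return null;
    }
    $parts = explode('@', $email);
    $user = $parts[0];
    if ($user === '') {
        return null;    // "@host" would map to the anonymous MySQL account
    }
    return array('Username' => $user, 'Name' => $name, 'Email' => $email);
}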
191
192 ## 302 REDIRECTS
193
/**
 * Redirect relative to the current request.
 *
 * null or a "?query" target is appended to the current REDIRECT_URL; any
 * other target is resolved against the current URL's directory. The host
 * is always this server's (see redirectFull()), so $target cannot send the
 * client to another site.
 *
 * Relies on $_SERVER['REDIRECT_URL'], which is only set when the request
 * went through an internal redirect (mod_rewrite); otherwise it is missing.
 *
 * @param string|null $target  path, "?query", or null for the current URL
 * @param bool|null   $secure  scheme selection, passed to redirectFull()
 */
function redirect($target=null,$secure=null) {
    $current = $_SERVER['REDIRECT_URL'];
    $keepCurrentPath = is_null($target) || substr($target, 0, 1) == '?';
    $base = $keepCurrentPath ? $current : (dirname($current) . '/');
    $location = is_null($target) ? $base : $base . $target;
    redirectFull($location, $secure);
}
/**
 * Redirect to $target on this host, choosing the scheme:
 *   $secure null  -> keep the current scheme (isSSL()),
 *   otherwise     -> https when $secure is truthy, http when falsy.
 * Note the loose comparison: any non-empty string (even "false") selects
 * https, as before.
 *
 * The host comes from $_SERVER['SERVER_NAME']. With Apache's
 * UseCanonicalName Off that value is taken from the client's Host header,
 * so the Location host would follow an attacker-supplied Host; keep
 * UseCanonicalName On (or pin ServerName) for this to be a same-site
 * redirect in practice.
 *
 * @param string    $target  absolute path on this host
 * @param bool|null $secure  see above
 */
function redirectFull($target,$secure) {
    $wantHttps = (isSSL() && is_null($secure)) || $secure == true;
    $scheme = $wantHttps ? 'https://' : 'http://';
    redirect2($scheme . $_SERVER['SERVER_NAME'] . $target);
}
/**
 * Emit a Location header for $target and stop the script.
 *
 * header() rejects embedded CR/LF (PHP >= 5.1.2), so header injection via
 * $target is not possible. It is an open redirect for whatever URL it is
 * given, though: the callers in this file always build $target with this
 * server's SERVER_NAME, and any new caller must not pass user input here.
 *
 * @param string $target absolute URL
 */
function redirect2($target) {
    $locationHeader = 'Location: ' . $target;
    header($locationHeader);
    exit();
}
/**
 * URL of the current request with the scheme toggled: http when the
 * request is TLS, https otherwise. Host is $_SERVER['SERVER_NAME'] (see the
 * UseCanonicalName caveat on redirectFull()); path is REDIRECT_URL.
 *
 * @return string
 */
function flipSSL() {
    $otherScheme = isSSL() ? 'http://' : 'https://';
    return $otherScheme . $_SERVER['SERVER_NAME'] . $_SERVER['REDIRECT_URL'];
}
208
209 ## USER SCRIPTS
210
/**
 * Create the User, UserQuota and UserStat rows for a new account and
 * return the new UserId.
 *
 * The User row is the certificate identity (Username/Name/Email from
 * getSSLCert()) merged with the configured defaults in $_NEW_USER; with
 * array_merge() the defaults win on a key collision, so certificate fields
 * cannot override them. Quota and stat rows come from $_NEW_USERQUOTA /
 * $_NEW_USERSTAT with the new UserId added.
 *
 * NOTE(review): the certificate-derived values are handed to
 * buildSQLInsert() unescaped; this relies on it quoting values (not
 * visible here — confirm in mitsql.lib.php). The three inserts are not in
 * a transaction, so a failure after the first leaves a User row without
 * its quota/stat rows.
 *
 * @param array $sslCredentials  array('Username','Name','Email')
 * @return mixed the UserId returned by DBInsert()
 */
function addUser($sslCredentials) {
    global $_NEW_USER, $_NEW_USERQUOTA, $_NEW_USERSTAT;

    $userRow = array_merge($sslCredentials, $_NEW_USER);
    $UserId = DBInsert(sprintf("INSERT INTO User %s",
                               buildSQLInsert($userRow)));

    $quotaRow = $_NEW_USERQUOTA;
    $quotaRow['UserId'] = $UserId;
    DBInsert(sprintf("INSERT INTO UserQuota %s",
                     buildSQLInsert($quotaRow)));

    $statRow = $_NEW_USERSTAT;
    $statRow['UserId'] = $UserId;
    DBInsert(sprintf("INSERT INTO UserStat %s",
                     buildSQLInsert($statRow)));

    return $UserId;
}
233
234 ?>