X-Git-Url: http://andersk.mit.edu/gitweb/sql-web.git/blobdiff_plain/3ebfe9a36acba9515fadc37791a8931749a5bd51..6e7cd1d32919a750f4182730bfc549b16a3bca86:/lib/security.lib.php diff --git a/lib/security.lib.php b/lib/security.lib.php index fe9bd0b..2084e53 100644 --- a/lib/security.lib.php +++ b/lib/security.lib.php @@ -3,20 +3,25 @@ require_once('mitsql.lib.php'); class Login { - var $u, $p; - var $info; + private $id, $u, $p; + private $info; function Login($u, $p=null) { - $this->u = $u; + if (empty($u)) return; + $this->u = $u; $this->p = $p; - $opt = is_null($p)?'':sprintf(" AND Password='%s' ", mysql_escape_string(base64_encode($p))); + if (is_numeric($u)) { + $this->id = $u; + $opt = sprintf(" Username = '%s' OR UserId = '%s'", mysql_escape_string($u), mysql_escape_string($u)); + } else { + $opt = sprintf(" Username = '%s'", mysql_escape_string($u)); + $opt .= (is_null($p)?'':sprintf(" AND Password='%s'", mysql_escape_string(base64_encode($p)))); + } $sql = sprintf("SELECT UserId, Username, Name, Email, UL, bEnabled FROM User - WHERE Username = '%s' - $opt", - mysql_escape_string($u)); + WHERE %s", $opt); $r = fetchRows(DBSelect($sql),'UserId'); - $this->info = count($r)?array_shift($r):$r; - } + $this->info = count($r)?array_shift($r):$r; + } function exists() { return count($this->info); } @@ -51,7 +56,11 @@ class Login { $this->info = null; } function refresh() { - $this->Login($this->u,$this->p); + if (!empty($this->id)) { + $this->Login($this->id); + } else { + $this->Login($this->u,$this->p); + } } function update($name=null,$email=null) { if (!$this->exists()) return; 
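Review bot: The new `is_numeric($u)` branch in `Login()` never appends the `Password` clause, so a numeric login name is matched on `Username = ... OR UserId = ...` with no credential check at all; whether user-supplied input can reach this path depends on callers not shown here, but the constructor itself no longer enforces the password for such names. Moving the clause out of the `else` so it applies after both branches closes the gap while keeping `refresh()`'s id-only lookup (where `$p` is null) working: `$opt .= (is_null($p)?'':sprintf(" AND Password='%s'", mysql_escape_string(base64_encode($p))));` placed after the if/else. The comparison against `base64_encode($p)` is pre-existing but means the column holds a reversible encoding rather than a hash, which deserves a `// NOTE: Password column is base64, not a hash` comment until it is fixed. The `@@ -51` hunk's `refresh()` depends on the same numeric path and should be re-checked once the clause moves; `update()` at the end of this hunk continues outside it.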
@@ -60,33 +69,48 @@ class Login { if ($email == $this->getEmail()) $email = null; is_null($name) || $arr['Name'] = $name; is_null($email) || $arr['Email'] = $email; - $upd = buildSQLSet($arr); + $upd = buildSQLSet($arr); $sql = sprintf("UPDATE User %s WHERE UserId = '%s'", $upd, mysql_escape_string($this->getUserId())); - if (!empty($upd) && $upd != 'SET') - DBUpdate($sql); + if (!empty($upd) && $upd != 'SET') + DBUpdate($sql); if (isset($arr['Name'])) - $this->name = $arr['Name']; + $this->info['Name'] = $arr['Name']; if (isset($arr['Email'])) - $this->email = $arr['Email']; + $this->info['Email'] = $arr['Email']; } } class User { - var $userId; - var $info; - var $pass; - var $dblist; + private $userId; + private $info; + private $dblist; function User($userId) { $this->userId = $userId; - $sql = sprintf("SELECT UserId, Username, Password, Name, Email, UL, bEnabled + $sql = sprintf("SELECT User.UserId, Username, Name, Email, UL, bEnabled, nBytesSoft, nBytesHard, nBytes, nDatabases, nDatabasesHard, IF(nBytes>nBytesHard,1,0) AS bOverQuota FROM User - WHERE UserId = '%s'", + INNER JOIN UserQuota ON User.UserId = UserQuota.UserId + INNER JOIN UserStat ON User.UserId = UserStat.UserId + WHERE User.UserId = '%s'", mysql_escape_string($userId)); $r = fetchRows(DBSelect($sql),'UserId'); $this->info = count($r)?array_shift($r):$r; - $this->pass = base64_decode($this->info['Password']); + $this->dblist = $this->getDBList(); } + function refresh() { + unset($this->dblist); + $this->User($this->userId); + /* + $sql = sprintf("SELECT UserId, Username, Name, Email, UL, bEnabled + FROM User + WHERE UserId = '%s'", + mysql_escape_string($this->userId)); + $r = fetchRows(DBSelect($sql),'UserId'); + $this->info = count($r)?array_shift($r):$r; + unset($this->dblist); + $this->getDBList(); + */ + } function exists() { return count($this->info); } 
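Review bot: `private $pass` is dropped from `User`, but `signup($pwd)` (visible as context in the `@@ -95` hunk) still assigns `$this->pass = $pwd`, so the password now lands in an undeclared dynamic property; either keep the declaration or remove that assignment. The `INNER JOIN`s on `UserQuota` and `UserStat` added to the `User` constructor mean a user with no row in either table reads as non-existent to `exists()`, which presumably relies on both rows always being inserted with the user — a one-line comment stating that assumption would help the next maintainer. The commented-out block inside `refresh()` should be deleted rather than kept inline. `update()` at the top of the hunk starts outside it.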
@@ -95,12 +119,27 @@ class User { } function getUsername() { return $this->exists()?$this->info['Username']:''; + } + function isOverQuota() { + return $this->exists()?($this->info['bOverQuota']>0?true:false):''; + } + function getBytes() { + if($this->exists()) { + $arr['nBytes'] = $this->info['nBytes']; + $arr['nBytesSoft'] = $this->info['nBytesSoft']; + $arr['nBytesHard'] = $this->info['nBytesHard']; + return $arr; + } } function setPassword($pwd) { $arr['Password'] = base64_encode($pwd); $sql = sprintf("UPDATE User %s WHERE UserId = '%s'", buildSQLSet($arr), mysql_escape_string($this->getUserId())); DBUpdate($sql); + $sql = sprintf('SET PASSWORD FOR \'%s\'@\'%%\'=PASSWORD(\'%s\')', + mysql_escape_string($this->getUsername()), + mysql_escape_string($pwd)); + DBSet($sql); } function signup($pwd) { $this->pass = $pwd; @@ -130,8 +169,7 @@ class User { $verb = $yes?'GRANT':'REVOKE'; $prep = $yes?'TO':'FROM'; if (is_null($db)) { - $this->dblist = $this->getDBList(); - $dbs = $this->dblist; + $dbs = $this->getDBList(); } else { $dbs[] = array('Name'=>$db); } 
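Review bot: `setPassword()` now also runs `SET PASSWORD FOR '...'@'%'=PASSWORD('...')` with the cleartext password interpolated via `mysql_escape_string`, which escapes without regard to the connection charset; `mysql_real_escape_string` is the safer call for both the username and the password, and the same applies to every escape in this file. The `PASSWORD()` function is removed in MySQL 8.0, so `ALTER USER ... IDENTIFIED BY` is the forward-compatible form. The application-side `User.Password` column still stores `base64_encode($pwd)`, a reversible encoding rather than a hash, so a `// NOTE: Password is base64, not hashed` comment should at least make that visible. `isOverQuota()` returns `''` for a missing user but a bool otherwise; `return $this->exists() && $this->info['bOverQuota']>0;` gives callers one type, and `getBytes()` should likewise end with an explicit `return null;` instead of falling off the end. `signup()` at the end of the hunk continues outside it.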
@@ -141,20 +179,39 @@ class User { mysql_escape_string($verb), mysql_escape_string($name), mysql_escape_string($prep), - $this->getUsername, + mysql_escape_string($this->getUsername()), '%'); DBGrant($sql); } } function getDBList() { - $sql = sprintf("SELECT * + if (isset($this->dblist)) { + return $this->dblist; + } else { + // LEFT JOIN DBQuota ON DBQuota.DatabaseId = DBOwner.DatabaseId + $sql = sprintf("SELECT * FROM DBOwner INNER JOIN DB ON DB.DatabaseId = DBOwner.DatabaseId INNER JOIN DBQuota ON DBQuota.DatabaseId = DBOwner.DatabaseId - WHERE UserId = '%s'", + WHERE DBOwner.UserId = '%s' AND DB.bEnabled=1", mysql_escape_string($this->getUserId())); - $r = fetchRows(DBSelect($sql),'DatabaseId'); - return $r; +// $r = fetchRows(DBSelect($sql),'DatabaseId'); + $r = fetchRows(DBSelect($sql),'Name'); + ksort($r); + return $r; + } + } + function addDB($name) { + if (in_array($name, array_keys($this->getDBList()))) return false; + if (!addDB($name, $this->getUserId())) return false; + $this->setAccess($name); + return true; + } + function delDB($name) { + if (!in_array($name, array_keys($this->getDBList()))) return false; + if (!delDB($name)) return false;//, $this->getUserId())) return false; + $this->setAccess($name,false); + return true; } } 
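Review bot: `getDBList()` now memoises in `$this->dblist`, but `addDB()` and `delDB()` never invalidate it after a successful change, so a second `addDB()` of the same name in one request passes the membership check and `setAccess()` with a null `$db` works on the stale list; `unset($this->dblist);` right after the global `addDB`/`delDB` call fixes both. The membership test `in_array($name, array_keys($this->getDBList()))` is a loose comparison on keys; `array_key_exists($name, $this->getDBList())` is exact and cheaper. In `delDB()` that check is the only ownership gate before the global `delDB($name)` drops the database, and the trailing `//, $this->getUserId())` shows the user id was deliberately removed from the global call — see the note on the `@@ -231` hunk. The dead `// LEFT JOIN ...` and `// $r = fetchRows(...)` lines should be removed.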
@@ -164,11 +221,51 @@ function isLoggedIn($aLogin=null) { global $Login; $aLogin = $Login; } - return !empty($aLogin) && is_a($aLogin, 'Login') && $aLogin->canLogin(); + return !empty($aLogin) && ($aLogin instanceof Login) && $aLogin->canLogin(); +} + +function isAdmin($aLogin=null) { + if (is_null($aLogin)) { + global $Login; + $aLogin = $Login; + } + return !empty($aLogin) && ($aLogin instanceof Login) && $aLogin->getUL()>=100; +} + +function isImpersonating() { + return isSess('_UserId') && isSess('UserId'); +} + +function isOffline() { + return (defined('OFFLINE') && OFFLINE); +} + +function isOnline() { + return !isOffline(); +} + +function impersonate($userId=null) { + $wasImpersonating = isImpersonating(); + if ($wasImpersonating) { + if (is_null($userId) || empty($userId)) { + sess('UserId',sess('_UserId')); + sess('_UserId',''); + } elseif ($userId>0) { + sess('UserId',$userId); + } else { + return false; + } + } elseif (isLoggedIn()) { + sess('_UserId',sess('UserId')); + sess('UserId',$userId); + return true; + } else { + return false; + } } function isSSL() { - return $_SERVER['SERVER_PORT'] == 443; + return isset($_SERVER['SERVER_PORT'])?($_SERVER['SERVER_PORT'] == 443):false; } function getSSLCert() { 
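Review bot: `impersonate()` lets any session for which `isLoggedIn()` is true swap its `UserId` to an arbitrary `$userId`, with no `isAdmin()` test and no `$userId>0` validation on that path (only the already-impersonating path checks `$userId>0`); even if callers are expected to gate this, the function should enforce it itself, e.g. `} elseif (isLoggedIn() && isAdmin() && $userId > 0) {`. The two successful already-impersonating paths return nothing, so callers cannot tell success from the `false` cases; add `return true;` after each `sess()` pair. `isAdmin()`'s `getUL()>=100` is a magic threshold that deserves a named constant such as `define('UL_ADMIN', 100)` beside the other configuration. `isImpersonating()` after a restore relies on `isSess('_UserId')` treating `''` as unset — presumably it does, but that is worth confirming against `isSess`.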
@@ -195,15 +292,20 @@ function redirect($target=null,$secure=null) { $base = (is_null($target)||substr($target,0,1)=='?')?$_SERVER['REDIRECT_URL']:(dirname($_SERVER['REDIRECT_URL']).'/'); redirectFull(is_null($target)?$base:($base.$target),$secure); } +function redirectStart() { + redirectFull(BASE_URL,null); +} function redirectFull($target,$secure) { - redirect2((((isSSL()&&is_null($secure))||$secure==true)?'https://':'http://').$_SERVER['SERVER_NAME'].$target); + //redirect2((((isSSL()&&is_null($secure))||$secure==true)?'https://':'http://').$_SERVER['SERVER_NAME'].$target); + redirect2((((isSSL()&&is_null($secure))||$secure==true)?'https://scripts-cert.mit.edu':'http://scripts.mit.edu').$target); } function redirect2($target) { header('Location: '.$target); exit; } function flipSSL() { - return (isSSL()?'http://':'https://').$_SERVER['SERVER_NAME'].$_SERVER['REDIRECT_URL']; + //return (isSSL()?'http://':'https://').$_SERVER['SERVER_NAME'].$_SERVER['REDIRECT_URL']; + return (isSSL()?'http://scripts.mit.edu':'https://scripts-cert.mit.edu').$_SERVER['REDIRECT_URL']; } ## USER SCRIPTS 
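Review bot: `redirectFull()` and `flipSSL()` now hardcode `scripts.mit.edu`/`scripts-cert.mit.edu` in two places and keep the old `$_SERVER['SERVER_NAME']` forms as commented-out lines; no longer deriving the `Location:` host from the request is a sound choice, but the two hostnames belong in constants beside `BASE_URL` (e.g. `HOST_HTTP`/`HOST_HTTPS`) so both functions read one source, and the commented-out lines should be deleted. `redirect2()` still emits its argument unvalidated in the `Location:` header; since `redirectFull` now prepends a fixed host, a comment such as `// $target must be a server-relative path` would document the contract the callers have to keep. `redirect()` at the top of the hunk starts outside it.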
@@ -231,4 +333,65 @@ function addUser($sslCredentials) { return $UserId; } +function addDB($dbname,$userid) { + global $_NEW_DB, $_NEW_DBQUOTA, $_NEW_DBOWNER; + + DBCreate(sprintf('CREATE DATABASE `%s`', mysql_escape_string($dbname))); + if (mysql_error()) return false; + + $newdb['Name'] = $dbname; + $arr = array_merge($newdb, $_NEW_DB); + $arr['bEnabled'] = 1; + $sql = sprintf("INSERT IGNORE INTO DB %s", + buildSQLInsert($arr)); + $DBId = DBInsert($sql); + if (empty($DBId)) { + $sql = sprintf("SELECT DatabaseId FROM DB WHERE Name = '%s'", + mysql_escape_string($dbname)); + $r = fetchRows(DBSelect($sql), 'DatabaseId'); + if (count($r)) { + $r = array_shift($r); + $DBId = $r['DatabaseId']; + } else { + return false; + } + $sql = sprintf("UPDATE DB %s WHERE DB.DatabaseId = '%s'", + buildSQLSet($arr), + $DBId); + DBUpdate($sql); + } + + DBDelete(sprintf("DELETE FROM DBOwner WHERE DatabaseId = '%s'", mysql_escape_string($DBId))); + DBDelete(sprintf("DELETE FROM DBQuota WHERE DatabaseId = '%s'", mysql_escape_string($DBId))); + + $arr = $_NEW_DBQUOTA; + $arr['DatabaseId'] = $DBId; + $sql = sprintf("INSERT IGNORE INTO DBQuota %s", + buildSQLInsert($arr)); + DBInsert($sql); + + $arr = $_NEW_DBOWNER; + $arr['DatabaseId'] = $DBId; + $arr['UserId'] = $userid; + $sql = sprintf("INSERT IGNORE INTO DBOwner %s", + buildSQLInsert($arr)); + DBInsert($sql); + + return $DBId; +} + +function delDB($dbname) { + global $_NEW_DB, $_NEW_DBQUOTA, $_NEW_DBOWNER; + + DBCreate(sprintf('DROP DATABASE `%s`', mysql_escape_string($dbname))); + + $arr['bEnabled'] = 0; + $sql = sprintf("UPDATE DB %s WHERE DB.Name = '%s'", + buildSQLSet($arr), + $dbname); + DBUpdate($sql); + + return true; +} + ?>
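Review bot: In `delDB()` the `UPDATE DB ... WHERE DB.Name = '%s'` statement passes `$dbname` to `sprintf` raw — the only unescaped interpolation in the file — and must use `mysql_escape_string($dbname)` like the `DROP` on the line above. Both `CREATE DATABASE` and `DROP DATABASE` put the name in identifier position, where `mysql_escape_string` does not help: it escapes quotes and backslashes for string literals and leaves backticks untouched, so the identifier needs backticks doubled (`str_replace` of one backtick with two) or, better, `$dbname` validated against the site's naming rule before either statement runs. The global `delDB($dbname)` takes no user id and performs no ownership check, so any code path reaching it directly bypasses the per-user check in `User::delDB()`; restoring a `$userid` parameter with a `DBOwner` lookup keeps that guard in one place. `global $_NEW_DB, $_NEW_DBQUOTA, $_NEW_DBOWNER;` in `delDB()` is unused, and `$arr['bEnabled'] = 0;` builds on an uninitialised array.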