Context Navigation

Auth_SQL.inc.php @ 319

Last change on this file since 319 was 319, checked in by quinn, 16 years ago

File size: 41.9 KB

Line
1	<?php
2	/**
3	* The Auth_SQL:: class provides a SQL implementation for authentication.
4	*
5	* @author Quinn Comendant <quinn@strangecode.com>
6	* @version 2.0
7	*/
8
9	// Available encryption types for class Auth_SQL.
10	define('AUTH_ENCRYPT_MD5', 'md5');
11	define('AUTH_ENCRYPT_CRYPT', 'crypt');
12	define('AUTH_ENCRYPT_SHA1', 'sha1');
13	define('AUTH_ENCRYPT_PLAINTEXT', 'plaintext');
14
15	require_once dirname(__FILE__) . '/Email.inc.php';
16
17	class Auth_SQL {
18
19	var $_auth = '';
20	var $_sess = '_auth_';
21	var $_authentication_tested;
22	var $_params = array();
23
24	// Default param values.
25	var $_default_params = array(
26
27	// Automatically create table and verify columns. Better set to false after site launch.
28	'create_table' => true,
29
30	// The database table containing users to authenticate.
31	'db_table' => 'user_tbl',
32
33	// The name of the primary key for the db_table.
34	'db_primary_key' => 'user_id',
35
36	// The name of the username key for the db_table.
37	'db_username_column' => 'username',
38
39	// If using the db_login_table feature, specify the db_login_table. The primary key must match the primary key for the db_table.
40	'db_login_table' => 'user_login_tbl',
41
42	// The type of encryption to use for passwords stored in the db_table. Use one of the AUTH_ENCRYPT_* types specified above.
43	'encryption_type' => AUTH_ENCRYPT_MD5,
44
45	// The URL to the login script.
46	'login_url' => '/',
47
48	// The maximum amount of time a user is allowed to be logged in. They will be forced to login again if they expire.
49	// This applies to admins and users. In seconds. 21600 seconds = 6 hours.
50	'login_timeout' => 21600,
51
52	// The maximum amount of time a user is allowed to be idle before their session expires. They will be forced to login again if they expire.
53	// This applies to admins and users. In seconds. 3600 seconds = 1 hour.
54	'idle_timeout' => 3600,
55
56	// The period of time to compare login abuse attempts. If a threshold of logins is reached in this amount of time the account is blocked.
57	// Days and hours, like this: 'DD:HH'
58	'login_abuse_timeframe' => '04:00',
59
60	// The number of warnings a user will receive (and their password reset each time) before their account is completely blocked.
61	'login_abuse_warnings' => 3,
62
63	// The maximum number of IP addresses a user can login with over the timeout period before their account is blocked.
64	'login_abuse_max_ips' => 5,
65
66	// The IP address subnet size threshold. Uses a CIDR notation network mask (see CIDR cheatsheet at bottom).
67	// Any integar between 0 and 32 is permitted. Setting this to '24' permits any address in a
68	// class C network (255.255.255.0) to be considered the same. Setting to '32' compares each IP absolutely.
69	// Setting to '0' ignores all IPs, thus disabling login_abuse checking.
70	'login_abuse_ip_bitmask' => 32,
71
72	// Specify usernames to exclude from the account abuse detection system. This is specified as a hardcoded array provided at
73	// class instantiation time, or can be saved in the db_table under the login_abuse_exempt field.
74	'login_abuse_exempt_usernames' => array(),
75
76	// An array of IP blocks that are bypass the remote_ip comparison check. Useful for dynamic IPs or those behind proxy servers.
77	'trusted_networks' => array(),
78
79	// Match the user's current remote IP against the one they logged in with.
80	'match_remote_ip' => true,
81
82	// Allow user accounts to be blocked? Requires the user table to have the columns 'blocked' and 'blocked_reason'
83	'blocking' => false,
84
85	// Use a db_login_table to detect excessive logins. This requires blocking to be enabled.
86	'abuse_detection' => false,
87	);
88
89	/**
90	* Constructs a new authentication object.
91	*
92	* @access public
93	* @param optional array $params A hash containing parameters.
94	*/
95	function Auth_SQL($auth_name=null)
96	{
97	if (isset($auth_name)) {
98	$this->_auth = $auth_name;
99	$this->_sess .= $auth_name;
100	}
101
102	// Initialize default parameters.
103	$this->setParam($this->_default_params);
104
105	// Get create tables config from global context.
106	if (!is_null(App::getParam('db_create_tables'))) {
107	$this->setParam(array('create_table' => App::getParam('db_create_tables')));
108	}
109	}
110
111	/**
112	* Setup the database tables for this class.
113	*
114	* @access public
115	* @author Quinn Comendant <quinn@strangecode.com>
116	* @since 26 Aug 2005 17:09:36
117	*/
118	function initDB($recreate_db=false)
119	{
120	static $_db_tested = false;
121
122	if ($recreate_db \|\| !$_db_tested && $this->getParam('create_table')) {
123
124	// User table.
125	if ($recreate_db) {
126	DB::query("DROP TABLE IF EXISTS " . $this->getParam('db_table'));
127	App::logMsg(sprintf('Dropping and recreating table %s.', $this->getParam('db_table')), LOG_DEBUG, __FILE__, __LINE__);
128	}
129
130	// The minimal columns for a table compatable with the Auth_SQL class.
131	DB::query("CREATE TABLE IF NOT EXISTS " . $this->getParam('db_table') . " (
132	" . $this->getParam('db_primary_key') . " smallint(11) NOT NULL auto_increment,
133	" . $this->getParam('db_username_column') . " varchar(255) NOT NULL default '',
134	userpass varchar(255) NOT NULL default '',
135	first_name varchar(255) NOT NULL default '',
136	last_name varchar(255) NOT NULL default '',
137	email varchar(255) NOT NULL default '',
138	user_type enum('public', 'editor', 'admin', 'root') default NULL,
139	login_abuse_exempt enum('true') default NULL,
140	blocked enum('true') default NULL,
141	blocked_reason varchar(255) NOT NULL default '',
142	abuse_warning_level tinyint(4) NOT NULL default '0',
143	seconds_online int(11) NOT NULL default '0',
144	last_login_datetime datetime NOT NULL default '0000-00-00 00:00:00',
145	last_access_datetime datetime NOT NULL default '0000-00-00 00:00:00',
146	last_login_ip varchar(255) NOT NULL default '0.0.0.0',
147	added_by_user_id smallint(11) default NULL,
148	modified_by_user_id smallint(11) default NULL,
149	added_datetime datetime NOT NULL default '0000-00-00 00:00:00',
150	modified_datetime datetime NOT NULL default '0000-00-00 00:00:00',
151	PRIMARY KEY (" . $this->getParam('db_primary_key') . "),
152	KEY " . $this->getParam('db_username_column') . " (" . $this->getParam('db_username_column') . "),
153	KEY userpass (userpass),
154	KEY email (email)
155	)");
156
157	if (!DB::columnExists($this->getParam('db_table'), array(
158	$this->getParam('db_primary_key'),
159	$this->getParam('db_username_column'),
160	'userpass',
161	'first_name',
162	'last_name',
163	'email',
164	'user_type',
165	'login_abuse_exempt',
166	'blocked',
167	'blocked_reason',
168	'abuse_warning_level',
169	'seconds_online',
170	'last_login_datetime',
171	'last_access_datetime',
172	'last_login_ip',
173	'added_by_user_id',
174	'modified_by_user_id',
175	'added_datetime',
176	'modified_datetime',
177	), false, false)) {
178	App::logMsg(sprintf('Database table %s has invalid columns. Please update this table manually.', $this->getParam('db_table')), LOG_ALERT, __FILE__, __LINE__);
179	trigger_error(sprintf('Database table %s has invalid columns. Please update this table manually.', $this->getParam('db_table')), E_USER_ERROR);
180	}
181
182	// Login table is used for abuse_detection features.
183	if ($this->getParam('abuse_detection')) {
184	if ($recreate_db) {
185	DB::query("DROP TABLE IF EXISTS " . $this->getParam('db_login_table'));
186	App::logMsg(sprintf('Dropping and recreating table %s.', $this->getParam('db_login_table')), LOG_DEBUG, __FILE__, __LINE__);
187	}
188	DB::query("CREATE TABLE IF NOT EXISTS " . $this->getParam('db_login_table') . " (
189	" . $this->getParam('db_primary_key') . " smallint(11) NOT NULL default '0',
190	login_datetime datetime NOT NULL default '0000-00-00 00:00:00',
191	remote_ip_binary char(32) NOT NULL default '',
192	KEY " . $this->getParam('db_primary_key') . " (" . $this->getParam('db_primary_key') . "),
193	KEY login_datetime (login_datetime),
194	KEY remote_ip_binary (remote_ip_binary)
195	)");
196
197	if (!DB::columnExists($this->getParam('db_login_table'), array(
198	$this->getParam('db_primary_key'),
199	'login_datetime',
200	'remote_ip_binary',
201	), false, false)) {
202	App::logMsg(sprintf('Database table %s has invalid columns. Please update this table manually.', $this->getParam('db_login_table')), LOG_ALERT, __FILE__, __LINE__);
203	trigger_error(sprintf('Database table %s has invalid columns. Please update this table manually.', $this->getParam('db_login_table')), E_USER_ERROR);
204	}
205	}
206	}
207	$_db_tested = true;
208	}
209
210	/**
211	* Set the params of an auth object.
212	*
213	* @param array $params Array of parameter keys and value to set.
214	* @return bool true on success, false on failure
215	*/
216	function setParam($params)
217	{
218	if (isset($params) && is_array($params)) {
219	// Merge new parameters with old overriding only those passed.
220	$this->_params = array_merge($this->_params, $params);
221	}
222	}
223
224	/**
225	* Return the value of a parameter, if it exists.
226	*
227	* @access public
228	* @param string $param Which parameter to return.
229	* @return mixed Configured parameter value.
230	*/
231	function getParam($param)
232	{
233	if (isset($this->_params[$param])) {
234	return $this->_params[$param];
235	} else {
236	App::logMsg(sprintf('Parameter is not set: %s', $param), LOG_DEBUG, __FILE__, __LINE__);
237	return null;
238	}
239	}
240
241	/**
242	* Clear any authentication tokens in the current session. A.K.A. logout.
243	*
244	* @access public
245	*/
246	function clearAuth()
247	{
248	$this->initDB();
249
250	DB::query("
251	UPDATE " . $this->_params['db_table'] . " SET
252	seconds_online = seconds_online + (UNIX_TIMESTAMP() - UNIX_TIMESTAMP(last_access_datetime)),
253	last_login_datetime = '0000-00-00 00:00:00'
254	WHERE " . $this->_params['db_primary_key'] . " = '" . $this->getVal('user_id') . "'
255	");
256	$_SESSION[$this->_sess] = array('authenticated' => false);
257	}
258
259	/**
260	* Sets a variable into a registered auth session.
261	*
262	* @access public
263	* @param mixed $key Which value to set.
264	* @param mixed $val Value to set variable to.
265	*/
266	function setVal($key, $val)
267	{
268	if (!isset($_SESSION[$this->_sess]['user_data'])) {
269	$_SESSION[$this->_sess]['user_data'] = array();
270	}
271	$_SESSION[$this->_sess]['user_data'][$key] = $val;
272	}
273
274	/**
275	* Returns a specified value from a registered auth session.
276	*
277	* @access public
278	* @param mixed $key Which value to return.
279	* @param mixed $default Value to return if key not found in user_data.
280	* @return mixed Value stored in session.
281	*/
282	function getVal($key, $default='')
283	{
284	if (isset($_SESSION[$this->_sess][$key])) {
285	return $_SESSION[$this->_sess][$key];
286	} else if (isset($_SESSION[$this->_sess]['user_data'][$key])) {
287	return $_SESSION[$this->_sess]['user_data'][$key];
288	} else {
289	return $default;
290	}
291	}
292
293	/**
294	* Find out if a set of login credentials are valid.
295	*
296	* @access private
297	* @param string $username The username to check.
298	* @param string $password The password to compare to username.
299	* @return mixed False if credentials not found in DB, or returns DB row matching credentials.
300	*/
301	function authenticate($username, $password)
302	{
303	$this->initDB();
304
305	switch ($this->_params['encryption_type']) {
306	case AUTH_ENCRYPT_CRYPT :
307	// Query DB for user matching credentials. Compare cyphertext with salted-encrypted password.
308	$qid = DB::query("
309	SELECT *, " . $this->_params['db_primary_key'] . " AS user_id
310	FROM " . $this->_params['db_table'] . "
311	WHERE " . $this->_params['db_username_column'] . " = '" . DB::escapeString($username) . "'
312	AND BINARY userpass = ENCRYPT('" . DB::escapeString($password) . "', LEFT(userpass, 2)))
313	");
314	break;
315	case AUTH_ENCRYPT_PLAINTEXT :
316	case AUTH_ENCRYPT_MD5 :
317	case AUTH_ENCRYPT_SHA1 :
318	default :
319	// Query DB for user matching credentials. Directly compare cyphertext with result from encryptPassword().
320	$qid = DB::query("
321	SELECT *, " . $this->_params['db_primary_key'] . " AS user_id
322	FROM " . $this->_params['db_table'] . "
323	WHERE " . $this->_params['db_username_column'] . " = '" . DB::escapeString($username) . "'
324	AND BINARY userpass = '" . DB::escapeString($this->encryptPassword($password)) . "'
325	");
326	break;
327	}
328
329	// Return user data if found.
330	if ($user_data = mysql_fetch_assoc($qid)) {
331	App::logMsg(sprintf('Authentication successful for %s %s (%s)', $this->_auth, $user_data['user_id'], $username), LOG_INFO, __FILE__, __LINE__);
332	return $user_data;
333	} else {
334	App::logMsg(sprintf('Authentication failed for %s %s (encrypted attempted password: %s)', $this->_auth, $username, $this->encryptPassword($password)), LOG_NOTICE, __FILE__, __LINE__);
335	return false;
336	}
337	}
338
339	/**
340	* If user authenticated, register login into session.
341	*
342	* @access private
343	* @param string $username The username to check.
344	* @param string $password The password to compare to username.
345	* @return boolean Whether or not the credentials are valid.
346	*/
347	function login($username, $password)
348	{
349	$this->initDB();
350
351	$this->clearAuth();
352
353	if (!$user_data = $this->authenticate($username, $password)) {
354	// No login: failed authentication!
355	return false;
356	}
357
358	// Register authenticated session.
359	$_SESSION[$this->_sess] = array(
360	'authenticated' => true,
361	'user_id' => $user_data['user_id'],
362	'auth_name' => $this->_auth,
363	'username' => $username,
364	'login_datetime' => date('Y-m-d H:i:s'),
365	'last_access_datetime' => date('Y-m-d H:i:s'),
366	'remote_ip' => getRemoteAddr(),
367	'login_abuse_exempt' => isset($user_data['login_abuse_exempt']) ? !empty($user_data['login_abuse_exempt']) : in_array($username, $this->_params['login_abuse_exempt_usernames']),
368	'user_data' => $user_data
369	);
370
371	/**
372	* Check if the account is blocked, respond in context to reason. Cancel the login if blocked.
373	*/
374	if ($this->getParam('blocking')) {
375	if (!empty($user_data['blocked'])) {
376
377	App::logMsg(sprintf('%s %s (%s) login failed due to blocked account: %s', ucfirst($this->_auth), $this->getVal('user_id'), $this->getVal('username'), $this->getVal('blocked_reason')), LOG_NOTICE, __FILE__, __LINE__);
378
379	switch ($user_data['blocked_reason']) {
380	case 'account abuse' :
381	App::raiseMsg(sprintf(_("This account has been blocked due to possible account abuse. Please contact us to reactivate."), null), MSG_WARNING, __FILE__, __LINE__);
382	break;
383	default :
384	App::raiseMsg(sprintf(_("This account is currently not active. %s"), $user_data['blocked_reason']), MSG_WARNING, __FILE__, __LINE__);
385	break;
386	}
387
388	// No login: user is blocked!
389	$this->clearAuth();
390	return false;
391	}
392	}
393
394	/**
395	* Check the db_login_table for too many logins under this account.
396	* (1) Count the number of unique IP addresses that logged in under this user within the login_abuse_timeframe
397	* (2) If this number exceeds the login_abuse_max_ips, assume multiple people are logging in under the same account.
398	**/
399	if ($this->getParam('abuse_detection') && !$this->getVal('login_abuse_exempt')) {
400	$qid = DB::query("
401	SELECT COUNT(DISTINCT LEFT(remote_ip_binary, " . $this->_params['login_abuse_ip_bitmask'] . "))
402	FROM " . $this->_params['db_login_table'] . "
403	WHERE " . $this->_params['db_primary_key'] . " = '" . $this->getVal('user_id') . "'
404	AND DATE_ADD(login_datetime, INTERVAL '" . $this->_params['login_abuse_timeframe'] . "' DAY_HOUR) > NOW()
405	");
406	list($distinct_ips) = mysql_fetch_row($qid);
407	if ($distinct_ips > $this->_params['login_abuse_max_ips']) {
408	if ($this->getVal('abuse_warning_level') < $this->_params['login_abuse_warnings']) {
409	// Warn the user with a password reset.
410	$this->resetPassword(null, _("This is a security precaution. We have detected this account has been accessed from multiple computers simultaneously. It is against policy to share login information with others. If further account abuse is detected this account will be blocked."));
411	App::raiseMsg(_("Your password has been reset as a security precaution. Please check your email for more information."), MSG_NOTICE, __FILE__, __LINE__);
412	App::logMsg(sprintf('Account abuse detected for %s %s (%s) from IP %s', $this->_auth, $this->getVal('user_id'), $this->getVal('username'), $this->getVal('remote_ip')), LOG_WARNING, __FILE__, __LINE__);
413	} else {
414	// Block the account with the reason of account abuse.
415	$this->blockAccount(null, 'account abuse');
416	App::raiseMsg(_("Your account has been blocked as a security precaution. Please contact us for more information."), MSG_NOTICE, __FILE__, __LINE__);
417	App::logMsg(sprintf('Account blocked for %s %s (%s) from IP %s', $this->_auth, $this->getVal('user_id'), $this->getVal('username'), $this->getVal('remote_ip')), LOG_ALERT, __FILE__, __LINE__);
418	}
419	// Increment user's warning level.
420	DB::query("UPDATE " . $this->_params['db_table'] . " SET abuse_warning_level = abuse_warning_level + 1 WHERE " . $this->_params['db_primary_key'] . " = '" . $this->getVal('user_id') . "'");
421	// Reset the login counter for this user.
422	DB::query("DELETE FROM " . $this->_params['db_login_table'] . " WHERE " . $this->_params['db_primary_key'] . " = '" . $this->getVal('user_id') . "'");
423	// No login: reset password because of account abuse!
424	$this->clearAuth();
425	return false;
426	}
427
428	// Update the login counter table with this login access. Convert IP to binary.
429	DB::query("
430	INSERT INTO " . $this->_params['db_login_table'] . " (
431	" . $this->_params['db_primary_key'] . ",
432	login_datetime,
433	remote_ip_binary
434	) VALUES (
435	'" . $this->getVal('user_id') . "',
436	'" . $this->getVal('login_datetime') . "',
437	'" . sprintf('%032b', ip2long($this->getVal('remote_ip'))) . "'
438	)
439	");
440	}
441
442	// Update user table with this login.
443	DB::query("
444	UPDATE " . $this->_params['db_table'] . " SET
445	last_login_datetime = '" . $this->getVal('login_datetime') . "',
446	last_access_datetime = '" . $this->getVal('login_datetime') . "',
447	last_login_ip = '" . $this->getVal('remote_ip') . "'
448	WHERE " . $this->_params['db_primary_key'] . " = '" . $this->getVal('user_id') . "'
449	");
450
451	// We're logged-in!
452	return true;
453	}
454
455	/**
456	* Test if user has a currently logged-in session.
457	* - authentication flag set to true
458	* - username not empty
459	* - total logged-in time is not greater than login_timeout
460	* - idle time is not greater than idle_timeout
461	* - remote address is the same as the login remote address (aol users excluded).
462	*
463	* @access public
464	*/
465	function isLoggedIn($user_id=null)
466	{
467	$this->initDB();
468
469	if (isset($user_id)) {
470	// Check the login status of a specific user.
471	$qid = DB::query("
472	SELECT 1 FROM " . $this->_params['db_table'] . "
473	WHERE " . $this->_params['db_primary_key'] . " = '" . DB::escapeString($user_id) . "'
474	AND DATE_ADD(last_login_datetime, INTERVAL '" . $this->_params['login_timeout'] . "' SECOND) > NOW()
475	AND DATE_ADD(last_access_datetime, INTERVAL '" . $this->_params['idle_timeout'] . "' SECOND) > NOW()
476	");
477	return (mysql_num_rows($qid) > 0);
478	}
479
480	// User login test need only be run once per script execution. We cache the result in the session.
481	if ($this->_authentication_tested && isset($_SESSION[$this->_sess]['authenticated'])) {
482	return $_SESSION[$this->_sess]['authenticated'];
483	}
484
485	// Tesing login should occur once. This is the first time. Set flag.
486	$this->_authentication_tested = true;
487
488	// Some users will access from networks with a changing IP number (i.e. behind a proxy server). These users must be allowed entry by adding their IP to the list of trusted_networks.
489	if ($trusted_net = ipInRange(getRemoteAddr(), $this->_params['trusted_networks'])) {
490	$user_in_trusted_network = true;
491	App::logMsg(sprintf('%s%s accessing from trusted network %s',
492	ucfirst($this->_auth),
493	($this->getVal('user_id') ? ' ' . $this->getVal('user_id') . ' (' . $this->getVal('username') . ')' : ''),
494	$trusted_net
495	), LOG_DEBUG, __FILE__, __LINE__);
496	} else if (preg_match('/proxy.aol.com$/i', getRemoteAddr(true))) {
497	$user_in_trusted_network = true;
498	App::logMsg(sprintf('%s%s accessing from trusted network proxy.aol.com',
499	ucfirst($this->_auth),
500	($this->getVal('user_id') ? ' ' . $this->getVal('user_id') . ' (' . $this->getVal('username') . ')' : '')
501	), LOG_DEBUG, __FILE__, __LINE__);
502	} else {
503	$user_in_trusted_network = false;
504	}
505
506	// Test login with information stored in session. Skip IP matching for users from trusted networks.
507	if (isset($_SESSION[$this->_sess])
508	&& isset($_SESSION[$this->_sess]['authenticated']) && true === $_SESSION[$this->_sess]['authenticated']
509	&& !empty($_SESSION[$this->_sess]['username'])
510	&& strtotime($_SESSION[$this->_sess]['login_datetime']) > time() - $this->_params['login_timeout']
511	&& strtotime($_SESSION[$this->_sess]['last_access_datetime']) > time() - $this->_params['idle_timeout']
512	&& (!$this->_params['match_remote_ip'] \|\| $_SESSION[$this->_sess]['remote_ip'] == getRemoteAddr() \|\| $user_in_trusted_network)
513	) {
514	// User is authenticated!
515	$_SESSION[$this->_sess]['last_access_datetime'] = date('Y-m-d H:i:s');
516
517	// Update the DB with the last_access_datetime and increment the seconds_online.
518	DB::query("
519	UPDATE " . $this->_params['db_table'] . " SET
520	seconds_online = seconds_online + (UNIX_TIMESTAMP() - UNIX_TIMESTAMP(last_access_datetime)) + 1,
521	last_access_datetime = '" . $this->getVal('last_access_datetime') . "'
522	WHERE " . $this->_params['db_primary_key'] . " = '" . $this->getVal('user_id') . "'
523	");
524	if (mysql_affected_rows(DB::getDBH()) > 0) {
525	// User record still exists in DB. Do this to ensure user was not delete from DB between accesses. Notice "+ 1" in SQL above to ensure record is modified.
526	return true;
527	} else {
528	App::logMsg(sprintf('User update failed. Record not found for %s %s (%s).', $this->_auth, $this->getVal('user_id'), $this->getVal('username')), LOG_NOTICE, __FILE__, __LINE__);
529	}
530	} else if (isset($_SESSION[$this->_sess]['authenticated']) && true === $_SESSION[$this->_sess]['authenticated']) {
531	// User is authenticated, but login has expired.
532	if (strtotime($_SESSION[$this->_sess]['last_access_datetime']) > time() - 43200) {
533	// Only raise message if last session is less than 12 hours old.
534	App::raiseMsg(sprintf(_("Your %s session has closed. You need to log-in again."), strtolower($this->_auth)), MSG_NOTICE, __FILE__, __LINE__);
535	}
536
537	// Log the reason for login expiration.
538	$expire_reasons = array();
539	if (empty($_SESSION[$this->_sess]['username'])) {
540	$expire_reasons[] = 'username not found';
541	}
542	if (strtotime($_SESSION[$this->_sess]['login_datetime']) <= time() - $this->_params['login_timeout']) {
543	$expire_reasons[] = 'login_timeout expired';
544	}
545	if (strtotime($_SESSION[$this->_sess]['last_access_datetime']) <= time() - $this->_params['idle_timeout']) {
546	$expire_reasons[] = 'idle_timeout expired';
547	}
548	if ($_SESSION[$this->_sess]['remote_ip'] != getRemoteAddr() && !$user_in_trusted_network) {
549	$expire_reasons[] = sprintf('remote_ip not matched (%s != %s)', $_SESSION[$this->_sess]['remote_ip'], getRemoteAddr());
550	}
551	App::logMsg(sprintf('%s %s (%s) session expired: %s', ucfirst($this->_auth), $this->getVal('user_id'), $this->getVal('username'), join(', ', $expire_reasons)), LOG_INFO, __FILE__, __LINE__);
552	}
553
554	// User is not authenticated.
555	$this->clearAuth();
556	return false;
557	}
558
559	/**
560	* Redirect user to login page if they are not logged in.
561	*
562	* @param string $message The text description of a message to raise.
563	* @param int $type The type of message: MSG_NOTICE,
564	* MSG_SUCCESS, MSG_WARNING, or MSG_ERR.
565	* @param string $file __FILE__.
566	* @param string $line __LINE__.
567	* @access public
568	*/
569	function requireLogin($message='', $type=MSG_NOTICE, $file=null, $line=null)
570	{
571	if (!$this->isLoggedIn()) {
572	// Display message for requiring login. (RaiseMsg will ignore empty strings.)
573	App::raiseMsg($message, $type, $file, $line);
574
575	// Login scripts must have the same 'login' tag for boomerangURL verification/manipulation.
576	App::setBoomerangURL(absoluteMe(), 'login');
577	App::dieURL($this->_params['login_url']);
578	}
579	}
580
581	/**
582	* Tests if the "blocked" flag is set for a user.
583	*
584	* @param int $user_id User id to look for.
585	* @return boolean True if the user is blocked, false otherwise.
586	*/
587	function isBlocked($user_id=null)
588	{
589	$this->initDB();
590
591	if ($this->getParam('blocking')) {
592	// Get user_id if specified.
593	$user_id = isset($user_id) ? $user_id : $this->getVal('user_id');
594	$qid = DB::query("
595	SELECT 1
596	FROM " . $this->_params['db_table'] . "
597	WHERE blocked = 'true'
598	AND " . $this->_params['db_primary_key'] . " = '" . DB::escapeString($user_id) . "'
599	");
600	return mysql_num_rows($qid) === 1;
601	}
602	}
603
604	/**
605	* This sets the 'blocked' field for a user in the db_table, and also
606	* adds an optional reason
607	*
608	* @param string $reason The reason for blocking the account.
609	*/
610	function blockAccount($user_id=null, $reason='')
611	{
612	$this->initDB();
613
614	if ($this->getParam('blocking')) {
615	if (strlen(DB::escapeString($reason)) > 255) {
616	// blocked_reason field is varchar(255).
617	App::logMsg(sprintf('Blocked reason provided is greater than 255 characters: %s', $reason), LOG_WARNING, __FILE__, __LINE__);
618	}
619
620	// Get user_id if specified.
621	$user_id = isset($user_id) ? $user_id : $this->getVal('user_id');
622	DB::query("
623	UPDATE " . $this->_params['db_table'] . " SET
624	blocked = 'true',
625	blocked_reason = '" . DB::escapeString($reason) . "'
626	WHERE " . $this->_params['db_primary_key'] . " = '" . DB::escapeString($user_id) . "'
627	");
628	}
629	}
630
631	/**
632	* Unblocks a user in the db_table, and clears any blocked_reason.
633	*/
634	function unblockAccount($user_id=null)
635	{
636	$this->initDB();
637
638	if ($this->getParam('blocking')) {
639	// Get user_id if specified.
640	$user_id = isset($user_id) ? $user_id : $this->getVal('user_id');
641	DB::query("
642	UPDATE " . $this->_params['db_table'] . " SET
643	blocked = '',
644	blocked_reason = ''
645	WHERE " . $this->_params['db_primary_key'] . " = '" . DB::escapeString($user_id) . "'
646	");
647	}
648	}
649
650	/**
651	* Returns true if username already exists in database.
652	*
653	* @param string $username Username to look for.
654	* @return bool True if username exists.
655	*/
656	function usernameExists($username)
657	{
658	$this->initDB();
659
660	$qid = DB::query("
661	SELECT 1
662	FROM " . $this->_params['db_table'] . "
663	WHERE " . $this->_params['db_username_column'] . " = '" . DB::escapeString($username) . "'
664	");
665	return (mysql_num_rows($qid) > 0);
666	}
667
668	/**
669	* Returns a username for a specified user id.
670	*
671	* @param string $user_id User id to look for.
672	* @return string Username, or false if none found.
673	*/
674	function getUsername($user_id)
675	{
676	$this->initDB();
677
678	$qid = DB::query("
679	SELECT " . $this->_params['db_username_column'] . "
680	FROM " . $this->_params['db_table'] . "
681	WHERE " . $this->_params['db_primary_key'] . " = '" . DB::escapeString($user_id) . "'
682	");
683	if (list($username) = mysql_fetch_row($qid)) {
684	return $username;
685	} else {
686	return false;
687	}
688	}
689
690	/**
691	* Returns a randomly generated password based on $pattern. The pattern is any
692	* sequence of 'x', 'V', 'C', 'v', 'c', or 'd' and if it is something like 'cvccv' this
693	* function will generate a pronouncable password. Recommend using more complex
694	* patterns, at minimum the US State Department standard: cvcddcvc.
695	*
696	* - x a random upper or lower alpha character or digit
697	* - C a random upper or lower consanant
698	* - V a random upper or lower vowel
699	* - c a random lowercase consanant
700	* - v a random lowercase vowel
701	* - d a random digit
702	*
703	* @param string $pattern a sequence of character types, above.
704	* @return string a password
705	*/
706	function generatePassword($pattern='CvccvCdd')
707	{
708	mt_srand((double) microtime() * 10000000);
709	$str = '';
710	for ($i=0; $i<strlen($pattern); $i++) {
711	$x = substr('bcdfghjklmnprstvwxzBCDFGHJKLMNPRSTVWXZaeiouyAEIOUY0123456789', (mt_rand() % 60), 1);
712	$c = substr('bcdfghjklmnprstvwxz', (mt_rand() % 19), 1);
713	$C = substr('bcdfghjklmnprstvwxzBCDFGHJKLMNPRSTVWXZ', (mt_rand() % 38), 1);
714	$v = substr('aeiouy', (mt_rand() % 6), 1);
715	$V = substr('aeiouyAEIOUY', (mt_rand() % 12), 1);
716	$d = substr('0123456789', (mt_rand() % 10), 1);
717	$str .= $$pattern{$i};
718	}
719	return $str;
720	}
721
722	/**
723	*
724	*/
725	function encryptPassword($password, $salt=null)
726	{
727	switch ($this->_params['encryption_type']) {
728	case AUTH_ENCRYPT_PLAINTEXT :
729	return $password;
730	break;
731
732	case AUTH_ENCRYPT_CRYPT :
733	// If comparing clear-text password with encrypted text, provide encrypted text as the salt.
734	return isset($salt) ? crypt($password, substr($salt, 0, 2)) : crypt($password);
735	break;
736
737	case AUTH_ENCRYPT_SHA1 :
738	return sha1($password);
739	break;
740
741	case AUTH_ENCRYPT_MD5 :
742	default :
743	return md5($password);
744	break;
745	}
746	}
747
748	/**
749	*
750	*/
751	function setPassword($user_id=null, $password)
752	{
753	$this->initDB();
754
755	// Get user_id if specified.
756	$user_id = isset($user_id) ? $user_id : $this->getVal('user_id');
757
758	// Get old password.
759	$qid = DB::query("
760	SELECT userpass
761	FROM " . $this->_params['db_table'] . "
762	WHERE " . $this->_params['db_primary_key'] . " = '" . DB::escapeString($user_id) . "'
763	");
764	if (!list($old_encrypted_password) = mysql_fetch_row($qid)) {
765	App::logMsg(sprintf('Cannot set password for nonexistant user_id %s', $user_id), LOG_NOTICE, __FILE__, __LINE__);
766	return false;
767	}
768
769	// Compare old with new to ensure we're actually changing the password.
770	$encrypted_password = $this->encryptPassword($password);
771	if ($old_encrypted_password == $encrypted_password) {
772	App::logMsg(sprintf('Not setting password: new is the same as old.', null), LOG_INFO, __FILE__, __LINE__);
773	return false;
774	}
775
776	// Issue the password change query.
777	DB::query("
778	UPDATE " . $this->_params['db_table'] . "
779	SET userpass = '" . DB::escapeString($encrypted_password) . "'
780	WHERE " . $this->_params['db_primary_key'] . " = '" . DB::escapeString($user_id) . "'
781	");
782
783	if (mysql_affected_rows(DB::getDBH()) != 1) {
784	App::logMsg(sprintf('Failed to update password for user %s', $user_id), LOG_WARNING, __FILE__, __LINE__);
785	return false;
786	}
787
788	return true;
789	}
790
791	/**
792	* Resets the password for the user with the specified id.
793	*
794	* @param string $user_id The id of the user to reset.
795	* @param string $reason Additional message to add to the reset email.
796	* @return string The user's new password.
797	*/
798	function resetPassword($user_id=null, $reason='')
799	{
800	$this->initDB();
801
802	// Get user_id if specified.
803	$user_id = isset($user_id) ? $user_id : $this->getVal('user_id');
804
805	// Reset password of a specific user.
806	$qid = DB::query("
807	SELECT * FROM " . $this->_params['db_table'] . "
808	WHERE " . $this->_params['db_primary_key'] . " = '" . DB::escapeString($user_id) . "'
809	");
810	if (!$user_data = mysql_fetch_assoc($qid)) {
811	App::logMsg(sprintf('Reset password failed. %s %s not found.', ucfirst($this->_auth), $user_id), LOG_NOTICE, __FILE__, __LINE__);
812	return false;
813	}
814
815	// Get new password.
816	$password = $this->generatePassword();
817
818	// Update password query.
819	$this->setPassword($user_id, $password);
820
821	// Make sure user has an email on record before continuing.
822	if (!isset($user_data['email']) \|\| '' == trim($user_data['email'])) {
823	App::logMsg(sprintf('Password reset but notification failed, no email address for %s %s (%s).', $this->_auth, $user_data[$this->_params['db_primary_key']], $user_data[$this->_params['db_username_column']]), LOG_NOTICE, __FILE__, __LINE__);
824	} else {
825	// Body for email.
826	$email_body = <<<EOF
827	Hello {NAME},
828
829	Your password at {SITE_NAME} has been reset. {REASON}
830	Your new login information is:
831
832	USERNAME: {USERNAME}
833	PASSWORD: {PASSWORD}
834
835	If you have any questions or concerns please reply to this email or visit the website below.
836
837	Thank you,
838	{SITE_NAME}
839	{SITE_URL}/
840
841	EOF;
842	$email = new Email(array(
843	'to' => $user_data['email'],
844	'from' => sprintf('%s <%s>', App::getParam('site_name'), App::getParam('site_email')),
845	'subject' => sprintf('%s password change', App::getParam('site_name'))
846	));
847	$email->setString($email_body);
848	$email->replace(array(
849	'site_name' => App::getParam('site_name'),
850	'site_url' => App::getParam('site_url'),
851	'name' => ('' != $user_data['first_name'] . $user_data['last_name'] ? $user_data['first_name'] . ' ' . $user_data['last_name'] : $user_data[$this->_params['db_username_column']]),
852	'username' => $user_data[$this->_params['db_username_column']],
853	'password' => $password,
854	'reason' => $reason,
855	));
856	$email->send();
857	}
858
859	return array(
860	'username' => $user_data[$this->_params['db_username_column']],
861	'userpass' => $password
862	);
863	}
864
865	/**
866	* If the current user has access to the specified $security_zone, return true.
867	* If the optional $priv is supplied, test that against the zone.
868	*
869	* @param constant $security_zone string of comma delimited priviliges for the zone
870	* @param string $priv a privilege that might be found in a zone
871	* @return bool true if user is a member of security zone, false otherwise
872	*/
873	function inClearanceZone($security_zone, $priv='')
874	{
875	return true;
876	$zone_members = preg_split('/,\s*/', $security_zone);
877	$priv = empty($priv) ? $this->getVal('priv') : $priv;
878
879	// If the current user's privilege level is NOT in that array or if the
880	// user has no privilege, return false. Otherwise the user is clear.
881	if (!in_array($priv, $zone_members) \|\| empty($priv)) {
882	return false;
883	} else {
884	return true;
885	}
886	}
887
888	/**
889	* This function tests a list of arguments $security_zone against the priv that the current user has.
890	* If the user doesn't have one of the supplied privs, die.
891	*
892	* @param constant $security_zone string of comma delimited priviliges for the zone
893	*/
894	function requireAccessClearance($security_zone, $message='')
895	{
896	return true;
897	$zone_members = preg_split('/,\s*/', $security_zone);
898
899	/* If the current user's privilege level is NOT in that array or if the
900	* user has no privilege, DIE with a message. */
901	if (!in_array($this->getVal('priv'), $zone_members) \|\| !$this->getVal('priv')) {
902	$message = empty($message) ? _("You have insufficient privileges to view that page.") : $message;
903	App::raiseMsg($message, MSG_NOTICE, __FILE__, __LINE__);
904	App::dieBoomerangURL();
905	}
906	}
907
908	} // end class
909
910	// CIDR cheat-sheet
911	//
912	// Netmask Netmask (binary) CIDR Notes
913	// _____________________________________________________________________________
914	// 255.255.255.255 11111111.11111111.11111111.11111111 /32 Host (single addr)
915	// 255.255.255.254 11111111.11111111.11111111.11111110 /31 Unusable
916	// 255.255.255.252 11111111.11111111.11111111.11111100 /30 2 useable
917	// 255.255.255.248 11111111.11111111.11111111.11111000 /29 6 useable
918	// 255.255.255.240 11111111.11111111.11111111.11110000 /28 14 useable
919	// 255.255.255.224 11111111.11111111.11111111.11100000 /27 30 useable
920	// 255.255.255.192 11111111.11111111.11111111.11000000 /26 62 useable
921	// 255.255.255.128 11111111.11111111.11111111.10000000 /25 126 useable
922	// 255.255.255.0 11111111.11111111.11111111.00000000 /24 "Class C" 254 useable
923	//
924	// 255.255.254.0 11111111.11111111.11111110.00000000 /23 2 Class C's
925	// 255.255.252.0 11111111.11111111.11111100.00000000 /22 4 Class C's
926	// 255.255.248.0 11111111.11111111.11111000.00000000 /21 8 Class C's
927	// 255.255.240.0 11111111.11111111.11110000.00000000 /20 16 Class C's
928	// 255.255.224.0 11111111.11111111.11100000.00000000 /19 32 Class C's
929	// 255.255.192.0 11111111.11111111.11000000.00000000 /18 64 Class C's
930	// 255.255.128.0 11111111.11111111.10000000.00000000 /17 128 Class C's
931	// 255.255.0.0 11111111.11111111.00000000.00000000 /16 "Class B"
932	//
933	// 255.254.0.0 11111111.11111110.00000000.00000000 /15 2 Class B's
934	// 255.252.0.0 11111111.11111100.00000000.00000000 /14 4 Class B's
935	// 255.248.0.0 11111111.11111000.00000000.00000000 /13 8 Class B's
936	// 255.240.0.0 11111111.11110000.00000000.00000000 /12 16 Class B's
937	// 255.224.0.0 11111111.11100000.00000000.00000000 /11 32 Class B's
938	// 255.192.0.0 11111111.11000000.00000000.00000000 /10 64 Class B's
939	// 255.128.0.0 11111111.10000000.00000000.00000000 /9 128 Class B's
940	// 255.0.0.0 11111111.00000000.00000000.00000000 /8 "Class A"
941	//
942	// 254.0.0.0 11111110.00000000.00000000.00000000 /7
943	// 252.0.0.0 11111100.00000000.00000000.00000000 /6
944	// 248.0.0.0 11111000.00000000.00000000.00000000 /5
945	// 240.0.0.0 11110000.00000000.00000000.00000000 /4
946	// 224.0.0.0 11100000.00000000.00000000.00000000 /3
947	// 192.0.0.0 11000000.00000000.00000000.00000000 /2
948	// 128.0.0.0 10000000.00000000.00000000.00000000 /1
949	// 0.0.0.0 00000000.00000000.00000000.00000000 /0 IP space
950	?>

Note: See TracBrowser for help on using the repository browser.

Context Navigation

source: tags/2.0.2/lib/Auth_SQL.inc.php @ 319

Download in other formats: