Changeset 103
- Timestamp:
- Apr 19, 2006 3:14:28 AM (18 years ago)
- Location:
- trunk
- Files:
-
- 6 edited
trunk/lib/App.inc.php
r102 r103 222 222 */ 223 223 224 if ( $this->getParam('enable_db')) {224 if (true === $this->getParam('enable_db')) { 225 225 226 226 // DB connection parameters taken from environment variables in the httpd.conf file, readable only by root. … … 337 337 { 338 338 session_write_close(); 339 $this->db->close();340 339 restore_include_path(); 341 340 $this->running = false; 341 if (true === $this->getParam('enable_db')) { 342 $this->db->close(); 343 } 342 344 } 343 345 … … 364 366 365 367 if (!$this->running || '' == $message) { 368 $this->logMsg(sprintf('Canceled method call %s, application not running or message is an empty string.', __FUNCTION__), LOG_DEBUG, __FILE__, __LINE__); 366 369 return false; 367 370 } … … 397 400 398 401 if (!$this->running) { 402 $this->logMsg(sprintf('Canceled method call %s, application not running.', __FUNCTION__), LOG_DEBUG, __FILE__, __LINE__); 399 403 return false; 400 404 } … … 421 425 422 426 if (!$this->running) { 427 $this->logMsg(sprintf('Canceled method call %s, application not running.', __FUNCTION__), LOG_DEBUG, __FILE__, __LINE__); 423 428 return false; 424 429 } … … 441 446 442 447 if (!$this->running) { 448 $this->logMsg(sprintf('Canceled method call %s, application not running.', __FUNCTION__), LOG_DEBUG, __FILE__, __LINE__); 443 449 return false; 444 450 } … … 650 656 651 657 if (!$this->running) { 658 $this->logMsg(sprintf('Canceled method call %s, application not running.', __FUNCTION__), LOG_DEBUG, __FILE__, __LINE__); 652 659 return false; 653 660 } … … 769 776 770 777 if (!$this->running) { 778 $this->logMsg(sprintf('Canceled method call %s, application not running.', __FUNCTION__), LOG_DEBUG, __FILE__, __LINE__); 771 779 return false; 772 780 } … … 831 839 832 840 if (!$this->running) { 841 $this->logMsg(sprintf('Canceled method call %s, application not running.', __FUNCTION__), LOG_DEBUG, __FILE__, __LINE__); 833 842 return false; 834 843 } … … 879 888 880 889 if (!$this->running) { 890 
$this->logMsg(sprintf('Canceled method call %s, application not running.', __FUNCTION__), LOG_DEBUG, __FILE__, __LINE__); 881 891 return false; 882 892 } … … 925 935 926 936 if (!$this->running) { 937 $this->logMsg(sprintf('Canceled method call %s, application not running.', __FUNCTION__), LOG_DEBUG, __FILE__, __LINE__); 927 938 return false; 928 939 } … … 966 977 967 978 if (!$this->running) { 979 $this->logMsg(sprintf('Canceled method call %s, application not running.', __FUNCTION__), LOG_DEBUG, __FILE__, __LINE__); 968 980 return false; 969 981 } … … 994 1006 995 1007 if (!$this->running) { 1008 $this->logMsg(sprintf('Canceled method call %s, application not running.', __FUNCTION__), LOG_DEBUG, __FILE__, __LINE__); 996 1009 return false; 997 1010 } … … 1007 1020 1008 1021 /** 1009 * Check if a valid boomerang URL value has been set. 1010 * if it is not the current url, andhas not been accessed within n seconds.1011 * 1012 * @return bool True if it is set and not the current URL.1022 * Check if a valid boomerang URL value has been set. A boomerang URL is considered 1023 * valid if: 1) it is not empty, 2) it is not the current URL, and 3) has not been accessed within n seconds. 1024 * 1025 * @return bool True if it is set and valid, false otherwise. 1013 1026 */ 1014 1027 function validBoomerangURL($id=null, $use_nonspecificboomerang=false) … … 1019 1032 1020 1033 if (!$this->running) { 1034 $this->logMsg(sprintf('Canceled method call %s, application not running.', __FUNCTION__), LOG_DEBUG, __FILE__, __LINE__); 1021 1035 return false; 1022 1036 } 1023 1037 1024 1038 if (!isset($_SESSION[$this->app]['boomerang']['url'])) { 1039 $this->logMsg(sprintf('validBoomerangURL(%s) no boomerang URL set.', $id, $url), LOG_DEBUG, __FILE__, __LINE__); 1025 1040 return false; 1026 1041 } -
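Review bot: The new debug log in validBoomerangURL (new line 1039) passes two arguments, `$id` and `$url`, to a format string that has a single `%s`, and `$url` is not assigned anywhere before that point in the hunk, so the call would raise an undefined-variable notice and silently drop the second value. Either log only the id, `$this->logMsg(sprintf('validBoomerangURL(%s) no boomerang URL set.', $id), LOG_DEBUG, __FILE__, __LINE__);`, or add a second `%s` once `$url` is actually set. The guard added in stop() so that `$this->db->close()` runs only when `enable_db` is true matches the strict `true ===` check introduced at line 224, which is the right way round. validBoomerangURL's body continues past the end of the hunk.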
trunk/lib/Auth_File.inc.php
r102 r103 5 5 * 6 6 * @author Quinn Comendant <quinn@strangecode.com> 7 * @version 1. 17 * @version 1.2 8 8 */ 9 10 // Usage example: 11 // $auth = new Auth_File(); 12 // $auth->setParam(array( 13 // 'htpasswd_file' => COMMON_BASE . '/global/site_users.htpasswd', 14 // 'login_timeout' => 21600, 15 // 'idle_timeout' => 3600, 16 // 'login_url' => '/login.php' 17 // )); 9 18 10 19 // Available encryption types for class Auth_SQL. … … 16 25 class Auth_File { 17 26 18 var $_params = array( 27 var $_auth = ''; 28 var $_sess = '_auth_'; 29 var $_params = array(); 30 var $_default_params = array( 31 32 // Full path to htpasswd file. 33 'htpasswd_file' => null, 34 35 // The type of encryption to use for passwords stored in the db_table. Use one of the AUTH_ENCRYPT_* types specified above. 19 36 'encryption_type' => AUTH_ENCRYPT_CRYPT, 20 'htpasswd_file' => null, 21 'login_timeout' => 21600, // 6 hours. 22 'idle_timeout' => 3600, // 1 hour. 23 'login_url' => '/login.php', 37 38 // The URL to the login script. 39 'login_url' => '/', 40 41 // The maximum amount of time a user is allowed to be logged in. They will be forced to login again if they expire. 42 // This applies to admins and users. In seconds. 21600 seconds = 6 hours. 43 'login_timeout' => 21600, 44 45 // The maximum amount of time a user is allowed to be idle before their session expires. They will be forced to login again if they expire. 46 // This applies to admins and users. In seconds. 3600 seconds = 1 hour. 47 'idle_timeout' => 3600, 48 49 // An array of IP blocks that are bypass the remote_ip comparison check. Useful for dynamic IPs or those behind proxy servers. 50 'trusted_networks' => array(), 24 51 ); 52 53 // Associative array of usernames to hashed passwords. 25 54 var $_users = array(); 26 55 … … 32 61 * @param optional array $params A hash containing parameters. 
33 62 */ 34 function Auth_File($params = array()) 35 { 36 $this->_params = array_merge($this->_params, $params); 37 38 if (!empty($this->_params['htpasswd_file'])) { 39 if (false === ($users = file($this->_params['htpasswd_file']))) { 40 App::logMsg(sprintf(_("Could not read htpasswd file: %s"), $this->_params['htpasswd_file']), LOG_ERR, __FILE__, __LINE__); 41 } 42 if (is_array($users)) { 43 foreach ($users as $line) { 44 list($user, $pass) = explode(':', $line, 2); 45 $this->_users[trim($user)] = trim($pass); 46 } 47 } 48 } 63 function Auth_File($auth_name=null) 64 { 65 if (isset($auth_name)) { 66 $this->_auth = $auth_name; 67 $this->_sess .= $auth_name; 68 } 69 70 // Initialize default parameters. 71 $this->setParam($this->_default_params); 49 72 } 50 73 … … 87 110 function clearAuth() 88 111 { 89 $_SESSION['_auth_file'] = array('authenticated' => false); 90 } 91 112 $_SESSION[$this->_sess] = array('authenticated' => false); 113 } 114 115 116 /** 117 * Sets a variable into a registered auth session. 118 * 119 * @access public 120 * @param mixed $key Which value to set. 121 * @param mixed $val Value to set variable to. 122 */ 123 function setVal($key, $val) 124 { 125 if (!isset($_SESSION[$this->_sess]['user_data'])) { 126 $_SESSION[$this->_sess]['user_data'] = array(); 127 } 128 $_SESSION[$this->_sess]['user_data'][$key] = $val; 129 } 130 131 /** 132 * Returns a specified value from a registered auth session. 133 * 134 * @access public 135 * @param mixed $key Which value to return. 136 * @param mixed $default Value to return if key not found in user_data. 137 * @return mixed Value stored in session. 
138 */ 139 function getVal($key, $default='') 140 { 141 if (isset($_SESSION[$this->_sess][$key])) { 142 return $_SESSION[$this->_sess][$key]; 143 } else if (isset($_SESSION[$this->_sess]['user_data'][$key])) { 144 return $_SESSION[$this->_sess]['user_data'][$key]; 145 } else { 146 return $default; 147 } 148 } 92 149 /** 93 150 * Find out if a set of login credentials are valid. Only supports … … 104 161 { 105 162 if ('' == trim($password)) { 106 App::logMsg(_("No password provided for htpasswd authentication."), LOG_INFO, __FILE__, __LINE__); 107 return false; 108 } 163 App::logMsg(_("No password provided for authentication."), LOG_INFO, __FILE__, __LINE__); 164 return false; 165 } 166 167 // Load users file. 168 $this->_loadHTPasswdFile(); 109 169 110 170 if (!isset($this->_users[$username])) { … … 113 173 } 114 174 115 if ($this->_encrypt($password, $this->_users[$username]) == $this->_users[$username]) { 116 return true; 117 } else { 175 if ($this->_encrypt($password, $this->_users[$username]) != $this->_users[$username]) { 118 176 App::logMsg(sprintf('Authentication failed for user %s', $username), LOG_INFO, __FILE__, __LINE__); 119 177 return false; 120 178 } 179 180 // Authentication successful! 181 return true; 121 182 } 122 183 … … 137 198 $this->clearAuth(); 138 199 139 if ($this->authenticate($username, $password)) { 140 $_SESSION['_auth_file'] = array( 141 'authenticated' => true, 142 'username' => $username, 143 'login_datetime' => date('Y-m-d H:i:s'), 144 'last_access_datetime' => date('Y-m-d H:i:s'), 145 'remote_addr' => getRemoteAddr() 146 ); 147 return true; 148 } 149 return false; 200 if (!$this->authenticate($username, $password)) { 201 // No login: failed authentication! 
202 return false; 203 } 204 205 $_SESSION[$this->_sess] = array( 206 'authenticated' => true, 207 'username' => $username, 208 'login_datetime' => date('Y-m-d H:i:s'), 209 'last_access_datetime' => date('Y-m-d H:i:s'), 210 'remote_ip' => getRemoteAddr() 211 ); 212 213 // We're logged-in! 214 return true; 150 215 } 151 216 … … 162 227 function isLoggedIn() 163 228 { 164 if (isset($_SESSION['_auth_file'])) { 165 if (true === $_SESSION['_auth_file']['authenticated'] 166 && !empty($_SESSION['_auth_file']['username']) 167 && strtotime($_SESSION['_auth_file']['login_datetime']) > time() - $this->_params['login_timeout'] 168 && strtotime($_SESSION['_auth_file']['last_access_datetime']) > time() - $this->_params['idle_timeout'] 169 && $_SESSION['_auth_file']['remote_addr'] == getRemoteAddr() 170 ) { 171 $_SESSION['_auth_file']['last_access_datetime'] = date('Y-m-d H:i:s'); 172 return true; 173 } else if (true === $_SESSION['_auth_file']['authenticated']) { 229 // Some users will access from networks with a changing IP number (i.e. behind a proxy server). These users must be allowed entry by adding their IP to the list of trusted_networks. 230 if ($trusted_net = ipInRange(getRemoteAddr(), $this->_params['trusted_networks'])) { 231 $user_in_trusted_network = true; 232 App::logMsg(sprintf('User %s accessing from trusted network %s', $_SESSION[$this->_sess]['username'], $trusted_net), LOG_DEBUG, __FILE__, __LINE__); 233 } else if (preg_match('/proxy.aol.com$/i', getRemoteAddr(true))) { 234 $user_in_trusted_network = true; 235 App::logMsg(sprintf('User %s accessing from trusted network proxy.aol.com', $_SESSION[$this->_sess]['username']), LOG_DEBUG, __FILE__, __LINE__); 236 } else { 237 $user_in_trusted_network = false; 238 } 239 240 // Test login with information stored in session. Skip IP matching for users from trusted networks. 
241 if (isset($_SESSION[$this->_sess]) 242 && true === $_SESSION[$this->_sess]['authenticated'] 243 && !empty($_SESSION[$this->_sess]['username']) 244 && strtotime($_SESSION[$this->_sess]['login_datetime']) > time() - $this->_params['login_timeout'] 245 && strtotime($_SESSION[$this->_sess]['last_access_datetime']) > time() - $this->_params['idle_timeout'] 246 && ($_SESSION[$this->_sess]['remote_ip'] == getRemoteAddr() || $user_in_trusted_network) 247 ) { 248 // User is authenticated! 249 $_SESSION[$this->_sess]['last_access_datetime'] = date('Y-m-d H:i:s'); 250 return true; 251 } else if (isset($_SESSION[$this->_sess]) && true === $_SESSION[$this->_sess]['authenticated']) { 252 if (strtotime($_SESSION[$this->_sess]['last_access_datetime']) > time() - 43200) { 253 // Only raise message if last session is less than 12 hours old. 174 254 App::raiseMsg(_("Your session has closed. You need to log-in again."), MSG_NOTICE, __FILE__, __LINE__); 175 $this->clearAuth(); 176 return false; 177 } 178 } 255 } 256 257 // Log the reason for login expiration. 
258 $expire_reasons = array(); 259 if (empty($_SESSION[$this->_sess]['username'])) { 260 $expire_reasons[] = 'username not found'; 261 } 262 if (strtotime($_SESSION[$this->_sess]['login_datetime']) <= time() - $this->_params['login_timeout']) { 263 $expire_reasons[] = 'login_timeout expired'; 264 } 265 if (strtotime($_SESSION[$this->_sess]['last_access_datetime']) <= time() - $this->_params['idle_timeout']) { 266 $expire_reasons[] = 'idle_timeout expired'; 267 } 268 if ($_SESSION[$this->_sess]['remote_ip'] != getRemoteAddr() && !$user_in_trusted_network) { 269 $expire_reasons[] = sprintf('remote_ip not matched (%s != %s)', $_SESSION[$this->_sess]['remote_ip'], getRemoteAddr()); 270 } 271 App::logMsg(sprintf('User %s session expired: %s', $_SESSION[$this->_sess]['username'], join(', ', $expire_reasons)), LOG_INFO, __FILE__, __LINE__); 272 } 273 179 274 return false; 180 275 } … … 193 288 { 194 289 if (!$this->isLoggedIn()) { 195 // Display message for requiring login. 290 // Display message for requiring login. (RaiseMsg will ignore empty strings.) 196 291 App::raiseMsg($message, $type, $file, $line); 197 292 … … 200 295 App::dieURL($this->_params['login_url']); 201 296 } 297 } 298 299 /* 300 * Reads the configured htpasswd file into the _users array. 301 * 302 * @access public 303 * @return false on error, true on success. 
304 * @author Quinn Comendant <quinn@strangecode.com> 305 * @version 1.0 306 * @since 18 Apr 2006 18:17:48 307 */ 308 function _loadHTPasswdFile() 309 { 310 static $users = null; 311 312 if (!file_exists($this->_params['htpasswd_file'])) { 313 App::logMsg(sprintf('htpasswd file missing or not specified: %s', $this->_params['htpasswd_file']), LOG_ERR, __FILE__, __LINE__); 314 return false; 315 } 316 317 if (!isset($users)) { 318 if (false === ($users = file($this->_params['htpasswd_file']))) { 319 App::logMsg(sprintf(_("Could not read htpasswd file: %s"), $this->_params['htpasswd_file']), LOG_ERR, __FILE__, __LINE__); 320 return false; 321 } 322 } 323 324 if (is_array($users)) { 325 foreach ($users as $u) { 326 list($user, $pass) = explode(':', $u, 2); 327 $this->_users[trim($user)] = trim($pass); 328 } 329 return true; 330 } 331 return false; 202 332 } 203 333 -
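Review bot: In isLoggedIn() the trusted-network log messages at new lines 232 and 235 read `$_SESSION[$this->_sess]['username']` before the `isset($_SESSION[$this->_sess])` check at line 241, so an unauthenticated visitor arriving from a trusted network produces an undefined-index notice and an empty username in the log; moving that block inside the `isset` branch, or logging `isset($_SESSION[$this->_sess]['username']) ? $_SESSION[$this->_sess]['username'] : '(none)'`, avoids it. In authenticate() the password-hash comparison should be strict, `if ($this->_encrypt($password, $this->_users[$username]) !== $this->_users[$username]) {`, so that only an identical string passes. In _loadHTPasswdFile() the `static $users` local is assigned the result of `file()` even when it is `false`, and `isset(false)` is true, so one transient read failure is cached for the rest of the process and every later login fails without re-reading the file; assign the static only on success. The `/proxy.aol.com$/i` exemption trusts a reverse-DNS hostname suffix with an unescaped `.`; it should at least be `preg_quote`d, and is better expressed as a `trusted_networks` entry so all bypasses go through one configured list.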
trunk/lib/Auth_SQL.inc.php
r102 r103 25 25 var $_default_params = array( 26 26 27 // Message displayed by requireLogin().28 'login_required_message' => 'Please login',29 30 27 // Automatically create table and verify columns. Better set to false after site launch. 31 28 'create_table' => true, … … 77 74 'login_abuse_exempt_usernames' => array(), 78 75 79 // An array of IP blocks that are bypass the remote_ addrcomparison check. Useful for dynamic IPs or those behind proxy servers.76 // An array of IP blocks that are bypass the remote_ip comparison check. Useful for dynamic IPs or those behind proxy servers. 80 77 'trusted_networks' => array(), 81 78 … … 209 206 210 207 /** 208 * Set the params of an auth object. 209 * 210 * @param array $params Array of parameter keys and value to set. 211 * @return bool true on success, false on failure 212 */ 213 function setParam($params) 214 { 215 if (isset($params) && is_array($params)) { 216 // Merge new parameters with old overriding only those passed. 217 $this->_params = array_merge($this->_params, $params); 218 } 219 } 220 221 /** 222 * Return the value of a parameter, if it exists. 223 * 224 * @access public 225 * @param string $param Which parameter to return. 226 * @return mixed Configured parameter value. 227 */ 228 function getParam($param) 229 { 230 if (isset($this->_params[$param])) { 231 return $this->_params[$param]; 232 } else { 233 App::logMsg(sprintf('Parameter is not set: %s', $param), LOG_DEBUG, __FILE__, __LINE__); 234 return null; 235 } 236 } 237 238 /** 239 * Clear any authentication tokens in the current session. A.K.A. logout. 240 * 241 * @access public 242 */ 243 function clearAuth() 244 { 245 $this->initDB(); 246 247 DB::query(" 248 UPDATE " . $this->_params['db_table'] . " SET 249 seconds_online = seconds_online + (UNIX_TIMESTAMP() - UNIX_TIMESTAMP(last_access_datetime)), 250 last_login_datetime = '0000-00-00 00:00:00' 251 WHERE " . $this->_params['db_primary_key'] . " = '" . $this->getVal('user_id') . 
"' 252 "); 253 $_SESSION['_auth_file'] = array('authenticated' => false); 254 } 255 256 /** 211 257 * Sets a variable into a registered auth session. 212 258 * … … 240 286 return $default; 241 287 } 242 }243 244 /**245 * Set the params of an auth object.246 *247 * @param array $params Array of parameter keys and value to set.248 * @return bool true on success, false on failure249 */250 function setParam($params)251 {252 if (isset($params) && is_array($params)) {253 // Merge new parameters with old overriding only those passed.254 $this->_params = array_merge($this->_params, $params);255 }256 }257 258 /**259 * Return the value of a parameter, if it exists.260 *261 * @access public262 * @param string $param Which parameter to return.263 * @return mixed Configured parameter value.264 */265 function getParam($param)266 {267 if (isset($this->_params[$param])) {268 return $this->_params[$param];269 } else {270 App::logMsg(sprintf('Parameter is not set: %s', $param), LOG_DEBUG, __FILE__, __LINE__);271 return null;272 }273 }274 275 /**276 * Clear any authentication tokens in the current session. A.K.A. logout.277 *278 * @access public279 */280 function clearAuth()281 {282 $this->initDB();283 284 DB::query("285 UPDATE " . $this->_params['db_table'] . " SET286 seconds_online = seconds_online + (UNIX_TIMESTAMP() - UNIX_TIMESTAMP(last_access_datetime)),287 last_login_datetime = '0000-00-00 00:00:00'288 WHERE " . $this->_params['db_primary_key'] . " = '" . $this->getVal('user_id') . 
"'289 ");290 $_SESSION[$this->_sess] = array();291 $_SESSION[$this->_sess]['authenticated'] = false;292 288 } 293 289 … … 532 528 $expire_reasons[] = 'idle_timeout expired'; 533 529 } 534 if ($_SESSION[ $this->_sess]['remote_ip'] != getRemoteAddr()) {530 if ($_SESSION['_auth_file']['remote_ip'] != getRemoteAddr() && !$user_in_trusted_network) { 535 531 $expire_reasons[] = sprintf('remote_ip not matched (%s != %s)', $_SESSION[$this->_sess]['remote_ip'], getRemoteAddr()); 536 532 } … … 556 552 { 557 553 if (!$this->isLoggedIn()) { 558 // Display message for requiring login. 554 // Display message for requiring login. (RaiseMsg will ignore empty strings.) 559 555 App::raiseMsg($message, $type, $file, $line); 560 556 -
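Review bot: The relocated clearAuth() (new line 253) now resets `$_SESSION['_auth_file']` instead of the `$_SESSION[$this->_sess]` key that the removed version (old lines 290–291) used, so a logout no longer clears the Auth_SQL session and isLoggedIn() keeps returning true until a timeout expires. The same hard-coded key appears in the expire-reason check at new line 530, `$_SESSION['_auth_file']['remote_ip']`, while the sprintf on the following line still reads `$_SESSION[$this->_sess]['remote_ip']`, so the two lines inspect different arrays. Restore `$_SESSION[$this->_sess] = array('authenticated' => false);` in clearAuth() and `$_SESSION[$this->_sess]['remote_ip']` at line 530; the Auth_File version of clearAuth() in this same changeset already uses `$this->_sess`.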
trunk/lib/Utilities.inc.php
r102 r103 104 104 105 105 /** 106 * Returns text with stylistic modifications. 106 * Returns text with stylistic modifications. Warning: this will break some HTML attibutes! 107 * FIXME: Allow a string such as this to be passted: <a href="javascript:openPopup('/foo/bar.php')">Click here</a> 107 108 * 108 109 * @param string $txt Text to clean. … … 111 112 function fancyTxt($txt) 112 113 { 113 return $txt; /// FIXME. 114 115 // $search = array(); 116 // $replace = array(); 117 // 118 // // "double quoted text" becomes “double quoted text” 119 // $search['double_quotes'] = '/(^|[^\w=])(?:"|"|"|"|“)([^"]+?)(?:"|"|"|"|”)([^\w]|$)/'; // " is the same as " and " and " 120 // $replace['double_quotes'] = '\\1“\\2”\\3'; 121 // 122 // // text's apostrophes become text’s apostrophes 123 // $search['apostrophe'] = '/(\w)(?:\'|'|')(\w)/'; 124 // $replace['apostrophe'] = '\\1’\\2'; 125 // 126 // // 'single quoted text' becomes ‘single quoted text’ 127 // $search['single_quotes'] = '/(^|[^\w=])(?:\'|'|‘)([^\']+?)(?:\'|'|’)([^\w]|$)/'; 128 // $replace['single_quotes'] = '\\1‘\\2’\\3'; 129 // 130 // // em--dashes become em—dashes 131 // $search['em_dash'] = '/(\s*[^!<-])--([^>-]\s*)/'; 132 // $replace['em_dash'] = '\\1—\\2'; 133 // 134 // return preg_replace($search, $replace, $txt); 114 $search = array(); 115 $replace = array(); 116 117 // "double quoted text" becomes “double quoted text” 118 $search['double_quotes'] = '/(^|[^\w=])(?:"|"|"|"|“)([^"]+?)(?:"|"|"|"|”)([^\w]|$)/ms'; // " is the same as " and " and " 119 $replace['double_quotes'] = '$1“$2”$3'; 120 121 // text's apostrophes become text’s apostrophes 122 $search['apostrophe'] = '/(\w)(?:\'|'|')(\w)/ms'; 123 $replace['apostrophe'] = '$1’$2'; 124 125 // 'single quoted text' becomes ‘single quoted text’ 126 $search['single_quotes'] = '/(^|[^\w=])(?:\'|'|‘)([^\']+?)(?:\'|'|’)([^\w]|$)/ms'; 127 $replace['single_quotes'] = '$1‘$2’$3'; 128 129 // plural posessives' apostrophes become posessives’ 130 $search['apostrophes'] = 
'/(s)(?:\'|'|')(\s)/ms'; 131 $replace['apostrophes'] = '$1’$2'; 132 133 // em--dashes become em—dashes 134 $search['em_dash'] = '/(\s*[^!<-])--([^>-]\s*)/'; 135 $replace['em_dash'] = '$1—$2'; 136 137 return preg_replace($search, $replace, $txt); 135 138 } 136 139 -
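Review bot: The re-enabled fancyTxt() patterns contain literal curly-quote characters and use `\w`, but none carries the `u` modifier, so on UTF-8 input the multibyte quotes are matched byte-wise and `\w` stays ASCII-only; adding `u` (and `ms` on the em_dash pattern, the only one without it, e.g. `'/(\s*[^!<-])--([^>-]\s*)/msu'`) keeps the five patterns consistent, with the caveat that `u` makes the call fail on invalid UTF-8 input. preg_replace() with an array of patterns returns null when any pattern fails to compile or match, so the caller would receive null instead of its text; returning `$txt` when the result is null, or checking `preg_last_error()`, is a cheap guard given the FIXME already noted in the docblock. As rendered, the apostrophe alternatives `(?:\'|'|')` show a bare `'` inside a single-quoted PHP string, which would terminate the literal; this may be entity decoding by the changeset viewer and is worth confirming against the committed source.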
trunk/services/login.php
r102 r103 16 16 17 17 if (getFormdata('username', false)) { 18 / * form has been submitted, check if the user login information is correct */18 // Form has been submitted, check if the user login information is correct. 19 19 20 20 if ($auth->login($frm['username'], $frm['password'])) { -
trunk/services/logout.php
r102 r103 5 5 */ 6 6 7 require_once 'codebase/lib/RecordLock.inc.php'; 8 9 // Delete this admin's record locks. 10 if (!isset($lock) || !is_a($lock, 'RecordLock')) { 7 if (is_a($auth_object, 'Auth_SQL')) { 8 // Delete the current user's record locks. 9 require_once 'codebase/lib/RecordLock.inc.php'; 11 10 $lock =& RecordLock::getInstance($auth); 11 $lock->removeAll($auth->getVal('user_id')); 12 12 } 13 $lock->removeAll($auth->getVal('user_id'));14 13 15 14 // Logout.
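Review bot: The new guard tests `$auth_object`, but the body uses `$auth` in `RecordLock::getInstance($auth)` and `$auth->getVal('user_id')`; unless `$auth_object` is defined by the including page, `is_a(null, 'Auth_SQL')` is false and record locks are never removed on logout. Use one name consistently, e.g. `if (is_a($auth, 'Auth_SQL')) {`. The removed version also reused an existing `$lock` instance instead of always calling getInstance(); if the Auth_File path is expected to hold no locks, a one-line comment saying so would make the new conditional's intent clear.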