| <?php 
// ----------------------------------------------------------------------
// LEMP - Lightweight Efficient Modular PHP Application Framework
//  @copyright 2002-2003 The CGI Open Source Federation. (http://cosf.sf.net)
//  @version $Id: auth.php,v 1.13 2004/05/16 20:59:10 cogs Exp $
// ----------------------------------------------------------------------
// LICENSE
// This program is free software; you can redistribute it and/or
// modify it under the terms of the GNU General Public License (GPL)
// as published by the Free Software Foundation; either version 2
// of the License, or (at your option) any later version.
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
// GNU General Public License for more details.
// You should have recieved the lincence included with the disribution.
// If not visit http://www.gnu.org/copyleft/gpl.html
// ----------------------------------------------------------------------
/**
 * User Manage is a compact suite which can easily be used to any PHP script.
 * We modeled it like a puzzle: the "core" handles basic
 * authentication, and can be extended with modules which include
 * a database handler that help top-level modules like a permissions
 * handler.  Developers can now build applications with the standard user
 * authentication complete, and with drop-in modules, they can handle extra user
 * information and functions with compact objects.
 */
class UM extends LEMP {
    /**
     * UM::UM() User Manage's constructor method.
     * 
     * @access private 
     * @return void 
     */
    function UM ()
    {
        LEMP::LEMP ();
    } 
    /**
     * UM::create_user() Add a new user to the database.
     * 
     * @param string $uname Username of the user to be created.
     * @param string $CreatePassword Password of the user to be created.
     * @param string $ConfirmCreatePassword Used to confirm the password of the user to be created.
     * @return boolean Successful | Unsuccessful
     */
    function create_user ($uname, $pass, $confirm_pass)
    {
        $trig_args = compact('uname', 'pass', 'confirm_pass');
        trigger_event ('auth:create_user:pre', $trig_args);
        $table = get_table_columns('auth_user_info');
        // Check if the password fields are set
        if ($pass == '' || $confirm_pass == '') {
            $errors[] = AUTH_PW_NOT_ENTERED;
        } 
        // Check pass length
        if (!empty ($auth_config['min_pass_length']) && strlen($pass) < $auth_config['min_pass_length']) {
            $errors[] = AUTH_PW_SHORT;
        } 
        if (!empty ($auth_config['max_pass_length']) && strlen($pass) > $auth_config['max_pass_length']) {
            $errors[] = AUTH_PW_LONG;
        } 
        // Check if pass matches confirm pass
        if ($pass != $confirm_pass) {
            $errors[] = AUTH_PW_MISMATCH;
        } 
        // Check for errors
        // If so, return false and add the errors
        if (isset($errors)) {
            trigger_event ('auth:create_user:unsuccessful', $trig_args);
            return error_add ($errors);
        } 
        // Create md5 hash of password.  Passwords are always encrypted
        $pass = md5 ($pass); 
        // Check if username is in use
        $count = $this->db->query_fetch ("SELECT COUNT(*) FROM {$table['_name']} WHERE {$table['uname']} = '" . addslashes($uname) . '\';', LEMP_SCALAR); 
        // If count is 0 than uname is free.
        if ($count == 0) {
            // Increment id
            $nextuid = $this->db->query_fetch ("SELECT {$table['uid']} FROM {$table['_name']} ORDER BY {$table['uid']} DESC LIMIT 1;", LEMP_SCALAR);
            if ($nextuid == '' || ++$nextuid < 0) {
                $nextuid = 0;
            } 
            $result = $this->db->query ("INSERT INTO {$table['_name']} SET {$table['uname']} = '" . addslashes($uname) . "', {$table['pass']} = '" . addslashes ($pass) . "', {$table['uid']} = '$nextuid';");
            if ($result == false) {
                trigger_event ('auth:create_user:unsuccessful', $trig_args);
                return error_add ('Could not add new user', __FILE__, __LINE__, true);
            } 
            $trig_args['uid'] = $nextuid;
            trigger_event ('auth:create_user:successful', $trig_args);
            return $nextuid;
        } else { // If not return FALSE and add error
            return error_add (AUTH_DUP_UNAME);
        } 
    } 
    /**
     * UM::modify_user() Modify user information.
     * 
     * @param integer $UID User ID of user to modify.
     * @param string $uname Replace username with $uname.
     * @param string $pass Replace user's password with $pass.
     * @param string $confirm_pass Used to confirm the new password.
     * @return boolean 
     */
    function modify_user ($uid, $uname = '', $pass = '', $confirm_pass = '')
    {
        $count = 0;
        $trig_args = compact('pass', 'confirm_pass', 'uname', 'uid');
        trigger_event ('auth:modify_user:pre', $trig_args);
        $table = get_config('tables', 'auth_user_info'); 
        // Check if uid is a number
        if (!is_numeric($uid)) {
            $errors[] = AUTH_INCORRECT_UID;
        } 
        // Check if the password fields are set
        if ($pass != '' || $confirm_pass != '') {
            // Check pass length
            if (!empty ($auth_config['min_pass_length']) && strlen($pass) < $auth_config['min_pass_length']) {
                $errors[] = AUTH_PW_SHORT;
            } 
            if (!empty ($auth_config['max_pass_length']) && strlen($pass) > $auth_config['max_pass_length']) {
                $errors[] = AUTH_PW_LONG;
            } 
            // Check if pass matches confirm pass
            if ($pass != $confirm_pass) {
                $errors[] = AUTH_PW_MISMATCH;
            } 
        } else {
            // Create md5 hash of password.  passs are always encrypted.
            $pass = md5 ($pass);
        } 
        // Check if username exists
        if ($uname != '') {
            $count = $this->db->query_fetch ("SELECT COUNT(*) FROM {$table['_name']} WHERE {$table['uname']} = '" . addslashes($uname) . "' && {$table['uid']} != '" . addslashes($uid) . '\';', LEMP_SCALAR);
            if ($count === false) {
                return error_add ('Could not get a count of existing users named: ' . $uname, __FILE__, __LINE__, true);
            } 
        } 
        // Return false and add append to log if any errors are found
        if (isset($errors)) {
            trigger_event ('auth:modify_user:unsuccessful', $trig_args);
            return error_add ($errors);
        } 
        // If count is 1 than uname exists.
        if ($uname == '' && $pass != '') {
            $result = $this->db->query ("UPDATE {$table['_name']} SET {$table['pass']} = '" . addslashes ($pass) . "' WHERE {$table['uid']} = '" . addslashes ($uid) . '\';');
        } elseif ($count == 0 && $uname != '') {
            $query = "UPDATE {$table['_name']} SET {$table['uname']} = '" . addslashes ($uname) . "'";
            if ($pass != '') {
                $query .= ", {$table['pass']} = '" . addslashes ($pass) . '\'';
            } 
            $query .= " WHERE {$table['uid']} = '" . addslashes ($uid) . '\';';
            $result = $this->db->query ($query);
        } else { // If not return FALSE and add error
            return error_add (AUTH_DUP_UNAME);
        } 
        if ($result == false) {
            trigger_event ('auth:modify_user:unsuccessful', $trig_args);
            return error_add ('Could not add new user', __FILE__, __LINE__, true);
        } 
        trigger_event ('auth:modify_user:successful', $trig_args);
        return true;
    } 
    /**
     * UM::delete_user() Delete a user from database.
     * 
     * @param string $uid user id of user to delete
     * @return result 
     */
    function delete_user ($uid)
    {
        $table = get_table_columns('auth_user_info');
        $return = $this->dbquery ("DELETE FROM {$table['_name']} WHERE {$table['uid']} = '" . addslashes($uid) . '\' LIMIT 1;');
        if (!$return) {
            return error_add ('Could not remove uid: ' . $uid);
            trigger_event ('auth:delete_user:unsuccessful', array($uid));
        } 
        trigger_event ('auth:delete_user:successful', array($uid));
        return true;
    } 
    /**
     * UM::is_user() Checks if a user exists.
     * 
     * @param string $user The username of the user.
     * @return boolean 
     */
    function is_user ($user)
    {
        $table = get_table_columns('auth_user_info');
        $result = $this->dbquery ("SELECT count(*) >= 1 FROM {$table['_name']} WHERE {$table['uname']} = '" . addslashes ($user) . '\' LIMIT 1;');
        if ($result === false) {
            return error_add ("Could not get uid of user: $user", __FILE__, __LINE__, true);
        } elseif ($result == '1') {
            return true;
        } else {
            return false;
        } 
    } 
    /**
     * UM::get_uid() Get user id from user name.
     * 
     * @param string $uname 
     */
    function get_uid ($uname = '')
    {
        $table = get_table_columns('auth_user_info');
        $result = $this->dbquery ("SELECT {$table['uid']} FROM {$table['_name']} WHERE {$table['uname']} = '" . addslashes($uname) . '\' LIMIT 1;');
        return ($result === false)? false : $db->fetch ($result, LEMP_SCALAR);
    } 
    /**
     * UM::get_uname() Get user name from uid.
     * 
     * @param string $uid The user's userid.
     * @return result 
     */
    function get_uname ($uid)
    {
        $table = get_table_columns('auth_user_info');
        $result = $this->dbquery ("SELECT {$table['uname']} FROM {$table['_name']} WHERE {$table['uid']} = '" . addslashes($uid) . '\' LIMIT 1;');
        return ($result === false)? false : $this->dbfetch ($result, LEMP_SCALAR);
    } 
} 
/*
 * This authentication object handles the current logged in user.
 */
class auth extends UM {
    var $access; // Stores login status of user.
    var $uname; // Username
    var $uid; // User id
    var $pass; // Encrypted user pass
    var $sid; // User's current session (stored in database)
    var $authok; // Session ID (stored on client)
    /**
     * auth::auth() Auth's constructor.  Invoked when class is initiated.  Prepares variables for use.
     * 
     * @param bool|int $uid set to false of you do not want to check for cookies.
     * @access private 
     * @return void 
     */
    function auth ($uid = '')
    {
        UM::UM ();
        $this->access = 0;
        $auth_config = get_config('auth_config');
        if (isset($this->in[$auth_config['session_name']])) {
            $this->authok = $this->in[$auth_config['session_name']];
        } 
        // echo 'HERE';
        // var_dump ($_REQUEST);
        // exit ();
        if ($this->verify_session() === true) {
            if (isset($this->authok)) {
                $table = get_table_columns('auth_user_info');
                $userdat = $this->dbquery_fetch ("SELECT * FROM {$table['_name']} WHERE {$table['sid']} = '{$this->authok}' LIMIT 1;");
                $this->uname = $userdat['uname'];
                $this->uid = $userdat['uid'];
                $this->pass = $userdat['pass'];
                $this->sid = $userdat['sid'];
                $this->access = 1;
            } 
        } 
    } 
    /**
     * auth::verify_session() Check if user is logged in.
     * 
     * @param boolean $must_login Set if user must be logged in
     * @return boolean This function returns TRUE, if logged in, or FALSE if not
     */
    function verify_session ($must_login = false)
    {
        $auth_config = get_config('auth_config');
        if (empty($auth_config['scheme']) || $auth_config['scheme'] != 'cookie') {
            $result = trigger_event ('auth:verify_session:alternative', array('must_login' => $must_login), 1);
            if ($result === false) {
                return ($must_login)? error_add (AUTH_NOT_LOGED_IN) : false;
            } else {
                return true;
            } 
        } 
        $table = get_table_columns('auth_user_info');
        if (!isset($this->authok)) { // Is cookie set?
            $this->access = 0;
            return ($must_login)? error_add (AUTH_NOT_LOGED_IN) : false;
        } else {
            // Check if sid matches in database
            $result = $this->dbquery_fetch ("SELECT count(*) >= 1 FROM {$table['_name']} WHERE {$table['sid']} = '{$this->authok}';", LEMP_SCALAR);
            if ($result == '1') { // Check to see if authok matches sid
                return true;
            } else {
                return error_add (AUTH_SESSION_TIMEOUT);
            } 
        } 
    } 
    /**
     * auth::logout() Log-Out the current user.
     * 
     * @return true 
     */
    function logout ()
    {
        trigger_event ('auth:logout:pre'); 
        // Get config vars
        $auth_config = get_config('auth_config');
        $table = get_table_columns('auth_user_info');
        $hostname = get_config('config', 'hostname');
        if (empty ($hostname)) {
            $hostname = $_SERVER['HTTP_HOST'];
        } 
        $this->dbquery ("UPDATE {$table['_name']} SET {$table['sid']} = '' WHERE {$table['uid']} = '{$this->uid}';");
        if (empty($auth_config['scheme']) || $auth_config['scheme'] == 'cookie') {
            session_start ();
            session_unset ();
            session_destroy ();
            setcookie ($auth_config['session_name'], '', time() - $auth_config['session_expire'], "/", $hostname, 0);
        } else {
            trigger_event ('auth:logout:alternate', $args);
        } 
        trigger_event ('auth:logout:successful');
        return true;
    } 
    /**
     * auth::check_login() Check whether username matches a password in the database
     * 
     * @param string $username 
     * @param string $password 
     * @param string $error Pass a reference to collect any errors.  ex)
     * check_login ($username, $password, &$error);
     * if there are any errors, $error will contain the error message either AUTH_UNAME_NOT_FOUND or AUTH_BAD_PW
     * @return bool true or false depending on results
     */
    function check_login ($username, $password, $error = '')
    {
        $table = get_table_columns('auth_user_info');
        $trig_args = array ($username, $password);
        trigger_event ('auth:check_login:pre', $trig_args); 
        // Check if user exists and get user info
        $password = md5($password);
        $user_pass = $this->dbquery_fetch ("SELECT {$table['pass']} FROM {$table['_name']} WHERE {$table['uname']} = '" . addslashes ($username) . '\' LIMIT 1;', LEMP_SCALAR);
        if (!$user_pass) {
            $error = AUTH_UNAME_NOT_FOUND;
        } elseif ($password != $user_pass) {
            $error = AUTH_BAD_PW;
        } 
        if ($error != '') {
            trigger_event ('auth:check_login:unsuccessful', $trig_args);
            return false;
        } else {
            return true;
        } 
    } 
    /**
     * auth::login() Login current user
     * 
     * @param string $UserName Username of the user to be logged in.
     * @param string $Password Password of the user to be logged in.
     * @param string $mode Accepts 'normal', 'persistent', or 'secure'.
     * In normal mode, the cookie will last $auth_config['session_expire'] (set in config.php).
     * In persistent mode, the cookie will last $auth_config['session_expire_ext'] (set in config.php).
     * In secure mode, the cookie will expire when the browser is closed.
     * @return bool Successful | Not Successful
     */
    function login ($username, $password, $mode = 'normal')
    {
        $trig_args = compact('username', 'password', 'mode'); 
        // Get config vars
        $table = get_table_columns('auth_user_info');
        $hostname = get_config('config', 'hostname'); // Get config vars 
        if (empty ($hostname)) {
            $hostname = $_SERVER['HTTP_HOST'];
        } 
        $auth_config = get_config('auth_config');
        trigger_event ('auth:login:pre', $trig_args); 
        // Check if user exists and get user info
        if ($this->check_login ($username, $password, &$error) !== true) {
            trigger_event ('auth:login:unsuccessful', $trig_args);
            return error_add ($error);
        } 
        if (empty($auth_config['scheme']) || $auth_config['scheme'] == 'cookie') {
            session_start();
            $sid = session_id();
            $this->dbquery ("UPDATE {$table['_name']} SET {$table['sid']} = '$sid' WHERE {$table['uname']} = '" . addslashes ($username) . '\' LIMIT 1;');
            $session_expire = ($mode == 'secure')? 0 : ($mode == 'persistent')? time() + $auth_config['session_expire_ext'] : time() + $auth_config['session_expire'];
            $return = setcookie ($auth_config['session_name'], $sid, $session_expire, "/", $hostname, 0);
        } else {
            trigger_event ('auth:login:alternate', $trig_args);
        } 
        trigger_event ('auth:login:successful', $trig_args);
        return true;
    } 
} 
?>
 |