phpBB/includes/auth/auth_apache.php

   1 <?php
   2 /**
   3 * Apache auth plug-in for phpBB3
   4 *
   5 * Authentication plug-ins is largely down to Sergey Kanareykin, our thanks to him.
   6 *
   7 * @package login
   8 * @version $Id$
   9 * @copyright (c) 2005 phpBB Group
  10 * @license http://opensource.org/licenses/gpl-license.php GNU Public License
  11 *
  12 */
  13
  14 /**
  15 * @ignore
  16 */
  17 if (!defined('IN_PHPBB'))
  18 {
  19         exit;
  20 }
  21
  22 /**
  23 * Checks whether the user is identified to apache
  24 * Only allow changing authentication to apache if the user is identified
  25 * Called in acp_board while setting authentication plugins
  26 *
  27 * @return boolean|string false if the user is identified and else an error message
  28 */
  29 function init_apache()
  30 {
  31         if (!isset($_SERVER['PHP_AUTH_USER']) || phpbb::$user->data['username'] !== $_SERVER['PHP_AUTH_USER'])
  32         {
  33                 return phpbb::$user->lang['APACHE_SETUP_BEFORE_USE'];
  34         }
  35         return false;
  36 }
  37
  38 /**
  39 * Login function
  40 */
  41 function login_apache(&$username, &$password)
  42 {
  43         // do not allow empty password
  44         if (!$password)
  45         {
  46                 return array(
  47                         'status'        => LOGIN_ERROR_PASSWORD,
  48                         'error_msg'     => 'NO_PASSWORD_SUPPLIED',
  49                         'user_row'      => array('user_id' => ANONYMOUS),
  50                 );
  51         }
  52
  53         if (!$username)
  54         {
  55                 return array(
  56                         'status'        => LOGIN_ERROR_USERNAME,
  57                         'error_msg'     => 'LOGIN_ERROR_USERNAME',
  58                         'user_row'      => array('user_id' => ANONYMOUS),
  59                 );
  60         }
  61
  62         if (!isset($_SERVER['PHP_AUTH_USER']))
  63         {
  64                 return array(
  65                         'status'                => LOGIN_ERROR_EXTERNAL_AUTH,
  66                         'error_msg'             => 'LOGIN_ERROR_EXTERNAL_AUTH_APACHE',
  67                         'user_row'              => array('user_id' => ANONYMOUS),
  68                 );
  69         }
  70
  71         $php_auth_user = $_SERVER['PHP_AUTH_USER'];
  72         $php_auth_pw = $_SERVER['PHP_AUTH_PW'];
  73
  74         if (!empty($php_auth_user) && !empty($php_auth_pw))
  75         {
  76                 if ($php_auth_user !== $username)
  77                 {
  78                         return array(
  79                                 'status'        => LOGIN_ERROR_USERNAME,
  80                                 'error_msg'     => 'LOGIN_ERROR_USERNAME',
  81                                 'user_row'      => array('user_id' => ANONYMOUS),
  82                         );
  83                 }
  84
  85                 $sql = 'SELECT user_id, username, user_password, user_passchg, user_email, user_type
  86                         FROM ' . USERS_TABLE . "
  87                         WHERE username = '" . phpbb::$db->sql_escape($php_auth_user) . "'";
  88                 $result = phpbb::$db->sql_query($sql);
  89                 $row = phpbb::$db->sql_fetchrow($result);
  90                 phpbb::$db->sql_freeresult($result);
  91
  92                 if ($row)
  93                 {
  94                         // User inactive...
  95                         if ($row['user_type'] == phpbb::USER_INACTIVE || $row['user_type'] == phpbb::USER_IGNORE)
  96                         {
  97                                 return array(
  98                                         'status'                => LOGIN_ERROR_ACTIVE,
  99                                         'error_msg'             => 'ACTIVE_ERROR',
 100                                         'user_row'              => $row,
 101                                 );
 102                         }
 103
 104                         // Successful login...
 105                         return array(
 106                                 'status'                => LOGIN_SUCCESS,
 107                                 'error_msg'             => false,
 108                                 'user_row'              => $row,
 109                         );
 110                 }
 111
 112                 // this is the user's first login so create an empty profile
 113                 return array(
 114                         'status'                => LOGIN_SUCCESS_CREATE_PROFILE,
 115                         'error_msg'             => false,
 116                         'user_row'              => user_row_apache($php_auth_user, $php_auth_pw),
 117                 );
 118         }
 119
 120         // Not logged into apache
 121         return array(
 122                 'status'                => LOGIN_ERROR_EXTERNAL_AUTH,
 123                 'error_msg'             => 'LOGIN_ERROR_EXTERNAL_AUTH_APACHE',
 124                 'user_row'              => array('user_id' => ANONYMOUS),
 125         );
 126 }
 127
 128 /**
 129 * Autologin function
 130 *
 131 * @return array containing the user row or empty if no auto login should take place
 132 */
 133 function autologin_apache()
 134 {
 135         if (!isset($_SERVER['PHP_AUTH_USER']))
 136         {
 137                 return array();
 138         }
 139
 140         $php_auth_user = $_SERVER['PHP_AUTH_USER'];
 141         $php_auth_pw = $_SERVER['PHP_AUTH_PW'];
 142
 143         if (!empty($php_auth_user) && !empty($php_auth_pw))
 144         {
 145                 set_var($php_auth_user, $php_auth_user, 'string', true);
 146                 set_var($php_auth_pw, $php_auth_pw, 'string', true);
 147
 148                 $sql = 'SELECT *
 149                         FROM ' . USERS_TABLE . "
 150                         WHERE username = '" . phpbb::$db->sql_escape($php_auth_user) . "'";
 151                 $result = phpbb::$db->sql_query($sql);
 152                 $row = phpbb::$db->sql_fetchrow($result);
 153                 phpbb::$db->sql_freeresult($result);
 154
 155                 if ($row)
 156                 {
 157                         return ($row['user_type'] == phpbb::USER_INACTIVE || $row['user_type'] == phpbb::USER_IGNORE) ? array() : $row;
 158                 }
 159
 160                 if (!function_exists('user_add'))
 161                 {
 162                         include(PHPBB_ROOT_PATH . 'includes/functions_user.' . PHP_EXT);
 163                 }
 164
 165                 // create the user if he does not exist yet
 166                 user_add(user_row_apache($php_auth_user, $php_auth_pw));
 167
 168                 $sql = 'SELECT *
 169                         FROM ' . USERS_TABLE . "
 170                         WHERE username_clean = '" . phpbb::$db->sql_escape(utf8_clean_string($php_auth_user)) . "'";
 171                 $result = phpbb::$db->sql_query($sql);
 172                 $row = phpbb::$db->sql_fetchrow($result);
 173                 phpbb::$db->sql_freeresult($result);
 174
 175                 if ($row)
 176                 {
 177                         return $row;
 178                 }
 179         }
 180
 181         return array();
 182 }
 183
 184 /**
 185 * This function generates an array which can be passed to the user_add function in order to create a user
 186 */
 187 function user_row_apache($username, $password)
 188 {
 189         // first retrieve default group id
 190         $sql = 'SELECT group_id
 191                 FROM ' . GROUPS_TABLE . "
 192                 WHERE group_name_clean = '" . phpbb::$db->sql_escape('registered') . "'
 193                         AND group_type = " . GROUP_SPECIAL;
 194         $result = phpbb::$db->sql_query($sql);
 195         $row = phpbb::$db->sql_fetchrow($result);
 196         phpbb::$db->sql_freeresult($result);
 197
 198         if (!$row)
 199         {
 200                 trigger_error('NO_GROUP');
 201         }
 202
 203         // generate user account data
 204         return array(
 205                 'username'              => $username,
 206                 'user_password' => phpbb_hash($password),
 207                 'user_email'    => '',
 208                 'group_id'              => (int) $row['group_id'],
 209                 'user_type'             => phpbb::USER_NORMAL,
 210                 'user_ip'               => phpbb::$user->ip,
 211         );
 212 }
 213
 214 /**
 215 * The session validation function checks whether the user is still logged in
 216 *
 217 * @return boolean true if the given user is authenticated or false if the session should be closed
 218 */
 219 function validate_session_apache(&$user)
 220 {
 221         // We only need to check authenticated users. For anonymous user as well as bots the session of course did not expire.
 222         if ($user['user_id'] == ANONYMOUS)
 223         {
 224                 return true;
 225         }
 226
 227         // Checking for a bot is a bit mroe complicated... but we are able to check this with the user type (anonymous has the same as bots)
 228         if ($user['user_type'] == USER_IGNORE)
 229         {
 230                 return true;
 231         }
 232
 233         if (!isset($_SERVER['PHP_AUTH_USER']))
 234         {
 235                 $php_auth_user = '';
 236                 set_var($php_auth_user, $_SERVER['PHP_AUTH_USER'], 'string', true);
 237
 238                 return ($php_auth_user === $user['username']) ? true : false;
 239         }
 240
 241         // PHP_AUTH_USER is not set. A valid session is now determined by the user type (anonymous/bot or not)
 242         if ($user['user_type'] == USER_IGNORE)
 243         {
 244                 return true;
 245         }
 246
 247         return false;
 248 }
 249
 250 ?>