Remove duplicate function.
1 <?php
2 // Session handling
3 // - set up the session object
include_once('PgQuery.php');

// An explicit logout request drops the session cookie and forgets the sid
// for the rest of this request.
// NOTE(review): $logout, $sid, $username and $password are read here as bare
// globals, so this file presumably relies on register_globals - confirm.
if ( isset($logout) ) {
  error_log("$sysname: Session: DBG: Logging out");
  setcookie( 'sid', '', 0,'/');
  unset($sid);
}

// Enable for debugging...
foreach ( array('Session', 'Login', 'querystring') as $dbg_group ) {
  $debuggroups[$dbg_group] = 1;
}

if ( !isset($session) ) {
  $session = new Session();
  // Try and log in if we have a username and password
  if ( isset($username) && isset($password) ) {
    $session->Login( $username, $password );
    // NOTE(review): this message uses $system_name while the Session class
    // logs with $sysname - confirm which of the two is actually defined.
    if ( $debuggroups['Login'] ) {
      error_log( "$system_name: vpw: DBG: User $username - $session->fullname ($session->user_no) login status is $session->logged_in" );
    }
  }
}
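/**
 * Build the "*<salt>*<md5(salt . input)>" form used for stored passwords and
 * for credentials carried in the session cookie.
 *
 * @param string $instr  The plaintext to hash.
 * @param string $salt   Salt to reuse when re-checking an existing hash; an
 *                       empty value requests a fresh random 8-hex-char salt.
 * @return string        "*<salt>*<32 hex chars>"
 */
function session_salted_md5( $instr, $salt = "" ) {
  if ( (string) $salt === "" ) {
    // Fresh salt: 8 hex chars like the original format, but drawn from the
    // CSPRNG instead of rand(), whose output is predictable.
    // random_bytes() needs PHP >= 7.0.
    $salt = bin2hex( random_bytes(4) );
  }
  // md5 is kept on purpose: every stored password uses exactly this scheme,
  // so changing the digest would invalidate the existing usr table.
  return ( "*$salt*" . md5($salt . $instr) );
}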
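/**
 * Check a supplied credential against the stored password field.
 *
 * Stored ($we_have) forms understood:
 *   "*<salt>*<md5>"  salted md5 produced by session_salted_md5()
 *   "**<plaintext>"  forced plaintext, for easier admin setting
 *   "<plaintext>"    legacy plain text, compared case-insensitively
 * The supplied value ($they_sent) may itself be a "*<salt>*<md5>" string
 * (e.g. when it came from the cookie) rather than the plaintext.
 *
 * @param string $they_sent  Credential as supplied by the client.
 * @param string $we_have    Password field as stored for the user.
 * @return bool
 */
function session_validate_password( $they_sent, $we_have ) {
  global $system_name, $debuggroups;

  $they_sent = (string) $they_sent;
  $we_have   = (string) $we_have;

  // Blank passwords are bad - rejected before any hash comparison so that an
  // empty stored or supplied value can never validate via the hashed paths.
  if ( $we_have === "" || $they_sent === "" ) return false;

  // In some cases they send us a salted md5 of the password, rather
  // than the password itself (i.e. if it is in a cookie)
  $pwcompare = $we_have;
  if ( preg_match('/^\*(.+)\*.+$/', $they_sent, $regs ) ) {
    $pwcompare = session_salted_md5( $we_have, $regs[1] );
    // hash_equals: constant-time and strict, no loose "==" on hash strings.
    if ( hash_equals( $pwcompare, $they_sent ) ) return true;
  }

  if ( preg_match('/^\*\*.+$/', $we_have ) ) {
    // The "forced" style of "**plaintext" to allow easier admin setting
    return hash_equals( $pwcompare, "**$they_sent" );
  }

  if ( preg_match('/^\*(.+)\*.+$/', $we_have, $regs ) ) {
    // A nicely salted md5sum like "*<salt>*<salted_md5>"
    $salt = $regs[1];
    $md5_sent = session_salted_md5( $they_sent, $salt );
    if ( !empty($debuggroups['Login']) ) {
      // The hashes themselves are deliberately not logged: error_log output
      // is rarely protected the way the password column is.
      error_log( "$system_name: vpw: DBG: Salt=$salt, comparing salted md5 of the supplied password" );
    }
    return hash_equals( $pwcompare, $md5_sent );
  }

  // Otherwise they just have a plain text string, which we
  // compare directly, but case-insensitively (strict string comparison so
  // numeric-looking strings are not compared as numbers)
  return ( $they_sent === $pwcompare || strtolower($they_sent) === strtolower($we_have) );
}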
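/**
 * The current browser session.
 *
 * Construction reads the global $sid (the "sid" cookie, "<session_id>;<key>")
 * and, when exactly one matching session row exists, copies the user details
 * into the object, loads the roles and marks it logged in. Login() validates a
 * username/password pair, creates a session row and cookie, and re-reads it.
 */
class Session
{
  public $user_no = 0;
  public $session_id = 0;
  public $name = 'guest';
  public $full_name = 'Guest';
  public $fullname = 'Guest';   // the name callers actually read; full_name kept for compatibility
  public $email = '';
  public $centre_id = -1;
  public $region_id = -1;
  public $centre_name = '';
  public $org_code = '';
  public $config_data = '';
  public $roles;
  public $logged_in = false;
  public $cause = '';

  /**
   * PHP 5+ constructor. The PHP 4 style Session() method below is kept
   * because Login() calls it to re-read the session once the cookie is set.
   */
  public function __construct()
  {
    $this->Session();
  }

  /**
   * Load the session identified by the global $sid ("<id>;<key>").
   * Resets roles and logged_in first, so it is safe to run again after Login().
   */
  public function Session()
  {
    global $sid, $sysname;

    $this->roles = array();
    $this->logged_in = false;

    if ( ! isset($sid) ) return;

    // A malformed cookie without ';' yields an empty key instead of a notice.
    list( $session_id, $session_key ) = array_pad( explode( ';', (string) $sid, 2 ), 2, '' );

    // NOTE(review): the non-7.2 query also accepts md5(session_start) as the
    // session key, i.e. a key derivable from the row's timestamp - confirm
    // whether that alternate path is still needed.
    if ( isset($GLOBALS['pg_version']) && $GLOBALS['pg_version'] == 7.2 ) {
      $sql = "SELECT session.*, usr.*, organisation.*
                FROM session, usr, organisation
               WHERE usr.user_no = session.user_no
                 AND session_id = ?
                 AND (session_key = ? OR session_key = ?)
                 AND organisation.org_code = usr.org_code
            ORDER BY session_start DESC LIMIT 1";
    }
    else {
      $sql = "SELECT session.*, usr.*, organisation.*
                FROM session, usr, organisation
               WHERE usr.user_no = session.user_no
                 AND session_id = ?
                 AND (md5(session_start::text) = ? OR session_key = ?)
                 AND organisation.org_code = usr.org_code
            ORDER BY session_start DESC LIMIT 1";
    }

    $qry = new PgQuery($sql, $session_id, $session_key, $session_key);
    if ( $qry->Exec('Session') && (int) $qry->rows === 1 ) {
      $this->AssignSessionDetails( $qry->Fetch() );
      $qry = new PgQuery('UPDATE session SET session_end = current_timestamp WHERE session_id=?', $session_id);
      $qry->Exec('Session');
    }
    else {
      // Kill the existing cookie, which appears to be bogus
      $this->SetSidCookie('');
      $this->cause = 'ERR: Other than one session record matches. ' . $qry->rows;
      error_log( "$sysname Login $this->cause" );
    }
  }

  /**
   * Write (or, with an empty value, clear) the "sid" cookie.
   * HttpOnly keeps the key out of reach of script; Secure is set whenever the
   * current request itself arrived over HTTPS.
   */
  private function SetSidCookie( $value )
  {
    $secure = isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== '' && $_SERVER['HTTPS'] !== 'off';
    setcookie( 'sid', $value, 0, '/', '', $secure, true );
  }

  /**
   * True when logged in and the named role was granted (roles map to true).
   */
  public function AllowedTo ( $whatever )
  {
    return ( $this->logged_in && !empty($this->roles[$whatever]) );
  }

  /**
   * Reload $this->roles from the group memberships of $this->user_no.
   */
  public function GetRoles ()
  {
    $this->roles = array();
    $qry = new PgQuery( 'SELECT group_name AS role_name FROM group_member m join ugroup g ON g.group_no = m.group_no WHERE user_no = ? ', $this->user_no );
    if ( $qry->Exec('Login') && $qry->rows > 0 ) {
      while( $role = $qry->Fetch() ) {
        $this->roles[$role->role_name] = true;
      }
    }
  }

  /**
   * Copy user/session columns from a fetched row into this object, then load
   * the roles and mark the session as logged in.
   *
   * @param object $u  Row from the session/usr/organisation join.
   */
  public function AssignSessionDetails( $u )
  {
    $this->user_no = $u->user_no;
    $this->name = $u->name;
    $this->fullname = $u->fullname;
    $this->full_name = $u->fullname;   // keep the declared property in step
    $this->email = $u->email;
    $this->org_code = $u->org_code;
    $this->config_data = $u->config_data;
    $this->session_id = $u->session_id;

    $this->GetRoles();
    $this->logged_in = true;
  }

  /**
   * Record why a login failed, log it, and hand back false for the caller.
   */
  private function LoginFailed( $cause )
  {
    global $sysname;
    $this->cause = $cause;
    error_log( "$sysname Login $this->cause" );
    return false;
  }

  /**
   * Validate $username/$password against the usr table and, on success,
   * create a session row, set the "sid" cookie and global $sid, and re-read
   * the session into this object.
   *
   * @param string $username
   * @param string $password  Plaintext, or the "*<salt>*<md5>" cookie form.
   * @return bool  True when a new session was started; otherwise $this->cause
   *               holds the reason and it has been written to error_log.
   */
  public function Login( $username, $password )
  {
    global $sysname, $sid, $debuggroups;
    $debug = !empty($debuggroups['Login']);
    if ( $debug ) {
      error_log( "$sysname: Login: DBG: Attempting login for $username" );
    }

    // Only the lower-cased username is bound; the password no longer travels
    // into the query layer (it used to be passed as unused extra parameters).
    $qry = new PgQuery( "SELECT * FROM usr WHERE lower(username) = ? ", strtolower($username) );
    if ( ! ( $qry->Exec('Login') && (int) $qry->rows === 1 ) ) {
      // In debug mode the cause distinguishes unknown users; otherwise it is
      // deliberately the same text as for a wrong password.
      return $this->LoginFailed( $debug ? 'WARN: Invalid username.' : 'WARN: Invalid username or password.' );
    }

    $usr = $qry->Fetch();
    if ( ! session_validate_password( $password, $usr->password ) ) {
      return $this->LoginFailed( $debug ? 'WARN: Invalid password.' : 'WARN: Invalid username or password.' );
    }

    // Now get the next session ID to create one from...
    $qry = new PgQuery( "SELECT nextval('session_session_id_seq')" );
    if ( ! ( $qry->Exec('Login') && (int) $qry->rows === 1 ) ) {
      return $this->LoginFailed( 'ERR: Could not increment session sequence.' );
    }
    $seq = $qry->Fetch();
    $session_id = $seq->nextval;
    // 128 bits from the CSPRNG, rendered as 32 hex chars like the md5 it
    // replaces; rand() . microtime() was predictable. Needs PHP >= 7.0.
    $session_key = bin2hex( random_bytes(16) );
    if ( $debug ) {
      error_log( "$sysname: Login: DBG: Valid username/password for $username ($usr->user_no)" );
    }

    // And create a session
    $qry = new PgQuery( "INSERT INTO session (session_id, user_no, session_key) VALUES( ?, ?, ? )", $session_id, $usr->user_no, $session_key );
    if ( ! $qry->Exec('Login') ) {
      return $this->LoginFailed( 'ERR: Could not create new session.' );
    }

    // Assign our session ID variable, set the cookie for the session, and
    // recognise that we have started a session now too...
    $sid = "$session_id;$session_key";
    $this->SetSidCookie( $sid );
    $this->Session();
    error_log( "$sysname: Login: INFO: New session $session_id started for $username ($usr->user_no)" );
    return true;
  }
}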