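<?php
/*
Copyright Intermesh 2003
Author: Merijn Schering <mschering@intermesh.nl>
Version: 1.0
Release date: 08 July 2003

This program is free software; you can redistribute it and/or modify it
under the terms of the GNU General Public License as published by the
Free Software Foundation; either version 2 of the License, or (at your
option) any later version.
*/

/**
 * GO_SECURITY: login against the SQL user table, an LDAP directory or an
 * IMAP server (selected by $GO_CONFIG->auth_db_type), plus the ACL checks
 * the rest of Group-Office calls into.
 *
 * Security notes for maintainers, based on what this file shows:
 *  - SQL passwords are compared and stored as unsalted MD5 (login(),
 *    users->update_password()). Moving to password_hash()/password_verify()
 *    needs a schema change in users.class.inc, so it is not done here.
 *  - The cleartext password is kept in $_SESSION['GO_SESSION']['password'] /
 *    ['old_password'], and authenticate() accepts a cleartext GO_PW cookie
 *    (set elsewhere). Other modules appear to read these, so they are kept,
 *    but they should be phased out: a server-side session should hold a
 *    user id, not a reusable credential.
 *  - All SQL in this class is string-built; ids are cast to int and string
 *    values go through smart_addslashes() before interpolation.
 */
class GO_SECURITY extends db {
	var $user_id = 0;
	var $logged_in = false;
	var $group_everyone = "2";
	var $group_root = "1";
	var $ldap;
	var $imap;

	// Constructor: opens the db layer and restores a logged-in state from the session.
	function GO_SECURITY() {
		global $GO_CONFIG;
		$this->db();
		if (isset($_SESSION['GO_SESSION']['user_id']) && $_SESSION['GO_SESSION']['user_id'] > 0) {
			$this->logged_in = true;
			$this->user_id = $_SESSION['GO_SESSION']['user_id'];
		}
	}

	// Ends the session. session_destroy() only removes the stored copy; the
	// in-memory $_SESSION is cleared too so nothing later in this request
	// can still read the user id or password.
	function logout() {
		session_destroy();
		$_SESSION['GO_SESSION'] = array();
		$this->user_id = 0;
		$this->logged_in = false;
	}

	// Escapes a value for use inside an LDAP search filter (RFC 4515) so a
	// caller-supplied username cannot change the filter's structure.
	function _ldap_filter_escape($value) {
		return str_replace(
			array("\\", "*", "(", ")", "\0"),
			array("\\5c", "\\2a", "\\28", "\\29", "\\00"),
			$value
		);
	}

	// Removes the credentials of a failed login attempt from the session;
	// login() writes them before it knows whether the attempt succeeds.
	function _clear_login_attempt() {
		unset($_SESSION['GO_SESSION']['password']);
		unset($_SESSION['GO_SESSION']['old_password']);
	}

	// Shared post-creation steps for a user provisioned on first login by the
	// LDAP or mail backend: own the acl, join the "everyone" group, give the
	// root group access to the user's acl, and create the file storage dir.
	function _init_new_user($user_id, $acl_id, $dir_name) {
		global $GO_CONFIG;
		$this->set_acl_owner($acl_id, $user_id);
		require_once($GO_CONFIG->class_path."groups.class.inc");
		$groups = new groups();
		$groups->add_user_to_group($user_id, $this->group_everyone);
		$this->add_group_to_acl($this->group_root, $acl_id);
		// umask is zeroed so create_mode applies exactly, then restored.
		// mkdir is best effort: the directory may already exist.
		$old_umask = umask(000);
		@mkdir($GO_CONFIG->file_storage_path.$dir_name, $GO_CONFIG->create_mode);
		umask($old_umask);
	}

	// Attempts to log a user in and registers user_id in the session.
	// Returns true on success and stores general preferences in the session.
	//
	// $username / $password come straight from the login form or from the
	// GO_UN / GO_PW cookies (see authenticate()); $auth_mail_server_key is
	// an index into auth_mail_servers.inc and also originates from a cookie.
	//
	// Backend order: LDAP or IMAP first (per auth_db_type), which may
	// provision the user in SQL on first login; if that did not yield a
	// user id, the SQL user table is checked with an MD5 password compare.
	function login($username, $password, $auth_mail_server_key=-1) {
		global $GO_CONFIG, $GO_LANGUAGE;
		require_once($GO_CONFIG->class_path.'users.class.inc');
		$users = new users();

		$this->logged_in = false;
		$this->user_id = 0;
		$user_id = 0;
		$mail_server = false;

		// The username becomes a directory name under file_storage_path on
		// first login, so refuse anything that could escape that directory.
		if (strpos($username, '/') !== false || strpos($username, "\\") !== false || strpos($username, '..') !== false) {
			return false;
		}

		$_SESSION['GO_SESSION']['auth_src'] = 'sql';
		// NOTE(security): cleartext password in the session; see class header.
		$_SESSION['GO_SESSION']['password'] = $password;
		$_SESSION['GO_SESSION']['old_password'] = $password;

		switch ($GO_CONFIG->auth_db_type) {
			case 'ldap':
				$_SESSION['GO_SESSION']['auth_src'] = "ldap";
				$ldap = new ldap();
				$ldap->connect();
				$ldap->bind($GO_CONFIG->auth_db_user, $GO_CONFIG->auth_db_pass);
				$ldap->search("uid=".$this->_ldap_filter_escape($username), $ldap->PeopleDN);
				$dn = false;
				if ($ldap->next_entry()) {
					$dn = $ldap->dn();
					// Use the canonical uid from the first RDN of the DN.
					$username = substr($dn, 0, strpos($dn, ","));
					$username = substr($username, strpos($username, "=") + 1);
				}
				// No entry: nothing to bind as (previously $dn was used undefined).
				// Empty password: an LDAP bind with an empty password is an
				// anonymous bind and "succeeds", so it must never count as a login.
				if ($dn !== false && $password !== '' && $ldap->bind($dn, $password)) {
					$ldap->search("uid=".$this->_ldap_filter_escape($username), $ldap->PeopleDN);
					if ($ldap->next_entry()) {
						$user_id = (int) $ldap->first_value("uidNumber");
						if ($user_id > 0) {
							$this->query("SELECT id FROM users WHERE username='".smart_addslashes($username)."'");
							if ($this->num_rows() < 1) {
								// First login: provision the user. The SQL id must
								// equal the LDAP uidNumber, hence the explicit id.
								if ($users->max_users_reached()) {
									$this->_clear_login_attempt();
									return false;
								}
								require_once($GO_CONFIG->class_path.'profiles.class.inc');
								$profiles = new profiles();
								if (!$profile = $profiles->get_profile($user_id)) {
									die('FATAL ERROR: Couldn\'t get profile from LDAP user');
								}
								// One acl per new user (the duplicated block this
								// replaces created a second, orphaned acl_items row and
								// described it with a session email not yet set).
								$acl_id = $this->get_new_acl($profile['email']);
								$authcode = $users->random_password();
								if ($GO_CONFIG->auth_db_ldap_um) {
									// User management lives in LDAP: no SQL row, just own the acl.
									$this->set_acl_owner($acl_id, $user_id);
								} else {
									// NOTE(review): 'birtday' and the argument layout are kept as
									// found; the mail branch below passes add_user() a differently
									// shaped list, so both should be checked against users.class.inc.
									if ($user_id = $users->add_user($username, $password, $profile['first_name'], $profile['last_name'],$profile['initials'], $profile['sex'], $profile['birtday'], $profile['email'], $authcode, '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', $acl_id, false, $user_id)) {
										$this->_init_new_user($user_id, $acl_id, $username);
									} else {
										// Clean up before die(); previously the delete was unreachable.
										$this->delete_acl($acl_id);
										die('FATAL ERROR: Failed adding LDAP user to Group-Office');
									}
								}
							}
						}
					}
				}
				break;

			case 'mail':
				if ($auth_mail_server_key != '' && $auth_mail_server_key > -1) {
					require($GO_CONFIG->root_path.'auth_mail_servers.inc');
					// The key comes from a cookie; only accept a configured server entry.
					if (isset($auth_mail_servers[$auth_mail_server_key])) {
						$mail_server = $auth_mail_servers[$auth_mail_server_key];
					}
				}
				if ($mail_server !== false) {
					$_SESSION['GO_SESSION']['auth_src'] = 'mail';
					require_once($GO_CONFIG->class_path.'imap.class.inc');
					$imap = new imap();
					$email_address = $username.'@'.$mail_server['domain'];
					if ($mail_server['add_domain_to_username'] == 'true') {
						$username = $email_address;
					}
					if ($imap->open($mail_server['ip'], $mail_server['type'], $mail_server['port'], $username, $password)) {
						$imap->close();
						// Same pattern as the former eregi() call (removed in PHP 7), case-insensitive.
						$email = preg_match('/^([a-z0-9]+)([._-]([a-z0-9]+))*[@]([a-z0-9]+)([._-]([a-z0-9]+))*[.]([a-z0-9]){2}([a-z0-9])?([a-z0-9])?$/i', $username)
							? $username
							: $username.'@'.$mail_server['domain'];
						$this->query("SELECT id FROM users WHERE username='".smart_addslashes($email_address)."'");
						if ($this->num_rows() > 0) {
							$this->next_record();
							$user_id = (int) $this->f('id');
						} else {
							// First login: provision the user in SQL.
							if ($users->max_users_reached()) {
								$this->_clear_login_attempt();
								return false;
							}
							$acl_id = $this->get_new_acl($email);
							$authcode = $users->random_password();
							if ($user_id = $users->add_user($email_address, $password, '', '', '','','', 'M', '',$email, $authcode, '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', $acl_id)) {
								$this->_init_new_user($user_id, $acl_id, $email_address);
								require_once($GO_CONFIG->class_path."email.class.inc");
								require($GO_LANGUAGE->get_language_file('email'));
								$email_client = new email();
								if (!$account_id = $email_client->add_account($user_id, $mail_server['type'], $mail_server['ip'], $mail_server['port'], $mail_server['mbroot'], $username, $password, $username, $email_address, "", $ml_sent_items, $ml_spam, $ml_trash)) {
									// last_error may echo server-supplied text; escape it for HTML.
									echo "<p class=\"Error\">".$registration_email_error."</p>";
									echo "<p class=\"Error\">".htmlspecialchars($email_client->last_error)."</p>";
								}
							} else {
								// Clean up before die(); previously the delete was unreachable.
								$this->delete_acl($acl_id);
								die('FATAL ERROR: Failed adding mail user to Group-Office');
							}
						}
						$username = $email_address;
					}
				}
				break;
		}

		if ($user_id < 1) {
			// Local SQL accounts, and the fallback when LDAP/IMAP did not authenticate.
			// NOTE(security): unsalted MD5 compare — legacy schema, see class header.
			$sql = "SELECT id FROM users WHERE username='".smart_addslashes($username)."' AND password='".md5($password)."'";
			$this->query($sql);
			if ($this->next_record()) {
				$user_id = (int) $this->f('id');
			}
		}

		if ($user_id < 1) {
			$this->_clear_login_attempt();
			return false;
		}

		require_once($GO_CONFIG->class_path.'profiles.class.inc');
		$profiles = new profiles();
		$profile = $profiles->get_profile($user_id);

		// External backend authenticated with a password that differs from the
		// SQL copy: bring the SQL copy (and the stored mail account) in sync.
		if ($GO_CONFIG->auth_db_type != 'sql' && md5($password) != $profile['password']) {
			$users->update_password($user_id, $password);
			if ($GO_CONFIG->auth_db_type == 'mail' && $mail_server !== false) {
				require_once($GO_CONFIG->class_path."email.class.inc");
				$email_client = new email();
				$email_client->update_password($mail_server['ip'], $username, $password);
			}
		}

		$_SESSION['GO_SESSION']['user_id'] = $user_id;
		$middle_name = $profile['middle_name'] == '' ? '' : $profile['middle_name'].' ';
		$_SESSION['GO_SESSION']['name'] = $profile['first_name'].' '.$middle_name.$profile['last_name'];
		$_SESSION['GO_SESSION']['first_name'] = $profile['first_name'];
		$_SESSION['GO_SESSION']['middle_name'] = $profile['middle_name'];
		$_SESSION['GO_SESSION']['last_name'] = $profile['last_name'];
		$_SESSION['GO_SESSION']['email'] = $profile['email'];
		$_SESSION['GO_SESSION']['username'] = $username;
		// NOTE(security): cleartext password in the session; see class header.
		$_SESSION['GO_SESSION']['password'] = $password;
		$_SESSION['GO_SESSION']['old_password'] = $password;
		$_SESSION['GO_SESSION']['thousands_seperator'] = $profile['thousands_seperator'];
		$_SESSION['GO_SESSION']['decimal_seperator'] = $profile['decimal_seperator'];
		$_SESSION['GO_SESSION']['date_format'] = $profile['date_format'];
		$_SESSION['GO_SESSION']['time_format'] = $profile['time_format'];
		$_SESSION['GO_SESSION']['currency'] = $profile['currency'];
		$_SESSION['GO_SESSION']['mail_client'] = $profile['mail_client'];
		$_SESSION['GO_SESSION']['lastlogin'] = $profile['lastlogin'];
		$_SESSION['GO_SESSION']['max_rows_list'] = $profile['max_rows_list'];
		$_SESSION['GO_SESSION']['timezone'] = $profile['timezone'];
		$_SESSION['GO_SESSION']['start_module'] = $profile['start_module'];
		$_SESSION['GO_SESSION']['theme'] = $profile['theme'];
		$_SESSION['GO_SESSION']['language'] = $profile['language'];
		$_SESSION['GO_SESSION']['first_weekday'] = $profile['first_weekday'];

		$this->user_id = $user_id;
		$this->logged_in = true;

		$logins = (int) $profile["logins"] + 1;
		$sql = "UPDATE users SET logins='$logins', lastlogin='".get_gmt_time()."' WHERE id='".(int) $this->user_id."'";
		$this->query($sql);
		return true;
	}

	// Checks that a user is logged in. If not, it tries to log in from the
	// GO_UN / GO_PW cookies and otherwise redirects to the login page with
	// the current URI as return_to. With $admin, additionally requires
	// membership of the root group (403 page otherwise).
	//
	// NOTE(security): GO_PW is a cleartext password cookie (set elsewhere);
	// a remember-me token that maps to a server-side record would be the
	// usual replacement. The cookie login is only attempted when both
	// cookies are present and non-empty.
	function authenticate($admin = false) {
		global $GO_CONFIG;
		$GO_AUTH_MAIL_SERVER_KEY = isset($_COOKIE['GO_AUTH_MAIL_SERVER_KEY']) ? $_COOKIE['GO_AUTH_MAIL_SERVER_KEY'] : '';

		if ($this->logged_in == false) {
			$cookie_login = isset($_COOKIE['GO_UN']) && isset($_COOKIE['GO_PW'])
				&& $_COOKIE['GO_UN'] != '' && $_COOKIE['GO_PW'] != ''
				&& $this->login($_COOKIE['GO_UN'], $_COOKIE['GO_PW'], $GO_AUTH_MAIL_SERVER_KEY);
			if (!$cookie_login) {
				header('Location: '.$GO_CONFIG->host.'index.php?return_to='.urlencode($_SERVER['REQUEST_URI']));
				exit();
			}
		}

		if ($admin && !$this->has_admin_permission($this->user_id)) {
			header("Location: ".$GO_CONFIG->host."error_docs/403.php");
			exit();
		}
	}

	// Creates a new acl item owned by $user_id (defaults to the current user)
	// and returns its id, or false if no id could be allocated.
	function get_new_acl($description, $user_id=-1) {
		if ($user_id == -1) {
			$user_id = $this->user_id;
		}
		$id = $this->nextid("acl_items");
		if ($id > 0) {
			$this->query("INSERT INTO acl_items (id, description, user_id) VALUES ('".(int) $id."', '".smart_addslashes($description)."', '".(int) $user_id."')");
			return $id;
		}
		return false;
	}

	// True if $user_id owns the acl; an acl with owner 0 is owned by administrators.
	function user_owns_acl($user_id, $acl_id) {
		$this->query("SELECT user_id FROM acl_items WHERE id='".(int) $acl_id."'");
		if ($this->next_record()) {
			if ($user_id == $this->f('user_id')) {
				return true;
			} elseif ($this->f('user_id') == '0') {
				return $this->has_admin_permission($user_id);
			}
		}
		return false;
	}

	// Deletes an acl and all of its entries.
	function delete_acl($acl_id) {
		$acl_id = (int) $acl_id;
		$this->query("DELETE FROM acl WHERE acl_id='$acl_id'");
		$this->query("DELETE FROM acl_items WHERE id='$acl_id'");
		return true;
	}

	// Adds a user to an acl; true if a row was inserted.
	function add_user_to_acl($user_id, $acl_id) {
		$this->query("INSERT INTO acl (acl_id,user_id) VALUES ('".(int) $acl_id."','".(int) $user_id."')");
		return $this->affected_rows() > 0;
	}

	function delete_user_from_acl($user_id, $acl_id) {
		$sql = "DELETE FROM acl WHERE user_id='".(int) $user_id."' AND acl_id='".(int) $acl_id."'";
		return $this->query($sql);
	}

	// Adds a group to an acl; true if a row was inserted.
	function add_group_to_acl($group_id, $acl_id) {
		$this->query("INSERT INTO acl (acl_id,group_id) VALUES ('".(int) $acl_id."','".(int) $group_id."')");
		return $this->affected_rows() > 0;
	}

	function delete_group_from_acl($group_id, $acl_id) {
		$sql = "DELETE FROM acl WHERE group_id='".(int) $group_id."' AND acl_id='".(int) $acl_id."'";
		return $this->query($sql);
	}

	// Removes every entry of an acl but keeps the acl item itself.
	function clear_acl($acl_id) {
		$this->query("DELETE FROM acl WHERE acl_id='".(int) $acl_id."'");
	}

	// Checks whether $user_id has permission for $acl_id, either directly,
	// via a SQL group, or (with auth_db_ldap_um) via an LDAP posixGroup whose
	// memberUid lists one of the user's uid values.
	function has_permission($user_id, $acl_id) {
		global $GO_CONFIG;
		$user_id = (int) $user_id;
		$acl_id = (int) $acl_id;
		if ($user_id > 0 && $acl_id > 0) {
			if ($GO_CONFIG->auth_db_ldap_um) {
				$ldap = new ldap();
				$ldap->connect();
				$ldap->bind();
				// Fetch the uid values for this uidNumber; $user_id is an int, so
				// it cannot alter the filter.
				$ldap->search("(uidNumber=$user_id)", $GO_CONFIG->auth_db_ldap_basedn);
				$ldap->next_entry();
				$uid_array = $ldap->get_values("uid");

				// Group entries of this acl (user_id 0 marks a group entry here).
				$sql = "SELECT acl.group_id FROM acl WHERE acl.acl_id=".$acl_id." AND acl.user_id='0' ORDER BY group_id ASC";
				$this->query($sql);
				$this->next_record();
				while ($this->Record != "") {
					$group_id = (int) $this->Record["group_id"];
					$ldap->search("(gidNumber=$group_id)", $GO_CONFIG->auth_db_ldap_basedn);
					$ldap->next_entry();
					$is_in_group = $ldap->get_values("memberUid");
					// Strict compare: a loose in_array() would match a numeric uid
					// against the integer 'count' element ldap_get_values() returns.
					if (is_array($is_in_group) && is_array($uid_array)) {
						foreach ($uid_array as $value) {
							if (in_array($value, $is_in_group, true)) {
								return true;
							}
						}
					}
					$this->next_record();
				}
			}
			$sql = "SELECT acl.acl_id FROM acl, users_groups WHERE".
				" acl.acl_id='$acl_id' AND (acl.user_id='$user_id' OR".
				" (acl.group_id=users_groups.group_id AND".
				" users_groups.user_id='$user_id')) GROUP BY acl.acl_id";
			$this->query($sql);
			if ($this->num_rows() > 0) {
				return true;
			}
		}
		return false;
	}

	function set_acl_owner($acl_id, $user_id) {
		return $this->query("UPDATE acl_items SET user_id='".(int) $user_id."' WHERE id='".(int) $acl_id."'");
	}

	// True if the user is a member of the root (administrators) group.
	function has_admin_permission($user_id) {
		global $GO_CONFIG;
		require_once($GO_CONFIG->class_path."groups.class.inc");
		$groups = new groups;
		return $groups->is_in_group($user_id, $this->group_root);
	}

	// Runs the group query for an acl and returns the row count; callers
	// read the rows from this object's result set.
	function get_groups_in_acl($acl_id) {
		global $GO_CONFIG;
		$acl_id = (int) $acl_id;
		if ($GO_CONFIG->auth_db_ldap_um) {
			$sql = "SELECT * FROM acl WHERE acl_id='$acl_id' AND user_id=0";
		} else {
			$sql = "SELECT groups.* FROM groups INNER JOIN acl ON".
				" acl.group_id=groups.id WHERE acl.acl_id='$acl_id'".
				" ORDER BY groups.name";
		}
		$this->query($sql);
		return $this->num_rows();
	}

	// Runs the user query for an acl and returns the row count; callers
	// read the rows from this object's result set.
	function get_users_in_acl($acl_id) {
		global $GO_CONFIG;
		$acl_id = (int) $acl_id;
		if ($GO_CONFIG->auth_db_ldap_um) {
			$sql = "SELECT * FROM acl WHERE acl_id='$acl_id' AND group_id=0";
		} else {
			$sql = "SELECT users.* FROM users INNER JOIN acl ON acl.user_id=users.id WHERE acl.acl_id='$acl_id' ORDER BY users.first_name ASC, users.last_name ASC";
		}
		$this->query($sql);
		return $this->num_rows();
	}

	function user_in_acl($user_id, $acl_id) {
		$sql = "SELECT user_id FROM acl WHERE acl_id='".(int) $acl_id."' AND user_id='".(int) $user_id."'";
		$this->query($sql);
		return $this->num_rows() > 0;
	}

	// A user is visible to the current user if it is the same user, or if the
	// current user has permission on that user's acl.
	function user_is_visible($user_id) {
		if ($this->user_id == $user_id) {
			return true;
		}
		$sql = "SELECT acl_id FROM users WHERE id='".(int) $user_id."'";
		$this->query($sql);
		if (!$this->next_record()) {
			return false;
		}
		return $this->has_permission($this->user_id, $this->f("acl_id"));
	}

	function group_in_acl($group_id, $acl_id) {
		$sql = "SELECT group_id FROM acl WHERE acl_id='".(int) $acl_id."' AND group_id='".(int) $group_id."'";
		$this->query($sql);
		return $this->num_rows() > 0;
	}

	// Looks an acl up by its description; returns the id or false.
	function get_acl_id($description) {
		$sql = "SELECT id FROM acl_items WHERE description='".smart_addslashes($description)."'";
		$this->query($sql);
		if ($this->next_record()) {
			return $this->f('id');
		}
		return false;
	}

	// Replaces the entries of $dAcl with those of $sAcl that the current user
	// is allowed to see. A second instance does the visibility checks and the
	// inserts so the result set being iterated on $this is not clobbered.
	function copy_acl($sAcl, $dAcl) {
		global $GO_CONFIG;
		require_once($GO_CONFIG->class_path."groups.class.inc");
		$groups = new groups();
		$this->clear_acl($dAcl);
		$helper = new GO_SECURITY();
		$this->query("SELECT * FROM acl WHERE acl_id='".(int) $sAcl."'");
		while ($this->next_record()) {
			$group_id = $this->f("group_id");
			$entry_user_id = $this->f("user_id");
			if ($group_id != 0 && $groups->group_is_visible($this->user_id, $group_id)) {
				$helper->add_group_to_acl($group_id, $dAcl);
			}
			if ($entry_user_id != 0 && ($helper->user_is_visible($entry_user_id) || $entry_user_id == $this->user_id)) {
				$helper->add_user_to_acl($entry_user_id, $dAcl);
			}
		}
	}

	/* deprecated: removes a user from every acl */
	function delete_user($user_id) {
		$sql = "DELETE FROM acl WHERE user_id='".(int) $user_id."'";
		$this->query($sql);
	}

	// Removes a group from every acl.
	function delete_group($group_id) {
		$sql = "DELETE FROM acl WHERE group_id='".(int) $group_id."'";
		$this->query($sql);
	}
}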