1 <?php
2
3 // auth_inc.php - Takes care of authorization.
4 // auth_inc.php - author: Nico Stuurman <nicost@sourceforge.net>
5 /***************************************************************************
6 * Copyright (c) 2001 by Nico Stuurman *
7 * ------------------------------------------------------------------------ *
8 * Part of phplabware, a web-driven groupware suite for research labs *
9 * *
10 * ------------------------------------------------------------------------ *
11 * This program is free software; you can redistribute it and/or modify it *
12 * under the terms of the GNU General Public License as published by the *
13 * Free Software Foundation; either version 2 of the License, or (at your *
14 * option) any later version. *
15 \**************************************************************************/
16
17
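$client = new cl_client;

// auth_inc.php is included by every page. It either processes a login
// form post (logon=true) or picks up an already authenticated login from
// the session, loads the matching users row into $USER, and sends the
// login screen (and exits) whenever no valid, active account is found.

// protect from outside variables (register_globals): every flag the code
// below branches on is reset here so a request parameter cannot pre-seed it.
$auth=false;
$authmethod=false;
$use_sessions=true;

if ($use_sessions) {
    if (isset($system_settings['tmpdir']))
        session_save_path($system_settings['tmpdir']);
    if (function_exists ('session_cache_limiter'))
        session_cache_limiter('private');
    session_start();

    // if this is a login, authenticate the user:
    if (isset($HTTP_POST_VARS['logon']) && $HTTP_POST_VARS['logon']=='true') {
        $PHP_AUTH_USER = isset($HTTP_POST_VARS['user']) ? $HTTP_POST_VARS['user'] : '';
        $PHP_AUTH_PW   = isset($HTTP_POST_VARS['pwd'])  ? $HTTP_POST_VARS['pwd']  : '';
        if ($PHP_AUTH_USER && $PHP_AUTH_PW) {

            // check submitted login and passwd in SQL database.
            // NOTE(review): unsalted md5 is not an acceptable password hash;
            // moving the pwd column to password_hash()/password_verify() needs
            // a data migration and is deliberately not done in this file.
            $pwd=md5($PHP_AUTH_PW);
            // The login comes straight from the form, so it is quoted through
            // the DB layer (ADOdb qstr()) rather than interpolated raw into
            // the statement, which was an SQL injection.
            $db_query = "SELECT login FROM users WHERE login=" . $db->qstr($PHP_AUTH_USER)
                      . " AND pwd=" . $db->qstr($pwd);
            $db_result = $db->Execute($db_query);
            if ($db_result) {
                $auth=$db_result->fields['login'];
                // check that there is no one else like this
                $db_result->MoveNext();
                if (!$db_result->EOF)
                    $auth=false;
            }

            // if pam_prg is present, check whether the user is known on the system
            $pam_prg = isset($system_settings['checkpwd']) ? $system_settings['checkpwd'] : '';
            if ($system_settings['authmethod']==2 && $pam_prg && ! $auth) {
                // this only makes sense if the user has an account on sidb
                // (get_cell is a project helper; whether it quotes its
                // argument is not visible here -- verify before relying on it)
                if (get_cell($db,'users','login','login',$PHP_AUTH_USER)) {
                    $esc_user = escapeshellarg($PHP_AUTH_USER);
                    $esc_pass = escapeshellarg($PHP_AUTH_PW);
                    // NOTE(review): the password is part of the shell command
                    // line ("echo ... |"), so it is visible to local users via
                    // ps while the check runs; writing it to the checker's
                    // stdin with proc_open() would avoid that.
                    $test = exec ("echo $esc_pass | $pam_prg $esc_user", $dummy,$result);
                    // NOTE(review): a NON-zero exit status is taken as success
                    // here; confirm this is really the checkpwd program's
                    // convention (most checkers exit 0 on success).
                    if ($result) { // we are authenticated
                        $auth = true;
                        $authmethod='pam';
                    }
                }
            }

            // if authenticated, this session is OK:
            if ($auth) {
                // Issue a fresh session id on the privilege change so a session
                // id planted before login (session fixation) is not promoted.
                if (function_exists('session_regenerate_id'))
                    session_regenerate_id();
                if ((isset($HTTP_SESSION_VARS['javascript_enabled']) && $HTTP_SESSION_VARS['javascript_enabled'])
                        || !empty($HTTP_POST_VARS["javascript_enabled"]))
                    $HTTP_SESSION_VARS['javascript_enabled']=true;
                else
                    $HTTP_SESSION_VARS['javascript_enabled']=false;
                session_register('javascript_enabled');
                if (!$authmethod)
                    $authmethod='sql';
                $HTTP_SESSION_VARS['authmethod']=$authmethod;
                session_register ('authmethod');
                $HTTP_SESSION_VARS['PHP_AUTH_USER']=$PHP_AUTH_USER;
                session_register ('PHP_AUTH_USER');
                // when the login was secure but user does not wanna stay secure
                // NOTE(review): after this redirect the session cookie travels
                // over plain HTTP, so the downgrade weakens the session itself.
                if (getenv('HTTPS') && empty($HTTP_POST_VARS['ssl'])) {
                    // send meta tag redirecting to http page and exit
                    $PHP_SELF=$HTTP_SERVER_VARS['PHP_SELF'];
                    $server= getenv ('HTTP_HOST');
                    $url="http://$server$PHP_SELF";
                    // read here for url_get_string(), which is not visible in this file
                    $get_string=getenv('QUERY_STRING');
                    $url=url_get_string($url);
                    // HTTP_HOST, PHP_SELF and QUERY_STRING are client-controlled,
                    // so the URL is HTML-escaped before being echoed into the
                    // attribute (it used to be echoed raw, inside an unquoted
                    // attribute value).
                    $safe_url = htmlspecialchars($url, ENT_QUOTES);
                    echo "<html>\n<head>\n";
                    echo "<meta http-equiv=\"refresh\" content=\"0;URL=$safe_url\">\n";
                    echo "</head>\n</html>";
                    exit();
                }
            }
            else {
                $PHP_AUTH_USER = false;
                loginscreen("<h4>Your credentials were not accepted, Please try again</h4>");
                exit();
            }
        }
        else {
            loginscreen("<h4>Please enter your username and password</h4>");
            exit();
        }
    }

    // The session is the only trusted source of identity. The previous
    // version fell through to a pre-existing $PHP_AUTH_USER (filled by PHP
    // from a client-supplied Authorization: Basic header, or by
    // register_globals from the query string) and treated it as authenticated
    // without ever checking a password -- an authentication bypass. On a
    // successful login the value was just stored in the session, so reading
    // it back here yields the same login.
    $PHP_AUTH_USER = isset($HTTP_SESSION_VARS['PHP_AUTH_USER']) ? $HTTP_SESSION_VARS['PHP_AUTH_USER'] : false;
    // need to call this to maintain javascript state
    $javascript_enabled = isset($HTTP_SESSION_VARS['javascript_enabled']) ? $HTTP_SESSION_VARS['javascript_enabled'] : false;
    if (!$PHP_AUTH_USER) {
        // display logon screen
        loginscreen();
        exit();
    }
    else {
        // we must have been authenticated through the session
        $db_query = "SELECT * FROM users WHERE login=" . $db->qstr($PHP_AUTH_USER);
        $db_result = $db->Execute($db_query);
        if (! ($db_result) ) {
            echo "Fatal database error.<br>";
            exit();
        }
        if ($db_result->EOF) {
            // the session names a login that no longer exists: treat as logged out
            loginscreen();
            exit();
        }
        // save frequently used variables
        $USER=$db_result->fields;
        // NOTE(review): unserialize() of a DB column is only safe while nothing
        // client-controlled is ever written into users.settings.
        $USER['settings']=unserialize($USER['settings']);
        $USER['group_list']=$USER['groupid'];
        $USER['group_array'][]=$USER['groupid'];
        $rg=$db->Execute("SELECT groupsid FROM usersxgroups WHERE usersid=" . $db->qstr($USER["id"]));
        while ($rg && !$rg->EOF) {
            $USER['group_list'].=','.$rg->fields['groupsid'];
            $USER['group_array'][]=$rg->fields['groupsid'];
            $rg->MoveNext();
        }

        // check whether account allows logins ($ACTIVE is a permission bit
        // defined outside this file)
        $active = $USER['permissions'] & $ACTIVE;
        if ($active) {
            $BROWSER = $client->browser;
            $NAME = $USER['firstname'] . ' ' . $USER['lastname'];
        }
        else {
            loginscreen();
            exit();
        }
    }
}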
145
146 ?>