e107db_auth.php
<?php
/*
* e107 website system
*
* Copyright (C) 2008-2012 e107 Inc (e107.org)
* Released under the terms and conditions of the
* GNU General Public License (http://www.gnu.org/licenses/gpl.txt)
*
* e107 DB authorisation for alt_auth plugin
*
* $URL$
* $Id$
*/
/**
* e107 Alternate authorisation plugin
*
* @package e107_plugins
* @subpackage alt_auth
* @version $Id$;
*
* This connects to a 'foreign' e107 user database to validate the user
*/
/*
return values
AUTH_NOCONNECT = unable to connect to db
AUTH_NOUSER = user not found
AUTH_BADPASSWORD = supplied password incorrect
AUTH_SUCCESS = valid login
*/
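class auth_login extends alt_auth_base
{
	public $Available = FALSE;		// Flag indicates whether DB connection available
	public $ErrorText;				// e107 error string on exit
	private $conf;					// Configuration parameters (altAuthGetParams('e107db'))

	/**
	 * Read the alt_auth configuration for the remote e107 database.
	 *
	 * No connection is opened here - login() connects on every call - so $Available is
	 * set TRUE unconditionally once the parameters have been read.
	 *
	 * @return void
	 */
	public function __construct()
	{
		$this->ErrorText = '';
		$this->conf = $this->altAuthGetParams('e107db');
		$this->Available = TRUE;
	}

	/**
	 * Store an error string for the caller to read back from $ErrorText.
	 *
	 * @param string $extra - message to record ('' clears any previous error)
	 * @return void
	 */
	private function makeErrorText($extra = '')
	{
		$this->ErrorText = $extra;
	}

	/**
	 * Validate login credentials against the 'foreign' e107 user table.
	 *
	 * @param string $uname - The user name requesting access (untrusted - comes from the login form)
	 * @param string $pword - Password to use (usually plain text)
	 * @param array &$newvals - array to accept other data read from the database
	 * @param boolean $connect_only - TRUE to simply connect to the database and return AUTH_SUCCESS
	 *
	 * @return integer result (AUTH_NOCONNECT, AUTH_NOUSER, AUTH_BADPASSWORD or AUTH_SUCCESS)
	 *
	 * On a successful login, $newvals is filled with the columns named by the
	 * 'e107db_xf_*' configuration entries that are present in the fetched row.
	 */
	public function login($uname, $pword, &$newvals, $connect_only = FALSE)
	{
		$dsn = 'mysql:host='.$this->conf['e107db_server'].';port='.varset($this->conf['e107db_port'], 3306).';dbname='.$this->conf['e107db_database'];
		try
		{
			// Disable emulated prepares so the login name travels to the server as a bound
			// parameter rather than being escaped into the SQL text client-side.
			$dbh = new PDO($dsn, $this->conf['e107db_username'], $this->conf['e107db_password'], array(PDO::ATTR_EMULATE_PREPARES => FALSE));
		}
		catch (PDOException $e)
		{
			// NOTE(review): the driver message may name the remote host and DB user; $ErrorText
			// should only ever be surfaced to administrators, not echoed on the login page.
			$this->makeErrorText('Cannot connect to remote DB; PDOException message: ' . $e->getMessage());
			return AUTH_NOCONNECT;
		}
		if ($connect_only)
		{
			return AUTH_SUCCESS;	// Test mode only needs to know the connection works
		}

		// Build the column list from the admin-configured 'e107db_xf_*' entries.
		// These come from the plugin configuration, not from the login form, which is why
		// they are interpolated into the statement as column names.
		$sel_fields = array();
		foreach ($this->conf as $k => $v)
		{
			if ($v && (strpos($k, 'e107db_xf_') === 0))
			{
				$sel_fields[] = substr($k, strlen('e107db_xf_'));
			}
		}
		$filterClass = intval(varset($this->conf['e107db_filter_class'], e_UC_PUBLIC));
		if (($filterClass != e_UC_PUBLIC) && (!in_array('user_class', $sel_fields)))
		{
			$sel_fields[] = 'user_class';	// needed for the class-membership check below
		}
		$sel_fields[] = 'user_password';

		// Parameterised lookup of the supplied login name. $uname is attacker-controlled and
		// must never be spliced into the SQL text - the previous version did, which allowed
		// SQL injection against the remote database.
		$qry = 'SELECT '.implode(',', $sel_fields).' FROM '.$this->conf['e107db_prefix'].'user WHERE user_loginname = :uname AND `user_ban` = 0';
		try
		{
			$stmt = $dbh->prepare($qry);
			$lookupOk = ($stmt !== FALSE) && $stmt->execute(array(':uname' => $uname));
		}
		catch (PDOException $e)
		{
			// PHP 8 defaults PDO to ERRMODE_EXCEPTION, so a failing statement throws rather than
			// returning FALSE; map both forms onto the documented AUTH_NOCONNECT result.
			$lookupOk = FALSE;
		}
		if (!$lookupOk)
		{
			$this->makeErrorText('Lookup query failed');
			e107::getMessage()->addDebug($qry);	// safe to log: the statement text holds no user data
			return AUTH_NOCONNECT;
		}
		if (!$row = $stmt->fetch(PDO::FETCH_ASSOC))
		{
			$this->makeErrorText('User not found');
			return AUTH_NOUSER;
		}

		// Got a row - check the password with the configured hashing method
		require_once(e_PLUGIN.'alt_auth/extended_password_handler.php');	// also loads the 'standard' password handler
		$pass_check = new ExtendedPasswordHandler();
		$passMethod = $pass_check->passwordMapping($this->conf['e107db_password_method']);
		if ($passMethod === FALSE)
		{
			$this->makeErrorText('Password error - invalid method');
			return AUTH_BADPASSWORD;
		}
		if ($pass_check->checkPassword($pword, $uname, $row['user_password'], $passMethod) !== PASSWORD_VALID)
		{
			$this->makeErrorText('Password incorrect');
			return AUTH_BADPASSWORD;
		}

		// Valid credentials - optionally require membership of a configured user class.
		// user_class is a comma-separated list of class IDs returned as strings, so the
		// loose in_array() comparison against the integer $filterClass is deliberate.
		if ($filterClass != e_UC_PUBLIC)
		{
			$classes = explode(',', (string) $row['user_class']);
			if (!in_array($filterClass, $classes))
			{
				$this->makeErrorText('User class not found');
				return AUTH_NOUSER;		// Treat as non-existent user
			}
		}

		// Copy across the configured extra fields for the caller
		foreach ($this->conf as $k => $v)
		{
			if ($v && (strpos($k, 'e107db_xf_') === 0))
			{
				$f = substr($k, strlen('e107db_xf_'));
				if (isset($row[$f]))
				{
					$newvals[$f] = $row[$f];
				}
			}
		}
		$this->makeErrorText('');	// Success - clear any stale error text
		return AUTH_SUCCESS;
	}
}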