4 * Copyright (C) 2004,2007 ReiniUrban
6 * This file is part of PhpWiki.
8 * PhpWiki is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
13 * PhpWiki is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with PhpWiki; if not, write to the Free Software
20 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
24 * We have two possibilities here:
25 * 1) The webserver location is already HTTP protected.
26 * Usually Basic by some auth module (ldap, mysql, ...), but also NTLM or Digest.
27 * Then just use this username and do nothing.
28 * 2) The webserver location is not protected, so we enforce basic HTTP Protection
29 * by sending a 401 error and let the client display the login dialog.
30 * This only makes sense if HttpAuth is the last method in USER_AUTH_ORDER,
31 * since the other methods cannot be transparently called after this enforced
33 * Try the available auth methods (most likely Bogo) and send this header back.
34 * header('Authorization: Basic '.base64_encode("$userid:$passwd")."\r\n";
36 class _HttpAuthUpperPassUser
39 function _HttpAuthUpperPassUser($UserName='', $prefs=false) {
// PHP4-style constructor. $UserName is the name the caller believes the
// webserver authenticated; $prefs, when given, replaces the default prefs.
// NOTE(review): source lines 43, 46, 50-51 and 53-55 are not in this listing,
// so the exact branch structure (else-branches, the success return) is only
// partially visible here.
40 if ($prefs) $this->_prefs = $prefs;
// Only run the generic _PassUser setup when the prefs object has no
// auth method recorded yet.
41 if (!isset($this->_prefs->_method))
42 _PassUser::_PassUser($UserName);
44 $this->_userid = $UserName;
45 $this->_authmethod = 'HttpAuthUpper';
47 // Is this double check really needed?
48 // It is not expensive so we keep it for now.
// userExists() re-reads the identity supplied by the webserver and compares
// it (case-insensitively) with $this->_userid; on mismatch it already
// demotes this object to WIKIAUTH_FORBIDDEN.
49 if ($this->userExists()) {
// NOTE(review): a value returned from a PHP constructor is discarded by
// `new`; confirm how callers construct this class before relying on the
// ForbiddenUser being handed back here.
52 return $GLOBALS['ForbiddenUser'];
56 // FIXME! This doesn't work yet!
57 // Allow httpauth by other method: Admin for now only
58 function _fake_auth($userid, $passwd) {
// Make the current request look HTTP-authenticated for a user whose
// password was verified by some other auth method (see the class comment,
// case 2). Marked FIXME above: not known to work. Source lines 59-60 and
// 63 are not in this listing.
61 header('WWW-Authenticate: Basic realm="'.WIKI_NAME.'"');
// Security note: Authorization is a *request* header. Emitting it in the
// response has no effect on the client's authentication state and writes
// the base64-encoded (not encrypted) username:password pair into the
// response, where proxies and response logs can record it.
62 header("Authorization: Basic ".base64_encode($userid.":".$passwd));
// Populate the server-side copies so that _http_username() and
// userExists() see this user for the remainder of the request.
64 $_SERVER =& $GLOBALS['HTTP_SERVER_VARS'];
65 $GLOBALS['REMOTE_USER'] = $userid;
66 $_SERVER['PHP_AUTH_USER'] = $userid;
67 $_SERVER['PHP_AUTH_PW'] = $passwd;
68 //$GLOBALS['request']->setStatus(200);
// NOTE(review): the signature of the method containing these lines (source
// lines 69-72) is not in this listing; from the body this appears to be the
// HTTP-auth logout path — confirm against the full file.
73 $_SERVER =& $GLOBALS['HTTP_SERVER_VARS'];
74 // Maybe we should random the realm to really force a logout.
75 // But the next login will fail.
76 // better_srand(); $realm = microtime().rand();
77 // TODO: On AUTH_TYPE=NTLM this will fail. Only Basic supported so far.
// Re-challenge the browser: a 401 plus WWW-Authenticate makes it prompt
// again. Basic credentials are cached client-side and cannot be revoked by
// the server, which is what the realm-randomising idea above is about.
78 header('WWW-Authenticate: Basic realm="'.WIKI_NAME.'"');
// Apache accepts a raw status line; other SAPIs need the "Status:" header
// (source line 81, presumably the else, is not in this listing).
79 if (strstr(php_sapi_name(), 'apache'))
80 header('HTTP/1.0 401 Unauthorized');
82 header("Status: 401 Access Denied"); //IIS and CGI need that
// Drop this request's copies of the identity; the client still holds the
// credentials and may re-send them on the next request.
83 unset($GLOBALS['REMOTE_USER']);
84 unset($_SERVER['PHP_AUTH_USER']);
85 unset($_SERVER['PHP_AUTH_PW']);
88 function _http_username() {
// Return the username the webserver (or PHP) established for this request,
// checking the usual locations in order. empty() skips unset and '' values.
// Source lines 99 and 103-107 (the code that uses $userid) are not in this
// listing.
90 $_SERVER =& $GLOBALS['HTTP_SERVER_VARS'];
91 if (!empty($_SERVER['PHP_AUTH_USER']))
92 return $_SERVER['PHP_AUTH_USER'];
93 if (!empty($_SERVER['REMOTE_USER']))
94 return $_SERVER['REMOTE_USER'];
95 if (!empty($GLOBALS['HTTP_ENV_VARS']['REMOTE_USER']))
96 return $GLOBALS['HTTP_ENV_VARS']['REMOTE_USER'];
97 if (!empty($GLOBALS['REMOTE_USER']))
98 return $GLOBALS['REMOTE_USER'];
// Last resort: decode the raw Authorization header ourselves.
// NOTE(review): substr(..., 6) assumes a "Basic " prefix without checking
// the scheme, so a Digest/NTLM/Bearer header would be mis-decoded; explode()
// has no limit, so a password containing ':' is split and only its first
// part lands in $passwd; with no ':' at all, list() leaves $passwd undefined.
// Security: this header is supplied by the client. The webserver has only
// verified it when the location is HTTP-protected (case 1 in the class
// comment); checkPass() below does not check the password, so in case 2
// the name taken here is unauthenticated unless another method verified it.
100 if (!empty($_SERVER['HTTP_AUTHORIZATION'])) {
101 list($userid, $passwd) = explode(':',
102 base64_decode(substr($_SERVER['HTTP_AUTHORIZATION'], 6)));
108 // special: force upcase username
109 function UserName() {
// Upper-case the stored userid in place and return it. strtoupper() is
// byte-wise, so only ASCII letters are folded; non-ASCII names pass
// through unchanged. The second strtoupper() is redundant since _userid
// was just upper-cased. The empty() branch (source lines 113-115) is not
// in this listing.
110 if (!empty($this->_userid)) {
111 $this->_userid = strtoupper($this->_userid);
112 return strtoupper($this->_userid);
116 // force http auth authorization
117 function userExists() {
// Verify that the identity the webserver presents for this request matches
// $this->_userid, then set _level accordingly. Source lines 124, 129, 131,
// 133-134, 138-140 and 147-149 are not in this listing, so the condition on
// line 132 and the if/else bodies are only partially visible.
118 if (!isset($_SERVER))
119 $_SERVER =& $GLOBALS['HTTP_SERVER_VARS'];
// Name as established by the webserver; see _http_username() for the
// client-controlled HTTP_AUTHORIZATION fallback.
120 $username = strtoupper($this->_http_username());
121 if (strstr($username, "\\")
122 and isset($_SERVER['AUTH_TYPE'])
123 and $_SERVER['AUTH_TYPE'] == 'NTLM')
125 // allow domain\user, change userid to domain/user
// Both the presented name and our stored userid are rewritten with
// SUBPAGE_SEPARATOR so the comparison below sees the same form.
126 $username = str_ireplace("\\\\", "\\", $username); // php bug with _SERVER
127 $username = str_ireplace("\\", SUBPAGE_SEPARATOR, $username);
128 $this->_userid = str_ireplace("\\", SUBPAGE_SEPARATOR, $this->_userid);
130 // FIXME: if AUTH_TYPE = NTLM there's a domain\\name <> domain\name mismatch
// Case-insensitive mismatch check. NOTE(review): loose != compares
// numeric-looking strings numerically ('1e3' == '1000'); !== would be the
// exact comparison. The first operand of this `or` (line 131) is missing.
132 or strtolower($username) != strtolower($this->_userid))
// Mismatch: demote to forbidden. Note this also clears _userid on the
// shared $GLOBALS['ForbiddenUser'] object, not just on $this.
135 $user = $GLOBALS['ForbiddenUser'];
136 $user->_userid = $this->_userid = "";
137 $this->_level = WIKIAUTH_FORBIDDEN;
// Match: adopt the webserver-supplied (upper-cased) name and grant at
// least WIKIAUTH_USER; isAdmin() decides whether to raise to ADMIN.
141 $this->_userid = strtoupper($username);
142 // we should check if he is a member of admin,
143 // because HttpAuth has its own logic.
144 $this->_level = WIKIAUTH_USER;
145 if ($this->isAdmin())
146 $this->_level = WIKIAUTH_ADMIN;
150 // ignore password, this is checked by the webservers http auth.
151 function checkPass($submitted_password) {
// $submitted_password is intentionally ignored: the webserver is trusted to
// have verified it. The returned level therefore depends solely on
// userExists()/isAdmin(), and is only as trustworthy as the HTTP protection
// on this location (class comment, case 1). The false branch of the ternary
// (source line 154) is not in this listing.
152 return $this->userExists()
153 ? ($this->isAdmin() ? WIKIAUTH_ADMIN : WIKIAUTH_USER)
157 function mayChangePass() {
166 // c-hanging-comment-ender-p: nil
167 // indent-tabs-mode: nil