3 /* Copyright (C) 2004 ReiniUrban
4 * This file is part of PhpWiki. Terms and Conditions see LICENSE. (GPL2)
8 * We have two possibilities here.
9 * 1) The webserver location is already HTTP protected. Usually Basic, but also
10 * NTLM or Digest. Then just use this username and do nothing.
11 * 2) The webserver location is not protected, so we enforce basic HTTP Protection
12 * by sending a 401 error and letting the client display the login dialog. Note that in this case the web server has not verified the password the client sends; nothing in this class verifies it either (see checkPass()).
13 * This only makes sense if HttpAuth is the last method in USER_AUTH_ORDER,
14 * since the other methods cannot be transparently called after this enforced
16 * Try the available auth methods (most likely Bogo) and send this header back:
17 * header('Authorization: Basic '.base64_encode("$userid:$passwd")."\r\n";
19 class _HttpAuthPassUser
22 function _HttpAuthPassUser($UserName='', $prefs=false) {
// PHP4-style constructor. $UserName is the name the caller wants to log in
// as (login form / session); $prefs is an optional preferences object.
23 if ($prefs) $this->_prefs = $prefs;
// Chain to the parent PHP4 constructor only when no prefs object with a
// method has been set up yet (e.g. by a class further up the chain).
24 if (!isset($this->_prefs->_method))
25 _PassUser::_PassUser($UserName);
26 if ($UserName) $this->_userid = $UserName;
27 $this->_authmethod = 'HttpAuth';
29 // Is this double check really needed?
30 // It is not expensive so we keep it for now.
// userExists() compares the name the HTTP layer asserts with $this->_userid
// and blanks the id on a mismatch, so $this->_userid is only trustworthy
// after this call.
31 if ($this->userExists()) {
// NOTE(review): the lines between this `if` and the `return` below are not
// in this excerpt, so which branch returns ForbiddenUser cannot be confirmed
// from here.
34 return $GLOBALS['ForbiddenUser'];
38 // FIXME! This doesn't work yet!
39 // Allow httpauth by other method: Admin for now only
40 function _fake_auth($userid, $passwd) {
// Tries to make the request look as if the web server had performed Basic
// auth for a user that another method already verified. The author marks it
// FIXME; nothing in this excerpt shows it being called.
// SECURITY NOTE(review): `Authorization:` is a *request* header. Emitting it
// in the response (second line below) does nothing for the client, but it
// does write base64($userid:$passwd) -- base64 is reversible, not a hash --
// into an outgoing header that proxies, caches and access logs may record.
// If this code is ever enabled, that header() call must be removed.
43 header('WWW-Authenticate: Basic realm="'.WIKI_NAME.'"');
44 header("Authorization: Basic ".base64_encode($userid.":".$passwd));
// PHP4 compatibility alias for the superglobal.
46 $_SERVER =& $GLOBALS['HTTP_SERVER_VARS'];
// Populate the same variables _http_username() consults so the rest of the
// class sees this user as HTTP-authenticated. The plaintext password then
// lives in $_SERVER for the remainder of the request.
47 $GLOBALS['REMOTE_USER'] = $userid;
48 $_SERVER['PHP_AUTH_USER'] = $userid;
49 $_SERVER['PHP_AUTH_PW'] = $passwd;
50 //$GLOBALS['request']->setStatus(200);
55 $_SERVER =& $GLOBALS['HTTP_SERVER_VARS'];
// NOTE(review): the method header is not in this excerpt; from the body this
// is the HttpAuth logout path: re-challenge with a 401, then drop the
// server-side copy of the credentials.
56 // Maybe we should random the realm to really force a logout.
57 // But the next login will fail.
58 // better_srand(); $realm = microtime().rand();
// Basic auth has no real logout: the browser keeps re-sending its cached
// credentials for the realm, so the 401 below only makes it prompt again.
// The realm is not a secret, so its randomness is a usability question
// (as the comment above notes), not a cryptographic one.
59 // TODO: On AUTH_TYPE=NTLM this will fail. Only Basic supported so far.
60 header('WWW-Authenticate: Basic realm="'.WIKI_NAME.'"');
// Under the Apache SAPI the status goes out as a raw HTTP status line; CGI
// and IIS SAPIs need the "Status:" pseudo-header instead. (The `else` that
// joins the two branches is not in this excerpt.)
61 if (strstr(php_sapi_name(), 'apache'))
62 header('HTTP/1.0 401 Unauthorized');
64 header("Status: 401 Access Denied"); //IIS and CGI need that
// Clear every variable _http_username() reads so that the current request
// no longer resolves to a logged-in user.
65 unset($GLOBALS['REMOTE_USER']);
66 unset($_SERVER['PHP_AUTH_USER']);
67 unset($_SERVER['PHP_AUTH_PW']);
70 function _http_username() {
// Returns the user name the HTTP layer asserts for this request. Server-set
// variables are consulted first; the raw Authorization header is the last
// resort. (The final return statement and closing brace are not in this
// excerpt.) Note that !empty() also rejects a user literally named "0".
72 $_SERVER =& $GLOBALS['HTTP_SERVER_VARS'];
// PHP_AUTH_USER / REMOTE_USER are filled in by the SAPI / web server.
// Whether a password was actually verified before they were set depends
// entirely on the server configuration (case 1 vs. case 2 in the file
// header); this class never checks PHP_AUTH_PW itself.
73 if (!empty($_SERVER['PHP_AUTH_USER']))
74 return $_SERVER['PHP_AUTH_USER'];
75 if (!empty($_SERVER['REMOTE_USER']))
76 return $_SERVER['REMOTE_USER'];
77 if (!empty($GLOBALS['HTTP_ENV_VARS']['REMOTE_USER']))
78 return $GLOBALS['HTTP_ENV_VARS']['REMOTE_USER'];
// $GLOBALS['REMOTE_USER'] is the marker _fake_auth() sets.
// SECURITY NOTE(review): a plain global is not a server-controlled value.
// With register_globals enabled (PHP 4 / early PHP 5) a client can set it
// from the query string, and any included script can set it too. Confirm
// register_globals is off wherever this runs, or drop this fallback.
79 if (!empty($GLOBALS['REMOTE_USER']))
80 return $GLOBALS['REMOTE_USER'];
// Last resort: parse the client's own Authorization header. HTTP_* entries
// in $_SERVER are copied verbatim from the request, so nothing here proves
// the credentials were checked by anyone.
// NOTE(review): substr(..., 6) strips six bytes without checking that the
// scheme is "Basic ", and explode() without a limit truncates a password
// that contains ':' (RFC 7617 allows that in the password). A malformed or
// non-Basic header leaves list() with garbage or a notice. If this branch
// is kept, use `explode(':', ..., 2)` and check the scheme with
// strncasecmp() first.
82 if (!empty($_SERVER['HTTP_AUTHORIZATION'])) {
83 list($userid, $passwd) = explode(':',
84 base64_decode(substr($_SERVER['HTTP_AUTHORIZATION'], 6)));
90 // force http auth authorization
91 function userExists() {
// Checks that the name asserted by the HTTP layer matches the name this
// user object was created with and sets $this->_level accordingly. Several
// lines of the original (the start of the mismatch condition, the `else`,
// and the return statements) are not in this excerpt.
93 $_SERVER =& $GLOBALS['HTTP_SERVER_VARS'];
94 $username = $this->_http_username();
// NTLM delivers DOMAIN\user. Map the backslash to SUBPAGE_SEPARATOR so the
// name is usable as a wiki page name, and apply the same mapping to the
// expected id so the comparison below stays consistent.
95 if (strstr($username, "\\")
96 and isset($_SERVER['AUTH_TYPE'])
97 and $_SERVER['AUTH_TYPE'] == 'NTLM')
99 // allow domain\user, change userid to domain/user
100 $username = str_ireplace("\\\\", "\\", $username); // php bug with _SERVER
101 $username = str_ireplace("\\", SUBPAGE_SEPARATOR, $username);
102 $this->_userid = str_ireplace("\\", SUBPAGE_SEPARATOR, $this->_userid);
104 // FIXME: if AUTH_TYPE = NTLM there's a domain\\name <> domain\name mismatch
// Mismatch between the HTTP-asserted name and the requested one: demote to
// the forbidden user and blank both ids. The comparison is case-insensitive
// via strtolower().
// NOTE(review): `!=` is PHP's loose comparison, so two numeric-looking
// strings ("01" vs "1", "1e3" vs "1000") compare equal; `!==` would be the
// safer choice here.
106 or strtolower($username) != strtolower($this->_userid))
109 $user = $GLOBALS['ForbiddenUser'];
110 $user->_userid = $this->_userid = "";
111 $this->_level = WIKIAUTH_FORBIDDEN;
// Match: adopt the HTTP layer's spelling of the name and grant USER, or
// ADMIN when isAdmin() says so. No password is consulted anywhere in this
// excerpt (see checkPass()); the web server is trusted to have verified it.
115 $this->_userid = $username;
116 // we should check if he is a member of admin,
117 // because HttpAuth has its own logic.
118 $this->_level = WIKIAUTH_USER;
119 if ($this->isAdmin())
120 $this->_level = WIKIAUTH_ADMIN;
124 // The submitted password is ignored here: it is assumed to have been checked by the web server's HTTP auth (case 1 in the file header). Nothing in this class checks it itself.
125 function checkPass($submitted_password) {
// Returns the access level for this user: ADMIN or USER when the HTTP
// identity matches (userExists()), otherwise the value in the branch not
// shown in this excerpt. $submitted_password is deliberately unused; the
// design assumes the web server already verified the credentials.
// SECURITY NOTE(review): in case 2 of the file header (PhpWiki itself sends
// the 401) no component visible here ever checks the password, so the level
// depends only on the name the client asserts. Rely on this method only
// behind a location the web server actually protects.
126 return $this->userExists()
127 ? ($this->isAdmin() ? WIKIAUTH_ADMIN : WIKIAUTH_USER)
131 function mayChangePass() {
136 // $Log: not supported by cvs2svn $
137 // Revision 1.7 2006/09/03 10:10:00 rurban
138 // oops: reset this->_userid also
140 // Revision 1.6 2006/09/03 09:57:19 rurban
141 // Support AUTH_TYPE=NTLM (Windows domain\username)
142 // Workaround PHP _SERVER bug adding \\ => \\\\
144 // Revision 1.5 2005/02/28 20:35:45 rurban
147 // Revision 1.4 2004/12/26 17:11:16 rurban
150 // Revision 1.3 2004/12/19 00:58:02 rurban
151 // Enforce PASSWORD_LENGTH_MINIMUM in almost all PassUser checks,
152 // Provide an errormessage if so. Just PersonalPage and BogoLogin not.
153 // Simplify httpauth logout handling and set sessions for all methods.
154 // fix main.php unknown index "x" getLevelDescription() warning.
156 // Revision 1.2 2004/12/17 12:31:57 rurban
157 // better logout, fake httpauth not yet
159 // Revision 1.1 2004/11/01 10:43:58 rurban
160 // seperate PassUser methods into seperate dir (memory usage)
161 // fix WikiUser (old) overlarge data session
162 // remove wikidb arg from various page class methods, use global ->_dbi instead
170 // c-hanging-comment-ender-p: nil
171 // indent-tabs-mode: nil