3 /* Copyright (C) 2004 ReiniUrban
4 * This file is part of PhpWiki. Terms and Conditions see LICENSE. (GPL2)
8 * We have two possibilities here.
9 * 1) The webserver location is already HTTP protected. Usually Basic, but also
10 * NTLM or Digest. Then just use this username and do nothing.
11 * 2) The webserver location is not protected, so we enforce basic HTTP Protection
12 * by sending a 401 error and let the client display the login dialog.
13 * This only makes sense if HttpAuth is the last method in USER_AUTH_ORDER,
14 * since the other methods cannot be transparently called after this enforced
16 * Try the available auth methods (most likely Bogo) and send this header back.
17 * header('Authorization: Basic '.base64_encode("$userid:$passwd")."\r\n";
// Pass-user class for the HttpAuth method. The visible code never verifies a
// password itself: checkPass() only calls userExists(), which compares the
// wiki userid with the name reported by _http_username().
// NOTE(review): that is only sound when the web server really enforces
// authentication for this location. Where it does not, the name may come from
// request data that nothing on this page has verified -- confirm the
// deployment before enabling this method.
// NOTE(review): this listing is incomplete. The embedded source line numbers
// skip (20-21, 32-33, 51-54, 105, 128, ...), so some statements, braces and
// one method header are not shown; the comments below describe visible lines
// only.
19 class _HttpAuthPassUser
// Constructor (PHP 4 style: a method named like the class). Keeps $prefs when
// given, calls _PassUser::_PassUser($UserName) if $this->_prefs->_method is
// unset, stores $UserName as _userid and sets _authmethod to HttpAuth.
22 function _HttpAuthPassUser($UserName='', $prefs=false) {
23 if ($prefs) $this->_prefs = $prefs;
24 if (!isset($this->_prefs->_method))
25 _PassUser::_PassUser($UserName);
26 if ($UserName) $this->_userid = $UserName;
27 $this->_authmethod = 'HttpAuth';
29 // Is this double check really needed?
30 // It is not expensive so we keep it for now.
31 if ($this->userExists()) {
// NOTE(review): source lines 32-33 are not shown; presumably the next line is
// the else branch, taken when userExists() fails -- confirm.
34 return $GLOBALS['ForbiddenUser'];
38 // FIXME! This doesn't work yet!
39 // Allow httpauth by other method: Admin for now only
// Sends a WWW-Authenticate challenge plus an Authorization line through
// header(), then copies $userid and $passwd into the REMOTE_USER global and
// the PHP_AUTH_USER / PHP_AUTH_PW entries of $_SERVER.
// NOTE(review): header() writes response headers, so the Authorization line
// would hand base64(userid:passwd) back to the client; base64 is an encoding,
// not protection. The values written here are also the ones _http_username()
// trusts. Source lines 41-42 are not shown and may disable this body --
// confirm before relying on or re-enabling it.
40 function _fake_auth($userid, $passwd) {
43 header('WWW-Authenticate: Basic realm="'.WIKI_NAME.'"');
44 header("Authorization: Basic ".base64_encode($userid.":".$passwd));
// NOTE(review): source line 45 is not shown; presumably a guard in front of
// this fallback assignment.
46 $_SERVER =& $GLOBALS['HTTP_SERVER_VARS'];
47 $GLOBALS['REMOTE_USER'] = $userid;
48 $_SERVER['PHP_AUTH_USER'] = $userid;
49 $_SERVER['PHP_AUTH_PW'] = $passwd;
50 //$GLOBALS['request']->setStatus(200);
// NOTE(review): source lines 51-54 are not shown. The statements below look
// like the body of the logout method, whose header is missing here.
// They answer with a Basic challenge and a 401 status, then remove the user
// name and password from the REMOTE_USER global and from $_SERVER.
// NOTE(review): WIKI_NAME is placed inside the quoted realm without escaping;
// a double quote or line break in that constant would corrupt the header, so
// it should be restricted or escaped where it is configured.
// NOTE(review): with Basic auth the browser keeps its cached credentials for
// the realm, so clearing these server-side variables does not by itself end
// the session on the client (the original comment below hints at the same).
55 $_SERVER =& $GLOBALS['HTTP_SERVER_VARS'];
56 // Maybe we should random the realm to really force a logout.
57 // But the next login will fail.
58 // better_srand(); $realm = microtime().rand();
59 // TODO: On AUTH_TYPE=NTLM this will fail. Only Basic supported so far.
60 header('WWW-Authenticate: Basic realm="'.WIKI_NAME.'"');
61 if (strstr(php_sapi_name(), 'apache'))
62 header('HTTP/1.0 401 Unauthorized');
// NOTE(review): source line 63 is not shown; presumably an else, so that only
// one of the two status forms is sent.
64 header("Status: 401 Access Denied"); //IIS and CGI need that
65 unset($GLOBALS['REMOTE_USER']);
66 unset($_SERVER['PHP_AUTH_USER']);
67 unset($_SERVER['PHP_AUTH_PW']);
// Returns the first non-empty user name from, in order: PHP_AUTH_USER and
// REMOTE_USER in $_SERVER, REMOTE_USER in the HTTP_ENV_VARS global, and the
// REMOTE_USER global.
// NOTE(review): the REMOTE_USER global is an ordinary variable, not a
// server-populated array. On legacy PHP setups with register_globals enabled
// it may be settable from request input, so this fallback should be removed
// or guarded -- verify against the supported PHP versions.
70 function _http_username() {
72 $_SERVER =& $GLOBALS['HTTP_SERVER_VARS'];
73 if (!empty($_SERVER['PHP_AUTH_USER']))
74 return $_SERVER['PHP_AUTH_USER'];
75 if (!empty($_SERVER['REMOTE_USER']))
76 return $_SERVER['REMOTE_USER'];
77 if (!empty($GLOBALS['HTTP_ENV_VARS']['REMOTE_USER']))
78 return $GLOBALS['HTTP_ENV_VARS']['REMOTE_USER'];
79 if (!empty($GLOBALS['REMOTE_USER']))
80 return $GLOBALS['REMOTE_USER'];
// Last resort: parse the raw Authorization header. substr(..., 6) skips six
// characters, the length of the scheme prefix for Basic, without checking
// that the scheme really is Basic; base64_decode() is called in non-strict
// mode; explode() has no limit, so the decoded value is split at every colon.
// NOTE(review): a value without a colon leaves $passwd unassigned, and a
// password containing a colon is cut short. Checking the prefix, using strict
// decoding and explode with a limit of 2 would make this robust.
// Source lines 85-88 (presumably the return statements) are not shown.
82 if (!empty($_SERVER['HTTP_AUTHORIZATION'])) {
83 list($userid, $passwd) = explode(':',
84 base64_decode(substr($_SERVER['HTTP_AUTHORIZATION'], 6)));
90 // force http auth authorization
// Decides whether the HTTP-reported name matches this user and sets _level.
// For NTLM names containing a backslash, doubled backslashes are collapsed
// and the backslash is replaced by SUBPAGE_SEPARATOR in both $username and
// _userid before the comparison.
91 function userExists() {
93 $_SERVER =& $GLOBALS['HTTP_SERVER_VARS'];
94 $username = $this->_http_username();
95 if (strstr($username, "\\")
96 and isset($_SERVER['AUTH_TYPE'])
97 and $_SERVER['AUTH_TYPE'] == 'NTLM')
99 // allow domain\user, change userid to domain/user
100 $username = str_ireplace("\\\\", "\\", $username); // php bug with _SERVER
101 $username = str_ireplace("\\", SUBPAGE_SEPARATOR, $username);
102 $this->_userid = str_ireplace("\\", SUBPAGE_SEPARATOR, $this->_userid);
104 // FIXME: if AUTH_TYPE = NTLM there's a domain\\name <> domain\name mismatch
// NOTE(review): source line 105 (the start of this condition) is not shown.
// The visible part compares lower-cased names with the loose != operator,
// which compares numeric-looking strings as numbers; !== would avoid that.
106 or strtolower($username) != strtolower($this->_userid))
// Mismatch path: blank the userid on $user, taken from the ForbiddenUser
// global, and on this object, then mark this user as forbidden.
109 $user = $GLOBALS['ForbiddenUser'];
110 $user->_userid = $this->_userid = "";
111 $this->_level = WIKIAUTH_FORBIDDEN;
// Presumably the match path (source lines 112-114 are not shown): adopt the
// HTTP-reported spelling of the name; the level is USER, raised to ADMIN when
// isAdmin() says so.
115 $this->_userid = $username;
116 // we should check if he is a member of admin,
117 // because HttpAuth has its own logic.
118 $this->_level = WIKIAUTH_USER;
119 if ($this->isAdmin())
120 $this->_level = WIKIAUTH_ADMIN;
124 // ignore password, this is checked by the webservers http auth.
// $submitted_password is not used in the visible lines: the result depends
// only on userExists() and isAdmin(). Source line 128 (the false branch of
// the ternary) is not shown.
125 function checkPass($submitted_password) {
126 return $this->userExists()
127 ? ($this->isAdmin() ? WIKIAUTH_ADMIN : WIKIAUTH_USER)
// NOTE(review): the body of mayChangePass (source lines 132 onward) is not
// shown in this listing.
131 function mayChangePass() {
140 // c-hanging-comment-ender-p: nil
141 // indent-tabs-mode: nil