3 /* Copyright (C) 2004,2007 ReiniUrban
4 * This file is part of PhpWiki. Terms and Conditions see LICENSE. (GPL2)
8 * We have two possibilities here:
9 * 1) The webserver location is already HTTP protected,
10 * usually Basic via some auth module (ldap, mysql, ...), but NTLM or Digest are also possible.
11 * Then just use this username (the webserver has already authenticated it) and do nothing else.
12 * 2) The webserver location is not protected, so we enforce Basic HTTP protection
13 * by sending a 401 error and letting the client display the login dialog.
14 * This only makes sense if HttpAuth is the last method in USER_AUTH_ORDER,
15 * since the other methods cannot be transparently called after this enforced
17 * Try the available auth methods (most likely Bogo) and send this header back:
18 * header('Authorization: Basic '.base64_encode("$userid:$passwd")."\r\n");
20 class _HttpAuthUpperPassUser
23 function _HttpAuthUpperPassUser($UserName='', $prefs=false) {
24 if ($prefs) $this->_prefs = $prefs;
25 if (!isset($this->_prefs->_method))
26 _PassUser::_PassUser($UserName);
28 $this->_userid = $UserName;
29 $this->_authmethod = 'HttpAuthUpper';
31 // Is this double check really needed?
32 // It is not expensive so we keep it for now.
33 if ($this->userExists()) {
36 return $GLOBALS['ForbiddenUser'];
40 // FIXME! This doesn't work yet!
41 // Allow HTTP auth via another auth method: admin only for now.
42 function _fake_auth($userid, $passwd) {
45 header('WWW-Authenticate: Basic realm="'.WIKI_NAME.'"');
46 header("Authorization: Basic ".base64_encode($userid.":".$passwd));
48 $_SERVER =& $GLOBALS['HTTP_SERVER_VARS'];
49 $GLOBALS['REMOTE_USER'] = $userid;
50 $_SERVER['PHP_AUTH_USER'] = $userid;
51 $_SERVER['PHP_AUTH_PW'] = $passwd;
52 //$GLOBALS['request']->setStatus(200);
57 $_SERVER =& $GLOBALS['HTTP_SERVER_VARS'];
58 // Maybe we should randomize the realm to really force a logout,
59 // but then the next login would fail.
60 // better_srand(); $realm = microtime().rand();
61 // TODO: With AUTH_TYPE=NTLM this will fail; only Basic is supported so far.
62 header('WWW-Authenticate: Basic realm="'.WIKI_NAME.'"');
63 if (strstr(php_sapi_name(), 'apache'))
64 header('HTTP/1.0 401 Unauthorized');
66 header("Status: 401 Access Denied"); //IIS and CGI need that
67 unset($GLOBALS['REMOTE_USER']);
68 unset($_SERVER['PHP_AUTH_USER']);
69 unset($_SERVER['PHP_AUTH_PW']);
72 function _http_username() {
74 $_SERVER =& $GLOBALS['HTTP_SERVER_VARS'];
75 if (!empty($_SERVER['PHP_AUTH_USER']))
76 return $_SERVER['PHP_AUTH_USER'];
77 if (!empty($_SERVER['REMOTE_USER']))
78 return $_SERVER['REMOTE_USER'];
79 if (!empty($GLOBALS['HTTP_ENV_VARS']['REMOTE_USER']))
80 return $GLOBALS['HTTP_ENV_VARS']['REMOTE_USER'];
81 if (!empty($GLOBALS['REMOTE_USER']))
82 return $GLOBALS['REMOTE_USER'];
84 if (!empty($_SERVER['HTTP_AUTHORIZATION'])) {
85 list($userid, $passwd) = explode(':',
86 base64_decode(substr($_SERVER['HTTP_AUTHORIZATION'], 6)));
92 // Special case: force the username to upper case.
94 if (!empty($this->_userid)) {
95 $this->_userid = strtoupper($this->_userid);
96 return strtoupper($this->_userid);
100 // Force HTTP auth authorization.
101 function userExists() {
102 if (!isset($_SERVER))
103 $_SERVER =& $GLOBALS['HTTP_SERVER_VARS'];
104 $username = strtoupper($this->_http_username());
105 if (strstr($username, "\\")
106 and isset($_SERVER['AUTH_TYPE'])
107 and $_SERVER['AUTH_TYPE'] == 'NTLM')
109 // allow domain\user, change userid to domain/user
110 $username = str_ireplace("\\\\", "\\", $username); // php bug with _SERVER
111 $username = str_ireplace("\\", SUBPAGE_SEPARATOR, $username);
112 $this->_userid = str_ireplace("\\", SUBPAGE_SEPARATOR, $this->_userid);
114 // FIXME: if AUTH_TYPE = NTLM there's a domain\\name <> domain\name mismatch
116 or strtolower($username) != strtolower($this->_userid))
119 $user = $GLOBALS['ForbiddenUser'];
120 $user->_userid = $this->_userid = "";
121 $this->_level = WIKIAUTH_FORBIDDEN;
125 $this->_userid = strtoupper($username);
126 // We should check whether the user is a member of the admin group,
127 // because HttpAuth has its own logic.
128 $this->_level = WIKIAUTH_USER;
129 if ($this->isAdmin())
130 $this->_level = WIKIAUTH_ADMIN;
134 // Ignore the submitted password; it has already been checked by the webserver's HTTP auth.
135 function checkPass($submitted_password) {
136 return $this->userExists()
137 ? ($this->isAdmin() ? WIKIAUTH_ADMIN : WIKIAUTH_USER)
141 function mayChangePass() {
150 // c-hanging-comment-ender-p: nil
151 // indent-tabs-mode: nil