lib/WikiUser/PdoDb.php

   1 <?php
   2
   3 /*
   4  * Copyright (C) 2004, 2005 ReiniUrban
   5  *
   6  * This file is part of PhpWiki.
   7  *
   8  * PhpWiki is free software; you can redistribute it and/or modify
   9  * it under the terms of the GNU General Public License as published by
  10  * the Free Software Foundation; either version 2 of the License, or
  11  * (at your option) any later version.
  12  *
  13  * PhpWiki is distributed in the hope that it will be useful,
  14  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  15  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  16  * GNU General Public License for more details.
  17  *
  18  * You should have received a copy of the GNU General Public License along
  19  * with PhpWiki; if not, write to the Free Software Foundation, Inc.,
  20  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
  21  */
  22
  23 include_once 'lib/WikiUser/Db.php';
  24
  25 class _PdoDbPassUser
  26     extends _DbPassUser
  27     /**
  28      * PDO DB methods (PHP5)
  29      *   prepare, bind, execute.
  30      * We use numrical FETCH_MODE_ROW, so we don't need aliases in the auth_* SQL statements.
  31      *
  32      * @tables: user
  33      * @tables: pref
  34      */
  35 {
  36     public $_authmethod = 'PDODb';
  37
  38     function _PdoDbPassUser($UserName = '', $prefs = false)
  39     {
  40
  41         if (!$this->_prefs and isa($this, "_PdoDbPassUser")) {
  42             if ($prefs) $this->_prefs = $prefs;
  43         }
  44         if (!isset($this->_prefs->_method))
  45             _PassUser::_PassUser($UserName);
  46         elseif (!$this->isValidName($UserName)) {
  47             trigger_error(_("Invalid username."), E_USER_WARNING);
  48             return false;
  49         }
  50         $this->_userid = $UserName;
  51         // make use of session data. generally we only initialize this every time,
  52         // but do auth checks only once
  53         $this->_auth_crypt_method = $GLOBALS['request']->_dbi->getAuthParam('auth_crypt_method');
  54         return $this;
  55     }
  56
  57     function getPreferences()
  58     {
  59         // override the generic slow method here for efficiency and not to
  60         // clutter the homepage metadata with prefs.
  61         _AnonUser::getPreferences();
  62         $this->getAuthDbh();
  63         if (isset($this->_prefs->_select)) {
  64             $dbh =& $this->_auth_dbi;
  65             $db_result = $dbh->query(sprintf($this->_prefs->_select, $dbh->quote($this->_userid)));
  66             // patched by frederik@pandora.be
  67             $prefs = $db_result->fetch(PDO_FETCH_BOTH);
  68             $prefs_blob = @$prefs["prefs"];
  69             if ($restored_from_db = $this->_prefs->retrieve($prefs_blob)) {
  70                 $this->_prefs->updatePrefs($restored_from_db);
  71                 return $this->_prefs;
  72             }
  73         }
  74         if ($this->_HomePagehandle) {
  75             if ($restored_from_page = $this->_prefs->retrieve
  76             ($this->_HomePagehandle->get('pref'))
  77             ) {
  78                 $this->_prefs->updatePrefs($restored_from_page);
  79                 return $this->_prefs;
  80             }
  81         }
  82         return $this->_prefs;
  83     }
  84
  85     function setPreferences($prefs, $id_only = false)
  86     {
  87         // if the prefs are changed
  88         if ($count = _AnonUser::setPreferences($prefs, 1)) {
  89             $this->getAuthDbh();
  90             $packed = $this->_prefs->store();
  91             if (!$id_only and isset($this->_prefs->_update)) {
  92                 $dbh =& $this->_auth_dbi;
  93                 try {
  94                     $sth = $dbh->prepare($this->_prefs->_update);
  95                     $sth->bindParam("prefs", $packed);
  96                     $sth->bindParam("user", $this->_userid);
  97                     $sth->execute();
  98                 } catch (PDOException $e) {
  99                     trigger_error("SQL Error: " . $e->getMessage(), E_USER_WARNING);
 100                     return false;
 101                 }
 102                 //delete pageprefs:
 103                 if ($this->_HomePagehandle and $this->_HomePagehandle->get('pref'))
 104                     $this->_HomePagehandle->set('pref', '');
 105             } else {
 106                 //store prefs in homepage, not in cookie
 107                 if ($this->_HomePagehandle and !$id_only)
 108                     $this->_HomePagehandle->set('pref', $packed);
 109             }
 110             return $count;
 111         }
 112         return 0;
 113     }
 114
 115     function userExists()
 116     {
 117         $this->getAuthDbh();
 118         $dbh = &$this->_auth_dbi;
 119         if (!$dbh) { // needed?
 120             return $this->_tryNextUser();
 121         }
 122         if (!$this->isValidName()) {
 123             trigger_error(_("Invalid username."), E_USER_WARNING);
 124             return $this->_tryNextUser();
 125         }
 126         $dbi =& $GLOBALS['request']->_dbi;
 127         if ($dbi->getAuthParam('auth_check') and empty($this->_authselect)) {
 128             try {
 129                 $this->_authselect = $dbh->prepare($dbi->getAuthParam('auth_check'));
 130             } catch (PDOException $e) {
 131                 trigger_error("SQL Error: " . $e->getMessage(), E_USER_WARNING);
 132                 return false;
 133             }
 134         }
 135         //NOTE: for auth_crypt_method='crypt' no special auth_user_exists is needed
 136         if (!$dbi->getAuthParam('auth_user_exists')
 137             and $this->_auth_crypt_method == 'crypt'
 138                 and $this->_authselect
 139         ) {
 140             try {
 141                 $this->_authselect->bindParam("userid", $this->_userid, PDO_PARAM_STR, 48);
 142                 $this->_authselect->execute();
 143             } catch (PDOException $e) {
 144                 trigger_error("SQL Error: " . $e->getMessage(), E_USER_WARNING);
 145                 return false;
 146             }
 147             if ($this->_authselect->fetchSingle())
 148                 return true;
 149         } else {
 150             if (!$dbi->getAuthParam('auth_user_exists'))
 151                 trigger_error(fmt("%s is missing", 'DBAUTH_AUTH_USER_EXISTS'),
 152                     E_USER_WARNING);
 153             $this->_authcheck = $dbh->prepare($dbi->getAuthParam('auth_check'));
 154             $this->_authcheck->bindParam("userid", $this->_userid, PDO_PARAM_STR, 48);
 155             $this->_authcheck->execute();
 156             if ($this->_authcheck->fetchSingle())
 157                 return true;
 158         }
 159         // User does not exist yet.
 160         // Maybe the user is allowed to create himself. Generally not wanted in
 161         // external databases, but maybe wanted for the wiki database, for performance
 162         // reasons
 163         if (empty($this->_authcreate) and $dbi->getAuthParam('auth_create')) {
 164             try {
 165                 $this->_authcreate = $dbh->prepare($dbi->getAuthParam('auth_create'));
 166             } catch (PDOException $e) {
 167                 trigger_error("SQL Error: " . $e->getMessage(), E_USER_WARNING);
 168                 return false;
 169             }
 170         }
 171         if (!empty($this->_authcreate) and
 172             isset($GLOBALS['HTTP_POST_VARS']['auth']) and
 173                 isset($GLOBALS['HTTP_POST_VARS']['auth']['passwd'])
 174         ) {
 175             $passwd = $GLOBALS['HTTP_POST_VARS']['auth']['passwd'];
 176             try {
 177                 $this->_authcreate->bindParam("userid", $this->_userid, PDO_PARAM_STR, 48);
 178                 $this->_authcreate->bindParam("password", $passwd, PDO_PARAM_STR, 48);
 179                 $rs = $this->_authselect->execute();
 180             } catch (PDOException $e) {
 181                 trigger_error("SQL Error: " . $e->getMessage(), E_USER_WARNING);
 182                 return false;
 183             }
 184             if ($rs)
 185                 return true;
 186         }
 187         return $this->_tryNextUser();
 188     }
 189
 190     function checkPass($submitted_password)
 191     {
 192         //global $DBAuthParams;
 193         $this->getAuthDbh();
 194         if (!$this->_auth_dbi) { // needed?
 195             return $this->_tryNextPass($submitted_password);
 196         }
 197         if (!$this->isValidName()) {
 198             return $this->_tryNextPass($submitted_password);
 199         }
 200         if (!$this->_checkPassLength($submitted_password)) {
 201             return WIKIAUTH_FORBIDDEN;
 202         }
 203         if (!isset($this->_authselect))
 204             $this->userExists();
 205         if (!isset($this->_authselect))
 206             trigger_error(fmt("Either %s is missing or DATABASE_TYPE != “%s”",
 207                     'DBAUTH_AUTH_CHECK', 'SQL'),
 208                 E_USER_WARNING);
 209
 210         //NOTE: for auth_crypt_method='crypt'  defined('ENCRYPTED_PASSWD',true) must be set
 211         if ($this->_auth_crypt_method == 'crypt') {
 212             try {
 213                 $this->_authselect->bindParam("userid", $this->_userid, PDO_PARAM_STR, 48);
 214                 $this->_authselect->execute();
 215                 $rs = $this->_authselect->fetch(PDO_FETCH_BOTH);
 216             } catch (PDOException $e) {
 217                 trigger_error("SQL Error: " . $e->getMessage(), E_USER_WARNING);
 218                 return false;
 219             }
 220             $stored_password = @$rs[0];
 221             $result = $this->_checkPass($submitted_password, $stored_password);
 222         } else {
 223             try {
 224                 $this->_authselect->bindParam("password", $submitted_password, PDO_PARAM_STR, 48);
 225                 $this->_authselect->bindParam("userid", $this->_userid, PDO_PARAM_STR, 48);
 226                 $this->_authselect->execute();
 227                 $rs = $this->_authselect->fetch(PDO_FETCH_BOTH);
 228             } catch (PDOException $e) {
 229                 trigger_error("SQL Error: " . $e->getMessage(), E_USER_WARNING);
 230                 return false;
 231             }
 232             $okay = @$rs[0];
 233             $result = !empty($okay);
 234         }
 235
 236         if ($result) {
 237             $this->_level = WIKIAUTH_USER;
 238             return $this->_level;
 239         } elseif (USER_AUTH_POLICY === 'strict') {
 240             $this->_level = WIKIAUTH_FORBIDDEN;
 241             return $this->_level;
 242         } else {
 243             return $this->_tryNextPass($submitted_password);
 244         }
 245     }
 246
 247     function mayChangePass()
 248     {
 249         return $GLOBALS['request']->_dbi->getAuthParam('auth_update');
 250     }
 251
 252     function storePass($submitted_password)
 253     {
 254         if (!$this->isValidName()) {
 255             return false;
 256         }
 257         $this->getAuthDbh();
 258         $dbh = &$this->_auth_dbi;
 259         $dbi =& $GLOBALS['request']->_dbi;
 260         if ($dbi->getAuthParam('auth_update') and empty($this->_authupdate)) {
 261             try {
 262                 $this->_authupdate = $dbh->prepare($dbi->getAuthParam('auth_update'));
 263             } catch (PDOException $e) {
 264                 trigger_error("SQL Error: " . $e->getMessage(), E_USER_WARNING);
 265                 return false;
 266             }
 267         }
 268         if (empty($this->_authupdate)) {
 269             trigger_error(fmt("Either %s is missing or DATABASE_TYPE != “%s”",
 270                     'DBAUTH_AUTH_UPDATE', 'SQL'),
 271                 E_USER_WARNING);
 272             return false;
 273         }
 274
 275         if ($this->_auth_crypt_method == 'crypt') {
 276             if (function_exists('crypt'))
 277                 $submitted_password = crypt($submitted_password);
 278         }
 279         try {
 280             $this->_authupdate->bindParam("password", $submitted_password, PDO_PARAM_STR, 48);
 281             $this->_authupdate->bindParam("userid", $this->_userid, PDO_PARAM_STR, 48);
 282             $this->_authupdate->execute();
 283         } catch (PDOException $e) {
 284             trigger_error("SQL Error: " . $e->getMessage(), E_USER_WARNING);
 285             return false;
 286         }
 287         return true;
 288     }
 289 }
 290
 291 // Local Variables:
 292 // mode: php
 293 // tab-width: 8
 294 // c-basic-offset: 4
 295 // c-hanging-comment-ender-p: nil
 296 // indent-tabs-mode: nil
 297 // End: