User management for the world wide web

Login.php

<?php
session_start();

class GenieGate_Api_User {

    //  Holds all the info, to make session serialization easier.
    var $FIELDS;

    var $L;

    var $PROPS;

    function GenieGate_Api_User($l,$info) {
        $this->FIELDS = $info;
        $this->L = $l;
    }
    function getProperties($section = "genie.form.Public"){
        if(! isset($this->PROPS[$section])){
            $this->PROPS[$section] = array(); // Force an is_set next time.
            $sect = mysql_escape_string($section);
            // Get our table names.
            $ua_psect = $this->L->_make_table_name("ua_psect");
            $ua_prnam = $this->L->_make_table_name("ua_prnam");
            $ua_prop = $this->L->_make_table_name("ua_prop");
            $uid = mysql_escape_string($this->getUserId());        
            $sql = "SELECT n.pkey,p.val FROM $ua_psect AS s, $ua_prnam AS n, $ua_prop AS p ";
            $sql .= "WHERE p.uid='$uid' AND skey='$sect' AND s.sid=n.sid AND p.prid=n.prid";
            $dbh = $this->L->_get_dbh();
            $result = mysql_query($sql,$dbh) or die(mysql_error($dbh));
            if($result){
                while($row = mysql_fetch_row($result)){
                    $k = $row[0];
                    $this->PROPS[$section][$k] = $row[1];
                }
            }
        }
        return($this->PROPS[$section]);
    }

    function checkPassword($password){
        return(crypt($password,$this->FIELDS[password]) == $this->FIELDS[password]);
    }
    function checkSessionKey($key){
        return(crypt($key,$this->FIELDS[SESSION_KEY]) == $this->FIELDS[SESSION_KEY]);
    }
    function isActivated() {
        return($this->FIELDS[confirm] == "Y");
    }

    function getName(){ return($this->FIELDS[name]); }

    function getUserId(){ return($this->FIELDS[uid]); }
    
    function getEmail(){ return($this->FIELDS[email]); }

    function getGroups() { 
        if(is_array($this->FIELDS[GROUPS])){
            return($this->FIELDS[GROUPS]); 
        }
        return(array());
    }

    

    function checkGroups(&$groups){
        $member = $this->FIELDS[GROUPS];
        if(! $member){
            $member = array();
        }
        foreach($groups as $gid){
            if(! in_array($gid,$member)){
                return(FALSE);
            }
        }
        return(TRUE);
    }
}

class GenieGate_Api_Login {
    var $DBH;

    var $DBN;

    var $FORM_USERID   = "GG_USERID";
    var $FORM_PASSWORD = "GG_PASSWORD";

    var $VIEW = FALSE;

    var $SESSION_VARIABLE = "GG_USERACC";
    
    var $REALM = "Restricted";

    var $USE_HTTP_AUTH = TRUE;

    var $CHECK_IP = FALSE;

    var $DB_PERSISTANT = TRUE;

    var $ALLOW_CACHE = FALSE;

    var $SESSION_KEY_NAME="GGSESKEY";
    
    // The session key that was either read or generated. Don't use.    
    var $SESSION_KEY = FALSE;


    function GenieGate_Api_Login($DBLink = FALSE, $DBName = FALSE){
        $this->_session_key(); // Initialize as soon as possible.
        if($DBLink){
            $this->DBH = $DBLink;
        }
        if($DBName){
            $this->DBN = $DBName;
        }
    }


    function login($groups = array()){        
        $user = $this->passiveLogin($groups);
        if(! $user){
            $this->prompt();
            exit();
        }
        return($user);
    }

    function passiveLogin($groups = array()){
        // Comming in from a form?        
        if(strlen($_REQUEST[$this->FORM_USERID])){
            $user = $this->_check_form();            
            if($user){
                return($this->_valid_or_false($user,$groups));
            }
        }        
        $user = $this->_check_session();
        if($user){         
            return($this->_valid_or_false($user,$groups));                     
        }
        return($this->_valid_or_false($this->_check_auth(),$groups));
    }

    // Activated? In all groups?
    //\internal
    function _valid_or_false($user,$groups){
        if(! $user){
            $this->_clear_session();  
            return(FALSE);
        }
        if($user->isActivated()){        
            if($user->checkGroups($groups)){ 
                return($user);
            }
        }
        $this->_clear_session();  
        return(FALSE);
    }


    // Get/Set the session key. (Needed for session based login)
    // this will set a cookie.
    function _session_key(){
        if(! $this->SESSION_KEY) {
            $cv = $this->SESSION_KEY_NAME;
            if(! $_COOKIE[$cv]){
                $this->SESSION_KEY = md5(uniqid(rand(),1)); 
                setcookie($cv,$this->SESSION_KEY,FALSE,"/");               
            }else{
                $this->SESSION_KEY = $_COOKIE[$cv];
            }
        }
        return($this->SESSION_KEY);
    }


    function logout(){
        $this->_clear_session();
    }

    function setPromptView(&$view){
        $this->VIEW = $view;
    }

    function prompt(){
        $this->_send_authenicate_header();
        if(! $this->VIEW){
            $this->_default_prompt_html();
            exit;
        }
        if(is_object($this->VIEW)){
            $this->VIEW->display();
        }else{
            include($this->VIEW);
        }
        exit();
    }
    
    function _send_authenicate_header(){
        if($this->USE_HTTP_AUTH){
            if(! headers_sent()){
                header('WWW-Authenticate: Basic realm="' . $this->REALM . '"');
                header('HTTP/1.0 401 Unauthorized');
            }
        }
    }

    // Check authentication method.
    function _check_auth(){     
        if(! $this->USE_HTTP_AUTH){
            return(FALSE);
        }
        $this->_clear_session();                 
        $user = $this->lookupUser($_SERVER['PHP_AUTH_USER']);
        if($user){                                 
            if($user->checkPassword($_SERVER['PHP_AUTH_PW'])){                
                $this->_store_in_session($user);              
                return($user);
            }else{
                return(FALSE);
            }
        }
        return(FALSE);
    }

    // Look in session.
    function _check_session(){                               
        $sv = $this->SESSION_VARIABLE;                
        if(is_array($_SESSION[$sv])){            
            $user = new GenieGate_Api_User($this,$_SESSION[$sv][USER]);                      
            if($this->CHECK_IP) {
                if($_SESSION[$sv][LAST_IP] != $_SERVER[REMOTE_ADDR]){                    
                    return(FALSE);
                }
            }
            // Session key correct?
            if($user->checkSessionKey($this->_session_key())){ 
                if($this->ALLOW_CACHE){
                    return($user);
                }else{
                    // refresh.
                    $id = $user->getUserId();                   
                    $user = $this->lookupUser($id);                  
                    $this->_store_in_session($user);
                    return($user);
                }
            }else{
                return(FALSE); // Would fall through anyway, but we want the logic clearer.
            }
        }                
        return(FALSE); // Not in session.
    }

    // Inspect the form, return GenieGate_Api_User on PASS.
    function _check_form(){
        $uid = $_REQUEST[$this->FORM_USERID];                  
        $password = $_REQUEST[$this->FORM_PASSWORD];
        $user = $this->lookupUser($uid);
        if($user){         
            if($user->checkPassword($password)){                                
                $this->_store_in_session($user);
                return($user);
            }else{
                return(FALSE);
            }                        
        }
        return(FALSE);
    }
    // Make a table name, this API uses the fully qualified tablename in it's
    // queries, because $DBH may or may not be pointed at the correct database.
    function _make_table_name($name){
        if($this->DBN){
            return($this->DBN . "." . $name);
        }
        return($name);
    }


    // Store data in the session variable.
    function _store_in_session($user){
        $sv = $this->SESSION_VARIABLE;
        if(! $user->FIELDS[SESSION_KEY]){
            $user->FIELDS[SESSION_KEY] = crypt($this->_session_key());
        }
        $_SESSION[$sv][USER] = $user->FIELDS;
        $_SESSION[$sv][LAST_IP] = $_SERVER[REMOTE_ADDR];
        
    }
    function _clear_session(){
        $v = $this->SESSION_VARIABLE;
        unset($_SESSION[$v]);
    }

    function _get_dbh(){
        if($this->DBH){
            return($this->DBH);
        }
        if($this->DB_PERSISTANT){
            $this->DBH = mysql_pconnect();
        }else{
            $this->DBH = mysql_connect();
        }
        if(! $this->DBH){
            die(mysql_errno() . " " .  mysql_error());      
        } 
    }

    function lookupUser($uid){
        if(! strlen($uid)){
            return(FALSE); // Do a sanity check.
        }
        $dbh = $this->_get_dbh();
        $tbl = $this->_make_table_name("ua_users"); // Fully qualified table.
        $fields = array();
        $uid = mysql_escape_string($uid);        
        $sql = "SELECT uid,password,confirm,name,email FROM $tbl WHERE uid='$uid'";
        $result = mysql_query($sql,$dbh) or die(mysql_error($dbh));        
        if($result) {
            $fields = mysql_fetch_assoc($result);
            $fields[password] = crypt($fields[password]); // Don't keep plain-text passwords around.
        }else{
            return(FALSE);
        }
        $fields[GROUPS] = array();
        $gt = $this->_make_table_name("ua_members");
        $result = mysql_query("SELECT gid FROM $gt WHERE uid='$uid'",$dbh) or die(mysql_error($dbh));

        if($result){
            while($row = mysql_fetch_row($result)){
                array_push($fields[GROUPS],$row[0]);
            }
        }
        return(new GenieGate_Api_User($this,$fields));
    }

    // Builds up all the form variables.
    function _build_form_vars(&$req){
        $buf = "";      
        foreach($req as $k => $v){
            if(is_array($v)){
                $nm = $k . "[]"; // Attempt to deal with multiple values.
                foreach($v as $av){
                    $buf .= $this->_build_form_var($nm,$av);
                }
            }else{
                $buf .= $this->_build_form_var($k,$v);
            }
        }
        return($buf);
    }
    // Creates a single form variable.
    function _build_form_var($name,$val){
        $name = htmlentities($name);
        $val = htmlentities($val);
        $val = str_replace("\n", "&#10;",$val); // Attempt to deal with \r's and \n's.           
        $val = str_replace("\r", "&#13;",$val);
        return("<INPUT TYPE=\"HIDDEN\" NAME=\"$name\" VALUE=\"$val\">\n");
    }

    // NOTE: Don't be tempted to change this HTML, see the documentation for 
    // the prompt() method. (this method is called as a last resort to produce 
    // the HTML for a login box.)
    function _default_prompt_html(){      
        if($_SERVER[REQUEST_METHOD] == "GET"){
            $hidden = $this->_build_form_vars($_GET);
        }else{
            $hidden = $this->_build_form_vars($_POST);
        }
        echo "<FORM ACTION=\"$_SERVER[PHP_SELF]\" METHOD=\"POST\"> ";
        echo $hidden;
?>  
      <TABLE COLS="2" ALIGN="CENTER" WIDTH="40%" CLASS="loginBox">      
     <TR> 
       <TH COLSPAN="2">Login Required</TH>
     </TR>
      <TR>
        <TH>User ID</TH>
        <TD><INPUT NAME="<?php echo $this->FORM_USERID; ?>" ></TD>
      </TR>
      <TR>
         <TH>Password</TH>
         <TD>
           <INPUT TYPE="PASSWORD" NAME="<?php echo $this->FORM_PASSWORD; ?>" >
         </TD>
      </TR>
      <TR>
        <TD COLSPAN="2" ALIGN="CENTER"><INPUT TYPE="SUBMIT" VALUE="Login"></TD>
      </TR>
      </TABLE>
</FORM>
<?php              
    }


}
?>

---

Documentation generated by DoxyGen