<?php
###############################################################################
# Gregarius - A PHP based RSS aggregator.
# Copyright (C) 2003 - 2006 Marco Bonetti
#
###############################################################################
# This program is free software and open source software; you can redistribute
# it and/or modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation; either version 2 of the License,
# or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
# more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA or visit
# http://www.gnu.org/licenses/gpl.html
#
###############################################################################
# E-mail: mbonetti at gmail dot com
# Web page: http://gregarius.net/
#
###############################################################################
rss_require('cls/wrappers/user.php');
define ('RSS_USER_ACTION_LOGIN',0x01);
define ('RSS_USER_ACTION_COOKIE',0x02);
define ('RSS_USER_ACTION_SESSION',0x04);
define ('RSS_USER_ACTION_LOGOUT',0x08);
/**
* The RSSUser class holds all the business logic to handle Gregarius users
*/
class RSSUser {
/** Userid */
var $_uid;
/** Userlevel */
var $_level;
/** Username */
var $_uname;
/** md5 hash of the user password */
var $_hash;
/** List of valid IP subnets this user is allowed to log in via a cookie */
var $_validIPs;
/** Mobile session */
var $_mobileSession;
/** Action */
var $_action;
/** Show private feeds/items */
var $_showPrivate;
/**
* RSSUser constructor:
* Handles:
* -logout
* -cookie login (with validation)
* -login
*/
function RSSUser() {
$this -> _uid = 0;
$this -> _validIPs = array();
$this -> _level = RSS_USER_LEVEL_NOLEVEL;
$this -> _uname = '';
$this -> _realName = '';
$this -> _hash = null;
$this -> _showPrivate = 0;
$this -> _mobileSession =
isset($_POST['media']) && 'mobile' == $_POST['media'];
if ('mobile' == getThemeMedia()) {
@ini_set('session.use_trans_sid',true);
session_start();
}
if (array_key_exists('logout',$_GET)) {
$this -> logout();
rss_redirect('');
}
$cuname = $chash = null;
if (isset($_POST['username']) && isset($_POST['password'])) {
$_cuname = trim($_POST['username']);
if ($this -> _mobileSession) {
$_chash = md5(md5($_POST['password'] . $_POST['username']));
} else {
$_chash = md5($_POST['password']);
}
if ($this -> login($_cuname,$_chash)) {
$cuname = $_cuname;
$chash = $_chash;
$this -> _action = RSS_USER_ACTION_LOGIN;
}
}
elseif (isset($_COOKIE[RSS_USER_COOKIE])) {
list($cuname,$chash) = explode('|',$_COOKIE[RSS_USER_COOKIE]);
$this -> _action = RSS_USER_ACTION_COOKIE;
}
elseif(isset($_SESSION['mobile'])) {
list($cuname,$chash) = explode('|',$_SESSION['mobile']);
$this -> _mobileSession = true;
$this -> _action = RSS_USER_ACTION_SESSION;
}
if ($cuname && $chash) {
$sql = "select uid, uname, ulevel, realname, userips from " . getTable('users') . " where uname='"
.rss_real_escape_string($cuname) ."' and password='"
.preg_replace('#[^a-zA-Z0-9]#','',md5($chash)) ."'";
$rs = rss_query($sql);
if (rss_num_rows($rs) == 1) {
list($uid, $uname, $level, $realName, $tmpUserIps) = rss_fetch_row($rs);
$userIPs = explode(' ',$tmpUserIps);
$subnet = preg_replace('#^([0-9]+\.[0-9]+\.[0-9]+)\.[0-9]+$#','\1',$_SERVER['REMOTE_ADDR']);
if ((array_search($subnet, $userIPs) !== FALSE) || ($this -> _action != RSS_USER_ACTION_COOKIE)) {
$this -> _uid = $uid;
$this -> _uname = $uname;
$this -> _validIPs = $userIPs;
$this -> _level = $level;
$this -> _realName = $realName;
$this -> _hash = $chash;
}
}
}
}
/**
* Logs in a user given the username and password.
* If the user provided valid username and password,
* he is given a cookie and his IP address subnet is added
* to the list of valid IPs this user is allowed to log in
* via a cookie
*
* Returns true on a successful login, false otherwise.
*/
function login($uname,$pass) {
$sql ="select uname,ulevel,userips from " .getTable('users') . "where uname='"
.rss_real_escape_string($uname)."' and password='".md5($pass)."'";
list($uname,$ulevel,$userips) = rss_fetch_row(rss_query($sql));
if ($ulevel == '') {
$ulevel = RSS_USER_LEVEL_NOLEVEL;
return false;
} else {
// "push" the user IP into the list of logged-in IP subnets
$subnet = preg_replace('#^([0-9]+\.[0-9]+\.[0-9]+)\.[0-9]+$#','\1',$_SERVER['REMOTE_ADDR']);
$this -> _validIPs = explode(' ',$userips);
$this -> _validIPs[] = $subnet;
$sql = "update " .getTable('users')
. " set userips = '" . implode(' ', $this -> _validIPs ) ."'"
." where uname = '$uname' ";
rss_query($sql);
if ($this -> _mobileSession) {
$this -> setUserSession($uname,$pass);
} else {
$this -> setUserCookie($uname,$pass);
}
rss_invalidate_cache();
return true;
}
return false;
}
/**
* Hands the user a yummy cookie.
* The cookie holds the md5 hash of the user password
*/
function setUserCookie($user,$hash) {
$rs = rss_query(
'select value_ from ' .getTable('config') . "where key_ = 'rss.config.autologout'", false,true);
if (rss_is_sql_error(RSS_SQL_ERROR_NO_ERROR) && rss_num_rows($rs) > 0) {
list($als) = rss_fetch_row($rs);
$al = ($als == 'true');
} else {
$al = false;
}
$t = $al ? 0: time()+COOKIE_LIFESPAN;
setcookie(RSS_USER_COOKIE, $user .'|' . $hash , $t, getPath());
}
function setUserSession($user,$hash) {
$_SESSION['mobile'] = $user . "|" . $hash;
}
/**
* Logs the user out.
* - deletes the cookie
* - removes the user's IP subnet from the list of valid subnets this
* user is allowed to log in with a cookie.
*/
function logout() {
if (array_key_exists(RSS_USER_COOKIE, $_COOKIE) || isset($_SESSION['mobile'])) {
$subnet = preg_replace('#^([0-9]+\.[0-9]+\.[0-9]+)\.[0-9]+$#','\1',$_SERVER['REMOTE_ADDR']);
if (($idx = array_search($subnet, $this -> _validIPs)) !== FALSE) {
$cnt = count($this -> _validIPs);
unset($this -> _validIPs[$idx]);
$uname = trim($this -> _uname);
if ($uname && ($cnt > count($this -> _validIPs))) {
$sql = "update " .getTable('users')
. " set userips = '" . implode(' ',$this -> _validIPs) ."'"
." where uname = '$uname' ";
rss_query($sql);
}
}
// get rid of the cookie
unset($_COOKIE[RSS_USER_COOKIE]);
setcookie(RSS_USER_COOKIE, "", -1, getPath());
if (isset($_SESSION['mobile'])) {
unset($_SESSION['mobile']);
}
rss_invalidate_cache();
}
}
///// Getters //////
function getUserName() {
return $this -> _uname;
}
function getUserLevel() {
return $this -> _level;
}
function getShowPrivate() {
return true; //$this -> _showPrivate;
}
function setShowPrivate($show) {
$this -> _showPrivate = $show;
}
}
// Create the unique instance.
$GLOBALS['rssuser'] = new RSSUser();
?>