<?php
/**************************************************************************
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
@Authors: Ryan Thompson(hide@address.com)
***************************************************************************/
/*$Id: class.security.php,v 1.2 2003/12/08 05:30:18 rthomp Exp $*/
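/*!
@class security
@abstract Login, password and per-service access-right helpers built on the global $db wrapper.
NOTE(review): every query in this class is built by interpolating method arguments
straight into the SQL text. The escaping/binding API of the $db wrapper is not visible
from this file, so the statements are left as written. Callers must pass values that are
already validated or escaped for the database in use, or the wrapper should be extended
with bound parameters -- confirm which applies before exposing these methods to request data.
*/
class security
{
    var $ssl = FALSE; // When TRUE, protocol() answers 'https://'
    var $protocol = 'http://'; // Last value computed by protocol()

    /*!
    @function protocol()
    @author Ryan Thompson
    @abstract Returns the protocol to use in generating URLs for links
    @version 0.1
    @return $this->protocol - 'https://' when $this->ssl is set, otherwise 'http://'
    @since 11-10-2003
    */
    function protocol()
    {
        // The chosen scheme is also stored on the object, as the original did.
        $this->protocol = $this->ssl ? 'https://' : 'http://';
        return $this->protocol;
    }

    /*!
    @function get_accessible_services()
    @author Ryan Thompson
    @abstract Returns a list of services accessible by user (rights greater than 0)
    @version 0.1
    @params $user_id - interpolated into the query; must be safe for SQL (see class note)
    @return $services - array of o_services rows ordered by sort_order, empty array when none
    @since 05-12-2003
    */
    function get_accessible_services($user_id)
    {
        global $db;
        // Start from an empty list so a user without rights yields array() instead of
        // an undefined variable.
        $services = array();
        $sql = "SELECT o_services.* FROM o_services LEFT JOIN o_user_rights"
            . " ON o_services.code=o_user_rights.service WHERE o_user_rights.user_id='$user_id'"
            . " AND o_user_rights.rights > '0' ORDER BY sort_order";
        $db->query($sql);
        while ($db->fetch_results()) {
            $services[] = $db->record;
        }
        return $services;
    }

    /*!
    @function random_string()
    @author Ryan Thompson
    @abstract Generates a random string of given length $len (Generally used to generate passwords)
    @version 0.1
    @params $len - Length of string to generate
    @return $str - The generated string (NULL when $len is 0 or less)
    */
    function random_string($len = 8)
    {
        $chars = array('a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v',
            'w','x','y','z','A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S','T','U',
            'V','W','X','Y','Z','1','2','3','4','5','6','7','8','9','0');
        // The upper bound is the last valid index. Using count($chars) itself picked a
        // non-existent slot now and then, which silently shortened the result.
        $last = count($chars) - 1;
        // Generated passwords should come from the CSPRNG when the runtime has one;
        // mt_rand() is only a fallback for old interpreters and is predictable.
        $use_csprng = function_exists('random_int');
        $str = NULL;
        for ($i = 0; $i < $len; $i++) {
            $seed = $use_csprng ? random_int(0, $last) : mt_rand(0, $last);
            $str .= $chars[$seed];
        }
        return $str;
    }

    /*!
    @function encrypt_password()
    @author Ryan Thompson
    @abstract Generates a 32-character hex digest by applying MD5 twice to $password
    @version 0.1
    @params $password - Plain text password to hash
    @return $password - Hashed password
    @since 11-10-2003
    NOTE(review): this is an unsalted, fast hash, so stored values are cheap to brute-force
    if the table leaks. Moving to password_hash()/password_verify() also requires changing
    how check_password() and update_password() compare values and re-hashing stored
    passwords, so the digest is kept unchanged here.
    */
    function encrypt_password($password)
    {
        return md5(md5($password));
    }

    /*!
    @function account_enabled()
    @author Ryan Thompson
    @abstract Determines whether given user account is enabled or disabled
    @version 0.1
    @params $user_id - User ID of account to be checked (interpolated into SQL, see class note)
    @return TRUE/FALSE - FALSE (and error 1002) when the disabled column is not NULL
    */
    function account_enabled($user_id)
    {
        global $error, $db;
        $sql = "SELECT disabled FROM o_user_security WHERE user_id='" . $user_id . "'";
        $db->query($sql);
        $db->fetch_results();
        // NOTE(review): when no row matches, the outcome depends on what $db->record holds
        // after an empty fetch -- confirm this does not report unknown users as enabled.
        if (!is_null($db->record['disabled'])) {
            $error->get_message(1002);
            return FALSE;
        }
        // Not disabled
        return TRUE;
    }

    /*!
    @function check_password()
    @author Ryan Thompson
    @abstract Checks given username/password pair against the o_users table
    @version 0.1
    @params $username - Login name to look up
    @params $password - Compared verbatim with the stored password column; presumably the
            caller passes the encrypt_password() digest -- confirm against caller
    @return $user_id - User ID of the matching account, or FALSE (and error 1000) when none
    @since 25-03-2003
    NOTE(review): both arguments reach the SQL text unescaped. Because this is the login
    check, the caller must guarantee they are escaped for the database, or the query
    should be moved to bound parameters once the $db wrapper supports them.
    */
    function check_password($username, $password)
    {
        global $error, $db;
        $db->query("SELECT user_id FROM o_users WHERE username='$username' AND password='$password'");
        if ($db->num_rows == 0) {
            $error->get_message(1000);
            return FALSE;
        }
        $db->fetch_results();
        return $db->record['user_id'];
    }

    /*!
    @function unique_id()
    @author Ryan Thompson
    @abstract Generates a unique session id
    @version 0.1
    @return $unique_id - Random string of 32 hex characters
    @since 11-10-2003
    */
    function unique_id()
    {
        // Session identifiers must be unguessable. 16 bytes from the CSPRNG give the same
        // 32-character hex shape as the MD5 digest the original returned.
        if (function_exists('random_bytes')) {
            return bin2hex(random_bytes(16));
        }
        // Fallback for runtimes without random_bytes(): the original time/PRNG based value.
        return md5(uniqid(rand(), 1));
    }

    /*!
    @function update_password()
    @author Ryan Thompson
    @abstract Updates the password of the current global $user after verifying the old one
    @version 0.1
    @params $passwords - array with keys 'old_password' and 'new_password' (plain text)
    @return TRUE/FALSE - FALSE when the old password does not match or the new one is too short
    */
    function update_password($passwords)
    {
        global $db, $user;
        // Only the hashed form of the old password reaches the query.
        $old_password = $this->encrypt_password($passwords['old_password']);
        $sql = "SELECT username, password FROM o_users WHERE user_id='" . $user->user_id . "' AND password='$old_password'";
        $db->query($sql);
        if ($db->num_rows == 0) {
            echo "Wrong Password";
            return FALSE;
        }
        $db->fetch_results();
        if (!$this->password_length($passwords['new_password'])) {
            echo "Too short";
            return FALSE;
        }
        $new_password = $this->encrypt_password($passwords['new_password']);
        $sql = "UPDATE o_users SET password='$new_password' WHERE user_id='" . $user->user_id . "'";
        $db->query($sql);
        return TRUE;
    }

    /*!
    @function password_length()
    @author Ryan Thompson
    @abstract Verifies that password meets minimum length requirements (Default 8 set in DB)
    @version 0.1
    @params $password - Password to verify
    @return TRUE/FALSE - FALSE when shorter than the value of setting_id 1
    @since 11-10-2003
    */
    function password_length($password)
    {
        global $db;
        $sql = "SELECT value FROM o_settings WHERE setting_id='1'";
        $db->query($sql);
        $db->fetch_results();
        // strlen() counts bytes, so multi-byte characters count more than once.
        return !(strlen($password) < $db->record['value']);
    }

    /*!
    @function compare()
    @author Ryan Thompson
    @abstract Compares old_password with new_password (Don't remember purpose)
    @version 0.1
    @params $new_password
    @params $old_password
    @return TRUE when both values are the same string, FALSE otherwise
    */
    function compare($new_password, $old_password)
    {
        // Compare as strings. The loose != operator treats numeric-looking strings as
        // numbers, so two different passwords or digests could be reported as equal.
        return (string) $new_password === (string) $old_password;
    }

    /*!
    @function account_expired()
    @author Ryan Thompson
    @abstract Determines if account is expired
    @version 0.1
    @params $user_id - User ID of account to check (interpolated into SQL, see class note)
    @return TRUE/FALSE - TRUE (and error 1001) when the password has expired
    */
    function account_expired($user_id)
    {
        global $db, $error;
        $sql = "SELECT password_change, password_expire, expire_type FROM o_user_security WHERE user_id='$user_id'";
        $db->query($sql);
        $db->fetch_results();
        if ($db->record['expire_type'] == 'days') {
            // password_expire is a number of days counted from the last change.
            $seconds_from = $db->record['password_expire'] * 86400;
            $date_of_expiry = $db->record['password_change'] + $seconds_from;
            $expired = $date_of_expiry < time();
        } else {
            // Any other expire_type: password_expire is compared as a timestamp.
            $expired = time() > $db->record['password_expire'];
        }
        if ($expired) {
            // Need account expiry error
            $error->get_message(1001);
            return TRUE;
        }
        return FALSE;
    }

    /*!
    @function system_locked()
    @author Ryan Thompson
    @abstract Looks to see if System is in lockdown state
    @version 0.1
    @return TRUE/FALSE - FALSE only when setting_id 10 holds 'FALSE'; anything else raises
            error 1004 and counts as locked
    @since 25-03-2003
    */
    function system_locked()
    {
        global $error, $db;
        $db->query("SELECT value FROM o_settings WHERE setting_id='10'");
        $db->fetch_results();
        if ($db->record['value'] == 'FALSE') {
            return FALSE;
        }
        $error->get_message(1004);
        return TRUE;
    }

    /*!
    @function global_page()
    @author Ryan Thompson
    @abstract Looks to see if the current script can be accessed without a general session
    @version 0.3
    @return TRUE/FALSE
    @Deprecated -- Replaced by $service['no_session'] variable
    NOTE(review): these are substring matches on SCRIPT_NAME, so any script whose path
    contains one of the fragments (for example anything below a /config/ directory) is
    treated as not needing a session.
    */
    function global_page()
    {
        $script = $_SERVER['SCRIPT_NAME'];
        $open_fragments = array('/login.php', '/forgot.php', 'cron_job.php', '/config/');
        foreach ($open_fragments as $fragment) {
            if (strpos($script, $fragment) !== FALSE) {
                return TRUE;
            }
        }
        return FALSE;
    }

    /*!
    @function enable_access()
    @author Ryan Thompson
    @abstract Adds user permission to access a service, then runs the service's add-user script
    @version 0.1
    @params $user_id - User to be added
    @params $service - Service to give access to
    @params $access_level - Permission level 0 - 3
    @params $username - Optional - Used in case required by specific service and user info added (ie File Manager)
    @since 11-10-2003
    NOTE(review): all three values are interpolated into the INSERT (see class note) and
    $access_level is not range-checked here.
    */
    function enable_access($user_id, $service, $access_level, $username = NULL)
    {
        global $db;
        $sql = "INSERT INTO o_user_rights (user_id, service, rights) VALUES ('$user_id','$service','$access_level')";
        $db->query($sql);
        $this->add_to_service($service, $user_id, $username);
    }

    /*!
    @function update_access()
    @author Ryan Thompson
    @abstract Updates user access rights to service, creating the row when it does not exist
    @version 0.1
    @params $user_id - User ID of user to update
    @params $service - Service to update access to
    @params $rights - New access rights
    @since 11-10-2003
    */
    function update_access($user_id, $service, $rights)
    {
        global $db;
        // First check to see if it exists (used to handle plugins)
        $sql = "SELECT rights FROM o_user_rights WHERE user_id='$user_id' AND service='$service'";
        $db->query($sql);
        if ($db->num_rows == 0) {
            $this->enable_access($user_id, $service, $rights);
            return;
        }
        $sql = "UPDATE o_user_rights SET rights='$rights' WHERE user_id='$user_id' AND service='$service'";
        $db->query($sql);
        return;
    }

    /*!
    @function remove_all_access()
    @author Ryan Thompson
    @abstract Removes all access to all services for a user. (Usually for account dropping)
    @version 0.2
    @params $user_id - User ID to drop access to.
    @params $service - Unused; kept so existing callers keep working
    @since 11-10-2003
    */
    function remove_all_access($user_id, $service = NULL)
    {
        global $db;
        $sql = "DELETE FROM o_user_rights WHERE user_id='" . $user_id . "'";
        $db->query($sql);
        return;
    }

    /*!
    @function add_to_service()
    @author Ryan Thompson
    @abstract Runs service specific ADD USER script
    @version 0.2
    @params $service - Service User being added to
    @params $user_id - User ID of user being added to service
    @params $username - Optional - In case required for service specific scripts.
    @since 11-10-2003
    NOTE(review): the included file runs inside this method's scope, so it sees $service,
    $user_id, $username, $O, $db, $location and $add_script; these names must stay as they
    are. The include path is taken from o_services.location, which is trusted as
    administrator-controlled data here -- confirm that nothing request-driven can write it.
    */
    function add_to_service($service, $user_id, $username = NULL)
    {
        global $O, $db;
        $sql = "SELECT location FROM o_services WHERE code='$service'";
        $db->query($sql);
        $db->fetch_results();
        $location = $db->record['location'];
        // Protect from crashes in case service doesn't require (hasn't added the file)
        $add_script = "{$O->dir}/$location/config/add_user.php";
        if (file_exists($add_script)) {
            include($add_script);
        }
    }

    /*!
    @function delete_from_service()
    @author Ryan Thompson
    @abstract Runs service specific DROP USER script
    @version 0.2
    @params $service - Service User being dropped from; used as the directory name under $O->dir
    @params $username - Optional - In case required for service specific scripts.
    @params $user_id - User ID of user being dropped from service
    @since 11-10-2003
    NOTE(review): the included file runs inside this method's scope, so it sees $service,
    $username, $user_id, $O and $drop_script; these names must stay as they are.
    */
    function delete_from_service($service, $username, $user_id)
    {
        global $O;
        // $service becomes part of an include path: refuse values that could point the
        // include outside the service tree instead of executing whatever file they reach.
        if ($this->_path_leaves_base($service)) {
            return;
        }
        $drop_script = "{$O->dir}/$service/config/drop_user.php";
        if (file_exists($drop_script)) {
            include($drop_script);
        }
    }

    /*!
    @function _path_leaves_base()
    @abstract Internal helper: tells whether a relative path holds a NUL byte or a '..' segment
    @params $path - Relative path fragment to inspect
    @return TRUE when the fragment must not be used to build an include path
    */
    function _path_leaves_base($path)
    {
        $path = (string) $path;
        if (strpos($path, "\0") !== FALSE) {
            return TRUE;
        }
        // Split on both separators so a backslash-separated path is checked as well.
        return in_array('..', preg_split('#[/\\\\]#', $path), TRUE);
    }

    /*!
    @function get_access_level()
    @author Ryan Thompson
    @abstract Returns access level of script for a user
    @version 0.2
    @params $user_id
    @params $service - Service code; an empty value falls back to 'ad'
    @return $access_level - The rights column of the matching o_user_rights row
    @since 11-10-2003
    */
    function get_access_level($user_id, $service)
    {
        global $db;
        if (empty($service)) {
            $service = 'ad';
        }
        $sql = "SELECT rights FROM o_user_rights WHERE user_id='$user_id' AND service='$service'";
        $db->query($sql);
        $db->fetch_results();
        return $db->record['rights'];
    }
}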