Home Explore Help
Sign In
ShariX_Open
/
sharix-open-wiki
5
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Branch: master
Branches Tags
sharix-open-wik...
/
inc
/
auth.php

auth.php 38 KB
Permalink History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164116511661167116811691170117111721173117411751176117711781179118011811182118311841185118611871188118911901191119211931194119511961197119811991200120112021203120412051206120712081209121012111212121312141215121612171218121912201221122212231224122512261227122812291230123112321233123412351236123712381239124012411242124312441245124612471248124912501251125212531254125512561257125812591260126112621263126412651266126712681269127012711272127312741275127612771278127912801281128212831284128512861287 
  1. <?php
    2. 

  2. /**
    3. 

  3.  * Authentication library
    4. 

  4.  *
    5. 

  5.  * Including this file will automatically try to login
    6. 

  6.  * a user by calling auth_login()
    7. 

  7.  *
    8. 

  8.  * @license    GPL 2 (http://www.gnu.org/licenses/gpl.html)
    9. 

  9.  * @author     Andreas Gohr <andi@splitbrain.org>
    10. 

  10.  */
    11. 

  11. 

  12. use dokuwiki\Extension\AuthPlugin;
    13. 

  13. use dokuwiki\Extension\Event;
    14. 

  14. use dokuwiki\Extension\PluginController;
    15. 

  15. use dokuwiki\PassHash;
    16. 

  16. use dokuwiki\Subscriptions\RegistrationSubscriptionSender;
    17. 

  17. 

  18. /**
    19. 

  19.  * Initialize the auth system.
    20. 

  20.  *
    21. 

  21.  * This function is automatically called at the end of init.php
    22. 

  22.  *
    23. 

  23.  * This used to be the main() of the auth.php
    24. 

  24.  *
    25. 

  25.  * @todo backend loading maybe should be handled by the class autoloader
    26. 

  26.  * @todo maybe split into multiple functions at the XXX marked positions
    27. 

  27.  * @triggers AUTH_LOGIN_CHECK
    28. 

  28.  * @return bool
    29. 

  29.  */
    30. 

  30. function auth_setup() {
    31. 

  31.     global $conf;
    32. 

  32.     /* @var AuthPlugin $auth */
    33. 

  33.     global $auth;
    34. 

  34.     /* @var Input $INPUT */
    35. 

  35.     global $INPUT;
    36. 

  36.     global $AUTH_ACL;
    37. 

  37.     global $lang;
    38. 

  38.     /* @var PluginController $plugin_controller */
    39. 

  39.     global $plugin_controller;
    40. 

  40.     $AUTH_ACL = array();
    41. 

  41. 

  42.     if(!$conf['useacl']) return false;
    43. 

  43. 

  44.     // try to load auth backend from plugins
    45. 

  45.     foreach ($plugin_controller->getList('auth') as $plugin) {
    46. 

  46.         if ($conf['authtype'] === $plugin) {
    47. 

  47.             $auth = $plugin_controller->load('auth', $plugin);
    48. 

  48.             break;
    49. 

  49.         }
    50. 

  50.     }
    51. 

  51. 

  52.     if(!isset($auth) || !$auth){
    53. 

  53.         msg($lang['authtempfail'], -1);
    54. 

  54.         return false;
    55. 

  55.     }
    56. 

  56. 

  57.     if ($auth->success == false) {
    58. 

  58.         // degrade to unauthenticated user
    59. 

  59.         $auth = null;
    60. 

  60.         auth_logoff();
    61. 

  61.         msg($lang['authtempfail'], -1);
    62. 

  62.         return false;
    63. 

  63.     }
    64. 

  64. 

  65.     // do the login either by cookie or provided credentials XXX
    66. 

  66.     $INPUT->set('http_credentials', false);
    67. 

  67.     if(!$conf['rememberme']) $INPUT->set('r', false);
    68. 

  68. 

  69.     // Populate Basic Auth user/password from Authorization header
    70. 

  70.     // Note: with FastCGI, data is in REDIRECT_HTTP_AUTHORIZATION instead of HTTP_AUTHORIZATION
    71. 

  71.     $header = $INPUT->server->str('HTTP_AUTHORIZATION') ?: $INPUT->server->str('REDIRECT_HTTP_AUTHORIZATION');
    72. 

  72.     if(preg_match( '~^Basic ([a-z\d/+]*={0,2})$~i', $header, $matches )) {
    73. 

  73.         $userpass = explode(':', base64_decode($matches[1]));
    74. 

  74.         list($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']) = $userpass;
    75. 

  75.     }
    76. 

  76. 

  77.     // if no credentials were given try to use HTTP auth (for SSO)
    78. 

  78.     if (!$INPUT->str('u') && empty($_COOKIE[DOKU_COOKIE]) && !empty($INPUT->server->str('PHP_AUTH_USER'))) {
    79. 

  79.         $INPUT->set('u', $INPUT->server->str('PHP_AUTH_USER'));
    80. 

  80.         $INPUT->set('p', $INPUT->server->str('PHP_AUTH_PW'));
    81. 

  81.         $INPUT->set('http_credentials', true);
    82. 

  82.     }
    83. 

  83. 

  84.     // apply cleaning (auth specific user names, remove control chars)
    85. 

  85.     if (true === $auth->success) {
    86. 

  86.         $INPUT->set('u', $auth->cleanUser(stripctl($INPUT->str('u'))));
    87. 

  87.         $INPUT->set('p', stripctl($INPUT->str('p')));
    88. 

  88.     }
    89. 

  89. 

  90.     $ok = null;
    91. 

  91.     if (!is_null($auth) && $auth->canDo('external')) {
    92. 

  92.         $ok = $auth->trustExternal($INPUT->str('u'), $INPUT->str('p'), $INPUT->bool('r'));
    93. 

  93.     }
    94. 

  94. 

  95.     if ($ok === null) {
    96. 

  96.         // external trust mechanism not in place, or returns no result,
    97. 

  97.         // then attempt auth_login
    98. 

  98.         $evdata = array(
    99. 

  99.             'user'     => $INPUT->str('u'),
    100. 

  100.             'password' => $INPUT->str('p'),
    101. 

  101.             'sticky'   => $INPUT->bool('r'),
    102. 

  102.             'silent'   => $INPUT->bool('http_credentials')
    103. 

  103.         );
    104. 

  104.         Event::createAndTrigger('AUTH_LOGIN_CHECK', $evdata, 'auth_login_wrapper');
    105. 

  105.     }
    106. 

  106. 

  107.     //load ACL into a global array XXX
    108. 

  108.     $AUTH_ACL = auth_loadACL();
    109. 

  109. 

  110.     return true;
    111. 

  111. }
    112. 

  112. 

  113. /**
    114. 

  114.  * Loads the ACL setup and handle user wildcards
    115. 

  115.  *
    116. 

  116.  * @author Andreas Gohr <andi@splitbrain.org>
    117. 

  117.  *
    118. 

  118.  * @return array
    119. 

  119.  */
    120. 

  120. function auth_loadACL() {
    121. 

  121.     global $config_cascade;
    122. 

  122.     global $USERINFO;
    123. 

  123.     /* @var Input $INPUT */
    124. 

  124.     global $INPUT;
    125. 

  125. 

  126.     if(!is_readable($config_cascade['acl']['default'])) return array();
    127. 

  127. 

  128.     $acl = file($config_cascade['acl']['default']);
    129. 

  129. 

  130.     $out = array();
    131. 

  131.     foreach($acl as $line) {
    132. 

  132.         $line = trim($line);
    133. 

  133.         if(empty($line) || ($line[0] == '#')) continue; // skip blank lines & comments
    134. 

  134.         list($id,$rest) = preg_split('/[ \t]+/',$line,2);
    135. 

  135. 

  136.         // substitute user wildcard first (its 1:1)
    137. 

  137.         if(strstr($line, '%USER%')){
    138. 

  138.             // if user is not logged in, this ACL line is meaningless - skip it
    139. 

  139.             if (!$INPUT->server->has('REMOTE_USER')) continue;
    140. 

  140. 

  141.             $id   = str_replace('%USER%',cleanID($INPUT->server->str('REMOTE_USER')),$id);
    142. 

  142.             $rest = str_replace('%USER%',auth_nameencode($INPUT->server->str('REMOTE_USER')),$rest);
    143. 

  143.         }
    144. 

  144. 

  145.         // substitute group wildcard (its 1:m)
    146. 

  146.         if(strstr($line, '%GROUP%')){
    147. 

  147.             // if user is not logged in, grps is empty, no output will be added (i.e. skipped)
    148. 

  148.             if(isset($USERINFO['grps'])){
    149. 

  149.                 foreach((array) $USERINFO['grps'] as $grp){
    150. 

  150.                     $nid   = str_replace('%GROUP%',cleanID($grp),$id);
    151. 

  151.                     $nrest = str_replace('%GROUP%','@'.auth_nameencode($grp),$rest);
    152. 

  152.                     $out[] = "$nid\t$nrest";
    153. 

  153.                 }
    154. 

  154.             }
    155. 

  155.         } else {
    156. 

  156.             $out[] = "$id\t$rest";
    157. 

  157.         }
    158. 

  158.     }
    159. 

  159. 

  160.     return $out;
    161. 

  161. }
    162. 

  162. 

  163. /**
    164. 

  164.  * Event hook callback for AUTH_LOGIN_CHECK
    165. 

  165.  *
    166. 

  166.  * @param array $evdata
    167. 

  167.  * @return bool
    168. 

  168.  */
    169. 

  169. function auth_login_wrapper($evdata) {
    170. 

  170.     return auth_login(
    171. 

  171.         $evdata['user'],
    172. 

  172.         $evdata['password'],
    173. 

  173.         $evdata['sticky'],
    174. 

  174.         $evdata['silent']
    175. 

  175.     );
    176. 

  176. }
    177. 

  177. 

  178. /**
    179. 

  179.  * This tries to login the user based on the sent auth credentials
    180. 

  180.  *
    181. 

  181.  * The authentication works like this: if a username was given
    182. 

  182.  * a new login is assumed and user/password are checked. If they
    183. 

  183.  * are correct the password is encrypted with blowfish and stored
    184. 

  184.  * together with the username in a cookie - the same info is stored
    185. 

  185.  * in the session, too. Additonally a browserID is stored in the
    186. 

  186.  * session.
    187. 

  187.  *
    188. 

  188.  * If no username was given the cookie is checked: if the username,
    189. 

  189.  * crypted password and browserID match between session and cookie
    190. 

  190.  * no further testing is done and the user is accepted
    191. 

  191.  *
    192. 

  192.  * If a cookie was found but no session info was availabe the
    193. 

  193.  * blowfish encrypted password from the cookie is decrypted and
    194. 

  194.  * together with username rechecked by calling this function again.
    195. 

  195.  *
    196. 

  196.  * On a successful login $_SERVER[REMOTE_USER] and $USERINFO
    197. 

  197.  * are set.
    198. 

  198.  *
    199. 

  199.  * @author  Andreas Gohr <andi@splitbrain.org>
    200. 

  200.  *
    201. 

  201.  * @param   string  $user    Username
    202. 

  202.  * @param   string  $pass    Cleartext Password
    203. 

  203.  * @param   bool    $sticky  Cookie should not expire
    204. 

  204.  * @param   bool    $silent  Don't show error on bad auth
    205. 

  205.  * @return  bool             true on successful auth
    206. 

  206.  */
    207. 

  207. function auth_login($user, $pass, $sticky = false, $silent = false) {
    208. 

  208.     global $USERINFO;
    209. 

  209.     global $conf;
    210. 

  210.     global $lang;
    211. 

  211.     /* @var AuthPlugin $auth */
    212. 

  212.     global $auth;
    213. 

  213.     /* @var Input $INPUT */
    214. 

  214.     global $INPUT;
    215. 

  215. 

  216.     $sticky ? $sticky = true : $sticky = false; //sanity check
    217. 

  217. 

  218.     if(!$auth) return false;
    219. 

  219. 

  220.     if(!empty($user)) {
    221. 

  221.         //usual login
    222. 

  222.         if(!empty($pass) && $auth->checkPass($user, $pass)) {
    223. 

  223.             // make logininfo globally available
    224. 

  224.             $INPUT->server->set('REMOTE_USER', $user);
    225. 

  225.             $secret                 = auth_cookiesalt(!$sticky, true); //bind non-sticky to session
    226. 

  226.             auth_setCookie($user, auth_encrypt($pass, $secret), $sticky);
    227. 

  227.             return true;
    228. 

  228.         } else {
    229. 

  229.             //invalid credentials - log off
    230. 

  230.             if(!$silent) {
    231. 

  231.                 http_status(403, 'Login failed');
    232. 

  232.                 msg($lang['badlogin'], -1);
    233. 

  233.             }
    234. 

  234.             auth_logoff();
    235. 

  235.             return false;
    236. 

  236.         }
    237. 

  237.     } else {
    238. 

  238.         // read cookie information
    239. 

  239.         list($user, $sticky, $pass) = auth_getCookie();
    240. 

  240.         if($user && $pass) {
    241. 

  241.             // we got a cookie - see if we can trust it
    242. 

  242. 

  243.             // get session info
    244. 

  244.             if (isset($_SESSION[DOKU_COOKIE])) {
    245. 

  245.                 $session = $_SESSION[DOKU_COOKIE]['auth'];
    246. 

  246.                 if (isset($session) &&
    247. 

  247.                     $auth->useSessionCache($user) &&
    248. 

  248.                     ($session['time'] >= time() - $conf['auth_security_timeout']) &&
    249. 

  249.                     ($session['user'] == $user) &&
    250. 

  250.                     ($session['pass'] == sha1($pass)) && //still crypted
    251. 

  251.                     ($session['buid'] == auth_browseruid())
    252. 

  252.                 ) {
    253. 

  253. 

  254.                     // he has session, cookie and browser right - let him in
    255. 

  255.                     $INPUT->server->set('REMOTE_USER', $user);
    256. 

  256.                     $USERINFO = $session['info']; //FIXME move all references to session
    257. 

  257.                     return true;
    258. 

  258.                 }
    259. 

  259.             }
    260. 

  260.             // no we don't trust it yet - recheck pass but silent
    261. 

  261.             $secret = auth_cookiesalt(!$sticky, true); //bind non-sticky to session
    262. 

  262.             $pass   = auth_decrypt($pass, $secret);
    263. 

  263.             return auth_login($user, $pass, $sticky, true);
    264. 

  264.         }
    265. 

  265.     }
    266. 

  266.     //just to be sure
    267. 

  267.     auth_logoff(true);
    268. 

  268.     return false;
    269. 

  269. }
    270. 

  270. 

  271. /**
    272. 

  272.  * Builds a pseudo UID from browser and IP data
    273. 

  273.  *
    274. 

  274.  * This is neither unique nor unfakable - still it adds some
    275. 

  275.  * security. Using the first part of the IP makes sure
    276. 

  276.  * proxy farms like AOLs are still okay.
    277. 

  277.  *
    278. 

  278.  * @author  Andreas Gohr <andi@splitbrain.org>
    279. 

  279.  *
    280. 

  280.  * @return  string  a SHA256 sum of various browser headers
    281. 

  281.  */
    282. 

  282. function auth_browseruid() {
    283. 

  283.     /* @var Input $INPUT */
    284. 

  284.     global $INPUT;
    285. 

  285. 

  286.     $ip = clientIP(true);
    287. 

  287.     // convert IP string to packed binary representation
    288. 

  288.     $pip = inet_pton($ip);
    289. 

  289. 

  290.     $uid = implode("\n", [
    291. 

  291.         $INPUT->server->str('HTTP_USER_AGENT'),
    292. 

  292.         $INPUT->server->str('HTTP_ACCEPT_LANGUAGE'),
    293. 

  293.         substr($pip, 0, strlen($pip) / 2), // use half of the IP address (works for both IPv4 and IPv6)
    294. 

  294.     ]);
    295. 

  295.     return hash('sha256', $uid);
    296. 

  296. }
    297. 

  297. 

  298. /**
    299. 

  299.  * Creates a random key to encrypt the password in cookies
    300. 

  300.  *
    301. 

  301.  * This function tries to read the password for encrypting
    302. 

  302.  * cookies from $conf['metadir'].'/_htcookiesalt'
    303. 

  303.  * if no such file is found a random key is created and
    304. 

  304.  * and stored in this file.
    305. 

  305.  *
    306. 

  306.  * @author  Andreas Gohr <andi@splitbrain.org>
    307. 

  307.  *
    308. 

  308.  * @param   bool $addsession if true, the sessionid is added to the salt
    309. 

  309.  * @param   bool $secure     if security is more important than keeping the old value
    310. 

  310.  * @return  string
    311. 

  311.  */
    312. 

  312. function auth_cookiesalt($addsession = false, $secure = false) {
    313. 

  313.     if (defined('SIMPLE_TEST')) {
    314. 

  314.         return 'test';
    315. 

  315.     }
    316. 

  316.     global $conf;
    317. 

  317.     $file = $conf['metadir'].'/_htcookiesalt';
    318. 

  318.     if ($secure || !file_exists($file)) {
    319. 

  319.         $file = $conf['metadir'].'/_htcookiesalt2';
    320. 

  320.     }
    321. 

  321.     $salt = io_readFile($file);
    322. 

  322.     if(empty($salt)) {
    323. 

  323.         $salt = bin2hex(auth_randombytes(64));
    324. 

  324.         io_saveFile($file, $salt);
    325. 

  325.     }
    326. 

  326.     if($addsession) {
    327. 

  327.         $salt .= session_id();
    328. 

  328.     }
    329. 

  329.     return $salt;
    330. 

  330. }
    331. 

  331. 

  332. /**
    333. 

  333.  * Return cryptographically secure random bytes.
    334. 

  334.  *
    335. 

  335.  * @author Niklas Keller <me@kelunik.com>
    336. 

  336.  *
    337. 

  337.  * @param int $length number of bytes
    338. 

  338.  * @return string cryptographically secure random bytes
    339. 

  339.  */
    340. 

  340. function auth_randombytes($length) {
    341. 

  341.     return random_bytes($length);
    342. 

  342. }
    343. 

  343. 

  344. /**
    345. 

  345.  * Cryptographically secure random number generator.
    346. 

  346.  *
    347. 

  347.  * @author Niklas Keller <me@kelunik.com>
    348. 

  348.  *
    349. 

  349.  * @param int $min
    350. 

  350.  * @param int $max
    351. 

  351.  * @return int
    352. 

  352.  */
    353. 

  353. function auth_random($min, $max) {
    354. 

  354.     return random_int($min, $max);
    355. 

  355. }
    356. 

  356. 

  357. /**
    358. 

  358.  * Encrypt data using the given secret using AES
    359. 

  359.  *
    360. 

  360.  * The mode is CBC with a random initialization vector, the key is derived
    361. 

  361.  * using pbkdf2.
    362. 

  362.  *
    363. 

  363.  * @param string $data   The data that shall be encrypted
    364. 

  364.  * @param string $secret The secret/password that shall be used
    365. 

  365.  * @return string The ciphertext
    366. 

  366.  */
    367. 

  367. function auth_encrypt($data, $secret) {
    368. 

  368.     $iv     = auth_randombytes(16);
    369. 

  369.     $cipher = new \phpseclib\Crypt\AES();
    370. 

  370.     $cipher->setPassword($secret);
    371. 

  371. 

  372.     /*
    373. 

  373.     this uses the encrypted IV as IV as suggested in
    374. 

  374.     http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf, Appendix C
    375. 

  375.     for unique but necessarily random IVs. The resulting ciphertext is
    376. 

  376.     compatible to ciphertext that was created using a "normal" IV.
    377. 

  377.     */
    378. 

  378.     return $cipher->encrypt($iv.$data);
    379. 

  379. }
    380. 

  380. 

  381. /**
    382. 

  382.  * Decrypt the given AES ciphertext
    383. 

  383.  *
    384. 

  384.  * The mode is CBC, the key is derived using pbkdf2
    385. 

  385.  *
    386. 

  386.  * @param string $ciphertext The encrypted data
    387. 

  387.  * @param string $secret     The secret/password that shall be used
    388. 

  388.  * @return string The decrypted data
    389. 

  389.  */
    390. 

  390. function auth_decrypt($ciphertext, $secret) {
    391. 

  391.     $iv     = substr($ciphertext, 0, 16);
    392. 

  392.     $cipher = new \phpseclib\Crypt\AES();
    393. 

  393.     $cipher->setPassword($secret);
    394. 

  394.     $cipher->setIV($iv);
    395. 

  395. 

  396.     return $cipher->decrypt(substr($ciphertext, 16));
    397. 

  397. }
    398. 

  398. 

  399. /**
    400. 

  400.  * Log out the current user
    401. 

  401.  *
    402. 

  402.  * This clears all authentication data and thus log the user
    403. 

  403.  * off. It also clears session data.
    404. 

  404.  *
    405. 

  405.  * @author  Andreas Gohr <andi@splitbrain.org>
    406. 

  406.  *
    407. 

  407.  * @param bool $keepbc - when true, the breadcrumb data is not cleared
    408. 

  408.  */
    409. 

  409. function auth_logoff($keepbc = false) {
    410. 

  410.     global $conf;
    411. 

  411.     global $USERINFO;
    412. 

  412.     /* @var AuthPlugin $auth */
    413. 

  413.     global $auth;
    414. 

  414.     /* @var Input $INPUT */
    415. 

  415.     global $INPUT;
    416. 

  416. 

  417.     // make sure the session is writable (it usually is)
    418. 

  418.     @session_start();
    419. 

  419. 

  420.     if(isset($_SESSION[DOKU_COOKIE]['auth']['user']))
    421. 

  421.         unset($_SESSION[DOKU_COOKIE]['auth']['user']);
    422. 

  422.     if(isset($_SESSION[DOKU_COOKIE]['auth']['pass']))
    423. 

  423.         unset($_SESSION[DOKU_COOKIE]['auth']['pass']);
    424. 

  424.     if(isset($_SESSION[DOKU_COOKIE]['auth']['info']))
    425. 

  425.         unset($_SESSION[DOKU_COOKIE]['auth']['info']);
    426. 

  426.     if(!$keepbc && isset($_SESSION[DOKU_COOKIE]['bc']))
    427. 

  427.         unset($_SESSION[DOKU_COOKIE]['bc']);
    428. 

  428.     $INPUT->server->remove('REMOTE_USER');
    429. 

  429.     $USERINFO = null; //FIXME
    430. 

  430. 

  431.     $cookieDir = empty($conf['cookiedir']) ? DOKU_REL : $conf['cookiedir'];
    432. 

  432.     setcookie(DOKU_COOKIE, '', time() - 600000, $cookieDir, '', ($conf['securecookie'] && is_ssl()), true);
    433. 

  433. 

  434.     if($auth) $auth->logOff();
    435. 

  435. }
    436. 

  436. 

  437. /**
    438. 

  438.  * Check if a user is a manager
    439. 

  439.  *
    440. 

  440.  * Should usually be called without any parameters to check the current
    441. 

  441.  * user.
    442. 

  442.  *
    443. 

  443.  * The info is available through $INFO['ismanager'], too
    444. 

  444.  *
    445. 

  445.  * @param string $user Username
    446. 

  446.  * @param array $groups List of groups the user is in
    447. 

  447.  * @param bool $adminonly when true checks if user is admin
    448. 

  448.  * @param bool $recache set to true to refresh the cache
    449. 

  449.  * @return bool
    450. 

  450.  * @see    auth_isadmin
    451. 

  451.  *
    452. 

  452.  * @author Andreas Gohr <andi@splitbrain.org>
    453. 

  453.  */
    454. 

  454. function auth_ismanager($user = null, $groups = null, $adminonly = false, $recache=false) {
    455. 

  455.     global $conf;
    456. 

  456.     global $USERINFO;
    457. 

  457.     /* @var AuthPlugin $auth */
    458. 

  458.     global $auth;
    459. 

  459.     /* @var Input $INPUT */
    460. 

  460.     global $INPUT;
    461. 

  461. 

  462. 

  463.     if(!$auth) return false;
    464. 

  464.     if(is_null($user)) {
    465. 

  465.         if(!$INPUT->server->has('REMOTE_USER')) {
    466. 

  466.             return false;
    467. 

  467.         } else {
    468. 

  468.             $user = $INPUT->server->str('REMOTE_USER');
    469. 

  469.         }
    470. 

  470.     }
    471. 

  471.     if (is_null($groups)) {
    472. 

  472.         // checking the logged in user, or another one?
    473. 

  473.         if ($USERINFO && $user === $INPUT->server->str('REMOTE_USER')) {
    474. 

  474.             $groups =  (array) $USERINFO['grps'];
    475. 

  475.         } else {
    476. 

  476.             $groups = $auth->getUserData($user);
    477. 

  477.             $groups = $groups ? $groups['grps'] : [];
    478. 

  478.         }
    479. 

  479.     }
    480. 

  480. 

  481.     // prefer cached result
    482. 

  482.     static $cache = [];
    483. 

  483.     $cachekey = serialize([$user, $adminonly, $groups]);
    484. 

  484.     if (!isset($cache[$cachekey]) || $recache) {
    485. 

  485.         // check superuser match
    486. 

  486.         $ok = auth_isMember($conf['superuser'], $user, $groups);
    487. 

  487. 

  488.         // check managers
    489. 

  489.         if (!$ok && !$adminonly) {
    490. 

  490.             $ok = auth_isMember($conf['manager'], $user, $groups);
    491. 

  491.         }
    492. 

  492. 

  493.         $cache[$cachekey] = $ok;
    494. 

  494.     }
    495. 

  495. 

  496.     return $cache[$cachekey];
    497. 

  497. }
    498. 

  498. 

  499. /**
    500. 

  500.  * Check if a user is admin
    501. 

  501.  *
    502. 

  502.  * Alias to auth_ismanager with adminonly=true
    503. 

  503.  *
    504. 

  504.  * The info is available through $INFO['isadmin'], too
    505. 

  505.  *
    506. 

  506.  * @param string $user Username
    507. 

  507.  * @param array $groups List of groups the user is in
    508. 

  508.  * @param bool $recache set to true to refresh the cache
    509. 

  509.  * @return bool
    510. 

  510.  * @author Andreas Gohr <andi@splitbrain.org>
    511. 

  511.  * @see auth_ismanager()
    512. 

  512.  *
    513. 

  513.  */
    514. 

  514. function auth_isadmin($user = null, $groups = null, $recache=false) {
    515. 

  515.     return auth_ismanager($user, $groups, true, $recache);
    516. 

  516. }
    517. 

  517. 

  518. /**
    519. 

  519.  * Match a user and his groups against a comma separated list of
    520. 

  520.  * users and groups to determine membership status
    521. 

  521.  *
    522. 

  522.  * Note: all input should NOT be nameencoded.
    523. 

  523.  *
    524. 

  524.  * @param string $memberlist commaseparated list of allowed users and groups
    525. 

  525.  * @param string $user       user to match against
    526. 

  526.  * @param array  $groups     groups the user is member of
    527. 

  527.  * @return bool       true for membership acknowledged
    528. 

  528.  */
    529. 

  529. function auth_isMember($memberlist, $user, array $groups) {
    530. 

  530.     /* @var AuthPlugin $auth */
    531. 

  531.     global $auth;
    532. 

  532.     if(!$auth) return false;
    533. 

  533. 

  534.     // clean user and groups
    535. 

  535.     if(!$auth->isCaseSensitive()) {
    536. 

  536.         $user   = \dokuwiki\Utf8\PhpString::strtolower($user);
    537. 

  537.         $groups = array_map([\dokuwiki\Utf8\PhpString::class, 'strtolower'], $groups);
    538. 

  538.     }
    539. 

  539.     $user   = $auth->cleanUser($user);
    540. 

  540.     $groups = array_map(array($auth, 'cleanGroup'), $groups);
    541. 

  541. 

  542.     // extract the memberlist
    543. 

  543.     $members = explode(',', $memberlist);
    544. 

  544.     $members = array_map('trim', $members);
    545. 

  545.     $members = array_unique($members);
    546. 

  546.     $members = array_filter($members);
    547. 

  547. 

  548.     // compare cleaned values
    549. 

  549.     foreach($members as $member) {
    550. 

  550.         if($member == '@ALL' ) return true;
    551. 

  551.         if(!$auth->isCaseSensitive()) $member = \dokuwiki\Utf8\PhpString::strtolower($member);
    552. 

  552.         if($member[0] == '@') {
    553. 

  553.             $member = $auth->cleanGroup(substr($member, 1));
    554. 

  554.             if(in_array($member, $groups)) return true;
    555. 

  555.         } else {
    556. 

  556.             $member = $auth->cleanUser($member);
    557. 

  557.             if($member == $user) return true;
    558. 

  558.         }
    559. 

  559.     }
    560. 

  560. 

  561.     // still here? not a member!
    562. 

  562.     return false;
    563. 

  563. }
    564. 

  564. 

  565. /**
    566. 

  566.  * Convinience function for auth_aclcheck()
    567. 

  567.  *
    568. 

  568.  * This checks the permissions for the current user
    569. 

  569.  *
    570. 

  570.  * @author  Andreas Gohr <andi@splitbrain.org>
    571. 

  571.  *
    572. 

  572.  * @param  string  $id  page ID (needs to be resolved and cleaned)
    573. 

  573.  * @return int          permission level
    574. 

  574.  */
    575. 

  575. function auth_quickaclcheck($id) {
    576. 

  576.     global $conf;
    577. 

  577.     global $USERINFO;
    578. 

  578.     /* @var Input $INPUT */
    579. 

  579.     global $INPUT;
    580. 

  580.     # if no ACL is used always return upload rights
    581. 

  581.     if(!$conf['useacl']) return AUTH_UPLOAD;
    582. 

  582.     return auth_aclcheck($id, $INPUT->server->str('REMOTE_USER'), is_array($USERINFO) ? $USERINFO['grps'] : array());
    583. 

  583. }
    584. 

  584. 

  585. /**
    586. 

  586.  * Returns the maximum rights a user has for the given ID or its namespace
    587. 

  587.  *
    588. 

  588.  * @author  Andreas Gohr <andi@splitbrain.org>
    589. 

  589.  *
    590. 

  590.  * @triggers AUTH_ACL_CHECK
    591. 

  591.  * @param  string       $id     page ID (needs to be resolved and cleaned)
    592. 

  592.  * @param  string       $user   Username
    593. 

  593.  * @param  array|null   $groups Array of groups the user is in
    594. 

  594.  * @return int             permission level
    595. 

  595.  */
    596. 

  596. function auth_aclcheck($id, $user, $groups) {
    597. 

  597.     $data = array(
    598. 

  598.         'id'     => $id ?? '',
    599. 

  599.         'user'   => $user,
    600. 

  600.         'groups' => $groups
    601. 

  601.     );
    602. 

  602. 

  603.     return Event::createAndTrigger('AUTH_ACL_CHECK', $data, 'auth_aclcheck_cb');
    604. 

  604. }
    605. 

  605. 

  606. /**
    607. 

  607.  * default ACL check method
    608. 

  608.  *
    609. 

  609.  * DO NOT CALL DIRECTLY, use auth_aclcheck() instead
    610. 

  610.  *
    611. 

  611.  * @author  Andreas Gohr <andi@splitbrain.org>
    612. 

  612.  *
    613. 

  613.  * @param  array $data event data
    614. 

  614.  * @return int   permission level
    615. 

  615.  */
    616. 

  616. function auth_aclcheck_cb($data) {
    617. 

  617.     $id     =& $data['id'];
    618. 

  618.     $user   =& $data['user'];
    619. 

  619.     $groups =& $data['groups'];
    620. 

  620. 

  621.     global $conf;
    622. 

  622.     global $AUTH_ACL;
    623. 

  623.     /* @var AuthPlugin $auth */
    624. 

  624.     global $auth;
    625. 

  625. 

  626.     // if no ACL is used always return upload rights
    627. 

  627.     if(!$conf['useacl']) return AUTH_UPLOAD;
    628. 

  628.     if(!$auth) return AUTH_NONE;
    629. 

  629.     if(!is_array($AUTH_ACL)) return AUTH_NONE;
    630. 

  630. 

  631.     //make sure groups is an array
    632. 

  632.     if(!is_array($groups)) $groups = array();
    633. 

  633. 

  634.     //if user is superuser or in superusergroup return 255 (acl_admin)
    635. 

  635.     if(auth_isadmin($user, $groups)) {
    636. 

  636.         return AUTH_ADMIN;
    637. 

  637.     }
    638. 

  638. 

  639.     if(!$auth->isCaseSensitive()) {
    640. 

  640.         $user   = \dokuwiki\Utf8\PhpString::strtolower($user);
    641. 

  641.         $groups = array_map([\dokuwiki\Utf8\PhpString::class, 'strtolower'], $groups);
    642. 

  642.     }
    643. 

  643.     $user   = auth_nameencode($auth->cleanUser($user));
    644. 

  644.     $groups = array_map(array($auth, 'cleanGroup'), (array) $groups);
    645. 

  645. 

  646.     //prepend groups with @ and nameencode
    647. 

  647.     foreach($groups as &$group) {
    648. 

  648.         $group = '@'.auth_nameencode($group);
    649. 

  649.     }
    650. 

  650. 

  651.     $ns   = getNS($id);
    652. 

  652.     $perm = -1;
    653. 

  653. 

  654.     //add ALL group
    655. 

  655.     $groups[] = '@ALL';
    656. 

  656. 

  657.     //add User
    658. 

  658.     if($user) $groups[] = $user;
    659. 

  659. 

  660.     //check exact match first
    661. 

  661.     $matches = preg_grep('/^'.preg_quote($id, '/').'[ \t]+([^ \t]+)[ \t]+/', $AUTH_ACL);
    662. 

  662.     if(count($matches)) {
    663. 

  663.         foreach($matches as $match) {
    664. 

  664.             $match = preg_replace('/#.*$/', '', $match); //ignore comments
    665. 

  665.             $acl   = preg_split('/[ \t]+/', $match);
    666. 

  666.             if(!$auth->isCaseSensitive() && $acl[1] !== '@ALL') {
    667. 

  667.                 $acl[1] = \dokuwiki\Utf8\PhpString::strtolower($acl[1]);
    668. 

  668.             }
    669. 

  669.             if(!in_array($acl[1], $groups)) {
    670. 

  670.                 continue;
    671. 

  671.             }
    672. 

  672.             if($acl[2] > AUTH_DELETE) $acl[2] = AUTH_DELETE; //no admins in the ACL!
    673. 

  673.             if($acl[2] > $perm) {
    674. 

  674.                 $perm = $acl[2];
    675. 

  675.             }
    676. 

  676.         }
    677. 

  677.         if($perm > -1) {
    678. 

  678.             //we had a match - return it
    679. 

  679.             return (int) $perm;
    680. 

  680.         }
    681. 

  681.     }
    682. 

  682. 

  683.     //still here? do the namespace checks
    684. 

  684.     if($ns) {
    685. 

  685.         $path = $ns.':*';
    686. 

  686.     } else {
    687. 

  687.         $path = '*'; //root document
    688. 

  688.     }
    689. 

  689. 

  690.     do {
    691. 

  691.         $matches = preg_grep('/^'.preg_quote($path, '/').'[ \t]+([^ \t]+)[ \t]+/', $AUTH_ACL);
    692. 

  692.         if(count($matches)) {
    693. 

  693.             foreach($matches as $match) {
    694. 

  694.                 $match = preg_replace('/#.*$/', '', $match); //ignore comments
    695. 

  695.                 $acl   = preg_split('/[ \t]+/', $match);
    696. 

  696.                 if(!$auth->isCaseSensitive() && $acl[1] !== '@ALL') {
    697. 

  697.                     $acl[1] = \dokuwiki\Utf8\PhpString::strtolower($acl[1]);
    698. 

  698.                 }
    699. 

  699.                 if(!in_array($acl[1], $groups)) {
    700. 

  700.                     continue;
    701. 

  701.                 }
    702. 

  702.                 if($acl[2] > AUTH_DELETE) $acl[2] = AUTH_DELETE; //no admins in the ACL!
    703. 

  703.                 if($acl[2] > $perm) {
    704. 

  704.                     $perm = $acl[2];
    705. 

  705.                 }
    706. 

  706.             }
    707. 

  707.             //we had a match - return it
    708. 

  708.             if($perm != -1) {
    709. 

  709.                 return (int) $perm;
    710. 

  710.             }
    711. 

  711.         }
    712. 

  712.         //get next higher namespace
    713. 

  713.         $ns = getNS($ns);
    714. 

  714. 

  715.         if($path != '*') {
    716. 

  716.             $path = $ns.':*';
    717. 

  717.             if($path == ':*') $path = '*';
    718. 

  718.         } else {
    719. 

  719.             //we did this already
    720. 

  720.             //looks like there is something wrong with the ACL
    721. 

  721.             //break here
    722. 

  722.             msg('No ACL setup yet! Denying access to everyone.');
    723. 

  723.             return AUTH_NONE;
    724. 

  724.         }
    725. 

  725.     } while(1); //this should never loop endless
    726. 

  726.     return AUTH_NONE;
    727. 

  727. }
    728. 

  728. 

  729. /**
    730. 

  730.  * Encode ASCII special chars
    731. 

  731.  *
    732. 

  732.  * Some auth backends allow special chars in their user and groupnames
    733. 

  733.  * The special chars are encoded with this function. Only ASCII chars
    734. 

  734.  * are encoded UTF-8 multibyte are left as is (different from usual
    735. 

  735.  * urlencoding!).
    736. 

  736.  *
    737. 

  737.  * Decoding can be done with rawurldecode
    738. 

  738.  *
    739. 

  739.  * @author Andreas Gohr <gohr@cosmocode.de>
    740. 

  740.  * @see rawurldecode()
    741. 

  741.  *
    742. 

  742.  * @param string $name
    743. 

  743.  * @param bool $skip_group
    744. 

  744.  * @return string
    745. 

  745.  */
    746. 

  746. function auth_nameencode($name, $skip_group = false) {
    747. 

  747.     global $cache_authname;
    748. 

  748.     $cache =& $cache_authname;
    749. 

  749.     $name  = (string) $name;
    750. 

  750. 

  751.     // never encode wildcard FS#1955
    752. 

  752.     if($name == '%USER%') return $name;
    753. 

  753.     if($name == '%GROUP%') return $name;
    754. 

  754. 

  755.     if(!isset($cache[$name][$skip_group])) {
    756. 

  756.         if($skip_group && $name[0] == '@') {
    757. 

  757.             $cache[$name][$skip_group] = '@'.preg_replace_callback(
    758. 

  758.                 '/([\x00-\x2f\x3a-\x40\x5b-\x60\x7b-\x7f])/',
    759. 

  759.                 'auth_nameencode_callback', substr($name, 1)
    760. 

  760.             );
    761. 

  761.         } else {
    762. 

  762.             $cache[$name][$skip_group] = preg_replace_callback(
    763. 

  763.                 '/([\x00-\x2f\x3a-\x40\x5b-\x60\x7b-\x7f])/',
    764. 

  764.                 'auth_nameencode_callback', $name
    765. 

  765.             );
    766. 

  766.         }
    767. 

  767.     }
    768. 

  768. 

  769.     return $cache[$name][$skip_group];
    770. 

  770. }
    771. 

  771. 

  772. /**
    773. 

  773.  * callback encodes the matches
    774. 

  774.  *
    775. 

  775.  * @param array $matches first complete match, next matching subpatterms
    776. 

  776.  * @return string
    777. 

  777.  */
    778. 

  778. function auth_nameencode_callback($matches) {
    779. 

  779.     return '%'.dechex(ord(substr($matches[1],-1)));
    780. 

  780. }
    781. 

  781. 

  782. /**
    783. 

  783.  * Create a pronouncable password
    784. 

  784.  *
    785. 

  785.  * The $foruser variable might be used by plugins to run additional password
    786. 

  786.  * policy checks, but is not used by the default implementation
    787. 

  787.  *
    788. 

  788.  * @author   Andreas Gohr <andi@splitbrain.org>
    789. 

  789.  * @link     http://www.phpbuilder.com/annotate/message.php3?id=1014451
    790. 

  790.  * @triggers AUTH_PASSWORD_GENERATE
    791. 

  791.  *
    792. 

  792.  * @param  string $foruser username for which the password is generated
    793. 

  793.  * @return string  pronouncable password
    794. 

  794.  */
    795. 

  795. function auth_pwgen($foruser = '') {
    796. 

  796.     $data = array(
    797. 

  797.         'password' => '',
    798. 

  798.         'foruser'  => $foruser
    799. 

  799.     );
    800. 

  800. 

  801.     $evt = new Event('AUTH_PASSWORD_GENERATE', $data);
    802. 

  802.     if($evt->advise_before(true)) {
    803. 

  803.         $c = 'bcdfghjklmnprstvwz'; //consonants except hard to speak ones
    804. 

  804.         $v = 'aeiou'; //vowels
    805. 

  805.         $a = $c.$v; //both
    806. 

  806.         $s = '!$%&?+*~#-_:.;,'; // specials
    807. 

  807. 

  808.         //use thre syllables...
    809. 

  809.         for($i = 0; $i < 3; $i++) {
    810. 

  810.             $data['password'] .= $c[auth_random(0, strlen($c) - 1)];
    811. 

  811.             $data['password'] .= $v[auth_random(0, strlen($v) - 1)];
    812. 

  812.             $data['password'] .= $a[auth_random(0, strlen($a) - 1)];
    813. 

  813.         }
    814. 

  814.         //... and add a nice number and special
    815. 

  815.         $data['password'] .= $s[auth_random(0, strlen($s) - 1)].auth_random(10, 99);
    816. 

  816.     }
    817. 

  817.     $evt->advise_after();
    818. 

  818. 

  819.     return $data['password'];
    820. 

  820. }
    821. 

  821. 

  822. /**
    823. 

  823.  * Sends a password to the given user
    824. 

  824.  *
    825. 

  825.  * @author  Andreas Gohr <andi@splitbrain.org>
    826. 

  826.  *
    827. 

  827.  * @param string $user Login name of the user
    828. 

  828.  * @param string $password The new password in clear text
    829. 

  829.  * @return bool  true on success
    830. 

  830.  */
    831. 

  831. function auth_sendPassword($user, $password) {
    832. 

  832.     global $lang;
    833. 

  833.     /* @var AuthPlugin $auth */
    834. 

  834.     global $auth;
    835. 

  835.     if(!$auth) return false;
    836. 

  836. 

  837.     $user     = $auth->cleanUser($user);
    838. 

  838.     $userinfo = $auth->getUserData($user, $requireGroups = false);
    839. 

  839. 

  840.     if(!$userinfo['mail']) return false;
    841. 

  841. 

  842.     $text = rawLocale('password');
    843. 

  843.     $trep = array(
    844. 

  844.         'FULLNAME' => $userinfo['name'],
    845. 

  845.         'LOGIN'    => $user,
    846. 

  846.         'PASSWORD' => $password
    847. 

  847.     );
    848. 

  848. 

  849.     $mail = new Mailer();
    850. 

  850.     $mail->to($mail->getCleanName($userinfo['name']).' <'.$userinfo['mail'].'>');
    851. 

  851.     $mail->subject($lang['regpwmail']);
    852. 

  852.     $mail->setBody($text, $trep);
    853. 

  853.     return $mail->send();
    854. 

  854. }
    855. 

  855. 

  856. /**
    857. 

  857.  * Register a new user
    858. 

  858.  *
    859. 

  859.  * This registers a new user - Data is read directly from $_POST
    860. 

  860.  *
    861. 

  861.  * @author  Andreas Gohr <andi@splitbrain.org>
    862. 

  862.  *
    863. 

  863.  * @return bool  true on success, false on any error
    864. 

  864.  */
    865. 

  865. function register() {
    866. 

  866.     global $lang;
    867. 

  867.     global $conf;
    868. 

  868.     /* @var \dokuwiki\Extension\AuthPlugin $auth */
    869. 

  869.     global $auth;
    870. 

  870.     global $INPUT;
    871. 

  871. 

  872.     if(!$INPUT->post->bool('save')) return false;
    873. 

  873.     if(!actionOK('register')) return false;
    874. 

  874. 

  875.     // gather input
    876. 

  876.     $login    = trim($auth->cleanUser($INPUT->post->str('login')));
    877. 

  877.     $fullname = trim(preg_replace('/[\x00-\x1f:<>&%,;]+/', '', $INPUT->post->str('fullname')));
    878. 

  878.     $email    = trim(preg_replace('/[\x00-\x1f:<>&%,;]+/', '', $INPUT->post->str('email')));
    879. 

  879.     $pass     = $INPUT->post->str('pass');
    880. 

  880.     $passchk  = $INPUT->post->str('passchk');
    881. 

  881. 

  882.     if(empty($login) || empty($fullname) || empty($email)) {
    883. 

  883.         msg($lang['regmissing'], -1);
    884. 

  884.         return false;
    885. 

  885.     }
    886. 

  886. 

  887.     if($conf['autopasswd']) {
    888. 

  888.         $pass = auth_pwgen($login); // automatically generate password
    889. 

  889.     } elseif(empty($pass) || empty($passchk)) {
    890. 

  890.         msg($lang['regmissing'], -1); // complain about missing passwords
    891. 

  891.         return false;
    892. 

  892.     } elseif($pass != $passchk) {
    893. 

  893.         msg($lang['regbadpass'], -1); // complain about misspelled passwords
    894. 

  894.         return false;
    895. 

  895.     }
    896. 

  896. 

  897.     //check mail
    898. 

  898.     if(!mail_isvalid($email)) {
    899. 

  899.         msg($lang['regbadmail'], -1);
    900. 

  900.         return false;
    901. 

  901.     }
    902. 

  902. 

  903.     //okay try to create the user
    904. 

  904.     if(!$auth->triggerUserMod('create', array($login, $pass, $fullname, $email))) {
    905. 

  905.         msg($lang['regfail'], -1);
    906. 

  906.         return false;
    907. 

  907.     }
    908. 

  908. 

  909.     // send notification about the new user
    910. 

  910.     $subscription = new RegistrationSubscriptionSender();
    911. 

  911.     $subscription->sendRegister($login, $fullname, $email);
    912. 

  912. 

  913.     // are we done?
    914. 

  914.     if(!$conf['autopasswd']) {
    915. 

  915.         msg($lang['regsuccess2'], 1);
    916. 

  916.         return true;
    917. 

  917.     }
    918. 

  918. 

  919.     // autogenerated password? then send password to user
    920. 

  920.     if(auth_sendPassword($login, $pass)) {
    921. 

  921.         msg($lang['regsuccess'], 1);
    922. 

  922.         return true;
    923. 

  923.     } else {
    924. 

  924.         msg($lang['regmailfail'], -1);
    925. 

  925.         return false;
    926. 

  926.     }
    927. 

  927. }
    928. 

  928. 

  929. /**
    930. 

  930.  * Update user profile
    931. 

  931.  *
    932. 

  932.  * @author    Christopher Smith <chris@jalakai.co.uk>
    933. 

  933.  */
    934. 

  934. function updateprofile() {
    935. 

  935.     global $conf;
    936. 

  936.     global $lang;
    937. 

  937.     /* @var AuthPlugin $auth */
    938. 

  938.     global $auth;
    939. 

  939.     /* @var Input $INPUT */
    940. 

  940.     global $INPUT;
    941. 

  941. 

  942.     if(!$INPUT->post->bool('save')) return false;
    943. 

  943.     if(!checkSecurityToken()) return false;
    944. 

  944. 

  945.     if(!actionOK('profile')) {
    946. 

  946.         msg($lang['profna'], -1);
    947. 

  947.         return false;
    948. 

  948.     }
    949. 

  949. 

  950.     $changes         = array();
    951. 

  951.     $changes['pass'] = $INPUT->post->str('newpass');
    952. 

  952.     $changes['name'] = $INPUT->post->str('fullname');
    953. 

  953.     $changes['mail'] = $INPUT->post->str('email');
    954. 

  954. 

  955.     // check misspelled passwords
    956. 

  956.     if($changes['pass'] != $INPUT->post->str('passchk')) {
    957. 

  957.         msg($lang['regbadpass'], -1);
    958. 

  958.         return false;
    959. 

  959.     }
    960. 

  960. 

  961.     // clean fullname and email
    962. 

  962.     $changes['name'] = trim(preg_replace('/[\x00-\x1f:<>&%,;]+/', '', $changes['name']));
    963. 

  963.     $changes['mail'] = trim(preg_replace('/[\x00-\x1f:<>&%,;]+/', '', $changes['mail']));
    964. 

  964. 

  965.     // no empty name and email (except the backend doesn't support them)
    966. 

  966.     if((empty($changes['name']) && $auth->canDo('modName')) ||
    967. 

  967.         (empty($changes['mail']) && $auth->canDo('modMail'))
    968. 

  968.     ) {
    969. 

  969.         msg($lang['profnoempty'], -1);
    970. 

  970.         return false;
    971. 

  971.     }
    972. 

  972.     if(!mail_isvalid($changes['mail']) && $auth->canDo('modMail')) {
    973. 

  973.         msg($lang['regbadmail'], -1);
    974. 

  974.         return false;
    975. 

  975.     }
    976. 

  976. 

  977.     $changes = array_filter($changes);
    978. 

  978. 

  979.     // check for unavailable capabilities
    980. 

  980.     if(!$auth->canDo('modName')) unset($changes['name']);
    981. 

  981.     if(!$auth->canDo('modMail')) unset($changes['mail']);
    982. 

  982.     if(!$auth->canDo('modPass')) unset($changes['pass']);
    983. 

  983. 

  984.     // anything to do?
    985. 

  985.     if(!count($changes)) {
    986. 

  986.         msg($lang['profnochange'], -1);
    987. 

  987.         return false;
    988. 

  988.     }
    989. 

  989. 

  990.     if($conf['profileconfirm']) {
    991. 

  991.         if(!$auth->checkPass($INPUT->server->str('REMOTE_USER'), $INPUT->post->str('oldpass'))) {
    992. 

  992.             msg($lang['badpassconfirm'], -1);
    993. 

  993.             return false;
    994. 

  994.         }
    995. 

  995.     }
    996. 

  996. 

  997.     if(!$auth->triggerUserMod('modify', array($INPUT->server->str('REMOTE_USER'), &$changes))) {
    998. 

  998.         msg($lang['proffail'], -1);
    999. 

  999.         return false;
    1000. 

  1000.     }
    1001. 

  1001. 

  1002.     if($changes['pass']) {
    1003. 

  1003.         // update cookie and session with the changed data
    1004. 

  1004.         list( /*user*/, $sticky, /*pass*/) = auth_getCookie();
    1005. 

  1005.         $pass = auth_encrypt($changes['pass'], auth_cookiesalt(!$sticky, true));
    1006. 

  1006.         auth_setCookie($INPUT->server->str('REMOTE_USER'), $pass, (bool) $sticky);
    1007. 

  1007.     } else {
    1008. 

  1008.         // make sure the session is writable
    1009. 

  1009.         @session_start();
    1010. 

  1010.         // invalidate session cache
    1011. 

  1011.         $_SESSION[DOKU_COOKIE]['auth']['time'] = 0;
    1012. 

  1012.         session_write_close();
    1013. 

  1013.     }
    1014. 

  1014. 

  1015.     return true;
    1016. 

  1016. }
    1017. 

  1017. 

  1018. /**
    1019. 

  1019.  * Delete the current logged-in user
    1020. 

  1020.  *
    1021. 

  1021.  * @return bool true on success, false on any error
    1022. 

  1022.  */
    1023. 

  1023. function auth_deleteprofile(){
    1024. 

  1024.     global $conf;
    1025. 

  1025.     global $lang;
    1026. 

  1026.     /* @var \dokuwiki\Extension\AuthPlugin $auth */
    1027. 

  1027.     global $auth;
    1028. 

  1028.     /* @var Input $INPUT */
    1029. 

  1029.     global $INPUT;
    1030. 

  1030. 

  1031.     if(!$INPUT->post->bool('delete')) return false;
    1032. 

  1032.     if(!checkSecurityToken()) return false;
    1033. 

  1033. 

  1034.     // action prevented or auth module disallows
    1035. 

  1035.     if(!actionOK('profile_delete') || !$auth->canDo('delUser')) {
    1036. 

  1036.         msg($lang['profnodelete'], -1);
    1037. 

  1037.         return false;
    1038. 

  1038.     }
    1039. 

  1039. 

  1040.     if(!$INPUT->post->bool('confirm_delete')){
    1041. 

  1041.         msg($lang['profconfdeletemissing'], -1);
    1042. 

  1042.         return false;
    1043. 

  1043.     }
    1044. 

  1044. 

  1045.     if($conf['profileconfirm']) {
    1046. 

  1046.         if(!$auth->checkPass($INPUT->server->str('REMOTE_USER'), $INPUT->post->str('oldpass'))) {
    1047. 

  1047.             msg($lang['badpassconfirm'], -1);
    1048. 

  1048.             return false;
    1049. 

  1049.         }
    1050. 

  1050.     }
    1051. 

  1051. 

  1052.     $deleted = array();
    1053. 

  1053.     $deleted[] = $INPUT->server->str('REMOTE_USER');
    1054. 

  1054.     if($auth->triggerUserMod('delete', array($deleted))) {
    1055. 

  1055.         // force and immediate logout including removing the sticky cookie
    1056. 

  1056.         auth_logoff();
    1057. 

  1057.         return true;
    1058. 

  1058.     }
    1059. 

  1059. 

  1060.     return false;
    1061. 

  1061. }
    1062. 

  1062. 

  1063. /**
    1064. 

  1064.  * Send a  new password
    1065. 

  1065.  *
    1066. 

  1066.  * This function handles both phases of the password reset:
    1067. 

  1067.  *
    1068. 

  1068.  *   - handling the first request of password reset
    1069. 

  1069.  *   - validating the password reset auth token
    1070. 

  1070.  *
    1071. 

  1071.  * @author Benoit Chesneau <benoit@bchesneau.info>
    1072. 

  1072.  * @author Chris Smith <chris@jalakai.co.uk>
    1073. 

  1073.  * @author Andreas Gohr <andi@splitbrain.org>
    1074. 

  1074.  *
    1075. 

  1075.  * @return bool true on success, false on any error
    1076. 

  1076.  */
    1077. 

  1077. function act_resendpwd() {
    1078. 

  1078.     global $lang;
    1079. 

  1079.     global $conf;
    1080. 

  1080.     /* @var AuthPlugin $auth */
    1081. 

  1081.     global $auth;
    1082. 

  1082.     /* @var Input $INPUT */
    1083. 

  1083.     global $INPUT;
    1084. 

  1084. 

  1085.     if(!actionOK('resendpwd')) {
    1086. 

  1086.         msg($lang['resendna'], -1);
    1087. 

  1087.         return false;
    1088. 

  1088.     }
    1089. 

  1089. 

  1090.     $token = preg_replace('/[^a-f0-9]+/', '', $INPUT->str('pwauth'));
    1091. 

  1091. 

  1092.     if($token) {
    1093. 

  1093.         // we're in token phase - get user info from token
    1094. 

  1094. 

  1095.         $tfile = $conf['cachedir'].'/'.$token[0].'/'.$token.'.pwauth';
    1096. 

  1096.         if(!file_exists($tfile)) {
    1097. 

  1097.             msg($lang['resendpwdbadauth'], -1);
    1098. 

  1098.             $INPUT->remove('pwauth');
    1099. 

  1099.             return false;
    1100. 

  1100.         }
    1101. 

  1101.         // token is only valid for 3 days
    1102. 

  1102.         if((time() - filemtime($tfile)) > (3 * 60 * 60 * 24)) {
    1103. 

  1103.             msg($lang['resendpwdbadauth'], -1);
    1104. 

  1104.             $INPUT->remove('pwauth');
    1105. 

  1105.             @unlink($tfile);
    1106. 

  1106.             return false;
    1107. 

  1107.         }
    1108. 

  1108. 

  1109.         $user     = io_readfile($tfile);
    1110. 

  1110.         $userinfo = $auth->getUserData($user, $requireGroups = false);
    1111. 

  1111.         if(!$userinfo['mail']) {
    1112. 

  1112.             msg($lang['resendpwdnouser'], -1);
    1113. 

  1113.             return false;
    1114. 

  1114.         }
    1115. 

  1115. 

  1116.         if(!$conf['autopasswd']) { // we let the user choose a password
    1117. 

  1117.             $pass = $INPUT->str('pass');
    1118. 

  1118. 

  1119.             // password given correctly?
    1120. 

  1120.             if(!$pass) return false;
    1121. 

  1121.             if($pass != $INPUT->str('passchk')) {
    1122. 

  1122.                 msg($lang['regbadpass'], -1);
    1123. 

  1123.                 return false;
    1124. 

  1124.             }
    1125. 

  1125. 

  1126.             // change it
    1127. 

  1127.             if(!$auth->triggerUserMod('modify', array($user, array('pass' => $pass)))) {
    1128. 

  1128.                 msg($lang['proffail'], -1);
    1129. 

  1129.                 return false;
    1130. 

  1130.             }
    1131. 

  1131. 

  1132.         } else { // autogenerate the password and send by mail
    1133. 

  1133. 

  1134.             $pass = auth_pwgen($user);
    1135. 

  1135.             if(!$auth->triggerUserMod('modify', array($user, array('pass' => $pass)))) {
    1136. 

  1136.                 msg($lang['proffail'], -1);
    1137. 

  1137.                 return false;
    1138. 

  1138.             }
    1139. 

  1139. 

  1140.             if(auth_sendPassword($user, $pass)) {
    1141. 

  1141.                 msg($lang['resendpwdsuccess'], 1);
    1142. 

  1142.             } else {
    1143. 

  1143.                 msg($lang['regmailfail'], -1);
    1144. 

  1144.             }
    1145. 

  1145.         }
    1146. 

  1146. 

  1147.         @unlink($tfile);
    1148. 

  1148.         return true;
    1149. 

  1149. 

  1150.     } else {
    1151. 

  1151.         // we're in request phase
    1152. 

  1152. 

  1153.         if(!$INPUT->post->bool('save')) return false;
    1154. 

  1154. 

  1155.         if(!$INPUT->post->str('login')) {
    1156. 

  1156.             msg($lang['resendpwdmissing'], -1);
    1157. 

  1157.             return false;
    1158. 

  1158.         } else {
    1159. 

  1159.             $user = trim($auth->cleanUser($INPUT->post->str('login')));
    1160. 

  1160.         }
    1161. 

  1161. 

  1162.         $userinfo = $auth->getUserData($user, $requireGroups = false);
    1163. 

  1163.         if(!$userinfo['mail']) {
    1164. 

  1164.             msg($lang['resendpwdnouser'], -1);
    1165. 

  1165.             return false;
    1166. 

  1166.         }
    1167. 

  1167. 

  1168.         // generate auth token
    1169. 

  1169.         $token = md5(auth_randombytes(16)); // random secret
    1170. 

  1170.         $tfile = $conf['cachedir'].'/'.$token[0].'/'.$token.'.pwauth';
    1171. 

  1171.         $url   = wl('', array('do'=> 'resendpwd', 'pwauth'=> $token), true, '&');
    1172. 

  1172. 

  1173.         io_saveFile($tfile, $user);
    1174. 

  1174. 

  1175.         $text = rawLocale('pwconfirm');
    1176. 

  1176.         $trep = array(
    1177. 

  1177.             'FULLNAME' => $userinfo['name'],
    1178. 

  1178.             'LOGIN'    => $user,
    1179. 

  1179.             'CONFIRM'  => $url
    1180. 

  1180.         );
    1181. 

  1181. 

  1182.         $mail = new Mailer();
    1183. 

  1183.         $mail->to($userinfo['name'].' <'.$userinfo['mail'].'>');
    1184. 

  1184.         $mail->subject($lang['regpwmail']);
    1185. 

  1185.         $mail->setBody($text, $trep);
    1186. 

  1186.         if($mail->send()) {
    1187. 

  1187.             msg($lang['resendpwdconfirm'], 1);
    1188. 

  1188.         } else {
    1189. 

  1189.             msg($lang['regmailfail'], -1);
    1190. 

  1190.         }
    1191. 

  1191.         return true;
    1192. 

  1192.     }
    1193. 

  1193.     // never reached
    1194. 

  1194. }
    1195. 

  1195. 

  1196. /**
    1197. 

  1197.  * Encrypts a password using the given method and salt
    1198. 

  1198.  *
    1199. 

  1199.  * If the selected method needs a salt and none was given, a random one
    1200. 

  1200.  * is chosen.
    1201. 

  1201.  *
    1202. 

  1202.  * @author  Andreas Gohr <andi@splitbrain.org>
    1203. 

  1203.  *
    1204. 

  1204.  * @param string $clear The clear text password
    1205. 

  1205.  * @param string $method The hashing method
    1206. 

  1206.  * @param string $salt A salt, null for random
    1207. 

  1207.  * @return  string  The crypted password
    1208. 

  1208.  */
    1209. 

  1209. function auth_cryptPassword($clear, $method = '', $salt = null) {
    1210. 

  1210.     global $conf;
    1211. 

  1211.     if(empty($method)) $method = $conf['passcrypt'];
    1212. 

  1212. 

  1213.     $pass = new PassHash();
    1214. 

  1214.     $call = 'hash_'.$method;
    1215. 

  1215. 

  1216.     if(!method_exists($pass, $call)) {
    1217. 

  1217.         msg("Unsupported crypt method $method", -1);
    1218. 

  1218.         return false;
    1219. 

  1219.     }
    1220. 

  1220. 

  1221.     return $pass->$call($clear, $salt);
    1222. 

  1222. }
    1223. 

  1223. 

  1224. /**
    1225. 

  1225.  * Verifies a cleartext password against a crypted hash
    1226. 

  1226.  *
    1227. 

  1227.  * @author Andreas Gohr <andi@splitbrain.org>
    1228. 

  1228.  *
    1229. 

  1229.  * @param  string $clear The clear text password
    1230. 

  1230.  * @param  string $crypt The hash to compare with
    1231. 

  1231.  * @return bool true if both match
    1232. 

  1232.  */
    1233. 

  1233. function auth_verifyPassword($clear, $crypt) {
    1234. 

  1234.     $pass = new PassHash();
    1235. 

  1235.     return $pass->verify_hash($clear, $crypt);
    1236. 

  1236. }
    1237. 

  1237. 

  1238. /**
    1239. 

  1239.  * Set the authentication cookie and add user identification data to the session
    1240. 

  1240.  *
    1241. 

  1241.  * @param string  $user       username
    1242. 

  1242.  * @param string  $pass       encrypted password
    1243. 

  1243.  * @param bool    $sticky     whether or not the cookie will last beyond the session
    1244. 

  1244.  * @return bool
    1245. 

  1245.  */
    1246. 

  1246. function auth_setCookie($user, $pass, $sticky) {
    1247. 

  1247.     global $conf;
    1248. 

  1248.     /* @var AuthPlugin $auth */
    1249. 

  1249.     global $auth;
    1250. 

  1250.     global $USERINFO;
    1251. 

  1251. 

  1252.     if(!$auth) return false;
    1253. 

  1253.     $USERINFO = $auth->getUserData($user);
    1254. 

  1254. 

  1255.     // set cookie
    1256. 

  1256.     $cookie    = base64_encode($user).'|'.((int) $sticky).'|'.base64_encode($pass);
    1257. 

  1257.     $cookieDir = empty($conf['cookiedir']) ? DOKU_REL : $conf['cookiedir'];
    1258. 

  1258.     $time      = $sticky ? (time() + 60 * 60 * 24 * 365) : 0; //one year
    1259. 

  1259.     setcookie(DOKU_COOKIE, $cookie, $time, $cookieDir, '', ($conf['securecookie'] && is_ssl()), true);
    1260. 

  1260. 

  1261.     // set session
    1262. 

  1262.     $_SESSION[DOKU_COOKIE]['auth']['user'] = $user;
    1263. 

  1263.     $_SESSION[DOKU_COOKIE]['auth']['pass'] = sha1($pass);
    1264. 

  1264.     $_SESSION[DOKU_COOKIE]['auth']['buid'] = auth_browseruid();
    1265. 

  1265.     $_SESSION[DOKU_COOKIE]['auth']['info'] = $USERINFO;
    1266. 

  1266.     $_SESSION[DOKU_COOKIE]['auth']['time'] = time();
    1267. 

  1267. 

  1268.     return true;
    1269. 

  1269. }
    1270. 

  1270. 

  1271. /**
    1272. 

  1272.  * Returns the user, (encrypted) password and sticky bit from cookie
    1273. 

  1273.  *
    1274. 

  1274.  * @returns array
    1275. 

  1275.  */
    1276. 

  1276. function auth_getCookie() {
    1277. 

  1277.     if(!isset($_COOKIE[DOKU_COOKIE])) {
    1278. 

  1278.         return array(null, null, null);
    1279. 

  1279.     }
    1280. 

  1280.     list($user, $sticky, $pass) = sexplode('|', $_COOKIE[DOKU_COOKIE], 3, '');
    1281. 

  1281.     $sticky = (bool) $sticky;
    1282. 

  1282.     $pass   = base64_decode($pass);
    1283. 

  1283.     $user   = base64_decode($user);
    1284. 

  1284.     return array($user, $sticky, $pass);
    1285. 

  1285. }
    1286. 

  1286. 

  1287. //Setup VIM: ex: et ts=2 :
    1288.