<?php
/*
* Filename: auth.class.php
*
* Description:
* Authorization class for web application.
* Requires database table with following minimal structure
* id int unsigned not null auto_increment
* name varchar(64)
* passwd varchar(256)
* access text
* defaults are table _user, with columns name, passwd and access
* name and pass are matched against database entries; on success, name
* and access are stored in the class instance
*
* passwd should be able to handle 256 chars as hashes become
* longer.
*
*
* $Rev:: 10 $: Revision in Repository
* $Author:: rodolico $: Last Author
* $Date:: 2017-07-28 0$: Last Commit
*
*
* History:
* 20170728 - RWR - 1.0
* Initial build
*/
// DBQuery supplies the query object and DBQuery::makeSafeSQLConstant() used by Auth.
require_once 'DBQuery.class.php';
// $DEBUG is the optional logger Auth::logIt() looks up; declaring it global
// at file scope has no effect, it is kept for documentation only.
global $DEBUG;
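class Auth {
    // All state lives in $parameters so the whole object can be handed to
    // save()/load() (e.g. kept in $_SESSION). The keys below are defaults;
    // the constructor overlays whatever the caller passes in. Table and
    // column names are spliced into SQL unescaped, so they must only ever
    // come from configuration, never from request data.
    protected $parameters = array(
        'table name' => '_user', // table storing auth info
        'column username' => 'username', // field to match username to
        'column password' => 'passwd', // field to match password to
        'column access' => 'access', // field which contains access information
        'column id' => '_user_id', // unique user id in table
    );

    /*
     * Overlays $parameters onto the defaults key by key, then logs the
     * construction at level 1.
     */
    public function __construct( $parameters = array() ) {
        foreach ( $parameters as $key => $value ) {
            $this->parameters[$key] = $value;
        }
        $this->logIt( 1, 'Constructed Auth' );
    } // construct

    /*
     * Forwards a log line to the global $DEBUG object's writeLog() when one
     * is set; otherwise a no-op, so the class works without a logger.
     */
    protected function logIt ( $level, $message, $file = null, $class = null, $function = null, $line = null ) {
        global $DEBUG;
        if ( isset( $DEBUG ) ) {
            $DEBUG->writeLog( $level, $message, $file, $class, $function, $line );
        }
    } // logIt

    /* Returns the whole parameter array so it can be persisted (e.g. in a session). */
    public function save() {
        return $this->parameters;
    } // save

    /*
     * Replaces the parameter array wholesale with one produced by save().
     * Defaults are NOT re-applied: the caller's array is taken as-is, so
     * it is the caller's job to only load data it wrote itself.
     */
    public function load( $parameters ) {
        $this->parameters = $parameters;
    } // load

    /* Reads a parameter; null when the key was never set (no notice). */
    public function __get( $parameter ) {
        return isset( $this->parameters[$parameter] ) ? $this->parameters[$parameter] : null;
    } // function get

    /*
     * Sets a parameter and returns the previous value (null if unset).
     * PHP discards __set's return when invoked through property syntax;
     * only direct $obj->__set() callers see it.
     */
    public function __set ($parameter, $value ) {
        $oldValue = isset( $this->parameters[$parameter] ) ? $this->parameters[$parameter] : null;
        $this->parameters[$parameter] = $value;
        return $oldValue;
    } // function set

    /*
     * Authorizes access to a resource. Still a shell: any identified user
     * (a set 'username' parameter, which verifyLogin() only leaves in place
     * after a successful check) is allowed everything; $resource and
     * 'access' are not consulted yet. Unidentified callers are redirected
     * to the configured 'login page', or shown the built-in login form;
     * both of those paths exit() and never return.
     */
    public function authorize ( $resource = '' ) {
        if ( isset( $this->parameters['username'] ) ) {
            // TODO: compare $this->parameters['access'] against $resource
            return true;
        }
        if ( isset( $this->parameters['login page'] ) ) {
            // 'login page' is configuration, not request data, so the
            // redirect target is under the application's control.
            $loginPage = $this->parameters['login page'];
            header( "Location: $loginPage" );
            exit();
        }
        print $this->createLoginPage();
        exit();
    } // function authorize

    /*
     * Checks if the username and password are valid.
     * The username is taken from the $username argument when given,
     * otherwise from $this->parameters['username'].
     * On success, sets username, user_id and access in $parameters from the
     * database row (the username is re-read from the row so the stored
     * spelling wins) and returns them as an array.
     * On ANY failure, 'username', 'user_id' and 'access' are removed from
     * $parameters and false is returned: authorize() treats a set
     * 'username' as "logged in", so a failed attempt must not leave the
     * candidate name behind.
     * Returns array('username' => ..., 'user_id' => ..., 'access' => ...) or false.
     */
    function verifyLogin( $password, $username = null ) {
        if ( isset( $username ) ) {
            $this->parameters['username'] = $username;
        }
        $granted = false;
        if ( isset( $this->parameters['username'] ) && isset( $password ) ) {
            // Column and table names are configuration (unescaped); only the
            // username is request data and goes through makeSafeSQLConstant().
            $sql = "select " .
                $this->parameters['column id'] . " 'id'," .
                $this->parameters['column username'] . " 'username'," .
                $this->parameters['column password'] . " 'password'," .
                $this->parameters['column access'] . " 'access' " .
                " from " .
                $this->parameters['table name'] .
                " where " .
                $this->parameters['column username'] . " = " .
                DBQuery::makeSafeSQLConstant( $this->parameters['username'] );
            $this->logIt( 3, "Query = $sql", null, __CLASS__, __FUNCTION__, __LINE__ );
            $results = new DBQuery( $sql );
            if ( $results->getOneRow() ) {
                $data = $results->__get( 'returnData' );
                // NOTE: both dumps below include the stored password hash;
                // keep the debug log private or raise the level threshold.
                $this->logIt( 4, "\nResults = \n" . print_r( $results, true) , null, __CLASS__, __FUNCTION__, __LINE__ );
                $this->logIt( 3, "\nData = \n" . print_r( $data, true) , null, __CLASS__, __FUNCTION__, __LINE__ );
                if ( $this->passwordMatches( $password, $data ) ) {
                    $granted = array(
                        'username' => self::rowField( $data, 'username' ),
                        'user_id' => self::rowField( $data, 'id' ),
                        'access' => self::rowField( $data, 'access' ),
                    );
                } // if password verifies
            } // if the query executed
        } // if we have a username and a password
        if ( $granted === false ) {
            unset( $this->parameters['username'], $this->parameters['user_id'], $this->parameters['access'] );
            $this->logIt( 2, 'Access Denied', null, __CLASS__, __FUNCTION__, __LINE__ );
            return false;
        }
        $this->parameters['username'] = $granted['username'];
        $this->parameters['user_id'] = $granted['user_id'];
        $this->parameters['access'] = $granted['access'];
        $this->logIt( 2, "Access Granted = \n" . print_r( $granted, true) , null, __CLASS__, __FUNCTION__, __LINE__ );
        return $granted;
    } // function verifyLogin

    /*
     * True when $password verifies against the hash stored in $row.
     * Special case kept from the original design: an empty or NULL stored
     * hash means "manual reset in progress" and matches any password. That
     * is a deliberate recovery back door, so it only applies when the
     * password field is actually present in the row; a missing column or an
     * unexpected row shape denies instead of granting. Non-string input
     * (e.g. an array posted as pass[]) is denied rather than passed to
     * password_verify().
     */
    protected function passwordMatches( $password, $row ) {
        if ( ! self::rowHas( $row, 'password' ) ) {
            $this->logIt( 2, 'Password field missing from row, denying', null, __CLASS__, __FUNCTION__, __LINE__ );
            return false;
        }
        $stored = self::rowField( $row, 'password' );
        if ( $stored === null || $stored === '' ) {
            return true; // reset back door, see above
        }
        return is_string( $password ) && is_string( $stored ) && password_verify( $password, $stored );
    } // passwordMatches

    /*
     * True when the result row carries field $name. The original code read
     * the row both as an object ($data->password) and as an array
     * ($data['username']), so both shapes are accepted here.
     * NOTE(review): assumes DBQuery's returnData is an array, an ArrayAccess
     * object, or an object with real properties -- confirm against DBQuery.
     */
    protected static function rowHas( $row, $name ) {
        if ( is_array( $row ) ) {
            return array_key_exists( $name, $row );
        }
        if ( $row instanceof ArrayAccess ) {
            return $row->offsetExists( $name );
        }
        return is_object( $row ) && property_exists( $row, $name );
    } // rowHas

    /* Reads field $name from the result row; null when it is absent. */
    protected static function rowField( $row, $name ) {
        if ( ! self::rowHas( $row, $name ) ) {
            return null;
        }
        if ( is_array( $row ) || $row instanceof ArrayAccess ) {
            return $row[$name];
        }
        return $row->$name;
    } // rowField

    /*
     * Hashes $password with PASSWORD_DEFAULT and stores it for the current
     * user, identified by the 'user_id' that a successful verifyLogin() set.
     * Returns the DBQuery object, or false when no user is logged in.
     * The original interpolated "$this->parameters[table name]" inside a
     * double-quoted string, which PHP renders as "Array[table name]", and
     * looked up 'user id' where verifyLogin() stores 'user_id'; both are
     * fixed here, and the hash and id go through makeSafeSQLConstant() like
     * the username in verifyLogin().
     */
    function setPassword ( $password ) {
        if ( ! isset( $this->parameters['user_id'] ) ) {
            $this->logIt( 2, 'setPassword called with no user_id', null, __CLASS__, __FUNCTION__, __LINE__ );
            return false;
        }
        $hash = password_hash( $password, PASSWORD_DEFAULT );
        $sql = "update " . $this->parameters['table name'] .
            " set " . $this->parameters['column password'] . " = " .
            DBQuery::makeSafeSQLConstant( $hash ) .
            " where " . $this->parameters['column id'] . " = " .
            DBQuery::makeSafeSQLConstant( $this->parameters['user_id'] );
        return new DBQuery( $sql, true );
    } // setPassword

    /*
     * Returns the source of a stand-alone login page (PHP + HTML) as a string.
     * The page is a stub: its PHP block checks $_POST["submit"] while the
     * form's submit button is named "Login" and the inputs "login"/"pass",
     * and the block is never closed. Kept verbatim; fix in the page itself.
     */
    public function createLoginPage () {
        return '<?php
session_start();
if (isset( $_POST["submit"])) {
include_once( "Auth.class.php" );
$_SESSION["authorization information"] = new Auth();
?>
<html><body>
<h3 align="center">Enter your username and password below</h3>
<FORM action="login.html" method="POST" enctype="multipart/form-data">
<table border="1" cellpadding="2" align="center">
<tbody>
<tr>
<td>User Name</td>
<td><input type="text" name="login" size="20"></td>
</tr>
<tr>
<td>Password</td>
<td><input type="password" name="pass" size="20"></td>
</tr>
<tr><TD colspan="2" align="center"><INPUT type="submit" name="Login" value="Log In"></TD></tr>
</tbody>
</table>
</FORM></body></html>';
    } // function createLoginPage
} // class Auth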
?>