<?php
// Dotclear selects the current blog from the web server environment
// (DC_BLOG_ID, presumably exported by the virtual host configuration —
// verify); expose it as a constant unless the bootstrap already did.
defined('DC_BLOG_ID') || define('DC_BLOG_ID', $_SERVER['DC_BLOG_ID']);
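/**
 * Polytechnique.org ("Xorg") single-sign-on driver for Dotclear's dcAuth.
 *
 * Password checks are replaced by a redirect to the Xorg "auth-groupex"
 * endpoint (callXorg()); the reply is validated in returnXorg(), which stores
 * the identity in the PHP session, and every dcAuth accessor first rebuilds
 * the user from that session (buildFromSession()).
 *
 * The current session id is handed to Xorg as the "session" query parameter
 * and comes back as the PHPSESSID query parameter, which is how the reply is
 * attached to the session that issued the challenge.
 *
 * Requires PHP >= 7.0 (random_bytes(), null coalescing).
 */
class xorgAuth extends dcAuth
{
    /**
     * Identity fields received from Xorg. Key order matters: the values are
     * concatenated in this order when the reply signature is verified
     * (see returnXorg()).
     */
    public $xorg_infos = array(
        'forlife' => null,
        'prenom'  => null,
        'nom'     => null,
        'grpauth' => null,
        'perms'   => null,
    );

    /**
     * Behavior hook: once a blog object is built, refresh the current user's
     * rights on it. Runs under sudo because the user may not hold the rights
     * needed to edit its own permissions.
     */
    public static function behavior_coreBlogConstruct($blog)
    {
        global $core;
        $core->auth->sudo(array($core->auth, 'updateUserPerms'), $blog);
    }

    /** Registers the coreBlogConstruct hook on top of the standard dcAuth setup. */
    public function __construct($core)
    {
        parent::__construct($core);
        $core->addBehavior('coreBlogConstruct', array('xorgAuth', 'behavior_coreBlogConstruct'));
    }

    /**
     * Loads user state from the session filled in by returnXorg().
     *
     * Safe to call repeatedly: nothing happens without an Xorg user in the
     * session, and the identity is copied only once per request (guarded by
     * xorg_infos['forlife']).
     */
    public function buildFromSession()
    {
        global $core;
        @header('Last-Modified:');
        if (!isset($core) || !isset($core->session)) {
            return;
        }
        if (!session_id()) {
            $core->session->start();
        }
        $_SESSION['sess_blog_id'] = $_SERVER['DC_BLOG_ID'];

        $user = $_SESSION['auth-xorg'] ?? null;
        if (!$user || !is_null($this->xorg_infos['forlife'])) {
            return;
        }
        foreach (array_keys($this->xorg_infos) as $key) {
            $this->xorg_infos[$key] = $_SESSION['auth-xorg-' . $key] ?? null;
        }
        $this->user_id    = $user;
        $this->user_admin = ($this->xorg_infos['perms'] == 'admin');
        parent::checkUser($this->user_id);
        $this->setCommentCookie();
    }

    /**
     * Writes the "comment_info" cookie (display name, email, URL, newline
     * separated — presumably the layout Dotclear's comment form reads; verify)
     * plus a "comment_info_xorg" marker so it is only refreshed when the
     * logged-in user changes.
     */
    private function setCommentCookie()
    {
        if (isset($_COOKIE['comment_info_xorg']) && $_COOKIE['comment_info_xorg'] == $this->user_id) {
            return;
        }
        $expires = time() + 30 * 86400;
        $info = $this->getInfo('user_displayname') . "\n"
              . $this->getInfo('user_email') . "\n"
              . $this->getInfo('user_url');
        setcookie('comment_info_xorg', $this->user_id, $expires, '/');
        setrawcookie('comment_info', rawurlencode($info), $expires, '/');
    }

    /**
     * Creates the Dotclear account for the Xorg user held in the session, if
     * it does not exist yet. Called under sudo from returnXorg().
     *
     * The stored password is never checked by this driver (checkUser() always
     * goes through Xorg, allowPassChange() is false), so it is filled with an
     * unguessable random value rather than a predictable md5(rand()).
     */
    public function createUser()
    {
        global $core;
        $forlife = $_SESSION['auth-xorg'];
        if ($core->userExists($forlife)) {
            return;
        }
        $cur = new cursor($this->con, 'dc_user');
        $cur->user_id          = $forlife;
        $cur->user_pwd         = bin2hex(random_bytes(16));
        $cur->user_super       = ($_SESSION['auth-xorg-perms'] == 'admin') ? '1' : '0';
        $cur->user_name        = $_SESSION['auth-xorg-nom'];
        $cur->user_firstname   = $_SESSION['auth-xorg-prenom'];
        $cur->user_displayname = $cur->user_firstname . ' ' . $cur->user_name;
        $cur->user_email       = $forlife . '@polytechnique.org';
        $cur->user_url         = 'https://www.polytechnique.org/profile/' . $forlife;

        $defaults = $core->userDefaults();
        $defaults['post_xorg_perms'] = 'public';
        $cur->user_options      = $defaults;
        $cur->user_lang         = 'fr';
        $cur->user_tz           = 'Europe/Paris';
        $cur->user_default_blog = $_SERVER['DC_BLOG_ID'];
        $core->addUser($cur);
    }

    /**
     * Recomputes the current user's rights on $blog from the Xorg identity:
     * - keeps dc_user.user_super in sync with the Xorg "perms" field;
     * - ends the session when the blog's owner group differs from the group
     *   the SSO round-trip was started for ($_SESSION['xorg-group']);
     * - maps (xorg_blog_type, grpauth, owner) to blog permissions, leaving a
     *   "user" blog untouched when the visitor is not its owner.
     */
    public function updateUserPerms($blog)
    {
        global $core;
        $this->buildFromSession();
        if (!isset($_SESSION['auth-xorg'])) {
            return;
        }
        $settings = $blog->settings->xorgauth;
        $type    = $settings->get('xorg_blog_type');
        $owner   = $settings->get('xorg_blog_owner');
        $level   = $this->xorg_infos['grpauth'];
        $forlife = $this->xorg_infos['forlife'];

        $wasAdmin = (bool) $core->getUser($this->user_id)->f('user_super');
        $isAdmin  = ($this->xorg_infos['perms'] == 'admin');
        if ($wasAdmin !== $isAdmin) {
            $cur = new cursor($this->con, 'dc_user');
            $cur->user_super = $isAdmin ? '1' : '0';
            $core->updUser($this->user_id, $cur);
        }

        // The session was authenticated for one group; refuse to reuse it for another.
        if (($_SESSION['xorg-group'] ?? null) != $owner) {
            $this->killSession();
            return;
        }

        $full  = array('usage' => true, 'contentadmin' => true, 'admin' => true);
        $usage = array('usage' => true);
        $groupTypes = array('group-admin', 'group-member', 'connected');
        if (in_array($type, $groupTypes, true) && $level == 'admin') {
            $perms = $full;
        } elseif ($type == 'group-member' && $level == 'membre') {
            $perms = $usage;
        } elseif ($type == 'connected' && $forlife != '') {
            $perms = $usage;
        } elseif ($type == 'user' && $owner == $forlife) {
            $perms = $full;
        } elseif ($type != 'user') {
            $perms = array();
        } else {
            return;
        }
        $core->setUserBlogPermissions($_SESSION['auth-xorg'], $blog->id, $perms);
    }

    /** Xorg SSO API */

    /**
     * Starts the SSO round-trip: stores a fresh challenge and the target group
     * in the session, then redirects to Xorg. Returns true immediately when
     * the session already holds an authenticated Xorg user.
     *
     * @param string|null $path Path to come back to after login
     *                          (defaults to PATH_INFO); it is passed back to
     *                          returnXorg() through the "url" parameter.
     */
    public function callXorg($path = null)
    {
        $this->buildFromSession();
        if (!empty($_SESSION['auth-xorg'])) {
            return true;
        }
        global $core;
        if (!session_id()) {
            $core->session->start();
        }
        if (is_null($path)) {
            $path = $_SERVER['PATH_INFO'] ?? '';
        }
        $settings = $core->blog->settings->xorgauth;

        // The challenge is echoed back inside the signed reply; it must be
        // unpredictable, which md5(uniqid(rand())) was not.
        $challenge = bin2hex(random_bytes(16));
        $_SESSION['auth-x-challenge'] = $challenge;
        $_SESSION['xorg-group'] = $settings->get('xorg_blog_owner');

        $url  = 'https://www.polytechnique.org/auth-groupex/utf8';
        $url .= '?session=' . session_id();
        $url .= '&challenge=' . $challenge;
        $url .= '&pass=' . md5($challenge . XORG_AUTH_KEY);
        $type = $settings->get('xorg_blog_type');
        if (in_array($type, array('group-member', 'group-admin', 'connected'), true)) {
            $url .= '&group=' . $settings->get('xorg_blog_owner');
        }
        $url .= '&url=' . urlencode($core->blog->url . 'auth/XorgReturn?path=' . $path);
        session_write_close();
        header("Location: $url");
        exit;
    }

    /**
     * Handles the reply from Xorg.
     *
     * The identity fields are read from the query string, the signature
     * (md5 of '1' . challenge . key . fields . '1') is compared in constant
     * time, and only a valid reply is written to the session; the challenge is
     * consumed so the same reply cannot be replayed. On success the user is
     * created if needed and the browser is sent back to the requested path.
     *
     * @return bool false when the reply is absent, incomplete or forged
     */
    public function returnXorg()
    {
        if (!isset($_GET['auth']) || !is_string($_GET['auth'])) {
            return false;
        }
        global $core;
        // Xorg hands back the session id it was given in callXorg(); resume it.
        $_COOKIE[DC_SESSION_NAME] = $_GET['PHPSESSID'] ?? null;
        unset($_GET['PHPSESSID']);
        if (!session_id()) {
            $core->session->start();
        }

        // Collect every field before touching the session so a forged reply
        // leaves nothing behind.
        $infos  = array();
        $params = '';
        foreach (array_keys($this->xorg_infos) as $key) {
            if (!isset($_GET[$key]) || !is_string($_GET[$key])) {
                return false;
            }
            $infos[$key] = $_GET[$key];
            $params .= $_GET[$key];
        }

        $challenge = $_SESSION['auth-x-challenge'] ?? null;
        $expected  = md5('1' . $challenge . XORG_AUTH_KEY . $params . '1');
        if ($challenge === null || !hash_equals($expected, $_GET['auth'])) {
            unset($_SESSION['auth-xorg'], $_SESSION['sess_user_id'], $_GET['auth']);
            echo "Failed !!!";
            return false;
        }
        unset($_GET['auth'], $_SESSION['auth-x-challenge']);

        foreach ($infos as $key => $value) {
            $_SESSION['auth-xorg-' . $key] = $value;
        }
        $_SESSION['sess_user_id'] = $_SESSION['auth-xorg'] = $infos['forlife'];
        $_SESSION['sess_browser_uid'] = http::browserUID(DC_MASTER_KEY);
        $_SESSION['sess_blog_id'] = 'default';
        $this->sudo(array($this, 'createUser'));
        // The path is appended to the blog URL, so the redirect stays on this site.
        header('Location: ' . $core->blog->url . ($_GET['path'] ?? ''));
        exit;
    }

    /** Destroys the session and sends the browser back to the blog home page. */
    public function killSession()
    {
        global $core;
        if (!session_id()) {
            $core->session->start();
        }
        $core->session->destroy();
        header('Location: ' . $this->blogUrl());
        exit;
    }

    /**
     * Public URL of the current blog, or of DC_BLOG_ID when no blog is loaded
     * on $core yet; falls back to the raw blog_url field.
     */
    private function blogUrl()
    {
        global $core;
        $blog = isset($core->blog) ? $core->blog : $core->getBlog(DC_BLOG_ID);
        $url  = isset($blog->url) ? $blog->url : null;
        if (!$url) {
            $url = $blog->f('blog_url');
        }
        return $url;
    }

    /** Dotclear dcAuth API */

    /** Credentials are ignored: authentication always goes through Xorg. */
    public function checkUser($user_id, $pwd = null, $user_key = null)
    {
        return $this->callXorg();
    }

    public function check($permissions, $blog_id)
    {
        $this->buildFromSession();
        return parent::check($permissions, $blog_id);
    }

    /** The password is never verified; the session decides. */
    public function checkPassword($pwd)
    {
        $this->buildFromSession();
        return !empty($this->user_id);
    }

    public function allowPassChange()
    {
        return false;
    }

    /**
     * Reports the user id only to admin scripts (/admin/*.php), so that the
     * public side keeps behaving as anonymous.
     */
    public function userID()
    {
        $this->buildFromSession();
        $isAdminScript = preg_match('@/admin/[^/]+\.php$@i', $_SERVER['SCRIPT_FILENAME']);
        if (!$isAdminScript) {
            return null;
        }
        return parent::userID();
    }

    public function getPermissions($blog_id)
    {
        $this->buildFromSession();
        return parent::getPermissions($blog_id);
    }

    /**
     * Adds the virtual "xorg_group_member" info: true when the session was
     * opened for this blog's owner group and the user is a super admin or a
     * member/admin of that group.
     */
    public function getInfo($n)
    {
        $this->buildFromSession();
        if ($n == 'xorg_group_member') {
            global $core;
            $owner = $core->blog->settings->xorgauth->get('xorg_blog_owner');
            if ($owner != ($_SESSION['xorg-group'] ?? null)) {
                return false;
            }
            $perm = $this->xorg_infos['grpauth'];
            return $this->isSuperAdmin() || $perm == 'admin' || $perm == 'membre';
        }
        return parent::getInfo($n);
    }

    public function getOption($n)
    {
        $this->buildFromSession();
        return parent::getOption($n);
    }

    public function getOptions()
    {
        $this->buildFromSession();
        return parent::getOptions();
    }

    /** Login form fragment: a single link that starts the Xorg round-trip. */
    public function authForm()
    {
        $href = htmlspecialchars($this->blogUrl() . 'auth/Xorg?path=/admin/index.php', ENT_QUOTES, 'UTF-8');
        return '<fieldset>'
            . '<p><a href="' . $href . '">Via Polytechnique.org</a></p>'
            . '</fieldset>'
            . '<p>' . __('You must accept cookies in order to use the private area.') . '</p>';
    }
}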