diff --git a/html/includes/authenticate.inc.php b/html/includes/authenticate.inc.php index bf01c8672..7b01b2c3d 100644 --- a/html/includes/authenticate.inc.php +++ b/html/includes/authenticate.inc.php @@ -23,81 +23,51 @@ if(isset($_COOKIE['username']) && isset($_COOKIE['password'])){ $_SESSION['password'] = mres($_COOKIE['password']); } -if(isset($_SERVER['REMOTE_USER'])) { - $_SESSION['username'] = mres($_SERVER['REMOTE_USER']); - // we don't set a password here because we're using HTTP AUTH +if (!isset($config['auth_mechanism'])) +{ + $config['auth_mechanism'] = "mysql"; +} + +if (file_exists('includes/authentication/' . $config['auth_mechanism'] . '.inc.php')) +{ + include('includes/authentication/' . $config['auth_mechanism'] . '.inc.php'); +} +else +{ + # FIXME use standard error message box? + echo "ERROR: no valid auth_mechanism defined."; + exit(); } $auth_success = 0; if (isset($_SESSION['username'])) { - if ($config['auth_mechanism'] == "mysql" || $config['auth_mechanism'] == "http-auth" || !$config['auth_mechanism']) + if (authenticate($_SESSION['username'],$_SESSION['password'])) { - $sql = "SELECT username FROM `users` WHERE `username`='".$_SESSION['username']; - if ($config['auth_mechanism'] != "http-auth") - { - $encrypted = md5($_SESSION['password']); - $sql .= "' AND `password`='".$encrypted."';"; - } else { - $sql .= "';"; - } - $query = mysql_query($sql); + #FIXME below should also come from auth module, get_userlevel, etc + $sql = "SELECT * FROM `users` WHERE `username`='".$_SESSION['username']."'"; + $query = mysql_query($sql); $row = @mysql_fetch_array($query); - if($row['username'] && $row['username'] == $_SESSION['username']) { - $auth_success = 1; - } else { - $_SESSION['username'] = $config['http_auth_guest']; - $auth_success = 1; - } - } - else if ($config['auth_mechanism'] == "ldap") - { - $ds=@ldap_connect($config['auth_ldap_server'],$config['auth_ldap_port']); - if ($ds) + $_SESSION['userlevel'] = $row['level']; + $_SESSION['user_id'] = $row['user_id']; + if(!$_SESSION['authenticated']) { - if (ldap_bind($ds, $config['auth_ldap_prefix'] . $_SESSION['username'] . $config['auth_ldap_suffix'], $_SESSION['password'])) - { - if (!$config['auth_ldap_group']) - { - $auth_success = 1; - } - else - { - if (ldap_compare($ds,$config['auth_ldap_group'],'memberUid',$_SESSION['username'])) - { - $auth_success = 1; - } - } - } + $_SESSION['authenticated'] = true; + mysql_query("INSERT INTO authlog (`user`,`address`,`result`) VALUES ('".$_SESSION['username']."', '".$_SERVER["REMOTE_ADDR"]."', 'logged in')"); + header("Location: ".$_SERVER['REQUEST_URI']); } + if(isset($_POST['remember'])) + { + setcookie("username", $_SESSION['username'], time()+60*60*24*100, "/"); + setcookie("password", $_SESSION['password'], time()+60*60*24*100, "/"); + } + } + elseif (isset($_SESSION['username'])) + { + $auth_message = "Authentication Failed"; + unset ($_SESSION['authenticated']); + mysql_query("INSERT INTO authlog (`user`,`address`,`result`) VALUES ('".$_SESSION['username']."', '".$_SERVER["REMOTE_ADDR"]."', 'authentication failure')"); } - else - { - echo "ERROR: no valid auth_mechanism defined."; - exit(); - } -} - -if ($auth_success) { - $sql = "SELECT * FROM `users` WHERE `username`='".$_SESSION['username']."'"; - $query = mysql_query($sql); - $row = @mysql_fetch_array($query); - $_SESSION['userlevel'] = $row['level']; - $_SESSION['user_id'] = $row['user_id']; - if(!$_SESSION['authenticated']) { - $_SESSION['authenticated'] = true; - mysql_query("INSERT INTO authlog (`user`,`address`,`result`) VALUES ('".$_SESSION['username']."', '".$_SERVER["REMOTE_ADDR"]."', 'logged in')"); - header("Location: ".$_SERVER['REQUEST_URI']); - } - if(isset($_POST['remember'])) { - setcookie("username", $_SESSION['username'], time()+60*60*24*100, "/"); - setcookie("password", $_SESSION['password'], time()+60*60*24*100, "/"); - } -} -elseif (isset($_SESSION['username'])) { - $auth_message = "Authentication Failed"; - unset ($_SESSION['authenticated']); - mysql_query("INSERT INTO authlog (`user`,`address`,`result`) VALUES ('".$_SESSION['username']."', '".$_SERVER["REMOTE_ADDR"]."', 'authentication failure')"); } ?> diff --git a/html/includes/authentication/http-auth.inc.php b/html/includes/authentication/http-auth.inc.php new file mode 100644 index 000000000..55000d3b6 --- /dev/null +++ b/html/includes/authentication/http-auth.inc.php @@ -0,0 +1,27 @@ + \ No newline at end of file diff --git a/html/includes/authentication/ldap.inc.php b/html/includes/authentication/ldap.inc.php new file mode 100644 index 000000000..daf7941d0 --- /dev/null +++ b/html/includes/authentication/ldap.inc.php @@ -0,0 +1,33 @@ + \ No newline at end of file diff --git a/html/includes/authentication/mysql.inc.php b/html/includes/authentication/mysql.inc.php new file mode 100644 index 000000000..d106f288d --- /dev/null +++ b/html/includes/authentication/mysql.inc.php @@ -0,0 +1,16 @@ + \ No newline at end of file diff --git a/html/index.php b/html/index.php index a0f027e4a..668e3b5d1 100755 --- a/html/index.php +++ b/html/index.php @@ -98,7 +98,7 @@ function popUp(URL) {
-
diff --git a/html/pages/logon.inc b/html/pages/logon.inc index 106f3d7e6..fed0dae13 100644 --- a/html/pages/logon.inc +++ b/html/pages/logon.inc @@ -24,7 +24,7 @@ ' . $auth_message . ''); } ?> @@ -38,7 +38,7 @@ if($auth_message) { print_optionbar_end(); -if($config['login_message']) { +if(isset($config['login_message'])) { echo('
'.$config['login_message'].'
'); } ?>