PHP Cross Reference of DokuWiki




/inc/ -> auth.php (summary)

Authentication library

Including this file will automatically try to log in a user by calling auth_login()

Author: Andreas Gohr
License: GPL 2 (http://www.gnu.org/licenses/gpl.html)
File Size: 1279 lines (39 kb)
Included or required: 1 time
Referenced: 0 times
Includes or requires: 0 files

Defines 29 functions


Functions that are not part of a class:

auth_setup()
Initialize the auth system.

This function is automatically called at the end of init.php

This used to be the main() of the auth.php

return: bool

auth_loadACL()
Loads the ACL setup and handles user wildcards

author: Andreas Gohr <andi@splitbrain.org>
return: array

auth_login_wrapper($evdata)
Event hook callback for AUTH_LOGIN_CHECK

param: array $evdata
return: bool

auth_login($user, $pass, $sticky = false, $silent = false)
This tries to log in the user based on the sent auth credentials

The authentication works like this: if a username was given,
a new login is assumed and user/password are checked. If they
are correct, the password is encrypted with blowfish and stored
together with the username in a cookie - the same info is stored
in the session, too. Additionally a browserID is stored in the

If no username was given the cookie is checked: if the username,
crypted password and browserID match between session and cookie
no further testing is done and the user is accepted

If a cookie was found but no session info was available, the
blowfish encrypted password from the cookie is decrypted and
together with username rechecked by calling this function again.

On a successful login $_SERVER[REMOTE_USER] and $USERINFO
are set.

param: string  $user    Username
param: string  $pass    Cleartext Password
param: bool    $sticky  Cookie should not expire
param: bool    $silent  Don't show error on bad auth
author: Andreas Gohr <andi@splitbrain.org>
return: bool             true on successful auth

auth_browseruid()
Builds a pseudo UID from browser and IP data

This is neither unique nor unfakable - still it adds some
security. Using the first part of the IP makes sure
proxy farms like AOLs are still okay.

author: Andreas Gohr <andi@splitbrain.org>
return: string  an MD5 sum of various browser headers

auth_cookiesalt($addsession = false, $secure = false)
Creates a random key to encrypt the password in cookies

This function tries to read the password for encrypting
cookies from $conf['metadir'].'/_htcookiesalt';
if no such file is found, a random key is created
and stored in this file.

param: bool $addsession if true, the sessionid is added to the salt
param: bool $secure     if security is more important than keeping the old value
author: Andreas Gohr <andi@splitbrain.org>
return: string

auth_randombytes($length)
Return cryptographically secure random bytes.

param: int $length number of bytes
author: Niklas Keller <me@kelunik.com>
return: string cryptographically secure random bytes

auth_random($min, $max)
Cryptographically secure random number generator.

param: int $min
param: int $max
author: Niklas Keller <me@kelunik.com>
return: int

auth_encrypt($data, $secret)
Encrypt data using the given secret using AES

The mode is CBC with a random initialization vector, the key is derived
using pbkdf2.

param: string $data   The data that shall be encrypted
param: string $secret The secret/password that shall be used
return: string The ciphertext

auth_decrypt($ciphertext, $secret)
Decrypt the given AES ciphertext

The mode is CBC, the key is derived using pbkdf2

param: string $ciphertext The encrypted data
param: string $secret     The secret/password that shall be used
return: string The decrypted data

auth_logoff($keepbc = false)
Log out the current user

This clears all authentication data and thus logs the user
off. It also clears session data.

param: bool $keepbc - when true, the breadcrumb data is not cleared
author: Andreas Gohr <andi@splitbrain.org>

auth_ismanager($user = null, $groups = null, $adminonly = false, $recache=false)
Check if a user is a manager

Should usually be called without any parameters to check the current

The info is available through $INFO['ismanager'], too

param: string $user Username
param: array $groups List of groups the user is in
param: bool $adminonly when true checks if user is admin
param: bool $recache set to true to refresh the cache
see: auth_isadmin
author: Andreas Gohr <andi@splitbrain.org>
return: bool

auth_isadmin($user = null, $groups = null, $recache=false)
Check if a user is admin

Alias to auth_ismanager with adminonly=true

The info is available through $INFO['isadmin'], too

param: string $user Username
param: array $groups List of groups the user is in
param: bool $recache set to true to refresh the cache
see: auth_ismanager()
author: Andreas Gohr <andi@splitbrain.org>
return: bool

auth_isMember($memberlist, $user, array $groups)
Match a user and his groups against a comma separated list of
users and groups to determine membership status

Note: all input should NOT be nameencoded.

param: string $memberlist comma-separated list of allowed users and groups
param: string $user       user to match against
param: array  $groups     groups the user is member of
return: bool       true for membership acknowledged

auth_quickaclcheck($id)
Convenience function for auth_aclcheck()

This checks the permissions for the current user

param: string  $id  page ID (needs to be resolved and cleaned)
author: Andreas Gohr <andi@splitbrain.org>
return: int          permission level

auth_aclcheck($id, $user, $groups)
Returns the maximum rights a user has for the given ID or its namespace

param: string       $id     page ID (needs to be resolved and cleaned)
param: string       $user   Username
param: array|null   $groups Array of groups the user is in
author: Andreas Gohr <andi@splitbrain.org>
triggers: AUTH_ACL_CHECK
return: int             permission level

auth_aclcheck_cb($data)
default ACL check method

DO NOT CALL DIRECTLY, use auth_aclcheck() instead

param: array $data event data
author: Andreas Gohr <andi@splitbrain.org>
return: int   permission level

auth_nameencode($name, $skip_group = false)
Encode ASCII special chars

Some auth backends allow special chars in their user and groupnames.
The special chars are encoded with this function. Only ASCII chars
are encoded, UTF-8 multibyte are left as is (different from usual

Decoding can be done with rawurldecode

param: string $name
param: bool $skip_group
see: rawurldecode()
author: Andreas Gohr <gohr@cosmocode.de>
return: string

auth_nameencode_callback($matches)
callback encodes the matches

param: array $matches first complete match, next matching subpatterns
return: string

auth_pwgen($foruser = '')
Create a pronounceable password

The $foruser variable might be used by plugins to run additional password
policy checks, but is not used by the default implementation

link: http://www.phpbuilder.com/annotate/message.php3?id=1014451
param: string $foruser username for which the password is generated
author: Andreas Gohr <andi@splitbrain.org>
return: string  pronounceable password

auth_sendPassword($user, $password)
Sends a password to the given user

param: string $user Login name of the user
param: string $password The new password in clear text
author: Andreas Gohr <andi@splitbrain.org>
return: bool  true on success

register()
Register a new user

This registers a new user - Data is read directly from $_POST

author: Andreas Gohr <andi@splitbrain.org>
return: bool  true on success, false on any error

updateprofile()
Update user profile

author: Christopher Smith <chris@jalakai.co.uk>

auth_deleteprofile()
Delete the current logged-in user

return: bool true on success, false on any error

act_resendpwd()
Send a new password

This function handles both phases of the password reset:

- handling the first request of password reset
- validating the password reset auth token

author: Benoit Chesneau <benoit@bchesneau.info>
author: Chris Smith <chris@jalakai.co.uk>
author: Andreas Gohr <andi@splitbrain.org>
return: bool true on success, false on any error

auth_cryptPassword($clear, $method = '', $salt = null)
Encrypts a password using the given method and salt

If the selected method needs a salt and none was given, a random one
is chosen.

param: string $clear The clear text password
param: string $method The hashing method
param: string $salt A salt, null for random
author: Andreas Gohr <andi@splitbrain.org>
return: string  The crypted password

auth_verifyPassword($clear, $crypt)
Verifies a cleartext password against a crypted hash

param: string $clear The clear text password
param: string $crypt The hash to compare with
author: Andreas Gohr <andi@splitbrain.org>
return: bool true if both match

auth_setCookie($user, $pass, $sticky)
Set the authentication cookie and add user identification data to the session

param: string  $user       username
param: string  $pass       encrypted password
param: bool    $sticky     whether or not the cookie will last beyond the session
return: bool

auth_getCookie()
Returns the user, (encrypted) password and sticky bit from cookie

returns: array