Geeklog

Procedural File: lib-security.php

Source Location: /system/lib-security.php



Classes:

HashFunction
Class defining constants for encryption algorithms. These values are stored in the user database to indicate the hash function the user's password is encrypted with.


Page Details:








CSRF_TOKEN [line 73]

CSRF_TOKEN = '_glsectoken'




USER_ACCOUNT_ACTIVE [line 69]

USER_ACCOUNT_ACTIVE = 3




USER_ACCOUNT_AWAITING_ACTIVATION [line 67]

USER_ACCOUNT_AWAITING_ACTIVATION = 1




USER_ACCOUNT_AWAITING_APPROVAL [line 68]

USER_ACCOUNT_AWAITING_APPROVAL = 2




USER_ACCOUNT_DISABLED [line 66]

USER_ACCOUNT_DISABLED = 0
This is the security library for Geeklog. This is used to implement Geeklog's *nix-style security system.

Programming notes: For items you need security on you need the following for each record in your database:

    owner_id     | mediumint(8)
    group_id     | mediumint(8)
    perm_owner   | tinyint(1) unsigned
    perm_group   | tinyint(1) unsigned
    perm_members | tinyint(1) unsigned
    perm_anon    | tinyint(1) unsigned

For display one function can handle most needs:

    function SEC_hasAccess($owner_id,$group_id,$perm_owner,$perm_group,$perm_members,$perm_anon)

A call to this function will allow you to determine if the current user should see the item. For the admin screen several functions will make life easier:

    function SEC_getPermissionsHTML($perm_owner,$perm_group,$perm_members,$perm_anon)

This function displays the permissions widget with arrays for each permission.

    function SEC_getPermissionValues($perm_owner,$perm_group,$perm_members,$perm_anon)

This function takes the permissions from the previous function and converts them into an integer for saving back to the database.







SEC_addUserToGroup [line 937]

boolean SEC_addUserToGroup( string $uid, string $gname)

Add user to a group

Work in progress. Rather self-explanatory shortcut function. Is this the right place for this, Dirk?




Tags:

return:  status, true or false.
author:  Trinity L Bays, trinity93 AT gmail DOT com


Parameters

string   $uid   Their user id
string   $gname   The group name



SEC_authenticate [line 737]

int SEC_authenticate( string $username, string $password, int &$uid)

Attempt to login a user.

Checks a user's username and password against the database. Returns the user's status.




Tags:

return:  user status, -1 for fail.


Parameters

string   $username   who is logging in?
string   $password   what they claim is their password
int   &$uid   This is an OUTPUT param, passed by reference; the UID is sent back inside it.



SEC_buildAccessSql [line 988]

string SEC_buildAccessSql( [string $clause = 'AND'])

Common function used to build group access SQL



Tags:

return:  Formatted SQL string to be appended in calling script SQL statement


Parameters

string   $clause   Optional; 'WHERE' or 'AND'. Default is 'AND'.



SEC_checkToken [line 1368]

boolean SEC_checkToken( )

Check a security token.

Checks the POST and GET data for a security token; if one exists, validates that it's for this user and URL. If the token is not valid, it asks the user to re-authenticate and resends the request if authentication was successful.




Tags:

return:  true if the token is valid; does not return if not!
see:  SECINT_checkToken
link:  http://wiki.geeklog.net/index.php/Re-Authentication_for_expired_Tokens





SEC_checkUserStatus [line 781]

int SEC_checkUserStatus( int $userid)

Return the current user status for a user.

NOTE: May not return for banned/non-approved users.




Tags:

return:  user status, 0-3


Parameters

int   $userid   Valid uid value.



SEC_collectRemoteAuthenticationModules [line 906]

array SEC_collectRemoteAuthenticationModules( )

Return available modules for Remote Authentication



Tags:

return:  Names of available remote authentication modules





SEC_collectRemoteOAuthModules [line 1954]

array SEC_collectRemoteOAuthModules( )

Return available modules for Remote OAuth



Tags:

return:  Names of available remote OAuth modules





SEC_createToken [line 1313]

string SEC_createToken( [int $ttl = 1200])

Generate a security token.

This generates and stores a one-time security token. Security tokens are added to forms and URLs in the admin section as a non-cookie double-check that the admin user really wanted to do that...




Tags:

return:  Generated token; an MD5 hash (32 chars)
see:  SEC_checkToken()


Parameters

int   $ttl   Time to live for token in seconds. Default is 20 minutes.
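The token lifecycle documented for SEC_createToken() and SEC_checkToken(), as an added example that is not the library's own code: a 32-char token is bound to the user and the URL it protects, stored server-side, expires after $ttl seconds (default 1200) and is consumed on its first check. The in-memory $tokenStore, the names createToken/checkToken and the injected $now clock are assumptions; the real functions take the user and URL from the session and request.

```php
<?php
// Added example modelling the documented one-time token scheme; not lib-security.php itself.
// Storage is an in-memory array instead of Geeklog's database (assumption).
$tokenStore = [];   // token => ['uid' => int, 'url' => string, 'expires' => int]

// Create a one-time token bound to the user and the URL of the action it protects.
// md5() only keeps the documented 32-char format; the entropy comes from random_bytes().
function createToken(array &$store, int $uid, string $url, int $ttl = 1200, ?int $now = null): string
{
    $now = $now ?? time();
    $token = md5(random_bytes(16));
    $store[$token] = ['uid' => $uid, 'url' => $url, 'expires' => $now + $ttl];
    return $token;
}

// Validate: the token must exist, belong to this user, match this URL and be unexpired.
// It is removed whichever way the check goes, so a captured token cannot be replayed.
function checkToken(array &$store, string $token, int $uid, string $url, ?int $now = null): bool
{
    $now = $now ?? time();
    if (!isset($store[$token])) {
        return false;
    }
    $rec = $store[$token];
    unset($store[$token]);                      // single use
    return $rec['uid'] === $uid
        && $rec['url'] === $url
        && $rec['expires'] > $now;
}

// Constructed fixed clock so the expiry case is reproducible.
$t0 = 1700000000;
$url = '/admin/story.php';

$token = createToken($tokenStore, 42, $url, 1200, $t0);
var_dump(checkToken($tokenStore, $token, 42, $url, $t0 + 60));    // true: fresh token
var_dump(checkToken($tokenStore, $token, 42, $url, $t0 + 60));    // false: already consumed

$token = createToken($tokenStore, 42, $url, 1200, $t0);
var_dump(checkToken($tokenStore, $token, 43, $url, $t0 + 60));    // false: different user

$token = createToken($tokenStore, 42, $url, 1200, $t0);
var_dump(checkToken($tokenStore, $token, 42, $url, $t0 + 1300));  // false: past the 1200 s TTL
```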



SEC_encryptPassword [line 1111]

string SEC_encryptPassword( string $password, [string $salt = ''], [int $algorithm = null], [int $stretch = null])

Encrypt password

Encrypts $password using the specified salt, hash algorithm, and stretch count.



Tags:

return:  encrypted password


Parameters

string   $password   the password to encrypt, in clear text
string   $salt   salt to prepend to the password prior to hashing
int   $algorithm   hash algorithm to use to encrypt the password
int   $stretch   number of times hash function should be applied to the password.



SEC_encryptUserPassword [line 1200]

int SEC_encryptUserPassword( string $password, [int $uid = ''])

Encrypt User Password

Verify that the provided password authenticates the specified user (defaults to the current user).



Tags:

return:  0 for success, non-zero for failure or error


Parameters

string   $password   password to verify
int   $uid   user id to authenticate



SEC_filterPermissions [line 1703]

array SEC_filterPermissions( array $A)

Prepare an array of the standard permission values

This helper function does the following:

  1. filters permission values, e.g. after a POST request
  2. translates the permission checkbox arrays into numerical values
  3. ensures that all the standard permission entries are set, so you don't have to check with isset() all the time

Typical use:

    $PERM = SEC_filterPermissions($_POST);
    if ($PERM['perm_anon'] != 0) ...




Tags:

return:  array of only the 6 standard permission values
see:  SEC_getPermissionValues()


Parameters

array   $A   array to filter on, e.g. $_POST



SEC_generateRandomPassword [line 1257]

string SEC_generateRandomPassword( )

Generate Random Password

Generates a random string of human readable characters.



Tags:

return:  generated random password





SEC_generateSalt [line 1179]

string SEC_generateSalt( )

Generate password salt

This function produces a random string of 22 characters from a 64 character set.

The size is needed for password salting, but it is useful for any function that needs a random set of human readable characters.




Tags:

return:  generated salt





SEC_getDefaultRootUser [line 1989]

int SEC_getDefaultRootUser( )

Returns the default Root user id



Tags:

return:  The id of the default Root user





SEC_getFeatureGroup [line 688]

int SEC_getFeatureGroup( string $feature, [int $uid = ''])

Return the group to a given feature.

Scenario: We have a feature and we want to know from which group the user got this feature. Always returns the lowest group ID, in case the feature has been inherited from more than one group.




Tags:

return:  group ID or 0


Parameters

string   $feature   the feature, e.g. 'story.edit'
int   $uid   (optional) user ID



SEC_getGroupDropdown [line 1056]

string SEC_getGroupDropdown( int $group_id, int $access)

Create a group dropdown

Creates the group dropdown menu that's used on pretty much every admin page.



Tags:

return:  HTML for the dropdown


Parameters

int   $group_id   current group id (to be selected)
int   $access   access permission



SEC_getPermissionsHTML [line 472]

string SEC_getPermissionsHTML( int $perm_owner, int $perm_group, int $perm_members, int $perm_anon)

Shows security control for an object

This will return the HTML needed to create the security control seen on the admin screen for GL objects (i.e. stories, etc).



Tags:

return:  needed HTML (table). $perm_owner etc. are arrays of permissions [edit, read]; edit = 1 if permitted, read = 2 if permitted


Parameters

int   $perm_owner   Permissions the owner has 1 = edit 2 = read 3 = read/edit
int   $perm_group   Permission the group has
int   $perm_members   Permissions logged in members have
int   $perm_anon   Permissions anonymous users have



SEC_getPermissionValue [line 647]

int SEC_getPermissionValue( array $perm_x)

Converts permission array into numeric value

This function converts an array of permissions for either the owner/group/members/anon and returns the numeric equivalent. This is typically called by the admin screens to prepare the permissions to be saved to the database.




Tags:

return:  int representation of a permission array 2 = read 3 = edit/read
see:  SEC_getPermissionValues()


Parameters

array   $perm_x   Array of permission values



SEC_getPermissionValues [line 593]

array SEC_getPermissionValues( array $perm_owner, array $perm_group, array $perm_members, array $perm_anon)

Converts permissions to numeric values

This function will take all permissions for an object and get the numeric value that can then be used to save to the database.



Tags:

return:  returns numeric equivalent for each permissions array (2 = read, 3=edit/read)
see:  SEC_getPermissionValue()
see:  SEC_getPermissionsHTML()


Parameters

array   $perm_owner   Array of owner permissions These arrays are set up by SEC_getPermissionsHTML
array   $perm_group   Array of group permissions
array   $perm_members   Array of member permissions
array   $perm_anon   Array of anonymous user permissions



SEC_getTokenExpiryNotice [line 1626]

string SEC_getTokenExpiryNotice( string $token, [string $extra_msg = ''])

Create a message informing the user when the security token is about to expire

This message is only created for Remote Users who logged in using OpenID, since the re-authentication does not work with OpenID.



Tags:

return:  formatted HTML of message
see:  SEC_checkToken()


Parameters

string   $token   the token
string   $extra_msg   (optional) additional text to include in notice



SEC_getTokenExpiryTime [line 1597]

int SEC_getTokenExpiryTime( string $token)

Get a token's expiry time



Tags:

return:  UNIX timestamp of the expiry time or 0


Parameters

string   $token   the token we're looking for



SEC_getUserGroups [line 88]

array SEC_getUserGroups( [int $uid = ''])

Returns the groups a user belongs to

This is part of the GL security implementation. This function returns all the groups a user belongs to. This function is called recursively as groups can belong to other groups.

Note: this is an expensive function -- if you are concerned about speed it should only be used once at the beginning of a page. The resulting array $_GROUPS can then be used throughout the page.




Tags:

return:  Associative Array grp_name -> ug_main_grp_id of group ID's user belongs to


Parameters

int   $uid   User ID to get information for. If empty current user.



SEC_getUserPermissions [line 528]

string SEC_getUserPermissions( [int $grp_id = ''], [int $uid = ''])

Gets everything a user has permissions to within the system

This is part of the Geeklog security implementation. This function will get all the permissions the current user has. Calls itself recursively.



Tags:

return:  returns comma delimited list of features the user has access to


Parameters

int   $grp_id   DO NOT USE (Used for recursion) Current group function is working on
int   $uid   User to check, if empty current user.



SEC_groupIsRemoteUserAndHaveAccess [line 164]

boolean SEC_groupIsRemoteUserAndHaveAccess( int $groupid, array $groups)

Checks to see if a user has admin access to the "Remote Users" group

Admin users will probably not be members, but User Admin, Root, and group admin will have access to it. However, we cannot be sure what the group id for the "Remote Users" group is, because it's a later static group, and upgraded systems could have it in any id slot.




Parameters

int   $groupid   The id of a group, which might be the remote users group
array   $groups   Array of group ids the user has access to.



SEC_hasAccess [line 355]

int SEC_hasAccess( int $owner_id, int $group_id, int $perm_owner, int $perm_group, int $perm_members, int $perm_anon, [int $uid = 0])

Checks if current user has access to the given object

This function takes the access info from a Geeklog object and lets us know if the user has access to the object. Returns 3 for read/edit, 2 for read only and 0 for no access.




Tags:

return:  returns 3 for read/edit 2 for read only 0 for no access


Parameters

int   $owner_id   ID of the owner of object
int   $group_id   ID of group object belongs to
int   $perm_owner   Permissions the owner has
int   $perm_group   Permissions the group has
int   $perm_members   Permissions logged in members have
int   $perm_anon   Permissions anonymous users have
int   $uid   User id or 0 = current user
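The owner/group/members/anon scheme from the programming notes, with SEC_hasAccess's documented result codes (3 read/edit, 2 read only, 0 none), as an added model that is not Geeklog's own code. The names checkAccess and permValue, the sample record and the decision order (owner match, then group membership, then any logged-in member, else anonymous) are assumptions; Geeklog's group lookup is replaced by a plain array of group ids, the Root shortcut is omitted, and uid 1 (Geeklog's anonymous user) is treated as not logged in.

```php
<?php
// Added example modelling the documented permission scheme; not lib-security.php itself.
// Bit values as documented on this page: edit = 1, read = 2, read/edit = 3.
const PERM_EDIT = 1;
const PERM_READ = 2;

// Counterpart of SEC_getPermissionValue() (assumption): turn a checkbox array such
// as ['edit', 'read'], as posted by the permissions widget, into its integer value.
function permValue(array $perm_x): int
{
    $value = 0;
    if (in_array('edit', $perm_x, true)) { $value |= PERM_EDIT; }
    if (in_array('read', $perm_x, true)) { $value |= PERM_READ; }
    return $value;
}

// Model of the SEC_hasAccess() decision (assumed order): owner match wins, then
// group membership, then any logged-in member, otherwise the anonymous permission.
// $userGroups stands in for the group ids SEC_getUserGroups() would return for $uid.
function checkAccess(array $row, int $uid, array $userGroups): int
{
    $loggedIn = $uid > 1;                       // uid 1 is Geeklog's anonymous user
    if ($loggedIn && $uid === $row['owner_id']) {
        return $row['perm_owner'];
    }
    if ($loggedIn && in_array($row['group_id'], $userGroups, true)) {
        return $row['perm_group'];
    }
    if ($loggedIn) {
        return $row['perm_members'];
    }
    return $row['perm_anon'];
}

// Constructed sample record carrying the six columns the programming notes require.
$story = [
    'owner_id'     => 42,
    'group_id'     => 7,
    'perm_owner'   => permValue(['edit', 'read']),  // 3
    'perm_group'   => permValue(['read']),          // 2
    'perm_members' => permValue(['read']),          // 2
    'perm_anon'    => permValue([]),                // 0
];

// Owner (42), a group member (55), an ordinary member (99) and anonymous (1):
// only the owner may edit, members may read, anonymous gets nothing.
foreach ([[42, [7]], [55, [7]], [99, []], [1, []]] as [$uid, $groups]) {
    $access = checkAccess($story, $uid, $groups);
    printf("uid %d -> %d (read: %s, edit: %s)\n", $uid, $access,
        ($access & PERM_READ) ? 'yes' : 'no', ($access & PERM_EDIT) ? 'yes' : 'no');
}
```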



SEC_hasAccess2 [line 1747]

int SEC_hasAccess2( array $A)

Helper function for when you want to call SEC_hasAccess and have all the values to check in an array.



Tags:

return:  returns 3 for read/edit 2 for read only 0 for no access
see:  SEC_hasAccess()


Parameters

array   $A   array with the standard permission values



SEC_hasConfigAccess [line 257]

boolean SEC_hasConfigAccess( )

Checks to see if current user has access to a configuration



Tags:

return:  true if the user has any config rights, otherwise false





SEC_hasConfigAcess [line 274]

void SEC_hasConfigAcess( )

Deprecated - use SEC_hasConfigAccess instead



Tags:

see:  SEC_hasConfigAccess()
deprecated:  since Geeklog 2.0.0





SEC_hasModerationAccess [line 284]

boolean SEC_hasModerationAccess( )

Checks to see if current user has access to an admin moderation page






SEC_hasRights [line 401]

boolean SEC_hasRights( string|array $features, [string $operator = 'AND'])

Checks if current user has rights to a feature

Takes either a single feature or an array of features and returns whether the user has those rights.



Tags:

return:  Return true if current user has access to feature(s), otherwise false.


Parameters

string|array   $features   Features to check
string   $operator   Either 'and' or 'or'. Default is 'and'. Used if checking more than one feature.



SEC_hasTopicAccess [line 325]

int SEC_hasTopicAccess( string $tid)

Checks to see if current user has access to a topic



Tags:

return:  returns 3 for read/edit 2 for read only 0 for no access


Parameters

string   $tid   ID for topic to check on



SEC_inGroup [line 198]

boolean SEC_inGroup( string $grp_to_verify, [int $uid = ''], [string $cur_grp_id = ''])

Determines if user belongs to specified group

This is part of the Geeklog security implementation. This function looks up whether a user belongs to a specified group.



Tags:

return:  true if user is in group, otherwise false


Parameters

string   $grp_to_verify   Group we want to see if user belongs to
int   $uid   ID for user to check. If empty current user.
string   $cur_grp_id   NOT USED Current group we are working with in hierarchy



SEC_isModerator [line 235]

boolean SEC_isModerator( )

Determines if current user is a moderator of any kind

Checks to see if this user is a moderator for any of the GL features OR GL plugins.



Tags:

return:  true if the user has any .moderate rights, otherwise false





SEC_loginForm [line 1780]

string SEC_loginForm( [array $use_config = array()])

Displays a login form

This is the version of the login form displayed in the content area of the page (not the side bar). It will present all options (remote authentication, including OpenID, new registration link, etc.) according to the current configuration settings.




Tags:

return:  HTML of the login form


Parameters

array   $use_config   options to override some of the defaults



SEC_loginRequiredForm [line 1758]

string SEC_loginRequiredForm( )

Display a "to access this area you need to be logged in" message



Tags:

return:  HTML for the message





SEC_remoteAuthentication [line 833]

int SEC_remoteAuthentication( string &$loginname, string $passwd, string $service, string &$uid)

Check to see if we can authenticate this user with a remote server

A user has not managed to log in locally, but has an @ in their user name and we have enabled distributed authentication. Firstly, try to see if we have cached the module that we used to authenticate them when they signed up (i.e. they've actually changed their password elsewhere and we need to sync). If not, then try to authenticate them with /every/ authentication module. If this succeeds, create a user for them.




Tags:

return:  user status, -1 for fail.


Parameters

string   &$loginname   Their username (passed by reference)
string   $passwd   The password entered
string   $service   The service portion of $username
string   &$uid   OUTPUT parameter, pass it by ref to get uid back.



SEC_removeFeatureFromDB [line 1017]

void SEC_removeFeatureFromDB( string $feature_name, [boolean $logging = false])

Remove a feature from the database entirely.

This function can be used by plugins during uninstall.




Parameters

string   $feature_name   name of the feature, e.g. 'foo.edit'
boolean   $logging   whether to log progress in error.log



SEC_setCookie [line 1666]

void SEC_setCookie( string $name, string $value, [int $expire = 0], [string $path = null], [string $domain = null], [boolean $secure = null])

Set a cookie using the HttpOnly flag

Use this function to set "important" cookies (session, password, ...).

Browsers that support the HttpOnly flag will not allow JavaScript access to such a cookie.





Parameters

string   $name   cookie name
string   $value   cookie value
int   $expire   expire time
string   $path   path on the server or $_CONF['cookie_path']
string   $domain   domain or $_CONF['cookiedomain']
boolean   $secure   whether to use HTTPS or $_CONF['cookiesecure']



SEC_setDefaultPermissions [line 951]

void SEC_setDefaultPermissions( array &$A, [array $use_permissions = array()])

Set default permissions for an object



Parameters

array   &$A   target array (passed by reference)
array   $use_permissions   permissions to set



SEC_updateUserPassword [line 1272]

int SEC_updateUserPassword( [string &$password = ''], [int $uid = ''])

Update User Password

Updates the user's password for the current hash algorithm and stretch site settings.

If no password is specified, a random password will be generated.




Tags:

return:  0 for success, non-zero indicates error.


Parameters

string   &$password   Password to encrypt (passed by reference)
int   $uid   User id to update



Documentation generated on Sun, 02 Oct 2016 07:51:35 +0000 by phpDocumentor 1.4.3