diff options
-rw-r--r-- | phpBB/includes/auth/auth_apache.php | 24 | ||||
-rw-r--r-- | phpBB/includes/auth/auth_db.php | 17 | ||||
-rw-r--r-- | phpBB/includes/auth/auth_ldap.php | 35 |
3 files changed, 45 insertions, 31 deletions
diff --git a/phpBB/includes/auth/auth_apache.php b/phpBB/includes/auth/auth_apache.php index 88d5be4f4f..f87ad738c0 100644 --- a/phpBB/includes/auth/auth_apache.php +++ b/phpBB/includes/auth/auth_apache.php @@ -1,24 +1,32 @@ <?php +// Authentication plug-ins is largely down to Sergey Kanareykin, our thanks to him. // -// Authentication plug-ins is largely down to -// Sergey Kanareykin, our thanks to him. +// This is for initial authentication via Apaches basic realm authentication methods, +// user data is then obtained from the integrated user table // +// You can do any kind of checking you like here ... the return data format is +// either the resulting row of user information, an integer zero (indicating an +// inactive user) or some error string function login_apache(&$username, &$password) { - global $HTTP_SERVER_VARS, $HTTP_ENV_VARS; + global $db; - $php_auth_user = ( !empty($HTTP_SERVER_VARS['PHP_AUTH_USER']) ) ? $HTTP_SERVER_VARS['PHP_AUTH_USER'] : $HTTP_GET_VARS['PHP_AUTH_USER']; - $php_auth_pw = ( !empty($HTTP_SERVER_VARS['PHP_AUTH_PW']) ) ? $HTTP_SERVER_VARS['PHP_AUTH_PW'] : $HTTP_GET_VARS['PHP_AUTH_PW']; + $php_auth_user = (!empty($_SERVER['PHP_AUTH_USER'])) ? $_SERVER['PHP_AUTH_USER'] : $_GET['PHP_AUTH_USER']; + $php_auth_pw = (!empty($_SERVER['PHP_AUTH_PW'])) ? $_SERVER['PHP_AUTH_PW'] : $_GET['PHP_AUTH_PW']; - if ( $php_auth_user && $php_auth_pw ) + if ($php_auth_user && $php_auth_pw) { $sql = "SELECT user_id, username, user_password, user_email, user_active FROM " . USERS_TABLE . " - WHERE username = '" . str_replace("\'", "''", $username) . "'"; + WHERE username = '" . $db->sql_escape($username) . "'"; $result = $db->sql_query($sql); - return ( $row = $db->sql_fetchrow($result) ) ? $row : false; + if ($row = $db->sql_fetchrow($result)) + { + $db->sql_freeresult($result); + return (empty($row['user_active'])) ? 0 : $row; + } } return false; diff --git a/phpBB/includes/auth/auth_db.php b/phpBB/includes/auth/auth_db.php index d91655ff04..3666eeb105 100644 --- a/phpBB/includes/auth/auth_db.php +++ b/phpBB/includes/auth/auth_db.php @@ -1,24 +1,27 @@ <?php +// Authentication plug-ins is largely down to Sergey Kanareykin, our thanks to him. // -// Authentication plug-ins is largely down to -// Sergey Kanareykin, our thanks to him. +// This is for authentication via the integrated user table // +// You can do any kind of checking you like here ... the return data format is +// either the resulting row of user information, an integer zero (indicating an +// inactive user) or some error string function login_db(&$username, &$password) { - global $db, $board_config; + global $db, $config; $sql = "SELECT user_id, username, user_password, user_email, user_active FROM " . USERS_TABLE . " - WHERE username = '" . str_replace("\'", "''", $username) . "'"; + WHERE username = '" . $db->sql_escape($username) . "'"; $result = $db->sql_query($sql); - if ( $row = $db->sql_fetchrow($result) ) + if ($row = $db->sql_fetchrow($result)) { $db->sql_freeresult($result); - if ( md5($password) == $row['user_password'] && $row['user_active'] ) + if (md5($password) == $row['user_password']) { - return $row; + return (empty($row['user_active'])) ? 0 : $row; } } diff --git a/phpBB/includes/auth/auth_ldap.php b/phpBB/includes/auth/auth_ldap.php index 79af7a23e6..7df48722de 100644 --- a/phpBB/includes/auth/auth_ldap.php +++ b/phpBB/includes/auth/auth_ldap.php @@ -1,38 +1,46 @@ <?php +// Authentication plug-ins is largely down to Sergey Kanareykin, our thanks to him. // -// Authentication plug-ins is largely down to -// Sergey Kanareykin, our thanks to him. +// This is for initial authentication via an LDAP server, user information is then +// obtained from the integrated user table // +// You can do any kind of checking you like here ... the return data format is +// either the resulting row of user information, an integer zero (indicating an +// inactive user) or some error string function login_ldap(&$username, &$password) { - global $board_config; + global $db, $config; - if ( !extension_loaded('ldap') ) + if (!extension_loaded('ldap')) { return 'LDAP extension not available'; } - if ( !($ldap = @ldap_connect($board_config['ldap_server'])) ) + if (!($ldap = @ldap_connect($config['ldap_server']))) { return 'Could not connect to LDAP server'; } - $search = @ldap_search($ldap, $board_config['ldap_base_dn'], $board_config['ldap_uid'] . '=' . $username, array($board_config['ldap_uid'])); + $search = @ldap_search($ldap, $config['ldap_base_dn'], $config['ldap_uid'] . '=' . $username, array($config['ldap_uid'])); $result = @ldap_get_entries($ldap, $search); - if ( is_array($result) && count($result) > 1 ) + if (is_array($result) && count($result) > 1) { - if ( @ldap_bind($ldap, $result[0]['dn'], $password) ) + if (@ldap_bind($ldap, $result[0]['dn'], $password)) { @ldap_close($ldap); $sql = "SELECT user_id, username, user_password, user_email, user_active FROM " . USERS_TABLE . " - WHERE username = '" . str_replace("\'", "''", $username) . "'"; + WHERE username = '" . $db->sql_escape($username) . "'"; $result = $db->sql_query($sql); - return ( $row = $db->sql_fetchrow($result) ) ? $row : false; + if ($row = $db->sql_fetchrow($result)) + { + $db->sql_freeresult($result); + return (empty($row['user_active'])) ? 0 : $row; + } } } @@ -41,10 +49,8 @@ function login_ldap(&$username, &$password) return false; } -// // This function is used to output any required fields in the authentication // admin panel. It also defines any required configuration table fields. -// function admin_ldap(&$new) { global $user; @@ -64,22 +70,19 @@ function admin_ldap(&$new) </tr> <?php - // // These are fields required in the config table - // return array('ldap_server', 'ldap_base_dn', 'ldap_uid'); } -// // Would be nice to allow syncing of 'appropriate' data when user updates // their username, password, etc. ... should be up to the plugin what data // is updated. // // $mode perhaps being one of NEW, UPDATE, DELETE -// function usercp_ldap($mode) { + global $db, $config; } |