예제 #1
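## PmWikiAuth reads $pagename and works out which authorization levels the
## current visitor holds on it.
##   $pagename   - name of the page to read and check
##   $level      - level the caller needs; 'ALWAYS' returns the page regardless
##   $authprompt - when false, a denied request returns false instead of
##                 printing the password prompt
##   $since      - passed straight through to ReadPage()
## Returns the page array (with '=auth', '=passwd' and '=pwsource' filled in)
## when access is granted, and false when the page cannot be read or when
## access is denied and $authprompt is false.  Otherwise it prints the
## password prompt and exits.
function PmWikiAuth($pagename, $level, $authprompt=true, $since=0) {
  global $DefaultPasswords, $GroupAttributesFmt, $AllowPassword,
    $AuthCascade, $FmtV, $AuthPromptFmt, $PageStartFmt, $PageEndFmt,
    $AuthId, $AuthList, $NoHTMLCache;
  static $acache;
  SDV($GroupAttributesFmt,'$Group/GroupAttributes');
  SDV($AllowPassword,'nopass');
  $page = ReadPage($pagename, $since);
  if (!$page) { return false; }
  # $acache is static and still unset on the first call: that is when any
  # posted password is handed to SessionAuth()
  if (!isset($acache))
    SessionAuth($pagename, (@$_POST['authpw'])
                           ? array('authpw' => array($_POST['authpw'] => 1))
                           : '');
  # a known identity is entered in $AuthList as id:<name> (1), id:-<name> (-1)
  # and the wildcard id:* (1)
  if (@$AuthId) {
    $AuthList["id:$AuthId"] = 1;
    $AuthList["id:-$AuthId"] = -1;
    $AuthList["id:*"] = 1;
  }
  $gn = FmtPageName($GroupAttributesFmt, $pagename);
  if (!isset($acache[$gn])) {
    $gp = ReadPage($gn, READPAGE_CURRENT);
    foreach($DefaultPasswords as $k => $v) {
      # site-level result first, then the group-level result built on it
      $x = array(2, array(), '');
      $acache['@site'][$k] = IsAuthorized($v, 'site', $x);
      $AuthList["@_site_$k"] = $acache['@site'][$k][0] ? 1 : 0;
      # '@': the group attributes page may be missing or carry no passwd$k
      $acache[$gn][$k] = IsAuthorized(@$gp["passwd$k"], 'group',
                                      $acache['@site'][$k]);
    }
  }
  # page-level result for every level, falling back on the cached group result
  foreach($DefaultPasswords as $k => $v)
    list($page['=auth'][$k], $page['=passwd'][$k], $page['=pwsource'][$k]) =
      IsAuthorized(@$page["passwd$k"], 'page', $acache[$gn][$k]);
  # a level whose result is 2 takes over the result and password list of the
  # level it cascades to (2 is also the seed passed in for the site level
  # above -- presumably "nothing set here"; confirm in IsAuthorized)
  foreach($AuthCascade as $k => $t) {
    if ($page['=auth'][$k]+0 == 2) {
      $page['=auth'][$k] = $page['=auth'][$t];
      if ($page['=passwd'][$k] = $page['=passwd'][$t])         # assign
        $page['=pwsource'][$k] = "cascade:$t";
    }
  }
  # admin authorization marks every level as 3
  if (@$page['=auth']['admin'])
    foreach($page['=auth'] as $lv=>$a) @$page['=auth'][$lv] = 3;
  # a read password on the page ORs 2 into $NoHTMLCache
  if (@$page['=passwd']['read']) $NoHTMLCache |= 2;
  if ($level=='ALWAYS' || @$page['=auth'][$level]) return $page;
  if (!$authprompt) return false;
  # only set when a password was posted, i.e. after a failed attempt
  $GLOBALS['AuthNeeded'] = (@$_POST['authpw'])
    ? $page['=pwsource'][$level] . ' ' . $level : '';
  PCache($pagename, $page);
  # Re-post the caller's other form fields as hidden inputs.  Everything in
  # $_POST is client-controlled, names included, so both the name and the
  # value are HTML-escaped before they are written into an attribute.
  $postvars = '';
  foreach($_POST as $k=>$v) {
    if ($k == 'authpw' || $k == 'authid') continue;
    # the name sits in a single-quoted attribute, hence ENT_QUOTES
    $k = htmlspecialchars((string)stripmagic($k), ENT_QUOTES);
    if (is_array($v)) {
      # array fields (name[key]=value) are carried over one level deep
      foreach($v as $vk => $vv) {
        if (is_array($vv)) continue;
        $vk = htmlspecialchars((string)stripmagic($vk), ENT_QUOTES);
        $vv = str_replace('$', '&#036;',
                 htmlspecialchars(stripmagic($vv), ENT_COMPAT));
        $postvars .= "<input type='hidden' name='{$k}[{$vk}]' value=\"$vv\" />\n";
      }
      continue;
    }
    # '$' becomes an entity so the posted text contains no literal '$' when
    # it is substituted for $PostVars below
    $v = str_replace('$', '&#036;',
             htmlspecialchars(stripmagic($v), ENT_COMPAT));
    $postvars .= "<input type='hidden' name='$k' value=\"$v\" />\n";
  }
  $FmtV['$PostVars'] = $postvars;
  # REQUEST_URI is client-controlled too and lands in a single-quoted
  # attribute, so it is escaped rather than interpolated raw.
  # NOTE(review): '$' in field names and in the URI is not turned into an
  # entity the way it is in values -- confirm whether PrintFmt would expand it.
  $r = htmlspecialchars($_SERVER['REQUEST_URI'], ENT_QUOTES);
  SDV($AuthPromptFmt,array(&$PageStartFmt,
    "<p><b>$[Password required]</b></p>
      <form name='authform' action='{$r}' method='post'>
        $[Password]: <input tabindex='1' type='password' name='authpw' 
          value='' />
        <input type='submit' value='OK' />\$PostVars</form>
        <script language='javascript' type='text/javascript'><!--
          document.authform.authpw.focus() //--></script>", &$PageEndFmt));
  PrintFmt($pagename,$AuthPromptFmt);
  exit;
}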
예제 #2
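## AuthUserId checks the login $id / $pw against the sources configured in
## $AuthUser and on the AuthUser page, and on success records the identity
## and its group memberships through SessionAuth().
##   $pagename - current page name, used to resolve $AuthUserPageFmt
##   $id       - login name being authenticated
##   $pw       - password; when NULL the password check is skipped entirely
## Returns nothing.  On failure it sets $GLOBALS['InvalidLogin'] to 1.
function AuthUserId($pagename, $id, $pw = NULL)
{
    global $AuthUser, $AuthUserPageFmt, $AuthUserFunctions, $AuthId, $MessagesFmt;
    # start from defined arrays: with an empty $AuthUser and no AuthUser page
    # the lookups below would otherwise run on undefined variables
    $auth = array();
    $authlist = array();
    foreach ((array) $AuthUser as $k => $v) {
        $auth[$k] = (array) $v;
    }
    $authid = '';
    # load information from Site.AuthUser (or page in $AuthUserPageFmt)
    SDV($AuthUserPageFmt, '$SiteGroup.AuthUser');
    # the last entry registers AuthUserConfig under the login name itself
    # NOTE(review): a login name equal to 'htpasswd' or 'ldap' collides with
    # the handler keys in this literal -- confirm such names are harmless.
    SDVA($AuthUserFunctions, array('htpasswd' => 'AuthUserHtPasswd', 'ldap' => 'AuthUserLDAP', $id => 'AuthUserConfig'));
    $pn = FmtPageName($AuthUserPageFmt, $pagename);
    $apage = ReadPage($pn, READPAGE_CURRENT);
    # each "name: item item ..." line of the page adds to $auth
    if ($apage && preg_match_all("/^\\s*([@\\w][^\\s:]*):(.*)/m", $apage['text'], $matches, PREG_SET_ORDER)) {
        foreach ($matches as $m) {
            if (!preg_match_all('/\\bldaps?:\\S+|[^\\s,]+/', $m[2], $v)) {
                continue;
            }
            if ($m[1][0] == '@') {
                # "@group: a b" is stored per member: $auth['a'][] = '@group'
                foreach ($v[0] as $g) {
                    $auth[$g][] = $m[1];
                }
            } else {
                $auth[$m[1]] = array_merge((array) @$auth[$m[1]], $v[0]);
            }
        }
    }
    if (is_null($pw)) {
        # no password given: $id is accepted as is, so a caller must only
        # omit $pw for an identity that has already been verified
        $authid = $id;
    } else {
        # first handler that has data for its key and accepts the pair wins
        foreach ($AuthUserFunctions as $k => $fn) {
            if (!empty($auth[$k]) && $fn($pagename, $id, $pw, $auth[$k])) {
                $authid = $id;
                break;
            }
        }
    }
    if (!$authid) {
        $GLOBALS['InvalidLogin'] = 1;
        return;
    }
    if (!isset($AuthId)) {
        $AuthId = $authid;
    }
    $authlist["id:{$authid}"] = 1;
    $authlist["id:-{$authid}"] = -1;
    # groups recorded for this id, then groups recorded for everyone ('*')
    foreach (preg_grep('/^@/', (array) @$auth[$authid]) as $g) {
        $authlist[$g] = 1;
    }
    foreach (preg_grep('/^@/', (array) @$auth['*']) as $g) {
        $authlist[$g] = 1;
    }
    foreach (preg_grep('/^@/', array_keys($auth)) as $g) {
        # membership is decided on exact string equality; a loose in_array()
        # would treat numeric-looking names such as "1e3" and "1000" as equal
        if (in_array((string) $authid, array_map('strval', $auth[$g]), true)) {
            $authlist[$g] = 1;
        }
    }
    if (!empty($auth['htgroup'])) {
        foreach (AuthUserHtGroup($pagename, $id, $pw, $auth['htgroup']) as $g) {
            $authlist["@{$g}"] = 1;
        }
    }
    SessionAuth($pagename, array('authid' => $authid, 'authlist' => $authlist));
}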
예제 #3
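## PmWikiAuth reads $pagename and works out which authorization levels the
## current visitor holds on it, from the page, group and site passwords.
##   $pagename   - name of the page to read and check
##   $level      - level the caller needs
##   $authprompt - when false, a denied request returns false instead of
##                 printing the password prompt
##   $since      - passed straight through to ReadPage()
## Returns the page array (with '=auth', '=passwd' and '=pwsource' filled in)
## when $level is authorized, and false when the page cannot be read or when
## access is denied and $authprompt is false.  Otherwise it prints the
## password prompt and exits.
function PmWikiAuth($pagename, $level, $authprompt = true, $since = 0)
{
    global $DefaultPasswords, $AllowPassword, $GroupAttributesFmt, $AuthCascade, $FmtV, $AuthPromptFmt, $PageStartFmt, $PageEndFmt, $AuthId, $AuthList, $AuthPw;
    static $grouppasswd;
    SDV($GroupAttributesFmt, '$Group/GroupAttributes');
    SDV($AllowPassword, 'nopass');
    $page = ReadPage($pagename, $since);
    if (!$page) {
        return false;
    }
    # $grouppasswd is static and still unset on the first call: that is when
    # any posted password is handed to SessionAuth()
    if (!isset($grouppasswd)) {
        SessionAuth($pagename, @$_POST['authpw'] ? array('authpw' => array($_POST['authpw'] => 1)) : '');
    }
    if (@$AuthId) {
        $AuthList["id:{$AuthId}"] = 1;
        $AuthList["id:-{$AuthId}"] = -1;
        $AuthList["id:*"] = 1;
    }
    # per-group cache: the group's own password for a level, else the site one
    $groupattr = FmtPageName($GroupAttributesFmt, $pagename);
    if (!isset($grouppasswd[$groupattr])) {
        $grouppasswd[$groupattr] = array();
        $gp = ReadPage($groupattr, READPAGE_CURRENT);
        foreach ($DefaultPasswords as $k => $v) {
            $grouppasswd[$groupattr][$k] = isset($gp["passwd{$k}"]) ? NormalizeAuth($gp["passwd{$k}"], 'group') : NormalizeAuth($v, 'site');
        }
    }
    # defined up front so the loops below never run on an undefined variable
    $passwd = array();
    foreach ($DefaultPasswords as $k => $v) {
        $passwd[$k] = isset($page["passwd{$k}"]) ? NormalizeAuth($page["passwd{$k}"], 'page') : $grouppasswd[$groupattr][$k];
        # the source label travels inside the entry; move it to '=pwsource'
        $page['=pwsource'][$k] = @$passwd[$k]['=pwsource'];
        unset($passwd[$k]['=pwsource']);
    }
    $page['=passwd'] = $passwd;
    # a level with no password of its own borrows the one it cascades to
    foreach ($AuthCascade as $k => $t) {
        if (!$passwd[$k] && $passwd[$t]) {
            $passwd[$k] = $passwd[$t];
            $page['=pwsource'][$k] = "cascade:{$t}";
        }
    }
    foreach ($passwd as $lv => $a) {
        # nothing required for this level: authorized
        if (!$a) {
            @$page['=auth'][$lv]++;
            continue;
        }
        foreach ((array) $a as $pwchal) {
            # entries starting with '@' or 'word:' are looked up in $AuthList
            # rather than treated as password hashes
            if (preg_match('/^@|^\\w+:/', $pwchal)) {
                if (@$AuthList[$pwchal] > 0) {
                    @$page['=auth'][$lv]++;
                    continue 2;
                }
                # a negative entry ends the check for this level unauthorized
                if (@$AuthList[$pwchal] < 0) {
                    continue 2;
                }
                continue;
            }
            # Hashes are compared as strings with ===; a loose == compares two
            # numeric-looking strings by value.  hash_equals() is the
            # constant-time form where PHP >= 5.6 can be assumed.
            if (crypt($AllowPassword, $pwchal) === (string) $pwchal) {
                @$page['=auth'][$lv]++;
                continue 2;
            }
            foreach ((array) $AuthPw as $pwresp) {
                if (crypt($pwresp, $pwchal) === (string) $pwchal) {
                    @$page['=auth'][$lv]++;
                    continue 2;
                }
            }
        }
    }
    # admin authorization raises every level
    if (@$page['=auth']['admin']) {
        foreach ($passwd as $lv => $a) {
            @$page['=auth'][$lv]++;
        }
    }
    if (@$page['=auth'][$level]) {
        return $page;
    }
    if (!$authprompt) {
        return false;
    }
    # only set when a password was posted, i.e. after a failed attempt
    $GLOBALS['AuthNeeded'] = @$_POST['authpw'] ? $page['=pwsource'][$level] . ' ' . $level : '';
    PCache($pagename, $page);
    # Re-post the caller's other form fields as hidden inputs.  Everything in
    # $_POST is client-controlled, names included, so both the name and the
    # value are HTML-escaped before they are written into an attribute.
    $postvars = '';
    foreach ($_POST as $k => $v) {
        if ($k == 'authpw' || $k == 'authid') {
            continue;
        }
        # the name sits in a single-quoted attribute, hence ENT_QUOTES
        $k = htmlspecialchars((string) stripmagic($k), ENT_QUOTES);
        if (is_array($v)) {
            # array fields (name[key]=value) are carried over one level deep
            foreach ($v as $vk => $vv) {
                if (is_array($vv)) {
                    continue;
                }
                $vk = htmlspecialchars((string) stripmagic($vk), ENT_QUOTES);
                $vv = str_replace('$', '&#036;', htmlspecialchars(stripmagic($vv), ENT_COMPAT));
                $postvars .= "<input type='hidden' name='{$k}[{$vk}]' value=\"{$vv}\" />\n";
            }
            continue;
        }
        $v = str_replace('$', '&#036;', htmlspecialchars(stripmagic($v), ENT_COMPAT));
        $postvars .= "<input type='hidden' name='{$k}' value=\"{$v}\" />\n";
    }
    $FmtV['$PostVars'] = $postvars;
    # REQUEST_URI is client-controlled too and lands in a single-quoted
    # attribute, so it is escaped rather than interpolated raw.
    # NOTE(review): '$' in field names and in the URI is not turned into an
    # entity the way it is in values -- confirm whether PrintFmt would expand it.
    $r = htmlspecialchars($_SERVER['REQUEST_URI'], ENT_QUOTES);
    SDV($AuthPromptFmt, array(&$PageStartFmt, "<p><b>\$[Password required]</b></p>\n      <form name='authform' action='{$r}' method='post'>\n        \$[Password]: <input tabindex='1' type='password' name='authpw' \n          value='' />\n        <input type='submit' value='OK' />\$PostVars</form>\n        <script language='javascript' type='text/javascript'><!--\n          document.authform.authpw.focus() //--></script>", &$PageEndFmt));
    PrintFmt($pagename, $AuthPromptFmt);
    exit;
}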
예제 #4
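## PmWikiAuth reads $pagename and works out which authorization levels the
## current visitor holds on it.
##   $pagename   - name of the page to read and check
##   $level      - level the caller needs; 'ALWAYS' returns the page regardless
##   $authprompt - when false, a denied request returns false instead of
##                 printing the password prompt
##   $since      - passed straight through to ReadPage()
## Returns the page array (with '=auth', '=passwd' and '=pwsource' filled in)
## when access is granted, and false when the page cannot be read or when
## access is denied and $authprompt is false.  Otherwise it prints the
## password prompt and exits.
function PmWikiAuth($pagename, $level, $authprompt = true, $since = 0)
{
    global $DefaultPasswords, $GroupAttributesFmt, $AllowPassword, $AuthCascade, $FmtV, $AuthPromptFmt, $PageStartFmt, $PageEndFmt, $AuthId, $AuthList, $NoHTMLCache;
    static $acache;
    SDV($GroupAttributesFmt, '$Group/GroupAttributes');
    SDV($AllowPassword, 'nopass');
    $page = ReadPage($pagename, $since);
    if (!$page) {
        return false;
    }
    # $acache is static and still unset on the first call: that is when any
    # posted password is handed to SessionAuth()
    if (!isset($acache)) {
        SessionAuth($pagename, @$_POST['authpw'] ? array('authpw' => array($_POST['authpw'] => 1)) : '');
    }
    if (@$AuthId) {
        $AuthList["id:{$AuthId}"] = 1;
        $AuthList["id:-{$AuthId}"] = -1;
        $AuthList["id:*"] = 1;
    }
    ## To allow @_site_edit in GroupAttributes, we cache it first
    if (!isset($acache['@site'])) {
        foreach ($DefaultPasswords as $k => $v) {
            $x = array(2, array(), '');
            $acache['@site'][$k] = IsAuthorized($v, 'site', $x);
            $AuthList["@_site_{$k}"] = $acache['@site'][$k][0] ? 1 : 0;
        }
    }
    # group-level results, cached per group attributes page
    $gn = FmtPageName($GroupAttributesFmt, $pagename);
    if (!isset($acache[$gn])) {
        $gp = ReadPage($gn, READPAGE_CURRENT);
        foreach ($DefaultPasswords as $k => $v) {
            $acache[$gn][$k] = IsAuthorized(@$gp["passwd{$k}"], 'group', $acache['@site'][$k]);
        }
    }
    # page-level result for every level, built on the cached group result
    foreach ($DefaultPasswords as $k => $v) {
        list($page['=auth'][$k], $page['=passwd'][$k], $page['=pwsource'][$k]) = IsAuthorized(@$page["passwd{$k}"], 'page', $acache[$gn][$k]);
    }
    # a level whose result is 2 takes over the result and password list of
    # the level it cascades to (2 is also the seed passed in for the site
    # level above -- presumably "nothing set here"; confirm in IsAuthorized)
    foreach ($AuthCascade as $k => $t) {
        if ($page['=auth'][$k] + 0 == 2) {
            $page['=auth'][$k] = $page['=auth'][$t];
            if ($page['=passwd'][$k] = $page['=passwd'][$t]) {
                # assign
                $page['=pwsource'][$k] = "cascade:{$t}";
            }
        }
    }
    # admin authorization marks every level as 3
    if (@$page['=auth']['admin']) {
        foreach ($page['=auth'] as $lv => $a) {
            @($page['=auth'][$lv] = 3);
        }
    }
    # a read password on the page ORs 2 into $NoHTMLCache
    if (@$page['=passwd']['read']) {
        $NoHTMLCache |= 2;
    }
    if ($level == 'ALWAYS' || @$page['=auth'][$level]) {
        return $page;
    }
    if (!$authprompt) {
        return false;
    }
    # only set when a password was posted, i.e. after a failed attempt
    $GLOBALS['AuthNeeded'] = @$_POST['authpw'] ? $page['=pwsource'][$level] . ' ' . $level : '';
    PCache($pagename, $page);
    # Re-post the caller's other form fields as hidden inputs; names and
    # values are client-controlled and are escaped for the attribute they
    # are written into.
    $postvars = '';
    foreach ($_POST as $k => $v) {
        if ($k == 'authpw' || $k == 'authid') {
            continue;
        }
        $k = PHSC(stripmagic($k), ENT_QUOTES);
        if (is_array($v)) {
            foreach ($v as $vk => $vv) {
                $vk = PHSC(stripmagic($vk), ENT_QUOTES);
                $vv = str_replace('$', '&#036;', PHSC(stripmagic($vv), ENT_COMPAT));
                $postvars .= "<input type='hidden' name='{$k}[{$vk}]' value=\"{$vv}\" />\n";
            }
        } else {
            $v = str_replace('$', '&#036;', PHSC(stripmagic($v), ENT_COMPAT));
            $postvars .= "<input type='hidden' name='{$k}' value=\"{$v}\" />\n";
        }
    }
    $FmtV['$PostVars'] = $postvars;
    # The form action sits in a single-quoted attribute.  The earlier
    # replacement of "'" by '%37' did remove the quote, but %37 decodes to
    # the digit 7 (an apostrophe is %27), so the posted-to URL was altered.
    # HTML-escaping with ENT_QUOTES keeps the URL intact and closes the
    # attribute breakout.
    # NOTE(review): '$' in field names and in the URI is not turned into an
    # entity the way it is in values -- confirm whether PrintFmt would expand it.
    $r = PHSC(stripmagic($_SERVER['REQUEST_URI']), ENT_QUOTES);
    SDV($AuthPromptFmt, array(&$PageStartFmt, "<p><b>\$[Password required]</b></p>\n      <form name='authform' action='{$r}' method='post'>\n        \$[Password]: <input tabindex='1' type='password' name='authpw' \n          value='' />\n        <input type='submit' value='\$[OK]' />\$PostVars</form>\n        <script language='javascript' type='text/javascript'><!--\n          document.authform.authpw.focus() //--></script>", &$PageEndFmt));
    PrintFmt($pagename, $AuthPromptFmt);
    exit;
}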
예제 #5
    This file defines an alternate authentication scheme based on the
    HTTP Basic authentication protocol (i.e., the scheme used by default
    in PmWiki 1).
*/
## A non-empty REMOTE_USER means the webserver has already authenticated
## the visitor.  Unless $EnableRemoteUserAuth is switched off, that name
## becomes the default authorization id, and the browser's Basic Auth form
## is disabled by default since it tends to confuse webservers.
## The value is taken as given, so it is only as trustworthy as the
## webserver layer that sets it.
if (IsEnabled($EnableRemoteUserAuth, 1)) {
    if (!empty($_SERVER['REMOTE_USER'])) {
        SDV($EnableHTTPBasicAuth, 0);
        SDV($AuthId, $_SERVER['REMOTE_USER']);
    }
}
## A password sent by the browser is passed to SessionAuth() as one more
## candidate password for authentication.
if (!empty($_SERVER['PHP_AUTH_PW'])) {
    SessionAuth($pagename, array('authpw' => array($_SERVER['PHP_AUTH_PW'] => 1)));
}
## With $EnableHTTPBasicAuth on (the default unless set above), PmWikiAuth
## uses the browser's HTTP Basic prompt in place of the form-based one.
if (IsEnabled($EnableHTTPBasicAuth, 1)) {
    SDV($AuthPromptFmt, 'function:HTTPBasicAuthPrompt');
}
## HTTPBasicAuthPrompt replaces PmWikiAuth's form-based password
## prompt with the browser-based HTTP Basic prompt.
function HTTPBasicAuthPrompt($pagename)
{
    global $AuthRealmFmt, $AuthDeniedFmt;
    SDV($AuthRealmFmt, $GLOBALS['WikiTitle']);
    SDV($AuthDeniedFmt, 'A valid password is required to access this feature.');
    $realm = FmtPageName($AuthRealmFmt, $pagename);
    header("WWW-Authenticate: Basic realm=\"{$realm}\"");
예제 #6
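## AuthUserId checks the login $id / $pw against the sources configured in
## $AuthUser and on the AuthUser page, and on success records the identity
## and its group memberships through SessionAuth().
##   $pagename - current page name, used to resolve $AuthUserPageFmt
##   $id       - login name being authenticated
##   $pw       - password; leaving the argument out skips the password check
## Returns nothing.  On failure it sets $GLOBALS['InvalidLogin'] to 1.
function AuthUserId($pagename, $id, $pw=NULL) {
  global $AuthUser, $AuthUserPageFmt, $AuthUserFunctions, 
    $AuthId, $MessagesFmt, $AuthUserPat;

  $auth = array();
  foreach((array)$AuthUser as $k=>$v) $auth[$k] = (array)$v;
  $authid = '';
  # defined before it is handed to the handlers below
  $authlist = array();

  # load information from SiteAdmin.AuthUser (or page in $AuthUserPageFmt)
  SDV($AuthUserPageFmt, '$SiteAdminGroup.AuthUser');
  # the last entry registers AuthUserConfig under the login name itself
  # NOTE(review): a login name equal to 'htpasswd' or 'ldap' collides with
  # the handler keys in this literal -- confirm such names are harmless.
  SDVA($AuthUserFunctions, array(
    'htpasswd' => 'AuthUserHtPasswd',
    'ldap' => 'AuthUserLDAP',
#    'mysql' => 'AuthUserMySQL',
    $id => 'AuthUserConfig'));

  SDV($AuthUserPat, "/^\\s*([@\\w][^\\s:]*):(.*)/m");
  $pn = FmtPageName($AuthUserPageFmt, $pagename);
  $apage = ReadPage($pn, READPAGE_CURRENT);
  # each "name: item item ..." line of the page adds to $auth
  if ($apage && preg_match_all($AuthUserPat, 
                               $apage['text'], $matches, PREG_SET_ORDER)) {
    foreach($matches as $m) {
      if (!preg_match_all('/\\bldaps?:\\S+|[^\\s,]+/', $m[2], $v))
        continue;
      # square brackets: the $str{0} offset form is a parse error on PHP 8
      if ($m[1][0] == '@') 
        foreach($v[0] as $g) $auth[$g][] = $m[1];
      else $auth[$m[1]] = array_merge((array)@$auth[$m[1]], $v[0]);
    }
  }

  # called with just ($pagename, $id): the id is accepted without any
  # password check, so callers must only do that for a verified identity.
  # An explicitly passed $pw, even NULL, goes through the handlers.
  if (func_num_args()==2) $authid = $id;
  else
    foreach($AuthUserFunctions as $k => $fn) 
      if (@$auth[$k] && $fn($pagename, $id, $pw, $auth[$k], $authlist)) 
        { $authid = $id; break; }

  if (!$authid) { $GLOBALS['InvalidLogin'] = 1; return; }
  if (!isset($AuthId)) $AuthId = $authid;
  $authlist["id:$authid"] = 1;
  $authlist["id:-$authid"] = -1;
  # groups recorded for this id, then groups recorded for everyone ('*')
  foreach(preg_grep('/^@/', (array)@$auth[$authid]) as $g) 
    $authlist[$g] = 1;
  foreach(preg_grep('/^@/', (array)@$auth['*']) as $g) 
    $authlist[$g] = 1;
  # membership is decided on exact string equality; a loose in_array() would
  # treat numeric-looking names such as "1e3" and "1000" as equal
  foreach(preg_grep('/^@/', array_keys($auth)) as $g) # useless? PITS:01201
    if (in_array((string)$authid, array_map('strval', $auth[$g]), true))
      $authlist[$g] = 1;
  if (!empty($auth['htgroup'])) {
    foreach(AuthUserHtGroup($pagename, $id, $pw, $auth['htgroup']) as $g)
      $authlist["@$g"] = 1;
  }
  # groups listed under "-<id>" are taken out again, after all additions
  foreach(preg_grep('/^@/', (array)@$auth["-$authid"]) as $g) 
    unset($authlist[$g]);
  SessionAuth($pagename, array('authid' => $authid, 'authlist' => $authlist));
}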