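## PmWikiAuth reads $pagename and decides whether the current visitor is
## authorized for $level.
##
## Returns the page array (with '=auth', '=passwd' and '=pwsource' filled
## in per level) when $level is 'ALWAYS' or the visitor is authorized,
## false when the page cannot be read or when access is refused and
## $authprompt is false.  Otherwise it prints the password prompt and
## exits.
##
## Everything echoed into the prompt (posted field names and values, the
## request URI) comes from the client and is HTML-escaped before output.
function PmWikiAuth($pagename, $level, $authprompt=true, $since=0) {
  global $DefaultPasswords, $GroupAttributesFmt, $AllowPassword,
    $AuthCascade, $FmtV, $AuthPromptFmt, $PageStartFmt, $PageEndFmt,
    $AuthId, $AuthList, $NoHTMLCache;
  static $acache;
  SDV($GroupAttributesFmt,'$Group/GroupAttributes');
  SDV($AllowPassword,'nopass');
  $page = ReadPage($pagename, $since);
  if (!$page) { return false; }

  # Only a string password is usable as an array key below; anything else
  # (e.g. authpw[]=x) is ignored instead of raising an offset error.
  $postpw = (isset($_POST['authpw']) && is_string($_POST['authpw']))
            ? $_POST['authpw'] : '';

  # First call in this request: hand a posted password to the session layer.
  if (!isset($acache))
    SessionAuth($pagename,
                ($postpw) ? array('authpw' => array($postpw => 1)) : '');
  if (@$AuthId) {
    $AuthList["id:$AuthId"] = 1;
    $AuthList["id:-$AuthId"] = -1;
    $AuthList["id:*"] = 1;
  }

  # Site and group results are cached per GroupAttributes page name.
  $gn = FmtPageName($GroupAttributesFmt, $pagename);
  if (!isset($acache[$gn])) {
    $gp = ReadPage($gn, READPAGE_CURRENT);
    foreach($DefaultPasswords as $k => $v) {
      # seed for the site level; presumably 2 means "nothing set yet",
      # which is what the cascade step below tests for -- confirm against
      # IsAuthorized
      $x = array(2, array(), '');
      $acache['@site'][$k] = IsAuthorized($v, 'site', $x);
      $AuthList["@_site_$k"] = $acache['@site'][$k][0] ? 1 : 0;
      # @ because the group page may not define every level
      $acache[$gn][$k] =
        IsAuthorized(@$gp["passwd$k"], 'group', $acache['@site'][$k]);
    }
  }

  # Page level: IsAuthorized yields (auth, passwd, pwsource) per level.
  foreach($DefaultPasswords as $k => $v)
    list($page['=auth'][$k], $page['=passwd'][$k], $page['=pwsource'][$k]) =
      IsAuthorized(@$page["passwd$k"], 'page', $acache[$gn][$k]);

  # A level still at 2 takes over the result of its cascade target.
  foreach($AuthCascade as $k => $t) {
    if ($page['=auth'][$k]+0 == 2) {
      $page['=auth'][$k] = $page['=auth'][$t];
      if ($page['=passwd'][$k] = $page['=passwd'][$t])         # assign
        $page['=pwsource'][$k] = "cascade:$t";
    }
  }

  # Admin authorization implies every other level.
  if (@$page['=auth']['admin'])
    foreach($page['=auth'] as $lv=>$a) $page['=auth'][$lv] = 3;
  if (@$page['=passwd']['read']) $NoHTMLCache |= 2;
  if ($level=='ALWAYS' || @$page['=auth'][$level]) return $page;
  if (!$authprompt) return false;

  $GLOBALS['AuthNeeded'] = ($postpw)
    ? $page['=pwsource'][$level] . ' ' . $level : '';
  PCache($pagename, $page);

  # Carry the other posted fields through the prompt as hidden inputs.
  # Names sit in single-quoted attributes, so they need ENT_QUOTES; '$' is
  # turned into an entity so the text is not read as a format variable
  # when the prompt is printed.
  $postvars = '';
  foreach($_POST as $k=>$v) {
    $k = (string)$k;   # numeric keys arrive as ints; compare as strings
    if ($k === 'authpw' || $k === 'authid') continue;
    $name = str_replace('$', '&#036;',
                        htmlspecialchars(stripmagic($k), ENT_QUOTES));
    if (is_array($v)) {
      foreach($v as $vk => $vv) {
        if (is_array($vv)) continue;   # deeper nesting is not carried over
        $vk = str_replace('$', '&#036;',
                htmlspecialchars(stripmagic((string)$vk), ENT_QUOTES));
        $vv = str_replace('$', '&#036;',
                htmlspecialchars(stripmagic($vv), ENT_COMPAT));
        $postvars .=
          "<input type='hidden' name='{$name}[{$vk}]' value=\"$vv\" />\n";
      }
      continue;
    }
    $v = str_replace('$', '&#036;',
                     htmlspecialchars(stripmagic($v), ENT_COMPAT));
    $postvars .= "<input type='hidden' name='$name' value=\"$v\" />\n";
  }
  $FmtV['$PostVars'] = $postvars;

  # The request URI is client-controlled and lands in a single-quoted
  # attribute inside a format string.
  $r = str_replace('$', '&#036;',
                   htmlspecialchars($_SERVER['REQUEST_URI'], ENT_QUOTES));
  SDV($AuthPromptFmt,array(&$PageStartFmt,
    "<p><b>\$[Password required]</b></p>\n"
    . " <form name='authform' action='{$r}' method='post'>\n"
    . " \$[Password]: <input tabindex='1' type='password' name='authpw'"
    . " value='' />\n"
    . " <input type='submit' value='OK' />\$PostVars</form>\n"
    . " <script language='javascript' type='text/javascript'><!--\n"
    . " document.authform.authpw.focus() //--></script>",
    &$PageEndFmt));
  PrintFmt($pagename,$AuthPromptFmt);
  exit;
}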
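## AuthUserId establishes $id as the authenticated identity for the
## session and works out which @groups it belongs to.
##
## Called with two arguments, $id is accepted without verification (the
## caller vouches for it).  Called with three, $pw is checked by the
## handlers in $AuthUserFunctions; the first handler that accepts wins.
## An explicit NULL password is verified like any other value and is
## never treated as "already trusted", so a request that merely lacks a
## password field cannot select the trusted path.
##
## On failure $GLOBALS['InvalidLogin'] is set and nothing is stored.  On
## success the id and its authorization list go to SessionAuth().
function AuthUserId($pagename, $id, $pw = NULL) {
  global $AuthUser, $AuthUserPageFmt, $AuthUserFunctions, $AuthId,
    $MessagesFmt;
  $auth = array();
  foreach ((array) $AuthUser as $k => $v) {
    $auth[$k] = (array) $v;
  }
  $authid = '';
  $authlist = array();

  # load information from Site.AuthUser (or page in $AuthUserPageFmt)
  SDV($AuthUserPageFmt, '$SiteGroup.AuthUser');
  # the submitted id is registered as a key so that an $auth entry for
  # that id is handed to AuthUserConfig
  SDVA($AuthUserFunctions, array(
    'htpasswd' => 'AuthUserHtPasswd',
    'ldap' => 'AuthUserLDAP',
    $id => 'AuthUserConfig'));
  $pn = FmtPageName($AuthUserPageFmt, $pagename);
  $apage = ReadPage($pn, READPAGE_CURRENT);
  if ($apage && preg_match_all("/^\\s*([@\\w][^\\s:]*):(.*)/m",
                               $apage['text'], $matches, PREG_SET_ORDER)) {
    foreach ($matches as $m) {
      if (!preg_match_all('/\\bldaps?:\\S+|[^\\s,]+/', $m[2], $v)) {
        continue;
      }
      if ($m[1][0] == '@') {
        # "@group: a, b" -- record the group under each listed name
        foreach ($v[0] as $g) {
          $auth[$g][] = $m[1];
        }
      } else {
        $auth[$m[1]] = array_merge((array) @$auth[$m[1]], $v[0]);
      }
    }
  }

  if (func_num_args() < 3) {
    $authid = $id;
  } else {
    foreach ($AuthUserFunctions as $k => $fn) {
      if (!empty($auth[$k]) && $fn($pagename, $id, $pw, $auth[$k])) {
        $authid = $id;
        break;
      }
    }
  }
  if (!$authid) {
    $GLOBALS['InvalidLogin'] = 1;
    return;
  }
  if (!isset($AuthId)) {
    $AuthId = $authid;
  }

  $authlist["id:{$authid}"] = 1;
  $authlist["id:-{$authid}"] = -1;
  foreach (preg_grep('/^@/', (array) @$auth[$authid]) as $g) {
    $authlist[$g] = 1;
  }
  foreach (preg_grep('/^@/', (array) @$auth['*']) as $g) {
    $authlist[$g] = 1;
  }
  foreach (preg_grep('/^@/', array_keys($auth)) as $g) {
    # compare ids as exact strings: a loose match would treat numeric
    # look-alikes such as "7" and "007" as the same member
    if (in_array((string) $authid, array_map('strval', $auth[$g]), true)) {
      $authlist[$g] = 1;
    }
  }
  if (!empty($auth['htgroup'])) {
    foreach (AuthUserHtGroup($pagename, $id, $pw, $auth['htgroup']) as $g) {
      $authlist["@{$g}"] = 1;
    }
  }
  SessionAuth($pagename, array('authid' => $authid, 'authlist' => $authlist));
}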
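## PmWikiAuth reads $pagename and decides whether the current visitor is
## authorized for $level.
##
## Each level's password list is taken from the page, else from the
## group's attributes page, else from $DefaultPasswords; empty levels are
## then filled from $AuthCascade.  A level with no password at all is
## open.  Entries beginning with '@' or 'word:' are looked up in
## $AuthList (positive grants, negative refuses the level); every other
## entry is treated as a crypt() hash and tested against $AllowPassword
## and the passwords in $AuthPw.
##
## Returns the page array when authorized, false when the page cannot be
## read or when access is refused and $authprompt is false.  Otherwise it
## prints the password prompt and exits.
function PmWikiAuth($pagename, $level, $authprompt = true, $since = 0) {
  global $DefaultPasswords, $AllowPassword, $GroupAttributesFmt,
    $AuthCascade, $FmtV, $AuthPromptFmt, $PageStartFmt, $PageEndFmt,
    $AuthId, $AuthList, $AuthPw;
  static $grouppasswd;
  SDV($GroupAttributesFmt, '$Group/GroupAttributes');
  SDV($AllowPassword, 'nopass');
  $page = ReadPage($pagename, $since);
  if (!$page) {
    return false;
  }

  # Only a string password is usable as an array key below; anything else
  # (e.g. authpw[]=x) is ignored instead of raising an offset error.
  $postpw = (isset($_POST['authpw']) && is_string($_POST['authpw']))
            ? $_POST['authpw'] : '';

  # First call in this request: hand a posted password to the session layer.
  if (!isset($grouppasswd)) {
    SessionAuth($pagename,
                $postpw ? array('authpw' => array($postpw => 1)) : '');
  }
  if (@$AuthId) {
    $AuthList["id:{$AuthId}"] = 1;
    $AuthList["id:-{$AuthId}"] = -1;
    $AuthList["id:*"] = 1;
  }

  # Group-level (or site default) passwords, cached per attributes page.
  $groupattr = FmtPageName($GroupAttributesFmt, $pagename);
  if (!isset($grouppasswd[$groupattr])) {
    $grouppasswd[$groupattr] = array();
    $gp = ReadPage($groupattr, READPAGE_CURRENT);
    foreach ($DefaultPasswords as $k => $v) {
      $grouppasswd[$groupattr][$k] = isset($gp["passwd{$k}"])
        ? NormalizeAuth($gp["passwd{$k}"], 'group')
        : NormalizeAuth($v, 'site');
    }
  }

  # Page-level passwords override the group's; the '=pwsource' marker is
  # moved out of the list and kept on the page.
  foreach ($DefaultPasswords as $k => $v) {
    $passwd[$k] = isset($page["passwd{$k}"])
      ? NormalizeAuth($page["passwd{$k}"], 'page')
      : $grouppasswd[$groupattr][$k];
    $page['=pwsource'][$k] = @$passwd[$k]['=pwsource'];
    unset($passwd[$k]['=pwsource']);
  }
  $page['=passwd'] = $passwd;
  foreach ($AuthCascade as $k => $t) {
    if (!$passwd[$k] && $passwd[$t]) {
      $passwd[$k] = $passwd[$t];
      $page['=pwsource'][$k] = "cascade:{$t}";
    }
  }

  foreach ($passwd as $lv => $a) {
    if (!$a) {                       # no password set: level is open
      @$page['=auth'][$lv]++;
      continue;
    }
    foreach ((array) $a as $pwchal) {
      if (preg_match('/^@|^\\w+:/', $pwchal)) {
        if (@$AuthList[$pwchal] > 0) {
          @$page['=auth'][$lv]++;
          continue 2;
        }
        if (@$AuthList[$pwchal] < 0) {
          continue 2;                # explicit refusal ends this level
        }
        continue;
      }
      # Hashes are compared as exact strings.  A loose == would let two
      # numeric-looking strings compare equal by value.
      # NOTE(review): hash_equals() is preferable where the PHP version
      # provides it.
      $pwchal = (string) $pwchal;
      if (crypt($AllowPassword, $pwchal) === $pwchal) {
        @$page['=auth'][$lv]++;
        continue 2;
      }
      foreach ((array) $AuthPw as $pwresp) {
        if (crypt($pwresp, $pwchal) === $pwchal) {
          @$page['=auth'][$lv]++;
          continue 2;
        }
      }
    }
  }

  # Admin authorization implies every other level.
  if (@$page['=auth']['admin']) {
    foreach ($passwd as $lv => $a) {
      @$page['=auth'][$lv]++;
    }
  }
  if (@$page['=auth'][$level]) {
    return $page;
  }
  if (!$authprompt) {
    return false;
  }

  $GLOBALS['AuthNeeded'] = $postpw
    ? $page['=pwsource'][$level] . ' ' . $level : '';
  PCache($pagename, $page);

  # Carry the other posted fields through the prompt as hidden inputs.
  # Names sit in single-quoted attributes, so they need ENT_QUOTES; '$' is
  # turned into an entity so the text is not read as a format variable
  # when the prompt is printed.
  $postvars = '';
  foreach ($_POST as $k => $v) {
    $k = (string) $k;   # numeric keys arrive as ints; compare as strings
    if ($k === 'authpw' || $k === 'authid') {
      continue;
    }
    $name = str_replace('$', '&#036;',
                        htmlspecialchars(stripmagic($k), ENT_QUOTES));
    if (is_array($v)) {
      foreach ($v as $vk => $vv) {
        if (is_array($vv)) {
          continue;   # deeper nesting is not carried over
        }
        $vk = str_replace('$', '&#036;',
                htmlspecialchars(stripmagic((string) $vk), ENT_QUOTES));
        $vv = str_replace('$', '&#036;',
                htmlspecialchars(stripmagic($vv), ENT_COMPAT));
        $postvars .=
          "<input type='hidden' name='{$name}[{$vk}]' value=\"{$vv}\" />\n";
      }
      continue;
    }
    $v = str_replace('$', '&#036;',
                     htmlspecialchars(stripmagic($v), ENT_COMPAT));
    $postvars .= "<input type='hidden' name='{$name}' value=\"{$v}\" />\n";
  }
  $FmtV['$PostVars'] = $postvars;

  # The request URI is client-controlled and lands in a single-quoted
  # attribute inside a format string.
  $r = str_replace('$', '&#036;',
                   htmlspecialchars($_SERVER['REQUEST_URI'], ENT_QUOTES));
  SDV($AuthPromptFmt, array(&$PageStartFmt,
    "<p><b>\$[Password required]</b></p>\n"
    . " <form name='authform' action='{$r}' method='post'>\n"
    . " \$[Password]: <input tabindex='1' type='password' name='authpw' \n"
    . " value='' />\n"
    . " <input type='submit' value='OK' />\$PostVars</form>\n"
    . " <script language='javascript' type='text/javascript'><!--\n"
    . " document.authform.authpw.focus() //--></script>",
    &$PageEndFmt));
  PrintFmt($pagename, $AuthPromptFmt);
  exit;
}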
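## PmWikiAuth reads $pagename and decides whether the current visitor is
## authorized for $level.
##
## Returns the page array (with '=auth', '=passwd' and '=pwsource' filled
## in per level) when $level is 'ALWAYS' or the visitor is authorized,
## false when the page cannot be read or when access is refused and
## $authprompt is false.  Otherwise it prints the password prompt and
## exits.
##
## Everything echoed into the prompt (posted field names and values, the
## request URI) comes from the client and is HTML-escaped before output.
function PmWikiAuth($pagename, $level, $authprompt = true, $since = 0) {
  global $DefaultPasswords, $GroupAttributesFmt, $AllowPassword,
    $AuthCascade, $FmtV, $AuthPromptFmt, $PageStartFmt, $PageEndFmt,
    $AuthId, $AuthList, $NoHTMLCache;
  static $acache;
  SDV($GroupAttributesFmt, '$Group/GroupAttributes');
  SDV($AllowPassword, 'nopass');
  $page = ReadPage($pagename, $since);
  if (!$page) {
    return false;
  }

  # Only a string password is usable as an array key below; anything else
  # (e.g. authpw[]=x) is ignored instead of raising an offset error.
  $postpw = (isset($_POST['authpw']) && is_string($_POST['authpw']))
            ? $_POST['authpw'] : '';

  # First call in this request: hand a posted password to the session layer.
  if (!isset($acache)) {
    SessionAuth($pagename,
                $postpw ? array('authpw' => array($postpw => 1)) : '');
  }
  if (@$AuthId) {
    $AuthList["id:{$AuthId}"] = 1;
    $AuthList["id:-{$AuthId}"] = -1;
    $AuthList["id:*"] = 1;
  }

  ## To allow @_site_edit in GroupAttributes, we cache it first
  if (!isset($acache['@site'])) {
    foreach ($DefaultPasswords as $k => $v) {
      # seed for the site level; presumably 2 means "nothing set yet",
      # which is what the cascade step below tests for -- confirm against
      # IsAuthorized
      $x = array(2, array(), '');
      $acache['@site'][$k] = IsAuthorized($v, 'site', $x);
      $AuthList["@_site_{$k}"] = $acache['@site'][$k][0] ? 1 : 0;
    }
  }

  # Group results are cached per GroupAttributes page name.
  $gn = FmtPageName($GroupAttributesFmt, $pagename);
  if (!isset($acache[$gn])) {
    $gp = ReadPage($gn, READPAGE_CURRENT);
    foreach ($DefaultPasswords as $k => $v) {
      $acache[$gn][$k] =
        IsAuthorized(@$gp["passwd{$k}"], 'group', $acache['@site'][$k]);
    }
  }

  # Page level: IsAuthorized yields (auth, passwd, pwsource) per level.
  foreach ($DefaultPasswords as $k => $v) {
    list($page['=auth'][$k], $page['=passwd'][$k], $page['=pwsource'][$k]) =
      IsAuthorized(@$page["passwd{$k}"], 'page', $acache[$gn][$k]);
  }

  # A level still at 2 takes over the result of its cascade target.
  foreach ($AuthCascade as $k => $t) {
    if ($page['=auth'][$k] + 0 == 2) {
      $page['=auth'][$k] = $page['=auth'][$t];
      if ($page['=passwd'][$k] = $page['=passwd'][$t]) {       # assign
        $page['=pwsource'][$k] = "cascade:{$t}";
      }
    }
  }

  # Admin authorization implies every other level.
  if (@$page['=auth']['admin']) {
    foreach ($page['=auth'] as $lv => $a) {
      $page['=auth'][$lv] = 3;
    }
  }
  if (@$page['=passwd']['read']) {
    $NoHTMLCache |= 2;
  }
  if ($level == 'ALWAYS' || @$page['=auth'][$level]) {
    return $page;
  }
  if (!$authprompt) {
    return false;
  }

  $GLOBALS['AuthNeeded'] = $postpw
    ? $page['=pwsource'][$level] . ' ' . $level : '';
  PCache($pagename, $page);

  # Carry the other posted fields through the prompt as hidden inputs.
  # '$' is turned into an entity so posted text is not read as a format
  # variable when the prompt is printed.
  $postvars = '';
  foreach ($_POST as $k => $v) {
    $k = (string) $k;   # numeric keys arrive as ints; compare as strings
    if ($k === 'authpw' || $k === 'authid') {
      continue;
    }
    $k = PHSC(stripmagic($k), ENT_QUOTES);
    if (is_array($v)) {
      foreach ($v as $vk => $vv) {
        $vk = PHSC(stripmagic($vk), ENT_QUOTES);
        $vv = str_replace('$', '&#036;', PHSC(stripmagic($vv), ENT_COMPAT));
        $postvars .=
          "<input type='hidden' name='{$k}[{$vk}]' value=\"{$vv}\" />\n";
      }
    } else {
      $v = str_replace('$', '&#036;', PHSC(stripmagic($v), ENT_COMPAT));
      $postvars .= "<input type='hidden' name='{$k}' value=\"{$v}\" />\n";
    }
  }
  $FmtV['$PostVars'] = $postvars;

  # The request URI is client-controlled and lands in a single-quoted
  # attribute inside a format string.  Entity-escaping keeps the URL
  # intact once the browser decodes it; rewriting "'" to '%37' would have
  # turned every apostrophe into the digit 7 ('%27' is the apostrophe).
  $r = str_replace('$', '&#036;',
                   PHSC(stripmagic($_SERVER['REQUEST_URI']), ENT_QUOTES));
  SDV($AuthPromptFmt, array(&$PageStartFmt,
    "<p><b>\$[Password required]</b></p>\n"
    . " <form name='authform' action='{$r}' method='post'>\n"
    . " \$[Password]: <input tabindex='1' type='password' name='authpw' \n"
    . " value='' />\n"
    . " <input type='submit' value='\$[OK]' />\$PostVars</form>\n"
    . " <script language='javascript' type='text/javascript'><!--\n"
    . " document.authform.authpw.focus() //--></script>",
    &$PageEndFmt));
  PrintFmt($pagename, $AuthPromptFmt);
  exit;
}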
This file defines an alternate authentication scheme based on the HTTP Basic authentication protocol (i.e., the scheme used by default in PmWiki 1). */ ## If the webserver has already authenticated someone, then use ## that identifier for our authorization id. We also disable ## the use of the browser's Basic Auth form later, since it tends ## to confuse webservers. if (IsEnabled($EnableRemoteUserAuth, 1) && @$_SERVER['REMOTE_USER']) { SDV($EnableHTTPBasicAuth, 0); SDV($AuthId, $_SERVER['REMOTE_USER']); } ## If the browser supplied a password, add that password to the ## list of passwords used for authentication if (@$_SERVER['PHP_AUTH_PW']) { SessionAuth($pagename, array('authpw' => array($_SERVER['PHP_AUTH_PW'] => 1))); } ## $EnableHTTPBasicAuth tells PmWikiAuth to use the browser's ## HTTP Basic protocol prompt instead of a form-based prompt. if (IsEnabled($EnableHTTPBasicAuth, 1)) { SDV($AuthPromptFmt, 'function:HTTPBasicAuthPrompt'); } ## HTTPBasicAuthPrompt replaces PmWikiAuth's form-based password ## prompt with the browser-based HTTP Basic prompt. function HTTPBasicAuthPrompt($pagename) { global $AuthRealmFmt, $AuthDeniedFmt; SDV($AuthRealmFmt, $GLOBALS['WikiTitle']); SDV($AuthDeniedFmt, 'A valid password is required to access this feature.'); $realm = FmtPageName($AuthRealmFmt, $pagename); header("WWW-Authenticate: Basic realm=\"{$realm}\"");
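## AuthUserId establishes $id as the authenticated identity for the
## session and works out which @groups it belongs to.
##
## Called with exactly two arguments, $id is accepted without
## verification (the caller vouches for it).  Otherwise $pw is checked by
## the handlers in $AuthUserFunctions; the first handler that accepts
## wins.  On failure $GLOBALS['InvalidLogin'] is set and nothing is
## stored.  On success the id and its authorization list go to
## SessionAuth().
function AuthUserId($pagename, $id, $pw=NULL) {
  global $AuthUser, $AuthUserPageFmt, $AuthUserFunctions,
    $AuthId, $MessagesFmt, $AuthUserPat;

  $auth = array();
  foreach((array)$AuthUser as $k=>$v) $auth[$k] = (array)$v;
  $authid = '';
  # defined up front because it is handed to the auth handlers below
  $authlist = array();

  # load information from SiteAdmin.AuthUser (or page in $AuthUserPageFmt)
  SDV($AuthUserPageFmt, '$SiteAdminGroup.AuthUser');
  # the submitted id is registered as a key so that an $auth entry for
  # that id is handed to AuthUserConfig
  SDVA($AuthUserFunctions, array(
    'htpasswd' => 'AuthUserHtPasswd',
    'ldap' => 'AuthUserLDAP',
#    'mysql' => 'AuthUserMySQL',
    $id => 'AuthUserConfig'));

  SDV($AuthUserPat, "/^\\s*([@\\w][^\\s:]*):(.*)/m");
  $pn = FmtPageName($AuthUserPageFmt, $pagename);
  $apage = ReadPage($pn, READPAGE_CURRENT);
  if ($apage && preg_match_all($AuthUserPat,
                               $apage['text'], $matches, PREG_SET_ORDER)) {
    foreach($matches as $m) {
      if (!preg_match_all('/\\bldaps?:\\S+|[^\\s,]+/', $m[2], $v))
        continue;
      # square brackets: the {0} string-offset form no longer parses on
      # PHP 8
      if ($m[1][0] == '@')
        foreach($v[0] as $g) $auth[$g][] = $m[1];
      else $auth[$m[1]] = array_merge((array)@$auth[$m[1]], $v[0]);
    }
  }

  if (func_num_args()==2) $authid = $id;
  else
    foreach($AuthUserFunctions as $k => $fn)
      if (@$auth[$k] && $fn($pagename, $id, $pw, $auth[$k], $authlist))
        { $authid = $id; break; }

  if (!$authid) { $GLOBALS['InvalidLogin'] = 1; return; }
  if (!isset($AuthId)) $AuthId = $authid;
  $authlist["id:$authid"] = 1;
  $authlist["id:-$authid"] = -1;
  foreach(preg_grep('/^@/', (array)@$auth[$authid]) as $g)
    $authlist[$g] = 1;
  foreach(preg_grep('/^@/', (array)@$auth['*']) as $g)
    $authlist[$g] = 1;
  foreach(preg_grep('/^@/', array_keys($auth)) as $g) # useless? PITS:01201
    # compare ids as exact strings: a loose match would treat numeric
    # look-alikes such as "7" and "007" as the same member
    if (in_array((string)$authid, array_map('strval', $auth[$g]), true))
      $authlist[$g] = 1;
  if (!empty($auth['htgroup'])) {
    foreach(AuthUserHtGroup($pagename, $id, $pw, $auth['htgroup']) as $g)
      $authlist["@$g"] = 1;
  }
  # a "-id: @group" entry takes the group away again, after all grants
  foreach(preg_grep('/^@/', (array)@$auth["-$authid"]) as $g)
    unset($authlist[$g]);
  SessionAuth($pagename, array('authid' => $authid, 'authlist' => $authlist));
}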