html/includes/authentication/mysql.inc.php

<?php


function authenticate($username, $password)
{
    $encrypted_old = md5($password);
    $row           = dbFetchRow('SELECT username,password FROM `users` WHERE `username`= ?', array($username), true);
    if ($row['username'] && $row['username'] == $username) {
        // Migrate from old, unhashed password
        if ($row['password'] == $encrypted_old) {
            $row_type = dbFetchRow('DESCRIBE users password');
            if ($row_type['Type'] == 'varchar(34)') {
                changepassword($username, $password);
            }

            return 1;
        } elseif (substr($row['password'], 0, 3) == '$1$') {
            $row_type = dbFetchRow('DESCRIBE users password');
            if ($row_type['Type'] == 'varchar(60)') {
                if ($row['password'] == crypt($password, $row['password'])) {
                    changepassword($username, $password);
                }
            }
        }

        $hasher = new PasswordHash(8, false);
        if ($hasher->CheckPassword($password, $row['password'])) {
            return 1;
        }
    }//end if

    return 0;
}//end authenticate()


function reauthenticate($sess_id, $token)
{
    list($uname,$hash) = explode('|', $token);
    $session           = dbFetchRow("SELECT * FROM `session` WHERE `session_username` = '$uname' AND session_value='$sess_id'", array(), true);
    $hasher            = new PasswordHash(8, false);
    if ($hasher->CheckPassword($uname.$session['session_token'], $hash)) {
        $_SESSION['username'] = $uname;
        return 1;
    } else {
        return 0;
    }
}//end reauthenticate()


function passwordscanchange($username = '')
{
    /*
     * By default allow the password to be modified, unless the existing
     * user is explicitly prohibited to do so.
     */

    if (empty($username) || !user_exists($username)) {
        return 1;
    } else {
        return dbFetchCell('SELECT can_modify_passwd FROM users WHERE username = ?', array($username), true);
    }
}//end passwordscanchange()


/**
 * From: http://code.activestate.com/recipes/576894-generate-a-salt/
 * This function generates a password salt as a string of x (default = 15) characters
 * ranging from a-zA-Z0-9.
 * @param $max integer The number of characters in the string
 * @author AfroSoft <scripts@afrosoft.co.cc>
 */
function generateSalt($max = 15)
{
    $characterList = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
    $i             = 0;
    $salt          = '';
    do {
        $salt .= $characterList{mt_rand(0, strlen($characterList))};
        $i++;
    } while ($i <= $max);

    return $salt;
}//end generateSalt()


function changepassword($username, $password)
{
    $hasher    = new PasswordHash(8, false);
    $encrypted = $hasher->HashPassword($password);
    return dbUpdate(array('password' => $encrypted), 'users', '`username` = ?', array($username));
}//end changepassword()


function auth_usermanagement()
{
    return 1;
}//end auth_usermanagement()


function adduser($username, $password, $level, $email = '', $realname = '', $can_modify_passwd = 1, $description = '', $twofactor = 0)
{
    if (!user_exists($username)) {
        $hasher    = new PasswordHash(8, false);
        $encrypted = $hasher->HashPassword($password);
        $userid    = dbInsert(array('username' => $username, 'password' => $encrypted, 'level' => $level, 'email' => $email, 'realname' => $realname, 'can_modify_passwd' => $can_modify_passwd, 'descr' => $description, 'twofactor' => $twofactor), 'users');
        if ($userid == false) {
            return false;
        } else {
            foreach (dbFetchRows('select notifications.* from notifications where not exists( select 1 from notifications_attribs where notifications.notifications_id = notifications_attribs.notifications_id and notifications_attribs.user_id = ?) order by notifications.notifications_id desc', array($userid)) as $notif) {
                dbInsert(array('notifications_id'=>$notif['notifications_id'],'user_id'=>$userid,'key'=>'read','value'=>1), 'notifications_attribs');
            }
        }
        return $userid;
    } else {
        return false;
    }
}//end adduser()


function user_exists($username)
{
    $return = @dbFetchCell('SELECT COUNT(*) FROM users WHERE username = ?', array($username), true);
    return $return;
}//end user_exists()


function get_userlevel($username)
{
    return dbFetchCell('SELECT `level` FROM `users` WHERE `username` = ?', array($username), true);
}//end get_userlevel()


function get_userid($username)
{
    return dbFetchCell('SELECT `user_id` FROM `users` WHERE `username` = ?', array($username), true);
}//end get_userid()


function deluser($username)
{
    dbDelete('bill_perms', '`user_name` =  ?', array($username));
    dbDelete('devices_perms', '`user_name` =  ?', array($username));
    dbDelete('ports_perms', '`user_name` =  ?', array($username));
    dbDelete('users_prefs', '`user_name` =  ?', array($username));
    dbDelete('users', '`user_name` =  ?', array($username));

    return dbDelete('users', '`username` =  ?', array($username));
}//end deluser()


function get_userlist()
{
    return dbFetchRows('SELECT * FROM `users`');
}//end get_userlist()


function can_update_users()
{
    // supported so return 1
    return 1;
}//end can_update_users()


function get_user($user_id)
{
    return dbFetchRow('SELECT * FROM `users` WHERE `user_id` = ?', array($user_id), true);
}//end get_user()


function update_user($user_id, $realname, $level, $can_modify_passwd, $email)
{
    dbUpdate(array('realname' => $realname, 'level' => $level, 'can_modify_passwd' => $can_modify_passwd, 'email' => $email), 'users', '`user_id` = ?', array($user_id));
}//end update_user()
auth modules! please test http-auth again, i haven't, but i think i got it right... git-svn-id: http://www.observium.org/svn/observer/trunk@973 61d68cd4-352d-0410-923a-c4978735b2b8 2010-02-28 13:04:07 +00:00			`<?php`

Fix coding style part 2 2015-07-13 20:10:26 +02:00
PSR2 Cleanup: /html edition Travis tests for code conformance. Ignore warnings for now. Fixed all errors, left most warnings. 2016-08-18 20:28:22 -05:00			`function authenticate($username, $password)`
			`{`
Fix coding style part 2 2015-07-13 20:10:26 +02:00			`$encrypted_old = md5($password);`
Added `$nocache` parameter Fixed typo in caching Excluded caching for MySQL-Authentication & /poll-log/ 2015-09-30 15:20:06 +00:00			$row = dbFetchRow('SELECT username,password FROM `users` WHERE `username`= ?', array($username), true);
Fix coding style part 2 2015-07-13 20:10:26 +02:00			`if ($row['username'] && $row['username'] == $username) {`
			`// Migrate from old, unhashed password`
			`if ($row['password'] == $encrypted_old) {`
			`$row_type = dbFetchRow('DESCRIBE users password');`
			`if ($row_type['Type'] == 'varchar(34)') {`
			`changepassword($username, $password);`
			`}`

			`return 1;`
PSR2 Cleanup: /html edition Travis tests for code conformance. Ignore warnings for now. Fixed all errors, left most warnings. 2016-08-18 20:28:22 -05:00			`} elseif (substr($row['password'], 0, 3) == '$1$') {`
Fix coding style part 2 2015-07-13 20:10:26 +02:00			`$row_type = dbFetchRow('DESCRIBE users password');`
			`if ($row_type['Type'] == 'varchar(60)') {`
			`if ($row['password'] == crypt($password, $row['password'])) {`
			`changepassword($username, $password);`
			`}`
			`}`
			`}`

			`$hasher = new PasswordHash(8, false);`
			`if ($hasher->CheckPassword($password, $row['password'])) {`
			`return 1;`
Updated mysql auth to use PHPass 2014-02-03 10:45:34 +00:00			`}`
Fix coding style part 2 2015-07-13 20:10:26 +02:00			`}//end if`

			`return 0;`
			`}//end authenticate()`


PSR2 Cleanup: /html edition Travis tests for code conformance. Ignore warnings for now. Fixed all errors, left most warnings. 2016-08-18 20:28:22 -05:00			`function reauthenticate($sess_id, $token)`
			`{`
Fix coding style part 2 2015-07-13 20:10:26 +02:00			`list($uname,$hash) = explode('\|', $token);`
Added `$nocache` parameter Fixed typo in caching Excluded caching for MySQL-Authentication & /poll-log/ 2015-09-30 15:20:06 +00:00			$session = dbFetchRow("SELECT * FROM `session` WHERE `session_username` = '$uname' AND session_value='$sess_id'", array(), true);
Fix coding style part 2 2015-07-13 20:10:26 +02:00			`$hasher = new PasswordHash(8, false);`
			`if ($hasher->CheckPassword($uname.$session['session_token'], $hash)) {`
			`$_SESSION['username'] = $uname;`
			`return 1;`
PSR2 Cleanup: /html edition Travis tests for code conformance. Ignore warnings for now. Fixed all errors, left most warnings. 2016-08-18 20:28:22 -05:00			`} else {`
Fix coding style part 2 2015-07-13 20:10:26 +02:00			`return 0;`
change from unsalted md5 to salted md5 passwords, migrating passwords as authentication succeeds git-svn-id: http://www.observium.org/svn/observer/trunk@1936 61d68cd4-352d-0410-923a-c4978735b2b8 2011-03-19 20:23:23 +00:00			`}`
Fix coding style part 2 2015-07-13 20:10:26 +02:00			`}//end reauthenticate()`


PSR2 Cleanup: /html edition Travis tests for code conformance. Ignore warnings for now. Fixed all errors, left most warnings. 2016-08-18 20:28:22 -05:00			`function passwordscanchange($username = '')`
			`{`
Fix coding style part 2 2015-07-13 20:10:26 +02:00			`/*`
			`* By default allow the password to be modified, unless the existing`
			`* user is explicitly prohibited to do so.`
			`*/`

			`if (empty($username) \|\| !user_exists($username)) {`
			`return 1;`
PSR2 Cleanup: /html edition Travis tests for code conformance. Ignore warnings for now. Fixed all errors, left most warnings. 2016-08-18 20:28:22 -05:00			`} else {`
Added `$nocache` parameter Fixed typo in caching Excluded caching for MySQL-Authentication & /poll-log/ 2015-09-30 15:20:06 +00:00			`return dbFetchCell('SELECT can_modify_passwd FROM users WHERE username = ?', array($username), true);`
Fix coding style part 2 2015-07-13 20:10:26 +02:00			`}`
			`}//end passwordscanchange()`

change password option in the auth modules, not used in the webinterface yet git-svn-id: http://www.observium.org/svn/observer/trunk@990 61d68cd4-352d-0410-923a-c4978735b2b8 2010-03-06 00:00:05 +00:00
change from unsalted md5 to salted md5 passwords, migrating passwords as authentication succeeds git-svn-id: http://www.observium.org/svn/observer/trunk@1936 61d68cd4-352d-0410-923a-c4978735b2b8 2011-03-19 20:23:23 +00:00			`/**`
			`* From: http://code.activestate.com/recipes/576894-generate-a-salt/`
			`* This function generates a password salt as a string of x (default = 15) characters`
			`* ranging from a-zA-Z0-9.`
			`* @param $max integer The number of characters in the string`
			`* @author AfroSoft <scripts@afrosoft.co.cc>`
			`*/`
PSR2 Cleanup: /html edition Travis tests for code conformance. Ignore warnings for now. Fixed all errors, left most warnings. 2016-08-18 20:28:22 -05:00			`function generateSalt($max = 15)`
			`{`
Fix coding style part 2 2015-07-13 20:10:26 +02:00			`$characterList = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';`
			`$i = 0;`
			`$salt = '';`
			`do {`
			`$salt .= $characterList{mt_rand(0, strlen($characterList))};`
			`$i++;`
			`} while ($i <= $max);`

			`return $salt;`
			`}//end generateSalt()`


PSR2 Cleanup: /html edition Travis tests for code conformance. Ignore warnings for now. Fixed all errors, left most warnings. 2016-08-18 20:28:22 -05:00			`function changepassword($username, $password)`
			`{`
Fix coding style part 2 2015-07-13 20:10:26 +02:00			`$hasher = new PasswordHash(8, false);`
Updated mysql auth to use PHPass 2014-02-03 10:45:34 +00:00			`$encrypted = $hasher->HashPassword($password);`
Fix coding style part 2 2015-07-13 20:10:26 +02:00			return dbUpdate(array('password' => $encrypted), 'users', '`username` = ?', array($username));
			`}//end changepassword()`


PSR2 Cleanup: /html edition Travis tests for code conformance. Ignore warnings for now. Fixed all errors, left most warnings. 2016-08-18 20:28:22 -05:00			`function auth_usermanagement()`
			`{`
Fix coding style part 2 2015-07-13 20:10:26 +02:00			`return 1;`
			`}//end auth_usermanagement()`


PSR2 Cleanup: /html edition Travis tests for code conformance. Ignore warnings for now. Fixed all errors, left most warnings. 2016-08-18 20:28:22 -05:00			`function adduser($username, $password, $level, $email = '', $realname = '', $can_modify_passwd = 1, $description = '', $twofactor = 0)`
			`{`
Fix coding style part 2 2015-07-13 20:10:26 +02:00			`if (!user_exists($username)) {`
			`$hasher = new PasswordHash(8, false);`
			`$encrypted = $hasher->HashPassword($password);`
Automatically mark all news as read for new users Renamed Schema for old system 2015-11-21 11:40:24 +00:00			`$userid = dbInsert(array('username' => $username, 'password' => $encrypted, 'level' => $level, 'email' => $email, 'realname' => $realname, 'can_modify_passwd' => $can_modify_passwd, 'descr' => $description, 'twofactor' => $twofactor), 'users');`
			`if ($userid == false) {`
			`return false;`
PSR2 Cleanup: /html edition Travis tests for code conformance. Ignore warnings for now. Fixed all errors, left most warnings. 2016-08-18 20:28:22 -05:00			`} else {`
			`foreach (dbFetchRows('select notifications.* from notifications where not exists( select 1 from notifications_attribs where notifications.notifications_id = notifications_attribs.notifications_id and notifications_attribs.user_id = ?) order by notifications.notifications_id desc', array($userid)) as $notif) {`
			`dbInsert(array('notifications_id'=>$notif['notifications_id'],'user_id'=>$userid,'key'=>'read','value'=>1), 'notifications_attribs');`
Automatically mark all news as read for new users Renamed Schema for old system 2015-11-21 11:40:24 +00:00			`}`
			`}`
			`return $userid;`
PSR2 Cleanup: /html edition Travis tests for code conformance. Ignore warnings for now. Fixed all errors, left most warnings. 2016-08-18 20:28:22 -05:00			`} else {`
Fix coding style part 2 2015-07-13 20:10:26 +02:00			`return false;`
			`}`
			`}//end adduser()`


PSR2 Cleanup: /html edition Travis tests for code conformance. Ignore warnings for now. Fixed all errors, left most warnings. 2016-08-18 20:28:22 -05:00			`function user_exists($username)`
			`{`
Added `$nocache` parameter Fixed typo in caching Excluded caching for MySQL-Authentication & /poll-log/ 2015-09-30 15:20:06 +00:00			`$return = @dbFetchCell('SELECT COUNT(*) FROM users WHERE username = ?', array($username), true);`
Fix coding style part 2 2015-07-13 20:10:26 +02:00			`return $return;`
			`}//end user_exists()`


PSR2 Cleanup: /html edition Travis tests for code conformance. Ignore warnings for now. Fixed all errors, left most warnings. 2016-08-18 20:28:22 -05:00			`function get_userlevel($username)`
			`{`
Added `$nocache` parameter Fixed typo in caching Excluded caching for MySQL-Authentication & /poll-log/ 2015-09-30 15:20:06 +00:00			return dbFetchCell('SELECT `level` FROM `users` WHERE `username` = ?', array($username), true);
Fix coding style part 2 2015-07-13 20:10:26 +02:00			`}//end get_userlevel()`


PSR2 Cleanup: /html edition Travis tests for code conformance. Ignore warnings for now. Fixed all errors, left most warnings. 2016-08-18 20:28:22 -05:00			`function get_userid($username)`
			`{`
Added `$nocache` parameter Fixed typo in caching Excluded caching for MySQL-Authentication & /poll-log/ 2015-09-30 15:20:06 +00:00			return dbFetchCell('SELECT `user_id` FROM `users` WHERE `username` = ?', array($username), true);
Fix coding style part 2 2015-07-13 20:10:26 +02:00			`}//end get_userid()`


PSR2 Cleanup: /html edition Travis tests for code conformance. Ignore warnings for now. Fixed all errors, left most warnings. 2016-08-18 20:28:22 -05:00			`function deluser($username)`
			`{`
Fix coding style part 2 2015-07-13 20:10:26 +02:00			dbDelete('bill_perms', '`user_name` = ?', array($username));
			dbDelete('devices_perms', '`user_name` = ?', array($username));
			dbDelete('ports_perms', '`user_name` = ?', array($username));
			dbDelete('users_prefs', '`user_name` = ?', array($username));
			dbDelete('users', '`user_name` = ?', array($username));

			return dbDelete('users', '`username` = ?', array($username));
			`}//end deluser()`


PSR2 Cleanup: /html edition Travis tests for code conformance. Ignore warnings for now. Fixed all errors, left most warnings. 2016-08-18 20:28:22 -05:00			`function get_userlist()`
			`{`
Fix coding style part 2 2015-07-13 20:10:26 +02:00			return dbFetchRows('SELECT * FROM `users`');
			`}//end get_userlist()`


PSR2 Cleanup: /html edition Travis tests for code conformance. Ignore warnings for now. Fixed all errors, left most warnings. 2016-08-18 20:28:22 -05:00			`function can_update_users()`
			`{`
Fix coding style part 2 2015-07-13 20:10:26 +02:00			`// supported so return 1`
			`return 1;`
			`}//end can_update_users()`


PSR2 Cleanup: /html edition Travis tests for code conformance. Ignore warnings for now. Fixed all errors, left most warnings. 2016-08-18 20:28:22 -05:00			`function get_user($user_id)`
			`{`
Added `$nocache` parameter Fixed typo in caching Excluded caching for MySQL-Authentication & /poll-log/ 2015-09-30 15:20:06 +00:00			return dbFetchRow('SELECT * FROM `users` WHERE `user_id` = ?', array($user_id), true);
Fix coding style part 2 2015-07-13 20:10:26 +02:00			`}//end get_user()`


PSR2 Cleanup: /html edition Travis tests for code conformance. Ignore warnings for now. Fixed all errors, left most warnings. 2016-08-18 20:28:22 -05:00			`function update_user($user_id, $realname, $level, $can_modify_passwd, $email)`
			`{`
Fix coding style part 2 2015-07-13 20:10:26 +02:00			dbUpdate(array('realname' => $realname, 'level' => $level, 'can_modify_passwd' => $can_modify_passwd, 'email' => $email), 'users', '`user_id` = ?', array($user_id));
			`}//end update_user()`