[ Index ]

PHP Cross Reference of BackPress

title

Body

[close]

/includes/ -> class.wp-auth.php (source)

   1  <?php
   2  class WP_Auth
   3  {
   4      var $db; // BBPDB object
   5      var $users; // WP_Users object
   6  
   7      var $cookies;
   8  
   9      var $current = 0;
  10  
  11  	function WP_Auth( &$db, &$users, $cookies )
  12      {
  13          self::__construct( $db, $users, $cookies );
  14      }
  15  
  16      /**
  17       * @param array $cookies Array indexed by internal name of cookie.  Values are arrays of array defining cookie parameters.
  18       * $cookies = array(
  19       *    'auth' => array(
  20       *        0 => array(
  21       *            'domain' => (string) cookie domain
  22       *            'path' => (string) cookie path
  23       *            'name' => (string) cookie name
  24       *            'secure' => (bool) restrict cookie to HTTPS only
  25       *        )
  26       *    )
  27       * );
  28       *
  29       * At least one cookie is required.  Give it an internal name of 'auth'.
  30       *
  31       * Suggested cookie structure:
  32       *     logged_in: whether or not a user is logged in.  Send everywhere.
  33       *    auth: used to authorize user's actions.  Send only to domains/paths that need it (e.g. wp-admin/)
  34       *    secure_auth: used to authorize user's actions.  Send only to domains/paths that need it and only over HTTPS
  35       *
  36       * You should be very careful when setting cookie domain to ensure that it always follows the rules set out in
  37       * the {@link http://curl.haxx.se/rfc/cookie_spec.html Set Cookie spec}.  In most cases it is best to leave cookie
  38       * set to false and allow for user configuration to define a cookie domain in a configuration file when
  39       * cross subdomain cookies are required.
  40       * 
  41       * @link 
  42       */
  43  	function __construct( &$db, &$users, $cookies )
  44      {
  45          $this->db =& $db;
  46          $this->users =& $users;
  47          
  48          $cookies = wp_parse_args( $cookies, array( 'auth' => null ) );
  49          $_cookies = array();
  50          foreach ( $cookies as $_scheme => $_scheme_cookies ) {
  51              foreach ( $_scheme_cookies as $_scheme_cookie ) {
  52                  $_cookies[$_scheme][] = wp_parse_args( $_scheme_cookie, array( 'domain' => null, 'path' => null, 'name' => '' ) );
  53              }
  54              unset( $_scheme_cookie );
  55          }
  56          unset( $_scheme, $_scheme_cookies );
  57          $this->cookies = $_cookies;
  58          unset( $_cookies );
  59      }
  60  
  61      /**
  62       * Changes the current user by ID or name
  63       *
  64       * Set $id to null and specify a name if you do not know a user's ID
  65       *
  66       * Some WordPress functionality is based on the current user and
  67       * not based on the signed in user. Therefore, it opens the ability
  68       * to edit and perform actions on users who aren't signed in.
  69       *
  70       * @since 2.0.4
  71       * @uses do_action() Calls 'set_current_user' hook after setting the current user.
  72       *
  73       * @param int $id User ID
  74       * @param string $name User's username
  75       * @return BP_User Current user User object
  76       */
  77  	function set_current_user( $user_id )
  78      {
  79          $user = $this->users->get_user( $user_id );
  80          if ( !$user || is_wp_error( $user ) ) {
  81              $this->current = 0;
  82              return $this->current;
  83          }
  84  
  85          $user_id = $user->ID;
  86  
  87          if ( isset( $this->current->ID ) && $user_id == $this->current->ID ) {
  88              return $this->current;
  89          }
  90  
  91          if ( class_exists( 'BP_User' ) ) {
  92              $this->current = new BP_User( $user_id );
  93          } else {
  94              $this->current =& $user;
  95          }
  96  
  97          // WP add_action( 'set_current_user', 'setup_userdata', 1 );
  98  
  99          do_action( 'set_current_user', $user_id );
 100  
 101          return $this->current;
 102      }
 103  
 104      /**
 105       * Populate variables with information about the currently logged in user
 106       *
 107       * Will set the current user, if the current user is not set. The current
 108       * user will be set to the logged in person. If no user is logged in, then
 109       * it will set the current user to 0, which is invalid and won't have any
 110       * permissions.
 111        *
 112       * @since 0.71
 113        * @uses $current_user Checks if the current user is set
 114        * @uses wp_validate_auth_cookie() Retrieves current logged in user.
 115        *
 116        * @return bool|null False on XMLRPC Request and invalid auth cookie. Null when current user set
 117        */
 118  	function get_current_user()
 119      {
 120          if ( !empty( $this->current ) ) {
 121              return $this->current;
 122          }
 123  
 124          if ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST ) {
 125              $this->set_current_user( 0 );
 126          } elseif ( $user_id = $this->validate_auth_cookie( null, 'logged_in' ) ) {
 127              $this->set_current_user( $user_id );
 128          } else {
 129              $this->set_current_user( 0 );
 130          }
 131  
 132          return $this->current;
 133      }
 134  
 135      /**
 136       * Validates authentication cookie
 137       *
 138       * The checks include making sure that the authentication cookie
 139       * is set and pulling in the contents (if $cookie is not used).
 140       *
 141       * Makes sure the cookie is not expired. Verifies the hash in
 142       * cookie is what is should be and compares the two.
 143       *
 144       * @since 2.5
 145       *
 146       * @param string $cookie Optional. If used, will validate contents instead of cookie's
 147       * @return bool|int False if invalid cookie, User ID if valid.
 148       */
 149  	function validate_auth_cookie( $cookie = null, $scheme = 'auth' )
 150      {
 151          if ( empty( $cookie ) ) {
 152              foreach ( $this->cookies[$scheme] as $_scheme_cookie ) {
 153                  // Take the first cookie of type scheme that exists
 154                  if ( !empty( $_COOKIE[$_scheme_cookie['name']] ) ) {
 155                      $cookie = $_COOKIE[$_scheme_cookie['name']];
 156                      break;
 157                  }
 158              }
 159          }
 160          
 161          if ( !$cookie ) {
 162              return false;
 163          }
 164  
 165          $cookie_elements = explode( '|', $cookie );
 166          if ( count( $cookie_elements ) != 3 ) {
 167              do_action( 'auth_cookie_malformed', $cookie, $scheme );
 168              return false;
 169          }
 170  
 171          list( $username, $expiration, $hmac ) = $cookie_elements;
 172  
 173          $expired = $expiration;
 174  
 175          // Allow a grace period for POST and AJAX requests
 176          if ( defined( 'DOING_AJAX' ) || 'POST' == $_SERVER['REQUEST_METHOD'] ) {
 177              $expired += 3600;
 178          }
 179  
 180          if ( $expired < time() ) {
 181              do_action( 'auth_cookie_expired', $cookie_elements );
 182              return false;
 183          }
 184  
 185          $user = $this->users->get_user( $username, array( 'by' => 'login' ) );
 186          if ( !$user || is_wp_error( $user ) ) {
 187              do_action( 'auth_cookie_bad_username', $cookie_elements );
 188              return $user;
 189          }
 190  
 191          $pass_frag = '';
 192          if ( 1 < WP_AUTH_COOKIE_VERSION ) {
 193              $pass_frag = substr( $user->user_pass, 8, 4 );
 194          }
 195  
 196          $key  = call_user_func( backpress_get_option( 'hash_function_name' ), $username . $pass_frag . '|' . $expiration, $scheme );
 197          $hash = hash_hmac( 'md5', $username . '|' . $expiration, $key );
 198      
 199          if ( $hmac != $hash ) {
 200              do_action( 'auth_cookie_bad_hash', $cookie_elements );
 201              return false;
 202          }
 203  
 204          do_action( 'auth_cookie_valid', $cookie_elements, $user );
 205  
 206          return $user->ID;
 207      }
 208  
 209      /**
 210       * Generate authentication cookie contents
 211       *
 212       * @since 2.5
 213       * @uses apply_filters() Calls 'auth_cookie' hook on $cookie contents, User ID
 214       *        and expiration of cookie.
 215       *
 216       * @param int $user_id User ID
 217       * @param int $expiration Cookie expiration in seconds
 218       * @return string Authentication cookie contents
 219       */
 220  	function generate_auth_cookie( $user_id, $expiration, $scheme = 'auth' )
 221      {
 222          $user = $this->users->get_user( $user_id );
 223          if ( !$user || is_wp_error( $user ) ) {
 224              return $user;
 225          }
 226  
 227          $pass_frag = '';
 228          if ( 1 < WP_AUTH_COOKIE_VERSION ) {
 229              $pass_frag = substr( $user->user_pass, 8, 4 );
 230          }
 231  
 232          $key  = call_user_func( backpress_get_option( 'hash_function_name' ), $user->user_login . $pass_frag . '|' . $expiration, $scheme );
 233          $hash = hash_hmac('md5', $user->user_login . '|' . $expiration, $key);
 234  
 235          $cookie = $user->user_login . '|' . $expiration . '|' . $hash;
 236  
 237          return apply_filters( 'auth_cookie', $cookie, $user_id, $expiration, $scheme );
 238      }
 239  
 240      /**
 241       * Sets the authentication cookies based User ID
 242       *
 243       * The $remember parameter increases the time that the cookie will
 244       * be kept. The default the cookie is kept without remembering is
 245       * two days. When $remember is set, the cookies will be kept for
 246       * 14 days or two weeks.
 247       *
 248       * @since 2.5
 249       *
 250       * @param int $user_id User ID
 251       * @param int $expiration the UNIX time after which the cookie's authentication token is no longer valid
 252       * @param int $expire the UNIX time at which the cookie expires
 253       * @param int $scheme name of the 
 254       */
 255  	function set_auth_cookie( $user_id, $expiration = 0, $expire = 0, $scheme = 'auth' )
 256      {
 257          if ( !isset( $this->cookies[$scheme] ) ) {
 258              return;
 259          }
 260  
 261          if ( !$expiration = absint( $expiration ) ) {
 262              $expiration = time() + 172800; // 2 days
 263          }
 264  
 265          $expire = absint( $expire );
 266  
 267          foreach ( $this->cookies[$scheme] as $_cookie ) {
 268              $cookie = $this->generate_auth_cookie( $user_id, $expiration, $scheme );
 269              if ( is_wp_error( $cookie ) ) {
 270                  return $cookie;
 271              }
 272  
 273              do_action( 'set_' . $scheme . '_cookie', $cookie, $expire, $expiration, $user_id, $scheme );
 274  
 275              $domain = $_cookie['domain'];
 276              $secure = isset($_cookie['secure']) ? (bool) $_cookie['secure'] : false;
 277  
 278              // Set httponly if the php version is >= 5.2.0
 279              if ( version_compare( phpversion(), '5.2.0', 'ge' ) ) {
 280                  backpress_set_cookie( $_cookie['name'], $cookie, $expire, $_cookie['path'], $domain, $secure, true );
 281              } else {
 282                  $domain = ( empty( $domain ) ) ? $domain : $domain . '; HttpOnly';
 283                  backpress_set_cookie( $_cookie['name'], $cookie, $expire, $_cookie['path'], $domain, $secure );
 284              }
 285          }
 286          unset( $_cookie );
 287      }
 288  
 289      /**
 290       * Deletes all of the cookies associated with authentication
 291       *
 292       * @since 2.5
 293       */
 294  	function clear_auth_cookie()
 295      {
 296          do_action( 'clear_auth_cookie' );
 297          foreach ( $this->cookies as $_scheme => $_scheme_cookies ) {
 298              foreach ( $_scheme_cookies as $_cookie ) {
 299                  backpress_set_cookie( $_cookie['name'], ' ', time() - 31536000, $_cookie['path'], $_cookie['domain'] );
 300              }
 301              unset( $_cookie );
 302          }
 303          unset( $_scheme, $_scheme_cookies );
 304      }
 305  }


Generated: Wed Dec 19 01:01:51 2018 Cross-referenced by PHPXref 0.7.1