[ Index ] |
PHP Cross Reference of BackPress |
[Summary view] [Print] [Text view]
1 <?php 2 class WP_Auth 3 { 4 var $db; // BBPDB object 5 var $users; // WP_Users object 6 7 var $cookies; 8 9 var $current = 0; 10 11 function WP_Auth( &$db, &$users, $cookies ) 12 { 13 self::__construct( $db, $users, $cookies ); 14 } 15 16 /** 17 * @param array $cookies Array indexed by internal name of cookie. Values are arrays of array defining cookie parameters. 18 * $cookies = array( 19 * 'auth' => array( 20 * 0 => array( 21 * 'domain' => (string) cookie domain 22 * 'path' => (string) cookie path 23 * 'name' => (string) cookie name 24 * 'secure' => (bool) restrict cookie to HTTPS only 25 * ) 26 * ) 27 * ); 28 * 29 * At least one cookie is required. Give it an internal name of 'auth'. 30 * 31 * Suggested cookie structure: 32 * logged_in: whether or not a user is logged in. Send everywhere. 33 * auth: used to authorize user's actions. Send only to domains/paths that need it (e.g. wp-admin/) 34 * secure_auth: used to authorize user's actions. Send only to domains/paths that need it and only over HTTPS 35 * 36 * You should be very careful when setting cookie domain to ensure that it always follows the rules set out in 37 * the {@link http://curl.haxx.se/rfc/cookie_spec.html Set Cookie spec}. In most cases it is best to leave cookie 38 * set to false and allow for user configuration to define a cookie domain in a configuration file when 39 * cross subdomain cookies are required. 40 * 41 * @link 42 */ 43 function __construct( &$db, &$users, $cookies ) 44 { 45 $this->db =& $db; 46 $this->users =& $users; 47 48 $cookies = wp_parse_args( $cookies, array( 'auth' => null ) ); 49 $_cookies = array(); 50 foreach ( $cookies as $_scheme => $_scheme_cookies ) { 51 foreach ( $_scheme_cookies as $_scheme_cookie ) { 52 $_cookies[$_scheme][] = wp_parse_args( $_scheme_cookie, array( 'domain' => null, 'path' => null, 'name' => '' ) ); 53 } 54 unset( $_scheme_cookie ); 55 } 56 unset( $_scheme, $_scheme_cookies ); 57 $this->cookies = $_cookies; 58 unset( $_cookies ); 59 } 60 61 /** 62 * Changes the current user by ID or name 63 * 64 * Set $id to null and specify a name if you do not know a user's ID 65 * 66 * Some WordPress functionality is based on the current user and 67 * not based on the signed in user. Therefore, it opens the ability 68 * to edit and perform actions on users who aren't signed in. 69 * 70 * @since 2.0.4 71 * @uses do_action() Calls 'set_current_user' hook after setting the current user. 72 * 73 * @param int $id User ID 74 * @param string $name User's username 75 * @return BP_User Current user User object 76 */ 77 function set_current_user( $user_id ) 78 { 79 $user = $this->users->get_user( $user_id ); 80 if ( !$user || is_wp_error( $user ) ) { 81 $this->current = 0; 82 return $this->current; 83 } 84 85 $user_id = $user->ID; 86 87 if ( isset( $this->current->ID ) && $user_id == $this->current->ID ) { 88 return $this->current; 89 } 90 91 if ( class_exists( 'BP_User' ) ) { 92 $this->current = new BP_User( $user_id ); 93 } else { 94 $this->current =& $user; 95 } 96 97 // WP add_action( 'set_current_user', 'setup_userdata', 1 ); 98 99 do_action( 'set_current_user', $user_id ); 100 101 return $this->current; 102 } 103 104 /** 105 * Populate variables with information about the currently logged in user 106 * 107 * Will set the current user, if the current user is not set. The current 108 * user will be set to the logged in person. If no user is logged in, then 109 * it will set the current user to 0, which is invalid and won't have any 110 * permissions. 111 * 112 * @since 0.71 113 * @uses $current_user Checks if the current user is set 114 * @uses wp_validate_auth_cookie() Retrieves current logged in user. 115 * 116 * @return bool|null False on XMLRPC Request and invalid auth cookie. Null when current user set 117 */ 118 function get_current_user() 119 { 120 if ( !empty( $this->current ) ) { 121 return $this->current; 122 } 123 124 if ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST ) { 125 $this->set_current_user( 0 ); 126 } elseif ( $user_id = $this->validate_auth_cookie( null, 'logged_in' ) ) { 127 $this->set_current_user( $user_id ); 128 } else { 129 $this->set_current_user( 0 ); 130 } 131 132 return $this->current; 133 } 134 135 /** 136 * Validates authentication cookie 137 * 138 * The checks include making sure that the authentication cookie 139 * is set and pulling in the contents (if $cookie is not used). 140 * 141 * Makes sure the cookie is not expired. Verifies the hash in 142 * cookie is what is should be and compares the two. 143 * 144 * @since 2.5 145 * 146 * @param string $cookie Optional. If used, will validate contents instead of cookie's 147 * @return bool|int False if invalid cookie, User ID if valid. 148 */ 149 function validate_auth_cookie( $cookie = null, $scheme = 'auth' ) 150 { 151 if ( empty( $cookie ) ) { 152 foreach ( $this->cookies[$scheme] as $_scheme_cookie ) { 153 // Take the first cookie of type scheme that exists 154 if ( !empty( $_COOKIE[$_scheme_cookie['name']] ) ) { 155 $cookie = $_COOKIE[$_scheme_cookie['name']]; 156 break; 157 } 158 } 159 } 160 161 if ( !$cookie ) { 162 return false; 163 } 164 165 $cookie_elements = explode( '|', $cookie ); 166 if ( count( $cookie_elements ) != 3 ) { 167 do_action( 'auth_cookie_malformed', $cookie, $scheme ); 168 return false; 169 } 170 171 list( $username, $expiration, $hmac ) = $cookie_elements; 172 173 $expired = $expiration; 174 175 // Allow a grace period for POST and AJAX requests 176 if ( defined( 'DOING_AJAX' ) || 'POST' == $_SERVER['REQUEST_METHOD'] ) { 177 $expired += 3600; 178 } 179 180 if ( $expired < time() ) { 181 do_action( 'auth_cookie_expired', $cookie_elements ); 182 return false; 183 } 184 185 $user = $this->users->get_user( $username, array( 'by' => 'login' ) ); 186 if ( !$user || is_wp_error( $user ) ) { 187 do_action( 'auth_cookie_bad_username', $cookie_elements ); 188 return $user; 189 } 190 191 $pass_frag = ''; 192 if ( 1 < WP_AUTH_COOKIE_VERSION ) { 193 $pass_frag = substr( $user->user_pass, 8, 4 ); 194 } 195 196 $key = call_user_func( backpress_get_option( 'hash_function_name' ), $username . $pass_frag . '|' . $expiration, $scheme ); 197 $hash = hash_hmac( 'md5', $username . '|' . $expiration, $key ); 198 199 if ( $hmac != $hash ) { 200 do_action( 'auth_cookie_bad_hash', $cookie_elements ); 201 return false; 202 } 203 204 do_action( 'auth_cookie_valid', $cookie_elements, $user ); 205 206 return $user->ID; 207 } 208 209 /** 210 * Generate authentication cookie contents 211 * 212 * @since 2.5 213 * @uses apply_filters() Calls 'auth_cookie' hook on $cookie contents, User ID 214 * and expiration of cookie. 215 * 216 * @param int $user_id User ID 217 * @param int $expiration Cookie expiration in seconds 218 * @return string Authentication cookie contents 219 */ 220 function generate_auth_cookie( $user_id, $expiration, $scheme = 'auth' ) 221 { 222 $user = $this->users->get_user( $user_id ); 223 if ( !$user || is_wp_error( $user ) ) { 224 return $user; 225 } 226 227 $pass_frag = ''; 228 if ( 1 < WP_AUTH_COOKIE_VERSION ) { 229 $pass_frag = substr( $user->user_pass, 8, 4 ); 230 } 231 232 $key = call_user_func( backpress_get_option( 'hash_function_name' ), $user->user_login . $pass_frag . '|' . $expiration, $scheme ); 233 $hash = hash_hmac('md5', $user->user_login . '|' . $expiration, $key); 234 235 $cookie = $user->user_login . '|' . $expiration . '|' . $hash; 236 237 return apply_filters( 'auth_cookie', $cookie, $user_id, $expiration, $scheme ); 238 } 239 240 /** 241 * Sets the authentication cookies based User ID 242 * 243 * The $remember parameter increases the time that the cookie will 244 * be kept. The default the cookie is kept without remembering is 245 * two days. When $remember is set, the cookies will be kept for 246 * 14 days or two weeks. 247 * 248 * @since 2.5 249 * 250 * @param int $user_id User ID 251 * @param int $expiration the UNIX time after which the cookie's authentication token is no longer valid 252 * @param int $expire the UNIX time at which the cookie expires 253 * @param int $scheme name of the 254 */ 255 function set_auth_cookie( $user_id, $expiration = 0, $expire = 0, $scheme = 'auth' ) 256 { 257 if ( !isset( $this->cookies[$scheme] ) ) { 258 return; 259 } 260 261 if ( !$expiration = absint( $expiration ) ) { 262 $expiration = time() + 172800; // 2 days 263 } 264 265 $expire = absint( $expire ); 266 267 foreach ( $this->cookies[$scheme] as $_cookie ) { 268 $cookie = $this->generate_auth_cookie( $user_id, $expiration, $scheme ); 269 if ( is_wp_error( $cookie ) ) { 270 return $cookie; 271 } 272 273 do_action( 'set_' . $scheme . '_cookie', $cookie, $expire, $expiration, $user_id, $scheme ); 274 275 $domain = $_cookie['domain']; 276 $secure = isset($_cookie['secure']) ? (bool) $_cookie['secure'] : false; 277 278 // Set httponly if the php version is >= 5.2.0 279 if ( version_compare( phpversion(), '5.2.0', 'ge' ) ) { 280 backpress_set_cookie( $_cookie['name'], $cookie, $expire, $_cookie['path'], $domain, $secure, true ); 281 } else { 282 $domain = ( empty( $domain ) ) ? $domain : $domain . '; HttpOnly'; 283 backpress_set_cookie( $_cookie['name'], $cookie, $expire, $_cookie['path'], $domain, $secure ); 284 } 285 } 286 unset( $_cookie ); 287 } 288 289 /** 290 * Deletes all of the cookies associated with authentication 291 * 292 * @since 2.5 293 */ 294 function clear_auth_cookie() 295 { 296 do_action( 'clear_auth_cookie' ); 297 foreach ( $this->cookies as $_scheme => $_scheme_cookies ) { 298 foreach ( $_scheme_cookies as $_cookie ) { 299 backpress_set_cookie( $_cookie['name'], ' ', time() - 31536000, $_cookie['path'], $_cookie['domain'] ); 300 } 301 unset( $_cookie ); 302 } 303 unset( $_scheme, $_scheme_cookies ); 304 } 305 }
title
Description
Body
title
Description
Body
title
Description
Body
title
Body
Generated: Sat Nov 23 01:00:54 2024 | Cross-referenced by PHPXref 0.7.1 |