DAViCal
HTTPAuthSession Class Reference

Public Member Functions

 __construct ()
 
 AuthFailedResponse ( $auth_header="")
 
 BasicAuthSession ()
 
 DigestAuthSession ()
 
 ParseDigestHeader ($auth_header)
 
 CheckPassword ( $username, $password)
 
 AllowedTo ( $whatever)
 
 GetRoles ()
 
 AssignSessionDetails ( $principal)
 

Public Attributes

 $username
 
 $user_no
 
 $principal_id
 
 $email
 
 $fullname
 
 $groups
 
 $principal
 

Private Attributes

 $dav_name
 
 $logged_in
 
 $roles
 

Detailed Description

Definition at line 17 of file HTTPAuthSession.php.

Constructor & Destructor Documentation

◆ __construct()

HTTPAuthSession::__construct ( )

The constructor, which just calls the type supplied or configured.

Definition at line 71 of file HTTPAuthSession.php.

Member Function Documentation

◆ AllowedTo()

HTTPAuthSession::AllowedTo (   $whatever)

Checks whether a user is allowed to do something.

The check is performed to see if the user has that role.

Parameters
  string $whatever  The role we want to know if the user has.
Returns
  boolean  Whether or not the user has the specified role.

Definition at line 358 of file HTTPAuthSession.php.

◆ AssignSessionDetails()

HTTPAuthSession::AssignSessionDetails (   $principal)

Internal function used to assign the session details to a user's new session.

Parameters
  object $u  The user+session object we (probably) read from the database.

Definition at line 382 of file HTTPAuthSession.php.

◆ AuthFailedResponse()

HTTPAuthSession::AuthFailedResponse (   $auth_header = "")

Authorisation failed, so we send some headers to say so.

Parameters
  string $auth_header  The WWW-Authenticate header details.

Definition at line 93 of file HTTPAuthSession.php.

◆ BasicAuthSession()

HTTPAuthSession::BasicAuthSession ( )

Handle Basic HTTP Authentication (not secure unless https)

Get HTTP Auth to work with PHP+FastCGI

The authentication has happened in the server, and we should accept it.

Since we still need to get the user's details from somewhere, we change the default authentication hook to auth_external, which simply retrieves a user row from the DB and does no password checking.

Fall through to the normal PHP authentication variables.

Maybe some external authentication didn't return false for an inactive user, so we'll be pedantic here.

Definition at line 123 of file HTTPAuthSession.php.

◆ CheckPassword()

HTTPAuthSession::CheckPassword (   $username,
  $password 
)

CheckPassword does all of the password checking and returns a user record object, or false if it all ends in tears.

The authenticate hook needs to:

  • Accept a username / password
  • Confirm the username / password are correct
  • Create (or update) a 'usr' record in our database
  • Return the 'usr' record as an object
  • Return === false when authentication fails

It can expect that:

  • Configuration data will be in $c->authenticate_hook['config'], which might be an array, or whatever is needed.

Definition at line 309 of file HTTPAuthSession.php.

◆ DigestAuthSession()

HTTPAuthSession::DigestAuthSession ( )

Handle Digest HTTP Authentication (no passwords were harmed in this transaction!)

Note that this will not actually work, unless we can either:

  • (A) store the password plain text in the database
  • (B) store an md5( username || realm || password ) in the database

The problem is that this potentially means that the administrator can collect the sorts of things people use as passwords. I believe this is quite a bad idea. In scenario (B), while they cannot see the password itself, they can see a hash which only varies when the password varies, so they can see when two users have the same password, or can use some of the reverse lookup sites to attempt to reverse the hash. I think this is a less bad idea, but not ideal. Probably better than running Basic auth of HTTP though!

Definition at line 214 of file HTTPAuthSession.php.
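
As an added illustration of scenario (B), not code from DAViCal: the sketch below verifies an RFC 2617 Digest response (qop=auth) using only a stored hash, never the plain-text password. RFC 2617 joins the three fields with colons, md5(username:realm:password); the function names, realm, nonce handling, URI and credentials are all constructed for the example.

```php
<?php
// Added example, not DAViCal code. All names and sample values are constructed.

// Scenario (B): the stored credential, called HA1 in RFC 2617.
function digest_ha1(string $user, string $realm, string $password): string {
    return md5("$user:$realm:$password");
}

// Parse the parameters of an "Authorization: Digest ..." header value.
function parse_digest(string $header): ?array {
    preg_match_all('/(\w+)=(?:"([^"]*)"|([^\s,]+))/', $header, $m, PREG_SET_ORDER);
    $f = [];
    foreach ($m as $p) {
        $f[$p[1]] = (($p[3] ?? '') !== '') ? $p[3] : $p[2];   // unquoted value, else quoted
    }
    foreach (['username', 'realm', 'nonce', 'uri', 'response', 'qop', 'nc', 'cnonce'] as $k) {
        if (!isset($f[$k])) return null;                      // incomplete header: reject
    }
    return $f;
}

// Verify a qop=auth response from the stored HA1 alone.
function verify_digest(array $d, string $method, string $ha1, string $realm, string $issued_nonce): bool {
    if ($d['realm'] !== $realm || $d['qop'] !== 'auth') return false;
    if (!hash_equals($issued_nonce, $d['nonce'])) return false;   // accept only a nonce we issued
    $ha2 = md5("$method:{$d['uri']}");
    $expected = md5("$ha1:{$d['nonce']}:{$d['nc']}:{$d['cnonce']}:auth:$ha2");
    return hash_equals($expected, strtolower($d['response']));    // constant-time comparison
}

// Constructed client side: the header a user agent holding $password would send.
function client_header(string $user, string $realm, string $password, string $nonce, string $uri): string {
    $nc = '00000001'; $cnonce = '0a4f113b';
    $resp = md5(digest_ha1($user, $realm, $password) . ":$nonce:$nc:$cnonce:auth:" . md5("PROPFIND:$uri"));
    return "Digest username=\"$user\", realm=\"$realm\", nonce=\"$nonce\", uri=\"$uri\", "
         . "qop=auth, nc=$nc, cnonce=\"$cnonce\", response=\"$resp\"";
}

$realm  = 'example-realm';
$nonce  = bin2hex(random_bytes(16));                      // issued with the 401 challenge
$stored = digest_ha1('alice', $realm, 'correct horse');   // the value the database row holds

foreach (['correct horse', 'wrong guess'] as $attempt) {
    $d  = parse_digest(client_header('alice', $realm, $attempt, $nonce, '/cal/alice/'));
    $ok = $d !== null && $d['username'] === 'alice'
        && verify_digest($d, 'PROPFIND', $stored, $realm, $nonce);
    printf("%-14s => %s\n", $attempt, $ok ? 'accepted' : 'rejected');
}
```

The stored HA1 is sufficient to compute valid responses for that username and realm, so it needs the same protection as a password.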

◆ GetRoles()

HTTPAuthSession::GetRoles ( )

Internal function used to get the user's roles from the database.

Definition at line 366 of file HTTPAuthSession.php.

◆ ParseDigestHeader()

HTTPAuthSession::ParseDigestHeader (   $auth_header)

Parse the HTTP Digest Auth Header

  • largely sourced from the PHP documentation

Definition at line 276 of file HTTPAuthSession.php.


The documentation for this class was generated from the following file: