/bp-forums/bbpress/bb-includes/backpress/class.wp-auth.php

  1. <?php 
  2. class WP_Auth 
  3. var $db; // BBPDB object 
  4. var $users; // WP_Users object 
  5.  
  6. var $cookies; 
  7.  
  8. var $current = 0; 
  9.  
  10. function WP_Auth( &$db, &$users, $cookies ) 
  11. $this->__construct( $db, $users, $cookies ); 
  12.  
  13. /** 
  14. * @param array $cookies Array indexed by internal name of cookie. Values are arrays of array defining cookie parameters. 
  15. * $cookies = array( 
  16. * 'auth' => array( 
  17. * 0 => array( 
  18. * 'domain' => (string) cookie domain 
  19. * 'path' => (string) cookie path 
  20. * 'name' => (string) cookie name 
  21. * 'secure' => (bool) restrict cookie to HTTPS only 
  22. * ) 
  23. * ) 
  24. * ); 
  25. * 
  26. * At least one cookie is required. Give it an internal name of 'auth'. 
  27. * 
  28. * Suggested cookie structure: 
  29. * logged_in: whether or not a user is logged in. Send everywhere. 
  30. * auth: used to authorize user's actions. Send only to domains/paths that need it (e.g. wp-admin/) 
  31. * secure_auth: used to authorize user's actions. Send only to domains/paths that need it and only over HTTPS 
  32. * 
  33. * You should be very careful when setting cookie domain to ensure that it always follows the rules set out in 
  34. * the {@link http://curl.haxx.se/rfc/cookie_spec.html Set Cookie spec}. In most cases it is best to leave cookie 
  35. * set to false and allow for user configuration to define a cookie domain in a configuration file when 
  36. * cross subdomain cookies are required. 
  37. *  
  38. * @link  
  39. */ 
  40. function __construct( &$db, &$users, $cookies ) 
  41. $this->db =& $db; 
  42. $this->users =& $users; 
  43.  
  44. $cookies = wp_parse_args( $cookies, array( 'auth' => null ) ); 
  45. $_cookies = array(); 
  46. foreach ( $cookies as $_scheme => $_scheme_cookies ) { 
  47. foreach ( $_scheme_cookies as $_scheme_cookie ) { 
  48. $_cookies[$_scheme][] = wp_parse_args( $_scheme_cookie, array( 'domain' => null, 'path' => null, 'name' => '' ) ); 
  49. unset( $_scheme_cookie ); 
  50. unset( $_scheme, $_scheme_cookies ); 
  51. $this->cookies = $_cookies; 
  52. unset( $_cookies ); 
  53.  
  54. /** 
  55. * Changes the current user by ID or name 
  56. * 
  57. * Set $id to null and specify a name if you do not know a user's ID 
  58. * 
  59. * Some WordPress functionality is based on the current user and 
  60. * not based on the signed in user. Therefore, it opens the ability 
  61. * to edit and perform actions on users who aren't signed in. 
  62. * 
  63. * @since 2.0.4 
  64. * @uses do_action() Calls 'set_current_user' hook after setting the current user. 
  65. * 
  66. * @param int $id User ID 
  67. * @param string $name User's username 
  68. * @return BP_User Current user User object 
  69. */ 
  70. function set_current_user( $user_id ) 
  71. $user = $this->users->get_user( $user_id ); 
  72. if ( !$user || is_wp_error( $user ) ) { 
  73. $this->current = 0; 
  74. return $this->current; 
  75.  
  76. $user_id = $user->ID; 
  77.  
  78. if ( isset( $this->current->ID ) && $user_id == $this->current->ID ) { 
  79. return $this->current; 
  80.  
  81. if ( class_exists( 'BP_User' ) ) { 
  82. $this->current = new BP_User( $user_id ); 
  83. } else { 
  84. $this->current =& $user; 
  85.  
  86. // WP add_action( 'set_current_user', 'setup_userdata', 1 ); 
  87.  
  88. do_action( 'set_current_user', $user_id ); 
  89.  
  90. return $this->current; 
  91.  
  92. /** 
  93. * Populate variables with information about the currently logged in user 
  94. * 
  95. * Will set the current user, if the current user is not set. The current 
  96. * user will be set to the logged in person. If no user is logged in, then 
  97. * it will set the current user to 0, which is invalid and won't have any 
  98. * permissions. 
  99. * 
  100. * @since 0.71 
  101. * @uses $current_user Checks if the current user is set 
  102. * @uses wp_validate_auth_cookie() Retrieves current logged in user. 
  103. * 
  104. * @return bool|null False on XMLRPC Request and invalid auth cookie. Null when current user set 
  105. */ 
  106. function get_current_user() 
  107. if ( !empty( $this->current ) ) { 
  108. return $this->current; 
  109.  
  110. if ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST ) { 
  111. $this->set_current_user( 0 ); 
  112. } elseif ( $user_id = $this->validate_auth_cookie( null, 'logged_in' ) ) { 
  113. $this->set_current_user( $user_id ); 
  114. } else { 
  115. $this->set_current_user( 0 ); 
  116.  
  117. return $this->current; 
  118.  
  119. /** 
  120. * Validates authentication cookie 
  121. * 
  122. * The checks include making sure that the authentication cookie 
  123. * is set and pulling in the contents (if $cookie is not used). 
  124. * 
  125. * Makes sure the cookie is not expired. Verifies the hash in 
  126. * cookie is what is should be and compares the two. 
  127. * 
  128. * @since 2.5 
  129. * 
  130. * @param string $cookie Optional. If used, will validate contents instead of cookie's 
  131. * @return bool|int False if invalid cookie, User ID if valid. 
  132. */ 
  133. function validate_auth_cookie( $cookie = null, $scheme = 'auth' ) 
  134. if ( empty( $cookie ) ) { 
  135. foreach ( $this->cookies[$scheme] as $_scheme_cookie ) { 
  136. // Take the first cookie of type scheme that exists 
  137. if ( !empty( $_COOKIE[$_scheme_cookie['name']] ) ) { 
  138. $cookie = $_COOKIE[$_scheme_cookie['name']]; 
  139. break; 
  140.  
  141. if ( !$cookie ) { 
  142. return false; 
  143.  
  144. $cookie_elements = explode( '|', $cookie ); 
  145. if ( count( $cookie_elements ) != 3 ) { 
  146. do_action( 'auth_cookie_malformed', $cookie, $scheme ); 
  147. return false; 
  148.  
  149. list( $username, $expiration, $hmac ) = $cookie_elements; 
  150.  
  151. $expired = $expiration; 
  152.  
  153. // Allow a grace period for POST and AJAX requests 
  154. if ( defined( 'DOING_AJAX' ) || 'POST' == $_SERVER['REQUEST_METHOD'] ) { 
  155. $expired += 3600; 
  156.  
  157. if ( $expired < time() ) { 
  158. do_action( 'auth_cookie_expired', $cookie_elements ); 
  159. return false; 
  160.  
  161. $user = $this->users->get_user( $username, array( 'by' => 'login' ) ); 
  162. if ( !$user || is_wp_error( $user ) ) { 
  163. do_action( 'auth_cookie_bad_username', $cookie_elements ); 
  164. return $user; 
  165.  
  166. $pass_frag = ''; 
  167. if ( 1 < WP_AUTH_COOKIE_VERSION ) { 
  168. $pass_frag = substr( $user->user_pass, 8, 4 ); 
  169.  
  170. $key = call_user_func( backpress_get_option( 'hash_function_name' ), $username . $pass_frag . '|' . $expiration, $scheme ); 
  171. $hash = hash_hmac( 'md5', $username . '|' . $expiration, $key ); 
  172.  
  173. if ( $hmac != $hash ) { 
  174. do_action( 'auth_cookie_bad_hash', $cookie_elements ); 
  175. return false; 
  176.  
  177. do_action( 'auth_cookie_valid', $cookie_elements, $user ); 
  178.  
  179. return $user->ID; 
  180.  
  181. /** 
  182. * Generate authentication cookie contents 
  183. * 
  184. * @since 2.5 
  185. * @uses apply_filters() Calls 'auth_cookie' hook on $cookie contents, User ID 
  186. * and expiration of cookie. 
  187. * 
  188. * @param int $user_id User ID 
  189. * @param int $expiration Cookie expiration in seconds 
  190. * @return string Authentication cookie contents 
  191. */ 
  192. function generate_auth_cookie( $user_id, $expiration, $scheme = 'auth' ) 
  193. $user = $this->users->get_user( $user_id ); 
  194. if ( !$user || is_wp_error( $user ) ) { 
  195. return $user; 
  196.  
  197. $pass_frag = ''; 
  198. if ( 1 < WP_AUTH_COOKIE_VERSION ) { 
  199. $pass_frag = substr( $user->user_pass, 8, 4 ); 
  200.  
  201. $key = call_user_func( backpress_get_option( 'hash_function_name' ), $user->user_login . $pass_frag . '|' . $expiration, $scheme ); 
  202. $hash = hash_hmac('md5', $user->user_login . '|' . $expiration, $key); 
  203.  
  204. $cookie = $user->user_login . '|' . $expiration . '|' . $hash; 
  205.  
  206. return apply_filters( 'auth_cookie', $cookie, $user_id, $expiration, $scheme ); 
  207.  
  208. /** 
  209. * Sets the authentication cookies based User ID 
  210. * 
  211. * The $remember parameter increases the time that the cookie will 
  212. * be kept. The default the cookie is kept without remembering is 
  213. * two days. When $remember is set, the cookies will be kept for 
  214. * 14 days or two weeks. 
  215. * 
  216. * @since 2.5 
  217. * 
  218. * @param int $user_id User ID 
  219. * @param int $expiration the UNIX time after which the cookie's authentication token is no longer valid 
  220. * @param int $expire the UNIX time at which the cookie expires 
  221. * @param int $scheme name of the  
  222. */ 
  223. function set_auth_cookie( $user_id, $expiration = 0, $expire = 0, $scheme = 'auth' ) 
  224. if ( !isset( $this->cookies[$scheme] ) ) { 
  225. return; 
  226.  
  227. if ( !$expiration = absint( $expiration ) ) { 
  228. $expiration = time() + 172800; // 2 days 
  229.  
  230. $expire = absint( $expire ); 
  231.  
  232. foreach ( $this->cookies[$scheme] as $_cookie ) { 
  233. $cookie = $this->generate_auth_cookie( $user_id, $expiration, $scheme ); 
  234. if ( is_wp_error( $cookie ) ) { 
  235. return $cookie; 
  236.  
  237. do_action( 'set_' . $scheme . '_cookie', $cookie, $expire, $expiration, $user_id, $scheme ); 
  238.  
  239. $domain = $_cookie['domain']; 
  240. $secure = isset($_cookie['secure']) ? (bool) $_cookie['secure'] : false; 
  241.  
  242. // Set httponly if the php version is >= 5.2.0 
  243. if ( version_compare( phpversion(), '5.2.0', 'ge' ) ) { 
  244. backpress_set_cookie( $_cookie['name'], $cookie, $expire, $_cookie['path'], $domain, $secure, true ); 
  245. } else { 
  246. $domain = ( empty( $domain ) ) ? $domain : $domain . '; HttpOnly'; 
  247. backpress_set_cookie( $_cookie['name'], $cookie, $expire, $_cookie['path'], $domain, $secure ); 
  248. unset( $_cookie ); 
  249.  
  250. /** 
  251. * Deletes all of the cookies associated with authentication 
  252. * 
  253. * @since 2.5 
  254. */ 
  255. function clear_auth_cookie() 
  256. do_action( 'clear_auth_cookie' ); 
  257. foreach ( $this->cookies as $_scheme => $_scheme_cookies ) { 
  258. foreach ( $_scheme_cookies as $_cookie ) { 
  259. backpress_set_cookie( $_cookie['name'], ' ', time() - 31536000, $_cookie['path'], $_cookie['domain'] ); 
  260. unset( $_cookie ); 
  261. unset( $_scheme, $_scheme_cookies ); 
.