CopperWire
/
daktylos


			
							12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061
							<?php
class Authorize {
	public function login($username, $password) {
		$database = SqliteDatabase::getSingleton();
		$sql = "SELECT rowid as user_id, username, display_name FROM users WHERE username = :username AND password = :password LIMIT 1;";
		$queryData = array();
		$queryData['username'] = $username;
		$queryData['password'] = Authorize::hash($password);
		$userData = $database->preparedQueryArray($sql, $queryData);
		if(count($userData) == 0 || count($userData) > 1) {
			//injection attack or user not found
			return false;
		}
		$user = $userData[0];
		
		$sql = "SELECT a.rowid, a.subdomain, a.display_name  FROM user_accounts ua JOIN accounts a ON ua.account_id = a.rowid WHERE ua.user_id = :user_id";
		
		$queryData = array();
		$queryData['user_id'] = $user['user_id'];
		$domains = $database->preparedQueryArray($sql, $queryData);

		foreach($domains as $domain) {
			if(DOMAIN == $domain['subdomain']) {
				$response = array("authorized" => true);
				$response['display_name'] = $user['display_name'];
				$response['user_id'] = $user['user_id'];
				$response['domain'] = $domain['subdomain'];
				$response['client_id'] = $domain['rowid'];
				$_SESSION = $response;
				$loggerData = array();
				$loggerData['display_name'] = $user['display_name'];
				$loggerData['user_id'] = $user['user_id'];
				SecurityLogger::action("login", $loggerData, time());
				return $response;
			}
		}
		$loggerData = array();
					$loggerData['attempted_username'] = $username;
					$loggerData['ip_address'] = $_SERVER['REMOTE_ADDR'];
					SecurityLogger::action("login-failed", $loggerData, time());
		return false;
	}

	public static function hasPermission() {
		$loggedIn = isset($_SESSION['authorized']) && $_SESSION['authorized'];
		$onAdminSession = isset($_SESSION['domain']) && $_SESSION['domain'] == "admin";
		$actuallyAdmin = DOMAIN == "admin";

		return $loggedIn && $onAdminSession && $actuallyAdmin;
	}


	public static function hash($value) {
		return hash("sha256", $value);
	}

	public static function isLoggedIn() {
		return isset($_SESSION['authorized']) && $_SESSION['authorized'];
	}
}