
  1. <?php
  2. class Authorize {
  3. public function login($username, $password) {
  4. $database = SqliteDatabase::getSingleton();
  5. $sql = "SELECT rowid as user_id, username, display_name FROM users WHERE username = :username AND password = :password LIMIT 1;";
  6. $queryData = array();
  7. $queryData['username'] = $username;
  8. $queryData['password'] = Authorize::hash($password);
  9. $userData = $database->preparedQueryArray($sql, $queryData);
  10. if(count($userData) == 0 || count($userData) > 1) {
  11. //injection attack or user not found
  12. return false;
  13. }
  14. $user = $userData[0];
  15. $sql = "SELECT a.rowid, a.subdomain, a.display_name FROM user_accounts ua JOIN accounts a ON ua.account_id = a.rowid WHERE ua.user_id = :user_id";
  16. $queryData = array();
  17. $queryData['user_id'] = $user['user_id'];
  18. $domains = $database->preparedQueryArray($sql, $queryData);
  19. foreach($domains as $domain) {
  20. if(DOMAIN == $domain['subdomain']) {
  21. $response = array("authorized" => true);
  22. $response['display_name'] = $user['display_name'];
  23. $response['user_id'] = $user['user_id'];
  24. $response['domain'] = $domain['subdomain'];
  25. $response['client_id'] = $domain['rowid'];
  26. $_SESSION = $response;
  27. $loggerData = array();
  28. $loggerData['display_name'] = $user['display_name'];
  29. $loggerData['user_id'] = $user['user_id'];
  30. SecurityLogger::action("login", $loggerData, time());
  31. return $response;
  32. }
  33. }
  34. $loggerData = array();
  35. $loggerData['attempted_username'] = $username;
  36. $loggerData['ip_address'] = $_SERVER['REMOTE_ADDR'];
  37. SecurityLogger::action("login-failed", $loggerData, time());
  38. return false;
  39. }
  40. public static function hasPermission() {
  41. $loggedIn = isset($_SESSION['authorized']) && $_SESSION['authorized'];
  42. $onAdminSession = isset($_SESSION['domain']) && $_SESSION['domain'] == "admin";
  43. $actuallyAdmin = DOMAIN == "admin";
  44. return $loggedIn && $onAdminSession && $actuallyAdmin;
  45. }
  46. public static function hash($value) {
  47. return hash("sha256", $value);
  48. }
  49. public static function isLoggedIn() {
  50. return isset($_SESSION['authorized']) && $_SESSION['authorized'];
  51. }
  52. }