
  1. <?php
  2. class Authorize {
  3. public function login($username, $password) {
  4. $database = SqliteDatabase::getSingleton();
  5. $sql = "SELECT rowid as user_id, username, display_name FROM users WHERE username = :username AND password = :password LIMIT 1;";
  6. $queryData = array();
  7. $queryData['username'] = $username;
  8. $queryData['password'] = Authorize::hash($password);
  9. $userData = $database->preparedQueryArray($sql, $queryData);
  10. if(count($userData) == 0 || count($userData) > 1) {
  11. //injection attack or user not found
  12. return false;
  13. }
  14. $user = $userData[0];
  15. $sql = "SELECT a.rowid, a.subdomain, a.display_name FROM user_accounts ua JOIN accounts a ON ua.account_id = a.rowid WHERE ua.user_id = :user_id";
  16. $queryData = array();
  17. $queryData['user_id'] = $user['user_id'];
  18. $domains = $database->preparedQueryArray($sql, $queryData);
  19. foreach($domains as $domain) {
  20. if(DOMAIN == $domain['subdomain']) {
  21. $response = array("authorized" => true);
  22. $response['display_name'] = $user['display_name'];
  23. $response['user_id'] = $user['user_id'];
  24. $response['domain'] = $domain['subdomain'];
  25. $response['client_id'] = $domain['rowid'];
  26. //hardcoded superuser accounts
  27. if(in_array($user['user_id'], array(1, 2))) {
  28. $response['superadmin'] = true;
  29. }
  30. $response['auth_token'] = session_id();
  31. $_SESSION = $response;
  32. return $response;
  33. }
  34. }
  35. return false;
  36. }
  37. public static function hasPermission() {
  38. $loggedIn = isset($_SESSION['authorized']) && $_SESSION['authorized'];
  39. $onAdminSession = isset($_SESSION['domain']) && $_SESSION['domain'] == "admin";
  40. $actuallyAdmin = DOMAIN == "admin";
  41. return $loggedIn && $onAdminSession && $actuallyAdmin;
  42. }
  43. public static function hash($value) {
  44. return hash("sha256", $value);
  45. }
  46. public static function isLoggedIn() {
  47. return isset($_SESSION['authorized']) && $_SESSION['authorized'];
  48. }
  49. }