daktylos/libs/Authorize.class.php

<?php
class Authorize {
	public function login($username, $password) {
		$database = SqliteDatabase::getSingleton();
		$sql = "SELECT rowid as user_id, username, display_name FROM users WHERE username = :username AND password = :password LIMIT 1;";
		$queryData = array();
		$queryData['username'] = $username;
		$queryData['password'] = Authorize::hash($password);
		$userData = $database->preparedQueryArray($sql, $queryData);
		if(count($userData) == 0 || count($userData) > 1) {
			//injection attack or user not found
			return false;
		}
		$user = $userData[0];
		
		$sql = "SELECT a.rowid, a.subdomain, a.display_name  FROM user_accounts ua JOIN accounts a ON ua.account_id = a.rowid WHERE ua.user_id = :user_id";
		
		$queryData = array();
		$queryData['user_id'] = $user['user_id'];
		$domains = $database->preparedQueryArray($sql, $queryData);

		foreach($domains as $domain) {
			if(DOMAIN == $domain['subdomain']) {
				$response = array("authorized" => true);
				$response['display_name'] = $user['display_name'];
				$response['user_id'] = $user['user_id'];
				$response['domain'] = $domain['subdomain'];
				$response['client_id'] = $domain['rowid'];
				//hardcoded superuser accounts
				if(in_array($user['user_id'], array(1, 2))) {
					$response['superadmin'] = true;
				}
				$response['auth_token'] = session_id();
				$_SESSION = $response;
				
				return $response;
			}
		}
		return false;
	}

	public static function hasPermission() {
		$loggedIn = isset($_SESSION['authorized']) && $_SESSION['authorized'];
		$onAdminSession = isset($_SESSION['domain']) && $_SESSION['domain'] == "admin";
		$actuallyAdmin = DOMAIN == "admin";

		return $loggedIn && $onAdminSession && $actuallyAdmin;
	}



	public static function hash($value) {
		return hash("sha256", $value);
	}

	public static function isLoggedIn() {
		return isset($_SESSION['authorized']) && $_SESSION['authorized'];
	}
}