$[That username is taken. Please choose another.]";
$EnablePost=false;
return;
}
}
if(preg_match("/^($GroupDelimiter|-)/",$new[$fn]) or preg_match("/[, ]/",$new[$fn])){
$MessagesFmt[] = "
$[Commas, and whitespaces are not allowed in your username. It also cannot start with $GroupDelimiter or a hyphen.]
";
$EnablePost=false;
return;
}
}
if (@$_POST['authid']) {
$id=stripmagic(@$_POST['authid']);
$pw=stripmagic(@$_POST['authpw']);
$authid='';
$authlist=array();
$pages=@ListPages($AuthProfileSearchPatterns);
foreach ($pages as $pn) {
$thispage=ReadPage($pn, READPAGE_CURRENT);
if($thispage["username"]==$id and $thispage["password"]==$pw){
$authid = $id;
$authgroup=FmtPageName('$Group', $pn);
$authlist[$GroupDelimiter.$authgroup] = true;
$authlist['-'.$GroupDelimiter.$authgroup] = false;
break;
}
}
if($id=='admin' and crypt($pw,$AuthProfileSalt)==$DefaultPasswords['admin']) {$authid = $id;}
if (!$authid) $GLOBALS['InvalidLogin'] = true;
else{
if (!isset($AuthId)) $AuthId = $authid;
SessionAuth($pagename, array('authid' => $authid, 'authlist' => $authlist));
}
}
else SessionAuth($pagename);
/*
This is the section where the username and passwords fields are added.
This could be the source of security vulnerabilities if not handled with care.
I worry about people having authority to publish but not set passwords being able to
set new usernames and passwords.
A clever enough person might be able to construct a bogus html POST that updates the page without
ever using the edit form.
The editattr script is only included if you are trying to edit the page first, but more importantly,
The login fields "username" and password" are only included if the person has attr authorization on the page.
That should cover the possibility of constructing a bogus html POST.
*/
if(CondAuth($pagename,'attr')){
$EditAttrFields['username'] = array('attribute' => 1, 'filter' => 'check_username');
$EditAttrFields['password'] = array('attribute' => 1);
}
if ( $action == 'edit' ) require_once("$FarmD/cookbook/editattr.php");
function AuthProfile($pagename, $level, $authprompt=true, $since=0) {
global $DefaultPasswords, $GroupAttributesFmt, $AllowName, $SitePrefix, $GroupDelimiter,
$AuthProfileCascade, $FmtV, $AuthPromptFmt, $PageStartFmt, $PageEndFmt,
$AuthId, $AuthList, $NoHTMLCache;
static $groupcache, $sitecache, $justhigher;
SDV($GroupAttributesFmt,'$Group/GroupAttributes');
SDV($AllowName,'@nopass');
$page = ReadPage($pagename, $since);
if (!$page) return false;
if (!isset($authcache))
SessionAuth($pagename, (@$_POST['authpw'])
? array('authpw' => array($_POST['authpw'] => 1))
: '');
if (@$AuthId) {
$AuthList[$AuthId] = true;
$AuthList["-$AuthId"] = false;
#undo what PmWikiAuth will do while it is still the default
#authorization mechanism.
unset($AuthList["id:$AuthId"]);
unset($AuthList["id:-$AuthId"]);
unset($AuthList["id:*"]);
unset($AuthList['']);
}
if(!isset($justhigher))
foreach(array_keys($DefaultPasswords) as $k)
foreach($AuthProfileCascade as $higherauth=>$v)
if(in_array($k, (array)$v))
$justhigher[$k][]=$GroupDelimiter.$SitePrefix.$higherauth;
$group=FmtPageName('$Group',$pagename);
if(@!isset($sitecache[$group])) {
$PasswordGroup=substr($group,strlen($SitePrefix));
$issitegroup=in_array($PasswordGroup, array_keys($DefaultPasswords));
$authhigher=AuthHigherThan('edit');
foreach(array_keys($DefaultPasswords) as $k){
if(($k=='edit' or in_array($k,$authhigher)) and $issitegroup){
if($justhigher[$PasswordGroup]) $sitecache[$group][$k]=implode(', ',$justhigher[$PasswordGroup]);
else $sitecache[$group][$k]='@lock';
}
else $sitecache[$group][$k]=$GroupDelimiter.$SitePrefix.$k;
}
}
$groupattr = FmtPageName($GroupAttributesFmt, $pagename);
if(@!isset($groupcache[$groupattr])) {
$gp = ReadPage($groupattr, READPAGE_CURRENT);
foreach(array_keys($DefaultPasswords) as $k) $groupcache[$groupattr][$k]=$gp["passwd$k"];
}
foreach(array_keys($DefaultPasswords) as $k) {
if(@$page["passwd$k"]) {
$page['=pwsource'][$k]='page';
$page['=passwd'][$k]=$page["passwd$k"];
$page['=auth'][$k]=UserIsAuthorized($page['=passwd'][$k]);
continue;
}
if(@$groupcache[$groupattr][$k]) {
$page['=pwsource'][$k]='group';
$page['=passwd'][$k]=$groupcache[$groupattr][$k];
$page['=auth'][$k]=UserIsAuthorized($page['=passwd'][$k]);
continue;
}
else{
$page['=pwsource'][$k]='site';
$page['=passwd'][$k]=$sitecache[$group][$k];
$page['=auth'][$k]=UserIsAuthorized($page['=passwd'][$k]);
}
}
#make sure that you can edit your own page
if(@$AuthId and @$AuthId==$page["username"]) $page['=auth']['attr']=true;
AuthCascade($page);
#ok, an admin can do anything.
if ($AuthId=='admin')
foreach(array_keys($DefaultPasswords) as $k)
$page['=auth'][$k]=true;
if (@$page['=passwd']['read']) $NoHTMLCache |= 2;
if ($level=='ALWAYS' || @$page['=auth'][$level]) return $page;
if (!$authprompt) return false;
$GLOBALS['AuthNeeded'] = (@$_POST['authpw'])
? $page['=pwsource'][$level] . ' ' . $level : '';
PCache($pagename, $page);
$postvars = '';
foreach($_POST as $k=>$v) {
if ($k == 'authpw' || $k == 'authid') continue;
$k = htmlspecialchars(stripmagic($k), ENT_QUOTES);
$v = str_replace('$', '$',
htmlspecialchars(stripmagic($v), ENT_COMPAT));
$postvars .= "\n";
}
$FmtV['$PostVars'] = $postvars;
$r = str_replace("'", '%37', stripmagic($_SERVER['REQUEST_URI']));
SDV($AuthPromptFmt,array(&$PageStartFmt,
"
$[Password required]
", &$PageEndFmt));
PrintFmt($pagename,$AuthPromptFmt);
exit;
}
function UserIsAuthorized($args) {
global $AuthList, $AllowName;
foreach(preg_split("/[\s,]+/", $args) as $name)
if(@$AuthList[$name] || $name==$AllowName)
return true;
return false;
}
function AuthHigherThan($auth){
global $AuthProfileCascade;
static $AuthHigherThanList;
foreach($AuthProfileCascade as $higherauth=>$v)
if(in_array($auth, (array)$v) and !in_array($higherauth,$AuthHigherThanList[$auth])){
$AuthHigherThanList[$auth][]=$higherauth;
$AuthEvenHigherThanList=AuthHigherThan($higherauth);
$AuthHigherThanList[$auth]=array_merge($AuthHigherThanList[$auth],$AuthEvenHigherThanList);
}
return $AuthHigherThanList[$auth];
}
function AuthCascade(&$page){
global $AuthProfileCascade;
foreach($AuthProfileCascade as $k=>$v)
if (@$page['=auth'][$k])
foreach((array)$v as $value)
if(!@$page['=auth'][$value]){
$page['=auth'][$value] = $page['=auth'][$k];
if ($page['=passwd'][$value] = $page['=passwd'][$k]) # assign
$page['=pwsource'][$value] = "cascade:$k";
AuthCascade($page);
}
}