diff options
-rw-r--r-- | includes/sys_auth.php | 79 | ||||
-rw-r--r-- | www-ssl/index.php | 10 | ||||
-rw-r--r-- | www-ssl/nonpublic/auth.php | 45 |
3 files changed, 70 insertions, 64 deletions
diff --git a/includes/sys_auth.php b/includes/sys_auth.php index 009be2d8..15c5591a 100644 --- a/includes/sys_auth.php +++ b/includes/sys_auth.php @@ -3,7 +3,7 @@ // Testet ob ein User eingeloggt ist und lädt die entsprechenden Privilegien function load_auth() { - global $user; + global $user, $privileges; if (!isset ($_SESSION['IP'])) $_SESSION['IP'] = $_SERVER['REMOTE_ADDR']; @@ -19,30 +19,12 @@ function load_auth() { if (count($user) > 0) { // User ist eingeloggt, Datensatz zur Verfügung stellen und Timestamp updaten list ($user) = $user; - sql_query("UPDATE `User` SET " - . "`lastLogIn` = '" . time() . "'" - . " WHERE `UID` = '" . sql_escape($_SESSION['uid']) . "' LIMIT 1;" - ); + sql_query("UPDATE `User` SET " . "`lastLogIn` = '" . time() . "'" . " WHERE `UID` = '" . sql_escape($_SESSION['uid']) . "' LIMIT 1;"); } else unset ($_SESSION['uid']); } - load_privileges(); -} - -function load_privileges() { - global $privileges, $user; - - $privileges = array (); - if (isset ($user)) { - $user_privs = sql_select("SELECT `Privileges`.`name` FROM `User` JOIN `UserGroups` ON (`User`.`UID` = `UserGroups`.`uid`) JOIN `GroupPrivileges` ON (`UserGroups`.`group_id` = `GroupPrivileges`.`group_id`) JOIN `Privileges` ON (`GroupPrivileges`.`privilege_id` = `Privileges`.`id`) WHERE `User`.`UID`=" . sql_escape($user['UID']) . ";"); - foreach ($user_privs as $user_priv) - $privileges[] = $user_priv['name']; - } else { - $guest_privs = sql_select("SELECT * FROM `GroupPrivileges` JOIN `Privileges` ON (`GroupPrivileges`.`privilege_id` = `Privileges`.`id`) WHERE `group_id`=-1;"); - foreach ($guest_privs as $guest_priv) - $privileges[] = $guest_priv['name']; - } + $privileges = isset ($user) ? privileges_for_user($user['UID']) : privileges_for_group(-1); } function PassCrypt($passwort) { @@ -55,4 +37,59 @@ function PassCrypt($passwort) { return md5($passwort); } } + +// JSON Authorisierungs-Schnittstelle +function json_auth_service() { + global $CurrentExternAuthPass; + + header("Content-Type: application/json"); + + $User = $_REQUEST['user']; + $Pass = $_REQUEST['pw']; + $SourceOuth = $_REQUEST['so']; + + if (isset ($CurrentExternAuthPass) && $SourceOuth == $CurrentExternAuthPass) { + $sql = "SELECT * FROM `User` WHERE `Nick`='" . sql_escape($User) . "'"; + $Erg = sql_query($sql); + + if (mysql_num_rows($Erg) == 1) { + if (mysql_result($Erg, 0, "Passwort") == PassCrypt($Pass)) { + $UID = mysql_result($Erg, 0, "UID"); + + $user_privs = sql_select("SELECT `Privileges`.`name` FROM `User` JOIN `UserGroups` ON (`User`.`UID` = `UserGroups`.`uid`) JOIN `GroupPrivileges` ON (`UserGroups`.`group_id` = `GroupPrivileges`.`group_id`) JOIN `Privileges` ON (`GroupPrivileges`.`privilege_id` = `Privileges`.`id`) WHERE `User`.`UID`=" . sql_escape($UID) . ";"); + foreach ($user_privs as $user_priv) + $privileges[] = $user_priv['name']; + + $msg = array ( + 'status' => 'success', + 'rights' => $privileges + ); + echo json_encode($msg); + die(); + } + } + } + + echo json_encode(array ( + 'status' => 'failed', + 'error' => "JSON Service GET syntax: https://engelsystem.de/?auth&user=<user>&pw=<password>&so=<key>, POST is possible too" + )); + die(); +} + +function privileges_for_user($user_id) { + $privileges = array (); + $user_privs = sql_select("SELECT `Privileges`.`name` FROM `User` JOIN `UserGroups` ON (`User`.`UID` = `UserGroups`.`uid`) JOIN `GroupPrivileges` ON (`UserGroups`.`group_id` = `GroupPrivileges`.`group_id`) JOIN `Privileges` ON (`GroupPrivileges`.`privilege_id` = `Privileges`.`id`) WHERE `User`.`UID`=" . sql_escape($user_id) . ";"); + foreach ($user_privs as $user_priv) + $privileges[] = $user_priv['name']; + return $privileges; +} + +function privileges_for_group($group_id) { + $privileges = array (); + $groups_privs = sql_select("SELECT * FROM `GroupPrivileges` JOIN `Privileges` ON (`GroupPrivileges`.`privilege_id` = `Privileges`.`id`) WHERE `group_id`=" . sql_escape($group_id)); + foreach ($groups_privs as $guest_priv) + $privileges[] = $guest_priv['name']; + return $privileges; +} ?> diff --git a/www-ssl/index.php b/www-ssl/index.php index 7c65abb2..214ec54a 100644 --- a/www-ssl/index.php +++ b/www-ssl/index.php @@ -22,6 +22,10 @@ sql_connect($config['host'], $config['user'], $config['pw'], $config['db']); load_auth(); +// JSON Authorisierung gewünscht? +if (isset ($_REQUEST['auth'])) + json_auth_service(); + // Gewünschte Seite/Funktion $p = isset ($user) ? "news" : "start"; if (isset ($_REQUEST['p'])) @@ -89,15 +93,15 @@ if (in_array($p, $privileges)) { elseif ($p == "admin_groups") { require_once ('includes/pages/admin_groups.php'); $content = admin_groups(); - } + } elseif ($p == "admin_faq") { require_once ('includes/pages/admin_faq.php'); $content = admin_faq(); - } + } elseif ($p == "admin_language") { require_once ('includes/pages/admin_language.php'); $content = admin_language(); - } + } elseif ($p == "admin_log") { require_once ('includes/pages/admin_log.php'); $content = admin_log(); diff --git a/www-ssl/nonpublic/auth.php b/www-ssl/nonpublic/auth.php index 7d58988c..143ea8c8 100644 --- a/www-ssl/nonpublic/auth.php +++ b/www-ssl/nonpublic/auth.php @@ -1,43 +1,8 @@ <?php -require_once ('../bootstrap.php'); -header("Content-Type: application/json"); - -include "includes/config.php"; -include "includes/config_db.php"; - -$User = $_POST['user']; -$Pass = $_POST['pw']; -$SourceOuth = $_POST['so']; - -if (isset ($CurrentExternAuthPass) && $SourceOuth == $CurrentExternAuthPass) { - $sql = "SELECT * FROM `User` WHERE `Nick`='" . $User . "'"; - $Erg = mysql_query($sql, $con); - - if (mysql_num_rows($Erg) == 1) { - if (mysql_result($Erg, 0, "Passwort") == $Pass) { - $UID = mysql_result($Erg, 0, "UID"); - - // get CVS import Data - $SQL = "SELECT * FROM `UserCVS` WHERE `UID`='" . $UID . "'"; - $Erg_CVS = mysql_query($SQL, $con); - $CVS = mysql_fetch_array($Erg_CVS); - - $msg = array ( - 'status' => 'success', - 'rights' => $CVS - ); - echo json_encode($msg); - } else - echo json_encode(array ( - 'status' => 'failed' - )); - } else - echo json_encode(array ( - 'status' => 'failed' - )); -} else - echo json_encode(array ( - 'status' => 'failed' - )); +// Bleibt erstmal, damit Benutzer, die die Schnittstelle nutzen mitkriegen, dass diese Umgezogen ist +echo json_encode(array ( + 'status' => 'failed', + 'error' => "JSON Service moved to https://engelsystem.de/?auth&user=<user>&pw=<password>&so=<key>" +)); ?> |