From 225398d87d56257e63f03504fb1a0452a8d9ae02 Mon Sep 17 00:00:00 2001
From: Philip Häusler <msquare@notrademark.de>
Date: Fri, 3 Jun 2011 15:30:17 +0200
Subject: json auth service complete

---
 includes/sys_auth.php      | 79 ++++++++++++++++++++++++++++++++++------------
 www-ssl/index.php          | 10 ++++--
 www-ssl/nonpublic/auth.php | 45 +++-----------------------
 3 files changed, 70 insertions(+), 64 deletions(-)

diff --git a/includes/sys_auth.php b/includes/sys_auth.php
index 009be2d8..15c5591a 100644
--- a/includes/sys_auth.php
+++ b/includes/sys_auth.php
@@ -3,7 +3,7 @@
 
 // Testet ob ein User eingeloggt ist und lädt die entsprechenden Privilegien
 function load_auth() {
-	global $user;
+	global $user, $privileges;
 
 	if (!isset ($_SESSION['IP']))
 		$_SESSION['IP'] = $_SERVER['REMOTE_ADDR'];
@@ -19,30 +19,12 @@ function load_auth() {
 		if (count($user) > 0) {
 			// User ist eingeloggt, Datensatz zur Verfügung stellen und Timestamp updaten
 			list ($user) = $user;
-			sql_query("UPDATE `User` SET "
-				. "`lastLogIn` = '" . time() . "'"
-				. " WHERE `UID` = '" . sql_escape($_SESSION['uid']) . "' LIMIT 1;"
-			);
+			sql_query("UPDATE `User` SET " . "`lastLogIn` = '" . time() . "'" . " WHERE `UID` = '" . sql_escape($_SESSION['uid']) . "' LIMIT 1;");
 		} else
 			unset ($_SESSION['uid']);
 	}
 
-	load_privileges();
-}
-
-function load_privileges() {
-	global $privileges, $user;
-
-	$privileges = array ();
-	if (isset ($user)) {
-		$user_privs = sql_select("SELECT `Privileges`.`name` FROM `User` JOIN `UserGroups` ON (`User`.`UID` = `UserGroups`.`uid`) JOIN `GroupPrivileges` ON (`UserGroups`.`group_id` = `GroupPrivileges`.`group_id`) JOIN `Privileges` ON (`GroupPrivileges`.`privilege_id` = `Privileges`.`id`) WHERE `User`.`UID`=" . sql_escape($user['UID']) . ";");
-		foreach ($user_privs as $user_priv)
-			$privileges[] = $user_priv['name'];
-	} else {
-		$guest_privs = sql_select("SELECT * FROM `GroupPrivileges` JOIN `Privileges` ON (`GroupPrivileges`.`privilege_id` = `Privileges`.`id`) WHERE `group_id`=-1;");
-		foreach ($guest_privs as $guest_priv)
-			$privileges[] = $guest_priv['name'];
-	}
+	$privileges = isset ($user) ? privileges_for_user($user['UID']) : privileges_for_group(-1);
 }
 
 function PassCrypt($passwort) {
@@ -55,4 +37,59 @@ function PassCrypt($passwort) {
 			return md5($passwort);
 	}
 }
+
+// JSON Authorisierungs-Schnittstelle
+function json_auth_service() {
+	global $CurrentExternAuthPass;
+
+	header("Content-Type: application/json");
+
+	$User = $_REQUEST['user'];
+	$Pass = $_REQUEST['pw'];
+	$SourceOuth = $_REQUEST['so'];
+
+	if (isset ($CurrentExternAuthPass) && $SourceOuth == $CurrentExternAuthPass) {
+		$sql = "SELECT * FROM `User` WHERE `Nick`='" . sql_escape($User) . "'";
+		$Erg = sql_query($sql);
+
+		if (mysql_num_rows($Erg) == 1) {
+			if (mysql_result($Erg, 0, "Passwort") == PassCrypt($Pass)) {
+				$UID = mysql_result($Erg, 0, "UID");
+
+				$user_privs = sql_select("SELECT `Privileges`.`name` FROM `User` JOIN `UserGroups` ON (`User`.`UID` = `UserGroups`.`uid`) JOIN `GroupPrivileges` ON (`UserGroups`.`group_id` = `GroupPrivileges`.`group_id`) JOIN `Privileges` ON (`GroupPrivileges`.`privilege_id` = `Privileges`.`id`) WHERE `User`.`UID`=" . sql_escape($UID) . ";");
+				foreach ($user_privs as $user_priv)
+					$privileges[] = $user_priv['name'];
+
+				$msg = array (
+					'status' => 'success',
+					'rights' => $privileges
+				);
+				echo json_encode($msg);
+				die();
+			}
+		}
+	}
+
+	echo json_encode(array (
+		'status' => 'failed',
+		'error' => "JSON Service GET syntax: https://engelsystem.de/?auth&user=<user>&pw=<password>&so=<key>, POST is possible too"
+	));
+	die();
+}
+
+function privileges_for_user($user_id) {
+	$privileges = array ();
+	$user_privs = sql_select("SELECT `Privileges`.`name` FROM `User` JOIN `UserGroups` ON (`User`.`UID` = `UserGroups`.`uid`) JOIN `GroupPrivileges` ON (`UserGroups`.`group_id` = `GroupPrivileges`.`group_id`) JOIN `Privileges` ON (`GroupPrivileges`.`privilege_id` = `Privileges`.`id`) WHERE `User`.`UID`=" . sql_escape($user_id) . ";");
+	foreach ($user_privs as $user_priv)
+		$privileges[] = $user_priv['name'];
+	return $privileges;
+}
+
+function privileges_for_group($group_id) {
+	$privileges = array ();
+	$groups_privs = sql_select("SELECT * FROM `GroupPrivileges` JOIN `Privileges` ON (`GroupPrivileges`.`privilege_id` = `Privileges`.`id`) WHERE `group_id`=" . sql_escape($group_id));
+	foreach ($groups_privs as $guest_priv)
+		$privileges[] = $guest_priv['name'];
+	return $privileges;
+}
 ?>
diff --git a/www-ssl/index.php b/www-ssl/index.php
index 7c65abb2..214ec54a 100644
--- a/www-ssl/index.php
+++ b/www-ssl/index.php
@@ -22,6 +22,10 @@ sql_connect($config['host'], $config['user'], $config['pw'], $config['db']);
 
 load_auth();
 
+// JSON Authorisierung gewünscht?
+if (isset ($_REQUEST['auth']))
+	json_auth_service();
+
 // Gewünschte Seite/Funktion
 $p = isset ($user) ? "news" : "start";
 if (isset ($_REQUEST['p']))
@@ -89,15 +93,15 @@ if (in_array($p, $privileges)) {
 	elseif ($p == "admin_groups") {
 		require_once ('includes/pages/admin_groups.php');
 		$content = admin_groups();
-	} 
+	}
 	elseif ($p == "admin_faq") {
 		require_once ('includes/pages/admin_faq.php');
 		$content = admin_faq();
-	} 
+	}
 	elseif ($p == "admin_language") {
 		require_once ('includes/pages/admin_language.php');
 		$content = admin_language();
-	}  
+	}
 	elseif ($p == "admin_log") {
 		require_once ('includes/pages/admin_log.php');
 		$content = admin_log();
diff --git a/www-ssl/nonpublic/auth.php b/www-ssl/nonpublic/auth.php
index 7d58988c..143ea8c8 100644
--- a/www-ssl/nonpublic/auth.php
+++ b/www-ssl/nonpublic/auth.php
@@ -1,43 +1,8 @@
 <?php
-require_once ('../bootstrap.php');
 
-header("Content-Type: application/json");
-
-include "includes/config.php";
-include "includes/config_db.php";
-
-$User = $_POST['user'];
-$Pass = $_POST['pw'];
-$SourceOuth = $_POST['so'];
-
-if (isset ($CurrentExternAuthPass) && $SourceOuth == $CurrentExternAuthPass) {
-	$sql = "SELECT * FROM `User` WHERE `Nick`='" . $User . "'";
-	$Erg = mysql_query($sql, $con);
-
-	if (mysql_num_rows($Erg) == 1) {
-		if (mysql_result($Erg, 0, "Passwort") == $Pass) {
-			$UID = mysql_result($Erg, 0, "UID");
-
-			// get CVS import Data
-			$SQL = "SELECT * FROM `UserCVS` WHERE `UID`='" . $UID . "'";
-			$Erg_CVS = mysql_query($SQL, $con);
-			$CVS = mysql_fetch_array($Erg_CVS);
-
-			$msg = array (
-				'status' => 'success',
-				'rights' => $CVS
-			);
-			echo json_encode($msg);
-		} else
-			echo json_encode(array (
-				'status' => 'failed'
-			));
-	} else
-		echo json_encode(array (
-			'status' => 'failed'
-		));
-} else
-	echo json_encode(array (
-		'status' => 'failed'
-	));
+// Bleibt erstmal, damit Benutzer, die die Schnittstelle nutzen mitkriegen, dass diese Umgezogen ist
+echo json_encode(array (
+	'status' => 'failed',
+	'error' => "JSON Service moved to https://engelsystem.de/?auth&user=<user>&pw=<password>&so=<key>"
+));
 ?>
-- 
cgit v1.2.3-70-g09d2