Auth Module API Documentation

This document is to detail the API and functionality of the Auth module. The requirements and workings will be explained, followed by function documentation.

Requirements

  • PHP and a webserver
  • A SQL database (currently uses Sybase; code would need tweaking to use something else)

    • Database Layout There are 4 database tables used by Auth. There is no install script, so these would need to be created manually.
    1. users - contains basic information about users. Columns as follows:
    2. userPrivs - a list of permissions for users. Each record essentiallys says user X may do Y. The subclass start and end allow finer tuned control; i.e., user X may do Y provided Z falls within the acceptable range. Thus anything can be used for these values so long as it is comparable on the SQL server being used. The keyword 'all' is reserved for indicating that there is no subclass.
    3. userGroups - defines groups of users. Each record indicates one member of one group.
    4. userGroupPrivs - similar to userPrivs, but for groups. See that table for details.

    API

    auth/login.php - this is the main file. Include this to use the auth module.

    bool changePassword ( string username, string oldpassword, string newpassword )
    Updates the users password. Returns true on success, false on failure.

    mixed checkLogin ( )
    Examines cookies to determine if any user is logged in. Returns the name of the logged in user if there is one, otherwise returns false.

    bool createLogin ( string name, string password )
    Enters a new username / password combination into the database. Returns true on success, false on failure. Requires 'admin' authorization.

    bool deleteLogin ( string name )
    Deletes the given user. Returns true on success, false on failure. Requires 'admin' authorization.

    bool login ( string name, string password )
    Checks the username and password, then logs in the user if credentials are correct. Returns true on success, false on failure. Note this function sets a cookie, so no output can be sent to the browser prior to calling it.

    bool logout ( )
    Logs out the currently logged in user and returns true. Note this function sets a cookie, so no output can be sent to the browser prior to calling it.

    void showUsers ( )
    Prints out a table of information about current users. Requires 'admin' authorization.

    mixed validateUser ( string authorization [, string subclass ] )
    Determines who, if anyone, is logged in, and checks to see whether that user has the given authorization. Returns the logged in user's name on success, or prints error messages AND returns false on failure.

    mixed validateUserQuiet ( string authorization [, string subclass ] )
    Identical to above except no error messages are printed.

    auth/privileges.php

    bool addAuth ( string username, string authorization [, string subclass_start, string subclass_end ] )
    Adds the given authorization for the given user. Returns true on success, false on failure. Requires 'admin' authorization.

    bool checkAuth ( string username, string authorization [, string subclass ] )
    Checks if the given user has the specified authorization. Returns true or false accordingly.

    bool deleteAuth ( string username, string authorization )
    Deletes ALL matching authorizations for the user. There is currently no way to delete just a single subclass span within an authorization. Returns true on success, false on failure. Requires 'admin' authorization.

    bool showAuths ( string username )
    Prints a table of authorization information for the given user. Returns true on success, false on failure. Requires 'admin' authorization.

    auth/groups.php

    bool addAuthToGroup ( string groupname, string authorization [, string subclass_start, string subclass_end ] )
    Adds the authorization to the given group. Returns true on success, false on failure.

    bool addGroup ( string groupname, string username )
    Creates a group AND adds the user to it. Because of the database structure, a group without users isn't feasible, but such a group isn't particularly useful. Returns true on success, false on failure.

    bool addUserToGroup ( string groupname, string username )
    Adds the given user to the given group. Returns true on success false on failure.

    bool checkGroupAuth ( string groupname, string authrization [, string subclass ] )
    Checks if the group has the given authorization and returns true or false accordingly.

    bool deleteAuthFromGroup ( string groupname, string authorization )
    Deletes ALL instances of the given authorization from the given group. Returns true on success, false on failure.

    bool deleteGroup ( string groupname )
    Deletes the given group. Returns true on success, false on failure.

    bool deleteUserFromGroup ( string groupname, string username )
    Deletes the given user from the given group. Returns true on success, false on failure.

    void detailGroup ( string groupname )
    Prints tabled information about the given group including users and authorizations.

    bool showGroups ( )
    Prints a table of group information. Returns true.

    auth/utilities.php - useful functions that don't belong anywhere else

    resource dbconnect ( )
    Connects to the database and returns a MS SQL link identifier. Doesn't do any error checking. This is really only useful for moving the database, since the location and database are specified in the one spot. Actual code doesn't abstract other calls, so the mssql_* functions would have to all be replaced to switch DB providers.

    mixed getGID ( string groupname )
    Returns the group id number of the given group if it exists, otherwise returns false.

    mixed getUID ( string username )
    Returns the user id number of the given user if it exists, otherwise returns false.

    bool isAlphanumeric ( string input )
    Verifies that the string doesn't contain anything other than letters, numbers, and underscores. All user input should really be checked with this before being sent to the database to prevent SQL injection. Returns true or false accordingly.

    auth/doc This. You're reading it.

    auth/ui - A user interface for logging in and out and administering the system. Mostly straightforward. Notably, the auth module is self enforcing. A user must have the authorization 'admin' to perform many of the administrative tasks, enforced on the base level or the user interface level (or both). I think that adding a user with an empty password field to the table users and giving that user an 'admin' 'all' 'all' authorization in the table userPrivs would give you an intial admin to login with, but I haven't actually tried it. It depends how crypt deals with an empty string.

    auth/ui/loginform.php - the big kahuna for the GUI. This logs in users, but does a couple other tricks via GET. Giving a get parameter of logout=yes will logout the user. A get parameter of redirect=[url] will automatically send the user to the specified url after a successful login. Note the redirect url itself can only contain one get parameter because the ampersand would end 'redirect'; this is a known limitation.

    auth/ui/index.php - auto-redirects users to either the login page or the menu based on whether or not they're logged in. Handy in that just 'auth/ui' can be given to users as a single, all purpose bookmark.

    Usage

    Or, how do I plug this thing into my code? Well, just use validateUser or validateUserQuiet to check your user's permissions. Use auth/ui/loginform.php with the 'redirect' get parameter to provide users with a login link that will take them back to the current page - or where ever you want them to go. You could also zap them there automagically with <?php header("Location: /path/to/auth/ui/loginform.php?redirect=...") ?> And that's about that.