Source for file InviteAuthzEngine.php
Documentation is available at InviteAuthzEngine.php
* @copyright Copyright 2005-2010 RedIRIS, http://www.rediris.es/
* This file is part of phpPoA2.
* phpPoA2 is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
* phpPoA2 is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
* You should have received a copy of the GNU General Public License
* along with phpPoA2. If not, see <http://www.gnu.org/licenses/>.
* @license http://www.gnu.org/licenses/gpl.html GNU General Public License
* @author Jaime Perez <jaime.perez@rediris.es>
* Supported database types.
define('INVITES_DBA', 'InviteDBADB');
define('INVITES_MYSQL', 'InviteMySQLDB');
define('INVITES_SESSION', 'InviteSessionDB');
define('AUTHORIZED_DBA', 'AuthorizedDBADB');
define('AUTHORIZED_MYSQL', 'AuthorizedMySQLDB');
define('AUTHORIZED_SESSION', 'AuthorizedSessionDB');
* This hook is executed right before it is checked whether the user was invited or not to
* continue with authorization.
* It can be used to trick the engine to believe the user was previously invited (and therefore
* forcing authorization).
* The hook receives a boolean parameter representing whether the referenced invitation was found
* function invitesBeforeAuthorization(&$invite_exists);
* Please bear in mind that hooks must return TRUE or they'll keep other hooks from executing.
define("INVITES_BEFORE_AUTHORIZATION", "INVITES_BEFORE_AUTHORIZATION");
* Invitation based authorization engine.
* @subpackage InviteAuthorizationEngine
protected $valid_hooks = array(INVITES_BEFORE_AUTHORIZATION);
* Configure the authorization engine.
* @param file The configuration file.
* @param section The section of the configuration file to use.
parent::configure($file, $section);
// configure authorized DB
$db_t = $this->cfg->getAuthorizedDBType();
$db_t = $this->cfg->getInvitesDBType();
* Check if the specified user is authorized with the given attributes.
* @param user The name of the user to check authorization for.
* @param attrs The attributes of the user to match his identity.
* @return boolean true if the user is authorized, false otherwise.
$stored = $this->authz_db->fetch($user);
if (!$stored) { // not found
if ($stored['expires'] && $now > $stored['expires']) {
foreach ($this->cfg->getUniqueAttributes() as $attr) {
foreach ($attr as $compound) {
$partial &= isset ($stored['attributes'][$compound]) &&
isset ($attrs[$compound]) &&
$stored['attributes'][$compound] === $attrs[$compound];
$rslt |= isset ($stored['attributes'][$attr]) &&
$stored['attributes'][$attr] === $attrs[$attr];
* Get a list of all authorized users.
* @return array The list of all users currently authorized. An empty
* Get a list of all pending invitations.
* @return array The list of all pending invitations. An empty array if
* Authorize the specified user.
* @return boolean true if the user was successfully authorized, false otherwise.
public function authorize($user, $attrs, $ref, $expires = 0) {
$exists = $this->authz_db->check($user);
// run hook before actually performing authorization
// the user wasn't previously invited
if ($exists) { // the user was previously authorized
$stored = $this->authz_db->fetch($user);
foreach ($stored['attributes'] as $name => $value) {
$matches &= ($attrs[$name] == $value);
if ($matches) { // is the same user, skip
// either the invite exists or we are asked to force authorization
// check if the user has some of the mandatory attributes
$unique = $this->cfg->getUniqueAttributes();
foreach ($unique as $item) {
$save = array(); // restore on each iteration
if (is_array($item)) { // a combination of attributes
foreach ($item as $name) {
$complete &= !empty($attrs[$name]);
$save[$name] = $attrs[$name];
break; // all attributes found, ok!
} else { // a single attribute
if (!empty($attrs[$item])) { // attribute found, ok!
$save[$item] = $attrs[$item];
if (empty($save)) { // no available attributes!
// now save the user in the authorized database
if (@!$this->authz_db->replace_authorization($user, $save, $invite['email'], $expires)) {
// look for any other pending invites for this user, and delete them
foreach ($pending as $key => $stored) {
if ($stored['email'] === $invite['email']) {
* Revoke authorization for the specified user.
* @return boolean true if authorization was successfully revoked, false otherwise.
public function revoke($mail) {
// Library should leave the address as is.
//$mail = strtolower($mail);
// get a list with all users authorized
// iterate to find the user
foreach ($all as $key => $values) {
if ($values['email'] == $mail) {
* Send an invitation to an e-mail address (that is, send an e-mail to that
* address with instructions on how to get authorized and an URL to follow).
* @param mail The e-mail of the user.
* @param expires The time (POSIX) when authorization will expire. Use 0 if authorization
* should never expire. Defaults to 0.
* @return boolean true if the invitation was correctly sent, false in any other case.
public function invite($mail, $expires = 0) {
// Library should leave the address as is.
//$mail = strtolower($mail);
// generate random reference
if (@!$this->invites_db->replace_invite($ref, $mail, $expires)) {
$sep = (!strstr($this->cfg->getInviteURL(), "?")) ? "?" : "&";
$url = $this->cfg->getInviteURL(). $sep. "ref=". $ref;
$headers = "From: ". $this->cfg->getAdminEmail();
$command_params = "-f ". $this->cfg->getAdminEmail();
mail($mail, $this->cfg->getInviteSubject(), $text, $headers, $command_params);
* Remove an invitation from the database.
* @param ref The reference to the invite to remove.
* @return boolean true if the invite was removed, false otherwise.
* Perform e-mail verification for the current user according to the configuration
* @param mail The e-mail of the user.
* @param attrs The array of attributes of the user.
* @return boolean true if verification succeeds or was not performed, false otherwise.
$mail_attr = $this->cfg->getEmailVerifyAttribute();
if ($this->cfg->doEmailVerify()) {
// empty attribute, configuration error!
// attribute not set, cannot verify
if (!isset ($attrs[$mail_attr])) {
$alg_re = $this->cfg->getEmailVerifyAlgRegEx();
$val_re = $this->cfg->getEmailVerifyRegEx();
// support for attributes with multiple values
$mail_attrs = $attrs[$mail_attr];
$mail_attrs = array($attrs[$mail_attr]);
foreach ($mail_attrs as $attr_val) {
// extract function for each value
$alg = "sprintf(\"%s\",";
if (!preg_match("/". $alg_re. "/", $attr_val, $vals_alg)) {
if (!preg_match("/". $val_re. "/", $attr_val, $vals_value)) {
$received[$alg] = $vals_value[1];
// none of the mail attributes matched the regular expressions
// check all possibilities
foreach ($received as $alg => $value) {
$computed_value = eval ("return ". $alg. "\"". $mail. "\");");
if ($computed_value != $value) {
// no match, continue searching
//trigger_error(PoAUtils::msg('mail-verify-err', array($mail, $computed_value, $value)), E_USER_WARNING);
// verification is enabled but we were unable to find any matching e-mail
* Close databases and return the same value received as a parameter.
* @param value The value that must be returned.
*ÂÂ @return mixed The first param.
protected function finish($value) {
|