<?php

/*

 * Enano - an open-source CMS capable of wiki functions, Drupal-like sidebar blocks, and everything in between

 * Version 1.0.2 (Coblynau)

 * Copyright (C) 2006-2007 Dan Fuhry

 * sessions.php - everything related to security and user management

 *

 * This program is Free Software; you can redistribute and/or modify it under the terms of the GNU General Public License

 * as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.

 *

 * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied

 * warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for details.

 */

// Prepare a string for insertion into a MySQL database

function filter($str) { return $db->escape($str); }

/**

 * Anything and everything related to security and user management. This includes AES encryption, which is illegal in some countries.

 * Documenting the API was not easy - I hope you folks enjoy it.

 * @package Enano

 * @subpackage Session manager

 * @category security, user management, logins, etc.

 */

class sessionManager {

  # Variables

  /**

   * Whether we're logged in or not

   * @var bool

   */

  var $user_logged_in = false;

  /**

   * Our current low-privilege session key

   * @var string

   */

  var $sid;

  /**

   * Username of currently logged-in user, or IP address if not logged in

   * @var string

   */

  var $username;

  /**

   * User ID of currently logged-in user, or -1 if not logged in

   * @var int

   */

  var $user_id;

  /**

   * Real name of currently logged-in user, or blank if not logged in

   * @var string

   */

  var $real_name;

  /**

   * E-mail address of currently logged-in user, or blank if not logged in

   * @var string

   */

  var $email;

  /**

   * List of "extra" user information fields (IM handles, etc.)

   * @var array (associative)

   */

  var $user_extra;

  /**

   * User level of current user

   * USER_LEVEL_GUEST: guest

   * USER_LEVEL_MEMBER: regular user

   * USER_LEVEL_CHPREF: default - pseudo-level that allows changing password and e-mail address (requires re-authentication)

   * USER_LEVEL_MOD: moderator

   * USER_LEVEL_ADMIN: administrator

   * @var int

   */

  var $user_level;

  /**

   * High-privilege session key

   * @var string or false if not running on high-level authentication

   */

  var $sid_super;

  /**

   * The user's theme preference, defaults to $template->default_theme

   * @var string

   */

  var $theme;

  /**

   * The user's style preference, or style auto-detected based on theme if not logged in

   * @var string

   */

  var $style;

  /**

   * Signature of current user - appended to comments, etc.

   * @var string

   */

  var $signature;

  /**

   * UNIX timestamp of when we were registered, or 0 if not logged in

   * @var int

   */

  var $reg_time;

  /**

   * MD5 hash of the current user's password, if applicable

   * @var string OR bool false

   */

  var $password_hash;

  /**

   * The number of unread private messages this user has.

   * @var int

   */

  var $unread_pms = 0;

  /**

   * AES key used to encrypt passwords and session key info - irreversibly destroyed when disallow_password_grab() is called

   * @var string

   */

  var $private_key;

  /**

   * Regex that defines a valid username, minus the ^ and $, these are added later

   * @var string

   */

  //var $valid_username = '([A-Za-z0-9 \!\@\(\)-]+)';

  var $valid_username = '([^<>_&\?\'"%\n\r\t\a\/]+)';

  /**

   * What we're allowed to do as far as permissions go. This changes based on the value of the "auth" URI param.

   * @var string

   */

  var $auth_level = -1;

  /**

   * State variable to track if a session timed out

   * @var bool

   */

  var $sw_timed_out = false;

  /**

   * Switch to track if we're started or not.

   * @access private

   * @var bool

   */

  var $started = false;

  /**

   * Switch to control compatibility mode (for older Enano websites being upgraded)

   * @access private

   * @var bool

   */

  var $compat = false;

  /**

   * Our list of permission types.

   * @access private

   * @var array

   */

  var $acl_types = Array();

  /**

   * The list of descriptions for the permission types

   * @var array

   */

  var $acl_descs = Array();

  /**

   * A list of dependencies for ACL types.

   * @var array

   */

  var $acl_deps = Array();

  /**

   * Our tell-all list of permissions.

   * @access private - or, preferably, protected

   * @var array

   */

  var $perms = Array();

  /**

   * A cache variable - saved after sitewide permissions are checked but before page-specific permissions.

   * @var array

   * @access private

   */

  var $acl_base_cache = Array();

  /**

   * Stores the scope information for ACL types.

   * @var array

   * @access private

   */

  var $acl_scope = Array();

  /**

   * Array to track which default permissions are being used

   * @var array

   * @access private

   */

  var $acl_defaults_used = Array();

  /**

   * Array to track group membership.

   * @var array

   */

  var $groups = Array();

  /**

   * Associative array to track group modship.

   * @var array

   */

  var $group_mod = Array();

  # Basic functions

  /**

   * Constructor.

   */

  function __construct()

  {

    global $db, $session, $paths, $template, $plugins; // Common objects

    include(ENANO_ROOT.'/config.php');

    unset($dbhost, $dbname, $dbuser, $dbpasswd);

    if(isset($crypto_key))

    {

      $this->private_key = $crypto_key;

      $this->private_key = hexdecode($this->private_key);

    }

    else

    {

      if(is_writable(ENANO_ROOT.'/config.php'))

      {

        // Generate and stash a private key

        // This should only happen during an automated silent gradual migration to the new encryption platform.

        $aes = new AESCrypt(AES_BITS, AES_BLOCKSIZE);

        $this->private_key = $aes->gen_readymade_key();

        $config = file_get_contents(ENANO_ROOT.'/config.php');

        if(!$config)

        {

          die('$session->__construct(): can\'t get the contents of config.php');

        }

        $config = str_replace("?>", "\$crypto_key = '{$this->private_key}';\n?>", $config);

        // And while we're at it...

        $config = str_replace('MIDGET_INSTALLED', 'ENANO_INSTALLED', $config);

        $fh = @fopen(ENANO_ROOT.'/config.php', 'w');

        if ( !$fh ) 

        {

          die('$session->__construct(): Couldn\'t open config file for writing to store the private key, I tried to avoid something like this...');

        }

        fwrite($fh, $config);

        fclose($fh);

      }

      else

      {

        die_semicritical('Crypto error', '<p>No private key was found in the config file, and we can\'t generate one because we don\'t have write access to the config file. Please CHMOD config.php to 666 or 777 and reload this page.</p>');

      }

    }

    // Check for compatibility mode

    if(defined('IN_ENANO_INSTALL'))

    {

      $q = $db->sql_query('SELECT old_encryption FROM '.table_prefix.'users LIMIT 1;');

      if(!$q)

      {

        $error = mysql_error();

        if(strstr($error, "Unknown column 'old_encryption'"))

          $this->compat = true;

        else

          $db->_die('This should never happen and is a bug - the only error that was supposed to happen here didn\'t happen. (sessions.php in constructor, during compat mode check)');

      }

      $db->free_result();

    }

  }

  /**

   * PHP 4 compatible constructor.

   */

  function sessionManager()

  {

    $this->__construct();

  }

  /**

   * Wrapper function to sanitize strings for MySQL and HTML

   * @param string $text The text to sanitize

   * @return string

   */

  function prepare_text($text)

  {

    global $db;

    return $db->escape(htmlspecialchars($text));

  }

  /**

   * Makes a SQL query and handles error checking

   * @param string $query The SQL query to make

   * @return resource

   */

  function sql($query)

  {

    global $db, $session, $paths, $template, $plugins; // Common objects

    $result = $db->sql_query($query);

    if(!$result)

    {

      $db->_die('The error seems to have occurred somewhere in the session management code.');

    }

    return $result;

  }

  # Session restoration and permissions

  /**

   * Initializes the basic state of things, including most user prefs, login data, cookie stuff

   */

  function start()

  {

    global $db, $session, $paths, $template, $plugins; // Common objects

    if($this->started) return;

    $this->started = true;

    $user = false;

    if(isset($_COOKIE['sid']))

    {

      if($this->compat)

      {

        $userdata = $this->compat_validate_session($_COOKIE['sid']);

      }

      else

      {

        $userdata = $this->validate_session($_COOKIE['sid']);

      }

      if(is_array($userdata))

      {

        $data = RenderMan::strToPageID($paths->get_pageid_from_url());

        if(!$this->compat && $userdata['account_active'] != 1 && $data[1] != 'Special' && $data[1] != 'Admin')

        {

          $this->logout();

          $a = getConfig('account_activation');

          switch($a)

          {

            case 'none':

            default:

              $solution = 'Your account was most likely deactivated by an administrator. Please contact the site administration for further assistance.';

              break;

            case 'user':

              $solution = 'Please check your e-mail; you should have been sent a message with instructions on how to activate your account. If you do not receive an e-mail from this site within 24 hours, please contact the site administration for further assistance.';

              break;

            case 'admin':

              $solution = 'This website has been configured so that all user accounts must be activated by the administrator before they can be used, so your account will most likely be activated the next time an administrator visits the site.';

              break;

          }

          // admin activation request opportunity

          $q = $db->sql_query('SELECT 1 FROM '.table_prefix.'logs WHERE log_type=\'admin\' AND action=\'activ_req\' AND edit_summary=\'' . $db->escape($userdata['username']) . '\';');

          if ( !$q )

            $db->_die();

          $can_request = ( $db->numrows() < 1 );

          $db->free_result();

          if ( isset($_POST['logout']) )

          {

            $this->sid = $_COOKIE['sid'];

            $this->user_logged_in = true;

            $this->user_id =       intval($userdata['user_id']);

            $this->username =      $userdata['username'];

            $this->auth_level =    USER_LEVEL_MEMBER;

            $this->user_level =    USER_LEVEL_MEMBER;

            $this->logout();

            redirect(scriptPath . '/', 'Logged out', 'You have successfully been logged out. All cookies cleared.', 4);

          }

          if ( $can_request && !isset($_POST['activation_request']) )

          {

            $form = '<p>If you are having trouble or did not receive the e-mail, you can request account activation from the administrators of this site.</p>

                     <form action="' . makeUrlNS('System', 'ActivateStub') . '" method="post">

                       <p><input type="submit" name="activation_request" value="Request account activation" /> <input type="submit" name="logout" value="Log out" /></p>

                     </form>';

          }

          else

          {

            if ( $can_request && isset($_POST['activation_request']) )

            {

              $this->admin_activation_request($userdata['username']);

              $form = '<p>A request has just been sent to the administrators of this site. They will be able to activate your account or send you another activation e-mail if needed.</p>

                       <form action="' . makeUrlNS('System', 'ActivateStub') . '" method="post">

                         <p><input type="submit" name="logout" value="Log out" /></p>

                       </form>';

            }

            else

            {

              $form = '<p>There is an active request in the administrators\' control panel for your account to be activated.</p>

                       <form action="' . makeUrlNS('System', 'ActivateStub') . '" method="post">

                         <p><input type="submit" name="logout" value="Log out" /></p>

                       </form>';

            }

          }

          die_semicritical('Account error', '<p>It appears that your user account has not yet been activated. '.$solution.'</p>' . $form);

        }

        $this->sid = $_COOKIE['sid'];

        $this->user_logged_in = true;

        $this->user_id =       intval($userdata['user_id']);

        $this->username =      $userdata['username'];

        $this->password_hash = $userdata['password'];

        $this->user_level =    intval($userdata['user_level']);

        $this->real_name =     $userdata['real_name'];

        $this->email =         $userdata['email'];

        $this->unread_pms =    $userdata['num_pms'];

        if(!$this->compat)

        {

          $this->theme =         $userdata['theme'];

          $this->style =         $userdata['style'];

          $this->signature =     $userdata['signature'];

          $this->reg_time =      $userdata['reg_time'];

        }

        // Small security risk here - it allows someone who has already authenticated as an administrator to store the "super" key in

        // the cookie. Change this to USER_LEVEL_MEMBER to override that. The same 15-minute restriction applies to this "exploit".

        $this->auth_level =    $userdata['auth_level'];

        if(!isset($template->named_theme_list[$this->theme]))

        {

          if($this->compat || !is_object($template))

          {

            $this->theme = 'oxygen';

            $this->style = 'bleu';

          }

          else

          {

            $this->theme = $template->default_theme;

            $this->style = $template->default_style;

          }

        }

        $user = true;

        if(isset($_REQUEST['auth']) && !$this->sid_super)

        {

          // Now he thinks he's a moderator. Or maybe even an administrator. Let's find out if he's telling the truth.

          if($this->compat)

          {

            $key = $_REQUEST['auth'];

            $super = $this->compat_validate_session($key);

          }

          else

          {

            $key = strrev($_REQUEST['auth']);

            $super = $this->validate_session($key);

          }

          if(is_array($super))

          {

            $this->auth_level = intval($super['auth_level']);

            $this->sid_super = $_REQUEST['auth'];

          }

        }

      }

    }

    if(!$user)

    {

      //exit;

      $this->register_guest_session();

    }

    if(!$this->compat)

    {

      // init groups

      $q = $this->sql('SELECT g.group_name,g.group_id,m.is_mod FROM '.table_prefix.'groups AS g

          LEFT JOIN '.table_prefix.'group_members AS m

            ON g.group_id=m.group_id

          WHERE ( m.user_id='.$this->user_id.' 

            OR g.group_name=\'Everyone\')

            ' . ( enano_version() == '1.0RC1' ? '' : 'AND ( m.pending != 1 OR m.pending IS NULL )' ) . '

          ORDER BY group_id ASC;'); // Make sure "Everyone" comes first so the permissions can be overridden

      if($row = $db->fetchrow())

      {

        do {

          $this->groups[$row['group_id']] = $row['group_name'];

          $this->group_mod[$row['group_id']] = ( intval($row['is_mod']) == 1 );