Timeshare security

From PeacockWiki

(Difference between revisions)
Revision as of 11:42, 20 September 2005 (edit)
Trevorp (Talk | contribs)
(Auth object)
Revision as of 11:44, 20 September 2005 (edit)
Trevorp (Talk | contribs)
(Auth object)
Line 20: Line 20:
Checks that the username and password match a user in the database, before setting session variables Checks that the username and password match a user in the database, before setting session variables
-returns+Returns:
-*1 - logged in sucessfully+* 1 - logged in sucessfully
*-1 - incorrect password *-1 - incorrect password
*-2 - invalid username *-2 - invalid username
===logout()=== ===logout()===
 +Loggs out the currenly logged in user, removing any session variables
===is_authenticated()=== ===is_authenticated()===
 +returns true if there is a user logged in
===define([[$role_name], $access])=== ===define([[$role_name], $access])===
'access'true 'access'true
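Review bot: the lines added in this revision carry spelling errors that will propagate into the rendered page: "sucessfully" should be "successfully", "Loggs out the currenly" should be "Logs out the currently", and "returns true if there is a user logged in" should be capitalised and end with a period to match the other method descriptions. The define() context line "'access'true" also reads as garbled on both sides of the diff and is worth rewriting while this section is being edited.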

Revision as of 11:44, 20 September 2005

Overview

Page security in timeshare revolves around the Auth object (in lib/auth.php). An instance of this object is available from all smarty HTML (*.smarty) templates in the form of a variable 'user' ($user).

Auth provides login/logout methods, and a facility to define users that should have access to a specific page, and what access they should have.

Auth object

In addition to the following functions, Auth stores a DBDataObject representing the currently logged in user. Methods and functions are forwarded to the DBDataObject, allowing Auth to act as if it were the DBDataObject. This lets the programmer access the DBDataObject directly from smarty, though that should rarely be required, as Auth handles most needed functions through its own methods.

Note: fields of the DBDataObject may not be accessible until get_user() has been called to fetch the object. get_user() is called by most methods of Auth, so in practice it will usually already have been fetched when required.

get_user_id()

Returns the ID of the currently logged in user.

get_user()

Returns the DBDataObject representing the currently logged in user.

get_user_name()

Returns the full name of the currently logged in user.

static get_auth()

Static function that returns the current instance of Auth.

login($username, $password)

Checks that the username and password match a user in the database before setting session variables.

Returns:

  • 1 - logged in successfully
  • -1 - incorrect password
  • -2 - invalid username

logout()

Logs out the currently logged in user, removing any session variables.

is_authenticated()

Returns true if there is a user logged in.

define([[$role_name], $access])

'access'true Adds a user to a role.

define_user($role_name, $user)

Adds a user to a role if they are the required user.

define_group($role_name, [$group])

Adds a user to a role if they are in the required group.

define_manager($role_name, [$group])

Adds a user to a role if they manage the specified group.

define_authenticated([$role_name])

define_not_authenticated([$role_name])

define_everybody([$role_name])

define_admin([$role_name])

define_supervisor([$role_name])

count_roles()

can([$role_name])

static function auth_error([$error])

end_auth([$error])
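A constructed stand-in for the Auth object (added here; not timeshare's own lib/auth.php) that keeps the documented method names and login() return codes, showing how a page handler logs in, defines a role with define_manager() and gates an action on can(). The user table, the password hashing and the 'manages' list are assumptions made for this example.

```php
<?php
// Constructed stand-in for timeshare's Auth: same method names and
// login() return codes as documented above; storage is an assumption.
class AuthExample {
    private array $users;          // constructed table: name => [hash, manages]
    private array $roles = [];     // role name => true, filled by define_*()
    private ?string $current = null;

    public function __construct(array $users) { $this->users = $users; }

    // 1 = logged in, -1 = incorrect password, -2 = invalid username
    public function login(string $username, string $password): int {
        if (!isset($this->users[$username])) { return -2; }
        if (!password_verify($password, $this->users[$username]['hash'])) { return -1; }
        $this->current = $username;
        return 1;
    }
    public function logout(): void { $this->current = null; $this->roles = []; }
    public function is_authenticated(): bool { return $this->current !== null; }

    // define_manager($role_name, $group): grant the role if the user manages $group
    public function define_manager(string $role_name, string $group): void {
        if ($this->is_authenticated()
            && in_array($group, $this->users[$this->current]['manages'], true)) {
            $this->roles[$role_name] = true;
        }
    }
    public function can(string $role_name): bool { return !empty($this->roles[$role_name]); }
}

// Constructed sample user; the hash is created at runtime, nothing is stored in clear.
$users = [
    'alice' => ['hash' => password_hash('s3cret', PASSWORD_DEFAULT), 'manages' => ['finance']],
];
$auth = new AuthExample($users);

$rc = $auth->login('alice', 's3cret');
if ($rc !== 1) {
    // Keep -1 and -2 for the server log only: showing the same message for
    // both stops the login form from revealing which usernames exist.
    error_log("login failed rc=$rc");
    exit('Login failed');
}

// Page handler for a status report owned by the 'finance' group.
$auth->define_manager('write', 'finance');
echo $auth->can('write') ? "render editable report\n" : "render read-only report\n";
```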

Notes

As most processing is intended to be done in smarty, there is one known disadvantage in the syntax of smarty tags.

 {generate_data_object var="statusreport" query="statusreport" id=$smarty.get.id}
 {$user->define_manager('write', $statusreport->get('group'))}

Smarty does not handle the second '->' (in $statusreport->get('group')). This is easily solved by a simple workaround: assign the value to a smarty variable in a separate command.

{generate_data_object var="statusreport" query="statusreport" id=$smarty.get.id}
{assign var="group" value=$statusreport->get('group')}
{$user->define_manager('write', $group)}