Timeshare security

From PeacockWiki

Contents 1 Overview 2 Auth object 2.1 get_user_id() 2.2 get_user() 2.3 get_user_name() 2.4 static function get_auth() 2.5 login($username, $password) 2.6 logout() 2.7 is_authenticated() 2.8 define([[$role_name], $access]) 2.9 define_user($role_name, $user) 2.10 define_group($role_name, [$group]) 2.11 define_manager($role_name, [$group]) 2.12 define_authenticated([$role_name]) 2.13 define_not_authenticated([$role_name]) 2.14 define_everybody([$role_name]) 2.15 define_admin([$role_name]) 2.16 define_supervisor([$role_name]) 2.17 count_roles() 2.18 can([$role_name]) 2.19 static function auth_error([$error]) 2.20 end_auth([$error]) 3 Notes

Overview

Page security in timeshare revolves around the Auth object (in lib/auth.php). An instance of this object is available from all smarty HTML (*.smarty) templates in the form of a variable 'user' ($user).

Auth provides login/logout methods, and a facility to define users that should have access to a specific page, and what access they should have.

Auth object

In addition to the following functions, Auth stores a DBDataObject representing the currently logged in user. methods and functions are forwarded to the DBDataObject allowing Auth to act as if it was the DBDataObject. This allows the programmer to easily access the DBDataObject from smarty. This should rarely be required as Auth should handle most needed functions through its own methods.

get_user_id()

get_user()

get_user_name()

static function get_auth()

login($username, $password)

logout()

is_authenticated()

define([[$role_name], $access])

'access'true add a user to a role

define_user($role_name, $user)

add a user to a role if they are the required user

define_group($role_name, [$group])

add a user to a role if they are in the required group

define_manager($role_name, [$group])

add user to a role if they manage the specified group

define_authenticated([$role_name])

define_not_authenticated([$role_name])

define_everybody([$role_name])

define_admin([$role_name])

define_supervisor([$role_name])

count_roles()

can([$role_name])

static function auth_error([$error])

end_auth([$error])

Notes

As it is intended most processing is done in smarty, there is one known disadvantage in the syntax of smarty tags.

 {generate_data_object var="statusreport" query="statusreport" id=$smarty.get.id}
 {$user->define_manager('write', $statusreport->get('group'))}

Smarty does not handle the second '->' (in $statusreport->get('group') ). This is easily solved by a simple workaround. Assign the value to a smarty variable in a seperate command

{generate_data_object var="statusreport" query="statusreport" id=$smarty.get.id}
{assign var="group" value=$statusreport->get('group')}
{$user->define_manager('write', $group)}