Timeshare security

From PeacockWiki

Contents 1 Overview 2 Auth object 2.1 get_user_id() 2.2 get_user() 2.3 get_user_name() 2.4 static get_auth() 2.5 login($username, $password) 2.6 logout() 2.7 is_authenticated() 2.8 define([[$role_name], $access]) 2.9 define_user($role_name, $user) 2.10 define_group($role_name, [$group]) 2.11 define_manager($role_name, [$group]) 2.12 define_authenticated([$role_name]) 2.13 define_not_authenticated([$role_name]) 2.14 define_everybody([$role_name]) 2.15 define_admin([$role_name]) 2.16 define_supervisor([$role_name]) 2.17 count_roles() 2.18 can([$role_name]) 2.19 static function auth_error([$error]) 2.20 end_auth([$error]) 3 Notes

Overview

Page security in timeshare revolves around the Auth object (in lib/auth.php). An instance of this object is available from all smarty HTML (*.smarty) templates in the form of a variable 'user' ($user).

Auth provides login/logout methods, and a facility to define users that should have access to a specific page, and what access they should have.

Auth object

In addition to the following functions, Auth stores a DBDataObject representing the currently logged in user. methods and functions are forwarded to the DBDataObject allowing Auth to act as if it was the DBDataObject. This allows the programmer to easily access the DBDataObject from smarty. This should rarely be required as Auth should handle most needed functions through its own methods.

Note: fields of the DBDataObject may not be accessible until get_user() is called to fetch the object. get_user() is called by most methods of Auth, so chances are it will already have been fetched when required.

get_user_id()

returns the ID of the currently logged in user.

get_user()

returns the DBDataObject representing the currenly logged in user.

get_user_name()

returns the full name of the currently logged in user.

static get_auth()

static function that returns the current instance of Auth.

login($username, $password)

Checks that the username and password match a user in the database, before setting session variables

returns

• 1 - logged in sucessfully
• -1 - incorrect password
• -2 - invalid username

logout()

is_authenticated()

define([[$role_name], $access])

'access'true add a user to a role

define_user($role_name, $user)

add a user to a role if they are the required user

define_group($role_name, [$group])

add a user to a role if they are in the required group

define_manager($role_name, [$group])

add user to a role if they manage the specified group

define_authenticated([$role_name])

define_not_authenticated([$role_name])

define_everybody([$role_name])

define_admin([$role_name])

define_supervisor([$role_name])

count_roles()

can([$role_name])

static function auth_error([$error])

end_auth([$error])

Notes

As it is intended most processing is done in smarty, there is one known disadvantage in the syntax of smarty tags.

 {generate_data_object var="statusreport" query="statusreport" id=$smarty.get.id}
 {$user->define_manager('write', $statusreport->get('group'))}

Smarty does not handle the second '->' (in $statusreport->get('group') ). This is easily solved by a simple workaround. Assign the value to a smarty variable in a seperate command

{generate_data_object var="statusreport" query="statusreport" id=$smarty.get.id}
{assign var="group" value=$statusreport->get('group')}
{$user->define_manager('write', $group)}