User authentication
Our user authentication class needs to:
Process login requests
Check to see if the user is logged in
Log out the user
Maintain information about the currently logged-in user (we could extend
this to use a User object if we wish)
Firstly, we need our class and some methods:
<?php
/**
* Authentication manager
*
*
* @version 1.0
* @author Michael Peacock
*/
class authentication {
private $userID;
private $loggedIn = false;
private $admin = false;
private $groups = array();
private $banned = false;
private $active = true;
private $username;
private $name;
private $loginFailureReason;
private $justProcessed = false;
public function __construct() {}
These are just the core properties we need to maintain and access. The next stage is
to check for any authentication request or current login; this will be called by our
framework once the database has been connected to. It should first check whether a
user may already be logged in and, if so, verify this. If not, it should then check
whether a user is trying to log in. The following function does this, and passes
control to the appropriate method depending on the situation.
public function checkForAuthentication()
{
if( isset( $_SESSION['phpecomf_auth_session_uid'] ) &&
intval( $_SESSION['phpecomf_auth_session_uid'] ) > 0 )
{
$this->sessionAuthenticate( intval(
$_SESSION['phpecomf_auth_session_uid'] ) );
}
elseif( isset( $_POST['ecomf_auth_user'] ) &&
$_POST['ecomf_auth_user'] != '' &&
isset( $_POST['ecomf_auth_pass'] ) &&
$_POST['ecomf_auth_pass'] != '')
{
$this->postAuthenticate(
PeacockCarterFrameworkRegistry::getObject('db')->
sanitizeData( $_POST['ecomf_auth_user'] ),
md5( $_POST['ecomf_auth_pass'] ) );
}
//echo $this->userID;
}
We can authenticate a user who is logged in from session data: if we store the user's
ID in a session, we can check this is valid and the user is active.
private function sessionAuthenticate( $uid )
{
$sql = "SELECT u.ID, u.username, u.active, u.email, u.admin,
u.banned, u.name, (SELECT GROUP_CONCAT( g.name SEPARATOR
'-groupsep-' ) FROM groups g, group_memberships gm
WHERE g.ID = gm.group AND gm.user = u.ID ) AS groupmemberships
FROM users u WHERE u.ID={$uid}";
PeacockCarterFrameworkRegistry::getObject('db')->
executeQuery( $sql );
if( PeacockCarterFrameworkRegistry::getObject('db')->
numRows() == 1 )
{
Even if the user exists, we can't just log them in. But what if their user account is not
active, or has been marked as "banned"?
$userData = PeacockCarterFrameworkRegistry::getObject('db')->
getRows();
if( $userData['active'] == 0 )
{
$this->loggedIn = false;
$this->loginFailureReason = 'inactive';
$this->active = false;
}
elseif( $userData['banned'] != 0)
{
$this->loggedIn = false;
$this->loginFailureReason = 'banned';
$this->banned = true; // record that this account is banned
}
else
{
$this->loggedIn = true;
$this->userID = $uid;
$this->admin = ( $userData['admin'] == 1 ) ? true : false;
$this->username = $userData['username'];
$this->name = $userData['name'];
All of a user's group memberships are returned as a single field from the user lookup
query. We can then split this into the individual groups and store them in the object.
$groups = explode( '-groupsep-',
$userData['groupmemberships'] );
$this->groups = $groups;
}
}
else
{
$this->loggedIn = false;
$this->loginFailureReason = 'nouser';
if( $this->loggedIn == false )
{
$this->logout();
}
}
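The split of the groupmemberships field has one edge case worth handling: GROUP_CONCAT returns NULL for a user with no group rows, and explode() on that value yields array(''), so a later isMemberOfGroup('') check would return true. The following is an added example, not the book's code; the parseGroupMemberships() and isMemberOfGroup() names are my own, and the two rows are constructed to stand in for $userData from the lookup query.

```php
<?php
// Added example, not the book's code: splitting the groupmemberships field
// without the empty-string pitfall. GROUP_CONCAT yields NULL when a user has no
// group rows, and explode() turns NULL (cast to '') into array(''), so the
// class above would report membership of the group named ''.

function parseGroupMemberships(?string $field, string $sep = '-groupsep-'): array
{
    if ($field === null || $field === '') {
        return [];                               // no memberships, not ['']
    }
    $groups = array_map('trim', explode($sep, $field));
    // Drop empty names and duplicates so that membership checks stay exact.
    return array_values(array_unique(array_filter($groups, fn ($g) => $g !== '')));
}

function isMemberOfGroup(array $groups, string $group): bool
{
    return in_array($group, $groups, true);      // strict comparison on purpose
}

// Constructed rows standing in for $userData['groupmemberships'].
$rows = [
    'three groups' => 'customers-groupsep-newsletter-groupsep-customers',
    'no groups'    => null,
];
foreach ($rows as $label => $field) {
    $naive = explode('-groupsep-', (string) $field);   // what the class above does
    $safe  = parseGroupMemberships($field);
    printf("%-12s naive=%s safe=%s memberOf(''): naive=%s safe=%s\n", $label,
        json_encode($naive), json_encode($safe),
        var_export(in_array('', $naive), true),
        var_export(isMemberOfGroup($safe, ''), true));
}
```

Run it with the PHP CLI; the "no groups" row shows the naive split producing a one-element array with an empty name while the parser returns an empty array. The strict in_array() also avoids loose-comparison surprises when $group arrives from user input rather than as a literal.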
If the user is trying to log in, we must look up his or her username and password to
verify them. This is very similar to the above function, except that it uses the
username and password provided by the user, rather than a session-stored user ID.
private function postAuthenticate( $u, $p )
{
$this->justProcessed = true;
$sql = "SELECT u.ID, u.username, u.email, u.admin, u.banned,
u.active, u.name, (SELECT GROUP_CONCAT( g.name SEPARATOR
'-groupsep-' ) FROM groups g, group_memberships gm WHERE
g.ID = gm.group AND gm.user = u.ID ) AS groupmemberships
FROM users u WHERE u.username='{$u}'
AND u.password_hash='{$p}'";
//echo $sql;
PeacockCarterFrameworkRegistry::getObject('db')->
executeQuery( $sql );
if( PeacockCarterFrameworkRegistry::getObject('db')->
numRows() == 1 )
{
$userData = PeacockCarterFrameworkRegistry::getObject('db')->
getRows();
As before, once we find a user, we must check that they are active and not banned
from the site.
if( $userData['active'] == 0 )
{
$this->loggedIn = false;
$this->loginFailureReason = 'inactive';
$this->active = false;
}
elseif( $userData['banned'] != 0)
{
$this->loggedIn = false;
$this->loginFailureReason = 'banned';
$this->banned = true; // record that this account is banned
}
else
{
$this->loggedIn = true;
$this->userID = $userData['ID'];
$this->admin = ( $userData['admin'] == 1 ) ? true : false;
$_SESSION['phpecomf_auth_session_uid'] = $userData['ID'];
$groups = explode( '-groupsep-',
$userData['groupmemberships'] );
$this->groups = $groups;
}
}
else
{
$this->loggedIn = false;
$this->loginFailureReason = 'invalidcredentials';
}
}
Logging out can be done simply by cleaning the session data for the user.
function logout()
{
$_SESSION['phpecomf_auth_session_uid'] = '';
}
Finally, we need some getter methods to return various properties of the
current user.
public function getUserID()
{
return $this->userID;
}
public function isLoggedIn()
{
return $this->loggedIn;
}
public function isAdmin()
{
return $this->admin;
}
public function getUsername()
{
return $this->username;
}
public function isMemberOfGroup( $group )
{
if( in_array( $group, $this->groups ) )
{
return true;
}
else
{
return false;
}
}
}
?>
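The class above stores an md5() of the password, builds its SQL by string interpolation (relying on sanitizeData()), and blanks rather than removes the session key on logout. The following is an added example, not the book's code, showing the same login, session-resume and logout flow with password_verify(), a PDO prepared statement, and session id rotation on login. The SafeAuthentication class name, the accept()/fail() helpers and the users fixture are my own; it assumes the pdo_sqlite extension and builds its table in memory so it runs stand-alone.

```php
<?php
// Added example, not the book's code: the login / session / logout flow of the
// authentication class above, with password_verify() instead of md5(), a
// prepared statement instead of interpolated SQL, and session id rotation.
// Assumes pdo_sqlite; the users table and $session array are constructed here.
final class SafeAuthentication
{
    private const SESSION_KEY = 'phpecomf_auth_session_uid';
    private PDO $db;
    private array $session;
    private ?int $userID = null;
    private bool $loggedIn = false;
    private string $loginFailureReason = '';

    public function __construct(PDO $db, array &$session)
    {
        $this->db = $db;
        $this->session = &$session;   // $_SESSION in a real request
    }

    public function postAuthenticate(string $username, string $password): bool
    {
        // Bound parameter: the username is data, never part of the SQL text.
        $stmt = $this->db->prepare('SELECT ID, password_hash, active, banned FROM users WHERE username = :u');
        $stmt->execute([':u' => $username]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        // Verify against a throwaway hash when the user is unknown, so the
        // response time is the same for "no such user" and "wrong password".
        $hash = $row['password_hash'] ?? password_hash('no-such-user', PASSWORD_DEFAULT);
        if (!password_verify($password, $hash) || $row === false) {
            return $this->fail('invalidcredentials');
        }
        if (!$this->accept($row)) { return false; }
        if (session_status() === PHP_SESSION_ACTIVE) {
            session_regenerate_id(true);   // fresh id after login defeats session fixation
        }
        $this->session[self::SESSION_KEY] = (int) $row['ID'];
        return true;
    }

    public function sessionAuthenticate(int $uid): bool
    {
        $stmt = $this->db->prepare('SELECT ID, active, banned FROM users WHERE ID = :id');
        $stmt->execute([':id' => $uid]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        if ($row === false) { $this->logout(); return $this->fail('nouser'); }
        return $this->accept($row);
    }

    public function logout(): void
    {
        unset($this->session[self::SESSION_KEY]);   // remove the key rather than blank it
        $this->fail('');
    }

    public function isLoggedIn(): bool { return $this->loggedIn; }
    public function getUserID(): ?int { return $this->userID; }
    public function getLoginFailureReason(): string { return $this->loginFailureReason; }

    // The active/banned checks that the class above repeats in both paths.
    private function accept(array $row): bool
    {
        if ((int) $row['active'] === 0) { return $this->fail('inactive'); }
        if ((int) $row['banned'] !== 0) { return $this->fail('banned'); }
        $this->loggedIn = true;
        $this->userID = (int) $row['ID'];
        $this->loginFailureReason = '';
        return true;
    }

    private function fail(string $reason): bool
    {
        $this->loggedIn = false;
        $this->userID = null;
        $this->loginFailureReason = $reason;
        return false;
    }
}

// Constructed in-memory fixture: one normal user, one banned user.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (ID INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT, active INTEGER, banned INTEGER)');
$ins = $db->prepare('INSERT INTO users (username, password_hash, active, banned) VALUES (?, ?, ?, ?)');
$ins->execute(['alice', password_hash('correct horse battery', PASSWORD_DEFAULT), 1, 0]);
$ins->execute(['bob', password_hash('bobs-password', PASSWORD_DEFAULT), 1, 1]);

$session = [];
$auth = new SafeAuthentication($db, $session);
printf("alice/wrong: %d %s\n", $auth->postAuthenticate('alice', 'wrong'), $auth->getLoginFailureReason());
printf("alice/ok:    %d session=%s\n", $auth->postAuthenticate('alice', 'correct horse battery'), json_encode($session));
$next = new SafeAuthentication($db, $session);   // a later request resumes from the stored uid
printf("resumed:     %d uid=%d\n", $next->sessionAuthenticate($session['phpecomf_auth_session_uid']), $next->getUserID());
$next->logout();
printf("bob/banned:  %d %s\n", $next->postAuthenticate('bob', 'bobs-password'), $next->getLoginFailureReason());
```

Run it with the PHP CLI: the wrong password and the banned account both fail with the same reason codes the book's class uses, the correct login stores the user ID in the session, and the second instance resumes purely from that stored ID, as the framework's sessionAuthenticate() path does. Keeping the active/banned rules in one accept() method means the two authentication paths cannot drift apart the way the duplicated blocks in the class above could.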
Template management
The template management functionality is easily broken down into two aspects: an
object to manage the actual content (a page object), and a template object to manage
the interaction with the content along with the parsing of the content within it.
Let's take a look at the code for template.class.php:
<?php
/**
* Views: Template manager
* Page content and structure is managed with a separate page object
*
* @version 1.0
* @author Michael Peacock
*/
class template {