Class HTTPAuthSession

A Class for handling a session using HTTP Basic Authentication

Package: davical\HTTPAuthSession
Copyright: Catalyst .Net Ltd
License: GNU GPL v2
Author: Andrew McMillan <andrew@catalyst.net.nz>
Located at HTTPAuthSession.php
Methods summary
public
# HTTPAuthSession( )

The constructor, which just calls the type supplied or configured

public
# AuthFailedResponse( string $auth_header = "" )

Authorisation failed, so we send some headers to say so.

Parameters

$auth_header
string
$auth_header The WWW-Authenticate header details.
public
# BasicAuthSession( )

Handle Basic HTTP Authentication (not secure unless https)

public
# DigestAuthSession( )

Handle Digest HTTP Authentication (no passwords were harmed in this transaction!)

Note that this will not actually work unless we can either: (A) store the password in plain text in the database, or (B) store an md5( username || realm || password ) in the database.

The problem is that this potentially means that the administrator can collect the sorts of things people use as passwords. I believe this is quite a bad idea. In scenario (B), while they cannot see the password itself, they can see a hash which only varies when the password varies, so can see when two users have the same password, or can use some of the reverse lookup sites to attempt to reverse the hash. I think this is a less bad idea, but not ideal. Probably better than running Basic auth over HTTP though!

public
# ParseDigestHeader( mixed $auth_header )

Parse the HTTP Digest Auth Header - largely sourced from the PHP documentation
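
The following is an added example, not DAViCal's own code: it parses a Digest Authorization header and verifies the response against a stored hash as in option (B) above, assuming the colon-separated RFC 2617 form md5(username:realm:password). The function names and the regex-based parser are hypothetical, and the sample header is the worked example from RFC 2617.

```php
<?php
// Added illustration, not DAViCal code. Function names are hypothetical.

// Parse the key=value pairs of a Digest Authorization header value.
function parse_digest_fields(string $header): ?array {
    if (stripos($header, 'Digest ') !== 0) return null;
    preg_match_all('/(\w+)=(?:"([^"]*)"|([^\s,]+))/', substr($header, 7), $m, PREG_SET_ORDER);
    $fields = [];
    foreach ($m as $pair) {
        // Group 3 exists only for unquoted values; otherwise use the quoted group 2.
        $fields[strtolower($pair[1])] = $pair[3] ?? $pair[2];
    }
    foreach (['username', 'realm', 'nonce', 'uri', 'response'] as $required) {
        if (!isset($fields[$required])) return null;
    }
    return $fields;
}

// Recompute the expected response from the stored HA1; the password itself is never needed.
function verify_digest(array $f, string $stored_ha1, string $method,
                       string $realm, string $issued_nonce): bool {
    // Reject responses for another realm or for a nonce this server did not issue.
    if ($f['realm'] !== $realm || !hash_equals($issued_nonce, $f['nonce'])) return false;
    $ha2 = md5($method . ':' . $f['uri']);
    if (($f['qop'] ?? '') === 'auth') {
        if (!isset($f['nc'], $f['cnonce'])) return false;
        $expected = md5(implode(':', [$stored_ha1, $f['nonce'], $f['nc'], $f['cnonce'], 'auth', $ha2]));
    } else {
        $expected = md5(implode(':', [$stored_ha1, $f['nonce'], $ha2])); // legacy form without qop
    }
    // Constant-time comparison of the two hex digests.
    return hash_equals($expected, strtolower($f['response']));
}

// Constructed input: the worked example from RFC 2617.
$realm      = 'testrealm@host.com';
$nonce      = 'dcd98b7102dd2f0e8b11d0f600bfb0c093';
$stored_ha1 = md5('Mufasa:' . $realm . ':Circle Of Life'); // what option (B) keeps in the database
$header = 'Digest username="Mufasa", realm="testrealm@host.com", '
        . 'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="/dir/index.html", '
        . 'qop=auth, nc=00000001, cnonce="0a4f113b", '
        . 'response="6629fae49393a05397450978507c4ef1", opaque="5ccc069c403ebaf9f0171e9517f40e41"';

$fields = parse_digest_fields($header);
var_dump($fields !== null && verify_digest($fields, $stored_ha1, 'GET', $realm, $nonce));
```

Because the stored value alone is enough to compute a valid response for that realm, it needs the same protection in the database as a password would.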

public
# CheckPassword( mixed $username, mixed $password )

CheckPassword does all of the password checking and returns a user record object, or false if it all ends in tears.

public boolean
# AllowedTo( string $whatever )

Checks whether a user is allowed to do something.

The check is performed to see if the user has that role.

Parameters

$whatever
string
$whatever The role we want to know if the user has.

Returns

boolean
Whether or not the user has the specified role.
public
# GetRoles( )

Internal function used to get the user's roles from the database.

public
# AssignSessionDetails( object $principal )

Internal function used to assign the session details to a user's new session.

Parameters

$principal
object
$u The user+session object we (probably) read from the database.
Properties summary
public HTTPAuthSession::$username $username

Username

public HTTPAuthSession::$user_no $user_no

User ID number

public HTTPAuthSession::$principal_id $principal_id

Principal ID

public HTTPAuthSession::$email $email

User e-mail

public HTTPAuthSession::$fullname $fullname

User full name

public HTTPAuthSession::$groups $groups

Group rights (not implemented)

DAViCal API documentation generated by ApiGen 2.8.0