Class HTTPAuthSession

A Class for handling a session using HTTP Basic Authentication

Package: davical\HTTPAuthSession
Copyright: Catalyst .Net Ltd
License: GNU GPL v2
Author: Andrew McMillan andrew@catalyst.net.nz
Located at HTTPAuthSession.php

Methods summary
public
# HTTPAuthSession( )

The constructor, which just calls the type supplied or configured

public
# AuthFailedResponse( string $auth_header = "" )

Authorisation failed, so we send some headers to say so.

Parameters

$auth_header
The WWW-Authenticate header details.
public
# BasicAuthSession( )

Handle Basic HTTP Authentication (not secure unless https)

public
# DigestAuthSession( )

Handle Digest HTTP Authentication (no passwords were harmed in this transaction!)

Note that this will not actually work unless we can either (A) store the password in plain text in the database, or (B) store an md5( username || realm || password ) in the database.

The problem is that potentially means that the administrator can collect the sorts of things people use as passwords. I believe this is quite a bad idea. In scenario (B) while they cannot see the password itself, they can see a hash which only varies when the password varies, so can see when two users have the same password, or can use some of the reverse lookup sites to attempt to reverse the hash. I think this is a less bad idea, but not ideal. Probably better than running Basic auth over HTTP though!
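Why the stored value matters, as an added example (not DAViCal code; the function names, realm, user, URI and nonce are constructed, and nonce freshness checks are omitted): the server can verify a Digest response from the RFC 2617 HA1 value alone, but not from a salted one-way password hash.

```php
<?php
// Added illustration, not DAViCal code. Function names and all sample
// values (user, realm, nonce, URI) are constructed for this example.

// Option (B): the per-user value the server would store.
// RFC 2617 joins the three fields with ':' before hashing.
function digest_ha1(string $user, string $realm, string $password): string {
    return md5("$user:$realm:$password");
}

// Digest response for qop=auth, derived from HA1 and the request fields.
function digest_response(string $ha1, string $method, array $d): string {
    $ha2 = md5("$method:{$d['uri']}");
    return md5("$ha1:{$d['nonce']}:{$d['nc']}:{$d['cnonce']}:{$d['qop']}:$ha2");
}

// Server-side check using only the stored HA1.
function digest_verify(string $stored_ha1, string $method, array $d): bool {
    foreach (['uri', 'nonce', 'nc', 'cnonce', 'qop', 'response'] as $key) {
        if (!isset($d[$key]) || !is_string($d[$key])) {
            return false;               // incomplete header: reject
        }
    }
    if ($d['qop'] !== 'auth') {
        return false;                   // only qop=auth is handled here
    }
    $expected = digest_response($stored_ha1, $method, $d);
    return hash_equals($expected, strtolower($d['response']));
}

$realm  = 'example-realm';
$stored = digest_ha1('alice', $realm, 'correct horse');   // database column

// Fields as they would come out of a parsed Authorization header.
$fields = ['uri' => '/cal/alice/', 'nonce' => '5f1c0a9e', 'nc' => '00000001',
           'cnonce' => '0a4f113b', 'qop' => 'auth'];

// A client that knows the password produces a response the server accepts.
$good = $fields + ['response' => digest_response(
    digest_ha1('alice', $realm, 'correct horse'), 'PROPFIND', $fields)];
var_dump(digest_verify($stored, 'PROPFIND', $good));

// A response built from a different password does not match the stored HA1.
$bad = $fields + ['response' => digest_response(
    digest_ha1('alice', $realm, 'wrong guess'), 'PROPFIND', $fields)];
var_dump(digest_verify($stored, 'PROPFIND', $bad));

// A salted one-way hash of the same password cannot stand in for HA1.
$salted = password_hash('correct horse', PASSWORD_DEFAULT);
var_dump(digest_verify($salted, 'PROPFIND', $good));
```

Because HA1 is the only secret input to the response, a stored HA1 needs the same protection as the password itself for that realm.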

public
# ParseDigestHeader( $auth_header )

Parse the HTTP Digest Auth Header - largely sourced from the PHP documentation

public
# CheckPassword( $username, $password )

CheckPassword does all of the password checking and returns a user record object, or false if it all ends in tears.

public boolean
# AllowedTo( string $whatever )

Checks whether a user is allowed to do something.

The check is performed to see if the user has that role.

Parameters

$whatever
The role we want to know if the user has.

Returns

boolean
Whether or not the user has the specified role.
public
# GetRoles( )

Internal function used to get the user's roles from the database.

public
# AssignSessionDetails( object $principal )

Internal function used to assign the session details to a user's new session.

Parameters

$principal
$u The user+session object we (probably) read from the database.

Properties summary
public HTTPAuthSession::$username $username

Username

public HTTPAuthSession::$user_no $user_no

User ID number

public HTTPAuthSession::$principal_id $principal_id

Principal ID

public HTTPAuthSession::$email $email

User e-mail

public HTTPAuthSession::$fullname $fullname

User full name

public HTTPAuthSession::$groups $groups

Group rights (not implemented)

Todo

DAViCal API documentation generated by ApiGen