nextcloud/lib/user/database.php

<?php

/**
 * ownCloud
 *
 * @author Frank Karlitschek
 * @copyright 2012 Frank Karlitschek frank@owncloud.org
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU AFFERO GENERAL PUBLIC LICENSE
 * License as published by the Free Software Foundation; either
 * version 3 of the License, or any later version.
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU AFFERO GENERAL PUBLIC LICENSE for more details.
 *
 * You should have received a copy of the GNU Affero General Public
 * License along with this library.  If not, see <http://www.gnu.org/licenses/>.
 *
 */
/*
 *
 * The following SQL statement is just a help for developers and will not be
 * executed!
 *
 * CREATE TABLE `users` (
 *   `uid` varchar(64) COLLATE utf8_unicode_ci NOT NULL,
 *   `password` varchar(255) COLLATE utf8_unicode_ci NOT NULL,
 *   PRIMARY KEY (`uid`)
 * ) ENGINE=MyISAM DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;
 *
 */

require_once 'phpass/PasswordHash.php';

/**
 * Class for user management in a SQL Database (e.g. MySQL, SQLite)
 */
class OC_User_Database extends OC_User_Backend {
	/**
	 * @var PasswordHash
	 */
	static private $hasher=null;

	private function getHasher() {
		if(!self::$hasher) {
			//we don't want to use DES based crypt(), since it doesn't return a has with a recognisable prefix
			$forcePortable=(CRYPT_BLOWFISH!=1);
			self::$hasher=new PasswordHash(8,$forcePortable);
		}
		return self::$hasher;

	}

	/**
	 * @brief Create a new user
	 * @param $uid The username of the user to create
	 * @param $password The password of the new user
	 * @returns true/false
	 *
	 * Creates a new user. Basic checking of username is done in OC_User
	 * itself, not in its subclasses.
	 */
	public function createUser( $uid, $password ) {
		if( $this->userExists($uid) ) {
			return false;
		}else{
			$hasher=$this->getHasher();
			$hash = $hasher->HashPassword($password.OC_Config::getValue('passwordsalt', ''));
			$query = OC_DB::prepare( 'INSERT INTO `*PREFIX*users` ( `uid`, `password` ) VALUES( ?, ? )' );
			$result = $query->execute( array( $uid, $hash));

			return $result ? true : false;
		}
	}

	/**
	 * @brief delete a user
	 * @param $uid The username of the user to delete
	 * @returns true/false
	 *
	 * Deletes a user
	 */
	public function deleteUser( $uid ) {
		// Delete user-group-relation
		$query = OC_DB::prepare( 'DELETE FROM `*PREFIX*users` WHERE uid = ?' );
		$query->execute( array( $uid ));
		return true;
	}

	/**
	 * @brief Set password
	 * @param $uid The username
	 * @param $password The new password
	 * @returns true/false
	 *
	 * Change the password of a user
	 */
	public function setPassword( $uid, $password ) {
		if( $this->userExists($uid) ) {
			$hasher=$this->getHasher();
			$hash = $hasher->HashPassword($password.OC_Config::getValue('passwordsalt', ''));
			$query = OC_DB::prepare( 'UPDATE `*PREFIX*users` SET `password` = ? WHERE `uid` = ?' );
			$query->execute( array( $hash, $uid ));

			return true;
		}else{
			return false;
		}
	}

	/**
	 * @brief Check if the password is correct
	 * @param $uid The username
	 * @param $password The password
	 * @returns string
	 *
	 * Check if the password is correct without logging in the user
	 * returns the user id or false
	 */
	public function checkPassword( $uid, $password ) {
		$query = OC_DB::prepare( 'SELECT `uid`, `password` FROM `*PREFIX*users` WHERE LOWER(`uid`) = LOWER(?)' );
		$result = $query->execute( array( $uid));

		$row=$result->fetchRow();
		if($row) {
			$storedHash=$row['password'];
			if ($storedHash[0]=='$') {//the new phpass based hashing
				$hasher=$this->getHasher();
				if($hasher->CheckPassword($password.OC_Config::getValue('passwordsalt', ''), $storedHash)) {
					return $row['uid'];
				}else{
					return false;
				}
			}else{//old sha1 based hashing
				if(sha1($password)==$storedHash) {
					//upgrade to new hashing
					$this->setPassword($row['uid'],$password);
					return $row['uid'];
				}else{
					return false;
				}
			}
		}else{
			return false;
		}
	}

	/**
	 * @brief Get a list of all users
	 * @returns array with all uids
	 *
	 * Get a list of all users.
	 */
	public function getUsers($search = '', $limit = null, $offset = null) {
		$query = OC_DB::prepare('SELECT `uid` FROM `*PREFIX*users` WHERE LOWER(`uid`) LIKE LOWER(?)',$limit,$offset);
		$result = $query->execute(array($search.'%'));
		$users = array();
		while ($row = $result->fetchRow()) {
			$users[] = $row['uid'];
		}
		return $users;
	}

	/**
	 * @brief check if a user exists
	 * @param string $uid the username
	 * @return boolean
	 */
	public function userExists($uid) {
		$query = OC_DB::prepare( 'SELECT * FROM `*PREFIX*users` WHERE LOWER(`uid`) = LOWER(?)' );
		$result = $query->execute( array( $uid ));

		return $result->numRows() > 0;
	}

	/**
	* @brief get the user's home directory
	* @param string $uid the username
	* @return boolean
	*/
	public function getHome($uid) {
		if($this->userExists($uid)) {
			return OC_Config::getValue( "datadirectory", OC::$SERVERROOT."/data" ) . '/' . $uid;
		}else{
			return false;
		}
	}
}
Support for mod_auth added 2010-07-15 08:09:22 -04:00			`<?php`

			`/**`
First version of the new user management 2011-04-15 11:14:02 -04:00			`* ownCloud`
			`*`
			`* @author Frank Karlitschek`
update copyright 2012-05-26 13:14:24 -04:00			`* @copyright 2012 Frank Karlitschek frank@owncloud.org`
First version of the new user management 2011-04-15 11:14:02 -04:00			`*`
			`* This library is free software; you can redistribute it and/or`
			`* modify it under the terms of the GNU AFFERO GENERAL PUBLIC LICENSE`
			`* License as published by the Free Software Foundation; either`
			`* version 3 of the License, or any later version.`
			`*`
			`* This library is distributed in the hope that it will be useful,`
			`* but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`* GNU AFFERO GENERAL PUBLIC LICENSE for more details.`
			`*`
			`* You should have received a copy of the GNU Affero General Public`
			`* License along with this library. If not, see <http://www.gnu.org/licenses/>.`
			`*`
			`*/`
			`/*`
			`*`
			`* The following SQL statement is just a help for developers and will not be`
			`* executed!`
			`*`
			* CREATE TABLE `users` (
			* `uid` varchar(64) COLLATE utf8_unicode_ci NOT NULL,
			* `password` varchar(255) COLLATE utf8_unicode_ci NOT NULL,
			* PRIMARY KEY (`uid`)
			`* ) ENGINE=MyISAM DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;`
			`*`
			`*/`
Support for mod_auth added 2010-07-15 08:09:22 -04:00
improved password hashing based one phpass old passwords are automatically upgraded on login 2012-02-26 07:49:51 -05:00			`require_once 'phpass/PasswordHash.php';`

Support for mod_auth added 2010-07-15 08:09:22 -04:00			`/**`
Created class `OC_USER_BACKEND` for general user managment It's possible to use `OC_USER` as normal but the real stuff is done by the `OC_USER::$_backend` class, setted using `OC_USER::setBackend()` (this is done in inc/lib_user.php) 2010-07-21 11:53:51 -04:00			`* Class for user management in a SQL Database (e.g. MySQL, SQLite)`
Support for mod_auth added 2010-07-15 08:09:22 -04:00			`*/`
Renaming classes :-) 2011-07-29 15:36:03 -04:00			`class OC_User_Database extends OC_User_Backend {`
improved password hashing based one phpass old passwords are automatically upgraded on login 2012-02-26 07:49:51 -05:00			`/**`
			`* @var PasswordHash`
			`*/`
			`static private $hasher=null;`
Merged branch 'master' 2012-10-16 11:57:07 -04:00
			`private function getHasher() {`
			`if(!self::$hasher) {`
improved password hashing based one phpass old passwords are automatically upgraded on login 2012-02-26 07:49:51 -05:00			`//we don't want to use DES based crypt(), since it doesn't return a has with a recognisable prefix`
			`$forcePortable=(CRYPT_BLOWFISH!=1);`
			`self::$hasher=new PasswordHash(8,$forcePortable);`
			`}`
			`return self::$hasher;`
Start of the refactoring. Commit is quite big because I forgot to use git right from the beginning. Sorry. 2011-03-01 17:20:16 -05:00
improved password hashing based one phpass old passwords are automatically upgraded on login 2012-02-26 07:49:51 -05:00			`}`
Merged branch 'master' 2012-10-16 11:57:07 -04:00
Support for mod_auth added 2010-07-15 08:09:22 -04:00			`/**`
Better documentation for OC_USER 2011-04-18 04:41:01 -04:00			`* @brief Create a new user`
Added tons of Hooks to OC_USER and OC_GROUP 2011-04-18 05:39:29 -04:00			`* @param $uid The username of the user to create`
Better documentation for OC_USER 2011-04-18 04:41:01 -04:00			`* @param $password The password of the new user`
			`* @returns true/false`
Cleaned up and added some documentation 2010-07-22 17:42:18 -04:00			`*`
Renaming classes :-) 2011-07-29 15:36:03 -04:00			`* Creates a new user. Basic checking of username is done in OC_User`
Added tons of Hooks to OC_USER and OC_GROUP 2011-04-18 05:39:29 -04:00			`* itself, not in its subclasses.`
Cleaned up and added some documentation 2010-07-22 17:42:18 -04:00			`*/`
Merged branch 'master' 2012-10-16 11:57:07 -04:00			`public function createUser( $uid, $password ) {`
			`if( $this->userExists($uid) ) {`
Support for mod_auth added 2010-07-15 08:09:22 -04:00			`return false;`
improved password hashing based one phpass old passwords are automatically upgraded on login 2012-02-26 07:49:51 -05:00			`}else{`
			`$hasher=$this->getHasher();`
generate a random salt during installation and store it in the config.php. use it to salt the password hashing. 2012-06-08 06:31:37 -04:00			`$hash = $hasher->HashPassword($password.OC_Config::getValue('passwordsalt', ''));`
Merged branch 'master' 2012-10-16 11:57:07 -04:00			$query = OC_DB::prepare( 'INSERT INTO `PREFIXusers` ( `uid`, `password` ) VALUES( ?, ? )' );
improved password hashing based one phpass old passwords are automatically upgraded on login 2012-02-26 07:49:51 -05:00			`$result = $query->execute( array( $uid, $hash));`
First version of the new user management 2011-04-15 11:14:02 -04:00
Cleaned up and added some documentation 2010-07-22 17:42:18 -04:00			`return $result ? true : false;`
Fixed a cache-check in `OC_USER_Database::getGroupName()` and minor style changes * Added spaces here and there * Using camelCase for same variable 2010-07-15 13:56:13 -04:00			`}`
Created class `OC_USER_BACKEND` for general user managment It's possible to use `OC_USER` as normal but the real stuff is done by the `OC_USER::$_backend` class, setted using `OC_USER::setBackend()` (this is done in inc/lib_user.php) 2010-07-21 11:53:51 -04:00			`}`
Cleaned up and added some documentation 2010-07-22 17:42:18 -04:00
Some work on the fancy user management 2011-04-16 19:04:23 -04:00			`/**`
Better documentation for OC_USER 2011-04-18 04:41:01 -04:00			`* @brief delete a user`
			`* @param $uid The username of the user to delete`
			`* @returns true/false`
Some work on the fancy user management 2011-04-16 19:04:23 -04:00			`*`
Better documentation for OC_USER 2011-04-18 04:41:01 -04:00			`* Deletes a user`
Some work on the fancy user management 2011-04-16 19:04:23 -04:00			`*/`
Merged branch 'master' 2012-10-16 11:57:07 -04:00			`public function deleteUser( $uid ) {`
Better documentation for OC_USER 2011-04-18 04:41:01 -04:00			`// Delete user-group-relation`
Merged branch 'master' 2012-10-16 11:57:07 -04:00			$query = OC_DB::prepare( 'DELETE FROM `PREFIXusers` WHERE uid = ?' );
			`$query->execute( array( $uid ));`
Some work on the fancy user management 2011-04-16 19:04:23 -04:00			`return true;`
			`}`

Support for mod_auth added 2010-07-15 08:09:22 -04:00			`/**`
Better documentation for OC_USER 2011-04-18 04:41:01 -04:00			`* @brief Set password`
			`* @param $uid The username`
			`* @param $password The new password`
			`* @returns true/false`
Cleaned up and added some documentation 2010-07-22 17:42:18 -04:00			`*`
Better documentation for OC_USER 2011-04-18 04:41:01 -04:00			`* Change the password of a user`
Cleaned up and added some documentation 2010-07-22 17:42:18 -04:00			`*/`
Merged branch 'master' 2012-10-16 11:57:07 -04:00			`public function setPassword( $uid, $password ) {`
			`if( $this->userExists($uid) ) {`
improved password hashing based one phpass old passwords are automatically upgraded on login 2012-02-26 07:49:51 -05:00			`$hasher=$this->getHasher();`
generate a random salt during installation and store it in the config.php. use it to salt the password hashing. 2012-06-08 06:31:37 -04:00			`$hash = $hasher->HashPassword($password.OC_Config::getValue('passwordsalt', ''));`
Merged branch 'master' 2012-10-16 11:57:07 -04:00			$query = OC_DB::prepare( 'UPDATE `PREFIXusers` SET `password` = ? WHERE `uid` = ?' );
			`$query->execute( array( $hash, $uid ));`
Better documentation for OC_USER 2011-04-18 04:41:01 -04:00
			`return true;`
Merged branch 'master' 2012-10-16 11:57:07 -04:00			`}else{`
Made the "change password" thingie in settings working 2011-04-18 09:07:14 -04:00			`return false;`
			`}`
Support for mod_auth added 2010-07-15 08:09:22 -04:00			`}`
Reverted to self::$classType syntax and fixed the use of self in non-object 2010-07-19 12:52:49 -04:00
Support for mod_auth added 2010-07-15 08:09:22 -04:00			`/**`
Better documentation for OC_USER 2011-04-18 04:41:01 -04:00			`* @brief Check if the password is correct`
			`* @param $uid The username`
			`* @param $password The password`
update documentation of oc_user::checkpassword 2012-05-16 18:57:43 -04:00			`* @returns string`
Cleaned up and added some documentation 2010-07-22 17:42:18 -04:00			`*`
Better documentation for OC_USER 2011-04-18 04:41:01 -04:00			`* Check if the password is correct without logging in the user`
update documentation of oc_user::checkpassword 2012-05-16 18:57:43 -04:00			`* returns the user id or false`
Cleaned up and added some documentation 2010-07-22 17:42:18 -04:00			`*/`
Merged branch 'master' 2012-10-16 11:57:07 -04:00			`public function checkPassword( $uid, $password ) {`
			$query = OC_DB::prepare( 'SELECT `uid`, `password` FROM `PREFIXusers` WHERE LOWER(`uid`) = LOWER(?)' );
improved password hashing based one phpass old passwords are automatically upgraded on login 2012-02-26 07:49:51 -05:00			`$result = $query->execute( array( $uid));`
Support for mod_auth added 2010-07-15 08:09:22 -04:00
dont use numRows when it's not needed since it can be expensive 2011-09-16 20:36:04 -04:00			`$row=$result->fetchRow();`
Merged branch 'master' 2012-10-16 11:57:07 -04:00			`if($row) {`
improved password hashing based one phpass old passwords are automatically upgraded on login 2012-02-26 07:49:51 -05:00			`$storedHash=$row['password'];`
Merged branch 'master' 2012-10-16 11:57:07 -04:00			`if ($storedHash[0]=='$') {//the new phpass based hashing`
improved password hashing based one phpass old passwords are automatically upgraded on login 2012-02-26 07:49:51 -05:00			`$hasher=$this->getHasher();`
Merged branch 'master' 2012-10-16 11:57:07 -04:00			`if($hasher->CheckPassword($password.OC_Config::getValue('passwordsalt', ''), $storedHash)) {`
improved password hashing based one phpass old passwords are automatically upgraded on login 2012-02-26 07:49:51 -05:00			`return $row['uid'];`
			`}else{`
			`return false;`
			`}`
			`}else{//old sha1 based hashing`
Merged branch 'master' 2012-10-16 11:57:07 -04:00			`if(sha1($password)==$storedHash) {`
improved password hashing based one phpass old passwords are automatically upgraded on login 2012-02-26 07:49:51 -05:00			`//upgrade to new hashing`
			`$this->setPassword($row['uid'],$password);`
			`return $row['uid'];`
			`}else{`
			`return false;`
			`}`
			`}`
fix issue with login being case insensitve 2011-08-25 15:51:04 -04:00			`}else{`
Support for mod_auth added 2010-07-15 08:09:22 -04:00			`return false;`
			`}`
			`}`

use caching for user-group relations 2010-09-12 11:04:52 -04:00			`/**`
Better documentation for OC_USER 2011-04-18 04:41:01 -04:00			`* @brief Get a list of all users`
			`* @returns array with all uids`
use caching for user-group relations 2010-09-12 11:04:52 -04:00			`*`
Better documentation for OC_USER 2011-04-18 04:41:01 -04:00			`* Get a list of all users.`
use caching for user-group relations 2010-09-12 11:04:52 -04:00			`*/`
Merged branch 'master' 2012-10-16 11:57:07 -04:00			`public function getUsers($search = '', $limit = null, $offset = null) {`
			$query = OC_DB::prepare('SELECT `uid` FROM `PREFIXusers` WHERE LOWER(`uid`) LIKE LOWER(?)',$limit,$offset);
			`$result = $query->execute(array($search.'%'));`
			`$users = array();`
			`while ($row = $result->fetchRow()) {`
			`$users[] = $row['uid'];`
use caching for user-group relations 2010-09-12 11:04:52 -04:00			`}`
			`return $users;`
			`}`
Multiply changes to user system keeping tracked of the logged in user is no longer done by the active backend but by oc_user directly instead multiply backends can be active at the same time, allowing alternative authentication procedures like openid or tokens to be used next to the regular user system 2011-06-21 13:28:46 -04:00
			`/**`
			`* @brief check if a user exists`
			`* @param string $uid the username`
			`* @return boolean`
			`*/`
Merged branch 'master' 2012-10-16 11:57:07 -04:00			`public function userExists($uid) {`
			$query = OC_DB::prepare( 'SELECT * FROM `PREFIXusers` WHERE LOWER(`uid`) = LOWER(?)' );
Multiply changes to user system keeping tracked of the logged in user is no longer done by the active backend but by oc_user directly instead multiply backends can be active at the same time, allowing alternative authentication procedures like openid or tokens to be used next to the regular user system 2011-06-21 13:28:46 -04:00			`$result = $query->execute( array( $uid ));`
Merged branch 'master' 2012-10-16 11:57:07 -04:00
Multiply changes to user system keeping tracked of the logged in user is no longer done by the active backend but by oc_user directly instead multiply backends can be active at the same time, allowing alternative authentication procedures like openid or tokens to be used next to the regular user system 2011-06-21 13:28:46 -04:00			`return $result->numRows() > 0;`
			`}`
Merged branch 'master' 2012-10-16 11:57:07 -04:00
			`/**`
			`* @brief get the user's home directory`
			`* @param string $uid the username`
			`* @return boolean`
			`*/`
			`public function getHome($uid) {`
			`if($this->userExists($uid)) {`
			`return OC_Config::getValue( "datadirectory", OC::$SERVERROOT."/data" ) . '/' . $uid;`
			`}else{`
			`return false;`
			`}`
			`}`
Fixed a cache-check in `OC_USER_Database::getGroupName()` and minor style changes * Added spaces here and there * Using camelCase for same variable 2010-07-15 13:56:13 -04:00			`}`