
PHP 5 e-commerce Development- P12 docx


Planning our Framework

User authentication

Our user authentication class needs to:

- Process login requests
- Check to see if the user is logged in
- Log out the user
- Maintain information about the currently logged-in user (we could extend this to use a User object if we wish)

Firstly, we need our class and some methods:

```php
<?php
/**
 * Authentication manager
 *
 *
 * @version 1.0
 * @author Michael Peacock
 */
class authentication {

    private $userID;
    private $loggedIn = false;
    private $admin = false;
    private $groups = array();
    private $banned = false;
    private $username;
    private $justProcessed = false;
    // Declared here because the methods below assign them
    private $active;
    private $name;
    private $loginFailureReason;

    public function __construct()
    {}
```

These are just the core properties we need to maintain, and will need to access. The next stage is to check for any authentication requests or current login—this will be called by our framework once the database has been connected to. This should first check to see if a user may be logged in; if this is the case, it should verify this. If not, it should then check to see if a user is trying to log in. The following function does this, and passes control to an appropriate method depending on the situation.
```php
    public function checkForAuthentication()
    {
        // An existing session carries a positive integer user ID
        if( isset( $_SESSION['phpecomf_auth_session_uid'] ) && intval( $_SESSION['phpecomf_auth_session_uid'] ) > 0 )
        {
            $this->sessionAuthenticate( intval( $_SESSION['phpecomf_auth_session_uid'] ) );
        }
        // Otherwise, a login form has been submitted with both fields filled in
        elseif( isset( $_POST['ecomf_auth_user'] ) && $_POST['ecomf_auth_user'] != '' && isset( $_POST['ecomf_auth_pass'] ) && $_POST['ecomf_auth_pass'] != '')
        {
            // The username is escaped by the database object; the password is passed on as its MD5 digest
            $this->postAuthenticate( PeacockCarterFrameworkRegistry::getObject('db')->sanitizeData( $_POST['ecomf_auth_user'] ), md5( $_POST['ecomf_auth_pass'] ) );
        }
        //echo $this->userID;
    }
```

We can authenticate a user who is logged in from session data: if we store the user's ID in a session, we can check this is valid and the user is active.

```php
    private function sessionAuthenticate( $uid )
    {
        // $uid has already been through intval() in checkForAuthentication()
        $sql = "SELECT u.ID, u.username, u.active, u.email, u.admin, u.banned, u.name,
                (SELECT GROUP_CONCAT( g.name SEPARATOR '-groupsep-' )
                   FROM groups g, group_memberships gm
                  WHERE g.ID = gm.group AND gm.user = u.ID ) AS groupmemberships
                FROM users u WHERE u.ID={$uid}";
        PeacockCarterFrameworkRegistry::getObject('db')->executeQuery( $sql );
        if( PeacockCarterFrameworkRegistry::getObject('db')->numRows() == 1 )
        {
```

Even if the user exists, we can't just log them in: their user account may not be active, or may have been marked as "banned".
```php
            $userData = PeacockCarterFrameworkRegistry::getObject('db')->getRows();
            if( $userData['active'] == 0 )
            {
                $this->loggedIn = false;
                $this->loginFailureReason = 'inactive';
                $this->active = false;
            }
            elseif( $userData['banned'] != 0)
            {
                $this->loggedIn = false;
                $this->loginFailureReason = 'banned';
                // Record that the account is banned
                $this->banned = true;
            }
            else
            {
                $this->loggedIn = true;
                $this->userID = $uid;
                $this->admin = ( $userData['admin'] == 1 ) ? true : false;
                $this->username = $userData['username'];
                $this->name = $userData['name'];
```

All of a user's group memberships are returned as a single field from the user lookup query. We can then split this into the individual groups and store them in the object.

```php
                $groups = explode( '-groupsep-', $userData['groupmemberships'] );
                $this->groups = $groups;
            }
        }
        else
        {
            $this->loggedIn = false;
            $this->loginFailureReason = 'nouser';
        }
        // A session that failed any of the checks above has its stored user ID cleared
        if( $this->loggedIn == false )
        {
            $this->logout();
        }
    }
```

If the user is trying to log in, we must look up his or her username and password to verify them. This is very similar to the above function, except it uses the username and password provided by the user, rather than a session-stored user ID.
```php
    private function postAuthenticate( $u, $p )
    {
        $this->justProcessed = true;
        // $u is the escaped username and $p the MD5 digest passed in by checkForAuthentication()
        $sql = "SELECT u.ID, u.username, u.email, u.admin, u.banned, u.active, u.name,
                (SELECT GROUP_CONCAT( g.name SEPARATOR '-groupsep-' )
                   FROM groups g, group_memberships gm
                  WHERE g.ID = gm.group AND gm.user = u.ID ) AS groupmemberships
                FROM users u WHERE u.username='{$u}' AND u.password_hash='{$p}'";
        //echo $sql;
        PeacockCarterFrameworkRegistry::getObject('db')->executeQuery( $sql );
        if( PeacockCarterFrameworkRegistry::getObject('db')->numRows() == 1 )
        {
            $userData = PeacockCarterFrameworkRegistry::getObject('db')->getRows();
```

As before, once we find a user, we must check to see that they are active, and not banned from the site.

```php
            if( $userData['active'] == 0 )
            {
                $this->loggedIn = false;
                $this->loginFailureReason = 'inactive';
                $this->active = false;
            }
            elseif( $userData['banned'] != 0)
            {
                $this->loggedIn = false;
                $this->loginFailureReason = 'banned';
                // Record that the account is banned
                $this->banned = true;
            }
            else
            {
                $this->loggedIn = true;
                $this->userID = $userData['ID'];
                $this->admin = ( $userData['admin'] == 1 ) ? true : false;
                // Remember the user for later requests
                $_SESSION['phpecomf_auth_session_uid'] = $userData['ID'];
                $groups = explode( '-groupsep-', $userData['groupmemberships'] );
                $this->groups = $groups;
            }
        }
        else
        {
            $this->loggedIn = false;
            $this->loginFailureReason = 'invalidcredentials';
        }
    }
```

Logging out can be done simply by clearing the session data for the user.

```php
    function logout()
    {
        $_SESSION['phpecomf_auth_session_uid'] = '';
    }
```

Finally, we need some getter methods to return various properties of the current user.
```php
    public function getUserID()
    {
        return $this->userID;
    }

    public function isLoggedIn()
    {
        return $this->loggedIn;
    }

    public function isAdmin()
    {
        return $this->admin;
    }

    public function getUsername()
    {
        return $this->username;
    }

    public function isMemberOfGroup( $group )
    {
        if( in_array( $group, $this->groups ) )
        {
            return true;
        }
        else
        {
            return false;
        }
    }
}
?>
```

Template management

The template management functionality is easily broken down into two aspects: an object to manage the actual content (a page object), and a template object to manage the interaction with the content along with the parsing of the content within it. Let's take a look at the code for template.class.php:

```php
<?php
/**
 * Views: Template manager
 * Page content and structure is managed with a separate page object.
 *
 * @version 1.0
 * @author Michael Peacock
 */
class template {
```
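Returning to the authentication class: its login path compares an unsalted md5() digest, builds the lookup by string interpolation, and keeps the same session ID across login. The following is an added example, not code from the book or its framework, showing the same checks with a bound parameter, password_hash()/password_verify() and session ID regeneration. The names verifyLogin() and logoutSession(), the PDO connection and the sample rows are assumptions, and PHP 5.5 or later is required.

```php
<?php
// Added example: hypothetical helpers, not part of the book's authentication class.
// Assumes PHP 5.5+, pdo_sqlite for the demo, and a password_hash column wide enough for bcrypt output.
function verifyLogin( PDO $db, $username, $password )
{
    // Bound parameter: the username is sent as data and never becomes part of the SQL text
    $stmt = $db->prepare( 'SELECT ID, password_hash, active, banned FROM users WHERE username = :u' );
    $stmt->execute( array( ':u' => $username ) );
    $row = $stmt->fetch( PDO::FETCH_ASSOC );
    // password_verify() re-derives the salted hash and compares it in a timing-safe way
    if( $row === false || ! password_verify( $password, $row['password_hash'] ) )
    {
        return array( 'ok' => false, 'reason' => 'invalidcredentials' );
    }
    if( $row['active'] == 0 )
    {
        return array( 'ok' => false, 'reason' => 'inactive' );
    }
    if( $row['banned'] != 0 )
    {
        return array( 'ok' => false, 'reason' => 'banned' );
    }
    if( session_status() === PHP_SESSION_ACTIVE )
    {
        // Issue a new session ID at login so an ID set before login stops being valid
        session_regenerate_id( true );
    }
    $_SESSION['phpecomf_auth_session_uid'] = (int) $row['ID'];
    return array( 'ok' => true, 'reason' => null );
}

function logoutSession()
{
    // Remove the key rather than blanking it, then discard the server-side session data
    unset( $_SESSION['phpecomf_auth_session_uid'] );
    if( session_status() === PHP_SESSION_ACTIVE )
    {
        session_destroy();
    }
}

// Constructed sample data in an in-memory database
$db = new PDO( 'sqlite::memory:' );
$db->setAttribute( PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION );
$db->exec( 'CREATE TABLE users (ID INTEGER PRIMARY KEY, username TEXT, password_hash TEXT, active INT, banned INT)' );
$ins = $db->prepare( 'INSERT INTO users (username, password_hash, active, banned) VALUES (?, ?, ?, 0)' );
$ins->execute( array( "o'neil", password_hash( 'constructed-pass-1', PASSWORD_DEFAULT ), 1 ) );
$ins->execute( array( 'dormant', password_hash( 'constructed-pass-2', PASSWORD_DEFAULT ), 0 ) );
var_dump( verifyLogin( $db, "o'neil", 'constructed-pass-1' ) );   // quote in the name needs no escaping
var_dump( verifyLogin( $db, 'dormant', 'constructed-pass-2' ) );  // correct password, inactive account
var_dump( verifyLogin( $db, "o'neil", 'wrong-pass' ) );
```

Existing md5 values stored in password_hash cannot be checked by password_verify(), so accounts created with the original scheme need a password reset or a migration step.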

Posted: 07/07/2014, 10:20
