Change to community logins

От Magnus Hagander
Тема Change to community logins
Дата
Msg-id 46BF0283.1040606@hagander.net
Ответы Re: Change to community logins  ("Joshua D. Drake" <jd@commandprompt.com>)
Список pgsql-www
I've done some minor hacking on some changes to the community login
system, based on nagging (eh, sorry, feedback) from mainly JD ;-)

Specifically, not using http auth, but instead using forms auth and a
session cookie. This is so we can eventually have a separate login link
for those who don't understand systems that ask you to login only when a
login is necessary.

It will also make it possible to have pages change depending on if
you're logged in or not - but that requires code to run on wwwmaster,
which we're trying to avoid, so I'm not sure much of that will happen...

Anyway. Attached is a patch that does this, you can test the system out
on http://magnus-master.pgadmin.org. Thoughts and comments?

//Magnus
Index: handler.php
===================================================================
RCS file: /usr/local/cvsroot/pgweb/portal/system/handler.php,v
retrieving revision 1.20
diff -c -r1.20 handler.php
*** handler.php    12 Mar 2007 14:51:43 -0000    1.20
--- handler.php    12 Aug 2007 12:45:05 -0000
***************
*** 25,30 ****
--- 25,35 ----

  require_once './global/settings.php';

+ // Override config that really must be set
+ ini_set('session.use_cookies','1');
+ ini_set('session.use_only_cookies','1');
+
+
  try {
      if (isset($_GET['page']) && $_GET['page'] == 'submitthanks') {
          // Special case. Ugly, but backwards compatible ;-)
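Review bot: The session cookie that now carries the login is still issued with PHP's default cookie attributes, because only `session.use_cookies` and `session.use_only_cookies` are overridden here. Since this cookie replaces the HTTP auth credentials, consider adding `ini_set('session.cookie_httponly','1');` so page scripts cannot read it, and `ini_set('session.cookie_secure','1');` if the login pages are served over HTTPS (not visible from this patch). The `try` block that follows continues outside the hunk.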
Index: form/login.php
===================================================================
RCS file: form/login.php
diff -N form/login.php
*** /dev/null    1 Jan 1970 00:00:00 -0000
--- form/login.php    12 Aug 2007 12:45:05 -0000
***************
*** 0 ****
--- 1,54 ----
+ <?php
+ class Form_Login extends PgForm {
+    function __construct() {
+       $this->title = 'Community login';
+    }
+
+    function SetupForm() {
+       $this->form->addElement('static',     null, null, gettext("Accessing this resource requires a community login.
Moretext to go here in a bit")); 
+       if (isset($_GET['badpwd']) && $_GET['badpwd'] == '1') {
+           $this->form->addElement('static', null, null, '<font color="red">' . gettext("Userid or password was
incorrect.Please try again.") . '</font>'); 
+       }
+
+       $this->form->addElement('text',       'userid', gettext("Userid:"), array('size' => 40, 'maxlength' => 100));
+       $this->form->addElement('password',   'password', gettext("Password:"), array('size' => 40, 'maxlength' =>
100));
+       $this->form->addElement('hidden', 'p', isset($_GET['p'])?$_GET['p']:'');
+
+       // Make the fields required
+       $this->form->addRule('userid', gettext("The userid is required."), 'required', null, 'client');
+       $this->form->addRule('password', gettext("The password is required."), 'required', null, 'client');
+    }
+
+    function ProcessForm($f) {
+         global $_SETTINGS;
+
+         $rs = $this->pg_query_params("SELECT userid,fullname,email,authorblurb,communitydoc_superuser FROM users
WHEREuserid=$1 AND password=$2", array($f['userid'], $f['password'])); 
+         if (pg_num_rows($rs) != 1) {
+             if (isset($f['p'])) {
+                 header('Location: /login?badpwd=1&p=' . urlencode($f['p']));
+             }
+             else {
+                 header('Location: /login?badpwd=1');
+             }
+             exit(0);
+         }
+
+         session_start();
+         $this->userinfo = pg_fetch_assoc($rs);
+         foreach ($this->userinfo as $key=>$val) {
+             $_SESSION[$key] = $val;
+         }
+         $_SESSION['ip'] = $_SERVER['REMOTE_ADDR'];
+         if ($f['p']) {
+             header('Location: ' . $f['p']);
+         }
+         else {
+             header('Location: /');
+         }
+         exit(0);
+    }
+
+    function RenderThanks() {
+    }
+ }
+ ?>
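Review bot: `ProcessForm` redirects to whatever `p` contains (`header('Location: ' . $f['p'])`), and `p` is copied from the query string into the hidden field, so a crafted login link can forward a user to another site immediately after a successful login. The target should be followed only when it is a path on this site, falling back to `/` otherwise. Separately, `session_start()` keeps whatever session id the browser presented before authentication; calling `session_regenerate_id(true)` right after it gives the logged-in session a fresh id. The query also compares the submitted password as-is (`password=$2`), which suggests passwords are stored unhashed; that predates this patch but is worth tracking.

```php
        // ... unchanged: credential query and bad-password redirect ...

        session_start();
        // Fresh session id at the privilege change, so an id set before login is not carried over
        session_regenerate_id(true);

        // ... unchanged: copy userinfo and REMOTE_ADDR into $_SESSION ...

        // Follow only a same-site path ("/..." but not "//..." or "/\..."); anything else goes home
        $target = isset($f['p']) ? $f['p'] : '';
        if (!preg_match('#^/(?![/\\\\])#', $target)) {
            $target = '/';
        }
        header('Location: ' . $target);
        exit(0);
```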
Index: global/dispatcher.php
===================================================================
RCS file: /usr/local/cvsroot/pgweb/portal/system/global/dispatcher.php,v
retrieving revision 1.2
diff -c -r1.2 dispatcher.php
*** global/dispatcher.php    26 Apr 2007 13:23:08 -0000    1.2
--- global/dispatcher.php    12 Aug 2007 12:45:05 -0000
***************
*** 51,56 ****
--- 51,57 ----
          case 'docs/techdocs': return new Page_CommunityDocs('docs',$pargs[0],0,count($pargs)>1?$pargs[1]:null);
          case 'download/mirrors-ftp': return new Page_Mirrors();
          case 'developer/ext': return new Page_FAQ($pargs[1],'developer');
+         case 'login': return new Form_Login();
          case 'search': return new Page_Search();
          case 'support/newprof': return new Form_NewProfService();
          case 'support/submitbug': return new Form_SubmitBug();
Index: global/pgpage.php
===================================================================
RCS file: /usr/local/cvsroot/pgweb/portal/system/global/pgpage.php,v
retrieving revision 1.4
diff -c -r1.4 pgpage.php
*** global/pgpage.php    12 Mar 2007 16:00:46 -0000    1.4
--- global/pgpage.php    12 Aug 2007 12:45:06 -0000
***************
*** 190,224 ****
     }

     function ValidateLogin() {
!        if (isset($_SERVER['PHP_AUTH_USER']) && isset($_SERVER['PHP_AUTH_PW']))
!        {
!            $u = $_SERVER['PHP_AUTH_USER'];
!            $p = $_SERVER['PHP_AUTH_PW'];
!
!            if ($u != pg_escape_string($u))
!                throw new Exception('Invalid character in username');

!            $res = $this->pg_query_params("SELECT userid,fullname,email,authorblurb,communitydoc_superuser FROM users
WHEREuserid=$1 AND password=$2", array($u, $p)); 
!            if (pg_num_rows($res) == 1)
!            {
!                // Both user and password matched, so return.
!                $this->userinfo = pg_fetch_assoc($res);
!                return true;
             }
-            // Otherwise, fall-through to requiring authentication again
-        }

!        // Indicate we need a login
!        header('HTTP/1.0 401 Unauthorized');
!        header('WWW-Authenticate: Basic realm="PostgreSQL Community Login"');

!        // Build a login page using our templates, if we can
!        $pgpnew = new Page_Static('community/requirelogin');
!        $pgpnew->SetLanguage($this->language, $this->language_direction);
!        $pgpnew->PreRender();
!        $pgpnew->DoRender();
!        $pgpnew->Show();
!        exit(0);
     }
  }

--- 190,218 ----
     }

     function ValidateLogin() {
!        session_start();
!        if ($this->check_login()) {
!            return;
!        }
!        // User not authenticated, redirect to login form
!        header('Location: /login?p=' . $this->url);
!        exit(0);
!    }

!    function check_login() {
!        if (isset($_SESSION['userid'])) {
!            if ($_SESSION['ip'] != $_SERVER['REMOTE_ADDR']) {
!                // Different IP, so require a login again
!                return false;
             }

!            // Copy the whole session - easier that way
!            $this->userinfo = $_SESSION;
!            return true; // Authentication succeeded
!        }

!        // No session = not logged in
!        return false;
     }
  }
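Review bot: The redirect in the new `ValidateLogin` appends `$this->url` to the query string unencoded, while `Form_Login::ProcessForm` applies `urlencode()` to the same parameter on its bad-password redirect. If the requested URL can contain `?`, `&` or `#` (how `$this->url` is built is outside this hunk), the return target is truncated or its trailing parameters are read by the login page instead; `header('Location: /login?p=' . urlencode($this->url));` keeps it intact. In `check_login`, `$_SESSION['ip']` is read without an `isset()` guard, and nothing visible here expires an idle session, so a short comment stating the intended session lifetime would help the next reader.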

