PEAR: Latest releases for krausbn

LiveUser 0.16.13

2008-01-28T03:29:59-05:00

- #9418: Initialization for example 5 wrong
- #9575: Example trips over MySQL boolean/int
- #9581: Add support for session.cookie_httponly

LiveUser 0.16.12

2006-08-22T13:34:20-05:00

- wrong use of pdo fetch method, when no result could be fetched it returns
false with no error. Swith to using fetchAll and check for an empty array
- we cannot decrypt most of the encryption method used by the hash extension so
we default to returning the unmodified string
- the wrong variable was used to report the type of permission container when an
error occured
- push an error on the stack when the encryption method cannot be found
- make sequence columns primary key
- properly disconnect the pdo object
- make it possible to set the status message mapping
- register options for create (Bug #7704)
- use the hash extension if it is present for the password encryption
- refactored decryptPW() and encryptPW() into static methods in the LiveUser class
- force null instead of false for PDO fetch() calls that return empty sets
- fixed logging into example1
- debug => false in conf doesn't work (Bug #7564; thx to Matthias)
- added support for user defined handle fields
in DB, MDB, MDB2 and PDO containers you can set a list of fields in your auth
container storage config, default is 'handle', example:
'handles' => array('handle', 'auth_user_id', 'email')
these fields are now used to find the right user on login (Request #7781)
- fixed LiveUser::decryptPW(): added missing third parameter 'secret'
- check if safe_mode is enabled in fileExists() to determine what algo to use (Bug #8296)

LiveUser 0.16.11

2006-04-19T04:44:56-05:00

- parse error typo fix in PEARAuth container (bug #6968)
- minor improvements to the phpdoc comments in PEARAuth container
- use ugly fopen() hack in fileExists()
http://marc.theaimsgroup.com/?l=pear-dev&m=114148949106207&w=2
- changed API for readuserData(), auth_user_id parameter now contains the
auth_user_id to use
- login() now supports passing in an auth_user_id instead of the handle/password
- made stack property public
- typo fix in PDO container readImplyingRights() method (bug #7195)
- expanded error handling in Log instance creation
- handle if no proper credentials where passed to readUserData() (bug #7262)
- replace isset() with array_key_exists() where applicable
- disable __autoload() in class_exists() calls (bug #7304)
- brought property names in line s/rights/right_ids *BC break*
- MDB2_Schema 0.5 and MDB2 2.0.1 handles nulls in schema files properly so
there is no need to disable MDB2_PORTABILITY_EMPTY_TO_NULL in the installer

LiveUser 0.16.10

2006-02-27T13:17:51-05:00

- Do not include Cache.php since its only a concept and not implemented yet
- fixed serious issue with right reading in the Medium and Complex container
- right_level may not be null in schema (use default if not explicitly set)
- phpdoc improvements
- bumped dependency for MDB2 to first stable release
- added missing optional dependency on mcrypt
- made admin user a superadmin in example4
- bumped copyright to 2006

LiveUser 0.16.9

2006-02-21T14:38:18-05:00

This releases fixes a minor security issue that is limited to the optional
remember me feature. This issue was report to us by GulfTech Security Research.

The issue would allow an attacker to determine the existance of files inside the
file system, as well as being able to delete files:
- if the relativ path is shorter than 32 characters (including a null
byte)
- if null bytes are handled inside the "_COOKIE" superglobal, for example
through usage of magic_quotes_gpc, the issue becomes essentially limited to
files ending with ".lu".

All installations using the remember me feature are strongly urged to update.
This release also changes some other aspects including a BC break so developers
can optionally patch their current installations from the changes in the
following commit:
http://cvs.php.net/viewcvs.cgi/pear/LiveUser/LiveUser.php?r1=1.148&r2=1.149&diff_format=u

- fixed major bug in PEARAuth container: auth_user_id is not an optional property
- added passwordEncryptionMode and secret to phpdoc comment
- made cryptRC4() method public to match usage in auth common in the client and admin api
- fixed handling of the secret user defineable property (bug #6551)
- added support for user_group_ids (bug #6517)
- allow grouprights and groupusers table to join eachother
- updateProperty doesn't update the session (bug #6612)
- renamed "connection" config option to "dbc" *BC BREAK*
- cleaned up and unified init() in the storage classes
- added example for dumping SQL to a file to installer
- add support for force_seq to installer
- removed allowDuplicateHandles and allowEmptyPasswords options, they are now
handled through the table definition in the given Globals.php (overwriteable
via the config array) *BC BREAK*
- initial untested support for PDO in the installer
- added examples for setting length and defaults to installer
- use overwrite when unlink is enabled in the installer
- reworked handling of merging user with group rights *BC BREAK*
When using the Medium or Complex container a user may gain rights through direct
assignment or through membership in a group that has rights assigned. The user
and group rights are merged with the following logic:
* if the right is only assigned to a member group but not the user the right is
available to the user at the level at which the group has the right
* if the right is only assigned to the user at a level greater than zero but not
to a member group the right is available to the user at the level at which
user has the right
* if the right is only assigned to the user at a level equal to zero but not
to a member group the right is available to the user at the level at which
user has the right
* if the right is only assigned to the user at a level lower than zero but not
to a member group then the right is unavailable to the user
* if the is assigned to a member group and the user and the level at which the
user has the right is greater than zero, then the right is available to the
user at higher level of the two
* if the is assigned to a member group and the user and the level at which the
user has the right is equal to zero, then the right is unavailable to the user
* if the is assigned to a member group and the user and the level at which the
user has the right is lower than zero, then the right is available to the
user at the minimum of the group assigned level and the addition of the
negativ user level and the maximum level
Example:
The user as the following right_id => level pairs
array
1 => 3
2 => -2
3 => 0
5 => -1

The groups he is a member of have the following right_id => level pairs
array
1 => 1
2 => 3
3 => 3
4 => 2

The final right_id => level pairs are as follows
array
1 => 3 // user has a higher level (3) than the group level (1)
2 => 1 // 3 - 2 means a maximum possible level of 1
4 => 2 // only group has the right at level 2
5 => 2 // only user has the right at level 3 - 1 = 2

LiveUser 0.16.8

2005-12-21T06:27:16-05:00

- clearer status and error messages
- fix a bug with the passed Log object being discarded
- extra debug info when the auth container is instantiated
- more helpful error message when the class cannot be loaded
- make the PEAR::Auth wrapper use the passed handle and password
- fixed phpdoc typo in singleton method (bug #5668)
- fixed ability to call singleton() with only the conf parameter set, even if
singleton was never called before (bug #5669)
- fixed issue in factoryStorage() that would lead to modifying the config array (bug #5526)
- added ability to disable executing the sql commands on installSchema()
- set status after logging out not before
- tweaked error messages for failed factory method calls
- fix for calling singleton without a signature string (bug #5905)
- attempt at checking if it is safe to start the session, add an error to the stack if not and return
- minor performance tweak in login()
- reordered code inside login() to make onFailedMapping events more powerful
- improved handling of INACTIVE status
- stop using backendArrayIndex infavor of containerName property in the auth instance
- removed loginTimeout feature (disable lastlogin if you are concerned about
the cost of updating the lastlogin time)
- handle option user data properties in readUserData() in the PEAR::Auth wrapper
- added a few return true's for method that returned void so far
- tons of phpdoc and whitespace fixes and additions
- add missing css file in example5
- only read remember me cookie in login() if remember was passed as true (bug #6215)
- handle and password are passed to reeadUserData in the PEARAuth container
- reworked file loading in loadClass() to work around issues in safe_mode with
LiveUser::fileExists() (bug #6226)
- moved all explict handling of logout() and login() out of the init() method *BC BREAK*
- made setRememberCookie(), readRememberCookie() and deleteRememberCookie public
- setRememberCookie() no longer accepts a remember parameter
- added PDO backend and optional pdo based config for example5

LiveUser 0.16.7

2005-10-10T06:53:15-05:00

- typo fix getMessage => getMessage() (bug #5283)
- added parameter to unlink backup file to force new creation in installSchema()
- fixed join points in implied_rights table in the perm Globals.php
- removed unnecessary join in readUserRights() of the database containers
- removed autoInit (all init() manually instead) *BC BREAK*
- reworked log/debug handling (there is a new 'debug' conf option which can
either be a bool or a log instance)
- made the log property public which made it possible to remove addErrorLog()
- renamed loadPEARLog() to PEARLogFactory and reworked it to return a Log
instance as a static method
- added an optional signature parameter to singleton() instead of using the
handle/password/confName parameters (which no longer exist) *BC BREAK*
- made login() and logout() public
- made freeze() private
- prefixed all private properties/methods with an underscore

LiveUser 0.16.6

2005-09-02T08:43:24-05:00

- various fixes to the Session auth container
- various fixes to the PEARAuth auth container
- added error handler and more comments to the install.php
- removed updateLastLogin option
- delete remember me cookie in all error cases while reading the remember me cookie
- cosmetic fixes to the examples in demodata.php
- (re-)added example5 (more or less the same as example4)

LiveUser 0.16.5

2005-08-17T08:26:53-05:00

- fixed bugs related to is_active handling (resulting in users being able to
login that are set to in active!) *SECURITY ISSUE*
- fixed bug in getProperty() that would make it impossible to fetch the values
of internal config properties (bug #5110)
- pass the storage config array by ref after all

LiveUser 0.16.4

2005-08-15T10:53:47-05:00

- writeSchema returns error objects and not false on error
- added error handling around call to parent::init()
- assign _storage property by ref in the permission container
- moved area admin code from the medium into the complex container
- tweaked error handling in login()/readUserData()
- only assign the perm instance to _perm if mapUser/unfreeze succeeded
- fixed bug in the auth container common class that made is_active a required
and not optional feature as intended
- fixed bug in MDB/MDB2 perm storage layer that could lead to incorrect
datatype being used when the alias feature is used