diff --git a/admin/deco.php b/admin/deco.php
index 079036f..4957f70 100644
--- a/admin/deco.php
+++ b/admin/deco.php
@@ -2,5 +2,8 @@
 session_start();
 $_SESSION = array();
 session_destroy();
-header("Location: index.php");
+require_once("../phpCAS-1.3.6/CAS.php");
+phpCAS::client(CAS_VERSION_2_0, "cas.insa-toulouse.fr", 443, 'cas', true);
+phpCAS::setNoCasServerValidation();
+phpCAS::logout();
 ?>
\ No newline at end of file
diff --git a/admin/gestion_des_acces.php b/admin/gestion_des_acces.php
index 17e5217..19f04b0 100644
--- a/admin/gestion_des_acces.php
+++ b/admin/gestion_des_acces.php
@@ -70,11 +70,10 @@ if(isset($_GET['adm']) AND !empty($_GET['adm']))
 if(isset($_POST['send'])) {
- if(isset($_POST['pseudo']) AND !empty($_POST['pseudo']) AND isset($_POST['mdp']) AND !empty($_POST['mdp']) AND isset($_POST['perm']) AND !empty($_POST['perm'])) {
+ if(isset($_POST['pseudo']) AND !empty($_POST['pseudo']) AND isset($_POST['perm']) AND !empty($_POST['perm'])) {
 if($user['perm'] >= 2) {
 $pseudo = htmlspecialchars($_POST['pseudo']);
- $mdp = htmlspecialchars($_POST['mdp']);
 $perm = htmlspecialchars($_POST['perm']);
 switch ($perm) {
@@ -94,8 +93,8 @@ if(isset($_POST['send'])) {
 $req->execute(array($pseudo));
 $pseudo_exist = $req->rowCount();
 if ($pseudo_exist == 0) {
- $req = $db->prepare("INSERT INTO admin(pseudo, mdp, perm) VALUES(?, ?, ?)");
- $req->execute(array($pseudo, password_hash($mdp, PASSWORD_DEFAULT), $perm_int));
+ $req = $db->prepare("INSERT INTO admin(pseudo, perm) VALUES(?, ?)");
+ $req->execute(array($pseudo, $perm_int));
 header('refresh:0');
 } else {
 $error = "pseudo déja utilisé";
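Review bot: `phpCAS::setNoCasServerValidation()` on the new side of deco.php disables certificate validation of the CAS server, so anyone able to interpose on the path to cas.insa-toulouse.fr can impersonate it during logout; the index.php hunk adds the same call under the library's own comment saying it is not for production. Replace it in both files with `phpCAS::setCasServerCACert('<path-to-CA-bundle>')` pointing at the issuer of the CAS server certificate. The client setup (host, port, context and the validation call) is now duplicated between deco.php and index.php; moving it into the shared include (script.php, which index.php already loads) keeps the two from drifting when the CA path is fixed. `phpCAS::logout()` redirects to the CAS logout page and ends the request, so the removed `header("Location: index.php")` is not missed, but returning users to the application afterwards needs `phpCAS::logoutWithRedirectService('<absolute URL of index.php>')` instead.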
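Review bot: `$pseudo = htmlspecialchars($_POST['pseudo']);` now stores the CAS login HTML-escaped, while the new index.php looks the row up with the raw `phpCAS::getUser()` value; a login containing `&`, `'` or `"` would be written encoded and never match, so the account could not log in. Validate the identifier on input and escape only where it is echoed, e.g. `$pseudo = trim($_POST['pseudo']);` followed by `if (!preg_match('/^[A-Za-z0-9._-]+$/', $pseudo)) { $error = "identifiant invalide"; }` with the allowed set adjusted to the CAS login format, and `htmlspecialchars($pseudo)` at output. The `if(isset($_POST['send'])) {` block and its `switch ($perm)` continue past the end of the hunk.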
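Review bot: The new `INSERT INTO admin(pseudo, perm) VALUES(?, ?)` no longer supplies `mdp`, but this diff contains no schema change dropping or defaulting that column; if `mdp` is still NOT NULL without a default the insert fails, and since the result of `$req->execute(...)` is not checked the page still issues `header('refresh:0')` as though the account had been created (unless `$db` runs in `PDO::ERRMODE_EXCEPTION`, which is not visible here). Either ship the migration with this change or guard the call: `if ($req->execute(array($pseudo, $perm_int))) { header('refresh:0'); } else { $error = "insertion impossible"; }`. The `rowCount()` existence check and the insert are also not atomic; a UNIQUE constraint on `admin.pseudo` is what actually prevents duplicate accounts.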
@@ -119,8 +118,7 @@ if(isset($_POST['send'])) {
 <body>
 <main>
 <form method="POST">
- <input type="text" placeholder="identifiant" name="pseudo" class="input_inline">
- <input type="password" placeholder="mot de passe" name="mdp" class="input_inline">
+ <input type="text" placeholder="identifiant INSA" name="pseudo" class="input_inline">
 <select name="perm" class="input_inline">
 <option value="v0">GDA - Perm 0</option>
 <option value="v1">Bureau - Perm 1</option>
@@ -137,7 +135,7 @@ if(isset($_POST['send'])) {
 <table class="acces">
 <tr>
 <th width="10%">ID (db)</td>
- <th width="40%">Identifiant</td>
+ <th width="40%">Identifiant INSA</td>
 <th width="40%">Perm</td>
 <th width="10%">Actions</td>
 </tr>
diff --git a/admin/index.php b/admin/index.php
index c9ab73f..1128a70 100644
--- a/admin/index.php
+++ b/admin/index.php
@@ -1,31 +1,48 @@
 <?php
 $page = "index";
 include "script.php";
-if(isset($_POST['login'])) {
- if (!empty($_POST['pseudo']) and !empty($_POST['password'])) {
- $pseudo = htmlspecialchars($_POST['pseudo']);
- $password = htmlspecialchars($_POST['password']);
+//CAS
+require_once("../phpCAS-1.3.6/CAS.php");
- $req = $db->prepare("SELECT id, mdp FROM admin WHERE pseudo = ?");
- $req->execute(array($pseudo));
- $user_exist = $req->rowcount();
- if ($user_exist == 1) {
+// Initialize phpCAS
+phpCAS::client(CAS_VERSION_2_0, "cas.insa-toulouse.fr", 443, 'cas', true);
+
+// For production use set the CA certificate that is the issuer of the cert
+// on the CAS server and uncomment the line below
+// phpCAS::setCasServerCACert($cas_server_ca_cert_path);
+
+// For quick testing you can disable SSL validation of the CAS server.
+// THIS SETTING IS NOT RECOMMENDED FOR PRODUCTION.
+// VALIDATING THE CAS SERVER IS CRUCIAL TO THE SECURITY OF THE CAS PROTOCOL!
+phpCAS::setNoCasServerValidation();
+
+// force CAS authentication
+phpCAS::forceAuthentication();
+
+// at this step, the user has been authenticated by the CAS server
+// and the user's login name can be read with phpCAS::getUser().
+$pseudo = phpCAS::getUser();
+
+if(!isset($_SESSION['id'])) {
+ $req = $db->prepare("SELECT id FROM admin WHERE pseudo = ?");
+ $req->execute(array($pseudo));
+ $user_exist = $req->rowcount();
+ if ($user_exist == 1) {
 while ($user_login = $req->fetch()) {
- $passwd = $user_login['mdp'];
- if ((password_verify($password, $passwd)) == 1) {
- $_SESSION['id'] = $user_login['id'];
- header('Refresh:0');
- } else {
- $error = "Mot de passe invalide !";
- }
- }
- } else {
- $error = "Identifiant invalide !";
+ $_SESSION['id'] = $user_login['id'];
+ header('Refresh:0');
 }
 } else {
- $error = "Tout les champs doivent être complétés";
+ $error = "Identifiant invalide !";
 }
 }
+
+if(isset($_POST['login'])) {
+ session_start();
+ $_SESSION = array();
+ session_destroy();
+ header('Refresh:0');
+}
 ?>
 <!DOCTYPE html>
 <html>
@@ -54,8 +71,6 @@ if(isset($_POST['login'])) {
 } else {
 ?>
 <form method="POST">
- <input type="text" placeholder="Identifiant" name="pseudo" class="input">
- <input type="password" placeholder="mot de passe" name="password" class="input">
 <input type="submit" name="login" value="Se connecter" class="submit">
 </form>
 <?php
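Review bot: The new `if(isset($_POST['login']))` block calls `session_start()` when a session is presumably already active (`phpCAS::client()` starts one and, with its fifth argument `true`, manages the session id), which emits a "session had already been started" notice, and wiping `$_SESSION` only drops the local login: `phpCAS::forceAuthentication()` runs first on the next request, the CAS single-sign-on session is untouched, so the same user is re-authenticated and `$_SESSION['id']` re-created, and the button cannot switch accounts. If a real sign-out is intended, route it through the logout script that already calls `phpCAS::logout()`: `header('Location: deco.php'); exit;`. Separately, once `$_SESSION['id']` is set it is trusted on every later request without confirming that `phpCAS::getUser()` still maps to an `admin` row, so deleting an entry in gestion_des_acces.php leaves that admin logged in until the session expires; storing the pseudo next to the id and re-running the lookup whenever `phpCAS::getUser()` differs from it closes that gap. `setNoCasServerValidation()` here is covered by the note on deco.php.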
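Review bot: With the identifier and password inputs gone, this form posts only the `login` submit, which the PHP block at the top of the file now turns into a session reset rather than a sign-in, so `value="Se connecter"` no longer describes what the button does. Either relabel it for the action it really triggers or change the form to `action="deco.php"` so it performs the CAS logout; the `if … else` that wraps this form starts outside the hunk.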