Archive for September, 2007

Sunday, September 30th, 2007

206 Part II: Developing Intranet Solutions

TABLE 7-1 INTRANET DATABASE TABLES (Continued)

| Table | Description |
| --- | --- |
| MSG_VIEWER | Holds the message viewer data, the message number (MSG_ID), and the viewer ID (VIEWER_ID). It relates which message should be viewed by which user. |
| THEME | Holds information about the available intranet themes that can be used by the user. It contains the theme number (THEME_ID) and the name of the theme (THEME_NAME). |
| ACTIVITY | Holds information about the user login/logout activities, discussed in Chapter 5. It contains the user ID (USER_ID), action type (ACTION_TYPE), and action timestamp (ACTION_TS). |
| USER_DETAILS | This table contains detailed user information. This table holds the user ID (USER_ID), first name (FIRST), last name (LAST), address line #1 (ADDRESS1), address line #2 (ADDRESS2), city (CITY), state (STATE), zip code (ZIPCODE), country (COUNTRY), phone number (PHONE), and start date of the user in the intranet (START_DATE). |
| USER_PREFERENCE | Contains the user preference information: the user ID (USER_ID), preference ID (PREFERENCE_ID), and value (VALUE). |

intranet.mysql is an implementation of the intranet database in MySQL. It's included on this book's CD-ROM (CDROM/ch07/sql/intranet.mysql). To use this database for these applications, create a database called INTRANET in your database server and run the following command:

    mysql -u root -p -D INTRANET < INTRANET.sql

Make sure that you change the user name (root) to whatever is appropriate for your MySQL database system. The INTRANET database must be set up before you start designing the PHP classes, which are needed to implement the intranet applications.

Sunday, September 30th, 2007

Chapter 7: Intranet System 205

Figure 7-1: Intranet system ER diagram.

The users table is shown in the ER diagram to clarify the relationship. It actually does not belong in the INTRANET database but in the central user-authentication database called auth, discussed in Chapter 5. Users who appear in the users table of the auth database have access to the intranet. Table 7-1 describes each table in detail.

TABLE 7-1 INTRANET DATABASE TABLES

| Table | Description |
| --- | --- |
| MESSAGE | Holds the message title (MSG_TITLE), message number (MSG_ID), message contents (MSG_CONTENTS), message date (MSG_DATE), message type (MSG_TYPE), flag (FLAG), and ID of the author who created the message (AUTHOR_ID). The message number (MSG_ID) is automatically generated by the database. |
| MSG_TRACK | Contains the message tracking information. It holds the user ID (USER_ID) of the user who received the message, the message number (MSG_ID), and the time stamp when the message is read by the viewer user (READ_TS). |

Continued

Saturday, September 29th, 2007

204 Part II: Developing Intranet Solutions

• A simple messaging application that enables users and administrators to send messages in the form of notes: For example, a user should be able to send a note via the intranet to another user about a task deadline or a meeting. We will implement this messaging tool, which we call the Message of the Day (MOTD) tool.
• A simple document-publishing application that enables intranet users to publish HTML documents in an organized manner: This tool enables users to provide feedback on each posted document. Also, whenever a new document is added or an existing one is updated, users who have access to the document should be automatically notified via the messaging system previously mentioned. The applications for this suite are built in Chapter 8.
• A simple central contact-manager application that enables intranet users to access common contact information such as that for vendors, customers, partners, and co-workers: These applications are built in Chapter 9.
• A simple central event-calendar application suite that enables users to publish and view important events: These applications are built in Chapter 10.
• A simple Internet resource manager application suite that allows users to share Internet resources such as Web and FTP sites: These applications are built in Chapter 10.

The intranet applications that we develop here require the central login/logout and user-management components of the intranet discussed in the previous three chapters in this section. You'll need to have those applications (login, logout, user-management) already implemented so that we can develop the base intranet home and access applications in this chapter.

Designing the Database

Since we are designing the intranet to support a small to large number of users, we need a SQL server as the data storage. As in previous chapters and the rest of the book, we will assume that you are going to use MySQL for the database here as well.

The authentication database (auth) previously built for central authentication will still be used for storing user information such as username, password, active flag, and so on. Here we will develop a database that stores intranet messages, user details, preferences, theme choices, and user-access activity log data. Figure 7-1 shows the database diagram for the intranet system.

Saturday, September 29th, 2007

Chapter 7

Intranet System

IN THIS CHAPTER

• Developing a base intranet application
• Using login/logout information to generate access reports
• Developing a simple messaging application

A BASE INTRANET APPLICATION is an application that provides a home page for each user. This application shows links to other applications. In this chapter, we will develop the base intranet application that shows each user a home page. When a user logs in, she sees a generated page with information, such as notes from other intranet users, or she can access other intranet tools that we will build in later chapters.

Identifying Functionality Requirements

The base intranet application system consists of the following features:

• A central user authentication and user management facility: We built this in the first two chapters in this section of the book. In this chapter, we will add a set of applications called Access Reporter, Admin Access Reporter, and Daily Logbook that will allow intranet users and administrators to access login/logout access information. Each regular user will be allowed to access only her own access report, while administrators will have full access to all user access reports and summaries. In a company environment, these access reports can serve as an office attendance record.
• A user home application: Each user should be able to log in and view a dynamic home page that enables that user to access information and applications available on the intranet system. The home application will have two small utilities to display tips and handle user preferences related to screen themes.

Friday, September 28th, 2007

202 Part II: Developing Intranet Solutions

Figure 6-8: Changing a password.

Summary

In this chapter I discussed how you can manage users using a central user management system consisting of a few applications. This user management system (create, modify, delete, and forgotten-password support) works with the central Login/Logout system developed in the earlier chapter. The very idea of having a central user authentication (login/logout) and user management system is to ease user management and make access to various applications as seamless as possible. In future chapters, the applications we develop will simply rely on these systems.

Friday, September 28th, 2007

Chapter 6: Central User Management System 201

    /* --------------END TABLE NAMES ---------------------- */

    // HTML templates used by the user-management applications
    $STATUS_TEMPLATE               = 'usermngr_status.html';
    $USERMNGR_MENU_TEMPLATE        = 'usermngr_menu.html';
    $USERMNGR_USER_TEMPLATE        = 'usermngr_user_form.html';
    $USERMNGR_PWD_REQUEST_TEMPLATE = 'usermngr_forgotten_pwd.html';
    $USERMNGR_PWD_EMAIL_TEMPLATE   = 'usermngr_forgotten_pwd_email.html';
    $USERMNGR_PWD_RESET_TEMPLATE   = 'usermngr_pwd_reset.html';
    $USERMNGR_PWD_CHANGE_TEMPLATE  = 'usermngr_pwd_change.html';

    // User type codes and their display names
    $ADMINISTRATIVE_USER = 9;
    $STANDARD_USER       = 1;
    $USER_TYPE = array(
        9 => 'Administrator',
        1 => 'Standard User'
    );
    ?>

To make it easy for users to reset forgotten passwords, you can add the forgotten-password application link in the login interface template. Figure 6-7 shows such a login interface.

Figure 6-7: Central login interface with forgotten-password link.

Testing the forgotten-password recovery application

To test the forgotten-password application, simply click the forgotten-password link on the login interface. Submit a user's e-mail address and wait for an e-mail to appear in the user's mailbox. Click on the link in the e-mail and change the password. (See Figure 6-8.) After you've changed the password, you can log in to any application that uses the central authentication system with the user's name and the new password.

Thursday, September 27th, 2007

200 Part II: Developing Intranet Solutions

Listing 6-7 (Continued)

    // $APP_FRAMEWORK_DIR and the *_CLASS variables are set in the earlier
    // part of this listing, which is not shown on this page.
    $APP_MENU          = '/home/home.php';
    $APPLICATION_NAME  = 'USER_MNGR';
    $XMAILER_ID        = 'Example User Manager Version 1.0';
    $DEFAULT_LANGUAGE  = 'US';
    $DEFAULT_DOMAIN    = 'example.com';
    $ROOT_PATH         = $_SERVER['DOCUMENT_ROOT'];
    $REL_ROOT_PATH     = '/user_mngr';
    $REL_APP_PATH      = $REL_ROOT_PATH . '/apps';
    $TEMPLATE_DIR      = $ROOT_PATH . $REL_APP_PATH . '/templates';
    $CLASS_DIR         = $ROOT_PATH . $REL_APP_PATH . '/class';
    $REL_TEMPLATE_DIR  = $REL_APP_PATH . '/templates/';

    require_once 'user_mngr.errors';
    require_once 'user_mngr.messages';
    require_once 'DB.php';
    require_once $APP_FRAMEWORK_DIR . '/' . 'constants.php';
    require_once $APP_FRAMEWORK_DIR . '/' . $APPLICATION_CLASS;
    require_once $APP_FRAMEWORK_DIR . '/' . $ERROR_HANDLER_CLASS;
    require_once $APP_FRAMEWORK_DIR . '/' . $AUTHENTICATION_CLASS;
    require_once $APP_FRAMEWORK_DIR . '/' . $DBI_CLASS;
    require_once $APP_FRAMEWORK_DIR . '/' . $USER_CLASS;
    require_once $TEMPLATE_CLASS;

    $MIN_USERNAME_SIZE = 3;
    $MIN_PASSWORD_SIZE = 3;
    $DUMMY_PASSWD      = '1234567890';
    $ROOT_USER         = 'kabir@evoknow.com';
    // Secret number that getCheckSum() combines with the user ID
    $SECRET            = 916489;
    $CHAR_SET          = 'charset=iso-8859-1';

    // Application names
    $USERMNGR_MNGR           = 'user_mngr.php';
    $USERMNGR_FORGOTTEN_APP  = 'user_mngr_forgotten_pwd.php';
    $USERMNGR_CHANGE_PWD_APP = 'user_mngr_passwd.php';

    /* --------------START TABLE NAMES ---------------------- */
    // Database URL for the central authentication database (auth)
    $APP_DB_URL  = 'mysql://root:foobar@localhost/auth';
    $AUTH_DB_TBL = 'users';

Thursday, September 27th, 2007

Chapter 6: Central User Management System 199

| Method | Description |
| --- | --- |
| checkPassword() | Checks the user-entered password for length and confirmation tests. |
| get_username() | Called by showScreen() method when displaying the user name entry interface as the first step in resetting the forgotten password. |
| reset_pwd() | Called by showScreen() method when displaying the password entry interface as the third step in resetting the forgotten password. |
| authorize() | Because anyone can request to change her password, the authorization method always returns TRUE. |

Listing 6-7 shows the code for the forgotten-password recovery application.

Listing 6-7: usermngr_forgotten_pwd.php

Thursday, September 27th, 2007

198 Part II: Developing Intranet Solutions

4. It creates a User object, $userObj, and calls getUserInfo() to load the user information.
5. It calls updateUser() with $hash as the parameter. updateUser() performs the actual database operation of updating the password. It only updates the password because $hash contains only the password information.
6. It displays the appropriate success or failure status message.

• email(): This method is called by showScreen() to populate the e-mail template, which becomes the HTML message sent to the user who is requesting the change for a forgotten password. It works as follows:

1. It creates a User object, $userObj, and uses getUserIDByName() to retrieve the user's ID.
2. It returns FALSE if the user ID is not found. Otherwise, it uses getCheckSum() to generate a checksum for the current user ID.
3. It incorporates the checksum value in a URL along with the user ID and step value set to 3.
4. It embeds the forgotten password application URL into the HTML template by replacing the PASSWORD_URL tag with the URL value.
5. It returns TRUE status.

The following are other methods implemented in this application.

| Method | Description |
| --- | --- |
| run() | Calls the resetPasswordDriver(), which is responsible for managing the entire forgotten-password process. |
| sendEmail() | Sends an e-mail link to the user, which she can use to return to the forgotten password application to enter a new password. The e-mail message is read as an HTML template, which is processed by the showScreen() method. The showScreen() method calls the email() method to create the actual message, which sendEmail() method sends to the user. |
| getCheckSum() | Creates a checksum value using the user ID and a secret random number loaded from the configuration file. The checksum number is used to protect the e-mailed link from being generated by an unfriendly user. |
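The body of getCheckSum() is not shown on this page. As an added example (not the book's code), the following sketches one way to protect the e-mailed link with a keyed HMAC-SHA256 over the user ID and an expiry time; the function names, the expires parameter, the demo key and the sample URL are assumptions made for illustration.

```php
<?php
// Added example: not the book's getCheckSum(); all function names are hypothetical.
// Assumption: the key is 32 random bytes from random_bytes(32), stored outside
// the web root. A fixed, constructed value is used here so the example runs.
$resetKey = hash('sha256', 'constructed-demo-key', true);

// MAC over user ID and expiry, so neither can be changed without the key.
function makeResetToken(string $key, int $userId, int $expires): string
{
    return hash_hmac('sha256', $userId . '|' . $expires, $key);
}

function buildResetUrl(string $base, string $key, int $userId, int $now, int $ttl = 3600): string
{
    $expires = $now + $ttl;
    return $base . '?' . http_build_query([
        'step'     => 3,
        'user_id'  => $userId,
        'expires'  => $expires,
        'checksum' => makeResetToken($key, $userId, $expires),
    ]);
}

function verifyResetRequest(string $key, array $query, int $now): bool
{
    foreach (['user_id', 'expires', 'checksum'] as $field) {
        if (!isset($query[$field]) || !is_string($query[$field])) {
            return false;               // missing field, or an array sent as field[]=x
        }
    }
    if (!ctype_digit($query['user_id']) || !ctype_digit($query['expires'])) {
        return false;
    }
    if ((int) $query['expires'] < $now) {
        return false;                   // link has expired
    }
    $expected = makeResetToken($key, (int) $query['user_id'], (int) $query['expires']);
    return hash_equals($expected, $query['checksum']);   // constant-time comparison
}

// Constructed demo: issue a link, then check it intact, altered and expired.
$now = 1190851200;                      // constructed timestamp
$url = buildResetUrl('https://example.com/user_mngr/apps/user_mngr_forgotten_pwd.php', $resetKey, 42, $now);
parse_str(parse_url($url, PHP_URL_QUERY), $query);
var_dump(verifyResetRequest($resetKey, $query, $now + 60));                        // intact link
var_dump(verifyResetRequest($resetKey, ['user_id' => '43'] + $query, $now + 60));  // user ID changed
var_dump(verifyResetRequest($resetKey, $query, $now + 7200));                      // past expiry
```

A link built this way stays valid until it expires; also binding the MAC to a stored per-request nonce or to the current password hash would make it single-use.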

Wednesday, September 26th, 2007

Chapter 6: Central User Management System 197

Implementing the forgotten-password recovery application

The forgotten-password recovery application implements the following methods:

• resetPasswordDriver(): This method uses the global form variable, $step, to determine phases of the forgotten password recovery process. The tasks performed by this method are as follows:

1. When $step is unset, the first step in the process is assumed and the user is provided an interface to enter her username (EMAIL) address.
2. When the user has entered the username, the interface supplies a new value (2) for $step, which is embedded as a hidden field within the HTML form displayed in the first step.
3. In the second step, the method calls sendEmail() to send an e-mail to the user with a link that enables her to return to this application and enter the third step.
4. When the user clicks on the e-mailed link, a user interface that enables the user to change her password is presented. Submitting the new password with the confirmation password makes the method enter the final step.
5. In the final step, the method calls resetPassword() to reset the existing password with the newly entered password.

• resetPassword(): This method performs the actual task of resetting the existing password to the newly entered password. It works as follows:

1. It uses getCheckSum() to calculate the checksum of the request, and then compares it with the given checksum. If they don't match, the application shows an alert message and returns the user to the last screen.
2. It uses checkPassword() to check the password for length and dummy password issues.
3. It creates a two-character salt using two random characters, and then encrypts the user-entered password, adding it to an associative array called $hash.
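Step 3 of resetPassword() stores the password using a two-character salt. The following added example (not the book's code) shows that scheme beside PHP's password_hash() and a verify-then-upgrade login check; it assumes the "encrypts" step is crypt() with a two-character salt, and the function names and sample passwords are constructed for illustration.

```php
<?php
// Added example: function names are hypothetical, not taken from the book's classes.
// Assumption: the "two-character salt, then encrypt" step is PHP's crypt() with a
// 2-character salt, which selects traditional DES and reads only 8 password characters.
function legacyHash(string $password): string
{
    $alphabet = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
    $salt = $alphabet[random_int(0, 63)] . $alphabet[random_int(0, 63)];
    return crypt($password, $salt);
}

// Verify a login against the stored hash (legacy or current). When the stored
// hash is not in the current default format, also return a replacement hash
// for the caller to write back to the users table.
function checkLogin(string $password, string $stored): array
{
    if (!password_verify($password, $stored)) {
        return ['ok' => false, 'rehash' => null];
    }
    $rehash = password_needs_rehash($stored, PASSWORD_DEFAULT)
        ? password_hash($password, PASSWORD_DEFAULT)
        : null;
    return ['ok' => true, 'rehash' => $rehash];
}

// Constructed sample data: one account still holding a legacy hash.
$stored = legacyHash('correct horse battery');

// A different password that shares only its first 8 characters with the real
// one, checked against the legacy hash.
var_dump(checkLogin('correct zebra', $stored)['ok']);

// First real login after deployment: the legacy hash verifies and is upgraded.
$first = checkLogin('correct horse battery', $stored);
if ($first['rehash'] !== null) {
    $stored = $first['rehash'];
}
var_dump($first['ok'], password_get_info($stored)['algoName']);

// The same 8-character-prefix password, checked against the upgraded hash.
var_dump(checkLogin('correct zebra', $stored)['ok']);
```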