User and Security

[Flype]

i'm wondering how to add a user management part in my program.

as my program will be used by various users, they will need to login by entering their name and password at the start of the program.

It's the first time i intend to add such a feature,
so i'm not sure of what 'ive done...
particularly for some security reasons.

in my idea, a user allowed to create a user list (an admin) can generate a crypted file on disk. this file is loaded and decrypted in the user login part.

so i've created an include file in order to do all what i said above.

there's 3 pb files :
1/ the 'UserLib' pb include
2/ creating a userlist
3/ login request

Code: Select all

;---------------------------------------------
;- PB INCLUDE FOR USERLIST MANAGEMENT
;---------------------------------------------

#USER_KEY = "kg"
#USER_SEP = ","
#USER_CSV = ";"

Enumeration ; Type d'utilisateur
  #USER_TYPE_GUEST
  #USER_TYPE_ADMIN
  #USER_TYPE_USER
EndEnumeration
Enumeration ; Gadgets pour la requête
  #USER_GAD_INFO
  #USER_GAD_NOM
  #USER_GAD_MDP
  #USER_GAD_OK
EndEnumeration

Structure USER
  type.b ; Invité, Utilisateur, Administrateur
  nom.s  ; Nom de l'utilisateur
  mdp.s  ; Mot de passe
EndStructure

NewList UserList.USER()

Procedure USER_ExisteDeja(nom.s)
  ForEach UserList()
    If UserList()\nom=nom
      ProcedureReturn #True
    EndIf
  Next
  ProcedureReturn #False
EndProcedure
Procedure USER_Ajouter(type.b,nom.s,mdp.s)
  If nom<>"" And mdp<>""
    If type>#USER_TYPE_GUEST
      If USER_ExisteDeja(nom)=#False
        AddElement(UserList())
        UserList()\type=type
        UserList()\nom=nom
        UserList()\mdp=DESFingerprint(mdp,#USER_KEY)
        ProcedureReturn #True
      EndIf
    EndIf
  EndIf
  ProcedureReturn #False
EndProcedure
Procedure USER_Identifier(nom.s,mdp.s)
  ForEach UserList()
    If UserList()\nom=nom
      If UserList()\mdp=DESFingerprint(mdp,#USER_KEY)
        ProcedureReturn UserList()\type
      EndIf
    EndIf
  Next
  ProcedureReturn #USER_TYPE_GUEST
EndProcedure
Procedure USER_Enregistrer(fichier.s)
  If CreatePack(fichier)
    ligne.s=""
    ForEach UserList()
      ligne+Str(UserList()\type)+#USER_SEP
      ligne+UserList()\nom+#USER_SEP
      ligne+UserList()\mdp+#USER_CSV
    Next
    AddPackMemory(@ligne,Len(ligne),9)
    ClosePack()
    ProcedureReturn #True
  EndIf
  ProcedureReturn #False
EndProcedure
Procedure USER_Charger(fichier.s)
  hFichier.l=OpenPack(fichier)
  If hFichier=#Null
    ProcedureReturn #False
  EndIf
  UserData$=PeekS(NextPackFile())
  ClearList(UserList())
  i=1
  Repeat
    ligne$=StringField(UserData$,i,#USER_CSV)
    If ligne$="" : Break : EndIf
    If AddElement(UserList())
      UserList()\type=Val(StringField(ligne$,1,#USER_SEP))
      UserList()\nom=StringField(ligne$,2,#USER_SEP)
      UserList()\mdp=StringField(ligne$,3,#USER_SEP)
    EndIf
    i+1
  ForEver
  ClosePack()
  ProcedureReturn #True
EndProcedure
Procedure USER_RemplirGadget(Gadget.l)
  ForEach UserList()
    AddGadgetItem(Gadget,-1,UserList()\nom)
  Next
EndProcedure
Procedure USER_Login(Titre.s)
  fenetre=OpenWindow(#PB_Any,0,0,255,75,#PB_Window_ScreenCentered,Titre)
  If fenetre=#Null
    ProcedureReturn #False
  EndIf
  ShowCloseButton(WindowID(),#True)
  MakeToolWindow(WindowID(),#True)
  MakeStayOnTop(WindowID(),#True)
  CreateGadgetList(WindowID())
  TextGadget(#USER_GAD_INFO,5,5,245,18,"Veuillez choisir votre nom dans la liste",#PB_Text_Center)
  ComboBoxGadget(#USER_GAD_NOM,5,25,120,100)
  StringGadget(#USER_GAD_MDP,130,25,120,21,"",#PB_String_Password)
  ButtonGadget(#USER_GAD_OK,98,52,60,21,"OK")
  police=LoadFont(#PB_Any,"Arial",8,#PB_Font_Bold)
  If police<>#Null
    SetGadgetFont(#USER_GAD_INFO,FontID())
    SetGadgetFont(#USER_GAD_OK,FontID())
  EndIf
  DisableGadget(#USER_GAD_OK,#True)
  USER_RemplirGadget(#USER_GAD_NOM)
  Repeat
    Select WaitWindowEvent()
      Case #PB_Event_CloseWindow : Break
      Case #PB_Event_Gadget
        Select EventGadgetID()
          Case #USER_GAD_OK : Break
          Case #USER_GAD_NOM
            If EventType()=1
              DisableGadget(#USER_GAD_OK,#True)
              SetGadgetText(#USER_GAD_MDP,"")
              SetGadgetText(#USER_GAD_INFO,"Veuillez saisir votre mot de passe")
            EndIf
        EndSelect
      Case 258
        Select USER_Identifier(GetGadgetText(#USER_GAD_NOM),GetGadgetText(#USER_GAD_MDP))
          Case #USER_TYPE_GUEST : SetGadgetText(#USER_GAD_INFO,"Utilisateur non identifié") : DisableGadget(#USER_GAD_OK,#True)
          Case #USER_TYPE_USER  : SetGadgetText(#USER_GAD_INFO,"Utilisateur identifié") : DisableGadget(#USER_GAD_OK,#False)
          Case #USER_TYPE_ADMIN : SetGadgetText(#USER_GAD_INFO,"Administrateur identifié") : DisableGadget(#USER_GAD_OK,#False)
        EndSelect
    EndSelect
  ForEver
  CloseFont(police)
  CloseWindow(fenetre)
EndProcedure

Code: Select all

;---------------------------------------
; MAKE A USERLIST CRYPTED FILE
;---------------------------------------
IncludeFile "UserLib.pb"
USER_Ajouter(#USER_TYPE_ADMIN,"Flype","toto")
USER_Ajouter(#USER_TYPE_ADMIN,"Fred","pb")
USER_Ajouter(#USER_TYPE_USER,"Denis","riri")
USER_Ajouter(#USER_TYPE_USER,"Regis","fifi")
USER_Ajouter(#USER_TYPE_USER,"Cederavic","loulou")
USER_Enregistrer("users")

Code: Select all

;--------------------------------
; LOGIN
;--------------------------------
IncludeFile "UserLib.pb"
USER_Charger("users")
USER_Login("Login")

so if someone can test it and report me any problem (bug,security)... thanx

[dell_jockey]

Bonjour Flype,

why do you want to manage users local to your application? Why not create an access group on your OS and allow this access group to use your application? No programming involved!

[Flype]

yes that the question...

What you said is the best, i know.
But in my company, at this moment, i'm not allowed to configure the OS Access Group's. #?!@#$!

So my solution is to load the user file from a net path like \\CompanyWorkgroup\MySoftware\users

[thefool]

removed

[Flype]

sorry but i didn't understand your reply at all
however my english isn't so bad