inc/DAViCalSession.php

   1 <?php
   2 /**
   3 * DAViCal extensions to AWL Session handling
   4 *
   5 * @package   davical
   6 * @subpackage   DAViCalSession
   7 * @author Andrew McMillan <andrew@mcmillan.net.nz>
   8 * @copyright Catalyst .Net Ltd, Morphoss Ltd <http://www.morphoss.com/>
   9 * @license   http://gnu.org/copyleft/gpl.html GNU GPL v2
  10 */
  11
  12 /**
  13 * @global resource $session
  14 * @name $session
  15 * The session object is global.
  16 */
  17 $session = 1;  // Fake initialisation
  18
  19 // The Session object uses some (optional) configurable SQL to load
  20 // the records related to the logged-on user...  (the where clause gets added).
  21 // It's very important that someone not be able to externally control this,
  22 // so we make it a function rather than a variable.
  23 /**
  24 * @todo Make this a defined constant
  25 */
  26 function local_session_sql() {
  27   $sql = <<<EOSQL
  28 SELECT session.*, usr.*, principal.*
  29         FROM session JOIN usr USING(user_no) JOIN principal USING(user_no)
  30 EOSQL;
  31   return $sql;
  32 }
  33
  34 /**
  35 * We extend the AWL Session class.
  36 */
  37 require('Session.php');
  38 include_once('DAVResource.php');
  39
  40
  41 @Session::_CheckLogout();
  42
  43 /**
  44 * A class for creating and holding session information.
  45 *
  46 * @package   davical
  47 */
  48 class DAViCalSession extends Session
  49 {
  50
  51   public $principal_id;
  52   private $privilege_resources = array();
  53
  54   /**
  55   * Create a new DAViCalSession object.
  56   *
  57   * We create a Session and extend it with some additional useful DAViCal
  58   * related information.
  59   *
  60   * @param string $sid A session identifier.
  61   */
  62   function __construct( $sid='' ) {
  63     $this->principal_id = null;
  64     $this->Session($sid);
  65   }
  66
  67
  68   /**
  69   * Internal function used to assign the session details to a user's new session.
  70   * @param object $u The user+session object we (probably) read from the database.
  71   */
  72   function AssignSessionDetails( $u ) {
  73     if ( !isset($u->principal_id) ) {
  74       // If they don't have a principal_id set then we should re-read from our local database
  75       $qry = new AwlQuery('SELECT * FROM dav_principal WHERE username = :username', array(':username' => $u->username) );
  76       if ( $qry->Exec() && $qry->rows() == 1 ) {
  77         $u = $qry->Fetch();
  78       }
  79     }
  80
  81     parent::AssignSessionDetails( $u );
  82     $this->GetRoles();
  83     if ( function_exists('awl_set_locale') && isset($this->locale) && $this->locale != '' ) {
  84       awl_set_locale($this->locale);
  85     }
  86   }
  87
  88
  89   /**
  90   * Method used to get the user's roles
  91   */
  92   function GetRoles () {
  93     $this->roles = array();
  94     $sql = 'SELECT role_name FROM roles JOIN role_member ON roles.role_no=role_member.role_no WHERE user_no = '.$this->user_no;
  95     $qry = new AwlQuery( $sql );
  96     if ( $qry->Exec('DAViCalSession') && $qry->rows() > 0 ) {
  97       while( $role = $qry->Fetch() ) {
  98         $this->roles[$role->role_name] = 1;
  99       }
 100     }
 101   }
 102
 103
 104   /**
 105    * Does the user have the privileges to do what is requested.
 106    * @param $do_what mixed The request privilege name, or array of privilege names, to be checked.
 107    * @param $path string The path we want that permission for
 108    * @param $any boolean Whether we accept any of the privileges. The default is true, unless the requested privilege is 'all', when it is false.
 109    * @return boolean Whether they do have one of those privileges against the specified path.
 110    */
 111   function HavePrivilegeTo( $do_what, $path, $any = null ) {
 112     if ( $this->AllowedTo('Admin') ) return true;
 113     if ( !isset($this->privilege_resources[$path]) ) {
 114       $this->privilege_resources[$path] = new DAVResource($path);
 115     }
 116     $resource = $this->privilege_resources[$path];
 117     if ( isset($resource) && $resource->Exists() ) {
 118       return $resource->HavePrivilegeTo($do_what,$any);
 119     }
 120     return false;
 121   }
 122
 123
 124
 125   /**
 126   * Checks that this user is logged in, and presents a login screen if they aren't.
 127   *
 128   * The function can optionally confirm whether they are a member of one of a list
 129   * of roles, and deny access if they are not a member of any of them.
 130   *
 131   * @param string $roles The list of roles that the user must be a member of one of to be allowed to proceed.
 132   * @return boolean Whether or not the user is logged in and is a member of one of the required roles.
 133   */
 134   function LoginRequired( $roles = '' ) {
 135     global $c, $session, $main_menu, $sub_menu, $tab_menu;
 136
 137     $current_domain = (isset($_SERVER['SERVER_NAME'])?$_SERVER['SERVER_NAME']:$_SERVER['SERVER_ADDR']);
 138     if ( (isset($c->restrict_admin_domain) && $c->restrict_admin_domain != $current_domain)
 139       || (isset($c->restrict_admin_port) && $c->restrict_admin_port != $_SERVER['SERVER_PORT'] ) ) {
 140       header('Location: caldav.php');
 141       dbg_error_log( 'LOG WARNING', 'Access to "%s" via "%s:%d" rejected.', $_SERVER['REQUEST_URI'], $current_domain, $_SERVER['SERVER_PORT'] );
 142       @ob_flush(); exit(0);
 143     }
 144     if ( isset($c->restrict_admin_roles) && $roles == '' ) $roles = $c->restrict_admin_roles;
 145     if ( $this->logged_in && $roles == '' ) return;
 146
 147     /**
 148      * We allow basic auth to apply also, if present, though we check everything else first...
 149      */
 150     if ( isset($_SERVER['PHP_AUTH_USER']) && !$this->logged_in && $_SERVER['PHP_AUTH_USER'] != "" && $_SERVER['PHP_AUTH_PW'] != "" && ! $_COOKIE['NoAutoLogin'] ) {
 151       if ( $this->Login($_SERVER['PHP_AUTH_USER'],$_SERVER['PHP_AUTH_PW'],false)) {
 152         setcookie('NoAutoLogin',1,0);
 153         return;
 154       }
 155     }
 156     if ( ! $this->logged_in ) {
 157       $c->messages[] = i18n('You must log in to use this system.');
 158       include_once('page-header.php');
 159       if ( function_exists('local_index_not_logged_in') ) {
 160         local_index_not_logged_in();
 161       }
 162       else {
 163         if ( $this->login_failed ) {
 164           $c->messages[] = i18n('Invalid user name or password.');
 165         }
 166         echo '<h1>'.translate('Log On Please')."</h1>\n";
 167         echo '<p>'.translate('For access to the')
 168                   .' '.translate($c->system_name).' '
 169                   .translate('you should log on with the username and password that have been issued to you.')
 170             ."</p>\n";
 171         echo '<p>'.translate('If you would like to request access, please e-mail').' '.$c->admin_email."</p>\n";
 172         echo $this->RenderLoginPanel();
 173       }
 174     }
 175     else {
 176       $valid_roles = explode(',', $roles);
 177       foreach( $valid_roles AS $k => $v ) {
 178         if ( $this->AllowedTo($v) ) return;
 179       }
 180       $c->messages[] = i18n('You are not authorised to use this function.');
 181       include_once('page-header.php');
 182     }
 183
 184     include('page-footer.php');
 185     @ob_flush(); exit(0);
 186   }
 187 }
 188
 189 $session = new DAViCalSession();
 190 $session->_CheckLogin();
 191