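/**
 * Rebuild $url as the address the user is sent back to, carrying the
 * current request's `return_to` parameter along when it is present.
 *
 * Only a `return_to` value accepted by URLVerification::isInternal() is
 * propagated; anything else is replaced by '/' so the resulting redirect
 * cannot leave the platform (CWE-601). The host part of $url itself is
 * kept as given, so callers are expected to pass a URL they already trust.
 *
 * @param HTTPRequest $request Current request; `return_to`, the SSL state and
 *                             the HTTP-redirect policy are read from it
 * @param string      $url     URL to rebuild, absolute or path-only
 *
 * @return string
 */
public function makeReturnToUrl(HTTPRequest $request, $url)
{
    $urlToken = parse_url($url);
    // parse_url() returns false on seriously malformed input; treat that as
    // "no components" rather than failing in array_key_exists() below.
    if ($urlToken === false) {
        $urlToken = array();
    }

    $server_url = '';
    if (array_key_exists('host', $urlToken) && $urlToken['host']) {
        // Absolute URL: keep its origin. A protocol-relative URL ("//host/p")
        // has a host but no scheme, hence the '' fallback instead of a notice.
        $scheme     = isset($urlToken['scheme']) ? $urlToken['scheme'] : '';
        $server_url = $scheme . '://' . $urlToken['host'];
        if (array_key_exists('port', $urlToken) && $urlToken['port']) {
            $server_url .= ':' . $urlToken['port'];
        }
    } elseif ($request->isSSL() && $this->shouldRedirectToHTTP($request)) {
        // Path-only URL on an HTTPS request that must go back to HTTP: pin
        // the platform's own domain so the target stays on this server.
        $server_url = 'http://' . $GLOBALS['sys_default_domain'];
    }

    $finaleUrl = $server_url;
    if (array_key_exists('path', $urlToken) && $urlToken['path']) {
        $finaleUrl .= $urlToken['path'];
    }

    $query = (array_key_exists('query', $urlToken) && $urlToken['query']) ? $urlToken['query'] : '';

    if ($request->existAndNonEmpty('return_to')) {
        $return_to = $request->get('return_to');
        /*
         * We do not want redirect to an external website
         * @see https://cwe.mitre.org/data/definitions/601.html
         */
        $url_verifier        = new URLVerification();
        $return_to_parameter = 'return_to=';
        if ($url_verifier->isInternal($return_to)) {
            // NOTE(review): the value is appended verbatim (not urlencoded);
            // isInternal() is the only filter applied to it.
            $return_to_parameter .= $return_to;
        } else {
            $return_to_parameter .= '/';
        }
        $finaleUrl .= '?' . ($query !== '' ? $query . '&' : '') . $return_to_parameter;
        // Keep the "printer version" flag when the original page carried it.
        if (strstr($return_to, 'pv=2')) {
            $finaleUrl .= '&pv=2';
        }
    } elseif ($query !== '') {
        $finaleUrl .= '?' . $query;
    }

    if (array_key_exists('fragment', $urlToken) && $urlToken['fragment']) {
        $finaleUrl .= '#' . $urlToken['fragment'];
    }

    return $finaleUrl;
}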
/**
 * Ensure given user can access given project.
 *
 * A user allowed to administrate the trackers of every project is granted
 * access unconditionally; everybody else goes through the parent check,
 * which throws instead of returning false.
 *
 * @param PFUser  $user
 * @param Project $project
 *
 * @return boolean
 *
 * @throws Project_AccessProjectNotFoundException
 * @throws Project_AccessDeletedException
 * @throws Project_AccessRestrictedException
 * @throws Project_AccessPrivateException
 */
public function userCanAccessProject(PFUser $user, Project $project)
{
    $trackers = new TrackerManager();

    return $trackers->userCanAdminAllProjectTrackers($user)
        || parent::userCanAccessProject($user, $project);
}
/**
 * Checks if the URL is valid or not and throw an error if needed.
 *
 * Assume it's an url to be taken into account by this class. The conditions are:
 * - The used host is defined as webdav host
 * - The webdav host is different of default host (defined by sys_default_domain or sys_https_host)
 *
 * For the second point, this is to avoid the webdav URL checker override
 * default url checker for the web part. For instance, if sys_default_domain is example.com
 * and webdav host is also example.com, the webdav url verification will be used to test
 * access to example.com/tracker/... instead of default url checker.
 *
 * When the request does target the dedicated WebDAV host, the only rule
 * enforced here is the platform's forced-SSL policy.
 *
 * @see URLVerification#assertValidUrl($server)
 *
 * @param Array $server
 *
 * @return void
 */
public function assertValidUrl($server)
{
    $webdav_host       = $this->getWebDAVHost();
    $is_webdav_request = strcmp($server['HTTP_HOST'], $webdav_host) === 0
        && strcmp($webdav_host, $GLOBALS['sys_default_domain']) !== 0
        && strcmp($webdav_host, $GLOBALS['sys_https_host']) !== 0;

    if (! $is_webdav_request) {
        parent::assertValidUrl($server);
        return;
    }

    if (! $this->isUsingSSL($server) && $GLOBALS['sys_force_ssl'] == 1) {
        $this->forbiddenError();
    }
}
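/**
 * Get a project repository by its id, checking that the user may see it.
 *
 * @param PFUser $user
 * @param int    $id
 *
 * @return GitRepository
 *
 * @throws GitRepoNotFoundException    when no repository has this id
 * @throws GitRepoNotReadableException when the user cannot read the repository
 * @throws Project_AccessException     when the user cannot access the project
 *                                     owning the repository
 */
public function getRepositoryByIdUserCanSee(PFUser $user, $id)
{
    // NOTE(review): loose comparison — with a non-numeric string $id this
    // behaves differently on PHP < 8 than on PHP 8; callers should pass an int.
    if ($id == GitRepositoryGitoliteAdmin::ID) {
        return new GitRepositoryGitoliteAdmin();
    }

    $dar        = $this->dao->searchProjectRepositoryById($id);
    $repository = $this->getRepositoryFromDar($dar);
    if ($repository === null) {
        throw new GitRepoNotFoundException();
    }

    // Project-level access first: the verifier throws on refusal and the
    // exception is meant to reach the caller unchanged, so no try/catch.
    $url_verification = new URLVerification();
    $url_verification->userCanAccessProject($user, $repository->getProject());

    // Then repository-level permission.
    if (! $repository->userCanRead($user)) {
        throw new GitRepoNotReadableException();
    }

    return $repository;
}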
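/**
 * Turn a raw ElasticSearch 1.2 response into result objects the current user
 * is allowed to see.
 *
 * Every hit is filtered in order: the project must exist, the current user
 * must be able to access it, the hit payload must pass the per-index
 * validator, and finally the item-level permission (wiki authorization or
 * artifact visibility) must hold.
 *
 * @param array $result Decoded ElasticSearch response
 *
 * @return array list of ElasticSearch_SearchResult* objects
 */
public function getSearchResults(array $result)
{
    $results = array();
    if (! isset($result['hits']['hits'])) {
        return $results;
    }

    $validator = new ElasticSearch_1_2_ResultValidator();
    $user      = $this->user_manager->getCurrentUser();

    foreach ($result['hits']['hits'] as $hit) {
        $project = $this->project_manager->getProject($this->extractGroupIdFromHit($hit));
        $index   = $this->extractIndexFromHit($hit);
        if ($project->isError()) {
            continue;
        }

        try {
            $this->url_verification->userCanAccessProject($user, $project);
        } catch (Project_AccessPrivateException $exception) {
            // Private projects are silently dropped from the results; any
            // other access exception propagates as before.
            continue;
        }

        switch ($index) {
            case fulltextsearchPlugin::SEARCH_DOCMAN_TYPE:
                // 'continue 2' targets the foreach: inside a switch a bare
                // 'continue' only acts as 'break' (and warns on PHP >= 7.3).
                if (! $validator->isDocmanResultValid($hit)) {
                    continue 2;
                }
                $results[] = new ElasticSearch_SearchResultDocman($hit, $project);
                break;

            case fulltextsearchPlugin::SEARCH_WIKI_TYPE:
                if (! $validator->isWikiResultValid($hit)) {
                    continue 2;
                }
                $wiki = new Wiki($project->getID());
                if ($wiki->isAutorized($user->getId())) {
                    $results[] = new ElasticSearch_SearchResultWiki($hit, $project);
                }
                break;

            case fulltextsearchPlugin::SEARCH_TRACKER_TYPE:
                if (! $validator->isArtifactResultValid($hit)) {
                    continue 2;
                }
                $artifact = Tracker_ArtifactFactory::instance()->getArtifactById($hit['fields']['id'][0]);
                // NOTE(review): the null guard assumes getArtifactById() returns
                // null for an index entry whose artifact is gone — confirm
                // against the factory.
                if ($artifact !== null && $artifact->userCanView($user)) {
                    $results[] = new ElasticSearch_SearchResultTracker($hit, $project, $artifact);
                }
                break;

            default:
                // Unknown index type: nothing to build for this hit.
                break;
        }
    }

    return $results;
}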
/**
 * Whether a restricted user may reach the given URL.
 *
 * This class adds no rule of its own: the decision is delegated to the
 * parent implementation and returned untouched.
 *
 * @param mixed $user        user being checked
 * @param mixed $url         URL being requested
 * @param mixed $request_uri raw request URI
 * @param mixed $script_name script handling the request
 *
 * @return mixed whatever the parent implementation returns
 */
public function restrictedUserCanAccessUrl($user, $url, $request_uri, $script_name)
{
    $parent_decision = parent::restrictedUserCanAccessUrl($user, $url, $request_uri, $script_name);

    return $parent_decision;
}
/**
 * An HTTPS request on a host that is neither the default domain nor the
 * HTTPS host must be redirected to the HTTPS host when SSL is forced.
 */
function testVerifyHostInvalidHostForceSslEquals1()
{
    $server = array(
        'HTTP_HOST'   => 'test.codendi.org',
        'SERVER_NAME' => 'test.codendi.org',
        'HTTPS'       => 'on',
        'SCRIPT_NAME' => '',
    );
    $GLOBALS['sys_force_ssl']      = 1;
    $GLOBALS['sys_default_domain'] = 'codendi.org';
    $GLOBALS['sys_https_host']     = 'secure.codendi.org';

    $url_verification = new URLVerification();
    $url_verification->verifyHost($server);
    $url_chunks = $url_verification->getUrlChunks();

    $this->assertEqual($url_chunks['host'], 'secure.codendi.org');
}
/**
 * Whether the request on this repository must come from an authenticated
 * user.
 *
 * Authentication is required as soon as one of these holds: the platform
 * requires a login for everything, the operation is a push, the repository
 * is not readable anonymously, or it lives in a private project.
 *
 * @param GitRepository $repository
 * @param Git_URL       $url
 *
 * @return bool
 */
private function needAuthentication(GitRepository $repository, Git_URL $url)
{
    if ($this->url_verification->doesPlatformRequireLogin()) {
        return true;
    }
    if ($this->isGitPush($url)) {
        return true;
    }
    if (! $this->canBeReadByAnonymous($repository)) {
        return true;
    }

    return (bool) $this->isInPrivateProject($repository);
}
/**
 * Always permit requests for localhost, or for api or soap scripts and for system tracker templates
 *
 * The case added by this class is the AJAX request fetching the default
 * tracker templates of the system project (group_id 100); everything else is
 * decided by the parent. Both the URI and the AJAX marker are supplied by the
 * client, so this exception is only as safe as the template page itself.
 *
 * @param Array $server
 *
 * @return Boolean
 */
function isException($server)
{
    $default_templates_uri = TRACKER_BASE_URL . '/index.php?group_id=100';
    $is_templates_request  = $server['REQUEST_URI'] == $default_templates_uri
        && HTTPRequest::instance()->isAjax();

    return $is_templates_request || parent::isException($server);
}
/**
 * Collect the e-mail addresses (and user names) to notify about a change of
 * the current page.
 *
 * $notify maps a page glob to an array of user name => preferences; every
 * glob matching $this->_pagename is considered. A user is kept only when the
 * platform account exists, can access the project, and is authorized on both
 * the wiki and the page; then the e-mail verification rules below decide.
 *
 * NOTE(review): the project, wiki and page used for the authorization checks
 * are built from $_REQUEST['group_id'] / $_REQUEST['pagename'], not from
 * $this->_pagename, and they are rebuilt for every user in the loop.
 *
 * @param array $notify notification table (page glob => user name => prefs)
 *
 * @return array two-element array: unique e-mails, unique user names
 */
function getPageChangeEmails($notify) {
    $emails = array();
    $userids = array();
    foreach ($notify as $page => $users) {
        if (glob_match($page, $this->_pagename)) {
            foreach ($users as $userid => $user) {
                $um = UserManager::instance();
                $dbUser = $um->getUserByUserName($userid);
                $wiki = new Wiki($_REQUEST['group_id']);
                $wp = new WikiPage($_REQUEST['group_id'], $_REQUEST['pagename']);
                $project = ProjectManager::instance()->getProject($_REQUEST['group_id']);
                $url_verifier = new URLVerification();
                $user_can_access_project = false;
                try {
                    // Unknown account => no access; the verifier throws on refusal.
                    $user_can_access_project = $dbUser !== null && $url_verifier->userCanAccessProject($dbUser, $project);
                } catch (Project_AccessException $e) {
                    // User lost access to the project: silently skipped.
                    continue;
                }
                if ($user_can_access_project && $wiki->isAutorized($dbUser->getId()) && $wp->isAutorized($dbUser->getId())) {
                    if (!$user) {
                        // handle the case for ModeratePage: no prefs, just userid's.
                        // NOTE(review): $prefs is loaded here but never used in this branch.
                        global $request;
                        $u = $request->getUser();
                        if ($u->UserName() == $userid) {
                            $prefs = $u->getPreferences();
                        } else {
                            // not current user
                            if (ENABLE_USER_NEW) {
                                $u = WikiUser($userid);
                                $u->getPreferences();
                                $prefs =& $u->_prefs;
                            } else {
                                $u = new WikiUser($GLOBALS['request'], $userid);
                                $prefs = $u->getPreferences();
                            }
                        }
                        $emails[] = user_getemail_from_unix($userid);
                        $userids[] = $userid;
                    } else {
                        if (!empty($user['verified']) and !empty($user['email'])) {
                            // Already verified: notify directly.
                            $emails[] = user_getemail_from_unix($userid);
                            $userids[] = $userid;
                        } elseif (!empty($user['email'])) {
                            global $request;
                            // do a dynamic emailVerified check update
                            $u = $request->getUser();
                            if ($u->UserName() == $userid) {
                                if ($request->_prefs->get('emailVerified')) {
                                    $emails[] = user_getemail_from_unix($userid);
                                    $userids[] = $userid;
                                    // Persist the verified flag so the next run takes the fast path.
                                    $notify[$page][$userid]['verified'] = 1;
                                    $request->_dbi->set('notify', $notify);
                                }
                            } else {
                                // not current user
                                if (ENABLE_USER_NEW) {
                                    $u = WikiUser($userid);
                                    $u->getPreferences();
                                    $prefs =& $u->_prefs;
                                } else {
                                    $u = new WikiUser($GLOBALS['request'], $userid);
                                    $prefs = $u->getPreferences();
                                }
                                if ($prefs->get('emailVerified')) {
                                    $emails[] = user_getemail_from_unix($userid);
                                    $userids[] = $userid;
                                    $notify[$page][$userid]['verified'] = 1;
                                    $request->_dbi->set('notify', $notify);
                                }
                            }
                        }
                        // ignore verification
                        /* if (DEBUG) { if (!in_array($user['email'],$emails)) $emails[] = $user['email']; } */
                    }
                }
            }
        }
    }
    $emails = array_unique($emails);
    $userids = array_unique($userids);
    return array($emails, $userids);
}
require 'pre.php'; $hp = Codendi_HTMLPurifier::instance(); $vPv = new Valid_Pv(); if ($request->valid($vPv) && $request->get('pv') == 2) { $pv = 2; $HTML->pv_header(array()); } else { $pv = 0; site_header(array('title' => $Language->getText('my_redirect', 'page_title'))); } $vReturnTo = new Valid_String('return_to'); $vReturnTo->required(); if ($request->valid($vReturnTo)) { // Re-serialize feedback to display it on the 'return_to' page. $HTML->_serializeFeedback(); $url_verifier = new URLVerification(); $return_url = '/'; if ($url_verifier->isInternal($request->get('return_to'))) { $return_url = $request->get('return_to'); } $redirect = $Language->getText('my_redirect', 'return_to', array($hp->purify($return_url, CODENDI_PURIFIER_CONVERT_HTML))); print ' <script type="text/javascript"> function return_to_url() { window.location="' . $hp->purify($return_url, CODENDI_PURIFIER_JS_QUOTE) . '"; } setTimeout("return_to_url()",1000); </script> '; } else {