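/**
 * Checks if the user is allowed to access the given module.
 *
 * Order of checks: the access-denied action itself is never checked (it has to
 * stay reachable after a forward). Unless the realm skips its security checks
 * for the current user, module access and then the ACL permissions are
 * verified; the controller-specific customAccessCheck() runs in every case,
 * including for users for whom the realm skips its own checks.
 *
 * @return mixed true for the unchecked access-denied action, the result of
 *               _forward() when a check fails, null when access is granted
 */
protected function checkAccessModulePermissions()
{
    $logger = $this->getLogger();
    $module = $this->_request->getModuleName();
    $action = $this->_request->getActionName();

    // Strict comparison: both sides are strings, no loose-equality surprises.
    if ($action === self::ACCESS_DENIED_ACTION) {
        $logger->debug("forwarding to unchecked action {$module} ({$action})");
        return true;
    }

    $logger->debug("starting authorization check for module '{$module}'");

    $realm = Opus_Security_Realm::getInstance();

    if (!$realm->skipSecurityChecks()) {
        // Check, if the user has access to the module...
        if (true !== $realm->checkModule($module)) {
            $logger->debug("FAILED authorization check for module '{$module}'");
            return $this->_forward(self::ACCESS_DENIED_ACTION);
        }

        // Check, if the user has the right permission...
        if (true !== $this->checkPermissions()) {
            $logger->debug("FAILED authorization through ACLs");
            return $this->_forward(self::ACCESS_DENIED_ACTION);
        }
    }

    // Check, controller-specific constraints (also for users with skipped realm checks)...
    if (true !== $this->customAccessCheck()) {
        $logger->debug("FAILED custom authorization check for module '{$module}'");
        return $this->_forward(self::ACCESS_DENIED_ACTION);
    }

    $logger->debug("authorization check for module '{$module}' successful");
    return;
}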
/**
 * Decides whether the current user may see the document.
 *
 * Published documents are always readable. Otherwise the realm must grant
 * access to this document id, or the user must be allowed to access
 * 'documents' via the accessControl helper.
 *
 * @return boolean
 */
private function checkPermission()
{
    $document = $this->_document;

    if ('published' === $document->getServerState()) {
        return true;
    }

    $accessControl = Zend_Controller_Action_HelperBroker::getStaticHelper('accessControl');

    if (Opus_Security_Realm::getInstance()->checkDocument($document->getId())) {
        return true;
    }

    return (bool) $accessControl->accessAllowed('documents');
}
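/**
 * Collects the files of the document that may be delivered to the current user.
 *
 * Access rules, in order:
 *  - users for whom the realm skips security checks pass the document check;
 *  - everyone else may only reach an unpublished document if the realm grants
 *    access to the document id;
 *  - a file is included only if it is readable on disk, visible in OAI and the
 *    realm grants access to the file id.
 *
 * @return array All associated Opus_File objects that are visible in OAI and accessible by user
 * @throws Oai_Model_Exception if the document is forbidden, has no readable
 *         files, or none of the readable files is accessible
 */
private function getAccessibleFiles()
{
    $realm = Opus_Security_Realm::getInstance();

    // Administrators are always let through; other users only when the document
    // is published (access to the module itself may still be restricted).
    if (!$realm->skipSecurityChecks() && $this->doc->getServerState() !== 'published') {
        // Not published: the realm has to grant access to this document.
        if (!$realm->checkDocument($this->docId)) {
            $this->logErrorMessage('document id =' . $this->docId . ' is not published and access is not allowed for current user');
            throw new Oai_Model_Exception('access to requested document is forbidden');
        }
    }

    // Keep only files that actually exist and are readable on disk.
    $files = array();
    foreach ($this->doc->getFile() as $file) {
        $filename = $this->getFilesPath() . $this->docId . DIRECTORY_SEPARATOR . $file->getPathName();
        if (is_readable($filename)) {
            $files[] = $file;
        } else {
            $this->logErrorMessage("skip non-readable file {$filename}");
        }
    }

    if (empty($files)) {
        $this->logErrorMessage('document with id ' . $this->docId . ' does not have any associated files');
        throw new Oai_Model_Exception('requested document does not have any associated readable files');
    }

    // Second filter: OAI visibility flag and per-file realm check.
    $containerFiles = array();
    foreach ($files as $file) {
        if ($file->getVisibleInOai() && $realm->checkFile($file->getId())) {
            $containerFiles[] = $file;
        }
    }

    if (empty($containerFiles)) {
        $this->logErrorMessage('document with id ' . $this->docId . ' does not have associated files that are accessible');
        throw new Oai_Model_Exception('access denied on all files that are associated to the requested document');
    }

    return $containerFiles;
}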
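/**
 * Exports the search result as XML, transformed by a user-defined stylesheet.
 *
 * Request parameters:
 *  - export: mandatory, only 'xml' is supported;
 *  - stylesheet: name of a stylesheet below 'stylesheets-custom'. Mandatory
 *    for everyone except users with access to the 'admin' module, who may see
 *    the raw output without a stylesheet.
 *
 * @throws Application_Exception on a missing or unsupported export format, or
 *         a missing stylesheet parameter for non-administrators
 */
public function indexAction()
{
    $request = $this->getRequest();

    $exportParam = $request->getParam('export');
    if (is_null($exportParam)) {
        throw new Application_Exception('export format is not specified');
    }

    // currently only xml is supported here
    if ($exportParam !== 'xml') {
        // separator added so the message reads "... not supported: foo" rather than "... not supportedfoo"
        throw new Application_Exception('export format is not supported: ' . $exportParam);
    }

    $stylesheet = $request->getParam('stylesheet');

    // parameter stylesheet is mandatory (only administrator is able to see raw output)
    // non-administrative users can only reference user-defined stylesheets
    if (is_null($stylesheet) && !Opus_Security_Realm::getInstance()->checkModule('admin')) {
        throw new Application_Exception('missing parameter stylesheet');
    }

    // NOTE(review): the stylesheet name is untrusted request input and is handed
    // to buildStylesheetPath() unchanged; that method is relied on to confine the
    // resulting path to the stylesheet directory — confirm there.
    $this->stylesheet = $stylesheet;
    $this->stylesheetDirectory = 'stylesheets-custom';

    $this->loadStyleSheet($this->exportModel->buildStylesheetPath(
        $this->stylesheet,
        $this->view->getScriptPath('') . $this->stylesheetDirectory
    ));

    $this->exportModel->prepareXml($this->_xml, $this->_proc, $request);
}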
/**
 * Delivers a single file of a document as an attachment.
 *
 * Document id and file path come from the request; the realm is passed to the
 * file model, which decides whether the file may be delivered. Delivery errors
 * are rendered through handleDeliveryError(); a failure while streaming the
 * file results in an empty 500 response.
 */
public function indexAction()
{
    $docId = $this->_getParam('docId', null);
    $path = $this->_getParam('file', null);
    $realm = Opus_Security_Realm::getInstance();

    try {
        $fileModel = new Frontdoor_Model_File($docId, $path);
        $fileObject = $fileModel->getFileObject($realm);
    } catch (Frontdoor_Model_FrontdoorDeliveryException $e) {
        $this->handleDeliveryError($e);
        return;
    }

    if (!$fileObject->exists()) {
        $this->handleDeliveryError(new Frontdoor_Model_FileNotFoundException());
        return;
    }

    $fullFilename = $fileObject->getPath();
    // Only the base name is exposed in the header; quoteFileName() prepares it
    // for the quoted filename value.
    $attachmentName = self::quoteFileName(basename($fullFilename));

    $this->disableViewRendering();

    $response = $this->getResponse();
    $response->clearAllHeaders();
    $response->setHeader('Content-Disposition', 'attachment; filename="' . $attachmentName . '"', true);
    $response->setHeader('Content-type', $fileObject->getMimeType(), true);
    $response->setHeader('Cache-Control', 'private', true);
    $response->setHeader('Pragma', 'cache', true);

    $this->_helper->SendFile->setLogger(Zend_Registry::get('Zend_Log'));

    try {
        $this->_helper->SendFile($fullFilename);
    } catch (Exception $e) {
        $this->logError($e);
        // Nothing usable can be sent any more: reset headers and body, answer 500.
        $response->clearAllHeaders();
        $response->clearBody();
        $response->setHttpResponseCode(500);
    }
}
/**
 * Set up Opus_Navigation.
 *
 * Removes menu entries the current user must not see: the review link is
 * dropped for users without access to the 'review' module and for users with
 * access to 'admin' (they reach the review pages through the administration);
 * the admin link is dropped for everyone without access to the 'admin' module.
 *
 * @param Zend_Controller_Request_Abstract $request The current request.
 * @return void
 */
public function routeStartup(Zend_Controller_Request_Abstract $request)
{
    $navigation = Zend_Registry::get('Opus_Navigation');
    if (empty($navigation)) {
        return;
    }

    $realm = Opus_Security_Realm::getInstance();

    // Review link only for users who may access 'review' but not 'admin'.
    if ($realm->checkModule('admin') || !$realm->checkModule('review')) {
        $reviewPage = $navigation->findBy('label', 'review_menu_label');
        $navigation->removePage($reviewPage);
    }

    // Admin link only for users who may access 'admin'.
    if (!$realm->checkModule('admin')) {
        $adminPage = $navigation->findBy('label', 'admin_menu_label');
        $navigation->removePage($adminPage);
    }
}
/**
 * Returns a Zend_Acl object for the current user.
 *
 * The realm is fed with the client address (only when it contains no ':',
 * i.e. not an IPv6 address) and with the authenticated identity, if any. The
 * roles the realm reports become the parents of the per-user role
 * self::ACTIVE_ROLE.
 *
 * @return Zend_Acl
 */
public function getAcls()
{
    $logger = $this->getLogger();

    $acl = new Zend_Acl();
    $this->loadResources($acl);

    $realm = Opus_Security_Realm::getInstance();

    // Addresses containing ':' are skipped.
    if (isset($_SERVER['REMOTE_ADDR']) && preg_match('/:/', $_SERVER['REMOTE_ADDR']) === 0) {
        $realm->setIp($_SERVER['REMOTE_ADDR']);
    }

    $user = Zend_Auth::getInstance()->getIdentity();
    if ($user !== null) {
        $realm->setUser($user);
    }

    $parents = $realm->getRoles();
    $this->loadRoles($acl, $parents);

    // Role for the current user is created on the fly, with the realm roles as parents.
    if (Zend_Registry::get('LOG_LEVEL') >= Zend_Log::DEBUG) {
        $logger->debug(sprintf("ACL: Create role '%s' with parents (%s)", $user, implode(", ", $parents)));
    }

    $acl->addRole(new Zend_Acl_Role(self::ACTIVE_ROLE), $parents);

    return $acl;
}
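/**
 * Determine the current User's security role and set up Opus_Security_Realm.
 *
 * The realm is reset to "no user, no IP" first, so nothing from an earlier
 * state carries over. If a user is logged on but the realm rejects the
 * identity, the login is cleared before the error is rethrown, so the request
 * does not continue with a half-initialised realm.
 *
 * @param Zend_Controller_Request_Abstract $request The current request.
 * @return void
 * @throws Exception when the realm rejects the authenticated identity
 */
public function routeStartup(Zend_Controller_Request_Abstract $request)
{
    // Create a Realm instance. Initialize privileges to empty.
    $realm = Opus_Security_Realm::getInstance();
    $realm->setUser(null);
    $realm->setIp(null);

    // Overwrite default user if current user is logged on.
    $auth = Zend_Auth::getInstance();
    $identity = $auth->getIdentity();
    if (!empty($identity)) {
        try {
            $realm->setUser($identity);
        } catch (Exception $e) {
            $auth->clearIdentity();
            // Keep message and code and chain the original exception as 'previous'
            // instead of stringifying it into the new message.
            throw new Exception($e->getMessage(), (int) $e->getCode(), $e);
        }
    }

    // OPUS_Security does not support IPv6. Skip setting IP address, if
    // IPv6 address has been detected. This means, that authentication by
    // IPv6 address does not work, but username-password still does.
    if (isset($_SERVER['REMOTE_ADDR']) && preg_match('/:/', $_SERVER['REMOTE_ADDR']) === 0) {
        $realm->setIp($_SERVER['REMOTE_ADDR']);
    }
}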
/**
 * Shows a confirmation for the user, when the publication process is
 * finished.
 *
 * Without a document id in the session the action was called directly and
 * redirects to the index page. The frontdoor link is offered only if the
 * realm grants 'clearance' or the accessControl helper allows 'documents'.
 * The deposit session is cleared afterwards.
 */
public function confirmAction()
{
    $documentId = $this->session->depositConfirmDocumentId;

    // Called directly, not at the end of a deposit: go back to the start.
    if ($documentId === null) {
        return $this->_redirectToAndExit('index', null, 'index');
    }

    $this->view->docId = $documentId;

    $accessControl = Zend_Controller_Action_HelperBroker::getStaticHelper('accessControl');
    $hasClearance = Opus_Security_Realm::getInstance()->check('clearance') === true;

    if ($hasClearance || $accessControl->accessAllowed('documents') === true) {
        $this->view->showFrontdoor = true;
    }

    // Drop everything stored for the publish workflow.
    $this->session->unsetAll();
}
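* Foundation; either version 2 of the Licence, or any later version.
 *
 * OPUS is distributed in the hope that it will be useful, but WITHOUT ANY
 * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
 * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
 * details. You should have received a copy of the GNU General Public License
 * along with OPUS; if not, write to the Free Software Foundation, Inc., 51
 * Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
 *
 * @category    Application
 * @author      Pascal-Nicolas Becker <*****@*****.**>
 * @author      Ralf Claussnitzer <*****@*****.**>
 * @author      Thoralf Klein <*****@*****.**>
 * @author      Felix Ostrowski <*****@*****.**>
 * @copyright   Copyright (c) 2009-2010, OPUS 4 development team
 * @license     http://www.gnu.org/licenses/gpl.html General Public License
 * @version     $Id: console.php 8423 2011-05-27 16:58:20Z sszott $
 */

// Interactive developer console: every line typed at the prompt is passed to
// eval() and runs with the full privileges of the application. This is
// security-sensitive by design and only suitable for a trusted local shell;
// it must never be fed input that does not come from the operator's terminal.

$config = Zend_Registry::get('Zend_Config');

if ($config->security !== '0') {
    // setup realm; kept as a local so it is available to eval()'d input
    $realm = Opus_Security_Realm::getInstance();
}

while (true) {
    $input = readline('opus> ');

    // readline() returns false on EOF (e.g. Ctrl-D): leave the loop instead
    // of evaluating an empty statement forever.
    if ($input === false) {
        break;
    }

    readline_add_history($input);

    try {
        eval($input);
    } catch (Exception $e) {
        echo 'Caught exception ' . get_class($e) . ': ' . $e->getMessage() . "\n"
            . $e->getTraceAsString() . "\n";
    }
}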
/**
 * Returns the configured frontdoor export stylesheet.
 *
 * The value is exposed only if the current user may access the 'export'
 * module; otherwise, or if nothing is configured, an empty string is returned.
 *
 * @return string
 */
public static function getStylesheet()
{
    $config = Zend_Registry::get('Zend_Config');

    if (!isset($config->export->stylesheet->frontdoor)) {
        return '';
    }

    if (!Opus_Security_Realm::getInstance()->checkModule('export')) {
        return '';
    }

    return $config->export->stylesheet->frontdoor;
}
/**
 * The export functionality should not be present for guests.
 *
 * With security enabled and a search stylesheet configured, a guest must not
 * have access to the 'export' module and the export link must not be rendered.
 */
public function testXmlExportButtonNotPresentForGuest()
{
    $this->enableSecurity();

    $stylesheetConfig = new Zend_Config(array(
        'export' => array('stylesheet' => array('search' => 'example')),
    ));
    Zend_Registry::get('Zend_Config')->merge($stylesheetConfig);

    $this->dispatch('/solrsearch/index/search/searchtype/all');

    $this->assertFalse(Opus_Security_Realm::getInstance()->checkModule('export'));
    $this->assertNotQuery('//a[@href="/solrsearch/index/search/searchtype/all/export/xml/stylesheet/example"]');
}
/**
 * Delivers the singleton instance.
 *
 * Uses late static binding, so getInstance() called on a subclass creates an
 * instance of that subclass; the instance is shared through self::$instance.
 *
 * @return Opus_Security_Realm
 */
public static final function getInstance()
{
    if (self::$instance === null) {
        self::$instance = new static();
    }

    return self::$instance;
}
/**
 * Logs the current user out: clears the Zend_Auth identity and resets the
 * realm so that neither user- nor IP-based privileges remain.
 */
public function logoutUser()
{
    $auth = Zend_Auth::getInstance();
    if ($auth !== null) {
        $auth->clearIdentity();
    }

    $realm = Opus_Security_Realm::getInstance();
    $realm->setUser(null);
    $realm->setIp(null);
}
/**
 * Return view helper output. Depending on whether a user is logged on, a login
 * link or a logout link is returned respectively.
 *
 * For a logged-in user the logout link shows the identity (HTML-escaped) and,
 * if the user may access the 'account' module and account.editOwnAccount is
 * configured, a link to the account module is prepended.
 *
 * @return string
 */
public function __toString()
{
    $returnParams = Zend_Controller_Action_HelperBroker::getStaticHelper('ReturnParams');
    $identity = Zend_Auth::getInstance()->getIdentity();

    if (empty($identity)) {
        $loginUrl = $this->view->url(array_merge($this->_login_url, $returnParams->getReturnParameters()));
        return '<a rel="nofollow" href="' . $loginUrl . '">' . $this->view->translate('default_auth_index') . '</a>';
    }

    // Account link only for users with access to the account module, and only
    // if the configuration allows editing the own account.
    $addAccountLink = false;
    $realm = Opus_Security_Realm::getInstance();
    if ($realm->checkModule('account')) {
        $config = Zend_Registry::get('Zend_Config');
        if (isset($config) && isset($config->account->editOwnAccount)) {
            $addAccountLink = $config->account->editOwnAccount;
        }
    }

    $logoutUrl = $this->view->url(array_merge($this->_logout_url, $returnParams->getReturnParameters()));
    // The identity is user-controlled text and is escaped before it goes into the markup.
    $logoutLink = '<a rel="nofollow" href="' . $logoutUrl . '">'
        . $this->view->translate('default_auth_logout') . ' (' . htmlspecialchars($identity) . ')</a>';

    if (!$addAccountLink) {
        return $logoutLink;
    }

    $accountUrl = $this->view->url(array('module' => 'account'), null, true);

    return '<a rel="nofollow" style="padding-right: 1em" href="' . $accountUrl . '">'
        . $this->view->translate('default_auth_account') . '</a> ' . $logoutLink;
}
/**
 * Checks that the user logged in by "testLoginAdmin" is no longer logged in.
 *
 * Regression test for OPUSVIER-3283
 */
public function testTearDownDidLogout()
{
    $this->enableSecurity();

    $roles = Opus_Security_Realm::getInstance()->getRoles();

    $this->assertNotContains('administrator', $roles);
}
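/**
 * Runs a search and renders the result list (or the no-hits page).
 *
 * A searchtype of the form "latest/export/<format>/stylesheet/<name>" is a
 * mis-parsed export URL and is redirected to the export module, as is any
 * request carrying an 'export' parameter. The export stylesheet is only
 * offered to users who may access the 'export' module.
 */
public function searchAction()
{
    $request = $this->getRequest();
    $searchType = $request->getParam('searchtype');

    // TODO OPUSVIER-3324 remove the mixed form in the URL
    // check if searchtype = latest and params parsed incorrect
    if (strpos((string) $searchType, 'latest/export') !== false) {
        $paramArray = explode('/', $searchType);
        $params = $request->getParams();
        $params['searchtype'] = 'latest';
        // guard the offsets: a shorter URL must not raise undefined-offset notices
        $params['export'] = isset($paramArray[2]) ? $paramArray[2] : null;
        $params['stylesheet'] = isset($paramArray[4]) ? $paramArray[4] : null;
        return $this->redirectToExport($params);
    }

    if (!is_null($request->getParam('export'))) {
        $params = $request->getParams();
        // export module ignores pagination parameters
        return $this->redirectToExport($params);
    }

    $config = Zend_Registry::get('Zend_Config');
    if (isset($config->export->stylesheet->search) && Opus_Security_Realm::getInstance()->checkModule('export')) {
        $this->view->stylesheet = $config->export->stylesheet->search;
    }

    $this->query = $this->buildQuery();
    $this->performSearch();
    $this->setViewValues();
    $this->setViewFacets();
    $this->setLinkRelCanonical();

    if ($this->numOfHits === 0 || $this->query->getStart() >= $this->numOfHits) {
        $this->render('nohits');
    } else {
        $this->render('results');
    }
}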
/**
 * Prepare document finder.
 *
 * The finder is restricted to documents in the review server state. Users
 * with access to 'admin' or 'review' see all of them; the restriction of a
 * reviewer to documents carrying their user id in the 'reviewer.user_id'
 * enrichment is wired up but switched off by the local toggle. Anyone else
 * is refused.
 *
 * @return Opus_DocumentFinder
 * @throws Application_Exception if the user may access neither 'admin' nor 'review'
 */
protected function _prepareDocumentFinder()
{
    $finder = new Opus_DocumentFinder();
    $finder->setServerState(self::$_reviewServerState);

    $logger = $this->getLogger();
    $userId = $this->_loggedUser->getUserId();
    $realm = Opus_Security_Realm::getInstance();

    // Toggle for limiting reviewers to "their" documents; currently off.
    $onlyReviewerByUserId = false;

    if ($realm->checkModule('admin')) {
        $logger->debug("Review: Showing all unpublished documents to admin (user_id: {$userId})");
        return $finder;
    }

    if (!$realm->checkModule('review')) {
        $message = 'Review: Access to unpublished documents denied.';
        $logger->err($message . " (user_id: {$userId})");
        throw new Application_Exception($message);
    }

    if ($onlyReviewerByUserId) {
        $finder->setEnrichmentKeyValue('reviewer.user_id', $userId);
        $logger->debug("Review: Showing only documents belonging to reviewer (user_id: {$userId})");
    } else {
        $logger->debug("Review: Showing all unpublished documents to reviewer (user_id: {$userId})");
    }

    return $finder;
}
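/**
 * Checks the availability of a metadataPrefix.
 *
 * Available prefixes are the *.xslt files in the metadata prefix directory
 * plus the 'xMetaDissPlus' spelling; 'copy_xml' is only offered to users with
 * access to the 'admin' module. On failure the OAI error code and message are
 * set on this object.
 *
 * @param mixed $oaiMetadataPrefix value of the metadataPrefix request parameter
 * @return boolean
 */
private function _validateMetadataPrefix($oaiMetadataPrefix)
{
    // we assuming that a metadata prefix file ends with xslt
    $possibleFiles = glob($this->_pathToMetadataPrefixFiles . DIRECTORY_SEPARATOR . '*.xslt');

    // we support both spellings, xMetaDissPlus and XMetaDissPlus TODO really?
    $availableMetadataPrefixes = array('xMetaDissPlus');

    // glob() may return false on error; treat that like "no files".
    if (is_array($possibleFiles)) {
        foreach ($possibleFiles as $prefixFile) {
            $availableMetadataPrefixes[] = basename($prefixFile, '.xslt');
        }
    }

    // only administrators can request copy_xml format
    if (!Opus_Security_Realm::getInstance()->checkModule('admin')) {
        $availableMetadataPrefixes = array_diff($availableMetadataPrefixes, array('copy_xml'));
    }

    // Strict, string-only membership test: the parameter is untrusted request
    // input, and a loose in_array() would accept type-juggled matches.
    $result = is_string($oaiMetadataPrefix)
        && in_array($oaiMetadataPrefix, $availableMetadataPrefixes, true);

    if (false === $result) {
        // MetadataPrefix not available.
        $this->setErrorCode(Oai_Model_Error::CANNOTDISSEMINATEFORMAT);
        $this->setErrorMessage('The metadata format "' . $oaiMetadataPrefix . '" given by metadataPrefix is not supported by the item or this repository.');
    }

    return $result;
}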
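/**
 * Runs a search and renders the result list (or the no-hits page).
 *
 * Three redirect cases are handled first: a Reset request on the advanced or
 * author search form, a mis-parsed "latest/export/..." searchtype, and an
 * explicit 'export' parameter. The export stylesheet is only offered to users
 * with access to the 'export' module. When buildQuery() returns null a
 * redirect has already been set and nothing is rendered.
 */
public function searchAction()
{
    $searchType = $this->getParam('searchtype');
    $request = $this->getRequest();

    if (in_array($searchType, array('advanced', 'authorsearch'), true) && !is_null($this->getParam('Reset'))) {
        $this->_redirectTo('advanced', null, 'index', 'solrsearch');
        return;
    }

    // TODO OPUSVIER-3324 remove the mixed form in the URL
    // check if searchtype = latest and params parsed incorrect
    if (strpos((string) $searchType, 'latest/export') !== false) {
        $paramArray = explode('/', $searchType);
        $params = $request->getParams();
        $params['searchtype'] = 'latest';
        // guard the offsets: a shorter URL must not raise undefined-offset notices
        $params['export'] = isset($paramArray[2]) ? $paramArray[2] : null;
        $params['stylesheet'] = isset($paramArray[4]) ? $paramArray[4] : null;
        $this->redirectToExport($params);
        return;
    }

    if (!is_null($request->getParam('export'))) {
        $params = $request->getParams();
        // export module ignores pagination parameters
        $this->redirectToExport($params);
        return;
    }

    // TODO does the following make sense after the above?
    $config = $this->getConfig();
    if (isset($config->export->stylesheet->search) && Opus_Security_Realm::getInstance()->checkModule('export')) {
        $this->view->stylesheet = $config->export->stylesheet->search;
    }

    $query = $this->buildQuery();

    // if query is null, redirect has already been set
    if (is_null($query)) {
        return;
    }

    $this->_query = $query;
    $this->performSearch();
    $this->setViewValues();

    $this->_facetMenu->prepareViewFacets($this->_resultList, $this->getRequest());
    $this->view->facets = $this->_facetMenu->getFacets();
    $this->view->selectedFacets = $this->_facetMenu->getSelectedFacets();
    $this->view->facetNumberContainer = $this->_facetMenu->getFacetNumberContainer();
    $this->view->showFacetExtender = $this->_facetMenu->getShowFacetExtender();

    $this->setLinkRelCanonical();

    switch ($searchType) {
        case 'advanced':
        case 'authorsearch':
            $form = new Solrsearch_Form_AdvancedSearch($searchType);
            $form->populate($this->getAllParams());
            $form->setAction($this->view->url(
                array('module' => 'solrsearch', 'controller' => 'dispatch', 'action' => 'index'),
                null,
                true
            ));
            $this->view->form = $form;
            break;
        case 'latest':
            $form = new Solrsearch_Form_Options();
            $form->setMethod(Zend_Form::METHOD_GET);
            $form->setAction($this->view->url(
                array('module' => 'solrsearch', 'controller' => 'index', 'action' => 'search'),
                null,
                true
            ));
            $form->populate($this->getAllParams());
            $this->view->form = $form;
            break;
        default:
            break;
    }

    if ($this->_numOfHits === 0 || $this->_query->getStart() >= $this->_numOfHits) {
        $this->render('nohits');
    } else {
        $this->render('results');
    }
}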