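/**
  * Checks if the user is allowed to access the given module.
  *
  * The check is a chain: unless the realm says security checks may be skipped,
  * the user needs access to the module and must pass the ACL check
  * (checkPermissions()); the controller-specific customAccessCheck() runs in
  * every case. Any failed check forwards to ACCESS_DENIED_ACTION. A request
  * that already targets that action is let through unchecked (presumably so
  * the forward itself is not checked again).
  *
  * @return mixed true when the request targets the access-denied action,
  *               the result of _forward() when a check failed, null otherwise
  */
 protected function checkAccessModulePermissions()
 {
     $logger = $this->getLogger();
     $module = $this->_request->getModuleName();
     $action = $this->_request->getActionName();
     // Strict comparison: action names are strings, no type juggling wanted here.
     if ($action === self::ACCESS_DENIED_ACTION) {
         $logger->debug("forwarding to unchecked action {$module} ({$action})");
         return true;
     }
     $logger->debug("starting authorization check for module '{$module}'");
     $realm = Opus_Security_Realm::getInstance();
     if (!$realm->skipSecurityChecks()) {
         // Is the user allowed to access the module at all?
         if (true !== $realm->checkModule($module)) {
             $logger->debug("FAILED authorization check for module '{$module}'");
             return $this->_forward(self::ACCESS_DENIED_ACTION);
         }
         // Does the user hold the permission required by the ACLs?
         if (true !== $this->checkPermissions()) {
             $logger->debug("FAILED authorization through ACLs");
             return $this->_forward(self::ACCESS_DENIED_ACTION);
         }
     }
     // Controller-specific constraints apply even when the generic checks are skipped.
     if (true !== $this->customAccessCheck()) {
         $logger->debug("FAILED custom authorization check for module '{$module}'");
         return $this->_forward(self::ACCESS_DENIED_ACTION);
     }
     $logger->debug("authorization check for module '{$module}' successful");
     return;
 }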
 /**
  * Tells whether the current user may see the document held in $this->_document.
  *
  * Published documents are always visible. Otherwise the document itself must be
  * granted by the security realm, or the user must be allowed to access 'documents'
  * according to the accessControl helper.
  *
  * @return boolean
  */
 private function checkPermission()
 {
     $document = $this->_document;
     if ('published' === $document->getServerState()) {
         return true;
     }
     $accessControl = Zend_Controller_Action_HelperBroker::getStaticHelper('accessControl');
     $realm = Opus_Security_Realm::getInstance();
     if ($realm->checkDocument($document->getId())) {
         return true;
     }
     return (bool) $accessControl->accessAllowed('documents');
 }
 /**
  * Collects the files of the current document that may be delivered via OAI.
  *
  * Unless security checks are skipped (administrators), a document that is not
  * published must be granted to the current user by the security realm. Of the
  * document's files only those that are readable on disk, flagged visible in OAI
  * and granted by the realm's file check are returned.
  *
  * @return array All associated Opus_File objects that are visible in OAI and accessible by user
  * @throws Oai_Model_Exception if the document is forbidden for the user, has no
  *                             readable file, or none of its readable files is accessible
  */
 private function getAccessibleFiles()
 {
     $realm = Opus_Security_Realm::getInstance();
     // Administrators always pass. Other users only pass if the document is published
     // (module access may still be restricted) or explicitly granted to them.
     if (!$realm->skipSecurityChecks()
         && $this->doc->getServerState() !== 'published'
         && !$realm->checkDocument($this->docId)) {
         $this->logErrorMessage('document id =' . $this->docId . ' is not published and access is not allowed for current user');
         throw new Oai_Model_Exception('access to requested document is forbidden');
     }
     // First pass: keep only files that actually exist and are readable on disk.
     $readableFiles = array();
     foreach ($this->doc->getFile() as $file) {
         $filename = $this->getFilesPath() . $this->docId . DIRECTORY_SEPARATOR . $file->getPathName();
         if (!is_readable($filename)) {
             $this->logErrorMessage("skip non-readable file {$filename}");
             continue;
         }
         $readableFiles[] = $file;
     }
     if (empty($readableFiles)) {
         $this->logErrorMessage('document with id ' . $this->docId . ' does not have any associated files');
         throw new Oai_Model_Exception('requested document does not have any associated readable files');
     }
     // Second pass: apply OAI visibility and the per-file permission check.
     $accessibleFiles = array();
     foreach ($readableFiles as $file) {
         if (!$file->getVisibleInOai()) {
             continue;
         }
         if (!$realm->checkFile($file->getId())) {
             continue;
         }
         $accessibleFiles[] = $file;
     }
     if (empty($accessibleFiles)) {
         $this->logErrorMessage('document with id ' . $this->docId . ' does not have associated files that are accessible');
         throw new Oai_Model_Exception('access denied on all files that are associated to the requested document');
     }
     return $accessibleFiles;
 }
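 /**
  * Exports the current request as XML, transformed by a user-selected stylesheet.
  *
  * Only the 'xml' export format is supported. The 'stylesheet' parameter is
  * mandatory for everybody except users with access to the 'admin' module, who
  * may also request the untransformed output. Stylesheets are resolved below the
  * 'stylesheets-custom' directory of the view script path.
  *
  * @return void
  * @throws Application_Exception if the format is missing or unsupported, or the
  *                               stylesheet parameter is missing for a non-admin
  */
 public function indexAction()
 {
     $request = $this->getRequest();
     $exportParam = $request->getParam('export');
     if (is_null($exportParam)) {
         throw new Application_Exception('export format is not specified');
     }
     // currently only xml is supported here
     if ($exportParam !== 'xml') {
         // Separator added: the message used to run the text and the value together.
         throw new Application_Exception('export format is not supported: ' . $exportParam);
     }
     // parameter stylesheet is mandatory (only administrator is able to see raw output)
     // non-administrative users can only reference user-defined stylesheets
     $stylesheet = $request->getParam('stylesheet');
     if (is_null($stylesheet) && !Opus_Security_Realm::getInstance()->checkModule('admin')) {
         throw new Application_Exception('missing parameter stylesheet');
     }
     $this->stylesheet = $stylesheet;
     $this->stylesheetDirectory = 'stylesheets-custom';
     // NOTE(review): $stylesheet is request-controlled and ends up in a file path;
     // buildStylesheetPath() is expected to confine it to the stylesheet directory — confirm.
     $stylesheetPath = $this->exportModel->buildStylesheetPath(
         $this->stylesheet,
         $this->view->getScriptPath('') . $this->stylesheetDirectory
     );
     $this->loadStyleSheet($stylesheetPath);
     $this->exportModel->prepareXml($this->_xml, $this->_proc, $request);
 }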
 /**
  * Delivers the requested file of a document as an attachment download.
  *
  * The file is resolved through Frontdoor_Model_File against the security realm.
  * Delivery errors are routed to handleDeliveryError(), a file missing on disk is
  * reported as Frontdoor_Model_FileNotFoundException, and a failure while sending
  * is logged and answered with an empty 500 response.
  *
  * @return void
  */
 public function indexAction()
 {
     $docId = $this->_getParam('docId', null);
     $path = $this->_getParam('file', null);
     $realm = Opus_Security_Realm::getInstance();
     try {
         $fileModel = new Frontdoor_Model_File($docId, $path);
         $fileObject = $fileModel->getFileObject($realm);
     } catch (Frontdoor_Model_FrontdoorDeliveryException $e) {
         $this->handleDeliveryError($e);
         return;
     }
     if (!$fileObject->exists()) {
         $this->handleDeliveryError(new Frontdoor_Model_FileNotFoundException());
         return;
     }
     $fullFilename = $fileObject->getPath();
     // The download name is the base name only, quoted for the Content-Disposition header.
     $downloadName = self::quoteFileName(basename($fullFilename));
     $this->disableViewRendering();
     $response = $this->getResponse();
     $response->clearAllHeaders();
     $response->setHeader('Content-Disposition', 'attachment; filename="' . $downloadName . '"', true);
     // The content type is whatever the stored file record says it is.
     $response->setHeader('Content-type', $fileObject->getMimeType(), true);
     $response->setHeader('Cache-Control', 'private', true);
     $response->setHeader('Pragma', 'cache', true);
     $this->_helper->SendFile->setLogger(Zend_Registry::get('Zend_Log'));
     try {
         $this->_helper->SendFile($fullFilename);
     } catch (Exception $e) {
         // Sending failed: drop whatever was prepared and answer with a bare 500.
         $this->logError($e);
         $response->clearAllHeaders();
         $response->clearBody();
         $response->setHttpResponseCode(500);
     }
 }
 /**
  * Set up Opus_Navigation.
  *
  * Removes menu entries the current user should not see: the review entry for
  * users without access to the 'review' module and for admins (who, per the
  * original author's note, reach the review pages via the administration), and
  * the admin entry for users without access to the 'admin' module.
  *
  * @param Zend_Controller_Request_Abstract $request The current request.
  * @return void
  */
 public function routeStartup(Zend_Controller_Request_Abstract $request)
 {
     $navigation = Zend_Registry::get('Opus_Navigation');
     if (empty($navigation)) {
         return;
     }
     $realm = Opus_Security_Realm::getInstance();
     // The review link is shown inside the administration for users with access to
     // both the 'admin' and the 'review' module; hide the standalone entry otherwise.
     if ($realm->checkModule('admin') || !$realm->checkModule('review')) {
         $reviewEntry = $navigation->findBy('label', 'review_menu_label');
         $navigation->removePage($reviewEntry);
     }
     // Hide the admin entry from everybody without access to the 'admin' module.
     if (!$realm->checkModule('admin')) {
         $adminEntry = $navigation->findBy('label', 'admin_menu_label');
         $navigation->removePage($adminEntry);
     }
 }
 /**
  * Returns a Zend_Acl object for the current user.
  *
  * Resources and the realm's roles are loaded into a fresh ACL; the current user
  * is then added as role ACTIVE_ROLE with the realm's roles as parents. Before the
  * roles are read, the realm is given the client address (IPv4 only: anything
  * containing ':' is skipped) and the authenticated identity, if any.
  *
  * @return Zend_Acl
  */
 public function getAcls()
 {
     $logger = $this->getLogger();
     $acl = new Zend_Acl();
     $this->loadResources($acl);
     $realm = Opus_Security_Realm::getInstance();
     // Only IPv4 addresses are handed to the realm; anything containing ':' is skipped.
     $remoteAddr = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : null;
     if (null !== $remoteAddr && preg_match('/:/', $remoteAddr) === 0) {
         $realm->setIp($remoteAddr);
     }
     // $user stays null for anonymous requests; it then prints as an empty name below.
     $user = Zend_Auth::getInstance()->getIdentity();
     if (null !== $user) {
         $realm->setUser($user);
     }
     $parentRoles = $realm->getRoles();
     $this->loadRoles($acl, $parentRoles);
     // The role for the current user is created on the fly, with the realm roles as parents.
     if (Zend_Registry::get('LOG_LEVEL') >= Zend_LOG::DEBUG) {
         $logger->debug("ACL: Create role '" . $user . "' with parents (" . implode(", ", $parentRoles) . ")");
     }
     $acl->addRole(new Zend_Acl_Role(self::ACTIVE_ROLE), $parentRoles);
     return $acl;
 }
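 /**
  * Determine the current User's security role and set up Opus_Security_Realm.
  *
  * The realm is reset to an anonymous state first, then given the authenticated
  * identity (if any) and the client's IPv4 address. An identity the realm
  * rejects is cleared from Zend_Auth before the error is re-thrown.
  *
  * @param Zend_Controller_Request_Abstract $request The current request.
  * @return void
  * @throws Exception if the realm rejects the authenticated identity
  */
 public function routeStartup(Zend_Controller_Request_Abstract $request)
 {
     // Create a Realm instance.  Initialize privileges to empty.
     $realm = Opus_Security_Realm::getInstance();
     $realm->setUser(null);
     $realm->setIp(null);
     // Overwrite default user if current user is logged on.
     $auth = Zend_Auth::getInstance();
     $identity = $auth->getIdentity();
     if (!empty($identity)) {
         try {
             $realm->setUser($identity);
         } catch (Exception $e) {
             // Presumably so a rejected identity does not persist in the session — confirm.
             $auth->clearIdentity();
             // Keep the message and chain the cause; the original passed the exception
             // object as the message, which stringified it and lost the chain.
             throw new Exception($e->getMessage(), 0, $e);
         }
     }
     // OPUS_Security does not support IPv6.  Skip setting IP address, if
     // IPv6 address has been detected.  This means, that authentication by
     // IPv6 address does not work, but username-password still does.
     if (isset($_SERVER['REMOTE_ADDR']) && preg_match('/:/', $_SERVER['REMOTE_ADDR']) === 0) {
         $realm->setIp($_SERVER['REMOTE_ADDR']);
     }
 }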
 /**
  * Shows a confirmation for the user, when the publication process is
  * finished.
  *
  * Without a document id in the session the action was called directly and
  * redirects to the index. The frontdoor link is offered only to users holding
  * the 'clearance' privilege or access to 'documents'. The deposit session is
  * cleared afterwards.
  */
 public function confirmAction()
 {
     $documentId = $this->session->depositConfirmDocumentId;
     // Called directly, without a finished publication: go back to the index.
     if (null === $documentId) {
         return $this->_redirectToAndExit('index', null, 'index');
     }
     $this->view->docId = $documentId;
     $accessControl = Zend_Controller_Action_HelperBroker::getStaticHelper('accessControl');
     $hasClearance = (true === Opus_Security_Realm::getInstance()->check('clearance'));
     if ($hasClearance || true === $accessControl->accessAllowed('documents')) {
         $this->view->showFrontdoor = true;
     }
     // Nothing of the deposit session is needed any more.
     $this->session->unsetAll();
 }
 * Foundation; either version 2 of the Licence, or any later version.
 * OPUS is distributed in the hope that it will be useful, but WITHOUT ANY
 * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
 * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
 * details. You should have received a copy of the GNU General Public License 
 * along with OPUS; if not, write to the Free Software Foundation, Inc., 51 
 * Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
 *
 * @category    Application
 * @author      Pascal-Nicolas Becker <*****@*****.**>
 * @author      Ralf Claussnitzer <*****@*****.**>
 * @author      Thoralf Klein <*****@*****.**>
 * @author      Felix Ostrowski <*****@*****.**>
 * @copyright   Copyright (c) 2009-2010, OPUS 4 development team
 * @license     http://www.gnu.org/licenses/gpl.html General Public License
 * @version     $Id: console.php 8423 2011-05-27 16:58:20Z sszott $
 */
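$config = Zend_Registry::get('Zend_Config');
if ($config->security !== '0') {
    // setup realm ($realm stays in scope, so console input can use it directly)
    $realm = Opus_Security_Realm::getInstance();
}
// Interactive developer console: each line read is executed as PHP in this scope
// via eval(). That is the tool's purpose, so it must only ever be reachable from a
// trusted local shell — whoever types here runs code with the application's privileges.
while (true) {
    $input = readline('opus> ');
    // readline() returns false on EOF (Ctrl-D); without this check the loop spins forever.
    if (false === $input) {
        break;
    }
    readline_add_history($input);
    try {
        eval($input);
    } catch (Exception $e) {
        echo 'Caught exception ' . get_class($e) . ': ' . $e->getMessage() . "\n" . $e->getTraceAsString() . "\n";
    }
}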
 /**
  * Returns the configured frontdoor export stylesheet.
  *
  * @return string the value of export.stylesheet.frontdoor from the configuration,
  *                or '' if it is not set or the user has no access to the 'export' module
  */
 public static function getStylesheet()
 {
     $config = Zend_Registry::get('Zend_Config');
     if (!isset($config->export->stylesheet->frontdoor)) {
         return '';
     }
     if (!Opus_Security_Realm::getInstance()->checkModule('export')) {
         return '';
     }
     return $config->export->stylesheet->frontdoor;
 }
 /**
  * The export functionality should not be present for guests.
  *
  * With security enabled and a search stylesheet configured, a guest must
  * neither pass the 'export' module check nor be offered the export link.
  */
 public function testXmlExportButtonNotPresentForGuest()
 {
     $this->enableSecurity();
     $stylesheetConfig = new Zend_Config(array('export' => array('stylesheet' => array('search' => 'example'))));
     Zend_Registry::get('Zend_Config')->merge($stylesheetConfig);
     $this->dispatch('/solrsearch/index/search/searchtype/all');
     $realm = Opus_Security_Realm::getInstance();
     $this->assertFalse($realm->checkModule('export'));
     $exportLink = '//a[@href="/solrsearch/index/search/searchtype/all/export/xml/stylesheet/example"]';
     $this->assertNotQuery($exportLink);
 }
 /**
  * Delivers the singleton instance.
  *
  * The instance is created lazily from the called class (late static binding)
  * and kept in self::$instance, i.e. one slot shared by the whole hierarchy:
  * whichever class calls first determines the concrete type that is stored.
  *
  * @return Opus_Security_Realm
  */
 public static final function getInstance()
 {
     if (null !== self::$instance) {
         return self::$instance;
     }
     $calledClass = get_called_class();
     self::$instance = new $calledClass();
     return self::$instance;
 }
 /**
  * Logs the current user out: clears the Zend_Auth identity and resets the
  * security realm to an anonymous state (no user, no IP).
  */
 public function logoutUser()
 {
     $auth = Zend_Auth::getInstance();
     if (null !== $auth) {
         $auth->clearIdentity();
     }
     $realm = Opus_Security_Realm::getInstance();
     $realm->setUser(null);
     $realm->setIp(null);
 }
 /**
  * Return view helper output. Depending on if a user is logged on, a login link or a logout link
  * is returned respectively.
  *
  * For a logged-on user the logout link carries the HTML-escaped identity; a link
  * to the account module is prepended when the user may access that module and
  * the configuration value account.editOwnAccount is set and truthy.
  *
  * @return string
  */
 public function __toString()
 {
     $returnParams = Zend_Controller_Action_HelperBroker::getStaticHelper('ReturnParams');
     $identity = Zend_Auth::getInstance()->getIdentity();
     if (empty($identity)) {
         $loginUrl = $this->view->url(array_merge($this->_login_url, $returnParams->getReturnParameters()));
         return '<a rel="nofollow" href="' . $loginUrl . '">' . $this->view->translate('default_auth_index') . '</a>';
     }
     // The account link is off by default; it needs module access and the config switch.
     $showAccountLink = false;
     $realm = Opus_Security_Realm::getInstance();
     if ($realm->checkModule('account')) {
         // Is the user allowed to edit his or her own account?
         $config = Zend_Registry::get('Zend_Config');
         if (isset($config) && isset($config->account->editOwnAccount)) {
             $showAccountLink = $config->account->editOwnAccount;
         }
     }
     $logoutUrl = $this->view->url(array_merge($this->_logout_url, $returnParams->getReturnParameters()));
     $logoutLink = '<a rel="nofollow" href="' . $logoutUrl . '">' . $this->view->translate('default_auth_logout') . ' (' . htmlspecialchars($identity) . ')</a>';
     if (!$showAccountLink) {
         return $logoutLink;
     }
     $accountUrl = $this->view->url(array('module' => 'account'), null, true);
     return '<a rel="nofollow" style="padding-right: 1em" href="' . $accountUrl . '">' . $this->view->translate('default_auth_account') . '</a> ' . $logoutLink;
 }
 /**
  * Checks that the user logged in by the test "testLoginAdmin" is no longer logged in.
  *
  * Regression test for OPUSVIER-3283.
  */
 public function testTearDownDidLogout()
 {
     $this->enableSecurity();
     $currentRoles = Opus_Security_Realm::getInstance()->getRoles();
     $this->assertNotContains('administrator', $currentRoles);
 }
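 /**
  * Runs a search and renders either the result list or the "no hits" view.
  *
  * Two request shapes are redirected to the export module first: a malformed
  * 'searchtype' of the form latest/export/<format>/stylesheet/<name> (see
  * OPUSVIER-3324) and any request carrying an 'export' parameter. The export
  * stylesheet is only offered to users with access to the 'export' module.
  *
  * @return void
  */
 public function searchAction()
 {
     $request = $this->getRequest();
     $searchType = $request->getParam('searchtype');
     // TODO OPUSVIER-3324 remove the mixed form from the url
     // check if searchtype = latest and params parsed incorrect
     if (is_string($searchType) && strpos($searchType, 'latest/export') !== false) {
         // Expected shape: latest/export/<format>/stylesheet/<name>; missing parts become null
         // instead of raising an undefined-index notice.
         $paramArray = explode('/', $searchType);
         $params = $request->getParams();
         $params['searchtype'] = 'latest';
         $params['export'] = isset($paramArray[2]) ? $paramArray[2] : null;
         $params['stylesheet'] = isset($paramArray[4]) ? $paramArray[4] : null;
         return $this->redirectToExport($params);
     }
     if (!is_null($request->getParam('export'))) {
         // export module ignores pagination parameters
         return $this->redirectToExport($request->getParams());
     }
     $config = Zend_Registry::get('Zend_Config');
     if (isset($config->export->stylesheet->search) && Opus_Security_Realm::getInstance()->checkModule('export')) {
         $this->view->stylesheet = $config->export->stylesheet->search;
     }
     $this->query = $this->buildQuery();
     $this->performSearch();
     $this->setViewValues();
     $this->setViewFacets();
     $this->setLinkRelCanonical();
     // A start offset beyond the last hit is treated like an empty result.
     if ($this->numOfHits === 0 || $this->query->getStart() >= $this->numOfHits) {
         $this->render('nohits');
     } else {
         $this->render('results');
     }
 }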
 /**
  * Prepare document finder.
  *
  * The finder is restricted to documents in the review server state. Admins and
  * reviewers may see all of them; the per-reviewer restriction via the
  * 'reviewer.user_id' enrichment is switched off by a hard-coded local flag.
  *
  * @return Opus_DocumentFinder
  * @throws Application_Exception if the user has neither 'admin' nor 'review' module access
  */
 protected function _prepareDocumentFinder()
 {
     $finder = new Opus_DocumentFinder();
     $finder->setServerState(self::$_reviewServerState);
     $logger = $this->getLogger();
     $userId = $this->_loggedUser->getUserId();
     // Hard-coded off: when enabled, reviewers only see documents assigned to them.
     $onlyReviewerByUserId = false;
     $realm = Opus_Security_Realm::getInstance();
     $logSuffix = " (user_id: {$userId})";
     if ($realm->checkModule('admin')) {
         $logger->debug("Review: Showing all unpublished documents to admin" . $logSuffix);
         return $finder;
     }
     if (!$realm->checkModule('review')) {
         $message = 'Review: Access to unpublished documents denied.';
         $logger->err($message . $logSuffix);
         throw new Application_Exception($message);
     }
     if ($onlyReviewerByUserId) {
         $finder->setEnrichmentKeyValue('reviewer.user_id', $userId);
         $logger->debug("Review: Showing only documents belonging to reviewer" . $logSuffix);
     } else {
         $logger->debug("Review: Showing all unpublished documents to reviewer" . $logSuffix);
     }
     return $finder;
 }
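 /**
  * Checks the availability of a metadataPrefix.
  *
  * A prefix is available when an XSLT file of that name exists in the metadata
  * prefix directory (plus the built-in 'xMetaDissPlus' spelling). 'copy_xml' is
  * reserved for users with access to the 'admin' module. On failure the OAI
  * error code CANNOTDISSEMINATEFORMAT and a message are set on this object.
  *
  * @param mixed $oaiMetadataPrefix value of the metadataPrefix request parameter
  * @return boolean
  */
 private function _validateMetadataPrefix($oaiMetadataPrefix)
 {
     // we assuming that a metadata prefix file ends with xslt
     $possibleFiles = glob($this->_pathToMetadataPrefixFiles . DIRECTORY_SEPARATOR . '*.xslt');
     // glob() returns false on error; treat that like an empty directory rather than iterating over false
     if (false === $possibleFiles) {
         $possibleFiles = array();
     }
     // we support both spellings, xMetaDissPlus and XMetaDissPlus TODO really?
     $availableMetadataPrefixes = array('xMetaDissPlus');
     foreach ($possibleFiles as $prefixFile) {
         $availableMetadataPrefixes[] = basename($prefixFile, '.xslt');
     }
     // only administrators can request copy_xml format
     if (!Opus_Security_Realm::getInstance()->checkModule('admin')) {
         $availableMetadataPrefixes = array_diff($availableMetadataPrefixes, array('copy_xml'));
     }
     // Strict comparison: the prefix comes from the request and must match a name
     // exactly, never through loose type juggling.
     $result = in_array($oaiMetadataPrefix, $availableMetadataPrefixes, true);
     if (false === $result) {
         // MetadataPrefix not available.
         $this->setErrorCode(Oai_Model_Error::CANNOTDISSEMINATEFORMAT);
         $this->setErrorMessage('The metadata format "' . $oaiMetadataPrefix . '" given by metadataPrefix is not supported by the item or this repository.');
     }
     return $result;
 }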
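 /**
  * Runs a search and renders either the result list or the "no hits" view.
  *
  * Before searching, three request shapes are redirected: a Reset of the
  * advanced/author search form, a malformed 'searchtype' of the form
  * latest/export/<format>/stylesheet/<name> (see OPUSVIER-3324), and any request
  * carrying an 'export' parameter. The export stylesheet is only offered to users
  * with access to the 'export' module. For the advanced, author and latest search
  * types the matching form is prepared for the view.
  *
  * @return void
  */
 public function searchAction()
 {
     $searchType = $this->getParam('searchtype');
     $request = $this->getRequest();
     // Strict in_array: the search type is request-controlled and must match exactly.
     if (in_array($searchType, array('advanced', 'authorsearch'), true) && !is_null($this->getParam('Reset'))) {
         $this->_redirectTo('advanced', null, 'index', 'solrsearch');
         return;
     }
     // TODO OPUSVIER-3324 remove the mixed form from the url
     // check if searchtype = latest and params parsed incorrect
     if (is_string($searchType) && strpos($searchType, 'latest/export') !== false) {
         // Expected shape: latest/export/<format>/stylesheet/<name>; missing parts become null
         // instead of raising an undefined-index notice.
         $paramArray = explode('/', $searchType);
         $params = $request->getParams();
         $params['searchtype'] = 'latest';
         $params['export'] = isset($paramArray[2]) ? $paramArray[2] : null;
         $params['stylesheet'] = isset($paramArray[4]) ? $paramArray[4] : null;
         $this->redirectToExport($params);
         return;
     }
     if (!is_null($request->getParam('export'))) {
         // export module ignores pagination parameters
         $this->redirectToExport($request->getParams());
         return;
     }
     // TODO does the following make sense after the above?
     $config = $this->getConfig();
     if (isset($config->export->stylesheet->search) && Opus_Security_Realm::getInstance()->checkModule('export')) {
         $this->view->stylesheet = $config->export->stylesheet->search;
     }
     $query = $this->buildQuery();
     // if query is null, redirect has already been set
     if (is_null($query)) {
         return;
     }
     $this->_query = $query;
     $this->performSearch();
     $this->setViewValues();
     $this->_facetMenu->prepareViewFacets($this->_resultList, $request);
     $this->view->facets = $this->_facetMenu->getFacets();
     $this->view->selectedFacets = $this->_facetMenu->getSelectedFacets();
     $this->view->facetNumberContainer = $this->_facetMenu->getFacetNumberContainer();
     $this->view->showFacetExtender = $this->_facetMenu->getShowFacetExtender();
     $this->setLinkRelCanonical();
     switch ($searchType) {
         case 'advanced':
         case 'authorsearch':
             $form = new Solrsearch_Form_AdvancedSearch($searchType);
             $form->populate($this->getAllParams());
             $form->setAction($this->view->url(array('module' => 'solrsearch', 'controller' => 'dispatch', 'action' => 'index'), null, true));
             $this->view->form = $form;
             break;
         case 'latest':
             $form = new Solrsearch_Form_Options();
             $form->setMethod(Zend_FORM::METHOD_GET);
             $form->setAction($this->view->url(array('module' => 'solrsearch', 'controller' => 'index', 'action' => 'search'), null, true));
             $form->populate($this->getAllParams());
             $this->view->form = $form;
             break;
         default:
             // other search types have no dedicated form
             break;
     }
     // A start offset beyond the last hit is treated like an empty result.
     if ($this->_numOfHits === 0 || $this->_query->getStart() >= $this->_numOfHits) {
         $this->render('nohits');
     } else {
         $this->render('results');
     }
 }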