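include_once S3DB_SERVER_ROOT . '/s3dbapi/inc/SQL.php';
include_once S3DB_SERVER_ROOT . '/s3dbapi/inc/htmlgen.php';
include_once S3DB_SERVER_ROOT . '/s3dbapi/inc/permissions.php';
include_once S3DB_SERVER_ROOT . '/s3dbapi/inc/validation_engine.php';
include_once S3DB_SERVER_ROOT . '/s3dbapi/inc/important_vars.php';
require_once S3DB_SERVER_ROOT . '/s3dbapi/inc/class.db.inc.php';
require_once 'Structures/DataGrid.php';
#include_once(S3DB_SERVER_ROOT.'/usercheck.php');

session_start();
Header("Cache-control: private"); //IE fix

# Session gate: everything below this block runs only for a logged-in session.
if (!isset($_SESSION['user'])) {
    # Read the key defensively: the parameter may be absent, or an array (key[]=...).
    # $_REQUEST can be filled from the query string, so the key may end up in URLs and logs.
    $request_key = (isset($_REQUEST['key']) && is_string($_REQUEST['key'])) ? $_REQUEST['key'] : '';

    if ($request_key != '' && check_key_validity($request_key)) {
        # NOTE(review): a *valid* key still lands on the error=2 redirect, the META tag's
        # quoting is malformed, and this echo happens before Header() below, so the
        # Location header can only be sent if output buffering is on. Left unchanged;
        # confirm the intended flow before relying on it.
        echo '<META HTTP-EQUIV="Refresh" Content= "0; URL="../login.php?error=2">';
    }

    Header('Location: ?error=2');
    exit;
}

# Carry every s3db_* GET parameter over into $extra_vars as a query string.
if (!isset($extra_vars)) {
    # The original appended to an undefined variable.
    $extra_vars = '';
}
foreach ($_GET as $name => $value) {
    # strpos() !== false matches 's3db_' anywhere in the name, exactly as ereg('s3db_', ...)
    # did; ereg() no longer exists in PHP 7+.
    # Array values (s3db_x[]=...) are skipped because urlencode() only accepts strings.
    if (strpos((string) $name, 's3db_') !== false && is_string($value)) {
        # The parameter name is request-controlled too, so it is encoded like the value.
        $extra_vars .= '&' . urlencode((string) $name) . '=' . urlencode($value);
    }
}
if ($extra_vars) {
    # Swap the leading '&' for '?'.
    $extra_vars = '?' . substr($extra_vars, 1);
}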
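/**
 * Decide whether the caller may use the API, from an API key or the PHP session.
 *
 * Non-empty key:
 *   0      check_key_validity() accepted the key
 *   1      key rejected and no $user_id was supplied
 *   other  whatever authenticate_remote_user($key, $user_id) returns, unchanged
 * Empty key:
 *   null   $_SESSION['db'] is set (session access; no status code is produced)
 *   exits  after printing an S3QL hint when the request carried an empty 'key'
 *          parameter, or a login redirect page when there is neither key nor session
 *
 * @param string $key     API key from the request; '' means "fall back to the session".
 * @param string $user_id User identifier, consulted only when the key is not valid locally
 *                        (the original comment says it may include a remote URL).
 * @return int|null
 */
function authenticate($key, $user_id)
{
    if ($key != '') {
        # No database handle exists in this scope. The original passed an undefined $db,
        # which evaluates to null; make that explicit instead of raising a warning.
        # NOTE(review): confirm check_key_validity() can work without a handle.
        $db = null;

        if (check_key_validity($key, $db)) {
            return 0;
        }

        # Key is not valid locally: a user identifier is required to try remote authentication.
        if ($user_id == '') {
            # sorry, no access (the original had an unreachable exit after this return)
            return 1;
        }

        return authenticate_remote_user($key, $user_id);
    }

    # Empty key: fall back to the logged-in session.
    if (isset($_SESSION['db']) && $_SESSION['db'] != '') {
        # NOTE(review): the original only assigned two locals here and fell off the end of
        # the function, so callers receive null. A loose "== 0" check on the result
        # treats that as success; confirm callers expect this.
        return null;
    }

    # array_key_exists() is an exact test. The original in_array('key', array_keys(...))
    # compared loosely, so on PHP < 8 an integer parameter name 0 also matched.
    if (array_key_exists('key', $_REQUEST)) {
        # the url seems prepared to take in a key, but it is empty
        # NOTE(review): the original prefixed the URI with $http . $def, both undefined in
        # this scope (empty strings plus a warning); dropped so no warning text can
        # leak into the XML. Restore a scheme prefix here if one was intended.
        echo '<S3QL>';
        echo '<error>0</error>';
        echo '<connection>Successfully connected to <uri>' . S3DB_URI_BASE . '/</uri></connection><BR>';
        echo '<message>Please provide a key to access S3DB</message><BR>';
        echo '<message>For syntax specification and instructions refer to http://s3db.org/apibasic.html</message>';
        echo '</S3QL>';
        exit;
    }

    # no key and no session found
    echo '<body onload="window.parent.location=\'' . S3DB_URI_BASE . '/login.php?error=2\'">';
    exit;
}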
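/**
 * Decide whether the caller may use the API, from an API key (validated locally or
 * against a remote S3DB deployment) or from the PHP session.
 *
 * Return codes on the key path, as produced by the code below:
 *   0  key valid locally, or remote user validated by validate_remote_user()
 *   1  key not valid locally and no $url supplied
 *   2  remote user not validated locally (peer authentication disabled, or validation
 *      still fails after insert_remote_user())
 *   3  the user in $url does not match the account reported by the remote deployment
 *   4  remote URI.php unreachable, unreadable, or its response was not parsed into an array
 *   5  insert_remote_user() failed
 * Empty key:
 *   null   $_SESSION['db'] is set (session access; no status code is produced)
 *   exits  after printing an S3QL hint or a login redirect page
 *
 * @param string $key API key from the request; '' means "fall back to the session".
 * @param string $url Remote user URL; per the original comment its last path segment names
 *                    the user (e.g. https://ibl.mdanderson.org/s3db/U4).
 * @return int|null
 */
function authenticate($key, $url)
{
    if ($key != '') {
        # No database handle exists yet. The original passed an undefined $db, which
        # evaluates to null; make that explicit instead of raising a warning.
        # NOTE(review): confirm check_key_validity() can work without a handle.
        $db = null;

        if (check_key_validity($key, $db)) {
            return 0;
        }

        # Key is not valid locally: a remote user URL is required to go any further.
        if ($url == '') {
            # sorry, no access (the original had an unreachable exit after this return)
            return 1;
        }

        # URL contains info on user in the last part of the path.
        $user_id_info = uid($url);

        $db_conf = $GLOBALS['s3db_info']['server']['db'];
        $db = CreateObject('s3dbapi.db');
        $db->Halt_On_Error = 'no';
        $db->Host = $db_conf['db_host'];
        $db->Type = $db_conf['db_type'];
        $db->Database = $db_conf['db_name'];
        $db->User = $db_conf['db_user'];
        $db->Password = $db_conf['db_pass'];
        $db->connect();

        $user = $user_id_info['uid'];
        $url2call = remoteURLretrieval($user_id_info, $db);

        # The key is request input: urlencode() keeps characters such as '&' or '#' from
        # changing the query string sent to the remote deployment.
        # NOTE(review): this server fetches a URL derived from caller-supplied $url and puts
        # the key in its query string. Confirm remoteURLretrieval() only yields registered
        # peers and that the transport is https.
        $rawUrl = $url2call . '/URI.php?key=' . urlencode($key);

        if (!http_test_existance($rawUrl)) {
            return 4;
        }

        # go to remote url URI.php to find a username and user_id
        $h = fopen($rawUrl, 'r');
        if ($h === false) {
            # The original called fread() on the failed handle.
            return 4;
        }
        # A single fread() on a network stream may return only the first chunk;
        # stream_get_contents() reads until EOF or the same 10000-byte cap.
        $urldata = stream_get_contents($h, 10000);
        fclose($h); # the original never closed the handle
        if ($urldata === false) {
            return 4;
        }

        $account_info = html2cell($urldata);
        if (!is_array($account_info)) {
            return 4;
        }

        # The code reads the remote account record from index 2 of the parsed response.
        # A response without it cannot match the requested user.
        if (!isset($account_info[2]['account_id'])) {
            return 3;
        }
        $remote_account = $account_info[2];

        # Compare as strings: a loose == against a non-string $user (e.g. integer 0 on
        # PHP < 8) could report a match that is not one.
        $expected_user = $user_id_info['Did'] . '/' . 'U' . $remote_account['account_id'];
        if ((string) $user !== $expected_user) {
            return 3;
        }

        # The remote deployment vouches for the user; now check the local authorisation.
        if (validate_remote_user($remote_account, $url, $key)) {
            return 0;
        }

        # Not known locally: register the user only if the s3db config allows it.
        if ($GLOBALS['s3db_info']['server']['allow_peer_authentication'] != '1') {
            return 2;
        }
        if (!insert_remote_user($remote_account, $url)) {
            return 5;
        }

        # now we can validate it again
        return validate_remote_user($remote_account, $url, $key) ? 0 : 2;
    }

    # Empty key: fall back to the logged-in session.
    if (isset($_SESSION['db']) && $_SESSION['db'] != '') {
        # NOTE(review): the original only assigned two locals here and fell off the end of
        # the function, so callers receive null. A loose "== 0" check on the result
        # treats that as success; confirm callers expect this.
        return null;
    }

    # array_key_exists() is an exact test. The original in_array('key', array_keys(...))
    # compared loosely, so on PHP < 8 an integer parameter name 0 also matched.
    if (array_key_exists('key', $_REQUEST)) {
        # the url seems prepared to take in a key, but it is empty
        # NOTE(review): the original prefixed the URI with $http . $def, both undefined in
        # this scope (empty strings plus a warning); dropped so no warning text can
        # leak into the XML. Restore a scheme prefix here if one was intended.
        echo '<S3QL>';
        echo '<error>0</error>';
        echo '<connection>Successfully connected to <uri>' . S3DB_URI_BASE . '/</uri></connection><BR>';
        echo '<message>Please provide a key to access S3DB</message><BR>';
        echo '<message>For syntax specification and instructions refer to http://s3db.org/apibasic.html</message>';
        echo '</S3QL>';
        exit;
    }

    # no key and no session found
    echo '<body onload="window.parent.location=\'' . S3DB_URI_BASE . '/login.php?error=2\'">';
    exit;
}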