<?php

// start the session first: it has to happen before any output is sent and
// the included files only provide configuration and helper functions
// NOTE(review): nothing visible here sets the session cookie flags
// (httponly / secure / samesite); confirm they are set in config.php or php.ini
session_start();
// load configuration and helper functions, both relative to the document root
include_once "{$_SERVER['DOCUMENT_ROOT']}/config/config.php";
include_once "{$_SERVER['DOCUMENT_ROOT']}/app/functions.php";
?>
<!DOCTYPE html>
<html lang="en">
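	<?php 
// check authentication: a non-empty sAMAccountName in the session marks a
// logged-in user, everybody else is sent to the login prompt with the
// current URI so they can be brought back afterwards
if (empty($_SESSION['sAMAccountName'])) {
    prompt_auth($_SERVER['REQUEST_URI']);
    // fail closed: should prompt_auth() ever return (e.g. after only sending
    // a redirect header) nothing of the protected page below must be rendered
    exit;
}
?>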
	<head>
		<?php 
// shared <head> markup (meta, css, scripts) lives in one include
include_once "{$_SERVER['DOCUMENT_ROOT']}/app/includes/header.php";
?>
	</head>
	<body>
		<div class="section">
			<div id="branding">
				<img src="/public/images/svg/CLC_Logo_Small_PANTONE.svg" style="width:auto;height:10vh;float:left;" alt="clc logo" />
				<?php 
// navigation markup; plain include (not include_once) as in the original
include "{$_SERVER['DOCUMENT_ROOT']}/app/includes/nav.php";
?>
			</div>
			<div id="leftpage">
				<div id="stats">
					<?php 
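/**
 *	invoke a controller based on the query arguments given
 *
 *	$controllers (a global filled by load_modules()) maps a pattern
 *	"arg0-arg1" to an array with at least a 'func' entry and an optional
 *	'auth' flag. the first matching pattern wins, from most to least
 *	specific: "arg0-arg1", "arg0-*", "*-arg1", "*-*".
 *
 *	controllers flagged with 'auth' additionally require a logged-in user and
 *	a same-origin check on the Origin/Referer headers (defence in depth against
 *	cross site request forgery; not a substitute for a per-session token).
 *
 *	this function does not return in case of an error.
 *	@param array $args query-arguments array; $args[0] may be missing, a
 *		string (arg0 only) or an array(arg0, arg1) and is normalised here
 *	@return mixed return value of controller that was called
 */
function invoke_controller($args)
{
    global $controllers;
    // change query-arguments so that we always have a arg0 and arg1
    if (!isset($args[0])) {
        $args[0] = array('', '');
    } elseif (is_string($args[0])) {
        $args[0] = array($args[0], '');
    } elseif (is_array($args[0]) && !isset($args[0][1])) {
        // an array holding arg0 only
        $args[0][1] = '';
    }
    // load all modules
    // TODO (later): fastpath for serving cached pages or files (the latter one
    // is only doable when we store in the object file which module to load)
    load_modules();
    $arg0 = $args[0][0];
    $arg1 = $args[0][1];
    // candidate patterns, most specific first; each entry is
    // array(controller key, human-readable reason for the log)
    $candidates = array(
        array($arg0 . '-' . $arg1, $arg0 . '/' . $arg1),
        array($arg0 . '-*', $arg0 . '/*'),
        array('*-' . $arg1, '*/' . $arg1),
        array('*-*', '*/*'),
    );
    $match = false;
    $reason = '';
    foreach ($candidates as $candidate) {
        if (isset($controllers[$candidate[0]])) {
            $match = $controllers[$candidate[0]];
            $reason = $candidate[1];
            break;
        }
    }
    if ($match === false) {
        // normally we won't reach this as some default (*/*) controller will
        // be present
        log_msg('warn', 'controller: no match for ' . quot($arg0 . '/' . $arg1));
        hotglue_error(400);
        return;
    }
    // check authentication for those controllers that require it
    if (!empty($match['auth'])) {
        if (!is_auth()) {
            prompt_auth();
        }
        // cross site request forgery (xsrf) check: browsers send an Origin
        // header on cross-site POST/fetch requests and a Referer on most
        // navigations, so prefer Origin and fall back to Referer. a request
        // carrying neither still passes, since proxies and privacy settings
        // strip both headers (this is what makes the check defence in depth
        // only).
        $bu = base_url();
        $origin = empty($_SERVER['HTTP_ORIGIN']) ? '' : $_SERVER['HTTP_ORIGIN'];
        $referer = empty($_SERVER['HTTP_REFERER']) ? '' : $_SERVER['HTTP_REFERER'];
        if ($origin !== '') {
            // Origin is scheme://host[:port] without a path (or the literal
            // "null"), so base_url() must equal it or start with it plus '/'
            $same_origin = ($bu === $origin || strncmp($bu, $origin . '/', strlen($origin) + 1) === 0);
        } elseif ($referer !== '') {
            // the referer must start with base_url(); when base_url() does not
            // end in '/', the prefix must also end on a path boundary so that
            // "http://host" does not accept "http://host.evil.example/"
            $len = strlen($bu);
            $same_origin = (strncmp($referer, $bu, $len) === 0);
            if ($same_origin && substr($bu, -1) !== '/' && strlen($referer) > $len) {
                $same_origin = in_array(substr($referer, $len, 1), array('/', '?', '#'), true);
            }
        } else {
            $same_origin = true;
        }
        if (!$same_origin) {
            log_msg('warn', 'controller: possible xsrf detected, origin ' . quot($origin) . ', referer ' . quot($referer) . ', arguments ' . var_dump_inl($args));
            hotglue_error(400);
        }
    }
    log_msg('info', 'controller: invoking controller ' . quot($reason) . ' => ' . $match['func']);
    return $match['func']($args);
}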
    $err = response('Required argument "method" missing', 400);
    echo json_encode($err);
    log_msg('warn', 'json: ' . $err['#data']);
    die;
}
load_modules($method);
if (!($m = get_service($method))) {
    $err = response('Unknown method ' . quot($method), 400);
    echo json_encode($err);
    log_msg('warn', 'json: ' . $err['#data']);
    die;
}
// check authentication
if (isset($m['auth']) && $m['auth']) {
    if (!is_auth()) {
        prompt_auth(true);
    }
}
if (isset($m['cross-origin']) && $m['cross-origin']) {
    // output cross-origin header if requested. NOTE(review): the header name
    // on the next line is misspelled ("Access-Controll-..."), so browsers never
    // honour it and cross-origin methods silently fail; it should read
    // "Access-Control-Allow-Origin".
    header('Access-Controll-Allow-Origin: *');
} else {
    // otherwise check the referer to make xsrf harder
    if (!empty($_SERVER['HTTP_REFERER'])) {
        $bu = base_url();
        if (substr($_SERVER['HTTP_REFERER'], 0, strlen($bu)) != $bu) {
            echo json_encode(response('Cross-origin requests not supported for this method', 400));
            log_msg('warn', 'json: possible xsrf detected, referer is ' . quot($_SERVER['HTTP_REFERER']) . ', arguments ' . var_dump_inl($args));
            die;
        }
    }
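/**
 *	check that a file name taken from an object file stays inside the page's
 *	shared directory
 *
 *	the file names in object files are normally written by authenticated
 *	editors, but nothing here guarantees they are free of '..' segments or
 *	absolute paths, so the resolved path is checked before serving it.
 *	@param string $pn page name (part before the first dot of the object name)
 *	@param string $fn full path as it will be handed to serve_file()
 *	@return bool true when $fn exists and resolves below CONTENT_DIR/$pn/shared
 */
function image_file_within_shared($pn, $fn)
{
    $dir = realpath(CONTENT_DIR . '/' . $pn . '/shared');
    $real = realpath($fn);
    if ($dir === false || $real === false) {
        return false;
    }
    // strictly inside the directory, not the directory itself
    return strncmp($real, $dir . DIRECTORY_SEPARATOR, strlen($dir) + 1) === 0;
}

/**
 *	implements serve_resource
 *
 *	serves the image behind an object of type 'image': the resized version
 *	(image-resized-file) for inline viewing when one exists, otherwise the
 *	original (image-file). downloading the original while a resized version
 *	exists is reserved for authenticated users.
 *
 *	@param array $args hook arguments; 'obj' is the object array, 'dl' is
 *		true when the file is to be sent as a download
 *	@return bool false when nothing was served (serve_file() is expected not
 *		to return once it has sent a file)
 */
function image_serve_resource($args)
{
    $obj = $args['obj'];
    if (!isset($obj['type']) || $obj['type'] != 'image') {
        return false;
    }
    $dl = isset($args['dl']) ? $args['dl'] : false;
    // we don't have to care about symlinks here as they are being resolved
    // before this hook is called
    // array_shift() takes its argument by reference, hence the temporary
    $name_parts = expl('.', $obj['name']);
    $pn = array_shift($name_parts);
    $shared = CONTENT_DIR . '/' . $pn . '/shared/';
    if (!empty($obj['image-resized-file']) && !$dl) {
        // we have a resized file and don't want to download the original
        $fn = $shared . $obj['image-resized-file'];
        $ext = filext($fn);
        if (!image_file_within_shared($pn, $fn)) {
            log_msg('warn', 'image_serve_resource: image-resized-file ' . quot($fn) . ' missing or outside the shared directory');
        } elseif ($ext == 'jpg' || $ext == 'jpeg') {
            serve_file($fn, false, 'image/jpeg');
        } elseif ($ext == 'png') {
            serve_file($fn, false, 'image/png');
        } else {
            log_msg('warn', 'image_serve_resource: unsupported image-resized-file ' . quot($fn));
        }
        // if we're still alive it means that the resized file has not been
        // found
        log_msg('warn', 'image_serve_resource: could not serve image-resized-file ' . quot($fn) . ', falling back to original');
        $need_auth = false;
    } elseif (empty($obj['image-resized-file'])) {
        // we don't have a resized file
        $need_auth = false;
    } else {
        // we really want to download the original
        $need_auth = true;
    }
    if (empty($obj['image-file'])) {
        // no original on record either
        return false;
    }
    if ($need_auth && !is_auth()) {
        // require authentication
        prompt_auth(true);
    }
    $fn = $shared . $obj['image-file'];
    if (!image_file_within_shared($pn, $fn)) {
        log_msg('warn', 'image_serve_resource: image-file ' . quot($fn) . ' missing or outside the shared directory');
        return false;
    }
    $mime = empty($obj['image-file-mime']) ? '' : $obj['image-file-mime'];
    serve_file($fn, $dl, $mime);
    // if everything fails
    return false;
}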
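/**
 *	implements serve_resource
 *
 *	serves the file behind an object of type 'download'. public downloads
 *	(download-public == 'public') go to everybody, all others only to
 *	authenticated users (i.e. while editing).
 *
 *	@param array $args hook arguments; 'obj' is the object array, 'dl' is
 *		true when the file is to be sent as a download
 *	@return bool false when nothing was served (serve_file() is expected not
 *		to return once it has sent a file)
 */
function download_serve_resource($args)
{
    $obj = $args['obj'];
    if (!isset($obj['type']) || $obj['type'] != 'download') {
        return false;
    }
    if (empty($obj['download-file'])) {
        // nothing on record to serve (mirrors image_serve_resource())
        return false;
    }
    // serve the resource only when it's public or we're logged in (i.e. editing)
    // strict comparison: the flag is a string in the object file and PHP's loose
    // equality would also accept values such as true
    $is_public = isset($obj['download-public']) && $obj['download-public'] === 'public';
    if (!$is_public && !is_auth()) {
        prompt_auth(true);
        return false;
    }
    $name_parts = expl('.', $obj['name']);
    $pn = $name_parts[0];
    $fn = CONTENT_DIR . '/' . $pn . '/shared/' . $obj['download-file'];
    // the file name comes from the object file; make sure it resolves to an
    // existing file strictly below the page's shared directory before serving
    $dir = realpath(CONTENT_DIR . '/' . $pn . '/shared');
    $real = realpath($fn);
    if ($dir === false || $real === false || strncmp($real, $dir . DIRECTORY_SEPARATOR, strlen($dir) + 1) !== 0) {
        log_msg('warn', 'download_serve_resource: download-file ' . quot($fn) . ' missing or outside the shared directory');
        return false;
    }
    $dl = isset($args['dl']) ? $args['dl'] : false;
    $mime = isset($obj['download-file-mime']) ? $obj['download-file-mime'] : '';
    serve_file($fn, $dl, $mime);
    // if everything fails
    return false;
}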