<?php
session_start();

// load functions
// NOTE(review): both files are resolved relative to DOCUMENT_ROOT; presumably
// functions.php is what defines prompt_auth() used further down — confirm.
include_once $_SERVER['DOCUMENT_ROOT'] . '/config/config.php';
include_once $_SERVER['DOCUMENT_ROOT'] . '/app/functions.php';
?>
<!DOCTYPE html>
<html lang="en">
<?php
// check authentication
// NOTE(review): this gate runs after the DOCTYPE and <html> tag have already
// been emitted. If prompt_auth() redirects via header(), that only works while
// output buffering is active — consider moving this block above the first
// output. Nothing here stops execution after the call, so the page relies on
// prompt_auth() not returning for an unauthenticated request — confirm.
if (empty($_SESSION['sAMAccountName'])) {
    prompt_auth($_SERVER['REQUEST_URI']);
}
?>
<head>
<?php include_once $_SERVER['DOCUMENT_ROOT'] . '/app/includes/header.php'; ?>
</head>
<body>
<div class="section">
<div id="branding">
<img src="/public/images/svg/CLC_Logo_Small_PANTONE.svg" style="width:auto;height:10vh;float:left;" alt="clc logo" />
<?php include $_SERVER['DOCUMENT_ROOT'] . '/app/includes/nav.php'; ?>
</div>
<div id="leftpage">
<div id="stats">
<?php
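/**
 * invoke a controller based on the query arguments given
 *
 * this function does not return in case of an error.
 *
 * controller lookup order for arguments foo/bar is: "foo/bar", "foo/*",
 * "*\/bar", "*\/*" (registered in $controllers under the keys "foo-bar",
 * "foo-*", "*-bar", "*-*"); the first registered one wins.
 *
 * @param array $args query-arguments array; $args[0] may be absent, a string
 *   or an array of up to two strings and is normalised to array(arg0, arg1)
 * @return mixed return value of controller that was called
 */
function invoke_controller($args)
{
    global $controllers;

    // change query-arguments so that we always have a arg0 and arg1
    if (!isset($args[0])) {
        $args[0] = array('', '');
    } elseif (is_string($args[0])) {
        $args[0] = array($args[0], '');
    } elseif (is_array($args[0])) {
        // pad short arrays so that indices 0 and 1 always exist (an array
        // with a single element would otherwise trigger an undefined index)
        $args[0] = array(
            isset($args[0][0]) ? $args[0][0] : '',
            isset($args[0][1]) ? $args[0][1] : '',
        );
    }
    $arg0 = $args[0][0];
    $arg1 = $args[0][1];

    // load all modules
    // TODO (later): fastpath for serving cached pages or files (the latter one
    // is only doable when we store in the object file which module to load)
    load_modules();

    // candidate controller keys, most specific first: array(key, reason)
    $candidates = array(
        array($arg0 . '-' . $arg1, $arg0 . '/' . $arg1),
        array($arg0 . '-*', $arg0 . '/*'),
        array('*-' . $arg1, '*/' . $arg1),
        array('*-*', '*/*'),
    );
    $match = false;
    $reason = '';
    foreach ($candidates as $candidate) {
        if (isset($controllers[$candidate[0]])) {
            $match = $controllers[$candidate[0]];
            $reason = $candidate[1];
            break;
        }
    }

    if ($match === false) {
        // normally we won't reach this as some default (*/*) controller will
        // be present
        log_msg('warn', 'controller: no match for ' . quot($arg0 . '/' . $arg1));
        hotglue_error(400);
        // hotglue_error() is not expected to return; bail out in case it does
        return;
    }

    // check authentication for those controllers that require it
    if (!empty($match['auth'])) {
        if (!is_auth()) {
            prompt_auth();
        }
        // also check the referer to prevent against cross site request
        // forgery (xsrf)
        // this is not really optimal, since proxies can filter the referer
        // header (an absent referer is let through), but as a first step..
        if (!empty($_SERVER['HTTP_REFERER'])) {
            $bu = base_url();
            // prefix match; this is only as strict as base_url() itself —
            // NOTE(review): confirm base_url() ends with '/' so that only the
            // site's own origin can match
            if (substr($_SERVER['HTTP_REFERER'], 0, strlen($bu)) !== $bu) {
                log_msg('warn', 'controller: possible xsrf detected, referer is ' . quot($_SERVER['HTTP_REFERER']) . ', arguments ' . var_dump_inl($args));
                hotglue_error(400);
            }
        }
    }

    log_msg('info', 'controller: invoking controller ' . quot($reason) . ' => ' . $match['func']);
    return $match['func']($args);
}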
$err = response('Required argument "method" missing', 400); echo json_encode($err); log_msg('warn', 'json: ' . $err['#data']); die; } load_modules($method); if (!($m = get_service($method))) { $err = response('Unknown method ' . quot($method), 400); echo json_encode($err); log_msg('warn', 'json: ' . $err['#data']); die; } // check authentication if (isset($m['auth']) && $m['auth']) { if (!is_auth()) { prompt_auth(true); } } if (isset($m['cross-origin']) && $m['cross-origin']) { // output cross-origin header if requested header('Access-Controll-Allow-Origin: *'); } else { // otherwise check the referer to make xsrf harder if (!empty($_SERVER['HTTP_REFERER'])) { $bu = base_url(); if (substr($_SERVER['HTTP_REFERER'], 0, strlen($bu)) != $bu) { echo json_encode(response('Cross-origin requests not supported for this method', 400)); log_msg('warn', 'json: possible xsrf detected, referer is ' . quot($_SERVER['HTTP_REFERER']) . ', arguments ' . var_dump_inl($args)); die; } }
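/**
 * implements serve_resource
 *
 * serves the image referenced by an image object, preferring the resized
 * variant unless the original is explicitly requested for download.
 *
 * @param array $args hook arguments; expects 'obj' (the object array) and
 *   optionally 'dl' (truthy when the caller wants a download of the original)
 * @return bool false when the object is not an image or nothing could be
 *   served (serve_file() is expected to take over the response otherwise)
 */
function image_serve_resource($args)
{
    $obj = $args['obj'];
    if (!isset($obj['type']) || $obj['type'] !== 'image') {
        return false;
    }
    // 'dl' may be absent from the hook arguments; treat that like false
    $dl = isset($args['dl']) ? $args['dl'] : false;

    // we don't have to care about symlinks here as they are being resolved
    // before this hook is called
    // (array_shift() takes its argument by reference, so the exploded name
    // must be stored in a variable first)
    $name_parts = expl('.', $obj['name']);
    $pn = array_shift($name_parts);

    // mime types we know how to serve for the resized variant
    $resized_mimes = array(
        'jpg' => 'image/jpeg',
        'jpeg' => 'image/jpeg',
        'png' => 'image/png',
    );

    $has_resized = !empty($obj['image-resized-file']);
    if ($has_resized && !$dl) {
        // we have a resized file and don't want to download the original
        // NOTE(review): the file name is used as stored in the object; this
        // assumes it was validated (no path separators) when it was written
        $fn = CONTENT_DIR . '/' . $pn . '/shared/' . $obj['image-resized-file'];
        $ext = filext($fn);
        if (isset($resized_mimes[$ext])) {
            serve_file($fn, false, $resized_mimes[$ext]);
        } else {
            log_msg('warn', 'image_serve_resource: unsupported image-resized-file ' . quot($fn));
        }
        // if we're still alive it means that the resized file has not been
        // found
        log_msg('warn', 'image_serve_resource: could not serve image-resized-file ' . quot($fn) . ', falling back to original');
    }
    // the original is only guarded when a resized variant exists and the
    // caller explicitly asked for the full-size download
    $need_auth = $has_resized && $dl;

    if (!empty($obj['image-file'])) {
        // we have the original file
        if ($need_auth && !is_auth()) {
            // require authentication
            prompt_auth(true);
        }
        $mime = empty($obj['image-file-mime']) ? '' : $obj['image-file-mime'];
        // NOTE(review): same assumption as above for 'image-file'
        serve_file(CONTENT_DIR . '/' . $pn . '/shared/' . $obj['image-file'], $dl, $mime);
    }

    // if everything fails
    return false;
}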
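/**
 * implements serve_resource
 *
 * serves the file attached to a download object when it is flagged public
 * or the visitor is authenticated (i.e. editing); otherwise prompts for
 * authentication.
 *
 * @param array $args hook arguments; expects 'obj' (the object array) and
 *   optionally 'dl' (passed through to serve_file())
 * @return bool|null false when the object is not a download; otherwise
 *   serve_file() or prompt_auth() is expected to take over the response
 */
function download_serve_resource($args)
{
    $obj = $args['obj'];
    if (!isset($obj['type']) || $obj['type'] !== 'download') {
        return false;
    }
    // 'dl' may be absent from the hook arguments; treat that like false
    $dl = isset($args['dl']) ? $args['dl'] : false;

    $name_parts = expl('.', $obj['name']);
    $pn = $name_parts[0];

    // strict comparison: only the literal string 'public' opens the file up
    $is_public = isset($obj['download-public']) && $obj['download-public'] === 'public';

    // serve the resource only when it's public or we're logged in (i.e. editing)
    if ($is_public || is_auth()) {
        $file = isset($obj['download-file']) ? $obj['download-file'] : '';
        $mime = isset($obj['download-file-mime']) ? $obj['download-file-mime'] : '';
        // NOTE(review): the file name is used as stored in the object; this
        // assumes it was validated (no path separators) when it was written
        serve_file(CONTENT_DIR . '/' . $pn . '/shared/' . $file, $dl, $mime);
    } else {
        // is_auth() is already known to be false on this branch
        prompt_auth(true);
    }
}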