public function execute($request)
{
$request->setRequestFormat('xml');
$this->date = gmdate('Y-m-d\\TH:i:s\\Z');
$this->title = sfconfig::get('app_siteTitle');
$this->description = sfconfig::get('app_siteDescription');
$this->protocolVersion = '2.0';
list($this->earliestDatestamp) = Propel::getConnection()->query('SELECT MIN(' . QubitObject::UPDATED_AT . ') FROM ' . QubitObject::TABLE_NAME)->fetch();
$this->granularity = 'YYYY-MM-DDThh:mm:ssZ';
$this->deletedRecord = 'no';
$this->compression = 'gzip';
$this->path = url_for('oai/oaiAction');
$this->attributes = $this->request->getGetParameters();
$this->attributesKeys = array_keys($this->attributes);
$this->requestAttributes = '';
foreach ($this->attributesKeys as $key) {
$this->requestAttributes .= ' ' . $key . '="' . $this->attributes[$key] . '"';
}
$criteria = new Criteria();
$criteria->add(QubitAclUserGroup::GROUP_ID, QubitAclGroup::ADMINISTRATOR_ID);
$criteria->addJoin(QubitAclUserGroup::USER_ID, QubitUser::ID);
$users = QubitUser::get($criteria);
$this->adminEmail = array();
foreach ($users as $user) {
$this->adminEmail[] = $user->getEmail() . "\n";
}
}
public function controllerChangeAction(sfEvent $event)
{
$controller = $event->getSubject();
if ('sfInstallPlugin' != $event->module) {
return;
}
$credential = $controller->getActionStack()->getLastEntry()->getActionInstance()->getCredential();
if (sfContext::getInstance()->user->hasCredential($credential)) {
return;
}
$criteria = new Criteria();
$criteria->add(QubitAclGroupI18n::NAME, $credential);
$criteria->addJoin(QubitAclGroupI18n::ID, QubitAclGroup::ID);
$criteria->addJoin(QubitAclGroup::ID, QubitAclUserGroup::GROUP_ID);
$criteria->addJoin(QubitAclUserGroup::USER_ID, QubitUser::ID);
// If for any reason the database can't be accessed, e.g.
// * config.php doesn't exist
// * config.php is misconfigured
// * the database is empty
//
// - or if no user exists with the necessary credential, then grant access
// to install actions
//
// This could only present a vulnerability if the database can't be
// accessed, or if no user exists with the necessary credential. If the
// database can't be accessed, then it isn't vulneralbe. The filesystem is
// vulnerable, so we must be careful not to read or write anything
// sensitive. We erase the database, but it isn't vulnerable
//
// Previously we granted sessions access to install actions if config.php
// was missing, because this suggests that someone can access to the
// filesystem - but we didn't link a specific session with access to the
// filesystem, like Gallery login.txt
//
// One vulnerability is that anyone who gains the necessary credential on
// one site, and knows the database username and password of another site,
// can erase that database. To fix this, sessions should be bound to a key
// stored in the database. This is superior to,
// http://trac.symfony-project.org/ticket/5683
//
// If one database can't be accessed, then anyone can reconfigure the
// database username and password, but other databases are safe as long as
// a user exists with the necessary credential
//
// Another vulnerability is that databases with incompatible schemas can be
// erased. To fix this, we must know the database username and password to
// reconfigure it. The currently configured database can be erased if it's
// schema is incombatible, but this isn't a vulnerability
try {
if (1 > count(QubitUser::get($criteria))) {
return;
}
} catch (PropelException $e) {
return;
}
$event->getSubject()->forward(sfConfig::get('sf_secure_module'), sfConfig::get('sf_secure_action'));
throw new sfStopException();
}
/**
* Admin email finder
*
* @return string the administrator email
*/
public static function getAdminEmail()
{
$criteria = new Criteria();
$criteria->addJoin(QubitUser::ID, QubitUserRoleRelation::USER_ID);
$criteria->addJoin(QubitUserRoleRelation::ROLE_ID, QubitRole::ID);
$criteria->add(QubitRole::NAME, 'administrator');
$criteria->addAscendingOrderByColumn(QubitUser::ID);
$users = QubitUser::get($criteria);
return trim($users[0]->getEmail());
}
public function execute($request)
{
$request->setRequestFormat('xml');
$this->date = gmdate('Y-m-d\\TH:i:s\\Z');
$this->path = $this->request->getUriPrefix() . $this->request->getPathInfo();
$this->attributes = $this->request->getGetParameters();
$this->attributesKeys = array_keys($this->attributes);
$this->requestAttributes = '';
foreach ($this->attributesKeys as $key) {
$this->requestAttributes .= ' ' . $key . '="' . $this->attributes[$key] . '"';
}
$criteria = new Criteria();
$criteria->addJoin(QubitUser::ID, QubitUserRoleRelation::USER_ID);
$criteria->addJoin(QubitUserRoleRelation::ROLE_ID, QubitRole::ID);
$criteria->add(QubitRole::NAME, 'administrator');
$users = QubitUser::get($criteria);
$this->adminEmail = array();
foreach ($users as $user) {
$this->adminEmail[] = $user->getEmail() . "\n";
}
}
