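 /**
  * Builds the OAI-PMH "Identify" response.
  *
  * Fills the template variables (response date, site title/description,
  * protocol version, earliest record datestamp, granularity, compression,
  * base URL, administrator e-mails) and echoes the incoming GET parameters
  * back as attributes of the <request> element.
  *
  * @param sfWebRequest $request the current request
  */
 public function execute($request)
 {
     $request->setRequestFormat('xml');
     $this->date = gmdate('Y-m-d\\TH:i:s\\Z');
     $this->title = sfConfig::get('app_siteTitle');
     $this->description = sfConfig::get('app_siteDescription');
     $this->protocolVersion = '2.0';
     // Oldest updated_at over all objects; the SQL is built from class
     // constants only, no request data is interpolated.
     list($this->earliestDatestamp) = Propel::getConnection()->query('SELECT MIN(' . QubitObject::UPDATED_AT . ') FROM ' . QubitObject::TABLE_NAME)->fetch();
     $this->granularity = 'YYYY-MM-DDThh:mm:ssZ';
     $this->deletedRecord = 'no';
     $this->compression = 'gzip';
     $this->path = url_for('oai/oaiAction');
     $this->attributes = $this->request->getGetParameters();
     $this->attributesKeys = array_keys($this->attributes);
     // The query-string parameters are client-controlled and end up inside an
     // XML attribute, so both name and value are escaped; otherwise a quote in
     // a value closes the attribute and injects markup into the response.
     // (A key that is not a valid XML name still yields malformed XML;
     // escaping cannot repair the name itself.)
     $this->requestAttributes = '';
     foreach ($this->attributesKeys as $key) {
         $this->requestAttributes .= sprintf(
             ' %s="%s"',
             htmlspecialchars((string) $key, ENT_QUOTES, 'UTF-8'),
             htmlspecialchars((string) $this->attributes[$key], ENT_QUOTES, 'UTF-8')
         );
     }
     // Every member of the administrator ACL group is listed as an adminEmail.
     $criteria = new Criteria();
     $criteria->add(QubitAclUserGroup::GROUP_ID, QubitAclGroup::ADMINISTRATOR_ID);
     $criteria->addJoin(QubitAclUserGroup::USER_ID, QubitUser::ID);
     $users = QubitUser::get($criteria);
     $this->adminEmail = array();
     foreach ($users as $user) {
         $this->adminEmail[] = $user->getEmail() . "\n";
     }
 }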
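 /**
  * Evaluates this ACL rule against a user/object/action triple.
  *
  * The rule applies when the user is the rule's user (or belongs to the
  * rule's group), the object and action ids match, and the rule's
  * conditional evaluates true for $parameters.
  *
  * @param int   $userId     id of the user being checked
  * @param int   $objectId   id of the object being accessed
  * @param int   $actionId   id of the requested action
  * @param array $parameters extra values handed to evaluateConditional()
  *
  * @return mixed the rule's grantDeny value when the rule applies, null otherwise
  */
 public function check($userId, $objectId, $actionId, $parameters = array())
 {
     // Cheapest checks first: the id comparisons need no database round trip.
     if ($objectId != $this->objectId || $actionId != $this->actionId) {
         return null;
     }
     $userMatches = $userId == $this->userId;
     if (!$userMatches) {
         // getById() may return null for an unknown id; treat that as "not a
         // group member" instead of fataling on a null method call.
         $user = QubitUser::getById($userId);
         $userMatches = null !== $user && $user->hasGroup($this->groupId);
     }
     if (!$userMatches || !$this->evaluateConditional($parameters)) {
         return null;
     }
     return $this->grantDeny;
 }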
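 /**
  * Looks up a user by e-mail address and verifies the supplied password.
  *
  * @param string      $username the account's e-mail address
  * @param string      $password the clear-text password to verify
  * @param string|null $error    set to 'invalid username' or 'invalid password'
  *                              on failure, null on success
  *
  * @return QubitUser|null the matching user on success, null otherwise
  */
 public static function checkCredentials($username, $password, &$error)
 {
     $error = null;
     // anonymous is not a real user
     if ('anonymous' === (string) $username) {
         $error = 'invalid username';
         return null;
     }
     $criteria = new Criteria();
     $criteria->add(QubitUser::EMAIL, $username);
     $user = QubitUser::getOne($criteria);
     // user account exists?
     if (null === $user) {
         $error = 'invalid username';
         return null;
     }
     // password is OK? Compare the digests in constant time: `==` would treat
     // two "0e..." digests as numerically equal, and an early-exit string
     // compare leaks timing information about the stored digest.
     // NOTE(review): salted SHA-1 predates password_hash(); migrating the stored
     // digests is a separate change.
     $expected = (string) $user->getSha1Password();
     $actual = sha1($user->getSalt() . $password);
     if (!hash_equals($expected, $actual)) {
         $error = 'invalid password';
         return null;
     }
     return $user;
 }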
 /**
  * Guards the sfInstallPlugin actions.
  *
  * Listener for the controller.change_action event. Outside the install
  * module it does nothing. Inside it, the request proceeds when the session
  * already holds the action's credential, or when no user in the database
  * holds that credential (or the database can't be read at all); otherwise
  * the request is forwarded to the secure module/action and stopped.
  *
  * @param sfEvent $event the controller.change_action event
  *
  * @throws sfStopException after forwarding an unauthorised request
  */
 public function controllerChangeAction(sfEvent $event)
 {
     if ('sfInstallPlugin' != $event->module) {
         return;
     }
     $controller = $event->getSubject();
     $actionInstance = $controller->getActionStack()->getLastEntry()->getActionInstance();
     $credential = $actionInstance->getCredential();
     if (sfContext::getInstance()->user->hasCredential($credential)) {
         return;
     }
     // Does any user at all hold this credential?
     $criteria = new Criteria();
     $criteria->add(QubitAclGroupI18n::NAME, $credential);
     $criteria->addJoin(QubitAclGroupI18n::ID, QubitAclGroup::ID);
     $criteria->addJoin(QubitAclGroup::ID, QubitAclUserGroup::GROUP_ID);
     $criteria->addJoin(QubitAclUserGroup::USER_ID, QubitUser::ID);
     // If for any reason the database can't be accessed, e.g.
     //  * config.php doesn't exist
     //  * config.php is misconfigured
     //  * the database is empty
     // - or if no user exists with the necessary credential, then grant access
     // to install actions.
     //
     // This is only exploitable when the database can't be accessed, or when
     // no user holds the necessary credential. If the database can't be
     // accessed it isn't vulnerable; the filesystem is, so nothing sensitive
     // may be read or written here. The installer erases the database, but
     // that isn't a vulnerability either.
     //
     // Previously sessions were granted access to install actions when
     // config.php was missing, because that suggests filesystem access - but
     // no specific session was tied to filesystem access (unlike Gallery's
     // login.txt).
     //
     // Known weakness: anyone who gains the necessary credential on one site
     // and knows the database username and password of another site can erase
     // that database. Binding sessions to a key stored in the database would
     // fix this, and is preferable to
     // http://trac.symfony-project.org/ticket/5683
     //
     // If one database can't be accessed, anyone can reconfigure its username
     // and password, but other databases stay safe as long as a user with the
     // necessary credential exists there.
     //
     // Another weakness: databases with an incompatible schema can be erased.
     // Requiring the database username and password to reconfigure it would
     // fix this. The currently configured database can be erased if its
     // schema is incompatible, but that isn't a vulnerability.
     try {
         $holders = count(QubitUser::get($criteria));
     } catch (PropelException $e) {
         return;
     }
     if ($holders < 1) {
         return;
     }
     $controller->forward(sfConfig::get('sf_secure_module'), sfConfig::get('sf_secure_action'));
     throw new sfStopException();
 }
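 /**
  * Admin email finder
  *
  * Returns the e-mail address of the lowest-id user holding the
  * 'administrator' role.
  *
  * @return string the administrator email, or '' when no administrator exists
  */
 public static function getAdminEmail()
 {
     $criteria = new Criteria();
     $criteria->addJoin(QubitUser::ID, QubitUserRoleRelation::USER_ID);
     $criteria->addJoin(QubitUserRoleRelation::ROLE_ID, QubitRole::ID);
     $criteria->add(QubitRole::NAME, 'administrator');
     $criteria->addAscendingOrderByColumn(QubitUser::ID);
     $users = QubitUser::get($criteria);
     // Without this guard an empty result (e.g. a site with no administrator
     // yet) fatals on $users[0]->getEmail().
     if (1 > count($users)) {
         return '';
     }
     return trim((string) $users[0]->getEmail());
 }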
 /**
  * Install wizard step: site title/description and the first administrator.
  *
  * Builds the form; on a valid POST it stores the two site settings, creates
  * the user, adds it to the administrator ACL group and redirects to the
  * clearCache action.
  *
  * @param sfWebRequest $request the current request
  */
 public function execute($request)
 {
     $this->form = new sfForm();
     $required = array('required' => true);
     // field name => array(validator, widget)
     $fields = array(
         'confirmPassword' => array(new sfValidatorString($required), new sfWidgetFormInputPassword()),
         'email' => array(new sfValidatorEmail($required), new sfWidgetFormInput()),
         'password' => array(new sfValidatorString($required), new sfWidgetFormInputPassword()),
         'siteDescription' => array(new sfValidatorString(), new sfWidgetFormInput()),
         'siteTitle' => array(new sfValidatorString($required), new sfWidgetFormInput()),
         'username' => array(new sfValidatorString($required), new sfWidgetFormInput()),
     );
     foreach ($fields as $name => $pair) {
         list($validator, $widget) = $pair;
         $this->form->setValidator($name, $validator);
         $this->form->setWidget($name, $widget);
     }
     // Both password fields must agree.
     $this->form->getValidatorSchema()->setPostValidator(new sfValidatorSchemaCompare('password', '==', 'confirmPassword'));
     if (!$request->isMethod('post')) {
         return;
     }
     $this->form->bind($request->getPostParameters());
     if (!$this->form->isValid()) {
         return;
     }
     foreach (array('siteTitle', 'siteDescription') as $settingName) {
         $setting = new QubitSetting();
         $setting->name = $settingName;
         $setting->value = $this->form->getValue($settingName);
         $setting->save();
     }
     $user = new QubitUser();
     $user->username = $this->form->getValue('username');
     $user->email = $this->form->getValue('email');
     $user->setPassword($this->form->getValue('password'));
     $user->save();
     // The first account created by the installer is an administrator.
     $aclUserGroup = new QubitAclUserGroup();
     $aclUserGroup->userId = $user->id;
     $aclUserGroup->groupId = QubitAclGroup::ADMINISTRATOR_ID;
     $aclUserGroup->save();
     $this->redirect(array('module' => 'sfInstallPlugin', 'action' => 'clearCache'));
 }
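 /**
  * Coarse module-level permission check.
  *
  * @param myUser $sfUser  the session user
  * @param array  $options expects 'module'; for the user module also 'action'
  *
  * @return bool true when the session user may access the module
  */
 public static function hasPermission($sfUser, array $options = array())
 {
     $qubitUser = QubitUser::getById($sfUser->getUserId());
     if (!$qubitUser) {
         return false;
     }
     // Credentials that unlock each module; holding any one of them suffices
     // (hence the `false` passed to hasCredential()).
     $credentialsByModule = array(
         'informationobject' => array('administrator', 'editor', 'contributor'),
         'actor' => array('administrator', 'editor', 'contributor'),
         'repository' => array('administrator', 'editor', 'contributor'),
         'term' => array('administrator', 'editor'),
         'staticpage' => array('administrator', 'translator'),
         'user' => array('administrator'),
     );
     $module = isset($options['module']) ? $options['module'] : null;
     // Missing or unknown module: deny rather than guess.
     if (!is_string($module) || !isset($credentialsByModule[$module])) {
         return false;
     }
     if ($sfUser->hasCredential($credentialsByModule[$module], false)) {
         return true;
     }
     // Non-administrators may still view (but not edit) user profiles.
     return 'user' === $module && isset($options['action']) && 'show' === $options['action'];
 }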
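 /**
  * HTTP Basic authentication filter.
  *
  * On the first call it challenges the client (via sendHeaders()) when no
  * credentials were sent or when they don't verify; otherwise it builds a
  * session-less authenticated myUser and stores it on the request for later
  * actions. The chain continues only after a successful check.
  *
  * @param sfFilterChain $filterChain the chain to continue on success
  */
 public function execute($filterChain)
 {
     if ($this->isFirstCall()) {
         if (!isset($_SERVER['PHP_AUTH_USER'])) {
             // No credentials at all: challenge and stop the request outright.
             $this->sendHeaders();
             exit;
         }
         $username = $_SERVER['PHP_AUTH_USER'];
         // A client may send a user name without a password; read it
         // defensively instead of tripping an undefined-index notice.
         $password = isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : '';
         $error = null;
         if (null === QubitUser::checkCredentials($username, $password, $error)) {
             // Bad credentials: re-challenge; the chain is not continued.
             $this->sendHeaders();
             return;
         }
         // authenticate() verifies the same pair again (presumably through
         // checkCredentials()); the check above only decides whether to
         // challenge.
         $user = new myUser(new sfEventDispatcher(), new sfNoStorage());
         $user->authenticate($username, $password);
         // We'll need username/email details later
         sfContext::getInstance()->request->setAttribute('user', $user);
     }
     $filterChain->execute();
 }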
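 /**
  * Builds the OAI-PMH "Identify" response.
  *
  * Fills the response date, base URL and administrator e-mails, and echoes
  * the incoming GET parameters back as attributes of the <request> element.
  *
  * @param sfWebRequest $request the current request
  */
 public function execute($request)
 {
     $request->setRequestFormat('xml');
     $this->date = gmdate('Y-m-d\\TH:i:s\\Z');
     $this->path = $this->request->getUriPrefix() . $this->request->getPathInfo();
     $this->attributes = $this->request->getGetParameters();
     $this->attributesKeys = array_keys($this->attributes);
     // The query-string parameters are client-controlled and end up inside an
     // XML attribute, so both name and value are escaped; otherwise a quote in
     // a value closes the attribute and injects markup into the response.
     // (A key that is not a valid XML name still yields malformed XML;
     // escaping cannot repair the name itself.)
     $this->requestAttributes = '';
     foreach ($this->attributesKeys as $key) {
         $this->requestAttributes .= sprintf(
             ' %s="%s"',
             htmlspecialchars((string) $key, ENT_QUOTES, 'UTF-8'),
             htmlspecialchars((string) $this->attributes[$key], ENT_QUOTES, 'UTF-8')
         );
     }
     // Every user holding the 'administrator' role is listed as an adminEmail.
     $criteria = new Criteria();
     $criteria->addJoin(QubitUser::ID, QubitUserRoleRelation::USER_ID);
     $criteria->addJoin(QubitUserRoleRelation::ROLE_ID, QubitRole::ID);
     $criteria->add(QubitRole::NAME, 'administrator');
     $users = QubitUser::get($criteria);
     $this->adminEmail = array();
     foreach ($users as $user) {
         $this->adminEmail[] = $user->getEmail() . "\n";
     }
 }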
 /**
  * Shared set-up for the user edit action.
  *
  * Allows extra form fields, adds the password/confirmPassword comparison
  * with a translated message, resolves the resource from the route (a fresh
  * QubitUser when the route carries none), pre-loads the resource's ACL
  * permissions indexed by repository id, object id and action, and lists the
  * basic (non-translate) information object actions.
  */
 protected function earlyExecute()
 {
     $schema = $this->form->getValidatorSchema();
     $schema->setOption('allow_extra_fields', true);
     $mismatchMessage = $this->context->i18n->__('Your password confirmation did not match you password.');
     $schema->setPostValidator(new sfValidatorSchemaCompare('password', '==', 'confirmPassword', array(), array('invalid' => $mismatchMessage)));
     $route = $this->getRoute();
     $this->resource = new QubitUser();
     if (isset($route->resource)) {
         $this->resource = $route->resource;
     }
     // HACK: because $this->user->getAclPermissions() is erroneously calling
     // QubitObject::getaclPermissionsById()
     $this->permissions = null;
     if (isset($this->resource->id)) {
         $query = QubitUser::getaclPermissionsById($this->resource->id, array('self' => $this));
         foreach ($query->orderBy('constants')->orderBy('object_id') as $permission) {
             $repositoryId = $permission->getConstants(array('name' => 'repositoryId'));
             $this->permissions[$repositoryId][$permission->objectId][$permission->action] = $permission->grantDeny;
         }
     }
     // List of actions without translate
     $this->basicActions = QubitInformationObjectAcl::$ACTIONS;
     unset($this->basicActions['translate']);
 }
<?php

require_once dirname(__FILE__) . '/../../bootstrap/functional.php';

$browser = new sfTestFunctional(new sfBrowser());

// Fixture: a throw-away account shared by every scenario below (the
// credential values are redacted in this listing).
$user = new QubitUser();
$user->username = '******';
$user->email = '*****@*****.**';
$user->setPassword('test1234');
$user->save();

// Scenario: a correct login authenticates the session and exposes the
// QubitUser on myUser; logging out clears it again.
$browser->info('Log in')
    ->post(';user/login', array('email' => '*****@*****.**', 'password' => 'test1234'))
    ->with('request')->begin()
        ->isParameter('module', 'user')
        ->isParameter('action', 'login')
    ->end();
$browser->test()->ok($browser->getUser()->isAuthenticated(), 'User is authenticated');
$browser->test()->isa_ok($browser->getUser()->user, 'QubitUser', 'myUser->user is QubitUser');
$browser->info('Log out')
    ->get('/')
    ->with('request')->begin()
        ->isParameter('module', 'staticpage')
        ->isParameter('action', 'static')
    ->end()
    ->click('Log out')
    ->with('request')->begin()
        ->isParameter('module', 'user')
        ->isParameter('action', 'logout')
    ->end();
$browser->test()->ok(!$browser->getUser()->isAuthenticated(), 'User isn\'t authenticated');

// Scenario: a wrong password leaves the session unauthenticated.
$browser = new sfTestFunctional(new sfBrowser());
$browser->info('Incorrect log in')
    ->post(';user/login', array('email' => '*****@*****.**', 'password' => 'wrongpass'))
    ->with('request')->begin()
        ->isParameter('module', 'user')
        ->isParameter('action', 'login')
    ->end();
$browser->test()->ok(!$browser->getUser()->isAuthenticated(), 'User isn\'t authenticated');
$browser->test()->is($browser->getUser()->user, null, 'myUser->user is null');

// Scenario: a "next" parameter pointing at localhost (issue 1342) does not
// break the login.
$browser = new sfTestFunctional(new sfBrowser());
$browser->info('"localhost" "next" parameter, issue 1342')
    ->post(';user/login', array('email' => '*****@*****.**', 'password' => 'test1234', 'next' => 'http://localhost/example'))
    ->with('request')->begin()
        ->isParameter('module', 'user')
        ->isParameter('action', 'login')
    ->end();
$browser->test()->ok($browser->getUser()->isAuthenticated(), 'User is authenticated');
$browser->test()->isa_ok($browser->getUser()->user, 'QubitUser', 'myUser->user is QubitUser');

// Scenario: an empty "next" parameter does not break the login either.
$browser = new sfTestFunctional(new sfBrowser());
$browser->info('Empty "next" parameter')
    ->post(';user/login', array('email' => '*****@*****.**', 'password' => 'test1234', 'next' => ''))
    ->with('request')->begin()
        ->isParameter('module', 'user')
        ->isParameter('action', 'login')
    ->end();
$browser->test()->ok($browser->getUser()->isAuthenticated(), 'User is authenticated');
$browser->test()->isa_ok($browser->getUser()->user, 'QubitUser', 'myUser->user is QubitUser');

// Clean up the fixture account.
$user->delete();
ファイル: dcTest.php プロジェクト: nurfiantara/ehri-ica-atom
<?php

include dirname(__FILE__) . '/../../bootstrap/functional.php';

$browser = new sfTestFunctional(new sfBrowser());

// Fixture: an administrator account with random throw-away credentials,
// logged in through the regular login form.
$email = rand() . '@example.com';
$password = rand();
$user = new QubitUser();
$user->email = $email;
$user->setPassword($password);
$user->save();
$relation = new QubitUserRoleRelation();
$relation->userId = $user->id;
$relation->roleId = QubitRole::ADMINISTRATOR_ID;
$relation->save();
$browser->post(';user/login', array('login' => array('email' => $email, 'password' => $password)));

// Fixture: a top-level information object with random field values, so the
// DC output can be matched against known content.
$scopeAndContent = rand();
$identifier = rand();
$title = rand();
$informationObject = new QubitInformationObject();
$informationObject->parentId = QubitInformationObject::ROOT_ID;
$informationObject->scopeAndContent = $scopeAndContent;
$informationObject->identifier = $identifier;
$informationObject->title = $title;
$informationObject->save();

// Fetch the Dublin Core XML rendering, then drop the fixtures before
// inspecting the response.
$browser->get('/' . $informationObject->id . ';dc?sf_format=xml');
$user->delete();
$informationObject->delete();

$doc = new DOMDocument();
$doc->loadXML($browser->getResponse()->getContent());
$xpath = new DOMXPath($doc);
$xpath->registerNamespace('dc', 'http://purl.org/dc/elements/1.1/');
 /**
  * Signs the session in when the e-mail/password pair verifies.
  *
  * The pseudo-user "anonymous" can never authenticate.
  *
  * @param string $username the account's e-mail address
  * @param string $password the clear-text password
  *
  * @return bool true when the user was signed in
  */
 public function authenticate($username, $password)
 {
     // anonymous is not a real user
     if ('anonymous' == $username) {
         return false;
     }
     $account = QubitUser::checkCredentials($username, $password, $error);
     // user account exists and password verified?
     if (null === $account) {
         return false;
     }
     $this->signIn($account);
     return true;
 }
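 /**
  * Updates user's access privileges from Shibboleth data
  *
  * Reads the isMemberOf attribute the Shibboleth SP exposes in the server
  * environment, compares it with the group lists configured under
  * app_shibboleth_*_groups, and adds the user to / removes the user from the
  * corresponding ACL groups so the ACL state mirrors the IdP's groups.
  *
  * @param sfWebRequest $request the current web request
  * @param QubitUser    $user    the current user
  *
  * @return bool always true
  */
 protected function updateUserFromShibInfo($request, $user)
 {
     $params = $request->getPathInfoArray();
     // A missing attribute means "member of no group": the user is then
     // removed from every mapped ACL group below, which is the safe direction.
     $isMemberOf = isset($params['isMemberOf']) ? explode(';', $params['isMemberOf']) : array();
     // Drop empty entries (trailing ';' or an unset setting). Without this an
     // empty configured list and an empty isMemberOf entry intersect on '',
     // which would grant the group to everyone.
     $isMemberOf = array_values(array_filter($isMemberOf, 'strlen'));
     // read group mapping from config file
     $configKeys = array(
         'ADMINISTRATOR_ID' => 'app_shibboleth_administrator_groups',
         'EDITOR_ID' => 'app_shibboleth_editor_groups',
         'CONTRIBUTOR_ID' => 'app_shibboleth_contributor_groups',
         'TRANSLATOR_ID' => 'app_shibboleth_translator_groups',
     );
     // for each privilege class, check whether the current user should have it
     // and assign it if not yet assigned; revoke it otherwise
     foreach ($configKeys as $constantName => $configKey) {
         $groupId = constant("QubitAclGroup::{$constantName}");
         $mappedGroups = explode(';', (string) sfConfig::get($configKey));
         $mappedGroups = array_filter($mappedGroups, 'strlen');
         $shouldBeMember = 0 < count(array_intersect($mappedGroups, $isMemberOf));
         $isMember = $user->hasGroup($groupId);
         if ($shouldBeMember && !$isMember) {
             $aclUserGroup = new QubitAclUserGroup();
             $aclUserGroup->userId = $user->id;
             $aclUserGroup->groupId = $groupId;
             $aclUserGroup->save();
         } elseif (!$shouldBeMember && $isMember) {
             // remove the user from groups he should not be in
             foreach ($user->aclUserGroups as $membership) {
                 if ($membership->groupId == $groupId) {
                     $membership->delete();
                 }
             }
         }
     }
     return true;
 }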
?>
</h1>

<div class="messages error">
  <?php 
// %1%..%4% are filled in by __(); nothing here escapes the repository name
// or the generated URLs itself. NOTE(review): this relies on the view's
// output escaping (escaping_strategy) wrapping $resource - confirm it is
// enabled for this template.
echo __('The upload limit of %1% GB for <a href="%2%">%3%</a> has been exceeded (%4% GB currently used)', array('%1%' => $resource->uploadLimit, '%2%' => url_for(array($resource, 'module' => 'repository')), '%3%' => $resource->__toString(), '%4%' => $resource->getDiskUsage(array('units' => 'G'))));
?>
</div>

<div>
  <?php 
// Label comes from configuration, not from the request.
echo __('To upload a new %1%', array('%1%' => strtolower(sfConfig::get('app_ui_label_digitalobject'))));
?>
  <ul>
    <li><?php 
// Administrator address is read from the database; see the same caveat on
// escaping above.
echo __('Email your <a href="mailto:%1%">system administrator</a> and request a larger upload limit', array('%1%' => QubitUser::getSystemAdmin()->email));
?>
</li>
    <li><?php 
// The search query embeds the repository slug in the URL; url_for() is
// presumed to URL-encode it - verify.
echo __('Delete an <a href="%1%">existing %2%</a> to reduce disk usage', array('%1%' => url_for(array(null, 'module' => 'search', 'query' => '+repositorySlug:' . $resource->slug . ' +hasDigitalObject:true')), '%2%' => strtolower(sfConfig::get('app_ui_label_digitalobject'))));
?>
</li>
  </ul>
</div>

<div class="actions section">

  <h2 class="element-invisible"><?php 
echo __('Actions');
?>
</h2>