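/**
 * OAI-PMH Identify response: gathers the repository description and the
 * echoed request attributes for the XML template.
 *
 * @param sfWebRequest $request the current request; its format is forced to xml
 */
public function execute($request)
{
  $request->setRequestFormat('xml');

  $this->date = gmdate('Y-m-d\\TH:i:s\\Z');
  $this->title = sfConfig::get('app_siteTitle');
  $this->description = sfConfig::get('app_siteDescription');
  $this->protocolVersion = '2.0';

  // Oldest updated_at over every object; Identify reports it as earliestDatestamp
  list($this->earliestDatestamp) = Propel::getConnection()
    ->query('SELECT MIN(' . QubitObject::UPDATED_AT . ') FROM ' . QubitObject::TABLE_NAME)
    ->fetch();

  $this->granularity = 'YYYY-MM-DDThh:mm:ssZ';
  $this->deletedRecord = 'no';
  $this->compression = 'gzip';
  $this->path = url_for('oai/oaiAction');

  // The query string is echoed back as attributes of the <request> element.
  // Keys and values are client-controlled, so both are escaped for an XML
  // attribute context; concatenating them raw let a crafted query string close
  // the attribute and inject markup into the response.
  $this->attributes = $this->request->getGetParameters();
  $this->attributesKeys = array_keys($this->attributes);
  $this->requestAttributes = '';
  foreach ($this->attributesKeys as $key)
  {
    $value = $this->attributes[$key];

    // Array parameters (foo[]=1) have no attribute representation; skip them
    if (!is_scalar($value))
    {
      continue;
    }

    $this->requestAttributes .= ' ' . htmlspecialchars($key, ENT_QUOTES, 'UTF-8')
      . '="' . htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8') . '"';
  }

  // Contact addresses: every member of the administrator group
  $criteria = new Criteria();
  $criteria->add(QubitAclUserGroup::GROUP_ID, QubitAclGroup::ADMINISTRATOR_ID);
  $criteria->addJoin(QubitAclUserGroup::USER_ID, QubitUser::ID);
  $users = QubitUser::get($criteria);

  $this->adminEmail = array();
  foreach ($users as $user)
  {
    $this->adminEmail[] = $user->getEmail() . "\n";
  }
}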
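/**
 * Evaluates this permission rule against a user/object/action triple.
 *
 * The rule applies when the user is the rule's user or belongs to the rule's
 * group, the object and action match, and the rule's conditional holds.
 *
 * @param int   $userId     id of the user being checked
 * @param int   $objectId   id of the object being accessed
 * @param int   $actionId   id of the requested action
 * @param array $parameters passed through to evaluateConditional()
 *
 * @return mixed the rule's grantDeny value when the rule applies, null otherwise
 */
public function check($userId, $objectId, $actionId, $parameters = array())
{
  $user = QubitUser::getById($userId);

  // An unknown user id yields null; only consult group membership when a user
  // was actually found (dereferencing null here was a fatal error before)
  $userMatches = $userId == $this->userId
    || (null !== $user && $user->hasGroup($this->groupId));

  if ($userMatches
    && $objectId == $this->objectId
    && $actionId == $this->actionId
    && $this->evaluateConditional($parameters))
  {
    return $this->grantDeny;
  }

  return null;
}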
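/**
 * Looks up a user by e-mail address and verifies the supplied password.
 *
 * @param string      $username e-mail address used as the login name
 * @param string      $password clear-text password supplied by the caller
 * @param string|null &$error   set to 'invalid username' or 'invalid password'
 *                              when the credentials are rejected, null otherwise
 *
 * @return QubitUser|null the matching user, or null when the credentials are rejected
 */
public static function checkCredentials($username, $password, &$error)
{
  $error = null;

  // anonymous is not a real user
  if ('anonymous' === $username)
  {
    $error = 'invalid username';

    return null;
  }

  $criteria = new Criteria();
  $criteria->add(QubitUser::EMAIL, $username);
  $user = QubitUser::getOne($criteria);

  // user account exists?
  if (null === $user)
  {
    $error = 'invalid username';

    return null;
  }

  // Compare the digests with hash_equals(): the previous == comparison treated
  // two digests of the form "0e<digits>" as equal numeric strings and was not
  // constant-time. A missing stored digest never verifies.
  $stored = $user->getSha1Password();
  if (!is_string($stored) || !hash_equals($stored, sha1($user->getSalt() . $password)))
  {
    $error = 'invalid password';

    return null;
  }

  return $user;
}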
/**
 * controller.change_action listener guarding the sfInstallPlugin actions.
 *
 * Install actions stay reachable while no user holds the credential the
 * action requires, or while the database cannot be queried at all. As soon as
 * such a user exists, a session without the credential is forwarded to the
 * secure action.
 *
 * @param sfEvent $event the controller.change_action event
 *
 * @throws sfStopException after forwarding to the secure action
 */
public function controllerChangeAction(sfEvent $event)
{
  // Only install actions are guarded here
  if ('sfInstallPlugin' != $event->module)
  {
    return;
  }

  $controller = $event->getSubject();
  $actionInstance = $controller->getActionStack()->getLastEntry()->getActionInstance();
  $credential = $actionInstance->getCredential();

  // The session already holds the credential: nothing to enforce
  if (sfContext::getInstance()->user->hasCredential($credential))
  {
    return;
  }

  // Does any user belong to a group whose name equals the credential?
  $criteria = new Criteria();
  $criteria->add(QubitAclGroupI18n::NAME, $credential);
  $criteria->addJoin(QubitAclGroupI18n::ID, QubitAclGroup::ID);
  $criteria->addJoin(QubitAclGroup::ID, QubitAclUserGroup::GROUP_ID);
  $criteria->addJoin(QubitAclUserGroup::USER_ID, QubitUser::ID);

  // Access policy for install actions:
  //
  // If the database cannot be accessed (config.php missing or misconfigured,
  // empty database, ...) or no user holds the required credential, install
  // actions are left open. This is only a concern when the database is
  // unreachable or no privileged user exists; an unreachable database is not
  // itself at risk. The filesystem is, so install actions must not read or
  // write anything sensitive. They may erase the database, which is not at
  // risk in that state.
  //
  // Earlier versions opened install actions whenever config.php was missing,
  // on the assumption that this implies filesystem access, but never tied a
  // specific session to that access the way Gallery's login.txt does.
  //
  // Known gap: whoever holds the credential on one site and knows the database
  // username and password of another site can erase that other database.
  // Binding sessions to a key stored in the database would close it, which is
  // superior to http://trac.symfony-project.org/ticket/5683: if one database
  // cannot be accessed, anyone can reconfigure its username and password, but
  // other databases stay safe as long as a privileged user exists.
  //
  // Second gap: databases with incompatible schemas can be erased. The fix is
  // to require the database username and password before reconfiguring it.
  // Erasing the currently configured database when its schema is incompatible
  // is accepted.
  try
  {
    $privilegedUserExists = count(QubitUser::get($criteria)) > 0;
  }
  catch (PropelException $e)
  {
    // Database unreachable: treated like "no privileged user", see above
    $privilegedUserExists = false;
  }

  if (!$privilegedUserExists)
  {
    return;
  }

  $controller->forward(sfConfig::get('sf_secure_module'), sfConfig::get('sf_secure_action'));

  throw new sfStopException();
}
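/**
 * Admin email finder
 *
 * Returns the e-mail address of the administrator with the lowest user id.
 *
 * @return string|null the administrator email, or null when no user holds the
 *                     administrator role (previously a missing first result
 *                     was dereferenced and caused a fatal error)
 */
public static function getAdminEmail()
{
  $criteria = new Criteria();
  $criteria->addJoin(QubitUser::ID, QubitUserRoleRelation::USER_ID);
  $criteria->addJoin(QubitUserRoleRelation::ROLE_ID, QubitRole::ID);
  $criteria->add(QubitRole::NAME, 'administrator');

  // Lowest id first so repeated calls return the same administrator
  $criteria->addAscendingOrderByColumn(QubitUser::ID);

  $users = QubitUser::get($criteria);

  if (!isset($users[0]))
  {
    return null;
  }

  return trim($users[0]->getEmail());
}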
/**
 * Install step: site title/description and the first administrator account.
 *
 * Builds the form, and on a valid POST stores the two site settings, creates
 * the user, places it in the administrator group and redirects to the
 * cache-clearing step.
 *
 * @param sfWebRequest $request
 */
public function execute($request)
{
  $this->form = new sfForm();

  // Fields in registration order: validator, widget
  $required = array('required' => true);
  $fields = array(
    'confirmPassword' => array(new sfValidatorString($required), new sfWidgetFormInputPassword()),
    'email' => array(new sfValidatorEmail($required), new sfWidgetFormInput()),
    'password' => array(new sfValidatorString($required), new sfWidgetFormInputPassword()),
    'siteDescription' => array(new sfValidatorString(), new sfWidgetFormInput()),
    'siteTitle' => array(new sfValidatorString($required), new sfWidgetFormInput()),
    'username' => array(new sfValidatorString($required), new sfWidgetFormInput()));

  foreach ($fields as $name => $pair)
  {
    list($validator, $widget) = $pair;
    $this->form->setValidator($name, $validator);
    $this->form->setWidget($name, $widget);
  }

  // Both password fields must agree
  $this->form->getValidatorSchema()->setPostValidator(new sfValidatorSchemaCompare('password', '==', 'confirmPassword'));

  if (!$request->isMethod('post'))
  {
    return;
  }

  $this->form->bind($request->getPostParameters());
  if (!$this->form->isValid())
  {
    return;
  }

  foreach (array('siteTitle', 'siteDescription') as $name)
  {
    $setting = new QubitSetting();
    $setting->name = $name;
    $setting->value = $this->form->getValue($name);
    $setting->save();
  }

  // First account, made an administrator
  $user = new QubitUser();
  $user->username = $this->form->getValue('username');
  $user->email = $this->form->getValue('email');
  $user->setPassword($this->form->getValue('password'));
  $user->save();

  $aclUserGroup = new QubitAclUserGroup();
  $aclUserGroup->userId = $user->id;
  $aclUserGroup->groupId = QubitAclGroup::ADMINISTRATOR_ID;
  $aclUserGroup->save();

  $this->redirect(array('module' => 'sfInstallPlugin', 'action' => 'clearCache'));
}
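/**
 * Checks whether the session user may work within a module.
 *
 * @param sfUser $sfUser  the session user; must map to an existing QubitUser
 * @param array  $options 'module' (required) and, for the user module, 'action'
 *
 * @return bool
 */
public static function hasPermission($sfUser, array $options = array())
{
  $qubitUser = QubitUser::getById($sfUser->getUserId());
  if (!$qubitUser)
  {
    return false;
  }

  // A call without 'module' is a caller bug; deny instead of raising an
  // undefined index notice
  if (!isset($options['module']))
  {
    return false;
  }

  // Viewing a user profile is open to every authenticated user; the rule
  // table below covers the remaining user actions
  if ('user' == $options['module'] && isset($options['action']) && 'show' == $options['action'])
  {
    return true;
  }

  // Credentials granting access, per module; holding any one of them suffices
  $credentials = array(
    'informationobject' => array('administrator', 'editor', 'contributor'),
    'actor' => array('administrator', 'editor', 'contributor'),
    'repository' => array('administrator', 'editor', 'contributor'),
    'term' => array('administrator', 'editor'),
    'staticpage' => array('administrator', 'translator'),
    'user' => array('administrator'));

  if (!isset($credentials[$options['module']]))
  {
    return false;
  }

  return (bool) $sfUser->hasCredential($credentials[$options['module']], false);
}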
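/**
 * HTTP Basic authentication filter.
 *
 * On the first pass it challenges the client when no credentials were sent,
 * verifies them against QubitUser and, on success, authenticates a
 * storage-less myUser that later code reads from the 'user' request
 * attribute. The filter chain only continues past this point when a user was
 * accepted or on later passes.
 *
 * @param sfFilterChain $filterChain
 */
public function execute($filterChain)
{
  if ($this->isFirstCall())
  {
    if (!isset($_SERVER['PHP_AUTH_USER']))
    {
      $this->sendHeaders();
      exit;
    }

    // PHP_AUTH_PW is absent when the client sent a user name only; use an
    // empty password instead of reading an undefined index (the digest is
    // the same either way)
    $username = $_SERVER['PHP_AUTH_USER'];
    $password = isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : '';

    $user = QubitUser::checkCredentials($username, $password, $error);
    if (null === $user)
    {
      // Re-issue the challenge; the chain is not executed
      $this->sendHeaders();

      return;
    }

    // No session storage, so nothing about this request is persisted;
    // authenticate() verifies the credentials a second time
    $user = new myUser(new sfEventDispatcher(), new sfNoStorage());
    $user->authenticate($username, $password);

    // We'll need username/email details later
    sfContext::getInstance()->request->setAttribute('user', $user);
  }

  $filterChain->execute();
}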
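/**
 * OAI-PMH response scaffolding: response date, request URL, echoed request
 * attributes and administrator contact addresses for the XML template.
 *
 * @param sfWebRequest $request the current request; its format is forced to xml
 */
public function execute($request)
{
  $request->setRequestFormat('xml');

  $this->date = gmdate('Y-m-d\\TH:i:s\\Z');
  $this->path = $this->request->getUriPrefix() . $this->request->getPathInfo();

  // The query string is echoed back as attributes of the <request> element.
  // Keys and values are client-controlled, so both are escaped for an XML
  // attribute context; concatenating them raw let a crafted query string close
  // the attribute and inject markup into the response.
  $this->attributes = $this->request->getGetParameters();
  $this->attributesKeys = array_keys($this->attributes);
  $this->requestAttributes = '';
  foreach ($this->attributesKeys as $key)
  {
    $value = $this->attributes[$key];

    // Array parameters (foo[]=1) have no attribute representation; skip them
    if (!is_scalar($value))
    {
      continue;
    }

    $this->requestAttributes .= ' ' . htmlspecialchars($key, ENT_QUOTES, 'UTF-8')
      . '="' . htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8') . '"';
  }

  // Contact addresses: every user holding the administrator role
  $criteria = new Criteria();
  $criteria->addJoin(QubitUser::ID, QubitUserRoleRelation::USER_ID);
  $criteria->addJoin(QubitUserRoleRelation::ROLE_ID, QubitRole::ID);
  $criteria->add(QubitRole::NAME, 'administrator');
  $users = QubitUser::get($criteria);

  $this->adminEmail = array();
  foreach ($users as $user)
  {
    $this->adminEmail[] = $user->getEmail() . "\n";
  }
}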
/**
 * Prepares the user edit form.
 *
 * Relaxes the validator schema, wires the password confirmation check, loads
 * the edited user (or a fresh one) and its ACL permissions keyed by
 * repository, object and action, and lists the actions shown in the basic
 * permission table.
 */
protected function earlyExecute()
{
  $schema = $this->form->getValidatorSchema();
  $schema->setOption('allow_extra_fields', true);
  $schema->setPostValidator(new sfValidatorSchemaCompare('password', '==', 'confirmPassword', array(), array('invalid' => $this->context->i18n->__('Your password confirmation did not match you password.'))));

  // Edit the routed user when there is one, otherwise create
  $route = $this->getRoute();
  $this->resource = isset($route->resource) ? $route->resource : new QubitUser();

  // HACK: because $this->user->getAclPermissions() is erroneously calling
  // QubitObject::getaclPermissionsById()
  $this->permissions = null;
  if (isset($this->resource->id))
  {
    $aclPermissions = QubitUser::getaclPermissionsById($this->resource->id, array('self' => $this));
    $aclPermissions = $aclPermissions->orderBy('constants')->orderBy('object_id');

    foreach ($aclPermissions as $permission)
    {
      $repositoryId = $permission->getConstants(array('name' => 'repositoryId'));
      $this->permissions[$repositoryId][$permission->objectId][$permission->action] = $permission->grantDeny;
    }
  }

  // List of actions without translate
  $this->basicActions = QubitInformationObjectAcl::$ACTIONS;
  unset($this->basicActions['translate']);
}
<?php
require_once dirname(__FILE__) . '/../../bootstrap/functional.php';

// Functional test for user/login and user/logout. A throw-away account is
// created, driven through the browser in several fresh sessions, and deleted
// at the end.
$email = '*****@*****.**';
$password = 'test1234';
$loginRoute = ';user/login';

$user = new QubitUser();
$user->username = '******';
$user->email = $email;
$user->setPassword($password);
$user->save();

// Successful login, then logout through the link on the front page
$browser = new sfTestFunctional(new sfBrowser());
$browser->info('Log in')->post($loginRoute, array('email' => $email, 'password' => $password));
$browser->with('request')->begin()->isParameter('module', 'user')->isParameter('action', 'login')->end();
$browser->test()->ok($browser->getUser()->isAuthenticated(), 'User is authenticated');
$browser->test()->isa_ok($browser->getUser()->user, 'QubitUser', 'myUser->user is QubitUser');

$browser->info('Log out')->get('/');
$browser->with('request')->begin()->isParameter('module', 'staticpage')->isParameter('action', 'static')->end();
$browser->click('Log out');
$browser->with('request')->begin()->isParameter('module', 'user')->isParameter('action', 'logout')->end();
$browser->test()->ok(!$browser->getUser()->isAuthenticated(), 'User isn\'t authenticated');

// Wrong password: the session stays anonymous
$browser = new sfTestFunctional(new sfBrowser());
$browser->info('Incorrect log in')->post($loginRoute, array('email' => $email, 'password' => 'wrongpass'));
$browser->with('request')->begin()->isParameter('module', 'user')->isParameter('action', 'login')->end();
$browser->test()->ok(!$browser->getUser()->isAuthenticated(), 'User isn\'t authenticated');
$browser->test()->is($browser->getUser()->user, null, 'myUser->user is null');

// A "next" parameter pointing at localhost must not break the login (issue 1342)
$browser = new sfTestFunctional(new sfBrowser());
$browser->info('"localhost" "next" parameter, issue 1342')->post($loginRoute, array('email' => $email, 'password' => $password, 'next' => 'http://localhost/example'));
$browser->with('request')->begin()->isParameter('module', 'user')->isParameter('action', 'login')->end();
$browser->test()->ok($browser->getUser()->isAuthenticated(), 'User is authenticated');
$browser->test()->isa_ok($browser->getUser()->user, 'QubitUser', 'myUser->user is QubitUser');

// An empty "next" parameter must not break the login either
$browser = new sfTestFunctional(new sfBrowser());
$browser->info('Empty "next" parameter')->post($loginRoute, array('email' => $email, 'password' => $password, 'next' => ''));
$browser->with('request')->begin()->isParameter('module', 'user')->isParameter('action', 'login')->end();
$browser->test()->ok($browser->getUser()->isAuthenticated(), 'User is authenticated');
$browser->test()->isa_ok($browser->getUser()->user, 'QubitUser', 'myUser->user is QubitUser');

$user->delete();
<?php
include dirname(__FILE__) . '/../../bootstrap/functional.php';

// Functional test for the Dublin Core XML export of an information object:
// an administrator and a record are created, the export is fetched as the
// administrator, the fixtures are removed and the response is parsed for the
// XPath assertions that follow.
$browser = new sfTestFunctional(new sfBrowser());

// Random fixture values avoid colliding with rows left by other runs
$email = rand() . '@example.com';
$password = rand();

$user = new QubitUser();
$user->email = $email;
$user->setPassword($password);
$user->save();

$relation = new QubitUserRoleRelation();
$relation->userId = $user->id;
$relation->roleId = QubitRole::ADMINISTRATOR_ID;
$relation->save();

$browser->post(';user/login', array('login' => array('email' => $email, 'password' => $password)));

$scopeAndContent = rand();
$identifier = rand();
$title = rand();

$informationObject = new QubitInformationObject();
$informationObject->parentId = QubitInformationObject::ROOT_ID;
$informationObject->scopeAndContent = $scopeAndContent;
$informationObject->identifier = $identifier;
$informationObject->title = $title;
$informationObject->save();

$browser->get('/' . $informationObject->id . ';dc?sf_format=xml');

// Clean up before inspecting the response so a failing assertion below does
// not leave fixtures behind
$user->delete();
$informationObject->delete();

$xml = $browser->getResponse()->getContent();
$doc = new DOMDocument();
$doc->loadXML($xml);

$xpath = new DOMXPath($doc);
$xpath->registerNamespace('dc', 'http://purl.org/dc/elements/1.1/');
/**
 * Authenticates the session with an e-mail/password pair and signs the
 * matching user in.
 *
 * @param string $username e-mail address; the 'anonymous' pseudo-user is always rejected
 * @param string $password clear-text password
 *
 * @return bool true when the credentials were accepted
 */
public function authenticate($username, $password)
{
  // anonymous is not a real user
  if ('anonymous' == $username)
  {
    return false;
  }

  $user = QubitUser::checkCredentials($username, $password, $error);

  // user account exists?
  if (null === $user)
  {
    return false;
  }

  $this->signIn($user);

  return true;
}
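/**
 * Updates user's access privileges from Shibboleth data
 *
 * Membership in each ACL group is derived from the isMemberOf attribute found
 * in the request's path-info array, matched against the group names configured
 * in app_shibboleth_*_groups. The user is added to groups they now qualify for
 * and removed from groups they no longer qualify for.
 *
 * @param sfWebRequest $request the current web request
 * @param QubitUser    $user    the current user
 *
 * @return bool always true
 */
protected function updateUserFromShibInfo($request, $user)
{
  $params = $request->getPathInfoArray();

  // NOTE(review): isMemberOf is taken as trustworthy here; this relies on the
  // web server/SP configuration not letting a client supply it — confirm
  $isMemberOf = isset($params['isMemberOf']) ? $this->splitShibGroupList($params['isMemberOf']) : array();

  // read group mapping from config file
  $mapings = array(
    'ADMINISTRATOR_ID' => $this->splitShibGroupList(sfConfig::get('app_shibboleth_administrator_groups')),
    'EDITOR_ID' => $this->splitShibGroupList(sfConfig::get('app_shibboleth_editor_groups')),
    'CONTRIBUTOR_ID' => $this->splitShibGroupList(sfConfig::get('app_shibboleth_contributor_groups')),
    'TRANSLATOR_ID' => $this->splitShibGroupList(sfConfig::get('app_shibboleth_translator_groups')));

  // for each privilege class, check whether the current user should have it and
  // assign it if not yet assigned
  foreach ($mapings as $key => $configuredGroups)
  {
    $groupId = constant("QubitAclGroup::{$key}");
    $shouldBeMember = 0 < count(array_intersect($configuredGroups, $isMemberOf));

    if ($shouldBeMember)
    {
      if (!$user->hasGroup($groupId))
      {
        $aclUserGroup = new QubitAclUserGroup();
        $aclUserGroup->userId = $user->id;
        $aclUserGroup->groupId = $groupId;
        $aclUserGroup->save();
      }
    }
    else
    {
      // remove the user from groups he should not be in
      if ($user->hasGroup($groupId))
      {
        foreach ($user->aclUserGroups as $membership)
        {
          if ($membership->groupId == $groupId)
          {
            $membership->delete();
          }
        }
      }
    }
  }

  return true;
}

/**
 * Splits a ';'-separated group list into trimmed, non-empty group names.
 *
 * Dropping empty entries matters: explode(';', '') yields array(''), so an
 * unset or empty app_shibboleth_*_groups setting previously intersected with
 * a missing or empty isMemberOf attribute and granted that group to every
 * Shibboleth user.
 *
 * @param string|null $list raw ';'-separated list, or null when unset
 *
 * @return array list of group names
 */
private function splitShibGroupList($list)
{
  if (null === $list || '' === $list)
  {
    return array();
  }

  $names = array();
  foreach (explode(';', (string) $list) as $name)
  {
    $name = trim($name);
    if ('' !== $name)
    {
      $names[] = $name;
    }
  }

  return $names;
}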
?> </h1> <div class="messages error"> <?php echo __('The upload limit of %1% GB for <a href="%2%">%3%</a> has been exceeded (%4% GB currently used)', array('%1%' => $resource->uploadLimit, '%2%' => url_for(array($resource, 'module' => 'repository')), '%3%' => $resource->__toString(), '%4%' => $resource->getDiskUsage(array('units' => 'G')))); ?> </div> <div> <?php echo __('To upload a new %1%', array('%1%' => strtolower(sfConfig::get('app_ui_label_digitalobject')))); ?> <ul> <li><?php echo __('Email your <a href="mailto:%1%">system administrator</a> and request a larger upload limit', array('%1%' => QubitUser::getSystemAdmin()->email)); ?> </li> <li><?php echo __('Delete an <a href="%1%">existing %2%</a> to reduce disk usage', array('%1%' => url_for(array(null, 'module' => 'search', 'query' => '+repositorySlug:' . $resource->slug . ' +hasDigitalObject:true')), '%2%' => strtolower(sfConfig::get('app_ui_label_digitalobject')))); ?> </li> </ul> </div> <div class="actions section"> <h2 class="element-invisible"><?php echo __('Actions'); ?> </h2>