public function executeImpl($partner_id, $subp_id, $puser_id, $partner_prefix, $puser_kuser)
{
// make sure the secret fits the one in the partner's table
$ks_str = "";
$expiry = $this->getP("expiry", 86400);
$widget_id = $this->getPM("widget_id");
$widget = widgetPeer::retrieveByPK($widget_id);
if (!$widget) {
$this->addError(APIErrors::INVALID_WIDGET_ID, $widget_id);
return;
}
$partner_id = $widget->getPartnerId();
$partner = PartnerPeer::retrieveByPK($partner_id);
// TODO - see how to decide if the partner has a URL to redirect to
// according to the partner's policy and the widget's policy - define the privileges of the ks
// TODO - decide !! - for now only view - any kshow
$privileges = "view:*,widget:1";
if ($widget->getSecurityType() == widget::WIDGET_SECURITY_TYPE_FORCE_KS) {
if (!$this->ks) {
// the one from the defPartnerservices2Action
$this->addException(APIErrors::MISSING_KS);
}
$ks_str = $this->getP("ks");
$widget_partner_id = $widget->getPartnerId();
$res = kSessionUtils::validateKSession2(1, $widget_partner_id, $puser_id, $ks_str, $this->ks);
if (0 >= $res) {
// chaned this to be an exception rather than an error
$this->addException(APIErrors::INVALID_KS, $ks_str, $res, ks::getErrorStr($res));
}
} else {
// the session will be for NON admins and privileges of view only
$puser_id = 0;
$result = kSessionUtils::createKSessionNoValidations($partner_id, $puser_id, $ks_str, $expiry, false, "", $privileges);
}
if ($result >= 0) {
$this->addMsg("ks", $ks_str);
$this->addMsg("partner_id", $partner_id);
$this->addMsg("subp_id", $widget->getSubpId());
$this->addMsg("uid", "0");
} else {
// TODO - see that there is a good error for when the invalid login count exceed s the max
$this->addError(APIErrors::START_WIDGET_SESSION_ERROR, $widget_id);
}
}
/**
* Throws an error if the non-onwer session user is trying to update entitledPusersEdit or entitledPusersPublish
*
* @param KalturaBaseEntry $entry
* @param entry $dbEntry
*/
protected function validateEntitledUsersUpdate(KalturaBaseEntry $entry, entry $dbEntry)
{
if (!$this->getKs() || !$this->getKs()->isAdmin()) {
//non owner cannot change entitledUsersEdit and entitledUsersPublish
if ($this->getKuser()->getId() != $dbEntry->getKuserId()) {
if ($entry->entitledUsersEdit !== null && strtolower($entry->entitledUsersEdit) != strtolower($dbEntry->getEntitledPusersEdit())) {
throw new KalturaAPIException(KalturaErrors::INVALID_KS, "", ks::INVALID_TYPE, ks::getErrorStr(ks::INVALID_TYPE));
}
if ($entry->entitledUsersPublish !== null && strtolower($entry->entitledUsersPublish) != strtolower($dbEntry->getEntitledPusersPublish())) {
throw new KalturaAPIException(KalturaErrors::INVALID_KS, "", ks::INVALID_TYPE, ks::getErrorStr(ks::INVALID_TYPE));
}
}
}
}
/**
* Sets the valid user for the entry
* Throws an error if the session user is trying to update entry to another user and not using an admin session
*
* @param KalturaBaseEntry $entry
* @param entry $dbEntry
*/
protected function checkAndSetValidUserUpdate(KalturaBaseEntry $entry, entry $dbEntry)
{
KalturaLog::debug("DB puser id [" . $dbEntry->getPuserId() . "] kuser id [" . $dbEntry->getKuserId() . "]");
// user id not being changed
if ($entry->userId === null) {
KalturaLog::debug("entry->userId is null, not changing user");
return;
}
if (!$this->getKs() || !$this->getKs()->isAdmin()) {
$entryPuserId = $dbEntry->getPuserId();
// non admin cannot change the owner of an existing entry
if (strtolower($entry->userId) != strtolower($entryPuserId)) {
KalturaLog::debug('API entry userId [' . $entry->userId . '], DB entry userId [' . $entryPuserId . '] - change required but KS is not admin');
throw new KalturaAPIException(KalturaErrors::INVALID_KS, "", ks::INVALID_TYPE, ks::getErrorStr(ks::INVALID_TYPE));
}
}
// need to create kuser if this is an admin changing the owner of the entry to a different user
$kuser = kuserPeer::createKuserForPartner($dbEntry->getPartnerId(), $entry->userId);
KalturaLog::debug("Set kuser id [" . $kuser->getId() . "] line [" . __LINE__ . "]");
$dbEntry->setKuserId($kuser->getId());
}
public static function initKsPartnerUser($ksString, $requestedPartnerId = null, $requestedPuserId = null)
{
if (!$ksString) {
kCurrentContext::$ks = null;
kCurrentContext::$ks_partner_id = null;
kCurrentContext::$ks_uid = null;
kCurrentContext::$master_partner_id = null;
kCurrentContext::$partner_id = $requestedPartnerId;
kCurrentContext::$uid = $requestedPuserId;
kCurrentContext::$is_admin_session = false;
} else {
try {
$ksObj = kSessionUtils::crackKs($ksString);
} catch (Exception $ex) {
if (strpos($ex->getMessage(), "INVALID_STR") !== null) {
//TODO: throw different type of error
throw new KalturaAPIException(APIErrors::INVALID_KS, $ksString, ks::INVALID_STR, ks::getErrorStr(ks::INVALID_STR));
} else {
throw $ex;
}
}
kCurrentContext::$ks = $ksString;
kCurrentContext::$ks_object = $ksObj;
kCurrentContext::$ks_partner_id = $ksObj->partner_id;
kCurrentContext::$ks_uid = $ksObj->user;
kCurrentContext::$master_partner_id = $ksObj->master_partner_id ? $ksObj->master_partner_id : kCurrentContext::$ks_partner_id;
kCurrentContext::$is_admin_session = $ksObj->isAdmin();
kCurrentContext::$partner_id = $requestedPartnerId;
kCurrentContext::$uid = $requestedPuserId;
}
// set partner ID for logger
if (kCurrentContext::$partner_id) {
$GLOBALS["partnerId"] = kCurrentContext::$partner_id;
} else {
if (kCurrentContext::$ks_partner_id) {
$GLOBALS["partnerId"] = kCurrentContext::$ks_partner_id;
}
}
self::$ksPartnerUserInitialized = true;
}
/**
* @param string $objectClass
* @param string $objectId
* @param string $privilege optional
* @param string $options optional
* @throws KalturaErrors::INVALID_KS
*/
protected function validateUser($objectClass, $objectId, $privilege = null, $options = null)
{
// don't allow operations without ks
if (!kCurrentContext::$ks_object) {
throw new KalturaAPIException(KalturaErrors::INVALID_KS, "", ks::INVALID_TYPE, ks::getErrorStr(ks::INVALID_TYPE));
}
// if admin always allowed
if (kCurrentContext::$is_admin_session) {
return;
}
$objectGetters = null;
if (strstr($objectClass, '::')) {
$objectGetters = explode('::', $objectClass);
$objectClass = array_shift($objectGetters);
}
$objectClassPeer = "{$objectClass}Peer";
if (!class_exists($objectClassPeer)) {
return;
}
$dbObject = $objectClassPeer::retrieveByPK($objectId);
if ($objectGetters) {
foreach ($objectGetters as $objectGetter) {
$getterMethod = "get{$objectGetter}";
$reflector = new ReflectionObject($dbObject);
if (!$reflector->hasMethod($getterMethod)) {
KalturaLog::err("Method " . $getterMethod . " does not exist for class " . $reflector->getName());
return;
}
$dbObject = $dbObject->{$getterMethod}();
}
}
if (!$dbObject instanceof IOwnable) {
return;
}
if ($privilege) {
// check if all ids are privileged
if (kCurrentContext::$ks_object->verifyPrivileges($privilege, ks::PRIVILEGE_WILDCARD)) {
return;
}
// check if object id is privileged
if (kCurrentContext::$ks_object->verifyPrivileges($privilege, $dbObject->getId())) {
return;
}
}
if (strtolower($dbObject->getPuserId()) != strtolower(kCurrentContext::$ks_uid)) {
$optionsArray = array();
if ($options) {
$optionsArray = explode(",", $options);
}
if (!$dbObject->isEntitledKuserEdit(kCurrentContext::getCurrentKsKuserId()) || in_array(self::OWNER_ONLY_OPTION, $optionsArray)) {
throw new KalturaAPIException(KalturaErrors::INVALID_KS, "", ks::INVALID_TYPE, ks::getErrorStr(ks::INVALID_TYPE));
}
}
}
private function validateTicketSetPartner($partner_id, $subp_id, $puser_id, $ks_str)
{
if ($ks_str) {
// 1. crack the ks -
$ks = kSessionUtils::crackKs($ks_str);
// 2. extract partner_id
$ks_partner_id = $ks->partner_id;
$master_partner_id = $ks->master_partner_id;
if (!$master_partner_id) {
$master_partner_id = $ks_partner_id;
}
if (!$partner_id) {
$partner_id = $ks_partner_id;
}
// use the user from the ks if not explicity set
if (!$puser_id) {
$puser_id = $ks->user;
}
kCurrentContext::$ks = $ks_str;
kCurrentContext::$partner_id = $partner_id;
kCurrentContext::$ks_partner_id = $ks_partner_id;
kCurrentContext::$master_partner_id = $master_partner_id;
kCurrentContext::$uid = $puser_id;
kCurrentContext::$ks_uid = $ks->user;
// 3. retrieve partner
$ks_partner = PartnerPeer::retrieveByPK($ks_partner_id);
// the service_confgi is assumed to be the one of the operating_partner == ks_partner
if (!$ks_partner) {
$this->addException(APIErrors::UNKNOWN_PARTNER_ID, $ks_partner_id);
}
$this->setServiceConfigFromPartner($ks_partner);
if ($ks_partner && !$ks_partner->getStatus()) {
$this->addException(APIErrors::SERVICE_FORBIDDEN_PARTNER_DELETED);
}
// 4. validate ticket per service for the ticket's partner
$ticket_type = $this->ticketType2();
if ($ticket_type == kSessionUtils::REQUIED_TICKET_NOT_ACCESSIBLE) {
// partner cannot access this service
$this->addException(APIErrors::SERVICE_FORBIDDEN);
}
if ($this->force_ticket_check && $ticket_type != kSessionUtils::REQUIED_TICKET_NONE) {
// TODO - which user is this ? from the ks ? from the puser_id ?
$ks_puser_id = $ks->user;
//$ks = null;
$res = kSessionUtils::validateKSession2($ticket_type, $ks_partner_id, $ks_puser_id, $ks_str, $ks);
if (0 >= $res) {
// chaned this to be an exception rather than an error
$this->addException(APIErrors::INVALID_KS, $ks_str, $res, ks::getErrorStr($res));
}
$this->ks = $ks;
} elseif ($ticket_type == kSessionUtils::REQUIED_TICKET_NONE && $ks_str) {
$ks_puser_id = $ks->user;
$res = kSessionUtils::validateKSession2($ticket_type, $ks_partner_id, $ks_puser_id, $ks_str, $ks);
if ($res > 0) {
$this->ks = $ks;
}
}
// 5. see partner is allowed to access the desired partner (if himself - easy, else - should appear in the partnerGroup)
$allow_access = myPartnerUtils::allowPartnerAccessPartner($ks_partner_id, $this->partnerGroup2(), $partner_id);
if (!$allow_access) {
$this->addException(APIErrors::PARTNER_ACCESS_FORBIDDEN, $ks_partner_id, $partner_id);
}
// 6. set the partner to be the desired partner and the operating_partner to be the one from the ks
$this->partner = PartnerPeer::retrieveByPK($partner_id);
$this->operating_partner = $ks_partner;
// the config is that of the ks_partner NOT of the partner
// $this->setServiceConfigFromPartner( $ks_partner ); - was already set above to extract the ks
// TODO - should change service_config to be the one of the partner_id ??
// 7. if ok - return the partner_id to be used from this point onwards
return array($partner_id, $subp_id, $puser_id, true);
// allow private_partner_data
} else {
// no ks_str
// 1. extract partner by partner_id +
// 2. retrieve partner
$this->partner = PartnerPeer::retrieveByPK($partner_id);
if (!$this->partner) {
$this->partner = null;
// go to the default config
$this->setServiceConfigFromPartner(null);
if ($this->requirePartner2()) {
$this->addException(APIErrors::UNKNOWN_PARTNER_ID, $partner_id);
}
}
if ($this->partner && !$this->partner->getStatus()) {
$this->addException(APIErrors::SERVICE_FORBIDDEN_PARTNER_DELETED);
}
kCurrentContext::$ks = null;
kCurrentContext::$partner_id = $partner_id;
kCurrentContext::$ks_partner_id = null;
kCurrentContext::$uid = $puser_id;
kCurrentContext::$ks_uid = null;
// 3. make sure the service can be accessed with no ticket
$this->setServiceConfigFromPartner($this->partner);
$ticket_type = $this->ticketType2();
if ($ticket_type == kSessionUtils::REQUIED_TICKET_NOT_ACCESSIBLE) {
// partner cannot access this service
$this->addException(APIErrors::SERVICE_FORBIDDEN);
}
if ($this->force_ticket_check && $ticket_type != kSessionUtils::REQUIED_TICKET_NONE) {
// NEW: 2008-12-28
// Instead of throwing an exception, see if the service allows KN.
// If so - a relativly week partner access
if ($this->kalturaNetwork2()) {
// if the service supports KN - continue without private data
return array($partner_id, $subp_id, $puser_id, false);
// DONT allow private_partner_data
}
// chaned this to be an exception rather than an error
$this->addException(APIErrors::MISSING_KS);
}
// 4. set the partner & operating_partner to be the one-and-only partner of this session
$this->operating_partner = $this->partner;
return array($partner_id, $subp_id, $puser_id, true);
// allow private_partner_data
}
}
private static function errorIfKsNotValid()
{
// if no ks in current context - no need to check anything
if (!self::$ksString) {
return;
}
$ksObj = null;
$res = kSessionUtils::validateKSessionNoTicket(self::$ksPartnerId, self::$ksUserId, self::$ksString, $ksObj);
if (0 >= $res) {
switch ($res) {
case ks::INVALID_STR:
KalturaLog::err('Invalid KS [' . self::$ksString . ']');
break;
case ks::INVALID_PARTNER:
KalturaLog::err('Wrong partner [' . self::$ksPartnerId . '] actual partner [' . $ksObj->partner_id . ']');
break;
case ks::INVALID_USER:
KalturaLog::err('Wrong user [' . self::$ksUserId . '] actual user [' . $ksObj->user . ']');
break;
case ks::EXPIRED:
KalturaLog::err('KS Expired [' . date('Y-m-d H:i:s', $ksObj->valid_until) . ']');
break;
case ks::LOGOUT:
KalturaLog::err('KS already logged out');
break;
case ks::EXCEEDED_ACTIONS_LIMIT:
KalturaLog::err('KS exceeded number of actions limit');
break;
case ks::EXCEEDED_RESTRICTED_IP:
KalturaLog::err('IP does not match KS restriction');
break;
}
throw new kCoreException("Invalid KS", kCoreException::INVALID_KS, ks::getErrorStr($res));
}
}
/**
* Throws an error if the user is trying to update entry that doesn't belong to him and the session is not admin
*
* @param entry $dbEntry
*/
protected function checkIfUserAllowedToUpdateEntry(entry $dbEntry)
{
// if session is not admin, but privileges are
// edit:* or edit:ENTRY_ID or editplaylist:PLAYLIST_ID
// edit is allowed
if (!$this->getKs() || !$this->getKs()->isAdmin()) {
// check if wildcard on 'edit'
if ($this->getKs()->verifyPrivileges(ks::PRIVILEGE_EDIT, ks::PRIVILEGE_WILDCARD)) {
return;
}
// check if entryID on 'edit'
if ($this->getKs()->verifyPrivileges(ks::PRIVILEGE_EDIT, $dbEntry->getId())) {
return;
}
//
if ($this->getKs()->verifyPlaylistPrivileges(ks::PRIVILEGE_EDIT_ENTRY_OF_PLAYLIST, $dbEntry->getId(), $this->getPartnerId())) {
return;
}
}
// if user is not the entry owner, and the KS is user type - do not allow update
if ($dbEntry->getKuserId() != $this->getKuser()->getId() && (!$this->getKs() || !$this->getKs()->isAdmin())) {
throw new KalturaAPIException(KalturaErrors::INVALID_KS, "", ks::INVALID_TYPE, ks::getErrorStr(ks::INVALID_TYPE));
}
}
private static function errorIfKsNotValid()
{
// if no ks in current context - no need to check anything
if (!self::$ksString) {
return;
}
$ksObj = null;
$res = kSessionUtils::validateKSessionNoTicket(self::$ksPartnerId, self::$ksUserId, self::$ksString, $ksObj);
if (0 >= $res) {
switch ($res) {
case ks::INVALID_STR:
KalturaLog::err('Invalid KS [' . self::$ksString . ']');
break;
case ks::INVALID_PARTNER:
KalturaLog::err('Wrong partner [' . self::$ksPartnerId . '] actual partner [' . $ksObj->partner_id . ']');
break;
case ks::INVALID_USER:
KalturaLog::err('Wrong user [' . self::$ksUserId . '] actual user [' . $ksObj->user . ']');
break;
case ks::EXPIRED:
KalturaLog::err('KS Expired [' . date('Y-m-d H:i:s', $ksObj->valid_until) . ']');
break;
case ks::LOGOUT:
KalturaLog::err('KS already logged out');
break;
}
throw new KalturaAPIException(APIErrors::INVALID_KS, self::$ksString, $res, ks::getErrorStr($res));
}
}
