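/**
 * Class autoloader: walks every directory on the include path and tries
 * <dir>/methods/<class>.php, then <dir>/wrms/<class>.php, then
 * <dir>/medusa/<class>.php, include_once'ing the first readable match.
 *
 * Security note: elsewhere in this code base class_exists() is called with a
 * request-supplied method name, and class_exists() hands that raw string to
 * the autoloader. The class name must therefore be treated as untrusted and
 * never reach include_once unchecked -- a value such as "../../etc/passwd"
 * would otherwise be spliced straight into the file name.
 *
 * Fixes:
 *  - the class name is restricted to [A-Za-z0-9_] before any path is built;
 *  - is_readable() is tested on the file to be included, not on the directory;
 *  - split() (removed in PHP 7) is replaced by explode().
 *
 * NOTE(review): __autoload() itself is deprecated since PHP 7.2; registering
 * this function with spl_autoload_register() is the forward path, but the
 * name is kept here so existing bootstrap code keeps working.
 *
 * @param string $class_name Name of the class PHP could not resolve.
 */
function __autoload($class_name)
{
    // Only plain identifiers may become part of a file name. Path separators,
    // dots, NUL bytes, backslashes etc. are refused up front. \z (not $) so a
    // trailing newline cannot sneak past the check.
    if (!is_string($class_name) || !preg_match('/^[A-Za-z0-9_]+\z/', $class_name)) {
        error_logging('WARNING', "Refusing to autoload class with unsafe name: '{$class_name}'");
        return;
    }

    $subdirs = array('methods', 'wrms', 'medusa');
    foreach (explode(':', get_include_path()) as $path) {
        // ensure absolute pathing: a relative include path could otherwise be
        // satisfied from whatever the current working directory happens to be.
        if (!isset($path[0]) || $path[0] != '/') {
            continue;
        }
        foreach ($subdirs as $subdir) {
            $filename = $path . '/' . $subdir . '/' . $class_name . '.php';
            error_logging('DEBUG', "Include path is: '{$path}'");
            error_logging('DEBUG', "Including class: {$filename}");
            if (is_file($filename) && is_readable($filename)) {
                include_once $filename;
                return;
            }
        }
    }
}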
/**
 * Performs a search using dynamically generated SQL from the input parameters.
 *
 * Only parameter keys that appear in BOTH $this->gettodbfields and
 * $this->gettodbjoins are honoured; all other keys are silently ignored.
 * Each accepted key contributes its join fragment and a WHERE clause built
 * by formatBoolValues().
 *
 * NOTE(review): parameter *values* reach the SQL string only through
 * formatBoolValues(), which is not visible here -- confirm it quotes or
 * escapes them, since $this->parameters presumably come from the request.
 *
 * @return response|error A response whose data holds one populated object
 *         per row, or an error when no usable search term was supplied.
 */
private function search()
{
    $joinClauses = array();
    $whereClauses = array();

    foreach ($this->parameters as $key => $value) {
        $known = array_key_exists($key, $this->gettodbfields)
            && array_key_exists($key, $this->gettodbjoins);
        if (!$known) {
            continue;
        }
        $joinClauses[] = $this->gettodbjoins[$key];
        $whereClauses[] = $this->formatBoolValues($this->gettodbfields[$key], $value);
    }

    if (count($whereClauses) == 0) {
        return new error("No usable search terms found.");
    }

    $sql = sprintf(
        'SELECT DISTINCT %s.* FROM %s %s WHERE %s',
        $this->gettable,
        $this->gettable,
        implode(' ', $joinClauses),
        implode(' AND ', $whereClauses)
    );
    error_logging('DEBUG', "wrms_search auto generated {$sql}");

    $result = db_query($sql);
    $resp = new response('Success');
    while ($row = db_fetch_assoc($result)) {
        $object = $this->sqldata->getNewObject();
        error_logging('DEBUG', "Creating new " . get_class($object) . " in wrms_search");
        $object->populate($row);
        $object->populateChildren();
        $resp->data[] = $object;
    }
    return $resp;
}
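/**
 * Installs $usr as the process-wide current user.
 *
 * The candidate is rejected (an error object is returned and the stored
 * value left untouched) when: a current user is already set; $usr is not an
 * object of class exactly 'user'; it is not populated; its ID is below 1;
 * or its enabled flag is not 1. On success the user is stored and returned.
 *
 * Fix: get_class() was called on $usr before checking that it is an object
 * at all, which warns (PHP 7) or throws a TypeError (PHP 8) for a non-object.
 * The nested else-chain is flattened into guard clauses; the order of the
 * checks and every message are unchanged.
 *
 * @param user $usr Populated, enabled user object.
 * @return user|error The installed user, or an error describing the rejection.
 */
public static function set($usr)
{
    if (self::$user != null) {
        error_logging('ERROR', "Currentuser class being overwritten");
        return new error('Invalid user.');
    }
    if (!is_object($usr) || get_class($usr) != 'user') {
        $given = is_object($usr) ? get_class($usr) : gettype($usr);
        error_logging('ERROR', 'Attempt to run currentuser::set() with class of wrong type; ' . $given);
        return new error('Invalid class use.');
    }
    if (!$usr->populated) {
        error_logging('ERROR', 'Attempted to use unpopulated class as current user.');
        return new error('Invalid user.');
    }
    if ($usr->getID() < 1) {
        error_logging('ERROR', 'Attempted to use broken user class as current user. ID;' . $usr->getID());
        return new error('Invalid user.');
    }
    if ($usr->enabled != 1) {
        error_logging('ERROR', 'Attempted to use disabled user class as current user.');
        return new error('Invalid user.');
    }
    error_logging('DEBUG', 'currentuser setting new user id; ' . $usr->getID());
    self::$user = $usr;
    return self::$user;
}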
/**
 * Configures the search helper for one of the supported search types.
 *
 * Resets searchtable, gettodbfields, gettodbjoins and newobject, then
 * delegates to the matching fill*() method. 'request' and 'workrequest'
 * share fillWorkRequest(); 'user' and 'users' share fillUser(). An unknown
 * type is logged at WARNING level and leaves the object unconfigured.
 *
 * @param string $search One of request, workrequest, roles, user, users, organisation.
 */
function __construct($search)
{
    $this->searchtable = null;
    $this->gettodbfields = array();
    $this->gettodbjoins = array();
    $this->newobject = null;

    // Dispatch table instead of a switch; aliases map to the same filler.
    $fillers = array(
        'request'      => 'fillWorkRequest',
        'workrequest'  => 'fillWorkRequest',
        'roles'        => 'fillRoles',
        'user'         => 'fillUser',
        'users'        => 'fillUser',
        'organisation' => 'fillOrganisation',
    );

    if (!isset($fillers[$search])) {
        error_logging('WARNING', "Search type {$search} doesn't exist.");
        return;
    }
    $filler = $fillers[$search];
    return $this->$filler();
}
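/**
 * Performs the fetch of the work request
 *
 * @param $params
 *   Associative array of parameters
 *   - $params['GET']['wr']: Work Request ID, or several IDs separated by commas
 * @return
 *   - A response whose data holds one WrmsWorkRequest per permitted request,
 *     with a 403 error object in place of each request the caller may not view
 *   - Error message if wr was missing or malformed
 *
 * Fix: the format check used '$', which in PCRE also matches just before a
 * trailing newline, so "1\n" passed the check and was inlined into the SQL.
 * '\z' anchors at the true end of the string. wr is inlined into the query
 * only after it has passed the digits-and-commas check.
 */
function run($params)
{
    $wr = isset($params['GET']['wr']) ? $params['GET']['wr'] : null;
    if ($wr === null || $wr === '') {
        error_logging('WARNING', "No work request number (wr) provided.");
        return new error('No work request number (wr) provided.');
    }
    if (!is_string($wr) || !preg_match('/^\d+(,\d+)*\z/', $wr)) {
        error_logging('WARNING', 'Provided work request (wr) of; "' . $wr . '" argument does not match required format.');
        return new error('Bad work request (wr) argument. Argument must be in the format of one or more integers seperated by commas.');
    }

    $access = access::getInstance();
    $response = new response('Success');
    // Safe to inline: $wr is now known to consist of digits and commas only.
    $sql = 'SELECT * FROM request WHERE request_id IN (' . $wr . ')';
    $result = db_query($sql);
    while ($row = db_fetch_object($result)) {
        if ($access->permitted('wr/view', $row->request_id)) {
            $object = new WrmsWorkRequest();
            $object->populate($row);
            $object->populateChildren();
            $response->data[] = $object;
        } else {
            // EKM TODO add id not allowed option
            $response->data[] = new error('You cannot access this work request.', 403);
        }
    }
    return $response;
}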
/**
 * Private functions - we don't want others calling these directly
 * Yay for php5!
 *
 * Renders $this->response as HTML: objects and arrays are walked by
 * __recurse_html(), a non-empty scalar is returned as-is, and anything else
 * yields a "No response" paragraph.
 *
 * NOTE(review): a scalar response is returned verbatim with no HTML
 * escaping; if it can ever carry request-derived text that is an XSS
 * vector -- confirm at the call sites that set $this->response.
 *
 * @return string HTML fragment.
 */
private function __render_html()
{
    error_logging('DEBUG', 'Rendering with __render_html');
    $payload = $this->response;

    if (is_object($payload) || is_array($payload)) {
        return $this->__recurse_html($payload);
    }
    if (empty($payload)) {
        return '<p>No response</p>';
    }
    return $payload;
}
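/**
 * Copies every key of $row onto this object as a property of the same name.
 *
 * Fix: the per-field debug line referenced $k and $v before the loop that
 * defines them, so it logged two undefined variables once instead of each
 * field; it is now emitted inside the loop.
 *
 * NOTE(review): this is a mass assignment -- every key in $row becomes a
 * property, declared or not. Callers should only pass rows they selected
 * themselves, never request data.
 *
 * @param array|object|null $row Database row; objects are converted with
 *        get_object_vars() first.
 * @return bool|null false when $row is null or neither array nor object;
 *         otherwise nothing (null), as before.
 */
public function populateNow($row = null)
{
    error_logging('DEBUG', "usr::populateNow() - begins");
    if (is_null($row)) {
        return false;
    }
    if (is_object($row)) {
        $row = get_object_vars($row);
    }
    if (!is_array($row)) {
        return false;
    }
    foreach ($row as $k => $v) {
        error_logging('DEBUG', "usr::populateNow() - Adding {$k} -> {$v}");
        $this->{$k} = $v;
    }
}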
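/**
 * set_error_handler() callback: turns PHP errors into rendered error responses.
 *
 * Fatal-class errors and warnings are logged with file and line, then a
 * rendered 500 error is echoed and the script exits. Other levels (notices,
 * deprecations, ...) return false so PHP's default handling continues.
 *
 * Fixes:
 *  - The database-error masking compared the first space-delimited token of
 *    the message with 'pg_query()', but PHP formats such warnings as
 *    "pg_query(): Query failed: ..." (note the colon), so the mask never
 *    matched and raw query errors went to the client. Match on prefix instead.
 *  - The raw error text (which can carry file system paths, SQL fragments
 *    and similar internals) was echoed to the client. The full detail is
 *    still logged; the client now receives a generic message.
 *
 * @param int    $errno   PHP error level.
 * @param string $errstr  Error message.
 * @param string $errfile File the error was raised in.
 * @param int    $errline Line the error was raised on.
 * @return bool false when the level is not handled here; otherwise the
 *         script exits after rendering the error.
 */
function errorHandler($errno, $errstr, $errfile, $errline)
{
    $fatal = array(E_ERROR, E_CORE_ERROR, E_COMPILE_ERROR, E_USER_ERROR, E_RECOVERABLE_ERROR);
    $warnings = array(E_WARNING, E_CORE_WARNING, E_COMPILE_WARNING, E_USER_WARNING);

    if (in_array($errno, $fatal, true)) {
        /*
         * If we hit an actual error
         */
        error_logging('ERROR', $errstr . ' in ' . $errfile . ' on line ' . $errline);
        $client_message = 'An internal error occured, please try again. If the issue persists, please contact support';
    } elseif (in_array($errno, $warnings, true)) {
        error_logging('WARNING', $errstr . ' in ' . $errfile . ' on line ' . $errline);
        /*
         * As we hit errors, we should add nice explainations here
         */
        if (strpos($errstr, 'pg_query()') === 0) {
            $client_message = 'An error occured with a database query, please try again. If the issue persists, please contact support';
        } else {
            $client_message = 'An internal error occured, please try again. If the issue persists, please contact support';
        }
    } else {
        return false;
    }

    $response_renderer = response_renderer::getInstance();
    echo $response_renderer->render(new error($client_message, 500));
    exit;
}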
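/**
 * Performs the fetch of allocated users
 *
 * @param $params
 *   Associative array of parameters
 *   - $params['GET']['wr']: Work Request ID
 * @return
 *   A response with 'allocated' set to an array of user objects on success
 *   An error (403) when the request may not be viewed, or an error when wr
 *   is missing or not an unsigned integer
 *
 * Fix: wr was handed to the permission check and the query with no format
 * check (the work-request fetch in this code base validates it first). The
 * %d placeholder protects the query, but the access check received raw
 * input; anything that is not an unsigned integer is now rejected up front.
 * The 403 is passed as an integer, matching the work-request fetch.
 */
function run($params)
{
    $wr = isset($params['GET']['wr']) ? $params['GET']['wr'] : null;
    if ($wr === null || $wr === '') {
        error_logging('WARNING', "No work request number (wr) provided.");
        return new error('No work request number (wr) provided.');
    }
    $isUnsigned = (is_int($wr) && $wr >= 0) || (is_string($wr) && ctype_digit($wr));
    if (!$isUnsigned) {
        error_logging('WARNING', 'Provided work request (wr) argument does not match required format.');
        return new error('Bad work request (wr) argument. Argument must be an integer.');
    }
    $request_id = (int) $wr;

    $access = access::getInstance();
    if (!$access->permitted('wr/view', $request_id)) {
        return new error('Access denied', 403);
    }

    $result = db_query('SELECT allocated_to_id FROM request_allocated WHERE request_id = %d', $request_id);
    $users = array();
    while ($row = db_fetch_object($result)) {
        $users[] = new user($row->allocated_to_id);
    }
    $response = new response('Success');
    $response->set('allocated', $users);
    return $response;
}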
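/**
 * Runs every queued permission check against $object for $user and folds
 * the individual outcomes into one boolean.
 *
 * Semantics (unchanged):
 *  - Any check returning true makes the final result true; a later false
 *    never flips it back.
 *  - Without the 'aggegrate_results' or 'force_full_chain' options the
 *    chain stops at the first true result.
 *  - With 'aggegrate_results' set and a non-empty process_queue, each
 *    queued command's processResult() receives the per-check results map
 *    and the running result (by reference, per the original comment) and
 *    may adjust the result.
 *
 * Fix: the results map was built in $results_map but handed to
 * processResult() as $result_map (never defined), so aggregators always
 * saw an empty map. The by-reference foreach loops are dropped as well:
 * the loop variable is never assigned, and a reference left dangling after
 * the loop can silently overwrite the last queue entry.
 *
 * @param object $object The thing access is being requested to.
 * @param object $user   The user requesting access.
 * @return bool Final permission decision.
 */
public function execute(&$object, &$user)
{
    $result = false;        // final answer; denied unless a check grants
    $results_map = array(); // one entry per executed check
    $local_result = false;  // outcome of the check currently running

    foreach ($this->checks_queue as $check) {
        error_logging('DEBUG', 'Executing performCheck on ' . get_class($check['class']));
        // $object and $user travel by reference through the permission class
        $local_result = $check['class']->performCheck($object, $user);

        if ($local_result) {
            $result = true;
        }
        $results_map[] = array('result' => $local_result, 'class' => get_class($check['class']));

        // Standard processing: first grant wins, stop here
        if ($local_result && !$this->options['aggegrate_results'] && !$this->options['force_full_chain']) {
            break;
        }
    }

    if ($this->options['aggegrate_results'] && !empty($this->process_queue)) {
        foreach ($this->process_queue as $command) {
            error_logging('DEBUG', 'Executing processResult on ' . get_class($command['class']));
            $command['class']->processResult($results_map, $result);
        }
    }

    return $result;
}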
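/**
 * Lazy accessor for the child collections of a work request.
 *
 * 'timesheets' and 'notes' are loaded on first access via populateChildren();
 * every other name is delegated to the parent's __get().
 *
 * Fixes:
 *  - The parent's return value was discarded, so any property not handled
 *    here read as null. It is now returned.
 *  - __get() is a magic method and PHP warns when it is not public; the
 *    visibility is widened to public, which is backward compatible.
 *
 * @param string $name Property name.
 * @return mixed The child collection, or whatever the parent returns.
 */
public function __get($name)
{
    error_logging('DEBUG', "Calling WrmsWorkRequest.__get with {$name}");
    switch ($name) {
        case 'timesheets':
            if ($this->timesheets == null) {
                $this->populateChildren();
            }
            return $this->timesheets;
        case 'notes':
            if ($this->notes == null) {
                $this->populateChildren();
            }
            return $this->notes;
    }
    return parent::__get($name);
}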
}
// Request dispatch. $method (presumably request-derived -- it is prefix-checked
// below) names the wrms_* class to run; $params['POST']['session_id'] is the
// caller's session token.
if (is_null($params['POST']['session_id'])) {
    # Problem, complain not logged in and boot out, unless doing a login
    if ($method == 'wrms_login' && class_exists($method)) {
        error_logging('DEBUG', "Creating class login::");
        $class = new wrms_login();
        $result = $class->run($params);
    } else {
        $result = new error("Session not set.");
        error_logging('WARNING', 'session_id not set');
    }
} else {
    // NOTE(review): the return value of currentuser::set() (an error object
    // on rejection) is discarded; the getInstance() null check below is what
    // actually decides whether the session counts as valid.
    currentuser::set(new user(login::check_session($params['POST']['session_id'])));
    if (currentuser::getInstance() != null) {
        // Only classes whose name starts with 'wrms_' may be instantiated from
        // the request. class_exists() passes the raw $method string to the
        // autoloader, so the autoloader must treat it as untrusted input.
        if (substr($method, 0, 5) == 'wrms_' && class_exists($method)) {
            $access = access::getInstance();
            $access->setUser(currentuser::getInstance());
            error_logging('DEBUG', "method {$method} exists");
            $class = new $method();
            error_logging('DEBUG', "about to run {$method}");
            $result = $class->run($params);
        } else {
            error_logging('WARNING', "Method {$method} does not exist");
            $result = new error("The method you are trying to call does not exist");
        }
    } else {
        error_logging('DEBUG', "Session is invalid, timed out, or no longer exists.");
        $result = new error("Session is invalid, timed out, or no longer exists.");
    }
}
echo $response_renderer->render($result);
/**
 * Decides whether $this->user may perform $action on $object.
 *
 * Order of evaluation (unchanged):
 *  1. AUTHORIZE_FREE_ACCESS defined and truthy -> granted to everyone,
 *     including anonymous callers.
 *  2. AUTHORIZE_ALLOW_ALL defined and truthy   -> granted to any caller
 *     with a truthy user object, denied otherwise.
 *  3. Otherwise the permission chain for $action is built on first use
 *     (each queued item's file included, its class added, commands sorted),
 *     cached in $this->chains, and executed. An empty queue means denied.
 *
 * @param string $action Permission name, e.g. 'wr/view'.
 * @param mixed  $object The thing being accessed (handed to the chain).
 * @return bool true when access is granted.
 */
public function permitted($action, $object)
{
    error_logging('DEBUG', "Executing permissions check for {$action}");

    $freeAccess = defined('AUTHORIZE_FREE_ACCESS') && constant('AUTHORIZE_FREE_ACCESS');
    if ($freeAccess) {
        //Free access to all requests including anonymous
        error_logging('DEBUG', "Allowing access to all sessions including anonymous");
        return true;
    }

    $allowAuthenticated = defined('AUTHORIZE_ALLOW_ALL') && constant('AUTHORIZE_ALLOW_ALL');
    if ($allowAuthenticated) {
        //Free access to logged in users
        error_logging('DEBUG', "Allowing access to all autheticated sessions");
        if (!$this->user) {
            //Empty users object, must be an anonymous user
            error_logging('DEBUG', "User is not logged in, witholding permission");
            return false;
        }
        //Got a filled user object, thus a logged in users
        error_logging('DEBUG', "User is logged in, granting permission");
        return true;
    }

    $queue = $this->getQueue($action);
    if (empty($queue)) {
        //No permissions to process so return false as default
        return false;
    }

    if (!isset($this->chains[$action])) {
        //A brand new permission chain is necessary
        $this->chains[$action] = new permissionsChain();
        $chain = $this->chains[$action];
        foreach ($queue as $item) {
            //Foreach queued permission include the file and add to the chain
            $this->includeFile($item['file']);
            $chain->addCommand(new $item['class'](), $item['weight']);
        }
        $chain->sortCommands(); //Sorts commands into correct order
    }
    //Execute the cached (possibly just built) chain
    return $this->chains[$action]->execute($object, $this->user);
}
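/**
 * Checks the username and password of a user and returns their ID if they are valid
 *
 * Two stored formats are understood:
 *   *salt*{SSHA}base64(sha1(password . salt) . salt)   (tried first)
 *   *salt*md5(salt . password)                          (legacy)
 * Anything else is rejected with "Invalid password format".
 *
 * Fixes:
 *  - The DEBUG line logged the cleartext password; only the username is logged now.
 *  - Hashes are compared in constant time (hash_equals(), with a byte loop
 *    fallback for PHP < 5.6) instead of with ==.
 *
 * NOTE(review): both schemes are single-round MD5/SHA1; they should be
 * migrated to password_hash()/password_verify() with a rehash on successful
 * login. That needs a storage change and is deliberately not done here.
 *
 * @param $username The username of the person logging in - unclean data
 * @param $password The password of the person logging in - unclean data
 * @param $user_id The ID of the user, which we will set if their details are correct (passed by reference)
 * @param $response A string of text explaining the true/false result
 * @return TRUE if credentials are valid, FALSE if they are not
 */
private function valid_credentials($username, $password, &$user_id, &$response)
{
    assert(!is_null($username));
    assert(!is_null($password));
    // Never log the password, not even at DEBUG level.
    error_logging('DEBUG', "checking credentials of {$username}");

    // See if they even exist; the %s placeholder handles the unclean username.
    $result = db_query("SELECT user_no, password, active from usr where username=%s", $username);
    if (!($row = db_fetch_object($result))) {
        // Invalid username, but lets not give any clues.
        error_logging('DEBUG', "{$username} was not found in the usr table");
        $response = "Invalid username or password";
        return false;
    }
    $hash = $row->password;

    // Recompute the hash of the supplied password in whichever format the
    // stored value uses; null means the stored value is in no known format.
    $hash_of_received = null;
    if (preg_match('/^\*(.+)\*{[A-Z]+}.+$/', $hash, $matches)) {
        // Alternate password format: *salt*{SSHA}base64(sha1(pw . salt) . salt)
        $salt = $matches[1];
        $hash_of_received = sprintf("*%s*{SSHA}%s", $salt, base64_encode(sha1($password . $salt, true) . $salt));
    } elseif (preg_match('/^\*(.+)\*.+$/', $hash, $matches)) {
        // Legacy format: *salt*md5(salt . pw)
        $salt = $matches[1];
        $hash_of_received = sprintf("*%s*%s", $salt, md5($salt . $password));
    }

    if ($hash_of_received === null) {
        $response = "Invalid password format";
        return false;
    }

    // Constant-time comparison so a wrong password does not leak how many
    // leading bytes matched.
    if (function_exists('hash_equals')) {
        $equal = hash_equals($hash, $hash_of_received);
    } else {
        $equal = strlen($hash) === strlen($hash_of_received);
        if ($equal) {
            $diff = 0;
            $len = strlen($hash);
            for ($i = 0; $i < $len; $i++) {
                $diff |= ord($hash[$i]) ^ ord($hash_of_received[$i]);
            }
            $equal = ($diff === 0);
        }
    }
    if (!$equal) {
        $response = "Invalid username or password";
        return false;
    }

    // Check to see if they are still active
    if ($row->active != 't') {
        $response = "Your account has been disabled.";
        return false;
    }
    $user_id = $row->user_no;
    return true;
}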
/**
 * query database
 * @param array two-element array with SQL query in 0 and binds array in 1
 * @return PDOStatement|false PDO statement that may be iterated over, or
 *         false when preparing or executing it raised a PDOException (the
 *         failure is logged at ERROR level)
 *
 * NOTE(review): the ERROR log line includes the bound values verbatim; if
 * any caller binds secrets (password hashes, session tokens) they will end
 * up in the log -- confirm against the callers.
 */
public static function query($query)
{
    list($sql, $binds) = $query;
    try {
        $statement = self::connect()->prepare($sql);
        $statement->execute($binds);
    } catch (PDOException $e) {
        $detail = $sql . ' ' . print_r($binds, true) . ' ' . $e->getMessage();
        error_logging('ERROR', 'QUERY FAILED: ' . $detail);
        return false;
    }
    return $statement;
}