파일: common.php 프로젝트: Br3nda/medusa
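/**
 * Class autoloader: walk every absolute entry of the include path and include
 * the first readable <path>/methods|wrms|medusa/<class>.php that exists.
 *
 * @param string $class_name Name handed over by the engine. It is validated as
 *   a bare identifier before it is used to build a file name, because
 *   class_exists() on request-derived strings (see index.php) reaches this
 *   function with whatever the caller passed in.
 * @return void
 */
function __autoload($class_name)
{
    // A plain identifier can never contribute path separators or '..'
    // segments to $filename; anything else is refused up front.
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $class_name)) {
        error_logging('WARNING', "Refusing to autoload invalid class name: '{$class_name}'");
        return;
    }
    $subdirs = array('methods', 'wrms', 'medusa');
    // explode() on PATH_SEPARATOR replaces the removed split() function.
    foreach (explode(PATH_SEPARATOR, get_include_path()) as $path) {
        error_logging('DEBUG', "Include path is: '{$path}'");
        // ensure absolute pathing (also skips empty entries, which would
        // otherwise raise a notice on $path[0])
        if ($path === '' || $path[0] !== '/') {
            continue;
        }
        foreach ($subdirs as $subdir) {
            $filename = $path . '/' . $subdir . '/' . $class_name . '.php';
            error_logging('DEBUG', "Including class: {$filename}");
            // is_readable() on the file itself: the original tested the
            // directory, which does not prove the file can be read.
            if (is_file($filename) && is_readable($filename)) {
                include_once $filename;
                return;
            }
        }
    }
}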
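 /**
  * Performs a search using dynamically generated SQL from the input parameters.
  *
  * Every key of $this->parameters that has both a field mapping
  * ($this->gettodbfields) and a join mapping ($this->gettodbjoins) contributes
  * one JOIN fragment and one WHERE condition; keys without a mapping are
  * ignored.
  *
  * @return response|error A response whose data holds one populated object
  *   per matching row, or an error when no parameter could be mapped.
  */
 private function search()
 {
     // Initialise both lists explicitly so implode() never sees an undefined
     // variable; "nothing usable" is then simply an empty $wheresql.
     $joinsql = array();
     $wheresql = array();
     foreach ($this->parameters as $parameterkey => $parameterstring) {
         if (!array_key_exists($parameterkey, $this->gettodbfields)
             || !array_key_exists($parameterkey, $this->gettodbjoins)) {
             continue;
         }
         $joinsql[] = $this->gettodbjoins[$parameterkey];
         // NOTE(review): $parameterstring originates from the caller's request
         // parameters and ends up concatenated into the SQL below; confirm
         // that formatBoolValues() quotes/escapes it for the database.
         $wheresql[] = $this->formatBoolValues($this->gettodbfields[$parameterkey], $parameterstring);
     }
     if (empty($wheresql)) {
         return new error("No usable search terms found.");
     }
     $sql = "SELECT DISTINCT " . $this->gettable . ".* FROM " . $this->gettable . " " . implode(' ', $joinsql) . " WHERE " . implode(' AND ', $wheresql);
     error_logging('DEBUG', "wrms_search auto generated {$sql}");
     $result = db_query($sql);
     $resp = new response('Success');
     while ($row = db_fetch_assoc($result)) {
         // One fresh object per row; populateChildren() loads related data.
         $object = $this->sqldata->getNewObject();
         error_logging('DEBUG', "Creating new " . get_class($object) . " in wrms_search");
         $object->populate($row);
         $object->populateChildren();
         $resp->data[] = $object;
     }
     return $resp;
 }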
 /**
  * Installs $usr as the process-wide current user.
  *
  * The candidate is accepted only when no current user exists yet, it is an
  * instance of class 'user', it has been populated, its ID is positive and it
  * is enabled. Each rejection is logged at ERROR level and reported with an
  * error object; on success the stored user is returned.
  *
  * @param object $usr candidate user object
  * @return user|error
  */
 public static function set($usr)
 {
     // Never replace a user that has already been established.
     if (self::$user != null) {
         error_logging('ERROR', "Currentuser class being overwritten");
         return new error('Invalid user.');
     }
     if (get_class($usr) != 'user') {
         error_logging('ERROR', 'Attempt to run currentuser::set() with class of wrong type; ' . get_class($usr));
         return new error('Invalid class use.');
     }
     if (!$usr->populated) {
         error_logging('ERROR', 'Attempted to use unpopulated class as current user.');
         return new error('Invalid user.');
     }
     if ($usr->getID() < 1) {
         error_logging('ERROR', 'Attempted to use broken user class as current user. ID;' . $usr->getID());
         return new error('Invalid user.');
     }
     if ($usr->enabled != 1) {
         error_logging('ERROR', 'Attempted to use disabled user class as current user.');
         return new error('Invalid user.');
     }
     error_logging('DEBUG', 'currentuser setting new user id; ' . $usr->getID());
     self::$user = $usr;
     return self::$user;
 }
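 /**
  * Prepares the search definition for the requested search type.
  *
  * @param string $search One of 'request'/'workrequest', 'roles',
  *   'user'/'users' or 'organisation'. Any other value only logs a warning
  *   and leaves the field and join maps empty.
  */
 function __construct($search)
 {
     $this->searchtable = null;
     $this->gettodbfields = array();
     $this->gettodbjoins = array();
     $this->newobject = null;
     // A constructor's return value is discarded, so the fill* helpers are
     // simply called; aliases of the same search share one case.
     switch ($search) {
         case 'request':
         case 'workrequest':
             $this->fillWorkRequest();
             break;
         case 'roles':
             $this->fillRoles();
             break;
         case 'user':
         case 'users':
             $this->fillUser();
             break;
         case 'organisation':
             $this->fillOrganisation();
             break;
         default:
             error_logging('WARNING', "Search type {$search} doesn't exist.");
             break;
     }
 }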
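 /**
  * Performs the fetch of the work request
  *
  * @param $params
  *   Associative array of parameters
  *   - $params['GET']['wr']: Work Request ID or comma-separated list of IDs
  *   @return
  *    - A response whose data holds one WrmsWorkRequest per accessible ID,
  *      and a 403 error entry for each ID the user may not view
  *    - Error message if wr was missing or malformed
  */
 function run($params)
 {
     // isset() avoids an undefined-index notice when the key is absent.
     $wr = isset($params['GET']['wr']) ? $params['GET']['wr'] : null;
     if ($wr === null || $wr === '') {
         error_logging('WARNING', "No work request number (wr) provided.");
         return new error('No work request number (wr) provided.');
     }
     // Digits and commas only. \z (rather than $) also rejects a trailing
     // newline, so only this exact shape ever reaches the SQL below.
     if (!preg_match('/^\d+(,\d+)*\z/', $wr)) {
         error_logging('WARNING', 'Provided work request (wr) of; "' . $wr . '" argument does not match required format.');
         return new error('Bad work request (wr) argument. Argument must be in the format of one or more integers seperated by commas.');
     }
     $access = access::getInstance();
     $response = new response('Success');
     // Safe to interpolate: $wr passed the integer-list check above.
     $sql = 'SELECT * FROM request WHERE request_id IN (' . $wr . ')';
     $result = db_query($sql);
     while ($row = db_fetch_object($result)) {
         // Per-row access check so a mixed list only exposes permitted requests.
         if ($access->permitted('wr/view', $row->request_id)) {
             $object = new WrmsWorkRequest();
             $object->populate($row);
             $object->populateChildren();
             $response->data[] = $object;
         } else {
             $response->data[] = new error('You cannot access this work request.', 403);
             # EKM TODO add id not allowed option
         }
     }
     return $response;
 }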
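 /**
  * Private functions - we don't want others calling these directly
  * Yay for php5!
  *
  * Renders $this->response as HTML: objects and arrays go through
  * __recurse_html(), a non-empty scalar is returned as-is, anything else
  * yields a "No response" paragraph.
  *
  * @return string
  */
 private function __render_html()
 {
     error_logging('DEBUG', 'Rendering with __render_html');
     if (is_object($this->response) || is_array($this->response)) {
         return $this->__recurse_html($this->response);
     }
     // empty() also treats the string "0" as "no response".
     if (!empty($this->response)) {
         // Returned verbatim: if this value can carry user-supplied text the
         // caller is responsible for escaping it for the HTML context.
         return $this->response;
     }
     return '<p>No response</p>';
 }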
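 /**
  * Copies every field of $row onto this object as a property.
  *
  * @param array|object|null $row column => value pairs; an object is
  *   converted with get_object_vars() first.
  * @return bool false when $row is null or neither array nor object, true
  *   once the fields have been assigned (the previous version returned null
  *   on success).
  */
 public function populateNow($row = null)
 {
     error_logging('DEBUG', "usr::populateNow() - begins");
     if (is_null($row)) {
         return false;
     }
     if (is_object($row)) {
         $row = get_object_vars($row);
     }
     if (!is_array($row)) {
         return false;
     }
     foreach ($row as $k => $v) {
         // The log line belongs inside the loop: $k and $v only exist per
         // iteration (it previously referenced them before the loop).
         // NOTE(review): a usr row appears to include the password hash
         // column; consider logging only the key names at this level.
         error_logging('DEBUG', "usr::populateNow() - Adding {$k} -> {$v}");
         $this->{$k} = $v;
     }
     return true;
 }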
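/**
 * set_error_handler() callback: fatal-class errors and warnings are logged,
 * rendered to the client as a 500 error response and terminate the script;
 * every other level is handed back to PHP's default handling.
 *
 * @param int    $errno   E_* level of the error
 * @param string $errstr  error message
 * @param string $errfile file where the error was raised
 * @param int    $errline line where the error was raised
 * @return bool false for levels not handled here; the handled branches never
 *   return because they exit.
 */
function errorHandler($errno, $errstr, $errfile, $errline)
{
    switch ($errno) {
        /*
         * If we hit an actual error
         */
        case E_ERROR:
        case E_CORE_ERROR:
        case E_COMPILE_ERROR:
        case E_USER_ERROR:
        case E_RECOVERABLE_ERROR:
            error_logging('ERROR', $errstr . ' in ' . $errfile . ' on line ' . $errline);
            $response_renderer = response_renderer::getInstance();
            // File and line stay in the log; only the message goes to the client.
            $error = new error($errstr, 500);
            echo $response_renderer->render($error);
            exit;
        case E_WARNING:
        case E_CORE_WARNING:
        case E_COMPILE_WARNING:
        case E_USER_WARNING:
            error_logging('WARNING', $errstr . ' in ' . $errfile . ' on line ' . $errline);
            $error_array = explode(' ', $errstr);
            $response_renderer = response_renderer::getInstance();
            /*
             * As we hit errors, we should add nice explainations here
             */
            if ($error_array[0] === 'pg_query()') {
                $errstr = 'An error occured with a database query, please try again. If the issue persists, please contact support';
            }
            // NOTE(review): every other warning still echoes the raw engine
            // message (which may embed paths or query text) to the client;
            // a generic message as used for pg_query() would be safer.
            $error = new error($errstr, 500);
            echo $response_renderer->render($error);
            exit;
        default:
            return false;
    }
}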
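 /**
  * Performs the fetch of allocated users
  *
  * @param $params
  *   Associative array of parameters
  *   - $params['GET']['wr']: Work Request ID
  *   @return
  *     A response whose 'allocated' entry is an array of user objects
  *     An error response when wr is missing or access is denied
  */
 function run($params)
 {
     // isset() avoids an undefined-index notice when the key is absent.
     $request_id = isset($params['GET']['wr']) ? $params['GET']['wr'] : null;
     if ($request_id === null || $request_id === '') {
         error_logging('WARNING', "No work request number (wr) provided.");
         return new error('No work request number (wr) provided.');
     }
     $access = access::getInstance();
     if (!$access->permitted('wr/view', $request_id)) {
         return new error('Access denied', '403');
     }
     // NOTE(review): the request-supplied id is passed through db_query()'s
     // %d placeholder rather than concatenated; confirm that db_query()
     // formats it as an integer.
     $result = db_query('SELECT allocated_to_id FROM request_allocated WHERE request_id = %d', $request_id);
     $users = array();
     while ($row = db_fetch_object($result)) {
         $users[] = new user($row->allocated_to_id);
     }
     $response = new response('Success');
     $response->set('allocated', $users);
     return $response;
 }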
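 /**
  * Runs every queued permission check against $object/$user and returns the
  * combined verdict.
  *
  * Each check's performCheck() result is recorded in a results map and a
  * single true result makes the final result true. Unless the
  * 'aggegrate_results' or 'force_full_chain' option is set, the loop stops at
  * the first true result. With 'aggegrate_results', every queued
  * processResult() command may then adjust the map and the result (both are
  * passed by reference).
  *
  * @param object $object object being accessed (by reference, as the checks expect)
  * @param object $user   user being authorised (by reference)
  * @return bool
  */
 public function execute(&$object, &$user)
 {
     //function returns this var, default should be false
     $result = false;
     //stores the result from each called permission
     $results_map = array();
     //Iternates though the checks_queue
     foreach ($this->checks_queue as $check) {
         //Gets the result of the current permission check
         //Note that $object and $user are passed by reference through the permission class
         error_logging('DEBUG', 'Executing performCheck on ' . get_class($check['class']));
         $local_result = $check['class']->performCheck($object, $user);
         //If the local result is true then the final result should be true
         //This is to prevent false being set if a further check fails when forcing a full chain
         if ($local_result) {
             $result = true;
         }
         //Add the current result to the results map
         $results_map[] = array('result' => $local_result, 'class' => get_class($check['class']));
         //If this is standard processing break the foreach and return the result if $local_result is true
         if ($local_result && !$this->options['aggegrate_results'] && !$this->options['force_full_chain']) {
             break;
         }
     }
     //If the aggegrate_results option has been set process the result
     if ($this->options['aggegrate_results'] && !empty($this->process_queue)) {
         //Iternate through the process_queue
         foreach ($this->process_queue as $command) {
             //Execute each procesResult method
             //$results_map and $result are passed by reference
             error_logging('DEBUG', 'Executing processResult on ' . get_class($command['class']));
             // Bug fix: this used to pass the undefined $result_map, so the
             // processors never saw the collected results.
             $command['class']->processResult($results_map, $result);
         }
     }
     //Return the final result
     return $result;
 }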
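 /**
  * Lazy accessor for the child collections of a work request.
  *
  * 'timesheets' and 'notes' are loaded on first access via
  * populateChildren(); every other name is delegated to the parent's __get().
  * Declared public because PHP requires magic methods to be public.
  *
  * @param string $name property name
  * @return mixed
  */
 public function __get($name)
 {
     error_logging('DEBUG', "Calling WrmsWorkRequest.__get with {$name}");
     switch ($name) {
         case 'timesheets':
             if ($this->timesheets == null) {
                 $this->populateChildren();
             }
             return $this->timesheets;
         case 'notes':
             if ($this->notes == null) {
                 $this->populateChildren();
             }
             return $this->notes;
     }
     // Bug fix: the parent's value was computed but never returned.
     return parent::__get($name);
 }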
파일: index.php 프로젝트: Br3nda/medusa
}
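// Dispatch: every call needs a valid session except the login method itself.
if (!isset($params['POST']['session_id'])) {
    # Problem, complain not logged in and boot out, unless doing a login
    if ($method === 'wrms_login' && class_exists($method)) {
        error_logging('DEBUG', "Creating class login::");
        $class = new wrms_login();
        $result = $class->run($params);
    } else {
        $result = new error("Session not set.");
        error_logging('WARNING', 'session_id not set');
    }
} else {
    // set() reports a rejected user with an error object rather than throwing;
    // getInstance() below is what decides whether a user was installed.
    currentuser::set(new user(login::check_session($params['POST']['session_id'])));
    if (currentuser::getInstance() != null) {
        // $method is request-derived and is used to instantiate a class, so
        // it is restricted to the wrms_ prefix plus identifier characters
        // before class_exists() hands it to the autoloader.
        if (preg_match('/^wrms_[A-Za-z0-9_]+$/', $method) && class_exists($method)) {
            $access = access::getInstance();
            $access->setUser(currentuser::getInstance());
            error_logging('DEBUG', "method {$method} exists");
            $class = new $method();
            error_logging('DEBUG', "about to run {$method}");
            $result = $class->run($params);
        } else {
            error_logging('WARNING', "Method {$method} does not exist");
            $result = new error("The method you are trying to call does not exist");
        }
    } else {
        error_logging('DEBUG', "Session is invalid, timed out, or no longer exists.");
        $result = new error("Session is invalid, timed out, or no longer exists.");
    }
}
echo $response_renderer->render($result);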
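 /**
  * Decides whether the current user may perform $action on $object.
  *
  * Two global switches short-circuit the check: AUTHORIZE_FREE_ACCESS grants
  * everything (anonymous included) and AUTHORIZE_ALLOW_ALL grants any request
  * that has a user set. Otherwise the permission chain registered for $action
  * is built once, cached in $this->chains and executed; an action with no
  * queued permissions is denied.
  *
  * @param string $action permission identifier, e.g. 'wr/view'
  * @param mixed  $object the thing being accessed, handed to the chain
  * @return bool
  */
 public function permitted($action, $object)
 {
     error_logging('DEBUG', "Executing permissions check for {$action}");
     if (defined('AUTHORIZE_FREE_ACCESS') && constant('AUTHORIZE_FREE_ACCESS')) {
         //Free access to all requests including anonymous
         error_logging('DEBUG', "Allowing access to all sessions including anonymous");
         return true;
     }
     if (defined('AUTHORIZE_ALLOW_ALL') && constant('AUTHORIZE_ALLOW_ALL')) {
         //Free access to logged in users
         error_logging('DEBUG', "Allowing access to all autheticated sessions");
         if ($this->user) {
             //Got a filled user object, thus a logged in users
             error_logging('DEBUG', "User is logged in, granting permission");
             return true;
         }
         //Empty users object, must be an anonymous user
         error_logging('DEBUG', "User is not logged in, witholding permission");
         return false;
     }
     $queue = $this->getQueue($action);
     if (empty($queue)) {
         //No permissions to process so return false as false as default (deny)
         return false;
     }
     if (!isset($this->chains[$action])) {
         //A brand new permission chain is necessary; it is only cached once
         //fully built so a failure half-way does not leave a partial chain.
         $chain = new permissionsChain();
         foreach ($queue as $item) {
             //Foreach queued permission include the file and add to the chain
             //(file and class names come from getQueue(), not from the request)
             $this->includeFile($item['file']);
             $chain->addCommand(new $item['class'](), $item['weight']);
         }
         //Sorts commands into correct order
         $chain->sortCommands();
         $this->chains[$action] = $chain;
     }
     return $this->chains[$action]->execute($object, $this->user);
 }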
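 /**
  * Checks the username and password of a user and returns their ID if they are valid
  *
  * Two stored formats are understood:
  *   - *salt*{SSHA}base64(sha1(password . salt, raw) . salt)
  *   - *salt*md5(salt . password)
  * Both are legacy constructions kept for the existing rows; a move to
  * password_hash()/password_verify() would require re-hashing on login.
  *
  * @param $username The username of the person logging in - unclean data
  * @param $password The password of the person logging in - unclean data, never logged
  * @param $user_id The ID of the user, which we will set if their details are correct (passed by reference)
  * @param $response A string of text explaining the true/false result
  * @return TRUE if credentials are valid, FALSE if they are not
  */
 private function valid_credentials($username, $password, &$user_id, &$response)
 {
     assert(!is_null($username));
     assert(!is_null($password));
     // Log the username only: this line previously wrote the clear-text
     // password to the debug log.
     error_logging('DEBUG', "checking credentials of {$username}");
     // See if they even exist
     $result = db_query("SELECT user_no, password, active from usr where username=%s", $username);
     // Handles the unclean username - <3 Database Abstraction
     if (!($row = db_fetch_object($result))) {
         // Invalid username, but lets not give any clues.
         error_logging('DEBUG', "{$username} was not found in the usr table");
         $response = "Invalid username or password";
         return false;
     }
     $hash = $row->password;
     /*
      * This is a cheap and easy way to check mulitple passwords, should eventually refactor into something better
      *
      * Alternate password format: *salt*SHA1hash
      */
     if (preg_match('/^\\*(.+)\\*{[A-Z]+}.+$/', $hash, $matches)) {
         //Salted SHA1: rebuild the stored form from the salt and the received password
         $salt = $matches[1];
         $hash_of_received = sprintf("*%s*{SSHA}%s", $salt, base64_encode(sha1($password . $salt, true) . $salt));
     } elseif (preg_match('/^\\*(.+)\\*.+$/', $hash, $matches)) {
         // Salted MD5: get the salt and hash the password we received
         $salt = $matches[1];
         $hash_of_received = sprintf("*%s*%s", $salt, md5($salt . $password));
     } else {
         $response = "Invalid password format";
         return false;
     }
     // Constant-time comparison so the response time does not depend on how
     // many leading bytes of the stored hash matched.
     if (!hash_equals($hash, $hash_of_received)) {
         $response = "Invalid username or password";
         return false;
     }
     // Check to see if they are still active.
     if ($row->active != 't') {
         $response = "Your account has been disabled.";
         return false;
     }
     $user_id = $row->user_no;
     return true;
 }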
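 /**
  * query database
  * @param array two-element array with SQL query in 0 and binds array in 1
  *   (the binds may be omitted for a statement without placeholders)
  * @return PDOStatement|false PDO statement that may be iterated over, or
  *   false when preparing or executing threw a PDOException (the failure is
  *   logged with the SQL and its binds)
  */
 public static function query($query)
 {
     $sql = $query[0];
     $binds = isset($query[1]) ? $query[1] : array();
     try {
         // Prepared statement: the SQL text is fixed and the values travel
         // to the driver separately as binds.
         $stmt = self::connect()->prepare($sql);
         $stmt->execute($binds);
         return $stmt;
     } catch (PDOException $e) {
         // NOTE(review): the bind values are written to the log verbatim; if
         // they can carry secrets (passwords, tokens) consider redacting them.
         error_logging('ERROR', 'QUERY FAILED: ' . $sql . ' ' . print_r($binds, true) . ' ' . $e->getMessage());
         return false;
     }
 }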