/**
 * Send a redirect to $url and terminate the request.
 *
 * A value without any scheme is first anchored under the request base URL;
 * anything that then still lacks an http(s):// or ftp:// scheme is made
 * absolute using the current scheme, host and port. Values that already
 * carry http(s)/ftp are passed through unchanged.
 *
 * NOTE(review): the absolute-URL branch trusts $_SERVER['HTTP_HOST'], i.e. the
 * client-supplied Host header. Unless the web server restricts the hostnames it
 * accepts, a spoofed Host steers the redirect to an attacker-chosen host.
 * Likewise, scheme-qualified input is forwarded as-is, so callers must not pass
 * attacker-controlled absolute URLs (open redirect). Neither can be verified
 * from this method alone.
 *
 * @param string   $url      Target location (relative path or absolute URL)
 * @param Request  $request  Current request; supplies the base URL
 * @param Response $response Response object that carries the Location header
 * @param int      $code     HTTP status code, 302 by default
 * @return void              Never returns: exits after the headers are sent
 */
public function redirect($url, Request $request, Response $response, $code = 302)
{
    // Header-injection guard: a Location value must not contain CR or LF.
    $target = str_replace(array("\n", "\r"), '', $url);

    // No scheme at all: anchor the path under the application base URL.
    // ltrim() also collapses a leading "//", so a protocol-relative value
    // cannot escape to a foreign host through this branch.
    $hasScheme = preg_match('|^[a-z]+://|', $target) === 1;
    if (!$hasScheme) {
        $base = rtrim($request->getBaseUrl(), '/');
        $prefix = ($base && '/' != $base) ? $base . '/' : '/';
        $target = $prefix . ltrim($target, '/');
    }

    // Anything that is not http(s)/ftp is turned into an absolute URL for
    // the current origin.
    if (preg_match('#^(https?|ftp)://#', $target) !== 1) {
        $host = isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : '';
        $secure = isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== "off";
        $proto = $secure ? 'https' : 'http';
        $port = isset($_SERVER['SERVER_PORT']) ? $_SERVER['SERVER_PORT'] : 80;

        $origin = $proto . '://' . $host;
        $defaultPort = $secure ? 443 : 80;
        // Append a non-default port only when HTTP_HOST does not already
        // carry one (strrchr on ':' detects that).
        if ($defaultPort != $port && strrchr($host, ':') === false) {
            $origin .= ':' . $port;
        }
        $target = $origin . '/' . ltrim($target, '/');
    }

    $response->setRedirect($target, $code);
    $response->sendHeaders();
    exit;
}
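/**
 * Render the "404 Not Found" page for a request that no route matched.
 *
 * Fix: the previous version only sent header("Status: 404 Not Found"). That
 * CGI-style header is honoured by the CGI/FastCGI SAPIs but, e.g. under
 * Apache's mod_php, it goes out as an ordinary header and the client still
 * receives a 200. The real status line is now set as well (the third
 * argument of header() forces the response code in every SAPI); the Status
 * header is kept for the SAPIs that consume it.
 *
 * @param Request  $request  The unmatched request; its URI is handed to the view
 * @param Response $response Not used here: the page writes straight to output
 * @param array    $config   Merged application configuration (not used here)
 * @return void
 */
public function handle(Request $request, Response $response, array $config)
{
    $view = new View(__DIR__ . '/../View');

    // NOTE(review): the raw request URI is attacker-controlled. The 404
    // template must HTML-escape $page before echoing it, otherwise this is a
    // reflected XSS; the template is not visible here - confirm.
    $view->page = $request->getRequestUri();

    if (!headers_sent()) {
        $protocol = isset($_SERVER['SERVER_PROTOCOL']) ? $_SERVER['SERVER_PROTOCOL'] : 'HTTP/1.0';
        header($protocol . ' 404 Not Found', true, 404);
        header("Status: 404 Not Found");
    }

    echo $view->render('404');
}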
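/**
 * Front controller: match the request URI to a page class, run the page and
 * send the response.
 *
 * Unmatched URIs are handed to \Error\Pages\Index (the 404 page). An
 * exception thrown while dispatching is shown through \Error\Pages\Exc when
 * env is "development"; otherwise it is logged and a bare 500 is returned.
 *
 * Fixes relative to the previous version:
 *  - the catch block re-read ob_get_level() into $level and then looped
 *    "while (ob_get_level() > $level)", which can never execute, so the
 *    buffer opened before $page->doHandle() stayed open and PHP flushed the
 *    partial page output at shutdown. The base depth is now recorded before
 *    the try and the buffers are unwound to it on failure.
 *  - outside development the exception was swallowed silently, so the
 *    partial output went out with a 200 status. It is now logged server-side
 *    and a generic 500 is sent; no exception detail reaches the client.
 *
 * @return void
 */
public function run()
{
    // Output-buffer depth on entry; everything above it belongs to this request.
    $baseLevel = ob_get_level();

    try {
        $request = new Request();
        $response = new Response();

        $uri = $this->urlPath ? $this->urlPath : $request->getRequestUri();
        $matches = $this->config->get('mapper')->match($uri);

        if ($matches === false) {
            $error = new \Error\Pages\Index();
            $error->doHandle($request, $response, $this->config->all());
            return;
        }

        if (!class_exists($matches['class'])) {
            throw new \RuntimeException($matches['class'] . ' class does not exist');
        }

        /**
         * Class to module - page map
         *
         * Test\Pages\Index
         * \__/ \___/
         * module page
         */
        $class = $matches['class'];
        $module = substr($class, 0, stripos($class, '\\'));
        $request->setModule($module);
        $request->setPage(substr($class, strrpos($class, '\\') + 1));
        $request->setParams($matches['matches']);

        $page = new $class();

        // A module may ship its own INI that is layered over the main config.
        // $module is derived from the routing table entry, not from the URI.
        $moduleIni = BASE_PATH . '/app/' . $module . '/Config/module.ini';
        if ($page->isConfigEnabled() && file_exists($moduleIni)) {
            $moduleConfig = new Configuration($moduleIni);
            $this->config->merge($moduleConfig);
        }

        // Capture whatever the page echoes and move it into the response body.
        ob_start();
        $page->doHandle($request, $response, $this->config->all());
        $response->appendBody(ob_get_clean());
        $response->sendResponse();
    } catch (\Exception $e) {
        // Discard partial page output so it cannot leak alongside the error.
        while (ob_get_level() > $baseLevel) {
            ob_end_clean();
        }

        if ($this->config->get('env') == 'development') {
            $exc = new \Error\Pages\Exc();
            $exc->debug($e);
            return;
        }

        // Production: keep the details in the server log only.
        error_log((string) $e);
        if (!headers_sent()) {
            $protocol = isset($_SERVER['SERVER_PROTOCOL']) ? $_SERVER['SERVER_PROTOCOL'] : 'HTTP/1.0';
            header($protocol . ' 500 Internal Server Error', true, 500);
        }
    }
}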
/**
 * Check to see if the user is allowed for the request.
 *
 * The ACL is an allowlist: the request passes only when one configured
 * resource names exactly (strict string comparison) the request's module
 * and page; that resource's params are then attached to the request. A
 * module/page pair that is not listed is denied.
 *
 * @param Request $request
 * @return boolean True when a matching resource exists, false otherwise
 */
public function isAllowed(Request $request)
{
    $wantedModule = $request->getModule();
    $wantedPage = $request->getPage();

    foreach ($this->resources as $resource) {
        if ($resource['module'] !== $wantedModule || $resource['page'] !== $wantedPage) {
            continue;
        }
        $request->setResourceParams($resource['params']);
        return true;
    }

    return false;
}
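/**
 * Each request needs to be checked against CSRF.
 *
 * Gate every page: deny when the ACL rejects the request or the user is
 * locked, then enforce CSRF - an X-CSRF-Token header on Ajax requests, the
 * "sec" parameter on non-Ajax POSTs - before handing over to handle().
 *
 * Fixes relative to the previous version:
 *  - a leftover `var_dump($_SESSION); exit;` in the POST failure path dumped
 *    the whole session (CSRF token included) to the client and made the
 *    forward unreachable; removed.
 *  - the Ajax check was `$isAjax && ($headers = apache_request_headers()) && ...`,
 *    so an empty header list (or a false return where the function is not
 *    available) made the whole condition false and the token was never
 *    checked - fail-open. A missing header list now counts as a failed check.
 *  - header-name lookup was case-sensitive; names are normalised to lower case.
 *  - token comparison is constant-time via hash_equals() where the runtime
 *    provides it (PHP >= 5.6), and a missing session token always denies.
 *  - the locked-user denial now passes $isAjax to forward(), matching the
 *    permission denial just above it.
 *
 * @param Request  $request
 * @param Response $response
 * @param array    $config
 * @return mixed   Whatever handle() returns, or null when the request is forwarded
 */
public function doHandle(Request $request, Response $response, array $config)
{
    $isAjax = $request->isXmlHttpRequest();
    $acl = Acl::getInstance();

    // bail out if user doesn't have permissions
    if (!$acl->isAllowed($request)) {
        $this->forward($request, $response, $isAjax);
        return;
    }

    $user = $acl->getUser();

    // bail out if the user is locked
    if ($user && $user['is_locked'] == 1) {
        $this->forward($request, $response, $isAjax);
        return;
    }

    $sessionToken = isset($_SESSION['__token']) ? $_SESSION['__token'] : null;

    // Both sides must be strings; anything else (absent token, array-valued
    // parameter) is a mismatch. hash_equals() avoids a timing side channel.
    $tokenMatches = function ($expected, $given) {
        if (!is_string($expected) || !is_string($given)) {
            return false;
        }
        if (function_exists('hash_equals')) {
            return hash_equals($expected, $given);
        }
        return $expected === $given;
    };

    /**
     * Ajax - check CSRF.
     *
     * Fail closed: no header list, no header, or a mismatch all deny.
     */
    if ($isAjax) {
        $headers = function_exists('apache_request_headers') ? apache_request_headers() : false;
        $presented = null;
        if (is_array($headers)) {
            $headers = array_change_key_case($headers, CASE_LOWER);
            if (isset($headers['x-csrf-token'])) {
                $presented = $headers['x-csrf-token'];
            }
        }
        if (!$tokenMatches($sessionToken, $presented)) {
            $this->forward($request, $response, true);
            return;
        }
    }

    /**
     * Don't deliver sensitive data against GET request.
     *
     * POST - check CSRF.
     *
     * @TODO IMPROVE / FIND AN EFFICIENT WAY TO CHECK AGAINST GET REQUESTS
     */
    if (!$isAjax && $request->isPost()) {
        if (!$tokenMatches($sessionToken, $request->getParam('sec'))) {
            $this->forward($request, $response);
            return;
        }
    }

    return $this->handle($request, $response, $config);
}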