/** preview a page that is maybe still under embargo/already expired * * if the user has permissions to preview the specified page, she is * redirected to the regular site with a special one-time permission to view * a page, even if that page is under embargo or already expired (which * normally would prevent any user from viewing that page). * * There are several ways to implement such a one-off permit, e.g. * by setting a quasi-random string in the session and specifying that * string as a parameter to index.php. If (in index.php) the string provided matches * ths string in the session, the user is granted access. However, this * leaves room for the user to manually change the node id to _any_ * number, even a node that that user is not supposed to see. * * Another solution might have been to simply include index.php. * I decided against that; I don't want to have to deal with a mix * of admin.php and index.php-code in the same run. * * I took a slightly different approach, as follows. * First I generate a quasi-random string of N (N=32) characters. * (The lenght of 32 is an arbitrary choice.) * This string is stored in the session variable. * Then I store the requested node in the session variable, too. * After that I calculate the md5sum of the combination of the * random string and the node id. This yields a hash. * This hash is passed on to index.php as the sole parameter. * * Note that the quasi-random key never leaves the server: it is * only stored in the session variables. Also, the node id is not * one of the parameters of index.php, this too is only stored in * the session variables. * * Once index.php is processed, the specified md5sum is retrieved * and a check is performed on the node id and the quasi-random string * in the session variables in order to see if the hashes match. If * this is the case, index.php can proceed to show the page preview. * Note that there is no way for the user to manipulate the node id, * because that number never travels to the user's browser in plain * text. * * Making a bookmark for the preview will use the hash, but the hash * depends on a quasi-random string stored in the session. It means * that when the session is terminated, the bookmarked page will no * longer be visible, which is good. Also, whenever another page * preview is requested, a new quasi-random string is generated, * which also invalidates the bookmarked page. * * The only thing that CAN happen is that the user saves the preview in * a place where it can be seen by others. Also, the page will probably * be cached in the user's browser. * * With respect to permissions: I consider the preview privilege equivalent * with edit permission: if the user is able to edit the node she can see * the content of the node anyway. However, maybe we should look at different * permissions. Put it on the todo-list. * * @return void results are returned as output in $this->output * @uses $CFG * @todo the check on permissions can be improved (is PERMISSION_XXXX_EDIT_NODE enough?) * @todo there is an issue with redirecting to another site: * officially the url should be fully qualified (ie. $CFG->www). * I use the shorthand, possibly without scheme and hostname * ($CFG->www_short). This might pose a problem with picky browsers. * See {@link calculate_uri_shortcuts} for more information. */ function task_page_preview() { global $CFG; // 1A -- do we have a sane value for node_id? $node_id = get_parameter_int('node', 0); $anode = array('{NODE}' => strval($node_id)); if ($node_id == 0 || !isset($this->tree[$node_id])) { // are they trying to trick us, specifying a node from another area? logger(__FUNCTION__ . "(): weird: user previews node '{$node_id}' working in area '{$this->area_id}'?"); $this->output->add_message(t('invalid_node', 'admin', $anode)); $this->task_treeview(); return; } // 1B -- is it a page? if (!$this->tree[$node_id]['is_page']) { logger(__CLASS__ . ": weird: cannot preview content of a section (section '{$node_id}')"); $this->task_treeview(); return; } // 2 -- does the user have permission to edit and thus view this page at all? $user_has_permission = $this->permission_edit_node_content($node_id) || $this->permission_edit_node($node_id, $this->tree[$node_id]['is_page']); if ($user_has_permission) { $random_string = quasi_random_string(32); $_SESSION['preview_salt'] = $random_string; $_SESSION['preview_node'] = $node_id; $_SESSION['preview_area'] = $this->area_id; $hash = md5($_SESSION['preview_salt'] . $_SESSION['preview_node']); session_write_close(); redirect_and_exit($CFG->www_short . '/index.php?preview=' . $hash); // we never reach this point } else { $msg = t('access_denied', 'admin'); $this->output->add_message($msg); $this->output->add_popup_bottom($msg); $this->output->add_content('<h2>' . $msg . '</h2>'); $this->output->add_content(t('access_denied_preview', 'admin')); } }
/** generate a quasi random string to salt the password hash * * this generates a quasi-randomg string of digits and letters * to be used as a salt when calculating a password hash. * * @param int $length the number of characters in the generated string * @return string quasi-random string */ function password_salt($length = 12) { return quasi_random_string($length, QUASI_RANDOM_DIGITS_UPPER_LOWER); }