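/**
 * Verifies security for the incoming request (but does not check user access).
 *
 * First ensures that the request targets a loaded, available and enabled
 * course/controller, rejecting it otherwise. The password parameter is then checked.
 * Two forms are handled:
 *  - "uuid|password": an object-specific password, verified by the controller's
 *    check_authorisation(); on success the object is pinged to mark it active.
 *  - a plain prim password, compared against the controller's own password.
 *
 * Security notes:
 *  - This authenticates the calling object/prim only; callers must still perform
 *    their own user access checks.
 *  - The prim-password comparison is type-strict and constant-time. A loose '!='
 *    lets PHP compare numeric-looking strings numerically, so two different
 *    strings could be treated as equal.
 *
 * @param bool $require If true, the function will NOT return on authentication failure.
 *                      Rather, it will terminate the script with an error message.
 * @return bool true if successful in authenticating the request, or false if not.
 */
function authenticate_request($require = true)
{
    // Make sure that the request data has been processed
    if (!$this->request->is_request_data_processed()) {
        $this->request->process_request_data();
    }

    // Make sure the controller ID parameter was specified
    if ($this->request->get_controller_id($require) === null) {
        return false;
    }

    // Make sure we've got a valid course and controller object
    if (!$this->course->controller->is_loaded()) {
        if ($require) {
            $this->response->quick_output(-514, 'COURSE', 'Course controller could not be accessed.', false);
            exit;
        }
        return false;
    }
    if (!$this->course->is_loaded()) {
        if ($require) {
            $this->response->quick_output(-512, 'COURSE', 'Course could not be accessed.', false);
            exit;
        }
        return false;
    }

    // Make sure the course is available
    if (!$this->course->is_available()) {
        if ($require) {
            $this->response->quick_output(-513, 'COURSE', 'Course not available.', false);
            exit;
        }
        return false;
    }

    // Make sure the controller is available
    if (!$this->course->controller->is_available()) {
        if ($require) {
            $this->response->quick_output(-514, 'COURSE', 'Course controller not available.', false);
            exit;
        }
        return false;
    }

    // Make sure the controller is enabled
    if (!$this->course->controller->is_enabled()) {
        if ($require) {
            $this->response->quick_output(-514, 'COURSE', 'Course controller disabled.', false);
            exit;
        }
        return false;
    }

    // Get the password parameter.
    // A missing or empty value is rejected, and so is anything that is not a scalar:
    // a non-scalar value cannot be split or compared as a password string below.
    // NOTE(review): the return type of get_password() is not visible here - confirm
    // whether it can ever yield a non-scalar value.
    $password = $this->request->get_password($require);
    if ($password == null || !is_scalar($password)) {
        if ($require) {
            $this->response->quick_output(-212, 'OBJECT_AUTH', 'Prim Password cannot be empty.', false);
            exit;
        }
        return false;
    }
    $password = (string) $password;

    // Does the password contain an object UUID?
    $parts = explode('|', $password);
    if (count($parts) >= 2) {
        $objuuid = $parts[0];
        $objpwd = $parts[1];

        // Make sure the password was provided
        if (empty($objpwd)) {
            if ($require) {
                $this->response->quick_output(-212, 'OBJECT_AUTH', 'Object-specific password not specified.', false);
                exit;
            }
            return false;
        }

        // Verify the object's authorisation.
        // NOTE(review): check_authorisation() is defined elsewhere - confirm that it
        // also compares the secret strictly and in constant time.
        if ($this->course->controller->check_authorisation($objuuid, $objpwd)) {
            // Passed authorisation - make sure the object is registered as being still active
            $this->course->controller->ping_object($objuuid);
            return true;
        }

        if ($require) {
            $this->response->quick_output(-213, 'OBJECT_AUTH', 'Object-specific password was invalid.', false);
            exit;
        }
        return false;
    }

    // Get the controller password (fetched once and reused for both checks below)
    $controllerpwd = (string) $this->course->controller->get_password();

    // Prim Password access is disabled if no password has been specified
    if ($controllerpwd === '') {
        if ($require) {
            $this->response->quick_output(-213, 'OBJECT_AUTH', 'Access to this Controller by prim password has been disabled.', false);
            exit;
        }
        return false;
    }

    // Check that the passwords match.
    // hash_equals() compares as strings (no numeric type juggling) and takes the same
    // time wherever the first mismatch falls. The strict '===' fallback keeps the
    // type-safety on PHP builds that lack hash_equals().
    if (function_exists('hash_equals')) {
        $matches = hash_equals($controllerpwd, $password);
    } else {
        $matches = ($controllerpwd === $password);
    }
    if (!$matches) {
        if ($require) {
            $this->response->quick_output(-213, 'OBJECT_AUTH', 'Prim password was invalid.', false);
            exit;
        }
        return false;
    }

    return true;
}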