static function login($user) { if (identity::is_writable()) { $user->login_count += 1; $user->last_login = time(); $user->save(); } identity::set_active_user($user); log::info("user", t("User %name logged in", array("name" => $user->name))); module::event("user_login", $user); }
static function gallery_ready() { $sso_username = Input::instance()->server("REMOTE_USER"); $user = Session::instance()->get("user"); if (empty($user) || $user->name != $sso_username) { try { identity::set_active_user(identity::lookup_user_by_name($sso_username)); } catch (Exception $e) { Kohana_Log::add("error", "Couldn't authenticate as {$sso_username}: " . $e->getMessage() . "\n" . $e->getTraceAsString()); } } }
public function viewable_test() { $root = ORM::factory("item", 1); $album = album::create($root, rand(), rand(), rand()); $item = self::_create_random_item($album); identity::set_active_user(identity::guest()); // We can see the item when permissions are granted access::allow(identity::everybody(), "view", $album); $this->assert_equal(1, ORM::factory("item")->viewable()->where("id", "=", $item->id)->count_all()); // We can't see the item when permissions are denied access::deny(identity::everybody(), "view", $album); $this->assert_equal(0, ORM::factory("item")->viewable()->where("id", "=", $item->id)->count_all()); }
public function viewable_test() { $album = test::random_album(); $item = test::random_photo($album); $album->reload(); identity::set_active_user(identity::guest()); // We can see the item when permissions are granted access::allow(identity::everybody(), "view", $album); $this->assert_equal(1, ORM::factory("item")->viewable()->where("id", "=", $item->id)->count_all()); // We can't see the item when permissions are denied access::deny(identity::everybody(), "view", $album); $this->assert_equal(0, ORM::factory("item")->viewable()->where("id", "=", $item->id)->count_all()); }
public function cant_view_comments_for_unviewable_items_test() { $root = ORM::factory("item", 1); $album = album::create($root, rand(), rand(), rand()); $comment = comment::create($album, identity::guest(), "text", "name", "email", "url"); identity::set_active_user(identity::guest()); // We can see the comment when permissions are granted on the album access::allow(identity::everybody(), "view", $album); $this->assert_equal(1, ORM::factory("comment")->viewable()->where("comments.id", "=", $comment->id)->count_all()); // We can't see the comment when permissions are denied on the album access::deny(identity::everybody(), "view", $album); $this->assert_equal(0, ORM::factory("comment")->viewable()->where("comments.id", "=", $comment->id)->count_all()); }
public function post_fails_without_permissions_test() { access::deny(identity::everybody(), "edit", item::root()); identity::set_active_user(identity::guest()); try { $request->params->name = "test tag"; tags_rest::post($request); } catch (Exception $e) { $this->assert_equal(403, $e->getCode()); return; } $this->assert_true(false, "Shouldnt get here"); }
static function change_provider($new_provider) { if (!identity::active_user()->admin && PHP_SAPI != "cli") { // Below, the active user is set to the primary admin. access::forbidden(); } $current_provider = module::get_var("gallery", "identity_provider"); if (!empty($current_provider)) { module::uninstall($current_provider); } try { IdentityProvider::reset(); $provider = new IdentityProvider($new_provider); module::set_var("gallery", "identity_provider", $new_provider); if (class_exists("{$new_provider}_installer") && method_exists("{$new_provider}_installer", "initialize")) { call_user_func("{$new_provider}_installer::initialize"); } if (!$provider->admin_user()) { throw new Exception("IdentityProvider {$new_provider}: Couldn't find the admin user!"); } module::event("identity_provider_changed", $current_provider, $new_provider); identity::set_active_user($provider->admin_user()); Session::instance()->regenerate(); } catch (Exception $e) { static $restore_already_running; // In case of error, make an attempt to restore the old provider. Since that's calling into // this function again and can fail, we should be sure not to get into an infinite recursion. if (!$restore_already_running) { $restore_already_running = true; // Make sure new provider is not in the database try { module::uninstall($new_provider); } catch (Exception $e2) { Kohana_Log::add("error", "Error uninstalling failed new provider\n" . $e2->getMessage() . "\n" . $e2->getTraceAsString()); } try { // Lets reset to the current provider so that the gallery installation is still // working. module::set_var("gallery", "identity_provider", null); IdentityProvider::change_provider($current_provider); module::activate($current_provider); } catch (Exception $e2) { Kohana_Log::add("error", "Error restoring original identity provider\n" . $e2->getMessage() . "\n" . $e2->getTraceAsString()); } message::error(t("Error attempting to enable \"%new_provider\" identity provider, reverted to \"%old_provider\" identity provider", array("new_provider" => $new_provider, "old_provider" => $current_provider))); $restore_already_running = false; } throw $e; } }
public function post_fails_without_permissions_test() { // We have to remove edit permissions from everywhere Database::instance()->query("UPDATE {access_caches} SET edit_1=0"); identity::set_active_user(identity::guest()); try { $request = new stdClass(); $request->params = new stdClass(); $request->params->name = "test tag"; tags_rest::post($request); } catch (Exception $e) { $this->assert_equal(403, $e->getCode()); return; } $this->assert_true(false, "Shouldnt get here"); }
public function cant_view_comments_for_unviewable_items_test() { $album = test::random_album(); $comment = ORM::factory("comment"); $comment->item_id = $album->id; $comment->author_id = identity::admin_user()->id; $comment->text = "text"; $comment->save(); identity::set_active_user(identity::guest()); // We can see the comment when permissions are granted on the album access::allow(identity::everybody(), "view", $album); $this->assert_true(ORM::factory("comment")->viewable()->where("comments.id", "=", $comment->id)->count_all()); // We can't see the comment when permissions are denied on the album access::deny(identity::everybody(), "view", $album); $this->assert_false(ORM::factory("comment")->viewable()->where("comments.id", "=", $comment->id)->count_all()); }
static function set_active_user($access_token) { if (empty($access_token)) { identity::set_active_user(identity::guest()); return; } $key = ORM::factory("user_access_token")->where("access_key", "=", $access_token)->find(); if (!$key->loaded()) { throw new Rest_Exception("Forbidden", 403); } $user = identity::lookup_user($key->user_id); if (empty($user)) { throw new Rest_Exception("Forbidden", 403); } identity::set_active_user($user); }
private function _authenticate() { $auth = new Sabre_HTTP_BasicAuth(); $auth->setRealm(item::root()->title); $authResult = $auth->getUserPass(); list($username, $password) = $authResult; if (!$username || !$password) { $auth->requireLogin(); return false; } $user = identity::lookup_user_by_name($username); if (empty($user) || !identity::is_correct_password($user, $password)) { $auth->requireLogin(); return false; } identity::set_active_user($user); return true; }
public function illegal_access_test() { $album = test::random_album(); $photo = test::random_photo($album); $album->reload(); access::deny(identity::everybody(), "view", $album); identity::set_active_user(identity::guest()); $request = new stdClass(); $request->url = rest::url("data", $photo, "thumb"); $request->params = new stdClass(); $request->params->size = "thumb"; try { data_rest::get($request); $this->assert_true(false); } catch (Kohana_404_Exception $e) { // pass } }
static function set_active_user($access_key) { if (empty($access_key)) { if (module::get_var("rest", "allow_guest_access")) { identity::set_active_user(identity::guest()); return; } else { throw new Rest_Exception("Forbidden", 403); } } $key = ORM::factory("user_access_key")->where("access_key", "=", $access_key)->find(); if (!$key->loaded()) { throw new Rest_Exception("Forbidden", 403); } $user = identity::lookup_user($key->user_id); if (empty($user)) { throw new Rest_Exception("Forbidden", 403); } identity::set_active_user($user); }
/** * Make sure that we have a session and group_ids cached in the session. */ static function load_user() { try { // Call IdentityProvider::instance() now to force the load of the user interface classes. // We are about to load the active user from the session and which needs the user definition // class, which can't be reached by Kohana's heiracrchical lookup. IdentityProvider::instance(); $session = Session::instance(); if (!($user = $session->get("user"))) { identity::set_active_user($user = identity::guest()); } // The installer cannot set a user into the session, so it just sets an id which we should // upconvert into a user. // @todo set the user name into the session instead of 2 and then use it to get the // user object if ($user === 2) { $session->delete("user"); // delete it so that identity code isn't confused by the integer auth::login(IdentityProvider::instance()->admin_user()); } // Cache the group ids for a day to trade off performance for security updates. if (!$session->get("group_ids") || $session->get("group_ids_timeout", 0) < time()) { $ids = array(); foreach ($user->groups() as $group) { $ids[] = $group->id; } $session->set("group_ids", $ids); $session->set("group_ids_timeout", time() + 86400); } } catch (Exception $e) { // Log it, so we at least have so notification that we swallowed the exception. Kohana_Log::add("error", "load_user Exception: " . $e->getMessage() . "\n" . $e->getTraceAsString()); try { Session::instance()->destroy(); } catch (Exception $e) { // We don't care if there was a problem destroying the session. } url::redirect(item::root()->abs_url()); } }
public function delete_album_fails_without_permission_test() { $album1 = test::random_album(); access::deny(identity::everybody(), "edit", $album1); identity::set_active_user(identity::guest()); $request->url = rest::url("item", $album1); try { item_rest::delete($request); } catch (Exception $e) { $this->assert_equal("@todo FORBIDDEN", $e->getMessage()); return; } $this->assert_true(false, "Shouldn't get here"); }
public function as_restful_array_with_edit_bit_test() { $response = item::root()->as_restful_array(); $this->assert_true($response["can_edit"]); identity::set_active_user(identity::guest()); $response = item::root()->as_restful_array(); $this->assert_false($response["can_edit"]); }
public function as_restful_array_with_add_bit_test() { $response = item::root()->as_restful_array(); $this->assert_true($response["can_add"]); access::deny(identity::everybody(), "add", item::root()); identity::set_active_user(identity::guest()); $response = item::root()->as_restful_array(); $this->assert_false($response["can_add"]); }
public function moved_items_inherit_new_permissions_test() { identity::set_active_user(identity::lookup_user_by_name("admin")); $public_album = test::random_album(); $public_photo = test::random_photo($public_album); access::allow(identity::everybody(), "view", $public_album); access::allow(identity::everybody(), "edit", $public_album); item::root()->reload(); // Account for MPTT changes $private_album = test::random_album(); access::deny(identity::everybody(), "view", $private_album); access::deny(identity::everybody(), "edit", $private_album); $private_photo = test::random_photo($private_album); // Make sure that we now have a public photo and private photo. $this->assert_true(access::group_can(identity::everybody(), "view", $public_photo)); $this->assert_false(access::group_can(identity::everybody(), "view", $private_photo)); // Swap the photos item::move($public_photo, $private_album); $private_album->reload(); // Reload to get new MPTT pointers and cached perms. $public_album->reload(); $private_photo->reload(); $public_photo->reload(); item::move($private_photo, $public_album); $private_album->reload(); // Reload to get new MPTT pointers and cached perms. $public_album->reload(); $private_photo->reload(); $public_photo->reload(); // Make sure that the public_photo is now private, and the private_photo is now public. $this->assert_false(access::group_can(identity::everybody(), "view", $public_photo)); $this->assert_false(access::group_can(identity::everybody(), "edit", $public_photo)); $this->assert_true(access::group_can(identity::everybody(), "view", $private_photo)); $this->assert_true(access::group_can(identity::everybody(), "edit", $private_photo)); }
public function teardown() { list($_GET, $_POST, $_SERVER) = $this->_save; identity::set_active_user(identity::admin_user()); }
public function need_view_full_permission_to_view_original_test() { $album = test::random_album(); $photo = test::random_photo($album); $album = $album->reload(); // adding the photo changed the album in the db $_SERVER["REQUEST_URI"] = url::file("var/albums/{$album->name}/{$photo->name}"); $controller = new File_Proxy_Controller(); access::deny(identity::everybody(), "view_full", $album); identity::set_active_user(identity::guest()); try { $controller->__call("", array()); $this->assert_true(false); } catch (Kohana_404_Exception $e) { $this->assert_same(5, $e->test_fail_code); } }
public function moved_items_inherit_new_permissions_test() { identity::set_active_user(identity::lookup_user_by_name("admin")); $root = ORM::factory("item", 1); $public_album = album::create($root, rand(), "public album"); $public_photo = photo::create($public_album, MODPATH . "gallery/images/gallery.png", "", ""); access::allow(identity::everybody(), "view", $public_album); $root->reload(); // Account for MPTT changes $private_album = album::create($root, rand(), "private album"); access::deny(identity::everybody(), "view", $private_album); $private_photo = photo::create($private_album, MODPATH . "gallery/images/gallery.png", "", ""); // Make sure that we now have a public photo and private photo. $this->assert_true(access::group_can(identity::everybody(), "view", $public_photo)); $this->assert_false(access::group_can(identity::everybody(), "view", $private_photo)); // Swap the photos item::move($public_photo, $private_album); $private_album->reload(); // Reload to get new MPTT pointers and cached perms. $public_album->reload(); $private_photo->reload(); $public_photo->reload(); item::move($private_photo, $public_album); $private_album->reload(); // Reload to get new MPTT pointers and cached perms. $public_album->reload(); $private_photo->reload(); $public_photo->reload(); // Make sure that the public_photo is now private, and the private_photo is now public. $this->assert_false(access::group_can(identity::everybody(), "view", $public_photo)); $this->assert_true(access::group_can(identity::everybody(), "view", $private_photo)); }