/**
 * Builds a CSV download URL for a report.
 *
 * The URL embeds a freshly minted KS (REPORT_VIEWER_ROLE, valid for two
 * years) as a path segment, so the returned string is itself a bearer
 * credential for the report: whoever holds the URL can fetch the CSV.
 *
 * @action getCsvUrl
 * @param int $id
 * @param int $reportPartnerId
 * @return string
 * @throws KalturaAPIException REPORT_NOT_FOUND, INVALID_PARTNER_ID or REPORT_NOT_PUBLIC
 */
function getCsvUrlAction($id, $reportPartnerId)
{
    $report = ReportPeer::retrieveByPK($id);
    if ($report === null) {
        throw new KalturaAPIException(KalturaErrors::REPORT_NOT_FOUND, $id);
    }

    $partner = PartnerPeer::retrieveByPK($reportPartnerId);
    if ($partner === null) {
        throw new KalturaAPIException(KalturaErrors::INVALID_PARTNER_ID, $reportPartnerId);
    }

    // Reports owned by partner 0 are available to everyone; any other report
    // may only be exposed to its owning partner.
    $ownerPartnerId = $report->getPartnerId();
    if ($ownerPartnerId !== 0 && $ownerPartnerId !== $reportPartnerId) {
        throw new KalturaAPIException(KalturaErrors::REPORT_NOT_PUBLIC, $id);
    }

    $session = new ks();
    $session->valid_until = time() + 2 * 365 * 24 * 60 * 60; // 2 years
    $session->type = ks::TYPE_KS;
    $session->partner_id = $reportPartnerId;
    $session->master_partner_id = null;
    $session->partner_pattern = $reportPartnerId;
    $session->error = 0;
    $session->rand = microtime(true); // NOTE(review): a timestamp, not a random value; uniqueness of the KS rests on it
    $session->user = '';
    $session->privileges = 'setrole:REPORT_VIEWER_ROLE';
    $session->additional_data = null;
    $ksStr = $session->toSecureString();

    // each report parameter becomes "<value>={<value>}" so the consumer can substitute it
    $paramPairs = array();
    foreach ($this->getParametersAction($id) as $param) {
        $paramPairs[] = sprintf('%s={%s}', $param->value, $param->value);
    }

    return "http://" . kConf::get("www_host")
        . "/api_v3/index.php/service/report/action/getCsvFromStringParams/id/{$id}/ks/" . $ksStr
        . "/params/" . implode(';', $paramPairs);
}
/**
 * Records the given KS as invalidated.
 *
 * The stored key is the base64-decoded original KS string; the KS expiry is
 * kept alongside so the record is only needed until the KS would have
 * expired anyway.
 *
 * @param ks $ks
 * @return invalidSession the saved record
 */
public static function invalidateKs(ks $ks)
{
    $record = new invalidSession();
    $record->setKs(base64_decode($ks->getOriginalString()));
    $record->setKsValidUntil($ks->valid_until);
    $record->save();

    return $record;
}
/**
 * Invalidates a KS by its hash.
 *
 * When the KS carries a session-id hash, that session id is invalidated as
 * well for the next 24 hours, which covers every KS minted under it.
 *
 * @param ks $ks
 * @param PropelPDO $con optional connection
 * @return invalidSession the record created for the KS hash
 */
public static function invalidateKs(ks $ks, PropelPDO $con = null)
{
    $ksRecord = self::invalidateByKey($ks->getHash(), invalidSession::INVALID_SESSION_TYPE_KS, $ks->valid_until, $con);

    $sessionIdHash = $ks->getSessionIdHash();
    if (!$sessionIdHash) {
        return $ksRecord;
    }

    // session-id invalidation is kept for one day
    $sessionExpiry = time() + 24 * 60 * 60;
    self::invalidateByKey($sessionIdHash, invalidSession::INVALID_SESSION_TYPE_SESSION_ID, $sessionExpiry, $con);

    return $ksRecord;
}
/**
 * Invalidates a KS, reusing an existing invalidSession row for the same hash
 * when there is one.
 *
 * @param ks $ks
 * @param PropelPDO $con optional connection
 * @return invalidSession the saved record
 */
public static function invalidateKs(ks $ks, PropelPDO $con = null)
{
    $lookup = new Criteria();
    $lookup->add(invalidSessionPeer::KS, $ks->getHash());

    $record = invalidSessionPeer::doSelectOne($lookup, $con);
    if (!$record) {
        // first invalidation of this KS: create the row
        $record = new invalidSession();
        $record->setKs($ks->getHash());
        $record->setKsValidUntil($ks->valid_until);
    }

    // a null actions limit marks the KS as fully invalid rather than rate-limited — presumably; confirm against invalidSession
    $record->setActionsLimit(null);
    $record->save();

    return $record;
}
/**
 * KS from Secure String
 *
 * Parses the KS and wraps it in the API object. Parsing errors from
 * ks::fromSecureString propagate unchanged.
 *
 * @action fromSecureString
 * @param string $str
 * @return KalturaInternalToolsSession
 */
public static function fromSecureStringAction($str)
{
    $session = new KalturaInternalToolsSession();
    $session->fromObject(ks::fromSecureString($str));

    return $session;
}
/**
 * Sets the session, accepting either a parsed ks or its secure-string form.
 *
 * A string is parsed with ks::fromSecureString, whose exceptions propagate.
 *
 * @param ks|string $v
 */
public function setKs($v)
{
    $this->ks = is_string($v) ? ks::fromSecureString($v) : $v;
}
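/**
 * Logs the caller out.
 *
 * Kills the KS passed in the "ks" request parameter (after checking that its
 * partner exists and allows API access) and clears the KMC cookies. A KS
 * that cannot be parsed is not killed, but the cookies are still cleared.
 *
 * @return string sfView::NONE — the redirect to kmc/kmc is done by the client-side script
 */
public function execute()
{
    $ksStr = $this->getP("ks");
    if ($ksStr) {
        $ksObj = null;
        try {
            $ksObj = ks::fromSecureString($ksStr);
        } catch (Exception $e) {
            // best effort: a malformed KS cannot be killed; continue to clear cookies
        }

        if ($ksObj) {
            $partner = PartnerPeer::retrieveByPK($ksObj->partner_id);
            if (!$partner) {
                KExternalErrors::dieError(KExternalErrors::PARTNER_NOT_FOUND);
            }
            if (!$partner->validateApiAccessControl()) {
                KExternalErrors::dieError(KExternalErrors::SERVICE_ACCESS_CONTROL_RESTRICTED);
            }
            $ksObj->kill();
        }

        // Log only a fingerprint of the KS. The full string (and its decoded form,
        // which exposes partner, user and privileges) is a bearer credential and
        // must not be written to the log — it may still be valid if kill() was skipped.
        $partnerForLog = $ksObj ? $ksObj->partner_id : 'unparsed';
        KalturaLog::info("Killing session with ks fingerprint - [" . md5($ksStr) . "], partner - [{$partnerForLog}]");
    } else {
        KalturaLog::err('logoutAction called with no KS');
    }

    // an empty value makes PHP emit the cookie as deleted with a past expiry
    setcookie('pid', "", 0, "/");
    setcookie('subpid', "", 0, "/");
    setcookie('kmcks', "", 0, "/");

    return sfView::NONE; // redirection to kmc/kmc is done from java script
}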
/**
 * KS from Secure String
 *
 * Parses the KS and maps it onto the API object using the current response
 * profile. Parsing errors from ks::fromSecureString propagate unchanged.
 *
 * @action fromSecureString
 * @param string $str
 * @return KalturaInternalToolsSession
 */
public function fromSecureStringAction($str)
{
    $parsed = ks::fromSecureString($str);

    $session = new KalturaInternalToolsSession();
    $session->fromObject($parsed, $this->getResponseProfile());

    return $session;
}
/**
 * Returns a short identifier for the current session.
 *
 * With a KS the identifier comes from the KS itself; without one a
 * 7-character hex string is generated from rand() and the clock.
 *
 * NOTE(review): rand() is not a CSPRNG, so the fallback value is guessable;
 * it must not be used for anything that relies on being unpredictable.
 *
 * @return string
 */
protected function getKsUniqueString()
{
    if (!$this->ks) {
        $seed = rand(10000, 99999) . microtime(true);
        return substr(md5($seed), 1, 7);
    }

    return $this->ks->getUniqueString();
}
/**
 * Classifies the KS held in the context.
 *
 * Admin takes precedence over widget: an admin KS is reported as ADMIN even
 * if it is also a widget session.
 *
 * @return int one of the kSessionBase::SESSION_TYPE_* constants
 */
public static function getCurrentSessionType()
{
    $session = self::$ks_object;
    if (!$session) {
        return kSessionBase::SESSION_TYPE_NONE;
    }
    if ($session->isAdmin()) {
        return kSessionBase::SESSION_TYPE_ADMIN;
    }

    return $session->isWidgetSession()
        ? kSessionBase::SESSION_TYPE_WIDGET
        : kSessionBase::SESSION_TYPE_USER;
}
/**
 * Executes a playlist by id and emits its entries.
 *
 * The service runs twice per request: first with $create_cachekey set, to
 * derive a cache key (admin sessions are never cached), then for the real
 * execution. The cache key folds in the playlist, partner, KS partner,
 * KS user and privileges, detail level, admin flag and protocol.
 *
 * @param int $partner_id
 * @param int $subp_id
 * @param string $puser_id
 * @param string $partner_prefix
 * @param kuser $puser_kuser
 * @param bool $create_cachekey when true only the cache key is computed and returned
 * @return executionCacheKey|null the cache key when requested (null for admins); nothing otherwise
 * @throws APIException INVALID_ENTRY_ID when the playlist does not exist
 */
public function executeImpl($partner_id, $subp_id, $puser_id, $partner_prefix, $puser_kuser, $create_cachekey = false)
{
    myDbHelper::$use_alternative_con = myDbHelper::DB_HELPER_CONN_PROPEL3;

    // TODO - verify permissions for viewing lists
    $detailed = $this->getP("detailed", false);
    if (!$detailed) {
        $detailed = false; // collapse every falsy request value to a real false
    }
    $playlist_id = $this->getPM("playlist_id");

    if ($create_cachekey) {
        // admin responses are never served from cache
        if ($this->isAdmin()) {
            return null;
        }

        $ksPartnerId = null;
        $ksPrivileges = null;
        $session = ks::fromSecureString(kCurrentContext::$ks);
        if ($session) {
            $ksPartnerId = $session->getPartnerId();
            $ksPrivileges = $session->getPrivileges();
        }

        // key order matters: the md5 is taken over print_r of this array
        $keyParts = array(
            "playlist_id" => $playlist_id,
            "partner_id" => $partner_id,
            "ks_partner_id" => $ksPartnerId,
            "detailed" => $detailed,
            "user" => kCurrentContext::$ks_uid,
            "privileges" => $ksPrivileges,
            "is_admin" => $this->isAdmin(),
            "protocol" => infraRequestUtils::getProtocol(),
        );

        $cacheKey = new executionCacheKey();
        $cacheKey->expiry = 600;
        $cacheKey->key = md5(print_r($keyParts, true));

        return $cacheKey;
    }

    // second pass: load the playlist once and scope access control to its partner
    if (is_null($this->playlist)) {
        $playlist = entryPeer::retrieveByPK($playlist_id);
        if (!$playlist) {
            throw new APIException(APIErrors::INVALID_ENTRY_ID, "Playlist", $playlist_id);
        }
        myPartnerUtils::addPartnerToCriteria('accessControl', $playlist->getPartnerId(), $this->getPrivatePartnerData(), $this->partnerGroup2(), null);
        $this->playlist = $playlist;
    }

    if ($this->isAdmin()) {
        myPlaylistUtils::setIsAdminKs(true);
    }

    $entries = myPlaylistUtils::executePlaylistById($partner_id, $playlist_id, null, $detailed);
    myEntryUtils::updatePuserIdsForEntries($entries);

    $detailLevel = $detailed ? objectWrapperBase::DETAIL_LEVEL_DETAILED : objectWrapperBase::DETAIL_LEVEL_REGULAR;
    $wrapped = objectWrapperBase::getWrapperClass($entries, $detailLevel);

    $this->addMsg("count", count($entries));
    $this->addMsg($this->getObjectPrefix(), $wrapped);
}
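/**
 * Starts a widget session.
 *
 * For widgets whose security type is FORCE_KS the caller's KS is validated
 * against the widget's partner; for every other widget a new non-admin,
 * view-only KS is created. On success the KS, partner id, sub-partner id
 * and uid are added as messages.
 *
 * @param int $partner_id ignored: the session is always for the widget's own partner
 * @param int $subp_id
 * @param string $puser_id
 * @param string $partner_prefix
 * @param kuser $puser_kuser
 */
public function executeImpl($partner_id, $subp_id, $puser_id, $partner_prefix, $puser_kuser)
{
    // make sure the secret fits the one in the partner's table
    $ks_str = "";
    $expiry = $this->getP("expiry", 86400);

    $widget_id = $this->getPM("widget_id");
    $widget = widgetPeer::retrieveByPK($widget_id);
    if (!$widget) {
        $this->addError(APIErrors::INVALID_WIDGET_ID, $widget_id);
        return;
    }

    // the session belongs to the widget's partner, whatever partner was requested
    $partner_id = $widget->getPartnerId();
    $partner = PartnerPeer::retrieveByPK($partner_id); // looked up but not used below

    // TODO - see how to decide if the partner has a URL to redirect to
    // according to the partner's policy and the widget's policy - define the privileges of the ks
    // TODO - decide !! - for now only view - any kshow
    $privileges = "view:*,widget:1";

    // outcome of the KS check / creation; only a non-negative value means success
    $result = 0;
    if ($widget->getSecurityType() == widget::WIDGET_SECURITY_TYPE_FORCE_KS) {
        if (!$this->ks) {
            // the one from the defPartnerservices2Action
            $this->addException(APIErrors::MISSING_KS);
        }
        $ks_str = $this->getP("ks");
        $res = kSessionUtils::validateKSession2(1, $partner_id, $puser_id, $ks_str, $this->ks);
        if (0 >= $res) {
            // an invalid KS is reported as an exception rather than an error
            $this->addException(APIErrors::INVALID_KS, $ks_str, $res, ks::getErrorStr($res));
        }
        // Previously $result was left undefined on this path, so "null >= 0" below
        // reported success even when validateKSession2 had failed and addException
        // did not abort; carry the real validation result instead.
        $result = $res;
    } else {
        // the session will be for NON admins and privileges of view only
        $puser_id = 0;
        $result = kSessionUtils::createKSessionNoValidations($partner_id, $puser_id, $ks_str, $expiry, false, "", $privileges);
    }

    if ($result >= 0) {
        $this->addMsg("ks", $ks_str);
        $this->addMsg("partner_id", $partner_id);
        $this->addMsg("subp_id", $widget->getSubpId());
        $this->addMsg("uid", "0");
    } else {
        // TODO - see that there is a good error for when the invalid login count exceeds the max
        $this->addError(APIErrors::START_WIDGET_SESSION_ERROR, $widget_id);
    }
}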
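/**
 * Populates kCurrentContext from a KS string, or resets it when none is given.
 *
 * Without a KS every KS-derived field is cleared and only the requested
 * partner/user are set. With a KS the string is cracked: an unparsable KS
 * is reported as INVALID_KS, any other failure is re-thrown unchanged. The
 * logger's partner id is the requested partner, falling back to the KS partner.
 *
 * @param string|null $ksString
 * @param int|null $requestedPartnerId
 * @param string|null $requestedPuserId
 * @throws KalturaAPIException INVALID_KS when the KS string cannot be parsed
 * @throws Exception any other error raised by kSessionUtils::crackKs
 */
public static function initKsPartnerUser($ksString, $requestedPartnerId = null, $requestedPuserId = null)
{
    if (!$ksString) {
        kCurrentContext::$ks = null;
        kCurrentContext::$ks_partner_id = null;
        kCurrentContext::$ks_uid = null;
        kCurrentContext::$master_partner_id = null;
        kCurrentContext::$partner_id = $requestedPartnerId;
        kCurrentContext::$uid = $requestedPuserId;
        kCurrentContext::$is_admin_session = false;
    } else {
        try {
            $ksObj = kSessionUtils::crackKs($ksString);
        } catch (Exception $ex) {
            // strpos() returns false, never null, when the needle is absent. The
            // previous "!== null" test was true for every exception, so unrelated
            // failures were reported as INVALID_KS and the re-throw branch was dead.
            if (strpos($ex->getMessage(), "INVALID_STR") !== false) {
                // TODO: throw different type of error
                throw new KalturaAPIException(APIErrors::INVALID_KS, $ksString, ks::INVALID_STR, ks::getErrorStr(ks::INVALID_STR));
            }
            throw $ex;
        }

        kCurrentContext::$ks = $ksString;
        kCurrentContext::$ks_object = $ksObj;
        kCurrentContext::$ks_partner_id = $ksObj->partner_id;
        kCurrentContext::$ks_uid = $ksObj->user;
        // a KS without a master partner is its own master
        kCurrentContext::$master_partner_id = $ksObj->master_partner_id ? $ksObj->master_partner_id : kCurrentContext::$ks_partner_id;
        kCurrentContext::$is_admin_session = $ksObj->isAdmin();
        kCurrentContext::$partner_id = $requestedPartnerId;
        kCurrentContext::$uid = $requestedPuserId;
    }

    // set partner ID for logger
    if (kCurrentContext::$partner_id) {
        $GLOBALS["partnerId"] = kCurrentContext::$partner_id;
    } elseif (kCurrentContext::$ks_partner_id) {
        $GLOBALS["partnerId"] = kCurrentContext::$ks_partner_id;
    }

    self::$ksPartnerUserInitialized = true;
}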
/**
 * Verifies that the current session may operate on the given object.
 *
 * Decision order (first match wins):
 *  1. no KS object in the context -> INVALID_KS;
 *  2. admin session -> allowed;
 *  3. "$objectClass" may be "Class::Getter::Getter": the object is loaded via
 *     ClassPeer::retrieveByPK and each getter is followed in turn;
 *  4. no such peer class, a missing getter, or a non-IOwnable object -> allowed
 *     (these paths fail open — presumably the object id is validated elsewhere; confirm);
 *  5. $privilege granted for the wildcard or for the object's id -> allowed;
 *  6. otherwise the KS user must own the object, or be entitled to edit it
 *     unless OWNER_ONLY_OPTION is present in $options.
 *
 * @param string $objectClass
 * @param string $objectId
 * @param string $privilege optional
 * @param string $options optional, comma-separated flags
 * @throws KalturaErrors::INVALID_KS
 */
protected function validateUser($objectClass, $objectId, $privilege = null, $options = null)
{
    // don't allow operations without ks
    if (!kCurrentContext::$ks_object) {
        throw new KalturaAPIException(KalturaErrors::INVALID_KS, "", ks::INVALID_TYPE, ks::getErrorStr(ks::INVALID_TYPE));
    }

    // if admin always allowed
    if (kCurrentContext::$is_admin_session) {
        return;
    }

    // "Class::Getter::..." — the first segment is the class, the rest are getters to follow
    $objectGetters = null;
    if (strstr($objectClass, '::')) {
        $objectGetters = explode('::', $objectClass);
        $objectClass = array_shift($objectGetters);
    }

    $objectClassPeer = "{$objectClass}Peer";
    if (!class_exists($objectClassPeer)) {
        return;
    }

    // NOTE(review): retrieveByPK may return null; with getters the ReflectionObject
    // below then fails, without getters a null object is not IOwnable and is allowed
    $dbObject = $objectClassPeer::retrieveByPK($objectId);
    if ($objectGetters) {
        foreach ($objectGetters as $objectGetter) {
            $getterMethod = "get{$objectGetter}";
            $reflector = new ReflectionObject($dbObject);
            if (!$reflector->hasMethod($getterMethod)) {
                KalturaLog::err("Method " . $getterMethod . " does not exist for class " . $reflector->getName());
                return;
            }
            $dbObject = $dbObject->{$getterMethod}();
        }
    }

    // only ownable objects are subject to the owner/privilege checks
    if (!$dbObject instanceof IOwnable) {
        return;
    }

    if ($privilege) {
        // check if all ids are privileged
        if (kCurrentContext::$ks_object->verifyPrivileges($privilege, ks::PRIVILEGE_WILDCARD)) {
            return;
        }
        // check if object id is privileged
        if (kCurrentContext::$ks_object->verifyPrivileges($privilege, $dbObject->getId())) {
            return;
        }
    }

    // owner comparison is case-insensitive on the puser id
    if (strtolower($dbObject->getPuserId()) != strtolower(kCurrentContext::$ks_uid)) {
        $optionsArray = array();
        if ($options) {
            $optionsArray = explode(",", $options);
        }
        // a non-owner passes only when entitled to edit and OWNER_ONLY_OPTION was not requested
        if (!$dbObject->isEntitledKuserEdit(kCurrentContext::getCurrentKsKuserId()) || in_array(self::OWNER_ONLY_OPTION, $optionsArray)) {
            throw new KalturaAPIException(KalturaErrors::INVALID_KS, "", ks::INVALID_TYPE, ks::getErrorStr(ks::INVALID_TYPE));
        }
    }
}
/**
 * Parses a secure KS string into a ks object.
 *
 * @param string $encoded_str
 * @return ks|null null when the string is empty
 * @throws Exception INVALID_STR when the string does not parse
 */
public static function fromSecureString($encoded_str)
{
    if (empty($encoded_str)) {
        return null;
    }

    $session = new ks();
    if ($session->parseKS($encoded_str)) {
        $session->valid_string = true;
        return $session;
    }

    throw new Exception(self::getErrorStr(self::INVALID_STR));
}
/**
 * Throws when the KS held in the context fails validation.
 *
 * Does nothing when no KS is set. Otherwise the KS is validated against the
 * context partner and user (no ticket check), the failure reason is logged
 * and an INVALID_KS API exception carrying the result code is raised.
 *
 * @throws KalturaAPIException INVALID_KS
 */
private static function errorIfKsNotValid()
{
    // no KS in the current context - nothing to check
    if (!self::$ksString) {
        return;
    }

    $ksObj = null;
    $res = kSessionUtils::validateKSessionNoTicket(self::$ksPartnerId, self::$ksUserId, self::$ksString, $ksObj);
    if ($res > 0) {
        return;
    }

    // NOTE(review): the INVALID_STR branch writes the rejected KS string itself to the log
    $message = null;
    if ($res == ks::INVALID_STR) {
        $message = 'Invalid KS [' . self::$ksString . ']';
    } elseif ($res == ks::INVALID_PARTNER) {
        $message = 'Wrong partner [' . self::$ksPartnerId . '] actual partner [' . $ksObj->partner_id . ']';
    } elseif ($res == ks::INVALID_USER) {
        $message = 'Wrong user [' . self::$ksUserId . '] actual user [' . $ksObj->user . ']';
    } elseif ($res == ks::EXPIRED) {
        $message = 'KS Expired [' . date('Y-m-d H:i:s', $ksObj->valid_until) . ']';
    } elseif ($res == ks::LOGOUT) {
        $message = 'KS already logged out';
    }
    if ($message !== null) {
        KalturaLog::err($message);
    }

    throw new KalturaAPIException(APIErrors::INVALID_KS, self::$ksString, $res, ks::getErrorStr($res));
}
/**
 * Resolves the partner, operating partner and user for this request from the
 * KS (when given) or from the plain partner id, and enforces the service's
 * ticket requirements.
 *
 * With a KS: the KS is cracked, its partner becomes the operating partner
 * (whose service config is used), the KS is validated when the service
 * requires a ticket, and the KS partner must be allowed to access the
 * requested partner. Without a KS: the partner is looked up directly and the
 * request is rejected unless the service needs no ticket or supports the
 * Kaltura Network (which yields access without private data).
 *
 * NOTE(review): when force_ticket_check is off and the service requires a
 * ticket, the cracked KS is never validated — its fields are trusted as-is.
 * The addException() calls are assumed to abort the request; if they do not,
 * execution continues past each failed check. Confirm against the base class.
 *
 * @param int $partner_id requested partner; defaults to the KS partner when empty
 * @param int $subp_id
 * @param string $puser_id requested user; defaults to the KS user when empty
 * @param string $ks_str raw KS string, may be empty
 * @return array [partner_id, subp_id, puser_id, allow_private_partner_data]
 */
private function validateTicketSetPartner($partner_id, $subp_id, $puser_id, $ks_str)
{
    if ($ks_str) {
        // 1. crack the ks -
        $ks = kSessionUtils::crackKs($ks_str);

        // 2. extract partner_id
        $ks_partner_id = $ks->partner_id;
        $master_partner_id = $ks->master_partner_id;
        if (!$master_partner_id) {
            $master_partner_id = $ks_partner_id;
        }
        if (!$partner_id) {
            $partner_id = $ks_partner_id;
        }

        // use the user from the ks if not explicity set
        if (!$puser_id) {
            $puser_id = $ks->user;
        }

        kCurrentContext::$ks = $ks_str;
        kCurrentContext::$partner_id = $partner_id;
        kCurrentContext::$ks_partner_id = $ks_partner_id;
        kCurrentContext::$master_partner_id = $master_partner_id;
        kCurrentContext::$uid = $puser_id;
        kCurrentContext::$ks_uid = $ks->user;

        // 3. retrieve partner
        $ks_partner = PartnerPeer::retrieveByPK($ks_partner_id);
        // the service_confgi is assumed to be the one of the operating_partner == ks_partner
        if (!$ks_partner) {
            $this->addException(APIErrors::UNKNOWN_PARTNER_ID, $ks_partner_id);
        }

        $this->setServiceConfigFromPartner($ks_partner);

        if ($ks_partner && !$ks_partner->getStatus()) {
            $this->addException(APIErrors::SERVICE_FORBIDDEN_PARTNER_DELETED);
        }

        // 4. validate ticket per service for the ticket's partner
        $ticket_type = $this->ticketType2();
        if ($ticket_type == kSessionUtils::REQUIED_TICKET_NOT_ACCESSIBLE) {
            // partner cannot access this service
            $this->addException(APIErrors::SERVICE_FORBIDDEN);
        }

        if ($this->force_ticket_check && $ticket_type != kSessionUtils::REQUIED_TICKET_NONE) {
            // TODO - which user is this ? from the ks ? from the puser_id ?
            $ks_puser_id = $ks->user;
            //$ks = null;
            $res = kSessionUtils::validateKSession2($ticket_type, $ks_partner_id, $ks_puser_id, $ks_str, $ks);
            if (0 >= $res) {
                // chaned this to be an exception rather than an error
                $this->addException(APIErrors::INVALID_KS, $ks_str, $res, ks::getErrorStr($res));
            }
            // the KS is stored regardless of $res; only safe if addException() aborted above
            $this->ks = $ks;
        } elseif ($ticket_type == kSessionUtils::REQUIED_TICKET_NONE && $ks_str) {
            // no ticket required: keep the KS only when it validates, never fail
            $ks_puser_id = $ks->user;
            $res = kSessionUtils::validateKSession2($ticket_type, $ks_partner_id, $ks_puser_id, $ks_str, $ks);
            if ($res > 0) {
                $this->ks = $ks;
            }
        }

        // 5. see partner is allowed to access the desired partner (if himself - easy, else - should appear in the partnerGroup)
        $allow_access = myPartnerUtils::allowPartnerAccessPartner($ks_partner_id, $this->partnerGroup2(), $partner_id);
        if (!$allow_access) {
            $this->addException(APIErrors::PARTNER_ACCESS_FORBIDDEN, $ks_partner_id, $partner_id);
        }

        // 6. set the partner to be the desired partner and the operating_partner to be the one from the ks
        $this->partner = PartnerPeer::retrieveByPK($partner_id);
        $this->operating_partner = $ks_partner;
        // the config is that of the ks_partner NOT of the partner
        // $this->setServiceConfigFromPartner( $ks_partner ); - was already set above to extract the ks
        // TODO - should change service_config to be the one of the partner_id ??

        // 7. if ok - return the partner_id to be used from this point onwards
        return array($partner_id, $subp_id, $puser_id, true); // allow private_partner_data
    } else {
        // no ks_str
        // 1. extract partner by partner_id +
        // 2. retrieve partner
        $this->partner = PartnerPeer::retrieveByPK($partner_id);
        if (!$this->partner) {
            $this->partner = null;
            // go to the default config
            $this->setServiceConfigFromPartner(null);
            if ($this->requirePartner2()) {
                $this->addException(APIErrors::UNKNOWN_PARTNER_ID, $partner_id);
            }
        }

        if ($this->partner && !$this->partner->getStatus()) {
            $this->addException(APIErrors::SERVICE_FORBIDDEN_PARTNER_DELETED);
        }

        kCurrentContext::$ks = null;
        kCurrentContext::$partner_id = $partner_id;
        kCurrentContext::$ks_partner_id = null;
        kCurrentContext::$uid = $puser_id;
        kCurrentContext::$ks_uid = null;

        // 3. make sure the service can be accessed with no ticket
        $this->setServiceConfigFromPartner($this->partner);
        $ticket_type = $this->ticketType2();
        if ($ticket_type == kSessionUtils::REQUIED_TICKET_NOT_ACCESSIBLE) {
            // partner cannot access this service
            $this->addException(APIErrors::SERVICE_FORBIDDEN);
        }

        if ($this->force_ticket_check && $ticket_type != kSessionUtils::REQUIED_TICKET_NONE) {
            // NEW: 2008-12-28
            // Instead of throwing an exception, see if the service allows KN.
            // If so - a relativly week partner access
            if ($this->kalturaNetwork2()) {
                // if the service supports KN - continue without private data
                return array($partner_id, $subp_id, $puser_id, false); // DONT allow private_partner_data
            }
            // chaned this to be an exception rather than an error
            $this->addException(APIErrors::MISSING_KS);
        }

        // 4. set the partner & operating_partner to be the one-and-only partner of this session
        $this->operating_partner = $this->partner;
        return array($partner_id, $subp_id, $puser_id, true); // allow private_partner_data
    }
}
/**
 * Replaces the KS inside $value with a canonical field list so that values
 * differing only in the volatile parts of the KS compare equal.
 *
 * The canonical form is ';'-joined: partner_id (twice), 0, type, 0, user,
 * privileges, master_partner_id, additional_data — the two zeros presumably
 * stand in for valid_until and rand, which vary per issued KS.
 *
 * @param string $value
 * @param string $ks
 * @return string $value unchanged when the KS does not parse
 */
function normalizeKS($value, $ks)
{
    $parsed = new ks();
    if (!$parsed->parseKS($ks)) {
        return $value;
    }

    $canonical = implode(';', array(
        $parsed->partner_id,
        $parsed->partner_id,
        0,
        $parsed->type,
        0,
        $parsed->user,
        $parsed->privileges,
        $parsed->master_partner_id,
        $parsed->additional_data,
    ));

    return str_replace($ks, $canonical, $value);
}
/**
 * Returns the privacy contexts of the current KS.
 *
 * Falls back to the partner's default context (KS partner when set,
 * otherwise the requested partner) when there is no KS or the KS carries
 * no privacy context.
 *
 * @return array list of privacy context strings
 */
public static function getKsPrivacyContext()
{
    $partnerId = kCurrentContext::$ks_partner_id;
    if (!$partnerId) {
        $partnerId = kCurrentContext::$partner_id;
    }
    $defaultContexts = array(self::DEFAULT_CONTEXT . $partnerId);

    $session = ks::fromSecureString(kCurrentContext::$ks);
    if (!$session) {
        return $defaultContexts;
    }

    $contexts = $session->getPrivacyContext();
    if ($contexts === null || $contexts == '') {
        return $defaultContexts;
    }

    return explode(',', $contexts);
}
/**
 * Indicates that the KS user is the owner of the entry
 *
 * Widget sessions never count as owners; without a KS or an entry the
 * answer is false. Ownership is a loose (==) kuser id comparison.
 *
 * @return bool
 */
protected function isKsUserOwnsEntry()
{
    if ($this->isKsWidget() || !$this->ks || !$this->entry) {
        return false;
    }

    return $this->entry->getKuserId() == $this->ks->getKuserId();
}
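/**
 * Parses and verifies a secure KS string.
 *
 * Layout after base64 decoding is "<hash>|<fields>", where <fields> is the
 * SEPARATOR-joined list: partner_id, partner_pattern, valid_until, type,
 * rand, then optionally user, privileges, master_partner_id and
 * additional_data. The hash is recomputed over <fields> with the KS salt
 * and must match exactly.
 *
 * @param string $encoded_str
 * @return ks|null null when the string is empty
 * @throws Exception INVALID_STR when decoding, the layout or the hash check fails
 */
public static function fromSecureString($encoded_str)
{
    if (empty($encoded_str)) {
        return null;
    }

    // strict decoding: anything outside the base64 alphabet is rejected here
    // instead of being silently skipped
    $str = base64_decode($encoded_str, true);
    if ($str === false || strpos($str, "|") === false) {
        throw new Exception(self::getErrorStr(self::INVALID_STR));
    }
    list($hash, $real_str) = explode("|", $str, 2);

    $parts = explode(self::SEPARATOR, $real_str);
    if (count($parts) < 5) {
        // the five leading fields are mandatory; fewer means a truncated string
        throw new Exception(self::getErrorStr(self::INVALID_STR));
    }

    $ks = new ks();
    $ks->original_str = $encoded_str;
    list($ks->partner_id, $ks->partner_pattern, $ks->valid_until, $ks->type, $ks->rand) = $parts;
    if (isset($parts[5])) {
        $ks->user = $parts[5];
    }
    if (isset($parts[6])) {
        $ks->privileges = $parts[6];
    }
    if (isset($parts[7])) {
        $ks->master_partner_id = $parts[7];
    }
    if (isset($parts[8])) {
        $ks->additional_data = $parts[8];
    }

    // The salt depends on the parsed fields, so they must be read before the
    // hash can be checked; nothing below trusts them until it passes.
    // Strict comparison replaces the previous loose "!=": with "==" PHP compares
    // numeric-looking strings as numbers, so two digests of the form "0e<digits>"
    // would have been treated as equal. hash_equals() would additionally make
    // this constant-time where the runtime provides it.
    $salt = $ks->getSalt();
    if (self::hash($salt, $real_str) !== $hash) {
        throw new Exception(self::getErrorStr(self::INVALID_STR));
    }

    $ks->valid_string = true;
    return $ks;
}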
/**
 * Throws when the KS held in the context fails validation.
 *
 * Does nothing when no KS is set. Otherwise the KS is validated against the
 * context partner and user (no ticket check); on failure the reason is
 * logged and a kCoreException INVALID_KS carrying the error string is thrown.
 *
 * NOTE(review): the INVALID_STR branch writes the rejected KS string itself
 * to the log.
 *
 * @throws kCoreException INVALID_KS
 */
private static function errorIfKsNotValid()
{
    // if no ks in current context - no need to check anything
    if (!self::$ksString) {
        return;
    }

    // $ksObj is filled by reference; it is only populated for results past the parse step
    $ksObj = null;
    $res = kSessionUtils::validateKSessionNoTicket(self::$ksPartnerId, self::$ksUserId, self::$ksString, $ksObj);
    if (0 >= $res) {
        switch ($res) {
            case ks::INVALID_STR:
                KalturaLog::err('Invalid KS [' . self::$ksString . ']');
                break;
            case ks::INVALID_PARTNER:
                KalturaLog::err('Wrong partner [' . self::$ksPartnerId . '] actual partner [' . $ksObj->partner_id . ']');
                break;
            case ks::INVALID_USER:
                KalturaLog::err('Wrong user [' . self::$ksUserId . '] actual user [' . $ksObj->user . ']');
                break;
            case ks::EXPIRED:
                KalturaLog::err('KS Expired [' . date('Y-m-d H:i:s', $ksObj->valid_until) . ']');
                break;
            case ks::LOGOUT:
                KalturaLog::err('KS already logged out');
                break;
            case ks::EXCEEDED_ACTIONS_LIMIT:
                KalturaLog::err('KS exceeded number of actions limit');
                break;
            case ks::EXCEEDED_RESTRICTED_IP:
                KalturaLog::err('IP does not match KS restriction');
                break;
        }
        throw new kCoreException("Invalid KS", kCoreException::INVALID_KS, ks::getErrorStr($res));
    }
}
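/**
 * Parse session key and return its info
 *
 * @action get
 * @param string $session The KS to be parsed, keep it empty to use current session.
 * @return KalturaSessionInfo
 *
 * @throws APIErrors::START_SESSION_ERROR
 * @throws KalturaAPIException INVALID_KS when neither $session nor the context holds a KS
 */
function getAction($session = null)
{
    if (!$session) {
        $session = kCurrentContext::$ks;
    }

    // fromSecureString() returns null for an empty string; the property reads
    // below then ran on null and silently produced an empty session info
    $ks = ks::fromSecureString($session);
    if (!$ks) {
        throw new KalturaAPIException(KalturaErrors::INVALID_KS, "", ks::INVALID_STR, ks::getErrorStr(ks::INVALID_STR));
    }

    $sessionInfo = new KalturaSessionInfo();
    $sessionInfo->ks = $session;
    $sessionInfo->partnerId = $ks->partner_id;
    $sessionInfo->userId = $ks->user;
    $sessionInfo->expiry = $ks->valid_until;
    $sessionInfo->sessionType = $ks->type;
    $sessionInfo->privileges = $ks->privileges;

    return $sessionInfo;
}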
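/**
 * Throws an error if the user is trying to update entry that doesn't belong to him and the session is not admin
 *
 * Admin sessions may update anything. A non-admin KS may update when it
 * carries edit:* or edit:ENTRY_ID; otherwise the KS user must own the entry.
 *
 * @param entry $dbEntry
 * @throws KalturaAPIException INVALID_KS when the update is not allowed
 */
protected function checkIfUserAllowedToUpdateEntry(entry $dbEntry)
{
    $ks = $this->getKs();

    // admin sessions are always allowed
    if ($ks && $ks->isAdmin()) {
        return;
    }

    // Privilege checks need a KS; the previous code dereferenced getKs() here
    // even when it returned null, which was a fatal error rather than a denial.
    if ($ks) {
        // check if wildcard on 'edit'
        if ($ks->verifyPrivileges(ks::PRIVILEGE_EDIT, ks::PRIVILEGE_WILDCARD)) {
            return;
        }
        // check if entryID on 'edit'
        if ($ks->verifyPrivileges(ks::PRIVILEGE_EDIT, $dbEntry->getId())) {
            return;
        }
    }

    // not admin and no matching privilege: only the entry owner may update
    // (getKuser() is assumed to resolve for the current session — confirm for the no-KS case)
    if ($dbEntry->getKuserId() != $this->getKuser()->getId()) {
        throw new KalturaAPIException(KalturaErrors::INVALID_KS, "", ks::INVALID_TYPE, ks::getErrorStr(ks::INVALID_TYPE));
    }
}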
/**
 * Sets the valid user for the entry
 * Throws an error if the session user is trying to update entry to another user and not using an admin session
 *
 * A null $entry->userId means "not supplied" and leaves the owner untouched.
 * For any other value a non-admin session may only re-submit the current
 * owner (case-insensitive); an admin may hand the entry to any user, whose
 * kuser is created on demand.
 *
 * @param KalturaBaseEntry $entry
 * @param entry $dbEntry
 * @throws KalturaAPIException INVALID_KS when a non-admin tries to change the owner
 */
protected function checkAndSetValidUserUpdate(KalturaBaseEntry $entry, entry $dbEntry)
{
    KalturaLog::debug("DB puser id [" . $dbEntry->getPuserId() . "] kuser id [" . $dbEntry->getKuserId() . "]");

    // user id not being changed
    if ($entry->userId === null) {
        KalturaLog::debug("entry->userId is null, not changing user");
        return;
    }

    $session = $this->getKs();
    $isAdminSession = $session && $session->isAdmin();
    if (!$isAdminSession) {
        $currentPuserId = $dbEntry->getPuserId();
        // non admin cannot change the owner of an existing entry
        if (strtolower($entry->userId) != strtolower($currentPuserId)) {
            KalturaLog::debug('API entry userId [' . $entry->userId . '], DB entry userId [' . $currentPuserId . '] - change required but KS is not admin');
            throw new KalturaAPIException(KalturaErrors::INVALID_KS, "", ks::INVALID_TYPE, ks::getErrorStr(ks::INVALID_TYPE));
        }
    }

    // an admin may be moving the entry to a user that does not exist yet
    $targetKuser = kuserPeer::createKuserForPartner($dbEntry->getPartnerId(), $entry->userId);
    KalturaLog::debug("Set kuser id [" . $targetKuser->getId() . "] line [" . __LINE__ . "]");
    $dbEntry->setKuserId($targetKuser->getId());
}
/**
 * Installs the default entry criteria filter: non-deleted entries, narrowed
 * by entitlement rules derived from the current KS.
 *
 * With entitlement enforcement on and an admin session or a non
 * user-content-only session, entries are restricted to the KS privacy
 * contexts, OR-ed with (when a KS user exists) the entitled-kusers field,
 * the user's entitled categories, and the user's own uploads. A
 * user-content-only session sees only its own uploads. Entries listed in the
 * KS "disable entitlement" privilege are always OR-ed in.
 *
 * Side effects: sets self::$kuserBlongToMoreThanMaxCategoriesForSearch when
 * the category lookup hits category_search_limit.
 */
public static function setDefaultCriteriaFilter()
{
    if (self::$s_criteria_filter == null) {
        self::$s_criteria_filter = new criteriaFilter();
    }

    $c = KalturaCriteria::create(entryPeer::OM_CLASS);
    $c->addAnd(entryPeer::STATUS, entryStatus::DELETED, Criteria::NOT_EQUAL);

    $critEntitled = null;
    $ks = ks::fromSecureString(kCurrentContext::$ks);

    //when entitlement is enable and admin session or user session with list:* privilege
    if (kEntitlementUtils::getEntitlementEnforcement() && (kCurrentContext::$is_admin_session || !self::$userContentOnly)) {
        $privacyContexts = kEntitlementUtils::getPrivacyContextSearch();
        $critEntitled = $c->getNewCriterion(self::PRIVACY_BY_CONTEXTS, $privacyContexts, KalturaCriteria::IN_LIKE);
        $critEntitled->addTag(KalturaCriterion::TAG_ENTITLEMENT_ENTRY);

        if (kCurrentContext::getCurrentKsKuserId()) {
            //ENTITLED_KUSERS field includes $this->entitledUserEdit, $this->entitledUserEdit, and users on work groups categories.
            $entitledKuserByPrivacyContext = kEntitlementUtils::getEntitledKuserByPrivacyContext();
            $critEntitledKusers = $c->getNewCriterion(self::ENTITLED_KUSERS, $entitledKuserByPrivacyContext, KalturaCriteria::IN_LIKE);
            $critEntitledKusers->addTag(KalturaCriterion::TAG_ENTITLEMENT_ENTRY);

            // categories the user is entitled to that are not indexed on the entry
            $categoriesIds = array();
            $categoriesIds = categoryPeer::retrieveEntitledAndNonIndexedByKuser(kCurrentContext::getCurrentKsKuserId(), kConf::get('category_search_limit'));
            if (count($categoriesIds) >= kConf::get('category_search_limit')) {
                // the lookup was capped, so the category criterion below may be incomplete
                self::$kuserBlongToMoreThanMaxCategoriesForSearch = true;
            }

            if (count($categoriesIds)) {
                $critCategories = $c->getNewCriterion(self::CATEGORIES_IDS, $categoriesIds, KalturaCriteria::IN_LIKE);
                $critCategories->addTag(KalturaCriterion::TAG_ENTITLEMENT_ENTRY);
                $critEntitled->addOr($critCategories);
            }

            $critEntitled->addOr($critEntitledKusers);
        }

        //user should be able to get all entries s\he uploaded - outside the privacy context
        // NOTE(review): the check is strict against 0, so a null kuser id (no KS user) still adds a KUSER_ID = null criterion — confirm intended
        $kuser = kCurrentContext::getCurrentKsKuserId();
        if ($kuser !== 0) {
            $critKuser = $c->getNewCriterion(entryPeer::KUSER_ID, $kuser, Criteria::EQUAL);
            $critKuser->addTag(KalturaCriterion::TAG_ENTITLEMENT_ENTRY);
            $critEntitled->addOr($critKuser);
        }
    } elseif (self::$userContentOnly) {
        // widget-style session: only the user's own entries
        $critEntitled = $c->getNewCriterion(entryPeer::KUSER_ID, kCurrentContext::getCurrentKsKuserId(), Criteria::EQUAL);
        $critEntitled->addTag(KalturaCriterion::TAG_WIDGET_SESSION);
    }

    // entries explicitly exempted from entitlement by the KS are always visible
    if ($ks && count($ks->getDisableEntitlementForEntry())) {
        $entryCrit = $c->getNewCriterion(entryPeer::ENTRY_ID, $ks->getDisableEntitlementForEntry(), Criteria::IN);
        $entryCrit->addTag(KalturaCriterion::TAG_ENTITLEMENT_ENTRY);
        if ($critEntitled) {
            $critEntitled->addOr($entryCrit);
        } else {
            $critEntitled = $entryCrit;
        }
    }

    if ($critEntitled) {
        $c->addAnd($critEntitled);
    }

    self::$s_criteria_filter->setFilter($c);
}
/**
 * Throws an error if the non-owner session user is trying to update entitledPusersEdit or entitledPusersPublish
 *
 * Admin sessions and the entry owner may change both lists. Anyone else may
 * only re-submit the current values (compared case-insensitively); null
 * means "not supplied" and is ignored.
 *
 * @param KalturaBaseEntry $entry
 * @param entry $dbEntry
 * @throws KalturaAPIException INVALID_KS when a non-owner changes either list
 */
protected function validateEntitledUsersUpdate(KalturaBaseEntry $entry, entry $dbEntry)
{
    $session = $this->getKs();
    if ($session && $session->isAdmin()) {
        return;
    }

    // the owner may change the entitled users freely
    if ($this->getKuser()->getId() == $dbEntry->getKuserId()) {
        return;
    }

    $editChanged = $entry->entitledUsersEdit !== null
        && strtolower($entry->entitledUsersEdit) != strtolower($dbEntry->getEntitledPusersEdit());
    $publishChanged = $entry->entitledUsersPublish !== null
        && strtolower($entry->entitledUsersPublish) != strtolower($dbEntry->getEntitledPusersPublish());

    if ($editChanged || $publishChanged) {
        throw new KalturaAPIException(KalturaErrors::INVALID_KS, "", ks::INVALID_TYPE, ks::getErrorStr(ks::INVALID_TYPE));
    }
}
/**
 * Executes a playlist by id, applying up to MAX_FILTER_COUNT-1 extra entry
 * filters taken from the request, and emits the resulting entries.
 *
 * The service runs twice per request: first with $create_cachekey set, to
 * derive a cache key (admin sessions are never cached), then for the real
 * execution. The cache key folds in the playlist, filters, partner, KS
 * partner, KS user and privileges, detail level and admin flag.
 *
 * @param int $partner_id
 * @param int $subp_id
 * @param string $puser_id
 * @param string $partner_prefix
 * @param kuser $puser_kuser
 * @param bool $create_cachekey when true only the cache key is computed and returned
 * @return executionCacheKey|null the cache key when requested (null for admins); nothing otherwise
 * @throws APIException INVALID_ENTRY_ID when the playlist does not exist
 */
public function executeImpl($partner_id, $subp_id, $puser_id, $partner_prefix, $puser_kuser, $create_cachekey = false)
{
    myDbHelper::$use_alternative_con = myDbHelper::DB_HELPER_CONN_PROPEL3;

    // TODO - verify permissions for viewing lists
    $detailed = $this->getP("detailed", false);
    if (!$detailed) {
        $detailed = false;
    }

    // paging values are read but not used further down in this method
    $limit = $this->getP("page_size", 10);
    $limit = $this->maxPageSize($limit);
    $page = $this->getP("page", 1);
    $user_filter_prefix = $this->getP("fp", "filter");
    $offset = ($page - 1) * $limit;

    // TODO - should limit search to partner ??
    // kuserPeer::setUseCriteriaFilter( false );
    // entryPeer::setUseCriteriaFilter( false );

    $playlist_id = $this->getPM("playlist_id");
    $input_params = $this->getInputParams();

    // extra filters come from request params prefixed "<fp>1_", "<fp>2_", ...; only non-empty ones are kept
    $extra_filters = array();
    for ($i = 1; $i < self::MAX_FILTER_COUNT; $i++) {
        // filter
        $extra_filter = new entryFilter();
        $fields_set = $extra_filter->fillObjectFromRequest($input_params, "{$user_filter_prefix}{$i}_", null);
        if ($fields_set) {
            $extra_filters[$i] = $extra_filter;
        }
    }

    if ($create_cachekey) {
        // admin responses are never served from cache
        if ($this->isAdmin()) {
            return null;
        }

        $ks_partner_id = null;
        $privileges = null;
        $ks = ks::fromSecureString(kCurrentContext::$ks);
        if ($ks) {
            $ks_partner_id = $ks->getPartnerId();
            $privileges = $ks->getPrivileges();
        }

        // key order matters: the md5 is taken over print_r of this array
        $cache_key_arr = array("playlist_id" => $playlist_id, "filters" => $extra_filters, "partner_id" => $partner_id, "ks_partner_id" => $ks_partner_id, "detailed" => $detailed, "user" => kCurrentContext::$ks_uid, "privileges" => $privileges, "is_admin" => $this->isAdmin());
        $cahce_key = new executionCacheKey();
        $cahce_key->expiry = 600;
        $cahce_key->key = md5(print_r($cache_key_arr, true));
        return $cahce_key;
    }

    // this service is executed twice! (first time for the cache key, second time for the execution)
    if (is_null($this->playlist)) {
        $playlist = entryPeer::retrieveByPK($playlist_id);
        if (!$playlist) {
            throw new APIException(APIErrors::INVALID_ENTRY_ID, "Playlist", $playlist_id);
        }
        // scope access control to the playlist's partner
        myPartnerUtils::addPartnerToCriteria(new accessControlPeer(), $playlist->getPartnerId(), $this->getPrivatePartnerData(), $this->partnerGroup2(), null);
        $this->playlist = $playlist;
    }

    if ($this->isAdmin()) {
        myPlaylistUtils::setIsAdminKs(true);
    }

    $entry_list = myPlaylistUtils::executePlaylistById($partner_id, $playlist_id, $extra_filters, $detailed);
    myEntryUtils::updatePuserIdsForEntries($entry_list);

    $level = $detailed ? objectWrapperBase::DETAIL_LEVEL_DETAILED : objectWrapperBase::DETAIL_LEVEL_REGULAR;
    $wrapper = objectWrapperBase::getWrapperClass($entry_list, $level);

    $this->addMsg("count", count($entry_list));
    $this->addMsg($this->getObjectPrefix(), $wrapper);
}
/**
 * True when the session is a widget session — or when no KS string is set at all.
 *
 * Operator precedence in the original made this "no KS string OR (ks AND
 * widget)"; the guard clause below spells that out.
 *
 * @return bool
 */
public function isKsWidget()
{
    if (!$this->ksStr) {
        return true;
    }

    return $this->ks && $this->ks->isWidgetSession();
}
/**
 * Internal encode/decode tool, gated by forceSystemAuthentication().
 *
 * Dispatches on the "algo" request parameter: wiki/base64 (de)serialisation,
 * 3DES-ECB via mcrypt, KS parsing, kwid cracking, or IP geolocation. Inputs
 * and the result are copied onto $this for the view.
 *
 * NOTE(review): the "wiki_decode" branch runs unserialize() on request input
 * (only system-authenticated callers reach it); the 3DES branches use ECB
 * mode — the IV created for them is never used by that mode — and echo the
 * supplied key into the response; mcrypt itself is deprecated/removed in
 * current PHP.
 */
public function execute()
{
    $this->forceSystemAuthentication();
    $secret = "";
    $str = $this->getP("str");
    $algo = $this->getP("algo", "wiki_decode");
    $res = "";
    $key = null;

    if ($algo == "wiki_encode") {
        // serialise, base64 and make the result safe for "|"/"/" separated contexts
        $res = str_replace(array("|", "/"), array("|01", "|02"), base64_encode(serialize($str)));
    } elseif ($algo == "wiki_decode") {
        // FIXME(review): unserialize() of request-supplied data; errors are suppressed with @
        $res = @unserialize(base64_decode(str_replace(array("|02", "|01"), array("/", "|"), $str)));
    } elseif ($algo == "wiki_decode_no_serialize") {
        $res = base64_decode(str_replace(array("|02", "|01"), array("/", "|"), $str));
    } elseif ($algo == "base64_encode") {
        $res = base64_encode($str);
    } elseif ($algo == "base64_decode") {
        $res = base64_decode($str);
    } elseif ($algo == "base64_3des_encode") {
        $key = $this->getP("des_key");
        echo "[{$key}]"; // the key is written straight into the response body
        $input = $str;
        $td = mcrypt_module_open('tripledes', '', 'ecb', '');
        $iv = mcrypt_create_iv(mcrypt_enc_get_iv_size($td), MCRYPT_RAND);
        // key is silently truncated to the cipher's key size
        $key = substr($key, 0, mcrypt_enc_get_key_size($td));
        mcrypt_generic_init($td, $key, $iv);
        $encrypted_data = mcrypt_generic($td, $input);
        mcrypt_generic_deinit($td);
        mcrypt_module_close($td);
        $res = base64_encode($encrypted_data);
        $this->des_key = $key;
    } elseif ($algo == "base64_3des_decode") {
        $key = $this->getP("des_key");
        echo "[{$key}]"; // the key is written straight into the response body
        $input = base64_decode($str);
        $td = mcrypt_module_open('tripledes', '', 'ecb', '');
        $iv = mcrypt_create_iv(mcrypt_enc_get_iv_size($td), MCRYPT_RAND);
        $key = substr($key, 0, mcrypt_enc_get_key_size($td));
        mcrypt_generic_init($td, $key, $iv);
        $encrypted_data = mdecrypt_generic($td, $input);
        mcrypt_generic_deinit($td);
        mcrypt_module_close($td);
        $res = $encrypted_data;
        $this->des_key = $key;
    } elseif ($algo == "ks") {
        // dumps every field of the parsed KS, plus expiry vs. now
        $ks = ks::fromSecureString($str);
        $res = print_r($ks, true);
        if ($ks != null) {
            $expired = $ks->valid_until;
            $expired_str = self::formatThisData($expired);
            $now = time();
            $now_str = self::formatThisData($now);
            $res .= "<br>" . "valid until: " . $expired_str . "<br>now: {$now} ({$now_str})";
        }
    } elseif ($algo == "kwid") {
        $kwid_str = @base64_decode($str);
        if (!$kwid_str) {
            // invalid string
            return "";
        }
        /* $kwid = new kwid(); list ( $kwid->kshow_id , $kwid->partner_id , $kwid->subp_id ,$kwid->article_name ,$kwid->widget_id , $kwid->hash ) = @explode ( self::KWID_SEPARATOR , $str ); */
        // "|"-separated kwid fields; the hash is recomputed from the fields plus the given secret for comparison
        $cracked = @explode("|", $kwid_str);
        $names = array("kshow_id", "partner_id", "subp_id", "article_name", "widget_id", "hash");
        $combined = array_combine($names, $cracked);
        $secret = $this->getP("secret");
        $md5 = md5($combined["kshow_id"] . $combined["partner_id"] . $combined["subp_id"] . $combined["article_name"] . $combined["widget_id"] . $secret);
        $combined["secret"] = $secret;
        $combined["calculated hash"] = substr($md5, 1, 10);
        $res = print_r($combined, true);
    } elseif ($algo == "ip") {
        // geolocate the given address, or the caller's when "str" is empty
        $ip_geo = new myIPGeocoder();
        if ($str) {
            $remote_addr = $str;
        } else {
            $remote_addr = requestUtils::getRemoteAddress();
        }
        $res = $ip_geo->iptocountry($remote_addr);
    }

    $this->key = $key;
    $this->secret = $secret;
    $this->str = $str;
    $this->res = $res;
    $this->algo = $algo;
}