header('Strict-Transport-Security: max-age=31536000');
header('X-Frame-Options: deny');
header('X-Content-Type-Options: nosniff');
header('X-XSS-Protection: 1; mode=block');
} else {
$uri = 'https://' . URL_INTRANET . $_SERVER['PHP_SELF'] . '?' . $_SERVER['QUERY_STRING'];
header('HTTP/1.1 301 Moved Permanently');
header("Location: {$uri}");
die;
}
// @TODO move this logic to appropriate controllers
if (!Authentication::isAuthenticated($SESSION, 'internal')) {
header('Location: https://' . URL_VENTUS . '/index.php?next=' . $_SERVER['PHP_SELF'] . '?' . $_SERVER['QUERY_STRING']);
exit;
} else {
Authentication::isAuthorized($SESSION, \Ventus\Utilities\URI::getCurrentURL());
}
header('Content-Type: text/html; charset=utf-8');
header('Content-Language: ' . $l10n->getLanguage());
?>
<!DOCTYPE html>
<html lang='<?php
echo $l10n->getLanguage();
?>
' class='no-js'>
<meta charset='utf-8'>
<meta name='viewport' content='width=device-width,initial-scale=1.0'>
<link rel="stylesheet" media="screen" type="text/css" href="../includes/css/ventus.css">
<link rel='stylesheet' media='screen' type='text/css' href='//<?php
echo URL_VENDOR_FRONTEND;
/**
* This controller will either grant or refuse a read-only session request to a user
*/
// Session, config
require '../includes/php/bootstrap.php';
$SESSION = new \Zend_Session_Namespace('internal', true);
// Kill existing student session if one exists
\Zend_Session::namespaceUnset('student');
//Models
$model = new StudentProfile($dbo);
$module = \Ventus\Utilities\Functions::getModuleNameFromURL($_SERVER['HTTP_REFERER']);
$module === 'specialist' ? $url = URL_SPECIALIST : ($url = URL_ACCESS_RECEPTION);
//We first check if the employee has a valid session and is authorized to access the Specialist module
\Ventus\Utilities\Authentication::isAuthenticated($SESSION, 'internal');
\Ventus\Utilities\Authentication::isAuthorized($SESSION, 'https://' . $url);
//Check and decrypt read only session key
if (empty($_GET['key']) || empty($_GET['iv'])) {
//No key exists...we have a problem
$loggers['audit']->error('Attempted access to student read-only session without key.');
header('location: https://' . URL_PHP . '/error-external.php?eid=R9001');
exit;
}
$student = mcrypt_decrypt(MCRYPT_BLOWFISH, hash('md5', HASH_GENERATION_RANDOM_STRING), base64_decode($_GET['key']), MCRYPT_MODE_ECB, base64_decode($_GET['iv']));
$student = unserialize($student);
$log_in = $model->validateUserForReadOnlySession($student);
if (!$log_in) {
//No student found...we have a problem
$loggers['audit']->warning("Attempted access to student read-only session for invalid student {$student['student_num']}.");
header('location: https://' . URL_PHP . '/error-external.php?eid=R9002');
exit;
