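/**
 * Vesuvius front controller: selects the output stream library, loads the
 * requested module, resolves the handler function for the current action and
 * invokes it subject to the ACL checks.
 *
 * Reads $global['action'], $global['module'], $global['approot'],
 * $global['db'] and $conf['enable_monitor_sql']; writes
 * $global['effective_module'], $global['effective_action'] and
 * $global['exception_list']. Exits early for SOAP (wsdl) and account
 * registration (register) requests.
 *
 * @return void
 */
function shn_main_front_controller()
{
    global $global;
    global $conf;

    $action = $global['action'];
    $module = $global['module'];

    // Enable database query logging when the configuration asks for it.
    if (!empty($conf['enable_monitor_sql'])) {
        $global['db']->LogSQL();
    }

    // Are we streaming PLUS SOAP services?
    if (isset($_REQUEST['wsdl'])) {
        shn_main_plus_server();
        exit();
    }

    // Is the user confirming an account registration?
    if (isset($_REQUEST['register'])) {
        shn_main_plus_register();
        exit();
    }

    // Are we streaming anything else? The value becomes part of a file name
    // passed to require_once, so only a plain identifier is accepted; '.', '/'
    // and similar characters must never reach the include path.
    $stream_requested = array_key_exists('stream', $_REQUEST);
    $stream_name = isset($_REQUEST['stream']) ? (string) $_REQUEST['stream'] : '';
    $stream_name_ok = $stream_name !== '' && preg_match('/^[A-Za-z0-9_]+$/', $stream_name) === 1;
    $stream = $stream_name_ok ? '_' . $stream_name : null;

    // Load the stream library if it exists, otherwise revert to the HTML stream.
    $stream_lib = $global['approot'] . '/inc/lib_stream' . $stream . '.inc';
    if ($stream_name_ok && file_exists($stream_lib)) {
        require_once($stream_lib);
    } else {
        if ($stream_requested) {
            add_error(_t('The stream requested is not valid.'));
        }
        require_once($global['approot'] . "/inc/lib_stream_html.inc");
        $stream = null;
    }

    // Redirect admin functions through the admin module.
    if (preg_match('/^adm/', $action)) {
        $global['effective_module'] = $module = 'admin';
        $global['effective_action'] = $action = 'modadmin';
    }

    // $module is interpolated into include paths below. Strip null bytes (the
    // historic fix) and additionally require a plain identifier so that '..'
    // or '/' cannot escape the mod/ directory.
    $module = str_replace("\0", "", (string) $module);
    $module_ok = preg_match('/^[A-Za-z0-9_]+$/', $module) === 1;

    // Load the module's stream file if it has one.
    $module_stream_file = $global['approot'] . 'mod/' . $module . '/stream.inc';
    if ($module_ok && file_exists($module_stream_file)) {
        include_once($module_stream_file);
    }

    // Locate the module's main.inc; default to the home page when it is missing.
    $module_file = $global['approot'] . 'mod/' . $module . '/main.inc';
    if ($module_ok && file_exists($module_file)) {
        include_once($module_file);
    } else {
        add_error(_t('The requested module is not installed in Vesuvius'));
        $module = 'home';
        $action = 'default';
        include_once($global['approot'] . 'mod/home/main.inc');
    }

    // Handler name: shn[_stream]_<module>_<action>, falling back to the
    // generic cross-stream (XST) handler, then to the module default.
    $module_function = 'shn' . $stream . '_' . $module . '_' . $action;
    if (!function_exists($module_function)) {
        $module_function = 'shn_XST_' . $module . '_' . $action;
        if (!function_exists($module_function)) {
            if ($stream === null) {
                add_error(_t('The action requested is not available'));
                $module_function = 'shn_' . $module . '_default';
            } else {
                // Non-HTML stream: report the problem and only render the errors.
                add_error(_t('This action does not support the stream type.'));
                $module_function = "display_errors";
            }
        }
    }

    // Exceptions generated while calling the handler are collected here.
    $global['exception_list'] = array();

    // Initialise the stream (for XHTML: HTTP header, content header, menubar, login).
    shn_stream_init();

    if ($stream === null) {
        $self_service_actions = array('signup2', 'signup', 'forgotPassword', 'loginForm');
        // The original wrote "$global['module'] = 'pref'" here: an assignment,
        // always true, which also clobbered $global['module']. A comparison is
        // clearly what was meant, so self-service actions bypass the module
        // ACL only for the pref module.
        if (in_array($global['action'], $self_service_actions, true) && $global['module'] === 'pref') {
            if (shn_acl_is_signup_enabled()) {
                $module_function();
            }
        } else {
            // Not a self-signup action: the module must be in the user's allowed list.
            $allowed_mods = shn_get_allowed_mods_current_user();
            $res = array_search($module, $allowed_mods, true);
            if (false !== $res) {
                if (shn_acl_check_perms($module, $module_function) == ALLOWED) {
                    // A session whose expiry equals the request time was created on
                    // this request, i.e. the user just logged in: greet them.
                    // REQUEST_TIME is an integer, so cast it instead of escaping
                    // (mysql_real_escape_string is gone on PHP 7+).
                    $q = " SELECT count(*) FROM sessions WHERE expiry = '" . (int) $_SERVER['REQUEST_TIME'] . "'; ";
                    $result = $global['db']->Execute($q);
                    if ($result !== false && isset($result->fields["count(*)"]) && $result->fields["count(*)"] == '1') {
                        add_confirmation("Login successful");
                    }
                    $module_function();
                } else {
                    shn_error_display_restricted_access();
                }
            } else {
                shn_error_display_restricted_access();
            }
        }
    } else {
        // Non-HTML stream.
        $allowed_mods = shn_get_allowed_mods_current_user();
        $res = array_search($module, $allowed_mods, true);
        // Hack for the messaging module's receive function on the text stream.
        // The original test used '=' and '&' (assignment and bitwise AND), which
        // evaluated true for every stream and rewrote $action; compare instead.
        if ($stream === '_text' && $action === 'receive_message') {
            $res = true;
        }
        if (false !== $res) {
            if (shn_acl_check_perms($module, $module_function) == ALLOWED) {
                $module_function();
            } else {
                add_error(shn_error_get_restricted_access_message());
            }
        } else {
            add_error(shn_error_get_restricted_access_message());
        }
    }

    // Close up the stream. In HTML send the footer.
    shn_stream_close();
}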
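/**
 * Validates that the current user is authorized to view the current page, using
 * the access guidelines outlined in this class's private $access.
 *
 * The 'act' / 'vm_action' pair from the getvars is looked up in $this->access;
 * when 'vm_action' is not listed it degrades to 'default', and when 'act' is
 * not listed to 'volunteer' / 'default'. The matching entry may carry a
 * 'tables' list (checked through dataAccessIsAuthorized() while the Sahana
 * ACL is enabled) and an 'extra' list of requirements (req_*) and overrides
 * (ovr_*); any satisfied override grants access immediately.
 *
 * If access is denied, an error message is automatically displayed.
 *
 * @access public
 * @param $error_msg - true to output an error message if not authorized, false to suppress it
 * @param $new_getvars - (optional), if specified, these getvars will be checked for authorization
 *                       instead of the default ones
 * @return true if the user is authorized, false if not
 */
public function isAuthorized($error_msg = true, $new_getvars = null)
{
    global $dao;

    $auth_vars = is_null($new_getvars) ? $this->getvars : $new_getvars;

    // Resolve the access entry. Keys are tested with array_key_exists rather
    // than in_array(array_keys()) so that loose comparison (e.g. '1e1' == '10')
    // cannot select a different entry; non-string values never match.
    $act_found = isset($auth_vars['act'])
        && is_string($auth_vars['act'])
        && array_key_exists($auth_vars['act'], $this->access);
    $vm_act_found = $act_found
        && isset($auth_vars['vm_action'])
        && is_string($auth_vars['vm_action'])
        && is_array($this->access[$auth_vars['act']])
        && array_key_exists($auth_vars['vm_action'], $this->access[$auth_vars['act']]);

    if ($act_found) {
        $act = $auth_vars['act'];
        $vm_action = $vm_act_found ? $auth_vars['vm_action'] : 'default';
    } else {
        $act = 'volunteer';
        $vm_action = 'default';
    }

    // A missing entry or missing 'tables'/'extra' key means "no constraint"
    // (the original relied on undefined-index notices yielding null here).
    $rules = isset($this->access[$act][$vm_action]) && is_array($this->access[$act][$vm_action])
        ? $this->access[$act][$vm_action]
        : array();
    $tables = isset($rules['tables']) && is_array($rules['tables']) ? $rules['tables'] : null;
    $extra = isset($rules['extra']) && is_array($rules['extra']) ? $rules['extra'] : array();

    $user_id = isset($_SESSION['user_id']) ? $_SESSION['user_id'] : null;
    $proj_id = isset($auth_vars['proj_id']) ? $auth_vars['proj_id'] : null;
    $pos_id = isset($auth_vars['pos_id']) ? $auth_vars['pos_id'] : null;

    // Assume the user passes to begin with.
    $passed_sahana_acl = true;
    $passed_vm_acl = true;

    // Database information access: only checked while the Sahana ACL is enabled.
    if ($tables !== null && shn_acl_is_enabled() == true) {
        $passed_sahana_acl = $this->dataAccessIsAuthorized($tables, false);
    }

    // Constraints and overrides imposed through the 'extra' list.
    foreach ($extra as $value) {
        switch ($value) {
            case 'req_login':
                // User must be logged in.
                $passed_vm_acl = $passed_vm_acl && !empty($_SESSION['logged_in']);
                break;

            case 'req_volunteer':
                // User must be a volunteer.
                $passed_vm_acl = $passed_vm_acl && $dao->isVolunteer($user_id);
                break;

            case 'req_manager':
                // User must be an approved site manager.
                $passed_vm_acl = $passed_vm_acl && $dao->isSiteManager($user_id);
                break;

            case 'ovr_manager':
                // Override if the user is an approved site manager.
                if ($dao->isSiteManager($user_id)) {
                    return true;
                }
                break;

            case 'ovr_my_info':
                // Override if the user requests his own information. Strict
                // comparison on strings: with the original '==' a request
                // without p_uuid matched an anonymous session (null == null).
                if (isset($auth_vars['p_uuid'])
                    && $user_id !== null
                    && is_scalar($auth_vars['p_uuid'])
                    && (string) $auth_vars['p_uuid'] === (string) $user_id
                ) {
                    return true;
                }
                break;

            case 'ovr_my_proj':
                // Override if the requested project is one of the user's own.
                // NOTE(review): key lookup instead of loose in_array; assumes
                // listProjects() is keyed by project id as the original implied.
                if ($proj_id !== null
                    && is_scalar($proj_id)
                    && array_key_exists($proj_id, $dao->listProjects($user_id))
                ) {
                    return true;
                }
                break;

            case 'ovr_mgr_proj':
                // Override if the user is a site manager for the requested project.
                if ($dao->isSiteManagerForProject($user_id, $proj_id)) {
                    return true;
                }
                break;

            case 'ovr_mainops':
                // Override if the user holds the Main Operations handler role.
                if (array_key_exists(MAINOPS, _shn_acl_get_roles($user_id))) {
                    return true;
                }
                break;

            case 'ovr_mgr_pos':
                // Override if the user manages the project owning the requested
                // position (active or retired).
                if ($dao->isPositionUnderManager($pos_id, $user_id)) {
                    return true;
                }
                break;
        }
    }

    if ($passed_vm_acl && $passed_sahana_acl) {
        return true;
    }
    if ($error_msg) {
        shn_error_display_restricted_access();
    }
    return false;
}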
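/**
 * Sahana front controller: picks the output stream library, redirects admin
 * and report actions to their handling modules, includes the module's main.inc
 * and dispatches to shn[_stream]_<module>_<action> after the ACL checks.
 *
 * Reads $global['action'], $global['module'] and $APPROOT; writes
 * $global['effective_module'], $global['effective_action'] and the
 * last_module / last_action / first_time_run session keys.
 *
 * @return void
 */
function shn_main_front_controller()
{
    global $global, $APPROOT;

    $action = $global['action'];
    $module = $global['module'];

    // Pick the stream library from the "stream" request value. The value is
    // used as part of a file name, so only a plain identifier is accepted;
    // anything else (including '../') falls back to the HTML stream.
    $stream_name = isset($_REQUEST['stream']) ? (string) $_REQUEST['stream'] : '';
    $stream_lib = $APPROOT . "/inc/lib_stream_{$stream_name}.inc";
    if ($stream_name !== '' && preg_match('/^[A-Za-z0-9_]+$/', $stream_name) === 1 && file_exists($stream_lib)) {
        require_once $stream_lib;
        $stream_ = $stream_name . "_";
    } else {
        // Default to the HTML stream.
        require_once $APPROOT . "/inc/lib_stream_html.inc";
        $stream_ = null;
    }

    // Redirect admin functions through the admin module.
    if (preg_match('/^adm/', $action)) {
        $global['effective_module'] = $module = 'admin';
        $global['effective_action'] = $action = 'modadmin';
    }
    // Redirect report actions through the reporting module
    // (the original module and action stay in $global).
    if (preg_match('/^rpt/', $action)) {
        $global['effective_module'] = $module = 'rs';
        $global['effective_action'] = $action = 'modreports';
    }

    // $module is interpolated into include paths. Strip null bytes -- the
    // original str_replace("", "", ...) was a no-op, "\0" is the intended
    // needle -- and require a plain identifier so '..' or '/' cannot escape mod/.
    $module = str_replace("\0", "", (string) $module);
    $module_ok = preg_match('/^[A-Za-z0-9_]+$/', $module) === 1;

    // Handler for this action; checked against the ACL below.
    $module_function = 'shn_' . $stream_ . $module . '_' . $action;

    // Include the module's main.inc, or the home page if it does not exist.
    $module_file = $APPROOT . 'mod/' . $module . '/main.inc';
    if ($module_ok && file_exists($module_file)) {
        include $module_file;
    } else {
        include $APPROOT . 'mod/home/main.inc';
    }

    // Stream (XHTML, XML, TEXT, ...) initialisation; for XHTML this emits the
    // HTTP header, content header, menubar and login box.
    shn_stream_init();

    if (!empty($_SESSION['first_time_run'])) {
        $_SESSION['first_time_run'] = false;
        include_once $APPROOT . 'mod/home/main.inc';
        // First-time welcome view; the flag is cleared inside the method.
        shn_home_welcome();
    } else {
        // Default behaviour: compose and call the relevant module function.
        if (!function_exists($module_function)) {
            $module_function = 'shn_' . $stream_ . $module . '_default';
        }
        $_SESSION['last_module'] = $module;
        $_SESSION['last_action'] = $action;

        if ($stream_ === null) {
            // The original wrote "$global['module'] = \"pref\"" (an assignment,
            // always true); the signup bypass is meant for the pref module only.
            $is_signup = ($global['action'] == 'signup_cr' || $global['action'] == 'signup')
                && $global['module'] === "pref";
            if ($is_signup) {
                if (shn_acl_is_signup_enabled() == true) {
                    $module_function();
                }
            } else {
                $mods = shn_get_allowed_mods_current_user();
                $res = array_search($module, $mods, true);
                if (false !== $res) {
                    // Permission denied inside an allowed module is deliberately
                    // silent here, as in the original.
                    if (shn_acl_check_perms($module, $module_function) == ALLOWED) {
                        $module_function();
                    }
                } else {
                    shn_error_display_restricted_access();
                }
            }
        } else {
            // Non-HTML streams carry their own permission check. A stream library
            // without one must deny rather than fail on an undefined function.
            $stream_acl_funct = 'shn_' . $stream_ . 'check_perms';
            if (function_exists($stream_acl_funct) && $stream_acl_funct() == ALLOWED) {
                $module_function();
            }
        }
    }

    // Close up the stream. In HTML send the footer.
    shn_stream_close();
}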