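/**
 * Front controller for the Vesuvius/Sahana web application.
 *
 * Reads the requested module and action from $global (populated before this
 * runs; not visible here), picks the output stream from $_REQUEST['stream'],
 * includes the module's main.inc, resolves the handler function
 * shn[_<stream>]_<module>_<action> and calls it once the module and
 * function ACL checks pass. SOAP ("wsdl") and registration-confirmation
 * ("register") requests are dispatched to their own handlers and exit early.
 *
 * Security notes on the changes against the original logic:
 *  - $module and the stream name are spliced into include paths, so both are
 *    restricted to [A-Za-z0-9_] before any file is touched (the original only
 *    stripped NUL bytes from $module).
 *  - The self-service (signup, password, login form) bypass of the ACL is
 *    only taken for the pref module and only when the requested handler
 *    exists. The original compared with "=" (an assignment), which made the
 *    bypass apply to every module and let a nonexistent action fall through
 *    to shn_<module>_default without any permission check.
 *  - The text-stream receive_message exception also used "=" and "&", which
 *    made the module-list check pass for every non-HTML request.
 *
 * @return void  Output is written to the selected stream; nothing is returned.
 */
function shn_main_front_controller()
{
    global $global;
    global $conf;

    $action = $global['action'];
    $module = $global['module'];
    $action = is_string($action) ? $action : '';

    // $module becomes part of mod/<module>/main.inc below. Anything that is
    // not identifier-like (path separators, dots, NUL bytes, arrays from
    // "?module[]=") takes the same "module not installed" path as a module
    // that simply does not exist. Where $global['module'] is populated is not
    // visible here, so it is treated as untrusted.
    $module_is_valid = is_string($module) && preg_match('/^[A-Za-z0-9_]+$/', $module) === 1;

    // Optional SQL logging, switched on in the configuration.
    if (!empty($conf['enable_monitor_sql'])) {
        $global['db']->LogSQL();
    }

    // PLUS SOAP services are served entirely by the SOAP server.
    if (isset($_REQUEST['wsdl'])) {
        shn_main_plus_server();
        exit();
    }

    // Account registration confirmation.
    if (isset($_REQUEST['register'])) {
        shn_main_plus_register();
        exit();
    }

    // Non-HTML output streams. $stream is either null (HTML) or "_<name>";
    // the name is used in both a file name and a function name, so it has to
    // be identifier-like as well.
    $stream = null;
    $stream_requested = array_key_exists('stream', $_REQUEST);
    $requested_stream = $stream_requested ? $_REQUEST['stream'] : null;
    if (is_string($requested_stream)
        && preg_match('/^[A-Za-z0-9_]+$/', $requested_stream) === 1) {
        $stream_lib = $global['approot'] . '/inc/lib_stream_' . $requested_stream . '.inc';
        if (file_exists($stream_lib)) {
            require_once($stream_lib);
            $stream = '_' . $requested_stream;
        }
    }
    if ($stream === null) {
        // Unknown or malformed stream: report it and fall back to HTML.
        if ($stream_requested) {
            add_error(_t('The stream requested is not valid.'));
        }
        require_once($global['approot'] . "/inc/lib_stream_html.inc");
    }

    // Administrative actions (adm prefix) are routed through the admin module.
    if (preg_match('/^adm/', $action)) {
        $global['effective_module'] = $module = 'admin';
        $global['effective_action'] = $action = 'modadmin';
        $module_is_valid = true;
    }

    // Include the module's stream helpers (optional) and its main.inc.
    $module_file = null;
    if ($module_is_valid) {
        $module_stream_file = $global['approot'] . 'mod/' . $module . '/stream.inc';
        if (file_exists($module_stream_file)) {
            include_once($module_stream_file);
        }
        $module_file = $global['approot'] . 'mod/' . $module . '/main.inc';
    }
    if ($module_file !== null && file_exists($module_file)) {
        include_once($module_file);
    } else {
        // Unknown module: report it and show the home page instead.
        add_error(_t('The requested module is not installed in Vesuvius'));
        $module = 'home';
        $action = 'default';
        include_once($global['approot'] . 'mod/home/main.inc');
    }

    // Resolve the handler: stream-specific, then the generic XST handler,
    // then the module default (HTML) or a plain error dump (other streams).
    // $action_handler_found records whether a handler for the requested
    // action exists, as opposed to one of the fallbacks.
    $action_handler_found = true;
    $module_function = 'shn' . $stream . '_' . $module . '_' . $action;
    if (!function_exists($module_function)) {
        $module_function = 'shn_XST_' . $module . '_' . $action;
        if (!function_exists($module_function)) {
            $action_handler_found = false;
            if ($stream === null) {
                add_error(_t('The action requested is not available'));
                $module_function = 'shn_' . $module . '_default';
            } else {
                add_error(_t('This action does not support the stream type.'));
                $module_function = "display_errors"; // just display the errors
            }
        }
    }

    // Exceptions raised while the handler runs are collected here.
    $global['exception_list'] = array();

    // Stream preamble (for HTML: HTTP header, page header, menubar, login box).
    shn_stream_init();

    if ($stream === null) {
        // Self-service account actions on the pref module may run without a
        // login, but only when self-signup is enabled and only for a handler
        // that really exists (never for the shn_<module>_default fallback).
        $self_service_actions = array('signup2', 'signup', 'forgotPassword', 'loginForm');
        $is_self_service = $global['module'] === 'pref'
            && in_array($global['action'], $self_service_actions, true);

        if ($is_self_service && $action_handler_found) {
            if (shn_acl_is_signup_enabled()) {
                $module_function();
            }
        } else {
            // The module must be in the user's allowed list and the function
            // must pass the ACL before it is run.
            $allowed_mods = shn_get_allowed_mods_current_user();
            $module_allowed = is_array($allowed_mods) && in_array($module, $allowed_mods, true);

            if ($module_allowed && shn_acl_check_perms($module, $module_function) == ALLOWED) {
                // A session whose expiry equals the request time is taken as
                // "just logged in" and greeted. REQUEST_TIME is an integer, so
                // it is cast instead of escaped (mysql_real_escape_string no
                // longer exists in PHP 7+).
                $request_time = (int) $_SERVER['REQUEST_TIME'];
                $q = "SELECT count(*) FROM sessions WHERE expiry = '" . $request_time . "';";
                $result = $global['db']->Execute($q);
                if ($result !== false && isset($result->fields["count(*)"])
                    && (int) $result->fields["count(*)"] === 1) {
                    add_confirmation("Login successful");
                }
                $module_function();
            } else {
                shn_error_display_restricted_access();
            }
        }
    } else {
        $allowed_mods = shn_get_allowed_mods_current_user();
        $module_allowed = is_array($allowed_mods) && in_array($module, $allowed_mods, true);

        // The text stream's receive_message hook is exempt from the
        // module-list check (a hack carried over from the original;
        // presumably inbound messages arrive without a session). The
        // per-function ACL check below still applies to it. $stream carries
        // its leading underscore here.
        if ($stream === '_text' && $action === 'receive_message') {
            $module_allowed = true;
        }

        if ($module_allowed && shn_acl_check_perms($module, $module_function) == ALLOWED) {
            $module_function();
        } else {
            add_error(shn_error_get_restricted_access_message());
        }
    }

    // Close the stream (HTML: send the footer).
    shn_stream_close();
}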
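 /**
  * Validates that the current user is authorized to view the current page, using
  * the access guidelines outlined in this class's private $access.
  *
  * The request's 'act' / 'vm_action' pair selects an entry of $access; an
  * unknown 'vm_action' falls back to 'default' and an unknown 'act' to
  * 'volunteer' / 'default'. That entry's 'tables' list is checked against the
  * Sahana ACL (only when the ACL is enabled) and its 'extra' list is walked in
  * order: 'req_login', 'req_volunteer' and 'req_manager' add requirements,
  * while the 'ovr_' rules return true immediately when they match -- so an
  * override listed before a requirement short-circuits that requirement.
  *
  * Hardening against the original: request values that arrive as arrays
  * ('?act[]=x') no longer reach array_key_exists, an anonymous session
  * (no user_id) never satisfies an override rule, and 'ovr_my_info' compares
  * p_uuid with the session user strictly; the loose "==" granted access when
  * both sides were unset (null == null).
  *
  * If access is denied, an error message is automatically displayed.
  *
  * @access public
  * @param $error_msg		- true to output an error message if not authorized, false to suppress it
  * @param $new_getvars	- (optional), if specified, these getvars will be checked for authorization
  * 							instead of the default ones
  * @return true if the user is authorized, false if not
  */
 public function isAuthorized($error_msg = true, $new_getvars = null)
 {
     global $dao;
     $auth_vars = is_null($new_getvars) ? $this->getvars : $new_getvars;
     if (!is_array($auth_vars)) {
         $auth_vars = array();
     }
     // The session user, or null when nobody is logged in.
     $user_id = isset($_SESSION['user_id']) ? $_SESSION['user_id'] : null;

     // Resolve 'act': it must be a plain string naming an entry in $access.
     $act_found = isset($auth_vars['act']) && is_string($auth_vars['act'])
         && array_key_exists($auth_vars['act'], $this->access);
     $act = $act_found ? $auth_vars['act'] : 'volunteer';

     // Resolve 'vm_action' the same way, but only under a recognised 'act'.
     $vm_action = 'default';
     if ($act_found && isset($auth_vars['vm_action']) && is_string($auth_vars['vm_action'])
         && is_array($this->access[$act])
         && array_key_exists($auth_vars['vm_action'], $this->access[$act])) {
         $vm_action = $auth_vars['vm_action'];
     }
     $rules = isset($this->access[$act][$vm_action]) && is_array($this->access[$act][$vm_action])
         ? $this->access[$act][$vm_action] : array();

     // Assume the user passes until a rule says otherwise.
     $passed_sahana_acl = true;
     $passed_vm_acl = true;

     // Table-level access is only checked when the Sahana ACL is enabled.
     if (isset($rules['tables']) && is_array($rules['tables']) && shn_acl_is_enabled() == true) {
         $passed_sahana_acl = $this->dataAccessIsAuthorized($rules['tables'], false);
     }

     // Extra constraints and overrides, evaluated in the order listed.
     if (isset($rules['extra']) && is_array($rules['extra'])) {
         $logged_in = !empty($_SESSION['logged_in']);
         foreach ($rules['extra'] as $rule) {
             switch ($rule) {
                 case 'req_login':
                     $passed_vm_acl = $passed_vm_acl && $logged_in;
                     break;
                 case 'req_volunteer':
                     // An anonymous session is treated as not a volunteer
                     // without consulting the DAO.
                     $passed_vm_acl = $passed_vm_acl && $user_id !== null
                         && $dao->isVolunteer($user_id);
                     break;
                 case 'req_manager':
                     $passed_vm_acl = $passed_vm_acl && $user_id !== null
                         && $dao->isSiteManager($user_id);
                     break;
                 case 'ovr_manager':
                     if ($user_id !== null && $dao->isSiteManager($user_id)) {
                         return true;
                     }
                     break;
                 case 'ovr_my_info':
                     // Strict comparison: "==" let a request without p_uuid
                     // match an anonymous session (null == null).
                     if ($user_id !== null && isset($auth_vars['p_uuid'])
                         && is_scalar($auth_vars['p_uuid'])
                         && (string) $auth_vars['p_uuid'] === (string) $user_id) {
                         return true;
                     }
                     break;
                 case 'ovr_my_proj':
                     if ($user_id !== null && isset($auth_vars['proj_id'])
                         && is_scalar($auth_vars['proj_id'])) {
                         $projects = $dao->listProjects($user_id);
                         if (is_array($projects)
                             && array_key_exists((string) $auth_vars['proj_id'], $projects)) {
                             return true;
                         }
                     }
                     break;
                 case 'ovr_mgr_proj':
                     if ($user_id !== null && isset($auth_vars['proj_id'])
                         && is_scalar($auth_vars['proj_id'])
                         && $dao->isSiteManagerForProject($user_id, $auth_vars['proj_id'])) {
                         return true;
                     }
                     break;
                 case 'ovr_mainops':
                     if ($user_id !== null) {
                         $roles = _shn_acl_get_roles($user_id);
                         if (is_array($roles) && array_key_exists(MAINOPS, $roles)) {
                             return true;
                         }
                     }
                     break;
                 case 'ovr_mgr_pos':
                     if ($user_id !== null && isset($auth_vars['pos_id'])
                         && is_scalar($auth_vars['pos_id'])
                         && $dao->isPositionUnderManager($auth_vars['pos_id'], $user_id)) {
                         return true;
                     }
                     break;
             }
         }
     }

     if ($passed_vm_acl && $passed_sahana_acl) {
         return true;
     }
     if ($error_msg) {
         shn_error_display_restricted_access();
     }
     return false;
 }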
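/**
 * Front controller for the Sahana web application.
 *
 * Picks the output stream from $_REQUEST['stream'] (html by default), routes
 * adm- and rpt-prefixed actions through the admin and rs modules, includes
 * the module's main.inc and calls shn_[<stream>_]<module>_<action> (or the
 * module's _default handler) after the ACL checks. On the first run of a
 * session the welcome page is shown instead.
 *
 * Changes against the original logic, all on the security side:
 *  - the NUL-byte strip had lost its "\0" argument and was a no-op; it is
 *    restored and $module is additionally restricted to [A-Za-z0-9_] because
 *    it is spliced into an include path;
 *  - the handler name is now built after $module has been sanitised, so the
 *    ACL check and the included file refer to the same module;
 *  - the stream name goes through the same identifier rule before it reaches
 *    require_once;
 *  - the signup bypass compared $global['module'] with "=" (assignment), so
 *    any module with action=signup skipped the ACL and could fall through to
 *    shn_<module>_default; it now requires module pref and an existing
 *    handler;
 *  - a stream library without a shn_<stream>_check_perms() hook now denies
 *    instead of raising a fatal undefined-function error.
 *
 * @return void  Output is written to the selected stream.
 */
function shn_main_front_controller()
{
    global $global, $APPROOT, $conf;
    $action = $global['action'];
    $module = $global['module'];
    $action = is_string($action) ? $action : '';

    // Drop NUL bytes and then insist on an identifier-like module name; where
    // $global['module'] is populated is not visible here, so it is treated as
    // untrusted. An invalid name falls back to the home module below.
    $module = is_string($module) ? str_replace("\0", "", $module) : '';
    $module_is_valid = preg_match('/^[A-Za-z0-9_]+$/', $module) === 1;

    // Select the stream library; the name is used in a file name and in
    // function names, so it is held to the same identifier rule.
    $stream_ = null;
    if (isset($_REQUEST['stream']) && is_string($_REQUEST['stream'])
        && preg_match('/^[A-Za-z0-9_]+$/', $_REQUEST['stream']) === 1) {
        $stream_lib = $APPROOT . "/inc/lib_stream_{$_REQUEST['stream']}.inc";
        if (file_exists($stream_lib)) {
            require_once $stream_lib;
            $stream_ = $_REQUEST['stream'] . "_";
        }
    }
    if ($stream_ === null) {
        // default to the HTML stream
        require_once $APPROOT . "/inc/lib_stream_html.inc";
    }

    // Administrative (adm prefix) and report (rpt prefix) actions are
    // redirected to the admin and rs modules; the original module and action
    // stay in $global.
    if (preg_match('/^adm/', $action)) {
        $global['effective_module'] = $module = 'admin';
        $global['effective_action'] = $action = 'modadmin';
        $module_is_valid = true;
    }
    if (preg_match('/^rpt/', $action)) {
        $global['effective_module'] = $module = 'rs';
        $global['effective_action'] = $action = 'modreports';
        $module_is_valid = true;
    }

    // Include the module's main.inc, or the home module when it is missing.
    // On fallback $module/$action are rewritten too, so the handler lookup
    // and ACL check below refer to the module that was actually included
    // (the original left them pointing at the missing module, which ended in
    // a call to an undefined function).
    $module_file = $module_is_valid ? $APPROOT . 'mod/' . $module . '/main.inc' : null;
    if ($module_file !== null && file_exists($module_file)) {
        include $module_file;
    } else {
        $module = 'home';
        $action = 'default';
        include $APPROOT . 'mod/home/main.inc';
    }

    // Handler name, built only after $module has been sanitised.
    $module_function = 'shn_' . $stream_ . $module . '_' . $action;

    // Stream preamble (HTML: HTTP header, page header, menubar, login box).
    shn_stream_init();

    if (isset($_SESSION['first_time_run']) && $_SESSION['first_time_run'] == true) {
        // First visit of this session: show the welcome page instead.
        $_SESSION['first_time_run'] = false;
        include_once $APPROOT . 'mod/home/main.inc';
        shn_home_welcome();
    } else {
        // Fall back to the module's default handler when the requested one
        // does not exist; remember whether the fallback was taken.
        $action_handler_found = function_exists($module_function);
        if (!$action_handler_found) {
            $module_function = 'shn_' . $stream_ . $module . '_default';
        }
        $_SESSION['last_module'] = $module;
        $_SESSION['last_action'] = $action;

        if ($stream_ === null) {
            // Self-signup on the pref module may run without a login when
            // enabled -- only for a handler that exists, never for the
            // _default fallback.
            $is_signup = ($global['action'] === 'signup_cr' || $global['action'] === 'signup')
                && $global['module'] === 'pref';
            if ($is_signup && $action_handler_found) {
                if (shn_acl_is_signup_enabled() == true) {
                    $module_function();
                }
            } else {
                $mods = shn_get_allowed_mods_current_user();
                if (is_array($mods) && in_array($module, $mods, true)) {
                    if (shn_acl_check_perms($module, $module_function) == ALLOWED) {
                        $module_function();
                    } else {
                        // The restricted-access message was commented out in
                        // the original for this branch; left unchanged.
                        //shn_error_display_restricted_access();
                    }
                } else {
                    shn_error_display_restricted_access();
                }
            }
        } else {
            // Non-HTML streams delegate the permission check to the stream
            // library; a missing hook denies instead of fataling.
            $stream_acl_funct = 'shn_' . $stream_ . 'check_perms';
            if (function_exists($stream_acl_funct) && $stream_acl_funct() == ALLOWED) {
                $module_function();
            }
        }
    }

    // close up the stream. In HTML send the footer
    shn_stream_close();
}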