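/**
 * Populate the OAI-PMH Identify response.
 *
 * Switches the response to XML and fills the template variables read by the
 * view: response date, repository title/description, protocol version,
 * earliest datestamp, granularity, the echoed request attributes and the
 * administrator e-mail addresses.
 *
 * @param sfWebRequest $request current request
 */
public function execute($request)
{
    $request->setRequestFormat('xml');

    // Response timestamp in UTC, in the form the protocol expects
    $this->date = gmdate('Y-m-d\\TH:i:s\\Z');
    $this->title = sfConfig::get('app_siteTitle');
    $this->description = sfConfig::get('app_siteDescription');
    $this->protocolVersion = '2.0';

    // Oldest modification time across all objects. fetch() returns false on
    // an empty table, in which case list() leaves earliestDatestamp null.
    list($this->earliestDatestamp) = Propel::getConnection()
        ->query('SELECT MIN(' . QubitObject::UPDATED_AT . ') FROM ' . QubitObject::TABLE_NAME)
        ->fetch();

    $this->granularity = 'YYYY-MM-DDThh:mm:ssZ';
    $this->deletedRecord = 'no';
    $this->compression = 'gzip';
    $this->path = url_for('oai/oaiAction');

    // Echo the GET parameters as attributes of the <request> element. Both
    // names and values come straight from the client, so they are escaped
    // for the attribute context; otherwise a quote, '<' or '&' in a
    // parameter breaks the XML or injects markup into the response.
    // NOTE(review): escaping does not make an arbitrary key a valid XML
    // attribute name; invalid argument names are presumably rejected
    // elsewhere as badArgument - confirm.
    $this->attributes = $this->request->getGetParameters();
    $this->attributesKeys = array_keys($this->attributes);
    $this->requestAttributes = '';
    foreach ($this->attributes as $key => $value) {
        $name = htmlspecialchars((string) $key, ENT_QUOTES, 'UTF-8');
        $escaped = htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
        $this->requestAttributes .= ' ' . $name . '="' . $escaped . '"';
    }

    // E-mail addresses of every user in the administrator group
    $criteria = new Criteria();
    $criteria->add(QubitAclUserGroup::GROUP_ID, QubitAclGroup::ADMINISTRATOR_ID);
    $criteria->addJoin(QubitAclUserGroup::USER_ID, QubitUser::ID);

    $this->adminEmail = array();
    foreach (QubitUser::get($criteria) as $user) {
        // Newline kept after each address (existing output format)
        $this->adminEmail[] = $user->getEmail() . "\n";
    }
}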
/**
 * Guard install actions: forward to the secure action unless the session
 * may run them.
 *
 * Listener for the controller change event. A sfInstallPlugin action is
 * allowed when the session already holds the action's credential, or when
 * no user in the database holds that credential (which includes the case
 * where the database cannot be queried at all, see the rationale below).
 *
 * @param sfEvent $event event whose subject is the controller
 *
 * @throws sfStopException after forwarding to the secure module/action
 */
public function controllerChangeAction(sfEvent $event)
{
    // Only install actions are guarded here
    if ('sfInstallPlugin' != $event->module) {
        return;
    }

    $controller = $event->getSubject();
    $actionInstance = $controller->getActionStack()->getLastEntry()->getActionInstance();
    $credential = $actionInstance->getCredential();

    // A session that already holds the credential passes through
    if (sfContext::getInstance()->user->hasCredential($credential)) {
        return;
    }

    // Any user belonging to a group named after the credential?
    $criteria = new Criteria();
    $criteria->add(QubitAclGroupI18n::NAME, $credential);
    $criteria->addJoin(QubitAclGroupI18n::ID, QubitAclGroup::ID);
    $criteria->addJoin(QubitAclGroup::ID, QubitAclUserGroup::GROUP_ID);
    $criteria->addJoin(QubitAclUserGroup::USER_ID, QubitUser::ID);

    // If for any reason the database can't be accessed, e.g.
    //   * config.php doesn't exist
    //   * config.php is misconfigured
    //   * the database is empty
    //
    // - or if no user exists with the necessary credential, then grant access
    // to install actions.
    //
    // This could only present a vulnerability if the database can't be
    // accessed, or if no user exists with the necessary credential. If the
    // database can't be accessed, then it isn't vulnerable. The filesystem is
    // vulnerable, so we must be careful not to read or write anything
    // sensitive. We erase the database, but it isn't vulnerable.
    //
    // Previously we granted sessions access to install actions if config.php
    // was missing, because this suggests that someone has access to the
    // filesystem - but we didn't link a specific session with access to the
    // filesystem, like Gallery's login.txt.
    //
    // One vulnerability is that anyone who gains the necessary credential on
    // one site, and knows the database username and password of another site,
    // can erase that database. To fix this, sessions should be bound to a key
    // stored in the database.
    //
    // This is superior to http://trac.symfony-project.org/ticket/5683
    //
    // If one database can't be accessed, then anyone can reconfigure the
    // database username and password, but other databases are safe as long as
    // a user exists with the necessary credential.
    //
    // Another vulnerability is that databases with incompatible schemas can be
    // erased. To fix this, we must know the database username and password to
    // reconfigure it. The currently configured database can be erased if its
    // schema is incompatible, but this isn't a vulnerability.
    try {
        // count() is kept inside the try: the query runs when the result is
        // counted, and a failing database must also grant access.
        $holders = count(QubitUser::get($criteria));
    } catch (PropelException $e) {
        return;
    }

    if ($holders < 1) {
        return;
    }

    $controller->forward(sfConfig::get('sf_secure_module'), sfConfig::get('sf_secure_action'));

    throw new sfStopException();
}
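/**
 * Admin email finder
 *
 * Returns the e-mail address of the user with the lowest id among those
 * holding the 'administrator' role, trimmed of surrounding whitespace.
 *
 * @return string the administrator email, or an empty string when no user
 *                holds the administrator role
 */
public static function getAdminEmail()
{
    $criteria = new Criteria();
    $criteria->addJoin(QubitUser::ID, QubitUserRoleRelation::USER_ID);
    $criteria->addJoin(QubitUserRoleRelation::ROLE_ID, QubitRole::ID);
    $criteria->add(QubitRole::NAME, 'administrator');
    // Lowest id first so the same administrator is returned on every call
    $criteria->addAscendingOrderByColumn(QubitUser::ID);

    $users = QubitUser::get($criteria);

    // Without this guard an empty result turns into a fatal
    // "call to a member function on null" instead of a usable value
    if (count($users) < 1) {
        return '';
    }

    // Cast: a null e-mail would otherwise reach trim()
    return trim((string) $users[0]->getEmail());
}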
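/**
 * Populate an OAI-PMH XML response.
 *
 * Switches the response to XML and fills the template variables read by the
 * view: response date, the request path, the echoed request attributes and
 * the administrator e-mail addresses.
 *
 * @param sfWebRequest $request current request
 */
public function execute($request)
{
    $request->setRequestFormat('xml');

    // Response timestamp in UTC, in the form the protocol expects
    $this->date = gmdate('Y-m-d\\TH:i:s\\Z');
    $this->path = $this->request->getUriPrefix() . $this->request->getPathInfo();

    // Echo the GET parameters as attributes of the <request> element. Both
    // names and values come straight from the client, so they are escaped
    // for the attribute context; otherwise a quote, '<' or '&' in a
    // parameter breaks the XML or injects markup into the response.
    // NOTE(review): escaping does not make an arbitrary key a valid XML
    // attribute name; invalid argument names are presumably rejected
    // elsewhere as badArgument - confirm.
    $this->attributes = $this->request->getGetParameters();
    $this->attributesKeys = array_keys($this->attributes);
    $this->requestAttributes = '';
    foreach ($this->attributes as $key => $value) {
        $name = htmlspecialchars((string) $key, ENT_QUOTES, 'UTF-8');
        $escaped = htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
        $this->requestAttributes .= ' ' . $name . '="' . $escaped . '"';
    }

    // E-mail addresses of every user holding the 'administrator' role
    $criteria = new Criteria();
    $criteria->addJoin(QubitUser::ID, QubitUserRoleRelation::USER_ID);
    $criteria->addJoin(QubitUserRoleRelation::ROLE_ID, QubitRole::ID);
    $criteria->add(QubitRole::NAME, 'administrator');

    $this->adminEmail = array();
    foreach (QubitUser::get($criteria) as $user) {
        // Newline kept after each address (existing output format)
        $this->adminEmail[] = $user->getEmail() . "\n";
    }
}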