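<?php
use Ventus\Utilities\Authentication;

/*
 * Common page header, included by every intranet page.
 *
 *  - refuses plain HTTP: 301 to the same path+query on URL_INTRANET over TLS;
 *  - on TLS, emits the browser-hardening response headers;
 *  - requires an authenticated 'internal' session (else bounces to the login
 *    page with a return URL), then runs the per-URL authorization check;
 *  - sends the content-type/language headers and opens the HTML document.
 *
 * Relies on the including script for $SESSION and $l10n, and on the
 * URL_INTRANET / URL_VENTUS constants. No variable set here outlives the
 * header: the only locals are assigned in branches that exit.
 */

// Secure when the TLS-terminating proxy says so, or when PHP negotiated TLS itself.
// NOTE(review): X-Forwarded-Proto is client-supplied unless the front proxy
// overwrites it; honour it only behind a proxy that does.
if (!(isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https')
    && !(!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
) {
    // Plain HTTP: permanent redirect to the TLS equivalent of this request.
    $uri = 'https://' . URL_INTRANET . $_SERVER['PHP_SELF'] . '?' . $_SERVER['QUERY_STRING'];
    header('HTTP/1.1 301 Moved Permanently');
    header("Location: {$uri}");
    exit;
}

header('Strict-Transport-Security: max-age=31536000');
header('X-Frame-Options: deny');
header('X-Content-Type-Options: nosniff');
header('X-XSS-Protection: 1; mode=block'); // legacy header; most current browsers ignore it, harmless to keep

// @TODO move this logic to appropriate controllers
if (!Authentication::isAuthenticated($SESSION, 'internal')) {
    // The return URL is carried as a single query value, so it is URL-encoded:
    // left unencoded, any '&' in the current query string would be parsed by
    // the login page as a separate parameter and truncate 'next'.
    $next = $_SERVER['PHP_SELF'] . '?' . $_SERVER['QUERY_STRING'];
    header('Location: https://' . URL_VENTUS . '/index.php?next=' . rawurlencode($next));
    exit;
}

// NOTE(review): the return value is discarded — confirm isAuthorized() itself
// redirects/exits on a denied URL; otherwise this line enforces nothing.
Authentication::isAuthorized($SESSION, \Ventus\Utilities\URI::getCurrentURL());

header('Content-Type: text/html; charset=utf-8');
header('Content-Language: ' . $l10n->getLanguage());
?>
<!DOCTYPE html>
<!-- lang attribute is HTML-escaped: the language code originates outside this file -->
<html lang='<?php echo htmlspecialchars($l10n->getLanguage(), ENT_QUOTES, 'UTF-8'); ?>' class='no-js'>
<meta charset='utf-8'>
<meta name='viewport' content='width=device-width,initial-scale=1.0'>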
namespace Ventus\Student;

/**
 * This controller will either grant or refuse a read-only session request to a user
 *
 * Flow: bootstrap, open the 'internal' session (dropping any 'student' one),
 * check the employee's session/authorization, decrypt + unserialize the
 * key/iv pair from the query string, then validate the resulting student record.
 * Expects bootstrap.php to provide $dbo and $loggers, plus the URL_* and
 * HASH_GENERATION_RANDOM_STRING constants.
 */

// Session, config
require '../includes/php/bootstrap.php';
$SESSION = new \Zend_Session_Namespace('internal', true);

// Kill existing student session if one exists
\Zend_Session::namespaceUnset('student');

//Models
$model = new StudentProfile($dbo);

// NOTE(review): the Referer header is client-supplied, so the caller decides which
// module URL the authorization check below is run against. The module should come
// from server-side state (e.g. the session) rather than from the Referer.
$module = \Ventus\Utilities\Functions::getModuleNameFromURL($_SERVER['HTTP_REFERER']);
$module === 'specialist' ? $url = URL_SPECIALIST : ($url = URL_ACCESS_RECEPTION);

//We first check if the employee has a valid session and is authorized to access the Specialist module
// NOTE(review): both return values are discarded. If either method merely returns a
// bool instead of redirecting/exiting on failure, nothing here stops an
// unauthenticated or unauthorized request from reaching the decryption below — confirm.
\Ventus\Utilities\Authentication::isAuthenticated($SESSION, 'internal');
\Ventus\Utilities\Authentication::isAuthorized($SESSION, 'https://' . $url);

//Check and decrypt read only session key
if (empty($_GET['key']) || empty($_GET['iv'])) {
    //No key exists...we have a problem
    $loggers['audit']->error('Attempted access to student read-only session without key.');
    header('location: https://' . URL_PHP . '/error-external.php?eid=R9001');
    exit;
}

// SECURITY(review): several problems on the next two lines.
//  - mcrypt was removed from PHP core in 7.2; this needs OpenSSL/Sodium on upgrade.
//  - Blowfish in ECB mode does not use an IV, so the 'iv' parameter is effectively
//    ignored, and ECB gives no integrity: any ciphertext decrypts to *something*.
//  - The key is the hex MD5 of a fixed constant — one static key shared by every token.
//  - unserialize() on data whose integrity is not verified is a deserialization risk.
//    At minimum verify a MAC (hash_equals) before decrypting and call
//    unserialize($student, ['allowed_classes' => false]); better, carry the student
//    reference as a signed JSON token instead of a serialized PHP value.
$student = mcrypt_decrypt(MCRYPT_BLOWFISH, hash('md5', HASH_GENERATION_RANDOM_STRING), base64_decode($_GET['key']), MCRYPT_MODE_ECB, base64_decode($_GET['iv']));
$student = unserialize($student);

$log_in = $model->validateUserForReadOnlySession($student);
if (!$log_in) {
    //No student found...we have a problem
    // NOTE: if unserialize() failed, $student is false and the index below yields null
    // (a notice/warning on newer PHP); the audit line then records no student number.
    $loggers['audit']->warning("Attempted access to student read-only session for invalid student {$student['student_num']}.");
    header('location: https://' . URL_PHP . '/error-external.php?eid=R9002');
    // … this block continues beyond the visible span of the file