[platal.git] / classes / platal.php

<?php
/***************************************************************************
 *  Copyright (C) 2003-2011 Polytechnique.org                              *
 *  http://opensource.polytechnique.org/                                   *
 *                                                                         *
 *  This program is free software; you can redistribute it and/or modify   *
 *  it under the terms of the GNU General Public License as published by   *
 *  the Free Software Foundation; either version 2 of the License, or      *
 *  (at your option) any later version.                                    *
 *                                                                         *
 *  This program is distributed in the hope that it will be useful,        *
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of         *
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the          *
 *  GNU General Public License for more details.                           *
 *                                                                         *
 *  You should have received a copy of the GNU General Public License      *
 *  along with this program; if not, write to the Free Software            *
 *  Foundation, Inc.,                                                      *
 *  59 Temple Place, Suite 330, Boston, MA  02111-1307  USA                *
 ***************************************************************************/

// Return values for handlers and hooks. This defines the behavior of both the
// plat/al engine, and the invidivual hooks.
define('PL_DO_AUTH',     300);  // User should be redirected to the login page.
define('PL_BAD_REQUEST', 400);  // Request is not valid, and could not be interpreted.
define('PL_FORBIDDEN',   403);  // User is not allowed to view page (auth or permission error).
define('PL_NOT_FOUND',   404);  // Page doesn't not exist. Engine will try to offer suggestions.
define('PL_WIKI',        500);  // Page is a wiki page, plat/al engine should yield to the wiki engine.
define('PL_JSON',        501);  // Page is valid, but result should be JSON-encoded, not HTML-encoded.

abstract class PlHook
{
    protected $auth;
    protected $perms;
    protected $type;

    protected function __construct($auth = AUTH_PUBLIC, $perms = 'user', $type = DO_AUTH)
    {
        $this->auth  = $auth;
        $this->perms = $perms;
        $this->type  = $type;
    }

    public function checkPerms()
    {
        // Don't check permissions if there are no permission requirement
        // (either no requested group membership, or public auth is allowed).
        return !$this->perms || $this->auth == AUTH_PUBLIC ||
            Platal::session()->checkPerms($this->perms);
    }

    public function hasType($type)
    {
        return ($this->type & $type) == $type;
    }

    abstract protected function run(PlPage &$page, array $args);

    public function call(PlPage &$page, array $args)
    {
        global $globals, $session, $platal;
        if (!$session->checkAuth($this->auth)) {
            if ($this->hasType(DO_AUTH)) {
                if (!$session->start($this->auth)) {
                    $platal->force_login($page);
                    return PL_FORBIDDEN;
                }
            } else {
                return PL_FORBIDDEN;
            }
        }
        if (!$this->checkPerms()) {
            if (Platal::notAllowed()) {
                return PL_FORBIDDEN;
            }
        }
        return $this->run($page, $args);
    }
}

/** The standard plat/al hook, for interactive requests.
 * It optionally does active authentication (DO_AUTH). The handler is invoked
 * with the PlPage object, and with each of the remaining path components.
 */
class PlStdHook extends PlHook
{
    private $callback;

    public function __construct($callback, $auth = AUTH_PUBLIC, $perms = 'user', $type = DO_AUTH)
    {
        parent::__construct($auth, $perms, $type);
        $this->callback = $callback;
    }

    protected function run(PlPage &$page, array $args)
    {
        global $session, $platal;

        $args[0] = $page;
        $val = call_user_func_array($this->callback, $args);
        if ($val == PL_DO_AUTH) {
            if (!$session->start($session->loggedLevel())) {
                $platal->force_login($page);
            }
            $val = call_user_func_array($this->callback, $args);
        }
        return $val;
    }
}

/** A specialized hook for API requests.
 * It is intended to be used for passive API requests, authenticated either by
 * an existing session (with a valid XSRF token), or by an alternative single
 * request auth mechanism implemented by PlSession::apiAuth.
 *
 * This hook is suitable for read-write requests against the website, provided
 * $auth is set appropriately. Note that the auth level is only checked for
 * session-authenticated users, as "apiAuth" users are assumed to always have
 * the requested level (use another hook otherwise).
 *
 * The callback will be passed as arguments the PlPage, the authenticated
 * PlUser, the JSON decoded payload, and the remaining path components, as with
 * any other hook.
 *
 * If the callback intends to JSON-encode its returned value, it is advised to
 * use PlPage::jsonAssign, and return PL_JSON to enable automatic encoding.
 */
class PlApiHook extends PlHook
{
    private $actualAuth;
    private $callback;

    public function __construct($callback, $auth = AUTH_PUBLIC, $perms = 'user', $type = NO_AUTH)
    {
        // As mentioned above, $auth is only applied for session-based auth
        // (as opposed to token-based). PlHook is initialized to AUTH_PUBLIC to
        // avoid it refusing to approve requests; this is important as the user
        // is not yet authenticated at that point (see below for the actual
        // permissions check).
        parent::__construct(AUTH_PUBLIC, $perms, $type);
        $this->actualAuth = $auth;
        $this->callback = $callback;
    }

    private function getEncodedPayload($method)
    {
        return $method == "GET" ? "" : file_get_contents("php://input");
    }

    private function decodePayload($encodedPayload)
    {
        return empty($encodedPayload) ? array() : json_decode($encodedPayload, true);
    }

    protected function run(PlPage &$page, array $args)
    {
        $method = $_SERVER['REQUEST_METHOD'];
        $encodedPayload = $this->getEncodedPayload($method);
        $jsonPayload = $this->decodePayload($encodedPayload);
        $resource = '/' . implode('/', $args);

        // If the payload wasn't a valid JSON encoded object, bail out early.
        if (is_null($jsonPayload)) {
            $page->trigError("Could not decode the JSON-encoded payload sent with the request.");
            return PL_BAD_REQUEST;
        }

        // Authenticate the request. Try first with the existing session (which
        // is less expensive to check), by veryfing that the XSRF token is
        // valid; otherwise fallbacks to API-type authentication from PlSession.
        if (S::logged() && S::has_xsrf_token() && Platal::session()->checkAuth($this->actualAuth)) {
            $user = S::user();
        } else {
            $user = Platal::session()->apiAuth($method, $resource, $encodedPayload);
        }

        // Check the permissions, unless the handler is fully public.
        if ($this->actualAuth > AUTH_PUBLIC) {
            if (is_null($user) || !$user->checkPerms($this->perms)) {
                return PL_FORBIDDEN;
            }
        }

        // Invoke the callback, whose signature is (PlPage, PlUser, jsonPayload).
        array_shift($args);
        array_unshift($args, $page, $user, $jsonPayload);
        return call_user_func_array($this->callback, $args);
    }
}

/** A specialized hook for token-based requests.
 * It is intended for purely passive requests (typically for serving CSV or RSS
 * content outside the browser), and can fallback to regular session-based
 * authentication when the token is not valid/available.
 *
 * Note that $auth is only applied for session-backed authentication; it is
 * assumed that token-based auth is always enough for the hook (otherwise, just
 * use PlStdHook above).
 *
 * Also, this hook requires that the first two unmatched path components are the
 * user and token (for instance /<matched path>/<user>/<token>/....). They will
 * be popped before being passed to the handler, and replaced by the request's
 * PlUser object.
 */
class PlTokenHook extends PlHook
{
    private $actualAuth;
    private $callback;

    public function __construct($callback, $auth = AUTH_PUBLIC, $perms = 'user', $type = NO_AUTH)
    {
        // See PlApiHook::__construct.
        parent::__construct(AUTH_PUBLIC, $perms, $type);
        $this->actualAuth = $auth;
        $this->callback = $callback;
    }

    protected function run(PlPage &$page, array $args)
    {
        // Retrieve the user, either from the session (less expensive, as it is
        // already there), or from the in-path (user, token) pair.
        if (S::logged() && Platal::session()->checkAuth($this->actualAuth)) {
            $user = S::user();
        } else {
            $user = Platal::session()->tokenAuth(@$args[1], @$args[2]);
        }

        // Check the permissions, unless the handler is fully public.
        if ($this->actualAuth > AUTH_PUBLIC) {
            if (is_null($user) || !$user->checkPerms($this->perms)) {
                return PL_FORBIDDEN;
            }
        }

        // Replace the first three remaining elements of the path with the
        // PlPage and PlUser objects.
        array_shift($args);
        $args[0] = $page;
        $args[1] = $user;
        return call_user_func_array($this->callback, $args);
    }
}

/** A specialized plat/al hook for serving wiki pages.
 */
class PlWikiHook extends PlHook
{
    public function __construct($auth = AUTH_PUBLIC, $perms = 'user', $type = DO_AUTH)
    {
        parent::__construct($auth, $perms, $type);
    }

    protected function run(PlPage &$page, array $args)
    {
        return PL_WIKI;
    }
}

class PlHookTree
{
    public $hook = null;
    public $aliased  = null;
    public $children = array();

    public function addChildren(array $hooks)
    {
        global $platal;
        foreach ($hooks as $path=>$hook) {
            $path = explode('/', $path);
            $element  = $this;
            foreach ($path as $next) {
                $alias = null;
                if ($next{0} == '%') {
                    $alias = $next;
                    $next = $platal->hook_map(substr($next, 1));
                }
                if (!isset($element->children[$next])) {
                    $child = new PlHookTree();
                    $child->aliased = $alias;
                    $element->children[$next] = $child;
                } else {
                    $child = $element->children[$next];
                }
                $element = $child;
            }
            $element->hook = $hook;
        }
    }

    public function findChild(array $path)
    {
        $remain  = $path;
        $matched = array();
        $aliased = array();
        $element = $this;
        while (true)
        {
            $next = @$remain[0];
            if ($element->aliased) {
                $aliased = $matched;
            }
            if (empty($next) || !isset($element->children[$next])) {
                break;
            }
            $element = $element->children[$next];
            array_shift($remain);
            $matched[] = $next;
        }
        return array($element->hook, $matched, $remain, $aliased);
    }

    private function findNearestChildAux(array $remain, array $matched, array $aliased)
    {
        $next = @$remain[0];
        if ($this->aliased) {
            $aliased = $matched;
        }
        if (!empty($next)) {
            $child = @$this->children[$next];
            if (!$child) {
                $nearest_lev = 50;
                $nearest_sdx = 50;
                $match = null;
                foreach ($this->children as $path=>$hook) {
                    $lev = levenshtein($next, $path);
                    if ($lev <= $nearest_lev
                        && ($lev < strlen($next) / 2 || strpos($next, $path) !== false
                            || strpos($path, $next) !== false)) {
                        $sdx = levenshtein(soundex($next), soundex($path));
                        if ($lev == $nearest_lev || $sdx < $nearest_sdx) {
                            $child = $hook;
                            $nearest_lev = $lev;
                            $nearest_sdx = $sdx;
                            $match = $path;
                        }
                    }
                }
                $next = $match;
            }
            if ($child) {
                array_shift($remain);
                $matched[] = $next;
                return $child->findNearestChildAux($remain, $matched, $aliased);
            }
            if (($pos = strpos($next, '.php')) !== false) {
                $remain[0] = substr($next, 0, $pos);
                return $this->findNearestChildAux($remain, $matched, $aliased);
            }
        }
        return array($this->hook, $matched, $remain, $aliased);
    }

    public function findNearestChild(array $path)
    {
        return $this->findNearestChildAux($path, array(), array());
    }
}

abstract class Platal
{
    private $mods;
    private $hooks;

    protected $https;

    public $ns;
    public $path;
    public $argv = array();

    static private $_page = null;

    public function __construct()
    {
        global $platal, $session, $globals;
        $platal  = $this;

        /* Assign globals first, then call init: init must be used for operations
         * that requires access to the content of $globals (e.g. XDB requires
         * $globals to be assigned.
         */
        $globals = $this->buildGlobals();
        $globals->init();

        /* Get the current session: assign first, then activate the session.
         */
        $session = $this->buildSession();
        if (!$session->startAvailableAuth()) {
            Platal::page()->trigError("Données d'authentification invalides.");
        }

        $modules    = func_get_args();
        if (isset($modules[0]) && is_array($modules[0])) {
            $modules = $modules[0];
        }
        $this->path = trim(Get::_get('n', null), '/');

        $this->mods  = array();
        $this->hooks = new PlHookTree();

        array_unshift($modules, 'core');
        foreach ($modules as $module) {
            $module = strtolower($module);
            $this->mods[$module] = $m = PLModule::factory($module);
            $this->hooks->addChildren($m->handlers());
        }

        if ($globals->mode == '') {
            pl_redirect('index.html');
        }
    }

    public function pl_self($n = null)
    {
        if (is_null($n))
            return $this->path;

        if ($n >= 0)
            return join('/', array_slice($this->argv, 0, $n + 1));

        if ($n <= -count($this->argv))
            return $this->argv[0];

        return join('/', array_slice($this->argv, 0, $n));
    }

    public static function wiki_hook($auth = AUTH_PUBLIC, $perms = 'user', $type = DO_AUTH)
    {
        return new PlWikiHook($auth, $perms, $type);
    }

    public function hook_map($name)
    {
        return null;
    }

    protected function find_hook()
    {
        $p = explode('/', $this->path);
        list($hook, $matched, $remain, $aliased) = $this->hooks->findChild($p);
        if (empty($hook)) {
            return null;
        }
        $this->argv = $remain;
        array_unshift($this->argv, implode('/', $matched));
        if (!empty($aliased)) {
            $this->ns = implode('/', $aliased) . '/';
        }
        $this->https = !$hook->hasType(NO_HTTPS);
        return $hook;
    }

    public function near_hook()
    {
        $p = explode('/', $this->path);
        list($hook, $matched, $remain, $aliased) = $this->hooks->findNearestChild($p);
        if (empty($hook)) {
            return null;
        }
        $url = implode('/', $matched);
        if (!empty($remain)) {
            $url .= '/' . implode('/', $remain);
        }
        if ($url == $this->path || levenshtein($url, $this->path) > strlen($url) / 3
            || !$hook->checkPerms()) {
            return null;
        }
        return $url;
    }

    private function call_hook(PlPage &$page)
    {
        $hook = $this->find_hook();
        if (empty($hook)) {
            return PL_NOT_FOUND;
        }
        global $globals, $session;
        if ($this->https && !@$_SERVER['HTTPS'] && $globals->core->secure_domain) {
            http_redirect('https://' . $globals->core->secure_domain . $_SERVER['REQUEST_URI']);
        }

        return $hook->call($page, $this->argv);
    }

    /** Show the authentication form.
     */
    abstract public function force_login(PlPage& $page);

    public function run()
    {
        $page =& self::page();

        if (empty($this->path)) {
            $this->path = 'index';
        }

        try {
            $page->assign('platal', $this);
            $res = $this->call_hook($page);
            switch ($res) {
              case PL_BAD_REQUEST:
                $this->mods['core']->handler_400($page);
                break;

              case PL_FORBIDDEN:
                $this->mods['core']->handler_403($page);
                break;

              case PL_NOT_FOUND:
                $this->mods['core']->handler_404($page);
                break;

              case PL_WIKI:
                return PL_WIKI;
            }
        } catch (Exception $e) {
            header($_SERVER['SERVER_PROTOCOL'] . ' 500 Internal Server Error');
            PlErrorReport::report($e);
            if (self::globals()->debug) {
                $page->kill(pl_entities($e->getMessage())
                            . '<pre>' . pl_entities("" . $e) . '</pre>');
            } else {
                $page->kill(pl_entities($e->getMessage()));
            }
        }

        $page->assign('platal', $this);
        if ($res == PL_JSON) {
            $page->runJSon();
        } else {
            $page->run();
        }
    }

    public function error403()
    {
        $page =& self::page();

        $this->mods['core']->handler_403($page);
        $page->assign('platal', $this);
        $page->run();
    }

    public function error404()
    {
        $page =& self::page();

        $this->mods['core']->handler_404($page);
        $page->assign('platal', $this);
        $page->run();
    }

    public static function notAllowed()
    {
        if (S::admin()) {
            self::page()->trigWarning('Tu accèdes à cette page car tu es administrateur du site.');
            return false;
        } else {
            return true;
        }
    }

    public static function load($modname, $include = null)
    {
        global $platal;
        $modname = strtolower($modname);
        if (isset($platal->mods[$modname])) {
            if (is_null($include)) {
                return;
            }
            $platal->mods[$modname]->load($include);
        } else {
            if (is_null($include)) {
                require_once PLModule::path($modname) . '.php';
            } else {
                require_once PLModule::path($modname) . '/' . $include;
            }
        }
    }

    public static function assert($cond, $error, $userfriendly = null)
    {
        if ($cond === false) {
            if ($userfriendly == null) {
                $userfriendly = "Une erreur interne s'est produite.
                    Merci de réessayer la manipulation qui a déclenché l'erreur ;
                    si cela ne fonctionne toujours pas, merci de nous signaler le problème rencontré.";
            }
            throw new PlException($userfriendly, $error);
        }
    }

    public function &buildLogger($uid, $suid = 0)
    {
        if (defined('PL_LOGGER_CLASS')) {
            $class = PL_LOGGER_CLASS;
            $logger = new $class($uid, $suid);
            return $logger;
        } else {
            return PlLogger::dummy($uid, $suid);
        }
    }

    protected function &buildPage()
    {
        $pageclass = PL_PAGE_CLASS;
        $page = new $pageclass();
        return $page;
    }

    static public function &page()
    {
        if (is_null(self::$_page)) {
            global $platal;
            self::$_page = $platal->buildPage();
        }
        return self::$_page;
    }

    protected function &buildSession()
    {
        $sessionclass = PL_SESSION_CLASS;
        $session = new $sessionclass();
        return $session;
    }

    static public function &session()
    {
        global $session;
        return $session;
    }

    protected function &buildGlobals()
    {
        $globalclass = PL_GLOBALS_CLASS;
        $globals = new $globalclass();
        return $globals;
    }

    static public function &globals()
    {
        global $globals;
        return $globals;
    }
}

// vim:set et sw=4 sts=4 sws=4 foldmethod=marker enc=utf-8:
?>
Commit	Line	Data
b62f8858	1	<?php
b62f8858	2	/***************************************************************************
e92ecb8c	3	* Copyright (C) 2003-2011 Polytechnique.org *
b62f8858	4	* http://opensource.polytechnique.org/ *
	5	* *
	6	* This program is free software; you can redistribute it and/or modify *
	7	* it under the terms of the GNU General Public License as published by *
	8	* the Free Software Foundation; either version 2 of the License, or *
	9	* (at your option) any later version. *
	10	* *
	11	* This program is distributed in the hope that it will be useful, *
	12	* but WITHOUT ANY WARRANTY; without even the implied warranty of *
	13	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the *
	14	* GNU General Public License for more details. *
	15	* *
	16	* You should have received a copy of the GNU General Public License *
	17	* along with this program; if not, write to the Free Software *
	18	* Foundation, Inc., *
	19	* 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA *
	20	***************************************************************************/
	21
1547b0f6 VZ	22	// Return values for handlers and hooks. This defines the behavior of both the
	23	// plat/al engine, and the invidivual hooks.
	24	define('PL_DO_AUTH', 300); // User should be redirected to the login page.
	25	define('PL_BAD_REQUEST', 400); // Request is not valid, and could not be interpreted.
	26	define('PL_FORBIDDEN', 403); // User is not allowed to view page (auth or permission error).
	27	define('PL_NOT_FOUND', 404); // Page doesn't not exist. Engine will try to offer suggestions.
	28	define('PL_WIKI', 500); // Page is a wiki page, plat/al engine should yield to the wiki engine.
	29	define('PL_JSON', 501); // Page is valid, but result should be JSON-encoded, not HTML-encoded.
46ca2746 FB	30
	31	abstract class PlHook
	32	{
	33	protected $auth;
	34	protected $perms;
	35	protected $type;
	36
	37	protected function __construct($auth = AUTH_PUBLIC, $perms = 'user', $type = DO_AUTH)
	38	{
	39	$this->auth = $auth;
	40	$this->perms = $perms;
	41	$this->type = $type;
	42	}
	43
46ca2746 FB	44	public function checkPerms()
46ca2746 FB	45	{
a59a4446 VZ	46	// Don't check permissions if there are no permission requirement
	47	// (either no requested group membership, or public auth is allowed).
	48	return !$this->perms \|\| $this->auth == AUTH_PUBLIC \|\|
	49	Platal::session()->checkPerms($this->perms);
46ca2746 FB	50	}
	51
	52	public function hasType($type)
	53	{
	54	return ($this->type & $type) == $type;
	55	}
	56
	57	abstract protected function run(PlPage &$page, array $args);
	58
	59	public function call(PlPage &$page, array $args)
	60	{
	61	global $globals, $session, $platal;
a59a4446	62	if (!$session->checkAuth($this->auth)) {
46ca2746 FB	63	if ($this->hasType(DO_AUTH)) {
	64	if (!$session->start($this->auth)) {
	65	$platal->force_login($page);
bbeb39f7	66	return PL_FORBIDDEN;
46ca2746 FB	67	}
	68	} else {
	69	return PL_FORBIDDEN;
	70	}
	71	}
	72	if (!$this->checkPerms()) {
a86feb89	73	if (Platal::notAllowed()) {
46ca2746 FB	74	return PL_FORBIDDEN;
	75	}
	76	}
	77	return $this->run($page, $args);
	78	}
	79	}
	80
a59a4446 VZ	81	/** The standard plat/al hook, for interactive requests.
	82	* It optionally does active authentication (DO_AUTH). The handler is invoked
	83	* with the PlPage object, and with each of the remaining path components.
	84	*/
46ca2746 FB	85	class PlStdHook extends PlHook
46ca2746 FB	86	{
a59a4446	87	private $callback;
46ca2746 FB	88
	89	public function __construct($callback, $auth = AUTH_PUBLIC, $perms = 'user', $type = DO_AUTH)
	90	{
	91	parent::__construct($auth, $perms, $type);
a59a4446	92	$this->callback = $callback;
46ca2746 FB	93	}
	94
	95	protected function run(PlPage &$page, array $args)
	96	{
	97	global $session, $platal;
	98
	99	$args[0] = $page;
a59a4446	100	$val = call_user_func_array($this->callback, $args);
46ca2746 FB	101	if ($val == PL_DO_AUTH) {
	102	if (!$session->start($session->loggedLevel())) {
	103	$platal->force_login($page);
	104	}
a59a4446	105	$val = call_user_func_array($this->callback, $args);
46ca2746 FB	106	}
	107	return $val;
	108	}
	109	}
	110
504647c5 VZ	111	/** A specialized hook for API requests.
	112	* It is intended to be used for passive API requests, authenticated either by
	113	* an existing session (with a valid XSRF token), or by an alternative single
	114	* request auth mechanism implemented by PlSession::apiAuth.
	115	*
	116	* This hook is suitable for read-write requests against the website, provided
	117	* $auth is set appropriately. Note that the auth level is only checked for
	118	* session-authenticated users, as "apiAuth" users are assumed to always have
	119	* the requested level (use another hook otherwise).
	120	*
	121	* The callback will be passed as arguments the PlPage, the authenticated
	122	* PlUser, the JSON decoded payload, and the remaining path components, as with
	123	* any other hook.
	124	*
	125	* If the callback intends to JSON-encode its returned value, it is advised to
	126	* use PlPage::jsonAssign, and return PL_JSON to enable automatic encoding.
	127	*/
	128	class PlApiHook extends PlHook
	129	{
	130	private $actualAuth;
	131	private $callback;
	132
	133	public function __construct($callback, $auth = AUTH_PUBLIC, $perms = 'user', $type = NO_AUTH)
	134	{
	135	// As mentioned above, $auth is only applied for session-based auth
	136	// (as opposed to token-based). PlHook is initialized to AUTH_PUBLIC to
	137	// avoid it refusing to approve requests; this is important as the user
	138	// is not yet authenticated at that point (see below for the actual
	139	// permissions check).
	140	parent::__construct(AUTH_PUBLIC, $perms, $type);
	141	$this->actualAuth = $auth;
	142	$this->callback = $callback;
	143	}
	144
	145	private function getEncodedPayload($method)
	146	{
	147	return $method == "GET" ? "" : file_get_contents("php://input");
	148	}
	149
	150	private function decodePayload($encodedPayload)
	151	{
	152	return empty($encodedPayload) ? array() : json_decode($encodedPayload, true);
	153	}
	154
	155	protected function run(PlPage &$page, array $args)
	156	{
	157	$method = $_SERVER['REQUEST_METHOD'];
	158	$encodedPayload = $this->getEncodedPayload($method);
	159	$jsonPayload = $this->decodePayload($encodedPayload);
	160	$resource = '/' . implode('/', $args);
	161
	162	// If the payload wasn't a valid JSON encoded object, bail out early.
	163	if (is_null($jsonPayload)) {
	164	$page->trigError("Could not decode the JSON-encoded payload sent with the request.");
	165	return PL_BAD_REQUEST;
	166	}
	167
	168	// Authenticate the request. Try first with the existing session (which
	169	// is less expensive to check), by veryfing that the XSRF token is
	170	// valid; otherwise fallbacks to API-type authentication from PlSession.
	171	if (S::logged() && S::has_xsrf_token() && Platal::session()->checkAuth($this->actualAuth)) {
	172	$user = S::user();
	173	} else {
	174	$user = Platal::session()->apiAuth($method, $resource, $encodedPayload);
175	}
176
177	// Check the permissions, unless the handler is fully public.
178	if ($this->actualAuth > AUTH_PUBLIC) {
179	if (is_null($user) \|\| !$user->checkPerms($this->perms)) {
180	return PL_FORBIDDEN;
181	}
182	}
183
184	// Invoke the callback, whose signature is (PlPage, PlUser, jsonPayload).
185	array_shift($args);
186	array_unshift($args, $page, $user, $jsonPayload);
187	return call_user_func_array($this->callback, $args);
188	}
189	}
190
a59a4446 VZ	191	/** A specialized hook for token-based requests.
	192	* It is intended for purely passive requests (typically for serving CSV or RSS
	193	* content outside the browser), and can fallback to regular session-based
	194	* authentication when the token is not valid/available.
	195	*
	196	* Note that $auth is only applied for session-backed authentication; it is
	197	* assumed that token-based auth is always enough for the hook (otherwise, just
	198	* use PlStdHook above).
	199	*
	200	* Also, this hook requires that the first two unmatched path components are the
	201	* user and token (for instance /<matched path>/<user>/<token>/....). They will
	202	* be popped before being passed to the handler, and replaced by the request's
	203	* PlUser object.
	204	*/
	205	class PlTokenHook extends PlHook
	206	{
	207	private $actualAuth;
	208	private $callback;
	209
	210	public function __construct($callback, $auth = AUTH_PUBLIC, $perms = 'user', $type = NO_AUTH)
	211	{
504647c5	212	// See PlApiHook::__construct.
a59a4446 VZ	213	parent::__construct(AUTH_PUBLIC, $perms, $type);
	214	$this->actualAuth = $auth;
	215	$this->callback = $callback;
	216	}
	217
	218	protected function run(PlPage &$page, array $args)
	219	{
	220	// Retrieve the user, either from the session (less expensive, as it is
	221	// already there), or from the in-path (user, token) pair.
	222	if (S::logged() && Platal::session()->checkAuth($this->actualAuth)) {
	223	$user = S::user();
	224	} else {
	225	$user = Platal::session()->tokenAuth(@$args[1], @$args[2]);
	226	}
	227
	228	// Check the permissions, unless the handler is fully public.
	229	if ($this->actualAuth > AUTH_PUBLIC) {
	230	if (is_null($user) \|\| !$user->checkPerms($this->perms)) {
	231	return PL_FORBIDDEN;
	232	}
	233	}
	234
	235	// Replace the first three remaining elements of the path with the
	236	// PlPage and PlUser objects.
	237	array_shift($args);
	238	$args[0] = $page;
	239	$args[1] = $user;
	240	return call_user_func_array($this->callback, $args);
	241	}
	242	}
	243
	244	/** A specialized plat/al hook for serving wiki pages.
	245	*/
46ca2746 FB	246	class PlWikiHook extends PlHook
46ca2746 FB	247	{
41e571e3	248	public function __construct($auth = AUTH_PUBLIC, $perms = 'user', $type = DO_AUTH)
46ca2746 FB	249	{
	250	parent::__construct($auth, $perms, $type);
	251	}
	252
	253	protected function run(PlPage &$page, array $args)
	254	{
	255	return PL_WIKI;
	256	}
	257	}
	258
	259	class PlHookTree
	260	{
	261	public $hook = null;
	262	public $aliased = null;
	263	public $children = array();
	264
5f6b3a28	265	public function addChildren(array $hooks)
46ca2746 FB	266	{
46ca2746 FB	267	global $platal;
5f6b3a28 FB	268	foreach ($hooks as $path=>$hook) {
	269	$path = explode('/', $path);
	270	$element = $this;
	271	foreach ($path as $next) {
	272	$alias = null;
	273	if ($next{0} == '%') {
	274	$alias = $next;
	275	$next = $platal->hook_map(substr($next, 1));
	276	}
	277	if (!isset($element->children[$next])) {
	278	$child = new PlHookTree();
	279	$child->aliased = $alias;
	280	$element->children[$next] = $child;
	281	} else {
	282	$child = $element->children[$next];
	283	}
	284	$element = $child;
46ca2746	285	}
5f6b3a28	286	$element->hook = $hook;
46ca2746	287	}
46ca2746 FB	288	}
	289
	290	public function findChild(array $path)
	291	{
5f6b3a28 FB	292	$remain = $path;
	293	$matched = array();
	294	$aliased = array();
	295	$element = $this;
	296	while (true)
	297	{
	298	$next = @$remain[0];
	299	if ($element->aliased) {
	300	$aliased = $matched;
	301	}
	302	if (empty($next) \|\| !isset($element->children[$next])) {
	303	break;
	304	}
	305	$element = $element->children[$next];
	306	array_shift($remain);
	307	$matched[] = $next;
	308	}
	309	return array($element->hook, $matched, $remain, $aliased);
46ca2746 FB	310	}
	311
	312	private function findNearestChildAux(array $remain, array $matched, array $aliased)
	313	{
	314	$next = @$remain[0];
	315	if ($this->aliased) {
	316	$aliased = $matched;
	317	}
	318	if (!empty($next)) {
	319	$child = @$this->children[$next];
	320	if (!$child) {
	321	$nearest_lev = 50;
	322	$nearest_sdx = 50;
	323	$match = null;
	324	foreach ($this->children as $path=>$hook) {
	325	$lev = levenshtein($next, $path);
	326	if ($lev <= $nearest_lev
	327	&& ($lev < strlen($next) / 2 \|\| strpos($next, $path) !== false
	328	\|\| strpos($path, $next) !== false)) {
	329	$sdx = levenshtein(soundex($next), soundex($path));
	330	if ($lev == $nearest_lev \|\| $sdx < $nearest_sdx) {
	331	$child = $hook;
	332	$nearest_lev = $lev;
	333	$nearest_sdx = $sdx;
	334	$match = $path;
	335	}
	336	}
	337	}
	338	$next = $match;
	339	}
	340	if ($child) {
	341	array_shift($remain);
	342	$matched[] = $next;
	343	return $child->findNearestChildAux($remain, $matched, $aliased);
	344	}
	345	if (($pos = strpos($next, '.php')) !== false) {
	346	$remain[0] = substr($next, 0, $pos);
	347	return $this->findNearestChildAux($remain, $matched, $aliased);
	348	}
	349	}
	350	return array($this->hook, $matched, $remain, $aliased);
	351	}
	352
	353	public function findNearestChild(array $path)
	354	{
	355	return $this->findNearestChildAux($path, array(), array());
	356	}
	357	}
	358
c158b99a	359	abstract class Platal
b62f8858	360	{
46ca2746 FB	361	private $mods;
46ca2746 FB	362	private $hooks;
b62f8858	363
8fc4efa3	364	protected $https;
8fc4efa3	365
2b1ee50b	366	public $ns;
2b1ee50b	367	public $path;
786bffb5	368	public $argv = array();
b62f8858	369
abde67b1 FB	370	static private $_page = null;
abde67b1 FB	371
2b1ee50b	372	public function __construct()
b62f8858	373	{
c0799142	374	global $platal, $session, $globals;
faeb823b	375	$platal = $this;
ca6384fb FB	376
	377	/* Assign globals first, then call init: init must be used for operations
	378	* that requires access to the content of $globals (e.g. XDB requires
	379	* $globals to be assigned.
	380	*/
	381	$globals = $this->buildGlobals();
d95d46a7	382	$globals->init();
ca6384fb FB	383
	384	/* Get the current session: assign first, then activate the session.
	385	*/
	386	$session = $this->buildSession();
c0799142	387	if (!$session->startAvailableAuth()) {
2d08839a	388	Platal::page()->trigError("Données d'authentification invalides.");
c0799142	389	}
abde67b1	390
e77c7ea2	391	$modules = func_get_args();
5640f093	392	if (isset($modules[0]) && is_array($modules[0])) {
2b1ee50b	393	$modules = $modules[0];
2b1ee50b	394	}
27472b85	395	$this->path = trim(Get::_get('n', null), '/');
b62f8858	396
46ca2746 FB	397	$this->mods = array();
46ca2746 FB	398	$this->hooks = new PlHookTree();
b62f8858	399
5de0b7e1	400	array_unshift($modules, 'core');
e77c7ea2	401	foreach ($modules as $module) {
a18afbdc	402	$module = strtolower($module);
46ca2746	403	$this->mods[$module] = $m = PLModule::factory($module);
5f6b3a28	404	$this->hooks->addChildren($m->handlers());
b62f8858	405	}
fe556813	406
fe556813 FB	407	if ($globals->mode == '') {
	408	pl_redirect('index.html');
	409	}
b62f8858	410	}
b62f8858	411
2b1ee50b	412	public function pl_self($n = null)
d1ebc57a	413	{
	414	if (is_null($n))
	415	return $this->path;
	416
	417	if ($n >= 0)
	418	return join('/', array_slice($this->argv, 0, $n + 1));
	419
	420	if ($n <= -count($this->argv))
	421	return $this->argv[0];
	422
	423	return join('/', array_slice($this->argv, 0, $n));
	424	}
	425
bfb9093b FB	426	public static function wiki_hook($auth = AUTH_PUBLIC, $perms = 'user', $type = DO_AUTH)
bfb9093b FB	427	{
46ca2746	428	return new PlWikiHook($auth, $perms, $type);
bfb9093b FB	429	}
bfb9093b FB	430
46ca2746	431	public function hook_map($name)
b62f8858	432	{
46ca2746	433	return null;
7c6e0aff	434	}
7c6e0aff	435
46ca2746	436	protected function find_hook()
409de7a7	437	{
9e394323	438	$p = explode('/', $this->path);
46ca2746 FB	439	list($hook, $matched, $remain, $aliased) = $this->hooks->findChild($p);
	440	if (empty($hook)) {
	441	return null;
409de7a7	442	}
46ca2746 FB	443	$this->argv = $remain;
	444	array_unshift($this->argv, implode('/', $matched));
	445	if (!empty($aliased)) {
	446	$this->ns = implode('/', $aliased) . '/';
409de7a7	447	}
46ca2746 FB	448	$this->https = !$hook->hasType(NO_HTTPS);
46ca2746 FB	449	return $hook;
409de7a7	450	}
409de7a7	451
02838718	452	public function near_hook()
409de7a7	453	{
9e394323	454	$p = explode('/', $this->path);
46ca2746 FB	455	list($hook, $matched, $remain, $aliased) = $this->hooks->findNearestChild($p);
	456	if (empty($hook)) {
	457	return null;
6d407683	458	}
46ca2746 FB	459	$url = implode('/', $matched);
	460	if (!empty($remain)) {
	461	$url .= '/' . implode('/', $remain);
6d407683	462	}
46ca2746 FB	463	if ($url == $this->path \|\| levenshtein($url, $this->path) > strlen($url) / 3
	464	\|\| !$hook->checkPerms()) {
	465	return null;
bf517daf	466	}
46ca2746	467	return $url;
bf517daf	468	}
bf517daf	469
04334c61	470	private function call_hook(PlPage &$page)
7c6e0aff	471	{
7c6e0aff	472	$hook = $this->find_hook();
409de7a7	473	if (empty($hook)) {
15a094c0	474	return PL_NOT_FOUND;
15a094c0	475	}
abde67b1	476	global $globals, $session;
748b27d2	477	if ($this->https && !@$_SERVER['HTTPS'] && $globals->core->secure_domain) {
8fc4efa3	478	http_redirect('https://' . $globals->core->secure_domain . $_SERVER['REQUEST_URI']);
8fc4efa3	479	}
15a094c0	480
46ca2746	481	return $hook->call($page, $this->argv);
b62f8858	482	}
b62f8858	483
c158b99a FB	484	/** Show the authentication form.
	485	*/
	486	abstract public function force_login(PlPage& $page);
63528107	487
2b1ee50b	488	public function run()
b62f8858	489	{
abde67b1	490	$page =& self::page();
b62f8858	491
b62f8858	492	if (empty($this->path)) {
c9178c75	493	$this->path = 'index';
	494	}
	495
7f6d1063 FB	496	try {
7f6d1063 FB	497	$page->assign('platal', $this);
c67e49ea FB	498	$res = $this->call_hook($page);
c67e49ea FB	499	switch ($res) {
1547b0f6 VZ	500	case PL_BAD_REQUEST:
	501	$this->mods['core']->handler_400($page);
	502	break;
	503
7f6d1063 FB	504	case PL_FORBIDDEN:
	505	$this->mods['core']->handler_403($page);
	506	break;
	507
	508	case PL_NOT_FOUND:
	509	$this->mods['core']->handler_404($page);
	510	break;
	511
	512	case PL_WIKI:
	513	return PL_WIKI;
	514	}
	515	} catch (Exception $e) {
	516	header($_SERVER['SERVER_PROTOCOL'] . ' 500 Internal Server Error');
40b79bfc	517	PlErrorReport::report($e);
7f6d1063 FB	518	if (self::globals()->debug) {
	519	$page->kill(pl_entities($e->getMessage())
	520	. '<pre>' . pl_entities("" . $e) . '</pre>');
	521	} else {
	522	$page->kill(pl_entities($e->getMessage()));
	523	}
b62f8858	524	}
e979cd2b	525
e979cd2b	526	$page->assign('platal', $this);
c67e49ea FB	527	if ($res == PL_JSON) {
	528	$page->runJSon();
	529	} else {
	530	$page->run();
	531	}
b62f8858	532	}
8d8f7607	533
b0a04fb2 FB	534	public function error403()
	535	{
	536	$page =& self::page();
	537
46ca2746	538	$this->mods['core']->handler_403($page);
b0a04fb2 FB	539	$page->assign('platal', $this);
	540	$page->run();
	541	}
	542
	543	public function error404()
	544	{
	545	$page =& self::page();
	546
46ca2746	547	$this->mods['core']->handler_404($page);
b0a04fb2 FB	548	$page->assign('platal', $this);
	549	$page->run();
	550	}
	551
179658ec FB	552	public static function notAllowed()
	553	{
	554	if (S::admin()) {
	555	self::page()->trigWarning('Tu accèdes à cette page car tu es administrateur du site.');
	556	return false;
	557	} else {
	558	return true;
	559	}
	560	}
	561
ac2f544d FB	562	public static function load($modname, $include = null)
	563	{
	564	global $platal;
	565	$modname = strtolower($modname);
46ca2746	566	if (isset($platal->mods[$modname])) {
ac2f544d FB	567	if (is_null($include)) {
	568	return;
	569	}
46ca2746	570	$platal->mods[$modname]->load($include);
ac2f544d FB	571	} else {
	572	if (is_null($include)) {
	573	require_once PLModule::path($modname) . '.php';
	574	} else {
	575	require_once PLModule::path($modname) . '/' . $include;
	576	}
	577	}
	578	}
	579
84f658d2	580	public static function assert($cond, $error, $userfriendly = null)
ca6384fb	581	{
ca6384fb	582	if ($cond === false) {
84f658d2 RB	583	if ($userfriendly == null) {
	584	$userfriendly = "Une erreur interne s'est produite.
	585	Merci de réessayer la manipulation qui a déclenché l'erreur ;
	586	si cela ne fonctionne toujours pas, merci de nous signaler le problème rencontré.";
	587	}
7f6d1063	588	throw new PlException($userfriendly, $error);
ca6384fb FB	589	}
	590	}
	591
faeb823b	592	public function &buildLogger($uid, $suid = 0)
ca6384fb	593	{
c7608455	594	if (defined('PL_LOGGER_CLASS')) {
ca6384fb	595	$class = PL_LOGGER_CLASS;
7f8e81bb PC	596	$logger = new $class($uid, $suid);
7f8e81bb PC	597	return $logger;
ca6384fb	598	} else {
faeb823b	599	return PlLogger::dummy($uid, $suid);
ca6384fb FB	600	}
ca6384fb FB	601	}
ec60dba7	602
ca6384fb FB	603	protected function &buildPage()
	604	{
	605	$pageclass = PL_PAGE_CLASS;
	606	$page = new $pageclass();
	607	return $page;
	608	}
ec60dba7	609
abde67b1 FB	610	static public function &page()
abde67b1 FB	611	{
abde67b1	612	if (is_null(self::$_page)) {
ca6384fb FB	613	global $platal;
ca6384fb FB	614	self::$_page = $platal->buildPage();
abde67b1 FB	615	}
	616	return self::$_page;
	617	}
47fa97fe	618
ca6384fb FB	619	protected function &buildSession()
	620	{
	621	$sessionclass = PL_SESSION_CLASS;
	622	$session = new $sessionclass();
	623	return $session;
	624	}
	625
47fa97fe FB	626	static public function &session()
	627	{
	628	global $session;
	629	return $session;
	630	}
	631
ca6384fb FB	632	protected function &buildGlobals()
	633	{
	634	$globalclass = PL_GLOBALS_CLASS;
	635	$globals = new $globalclass();
	636	return $globals;
	637	}
	638
47fa97fe FB	639	static public function &globals()
	640	{
	641	global $globals;
	642	return $globals;
	643	}
b62f8858	644	}
b62f8858	645
a7de4ef7	646	// vim:set et sw=4 sts=4 sws=4 foldmethod=marker enc=utf-8:
b62f8858	647	?>