projects / platal.git / blob
? search:


be22b6fd5f6659325cc3df35574a0c9e65669d12
[platal.git] / classes / platal.php
1 <?php
2 /***************************************************************************
3 * Copyright (C) 2003-2010 Polytechnique.org *
4 * http://opensource.polytechnique.org/ *
5 * *
6 * This program is free software; you can redistribute it and/or modify *
7 * it under the terms of the GNU General Public License as published by *
8 * the Free Software Foundation; either version 2 of the License, or *
9 * (at your option) any later version. *
10 * *
11 * This program is distributed in the hope that it will be useful, *
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of *
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the *
14 * GNU General Public License for more details. *
15 * *
16 * You should have received a copy of the GNU General Public License *
17 * along with this program; if not, write to the Free Software *
18 * Foundation, Inc., *
19 * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA *
20 ***************************************************************************/
21
22 // Return values for handlers and hooks. This defines the behavior of both the
23 // plat/al engine, and the invidivual hooks.
24 define('PL_DO_AUTH', 300); // User should be redirected to the login page.
25 define('PL_BAD_REQUEST', 400); // Request is not valid, and could not be interpreted.
26 define('PL_FORBIDDEN', 403); // User is not allowed to view page (auth or permission error).
27 define('PL_NOT_FOUND', 404); // Page doesn't not exist. Engine will try to offer suggestions.
28 define('PL_WIKI', 500); // Page is a wiki page, plat/al engine should yield to the wiki engine.
29 define('PL_JSON', 501); // Page is valid, but result should be JSON-encoded, not HTML-encoded.
30
31 abstract class PlHook
32 {
33 protected $auth;
34 protected $perms;
35 protected $type;
36
37 protected function __construct($auth = AUTH_PUBLIC, $perms = 'user', $type = DO_AUTH)
38 {
39 $this->auth = $auth;
40 $this->perms = $perms;
41 $this->type = $type;
42 }
43
44 public function checkPerms()
45 {
46 // Don't check permissions if there are no permission requirement
47 // (either no requested group membership, or public auth is allowed).
48 return !$this->perms || $this->auth == AUTH_PUBLIC ||
49 Platal::session()->checkPerms($this->perms);
50 }
51
52 public function hasType($type)
53 {
54 return ($this->type & $type) == $type;
55 }
56
57 abstract protected function run(PlPage &$page, array $args);
58
59 public function call(PlPage &$page, array $args)
60 {
61 global $globals, $session, $platal;
62 if (!$session->checkAuth($this->auth)) {
63 if ($this->hasType(DO_AUTH)) {
64 if (!$session->start($this->auth)) {
65 $platal->force_login($page);
66 return PL_FORBIDDEN;
67 }
68 } else {
69 return PL_FORBIDDEN;
70 }
71 }
72 if (!$this->checkPerms()) {
73 if (Platal::notAllowed()) {
74 return PL_FORBIDDEN;
75 }
76 }
77 return $this->run($page, $args);
78 }
79 }
80
81 /** The standard plat/al hook, for interactive requests.
82 * It optionally does active authentication (DO_AUTH). The handler is invoked
83 * with the PlPage object, and with each of the remaining path components.
84 */
85 class PlStdHook extends PlHook
86 {
87 private $callback;
88
89 public function __construct($callback, $auth = AUTH_PUBLIC, $perms = 'user', $type = DO_AUTH)
90 {
91 parent::__construct($auth, $perms, $type);
92 $this->callback = $callback;
93 }
94
95 protected function run(PlPage &$page, array $args)
96 {
97 global $session, $platal;
98
99 $args[0] = $page;
100 $val = call_user_func_array($this->callback, $args);
101 if ($val == PL_DO_AUTH) {
102 if (!$session->start($session->loggedLevel())) {
103 $platal->force_login($page);
104 }
105 $val = call_user_func_array($this->callback, $args);
106 }
107 return $val;
108 }
109 }
110
111 /** A specialized hook for API requests.
112 * It is intended to be used for passive API requests, authenticated either by
113 * an existing session (with a valid XSRF token), or by an alternative single
114 * request auth mechanism implemented by PlSession::apiAuth.
115 *
116 * This hook is suitable for read-write requests against the website, provided
117 * $auth is set appropriately. Note that the auth level is only checked for
118 * session-authenticated users, as "apiAuth" users are assumed to always have
119 * the requested level (use another hook otherwise).
120 *
121 * The callback will be passed as arguments the PlPage, the authenticated
122 * PlUser, the JSON decoded payload, and the remaining path components, as with
123 * any other hook.
124 *
125 * If the callback intends to JSON-encode its returned value, it is advised to
126 * use PlPage::jsonAssign, and return PL_JSON to enable automatic encoding.
127 */
128 class PlApiHook extends PlHook
129 {
130 private $actualAuth;
131 private $callback;
132
133 public function __construct($callback, $auth = AUTH_PUBLIC, $perms = 'user', $type = NO_AUTH)
134 {
135 // As mentioned above, $auth is only applied for session-based auth
136 // (as opposed to token-based). PlHook is initialized to AUTH_PUBLIC to
137 // avoid it refusing to approve requests; this is important as the user
138 // is not yet authenticated at that point (see below for the actual
139 // permissions check).
140 parent::__construct(AUTH_PUBLIC, $perms, $type);
141 $this->actualAuth = $auth;
142 $this->callback = $callback;
143 }
144
145 private function getEncodedPayload($method)
146 {
147 return $method == "GET" ? "" : file_get_contents("php://input");
148 }
149
150 private function decodePayload($encodedPayload)
151 {
152 return empty($encodedPayload) ? array() : json_decode($encodedPayload, true);
153 }
154
155 protected function run(PlPage &$page, array $args)
156 {
157 $method = $_SERVER['REQUEST_METHOD'];
158 $encodedPayload = $this->getEncodedPayload($method);
159 $jsonPayload = $this->decodePayload($encodedPayload);
160 $resource = '/' . implode('/', $args);
161
162 // If the payload wasn't a valid JSON encoded object, bail out early.
163 if (is_null($jsonPayload)) {
164 $page->trigError("Could not decode the JSON-encoded payload sent with the request.");
165 return PL_BAD_REQUEST;
166 }
167
168 // Authenticate the request. Try first with the existing session (which
169 // is less expensive to check), by veryfing that the XSRF token is
170 // valid; otherwise fallbacks to API-type authentication from PlSession.
171 if (S::logged() && S::has_xsrf_token() && Platal::session()->checkAuth($this->actualAuth)) {
172 $user = S::user();
173 } else {
174 $user = Platal::session()->apiAuth($method, $resource, $encodedPayload);
175 }
176
177 // Check the permissions, unless the handler is fully public.
178 if ($this->actualAuth > AUTH_PUBLIC) {
179 if (is_null($user) || !$user->checkPerms($this->perms)) {
180 return PL_FORBIDDEN;
181 }
182 }
183
184 // Invoke the callback, whose signature is (PlPage, PlUser, jsonPayload).
185 array_shift($args);
186 array_unshift($args, $page, $user, $jsonPayload);
187 return call_user_func_array($this->callback, $args);
188 }
189 }
190
191 /** A specialized hook for token-based requests.
192 * It is intended for purely passive requests (typically for serving CSV or RSS
193 * content outside the browser), and can fallback to regular session-based
194 * authentication when the token is not valid/available.
195 *
196 * Note that $auth is only applied for session-backed authentication; it is
197 * assumed that token-based auth is always enough for the hook (otherwise, just
198 * use PlStdHook above).
199 *
200 * Also, this hook requires that the first two unmatched path components are the
201 * user and token (for instance /<matched path>/<user>/<token>/....). They will
202 * be popped before being passed to the handler, and replaced by the request's
203 * PlUser object.
204 */
205 class PlTokenHook extends PlHook
206 {
207 private $actualAuth;
208 private $callback;
209
210 public function __construct($callback, $auth = AUTH_PUBLIC, $perms = 'user', $type = NO_AUTH)
211 {
212 // See PlApiHook::__construct.
213 parent::__construct(AUTH_PUBLIC, $perms, $type);
214 $this->actualAuth = $auth;
215 $this->callback = $callback;
216 }
217
218 protected function run(PlPage &$page, array $args)
219 {
220 // Retrieve the user, either from the session (less expensive, as it is
221 // already there), or from the in-path (user, token) pair.
222 if (S::logged() && Platal::session()->checkAuth($this->actualAuth)) {
223 $user = S::user();
224 } else {
225 $user = Platal::session()->tokenAuth(@$args[1], @$args[2]);
226 }
227
228 // Check the permissions, unless the handler is fully public.
229 if ($this->actualAuth > AUTH_PUBLIC) {
230 if (is_null($user) || !$user->checkPerms($this->perms)) {
231 return PL_FORBIDDEN;
232 }
233 }
234
235 // Replace the first three remaining elements of the path with the
236 // PlPage and PlUser objects.
237 array_shift($args);
238 $args[0] = $page;
239 $args[1] = $user;
240 return call_user_func_array($this->callback, $args);
241 }
242 }
243
244 /** A specialized plat/al hook for serving wiki pages.
245 */
246 class PlWikiHook extends PlHook
247 {
248 public function __construct($auth = AUTH_PUBLIC, $perms = 'user', $type = DO_AUTH)
249 {
250 parent::__construct($auth, $perms, $type);
251 }
252
253 protected function run(PlPage &$page, array $args)
254 {
255 return PL_WIKI;
256 }
257 }
258
259 class PlHookTree
260 {
261 public $hook = null;
262 public $aliased = null;
263 public $children = array();
264
265 public function addChild(array $path, PlHook $hook)
266 {
267 global $platal;
268 $next = array_shift($path);
269 $alias = null;
270 if ($next && $next{0} == '%') {
271 $alias = $next;
272 $next = $platal->hook_map(substr($next, 1));
273 }
274 if (!$next) {
275 return;
276 }
277 @$child =& $this->children[$next];
278 if (!$child) {
279 $child = new PlHookTree();
280 $this->children[$next] =& $child;
281 $child->aliased = $alias;
282 }
283 if (empty($path)) {
284 $child->hook = $hook;
285 } else {
286 $child->addChild($path, $hook);
287 }
288 }
289
290 private function findChildAux(array $remain, array $matched, array $aliased)
291 {
292 $next = @$remain[0];
293 if ($this->aliased) {
294 $aliased = $matched;
295 }
296 if (!empty($next)) {
297 $child = @$this->children[$next];
298 if ($child) {
299 array_shift($remain);
300 $matched[] = $next;
301 return $child->findChildAux($remain, $matched, $aliased);
302 }
303 }
304 return array($this->hook, $matched, $remain, $aliased);
305 }
306
307 public function findChild(array $path)
308 {
309 return $this->findChildAux($path, array(), array());
310 }
311
312 private function findNearestChildAux(array $remain, array $matched, array $aliased)
313 {
314 $next = @$remain[0];
315 if ($this->aliased) {
316 $aliased = $matched;
317 }
318 if (!empty($next)) {
319 $child = @$this->children[$next];
320 if (!$child) {
321 $nearest_lev = 50;
322 $nearest_sdx = 50;
323 $match = null;
324 foreach ($this->children as $path=>$hook) {
325 $lev = levenshtein($next, $path);
326 if ($lev <= $nearest_lev
327 && ($lev < strlen($next) / 2 || strpos($next, $path) !== false
328 || strpos($path, $next) !== false)) {
329 $sdx = levenshtein(soundex($next), soundex($path));
330 if ($lev == $nearest_lev || $sdx < $nearest_sdx) {
331 $child = $hook;
332 $nearest_lev = $lev;
333 $nearest_sdx = $sdx;
334 $match = $path;
335 }
336 }
337 }
338 $next = $match;
339 }
340 if ($child) {
341 array_shift($remain);
342 $matched[] = $next;
343 return $child->findNearestChildAux($remain, $matched, $aliased);
344 }
345 if (($pos = strpos($next, '.php')) !== false) {
346 $remain[0] = substr($next, 0, $pos);
347 return $this->findNearestChildAux($remain, $matched, $aliased);
348 }
349 }
350 return array($this->hook, $matched, $remain, $aliased);
351 }
352
353 public function findNearestChild(array $path)
354 {
355 return $this->findNearestChildAux($path, array(), array());
356 }
357 }
358
359 abstract class Platal
360 {
361 private $mods;
362 private $hooks;
363
364 protected $https;
365
366 public $ns;
367 public $path;
368 public $argv = array();
369
370 static private $_page = null;
371
372 public function __construct()
373 {
374 global $platal, $session, $globals;
375 $platal = $this;
376
377 /* Assign globals first, then call init: init must be used for operations
378 * that requires access to the content of $globals (e.g. XDB requires
379 * $globals to be assigned.
380 */
381 $globals = $this->buildGlobals();
382 $globals->init();
383
384 /* Get the current session: assign first, then activate the session.
385 */
386 $session = $this->buildSession();
387 if (!$session->startAvailableAuth()) {
388 Platal::page()->trigError("Données d'authentification invalides.");
389 }
390
391 $modules = func_get_args();
392 if (isset($modules[0]) && is_array($modules[0])) {
393 $modules = $modules[0];
394 }
395 $this->path = trim(Get::_get('n', null), '/');
396
397 $this->mods = array();
398 $this->hooks = new PlHookTree();
399
400 array_unshift($modules, 'core');
401 foreach ($modules as $module) {
402 $module = strtolower($module);
403 $this->mods[$module] = $m = PLModule::factory($module);
404 $hooks = $m->handlers();
405 foreach ($hooks as $path=>$hook) {
406 $this->hooks->addChild(explode('/', $path), $hook);
407 }
408 }
409
410 if ($globals->mode == '') {
411 pl_redirect('index.html');
412 }
413 }
414
415 public function pl_self($n = null)
416 {
417 if (is_null($n))
418 return $this->path;
419
420 if ($n >= 0)
421 return join('/', array_slice($this->argv, 0, $n + 1));
422
423 if ($n <= -count($this->argv))
424 return $this->argv[0];
425
426 return join('/', array_slice($this->argv, 0, $n));
427 }
428
429 public static function wiki_hook($auth = AUTH_PUBLIC, $perms = 'user', $type = DO_AUTH)
430 {
431 return new PlWikiHook($auth, $perms, $type);
432 }
433
434 public function hook_map($name)
435 {
436 return null;
437 }
438
439 protected function find_hook()
440 {
441 $p = explode('/', $this->path);
442 list($hook, $matched, $remain, $aliased) = $this->hooks->findChild($p);
443 if (empty($hook)) {
444 return null;
445 }
446 $this->argv = $remain;
447 array_unshift($this->argv, implode('/', $matched));
448 if (!empty($aliased)) {
449 $this->ns = implode('/', $aliased) . '/';
450 }
451 $this->https = !$hook->hasType(NO_HTTPS);
452 return $hook;
453 }
454
455 public function near_hook()
456 {
457 $p = explode('/', $this->path);
458 list($hook, $matched, $remain, $aliased) = $this->hooks->findNearestChild($p);
459 if (empty($hook)) {
460 return null;
461 }
462 $url = implode('/', $matched);
463 if (!empty($remain)) {
464 $url .= '/' . implode('/', $remain);
465 }
466 if ($url == $this->path || levenshtein($url, $this->path) > strlen($url) / 3
467 || !$hook->checkPerms()) {
468 return null;
469 }
470 return $url;
471 }
472
473 private function call_hook(PlPage &$page)
474 {
475 $hook = $this->find_hook();
476 if (empty($hook)) {
477 return PL_NOT_FOUND;
478 }
479 global $globals, $session;
480 if ($this->https && !@$_SERVER['HTTPS'] && $globals->core->secure_domain) {
481 http_redirect('https://' . $globals->core->secure_domain . $_SERVER['REQUEST_URI']);
482 }
483
484 return $hook->call($page, $this->argv);
485 }
486
487 /** Show the authentication form.
488 */
489 abstract public function force_login(PlPage& $page);
490
491 public function run()
492 {
493 $page =& self::page();
494
495 if (empty($this->path)) {
496 $this->path = 'index';
497 }
498
499 try {
500 $page->assign('platal', $this);
501 $res = $this->call_hook($page);
502 switch ($res) {
503 case PL_BAD_REQUEST:
504 $this->mods['core']->handler_400($page);
505 break;
506
507 case PL_FORBIDDEN:
508 $this->mods['core']->handler_403($page);
509 break;
510
511 case PL_NOT_FOUND:
512 $this->mods['core']->handler_404($page);
513 break;
514
515 case PL_WIKI:
516 return PL_WIKI;
517 }
518 } catch (Exception $e) {
519 header($_SERVER['SERVER_PROTOCOL'] . ' 500 Internal Server Error');
520 PlErrorReport::report($e);
521 if (self::globals()->debug) {
522 $page->kill(pl_entities($e->getMessage())
523 . '<pre>' . pl_entities("" . $e) . '</pre>');
524 } else {
525 $page->kill(pl_entities($e->getMessage()));
526 }
527 }
528
529 $page->assign('platal', $this);
530 if ($res == PL_JSON) {
531 $page->runJSon();
532 } else {
533 $page->run();
534 }
535 }
536
537 public function error403()
538 {
539 $page =& self::page();
540
541 $this->mods['core']->handler_403($page);
542 $page->assign('platal', $this);
543 $page->run();
544 }
545
546 public function error404()
547 {
548 $page =& self::page();
549
550 $this->mods['core']->handler_404($page);
551 $page->assign('platal', $this);
552 $page->run();
553 }
554
555 public static function notAllowed()
556 {
557 if (S::admin()) {
558 self::page()->trigWarning('Tu accèdes à cette page car tu es administrateur du site.');
559 return false;
560 } else {
561 return true;
562 }
563 }
564
565 public static function load($modname, $include = null)
566 {
567 global $platal;
568 $modname = strtolower($modname);
569 if (isset($platal->mods[$modname])) {
570 if (is_null($include)) {
571 return;
572 }
573 $platal->mods[$modname]->load($include);
574 } else {
575 if (is_null($include)) {
576 require_once PLModule::path($modname) . '.php';
577 } else {
578 require_once PLModule::path($modname) . '/' . $include;
579 }
580 }
581 }
582
583 public static function assert($cond, $error, $userfriendly = null)
584 {
585 if ($cond === false) {
586 if ($userfriendly == null) {
587 $userfriendly = "Une erreur interne s'est produite.
588 Merci de réessayer la manipulation qui a déclenché l'erreur ;
589 si cela ne fonctionne toujours pas, merci de nous signaler le problème rencontré.";
590 }
591 throw new PlException($userfriendly, $error);
592 }
593 }
594
595 public function &buildLogger($uid, $suid = 0)
596 {
597 if (defined('PL_LOGGER_CLASS')) {
598 $class = PL_LOGGER_CLASS;
599 $logger = new $class($uid, $suid);
600 return $logger;
601 } else {
602 return PlLogger::dummy($uid, $suid);
603 }
604 }
605
606 protected function &buildPage()
607 {
608 $pageclass = PL_PAGE_CLASS;
609 $page = new $pageclass();
610 return $page;
611 }
612
613 static public function &page()
614 {
615 if (is_null(self::$_page)) {
616 global $platal;
617 self::$_page = $platal->buildPage();
618 }
619 return self::$_page;
620 }
621
622 protected function &buildSession()
623 {
624 $sessionclass = PL_SESSION_CLASS;
625 $session = new $sessionclass();
626 return $session;
627 }
628
629 static public function &session()
630 {
631 global $session;
632 return $session;
633 }
634
635 protected function &buildGlobals()
636 {
637 $globalclass = PL_GLOBALS_CLASS;
638 $globals = new $globalclass();
639 return $globals;
640 }
641
642 static public function &globals()
643 {
644 global $globals;
645 return $globals;
646 }
647 }
648
649 // vim:set et sw=4 sts=4 sws=4 foldmethod=marker enc=utf-8:
650 ?>
plat/al