projects / platal.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Release plat/al core v1.1.13
[platal.git] / classes / platal.php
1 <?php
2 /***************************************************************************
3 * Copyright (C) 2003-2011 Polytechnique.org *
4 * http://opensource.polytechnique.org/ *
5 * *
6 * This program is free software; you can redistribute it and/or modify *
7 * it under the terms of the GNU General Public License as published by *
8 * the Free Software Foundation; either version 2 of the License, or *
9 * (at your option) any later version. *
10 * *
11 * This program is distributed in the hope that it will be useful, *
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of *
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the *
14 * GNU General Public License for more details. *
15 * *
16 * You should have received a copy of the GNU General Public License *
17 * along with this program; if not, write to the Free Software *
18 * Foundation, Inc., *
19 * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA *
20 ***************************************************************************/
21
22 // Return values for handlers and hooks. This defines the behavior of both the
23 // plat/al engine, and the invidivual hooks.
24 define('PL_DO_AUTH', 300); // User should be redirected to the login page.
25 define('PL_BAD_REQUEST', 400); // Request is not valid, and could not be interpreted.
26 define('PL_FORBIDDEN', 403); // User is not allowed to view page (auth or permission error).
27 define('PL_NOT_FOUND', 404); // Page doesn't not exist. Engine will try to offer suggestions.
28 define('PL_WIKI', 500); // Page is a wiki page, plat/al engine should yield to the wiki engine.
29 define('PL_JSON', 501); // Page is valid, but result should be JSON-encoded, not HTML-encoded.
30
31 abstract class PlHook
32 {
33 protected $auth;
34 protected $perms;
35 protected $type;
36
37 protected function __construct($auth = AUTH_PUBLIC, $perms = 'user', $type = DO_AUTH)
38 {
39 $this->auth = $auth;
40 $this->perms = $perms;
41 $this->type = $type;
42 }
43
44 public function checkPerms()
45 {
46 // Don't check permissions if there are no permission requirement
47 // (either no requested group membership, or public auth is allowed).
48 return !$this->perms || $this->auth == AUTH_PUBLIC ||
49 Platal::session()->checkPerms($this->perms);
50 }
51
52 public function hasType($type)
53 {
54 return ($this->type & $type) == $type;
55 }
56
57 abstract protected function run(PlPage $page, array $args);
58
59 public function call(PlPage $page, array $args)
60 {
61 global $globals, $session, $platal;
62 if (!$session->checkAuth($this->auth)) {
63 if ($this->hasType(DO_AUTH)) {
64 if (!$session->start($this->auth)) {
65 $platal->force_login($page);
66 return PL_FORBIDDEN;
67 }
68 } else {
69 return PL_FORBIDDEN;
70 }
71 }
72 if (!$this->checkPerms()) {
73 if (Platal::notAllowed()) {
74 return PL_FORBIDDEN;
75 }
76 }
77 return $this->run($page, $args);
78 }
79 }
80
81 /** The standard plat/al hook, for interactive requests.
82 * It optionally does active authentication (DO_AUTH). The handler is invoked
83 * with the PlPage object, and with each of the remaining path components.
84 */
85 class PlStdHook extends PlHook
86 {
87 private $callback;
88
89 public function __construct($callback, $auth = AUTH_PUBLIC, $perms = 'user', $type = DO_AUTH)
90 {
91 parent::__construct($auth, $perms, $type);
92 $this->callback = $callback;
93 }
94
95 protected function run(PlPage $page, array $args)
96 {
97 global $session, $platal;
98
99 $args[0] = $page;
100 $val = call_user_func_array($this->callback, $args);
101 if ($val == PL_DO_AUTH) {
102 if (!$session->start($session->loggedLevel())) {
103 $platal->force_login($page);
104 }
105 $val = call_user_func_array($this->callback, $args);
106 }
107 return $val;
108 }
109 }
110
111 /** A specialized hook for API requests.
112 * It is intended to be used for passive API requests, authenticated either by
113 * an existing session (with a valid XSRF token), or by an alternative single
114 * request auth mechanism implemented by PlSession::apiAuth.
115 *
116 * This hook is suitable for read-write requests against the website, provided
117 * $auth is set appropriately. Note that the auth level is only checked for
118 * session-authenticated users, as "apiAuth" users are assumed to always have
119 * the requested level (use another hook otherwise).
120 *
121 * The callback will be passed as arguments the PlPage, the authenticated
122 * PlUser, the JSON decoded payload, and the remaining path components, as with
123 * any other hook.
124 *
125 * If the callback intends to JSON-encode its returned value, it is advised to
126 * use PlPage::jsonAssign, and return PL_JSON to enable automatic encoding.
127 */
128 class PlApiHook extends PlHook
129 {
130 private $actualAuth;
131 private $callback;
132
133 public function __construct($callback, $auth = AUTH_PUBLIC, $perms = 'user', $type = NO_AUTH)
134 {
135 // As mentioned above, $auth is only applied for session-based auth
136 // (as opposed to token-based). PlHook is initialized to AUTH_PUBLIC to
137 // avoid it refusing to approve requests; this is important as the user
138 // is not yet authenticated at that point (see below for the actual
139 // permissions check).
140 parent::__construct(AUTH_PUBLIC, $perms, $type);
141 $this->actualAuth = $auth;
142 $this->callback = $callback;
143 }
144
145 private function getEncodedPayload($method)
146 {
147 return $method == "GET" ? "" : file_get_contents("php://input");
148 }
149
150 private function decodePayload($encodedPayload)
151 {
152 return empty($encodedPayload) ? array() : json_decode($encodedPayload, true);
153 }
154
155 protected function run(PlPage $page, array $args)
156 {
157 $method = $_SERVER['REQUEST_METHOD'];
158 $encodedPayload = $this->getEncodedPayload($method);
159 $jsonPayload = $this->decodePayload($encodedPayload);
160 $resource = '/' . implode('/', $args);
161
162 // If the payload wasn't a valid JSON encoded object, bail out early.
163 if (is_null($jsonPayload)) {
164 $page->trigError("Could not decode the JSON-encoded payload sent with the request.");
165 return PL_BAD_REQUEST;
166 }
167
168 // Authenticate the request. Try first with the existing session (which
169 // is less expensive to check), by veryfing that the XSRF token is
170 // valid; otherwise fallbacks to API-type authentication from PlSession.
171 if (S::logged() && S::has_xsrf_token() && Platal::session()->checkAuth($this->actualAuth)) {
172 $user = S::user();
173 } else {
174 $user = Platal::session()->apiAuth($method, $resource, $encodedPayload);
175 }
176
177 // Check the permissions, unless the handler is fully public.
178 if ($this->actualAuth > AUTH_PUBLIC) {
179 if (is_null($user) || !$user->checkPerms($this->perms)) {
180 return PL_FORBIDDEN;
181 }
182 }
183
184 // Invoke the callback, whose signature is (PlPage, PlUser, jsonPayload).
185 array_shift($args);
186 array_unshift($args, $page, $user, $jsonPayload);
187 return call_user_func_array($this->callback, $args);
188 }
189 }
190
191 /** A specialized hook for token-based requests.
192 * It is intended for purely passive requests (typically for serving CSV or RSS
193 * content outside the browser), and can fallback to regular session-based
194 * authentication when the token is not valid/available.
195 *
196 * Note that $auth is only applied for session-backed authentication; it is
197 * assumed that token-based auth is always enough for the hook (otherwise, just
198 * use PlStdHook above).
199 *
200 * Also, this hook requires that the first two unmatched path components are the
201 * user and token (for instance /<matched path>/<user>/<token>/....). They will
202 * be popped before being passed to the handler, and replaced by the request's
203 * PlUser object.
204 */
205 class PlTokenHook extends PlHook
206 {
207 private $actualAuth;
208 private $callback;
209
210 public function __construct($callback, $auth = AUTH_PUBLIC, $perms = 'user', $type = NO_AUTH)
211 {
212 // See PlApiHook::__construct.
213 parent::__construct(AUTH_PUBLIC, $perms, $type);
214 $this->actualAuth = $auth;
215 $this->callback = $callback;
216 }
217
218 protected function run(PlPage $page, array $args)
219 {
220 // Retrieve the user, either from the session (less expensive, as it is
221 // already there), or from the in-path (user, token) pair.
222 if (S::logged() && Platal::session()->checkAuth($this->actualAuth)) {
223 $user = S::user();
224 } else {
225 $user = Platal::session()->tokenAuth(@$args[1], @$args[2]);
226 }
227
228 // Check the permissions, unless the handler is fully public.
229 if ($this->actualAuth > AUTH_PUBLIC) {
230 if (is_null($user) || !$user->checkPerms($this->perms)) {
231 return PL_FORBIDDEN;
232 }
233 }
234
235 // Replace the first three remaining elements of the path with the
236 // PlPage and PlUser objects.
237 array_shift($args);
238 $args[0] = $page;
239 $args[1] = $user;
240 return call_user_func_array($this->callback, $args);
241 }
242 }
243
244 /** A specialized plat/al hook for serving wiki pages.
245 */
246 class PlWikiHook extends PlHook
247 {
248 public function __construct($auth = AUTH_PUBLIC, $perms = 'user', $type = DO_AUTH)
249 {
250 parent::__construct($auth, $perms, $type);
251 }
252
253 protected function run(PlPage $page, array $args)
254 {
255 return PL_WIKI;
256 }
257 }
258
259 class PlHookTree
260 {
261 public $hook = null;
262 public $aliased = null;
263 public $children = array();
264
265 public function addChildren(array $hooks)
266 {
267 global $platal;
268 foreach ($hooks as $path=>$hook) {
269 $path = explode('/', $path);
270 $element = $this;
271 foreach ($path as $next) {
272 $alias = null;
273 if ($next{0} == '%') {
274 $alias = $next;
275 $next = $platal->hook_map(substr($next, 1));
276 }
277 if (!isset($element->children[$next])) {
278 $child = new PlHookTree();
279 $child->aliased = $alias;
280 $element->children[$next] = $child;
281 } else {
282 $child = $element->children[$next];
283 }
284 $element = $child;
285 }
286 $element->hook = $hook;
287 }
288 }
289
290 public function findChild(array $path)
291 {
292 $remain = $path;
293 $matched = array();
294 $aliased = array();
295 $element = $this;
296 while (true)
297 {
298 $next = @$remain[0];
299 if ($element->aliased) {
300 $aliased = $matched;
301 }
302 if (empty($next) || !isset($element->children[$next])) {
303 break;
304 }
305 $element = $element->children[$next];
306 array_shift($remain);
307 $matched[] = $next;
308 }
309 return array($element->hook, $matched, $remain, $aliased);
310 }
311
312 private function findNearestChildAux(array $remain, array $matched, array $aliased)
313 {
314 $next = @$remain[0];
315 if ($this->aliased) {
316 $aliased = $matched;
317 }
318 if (!empty($next)) {
319 $child = @$this->children[$next];
320 if (!$child) {
321 $nearest_lev = 50;
322 $nearest_sdx = 50;
323 $match = null;
324 foreach ($this->children as $path=>$hook) {
325 if ($path) {
326 $lev = levenshtein($next, $path);
327 if ($lev <= $nearest_lev
328 && ($lev < strlen($next) / 2 || strpos($next, $path) !== false
329 || strpos($path, $next) !== false)) {
330 $sdx = levenshtein(soundex($next), soundex($path));
331 if ($lev == $nearest_lev || $sdx < $nearest_sdx) {
332 $child = $hook;
333 $nearest_lev = $lev;
334 $nearest_sdx = $sdx;
335 $match = $path;
336 }
337 }
338 }
339 }
340 $next = $match;
341 }
342 if ($child) {
343 array_shift($remain);
344 $matched[] = $next;
345 return $child->findNearestChildAux($remain, $matched, $aliased);
346 }
347 if (($pos = strpos($next, '.php')) !== false) {
348 $remain[0] = substr($next, 0, $pos);
349 return $this->findNearestChildAux($remain, $matched, $aliased);
350 }
351 }
352 return array($this->hook, $matched, $remain, $aliased);
353 }
354
355 public function findNearestChild(array $path)
356 {
357 return $this->findNearestChildAux($path, array(), array());
358 }
359 }
360
361 abstract class Platal
362 {
363 private $mods;
364 private $hooks;
365
366 protected $https;
367
368 public $ns;
369 public $path;
370 public $argv = array();
371
372 static private $_page = null;
373
374 public function __construct()
375 {
376 global $platal, $session, $globals;
377 $platal = $this;
378
379 /* Assign globals first, then call init: init must be used for operations
380 * that requires access to the content of $globals (e.g. XDB requires
381 * $globals to be assigned.
382 */
383 $globals = $this->buildGlobals();
384 $globals->init();
385
386 /* Get the current session: assign first, then activate the session.
387 */
388 $session = $this->buildSession();
389 if (!$session->startAvailableAuth()) {
390 Platal::page()->trigError("Données d'authentification invalides.");
391 }
392
393 $modules = func_get_args();
394 if (isset($modules[0]) && is_array($modules[0])) {
395 $modules = $modules[0];
396 }
397 $this->path = trim(Get::_get('n', null), '/');
398
399 $this->mods = array();
400 $this->hooks = new PlHookTree();
401
402 array_unshift($modules, 'core');
403 foreach ($modules as $module) {
404 $module = strtolower($module);
405 $this->mods[$module] = $m = PLModule::factory($module);
406 $this->hooks->addChildren($m->handlers());
407 }
408
409 if ($globals->mode == '') {
410 pl_redirect('index.html');
411 }
412 }
413
414 public function pl_self($n = null)
415 {
416 if (is_null($n))
417 return $this->path;
418
419 if ($n >= 0)
420 return join('/', array_slice($this->argv, 0, $n + 1));
421
422 if ($n <= -count($this->argv))
423 return $this->argv[0];
424
425 return join('/', array_slice($this->argv, 0, $n));
426 }
427
428 public static function wiki_hook($auth = AUTH_PUBLIC, $perms = 'user', $type = DO_AUTH)
429 {
430 return new PlWikiHook($auth, $perms, $type);
431 }
432
433 public function hook_map($name)
434 {
435 return null;
436 }
437
438 protected function find_hook()
439 {
440 $p = explode('/', $this->path);
441 list($hook, $matched, $remain, $aliased) = $this->hooks->findChild($p);
442 if (empty($hook)) {
443 return null;
444 }
445 $this->argv = $remain;
446 array_unshift($this->argv, implode('/', $matched));
447 if (!empty($aliased)) {
448 $this->ns = implode('/', $aliased) . '/';
449 }
450 $this->https = !$hook->hasType(NO_HTTPS);
451 return $hook;
452 }
453
454 public function near_hook()
455 {
456 $p = explode('/', $this->path);
457 list($hook, $matched, $remain, $aliased) = $this->hooks->findNearestChild($p);
458 if (empty($hook)) {
459 return null;
460 }
461 $url = implode('/', $matched);
462 if (!empty($remain)) {
463 $url .= '/' . implode('/', $remain);
464 }
465 if ($url == $this->path || levenshtein($url, $this->path) > strlen($url) / 3
466 || !$hook->checkPerms()) {
467 return null;
468 }
469 return $url;
470 }
471
472 private function call_hook(PlPage $page)
473 {
474 $hook = $this->find_hook();
475 if (empty($hook)) {
476 return PL_NOT_FOUND;
477 }
478 global $globals, $session;
479 if ($this->https && !@$_SERVER['HTTPS'] && $globals->core->secure_domain) {
480 http_redirect('https://' . $globals->core->secure_domain . $_SERVER['REQUEST_URI']);
481 }
482
483 return $hook->call($page, $this->argv);
484 }
485
486 /** Show the authentication form.
487 */
488 abstract public function force_login(PlPage $page);
489
490 protected function report_error($error)
491 {
492 PlErrorReport::report($error);
493 }
494
495 public function run()
496 {
497 $page =& self::page();
498
499 if (empty($this->path)) {
500 $this->path = 'index';
501 }
502
503 try {
504 $page->assign('platal', $this);
505 $res = $this->call_hook($page);
506 switch ($res) {
507 case PL_BAD_REQUEST:
508 $this->mods['core']->handler_400($page);
509 break;
510
511 case PL_FORBIDDEN:
512 $this->mods['core']->handler_403($page);
513 break;
514
515 case PL_NOT_FOUND:
516 $this->mods['core']->handler_404($page);
517 break;
518
519 case PL_WIKI:
520 return PL_WIKI;
521 }
522 } catch (Exception $e) {
523 header($_SERVER['SERVER_PROTOCOL'] . ' 500 Internal Server Error');
524 $this->report_error($e);
525 if (self::globals()->debug) {
526 $page->kill(pl_entities($e->getMessage())
527 . '<pre>' . pl_entities("" . $e) . '</pre>');
528 } else {
529 $page->kill(pl_entities($e->getMessage()));
530 }
531 }
532
533 $page->assign('platal', $this);
534 if ($res == PL_JSON) {
535 $page->runJSon();
536 } else {
537 $page->run();
538 }
539 }
540
541 public function error403()
542 {
543 $page =& self::page();
544
545 $this->mods['core']->handler_403($page);
546 $page->assign('platal', $this);
547 $page->run();
548 }
549
550 public function error404()
551 {
552 $page =& self::page();
553
554 $this->mods['core']->handler_404($page);
555 $page->assign('platal', $this);
556 $page->run();
557 }
558
559 public static function notAllowed()
560 {
561 if (S::admin()) {
562 self::page()->trigWarning('Tu accèdes à cette page car tu es administrateur du site.');
563 return false;
564 } else {
565 return true;
566 }
567 }
568
569 public static function load($modname, $include = null)
570 {
571 global $platal;
572 $modname = strtolower($modname);
573 if (isset($platal->mods[$modname])) {
574 if (is_null($include)) {
575 return;
576 }
577 $platal->mods[$modname]->load($include);
578 } else {
579 if (is_null($include)) {
580 require_once PLModule::path($modname) . '.php';
581 } else {
582 require_once PLModule::path($modname) . '/' . $include;
583 }
584 }
585 }
586
587 public static function assert($cond, $error, $userfriendly = null)
588 {
589 if ($cond === false) {
590 if ($userfriendly == null) {
591 $userfriendly = "Une erreur interne s'est produite.
592 Merci de réessayer la manipulation qui a déclenché l'erreur ;
593 si cela ne fonctionne toujours pas, merci de nous signaler le problème rencontré.";
594 }
595 throw new PlException($userfriendly, $error);
596 }
597 }
598
599 public function &buildLogger($uid, $suid = 0)
600 {
601 if (defined('PL_LOGGER_CLASS')) {
602 $class = PL_LOGGER_CLASS;
603 $logger = new $class($uid, $suid);
604 return $logger;
605 } else {
606 return PlLogger::dummy($uid, $suid);
607 }
608 }
609
610 protected function &buildPage()
611 {
612 $pageclass = PL_PAGE_CLASS;
613 $page = new $pageclass();
614 return $page;
615 }
616
617 static public function &page()
618 {
619 if (is_null(self::$_page)) {
620 global $platal;
621 self::$_page = $platal->buildPage();
622 }
623 return self::$_page;
624 }
625
626 protected function &buildSession()
627 {
628 $sessionclass = PL_SESSION_CLASS;
629 $session = new $sessionclass();
630 return $session;
631 }
632
633 static public function &session()
634 {
635 global $session;
636 return $session;
637 }
638
639 protected function &buildGlobals()
640 {
641 $globalclass = PL_GLOBALS_CLASS;
642 $globals = new $globalclass();
643 return $globals;
644 }
645
646 static public function &globals()
647 {
648 global $globals;
649 return $globals;
650 }
651 }
652
653 // vim:set et sw=4 sts=4 sws=4 foldmethod=marker fenc=utf-8:
654 ?>
plat/al