2 /***************************************************************************
3 * Copyright (C) 2003-2011 Polytechnique.org *
4 * http://opensource.polytechnique.org/ *
6 * This program is free software; you can redistribute it and/or modify *
7 * it under the terms of the GNU General Public License as published by *
8 * the Free Software Foundation; either version 2 of the License, or *
9 * (at your option) any later version. *
11 * This program is distributed in the hope that it will be useful, *
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of *
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the *
14 * GNU General Public License for more details. *
16 * You should have received a copy of the GNU General Public License *
17 * along with this program; if not, write to the Free Software *
19 * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA *
20 ***************************************************************************/
// Return values for handlers and hooks. This defines the behavior of both the
// plat/al engine, and the individual hooks.
// NOTE(review): these are internal dispatch codes compared with '==' in
// Platal::run(); despite looking like HTTP statuses, PL_WIKI/PL_JSON are not
// sent to the client as such (run() handles them separately).
define('PL_DO_AUTH', 300);      // User should be redirected to the login page.
define('PL_BAD_REQUEST', 400);  // Request is not valid, and could not be interpreted.
define('PL_FORBIDDEN', 403);    // User is not allowed to view page (auth or permission error).
define('PL_NOT_FOUND', 404);    // Page does not exist. Engine will try to offer suggestions.
define('PL_WIKI', 500);         // Page is a wiki page, plat/al engine should yield to the wiki engine.
define('PL_JSON', 501);         // Page is valid, but result should be JSON-encoded, not HTML-encoded.
/** Base constructor shared by every hook.
 * @param $auth  auth level required from the session (AUTH_PUBLIC makes
 *               checkPerms() skip the permission check entirely).
 * @param $perms permission requirement handed to PlSession::checkPerms().
 * @param $type  bitmask of hook flags (DO_AUTH, NO_AUTH, NO_HTTPS...), tested
 *               through hasType().
 * NOTE(review): this listing elides the lines around the $perms assignment;
 *        the $auth and $type assignments read by call()/hasType() are not
 *        visible here.
 */
protected function __construct($auth = AUTH_PUBLIC, $perms = 'user', $type = DO_AUTH)
    // ... elided ...
    $this->perms = $perms;
    // ... elided ...
/** Tells whether the current session satisfies this hook's permission requirement.
 *
 * The check is skipped (true is returned) when the hook requests no permission
 * at all, or when it allows public auth: in both cases there is nothing to
 * enforce. Otherwise the decision is delegated to the session's checkPerms().
 * $this->perms is tested for truthiness, so '', '0' and null all count as
 * "no requirement". Hooks that need a permission check even though the base
 * auth level is AUTH_PUBLIC (PlApiHook, PlTokenHook) must re-check in run().
 */
public function checkPerms()
{
    if (!$this->perms) {
        return true;
    }
    if ($this->auth == AUTH_PUBLIC) {
        return true;
    }
    return (bool) Platal::session()->checkPerms($this->perms);
}
/** Tells whether every flag bit of $type is set on this hook.
 * @param $type bitmask of hook flags (e.g. DO_AUTH, NO_AUTH, NO_HTTPS).
 * @return true when $type is a subset of $this->type.
 */
public function hasType($type)
{
    $present = $this->type & $type;
    return $present == $type;
}
/** Hook-specific request processing, invoked by call() once the base
 * authentication and permission checks have passed.
 * @param $page the current PlPage.
 * @param $args request arguments: the matched path prefix followed by the
 *              remaining path components (see Platal::find_hook()).
 * @return a PL_* dispatch code or a value interpreted by Platal::run().
 */
abstract protected function run(PlPage $page, array $args);
/** Engine-side entry point: enforces auth and perms, then delegates to run().
 *
 * Flow visible in this listing:
 *  1. if the session does not already hold the required auth level, a DO_AUTH
 *     hook actively tries to raise it via $session->start(); on failure the
 *     login form is forced on $page.
 *  2. if checkPerms() fails, Platal::notAllowed() decides the outcome.
 *  3. otherwise run() is invoked.
 * NOTE(review): the lines following force_login() and notAllowed() (return
 *        values / else branches) are elided in this listing, so the exact
 *        outcome for non-DO_AUTH hooks lacking auth and for denied
 *        permissions is not visible here. $globals is declared global but
 *        unused in the visible lines.
 */
public function call(PlPage $page, array $args)
    global $globals, $session, $platal;
    if (!$session->checkAuth($this->auth)) {
        if ($this->hasType(DO_AUTH)) {
            if (!$session->start($this->auth)) {
                $platal->force_login($page);
    // ... elided ...
    if (!$this->checkPerms()) {
        if (Platal::notAllowed()) {
    // ... elided ...
    return $this->run($page, $args);
81 /** The standard plat/al hook, for interactive requests.
82 * It optionally does active authentication (DO_AUTH). The handler is invoked
83 * with the PlPage object, and with each of the remaining path components.
85 class PlStdHook
extends PlHook
/** Builds a standard interactive hook.
 * @param $callback callable invoked by run() with the request arguments.
 * @param $auth, $perms, $type forwarded unchanged to PlHook::__construct().
 */
public function __construct($callback, $auth = AUTH_PUBLIC, $perms = 'user', $type = DO_AUTH)
{
    $this->callback = $callback;
    parent::__construct($auth, $perms, $type);
}
/** Invokes the callback; if it asks for authentication (PL_DO_AUTH), tries to
 * start a session at the level the user is logged at and calls it again.
 * NOTE(review): the lines between the 'global' statement and the first call
 *        are elided in this listing (the $page argument is presumably
 *        prepended to $args there, per the class comment), as is the final
 *        return of $val.
 */
protected function run(PlPage $page, array $args)
    global $session, $platal;
    // ... elided ...
    $val = call_user_func_array($this->callback, $args);
    if ($val == PL_DO_AUTH) {
        if (!$session->start($session->loggedLevel())) {
            $platal->force_login($page);
    // ... elided ...
        // Second invocation after a successful (re)authentication: the callback
        // runs twice for the same request, so everything it does before
        // returning PL_DO_AUTH must be safe to repeat.
        $val = call_user_func_array($this->callback, $args);
    // ... elided ...
111 /** A specialized hook for API requests.
112 * It is intended to be used for passive API requests, authenticated either by
113 * an existing session (with a valid XSRF token), or by an alternative single
114 * request auth mechanism implemented by PlSession::apiAuth.
116 * This hook is suitable for read-write requests against the website, provided
117 * $auth is set appropriately. Note that the auth level is only checked for
118 * session-authenticated users, as "apiAuth" users are assumed to always have
119 * the requested level (use another hook otherwise).
121 * The callback will be passed as arguments the PlPage, the authenticated
122 * PlUser, the JSON decoded payload, and the remaining path components, as with
125 * If the callback intends to JSON-encode its returned value, it is advised to
126 * use PlPage::jsonAssign, and return PL_JSON to enable automatic encoding.
128 class PlApiHook
extends PlHook
/** Builds an API hook.
 * @param $callback invoked with (PlPage, PlUser, decoded JSON payload, ...path components).
 * @param $auth     auth level enforced on session-authenticated callers only (see run()).
 * @param $perms    permission requirement checked in run() for non-public hooks.
 * @param $type     hook flags, NO_AUTH by default (presumably without the
 *                  DO_AUTH bit, so PlHook::call() never forces a login —
 *                  confirm against the flag definitions).
 *
 * The base class is deliberately initialized with AUTH_PUBLIC rather than
 * $auth: PlHook::call() runs before run() has had a chance to authenticate the
 * request (by XSRF-protected session or by PlSession::apiAuth), so the base
 * check must not reject it. The requested level is kept in $actualAuth and
 * enforced in run() instead.
 */
public function __construct($callback, $auth = AUTH_PUBLIC, $perms = 'user', $type = NO_AUTH)
{
    $this->callback = $callback;
    $this->actualAuth = $auth;
    parent::__construct(AUTH_PUBLIC, $perms, $type);
}
/** Returns the raw request body, or "" for GET requests (which carry no payload).
 * @param $method HTTP method as found in $_SERVER['REQUEST_METHOD'].
 * NOTE(review): file_get_contents() returns false on a read failure; that
 *        value reaches decodePayload() and is treated as an empty payload.
 */
private function getEncodedPayload($method)
{
    if ($method == "GET") {
        return "";
    }
    return file_get_contents("php://input");
}
/** Decodes a JSON payload into an associative array.
 * @return array() for an empty payload, the json_decode() result otherwise
 *         (null when the payload is not valid JSON — run() turns that into
 *         PL_BAD_REQUEST).
 * NOTE(review): empty() is a truthiness test, so the one-byte payload "0" is
 *        treated as empty; and a valid JSON scalar ("42", "\"x\"", "true")
 *        decodes to a non-array value that run() does not reject — callbacks
 *        should not assume an array without checking.
 */
private function decodePayload($encodedPayload)
{
    if (empty($encodedPayload)) {
        return array();
    }
    return json_decode($encodedPayload, true);
}
/** Authenticates the request, checks permissions, then invokes the callback.
 *
 * Authentication order: the existing session is tried first (cheaper) and is
 * accepted only when it is logged, carries a valid XSRF token and satisfies
 * $actualAuth; otherwise PlSession::apiAuth() receives the method, the
 * resource path rebuilt from $args and the raw (undecoded) payload —
 * presumably so that a per-request credential can cover the exact bytes;
 * confirm in PlSession. Per the class comment, apiAuth callers are trusted
 * for any auth level.
 *
 * Permissions are checked only for hooks whose $actualAuth is above
 * AUTH_PUBLIC; a fully public hook may therefore reach the callback with
 * $user === null when apiAuth() fails, and the callback must cope with that.
 *
 * NOTE(review): lines are elided in this listing after the session condition
 *        (presumably the $user assignment / else branch), inside the
 *        permission failure branch (presumably the PL_FORBIDDEN return) and at
 *        the end of the method.
 */
protected function run(PlPage $page, array $args)
    $method = $_SERVER['REQUEST_METHOD'];
    $encodedPayload = $this->getEncodedPayload($method);
    $jsonPayload = $this->decodePayload($encodedPayload);
    $resource = '/' . implode('/', $args);
    // ... elided ...
    // If the payload wasn't valid JSON, bail out early. Only a null decode
    // result is rejected; see decodePayload() for the scalar and "0" cases.
    if (is_null($jsonPayload)) {
        $page->trigError("Could not decode the JSON-encoded payload sent with the request.");
        return PL_BAD_REQUEST;
    // ... elided ...
    // Authenticate the request. Try first with the existing session (which
    // is less expensive to check), by verifying that the XSRF token is
    // valid; otherwise fall back to API-type authentication from PlSession.
    // The XSRF token requirement only guards the cookie/session path: apiAuth
    // requests are expected to carry their own per-request credentials.
    if (S::logged() && S::has_xsrf_token() && Platal::session()->checkAuth($this->actualAuth)) {
    // ... elided ...
        $user = Platal::session()->apiAuth($method, $resource, $encodedPayload);
    // ... elided ...
    // Check the permissions, unless the handler is fully public.
    if ($this->actualAuth > AUTH_PUBLIC) {
        if (is_null($user) || !$user->checkPerms($this->perms)) {
    // ... elided ...
    // Invoke the callback, whose signature is (PlPage, PlUser, jsonPayload, ...).
    // ... elided ...
    array_unshift($args, $page, $user, $jsonPayload);
    return call_user_func_array($this->callback, $args);
    // ... elided ...
191 /** A specialized hook for token-based requests.
192 * It is intended for purely passive requests (typically for serving CSV or RSS
content outside the browser), and can fall back to regular session-based
194 * authentication when the token is not valid/available.
196 * Note that $auth is only applied for session-backed authentication; it is
197 * assumed that token-based auth is always enough for the hook (otherwise, just
198 * use PlStdHook above).
200 * Also, this hook requires that the first two unmatched path components are the
201 * user and token (for instance /<matched path>/<user>/<token>/....). They will
202 * be popped before being passed to the handler, and replaced by the request's
205 class PlTokenHook
extends PlHook
/** Builds a token-based hook.
 * @param $callback invoked with (PlPage, PlUser, ...remaining path components).
 * @param $auth     auth level enforced on session-authenticated callers only (see run()).
 * @param $perms    permission requirement checked in run() for non-public hooks.
 * @param $type     hook flags, NO_AUTH by default.
 *
 * As in PlApiHook, the base class gets AUTH_PUBLIC so that PlHook::call() does
 * not reject the request before run() has resolved the user (from the session
 * or from the in-path user/token pair); the real level lives in $actualAuth.
 */
public function __construct($callback, $auth = AUTH_PUBLIC, $perms = 'user', $type = NO_AUTH)
{
    $this->callback = $callback;
    $this->actualAuth = $auth;
    parent::__construct(AUTH_PUBLIC, $perms, $type);
}
/** Resolves the user (session first, then in-path user/token pair), checks
 * permissions for non-public hooks, and invokes the callback.
 *
 * Per the class comment, $args[1] and $args[2] are the user and the token
 * ($args[0] being the matched path prefix, see Platal::find_hook()); the '@'
 * silences the notice when they are absent, and tokenAuth() then receives
 * null(s). Unlike PlApiHook::run(), the session path here does not require an
 * XSRF token — consistent with the class comment restricting this hook to
 * passive requests. As with PlApiHook, a fully public hook can reach the
 * callback with $user === null.
 *
 * NOTE(review): credentials carried in the URL path end up in web-server and
 *        proxy logs and in Referer headers; these tokens should be treated as
 *        low-value and revocable.
 * NOTE(review): lines are elided in this listing after the session condition,
 *        inside the permission failure branch, and where the first three path
 *        elements are replaced (only the comment announcing it survives).
 */
protected function run(PlPage $page, array $args)
    // Retrieve the user, either from the session (less expensive, as it is
    // already there), or from the in-path (user, token) pair.
    if (S::logged() && Platal::session()->checkAuth($this->actualAuth)) {
    // ... elided ...
        $user = Platal::session()->tokenAuth(@$args[1], @$args[2]);
    // ... elided ...
    // Check the permissions, unless the handler is fully public.
    if ($this->actualAuth > AUTH_PUBLIC) {
        if (is_null($user) || !$user->checkPerms($this->perms)) {
    // ... elided ...
    // Replace the first three remaining elements of the path with the
    // PlPage and PlUser objects.
    // ... elided ...
    return call_user_func_array($this->callback, $args);
    // ... elided ...
244 /** A specialized plat/al hook for serving wiki pages.
246 class PlWikiHook
extends PlHook
/** Builds a wiki hook. Wiki hooks carry no callback: per the PL_WIKI comment,
 * the engine is expected to yield to the wiki engine for them (run() is not
 * visible in this listing).
 * @param $auth, $perms, $type forwarded unchanged to PlHook::__construct().
 */
public function __construct($auth = AUTH_PUBLIC, $perms = 'user', $type = DO_AUTH)
{
    // Nothing wiki-specific to store: defer entirely to the base class.
    parent::__construct($auth, $perms, $type);
}
253 protected function run(PlPage
$page, array $args)
/** Set by addChildren() on nodes created for an aliased path component
 * (presumably the '%name' components resolved through Platal::hook_map());
 * findChild()/findNearestChildAux() report the aliases met along the walk.
 * NOTE(review): the $hook property used by addChildren()/findChild() is
 *        declared on a line elided in this listing. */
public $aliased = null;
/** Child nodes, keyed by path component. */
public $children = array();
/** Registers a set of hooks in the tree.
 * @param $hooks map of 'a/b/c' path => hook. A component starting with '%' is
 *        resolved through Platal::hook_map() and the node it creates is marked
 *        as aliased.
 * NOTE(review): '$next{0}' (curly-brace string offset) is removed in PHP 8.0 —
 *        use $next[0] when porting; it also raises a notice on an empty
 *        component (e.g. a double or trailing slash in the registered path).
 * NOTE(review): the 'global $platal', the $element/$alias initialisation, the
 *        else branch of the isset() test and the descent into $child are on
 *        lines elided in this listing.
 */
public function addChildren(array $hooks)
    // ... elided ...
    foreach ($hooks as $path=>$hook) {
        $path = explode('/', $path);
    // ... elided ...
        foreach ($path as $next) {
    // ... elided ...
            if ($next{0} == '%') {
    // ... elided ...
                $next = $platal->hook_map(substr($next, 1));
    // ... elided ...
            if (!isset($element->children[$next])) {
                $child = new PlHookTree();
                $child->aliased = $alias;
                $element->children[$next] = $child;
    // ... elided ...
                $child = $element->children[$next];
    // ... elided ...
        $element->hook = $hook;
    // ... elided ...
/** Walks the tree along $path, as far as it matches.
 * @param $path list of path components (see Platal::find_hook()).
 * @return array(hook, matched, remain, aliased): the hook of the deepest
 *         matching node, the components consumed, the ones left over, and the
 *         aliases met along the way.
 * NOTE(review): the walk stops on an empty component ('' from a double slash)
 *        and — because empty() is used — on the component '0' as well, which
 *        can therefore never be matched as a path element.
 * NOTE(review): the loop header, the $aliased accumulator handling and the
 *        early-exit branch are on lines elided in this listing.
 */
public function findChild(array $path)
    // ... elided ...
        if ($element->aliased) {
    // ... elided ...
        if (empty($next) || !isset($element->children[$next])) {
    // ... elided ...
        $element = $element->children[$next];
        array_shift($remain);
    // ... elided ...
    return array($element->hook, $matched, $remain, $aliased);
    // ... elided ...
/** Fuzzy variant of findChild() used to build "did you mean" suggestions:
 * at each level, picks the child whose name is closest to the requested
 * component (levenshtein distance, with a soundex-distance comparison between
 * candidates), provided the distance is below half the component length or
 * one name contains the other; a component ending in '.php' is retried
 * without that suffix.
 * @return same shape as findChild(): array(hook, matched, remain, aliased).
 * NOTE(review): the inner acceptance test reads backwards — a candidate at
 *        strictly smaller distance is accepted only when its soundex distance
 *        also improves, while one at equal distance is always accepted;
 *        confirm the intended tie-break.
 * NOTE(review): the result is a suggestion only; the permission check on the
 *        suggested hook is left to Platal::near_hook(). The exact-match fast
 *        path, the $nearest_* initialisation and the bookkeeping between the
 *        candidate selection and the recursion are on lines elided in this
 *        listing.
 */
private function findNearestChildAux(array $remain, array $matched, array $aliased)
    // ... elided ...
    if ($this->aliased) {
    // ... elided ...
    $child = @$this->children[$next];
    // ... elided ...
    foreach ($this->children as $path=>$hook) {
    // ... elided ...
        $lev = levenshtein($next, $path);
        if ($lev <= $nearest_lev
            && ($lev < strlen($next) / 2 || strpos($next, $path) !== false
                || strpos($path, $next) !== false)) {
            $sdx = levenshtein(soundex($next), soundex($path));
            if ($lev == $nearest_lev || $sdx < $nearest_sdx) {
    // ... elided ...
    array_shift($remain);
    // ... elided ...
    return $child->findNearestChildAux($remain, $matched, $aliased);
    // ... elided ...
    if (($pos = strpos($next, '.php')) !== false) {
        $remain[0] = substr($next, 0, $pos);
        return $this->findNearestChildAux($remain, $matched, $aliased);
    // ... elided ...
    return array($this->hook, $matched, $remain, $aliased);
    // ... elided ...
/** Public entry point of the fuzzy lookup: starts at this node with nothing
 * matched yet and no alias recorded.
 * @param $path list of path components.
 * @return array(hook, matched, remain, aliased) as built by findNearestChildAux().
 */
public function findNearestChild(array $path)
{
    $matched = array();
    $aliased = array();
    return $this->findNearestChildAux($path, $matched, $aliased);
}
361 abstract class Platal
/** Arguments of the current request: the matched hook path (joined with '/')
 * followed by the remaining path components; filled by find_hook() and
 * consumed by call_hook() and pl_self(). */
public $argv = array();
/** Process-wide PlPage, built lazily by page() through buildPage(). */
static private $_page = null;
/** Boots the application: builds $globals, starts the session, loads the
 * modules and registers their handlers in the hook tree.
 * Arguments: module names, either as a variadic list or as a single array.
 *
 * Notes on the visible lines:
 *  - the request path comes from the 'n' GET parameter (presumably filled by a
 *    rewrite rule), with surrounding slashes trimmed; find_hook() splits it on '/'.
 *  - 'core' is always loaded first and registered ahead of the requested modules.
 *  - a failed startAvailableAuth() only reports an error on the page; boot
 *    appears to continue with an unauthenticated session.
 * NOTE(review): the $platal assignment, the $globals/$session init calls and
 *        the closing braces are on lines elided in this listing.
 */
public function __construct()
    global $platal, $session, $globals;
    // ... elided ...
    /* Assign globals first, then call init: init must be used for operations
     * that require access to the content of $globals (e.g. XDB requires
     * $globals to be assigned). */
    $globals = $this->buildGlobals();
    // ... elided ...
    /* Get the current session: assign first, then activate the session. */
    $session = $this->buildSession();
    if (!$session->startAvailableAuth()) {
        Platal::page()->trigError("Données d'authentification invalides.");
    // ... elided ...
    $modules = func_get_args();
    if (isset($modules[0]) && is_array($modules[0])) {
        $modules = $modules[0];
    // ... elided ...
    $this->path = trim(Get::_get('n', null), '/');
    // ... elided ...
    $this->mods = array();
    $this->hooks = new PlHookTree();
    // ... elided ...
    array_unshift($modules, 'core');
    foreach ($modules as $module) {
        $module = strtolower($module);
        $this->mods[$module] = $m = PLModule::factory($module);
        $this->hooks->addChildren($m->handlers());
    // ... elided ...
    if ($globals->mode == '') {
        pl_redirect('index.html');
    // ... elided ...
/** Returns the request path truncated to a number of argv components (used to
 * build URLs relative to the current page).
 * @param $n null, or the index of the last argv element to keep; negative
 *           values count from the end and clamp to argv[0].
 * NOTE(review): the branches for null and non-negative $n between the
 *        signature and the first join() are on lines elided in this listing;
 *        the description above is inferred from the visible join()/slice
 *        calls and should be confirmed against the full source.
 */
public function pl_self($n = null)
    // ... elided ...
        return join('/', array_slice($this->argv, 0, $n + 1));
    // ... elided ...
    if ($n <= -count($this->argv))
        return $this->argv[0];
    // ... elided ...
    return join('/', array_slice($this->argv, 0, $n));
    // ... elided ...
/** Factory for wiki hooks, so that module handler tables can declare a wiki
 * page without naming the class.
 * @return a new PlWikiHook carrying $auth, $perms and $type.
 */
public static function wiki_hook($auth = AUTH_PUBLIC, $perms = 'user', $type = DO_AUTH)
{
    $hook = new PlWikiHook($auth, $perms, $type);
    return $hook;
}
433 public function hook_map($name)
/** Resolves the current request path against the hook tree and records the
 * request arguments.
 * After this call $this->argv holds the matched prefix (joined with '/') as
 * element 0 followed by the unmatched components; $this->ns is set when an
 * aliased node was crossed; $this->https is true unless the hook carries the
 * NO_HTTPS flag (call_hook() then redirects to the secure domain).
 * NOTE(review): the handling of a missing hook (nothing matched) and the
 *        final return are on lines elided in this listing.
 */
protected function find_hook()
    // ... elided ...
    $p = explode('/', $this->path);
    list($hook, $matched, $remain, $aliased) = $this->hooks->findChild($p);
    // ... elided ...
    $this->argv = $remain;
    array_unshift($this->argv, implode('/', $matched));
    if (!empty($aliased)) {
        $this->ns = implode('/', $aliased) . '/';
    // ... elided ...
    $this->https = !$hook->hasType(NO_HTTPS);
    // ... elided ...
/** Computes a "did you mean" URL for a request that matched no hook.
 * The fuzzy match (PlHookTree::findNearestChild) is rebuilt into a URL and
 * discarded when it is identical to the requested path, too far from it
 * (levenshtein distance above a third of its length), or when the current
 * session is not allowed to see the target — so suggestions do not reveal
 * pages the user cannot reach.
 * NOTE(review): the no-hook-found branch and the return statements are on
 *        lines elided in this listing.
 */
public function near_hook()
    // ... elided ...
    $p = explode('/', $this->path);
    list($hook, $matched, $remain, $aliased) = $this->hooks->findNearestChild($p);
    // ... elided ...
    $url = implode('/', $matched);
    if (!empty($remain)) {
        $url .= '/' . implode('/', $remain);
    // ... elided ...
    if ($url == $this->path || levenshtein($url, $this->path) > strlen($url) / 3
        || !$hook->checkPerms()) {
    // ... elided ...
/** Dispatches the request to the resolved hook.
 * When the hook requires HTTPS, the request is not already on HTTPS and a
 * secure domain is configured, the client is redirected to the same URI on
 * that domain; otherwise the hook's call() runs (auth/perms are checked there).
 * NOTE(review): $_SERVER['HTTPS'] is tested for truthiness; some servers set
 *        it to the string 'off' on plain HTTP, which would count as HTTPS here
 *        — confirm the deployment never does. The redirect target host comes
 *        from configuration rather than the request's Host header, and
 *        REQUEST_URI is reused verbatim.
 * NOTE(review): the missing-hook branch (between find_hook() and the 'global'
 *        statement) is on lines elided in this listing.
 */
private function call_hook(PlPage $page)
    // ... elided ...
    $hook = $this->find_hook();
    // ... elided ...
    global $globals, $session;
    if ($this->https && !@$_SERVER['HTTPS'] && $globals->core->secure_domain) {
        http_redirect('https://' . $globals->core->secure_domain . $_SERVER['REQUEST_URI']);
    // ... elided ...
    return $hook->call($page, $this->argv);
    // ... elided ...
/** Show the authentication form on $page. Hooks call this when a DO_AUTH hook
 * could not obtain the required auth level (see PlHook::call() and
 * PlStdHook::run()); the concrete application provides the form.
 */
abstract public function force_login(PlPage $page);
/** Forwards an exception caught in run() to PlErrorReport. Subclasses may
 * override it to use a different reporting channel.
 * @param $error the caught exception.
 */
protected function report_error($error)
{
    $reporter = 'PlErrorReport';
    call_user_func(array($reporter, 'report'), $error);
}
/** Request entry point: resolves and calls the hook, maps the PL_* result
 * codes to the core module's error handlers, and renders the page.
 *
 * Visible behaviour: an empty path means 'index'; uncaught exceptions yield an
 * HTTP 500, are passed to report_error(), and kill the page with the exception
 * message — plus the full stringified exception (trace) when globals()->debug
 * is set.
 * NOTE(review): even outside debug mode, $e->getMessage() is shown to the
 *        client; messages from lower layers (database drivers, file paths)
 *        can disclose internals, so a generic message in production would be
 *        safer. pl_entities() is applied, so the concern is disclosure rather
 *        than injection.
 * NOTE(review): the try block, the dispatch on $res (only the handler_400/403/404
 *        calls survive), the remaining catch branch and the JSON/HTML
 *        rendering are on lines elided in this listing.
 */
public function run()
    $page =& self::page();
    // ... elided ...
    if (empty($this->path)) {
        $this->path = 'index';
    // ... elided ...
    $page->assign('platal', $this);
    $res = $this->call_hook($page);
    // ... elided ...
    $this->mods['core']->handler_400($page);
    // ... elided ...
    $this->mods['core']->handler_403($page);
    // ... elided ...
    $this->mods['core']->handler_404($page);
    // ... elided ...
    } catch (Exception $e) {
        header($_SERVER['SERVER_PROTOCOL'] . ' 500 Internal Server Error');
        $this->report_error($e);
        if (self::globals()->debug) {
            $page->kill(pl_entities($e->getMessage())
                        . '<pre>' . pl_entities("" . $e) . '</pre>');
    // ... elided ...
        $page->kill(pl_entities($e->getMessage()));
    // ... elided ...
    $page->assign('platal', $this);
    if ($res == PL_JSON) {
    // ... elided ...
/** Renders the core module's 403 page directly, outside the normal dispatch
 * (presumably for callers that detected the denial themselves).
 * NOTE(review): the line after the assign() (presumably rendering the page)
 *        is elided in this listing.
 */
public function error403()
    $page =& self::page();
    // ... elided ...
    $this->mods['core']->handler_403($page);
    $page->assign('platal', $this);
    // ... elided ...
/** Renders the core module's 404 page directly, outside the normal dispatch
 * (mirror of error403()).
 * NOTE(review): the line after the assign() (presumably rendering the page)
 *        is elided in this listing.
 */
public function error404()
    $page =& self::page();
    // ... elided ...
    $this->mods['core']->handler_404($page);
    $page->assign('platal', $this);
    // ... elided ...
/** Called by PlHook::call() when checkPerms() failed. The visible warning
 * ("you reach this page because you are a site administrator") implies that
 * site administrators are let through with a warning instead of being
 * refused — i.e. admin status overrides per-hook permissions.
 * NOTE(review): the admin test and the return values are on lines elided in
 *        this listing; confirm that non-admins are actually refused, since the
 *        security of every perms-protected hook rests on this method.
 */
public static function notAllowed()
    // ... elided ...
        self::page()->trigWarning('Tu accèdes à cette page car tu es administrateur du site.');
    // ... elided ...
/** Loads a module, or one of its include files.
 * @param $modname module name (lower-cased here).
 * @param $include null to load the module itself, otherwise a file name
 *                 relative to the module's directory.
 * When the module is already instantiated in $platal->mods, loading is
 * delegated to the module object; otherwise the file is require_once'd from
 * PLModule::path().
 * NOTE(review): $include is concatenated into a require_once path without
 *        sanitisation; callers must never derive it from request data (a
 *        '..' or absolute path would include an arbitrary PHP file). Whether
 *        any caller does is not visible here.
 * NOTE(review): the 'global $platal', the else branches and the closing
 *        braces are on lines elided in this listing.
 */
public static function load($modname, $include = null)
    // ... elided ...
    $modname = strtolower($modname);
    if (isset($platal->mods[$modname])) {
        if (is_null($include)) {
    // ... elided ...
            $platal->mods[$modname]->load($include);
    // ... elided ...
        if (is_null($include)) {
            require_once PLModule::path($modname) . '.php';
    // ... elided ...
            require_once PLModule::path($modname) . '/' . $include;
    // ... elided ...
/** Throws a PlException unless $cond holds.
 * @param $cond         only the boolean false triggers the exception (strict
 *                      comparison: null, 0 and '' pass).
 * @param $error        internal error detail handed to PlException.
 * @param $userfriendly message shown to the user; when loosely equal to null
 *                      (null, '' or 0) a generic French message is used.
 * @throws PlException
 */
public static function assert($cond, $error, $userfriendly = null)
{
    if ($cond !== false) {
        return;
    }
    $message = $userfriendly;
    if ($message == null) {
        $message = "Une erreur interne s'est produite.
Merci de réessayer la manipulation qui a déclenché l'erreur ;
si cela ne fonctionne toujours pas, merci de nous signaler le problème rencontré.";
    }
    throw new PlException($message, $error);
}
/** Builds the logger for a user, using the class named by the PL_LOGGER_CLASS
 * constant when the application defines one, and a PlLogger dummy otherwise.
 * @param $uid  id of the user being logged.
 * @param $suid secondary user id, 0 by default (its meaning is defined by the
 *              logger class, not visible here).
 * @return the logger, by reference.
 * NOTE(review): the return of $logger and the closing brace of the if are on
 *        lines elided in this listing.
 */
public function &buildLogger($uid, $suid = 0)
    // ... elided ...
    if (defined('PL_LOGGER_CLASS')) {
        $class = PL_LOGGER_CLASS;
        $logger = new $class($uid, $suid);
    // ... elided ...
    return PlLogger::dummy($uid, $suid);
    // ... elided ...
/** Instantiates the page object from the class named by PL_PAGE_CLASS.
 * NOTE(review): unlike PL_LOGGER_CLASS in buildLogger(), the constant is read
 *        unconditionally, so the application must define it. The return
 *        statement is on a line elided in this listing.
 */
protected function &buildPage()
    // ... elided ...
    $pageclass = PL_PAGE_CLASS;
    $page = new $pageclass();
    // ... elided ...
/** Returns the process-wide PlPage, building it on first use through the
 * Platal instance's buildPage() (so subclasses choose the page class).
 * NOTE(review): the 'global $platal' line and the return of self::$_page are
 *        on lines elided in this listing.
 */
static public function &page()
    // ... elided ...
    if (is_null(self::$_page)) {
    // ... elided ...
        self::$_page = $platal->buildPage();
    // ... elided ...
/** Instantiates the session object from the class named by PL_SESSION_CLASS
 * (read unconditionally: the application must define it).
 * NOTE(review): the return statement is on a line elided in this listing.
 */
protected function &buildSession()
    // ... elided ...
    $sessionclass = PL_SESSION_CLASS;
    $session = new $sessionclass();
    // ... elided ...
633 static public function &session()
/** Instantiates the globals object from the class named by PL_GLOBALS_CLASS
 * (read unconditionally: the application must define it).
 * NOTE(review): the return statement is on a line elided in this listing.
 */
protected function &buildGlobals()
    // ... elided ...
    $globalclass = PL_GLOBALS_CLASS;
    $globals = new $globalclass();
    // ... elided ...
646 static public function &globals()
653 // vim:set et sw=4 sts=4 sws=4 foldmethod=marker enc=utf-8: