X-Git-Url: http://git.polytechnique.org/?a=blobdiff_plain;f=classes%2Fplsession.php;h=fd374ed9b2120638374e827692dae6c3970a73c4;hb=refs%2Fheads%2Fcore%2Fmaster;hp=688f5f5477dfe0101d8767804348ece4de7f9193;hpb=5a074c2fba4ded858222b91acfa8422799b17182;p=platal.git

diff --git a/classes/plsession.php b/classes/plsession.php
index 688f5f5..fd374ed 100644
--- a/classes/plsession.php
+++ b/classes/plsession.php
@@ -1,6 +1,6 @@
 <?php
 /***************************************************************************
- *  Copyright (C) 2003-2008 Polytechnique.org                              *
+ *  Copyright (C) 2003-2011 Polytechnique.org                              *
  *  http://opensource.polytechnique.org/                                   *
  *                                                                         *
  *  This program is free software; you can redistribute it and/or modify   *
@@ -26,6 +26,8 @@
 define('AUTH_SUID',   -1);
 define('AUTH_PUBLIC', 0);
 define('AUTH_COOKIE', 5);
+define('AUTH_PASSWD', 10);
+// Backwards compatibility: AUTH_MDP must be an alias for AUTH_PASSWD.
 define('AUTH_MDP',    10);
 
 
@@ -52,7 +54,7 @@ abstract class PlSession
 
     /** Build the session structure with system fields.
      */
-    private function fillSession()
+    protected function fillSession()
     {
         S::bootstrap('user', null);
         S::bootstrap('auth', AUTH_PUBLIC);
@@ -103,7 +105,6 @@ abstract class PlSession
      */
     public function start($level)
     {
-        $backup = S::i($level);
         if ($this->checkAuth($level)) {
             return true;
         }
@@ -160,6 +161,23 @@ abstract class PlSession
      */
     abstract protected function startSessionAs($user, $level);
 
+    /** Authenticate the request for the given (method, payload) pair.
+     *
+     * Implementations are expected to provide strong authentication. It is
+     * suggested to use an HMAC-based scheme, where the signature validates the
+     * method, url, and payload (to avoid replay of the signature against other
+     * methods), and the timestamp (to avoid replay in time).
+     *
+     * @param method method of the request (GET, POST, PUT, DELETE)
+     * @param resource URL path of the resource (eg. "/api/user")
+     * @param payload binary payload sent with the request (before decoding)
+     * @return a valid PlUser object if authentication is successfull, or null.
+     */
+    public function apiAuth($method, $resource, $payload)
+    {
+        return null;  // Default implementation does nothing
+    }
+
     /** Check authentication with the given token.
      *
      * Token authentication is a light-weight authentication based on a user-specific token.
@@ -171,18 +189,26 @@ abstract class PlSession
      */
     abstract public function tokenAuth($login, $token);
 
+    /** Set the permissions to the given flagset.
+     *
+     * This function sets S::set('perms') with a flagset represeting the combination of
+     * $perms and $is_admin.
+     *
+     * $perms is an abstract object representing the permissions.
+     * $is_admin is a boolean, true if the current user has site-administration rights.
+     */
+    abstract protected function makePerms($perms, $is_admin);
 
     /*** SUID management ***/
 
     /** Start a new SUID session.
      */
-    public function startSUID($user)
+    public function startSUID($user, $perms = null)
     {
-        if (S::has('suid')) {
+        if (S::suid()) {
             return false;
         }
-        $backup   = $_SESSION;
-        $_SESSION = array();
+        $backup = S::changeSession(array());
         $this->fillSession();
         S::set('suid', $backup);
         if (!$this->startSessionAs($user, AUTH_SUID)) {
@@ -190,6 +216,9 @@ abstract class PlSession
             return false;
         }
         S::set('user', $user);
+        if (!is_null($perms)) {
+            $this->makePerms($perms, false);
+        }
         return true;
     }
 
@@ -197,10 +226,10 @@ abstract class PlSession
      */
     public function stopSUID()
     {
-        if (!S::has('suid')) {
+        if (!S::suid()) {
             return false;
         }
-        $_SESSION = $_SESSION['suid'];
+        S::changeSession(S::v('suid'));
         return true;
     }
 
@@ -216,5 +245,5 @@ abstract class PlSession
     abstract public function sureLevel();
 }
 
-// vim:set et sw=4 sts=4 sws=4 foldmethod=marker enc=utf-8:
+// vim:set et sw=4 sts=4 sws=4 foldmethod=marker fenc=utf-8:
 ?>