Commit b9c3f610 authored by Richard Mansfield's avatar Richard Mansfield

Use a special cookie for collection secret url access


Signed-off-by: default avatarRichard Mansfield <richardm@catalyst.net.nz>
parent a9376cfa
......@@ -685,4 +685,17 @@ class Collection {
}
}
public function find_by_view($viewid) {
$record = get_record_sql('
SELECT c.*
FROM {collection} c JOIN {collection_view} cv ON c.id = cv.collection
WHERE cv.view = ?',
array($viewid)
);
if ($record) {
return new Collection(0, $record);
}
return false;
}
}
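Review bot: `find_by_view()` carries no docblock although it is a public lookup whose `false` return is relied on by the new `View::collection_id()`; I would add `/** Find the collection a view belongs to. @param int $viewid @return Collection|false The collection, or false when the view is in no collection */` above the signature. `get_record_sql()` presumably expects a single matching row, so if the schema allows one view to appear in more than one `collection_view` row this lookup is non-deterministic — the `ORDER BY displayorder, collection` used in `get_view_from_token()` suggests that case exists, which is worth confirming. The enclosing `Collection` class starts before this hunk.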
......@@ -1552,7 +1552,7 @@ function pieform_template_dir($file, $pluginlocation='') {
*
* @returns boolean Wether the specified user can look at the specified view.
*/
function can_view_view($view_id, $user_id=null, $usertoken=null, $mnettoken=null) {
function can_view_view($view_id, $user_id=null) {
global $USER, $SESSION;
if (defined('BULKEXPORT')) {
......@@ -1574,12 +1574,10 @@ function can_view_view($view_id, $user_id=null, $usertoken=null, $mnettoken=null
}
require_once(get_config('libroot') . 'view.php');
$view = new View($view_id);
if ($USER->is_logged_in()) {
$view = new View($view_id);
if ($USER->can_edit_view($view)) {
return true;
}
if ($USER->is_logged_in() && $USER->can_edit_view($view)) {
return true;
}
$access = View::user_access_records($view_id, $user_id);
......@@ -1588,7 +1586,7 @@ function can_view_view($view_id, $user_id=null, $usertoken=null, $mnettoken=null
return false;
}
if ($SESSION->get('mnetuser') && !$mnettoken) {
if ($SESSION->get('mnetuser')) {
$mnettoken = get_cookie('mviewaccess:'.$view_id);
}
......@@ -1602,7 +1600,7 @@ function can_view_view($view_id, $user_id=null, $usertoken=null, $mnettoken=null
}
}
else if ($a->token) {
$usertoken = $usertoken ? $usertoken : get_cookie('viewaccess:'.$view_id);
$usertoken = get_cookie('viewaccess:'.$view_id);
if ($a->token == $usertoken && $publicviews) {
return true;
}
......@@ -1615,6 +1613,14 @@ function can_view_view($view_id, $user_id=null, $usertoken=null, $mnettoken=null
$SESSION->set('mnetviewaccess', $mnetviewlist);
return true;
}
// Don't bother to pull the collection out unless the user actually
// has some collection access cookies.
if ($ctokens = get_cookies('caccess:')) {
$cid = $view->collection_id();
if ($cid && isset($ctokens[$cid]) && $a->token == $ctokens[$cid]) {
return true;
}
}
}
else if ($USER->is_logged_in()) {
if ($a->accesstype == 'friends') {
......@@ -1647,7 +1653,10 @@ function can_view_view($view_id, $user_id=null, $usertoken=null, $mnettoken=null
}
/* return the view associated with a given token */
/**
* Return the view associated with a given token, and set the
* appropriate access cookie.
*/
function get_view_from_token($token, $visible=true) {
if (!$token) {
return false;
......@@ -1667,18 +1676,28 @@ function get_view_from_token($token, $visible=true) {
if (count($viewids) > 1) {
// if any of the views are in collection(s), pick one of the ones
// with the lowest displayorder.
$order = get_column_sql('
SELECT cv.view
$order = get_records_sql_array('
SELECT cv.view, collection
FROM {collection_view} cv
WHERE cv.view IN (' . join(',', $viewids) . ')
ORDER BY displayorder, collection',
array()
);
if ($order) {
return $order[0];
if ($token != get_cookie('caccess:'.$order[0]->collection)) {
set_cookie('caccess:'.$order[0]->collection, $token);
}
return $order[0]->view;
}
}
return $viewids[0];
$viewid = $viewids[0];
if (!$visible && $token != get_cookie('mviewaccess:'.$viewid)) {
set_cookie('mviewaccess:'.$viewid, $token);
}
if ($visible && $token != get_cookie('viewaccess:'.$viewid)) {
set_cookie('viewaccess:'.$viewid, $token);
}
return $viewid;
}
/**
......
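Review bot: The `caccess:` block added at the end of the token branch in `can_view_view()` returns true on a matching collection cookie without the `$publicviews` guard that the `viewaccess:` branch just above applies (`$a->token == $usertoken && $publicviews`), and the View-side filter changed in this same commit does apply `$publicviews` to `$ctoken`, so the two checks disagree. Unless the intent is that collection cookies also cover mnet tokens, the condition should read `if ($cid && $publicviews && isset($ctokens[$cid]) && $a->token == $ctokens[$cid]) {`. The same line compares a stored token with a raw cookie value using `==`, a loose comparison that treats numeric-looking strings numerically; `===` is the safer form for new code even though the older branches share the pattern. `can_view_view()` and `get_view_from_token()` both start and end outside their hunks.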
......@@ -67,6 +67,7 @@ class View {
private $visits;
private $allowcomments;
private $approvecomments;
private $collection;
/**
* Valid view layouts. These are read at install time and inserted into
......@@ -359,6 +360,9 @@ class View {
if ($field == 'categorydata') {
return $this->get_category_data();
}
if ($field == 'collection') {
return $this->get_collection();
}
return $this->{$field};
}
......@@ -382,6 +386,21 @@ class View {
return $this->tags;
}
public function get_collection() {
if (!isset($this->collection)) {
require_once(get_config('libroot') . 'collection.php');
$this->collection = Collection::find_by_view($this->id);
}
return $this->collection;
}
public function collection_id() {
if ($collection = $this->get_collection()) {
return $collection->get('id');
}
return false;
}
/**
* View destructor. Calls commit if necessary.
*
......@@ -2991,6 +3010,8 @@ class View {
$mnettoken = get_cookie('mviewaccess:'.$this->id);
$usertoken = get_cookie('viewaccess:'.$this->id);
$cid = $this->collection_id();
$ctoken = $cid ? get_cookie('caccess:'.$cid) : null;
foreach ($access as $a) {
if ($a->accesstype == 'public') {
......@@ -2998,7 +3019,8 @@ class View {
continue;
}
}
else if ($a->token && $a->token != $mnettoken && ($a->token != $usertoken || !$publicviews)) {
else if ($a->token && $a->token != $mnettoken
&& (!$publicviews || ($a->token != $usertoken && $a->token != $ctoken))) {
continue;
}
else if (!$user->is_logged_in()) {
......
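Review bot: The rewritten access-filter condition compares `$a->token` against the cookie-derived `$usertoken` and `$ctoken` with `!=`, a loose comparison in which numeric-looking strings are compared as numbers; for new code comparing a stored token against an untrusted cookie value I would write `&& (!$publicviews || ($a->token !== $usertoken && $a->token !== $ctoken))) {`, which behaves the same for the `null` `$ctoken` of a view in no collection. The new private `$collection` property caches a `Collection` object or `false` on the view; if `View::commit()` or any property iteration treats every declared property as a database column, it will need excluding there — I cannot confirm that from these hunks. All three hunks sit inside class `View`, whose definition starts and ends outside this section, and the name of the method holding the access filter is not visible.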
......@@ -1317,6 +1317,20 @@ function get_cookie($name) {
return (isset($_COOKIE[$name])) ? $_COOKIE[$name] : null;
}
function get_cookies($prefix) {
static $prefixes = array();
if (!isset($prefixes[$prefix])) {
$prefixes[$prefix] = array();
$cprefix = get_config('cookieprefix') . $prefix;
foreach ($_COOKIE as $k => $v) {
if (strpos($k, $cprefix) === 0) {
$prefixes[$prefix][substr($k, strlen($cprefix))] = $v;
}
}
}
return $prefixes[$prefix];
}
/**
* Sets a cookie, respecting the configured cookie prefix
*
......
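Review bot: `get_cookies()` is undocumented while the neighbouring cookie helpers carry docblocks; I would add `/** Return every request cookie whose name starts with the configured cookie prefix followed by $prefix, keyed by the rest of the name. Values are raw, unvalidated strings taken from $_COOKIE. */` above the signature. The `static $prefixes` cache snapshots `$_COOKIE` the first time a given prefix is asked for, so anything written into `$_COOKIE` later in the same request (for example by `set_cookie()`, if it mirrors values there) is invisible to subsequent calls; if that pattern is relied on, the cache should be dropped or invalidated when a cookie is set. The function is complete within the hunk.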
......@@ -47,17 +47,11 @@ if ($mnettoken) {
if (!$viewid = get_view_from_token($mnettoken, false)) {
throw new AccessDeniedException(get_string('accessdenied', 'error'));
}
if ($mnettoken != get_cookie('mviewaccess:'.$viewid)) {
set_cookie('mviewaccess:'.$viewid, $mnettoken);
}
}
else if ($usertoken) {
if (!$viewid = get_view_from_token($usertoken, true)) {
throw new AccessDeniedException(get_string('accessdenied', 'error'));
}
if ($usertoken != get_cookie('viewaccess:'.$viewid)) {
set_cookie('viewaccess:'.$viewid, $usertoken);
}
}
else {
$viewid = param_integer('id');
......@@ -65,7 +59,7 @@ else {
$new = param_boolean('new');
if (!can_view_view($viewid, null, $usertoken, $mnettoken)) {
if (!can_view_view($viewid)) {
throw new AccessDeniedException(get_string('accessdenied', 'error'));
}
......
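Review bot: Dropping the `$usertoken` and `$mnettoken` arguments means `can_view_view($viewid)` now learns the token only via `get_cookie()`, i.e. from `$_COOKIE`, while the cookie is written by `get_view_from_token()` a few lines earlier in the same request. PHP's `setcookie()` does not populate `$_COOKIE` until the next request, so unless Mahara's `set_cookie()` also stores the value into `$_COOKIE` (its body is not part of this commit), the first visit to a secret URL would be denied and only a reload would succeed. If `set_cookie()` does mirror into `$_COOKIE`, a comment above the call, e.g. `// The access cookie set by get_view_from_token() above is mirrored into $_COOKIE, so can_view_view() sees it on this request`, would save the next reader the same investigation. The enclosing if/else chain starts before the first hunk.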