diff --git a/modules/websession/web/sessinit.inc.php.wml b/modules/websession/web/sessinit.inc.php.wml
index ad8118396..c1270fa74 100644
--- a/modules/websession/web/sessinit.inc.php.wml
+++ b/modules/websession/web/sessinit.inc.php.wml
@@ -1,330 +1,330 @@ ## $Id$ ## Purpose: initializes CDS session management ## ## Note: based on the "PHP4 MySQL Session Handler" code from Ying ## Zhang . His code was modified to ## suit our needs. ## ## Note: for good session management operation, you need to set up in ## the 'php.ini' file the variables `session.gc_maxlifetime' ## (e.g. 86400 to mean 1 day) and `session.cookie_lifetime' to ## zero (session holds until user closes his browser). In ## adddition, the garbage collector should be called explicitely ## via `admin/gc.shtml' if you choose `session.gc_probability' ## to be zero in the `php.ini' file. ## This file is part of the CERN Document Server Software (CDSware). ## Copyright (C) 2002 CERN. ## ## The CDSware is free software; you can redistribute it and/or ## modify it under the terms of the GNU General Public License as ## published by the Free Software Foundation; either version 2 of the ## License, or (at your option) any later version. ## ## The CDSware is distributed in the hope that it will be useful, but ## WITHOUT ANY WARRANTY; without even the implied warranty of ## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ## General Public License for more details. ## ## You should have received a copy of the GNU General Public License ## along with CDSware; if not, write to the Free Software Foundation, Inc., ## 59 Temple Place, Suite 330, Boston, MA 02111-1307, USA. ## read config variables: #include "config.wml" #include "configbis.wml" "; $DBUSER = ""; $DBPASS = ""; $DBNAME = ""; $WEBDIR = ""; $WEBURL = ""; $BINDIR = ""; $ADMINEMAIL = ""; $IMAGES = "/img"; ### okay, config read, from now on the script can continue ### $SESS_DBHOST = $DBHOST; /* database server hostname */ $SESS_DBNAME = $DBNAME; /* database name */ $SESS_DBUSER = $DBUSER; /* database user */ $SESS_DBPASS = $DBPASS; /* database password */ $SESS_DBH = ""; ## open_db_connection(): function open_db_connection() { ## Open persistent connection to the database. 
global $SESS_DBHOST, $SESS_DBNAME, $SESS_DBUSER, $SESS_DBPASS, $SESS_DBH; if (! $SESS_DBH = mysql_pconnect($SESS_DBHOST, $SESS_DBUSER, $SESS_DBPASS)) { echo "
  • Can't connect to $SESS_DBHOST as $SESS_DBUSER"; echo "
  • MySQL Error: ", mysql_error(); die; } if (! mysql_select_db($SESS_DBNAME, $SESS_DBH)) { echo "
  • Unable to select database $SESS_DBNAME"; die; } return true; } ## getUid($cookie_string): function getUid($cookie_string) { ## Read cookie string, look up the session table, and return userID. ## If this cookie is not found, then return 0. global $SESS_DBH; $uid = 0; $query = "SELECT uid FROM session WHERE session_key='$cookie_string'"; $res = mysql_perform_query($query, $SESS_DBH); if ($row = mysql_fetch_row($res)) { if ($row[0]) { $uid = $row[0]; } } mysql_free_result($res); return($uid); } ## getEmail(): function getEmail($uid) { ## Return user email out of his UID. global $SESS_DBH; $uid_email = "guest"; $query = "SELECT email FROM user WHERE id='$uid'"; $res = mysql_perform_query($query, $SESS_DBH); if ($row = mysql_fetch_row($res)) { if ($row[0]) { $uid_email = $row[0]; } } mysql_free_result($res); return($uid_email); } function acc_authorize_action($uid, $action) { ## Authorize where $uid can perform $action by calling external ## Python CLI API of WebAccess. ## Return 1 when allowed, 0 otherwise. global $BINDIR; $auth = exec($BINDIR."/authaction ". escapeshellarg($uid) . " " . 
escapeshellarg($action));
- return split(";",$auth);
+ return split(" , ",$auth); } function authenticate($email,$rule,$doctype="*",$action="*") { global $ADMINEMAIL; if (eregi($ADMINEMAIL,"$email")) return true; $res = mysql_query("select id from rules where name='superuser'"); $row = mysql_fetch_row($res); $id_superuser = $row[0]; $res = mysql_query("select id_user from user_rule where id_rule='${id_superuser}' and (param1='$doctype' or param1='*') and (param2 LIKE '$action' or param2='*')"); while ($row = mysql_fetch_row($res)) { $iduser = $row[0]; $emailuser = getEmail($iduser); if (eregi("$email","$emailuser")) return true; } $res = mysql_query("select id from rules where name='$rule'"); if (mysql_num_rows($res) == 0) return false; else { $row = mysql_fetch_row($res); $idrule = $row[0]; $res = mysql_query("select id_user from user_rule where id_rule='$idrule' and (param1 LIKE '$doctype' or param1='*') and (param2 LIKE '$action' or param2='*')"); while ($row = mysql_fetch_row($res)) { $iduser = $row[0]; $emailuser = getEmail($iduser); if (eregi("$email","$emailuser")) return true; } return false; } } function getRuleID($rule) { //////////////////////////// // get the id of the rule // //////////////////////////// $res = mysql_query(" SELECT id FROM rules WHERE name='$rule'"); if (mysql_num_rows($res) == 0) { // if it does not exist, attempt to create it $res = mysql_query(" INSERT INTO rules (name,description) VALUES ('$rule','')"); $idrule = mysql_insert_id(); } else { $row = mysql_fetch_row($res); $idrule = $row[0]; } return $idrule; } function mysql_perform_query($query, $link_identifier, $behaviour="die") { ## Function to call as an alternative to mysql_query. The function ## stops the execution if the query couldn't be executed and ## prints an error message (HTML formatted) (default behaviour). If ## behaviour is set to 'continue', then the function just goes on. 
if($behaviour == "continue") $result = mysql_query($query, $link_identifier); else { $result = mysql_query($query, $link_identifier) or die ("

    MySQL: could not execute your query
    $query" . "
    Contact the " . "CDS Support Team.
    " . "Error " . mysql_errno($link_identifier) . ": " . mysql_error($link_identifier) . ".

    "); } return $result; } ## displayLoginMenu() function displayLoginMenu($type) { global $WEBDIR,$WEBURL,$uid_email,$doctypes; print ''; print ''; if ($uid_email != "" && $uid_email != "guest") { print ''; if (authenticate($uid_email,'superuser')) { print ''; print ''; } if ($type == "search") { print ''; print ''; print ''; print ''; } if ($type == "submit") { $res = mysql_query(" SELECT * FROM sbmSUBMISSIONS WHERE email='$uid_email' and status='pending'"); $numpending = mysql_num_rows($res); $res = mysql_query(" SELECT * FROM sbmSUBMISSIONS WHERE email='$uid_email' and status='finished'"); $numfinished = mysql_num_rows($res); if ($doctypes != "account" || $numpending != 0 || $numfinished != 0) print ''; if ($doctypes != "account") print ''; if ($numpending != 0) print ''; if ($numfinished != 0) print ''; $res = mysql_query(" SELECT * FROM sbmDOCTYPE WHERE sdocname='$doctypes'"); if ($doctypes != "Main" && mysql_num_rows($res) != 0 && authenticate("$uid_email","canView","$doctypes")) print ''; // Simple approval process if (authenticate("$uid_email","referee","%","%")) print ''; } print ''; } else { if (isset($SuE)) $initialEmail = $SuE; else $initialEmail = "$uid_email"; print ''; } print '
     PERSONALIZE
    ' . '
       logged in as:' . '
        '.$uid_email.'' . '
       superuser: ' . '
        ' . '' . 'administrative area
        ' . '' . 'Your Alerts
        ' . '' . 'Your Baskets
        ' . '' . 'Your Searches
        ' . '' . 'Your Settings
       view: ' . '
        ' . 'your account' . '
        ' . 'your pending' . ' submissions
        ' . 'your completed' . ' submissions
        ' . '' . 'all completed submissions
        ' . 'the documents I referee
    ' . 'Email:'; print '
    '; print '
    Password:'; print '
    '; print '
    '; print ' (new user?)'; print '
    '; } ## okay, helper functions defined, set up user ID variables now... ## do not create new sessions from PHP; only analyze the cookie already set open_db_connection(); $uid = getUid($_COOKIE["CDSSESSION"]); $uid_email = getEmail($uid); ?>
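Review bot: The header comment of `acc_authorize_action()` still says `## Return 1 when allowed, 0 otherwise.`, but the function returns whatever `split(" , ",$auth)` yields — an array of the fields of the `authaction` output — so the comment should be rewritten, e.g. `## Return the fields of the authaction output, split on " , " (array).` The new delimiter is taken literally with its surrounding spaces (`split()` treats it as a regex, but it contains no metacharacters), so if the helper ever prints `a,b` without spaces the whole line comes back as a single element; confirm this against the authaction output format and consider `trim()`-ing the pieces if the spacing is not guaranteed. Elsewhere on the new side, `getUid()` interpolates the raw `$_COOKIE["CDSSESSION"]` value into its SQL string; pass it through `mysql_escape_string()` before building `$query` (the same applies to `$email`, `$rule`, `$doctype` and `$action` in `authenticate()`). `authenticate()` also uses `eregi("$email","$emailuser")` as an equality test, which is an unanchored case-insensitive pattern match rather than a comparison; `strcasecmp($email, $emailuser) == 0` expresses the intended check exactly.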