Page MenuHomec4science
Files F68473808

sessinit.inc.php.wml
No OneTemporary
Actions

File Metadata

Created
Thu, Jun 27, 13:44

sessinit.inc.php.wml
View Options

## $Id$
## Purpose: initializes CDS session management
##
## Note: based on the "PHP4 MySQL Session Handler" code from Ying
## Zhang <ying@zippydesign.com>. His code was modified to
## suit our needs.
##
## Note: for good session management operation, you need to set up in
## the 'php.ini' file the variables `session.gc_maxlifetime'
## (e.g. 86400 to mean 1 day) and `session.cookie_lifetime' to
## zero (session holds until user closes his browser). In
## adddition, the garbage collector should be called explicitely
## via `admin/gc.shtml' if you choose `session.gc_probability'
## to be zero in the `php.ini' file.
## This file is part of the CERN Document Server Software (CDSware).
## Copyright (C) 2002 CERN.
##
## The CDSware is free software; you can redistribute it and/or
## modify it under the terms of the GNU General Public License as
## published by the Free Software Foundation; either version 2 of the
## License, or (at your option) any later version.
##
## The CDSware is distributed in the hope that it will be useful, but
## WITHOUT ANY WARRANTY; without even the implied warranty of
## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
## General Public License for more details.
##
## You should have received a copy of the GNU General Public License
## along with CDSware; if not, write to the Free Software Foundation, Inc.,
## 59 Temple Place, Suite 330, Boston, MA 02111-1307, USA.
## read config variables:
#include "config.wml"
#include "configbis.wml"
<?
$DBHOST = "<DBHOST>";
$DBUSER = "<DBUSER>";
$DBPASS = "<DBPASS>";
$DBNAME = "<DBNAME>";
$WEBDIR = "<WEBDIR>";
$WEBURL = "<WEBURL>";
$BINDIR = "<BINDIR>";
$ADMINEMAIL = "<ADMINEMAIL>";
$IMAGES = "<WEBURL>/img";
### okay, config read, from now on the script can continue ###
<protect>
$SESS_DBHOST = $DBHOST; /* database server hostname */
$SESS_DBNAME = $DBNAME; /* database name */
$SESS_DBUSER = $DBUSER; /* database user */
$SESS_DBPASS = $DBPASS; /* database password */
$SESS_DBH = "";
## open_db_connection():
function open_db_connection() {
## Open persistent connection to the database.
global $SESS_DBHOST, $SESS_DBNAME, $SESS_DBUSER, $SESS_DBPASS, $SESS_DBH;
if (! $SESS_DBH = mysql_pconnect($SESS_DBHOST, $SESS_DBUSER, $SESS_DBPASS)) {
echo "<li>Can't connect to $SESS_DBHOST as $SESS_DBUSER";
echo "<li>MySQL Error: ", mysql_error();
die;
}
if (! mysql_select_db($SESS_DBNAME, $SESS_DBH)) {
echo "<li>Unable to select database $SESS_DBNAME";
die;
}
return true;
}
## getUid($cookie_string):
function getUid($cookie_string) {
## Read cookie string, look up the session table, and return userID.
## If this cookie is not found, then return 0.
global $SESS_DBH;
$uid = 0;
$query = "SELECT uid FROM session WHERE session_key='$cookie_string'";
$res = mysql_perform_query($query, $SESS_DBH);
if ($row = mysql_fetch_row($res)) {
if ($row[0]) {
$uid = $row[0];
}
}
mysql_free_result($res);
return($uid);
}
## getEmail():
function getEmail($uid) {
## Return user email out of his UID.
global $SESS_DBH;
$uid_email = "guest";
$query = "SELECT email FROM user WHERE id='$uid'";
$res = mysql_perform_query($query, $SESS_DBH);
if ($row = mysql_fetch_row($res)) {
if ($row[0]) {
$uid_email = $row[0];
}
}
mysql_free_result($res);
return($uid_email);
}
function acc_authorize_action($uid, $action) {
## Authorize where $uid can perform $action by calling external
## Python CLI API of WebAccess.
## Return 1 when allowed, 0 otherwise.
global $BINDIR;
$auth = exec($BINDIR."/authaction ". escapeshellarg($uid) . " " . escapeshellarg($action));
return split(" - ",$auth, 2);
}
function authenticate($email,$rule,$doctype="*",$action="*")
{
global $ADMINEMAIL;
if (eregi($ADMINEMAIL,"$email"))
return true;
$res = mysql_query("select id from rules where name='superuser'");
$row = mysql_fetch_row($res);
$id_superuser = $row[0];
$res = mysql_query("select id_user from user_rule where id_rule='${id_superuser}' and (param1='$doctype' or param1='*') and (param2 LIKE '$action' or param2='*')");
while ($row = mysql_fetch_row($res))
{
$iduser = $row[0];
$emailuser = getEmail($iduser);
if (eregi("$email","$emailuser"))
return true;
}
$res = mysql_query("select id from rules where name='$rule'");
if (mysql_num_rows($res) == 0)
return false;
else
{
$row = mysql_fetch_row($res);
$idrule = $row[0];
$res = mysql_query("select id_user from user_rule where id_rule='$idrule' and (param1 LIKE '$doctype' or param1='*') and (param2 LIKE '$action' or param2='*')");
while ($row = mysql_fetch_row($res))
{
$iduser = $row[0];
$emailuser = getEmail($iduser);
if (eregi("$email","$emailuser"))
return true;
}
return false;
}
}
function getRuleID($rule)
{
////////////////////////////
// get the id of the rule //
////////////////////////////
$res = mysql_query("
SELECT id
FROM rules
WHERE name='$rule'");
if (mysql_num_rows($res) == 0)
{
// if it does not exist, attempt to create it
$res = mysql_query("
INSERT
INTO rules (name,description)
VALUES ('$rule','')");
$idrule = mysql_insert_id();
}
else
{
$row = mysql_fetch_row($res);
$idrule = $row[0];
}
return $idrule;
}
function mysql_perform_query($query, $link_identifier, $behaviour="die") {
## Function to call as an alternative to mysql_query. The function
## stops the execution if the query couldn't be executed and
## prints an error message (HTML formatted) (default behaviour). If
## behaviour is set to 'continue', then the function just goes on.
if($behaviour == "continue")
$result = mysql_query($query, $link_identifier);
else {
$result = mysql_query($query, $link_identifier)
or die ("<p>MySQL: could not execute your query<br>$query" .
"<br>Contact the <a href=\"mailto:search.support@cds.cern.ch\">" .
"CDS Support Team</a>.<br>" .
"Error " . mysql_errno($link_identifier) .
": " . mysql_error($link_identifier) . ".</p>");
}
return $result;
}
## displayLoginMenu()
function displayLoginMenu($type) {
global $WEBDIR,$WEBURL,$uid_email,$doctypes;
print '<table width=100% cellpadding=0 cellspacing=0 border=0>';
print '<tr><td>&nbsp;<small><b>PERSONALIZE</b></small></td></tr>';
if ($uid_email != "" && $uid_email != "guest")
{
print '<tr><td>'
. '<form action="'.$WEBURL.'/personalize/youraccount.shtml?action='
. 'logout" method="post"><small>&nbsp;&nbsp;&nbsp;<strong>logged in as:</strong>'
. '<br><font color="green">&nbsp;&nbsp;&nbsp;&nbsp;'.$uid_email.'</font>'
. '</td></tr>';
if (authenticate($uid_email,'superuser'))
{
print '<tr><td><font size="-1">&nbsp;&nbsp;&nbsp;<strong>superuser:&nbsp;</strong>'
. '</font></td></tr>';
print '<tr><td><font size="-1">&nbsp;&nbsp;&nbsp;&nbsp;'
. '<A href="'.$WEBURL.'/admin">'
. 'administrative&nbsp;area</A></font></td></tr>';
}
if ($type == "search")
{
print '<tr><td><font size="-1">&nbsp;&nbsp;&nbsp;&nbsp;'
. '<A href="'.$WEBURL.'/personalize/youralerts.shtml">'
. 'Your&nbsp;Alerts</A></font></td></tr>';
print '<tr><td><font size="-1">&nbsp;&nbsp;&nbsp;&nbsp;'
. '<A href="'.$WEBURL.'/personalize/yourbaskets.shtml">'
. 'Your&nbsp;Baskets</A></font></td></tr>';
print '<tr><td><font size="-1">&nbsp;&nbsp;&nbsp;&nbsp;'
. '<A href="'.$WEBURL.'/personalize/yoursearches.shtml">'
. 'Your&nbsp;Searches</A></font></td></tr>';
print '<tr><td><font size="-1">&nbsp;&nbsp;&nbsp;&nbsp;'
. '<A href="'.$WEBURL.'/personalize/yoursettings.shtml">'
. 'Your&nbsp;Settings</A></font></td></tr>';
}
if ($type == "submit")
{
$res = mysql_query("
SELECT *
FROM sbmSUBMISSIONS
WHERE email='$uid_email' and
status='pending'");
$numpending = mysql_num_rows($res);
$res = mysql_query("
SELECT *
FROM sbmSUBMISSIONS
WHERE email='$uid_email' and
status='finished'");
$numfinished = mysql_num_rows($res);
if ($doctypes != "account" || $numpending != 0 || $numfinished != 0)
print '<tr><td><font size="-1">&nbsp;&nbsp;&nbsp;<strong>view:&nbsp;</strong>'
. '</font></td></tr>';
if ($doctypes != "account")
print '<tr><td><font size="-1">&nbsp;&nbsp;&nbsp;&nbsp;'
. '<A href="'.$WEBURL.'/personalize/youraccount.shtml">your&nbsp;account'
. '</A></font></td></tr>';
if ($numpending != 0)
print '<tr><td><font size="-1">&nbsp;&nbsp;&nbsp;&nbsp;'
. '<A href="'.$WEBURL.'/submit/mycds/pending.shtml">your&nbsp;pending'
. '&nbsp;submissions</A></font></td></tr>';
if ($numfinished != 0)
print '<tr><td><font size="-1">&nbsp;&nbsp;&nbsp;&nbsp;'
. '<A href="'.$WEBURL.'/submit/mycds/finished.shtml">your&nbsp;completed'
. '&nbsp;submissions</A></font></td></tr>';
$res = mysql_query("
SELECT *
FROM sbmDOCTYPE
WHERE sdocname='$doctypes'");
if ($doctypes != "Main"
&& mysql_num_rows($res) != 0
&& authenticate("$uid_email","canView","$doctypes"))
print '<tr><td><font size="-1">&nbsp;&nbsp;&nbsp;&nbsp;'
. '<A href="'.$WEBURL.'/submit/mycds/submitlist.shtml?doctype='.$doctypes.'">'
. 'all&nbsp;completed&nbsp;submissions</A></font></td></tr>';
// Simple approval process
if (authenticate("$uid_email","referee","%","%"))
print '<tr><td><font size="-1">&nbsp;&nbsp;&nbsp;&nbsp;'
. '<A href="'.$WEBURL.'/submit/mycds/simpleapproval.shtml?doctype='
. $doctypes.'">the documents I referee</A></font></td></tr>';
}
print '<tr><td><small><input type="submit" name="action" '
. 'value="logout"></small></form></td></tr>';
}
else
{
if (isset($SuE))
$initialEmail = $SuE;
else
$initialEmail = "$uid_email";
print '<tr><td><form action="'.$WEBURL
. '/personalize/youraccount.shtml?action=login" method="post"><small>'
. '<strong>Email:</strong>';
print '<br><input type="text" size="13" name="p_email" value="'
. $initialEmail.'">';
print '<br><strong>Password:</strong>';
print '<br><input type="password" size="13" name="p_pw" '
. 'value="">';
print '<br><input type="submit" name="action" value="login">';
print ' (<a href="'.$WEBURL.'/personalize/youraccount.shtml?'
. 'action=register">new user?</a>)';
print '</small></form></td></tr>';
}
print '</table>';
}
## okay, helper functions defined, set up user ID variables now...
## do not create new sessions from PHP; only analyze the cookie already set
open_db_connection();
$uid = getUid($_COOKIE["CDSSESSION"]);
$uid_email = getEmail($uid);
</protect>
?>

Event Timeline

c4science · Help