]>
Commit | Line | Data |
---|---|---|
0ec4ac8a TC |
1 | package BSE::UI::AdminDispatch; |
2 | use strict; | |
3 | use base qw(BSE::UI::Dispatch); | |
4 | use BSE::CfgInfo qw(admin_base_url); | |
5 | use Carp qw(confess); | |
6 | ||
7 | # checks we're coming from HTTPS | |
8 | sub check_secure { | |
9 | my ($class, $req, $rresult) = @_; | |
10 | ||
11 | my $securl = admin_base_url($req->cfg); | |
12 | my ($protocol, $host) = $securl =~ m!^(\w+)://([-\w.]+)! | |
13 | or confess "Invalid [site].secureurl\n"; | |
14 | ||
15 | $host = lc $host; | |
16 | ||
17 | my $curr_host = lc $ENV{SERVER_NAME}; | |
c5f849c7 TC |
18 | my $forward_from = $req->cfg->entry('site', 'forward_from'); |
19 | if ($forward_from) { | |
20 | $forward_from =~ s/\./\\./g; | |
21 | $forward_from =~ s/\*/.*/g; | |
22 | if ($ENV{REMOTE_ADDR} =~ /^(?:$forward_from)$/ | |
23 | && $ENV{HTTP_X_FORWARDED_SERVER}) { | |
24 | $curr_host = $ENV{HTTP_X_FORWARDED_SERVER}; | |
25 | } | |
26 | } | |
0ec4ac8a TC |
27 | my $curr_https = exists $ENV{HTTPS} || exists $ENV{SSL_CIPHER}; |
28 | my $curr_proto = $curr_https ? 'https' : 'http'; | |
29 | ||
30 | return 1 if $curr_host eq $host && $curr_proto eq $protocol; | |
31 | ||
9dc9668f TC |
32 | return 1 unless $req->cfg->entry('site', 'securl_redirect', 1); |
33 | ||
7c877fd3 TC |
34 | if ($req->cgi->param('did_admin_url_dispatch')) { |
35 | $$rresult = $class->error($req, "Your admin URL '$securl' is probably misconfigured, we did a redirect to the admin URL and is still isn't correct - we appear to be on '$curr_proto://$curr_host'"); | |
36 | return; | |
37 | } | |
38 | ||
0ec4ac8a TC |
39 | print STDERR "User is coming to use via a non-secure URL\n"; |
40 | print STDERR "curr host >$curr_host< secure_host >$host<\n"; | |
41 | print STDERR "curr proto >$curr_proto< secure_proto >$protocol<\n"; | |
42 | ||
43 | # refresh back to the secure URL | |
44 | my $target = ($ENV{SCRIPT_NAME} =~ /(\w+)\.pl$/)[0] or die; | |
7c877fd3 TC |
45 | my $action = $class->action_prefix . $class->default_action; |
46 | my $url = $req->url($target => { $action => 1, did_admin_url_dispatch => 1 }); | |
0ec4ac8a TC |
47 | $$rresult = BSE::Template->get_refresh($url, $req->cfg); |
48 | ||
49 | return; | |
50 | } | |
51 | ||
52 | sub check_action { | |
53 | my ($class, $req, $action, $rresult) = @_; | |
54 | ||
55 | # this is admin, the user must be logged on | |
56 | unless ($req->check_admin_logon) { | |
57 | # time to logon | |
58 | # if this was a GET, try to refresh back to it after logon | |
ebc63b18 TC |
59 | if ($req->is_ajax || $req->cgi->param("_")) { |
60 | $$rresult = $req->json_content | |
61 | ( | |
62 | success => 0, | |
63 | error_code => "LOGON", | |
64 | message => "Access forbidden: user not logged on", | |
65 | errors => {}, | |
66 | ); | |
67 | } | |
68 | else { | |
69 | my %extras = | |
70 | ( | |
71 | 'm' => 'You must logon to use this function' | |
72 | ); | |
73 | if ($ENV{REQUEST_METHOD} eq 'GET') { | |
74 | my $rurl = admin_base_url($req->cfg) . $ENV{SCRIPT_NAME}; | |
75 | $rurl .= "?" . $ENV{QUERY_STRING} if $ENV{QUERY_STRING}; | |
76 | $rurl .= $rurl =~ /\?/ ? '&' : '?'; | |
77 | $rurl .= "refreshed=1"; | |
78 | $extras{r} = $rurl; | |
79 | } | |
80 | my $url = $req->url(logon => \%extras); | |
81 | $$rresult = $req->get_refresh($url); | |
0ec4ac8a | 82 | } |
0ec4ac8a TC |
83 | return; |
84 | } | |
85 | ||
86 | my $security = $class->rights; | |
87 | ||
88 | return 1 unless $security->{$action}; | |
89 | ||
90 | my $msg; | |
91 | my $rights = $security->{$action}; | |
92 | ref $rights or $rights = [ split /,/, $rights ]; | |
93 | for my $right (@$rights) { | |
94 | unless ($req->user_can($right, -1, \$msg)) { | |
ea88a18a TC |
95 | if ($req->is_ajax || $req->param("_")) { |
96 | $$rresult = $req->json_content | |
97 | ( | |
98 | success => 0, | |
99 | error_code => "ACCESS", | |
100 | message => "You do not have access to this function $msg", | |
101 | ); | |
102 | } | |
103 | else { | |
104 | my $url = $req->url(menu => | |
105 | { 'm' => 'You do not have access to this function '.$msg }); | |
106 | $$rresult = $req->get_refresh($url); | |
107 | } | |
0ec4ac8a TC |
108 | return; |
109 | } | |
110 | } | |
111 | ||
112 | return 1; | |
113 | } | |
114 | ||
20d6805f TC |
115 | sub error { |
116 | my ($class, $req, $errors, $template) = @_; | |
117 | ||
118 | $template ||= 'admin/error'; | |
119 | ||
120 | return $class->SUPER::error($req, $errors, $template); | |
121 | } | |
122 | ||
0ec4ac8a | 123 | 1; |