first commit

lib/pkp/classes/security/authorization/DataObjectRequiredPolicy.php

@@ -0,0 +1,153 @@
+<?php
+/**
+ * @file classes/security/authorization/DataObjectRequiredPolicy.php
+ *
+ * Copyright (c) 2014-2021 Simon Fraser University
+ * Copyright (c) 2000-2021 John Willinsky
+ * Distributed under the GNU GPL v3. For full terms see the file docs/COPYING.
+ *
+ * @class DataObjectRequiredPolicy
+ *
+ * @ingroup security_authorization
+ *
+ * @brief Abstract base class for policies that check for a data object from a parameter.
+ */
+
+namespace PKP\security\authorization;
+
+use Exception;
+use PKP\core\PKPRequest;
+
+class DataObjectRequiredPolicy extends AuthorizationPolicy
+{
+    /** @var PKPRequest */
+    public $_request;
+
+    /** @var array */
+    public $_args;
+
+    public ?string $_parameterName;
+
+    /** @var array */
+    public $_operations;
+
+    //
+    // Getters and Setters
+    //
+    /**
+     * Return the request.
+     *
+     * @return PKPRequest
+     */
+    public function &getRequest()
+    {
+        return $this->_request;
+    }
+
+    /**
+     * Return the request arguments
+     *
+     * @return array
+     */
+    public function &getArgs()
+    {
+        return $this->_args;
+    }
+
+    /**
+     * Constructor
+     *
+     * @param PKPRequest $request
+     * @param array $args request parameters
+     * @param ?string $parameterName the request parameter we expect
+     * @param string $message
+     * @param array $operations Optional list of operations for which this check takes effect. If specified, operations outside this set will not be checked against this policy.
+     */
+    public function __construct($request, &$args, ?string $parameterName, $message = null, $operations = null)
+    {
+        parent::__construct($message);
+        $this->_request = $request;
+        assert(is_array($args));
+        $this->_args = & $args;
+        $this->_parameterName = $parameterName;
+        $this->_operations = $operations;
+    }
+
+    //
+    // Implement template methods from AuthorizationPolicy
+    //
+    /**
+     * @see AuthorizationPolicy::effect()
+     */
+    public function effect()
+    {
+        // Check if the object is required for the requested Op. (No operations means check for all.)
+        if (is_array($this->_operations) && !in_array($this->_request->getRequestedOp(), $this->_operations)) {
+            return AuthorizationPolicy::AUTHORIZATION_PERMIT;
+        } else {
+            return $this->dataObjectEffect();
+        }
+    }
+
+    //
+    // Protected helper method
+    //
+    /**
+     * Test the data object's effect
+     *
+     * @return int AUTHORIZATION_DENY|AUTHORIZATION_ACCEPT
+     */
+    public function dataObjectEffect()
+    {
+        // Deny by default. Must be implemented by subclass.
+        return AuthorizationPolicy::AUTHORIZATION_DENY;
+    }
+
+    /**
+     * Identifies a data object id in the request.
+     *
+     * @param bool $lookOnlyByParameterName True iff page router
+     *  requests should only look for named parameters.
+     *
+     * @return int|false returns false if no valid submission id could be found.
+     */
+    public function getDataObjectId($lookOnlyByParameterName = false)
+    {
+        // Identify the data object id.
+        $router = $this->_request->getRouter();
+        switch (true) {
+            case $router instanceof \PKP\core\PKPPageRouter:
+                if ($this->_parameterName !== null && ctype_digit((string) $this->_request->getUserVar($this->_parameterName))) {
+                    // We may expect a object id in the user vars
+                    return (int) $this->_request->getUserVar($this->_parameterName);
+                } elseif (!$lookOnlyByParameterName && isset($this->_args[0]) && ctype_digit((string) $this->_args[0])) {
+                    // Or the object id can be expected as the first path in the argument list
+                    return (int) $this->_args[0];
+                }
+                break;
+
+            case $router instanceof \PKP\core\PKPComponentRouter:
+                // We expect a named object id argument.
+                if ($this->_parameterName !== null && isset($this->_args[$this->_parameterName])
+                        && ctype_digit((string) $this->_args[$this->_parameterName])) {
+                    return (int) $this->_args[$this->_parameterName];
+                }
+                break;
+
+            case $router instanceof \PKP\core\APIRouter:
+                if ($this->_parameterName !== null) {
+                    $handler = $router->getHandler();
+                    return $handler->getParameter($this->_parameterName);
+                }
+                break;
+
+            default: throw new Exception('DataObjectRequiredPolicy does not support routers of type ' . get_class($router) . '!');
+        }
+
+        return false;
+    }
+}
+
+if (!PKP_STRICT_MODE) {
+    class_alias('\PKP\security\authorization\DataObjectRequiredPolicy', '\DataObjectRequiredPolicy');
+}