CHIEFSOFT\ameye
154 lines
4.7 KiB
PHP
154 lines
4.7 KiB
PHP
<?php
|
|
/**
|
|
* @file classes/security/authorization/DataObjectRequiredPolicy.php
|
|
*
|
|
* Copyright (c) 2014-2021 Simon Fraser University
|
|
* Copyright (c) 2000-2021 John Willinsky
|
|
* Distributed under the GNU GPL v3. For full terms see the file docs/COPYING.
|
|
*
|
|
* @class DataObjectRequiredPolicy
|
|
*
|
|
* @ingroup security_authorization
|
|
*
|
|
* @brief Abstract base class for policies that check for a data object from a parameter.
|
|
*/
|
|
|
|
namespace PKP\security\authorization;
|
|
|
|
use Exception;
|
|
use PKP\core\PKPRequest;
|
|
|
|
class DataObjectRequiredPolicy extends AuthorizationPolicy
|
|
{
|
|
/** @var PKPRequest */
|
|
public $_request;
|
|
|
|
/** @var array */
|
|
public $_args;
|
|
|
|
public ?string $_parameterName;
|
|
|
|
/** @var array */
|
|
public $_operations;
|
|
|
|
//
|
|
// Getters and Setters
|
|
//
|
|
/**
|
|
* Return the request.
|
|
*
|
|
* @return PKPRequest
|
|
*/
|
|
public function &getRequest()
|
|
{
|
|
return $this->_request;
|
|
}
|
|
|
|
/**
|
|
* Return the request arguments
|
|
*
|
|
* @return array
|
|
*/
|
|
public function &getArgs()
|
|
{
|
|
return $this->_args;
|
|
}
|
|
|
|
/**
|
|
* Constructor
|
|
*
|
|
* @param PKPRequest $request
|
|
* @param array $args request parameters
|
|
* @param ?string $parameterName the request parameter we expect
|
|
* @param string $message
|
|
* @param array $operations Optional list of operations for which this check takes effect. If specified, operations outside this set will not be checked against this policy.
|
|
*/
|
|
public function __construct($request, &$args, ?string $parameterName, $message = null, $operations = null)
|
|
{
|
|
parent::__construct($message);
|
|
$this->_request = $request;
|
|
assert(is_array($args));
|
|
$this->_args = & $args;
|
|
$this->_parameterName = $parameterName;
|
|
$this->_operations = $operations;
|
|
}
|
|
|
|
//
|
|
// Implement template methods from AuthorizationPolicy
|
|
//
|
|
/**
|
|
* @see AuthorizationPolicy::effect()
|
|
*/
|
|
public function effect()
|
|
{
|
|
// Check if the object is required for the requested Op. (No operations means check for all.)
|
|
if (is_array($this->_operations) && !in_array($this->_request->getRequestedOp(), $this->_operations)) {
|
|
return AuthorizationPolicy::AUTHORIZATION_PERMIT;
|
|
} else {
|
|
return $this->dataObjectEffect();
|
|
}
|
|
}
|
|
|
|
//
|
|
// Protected helper method
|
|
//
|
|
/**
|
|
* Test the data object's effect
|
|
*
|
|
* @return int AUTHORIZATION_DENY|AUTHORIZATION_ACCEPT
|
|
*/
|
|
public function dataObjectEffect()
|
|
{
|
|
// Deny by default. Must be implemented by subclass.
|
|
return AuthorizationPolicy::AUTHORIZATION_DENY;
|
|
}
|
|
|
|
/**
|
|
* Identifies a data object id in the request.
|
|
*
|
|
* @param bool $lookOnlyByParameterName True iff page router
|
|
* requests should only look for named parameters.
|
|
*
|
|
* @return int|false returns false if no valid submission id could be found.
|
|
*/
|
|
public function getDataObjectId($lookOnlyByParameterName = false)
|
|
{
|
|
// Identify the data object id.
|
|
$router = $this->_request->getRouter();
|
|
switch (true) {
|
|
case $router instanceof \PKP\core\PKPPageRouter:
|
|
if ($this->_parameterName !== null && ctype_digit((string) $this->_request->getUserVar($this->_parameterName))) {
|
|
// We may expect a object id in the user vars
|
|
return (int) $this->_request->getUserVar($this->_parameterName);
|
|
} elseif (!$lookOnlyByParameterName && isset($this->_args[0]) && ctype_digit((string) $this->_args[0])) {
|
|
// Or the object id can be expected as the first path in the argument list
|
|
return (int) $this->_args[0];
|
|
}
|
|
break;
|
|
|
|
case $router instanceof \PKP\core\PKPComponentRouter:
|
|
// We expect a named object id argument.
|
|
if ($this->_parameterName !== null && isset($this->_args[$this->_parameterName])
|
|
&& ctype_digit((string) $this->_args[$this->_parameterName])) {
|
|
return (int) $this->_args[$this->_parameterName];
|
|
}
|
|
break;
|
|
|
|
case $router instanceof \PKP\core\APIRouter:
|
|
if ($this->_parameterName !== null) {
|
|
$handler = $router->getHandler();
|
|
return $handler->getParameter($this->_parameterName);
|
|
}
|
|
break;
|
|
|
|
default: throw new Exception('DataObjectRequiredPolicy does not support routers of type ' . get_class($router) . '!');
|
|
}
|
|
|
|
return false;
|
|
}
|
|
}
|
|
|
|
if (!PKP_STRICT_MODE) {
|
|
class_alias('\PKP\security\authorization\DataObjectRequiredPolicy', '\DataObjectRequiredPolicy');
|
|
}
|