ILIAS  trunk Revision v12.0_alpha-377-g3641b37b9db
class.ilWebAccessChecker.php
Go to the documentation of this file.
1<?php
2
19use ILIAS\HTTP\Cookies\CookieFactory;
20use ILIAS\HTTP\Services;
21
28class ilWebAccessChecker
29{
30 public const DISPOSITION = 'disposition';
31 public const STATUS_CODE = 'status_code';
32 public const REVALIDATE = 'revalidate';
33 public const CM_FILE_TOKEN = 1;
34 public const CM_FOLDER_TOKEN = 2;
35 public const CM_CHECKINGINSTANCE = 3;
36 public const CM_SECFOLDER = 4;
37
38 protected ?ilWACPath $path_object = null;
39 protected bool $checked = false;
40 protected string $disposition = ilFileDelivery::DISP_INLINE;
41 protected string $override_mimetype = '';
42 protected bool $send_status_code = false;
43 protected bool $initialized = false;
44 protected bool $revalidate_folder_tokens = true;
45 protected static bool $use_seperate_logfile = false;
49 protected array $applied_checking_methods = [];
50
54 public function __construct(private Services $http, private CookieFactory $cookieFactory)
55 {
56 }
57
61 public function check(): bool
62 {
63 $path_object = new ilWACPath($this->http->request()->getRequestTarget());
64 $this->setPathObject($path_object);
65
66 // Check if Path has been signed with a token
67 $ilWACSignedPath = new ilWACSignedPath($path_object, $this->http, $this->cookieFactory);
68 if ($ilWACSignedPath->isSignedPath()) {
69 $this->addAppliedCheckingMethod(self::CM_FILE_TOKEN);
70 if ($ilWACSignedPath->isSignedPathValid()) {
71 $this->setChecked(true);
72 $this->sendHeader('checked using token');
73
74 return true;
75 }
76 }
77
78 // Check if the whole secured folder has been signed
79 if ($ilWACSignedPath->isFolderSigned()) {
80 $this->addAppliedCheckingMethod(self::CM_FOLDER_TOKEN);
81 if ($ilWACSignedPath->isFolderTokenValid()) {
82 if ($this->isRevalidateFolderTokens()) {
83 $ilWACSignedPath->revalidatingFolderToken();
84 }
85 $this->setChecked(true);
86 $this->sendHeader('checked using secure folder');
87
88 return true;
89 }
90 }
91
92 // Fallback, have to initiate ILIAS
93 $this->initILIAS();
94
95 // Check if Path is within accepted paths
96 if ($path_object->getModuleType() !== 'rs') {
97 $clean_path = $path_object->getCleanURLdecodedPath();
98 $path = realpath(__DIR__ . '/../../../../public/' . $clean_path);
99 $data_dir = realpath(CLIENT_WEB_DIR);
100 if (!str_starts_with($path, $data_dir)) {
101 return false;
102 }
103 if (dirname($path) === $data_dir && is_file($path)) {
104 return false;
105 }
106 }
107
108 if (ilWACSecurePath::hasCheckingInstanceRegistered($path_object)) {
109 // Maybe the path has been registered, lets check
110 $checkingInstance = ilWACSecurePath::getCheckingInstance($path_object);
111 $this->addAppliedCheckingMethod(self::CM_CHECKINGINSTANCE);
112 $canBeDelivered = $checkingInstance->canBeDelivered($path_object);
113 if ($canBeDelivered) {
114 $this->sendHeader('checked using fallback');
115 if ($ilWACSignedPath->isFolderSigned() && $this->isRevalidateFolderTokens()) {
116 $ilWACSignedPath->revalidatingFolderToken();
117 }
118 }
119 $this->setChecked(true);
120 return $canBeDelivered;
121 }
122
123 // none of the checking mechanisms could have been applied. no access
124 $this->setChecked(true);
125 $this->addAppliedCheckingMethod(self::CM_SECFOLDER);
126 return !$path_object->isInSecFolder();
127 }
128
129 protected function sendHeader(string $message): void
130 {
131 $response = $this->http->response()->withHeader('X-ILIAS-WebAccessChecker', $message);
132 $this->http->saveResponse($response);
133 }
134
135 public function initILIAS(): void
136 {
137 global $DIC;
138
139 if ($this->isInitialized()) {
140 return;
141 }
142
143 $GLOBALS['COOKIE_PATH'] = '/';
144
145 $cookie = $this->cookieFactory->create('ilClientId', $this->getPathObject()->getClient())
146 ->withPath('/')
147 ->withExpires(0);
148
149 $response = $this->http->cookieJar()
150 ->with($cookie)
151 ->renderIntoResponseHeader($this->http->response());
152
153 $this->http->saveResponse($response);
154
155 ilContext::init(ilContext::CONTEXT_WAC);
156 try {
157 require_once(__DIR__ . "/../../../../artifacts/bootstrap_default.php");
158 entry_point("ILIAS Legacy Initialisation Adapter");
159
160 $this->checkUser();
161 $this->checkPublicSection();
162 } catch (Exception $e) {
163 if ($e instanceof ilWACException
164 && $e->getCode() !== ilWACException::ACCESS_DENIED_NO_LOGIN) {
165 throw $e;
166 }
167 if (($e instanceof Exception && $e->getMessage() === 'Authentication failed.')
168 || $e->getCode() === ilWACException::ACCESS_DENIED_NO_LOGIN) {
169 $this->initAnonymousSession();
170 $this->checkUser();
171 $this->checkPublicSection();
172 }
173 }
174 $this->setInitialized(true);
175
176 // This workaround is needed because these issues:
177 // https://mantis.ilias.de/view.php?id=32284 and
178 // https://mantis.ilias.de/view.php?id=32063
179 if ($DIC->user()->getId() === 0) {
180 $DIC->user()->setId(ANONYMOUS_USER_ID);
181 }
182 }
183
187 protected function checkPublicSection(): void
188 {
189 global $DIC;
190 $is_anonymous = ((int) $DIC->user()->getId() === (int) ANONYMOUS_USER_ID);
191 $is_null_user = ($DIC->user()->getId() === 0);
192 $pub_section_activated = (bool) $DIC['ilSetting']->get('pub_section');
193 $isset = isset($DIC['ilSetting']);
194 $instanceof = $DIC['ilSetting'] instanceof ilSetting;
195
196 if (!$isset || !$instanceof) {
197 throw new ilWACException(ilWACException::ACCESS_DENIED_NO_PUB);
198 }
199
200 if ($pub_section_activated && ($is_null_user || $is_anonymous)) {
201 // Request is initiated from an enabled public area
202 return;
203 }
204
205 if ($is_anonymous || $is_null_user) {
206 throw new ilWACException(ilWACException::ACCESS_DENIED_NO_PUB);
207 }
208 }
209
210 protected function checkUser(): void
211 {
212 global $DIC;
213
214 $is_user = $DIC->user() instanceof ilObjUser;
215 $user_id_is_zero = ((int) $DIC->user()->getId() === 0);
216 if (!$is_user || $user_id_is_zero) {
217 throw new ilWACException(ilWACException::ACCESS_DENIED_NO_LOGIN);
218 }
219 }
220
221 public function isChecked(): bool
222 {
223 return $this->checked;
224 }
225
226 public function setChecked(bool $checked): void
227 {
228 $this->checked = $checked;
229 }
230
231 public function getPathObject(): ?\ilWACPath
232 {
233 return $this->path_object;
234 }
235
236 public function setPathObject(ilWACPath $path_object): void
237 {
238 $this->path_object = $path_object;
239 }
240
241 public function getDisposition(): string
242 {
243 return $this->disposition;
244 }
245
246 public function setDisposition(string $disposition): void
247 {
248 $this->disposition = $disposition;
249 }
250
251 public function getOverrideMimetype(): string
252 {
253 return $this->override_mimetype;
254 }
255
256 public function setOverrideMimetype(string $override_mimetype): void
257 {
258 $this->override_mimetype = $override_mimetype;
259 }
260
261 public function isInitialized(): bool
262 {
263 return $this->initialized;
264 }
265
266 public function setInitialized(bool $initialized): void
267 {
268 $this->initialized = $initialized;
269 }
270
271 public function isSendStatusCode(): bool
272 {
273 return $this->send_status_code;
274 }
275
276 public function setSendStatusCode(bool $send_status_code): void
277 {
278 $this->send_status_code = $send_status_code;
279 }
280
281 public function isRevalidateFolderTokens(): bool
282 {
283 return $this->revalidate_folder_tokens;
284 }
285
286 public function setRevalidateFolderTokens(bool $revalidate_folder_tokens): void
287 {
288 $this->revalidate_folder_tokens = $revalidate_folder_tokens;
289 }
290
291 public static function isUseSeperateLogfile(): bool
292 {
293 return self::$use_seperate_logfile;
294 }
295
296 public static function setUseSeperateLogfile(bool $use_seperate_logfile): void
297 {
298 self::$use_seperate_logfile = $use_seperate_logfile;
299 }
300
304 public function getAppliedCheckingMethods(): array
305 {
306 return $this->applied_checking_methods;
307 }
308
312 public function setAppliedCheckingMethods(array $applied_checking_methods): void
313 {
314 $this->applied_checking_methods = $applied_checking_methods;
315 }
316
317 protected function addAppliedCheckingMethod(int $method): void
318 {
319 $this->applied_checking_methods[] = $method;
320 }
321
322 protected function initAnonymousSession(): void
323 {
324 global $DIC;
325 session_destroy();
326 ilContext::init(ilContext::CONTEXT_WAC);
327 ilInitialisation::reInitUser();
331 $ilAuthSession = $DIC['ilAuthSession'];
332 $ilAuthSession->regenerateId();
333 $ilAuthSession->setUserId(ANONYMOUS_USER_ID);
334 $ilAuthSession->setAuthenticated(false, ANONYMOUS_USER_ID);
335 $DIC->user()->setId(ANONYMOUS_USER_ID);
336 }
337}
ILIAS\HTTP\Services
Class Services.
Definition: Services.php:38
ilContext\init
static init(string $a_type)
Init context by type.
Definition: class.ilContext.php:52
ilContext\CONTEXT_WAC
const CONTEXT_WAC
Definition: class.ilContext.php:43
ilObjUser
User class.
Definition: class.ilObjUser.php:48
ilSetting
ILIAS Setting Class.
Definition: class.ilSetting.php:27
ilWACException
This file is part of ILIAS, a powerful learning management system published by ILIAS open source e-Le...
Definition: class.ilWACException.php:26
ilWACPath
This file is part of ILIAS, a powerful learning management system published by ILIAS open source e-Le...
Definition: class.ilWACPath.php:27
ilWACPath\getCleanURLdecodedPath
getCleanURLdecodedPath()
Returns a clean (everything behind ? is removed and rawurldecoded path.
Definition: class.ilWACPath.php:424
ilWACSecurePath\hasCheckingInstanceRegistered
static hasCheckingInstanceRegistered(ilWACPath $ilWACPath)
Searches a checking instance for the given wac path.
Definition: class.ilWACSecurePath.php:79
ilWACSignedPath
Class ilWACSignedPath.
Definition: class.ilWACSignedPath.php:32
ilWebAccessChecker
Class ilWebAccessChecker.
Definition: class.ilWebAccessChecker.php:29
ilWebAccessChecker\setInitialized
setInitialized(bool $initialized)
Definition: class.ilWebAccessChecker.php:266
ilWebAccessChecker\__construct
__construct(private Services $http, private CookieFactory $cookieFactory)
ilWebAccessChecker constructor.
Definition: class.ilWebAccessChecker.php:54
ilWebAccessChecker\setOverrideMimetype
setOverrideMimetype(string $override_mimetype)
Definition: class.ilWebAccessChecker.php:256
ilWebAccessChecker\setSendStatusCode
setSendStatusCode(bool $send_status_code)
Definition: class.ilWebAccessChecker.php:276
ilWebAccessChecker\setAppliedCheckingMethods
setAppliedCheckingMethods(array $applied_checking_methods)
Definition: class.ilWebAccessChecker.php:312
ilWebAccessChecker\setRevalidateFolderTokens
setRevalidateFolderTokens(bool $revalidate_folder_tokens)
Definition: class.ilWebAccessChecker.php:286
ilWebAccessChecker\setPathObject
setPathObject(ilWACPath $path_object)
Definition: class.ilWebAccessChecker.php:236
ilWebAccessChecker\setDisposition
setDisposition(string $disposition)
Definition: class.ilWebAccessChecker.php:246
ilWebAccessChecker\setUseSeperateLogfile
static setUseSeperateLogfile(bool $use_seperate_logfile)
Definition: class.ilWebAccessChecker.php:296
CLIENT_WEB_DIR
const CLIENT_WEB_DIR
Definition: constants.php:47
ANONYMOUS_USER_ID
const ANONYMOUS_USER_ID
Definition: constants.php:27
$http
$http
Definition: deliver.php:30
$data_dir
$data_dir
Definition: invalid_class_map.php:21
$path
$path
Definition: ltiservices.php:30
ILIAS\FileDelivery\http
static http()
Fetches the global http state from ILIAS.
Definition: HttpServiceAware.php:55
entry_point
entry_point(string $name)
This file is part of ILIAS, a powerful learning management system published by ILIAS open source e-Le...
Definition: result1.php:21
$DIC
global $DIC
Definition: shib_login.php:26
$GLOBALS
$GLOBALS["DIC"]
Definition: wac.php:54
$response
$response
Definition: xapitoken.php:90