ILIAS  trunk Revision v11.0_alpha-1689-g66c127b4ae8
All Data Structures Namespaces Files Functions Variables Enumerations Enumerator Modules Pages
class.ilWebAccessChecker.php
Go to the documentation of this file.
1 <?php
2 
19 use ILIAS\HTTP\Cookies\CookieFactory;
20 use ILIAS\HTTP\Services;
21 
28 class ilWebAccessChecker
29 {
30  public const DISPOSITION = 'disposition';
31  public const STATUS_CODE = 'status_code';
32  public const REVALIDATE = 'revalidate';
33  public const CM_FILE_TOKEN = 1;
34  public const CM_FOLDER_TOKEN = 2;
35  public const CM_CHECKINGINSTANCE = 3;
36  public const CM_SECFOLDER = 4;
37 
38  protected ?ilWACPath $path_object = null;
39  protected bool $checked = false;
40  protected string $disposition = ilFileDelivery::DISP_INLINE;
41  protected string $override_mimetype = '';
42  protected bool $send_status_code = false;
43  protected bool $initialized = false;
44  protected bool $revalidate_folder_tokens = true;
45  protected static bool $use_seperate_logfile = false;
49  protected array $applied_checking_methods = [];
50 
54  public function __construct(private Services $http, private CookieFactory $cookieFactory)
55  {
56  }
57 
61  public function check(): bool
62  {
63  $path_object = new ilWACPath($this->http->request()->getRequestTarget());
64  $this->setPathObject($path_object);
65 
66  // Check if Path has been signed with a token
67  $ilWACSignedPath = new ilWACSignedPath($path_object, $this->http, $this->cookieFactory);
68  if ($ilWACSignedPath->isSignedPath()) {
69  $this->addAppliedCheckingMethod(self::CM_FILE_TOKEN);
70  if ($ilWACSignedPath->isSignedPathValid()) {
71  $this->setChecked(true);
72  $this->sendHeader('checked using token');
73 
74  return true;
75  }
76  }
77 
78  // Check if the whole secured folder has been signed
79  if ($ilWACSignedPath->isFolderSigned()) {
80  $this->addAppliedCheckingMethod(self::CM_FOLDER_TOKEN);
81  if ($ilWACSignedPath->isFolderTokenValid()) {
82  if ($this->isRevalidateFolderTokens()) {
83  $ilWACSignedPath->revalidatingFolderToken();
84  }
85  $this->setChecked(true);
86  $this->sendHeader('checked using secure folder');
87 
88  return true;
89  }
90  }
91 
92  // Fallback, have to initiate ILIAS
93  $this->initILIAS();
94 
95  // Check if Path is within accepted paths
96  if ($path_object->getModuleType() !== 'rs') {
97  $clean_path = $path_object->getCleanURLdecodedPath();
98  $path = realpath(__DIR__ . '/../../../../public/' . $clean_path);
99  $data_dir = realpath(CLIENT_WEB_DIR);
100  if (!str_starts_with($path, $data_dir)) {
101  return false;
102  }
103  if (dirname($path) === $data_dir && is_file($path)) {
104  return false;
105  }
106  }
107 
108  if (ilWACSecurePath::hasCheckingInstanceRegistered($path_object)) {
109  // Maybe the path has been registered, lets check
110  $checkingInstance = ilWACSecurePath::getCheckingInstance($path_object);
111  $this->addAppliedCheckingMethod(self::CM_CHECKINGINSTANCE);
112  $canBeDelivered = $checkingInstance->canBeDelivered($path_object);
113  if ($canBeDelivered) {
114  $this->sendHeader('checked using fallback');
115  if ($ilWACSignedPath->isFolderSigned() && $this->isRevalidateFolderTokens()) {
116  $ilWACSignedPath->revalidatingFolderToken();
117  }
118  }
119  $this->setChecked(true);
120  return $canBeDelivered;
121  }
122 
123  // none of the checking mechanisms could have been applied. no access
124  $this->setChecked(true);
125  $this->addAppliedCheckingMethod(self::CM_SECFOLDER);
126  return !$path_object->isInSecFolder();
127  }
128 
129  protected function sendHeader(string $message): void
130  {
131  $response = $this->http->response()->withHeader('X-ILIAS-WebAccessChecker', $message);
132  $this->http->saveResponse($response);
133  }
134 
135  public function initILIAS(): void
136  {
137  global $DIC;
138 
139  if ($this->isInitialized()) {
140  return;
141  }
142 
143  $GLOBALS['COOKIE_PATH'] = '/';
144 
145  $cookie = $this->cookieFactory->create('ilClientId', $this->getPathObject()->getClient())
146  ->withPath('/')
147  ->withExpires(0);
148 
149  $response = $this->http->cookieJar()
150  ->with($cookie)
151  ->renderIntoResponseHeader($this->http->response());
152 
153  $this->http->saveResponse($response);
154 
155  ilContext::init(ilContext::CONTEXT_WAC);
156  try {
157  ilInitialisation::initILIAS();
158  $this->checkUser();
159  $this->checkPublicSection();
160  } catch (Exception $e) {
161  if ($e instanceof ilWACException
162  && $e->getCode() !== ilWACException::ACCESS_DENIED_NO_LOGIN) {
163  throw $e;
164  }
165  if (($e instanceof Exception && $e->getMessage() === 'Authentication failed.')
166  || $e->getCode() === ilWACException::ACCESS_DENIED_NO_LOGIN) {
167  $this->initAnonymousSession();
168  $this->checkUser();
169  $this->checkPublicSection();
170  }
171  }
172  $this->setInitialized(true);
173 
174  // This workaround is needed because these issues:
175  // https://mantis.ilias.de/view.php?id=32284 and
176  // https://mantis.ilias.de/view.php?id=32063
177  if ($DIC->user()->getId() === 0) {
178  $DIC->user()->setId(ANONYMOUS_USER_ID);
179  }
180  }
181 
185  protected function checkPublicSection(): void
186  {
187  global $DIC;
188  $is_anonymous = ((int) $DIC->user()->getId() === (int) ANONYMOUS_USER_ID);
189  $is_null_user = ($DIC->user()->getId() === 0);
190  $pub_section_activated = (bool) $DIC['ilSetting']->get('pub_section');
191  $isset = isset($DIC['ilSetting']);
192  $instanceof = $DIC['ilSetting'] instanceof ilSetting;
193 
194  if (!$isset || !$instanceof) {
195  throw new ilWACException(ilWACException::ACCESS_DENIED_NO_PUB);
196  }
197 
198  if ($pub_section_activated && ($is_null_user || $is_anonymous)) {
199  // Request is initiated from an enabled public area
200  return;
201  }
202 
203  if ($is_anonymous || $is_null_user) {
204  throw new ilWACException(ilWACException::ACCESS_DENIED_NO_PUB);
205  }
206  }
207 
208  protected function checkUser(): void
209  {
210  global $DIC;
211 
212  $is_user = $DIC->user() instanceof ilObjUser;
213  $user_id_is_zero = ((int) $DIC->user()->getId() === 0);
214  if (!$is_user || $user_id_is_zero) {
215  throw new ilWACException(ilWACException::ACCESS_DENIED_NO_LOGIN);
216  }
217  }
218 
219  public function isChecked(): bool
220  {
221  return $this->checked;
222  }
223 
224  public function setChecked(bool $checked): void
225  {
226  $this->checked = $checked;
227  }
228 
229  public function getPathObject(): ?\ilWACPath
230  {
231  return $this->path_object;
232  }
233 
234  public function setPathObject(ilWACPath $path_object): void
235  {
236  $this->path_object = $path_object;
237  }
238 
239  public function getDisposition(): string
240  {
241  return $this->disposition;
242  }
243 
244  public function setDisposition(string $disposition): void
245  {
246  $this->disposition = $disposition;
247  }
248 
249  public function getOverrideMimetype(): string
250  {
251  return $this->override_mimetype;
252  }
253 
254  public function setOverrideMimetype(string $override_mimetype): void
255  {
256  $this->override_mimetype = $override_mimetype;
257  }
258 
259  public function isInitialized(): bool
260  {
261  return $this->initialized;
262  }
263 
264  public function setInitialized(bool $initialized): void
265  {
266  $this->initialized = $initialized;
267  }
268 
269  public function isSendStatusCode(): bool
270  {
271  return $this->send_status_code;
272  }
273 
274  public function setSendStatusCode(bool $send_status_code): void
275  {
276  $this->send_status_code = $send_status_code;
277  }
278 
279  public function isRevalidateFolderTokens(): bool
280  {
281  return $this->revalidate_folder_tokens;
282  }
283 
284  public function setRevalidateFolderTokens(bool $revalidate_folder_tokens): void
285  {
286  $this->revalidate_folder_tokens = $revalidate_folder_tokens;
287  }
288 
289  public static function isUseSeperateLogfile(): bool
290  {
291  return self::$use_seperate_logfile;
292  }
293 
294  public static function setUseSeperateLogfile(bool $use_seperate_logfile): void
295  {
296  self::$use_seperate_logfile = $use_seperate_logfile;
297  }
298 
302  public function getAppliedCheckingMethods(): array
303  {
304  return $this->applied_checking_methods;
305  }
306 
310  public function setAppliedCheckingMethods(array $applied_checking_methods): void
311  {
312  $this->applied_checking_methods = $applied_checking_methods;
313  }
314 
315  protected function addAppliedCheckingMethod(int $method): void
316  {
317  $this->applied_checking_methods[] = $method;
318  }
319 
320  protected function initAnonymousSession(): void
321  {
322  global $DIC;
323  session_destroy();
324  ilContext::init(ilContext::CONTEXT_WAC);
325  ilInitialisation::reInitUser();
329  $ilAuthSession = $DIC['ilAuthSession'];
330  $ilAuthSession->regenerateId();
331  $ilAuthSession->setUserId(ANONYMOUS_USER_ID);
332  $ilAuthSession->setAuthenticated(false, ANONYMOUS_USER_ID);
333  $DIC->user()->setId(ANONYMOUS_USER_ID);
334  }
335 }
ilWebAccessChecker\setPathObject
setPathObject(ilWACPath $path_object)
Definition: class.ilWebAccessChecker.php:234
ilContext\CONTEXT_WAC
const CONTEXT_WAC
Definition: class.ilContext.php:43
ANONYMOUS_USER_ID
const ANONYMOUS_USER_ID
Definition: constants.php:27
$data_dir
$data_dir
Definition: invalid_class_map.php:21
$response
$response
Definition: xapitoken.php:93
ilWebAccessChecker\setAppliedCheckingMethods
setAppliedCheckingMethods(array $applied_checking_methods)
Definition: class.ilWebAccessChecker.php:310
ilWebAccessChecker\setInitialized
setInitialized(bool $initialized)
Definition: class.ilWebAccessChecker.php:264
$http
$http
Definition: deliver.php:30
ilWACPath
This file is part of ILIAS, a powerful learning management system published by ILIAS open source e-Le...
Definition: class.ilWACPath.php:26
ilWebAccessChecker\setOverrideMimetype
setOverrideMimetype(string $override_mimetype)
Definition: class.ilWebAccessChecker.php:254
$path
$path
Definition: ltiservices.php:29
null
while($session_entry=$r->fetchRow(ilDBConstants::FETCHMODE_ASSOC)) return null
Definition: shib_logout.php:142
ilInitialisation\initILIAS
static initILIAS()
ilias initialisation
Definition: class.ilInitialisation.php:1145
ilWebAccessChecker\setSendStatusCode
setSendStatusCode(bool $send_status_code)
Definition: class.ilWebAccessChecker.php:274
ILIAS\FileDelivery\http
static http()
Fetches the global http state from ILIAS.
Definition: HttpServiceAware.php:55
$GLOBALS
$GLOBALS["DIC"]
Definition: wac.php:53
ilWebAccessChecker
Class ilWebAccessChecker.
Definition: class.ilWebAccessChecker.php:28
$DIC
global $DIC
Definition: shib_login.php:22
CLIENT_WEB_DIR
const CLIENT_WEB_DIR
Definition: constants.php:47
CookieFactory
This file is part of ILIAS, a powerful learning management system published by ILIAS open source e-Le...
ilWebAccessChecker\setRevalidateFolderTokens
setRevalidateFolderTokens(bool $revalidate_folder_tokens)
Definition: class.ilWebAccessChecker.php:284
ilWACSecurePath\hasCheckingInstanceRegistered
static hasCheckingInstanceRegistered(ilWACPath $ilWACPath)
Searches a checking instance for the given wac path.
Definition: class.ilWACSecurePath.php:78
ilContext\init
static init(string $a_type)
Init context by type.
Definition: class.ilContext.php:52
ilWebAccessChecker\setUseSeperateLogfile
static setUseSeperateLogfile(bool $use_seperate_logfile)
Definition: class.ilWebAccessChecker.php:294
ilWebAccessChecker\setDisposition
setDisposition(string $disposition)
Definition: class.ilWebAccessChecker.php:244
$message
$message
Definition: xapiexit.php:31
ilWACPath\getCleanURLdecodedPath
getCleanURLdecodedPath()
Returns a clean (everything behind ? is removed and rawurldecoded path.
Definition: class.ilWACPath.php:424
ilWebAccessChecker\__construct
__construct(private Services $http, private CookieFactory $cookieFactory)
ilWebAccessChecker constructor.
Definition: class.ilWebAccessChecker.php:54