tao-test/app/tao/actions/class.CommonModule.php

436 lines
15 KiB
PHP
Raw Normal View History

2022-08-29 20:14:13 +02:00
<?php
/**
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; under version 2
* of the License (non-upgradable).
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
*
* Copyright (c) 2002-2008 (original work) Public Research Centre Henri Tudor & University of Luxembourg (under the project TAO & TAO2);
* 2008-2010 (update and modification) Deutsche Institut für Internationale Pädagogische Forschung (under the project TAO-TRANSFER);
* 2009-2012 (update and modification) Public Research Centre Henri Tudor (under the project TAO-SUSTAIN & TAO-DEV);
* 2013-2019 (update and modification) Open Assessment Technologies SA;
*/
use oat\oatbox\user\User;
use oat\tao\model\http\LegacyController;
use oat\tao\helpers\LegacySessionUtils;
use oat\tao\model\action\CommonModuleInterface;
use oat\tao\model\mvc\RendererTrait;
use oat\tao\model\security\ActionProtector;
use oat\tao\helpers\Template;
use oat\tao\helpers\JavaScript;
use oat\oatbox\service\ServiceManager;
use oat\tao\model\accessControl\AclProxy;
use oat\oatbox\service\ServiceManagerAwareTrait;
use oat\oatbox\service\ServiceManagerAwareInterface;
use oat\tao\model\accessControl\ActionAccessControl;
use oat\tao\model\accessControl\Context as AclContext;
use oat\oatbox\service\exception\InvalidServiceManagerException;
use oat\oatbox\log\LoggerAwareTrait;
use function GuzzleHttp\Psr7\stream_for;
use oat\tao\model\security\xsrf\TokenService;
use Zend\ServiceManager\ServiceLocatorInterface;
/**
* Top level controller
* All children extensions module should extends the CommonModule to access the shared data
*
* @author CRP Henri Tudor - TAO Team - {@link http://www.tao.lu}
* @license GPLv2 http://www.opensource.org/licenses/gpl-2.0.php
* @package tao
*
*/
abstract class tao_actions_CommonModule extends LegacyController implements ServiceManagerAwareInterface, CommonModuleInterface
{
use ServiceManagerAwareTrait {
getServiceManager as protected getOriginalServiceManager;
getServiceLocator as protected getOriginalServiceLocator;
setServiceLocator as protected setOriginalServiceLocator;
}
use LoggerAwareTrait;
use RendererTrait {
setView as protected setRendererView;
}
use LegacySessionUtils;
/**
* The Modules access the models through the service instance
*
* @var tao_models_classes_Service
* @deprecated
*/
protected $service;
/**
* tao_actions_CommonModule constructor.
* @security("hide");
*/
public function __construct()
{
}
/**
* @inheritdoc
*/
public function initialize()
{
/** @var ActionProtector $actionProtector */
$actionProtector = $this->getServiceLocator()->get(ActionProtector::SERVICE_ID);
$actionProtector->setHeaders();
}
/**
* Whenever or not the current user has access to a specific action
* using functional and data access control
*
* @param string $controllerClass
* @param string $action
* @param array $parameters
* @return boolean
* @throws common_exception_Error
*/
protected function hasAccess($controllerClass, $action, $parameters = [])
{
$user = $this->getSession()->getUser();
return AclProxy::hasAccess($user, $controllerClass, $action, $parameters);
}
/**
* @deprecated Use $this->hasWriteAccessByContext()
*/
protected function hasWriteAccessToAction(string $action, ?User $user = null): bool
{
$context = new AclContext([
AclContext::PARAM_CONTROLLER => static::class,
AclContext::PARAM_ACTION => $action,
AclContext::PARAM_USER => $user,
]);
return $this->hasWriteAccessByContext($context);
}
protected function hasReadAccessByContext(AclContext $context): bool
{
return $this->getActionAccessControl()->contextHasReadAccess($context);
}
protected function hasWriteAccessByContext(AclContext $context): bool
{
return $this->getActionAccessControl()->contextHasWriteAccess($context);
}
protected function getUserRoles(): array
{
return $this->getSession()->getUser()->getRoles();
}
/**
*
* @see Module::setView()
* @param string $path
* view identifier
* @param string $extensionID
* use the views in the specified extension instead of the current extension
*/
public function setView($path, $extensionID = null)
{
$this->setRendererView(Template::getTemplate($path, $extensionID));
}
/**
* Retrieve the data from the url and make the base initialization
*
* @return void
* @throws common_ext_ExtensionException
*/
protected function defaultData()
{
$context = Context::getInstance();
$this->setData('extension', $context->getExtensionName());
$this->setData('module', $context->getModuleName());
$this->setData('action', $context->getActionName());
if ($this->hasRequestParameter('uri')) {
// inform the client of new classUri
$this->setData('uri', $this->getRequestParameter('uri'));
}
if ($this->hasRequestParameter('classUri')) {
// inform the client of new classUri
$this->setData('uri', $this->getRequestParameter('classUri'));
}
if ($this->getRequestParameter('message')) {
$this->setData('message', $this->getRequestParameter('message'));
}
if ($this->getRequestParameter('errorMessage')) {
$this->setData('errorMessage', $this->getRequestParameter('errorMessage'));
}
$this->setData('client_timeout', $this->getClientTimeout());
$this->setData('client_config_url', $this->getClientConfigUrl());
}
/**
* Function to return an user readable error
* Does not work with ajax Requests yet
*
* @param string $description error to show
* @param boolean $returnLink whenever or not to add a return link
* @param int $httpStatus
* @throws common_Exception
*/
protected function returnError($description, $returnLink = true, $httpStatus = null)
{
if ($this->isXmlHttpRequest()) {
$this->logWarning('Called ' . __FUNCTION__ . ' in an unsupported AJAX context');
throw new common_Exception($description);
}
$this->setData('message', $description);
$this->setData('returnLink', $returnLink);
if (parse_url($_SERVER['HTTP_REFERER'], PHP_URL_HOST) == parse_url(ROOT_URL, PHP_URL_HOST)) {
$this->setData('returnUrl', htmlentities($_SERVER['HTTP_REFERER'],ENT_QUOTES));
}else{
$this->setData('returnUrl', false);
}
if ($httpStatus !== null && file_exists(Template::getTemplate("error/error${httpStatus}.tpl"))) {
$this->setView("error/error${httpStatus}.tpl", 'tao');
} else {
$this->setView('error/user_error.tpl', 'tao');
}
}
/**
* Returns the absolute path to the specified template
*
* @param string $identifier
* @param string $extensionID
* @return string
* @throws common_exception_Error
* @throws common_ext_ExtensionException
*/
protected static function getTemplatePath($identifier, $extensionID = null)
{
if ($extensionID === true) {
$extensionID = 'tao';
common_Logger::d('Deprecated use of setView() using a boolean');
}
if ($extensionID === null) {
$extensionID = Context::getInstance()->getExtensionName();
}
$ext = common_ext_ExtensionsManager::singleton()->getExtensionById($extensionID);
return $ext->getConstant('DIR_VIEWS') . 'templates' . DIRECTORY_SEPARATOR . $identifier;
}
/**
* Helps you to add the URL of the client side config file
*
* @param array $extraParameters additional parameters to append to the URL
* @return string the URL
*/
protected function getClientConfigUrl($extraParameters = [])
{
return JavaScript::getClientConfigUrl($extraParameters);
}
/**
* Get the client timeout value from the config.
*
* @return int the timeout value in seconds
* @throws common_ext_ExtensionException
*/
protected function getClientTimeout()
{
$ext = $this->getServiceManager()->get(common_ext_ExtensionsManager::SERVICE_ID)->getExtensionById('tao');
$config = $ext->getConfig('js');
if ($config !== null && isset($config['timeout'])) {
return (int)$config['timeout'];
}
return 30;
}
/**
* Return json response.
*
* @param array|\JsonSerializable $data
* @param int $httpStatus
*
* @deprecated use \oat\tao\model\http\HttpJsonResponseTrait::setSuccessJsonResponse for standard response
* @deprecated use \oat\tao\model\http\HttpJsonResponseTrait::setErrorJsonResponse for standard response
*/
protected function returnJson($data, $httpStatus = 200)
{
header(HTTPToolkit::statusCodeHeader($httpStatus));
Context::getInstance()->getResponse()->setContentHeader('application/json');
$this->response = $this->getPsrResponse()->withBody(stream_for(json_encode($data)));
}
/**
* Returns a report
*
* @param common_report_Report $report
*/
protected function returnReport(common_report_Report $report)
{
$data = $report->getData();
$successes = $report->getSuccesses();
// if report has no data, try to get it from the sub report
while ($data === null && count($successes) > 0) {
$firstSubReport = current($successes);
$data = $firstSubReport->getData();
$successes = $firstSubReport->getSuccesses();
}
if ($data !== null && $data instanceof core_kernel_classes_Resource) {
$this->setData('selectNode', tao_helpers_Uri::encode($data->getUri()));
}
$this->setData('report', $report);
$this->setView('report.tpl', 'tao');
}
/**
* Get the current session
*
* @return common_session_Session
* @throws common_exception_Error
*/
protected function getSession()
{
return common_session_SessionManager::getSession();
}
/**
* Get the service Manager
*
* @deprecated Use $this->propagate or $this->registerService to access ServiceManager functionalities
* @deprecated To get the service dependencies manager, use $this->getServiceLocator
*
* @return ServiceManager
*/
protected function getServiceManager()
{
try {
$serviceManager = $this->getOriginalServiceManager();
} catch (InvalidServiceManagerException $e) {
$serviceManager = ServiceManager::getServiceManager();
}
return $serviceManager;
}
/**
* @return ServiceLocatorInterface
* @security("hide");
*/
public function getServiceLocator()
{
return $this->getOriginalServiceLocator();
}
/**
* @param ServiceLocatorInterface $serviceLocator
* @return mixed
* @security("hide");
*/
public function setServiceLocator(ServiceLocatorInterface $serviceLocator)
{
return $this->setOriginalServiceLocator($serviceLocator);
}
/**
* Validate a CSRF token, based on the CSRF header.
*
* @throws common_exception_Unauthorized
*/
protected function validateCsrf()
{
if (!$this->getPsrRequest()->hasHeader(TokenService::CSRF_TOKEN_HEADER)) {
$this->logCsrfFailure(sprintf('Missing %s header.', TokenService::CSRF_TOKEN_HEADER));
}
$csrfTokenHeader = $this->getPsrRequest()->getHeader(TokenService::CSRF_TOKEN_HEADER);
$csrfToken = current($csrfTokenHeader);
/** @var TokenService $tokenService */
$tokenService = $this->getServiceLocator()->get(TokenService::SERVICE_ID);
$newToken = null;
try {
if ($tokenService->validateToken($csrfToken)) {
$newToken = $tokenService->createToken()->getValue();
}
} catch (common_exception_Unauthorized $e) {
$this->logCsrfFailure($e->getMessage(), $csrfToken);
}
$this->response = $this->getPsrResponse()->withHeader(TokenService::CSRF_TOKEN_HEADER, $newToken);
}
/**
* Logs a CSRF validation error
*
* @param string $exceptionMessage
* @param null $token
* @throws common_exception_Unauthorized
*/
private function logCsrfFailure($exceptionMessage, $token = null)
{
try {
$userIdentifier = $this->getSession()->getUser()->getIdentifier();
} catch (common_exception_Error $e) {
$this->logError('Unable to retrieve session! ' . $e->getMessage());
throw new common_exception_Unauthorized($exceptionMessage);
}
$requestMethod = $this->getPsrRequest()->getMethod();
$requestUri = $this->getPsrRequest()->getUri();
$requestHeaders = $this->getHeaders();
$this->logWarning(
'[CSRF] - Failed to validate CSRF token. The following exception occurred: ' . $exceptionMessage
);
$this->logWarning(
"[CSRF] \n" .
"CSRF validation information: \n" .
'Provided token: ' . ($token ?: 'none') . " \n" .
'User identifier: ' . $userIdentifier . " \n" .
'Request: [' . $requestMethod . '] ' . $requestUri . " \n" .
"Request Headers : \n" .
urldecode(http_build_query($requestHeaders, '', "\n"))
);
throw new common_exception_Unauthorized($exceptionMessage);
}
/**
* Ensure the template is rendered as part of the response
* {@inheritDoc}
* @see \oat\tao\model\http\Controller::getPsrResponse()
*/
public function getPsrResponse()
{
$response = parent::getPsrResponse();
return $this->hasView()
? $response->withBody(stream_for($this->getRenderer()->render()))
: $response;
}
private function getActionAccessControl(): ActionAccessControl
{
return $this->getServiceLocator()->get(ActionAccessControl::SERVICE_ID);
}
}