/WebSVN/include/auth.inc
1,242 → 1,242
<?php
# vim:et:ts=3:sts=3:sw=3:fdm=marker:
 
// WebSVN - Subversion repository viewing via the web using PHP
// Copyright © 2004-2006 Tim Armes, Matt Sicker
//
// This program is free software; you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation; either version 2 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License
// along with this program; if not, write to the Free Software
// Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
//
// --
//
// auth.inc
//
// Handle reading and interpretation of an SVN auth file
 
require_once("include/accessfile.inc");
 
define("UNDEFINED", 0);
define("ALLOW", 1);
define("DENY", 2);
 
class Authentication
{
var $rights;
var $user;
var $usersGroups = array();
// {{{ __construct
 
function Authentication($accessfile)
{
$this->rights = new IniFile();
$this->rights->readIniFile($accessfile);
$this->setUsername("");
$this->identifyGroups();
}
 
// }}}
// {{{ setUsername($username)
//
// Set the username if it is given, or
// get the user of the current http session
 
function setUsername($username)
{
if ($username == "") // Use the current user
{
$this->user = @$_SERVER["REMOTE_USER"];
}
else
{
$this->user = $username;
}
}
 
// }}}
 
// {{{ identifyGroups()
//
// Checks to see which groups the user belongs to
 
function identifyGroups()
{
$this->usersGroups[] = "*";
 
if (is_array($this->rights->getValues("groups")))
{
foreach ($this->rights->getValues("groups") as $group => $names)
{
if (in_array(strtolower($this->user), preg_split('/\s*,\s*/', $names)))
$this->usersGroups[] = "@" . $group;
}
}
}
 
// }}}
 
// {{{ inList
//
// Check if the user is in the given list and return their read status
// if they are (UNDEFINED, ALLOW or DENY)
function inList($accessors, $user)
{
$output = UNDEFINED;
foreach($accessors As $key => $rights)
{
$keymatch = false;
if (in_array($key, $this->usersGroups) || !strcmp($key, strtolower($user)))
$keymatch = true;
if ($keymatch)
{
if (strpos($rights, "r") !== false)
return ALLOW;
else
$output = DENY;
}
}
return $output;
}
 
// }}}
// {{{ hasReadAccess
//
// Returns true if the user has read access to the given path
function hasReadAccess($repos, $path, $checkSubFolders = false)
{
$access = UNDEFINED;
if ($path{0} != "/")
$path = "/$path";
// If were told to, we should check sub folders of the path to see if there's
// a read access below this level. This is used to display the folders needed
// to get to the folder to which read access is granted.
if ($checkSubFolders)
{
$sections = $this->rights->getSections();
foreach($sections As $section => $accessers)
{
$qualified = $repos.":".$path;
$len = strlen($qualified);
if ($len < strlen($section) && strncmp($section, $qualified, strlen($qualified)) == 0)
{
$access = $this->inList($accessers, $this->user);
}
 
if ($access != ALLOW)
{
$len = strlen($path);
if ($len < strlen($section) && strncmp($section, $path, strlen($path)) == 0)
{
$access = $this->inList($accessers, $this->user);
}
}
if ($access == ALLOW)
break;
}
}
// If we still don't have access, check each subpath of the path until we find an
// access level...
if ($access != ALLOW)
{
$access = UNDEFINED;
do
{
$accessers = $this->rights->getValues($repos.":".$path);
if (!empty($accessers))
$access = $this->inList($accessers, $this->user);
if ($access == UNDEFINED)
{
$accessers = $this->rights->getValues($path);
if (!empty($accessers))
$access = $this->inList($accessers, $this->user);
}
// If we've not got a match, remove the sub directory and start again
if ($access == UNDEFINED)
{
if ($path == "/") break;
$path = substr($path, 0, strrpos(substr($path, 0, -1), "/") + 1);
}
} while ($access == UNDEFINED && $path != "");
}
return $access == ALLOW;
}
 
// }}}
// {{{ hasUnrestrictedReadAccess
//
// Returns true if the user has read access to the given path and too
// all subfolders
function hasUnrestrictedReadAccess($repos, $path)
{
// First make sure that we have full read access at this level
if (!$this->hasReadAccess($repos, $path, false))
return false;
// Now check to see if there is a sub folder that's protected
$sections = $this->rights->getSections();
foreach($sections As $section => $accessers)
{
$qualified = $repos.":".$path;
$len = strlen($qualified);
$access = UNDEFINED;
if ($len < strlen($section) && strncmp($section, $qualified, strlen($qualified)) == 0)
{
$access = $this->inList($accessers, $this->user);
}
 
if ($access != DENY)
{
$len = strlen($path);
if ($len < strlen($section) && strncmp($section, $path, strlen($qualified)) == 0)
{
$access = $this->inList($accessers, $this->user);
}
}
if ($access == DENY)
return false;
}
return true;
}
 
// }}}
 
}
?>
<?php
# vim:et:ts=3:sts=3:sw=3:fdm=marker:
 
// WebSVN - Subversion repository viewing via the web using PHP
// Copyright © 2004-2006 Tim Armes, Matt Sicker
//
// This program is free software; you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation; either version 2 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License
// along with this program; if not, write to the Free Software
// Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
//
// --
//
// auth.inc
//
// Handle reading and interpretation of an SVN auth file
 
require_once("include/accessfile.inc");
 
define("UNDEFINED", 0);
define("ALLOW", 1);
define("DENY", 2);
 
class Authentication
{
var $rights;
var $user;
var $usersGroups = array();
// {{{ __construct
 
function Authentication($accessfile)
{
$this->rights = new IniFile();
$this->rights->readIniFile($accessfile);
$this->setUsername("");
$this->identifyGroups();
}
 
// }}}
// {{{ setUsername($username)
//
// Set the username if it is given, or
// get the user of the current http session
 
function setUsername($username)
{
if ($username == "") // Use the current user
{
$this->user = @$_SERVER["REMOTE_USER"];
}
else
{
$this->user = $username;
}
}
 
// }}}
 
// {{{ identifyGroups()
//
// Checks to see which groups the user belongs to
 
function identifyGroups()
{
$this->usersGroups[] = "*";
 
if (is_array($this->rights->getValues("groups")))
{
foreach ($this->rights->getValues("groups") as $group => $names)
{
if (in_array(strtolower($this->user), preg_split('/\s*,\s*/', $names)))
$this->usersGroups[] = "@" . $group;
}
}
}
 
// }}}
 
// {{{ inList
//
// Check if the user is in the given list and return their read status
// if they are (UNDEFINED, ALLOW or DENY)
function inList($accessors, $user)
{
$output = UNDEFINED;
foreach($accessors As $key => $rights)
{
$keymatch = false;
if (in_array($key, $this->usersGroups) || !strcmp($key, strtolower($user)))
$keymatch = true;
if ($keymatch)
{
if (strpos($rights, "r") !== false)
return ALLOW;
else
$output = DENY;
}
}
return $output;
}
 
// }}}
// {{{ hasReadAccess
//
// Returns true if the user has read access to the given path
function hasReadAccess($repos, $path, $checkSubFolders = false)
{
$access = UNDEFINED;
if ($path{0} != "/")
$path = "/$path";
// If were told to, we should check sub folders of the path to see if there's
// a read access below this level. This is used to display the folders needed
// to get to the folder to which read access is granted.
if ($checkSubFolders)
{
$sections = $this->rights->getSections();
foreach($sections As $section => $accessers)
{
$qualified = $repos.":".$path;
$len = strlen($qualified);
if ($len < strlen($section) && strncmp($section, $qualified, strlen($qualified)) == 0)
{
$access = $this->inList($accessers, $this->user);
}
 
if ($access != ALLOW)
{
$len = strlen($path);
if ($len < strlen($section) && strncmp($section, $path, strlen($path)) == 0)
{
$access = $this->inList($accessers, $this->user);
}
}
if ($access == ALLOW)
break;
}
}
// If we still don't have access, check each subpath of the path until we find an
// access level...
if ($access != ALLOW)
{
$access = UNDEFINED;
do
{
$accessers = $this->rights->getValues($repos.":".$path);
if (!empty($accessers))
$access = $this->inList($accessers, $this->user);
if ($access == UNDEFINED)
{
$accessers = $this->rights->getValues($path);
if (!empty($accessers))
$access = $this->inList($accessers, $this->user);
}
// If we've not got a match, remove the sub directory and start again
if ($access == UNDEFINED)
{
if ($path == "/") break;
$path = substr($path, 0, strrpos(substr($path, 0, -1), "/") + 1);
}
} while ($access == UNDEFINED && $path != "");
}
return $access == ALLOW;
}
 
// }}}
// {{{ hasUnrestrictedReadAccess
//
// Returns true if the user has read access to the given path and too
// all subfolders
function hasUnrestrictedReadAccess($repos, $path)
{
// First make sure that we have full read access at this level
if (!$this->hasReadAccess($repos, $path, false))
return false;
// Now check to see if there is a sub folder that's protected
$sections = $this->rights->getSections();
foreach($sections As $section => $accessers)
{
$qualified = $repos.":".$path;
$len = strlen($qualified);
$access = UNDEFINED;
if ($len < strlen($section) && strncmp($section, $qualified, strlen($qualified)) == 0)
{
$access = $this->inList($accessers, $this->user);
}
 
if ($access != DENY)
{
$len = strlen($path);
if ($len < strlen($section) && strncmp($section, $path, strlen($qualified)) == 0)
{
$access = $this->inList($accessers, $this->user);
}
}
if ($access == DENY)
return false;
}
return true;
}
 
// }}}
 
}
?>