<?php
// WebSVN - Subversion repository viewing via the web using PHP
// Copyright (C) 2004-2006 Tim Armes
//
// This program is free software; you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation; either version 2 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License
// along with this program; if not, write to the Free Software
// Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
//
// --
//
// authz.php
//
// Handle SVN access file
class Authorization {
var $accessCache = array();
var $accessFile = null;
var $user = null;
// {{{ __construct
function __construct() {
$this->setUsername();
}
// }}}
function hasUsername() {
return $this->user !== null;
}
function addAccessFile($accessFile) {
$this->accessFile = $accessFile;
}
// {{{ setUsername()
//
// Set the username from the current http session
function setUsername() {
if (isset($_SERVER['REMOTE_USER'])) {
$this->user = $_SERVER['REMOTE_USER'];
} else if (isset($_SERVER['REDIRECT_REMOTE_USER'])) {
$this->user = $_SERVER['REDIRECT_REMOTE_USER'];
} else if (isset($_SERVER['PHP_AUTH_USER'])) {
$this->user = $_SERVER['PHP_AUTH_USER'];
}
}
// }}}
// Private function to simplify creation of common SVN authz command string text.
function svnAuthzCommandString($repo, $path, $checkSubDirs = false) {
global $config;
$cmd = $config->getSvnAuthzCommand();
$repoAndPath = '--repository ' . quote($repo) . ' --path ' . quote($path);
$username = !$this->hasUsername() ? '' : '--username ' . quote($this->user);
$subDirs = !$checkSubDirs ? '' : '-R';
$authzFile = quote($this->accessFile);
$retVal = "{$cmd} {$repoAndPath} {$username} {$subDirs} {$authzFile}";
return $retVal;
}
// {{{ hasReadAccess
//
// Returns true if the user has read access to the given path
function hasReadAccess($repos, $path, $checkSubDirs = false) {
if ($this->accessFile == null)
return false;
if ($path == '' || $path[0] != '/') {
$path = '/'.$path;
}
$cmd = $this->svnAuthzCommandString($repos, $path, $checkSubDirs);
$result = 'no';
// Access checks might be issued multiple times for the same repos and paths within one and
// the same request, introducing a lot of overhead because of "svnauthz" especially with
// many repos under Windows. The easiest way to somewhat optimize it for different scenarios
// is using a cache.
//
// https://github.com/websvnphp/websvn/issues/78#issuecomment-489306169
$cache =& $this->accessCache;
$cached = isset($cache[$cmd]) ? $cache[$cmd] : null;
$cachedWhen = isset($cached) ? $cached['when'] : 0;
$cachedExpired = (time() - 60) > $cachedWhen;
if ($cachedExpired) {
// Sorting by "when" should be established somehow to only remove the oldest element
// instead of an arbitrary first one, which might be the newest added last time.
if (count($cache) >= 1000) {
array_shift($cache);
}
$result = runCommand($cmd)[0];
$cache[$cmd] = array('when' => time(),
'result' => $result);
} else {
$result = $cached['result'];
}
return $result != 'no';
}
// }}}
// {{{ hasUnrestrictedReadAccess
//
// Returns true if the user has read access to the given path and too
// all subdirectories
function hasUnrestrictedReadAccess($repos, $path) {
return $this->hasReadAccess($repos, $path, true);
}
// }}}
}