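<?php
/* SVN FILE: $Id: security.php 4409 2007-02-02 13:20:59Z phpnut $ */
/**
 * Security component: enforces POST-only actions and a per-session form token.
 *
 * The component runs in startup(); every request that fails a check is handed
 * to blackHole(), and every request that passes (or that the black-hole
 * callback lets through) receives a freshly generated token for the next form.
 *
 * PHP versions 4 and 5
 *
 * CakePHP(tm) : Rapid Development Framework <http://www.cakephp.org/>
 * Copyright 2005-2007, Cake Software Foundation, Inc.
 * 1785 E. Sahara Avenue, Suite 490-204
 * Las Vegas, Nevada 89104
 *
 * Licensed under The MIT License
 * Redistributions of files must retain the above copyright notice.
 *
 * @filesource
 * @copyright Copyright 2005-2007, Cake Software Foundation, Inc.
 * @link http://www.cakefoundation.org/projects/info/cakephp CakePHP(tm) Project
 * @package cake
 * @subpackage cake.cake.libs.controller.components
 * @since CakePHP(tm) v 0.10.8.2156
 * @version $Revision: 4409 $
 * @modifiedby $LastChangedBy: phpnut $
 * @lastmodified $Date: 2007-02-02 07:20:59 -0600 (Fri, 02 Feb 2007) $
 * @license http://www.opensource.org/licenses/mit-license.php The MIT License
 */
/**
 * Request-validation component.
 *
 * Two checks are available, each enabled per action:
 *  - requirePost(): the listed actions must arrive as a POST request;
 *  - requireAuth(): the listed actions, when they carry form data, must
 *    present a `_Token[key]` that matches the unexpired token stored in the
 *    session, optionally restricted to the controllers/actions the token was
 *    issued for.
 *
 * Failures are routed through blackHole(). If $blackHoleCallback is unset the
 * request ends with a 404. If the callback returns a truthy value, startup()
 * carries on and issues a new token; otherwise startup() returns null.
 * Nothing in this component halts the controller action in that case, so a
 * callback that intends to stop the request must redirect or exit itself.
 *
 * @package cake
 * @subpackage cake.cake.libs.controller.components
 */
class SecurityComponent extends Object {
/**
 * Holds an instance of the core Security object
 *
 * @var object Security
 * @access public
 */
	var $Security = null;
/**
 * The controller method that will be called if this request is black-hole'd.
 * When null, black-holed requests are answered with a 404 and execution stops.
 *
 * @var string
 * @access public
 */
	var $blackHoleCallback = null;
/**
 * List of controller actions for which a POST request is required.
 * An empty list disables the POST check entirely.
 *
 * @var array
 * @access public
 * @see SecurityComponent::requirePost()
 */
	var $requirePost = array();
/**
 * List of actions that require a valid authentication key.
 * An empty list disables the token check entirely.
 *
 * @var array
 * @access public
 * @see SecurityComponent::requireAuth()
 */
	var $requireAuth = array();
/**
 * Controllers from which actions of the current controller are allowed to receive
 * requests. Stored into each issued token and enforced on the next request.
 *
 * @var array
 * @see SecurityComponent::requireAuth()
 */
	var $allowedControllers = array();
/**
 * Actions from which actions of the current controller are allowed to receive
 * requests. Stored into each issued token and enforced on the next request.
 *
 * @var array
 * @see SecurityComponent::requireAuth()
 */
	var $allowedActions = array();
/**
 * Other components used by the Security component
 *
 * @var array
 * @access public
 */
	var $components = array('RequestHandler', 'Session');
/**
 * Security class constructor
 */
	function __construct() {
		$this->Security = Security::getInstance();
	}
/**
 * Component startup. All security checking happens here.
 *
 * Order of work: the POST requirement, then the token requirement, then a new
 * token is generated and written both to $controller->params['_Token'] and to
 * the session under '_Token'. Each failed check calls blackHole() once; a
 * falsy return from blackHole() ends startup() without issuing a new token.
 *
 * @param object $controller
 * @return null
 * @access public
 */
	function startup(&$controller) {
		if (is_array($this->requirePost) && !empty($this->requirePost)) {
			if (in_array($controller->action, $this->requirePost, true) && !$this->RequestHandler->isPost()) {
				if (!$this->blackHole($controller)) {
					return null;
				}
			}
		}

		// The token check only applies to requests that actually carry form data.
		if (is_array($this->requireAuth) && !empty($this->requireAuth) && !empty($controller->params['form'])) {
			if (in_array($controller->action, $this->requireAuth, true) && !$this->_validToken($controller)) {
				if (!$this->blackHole($controller)) {
					return null;
				}
			}
		}

		$this->_issueToken($controller);
		return null;
	}
/**
 * Validates the submitted form token against the one held in the session.
 *
 * All failure modes (no submitted key, no session token, malformed session
 * token, expired token, key mismatch, controller/action not allowed) return
 * false; the caller decides how to black-hole. The submitted key is read only
 * after an isset() on the full path, so a request with a missing or
 * non-array `_Token` never triggers an undefined-index access.
 *
 * @param object $controller
 * @return boolean true when the request's token is acceptable
 * @access protected
 */
	function _validToken(&$controller) {
		if (!isset($controller->params['data']['_Token']['key']) || !$this->Session->check('_Token')) {
			return false;
		}
		$submitted = $controller->params['data']['_Token']['key'];
		$tData = $this->Session->read('_Token');

		if (!is_array($tData) || !isset($tData['key']) || !isset($tData['expires'])) {
			return false;
		}
		if (intval($tData['expires']) <= strtotime('now')) {
			return false;
		}
		// Fixed-time comparison: a plain !== would leak the position of the
		// first mismatching byte through timing.
		if (!$this->_constantTimeEquals($tData['key'], $submitted)) {
			return false;
		}
		if (!empty($tData['allowedControllers']) && !in_array($controller->params['controller'], $tData['allowedControllers'], true)) {
			return false;
		}
		if (!empty($tData['allowedActions']) && !in_array($controller->params['action'], $tData['allowedActions'], true)) {
			return false;
		}
		return true;
	}
/**
 * Compares two strings in time independent of where they first differ.
 *
 * Only string inputs of equal length can compare equal; any other type
 * (e.g. an array smuggled in as `_Token[key][]`) is rejected. The length
 * itself is not hidden. Written by hand because hash_equals() is not
 * available on the PHP versions this file targets.
 *
 * @param mixed $known the server-side value
 * @param mixed $user the user-supplied value
 * @return boolean
 * @access protected
 */
	function _constantTimeEquals($known, $user) {
		if (!is_string($known) || !is_string($user)) {
			return false;
		}
		$length = strlen($known);
		if ($length !== strlen($user)) {
			return false;
		}
		$diff = 0;
		for ($i = 0; $i < $length; $i++) {
			$diff |= ord($known[$i]) ^ ord($user[$i]);
		}
		return $diff === 0;
	}
/**
 * Generates the token for the next form post and stores it in the request
 * params and in the session.
 *
 * The token expires after Security::inactiveMins() minutes and carries the
 * component's allowedControllers/allowedActions so the next request can be
 * checked against them.
 *
 * @param object $controller
 * @return void
 * @access protected
 */
	function _issueToken(&$controller) {
		$authKey = Security::generateAuthKey();
		$expires = strtotime('+' . Security::inactiveMins() . ' minutes');
		$token = array(
			'key' => $authKey,
			'expires' => $expires,
			'allowedControllers' => $this->allowedControllers,
			'allowedActions' => $this->allowedActions
		);
		if (!isset($controller->params['data'])) {
			$controller->params['data'] = array();
		}
		$controller->params['_Token'] = $token;
		$this->Session->write('_Token', $token);
	}
/**
 * Black-hole an invalid request with a 404 error or custom callback.
 *
 * Fails closed: when $blackHoleCallback names a method the controller does
 * not have, the request is answered with a 404 instead of silently falling
 * through with null (which would leave nothing in this component to stop
 * the action from running).
 *
 * @param object $controller
 * @return mixed the callback's return value; a 404 response otherwise (never returns)
 * @access public
 */
	function blackHole(&$controller) {
		if (empty($this->blackHoleCallback) || !method_exists($controller, $this->blackHoleCallback)) {
			header('HTTP/1.0 404 Not Found');
			exit();
		}
		return $controller->{$this->blackHoleCallback}();
	}
/**
 * Sets the actions that require a POST request. Calling it with no
 * arguments clears the list, which disables the check.
 *
 * @access public
 * @return void
 */
	function requirePost() {
		$this->requirePost = func_get_args();
	}
/**
 * Sets the actions that require an authenticated request. Calling it with no
 * arguments clears the list, which disables the check.
 *
 * @access public
 * @return void
 */
	function requireAuth() {
		$this->requireAuth = func_get_args();
	}
}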