Moved entitlement handling into the application.

Any user who can log in via SSO but doesn't have one of the required entitlements will only ever see a listing of their own loans.
2024-02-29 15:44:19 +01:00 · 2024-02-29 15:44:19 +01:00 · 45f80a0855
commit 45f80a0855
parent 22608f1aa7
5 changed files with 38 additions and 4 deletions
--- a/config.php.example
+++ b/config.php.example
@ -6,7 +6,15 @@ $db_user = 'dbname';
 $db_pass = 'dbpassword';
 $db_name = 'dbuser';

-# Application language
+# Authentication
+# Users must have one of these entitlements in order to be able to
+# access the site. Users without any of the required entitlements
+# get redirected to their own loan listing page.
+$required_entitlements = array(
+    'urn:mace:swami.se:gmai:some-entitlement',
+);
+
+# Site language
 $language = 'en';

 # Site name
--- a/include/PublicPage.php
+++ b/include/PublicPage.php
@ -14,6 +14,9 @@ class PublicPage extends Page {

        // The public page should not display a menu
        $this->menuitems = array();
+
+        // This page should not require any special entitlements
+        $this->authorized = true;
    }

    protected function render_body() {
--- a/include/Responder.php
+++ b/include/Responder.php
@ -4,11 +4,29 @@ abstract class Responder {
    protected $ldap = null;

    public function __construct() {
-        global $language;
+        global $language, $required_entitlements;
+
+        $this->authorized = false;
+        $entitlements = explode(';', $_SERVER['entitlement']);
+        foreach($entitlements as $entitlement) {
+            if(in_array($entitlement, $required_entitlements)) {
+                $this->authorized = true;
+            }
+        }
+
        $this->fragments = get_fragments("./html/$language/fragments.html");
        $this->ldap = new Ldap();
    }

+    public function respond() {
+        if(!$this->authorized) {
+            die("Unauthorized.");
+        }
+        return $this->render();
+    }
+
+    abstract public function render();
+
    final protected function escape_tags($tags) {
        foreach($tags as $key => $tag) {
            $tags[$key] = $this->escape_string(strtolower($tag));
--- a/include/functions.php
+++ b/include/functions.php
@ -84,6 +84,7 @@ function replace($assoc_arr, $subject) {
 function make_page($page) {
    switch($page) {
        default:
+            die("Invalid page.");
        case 'checkout':
            return new CheckoutPage();
        case 'return':
--- a/index.php
+++ b/index.php
@ -12,11 +12,15 @@ require('./include/functions.php');

 header('Content-Type: text/html; charset=UTF-8');

-$page = null;
+$page = 'checkout';
 if(isset($_GET['page'])) {
    $page = $_GET['page'];
 }

-make_page($page)->render();
+$page = make_page($page);
+if(!$page->authorized) {
+    $page = make_page('public');
+}
+$page->respond();

 ?>