From 45f80a0855c8eb4ce38804da20d8622463c9fd85 Mon Sep 17 00:00:00 2001
From: Erik Thuning <boooink@gmail.com>
Date: Thu, 29 Feb 2024 15:44:19 +0100
Subject: [PATCH] Moved entitlement handling into the application. Any user who
 can log in via SSO but doesn't have one of the required entitlements will
 only ever see a listing of their own loans.

---
 config.php.example     | 10 +++++++++-
 include/PublicPage.php |  3 +++
 include/Responder.php  | 20 +++++++++++++++++++-
 include/functions.php  |  1 +
 index.php              |  8 ++++++--
 5 files changed, 38 insertions(+), 4 deletions(-)

diff --git a/config.php.example b/config.php.example
index 9f5aa15..02408e6 100644
--- a/config.php.example
+++ b/config.php.example
@@ -6,7 +6,15 @@ $db_user = 'dbname';
 $db_pass = 'dbpassword';
 $db_name = 'dbuser';
 
-# Application language
+# Authentication
+# Users must have one of these entitlements in order to be able to
+# access the site. Users without any of the required entitlements
+# get redirected to their own loan listing page.
+$required_entitlements = array(
+    'urn:mace:swami.se:gmai:some-entitlement',
+);
+
+# Site language
 $language = 'en';
 
 # Site name
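Review bot: The comment above `$required_entitlements` says unentitled users "get redirected", but index.php in this same patch serves the public page in place of the requested one and sends no Location header, so an operator reading this will look for a redirect that does not exist; suggest `# get shown their own loan listing instead (served in place, no redirect).` The fail-closed behaviour is also worth stating, since with the check in Responder an empty array means no user is ever authorized for the non-public pages: `# Leaving this empty locks every user out of everything but their own listing.`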
diff --git a/include/PublicPage.php b/include/PublicPage.php
index 92cd4d4..46c9673 100644
--- a/include/PublicPage.php
+++ b/include/PublicPage.php
@@ -14,6 +14,9 @@ class PublicPage extends Page {
 
         // The public page should not display a menu
         $this->menuitems = array();
+
+        // This page should not require any special entitlements
+        $this->authorized = true;
     }
 
     protected function render_body() {
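Review bot: `$this->authorized = true;` overrides the entitlement result computed in the parent constructor by overwriting a bare, externally readable flag, and nothing stops any other page subclass or any code holding the object from doing the same, so the authorization decision is only as strong as the discipline of every future page class. A less fragile shape keeps the flag owned by Responder and lets pages declare their requirement through a method, e.g. `protected function requires_entitlement() { return false; }` here, with Responder's constructor consulting `$this->requires_entitlement()` before it sets the flag. The constructor this line sits in begins outside the hunk, and the property is not declared anywhere in the patch, so on PHP 8.2+ this assignment also creates a deprecated dynamic property.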
diff --git a/include/Responder.php b/include/Responder.php
index dbc15a0..bbc9104 100644
--- a/include/Responder.php
+++ b/include/Responder.php
@@ -4,11 +4,29 @@ abstract class Responder {
     protected $ldap = null;
 
     public function __construct() {
-        global $language;
+        global $language, $required_entitlements;
+
+        $this->authorized = false;
+        $entitlements = explode(';', $_SERVER['entitlement']);
+        foreach($entitlements as $entitlement) {
+            if(in_array($entitlement, $required_entitlements)) {
+                $this->authorized = true;
+            }
+        }
+
         $this->fragments = get_fragments("./html/$language/fragments.html");
         $this->ldap = new Ldap();
     }
 
+    public function respond() {
+        if(!$this->authorized) {
+            die("Unauthorized.");
+        }
+        return $this->render();
+    }
+
+    abstract public function render();
+
     final protected function escape_tags($tags) {
         foreach($tags as $key => $tag) {
             $tags[$key] = $this->escape_string(strtolower($tag));
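Review bot: `explode(';', $_SERVER['entitlement'])` assumes the attribute is always present; when the SSO module releases no entitlement for a user (or the app is run outside the protected vhost) this raises an undefined-index warning and passes null to explode(), which is deprecated on 8.1, and if `$required_entitlements` is missing from config the `in_array` call throws a TypeError on PHP 8 — the result still fails closed, but by accident rather than by design. The `die("Unauthorized.")` in respond() also exits with HTTP 200, so clients and monitoring see a successful response with a bare string; it should set `http_response_code(403)` first. The `in_array` should pass `true` for strict comparison, and `$authorized` should be declared on the class (public, since index.php reads it) rather than created dynamically. The code appears to rely on `entitlement` being populated by the SSO module as a server variable rather than a client-supplied header (a header would surface as `HTTP_ENTITLEMENT` and be spoofable) — I cannot confirm that from the patch, so a comment stating the expected source would help the next reader.
```php
    // Read by index.php, so it stays public; declared so PHP 8.2+ does not
    // treat it as a dynamic property.
    public $authorized = false;

    public function __construct() {
        global $language, $required_entitlements;

        // 'entitlement' is expected to be set by the SSO module as a server
        // variable, not a client-controllable HTTP_* header - confirm in deployment.
        $this->authorized = false;
        $raw = isset($_SERVER['entitlement']) ? $_SERVER['entitlement'] : '';
        foreach(explode(';', $raw) as $entitlement) {
            if(in_array($entitlement, (array) $required_entitlements, true)) {
                $this->authorized = true;
                break;
            }
        }
        // … unchanged: fragments and Ldap setup …
    }

    public function respond() {
        if(!$this->authorized) {
            http_response_code(403);
            die("Unauthorized.");
        }
        return $this->render();
    }
```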
diff --git a/include/functions.php b/include/functions.php
index 909f55e..49f2ce1 100644
--- a/include/functions.php
+++ b/include/functions.php
@@ -84,6 +84,7 @@ function replace($assoc_arr, $subject) {
 function make_page($page) {
     switch($page) {
         default:
+            die("Invalid page.");
         case 'checkout':
             return new CheckoutPage();
         case 'return':
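Review bot: `die("Invalid page.")` in the new `default:` arm exits with whatever status the server already has — index.php sets only a Content-Type before calling make_page(), so an unknown `?page=` value is answered with HTTP 200 and a bare string that clients and monitoring will read as success; prefer `http_response_code(404); die("Invalid page.");`. Placing `default:` above the first `case` is legal and the exit makes fall-through moot, but a comment such as `// default listed first on purpose; die() prevents fall-through into 'checkout'` would spare the next reader a double-take. The switch continues past the end of the hunk.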
diff --git a/index.php b/index.php
index 052c6b9..b3a22e4 100755
--- a/index.php
+++ b/index.php
@@ -12,11 +12,15 @@ require('./include/functions.php');
 
 header('Content-Type: text/html; charset=UTF-8');
 
-$page = null;
+$page = 'checkout';
 if(isset($_GET['page'])) {
     $page = $_GET['page'];
 }
 
-make_page($page)->render();
+$page = make_page($page);
+if(!$page->authorized) {
+    $page = make_page('public');
+}
+$page->respond();
 
 ?>
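Review bot: The requested page is constructed before the entitlement decision is acted on (`make_page($page)` runs first, then `authorized` is read), so the constructor of whatever page an unentitled user names — including `new Ldap()` in Responder and anything a page subclass does in its own constructor — executes on their behalf, and the fallback then builds a second Responder and a second Ldap. Nothing in the patch shows a constructor with side effects beyond that, but the gate only holds as long as that stays true; evaluating the entitlement once up front (a helper returning the bool that Responder's constructor currently computes) and constructing either the requested page or `PublicPage` based on it would make the ordering safe by construction. A comment above the fallback would also help, since the commit message is the only place the behaviour is explained: `// Unentitled SSO users are served their own loan listing in place; no redirect.`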