1 <?php
2 /*
3  This file is part of the Basic Meeting List Toolbox (BMLT).
4 
5  Find out more at: https://bmlt.app
6 
7  BMLT is free software: you can redistribute it and/or modify
8  it under the terms of the MIT License.
9 
10  BMLT is distributed in the hope that it will be useful,
11  but WITHOUT ANY WARRANTY; without even the implied warranty of
12  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13  MIT License for more details.
14 
15  You should have received a copy of the MIT License along with this code.
16  If not, see <https://opensource.org/licenses/MIT>.
17 */
/*
 JSON entry point for the semantic admin interface.

 Flow, as far as this file shows it:
   1. Merge GET+POST into $http_vars and resolve the language preference (cookie, then request).
   2. admin_action=login/logout: discard any stored session entry, verify credentials, refuse
      disabled users, server admins and user ID 1, and answer with a plain-text body.
   3. Any other admin_action on an established session: re-check the user, hand $http_vars to
      c_comdef_admin_xml_handler, convert its XML result to JSON and emit it (gzip when possible).

 Every refusal is a plain-text die() with the default 200 status; no status code is set anywhere
 in this file.

 NOTE(review): this rendering omits source lines 55, 57, 87, 94, 98, 103, 113, 120 and 176.
 $server is read at line 59 and $handler at line 122 without a visible assignment, so the omitted
 lines presumably hold the DB connect, the server/handler construction and the session teardown
 that precedes each die() — confirm against the original file.
*/
18 define('BMLT_EXEC', 1); // NOTE(review): presumably the guard constant the included server files test for — confirm in get-config.php.
19 require_once(dirname(dirname(dirname(__FILE__))).'/server/config/get-config.php');
20 
21 // We only do this if the capability has been enabled in the auto-config file.
22 if (isset($g_enable_semantic_admin) && ($g_enable_semantic_admin == true)) { // Loose == accepts any truthy config value. When the flag is off the script produces no output at all (empty 200 body).
23  require_once(dirname(dirname(dirname(__FILE__))).'/server/c_comdef_server.class.php');
24 
25  /***************************************************************************************************************
26  ************************************************* MAIN CONTEXT *************************************************
27  ***************************************************************************************************************/
28 
29  $http_vars = array_merge($_GET, $_POST); // POST keys override GET keys of the same name. The login credentials below are read from this merged array, so they are also accepted on the query string — consider requiring POST for admin_action=login so credentials do not end up in access/proxy logs.
30 
31  // Create an HTTP path to our XML file. We build it manually, in case this file is being used elsewhere, or we have a redirect in the domain.
32  // We allow it to be used as HTTPS.
33  $url_path = GetURLToMainServerDirectory().'local_server/server_admin/json.php'; // Not referenced again anywhere in this file.
34  $lang_enum = '';
35  $login_call = false; // We only allow login with the login call. That's to prevent users constantly sending cleartext login info.
36 
37  // We use a cookie to store the language pref.
38  // The cookie value is client-controlled input; it is only forwarded via $http_vars['lang_enum'] here, so whatever consumes it must validate it against the known language set.
38  if (isset($_COOKIE) && isset($_COOKIE['bmlt_admin_lang_pref']) && $_COOKIE['bmlt_admin_lang_pref']) {
39  $lang_enum = $_COOKIE['bmlt_admin_lang_pref'];
40  }
41 
42  if (isset($http_vars['lang_enum']) && $http_vars['lang_enum']) { // Request parameter wins over the cookie.
43  $lang_enum = $http_vars['lang_enum'];
44  }
45 
46  $http_vars['lang_enum'] = $lang_enum; // Quick and dirty way to ensure that this gets properly propagated.
47 
48  $expires = time() + (60 * 60 * 24 * 365); // Expire in one year.
49  setcookie('bmlt_admin_lang_pref', $lang_enum, $expires, '/'); // Echoes the (unvalidated) preference back; no secure/httponly/samesite attributes. Low sensitivity, and setcookie() URL-encodes the value, so header splitting is not a concern here.
50 
51  require_once(dirname(dirname(dirname(__FILE__))).'/server/shared/classes/comdef_utilityclasses.inc.php');
52  require_once(dirname(dirname(dirname(__FILE__))).'/server/shared/Array2Json.php');
53  require_once(dirname(dirname(__FILE__)).'/db_connect.php');
54 
56 
58 
59  if ($server instanceof c_comdef_server) { // $server is assigned on a line not shown in this rendering (see header note).
60  if (!isset($_SESSION)) {
61  session_start();
62  }
63 
64  // See if we are logging in
65  // login and logout are both "login calls": the stored session entry is discarded first, and neither ever reaches the admin handler below.
65  if (isset($http_vars['admin_action']) && (($http_vars['admin_action'] == 'logout') || ($http_vars['admin_action'] == 'login'))) {
66  $login_call = true;
67  // Belt and suspenders -nuke the stored login.
68  $_SESSION[$admin_session_name] = null;
69  unset($_SESSION[$admin_session_name]);
70 
71  if (isset($http_vars['admin_action']) && ($http_vars['admin_action'] == 'login')) {
72  $login = $http_vars['c_comdef_admin_login']; // Read without isset(): a login call missing either field raises an undefined-index warning before landing in the NOT AUTHORIZED branch.
73  $pw = $http_vars['c_comdef_admin_password'];
74 
75  if ($login && $pw) { // Truthiness test: a literal password "0" is refused here rather than verified.
76  // If this is a valid login, we'll get an encrypted password back.
77  $enc_password = $server->GetEncryptedPW($login, trim($pw)); // Password is trimmed before verification — confirm the setter applies the same normalisation, otherwise edge whitespace makes an account unusable.
78 
79  if (null != $enc_password) { // If we got a password, we set up the session. Loose != also treats "" as failure ("" == null); `!== null` would state the intent more clearly.
80  $_SESSION[$admin_session_name] = "$login\t$enc_password"; // Session entry = login, tab, the value GetEncryptedPW() returned. Whether that value is a hash or something reversible is not visible here.
81 
82  // Check to make sure this is a kosher user.
83  $user_obj = $server->GetCurrentUserObj();
84  if (!($user_obj instanceof c_comdef_user) || ($user_obj->GetUserLevel() == _USER_LEVEL_DISABLED) || ($user_obj->GetUserLevel() == _USER_LEVEL_SERVER_ADMIN) || ($user_obj->GetID() == 1)) { // Authorization rule: refuse disabled users, server admins and user ID 1. The session entry was already set above; the omitted line 87 presumably clears it — confirm.
85  // We do not allow semantic access to Server Admin functions (because security)
86  unset($user_obj); // Goodbye, Mr. Bond...
88  die('NOT AUTHORIZED'); // Plain-text body with the default 200 status. This applies to every die() in this file; consider http_response_code(401/403) first so clients and monitoring can distinguish refusals.
89  }
90 
91  // If we are OK, we'll fall through.
92  } else // These seem redundant, but a basic security posture of mine is to immediately kill execution upon discovering a security breach.
93  {
95  die('NOT AUTHORIZED'); // Credentials did not verify.
96  }
97  } else {
99  die('NOT AUTHORIZED'); // Missing or falsy login/password.
100  }
101  } else // Logout gets a "bye".
102  {
104  die('BYE');
105  }
106  }
107 
108  // If we are logged in, and this isn't the login call, then we get to play in the admin playground...
109  if (!$login_call && isset($_SESSION[$admin_session_name])) {
110  // Belt and suspenders. We just check one more time...
111  $user_obj = $server->GetCurrentUserObj(); // Same refusal rule as the login path, re-evaluated on every request so a user disabled or promoted mid-session is cut off.
112  if (!($user_obj instanceof c_comdef_user) || ($user_obj->GetUserLevel() == _USER_LEVEL_DISABLED) || ($user_obj->GetUserLevel() == _USER_LEVEL_SERVER_ADMIN) || ($user_obj->GetID() == 1)) {
114  die('NOT AUTHORIZED');
115  } else // If everything is OK, then we actually include the class, instantiate the object, and process the request.
116  {
117  if (isset($http_vars['admin_action']) && $http_vars['admin_action']) { // Must have an admin_action.
118  require_once(dirname(__FILE__).'/c_comdef_admin_xml_handler.class.php');
119 
121 
122  if ($handler instanceof c_comdef_admin_xml_handler) { // $handler is constructed on a line not shown in this rendering (see header note).
123  $ret = $handler->process_commands(); // XML text from the handler...
124  $ret = simplexml_load_string($ret); // ...parsed back into objects...
125  $json = json_encode((Array)$ret, JSON_NUMERIC_CHECK); // ...and re-serialized as JSON. JSON_NUMERIC_CHECK turns any numeric-looking string (leading-zero codes, phone numbers, "1e3") into a number, so string fields can change type on the wire.
126 
127  $pattern = '/\{\"\@attributes\"\:\{(.*?)\}\}/'; // Replace attribute objects with direct objects, to remove the extra layer.
128  $replacement = '{\1}';
129  do { // The three loops below rewrite the serialized JSON text with regexes until it stops changing (each replacement can expose another match). They also stop if preg_replace() returns null on error, which leaves $json null.
130  $old_json = $json;
131  $json = preg_replace($pattern, $replacement, $json);
132  } while ($json && ($old_json != $json));
133 
134  $pattern = '/\"\@attributes\"\:\{(\"sequence_index\"\:(\d+?))\}\,/';
135  $replacement = '';
136  do {
137  $old_json = $json;
138  $json = preg_replace($pattern, $replacement, $json);
139  } while ($json && ($old_json != $json));
140 
141  $pattern = '/\"row\"\:\{\"sequence_index\"\:(\d*?)\}\,/'; // Replace sequence index object, to remove the extra layer.
142  do {
143  $old_json = $json;
144  $json = preg_replace($pattern, "", $json);
145  } while ($json && ($old_json != $json));
146 
147  if (isset($json) && $json) {
148  header('Content-Type:application/json; charset=UTF-8');
149  if (zlib_get_coding_type() === false) { // Compress ourselves only when zlib output compression is not already active.
150  ob_start("ob_gzhandler");
151  } else {
152  ob_start();
153  }
154  echo ( $json );
155  ob_end_flush();
156  } else {
157  $ret = 'ERROR'; // Assigned but never emitted: on an empty/null $json (e.g. preg_replace failure) the client receives an empty 200 body. Same for the branch at 160.
158  }
159  } else {
160  $ret = 'ERROR';
161  }
162 
163  // Just making sure...
164  unset($handler);
165  unset($server);
166  unset($http_vars);
167  } else {
168  die('BAD ADMIN ACTION');
169  }
170  }
171  } elseif ($login_call && isset($_SESSION[$admin_session_name])) { // Simple login just gets an "OK".
172  ob_start();
173  echo ( 'OK' );
174  ob_end_flush();
175  } else {
177  die('NOT AUTHORIZED'); // No session and not a login call.
178  }
179  } else {
180  die('NO SERVER!');
181  }
182 }