1 <?php
2 /*
3  This file is part of the Basic Meeting List Toolbox (BMLT).
4 
5  Find out more at: https://bmlt.app
6 
7  BMLT is free software: you can redistribute it and/or modify
8  it under the terms of the MIT License.
9 
10  BMLT is distributed in the hope that it will be useful,
11  but WITHOUT ANY WARRANTY; without even the implied warranty of
12  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13  MIT License for more details.
14 
15  You should have received a copy of the MIT License along with this code.
16  If not, see <https://opensource.org/licenses/MIT>.
17 */
// Semantic-admin XML endpoint of the BMLT root server. This script answers the 'login' and
// 'logout' admin_action calls itself and, for a request that already carries an authenticated
// session, hands every other admin_action to c_comdef_admin_xml_handler. The whole body is
// skipped unless the auto-config file enables $g_enable_semantic_admin.
// NOTE(review): this rendering of the file omits the original lines that carried hyperlinks
// (by gutter number: 53, 54, 56, 86, 93, 97, 102, 112, 119 and 152) - among them the
// statements that assign $server and $handler, which are tested below. Consult the source
// file for those lines before relying on the control flow shown here.
// BMLT_EXEC is defined before the first include; presumably the included files check it as an
// "invoked through a real entry point" guard - TODO confirm.
18 define('BMLT_EXEC', 1);
19 require_once(dirname(dirname(dirname(__FILE__))).'/server/config/get-config.php');
20 
21 // We only do this if the capability has been enabled in the auto-config file.
// Loose (==) comparison: any truthy config value enables the interface, not only boolean true.
22 if (isset($g_enable_semantic_admin) && ($g_enable_semantic_admin == true)) {
23  require_once(dirname(dirname(dirname(__FILE__))).'/server/c_comdef_server.class.php');
24 
25  /***************************************************************************************************************
26  ************************************************* MAIN CONTEXT *************************************************
27  ***************************************************************************************************************/
28 
 // Query-string and form parameters are folded into one array; on a key collision the POST
 // value wins (array_merge semantics). NOTE(review): this also means the login credentials read
 // for the 'login' call below are accepted from the query string, where they can be recorded in
 // server, proxy and browser-history logs. Reading those two fields from $_POST only would
 // close that without affecting the other calls.
29  $http_vars = array_merge($_GET, $_POST);
30 
31  // Create an HTTP path to our XML file. We build it manually, in case this file is being used elsewhere, or we have a redirect in the domain.
32  // We allow it to be used as HTTPS.
 // $url_path is not referenced by any line visible in this rendering; it may be used by one of
 // the omitted lines - confirm in the source.
33  $url_path = GetURLToMainServerDirectory().'local_server/server_admin/xml.php';
34  $lang_enum = '';
35  $login_call = false; // We only allow login with the login call. That's to prevent users constantly sending cleartext login info.
36 
37  // We use a cookie to store the language pref.
 // Precedence: an explicit lang_enum in the request overrides the cookie; an empty value in
 // either place is ignored (truthiness test).
38  if (isset($_COOKIE) && isset($_COOKIE['bmlt_admin_lang_pref']) && $_COOKIE['bmlt_admin_lang_pref']) {
39  $lang_enum = $_COOKIE['bmlt_admin_lang_pref'];
40  }
41 
42  if (isset($http_vars['lang_enum']) && $http_vars['lang_enum']) {
43  $lang_enum = $http_vars['lang_enum'];
44  }
45 
 // The value is propagated exactly as it arrived; no check against the languages the server
 // actually supports is visible here - TODO confirm that downstream code validates it.
46  $http_vars['lang_enum'] = $lang_enum; // Quick and dirty way to ensure that this gets properly propagated.
47 
48  $expires = time() + (60 * 60 * 24 * 365); // Expire in one year.
 // setcookie() URL-encodes the value, so a crafted request value cannot inject extra header
 // fields. The cookie carries only a language preference, no secret, which is why it is set
 // without the secure/httponly flags that the session cookie would need.
49  setcookie('bmlt_admin_lang_pref', $lang_enum, $expires, '/');
50 
51  require_once(dirname(dirname(dirname(__FILE__))).'/server/shared/classes/comdef_utilityclasses.inc.php');
52  require_once(dirname(dirname(__FILE__)).'/db_connect.php');
 // The lines between 52 and 58 that this rendering omits are where $server (tested on the next
 // visible line) is obtained - see the source file.
55 
57 
 // Everything below requires a live server object; without one the request is refused outright.
58  if ($server instanceof c_comdef_server) {
 // Start a session only if none has been started yet (e.g. by an including script).
59  if (!isset($_SESSION)) {
60  session_start();
61  }
62 
63  // See if we are logging in
 // Both 'login' and 'logout' first discard any stored credential, so a login attempt never
 // inherits the identity of an earlier session.
64  if (isset($http_vars['admin_action']) && (($http_vars['admin_action'] == 'logout') || ($http_vars['admin_action'] == 'login'))) {
65  $login_call = true;
66  // Belt and suspenders -nuke the stored login.
 // $admin_session_name is the session key for the stored credential; it is defined outside this
 // file (presumably by the config loader) - TODO confirm.
67  $_SESSION[$admin_session_name] = null;
68  unset($_SESSION[$admin_session_name]);
69 
70  if (isset($http_vars['admin_action']) && ($http_vars['admin_action'] == 'login')) {
 // Direct index reads: a request without these fields raises an undefined-index notice before
 // the truthiness test below rejects it; `$http_vars['c_comdef_admin_login'] ?? ''` would
 // avoid the notice without changing the outcome.
71  $login = $http_vars['c_comdef_admin_login'];
72  $pw = $http_vars['c_comdef_admin_password'];
73 
 // Empty (and '0') credentials are refused here without touching the server.
74  if ($login && $pw) {
75  // If this is a valid login, we'll get an encrypted password back.
 // Only the password is trimmed, the login name is used as sent. Per the null test on the next
 // line GetEncryptedPW() yields null when the credentials do not match; its body is not shown
 // here.
76  $enc_password = $server->GetEncryptedPW($login, trim($pw));
77 
78  if (null != $enc_password) { // If we got a password, we set up the session.
 // The stored credential is the login name and the encrypted password, tab-separated; the
 // server reads this entry back in GetCurrentUserObj() below.
 // NOTE(review): no session_regenerate_id(true) call precedes this write in the visible code,
 // so the session id that carried the unauthenticated request is kept after authentication.
 // Regenerating it here is the usual defence against session fixation.
79  $_SESSION[$admin_session_name] = "$login\t$enc_password";
80 
81  // Check to make sure this is a kosher user.
 // Disabled users, server-admin-level users and user ID 1 are all refused, so the semantic
 // interface can never act with server-admin rights. The same test is repeated for every
 // authenticated request further down.
82  $user_obj = $server->GetCurrentUserObj();
83  if (!($user_obj instanceof c_comdef_user) || ($user_obj->GetUserLevel() == _USER_LEVEL_DISABLED) || ($user_obj->GetUserLevel() == _USER_LEVEL_SERVER_ADMIN) || ($user_obj->GetID() == 1)) {
84  // We do not allow semantic access to Server Admin functions (because security)
85  unset($user_obj); // Goodbye, Mr. Bond...
 // An original line between 85 and 87 is not shown in this rendering; presumably it tears the
 // session down before the request dies (the same gap precedes each die() below) - confirm in
 // the source.
87  die('<h1>NOT AUTHORIZED</h1>');
88  }
89 
90  // If we are OK, we'll fall through.
91  } else // These seem redundant, but a basic security posture of mine is to immediately kill execution upon discovering a security breach.
92  {
94  die('<h1>NOT AUTHORIZED</h1>');
95  }
96  } else {
98  die('<h1>NOT AUTHORIZED</h1>');
99  }
100  } else // Logout gets a "bye".
101  {
103  die('BYE');
104  }
105  }
106 
107  // If we are logged in, and this isn't the login call, then we get to play in the admin playground...
 // A successful login call does not enter this branch (!$login_call): it is answered with a
 // plain 'OK' below, so credentials and admin commands are never carried in the same request.
108  if (!$login_call && isset($_SESSION[$admin_session_name])) {
109  // Belt and suspenders. We just check one more time...
 // Re-derive the user from the stored session credential and apply the same refusal rules as at
 // login, so a session that was valid earlier but whose user has since been disabled or
 // promoted is rejected.
110  $user_obj = $server->GetCurrentUserObj();
111  if (!($user_obj instanceof c_comdef_user) || ($user_obj->GetUserLevel() == _USER_LEVEL_DISABLED) || ($user_obj->GetUserLevel() == _USER_LEVEL_SERVER_ADMIN) || ($user_obj->GetID() == 1)) {
113  die('<h1>NOT AUTHORIZED</h1>');
114  } else // If everything is OK, then we actually include the class, instantiate the object, and process the request.
115  {
116  if (isset($http_vars['admin_action']) && $http_vars['admin_action']) { // Must have an admin_action.
117  require_once(dirname(__FILE__).'/c_comdef_admin_xml_handler.class.php');
118 
 // $handler is instantiated on the omitted original line 119; see the source file.
120 
121  if ($handler instanceof c_comdef_admin_xml_handler) {
122  $ret = $handler->process_commands(); // Do what you do so well...
123 
124  if (preg_match('|^<\?xml|', $ret)) { // Only output an XML header if we are actually returning XML.
125  header('Content-Type:application/xml; charset=UTF-8');
126  }
 // A non-XML result goes out with PHP's default Content-Type (normally text/html), so browsers
 // render it as HTML; the handler, not this file, is responsible for escaping whatever it
 // returns on that path - TODO confirm.
127 
 // Compress with ob_gzhandler only when zlib.output_compression is not already compressing the
 // output; doing both would double-encode the body.
128  if (zlib_get_coding_type() === false) {
129  ob_start("ob_gzhandler");
130  } else {
131  ob_start();
132  }
133  echo ( $ret );
134  ob_end_flush();
135  } else {
 // NOTE(review): $ret is assigned here but nothing outputs it - this branch ends without an
 // echo, so the client receives an empty body rather than the ERROR text.
136  $ret = '<h1>ERROR</h1>';
137  }
138 
139  // Just making sure...
140  unset($handler);
141  unset($server);
142  unset($http_vars);
143  } else {
144  die('<h1>BAD ADMIN ACTION</h1>');
145  }
146  }
 // The login call, if it reached this point with a credential stored, is acknowledged only.
147  } elseif ($login_call && isset($_SESSION[$admin_session_name])) { // Simple login just gets an "OK".
148  ob_start();
149  echo ( 'OK' );
150  ob_end_flush();
151  } else {
153  die('<h1>NOT AUTHORIZED</h1>');
154  }
155  } else {
156  die('<h1>NO SERVER!</h1>');
157  }
158 }