From 02d0c23fac8f80eff8cbcb300e4d2ee9f7224474 Mon Sep 17 00:00:00 2001
From: Olav Morken <olav.morken@uninett.no>
Date: Mon, 25 Oct 2010 11:44:24 +0000
Subject: [PATCH] statistics: Combine access control in a single file.

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@2596 44740490-163a-0410-bde0-09ae8108e29a
---
 modules/statistics/lib/AccessCheck.php | 87 ++++++++++++++++++++++++++
 modules/statistics/www/showstats.php   | 74 +---------------------
 modules/statistics/www/statmeta.php    | 50 +--------------
 3 files changed, 89 insertions(+), 122 deletions(-)
 create mode 100644 modules/statistics/lib/AccessCheck.php

diff --git a/modules/statistics/lib/AccessCheck.php b/modules/statistics/lib/AccessCheck.php
new file mode 100644
index 000000000..1a73ddf00
--- /dev/null
+++ b/modules/statistics/lib/AccessCheck.php
@@ -0,0 +1,87 @@
+<?php
+
+/**
+ * Class implementing the access checker function for the statistics module.
+ *
+ * @package simpleSAMLphp
+ * @version $Id$
+ */
+class sspmod_statistics_AccessCheck {
+
+
+	/**
+	 * Check that the user has access to the statistics.
+	 *
+	 * If the user doesn't have access, send the user to the login page.
+	 */
+	public static function checkAccess(SimpleSAML_Configuration $statconfig) {
+		$session = SimpleSAML_Session::getInstance();
+		$protected = $statconfig->getBoolean('protected', FALSE);
+		$authsource = $statconfig->getString('auth', NULL);
+		$allowedusers = $statconfig->getValue('allowedUsers', NULL);
+		$useridattr = $statconfig->getString('useridattr', 'eduPersonPrincipalName');
+
+		$acl = $statconfig->getValue('acl', NULL);
+		if ($acl !== NULL && !is_string($acl) && !is_array($acl)) {
+			throw new SimpleSAML_Error_Exception('Invalid value for \'acl\'-option. Should be an array or a string.');
+		}
+
+		if ($protected) {
+
+			if (SimpleSAML_Utilities::isAdmin()) {
+				// User logged in as admin. OK.
+				SimpleSAML_Logger::debug('Statistics auth - logged in as admin, access granted');
+
+			} elseif(isset($authsource) && $session->isValid($authsource) ) {
+
+				// User logged in with auth source.
+				SimpleSAML_Logger::debug('Statistics auth - valid login with auth source [' . $authsource . ']');
+
+				// Retrieving attributes
+				$attributes = $session->getAttributes();
+
+				$allow = FALSE;
+				if (!empty($allowedusers)) {
+					// Check if userid exists
+					if (!isset($attributes[$useridattr][0]))
+						throw new Exception('User ID is missing');
+
+					// Check if userid is allowed access..
+					if (!in_array($attributes[$useridattr][0], $allowedusers)) {
+						SimpleSAML_Logger::debug('Statistics auth - User denied access by user ID [' . $attributes[$useridattr][0] . ']');
+					} else {
+						SimpleSAML_Logger::debug('Statistics auth - User granted access by user ID [' . $attributes[$useridattr][0] . ']');
+						$allow = TRUE;
+					}
+				} else {
+					SimpleSAML_Logger::debug('Statistics auth - no allowedUsers list.');
+				}
+
+				if (!$allow && !is_null($acl)) {
+					$acl = new sspmod_core_ACL($acl);
+					if (!$acl->allows($attributes)) {
+						SimpleSAML_Logger::debug('Statistics auth - denied access by ACL.');
+					} else {
+						SimpleSAML_Logger::debug('Statistics auth - allowed access by ACL.');
+						$allow = TRUE;
+					}
+				} else {
+					SimpleSAML_Logger::debug('Statistics auth - no ACL configured.');
+				}
+
+				if (!$allow) {
+					throw new SimpleSAML_Error_Exception('Access denied to the current user.');
+				}
+
+			} elseif(isset($authsource)) {
+				// If user is not logged in init login with authrouce if authsousrce is defined.
+				SimpleSAML_Auth_Default::initLogin($authsource, SimpleSAML_Utilities::selfURL());
+
+			} else {
+				// If authsource is not defined, init admin login.
+				SimpleSAML_Utilities::requireAdmin();
+			}
+		}
+	}
+
+}
\ No newline at end of file
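Review bot: The allow-list test in `checkAccess()` calls `in_array()` without the strict flag, so the user ID taken from the session attributes is matched against `allowedUsers` with PHP's loose `==` comparison; numeric-looking entries, or an integer in the configured array, can then match an ID that is not literally listed. Since this is the authorization decision, I would make it `if (!in_array($attributes[$useridattr][0], $allowedusers, TRUE)) {`. Separately, the `else` of `if (!$allow && !is_null($acl))` logs 'no ACL configured' even when an ACL exists and access was already granted by user ID, which makes the debug trail misleading when someone audits a grant. The docblock should also state that nothing is checked when `protected` is unset (it defaults to FALSE) and that a logged-in but unauthorized user gets a `SimpleSAML_Error_Exception` rather than the login page.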
diff --git a/modules/statistics/www/showstats.php b/modules/statistics/www/showstats.php
index ac8287a53..babdcf2cd 100644
--- a/modules/statistics/www/showstats.php
+++ b/modules/statistics/www/showstats.php
@@ -5,79 +5,7 @@ $statconfig = SimpleSAML_Configuration::getConfig('module_statistics.php');
 $session = SimpleSAML_Session::getInstance();
 
 
-/**
- * AUTHENTICATION and Authorization for access to the statistics.
- */
-$protected = $statconfig->getBoolean('protected', FALSE);
-$authsource = $statconfig->getString('auth', NULL);
-$allowedusers = $statconfig->getValue('allowedUsers', NULL);
-$useridattr = $statconfig->getString('useridattr', 'eduPersonPrincipalName');
-
-$acl = $statconfig->getValue('acl', NULL);
-if ($acl !== NULL && !is_string($acl) && !is_array($acl)) {
-	throw new SimpleSAML_Error_Exception('Invalid value for \'acl\'-option. Should be an array or a string.');
-}
-
-if ($protected) {
-
-	if (SimpleSAML_Utilities::isAdmin()) {
-		// User logged in as admin. OK.
-		SimpleSAML_Logger::debug('Statistics auth - logged in as admin, access granted');
-		
-	} elseif(isset($authsource) && $session->isValid($authsource) ) {
-	
-		// User logged in with auth source.
-		SimpleSAML_Logger::debug('Statistics auth - valid login with auth source [' . $authsource . ']');
-		
-		// Retrieving attributes
-		$attributes = $session->getAttributes();
-
-		$allow = FALSE;
-		if (!empty($allowedusers)) {
-			// Check if userid exists
-			if (!isset($attributes[$useridattr][0]))
-				throw new Exception('User ID is missing');
-
-			// Check if userid is allowed access..
-			if (!in_array($attributes[$useridattr][0], $allowedusers)) {
-				SimpleSAML_Logger::debug('Statistics auth - User denied access by user ID [' . $attributes[$useridattr][0] . ']');
-			} else {
-				SimpleSAML_Logger::debug('Statistics auth - User granted access by user ID [' . $attributes[$useridattr][0] . ']');
-				$allow = TRUE;
-			}
-		} else {
-			SimpleSAML_Logger::debug('Statistics auth - no allowedUsers list.');
-		}
-
-		if (!$allow && !is_null($acl)) {
-			$acl = new sspmod_core_ACL($acl);
-			if (!$acl->allows($attributes)) {
-				SimpleSAML_Logger::debug('Statistics auth - denied access by ACL.');
-			} else {
-				SimpleSAML_Logger::debug('Statistics auth - allowed access by ACL.');
-				$allow = TRUE;
-			}
-		} else {
-			SimpleSAML_Logger::debug('Statistics auth - no ACL configured.');
-		}
-
-		if (!$allow) {
-			throw new SimpleSAML_Error_Exception('Access denied to the current user.');
-		}
-
-	} elseif(isset($authsource)) {
-		// If user is not logged in init login with authrouce if authsousrce is defined.
-		SimpleSAML_Auth_Default::initLogin($authsource, SimpleSAML_Utilities::selfURL());
-		
-	} else {
-		// If authsource is not defined, init admin login.
-		SimpleSAML_Utilities::requireAdmin();
-	}
-}
-/**
- * AUTHENTICATION and Authorization for access to the statistics.  ------
- */
-
+sspmod_statistics_AccessCheck::checkAccess($statconfig);
 
 
 /*
diff --git a/modules/statistics/www/statmeta.php b/modules/statistics/www/statmeta.php
index 8b99a686f..46c5ddb01 100644
--- a/modules/statistics/www/statmeta.php
+++ b/modules/statistics/www/statmeta.php
@@ -2,61 +2,13 @@
 
 $config = SimpleSAML_Configuration::getInstance();
 $statconfig = SimpleSAML_Configuration::getConfig('module_statistics.php');
-$session = SimpleSAML_Session::getInstance();
 
-
-/**
- * AUTHENTICATION and Authorization for access to the statistics.
- */
-$protected = $statconfig->getBoolean('protected', FALSE);
-$authsource = $statconfig->getString('auth', NULL);
-$allowedusers = $statconfig->getValue('allowedUsers', NULL);
-$useridattr = $statconfig->getString('useridattr', 'eduPersonPrincipalName');
-
-if ($protected) {
-
-	if (SimpleSAML_Utilities::isAdmin()) {
-		// User logged in as admin. OK.
-		SimpleSAML_Logger::debug('Statistics auth - logged in as admin, access granted');
-		
-	} elseif(isset($authsource) && $session->isValid($authsource) ) {
-	
-		// User logged in with auth source.
-		SimpleSAML_Logger::debug('Statistics auth - valid login with auth source [' . $authsource . ']');
-		
-		// Retrieving attributes
-		$attributes = $session->getAttributes();
-		
-		// Check if userid exists
-		if (!isset($attributes[$useridattr])) 
-			throw new Exception('User ID is missing');
-		
-		// Check if userid is allowed access..
-		if (!in_array($attributes[$useridattr][0], $allowedusers)) {
-			SimpleSAML_Logger::debug('Statistics auth - User denied access by user ID [' . $attributes[$useridattr][0] . ']');
-			throw new Exception('Access denied for this user.');
-		}
-		SimpleSAML_Logger::debug('Statistics auth - User granted access by user ID [' . $attributes[$useridattr][0] . ']');		
-		
-	} elseif(isset($authsource)) {
-		// If user is not logged in init login with authrouce if authsousrce is defined.
-		SimpleSAML_Auth_Default::initLogin($authsource, SimpleSAML_Utilities::selfURL());
-		
-	} else {
-		// If authsource is not defined, init admin login.
-		SimpleSAML_Utilities::requireAdmin();
-	}
-}
+sspmod_statistics_AccessCheck::checkAccess($statconfig);
 
 $aggr = new sspmod_statistics_Aggregator();
 $aggr->loadMetadata();
 $metadata = $aggr->getMetadata();
 
-// echo('<pre>'); print_r($metadata);
-
-/**
- * AUTHENTICATION and Authorization for access to the statistics.  ------
- */
 
 $t = new SimpleSAML_XHTML_Template($config, 'statistics:statmeta-tpl.php');
 $t->data['metadata'] =  $metadata;
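Review bot: Routing statmeta.php through the shared check changes who is admitted to this page, and neither the commit message nor a comment says so. The removed code accepted only users listed in `allowedUsers`, while `checkAccess()` also admits a user matched by the `acl` option. If that widening is intended, state it next to the call, e.g. `// Same rules as showstats.php: admin, allowedUsers or acl.`, so a deployment that set `acl` with only showstats in mind is not surprised.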
-- 
GitLab