summaryrefslogtreecommitdiffstats
path: root/app/acf_www-controller.lua
blob: 8878a8b1ec729d6ba2bfd74b23868f3d791fe11b (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
--[[ Code for the Alpine Configuration WEB framework 
      see http://wiki.alpinelinux.org
      Copyright (C) 2007  Nathan Angelacos
      Licensed under the terms of GPL2
   ]]--
-- Required global libraries

module(..., package.seeall)

-- This is not in the global namespace, but future
-- require statements shouldn't need to go to the disk lib
require "posix"

-- We use the parent exception handler in a last-case situation
local parent_exception_handler

local function build_menus(self)
	m=require("menubuilder")
	roll = require ("roles")

	-- Build the permissions table
	local roles = {}
	if self.sessiondata.userinfo and self.sessiondata.userinfo.roles then
		roles = self.sessiondata.userinfo.roles
	end
	local permissions = roll.get_roles_perm(self,roles)
	self.sessiondata.permissions = permissions
	
	--Build the menu
	local cats = m.get_menuitems(self)
	-- now, loop through menu and remove actions without permission
	-- go in reverse so we can remove entries while looping
	for x = #cats,1,-1 do
		local cat = cats[x]
		for y = #cat.groups,1,-1 do
			local group = cat.groups[y]
			for z = #group.tabs,1,-1 do
				local tab = group.tabs[z]
				if nil == permissions[tab.prefix] or nil == permissions[tab.prefix][tab.controller] or nil == permissions[tab.prefix][tab.controller][tab.action] then
					table.remove(group.tabs, z)
				end
			end
			if 0 == #group.tabs then
				table.remove(cat.groups, y)
			end
		end
		if 0 == #cat.groups then
			table.remove(cats, x)
		end
	end
	self.sessiondata.menu = {}
	self.sessiondata.menu.cats = cats

	-- Debug: Timestamp on menu creation
	self.sessiondata.menu.timestamp = {tab="Menu_created: " .. os.date(),action="Menu_created: " .. os.date(),}
end

local check_permission = function(self, prefix, controller, action)
	--logevent("Trying "..(prefix or "/")..(controller or "nil").."/"..(action or "nil"))
	if nil == self.sessiondata.permissions then return false end
	if prefix and controller then
		if nil == self.sessiondata.permissions[prefix] or nil == self.sessiondata.permissions[prefix][controller] then return false end
		if action and nil == self.sessiondata.permissions[prefix][controller][action] then return false end
	end
	return true
end

local check_permission_string = function (self, str)
	local prefix, controller, action = parse_redir_string(str)
	if prefix == "/" then prefix = self.conf.prefix end
	if controller == "" then controller = self.conf.controller end
	
	if "" == action then
		action = rawget(self.worker, "default_action") or ""
	end
	return check_permission(self, prefix, controller, action)
end

-- look for a template
-- ctlr-action-view, then  ctlr-view, then action-view, then view
-- cannot be local function because of recursion
find_template = function ( appdir, prefix, controller, action, viewtype )
	if string.find(appdir, ",") then
		local template
		for p in string.gmatch(appdir, "[^,]+") do
			template = find_template(p, prefix, controller, action, viewtype)
			if template then break end
		end
		return template
	end			

	local targets = {
			appdir .. prefix .. "template-" .. controller .. "-" .. 
				action .. "-" .. viewtype .. ".lsp",
			appdir .. prefix .. "template-" .. controller .. "-" .. 
				viewtype .. ".lsp",
			appdir .. prefix .. "template-" .. action .. "-" ..
				viewtype .. ".lsp",
			appdir .. prefix .. "template-" .. viewtype .. ".lsp"
			}
	local file
	for k,v in pairs(targets) do
		file = io.open (v)
		if file then
			io.close (file)
			return v
		end
	end
	-- not found, so try one level higher
	if prefix == "/" then -- already at the top level - fail
		return nil
	end
	prefix = posix.dirname (prefix) 
	return find_template ( appdir, prefix, controller, action, viewtype )
end

-- look for a view
-- ctlr-action-view, then  ctlr-view
local find_view = function ( appdir, prefix, controller, action, viewtype )
	for p in string.gmatch(appdir, "[^,]+") do
		local names = { p .. prefix .. controller .. "-" ..
					action .. "-" .. viewtype .. ".lsp",
				p .. prefix .. controller .. "-" ..
					viewtype .. ".lsp" }
		local file
		-- search for view
		for i,filename in ipairs (names) do
			file = io.open(filename)
			if file then
				file:close()
				return filename
			end
		end
	end
	return nil
end

local has_view = function(self)
	require("fs")
	for p in string.gmatch(self.conf.appdir, "[^,]+") do
		local file = posix.stat(p .. self.conf.prefix .. self.conf.controller .. "-" .. self.conf.action .. "-" .. (self.conf.viewtype or "html") .. ".lsp", "type")
		if file == "regular" or file == "link" then return true end
	end
	return false
end

-- This function is made available within the view to allow loading of components
local dispatch_component = function(self, str, clientdata, suppress_view)
	-- Before we call dispatch, we have to set up conf and clientdata like it was really called for this component
	local tempconf = self.conf
	self.conf = {}
	for x,y in pairs(tempconf) do
		self.conf[x] = y
	end
	self.conf.component = true
	self.conf.suppress_view = suppress_view
	self.conf.orig_action = self.conf.orig_action or self.conf.prefix .. self.conf.controller .. "/" .. self.conf.action
	local tempclientdata = self.clientdata
	self.clientdata = clientdata or {}
	self.clientdata.sessionid = tempclientdata.sessionid

	local prefix, controller, action = parse_redir_string(str)
	if prefix == "/" then prefix = self.conf.prefix end
	if controller == "" then controller = self.conf.controller end
	local viewtable = self.dispatch(self, prefix, controller, action)

	-- Revert to the old conf and clientdata
	self.conf = nil
	if not (self.conf) then self.conf = tempconf end
	self.clientdata = nil
	if not (self.clientdata) then self.clientdata = tempclientdata end

	return viewtable
end

local create_helper_library = function ( self )
	local library = {}
--[[	-- If we have a separate library, here's how we could do it
	local library = require("library_name")
	for name,func in pairs(library) do
		if type(func) == "function" then
			library.name = function(...) return func(self, ...) end
		end
	end
--]]
	library.dispatch_component = function(...) return dispatch_component(self, ...) end
	library.check_permission = function(...) return check_permission_string(self, ...) end
	return library
end

-- Our local view resolver called by our dispatch
local view_resolver = function(self)
	local template, viewname, viewlibrary
	local viewtype = self.conf.viewtype or "html"

	-- search for template
	if self.conf.component ~= true then
		template = find_template ( self.conf.appdir, self.conf.prefix,
			self.conf.controller, self.conf.action, viewtype )
	end
	
	-- search for view
	viewname = find_view ( self.conf.appdir, self.conf.prefix,
		self.conf.controller, self.conf.action, viewtype )

	local func = function() end
	if template then
		-- We have a template
		func = haserl.loadfile (template)
	elseif viewname then
		-- No template, but have a view
		func = haserl.loadfile (viewname)
	end
	
	-- create the view helper library
	viewlibrary = create_helper_library ( self )

	local pageinfo =  { viewfile = viewname,
				controller = self.conf.controller,
				action = self.conf.action,
				prefix = self.conf.prefix,
				script = self.conf.script,
				wwwprefix = self.conf.wwwprefix or "",
				staticdir = self.conf.staticdir or "",
				skin = self.conf.skin or "",
				orig_action = self.conf.orig_action or self.conf.prefix .. self.conf.controller .. "/" .. self.conf.action,
				clientdata = self.clientdata,
				}
	if self.sessiondata.userinfo and self.sessiondata.userinfo.skin and self.sessiondata.userinfo.skin ~= "" then
		pageinfo.skin = self.sessiondata.userinfo.skin
	end

	return func, viewlibrary, pageinfo, self.sessiondata
end

mvc = {}
mvc.on_load = function (self, parent)
	-- open the log file
	if self.conf.logfile then
		self.conf.loghandle = io.open (self.conf.logfile, "a+")
	end

	--logevent("acf_www-controller mvc.on_load")

	-- Make sure we have some kind of sane defaults for libdir, wwwdir, and sessiondir
	self.conf.libdir = self.conf.libdir or ( string.match(self.conf.appdir, "[^,]+/") .. "/lib/" )
	self.conf.wwwdir = self.conf.wwwdir or ( string.match(self.conf.appdir, "[^,]+/") .. "/www/" )
	self.conf.sessiondir = self.conf.sessiondir or "/tmp/"
	self.conf.script = ENV.SCRIPT_NAME
	self.conf.default_prefix = "/acf-util/"
	self.conf.default_controller = self.conf.default_controller or "welcome"
	self.clientdata = FORM
	self.conf.clientip = ENV.REMOTE_ADDR

	parent_exception_handler = parent.exception_handler
	
	-- this sets the package path for us and our children
	package.path = string.gsub(self.conf.libdir, ",", "/?.lua;") .. "/?.lua;" .. package.path
	
	sessionlib=require ("session")

	-- before we look at sessions, remove old sessions and events
	-- this prevents us from giving a "session timeout" message, but I'm ok with that
	sessionlib.expired_events(self.conf.sessiondir, self.conf.sessiontimeout)

	-- Load the session data
	self.sessiondata = nil
	self.sessiondata = {}
	if nil ~= self.clientdata.sessionid then
		--logevent("Found session id = " .. self.clientdata.sessionid)
		-- Load existing session data
		local timestamp
		timestamp, self.sessiondata = 
			sessionlib.load_session(self.conf.sessiondir,
				self.clientdata.sessionid)
		if timestamp == nil then 
			-- invalid session id, report event and create new one
			sessionlib.record_event(self.conf.sessiondir, nil,
				sessionlib.hash_ip_addr(self.conf.clientip))
			--logevent("Didn't find session")
		else
			--logevent("Found session")
			-- We read in a valid session, check if it's ok
			if sessionlib.count_events(self.conf.sessiondir,self.conf.userid or "", sessionlib.hash_ip_addr(self.conf.clientip), self.conf.lockouttime, self.conf.lockouteventlimit) then
				--logevent("Bad session, erasing")
				-- Too many events on this id / ip, kill the session
				sessionlib.unlink_session(self.conf.sessiondir, self.clientdata.sessionid)
				self.sessiondata.id = nil
			end
		end
	end

	if nil == self.sessiondata.id then
		self.sessiondata = {}
		self.sessiondata.id = sessionlib.random_hash(512)
		--logevent("New session = " .. self.sessiondata.id)
	end
	if nil == self.sessiondata.permissions or nil == self.sessiondata.menu then
		--logevent("Build menus")
		build_menus(self)
	end
end

mvc.on_unload = function (self)
	sessionlib=require ("session")
	if self.sessiondata.id then
		sessionlib.save_session(self.conf.sessiondir, self.sessiondata)
        end
	-- Close the logfile
	--logevent("acf_www-controller mvc.on_unload")
	if self.conf.loghandle then
		self.conf.loghandle:close()
	end
end

-- Overload the MVC's exception handler with our own to handle redirection
exception_handler = function (self, message )
	local html = require ("html")
	local viewtable
	if type(message) == "table" then
		if self.conf.component == true then
			io.write ("Component cannot be found")
		elseif message.type == "dispatch" and self.sessiondata.userinfo and self.sessiondata.userinfo.userid then
			viewtable = message
			self.conf.prefix = "/"
			self.conf.controller = "dispatcherror"
			self.conf.action = ""
		elseif message.type == "redir" or message.type == "redir_to_referrer" or message.type == "dispatch" then
			--if self.sessiondata.id then logevent("Redirecting " .. self.sessiondata.id) end
			io.write ("Status: 302 Moved\n")
			if message.type == "redir" then
				io.write ("Location: " .. ENV["SCRIPT_NAME"] ..
				  	message.prefix .. message.controller ..
					"/" .. message.action .. 
					(message.extra or "" ) .. "\n")
			elseif message.type == "dispatch" then
				-- We got a dispatch error because the user session timed out
				-- We want to save the URL and any get / post data to resubmit after logon
				self.sessiondata.logonredirect = message
				self.sessiondata.logonredirect.clientdata = self.clientdata
				self.sessiondata.logonredirect.clientdata.sessionid = nil
				self.sessiondata.logonredirect.referrer = ENV.HTTP_REFERER
				io.write ("Location: " .. ENV["SCRIPT_NAME"] .. "/acf-util/logon/logon?redir="..message.prefix..message.controller.."/"..message.action.."\n")
			else
				io.write ("Location: " .. ENV.HTTP_REFERER .. "\n")
			end
			if self.sessiondata.id then
				io.write (html.cookie.set("sessionid", self.sessiondata.id))
			else
				io.write (html.cookie.unset("sessionid"))
			end
			io.write ( "Content-Type: text/html\n\n" )
		else
			parent_exception_handler(self, message)
		end
	else
		logevent("Exception: "..message)
		viewtable = {message = message}
		self.conf.prefix = "/"
		self.conf.controller = "exception"
		self.conf.action = ""
	end

	if viewtable then
		if not self.conf.suppress_view then
			local success, err = xpcall ( function () 
				local viewfunc, p1, p2, p3 = view_resolver(self)
				viewfunc (viewtable, p1, p2, p3)
			end, 
			self:soft_traceback()
			)

			if not success then
				parent_exception_handler(self, err)
			end
		end
	end
end

-- Overload the MVC's dispatch function with our own
-- check permissions and redirect if not allowed to see
-- pass more parameters to the view
-- allow display of views without actions
dispatch = function (self, userprefix, userctlr, useraction) 
	local controller = nil
	local viewtable
	local success, err = xpcall ( function () 

	if userprefix == nil then
		self.conf.prefix, self.conf.controller, self.conf.action =
			parse_path_info(ENV["PATH_INFO"])
		self.conf.wwwprefix = string.gsub(ENV["SCRIPT_NAME"] or "", "/?cgi%-bin/acf.*", "")
	else
		self.conf.prefix = userprefix
		self.conf.controller = userctlr or ""
		self.conf.action = useraction or ""
	end

	-- This is for get / post data saved for after logon
	if self.sessiondata.logonredirect and self.conf.prefix == self.sessiondata.logonredirect.prefix
	and self.conf.controller == self.sessiondata.logonredirect.controller
	and self.conf.action == self.sessiondata.logonredirect.action then
		ENV.HTTP_REFERER = self.sessiondata.logonredirect.referrer or ENV.HTTP_REFERER
		self.clientdata = self.sessiondata.logonredirect.clientdata
		self.sessiondata.logonredirect = nil
	end

	-- Find the proper controller/action combo
	local origconf = {}
	for name,value in pairs(self.conf) do origconf[name]=value end
	if "" == self.conf.controller and self.sessiondata.userinfo and self.sessiondata.userinfo.home and self.sessiondata.userinfo.home ~= "" then
		self.conf.prefix, self.conf.controller, self.conf.action =
			parse_path_info(self.sessiondata.userinfo.home)
	end
	if "" == self.conf.controller then
		self.conf.prefix = self.conf.default_prefix or "/"
		self.conf.controller = self.conf.default_controller or ""
		self.conf.action = ""
	end
	if "" ~= self.conf.controller then
		-- We now know the controller / action combo, check if we're allowed to do it
		local perm = check_permission(self, self.conf.prefix, self.conf.controller)
		local worker_loaded = false

		if perm then
			controller, worker_loaded = self:new(self.conf.prefix .. self.conf.controller)
		end
		if worker_loaded then
			local default_action = rawget(controller.worker, "default_action") or ""
			if self.conf.action == "" then self.conf.action = default_action end
			if "" ~= self.conf.action then
				local perm = check_permission(controller, self.conf.prefix, self.conf.controller, self.conf.action)
				-- Because of the inheritance, normally the 
				-- controller.worker.action will flow up, so that all children have
				-- actions of all parents.  We use rawget to make sure that only
				-- controller defined actions are used on dispatch
				if (not perm) or (type(rawget(controller.worker, self.conf.action)) ~= "function") then
					controller:destroy()
					controller = nil
				end
			end
		elseif controller then
			controller:destroy()
			controller = nil
		end
	end

	-- If we have different controller / action, redirect
	if self.conf.controller ~= origconf.controller or self.conf.action ~= origconf.action then
		redirect(self, self.conf.action) -- controller and prefix already in self.conf
	end

	-- If the controller or action are missing, display an error view
	if nil == controller then
		-- If we have a view w/o an action, just display the view (passing in the clientdata)
		if (not self.conf.suppress_view) and has_view(self) and check_permission(self, self.conf.prefix, self.conf.controller, self.conf.action) then
			viewtable = self.clientdata
		else
			origconf.type = "dispatch"
			error (origconf)
		end
	end

	if controller then
		-- run the (first found) pre_exec code, starting at the controller 
		-- and moving up the parents
		if  type(controller.worker.mvc.pre_exec) == "function" then
			controller.worker.mvc.pre_exec ( controller )
		end

		-- run the action
		viewtable = controller.worker[self.conf.action](controller)

		-- run the post_exec code
		if  type(controller.worker.mvc.post_exec) == "function" then
			controller.worker.mvc.post_exec ( controller )
		end

		-- we're done with the controller, destroy it
		controller:destroy()
		controller = nil
	end

	if not self.conf.suppress_view then
		local viewfunc, p1, p2, p3 = view_resolver(self)
		viewfunc (viewtable, p1, p2, p3)
	end
		
	end, 
	self:soft_traceback(message)
	)

	if not success then
		if controller then 
			controller:exception_handler(err)
			controller:destroy()
			controller = nil
		else
			self:exception_handler(err)
		end
	end

	return viewtable
end

-- Cause a redirect to specified (or default) action
-- We use the self.conf table because it already has prefix,controller,etc
-- The actual redirection is defined in exception_handler above
redirect = function (self, str, result)
	if result then
		self.sessiondata[self.conf.action.."result"] = result
	end
	local prefix, controller, action = parse_redir_string(str)
	if prefix ~= "/" then self.conf.prefix = prefix end
	if controller ~= "" then self.conf.controller = controller end
	
	if "" == action then
		action = rawget(self.worker, "default_action") or ""
	end
	self.conf.action = action
	self.conf.type = "redir"
	error(self.conf)
end

-- If we've done something, cause a redirect to the referring page (assuming it's different)
-- Also handles retrieving the result of a previously redirected action
redirect_to_referrer = function(self, result)
	if result and not self.conf.component then
		-- If we have a result, then we did something, so we might have to redirect
		if not ENV.HTTP_REFERER then
			-- If no referrer, we have a potential problem.
			if not find_view(self.conf.appdir, self.conf.prefix, self.conf.controller, self.conf.action, self.conf.viewtype or "html") then
				-- Action does not have view, so redirect to default action for this controller.
				self:redirect()
			end
		else
			local p = ENV.HTTP_REFERER:gsub("%?.*", ""):gsub("%%(%x%x)",
				function(h) return string.char(tonumber(h, 16)) end )
			local prefix, controller, action = self.parse_path_info(p)
			if prefix ~= self.conf.prefix or controller ~= self.conf.controller or action ~= self.conf.action then
				self.sessiondata[self.conf.action.."result"] = result
				error({type="redir_to_referrer"})
			end
		end
	elseif self.sessiondata[self.conf.action.."result"] then
		-- If we don't have a result, but there's a result in the session data,
		-- then we're a component redirected as above.  Return the last result.
		result = self.sessiondata[self.conf.action.."result"]
		self.sessiondata[self.conf.action.."result"] = nil
	end
	return result
end

-- parse a "URI" like string into a prefix, controller and action
-- this is the same as URI string, but opposite preference
-- if only one is defined, it's assumed to be the action
parse_redir_string = function( str )
	str = str or "" 
	str = string.gsub(str, "/+$", "")
	local action = string.match(str, "[^/]+$") or ""
	str = string.gsub(str, "/*[^/]*$", "")
	local controller = string.match(str, "[^/]+$") or ""
	str = string.gsub(str, "/*[^/]*$", "")
	local prefix = string.match(str, "[^/]+$") or ""
	if prefix == "" then
		prefix = "/"
	else
		prefix = "/"..prefix.."/"
	end
	return prefix, controller, action
end

logevent = function ( message )
	if conf.loghandle then
		conf.loghandle:write (string.format("%s: %s\n", os.date(), message or ""))
	else
		-- call to parent's handler
		__index.logevent(message)
	end
end