4 * This file is (c) Copyright 2010 by Olivier BERGER, Madhumita DHAR, Institut TELECOM
6 * This program is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU General Public License
8 * as published by the Free Software Foundation; either version 2
9 * of the License, or (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
20 * This program has been developed in the frame of the COCLICO
21 * project with financial support of its funders.
// User authorization endpoint of the OAuth provider plugin.
//
// Shows the logged-in user the pending request token named by oauth_token,
// and offers Authorize / Deny forms that post to token_authorize.php and
// token_deny.php respectively.
//
// NOTE(review): session_require_login() is deliberately not called because it
// returns an error page when the user is not logged in; the login requirement
// is expected to be enforced by oauthprovider_CheckUser() (from checks.php)
// below — confirm that helper really rejects anonymous visitors, otherwise
// this page is reachable without authentication.
//session_require_login ();
require_once('../../env.inc.php');
require_once $gfwww.'include/pre.php';
require $gfconfig.'/plugins/oauthprovider/config.php';
require_once 'checks.php';
// Any logged-in user must be able to authorize consumers on their own behalf,
// so no project_admin permission is required here.
//session_require_global_perm('project_admin');
$pluginname = 'oauthprovider';
// Parse the OAuth request (parameters may arrive in the query string, the
// POST body or an Authorization header). This runs inside a try block whose
// opening line is not shown here; OAuthException is caught at the end of the file.
$req = OAuthRequest::from_request();
// The request token key the consumer wants authorized. This is untrusted request
// input: it must be escaped whenever it is reflected into HTML.
$p_token = $req->get_parameter('oauth_token');
// Look up the pending request token; presumably returns null/false when the key
// is unknown (the if($t_request_token) test below relies on that) — TODO confirm.
// NOTE(review): confirm already-authorized or exchanged tokens are not returned,
// otherwise a replayed authorize URL would offer them again.
$t_request_token = OauthAuthzRequestToken::load_by_key($p_token);
// Page access check defined in checks.php — presumably this is what enforces that
// a user is logged in, since session_require_login() is not used above.
oauthprovider_CheckUser();
echo '<h2>'. _('Pending authorization requests via OAuth') .'</h2>';
// Resolve the project whose roles will be offered in the Authorize form.
// NOTE(review): $type and $name are not assigned anywhere in the lines shown
// here — confirm where they come from, and that a null $groupname cannot make
// $group null before ->getID() is called on it below.
if($type=="group") $groupname = $name;
else $groupname = null;
$group = group_get_object_by_name($groupname);
$user_id = user_getid();
$user = user_get_object($user_id);
// Walk the roles the current user can act under and keep those whose home
// project is this one; the loop body (presumably building $roles for the
// Authorize form) and the closing braces are outside the lines shown here.
foreach (RBACEngine::getInstance()->getAvailableRolesForUser($user) as $role) {
if ($role->getHomeProject()) {
if ($role->getHomeProject()->getID() == $group->getID()) {
// A pending request token was found: show who is asking and offer Authorize / Deny.
if($t_request_token) {
$consumer = OauthAuthzConsumer::load($t_request_token->getConsumerId());
// Refuse to authorize request tokens older than 24 hours: this bounds the window
// in which a stale or leaked request token can still be turned into an access token.
// NOTE(review): $now is not assigned in the lines shown here — presumably time()
// on a line that is not displayed; confirm.
$time_stamp = $t_request_token->gettime_stamp();
if ($time_stamp < ($now - (int)(24 * 3600))) {
// Stale token: only the Deny form is offered further down. The isset($time_stamp)
// test below presumably relies on this branch unsetting $time_stamp (line not
// shown) — TODO confirm.
$date = "more than 24 hours ago";
// else branch (opening line not shown): token is fresh enough, show when it was requested.
$date = "on ".date(DATE_RFC822, $time_stamp);
// NOTE(review): the callback is taken from the current request, not from the stored
// request token. In OAuth 1.0a the callback is bound at the request-token step;
// accepting an attacker-supplied oauth_callback here and forwarding it to
// token_authorize.php is the classic OAuth session-fixation / open-redirect pattern
// unless token_authorize.php validates it against the consumer's registered callback
// or the one stored with the token — confirm that it does.
$callback_url = $req->get_parameter('oauth_callback');
// Warn when this consumer already holds access tokens for the current user.
$t_access_tokens = OauthAuthzAccessToken::load_by_consumer($consumer->getId(), $user_id);
$already_authorized = count($t_access_tokens);
if ($already_authorized > 0) {
echo "<p><b>ATTENTION: You have already $already_authorized authorized access for this consumer on your behalf. You are advised to delete previous access tokens first.</b></p>";
// Describe the pending request. NOTE(review): getName() is interpolated into HTML
// unescaped; if consumer names can be registered by ordinary users this is a stored
// XSS vector — wrap it in htmlspecialchars() unless it is sanitized at storage time.
echo sprintf( _('Consumer <b>"%s"</b> wants to be authorized to access Fusionforge on your behalf (asked %s)'), $consumer->getName(), $date ) . ' ';
echo "<table><tr><td>";
// $time_stamp is expected to be set only for fresh tokens (see the 24-hour check above).
if( isset($time_stamp) ) {
echo '<form action="token_authorize.php" method="post">';
// Per-form CSRF token; token_authorize.php must validate it before acting.
echo '<input type="hidden" name="plugin_oauthprovider_token_authorize_token" value="'.form_generate_key().'"/>';
echo '<input type="hidden" name="token_id" value="'.$t_request_token->getId().'"/>';
// urlencode() keeps the attribute value free of quotes and angle brackets; the
// receiving script must urldecode() it or it arrives double-encoded — TODO confirm.
echo '<input type="hidden" name="callback_url" value="'.urlencode($callback_url).'"/>';
// Let the user choose which of their project roles the consumer will act under.
// $roles is presumably built by the role loop earlier in this file (body not shown);
// the displayable role name is emitted unescaped as well.
echo "<table><tr><td>Role:</td><td><select name=\"rolelist\">";
foreach($roles as $role) {
echo '<option value="'.$role->getID().'">'.$role->getDisplayableName().'</option>';
echo "</select></td>";
echo '<td><input type="submit" value="'. _('Authorize') .'"/></td></tr></table>';
// Stale token (else branch, opening line not shown): only a dead Authorize link.
print "<a href=\"\">". _('Authorize') ."</a>" ;
// Denying is always possible, whatever the token age; token_deny.php gets its
// own CSRF token.
echo '<form action="token_deny.php" method="post">';
echo '<input type="hidden" name="plugin_oauthprovider_token_deny_token" value="'.form_generate_key().'"/>';
echo '<input type="hidden" name="token_id" value="'.$t_request_token->getId().'"/>';
echo "<table><tr><td><b>OR</b></td>";
echo '<td><input type="submit" value="'. _('Deny') .'"/></td></tr></table>';
echo '</td></tr></table>'
148 <?php // TODO needs translation ?>
149 <p><b>Security-related notices :</b></p>
<li>Fusionforge cannot verify in a fully trusted way that this request was
actually made by the named OAuth Consumer. You should be able to tell yourself,
since you were redirected here from that Consumer application.</li>
154 <li>Currently, this feature implements only a one-time access to a dummy page</li>
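<p>Could not find token <?php
	// oauth_token is untrusted request input: escape it before reflecting it into
	// the page, otherwise this is a reflected XSS sink. The cast covers a missing
	// parameter (null), which newer PHP versions reject in htmlspecialchars().
	echo htmlspecialchars((string)$p_token, ENT_QUOTES, 'UTF-8');
?>!</p>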
// Any error raised by the OAuth library (malformed request, bad signature, ...)
// ends the page here. NOTE(review): the raw exception message is handed to
// error_parameters() for display; check that it cannot echo request parameters
// back unescaped or leak internal details to the user.
} catch (OAuthException $e) {
error_parameters($e->getMessage(), "OauthAuthz");
// exit_error() presumably terminates the script, so the footer is skipped on error.
exit_error( "Oauth authorisation error!", 'oauthprovider' );
site_project_footer(array());