From dff68e21ac958ebfb8164bca4cb2143c427f4330 Mon Sep 17 00:00:00 2001 From: Christian Weiske Date: Mon, 17 Sep 2012 23:01:07 +0200 Subject: [PATCH] use deny-by-default security --- data/templates/forbidden.htm | 26 ++++++++--------------- www/delete.php | 3 --- www/display.php | 4 +--- www/doap.php | 1 + www/edit.php | 3 --- www/forbidden.php | 11 ++++++++++ www/fork.php | 3 --- www/index.php | 7 ++++++- www/list.php | 4 +--- www/login.php | 1 + www/new.php | 4 +--- www/raw.php | 7 +++---- www/revision.php | 6 ++---- www/search.php | 1 + www/user.php | 3 --- www/www-header.php | 2 ++ www/www-security.php | 40 ++++++++++++++++++++++++++++++++++++ 17 files changed, 78 insertions(+), 48 deletions(-) create mode 100644 www/forbidden.php create mode 100644 www/www-security.php diff --git a/data/templates/forbidden.htm b/data/templates/forbidden.htm index d7d3b61..04b8fb6 100644 --- a/data/templates/forbidden.htm +++ b/data/templates/forbidden.htm @@ -3,23 +3,13 @@ {% block content %} -
- Access Denied - -

We're sorry, your identity is not authorized:

-

{{ identity }}

-

If you feel this message is in error, please notify the site admin - and include your identity.

-
+acces denied +

Access Denied

+

+ We're sorry; but you are not allowed to access this page. +

+

+ You may log in if you want. +

{% endblock %} -{% block sidebar %} - {% if recents.results %} -

Recently created

- - {% endif %} -{% endblock %} diff --git a/www/delete.php b/www/delete.php index 85f6258..6d68ae4 100644 --- a/www/delete.php +++ b/www/delete.php @@ -4,9 +4,6 @@ namespace phorkie; * Delete paste or ask for deletion */ require_once 'www-header.php'; -if ($GLOBALS['phorkie']['auth']['secure'] > 0) { - include_once 'secure.php'; -} $repo = new Repository(); $repo->loadFromRequest(); diff --git a/www/display.php b/www/display.php index 6f754d9..534a119 100644 --- a/www/display.php +++ b/www/display.php @@ -3,10 +3,8 @@ namespace phorkie; /** * Display paste contents */ +$pageRequiresLogin = false; require_once 'www-header.php'; -if ($GLOBALS['phorkie']['auth']['secure'] == 2) { - include_once 'secure.php'; -} $repo = new Repository(); $repo->loadFromRequest(); diff --git a/www/doap.php b/www/doap.php index db00df4..f374dba 100644 --- a/www/doap.php +++ b/www/doap.php @@ -4,6 +4,7 @@ namespace phorkie; * Display DOAP of the paste. * Contains a machine-readable project description with Git URL. */ +$pageRequiresLogin = false; require_once 'www-header.php'; $repo = new Repository(); diff --git a/www/edit.php b/www/edit.php index 20e7793..897aada 100644 --- a/www/edit.php +++ b/www/edit.php @@ -4,9 +4,6 @@ namespace phorkie; * Edit paste contents */ require_once 'www-header.php'; -if ($GLOBALS['phorkie']['auth']['secure'] > 0) { - include_once 'secure.php'; -} $repo = new Repository(); $repo->loadFromRequest(); diff --git a/www/forbidden.php b/www/forbidden.php new file mode 100644 index 0000000..fc166eb --- /dev/null +++ b/www/forbidden.php @@ -0,0 +1,11 @@ + diff --git a/www/fork.php b/www/fork.php index 64dceb9..3d1c4b7 100644 --- a/www/fork.php +++ b/www/fork.php @@ -4,9 +4,6 @@ */ namespace phorkie; require_once 'www-header.php'; -if ($GLOBALS['phorkie']['auth']['secure'] > 0) { - include_once 'secure.php'; -} if ($_SERVER['REQUEST_METHOD'] !== 'POST') { throw new Exception_Input('Forking only possible via POST'); 
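Review bot: The first added line of the template, `+acces denied`, misspells the title; the heading added a few lines later already spells it `Access Denied`, so the two should match: `access denied`. Since this text replaces the old identity-bearing message, it is now the only wording a denied visitor sees, which makes the typo more visible than it was before.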
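Review bot: The display.php hunk replaces `if ($GLOBALS['phorkie']['auth']['secure'] == 2) { include_once 'secure.php'; }` with a hard-coded `$pageRequiresLogin = false;`, and the list.php hunk does the same, so the former level-2 behaviour (viewing and listing pastes only when logged in) is no longer expressed anywhere in these files. Unless www-security.php maps the `auth.secure` level itself in the part of it that is not readable in this copy, that configuration option has silently stopped working for these two pages. If the levels are still meant to be honoured, either derive the flag from the setting, `$pageRequiresLogin = $GLOBALS['phorkie']['auth']['secure'] == 2;` (only if the config is loaded before www-header.php is required, which the hunk does not show), or apply the level inside www-security.php and say so in a comment next to each `false`. The same applies in spirit to delete.php, edit.php and fork.php, where the old `> 0` test is removed and the pages now fall into the deny-by-default branch regardless of the configured level.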
diff --git a/www/index.php b/www/index.php index 7ac6fcf..1801831 100644 --- a/www/index.php +++ b/www/index.php @@ -3,6 +3,11 @@ * Jump to the index as per the configuration */ namespace phorkie; +$pageRequiresLogin = false; require_once 'www-header.php'; -require_once $GLOBALS['phorkie']['cfg']['index'].".php"; + +header( + 'Location: ' + . Tools::fullUrl('/' . $GLOBALS['phorkie']['cfg']['index']) +); ?> diff --git a/www/list.php b/www/list.php index 5a394eb..721d20c 100644 --- a/www/list.php +++ b/www/list.php @@ -3,10 +3,8 @@ * List a repository */ namespace phorkie; +$pageRequiresLogin = false; require_once 'www-header.php'; -if ($GLOBALS['phorkie']['auth']['secure'] == 2) { - include_once 'secure.php'; -} $rs = new Repositories(); $page = 0; diff --git a/www/login.php b/www/login.php index f05f980..b8cb512 100644 --- a/www/login.php +++ b/www/login.php @@ -18,6 +18,7 @@ set_include_path( . PATH_SEPARATOR . get_include_path() ); +$pageRequiresLogin = false; require_once 'www-header.php'; require_once 'openid/config.php'; diff --git a/www/new.php b/www/new.php index 0675b4d..5d370f5 100644 --- a/www/new.php +++ b/www/new.php @@ -10,10 +10,8 @@ namespace phorkie; * * Creates and redirects to display page */ +$pageRequiresLogin = true; require_once 'www-header.php'; -if ($GLOBALS['phorkie']['auth']['secure'] > 0) { - include_once 'secure.php'; -} $repopo = new Repository_Post(); if ($repopo->process($_POST, $_SESSION)) { diff --git a/www/raw.php b/www/raw.php index 6b20633..634576d 100644 --- a/www/raw.php +++ b/www/raw.php @@ -1,12 +1,11 @@ loadFromRequest(); diff --git a/www/revision.php b/www/revision.php index 06462af..c4ce9e8 100644 --- a/www/revision.php +++ b/www/revision.php @@ -1,12 +1,10 @@ loadFromRequest(); diff --git a/www/search.php b/www/search.php index cb72c6a..8701911 100644 --- a/www/search.php +++ b/www/search.php 
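Review bot: The replacement of `require_once $GLOBALS['phorkie']['cfg']['index'].".php"` by a `header('Location: ...')` redirect has no comment explaining why an include is no longer acceptable. Presumably the reason is that index.php sets `$pageRequiresLogin = false` before `require_once 'www-header.php'`, so an included page's own `require_once 'www-header.php'` would be a no-op and its login requirement would never be checked; a comment above the `header(` call such as `// redirect rather than include: the target page must run its own access check` would keep the next author from reverting to the include. Consider also ending the script with `exit;` right after the `header()` call so that nothing accidentally added below it can produce output after the redirect.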
@@ -3,6 +3,7 @@ namespace phorkie; /** * Search for a search term */ +$pageRequiresLogin = false; require_once 'www-header.php'; if (!isset($_GET['q']) || $_GET['q'] == '') { diff --git a/www/user.php b/www/user.php index fd851c4..8f305da 100644 --- a/www/user.php +++ b/www/user.php @@ -4,9 +4,6 @@ */ namespace phorkie; require_once 'www-header.php'; -if (!isset($_SESSION['identity'])) { - include_once 'secure.php'; -} if (isset($_POST['name'])) { $_SESSION['name'] = substr(filter_var($_POST['name'], FILTER_SANITIZE_STRING), 0, 35); diff --git a/www/www-header.php b/www/www-header.php index c840315..290e680 100644 --- a/www/www-header.php +++ b/www/www-header.php @@ -72,6 +72,8 @@ $twig = new \Twig_Environment( ); //$twig->addExtension(new \Twig_Extension_Debug()); +require __DIR__ . '/www-security.php'; + function render($tplname, $vars = array()) { $vars['css'] = $GLOBALS['phorkie']['cfg']['css']; diff --git a/www/www-security.php b/www/www-security.php new file mode 100644 index 0000000..241f866 --- /dev/null +++ b/www/www-security.php @@ -0,0 +1,40 @@ + error + require 'forbidden.php'; +} else if (isset($pageRequiresLogin) && !$pageRequiresLogin) { + return; +} + +require 'forbidden.php'; +?> \ No newline at end of file -- 2.30.2
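Review bot: The new `require __DIR__ . '/www-security.php';` in www-header.php is undocumented, although it is now the single point where access is decided for every page. A comment above it along the lines of `// Access gate: denies unless the including page set $pageRequiresLogin = false beforehand` would make the deny-by-default contract visible where pages actually opt in or out. It would also be worth stating in that comment that the check runs only when www-header.php is first included (it is pulled in with require_once), so a page script must not include another page script; the index.php change in this commit works around exactly that, but nothing in the header says so.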
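Review bot: Neither `require 'forbidden.php';` in the www-security.php hunk is followed by `exit;`, so if forbidden.php (also new in this commit; its body is not readable in this copy) renders the template without terminating, control returns through www-header.php and the protected page still executes with the forbidden page merely prepended to its output. Making the gate self-terminating, `require 'forbidden.php'; exit;` in both branches, keeps deny-by-default correct regardless of what forbidden.php does. The head of the file, including whatever precedes the `error` comment fragment, is missing from this copy, so I cannot tell whether the `auth.secure` configuration level is consulted before the `else if (isset($pageRequiresLogin) && !$pageRequiresLogin)` branch; a short header comment naming the three outcomes (flag false → continue, flag true and not logged in → forbidden, flag unset → forbidden) would document the intended contract.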