# NOTE(review): everything from the =begin below to the closing =end is a
# Ruby block comment. None of the helpers or the before-filter in this file
# is live code; confirm the authorization logic is loaded from elsewhere
# before relying on this file for any protection.
=begin
helpers do

  # Authorization gate used by the before-filter: lets the request through
  # when authorized?(subjectid) says so, otherwise refuses it in a way that
  # depends on how the caller presented itself (browser session vs. API).
  #
  # @param [String, nil] subjectid A&A token as resolved by get_subjectid
  # @raise [OpenTox::NotAuthorizedError] for non-session callers that are
  #   not authorized
  #
  # Security notes (review):
  # - Session callers are bounced with `redirect back`, i.e. to the Referer
  #   header. That header is client-supplied, so the bounce target is not
  #   under our control and a missing Referer gives no usable target; a
  #   fixed landing page would be the safer choice.
  # - The debug line logs the raw, client-controlled request URI; keep it
  #   at debug level.
  def protected!(subjectid)
    return if authorized?(subjectid)

    if env["session"]
      flash[:notice] = "You don't have access to this section: "
      redirect back
    elsif subjectid
      full_uri = "#{request.env['rack.url_scheme']}://#{request.env['HTTP_HOST']}#{request.env['REQUEST_URI']}"
      LOGGER.debug "URI not authorized: clean: " + clean_uri(full_uri).to_s + " full: #{full_uri} with request: #{request.env['REQUEST_METHOD']}"
      raise OpenTox::NotAuthorizedError.new "Not authorized"
    else
      raise OpenTox::NotAuthorizedError.new "Not authorized"
    end
  end

  # Asks the A&A service whether +subjectid+ may perform the current request.
  # The policy lookup uses the *cleaned* request URI (query string dropped and
  # the path cut after its first numeric id segment, see clean_uri) together
  # with the HTTP method.
  #
  # A POST to a model URI (".../model/<id>", i.e. a prediction request) is
  # checked as GET: read permission on the model is enough to run it.
  #
  # NOTE(review): the URI is rebuilt from HTTP_HOST, i.e. from the client's
  # Host header, so the policy being consulted follows whatever host the
  # client sent. Confirm the service is deployed behind a fixed host, or pin it.
  #
  # @param [String, nil] subjectid
  # @return whatever OpenTox::Authorization.authorized? reports
  def authorized?(subjectid)
    uri = clean_uri("#{request.env['rack.url_scheme']}://#{request.env['HTTP_HOST']}#{request.env['REQUEST_URI']}")
    http_method = request.env['REQUEST_METHOD']
    http_method = "GET" if http_method == "POST" && uri =~ /\/model\/\d+\/?$/
    OpenTox::Authorization.authorized?(uri, http_method, subjectid)
  end

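  # Normalises a request URI into the form the A&A service keys its policies
  # on: scheme://host[:port]/path, where
  #   * every space is percent-encoded (URI.parse rejects raw spaces),
  #   * anything from an embedded "InChI=" onwards is dropped,
  #   * the path is cut right after its first "/<digits>/" segment, so
  #     ".../model/12/predict" and ".../model/12/" both map to ".../model/12",
  #   * the query string and fragment are dropped,
  #   * a default port (80 for http, 443 for https) is omitted,
  #   * a trailing "/" is removed.
  # File extensions are NOT removed.
  #
  # Fix over the previous version: all spaces are encoded, not just the first
  # one (a second space used to make URI.parse raise).
  #
  # NOTE(review): because of the id cut-off, every sub-resource below a numeric
  # id shares the policy of that id; make sure that is intended for each
  # service mounted behind this helper.
  #
  # @param [String] uri absolute URI as seen by the request
  # @return [String] the normalised URI
  # @raise [URI::InvalidURIError] if +uri+ is still unparseable after the
  #   space encoding
  def clean_uri(uri)
    uri = uri.gsub(" ", "%20")
    inchi = uri.index("InChI=")
    uri = uri[0, inchi] if inchi

    out = URI.parse(uri)
    # keep everything up to and including the first "/<digits>/" segment
    id_segment = out.path.match(/\/\d+\//)
    out.path = out.path[0, id_segment.end(0)] if id_segment

    default_port = (out.scheme == "http" && out.port == 80) ||
                   (out.scheme == "https" && out.port == 443)
    port = default_port ? "" : ":#{out.port}"
    "#{out.scheme}://#{out.host}#{port}#{out.path.chomp("/")}"
  end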

  # Requests that are never subject to protected!: anything whose raw
  # REQUEST_URI ends in "/login" (the login form/handler).
  # Returns the match offset (truthy) or nil; the before-filter only needs
  # truthiness.
  #
  # NOTE(review): "$" is a line anchor. Rack leaves REQUEST_URI percent-encoded
  # so a raw newline is not expected here, but "\z" is the strict whole-string
  # anchor to use if this check is ever reworked.
  def login_requests
    env['REQUEST_URI'] =~ /\/login$/
  end

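  # HEAD-requests +urlStr+ and reports whether the server answered 200,
  # forwarding the current A&A token (@subjectid, if set) as a "subjectid"
  # query parameter.
  #
  # Fixes over the previous version:
  #   * the URL's scheme is honoured: https URLs are fetched over TLS instead
  #     of speaking plaintext HTTP to port 443 (which failed, and would have
  #     put the token on the wire unencrypted);
  #   * a URL that already carries a query string gets the token appended
  #     with "&" rather than a second "?".
  #
  # NOTE(review): the token still travels in the query string, where proxies
  # and access logs routinely record it; that is the protocol's choice, not
  # something this helper can change.
  #
  # @param [String] urlStr absolute http(s) URL to probe
  # @return [Boolean] true only for an HTTP 200 response
  # @raise network errors (e.g. SocketError, Errno::ECONNREFUSED) propagate
  #   unchanged, as before
  def uri_available?(urlStr)
    url = URI.parse(urlStr)
    target = url.request_uri
    if @subjectid
      separator = target.include?("?") ? "&" : "?"
      target = "#{target}#{separator}subjectid=#{CGI.escape @subjectid}"
    end
    http = Net::HTTP.new(url.host, url.port)
    http.use_ssl = (url.scheme == "https")
    http.start do |conn|
      return conn.head(target).code == "200"
    end
  end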

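  # Picks up the A&A token for this request; first match wins:
  # session, then the "subjectid" query/form parameter, then the
  # SUBJECTID request header, then the "subjectid" cookie.
  # A token containing the encoded "#" ("%23") is URL-decoded.
  #
  # Sets @subjectid when a token was found and returns it; returns nil
  # (leaving @subjectid untouched) when none was found. Errors raised while
  # looking (e.g. no session middleware) are swallowed and also yield nil,
  # matching the previous best-effort behaviour.
  #
  # Fix over the previous version: the "no token" case no longer relies on
  # nil.include? raising NoMethodError into a bare rescue; it is handled
  # explicitly, so the rescue only covers genuine lookup failures.
  #
  # NOTE(review): accepting the token from the query string means it ends up
  # in access logs and Referer headers; prefer the header or cookie where
  # clients allow it.
  #
  # @return [String, nil]
  def get_subjectid
    subjectid = session[:subjectid]
    subjectid ||= params[:subjectid]
    subjectid ||= request.env['HTTP_SUBJECTID']
    subjectid ||= request.cookies["subjectid"]
    return nil unless subjectid

    # see http://rack.rubyforge.org/doc/SPEC.html
    subjectid = CGI.unescape(subjectid) if subjectid.include?("%23")
    @subjectid = subjectid
  rescue StandardError
    nil
  end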
  # Derives the response format from the file extension of the request path
  # and stores the matching MIME type in @accept (".html" -> text/html, ...).
  # Unknown or absent extensions leave @accept untouched; the method returns
  # the MIME type that was set, or nil.
  def get_extension
    extension = File.extname(request.path_info)
    return nil if extension.empty?

    mime_types = {
      "html"   => 'text/html',
      "yaml"   => 'application/x-yaml',
      "csv"    => 'text/csv',
      "rdfxml" => 'application/rdf+xml',
      "xls"    => 'application/ms-excel',
      "css"    => 'text/css'
    }
    # unsupported formats are deliberately not rejected here
    mime = mime_types[extension.gsub(".", "")]
    @accept = mime if mime
  end
end

# Runs before every route: resolves the caller's A&A token and the requested
# output format, then enforces authorization unless
#   * no A&A server is configured (AA_SERVER falsy),
#   * the request targets the login page, or
#   * the HTTP method is listed in CONFIG[:authorization][:free_request]
#     (those methods bypass the authorization check completely; review that
#     list carefully).
before do
  @subjectid = get_subjectid()
  @accept = get_extension()
  needs_check = AA_SERVER && !login_requests &&
                !CONFIG[:authorization][:free_request].include?(env['REQUEST_METHOD'])
  protected!(@subjectid) if needs_check
end
=end