helpers do

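  # Authentication/authorization gate for the current request.
  #
  # Lets the request through when authorized?(subjectid) holds; otherwise
  # rejects it in the way that suits the client type:
  # - with a session (env["session"] present): browser client, set a flash
  #   notice and redirect back
  # - without a session but with a subjectid: API client, log the offending
  #   URI at debug level and raise
  # - neither: raise without logging
  #
  # NOTE(review): env["session"] is not the Rack SPEC session key
  # (rack.session); confirm which middleware populates it, otherwise browser
  # clients always end up in the raising branch.
  #
  # @param [String, nil] subjectid security token resolved by the before filter
  # @raise [OpenTox::NotAuthorizedError] when the request is not authorized
  #   and no session is present
  # @return [void]
  def protected!(subjectid)
    return if authorized?(subjectid)

    if env["session"]
      flash[:notice] = "You don't have access to this section: "
      redirect back
    else
      if subjectid
        # Build the request URI once; it is logged both cleaned and verbatim.
        # The token itself is deliberately not logged.
        full_uri = "#{request.env['rack.url_scheme']}://#{request.env['HTTP_HOST']}#{request.env['REQUEST_URI']}"
        LOGGER.debug "URI not authorized: clean: #{clean_uri(full_uri)} full: #{full_uri} with request: #{request.env['REQUEST_METHOD']}"
      end
      raise OpenTox::NotAuthorizedError, "Not authorized"
    end
  end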

  # Asks the A&A service whether +subjectid+ may perform the current request.
  #
  # The request URI is normalised with clean_uri before the lookup. A POST to
  # a single model URI (/model/<id>) is checked as if it were a GET, i.e. only
  # read permission on the model is required for that call; keep this
  # relaxation in mind when reviewing policies.
  #
  # @param [String, nil] subjectid security token
  # @return whatever OpenTox::Authorization.authorized? returns (expected to
  #   be boolean)
  def authorized?(subjectid)
    uri = clean_uri("#{request.env['rack.url_scheme']}://#{request.env['HTTP_HOST']}#{request.env['REQUEST_URI']}")
    http_method = request.env['REQUEST_METHOD']
    http_method = "GET" if http_method == "POST" && uri =~ /\/model\/\d+\/?$/
    OpenTox::Authorization.authorized?(uri, http_method, subjectid)
  end

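  # Normalises a request URI into the canonical form used for A&A policy
  # lookups: scheme, host, optional non-default port and path only.
  #
  # Steps, in order:
  # 1. replace spaces with "%20" so URI.parse accepts the string
  # 2. cut everything from "InChI=" onwards (compound URIs carry the InChI as
  #    a raw suffix that is not a valid URI component)
  # 3. parse; query string and fragment are dropped by rebuilding the URI
  #    from its components
  # 4. cut the path after the first "/<digits>/" segment, so a sub-resource
  #    (e.g. /model/12/foo) is authorized against its parent (/model/12)
  # 5. strip a trailing slash
  #
  # The port is emitted as ":<port>" only when it differs from the scheme's
  # default, so http://host:80/x and http://host/x normalise identically.
  # (The previous version concatenated the Integer port into the string and
  # raised TypeError for every non-80 port, including https.)
  #
  # NOTE(review): the old header mentioned file-extension stripping; no such
  # step exists here.
  #
  # @param [String] uri absolute URI as assembled from the Rack env
  # @return [String] normalised URI
  # @raise [URI::InvalidURIError] if the cleaned string is still not a valid URI
  def clean_uri(uri)
    cleaned = uri.gsub(" ", "%20")
    inchi_start = cleaned.index("InChI=")
    cleaned = cleaned[0, inchi_start] if inchi_start

    parsed = URI.parse(cleaned)

    # Keep the path up to and including the first "/<digits>/" segment.
    path = parsed.path
    first_id = path.match(/\/\d+\//)
    path = path[0, first_id.end(0)] if first_id

    port = parsed.port == parsed.default_port ? "" : ":#{parsed.port}"
    "#{parsed.scheme}://#{parsed.host}#{port}#{path.chomp('/')}"
  end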

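  # Whether the current request targets the login page, which must stay
  # reachable without a security token.
  #
  # Anchored with \z so only a URI that really ends in "/login" qualifies;
  # "$" would also match before an embedded newline.
  #
  # @return [Integer, nil] match position (truthy) or nil, as returned by =~
  def login_requests
    env['REQUEST_URI'] =~ /\/login\z/
  end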

end

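before do
  # Resolve the caller's security token and enforce A&A unless the request
  # is exempt. Guard order is significant: CONFIG[:authorization] is only
  # consulted when an A&A server is configured, as in the original filter.
  next unless AA_SERVER
  next if login_requests
  next if CONFIG[:authorization][:free_request].include?(env['REQUEST_METHOD'])

  begin
    # Token lookup order: session, request parameter, SUBJECTID header, cookie.
    # NOTE(review): accepting the token as a request parameter means it can
    # end up in access logs and referrers; the header or cookie form is
    # preferable for clients that can send it.
    subjectid = session[:subjectid] ||
                params[:subjectid] ||
                request.env['HTTP_SUBJECTID'] ||
                request.cookies["subjectid"]
    # No token at all is a legitimate state (anonymous request); protected!
    # decides whether that is acceptable. Previously this case was reached
    # only via NoMethodError on nil being rescued below.
    subjectid = "" if subjectid.nil?
    # Tokens may arrive percent-encoded, see http://rack.rubyforge.org/doc/SPEC.html
    subjectid = CGI.unescape(subjectid) if subjectid.include?("%23")
  rescue StandardError => e
    # Best-effort: a broken session or cookie store must not take the request
    # down; treat it as anonymous and let protected! reject it if necessary.
    # Only the exception class is logged so no token material reaches the log.
    LOGGER.debug "helper before filter: could not resolve subjectid (#{e.class})"
    subjectid = ""
  end
  @subjectid = subjectid
  protected!(subjectid)
end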