Third Commit

4 files changed, 96 insertions, 22 deletions

diff --git a/inc/image.inc.php b/inc/image.inc.php
new file mode 100644
index 0000000..2c0ec74
--- /dev/null
+++ b/inc/image.inc.php
@@ -0,0 +1,14 @@
+<?php
+
+class Image
+{
+
+	public static function deleteOwnedBy($userid)
+	{
+		if ($userid === false || !is_numeric($userid))
+			return false;
+		return Database::exec('DELETE FROM image WHERE ownerid = :userid', array('userid' => $userid));
+	}
+
+}
+
diff --git a/inc/session.inc.php b/inc/session.inc.php
index b9adfcb..6718006 100644
--- a/inc/session.inc.php
+++ b/inc/session.inc.php
@@ -4,8 +4,8 @@
 class Session
 {
 	private static $sid = false;
-	private static $uid = false;
 	private static $data = false;
+	private static $needUpdate = true;
 	
 	private static function generateSessionId()
 	{
@@ -26,7 +26,6 @@ class Session
 	public static function create()
 	{
 		self::generateSessionId();
-		self::$uid = 0;
 		self::$data = array();
 	}
 
@@ -38,20 +37,19 @@ class Session
 		if (self::readSessionData()) return true;
 		// Loading session data failed
 		self::delete();
+		return false;
 	}
 
 	public static function getUid()
 	{
-		return self::$uid;
+		return self::get('uid');
 	}
 
 	public static function setUid($value)
 	{
-		if (self::$uid === false)
-			Util::traceError('Tried to set session data with no active session');
 		if (!is_numeric($value) || $value < 1)
 			Util::traceError('Invalid user id: ' . $value);
-		self::$uid = $value;
+		self::set('uid', (int)$value);
 	}
 
 	public static function get($key)
@@ -61,6 +59,16 @@ class Session
 		return false;
 	}
 
+	public static function set($key, $value)
+	{
+		if (!is_array(self::$data))
+			Util::traceError('Tried to set session data with no active session');
+		if (isset(self::$data[$key]) && self::$data[$key] === $value)
+			return;
+		self::$data[$key] = $value;
+		self::$needUpdate = true;
+	}
+
 	private static function loadSessionId()
 	{
 		if (self::$sid !== false)
@@ -73,27 +81,49 @@ class Session
 		self::$sid = $id;
 		return true;
 	}
-	
+
 	public static function delete()
 	{
 		if (self::$sid === false) return;
 		Database::exec('DELETE FROM websession WHERE sid = :sid', array('sid' => self::$sid));
 		@setcookie('sid', '', time() - 8640000, null, null, !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off', true);
 		self::$sid = false;
-		self::$uid = false;
+		self::$data = false;
 	}
-	
+
 	public static function save()
 	{
-		if (self::$sid === false || self::$uid === false || self::$uid === 0)
+		if (self::$sid === false || self::$data === false || !self::$needUpdate)
 			return;
-		$ret = Database::exec('INSERT INTO websession (sid, userid, dateline) '
-			. ' VALUES (:sid, :uid, UNIX_TIMESTAMP()) '
-			. ' ON DUPLICATE KEY UPDATE userid = VALUES(userid), dateline = VALUES(dateline)',
-			array('sid' => self::$sid, 'uid' => self::$uid));
-		if (!$ret) Util::traceError('Storing session data  in dahdähbank failed.');
+		$data = json_encode(self::$data);
+		$ret = Database::exec('INSERT INTO websession (sid, dateline, data) '
+			. ' VALUES (:sid, UNIX_TIMESTAMP(), :data) '
+			. ' ON DUPLICATE KEY UPDATE dateline = VALUES(dateline), data = VALUES(data)',
+			array('sid' => self::$sid, 'data' => $data));
+		if ($ret === false)
+			Util::traceError('Storing session data in Dahdähbank failed.');
 		$ret = @setcookie('sid', self::$sid, time() + CONFIG_SESSION_TIMEOUT, null, null, !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off', true);
-		if (!$ret) Util::traceError('Error: Could not set Cookie for Client (headers already sent)');
+		if ($ret === false)
+			Util::traceError('Error: Could not set Cookie for Client (headers already sent)');
 	}
+
+	public static function readSessionData()
+	{
+		if (self::$sid === false || self::$data !== false)
+			Util::traceError('Tried to readSessionData on an active session!');
+		$data = Database::queryFirst('SELECT dateline, data FROM websession WHERE sid = :sid LIMIT 1', array('sid' => self::$sid));
+		if ($data === false)
+			return false;
+		if ($data['dateline'] + CONFIG_SESSION_TIMEOUT < time()) {
+			self::delete();
+			return false;
+		}
+		self::$needUpdate = ($data['dateline'] + 3600 < time());
+		self::$data = @json_decode($data['data'], true);
+		if (!is_array(self::$data))
+			self::$data = array();
+		return true;
+	}
+
 }
 
diff --git a/inc/user.inc.php b/inc/user.inc.php
index f023ae7..496857e 100644
--- a/inc/user.inc.php
+++ b/inc/user.inc.php
@@ -7,6 +7,7 @@ class User
 	private static $organization = NULL;
 	private static $isShib = false;
 	private static $isInDb = false;
+	private static $isAnonymous = false;
 
 	public static function isLoggedIn()
 	{
@@ -28,11 +29,23 @@ class User
 		return self::$user !== false && self::$isShib === false;
 	}
 
+	public static function isAnonymous()
+	{
+		return self::$isAnonymous;
+	}
+
 	public static function getData()
 	{
 		return self::$user;
 	}
 
+	public static function getId()
+	{
+		if (!isset(self::$user['userid']))
+			return false;
+		return (int)self::$user['userid'];
+	}
+
 	public static function getName()
 	{
 		if (!self::isLoggedIn())
@@ -97,7 +110,7 @@ class User
 	{
 		if (self::isLoggedIn())
 			return true;
-		Session::load();
+		$hasSession = Session::load();
 		if (empty($_SERVER['persistent-id'])) {
 			if (Session::getUid() === false)
 				return false;
@@ -106,6 +119,11 @@ class User
 			return self::$user !== false;
 		}
 		// Try bwIDM etc.
+		if (!$hasSession) {
+			Session::create();
+			Session::set('token', md5(mt_rand() . $_SERVER['REMOTE_ADDR'] . microtime(true) . $_SERVER['persistent-id'] . mt_rand()));
+			Session::save();
+		}
 		self::$isShib = true;
 		if (!isset($_SERVER['sn'])) $_SERVER['sn'] = '';
 		if (!isset($_SERVER['givenName'])) $_SERVER['givenName'] = '';
@@ -133,9 +151,14 @@ class User
 			// No match in database, user is not signed up
 			return true;
 		}
+		if (Session::getUid() === false) {
+			Session::setUid($user['userid']);
+			Session::save();
+		}
 		// Already signed up, see if we can fetch missing fields from DB
 		self::$user['login'] = $user['login'];
 		self::$isInDb = true;
+		self::$isAnonymous = (empty($user['firstname']) && empty($user['lastname']));
 		foreach (array('firstname', 'lastname', 'email') as $key) {
 			if (empty(self::$user[$key]))
 				self::$user[$key] = $user[$key];
@@ -149,13 +172,15 @@ class User
 			Util::traceError('NO SHIBID');
 		if ($anonymous) {
 			Database::exec("INSERT INTO user (shibid, login, organizationid, firstname, lastname, email) "
-				. " VALUES (:shibid, :shibid, :org, '', '', '')", array(
+				. " VALUES (:shibid, :shibid, :org, '', '', '') "
+				. " ON DUPLICATE KEY UPDATE firstname = '', lastname = '', email = ''", array(
 					'shibid' => self::$user['shibid'],
 					'org'    => self::getOrganizationId()
 			));
 		} else {
 			Database::exec("INSERT INTO user (shibid, login, organizationid, firstname, lastname, email) "
-				. " VALUES (:shibid, :shibid, :org, :firstname, :lastname, :email)", array(
+				. " VALUES (:shibid, :shibid, :org, :firstname, :lastname, :email) "
+				. " ON DUPLICATE KEY UPDATE firstname = VALUES(firstname), lastname = VALUES(lastname), email = VALUES(email)", array(
 					'shibid' => self::$user['shibid'],
 					'firstname' => self::$user['firstname'],
 					'lastname' => self::$user['lastname'],
@@ -181,8 +206,13 @@ class User
 
 	public static function logout()
 	{
+		foreach ($_COOKIE as $name => $value) {
+			if (substr($name, 0, 5) !== '_shib')
+				continue;
+			@setcookie($name, '', time() - 8640000, null, null, !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off', true);
+		}
 		Session::delete();
-		Header('Location: ?do=Main&fromlogout');
+		Header('Location: ?do=Logout&noredirect=yes');
 		exit(0);
 	}
 
diff --git a/inc/util.inc.php b/inc/util.inc.php
index 4378a08..aaf46c6 100644
--- a/inc/util.inc.php
+++ b/inc/util.inc.php
@@ -95,11 +95,11 @@ SADFACE;
 	 */
 	public static function verifyToken()
 	{
-		if (Session::get('token') === false)
+		if (Session::get('token') === false && Session::getUid() === false)
 			return true;
 		if (isset($_REQUEST['token']) && Session::get('token') === $_REQUEST['token'])
 			return true;
-		Message::addError('token');
+		Message::addError('Fehlerhaftes Token!');
 		return false;
 	}