Home Explore Help
Sign In
bachir
/
popsu-d7
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 1bc61b12ad
Branches Tags
popsu-d7
/
authorize.php

authorize.php 6.4 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173 
  1. <?php
    2. 

  2. 

  3. /**
    4. 

  4.  * @file
    5. 

  5.  * Administrative script for running authorized file operations.
    6. 

  6.  *
    7. 

  7.  * Using this script, the site owner (the user actually owning the files on
    8. 

  8.  * the webserver) can authorize certain file-related operations to proceed
    9. 

  9.  * with elevated privileges, for example to deploy and upgrade modules or
    10. 

  10.  * themes. Users should not visit this page directly, but instead use an
    11. 

  11.  * administrative user interface which knows how to redirect the user to this
    12. 

  12.  * script as part of a multistep process. This script actually performs the
    13. 

  13.  * selected operations without loading all of Drupal, to be able to more
    14. 

  14.  * gracefully recover from errors. Access to the script is controlled by a
    15. 

  15.  * global killswitch in settings.php ('allow_authorize_operations') and via
    16. 

  16.  * the 'administer software updates' permission.
    17. 

  17.  *
    18. 

  18.  * There are helper functions for setting up an operation to run via this
    19. 

  19.  * system in modules/system/system.module. For more information, see:
    20. 

  20.  * @link authorize Authorized operation helper functions @endlink
    21. 

  21.  */
    22. 

  22. 

  23. /**
    24. 

  24.  * Root directory of Drupal installation.
    25. 

  25.  */
    26. 

  26. define('DRUPAL_ROOT', getcwd());
    27. 

  27. 

  28. /**
    29. 

  29.  * Global flag to identify update.php and authorize.php runs, and so
    30. 

  30.  * avoid various unwanted operations, such as hook_init() and
    31. 

  31.  * hook_exit() invokes, css/js preprocessing and translation, and
    32. 

  32.  * solve some theming issues. This flag is checked on several places
    33. 

  33.  * in Drupal code (not just authorize.php).
    34. 

  34.  */
    35. 

  35. define('MAINTENANCE_MODE', 'update');
    36. 

  36. 

  37. /**
    38. 

  38.  * Renders a 403 access denied page for authorize.php.
    39. 

  39.  */
    40. 

  40. function authorize_access_denied_page() {
    41. 

  41.   drupal_add_http_header('Status', '403 Forbidden');
    42. 

  42.   watchdog('access denied', 'authorize.php', NULL, WATCHDOG_WARNING);
    43. 

  43.   drupal_set_title('Access denied');
    44. 

  44.   return t('You are not allowed to access this page.');
    45. 

  45. }
    46. 

  46. 

  47. /**
    48. 

  48.  * Determines if the current user is allowed to run authorize.php.
    49. 

  49.  *
    50. 

  50.  * The killswitch in settings.php overrides all else, otherwise, the user must
    51. 

  51.  * have access to the 'administer software updates' permission.
    52. 

  52.  *
    53. 

  53.  * @return
    54. 

  54.  *   TRUE if the current user can run authorize.php, otherwise FALSE.
    55. 

  55.  */
    56. 

  56. function authorize_access_allowed() {
    57. 

  57.   return variable_get('allow_authorize_operations', TRUE) && user_access('administer software updates');
    58. 

  58. }
    59. 

  59. 

  60. // *** Real work of the script begins here. ***
    61. 

  61. 

  62. require_once DRUPAL_ROOT . '/includes/bootstrap.inc';
    63. 

  63. require_once DRUPAL_ROOT . '/includes/common.inc';
    64. 

  64. require_once DRUPAL_ROOT . '/includes/file.inc';
    65. 

  65. require_once DRUPAL_ROOT . '/includes/module.inc';
    66. 

  66. require_once DRUPAL_ROOT . '/includes/ajax.inc';
    67. 

  67. 

  68. // We prepare only a minimal bootstrap. This includes the database and
    69. 

  69. // variables, however, so we have access to the class autoloader registry.
    70. 

  70. drupal_bootstrap(DRUPAL_BOOTSTRAP_SESSION);
    71. 

  71. 

  72. // This must go after drupal_bootstrap(), which unsets globals!
    73. 

  73. global $conf;
    74. 

  74. 

  75. // We have to enable the user and system modules, even to check access and
    76. 

  76. // display errors via the maintenance theme.
    77. 

  77. $module_list['system']['filename'] = 'modules/system/system.module';
    78. 

  78. $module_list['user']['filename'] = 'modules/user/user.module';
    79. 

  79. module_list(TRUE, FALSE, FALSE, $module_list);
    80. 

  80. drupal_load('module', 'system');
    81. 

  81. drupal_load('module', 'user');
    82. 

  82. 

  83. // We also want to have the language system available, but we do *NOT* want to
    84. 

  84. // actually call drupal_bootstrap(DRUPAL_BOOTSTRAP_LANGUAGE), since that would
    85. 

  85. // also force us through the DRUPAL_BOOTSTRAP_PAGE_HEADER phase, which loads
    86. 

  86. // all the modules, and that's exactly what we're trying to avoid.
    87. 

  87. drupal_language_initialize();
    88. 

  88. 

  89. // Initialize the maintenance theme for this administrative script.
    90. 

  90. drupal_maintenance_theme();
    91. 

  91. 

  92. $output = '';
    93. 

  93. $show_messages = TRUE;
    94. 

  94. 

  95. if (authorize_access_allowed()) {
    96. 

  96.   // Load both the Form API and Batch API.
    97. 

  97.   require_once DRUPAL_ROOT . '/includes/form.inc';
    98. 

  98.   require_once DRUPAL_ROOT . '/includes/batch.inc';
    99. 

  99.   // Load the code that drives the authorize process.
    100. 

  100.   require_once DRUPAL_ROOT . '/includes/authorize.inc';
    101. 

  101. 

  102.   // For the sake of Batch API and a few other low-level functions, we need to
    103. 

  103.   // initialize the URL path into $_GET['q']. However, we do not want to raise
    104. 

  104.   // our bootstrap level, nor do we want to call drupal_initialize_path(),
    105. 

  105.   // since that is assuming that modules are loaded and invoking hooks.
    106. 

  106.   // However, all we really care is if we're in the middle of a batch, in which
    107. 

  107.   // case $_GET['q'] will already be set, we just initialize it to an empty
    108. 

  108.   // string if it's not already defined.
    109. 

  109.   if (!isset($_GET['q'])) {
    110. 

  110.     $_GET['q'] = '';
    111. 

  111.   }
    112. 

  112. 

  113.   if (isset($_SESSION['authorize_operation']['page_title'])) {
    114. 

  114.     drupal_set_title($_SESSION['authorize_operation']['page_title']);
    115. 

  115.   }
    116. 

  116.   else {
    117. 

  117.     drupal_set_title(t('Authorize file system changes'));
    118. 

  118.   }
    119. 

  119. 

  120.   // See if we've run the operation and need to display a report.
    121. 

  121.   if (isset($_SESSION['authorize_results']) && $results = $_SESSION['authorize_results']) {
    122. 

  122. 

  123.     // Clear the session out.
    124. 

  124.     unset($_SESSION['authorize_results']);
    125. 

  125.     unset($_SESSION['authorize_operation']);
    126. 

  126.     unset($_SESSION['authorize_filetransfer_info']);
    127. 

  127. 

  128.     if (!empty($results['page_title'])) {
    129. 

  129.       drupal_set_title($results['page_title']);
    130. 

  130.     }
    131. 

  131.     if (!empty($results['page_message'])) {
    132. 

  132.       drupal_set_message($results['page_message']['message'], $results['page_message']['type']);
    133. 

  133.     }
    134. 

  134. 

  135.     $output = theme('authorize_report', array('messages' => $results['messages']));
    136. 

  136. 

  137.     $links = array();
    138. 

  138.     if (is_array($results['tasks'])) {
    139. 

  139.       $links += $results['tasks'];
    140. 

  140.     }
    141. 

  141.     else {
    142. 

  142.       $links = array_merge($links, array(
    143. 

  143.         l(t('Administration pages'), 'admin'),
    144. 

  144.         l(t('Front page'), '<front>'),
    145. 

  145.       ));
    146. 

  146.     }
    147. 

  147. 

  148.     $output .= theme('item_list', array('items' => $links, 'title' => t('Next steps')));
    149. 

  149.   }
    150. 

  150.   // If a batch is running, let it run.
    151. 

  151.   elseif (isset($_GET['batch'])) {
    152. 

  152.     $output = _batch_page();
    153. 

  153.   }
    154. 

  154.   else {
    155. 

  155.     if (empty($_SESSION['authorize_operation']) || empty($_SESSION['authorize_filetransfer_info'])) {
    156. 

  156.       $output = t('It appears you have reached this page in error.');
    157. 

  157.     }
    158. 

  158.     elseif (!$batch = batch_get()) {
    159. 

  159.       // We have a batch to process, show the filetransfer form.
    160. 

  160.       $elements = drupal_get_form('authorize_filetransfer_form');
    161. 

  161.       $output = drupal_render($elements);
    162. 

  162.     }
    163. 

  163.   }
    164. 

  164.   // We defer the display of messages until all operations are done.
    165. 

  165.   $show_messages = !(($batch = batch_get()) && isset($batch['running']));
    166. 

  166. }
    167. 

  167. else {
    168. 

  168.   $output = authorize_access_denied_page();
    169. 

  169. }
    170. 

  170. 

  171. if (!empty($output)) {
    172. 

  172.   print theme('update_page', array('content' => $output, 'show_messages' => $show_messages));
    173. 

  173. }
    174.