jmueller17 · jmueller17 · Jan 18, 2019 · Nov 20, 2018 · Dec 8, 2018 · Dec 10, 2018
diff --git a/activate_roles.php b/activate_roles.php
@@ -14,10 +14,10 @@
     <?php echo aixada_js_src(); ?>
 
  	<script type="text/javascript" src="js/jqueryui/i18n/jquery.ui.datepicker-<?=$language;?>.js" ></script>
-
 
-
-    <?php $the_role = $_SESSION['userdata']['current_role']; ?>
+    <?php 
+        $the_role = get_current_role();
+    ?>
 	<script type="text/javascript">
 	$(function(){
 		$.ajaxSetup({ cache: false });

diff --git a/js/aixadacart/jquery.aixadacart.js b/js/aixadacart/jquery.aixadacart.js
@@ -143,7 +143,11 @@
 
   							    },
   							   error : function(XMLHttpRequest, textStatus, errorThrown){
-  							    	$this.data('aixadacart').submitError.call($this,XMLHttpRequest.responseText);
+                                    if (XMLHttpRequest.responseText === $.aixadaUtilities_lang.NOT_LOGGED_IN) {
+                                        $.AixadaNotLoggedInMsg();
+                                    } else {
+                                        $this.data('aixadacart').submitError.call($this,XMLHttpRequest.responseText);
+                                    }
   							    	//alert(errorThrown);
 
   							    	//updateCartTips.call($this,'error',XMLHttpRequest.responseText);

diff --git a/js/aixadautilities/i18n/aixadaUtilities-ca-va.js b/js/aixadautilities/i18n/aixadaUtilities-ca-va.js
@@ -0,0 +1,10 @@
+(function($){
+	$.extend({
+		aixadaUtilities_lang : {
+            NOT_LOGGED_IN: "Not logged in",
+			btn_ok: "D'acord",
+            not_logged_in: "La sessió d'usuari no està iniciada",
+            must_identify: "Ha d'identificar-se!"
+		}
+	});
+})(jQuery);
diff --git a/js/aixadautilities/i18n/aixadaUtilities-en.js b/js/aixadautilities/i18n/aixadaUtilities-en.js
@@ -0,0 +1,10 @@
+(function($){
+	$.extend({
+		aixadaUtilities_lang: {
+            NOT_LOGGED_IN: "Not logged in",
+            btn_ok: "Ok",
+            not_logged_in: "User is not logged in",
+            must:identify: "You must identify!"
+		}
+	});
+})(jQuery);
diff --git a/js/aixadautilities/i18n/aixadaUtilities-es.js b/js/aixadautilities/i18n/aixadaUtilities-es.js
@@ -0,0 +1,10 @@
+(function($){
+	$.extend({
+		aixadaUtilities_lang: {
+            NOT_LOGGED_IN: "Not logged in",
+			btn_ok: "De acuerdo",
+            not_logget_in: "La sesión de usuario no está iniciada",
+            must_identify: "¡Debe identificarse!"
+		}
+	});
+})(jQuery);
diff --git a/js/aixadautilities/jquery.aixadaMenu.js b/js/aixadautilities/jquery.aixadaMenu.js
@@ -54,10 +54,9 @@ $(function(){
 		var rq_uri = window.location;
    		$.ajaxQueue({
    			type: "POST",
-            url: "php/ctrl/Cookie.php?change_role_to=" + new_role + "&originating_uri=" + rq_uri,
+            url: "php/ctrl/AixadaSession.php?change_role_to=" + new_role + "&originating_uri=" + rq_uri,
             dataType: "xml",
             success:  function(xml){
-		document.cookie = 'USERAUTH=' + escape($(xml).find('cookie').text());
 		window.location.href = $(xml).find('navigation').text(); 
    			}   		
    		});
@@ -87,7 +86,7 @@ $(function(){
 		var rq_uri = window.location;
    		$.ajaxQueue({
    			type: "POST",
-            url: "php/ctrl/Cookie.php?change_lang_to=" + new_lang + "&originating_uri=" + rq_uri,
+            url: "php/ctrl/AixadaSession.php?change_lang_to=" + new_lang + "&originating_uri=" + rq_uri,
             dataType: "xml",
             success:  function(xml){
             window.location.href = $(xml).find('navigation').text();

diff --git a/js/aixadautilities/jquery.aixadaUtilities.js b/js/aixadautilities/jquery.aixadaUtilities.js
@@ -323,6 +323,22 @@ $(function(){
 		closeMsg : function(){
 			$('#aixada_msg').dialog( "close" );
 
+		},
+		AixadaNotLoggedInMsg: function() {
+		    var buttonClick = {};
+		    buttonClick[$.aixadaUtilities_lang.btn_ok] = function(){
+		        $(this).dialog("close");
+		        window.location.href = 'login.php';
+		    };
+		    $.showMsg({
+		        title: $.aixadaUtilities_lang.not_logged_in,
+		        msg:   $.aixadaUtilities_lang.must_identify,
+		        buttons: buttonClick,
+		        type: 'error'
+		    });
+		    $("#aixada_msg").on("dialogclose", function() {
+		        window.location.href = 'login.php';
+		    });
 		}
 	});
 

diff --git a/js/aixadautilities/jquery.aixadaXML2HTML.js b/js/aixadautilities/jquery.aixadaXML2HTML.js
@@ -164,8 +164,15 @@
 									},//end success
 
 									error : function(XMLHttpRequest, textStatus, errorThrown){
-	  							    	alert('An error "' + errorThrown + '", status "' + textStatus + '" occurred during loading data: ' + XMLHttpRequest.responseText);
-
+                                        if (XMLHttpRequest.responseText === $.aixadaUtilities_lang.NOT_LOGGED_IN) {
+                                            $.AixadaNotLoggedInMsg();
+                                        } else {
+                                            alert('An error "' + errorThrown + 
+                                                '", status "' + textStatus + 
+                                                '" occurred during loading data: ' +
+                                                XMLHttpRequest.responseText
+                                            );
+                                        }
 	  							    },
 	  							   complete : function(msg){
 

diff --git a/local_config/config.php.sample b/local_config/config.php.sample
@@ -357,26 +357,6 @@ class configuration_vars {
    * users if available. 
    */
   public $incidents_email_list = ""; 
-
-
-
-
-
-  /**
-   * CODE OPTIMIZATIONS
-   */
-
-  /**
-   * @var bool In case the database is parsed, this variable controls if the table_manager objects are stored in $_SESSION or not. Setting this variable to true cuts down considerably on execution time.
-   */
-  public $use_session_cache = true;
-
-  /**
-   * @var bool If true, this variable says to not parse the database every time a page is loaded, but to read the pre-compiled responses from the file canned_responses.php.  Setting this variable to true cuts down considerably on execution time.
-   */
-  public $use_canned_responses = true;
-
-
 
   /**
    * 

diff --git a/login.php b/login.php
@@ -3,13 +3,11 @@
 
 require_once(__ROOT__ . 'php'.DS.'inc'.DS.'authentication.inc.php');
 
-// This controls if the table_manager objects are stored in $_SESSION or not.
-// It looks like doing it cuts down considerably on execution time.
-$use_session_cache = configuration_vars::get_instance()->use_session_cache;
-
 if (!isset($_SESSION)) {
     session_start();
- }
+    $_SESSION['aixada'] = true;
+    session_commit(); // Force write session to create it and able to open $_SESSION faster.
+}
 
 ?>
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
@@ -41,9 +39,6 @@
 	<script type="text/javascript">
 		$(function(){
 			$.ajaxSetup({ cache: false });
-
-			document.cookie = 'USERAUTH=';
-
 			/**
 			 *	logon stuff
 			 */
@@ -55,21 +50,7 @@
 					type: "POST",
                     url: "php/ctrl/Login.php?oper=login",
 					data:dataSerial,		
-					success: function(returned_cookie){
-					    /*
-					      FIXME
-					      there are two very basic security issues here:
-					      1. the dataSerial is posted unencrypted, and so is visible to everyone!
-					      Even encrypting the username/password is no solution, because anyone who intercepts the communication
-					      can just send the encrypted text without knowing what it decrypts to, but can log in anyways.
-					      The solution could be to implement an SSL protocol.
-					      2. The cookie never expires.
-					      This has two parts: here in document.cookie we could set an expiry date;
-					      on the other hand, if the cookie is seen to have expired in cookie.inc.php, 
-					      it is just renewed without any consequence.
-					     */
-					    document.cookie = 'USERAUTH=' + escape(returned_cookie);
-
+					success: function() {
 					    top.location.href = 'index.php';
 
 					},

diff --git a/manage_data.php b/manage_data.php
@@ -15,24 +15,25 @@ function check_manager_exist($table_name) {
     }
 
 	/**
-	 * This function looks at the current_role written to the
-	 * cookie and the $_SESSION['userdata'] to determine if the table
+	 * This function looks at the current_role to determine if the table
 	 * currently requested may be edited by the user in the current role.
 	 */
     function may_edit_table($data_table) {
         $table_aux = strstr($data_table, '_');
         $prefix = strstr($data_table, '_', true);
         if ($prefix !== 'aixada') {
-            $table_aux = '_'.$prefix.$table_aux;
+            $table_aux = '_' . $prefix.$table_aux;
         }
-        $property = 'may_edit'.$table_aux;
-        if (in_array($property, 
-                     configuration_vars::get_instance()->rights_of[$_SESSION['userdata']['current_role']])) {
-            return true;
-        } else {
-            return false;
+        if (is_created_session()) {
+            $rights_of = get_config('rights_of');
+            $current_role = get_current_role();
+            if (in_array('may_edit' . $table_aux, $rights_of[$current_role])) {
+                return true;
+            }
         }
+        return false;
     }
+
     $is_edit = 'false';
     if ($data_manager){
         if (may_edit_table($table_name)) {

diff --git a/manage_ufmember.php b/manage_ufmember.php
@@ -42,7 +42,9 @@
 
 
 		//show/hide reset pwd. 
-		var isAdmin = "<?=$_SESSION['userdata']['current_role'];?>";
+		var isAdmin = "<?php
+            echo get_current_role();
+        ?>";
 		isAdmin = (isAdmin == "Hacker Commission")? true:false; 
 
 

diff --git a/php/ctrl/Account.php b/php/ctrl/Account.php
@@ -8,16 +8,9 @@
 require_once(__ROOT__ . "php/utilities/general.php");
 require_once(__ROOT__ . "php/lib/account_operations.php");
 
-
-$use_session_cache = true; 
-
-
-if (!isset($_SESSION)) {
-    session_start();
- }
-
-
 try{ 
+    validate_session(); // The user must be logged in.
+
    	$ao = new account_operations();
  	switch ($_REQUEST['oper']) {
         case 'getAccounts':

diff --git a/php/ctrl/ActivateProducts.php b/php/ctrl/ActivateProducts.php
@@ -10,22 +10,11 @@
 require_once(__ROOT__ . "php/utilities/dates.php");
 require_once(__ROOT__ . "php/utilities/shop_and_order.php");
 
-
-
-// This controls if the table_manager objects are stored in $_SESSION or not.
-// It looks like doing it cuts down considerably on execution time.
-$use_session_cache = configuration_vars::get_instance()->use_session_cache;
-
-
-
-if (!isset($_SESSION)) {
-    session_start();
- }
-
 //DBWrap::get_instance()->debug = true;
 
 try{
-
+  validate_session(); // The user must be logged in.
+
   switch($_REQUEST['oper']) {
 
 	  case 'listAllOrderableProviders':

diff --git a/php/ctrl/ActivateRoles.php b/php/ctrl/ActivateRoles.php
@@ -7,19 +7,9 @@
 require_once(__ROOT__ . "php/inc/database.php");
 require_once(__ROOT__ . "php/utilities/general.php");
 
-if (!isset($_SESSION)) {
-    session_start();
- }
-
-DBWrap::get_instance()->debug = true;
-
-function get_deactivated_roles($member_id)
-{
-
-}
-
 try{
-  $op_id = $_SESSION['userdata']['uf_id'];
+  validate_session(); // The user must be logged in.
+
   $user_id = isset($_REQUEST['user_id']) ? $_REQUEST['user_id'] : '';
 
 

diff --git a/php/ctrl/Admin.php b/php/ctrl/Admin.php
@@ -7,12 +7,8 @@
 require_once __ROOT__ . "php/inc/adminDatabase.php";
 require_once __ROOT__ . "php/utilities/general.php";
 
-if (!isset($_SESSION)) {
-    session_start();
- }
-
 try{
-
+  validate_session(); // The user must be logged in.
 
   switch (get_param('oper')) {
 

diff --git a/php/ctrl/AixadaSession.php b/php/ctrl/AixadaSession.php
@@ -0,0 +1,47 @@
+<?php
+
+define('DS', DIRECTORY_SEPARATOR);
+define('__ROOT__', dirname(dirname(dirname(__FILE__))).DS); 
+
+require_once __ROOT__ . 'php/lib/exceptions.php';
+require_once __ROOT__ . 'php/utilities/general.php';
+
+try {
+
+    $uri = (isset($_REQUEST['originating_uri']) ? $_REQUEST['originating_uri'] : 'index.php');
+    if (isset($_REQUEST['change_role_to'])) {
+        $new_role = $_REQUEST['change_role_to'];
+        if (is_created_session()) {
+            change_session_role($new_role);
+            $fp = get_config('forbidden_pages');
+            if (!$uri || isset($fp[$new_role])) {
+                foreach($fp[$new_role] as $page) {
+                    if (strpos($uri, $page) !== false) {
+                        $uri = 'index.php';
+                        break;
+                    }
+                }
+            }
+        } else {
+            $uri = 'login.php';
+        }
+        printXML('<row><navigation>' . $uri . '</navigation></row>');
+        exit;
+    }
+
+    if (isset($_REQUEST['change_lang_to'])) {
+        $new_lang = $_REQUEST['change_lang_to'];
+        if (is_created_session()) {
+            change_session_language($new_lang);
+        } else {
+            $uri = 'login.php';
+        }
+        printXML('<row><navigation>' . $uri . '</navigation></row>');
+        exit;        
+    }
+}
+
+catch(Exception $e) {
+  header('HTTP/1.0 401 ' . $e->getMessage());
+  die($e->getMessage());
+}