<?php
// WebSVN - Subversion repository viewing via the web using PHP
// Copyright (C) 2004-2006 Tim Armes
//
// This program is free software; you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation; either version 2 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.	See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License
// along with this program; if not, write to the Free Software
// Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA	02111-1307	USA
//
// --
//
// authz.php
//
// Handle SVN access file

class Authorization {
	var $accessCache	= array();
	var $accessFile		= null;
	var $user			= null;

	// {{{ __construct

	function __construct() {
		$this->setUsername();
	}

	// }}}

	function hasUsername() {
		return $this->user !== null;
	}

	function addAccessFile($accessFile) {
		$this->accessFile = $accessFile;
	}

	// {{{ setUsername()
	//
	// Set the username from the current http session

	function setUsername() {
		if (isset($_SERVER['REMOTE_USER'])) {
			$this->user = $_SERVER['REMOTE_USER'];
		} else if (isset($_SERVER['REDIRECT_REMOTE_USER'])) {
			$this->user = $_SERVER['REDIRECT_REMOTE_USER'];
		} else if (isset($_SERVER['PHP_AUTH_USER'])) {
			$this->user = $_SERVER['PHP_AUTH_USER'];
		}
	}

	// }}}

	// Private function to simplify creation of common SVN authz command string text.
	function svnAuthzCommandString($repo, $path, $checkSubDirs = false) {
		global $config;

		$cmd			= $config->getSvnAuthzCommand();
		$repoAndPath	= '--repository ' . quote($repo) . ' --path ' . quote($path);
		$username		= !$this->hasUsername()	? '' : '--username ' . quote($this->user);
		$subDirs		= !$checkSubDirs		? '' : '-R';
		$authzFile		= quote($this->accessFile);
		$retVal			= "{$cmd} {$repoAndPath} {$username} {$subDirs} {$authzFile}";

		return $retVal;
	}

	// {{{ hasReadAccess
	//
	// Returns true if the user has read access to the given path

	function hasReadAccess($repos, $path, $checkSubDirs = false) {
		if ($this->accessFile == null)
			return false;

		if ($path == '' || $path[0] != '/') {
			$path = '/'.$path;
		}

		$cmd	= $this->svnAuthzCommandString($repos, $path, $checkSubDirs);
		$result	= 'no';

		// Access checks might be issued multiple times for the same repos and paths within one and
		// the same request, introducing a lot of overhead because of "svnauthz" especially with
		// many repos under Windows. The easiest way to somewhat optimize it for different scenarios
		// is using a cache.
		//
		// https://github.com/websvnphp/websvn/issues/78#issuecomment-489306169
		$cache			=& $this->accessCache;
		$cached			= isset($cache[$cmd])	? $cache[$cmd]		: null;
		$cachedWhen		= isset($cached)		? $cached['when']	: 0;
		$cachedExpired	= (time() - 60) > $cachedWhen;

		if ($cachedExpired) {
			// Sorting by "when" should be established somehow to only remove the oldest element
			// instead of an arbitrary first one, which might be the newest added last time.
			if (count($cache) >= 1000) {
				array_shift($cache);
			}

			$result			= runCommand($cmd)[0];
			$cache[$cmd]	= array('when'		=> time(),
									'result'	=> $result);
		} else {
			$result = $cached['result'];
		}

		return $result != 'no';
	}

	// }}}

	// {{{ hasUnrestrictedReadAccess
	//
	// Returns true if the user has read access to the given path and too
	// all subdirectories

	function hasUnrestrictedReadAccess($repos, $path) {
		return $this->hasReadAccess($repos, $path, true);
	}

	// }}}

}