From 205846e41a0fbd446d92a0c3e21df54a91d99db5 Mon Sep 17 00:00:00 2001
From: Marcin Haba <marcin.haba@bacula.pl>
Date: Wed, 30 Dec 2015 00:03:51 +0100
Subject: [PATCH] baculum: Prevent opening new sessions for each request

---
 gui/baculum/protected/Class/API.php           |  1 +
 gui/baculum/protected/Class/BaculumAPI.php    |  2 +-
 gui/baculum/protected/Class/BaculumUser.php   |  6 +++-
 .../protected/Class/BaculumUsersManager.php   | 34 +++++++++++++++----
 4 files changed, 34 insertions(+), 9 deletions(-)

diff --git a/gui/baculum/protected/Class/API.php b/gui/baculum/protected/Class/API.php
index 9d109fbb4d..b04df45407 100644
--- a/gui/baculum/protected/Class/API.php
+++ b/gui/baculum/protected/Class/API.php
@@ -39,6 +39,7 @@ class API extends TModule {
 		curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
 		curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
 		curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
+		curl_setopt($ch, CURLOPT_COOKIE, 'PHPSESSID=' . md5(session_id()));
 		curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_ANY);
 		curl_setopt($ch, CURLOPT_USERPWD, $this->appCfg['baculum']['login'] . ':' . $this->appCfg['baculum']['password']);
 		return $ch;
diff --git a/gui/baculum/protected/Class/BaculumAPI.php b/gui/baculum/protected/Class/BaculumAPI.php
index 50d4526cfd..0ed249aede 100644
--- a/gui/baculum/protected/Class/BaculumAPI.php
+++ b/gui/baculum/protected/Class/BaculumAPI.php
@@ -53,7 +53,7 @@ abstract class BaculumAPI extends TPage
 		$user = isset($_SERVER['HTTP_X_BACULUM_USER']) ? $_SERVER['HTTP_X_BACULUM_USER']: null;
 		$pwd = isset($_SERVER['HTTP_X_BACULUM_PWD']) ? $_SERVER['HTTP_X_BACULUM_PWD']: null;
 		if(!is_null($user) && !is_null($pwd)) {
-			$logged = $this->Application->getModule('auth')->login($user, $pwd);
+			$logged = $this->Application->getModule('users')->loginUser($user, $pwd);
 			if ($logged === true) {
 				$this->user = ($this->User->getIsAdmin() === false) ? $user : null;
 			} else {
diff --git a/gui/baculum/protected/Class/BaculumUser.php b/gui/baculum/protected/Class/BaculumUser.php
index 4cf3a8eaa9..d5116e5b05 100644
--- a/gui/baculum/protected/Class/BaculumUser.php
+++ b/gui/baculum/protected/Class/BaculumUser.php
@@ -22,7 +22,7 @@
 
 Prado::using('System.Security.TUser');
 
-class BaculumUser extends TUser {
+class BaculumUser extends TUser implements IUser {
 
 	private $_id;
 	private $_pwd;
@@ -46,5 +46,9 @@ class BaculumUser extends TUser {
 	public function getIsAdmin() {
 		return $this->isInRole('admin');
 	}
+
+	public function getIsUser() {
+		return $this->isInRole('user');
+	}
 }
 ?>
diff --git a/gui/baculum/protected/Class/BaculumUsersManager.php b/gui/baculum/protected/Class/BaculumUsersManager.php
index f47e0b57e5..cb7a08862d 100644
--- a/gui/baculum/protected/Class/BaculumUsersManager.php
+++ b/gui/baculum/protected/Class/BaculumUsersManager.php
@@ -50,11 +50,11 @@ class BaculumUsersManager extends TModule implements IUserManager {
 
 	public function getUser($username = null) {
 		$user = new BaculumUser($this);
+		$user->setIsGuest(false);
 		$id = sha1(time());
 		$user->setID($id);
 		$user->setName($username);
-		$user->setIsGuest(false);
-		if ($username != null) {
+		if (!is_null($username)) {
 			$user->setPwd($this->users[$username]);
 		}
 		if(is_null($this->config) || $this->config['baculum']['login'] === $username) {
@@ -66,16 +66,36 @@ class BaculumUsersManager extends TModule implements IUserManager {
 	}
 
 	public function getUserFromCookie($cookie) {
-		return;
+		$data = $cookie->Value;
+		if (!empty($data)) {
+			$data = $this->Application->SecurityManager->validateData($data);
+			if ($data != false) {
+				$data = unserialize($data);
+				if (is_array($data) && count($data) === 3) {
+					list($username, $address, $token) = $data;
+					return $this->getUser($username);
+				}
+			}
+		}
 	}
 
 	public function saveUserToCookie($cookie) {
-		return;
+		$address = $this->Application->Request->UserHostAddress;
+		$username = $this->User->getName();
+		$token = $this->User->getID();
+		$data = array($username, $address, $token);
+		$data = serialize($data);
+		$data = $this->Application->SecurityManager->hashData($data);
+		$cookie->setValue($data);
 	}
 
-	public function loginUser() {
-		$enc_pwd = $this->Application->getModule('configuration')->getCryptedPassword($_SERVER['PHP_AUTH_PW']);
-		$logged = $this->Application->getModule('auth')->login($_SERVER['PHP_AUTH_USER'], $enc_pwd);
+	public function loginUser($user = null, $pwd = null) {
+		if (is_null($user) && is_null($pwd)) {
+			$user = $_SERVER['PHP_AUTH_USER'];
+			$pwd = $this->Application->getModule('configuration')->getCryptedPassword($_SERVER['PHP_AUTH_PW']);
+		}
+		$logged = $this->Application->getModule('auth')->login($user, $pwd, 86400);
+		return $logged;
 	}
 }
 ?>
-- 
2.39.2