This file is indexed.

/usr/share/perl5/Jifty/API.pm is in libjifty-perl 1.10518+dfsg-1ubuntu2.

This file is owned by root:root, with mode 0o644.

The actual contents of the file can be viewed below.

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
use warnings;
use strict;

package Jifty::API;

=head1 NAME

Jifty::API - Manages and allow reflection on the Jifty::Actions that
make up a Jifty application's API

=head1 SYNOPSIS

 # Find the full name of an action
 my $class = Jifty->api->qualify('SomeAction');

 # New users cannot run some actions
 if (Jifty->web->current_user->age < 18) {
     Jifty->api->deny(qr/Vote|PurchaseTobacco/);
 }

 # Some users cannot even see some actions
 if (Jifty->web->current_user->id > 10) {
     Jifty->api->hide('Foo');
     Jifty->api->show('FooBar');
     Jifty->api->hide('FooBarDeleteTheWorld');
 }

 # Fetch the class names of all actions
 my @actions = Jifty->api->all_actions;

 # Fetch the class names of all the allowed actions
 my @allowed = Jifty->api->actions;

 # Fetch all of the visible actions (some of which may not be allowed)
 my @visible = Jifty->api->visible_actions;

 # Check to see if an action is allowed
 if (Jifty->api->is_allowed('TrueFooBar')) {
     # do something...
 }

 # Check to see if an action is visible
 if (Jifty->api->is_visible('SpamOurUsers')) {
     SpamBot->be_annoying;
 }

 # Undo all allow/deny/restrict/hide calls
 Jifty->api->reset;

=head1 DESCRIPTION

You can fetch an instance of this class by calling L<Jifty/api> in
your application. This object can be used to examine the actions
available within your application and manage access to those actions.

=cut


use base qw/Class::Accessor::Fast Jifty::Object/;


__PACKAGE__->mk_accessors(qw(action_limits));

=head1 METHODS

=head2 new

Creates a new C<Jifty::API> object.

Don't use this, see L<Jifty/api> to access a reference to
C<Jifty::API> in your application.

=cut

sub new {
    my $class = shift;
    my $self  = bless {}, $class;

    # Setup the basic allow/deny rules
    $self->reset;

    # Find all the actions for the API reference (available at __actions)
    Jifty::Module::Pluggable->import(
        search_path => [
            Jifty->app_class("Action"),
            "Jifty::Action",
            map {ref($_)."::Action"} Jifty->plugins,
        ],
        except   => qr/\.#/,
        sub_name => "__actions"
    );

    return ($self);
}

=head2 qualify ACTIONNAME

Returns the fully qualified package name for the given provided
action.  If the C<ACTIONNAME> starts with C<Jifty::> or
C<ApplicationClass::Action>, simply returns the given name; otherwise,
it prefixes it with the C<ApplicationClass::Action>.

=cut

sub qualify {
    my $self   = shift;
    my $action = shift;

    # Get the application class name
    my $base_path = Jifty->config->framework('ApplicationClass');

    # Return the class now if it's already fully qualified
    return $action
        if ($action =~ /^Jifty::/
        or $action =~ /^\Q$base_path\E::/);

    # Otherwise qualify it
    return $base_path . "::Action::" . $action;
}

=head2 reset

Resets which actions are allowed to the defaults; that is, all of the
application's actions, L<Jifty::Action::AboutMe>,
L<Jifty::Action::Autocomplete>, and L<Jifty::Action::Redirect> are allowed and
visible; everything else is denied and hidden. See L</restrict> for the details
of how limits are processed.

=cut

sub reset {
    my $self = shift;

    # Set up defaults
    my $app_actions = Jifty->app_class("Action");

    # These are the default action limits
    $self->action_limits(
        [
            { deny => 1,  hide => 1, restriction => qr/.*/ },
            { allow => 1, show => 1, restriction => qr/^\Q$app_actions\E/ },
            { deny => 1,  hide => 1, restriction => qr/^\Q$app_actions\E::Record::(Create|Delete|Execute|Search|Update)$/ },
            { allow => 1, show => 1, restriction => 'Jifty::Action::AboutMe' },
            { allow => 1, show => 1, restriction => 'Jifty::Action::Autocomplete' },
            { allow => 1, show => 1, restriction => 'Jifty::Action::Redirect' },
        ]
    );
}

=head2 deny_for_get

Denies all actions except L<Jifty::Action::AboutMe>,
L<Jifty::Action::Autocomplete> and L<Jifty::Action::Redirect>. This is to
protect against a common cross-site scripting hole. In your C<before>
dispatcher rules, you can whitelist actions that are known to be read-only.

This is called automatically during any C<GET> request.

=cut

sub deny_for_get {
    my $self = shift;
    $self->deny(qr/.*/);
    $self->allow("Jifty::Action::AboutMe");
    $self->allow("Jifty::Action::Autocomplete");
    $self->allow("Jifty::Action::Redirect");
}

=head2 allow RESTRICTIONS

Takes a list of strings or regular expressions, and adds them in order
to the list of limits for the purposes of L</is_allowed>.  See
L</restrict> for the details of how limits are processed.

Allowing actions also L</show> them.

=cut

sub allow {
    my $self = shift;
    $self->restrict( allow => @_ );
}

=head2 deny RESTRICTIONS

Takes a list of strings or regular expressions, and adds them in order
to the list of limits for the purposes of L</is_allowed>.  See
L</restrict> for the details of how limits are processed.

=cut

sub deny {
    my $self = shift;
    $self->restrict( deny => @_ );
}

=head2 hide RESTRICTIONS

Takes a list of strings or regular expressions, and adds them in order
to the list of limits for the purposes of L</is_visible>.  See
L</restrict> for the details of how limits are processed.

Hiding actions also L</deny> them.

=cut

sub hide {
    my $self = shift;
    $self->restrict( hide => @_ );
}

=head2 show RESTRICTIONS

Takes a list of strings or regular expressions, and adds them in order
to the list of limits for the purposes of L</is_visible>.  See
L</restrict> for the details of how limits are processed.

=cut

sub show {
    my $self = shift;
    $self->restrict( show => @_ );
}

=head2 restrict POLARITY RESTRICTIONS

Method that L</allow>, L</deny>, L</hide>, and L</show> call internally;
I<POLARITY> is one of C<allow>, C<deny>, C<hide>, or C<show>. Limits are
evaluated in the order they're called. The last limit that applies will be the
one which takes effect. Regexes are matched against the class; strings are
fully L</qualify|qualified> and used as an exact match against the class name.
The base set of restrictions (which is reset every request) is set in
L</reset>, and usually modified by the application's L<Jifty::Dispatcher> if
need be.

If you call:

    Jifty->api->deny  ( qr'Foo' );
    Jifty->api->allow ( qr'FooBar' );
    Jifty->api->deny  ( qr'FooBarDeleteTheWorld' );

..then:

    calls to MyApp::Action::Baz will succeed.
    calls to MyApp::Action::Foo will fail.
    calls to MyApp::Action::FooBar will pass.
    calls to MyApp::Action::TrueFoo will fail.
    calls to MyApp::Action::TrueFooBar will pass.
    calls to MyApp::Action::TrueFooBarDeleteTheWorld will fail.
    calls to MyApp::Action::FooBarDeleteTheWorld will fail.

=cut

my %valid_polarity = map { $_ => 1 } qw/allow deny hide show/;

sub restrict {
    my $self         = shift;
    my $polarity     = shift;
    my @restrictions = @_;

    my(undef, $file, $line) = (caller(1));

    # Check the sanity of the polarity
    die "Polarity must be one of: " . join(', ', sort keys %valid_polarity)
        unless $valid_polarity{$polarity};

    for my $restriction (@restrictions) {

        # Don't let the user "allow .*"
        die "For security reasons, Jifty won't let you allow all actions"
            if $polarity eq "allow"
            and ref $restriction
            and $restriction =~ /^\(\?\^?[-xismadlu]*:\^?\.\*\$?\)$/;

        # Fully qualify it if it's a string
        $restriction = $self->qualify($restriction)
            unless ref $restriction;


        if ($polarity eq 'hide') {
            # Hiding an action also denies it
            push @{ $self->action_limits },
                { deny => 1, hide => 1, restriction => $restriction, from => "$file:$line" };
        } elsif ($polarity eq 'allow') {
            # Allowing an action also shows it
            push @{ $self->action_limits },
                { allow => 1, show => 1, restriction => $restriction, from => "$file:$line" };
        } else {
            # Otherwise, add to list of restrictions unmodified
            push @{ $self->action_limits },
                { $polarity => 1, restriction => $restriction, from => "$file:$line" };
        }
    }
}

=head2 is_allowed CLASS

Returns true if the I<CLASS> name (which is fully qualified if it is
not already) is allowed to be executed.  See L</restrict> above for
the rules that the class name must pass.

=cut

sub is_allowed {
    my $self   = shift;
    my $action = shift;

    $self->decide_action_polarity($action, 'allow', 'deny');
}

=head2 is_visible CLASS

Returns true if the I<CLASS> name (which is fully qualified if it is
not already) is allowed to be seen.  See L</restrict> above for
the rules that the class name must pass.

=cut

sub is_visible {
    my $self   = shift;
    my $action = shift;

    $self->decide_action_polarity($action, 'show', 'hide');
}

=head2 decide_action_polarity CLASS, ALLOW, DENY

Returns true if the I<CLASS> name it has the ALLOW restriction, false if it has
the DENY restriction. This is a helper method used by L</is_allowed> and
L</is_visible>.

If no restrictions apply to this action, then false will be returned.

=cut

sub decide_action_polarity {
    my $self  = shift;
    my $class = shift;
    my $allow = shift;
    my $deny  = shift;

    # Qualify the action
    $class = $self->qualify($class);

    # Assume that it doesn't pass; however, the real fallbacks are
    # controlled by L</reset>, above.
    my $valid = 0;

    # Walk all of the limits
    for my $limit ( @{ $self->action_limits } ) {

        # Regexes are =~ matches, strigns are eq matches
        if ( ( ref $limit->{restriction} and $class =~ $limit->{restriction} )
            or ( $class eq $limit->{restriction} ) )
        {

            # If the restriction passes, set the current $allow/$deny
            # bit according to if this was a positive or negative
            # limit
            if ($limit->{$allow}) {
                $valid = 1;
            }
            if ($limit->{$deny}) {
                $valid = 0;
            }
        }
    }

    return $valid;
}

=head2 explain CLASS

Returns a string describing what allow, deny, show, and hide rules
apply to the class name.

=cut

sub explain {
    my $self = shift;
    my $class = shift;

    $class = $self->qualify($class);

    my $str = "";
    for my $limit ( @{$self->action_limits} ) {
        next unless $limit->{from};
        if ( ( ref $limit->{restriction} and $class =~ $limit->{restriction} )
            or ( $class eq $limit->{restriction} ) )
        {
            for my $type (qw/allow deny show hide/) {
                $str .= ucfirst($type)." at ".$limit->{from}.", matches ".$limit->{restriction}."\n"
                    if $limit->{$type};
            }
        }
    }
    return $str;
}

=head2 all_actions

Lists the class names of all actions for this Jifty application,
regardless of which are allowed or hidden.  See also L</actions> and
L</visible_actions>.

=cut

# Plugin actions under Jifty::Plugin::*::Action are mirrored under
# AppName::Action by Jifty::ClassLoader; this code makes all_actions
# reflect this mirroring.
sub all_actions {
    my $self = shift;
    unless ( $self->{all_actions} ) {
        my @actions = $self->__actions;
        my %seen;
        $seen{$_}++ for @actions;
        for (@actions) {
            if (/^Jifty::Plugin::(.*)::Action::(.*)$/) {
                my $classname = Jifty->app_class( Action => $2 );
                push @actions, $classname unless $seen{$classname};
            }
        }
        $self->{all_actions} = \@actions;
    }
    return @{ $self->{all_actions} };
}

=head2 actions

Lists the class names of all of the B<allowed> actions for this Jifty
application; this may include actions under the C<Jifty::Action::>
namespace, in addition to your application's actions.  See also
L</all_actions> and L</visible_actions>.

=cut

sub actions {
    my $self = shift;
    return sort grep { $self->is_allowed($_) } $self->all_actions;
}

=head2 visible_actions

Lists the class names of all of the B<visible> actions for this Jifty
application; this may include actions under the C<Jifty::Action::>
namespace, in addition to your application's actions.  See also
L</all_actions> and L</actions>.

=cut

sub visible_actions {
    my $self = shift;
    return sort grep { $self->is_visible($_) } $self->all_actions;
}

=head1 SEE ALSO

L<Jifty>, L<Jifty::Web>, L<Jifty::Action>

=head1 LICENSE

Jifty is Copyright 2005-2010 Best Practical Solutions, LLC. 
Jifty is distributed under the same terms as Perl itself.

=cut

1;