<?php

/*
Miniature WebDAV implementation for calendaring purposes.
(c) 2008-9 Ulrich M. Schwarz

$Id: publish.php,v 1.7 2009/01/04 11:42:50 ulmi Exp $

Permission is granted to run this code, to make changes for personal use,
and to distribute unmodified copies of this file.
NO permission is granted to distribute modified version of this code.

This software is not intended for productive use. Find the hidden loophole 
that erases your drive first!

Put this file into the directory of the calendars and use the URL 
http://location/of/publish.php/Calendar.ics to access.

Creation of new calendars is disabled by default.
Deletion of calendars is disabled by default.
Uploading of calendars is enabled by default.

There is no access protection, _do_ use the server's HTTP authentication.

We keep a list of IPs that have downloaded the most recent version of the file, 
because empirically, Apple iCal does not appear to update immediately before uploading
a new file. If the calendar has changed in the meantime, the upload will be denied
with error 409. Yes, there is still a race condition, but this should be sufficient
if you don't have a gazillion hits per minute.

Important note: this whitelist is _not_ on a per-calendar basis!

*/

/* CONFIGURATION SECTION */
define('LOGGING', 1); // set to 0 to disable logging, 2 to log downloads, too.
define('MAY_CREATE', 0); // set to 1 to enable creation of new calendars.
define('MAY_DELETE', 0); // set to 1 to enable deletion of calendars. (DANGEROUS!)
define('MAY_UPDATE', 1); // set to 0 to disable writing.
define('KEEP_BACKUP', 5); // keep n+1 levels of old files.
define('CALENDAR_PATH', './');

define('UA_BLACKLIST', "/iCal.*MacOS/"); 
  // these clients are forbidden from PUT and DELETE because they are not
  // shared-calendar safe. I'm looking at you, Apple.

/* END OF CONFIGURATION */

// toggle logging
if(LOGGING > 0) {
  if( ! $logfile = fopen('publish_log.txt','a') ) {
    define('LOGGING', 0); // hack: log file not there
    err('500 Cannot access log file');
  }
}

if (!isset($_SERVER['PATH_INFO']))
  err('500 Only works if PATH_INFO is set');


$whitefile = fopen('./currentusers.txt', 'r');
while($whiteusers[] = fgets($whitefile));
fclose($whitefile);

$icsfile = getICSfilename();
$icsfullpath= CALENDAR_PATH.$icsfile.".ics";


switch($_SERVER['REQUEST_METHOD']){

  case 'DELETE':
    if (MAY_DELETE==0 || ereg(UA_BLACKLIST, $_SERVER['HTTP_USER_AGENT']))
      err('403 Cannot remotely remove calendar.');

    if (file_exists($icsfullpath) 
        && is_writeable($icsfullpath)
        && is_file($icsfullpath)
       ) {
      unlink($icsfullpath);
    }
    
    break;
  
  case 'GET':

    // get calendar data
    if (file_exists($icsfullpath) 
        && is_readable($icsfullpath)
        && is_file($icsfullpath)
       ) {
      echo file_get_contents($icsfullpath);
      logmsg(2,'downloaded calendar ' . $icsfile);

      $inlist=false;
      foreach($whiteusers as $whiteuser){
        $inlist |= ($whiteuser == $_SERVER['REMOTE_ADDR'] . "\n");
      }
      if (!$inlist)
        $whiteusers[] = $_SERVER['REMOTE_ADDR'] . "\n";
     } else {
      err('404 File '.$icsfullpath.' not found');
    }
    break;
  
  case 'PUT':
  
    // hack: Apple iCal is not a team player.
    if(MAY_UPDATE==0 || ereg(UA_BLACKLIST, $_SERVER['HTTP_USER_AGENT'])){
      err('501 Writing disabled');
    }

    logmsg(1,'PUT request for '.$icsfile);

    $inlist=false;
    foreach($whiteusers as $whiteuser){
      $inlist |= ($whiteuser == $_SERVER['REMOTE_ADDR'] . "\n");
    }
    if (!$inlist){
      err("409 You don't have the most recent calendar file");
    }

    // get calendar data
    if($datain = fopen('php://input','r')){
      while(!@feof($datain)){
        $data .= fgets($datain,4096);
      }
      @fclose($datain);
    }else{
      err('500 Cannot read your uploaded file');
    }
        
    if(!isset($data)){
      err('400 No data supplied');
    }

    if((MAY_CREATE==0) && 
       !(file_exists($icsfullpath) && is_file($icsfullpath))
      ){
      err('404 Invalid calendar name '.$icsfile);
    }

    logmsg(1,'Updating calendar: '.$icsfile);

    $bupctr = KEEP_BACKUP;
    while($bupctr>0){
      if (file_exists($icsfullpath."~".$bupctr)){
        unlink($icsfullpath."~".($bupctr+1));
        rename($icsfullpath."~".$bupctr, $icsfullpath."~".($bupctr+1));
      }
      $bupctr--;
    }
    unlink($icsfullpath."~1");
    rename($icsfullpath, $icsfullpath."~1");

    if ($dataout = fopen($icsfullpath,'w+')){
      // write to file
      fputs($dataout, $data, strlen($data) );
      @fclose($dataout);
      $whiteusers=array($_SERVER['REMOTE_ADDR'] . "\n");
    } else {
      err('500 writing file failed');
    }

    break;
  
  default:
  
    err("501 I have no clue what you're talking about: " . $_SERVER['REQUEST_METHOD']);
}

$whitefile = fopen('./currentusers.txt', 'w');
foreach($whiteusers as $whiteuser){
  fputs($whitefile, $whiteuser, strlen($whiteuser));
}
fclose($whitefile);


if(LOGGING > 0) {
  fclose($logfile);
}

header('HTTP/1.1 200 OK');
exit;

// for erroring
function err($str){
  global $logfile;
  logmsg(1,$str);
  header('HTTP/1.1 '.$str);
  echo $str;
  if(LOGGING > 0) {
    fclose($logfile);
  }
  exit;
}

// for logging
function logmsg($level, $str){
  global $logfile;

  if(LOGGING >= $level){
    $user =  $_SERVER['REMOTE_USER'];

    $logline = date('Y-m-d H:i:s ') 
             . $_SERVER['REMOTE_ADDR'] . ' ' 
             . $user . ' ' 
             . $_SERVER['HTTP_USER_AGENT'] ." " 
             . $str . "\n";

    fputs($logfile, $logline, strlen($logline) );
  }
}

// obtaining the ics file name, cleaned and everything.
// note: no trailing .ics here, no leading path.
function getICSfilename(){
  global $logfile;
  preg_match("/\/([^\/]*).ics[^\/]*$/i",$_SERVER['PATH_INFO'],$matches);
  logmsg(3,"user requests " . $matches[1]);
  $calendar_name = urldecode($matches[1]);
  logmsg(3,"user requests " . $calendar_name);
  $calendar_name = preg_replace("/[^\w\.\- ]/", '', $calendar_name);
  logmsg(3,"user requests " . $calendar_name);
  if ($calendar_name=="")
    err('403 Invalid filename');
  return $calendar_name;
}

?>