2018-02-09 03:49:49 +00:00
< ? php
2020-02-09 14:45:36 +00:00
/**
2021-03-29 06:40:20 +00:00
* @ copyright Copyright ( C ) 2010 - 2021 , the Friendica project
2020-02-09 14:45:36 +00:00
*
* @ license GNU AGPL version 3 or any later version
*
* This program is free software : you can redistribute it and / or modify
* it under the terms of the GNU Affero General Public License as
* published by the Free Software Foundation , either version 3 of the
* License , or ( at your option ) any later version .
*
* This program is distributed in the hope that it will be useful ,
* but WITHOUT ANY WARRANTY ; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
* GNU Affero General Public License for more details .
*
* You should have received a copy of the GNU Affero General Public License
* along with this program . If not , see < https :// www . gnu . org / licenses />.
*
*/
2018-02-09 03:49:49 +00:00
namespace Friendica ;
2021-11-14 19:28:36 +00:00
use Friendica\Capabilities\ICanHandleRequests ;
2018-10-29 21:20:46 +00:00
use Friendica\Core\Logger ;
2021-08-08 10:14:56 +00:00
use Friendica\Model\User ;
2018-10-17 19:30:41 +00:00
2018-02-09 03:49:49 +00:00
/**
* All modules in Friendica should extend BaseModule , although not all modules
* need to extend all the methods described here
*
2018-04-03 14:33:39 +00:00
* The filename of the module in src / Module needs to match the class name
* exactly to make the module available .
*
2018-09-15 23:28:38 +00:00
* @ author Hypolite Petovan < hypolite @ mrpetovan . com >
2018-02-09 03:49:49 +00:00
*/
2021-11-14 19:28:36 +00:00
abstract class BaseModule implements ICanHandleRequests
2018-02-09 03:49:49 +00:00
{
2021-11-14 19:28:36 +00:00
/** @var array */
protected static $parameters = [];
public function __construct ( array $parameters = [])
{
static :: $parameters = $parameters ;
}
/**
* { @ inheritDoc }
2018-02-09 03:49:49 +00:00
*/
2021-11-14 22:13:47 +00:00
public function init ()
2018-02-09 03:49:49 +00:00
{
2018-09-30 20:47:28 +00:00
}
2018-02-09 03:49:49 +00:00
2018-09-30 20:47:28 +00:00
/**
2021-11-14 19:28:36 +00:00
* { @ inheritDoc }
2018-09-30 20:47:28 +00:00
*/
2021-11-14 22:13:47 +00:00
public function rawContent ()
2018-09-30 20:47:28 +00:00
{
2019-11-05 22:01:45 +00:00
// echo '';
// exit;
2018-02-09 03:49:49 +00:00
}
/**
2021-11-14 19:28:36 +00:00
* { @ inheritDoc }
2018-02-09 03:49:49 +00:00
*/
2021-11-14 22:13:47 +00:00
public function content () : string
2018-02-09 03:49:49 +00:00
{
2021-11-14 19:28:36 +00:00
return '' ;
2018-02-09 03:49:49 +00:00
}
2021-05-08 09:14:19 +00:00
/**
2021-11-14 19:28:36 +00:00
* { @ inheritDoc }
2021-05-08 09:14:19 +00:00
*/
2021-11-14 22:13:47 +00:00
public function delete ()
2021-05-08 09:14:19 +00:00
{
}
/**
2021-11-14 19:28:36 +00:00
* { @ inheritDoc }
2021-05-08 09:14:19 +00:00
*/
2021-11-14 22:13:47 +00:00
public function patch ()
2021-05-08 09:14:19 +00:00
{
}
2018-02-09 03:49:49 +00:00
/**
2021-11-14 19:28:36 +00:00
* { @ inheritDoc }
2018-02-09 03:49:49 +00:00
*/
2021-11-14 22:13:47 +00:00
public function post ()
2018-02-09 03:49:49 +00:00
{
2019-11-03 01:19:42 +00:00
// DI::baseurl()->redirect('module');
2018-02-09 03:49:49 +00:00
}
/**
2021-11-14 19:28:36 +00:00
* { @ inheritDoc }
2018-02-09 03:49:49 +00:00
*/
2021-11-14 22:13:47 +00:00
public function afterpost ()
2018-02-09 03:49:49 +00:00
{
}
2018-10-17 19:30:41 +00:00
2021-05-08 09:14:19 +00:00
/**
2021-11-14 19:28:36 +00:00
* { @ inheritDoc }
2021-05-08 09:14:19 +00:00
*/
2021-11-14 22:13:47 +00:00
public function put ()
2021-05-08 09:14:19 +00:00
{
}
2021-11-14 19:28:36 +00:00
/** Gets the name of the current class */
2021-11-14 22:13:47 +00:00
public function getClassName () : string
2021-11-14 19:28:36 +00:00
{
return static :: class ;
}
2018-10-17 19:30:41 +00:00
/*
* Functions used to protect against Cross - Site Request Forgery
* The security token has to base on at least one value that an attacker can 't know - here it' s the session ID and the private key .
* In this implementation , a security token is reusable ( if the user submits a form , goes back and resubmits the form , maybe with small changes ;
2020-07-09 19:08:09 +00:00
* or if the security token is used for ajax - calls that happen several times ), but only valid for a certain amount of time ( 3 hours ) .
* The " typename " separates the security tokens of different types of forms . This could be relevant in the following case :
* A security token is used to protect a link from CSRF ( e . g . the " delete this profile " - link ) .
2018-10-17 19:30:41 +00:00
* If the new page contains by any chance external elements , then the used security token is exposed by the referrer .
2020-07-09 19:08:09 +00:00
* Actually , important actions should not be triggered by Links / GET - Requests at all , but sometimes they still are ,
2018-10-17 19:30:41 +00:00
* so this mechanism brings in some damage control ( the attacker would be able to forge a request to a form of this type , but not to forms of other types ) .
*/
public static function getFormSecurityToken ( $typename = '' )
{
2021-08-09 20:33:46 +00:00
$user = User :: getById ( DI :: app () -> getLoggedInUserId (), [ 'guid' , 'prvkey' ]);
2018-10-17 19:30:41 +00:00
$timestamp = time ();
2021-08-08 10:14:56 +00:00
$sec_hash = hash ( 'whirlpool' , ( $user [ 'guid' ] ? ? '' ) . ( $user [ 'prvkey' ] ? ? '' ) . session_id () . $timestamp . $typename );
2018-10-17 19:30:41 +00:00
return $timestamp . '.' . $sec_hash ;
}
public static function checkFormSecurityToken ( $typename = '' , $formname = 'form_security_token' )
{
$hash = null ;
if ( ! empty ( $_REQUEST [ $formname ])) {
/// @TODO Careful, not secured!
$hash = $_REQUEST [ $formname ];
}
if ( ! empty ( $_SERVER [ 'HTTP_X_CSRF_TOKEN' ])) {
/// @TODO Careful, not secured!
$hash = $_SERVER [ 'HTTP_X_CSRF_TOKEN' ];
}
if ( empty ( $hash )) {
return false ;
}
$max_livetime = 10800 ; // 3 hours
2021-08-09 20:33:46 +00:00
$user = User :: getById ( DI :: app () -> getLoggedInUserId (), [ 'guid' , 'prvkey' ]);
2018-10-17 19:30:41 +00:00
$x = explode ( '.' , $hash );
2019-10-07 18:10:30 +00:00
if ( time () > ( intval ( $x [ 0 ]) + $max_livetime )) {
2018-10-17 19:30:41 +00:00
return false ;
}
2021-08-08 10:14:56 +00:00
$sec_hash = hash ( 'whirlpool' , ( $user [ 'guid' ] ? ? '' ) . ( $user [ 'prvkey' ] ? ? '' ) . session_id () . $x [ 0 ] . $typename );
2018-10-17 19:30:41 +00:00
return ( $sec_hash == $x [ 1 ]);
}
public static function getFormSecurityStandardErrorMessage ()
{
2020-01-18 19:52:34 +00:00
return DI :: l10n () -> t ( " The form security token was not correct. This probably happened because the form has been opened for too long \x28 >3 hours \x29 before submitting it. " ) . EOL ;
2018-10-17 19:30:41 +00:00
}
public static function checkFormSecurityTokenRedirectOnError ( $err_redirect , $typename = '' , $formname = 'form_security_token' )
{
if ( ! self :: checkFormSecurityToken ( $typename , $formname )) {
2021-10-20 18:53:52 +00:00
Logger :: notice ( 'checkFormSecurityToken failed: user ' . DI :: app () -> getLoggedInUserNickname () . ' - form element ' . $typename );
Logger :: debug ( 'checkFormSecurityToken failed' , [ 'request' => $_REQUEST ]);
2018-10-19 08:03:52 +00:00
notice ( self :: getFormSecurityStandardErrorMessage ());
2019-12-15 23:28:31 +00:00
DI :: baseUrl () -> redirect ( $err_redirect );
2018-10-17 19:30:41 +00:00
}
}
public static function checkFormSecurityTokenForbiddenOnError ( $typename = '' , $formname = 'form_security_token' )
{
if ( ! self :: checkFormSecurityToken ( $typename , $formname )) {
2021-10-20 18:53:52 +00:00
Logger :: notice ( 'checkFormSecurityToken failed: user ' . DI :: app () -> getLoggedInUserNickname () . ' - form element ' . $typename );
Logger :: debug ( 'checkFormSecurityToken failed' , [ 'request' => $_REQUEST ]);
2018-12-26 05:40:12 +00:00
2019-05-02 03:16:10 +00:00
throw new \Friendica\Network\HTTPException\ForbiddenException ();
2018-10-17 19:30:41 +00:00
}
}
2020-08-06 14:34:11 +00:00
protected static function getContactFilterTabs ( string $baseUrl , string $current , bool $displayCommonTab )
{
$tabs = [
[
'label' => DI :: l10n () -> t ( 'All contacts' ),
'url' => $baseUrl . '/contacts' ,
'sel' => ! $current || $current == 'all' ? 'active' : '' ,
],
[
'label' => DI :: l10n () -> t ( 'Followers' ),
'url' => $baseUrl . '/contacts/followers' ,
'sel' => $current == 'followers' ? 'active' : '' ,
],
[
'label' => DI :: l10n () -> t ( 'Following' ),
'url' => $baseUrl . '/contacts/following' ,
'sel' => $current == 'following' ? 'active' : '' ,
],
[
'label' => DI :: l10n () -> t ( 'Mutual friends' ),
'url' => $baseUrl . '/contacts/mutuals' ,
'sel' => $current == 'mutuals' ? 'active' : '' ,
],
];
if ( $displayCommonTab ) {
$tabs [] = [
'label' => DI :: l10n () -> t ( 'Common' ),
'url' => $baseUrl . '/contacts/common' ,
'sel' => $current == 'common' ? 'active' : '' ,
];
}
return $tabs ;
}
2018-02-09 03:49:49 +00:00
}