TheRON/core
1
0
Fork 0
mirror of https://framagit.org/hubzilla/core.git synced 2026-06-21 00:52:33 -04:00
Code Issues Packages Projects Releases Wiki Activity

Don't access APP:$observer directly in core

Browse Source 
Introduce helper functions to access the various fields of the xchan
stored in `App::$observer'. This removes direct access to the attribute
from core, with the aim of allowing further refactoring later.

We can not yet make the `App::$observer` attribute private, though, as
it is also accessed directly by some addons.
This commit is contained in:
Harald Eilertsen
2025-05-09 12:23:25 +02:00
parent a48a72d1cd
commit 7cb8a56b6a
4 changed files with 49 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

39
boot.php
View File

@@ -2151,11 +2151,12 @@ function dba_timer() {
}
/**
* @brief Returns xchan_hash from the observer.
* Get the unique hash identifying the current observer.
*
* Observer can be a local or remote channel.
*
* @return string xchan_hash from observer, otherwise empty string if no observer
* @return string Unique hash of observer, otherwise empty string if no
* observer
*/
function get_observer_hash() {
$observer = App::get_observer();
@@ -2166,6 +2167,40 @@ function get_observer_hash() {
return '';
}
/**
* Get the guid of the current observer.
*
* Observer can be a local or remote channel.
*
* @return string The GUID of the observer, otherwise empty string if no
* observer
*/
function get_observer_guid() {
$observer = App::get_observer();
if (is_array($observer)) {
return $observer['xchan_guid'];
}
return '';
}
/**
* Get the name of the current observer.
*
* Observer can be a local or remote channel.
*
* @return string The name of the observer, otherwise empty string if no
* observer
*/
function get_observer_name() {
$observer = App::get_observer();
if (is_array($observer)) {
return $observer['xchan_name'];
}
return '';
}
/**
* @brief Returns the complete URL of the current page, e.g.: http(s)://something.com/network
*

8
include/security.php
View File

@@ -607,7 +607,7 @@ function public_permissions_sql($observer_hash) {
function get_form_security_token($typename = '') {
$timestamp = time();
$guid = App::$observer['xchan_guid'] ?? '';
$guid = get_observer_guid();
$sec_hash = hash('whirlpool', $guid . ((local_channel()) ? App::$channel['channel_prvkey'] : '') . session_id() . $timestamp . $typename);
return $timestamp . '.' . $sec_hash;
@@ -623,7 +623,7 @@ function check_form_security_token($typename = '', $formname = 'form_security_to
if (time() > (IntVal($x[0]) + $max_livetime))
return false;
$sec_hash = hash('whirlpool', App::$observer['xchan_guid'] . ((local_channel()) ? App::$channel['channel_prvkey'] : '') . session_id() . $x[0] . $typename);
$sec_hash = hash('whirlpool', get_observer_guid() . ((local_channel()) ? App::$channel['channel_prvkey'] : '') . session_id() . $x[0] . $typename);
return ($sec_hash == $x[1]);
}
@@ -635,7 +635,7 @@ function check_form_security_std_err_msg() {
function check_form_security_token_redirectOnErr($err_redirect, $typename = '', $formname = 'form_security_token') {
if (!check_form_security_token($typename, $formname)) {
logger('check_form_security_token failed: user ' . App::$observer['xchan_name'] . ' - form element ' . $typename);
logger('check_form_security_token failed: user ' . get_observer_name() . ' - form element ' . $typename);
logger('check_form_security_token failed: _REQUEST data: ' . print_r($_REQUEST, true), LOGGER_DATA);
notice(check_form_security_std_err_msg());
goaway(z_root() . $err_redirect);
@@ -644,7 +644,7 @@ function check_form_security_token_redirectOnErr($err_redirect, $typename = '',
function check_form_security_token_ForbiddenOnErr($typename = '', $formname = 'form_security_token') {
if (!check_form_security_token($typename, $formname)) {
logger('check_form_security_token failed: user ' . App::$observer['xchan_name'] . ' - form element ' . $typename);
logger('check_form_security_token failed: user ' . get_observer_name() . ' - form element ' . $typename);
logger('check_form_security_token failed: _REQUEST data: ' . print_r($_REQUEST, true), LOGGER_DATA);
header('HTTP/1.1 403 Forbidden');
killme();

8
tests/unit/Module/MagicTest.php
View File

@@ -46,9 +46,9 @@ class MagicTest extends TestCase {
App::set_baseurl($baseurl);
App::$observer = [
App::set_observer([
'xchan_hash' => 'the hash',
];
]);
// We pass a local URL, and have a valid observer, but as the
// delegate param is not passed, nothing will be done except
@@ -72,9 +72,9 @@ class MagicTest extends TestCase {
App::$timezone = 'UTC';
// Simulate a foreign (to this hub) observer,
App::$observer = [
App::set_observer([
'xchan_hash' => 'foreign hash',
];
]);
// Create the channel the foreign observer wants to access
$result = create_identity([

7
tests/unit/includes/BBCodeTest.php
View File

@@ -23,6 +23,7 @@
namespace Zotlabs\Tests\Unit\includes;
use App;
use Zotlabs\Tests\Unit\UnitTestCase;
class BBCodeTest extends UnitTestCase {
@@ -42,7 +43,7 @@ class BBCodeTest extends UnitTestCase {
*/
public function test_bbcode_observer(string $src, bool $logged_in, string $lang, string $expected): void {
if ($logged_in) {
\App::$observer = [
App::set_observer([
'xchan_addr' => '',
'xchan_name' => '',
'xchan_connurl' => '',
@@ -50,9 +51,9 @@ class BBCodeTest extends UnitTestCase {
// port required in xchan url due to bug in get_rpost_path
'xchan_url' => 'https://example.com:666',
];
]);
} else {
\App::$observer = null;
App::set_observer(null);
}
\App::$language = $lang;