mirror of
https://framagit.org/hubzilla/core.git
synced 2026-06-21 00:52:33 -04:00
Merge branch 'remove-direct-access-to-app-observer' into 'dev'
Don't access App::$observer directly in core See merge request hubzilla/core!2197
This commit is contained in:
Mario
17
boot.php
17
boot.php
@@ -49,6 +49,7 @@ require_once('include/text.php');
|
||||
require_once('include/datetime.php');
|
||||
require_once('include/language.php');
|
||||
require_once('include/nav.php');
|
||||
require_once('include/observer.php');
|
||||
require_once('include/permissions.php');
|
||||
require_once('include/features.php');
|
||||
require_once('include/taxonomy.php');
|
||||
@@ -2150,22 +2151,6 @@ function dba_timer() {
|
||||
return microtime(true);
|
||||
}
|
||||
|
||||
/**
|
||||
* @brief Returns xchan_hash from the observer.
|
||||
*
|
||||
* Observer can be a local or remote channel.
|
||||
*
|
||||
* @return string xchan_hash from observer, otherwise empty string if no observer
|
||||
*/
|
||||
function get_observer_hash() {
|
||||
$observer = App::get_observer();
|
||||
if (is_array($observer)) {
|
||||
return $observer['xchan_hash'];
|
||||
}
|
||||
|
||||
return '';
|
||||
}
|
||||
|
||||
/**
|
||||
* @brief Returns the complete URL of the current page, e.g.: http(s)://something.com/network
|
||||
*
|
||||
|
||||
68
include/observer.php
Normal file
68
include/observer.php
Normal file
@@ -0,0 +1,68 @@
|
||||
<?php
|
||||
/**
|
||||
* Helper functions for getting info about the observer.
|
||||
*
|
||||
* SPDX-FileCopyrightText: 2025 The Hubzilla Community
|
||||
* SPDX-FileContributor: Harald Eilertsen <haraldei@anduin.net>
|
||||
*
|
||||
* SPDX-License-Identifier: MIT
|
||||
*
|
||||
* The _observer_ in Hubzilla is the channel visiting the site in the current
|
||||
* session. This could be a local channel, or a remote channel logged in via
|
||||
* OpenWebAuth.
|
||||
*
|
||||
* If the observer is not set, or empty, this indicates an unauthenticated
|
||||
* visitor, which may mean a visitor from another site that don't support, or
|
||||
* has not enabled OpenWebAuth.
|
||||
*/
|
||||
|
||||
/**
|
||||
* Get the unique hash identifying the current observer.
|
||||
*
|
||||
* Observer can be a local or remote channel.
|
||||
*
|
||||
* @return string Unique hash of observer, otherwise empty string if no
|
||||
* observer
|
||||
*/
|
||||
function get_observer_hash() {
|
||||
$observer = App::get_observer();
|
||||
if (is_array($observer)) {
|
||||
return $observer['xchan_hash'];
|
||||
}
|
||||
|
||||
return '';
|
||||
}
|
||||
|
||||
/**
|
||||
* Get the guid of the current observer.
|
||||
*
|
||||
* Observer can be a local or remote channel.
|
||||
*
|
||||
* @return string The GUID of the observer, otherwise empty string if no
|
||||
* observer
|
||||
*/
|
||||
function get_observer_guid() {
|
||||
$observer = App::get_observer();
|
||||
if (is_array($observer)) {
|
||||
return $observer['xchan_guid'];
|
||||
}
|
||||
|
||||
return '';
|
||||
}
|
||||
|
||||
/**
|
||||
* Get the name of the current observer.
|
||||
*
|
||||
* Observer can be a local or remote channel.
|
||||
*
|
||||
* @return string The name of the observer, otherwise empty string if no
|
||||
* observer
|
||||
*/
|
||||
function get_observer_name() {
|
||||
$observer = App::get_observer();
|
||||
if (is_array($observer)) {
|
||||
return $observer['xchan_name'];
|
||||
}
|
||||
|
||||
return '';
|
||||
}
|
||||
@@ -607,7 +607,7 @@ function public_permissions_sql($observer_hash) {
|
||||
function get_form_security_token($typename = '') {
|
||||
|
||||
$timestamp = time();
|
||||
$guid = App::$observer['xchan_guid'] ?? '';
|
||||
$guid = get_observer_guid();
|
||||
$sec_hash = hash('whirlpool', $guid . ((local_channel()) ? App::$channel['channel_prvkey'] : '') . session_id() . $timestamp . $typename);
|
||||
|
||||
return $timestamp . '.' . $sec_hash;
|
||||
@@ -623,7 +623,7 @@ function check_form_security_token($typename = '', $formname = 'form_security_to
|
||||
if (time() > (IntVal($x[0]) + $max_livetime))
|
||||
return false;
|
||||
|
||||
$sec_hash = hash('whirlpool', App::$observer['xchan_guid'] . ((local_channel()) ? App::$channel['channel_prvkey'] : '') . session_id() . $x[0] . $typename);
|
||||
$sec_hash = hash('whirlpool', get_observer_guid() . ((local_channel()) ? App::$channel['channel_prvkey'] : '') . session_id() . $x[0] . $typename);
|
||||
|
||||
return ($sec_hash == $x[1]);
|
||||
}
|
||||
@@ -635,7 +635,7 @@ function check_form_security_std_err_msg() {
|
||||
|
||||
function check_form_security_token_redirectOnErr($err_redirect, $typename = '', $formname = 'form_security_token') {
|
||||
if (!check_form_security_token($typename, $formname)) {
|
||||
logger('check_form_security_token failed: user ' . App::$observer['xchan_name'] . ' - form element ' . $typename);
|
||||
logger('check_form_security_token failed: user ' . get_observer_name() . ' - form element ' . $typename);
|
||||
logger('check_form_security_token failed: _REQUEST data: ' . print_r($_REQUEST, true), LOGGER_DATA);
|
||||
notice(check_form_security_std_err_msg());
|
||||
goaway(z_root() . $err_redirect);
|
||||
@@ -644,7 +644,7 @@ function check_form_security_token_redirectOnErr($err_redirect, $typename = '',
|
||||
|
||||
function check_form_security_token_ForbiddenOnErr($typename = '', $formname = 'form_security_token') {
|
||||
if (!check_form_security_token($typename, $formname)) {
|
||||
logger('check_form_security_token failed: user ' . App::$observer['xchan_name'] . ' - form element ' . $typename);
|
||||
logger('check_form_security_token failed: user ' . get_observer_name() . ' - form element ' . $typename);
|
||||
logger('check_form_security_token failed: _REQUEST data: ' . print_r($_REQUEST, true), LOGGER_DATA);
|
||||
header('HTTP/1.1 403 Forbidden');
|
||||
killme();
|
||||
|
||||
@@ -46,9 +46,9 @@ class MagicTest extends TestCase {
|
||||
|
||||
App::set_baseurl($baseurl);
|
||||
|
||||
App::$observer = [
|
||||
App::set_observer([
|
||||
'xchan_hash' => 'the hash',
|
||||
];
|
||||
]);
|
||||
|
||||
// We pass a local URL, and have a valid observer, but as the
|
||||
// delegate param is not passed, nothing will be done except
|
||||
@@ -72,9 +72,9 @@ class MagicTest extends TestCase {
|
||||
App::$timezone = 'UTC';
|
||||
|
||||
// Simulate a foreign (to this hub) observer,
|
||||
App::$observer = [
|
||||
App::set_observer([
|
||||
'xchan_hash' => 'foreign hash',
|
||||
];
|
||||
]);
|
||||
|
||||
// Create the channel the foreign observer wants to access
|
||||
$result = create_identity([
|
||||
|
||||
@@ -23,6 +23,7 @@
|
||||
|
||||
namespace Zotlabs\Tests\Unit\includes;
|
||||
|
||||
use App;
|
||||
use Zotlabs\Tests\Unit\UnitTestCase;
|
||||
|
||||
class BBCodeTest extends UnitTestCase {
|
||||
@@ -42,7 +43,7 @@ class BBCodeTest extends UnitTestCase {
|
||||
*/
|
||||
public function test_bbcode_observer(string $src, bool $logged_in, string $lang, string $expected): void {
|
||||
if ($logged_in) {
|
||||
\App::$observer = [
|
||||
App::set_observer([
|
||||
'xchan_addr' => '',
|
||||
'xchan_name' => '',
|
||||
'xchan_connurl' => '',
|
||||
@@ -50,9 +51,9 @@ class BBCodeTest extends UnitTestCase {
|
||||
|
||||
// port required in xchan url due to bug in get_rpost_path
|
||||
'xchan_url' => 'https://example.com:666',
|
||||
];
|
||||
]);
|
||||
} else {
|
||||
\App::$observer = null;
|
||||
App::set_observer(null);
|
||||
}
|
||||
|
||||
\App::$language = $lang;
|
||||
|
||||
Reference in New Issue
Block a user