<?php |
/** |
* Elgg Actions |
* |
* @see http://learn.elgg.org/en/latest/guides/actions.html |
* |
* @package Elgg.Core |
* @subpackage Actions |
*/ |
|
use Elgg\Http\ResponseBuilder; |
use Elgg\Database\SiteSecret; |
|
/**
 * Handle a request for an action
 *
 * The URL segments are joined with "/" to form the action name, which is then
 * dispatched through the actions service. Per the contract documented on
 * {@link action()}, only names registered with {@link elgg_register_action()}
 * resolve to a script; anything else is forwarded away with an error.
 *
 * @param array $segments URL segments that make up action name
 *
 * @return ResponseBuilder|null
 * @access private
 */
function _elgg_action_handler(array $segments) {
	$action_name = implode('/', $segments);
	$dispatcher = _elgg_services()->actions;

	return $dispatcher->execute($action_name);
}

/**
 * Perform an action.
 *
 * Executes the action registered under $action (see {@link elgg_register_action()})
 * through the actions service. The plugin hook 'action', $action_name is triggered
 * before the action runs; a handler returning false prevents the action script
 * from being called.
 *
 * If the service hands back a {@link ResponseBuilder} (the action script did not
 * call forward() itself) that response is sent. The request is then redirected
 * to REFERRER with the 'csrf' reason.
 *
 * @note If an action isn't registered in the system or is registered
 * to an unavailable file the user will be forwarded to the site front
 * page and an error will be emitted via {@link register_error()}.
 *
 * @warning All actions require CSRF tokens, including actions registered
 * with the 'public' access level.
 *
 * @param string $action    Name of the registered action
 * @param string $forwarder The location to forward to. Only used if the action
 *                          script does not call forward() itself. Defaults to the
 *                          index URL; pass REFERRER to return to the referring page.
 *
 * @see elgg_register_action()
 *
 * @return void
 * @access private
 */
function action($action, $forwarder = "") {
	$result = _elgg_services()->actions->execute($action, $forwarder);

	// The action script may have produced a response instead of calling forward().
	if ($result instanceof ResponseBuilder) {
		_elgg_services()->responseFactory->respond($result);
	}

	// NOTE(review): reached whenever respond() returns to us — confirm respond()
	// ends the request, otherwise a successful action is redirected here as well.
	_elgg_services()->responseFactory->redirect(REFERRER, 'csrf');
}

/**
 * Registers an action.
 *
 * Actions are registered to a script in the system and are executed
 * by the URL http://elggsite.org/action/action_name/.
 *
 * $filename must be the full path of the file to register or a path relative
 * to the core actions/ dir.
 *
 * Actions should be namespaced for your plugin. Example:
 * <code>
 * elgg_register_action('myplugin/save_settings', ...);
 * </code>
 *
 * @tip Put action files under the actions/<plugin_name> directory of your plugin.
 *
 * @tip You don't need to use Elgg\Application in your action files.
 *
 * @warning $access only controls who may invoke the action. Every action,
 * including one registered as 'public', still requires a valid CSRF token
 * (see {@link action()}). Keep the default 'logged_in' (or use 'admin') unless
 * anonymous access is genuinely intended.
 *
 * @param string $action   The name of the action (eg "register", "account/settings/save")
 * @param string $filename Optionally, the filename where this action is located. If not specified,
 *                         will assume the action is in elgg/actions/<action>.php
 * @param string $access   Who is allowed to execute this action: public, logged_in, admin.
 *                         (default: logged_in)
 *
 * @return bool
 */
function elgg_register_action($action, $filename = "", $access = 'logged_in') {
	$registry = _elgg_services()->actions;

	return $registry->register($action, $filename, $access);
}

/**
 * Unregisters an action
 *
 * Removes the name from the actions service registry. Presumably a request for
 * /action/<name>/ is then handled as an unregistered action (see the note on
 * {@link action()}).
 *
 * @param string $action Action name
 * @return bool
 * @since 1.8.1
 */
function elgg_unregister_action($action) {
	$registry = _elgg_services()->actions;

	return $registry->unregister($action);
}

/**
 * Get an HMAC token builder/validator object
 *
 * NOTE(review): the MAC computation and comparison live in the returned Hmac
 * object, not here. When checking a client-supplied MAC, confirm that class
 * compares in constant time (hash_equals()) rather than with ==/===.
 *
 * @param mixed $data HMAC data string or serializable data
 * @return \Elgg\Security\Hmac
 * @since 1.11
 */
function elgg_build_hmac($data) {
	$hmac_service = _elgg_services()->hmac;

	return $hmac_service->getHmac($data);
}

/**
 * Validate an action token.
 *
 * Calls to actions will automatically validate tokens. If tokens are not
 * present or invalid, the action will be denied and the user will be redirected.
 *
 * Plugin authors should never have to manually validate action tokens.
 *
 * When $token / $ts are omitted the actions service falls back to
 * $_REQUEST['__elgg_token'] and $_REQUEST['__elgg_ts']. PHP fills $_REQUEST
 * from GET as well as POST (and cookies, depending on request_order), so the
 * token pair may be supplied in the query string, not only in a form body.
 *
 * @param bool  $visible_errors Emit {@link register_error()} errors on failure?
 * @param mixed $token          The token to test against. Default: $_REQUEST['__elgg_token']
 * @param mixed $ts             The time stamp to test against. Default: $_REQUEST['__elgg_ts']
 *
 * @return bool
 * @see generate_action_token()
 * @access private
 */
function validate_action_token($visible_errors = true, $token = null, $ts = null) {
	$validator = _elgg_services()->actions;

	return $validator->validateActionToken($visible_errors, $token, $ts);
}

/**
 * Validates the presence of action tokens.
 *
 * This function is called for all actions. If action tokens are missing,
 * the user will be forwarded to the site front page and an error emitted.
 *
 * This function verifies form input for security features (like a generated token),
 * and forwards if they are invalid.
 *
 * @param string $action The action being performed
 *
 * @return mixed True if valid or redirects.
 * @access private
 */
function action_gatekeeper($action) {
	$gate = _elgg_services()->actions;

	return $gate->gatekeeper($action);
}

/**
 * Generate an action token.
 *
 * Action tokens are based on timestamps as returned by {@link time()}.
 * They are valid for one hour.
 *
 * Action tokens should be passed to all actions named __elgg_ts and __elgg_token.
 *
 * @warning Action tokens are required for all actions.
 *
 * @param int $timestamp Unix timestamp the token is bound to. The same value
 *                       must be submitted as __elgg_ts next to the token, since
 *                       {@link validate_action_token()} checks the pair together.
 *
 * @see @elgg_view input/securitytoken
 * @see @elgg_view input/form
 *
 * @return string|false
 */
function generate_action_token($timestamp) {
	$token_source = _elgg_services()->actions;

	return $token_source->generateActionToken($timestamp);
}

/**
 * Regenerate a new site key (32 bytes: "z" to indicate format + 186-bit key in Base64 URL).
 *
 * A fresh secret is produced by {@link SiteSecret::regenerate()} from the crypto
 * service and the config table (presumably where it is persisted), then installed
 * as the 'siteSecret' service for the remainder of this request.
 *
 * NOTE(review): the site secret presumably keys the action/HMAC tokens in this
 * file; regenerating it would invalidate tokens issued under the previous secret.
 * Confirm before calling this outside of install/recovery flows.
 *
 * @return mixed The new secret value as returned by SiteSecret::get(). This is
 *               key material, not a hash of it: never log or display it.
 * @access private
 */
function init_site_secret() {
	$crypto = _elgg_services()->crypto;
	$config_table = _elgg_services()->configTable;
	$new_secret = SiteSecret::regenerate($crypto, $config_table);

	// Make the regenerated secret visible to everything resolving the service later in this request.
	_elgg_services()->setValue('siteSecret', $new_secret);

	return $new_secret->get();
}

/**
 * Get the strength of the site secret
 *
 * Delegates to the siteSecret service. Presumably used to warn administrators
 * when the secret should be regenerated via {@link init_site_secret()}.
 *
 * @return string "strong", "moderate", or "weak"
 * @access private
 */
function _elgg_get_site_secret_strength() {
	$site_secret = _elgg_services()->siteSecret;

	return $site_secret->getStrength();
}

/**
 * Check if an action is registered and its script exists.
 *
 * @param string $action Action name
 *
 * @return bool
 * @since 1.8.0
 */
function elgg_action_exists($action) {
	$registry = _elgg_services()->actions;

	return $registry->exists($action);
}

/**
 * Checks whether the request was requested via ajax
 *
 * Delegates to the request service's isXmlHttpRequest(). NOTE(review): that
 * check is presumably based on a client-controlled request header, so treat the
 * result as a hint for response formatting only, never as an authorization check.
 *
 * @return bool whether page was requested via ajax
 * @since 1.8.0
 */
function elgg_is_xhr() {
	$current_request = _elgg_services()->request;

	return $current_request->isXmlHttpRequest();
}

/**
 * Send an updated CSRF token, provided the page's current tokens were not fake.
 *
 * The actual check of the submitted tokens and the construction of the
 * response happen in the actions service.
 *
 * @return ResponseBuilder
 * @access private
 */
function _elgg_csrf_token_refresh() {
	$token_service = _elgg_services()->actions;

	return $token_service->handleTokenRefreshRequest();
}

/**
 * @see \Elgg\Application::loadCore Do not do work here. Just register for events.
 *
 * This file registers no event or hook handlers at present: the closure body
 * is empty, so both parameters are unused. They are kept, presumably, so the
 * signature matches what loadCore expects from every engine/lib file.
 */
return function(\Elgg\EventsService $events, \Elgg\HooksRegistrationService $hooks) {
	// Intentionally empty: nothing to register for the actions subsystem.
};