Issues in ActionsService.php - All Issues - Inspection of "chore(blog): moved draft status info to entity imp..." - Elgg/Elgg - Measure and Improve Code Quality continuously with Scrutinizer

Completed

Push — master ( caf222...deba87 )

by Jeroen

created 2017-10-18 14:13 UTC

engine/classes/Elgg/ActionsService.php (1 issue)

Labels

Severity

Major 1

Ismayil Khayredinov 1

<?php
namespace Elgg;

use Elgg\Http\ResponseBuilder;
use ElggCrypto;
use ElggSession;

/**
 * WARNING: API IN FLUX. DO NOT USE DIRECTLY.
 *
 * Use the elgg_* versions instead.
 *
 * @access private
 *
 * @package    Elgg.Core
 * @subpackage Actions
 * @since      1.9.0
 */
class ActionsService {

	use \Elgg\TimeUsing;
	
	/**
	 * @var Config
	 */
	private $config;

	/**
	 * @var ElggSession
	 */
	private $session;

	/**
	 * @var ElggCrypto
	 */
	private $crypto;

	/**
	 * Registered actions storage
	 *
	 * Each element has keys:
	 *   "file" => filename
	 *   "access" => access level
	 *
	 * @var array
	 */
	private $actions = [];

	/**
	 * The current action being processed
	 * @var string
	 */
	private $currentAction = null;

	/**
	 * @var string[]
	 */
	private static $access_levels = ['public', 'logged_in', 'admin'];

	/**
	 * Constructor
	 *
	 * @param Config      $config  Config
	 * @param ElggSession $session Session
	 * @param ElggCrypto  $crypto  Crypto service
	 */
	public function __construct(Config $config, ElggSession $session, ElggCrypto $crypto) {
		$this->config = $config;
		$this->session = $session;
		$this->crypto = $crypto;
	}

	/**
	 * Executes an action
	 * If called from action() redirect will be issued by the response factory
	 * If called as /action page handler response will be handled by \Elgg\Router
	 *
	 * @param string $action    Action name
	 * @param string $forwarder URL to forward to after completion
	 * @return ResponseBuilder|null
	 * @see action()
	 * @access private
	 */
	public function execute($action, $forwarder = "") {
		$action = rtrim($action, '/');
		$this->currentAction = $action;
		
		// Logout is for convenience.
		$exceptions = [
			'logout',
		];
	
		if (!in_array($action, $exceptions)) {
			// All actions require a token.
			$pass = $this->gatekeeper($action);
			if (!$pass) {
				return;
			}
		}
	
		$forwarder = str_replace($this->config->wwwroot, "", $forwarder);
		$forwarder = str_replace("http://", "", $forwarder);
		$forwarder = str_replace("@", "", $forwarder);
		if (substr($forwarder, 0, 1) == "/") {
			$forwarder = substr($forwarder, 1);
		}

		$ob_started = false;

		/**
		 * Prepare action response
		 *
		 * @param string $error_key   Error message key
		 * @param int    $status_code HTTP status code
		 * @return ResponseBuilder
		 */
		$forward = function ($error_key = '', $status_code = ELGG_HTTP_OK) use ($action, $forwarder, &$ob_started) {
			if ($error_key) {
				if ($ob_started) {
					ob_end_clean();
				}
				$msg = _elgg_services()->translator->translate($error_key, [$action]);
				_elgg_services()->systemMessages->addErrorMessage($msg);
				$response = new \Elgg\Http\ErrorResponse($msg, $status_code);
			} else {
				$content = ob_get_clean();
				$response = new \Elgg\Http\OkResponse($content, $status_code);
			}
			
			$forwarder = empty($forwarder) ? REFERER : $forwarder;
			$response->setForwardURL($forwarder);
			return $response;
		};

		if (!isset($this->actions[$action])) {
			return $forward('actionundefined', ELGG_HTTP_NOT_IMPLEMENTED);
		}

		$user = $this->session->getLoggedInUser();

		// access checks
		switch ($this->actions[$action]['access']) {
			case 'public':
				break;
			case 'logged_in':
				if (!$user) {
					return $forward('actionloggedout', ELGG_HTTP_FORBIDDEN);
				}
				break;
			default:
				// admin or misspelling
				if (!$user || !$user->isAdmin()) {
					return $forward('actionunauthorized', ELGG_HTTP_FORBIDDEN);
				}
		}

		ob_start();
		
		// To quietly cancel the file, return a falsey value in the "action" hook.
		if (!_elgg_services()->hooks->trigger('action', $action, null, true)) {
			return $forward('', ELGG_HTTP_OK);
		}

		$file = $this->actions[$action]['file'];

		if (!is_file($file) || !is_readable($file)) {
			ob_end_clean();
			return $forward('actionnotfound', ELGG_HTTP_NOT_IMPLEMENTED);
		}

		// set the maximum execution time for actions
		$action_timeout = $this->config->action_time_limit;
		if (isset($action_timeout)) {
			set_time_limit($action_timeout);
		}

		$result = Includer::includeFile($file);
		if ($result instanceof ResponseBuilder) {
			ob_end_clean();
			return $result;
		}

		return $forward('', ELGG_HTTP_OK);
	}
	
	/**
	 * @see elgg_register_action()
	 * @access private
	 */
	public function register($action, $filename = "", $access = 'logged_in') {
		// plugins are encouraged to call actions with a trailing / to prevent 301
		// redirects but we store the actions without it
		$action = rtrim($action, '/');
	
		if (empty($filename)) {
			$path = __DIR__ . '/../../../actions';
			$filename = realpath("$path/$action.php");
		}

		if (!in_array($access, self::$access_levels)) {
			_elgg_services()->logger->error("Unrecognized value '$access' for \$access in " . __METHOD__);
			$access = 'admin';
		}
	
		$this->actions[$action] = [
			'file' => $filename,
			'access' => $access,
		];
		return true;
	}
	
	/**
	 * @see elgg_unregister_action()
	 * @access private
	 */
	public function unregister($action) {
		if (isset($this->actions[$action])) {
			unset($this->actions[$action]);
			return true;
		} else {
			return false;
		}
	}

	/**
	 * @see validate_action_token()
	 * @access private
	 */
	public function validateActionToken($visible_errors = true, $token = null, $ts = null) {
		if (!$token) {
			$token = get_input('__elgg_token');
		}
	
		if (!$ts) {
			$ts = get_input('__elgg_ts');
		}

		$session_id = $this->session->getId();

		if (($token) && ($ts) && ($session_id)) {
			if ($this->validateTokenOwnership($token, $ts)) {
				if ($this->validateTokenTimestamp($ts)) {
					// We have already got this far, so unless anything
					// else says something to the contrary we assume we're ok
					$returnval = _elgg_services()->hooks->trigger('action_gatekeeper:permissions:check', 'all', [
						'token' => $token,
						'time' => $ts
					], true);

					if ($returnval) {
						return true;
					} else if ($visible_errors) {
						register_error(_elgg_services()->translator->translate('actiongatekeeper:pluginprevents'));
					}
				} else if ($visible_errors) {
					// this is necessary because of #5133
					if (elgg_is_xhr()) {
						register_error(_elgg_services()->translator->translate(
							'js:security:token_refresh_failed',
							[$this->config->wwwroot]
						));
					} else {
						register_error(_elgg_services()->translator->translate('actiongatekeeper:timeerror'));
					}
				}
			} else if ($visible_errors) {
				// this is necessary because of #5133
				if (elgg_is_xhr()) {
					register_error(_elgg_services()->translator->translate('js:security:token_refresh_failed', [$this->config->wwwroot]));
				} else {
					register_error(_elgg_services()->translator->translate('actiongatekeeper:tokeninvalid'));
				}
			}
		} else {
			$req = _elgg_services()->request;
			$length = $req->server->get('CONTENT_LENGTH');
			$post_count = count($req->request);
			if ($length && $post_count < 1) {
				// The size of $_POST or uploaded file has exceed the size limit
				$error_msg = _elgg_services()->hooks->trigger('action_gatekeeper:upload_exceeded_msg', 'all', [
					'post_size' => $length,
					'visible_errors' => $visible_errors,
				], _elgg_services()->translator->translate('actiongatekeeper:uploadexceeded'));
			} else {
				$error_msg = _elgg_services()->translator->translate('actiongatekeeper:missingfields');
			}
			if ($visible_errors) {
				register_error($error_msg);
			}
		}

		return false;
	}

	/**
	 * Is the token timestamp within acceptable range?
	 *
	 * @param int $ts timestamp from the CSRF token
	 *
	 * @return bool
	 */
	protected function validateTokenTimestamp($ts) {
		$timeout = $this->getActionTokenTimeout();
		$now = $this->getCurrentTime()->getTimestamp();
		return ($timeout == 0 || ($ts > $now - $timeout) && ($ts < $now + $timeout));
	}

	/**
	 * @see ActionsService::validateActionToken
	 * @access private
	 * @since 1.9.0
	 * @return int number of seconds that action token is valid
	 */
	public function getActionTokenTimeout() {
		if (($timeout = $this->config->action_token_timeout) === null) {
			// default to 2 hours
			$timeout = 2;
		}
		$hour = 60 * 60;
		return (int) ((float) $timeout * $hour);
	}

	/**
	 * @return bool
	 * @see action_gatekeeper()
	 * @access private
	 */
	public function gatekeeper($action) {
		if ($action === 'login') {
			if ($this->validateActionToken(false)) {
				return true;
			}

			$token = get_input('__elgg_token');
			$ts = (int) get_input('__elgg_ts');
			if ($token && $this->validateTokenTimestamp($ts)) {
				// The tokens are present and the time looks valid: this is probably a mismatch due to the
				// login form being on a different domain.
				register_error(_elgg_services()->translator->translate('actiongatekeeper:crosssitelogin'));
				_elgg_services()->responseFactory->redirect('login', 'csrf');
				return false;
			}
		}
		
		if ($this->validateActionToken()) {
			return true;
		}
			
		_elgg_services()->responseFactory->redirect(REFERER, 'csrf');
		return false;
	}

	/**
	 * Was the given token generated for the session defined by session_token?
	 *
	 * @param string $token         CSRF token
	 * @param int    $timestamp     Unix time
	 * @param string $session_token Session-specific token
	 *
	 * @return bool
	 * @access private
	 */
	public function validateTokenOwnership($token, $timestamp, $session_token = '') {
		$required_token = $this->generateActionToken($timestamp, $session_token);

		return _elgg_services()->crypto->areEqual($token, $required_token);
	}
	
	/**
	 * Generate a token from a session token (specifying the user), the timestamp, and the site key.
	 *
	 * @see generate_action_token()
	 *
	 * @param int    $timestamp     Unix timestamp
	 * @param string $session_token Session-specific token
	 *
	 * @return string
	 * @access private
	 */
	public function generateActionToken($timestamp, $session_token = '') {
		if (!$session_token) {
			$session_token = elgg_get_session()->get('__elgg_session');
			if (!$session_token) {
				return false;
			}
		}

		return _elgg_services()->hmac->getHmac([(int) $timestamp, $session_token], 'md5')
			->getToken();
	}
	
	/**
	 * @see elgg_action_exists()
	 * @access private
	 */
	public function exists($action) {
		return (isset($this->actions[$action]) && file_exists($this->actions[$action]['file']));
	}
	
	/**
	 * Get all actions
	 *
	 * @return array
	 */
	public function getAllActions() {
		return $this->actions;
	}

	/**
	 * Send an updated CSRF token, provided the page's current tokens were not fake.
	 *
	 * @return ResponseBuilder
	 * @access private
	 */
	public function handleTokenRefreshRequest() {
		if (!elgg_is_xhr()) {
			return false;

		}

		// the page's session_token might have expired (not matching __elgg_session in the session), but
		// we still allow it to be given to validate the tokens in the page.
		$session_token = get_input('session_token', null, false);
		$pairs = (array) get_input('pairs', [], false);
		$valid_tokens = (object) [];
		foreach ($pairs as $pair) {
			list($ts, $token) = explode(',', $pair, 2);
			if ($this->validateTokenOwnership($token, $ts, $session_token)) {
				$valid_tokens->{$token} = true;
			}
		}

		$ts = $this->getCurrentTime()->getTimestamp();
		$token = $this->generateActionToken($ts);
		$data = [
			'token' => [
				'__elgg_ts' => $ts,
				'__elgg_token' => $token,
				'logged_in' => $this->session->isLoggedIn(),
			],
			'valid_tokens' => $valid_tokens,
			'session_token' => $this->session->get('__elgg_session'),
			'user_guid' => $this->session->getLoggedInUserGuid(),
		];

		elgg_set_http_header("Content-Type: application/json;charset=utf-8");
		return elgg_ok_response($data);
	}
}



1			<?php
2			namespace Elgg;
3
4			use Elgg\Http\ResponseBuilder;
5			use ElggCrypto;
6			use ElggSession;
7
8			/**
9			* WARNING: API IN FLUX. DO NOT USE DIRECTLY.
10			*
11			* Use the elgg_* versions instead.
12			*
13			* @access private
14			*
15			* @package Elgg.Core
16			* @subpackage Actions
17			* @since 1.9.0
18			*/
19			class ActionsService {
20
21			use \Elgg\TimeUsing;
22
23			/**
24			* @var Config
25			*/
26			private $config;
27
28			/**
29			* @var ElggSession
30			*/
31			private $session;
32
33			/**
34			* @var ElggCrypto
35			*/
36			private $crypto;
37
38			/**
39			* Registered actions storage
40			*
41			* Each element has keys:
42			* "file" => filename
43			* "access" => access level
44			*
45			* @var array
46			*/
47			private $actions = [];
48
49			/**
50			* The current action being processed
51			* @var string
52			*/
53			private $currentAction = null;
54
55			/**
56			* @var string[]
57			*/
58			private static $access_levels = ['public', 'logged_in', 'admin'];
59
60			/**
61			* Constructor
62			*
63			* @param Config $config Config
64			* @param ElggSession $session Session
65			* @param ElggCrypto $crypto Crypto service
66			*/
67	341		public function __construct(Config $config, ElggSession $session, ElggCrypto $crypto) {
68	341		$this->config = $config;
69	341		$this->session = $session;
70	341		$this->crypto = $crypto;
71	341		}
72
73			/**
74			* Executes an action
75			* If called from action() redirect will be issued by the response factory
76			* If called as /action page handler response will be handled by \Elgg\Router
77			*
78			* @param string $action Action name
79			* @param string $forwarder URL to forward to after completion
80			* @return ResponseBuilder\|null
81			* @see action()
82			* @access private
83			*/
84	35		public function execute($action, $forwarder = "") {
85	35		$action = rtrim($action, '/');
86	35		$this->currentAction = $action;
87
88			// Logout is for convenience.
89			$exceptions = [
90	35		'logout',
91			];
92
93	35		if (!in_array($action, $exceptions)) {
94			// All actions require a token.
95	35		$pass = $this->gatekeeper($action);
96	35		if (!$pass) {
97	1		return;
98			}
99			}
100
101	34		$forwarder = str_replace($this->config->wwwroot, "", $forwarder);
102	34		$forwarder = str_replace("http://", "", $forwarder);
103	34		$forwarder = str_replace("@", "", $forwarder);
104	34		if (substr($forwarder, 0, 1) == "/") {
105	1		$forwarder = substr($forwarder, 1);
106			}
107
108	34		$ob_started = false;
109
110			/**
111			* Prepare action response
112			*
113			* @param string $error_key Error message key
114			* @param int $status_code HTTP status code
115			* @return ResponseBuilder
116			*/
117	34		$forward = function ($error_key = '', $status_code = ELGG_HTTP_OK) use ($action, $forwarder, &$ob_started) {
118	23		if ($error_key) {
119	9		if ($ob_started) {
120			ob_end_clean();
121			}
122	9		$msg = _elgg_services()->translator->translate($error_key, [$action]);
123	9		_elgg_services()->systemMessages->addErrorMessage($msg);
124	9		$response = new \Elgg\Http\ErrorResponse($msg, $status_code);
125			} else {
126	14		$content = ob_get_clean();
127	14		$response = new \Elgg\Http\OkResponse($content, $status_code);
128			}
129
130	23		$forwarder = empty($forwarder) ? REFERER : $forwarder;
131	23		$response->setForwardURL($forwarder);
132	23		return $response;
133	34		};
134
135	34		if (!isset($this->actions[$action])) {
136	5		return $forward('actionundefined', ELGG_HTTP_NOT_IMPLEMENTED);
137			}
138
139	29		$user = $this->session->getLoggedInUser();
140
141			// access checks
142	29		switch ($this->actions[$action]['access']) {
143	29		case 'public':
144	27		break;
145	2		case 'logged_in':
146	1		if (!$user) {
147	1		return $forward('actionloggedout', ELGG_HTTP_FORBIDDEN);
148			}
149			break;
150			default:
151			// admin or misspelling
152	1		if (!$user \|\| !$user->isAdmin()) {
153	1		return $forward('actionunauthorized', ELGG_HTTP_FORBIDDEN);
154			}
155			}
156
157	27		ob_start();
158
159			// To quietly cancel the file, return a falsey value in the "action" hook.
160	27		if (!_elgg_services()->hooks->trigger('action', $action, null, true)) {
161	1		return $forward('', ELGG_HTTP_OK);
162			}
163
164	26		$file = $this->actions[$action]['file'];
165
166	26		if (!is_file($file) \|\| !is_readable($file)) {
167	2		ob_end_clean();
168	2		return $forward('actionnotfound', ELGG_HTTP_NOT_IMPLEMENTED);
169			}
170
171			// set the maximum execution time for actions
172	24		$action_timeout = $this->config->action_time_limit;
173	24		if (isset($action_timeout)) {
174			set_time_limit($action_timeout);
175			}
176
177	24		$result = Includer::includeFile($file);
178	24		if ($result instanceof ResponseBuilder) {
179	11		ob_end_clean();
180	11		return $result;
181			}
182
183	13		return $forward('', ELGG_HTTP_OK);
184			}
185
186			/**
187			* @see elgg_register_action()
188			* @access private
189			*/
190	329		public function register($action, $filename = "", $access = 'logged_in') {
191			// plugins are encouraged to call actions with a trailing / to prevent 301
192			// redirects but we store the actions without it
193	329		$action = rtrim($action, '/');
194
195	329		if (empty($filename)) {
196	294		$path = __DIR__ . '/../../../actions';
197	294		$filename = realpath("$path/$action.php");
198			}
199
200	329		if (!in_array($access, self::$access_levels)) {
201	1		_elgg_services()->logger->error("Unrecognized value '$access' for \$access in " . __METHOD__);
202	1		$access = 'admin';
203			}
204
205	329		$this->actions[$action] = [
206	329		'file' => $filename,
207	329		'access' => $access,
208			];
209	329		return true;
210			}
211
212			/**
213			* @see elgg_unregister_action()
214			* @access private
215			*/
216	1		public function unregister($action) {
217	1		if (isset($this->actions[$action])) {
218	1		unset($this->actions[$action]);
219	1		return true;
220			} else {
221	1		return false;
222			}
223			}
224
225			/**
226			* @see validate_action_token()
227			* @access private
228			*/
229	39		public function validateActionToken($visible_errors = true, $token = null, $ts = null) {
230	39		if (!$token) {
231	36		$token = get_input('__elgg_token');
232			}
233
234	39		if (!$ts) {
235	36		$ts = get_input('__elgg_ts');
236			}
237
238	39		$session_id = $this->session->getId();
239
240	39		if (($token) && ($ts) && ($session_id)) {
241	39		if ($this->validateTokenOwnership($token, $ts)) {
242	37		if ($this->validateTokenTimestamp($ts)) {
243			// We have already got this far, so unless anything
244			// else says something to the contrary we assume we're ok
245	36		$returnval = _elgg_services()->hooks->trigger('action_gatekeeper:permissions:check', 'all', [
246	36		'token' => $token,
247	36		'time' => $ts
248	36		], true);
249
250	36		if ($returnval) {
251	36		return true;
252			} else if ($visible_errors) {
253			register_error(_elgg_services()->translator->translate('actiongatekeeper:pluginprevents'));
254			}
255	1	View Code Duplication	} else if ($visible_errors) {
256			// this is necessary because of #5133
257			if (elgg_is_xhr()) {
258			register_error(_elgg_services()->translator->translate(
259			'js:security:token_refresh_failed',
260			[$this->config->wwwroot]
261			));
262			} else {
263	1		register_error(_elgg_services()->translator->translate('actiongatekeeper:timeerror'));
264			}
265			}
266	3	View Code Duplication	} else if ($visible_errors) {
267			// this is necessary because of #5133
268	1		if (elgg_is_xhr()) {
269			register_error(_elgg_services()->translator->translate('js:security:token_refresh_failed', [$this->config->wwwroot]));
270			} else {
271	4		register_error(_elgg_services()->translator->translate('actiongatekeeper:tokeninvalid'));
272			}
273			}
274			} else {
275	1		$req = _elgg_services()->request;
276	1		$length = $req->server->get('CONTENT_LENGTH');
277	1		$post_count = count($req->request);
278	1		if ($length && $post_count < 1) {
279			// The size of $_POST or uploaded file has exceed the size limit
280			$error_msg = _elgg_services()->hooks->trigger('action_gatekeeper:upload_exceeded_msg', 'all', [
281			'post_size' => $length,
282			'visible_errors' => $visible_errors,
283			], _elgg_services()->translator->translate('actiongatekeeper:uploadexceeded'));
284			} else {
285	1		$error_msg = _elgg_services()->translator->translate('actiongatekeeper:missingfields');
286			}
287	1		if ($visible_errors) {
288	1		register_error($error_msg);
289			}
290			}
291
292	5		return false;
293			}
294
295			/**
296			* Is the token timestamp within acceptable range?
297			*
298			* @param int $ts timestamp from the CSRF token
299			*
300			* @return bool
301			*/
302	37		protected function validateTokenTimestamp($ts) {
303	37		$timeout = $this->getActionTokenTimeout();
304	37		$now = $this->getCurrentTime()->getTimestamp();
305	37		return ($timeout == 0 \|\| ($ts > $now - $timeout) && ($ts < $now + $timeout));
306			}
307
308			/**
309			* @see ActionsService::validateActionToken
310			* @access private
311			* @since 1.9.0
312			* @return int number of seconds that action token is valid
313			*/
314	38		public function getActionTokenTimeout() {
315	38		if (($timeout = $this->config->action_token_timeout) === null) {
316			// default to 2 hours
317	38		$timeout = 2;
318			}
319	38		$hour = 60 * 60;
320	38		return (int) ((float) $timeout * $hour);
321			}
322
323			/**
324			* @return bool
325			* @see action_gatekeeper()
326			* @access private
327			*/
328	36		public function gatekeeper($action) {
329	36		if ($action === 'login') {
330			if ($this->validateActionToken(false)) {
331			return true;
332			}
333
334			$token = get_input('__elgg_token');
335			$ts = (int) get_input('__elgg_ts');
336			if ($token && $this->validateTokenTimestamp($ts)) {
337			// The tokens are present and the time looks valid: this is probably a mismatch due to the
338			// login form being on a different domain.
339			register_error(_elgg_services()->translator->translate('actiongatekeeper:crosssitelogin'));
340			_elgg_services()->responseFactory->redirect('login', 'csrf');
341			return false;
342			}
343			}
344
345	36		if ($this->validateActionToken()) {
346	35		return true;
347			}
348
349	2		_elgg_services()->responseFactory->redirect(REFERER, 'csrf');
350	2		return false;
351			}
352
353			/**
354			* Was the given token generated for the session defined by session_token?
355			*
356			* @param string $token CSRF token
357			* @param int $timestamp Unix time
358			* @param string $session_token Session-specific token
359			*
360			* @return bool
361			* @access private
362			*/
363	40		public function validateTokenOwnership($token, $timestamp, $session_token = '') {
364	40		$required_token = $this->generateActionToken($timestamp, $session_token);
365
366	40		return _elgg_services()->crypto->areEqual($token, $required_token);
367			}
368
369			/**
370			* Generate a token from a session token (specifying the user), the timestamp, and the site key.
371			*
372			* @see generate_action_token()
373			*
374			* @param int $timestamp Unix timestamp
375			* @param string $session_token Session-specific token
376			*
377			* @return string
378			* @access private
379			*/
380	40		public function generateActionToken($timestamp, $session_token = '') {
381	40		if (!$session_token) {
382	40		$session_token = elgg_get_session()->get('__elgg_session');
383	40		if (!$session_token) {
384			return false;
385			}
386			}
387
388	40		return _elgg_services()->hmac->getHmac([(int) $timestamp, $session_token], 'md5')
389	40		->getToken();
390			}
391
392			/**
393			* @see elgg_action_exists()
394			* @access private
395			*/
396	4		public function exists($action) {
397	4		return (isset($this->actions[$action]) && file_exists($this->actions[$action]['file']));
398			}
399
400			/**
401			* Get all actions
402			*
403			* @return array
404			*/
405	3		public function getAllActions() {
406	3		return $this->actions;
407			}
408
409			/**
410			* Send an updated CSRF token, provided the page's current tokens were not fake.
411			*
412			* @return ResponseBuilder
413			* @access private
414			*/
415	1		public function handleTokenRefreshRequest() {
416	1		if (!elgg_is_xhr()) {
417			return false;
			0 ignored issues – show Bug Best Practice introduced 2017-10-16 06:19 UTC by Report Bug Copy Issue Report Show Similar Issues like this The expression `return false` returns the type `false` which is incompatible with the documented return type `Elgg\Http\ResponseBuilder`. Loading history...
418			}
419
420			// the page's session_token might have expired (not matching __elgg_session in the session), but
421			// we still allow it to be given to validate the tokens in the page.
422	1		$session_token = get_input('session_token', null, false);
423	1		$pairs = (array) get_input('pairs', [], false);
424	1		$valid_tokens = (object) [];
425	1		foreach ($pairs as $pair) {
426	1		list($ts, $token) = explode(',', $pair, 2);
427	1		if ($this->validateTokenOwnership($token, $ts, $session_token)) {
428	1		$valid_tokens->{$token} = true;
429			}
430			}
431
432	1		$ts = $this->getCurrentTime()->getTimestamp();
433	1		$token = $this->generateActionToken($ts);
434			$data = [
435			'token' => [
436	1		'__elgg_ts' => $ts,
437	1		'__elgg_token' => $token,
438	1		'logged_in' => $this->session->isLoggedIn(),
439			],
440	1		'valid_tokens' => $valid_tokens,
441	1		'session_token' => $this->session->get('__elgg_session'),
442	1		'user_guid' => $this->session->getLoggedInUserGuid(),
443			];
444
445	1		elgg_set_http_header("Content-Type: application/json;charset=utf-8");
446	1		return elgg_ok_response($data);
447			}
448			}
449
450

Elgg / Elgg

Push — master ( caf222...deba87 )

engine/classes/Elgg/ActionsService.php (1 issue)

Labels

Severity

Introduced By

Duplication Side-by-Side

Filter issues like