-rw-r--r--boot.php17
-rw-r--r--include/observer.php68
-rw-r--r--include/security.php8
-rw-r--r--tests/unit/Module/MagicTest.php8
-rw-r--r--tests/unit/includes/BBCodeTest.php7
5 files changed, 81 insertions, 27 deletions
diff --git a/boot.php b/boot.php
index 2e32651c7..ddc28d697 100644
--- a/boot.php
+++ b/boot.php
@@ -49,6 +49,7 @@ require_once('include/text.php');
require_once('include/datetime.php');
require_once('include/language.php');
require_once('include/nav.php');
+require_once('include/observer.php');
require_once('include/permissions.php');
require_once('include/features.php');
require_once('include/taxonomy.php');
@@ -2151,22 +2152,6 @@ function dba_timer() {
}
/**
- * @brief Returns xchan_hash from the observer.
- *
- * Observer can be a local or remote channel.
- *
- * @return string xchan_hash from observer, otherwise empty string if no observer
- */
-function get_observer_hash() {
- $observer = App::get_observer();
- if (is_array($observer)) {
- return $observer['xchan_hash'];
- }
-
- return '';
-}
-
-/**
* @brief Returns the complete URL of the current page, e.g.: http(s)://something.com/network
*
* Taken from http://webcheatsheet.com/php/get_current_page_url.php
diff --git a/include/observer.php b/include/observer.php
new file mode 100644
index 000000000..4483e1d8b
--- /dev/null
+++ b/include/observer.php
@@ -0,0 +1,68 @@
+<?php
+/**
+ * Helper functions for getting info about the observer.
+ *
+ * SPDX-FileCopyrightText: 2025 The Hubzilla Community
+ * SPDX-FileContributor: Harald Eilertsen <haraldei@anduin.net>
+ *
+ * SPDX-License-Identifier: MIT
+ *
+ * The _observer_ in Hubzilla is the channel visiting the site in the current
+ * session. This could be a local channel, or a remote channel logged in via
+ * OpenWebAuth.
+ *
+ * If the observer is not set, or empty, this indicates an unauthenticated
+ * visitor, which may mean a visitor from another site that don't support, or
+ * has not enabled OpenWebAuth.
+ */
+
+/**
+ * Get the unique hash identifying the current observer.
+ *
+ * Observer can be a local or remote channel.
+ *
+ * @return string Unique hash of observer, otherwise empty string if no
+ * observer
+ */
+function get_observer_hash() {
+ $observer = App::get_observer();
+ if (is_array($observer)) {
+ return $observer['xchan_hash'];
+ }
+
+ return '';
+}
+
+/**
+ * Get the guid of the current observer.
+ *
+ * Observer can be a local or remote channel.
+ *
+ * @return string The GUID of the observer, otherwise empty string if no
+ * observer
+ */
+function get_observer_guid() {
+ $observer = App::get_observer();
+ if (is_array($observer)) {
+ return $observer['xchan_guid'];
+ }
+
+ return '';
+}
+
+/**
+ * Get the name of the current observer.
+ *
+ * Observer can be a local or remote channel.
+ *
+ * @return string The name of the observer, otherwise empty string if no
+ * observer
+ */
+function get_observer_name() {
+ $observer = App::get_observer();
+ if (is_array($observer)) {
+ return $observer['xchan_name'];
+ }
+
+ return '';
+}
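Review bot: All three accessors index the observer array without a default (`return $observer['xchan_hash'];`, and likewise for `xchan_guid` and `xchan_name`), so an observer array that lacks the key emits an "Undefined array key" warning and returns null rather than the string the docblocks promise; the BBCodeTest fixture in this same commit builds an observer without `xchan_guid` or `xchan_hash`, and MagicTest's has only `xchan_hash`. The include/security.php hunk that replaces `App::$observer['xchan_guid'] ?? ''` with `get_observer_guid()` in get_form_security_token therefore drops the guard the old line had. Suggest `return $observer['xchan_guid'] ?? '';` (and the same `?? ''` for the other two) plus a `: string` return type on each function so the documented contract is enforced by the engine.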
diff --git a/include/security.php b/include/security.php
index 8e13d4195..32ca4f268 100644
--- a/include/security.php
+++ b/include/security.php
@@ -607,7 +607,7 @@ function public_permissions_sql($observer_hash) {
function get_form_security_token($typename = '') {
$timestamp = time();
- $guid = App::$observer['xchan_guid'] ?? '';
+ $guid = get_observer_guid();
$sec_hash = hash('whirlpool', $guid . ((local_channel()) ? App::$channel['channel_prvkey'] : '') . session_id() . $timestamp . $typename);
return $timestamp . '.' . $sec_hash;
@@ -623,7 +623,7 @@ function check_form_security_token($typename = '', $formname = 'form_security_to
if (time() > (IntVal($x[0]) + $max_livetime))
return false;
- $sec_hash = hash('whirlpool', App::$observer['xchan_guid'] . ((local_channel()) ? App::$channel['channel_prvkey'] : '') . session_id() . $x[0] . $typename);
+ $sec_hash = hash('whirlpool', get_observer_guid() . ((local_channel()) ? App::$channel['channel_prvkey'] : '') . session_id() . $x[0] . $typename);
return ($sec_hash == $x[1]);
}
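Review bot: The token hash that the new `get_observer_guid()` call feeds is still verified with `return ($sec_hash == $x[1]);` two lines below, a loose comparison that is not constant-time and follows PHP's numeric-string comparison rules for two numeric-looking strings. Since this line decides whether the CSRF token is accepted, suggest `return hash_equals($sec_hash, (string) ($x[1] ?? ''));` — the `?? ''` keeps the existing "no second part means mismatch" behaviour instead of a TypeError. The body of check_form_security_token, including where `$x` is split, starts outside the hunk.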
@@ -635,7 +635,7 @@ function check_form_security_std_err_msg() {
function check_form_security_token_redirectOnErr($err_redirect, $typename = '', $formname = 'form_security_token') {
if (!check_form_security_token($typename, $formname)) {
- logger('check_form_security_token failed: user ' . App::$observer['xchan_name'] . ' - form element ' . $typename);
+ logger('check_form_security_token failed: user ' . get_observer_name() . ' - form element ' . $typename);
logger('check_form_security_token failed: _REQUEST data: ' . print_r($_REQUEST, true), LOGGER_DATA);
notice(check_form_security_std_err_msg());
goaway(z_root() . $err_redirect);
@@ -644,7 +644,7 @@ function check_form_security_token_redirectOnErr($err_redirect, $typename = '',
function check_form_security_token_ForbiddenOnErr($typename = '', $formname = 'form_security_token') {
if (!check_form_security_token($typename, $formname)) {
- logger('check_form_security_token failed: user ' . App::$observer['xchan_name'] . ' - form element ' . $typename);
+ logger('check_form_security_token failed: user ' . get_observer_name() . ' - form element ' . $typename);
logger('check_form_security_token failed: _REQUEST data: ' . print_r($_REQUEST, true), LOGGER_DATA);
header('HTTP/1.1 403 Forbidden');
killme();
diff --git a/tests/unit/Module/MagicTest.php b/tests/unit/Module/MagicTest.php
index 4a03d9d57..2c426bf76 100644
--- a/tests/unit/Module/MagicTest.php
+++ b/tests/unit/Module/MagicTest.php
@@ -46,9 +46,9 @@ class MagicTest extends TestCase {
App::set_baseurl($baseurl);
- App::$observer = [
+ App::set_observer([
'xchan_hash' => 'the hash',
- ];
+ ]);
// We pass a local URL, and have a valid observer, but as the
// delegate param is not passed, nothing will be done except
@@ -72,9 +72,9 @@ class MagicTest extends TestCase {
App::$timezone = 'UTC';
// Simulate a foreign (to this hub) observer,
- App::$observer = [
+ App::set_observer([
'xchan_hash' => 'foreign hash',
- ];
+ ]);
// Create the channel the foreign observer wants to access
$result = create_identity([
diff --git a/tests/unit/includes/BBCodeTest.php b/tests/unit/includes/BBCodeTest.php
index 136fc6e0e..50475efea 100644
--- a/tests/unit/includes/BBCodeTest.php
+++ b/tests/unit/includes/BBCodeTest.php
@@ -23,6 +23,7 @@
namespace Zotlabs\Tests\Unit\includes;
+use App;
use Zotlabs\Tests\Unit\UnitTestCase;
class BBCodeTest extends UnitTestCase {
@@ -42,7 +43,7 @@ class BBCodeTest extends UnitTestCase {
*/
public function test_bbcode_observer(string $src, bool $logged_in, string $lang, string $expected): void {
if ($logged_in) {
- \App::$observer = [
+ App::set_observer([
'xchan_addr' => '',
'xchan_name' => '',
'xchan_connurl' => '',
@@ -50,9 +51,9 @@ class BBCodeTest extends UnitTestCase {
// port required in xchan url due to bug in get_rpost_path
'xchan_url' => 'https://example.com:666',
- ];
+ ]);
} else {
- \App::$observer = null;
+ App::set_observer(null);
}
\App::$language = $lang;