From 6cc8f7714561a681428c2d402b15666e8e0af0fd Mon Sep 17 00:00:00 2001
From: Cash Costello
Date: Sat, 30 Oct 2010 16:58:33 +0000
Subject: working around use_only_cookies

---
 start.php                                    | 66 ++++++++++++++++++++++++++++
 views/default/tidypics/forms/ajax_upload.php | 16 +++----
 2 files changed, 74 insertions(+), 8 deletions(-)

diff --git a/start.php b/start.php
index c44bc9f1e..4d2b12798 100644
--- a/start.php
+++ b/start.php
@@ -68,6 +68,9 @@ function tidypics_init() {
 
 	// slideshow plugin hook
 	register_plugin_hook('tp_slideshow', 'album', 'tidypics_slideshow');
+
+	// ajax handler for uploads when use_only_cookies is set
+	register_plugin_hook('forward', 'system', 'tidypics_ajax_session_handler');
 }
 
 /**
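Review bot: The registration comment `// ajax handler for uploads when use_only_cookies is set` does not say why an upload handler hangs off the generic `'forward', 'system'` hook, which fires for every `forward()` on the site, and a reader has to find the handler's own comment about `action_gatekeeper` to work it out. Suggest expanding it to `// Runs on every forward(); tidypics_ajax_session_handler() only acts on the gatekeeper redirect of the Flash upload action, which carries no session cookie`. The word "ajax" is slightly misleading here as well, since the body of the handler in this same commit describes the caller as the Flash uploader; tidypics_init() continues outside the hunk.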
@@ -451,10 +454,73 @@ function tidypics_slideshow($hook, $entity_type, $returnvalue, $params) {
 	return $slideshow_link;
 }
 
+/**
+ * Convenience function for listing recent images
+ *
+ * @param int $max
+ * @param bool $pagination
+ * @return string
+ */
 function tp_mostrecentimages($max = 8, $pagination = true) {
 	return list_entities("object", "image", 0, $max, false, false, $pagination);
 }
 
+/**
+ * Work around for Flash/session issues
+ *
+ * @param string $hook
+ * @param string $entity_type
+ * @param string $returnvalue
+ * @param array $params
+ */
+function tidypics_ajax_session_handler($hook, $entity_type, $returnvalue, $params) {
+	global $CONFIG;
+
+	$url = current_page_url();
+	if ($url !== "{$CONFIG->wwwroot}action/tidypics/ajax_upload/") {
+		return;
+	}
+
+	if (get_loggedin_userid() != 0) {
+		return;
+	}
+
+	// action_gatekeeper rejected ajax call from Flash due to session issue
+
+	// Validate token
+	$token = get_input('__elgg_token');
+	$ts = get_input('__elgg_ts');
+	$session_id = get_input('Elgg');
+	$tidypics_token = get_input('tidypics_token');
+	$user_guid = get_input('user_guid');
+
+	$user = get_user($user_guid);
+	if (!$user) {
+		return;
+	}
+
+	if (!$token || !$ts || !$session_id || !$tidypics_token) {
+		return;
+	}
+
+	$hour = 60*60;
+	$now = time();
+	if ($ts < $now-$hour || $ts > $now+$hour) {
+		return;
+	}
+
+	$generated_token = md5($session_id . get_site_secret() . $ts . $user->salt);
+
+	if ($tidypics_token !== $generated_token) {
+		return;
+	}
+
+	// passed token test, so login and process action
+	login($user);
+	include $CONFIG->actions['tidypics/ajax_upload']['file'];
+
+	exit;
+}
 
 // Make sure tidypics_init is called on initialization
 register_elgg_event_handler('init', 'system', 'tidypics_init');
diff --git a/views/default/tidypics/forms/ajax_upload.php b/views/default/tidypics/forms/ajax_upload.php
index 1d2a240ad..87a6ad0ed 100644
--- a/views/default/tidypics/forms/ajax_upload.php
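Review bot: The result of `login($user)` is discarded immediately before the action file is included, so if Elgg's `login()` refuses the account (it can do so for some accounts, e.g. banned ones — worth confirming for the Elgg version in use) the upload action still runs for a user who was never logged in; guard it with `if (!login($user)) { return; }`. The `__elgg_token` value is read and required to be non-empty but is never validated (it cannot be, since there is no session to check it against), so `tidypics_token` is the only thing authenticating the request — either state that in a comment or drop the dead read so the next reader does not assume the Elgg CSRF token is being checked. The credential is `md5(session_id . secret . ts . salt)` compared with `!==`; a keyed construction such as `hash_hmac('sha256', $session_id . $ts . $user->guid, get_site_secret())` plus a constant-time comparison (`hash_equals()` where available) would be more robust, but it has to change in lock-step with the generator in ajax_upload.php. Since this is effectively a replayable bearer token that logs the user in on any request within a two-hour window, the docblock should say so, e.g. `Note: tidypics_token is a bearer credential valid for ±1 hour of clock skew and can be replayed inside that window; keep the window as tight as the uploader allows`.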
+++ b/views/default/tidypics/forms/ajax_upload.php
@@ -3,15 +3,13 @@
 extend_view('metatags', 'tidypics/js/uploader');
 
 $album = $vars['album'];
-$access_id = $album->access_id;
 
 $ts = time();
 $token = generate_action_token($ts);
-
 $batch = time();
+$tidypics_token = md5(session_id() . get_site_secret() . $ts . get_loggedin_user()->salt);
 
 $basic_uploader_url = current_page_url() . '/basic';
-
 $upload_endpoint_url = "{$vars['url']}action/tidypics/ajax_upload/";
 $upload_complete_url = "{$vars['url']}action/tidypics/ajax_upload_complete/";
 
@@ -73,11 +71,13 @@ $("#uploadify").uploadify({
 	'uploader' : 'mod/tidypics/vendors/uploadify/uploadify.swf',
 	'script' : '',
 	'scriptData' : {
-		'album_guid' : 'guid; ?>',
-		'__elgg_token' : '',
-		'__elgg_ts' : '',
-		'Elgg' : '',
-		'batch' : ''
+		'album_guid' : 'guid; ?>',
+		'user_guid' : '',
+		'__elgg_token' : '',
+		'__elgg_ts' : '',
+		'Elgg' : '',
+		'tidypics_token' : '',
+		'batch' : ''
 	},
 	'fileDataName' : 'Image',
 	'cancelImg' : '_graphics/icon_customise_remove.gif',
-- 
cgit v1.2.3
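Review bot: The new `$tidypics_token` line dereferences `get_loggedin_user()->salt` without a null check, so if this form view is ever rendered for a visitor who is not logged in the result is a fatal error rather than a clean refusal; `$viewer = get_loggedin_user(); if (!$viewer) { return; }` ahead of it makes the precondition explicit — I cannot see from the hunk whether a caller already guarantees a logged-in viewer. The md5 construction is duplicated verbatim with the verifier in start.php, so the two can drift silently; a single helper such as `tidypics_ajax_token($session_id, $ts, $user)` used by both the view and the handler would tie them together. At minimum a comment on this line is warranted: `// must match the check in tidypics_ajax_session_handler() in start.php`.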