1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
|
<?php
/**
* Elgg Actions
*
* Actions are the primary controllers (The C in MVC) in Elgg. They are
* registered by {@link register_elgg_action()} and are called either by URL
* http://elggsite.org/action/action_name or {@link action($action_name}. For
* URLs, a rewrite rule in .htaccess passes the action name to
* engine/handlers/action_handler.php, which dispatches the action.
*
* An action name should be registered to exactly one file in the system, usually under
* the actions/ directory.
*
* All actions require security tokens. Using the {@elgg_view input/form} view
* will automatically add tokens as hidden inputs. To manually add hidden inputs,
* use the {@elgg_view input/securitytoken} view.
*
* To include security tokens for actions called via GET, use
* {@link elgg_add_security_tokens_to_url()}.
*
* Action tokens can be manually generated by using {@link generate_action_token()}.
*
* @tip When registered, actions can be restricted to logged in or admin users.
*
* @tip Action URLs should be called with a trailing / to prevent 301 redirects.
*
* @package Elgg.Core
* @subpackage Actions
* @link http://docs.elgg.org/Actions
* @link http://docs.elgg.org/Actions/Tokens
*/
/**
* Perform an action.
*
* This function executes the action with name $action as
* registered by {@link elgg_register_action()}.
*
* The plugin hook action, $action_name will be emitted before
* the action is executed. If a handler returns false, it will
* prevent the action from being called.
*
* @note If an action isn't registered in the system or is registered
* to an unavailable file the user will be forwarded to the site front
* page and an error will be emitted via {@link register_error()}.
*
* @warning All actions require {@link http://docs.elgg.org/Actions/Tokens Action Tokens}.
* @warning Most plugin shouldn't call this manually.
*
* @param string $action The requested action
* @param string $forwarder Optionally, the location to forward to
*
* @link http://docs.elgg.org/Actions
* @see elgg_register_action()
*
* @return void
*/
function action($action, $forwarder = "") {
global $CONFIG;
$action = rtrim($action, '/');
// @todo REMOVE THESE ONCE #1509 IS IN PLACE.
// Allow users to disable plugins without a token in order to
// remove plugins that are incompatible.
// Login and logout are for convenience.
// file/download (see #2010)
$exceptions = array(
'admin/plugins/disable',
'logout',
'login',
'file/download',
);
if (!in_array($action, $exceptions)) {
// All actions require a token.
action_gatekeeper();
}
$forwarder = str_replace(elgg_get_site_url(), "", $forwarder);
$forwarder = str_replace("http://", "", $forwarder);
$forwarder = str_replace("@", "", $forwarder);
if (substr($forwarder, 0, 1) == "/") {
$forwarder = substr($forwarder, 1);
}
if (isset($CONFIG->actions[$action])) {
if (elgg_is_admin_logged_in() || ($CONFIG->actions[$action]['access'] !== 'admin')) {
if (elgg_is_logged_in() || ($CONFIG->actions[$action]['access'] === 'public')) {
// Trigger action event
// @todo This is only called before the primary action is called.
$event_result = true;
$event_result = elgg_trigger_plugin_hook('action', $action, null, $event_result);
// Include action
// Event_result being false doesn't produce an error
// since i assume this will be handled in the hook itself.
// @todo make this better!
if ($event_result) {
if (!include($CONFIG->actions[$action]['file'])) {
register_error(elgg_echo('actionnotfound', array($action)));
}
}
} else {
register_error(elgg_echo('actionloggedout'));
}
} else {
register_error(elgg_echo('actionunauthorized'));
}
} else {
register_error(elgg_echo('actionundefined', array($action)));
}
if (!empty($forwarder)) {
forward($forwarder);
} else {
forward(REFERER);
}
}
/**
* Registers an action.
*
* Actions are registered to a single file in the system and are executed
* either by the URL http://elggsite.org/action/action_name or by calling
* {@link action()}.
*
* $filename must be the full path of the file to register, or a path relative
* to the core actions/ dir.
*
* Actions should be namedspaced for your plugin. Example:
* <code>
* elgg_register_action('myplugin/save_settings', ...);
* </code>
*
* @tip Put action files under the actions/<plugin_name> directory of your plugin.
*
* @tip You don't need to include engine/start.php, call {@link gatekeeper()},
* or call {@link admin_gatekeeper()}.
*
* @internal Actions are saved in $CONFIG->actions as an array in the form:
* <code>
* array(
* 'file' => '/location/to/file.php',
* 'access' => 'public', 'logged_in', or 'admin'
* )
* </code>
*
* @param string $action The name of the action (eg "register", "account/settings/save")
* @param string $filename Optionally, the filename where this action is located. If not specified,
* will assume the action is in elgg/actions/<action>.php
* @param string $access Who is allowed to execute this action: admin, public, or logged_in.
*
* @see action()
* @see http://docs.elgg.org/Actions
*
* @return true
*/
function elgg_register_action($action, $filename = "", $access = 'logged_in') {
global $CONFIG;
// plugins are encouraged to call actions with a trailing / to prevent 301
// redirects but we store the actions without it
$action = rtrim($action, '/');
if (!isset($CONFIG->actions)) {
$CONFIG->actions = array();
}
if (empty($filename)) {
$path = "";
if (isset($CONFIG->path)) {
$path = $CONFIG->path;
}
$filename = $path . "actions/" . $action . ".php";
}
$CONFIG->actions[$action] = array(
'file' => $filename,
'access' => $access,
);
return true;
}
/**
* Validate an action token.
*
* Calls to actions will automatically validate tokens.
* If tokens are not present or invalid, the action will be
* denied and the user will be redirected to the front page.
*
* Plugin authors should never have to manually validate action tokens.
*
* @access private
*
* @param bool $visibleerrors Emit {@link register_error()} errors on failure?
* @param mixed $token The token to test against. Default: $_REQUEST['__elgg_token']
* @param mixed $ts The time stamp to test against. Default: $_REQUEST['__elgg_ts']
*
* @return bool
* @see generate_action_token()
* @link http://docs.elgg.org/Actions/Tokens
*/
function validate_action_token($visibleerrors = TRUE, $token = NULL, $ts = NULL) {
global $CONFIG;
if (!$token) {
$token = get_input('__elgg_token');
}
if (!$ts) {
$ts = get_input('__elgg_ts');
}
if (!isset($CONFIG->action_token_timeout)) {
// default to 2 hours
$timeout = 2;
} else {
$timeout = $CONFIG->action_token_timeout;
}
$session_id = session_id();
if (($token) && ($ts) && ($session_id)) {
// generate token, check with input and forward if invalid
$generated_token = generate_action_token($ts);
// Validate token
if ($token == $generated_token) {
$hour = 60 * 60;
$timeout = $timeout * $hour;
$now = time();
// Validate time to ensure its not crazy
if ($timeout == 0 || ($ts > $now - $timeout) && ($ts < $now + $timeout)) {
// We have already got this far, so unless anything
// else says something to the contry we assume we're ok
$returnval = true;
$returnval = elgg_trigger_plugin_hook('action_gatekeeper:permissions:check', 'all', array(
'token' => $token,
'time' => $ts
), $returnval);
if ($returnval) {
return true;
} else if ($visibleerrors) {
register_error(elgg_echo('actiongatekeeper:pluginprevents'));
}
} else if ($visibleerrors) {
register_error(elgg_echo('actiongatekeeper:timeerror'));
}
} else if ($visibleerrors) {
register_error(elgg_echo('actiongatekeeper:tokeninvalid'));
}
} else if ($visibleerrors) {
register_error(elgg_echo('actiongatekeeper:missingfields'));
}
return FALSE;
}
/**
* Validates the presence of action tokens.
*
* This function is called for all actions. If action tokens are missing,
* the user will be forwarded to the site front page and an error emitted.
*
* This function verifies form input for security features (like a generated token), and forwards
* the page if they are invalid.
*
* @access private
* @return mixed True if valid, or redirects to front page and exists.
*/
function action_gatekeeper() {
if (validate_action_token()) {
return TRUE;
}
forward(REFERER, 'csrf');
}
/**
* Generate an action token.
*
* Action tokens are based on timestamps as returned by {@link time()}.
* They are valid for one hour.
*
* Action tokens should be passed to all actions name __elgg_ts and __elgg_token.
*
* @warning Action tokens are required for all actions.
*
* @param int $timestamp Unix timestamp
*
* @see @elgg_view input/securitytoken
* @see @elgg_view input/form
* @example actions/manual_tokens.php
*
* @return string|false
*/
function generate_action_token($timestamp) {
$site_secret = get_site_secret();
$session_id = session_id();
// Session token
$st = $_SESSION['__elgg_session'];
if (($site_secret) && ($session_id)) {
return md5($site_secret . $timestamp . $session_id . $st);
}
return FALSE;
}
/**
* Initialise the site secret hash.
*
* Used during installation and saves as a datalist.
*
* @return mixed The site secret hash or false
* @access private
* @todo Move to better file.
*/
function init_site_secret() {
$secret = md5(rand() . microtime());
if (datalist_set('__site_secret__', $secret)) {
return $secret;
}
return FALSE;
}
/**
* Returns the site secret.
*
* Used to generate difficult to guess hashes for sessions and action tokens.
*
* @return string Site secret.
* @access private
* @todo Move to better file.
*/
function get_site_secret() {
$secret = datalist_get('__site_secret__');
if (!$secret) {
$secret = init_site_secret();
}
return $secret;
}
/**
* Check if an action is registered and its file exists.
*
* @param string $action Action name
*
* @return bool
* @since 1.8.0
*/
function elgg_action_exists($action) {
global $CONFIG;
return (isset($CONFIG->actions[$action]) && file_exists($CONFIG->actions[$action]['file']));
}
/**
* Initialize some ajaxy actions features
*/
function actions_init() {
elgg_register_action('security/refreshtoken', '', 'public');
elgg_register_simplecache_view('js/languages/en');
elgg_register_plugin_hook_handler('action', 'all', 'ajax_action_hook');
elgg_register_plugin_hook_handler('forward', 'all', 'ajax_forward_hook');
}
/**
* Checks whether the request was requested via ajax
*
* @return bool whether page was requested via ajax
*/
function elgg_is_xhr() {
return isset($_SERVER['HTTP_X_REQUESTED_WITH'])
&& strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest';
}
/**
* Catch calls to forward() in ajax request and force an exit.
*
* Forces response is json of the following form:
* <pre>
* {
* "current_url": "the.url.we/were/coming/from",
* "forward_url": "the.url.we/were/going/to",
* "system_messages": {
* "messages": ["msg1", "msg2", ...],
* "errors": ["err1", "err2", ...]
* },
* "status": -1 //or 0 for success if there are no error messages present
* }
* </pre>
* where "system_messages" is all message registers at the point of forwarding
*
* @param string $hook
* @param string $type
* @param string $reason
* @param array $params
*
*/
function ajax_forward_hook($hook, $type, $reason, $params) {
if (elgg_is_xhr()) {
// always pass the full structure to avoid boilerplate JS code.
$params = array(
'output' => '',
'status' => 0,
'system_messages' => array(
'error' => array(),
'success' => array()
)
);
//grab any data echo'd in the action
$output = ob_get_clean();
//Avoid double-encoding in case data is json
$json = json_decode($output);
if (isset($json)) {
$params['output'] = $json;
} else {
$params['output'] = $output;
}
//Grab any system messages so we can inject them via ajax too
$system_messages = system_messages(NULL, "");
if (isset($system_messages['success'])) {
$params['system_messages']['success'] = $system_messages['success'];
}
if (isset($system_messages['error'])) {
$params['system_messages']['error'] = $system_messages['error'];
$params['status'] = -1;
} else {
$params['status'] = 0;
}
header("Content-type: application/json");
echo json_encode($params);
exit;
}
}
/**
* Buffer all output echo'd directly in the action for inclusion in the returned JSON.
*/
function ajax_action_hook() {
if (elgg_is_xhr()) {
ob_start();
}
}
elgg_register_event_handler('init', 'system', 'actions_init');
|