From: Michael M Slusarz
Date: Sat, 9 Oct 2010 07:30:07 +0000 (-0600)
Subject: Use the Horde:: token checking methods
X-Git-Url: https://git.internetallee.de/?a=commitdiff_plain;h=b65c24d82666bba302bee7960b2f1260e02ad6ae;p=horde.git
Use the Horde:: token checking methods
---
diff --git a/koward/lib/Koward.php b/koward/lib/Koward.php
index afc3140ab..9ef47b087 100644
--- a/koward/lib/Koward.php
+++ b/koward/lib/Koward.php
@@ -94,39 +94,6 @@ class Koward {
 return self::$server;
 }
- /**
- * Get a token for protecting a form.
- *
- * @param string $seed TODO
- *
- * @return TODO
- */
- static public function getRequestToken($seed)
- {
- $token = Horde_Token::generateId($seed);
- $_SESSION['horde_form_secrets'][$token] = time();
- return $token;
- }
-
- /**
- * Check if a token for a form is valid.
- *
- * @param string $seed TODO
- * @param string $token TODO
- *
- * @throws Horde_Exception
- */
- static public function checkRequestToken($seed, $token)
- {
- if (empty($_SESSION['horde_form_secrets'][$token])) {
- throw new Horde_Exception(_("We cannot verify that this request was really sent by you. It could be a malicious request. If you intended to perform this action, you can retry it now."));
- }
-
- if ($_SESSION['horde_form_secrets'][$token] + $GLOBALS['conf']['server']['token_lifetime'] < time()) {
- throw new Horde_Exception(sprintf(_("This request cannot be completed because the link you followed or the form you submitted was only valid for %d minutes. Please try again now."), round($GLOBALS['conf']['server']['token_lifetime'] / 60)));
- }
- }
-
 public function getObject($uid)
 {
 return $this->getServer()->fetch($uid);
diff --git a/koward/lib/Koward/Cli.php b/koward/lib/Koward/Cli.php
index 2fe7ccc1f..8e09c3d42 100644
--- a/koward/lib/Koward/Cli.php
+++ b/koward/lib/Koward/Cli.php
@@ -135,8 +135,7 @@ class Koward_Cli extends Horde_Controller_Request_Base
 * to use the standard form mechanisms via CLI. Think of some
 * alternatives here.
 */
- $koward = &Koward::singleton();
- $token = $koward->getRequestToken('cli');
+ $token = Horde::getRequestToken('cli');
 $this->_cmd_argv['koward_form_object_formToken'] = $token;
 /**
@@ -196,8 +195,7 @@ class Koward_Cli extends Horde_Controller_Request_Base
 /**
 * Provide a token for immediate deletion.
 */
- $koward = &Koward::singleton();
- $this->_cmd_argv['token'] = $koward->getRequestToken('object.delete');
+ $this->_cmd_argv['token'] = Horde::getRequestToken('object.delete');
 break;
 }
diff --git a/koward/lib/Koward/Controller/ObjectController.php b/koward/lib/Koward/Controller/ObjectController.php
index 9a84b9ba0..4ebbbc79a 100644
--- a/koward/lib/Koward/Controller/ObjectController.php
+++ b/koward/lib/Koward/Controller/ObjectController.php
@@ -95,7 +95,7 @@ class ObjectController extends Koward_Controller_Application
 $this->submit_url = $this->urlFor(array('controller' => 'object',
 'action' => 'delete',
 'id' => $this->params->id,
- 'token' => $this->koward->getRequestToken('object.delete')));
+ 'token' => Horde::getRequestToken('object.delete')));
 $this->return_url = $this->urlFor(array('controller' => 'object',
 'action' => 'listall'));
@@ -105,7 +105,7 @@ class ObjectController extends Koward_Controller_Application
 } else {
 $token = $this->params->token;
 }
- $this->koward->checkRequestToken('object.delete', $token);
+ Horde::checkRequestToken('object.delete', $token);
 $result = $this->object->delete();
 if ($result === true) {
 $this->koward->notification->push(sprintf(_("Successfully deleted the object \"%s\""),
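Review bot: `$token = Horde::getRequestToken('cli')` keeps issuing a server-side form token from the CLI request path, and the removed `Koward::getRequestToken` in koward/lib/Koward.php shows that this kind of token was stored in `$_SESSION['horde_form_secrets']`; whether Horde's replacement carries the same session requirement under CLI is not visible in this hunk. The existing comment directly above (`Think of some alternatives here.`) could be sharpened to record that dependency, e.g. `// FIXME: Horde::getRequestToken() persists the token server-side; confirm a session exists when running under CLI.` The hunk at @@ -196 makes the same call and shares this point. The enclosing method starts and ends outside the hunk.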
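Review bot: `Horde::checkRequestToken('object.delete', $token)` now guards the `$this->object->delete()` call that follows, but the commit also drops `testToken()` from koward/test/Koward/KowardTest.php, which was the only test pinning the two rejection cases (expired entry, missing entry) for this check, and no replacement is added. The removed `Koward::checkRequestToken` read `$GLOBALS['conf']['server']['token_lifetime']` for the expiry; whether `Horde::checkRequestToken` honours the same configuration key cannot be seen here, so that is worth confirming before treating the configured lifetime as still enforced. A small test that issues a token with `Horde::getRequestToken('object.delete')` and asserts that a removed or back-dated session entry raises `Horde_Exception` would restore the coverage. The `if` branch paired with the visible `} else {` and the enclosing action method lie outside the hunk.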
@@ -159,7 +159,7 @@ class ObjectController extends Koward_Controller_Application
 } else {
 $token = $this->params->token;
 }
- $this->koward->checkRequestToken('object.' . $this->params->oaction, $token);
+ Horde::checkRequestToken('object.' . $this->params->oaction, $token);
 $action = $this->params->oaction;
 $result = $this->object->$action();
@@ -193,7 +193,7 @@ class ObjectController extends Koward_Controller_Application
 'action' => 'view',
 'id' => $this->params->id,
 'action' => $action,
- 'token' => $this->koward->getRequestToken('object.' . $action)));
+ 'token' => Horde::getRequestToken('object.' . $action)));
 $this->return_url = $this->urlFor(array('controller' => 'object',
 'action' => 'view',
 'id' => $this->params->id));
diff --git a/koward/test/Koward/KowardTest.php b/koward/test/Koward/KowardTest.php
index 11430a622..c109d4c44 100644
--- a/koward/test/Koward/KowardTest.php
+++ b/koward/test/Koward/KowardTest.php
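Review bot: The seed in `Horde::checkRequestToken('object.' . $this->params->oaction, $token)` comes straight from the request, so a valid token only proves it was issued for that same `oaction` string by the hunk at @@ -193; it does not restrict which method the dynamic `$this->object->$action()` two lines below ends up calling. If `oaction` is checked against a fixed set of permitted object actions somewhere earlier (the `if` branch before the visible `} else {` and the method start are outside the hunk), a comment on this line naming that place, e.g. `// oaction is limited to the allowed object actions in <validation site>; the token only binds the request to that action.`, would make the contract explicit; if it is not, that validation belongs before the dynamic call.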
@@ -64,32 +64,4 @@ class Koward_KowardTest extends Koward_Test
 $this->assertType('Horde_Kolab_Server_Object', $this->koward->getObject('cn=Gunnar Wrobel,dc=example,dc=org'));
 }
- /**
- * Verify token processing mechanisms.
- *
- * @return NULL
- */
- public function testToken()
- {
- // Get the token.
- $token = $this->koward->getRequestToken('test');
- // Checking it should be fine.
- $this->koward->checkRequestToken('test', $token);
- // Now we set the token to a value that will be considered a timeout.
- $_SESSION['horde_form_secrets'][$token] = time() - 100000;
- try {
- $this->koward->checkRequestToken('test', $token);
- $this->fail('The rquest token is still valid which was not expected.');
- } catch (Horde_Exception $e) {
- $this->assertContains(_("This request cannot be completed because the link you followed or the form you submitted was only valid for"), $e->getMessage());
- }
- // Now we remove the token
- unset($_SESSION['horde_form_secrets'][$token]);
- try {
- $this->koward->checkRequestToken('test', $token);
- $this->fail('The rquest token is still valid which was not expected.');
- } catch (Horde_Exception $e) {
- $this->assertEquals(_("We cannot verify that this request was really sent by you. It could be a malicious request. If you intended to perform this action, you can retry it now."), $e->getMessage());
- }
- }
 }