diff --git a/include/api.php b/include/api.php
index f85379891..5e108632c 100644
--- a/include/api.php
+++ b/include/api.php
@@ -242,7 +242,7 @@ function api_login(App $a)
throw new UnauthorizedException("This API requires login");
}
- Authentication::success($record);
+ Authentication::setAuthenticatedSessionForUser($record);
$_SESSION["allow_api"] = true;
diff --git a/mod/admin.php b/mod/admin.php
index ccadfa525..094206eb9 100644
--- a/mod/admin.php
+++ b/mod/admin.php
@@ -6,6 +6,7 @@
*/
use Friendica\App;
+use Friendica\BaseModule;
use Friendica\Content\Feature;
use Friendica\Content\Text\Markdown;
use Friendica\Core\Addon;
@@ -314,7 +315,7 @@ function admin_page_tos(App $a)
'$preview' => L10n::t('Privacy Statement Preview'),
'$privtext' => $tos->privacy_complete,
'$tostext' => ['tostext', L10n::t('The Terms of Service'), Config::get('system', 'tostext'), L10n::t('Enter the Terms of Service for your node here. You can use BBCode. Headers of sections should be [h2] and below.')],
- '$form_security_token' => Security::get_form_security_token("admin_tos"),
+ '$form_security_token' => BaseModule::getFormSecurityToken("admin_tos"),
'$submit' => L10n::t('Save Settings'),
]);
}
@@ -325,7 +326,7 @@ function admin_page_tos(App $a)
*/
function admin_page_tos_post(App $a)
{
- Security::check_form_security_token_redirectOnErr('/admin/tos', 'admin_tos');
+ BaseModule::checkFormSecurityTokenRedirectOnError('/admin/tos', 'admin_tos');
if (!x($_POST, "page_tos")) {
return;
@@ -385,7 +386,7 @@ function admin_page_blocklist(App $a)
'$entries' => $blocklistform,
'$baseurl' => System::baseUrl(true),
'$confirm_delete' => L10n::t('Delete entry from blocklist?'),
- '$form_security_token' => Security::get_form_security_token("admin_blocklist")
+ '$form_security_token' => BaseModule::getFormSecurityToken("admin_blocklist")
]);
}
@@ -400,7 +401,7 @@ function admin_page_blocklist_post(App $a)
return;
}
- Security::check_form_security_token_redirectOnErr('/admin/blocklist', 'admin_blocklist');
+ BaseModule::checkFormSecurityTokenRedirectOnError('/admin/blocklist', 'admin_blocklist');
if (x($_POST['page_blocklist_save'])) {
// Add new item to blocklist
@@ -443,7 +444,7 @@ function admin_page_contactblock_post(App $a)
$contact_url = x($_POST, 'contact_url') ? $_POST['contact_url'] : '';
$contacts = x($_POST, 'contacts') ? $_POST['contacts'] : [];
- Security::check_form_security_token_redirectOnErr('/admin/contactblock', 'admin_contactblock');
+ BaseModule::checkFormSecurityTokenRedirectOnError('/admin/contactblock', 'admin_contactblock');
if (x($_POST, 'page_contactblock_block')) {
$contact_id = Contact::getIdForURL($contact_url);
@@ -500,7 +501,7 @@ function admin_page_contactblock(App $a)
'$h_newblock' => L10n::t('Block New Remote Contact'),
'$th_contacts' => [L10n::t('Photo'), L10n::t('Name'), L10n::t('Address'), L10n::t('Profile URL')],
- '$form_security_token' => Security::get_form_security_token("admin_contactblock"),
+ '$form_security_token' => BaseModule::getFormSecurityToken("admin_contactblock"),
// values //
'$baseurl' => System::baseUrl(true),
@@ -535,7 +536,7 @@ function admin_page_deleteitem(App $a)
'$intro2' => L10n::t('You need to know the GUID of the item. You can find it e.g. by looking at the display URL. The last part of http://example.com/display/123456 is the GUID, here 123456.'),
'$deleteitemguid' => ['deleteitemguid', L10n::t("GUID"), '', L10n::t("The GUID of the item you want to delete."), 'required', 'autofocus'],
'$baseurl' => System::baseUrl(),
- '$form_security_token' => Security::get_form_security_token("admin_deleteitem")
+ '$form_security_token' => BaseModule::getFormSecurityToken("admin_deleteitem")
]);
}
@@ -553,7 +554,7 @@ function admin_page_deleteitem_post(App $a)
return;
}
- Security::check_form_security_token_redirectOnErr('/admin/deleteitem/', 'admin_deleteitem');
+ BaseModule::checkFormSecurityTokenRedirectOnError('/admin/deleteitem/', 'admin_deleteitem');
if (x($_POST['page_deleteitem_submit'])) {
$guid = trim(notags($_POST['deleteitemguid']));
@@ -946,7 +947,7 @@ function admin_page_summary(App $a)
*/
function admin_page_site_post(App $a)
{
- Security::check_form_security_token_redirectOnErr('/admin/site', 'admin_site');
+ BaseModule::checkFormSecurityTokenRedirectOnError('/admin/site', 'admin_site');
if (!empty($_POST['republish_directory'])) {
Worker::add(PRIORITY_LOW, 'Directory');
@@ -1542,7 +1543,7 @@ function admin_page_site(App $a)
'$relay_server_tags' => ['relay_server_tags', L10n::t("Server tags"), Config::get('system','relay_server_tags'), L10n::t("Comma separated list of tags for the 'tags' subscription.")],
'$relay_user_tags' => ['relay_user_tags', L10n::t("Allow user tags"), Config::get('system', 'relay_user_tags', true), L10n::t("If enabled, the tags from the saved searches will used for the 'tags' subscription in addition to the 'relay_server_tags'.")],
- '$form_security_token' => Security::get_form_security_token("admin_site"),
+ '$form_security_token' => BaseModule::getFormSecurityToken("admin_site"),
'$relocate_button' => L10n::t('Start Relocation'),
]);
}
@@ -1657,7 +1658,7 @@ function admin_page_users_post(App $a)
$nu_email = defaults($_POST, 'new_user_email' , '');
$nu_language = Config::get('system', 'language');
- Security::check_form_security_token_redirectOnErr('/admin/users', 'admin_users');
+ BaseModule::checkFormSecurityTokenRedirectOnError('/admin/users', 'admin_users');
if (!($nu_name === "") && !($nu_email === "") && !($nu_nickname === "")) {
try {
@@ -1773,14 +1774,14 @@ function admin_page_users(App $a)
}
switch ($a->argv[2]) {
case "delete":
- Security::check_form_security_token_redirectOnErr('/admin/users', 'admin_users', 't');
+ BaseModule::checkFormSecurityTokenRedirectOnError('/admin/users', 'admin_users', 't');
// delete user
User::remove($uid);
notice(L10n::t("User '%s' deleted", $user['username']) . EOL);
break;
case "block":
- Security::check_form_security_token_redirectOnErr('/admin/users', 'admin_users', 't');
+ BaseModule::checkFormSecurityTokenRedirectOnError('/admin/users', 'admin_users', 't');
q("UPDATE `user` SET `blocked` = %d WHERE `uid` = %s",
intval(1 - $user['blocked']),
intval($uid)
@@ -1931,7 +1932,7 @@ function admin_page_users(App $a)
'$confirm_delete_multi' => L10n::t('Selected users will be deleted!\n\nEverything these users had posted on this site will be permanently deleted!\n\nAre you sure?'),
'$confirm_delete' => L10n::t('The user {0} will be deleted!\n\nEverything this user has posted on this site will be permanently deleted!\n\nAre you sure?'),
- '$form_security_token' => Security::get_form_security_token("admin_users"),
+ '$form_security_token' => BaseModule::getFormSecurityToken("admin_users"),
// values //
'$baseurl' => System::baseUrl(true),
@@ -1976,7 +1977,7 @@ function admin_page_addons(App $a)
}
if (x($_GET, "a") && $_GET['a'] == "t") {
- Security::check_form_security_token_redirectOnErr('/admin/addons', 'admin_themes', 't');
+ BaseModule::checkFormSecurityTokenRedirectOnError('/admin/addons', 'admin_themes', 't');
// Toggle addon status
$idx = array_search($addon, $a->addons);
@@ -2038,7 +2039,7 @@ function admin_page_addons(App $a)
'$screenshot' => '',
'$readme' => $readme,
- '$form_security_token' => Security::get_form_security_token("admin_themes"),
+ '$form_security_token' => BaseModule::getFormSecurityToken("admin_themes"),
]);
}
@@ -2046,7 +2047,7 @@ function admin_page_addons(App $a)
* List addons
*/
if (x($_GET, "a") && $_GET['a'] == "r") {
- Security::check_form_security_token_redirectOnErr(System::baseUrl() . '/admin/addons', 'admin_themes', 't');
+ BaseModule::checkFormSecurityTokenRedirectOnError(System::baseUrl() . '/admin/addons', 'admin_themes', 't');
Addon::reload();
info("Addons reloaded");
goaway(System::baseUrl() . '/admin/addons');
@@ -2089,7 +2090,7 @@ function admin_page_addons(App $a)
'$addons' => $addons,
'$pcount' => count($addons),
'$noplugshint' => L10n::t('There are currently no addons available on your node. You can find the official addon repository at %1$s and might find other interesting addons in the open addon registry at %2$s', 'https://github.com/friendica/friendica-addons', 'http://addons.friendi.ca'),
- '$form_security_token' => Security::get_form_security_token("admin_themes"),
+ '$form_security_token' => BaseModule::getFormSecurityToken("admin_themes"),
]);
}
@@ -2224,7 +2225,7 @@ function admin_page_themes(App $a)
}
if (x($_GET, "a") && $_GET['a'] == "t") {
- Security::check_form_security_token_redirectOnErr('/admin/themes', 'admin_themes', 't');
+ BaseModule::checkFormSecurityTokenRedirectOnError('/admin/themes', 'admin_themes', 't');
// Toggle theme status
@@ -2306,13 +2307,13 @@ function admin_page_themes(App $a)
'$screenshot' => $screenshot,
'$readme' => $readme,
- '$form_security_token' => Security::get_form_security_token("admin_themes"),
+ '$form_security_token' => BaseModule::getFormSecurityToken("admin_themes"),
]);
}
// reload active themes
if (x($_GET, "a") && $_GET['a'] == "r") {
- Security::check_form_security_token_redirectOnErr(System::baseUrl() . '/admin/themes', 'admin_themes', 't');
+ BaseModule::checkFormSecurityTokenRedirectOnError(System::baseUrl() . '/admin/themes', 'admin_themes', 't');
foreach ($themes as $th) {
if ($th['allowed']) {
Theme::uninstall($th['name']);
@@ -2345,7 +2346,7 @@ function admin_page_themes(App $a)
'$noplugshint' => L10n::t('No themes found on the system. They should be placed in %1$s', '/view/themes'),
'$experimental' => L10n::t('[Experimental]'),
'$unsupported' => L10n::t('[Unsupported]'),
- '$form_security_token' => Security::get_form_security_token("admin_themes"),
+ '$form_security_token' => BaseModule::getFormSecurityToken("admin_themes"),
]);
}
@@ -2357,7 +2358,7 @@ function admin_page_themes(App $a)
function admin_page_logs_post(App $a)
{
if (x($_POST, "page_logs")) {
- Security::check_form_security_token_redirectOnErr('/admin/logs', 'admin_logs');
+ BaseModule::checkFormSecurityTokenRedirectOnError('/admin/logs', 'admin_logs');
$logfile = ((x($_POST,'logfile')) ? notags(trim($_POST['logfile'])) : '');
$debugging = ((x($_POST,'debugging')) ? true : false);
@@ -2419,7 +2420,7 @@ function admin_page_logs(App $a)
'$debugging' => ['debugging', L10n::t("Enable Debugging"), Config::get('system', 'debugging'), ""],
'$logfile' => ['logfile', L10n::t("Log file"), Config::get('system', 'logfile'), L10n::t("Must be writable by web server. Relative to your Friendica top-level directory.")],
'$loglevel' => ['loglevel', L10n::t("Log level"), Config::get('system', 'loglevel'), "", $log_choices],
- '$form_security_token' => Security::get_form_security_token("admin_logs"),
+ '$form_security_token' => BaseModule::getFormSecurityToken("admin_logs"),
'$phpheader' => L10n::t("PHP logging"),
'$phphint' => L10n::t("To temporarily enable logging of PHP errors and warnings you can prepend the following to the index.php file of your installation. The filename set in the 'error_log' line is relative to the friendica top-level directory and must be writeable by the web server. The option '1' for 'log_errors' and 'display_errors' is to enable these options, set to '0' to disable them."),
'$phplogcode' => "error_reporting(E_ERROR | E_WARNING | E_PARSE);\nini_set('error_log','php.out');\nini_set('log_errors','1');\nini_set('display_errors', '1');",
@@ -2490,7 +2491,7 @@ function admin_page_viewlogs(App $a)
*/
function admin_page_features_post(App $a)
{
- Security::check_form_security_token_redirectOnErr('/admin/features', 'admin_manage_features');
+ BaseModule::checkFormSecurityTokenRedirectOnError('/admin/features', 'admin_manage_features');
logger('postvars: ' . print_r($_POST, true), LOGGER_DATA);
@@ -2555,7 +2556,7 @@ function admin_page_features(App $a)
$tpl = get_markup_template('admin/settings_features.tpl');
$o = replace_macros($tpl, [
- '$form_security_token' => Security::get_form_security_token("admin_manage_features"),
+ '$form_security_token' => BaseModule::getFormSecurityToken("admin_manage_features"),
'$title' => L10n::t('Manage Additional Features'),
'$features' => $arr,
'$submit' => L10n::t('Save Settings'),
diff --git a/mod/attach.php b/mod/attach.php
index 97eb10997..9ca701ba3 100644
--- a/mod/attach.php
+++ b/mod/attach.php
@@ -27,7 +27,7 @@ function attach_init(App $a)
return;
}
- $sql_extra = Security::permissions_sql($r['uid']);
+ $sql_extra = Security::getPermissionsSQLByUserId($r['uid']);
// Now we'll see if we can access the attachment
diff --git a/mod/cal.php b/mod/cal.php
index cc6973d47..b55e078d8 100644
--- a/mod/cal.php
+++ b/mod/cal.php
@@ -17,6 +17,7 @@ use Friendica\Database\DBA;
use Friendica\Model\Contact;
use Friendica\Model\Event;
use Friendica\Model\Group;
+use Friendica\Model\Item;
use Friendica\Model\Profile;
use Friendica\Protocol\DFRN;
use Friendica\Util\DateTimeFormat;
@@ -142,7 +143,7 @@ function cal_content(App $a)
}
// get the permissions
- $sql_perms = Security::item_permissions_sql($owner_uid, $remote_contact, $groups);
+ $sql_perms = Item::getPermissionsSQLByUserId($owner_uid, $remote_contact, $groups);
// we only want to have the events of the profile owner
$sql_extra = " AND `event`.`cid` = 0 " . $sql_perms;
diff --git a/mod/delegate.php b/mod/delegate.php
index f711f593f..2b29632dd 100644
--- a/mod/delegate.php
+++ b/mod/delegate.php
@@ -4,6 +4,7 @@
*/
use Friendica\App;
+use Friendica\BaseModule;
use Friendica\Core\L10n;
use Friendica\Core\Protocol;
use Friendica\Core\System;
@@ -29,7 +30,7 @@ function delegate_post(App $a)
return;
}
- Security::check_form_security_token_redirectOnErr('/delegate', 'delegate');
+ BaseModule::checkFormSecurityTokenRedirectOnError('/delegate', 'delegate');
$parent_uid = defaults($_POST, 'parent_user', 0);
$parent_password = defaults($_POST, 'parent_password', '');
@@ -163,7 +164,7 @@ function delegate_content(App $a)
}
$o = replace_macros(get_markup_template('delegate.tpl'), [
- '$form_security_token' => Security::get_form_security_token('delegate'),
+ '$form_security_token' => BaseModule::getFormSecurityToken('delegate'),
'$parent_header' => L10n::t('Parent User'),
'$parent_user' => $parent_user,
'$parent_password' => $parent_password,
diff --git a/mod/display.php b/mod/display.php
index 0c1cc9037..081c3ce6c 100644
--- a/mod/display.php
+++ b/mod/display.php
@@ -325,7 +325,7 @@ function display_content(App $a, $update = false, $update_uid = 0)
$o .= status_editor($a, $x, 0, true);
}
- $sql_extra = Security::item_permissions_sql($a->profile['uid'], $is_remote_contact, $groups);
+ $sql_extra = Item::getPermissionsSQLByUserId($a->profile['uid'], $is_remote_contact, $groups);
if (local_user() && (local_user() == $a->profile['uid'])) {
$condition = ['parent-uri' => $item_parent_uri, 'uid' => local_user(), 'unseen' => true];
diff --git a/mod/group.php b/mod/group.php
index 09fe676c1..129cf18c2 100644
--- a/mod/group.php
+++ b/mod/group.php
@@ -6,6 +6,7 @@
*/
use Friendica\App;
+use Friendica\BaseModule;
use Friendica\Core\Config;
use Friendica\Core\L10n;
use Friendica\Core\PConfig;
@@ -29,7 +30,7 @@ function group_post(App $a) {
}
if (($a->argc == 2) && ($a->argv[1] === 'new')) {
- Security::check_form_security_token_redirectOnErr('/group/new', 'group_edit');
+ BaseModule::checkFormSecurityTokenRedirectOnError('/group/new', 'group_edit');
$name = notags(trim($_POST['groupname']));
$r = Model\Group::create(local_user(), $name);
@@ -47,7 +48,7 @@ function group_post(App $a) {
}
if (($a->argc == 2) && intval($a->argv[1])) {
- Security::check_form_security_token_redirectOnErr('/group', 'group_edit');
+ BaseModule::checkFormSecurityTokenRedirectOnError('/group', 'group_edit');
$r = q("SELECT * FROM `group` WHERE `id` = %d AND `uid` = %d LIMIT 1",
intval($a->argv[1]),
@@ -108,7 +109,7 @@ function group_content(App $a) {
'$title' => L10n::t('Create a group of contacts/friends.'),
'$gname' => ['groupname', L10n::t('Group Name: '), '', ''],
'$gid' => 'new',
- '$form_security_token' => Security::get_form_security_token("group_edit"),
+ '$form_security_token' => BaseModule::getFormSecurityToken("group_edit"),
]);
@@ -138,7 +139,7 @@ function group_content(App $a) {
if (($a->argc == 3) && ($a->argv[1] === 'drop')) {
- Security::check_form_security_token_redirectOnErr('/group', 'group_drop', 't');
+ BaseModule::checkFormSecurityTokenRedirectOnError('/group', 'group_drop', 't');
if (intval($a->argv[2])) {
$r = q("SELECT `name` FROM `group` WHERE `id` = %d AND `uid` = %d LIMIT 1",
@@ -163,7 +164,7 @@ function group_content(App $a) {
}
if (($a->argc > 2) && intval($a->argv[1]) && intval($a->argv[2])) {
- Security::check_form_security_token_ForbiddenOnErr('group_member_change', 't');
+ BaseModule::checkFormSecurityTokenForbiddenOnError('group_member_change', 't');
$r = q("SELECT `id` FROM `contact` WHERE `id` = %d AND `uid` = %d and `self` = 0 and `blocked` = 0 AND `pending` = 0 LIMIT 1",
intval($a->argv[2]),
@@ -217,7 +218,7 @@ function group_content(App $a) {
$drop_txt = replace_macros($drop_tpl, [
'$id' => $group['id'],
'$delete' => L10n::t('Delete Group'),
- '$form_security_token' => Security::get_form_security_token("group_drop"),
+ '$form_security_token' => BaseModule::getFormSecurityToken("group_drop"),
]);
@@ -226,7 +227,7 @@ function group_content(App $a) {
'$gname' => ['groupname', L10n::t('Group Name: '), $group['name'], ''],
'$gid' => $group['id'],
'$drop' => $drop_txt,
- '$form_security_token' => Security::get_form_security_token('group_edit'),
+ '$form_security_token' => BaseModule::getFormSecurityToken('group_edit'),
'$edit_name' => L10n::t('Edit Group Name'),
'$editable' => 1,
];
@@ -245,7 +246,7 @@ function group_content(App $a) {
'contacts' => [],
];
- $sec_token = addslashes(Security::get_form_security_token('group_member_change'));
+ $sec_token = addslashes(BaseModule::getFormSecurityToken('group_member_change'));
// Format the data of the group members
foreach ($members as $member) {
diff --git a/mod/invite.php b/mod/invite.php
index cd9de6cc0..e73ef01ed 100644
--- a/mod/invite.php
+++ b/mod/invite.php
@@ -7,6 +7,7 @@
*/
use Friendica\App;
+use Friendica\BaseModule;
use Friendica\Core\Config;
use Friendica\Core\L10n;
use Friendica\Core\PConfig;
@@ -23,7 +24,7 @@ function invite_post(App $a)
return;
}
- Security::check_form_security_token_redirectOnErr('/', 'send_invite');
+ BaseModule::checkFormSecurityTokenRedirectOnError('/', 'send_invite');
$max_invites = intval(Config::get('system', 'max_invites'));
if (! $max_invites) {
@@ -145,7 +146,7 @@ function invite_content(App $a) {
}
$o = replace_macros($tpl, [
- '$form_security_token' => Security::get_form_security_token("send_invite"),
+ '$form_security_token' => BaseModule::getFormSecurityToken("send_invite"),
'$title' => L10n::t('Send invitations'),
'$recipients' => ['recipients', L10n::t('Enter email addresses, one per line:')],
'$message' => ['message', L10n::t('Your message:'),L10n::t('You are cordially invited to join me and other close friends on Friendica - and help us to create a better social web.') . "\r\n" . "\r\n"
diff --git a/mod/item.php b/mod/item.php
index 98ab1cbd8..dc93a9f79 100644
--- a/mod/item.php
+++ b/mod/item.php
@@ -161,7 +161,7 @@ function item_post(App $a) {
$allow_comment = local_user() && ($profile_uid == 0) && $parent && in_array($parent_item['network'], [Protocol::ACTIVITYPUB, Protocol::OSTATUS, Protocol::DIASPORA, Protocol::DFRN]);
// Now check that valid personal details have been provided
- if (!Security::can_write_wall($profile_uid) && !$allow_comment) {
+ if (!Security::canWriteToUserWall($profile_uid) && !$allow_comment) {
notice(L10n::t('Permission denied.') . EOL) ;
if (!empty($_REQUEST['return'])) {
diff --git a/mod/manage.php b/mod/manage.php
index 9e724c1e9..d38d90ce6 100644
--- a/mod/manage.php
+++ b/mod/manage.php
@@ -110,7 +110,7 @@ function manage_post(App $a) {
unset($_SESSION['sysmsg_info']);
}
- Authentication::success($r[0], true, true);
+ Authentication::setAuthenticatedSessionForUser($r[0], true, true);
if ($limited_id) {
$_SESSION['submanage'] = $original_id;
diff --git a/mod/openid.php b/mod/openid.php
index ca1129fd5..41aabe7a9 100644
--- a/mod/openid.php
+++ b/mod/openid.php
@@ -51,7 +51,7 @@ function openid_content(App $a) {
unset($_SESSION['openid']);
- Authentication::success($r[0],true,true);
+ Authentication::setAuthenticatedSessionForUser($r[0],true,true);
// just in case there was no return url set
// and we fell through
diff --git a/mod/photo.php b/mod/photo.php
index 3a0a199d8..083b7cfc9 100644
--- a/mod/photo.php
+++ b/mod/photo.php
@@ -110,7 +110,7 @@ function photo_init(App $a)
intval($resolution)
);
if (DBA::isResult($r)) {
- $sql_extra = Security::permissions_sql($r[0]['uid']);
+ $sql_extra = Security::getPermissionsSQLByUserId($r[0]['uid']);
// Now we'll see if we can access the photo
$r = q("SELECT * FROM `photo` WHERE `resource-id` = '%s' AND `scale` <= %d $sql_extra ORDER BY scale DESC LIMIT 1",
diff --git a/mod/photos.php b/mod/photos.php
index 4208e2275..55c8881e4 100644
--- a/mod/photos.php
+++ b/mod/photos.php
@@ -1052,7 +1052,7 @@ function photos_content(App $a)
return;
}
- $sql_extra = Security::permissions_sql($owner_uid, $remote_contact, $groups);
+ $sql_extra = Security::getPermissionsSQLByUserId($owner_uid, $remote_contact, $groups);
$o = "";
@@ -1472,7 +1472,7 @@ function photos_content(App $a)
$tpl = get_markup_template('photo_item.tpl');
$return_url = $a->cmd;
- if ($can_post || Security::can_write_wall($owner_uid)) {
+ if ($can_post || Security::canWriteToUserWall($owner_uid)) {
$like_tpl = get_markup_template('like_noshare.tpl');
$likebuttons = replace_macros($like_tpl, [
'$id' => $link_item['id'],
@@ -1484,7 +1484,7 @@ function photos_content(App $a)
}
if (!DBA::isResult($items)) {
- if (($can_post || Security::can_write_wall($owner_uid))) {
+ if (($can_post || Security::canWriteToUserWall($owner_uid))) {
$comments .= replace_macros($cmnt_tpl, [
'$return_path' => '',
'$jsreload' => $return_url,
@@ -1523,7 +1523,7 @@ function photos_content(App $a)
$dislike = format_like($conv_responses['dislike'][$link_item['uri']], $conv_responses['dislike'][$link_item['uri'] . '-l'], 'dislike', $link_item['id']);
}
- if (($can_post || Security::can_write_wall($owner_uid))) {
+ if (($can_post || Security::canWriteToUserWall($owner_uid))) {
$comments .= replace_macros($cmnt_tpl,[
'$return_path' => '',
'$jsreload' => $return_url,
@@ -1583,7 +1583,7 @@ function photos_content(App $a)
'$comment' => $comment
]);
- if (($can_post || Security::can_write_wall($owner_uid))) {
+ if (($can_post || Security::canWriteToUserWall($owner_uid))) {
$comments .= replace_macros($cmnt_tpl, [
'$return_path' => '',
'$jsreload' => $return_url,
diff --git a/mod/profile.php b/mod/profile.php
index 5484beb26..8d5ae8758 100644
--- a/mod/profile.php
+++ b/mod/profile.php
@@ -210,7 +210,7 @@ function profile_content(App $a, $update = 0)
$a->page['aside'] .= Widget::categories(System::baseUrl(true) . '/profile/' . $a->profile['nickname'], (!empty($category) ? xmlify($category) : ''));
$a->page['aside'] .= Widget::tagCloud();
- if (Security::can_write_wall($a->profile['profile_uid'])) {
+ if (Security::canWriteToUserWall($a->profile['profile_uid'])) {
$x = [
'is_owner' => $is_owner,
'allow_location' => ($is_owner || $commvisitor) && $a->profile['allow_location'],
@@ -234,7 +234,7 @@ function profile_content(App $a, $update = 0)
// Get permissions SQL - if $remote_contact is true, our remote user has been pre-verified and we already have fetched his/her groups
- $sql_extra = Security::item_permissions_sql($a->profile['profile_uid'], $remote_contact, $groups);
+ $sql_extra = Item::getPermissionsSQLByUserId($a->profile['profile_uid'], $remote_contact, $groups);
$sql_extra2 = '';
if ($update) {
diff --git a/mod/profile_photo.php b/mod/profile_photo.php
index 492be7e4a..1e0687c65 100644
--- a/mod/profile_photo.php
+++ b/mod/profile_photo.php
@@ -4,6 +4,7 @@
*/
use Friendica\App;
+use Friendica\BaseModule;
use Friendica\Core\Config;
use Friendica\Core\L10n;
use Friendica\Core\System;
@@ -31,7 +32,7 @@ function profile_photo_post(App $a)
return;
}
- Security::check_form_security_token_redirectOnErr('/profile_photo', 'profile_photo');
+ BaseModule::checkFormSecurityTokenRedirectOnError('/profile_photo', 'profile_photo');
if (!empty($_POST['cropfinal']) && $_POST['cropfinal'] == 1) {
@@ -247,7 +248,7 @@ function profile_photo_content(App $a)
'$title' => L10n::t('Upload Profile Photo'),
'$submit' => L10n::t('Upload'),
'$profiles' => $profiles,
- '$form_security_token' => Security::get_form_security_token("profile_photo"),
+ '$form_security_token' => BaseModule::getFormSecurityToken("profile_photo"),
'$select' => sprintf('%s %s', L10n::t('or'),
($newuser) ? '' . L10n::t('skip this step') . '' : '' . L10n::t('select a photo from your photo albums') . '')
]);
@@ -264,7 +265,7 @@ function profile_photo_content(App $a)
'$image_url' => System::baseUrl() . '/photo/' . $filename,
'$title' => L10n::t('Crop Image'),
'$desc' => L10n::t('Please adjust the image cropping for optimum viewing.'),
- '$form_security_token' => Security::get_form_security_token("profile_photo"),
+ '$form_security_token' => BaseModule::getFormSecurityToken("profile_photo"),
'$done' => L10n::t('Done Editing')
]);
return $o;
diff --git a/mod/register.php b/mod/register.php
index 9a2ad0f48..7b53e907e 100644
--- a/mod/register.php
+++ b/mod/register.php
@@ -4,6 +4,7 @@
*/
use Friendica\App;
+use Friendica\BaseModule;
use Friendica\Content\Text\BBCode;
use Friendica\Core\Addon;
use Friendica\Core\Config;
@@ -21,7 +22,7 @@ require_once 'include/enotify.php';
function register_post(App $a)
{
- Security::check_form_security_token_redirectOnErr('/register', 'register');
+ BaseModule::checkFormSecurityTokenRedirectOnError('/register', 'register');
$verified = 0;
$blocked = 1;
@@ -292,7 +293,7 @@ function register_content(App $a)
'$showprivstatement' => Config::get('system', 'tosprivstatement'),
'$privstatement' => $tos->privacy_complete,
'$baseurl' => System::baseurl(),
- '$form_security_token' => Security::get_form_security_token("register"),
+ '$form_security_token' => BaseModule::getFormSecurityToken("register"),
'$explicit_content' => Config::get('system', 'explicit_content', false),
'$explicit_content_note' => L10n::t('Note: This node explicitly contains adult content')
]);
diff --git a/mod/settings.php b/mod/settings.php
index 3737aeada..cb8882399 100644
--- a/mod/settings.php
+++ b/mod/settings.php
@@ -4,6 +4,7 @@
*/
use Friendica\App;
+use Friendica\BaseModule;
use Friendica\Content\Feature;
use Friendica\Content\Nav;
use Friendica\Core\ACL;
@@ -155,7 +156,7 @@ function settings_post(App $a)
$old_page_flags = $a->user['page-flags'];
if (($a->argc > 1) && ($a->argv[1] === 'oauth') && x($_POST, 'remove')) {
- Security::check_form_security_token_redirectOnErr('/settings/oauth', 'settings_oauth');
+ BaseModule::checkFormSecurityTokenRedirectOnError('/settings/oauth', 'settings_oauth');
$key = $_POST['remove'];
DBA::delete('tokens', ['id' => $key, 'uid' => local_user()]);
@@ -164,7 +165,7 @@ function settings_post(App $a)
}
if (($a->argc > 2) && ($a->argv[1] === 'oauth') && ($a->argv[2] === 'edit'||($a->argv[2] === 'add')) && x($_POST, 'submit')) {
- Security::check_form_security_token_redirectOnErr('/settings/oauth', 'settings_oauth');
+ BaseModule::checkFormSecurityTokenRedirectOnError('/settings/oauth', 'settings_oauth');
$name = defaults($_POST, 'name' , '');
$key = defaults($_POST, 'key' , '');
@@ -210,14 +211,14 @@ function settings_post(App $a)
}
if (($a->argc > 1) && ($a->argv[1] == 'addon')) {
- Security::check_form_security_token_redirectOnErr('/settings/addon', 'settings_addon');
+ BaseModule::checkFormSecurityTokenRedirectOnError('/settings/addon', 'settings_addon');
Addon::callHooks('addon_settings_post', $_POST);
return;
}
if (($a->argc > 1) && ($a->argv[1] == 'connectors')) {
- Security::check_form_security_token_redirectOnErr('/settings/connectors', 'settings_connectors');
+ BaseModule::checkFormSecurityTokenRedirectOnError('/settings/connectors', 'settings_connectors');
if (x($_POST, 'general-submit')) {
PConfig::set(local_user(), 'system', 'disable_cw', intval($_POST['disable_cw']));
@@ -299,7 +300,7 @@ function settings_post(App $a)
}
if (($a->argc > 1) && ($a->argv[1] === 'features')) {
- Security::check_form_security_token_redirectOnErr('/settings/features', 'settings_features');
+ BaseModule::checkFormSecurityTokenRedirectOnError('/settings/features', 'settings_features');
foreach ($_POST as $k => $v) {
if (strpos($k, 'feature_') === 0) {
PConfig::set(local_user(), 'feature', substr($k, 8), ((intval($v)) ? 1 : 0));
@@ -310,7 +311,7 @@ function settings_post(App $a)
}
if (($a->argc > 1) && ($a->argv[1] === 'display')) {
- Security::check_form_security_token_redirectOnErr('/settings/display', 'settings_display');
+ BaseModule::checkFormSecurityTokenRedirectOnError('/settings/display', 'settings_display');
$theme = x($_POST, 'theme') ? notags(trim($_POST['theme'])) : $a->user['theme'];
$mobile_theme = x($_POST, 'mobile_theme') ? notags(trim($_POST['mobile_theme'])) : '';
@@ -374,7 +375,7 @@ function settings_post(App $a)
return; // NOTREACHED
}
- Security::check_form_security_token_redirectOnErr('/settings', 'settings');
+ BaseModule::checkFormSecurityTokenRedirectOnError('/settings', 'settings');
if (x($_POST,'resend_relocate')) {
Worker::add(PRIORITY_HIGH, 'Notifier', 'relocate', local_user());
@@ -672,7 +673,7 @@ function settings_content(App $a)
if (($a->argc > 2) && ($a->argv[2] === 'add')) {
$tpl = get_markup_template('settings/oauth_edit.tpl');
$o .= replace_macros($tpl, [
- '$form_security_token' => Security::get_form_security_token("settings_oauth"),
+ '$form_security_token' => BaseModule::getFormSecurityToken("settings_oauth"),
'$title' => L10n::t('Add application'),
'$submit' => L10n::t('Save Settings'),
'$cancel' => L10n::t('Cancel'),
@@ -698,7 +699,7 @@ function settings_content(App $a)
$tpl = get_markup_template('settings/oauth_edit.tpl');
$o .= replace_macros($tpl, [
- '$form_security_token' => Security::get_form_security_token("settings_oauth"),
+ '$form_security_token' => BaseModule::getFormSecurityToken("settings_oauth"),
'$title' => L10n::t('Add application'),
'$submit' => L10n::t('Update'),
'$cancel' => L10n::t('Cancel'),
@@ -712,7 +713,7 @@ function settings_content(App $a)
}
if (($a->argc > 3) && ($a->argv[2] === 'delete')) {
- Security::check_form_security_token_redirectOnErr('/settings/oauth', 'settings_oauth', 't');
+ BaseModule::checkFormSecurityTokenRedirectOnError('/settings/oauth', 'settings_oauth', 't');
DBA::delete('clients', ['client_id' => $a->argv[3], 'uid' => local_user()]);
goaway(System::baseUrl(true)."/settings/oauth/");
@@ -730,7 +731,7 @@ function settings_content(App $a)
$tpl = get_markup_template('settings/oauth.tpl');
$o .= replace_macros($tpl, [
- '$form_security_token' => Security::get_form_security_token("settings_oauth"),
+ '$form_security_token' => BaseModule::getFormSecurityToken("settings_oauth"),
'$baseurl' => System::baseUrl(true),
'$title' => L10n::t('Connected Apps'),
'$add' => L10n::t('Add application'),
@@ -757,7 +758,7 @@ function settings_content(App $a)
$tpl = get_markup_template('settings/addons.tpl');
$o .= replace_macros($tpl, [
- '$form_security_token' => Security::get_form_security_token("settings_addon"),
+ '$form_security_token' => BaseModule::getFormSecurityToken("settings_addon"),
'$title' => L10n::t('Addon Settings'),
'$settings_addons' => $settings_addons
]);
@@ -778,7 +779,7 @@ function settings_content(App $a)
$tpl = get_markup_template('settings/features.tpl');
$o .= replace_macros($tpl, [
- '$form_security_token' => Security::get_form_security_token("settings_features"),
+ '$form_security_token' => BaseModule::getFormSecurityToken("settings_features"),
'$title' => L10n::t('Additional Features'),
'$features' => $arr,
'$submit' => L10n::t('Save Settings'),
@@ -837,7 +838,7 @@ function settings_content(App $a)
$mail_disabled_message = (($mail_disabled) ? L10n::t('Email access is disabled on this site.') : '');
$o .= replace_macros($tpl, [
- '$form_security_token' => Security::get_form_security_token("settings_connectors"),
+ '$form_security_token' => BaseModule::getFormSecurityToken("settings_connectors"),
'$title' => L10n::t('Social Networks'),
@@ -957,7 +958,7 @@ function settings_content(App $a)
$tpl = get_markup_template('settings/display.tpl');
$o = replace_macros($tpl, [
'$ptitle' => L10n::t('Display Settings'),
- '$form_security_token' => Security::get_form_security_token("settings_display"),
+ '$form_security_token' => BaseModule::getFormSecurityToken("settings_display"),
'$submit' => L10n::t('Save Settings'),
'$baseurl' => System::baseUrl(true),
'$uid' => local_user(),
@@ -1186,7 +1187,7 @@ function settings_content(App $a)
'$submit' => L10n::t('Save Settings'),
'$baseurl' => System::baseUrl(true),
'$uid' => local_user(),
- '$form_security_token' => Security::get_form_security_token("settings"),
+ '$form_security_token' => BaseModule::getFormSecurityToken("settings"),
'$nickname_block' => $prof_addr,
'$h_pass' => L10n::t('Password Settings'),
diff --git a/mod/subthread.php b/mod/subthread.php
index 8bd60e8fe..0082021df 100644
--- a/mod/subthread.php
+++ b/mod/subthread.php
@@ -32,7 +32,7 @@ function subthread_content(App $a) {
$owner_uid = $item['uid'];
- if (!Security::can_write_wall($owner_uid)) {
+ if (!Security::canWriteToUserWall($owner_uid)) {
return;
}
diff --git a/mod/videos.php b/mod/videos.php
index 50ce361d8..54451a74b 100644
--- a/mod/videos.php
+++ b/mod/videos.php
@@ -301,7 +301,7 @@ function videos_content(App $a)
return;
}
- $sql_extra = Security::permissions_sql($owner_uid, $remote_contact, $groups);
+ $sql_extra = Security::getPermissionsSQLByUserId($owner_uid, $remote_contact, $groups);
$o = "";
diff --git a/src/BaseModule.php b/src/BaseModule.php
index 1da9397a7..0f6fbd785 100644
--- a/src/BaseModule.php
+++ b/src/BaseModule.php
@@ -2,6 +2,9 @@
namespace Friendica;
+use Friendica\Core\L10n;
+use Friendica\Core\System;
+
/**
* All modules in Friendica should extend BaseModule, although not all modules
* need to extend all the methods described here
@@ -69,4 +72,84 @@ abstract class BaseModule extends BaseObject
{
}
+
+ /*
+ * Functions used to protect against Cross-Site Request Forgery
+ * The security token has to base on at least one value that an attacker can't know - here it's the session ID and the private key.
+ * In this implementation, a security token is reusable (if the user submits a form, goes back and resubmits the form, maybe with small changes;
+ * or if the security token is used for ajax-calls that happen several times), but only valid for a certain amout of time (3hours).
+ * The "typename" seperates the security tokens of different types of forms. This could be relevant in the following case:
+ * A security token is used to protekt a link from CSRF (e.g. the "delete this profile"-link).
+ * If the new page contains by any chance external elements, then the used security token is exposed by the referrer.
+ * Actually, important actions should not be triggered by Links / GET-Requests at all, but somethimes they still are,
+ * so this mechanism brings in some damage control (the attacker would be able to forge a request to a form of this type, but not to forms of other types).
+ */
+ public static function getFormSecurityToken($typename = '')
+ {
+ $a = get_app();
+
+ $timestamp = time();
+ $sec_hash = hash('whirlpool', $a->user['guid'] . $a->user['prvkey'] . session_id() . $timestamp . $typename);
+
+ return $timestamp . '.' . $sec_hash;
+ }
+
+ public static function checkFormSecurityToken($typename = '', $formname = 'form_security_token')
+ {
+ $hash = null;
+
+ if (!empty($_REQUEST[$formname])) {
+ /// @TODO Careful, not secured!
+ $hash = $_REQUEST[$formname];
+ }
+
+ if (!empty($_SERVER['HTTP_X_CSRF_TOKEN'])) {
+ /// @TODO Careful, not secured!
+ $hash = $_SERVER['HTTP_X_CSRF_TOKEN'];
+ }
+
+ if (empty($hash)) {
+ return false;
+ }
+
+ $max_livetime = 10800; // 3 hours
+
+ $a = get_app();
+
+ $x = explode('.', $hash);
+ if (time() > (IntVal($x[0]) + $max_livetime)) {
+ return false;
+ }
+
+ $sec_hash = hash('whirlpool', $a->user['guid'] . $a->user['prvkey'] . session_id() . $x[0] . $typename);
+
+ return ($sec_hash == $x[1]);
+ }
+
+ public static function getFormSecurityStandardErrorMessage()
+ {
+ return L10n::t("The form security token was not correct. This probably happened because the form has been opened for too long \x28>3 hours\x29 before submitting it.") . EOL;
+ }
+
+ public static function checkFormSecurityTokenRedirectOnError($err_redirect, $typename = '', $formname = 'form_security_token')
+ {
+ if (!self::checkFormSecurityToken($typename, $formname)) {
+ $a = get_app();
+ logger('check_form_security_token failed: user ' . $a->user['guid'] . ' - form element ' . $typename);
+ logger('check_form_security_token failed: _REQUEST data: ' . print_r($_REQUEST, true), LOGGER_DATA);
+ notice(check_form_security_std_err_msg());
+ goaway(System::baseUrl() . $err_redirect);
+ }
+ }
+
+ public static function checkFormSecurityTokenForbiddenOnError($typename = '', $formname = 'form_security_token')
+ {
+ if (!self::checkFormSecurityToken($typename, $formname)) {
+ $a = get_app();
+ logger('check_form_security_token failed: user ' . $a->user['guid'] . ' - form element ' . $typename);
+ logger('check_form_security_token failed: _REQUEST data: ' . print_r($_REQUEST, true), LOGGER_DATA);
+ header('HTTP/1.1 403 Forbidden');
+ killme();
+ }
+ }
}
diff --git a/src/Content/Widget/TagCloud.php b/src/Content/Widget/TagCloud.php
index 3a2b01123..309f9a5bd 100644
--- a/src/Content/Widget/TagCloud.php
+++ b/src/Content/Widget/TagCloud.php
@@ -9,6 +9,7 @@ namespace Friendica\Content\Widget;
use Friendica\Core\L10n;
use Friendica\Core\System;
use Friendica\Database\DBA;
+use Friendica\Model\Item;
use Friendica\Util\Security;
require_once 'include/dba.php';
@@ -73,7 +74,7 @@ class TagCloud
*/
private static function tagadelic($uid, $count = 0, $owner_id = 0, $flags = '', $type = TERM_HASHTAG)
{
- $sql_options = Security::item_permissions_sql($uid);
+ $sql_options = Item::getPermissionsSQLByUserId($uid);
$limit = $count ? sprintf('LIMIT %d', intval($count)) : '';
if ($flags) {
diff --git a/src/Core/Authentication.php b/src/Core/Authentication.php
index 2fbadcc92..3a4471d2a 100644
--- a/src/Core/Authentication.php
+++ b/src/Core/Authentication.php
@@ -25,7 +25,7 @@ class Authentication extends BaseObject
*
* @return string Hashed data
*/
- public static function cookie_hash($user)
+ public static function getCookieHashForUser($user)
{
return(hash("sha256", Config::get("system", "site_prvkey") .
$user["prvkey"] .
@@ -38,7 +38,7 @@ class Authentication extends BaseObject
* @param int $time
* @param array $user Record from "user" table
*/
- public static function new_cookie($time, $user = [])
+ public static function setCookie($time, $user = [])
{
if ($time != 0) {
$time = $time + time();
@@ -46,7 +46,7 @@ class Authentication extends BaseObject
if ($user) {
$value = json_encode(["uid" => $user["uid"],
- "hash" => self::cookie_hash($user),
+ "hash" => self::getCookieHashForUser($user),
"ip" => defaults($_SERVER, 'REMOTE_ADDR', '0.0.0.0')]);
} else {
$value = "";
@@ -65,7 +65,7 @@ class Authentication extends BaseObject
* @param type $interactive
* @param type $login_refresh
*/
- public static function success($user_record, $login_initial = false, $interactive = false, $login_refresh = false)
+ public static function setAuthenticatedSessionForUser($user_record, $login_initial = false, $interactive = false, $login_refresh = false)
{
$a = self::getApp();
@@ -185,7 +185,7 @@ class Authentication extends BaseObject
*/
if (!empty($_SESSION['remember'])) {
logger('Injecting cookie for remembered user ' . $a->user['nickname']);
- self::new_cookie(604800, $user_record);
+ self::setCookie(604800, $user_record);
unset($_SESSION['remember']);
}
}
@@ -202,12 +202,11 @@ class Authentication extends BaseObject
/**
* @brief Kills the "Friendica" cookie and all session data
*/
- public static function nuke_session()
+ public static function deleteSession()
{
- self::new_cookie(-3600); // make sure cookie is deleted on browser close, as a security measure
+ self::setCookie(-3600); // make sure cookie is deleted on browser close, as a security measure
session_unset();
session_destroy();
}
}
-?>
diff --git a/src/Model/Group.php b/src/Model/Group.php
index 4f6f97c49..4d0bd87e6 100644
--- a/src/Model/Group.php
+++ b/src/Model/Group.php
@@ -4,6 +4,7 @@
*/
namespace Friendica\Model;
+use Friendica\BaseModule;
use Friendica\BaseObject;
use Friendica\Core\L10n;
use Friendica\Database\DBA;
@@ -410,7 +411,7 @@ class Group extends BaseObject
'$createtext' => L10n::t('Create a new group'),
'$creategroup' => L10n::t('Group Name: '),
'$editgroupstext' => L10n::t('Edit groups'),
- '$form_security_token' => Security::get_form_security_token('group_edit'),
+ '$form_security_token' => BaseModule::getFormSecurityToken('group_edit'),
]);
diff --git a/src/Model/Item.php b/src/Model/Item.php
index 9513f4787..bc31f3d81 100644
--- a/src/Model/Item.php
+++ b/src/Model/Item.php
@@ -3246,4 +3246,41 @@ class Item extends BaseObject
}
}
}
+
+ public static function getPermissionsSQLByUserId($owner_id, $remote_verified = false, $groups = null)
+ {
+ $local_user = local_user();
+ $remote_user = remote_user();
+
+ /*
+ * Construct permissions
+ *
+ * default permissions - anonymous user
+ */
+ $sql = " AND NOT `item`.`private`";
+
+ // Profile owner - everything is visible
+ if ($local_user && ($local_user == $owner_id)) {
+ $sql = '';
+ } elseif ($remote_user) {
+ /*
+ * Authenticated visitor. Unless pre-verified,
+ * check that the contact belongs to this $owner_id
+ * and load the groups the visitor belongs to.
+ * If pre-verified, the caller is expected to have already
+ * done this and passed the groups into this function.
+ */
+ $set = PermissionSet::get($owner_id, $remote_user, $groups);
+
+ if (!empty($set)) {
+ $sql_set = " OR (`item`.`private` IN (1,2) AND `item`.`wall` AND `item`.`psid` IN (" . implode(',', $set) . "))";
+ } else {
+ $sql_set = '';
+ }
+
+ $sql = " AND (NOT `item`.`private`" . $sql_set . ")";
+ }
+
+ return $sql;
+ }
}
diff --git a/src/Model/Photo.php b/src/Model/Photo.php
index 9abd73e76..372e875ea 100644
--- a/src/Model/Photo.php
+++ b/src/Model/Photo.php
@@ -227,7 +227,7 @@ class Photo
*/
public static function getAlbums($uid, $update = false)
{
- $sql_extra = Security::permissions_sql($uid);
+ $sql_extra = Security::getPermissionsSQLByUserId($uid);
$key = "photo_albums:".$uid.":".local_user().":".remote_user();
$albums = Cache::get($key);
diff --git a/src/Module/Login.php b/src/Module/Login.php
index fc3b3fb49..deb6afcfb 100644
--- a/src/Module/Login.php
+++ b/src/Module/Login.php
@@ -148,13 +148,13 @@ class Login extends BaseModule
}
if (!$remember) {
- Authentication::new_cookie(0); // 0 means delete on browser exit
+ Authentication::setCookie(0); // 0 means delete on browser exit
}
// if we haven't failed up this point, log them in.
$_SESSION['remember'] = $remember;
$_SESSION['last_login_date'] = DateTimeFormat::utcNow();
- Authentication::success($record, true, true);
+ Authentication::setAuthenticatedSessionForUser($record, true, true);
if (x($_SESSION, 'return_url')) {
$return_url = $_SESSION['return_url'];
@@ -188,9 +188,9 @@ class Login extends BaseModule
]
);
if (DBA::isResult($user)) {
- if ($data->hash != Authentication::cookie_hash($user)) {
+ if ($data->hash != Authentication::getCookieHashForUser($user)) {
logger("Hash for user " . $data->uid . " doesn't fit.");
- Authentication::nuke_session();
+ Authentication::deleteSession();
goaway(self::getApp()->getBaseURL());
}
@@ -198,11 +198,11 @@ class Login extends BaseModule
// Expires after 7 days by default,
// can be set via system.auth_cookie_lifetime
$authcookiedays = Config::get('system', 'auth_cookie_lifetime', 7);
- Authentication::new_cookie($authcookiedays * 24 * 60 * 60, $user);
+ Authentication::setCookie($authcookiedays * 24 * 60 * 60, $user);
// Do the authentification if not done by now
if (!isset($_SESSION) || !isset($_SESSION['authenticated'])) {
- Authentication::success($user);
+ Authentication::setAuthenticatedSessionForUser($user);
if (Config::get('system', 'paranoia')) {
$_SESSION['addr'] = $data->ip;
@@ -227,7 +227,7 @@ class Login extends BaseModule
if ($check && ($_SESSION['addr'] != $_SERVER['REMOTE_ADDR'])) {
logger('Session address changed. Paranoid setting in effect, blocking session. ' .
$_SESSION['addr'] . ' != ' . $_SERVER['REMOTE_ADDR']);
- Authentication::nuke_session();
+ Authentication::deleteSession();
goaway(self::getApp()->getBaseURL());
}
@@ -241,7 +241,7 @@ class Login extends BaseModule
]
);
if (!DBA::isResult($user)) {
- Authentication::nuke_session();
+ Authentication::deleteSession();
goaway(self::getApp()->getBaseURL());
}
@@ -255,7 +255,7 @@ class Login extends BaseModule
$_SESSION['last_login_date'] = DateTimeFormat::utcNow();
$login_refresh = true;
}
- Authentication::success($user, false, false, $login_refresh);
+ Authentication::setAuthenticatedSessionForUser($user, false, false, $login_refresh);
}
}
}
diff --git a/src/Module/Logout.php b/src/Module/Logout.php
index b2c03bf91..b12ba1028 100644
--- a/src/Module/Logout.php
+++ b/src/Module/Logout.php
@@ -24,7 +24,7 @@ class Logout extends BaseModule
public static function init()
{
Addon::callHooks("logging_out");
- Authentication::nuke_session();
+ Authentication::deleteSession();
info(L10n::t('Logged out.') . EOL);
goaway(self::getApp()->getBaseURL());
}
diff --git a/src/Object/Thread.php b/src/Object/Thread.php
index 89ccc566e..08c04f546 100644
--- a/src/Object/Thread.php
+++ b/src/Object/Thread.php
@@ -62,11 +62,11 @@ class Thread extends BaseObject
break;
case 'profile':
$this->profile_owner = $a->profile['profile_uid'];
- $this->writable = Security::can_write_wall($this->profile_owner);
+ $this->writable = Security::canWriteToUserWall($this->profile_owner);
break;
case 'display':
$this->profile_owner = $a->profile['uid'];
- $this->writable = Security::can_write_wall($this->profile_owner) || $writable;
+ $this->writable = Security::canWriteToUserWall($this->profile_owner) || $writable;
break;
case 'community':
$this->profile_owner = 0;
diff --git a/src/Util/Security.php b/src/Util/Security.php
index 1eb0c3f49..11059c0bc 100644
--- a/src/Util/Security.php
+++ b/src/Util/Security.php
@@ -18,7 +18,7 @@ use Friendica\Core\System;
*/
class Security extends BaseObject
{
- public static function can_write_wall($owner)
+ public static function canWriteToUserWall($owner)
{
static $verified = 0;
@@ -84,12 +84,12 @@ class Security extends BaseObject
}
/// @TODO $groups should be array
- public static function permissions_sql($owner_id, $remote_verified = false, $groups = null)
+ public static function getPermissionsSQLByUserId($owner_id, $remote_verified = false, $groups = null)
{
$local_user = local_user();
$remote_user = remote_user();
- /**
+ /*
* Construct permissions
*
* default permissions - anonymous user
@@ -100,12 +100,12 @@ class Security extends BaseObject
AND deny_gid = ''
";
- /**
+ /*
* Profile owner - everything is visible
*/
if ($local_user && $local_user == $owner_id) {
$sql = '';
- /**
+ /*
* Authenticated visitor. Unless pre-verified,
* check that the contact belongs to this $owner_id
* and load the groups the visitor belongs to.
@@ -152,122 +152,4 @@ class Security extends BaseObject
return $sql;
}
- public static function item_permissions_sql($owner_id, $remote_verified = false, $groups = null)
- {
- $local_user = local_user();
- $remote_user = remote_user();
-
- /*
- * Construct permissions
- *
- * default permissions - anonymous user
- */
- $sql = " AND NOT `item`.`private`";
-
- // Profile owner - everything is visible
- if ($local_user && ($local_user == $owner_id)) {
- $sql = '';
- } elseif ($remote_user) {
- /*
- * Authenticated visitor. Unless pre-verified,
- * check that the contact belongs to this $owner_id
- * and load the groups the visitor belongs to.
- * If pre-verified, the caller is expected to have already
- * done this and passed the groups into this function.
- */
- $set = PermissionSet::get($owner_id, $remote_user, $groups);
-
- if (!empty($set)) {
- $sql_set = " OR (`item`.`private` IN (1,2) AND `item`.`wall` AND `item`.`psid` IN (" . implode(',', $set) . "))";
- } else {
- $sql_set = '';
- }
-
- $sql = " AND (NOT `item`.`private`" . $sql_set . ")";
- }
-
- return $sql;
- }
-
- /*
- * Functions used to protect against Cross-Site Request Forgery
- * The security token has to base on at least one value that an attacker can't know - here it's the session ID and the private key.
- * In this implementation, a security token is reusable (if the user submits a form, goes back and resubmits the form, maybe with small changes;
- * or if the security token is used for ajax-calls that happen several times), but only valid for a certain amout of time (3hours).
- * The "typename" seperates the security tokens of different types of forms. This could be relevant in the following case:
- * A security token is used to protekt a link from CSRF (e.g. the "delete this profile"-link).
- * If the new page contains by any chance external elements, then the used security token is exposed by the referrer.
- * Actually, important actions should not be triggered by Links / GET-Requests at all, but somethimes they still are,
- * so this mechanism brings in some damage control (the attacker would be able to forge a request to a form of this type, but not to forms of other types).
- */
- public static function get_form_security_token($typename = '')
- {
- $a = get_app();
-
- $timestamp = time();
- $sec_hash = hash('whirlpool', $a->user['guid'] . $a->user['prvkey'] . session_id() . $timestamp . $typename);
-
- return $timestamp . '.' . $sec_hash;
- }
-
- public static function check_form_security_token($typename = '', $formname = 'form_security_token')
- {
- $hash = null;
-
- if (!empty($_REQUEST[$formname])) {
- /// @TODO Careful, not secured!
- $hash = $_REQUEST[$formname];
- }
-
- if (!empty($_SERVER['HTTP_X_CSRF_TOKEN'])) {
- /// @TODO Careful, not secured!
- $hash = $_SERVER['HTTP_X_CSRF_TOKEN'];
- }
-
- if (empty($hash)) {
- return false;
- }
-
- $max_livetime = 10800; // 3 hours
-
- $a = get_app();
-
- $x = explode('.', $hash);
- if (time() > (IntVal($x[0]) + $max_livetime)) {
- return false;
- }
-
- $sec_hash = hash('whirlpool', $a->user['guid'] . $a->user['prvkey'] . session_id() . $x[0] . $typename);
-
- return ($sec_hash == $x[1]);
- }
-
- private static function check_form_security_std_err_msg()
- {
- return L10n::t("The form security token was not correct. This probably happened because the form has been opened for too long \x28>3 hours\x29 before submitting it.") . EOL;
- }
-
- public static function check_form_security_token_redirectOnErr($err_redirect, $typename = '', $formname = 'form_security_token')
- {
- if (!check_form_security_token($typename, $formname)) {
- $a = get_app();
- logger('check_form_security_token failed: user ' . $a->user['guid'] . ' - form element ' . $typename);
- logger('check_form_security_token failed: _REQUEST data: ' . print_r($_REQUEST, true), LOGGER_DATA);
- notice(check_form_security_std_err_msg());
- goaway(System::baseUrl() . $err_redirect);
- }
- }
-
- public static function check_form_security_token_ForbiddenOnErr($typename = '', $formname = 'form_security_token')
- {
- if (!check_form_security_token($typename, $formname)) {
- $a = get_app();
- logger('check_form_security_token failed: user ' . $a->user['guid'] . ' - form element ' . $typename);
- logger('check_form_security_token failed: _REQUEST data: ' . print_r($_REQUEST, true), LOGGER_DATA);
- header('HTTP/1.1 403 Forbidden');
- killme();
- }
- }
}
-
-?>
\ No newline at end of file