bitPickups/friendica_2021.01_tupambae_shared_hosting
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

connection confirm notification mail via notification()

Browse source 
remove unused email templates
add a check for unexpected reponse from server
This commit is contained in:
fabrixxm 2014-09-06 17:28:46 +02:00
commit 1bdddebd44
58 changed files with 96 additions and 1314 deletions
Download patch file Download diff file Expand all files Collapse all files

119
mod/dfrn_confirm.php
View file

@ -9,11 +9,13 @@
* 1. A form was submitted by our user approving a friendship that originated elsewhere.
* This may also be called from dfrn_request to automatically approve a friendship.
*
* 2. We may be the target or other side of the conversation to scenario 1, and will
* 2. We may be the target or other side of the conversation to scenario 1, and will
* interact with that process on our own user's behalf.
*
*
*/
require_once('include/enotify.php');
function dfrn_confirm_post(&$a,$handsfree = null) {
if(is_array($handsfree)) {
@ -35,11 +37,11 @@ function dfrn_confirm_post(&$a,$handsfree = null) {
/**
*
* Main entry point. Scenario 1. Our user received a friend request notification (perhaps
* from another site) and clicked 'Approve'.
* Main entry point. Scenario 1. Our user received a friend request notification (perhaps
* from another site) and clicked 'Approve'.
* $POST['source_url'] is not set. If it is, it indicates Scenario 2.
*
* We may also have been called directly from dfrn_request ($handsfree != null) due to
* We may also have been called directly from dfrn_request ($handsfree != null) due to
* this being a page type which supports automatic friend acceptance. That is also Scenario 1
* since we are operating on behalf of our registered user to approve a friendship.
*
@ -67,7 +69,7 @@ function dfrn_confirm_post(&$a,$handsfree = null) {
// These data elements may come from either the friend request notification form or $handsfree array.
if(is_array($handsfree)) {
logger('dfrn_confirm: Confirm in handsfree mode');
logger('Confirm in handsfree mode');
$dfrn_id = $handsfree['dfrn_id'];
$intro_id = $handsfree['intro_id'];
$duplex = $handsfree['duplex'];
@ -86,7 +88,7 @@ function dfrn_confirm_post(&$a,$handsfree = null) {
/**
*
* Ensure that dfrn_id has precedence when we go to find the contact record.
* We only want to search based on contact id if there is no dfrn_id,
* We only want to search based on contact id if there is no dfrn_id,
* e.g. for OStatus network followers.
*
*/
@ -94,15 +96,15 @@ function dfrn_confirm_post(&$a,$handsfree = null) {
if(strlen($dfrn_id))
$cid = 0;
logger('dfrn_confirm: Confirming request for dfrn_id (issued) ' . $dfrn_id);
logger('Confirming request for dfrn_id (issued) ' . $dfrn_id);
if($cid)
logger('dfrn_confirm: Confirming follower with contact_id: ' . $cid);
logger('Confirming follower with contact_id: ' . $cid);
/**
*
* The other person will have been issued an ID when they first requested friendship.
* Locate their record. At this time, their record will have both pending and blocked set to 1.
* Locate their record. At this time, their record will have both pending and blocked set to 1.
* There won't be any dfrn_id if this is a network follower, so use the contact_id instead.
*
*/
@ -114,7 +116,7 @@ function dfrn_confirm_post(&$a,$handsfree = null) {
);
if(! count($r)) {
logger('dfrn_confirm: Contact not found in DB.');
logger('Contact not found in DB.');
notice( t('Contact not found.') . EOL );
notice( t('This may occasionally happen if contact was requested by both persons and it has already been approved.') . EOL );
return;
@ -127,7 +129,7 @@ function dfrn_confirm_post(&$a,$handsfree = null) {
$site_pubkey = $contact['site-pubkey'];
$dfrn_confirm = $contact['confirm'];
$aes_allow = $contact['aes_allow'];
$network = ((strlen($contact['issued-id'])) ? NETWORK_DFRN : NETWORK_OSTATUS);
if($contact['network'])
@ -139,15 +141,16 @@ function dfrn_confirm_post(&$a,$handsfree = null) {
*
* Generate a key pair for all further communications with this person.
* We have a keypair for every contact, and a site key for unknown people.
* This provides a means to carry on relationships with other people if
* any single key is compromised. It is a robust key. We're much more
* worried about key leakage than anybody cracking it.
* This provides a means to carry on relationships with other people if
* any single key is compromised. It is a robust key. We're much more
* worried about key leakage than anybody cracking it.
*
*/
require_once('include/crypto.php');
$res = new_keypair(4096);
$private_key = $res['prvkey'];
$public_key = $res['pubkey'];
@ -156,23 +159,23 @@ function dfrn_confirm_post(&$a,$handsfree = null) {
$r = q("UPDATE `contact` SET `prvkey` = '%s' WHERE `id` = %d AND `uid` = %d",
dbesc($private_key),
intval($contact_id),
intval($uid)
intval($uid)
);
$params = array();
/**
*
* Per the DFRN protocol, we will verify both ends by encrypting the dfrn_id with our
* Per the DFRN protocol, we will verify both ends by encrypting the dfrn_id with our
* site private key (person on the other end can decrypt it with our site public key).
* Then encrypt our profile URL with the other person's site public key. They can decrypt
* it with their site private key. If the decryption on the other end fails for either
* item, it indicates tampering or key failure on at least one site and we will not be
* item, it indicates tampering or key failure on at least one site and we will not be
* able to provide a secure communication pathway.
*
* If other site is willing to accept full encryption, (aes_allow is 1 AND we have php5.3
* or later) then we encrypt the personal public key we send them using AES-256-CBC and a
* random key which is encrypted with their site public key.
* If other site is willing to accept full encryption, (aes_allow is 1 AND we have php5.3
* or later) then we encrypt the personal public key we send them using AES-256-CBC and a
* random key which is encrypted with their site public key.
*
*/
@ -205,7 +208,7 @@ function dfrn_confirm_post(&$a,$handsfree = null) {
if($user[0]['page-flags'] == PAGE_PRVGROUP)
$params['page'] = 2;
logger('dfrn_confirm: Confirm: posting data to ' . $dfrn_confirm . ': ' . print_r($params,true), LOGGER_DATA);
logger('Confirm: posting data to ' . $dfrn_confirm . ': ' . print_r($params,true), LOGGER_DATA);
/**
*
@ -219,10 +222,10 @@ function dfrn_confirm_post(&$a,$handsfree = null) {
$res = post_url($dfrn_confirm,$params);
logger('dfrn_confirm: Confirm: received data: ' . $res, LOGGER_DATA);
logger(' Confirm: received data: ' . $res, LOGGER_DATA);
// Now figure out what they responded. Try to be robust if the remote site is
// having difficulty and throwing up errors of some kind.
// Now figure out what they responded. Try to be robust if the remote site is
// having difficulty and throwing up errors of some kind.
$leading_junk = substr($res,0,strpos($res,'<?xml'));
@ -232,20 +235,26 @@ function dfrn_confirm_post(&$a,$handsfree = null) {
// No XML at all, this exchange is messed up really bad.
// We shouldn't proceed, because the xml parser might choke,
// and $status is going to be zero, which indicates success.
// We can hardly call this a success.
// We can hardly call this a success.
notice( t('Response from remote site was not understood.') . EOL);
return;
}
if(strlen($leading_junk) && get_config('system','debugging')) {
// This might be more common. Mixed error text and some XML.
// If we're configured for debugging, show the text. Proceed in either case.
notice( t('Unexpected response from remote site: ') . EOL . $leading_junk . EOL );
}
if(stristr($res, "<status")===false) {
// wrong xml! stop here!
notice( t('Unexpected response from remote site: ') . EOL . htmlspecialchars($res) . EOL );
return;
}
$xml = parse_xml_string($res);
$status = (int) $xml->status;
$message = unxmlify($xml->message); // human readable text of what may have gone wrong.
@ -261,7 +270,7 @@ function dfrn_confirm_post(&$a,$handsfree = null) {
$r = q("UPDATE contact SET `issued-id` = '%s' WHERE `id` = %d AND `uid` = %d",
dbesc($new_dfrn_id),
intval($contact_id),
intval($uid)
intval($uid)
);
case 2:
@ -307,7 +316,7 @@ function dfrn_confirm_post(&$a,$handsfree = null) {
require_once('include/Photo.php');
$photos = import_profile_photo($contact['photo'],$uid,$contact_id);
logger('dfrn_confirm: confirm - imported photos');
if($network === NETWORK_DFRN) {
@ -455,7 +464,7 @@ function dfrn_confirm_post(&$a,$handsfree = null) {
if(count($self)) {
$arr = array();
$arr['uri'] = $arr['parent-uri'] = item_new_uri($a->get_hostname(), $uid);
$arr['uri'] = $arr['parent-uri'] = item_new_uri($a->get_hostname(), $uid);
$arr['uid'] = $uid;
$arr['contact-id'] = $self[0]['id'];
$arr['wall'] = 1;
@ -522,7 +531,7 @@ function dfrn_confirm_post(&$a,$handsfree = null) {
*
* Begin Scenario 2. This is the remote response to the above scenario.
* This will take place on the site that originally initiated the friend request.
* In the section above where the confirming party makes a POST and
* In the section above where the confirming party makes a POST and
* retrieves xml status information, they are communicating with the following code.
*
*/
@ -603,7 +612,7 @@ function dfrn_confirm_post(&$a,$handsfree = null) {
// this is either a bogus confirmation (?) or we deleted the original introduction.
$message = t('Contact record was not found for you on our site.');
xml_status(3,$message);
return; // NOTREACHED
return; // NOTREACHED
}
}
@ -731,33 +740,21 @@ function dfrn_confirm_post(&$a,$handsfree = null) {
$combined = $r[0];
if((count($r)) && ($r[0]['notify-flags'] & NOTIFY_CONFIRM)) {
push_lang($r[0]['language']);
$tpl = (($new_relation == CONTACT_IS_FRIEND)
? get_intltext_template('friend_complete_eml.tpl')
: get_intltext_template('intro_complete_eml.tpl'));
$email_tpl = replace_macros($tpl, array(
'$sitename' => $a->config['sitename'],
'$siteurl' => $a->get_baseurl(),
'$username' => $r[0]['username'],
'$email' => $r[0]['email'],
'$fn' => $r[0]['name'],
'$dfrn_url' => $r[0]['url'],
'$uid' => $newuid )
);
require_once('include/email.php');
$res = mail($r[0]['email'], email_header_encode( sprintf( t("Connection accepted at %s") , $a->config['sitename']),'UTF-8'),
$email_tpl,
'From: ' . 'Administrator' . '@' . $_SERVER['SERVER_NAME'] . "\n"
. 'Content-type: text/plain; charset=UTF-8' . "\n"
. 'Content-transfer-encoding: 8bit' );
if(!$res) {
// pointless throwing an error here and confusing the person at the other end of the wire.
}
pop_lang();
$mutual = ($new_relation == CONTACT_IS_FRIEND);
notification(array(
'type' => NOTIFY_CONFIRM,
'notify_flags' => $r[0]['notify-flags'],
'language' => $r[0]['language'],
'to_name' => $r[0]['username'],
'to_email' => $r[0]['email'],
'uid' => $r[0]['uid'],
'link' => $a->get_baseurl() . '/contacts/' . $dfrn_record,
'source_name' => ((strlen(stripslashes($r[0]['name']))) ? stripslashes($r[0]['name']) : t('[Name Withheld]')),
'source_link' => $r[0]['url'],
'source_photo' => $r[0]['photo'],
'verb' => ($mutual?ACTIVITY_FRIEND:ACTIVITY_FOLLOW),
'otype' => 'intro'
));
}
// Send a new friend post if we are allowed to...
@ -778,7 +775,7 @@ function dfrn_confirm_post(&$a,$handsfree = null) {
if(count($self)) {
$arr = array();
$arr['uri'] = $arr['parent-uri'] = item_new_uri($a->get_hostname(), $local_uid);
$arr['uri'] = $arr['parent-uri'] = item_new_uri($a->get_hostname(), $local_uid);
$arr['uid'] = $local_uid;
$arr['contact-id'] = $self[0]['id'];
$arr['wall'] = 1;

74
mod/dfrn_request.php
View file

@ -9,6 +9,8 @@
*
*/
require_once('include/enotify.php');
if(! function_exists('dfrn_request_init')) {
function dfrn_request_init(&$a) {
@ -45,13 +47,13 @@ function dfrn_request_post(&$a) {
if(x($_POST, 'cancel')) {
goaway(z_root());
}
}
/**
*
* Scenario 2: We've introduced ourself to another cell, then have been returned to our own cell
* to confirm the request, and then we've clicked submit (perhaps after logging in).
* to confirm the request, and then we've clicked submit (perhaps after logging in).
* That brings us here:
*
*/
@ -145,7 +147,7 @@ function dfrn_request_post(&$a) {
*/
$r = q("INSERT INTO `contact` ( `uid`, `created`,`url`, `nurl`, `name`, `nick`, `photo`, `site-pubkey`,
`request`, `confirm`, `notify`, `poll`, `poco`, `network`, `aes_allow`, `hidden`)
`request`, `confirm`, `notify`, `poll`, `poco`, `network`, `aes_allow`, `hidden`)
VALUES ( %d, '%s', '%s', '%s', '%s' , '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', %d, %d)",
intval(local_user()),
datetime_convert(),
@ -216,17 +218,17 @@ function dfrn_request_post(&$a) {
/**
* Otherwise:
*
*
* Scenario 1:
* We are the requestee. A person from a remote cell has made an introduction
* on our profile web page and clicked submit. We will use their DFRN-URL to
* figure out how to contact their cell.
* We are the requestee. A person from a remote cell has made an introduction
* on our profile web page and clicked submit. We will use their DFRN-URL to
* figure out how to contact their cell.
*
* Scrape the originating DFRN-URL for everything we need. Create a contact record
* and an introduction to show our user next time he/she logs in.
* Finally redirect back to the requestor so that their site can record the request.
* If our user (the requestee) later confirms this request, a record of it will need
* to exist on the requestor's cell in order for the confirmation process to complete..
* If our user (the requestee) later confirms this request, a record of it will need
* to exist on the requestor's cell in order for the confirmation process to complete..
*
* It's possible that neither the requestor or the requestee are logged in at the moment,
* and the requestor does not yet have any credentials to the requestee profile.
@ -266,19 +268,19 @@ function dfrn_request_post(&$a) {
notice( t('Spam protection measures have been invoked.') . EOL);
notice( t('Friends are advised to please try again in 24 hours.') . EOL);
return;
}
}
}
/**
*
* Cleanup old introductions that remain blocked.
* Cleanup old introductions that remain blocked.
* Also remove the contact record, but only if there is no existing relationship
* Do not remove email contacts as these may be awaiting email verification
*/
$r = q("SELECT `intro`.*, `intro`.`id` AS `iid`, `contact`.`id` AS `cid`, `contact`.`rel`
$r = q("SELECT `intro`.*, `intro`.`id` AS `iid`, `contact`.`id` AS `cid`, `contact`.`rel`
FROM `intro` LEFT JOIN `contact` on `intro`.`contact-id` = `contact`.`id`
WHERE `intro`.`blocked` = 1 AND `contact`.`self` = 0
WHERE `intro`.`blocked` = 1 AND `contact`.`self` = 0
AND `contact`.`network` != '%s'
AND `intro`.`datetime` < UTC_TIMESTAMP() - INTERVAL 30 MINUTE ",
dbesc(NETWORK_MAIL2)
@ -401,13 +403,13 @@ function dfrn_request_post(&$a) {
$photo = avatar_img($addr);
$r = q("UPDATE `contact` SET
`photo` = '%s',
$r = q("UPDATE `contact` SET
`photo` = '%s',
`thumb` = '%s',
`micro` = '%s',
`name-date` = '%s',
`uri-date` = '%s',
`avatar-date` = '%s',
`micro` = '%s',
`name-date` = '%s',
`uri-date` = '%s',
`avatar-date` = '%s',
`hidden` = 0,
WHERE `id` = %d
",
@ -464,7 +466,7 @@ function dfrn_request_post(&$a) {
if($network === NETWORK_DFRN) {
$ret = q("SELECT * FROM `contact` WHERE `uid` = %d AND `url` = '%s' AND `self` = 0 LIMIT 1",
$ret = q("SELECT * FROM `contact` WHERE `uid` = %d AND `url` = '%s' AND `self` = 0 LIMIT 1",
intval($uid),
dbesc($url)
);
@ -506,7 +508,7 @@ function dfrn_request_post(&$a) {
goaway($a->get_baseurl() . '/' . $a->cmd);
return; // NOTREACHED
}
require_once('include/Scrape.php');
@ -521,12 +523,12 @@ function dfrn_request_post(&$a) {
notice( t('Warning: profile location has no identifiable owner name.') . EOL );
if(! x($parms,'photo'))
notice( t('Warning: profile location has no profile photo.') . EOL );
$invalid = validate_dfrn($parms);
$invalid = validate_dfrn($parms);
if($invalid) {
notice( sprintf( tt("%d required parameter was not found at the given location",
"%d required parameters were not found at the given location",
$invalid), $invalid) . EOL );
return;
}
}
@ -591,7 +593,7 @@ function dfrn_request_post(&$a) {
// This notice will only be seen by the requestor if the requestor and requestee are on the same server.
if(! $failed)
if(! $failed)
info( t('Your introduction has been sent.') . EOL );
// "Homecoming" - send the requestor back to their site to record the introduction.
@ -599,21 +601,21 @@ function dfrn_request_post(&$a) {
$dfrn_url = bin2hex($a->get_baseurl() . '/profile/' . $nickname);
$aes_allow = ((function_exists('openssl_encrypt')) ? 1 : 0);
goaway($parms['dfrn-request'] . "?dfrn_url=$dfrn_url"
. '&dfrn_version=' . DFRN_PROTOCOL_VERSION
. '&confirm_key=' . $hash
goaway($parms['dfrn-request'] . "?dfrn_url=$dfrn_url"
. '&dfrn_version=' . DFRN_PROTOCOL_VERSION
. '&confirm_key=' . $hash
. (($aes_allow) ? "&aes_allow=1" : "")
);
// NOTREACHED
// END $network === NETWORK_DFRN
}
elseif($network === NETWORK_OSTATUS) {
/**
*
* OStatus network
* Check contact existence
* Try and scrape together enough information to create a contact record,
* Try and scrape together enough information to create a contact record,
* with us as CONTACT_IS_FOLLOWER
* Substitute our user's feed URL into $url template
* Send the subscriber home to subscribe
@ -655,7 +657,7 @@ function dfrn_request_content(&$a) {
return login();
}
// Edge case, but can easily happen in the wild. This person is authenticated,
// Edge case, but can easily happen in the wild. This person is authenticated,
// but not as the person who needs to deal with this request.
if ($a->user['nickname'] != $a->argv[1]) {
@ -683,11 +685,11 @@ function dfrn_request_content(&$a) {
return $o;
}
elseif((x($_GET,'confirm_key')) && strlen($_GET['confirm_key'])) {
elseif((x($_GET,'confirm_key')) && strlen($_GET['confirm_key'])) {
// we are the requestee and it is now safe to send our user their introduction,
// We could just unblock it, but first we have to jump through a few hoops to
// send an email, or even to find out if we need to send an email.
// We could just unblock it, but first we have to jump through a few hoops to
// send an email, or even to find out if we need to send an email.
$intro = q("SELECT * FROM `intro` WHERE `hash` = '%s' LIMIT 1",
dbesc($_GET['confirm_key'])
@ -707,7 +709,7 @@ function dfrn_request_content(&$a) {
$auto_confirm = true;
if(! $auto_confirm) {
require_once('include/enotify.php');
notification(array(
'type' => NOTIFY_INTRO,
'notify_flags' => $r[0]['notify-flags'],
@ -758,7 +760,7 @@ function dfrn_request_content(&$a) {
/**
* Normal web request. Display our user's introduction form.
*/
if((get_config('system','block_public')) && (! local_user()) && (! remote_user())) {
if(! get_config('system','local_block')) {
notice( t('Public access denied.') . EOL);
@ -793,7 +795,7 @@ function dfrn_request_content(&$a) {
/**
*
* The auto_request form only has the profile address
* because nobody is going to read the comments and
* because nobody is going to read the comments and
* it doesn't matter if they know you or not.
*
*/