/**
* mb_form
*/
function mb_form($params, $content, &$smarty, &$repeat)
{
$fields = array("m" => CMbArray::extract($params, "m", null, true), "dosql" => CMbArray::extract($params, "dosql"), "tab" => CMbArray::extract($params, "tab"), "a" => CMbArray::extract($params, "a"));
$attributes = array("name" => CMbArray::extract($params, "name", null, true), "method" => CMbArray::extract($params, "method", "get"), "action" => CMbArray::extract($params, "action", "?"), "class" => CMbArray::extract($params, "className", ""));
// If protection enabled
if (CAppUI::conf("csrf_protection")) {
// During opening tag, we generate the token
if ($repeat) {
// Form is open
self::$is_open = true;
} else {
if (strtoupper($attributes["method"]) == "POST") {
$lifetime = CMbArray::extract($params, "lifetime", CAppUI::conf("csrf_token_lifetime"));
$lifetime = abs(round($lifetime));
$token = CCSRF::generateToken();
if ($token) {
// Key is token, value is expiration date and fields to check
$_SESSION["tokens"][$token] = array("lifetime" => time() + $lifetime, "fields" => self::$csrf_values);
// In order to add the hidden input
$fields["csrf"] = $token;
self::$csrf_values = array();
}
}
// Form is closing
self::$is_open = false;
}
}
$attributes += $params;
$fields = array_filter($fields);
$_content = "";
foreach ($fields as $name => $value) {
$_content .= "\n" . CHTMLResourceLoader::getTag("input", array("type" => "hidden", "name" => $name, "value" => $value));
}
$_content .= $content;
return CHTMLResourceLoader::getTag("form", $attributes, $_content);
}
if (CAppUI::$instance->weak_password && (!CAppUI::$instance->user_remote || CAppUI::conf("admin CUser apply_all_users"))) {
CAppUI::redirect("m=admin&tab=chpwd&forceChange=1");
}
// If we want to force user to periodically change password
if (CAppUI::conf("admin CUser force_changing_password") || $user->_ref_user->force_change_password) {
// Need to change
if ($user->_ref_user->force_change_password) {
CAppUI::redirect("m=admin&tab=chpwd&forceChange=1");
}
if (CMbDT::dateTime("-" . CAppUI::conf("admin CUser password_life_duration")) > $user->_ref_user->user_password_last_change) {
CAppUI::redirect("m=admin&tab=chpwd&forceChange=1&lifeDuration=1");
}
}
}
// Check CSRF protection
CCSRF::checkProtection();
// do some db work if dosql is set
if ($dosql) {
// dP remover super hack
if (!CModule::getInstalled($m)) {
if (!CModule::getInstalled("dP{$m}")) {
CAppUI::redirect("m=system&a=module_missing&mod={$m}");
}
$m = "dP{$m}";
}
// controller in controllers/ directory
if (is_file("./modules/{$m}/controllers/{$dosql}.php")) {
include "./modules/{$m}/controllers/{$dosql}.php";
}
}
// Permissions checked on POST $m, but we redirect to GET $m
/**
* Put a random token into a form in order to prevent from CSRF attacks
*
* @param array $params Array of parameters
*
* @return string|null
*/
function mb_token($params)
{
if (!CAppUI::conf("csrf_protection")) {
return null;
}
$lifetime = CMbArray::extract($params, "lifetime", CAppUI::conf("csrf_token_lifetime"));
$lifetime = abs(round($lifetime));
$token = CCSRF::generateToken();
if ($token) {
// Store in session
if (isset($_SESSION)) {
// Key is token, value is expiration date
$_SESSION["tokens"][$token] = array("lifetime" => time() + $lifetime, "fields" => array());
return "<input type=\"hidden\" name=\"csrf\" value=\"" . $token . "\" />";
}
}
return null;
}
