Ejemplo n.º 1
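 /**
  * Check a confirmation key and return the data it carries.
  *
  * The key is a 2-character check prefix followed by an encrypted
  * payload. The prefix is the first 2 hex characters of
  * md5(secret_key . payload).
  *
  * This is a static function to be reused by other forms.
  *
  * Security note: the prefix carries only 8 bits, so about one
  * random key in 256 passes the check. Treat it as a typo guard, not
  * as authentication of the key; callers must still validate the
  * returned values. A full-length HMAC compared with hash_equals()
  * would be the robust construction, but that also requires changing
  * the code that generates the keys, which is not part of this method.
  *
  * @param string Confirmation key
  * @return mixed Either false or array(email, id)
  */
 public static function checkKeyHash($key)
 {
     if (!is_string($key) || strlen($key) < 3) {
         // Too short to hold the 2-character prefix plus a payload.
         return false;
     }
     $hash = substr($key, 0, 2);
     $encrypted = substr($key, 2);
     $expected = substr(md5(Pluf::f('secret_key') . $encrypted), 0, 2);
     // Strict comparison: with != PHP compares numeric-looking strings
     // as numbers, so prefixes such as "+7" or " 7" would equal "07".
     if ($hash !== $expected) {
         return false;
     }
     // The same secret is used for the check prefix and, via md5(), as
     // the Pluf_Crypt key.
     $cr = new Pluf_Crypt(md5(Pluf::f('secret_key')));
     $parts = explode(':', $cr->decrypt($encrypted), 2);
     if (count($parts) !== 2) {
         // The decrypted payload has no ':' separator, so it cannot be
         // the documented (email, id) pair.
         return false;
     }
     return $parts;
 }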
Ejemplo n.º 2
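 /**
  * Validate the key.
  *
  * The key is a 2-character check prefix followed by an encrypted
  * payload. The prefix is the first 2 hex characters of
  * md5(secret_key . payload).
  *
  * Throw a Pluf_Form_Invalid exception if the key is not valid.
  *
  * Security note: the prefix carries only 8 bits, so about one
  * random key in 256 passes the check. It catches copy/paste errors
  * but does not authenticate the key. This method also does not look
  * at the timestamp in the payload; expiry has to be enforced by the
  * caller.
  *
  * @param string Key
  * @return array array($new_email, $user_id, time())
  */
 public static function validateKey($key)
 {
     $parts = array();
     if (is_string($key) && strlen($key) >= 3) {
         $hash = substr($key, 0, 2);
         $encrypted = substr($key, 2);
         $expected = substr(md5(Pluf::f('secret_key') . $encrypted), 0, 2);
         // Strict comparison: != would compare numeric-looking
         // prefixes as numbers ("+7" or " 7" would equal "07").
         if ($hash === $expected) {
             $cr = new Pluf_Crypt(md5(Pluf::f('secret_key')));
             $parts = explode(':', $cr->decrypt($encrypted), 3);
         }
     }
     // A payload without exactly three ':'-separated fields is rejected
     // the same way as a bad prefix, so callers never receive a short
     // array.
     if (count($parts) !== 3) {
         throw new Pluf_Form_Invalid(__('The validation key is not valid. Please copy/paste it from your confirmation email.'));
     }
     return $parts;
 }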
Ejemplo n.º 3
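 /**
  * Based on the request, it is automatically setting the user.
  *
  * Authenticated feeds have a token set at the end of the url in
  * the form of 'authenticated/url/token/234092384023woeiur/'. If
  * you remove 'token/234092384023woeiur/' the url is not
  * authenticated.
  *
  * If the user is already logged in and not anonymous and no token
  * is given, then the user is unset and a non authenticated user
  * is loaded. This is to avoid people to not understand why a
  * normally not authenticated feed is providing authenticated
  * data.
  *
  * Security notes:
  * - The token's check prefix is 2 hex characters of
  *   md5(secret_key . payload), i.e. 8 bits. It does not authenticate
  *   the token; the decrypted user id and project id are the values
  *   that decide access, so they are checked strictly below.
  * - The token is part of the URL, so it ends up wherever URLs are
  *   recorded (server logs, proxies, browser history).
  *
  * @param object Request; ->project, ->user and ->query are read and
  *               ->user may be replaced
  * @return bool Always true
  */
 public static function feedSetUser($request)
 {
     if (!isset($request->project)) {
         // we do not act on non project pages at the
         // moment.
         return true;
     }
     if (!$request->user->isAnonymous()) {
         // by default anonymous: drop the logged-in user before
         // looking at the token, so every early return below leaves
         // the request unauthenticated.
         $request->user = new Pluf_User();
         IDF_Middleware::setRights($request);
     }
     $match = array();
     if (!preg_match('#/token/([^/]+)/$#', $request->query, $match)) {
         // no token in the url, anonymous
         return true;
     }
     $token = $match[1];
     $hash = substr($token, 0, 2);
     $encrypted = substr($token, 2);
     $expected = substr(md5(Pluf::f('secret_key') . $encrypted), 0, 2);
     // Strict comparison: != would compare numeric-looking prefixes
     // as numbers ("+7" or " 7" would equal "07").
     if ($hash !== $expected) {
         // no match in the hash, anonymous
         return true;
     }
     $cr = new Pluf_Crypt(md5(Pluf::f('secret_key')));
     $parts = explode(':', $cr->decrypt($encrypted), 2);
     if (count($parts) !== 2) {
         // payload is not "userid:projectid", anonymous
         return true;
     }
     list($userid, $projectid) = $parts;
     // Compare as strings: a loose != lets a value like "5abc" match
     // project id 5 on PHP versions before 8.
     if ((string) $projectid !== (string) $request->project->id) {
         // token issued for another project, anonymous
         return true;
     }
     // NOTE(review): $userid reaches Pluf_User unvalidated; confirm the
     // constructor treats it strictly as a primary key.
     $user = new Pluf_User($userid);
     if (!$user->active) {
         // inactive user, anonymous
         return true;
     }
     $request->user = $user;
     IDF_Middleware::setRights($request);
     return true;
 }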