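/**
 * Sign a parameter set and validate it again against a second, physically
 * separate signer instance.
 *
 * Each case holds 'signParams' (what is signed), 'validateParams' (what is
 * presented to the validator) and 'isValid' (the expected verdict). The
 * cases cover an exact match, an extra irrelevant key, and NULL/''/0/FALSE
 * and int-vs-numeric-string substitutions of a signed value.
 */
public function testSignValidate() {
  // Loaded once up front; the original required it on every loop iteration.
  require_once 'CRM/Utils/Signer.php';

  $cases = array();
  $cases[] = array(
    'signParams' => array('a' => 'eh', 'b' => 'bee', 'c' => NULL),
    'validateParams' => array('a' => 'eh', 'b' => 'bee', 'c' => NULL),
    'isValid' => TRUE,
  );
  $cases[] = array(
    'signParams' => array('a' => 'eh', 'b' => 'bee', 'c' => NULL),
    'validateParams' => array('a' => 'eh', 'b' => 'bee', 'c' => NULL, 'irrelevant' => 'totally-irrelevant'),
    'isValid' => TRUE,
  );
  $cases[] = array(
    'signParams' => array('a' => 'eh', 'b' => 'bee', 'c' => NULL),
    'validateParams' => array('a' => 'eh', 'b' => 'bee', 'c' => ''),
    'isValid' => TRUE,
  );
  $cases[] = array(
    'signParams' => array('a' => 'eh', 'b' => 'bee', 'c' => NULL),
    'validateParams' => array('a' => 'eh', 'b' => 'bee', 'c' => 0),
    'isValid' => FALSE,
  );
  $cases[] = array(
    'signParams' => array('a' => 'eh', 'b' => 'bee', 'c' => 0),
    'validateParams' => array('a' => 'eh', 'b' => 'bee', 'c' => NULL),
    'isValid' => FALSE,
  );
  $cases[] = array(
    'signParams' => array('a' => 'eh', 'b' => 'bee', 'c' => NULL),
    'validateParams' => array('a' => 'eh', 'b' => 'bay', 'c' => NULL),
    'isValid' => FALSE,
  );
  $cases[] = array(
    'signParams' => array('a' => 'eh', 'b' => 'bee', 'c' => NULL),
    'validateParams' => array('a' => 'eh', 'b' => 'bee', 'c' => FALSE),
    'isValid' => FALSE,
  );
  $cases[] = array(
    'signParams' => array('a' => 1, 'b' => 'bee'),
    'validateParams' => array('a' => '1', 'b' => 'bee'),
    'isValid' => TRUE,
  );

  foreach ($cases as $caseId => $case) {
    $signer = new CRM_Utils_Signer('secret', array('a', 'b', 'c'));
    $signature = $signer->sign($case['signParams']);
    // The signature format is opaque to this test; only require a non-empty string.
    $this->assertTrue(!empty($signature) && is_string($signature), "Case {$caseId}: signature should be a non-empty string");

    // Same key and field list as $signer, but a separate instance, so the
    // check does not depend on state carried over from sign().
    $validator = new CRM_Utils_Signer('secret', array('a', 'b', 'c'));
    $isValid = $validator->validate($signature, $case['validateParams']);
    // Strict comparison: the verdict must be a real bool, not a truthy value.
    $this->assertSame($case['isValid'], $isValid, "Case {$caseId}: Mismatch: " . var_export($case, TRUE));
  }
}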
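/**
 * AJAX endpoint: check whether a CMS username is available.
 *
 * The request must carry a signature ('sig') over 'for' and 'ts' made with
 * the site's private key, 'for' must name this endpoint, and 'ts' must be a
 * numeric timestamp no older than self::CHECK_USERNAME_TTL seconds. Any
 * failure yields {"name":"error"}; otherwise 'cms_name' is checked with the
 * CMS and {"name":"yes"} or {"name":"no"} is emitted.
 *
 * CRM_Utils_JSON::output() is expected to end the request; civiExit() is
 * still called after the error output so the username lookup can never run
 * for a rejected request if that expectation does not hold.
 */
public static function checkUserName() {
  $signer = new CRM_Utils_Signer(CRM_Core_Key::privateKey(), array('for', 'ts'));
  $sig = CRM_Utils_Request::retrieve('sig', 'String', CRM_Core_DAO::$_nullObject);
  $for = CRM_Utils_Request::retrieve('for', 'String', CRM_Core_DAO::$_nullObject);
  // 'ts' is read from $_REQUEST because the signature is validated against
  // $_REQUEST below; a missing or non-numeric value is rejected outright
  // instead of being silently coerced in the addition.
  $ts = isset($_REQUEST['ts']) ? $_REQUEST['ts'] : NULL;

  if (!is_numeric($ts)
    || CRM_Utils_Time::getTimeRaw() > $ts + self::CHECK_USERNAME_TTL
    || $for !== 'civicrm/ajax/cmsuser'
    || !$signer->validate($sig, $_REQUEST)
  ) {
    CRM_Utils_JSON::output(array('name' => 'error'));
    // Fail closed even if output() returns.
    CRM_Utils_System::civiExit();
  }

  $config = CRM_Core_Config::singleton();
  // Cast before trim(): a missing 'cms_name' must not reach trim() as NULL.
  $username = trim((string) CRM_Utils_Array::value('cms_name', $_REQUEST));
  $params = array('name' => $username);
  $errors = array();
  $config->userSystem->checkUserNameEmailExists($params, $errors);

  if (isset($errors['cms_name']) || isset($errors['name'])) {
    // user name is not available
    CRM_Utils_JSON::output(array('name' => 'no'));
  }
  else {
    // user name is available
    CRM_Utils_JSON::output(array('name' => 'yes'));
  }
  // Not reachable if JSON::output() exits; kept as a backstop.
  CRM_Utils_System::civiExit();
}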
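/**
 * @param string $token
 *   A token supplied by the user, of the form "<signature>;;;<timestamp>".
 * @return bool
 *   TRUE if the token is valid for submitting attachments
 * @throws Exception
 */
public static function checkToken($token) {
  // Anything that is not a string cannot be a well-formed token.
  if (!is_string($token)) {
    return FALSE;
  }
  // A token without the separator has no timestamp to check; reject it
  // instead of tripping an undefined-offset notice in list().
  $parts = explode(';;;', $token);
  if (count($parts) < 2) {
    return FALSE;
  }
  list($signature, $ts) = $parts;

  $signer = new CRM_Utils_Signer(CRM_Core_Key::privateKey(), array('for', 'ts'));
  // The timestamp must be numeric and within the TTL before the signature is
  // even considered.
  if (!is_numeric($ts) || CRM_Utils_Time::getTimeRaw() > $ts + self::ATTACHMENT_TOKEN_TTL) {
    return FALSE;
  }
  return $signer->validate($signature, array('for' => 'crmAttachment', 'ts' => $ts));
}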
/**
 * Delete a file attachment from an entity table / entity ID.
 *
 * The request must carry a signature ('_sgn') over the signable fields
 * (entityTable, entityID, fileID) made with the site's private key; an
 * invalid signature is fatal and nothing is deleted.
 */
public static function deleteAttachment() {
  // Every field is required (abort = TRUE); they are retrieved in this order.
  $fields = array(
    'entityTable' => CRM_Utils_Request::retrieve('entityTable', 'String', CRM_Core_DAO::$_nullObject, TRUE),
    'entityID' => CRM_Utils_Request::retrieve('entityID', 'Positive', CRM_Core_DAO::$_nullObject, TRUE),
    'fileID' => CRM_Utils_Request::retrieve('fileID', 'Positive', CRM_Core_DAO::$_nullObject, TRUE),
  );
  $sig = CRM_Utils_Request::retrieve('_sgn', 'String', CRM_Core_DAO::$_nullObject, TRUE);

  // The signature binds exactly the fields used for the delete below.
  $signer = new CRM_Utils_Signer(CRM_Core_Key::privateKey(), self::$_signableFields);
  if (!$signer->validate($sig, $fields)) {
    CRM_Core_Error::fatal('Request signature is invalid');
  }

  CRM_Core_BAO_File::deleteEntityFile($fields['entityTable'], $fields['entityID'], NULL, $fields['fileID']);
}
/**
 * AJAX endpoint: move one row's 'weight' relative to another row.
 *
 * The DAO name, id column, filter and direction all come from $_GET; they
 * are interpolated into SQL (or instantiated, for $daoName) below, so the
 * signature check on $_GET is the only thing that makes that acceptable.
 * Every such field therefore has to be listed in self::$SIGNABLE_FIELDS.
 *
 * 'dir' selects the operation: 'swap' exchanges the two weights, 'first'
 * shifts the rows below the new position up by one, 'last' shifts the rows
 * above it down by one; any other value only moves the source row.
 */
public static function fixOrder() {
  $signature = CRM_Utils_Request::retrieve('_sgn', 'String', CRM_Core_DAO::$_nullObject);
  $signer = new CRM_Utils_Signer(CRM_Core_Key::privateKey(), self::$SIGNABLE_FIELDS);
  // Validate $_GET values b/c subsequent code reads $_GET (via CRM_Utils_Request::retrieve)
  if (!$signer->validate($signature, $_GET)) {
    CRM_Core_Error::fatal('Request signature is invalid');
  }

  // Note: Ensure this list matches self::$SIGNABLE_FIELDS
  $daoName = CRM_Utils_Request::retrieve('dao', 'String', CRM_Core_DAO::$_nullObject);
  $id = CRM_Utils_Request::retrieve('id', 'Integer', CRM_Core_DAO::$_nullObject);
  $idName = CRM_Utils_Request::retrieve('idName', 'String', CRM_Core_DAO::$_nullObject);
  $url = CRM_Utils_Request::retrieve('url', 'String', CRM_Core_DAO::$_nullObject);
  $filter = CRM_Utils_Request::retrieve('filter', 'String', CRM_Core_DAO::$_nullObject);
  $src = CRM_Utils_Request::retrieve('src', 'Integer', CRM_Core_DAO::$_nullObject);
  $dst = CRM_Utils_Request::retrieve('dst', 'Integer', CRM_Core_DAO::$_nullObject);
  $dir = CRM_Utils_Request::retrieve('dir', 'String', CRM_Core_DAO::$_nullObject);

  // $daoName is request-supplied (signed); it is used both as a class name
  // and, via tableName(), in the SQL below.
  $object = new $daoName();
  $srcWeight = CRM_Core_DAO::getFieldValue($daoName, $src, 'weight', $idName);
  $dstWeight = CRM_Core_DAO::getFieldValue($daoName, $dst, 'weight', $idName);
  // NOTE(review): fixOrderOutput() presumably ends the request; if it does
  // not, the equal-weights case falls through to the UPDATEs below — confirm.
  if ($srcWeight == $dstWeight) {
    self::fixOrderOutput($url);
  }

  $tableName = $object->tableName();
  // $tableName and $idName are interpolated, %1/%2 are bound parameters.
  $query = "UPDATE {$tableName} SET weight = %1 WHERE {$idName} = %2";
  $params = array(1 => array($dstWeight, 'Integer'), 2 => array($src, 'Integer'));
  CRM_Core_DAO::executeQuery($query, $params);

  if ($dir == 'swap') {
    $params = array(1 => array($srcWeight, 'Integer'), 2 => array($dst, 'Integer'));
    CRM_Core_DAO::executeQuery($query, $params);
  }
  elseif ($dir == 'first') {
    // increment the rest by one
    $query = "UPDATE {$tableName} SET weight = weight + 1 WHERE {$idName} != %1 AND weight < %2";
    // $filter is appended verbatim as SQL; it is covered by the signature above.
    if ($filter) {
      $query .= " AND {$filter}";
    }
    $params = array(1 => array($src, 'Integer'), 2 => array($srcWeight, 'Integer'));
    CRM_Core_DAO::executeQuery($query, $params);
  }
  elseif ($dir == 'last') {
    // decrement the rest by one (the comment in the original said increment)
    $query = "UPDATE {$tableName} SET weight = weight - 1 WHERE {$idName} != %1 AND weight > %2";
    // $filter is appended verbatim as SQL; it is covered by the signature above.
    if ($filter) {
      $query .= " AND {$filter}";
    }
    $params = array(1 => array($src, 'Integer'), 2 => array($srcWeight, 'Integer'));
    CRM_Core_DAO::executeQuery($query, $params);
  }

  self::fixOrderOutput($url);
}
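/**
 * AJAX endpoint: check whether a CMS username is available.
 *
 * The request must carry a signature ('sig') over 'for' and 'ts' made with
 * the site's private key, 'for' must name this endpoint, and 'ts' must be a
 * numeric timestamp no older than self::CHECK_USERNAME_TTL seconds. Any
 * failure emits {"name":"error"} and exits; otherwise 'cms_name' is checked
 * with the CMS and {"name":"yes"} or {"name":"no"} is emitted.
 */
public static function checkUserName() {
  $signer = new CRM_Utils_Signer(CRM_Core_Key::privateKey(), array('for', 'ts'));
  // Read the request fields once, without undefined-index notices; a
  // missing value simply fails the checks below.
  $ts = isset($_REQUEST['ts']) ? $_REQUEST['ts'] : NULL;
  $for = isset($_REQUEST['for']) ? $_REQUEST['for'] : NULL;
  $sig = isset($_REQUEST['sig']) ? $_REQUEST['sig'] : NULL;

  // A non-numeric 'ts' is rejected outright rather than coerced in the addition.
  if (!is_numeric($ts)
    || CRM_Utils_Time::getTimeRaw() > $ts + self::CHECK_USERNAME_TTL
    || $for !== 'civicrm/ajax/cmsuser'
    || !$signer->validate($sig, $_REQUEST)
  ) {
    $user = array('name' => 'error');
    echo json_encode($user);
    CRM_Utils_System::civiExit();
  }

  $config = CRM_Core_Config::singleton();
  // Cast before trim(): a missing 'cms_name' must not reach trim() as NULL.
  $username = trim(isset($_REQUEST['cms_name']) ? (string) $_REQUEST['cms_name'] : '');
  $params = array('name' => $username);
  $errors = array();
  $config->userSystem->checkUserNameEmailExists($params, $errors);

  if (isset($errors['cms_name']) || isset($errors['name'])) {
    // user name is not available
    $user = array('name' => 'no');
    echo json_encode($user);
  }
  else {
    // user name is available
    $user = array('name' => 'yes');
    echo json_encode($user);
  }
  CRM_Utils_System::civiExit();
}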