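/**
 * Return false or an array with the email and id.
 *
 * This is a static function to be reused by other forms.
 *
 * The key is a 2-character check prefix followed by the encrypted
 * payload. The prefix is compared with the first 2 hex characters
 * of md5(secret_key . payload); on a match the payload is decrypted
 * with Pluf_Crypt keyed by md5(secret_key) and split on the first ':'.
 *
 * NOTE(review): the check prefix has only 256 possible values, so it
 * catches copy/paste mistakes but cannot be relied on to reject a
 * guessed or altered key. Strengthening it (for example a full-length
 * hash_hmac() tag compared with hash_equals()) also requires changing
 * the code that generates the keys, which is not visible here.
 * Whether Pluf_Crypt authenticates the ciphertext is not visible
 * here either -- confirm.
 *
 * @param string Confirmation key
 * @return mixed Either false or array(email, id)
 */
public static function checkKeyHash($key)
{
    // Anything but a string cannot be a key handed out by the forms.
    if (!is_string($key)) {
        return false;
    }
    $hash = substr($key, 0, 2);
    $encrypted = substr($key, 2);
    $expected = substr(md5(Pluf::f('secret_key') . $encrypted), 0, 2);
    // Strict comparison: with != PHP applies numeric coercion to
    // numeric-looking strings, so values that differ byte-wise could
    // still be accepted as equal.
    if ($hash !== $expected) {
        return false;
    }
    $cr = new Pluf_Crypt(md5(Pluf::f('secret_key')));
    $parts = explode(':', $cr->decrypt($encrypted), 2);
    // A payload without the ':' separator does not hold (email, id);
    // report it as invalid instead of returning a short array.
    if (count($parts) !== 2) {
        return false;
    }
    return $parts;
}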
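/**
 * Validate the key.
 *
 * Throw a Pluf_Form_Invalid exception if the key is not valid.
 *
 * The key is a 2-character check prefix followed by the encrypted
 * payload. The prefix is compared with the first 2 hex characters
 * of md5(secret_key . payload); on a match the payload is decrypted
 * with Pluf_Crypt keyed by md5(secret_key) and split on ':' into at
 * most 3 parts.
 *
 * NOTE(review): the check prefix has only 256 possible values, so it
 * catches copy/paste mistakes but cannot be relied on to reject a
 * guessed or altered key. The third element is documented as a
 * timestamp, but this method does not check its age; confirm that the
 * caller enforces an expiry.
 *
 * @param string Key
 * @return array array($new_email, $user_id, time())
 */
public static function validateKey($key)
{
    $invalid = __('The validation key is not valid. Please copy/paste it from your confirmation email.');
    if (!is_string($key)) {
        throw new Pluf_Form_Invalid($invalid);
    }
    $hash = substr($key, 0, 2);
    $encrypted = substr($key, 2);
    $expected = substr(md5(Pluf::f('secret_key') . $encrypted), 0, 2);
    // Strict comparison: with != PHP applies numeric coercion to
    // numeric-looking strings, so values that differ byte-wise could
    // still be accepted as equal.
    if ($hash !== $expected) {
        throw new Pluf_Form_Invalid($invalid);
    }
    $cr = new Pluf_Crypt(md5(Pluf::f('secret_key')));
    $parts = explode(':', $cr->decrypt($encrypted), 3);
    // The documented result has three elements; a payload that does
    // not split into three is treated like any other invalid key.
    if (count($parts) !== 3) {
        throw new Pluf_Form_Invalid($invalid);
    }
    return $parts;
}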
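/**
 * Based on the request, it is automatically setting the user.
 *
 * Authenticated feeds have a token set at the end of the url in
 * the form of 'authenticated/url/token/234092384023woeiur/'. If
 * you remove 'token/234092384023woeiur/' the url is not
 * authenticated.
 *
 * If the user is already logged in and not anonymous and no token
 * is given, then the user is unset and a non authenticated user
 * is loaded. This is to avoid people to not understand why a
 * normally not authenticated feed is providing authenticated
 * data.
 *
 * The token is a 2-character check prefix followed by an encrypted
 * 'userid:projectid' payload. Every failure path leaves the request
 * with the anonymous user set at the top of the method.
 *
 * NOTE(review): the check prefix has only 256 possible values, so it
 * is not a forgery barrier on its own; what is accepted then depends
 * on the decrypted payload naming the current project and an active
 * user. The payload carries no timestamp and nothing here checks an
 * expiry or revocation, and the token travels in the URL, so it can
 * end up in access logs and Referer headers. Strengthening the token
 * format requires changing the generator, which is not visible here.
 *
 * @param object Request; reads ->project, ->user and ->query
 * @return bool Always true
 */
public static function feedSetUser($request)
{
    if (!isset($request->project)) {
        // we do not act on non project pages at the moment.
        return true;
    }
    if (!$request->user->isAnonymous()) {
        // by default anonymous
        $request->user = new Pluf_User();
        IDF_Middleware::setRights($request);
    }
    $match = array();
    if (!preg_match('#/token/([^/]+)/$#', $request->query, $match)) {
        return true; // anonymous
    }
    $token = $match[1];
    $hash = substr($token, 0, 2);
    $encrypted = substr($token, 2);
    $expected = substr(md5(Pluf::f('secret_key') . $encrypted), 0, 2);
    // Strict comparison: with != PHP applies numeric coercion to
    // numeric-looking strings, so values that differ byte-wise could
    // still be accepted as equal.
    if ($hash !== $expected) {
        return true; // no match in the hash, anonymous
    }
    $cr = new Pluf_Crypt(md5(Pluf::f('secret_key')));
    $parts = explode(':', $cr->decrypt($encrypted), 2);
    if (count($parts) !== 2) {
        return true; // payload is not 'userid:projectid', anonymous
    }
    list($userid, $projectid) = $parts;
    // Compare as strings so a payload that is only numerically
    // similar to the project id is not accepted.
    if ((string) $projectid !== (string) $request->project->id) {
        return true; // anonymous
    }
    // NOTE(review): $userid is passed on exactly as decrypted; confirm
    // that Pluf_User handles a non-numeric or unknown id safely.
    $user = new Pluf_User($userid);
    if (!$user->active) {
        return true; // anonymous
    }
    $request->user = $user;
    IDF_Middleware::setRights($request);
    return true;
}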