function testSignValidate()
{
$cases = array();
$cases[] = array('signParams' => array('a' => 'eh', 'b' => 'bee', 'c' => NULL), 'validateParams' => array('a' => 'eh', 'b' => 'bee', 'c' => NULL), 'isValid' => TRUE);
$cases[] = array('signParams' => array('a' => 'eh', 'b' => 'bee', 'c' => NULL), 'validateParams' => array('a' => 'eh', 'b' => 'bee', 'c' => NULL, 'irrelevant' => 'totally-irrelevant'), 'isValid' => TRUE);
$cases[] = array('signParams' => array('a' => 'eh', 'b' => 'bee', 'c' => NULL), 'validateParams' => array('a' => 'eh', 'b' => 'bee', 'c' => ''), 'isValid' => TRUE);
$cases[] = array('signParams' => array('a' => 'eh', 'b' => 'bee', 'c' => NULL), 'validateParams' => array('a' => 'eh', 'b' => 'bee', 'c' => 0), 'isValid' => FALSE);
$cases[] = array('signParams' => array('a' => 'eh', 'b' => 'bee', 'c' => 0), 'validateParams' => array('a' => 'eh', 'b' => 'bee', 'c' => NULL), 'isValid' => FALSE);
$cases[] = array('signParams' => array('a' => 'eh', 'b' => 'bee', 'c' => NULL), 'validateParams' => array('a' => 'eh', 'b' => 'bay', 'c' => NULL), 'isValid' => FALSE);
$cases[] = array('signParams' => array('a' => 'eh', 'b' => 'bee', 'c' => NULL), 'validateParams' => array('a' => 'eh', 'b' => 'bee', 'c' => FALSE), 'isValid' => FALSE);
$cases[] = array('signParams' => array('a' => 1, 'b' => 'bee'), 'validateParams' => array('a' => '1', 'b' => 'bee'), 'isValid' => TRUE);
foreach ($cases as $caseId => $case) {
require_once 'CRM/Utils/Signer.php';
$signer = new CRM_Utils_Signer('secret', array('a', 'b', 'c'));
$signature = $signer->sign($case['signParams']);
$this->assertTrue(!empty($signature) && is_string($signature));
// arbitrary
$validator = new CRM_Utils_Signer('secret', array('a', 'b', 'c'));
// same as $signer but physically separate
$isValid = $validator->validate($signature, $case['validateParams']);
if ($isValid !== $case['isValid']) {
$this->fail("Case {$caseId}: Mismatch: " . var_export($case, TRUE));
}
$this->assertTrue(TRUE, 'Validation yielded expected result');
}
}
/**
* Generate a secure signature
*
* {code}
* {crmSigner var=mySig extra=123}
* var urlParams = ts={$mySig.ts}&extra={$mySig.extra}&sig={$mySig.signature}
* {endcode}
*
* @param $params array with keys:
* - var: string, a smarty variable to generate
* - ts: int, the current time (if omitted, autogenerated)
* - any other vars are put into the signature (sorted)
*/
function smarty_function_crmSigner($params, &$smarty)
{
$var = $params['var'];
unset($params['var']);
$params['ts'] = CRM_Utils_Time::getTimeRaw();
$fields = array_keys($params);
sort($fields);
$signer = new CRM_Utils_Signer(CRM_Core_Key::privateKey(), $fields);
$params['signature'] = $signer->sign($params);
$smarty->assign($var, $params);
}
/**
* check the CMS username.
*/
public static function checkUserName()
{
$signer = new CRM_Utils_Signer(CRM_Core_Key::privateKey(), array('for', 'ts'));
$sig = CRM_Utils_Request::retrieve('sig', 'String', CRM_Core_DAO::$_nullObject);
$for = CRM_Utils_Request::retrieve('for', 'String', CRM_Core_DAO::$_nullObject);
if (CRM_Utils_Time::getTimeRaw() > $_REQUEST['ts'] + self::CHECK_USERNAME_TTL || $for != 'civicrm/ajax/cmsuser' || !$signer->validate($sig, $_REQUEST)) {
$user = array('name' => 'error');
CRM_Utils_JSON::output($user);
}
$config = CRM_Core_Config::singleton();
$username = trim(CRM_Utils_Array::value('cms_name', $_REQUEST));
$params = array('name' => $username);
$errors = array();
$config->userSystem->checkUserNameEmailExists($params, $errors);
if (isset($errors['cms_name']) || isset($errors['name'])) {
//user name is not available
$user = array('name' => 'no');
CRM_Utils_JSON::output($user);
} else {
//user name is available
$user = array('name' => 'yes');
CRM_Utils_JSON::output($user);
}
// Not reachable: JSON::output() above exits.
CRM_Utils_System::civiExit();
}
/**
* @param string $token
* A token supplied by the user.
* @return bool
* TRUE if the token is valid for submitting attachments
* @throws Exception
*/
public static function checkToken($token)
{
list($signature, $ts) = explode(';;;', $token);
$signer = new CRM_Utils_Signer(CRM_Core_Key::privateKey(), array('for', 'ts'));
if (!is_numeric($ts) || CRM_Utils_Time::getTimeRaw() > $ts + self::ATTACHMENT_TOKEN_TTL) {
return FALSE;
}
return $signer->validate($signature, array('for' => 'crmAttachment', 'ts' => $ts));
}
/**
* function to delete a file attachment from an entity table / entity ID
*
* @static
* @access public
*/
static function deleteAttachment()
{
$params = array();
$params['entityTable'] = CRM_Utils_Request::retrieve('entityTable', 'String', CRM_Core_DAO::$_nullObject, TRUE);
$params['entityID'] = CRM_Utils_Request::retrieve('entityID', 'Positive', CRM_Core_DAO::$_nullObject, TRUE);
$params['fileID'] = CRM_Utils_Request::retrieve('fileID', 'Positive', CRM_Core_DAO::$_nullObject, TRUE);
$signature = CRM_Utils_Request::retrieve('_sgn', 'String', CRM_Core_DAO::$_nullObject, TRUE);
$signer = new CRM_Utils_Signer(CRM_Core_Key::privateKey(), self::$_signableFields);
if (!$signer->validate($signature, $params)) {
CRM_Core_Error::fatal('Request signature is invalid');
}
CRM_Core_BAO_File::deleteEntityFile($params['entityTable'], $params['entityID'], NULL, $params['fileID']);
}
public static function fixOrder()
{
$signature = CRM_Utils_Request::retrieve('_sgn', 'String', CRM_Core_DAO::$_nullObject);
$signer = new CRM_Utils_Signer(CRM_Core_Key::privateKey(), self::$SIGNABLE_FIELDS);
// Validate $_GET values b/c subsequent code reads $_GET (via CRM_Utils_Request::retrieve)
if (!$signer->validate($signature, $_GET)) {
CRM_Core_Error::fatal('Request signature is invalid');
}
// Note: Ensure this list matches self::$SIGNABLE_FIELDS
$daoName = CRM_Utils_Request::retrieve('dao', 'String', CRM_Core_DAO::$_nullObject);
$id = CRM_Utils_Request::retrieve('id', 'Integer', CRM_Core_DAO::$_nullObject);
$idName = CRM_Utils_Request::retrieve('idName', 'String', CRM_Core_DAO::$_nullObject);
$url = CRM_Utils_Request::retrieve('url', 'String', CRM_Core_DAO::$_nullObject);
$filter = CRM_Utils_Request::retrieve('filter', 'String', CRM_Core_DAO::$_nullObject);
$src = CRM_Utils_Request::retrieve('src', 'Integer', CRM_Core_DAO::$_nullObject);
$dst = CRM_Utils_Request::retrieve('dst', 'Integer', CRM_Core_DAO::$_nullObject);
$dir = CRM_Utils_Request::retrieve('dir', 'String', CRM_Core_DAO::$_nullObject);
$object = new $daoName();
$srcWeight = CRM_Core_DAO::getFieldValue($daoName, $src, 'weight', $idName);
$dstWeight = CRM_Core_DAO::getFieldValue($daoName, $dst, 'weight', $idName);
if ($srcWeight == $dstWeight) {
self::fixOrderOutput($url);
}
$tableName = $object->tableName();
$query = "UPDATE {$tableName} SET weight = %1 WHERE {$idName} = %2";
$params = array(1 => array($dstWeight, 'Integer'), 2 => array($src, 'Integer'));
CRM_Core_DAO::executeQuery($query, $params);
if ($dir == 'swap') {
$params = array(1 => array($srcWeight, 'Integer'), 2 => array($dst, 'Integer'));
CRM_Core_DAO::executeQuery($query, $params);
} elseif ($dir == 'first') {
// increment the rest by one
$query = "UPDATE {$tableName} SET weight = weight + 1 WHERE {$idName} != %1 AND weight < %2";
if ($filter) {
$query .= " AND {$filter}";
}
$params = array(1 => array($src, 'Integer'), 2 => array($srcWeight, 'Integer'));
CRM_Core_DAO::executeQuery($query, $params);
} elseif ($dir == 'last') {
// increment the rest by one
$query = "UPDATE {$tableName} SET weight = weight - 1 WHERE {$idName} != %1 AND weight > %2";
if ($filter) {
$query .= " AND {$filter}";
}
$params = array(1 => array($src, 'Integer'), 2 => array($srcWeight, 'Integer'));
CRM_Core_DAO::executeQuery($query, $params);
}
self::fixOrderOutput($url);
}
/**
*Function to check the CMS username
*
*/
public static function checkUserName()
{
$signer = new CRM_Utils_Signer(CRM_Core_Key::privateKey(), array('for', 'ts'));
if (CRM_Utils_Time::getTimeRaw() > $_REQUEST['ts'] + self::CHECK_USERNAME_TTL || $_REQUEST['for'] != 'civicrm/ajax/cmsuser' || !$signer->validate($_REQUEST['sig'], $_REQUEST)) {
$user = array('name' => 'error');
echo json_encode($user);
CRM_Utils_System::civiExit();
}
$config = CRM_Core_Config::singleton();
$username = trim($_REQUEST['cms_name']);
$params = array('name' => $username);
$errors = array();
$config->userSystem->checkUserNameEmailExists($params, $errors);
if (isset($errors['cms_name']) || isset($errors['name'])) {
//user name is not availble
$user = array('name' => 'no');
echo json_encode($user);
} else {
//user name is available
$user = array('name' => 'yes');
echo json_encode($user);
}
CRM_Utils_System::civiExit();
}
/**
* This function for building custom fields
*
* @param object $qf form object (reference)
* @param string $elementName name of the custom field
* @param boolean $inactiveNeeded
* @param boolean $userRequired true if required else false
* @param boolean $search true if used for search else false
* @param string $label label for custom field
*
* @access public
* @static
*/
public static function addQuickFormElement(&$qf, $elementName, $fieldId, $inactiveNeeded = FALSE, $useRequired = TRUE, $search = FALSE, $label = NULL)
{
// we use $_POST directly, since we dont want to use session memory, CRM-4677
if (isset($_POST['_qf_Relationship_refresh']) && ($_POST['_qf_Relationship_refresh'] == 'Search' || $_POST['_qf_Relationship_refresh'] == 'Search Again')) {
$useRequired = FALSE;
}
$field = self::getFieldObject($fieldId);
// Custom field HTML should indicate group+field name
$groupName = CRM_Core_DAO::getFieldValue('CRM_Core_DAO_CustomGroup', $field->custom_group_id);
$dataCrmCustomVal = $groupName . ':' . $field->name;
$dataCrmCustomAttr = 'data-crm-custom="' . $dataCrmCustomVal . '"';
$field->attributes .= $dataCrmCustomAttr;
// Fixed for Issue CRM-2183
if ($field->html_type == 'TextArea' && $search) {
$field->html_type = 'Text';
}
if (!isset($label)) {
$label = $field->label;
}
/**
* at some point in time we might want to split the below into small functions
**/
switch ($field->html_type) {
case 'Text':
if ($field->is_search_range && $search) {
$qf->add('text', $elementName . '_from', $label . ' ' . ts('From'), $field->attributes);
$qf->add('text', $elementName . '_to', ts('To'), $field->attributes);
} else {
$element =& $qf->add(strtolower($field->html_type), $elementName, $label, $field->attributes, $useRequired && !$search);
}
break;
case 'TextArea':
$attributes = $dataCrmCustomAttr;
if ($field->note_rows) {
$attributes .= 'rows=' . $field->note_rows;
} else {
$attributes .= 'rows=4';
}
if ($field->note_columns) {
$attributes .= ' cols=' . $field->note_columns;
} else {
$attributes .= ' cols=60';
}
if ($field->text_length) {
$attributes .= ' maxlength=' . $field->text_length;
}
$element =& $qf->add(strtolower($field->html_type), $elementName, $label, $attributes, $useRequired && !$search);
break;
case 'Select Date':
if ($field->is_search_range && $search) {
$qf->addDate($elementName . '_from', $label . ' - ' . ts('From'), FALSE, array('format' => $field->date_format, 'timeFormat' => $field->time_format, 'startOffset' => $field->start_date_years, 'endOffset' => $field->end_date_years, 'data-crm-custom' => $dataCrmCustomVal));
$qf->addDate($elementName . '_to', ts('To'), FALSE, array('format' => $field->date_format, 'timeFormat' => $field->time_format, 'startOffset' => $field->start_date_years, 'endOffset' => $field->end_date_years, 'data-crm-custom' => $dataCrmCustomVal));
} else {
$required = $useRequired && !$search;
$qf->addDate($elementName, $label, $required, array('format' => $field->date_format, 'timeFormat' => $field->time_format, 'startOffset' => $field->start_date_years, 'endOffset' => $field->end_date_years, 'data-crm-custom' => $dataCrmCustomVal));
}
break;
case 'Radio':
$choice = array();
if ($field->data_type != 'Boolean') {
$customOption =& CRM_Core_BAO_CustomOption::valuesByID($field->id, $field->option_group_id);
foreach ($customOption as $v => $l) {
$choice[] = $qf->createElement('radio', NULL, '', $l, (string) $v, $field->attributes);
}
$qf->addGroup($choice, $elementName, $label);
} else {
$choice[] = $qf->createElement('radio', NULL, '', ts('Yes'), '1', $field->attributes);
$choice[] = $qf->createElement('radio', NULL, '', ts('No'), '0', $field->attributes);
$qf->addGroup($choice, $elementName, $label);
}
if ($useRequired && !$search) {
$qf->addRule($elementName, ts('%1 is a required field.', array(1 => $label)), 'required');
}
break;
case 'Select':
$selectOption =& CRM_Core_BAO_CustomOption::valuesByID($field->id, $field->option_group_id);
$qf->add('select', $elementName, $label, array('' => ts('- select -')) + $selectOption, $useRequired && !$search, $dataCrmCustomAttr);
break;
//added for select multiple
//added for select multiple
case 'AdvMulti-Select':
$selectOption =& CRM_Core_BAO_CustomOption::valuesByID($field->id, $field->option_group_id);
if ($search && count($selectOption) > 1) {
$selectOption['CiviCRM_OP_OR'] = ts('Select to match ANY; unselect to match ALL');
}
$include =& $qf->addElement('advmultiselect', $elementName, $label, $selectOption, array('size' => 5, 'style' => '', 'class' => 'advmultiselect', 'data-crm-custom' => $dataCrmCustomVal));
$include->setButtonAttributes('add', array('value' => ts('Add >>')));
$include->setButtonAttributes('remove', array('value' => ts('<< Remove')));
if ($useRequired && !$search) {
$qf->addRule($elementName, ts('%1 is a required field.', array(1 => $label)), 'required');
}
break;
case 'Multi-Select':
$selectOption =& CRM_Core_BAO_CustomOption::valuesByID($field->id, $field->option_group_id);
if ($search && count($selectOption) > 1) {
$selectOption['CiviCRM_OP_OR'] = ts('Select to match ANY; unselect to match ALL');
}
$qf->addElement('select', $elementName, $label, $selectOption, array('size' => '5', 'multiple', 'data-crm-custom' => $dataCrmCustomVal));
if ($useRequired && !$search) {
$qf->addRule($elementName, ts('%1 is a required field.', array(1 => $label)), 'required');
}
break;
case 'CheckBox':
$customOption = CRM_Core_BAO_CustomOption::valuesByID($field->id, $field->option_group_id);
$check = array();
foreach ($customOption as $v => $l) {
$check[] =& $qf->addElement('advcheckbox', $v, NULL, $l, array('data-crm-custom' => $dataCrmCustomVal));
}
if ($search && count($check) > 1) {
$check[] =& $qf->addElement('advcheckbox', 'CiviCRM_OP_OR', NULL, ts('Check to match ANY; uncheck to match ALL'), array('data-crm-custom' => $dataCrmCustomVal));
}
$qf->addGroup($check, $elementName, $label);
if ($useRequired && !$search) {
$qf->addRule($elementName, ts('%1 is a required field.', array(1 => $label)), 'required');
}
break;
case 'File':
// we should not build upload file in search mode
if ($search) {
return;
}
$qf->add(strtolower($field->html_type), $elementName, $label, $field->attributes, $useRequired && !$search);
$qf->addUploadElement($elementName);
break;
case 'Select State/Province':
//Add State
$stateOption = array('' => ts('- select -')) + CRM_Core_PseudoConstant::stateProvince();
$qf->add('select', $elementName, $label, $stateOption, $useRequired && !$search, $dataCrmCustomAttr);
break;
case 'Multi-Select State/Province':
//Add Multi-select State/Province
$stateOption = CRM_Core_PseudoConstant::stateProvince();
$qf->addElement('select', $elementName, $label, $stateOption, array('size' => '5', 'multiple', 'data-crm-custom' => $dataCrmCustomVal));
if ($useRequired && !$search) {
$qf->addRule($elementName, ts('%1 is a required field.', array(1 => $label)), 'required');
}
break;
case 'Select Country':
//Add Country
$countryOption = array('' => ts('- select -')) + CRM_Core_PseudoConstant::country();
$qf->add('select', $elementName, $label, $countryOption, $useRequired && !$search, $dataCrmCustomAttr);
break;
case 'Multi-Select Country':
//Add Country
$countryOption = CRM_Core_PseudoConstant::country();
$qf->addElement('select', $elementName, $label, $countryOption, array('size' => '5', 'multiple', 'data-crm-custom' => $dataCrmCustomVal));
if ($useRequired && !$search) {
$qf->addRule($elementName, ts('%1 is a required field.', array(1 => $label)), 'required');
}
break;
case 'RichTextEditor':
$attributes = array('rows' => $field->note_rows, 'cols' => $field->note_columns, 'data-crm-custom' => $dataCrmCustomVal);
if ($field->text_length) {
$attributes['maxlength'] = $field->text_length;
}
$qf->addWysiwyg($elementName, $label, $attributes, $search);
break;
case 'Autocomplete-Select':
$qf->add('text', $elementName, $label, $field->attributes, $useRequired && !$search);
$hiddenEleName = $elementName . '_id';
if (substr($elementName, -1) == ']') {
$hiddenEleName = substr($elementName, 0, -1) . '_id]';
}
$qf->addElement('hidden', $hiddenEleName, '', array('id' => str_replace(array(']', '['), array('', '_'), $hiddenEleName)));
static $customUrls = array();
if ($field->data_type == 'ContactReference') {
//$urlParams = "className=CRM_Contact_Page_AJAX&fnName=getContactList&json=1&reset=1&context=customfield&id={$field->id}";
$urlParams = "context=customfield&id={$field->id}";
$customUrls[$elementName] = CRM_Utils_System::url('civicrm/ajax/contactref', $urlParams, FALSE, NULL, FALSE);
$actualElementValue = $qf->getSubmitValue($hiddenEleName);
$qf->addRule($elementName, ts('Select a valid contact for %1.', array(1 => $label)), 'validContact', $actualElementValue);
} else {
$signer = new CRM_Utils_Signer(CRM_Core_Key::privateKey(), array('cfid', 'ogid', 'sigts'));
$signParams = array('reset' => 1, 'sigts' => CRM_Utils_Time::getTimeRaw(), 'ogid' => $field->option_group_id, 'cfid' => $field->id);
$signParams['sig'] = $signer->sign($signParams);
$customUrls[$elementName] = CRM_Utils_System::url('civicrm/ajax/auto', $signParams, FALSE, NULL, FALSE);
$qf->addRule($elementName, ts('Select a valid value for %1.', array(1 => $label)), 'autocomplete', array('fieldID' => $field->id, 'optionGroupID' => $field->option_group_id));
}
$qf->assign('customUrls', $customUrls);
break;
}
switch ($field->data_type) {
case 'Int':
// integers will have numeric rule applied to them.
if ($field->is_search_range && $search) {
$qf->addRule($elementName . '_from', ts('%1 From must be an integer (whole number).', array(1 => $label)), 'integer');
$qf->addRule($elementName . '_to', ts('%1 To must be an integer (whole number).', array(1 => $label)), 'integer');
} else {
$qf->addRule($elementName, ts('%1 must be an integer (whole number).', array(1 => $label)), 'integer');
}
break;
case 'Float':
if ($field->is_search_range && $search) {
$qf->addRule($elementName . '_from', ts('%1 From must be a number (with or without decimal point).', array(1 => $label)), 'numeric');
$qf->addRule($elementName . '_to', ts('%1 To must be a number (with or without decimal point).', array(1 => $label)), 'numeric');
} else {
$qf->addRule($elementName, ts('%1 must be a number (with or without decimal point).', array(1 => $label)), 'numeric');
}
break;
case 'Money':
if ($field->is_search_range && $search) {
$qf->addRule($elementName . '_from', ts('%1 From must in proper money format. (decimal point/comma/space is allowed).', array(1 => $label)), 'money');
$qf->addRule($elementName . '_to', ts('%1 To must in proper money format. (decimal point/comma/space is allowed).', array(1 => $label)), 'money');
} else {
$qf->addRule($elementName, ts('%1 must be in proper money format. (decimal point/comma/space is allowed).', array(1 => $label)), 'money');
}
break;
case 'Link':
$qf->add('text', $elementName, $label, array('onfocus' => "if (!this.value) { this.value='http://';} else return false", 'onblur' => "if ( this.value == 'http://') { this.value='';} else return false", 'data-crm-custom' => $dataCrmCustomVal), $useRequired && !$search);
$qf->addRule($elementName, ts('Enter a valid Website.'), 'wikiURL');
break;
}
if ($field->is_view && !$search) {
$qf->freeze($elementName);
}
}
