function testSignValidate()
{
$cases = array();
$cases[] = array('signParams' => array('a' => 'eh', 'b' => 'bee', 'c' => NULL), 'validateParams' => array('a' => 'eh', 'b' => 'bee', 'c' => NULL), 'isValid' => TRUE);
$cases[] = array('signParams' => array('a' => 'eh', 'b' => 'bee', 'c' => NULL), 'validateParams' => array('a' => 'eh', 'b' => 'bee', 'c' => NULL, 'irrelevant' => 'totally-irrelevant'), 'isValid' => TRUE);
$cases[] = array('signParams' => array('a' => 'eh', 'b' => 'bee', 'c' => NULL), 'validateParams' => array('a' => 'eh', 'b' => 'bee', 'c' => ''), 'isValid' => TRUE);
$cases[] = array('signParams' => array('a' => 'eh', 'b' => 'bee', 'c' => NULL), 'validateParams' => array('a' => 'eh', 'b' => 'bee', 'c' => 0), 'isValid' => FALSE);
$cases[] = array('signParams' => array('a' => 'eh', 'b' => 'bee', 'c' => 0), 'validateParams' => array('a' => 'eh', 'b' => 'bee', 'c' => NULL), 'isValid' => FALSE);
$cases[] = array('signParams' => array('a' => 'eh', 'b' => 'bee', 'c' => NULL), 'validateParams' => array('a' => 'eh', 'b' => 'bay', 'c' => NULL), 'isValid' => FALSE);
$cases[] = array('signParams' => array('a' => 'eh', 'b' => 'bee', 'c' => NULL), 'validateParams' => array('a' => 'eh', 'b' => 'bee', 'c' => FALSE), 'isValid' => FALSE);
$cases[] = array('signParams' => array('a' => 1, 'b' => 'bee'), 'validateParams' => array('a' => '1', 'b' => 'bee'), 'isValid' => TRUE);
foreach ($cases as $caseId => $case) {
require_once 'CRM/Utils/Signer.php';
$signer = new CRM_Utils_Signer('secret', array('a', 'b', 'c'));
$signature = $signer->sign($case['signParams']);
$this->assertTrue(!empty($signature) && is_string($signature));
// arbitrary
$validator = new CRM_Utils_Signer('secret', array('a', 'b', 'c'));
// same as $signer but physically separate
$isValid = $validator->validate($signature, $case['validateParams']);
if ($isValid !== $case['isValid']) {
$this->fail("Case {$caseId}: Mismatch: " . var_export($case, TRUE));
}
$this->assertTrue(TRUE, 'Validation yielded expected result');
}
}
/**
* check the CMS username.
*/
public static function checkUserName()
{
$signer = new CRM_Utils_Signer(CRM_Core_Key::privateKey(), array('for', 'ts'));
$sig = CRM_Utils_Request::retrieve('sig', 'String', CRM_Core_DAO::$_nullObject);
$for = CRM_Utils_Request::retrieve('for', 'String', CRM_Core_DAO::$_nullObject);
if (CRM_Utils_Time::getTimeRaw() > $_REQUEST['ts'] + self::CHECK_USERNAME_TTL || $for != 'civicrm/ajax/cmsuser' || !$signer->validate($sig, $_REQUEST)) {
$user = array('name' => 'error');
CRM_Utils_JSON::output($user);
}
$config = CRM_Core_Config::singleton();
$username = trim(CRM_Utils_Array::value('cms_name', $_REQUEST));
$params = array('name' => $username);
$errors = array();
$config->userSystem->checkUserNameEmailExists($params, $errors);
if (isset($errors['cms_name']) || isset($errors['name'])) {
//user name is not available
$user = array('name' => 'no');
CRM_Utils_JSON::output($user);
} else {
//user name is available
$user = array('name' => 'yes');
CRM_Utils_JSON::output($user);
}
// Not reachable: JSON::output() above exits.
CRM_Utils_System::civiExit();
}
/**
* @param string $token
* A token supplied by the user.
* @return bool
* TRUE if the token is valid for submitting attachments
* @throws Exception
*/
public static function checkToken($token)
{
list($signature, $ts) = explode(';;;', $token);
$signer = new CRM_Utils_Signer(CRM_Core_Key::privateKey(), array('for', 'ts'));
if (!is_numeric($ts) || CRM_Utils_Time::getTimeRaw() > $ts + self::ATTACHMENT_TOKEN_TTL) {
return FALSE;
}
return $signer->validate($signature, array('for' => 'crmAttachment', 'ts' => $ts));
}
/**
* function to delete a file attachment from an entity table / entity ID
*
* @static
* @access public
*/
static function deleteAttachment()
{
$params = array();
$params['entityTable'] = CRM_Utils_Request::retrieve('entityTable', 'String', CRM_Core_DAO::$_nullObject, TRUE);
$params['entityID'] = CRM_Utils_Request::retrieve('entityID', 'Positive', CRM_Core_DAO::$_nullObject, TRUE);
$params['fileID'] = CRM_Utils_Request::retrieve('fileID', 'Positive', CRM_Core_DAO::$_nullObject, TRUE);
$signature = CRM_Utils_Request::retrieve('_sgn', 'String', CRM_Core_DAO::$_nullObject, TRUE);
$signer = new CRM_Utils_Signer(CRM_Core_Key::privateKey(), self::$_signableFields);
if (!$signer->validate($signature, $params)) {
CRM_Core_Error::fatal('Request signature is invalid');
}
CRM_Core_BAO_File::deleteEntityFile($params['entityTable'], $params['entityID'], NULL, $params['fileID']);
}
public static function fixOrder()
{
$signature = CRM_Utils_Request::retrieve('_sgn', 'String', CRM_Core_DAO::$_nullObject);
$signer = new CRM_Utils_Signer(CRM_Core_Key::privateKey(), self::$SIGNABLE_FIELDS);
// Validate $_GET values b/c subsequent code reads $_GET (via CRM_Utils_Request::retrieve)
if (!$signer->validate($signature, $_GET)) {
CRM_Core_Error::fatal('Request signature is invalid');
}
// Note: Ensure this list matches self::$SIGNABLE_FIELDS
$daoName = CRM_Utils_Request::retrieve('dao', 'String', CRM_Core_DAO::$_nullObject);
$id = CRM_Utils_Request::retrieve('id', 'Integer', CRM_Core_DAO::$_nullObject);
$idName = CRM_Utils_Request::retrieve('idName', 'String', CRM_Core_DAO::$_nullObject);
$url = CRM_Utils_Request::retrieve('url', 'String', CRM_Core_DAO::$_nullObject);
$filter = CRM_Utils_Request::retrieve('filter', 'String', CRM_Core_DAO::$_nullObject);
$src = CRM_Utils_Request::retrieve('src', 'Integer', CRM_Core_DAO::$_nullObject);
$dst = CRM_Utils_Request::retrieve('dst', 'Integer', CRM_Core_DAO::$_nullObject);
$dir = CRM_Utils_Request::retrieve('dir', 'String', CRM_Core_DAO::$_nullObject);
$object = new $daoName();
$srcWeight = CRM_Core_DAO::getFieldValue($daoName, $src, 'weight', $idName);
$dstWeight = CRM_Core_DAO::getFieldValue($daoName, $dst, 'weight', $idName);
if ($srcWeight == $dstWeight) {
self::fixOrderOutput($url);
}
$tableName = $object->tableName();
$query = "UPDATE {$tableName} SET weight = %1 WHERE {$idName} = %2";
$params = array(1 => array($dstWeight, 'Integer'), 2 => array($src, 'Integer'));
CRM_Core_DAO::executeQuery($query, $params);
if ($dir == 'swap') {
$params = array(1 => array($srcWeight, 'Integer'), 2 => array($dst, 'Integer'));
CRM_Core_DAO::executeQuery($query, $params);
} elseif ($dir == 'first') {
// increment the rest by one
$query = "UPDATE {$tableName} SET weight = weight + 1 WHERE {$idName} != %1 AND weight < %2";
if ($filter) {
$query .= " AND {$filter}";
}
$params = array(1 => array($src, 'Integer'), 2 => array($srcWeight, 'Integer'));
CRM_Core_DAO::executeQuery($query, $params);
} elseif ($dir == 'last') {
// increment the rest by one
$query = "UPDATE {$tableName} SET weight = weight - 1 WHERE {$idName} != %1 AND weight > %2";
if ($filter) {
$query .= " AND {$filter}";
}
$params = array(1 => array($src, 'Integer'), 2 => array($srcWeight, 'Integer'));
CRM_Core_DAO::executeQuery($query, $params);
}
self::fixOrderOutput($url);
}
/**
*Function to check the CMS username
*
*/
public static function checkUserName()
{
$signer = new CRM_Utils_Signer(CRM_Core_Key::privateKey(), array('for', 'ts'));
if (CRM_Utils_Time::getTimeRaw() > $_REQUEST['ts'] + self::CHECK_USERNAME_TTL || $_REQUEST['for'] != 'civicrm/ajax/cmsuser' || !$signer->validate($_REQUEST['sig'], $_REQUEST)) {
$user = array('name' => 'error');
echo json_encode($user);
CRM_Utils_System::civiExit();
}
$config = CRM_Core_Config::singleton();
$username = trim($_REQUEST['cms_name']);
$params = array('name' => $username);
$errors = array();
$config->userSystem->checkUserNameEmailExists($params, $errors);
if (isset($errors['cms_name']) || isset($errors['name'])) {
//user name is not availble
$user = array('name' => 'no');
echo json_encode($user);
} else {
//user name is available
$user = array('name' => 'yes');
echo json_encode($user);
}
CRM_Utils_System::civiExit();
}
