/**
 * Delete PersonAppData.
 *
 * @param mixed         $userId  user whose app data is to be deleted
 * @param GroupId       $groupId group of the user; only the 'self' group type is supported
 * @param mixed         $appId   app the data belongs to (unused: the app id is always taken
 *                               from the security token, so a caller cannot target another app)
 * @param array|null    $fields  app data keys to delete; null or a leading '*' deletes every key
 * @param SecurityToken $token   security token for validation
 * @return null
 * @throws SocialSpiException BAD_REQUEST for malformed keys, NOT_IMPLEMENTED for other group
 *                            types, INTERNAL_ERROR when the fetcher reports a failure
 */
public function deletePersonData($userId, GroupId $groupId, $appId, $fields, SecurityToken $token) {
    // A missing field list, or a wildcard first entry, means "delete everything".
    $deleteAll = ($fields == null || $fields[0] == '*');
    if ($deleteAll) {
        if (!ShindigIntegratorDbFetcher::get()->deleteAppData($userId, "*", $token->getAppId())) {
            throw new SocialSpiException("Internal server error", ResponseError::$INTERNAL_ERROR);
        }
        return null;
    }

    // Validate every key before deleting anything, so a bad request leaves no partial state.
    foreach ($fields as $fieldKey) {
        if (!ShindigIntegratorAppDataService::isValidKey($fieldKey)) {
            throw new SocialSpiException("The person app data key had invalid characters", ResponseError::$BAD_REQUEST);
        }
    }

    // Loose comparison kept to match the original switch semantics.
    if ($groupId->getType() != 'self') {
        throw new SocialSpiException("Not Implemented", ResponseError::$NOT_IMPLEMENTED);
    }

    foreach ($fields as $fieldKey) {
        if (!ShindigIntegratorDbFetcher::get()->deleteAppData($userId, $fieldKey, $token->getAppId())) {
            throw new SocialSpiException("Internal server error", ResponseError::$INTERNAL_ERROR);
        }
    }
    return null;
}
/**
 * Resolve the application id for a request.
 *
 * The special value '@app' refers to the application the security token was
 * issued for; any other value is returned unchanged.
 *
 * @param mixed         $appId requested app id, or '@app'
 * @param SecurityToken $token token whose app id is substituted for '@app'
 * @return mixed
 */
public static function getAppId($appId, SecurityToken $token) {
    // Loose comparison kept from the original; note that on PHP < 8 an
    // integer 0 also compares equal to '@app'.
    $isTokenApp = ($appId == '@app');
    return $isTokenApp ? $token->getAppId() : $appId;
}
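/**
 * Create a message on behalf of a user.
 *
 * The message is always stored against the app id carried by the security
 * token; the $appId parameter is part of the SPI signature but is not used,
 * so a caller cannot post into another app. $optionalMessageId is unused too.
 *
 * @param mixed         $userId            user sending the message
 * @param mixed         $appId             unused, see above
 * @param mixed         $message           message to create
 * @param mixed         $optionalMessageId unused
 * @param SecurityToken $token             validated security token
 * @return void
 * @throws SocialSpiException on any failure; other exceptions are wrapped as INTERNAL_ERROR
 */
public function createMessage($userId, $appId, $message, $optionalMessageId, SecurityToken $token) {
    try {
        // The fetcher's return value is deliberately discarded: this SPI
        // method has no result (the original stored it in an unused local).
        ATutorDbFetcher::get()->createMessage($userId, $token->getAppId(), $message);
    } catch (SocialSpiException $e) {
        // Re-throw unwrapped so the response code it already carries is kept
        // (assuming SocialSpiException extends Exception, the catch below
        // would otherwise downgrade it to INTERNAL_ERROR).
        throw $e;
    } catch (Exception $e) {
        throw new SocialSpiException("Invalid create message request: " . $e->getMessage(), ResponseError::$INTERNAL_ERROR);
    }
}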
/**
 * Build the storage key for a user's token data.
 *
 * Only the part of $userId after the last ':' is used. The key is prefixed
 * with the token's app id when it has one, otherwise with its app URL.
 *
 * @param string        $userId user id, possibly namespaced with ':'
 * @param SecurityToken $token  token supplying the app id / app url
 * @return string
 */
protected function getKey($userId, SecurityToken $token) {
    $separator = strrpos($userId, ':');
    $localId = ($separator === false) ? $userId : substr($userId, $separator + 1);

    // Truthiness check kept as in the original: an empty or "0" app id
    // falls back to the app URL.
    $appId = $token->getAppId();
    $scope = $appId ? $appId : $token->getAppUrl();

    return self::$TOKEN_PREFIX . $scope . '_' . $localId;
}
/**
 * Create an activity for a user.
 *
 * Only the token's owner may create activities, so the request is refused
 * when the owner and viewer ids differ. The activity is stored against the
 * token's app id; $groupId, $appId and $fields are part of the SPI
 * signature but unused here.
 *
 * @param object        $userId   presumably a UserId; resolved through getUserId($token)
 * @param mixed         $groupId  unused
 * @param mixed         $appId    unused
 * @param mixed         $fields   unused
 * @param mixed         $activity activity payload
 * @param SecurityToken $token    validated security token
 * @return void
 * @throws SocialSpiException UNAUTHORIZED when owner != viewer, INTERNAL_ERROR for other failures
 */
public function createActivity($userId, $groupId, $appId, $fields, $activity, SecurityToken $token) {
    try {
        $ownerIsViewer = ($token->getOwnerId() == $token->getViewerId());
        if (!$ownerIsViewer) {
            throw new SocialSpiException("unauthorized: Create activity permission denied.", ResponseError::$UNAUTHORIZED);
        }
        $resolvedUserId = $userId->getUserId($token);
        ATutorDbFetcher::get()->createActivity($resolvedUserId, $activity, $token->getAppId());
    } catch (SocialSpiException $e) {
        // Re-throw unchanged so the response code it carries is preserved.
        throw $e;
    } catch (Exception $e) {
        throw new SocialSpiException("Invalid create activity request: " . $e->getMessage(), ResponseError::$INTERNAL_ERROR);
    }
}
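/**
 * AJAX handler: look up oEmbed data for the posted URL and re-render the field.
 *
 * Requires a valid CSRF token; without one an empty string is returned. When
 * the URL resolves, a transient EmbeddedObject (ID -1, a sentinel FieldHolder
 * checks for) is built from the oEmbed data and rendered; otherwise an error
 * message is set and the field re-rendered. An empty URL clears the object.
 *
 * @param SS_HTTPRequest $request
 * @return string rendered field holder, or '' on a failed CSRF check
 */
public function update(SS_HTTPRequest $request) {
    if (!SecurityToken::inst()->checkRequest($request)) {
        return '';
    }

    // Cast so a missing POST var is '' rather than null: strlen(null) is
    // deprecated on PHP 8.1+, and the null case took the "empty" branch anyway.
    $url = (string) $request->postVar('URL');
    if (!strlen($url)) {
        $this->object = null;
        return $this->FieldHolder();
    }

    $info = Oembed::get_oembed_from_url($url);
    if (!$info || !$info->exists()) {
        // The URL is user input; it is XML-escaped before being echoed back.
        $this->message = _t('EmbeddedObjectField.ERROR', 'Could not look up provided URL: ' . Convert::raw2xml($url));
        return $this->FieldHolder();
    }

    $object = EmbeddedObject::create();
    $object->Title = $info->title;
    $object->SourceURL = $url;
    $object->Width = $info->width;
    $object->Height = $info->height;
    $object->ThumbURL = $info->thumbnail_url;
    $object->Description = $info->description ? $info->description : $info->title;
    $object->Type = $info->type;
    $object->EmbedHTML = $info->forTemplate();
    $this->object = $object;
    // needed to make sure the check in FieldHolder works out
    $object->ID = -1;
    return $this->FieldHolder();
}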
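/**
 * AJAX handler: resolve the posted URL with Embed and re-render the field.
 *
 * Requires a valid CSRF token; without one an empty string is returned. When
 * the URL resolves, a transient EmbeddedObject (ID -1, a sentinel FieldHolder
 * checks for) is populated from the Embed result and rendered; otherwise an
 * error message is set and the field re-rendered. An empty URL clears the object.
 *
 * @param SS_HTTPRequest $request
 * @return string rendered field holder, or '' on a failed CSRF check
 */
public function update(SS_HTTPRequest $request) {
    if (!SecurityToken::inst()->checkRequest($request)) {
        return '';
    }

    // Cast so a missing POST var is '' rather than null (strlen(null) is
    // deprecated on PHP 8.1+; the null case took the "empty" branch anyway).
    $url = (string) $request->postVar('URL');
    if (!strlen($url)) {
        $this->object = null;
        return $this->FieldHolder();
    }

    // The earlier Oembed::get_oembed_from_url() call was overwritten
    // immediately by this result, so it was a wasted remote lookup and is gone.
    $info = Embed\Embed::create($url);
    if (!$info) {
        // The URL is user input; it is XML-escaped before being echoed back.
        $this->message = _t('EmbeddedObjectField.ERROR', 'Could not look up provided URL: ' . Convert::raw2xml($url));
        return $this->FieldHolder();
    }

    $object = EmbeddedObject::create();
    $object->setFromEmbed($info);
    $this->object = $object;
    // needed to make sure the check in FieldHolder works out
    $object->ID = -1;
    return $this->FieldHolder();
}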
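/**
 * Authenticate the incoming web service request.
 *
 * Resolution order:
 *  1. If a token is supplied, or there is no logged-in member and public
 *     access is disabled, the token is mandatory and is resolved through
 *     $this->tokenAuthenticator.
 *  2. Otherwise, when allowSecurityId is on and a member is logged in, the
 *     request may carry the session SecurityID; if present it must match.
 *  3. No resolved user with public access disabled is rejected.
 *  4. If an hmacValidator is configured, the request signature is checked
 *     for the resolved user.
 *
 * @param SS_HTTPRequest $request
 * @return bool always true; every failure throws
 * @throws WebServiceException 403 on any authentication failure
 */
public function authenticate(SS_HTTPRequest $request) {
    $token = $this->getToken($request);
    $user = null;

    // Explicit grouping: the original relied on && binding tighter than ||.
    $anonymousAndPrivate = !Member::currentUserID() && !$this->allowPublicAccess;
    if ($anonymousAndPrivate || $token) {
        if (!$token) {
            throw new WebServiceException(403, "Missing token parameter");
        }
        $user = $this->tokenAuthenticator->authenticate($token);
        if (!$user) {
            throw new WebServiceException(403, "Invalid user token");
        }
    } elseif ($this->allowSecurityId && Member::currentUserID()) {
        // we check the SecurityID parameter for the current user
        $secParam = SecurityToken::inst()->getName();
        $securityID = $request->requestVar($secParam);
        // NOTE(review): as in the original, the parameter is only validated
        // when it is present; an absent SecurityID still falls through to the
        // current member. The comparison is strict and constant-time: the
        // original "!=" would have treated numeric-looking strings as equal.
        if ($securityID && !hash_equals((string) SecurityToken::inst()->getValue(), (string) $securityID)) {
            throw new WebServiceException(403, "Invalid security ID");
        }
        $user = Member::currentUser();
    }

    if (!$user && !$this->allowPublicAccess) {
        throw new WebServiceException(403, "Invalid request");
    }

    // now, if we have an hmacValidator in place, use it
    if ($this->hmacValidator && $user) {
        if (!$this->hmacValidator->validateHmac($user, $request)) {
            throw new WebServiceException(403, "Invalid message");
        }
    }
    return true;
}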
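/**
 * Run a batch action over the pages listed in the csvIDs request var.
 *
 * Requires an AJAX request (otherwise redirects back) and a valid CSRF token
 * (otherwise 400). A BatchAction name that is not registered via
 * batchActions() is a 404 rather than an attempt to instantiate whatever the
 * URL names. IDs are reduced to unique integers; when the record class is
 * Versioned, IDs missing from the draft stage are looked up on Live.
 *
 * @param SS_HTTPRequest $request
 * @return mixed result of the action handler's run(), or an HTTP error
 */
public function handleBatchAction($request) {
    // This method can't be called without ajax.
    if (!$request->isAjax()) {
        $this->parentController->redirectBack();
        return;
    }

    // Protect against CSRF on destructive action
    if (!SecurityToken::inst()->checkRequest($request)) {
        return $this->httpError(400);
    }

    // Only registered actions may be instantiated; the name comes from the URL
    // and must never select an arbitrary class.
    $actions = $this->batchActions();
    $actionName = $request->param('BatchAction');
    if (!isset($actions[$actionName]['class'])) {
        return $this->httpError(404);
    }
    $actionClass = $actions[$actionName]['class'];
    $actionHandler = new $actionClass();

    // Sanitise ID list: keep numeric entries only, as unique integers.
    $rawIds = preg_split('/ *, */', trim((string) $request->requestVar('csvIDs')));
    $ids = array();
    foreach ($rawIds as $rawId) {
        if (is_numeric($rawId)) {
            $ids[] = (int) $rawId;
        }
    }
    // Duplicates would make the "fewer pages than ids" check below misfire.
    $ids = array_values(array_unique($ids));

    if (!$ids) {
        return $actionHandler->run(new ArrayList());
    }

    $recordClass = $this->recordClass;
    $translatable = class_exists('Translatable') && SiteTree::has_extension('Translatable');
    if ($translatable) {
        Translatable::disable_locale_filter();
    }
    $pages = DataObject::get($recordClass)->byIDs($ids);
    if ($translatable) {
        Translatable::enable_locale_filter();
    }

    if ($recordClass::has_extension('Versioned')) {
        // If we didn't query all the pages, then find the rest on the live site
        if (!$pages || $pages->Count() < count($ids)) {
            $idsFromLive = array_fill_keys($ids, true);
            if ($pages) {
                foreach ($pages as $page) {
                    unset($idsFromLive[$page->ID]);
                }
            }
            $idsFromLive = array_keys($idsFromLive);
            $livePages = Versioned::get_by_stage($recordClass, 'Live')->byIDs($idsFromLive);
            if ($pages) {
                // Can't merge into a DataList, need to condense into an actual list first
                // (which will retrieve all records as objects, so its an expensive operation)
                $pages = new ArrayList($pages->toArray());
                $pages->merge($livePages);
            } else {
                $pages = $livePages;
            }
        }
    }
    return $actionHandler->run($pages);
}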
/**
 * Ensure we populate these fields before a save.
 *
 * Non-browser requests are skipped entirely. On the first write the record is
 * bound to the current session's security id, given a fresh random 32-char URL
 * that does not collide with an existing ShortList, and stamped with the
 * requesting User-Agent.
 *
 * @return bool|void false when the fields were not populated
 */
public function onBeforeWrite() {
    // Run other beforewrites first.
    parent::onBeforeWrite();

    if (!$this->isBrowser()) {
        return false;
    }

    // Only the very first write initialises these fields.
    if ($this->ID) {
        return;
    }

    // Ensure the session exists before querying it.
    if (!Session::request_contains_session_id()) {
        Session::start();
    }

    // Store the session security id; without one there is nothing to bind to.
    $this->SessionID = SecurityToken::getSecurityID();
    if (is_null($this->SessionID)) {
        return false;
    }

    // Draw random tokens until one is not already in use as a ShortList URL.
    $generator = new RandomGenerator();
    do {
        $candidate = substr($generator->randomToken(), 0, 32);
    } while (ShortList::get()->filter('URL', $candidate)->count() > 0);
    $this->URL = $candidate;

    $this->UserAgent = Controller::curr()->getRequest()->getHeader('User-Agent');
}
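/**
 * Reorder workflow actions or transitions from a POSTed list of IDs.
 *
 * Expects POST vars 'class' (WorkflowAction or WorkflowTransition), 'id'
 * (array of IDs in the new order) and, for transitions, 'parent' (the owning
 * action's ID, looked up within this definition only). Every ID must belong
 * to the selected collection; anything else is a 400.
 *
 * @param SS_HTTPRequest $request
 * @return SS_HTTPResponse 200 with a success message
 */
public function sort($request) {
    // Protect against CSRF on a state-changing action. httpError() throws in
    // SilverStripe; the return is defensive.
    if (!SecurityToken::inst()->checkRequest($request)) {
        return $this->httpError(404);
    }

    $class = $request->postVar('class');
    $ids = $request->postVar('id');

    // array_diff() below needs an array; reject anything else up front.
    if (!is_array($ids)) {
        return $this->httpError(400, _t('AdvancedWorkflowAdmin.INVALIDIDLIST', 'An invalid list of IDs was provided.'));
    }

    if ($class == 'WorkflowAction') {
        $objects = $this->Definition()->Actions();
    } elseif ($class == 'WorkflowTransition') {
        $parent = $request->postVar('parent');
        $action = $this->Definition()->Actions()->byID($parent);
        if (!$action) {
            return $this->httpError(400, _t('AdvancedWorkflowAdmin.INVALIDPARENTID', 'An invalid parent ID was specified.'));
        }
        $objects = $action->Transitions();
    } else {
        return $this->httpError(400, _t('AdvancedWorkflowAdmin.INVALIDCLASSTOORDER', 'An invalid class to order was specified.'));
    }

    // IDs outside the selected collection are rejected so the caller cannot
    // reorder objects belonging to another definition.
    if (array_diff($ids, $objects->column('ID'))) {
        return $this->httpError(400, _t('AdvancedWorkflowAdmin.INVALIDIDLIST', 'An invalid list of IDs was provided.'));
    }

    singleton('WorkflowService')->reorder($objects, $ids);
    return new SS_HTTPResponse(null, 200, _t('AdvancedWorkflowAdmin.SORTORDERSAVED', 'The sort order has been saved.'));
}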
/**
 * Create a new translation from an existing item, switch to this language and reload the tree.
 *
 * Reads 'NewTransLang' (target locale) and 'ID' (source record) from the POST
 * body. The translation is written to the database immediately rather than
 * kept in memory until the user saves.
 *
 * @param array $data form data (unused; values are read from the request)
 * @param Form  $form
 * @return SS_HTTPResponse redirect to the new translation, or an HTTP error
 */
function createtranslation($data, $form) {
    $request = $this->owner->getRequest();

    // Protect against CSRF on destructive action
    if (!SecurityToken::inst()->checkRequest($request)) {
        return $this->owner->httpError(400);
    }

    $record = $this->owner->getRecord($request->postVar('ID'));
    if (!$record) {
        return $this->owner->httpError(404);
    }

    // NOTE(review): raw2sql only escapes the value for SQL; it does not check
    // that this is a known locale. A whitelist check against the configured
    // locales before use would be the stricter option.
    $langCode = Convert::raw2sql($request->postVar('NewTransLang'));
    $this->owner->Locale = $langCode;
    Translatable::set_current_locale($langCode);

    // Create a new record in the database - this is different
    // to the usual "create page" pattern of storing the record
    // in-memory until a "save" is performed by the user, mainly
    // to simplify things a bit.
    // @todo Allow in-memory creation of translations that don't
    // persist in the database before the user requests it
    $translatedRecord = $record->createTranslation($langCode);
    $showUrl = Controller::join_links($this->owner->Link('show'), $translatedRecord->ID);

    // set the X-Pjax header to Content, so that the whole admin panel will be refreshed
    $this->owner->getResponse()->addHeader('X-Pjax', 'Content');
    return $this->owner->redirect($showUrl);
}
/**
 * Restore CSRF protection (presumably disabled during setUp) and remove the
 * test folder's database row and files before the parent teardown runs.
 */
public function tearDown() {
    SecurityToken::enable();

    $folder = $this->folder;
    $folder->deleteDatabaseOnly();
    Filesystem::removeFolder($folder->getFullPath());

    parent::tearDown();
}
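/**
 * This is called when an interactive authentication attempt succeeds. This
 * is called by authentication listeners inheriting from AbstractAuthenticationListener.
 *
 * Non-admin users are sent back to the admin login with an authentication
 * error stored in the session. For admins the legacy Zend_Auth identity, the
 * OAuth and frontend security tokens, article locks, request locale, no-cache
 * cookie and last-login timestamp are all updated; an AJAX login returns a
 * script that closes the login dialog and hands the CSRF token to the parent
 * window.
 *
 * @param Request $request
 * @param TokenInterface $token
 * @return Response The response to return
 */
public function onAuthenticationSuccess(Request $request, TokenInterface $token) {
    $user = $token->getUser();
    $session = $request->getSession();

    // This should actually be handle by the AuthenticationFailedHandler
    if (!$user->isAdmin()) {
        // can't go into admin
        $session->set(SecurityContextInterface::AUTHENTICATION_ERROR, new AuthenticationException('User is not an admin.'));
        return $this->httpUtils->createRedirectResponse($request, 'admin_login');
    }

    \LoginAttempts::DeleteOldLoginAttempts();
    \LoginAttempts::ClearLoginAttemptsForIp();

    // Keep the legacy Zend_Auth identity in step with the Symfony login.
    $zendAuth = \Zend_Auth::getInstance();
    $this->authAdapter
        ->setUsername($user->getUsername())
        ->setPassword($request->request->get('_password'))
        ->setAdmin(true);
    $zendAuth->authenticate($this->authAdapter);

    // Log the user into the other firewalls as well.
    $OAuthtoken = $this->userService->loginUser($user, 'oauth_authorize');
    $session->set('_security_oauth_authorize', serialize($OAuthtoken));
    $frontendToken = $this->userService->loginUser($user, 'frontend_area');
    $session->set('_security_frontend_area', serialize($frontendToken));

    \Article::UnlockByUser($user->getId());

    // NOTE(review): 'login_language' is taken from the request as-is; whether
    // it is checked against the supported locales is not visible here.
    $request->setLocale($request->request->get('login_language'));
    $this->setNoCacheCookie($request);

    $user->setLastLogin(new \DateTime());
    $this->em->flush();

    if ($request->get('ajax') === 'true') {
        // close popup with login. The token is JSON-encoded with HTML-safe
        // escaping so it is always a valid JS string literal inside <script>
        // and cannot terminate the literal or the element.
        $jsToken = json_encode(\SecurityToken::GetToken(), JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP);
        return new Response("<script type=\"text/javascript\">window.parent.g_security_token = " . $jsToken . ";window.parent.\$(window.parent.document.body).data('loginDialog').dialog('close');window.parent.setSecurityToken(window.parent.g_security_token);</script>");
    }

    return parent::onAuthenticationSuccess($request, $token);
}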
/**
 * Resolve the user ids addressed by this request.
 *
 * Uses the USER_ID list parameter; when it is empty and a viewer is present
 * in the token, the request is taken to refer to "@me".
 *
 * @return array list of UserId objects
 * @throws IllegalArgumentException when no user id is given and there is no viewer
 */
public function getUsers() {
    $rawIds = $this->getListParameter(self::$USER_ID);

    if (empty($rawIds)) {
        if ($this->token->getViewerId() == null) {
            throw new IllegalArgumentException("No userId provided and viewer not available");
        }
        // Assume @me
        $rawIds = array("@me");
    }

    $resolved = array();
    foreach ($rawIds as $rawId) {
        $resolved[] = UserId::fromJson($rawId);
    }
    return $resolved;
}
/**
 * Coverage for a bug where there's an error generating the link when ProductID = 0
 */
public function testCorruptedOrderItemLinks() {
    // Links are compared verbatim, so keep the CSRF token out of the URL.
    SecurityToken::disable();

    $item = $this->socks->Item();
    $item->ProductID = 0;

    $this->assertEquals('', $item->removeLink());
}
/**
 * Return the current session's security (CSRF) token id.
 *
 * Starts the session if the request does not carry one, then hands back
 * SecurityToken's security id for it.
 *
 * @return mixed whatever SecurityToken::inst()->getSecurityID() returns
 */
public static function getSecurityToken() {
    // Ensure the session exists before querying it.
    $hasSession = Session::request_contains_session_id();
    if (!$hasSession) {
        Session::start();
    }

    $token = SecurityToken::inst();
    return $token->getSecurityID();
}
/**
 * Resolve this UserId to a concrete id using the security token.
 *
 * @param SecurityToken $token token providing the viewer and owner ids
 * @return mixed viewer id, owner id, or the explicit user id depending on $this->type
 * @throws Exception when $this->type is not viewer, owner or userId
 */
public function getUserId(SecurityToken $token) {
    $type = $this->type;

    // Loose comparisons, matching the original switch semantics.
    if ($type == 'viewer') {
        return $token->getViewerId();
    }
    if ($type == 'owner') {
        return $token->getOwnerId();
    }
    if ($type == 'userId') {
        return $this->userId;
    }

    throw new Exception("The type field is not a valid enum: {$this->type}");
}
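/**
 * Create a new profile section of the requested class under the current
 * controller's record, then redirect to its edit form.
 *
 * @param array $data   form data; 'ClassName' selects the section class
 * @param Form  $form
 * @param array $params
 * @return SS_HTTPResponse redirect to the new section's edit form
 * @throws InvalidArgumentException when ClassName is not an existing DataObject subclass
 */
public function saveComplexTableField($data, $form, $params) {
    // ClassName is user-submitted form data: never instantiate an arbitrary
    // class from it. At minimum it must be an existing DataObject subclass;
    // TODO(review): tighten to the concrete section base class this field manages.
    $className = isset($data['ClassName']) ? (string) $data['ClassName'] : '';
    if ($className === '' || !class_exists($className) || !is_subclass_of($className, 'DataObject')) {
        throw new InvalidArgumentException('Invalid ClassName');
    }

    $child = new $className();
    $child->ParentID = $this->controller->ID;
    $child->write();

    // The edit link carries the CSRF token so the follow-up form submits cleanly.
    $editLink = SecurityToken::inst()->addToUrl(Controller::join_links($this->Link(), 'item', $child->ID, 'edit'));
    Session::set('FormInfo.ComplexTableField_Popup_DetailForm.formError', array(
        'message' => _t('MemberProfiles.SECTIONADDED', 'Profile section added, please edit it below.'),
        'type' => 'good',
    ));
    return Director::redirect($editLink);
}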
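/**
 * Attach an uploaded slide to the presentation as a PresentationSlide material
 * (replacing any existing PresentationSlide materials) and redirect to the
 * success page.
 *
 * @param array $data form data; 'Slide' is the uploaded file's ID
 * @param Form  $form
 * @return SS_HTTPResponse
 */
public function doUpload($data, $form) {
    $material = PresentationSlide::create();
    // Cast: the value comes straight from form data and is only ever an integer FK.
    $material->SlideID = isset($data['Slide']) ? (int) $data['Slide'] : 0;
    $material->write();

    $this->presentation->Materials()->filter(['ClassName' => 'PresentationSlide'])->removeAll();
    $this->presentation->Materials()->add($material);

    // The CSRF token travels in the query string; URL-encode it so no
    // character in it can alter the query.
    $token = SecurityToken::inst()->getValue();
    $successUrl = Controller::join_links(
        $form->controller()->Link(),
        'success',
        '?key=' . urlencode((string) $token) . '&material=' . (int) $material->ID
    );
    return $form->controller()->redirect($successUrl);
}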
/**
 * Check the links are accurate
 */
public function testLinks() {
    // Disable CSRF tokens so the links carry no SecurityID query parameter.
    SecurityToken::disable();

    $product = $this->socks;
    $item = $product->Item();

    $expected = array(
        'addLink' => "shoppingcart/add/Product/{$product->ID}",
        'removeLink' => "shoppingcart/remove/Product/{$product->ID}",
        'removeallLink' => "shoppingcart/removeall/Product/{$product->ID}",
        'setquantityLink' => "shoppingcart/setquantity/Product/{$product->ID}",
    );
    foreach ($expected as $method => $link) {
        $this->assertEquals($link, $item->$method());
    }
}
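/**
 * Run a batch action over the pages listed in the csvIDs request var.
 *
 * Requires an AJAX request (otherwise redirects back) and a valid CSRF token
 * (otherwise 400). A BatchAction name that is not registered via
 * batchActions() is a 404 rather than an attempt to instantiate whatever the
 * URL names. IDs are reduced to unique integers before being interpolated
 * into SQL; when the record class is Versioned, IDs missing from the draft
 * stage are looked up on Live.
 *
 * @param SS_HTTPRequest $request
 * @return mixed result of the action handler's run(), or an HTTP error
 */
function handleAction($request) {
    // This method can't be called without ajax.
    if (!$this->parentController->isAjax()) {
        $this->parentController->redirectBack();
        return;
    }

    // Protect against CSRF on destructive action
    if (!SecurityToken::inst()->checkRequest($request)) {
        return $this->httpError(400);
    }

    // Only registered actions may be instantiated; the name comes from the URL.
    $actions = $this->batchActions();
    $actionName = $request->param('BatchAction');
    if (!isset($actions[$actionName]['class'])) {
        return $this->httpError(404);
    }
    $actionClass = $actions[$actionName]['class'];
    $actionHandler = new $actionClass();

    // Sanitise ID list. split() was removed in PHP 7, so use preg_split; cast
    // to int so the values interpolated into the SQL below can only be integers.
    $rawIds = preg_split('/ *, */', trim((string) $request->requestVar('csvIDs')));
    $ids = array();
    foreach ($rawIds as $rawId) {
        if (is_numeric($rawId)) {
            $ids[] = (int) $rawId;
        }
    }
    // Duplicates would make the "fewer pages than ids" check below misfire.
    $ids = array_values(array_unique($ids));

    if (!$ids) {
        return $actionHandler->run(new ArrayList());
    }

    $recordClass = $this->recordClass;
    $translatable = class_exists('Translatable') && Object::has_extension('SiteTree', 'Translatable');
    if ($translatable) {
        Translatable::disable_locale_filter();
    }
    $pages = DataObject::get($recordClass, sprintf('"%s"."ID" IN (%s)', ClassInfo::baseDataClass($recordClass), implode(", ", $ids)));
    if ($translatable) {
        Translatable::enable_locale_filter();
    }

    if (Object::has_extension($recordClass, 'Versioned')) {
        // If we didn't query all the pages, then find the rest on the live site
        if (!$pages || $pages->Count() < count($ids)) {
            // Initialised explicitly; the original relied on auto-vivification.
            $idsFromLive = array_fill_keys($ids, true);
            if ($pages) {
                foreach ($pages as $page) {
                    unset($idsFromLive[$page->ID]);
                }
            }
            $idsFromLive = array_keys($idsFromLive);
            $sql = sprintf('"%s"."ID" IN (%s)', $recordClass, implode(", ", $idsFromLive));
            $livePages = Versioned::get_by_stage($recordClass, 'Live', $sql);
            if ($pages) {
                $pages->merge($livePages);
            } else {
                $pages = $livePages;
            }
        }
    }
    return $actionHandler->run($pages);
}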
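/**
 * Find the visitor record for the current session, creating one on first sight.
 *
 * Visitors are keyed by the session's SecurityToken id. New visitors are
 * stored with their remote address and the domain of the HTTP referrer.
 *
 * @return mixed the existing visitor, or whatever self::saveVisitor() returns
 */
public static function initVisitor() {
    $secID = SecurityToken::inst()->getSecurityID();
    $visitor = self::get()->find('securityID', $secID);
    if ($visitor) {
        return $visitor;
    }

    // This is a new visitor so lets see if we can find out where they came from.
    // The referrer header is client-controlled and is reduced to its domain here.
    $referer = isset($_SERVER['HTTP_REFERER']) ? self::getDomain($_SERVER['HTTP_REFERER']) : "";
    // REMOTE_ADDR can be absent (CLI/test runs); default it instead of raising a notice.
    $remoteAddr = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : "";
    $searchTerm = "";

    return self::saveVisitor($secID, $remoteAddr, $referer, $searchTerm);
}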
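/**
 * Find the visitor record for the current session, creating one on first sight.
 *
 * Visitors are keyed by the session's SecurityToken id. New visitors are
 * stored with their remote address and the client-reported referrer, screen
 * resolution and platform.
 *
 * @return mixed the existing visitor, or whatever self::saveVisitor() returns
 */
public static function initVisitor() {
    $secID = SecurityToken::inst()->getSecurityID();
    $visitor = self::get()->find('securityID', $secID);
    if ($visitor) {
        return $visitor;
    }

    // This is a new visitor so lets see if we can find out where they came from.
    // ref/res/plat are client-supplied POST values passed through unchanged;
    // saveVisitor() must treat them as untrusted strings.
    $referer = isset($_POST['ref']) ? $_POST['ref'] : "";
    $resolution = isset($_POST['res']) ? $_POST['res'] : "";
    $platform = isset($_POST['plat']) ? $_POST['plat'] : "";
    $searchTerm = "";
    // REMOTE_ADDR can be absent (CLI/test runs); default it instead of raising a notice.
    $remoteAddr = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : "";

    return self::saveVisitor($secID, $remoteAddr, $referer, $searchTerm, $resolution, $platform);
}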
/**
 * An ADMIN can trigger the "remove relation" variant of GridFieldDeleteAction
 * through gridFieldAlterAction with a valid CSRF token; two records remain.
 */
public function testDeleteActionRemoveRelation() {
    $this->logInWithPermission('ADMIN');

    $config = GridFieldConfig::create()->addComponent(new GridFieldDeleteAction(true));
    $gridField = new GridField('testfield', 'testfield', $this->list, $config);
    $form = new Form(new Controller(), 'mockform', new FieldList(array($this->gridField)), new FieldList());

    $stateID = 'testGridStateActionField';
    $recordID = $this->idFromFixture('GridFieldAction_Delete_Team', 'team1');
    Session::set($stateID, array(
        'grid' => '',
        'actionName' => 'deleterecord',
        'args' => array('RecordID' => $recordID),
    ));

    // The request must carry the CSRF token under its configured name.
    $token = SecurityToken::inst();
    $postVars = array(
        'action_gridFieldAlterAction?StateID=' . $stateID => true,
        $token->getName() => $token->getValue(),
    );
    $request = new SS_HTTPRequest('POST', 'url', array(), $postVars);

    $this->gridField->gridFieldAlterAction(array('StateID' => $stateID), $this->form, $request);

    $this->assertEquals(2, $this->list->count(), 'User should be able to delete records with ADMIN permission.');
}
/**
 * Globals made available to templates.
 *
 * The locale falls back to 'en' when there is no request or no TOL_Language
 * cookie; an unauthenticated request yields a null NewscoopUser.
 *
 * @return array Newscoop, NewscoopVersion, SecurityToken, NewscoopUser, localeFromCookie
 */
public function getGlobals() {
    global $Campsite;

    $localeFromCookie = 'en';
    if ($this->request) {
        $cookies = $this->request->cookies;
        if ($cookies->has('TOL_Language')) {
            $localeFromCookie = $cookies->get('TOL_Language');
        }
    }

    try {
        $currentUser = $this->container->getService('user')->getCurrentUser();
    } catch (AuthenticationException $e) {
        $currentUser = null;
    }

    return array(
        'Newscoop' => $Campsite,
        'NewscoopVersion' => new \CampVersion(),
        'SecurityToken' => \SecurityToken::GetToken(),
        'NewscoopUser' => $currentUser,
        'localeFromCookie' => $localeFromCookie,
    );
}
/**
 * Delete the current record and return the re-rendered root field.
 *
 * Requires a valid CSRF token and a POST request (400 otherwise) and delete
 * permission on the record (403 otherwise); httpError() is expected to throw.
 *
 * @param SS_HTTPRequest $request
 * @return string
 */
public function delete($request) {
    $csrfOk = SecurityToken::inst()->checkRequest($request);
    if (!$csrfOk || !$request->isPOST()) {
        $this->httpError(400);
    }
    if (!$this->record->canDelete()) {
        $this->httpError(403);
    }

    $this->record->delete();
    return $this->RootField()->forTemplate();
}
/**
 * Deleting a member through the no-group table field removes both the group
 * relation and the member row itself.
 */
function testDeleteWithoutGroupDeletesFromDatabase() {
    $member1 = $this->objFromFixture('Member', 'member1');
    $member1ID = $member1->ID;
    $group1 = $this->objFromFixture('Group', 'group1');

    // Initial request to the controller (presumably establishes the session/token).
    $this->get('MemberTableFieldTest_Controller');

    // The delete URL must carry the CSRF token or the request is refused.
    $deleteUrl = SecurityToken::inst()->addToUrl(sprintf(
        'MemberTableFieldTest_Controller/FormNoGroup/field/Members/item/%d/delete/?usetestmanifest=1',
        $member1ID
    ));
    $this->get($deleteUrl);

    $group1->flushCache();
    $this->assertNotContains($member1ID, $group1->Members()->column('ID'), 'Member relation to group is removed');

    DataObject::flush_and_destroy_cache();
    $this->assertFalse(DataObject::get_by_id('Member', $member1ID), 'Member record is removed from database');
}
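/**
 * Run a batch action over the SiteTree pages listed in the csvIDs request var.
 *
 * Requires an AJAX request (otherwise redirects back) and a valid CSRF token
 * (otherwise 400). A BatchAction name not declared in the batch_actions
 * static is a 404 rather than an attempt to instantiate whatever the URL
 * names. IDs are reduced to unique integers before being interpolated into
 * SQL; IDs missing from the draft stage are looked up on Live.
 *
 * @param SS_HTTPRequest $request
 * @return mixed result of the action handler's run(), or an HTTP error
 */
function handleAction($request) {
    // This method can't be called without ajax.
    if (!Director::is_ajax()) {
        Director::redirectBack();
        return;
    }

    // Protect against CSRF on destructive action
    if (!SecurityToken::inst()->checkRequest($request)) {
        return $this->httpError(400);
    }

    // Only declared actions may be instantiated; the name comes from the URL.
    $actions = Object::get_static($this->class, 'batch_actions');
    $actionName = $request->param('BatchAction');
    if (!isset($actions[$actionName])) {
        return $this->httpError(404);
    }
    $actionClass = $actions[$actionName];
    $actionHandler = new $actionClass();

    // Sanitise ID list. split() was removed in PHP 7, so use preg_split; cast
    // to int so the SQL below can only ever contain integer literals.
    $rawIds = preg_split('/ *, */', trim((string) $request->requestVar('csvIDs')));
    $ids = array();
    foreach ($rawIds as $rawId) {
        if (is_numeric($rawId)) {
            $ids[] = (int) $rawId;
        }
    }
    // Duplicates would make the "fewer pages than ids" check below misfire.
    $ids = array_values(array_unique($ids));

    if (!$ids) {
        return $actionHandler->run(new DataObjectSet());
    }

    $pages = DataObject::get('SiteTree', "\"SiteTree\".\"ID\" IN (" . implode(", ", $ids) . ")");

    // If we didn't query all the pages, then find the rest on the live site
    if (!$pages || $pages->Count() < count($ids)) {
        // Initialised explicitly; the original relied on auto-vivification.
        $idsFromLive = array_fill_keys($ids, true);
        if ($pages) {
            foreach ($pages as $page) {
                unset($idsFromLive[$page->ID]);
            }
        }
        $idsFromLive = array_keys($idsFromLive);
        $livePages = Versioned::get_by_stage('SiteTree', 'Live', "\"SiteTree\".\"ID\" IN (" . implode(", ", $idsFromLive) . ")");
        if ($pages) {
            $pages->merge($livePages);
        } else {
            $pages = $livePages;
        }
    }
    return $actionHandler->run($pages);
}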
/**
 * Wire the TinyMCE spellchecker plugin into the configured editor before the
 * request is handled.
 *
 * Builds the "Name=locale" language list from SpellController's locales,
 * enables the plugin and its toolbar button, and points the RPC URL at
 * spellcheck/ with the CSRF token appended so the endpoint can verify it.
 *
 * @return bool always true (continue request handling)
 */
public function preRequest(\SS_HTTPRequest $request, \Session $session, \DataModel $model) {
    // Check languages to set
    $languageOptions = array();
    foreach (SpellController::get_locales() as $locale) {
        $languageOptions[] = i18n::get_locale_name($locale) . '=' . $locale;
    }

    // Set settings
    $editorName = Config::inst()->get(__CLASS__, 'editor');
    $editorConfig = HtmlEditorConfig::get($editorName);
    $editorConfig->enablePlugins('spellchecker');
    $editorConfig->addButtonsToLine(2, 'spellchecker');

    $rpcUrl = SecurityToken::inst()->addToUrl('spellcheck/');
    $editorConfig->setOption('spellchecker_rpc_url', $rpcUrl);
    $editorConfig->setOption('browser_spellcheck', false);
    $editorConfig->setOption('spellchecker_languages', '+' . implode(', ', $languageOptions));

    return true;
}