示例#1
 /**
  * 
  * Is the current request a cross-site forgery?
  * 
  * The Solar_Csrf helper is built lazily on first use and cached on
  * the object, so the check can be called repeatedly during a request
  * without re-creating it. The actual decision is delegated to
  * Solar_Csrf::isForgery(); this method adds no logic of its own.
  * 
  * @return bool True if the request fails the anti-CSRF check.
  * 
  */
 public function isCsrf()
 {
     $csrf = $this->_csrf;
     if (!$csrf) {
         // first call: create the helper and remember it for later calls
         $csrf = Solar::factory('Solar_Csrf');
         $this->_csrf = $csrf;
     }
     return $csrf->isForgery();
 }
示例#2
文件: Csrf.php 项目: agentile/foresmo
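 /**
  * 
  * Updates this object with current values.
  * 
  * This helps to maintain transitions between not having a session and
  * then having one; in the non-session state, there will be no token,
  * so we can't expect its presence until the next page load.
  * 
  * Note that when a token has to be created, it is written to the
  * session but NOT loaded into self::$_current, so for the remainder
  * of this request the object still reports no current token.
  * 
  * Security: the token is drawn from a cryptographically secure
  * source. The previous uniqid(mt_rand(), true) value was built from
  * the clock and a non-cryptographic PRNG; an attacker who can narrow
  * down those inputs can guess the token, which defeats the forgery
  * check entirely.
  * 
  * @return void
  * 
  * @throws Exception if no secure random source is available (see
  * _newToken()).
  * 
  */
 protected function _update()
 {
     if (self::$_updated) {
         // already updated with current values
         return;
     }
     // lazy-start the session if one exists
     self::$_session->lazyStart();
     if (!self::$_session->isStarted()) {
         // not started, nothing left to do
         return;
     }
     // the session has started. is there an existing csrf token?
     if (self::$_session->has('token')) {
         // retain the existing token
         self::$_current = self::$_session->get('token');
     } else {
         // no token, create a new one for the session.
         // we're transitioning from a non-token state, and
         // incoming forms won't have it yet, so we don't retain
         // the new token as the current value.
         self::$_session->set('token', self::_newToken());
     }
     self::$_updated = true;
 }

 /**
  * 
  * Generates a fresh, unpredictable anti-CSRF token.
  * 
  * Prefers random_bytes() (PHP 7+) and falls back to
  * openssl_random_pseudo_bytes() on older runtimes. If neither can
  * supply cryptographically strong bytes this fails closed rather
  * than silently handing out a guessable token.
  * 
  * @return string 64 hexadecimal characters (256 bits of entropy).
  * 
  * @throws Exception if no cryptographically secure source exists.
  * 
  */
 protected static function _newToken()
 {
     if (function_exists('random_bytes')) {
         return bin2hex(random_bytes(32));
     }
     if (function_exists('openssl_random_pseudo_bytes')) {
         $strong = false;
         $bytes = openssl_random_pseudo_bytes(32, $strong);
         // $strong is set by the call; only accept output it vouches for
         if ($bytes !== false && $strong) {
             return bin2hex($bytes);
         }
     }
     throw new Exception(
         'No cryptographically secure random source is available for the CSRF token.'
     );
 }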
示例#3
 /**
  * 
  * Generates a hidden anti-CSRF element.
  * 
  * Takes no arguments: the element name comes from the csrf helper's
  * key and the value is the current session token. Rendering (and
  * therefore attribute escaping) is left to the view's formHidden()
  * helper, which is not shown here.
  * 
  * @return string The element XHTML.
  * 
  */
 public function formCsrf()
 {
     $hidden = array(
         'name'  => $this->_csrf->getKey(),
         'value' => $this->_csrf->getToken(),
     );
     return $this->_view->formHidden($hidden);
 }
示例#4
文件: Form.php 项目: kalkin/solarphp
 /**
  * 
  * Resets the form object to its originally-configured state, and adds
  * an anti-CSRF element with the current value of the session token.
  * 
  * Attribs go back to the defaults merged with the configured
  * overrides; elements, feedback and the submitted values are all
  * discarded. Use this method to "start over again" using the same
  * form object.
  * 
  * The csrf element is only added when the helper already reports a
  * token; a request that has just created its session token ends up
  * with no csrf element in the form.
  * 
  * @return void
  * 
  */
 public function reset()
 {
     // defaults first, so config overrides win on key collisions
     $this->attribs = array_merge(
         $this->_default_attribs,
         $this->_config['attribs']
     );
     $this->elements   = array();
     $this->feedback   = array();
     $this->_submitted = null;
     // nothing to add until a session token exists
     if (!$this->_csrf->hasToken()) {
         return;
     }
     $csrf_name = $this->_csrf->getKey();
     $csrf_info = array(
         'type'  => 'hidden',
         'value' => $this->_csrf->getToken(),
     );
     $this->setElement($csrf_name, $csrf_info);
 }
示例#5
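 /**
  * 
  * If no CSRF element is present, add one.
  * 
  * Does nothing while the csrf helper has no token (e.g. the session
  * has only just been created). Existing hidden elements are matched
  * on name with a strict comparison so that PHP's loose numeric-string
  * rules cannot make two different names look equal.
  * 
  * @return void
  * 
  */
 protected function _addCsrfElement()
 {
     // if no token, nothing to add
     if (!$this->_csrf->hasToken()) {
         return;
     }
     // is a csrf element already present?
     $name = $this->_csrf->getKey();
     foreach ($this->_hidden as $info) {
         if ($info['name'] === $name) {
             // found it, no need to add it
             return;
         }
     }
     // add the token to the hidden elements
     $this->addElement(array(
         'name'  => $name,
         'type'  => 'hidden',
         'value' => $this->_csrf->getToken(),
     ));
 }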
示例#6
文件: Form.php 项目: agentile/foresmo
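 /**
  * 
  * If a CSRF element is needed but not present, add it; if present and not
  * needed, remove it.
  * 
  * GET forms never carry the token: a value in the query string would
  * leak into browser history, Referer headers and server logs, so any
  * existing csrf element is stripped and none is added. For other
  * methods the element is added once a session token exists and is
  * not already among the hidden elements.
  * 
  * Name matching uses a strict comparison so that PHP's loose
  * numeric-string rules cannot make two different names look equal.
  * 
  * @return void
  * 
  */
 protected function _modCsrfElement()
 {
     // the name of the csrf element
     $name = $this->_csrf->getKey();
     // if using GET, don't add csrf if not already there ...
     $method = strtolower($this->_attribs_form['method']);
     if ($method === 'get') {
         // ... and remove it if present.
         foreach ($this->_hidden as $key => $info) {
             if ($info['name'] === $name) {
                 unset($this->_hidden[$key]);
             }
         }
         // done
         return;
     }
     // if no token, nothing to add
     if (!$this->_csrf->hasToken()) {
         return;
     }
     // is a csrf element already present?
     foreach ($this->_hidden as $info) {
         if ($info['name'] === $name) {
             // found it, no need to add it
             return;
         }
     }
     // add the token to the hidden elements
     $this->addElement(array(
         'name'  => $name,
         'type'  => 'hidden',
         'value' => $this->_csrf->getToken(),
     ));
 }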