1 | <?php |
2 | namespace wcf\page; | |
3 | use wcf\data\user\User; | |
4 | use wcf\system\exception\IllegalLinkException; | |
5 | use wcf\system\session\SessionHandler; | |
6 | use wcf\system\WCF; | |
4aff3083 | 7 | use wcf\util\CryptoUtil; |
8 | use wcf\util\StringUtil; |
9 | ||
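/**
 * Automatically authenticates the user for the current request via an access-token.
 * A missing token will be ignored, a malformed or invalid token results in a throw of an IllegalLinkException.
 * 
 * @author	Tim Duesterhus
 * @copyright	2001-2017 WoltLab GmbH
 * @license	GNU Lesser General Public License <http://opensource.org/licenses/lgpl-license.php>
 * @package	WoltLabSuite\Core\Page
 */
abstract class AbstractAuthedPage extends AbstractPage {
	/**
	 * @inheritDoc
	 */
	public function readParameters() {
		parent::readParameters();
		
		// check security token
		$this->checkAccessToken();
	}
	
	/**
	 * Validates the access-token and performs the login.
	 * 
	 * The token is read from the `at` request parameter and is expected in the
	 * form `<userID>-<token>`. A missing parameter is ignored. If the request is
	 * already associated with a user, the token must belong to that very user;
	 * otherwise the session is switched to the user identified by the token.
	 * 
	 * @throws	IllegalLinkException	if the token is malformed, belongs to a different user, or does not match
	 */
	protected function checkAccessToken() {
		if (!isset($_REQUEST['at'])) {
			// no token supplied -> nothing to do
			return;
		}
		
		// `at[]=...` yields an array, which can never be a valid token
		if (!is_string($_REQUEST['at'])) {
			throw new IllegalLinkException();
		}
		
		list($userID, $token) = array_pad(explode('-', StringUtil::trim($_REQUEST['at']), 2), 2, null);
		
		// both parts must be present and the user id must be a plain decimal
		// number; this avoids comparing a null/empty token and keeps the user id
		// comparison below from relying on loose (==) semantics
		if ($token === null || $token === '' || !preg_match('/^[0-9]+$/D', $userID)) {
			throw new IllegalLinkException();
		}
		
		if (WCF::getUser()->userID) {
			if ((int)$userID === (int)WCF::getUser()->userID && CryptoUtil::secureCompare(WCF::getUser()->accessToken, $token)) {
				// everything is fine, but we are already logged in
				return;
			}
			
			// token is invalid or belongs to another user
			throw new IllegalLinkException();
		}
		
		$user = new User($userID);
		
		// never compare against a non-existent user or an empty stored token
		if (!$user->userID || $user->accessToken === null || $user->accessToken === '') {
			throw new IllegalLinkException();
		}
		
		if (!CryptoUtil::secureCompare($user->accessToken, $token)) {
			// token is invalid
			throw new IllegalLinkException();
		}
		
		// token is valid -> change user
		SessionHandler::getInstance()->changeUser($user, true);
	}
}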