3 use wcf\data\user\User
;
4 use wcf\system\exception\IllegalLinkException
;
5 use wcf\system\session\SessionHandler
;
7 use wcf\util\CryptoUtil
;
8 use wcf\util\StringUtil
;
11 * Automatically authenticates the user for the current request via an access-token.
12 * A missing token is ignored; an invalid token causes an IllegalLinkException to be thrown.
14 * @author Tim Duesterhus
15 * @copyright 2001-2018 WoltLab GmbH
16 * @license GNU Lesser General Public License <http://opensource.org/licenses/lgpl-license.php>
17 * @package WoltLabSuite\Core\Page
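abstract class AbstractAuthedPage extends AbstractPage {
    /**
     * Reads the request parameters through the parent page and then
     * authenticates the request if an access token was supplied.
     *
     * @throws IllegalLinkException if an access token is present but invalid
     */
    public function readParameters() {
        parent::readParameters();

        // check security token
        $this->checkAccessToken();
    }

    /**
     * Validates the access-token and performs the login.
     *
     * The token is read from the `at` request parameter in the form
     * `<userID>-<token>`. A missing parameter is ignored. Any other value
     * either matches a stored access token exactly or is rejected.
     *
     * The value acts as a bearer credential for the account it names, so
     * malformed or empty parts are rejected before any comparison is made.
     *
     * NOTE(review): nothing here checks whether the account is disabled or
     * banned; confirm that changeUser() or a later permission check does.
     *
     * @throws IllegalLinkException if the parameter is malformed, names an
     *                              unknown user, or carries a wrong token
     */
    protected function checkAccessToken() {
        if (!isset($_REQUEST['at'])) {
            // a missing token is ignored
            return;
        }

        // Request parameters can arrive as arrays; only a string can hold
        // "<userID>-<token>".
        if (!is_string($_REQUEST['at'])) {
            throw new IllegalLinkException();
        }

        // The limit of 2 keeps any further '-' inside the token part;
        // array_pad() yields a null token when no '-' is present at all.
        list($userID, $token) = array_pad(explode('-', StringUtil::trim($_REQUEST['at']), 2), 2, null);

        // An absent or empty token must never reach the comparison: it could
        // otherwise compare equal to an account whose stored token is unset.
        // NOTE(review): CryptoUtil::secureCompare() is not shown here, so its
        // handling of null/empty operands is not relied upon.
        if ($token === null || $token === '' || !preg_match('/^[0-9]+$/D', $userID)) {
            throw new IllegalLinkException();
        }

        $currentUser = WCF::getUser();
        if ($currentUser->userID) {
            // Already logged in: the token has to belong to this very user.
            $storedToken = (string) $currentUser->accessToken;
            if ((int) $userID === (int) $currentUser->userID
                && $storedToken !== ''
                && CryptoUtil::secureCompare($storedToken, $token)) {
                // everything is fine, but we are already logged in
                return;
            }

            // token is invalid
            throw new IllegalLinkException();
        }

        $user = new User($userID);
        $storedToken = (string) $user->accessToken;

        // Require an existing user with a non-empty stored token before the
        // constant-time comparison decides.
        if (!$user->userID
            || $storedToken === ''
            || !CryptoUtil::secureCompare($storedToken, $token)) {
            // token is invalid
            throw new IllegalLinkException();
        }

        // token is valid -> change user
        SessionHandler::getInstance()->changeUser($user, true);
    }
}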