
  1. <?php
/**
 * All helper functions can be found here
 */
  5. /**
  6. * Upgrade.php can be protected for admins only or with a security code
  7. *
  8. * @return void
  9. */
  10. function security_tools_protect_upgrade() {
  11. $setting = elgg_get_plugin_setting("secure_upgrade", "security_tools");
  12. // default the upgrade is protected
  13. if ($setting == "no") {
  14. return;
  15. }
  16. $pass = false;
  17. // check for a security code
  18. $code = get_input("code");
  19. if (!empty($code)) {
  20. $pass = security_tools_validate_upgrade_code($code);
  21. }
  22. if (!$pass) {
  23. elgg_admin_gatekeeper();
  24. }
  25. }
  26. /**
  27. * Generate a security code to be used when running upgrade.php
  28. *
  29. * @return string the security code
  30. */
  31. function security_tools_generate_upgrade_code() {
  32. $site = elgg_get_site_entity();
  33. $site_secret = get_site_secret();
  34. return hash_hmac("sha256", ($site->name . "|" . $site->time_created . "|" . $site->url), $site_secret);
  35. }
  36. /**
  37. * Validate if the supplied security code for upgrade.php is correct
  38. *
  39. * @param string $code the security code to validate
  40. *
  41. * @return boolean true if valid
  42. */
  43. function security_tools_validate_upgrade_code($code) {
  44. $result = false;
  45. if (empty($code)) {
  46. return $result;
  47. }
  48. $valid_code = security_tools_generate_upgrade_code();
  49. if ($valid_code === $code) {
  50. $result = true;
  51. }
  52. return $result;
  53. }
/**
 * Checks if a user wants to change his email address and sends out a confirmation message
 *
 * Reads "guid" (falls back to the logged-in user) and "email" from the request.
 * The requested address is stored as a private "email_change_confirmation"
 * annotation and a confirmation link carrying the code from
 * security_tools_generate_email_code() is sent to the new address; the user's
 * stored email is left as it was when this function returns.
 *
 * @return void
 */
function security_tools_prepare_email_change() {
    $user_guid = (int) get_input("guid");
    $email = get_input("email");

    // no guid in the request: the user changes his own address
    // NOTE(review): when a guid is supplied no ownership/permission check is
    // visible here — confirm the calling action enforces it
    if (empty($user_guid)) {
        $user_guid = elgg_get_logged_in_user_guid();
    }

    $user = get_user($user_guid);
    if (empty($user) || !is_email_address($email)) {
        register_error(elgg_echo("email:save:fail"));
        return;
    }

    if (strcmp($email, $user->email) == 0) {
        // no change in email address
        return;
    }

    if (get_user_by_email($email)) {
        register_error(elgg_echo("registration:dupeemail"));
        return;
    }

    // generate validation code
    $validation_code = security_tools_generate_email_code($user, $email);
    if (empty($validation_code)) {
        return;
    }

    $site = elgg_get_site_entity();
    $current_email = $user->email;

    // make sure the notification goes to the new email: notify_user() is
    // presumably delivering to the stored address, so it is swapped in
    // temporarily and restored below
    // NOTE(review): the swap is persisted with save(), so until the restore the
    // unconfirmed address is the user's stored email — confirm this window is
    // acceptable
    $user->email = $email;
    $user->save();

    // build notification
    $validation_url = $site->url . "email_change_confirmation?u=" . $user->getGUID() . "&c=" . $validation_code;
    $subject = elgg_echo("security_tools:notify_user:email_change_request:subject", array($site->name));
    $message = elgg_echo("security_tools:notify_user:email_change_request:message", array(
        $user->name,
        $site->name,
        $validation_url
    ));

    notify_user($user->getGUID(), $site->getGUID(), $subject, $message, null, "email");

    // save the validation request
    // but first revoke previous request
    $user->deleteAnnotations("email_change_confirmation");
    $user->annotate("email_change_confirmation", $email, ACCESS_PRIVATE, $user->getGUID());

    // restore current email address
    $user->email = $current_email;
    $user->save();

    system_message(elgg_echo("security_tools:usersettings:email:request", array($email)));
}
  106. /**
  107. * Generate a validation code to change an email address
  108. *
  109. * @param ElggUser $user the user who's email address will be changed
  110. * @param string $email the new email address
  111. *
  112. * @return string|boolean the validation code or false
  113. */
  114. function security_tools_generate_email_code(ElggUser $user, $email) {
  115. if (empty($user) || !elgg_instanceof($user, "user")) {
  116. return false;
  117. }
  118. if (empty($email) && !is_email_address($email)) {
  119. return false;
  120. }
  121. $site_secret = get_site_secret();
  122. return hash_hmac("sha256", ($user->getGUID() . "|" . $email . "|" . $user->time_created), $site_secret);
  123. }