
   1  <?php
   2  
   3  /**
   4   * @package     Joomla.Plugin
   5   * @subpackage  User.token
   6   *
   7   * @copyright   (C) 2020 Open Source Matters, Inc. <https://www.joomla.org>
   8   * @license     GNU General Public License version 2 or later; see LICENSE.txt
   9   */
  10  
  11  namespace Joomla\Plugin\User\Token\Field;
  12  
  13  use Joomla\CMS\Factory;
  14  use Joomla\CMS\Form\Field\TextField;
  15  
  16  // phpcs:disable PSR1.Files.SideEffects
  17  \defined('_JEXEC') or die;
  18  // phpcs:enable PSR1.Files.SideEffects
  19  
  20  /**
  21   * Joomlatoken field class
  22   *
  23   * @since  4.0.0
  24   */
  25  class JoomlatokenField extends TextField
  26  {
  27      /**
  28       * Name of the layout being used to render the field
  29       *
  30       * @var    string
  31       * @since  4.0.0
  32       */
  33      protected $layout = 'plugins.user.token.token';
  34  
  35      /**
  36       * Method to attach a Form object to the field.
  37       *
  38       * @param   \SimpleXMLElement  $element   The SimpleXMLElement object representing the `<field>`
  39       *                                        tag for the form field object.
  40       * @param   mixed             $value      The form field value to validate.
  41       * @param   string            $group      The field name group control value. This acts as an
  42       *                                        array container for the field. For example if the
  43       *                                        field has name="foo" and the group value is set to
  44       *                                        "bar" then the full field name would end up being
  45       *                                        "bar[foo]".
  46       *
  47       * @return  boolean  True on success.
  48       *
  49       * @see     FormField::setup()
  50       * @since   4.0.0
  51       */
  52      public function setup(\SimpleXMLElement $element, $value, $group = null)
  53      {
  54          $ret = parent::setup($element, $value, $group);
  55  
  56          /**
  57           * Security and privacy precaution: do not display the token field when the user being
  58           * edited is not the same as the logged in user. Tokens are conceptually a combination of
  59           * a username and password, therefore they should be treated in the same mode of
  60           * confidentiality and privacy as passwords i.e. you can reset them for other users but NOT
  61           * be able to see them, thus preventing impersonation attacks by a malicious administrator.
  62           */
  63          $userId = $this->form->getData()->get('id');
  64  
  65          if ($userId != Factory::getUser()->id) {
  66              $this->hidden = true;
  67          }
  68  
  69          return $ret;
  70      }
  71  
  72      /**
  73       * Method to get the field input markup.
  74       *
  75       * @return  string  The field input markup.
  76       *
  77       * @since   4.0.0
  78       */
  79      protected function getInput()
  80      {
  81          // Do not display the token field when the user being edited is not the same as the logged in user
  82          if ($this->hidden) {
  83              return '';
  84          }
  85  
  86          return parent::getInput();
  87      }
  88  
  89      /**
  90       * Returns the token formatted suitably for the user to copy.
  91       *
  92       * @param   string  $tokenSeed  The token seed data stored in the database
  93       *
  94       * @return  string
  95       * @since   4.0.0
  96       */
  97      private function getTokenForDisplay(string $tokenSeed): string
  98      {
  99          if (empty($tokenSeed)) {
 100              return '';
 101          }
 102  
 103          $algorithm = $this->getAttribute('algo', 'sha256');
 104  
 105          try {
 106              $siteSecret = Factory::getApplication()->get('secret');
 107          } catch (\Exception $e) {
 108              $siteSecret = '';
 109          }
 110  
 111          // NO site secret? You monster!
 112          if (empty($siteSecret)) {
 113              return '';
 114          }
 115  
 116          $rawToken  = base64_decode($tokenSeed);
 117          $tokenHash = hash_hmac($algorithm, $rawToken, $siteSecret);
 118          $userId    = $this->form->getData()->get('id');
 119          $message   = base64_encode("$algorithm:$userId:$tokenHash");
 120  
 121          if ($userId != Factory::getUser()->id) {
 122              $message = '';
 123          }
 124  
 125          return $message;
 126      }
 127  
 128      /**
 129       * Get the data for the layout
 130       *
 131       * @return  array
 132       *
 133       * @since   4.0.0
 134       */
 135      protected function getLayoutData()
 136      {
 137          $data          = parent::getLayoutData();
 138          $data['value'] = $this->getTokenForDisplay($this->value);
 139  
 140          return $data;
 141      }
 142  
 143      /**
 144       * Get the layout paths
 145       *
 146       * @return  array
 147       *
 148       * @since   4.0.0
 149       */
 150      protected function getLayoutPaths()
 151      {
 152          $template = Factory::getApplication()->getTemplate();
 153  
 154          return [
 155              JPATH_THEMES . '/' . $template . '/html/layouts',
 156              JPATH_SITE . '/layouts',
 157          ];
 158      }
 159  }