Set verified checksum contact in the session

colemanw · Sep 9, 2023 · 1866afd · 1866afd
1 parent 192a3ac
commit 1866afd
Show file tree

Hide file tree

Showing 3 changed files with 61 additions and 13 deletions.
diff --git a/src/ContactComponent.php b/src/ContactComponent.php
@@ -13,6 +13,11 @@
  */
 class ContactComponent implements ContactComponentInterface {
 
+  /**
+   * UtilsInterface object
+   */
+  protected $utils;
+
   public function __construct(UtilsInterface $utils) {
     $this->utils = $utils;
   }
@@ -216,19 +221,10 @@ function wf_crm_contact_access($component, $filters, $cid) {
     if ($cid == $this->utils->wf_crm_user_cid()) {
       $filters['checkPermissions'] = FALSE;
     }
-    if (!empty($filters['checkPermissions'])) {
-      // If we have a valid checksum for this contact, bypass other permission checks
-      // For legacy reasons we support "cid" param as an alias of "cid1"
-      // ToDo use: \Drupal::request()->query->all();
-      if (wf_crm_aval($_GET, "cid$c") == $cid || ($c == 1 && wf_crm_aval($_GET, "cid") == $cid)) {
-        // For legacy reasons we support "cs" param as an alias of "cs1"
-        if (!empty($_GET['cs']) && $c == 1 && \CRM_Contact_BAO_Contact_Utils::validChecksum($cid, $_GET['cs'])) {
-          $filters['checkPermissions'] = FALSE;
-        }
-        elseif (!empty($_GET["cs$c"]) && \CRM_Contact_BAO_Contact_Utils::validChecksum($cid, $_GET["cs$c"])) {
-          $filters['checkPermissions'] = FALSE;
-        }
-      }
+    // If checksum is included in the URL, bypass the permission.
+    $checksumValid = $this->utils->checksumUserAccess($c, $cid);
+    if (!empty($filters['checkPermissions']) && $checksumValid) {
+      $filters['checkPermissions'] = FALSE;
     }
     // Fetch contact name with filters applied
     $result = $this->utils->wf_civicrm_api4('Contact', 'get', $filters)[0] ?? [];

diff --git a/src/Utils.php b/src/Utils.php
@@ -1021,4 +1021,45 @@ public function hasMultipleValues($element) {
     return FALSE;
   }
 
+
+  /**
+   * @inheritDoc
+   */
+  public function checksumUserAccess($c, $cid) {
+    $request = \Drupal::request();
+    $session = \CRM_Core_Session::singleton();
+    $urlCid1 = $request->query->get('cid');
+    $urlChecksum1 = $request->query->get('cs');
+
+    $urlCidN = $request->query->get("cid$c");
+    $urlChecksumN = $request->query->get("cs$c");
+
+    $cs = NULL;
+    if ($c == 1 && !empty($urlChecksum1)) {
+      $cs = $urlChecksum1;
+    }
+    elseif (!empty($urlChecksumN)) {
+      $cs = $urlChecksumN;
+    }
+    if ($cs && (($c == 1 && $urlCid1 == $cid) || $urlCidN == $cid)) {
+      $check_access = $this->wf_civicrm_api4('Contact', 'validateChecksum', [
+        'contactId' => $cid,
+        'checksum' => $cs,
+      ])[0] ?? [];
+      if ($check_access['valid']) {
+        if ($c == 1) {
+          $session->set('userID', $cid);
+        }
+        else {
+          return TRUE;
+        }
+      }
+    }
+    // If no checksum is passed and user is anonymous, reset prev checksum session values if any.
+    if (\Drupal::currentUser()->isAnonymous() && $session->get('userID') && $c == 1 && empty($urlChecksum1)) {
+      $session->reset();
+    }
+    return FALSE;
+  }
+
 }
diff --git a/src/UtilsInterface.php b/src/UtilsInterface.php
@@ -318,4 +318,15 @@ function wf_crm_custom_types_map_array();
    */
   function wf_crm_get_civi_setting($setting_name, $default_value = NULL);
 
+  /**
+   * Set checksum user in the session.
+   *
+   * @param int $c
+   * @param int $cid
+   *
+   * @return boolean
+   *   TRUE if checksum is valid.
+   */
+  function checksumUserAccess($c, $cid);
+
 }