From 1866afd9a8ca232703c86e5a8df506d4ce4c2cf0 Mon Sep 17 00:00:00 2001
From: Jitendra Purohit
Date: Sat, 9 Sep 2023 18:02:49 +0530
Subject: [PATCH] Set verified checksum contact in the session

---
 src/ContactComponent.php | 22 +++++++++------------
 src/Utils.php | 41 ++++++++++++++++++++++++++++++++++++++++
 src/UtilsInterface.php | 11 +++++++++++
 3 files changed, 61 insertions(+), 13 deletions(-)

diff --git a/src/ContactComponent.php b/src/ContactComponent.php
index 154aff580..e7ae76517 100644
--- a/src/ContactComponent.php
+++ b/src/ContactComponent.php
@@ -13,6 +13,11 @@
 */
 class ContactComponent implements ContactComponentInterface {
 
+ /**
+ * UtilsInterface object
+ */
+ protected $utils;
+
 public function __construct(UtilsInterface $utils) {
 $this->utils = $utils;
 }
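Review bot: The new property docblock `/** UtilsInterface object */` carries no machine-readable type, so static analysis and IDEs learn nothing from it. I'd write it as `/** @var UtilsInterface */`, which reuses the interface the constructor already type-hints and needs no new import; if the module's minimum PHP version permits typed properties, `protected UtilsInterface $utils;` would make the docblock unnecessary altogether.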
@@ -216,19 +221,10 @@ function wf_crm_contact_access($component, $filters, $cid) {
 if ($cid == $this->utils->wf_crm_user_cid()) {
 $filters['checkPermissions'] = FALSE;
 }
- if (!empty($filters['checkPermissions'])) {
- // If we have a valid checksum for this contact, bypass other permission checks
- // For legacy reasons we support "cid" param as an alias of "cid1"
- // ToDo use: \Drupal::request()->query->all();
- if (wf_crm_aval($_GET, "cid$c") == $cid || ($c == 1 && wf_crm_aval($_GET, "cid") == $cid)) {
- // For legacy reasons we support "cs" param as an alias of "cs1"
- if (!empty($_GET['cs']) && $c == 1 && \CRM_Contact_BAO_Contact_Utils::validChecksum($cid, $_GET['cs'])) {
- $filters['checkPermissions'] = FALSE;
- }
- elseif (!empty($_GET["cs$c"]) && \CRM_Contact_BAO_Contact_Utils::validChecksum($cid, $_GET["cs$c"])) {
- $filters['checkPermissions'] = FALSE;
- }
- }
+ // If checksum is included in the URL, bypass the permission.
+ $checksumValid = $this->utils->checksumUserAccess($c, $cid);
+ if (!empty($filters['checkPermissions']) && $checksumValid) {
+ $filters['checkPermissions'] = FALSE;
 }
 // Fetch contact name with filters applied
 $result = $this->utils->wf_civicrm_api4('Contact', 'get', $filters)[0] ?? [];
diff --git a/src/Utils.php b/src/Utils.php
index 0fb062dba..8e78d1186 100644
--- a/src/Utils.php
+++ b/src/Utils.php
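Review bot: `checksumUserAccess()` is now invoked before the `!empty($filters['checkPermissions'])` test, so its validateChecksum API call and its session writes run even when the permission check was already bypassed (for instance by the `$cid == wf_crm_user_cid()` branch just above), whereas the removed code only consulted the checksum inside that branch. If the session side effect is meant to happen on every request, keep the order but say so in the comment; otherwise restore the short-circuit with `if (!empty($filters['checkPermissions']) && $this->utils->checksumUserAccess($c, $cid)) {`. The comment `// If checksum is included in the URL, bypass the permission.` also oversells what happens for the first contact: the helper added in this patch's Utils.php hunk returns FALSE for `$c == 1` even when the checksum validates, storing the contact in the CiviCRM session instead, so `$filters['checkPermissions']` is not cleared here for that case and the comment should mention that the bypass relies on the session contact. wf_crm_contact_access() begins and ends outside this hunk.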
@@ -1021,4 +1021,45 @@ public function hasMultipleValues($element) {
 return FALSE;
 }
 
+
+ /**
+ * @inheritDoc
+ */
+ public function checksumUserAccess($c, $cid) {
+ $request = \Drupal::request();
+ $session = \CRM_Core_Session::singleton();
+ $urlCid1 = $request->query->get('cid');
+ $urlChecksum1 = $request->query->get('cs');
+
+ $urlCidN = $request->query->get("cid$c");
+ $urlChecksumN = $request->query->get("cs$c");
+
+ $cs = NULL;
+ if ($c == 1 && !empty($urlChecksum1)) {
+ $cs = $urlChecksum1;
+ }
+ elseif (!empty($urlChecksumN)) {
+ $cs = $urlChecksumN;
+ }
+ if ($cs && (($c == 1 && $urlCid1 == $cid) || $urlCidN == $cid)) {
+ $check_access = $this->wf_civicrm_api4('Contact', 'validateChecksum', [
+ 'contactId' => $cid,
+ 'checksum' => $cs,
+ ])[0] ?? [];
+ if ($check_access['valid']) {
+ if ($c == 1) {
+ $session->set('userID', $cid);
+ }
+ else {
+ return TRUE;
+ }
+ }
+ }
+ // If no checksum is passed and user is anonymous, reset prev checksum session values if any.
+ if (\Drupal::currentUser()->isAnonymous() && $session->get('userID') && $c == 1 && empty($urlChecksum1)) {
+ $session->reset();
+ }
+ return FALSE;
+ }
+
 }
diff --git a/src/UtilsInterface.php b/src/UtilsInterface.php
index 1e4523026..7e9c09555 100644
--- a/src/UtilsInterface.php
+++ b/src/UtilsInterface.php
@@ -318,4 +318,15 @@ function wf_crm_custom_types_map_array();
 */
 function wf_crm_get_civi_setting($setting_name, $default_value = NULL);
 
+ /**
+ * Set checksum user in the session.
+ *
+ * @param int $c
+ * @param int $cid
+ *
+ * @return boolean
+ * TRUE if checksum is valid.
+ */
+ function checksumUserAccess($c, $cid);
+
 }
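Review bot: For `$c == 1` a checksum supplied through the `cs1` alias is validated and stored but then undone in the same call: `$cs` falls back to `$urlChecksumN` when `cs` is absent, yet the reset condition at the bottom tests `empty($urlChecksum1)`, so for an anonymous visitor `$session->reset()` fires right after `$session->set('userID', $cid)` and the contact is lost; testing the resolved value instead, `... && $c == 1 && $cs === NULL) {`, keeps the reset for genuinely checksum-less requests only. `$check_access['valid']` needs a guard such as `if (!empty($check_access['valid'])) {`, because the `?? []` default leaves `$check_access` empty when the API returns nothing and indexing it then emits a warning rather than a clean FALSE. The session write runs for any valid checksum regardless of who is browsing, so an authenticated Drupal user following a checksum link for a different contact appears to have their CiviCRM session `userID` replaced by that contact; if that is not intended, restrict the `set()` to `\Drupal::currentUser()->isAnonymous()`. The `$urlCid1 == $cid` and `$urlCidN == $cid` comparisons pit a raw query string against an integer with loose equality; `(int) $urlCidN === (int) $cid` states the intent explicitly. checksumUserAccess() is complete within this hunk.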
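Review bot: The interface docblock promises `@return boolean TRUE if checksum is valid.`, but the implementation added in this patch's Utils.php hunk returns FALSE for `$c == 1` even when the checksum validates, recording the contact as the CiviCRM session `userID` instead, so a caller relying on the documented contract will misbehave for the first contact. Either document the actual behaviour — for example `TRUE if a valid checksum was supplied for contact $c other than 1; for contact 1 a valid checksum is stored as the CiviCRM session userID and FALSE is returned` — or make the implementation return TRUE in both branches so the contract holds. The `@param` lines would also benefit from a word each: `$c` is the contact number whose `cid$c`/`cs$c` query parameters are read (1 also accepts the bare `cid`/`cs` aliases) and `$cid` is the CiviCRM contact id being checked, and `boolean` should be `bool` per Drupal coding standards.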