lepton_securecms.php

Go to the documentation of this file.

<?php
 
declare(strict_types=1);
 
class LEPTON_securecms
{
    public string $_salt = '';
    public string $_reftoken = '';
    
    public function __construct()
    {
        $this->_generate_salt();
    }
    
    public function _generate_salt(): void
    {
        // server depending values
        $salt = $_SERVER['SERVER_SIGNATURE'] ?? 'L';
        $salt .= $_SERVER['SERVER_SOFTWARE'] ?? 'E';
        $salt .= $_SERVER['SERVER_NAME'] ?? 'P';
        $salt .= $_SERVER['SERVER_ADDR'] ?? 'T';
        $salt .= $_SERVER['SERVER_PORT'] ?? 'ON';
        $salt .= PHP_VERSION;
        $salt .= time();
        $this->_salt = $salt;
    }
    
    public function createLepToken(): string
    {
        if (function_exists('microtime'))
        {
            list($usec, $sec) = explode(" ", microtime());
            $time = (string) ((float) $usec + (float) $sec);
        }
        else
        {
            $time = (string) time();
        }
        
        $token = substr(hash("sha512", $time . $this->_salt), 0, 21) . "z" . substr($time, 0, 10);
 
        (isset($_SESSION['LepTokens'])) ? $_SESSION['LepTokens'][] = $token : $_SESSION['LepTokens'] = [$token];
        (isset($_SESSION['LepTokens'])) ? ($_SESSION['LepTokens'][$token] = $this->_reftoken) : ($_SESSION['LepTokens'] = [$token => $this->_reftoken]);
 
        return $token;
    }
    
    public function checkLepToken(): bool
    {
//    echo (LEPTON_tools::display($_SESSION['LepTokens'] ?? "no token", "pre", "ui message green")); 
//    echo (LEPTON_tools::display($_REQUEST, "pre", "ui message green")); 
 
        if (!LEPTOKEN_LIFETIME)
        {
            return true;
        }
        
        $retval    = false;
        
        if (isset($_GET['leptoken']))
        {
            $currentToken= $_GET['leptoken'];
        }
        elseif (isset($_GET['amp;leptoken']))
        {
            $currentToken= $_GET['amp;leptoken'];
        }
        elseif (isset($_POST['leptoken']))
        {
            $currentToken= $_POST['leptoken'];
        }
        elseif (isset($_POST['amp;leptoken']))
        {
            $currentToken= $_POST['amp;leptoken'];
        }
        else
        {
            return $retval;
        }
        
        if (isset($_SESSION['LepTokens']))
        {
            // delete dated tokens, except the last one
            $this->deleteLepTokensByTimeout();
          
            if ($this->testForReloadPage($currentToken) === true)
            {
                return true;
            }
            $tokens = $_SESSION['LepTokens'];
            // $n = count($tokens);
            
            // echo (LEPTON_tools::display($tokens, "pre", "ui message green"));
            
            foreach ($tokens as $token => $ref)
            {
 
                if ($currentToken== $token)
                {
                    $retval = true;
                    foreach($_SESSION['LepTokens'] as $index => $value)
                    {
                        if($value === $token)
                        {
                            $aRev = explode("z", $token);
                            $aRefTime = intval($aRev[1] ?? 0);
                            if (time() - $aRefTime > 60*10)
                            unset($_SESSION['LepTokens'][$index], $_SESSION['LepTokens'][$value]);
                            //break;
                        }
                    }
                    //break;
                }
            }
                
            
        }
        return $retval;
    }
 
    /*
     * delete all Tokens in $_SESSION
     * @access public
     * for use in frontend addons to prevent backend access
     *
     * requirements: an active session must be available and LEPTOKEN must be enabled!
     * 
     */
    static public function clearLepTokens(): void
    {
        if (isset($_SESSION['LepTokens']) && isset($_SESSION['GROUPS_ID']))
        {
            $aTemp = explode(", ", $_SESSION['GROUPS_ID']);
            if ((!in_array(1, $aTemp)) && ((false === LEPTON_admin::getUserPermission("settings_backend_permission")) && (false === LEPTON_admin::getUserPermission("backend_permission"))))
            {
                
                unset($_SESSION['LepTokens']);
            }
        } 
    }
    
    private function deleteLepTokensByTimeout(): bool
    {
        $timeOut = intval(time() - LEPTOKEN_LIFETIME);
        foreach($_SESSION['LepTokens'] as $key => $value)
        {
            $tempToken = empty($value) ? $key : $value;
            $tempTerms = explode("z", $tempToken);
            $tokenTime = intval($tempTerms[1]);
            if ($tokenTime < $timeOut)
            {
                unset($_SESSION['LepTokens'][$key], $_SESSION['LepTokens'][$value]);
            } 
        }
        
        return true;
    }
    
    private function testForReloadPage($lookUpToken): bool
    {
        $counter = 0;
        $deleteFlag = false;
        foreach($_SESSION['LepTokens'] as $key => $value)
        {
            if (($key == $lookUpToken) && ($counter > 1))
            {
                // delete followers
                $deleteFlag= true;
                continue;
            } else {
                $counter++;
            }
            
            if ($deleteFlag === true)
            {
                unset($_SESSION['LepTokens'][$key], $_SESSION['LepTokens'][$value]);
            }
        }
        
        if (true === $deleteFlag)
        {
            $_SESSION['LepTokens'] = [];
            $_SESSION['LepTokens'][] = $lookUpToken;
            $_SESSION['LepTokens'][$key] = "";
        }
        return $deleteFlag;
    }
 
}