- Lookup anon profiles by ID (safer because they are guranteed to be unique) and probably faster
- Obfuscate the anonymous user session token to make it hard to figure out the profile ID
This commit is contained in:
parent
5ca280f203
commit
ba69842844
|
@ -151,7 +151,7 @@ class AnonymousFavePlugin extends Plugin {
|
||||||
|
|
||||||
if (!common_logged_in()) {
|
if (!common_logged_in()) {
|
||||||
|
|
||||||
$profile = $this->getAnonProfile();
|
$profile = AnonymousFavePlugin::getAnonProfile();
|
||||||
if (!empty($profile)) {
|
if (!empty($profile)) {
|
||||||
if ($profile->hasFave($item->notice)) {
|
if ($profile->hasFave($item->notice)) {
|
||||||
$disfavor = new AnonDisFavorForm($item->out, $item->notice);
|
$disfavor = new AnonDisFavorForm($item->out, $item->notice);
|
||||||
|
@ -207,42 +207,58 @@ class AnonymousFavePlugin extends Plugin {
|
||||||
|
|
||||||
// Get the anon user's IP, and turn it into a nickname
|
// Get the anon user's IP, and turn it into a nickname
|
||||||
list($proxy, $ip) = common_client_ip();
|
list($proxy, $ip) = common_client_ip();
|
||||||
// IP + time + random number should avoid collisions
|
|
||||||
$nickname = 'anonymous-' . $ip . '-' . time() . '-' . common_good_rand(5);
|
// IP + time + random number should help to avoid collisions
|
||||||
|
$baseNickname = $ip . '-' . time() . '-' . common_good_rand(5);
|
||||||
|
|
||||||
$profile = new Profile();
|
$profile = new Profile();
|
||||||
$profile->nickname = $nickname;
|
$profile->nickname = $baseNickname;
|
||||||
$id = $profile->insert();
|
$id = $profile->insert();
|
||||||
|
|
||||||
if (!empty($id)) {
|
if (!$id) {
|
||||||
common_log(
|
throw new ServerException(_m("Couldn't create anonymous user session"));
|
||||||
LOG_INFO,
|
|
||||||
"AnonymousFavePlugin - created profile for anonymous user from IP: "
|
|
||||||
. $ip
|
|
||||||
. ', nickname = '
|
|
||||||
. $nickname
|
|
||||||
);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Stick the Profile ID into the nickname
|
||||||
|
$orig = clone($profile);
|
||||||
|
|
||||||
|
$profile->nickname = 'anon-' . $id . '-' . $baseNickname;
|
||||||
|
$result = $profile->update($orig);
|
||||||
|
|
||||||
|
if (!$result) {
|
||||||
|
throw new ServerException(_m("Couldn't create anonymous user session"));
|
||||||
|
}
|
||||||
|
|
||||||
|
common_log(
|
||||||
|
LOG_INFO,
|
||||||
|
"AnonymousFavePlugin - created profile for anonymous user from IP: "
|
||||||
|
. $ip
|
||||||
|
. ', nickname = '
|
||||||
|
. $profile->nickname
|
||||||
|
);
|
||||||
|
|
||||||
return $profile;
|
return $profile;
|
||||||
}
|
}
|
||||||
|
|
||||||
function getAnonProfile() {
|
static function getAnonProfile() {
|
||||||
|
|
||||||
$anon = $_SESSION['anon_nickname'];
|
$token = $_SESSION['anon_token'];
|
||||||
|
$anon = base64_decode($token);
|
||||||
|
|
||||||
$profile = null;
|
$profile = null;
|
||||||
|
|
||||||
if (!empty($anon)) {
|
if (!empty($anon) && substr($anon, 0, 5) == 'anon-') {
|
||||||
$profile = Profile::staticGet('nickname', $anon);
|
$parts = explode('-', $anon);
|
||||||
|
$id = $parts[1];
|
||||||
|
// Do Profile lookup by ID instead of nickname for safety/performance
|
||||||
|
$profile = Profile::staticGet('id', $id);
|
||||||
} else {
|
} else {
|
||||||
$profile = $this->createAnonProfile();
|
$profile = $this->createAnonProfile();
|
||||||
$_SESSION['anon_nickname'] = $profile->nickname;
|
// Obfuscate so it's hard to figure out the Profile ID
|
||||||
|
$_SESSION['anon_token'] = base64_encode($profile->nickname);
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!empty($profile)) {
|
return $profile;
|
||||||
return $profile;
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
|
|
@ -54,15 +54,7 @@ class AnonDisfavorAction extends RedirectingAction
|
||||||
{
|
{
|
||||||
parent::handle($args);
|
parent::handle($args);
|
||||||
|
|
||||||
$anon = $_SESSION['anon_nickname'];
|
$profile = AnonymousFavePlugin::getAnonProfile();
|
||||||
|
|
||||||
$profile = Profile::staticGet('nickname', $anon);
|
|
||||||
|
|
||||||
if (empty($profile)) {
|
|
||||||
common_debug(
|
|
||||||
"AnonDisFavorAction - Anon user tried to disfave a notice but doesn't have a profile."
|
|
||||||
);
|
|
||||||
}
|
|
||||||
|
|
||||||
if (empty($profile) || $_SERVER['REQUEST_METHOD'] != 'POST') {
|
if (empty($profile) || $_SERVER['REQUEST_METHOD'] != 'POST') {
|
||||||
$this->clientError(
|
$this->clientError(
|
||||||
|
|
|
@ -54,14 +54,7 @@ class AnonFavorAction extends RedirectingAction
|
||||||
{
|
{
|
||||||
parent::handle($args);
|
parent::handle($args);
|
||||||
|
|
||||||
$anon = $_SESSION['anon_nickname'];
|
$profile = AnonymousFavePlugin::getAnonProfile();
|
||||||
$profile = Profile::staticGet('nickname', $anon);
|
|
||||||
|
|
||||||
if (empty($profile)) {
|
|
||||||
common_debug(
|
|
||||||
"AnonFavorAction - Anon user tried to fave a notice but doesn't have a profile."
|
|
||||||
);
|
|
||||||
}
|
|
||||||
|
|
||||||
if (empty($profile) || $_SERVER['REQUEST_METHOD'] != 'POST') {
|
if (empty($profile) || $_SERVER['REQUEST_METHOD'] != 'POST') {
|
||||||
$this->clientError(
|
$this->clientError(
|
||||||
|
|
Loading…
Reference in New Issue
Block a user