ttrss/classes/pluginhandler.php

<?php
class PluginHandler extends Handler_Protected {
	function csrf_ignore($method) {
		return true;
	}

	function catchall($method) {
		$plugin_name = clean($_REQUEST["plugin"]);
		$plugin = PluginHost::getInstance()->get_plugin($plugin_name);
		$csrf_token = ($_POST["csrf_token"] ?? "");

		if ($plugin) {
			if (method_exists($plugin, $method)) {
				if (validate_csrf($csrf_token) || $plugin->csrf_ignore($method)) {
					$plugin->$method();
				} else {
					user_error("Rejected ${plugin_name}->${method}(): invalid CSRF token.", E_USER_WARNING);
					print Errors::to_json(Errors::E_UNAUTHORIZED);
				}
			} else {
				user_error("Rejected ${plugin_name}->${method}(): unknown method.", E_USER_WARNING);
				print Errors::to_json(Errors::E_UNKNOWN_METHOD);
			}
		} else {
			user_error("Rejected ${plugin_name}->${method}(): unknown plugin.", E_USER_WARNING);
			print Errors::to_json(Errors::E_UNKNOWN_PLUGIN);
		}
	}
}
experimental new plugin system 2012-12-23 10:52:18 +00:00			`<?php`
			`class PluginHandler extends Handler_Protected {`
			`function csrf_ignore($method) {`
			`return true;`
			`}`

			`function catchall($method) {`
af_readability: add missing file 2019-08-16 12:29:24 +00:00			`$plugin_name = clean($_REQUEST["plugin"]);`
			`$plugin = PluginHost::getInstance()->get_plugin($plugin_name);`
pluginhandlers: post notice if pluginmethod is requested without CSRF token 2021-02-17 11:05:12 +00:00			`$csrf_token = ($_POST["csrf_token"] ?? "");`
experimental new plugin system 2012-12-23 10:52:18 +00:00
pluginhandler: better error reporting 2013-03-16 08:26:14 +00:00			`if ($plugin) {`
			`if (method_exists($plugin, $method)) {`
* add (disabled) shortcut syntax for plugin methods * add controls shortcut for pluginhandler tags * add similar shortcut for frontend * allow plugins to selectively exclude their methods from CSRF checking 2021-02-17 18:44:21 +00:00			`if (validate_csrf($csrf_token) \|\| $plugin->csrf_ignore($method)) {`
pluginhandlers: post notice if pluginmethod is requested without CSRF token 2021-02-17 11:05:12 +00:00			`$plugin->$method();`
			`} else {`
pluginhandler: reject method requests without CSRF 2021-02-17 12:04:39 +00:00			`user_error("Rejected ${plugin_name}->${method}(): invalid CSRF token.", E_USER_WARNING);`
drop errors.php and simplify error handling 2021-02-23 19:26:07 +00:00			`print Errors::to_json(Errors::E_UNAUTHORIZED);`
pluginhandlers: post notice if pluginmethod is requested without CSRF token 2021-02-17 11:05:12 +00:00			`}`
pluginhandler: better error reporting 2013-03-16 08:26:14 +00:00			`} else {`
pluginhandlers: post notice if pluginmethod is requested without CSRF token 2021-02-17 11:05:12 +00:00			`user_error("Rejected ${plugin_name}->${method}(): unknown method.", E_USER_WARNING);`
drop errors.php and simplify error handling 2021-02-23 19:26:07 +00:00			`print Errors::to_json(Errors::E_UNKNOWN_METHOD);`
pluginhandler: better error reporting 2013-03-16 08:26:14 +00:00			`}`
			`} else {`
pluginhandlers: post notice if pluginmethod is requested without CSRF token 2021-02-17 11:05:12 +00:00			`user_error("Rejected ${plugin_name}->${method}(): unknown plugin.", E_USER_WARNING);`
drop errors.php and simplify error handling 2021-02-23 19:26:07 +00:00			`print Errors::to_json(Errors::E_UNKNOWN_PLUGIN);`
experimental new plugin system 2012-12-23 10:52:18 +00:00			`}`
			`}`
			`}`