PageRenderTime 24ms CodeModel.GetById 20ms RepoModel.GetById 0ms app.codeStats 0ms

/application/controllers/IndexController.php

http://simple-php-contact-form.googlecode.com/
PHP | 368 lines | 201 code | 52 blank | 115 comment | 25 complexity | 0ebcae1d8919584999cc5fb0b342b16b MD5 | raw file
Possible License(s): BSD-3-Clause, Apache-2.0 
    

  1. <?php
    2. 

  2. /**
    3. 

  3.  * Simple PHP Contact Form
    4. 

  4.  *
    5. 

  5.  * This file is part of the Simple PHP Contact Form which is subject to the New
    6. 

  6.  * BSD License {@see LICENSE} which you would be advised to read before using,
    7. 

  7.  * modifying or redistributing this software.
    8. 

  8.  *
    9. 

  9.  * PHP version 5.2
    10. 

  10.  *
    11. 

  11.  * @category  Simple-PHP-Contact-Form
    12. 

  12.  * @package   Application_Controllers
    13. 

  13.  * @author    jah <jah@jahboite.co.uk>
    14. 

  14.  * @copyright 2010 jah <jah@jahboite.co.uk>
    15. 

  15.  * @license   New BSD License {@see LICENSE}
    16. 

  16.  * @version   SVN: $Id$
    17. 

  17.  * @link      http://code.google.com/p/simple-php-contact-form/
    18. 

  18.  */
    19. 

  19. 

  20. 

  21. /**
    22. 

  22.  * IndexController.
    23. 

  23.  *
    24. 

  24.  * @category  Simple-PHP-Contact-Form
    25. 

  25.  * @package   Application_Controllers
    26. 

  26.  * @author    jah <jah@jahboite.co.uk>
    27. 

  27.  * @copyright 2010 jah <jah@jahboite.co.uk>
    28. 

  28.  * @license   New BSD License {@see LICENSE}
    29. 

  29.  * @version   Release: @package_version@
    30. 

  30.  * @link      http://code.google.com/p/simple-php-contact-form/
    31. 

  31.  */
    32. 

  32. class IndexController extends Zend_Controller_Action
    33. 

  33. {
    34. 

  34.     private $_recipientsConfig = null;
    35. 

  35.     private $_formConfig       = null;
    36. 

  36.     private $_form             = null;
    37. 

  37.     private $_auditor          = null;
    38. 

  38. 

  39.     /**
    40. 

  40.      * Initialises the form at each request of this controller.
    41. 

  41.      * TODO error action doesn't need init - so either move the error action
    42. 

  42.      * or move the init stuff elsewhere.
    43. 

  43.      *
    44. 

  44.      * @return null
    45. 

  45.      */
    46. 

  46.     public function init()
    47. 

  47.     {
    48. 

  48.         // Get the form configuration data.
    49. 

  49.         $bs = $this->getInvokeArg('bootstrap');
    50. 

  50.         $formConfigLoc = $bs->getOption('formconfigloc');
    51. 

  51.         if ($formConfigLoc === null) {
    52. 

  52.             throw new EnterpriseSecurityException(
    53. 

  53.                 'Your request could not be fulfilled.',
    54. 

  54.                 'Contact Application cannot start, cannot find form configuration data!'
    55. 

  55.             );
    56. 

  56.         }
    57. 

  57.         $this->_formConfig = new Zend_Config_Ini(
    58. 

  58.             $formConfigLoc, APPLICATION_ENV, false
    59. 

  59.         );
    60. 

  60.         if (! $this->_formConfig instanceof Zend_Config) {
    61. 

  61.             throw new EnterpriseSecurityException(
    62. 

  62.                 'Your request could not be fulfilled.',
    63. 

  63.                 'Contact Application cannot start, cannot find form configuration data!'
    64. 

  64.             );
    65. 

  65.         }
    66. 

  66. 

  67.         // Get the recipients configuration data.
    68. 

  68.         $rcptConfigLoc = $bs->getOption('recipientsconfigloc');
    69. 

  69.         if (! empty($rcptConfigLoc)) {
    70. 

  70.             $this->_recipientsConfig = new Zend_Config_Ini(
    71. 

  71.                 $rcptConfigLoc, APPLICATION_ENV, false
    72. 

  72.             );
    73. 

  73.         }
    74. 

  74.         if (! $this->_recipientsConfig instanceof Zend_Config) {
    75. 

  75.             $this->_auditor = ESAPI::getAuditor('IndexController');
    76. 

  76.             $this->_auditor->warning(
    77. 

  77.                 Auditor::SECURITY,
    78. 

  78.                 false,
    79. 

  79.                 'Contact Application cannot find contact recipients data. Form submissions will be logged to file!'
    80. 

  80.             );
    81. 

  81.         }
    82. 

  82. 

  83.         // get a new form and pass recipient config data to it.
    84. 

  84.         $this->_form = $this->_helper->formLoader('contact', $this->_formConfig);
    85. 

  85.         $this->_form->setRecipientConfiguration($this->_recipientsConfig);
    86. 

  86.         $this->_form->setCaptcha();
    87. 

  87. 

  88.     }
    89. 

  89. 

  90. 

  91.     /**
    92. 

  92.      * The index action will add a form which will be rendered by the view.
    93. 

  93.      * If the form has been previously submitted and the form contained
    94. 

  94.      * validation errors then client will be redirected here and the form
    95. 

  95.      * will be retrieved from the session storage.
    96. 

  96.      *
    97. 

  97.      * @return null
    98. 

  98.      */
    99. 

  99.     public function indexAction()
    100. 

  100.     {
    101. 

  101.         // see if the form has already been submitted. if it was and it failed
    102. 

  102.         // validation then the form will be persisted in the session and can be
    103. 

  103.         // represented to the client.  if it passed validation the client can be
    104. 

  104.         // shown a thank you message.
    105. 

  105.         if (Zend_Session::sessionExists()) {
    106. 

  106. 

  107.             $ns = new Zend_Session_Namespace('Contact');
    108. 

  108. 

  109.             if ($ns->submission === false) {
    110. 

  110. 

  111.                 $this->view->contactForm = $ns->form;
    112. 

  112.                 unset($ns->form);
    113. 

  113.                 unset($ns->submission);
    114. 

  114.                 return;
    115. 

  115. 

  116.             } else if ($ns->submission === true) {
    117. 

  117. 

  118.                 unset($ns->submission);
    119. 

  119.                 $this->render('thanks');
    120. 

  120.                 return;
    121. 

  121. 

  122.             }
    123. 

  123.         }
    124. 

  124. 

  125.         // new form
    126. 

  126.         $this->_form->setCSRFToken();
    127. 

  127.         $this->view->contactForm = $this->_form;
    128. 

  128.     }
    129. 

  129. 

  130. 

  131.     /**
    132. 

  132.      * The send action is the target for form submission.  If the request does
    133. 

  133.      * not contain POST data then the response will be a redirect to the index
    134. 

  134.      * action where the form will be displayed.
    135. 

  135.      * POST data is validated and if successful an email will be sent before
    136. 

  136.      * redirecting the client away from the send action (to a success message).
    137. 

  137.      * If validation fails, the form is persisted in the session and the client
    138. 

  138.      * is redirected away from the send action to display the form with error
    139. 

  139.      * messages.
    140. 

  140.      * Whether or not the form is successfully validated, a user session will be
    141. 

  141.      * started so that the client can be tracked and certain thresholds enforced.
    142. 

  142.      *
    143. 

  143.      * @return null
    144. 

  144.      */
    145. 

  145.     public function sendAction()
    146. 

  146.     {
    147. 

  147.         if (! $this->_request->isPost()) {
    148. 

  148.             $this->_helper->getHelper('redirector')
    149. 

  149.                 ->setCode(303)
    150. 

  150.                 ->gotoSimple(
    151. 

  151.                     'index', null, null, $this->_request->getParams()
    152. 

  152.                 );
    153. 

  153.         }
    154. 

  154. 

  155.         $ns = new Zend_Session_Namespace('Contact');
    156. 

  156.         $ids = ESAPI::getIntrusionDetector();
    157. 

  157. 

  158.         // Is the form submission a valid one?
    159. 

  159.         $valid = $this->_form->isValid($this->_request->getPost());
    160. 

  160. 

  161.         // Check whether a csrf token is being re-used.  This should not happen
    162. 

  162.         // often due to the POST-Redirect-GET design of this application.
    163. 

  163.         // If the token is being reused then throw an Intrusion Exception.
    164. 

  164.         if (   isset($ns->history->token)
    165. 

  165.             && in_array($this->_form->token->getValue(), $ns->history->token)
    166. 

  166.         ) {
    167. 

  167.             throw new IntrusionException(
    168. 

  168.                 'Form resubmission is not permitted.',
    169. 

  169.                 'Submitted token is one contained in the history of the current session.'
    170. 

  170.             );
    171. 

  171.         }
    172. 

  172. 

  173.         if ($valid !== true) {
    174. 

  174. 

  175.             // Add a formValidationErrors event to the client session.
    176. 

  176.             $ids->addEvent(
    177. 

  177.                 'ValidationErrorEvent',
    178. 

  178.                 'Form submission contained inputs that caused Validation errors.'
    179. 

  179.             );
    180. 

  180. 

  181.             // There are certain validation errors that require an exception to
    182. 

  182.             // be thrown becuase errors for these elements is assumed to be
    183. 

  183.             // evidence of tampering. Throw IntrusionException if there are
    184. 

  184.             // errors in CSRFToken or recipientsMap.
    185. 

  185.             if ($this->_form->detectedTamper()) {
    186. 

  186.                 throw new IntrusionException(
    187. 

  187.                     'The submitted form contained invalid information.',
    188. 

  188.                     'Form submission contained evidence of tampering!'
    189. 

  189.                 );
    190. 

  190.             }
    191. 

  191. 

  192.             // Log a warning about failed validation and include the error
    193. 

  193.             // messages.
    194. 

  194.             $validationErrMsgs = $this->_form->getMessages(null, true);
    195. 

  195.             $vmsgs = '';
    196. 

  196.             foreach ($validationErrMsgs as $elem => $messageArray) {
    197. 

  197.                 $vmsgs .= "[{$elem}:";
    198. 

  198.                 foreach ($messageArray as $validator => $message) {
    199. 

  199.                     $vmsgs .= "{$validator}={$message};";
    200. 

  200.                 }
    201. 

  201.                 $vmsgs .= "] ";
    202. 

  202.             }
    203. 

  203.             ESAPI::getAuditor('IndexController')->warning(
    204. 

  204.                 Auditor::SECURITY,
    205. 

  205.                 false,
    206. 

  206.                 'Validation failure messages: ' . $vmsgs
    207. 

  207.             );
    208. 

  208.             // Store the form in the session so that we can perform a redirect
    209. 

  209.             // away from the send action. // TODO expire it soon!
    210. 

  210.             $ns->submission = false;
    211. 

  211.             $ns->form = $this->_form;
    212. 

  212.             $this->_helper->getHelper('redirector')
    213. 

  213.                 ->setCode(303)
    214. 

  214.                 ->gotoSimple(
    215. 

  215.                     'index', null, null, $this->_request->getParams()
    216. 

  216.                 );
    217. 

  217.             return;
    218. 

  218.         }
    219. 

  219. 

  220.         // We have a valid form!!
    221. 

  221. 

  222.         // Kill the CSRF cookie.
    223. 

  223.         setcookie(Form_Contact::CSRFCOOKIE, 'expired', 1, '/');
    224. 

  224. 

  225.         // Add token to map of submitted tokens
    226. 

  226.         if (is_array($ns->history->token)) {
    227. 

  227.             array_unshift($ns->history->token, $this->_form->token->getValue());
    228. 

  228.         } else {
    229. 

  229.             $ns->history->token = array($this->_form->token->getValue());
    230. 

  230.         }
    231. 

  231. 

  232.         // extract the valid values from the form and send a mail
    233. 

  233.         $validValues = array();
    234. 

  234.         $elements = $this->_form->getElements();
    235. 

  235.         foreach ($elements as $key => $elem) {
    236. 

  236.             $validValues[$key] = $elem->getValue();
    237. 

  237.         }
    238. 

  238.         // attempt to send a mail
    239. 

  239.         $successfulDelivery = $this->_helper->sendMail(
    240. 

  240.             $validValues, $this->_recipientsConfig
    241. 

  241.         );
    242. 

  242. 

  243.         // If mail delivery was not successful show a
    244. 

  244.         if ($successfulDelivery !== true) {
    245. 

  245. 

  246.             ESAPI::getAuditor('IndexController')->warning(
    247. 

  247.                 Auditor::SECURITY, false,
    248. 

  248.                 'Sending of mail failed - ' . $this->_helper->sendMail->getResponse()
    249. 

  249.             );
    250. 

  250.             $ids->addEvent(
    251. 

  251.                 'MailNotDeliveredEvent',
    252. 

  252.                 'successfully submitted valid contact form but mail was NOT sent.'
    253. 

  253.             );
    254. 

  254.             // TODO an encrypted logfile with failed email messages?
    255. 

  255.             // View helpful error message.
    256. 

  256.             throw new Exception('Successful form submission failed to be sent.');
    257. 

  257. 

  258.         } else {
    259. 

  259. 

  260.             $ns->submission = true;
    261. 

  261.             $this->_helper->getHelper('redirector')
    262. 

  262.                 ->setCode(303)
    263. 

  263.                 ->gotoSimple(
    264. 

  264.                     'index', null, null, $this->_request->getParams()
    265. 

  265.                 );
    266. 

  266.             return;
    267. 

  267. 

  268.         }
    269. 

  269. 

  270.     }
    271. 

  271. 

  272. 

  273.     /**
    274. 

  274.      * The router is set to /action and this segment of the url is overloaded
    275. 

  275.      * so that /someRecipient is also valid.  This __call method is invoked
    276. 

  276.      * whenever this segment of the url is not a defined action and in these
    277. 

  277.      * cases, the $actionMethod may be a valid recipient.  These sre trapped
    278. 

  278.      * here and, if valid, the request is re-dispatched to the index action to
    279. 

  279.      * which we pass a recipient parameter.
    280. 

  280.      * If a valid recipient is not found then execution is passed to the  parent
    281. 

  281.      * __call method.
    282. 

  282.      *
    283. 

  283.      * @param string $actionMethod Url segment.
    284. 

  284.      * @param array  $args         Request arguments.
    285. 

  285.      *
    286. 

  286.      * @return null
    287. 

  287.      */
    288. 

  288.     public function __call($actionMethod, $args)
    289. 

  289.     {
    290. 

  290.         $logger = ESAPI::getAuditor('IndexController');
    291. 

  291. 

  292.         // I do not anticipate this happening often...
    293. 

  293.         if (! is_string($actionMethod)) {
    294. 

  294. 

  295.             return parent::__call($actionMethod, $args);
    296. 

  296. 

  297.         }
    298. 

  298. 

  299.         // If there's less than two recipients defined, we don't need to trap
    300. 

  300.         // usernames. ignore them.
    301. 

  301.         if ($this->_recipientsConfig->count() < 2) {
    302. 

  302. 

  303.             return parent::__call($actionMethod, $args);
    304. 

  304. 

  305.         }
    306. 

  306. 

  307.         // Strip the trailing 'Action' from the method name.
    308. 

  308.         $method = null;
    309. 

  309.         $detectedCharacterEncoding = mb_detect_encoding($actionMethod);
    310. 

  310.         $len = mb_strlen($actionMethod, $detectedCharacterEncoding);
    311. 

  311.         if (mb_substr($actionMethod, $len-6, 6, $detectedCharacterEncoding) == 'Action' ) {
    312. 

  312.             $method = mb_substr(
    313. 

  313.                 $actionMethod, 0, $len-6, $detectedCharacterEncoding
    314. 

  314.             );
    315. 

  315.         } else {
    316. 

  316.             $method = $actionMethod;
    317. 

  317.         }
    318. 

  318. 

  319.         // Validate the possible recipient and, if valid, add a 'recipient'
    320. 

  320.         // request param and continue on to the indexAction of this controller.
    321. 

  321.         $recipientValidator = new Custom_Validate_ValidRecipient(
    322. 

  322.             $this->_recipientsConfig
    323. 

  323.         );
    324. 

  324.         if ($recipientValidator->isValid($method)) {
    325. 

  325.             $this->_request->setActionName('index');
    326. 

  326.             $this->_request->setParams(
    327. 

  327.                 array(
    328. 

  328.                     'recipient' => $method,
    329. 

  329.                     'action' => 'index'
    330. 

  330.                 )
    331. 

  331.             );
    332. 

  332.             $this->_request->setDispatched(false);
    333. 

  333.             return;
    334. 

  334.         }
    335. 

  335. 

  336.         return parent::__call($actionMethod, $args);
    337. 

  337.     }
    338. 

  338. 

  339. 

  340.     /**
    341. 

  341.      * The error controller will redirect the client here and a generic message will
    342. 

  342.      * be displayed. Direct requests for this page will result in a redirect to
    343. 

  343.      * index action.
    344. 

  344.      *
    345. 

  345.      * @return null
    346. 

  346.      */
    347. 

  347.     public function errorAction()
    348. 

  348.     {
    349. 

  349.         if (Zend_Session::sessionExists()) {
    350. 

  350.             $ns = new Zend_Session_Namespace('Contact');
    351. 

  351.             if ($ns->error === true) {
    352. 

  352.                 // Just show this view. Simples!
    353. 

  353.                 unset($ns->error);
    354. 

  354.                 return;
    355. 

  355.             }
    356. 

  356.         }
    357. 

  357. 

  358.         $this->_helper->getHelper('redirector')
    359. 

  359.             ->setCode(303)
    360. 

  360.             ->gotoSimple(
    361. 

  361.                 'index', null, null, $this->_request->getParams()
    362. 

  362.             );
    363. 

  363. 

  364.     }
    365. 

  365. 

  366. 

  367. }
    368. 

  368. 

  369.