Merge pull request #8472 from christianbeeznest/fixes-plugin-userremoteservice01

Plugin: Improve UserRemoteService plugin safety and UI

Author: christianbeeznest

public/main/admin/settings.lib.php

@@ -330,6 +330,7 @@ function getStablePluginAllowList(): array
         'LearningCalendar',
         'SurveyExportCsv',
         'SurveyExportTxt',
+        'UserRemoteService',
     ];
 }
 

public/plugin/UserRemoteService/Entity/UserRemoteService.php

@@ -1,129 +1,80 @@
 <?php
 /* For licensing terms, see /license.txt */
 
+declare(strict_types=1);
+
 namespace Chamilo\PluginBundle\UserRemoteService;
 
 use Doctrine\ORM\Mapping as ORM;
 use Exception;
 
-/**
- * UserRemoteService.
- *
- * @ORM\Table(name="plugin_user_remote_service")
- * @ORM\Entity
- */
+#[ORM\Table(name: 'plugin_user_remote_service')]
+#[ORM\Entity]
 class UserRemoteService
 {
-    /**
-     * @var int
-     *
-     * @ORM\Column(name="id", type="integer")
-     * @ORM\Id
-     * @ORM\GeneratedValue
-     */
-    protected $id;
+    #[ORM\Column(name: 'id', type: 'integer')]
+    #[ORM\Id]
+    #[ORM\GeneratedValue]
+    protected ?int $id = null;
 
-    /**
-     * @var string
-     *
-     * @ORM\Column(name="title", type="string", length=255, nullable=false)
-     */
-    protected $title;
+    #[ORM\Column(name: 'title', type: 'string', length: 255, nullable: false)]
+    protected string $title = '';
 
-    /**
-     * @var string
-     *
-     * @ORM\Column(name="url", type="string", length=255, nullable=false)
-     */
-    protected $url;
+    #[ORM\Column(name: 'url', type: 'string', length: 255, nullable: false)]
+    protected string $url = '';
 
-    /**
-     * @return int
-     */
-    public function getId()
+    public function getId(): ?int
     {
         return $this->id;
     }
 
-    /**
-     * @param int $id
-     *
-     * @return $this
-     */
-    public function setId($id)
+    public function setId(int $id): self
     {
         $this->id = $id;
 
         return $this;
     }
 
-    /**
-     * @return string
-     */
-    public function getTitle()
+    public function getTitle(): string
     {
         return $this->title;
     }
 
-    /**
-     * @param string $title
-     *
-     * @return UserRemoteService
-     */
-    public function setTitle($title)
+    public function setTitle(string $title): self
     {
         $this->title = $title;
 
         return $this;
     }
 
-    /**
-     * @return string
-     */
-    public function getURL()
+    public function getURL(): string
     {
         return $this->url;
     }
 
-    /**
-     * @param string $url
-     *
-     * @return UserRemoteService
-     */
-    public function setURL($url)
+    public function setURL(string $url): self
     {
         $this->url = $url;
 
         return $this;
     }
 
-    /**
-     * @return string
-     */
-    public function getAccessURL($pluginName)
+    public function getAccessURL(string $pluginName): string
     {
-        $accessUrl = api_get_path(WEB_PLUGIN_PATH).$pluginName."/redirect.php?serviceId=".$this->getId();
-
-        return $accessUrl;
+        return api_get_path(WEB_PLUGIN_PATH).$pluginName.'/redirect.php?serviceId='.(int) $this->getId();
     }
 
     /**
-     * Returns a user-specific URL, with two extra query string parameters : 'username' and 'hash'.
-     * 'hash' is generated using $salt and $userId.
-     *
-     * @param string $username the URL query parameter 'username'
-     * @param string $userId   the user identifier, to build the hash
-     * @param string $salt     the salt, to build the hash
-     *
-     * @throws Exception on hash generation failure
+     * Returns a user-specific URL with username and hash parameters.
      *
-     * @return string the custom user URL
+     * @throws Exception
      */
-    public function getCustomUserURL($username, $userId, $salt)
+    public function getCustomUserURL(string $username, int $userId, string $salt): string
     {
         $hash = password_hash($salt.$userId, PASSWORD_BCRYPT);
+
         if (false === $hash) {
-            throw new Exception('hash generation failed');
+            throw new Exception('Hash generation failed');
         }
 
         return sprintf(
@@ -140,21 +91,16 @@ public function getCustomUserURL($username, $userId, $salt)
     }
 
     /**
-     * Returns a user-specific URL, with two extra query string parameters : 'uid' and 'hash'.
-     * 'hash' is generated using $salt and $userId.
-     *
-     * @param string $userId the user identifier, to build the hash and to include for the uid parameter
-     * @param string $salt   the salt, to build the hash
+     * Returns a user-specific URL with uid and hash parameters.
      *
-     * @throws Exception on hash generation failure
-     *
-     * @return string the custom user redirect URL
+     * @throws Exception
      */
-    public function getCustomUserRedirectURL($userId, $salt)
+    public function getCustomUserRedirectURL(int $userId, string $salt): string
     {
         $hash = password_hash($salt.$userId, PASSWORD_BCRYPT);
+
         if (false === $hash) {
-            throw new Exception('hash generation failed');
+            throw new Exception('Hash generation failed');
         }
 
         return sprintf(

public/plugin/UserRemoteService/README.md

@@ -1,10 +1,44 @@
 User Remote Service Plugin
 ==========================
 
-Appends site-specific iframe-targeted user-identifying links to the menu bar.
-You can also hide the link from the menu and use the redirect link to use it as a link in a course.
+This plugin exposes signed user-specific links to external services.
 
-After activation, configure a __salt__ then select region __menu_administrator__.
+Flow
+----
 
-In the __Administration__ menu, in block __Plugins__,
-you will find a link __User Remote Services__ to manage the services in the main menu (title and URL) and also get the redirect URL to use in a course.
+1. Enable the plugin from the plugin list.
+2. Configure the plugin settings:
+   - Salt: required to generate signed hashes.
+   - Hide links from navigation menu: optional.
+3. Open the plugin administration page and create remote services with HTTP/HTTPS URLs.
+4. Authenticated users can open the service through:
+   - iframe.php?serviceId=ID
+   - redirect.php?serviceId=ID
+
+Generated parameters
+--------------------
+
+Iframe URLs receive:
+
+- username
+- hash
+
+Redirect URLs receive:
+
+- uid
+- hash
+
+The remote service can verify the hash with:
+
+```php
+password_verify($salt.$userId, $hash)
+```
+
+Security notes
+--------------
+
+- Only authenticated Chamilo users can open service links.
+- Service URLs must use HTTP or HTTPS.
+- Empty or invalid service IDs are rejected.
+- The plugin does not create or update Chamilo users.
+- The plugin only signs the current authenticated user and redirects/embeds the configured service.

public/plugin/UserRemoteService/admin.php

@@ -6,13 +6,10 @@
 api_protect_admin_script(true);
 
 $plugin = UserRemoteServicePlugin::create();
+$plugin->handleAdminPost();
 
 Display::display_header($plugin->get_title());
 
-echo $plugin->getCreationForm()->returnForm();
-
-echo $plugin->getDeletionForm()->returnForm();
-
-echo $plugin->getServiceHTMLTable();
+echo $plugin->getAdminPageHtml();
 
 Display::display_footer();

public/plugin/UserRemoteService/iframe.php

@@ -3,13 +3,17 @@
 
 require_once __DIR__.'/config.php';
 
-if (!api_user_is_login()) {
+if (api_is_anonymous()) {
     api_not_allowed(true);
 }
 
 $plugin = UserRemoteServicePlugin::create();
 
-Display::display_header();
+if (!$plugin->isEnabled()) {
+    api_not_allowed(true);
+}
+
+Display::display_header($plugin->get_title());
 
 echo $plugin->getIFrame();
 

public/plugin/UserRemoteService/index.php

@@ -3,8 +3,12 @@
 
 require_once __DIR__.'/config.php';
 
-if ('true' !== UserRemoteServicePlugin::create()->get_hide_link_from_navigation_menu()) {
-    foreach (UserRemoteServicePlugin::create()->getNavigationMenu() as $key => $menu) {
-        $template->params['menu'][$key] = $menu;
-    }
+$plugin = UserRemoteServicePlugin::create();
+
+if (!api_user_is_login() || !$plugin->isEnabled() || $plugin->get_hide_link_from_navigation_menu()) {
+    return;
+}
+
+foreach ($plugin->getNavigationMenu() as $key => $menu) {
+    $template->params['menu'][$key] = $menu;
 }

public/plugin/UserRemoteService/lang/en_US.php

@@ -22,3 +22,19 @@
 $strings['ServiceTitle'] = 'Service title';
 $strings['ServiceURL'] = 'Service web site location (URL)';
 $strings['RedirectAccessURL'] = "URL to use in Chamilo to redirect user to the service (URL)";
+$strings['Actions'] = 'Actions';
+$strings['AddRemoteService'] = 'Add remote service';
+$strings['CurrentServices'] = 'Current services';
+$strings['DeleteService'] = 'Delete service';
+$strings['InvalidSecurityToken'] = 'Invalid security token.';
+$strings['InvalidServiceTitle'] = 'Please enter a service title.';
+$strings['InvalidServiceUrl'] = 'Please enter a valid HTTP or HTTPS URL.';
+$strings['MissingSaltWarning'] = 'Configure a salt before exposing remote service links. The salt is required to generate signed user URLs.';
+$strings['NoServicesConfigured'] = 'No remote services have been configured yet.';
+$strings['OpenInIframe'] = 'Open in iframe';
+$strings['OpenRedirect'] = 'Open redirect URL';
+$strings['RemoteServicesDescription'] = 'Manage external services that receive signed user URLs from Chamilo. Only authenticated users can open these links.';
+$strings['ServiceCreated'] = 'The remote service has been created.';
+$strings['ServiceDeleted'] = 'The remote service has been deleted.';
+$strings['ServiceManagement'] = 'Remote service management';
+$strings['ServiceUnavailable'] = 'This remote service is not available. Check that the plugin is enabled, the salt is configured and the URL is valid.';

public/plugin/UserRemoteService/lang/es.php

@@ -21,3 +21,19 @@
 $strings['ServiceTitle'] = 'Título del servicio';
 $strings['ServiceURL'] = 'Ubicación del sitio web del servicio (URL)';
 $strings['RedirectAccessURL'] = 'URL a usar en Chamilo para redirigir al usuario al servicio (URL)';
+$strings['Actions'] = 'Acciones';
+$strings['AddRemoteService'] = 'Añadir servicio remoto';
+$strings['CurrentServices'] = 'Servicios actuales';
+$strings['DeleteService'] = 'Eliminar servicio';
+$strings['InvalidSecurityToken'] = 'Token de seguridad inválido.';
+$strings['InvalidServiceTitle'] = 'Ingrese un título para el servicio.';
+$strings['InvalidServiceUrl'] = 'Ingrese una URL HTTP o HTTPS válida.';
+$strings['MissingSaltWarning'] = 'Configure una sal antes de exponer enlaces de servicios remotos. La sal es necesaria para generar URLs firmadas de usuario.';
+$strings['NoServicesConfigured'] = 'Todavía no hay servicios remotos configurados.';
+$strings['OpenInIframe'] = 'Abrir en iframe';
+$strings['OpenRedirect'] = 'Abrir URL de redirección';
+$strings['RemoteServicesDescription'] = 'Administra servicios externos que reciben URLs firmadas de usuario desde Chamilo. Solo usuarios autenticados pueden abrir estos enlaces.';
+$strings['ServiceCreated'] = 'El servicio remoto ha sido creado.';
+$strings['ServiceDeleted'] = 'El servicio remoto ha sido eliminado.';
+$strings['ServiceManagement'] = 'Gestión de servicios remotos';
+$strings['ServiceUnavailable'] = 'Este servicio remoto no está disponible. Verifique que el plugin esté activo, la sal esté configurada y la URL sea válida.';

public/plugin/UserRemoteService/redirect.php

@@ -3,11 +3,21 @@
 
 require_once __DIR__.'/config.php';
 
-if (!api_user_is_login()) {
+if (api_is_anonymous()) {
     api_not_allowed(true);
 }
 
 $plugin = UserRemoteServicePlugin::create();
 
-header('Location: '.$plugin->getActiveServiceSpecificUserUrl());
+if (!$plugin->isEnabled()) {
+    api_not_allowed(true);
+}
+
+$url = $plugin->getActiveServiceSpecificUserUrl();
+
+if (empty($url)) {
+    api_not_allowed(true);
+}
+
+header('Location: '.$url);
 exit;