From 0bd07ef211d5db93728bf11f38166312cef4a603 Mon Sep 17 00:00:00 2001
From: ivan
Date: Sat, 21 Jan 2017 01:17:28 -0300
Subject: [PATCH] Ivan - Add token ticket for backend [skip ci]
---
 server/controllers/ticket/comment.php | 12 +++++--
 server/controllers/ticket/get.php | 45 +++++++++++++++++++++------
 server/models/Session.php | 11 ++++++-
 3 files changed, 55 insertions(+), 13 deletions(-)
diff --git a/server/controllers/ticket/comment.php b/server/controllers/ticket/comment.php
index cd7713e1..cc0d24ba 100644
--- a/server/controllers/ticket/comment.php
+++ b/server/controllers/ticket/comment.php
@@ -25,9 +25,15 @@ class CommentController extends Controller {
 if(!Controller::isUserSystemEnabled()) {
 $validations['permission'] = 'any';
- $validations['requestData']['email'] = [
- 'validation' => DataValidator::email(),
- 'error' => ERRORS::INVALID_EMAIL
+ $session = Session::getInstance();
+
+ $validations['requestData']['csrf_token'] = [
+ 'validation' => DataValidator::equals($session->getToken()),
+ 'error' => ERRORS::NO_PERMISSION
+ ];
+ $validations['requestData']['ticketNumber'] = [
+ 'validation' => DataValidator::equals($session->getTicketNumber()),
+ 'error' => ERRORS::INVALID_TICKET
 ];
 }
diff --git a/server/controllers/ticket/get.php b/server/controllers/ticket/get.php
index 6e2a6758..61cba027 100644
--- a/server/controllers/ticket/get.php
+++ b/server/controllers/ticket/get.php
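Review bot: The two new rules accept an absent parameter whenever the session holds no ticket session: `DataValidator::equals($session->getToken())` and `equals($session->getTicketNumber())` compare the request values against whatever `getStoredData` returns for a missing key (presumably null), and if the wrapper forwards to Respect's loose `equals` a request that simply omits `csrf_token` and `ticketNumber` compares equal to that. Require an established ticket session before building the rules, e.g. `if($session->getTicketNumber() === null) { throw new Exception(ERRORS::NO_PERMISSION); }` ahead of them (if validations() may throw here), and prefer the identical/strict form of the comparison so a random token is never compared with `==`. The same pattern appears in the `token` branch of the get.php validations() hunk. The enclosing validations() method starts before and ends after this hunk.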
@@ -20,14 +20,28 @@ class TicketGetController extends Controller {
 if(!Controller::isUserSystemEnabled() && !Controller::isStaffLogged()) {
 $validations['permission'] = 'any';
- $validations['requestData']['email'] = [
- 'validation' => DataValidator::email(),
- 'error' => ERRORS::INVALID_EMAIL
- ];
- $validations['requestData']['captcha'] = [
- 'validation' => DataValidator::captcha(),
- 'error' => ERRORS::INVALID_CAPTCHA
- ];
+
+ if(Controller::request('token')) {
+ $session = Session::getInstance();
+
+ $validations['requestData']['csrf_token'] = [
+ 'validation' => DataValidator::equals($session->getToken()),
+ 'error' => ERRORS::NO_PERMISSION
+ ];
+ $validations['requestData']['ticketNumber'] = [
+ 'validation' => DataValidator::equals($session->getTicketNumber()),
+ 'error' => ERRORS::INVALID_TICKET
+ ];
+ } else {
+ $validations['requestData']['email'] = [
+ 'validation' => DataValidator::email(),
+ 'error' => ERRORS::INVALID_EMAIL
+ ];
+ $validations['requestData']['captcha'] = [
+ 'validation' => DataValidator::captcha(),
+ 'error' => ERRORS::INVALID_CAPTCHA
+ ];
+ }
 }
 return $validations;
@@ -40,7 +54,11 @@ class TicketGetController extends Controller {
 if(!Controller::isUserSystemEnabled() && !Controller::isStaffLogged()) {
 if($this->ticket->authorEmail === $email) {
- Response::respondSuccess($this->ticket->toArray());
+ if(!Controller::request('token')) {
+ $this->generateSessionToken();
+ } else {
+ Response::respondSuccess($this->ticket->toArray());
+ }
 return;
 } else {
 throw new Exception(ERRORS::NO_PERMISSION);
@@ -54,6 +72,15 @@ class TicketGetController extends Controller {
 }
 }
+ private function generateSessionToken() {
+ $session = Session::getInstance();
+ $token = Hashing::generateRandomToken();
+
+ $session->createTicketSession($this->ticket->ticketNUmber);
+
+ Response::respondSuccess(['token' => $token, 'ticketNumber' => $this->ticket->ticketNUmber]);
+ }
+
 private function shouldDenyPermission() {
 $user = Controller::getLoggedUser();
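Review bot: The branch is selected on `Controller::request('token')` but the value it validates is `csrf_token`, so the `token` the client received from generateSessionToken is never itself checked — any non-empty `token` switches the request onto the session path and only `csrf_token` decides the outcome. Use one parameter name for the issued token in both the branch test and the `equals` rule, e.g. `if(Controller::request('csrf_token')) {`, or validate `token` instead. The null-comparison concern raised on the comment.php hunk applies to this branch as well. validations() continues outside the hunk.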
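Review bot: The session path still requires the e-mail to match: the new `if(!Controller::request('token'))` sits inside `if($this->ticket->authorEmail === $email)`, yet the `token` branch of validations() no longer validates an `email` parameter, so a client that sends only the issued token and ticket number is refused with NO_PERMISSION (assuming `$email` is read from the request, which happens outside the hunk). Authorize the token path by the session binding instead, e.g. `if(Controller::request('token') && Session::getInstance()->getTicketNumber() === $this->ticket->ticketNumber) { Response::respondSuccess($this->ticket->toArray()); return; }` placed before the e-mail check, minding that the stored and model values must have the same type for `===`. The handler method starts and ends outside the hunk.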
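Review bot: The token returned to the client is not the one the session stores: `$token = Hashing::generateRandomToken()` is only echoed back, while `createTicketSession` generates and stores a second random token, so a later `equals($session->getToken())` check can never match the value the client holds. Drop the local `$token` and respond with `'token' => $session->getToken()` after the `createTicketSession` call. `$this->ticket->ticketNUmber` also looks like a typo for `ticketNumber`; PHP property names are case-sensitive, so unless the model really declares it that way the session is bound to null. A short docblock such as `/** Issues a one-ticket guest session bound to this ticket and returns its token. */` would make the method's role clear.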
diff --git a/server/models/Session.php b/server/models/Session.php
index 9535876a..eceb9c13 100644
--- a/server/models/Session.php
+++ b/server/models/Session.php
@@ -29,6 +29,15 @@ class Session {
 $this->store('staff', $staff);
 $this->store('token', Hashing::generateRandomToken());
 }
+
+ public function createTicketSession($ticketNumber) {
+ $this->store('ticketNumber', $ticketNumber);
+ $this->store('token', Hashing::generateRandomToken());
+ }
+
+ public function getTicketNumber() {
+ return $this->getStoredData('ticketNumber');
+ }
 public function getToken() {
 return $this->getStoredData('token');
@@ -51,7 +60,7 @@ class Session {
 $token === $data['token'];
 }
- private function store($key, $value) {
+ public function store($key, $value) {
 $_SESSION[$key] = $value;
 }
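Review bot: `createTicketSession` reuses the `token` key that the login path directly above also writes, so one session slot doubles as the logged-in CSRF token and as the guest ticket credential, and creating a ticket session silently rotates whichever token was there. Either state that in a docblock on `createTicketSession` or keep the ticket token under its own key so the two lifecycles cannot interfere. `getTicketNumber` returns whatever `getStoredData` yields for an absent key (presumably null); a docblock like `/** @return mixed Ticket number bound to this session, or null when no ticket session exists. */` would tell callers to treat null as "no ticket session".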
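Review bot: Making `store` public widens the session's write surface without a visible need: no hunk in this patch calls `->store(` from outside `Session`, and the new `createTicketSession` uses it from within the class. Keep `private function store($key, $value) {` unless a later caller requires it, since a public raw `$_SESSION` setter lets any controller overwrite `token` or `ticketNumber` and bypass the rotation done in the session-creating methods.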