Fix. Remote Calls. RC calling without token fixed. (#438)

lib/CleantalkSP/Common/RemoteCalls.php

@@ -28,6 +28,10 @@ class RemoteCalls
      */
     protected $without_token;
 
+    protected static $allowedActionsWithoutToken = [
+        'post_api_key',
+    ];
+
     const COOLDOWN = 10;
 
     /**
@@ -53,10 +57,20 @@ public static function checkWithoutToken()
     {
         global $spbc;
 
+        $rc_servers = [
+            'netserv3.cleantalk.org',
+            'netserv4.cleantalk.org',
+        ];
+
         return ! $spbc->key_is_ok &&
                Request::get('spbc_remote_call_action') &&
                in_array(Request::get('plugin_name'), array('security', 'spbc')) &&
-               strpos(IP::resolve(IP::get()), 'cleantalk.org') !== false;
+               in_array(IP::resolve(IP::get('remote_addr')), $rc_servers, true);
+    }
+
+    private static function isAllowedWithoutToken($rc)
+    {
+        return in_array($rc, self::$allowedActionsWithoutToken, true);
     }
 
     /**
@@ -87,9 +101,11 @@ public function process()
                 // Check API key
                 if (
                     ($this->state->data['key_is_ok'] !== false) &&
-                    (($token === strtolower(md5($this->state->api_key)) ||
-                    $token === strtolower(hash('sha256', $this->state->api_key))) ||
-                    $this->without_token)
+                    (
+                        ( $token === strtolower(md5($this->state->api_key)) ||
+                        $token === strtolower(hash('sha256', $this->state->api_key)) ) ||
+                        ( $this->without_token && self::isAllowedWithoutToken($action) )
+                    )
                 ) {
                     // Flag to let plugin know that Remote Call is running.
                     $this->state->rc_running = true;