| author | 2015-07-22 22:58:00 +0200 | |
|---|---|---|
| committer | 2015-07-22 22:58:00 +0200 | |
| commit | 8751c344f384e19dd2fd2f0b5607ecc2aac58541 (patch) | |
| tree | c1f0f46fcd4b1ed47500cbbe1ded094c0e0d954d | |
| parent | 669c41114f60a5a31253bed766f52e1840e00599 (diff) | |
Ask password to user before deleting its account
See https://github.com/FreshRSS/FreshRSS/issues/679
| -rw-r--r-- | app/Controllers/userController.php | 37 | ||||
| -rw-r--r-- | app/views/user/profile.phtml | 21 |
2 files changed, 42 insertions, 16 deletions
diff --git a/app/Controllers/userController.php b/app/Controllers/userController.php
index cebfcd5ec..428cd145d 100644
--- a/app/Controllers/userController.php
+++ b/app/Controllers/userController.php
@@ -30,13 +30,17 @@ class FreshRSS_user_Controller extends Minz_ActionController {
 public function profileAction() { Minz_View::prependTitle(_t('conf.profile.title') . ' ยท '); + Minz_View::appendScript(Minz_Url::display( + '/scripts/bcrypt.min.js?' . @filemtime(PUBLIC_PATH . '/scripts/bcrypt.min.js') + )); + if (Minz_Request::isPost()) { $ok = true; - $passwordPlain = Minz_Request::param('passwordPlain', '', true); + $passwordPlain = Minz_Request::param('newPasswordPlain', '', true); if ($passwordPlain != '') { - Minz_Request::_param('passwordPlain'); //Discard plain-text password ASAP - $_POST['passwordPlain'] = ''; + Minz_Request::_param('newPasswordPlain'); //Discard plain-text password ASAP + $_POST['newPasswordPlain'] = ''; if (!function_exists('password_hash')) { include_once(LIB_PATH . '/password_compat.php'); }
@@ -213,10 +217,16 @@ class FreshRSS_user_Controller extends Minz_ActionController {
 */ public function deleteAction() { $username = Minz_Request::param('username'); + $redirect_url = urldecode(Minz_Request::param('r', false, true)); + if (!$redirect_url) { + $redirect_url = array('c' => 'user', 'a' => 'manage'); + } + + $self_deletion = Minz_Session::param('currentUser', '_') === $username; if (Minz_Request::isPost() && ( FreshRSS_Auth::hasAccess('admin') || - Minz_Session::param('currentUser', '_') === $username + $self_deletion )) { $db = FreshRSS_Context::$system_conf->db; require_once(APP_PATH . '/SQL/install.sql.' . $db['type'] . '.php'); 
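Review bot: The new appendScript call in profileAction wraps filemtime() in `@`, so a missing or unreadable bcrypt.min.js silently produces a cache-buster query with an empty value instead of a visible error. Check the path explicitly and drop the suppression: `$bcrypt = PUBLIC_PATH . '/scripts/bcrypt.min.js';` then `Minz_View::appendScript(Minz_Url::display('/scripts/bcrypt.min.js?' . (is_file($bcrypt) ? filemtime($bcrypt) : 0)));`. The rename to newPasswordPlain is applied consistently in the view hunk below, so nothing further is needed there. profileAction's body continues past the end of this hunk.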
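Review bot: The redirect target now read at the top of deleteAction comes straight from the `r` request parameter and is later handed to `Minz_Request::forward($redirect_url, true)`; nothing in the hunk constrains it to an application-local URL, so whether it can send the user to an external site after a deletion attempt depends on what forward() accepts — worth confirming, or restricting `r` to a relative path before use. A short comment above the assignment would also help the next reader: `// Where to send the user afterwards; a successful self-deletion overrides this below`. The new `$self_deletion` flag is computed from the session before the POST/access check, which reads fine. deleteAction starts here and continues into the following hunks.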
@@ -228,6 +238,16 @@ class FreshRSS_user_Controller extends Minz_ActionController {
 $default_user = FreshRSS_Context::$system_conf->default_user;
 $ok &= (strcasecmp($username, $default_user) !== 0); //It is forbidden to delete the default user
 }
+ if ($ok && $self_deletion) {
+ // We check the password if it's a self-destruction
+ $nonce = Minz_Session::param('nonce');
+ $challenge = Minz_Request::param('challenge', '');
+
+ $ok &= FreshRSS_FormAuth::checkCredentials(
+ $username, FreshRSS_Context::$user_conf->passwordHash,
+ $nonce, $challenge
+ );
+ }
 if ($ok) {
 $ok &= is_dir($user_data);
 }
@@ -237,10 +257,11 @@ class FreshRSS_user_Controller extends Minz_ActionController {
 $ok &= recursive_unlink($user_data); //TODO: delete Persona file } - invalidateHttpCache(); - if (Minz_Session::param('currentUser', '_') === $username) { + if ($ok && $self_deletion) { FreshRSS_Auth::removeAccess(); + $redirect_url = array('c' => 'index', 'a' => 'index'); } + invalidateHttpCache(); $notif = array( 'type' => $ok ? 'good' : 'bad',
@@ -249,10 +270,6 @@ class FreshRSS_user_Controller extends Minz_ActionController {
 Minz_Session::_param('notification', $notif); } - $redirect_url = urldecode(Minz_Request::param('r', false, true)); - if (!$redirect_url) { - $redirect_url = array('c' => 'user', 'a' => 'manage'); - } Minz_Request::forward($redirect_url, true); }
diff --git a/app/views/user/profile.phtml b/app/views/user/profile.phtml
index 11097e546..7ae2c7ede 100644
--- a/app/views/user/profile.phtml
+++ b/app/views/user/profile.phtml
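Review bot: The nonce fetched from the session in the new self-deletion block is read but never cleared in this hunk, so unless `FreshRSS_FormAuth::checkCredentials` consumes it, the same nonce/challenge pair stays usable for the rest of the session and a failed attempt costs nothing — consider rotating or discarding the nonce right after the check regardless of outcome, in the way profileAction discards the plain-text password with `Minz_Request::_param('newPasswordPlain')` (checkCredentials lives outside this diff, so confirm its behaviour first). The block would also benefit from a comment stating the contract rather than the mechanism: `// Self-deletion requires proof of the current password: the client-computed challenge is verified against the stored hash`. The enclosing deleteAction starts and ends outside this hunk.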
@@ -18,11 +18,11 @@ </div> <div class="form-group"> - <label class="group-name" for="passwordPlain"><?php echo _t('conf.profile.password_form'); ?></label> + <label class="group-name" for="newPasswordPlain"><?php echo _t('conf.profile.password_form'); ?></label> <div class="group-controls"> <div class="stick"> - <input type="password" id="passwordPlain" name="passwordPlain" autocomplete="off" pattern=".{7,}" <?php echo cryptAvailable() ? '' : 'disabled="disabled" '; ?>/> - <a class="btn toggle-password" data-toggle="passwordPlain"><?php echo _i('key'); ?></a> + <input type="password" id="newPasswordPlain" name="newPasswordPlain" autocomplete="off" pattern=".{7,}" <?php echo cryptAvailable() ? '' : 'disabled="disabled" '; ?>/> + <a class="btn toggle-password" data-toggle="newPasswordPlain"><?php echo _i('key'); ?></a> </div> <?php echo _i('help'); ?> <?php echo _t('conf.profile.password_format'); ?> <noscript><b><?php echo _t('gen.js.should_be_activated'); ?></b></noscript> 
@@ -59,21 +59,30 @@ </form> <?php if (!FreshRSS_Auth::hasAccess('admin')) { ?> - <form method="post" action="<?php echo _url('user', 'delete'); ?>"> + <form id="crypto-form" method="post" action="<?php echo _url('user', 'delete'); ?>"> <legend><?php echo _t('conf.profile.delete'); ?></legend> <p class="alert alert-warn"><span class="alert-head"><?php echo _t('gen.short.attention'); ?></span> <?php echo _t('conf.profile.delete.warn'); ?></p> + <div class="form-group"> + <label class="group-name" for="passwordPlain"><?php echo _t('gen.auth.password'); ?></label> + <div class="group-controls"> + <input type="password" id="passwordPlain" required="required" /> + <input type="hidden" id="challenge" name="challenge" /><br /> + <noscript><strong><?php echo _t('gen.js.should_be_activated'); ?></strong></noscript> + </div> + </div> + <div class="form-group form-actions"> <div class="group-controls"> <?php $redirect_url = urlencode(Minz_Url::display( - array('c' => 'index', 'a' => 'index'), + array('c' => 'user', 'a' => 'profile'), 'php', true )); ?> <input type="hidden" name="r" value="<?php echo $redirect_url; ?>" /> - <input type="hidden" name="username" value="<?php echo Minz_Session::param('currentUser', '_'); ?>" /> + <input type="hidden" name="username" id="username" value="<?php echo Minz_Session::param('currentUser', '_'); ?>" /> <button type="submit" class="btn btn-attention confirm"><?php echo _t('gen.action.remove'); ?></button> </div> </div> |
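Review bot: The new password field in the delete form carries no `autocomplete` attribute, unlike the `newPasswordPlain` input in the earlier hunk of this file, so browsers may offer to save or prefill it; `<input type="password" id="passwordPlain" required="required" autocomplete="current-password" />` states the intent and keeps the two forms consistent. Because the field has no `name`, the plain-text value is never submitted and only the hidden `challenge` input reaches the server, which is the right shape, but a one-line HTML comment next to it (`<!-- passwordPlain has no name and is never posted; only the challenge field is submitted -->`) would spare the next reader from wondering whether that is an oversight. The `id="crypto-form"` presumably hooks the bcrypt script added in the controller; the script itself is outside this diff.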
