diff options
| author |  Clément <clement@selfhost.fr>
| 2017-02-15 14:12:25 +0100 |
|---|---|---|
| committer | Clément <clement@selfhost.fr>
| 2017-02-15 14:12:25 +0100 |
| commit | 2d097bc855dbd1ad06c7c306c05e78a198209084 (patch) | |
| tree | 67028e45792c575c25c92616633f64cc7a4a13eb /app/Controllers/userController.php | |
| parent | fe293900061263a1917fc1cf18ca369c8e07cb99 (diff) | |
| parent | 5f637bd816b7323885bfe1751a1724ee59a822f6 (diff) | |
Merge remote-tracking branch 'FreshRSS/master' into dev
Diffstat (limited to 'app/Controllers/userController.php')
| -rw-r--r-- | app/Controllers/userController.php | 285 |
1 files changed, 163 insertions, 122 deletions
diff --git a/app/Controllers/userController.php b/app/Controllers/userController.php index 61d33437d..9d6ae18e6 100644 --- a/app/Controllers/userController.php +++ b/app/Controllers/userController.php @@ -12,73 +12,66 @@ class FreshRSS_user_Controller extends Minz_ActionController { * This action is called before every other action in that class. It is * the common boiler plate for every action. It is triggered by the * underlying framework. + * + * @todo clean up the access condition. */ public function firstAction() { - if (!FreshRSS_Auth::hasAccess()) { - Minz_Error::error( - 403, - array('error' => array(_t('access_denied'))) - ); + if (!FreshRSS_Auth::hasAccess() && !( + Minz_Request::actionName() === 'create' && + !max_registrations_reached() + )) { + Minz_Error::error(403); + } + } + + public static function hashPassword($passwordPlain) { + if (!function_exists('password_hash')) { + include_once(LIB_PATH . '/password_compat.php'); } + $passwordHash = password_hash($passwordPlain, PASSWORD_BCRYPT, array('cost' => self::BCRYPT_COST)); + $passwordPlain = ''; + $passwordHash = preg_replace('/^\$2[xy]\$/', '\$2a\$', $passwordHash); //Compatibility with bcrypt.js + return $passwordHash == '' ? '' : $passwordHash; } /** - * This action displays the user profil page. + * This action displays the user profile page. */ - public function profilAction() { - Minz_View::prependTitle(_t('users.profil') . ' · '); + public function profileAction() { + Minz_View::prependTitle(_t('conf.profile.title') . ' · '); + + Minz_View::appendScript(Minz_Url::display( + '/scripts/bcrypt.min.js?' . @filemtime(PUBLIC_PATH . '/scripts/bcrypt.min.js') + )); if (Minz_Request::isPost()) { $ok = true; - $passwordPlain = Minz_Request::param('passwordPlain', '', true); + $passwordPlain = Minz_Request::param('newPasswordPlain', '', true); if ($passwordPlain != '') { - Minz_Request::_param('passwordPlain'); //Discard plain-text password ASAP - $_POST['passwordPlain'] = ''; - if (!function_exists('password_hash')) { - include_once(LIB_PATH . '/password_compat.php'); - } - $passwordHash = password_hash($passwordPlain, PASSWORD_BCRYPT, array('cost' => self::BCRYPT_COST)); - $passwordPlain = ''; - $passwordHash = preg_replace('/^\$2[xy]\$/', '\$2a\$', $passwordHash); //Compatibility with bcrypt.js + Minz_Request::_param('newPasswordPlain'); //Discard plain-text password ASAP + $_POST['newPasswordPlain'] = ''; + $passwordHash = self::hashPassword($passwordPlain); $ok &= ($passwordHash != ''); - FreshRSS_Context::$conf->_passwordHash($passwordHash); + FreshRSS_Context::$user_conf->passwordHash = $passwordHash; } - Minz_Session::_param('passwordHash', FreshRSS_Context::$conf->passwordHash); + Minz_Session::_param('passwordHash', FreshRSS_Context::$user_conf->passwordHash); $passwordPlain = Minz_Request::param('apiPasswordPlain', '', true); if ($passwordPlain != '') { - if (!function_exists('password_hash')) { - include_once(LIB_PATH . '/password_compat.php'); - } - $passwordHash = password_hash($passwordPlain, PASSWORD_BCRYPT, array('cost' => self::BCRYPT_COST)); - $passwordPlain = ''; - $passwordHash = preg_replace('/^\$2[xy]\$/', '\$2a\$', $passwordHash); //Compatibility with bcrypt.js + $passwordHash = self::hashPassword($passwordPlain); $ok &= ($passwordHash != ''); - FreshRSS_Context::$conf->_apiPasswordHash($passwordHash); - } - - // TODO: why do we need of hasAccess here? - if (FreshRSS_Auth::hasAccess('admin')) { - FreshRSS_Context::$conf->_mail_login(Minz_Request::param('mail_login', '', true)); + FreshRSS_Context::$user_conf->apiPasswordHash = $passwordHash; } - $email = FreshRSS_Context::$conf->mail_login; - Minz_Session::_param('mail', $email); - $ok &= FreshRSS_Context::$conf->save(); - - if ($email != '') { - $personaFile = DATA_PATH . '/persona/' . $email . '.txt'; - @unlink($personaFile); - $ok &= (file_put_contents($personaFile, Minz_Session::param('currentUser', '_')) !== false); - } + $ok &= FreshRSS_Context::$user_conf->save(); if ($ok) { - Minz_Request::good('users.profil.updated', - array('c' => 'user', 'a' => 'profil')); + Minz_Request::good(_t('feedback.profile.updated'), + array('c' => 'user', 'a' => 'profile')); } else { - Minz_Request::bad('error_occurred', - array('c' => 'user', 'a' => 'profil')); + Minz_Request::bad(_t('feedback.profile.error'), + array('c' => 'user', 'a' => 'profile')); } } } @@ -88,16 +81,14 @@ class FreshRSS_user_Controller extends Minz_ActionController { */ public function manageAction() { if (!FreshRSS_Auth::hasAccess('admin')) { - Minz_Error::error(403, - array('error' => array(_t('access_denied')))); + Minz_Error::error(403); } - Minz_View::prependTitle(_t('users.manage') . ' · '); + Minz_View::prependTitle(_t('admin.user.title') . ' · '); // Get the correct current user. - $userDAO = new FreshRSS_UserDAO(); $username = Minz_Request::param('u', Minz_Session::param('currentUser')); - if (!$userDAO->exist($username)) { + if (!FreshRSS_UserDAO::exist($username)) { $username = Minz_Session::param('currentUser'); } $this->view->current_user = $username; @@ -108,109 +99,159 @@ class FreshRSS_user_Controller extends Minz_ActionController { $this->view->size_user = $entryDAO->size(); } - public function createAction() { - if (Minz_Request::isPost() && FreshRSS_Auth::hasAccess('admin')) { - $db = Minz_Configuration::dataBase(); - require_once(APP_PATH . '/SQL/install.sql.' . $db['type'] . '.php'); - - $new_user_language = Minz_Request::param('new_user_language', FreshRSS_Context::$conf->language); - if (!in_array($new_user_language, FreshRSS_Context::$conf->availableLanguages())) { - $new_user_language = FreshRSS_Context::$conf->language; - } + public static function createUser($new_user_name, $passwordPlain, $apiPasswordPlain, $userConfig = array(), $insertDefaultFeeds = true) { + if (!is_array($userConfig)) { + $userConfig = array(); + } - $new_user_name = Minz_Request::param('new_user_name'); - $ok = ($new_user_name != '') && ctype_alnum($new_user_name); + $ok = ($new_user_name != '') && ctype_alnum($new_user_name); - if ($ok) { - $ok &= (strcasecmp($new_user_name, Minz_Configuration::defaultUser()) !== 0); //It is forbidden to alter the default user + if ($ok) { + $languages = Minz_Translate::availableLanguages(); + if (empty($userConfig['language']) || !in_array($userConfig['language'], $languages)) { + $userConfig['language'] = 'en'; + } - $ok &= !in_array(strtoupper($new_user_name), array_map('strtoupper', listUsers())); //Not an existing user, case-insensitive + $ok &= !in_array(strtoupper($new_user_name), array_map('strtoupper', listUsers())); //Not an existing user, case-insensitive - $configPath = DATA_PATH . '/' . $new_user_name . '_user.php'; - $ok &= !file_exists($configPath); - } - if ($ok) { - - $passwordPlain = Minz_Request::param('new_user_passwordPlain', '', true); - $passwordHash = ''; - if ($passwordPlain != '') { - Minz_Request::_param('new_user_passwordPlain'); //Discard plain-text password ASAP - $_POST['new_user_passwordPlain'] = ''; - if (!function_exists('password_hash')) { - include_once(LIB_PATH . '/password_compat.php'); - } - $passwordHash = password_hash($passwordPlain, PASSWORD_BCRYPT, array('cost' => self::BCRYPT_COST)); - $passwordPlain = ''; - $passwordHash = preg_replace('/^\$2[xy]\$/', '\$2a\$', $passwordHash); //Compatibility with bcrypt.js - $ok &= ($passwordHash != ''); - } - if (empty($passwordHash)) { - $passwordHash = ''; - } - - $new_user_email = filter_var($_POST['new_user_email'], FILTER_VALIDATE_EMAIL); - if (empty($new_user_email)) { - $new_user_email = ''; - } else { - $personaFile = DATA_PATH . '/persona/' . $new_user_email . '.txt'; - @unlink($personaFile); - $ok &= (file_put_contents($personaFile, $new_user_name) !== false); - } - } - if ($ok) { - $config_array = array( - 'language' => $new_user_language, - 'passwordHash' => $passwordHash, - 'mail_login' => $new_user_email, - ); - $ok &= (file_put_contents($configPath, "<?php\n return " . var_export($config_array, true) . ';') !== false); + $configPath = join_path(DATA_PATH, 'users', $new_user_name, 'config.php'); + $ok &= !file_exists($configPath); + } + if ($ok) { + $passwordHash = ''; + if ($passwordPlain != '') { + $passwordHash = self::hashPassword($passwordPlain); + $ok &= ($passwordHash != ''); } - if ($ok) { - $userDAO = new FreshRSS_UserDAO(); - $ok &= $userDAO->createUser($new_user_name); + + $apiPasswordHash = ''; + if ($apiPasswordPlain != '') { + $apiPasswordHash = self::hashPassword($apiPasswordPlain); + $ok &= ($apiPasswordHash != ''); } + } + if ($ok) { + mkdir(join_path(DATA_PATH, 'users', $new_user_name)); + $userConfig['passwordHash'] = $passwordHash; + $userConfig['apiPasswordHash'] = $apiPasswordHash; + $ok &= (file_put_contents($configPath, "<?php\n return " . var_export($userConfig, true) . ';') !== false); + } + if ($ok) { + $userDAO = new FreshRSS_UserDAO(); + $ok &= $userDAO->createUser($new_user_name, $userConfig['language'], $insertDefaultFeeds); + } + return $ok; + } + + /** + * This action creates a new user. + * + * Request parameters are: + * - new_user_language + * - new_user_name + * - new_user_passwordPlain + * - r (i.e. a redirection url, optional) + * + * @todo clean up this method. Idea: write a method to init a user with basic information. + * @todo handle r redirection in Minz_Request::forward directly? + */ + public function createAction() { + if (Minz_Request::isPost() && ( + FreshRSS_Auth::hasAccess('admin') || + !max_registrations_reached() + )) { + $new_user_name = Minz_Request::param('new_user_name'); + $passwordPlain = Minz_Request::param('new_user_passwordPlain', '', true); + $new_user_language = Minz_Request::param('new_user_language', FreshRSS_Context::$user_conf->language); + + $ok = self::createUser($new_user_name, $passwordPlain, '', array('language' => $new_user_language)); + Minz_Request::_param('new_user_passwordPlain'); //Discard plain-text password ASAP + $_POST['new_user_passwordPlain'] = ''; invalidateHttpCache(); $notif = array( 'type' => $ok ? 'good' : 'bad', - 'content' => _t($ok ? 'user_created' : 'error_occurred', $new_user_name) + 'content' => _t('feedback.user.created' . (!$ok ? '.error' : ''), $new_user_name) ); Minz_Session::_param('notification', $notif); } - Minz_Request::forward(array('c' => 'user', 'a' => 'manage'), true); + $redirect_url = urldecode(Minz_Request::param('r', false, true)); + if (!$redirect_url) { + $redirect_url = array('c' => 'user', 'a' => 'manage'); + } + Minz_Request::forward($redirect_url, true); } + public static function deleteUser($username) { + $db = FreshRSS_Context::$system_conf->db; + require_once(APP_PATH . '/SQL/install.sql.' . $db['type'] . '.php'); + + $ok = ctype_alnum($username); + if ($ok) { + $default_user = FreshRSS_Context::$system_conf->default_user; + $ok &= (strcasecmp($username, $default_user) !== 0); //It is forbidden to delete the default user + } + $user_data = join_path(DATA_PATH, 'users', $username); + if ($ok) { + $ok &= is_dir($user_data); + } + if ($ok) { + $userDAO = new FreshRSS_UserDAO(); + $ok &= $userDAO->deleteUser($username); + $ok &= recursive_unlink($user_data); + } + return $ok; + } + + /** + * This action delete an existing user. + * + * Request parameter is: + * - username + * + * @todo clean up this method. Idea: create a User->clean() method. + */ public function deleteAction() { - if (Minz_Request::isPost() && FreshRSS_Auth::hasAccess('admin')) { - $db = Minz_Configuration::dataBase(); - require_once(APP_PATH . '/SQL/install.sql.' . $db['type'] . '.php'); + $username = Minz_Request::param('username'); + $redirect_url = urldecode(Minz_Request::param('r', false, true)); + if (!$redirect_url) { + $redirect_url = array('c' => 'user', 'a' => 'manage'); + } - $username = Minz_Request::param('username'); - $ok = ctype_alnum($username); + $self_deletion = Minz_Session::param('currentUser', '_') === $username; - if ($ok) { - $ok &= (strcasecmp($username, Minz_Configuration::defaultUser()) !== 0); //It is forbidden to delete the default user + if (Minz_Request::isPost() && ( + FreshRSS_Auth::hasAccess('admin') || + $self_deletion + )) { + $ok = true; + if ($ok && $self_deletion) { + // We check the password if it's a self-destruction + $nonce = Minz_Session::param('nonce'); + $challenge = Minz_Request::param('challenge', ''); + + $ok &= FreshRSS_FormAuth::checkCredentials( + $username, FreshRSS_Context::$user_conf->passwordHash, + $nonce, $challenge + ); } if ($ok) { - $configPath = DATA_PATH . '/' . $username . '_user.php'; - $ok &= file_exists($configPath); + $ok &= self::deleteUser($username); } - if ($ok) { - $userDAO = new FreshRSS_UserDAO(); - $ok &= $userDAO->deleteUser($username); - $ok &= unlink($configPath); - //TODO: delete Persona file + if ($ok && $self_deletion) { + FreshRSS_Auth::removeAccess(); + $redirect_url = array('c' => 'index', 'a' => 'index'); } invalidateHttpCache(); $notif = array( 'type' => $ok ? 'good' : 'bad', - 'content' => _t($ok ? 'user_deleted' : 'error_occurred', $username) + 'content' => _t('feedback.user.deleted' . (!$ok ? '.error' : ''), $username) ); Minz_Session::_param('notification', $notif); } - Minz_Request::forward(array('c' => 'user', 'a' => 'manage'), true); + Minz_Request::forward($redirect_url, true); } } |