1 files changed, 52 insertions, 22 deletions

diff --git a/app/Controllers/userController.php b/app/Controllers/userController.php
index 9d6ae18e6..2a1d43d9e 100644
--- a/app/Controllers/userController.php
+++ b/app/Controllers/userController.php
@@ -35,6 +35,39 @@ class FreshRSS_user_Controller extends Minz_ActionController {
 	}
 
 	/**
+	 * The username is also used as folder name, file name, and part of SQL table name.
+	 * '_' is a reserved internal username.
+	 */
+	const USERNAME_PATTERN = '[0-9a-zA-Z_]{2,38}|[0-9a-zA-Z]';
+
+	public static function checkUsername($username) {
+		return preg_match('/^' . self::USERNAME_PATTERN . '$/', $username) === 1;
+	}
+
+	public static function updateContextUser($passwordPlain, $apiPasswordPlain, $userConfigUpdated = array()) {
+		if ($passwordPlain != '') {
+			$passwordHash = self::hashPassword($passwordPlain);
+			FreshRSS_Context::$user_conf->passwordHash = $passwordHash;
+		}
+
+		if ($apiPasswordPlain != '') {
+			$apiPasswordHash = self::hashPassword($apiPasswordPlain);
+			FreshRSS_Context::$user_conf->apiPasswordHash = $apiPasswordHash;
+		}
+
+		if (is_array($userConfigUpdated)) {
+			foreach ($userConfigUpdated as $configName => $configValue) {
+				if ($configValue !== null) {
+					FreshRSS_Context::$user_conf->_param($configName, $configValue);
+				}
+			}
+		}
+
+		$ok = FreshRSS_Context::$user_conf->save();
+		return $ok;
+	}
+
+	/**
 	 * This action displays the user profile page.
 	 */
 	public function profileAction() {
@@ -45,26 +78,17 @@ class FreshRSS_user_Controller extends Minz_ActionController {
 		));
 
 		if (Minz_Request::isPost()) {
-			$ok = true;
-
 			$passwordPlain = Minz_Request::param('newPasswordPlain', '', true);
-			if ($passwordPlain != '') {
-				Minz_Request::_param('newPasswordPlain');	//Discard plain-text password ASAP
-				$_POST['newPasswordPlain'] = '';
-				$passwordHash = self::hashPassword($passwordPlain);
-				$ok &= ($passwordHash != '');
-				FreshRSS_Context::$user_conf->passwordHash = $passwordHash;
-			}
-			Minz_Session::_param('passwordHash', FreshRSS_Context::$user_conf->passwordHash);
+			Minz_Request::_param('newPasswordPlain');	//Discard plain-text password ASAP
+			$_POST['newPasswordPlain'] = '';
 
-			$passwordPlain = Minz_Request::param('apiPasswordPlain', '', true);
-			if ($passwordPlain != '') {
-				$passwordHash = self::hashPassword($passwordPlain);
-				$ok &= ($passwordHash != '');
-				FreshRSS_Context::$user_conf->apiPasswordHash = $passwordHash;
-			}
+			$apiPasswordPlain = Minz_Request::param('apiPasswordPlain', '', true);
 
-			$ok &= FreshRSS_Context::$user_conf->save();
+			$ok = self::updateContextUser($passwordPlain, $apiPasswordPlain, array(
+					'token' => Minz_Request::param('token', null),
+				));
+
+			Minz_Session::_param('passwordHash', FreshRSS_Context::$user_conf->passwordHash);
 
 			if ($ok) {
 				Minz_Request::good(_t('feedback.profile.updated'),
@@ -96,7 +120,9 @@ class FreshRSS_user_Controller extends Minz_ActionController {
 		// Get information about the current user.
 		$entryDAO = FreshRSS_Factory::createEntryDao($this->view->current_user);
 		$this->view->nb_articles = $entryDAO->count();
-		$this->view->size_user = $entryDAO->size();
+
+		$databaseDAO = FreshRSS_Factory::createDatabaseDAO();
+		$this->view->size_user = $databaseDAO->size();
 	}
 
 	public static function createUser($new_user_name, $passwordPlain, $apiPasswordPlain, $userConfig = array(), $insertDefaultFeeds = true) {
@@ -104,7 +130,8 @@ class FreshRSS_user_Controller extends Minz_ActionController {
 			$userConfig = array();
 		}
 
-		$ok = ($new_user_name != '') && ctype_alnum($new_user_name);
+		$ok = self::checkUsername($new_user_name);
+		$homeDir = join_path(DATA_PATH, 'users', $new_user_name);
 
 		if ($ok) {
 			$languages = Minz_Translate::availableLanguages();
@@ -114,7 +141,7 @@ class FreshRSS_user_Controller extends Minz_ActionController {
 
 			$ok &= !in_array(strtoupper($new_user_name), array_map('strtoupper', listUsers()));	//Not an existing user, case-insensitive
 
-			$configPath = join_path(DATA_PATH, 'users', $new_user_name, 'config.php');
+			$configPath = join_path($homeDir, 'config.php');
 			$ok &= !file_exists($configPath);
 		}
 		if ($ok) {
@@ -131,7 +158,9 @@ class FreshRSS_user_Controller extends Minz_ActionController {
 			}
 		}
 		if ($ok) {
-			mkdir(join_path(DATA_PATH, 'users', $new_user_name));
+			if (!is_dir($homeDir)) {
+				mkdir($homeDir);
+			}
 			$userConfig['passwordHash'] = $passwordHash;
 			$userConfig['apiPasswordHash'] = $apiPasswordHash;
 			$ok &= (file_put_contents($configPath, "<?php\n return " . var_export($userConfig, true) . ';') !== false);
@@ -187,7 +216,7 @@ class FreshRSS_user_Controller extends Minz_ActionController {
 		$db = FreshRSS_Context::$system_conf->db;
 		require_once(APP_PATH . '/SQL/install.sql.' . $db['type'] . '.php');
 
-		$ok = ctype_alnum($username);
+		$ok = self::checkUsername($username);
 		if ($ok) {
 			$default_user = FreshRSS_Context::$system_conf->default_user;
 			$ok &= (strcasecmp($username, $default_user) !== 0);	//It is forbidden to delete the default user
@@ -200,6 +229,7 @@ class FreshRSS_user_Controller extends Minz_ActionController {
 			$userDAO = new FreshRSS_UserDAO();
 			$ok &= $userDAO->deleteUser($username);
 			$ok &= recursive_unlink($user_data);
+			array_map('unlink', glob(PSHB_PATH . '/feeds/*/' . $username . '.txt'));
 		}
 		return $ok;
 	}