From ac8bd3d2512dd1bfca43d71ea10202ba9e6a82a6 Mon Sep 17 00:00:00 2001 From: Marien Fressinaud Date: Tue, 21 Jul 2015 15:31:23 +0200 Subject: Add a max_registrations limit - Allow user to create accounts (not implemented) - Admin only can set this limit See https://github.com/FreshRSS/FreshRSS/issues/679 --- app/Controllers/userController.php | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) (limited to 'app/Controllers/userController.php') diff --git a/app/Controllers/userController.php b/app/Controllers/userController.php index ed01b83c5..1c7745753 100644 --- a/app/Controllers/userController.php +++ b/app/Controllers/userController.php @@ -211,4 +211,28 @@ class FreshRSS_user_Controller extends Minz_ActionController { Minz_Request::forward(array('c' => 'user', 'a' => 'manage'), true); } + + /** + * This action updates the max number of registrations. + * + * Request parameter is: + * - max-registrations (int >= 0) + */ + public function setRegistrationAction() { + if (Minz_Request::isPost() && FreshRSS_Auth::hasAccess('admin')) { + $limits = FreshRSS_Context::$system_conf->limits; + $limits['max_registrations'] = Minz_Request::param('max-registrations', 1); + FreshRSS_Context::$system_conf->limits = $limits; + FreshRSS_Context::$system_conf->save(); + + invalidateHttpCache(); + + Minz_Session::_param('notification', array( + 'type' => 'good', + 'content' => _t('feedback.user.set_registration') + )); + } + + Minz_Request::forward(array('c' => 'user', 'a' => 'manage'), true); + } } -- cgit v1.2.3 From 9fca5c70f33291cacc04e7bdfa01a12c6df3f97c Mon Sep 17 00:00:00 2001 From: Marien Fressinaud Date: Wed, 22 Jul 2015 12:20:00 +0200 Subject: Add some comments --- app/Controllers/userController.php | 19 +++++++++++++++++++ app/views/auth/register.phtml | 7 +++++++ 2 files changed, 26 insertions(+) (limited to 'app/Controllers/userController.php') diff --git a/app/Controllers/userController.php b/app/Controllers/userController.php index 1c7745753..c198d1328 100644 --- a/app/Controllers/userController.php +++ b/app/Controllers/userController.php @@ -103,6 +103,17 @@ class FreshRSS_user_Controller extends Minz_ActionController { $this->view->size_user = $entryDAO->size(); } + /** + * This action creates a new user. + * + * Request parameters are: + * - new_user_language + * - new_user_name + * - new_user_passwordPlain + * - new_user_email + * + * @todo clean up this method. Idea: write a method to init a user with basic information. + */ public function createAction() { if (Minz_Request::isPost() && FreshRSS_Auth::hasAccess('admin')) { $db = FreshRSS_Context::$system_conf->db; @@ -178,6 +189,14 @@ class FreshRSS_user_Controller extends Minz_ActionController { Minz_Request::forward(array('c' => 'user', 'a' => 'manage'), true); } + /** + * This action delete an existing user. + * + * Request parameter is: + * - username + * + * @todo clean up this method. Idea: create a User->clean() method. + */ public function deleteAction() { if (Minz_Request::isPost() && FreshRSS_Auth::hasAccess('admin')) { $db = FreshRSS_Context::$system_conf->db; diff --git a/app/views/auth/register.phtml b/app/views/auth/register.phtml index f67ecc4d9..31ab89d26 100644 --- a/app/views/auth/register.phtml +++ b/app/views/auth/register.phtml @@ -1,3 +1,10 @@ +

-- cgit v1.2.3 From 02c3546440f961018adc1e2c8e97c16f2aca18fc Mon Sep 17 00:00:00 2001 From: Marien Fressinaud Date: Wed, 22 Jul 2015 13:52:03 +0200 Subject: Registration action is handled and create a user See https://github.com/FreshRSS/FreshRSS/issues/679 --- app/Controllers/userController.php | 20 +++++++++++++++++--- app/views/auth/register.phtml | 7 +++++++ lib/lib_rss.php | 16 ++++++++++++++++ 3 files changed, 40 insertions(+), 3 deletions(-) (limited to 'app/Controllers/userController.php') diff --git a/app/Controllers/userController.php b/app/Controllers/userController.php index c198d1328..46f4f434d 100644 --- a/app/Controllers/userController.php +++ b/app/Controllers/userController.php @@ -12,9 +12,14 @@ class FreshRSS_user_Controller extends Minz_ActionController { * This action is called before every other action in that class. It is * the common boiler plate for every action. It is triggered by the * underlying framework. + * + * @todo clean up the access condition. */ public function firstAction() { - if (!FreshRSS_Auth::hasAccess()) { + if (!FreshRSS_Auth::hasAccess() && !( + Minz_Request::actionName() === 'create' && + !max_registrations_reached() + )) { Minz_Error::error(403); } } @@ -111,11 +116,16 @@ class FreshRSS_user_Controller extends Minz_ActionController { * - new_user_name * - new_user_passwordPlain * - new_user_email + * - r (i.e. a redirection url, optional) * * @todo clean up this method. Idea: write a method to init a user with basic information. + * @todo handle r redirection in Minz_Request::forward directly? */ public function createAction() { - if (Minz_Request::isPost() && FreshRSS_Auth::hasAccess('admin')) { + if (Minz_Request::isPost() && ( + FreshRSS_Auth::hasAccess('admin') || + !max_registrations_reached() + )) { $db = FreshRSS_Context::$system_conf->db; require_once(APP_PATH . '/SQL/install.sql.' . $db['type'] . '.php'); @@ -186,7 +196,11 @@ class FreshRSS_user_Controller extends Minz_ActionController { Minz_Session::_param('notification', $notif); } - Minz_Request::forward(array('c' => 'user', 'a' => 'manage'), true); + $redirect_url = urldecode(Minz_Request::param('r', false, true)); + if (!$redirect_url) { + $redirect_url = array('c' => 'user', 'a' => 'manage'); + } + Minz_Request::forward($redirect_url, true); } /** diff --git a/app/views/auth/register.phtml b/app/views/auth/register.phtml index 31ab89d26..96c91f411 100644 --- a/app/views/auth/register.phtml +++ b/app/views/auth/register.phtml @@ -29,6 +29,13 @@
+ 'index', 'a' => 'index'), + 'php', true + )); + ?> +
diff --git a/lib/lib_rss.php b/lib/lib_rss.php index 0118e0f46..c99e2c7e8 100644 --- a/lib/lib_rss.php +++ b/lib/lib_rss.php @@ -266,6 +266,22 @@ function listUsers() { } +/** + * Return if the maximum number of registrations has been reached. + * + * Note a max_regstrations of 0 means there is no limit. + * + * @return true if number of users >= max registrations, false else. + */ +function max_registrations_reached() { + $system_conf = Minz_Configuration::get('system'); + $limit_registrations = $system_conf->limits['max_registrations']; + $number_accounts = count(listUsers()); + + return $limit_registrations > 0 && $number_accounts >= $limit_registrations; +} + + /** * Register and return the configuration for a given user. * -- cgit v1.2.3 From 3a929138b000a45f57b3a6c62d5cfa72b842538c Mon Sep 17 00:00:00 2001 From: Marien Fressinaud Date: Wed, 22 Jul 2015 14:22:26 +0200 Subject: Give possibility to delete its own account See https://github.com/FreshRSS/FreshRSS/issues/679 --- app/Controllers/userController.php | 17 ++++++++++++++--- app/views/user/profile.phtml | 22 ++++++++++++++++++++++ 2 files changed, 36 insertions(+), 3 deletions(-) (limited to 'app/Controllers/userController.php') diff --git a/app/Controllers/userController.php b/app/Controllers/userController.php index 46f4f434d..cebfcd5ec 100644 --- a/app/Controllers/userController.php +++ b/app/Controllers/userController.php @@ -212,11 +212,15 @@ class FreshRSS_user_Controller extends Minz_ActionController { * @todo clean up this method. Idea: create a User->clean() method. */ public function deleteAction() { - if (Minz_Request::isPost() && FreshRSS_Auth::hasAccess('admin')) { + $username = Minz_Request::param('username'); + + if (Minz_Request::isPost() && ( + FreshRSS_Auth::hasAccess('admin') || + Minz_Session::param('currentUser', '_') === $username + )) { $db = FreshRSS_Context::$system_conf->db; require_once(APP_PATH . '/SQL/install.sql.' . $db['type'] . '.php'); - $username = Minz_Request::param('username'); $ok = ctype_alnum($username); $user_data = join_path(DATA_PATH, 'users', $username); @@ -234,6 +238,9 @@ class FreshRSS_user_Controller extends Minz_ActionController { //TODO: delete Persona file } invalidateHttpCache(); + if (Minz_Session::param('currentUser', '_') === $username) { + FreshRSS_Auth::removeAccess(); + } $notif = array( 'type' => $ok ? 'good' : 'bad', @@ -242,7 +249,11 @@ class FreshRSS_user_Controller extends Minz_ActionController { Minz_Session::_param('notification', $notif); } - Minz_Request::forward(array('c' => 'user', 'a' => 'manage'), true); + $redirect_url = urldecode(Minz_Request::param('r', false, true)); + if (!$redirect_url) { + $redirect_url = array('c' => 'user', 'a' => 'manage'); + } + Minz_Request::forward($redirect_url, true); } /** diff --git a/app/views/user/profile.phtml b/app/views/user/profile.phtml index c44202edd..11097e546 100644 --- a/app/views/user/profile.phtml +++ b/app/views/user/profile.phtml @@ -57,4 +57,26 @@ + + +
+ + +

+ +
+
+ 'index', 'a' => 'index'), + 'php', true + )); + ?> + + + +
+
+
+ -- cgit v1.2.3 From 8751c344f384e19dd2fd2f0b5607ecc2aac58541 Mon Sep 17 00:00:00 2001 From: Marien Fressinaud Date: Wed, 22 Jul 2015 22:58:00 +0200 Subject: Ask password to user before deleting its account See https://github.com/FreshRSS/FreshRSS/issues/679 --- app/Controllers/userController.php | 37 +++++++++++++++++++++++++++---------- app/views/user/profile.phtml | 21 +++++++++++++++------ 2 files changed, 42 insertions(+), 16 deletions(-) (limited to 'app/Controllers/userController.php') diff --git a/app/Controllers/userController.php b/app/Controllers/userController.php index cebfcd5ec..428cd145d 100644 --- a/app/Controllers/userController.php +++ b/app/Controllers/userController.php @@ -30,13 +30,17 @@ class FreshRSS_user_Controller extends Minz_ActionController { public function profileAction() { Minz_View::prependTitle(_t('conf.profile.title') . ' ยท '); + Minz_View::appendScript(Minz_Url::display( + '/scripts/bcrypt.min.js?' . @filemtime(PUBLIC_PATH . '/scripts/bcrypt.min.js') + )); + if (Minz_Request::isPost()) { $ok = true; - $passwordPlain = Minz_Request::param('passwordPlain', '', true); + $passwordPlain = Minz_Request::param('newPasswordPlain', '', true); if ($passwordPlain != '') { - Minz_Request::_param('passwordPlain'); //Discard plain-text password ASAP - $_POST['passwordPlain'] = ''; + Minz_Request::_param('newPasswordPlain'); //Discard plain-text password ASAP + $_POST['newPasswordPlain'] = ''; if (!function_exists('password_hash')) { include_once(LIB_PATH . '/password_compat.php'); } @@ -213,10 +217,16 @@ class FreshRSS_user_Controller extends Minz_ActionController { */ public function deleteAction() { $username = Minz_Request::param('username'); + $redirect_url = urldecode(Minz_Request::param('r', false, true)); + if (!$redirect_url) { + $redirect_url = array('c' => 'user', 'a' => 'manage'); + } + + $self_deletion = Minz_Session::param('currentUser', '_') === $username; if (Minz_Request::isPost() && ( FreshRSS_Auth::hasAccess('admin') || - Minz_Session::param('currentUser', '_') === $username + $self_deletion )) { $db = FreshRSS_Context::$system_conf->db; require_once(APP_PATH . '/SQL/install.sql.' . $db['type'] . '.php'); @@ -228,6 +238,16 @@ class FreshRSS_user_Controller extends Minz_ActionController { $default_user = FreshRSS_Context::$system_conf->default_user; $ok &= (strcasecmp($username, $default_user) !== 0); //It is forbidden to delete the default user } + if ($ok && $self_deletion) { + // We check the password if it's a self-destruction + $nonce = Minz_Session::param('nonce'); + $challenge = Minz_Request::param('challenge', ''); + + $ok &= FreshRSS_FormAuth::checkCredentials( + $username, FreshRSS_Context::$user_conf->passwordHash, + $nonce, $challenge + ); + } if ($ok) { $ok &= is_dir($user_data); } @@ -237,10 +257,11 @@ class FreshRSS_user_Controller extends Minz_ActionController { $ok &= recursive_unlink($user_data); //TODO: delete Persona file } - invalidateHttpCache(); - if (Minz_Session::param('currentUser', '_') === $username) { + if ($ok && $self_deletion) { FreshRSS_Auth::removeAccess(); + $redirect_url = array('c' => 'index', 'a' => 'index'); } + invalidateHttpCache(); $notif = array( 'type' => $ok ? 'good' : 'bad', @@ -249,10 +270,6 @@ class FreshRSS_user_Controller extends Minz_ActionController { Minz_Session::_param('notification', $notif); } - $redirect_url = urldecode(Minz_Request::param('r', false, true)); - if (!$redirect_url) { - $redirect_url = array('c' => 'user', 'a' => 'manage'); - } Minz_Request::forward($redirect_url, true); } diff --git a/app/views/user/profile.phtml b/app/views/user/profile.phtml index 11097e546..7ae2c7ede 100644 --- a/app/views/user/profile.phtml +++ b/app/views/user/profile.phtml @@ -18,11 +18,11 @@
- +
- /> - + /> +
@@ -59,21 +59,30 @@ -
+

+
+ +
+ +
+ +
+
+
'index', 'a' => 'index'), + array('c' => 'user', 'a' => 'profile'), 'php', true )); ?> - +
-- cgit v1.2.3