From 5c9a32329ad68dc5ae8bc8a3566a0d603b80a934 Mon Sep 17 00:00:00 2001
From: Alexandre Alapetite <alexandre@alapetite.fr>
Date: Tue, 31 Dec 2013 14:52:01 +0100
Subject: Multi-utilisateur fonctionnel avec Mozilla Persona
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Il faut ré-enregistrer l'adresse courriel une fois dans l'interface de
FreshRSS pour créer le fichier nécessaire.
+ Comparaison sans tenir compte de la casse pour les noms d'utilisateur.
Contribue à https://github.com/marienfressinaud/FreshRSS/issues/126
ll faudra tester la sécurité
---
 app/Controllers/usersController.php | 37 ++++++++++++++++++++++++++-----------
 1 file changed, 26 insertions(+), 11 deletions(-)

(limited to 'app/Controllers/usersController.php')

diff --git a/app/Controllers/usersController.php b/app/Controllers/usersController.php
index 7d9568083..5b3ffe81a 100644
--- a/app/Controllers/usersController.php
+++ b/app/Controllers/usersController.php
@@ -17,7 +17,14 @@ class FreshRSS_users_Controller extends Minz_ActionController {
 			$this->view->conf->_mail_login($mail);
 			$ok &= $this->view->conf->save();
 
-			Minz_Session::_param('mail', $this->view->conf->mail_login);
+			$email = $this->view->conf->mail_login;
+			Minz_Session::_param('mail', $email);
+
+			if ($email != '') {
+				$personaFile = DATA_PATH . '/persona/' . $email . '.txt';
+				@unlink($personaFile);
+				$ok &= (file_put_contents($personaFile, Minz_Session::param('currentUser', '_')) !== false);
+			}
 
 			//TODO: use $ok
 			$notif = array(
@@ -38,8 +45,6 @@ class FreshRSS_users_Controller extends Minz_ActionController {
 			$this->view->conf->_token($token);
 			$ok &= $this->view->conf->save();
 
-			Minz_Session::_param('mail', $this->view->conf->mail_login);
-
 			$anon = Minz_Request::param('anon_access', false);
 			$anon = ((bool)$anon) && ($anon !== 'no');
 			$auth_type = Minz_Request::param('auth_type', 'none');
@@ -69,18 +74,27 @@ class FreshRSS_users_Controller extends Minz_ActionController {
 			}
 
 			$new_user_name = Minz_Request::param('new_user_name');
-			$ok = ctype_alnum($new_user_name);
-
-			$new_user_email = filter_var($_POST['new_user_email'], FILTER_VALIDATE_EMAIL);
-			if (empty($new_user_email)) {
-				$new_user_email = '';
-				$ok &= Minz_Configuration::authType() !== 'persona';
-			}
+			$ok = ($new_user_name != '') && ctype_alnum($new_user_name);
 
 			if ($ok) {
+				$ok &= (strcasecmp($new_user_name, Minz_Configuration::defaultUser()) !== 0);	//It is forbidden to alter the default user
+
+				$ok &= !in_array(strtoupper($new_user_name), array_map('strtoupper', listUsers()));	//Not an existing user, case-insensitive
+
 				$configPath = DATA_PATH . '/' . $new_user_name . '_user.php';
 				$ok &= !file_exists($configPath);
 			}
+			if ($ok) {
+				$new_user_email = filter_var($_POST['new_user_email'], FILTER_VALIDATE_EMAIL);
+				if (empty($new_user_email)) {
+					$new_user_email = '';
+					$ok &= Minz_Configuration::authType() !== 'persona';
+				} else {
+					$personaFile = DATA_PATH . '/persona/' . $new_user_email . '.txt';
+					@unlink($personaFile);
+					$ok &= (file_put_contents($personaFile, $new_user_name) !== false);
+				}
+			}
 			if ($ok) {
 				$config_array = array(
 					'language' => $new_user_language,
@@ -110,7 +124,7 @@ class FreshRSS_users_Controller extends Minz_ActionController {
 			$ok = ctype_alnum($username);
 
 			if ($ok) {
-				$ok &= ($username !== Minz_Configuration::defaultUser());	//It is forbidden to delete the default user
+				$ok &= (strcasecmp($username, Minz_Configuration::defaultUser()) !== 0);	//It is forbidden to delete the default user
 			}
 			if ($ok) {
 				$configPath = DATA_PATH . '/' . $username . '_user.php';
@@ -120,6 +134,7 @@ class FreshRSS_users_Controller extends Minz_ActionController {
 				$userDAO = new FreshRSS_UserDAO();
 				$ok &= $userDAO->deleteUser($username);
 				$ok &= unlink($configPath);
+				//TODO: delete Persona file
 			}
 			$notif = array(
 				'type' => $ok ? 'good' : 'bad',
-- 
cgit v1.2.3