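 /**
  * Login controller entry point.
  *
  * Handles, in order: an existing "remember me" cookie, a POSTed
  * Username/Password form (optionally with Remember), and finally the
  * ?return= redirect for a logged-in user. Sets $this->Username,
  * $this->Error and $this->Success; returns whatever Present() returns.
  *
  * NOTE(review): $_COOKIE, $_POST and $_GET are read directly; whether the
  * framework applies CSRF protection to the POST path is not visible here.
  */
 function Start()
 {
     $this->Username = jf::$XUser->Username();
     $Logged = false;

     // Remember-me: the cookie carries an opaque token that maps, through a
     // general setting, to a user id. A missing or expired setting yields
     // null, which fails the `> 0` test and is ignored.
     if (isset($_COOKIE["jframework_rememberme"])) {
         $rememberMeToken = $_COOKIE["jframework_rememberme"];
         $userID = jf::LoadGeneralSetting("rememberme_" . $rememberMeToken);
         if ($userID > 0) {
             jf::$XUser->ForceLogin($userID);
             $Logged = true;
         }
     }

     if (isset($_POST["Username"])) {
         $Username = $_POST['Username'];
         // A missing field is an empty password, not an undefined-index notice.
         $Password = isset($_POST['Password']) ? $_POST['Password'] : '';
         $loginResult = jf::$XUser->Login($Username, $Password);
         if (!$loginResult) {
             $UserID = jf::$XUser->UserID($Username);
             $res = jf::$XUser->LastError;
             // Default for error codes not mapped below, so $this->Error is
             // never assigned an undefined variable.
             $ErrorString = "Login failed.";
             switch ($res) {
                 case \jf\ExtendedUserErrors::Inactive:
                     $ErrorString = "Your account is not activated.";
                     break;
                 case \jf\ExtendedUserErrors::InvalidCredentials:
                 case \jf\ExtendedUserErrors::NotFound:
                     $ErrorString = "Invalid Credentials.";
                     break;
                 case \jf\ExtendedUserErrors::Locked:
                     $ErrorString = "Your account is locked. Try again in " . floor(jf::$XUser->LockTime($Username) / 60) . " minute(s).";
                     break;
                 case \jf\ExtendedUserErrors::PasswordExpired:
                     $Link = htmlspecialchars("./reset?user=" . rawurlencode($UserID), ENT_QUOTES);
                     $ErrorString = "Your password is expired. You should <a href='{$Link}'>change your password</a>.";
                     break;
                 case \jf\ExtendedUserErrors::TemporaryValidPassword:
                     // NOTE(review): the temporary password travels in a URL
                     // query string, where browser history and server logs can
                     // retain it. Kept because the reset page reads `temp=`;
                     // a POST form would be the safer transport. Encoding keeps
                     // passwords containing '&', '#' or quotes from breaking
                     // the link or the attribute.
                     $Link = htmlspecialchars("./reset?user=" . rawurlencode($UserID) . "&temp=" . rawurlencode($Password), ENT_QUOTES);
                     $ErrorString = "This is a temporary password. You should <a href='{$Link}'>reset your password</a> now.";
                     break;
             }
             $Logged = false;
             $this->Error = $ErrorString;
         } else {
             $Logged = true;
             if (isset($_POST['Remember'])) {
                 $timeout = 60 * 60 * 24 * 30; // 30 days, in seconds
                 $rememberMeToken = jf::$Security->RandomToken();
                 jf::SaveGeneralSetting("rememberme_" . $rememberMeToken, jf::CurrentUser(), $timeout);
                 // httponly keeps the token away from page scripts. The
                 // `secure` flag stays off because it is not known here whether
                 // the site is HTTPS-only — TODO confirm and enable if so.
                 setcookie('jframework_rememberme', $rememberMeToken, jf::time() + $timeout, '', '', false, true);
             }
         }
     }

     if ($Logged) {
         if (isset($_GET['return'])) {
             // Only follow a same-site path. An absolute or protocol-relative
             // target ("http://…", "//…") would turn the login page into an
             // open redirector. The framework's own login links pass
             // "return=/…" paths, which still pass this test.
             $return = $_GET['return'];
             if (is_string($return) && $return !== '' && $return[0] === '/' && substr($return, 0, 2) !== '//') {
                 $this->Redirect($return);
             }
         }
         $this->Success = true;
     }
     return $this->Present();
 }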
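 /**
  * Signup controller entry point.
  *
  * Two requests share this action: GET ?validate=<token> activates the user
  * the token was issued for, and a POSTed form (Username, Password, Confirm,
  * Email) creates a new user, assigns it self::ROLE_NAME and sends the
  * activation mail. The first failure message wins and is exposed as
  * $this->Error; success text goes to $this->Success.
  */
 function Start()
 {
     // Activation: the token maps (via a general setting) to a user id. An
     // unknown or expired token yields null, which UserIDExists rejects.
     if (isset($_GET['validate'])) {
         $token = $_GET['validate'];
         $userId = jf::LoadGeneralSetting("activation_{$token}");
         if (!jf::$XUser->UserIDExists($userId)) {
             $errorString = "Invalid validation token";
         } elseif (jf::$XUser->IsActive($userId)) {
             $errorString = "Your account is already activated";
         } else {
             jf::$XUser->Activate($userId);
             // One-shot token: remove it so it cannot be replayed.
             jf::DeleteGeneralSetting("activation_{$token}");
             $this->Success = "Your account is successfully activated";
         }
     }

     // Sign up request
     if (isset($_POST["Username"])) {
         $username = $_POST['Username'];
         // Absent fields default to '' instead of raising notices.
         $password = isset($_POST['Password']) ? $_POST['Password'] : '';
         $email = isset($_POST['Email']) ? $_POST['Email'] : '';
         $confirm = isset($_POST['Confirm']) ? $_POST['Confirm'] : '';
         // NOTE(review): this pattern only accepts lower-case addresses with a
         // 2-3 letter TLD; kept as the app's validation rule.
         if (!preg_match('/^[_a-z0-9-]+(\\.[_a-z0-9-]+)*@[a-z0-9-]+(\\.[a-z0-9-]+)*(\\.[a-z]{2,3})$/', $email)) {
             $errorString = "Invalid email address.";
         } elseif (jf::$XUser->UserID($username)) {
             $errorString = "User already exists.";
         } elseif ($confirm !== $password) {
             // Strict comparison: with `!=` numeric-looking strings such as
             // "1e3" and "1000" would be treated as matching passwords.
             $errorString = "Passwords does not match.";
         }
         if (!isset($errorString)) {
             $userId = jf::$XUser->CreateUser($username, $password, $email);
             // Assign the default role to the newly created user
             $roleId = jf::$RBAC->Roles->TitleId(self::ROLE_NAME);
             jf::$RBAC->Users->Assign($roleId, $userId);
             // Send activation email (consumed by the ?validate= branch above)
             if ($this->activationMail($email, $userId, $username)) {
                 $this->Success = "Signup successful. Check your email for activation link.";
             } else {
                 $errorString = "Could not send confirmation email.";
             }
         }
     }

     if (isset($errorString)) {
         $this->Error = $errorString;
     }
     return $this->Present();
 }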
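 /**
  * SaveGeneralSetting with a timeout: the value must be gone after the
  * timeout elapses and a sweep runs, and the time range must end at the
  * 32-bit limit (jf\Timeout::NEVER).
  *
  * @depends testLoadGeneral
  */
 function testSaveGeneralTimeOut()
 {
     // Saving the same key twice overwrites it; only the second result is asserted.
     jf::SaveGeneralSetting("some_name", "some_value", jf\Timeout::DAY);
     $this->assertTrue(jf::SaveGeneralSetting("some_name", "some_value", jf\Timeout::DAY));
     // Advance the clock past the timeout and force a sweep: the entry is gone.
     $this->movetime(jf\Timeout::DAY);
     jf::$Settings->_Sweep(true);
     $this->assertNull(jf::LoadGeneralSetting("some_name"));
     // A timeout of 1 survives ten years — presumably a "keep until NEVER"
     // special value; TODO confirm against SaveGeneralSetting's contract.
     $this->assertTrue(jf::SaveGeneralSetting("some_name", "some_value", 1));
     $this->movetime(jf\Timeout::YEAR * 10);
     $this->assertNotNull(jf::LoadGeneralSetting("some_name", 1));
     // Move to the very end of the time range; expected value comes first so
     // a failure message reads correctly.
     $this->movetime(0);
     $this->movetime(jf\Timeout::NEVER - jf::time());
     $this->assertEquals(2147483647, jf::time());
     jf::$Settings->_Sweep(true);
     $this->assertNull(jf::LoadGeneralSetting("some_name", 1));
 }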
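 /**
  * Returns the object of the lesson from
  * the application settings.
  *
  * The 'categoryLessons' setting is iterated as categories, each a list of
  * lessons where index 0 holds the lesson name and index 1 the object that
  * is returned.
  *
  * @param string|null $lessonName Name of the lesson to be searched for
  *
  * @return Object Lesson object
  * @throws ArgumentMissingException If $lessonName is missing or empty
  * @throws LessonNotFoundException If the lesson is not found
  * @throws GeneralSettingsMissingException  If there are no application
  *          settings present
  */
 public static function getLessonObject(?string $lessonName = null)
 {
     // Explicit form of the previous `== null` test, which also matched ''.
     if ($lessonName === null || $lessonName === '') {
         throw new ArgumentMissingException("Please select a lesson");
     }
     // Read the setting once instead of once for the check and once for the loop.
     $categoryLessons = \jf::LoadGeneralSetting('categoryLessons');
     if (!$categoryLessons) {
         throw new GeneralSettingsMissingException("No settings found for 'categoryLessons'");
     }
     foreach ($categoryLessons as $lessons) {
         foreach ($lessons as $lesson) {
             // Strict: lesson names are class-name strings, and `==` would
             // equate numeric-looking strings such as "1e3" and "1000".
             if ($lesson[0] === $lessonName) {
                 return $lesson[1];
             }
         }
     }
     throw new LessonNotFoundException("Lesson '{$lessonName}' not found");
 }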
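 /**
  * Signup controller entry point.
  *
  * GET ?validate=<token> activates the user the token was issued for; a
  * POSTed form (Username, Password, Confirm, Email) creates a new user and
  * sends the activation mail. The first failure message wins and is exposed
  * as $this->Error; $this->Success carries the activation text or true.
  */
 function Start()
 {
     $this->Username = jf::$XUser->Username();

     // Activation: the token maps (via a general setting) to a user id. An
     // unknown or expired token yields null, which UserIDExists rejects.
     if (isset($_GET['validate'])) {
         $token = $_GET['validate'];
         $UserID = jf::LoadGeneralSetting("activation_{$token}");
         if (!jf::$XUser->UserIDExists($UserID)) {
             $ErrorString = "Invalid validation token.";
         } elseif (jf::$XUser->IsActive($UserID)) {
             $ErrorString = "Your account is already activated";
         } else {
             jf::$XUser->Activate($UserID);
             // One-shot token: remove it so it cannot be replayed.
             jf::DeleteGeneralSetting("activation_{$token}");
             $this->Success = "Your account is succesfully activated. You may now login.";
         }
     }

     // Sign up request
     if (isset($_POST["Username"])) {
         $Username = $_POST['Username'];
         // Absent fields default to '' instead of raising notices.
         $Password = isset($_POST['Password']) ? $_POST['Password'] : '';
         $Email = isset($_POST['Email']) ? $_POST['Email'] : '';
         $Confirm = isset($_POST['Confirm']) ? $_POST['Confirm'] : '';
         // NOTE(review): this pattern only accepts lower-case addresses with a
         // 2-3 letter TLD; kept as the app's validation rule.
         if (!preg_match('/^[_a-z0-9-]+(\\.[_a-z0-9-]+)*@[a-z0-9-]+(\\.[a-z0-9-]+)*(\\.[a-z]{2,3})$/', $Email)) {
             $ErrorString = "Invalid email address.";
         } elseif (jf::$XUser->UserID($Username)) {
             $ErrorString = "User already exists.";
         } elseif ($Confirm !== $Password) {
             // Strict comparison: with `!=` numeric-looking strings such as
             // "1e3" and "1000" would be treated as matching passwords.
             $ErrorString = "Password retype does not match.";
         }
         if (!isset($ErrorString)) {
             $UserID = jf::$XUser->CreateUser($Username, $Password, $Email);
             // Send activation email (consumed by the ?validate= branch above)
             if ($this->ActivationMail($Email, $UserID, $Username)) {
                 $this->Success = true;
             } else {
                 $ErrorString = "Could not send confirmation email.";
             }
         }
     }

     if (isset($ErrorString)) {
         $this->Error = $ErrorString;
     }
     return $this->Present();
 }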
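 /**
  * Workshop dashboard entry point.
  *
  * Requires a logged-in user holding the 'workshop' permission. Two POSTs
  * (hide=<lesson>, show=<lesson>) update the "hiddenWorkshopLessons" general
  * setting and answer {"status":true}; any other request builds the overview,
  * reports and analytics data for the view and presents it. Users without
  * the permission are redirected to SiteRoot, anonymous users to the login
  * page with a return path.
  *
  * NOTE(review): the hide/show POSTs change shared state and $_POST['hide']
  * is stored verbatim; no CSRF token or lesson-name validation is visible
  * here — confirm the framework covers both.
  *
  * @return mixed Present() result, true after a hide/show update, null on redirect
  */
 public function Start()
 {
     if (!jf::CurrentUser()) {
         // User not authenticated
         $this->Redirect(jf::url() . "/user/login?return=/" . jf::$BaseRequest);
         return;
     }
     if (!jf::Check('workshop')) {
         // User not authorized: redirect to home page instead of Login Page
         $this->Redirect(SiteRoot);
         return;
     }

     // The setting is null until the first lesson is hidden; normalise to an
     // empty list so count()/array_search never see null.
     $hiddenLessons = jf::LoadGeneralSetting("hiddenWorkshopLessons");
     if ($hiddenLessons === null) {
         $hiddenLessons = array();
     }

     // If request to hide the lesson
     if (isset($_POST['hide'])) {
         // Skip duplicates: they would skew totalVisibleLessons below.
         if (!in_array($_POST['hide'], $hiddenLessons, true)) {
             $hiddenLessons[] = $_POST['hide'];
         }
         jf::SaveGeneralSetting("hiddenWorkshopLessons", $hiddenLessons);
         echo json_encode(array('status' => true));
         return true;
     }
     // If request to show the lesson
     if (isset($_POST['show'])) {
         $position = array_search($_POST['show'], $hiddenLessons, true);
         if ($position !== false) {
             unset($hiddenLessons[$position]);
             // Re-index so the stored value stays a plain list.
             $hiddenLessons = array_values($hiddenLessons);
         }
         jf::SaveGeneralSetting("hiddenWorkshopLessons", $hiddenLessons);
         echo json_encode(array('status' => true));
         return true;
     }

     // Get the list of all the lessons/categories (null when never scanned).
     $this->allCategoryLesson = jf::LoadGeneralSetting("categoryLessons");
     if ($this->allCategoryLesson === null) {
         $this->allCategoryLesson = array();
     }
     $this->hiddenLessons = $hiddenLessons;

     // Overview section: user and lesson totals.
     $obj = new \webgoat\WorkshopUsers();
     $workshopUsers = $obj->getAll();
     if ($workshopUsers === null) {
         // getAll() returns null if no users are present
         $workshopUsers = array();
     }
     $this->totalUsers = count($workshopUsers);
     $this->totalCategories = count($this->allCategoryLesson);
     $lessonCount = 0;
     foreach ($this->allCategoryLesson as $lessons) {
         $lessonCount += count($lessons);
     }
     $this->totalLessons = $lessonCount;
     $this->totalVisibleLessons = $lessonCount - count($this->hiddenLessons);

     // Reports section: for each lesson (index 0 is its name) the usernames
     // whose "completed_webgoat\<name>" user setting is set.
     $lessonsCompletedBy = array();
     $lessonPrefix = "completed_webgoat\\";
     foreach ($this->allCategoryLesson as $lessons) {
         foreach ($lessons as $lesson) {
             $lessonsCompletedBy[$lesson[0]] = array();
             foreach ($workshopUsers as $user) {
                 if (jf::LoadUserSetting($lessonPrefix . $lesson[0], $user['ID'])) {
                     $lessonsCompletedBy[$lesson[0]][] = $user['Username'];
                 }
             }
         }
     }
     $this->reports = $lessonsCompletedBy;

     // Analytics section: [category, lesson count] rows under a heading row.
     $noOfLessonsInCategories = array(array('Category', 'No of Lessons'));
     foreach ($this->allCategoryLesson as $category => $lessons) {
         $noOfLessonsInCategories[] = array($category, count($lessons));
     }
     $this->analytics = $noOfLessonsInCategories;

     return $this->Present();
 }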
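 /**
  * Request handler for single-lesson mode.
  *
  * $request is ignored; the full path is re-read from jf::$BaseRequest (see
  * the FIXME). The part after the controller URL selects the lesson:
  * ".../<Lesson>/static/<file>" serves a file from below LESSON_PATH,
  * ".../<Lesson>/reset/" resets that lesson and answers {"status":true},
  * anything else renders the lesson page. Requires a logged-in user with
  * the 'view_single_chal' permission; otherwise the user is redirected to
  * SiteRoot (no permission) or to the login page.
  *
  * @param mixed $request unused, kept for the interface
  * @return mixed Feed()/Present() result, bool for reset, null on redirect or missing file
  */
 public function Handle($request)
 {
     // This gives complete request path
     $request = jf::$BaseRequest;
     //FIXME: Fix JCatchControl so that this is not required

     if (!jf::CurrentUser()) {
         // User not logged in
         $this->Redirect(jf::url() . "/user/login?return=/{$request}");
         return;
     }
     if (!jf::Check('view_single_chal')) {
         // Not sufficient permissions, redirect to home page of the application
         $this->Redirect(SiteRoot);
         return;
     }

     // Extract the relative request path i.e the path after the controller URL
     // Ex: If request is http://localhost/webgoatphp/mode/single/challenges/HTTPBasics/static/test
     // $request will be mode/single/challenges/HTTPBasics/static/test
     // $relativePath will be HTTPBasics/static/test
     $relativePath = $this->getRelativePath($request);
     $absolutePath = LESSON_PATH . $relativePath;

     if (strpos($relativePath, "/static/") !== false) {
         // Static asset of a lesson. The path is user controlled, so only
         // serve regular files that resolve inside LESSON_PATH ("..", symlinks
         // and the like are rejected by comparing the canonical paths).
         $realBase = realpath(LESSON_PATH);
         $realFile = realpath($absolutePath);
         if ($realBase !== false && $realFile !== false && is_file($realFile)
             && strpos($realFile, $realBase . DIRECTORY_SEPARATOR) === 0) {
             $FileMan = new \jf\DownloadManager();
             return $FileMan->Feed($realFile);
         }
         return;
     }

     $nameOfLesson = stristr($relativePath, "/", true);
     \webgoat\LessonScanner::loadClasses();

     if (strpos($relativePath, "reset/") !== false) {
         // $nameOfLesson becomes part of a class name: restrict it to
         // identifier characters and require the class to exist, so only
         // lesson classes in the \webgoat namespace can be instantiated.
         if ($nameOfLesson === false || !preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $nameOfLesson)) {
             echo json_encode(array("status" => false));
             return false;
         }
         $lessonNameWithNS = "\\webgoat\\" . $nameOfLesson;
         if (!class_exists($lessonNameWithNS)) {
             echo json_encode(array("status" => false));
             return false;
         }
         $obj = new $lessonNameWithNS();
         $obj->reset();
         echo json_encode(array("status" => true));
         return true;
     }

     // Lesson page. Rescan on explicit ?refresh or when the cached list is missing.
     if (isset($_GET['refresh']) || !jf::LoadGeneralSetting("categoryLessons")) {
         \webgoat\LessonScanner::run();
     }
     $this->allCategoryLesson = jf::LoadGeneralSetting("categoryLessons");
     try {
         $lessonObj = \webgoat\LessonScanner::getLessonObject($nameOfLesson);
         $lessonObj->start();
         $this->lessonTitle = $lessonObj->getTitle();
         $this->hints = $lessonObj->getHints();
         $this->htmlContent = $lessonObj->getContent();
         $this->nameOfLesson = $nameOfLesson;
         // Optional "secure coding" excerpt: lines [start, end) of the
         // lesson's index.php; indentSize is presumably used by
         // removeWhitespaces — confirm.
         $secureCoding = $lessonObj->isSecureCodingAllowed();
         if ($secureCoding['status'] === true) {
             $sourceCode = file($absolutePath . "index.php");
             $firstLine = $sourceCode[$secureCoding['start']];
             $this->indentSize = strlen($firstLine) - strlen(ltrim($firstLine));
             $sourceCodeToDisplay = "";
             for ($i = $secureCoding['start']; $i < $secureCoding['end']; $i++) {
                 $sourceCodeToDisplay .= $this->removeWhitespaces($sourceCode[$i]) . "\n";
             }
             $this->sourceCode = $sourceCodeToDisplay;
         }
         // To show complete PHP Code (file_get_contents returns false on failure)
         $sourceCode = file_get_contents($absolutePath . "index.php");
         $this->completeSourceCode = htmlentities($sourceCode === false ? "" : $sourceCode);
         if (isset($_POST['sourceCode'])) {
             // Code to handle source code evaluation
         }
     } catch (\Exception $e) {
         // Fully qualified on purpose: inside a namespace a bare `Exception`
         // would resolve to <namespace>\Exception and catch nothing.
         $this->error = $e->getMessage();
     }
     header("X-XSS-Protection: 0");
     // Disable XSS protection
     return $this->Present();
 }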
<?php

#####################################################################################
# Transition script. Used to make changes between versions, such as database schema #
# upgrades and similar things.                                                      #
#####################################################################################
# Compare the version persisted in the general settings with the one compiled
# into the application; transition steps run only when they differ.
$OldVersion = jf::LoadGeneralSetting("Version");
$Version = constant("jf_Application_Version");
if ($OldVersion != $Version) {
    # Persist the new version before doing any work, so that concurrent
    # requests do not run the transition again.
    jf::SaveGeneralSetting("Version", $Version);
    if ("1.0" == $OldVersion && "2.0" == $Version) {
        # Upgrade the database schema from version 1 to version 2.
    }
}