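 /**
  * Force-activate a user (admin action).
  *
  * Renders the forceActivation form, or – when the form was submitted –
  * validates the CSRF token and the posted tariff / start date, activates
  * the user and redirects to their payments page.
  *
  * @param array $parameters route parameters; $parameters[0] is the id of
  *                          the user being activated
  */
 public function process($parameters)
 {
     $activation = new Activation();
     $csrf = new Csrf();
     $userId = $parameters[0] ?? null;
     // Only an admin of this user may reach the form at all. Returning right
     // after the redirect keeps the check effective even if redirect() does
     // not stop execution by itself.
     if (!$activation->checkIfIsAdminOfUser($_SESSION['id_user'], $userId)) {
         $this->redirect('error');
         return;
     }
     if (isset($_POST['sent'])) {
         // A missing token is handed to the validator as null (no notice) and
         // must fail exactly like a wrong one.
         if (!Csrf::validateCsrfRequest($_POST['csrf'] ?? null)) {
             $this->messages[] = ['s' => 'error', 'cs' => 'Možný CSRF útok! Zkuste prosím aktivaci znovu', 'en' => 'Possible CSRF attack! Please try activation again'];
             $this->redirect('error');
             return;
         }
         $tariffId = $activation->sanitize($_POST['tariff'] ?? null);
         $startDate = $activation->sanitize($_POST['startDate'] ?? null);
         $result = $activation->validateForceActivationData($tariffId, $startDate);
         if ($result['s'] === 'success') {
             $result = $activation->forceActivateUser($activation->getUserEmailFromId($userId), $tariffId, $startDate);
         }
         $this->messages[] = $result;
         if ($result['s'] === 'success') {
             $this->redirect('payments/' . $userId);
             return;
         }
     }
     // Form data: a fresh token plus the tariff list in the current language.
     $this->data['csrf'] = $csrf->getCsrfToken();
     $this->data['tariffs'] = $activation->returnTariffsData($this->language);
     $this->header['title'] = ['cs' => 'Aktivace uživatele', 'en' => 'User activation'];
     $this->view = 'forceActivation';
 }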
 /**
  * Persist the site metadata submitted from the settings form.
  *
  * Rejects the request when the CSRF token does not verify, collects
  * validation errors for the required fields, normalises the boolean and
  * numeric settings and writes every posted key into the `meta` table.
  *
  * @return bool true when the metadata was saved, false on a token or
  *              validation failure (the failure is reported via Notifications)
  */
 public static function update()
 {
     // Reject anything that does not carry a valid CSRF token.
     if (Csrf::verify(Input::post('token')) === false) {
         Notifications::set('error', 'Invalid token');
         return false;
     }
     $fields = ['sitename', 'description', 'theme', 'twitter', 'home_page', 'posts_page', 'auto_published_comments', 'posts_per_page'];
     $post = Input::post($fields);
     // Required fields and the language line shown when one is missing.
     $required = [
         'sitename' => ['metadata.missing_sitename', 'You need a site sitename'],
         'description' => ['metadata.missing_sitedescription', 'You need a site description'],
         'theme' => ['metadata.missing_theme', 'You need a theme'],
     ];
     $errors = [];
     foreach ($required as $field => list($line, $fallback)) {
         if (empty($post[$field])) {
             $errors[] = Lang::line($line, $fallback);
         }
     }
     // Store the checkbox as 0/1 rather than whatever the form sent.
     $post['auto_published_comments'] = (int) (bool) $post['auto_published_comments'];
     // Posts per page must be a whole number above 0; anything else falls back to 10.
     $perPage = intval($post['posts_per_page']);
     $post['posts_per_page'] = $perPage > 0 ? $perPage : 10;
     if ($errors !== []) {
         Notifications::set('error', $errors);
         return false;
     }
     // One row per setting; the keys come from the fixed list above, not from the request.
     foreach ($post as $key => $value) {
         Db::update('meta', ['value' => $value], ['key' => $key]);
     }
     Notifications::set('success', Lang::line('metadata.meta_success_updated', 'Your metadata has been updated'));
     return true;
 }
 /**
  * The login action, when you do login/login.
  *
  * A request without a valid CSRF token is treated as hostile: the session
  * is logged out and the browser is sent home before any credential is
  * looked at. Otherwise the posted credentials go to LoginModel::login() and
  * the user is redirected according to the outcome, honouring an optional
  * `redirect` target carried by the form.
  */
 public function login()
 {
     // Token check first; a forged request must never reach LoginModel::login().
     if (!Csrf::isTokenValid()) {
         LoginModel::logout();
         Redirect::home();
         exit;
     }
     $loggedIn = LoginModel::login(
         Request::post('user_name'),
         Request::post('user_password'),
         Request::post('set_remember_me_cookie')
     );
     if ($loggedIn) {
         if (Request::post('redirect')) {
             // NOTE(review): `redirect` is user-supplied; stripping the leading
             // '/' alone does not keep the target on-site — confirm that
             // toPreviousViewedPageAfterLogin() prefixes the application URL.
             Redirect::toPreviousViewedPageAfterLogin(ltrim(urldecode(Request::post('redirect')), '/'));
             return;
         }
         Redirect::to('user/index');
         return;
     }
     // Failed login: back to the form, keeping the intended target in the query string.
     if (Request::post('redirect')) {
         Redirect::to('login?redirect=' . ltrim(urlencode(Request::post('redirect')), '/'));
         return;
     }
     Redirect::to('login/index');
 }
 /**
  * Edit user name (perform the real action after form has been submitted).
  *
  * Requires a valid CSRF token; without one the session is dropped and the
  * request ends at the home page instead of touching UserModel.
  */
 public function editUsername_action()
 {
     $tokenOk = Csrf::isTokenValid();
     if (!$tokenOk) {
         LoginModel::logout();
         Redirect::home();
         exit;
     }
     $newName = Request::post('user_name');
     UserModel::editUserName($newName);
     Redirect::to('user/editUsername');
 }
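 /**
  * List the other members for an admin.
  *
  * Renders the checkUsers view with the member table, the mail list of the
  * active members and a fresh CSRF token.
  *
  * @param array $parameters route parameters (unused; the acting user comes
  *                          from the session)
  */
 function process($parameters)
 {
     $checkUsers = new CheckUsers();
     $userId = $_SESSION['id_user'];
     // Admin-only page. Return right after the redirect so that member data
     // is never assembled for a non-admin, even if redirect() does not exit.
     if (!$checkUsers->checkIfAdmin($userId)) {
         $this->redirect('error');
         return;
     }
     $members = $checkUsers->getMembers($userId, $this->language);
     $this->data['csrf'] = Csrf::getCsrfToken();
     $this->data['activeMemberMailList'] = $checkUsers->getActiveMemberMailList($members);
     $this->data['members'] = $members;
     $this->header['title'] = ['cs' => 'Ostatní členové', 'en' => 'Other members'];
     $this->view = 'checkUsers';
 }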
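 /**
  * Deactivate a user (admin action).
  *
  * The route carries both the target and the CSRF token as path parameters:
  * $parameters[0] is the user id, $parameters[1] the token. The action
  * always ends with a redirect to checkUsers; the outcome is reported via
  * $this->messages.
  *
  * @param array $parameters route parameters
  */
 public function process($parameters)
 {
     $deactivation = new Activation();
     $userId = $parameters[0] ?? null;
     // Authorisation first, and return immediately so a non-admin can never
     // reach deactivateUser() even if redirect() does not stop execution.
     if (!$deactivation->checkIfIsAdminOfUser($_SESSION['id_user'], $userId)) {
         $this->redirect('error');
         return;
     }
     // The token travels in the URL here (it can end up in logs and referrers);
     // a missing one is passed as null and simply fails validation.
     $csrfToken = $parameters[1] ?? null;
     if (!Csrf::validateCsrfRequest($csrfToken)) {
         $this->messages[] = ['s' => 'error', 'cs' => 'Možný CSRF útok! Zkuste prosím deaktivaci znovu', 'en' => 'Possible CSRF attack! Please try deactivation again'];
     } else {
         $email = $deactivation->getUserEmailFromId($userId);
         $this->messages[] = $deactivation->deactivateUser($email);
     }
     $this->redirect('checkUsers');
 }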
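 /**
  * Handle a submitted login form.
  *
  * Without a valid CSRF token the session is logged out and the request
  * stops there – the credentials never reach LoginModel::login(). On success
  * the user lands on login/showProfile or on the `redirect` target the form
  * carried; on failure the login form is shown again.
  */
 public function login()
 {
     if (!Csrf::isTokenValid()) {
         self::logout();
         // logout() may or may not end the request itself; returning here
         // guarantees that a forged request cannot fall through to login().
         return;
     }
     $success = LoginModel::login(Request::post('user_name'), Request::post('user_password'), Request::post('set_remember_me_cookie'));
     // check login status: if true, then redirect user login/showProfile, if false, then to login form again
     if (!$success) {
         Redirect::to('login/index');
         return;
     }
     if (Request::post('redirect')) {
         // NOTE(review): user-supplied target; ltrim only drops the leading '/'
         // — confirm Redirect::to() keeps the destination on-site.
         Redirect::to(ltrim(urldecode(Request::post('redirect')), '/'));
     } else {
         Redirect::to('login/showProfile');
     }
 }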
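 /**
  * Change personal data of the current user or, for an admin, of the user
  * given as the first route parameter.
  *
  * Flow: require login; resolve the target user and check the admin
  * relation; on a submitted form validate the CSRF token and the data, push
  * the change to Fakturoid and then to the local store; finally render the
  * changePersonals form with the stored user data.
  *
  * @param array $parameters route parameters; optional $parameters[0] is the
  *                          id of the user to edit
  */
 function process($parameters)
 {
     $changePersonals = new ChangePersonals();
     if (!$changePersonals->checkLogin()) {
         $this->redirect('error');
         return;
     }
     // If no user id is given, edit the current user.
     $userId = isset($parameters[0]) ? $parameters[0] : $_SESSION['id_user'];
     // Editing someone else requires being their admin. The loose comparison
     // is kept on purpose: the id arrives as a string from the URL and may be
     // an int in the session. Return so the form is never processed for a
     // user the caller is not allowed to edit.
     if ($userId != $_SESSION['id_user'] && !$changePersonals->checkIfIsAdminOfUser($_SESSION['id_user'], $userId)) {
         $this->redirect('error');
         return;
     }
     if (isset($_POST['sent'])) {
         // Missing fields are passed as null instead of raising notices; the
         // validator decides whether they are acceptable.
         $data = $changePersonals->sanitize([
             'firstname' => $_POST['firstname'] ?? null,
             'surname' => $_POST['surname'] ?? null,
             'telephone' => $_POST['telephone'] ?? null,
             'address' => $_POST['address'] ?? null,
             'ic' => $_POST['ic'] ?? null,
             'p' => $_POST['p'] ?? null,
             'csrf' => $_POST['csrf'] ?? null,
         ]);
         if (!Csrf::validateCsrfRequest($data['csrf'])) {
             $this->messages[] = ['s' => 'error', 'cs' => 'Možný CSRF útok! Zkuste prosím změnit údaje znovu', 'en' => 'Possible CSRF attack! Please try to change your personals again'];
         } else {
             $result = $changePersonals->validateData($data);
             if ($result['s'] === 'success') {
                 $fakturoid = new FakturoidWrapper();
                 // The invoicing system keys customers by its own id.
                 $data['fakturoid_id'] = $fakturoid->getFakturoidIdFromUserId($userId);
                 if (!$fakturoid->updateCustomer($data)) {
                     $result = ['s' => 'error', 'cs' => 'Bohužel se nepovedlo uložit data do Faktuoidu; zkus to prosím za pár minut', 'en' => 'Sorry, we didn\'t save your data into Fakturoid; try it again after a couple of minutes please'];
                 } else {
                     $result = $changePersonals->changePersonalData($data, $userId);
                 }
             }
             $this->messages[] = $result;
         }
     }
     // Data for the form, re-read so it reflects what is actually stored.
     $userData = $changePersonals->getUserData($userId);
     $this->data = $userData['user'];
     $this->data['csrf'] = Csrf::getCsrfToken();
     $this->header['title'] = ['cs' => 'Změna osobních údajů', 'en' => 'Change personal information'];
     $this->view = 'changePersonals';
 }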
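 /**
  * Change personal data of the current user or, for an admin, of the user
  * given as the first route parameter.
  *
  * Flow: require login; resolve the target user and check the admin
  * relation; on a submitted form validate the CSRF token and the data and
  * store the change; finally render the changePersonals form with the
  * stored user data.
  *
  * @param array $parameters route parameters; optional $parameters[0] is the
  *                          id of the user to edit
  */
 function process($parameters)
 {
     $changePersonals = new ChangePersonals();
     if (!$changePersonals->checkLogin()) {
         $this->redirect('error');
         return;
     }
     // If no user id is given, edit the current user.
     $userId = isset($parameters[0]) ? $parameters[0] : $_SESSION['id_user'];
     // Editing someone else requires being their admin. The loose comparison
     // is kept on purpose: the id arrives as a string from the URL and may be
     // an int in the session. Return so the form is never processed for a
     // user the caller is not allowed to edit.
     if ($userId != $_SESSION['id_user'] && !$changePersonals->checkIfIsAdminOfUser($_SESSION['id_user'], $userId)) {
         $this->redirect('error');
         return;
     }
     if (isset($_POST['sent'])) {
         // Missing fields are passed as null instead of raising notices; the
         // validator decides whether they are acceptable.
         $data = $changePersonals->sanitize([
             'firstname' => $_POST['firstname'] ?? null,
             'surname' => $_POST['surname'] ?? null,
             'telephone' => $_POST['telephone'] ?? null,
             'address' => $_POST['address'] ?? null,
             'ic' => $_POST['ic'] ?? null,
             'p' => $_POST['p'] ?? null,
             'csrf' => $_POST['csrf'] ?? null,
         ]);
         if (!Csrf::validateCsrfRequest($data['csrf'])) {
             $this->messages[] = ['s' => 'error', 'cs' => 'Možný CSRF útok! Zkuste prosím změnit údaje znovu', 'en' => 'Possible CSRF attack! Please try change your personals again'];
         } else {
             $result = $changePersonals->validateData($data);
             if ($result['s'] === 'success') {
                 $result = $changePersonals->changePersonalData($data, $userId);
             }
             $this->messages[] = $result;
         }
     }
     // Data for the form, re-read so it reflects what is actually stored.
     $user = $changePersonals->getUserData($userId, $this->language);
     $this->data = $user['user'];
     $this->data['csrf'] = Csrf::getCsrfToken();
     $this->header['title'] = ['cs' => 'Změna osobních údajů', 'en' => 'Change Personal info'];
     $this->view = 'changePersonals';
 }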
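 /**
  * Edit user name (perform the real action after form has been submitted)
  * Auth::checkAuthentication() makes sure that only logged in users can use this action
  *
  * The CSRF token is checked before the rename; a request without a valid
  * token ends in logout() and never reaches UserModel.
  */
 public function editUsername_action()
 {
     Auth::checkAuthentication();
     // check if csrf token is valid
     if (!Csrf::isTokenValid()) {
         self::logout();
         // logout() may or may not end the request itself; returning here
         // guarantees that a forged request cannot fall through to the rename.
         return;
     }
     UserModel::editUserName(Request::post('user_name'));
     Redirect::to('login/index');
 }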
 /**
  * Do something after content is loaded from DB
  *
  * Hook run once the page content is available: hands the global template
  * object to Csrf::add_placeholder(), which presumably registers the CSRF
  * placeholder so the rendered markup can carry the token. $page itself is
  * not used here.
  *
  * @param \Cx\Core\ContentManager\Model\Entity\Page $page       The resolved page
  */
 public function postContentLoad(\Cx\Core\ContentManager\Model\Entity\Page $page)
 {
     // The template object lives in the global scope (legacy pattern).
     global $objTemplate;
     Csrf::add_placeholder($objTemplate);
 }
 /**
  * Render a form container: the optional <form> wrapper with its hidden
  * _csrf field, every element, and the closing tag.
  *
  * Output is printed directly, not returned.
  *
  * @param Container $form   the form definition
  * @param mixed     $data   values to populate the elements with; when the
  *                          form has a name only its sub-array is used
  * @param string    $prefix name prefix inherited from the enclosing form
  */
 function render(Container $form, $data, $prefix = '')
 {
     if ($form->if) {
         $this->pushStack(new Test($prefix . $form->if), $data);
     }
     // Add the forms prefix on
     $prefix .= $form->prefix;
     // Group by the form name if it is set
     if ($form->name) {
         $data = isset($data[$form->name]) ? $data[$form->name] : array();
     }
     // Only a form with an action gets the <form> tag and the token field
     $hasFormTag = (bool) $form->action;
     if ($hasFormTag) {
         $formAttributes = array(
             'id' => $form->id,
             'action' => $form->action,
             'method' => $form->method,
             'enctype' => $form->upload ? 'multipart/form-data' : NULL,
         );
         echo '<form', Html::attributes($formAttributes), ">\n";
         // Hidden _csrf field, bound to the form's intent and expiry
         $tokenAttributes = array(
             'type' => 'hidden',
             'name' => '_csrf',
             'value' => Csrf::generate($form->intent, $form->expire),
         );
         echo '<input', Html::attributes($tokenAttributes), ">\n";
     }
     // Render each of the elements
     foreach ($form->getElements() as $element) {
         $this->renderElement($element, $data, $prefix);
     }
     // Kill anything remaining on the stack
     $this->endStack(NULL);
     if ($hasFormTag) {
         echo "</form>\n";
     }
 }
            if ($objFWUser->objUser->login($backend)) {
                return true;
            }
        }
        return false;
    }
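    /**
     * Remove the CSRF protection parameter from the query string and referrer
     *
     * Strips "<formkey>=<token>" (plus a trailing "&", if any) from
     * $_SERVER['QUERY_STRING'], REQUEST_URI and HTTP_REFERER, and drops any
     * argv entry carrying it, so the token is not echoed back into links,
     * logs or redirects that are built from those values.
     */
    public static function cleanRequestURI()
    {
        // Cut the parameter plus trailing ampersand, if any. Removing only the
        // parameter would leave "index.php&name=value", which is invalid; a
        // trailing "?" or "&" on the other hand does no harm. The key is
        // regex-quoted so a formkey containing metacharacters cannot alter
        // the pattern.
        $csrfUrlModifierPattern = '/' . preg_quote(self::$formkey, '/') . '=[a-zA-Z0-9_]+&?/';
        foreach (array('QUERY_STRING', 'REQUEST_URI', 'HTTP_REFERER') as $key) {
            if (!empty($_SERVER[$key])) {
                $_SERVER[$key] = preg_replace($csrfUrlModifierPattern, '', $_SERVER[$key]);
            }
        }
        // CLI arguments: drop every entry that carries the parameter
        if (!empty($_SERVER['argv'])) {
            $_SERVER['argv'] = preg_grep($csrfUrlModifierPattern, $_SERVER['argv'], PREG_GREP_INVERT);
        }
    }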
    /**
     * Switch the class into frontend mode.
     *
     * Also narrows `url_rewriter.tags`, presumably to limit where PHP's URL
     * rewriter injects its parameter into frontend markup (confirm against
     * the session/rewriter configuration). Errors from ini_set() are
     * suppressed, as before.
     */
    public static function setFrontendMode()
    {
        $rewriterTags = 'area=href,frame=src,iframe=src,input=src,form=,fieldset=';
        @ini_set('url_rewriter.tags', $rewriterTags);
        self::$frontend_mode = true;
    }
}
// Runs when this file is included: strip the CSRF parameter from the request
// URI / query string / referrer before anything else reads them.
Csrf::cleanRequestURI();
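 /**
  * Create a page from the submitted form.
  *
  * Verifies the CSRF token, validates the required fields, derives and
  * normalises the slug, rejects a slug that is already taken, and inserts
  * the record.
  *
  * @return bool true when the page was inserted, false on a token or
  *              validation failure (reported via Notifications)
  */
 public static function add()
 {
     // verify Csrf token
     if (Csrf::verify(Input::post('token')) === false) {
         Notifications::set('error', 'Invalid token');
         return false;
     }
     $post = Input::post(array('slug', 'name', 'title', 'content', 'redirect', 'status'));
     $errors = array();
     if (empty($post['name'])) {
         $errors[] = Lang::line('pages.missing_name', 'Please enter a name');
     }
     if (empty($post['title'])) {
         $errors[] = Lang::line('pages.missing_title', 'Please enter a title');
     }
     // Derive the slug from the name when none was given and normalise it
     // BEFORE the duplicate check: the normalised value is what gets stored,
     // so that is the value that must be unique (previously the raw input
     // was checked and a collision after Str::slug() went unnoticed).
     if (empty($post['slug'])) {
         $post['slug'] = $post['name'];
     }
     $post['slug'] = Str::slug($post['slug']);
     // check for duplicate slug (parameterised query)
     $sql = "select id from pages where slug = ?";
     if (Db::row($sql, array($post['slug']))) {
         $errors[] = Lang::line('pages.duplicate_slug', 'A pages with the same slug already exists, please change your page slug.');
     }
     if (count($errors)) {
         Notifications::set('error', $errors);
         return false;
     }
     Db::insert('pages', $post);
     Notifications::set('success', Lang::line('pages.page_success_created', 'Your new page has been added'));
     return true;
 }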
/*
|--------------------------------------------------------------------------
| CSRF Protection Filter
|--------------------------------------------------------------------------
|
| The CSRF filter is responsible for protecting your application against
| cross-site request forgery attacks. If this special token in a user
| session does not match the one given in this request, we'll bail.
|
*/
// Only GET and OPTIONS are exempt; every other method (HEAD included) must
// carry a valid token. Csrf::check() throws when it does not.
Route::filter('csrf', function () {
    $isSafeMethod = Request::isMethod('get') || Request::isMethod('options');
    if (!$isSafeMethod) {
        // throws exception if token invalid
        Csrf::check();
    }
});
/*
|--------------------------------------------------------------------------
| X-Frame-Options Header Filter
|--------------------------------------------------------------------------
|
| Prevents pages being loaded in an iframe.
|
*/
Route::filter('setXFrameOptionsHeader', function ($route, $request, $response) {
    // Only response objects that expose header() can be given the header.
    if (!method_exists($response, 'header')) {
        return;
    }
    $response->header('X-Frame-Options', 'deny');
});
/*
 /**
  * Whether this form was submitted with a token that passes the CSRF check.
  *
  * Builds on the parent's submission test and additionally requires a
  * `_csrf` field in $_POST; the token is validated against this form's
  * intent. Returns false when either condition is not met.
  */
 function submitted()
 {
     if (!parent::submitted() || !isset($_POST['_csrf'])) {
         return false;
     }
     return Csrf::check($_POST['_csrf'], $this->intent);
 }
<h4>editUsername</h4>

    <!-- echo out the system feedback (error and success messages) -->
    <?php 
// Prints the queued error/success messages for this view.
$this->renderFeedbackMessages();
?>

        <h4>Change your username</h4>

        <form action="<?php 
// Base URL from the application config; emitted unescaped into the attribute.
echo Config::get('URL');
?>
user/editUserName_action" method="post">
            <!-- btw http://stackoverflow.com/questions/774054/should-i-put-input-tag-inside-label-tag -->
            <label>
                New username: <input type="text" name="user_name" required />
            </label>
            <!-- set CSRF token at the end of the form -->
            <input type="hidden" name="csrf_token" value="<?php 
// Anti-CSRF token; the receiving action is expected to validate it before
// changing the username.
echo Csrf::makeToken();
?>
" />
            <input type="submit" value="Submit" />
        </form>
    return View::create('upgrade', $vars)->partial('header', 'partials/header')->partial('footer', 'partials/footer');
});
/*
	List extend
*/
// Extend listing (auth-guarded): feedback messages plus a CSRF token for the page's forms.
Route::get('admin/extend', array('before' => 'auth', 'main' => function ($page = 1) {
    // $page is part of the route signature but not used by this listing.
    $vars = array(
        'messages' => Notify::read(),
        'token' => Csrf::token(),
    );
    $view = View::create('extend/index', $vars);
    return $view->partial('header', 'partials/header')->partial('footer', 'partials/footer');
}));
// Returns the extended-field markup for a page type as JSON, together with a
// hidden token input so the dynamically inserted fields can be submitted.
Route::post('admin/get_fields', array('before' => 'auth', 'main' => function () {
    $input = Input::get(array('id', 'pagetype'));
    // get the extended fields
    $vars = array('fields' => Extend::fields('page', -1, $input['pagetype']));
    $html = View::create('pages/fields', $vars)->render();
    $token = sprintf('<input name="token" type="hidden" value="%s">', Csrf::token());
    return Response::json(array('token' => $token, 'html' => $html));
}));
/*
	Upload an image
*/
// Upload handler (auth-guarded): stores the file under content/ and returns
// its public URI as JSON.
Route::post('admin/upload', array('before' => 'auth', 'main' => function () {
    // NOTE(review): Uploader only receives an extension whitelist here;
    // whether it also inspects the file contents is up to Uploader — confirm.
    $allowedExtensions = array('png', 'jpg', 'bmp', 'gif', 'pdf');
    $uploader = new Uploader(PATH . 'content', $allowedExtensions);
    $storedPath = $uploader->upload($_FILES['file']);
    // Public location: application URL + content/<stored file name>
    $uri = Config::app('url', '/') . 'content/' . basename($storedPath);
    return Response::json(array('uri' => $uri));
}));
/*
	404 error
*/
 /**
  * Create a post from the submitted form.
  *
  * Verifies the CSRF token, validates date/title/description/html, derives
  * and normalises the slug, rejects a duplicate slug, packs the custom
  * fields into JSON, stamps the author and inserts the record.
  *
  * @return bool true when the post was inserted, false on a token or
  *              validation failure (reported via Notifications)
  */
 public static function add()
 {
     // verify Csrf token
     if (Csrf::verify(Input::post('token')) === false) {
         Notifications::set('error', 'Invalid token');
         return false;
     }
     $fields = array('title', 'slug', 'created', 'description', 'html', 'css', 'js', 'status', 'field', 'comments');
     $post = Input::post($fields);
     $errors = array();
     // strtotime() yields false for an unparseable date
     $post['created'] = strtotime($post['created']);
     if ($post['created'] === false) {
         $errors[] = Lang::line('posts.invalid_date', 'Please enter a valid date');
     }
     $required = array(
         'title' => array('posts.missing_title', 'Please enter a title'),
         'description' => array('posts.missing_description', 'Please enter a description'),
         'html' => array('posts.missing_html', 'Please enter your html'),
     );
     foreach ($required as $name => $line) {
         if (empty($post[$name])) {
             $errors[] = Lang::line($line[0], $line[1]);
         }
     }
     // use title as fallback, then normalise before the uniqueness check
     if (empty($post['slug'])) {
         $post['slug'] = $post['title'];
     }
     $post['slug'] = Str::slug($post['slug']);
     // check for duplicate slug (parameterised query)
     $sql = "select id from posts where slug = ?";
     if (Db::row($sql, array($post['slug']))) {
         $errors[] = Lang::line('posts.duplicate_slug', 'A post with the same slug already exists, please change your post slug.');
     }
     if (count($errors)) {
         Notifications::set('error', $errors);
         return false;
     }
     // Custom fields arrive as "key:label" => value and are stored as JSON
     $custom = array();
     if (is_array($post['field'])) {
         foreach ($post['field'] as $keylabel => $value) {
             list($key, $label) = explode(':', $keylabel);
             $custom[$key] = array('label' => $label, 'value' => $value);
         }
     }
     // remove from update
     unset($post['field']);
     $post['custom_fields'] = json_encode($custom);
     // set author from the authenticated user, never from the request
     $user = Users::authed();
     $post['author'] = $user->id;
     Db::insert('posts', $post);
     Notifications::set('success', Lang::line('posts.post_success_created', 'Your new post has been added'));
     return true;
 }
?>
</h1>

<?php 
// Queued feedback messages for this page.
echo Notifications::read();
?>

<section class="content">

	<form method="post" action="<?php 
// Post back to the current URL.
echo Url::current();
?>
">

		<input name="token" type="hidden" value="<?php 
// Anti-CSRF token; the login handler is expected to verify it.
echo Csrf::token();
?>
">
		
		<fieldset>
			
			<p>
			    <label for="user"><?php 
echo __('users.username', 'Username');
?>
:</label>
			    <input autocapitalize="off" name="user" id="user" value="<?php 
// Re-fills the field with the previously posted value.
// NOTE(review): FILTER_SANITIZE_STRING strips tags and encodes quotes but is
// deprecated as of PHP 8.1; htmlspecialchars() is the usual escape for an
// attribute value.
echo filter_var(Input::post('user'), FILTER_SANITIZE_STRING);
?>
">
			</p>
 /**
  * Create a user from the submitted admin form.
  *
  * Verifies the CSRF token, validates username (present and unused),
  * password, e-mail and display name, then stores the record with a hashed
  * password, a normalised e-mail and a tag-stripped display name.
  *
  * @return bool true when the user was inserted, false on a token or
  *              validation failure (reported via Notifications)
  */
 public static function add()
 {
     // verify Csrf token
     if (Csrf::verify(Input::post('token')) === false) {
         Notifications::set('error', 'Invalid token');
         return false;
     }
     $post = Input::post(array('username', 'password', 'email', 'real_name', 'bio', 'status', 'role'));
     $errors = array();
     if (empty($post['username'])) {
         $errors[] = Lang::line('users.missing_username', 'Please enter a username');
     } elseif (static::find(array('username' => $post['username']))) {
         $errors[] = Lang::line('users.username_exists', 'Username is already being used');
     }
     if (empty($post['password'])) {
         $errors[] = Lang::line('users.missing_password', 'Please enter a password');
     }
     // FILTER_VALIDATE_EMAIL returns false for anything that is not a syntactically valid address
     if (filter_var($post['email'], FILTER_VALIDATE_EMAIL) === false) {
         $errors[] = Lang::line('users.invalid_email', 'Please enter a valid email address');
     }
     if (empty($post['real_name'])) {
         $errors[] = Lang::line('users.missing_name', 'Please enter a display name');
     }
     if (count($errors)) {
         Notifications::set('error', $errors);
         return false;
     }
     // never store the clear-text password
     $post['password'] = Hash::make($post['password']);
     // format email
     $post['email'] = strtolower(trim($post['email']));
     // strip tags on real_name (http://osvdb.org/show/osvdb/79659)
     $post['real_name'] = strip_tags($post['real_name']);
     // add record
     Db::insert('users', $post);
     Notifications::set('success', Lang::line('users.user_success_created', 'A new user has been added'));
     return true;
 }
         Notify::error($errors);
         return Response::redirect('admin/users/edit/' . $id);
     }
     if ($password_reset) {
         $input['password'] = Hash::make($input['password']);
     }
     User::update($id, $input);
     Notify::success(__('users.updated'));
     return Response::redirect('admin/users/edit/' . $id);
 });
 /*
 	Add user
 */
 // Add-user form: messages, a CSRF token and the status/role option lists.
 Route::get('admin/users/add', function () {
     $vars = array(
         'messages' => Notify::read(),
         'token' => Csrf::token(),
         'statuses' => array(
             'inactive' => __('global.inactive'),
             'active' => __('global.active'),
         ),
         'roles' => array(
             'administrator' => __('global.administrator'),
             'editor' => __('global.editor'),
             'user' => __('global.user'),
         ),
     );
     $view = View::create('users/add', $vars);
     return $view->partial('header', 'partials/header')->partial('footer', 'partials/footer');
 });
 Route::post('admin/users/add', function () {
     $input = Input::get(array('username', 'email', 'real_name', 'password', 'bio', 'status', 'role'));
     $validator = new Validator($input);
     $validator->check('username')->is_max(3, __('users.username_missing', 2));
     $validator->check('email')->is_email(__('users.email_missing'));
     $validator->check('password')->is_max(6, __('users.password_too_short', 6));
     if ($errors = $validator->errors()) {
         Input::flash();
         Notify::error($errors);
         return Response::redirect('admin/users/add');
     }
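 /**
  * AJAX endpoint that hands out a freshly generated RSA public key.
  *
  * Csrf::generateKeys() is expected to return the public key (or false) and
  * to leave the matching private key in the session under 'RSA_private'.
  * On success the key is dumped to the response; on failure the literal
  * 'N' is written instead.
  */
 public function ajaxSalt()
 {
     $public_key = Csrf::generateKeys();
     // Check the result BEFORE using it: previously a possibly-false key was
     // fed into openssl_public_encrypt() ahead of this test.
     if ($public_key === false) {
         echo 'N';
         return;
     }
     // Round-trip a fixed string through the key pair. The plaintext is a
     // placeholder and $decrypted is discarded; presumably this only serves
     // as a sanity check that the session private key matches the public key.
     $data = 'plaintext data goes here';
     openssl_public_encrypt($data, $encrypted, $public_key);
     openssl_private_decrypt($encrypted, $decrypted, Session::get('RSA_private'));
     // NOTE(review): var_dump() output is debug-style and is returned to the client as-is.
     var_dump($public_key);
 }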