Ejemplo n.º 1
0
 /**
  * Processes an new account registration request.
  *
  * Processes the request from the form on the registration page, checking that:
  * 1. The honeypot was not modified;
  * 2. The master account has already been created (during installation);
  * 3. Account registration is enabled;
  * 4. The user is not already logged in;
  * 5. Valid information was entered;
  * 6. The captcha, if enabled, is correct;
  * 7. The username and email are not already taken.
  * Automatically sends an activation link upon success, if account activation is enabled.
  * This route is "public access".
  * Request type: POST
  * Returns the User Object for the user record that was created.
  */
 public function register()
 {
     // POST: user_name, display_name, email, title, password, passwordc, captcha, spiderbro, csrf_token
     $post = $this->_app->request->post();
     // Get the alert message stream
     $ms = $this->_app->alerts;
     // Check the honeypot. 'spiderbro' is not a real field, it is hidden on the main page and must be submitted with its default value for this to be processed.
     if (!$post['spiderbro'] || $post['spiderbro'] != "http://") {
         error_log("Possible spam received:" . print_r($this->_app->request->post(), true));
         $ms->addMessage("danger", "Aww hellllls no!");
         $this->_app->halt(500);
         // Don't let on about why the request failed ;-)
     }
     // Load the request schema
     $requestSchema = new \Fortress\RequestSchema($this->_app->config('schema.path') . "/forms/register.json");
     // Set up Fortress to process the request
     $rf = new \Fortress\HTTPRequestFortress($ms, $requestSchema, $post);
     // Security measure: do not allow registering new users until the master account has been created.
     if (!User::find($this->_app->config('user_id_master'))) {
         $ms->addMessageTranslated("danger", "MASTER_ACCOUNT_NOT_EXISTS");
         $this->_app->halt(403);
     }
     // Check if registration is currently enabled
     if (!$this->_app->site->can_register) {
         $ms->addMessageTranslated("danger", "ACCOUNT_REGISTRATION_DISABLED");
         $this->_app->halt(403);
     }
     // Prevent the user from registering if he/she is already logged in
     if (!$this->_app->user->isGuest()) {
         $ms->addMessageTranslated("danger", "ACCOUNT_REGISTRATION_LOGOUT");
         $this->_app->halt(200);
     }
     // Sanitize data
     $rf->sanitize();
     // Validate, and halt on validation errors.
     $error = !$rf->validate(true);
     // Get the filtered data
     $data = $rf->data();
     // Check captcha, if required
     if ($this->_app->site->enable_captcha == "1") {
         if (!$data['captcha'] || md5($data['captcha']) != $_SESSION['userfrosting']['captcha']) {
             $ms->addMessageTranslated("danger", "CAPTCHA_FAIL");
             $error = true;
         }
     }
     // Remove captcha, password confirmation from object data
     $rf->removeFields(['captcha', 'passwordc']);
     // Perform desired data transformations.  Is this a feature we could add to Fortress?
     $data['display_name'] = trim($data['display_name']);
     $data['locale'] = $this->_app->site->default_locale;
     if ($this->_app->site->require_activation) {
         $data['flag_verified'] = 0;
     } else {
         $data['flag_verified'] = 1;
     }
     // Check if username or email already exists
     if (User::where('user_name', $data['user_name'])->first()) {
         $ms->addMessageTranslated("danger", "ACCOUNT_USERNAME_IN_USE", $data);
         $error = true;
     }
     if (User::where('email', $data['email'])->first()) {
         $ms->addMessageTranslated("danger", "ACCOUNT_EMAIL_IN_USE", $data);
         $error = true;
     }
     // Halt on any validation errors
     if ($error) {
         $this->_app->halt(400);
     }
     // Get default primary group (is_default = GROUP_DEFAULT_PRIMARY)
     $primaryGroup = Group::where('is_default', GROUP_DEFAULT_PRIMARY)->first();
     // Check that a default primary group is actually set
     if (!$primaryGroup) {
         $ms->addMessageTranslated("danger", "ACCOUNT_REGISTRATION_BROKEN");
         error_log("Account registration is not working because a default primary group has not been set.");
         $this->_app->halt(500);
     }
     $data['primary_group_id'] = $primaryGroup->id;
     // Set default title for new users
     $data['title'] = $primaryGroup->new_user_title;
     // Hash password
     $data['password'] = Authentication::hashPassword($data['password']);
     // Create the user
     $user = new User($data);
     // Add user to default groups, including default primary group
     $defaultGroups = Group::where('is_default', GROUP_DEFAULT)->get();
     $user->addGroup($primaryGroup->id);
     foreach ($defaultGroups as $group) {
         $user->addGroup($group->id);
     }
     // Create sign-up event
     $user->newEventSignUp();
     // Store new user to database
     $user->save();
     if ($this->_app->site->require_activation) {
         // Create verification request event
         $user->newEventVerificationRequest();
         $user->save();
         // Re-save with verification event
         // Create and send verification email
         $twig = $this->_app->view()->getEnvironment();
         $template = $twig->loadTemplate("mail/activate-new.twig");
         $notification = new Notification($template);
         $notification->fromWebsite();
         // Automatically sets sender and reply-to
         $notification->addEmailRecipient($user->email, $user->display_name, ["user" => $user]);
         try {
             $notification->send();
         } catch (\phpmailerException $e) {
             $ms->addMessageTranslated("danger", "MAIL_ERROR");
             error_log('Mailer Error: ' . $e->errorMessage());
             $this->_app->halt(500);
         }
         $ms->addMessageTranslated("success", "ACCOUNT_REGISTRATION_COMPLETE_TYPE2");
     } else {
         // No activation required
         $ms->addMessageTranslated("success", "ACCOUNT_REGISTRATION_COMPLETE_TYPE1");
     }
     // Return the user object to the calling program
     return $user;
 }
Ejemplo n.º 2
0
 /**
  * Processes the request to create a new auth rule.
  *
  * Processes the request from the auth creation form, checking that:
  * 1. The group does not already have a rule for the specified hook.
  * 2. The user has the necessary permissions to update the posted field(s);
  * 3. The submitted data is valid.
  * This route requires authentication (and should generally be limited to admins or the root user).
  * Request type: POST
  * @see formAuthCreate
  * @todo make this work for user-level rules as well
  */
 public function createAuthRule($id, $type = "group")
 {
     $post = $this->_app->request->post();
     // Load the request schema
     $requestSchema = new \Fortress\RequestSchema($this->_app->config('schema.path') . "/forms/auth-create.json");
     // Get the alert message stream
     $ms = $this->_app->alerts;
     // TODO: Check that the group exists
     $group = Group::find($id);
     // Access-controlled resource
     if (!$this->_app->user->checkAccess('create_auth', ['group' => $group])) {
         $ms->addMessageTranslated("danger", "ACCESS_DENIED");
         $this->_app->halt(403);
     }
     // Set up Fortress to process the request
     $rf = new \Fortress\HTTPRequestFortress($ms, $requestSchema, $post);
     // Sanitize data
     $rf->sanitize();
     // Validate, and halt on validation errors.
     $error = !$rf->validate(true);
     // Get the filtered data
     $data = $rf->data();
     // Remove csrf_token from object data
     $rf->removeFields(['csrf_token']);
     // Perform desired data transformations on required fields.
     $data['hook'] = trim($data['hook']);
     $data['conditions'] = trim($data['conditions']);
     // Check if the group already has a rule for this hook
     if (GroupAuth::where("group_id", $id)->where("hook", $data['hook'])->first()) {
         $post['name'] = $group->name;
         $ms->addMessageTranslated("danger", "GROUP_AUTH_EXISTS", $post);
         $this->_app->halt(400);
     }
     // Halt on any validation errors
     if ($error) {
         $this->_app->halt(400);
     }
     // Create the rule
     $rule = new GroupAuth();
     $rule->group_id = $id;
     $rule->hook = $data['hook'];
     $rule->conditions = $data['conditions'];
     // Store new group to database
     $rule->save();
     // Success message
     $data['name'] = $group['name'];
     $ms->addMessageTranslated("success", "GROUP_AUTH_CREATION_SUCCESSFUL", $data);
 }
Ejemplo n.º 3
0
 /** 
  * Processes the request to update an existing user's details, including enabled/disabled status and activation status.
  * 
  * Processes the request from the user update form, checking that:
  * 1. The target user's new email address, if specified, is not already in use;
  * 2. The logged-in user has the necessary permissions to update the posted field(s);
  * 3. We're not trying to disable the master account;
  * 4. The submitted data is valid.
  * This route requires authentication.
  * Request type: POST
  * @param int $user_id the id of the user to edit.     
  * @see formUserEdit
  */
 public function updateUser($user_id)
 {
     $post = $this->_app->request->post();
     // Load the request schema
     $requestSchema = new \Fortress\RequestSchema($this->_app->config('schema.path') . "/forms/user-update.json");
     // Get the alert message stream
     $ms = $this->_app->alerts;
     // Get the target user
     $target_user = User::find($user_id);
     // Get the target user's groups
     $groups = $target_user->getGroups();
     /*
     // Access control for entire page
     if (!$this->_app->user->checkAccess('uri_update_user')){
         $ms->addMessageTranslated("danger", "ACCESS_DENIED");
         $this->_app->halt(403);
     }
     */
     // Only the master account can edit the master account!
     if ($target_user->id == $this->_app->config('user_id_master') && $this->_app->user->id != $this->_app->config('user_id_master')) {
         $ms->addMessageTranslated("danger", "ACCESS_DENIED");
         $this->_app->halt(403);
     }
     // Remove csrf_token
     unset($post['csrf_token']);
     // Set up Fortress to process the request
     $rf = new \Fortress\HTTPRequestFortress($ms, $requestSchema, $post);
     if (isset($post['passwordc'])) {
         unset($post['passwordc']);
     }
     // Check authorization for submitted fields, if the value has been changed
     foreach ($post as $name => $value) {
         if ($name == "groups" || isset($target_user->{$name}) && $post[$name] != $target_user->{$name}) {
             // Check authorization
             if (!$this->_app->user->checkAccess('update_account_setting', ['user' => $target_user, 'property' => $name])) {
                 $ms->addMessageTranslated("danger", "ACCESS_DENIED");
                 $this->_app->halt(403);
             }
         } else {
             if (!isset($target_user->{$name})) {
                 $ms->addMessageTranslated("danger", "NO_DATA");
                 $this->_app->halt(400);
             }
         }
     }
     // Check that we are not disabling the master account
     if ($target_user->id == $this->_app->config('user_id_master') && isset($post['flag_enabled']) && $post['flag_enabled'] == "0") {
         $ms->addMessageTranslated("danger", "ACCOUNT_DISABLE_MASTER");
         $this->_app->halt(403);
     }
     // Check that the email address is not in use
     if (isset($post['email']) && $post['email'] != $target_user->email && UserLoader::exists($post['email'], 'email')) {
         $ms->addMessageTranslated("danger", "ACCOUNT_EMAIL_IN_USE", $post);
         $this->_app->halt(400);
     }
     // Sanitize
     $rf->sanitize();
     // Validate, and halt on validation errors.
     if (!$rf->validate()) {
         $this->_app->halt(400);
     }
     // Remove passwordc
     $rf->removeFields(['passwordc']);
     // Get the filtered data
     $data = $rf->data();
     // Update user groups
     if (isset($data['groups'])) {
         foreach ($data['groups'] as $group_id => $is_member) {
             if ($is_member == "1" && !isset($groups[$group_id])) {
                 $target_user->addGroup($group_id);
             } else {
                 if ($is_member == "0" && isset($groups[$group_id])) {
                     $target_user->removeGroup($group_id);
                 }
             }
         }
         unset($data['groups']);
     }
     // Hash password
     if (isset($data['password'])) {
         $data['password'] = Authentication::hashPassword($data['password']);
     }
     // Update the user and generate success messages
     foreach ($data as $name => $value) {
         if ($value != $target_user->{$name}) {
             $target_user->{$name} = $value;
             // Custom success messages (optional)
             if ($name == "flag_enabled") {
                 if ($value == "1") {
                     $ms->addMessageTranslated("success", "ACCOUNT_ENABLE_SUCCESSFUL", ["user_name" => $target_user->user_name]);
                 } else {
                     $ms->addMessageTranslated("success", "ACCOUNT_DISABLE_SUCCESSFUL", ["user_name" => $target_user->user_name]);
                 }
             }
             if ($name == "flag_verified") {
                 $ms->addMessageTranslated("success", "ACCOUNT_MANUALLY_ACTIVATED", ["user_name" => $target_user->user_name]);
             }
         }
     }
     // If we're generating a password reset, create the corresponding event and shoot off an email
     if (isset($data['flag_password_reset']) && $data['flag_password_reset'] == "1") {
         // Recheck auth
         if (!$this->_app->user->checkAccess('update_account_setting', ['user' => $target_user, 'property' => 'flag_password_reset'])) {
             $ms->addMessageTranslated("danger", "ACCESS_DENIED");
             $this->_app->halt(403);
         }
         // New password reset event - bypass any rate limiting
         $target_user->newEventPasswordReset();
         $target_user->save();
         // Email the user asking to confirm this change password request
         $twig = $this->_app->view()->getEnvironment();
         $template = $twig->loadTemplate("mail/password-reset.twig");
         $notification = new Notification($template);
         $notification->fromWebsite();
         // Automatically sets sender and reply-to
         $notification->addEmailRecipient($target_user->email, $target_user->display_name, ["user" => $target_user, "request_date" => date("Y-m-d H:i:s")]);
         try {
             $notification->send();
         } catch (\Exception\phpmailerException $e) {
             $ms->addMessageTranslated("danger", "MAIL_ERROR");
             error_log('Mailer Error: ' . $e->errorMessage());
             $this->_app->halt(500);
         }
         $ms->addMessageTranslated("success", "FORGOTPASS_REQUEST_SENT", ["user_name" => $target_user->user_name]);
     }
     $ms->addMessageTranslated("success", "ACCOUNT_DETAILS_UPDATED", ["user_name" => $target_user->user_name]);
     $target_user->save();
 }
Ejemplo n.º 4
0
    $_SESSION['Fortress']['alerts'] = new Fortress\MessageStream($translator);
}
$ms = $_SESSION['Fortress']['alerts'];
/*******************************************************/
// Test the error stream and reset
echo "<h2>Current message stream</h2>";
echo "<pre>";
print_r($ms->messages());
echo "</pre>";
$ms->resetMessageStream();
// Load the request schema
$schema = new Fortress\RequestSchema("fortress/schema/forms/register.json");
// POST request
$rf = new Fortress\HTTPRequestFortress($ms, $schema, $_GET);
// Remove csrf_token from the request data, if specified
$rf->removeFields(['csrf_token']);
// Sanitize, and print sanitized data for demo purposes
$rf->sanitize(true, "error");
echo "<h2>Sanitized data</h2>";
echo "<pre>";
print_r($rf->data());
echo "</pre>";
// Validate.  Normally we'd want to halt on validation errors.  But for this demo, we will simply print the message stream.
if (!$rf->validate()) {
    $ms->addMessageTranslated("danger", "Validation failed for {{placeholder}}", ["placeholder" => "the form"]);
}
// Test client validators
$clientVal = new Fortress\ClientSideValidator($schema, $translator);
echo "<h2>Client-side validation schema (JSON)</h2>";
echo "<pre>";
print_r($clientVal->formValidationRulesJson());
Ejemplo n.º 5
0
 public function register()
 {
     // POST: user_name, display_name, email, title, password, passwordc, captcha, spiderbro, csrf_token
     $post = $this->_app->request->post();
     // Get the alert message stream
     $ms = $this->_app->alerts;
     // Check the honeypot. 'spiderbro' is not a real field, it is hidden on the main page and must be submitted with its default value for this to be processed.
     if (!$post['spiderbro'] || $post['spiderbro'] != "http://") {
         error_log("Possible spam received:" . print_r($this->_app->request->post(), true));
         $ms->addMessage("danger", "Aww hellllls no!");
         $this->_app->halt(500);
         // Don't let on about why the request failed ;-)
     }
     // Load the request schema
     $requestSchema = new \Fortress\RequestSchema($this->_app->config('schema.path') . "/forms/register.json");
     // Set up Fortress to process the request
     $rf = new \Fortress\HTTPRequestFortress($ms, $requestSchema, $post);
     // Security measure: do not allow registering new users until the master account has been created.
     if (!UserLoader::exists($this->_app->config('user_id_master'))) {
         $ms->addMessageTranslated("danger", "MASTER_ACCOUNT_NOT_EXISTS");
         $this->_app->halt(403);
     }
     // Check if registration is currently enabled
     if (!$this->_app->site->can_register) {
         $ms->addMessageTranslated("danger", "ACCOUNT_REGISTRATION_DISABLED");
         $this->_app->halt(403);
     }
     // Prevent the user from registering if he/she is already logged in
     if (!$this->_app->user->isGuest()) {
         $ms->addMessageTranslated("danger", "ACCOUNT_REGISTRATION_LOGOUT");
         $this->_app->halt(200);
     }
     // Sanitize data
     $rf->sanitize();
     // Validate, and halt on validation errors.
     $error = !$rf->validate(true);
     // Get the filtered data
     $data = $rf->data();
     // Check captcha, if required
     if ($this->_app->site->enable_captcha == "1") {
         if (!$data['captcha'] || md5($data['captcha']) != $_SESSION['userfrosting']['captcha']) {
             $ms->addMessageTranslated("danger", "CAPTCHA_FAIL");
             $error = true;
         }
     }
     // Remove captcha, password confirmation from object data
     $rf->removeFields(['captcha', 'passwordc']);
     // Perform desired data transformations.  Is this a feature we could add to Fortress?
     $data['user_name'] = strtolower(trim($data['user_name']));
     $data['display_name'] = trim($data['display_name']);
     $data['email'] = strtolower(trim($data['email']));
     $data['locale'] = $this->_app->site->default_locale;
     if ($this->_app->site->require_activation) {
         $data['active'] = 0;
     } else {
         $data['active'] = 1;
     }
     // Check if username or email already exists
     if (UserLoader::exists($data['user_name'], 'user_name')) {
         $ms->addMessageTranslated("danger", "ACCOUNT_USERNAME_IN_USE", $data);
         $error = true;
     }
     if (UserLoader::exists($data['email'], 'email')) {
         $ms->addMessageTranslated("danger", "ACCOUNT_EMAIL_IN_USE", $data);
         $error = true;
     }
     // Halt on any validation errors
     if ($error) {
         $this->_app->halt(400);
     }
     // Get default primary group (is_default = GROUP_DEFAULT_PRIMARY)
     $primaryGroup = GroupLoader::fetch(GROUP_DEFAULT_PRIMARY, "is_default");
     $data['primary_group_id'] = $primaryGroup->id;
     // Set default title for new users
     $data['title'] = $primaryGroup->new_user_title;
     // Hash password
     $data['password'] = Authentication::hashPassword($data['password']);
     // Create the user
     $user = new User($data);
     // Add user to default groups, including default primary group
     $defaultGroups = GroupLoader::fetchAll(GROUP_DEFAULT, "is_default");
     $user->addGroup($primaryGroup->id);
     foreach ($defaultGroups as $group_id => $group) {
         $user->addGroup($group_id);
     }
     // Store new user to database
     $user->store();
     if ($this->_app->site->require_activation) {
         // Create and send activation email
         $mail = new \PHPMailer();
         $mail->From = $this->_app->site->admin_email;
         $mail->FromName = $this->_app->site->site_title;
         $mail->addAddress($user->email);
         // Add a recipient
         $mail->addReplyTo($this->_app->site->admin_email, $this->_app->site->site_title);
         $mail->Subject = $this->_app->site->site_title . " - please activate your account";
         $mail->Body = $this->_app->view()->render("common/mail/activate-new.html", ["user" => $user]);
         $mail->isHTML(true);
         // Set email format to HTML
         if (!$mail->send()) {
             $ms->addMessageTranslated("danger", "MAIL_ERROR");
             error_log('Mailer Error: ' . $mail->ErrorInfo);
             $this->_app->halt(500);
         }
         // Activation required
         $ms->addMessageTranslated("success", "ACCOUNT_REGISTRATION_COMPLETE_TYPE2");
     } else {
         // No activation required
         $ms->addMessageTranslated("success", "ACCOUNT_REGISTRATION_COMPLETE_TYPE1");
     }
 }
Ejemplo n.º 6
0
 /** 
  * Processes the request to create a new user (from the admin controls).
  * 
  * Processes the request from the user creation form, checking that:
  * 1. The username and email are not already in use;
  * 2. The logged-in user has the necessary permissions to update the posted field(s);
  * 3. The submitted data is valid.
  * This route requires authentication.
  * Request type: POST
  * @see formUserCreate
  */
 public function createUser()
 {
     $post = $this->_app->request->post();
     // Load the request schema
     $requestSchema = new \Fortress\RequestSchema($this->_app->config('schema.path') . "/forms/user-create.json");
     // Get the alert message stream
     $ms = $this->_app->alerts;
     // Access-controlled resource
     if (!$this->_app->user->checkAccess('create_account')) {
         $ms->addMessageTranslated("danger", "ACCESS_DENIED");
         $this->_app->halt(403);
     }
     // Set up Fortress to process the request
     $rf = new \Fortress\HTTPRequestFortress($ms, $requestSchema, $post);
     // Sanitize data
     $rf->sanitize();
     // Validate, and halt on validation errors.
     $error = !$rf->validate(true);
     // Get the filtered data
     $data = $rf->data();
     // Remove csrf_token, password confirmation from object data
     $rf->removeFields(['csrf_token, passwordc']);
     // Perform desired data transformations on required fields.  Is this a feature we could add to Fortress?
     $data['user_name'] = strtolower(trim($data['user_name']));
     $data['display_name'] = trim($data['display_name']);
     $data['email'] = strtolower(trim($data['email']));
     $data['active'] = 1;
     // Check if username or email already exists
     if (UserLoader::exists($data['user_name'], 'user_name')) {
         $ms->addMessageTranslated("danger", "ACCOUNT_USERNAME_IN_USE", $data);
         $error = true;
     }
     if (UserLoader::exists($data['email'], 'email')) {
         $ms->addMessageTranslated("danger", "ACCOUNT_EMAIL_IN_USE", $data);
         $error = true;
     }
     // Halt on any validation errors
     if ($error) {
         $this->_app->halt(400);
     }
     // Get default primary group (is_default = GROUP_DEFAULT_PRIMARY)
     $primaryGroup = GroupLoader::fetch(GROUP_DEFAULT_PRIMARY, "is_default");
     // Set default values if not specified or not authorized
     if (!isset($data['locale']) || !$this->_app->user->checkAccess("update_account_setting", ["property" => "locale"])) {
         $data['locale'] = $this->_app->site->default_locale;
     }
     if (!isset($data['title']) || !$this->_app->user->checkAccess("update_account_setting", ["property" => "title"])) {
         // Set default title for new users
         $data['title'] = $primaryGroup->new_user_title;
     }
     if (!isset($data['primary_group_id']) || !$this->_app->user->checkAccess("update_account_setting", ["property" => "primary_group_id"])) {
         $data['primary_group_id'] = $primaryGroup->id;
     }
     // Set groups to default groups if not specified or not authorized to set groups
     if (!isset($data['groups']) || !$this->_app->user->checkAccess("update_account_setting", ["property" => "groups"])) {
         $default_groups = GroupLoader::fetchAll(GROUP_DEFAULT, "is_default");
         $data['groups'] = [];
         foreach ($default_groups as $group_id => $group) {
             $data['groups'][$group_id] = "1";
         }
     }
     // Hash password
     $data['password'] = Authentication::hashPassword($data['password']);
     // Create the user
     $user = new User($data);
     // Add user to groups, including selected primary group
     $user->addGroup($data['primary_group_id']);
     foreach ($data['groups'] as $group_id => $is_member) {
         if ($is_member == "1") {
             $user->addGroup($group_id);
         }
     }
     // Store new user to database
     $user->store();
     // Success message
     $ms->addMessageTranslated("success", "ACCOUNT_CREATION_COMPLETE", $data);
 }
Ejemplo n.º 7
0
 /**
  * Processes a request to create the master account.
  *
  * Processes the request from the master account creation form, checking that:
  * 1. The honeypot has not been changed;
  * 2. The master account does not already exist;
  * 3. The correct configuration token was submitted;
  * 3. The submitted data is valid.
  * This route is "public access" (until the master account has been created, that is)
  * Request type: POST     
  */
 public function setupMasterAccount()
 {
     $post = $this->_app->request->post();
     // Get the alert message stream
     $ms = $this->_app->alerts;
     // Check the honeypot. 'spiderbro' is not a real field, it is hidden on the main page and must be submitted with its default value for this to be processed.
     if (!$post['spiderbro'] || $post['spiderbro'] != "http://") {
         error_log("Possible spam received:" . print_r($this->_app->request->post(), true));
         $ms->addMessage("danger", "Aww hellllls no!");
         $this->_app->halt(500);
         // Don't let on about why the request failed ;-)
     }
     // Do not allow registering a master account if one has already been created
     if (User::find($this->_app->config('user_id_master'))) {
         $ms->addMessageTranslated("danger", "MASTER_ACCOUNT_EXISTS");
         $this->_app->halt(403);
     }
     // Check the configuration token
     if ($post['root_account_config_token'] != $this->_app->site->root_account_config_token) {
         $ms->addMessageTranslated("danger", "CONFIG_TOKEN_MISMATCH");
         $this->_app->halt(403);
     }
     // Load the request schema
     $requestSchema = new \Fortress\RequestSchema($this->_app->config('schema.path') . "/forms/register.json");
     // Set up Fortress to process the request
     $rf = new \Fortress\HTTPRequestFortress($ms, $requestSchema, $post);
     // Sanitize data
     $rf->sanitize();
     // Validate, and halt on validation errors.
     $error = !$rf->validate(true);
     // Get the filtered data
     $data = $rf->data();
     // Remove configuration token, password confirmation from object data
     $rf->removeFields(['root_account_config_token', 'passwordc']);
     // Perform desired data transformations.  Is this a feature we could add to Fortress?
     $data['display_name'] = trim($data['display_name']);
     $data['flag_verified'] = 1;
     $data['locale'] = $this->_app->site->default_locale;
     // Halt on any validation errors
     if ($error) {
         $this->_app->halt(400);
     }
     // Get default primary group (is_default = GROUP_DEFAULT_PRIMARY)
     $primaryGroup = Group::where('is_default', GROUP_DEFAULT_PRIMARY)->first();
     $data['primary_group_id'] = $primaryGroup->id;
     // Set default title for new users
     $data['title'] = $primaryGroup->new_user_title;
     // Hash password
     $data['password'] = Authentication::hashPassword($data['password']);
     // Create the master user
     $user = new User($data);
     $user->id = $this->_app->config('user_id_master');
     // Add user to default groups, including default primary group
     $defaultGroups = Group::where('is_default', GROUP_DEFAULT)->get();
     $user->addGroup($primaryGroup->id);
     foreach ($defaultGroups as $group) {
         $group_id = $group->id;
         $user->addGroup($group_id);
     }
     // Add sign-up event
     $user->newEventSignUp();
     // Store new user to database
     $user->save();
     // No activation required
     $ms->addMessageTranslated("success", "ACCOUNT_REGISTRATION_COMPLETE_TYPE1");
     // Update install status
     $this->_app->site->install_status = "new";
     $this->_app->site->root_account_config_token = "";
     $this->_app->site->store();
 }
Ejemplo n.º 8
0
 /** 
  * Processes the request to create a new group.
  * 
  * Processes the request from the group creation form, checking that:
  * 1. The group name is not already in use;
  * 2. The user has the necessary permissions to update the posted field(s);
  * 3. The submitted data is valid.
  * This route requires authentication (and should generally be limited to admins or the root user).
  * Request type: POST
  * @see formGroupCreate
  */
 public function createGroup()
 {
     $post = $this->_app->request->post();
     // DEBUG: view posted data
     //error_log(print_r($post, true));
     // Load the request schema
     $requestSchema = new \Fortress\RequestSchema($this->_app->config('schema.path') . "/forms/group-create.json");
     // Get the alert message stream
     $ms = $this->_app->alerts;
     // Access-controlled resource
     if (!$this->_app->user->checkAccess('create_group')) {
         $ms->addMessageTranslated("danger", "ACCESS_DENIED");
         $this->_app->halt(403);
     }
     // Set up Fortress to process the request
     $rf = new \Fortress\HTTPRequestFortress($ms, $requestSchema, $post);
     // Sanitize data
     $rf->sanitize();
     // Validate, and halt on validation errors.
     $error = !$rf->validate(true);
     // Get the filtered data
     $data = $rf->data();
     // Remove csrf_token from object data
     $rf->removeFields(['csrf_token']);
     // Perform desired data transformations on required fields.
     $data['name'] = trim($data['name']);
     $data['new_user_title'] = trim($data['new_user_title']);
     $data['landing_page'] = strtolower(trim($data['landing_page']));
     $data['theme'] = strtolower(trim($data['theme']));
     $data['can_delete'] = 1;
     // Check if group name already exists
     if (GroupLoader::exists($data['name'], 'name')) {
         $ms->addMessageTranslated("danger", "GROUP_NAME_IN_USE", $post);
         $error = true;
     }
     // Halt on any validation errors
     if ($error) {
         $this->_app->halt(400);
     }
     // Set default values if not specified or not authorized
     if (!isset($data['theme']) || !$this->_app->user->checkAccess("update_group_setting", ["property" => "theme"])) {
         $data['theme'] = "default";
     }
     if (!isset($data['new_user_title']) || !$this->_app->user->checkAccess("update_group_setting", ["property" => "new_user_title"])) {
         // Set default title for new users
         $data['new_user_title'] = "New User";
     }
     if (!isset($data['landing_page']) || !$this->_app->user->checkAccess("update_group_setting", ["property" => "landing_page"])) {
         $data['landing_page'] = "dashboard";
     }
     if (!isset($data['icon']) || !$this->_app->user->checkAccess("update_group_setting", ["property" => "icon"])) {
         $data['icon'] = "fa fa-user";
     }
     if (!isset($data['is_default']) || !$this->_app->user->checkAccess("update_group_setting", ["property" => "is_default"])) {
         $data['is_default'] = "0";
     }
     // Create the group
     $group = new Group($data);
     // Store new group to database
     $group->store();
     // Success message
     $ms->addMessageTranslated("success", "GROUP_CREATION_SUCCESSFUL", $data);
 }