Ejemplo n.º 1
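 /**
  * Registration form: renders `home/register` and, on POST, validates the
  * submitted fields and creates a non-superuser client record.
  *
  * Security notes:
  *  - the CSRF token is verified before any input is processed;
  *  - the password is stored as a password_hash() digest (PHP >= 5.5). The
  *    previous version called crypt($salt, $password) with the arguments
  *    reversed, so the stored value was the fixed string 'MySalt!' hashed
  *    with the *password* as crypt salt — i.e. it depended on only the first
  *    characters of the password. The login action must verify these rows
  *    with password_verify() against the stored digest;
  *  - a minimum password length of 8 is enforced, matching the installer's
  *    rule set used elsewhere in this codebase.
  *
  * @throws Exception on a bad token, a hashing failure, or when the model
  *                   refuses the record
  */
 public function action_index()
 {
     $view = View::factory('home/register');
     if ($this->request->method() === Request::POST) {
         if (!Security::check($this->request->post('token'))) {
             throw new Exception("Bad Token");
         }
         $post = Validation::factory($_POST)
             ->rule('name', 'not_empty')
             ->rule('surname', 'not_empty')
             ->rule('email', 'not_empty')
             ->rule('email', 'email')
             ->rule('email', 'Model_Client::if_email_exists')
             ->rule('pass', 'not_empty')
             ->rule('pass', 'min_length', array(':value', '8'))
             ->rule('pass_confirm', 'not_empty')
             ->rule('pass', 'matches', array(':validation', 'pass_confirm', 'pass'))
             ->rule('checkbox', 'not_empty');
         if ($post->check()) {
             // password_hash() generates its own random salt; the former
             // hard-coded 'MySalt!' is no longer needed.
             $hash = password_hash($this->request->post('pass'), PASSWORD_DEFAULT);
             if ($hash === false) {
                 throw new Exception("Password could not be hashed");
             }
             $data = array(
                 'name' => $this->request->post('name'),
                 'surname' => $this->request->post('surname'),
                 'email' => $this->request->post('email'),
                 'pass' => $hash,
                 'is_superuser' => '0',
             );
             $clients = new Model_Client();
             if (!$clients->create_user($data)) {
                 throw new Exception("Please check all fields!");
             }
             $this->request->redirect('/');
         }
     }
     $this->template->content = $view->render();
 }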
Ejemplo n.º 2
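 /**
  * "Create page" form for the control panel. On POST, verifies the CSRF
  * token, rejects empty fields and inserts the page through Model_Page.
  *
  * Fixes over the previous version: the 'date' entry was built from an
  * undefined `$date` variable (always NULL) instead of `$post_date`, and the
  * empty-field check joined its conditions with `&&` (plus the never-empty
  * time()), so it could never fire.
  *
  * NOTE(review): 'author' is taken from the POST body, i.e. chosen by the
  * client, while the view is given the session user; deriving the author
  * from the session would prevent impersonation — verify what Model_Page
  * expects before changing it.
  *
  * @throws HTTP_Exception_401 on a bad CSRF token
  * @throws Exception on empty fields or a failed insert
  */
 public function action_create()
 {
     $this->template->page_title = 'Create Page';
     $user = new Model_User();
     $session = Session::instance()->get('user');
     $view = View::factory('cp/pages/create');
     $view->author = $user->get_user_by_session_id($session);
     if ($this->request->method() === Request::POST) {
         if (!Security::check($this->request->post('csrf_token'))) {
             throw new HTTP_Exception_401("Bad token!");
         }
         $post_title = $this->request->post('title');
         $post_content = $this->request->post('content');
         $post_author = $this->request->post('author');
         $post_date = time();
         // Any single missing field is an error.
         if (empty($post_title) || empty($post_content) || empty($post_author)) {
             throw new Exception('Please don`t make empty fields!');
         }
         $page = new Model_Page();
         $data = array(
             'title' => $post_title,
             'content' => $post_content,
             'author' => $post_author,
             'date' => $post_date,
         );
         if (!$page->insert_page($data)) {
             throw new Exception('Check if you are connected to database!');
         }
         $this->request->redirect('cp/pages');
     }
     $this->template->content = $view->render();
 }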
Ejemplo n.º 3
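 /**
  * Password-recovery landing action. Route params: `id` is the user id and
  * `id2` the recovery hash; the pair must be accepted by
  * Model_Password_Recovery::check() before the form is even rendered.
  * On POST, verifies the CSRF token, requires a non-empty password that
  * matches its confirmation, stores the new hash and closes the recovery
  * attempt (chmod_attemp — presumably marks it as used).
  *
  * Fix: an empty password (with an empty confirmation) was accepted.
  *
  * NOTE(review): the password is hashed with crypt() and the constant
  * 'generatedsalt' — not generated at all, and a fixed salt lets equal
  * passwords hash identically. The call is kept byte-identical here because
  * the verifying side (Model_User / Auth) is not visible; migrate both sides
  * together to password_hash()/password_verify().
  *
  * @throws Exception on an invalid recovery hash, bad token, empty or
  *                   mismatched password, or a failed model call
  */
 public function action_do()
 {
     $user_id = $this->request->param('id');
     $hash = $this->request->param('id2');
     $password_recovery = new Model_Password_Recovery();
     if ($password_recovery->check($user_id, $hash) !== true) {
         throw new Exception("This hash is not a password recovery request!");
     }
     $view = View::factory('forgot_password/recovery');
     if ($this->request->method() === Request::POST) {
         if (!Security::check($this->request->post('csrf_secure'))) {
             throw new Exception("Bad token!");
         }
         $password = $this->request->post('password');
         $confirm = $this->request->post('confirm');
         if ($password === null || $password === '') {
             throw new Exception("Password must not be empty!");
         }
         if ($password !== $confirm) {
             throw new Exception("Passwords did not match!");
         }
         $user = new Model_User();
         $password = crypt($password, 'generatedsalt');
         if (!$user->recover_password($password, $user_id)) {
             throw new Exception("Error with changing a password!");
         }
         // Close the recovery request so the same link cannot be replayed.
         if (!$password_recovery->chmod_attemp($hash)) {
             throw new Exception("Recovery request could not be closed!");
         }
         $this->redirect('');
     }
     $this->template->content = $view->render();
 }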
Ejemplo n.º 4
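 /**
  * ACP "create category" form. Only reachable for a signed-in admin; every
  * other visitor is bounced to `acp`. On POST the CSRF token (route param
  * `id`) is verified before any field is read, the slug is derived from the
  * name when omitted, and the category is created. Every failure path
  * redirects back to the form.
  *
  * Cleanup: Model_Category was instantiated twice; the first instance was
  * never used.
  *
  * NOTE(review): the CSRF token travels in the URL (route param `id`), so it
  * can leak through logs and Referer headers — a POST field is preferable.
  */
 public function action_create()
 {
     if (Auth::is_admin_signed_in() === true) {
         $view = View::factory('acp/categories/create');
         if ($this->request->method() === Request::POST) {
             // Reject the request before looking at any submitted data.
             if (!Security::check($this->request->param('id'))) {
                 $this->request->redirect('acp/categories/create');
             }
             $name = $this->request->post('name');
             $slug = $this->request->post('slug');
             if (empty($slug)) {
                 $slug = URL::title($name, '_');
             }
             // An empty name also yields an empty generated slug.
             if (empty($name) && empty($slug)) {
                 $this->request->redirect('acp/categories/create');
             }
             $categories = new Model_Category();
             if (!$categories->create_category($name, $slug)) {
                 $this->request->redirect('acp/categories/create');
             }
             $this->request->redirect('acp/categories');
         }
         $this->template->content = $view->render();
     } else {
         $this->request->redirect('acp');
     }
 }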
Ejemplo n.º 5
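 /**
  * Admin login form. On a POST with a valid CSRF token and captcha, attempts
  * Auth::login() with the submitted credentials (honouring "remember") and
  * redirects to the configured admin URL on success. Otherwise renders the
  * `login` template with the captcha, a fresh CSRF token and any error
  * messages; an already-authenticated admin is redirected to the admin URL.
  *
  * Fixes: `$_POST['captcha']` raised an undefined-index notice when the
  * field was absent (now read via Arr::get), and `$errors` was reset to NULL
  * *after* being bound to the template, so the failure message never reached
  * the view.
  */
 public function action_login()
 {
     $errors = null;
     $post = $this->request->post();
     if (HTTP_Request::POST == $this->request->method()
         && Security::check(Arr::get($post, 'csrf', ''))
         && Captcha::valid(Arr::get($post, 'captcha', ''))) {
         $remember = array_key_exists('remember', $post) ? (bool) $this->request->post('remember') : FALSE;
         $user = Auth::instance()->login($this->request->post('username'), $this->request->post('password'), $remember);
         if ($user) {
             HTTP::redirect($this->config->get('admin_url'));
         } else {
             Session::instance()->set('error', 'Логин или пароль не верный');
             $errors = array('Логин или пароль не верный.');
         }
     }
     $this->template = 'login';
     parent::before();
     $captcha = Captcha::instance();
     $csrf = Security::token(true);
     $this->template->title = 'Вход в админ панель';
     // bind() stores references; $errors must not be overwritten after this.
     $this->template->bind('errors', $errors)->bind('csrf', $csrf)->bind('captcha', $captcha);
     if (Auth::instance()->get_user()) {
         $auth = Auth::instance();
         if ($auth->logged_in('admin')) {
             Session::instance()->set('redirectAfterLogin', $_SERVER['REQUEST_URI']);
             HTTP::redirect('/' . $this->admin_url . '/');
         }
     }
 }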
Ejemplo n.º 6
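 /**
  * First-run installer: only available while the User table is empty
  * (otherwise redirects home). On POST, verifies the CSRF token (route param
  * `id`), validates username/email/password and creates the first user with
  * both the `login` and `admin` roles.
  *
  * Fix: the model was filled with the whole POST array (`values($post)`), so
  * a crafted form could set any other column of the User model (mass
  * assignment). The allowed keys are now listed explicitly — this relies on
  * Model_User::values() taking ORM's optional `$expected` key list.
  *
  * @throws Exception on a bad token
  */
 public function action_index()
 {
     $count = ORM::factory('User')->count_all();
     if ($count === 0) {
         $this->template->content = View::factory('install/index');
         if ($this->request->method() === Request::POST) {
             if (!Security::check($this->request->param('id'))) {
                 throw new Exception("Bad token!");
             }
             $post = Validation::factory($_POST)
                 ->rule('username', 'not_empty')
                 ->rule('email', 'not_empty')
                 ->rule('email', 'email')
                 ->rule('password', 'not_empty')
                 ->rule('password', 'min_length', array(':value', '8'))
                 ->rule('password2x', 'not_empty')
                 ->rule('password', 'matches', array(':validation', 'password', 'password2x'));
             if ($post->check()) {
                 // Only these columns may come from the form; roles are
                 // attached below, never from user input.
                 $user = new Model_User();
                 $user->values($this->request->post(), array('username', 'email', 'password'))->save();
                 $adminRole = ORM::factory('Role')->where('name', '=', 'admin')->find();
                 $loginRole = ORM::factory('Role')->where('name', '=', 'login')->find();
                 $user->add('roles', $loginRole);
                 $user->add('roles', $adminRole);
                 $this->redirect('install/successful');
             } else {
                 $this->redirect('install/oops');
             }
         }
     } else {
         $this->redirect('');
     }
 }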
Ejemplo n.º 7
 /**
  * Read a cookie, either by plain name or with array notation ("name[key]").
  *
  * The raw value is expected as "value|extra|hash"; the hash is verified with
  * Security::check() over the first two segments, and the cookie is deleted
  * (and $default returned) when it does not validate. A value that
  * unserializes to something truthy is returned unserialized.
  *
  * NOTE(review): unserialize() on a client-supplied string is only acceptable
  * because the signature is checked first; if Security::check() is ever
  * weakened this becomes an object-injection vector. A JSON payload would
  * remove that risk entirely.
  *
  * @param string $name      Name of the cookie to get
  * @param mixed $default    [optional] Default value if cookie is not set. Default is false
  * @return mixed            Cookie stored datas
  */
 public static function get($name, $default = false)
 {
     // "name[key]" addresses one entry of a cookie array
     $isArrayNotation = preg_match('#^(.*?)\\[(.*?)\\]$#', $name, $parts);
     if ($isArrayNotation) {
         if (!isset($_COOKIE[$parts[1]][$parts[2]])) {
             return $default;
         }
         $raw = $_COOKIE[$parts[1]][$parts[2]];
     } elseif (isset($_COOKIE[$name])) {
         $raw = $_COOKIE[$name];
     } else {
         return $default;
     }
     $segments = explode('|', $raw);
     $signatureOk = count($segments) === 3
         && Security::check($segments[0] . $segments[1], $segments[2]);
     if (!$signatureOk) {
         Cookie::delete($name);
         return $default;
     }
     $payload = $segments[0];
     $unserialized = @unserialize($payload);
     return $unserialized ? $unserialized : $payload;
 }
Ejemplo n.º 8
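 /**
  * ACP login (the "sign up" name is historical): checks the CSRF token
  * (route param `id`), looks the e-mail up through Model_Client, verifies the
  * password against the stored digest and requires the superuser flag before
  * storing the admin identity in the session (and, on request, a cookie).
  *
  * Fixes over the previous version:
  *  - the password was recomputed as crypt($salt, $password) with the
  *    arguments reversed, so only the first characters of the password
  *    mattered; stored digests are now checked with password_verify()
  *    (PHP >= 5.5), which requires registration to store password_hash()
  *    digests;
  *  - the failure message embedded both the computed and the stored hash;
  *  - `empty($email) and empty($pass)` only redirected when *both* were
  *    missing;
  *  - the superuser check used `=== 0`, which never fires when the model
  *    returns the flag as a string ("0") or false — any client would have
  *    been treated as admin. Anything but 1 is now rejected.
  *
  * NOTE(review): the 'admin' cookie carries the e-mail in clear; it is only
  * safe if Cookie::set() signs it (Kohana does once Cookie::$salt is set).
  *
  * @throws Exception on bad token, wrong credentials or missing privilege
  */
 public function action_sign_up()
 {
     if (!Security::check($this->request->param('id'))) {
         throw new Exception("Bad Token!");
     }
     $email = $this->request->post('email');
     $plain = $this->request->post('pass');
     $cookie = $this->request->post('cookie');
     if (empty($email) || empty($plain)) {
         $this->request->redirect('acp');
     }
     $client = new Model_Client();
     $email_from_db = $client->email_from_db($email);
     $pass_from_db = $client->pass_from_db($email);
     $valid = $email === $email_from_db
         && is_string($pass_from_db)
         && password_verify($plain, $pass_from_db);
     if (!$valid) {
         // Generic message: never echo hashes or reveal which part failed.
         throw new Exception("Invalid e-mail or password!");
     }
     if ((int) $client->is_superuser($email) !== 1) {
         throw new Exception("Sorry, but you are not a superuser!");
     }
     if ($cookie) {
         Cookie::set('admin', $email);
     }
     Session::instance()->set('admin', $email);
     $this->request->redirect('acp');
 }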
Ejemplo n.º 9
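 /**
  * "Write article" form for the control panel. On POST, verifies the CSRF
  * token, rejects empty fields, derives the slug from the title when none
  * was given and inserts the entry through Model_Entry.
  *
  * Fixes over the previous version: the author lookup used `$users`, an
  * undefined variable (fatal "call to a member function on null"), and the
  * empty-field check joined its conditions with `and` (plus the never-empty
  * time()), so it could never fire.
  *
  * NOTE(review): 'author' is taken from the POST body, i.e. chosen by the
  * client; the session user fetched for the view is the trustworthy source —
  * verify what Model_Entry expects before switching.
  *
  * @throws HTTP_Exception_401 on a bad CSRF token
  * @throws Exception on empty fields or a failed insert
  */
 public function action_write()
 {
     $this->template->page_title = 'Write Article';
     $user = new Model_User();
     $session = Session::instance()->get('user');
     $view = View::factory('cp/entries/write');
     $view->author = $user->get_user_by_session_id($session);
     if ($this->request->method() === Request::POST) {
         if (!Security::check($this->request->post('csrf_token'))) {
             throw new HTTP_Exception_401("Bad token!");
         }
         $post_title = $this->request->post('title');
         $post_slug = $this->request->post('slug');
         $post_content = $this->request->post('content');
         $post_author = $this->request->post('author');
         $post_date = time();
         if (empty($post_title) || empty($post_content) || empty($post_author)) {
             throw new Exception('Please don`t make empty fields!');
         }
         if (empty($post_slug)) {
             $post_slug = URL::title($post_title, '_');
         }
         $entry = new Model_Entry();
         $data = array(
             'title' => $post_title,
             'slug' => $post_slug,
             'content' => $post_content,
             'author' => $post_author,
             'date' => $post_date,
         );
         if (!$entry->insert_entry($data)) {
             throw new Exception('Check if you are connected to database!');
         }
         $this->request->redirect('cp/entries/write/');
     }
     $this->template->content = $view->render();
 }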
Ejemplo n.º 10
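 /**
  * CSRF gate for AJAX POST requests: the token must arrive in the
  * X-CSRF-TOKEN request header.
  *
  * Fix: the previous version `return`ed a 403 response object from before(),
  * but a controller's before() return value is not consulted by the request
  * executor (compare the sibling before() that throws HTTP_Exception_500),
  * so the action still ran with a missing or invalid token. Throwing aborts
  * the request.
  *
  * NOTE(review): non-AJAX POSTs are not checked here — confirm they are
  * covered elsewhere.
  *
  * @throws HTTP_Exception_403 when the token is missing or invalid
  */
 public function before()
 {
     if ($this->request->is_ajax() && $this->request->method() === 'POST') {
         if (!Security::check($this->request->headers('X-CSRF-TOKEN'))) {
             throw new HTTP_Exception_403('X-CSRF protection');
         }
     }
 }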
Ejemplo n.º 11
 /**
  * Data provider for the Security::token() tests: for five distinct token
  * names yields [freshly generated token, check() result for the stored
  * token, index].
  *
  * @return array Test data sets
  */
 public function provider_csrf_token()
 {
     $sets = array();
     foreach (range(0, 4) as $index) {
         Security::$token_name = 'token_' . $index;
         $generated = Security::token(TRUE);
         $verified = Security::check(Security::token(FALSE));
         $sets[] = array($generated, $verified, $index);
     }
     return $sets;
 }
 /**
  * Form Component Save
  *
  * Persists the `sandbox_template` option from the admin form and redirects
  * to the themes page, but only when the form was submitted with a valid
  * CSRF token. An invalid token silently does nothing (no notification, no
  * redirect).
  */
 public static function formComponentSave()
 {
     if (!Request::post('sandbox_component_save')) {
         return;
     }
     if (!Security::check(Request::post('csrf'))) {
         return;
     }
     Option::update('sandbox_template', Request::post('sandbox_form_template'));
     Request::redirect('index.php?id=themes');
 }
Ejemplo n.º 13
 /**
  * Try to authenticate $login with $password: the stored hash for the login
  * is fetched via retrieveUser() and Security::check() compares it with the
  * concatenation login . password; on success the session is opened through
  * login().
  *
  * NOTE(review): login and password are concatenated with no separator, so
  * "ab"+"c" and "a"+"bc" produce the same input; harmless only while logins
  * are unique and the hash is salted inside Security::check().
  *
  * @param string $login
  * @param string $password
  * @param bool $remember
  * @return mixed result of login(), or false when the user is unknown or the
  *               hash does not match
  */
 public function attempt($login, $password, $remember = false)
 {
     $storedHash = $this->retrieveUser($login);
     if (!$storedHash) {
         return false;
     }
     if (!Security::check($login . $password, $storedHash)) {
         return false;
     }
     return $this->login($login, $remember);
 }
Ejemplo n.º 14
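 /**
  * Delete the category whose id is route param `id`; route param `id2` is
  * the CSRF token. Redirects to the category list afterwards.
  *
  * Fix: the result of delete_category() was discarded, so a failed delete
  * still redirected as if it had succeeded (action_delete_topic checks it).
  *
  * NOTE(review): this is a state-changing GET with the token in the URL, and
  * no authorisation check is visible here — confirm it lives in before().
  *
  * @throws Exception on a bad token or a failed delete
  */
 public function action_delete_category()
 {
     if (!Security::check($this->request->param('id2'))) {
         throw new Exception("Bad token!");
     }
     $category_id = $this->request->param('id');
     $category = ORM::factory('Category');
     if (!$category->delete_category($category_id)) {
         throw new Exception("Category was unable to delete");
     }
     $this->redirect('dashboard/categories/list');
 }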
Ejemplo n.º 15
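 /**
  * Base constructor: runs Security::check() on this controller and, when it
  * throws, redirects to /403 and stops; otherwise stores $param and calls
  * init().
  *
  * Fix: the previous version sent the Location header and then fell through
  * to init(), so the protected code still executed for a rejected request
  * (and for any client that ignores the redirect).
  *
  * @param mixed $param stored as $this->param
  */
 function __construct($param = null)
 {
     try {
         Security::check($this);
     } catch (Exception $e) {
         header('Location: /403');
         // A redirect header alone does not stop execution.
         exit;
     }
     $this->param = $param;
     $this->init();
 }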
Ejemplo n.º 16
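 /**
  * Delete the user whose id is route param `id`; route param `id2` is the
  * CSRF token. Redirects to the user list afterwards.
  *
  * Fix: the result of delete_user() was discarded, so a failed delete still
  * redirected as if it had succeeded (action_delete_topic checks its result).
  *
  * NOTE(review): this is a state-changing GET with the token in the URL, and
  * no authorisation check is visible here — confirm it lives in before().
  *
  * @throws Exception on a bad token or a failed delete
  */
 public function action_delete_user()
 {
     if (!Security::check($this->request->param('id2'))) {
         throw new Exception("Bad token!");
     }
     $user_id = $this->request->param('id');
     $user = ORM::factory('user');
     if (!$user->delete_user($user_id)) {
         throw new Exception("User was unable to delete");
     }
     $this->redirect('dashboard/users/list');
 }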
Ejemplo n.º 17
		/**
		 * Resolve the current request to [controller, method].
		 *
		 * The route comes from $_GET['url'] ('/' when absent) and is mapped by
		 * Routing::setRoutes() onto self::$controller / self::$method, which are
		 * then passed to Security::check() before being returned.
		 *
		 * NOTE(review): trigger_error() at its default E_USER_NOTICE level does
		 * not halt the script; unless an error handler converts it, an unknown
		 * page still reaches Security::check() and is returned to the caller.
		 *
		 * @return array [controller, method]
		 */
		public static function getRoute()
		{
			$requested = empty($_GET['url']) ? '/' : $_GET['url'];
			self::$url = $requested;
			Routing::setRoutes();
			if (empty(self::$controller)) {
				trigger_error('Page Not Found');
			} elseif (!method_exists(self::$controller, self::$method)) {
				trigger_error('Invalid Page Index');
			}
			Security::check(self::$controller, self::$method);
			return array(self::$controller, self::$method);
		}
Ejemplo n.º 18
 /**
  * AJAX helper: report whether the POSTed e-mail address is already known.
  *
  * The lookup goes through an application `Security` model's check() (not
  * the CSRF helper of the same name); the response message is 'emailExist'
  * when it returns something truthy, 'emailNotExist' otherwise.
  */
 function checkEmail()
 {
     $address = get_post_value('email');
     $lookup = new Security();
     $message = $lookup->check($address) ? 'emailExist' : 'emailNotExist';
     $this->assign('message', $message);
     $this->setReturnType('message');
 }
Ejemplo n.º 19
 /**
  * Delete the topic whose id is route param `id`; route param `id2` carries
  * the CSRF token. Redirects to the topic list on success.
  *
  * NOTE(review): state-changing GET with the token in the URL; no
  * authorisation check is visible in this action.
  *
  * @throws Exception on a bad token or when the model reports failure
  */
 public function action_delete_topic()
 {
     $topic_id = $this->request->param('id');
     $token = $this->request->param('id2');
     if (!Security::check($token)) {
         throw new Exception("Bad token!");
     }
     $removed = ORM::factory('topic')->delete_topic($topic_id);
     if (!$removed) {
         throw new Exception("Topic was unable to delete");
     }
     $this->redirect('dashboard/topics/list');
 }
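 /**
  * Main Dashboard admin function
  *
  * On a token-validated submit of the Google Analytics settings form, stores
  * each non-empty field (client id, API key, view id, tracking id) as an
  * option, then renders the backend index view. An invalid token silently
  * skips the save.
  *
  * The four copy-pasted add-or-update blocks are folded into saveGaOption();
  * the original also reused `$opt_view_id` for the tracking id lookup, which
  * the helper removes.
  *
  * NOTE(review): the GA API key is persisted as a plain option like the
  * other values; confirm that is acceptable for this deployment.
  */
 public static function main()
 {
     if (Request::post('ga_settings_update')) {
         if (Security::check(Request::post('csrf'))) {
             $fields = array('ga_client_id', 'ga_api_key', 'ga_view_id', 'ga_tracking_id');
             foreach ($fields as $option) {
                 self::saveGaOption($option, trim(Request::post($option)));
             }
         }
     }
     // Display view
     View::factory('box/dashboard/views/backend/index')->display();
 }

 /**
  * Create the option when it has no stored value yet, otherwise update it.
  * Empty input is ignored so an existing value is never blanked.
  *
  * @param string $name  option key
  * @param string $value trimmed submitted value
  */
 private static function saveGaOption($name, $value)
 {
     if (empty($value)) {
         return;
     }
     $current = Option::get($name);
     if (empty($current)) {
         Option::add($name, $value);
     } else {
         Option::update($name, $value);
     }
 }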
Ejemplo n.º 21
 /**
  * Confirm-and-delete page for an exhibit album. Responds 404 when the album
  * id (route param `id`) is unknown; deletes and redirects to the exhibit
  * list only on a POST carrying a valid `token`. Otherwise exposes the album
  * and a fresh CSRF token to the view.
  *
  * @throws HTTP_Exception_404 when no album matches
  */
 public function action_album_delete()
 {
     $albumId = (int) $this->request->param('id');
     $album = ORM::factory('Exhibit_Album', $albumId);
     if (!$album->loaded()) {
         throw new HTTP_Exception_404();
     }
     $isPost = $this->request->method() == Request::POST;
     if ($isPost && Security::check(Arr::get($_POST, 'token'))) {
         $album->delete();
         $this->redirect('manage/exhibits');
     }
     $this->set('item', $album)->set('token', Security::token(true));
 }
Ejemplo n.º 22
 /**
  * Check whether $login is a core admin and, when $pwd is given, whether the
  * password matches.
  *
  * Without $pwd: returns true iff exactly one core_admin row matches. With
  * $pwd: returns 0 (an int, not false) when no single row matches, otherwise
  * the result of Security::check() over the 'a' and 'm' rows referenced by
  * the admin record, with a blowfish/cbc setup built from $m.
  *
  * NOTE(review): the WHERE clauses are built by string interpolation
  * ("aid = '{$r->a}'", "mid = '{$r->m}'"), and the login condition appears
  * redacted in this listing ('******'); if it interpolates $login this is an
  * SQL injection point and must be parameterised or escaped through the
  * Connections API. Not rewritten here because that API is not visible.
  *
  * @param string $login
  * @param string|null $pwd
  * @return bool|int
  */
 public static function is_admin($login, $pwd = null)
 {
     $db = Connections::get('core');
     // NOTE(review): '******' is most likely a redaction of an interpolated
     // $login — see the header comment.
     $r = $db->fetch($db->select('core_admin', array('a', 'm'), "login = '******'")->statement);
     if ($pwd === null) {
         return count($r) === 1;
     }
     if (count($r) !== 1) {
         return 0;
     }
     $a = $db->fetch($db->select('a', array(), "aid = '{$r->a}'")->statement);
     $m = $db->fetch($db->select('m', array(), "mid = '{$r->m}'")->statement);
     // 'n' is stored base64-encoded; 's' is passed through as-is.
     $setup = array('blowfish', 'cbc', base64_decode($m->n), $m->s);
     return Security::check($pwd, $a->b, $setup);
 }
Ejemplo n.º 23
 /**
  * main toggle admin function
  *
  * Saves the duration/easing options on a token-validated submit (or reports
  * a denied request and stops), then displays the backend view.
  *
  * NOTE(review): `toggle_easing` is stored without validation; if the view
  * emits it into JavaScript, restricting it to a known set of easing names
  * would be safer.
  */
 public static function main()
 {
     if (Request::post('toggle_options')) {
         if (!Security::check(Request::post('csrf'))) {
             Notification::set('error', __('Request was denied. Invalid security token. Please refresh the page and try again.', 'toggle'));
             die;
         }
         $duration = (int) Request::post('toggle_duration');
         Option::update('toggle_duration', $duration);
         Option::update('toggle_easing', Request::post('toggle_easing'));
         Notification::set('success', __('Configuration has been saved with success!', 'toggle'));
         Request::redirect('index.php?id=toggle');
     }
     // Display view
     View::factory('toggle/views/backend/index')->display();
 }
Ejemplo n.º 24
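 /**
  * Add a product to the cart of the logged-in user. Route params: `id` is
  * the quantity, `id2` the product id, `id3` the CSRF token. A bad token or
  * a missing session sends the visitor back to the product list; a missing
  * product id goes to the cart.
  *
  * Fix: the quantity was passed to the model straight from the URL as a
  * string; it is now required to be a positive integer, otherwise the
  * request is sent back to the product list.
  *
  * NOTE(review): this is a state-changing GET with the token in the URL.
  */
 public function action_add_to_cart()
 {
     $product_count = $this->request->param('id');
     $product_id = $this->request->param('id2');
     if (!Security::check($this->request->param('id3'))) {
         $this->request->redirect('products');
     }
     if (empty($product_id)) {
         $this->request->redirect('cart');
     }
     $session = Session::instance()->get('email');
     if (empty($session)) {
         $this->request->redirect('products');
     }
     // Only a positive whole number is a valid quantity.
     if (!ctype_digit((string) $product_count) || (int) $product_count < 1) {
         $this->request->redirect('products');
     }
     $cart = new Model_Cart();
     $cart->add_to_cart((int) $product_count, $product_id, $session);
     $this->request->redirect('cart');
 }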
Ejemplo n.º 25
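 /**
  * Remove a product from the cart. Route params: `id` is the product id,
  * `id2` the CSRF token. A missing id or bad token redirects to the cart.
  *
  * Fix: the session e-mail was read but never used, so the request was not
  * tied to a logged-in user at all; unauthenticated requests are now sent to
  * the product list, mirroring action_add_to_cart().
  *
  * NOTE(review): delete_from_cart() is still called with only the product
  * id — unless the model scopes the delete to the current user internally,
  * any logged-in user can remove rows from other users' carts. Check the
  * model and pass $session if it accepts an owner.
  */
 public function action_delete()
 {
     $product_id = $this->request->param('id');
     $token = $this->request->param('id2');
     $session = Session::instance()->get('email');
     if (empty($product_id)) {
         $this->request->redirect('cart');
     }
     if (!Security::check($token)) {
         $this->request->redirect('cart');
     }
     if (empty($session)) {
         $this->request->redirect('products');
     }
     $model_for_cart = Model::factory('cart');
     // Success and failure both end at the cart page.
     $model_for_cart->delete_from_cart($product_id);
     $this->request->redirect('cart');
 }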
Ejemplo n.º 26
 /**
  * The before() method is called before your controller action.
  * In our template controller we override this method so that we can
  * set up default values. These variables are then available to our
  * controllers if they need to be modified.
  *
  * It also enforces CSRF on every POST: the `token` field must validate
  * unless the current controller/action pair is listed in
  * $ignore_tokens_for_actions.
  *
  * NOTE(review): a bad token is reported as HTTP 500; 403 would describe the
  * situation better, but existing handlers may rely on the current type.
  *
  * @throws HTTP_Exception_500 on a missing or invalid token
  */
 public function before()
 {
     parent::before();
     if ($this->request->method() == 'POST') {
         $controller = $this->request->controller();
         $action = $this->request->action();
         $exempt = isset($this->ignore_tokens_for_actions[$controller][$action]);
         if (!$exempt && !Security::check($this->request->post('token'))) {
             throw new HTTP_Exception_500('Invalid token');
         }
     }
     if (!$this->auto_render) {
         return;
     }
     // Initialize empty values
     $this->template->title = '';
     $this->template->content = '';
     $this->template->description = $this->config['seo']['description'];
     $this->template->keywords = $this->config['seo']['keywords'];
     $this->template->styles = array();
     $this->template->scripts = array();
 }
Ejemplo n.º 27
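 /**
  * Login action: verifies the CSRF token (route param `id`), then tries
  * Auth::login() with the POSTed username/password, persisting the session
  * when the 'cookie' field was sent. Success redirects home; failure throws.
  *
  * Fix: username/password were read as `$post['username']` /
  * `$post['password']`, which raises undefined-index notices on a bare POST;
  * Request::post($key) returns NULL for an absent field instead.
  *
  * @throws Exception on a bad token or a failed login
  */
 public function action_index()
 {
     if (!Security::check($this->request->param('id'))) {
         throw new Exception("Bad token!");
     }
     $remember = (bool) $this->request->post('cookie');
     $success = Auth::instance()->login(
         $this->request->post('username'),
         $this->request->post('password'),
         $remember
     );
     if (!$success) {
         throw new Exception("login was unsuccessful!");
     }
     $this->redirect('/');
 }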
Ejemplo n.º 28
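 /**
  * Profile "change signature" form. Loads the current user's row for the
  * view and, on a POST with a valid CSRF token (route param `id`), stores
  * the new signature for that user.
  *
  * Fix: Auth::get_user() was dereferenced unconditionally; for a visitor who
  * is not logged in it returns FALSE and `->pk()` is a fatal error. The
  * action now refuses unauthenticated access up front.
  *
  * @throws Exception when not logged in, on a bad token or a failed update
  */
 public function action_change_signature()
 {
     $auth = Auth::instance();
     if (!$auth->logged_in()) {
         throw new Exception("You must be logged in to change your signature!");
     }
     $user_id = $auth->get_user()->pk();
     $user = new Model_User();
     $view = View::factory('profile/change_signature');
     $view->users = $user->where('id', '=', $user_id)->find();
     if ($this->request->method() === Request::POST) {
         if (!Security::check($this->request->param('id'))) {
             throw new Exception("Bad token!");
         }
         $new_signature = $this->request->post('signature');
         if (!$user->change_signature($new_signature, $user_id)) {
             throw new Exception('Signature could not be saved!');
         }
         $this->redirect('/');
     }
     $this->template->content = $view->render();
 }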
Ejemplo n.º 29
 /**
  * Provides test data for Security::token()
  *
  * The provider has to touch the session to build its data. Once headers
  * have been sent that raises an error even if the test never runs, and
  * returning an empty array errors too, so in that case a single dummy
  * data set is returned and the test is expected to skip itself. Injecting
  * a session instance into Security would remove this workaround.
  *
  * @return array Test data sets
  */
 public function provider_csrf_token()
 {
     if (headers_sent()) {
         return array(array('', '', 0));
     }
     $sets = array();
     foreach (range(0, 4) as $index) {
         Security::$token_name = 'token_' . $index;
         $generated = Security::token(TRUE);
         $verified = Security::check(Security::token(FALSE));
         $sets[] = array($generated, $verified, $index);
     }
     return $sets;
 }
Ejemplo n.º 30
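 /**
  * Logout action: requires a valid CSRF token (route param `id`) and a
  * logged-in user, ends the Auth session, removes the `user_id` cookie when
  * present and redirects home.
  *
  * Fix: logout() and Cookie::delete() were each invoked twice; only the
  * second, redundant calls had their result checked. Each now runs once and
  * is checked.
  *
  * @throws Exception on a bad token, when not logged in, or when the
  *                   session or cookie could not be cleared
  */
 public function action_index()
 {
     if (!Security::check($this->request->param("id"))) {
         throw new Exception("Bad token!");
     }
     $auth = Auth::instance();
     if (!$auth->logged_in()) {
         throw new Exception("You must be logged in to logout!");
     }
     if (!$auth->logout()) {
         throw new Exception("Session error.");
     }
     if (Cookie::get('user_id') && !Cookie::delete('user_id')) {
         throw new Exception("Cookie error.");
     }
     $this->redirect('/');
 }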