/**
 * Start-of-request hook.
 *
 * Does nothing while a BackendUser is logged in. Otherwise, if PersistUser::check()
 * succeeds, control is handed to Controller::redirect(); nothing is returned.
 */
public static function hook_start() {
    $loggedIn = (bool) BackendUser::check();
    if ($loggedIn) {
        return;
    }
    // No live session user: only a successful PersistUser check triggers the redirect
    if (PersistUser::check()) {
        Controller::redirect();
    }
}
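/**
 * Create a comment from the POSTed form.
 *
 * The comment's target (foreign_table / foreign_id) defaults to the area and
 * record the visitor came from. When nobody is logged in, the submitted
 * user[...] fields are used to look up or create an unconfirmed BackendUser
 * that the comment is attributed to; a confirmation mail is sent for a newly
 * created account. The actual insert is delegated to parent::action_create().
 *
 * @return mixed false when the comment could not be attributed to a user,
 *               otherwise whatever parent::action_create() returns.
 */
public function action_create() {
    if (is_post()) {
        $parameters = get_previous_parameters();
        $object = new CommentObj();
        $object = $object->fromRequest();
        // Fall back to the record/area the visitor came from when the form did not say
        $object['foreign_id'] = empty($object['foreign_id']) ? reset($parameters) : $object['foreign_id'];
        $object['foreign_table'] = empty($object['foreign_table']) ? table_name(get_previous_area()) : $object['foreign_table'];
        //If we don't have a logged in user, create a dummy account
        if (!BackendUser::check()) {
            $old_user = Controller::getVar('user');
            if (empty($old_user['email'])) {
                // The form marks the email as required; without it neither the lookup
                // below nor the account creation can work, so stop before touching the DB.
                Backend::addError('Comment not added. Please supply your name and email address');
                return false;
            }
            $query = new SelectQuery('BackendUser');
            $query->filter('`email` = :email');
            $existing_user = $query->fetchAssoc(array(':email' => $old_user['email']));
            if ($existing_user && $existing_user['confirmed'] && $existing_user['active']) {
                // The address belongs to a confirmed account. Knowing an email address must
                // never be enough to post as its owner, so require a login instead.
                Backend::addError('Comment not added. Please login first');
                return false;
            }
            if ($existing_user && !$existing_user['confirmed'] && $existing_user['active']) {
                //Unregistered user commented before: reuse the unconfirmed account.
                // NOTE(review): this attributes by email alone; acceptable only while
                // unconfirmed accounts carry no rights — revisit if that ever changes.
                $object['user_id'] = $existing_user['id'];
            } else {
                // No usable account for this address (none at all, or an inactive one):
                // create an unconfirmed one with a random password the visitor never sees.
                $user_data = array(
                    'name' => isset($old_user['name']) ? $old_user['name'] : null,
                    'surname' => '',
                    'email' => $old_user['email'],
                    'website' => isset($old_user['website']) ? $old_user['website'] : null,
                    'username' => $old_user['email'],
                    'password' => get_random(),
                    'confirmed' => 0,
                    'active' => 1,
                );
                $user = self::getObject('BackendUser');
                if (!$user->create($user_data)) {
                    Backend::addError('Could not create user to add Comment');
                    return false;
                }
                $object['user_id'] = $user->array['id'];
                // The confirmation link carries the account's salt as its token
                $url = SITE_LINK . '/?q=backend_user/confirm/' . $user->array['salt'];
                $app_name = ConfigValue::get('Title');
                $message = <<<END
Hi {$user->array['name']}!

Thank you for your comment on {$app_name}. An account has automatically been created for you. To activate it, please click on the following link:
{$url}

Please note that you don't need to do this for your comments to show, but this account will be deleted if it isn't confirmed in a weeks time.

Regards
END;
                send_email($user->array['email'], 'Thank you for your comment.', $message);
            }
        }
        // Drop unset fields so only the columns the form supplied are written.
        // (A real closure replaces create_function(), which is eval-based and removed in PHP 8.)
        $object = array_filter($object, function ($var) {
            return !is_null($var);
        });
        Controller::setVar('obj', $object);
    }
    return parent::action_create();
}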
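/**
 * Decide whether the current user may perform $action on $subject.
 *
 * Without a database every check passes. Otherwise the permitted roles for the
 * (action, subject, id) triple are fetched from GateKeeper and intersected with
 * the user's roles; when Controller::$debug is set, each early exit leaves a notice.
 *
 * @param string        $action     Action name, '*' for any.
 * @param string|object $subject    Model/component name; an object is replaced by its class name.
 * @param int           $subject_id Id of the record the action targets, 0 for none.
 * @return bool
 */
public static function check($action = '*', $subject = '*', $subject_id = 0) {
    if (!BACKEND_WITH_DATABASE) {
        return true;
    }
    static $cache = array();
    if (is_object($subject)) {
        $subject = get_class($subject);
    }
    $key = serialize(array($action, $subject, $subject_id));
    if (array_key_exists($key, $cache)) {
        // Lookup intentionally disabled: the decision is recomputed on every call, so a
        // change of user or roles within the request cannot be served a stale answer.
        //return $cache[$key];
    }
    $roles = GateKeeper::permittedRoles($action, class_for_url($subject), $subject_id);
    $user = BackendUser::check();
    if (!$user && !empty($_SESSION['BackendUser'])) {
        // No live user object; fall back to the copy kept in the session
        $user = $_SESSION['BackendUser'];
    }
    // NOTE(review): with nobody logged in, access is granted whenever 'anonymous' is NOT
    // among $roles (and whenever $roles is not an array at all). Read literally this looks
    // inverted — confirm what GateKeeper::permittedRoles() returns before relying on it.
    $anonymousListed = is_array($roles) && in_array('anonymous', $roles, true);
    if (!$user && !$anonymousListed) {
        if (Controller::$debug) {
            Backend::addNotice('Anonymous User');
        }
        $cache[$key] = true;
        return true;
    }
    if ($subject !== '*' && !Component::isActive(class_name($subject))) {
        if (Controller::$debug) {
            Backend::addNotice('Invalid Component: ' . class_name($subject));
        }
        $cache[$key] = false;
        return false;
    }
    if (empty($user->roles)) {
        if (Controller::$debug) {
            Backend::addNotice('No User Roles');
        }
        $cache[$key] = false;
        return false;
    }
    // When $roles is not an array, every role the user holds counts as a match
    $intersect = is_array($roles) ? array_intersect($user->roles, $roles) : $user->roles;
    if (Controller::$debug >= 2) {
        Backend::addNotice('Valid roles found: ' . json_encode($intersect));
    }
    $result = count($intersect) > 0;
    $cache[$key] = $result;
    return $result;
}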
/**
 * Return the roles of one user: the one identified by $userId, or the logged-in user.
 *
 * Side effect: Controller::$parameters[0] is overwritten with the resolved user id.
 * NOTE(review): any caller may look up another user's roles by id; whatever access
 * control applies is presumably enforced by the surrounding controller — confirm.
 *
 * @param int|false $userId Id to look up, or false for the current user.
 * @return mixed The user's roles, or false when no user could be resolved.
 */
public function get_roles($userId = false) {
    $user = $userId
        ? BackendUser::retrieve($userId)
        : (array) BackendUser::check();
    if (!$user) {
        return false;
    }
    Controller::$parameters[0] = $user['id'];
    return $user['roles'];
}
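/**
 * Build the administrative quick links for the current user.
 *
 * @return array|false List of array('text' => ..., 'href' => ...) entries, or false
 *                     when nobody is logged in or no link applies.
 */
public static function adminLinks() {
    $user = BackendUser::check();
    if (!$user) {
        return false;
    }
    $result = array();
    // The installer is offered to superadmins only, and only until it has been run
    if (!ConfigValue::get('AdminInstalled', false) && in_array('superadmin', (array) $user->roles, true)) {
        $result[] = array('text' => 'Install Application', 'href' => '?q=admin/install');
    }
    // NOTE(review): the next two links are shown to every logged-in user, not only
    // superadmins; the target actions must enforce their own permission checks.
    if (!BACKEND_WITH_DATABASE) {
        $result[] = array('text' => 'Install Database', 'href' => '?q=admin/install_db');
    }
    if (SITE_STATE !== 'production') {
        $result[] = array('text' => 'Scaffold', 'href' => '?q=admin/scaffold');
    }
    return count($result) ? $result : false;
}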
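/**
 * If the object has an owner_id field, check that against the current user
 *
 * We ignore the action so that it checks every action. You can customize
 * this per action by overriding this function in the model
 *
 * @param string $action Ignored; kept so overrides can be action-specific.
 * @return bool true when there is nothing to check (no data, or no owner_id key),
 *              when the current user is the owner, or when the user is a superadmin;
 *              false for anonymous users and for other users' records.
 */
public function checkOwnership($action) {
    $data = $this->array ? $this->array : ($this->object ? (array) $this->object : false);
    if (!$data) {
        //Return true, otherwise invalid objects trigger permission errors
        return true;
    }
    if (!array_key_exists('owner_id', $data)) {
        //No Owner defined
        return true;
    }
    $user = BackendUser::check();
    if (!$user) {
        // Anonymous visitors never own a record. (The original expression read
        // $user->roles on false here, which is a TypeError on PHP 8.)
        return false;
    }
    if (in_array('superadmin', (array) $user->roles, true)) {
        return true;
    }
    // Loose comparison on purpose: the id may be an int on the user object and a
    // numeric string on the record. NOTE(review): confirm owner_id is never empty/null
    // for owned records, as loose comparison treats some empty values as equal.
    return $user->id == $data['owner_id'];
}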
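<hr class="space">
<h3>Post a comment</h3>
<?php
// NOTE(review): no anti-CSRF token is rendered in this form; confirm the framework adds
// one before output, since comment/create otherwise accepts any cross-origin POST.
?>
<form method="post" action="?q=comment/create" enctype="multipart/form-data">
<?php if (!BackendUser::check()) { ?>
    <label>Name:</label><span class="quiet"> Required</span><br><input type="text" class="text" name="user[name]"><br>
    <label>Email:</label><span class="quiet"> Required, won't be published</span><br><input type="text" class="text" name="user[email]"><br>
    <label>Website:</label><span class="quiet"> Optional</span><br><input type="text" class="text" name="user[website]"><br>
<?php } ?>
<?php
// Escape for the attribute context: these values come from the controller and may
// echo request data. The stray space before the closing quote was part of the value.
?>
    <input id="foreign_table" name="foreign_table" type="hidden" value="<?php echo htmlspecialchars((string) $foreign_table, ENT_QUOTES, 'UTF-8'); ?>">
    <input id="foreign_id" name="foreign_id" type="hidden" value="<?php echo htmlspecialchars((string) $foreign_id, ENT_QUOTES, 'UTF-8'); ?>">
    <textarea id="content" name="content" class="textarea"></textarea><br>
    <input type="submit" value="Add Comment" class=""/>
</form>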
/**
 * One-time request initialisation: session, timezone, salt, debug level, error
 * display, query parsing, view selection and session flash messages. Guarded by
 * self::$init so a second call is a no-op.
 */
public static function init() {
    if (!self::$init) {
        if (self::$mode == self::MODE_REQUEST) {
            // Secure-cookie detection: port 443, or HTTPS explicitly 'on'
            // (&& binds tighter than ||, so the HTTPS test is one unit)
            if ($_SERVER['SERVER_PORT'] == 443 || !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on') {
                $secure = true;
            } else {
                $secure = false;
            }
            if (WEB_SUB_FOLDER == '/') {
                // Empty branch kept as a marker for the sub-folder-is-root case;
                // the stack-trace-and-die debugging aid stays disabled.
                //print_stacktrace(); die;
            }
            if (session_id() == '') {
                // lifetime 0 (browser session), cookie path = sub folder, no domain,
                // Secure flag from the detection above, HttpOnly always on
                session_set_cookie_params(0, WEB_SUB_FOLDER, null, $secure, true);
                session_name('Controller');
                // @ hides session warnings (e.g. headers already sent); a failed start
                // then goes unnoticed — consider surfacing it instead.
                @session_start();
            }
            date_default_timezone_set(ConfigValue::get('Timezone', 'Africa/Johannesburg'));
        }
        self::check_quotes();
        // NOTE(review): when no 'Salt' is configured, every install falls back to this
        // same literal — anything derived from self::$salt is then predictable.
        self::$salt = ConfigValue::get('Salt', 'Change this to something random!');
        //TODO jrgns: Don't know if I like this here...
        $user = BackendUser::check();
        //Debugging
        self::$debug = false;
        // The 'debug' query var is honoured only outside production or for a superadmin
        if (SITE_STATE != 'production' || $user && in_array('superadmin', $user->roles)) {
            switch (true) {
                case array_key_exists('debug', self::$query_vars):
                    //Default to lowest level
                    self::$debug = is_numeric(self::$query_vars['debug']) ? (int) self::$query_vars['debug'] : 1;
                    break;
            }
        }
        // A configured 'Debug' value overrides the above, even in production
        if ($config_debug = ConfigValue::get('Debug', false)) {
            self::$debug = $config_debug;
        }
        Backend::add('debug', self::$debug);
        // Errors are displayed to the client whenever debugging is on or not in production
        if (SITE_STATE != 'production' || self::$debug) {
            ini_set('display_errors', 1);
            ini_set('error_reporting', E_ALL | E_STRICT);
        } else {
            ini_set('display_errors', 0);
        }
        //q in the payload overrides the q in the query string
        $query = array_key_exists('q', self::$payload) ? self::$payload['q'] : (array_key_exists('q', self::$query_vars) ? self::$query_vars['q'] : '');
        $query = self::checkQuery(Request::getQuery($query));
        $query = Hook::run('init', 'pre', array($query));
        self::parseQuery($query);
        //View
        self::$view = View::getInstance();
        if (!self::$view instanceof View) {
            // No view matched the request: fall back to the configured default and
            // report 406. In debug mode this dumps $_REQUEST and $_SERVER to the client,
            // which exposes environment and header data — only for debug sessions.
            self::$view = View::getInstance(ConfigValue::get('DefaultView', 'HtmlView'));
            self::whoops('Unrecognized Request', array('message' => 'Could not find a View for the Request', 'code_hint' => 406));
            if (self::$debug) {
                print_stacktrace();
                var_dump(self::$query_vars, $query, $_REQUEST, $_SERVER);
            }
        }
        //Sessions: replay flash messages stored by the previous request
        if (array_key_exists('error', $_SESSION)) {
            Backend::addError($_SESSION['error']);
        }
        if (array_key_exists('notice', $_SESSION)) {
            Backend::addNotice($_SESSION['notice']);
        }
        if (array_key_exists('success', $_SESSION)) {
            Backend::addSuccess($_SESSION['success']);
        }
        Hook::run('init', 'post');
        self::$init = true;
    }
}