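/**
 * Add user(s) to an offering's manager list
 *
 * Reads the offering ID (and optional section) plus a comma-separated list of
 * usernames and/or numeric user IDs from the request. Every entry is resolved
 * against an existing account; unknown entries and users who are already
 * managers are reported through setError() and skipped. The remaining users
 * are added with the requested role and the managers view is rendered.
 *
 * @return void
 */
public function addTask()
{
	// Check for request forgeries
	Request::checkToken();

	// Incoming offering ID
	$id = Request::getInt('offering', 0);
	if (!$id)
	{
		$this->setError(Lang::txt('COURSES_NO_ID'));
		$this->displayTask();
		return;
	}

	$section = Request::getInt('section', 0);
	$role_id = Request::getInt('role', 0);

	// Load the offering, scoped to a section when one was supplied
	$model = \Components\Courses\Models\Offering::getInstance($id);
	if ($section)
	{
		$model->section($section);
	}

	// Current managers, keyed by user ID, used to reject duplicates
	$managers = $model->managers(array(
		'student'     => 0,
		'section_id'  => array(0, $section),
		'offering_id' => array(0, $id)
	));

	// Incoming list of usernames and/or numeric user IDs
	$m    = Request::getVar('usernames', '', 'post');
	$mbrs = explode(',', $m);

	$users = array();
	foreach ($mbrs as $mbr)
	{
		$mbr = trim($mbr);

		// Blank entries (e.g. a trailing comma) are not users; skip them
		// instead of reporting an empty "user not found"
		if ($mbr === '')
		{
			continue;
		}

		// Resolve the entry to a user ID. A numeric entry is checked against
		// an actual account (as the course-level addTask does) rather than
		// accepted blindly, so an arbitrary number cannot be granted the role.
		if (is_numeric($mbr))
		{
			$account = \Hubzero\User\User::oneOrNew((int) $mbr);
			$uid     = $account->get('username') ? (int) $account->get('id') : 0;
		}
		else
		{
			$uid = (int) \Hubzero\User\User::oneByUsername($mbr)->get('id');
		}

		if (!$uid)
		{
			$this->setError(Lang::txt('COM_COURSES_ERROR_USER_NOTFOUND') . ' ' . $mbr);
			continue;
		}

		// Already a manager of this offering/section: report and move on
		if (isset($managers[$uid]))
		{
			$this->setError(Lang::txt('COM_COURSES_ERROR_ALREADY_MANAGER', $mbr));
			continue;
		}

		$users[] = $uid;
	}

	// Only touch the model when there is someone to add
	if (!empty($users))
	{
		$model->add($users, $role_id);
	}

	// Push through to the managers view
	$this->displayTask($model);
}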
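/**
 * Add user(s) to a course's manager list
 *
 * Reads the course ID and a comma-separated list of usernames and/or numeric
 * user IDs from the request. Each entry is resolved to an existing account;
 * unknown entries and users who are already managers are reported through
 * setError() and skipped. The remaining users are added with the requested
 * role and the managers view is rendered.
 *
 * @return void
 */
public function addTask()
{
	// Check for request forgeries
	Request::checkToken();

	// Incoming course ID
	$id = Request::getInt('id', 0);
	if (!$id)
	{
		$this->setError(Lang::txt('COM_COURSES_ERROR_NO_ID'));
		$this->displayTask();
		return;
	}

	// Load the course and its current managers (keyed by user ID)
	$course   = \Components\Courses\Models\Course::getInstance($id);
	$managers = $course->managers();

	// Incoming list of usernames and/or numeric user IDs
	$m    = Request::getVar('usernames', '', 'post');
	$mbrs = explode(',', $m);

	$users = array();
	foreach ($mbrs as $mbr)
	{
		$mbr = trim($mbr);

		// Blank entries (e.g. a trailing comma) are not users; skip them
		if ($mbr === '')
		{
			continue;
		}

		// Reset for every entry. Previously the ID resolved for an earlier
		// entry leaked into the next iteration, so a numeric entry that
		// matched no account silently re-added the previous user.
		$uid = 0;

		if (is_numeric($mbr))
		{
			// A numeric entry must correspond to an existing account
			$user = User::getInstance($mbr);
			if (is_object($user) && $user->get('username'))
			{
				$uid = (int) $mbr;
			}
		}
		else
		{
			$uid = (int) \Hubzero\User\User::oneByUsername($mbr)->get('id');
		}

		if (!$uid)
		{
			$this->setError(Lang::txt('COM_COURSES_ERROR_USER_NOTFOUND') . ' ' . $mbr);
			continue;
		}

		// Already a manager: report and move on
		if (isset($managers[$uid]))
		{
			$this->setError(Lang::txt('COM_COURSES_ERROR_ALREADY_MANAGER', $mbr));
			continue;
		}

		$users[] = $uid;
	}

	// Only touch the model when there is someone to add
	if (!empty($users))
	{
		$course->add($users, Request::getInt('role', 0));
	}

	// Push through to the managers view
	$this->displayTask($course);
}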
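/**
 * Validate a password against a list of rules
 *
 * Each rule is an array carrying a 'rule' name and a 'failuremsg', plus a
 * 'value' and/or 'class' depending on the rule. The password is checked
 * against every rule and the 'failuremsg' of each failed rule is collected.
 * Unknown rule names are treated as failures; the rule names 'true' and
 * 'notStale' are recognised but not enforced here.
 *
 * @param   string  $password  Candidate password
 * @param   array   $rules     List of rule definitions
 * @param   mixed   $user      Numeric user ID or username the password belongs to
 * @param   string  $name      Full name for the 'notNameBased' rule; built from the user's profile when null
 * @return  array   Failure messages, empty when every rule passes
 */
public static function verify($password, $rules, $user, $name = null)
{
	if (empty($rules))
	{
		return array();
	}

	$fail  = array();
	$stats = self::analyze($password);

	foreach ($rules as $rule)
	{
		// Nothing follows the switch inside the loop, so `break` moves on to
		// the next rule without recording a failure.
		switch ($rule['rule'])
		{
			case 'minCharacterClasses':
				if ($stats['uniqueClasses'] < $rule['value'])
				{
					$fail[] = $rule['failuremsg'];
				}
				break;

			case 'maxCharacterClasses':
				if ($stats['uniqueClasses'] > $rule['value'])
				{
					$fail[] = $rule['failuremsg'];
				}
				break;

			case 'minPasswordLength':
				// count[0] is the overall length as reported by analyze()
				if ($stats['count'][0] < $rule['value'])
				{
					$fail[] = $rule['failuremsg'];
				}
				break;

			case 'maxPasswordLength':
				if ($stats['count'][0] > $rule['value'])
				{
					$fail[] = $rule['failuremsg'];
				}
				break;

			case 'maxClassCharacters':
			case 'minClassCharacters':
				// A class-specific rule without a class cannot be evaluated
				if (empty($rule['class']))
				{
					break;
				}
				$class = $rule['class'];
				$count = empty($stats['count'][$class]) ? 0 : $stats['count'][$class];

				$tooMany = ($rule['rule'] == 'maxClassCharacters') && $count > $rule['value'];
				$tooFew  = ($rule['rule'] == 'minClassCharacters') && $count < $rule['value'];
				if ($tooMany || $tooFew)
				{
					$fail[] = $rule['failuremsg'];
				}
				break;

			case 'minUniqueCharacters':
				if ($stats['uniqueCharacters'] < $rule['value'])
				{
					$fail[] = $rule['failuremsg'];
				}
				break;

			case 'notBlacklisted':
				if (Blacklist::basedOnBlackList($password))
				{
					$fail[] = $rule['failuremsg'];
				}
				break;

			case 'notNameBased':
				if ($name == null)
				{
					// No explicit name: assemble "given middle surname" from the
					// profile, joining only the parts that are present
					$xuser = is_numeric($user) ? User::oneOrNew($user) : User::oneByUsername($user);
					if (!is_object($xuser))
					{
						break;
					}

					$name = $xuser->get('givenName');
					foreach (array($xuser->get('middleName'), $xuser->get('surname')) as $part)
					{
						if (!empty($part))
						{
							$name = empty($name) ? $part : $name . ' ' . $part;
						}
					}
				}
				if (self::isBasedOnName($password, $name))
				{
					$fail[] = $rule['failuremsg'];
				}
				break;

			case 'notUsernameBased':
				if (is_numeric($user))
				{
					$xuser = User::oneOrNew($user);
					if (!is_object($xuser))
					{
						break;
					}
					// NOTE(review): this replaces the numeric $user with the username,
					// so any 'notReused' / 'notRepeat' rule listed after this one
					// receives the username instead of the ID. Kept as-is; confirm
					// History::getInstance() and Password::passwordMatches() accept
					// both before changing it.
					$user = $xuser->get('username');
				}
				if (self::isBasedOnUsername($password, $user))
				{
					$fail[] = $rule['failuremsg'];
				}
				break;

			case 'notReused':
				// Only passwords used within the last 'value' days count as reuse
				$since = new \DateTimeImmutable('now');
				$since = $since->modify("-" . $rule['value'] . "day");

				$phist = History::getInstance($user);
				if (!is_object($phist))
				{
					break;
				}
				if ($phist->exists($password, $since->format("Y-m-d H:i:s")))
				{
					$fail[] = $rule['failuremsg'];
				}
				break;

			case 'notRepeat':
				// Fails when the candidate equals the user's current password
				if (Password::passwordMatches($user, $password, true))
				{
					$fail[] = $rule['failuremsg'];
				}
				break;

			case 'true':
			case 'notStale':
				// Recognised rule names that are not enforced by this method
				break;

			default:
				// Unknown rule: fail closed
				$fail[] = $rule['failuremsg'];
				break;
		}
	}

	return $fail;
}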
/**
 * Authenticate requests
 *
 * Establishes the identity behind the current API request and records it in
 * $this->_authn ('user_id', 'session_id', and for OAuth 'oauth_token' /
 * 'consumer_key'). Three sources are tried, in this order:
 *   1. an OAuth token validated by \Hubzero\Oauth\Provider,
 *   2. the site session cookie, looked up in `#__session`,
 *   3. a tool session (sessionnum + sessiontoken from POST or request headers),
 *      accepted only when the client IP matches the session's execution host.
 * Finally $this->request->validApiKey is set from whether a consumer key was seen.
 *
 * @return mixed  null when there is no route or on completion; false when a
 *                CLI run has no parameters or OAuth validation rejected the request
 */
public function authenticate()
{
	if (!$this->_route)
	{
		return;
	}

	JLoader::import('Hubzero.User.Profile');
	JLoader::import('Hubzero.User.Helper');
	JLoader::import('Hubzero.Oauth.Provider');
	JLoader::import('Hubzero.User');
	JLoader::import('Hubzero.Xml');

	/*
	 * If CLI then we have to gather all query, post and header values
	 * into params for Oauth_Provider's constructor.
	 */
	$params = array();
	if (php_sapi_name() == 'cli')
	{
		$queryvars = $this->request->get('queryvars');
		$postvars  = $this->request->get('postdata');

		// Query-string values win over POST values for the same key; both loops
		// apply the same precedence, so the second only adds keys missing from the first.
		if (!empty($queryvars))
		{
			foreach ($queryvars as $key => $value)
			{
				if (isset($queryvars[$key]))
				{
					$params[$key] = $queryvars[$key];
				}
				else
				{
					if (isset($postvars[$key]))
					{
						$params[$key] = $postvars[$key];
					}
				}
			}
		}
		if (!empty($postvars))
		{
			foreach ($postvars as $key => $value)
			{
				if (isset($queryvars[$key]))
				{
					$params[$key] = $queryvars[$key];
				}
				else
				{
					if (isset($postvars[$key]))
					{
						$params[$key] = $postvars[$key];
					}
				}
			}
		}
		if (empty($params))
		{
			return false;
		}
	}

	/* If request has a Basic Auth header Oauth will throw an exception if the header doesn't conform to the OAuth protocol. We catch that (or any other) exception and proceed as if there was no oauth data. @TODO A better approach might be to inspect the Basic Auth header and see if it even looks like OAuth was being attempted and throw an Oauth compliant error if it was. */
	try
	{
		$oauthp = new \Hubzero\Oauth\Provider($params);
		$oauthp->setRequestTokenPath('/api/oauth/request_token');
		$oauthp->setAccessTokenPath('/api/oauth/access_token');
		$oauthp->setAuthorizePath('/api/oauth/authorize');

		// An array result is an OAuth error payload: relay it and stop here
		$result = $oauthp->validateRequest($this->request->get('request'), $this->request->get('method'));
		if (is_array($result))
		{
			$this->response->setResponseProvides('application/x-www-form-urlencoded');
			$this->response->setMessage($result['message'], $result['status'], $result['reason']);
			return false;
		}

		$this->_provider = $oauthp;
		$this->_authn['oauth_token']  = $oauthp->getToken();
		$this->_authn['consumer_key'] = $oauthp->getConsumerKey();
	}
	catch (Exception $e)
	{
		// Any provider failure is swallowed and the request falls through to
		// session-based authentication below.
		$result = false;
	}

	$this->_authn['user_id'] = null;

	// NOTE(review): this branch assumes 'oauth_token' was set by the try block
	// above on this call ($oauthp is undefined if the constructor threw);
	// confirm _authn cannot carry a stale token from an earlier call.
	if (isset($this->_authn['oauth_token']) && $this->_authn['oauth_token'])
	{
		$data = $oauthp->getTokenData();
		if (!empty($data->user_id))
		{
			$this->_authn['user_id'] = $data->user_id;
		}
		$this->_authn['session_id'] = null;
		JFactory::getSession()->set('user', new JUser($data->user_id));
	}
	else
	{
		// well lets try to authenticate it with a session instead
		$session_name = md5(self::getHash('site'));

		$session_id = null;
		if (!empty($_COOKIE[$session_name]))
		{
			$session_id = $_COOKIE[$session_name];
		}

		$this->_authn['session_id'] = $session_id;
		$this->_authn['user_id']    = null;

		if (!empty($session_id))
		{
			$db      = JFactory::getDBO();
			$timeout = JFactory::getConfig()->getValue('config.timeout');

			// The cookie value is untrusted; it only reaches the SQL via $db->Quote().
			// NOTE(review): the concatenation yields "...'AND  time + N <= NOW()" with
			// no space before AND, and the `time + timeout <= NOW()` test selects rows
			// whose deadline has already passed — confirm both are intended, since the
			// latter looks like the inverse of a liveness check.
			$query = "SELECT userid FROM `#__session` WHERE session_id=" . $db->Quote($session_id) . "AND " . " time + " . (int) $timeout . " <= NOW() AND client_id = 0;";
			$db->setQuery($query);

			$user_id = $db->loadResult();
			if (!empty($user_id))
			{
				$this->_authn['user_id'] = $user_id;
			}
		}

		// tool session authentication
		$toolSessionId    = JRequest::getInt('sessionnum', null, 'POST');
		$toolSessionToken = JRequest::getCmd('sessiontoken', null, 'POST');

		// use request headers as backup method to post vars
		// NOTE(review): header names are looked up case-sensitively as
		// 'sessionnum' / 'sessiontoken'; confirm apache_request_headers()
		// returns them in that exact form on this stack.
		if (!$toolSessionId && !$toolSessionToken)
		{
			$headers = apache_request_headers();
			$toolSessionId    = isset($headers['sessionnum']) ? $headers['sessionnum'] : null;
			$toolSessionToken = isset($headers['sessiontoken']) ? $headers['sessiontoken'] : null;
		}

		// if we have a session id & token lets use those to authenticate
		if ($toolSessionId && $toolSessionToken)
		{
			// include neede libs
			require_once PATH_CORE . DS . 'components' . DS . 'com_tools' . DS . 'helpers' . DS . 'utils.php';

			// instantiate middleware database
			$mwdb = \Components\Tools\Helpers\Utils::getMWDBO();

			// attempt to load session from db (both values are driver-quoted)
			$query = "SELECT * FROM `session` WHERE `sessnum`= " . $mwdb->quote($toolSessionId) . " AND `sesstoken`=" . $mwdb->quote($toolSessionToken);
			$mwdb->setQuery($query);

			// only continue if a valid session was found
			if ($session = $mwdb->loadObject())
			{
				// check users IP against the session execution host IP:
				// a matching sessnum/sesstoken pair alone is not enough, the
				// request must also come from the host running that session
				if (JRequest::ip() == gethostbyname($session->exechost))
				{
					$profile = \Hubzero\User\User::oneByUsername($session->username);
					$this->_authn['user_id'] = $profile->get('id');
				}
			}
		}
	}

	// A consumer key is only present when OAuth validation succeeded above
	$this->request->validApiKey = !empty($this->_authn['consumer_key']);
}
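/**
 * Validate tool session data
 *
 * Looks up the middleware `session` row matching the given session number and
 * token. When a row exists and the request comes from a private address, the
 * ID of the user owning that session is returned.
 *
 * @param   string  $toolSessionId     Tool session id
 * @param   string  $toolSessionToken  Tool session token
 * @return  int|false  Owning user's ID; false when either value is missing, no
 *                     session matches, the request is not from a private
 *                     address, or the session's user cannot be resolved
 */
public function validateToolSessionData($toolSessionId, $toolSessionToken)
{
	// Both halves of the credential are required; don't query on an empty token
	if (!$toolSessionId || !$toolSessionToken)
	{
		return false;
	}

	// include neede libs
	require_once PATH_CORE . DS . 'components' . DS . 'com_tools' . DS . 'helpers' . DS . 'utils.php';

	// instantiate middleware database
	$mwdb = \Components\Tools\Helpers\Utils::getMWDBO();

	// attempt to load session from db; both values are driver-quoted, never interpolated raw
	$query = "SELECT * FROM `session` WHERE `sessnum`= " . $mwdb->quote($toolSessionId) . " AND `sesstoken`=" . $mwdb->quote($toolSessionToken);
	$mwdb->setQuery($query);

	// only continue if a valid session was found
	$session = $mwdb->loadObject();
	if (!$session)
	{
		return false;
	}

	// Tool sessions may only be validated from inside the private network
	$ip = new \Hubzero\Utility\Ip(\App::get('request')->ip());
	if (!$ip->isPrivate())
	{
		return false;
	}

	// Resolve the session owner to a user ID
	$profile = \Hubzero\User\User::oneByUsername($session->username);
	$uid     = (int) $profile->get('id');

	return $uid ? $uid : false;
}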
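/**
 * Add user(s) to a group members list (invitee, applicant, member, manager)
 *
 * Reads the group (gid), the target list (tbl) and a comma/semicolon-separated
 * list of usernames from the request. Each username is resolved to an account;
 * unknown users and users already present as invitee/applicant/member are
 * reported through setError() and skipped. The remaining users are removed
 * from every other list and added to the chosen one (managers are also added
 * to members), the group is saved and the action logged. Unless no_html is
 * set, the browser is then redirected back to the group page.
 *
 * @return void
 */
public function addusersTask()
{
	// Check for request forgeries
	Request::checkToken(['get', 'post']);

	$gid = Request::getVar('gid', '');

	// Load the group page
	$this->group = new Group();
	$this->group->read($gid);

	// Target list. It arrives straight from the POST body, so it is checked
	// against the lists a group actually has before it reaches Group::add().
	$lists = array('invitees', 'applicants', 'members', 'managers');
	$tbl   = Request::getVar('tbl', '', 'post');
	if (!in_array($tbl, $lists, true))
	{
		$this->setError('Unknown member list: ' . $tbl);
	}

	// Get all invitees of this group
	$invitees = $this->group->get('invitees');

	// Get all applicants of this group
	$applicants = $this->group->get('applicants');

	// Get all normal members (non-managers) of this group
	$members = $this->group->get('members');

	// Incoming array of users to add
	$m    = Request::getVar('usernames', '', 'post');
	$mbrs = preg_split("/[,;]/", $m);

	$users = array();
	foreach ($mbrs as $mbr)
	{
		// Retrieve user's account info
		$mbr = trim($mbr);
		$uid = \Hubzero\User\User::oneByUsername($mbr)->get('id');

		// Ensure we found an account
		if (!$uid)
		{
			$this->setError(Lang::txt('COM_GROUPS_USER_NOTFOUND') . ' ' . $mbr);
			continue;
		}

		// Make sure the user isn't already in one of the lists
		if (in_array($uid, $invitees) || in_array($uid, $applicants) || in_array($uid, $members))
		{
			$this->setError(Lang::txt('ALREADY_A_MEMBER_OF_TABLE', $mbr));
			continue;
		}

		$users[] = $uid;
	}

	// Only mutate, save and log when the target list is valid and there is
	// actually someone to add
	$added = in_array($tbl, $lists, true) && !empty($users);
	if ($added)
	{
		// Remove the users from any other lists they may be a part of
		foreach ($lists as $list)
		{
			$this->group->remove($list, $users);
		}

		// Add users to the list that was chosen
		$this->group->add($tbl, $users);
		if ($tbl === 'managers')
		{
			// Ensure they're added to the members list as well if they're a manager
			$this->group->add('members', $users);
		}

		// Save changes
		$this->group->update();

		// log
		Log::log(array(
			'gidNumber' => $this->group->get('gidNumber'),
			'action'    => 'group_members_added',
			'comments'  => $users
		));
	}

	if (!Request::getInt('no_html', 0))
	{
		$url = Route::url('index.php?option=' . $this->_option . '&controller=' . $this->_controller . '&gid=' . $this->group->get('cn'), false);

		// Report success only when something was added; otherwise surface the
		// last error instead of a misleading "member added" message
		if ($added)
		{
			App::redirect($url, Lang::txt('COM_GROUPS_MEMBER_ADDED', $tbl));
		}
		else
		{
			App::redirect($url, $this->getError(), 'error');
		}
	}
}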
/**
 * Check if the user is a member of a given table
 *
 * @param   string   $table  Table to check: applicants, members, managers or invitees
 * @param   integer  $uid    User ID, or a username which is resolved to its ID
 * @return  boolean  True when the user appears in that table; false for an unknown table
 */
public function is_member_of($table, $uid)
{
	$knownTables = array('applicants', 'members', 'managers', 'invitees');

	// Anything other than the four membership tables is never a match
	if (!in_array($table, $knownTables))
	{
		return false;
	}

	// Usernames are looked up; numeric values are taken as IDs as-is
	$userId = is_numeric($uid)
		? $uid
		: User::oneByUsername($uid)->get('id');

	return in_array($userId, $this->get($table));
}