 /**
  * REST endpoint for sharing droplets via email.
  *
  * Accepts POST only. The CSRF token is taken from the X-CSRF-Token
  * request header, not from the body; recipient, drop_title, drop_url and
  * the captcha answer (security_code) are taken from the POST body. A bad
  * token or a validation failure is logged at DEBUG level and answered
  * with a 400; otherwise a mail naming the sharing user and carrying the
  * submitted drop URL is sent to the recipient.
  *
  * NOTE(review): drop_url only has to be a syntactically valid URL, so a
  * logged-in user can have the site's mailer deliver an arbitrary link to
  * an arbitrary address. Captcha and CSRF limit automation, not intent;
  * restricting drop_url to this site's own origin is worth considering.
  *
  * @throws HTTP_Exception  405 for non-POST requests, 400 on token or input failure
  */
 public function action_share()
 {
     $this->template = '';
     $this->auto_render = FALSE;
     if ($this->request->method() != "POST") {
         throw HTTP_Exception::factory(405)->allowed('POST');
     }
     // Only these fields are taken from the body; anything else is ignored
     $fields = array('recipient', 'drop_title', 'drop_url', 'security_code');
     $input = Arr::extract($_POST, $fields);
     $token = $this->request->headers('x-csrf-token');
     $validation = Validation::factory($input)
         ->rule('recipient', 'not_empty')
         ->rule('recipient', 'email')
         ->rule('security_code', 'Captcha::valid')
         ->rule('drop_title', 'not_empty')
         ->rule('drop_url', 'url');
     // Token first; the input rules only run when the token is good
     if ( ! CSRF::valid($token) OR ! $validation->check()) {
         Kohana::$log->add(Log::DEBUG, "CSRF token or form validation failure");
         throw HTTP_Exception::factory(400);
     }
     // Mail body names the sharing user and carries the submitted link
     $body = __(":user has shared a drop with you via SwiftRiver\n\n:url", array(
         ':user' => $this->user['owner']['username'],
         ':url' => $input['drop_url'],
     ));
     Swiftriver_Mail::send($input['recipient'], $input['drop_title'], $body);
 }
 /**
  * Checks a CSRF token and renders the access-denied layout on failure.
  *
  * Thin wrapper around CSRF::valid(): a valid token yields TRUE; an
  * invalid one loads the "access_denied" view through the Smarty layout
  * (with no extra CSS files) and yields FALSE. Nothing here halts the
  * request, so callers must stop processing themselves on FALSE.
  *
  * NOTE(review): CSRF::valid must resolve to a class other than the one
  * declaring this method, otherwise the call recurses — confirm against
  * the file's namespace and use statements.
  *
  * @param   string  $token  Token submitted with the request
  * @return  boolean
  */
 public static function valid($token)
 {
     if (CSRF::valid($token)) {
         return true;
     }
     \CODOF\Smarty\Layout::load("access_denied", array());
     return false;
 }
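 /**
  * Runs the CSRF check automatically for POST requests that carry the
  * token field (self::$name).
  *
  * Non-POST requests, and POSTs without the token field, pass through
  * untouched and the method returns true. When the field is present,
  * self::check() decides: a result below 1 calls self::deny($base_app),
  * otherwise self::$valid is set to true.
  *
  * Fix: the method test was written as `'POST' == !$_SERVER['REQUEST_METHOD']`.
  * The `!` negates the method string first, so 'POST' was compared with
  * FALSE — always false — and the method never influenced the outcome. It
  * is now a plain string comparison.
  *
  * NOTE(review): a POST that simply omits the token field still bypasses
  * the check; that is the original contract and is not changed here. If
  * self::deny() does not end the request, self::$valid is still set to
  * true afterwards — confirm deny() exits or redirects.
  *
  * @param   mixed    $base_app  Application object handed to self::deny()
  * @return  boolean  true when the check was skipped or passed
  */
 public static function auto_check($base_app)
 {
     if ($_SERVER['REQUEST_METHOD'] !== 'POST' || ! isset($_POST[self::$name])) {
         return true;
     }
     if (self::check() < 1) {
         self::deny($base_app);
     }
     self::$valid = true;
     return true;
 }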
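 /**
  * Simple register for user
  *
  * GET renders the registration form. A POST with an email and a valid
  * 'register' CSRF token validates the address, checks that both
  * passwords match and that the address is not yet registered, creates an
  * active user with role 1, logs the new user in, sends the
  * 'auth.register' mail and redirects. A visitor who is already logged in
  * is sent to the panel instead.
  *
  * Fixes: a failed $user->save() (ORM_Validation_Exception) was silently
  * swallowed and the flow went on to log in, mail and welcome a user that
  * was never stored; the model errors are now shown and the flow stops.
  * The post-registration redirect accepted any URL from the
  * 'auth_redirect' POST field (open redirect); only site-relative paths
  * are honoured now. Passwords are compared with !== so numeric-looking
  * strings such as '1e1' and '10' no longer compare equal.
  *
  * NOTE(review): the registration mail carries the cleartext password
  * ([USER.PWD]). It is left in place because the mail template expects
  * the placeholder, but it should be dropped from both template and code.
  * NOTE(review): model errors are read from the 'models' message
  * directory, the usual Kohana ORM location — confirm it exists here.
  */
 public function action_register()
 {
     $this->template->content = View::factory('pages/auth/register');
     $this->template->content->msg = '';
     //if user loged in redirect home
     if (Auth::instance()->logged_in()) {
         $this->request->redirect(Route::get('oc-panel')->uri());
     } elseif (core::post('email') and CSRF::valid('register')) {
         $email = core::post('email');
         if ( ! Valid::email($email, TRUE)) {
             Form::set_errors(array(__('Invalid Email')));
         } elseif (core::post('password1') !== core::post('password2')) {
             Form::set_errors(array(__('Passwords do not match')));
         } else {
             //check we have this email in the DB
             $user = new Model_User();
             $user = $user->where('email', '=', $email)->limit(1)->find();
             if ($user->loaded()) {
                 Form::set_errors(array(__('User already exists')));
             } else {
                 //create user
                 $user->email = $email;
                 $user->name = core::post('name');
                 $user->status = Model_User::STATUS_ACTIVE;
                 $user->id_role = 1; //normal user
                 $user->password = core::post('password1');
                 $user->seoname = $user->gen_seo_title(core::post('name'));
                 $saved = FALSE;
                 try {
                     $user->save();
                     $saved = TRUE;
                 } catch (ORM_Validation_Exception $e) {
                     // Model validation failed: show why instead of logging
                     // in a user that was never stored.
                     Form::set_errors($e->errors('models'));
                 } catch (Exception $e) {
                     throw new HTTP_Exception_500($e->getMessage());
                 }
                 if ($saved) {
                     //login the user
                     Auth::instance()->login(core::post('email'), core::post('password1'));
                     //send email
                     $user->email('auth.register', array('[USER.PWD]' => core::post('password1'), '[URL.QL]' => $user->ql('default', NULL, TRUE)));
                     Alert::set(Alert::SUCCESS, __('Welcome!'));
                     // Only a site-relative path ("/...") is trusted as the
                     // post-login target. Anything with a scheme, an authority
                     // ("//host") or a "/\host" form (browsers read the backslash
                     // as a slash) falls back to the panel.
                     $redirect = Core::post('auth_redirect', Route::url('oc-panel'));
                     if ( ! preg_match('#^/(?![/\\\\])#', (string) $redirect)) {
                         $redirect = Route::url('oc-panel');
                     }
                     $this->request->redirect($redirect);
                 }
             }
         }
     }
     //template header
     $this->template->title = __('Register new user');
 }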
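 /**
  * Create a New River
  * Step 1
  *
  * Renders the name form with the submitted values and any errors bound
  * in. On a POST carrying a valid 'form_auth_id' token the river is
  * created from river_name / river_public for the current user's account
  * and the browser is redirected to step 2 (/river/create/open/<id>).
  * Model validation errors are shown via the 'validation' message file.
  *
  * Fix: the token was read as $_POST['form_auth_id'], which raises an
  * undefined-index notice (a warning on PHP 8) whenever the field is
  * missing; it is now read with Arr::get() and a NULL default, like the
  * other form handlers that use $this->request->post('form_auth_id').
  *
  * NOTE(review): every Database_Exception is reported as "name already
  * exists", so unrelated database failures are masked by that message.
  *
  * @return	void
  */
 public function action_index()
 {
     // bind() takes references, so $post and $errors may be filled in below
     $this->step_content = View::factory('pages/river/create/name')
         ->bind('post', $post)
         ->bind('errors', $errors);
     // Check for form submission
     if ($_POST and CSRF::valid(Arr::get($_POST, 'form_auth_id'))) {
         $post = Arr::extract($_POST, array('river_name', 'river_public'));
         try {
             $river = Model_River::create_new($post['river_name'], $post['river_public'], $this->user->account);
             // Redirect to the /create/open/<id> to open channels
             $this->request->redirect(URL::site() . $this->account_path . '/river/create/open/' . $river->id);
         } catch (ORM_Validation_Exception $e) {
             $errors = $e->errors('validation');
         } catch (Database_Exception $e) {
             $errors = array(__("A river with the name ':name' already exists", array(':name' => $post['river_name'])));
         }
     }
 }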
 /**
  * simple registration without password
  *
  * Completes a social sign-up. The view receives the provider name (route
  * param 'id') plus the 'uid' and 'name' query parameters. A POST with an
  * email and a valid 'register_social' token creates the social user
  * (Model_User::create_social), logs it in through social_login() and
  * redirects to the default route; an invalid email sets a form error.
  *
  * NOTE(review): the provider user id and name are read from the query
  * string (core::get), i.e. from parameters the visitor controls, and are
  * then used both to create the account and to authenticate it. Unless
  * the surrounding flow checks them against the provider's response (for
  * example via the session), a caller could pick the uid they log in as —
  * confirm where these parameters originate.
  *
  * @return void
  */
 public function action_register()
 {
     $provider = $this->request->param('id');
     $uid = core::get('uid');
     $view_data = array('provider' => $provider, 'uid' => $uid, 'name' => core::get('name'));
     $this->template->content = View::factory('pages/auth/register-social', $view_data);
     if (core::post('email') and CSRF::valid('register_social')) {
         $email = core::post('email');
         if ( ! Valid::email($email, TRUE)) {
             Form::set_errors(array(__('Invalid Email')));
         } else {
             //register the user in DB
             Model_User::create_social($email, core::post('name'), $provider, $uid);
             //log him in
             Auth::instance()->social_login($provider, $uid);
             Alert::set(Alert::SUCCESS, __('Welcome!'));
             //change the redirect
             $this->redirect(Route::url('default'));
         }
     }
     //template header
     $this->template->title = __('Register new user');
 }
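 /**
  * Simple register for user
  *
  * GET renders the registration form. A POST is validated (name, email,
  * two non-empty matching passwords) and, when the 'register' CSRF token
  * is valid and the address is not yet registered, a user is created with
  * Model_User::create_email(), logged in and redirected. Validation
  * messages come from the 'auth' message file and are shown as alerts.
  *
  * Fixes: a form that validated but carried a bad or missing CSRF token
  * fell through with no feedback at all (the form just re-rendered); it
  * now raises an alert. The redirect target from the 'auth_redirect' POST
  * field was used verbatim (open redirect); only site-relative paths are
  * honoured, anything else goes to the panel.
  */
 public function action_register()
 {
     $this->template->content = View::factory('pages/auth/register');
     $this->template->content->msg = '';
     //if user loged in redirect home
     if (Auth::instance()->logged_in()) {
         $this->redirect(Route::get('oc-panel')->uri());
     } elseif ($this->request->post()) {
         $validation = Validation::factory($this->request->post())
             ->rule('name', 'not_empty')
             ->rule('email', 'not_empty')
             ->rule('email', 'email')
             ->rule('password1', 'not_empty')
             ->rule('password2', 'not_empty')
             ->rule('password1', 'matches', array(':validation', 'password1', 'password2'));
         if ( ! $validation->check()) {
             foreach ($validation->errors('auth') as $error) {
                 Alert::set(Alert::ALERT, $error);
             }
         } elseif ( ! CSRF::valid('register')) {
             // Token missing or expired: say so instead of silently re-rendering
             Alert::set(Alert::ALERT, __('Invalid form token, please try again'));
         } else {
             $email = core::post('email');
             //check we have this email in the DB
             $user = new Model_User();
             $user = $user->where('email', '=', $email)->limit(1)->find();
             if ($user->loaded()) {
                 Form::set_errors(array(__('User already exists')));
             } else {
                 //creating the user
                 $user = Model_User::create_email($email, core::post('name'), core::post('password1'));
                 //login the user
                 Auth::instance()->login(core::post('email'), core::post('password1'));
                 Alert::set(Alert::SUCCESS, __('Welcome!'));
                 // Only a site-relative path ("/...") is trusted as the
                 // post-login target. Anything with a scheme, an authority
                 // ("//host") or a "/\host" form (browsers read the backslash
                 // as a slash) falls back to the panel.
                 $redirect = Core::post('auth_redirect', Route::url('oc-panel'));
                 if ( ! preg_match('#^/(?![/\\\\])#', (string) $redirect)) {
                     $redirect = Route::url('oc-panel');
                 }
                 $this->redirect($redirect);
             }
         }
     }
     //template header
     $this->template->title = __('Register new user');
     $this->template->meta_description = __('Create a new profile at') . ' ' . Core::config('general.site_name');
 }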
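 /**
  * 2step verification form
  *
  * Second factor for a user who has already passed the password step and
  * has a Google Authenticator secret. Goes straight to the panel when the
  * feature is off, the user is not logged in, the user has no secret, or
  * this browser's signed 'google_authenticator' cookie already names the
  * user. Otherwise a POSTed 'code' (with a valid '2step' token) is checked
  * with PHPGangsta_GoogleAuthenticator::verifyCode() using a discrepancy
  * of 2 (time slices either side of now, per that library's API); on
  * success the cookie is set for auth.lifetime seconds and the stored
  * login redirect is followed, otherwise an "Invalid Code" error is set.
  *
  * Fix: the cookie / user-id comparison is now made on string casts with
  * ===, so it no longer depends on PHP's loose numeric comparison (where,
  * before PHP 8, "5abc" == 5 held).
  *
  * NOTE(review): nothing here limits how many codes may be tried; with a
  * 6-digit code and a 2-slice window, unthrottled guessing is feasible —
  * confirm a limit exists elsewhere. The cookie is Kohana-signed
  * (Cookie::$salt), so it cannot be forged client-side provided the salt
  * is configured.
  */
 public function action_2step()
 {
     // 2step disabled or trying to access directly
     if ( ! Auth::instance()->logged_in() or Core::config('general.google_authenticator') == FALSE) {
         $this->redirect(Route::get('oc-panel')->uri());
     }
     //template header
     $this->template->title = __('2 Step Authentication');
     $this->template->content = View::factory('pages/auth/2step');
     // Already verified on this browser (strict string compare), or no secret set
     if (Auth::instance()->logged_in() and ((string) Cookie::get('google_authenticator') === (string) $this->user->id_user or $this->user->google_authenticator == '')) {
         $this->redirect(Route::get('oc-panel')->uri());
     } elseif (core::post('code') and CSRF::valid('2step')) {
         //load library
         require Kohana::find_file('vendor', 'GoogleAuthenticator');
         $ga = new PHPGangsta_GoogleAuthenticator();
         // Third argument is the accepted discrepancy in time slices
         if ($ga->verifyCode($this->user->google_authenticator, core::post('code'), 2)) {
             //set cookie: remembers this browser for auth.lifetime seconds
             Cookie::set('google_authenticator', $this->user->id_user, Core::config('auth.lifetime'));
             // redirect to the url we wanted to see
             Auth::instance()->login_redirect();
         } else {
             Form::set_errors(array(__('Invalid Code')));
         }
     }
 }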
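 /**
  * Returns TRUE if the POST has a valid CSRF
  *
  * Usage:<br>
  * <code>
  * 	if ($this->valid_post('upload_photo')) { ... }
  * </code>
  *
  * Checks, in order: the request is a POST; the POST size limit was not
  * exceeded; when $submit is given, that field is present; the '_token'
  * and '_action' fields validate through CSRF::valid(); and, if a
  * '_captcha' field is present, it is non-empty and passes
  * Captcha::valid(). The first failing step stores a message in
  * $this->_errors (keyed by the offending field) and returns FALSE. A
  * POST without CSRF fields returns FALSE without a message.
  *
  * Fix: $has_csrf was assigned with `= ... and ...`; because 'and' binds
  * more loosely than '=', only `! empty($_token)` was stored and a missing
  * '_action' still counted as "CSRF fields present". The conjunction is
  * now evaluated before the assignment. A submission with a token but no
  * action is therefore treated like a form without CSRF fields (FALSE,
  * no "expired" message) instead of being reported as expired.
  *
  * @param   string|NULL  $submit Submit value [Optional]
  * @return  boolean  Return TRUE if it's valid $_POST
  *
  * @uses    Request::is_post
  * @uses    Request::post_max_size_exceeded
  * @uses    Request::get_post_max_size
  * @uses    Request::post
  * @uses    Message::error
  * @uses    CSRF::valid
  * @uses    Captcha::valid
  */
 public function valid_post($submit = NULL)
 {
     if ( ! $this->request->is_post()) {
         return FALSE;
     }
     if (Request::post_max_size_exceeded()) {
         $this->_errors = array('_action' => __('Max file size of :max Bytes exceeded!', array(':max' => Request::get_post_max_size())));
         return FALSE;
     }
     if ( ! is_null($submit) AND ! isset($_POST[$submit])) {
         $this->_errors = array('_action' => __('This form has altered. Please try submitting it again.'));
         return FALSE;
     }
     $_token = $this->request->post('_token');
     $_action = $this->request->post('_action');
     // Both CSRF fields must be present. The parentheses matter: 'and'
     // binds more loosely than '=', so without them only the token test
     // would be assigned.
     $has_csrf = ( ! empty($_token) AND ! empty($_action));
     $valid_csrf = CSRF::valid($_token, $_action);
     if ($has_csrf AND ! $valid_csrf) {
         // CSRF fields were submitted but the token did not validate (expired or forged)
         $this->_errors = array('_token' => __('This form has expired. Please try submitting it again.'));
         return FALSE;
     }
     if (isset($_POST['_captcha'])) {
         $captcha = $this->request->post('_captcha');
         if (empty($captcha)) {
             // Captcha field present but left blank
             $this->_errors = array('_captcha' => __('The security code can\'t be empty.'));
             return FALSE;
         } elseif ( ! Captcha::valid($captcha)) {
             $this->_errors = array('_captcha' => __('The security answer was wrong.'));
             return FALSE;
         }
     }
     // A POST without CSRF fields is never valid (FALSE, no message)
     return ($has_csrf AND $valid_csrf);
 }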
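 /**
  * Log User In
  *
  * Renders the login page (referrer, messages and errors bound to the
  * view) and handles, on POST:
  *  - 'recover_email': a password-reset request, gated by the
  *    'form_auth_id' CSRF token, email syntax and the address being
  *    registered, then delegated to Model_User::password_reset();
  *  - 'username' + 'password': Auth::login() (with optional 'remember'),
  *    followed by a redirect to the POSTed 'referrer', the HTTP referrer,
  *    or the user's account path when neither points into this site.
  * One-shot 'system_messages' / 'system_errors' are pulled from the
  * session. A user who is already logged in is sent to the dashboard.
  *
  * Fixes: a password-reset request with a bad CSRF token was reported as
  * "email address invalid"; it now gets its own message. The same-site
  * test on the redirect target is a single strpos() !== 0 (the original
  * needed two comparisons because FALSE != 0 is false in PHP).
  *
  * NOTE(review): the reset flow tells the caller whether an address is
  * registered ("not registered" vs. the reset messages), which allows
  * account enumeration; a uniform "if that address is registered, a mail
  * has been sent" response would avoid it. No login throttling is visible
  * here — confirm Auth::login() or the user model provides it.
  *
  * @return void
  */
 public function action_index()
 {
     $this->template->content->active = 'login';
     $this->template->content->sub_content = View::factory('pages/login/main')
         ->bind('messages', $this->messages)
         ->bind('errors', $this->errors)
         ->bind('referrer', $referrer);
     if ($this->user) {
         $this->request->redirect($this->dashboard_url);
     }
     // Get the referriing URL
     $referrer = $this->request->query('redirect_to') ? $this->request->query('redirect_to') : NULL;
     //Check for system messages
     $session = Session::instance();
     $messages = $session->get_once('system_messages');
     if ($messages) {
         $this->messages = $messages;
     }
     $errors = $session->get_once('system_errors');
     if ($errors) {
         $this->errors = $errors;
     }
     // Password reset request
     if ($this->request->post('recover_email')) {
         $email = $this->request->post('recover_email');
         $csrf_token = $this->request->post('form_auth_id');
         if ( ! CSRF::valid($csrf_token)) {
             // Was reported as an invalid address; give the real reason
             $this->errors = array(__('Invalid form token. Please try submitting the form again'));
         } elseif ( ! Valid::email($email)) {
             $this->errors = array(__('The email address you have provided is invalid'));
         } else {
             // Is the email registed in this site?
             $user = ORM::factory('user', array('email' => $email));
             if ( ! $user->loaded()) {
                 // NOTE(review): reveals whether an address is registered
                 $this->errors = array(__('The provided email address is not registered'));
             } else {
                 $messages = Model_User::password_reset($email, $this->riverid_auth);
                 // Display the messages
                 if (isset($messages['errors'])) {
                     $this->errors = $messages['errors'];
                 }
                 if (isset($messages['messages'])) {
                     $this->messages = $messages['messages'];
                 }
             }
         }
     }
     // Check, has the form been submitted, if so, setup validation
     if ($this->request->post('username') and $this->request->post('password')) {
         // Validate the form token
         if ( ! CSRF::valid($this->request->post('form_auth_id'))) {
             // Show invalid request message
             Kohana::$log->add(Log::ERROR, "Invalid CSRF token :token", array(':token' => $this->request->post('form_auth_id')));
             return;
         }
         $username = $this->request->post('username');
         $password = $this->request->post('password');
         // Check Auth if the post data validates using the rules setup in the user model
         if (Auth::instance()->login($username, $password, $this->request->post('remember') == 1)) {
             // Always redirect after a successful POST to prevent refresh warnings.
             // Prefer the referrer from the post parameters, then the request
             // referrer; fall back to the user's account page when neither is
             // set or neither starts with this site's base URL. strpos() !== 0
             // also covers the "not found" (FALSE) case.
             $redirect_to = $this->request->post('referrer');
             $redirect_to = $redirect_to ? $redirect_to : $this->request->referrer();
             if ( ! $redirect_to or strpos($redirect_to, URL::base($this->request)) !== 0) {
                 $user = Auth::instance()->get_user();
                 $redirect_to = URL::site() . $user->account->account_path;
             }
             $this->request->redirect($redirect_to);
         } else {
             $this->template->content->set('username', $username);
             // Get errors for display in view
             $validation = Validation::factory($this->request->post())
                 ->rule('username', 'not_empty')
                 ->rule('password', 'not_empty');
             if ($validation->check()) {
                 $validation->error('password', 'invalid');
             }
             $this->errors = $validation->errors('login');
         }
     }
 }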
 /**
  * Account settings
  *
  * Only the account owner may reach this page; anyone else is sent to the
  * dashboard. Renders the settings view with the user and the errors bound
  * in, plus the settings JS view. A POST with a valid 'form_auth_id' token
  * is dispatched on the presence of 'current_password': present means the
  * change-password form, absent means the profile form (update_account,
  * which on success replaces $this->user and $this->visited_account).
  * Flash messages are read from the session and then deleted.
  *
  * NOTE(review): the raw $_POST array is handed to the account service in
  * both branches; whether it whitelists the fields it accepts (mass
  * assignment) is not visible here — confirm in the account service.
  *
  * @return	void
  */
 public function action_settings()
 {
     if ( ! $this->owner) {
         $this->redirect($this->dashboard_url, 302);
     }
     $this->template->content->show_navigation = FALSE;
     // Set the current page
     $this->active = 'settings-navigation-link';
     $this->template->content->view_type = 'settings';
     $this->template->header->js = View::factory('pages/user/js/settings');
     $this->template->header->js->user = $this->user;
     $this->sub_content = View::factory('pages/user/settings')
         ->bind('user', $this->user)
         ->bind('errors', $this->errors);
     $is_post = ($this->request->method() === 'POST');
     if ($is_post and CSRF::valid($this->request->post('form_auth_id'))) {
         if (isset($_POST['current_password'])) {
             // The change password form has been submitted
             $this->account_service->change_password($this->user['id'], $_POST);
         } else {
             // Profile form: refresh the cached account on success
             $account = $this->account_service->update_account($this->user['id'], $_POST);
             if ($account != FALSE) {
                 $this->user = $account;
                 $this->visited_account = $account;
             }
         }
     }
     $session = Session::instance();
     $this->sub_content->messages = $session->get('messages');
     $session->delete('messages');
 }
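 /**
  * REST endpoint for sharing droplets via email
  *
  * POST only (405 otherwise). The CSRF token comes from the X-CSRF-Token
  * header; recipient, subject and body (at most 300 characters) from the
  * POST body. On failure the response status is set to 400; on success
  * the body, suffixed with the sharing user's name, is mailed to the
  * recipient.
  *
  * Fix: the guard was `! CSRF::valid(...) and ! $validation->check()`,
  * which is false as soon as either test passes. A request with a bad or
  * missing token was sent whenever the fields validated, and a request
  * with a good token was sent without running validation at all. Either
  * failure now rejects the request, matching the other share endpoint.
  *
  * NOTE(review): recipient, subject and body are free-form, so any
  * logged-in user can relay short arbitrary messages to any address from
  * the site's mailer; unlike the other share endpoint there is no captcha
  * here, and no rate limit is visible.
  *
  * @throws HTTP_Exception_405  when the request carries no POST data
  */
 public function action_share()
 {
     $this->template = '';
     $this->auto_render = FALSE;
     if ( ! $_POST) {
         throw new HTTP_Exception_405("Only HTTP POST requests are allowed");
     }
     // Extract the input data
     $post = Arr::extract($_POST, array('recipient', 'subject', 'body'));
     $csrf_token = $this->request->headers('x-csrf-token');
     // Setup validation
     $validation = Validation::factory($post)
         ->rule('recipient', 'not_empty')
         ->rule('recipient', 'email')
         ->rule('subject', 'not_empty')
         ->rule('body', 'not_empty')
         ->rule('body', 'max_length', array(':value', 300));
     // Reject on a bad token OR bad input
     if ( ! CSRF::valid($csrf_token) OR ! $validation->check()) {
         $this->response->status(400);
         return;
     }
     // Modify the mail body to include the name of the user sharing content
     $mail_body = __(":body \n\nShared by :sender", array(':body' => $post['body'], ':sender' => $this->user->username));
     // Send the email
     Swiftriver_Mail::send($post['recipient'], $post['subject'], $mail_body);
 }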
 /**
  * Reset account password
  *
  * Requires 'email' and 'token' query parameters (otherwise redirects to
  * /login). On a POST with a valid 'form_auth_id' token, the email/token
  * pair from the query string and password/password_confirm from the body
  * are handed to the account service. Success flashes a message and
  * redirects to the login page; any other outcome redirects back to this
  * URI with a failure message: a BadRequest whose error is an invalid
  * token maps to "Account not found." (other errors to "Error"), NotFound
  * maps to "no account registered with that email address".
  *
  * NOTE(review): the NotFound branch stores fullname/email/username from
  * the POST in the session — fields this form does not appear to send;
  * it looks carried over from a registration handler. Left as is.
  * NOTE(review): the early redirect on missing parameters has no return
  * after it; it only ends the action if $this->redirect() throws — confirm
  * for this Kohana version.
  *
  * @return void
  */
 public function action_reset_password()
 {
     // Check if the email and token params are present
     if ( ! isset($_GET['email']) or ! isset($_GET['token'])) {
         $this->redirect('/login');
     }
     $this->template->content = View::factory('pages/login/reset_password')
         ->bind('messages', $this->messages)
         ->bind('errors', $this->errors)
         ->bind('referrer', $referrer);
     // Only a POST with a valid token goes any further
     if ($this->request->method() != 'POST') {
         return;
     }
     if ( ! CSRF::valid($this->request->post('form_auth_id'))) {
         return;
     }
     $back_to_form = URL::site($this->request->uri());
     try {
         // Marshall the submitted data
         $reset_data = array(
             'email' => $this->request->query('email'),
             'token' => $this->request->query('token'),
             'password' => $this->request->post('password'),
             'password_confirm' => $this->request->post('password_confirm'),
         );
         // Reset the password
         if ($this->account_service->reset_password($reset_data)) {
             Swiftriver_Messages::add_message('success', __('Success'), __('Password reset successfully.'), FALSE);
             $this->redirect(URL::site('login'), 302);
         } else {
             $this->redirect($back_to_form, 302);
         }
     } catch (SwiftRiver_API_Exception_BadRequest $e) {
         foreach ($e->get_errors() as $error) {
             $is_bad_token = ($error['field'] == 'token' and $error['code'] == 'invalid');
             $message = $is_bad_token ? __('Account not found.') : "Error";
             Swiftriver_Messages::add_message('failure', __('Failure'), $message, FALSE);
         }
         $this->redirect($back_to_form, 302);
     } catch (SwiftRiver_API_Exception_NotFound $e) {
         Swiftriver_Messages::add_message('failure', __('Failure'), __('There is no account registered with that email address.'), FALSE);
         $this->session->set("fullname", $this->request->post('fullname'));
         $this->session->set("email", $this->request->post('email'));
         $this->session->set("username", $this->request->post('username'));
         $this->redirect($back_to_form, 302);
     }
 }