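/**
  * Allow a user to edit their own record.
  *
  * On success a 204 response with an empty body is sent and the script
  * exits; every failure path throws an Exception with code 400 or 403.
  *
  * @param Request $request the request.
  * @param         $db      the database.
  *
  * @return mixed
  *
  * @throws Exception
  */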
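 public function updateUser(Request $request, $db)
 {
     // Update the user record identified by the request.
     //
     // Checks run in this order: caller is logged in, caller has admin
     // rights on the target user, the OAuth client is permitted the password
     // grant, and (for password changes only) the old password re-verifies.
     // Field validation errors are collected and reported together.
     //
     // The method never returns normally: it sends 204 and exits on success
     // and throws an Exception (code 400 or 403) on every other path.

     // Authentication gate: a false user id means nobody is logged in.
     // NOTE(review): this is reported with code 400; if the code is used as
     // the HTTP status, 401 would be the conventional value. Left unchanged
     // because callers may depend on it.
     if (false === $request->getUserId()) {
         throw new Exception("You must be logged in to change a user account", 400);
     }

     $userId = $this->getItemId($request);
     $user_mapper = new UserMapper($db, $request);

     // Authorisation gate: the caller needs admin rights on the target user.
     // NOTE(review): code 400 with a generic message; 403 would be the
     // conventional value for a permission failure. Left unchanged for callers.
     if (!$user_mapper->thisUserHasAdminOn($userId)) {
         throw new Exception("Could not update user", 400);
     }

     $oauthModel = $request->getOauthModel($db);
     $accessToken = $request->getAccessToken();

     // only trusted clients can change account details
     if (!$oauthModel->isAccessTokenPermittedPasswordGrant($accessToken)) {
         throw new Exception("This client does not have permission to perform this operation", 403);
     }

     // start building up a representation of the user
     $user = ["user_id" => $userId];
     $errors = [];

     // start with passwords
     $password = $request->getParameter('password');
     if (!empty($password)) {
         // they must supply their old password to be allowed to set a new one
         $old_password = $request->getParameter('old_password');
         if (empty($old_password)) {
             throw new Exception('The field "old_password" is needed to update a user password', 400);
         }

         // Re-authenticate before accepting the new password, so that a
         // valid access token alone is not enough to change it.
         if (!$oauthModel->reverifyUserPassword($userId, $old_password)) {
             throw new Exception("The credentials could not be verified", 403);
         }

         // checkPasswordValidity() returns true when acceptable; any other
         // value is merged into $errors as a list of messages.
         $validity = $user_mapper->checkPasswordValidity($password);
         if (true === $validity) {
             // Passed on as supplied; presumably editUser() hashes it before
             // storage - confirm in UserMapper.
             $user['password'] = $password;
         } else {
             // the password wasn't acceptable, tell the user why
             $errors = array_merge($errors, $validity);
         }
     }

     // NOTE(review): FILTER_SANITIZE_STRING is deprecated since PHP 8.1. It
     // strips tags and encodes quotes on input, which is not a substitute for
     // context-aware escaping when the value is rendered. Kept here because
     // replacing it would change what gets stored.
     $user['full_name'] = filter_var(trim($request->getParameter("full_name")), FILTER_SANITIZE_STRING);
     if (empty($user['full_name'])) {
         $errors[] = "'full_name' is a required field";
     }

     // filter_var() returns false for an invalid address, which empty() catches.
     // NOTE(review): unlike a password change, an email change does not ask
     // for old_password. If account recovery relies on the email address,
     // consider requiring re-verification here as well.
     $user['email'] = filter_var(trim($request->getParameter("email")), FILTER_VALIDATE_EMAIL);
     if (empty($user['email'])) {
         $errors[] = "A valid entry for 'email' is required";
     } else {
         // does anyone else have this email?
         $existing_user = $user_mapper->getUserByEmail($user['email']);
         if ($existing_user['users']) {
             // yes but is that our existing user being found?
             $old_user = $user_mapper->getUserById($userId);
             // Strict comparison: identity of the two records must not
             // depend on PHP's loose string/number juggling.
             if ($old_user['users'][0]['uri'] !== $existing_user['users'][0]['uri']) {
                 // the email address exists and not on this user's account
                 $errors[] = "That email is already associated with another account";
             }
         }
     }

     // Optional Fields: false is the "not supplied" default, so the key is
     // only added to $user when the client actually sent it.
     $twitter_username = $request->getParameter("twitter_username", false);
     if (false !== $twitter_username) {
         $user['twitter_username'] = filter_var(trim($twitter_username), FILTER_SANITIZE_STRING);
     }

     if ($errors) {
         throw new Exception(implode(". ", $errors), 400);
     }

     // now update the user
     if (!$user_mapper->editUser($user, $userId)) {
         throw new Exception("User not updated", 400);
     }

     // we're good! The second argument was previously null, which PHP coerces
     // to false for this bool parameter and reports as deprecated from 8.1;
     // passing false explicitly keeps the same behaviour.
     header("Content-Length: 0", false, 204);
     exit;
 }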
 /**
  * Ensures that setUserId can set a user id into the model that can be
  * retrieved with getUserId
  *
  * @return void
  *
  * @test
  */
 public function setUserIdAllowsForSettingOfUserId()
 {
     // A fresh value on every run, so the assertion cannot pass by matching
     // a fixed id.
     $expectedId = uniqid();

     $subject = new \Request($this->config, []);
     $subject->setUserId($expectedId);

     // Round trip: what was set is what comes back.
     $this->assertEquals($expectedId, $subject->getUserId());
 }