/** * Get the API-key for a user. * * @param string $email The emailaddress for the user. * @param string $password The password for the user. * @return array */ public static function getAPIKey($email, $password) { $email = (string) $email; $password = (string) $password; // validate if ($email == '') { API::output(API::BAD_REQUEST, array('message' => 'No email-parameter provided.')); } if ($password == '') { API::output(API::BAD_REQUEST, array('message' => 'No password-parameter provided.')); } // load user try { $user = new BackendUser(null, $email); } catch (Exception $e) { API::output(API::FORBIDDEN, array('message' => 'Can\'t authenticate you.')); } // validate password if (!BackendAuthentication::loginUser($email, $password)) { API::output(API::FORBIDDEN, array('message' => 'Can\'t authenticate you.')); } // does the user have access? if ($user->getSetting('api_access', false) == false) { API::output(API::FORBIDDEN, array('message' => 'Your account isn\'t allowed to use the API. Contact an administrator.')); } // create the key if needed if ($user->getSetting('api_key', null) == null) { $user->setSetting('api_key', uniqid()); } // return the key return array('api_key' => $user->getSetting('api_key')); }
/** * Validate the forms */ private function validateForm() { if ($this->frm->isSubmitted()) { $txtEmail = $this->frm->getField('backend_email'); $txtPassword = $this->frm->getField('backend_password'); // required fields if (!$txtEmail->isFilled() || !$txtPassword->isFilled()) { // add error $this->frm->addError('fields required'); // show error $this->tpl->assign('hasError', true); } // invalid form-token? if ($this->frm->getToken() != $this->frm->getField('form_token')->getValue()) { // set a correct header, so bots understand they can't mess with us. if (!headers_sent()) { header('400 Bad Request', true, 400); } } // all fields are ok? if ($txtEmail->isFilled() && $txtPassword->isFilled() && $this->frm->getToken() == $this->frm->getField('form_token')->getValue()) { // try to login the user if (!BackendAuthentication::loginUser($txtEmail->getValue(), $txtPassword->getValue())) { // add error $this->frm->addError('invalid login'); // store attempt in session $current = SpoonSession::exists('backend_login_attempts') ? (int) SpoonSession::get('backend_login_attempts') : 0; // increment and store SpoonSession::set('backend_login_attempts', ++$current); // show error $this->tpl->assign('hasError', true); } } // check sessions if (SpoonSession::exists('backend_login_attempts') && (int) SpoonSession::get('backend_login_attempts') >= 5) { // get previous attempt $previousAttempt = SpoonSession::exists('backend_last_attempt') ? SpoonSession::get('backend_last_attempt') : time(); // calculate timeout $timeout = 5 * (SpoonSession::get('backend_login_attempts') - 4); // too soon! if (time() < $previousAttempt + $timeout) { // sleep untill the user can login again sleep($timeout); // set a correct header, so bots understand they can't mess with us. if (!headers_sent()) { header('503 Service Unavailable', true, 503); } } else { // increment and store SpoonSession::set('backend_last_attempt', time()); } // too many attempts $this->frm->addEditor('too many attempts'); // show error $this->tpl->assign('hasTooManyAttemps', true); $this->tpl->assign('hasError', false); } // no errors in the form? if ($this->frm->isCorrect()) { // cleanup sessions SpoonSession::delete('backend_login_attempts'); SpoonSession::delete('backend_last_attempt'); // create filter with modules which may not be displayed $filter = array('authentication', 'error', 'core'); // get all modules $modules = array_diff(BackendModel::getModules(), $filter); // loop through modules and break on first allowed module foreach ($modules as $module) { if (BackendAuthentication::isAllowedModule($module)) { break; } } // redirect to the correct URL (URL the user was looking for or fallback) $this->redirect($this->getParameter('querystring', 'string', BackendModel::createUrlForAction(null, $module))); } } // is the form submitted if ($this->frmForgotPassword->isSubmitted()) { // backend email $email = $this->frmForgotPassword->getField('backend_email_forgot')->getValue(); // required fields if ($this->frmForgotPassword->getField('backend_email_forgot')->isEmail(BL::err('EmailIsInvalid'))) { // check if there is a user with the given emailaddress if (!BackendUsersModel::existsEmail($email)) { $this->frmForgotPassword->getField('backend_email_forgot')->addError(BL::err('EmailIsUnknown')); } } // no errors in the form? if ($this->frmForgotPassword->isCorrect()) { // generate the key for the reset link and fetch the user ID for this email $key = BackendAuthentication::getEncryptedString($email, uniqid()); // insert the key and the timestamp into the user settings $userId = BackendUsersModel::getIdByEmail($email); $user = new BackendUser($userId); $user->setSetting('reset_password_key', $key); $user->setSetting('reset_password_timestamp', time()); // variables to parse in the e-mail $variables['resetLink'] = SITE_URL . BackendModel::createURLForAction('reset_password') . '&email=' . $email . '&key=' . $key; // send e-mail to user BackendMailer::addEmail(SpoonFilter::ucfirst(BL::msg('ResetYourPasswordMailSubject')), BACKEND_MODULE_PATH . '/layout/templates/mails/reset_password.tpl', $variables, $email); // clear post-values $_POST['backend_email_forgot'] = ''; // show success message $this->tpl->assign('isForgotPasswordSuccess', true); // show form $this->tpl->assign('showForm', true); } else { $this->tpl->assign('showForm', true); } } }
/** * Validate the form * * @return void */ private function validateForm() { // is the form submitted if ($this->frm->isSubmitted()) { // shorten fields $newPassword = $this->frm->getField('backend_new_password'); $newPasswordRepeated = $this->frm->getField('backend_new_password_repeated'); // required fields $newPassword->isFilled(BL::err('PasswordIsRequired')); $newPasswordRepeated->isFilled(BL::err('PasswordRepeatIsRequired')); // all fields are ok? if ($newPassword->isFilled() && $newPasswordRepeated->isFilled()) { // the passwords entered match if ($newPassword->getValue() !== $newPasswordRepeated->getValue()) { // add error $this->frm->addError(BL::err('PasswordsDontMatch')); // show error $this->tpl->assign('error', BL::err('PasswordsDontMatch')); } } // is the form submitted if ($this->frm->isCorrect()) { // change the users password BackendUsersModel::updatePassword($this->user, $newPassword->getValue()); // attempt to login the user if (!BackendAuthentication::loginUser($this->user->getEmail(), $newPassword->getValue())) { // redirect to the login form with an error $this->redirect(BackendModel::createURLForAction('index', null, null, array('login' => 'failed'))); } // redirect to the login form $this->redirect(BackendModel::createUrlForAction('index', 'dashboard', null, array('password_reset' => 'success'))); } } }