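/**
 * Load the form.
 *
 * Builds the "edit" form for the user identified by $this->id: profile
 * fields, an optional new/confirm password pair, display/format settings
 * and the permission controls (active flag, API access, group membership).
 *
 * NOTE(review): the "disabled" attributes set below (email for god users,
 * active for the currently logged-in user) are client-side hints only. A
 * crafted POST can still carry those fields, so the validation/save path
 * must enforce the same rules server-side; that path is not in this excerpt.
 */
private function loadForm()
{
    // create user objects
    $this->user = new BackendUser($this->id);
    $this->authenticatedUser = BackendAuthentication::getUser();

    // create form
    $this->frm = new BackendForm('edit');

    // collect the ids of the user's active groups; start from an empty array
    // so the multi-checkbox below always receives an array (the original
    // left $checkedGroups undefined for a user without groups)
    $checkedGroups = array();
    foreach (BackendGroupsModel::getGroupsByUser($this->id) as $group) {
        $checkedGroups[] = $group['id'];
    }

    // profile
    $this->frm->addText('email', $this->record['email'], 255);
    if ($this->user->isGod()) {
        // god accounts keep their email; UI-level only, see class note
        $this->frm->getField('email')->setAttributes(array('disabled' => 'disabled'));
    }
    $this->frm->addText('name', $this->record['settings']['name'], 255);
    $this->frm->addText('surname', $this->record['settings']['surname'], 255);
    $this->frm->addText('nickname', $this->record['settings']['nickname'], 24);
    $this->frm->addImage('avatar');

    // password: only the user themself or a god user may set a new one
    $editingSelf = $this->authenticatedUser->getUserId() == $this->id;
    if ($editingSelf || $this->authenticatedUser->isGod()) {
        $this->frm->addPassword('new_password', null, 75);
        $this->frm->addPassword('confirm_password', null, 75);

        // keep browsers from caching the new password in form history
        $this->frm->getField('new_password')->setAttributes(array('autocomplete' => 'off'));
        $this->frm->getField('confirm_password')->setAttributes(array('autocomplete' => 'off'));
    }

    // settings
    $this->frm->addDropdown(
        'interface_language',
        BackendLanguage::getInterfaceLanguages(),
        $this->record['settings']['interface_language']
    );
    $this->frm->addDropdown(
        'date_format',
        BackendUsersModel::getDateFormats(),
        $this->user->getSetting('date_format')
    );
    $this->frm->addDropdown(
        'time_format',
        BackendUsersModel::getTimeFormats(),
        $this->user->getSetting('time_format')
    );
    $this->frm->addDropdown(
        'number_format',
        BackendUsersModel::getNumberFormats(),
        $this->user->getSetting('number_format', 'dot_nothing')
    );
    $this->frm->addDropDown(
        'csv_split_character',
        BackendUsersModel::getCSVSplitCharacters(),
        $this->user->getSetting('csv_split_character')
    );
    $this->frm->addDropDown(
        'csv_line_ending',
        BackendUsersModel::getCSVLineEndings(),
        $this->user->getSetting('csv_line_ending')
    );

    // permissions
    $this->frm->addCheckbox('active', $this->record['active'] == 'Y');

    // a user can't deactivate their own account from this form (UI-level only)
    if ($this->authenticatedUser->getUserId() == $this->record['id']) {
        $this->frm->getField('active')->setAttribute('disabled', 'disabled');
    }

    $hasApiAccess = isset($this->record['settings']['api_access'])
        && $this->record['settings']['api_access'] == 'Y';
    $this->frm->addCheckbox('api_access', $hasApiAccess);

    $this->frm->addMultiCheckbox('groups', BackendGroupsModel::getAll(), $checkedGroups);
}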
/**
 * Build the stored ("encrypted") form of a password for the user with the
 * given email.
 *
 * The user's per-account key (setting "password_key") is looked up by email
 * and combined with the plaintext password through getEncryptedString().
 *
 * @param string $email The email address identifying the user.
 * @param string $password The plaintext password.
 * @return string|false The encrypted string, or false when no user has this email.
 */
public static function getEncryptedPassword($email, $password)
{
    $userId = BackendUsersModel::getIdByEmail((string) $email);

    // unknown email: there is no key to derive anything from
    if ($userId === false) {
        return false;
    }

    $account = new BackendUser($userId);
    $passwordKey = $account->getSetting('password_key');

    return (string) self::getEncryptedString((string) $password, $passwordKey);
}
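/**
 * Execute the action: restore a soft-deleted user identified by the "email"
 * request parameter and redirect to its edit page.
 *
 * A missing parameter or a failed undoDelete() redirects to the index with
 * error=non-existing. The action never renders output itself.
 */
public function execute()
{
    $email = $this->getParameter('email', 'string');

    // no email given: nothing to restore
    if ($email === null) {
        $this->redirect(BackendModel::createURLForAction('index') . '&error=non-existing');
        return;
    }

    parent::execute();

    if (!BackendUsersModel::undoDelete($email)) {
        $this->redirect(BackendModel::createURLForAction('index') . '&error=non-existing');
        return;
    }

    // restored; load the user to build the redirect target
    $user = new BackendUser(null, $email);
    $userId = $user->getUserId();

    // the nickname is a user-controlled setting: url-encode it so characters
    // like "&" or "#" can't break or extend the query string
    $this->redirect(
        BackendModel::createURLForAction('edit')
        . '&id=' . $userId
        . '&report=restored'
        . '&var=' . urlencode((string) $user->getSetting('nickname'))
        . '&highlight=row-' . $userId
    );
}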
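/**
 * Execute the action: delete the user identified by the "id" request parameter.
 *
 * Refuses (redirect with error=non-existing) when the id is missing, unknown,
 * or belongs to the currently authenticated user, and (error=cant-delete-god)
 * when the target is a god user. On success fires the module's "after_delete"
 * event and redirects to the index.
 */
public function execute()
{
    $this->id = $this->getParameter('id', 'int');

    // the target must exist and must not be the user performing the delete
    $deletable = $this->id !== null
        && BackendUsersModel::exists($this->id)
        && BackendAuthentication::getUser()->getUserId() != $this->id;

    if (!$deletable) {
        $this->redirect(BackendModel::createURLForAction('index') . '&error=non-existing');
        return;
    }

    parent::execute();

    $user = new BackendUser($this->id);

    // god users can't be deleted; return explicitly so the delete below can
    // never run even if redirect() ever returns instead of exiting
    if ($user->isGod()) {
        $this->redirect(BackendModel::createURLForAction('index') . '&error=cant-delete-god');
        return;
    }

    BackendUsersModel::delete($this->id);

    BackendModel::triggerEvent($this->getModule(), 'after_delete', array('id' => $this->id));

    // the nickname is a user-controlled setting: url-encode it for the query string
    $this->redirect(
        BackendModel::createURLForAction('index')
        . '&report=deleted&var=' . urlencode((string) $user->getSetting('nickname'))
    );
}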
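/**
 * Default API authentication.
 *
 * Reads email, nonce and secret (GET first, POST as fallback) and accepts the
 * request when secret equals getEncryptedString(email . api_key, nonce) for
 * the user with that email, where api_key is the per-user setting handed out
 * by getAPIKey().
 *
 * Security notes:
 *  - Every account, god users included, must present a valid secret. The
 *    previous version returned true for god users on the email alone, which
 *    let anyone who knew a god user's email use the API. God users are now
 *    only exempt from the api_access flag, not from authentication, and need
 *    an api_key like everyone else.
 *  - An account without an api_key is refused: otherwise the expected secret
 *    would be derived from the email alone, which anyone can compute.
 *  - The secret comparison is constant-time (hash_equals).
 *  - The nonce is only mixed into the hash; nothing here records used nonces,
 *    so replay of a captured (nonce, secret) pair is not prevented by this
 *    method.
 *
 * @return bool true when authenticated; on failure self::output() is called
 *              with BAD_REQUEST/FORBIDDEN and is expected not to return.
 */
public static function authorize()
{
    // GET takes precedence, POST is the fallback
    $email = SpoonFilter::getGetValue('email', null, '');
    $nonce = SpoonFilter::getGetValue('nonce', null, '');
    $secret = SpoonFilter::getGetValue('secret', null, '');

    if ($email == '') {
        $email = SpoonFilter::getPostValue('email', null, '');
    }
    if ($nonce == '') {
        $nonce = SpoonFilter::getPostValue('nonce', null, '');
    }
    if ($secret == '') {
        $secret = SpoonFilter::getPostValue('secret', null, '');
    }

    // all three are required
    if ($email == '') {
        self::output(self::BAD_REQUEST, array('message' => 'No email-parameter provided.'));
    }
    if ($nonce == '') {
        self::output(self::BAD_REQUEST, array('message' => 'No nonce-parameter provided.'));
    }
    if ($secret == '') {
        self::output(self::BAD_REQUEST, array('message' => 'No secret-parameter provided.'));
    }

    // BackendUser presumably throws for an unknown email (the other API
    // methods in this file catch it); answer with the generic message so
    // valid emails can't be enumerated through this endpoint
    try {
        $user = new BackendUser(null, $email);
    } catch (Exception $e) {
        self::output(self::FORBIDDEN, array('message' => 'Can\'t authenticate you.'));
    }

    // god users bypass the api_access flag only; everyone else needs it
    if (!$user->isGod() && !$user->getSetting('api_access', false)) {
        self::output(self::FORBIDDEN, array('message' => 'Your account isn\'t allowed to use the API. Contact an administrator.'));
    }

    // no key means no usable shared secret; refuse rather than accept a hash
    // of the email alone
    $apiKey = $user->getSetting('api_key');
    if ($apiKey === null || $apiKey === '') {
        self::output(self::FORBIDDEN, array('message' => 'No API key configured for this account.'));
    }

    // expected secret for this request
    $hash = (string) BackendAuthentication::getEncryptedString($email . $apiKey, $nonce);

    // constant-time comparison of the caller-supplied secret
    if (!hash_equals($hash, (string) $secret)) {
        self::output(self::FORBIDDEN, array('message' => 'Invalid secret.'));
    }

    return true;
}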
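/**
 * Get the HTML for a user to use in a datagrid.
 *
 * Renders the user's avatar (linked to the edit action when the current user
 * is allowed to edit users) and the nickname linked to the edit action.
 *
 * Both the avatar filename and the nickname are user-editable settings
 * (the nickname via the edit form, the avatar via upload), so they are
 * HTML-escaped here before landing in attribute and text context; the
 * previous version emitted them raw, allowing stored XSS against anyone
 * viewing the users datagrid.
 *
 * @param int $id The id of the user.
 * @return string
 */
public static function getUser($id)
{
    $id = (int) $id;

    $user = new BackendUser($id);

    // escape the user-controlled settings for the HTML contexts they land in
    $avatar = htmlspecialchars((string) $user->getSetting('avatar', 'no-avatar.gif'), ENT_QUOTES, 'UTF-8');
    $nickname = htmlspecialchars((string) $user->getSetting('nickname'), ENT_QUOTES, 'UTF-8');
    $allowed = BackendAuthentication::isAllowedAction('edit', 'users');

    // $id is an int, so the url is safe to embed as built
    $editUrl = BackendModel::createURLForAction('edit', 'users') . '&id=' . $id;

    $html = '<div class="dataGridAvatar">' . "\n";
    $html .= '	<div class="avatar av24">' . "\n";
    if ($allowed) {
        $html .= '		<a href="' . $editUrl . '">' . "\n";
    }
    $html .= '			<img src="' . FRONTEND_FILES_URL . '/backend_users/avatars/32x32/' . $avatar . '" width="24" height="24" alt="' . $nickname . '" />' . "\n";
    if ($allowed) {
        $html .= '		</a>' . "\n";
    }
    $html .= '	</div>';
    $html .= '	<p><a href="' . $editUrl . '">' . $nickname . '</a></p>' . "\n";
    $html .= '</div>';

    return $html;
}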
/**
 * Update the user password.
 *
 * Stores getEncryptedString($password, password_key) in users.password for
 * the given user and then clears any pending reset-password settings, which
 * are stale once the password has changed.
 *
 * NOTE(review): the stored form is whatever getEncryptedString() produces
 * with the per-user "password_key"; that helper is not visible here, so
 * whether it is a slow, salted password hash (password_hash-equivalent)
 * can't be confirmed from this excerpt.
 *
 * @param BackendUser $user An instance of BackendUser.
 * @param string $password The new password for the user.
 */
public static function updatePassword(BackendUser $user, $password)
{
    $userId = $user->getUserId();
    $encrypted = BackendAuthentication::getEncryptedString(
        (string) $password,
        $user->getSetting('password_key')
    );

    // parameterised update on the user's row
    BackendModel::getDB(true)->update('users', array('password' => $encrypted), 'id = ?', $userId);

    self::deleteResetPasswordSettings($userId);
}
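/**
 * Remove a device from a user.
 *
 * Requires a successful API::authorize(); then drops $uri from the user's
 * "microsoft_channel_uri" setting when it is present. An unknown uri is a
 * no-op.
 *
 * NOTE(review): authorize() authenticates the email it reads from the
 * request itself, while this method receives $email as a parameter. Whether
 * the two are guaranteed to be the same value depends on the API dispatcher,
 * which is not in this excerpt; if they can differ, an authenticated caller
 * could edit another user's device list.
 *
 * @param string $uri The uri of the channel opened for the device.
 * @param string $email The emailaddress of the user the device is linked to.
 */
public static function microsoftRemovedevice($uri, $email)
{
    if (!API::authorize()) {
        return;
    }

    $uri = (string) $uri;
    $email = (string) $email;

    if ($uri == '') {
        API::output(API::BAD_REQUEST, array('message' => 'No uri-parameter provided.'));
    }
    if ($email == '') {
        API::output(API::BAD_REQUEST, array('message' => 'No email-parameter provided.'));
    }

    try {
        $user = new BackendUser(null, $email);

        $uris = (array) $user->getSetting('microsoft_channel_uri');

        // strict search: a loose == would treat numeric-looking strings
        // ("1e3" vs "1000") as equal
        $index = array_search($uri, $uris, true);
        if ($index !== false) {
            unset($uris[$index]);
            $user->setSetting('microsoft_channel_uri', $uris);
        }
    } catch (Exception $e) {
        API::output(API::FORBIDDEN, array('message' => 'Can\'t authenticate you.'));
    }
}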
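/**
 * Get the API-key for a user.
 *
 * Authenticates the email/password pair through BackendAuthentication::loginUser(),
 * requires the account's api_access setting, and returns the account's api_key,
 * generating one on first use.
 *
 * The key is a bearer credential: authorize() accepts any request whose secret
 * is derived from it. It therefore has to be unpredictable, so it is drawn
 * from the CSPRNG (128 bits, hex-encoded). The previous version used uniqid(),
 * which is derived from the current time and is guessable.
 *
 * @param string $email The emailaddress for the user.
 * @param string $password The password for the user.
 * @return array array('api_key' => string)
 */
public static function getAPIKey($email, $password)
{
    $email = (string) $email;
    $password = (string) $password;

    if ($email == '') {
        API::output(API::BAD_REQUEST, array('message' => 'No email-parameter provided.'));
    }
    if ($password == '') {
        API::output(API::BAD_REQUEST, array('message' => 'No password-parameter provided.'));
    }

    // unknown email and wrong password get the same message
    try {
        $user = new BackendUser(null, $email);
    } catch (Exception $e) {
        API::output(API::FORBIDDEN, array('message' => 'Can\'t authenticate you.'));
    }

    // credential check (loginUser may also start a backend session)
    if (!BackendAuthentication::loginUser($email, $password)) {
        API::output(API::FORBIDDEN, array('message' => 'Can\'t authenticate you.'));
    }

    if (!$user->getSetting('api_access', false)) {
        API::output(API::FORBIDDEN, array('message' => 'Your account isn\'t allowed to use the API. Contact an administrator.'));
    }

    // create the key once, from the CSPRNG
    $apiKey = $user->getSetting('api_key', null);
    if ($apiKey === null || $apiKey === '') {
        $user->setSetting('api_key', bin2hex(random_bytes(16)));
    }

    return array('api_key' => $user->getSetting('api_key'));
}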