/**
 * Validates the "identifier" submitted to Users/user.
 * The identifier must look like an email address and/or a mobile number,
 * depending on the accepted types. Those come from the "identifierType"
 * request parameter, falling back to the Users/login/identifierType config
 * (default "email,mobile").
 * NOTE(review): identifierType is read from the request, so a client can
 * choose a type other than the configured default — confirm this is intended.
 * @throws {Q_Exception_FailedValidation} if the nonce is invalid
 * @throws {Q_Exception} if the identifier is missing or is not of an accepted type
 */
function Users_user_validate()
{
    Q_Valid::nonce(true);
    $typeList = isset($_REQUEST['identifierType'])
        ? $_REQUEST['identifierType']
        : Q_Config::get("Users", "login", "identifierType", "email,mobile");
    $types = explode(',', $typeList);

    // Defaults describe the mixed case: either kind of identifier is fine.
    $acceptMobile = true;
    $expected = 'email address or mobile number';
    $fields = array('emailAddress', 'mobileNumber', 'identifier');
    if (count($types) === 1 and $types[0] === 'email') {
        $expected = 'email address';
        $fields = array('emailAddress', 'identifier');
        $acceptMobile = false;
    } else if (count($types) === 1 and $types[0] === 'mobile') {
        $expected = 'mobile number';
        $fields = array('mobileNumber', 'identifier');
    }

    if (!isset($_REQUEST['identifier'])) {
        throw new Q_Exception("a valid {$expected} is required", $fields);
    }
    $identifier = $_REQUEST['identifier'];
    if (Q_Valid::email($identifier)) {
        // An email address passes in every mode, including "mobile" only.
        return;
    }
    // Not an email address: only a mobile number can still satisfy the check,
    // and only when mobile numbers are accepted at all.
    if (!$acceptMobile or !Q_Valid::phone($identifier)) {
        throw new Q_Exception("a valid {$expected} is required", $fields);
    }
}
/**
 * Validates requests to Streams/invite.
 * PUT requests are not checked here at all. Every other non-GET request must
 * carry a valid nonce; a POST must additionally carry non-empty "publisherId"
 * and "streamName" fields. Whenever "fullName" is present, its length must lie
 * within the Streams/inputs/fullName lengthMin..lengthMax config range.
 * @throws {Q_Exception_FailedValidation} if the nonce is invalid
 * @throws {Q_Exception} if fullName is too short or too long
 */
function Streams_invite_validate()
{
    $method = Q_Request::method();
    if ($method === 'PUT') {
        return;
    }
    if ($method !== 'GET') {
        Q_Valid::nonce(true);
    }

    $required = array('publisherId', 'streamName');
    if ($method === 'POST') {
        // requireFields() presumably reports missing fields itself and
        // returns truthy when any are missing, so nothing more to check then
        if (Q_Valid::requireFields($required)) {
            return;
        }
        foreach ($required as $name) {
            if (strlen(trim($_REQUEST[$name])) === 0) {
                Q_Response::addError(new Q_Exception("{$name} can't be empty", $name));
            }
        }
    }

    if (!isset($_REQUEST['fullName'])) {
        return;
    }
    $fullName = $_REQUEST['fullName'];
    $lengthMin = Q_Config::get('Streams', 'inputs', 'fullName', 'lengthMin', 5);
    $lengthMax = Q_Config::get('Streams', 'inputs', 'fullName', 'lengthMax', 30);
    // strlen() counts bytes, so multi-byte names reach the limits sooner
    if (strlen($fullName) < $lengthMin) {
        throw new Q_Exception("A user's full name can't be that short.", 'fullName');
    }
    if (strlen($fullName) > $lengthMax) {
        throw new Q_Exception("A user's full name can't be that long.", 'fullName');
    }
}
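/**
 * Validates the fields posted to Users/account.
 * Posted-but-empty fields and an invalid birthday are reported through
 * Q_Response::addError; while $Q_installing is set, a submitted username is
 * also handed to the Users/validate/username event, whose exception (if any)
 * is reported the same way.
 * @throws {Q_Exception_FailedValidation} if the nonce is invalid
 */
function Users_account_validate()
{
    Q_Valid::nonce(true);

    // Read the request values explicitly rather than extract($_REQUEST):
    // extract() would import every request parameter as a local variable,
    // so any variable this function uses could be overwritten by the client.
    $birthday_year = isset($_REQUEST['birthday_year']) ? $_REQUEST['birthday_year'] : null;
    $birthday_month = isset($_REQUEST['birthday_month']) ? $_REQUEST['birthday_month'] : null;
    $birthday_day = isset($_REQUEST['birthday_day']) ? $_REQUEST['birthday_day'] : null;
    $username = isset($_REQUEST['username']) ? $_REQUEST['username'] : null;

    $field_names = array(
        'firstName' => 'First name',
        'lastName' => 'Last name',
        'username' => 'Username',
        'gender' => 'Your gender',
        'desired_gender' => 'Gender preference',
        'orientation' => 'Orientation',
        'relationship_status' => 'Status',
        'zipcode' => 'Zipcode'
    );
    foreach ($field_names as $name => $label) {
        // only fields that were actually posted are checked; a falsy value is an error
        if (isset($_POST[$name]) and !$_POST[$name]) {
            Q_Response::addError(new Q_Exception_RequiredField(array('field' => $label), $name));
        }
    }

    if (isset($birthday_year)) {
        // checkdate() requires integers; the request values are strings and
        // month/day may be absent, so cast instead of risking a TypeError.
        if (!isset($birthday_month) or !isset($birthday_day)
        or !checkdate((int)$birthday_month, (int)$birthday_day, (int)$birthday_year)) {
            $field = 'Birthday';
            $range = 'a valid date';
            Q_Response::addError(new Q_Exception_WrongValue(compact('field', 'range'), 'birthday'));
        }
    }

    global $Q_installing;
    if (isset($username) and isset($Q_installing)) {
        try {
            Q::event('Users/validate/username', compact('username'));
        } catch (Exception $e) {
            Q_Response::addError($e);
        }
    }
}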
/**
 * Validates requests to Streams/interest.
 * Anything other than a GET must carry a valid nonce (CSRF protection);
 * GET requests pass without checks.
 * @param {array} $params not used here; part of the handler signature
 * @throws {Q_Exception_FailedValidation} if the nonce is missing or invalid
 */
function Streams_interest_validate($params)
{
    $isReadOnly = (Q_Request::method() === 'GET');
    if (!$isReadOnly) {
        Q_Valid::nonce(true);
    }
}
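/**
 * Handles POST to Users/account.
 * Starts the session, checks the nonce and requires a logged-in user.
 * The action itself is not implemented yet.
 * @throws {Q_Exception_FailedValidation} if the nonce is invalid
 * @throws {Users_Exception_NotLoggedIn} if nobody is logged in
 */
function Users_account_post()
{
    Q_Session::start();
    Q_Valid::nonce(true);
    // Request fields should be read explicitly once the action is written;
    // extract($_REQUEST) was dropped because it turns arbitrary client
    // parameters into local variables and nothing here used them.
    $user = Users::loggedInUser(true);
    // Implement the action
}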
/**
 * Validates requests to Streams/publisher.
 * Checks the nonce, then delegates to a type-specific
 * "Streams/validate/{type}" event when one is registered for the
 * requested stream type.
 * @param {array} $params passed through to the type-specific event
 * @return {mixed} the type-specific event's result, or null if there is none
 * @throws {Q_Exception_FailedValidation} if the nonce is missing or invalid
 */
function Streams_publisher_validate($params)
{
    // Protect against CSRF attacks:
    Q_Valid::nonce(true);
    $streamType = Streams::requestedType();
    if (!$streamType) {
        return;
    }
    // NOTE(review): the requested type is interpolated into the event name;
    // assumed Streams::requestedType() limits it to known types — confirm.
    $event = "Streams/validate/{$streamType}";
    if (Q::canHandle($event)) {
        return Q::event($event, $params);
    }
}
/**
 * Validates requests to Users/register: the nonce must be valid and the
 * "identifier", "username" and "icon" fields must all be present.
 * @throws {Q_Exception_FailedValidation} if the nonce is invalid
 * @throws {Q_Exception} naming the first field that is missing
 */
function Users_register_validate()
{
    Q_Valid::nonce(true);
    $required = array('identifier', 'username', 'icon');
    foreach ($required as $name) {
        if (isset($_REQUEST[$name])) {
            continue;
        }
        throw new Q_Exception("{$name} is missing", array($name));
    }
}
/**
 * Validates requests to Users/importContacts.
 * The nonce must be valid and the "provider" query parameter must name a
 * provider for which a "Users/importContacts/providers/{provider}" handler
 * is registered.
 * @throws {Q_Exception_FailedValidation} if the nonce is invalid
 * @throws {Q_Exception} if no provider is given or no handler exists for it
 */
function Users_importContacts_validate()
{
    Q_Valid::nonce(true);
    $provider = empty($_GET['provider']) ? null : $_GET['provider'];
    if ($provider === null) {
        throw new Q_Exception('No provider specified');
    }
    // The client-supplied name only selects among registered handlers;
    // canHandle() decides whether it is known.
    $handler = 'Users/importContacts/providers/' . $provider;
    if (!Q::canHandle($handler)) {
        // NOTE(review): the raw provider string is echoed in the message;
        // assumed the error rendering layer escapes it — confirm.
        throw new Q_Exception('Unsupported provider specified: ' . $provider);
    }
}
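/**
 * Post one or more fields here to change the corresponding basic streams
 * for the logged-in user. Fields can include:
 * "firstName": specify the first name directly
 * "lastName": specify the last name directly
 * "fullName": the user's full name, which if provided will be split into
 *   first and last name and override them
 * "gender": the user's gender
 * "birthday_year": the year the user was born
 * "birthday_month": the month the user was born
 * "birthday_day": the day the user was born
 *
 * Each submitted field is written to the logged-in user's
 * "Streams/user/{field}" stream, creating the stream when it does not exist
 * yet; a field whose value equals the current stream content is skipped.
 * Stream type and title are looked up in streams.json.
 * @throws {Q_Exception_FailedValidation} if the nonce is invalid
 * @throws {Users_Exception_NotLoggedIn} if nobody is logged in
 * @throws {Q_Exception} if streams.json lacks the type or title of a stream
 */
function Streams_basic_post()
{
    Q_Valid::nonce(true);
    $user = Users::loggedInUser(true);
    $request = $_REQUEST;

    // Combine the three birthday parts into one "YYYY-MM-DD" string. %d casts
    // the parts, so non-numeric input becomes 0 here; validating the date is
    // the job of the validate handler.
    if (!empty($request['birthday_year'])
    && !empty($request['birthday_month'])
    && !empty($request['birthday_day'])) {
        $request['birthday'] = sprintf(
            "%04d-%02d-%02d",
            $request['birthday_year'],
            $request['birthday_month'],
            $request['birthday_day']
        );
    }

    // A full name overrides any first/last name that was also submitted
    if (isset($request['fullName'])) {
        $name = Streams::splitFullName($request['fullName']);
        $request['firstName'] = $name['first'];
        $request['lastName'] = $name['last'];
    }

    $fields = array();
    foreach (array('firstName', 'lastName', 'birthday', 'gender') as $field) {
        if (isset($request[$field])) {
            $fields[] = $field;
        }
    }

    // Plugin config first, then the app's streams.json (loaded second, so it
    // presumably overrides matching entries).
    $p = new Q_Tree();
    $p->load(STREAMS_PLUGIN_CONFIG_DIR . DS . 'streams.json');
    $p->load(APP_CONFIG_DIR . DS . 'streams.json');

    $names = array();
    foreach ($fields as $field) {
        $names[] = "Streams/user/{$field}";
    }
    $streams = Streams::fetch($user, $user->id, $names);

    foreach ($fields as $field) {
        $name = "Streams/user/{$field}";
        $type = $p->get($name, "type", null);
        if (!$type) {
            throw new Q_Exception("Missing {$name} type", $field);
        }
        $title = $p->get($name, "title", null);
        if (!$title) {
            throw new Q_Exception("Missing {$name} title", $field);
        }
        $content = (string) $request[$field];
        // fetch() need not return an entry for a stream that doesn't exist yet;
        // indexing $streams[$name] directly would raise an undefined-index warning
        $stream = isset($streams[$name]) ? $streams[$name] : null;
        if ($stream and $stream->content === $content) {
            continue; // unchanged, nothing to write
        }
        if (!$stream) {
            $stream = new Streams_Stream();
            $stream->publisherId = $user->id;
            $stream->name = $name;
        }
        $messageType = $stream->wasRetrieved() ? 'Streams/changed' : 'Streams/created';
        $stream->content = $content;
        $stream->type = $type;
        $stream->title = $title;
        $stream->changed($user->id, $messageType);
    }
}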
/**
 * Validates requests to Streams/stream.
 * Non-GET requests must carry a valid nonce (CSRF protection). Afterwards,
 * if a handler is registered for "Streams/validate/{type}" for the requested
 * stream type, validation is delegated to it.
 * @param {array} $params passed through to the type-specific event
 * @return {mixed} the type-specific event's result, or null if there is none
 * @throws {Q_Exception_FailedValidation} if the nonce is missing or invalid
 */
function Streams_stream_validate($params)
{
    // Protect against CSRF attacks:
    $isReadOnly = (Q_Request::method() === 'GET');
    if (!$isReadOnly) {
        Q_Valid::nonce(true);
    }
    $streamType = Streams::requestedType();
    if (!$streamType) {
        return;
    }
    $event = "Streams/validate/{$streamType}";
    if (Q::canHandle($event)) {
        return Q::event($event, $params);
    }
}
/**
 * Validates requests to Users/login.
 * GET requests pass without checks; any other method needs a valid nonce
 * plus the "identifier" and "passphrase" fields.
 * @throws {Q_Exception_FailedValidation} if the nonce is invalid
 * @throws {Q_Exception} naming the first field that is missing
 */
function Users_login_validate()
{
    if (Q_Request::method() === 'GET') {
        return;
    }
    Q_Valid::nonce(true);
    foreach (array('identifier', 'passphrase') as $name) {
        if (isset($_REQUEST[$name])) {
            continue;
        }
        throw new Q_Exception("{$name} is missing", array($name));
    }
}
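/**
 * Handles PUT to Streams/access. Lets the owner of a stream change either
 * the stream's own access levels (when no grantee is given) or a single
 * Streams_Access row granting levels to a user ("ofUserId") or contact label
 * ("ofContactLabel").
 * Values are taken from $params merged over $_REQUEST, but only the names
 * listed in $fields are ever assigned.
 * NOTE(review): the level values themselves are not range-checked here;
 * assumed Streams_Access::save() / the schema constrain them — confirm.
 * @param {array} $params extra parameters; these override $_REQUEST
 * @throws {Users_Exception_NotLoggedIn} if nobody is logged in
 * @throws {Q_Exception_FailedValidation} if the nonce is invalid
 * @throws {Q_Exception_MissingRow} if fetchOne() finds no such stream for this user
 * @throws {Users_Exception_NotAuthorized} unless the user has the 'own' admin level
 */
function Streams_access_put($params)
{
    $user = Users::loggedInUser(true);
    Q_Valid::nonce(true);
    $publisherId = Streams::requestedPublisherId(true);
    $streamName = Streams::requestedName(true);
    $stream = Streams::fetchOne($user->id, $publisherId, $streamName);
    if (!$stream) {
        throw new Q_Exception_MissingRow(array(
            'table' => 'stream',
            'criteria' => 'with that name'
        ));
    }
    // Authorization: only an owner may change access
    if (!$stream->testAdminLevel('own')) {
        throw new Users_Exception_NotAuthorized();
    }

    $p = array_merge($_REQUEST, $params);
    // The single whitelist of assignable fields, shared by both branches below
    $fields = array('grantedByUserId', 'filter', 'readLevel', 'writeLevel', 'adminLevel', 'permissions');
    $copyFields = function ($target) use ($p, $fields) {
        foreach ($fields as $field) {
            if (isset($p[$field])) {
                $target->{$field} = $p[$field];
            }
        }
    };

    $access = new Streams_Access();
    $access->publisherId = $stream->publisherId;
    $access->streamName = $stream->name;
    // The grantee is read from the request only, not from $params
    $access->ofUserId = Q::ifset($_REQUEST, 'ofUserId', '');
    $access->ofContactLabel = Q::ifset($_REQUEST, 'ofContactLabel', '');

    if (empty($access->ofUserId) and empty($access->ofContactLabel)) {
        // No grantee: the stream's own levels are being changed
        $copyFields($stream);
        $stream->save();
        return;
    }

    $access->retrieve(); // load the existing row, if there is one
    $copyFields($access);
    // Fields neither stored nor submitted fall back to these
    $defaults = array(
        'grantedByUserId' => $user->id,
        'readLevel' => -1,
        'writeLevel' => -1,
        'adminLevel' => -1
    );
    foreach ($defaults as $k => $v) {
        if (!isset($access->{$k})) {
            $access->{$k} = $v;
        }
    }
    $access->save();
    Streams::$cache['access'] = $access;
}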
/**
 * Validates requests to Streams/register.
 * The nonce must be valid. A logged-in user only has to supply "fullName";
 * anyone else must also supply "identifier" and "icon". The full name's
 * length must lie within the Streams/inputs/fullName lengthMin..lengthMax
 * config range.
 * @throws {Q_Exception_FailedValidation} if the nonce is invalid
 * @throws {Q_Exception} naming a missing field, or if fullName is too short or long
 */
function Streams_register_validate()
{
    Q_Valid::nonce(true);
    $required = Users::loggedInUser()
        ? array('fullName')
        : array('identifier', 'fullName', 'icon');
    foreach ($required as $name) {
        if (!isset($_REQUEST[$name])) {
            throw new Q_Exception("{$name} is missing", array($name));
        }
    }

    $lengthMin = Q_Config::get('Streams', 'inputs', 'fullName', 'lengthMin', 5);
    $lengthMax = Q_Config::get('Streams', 'inputs', 'fullName', 'lengthMax', 30);
    // strlen() counts bytes, so multi-byte names reach the limits sooner
    $length = strlen($_REQUEST['fullName']);
    if ($length < $lengthMin) {
        throw new Q_Exception("Your full name can't be that short.", 'fullName');
    }
    if ($length > $lengthMax) {
        throw new Q_Exception("Your full name can't be that long.", 'fullName');
    }
}
/**
 * Handles POST to Users/activate: optionally stores a passphrase for the user
 * held in Users::$cache, then activates the email address or mobile number
 * that an earlier handler placed there.
 * Relies on Users::$cache containing 'user' and, for an activation, 'type'
 * plus 'email' or 'mobile'. They are pulled out with EXTR_IF_EXISTS, so only
 * the four locals declared below can be overwritten.
 * NOTE(review): $user is dereferenced without a null check; assumed the
 * validate handler always populates Users::$cache['user'] — confirm.
 * @throws {Q_Exception_FailedValidation} if the nonce is invalid
 * @throws {Q_Exception} for a blank passphrase, a rejected isHashed value,
 *  or if no passphrase hash ends up stored
 */
function Users_activate_post()
{
    Q_Valid::nonce(true);
    $email = $mobile = $type = $user = null;
    extract(Users::$cache, EXTR_IF_EXISTS);
    if (isset($_REQUEST['passphrase'])) {
        if (empty($_REQUEST['passphrase'])) {
            throw new Q_Exception("You can't set a blank passphrase.", 'passphrase');
        }
        $isHashed = !empty($_REQUEST['isHashed']);
        // $isHashed is a bool here, so "$isHashed !== 'true'" is always true when
        // it is set; effectively any isHashed whose intval() exceeds 1 is rejected
        if ($isHashed and $isHashed !== 'true' and intval($_REQUEST['isHashed']) > 1) {
            // this will let us introduce other values for isHashed in the future
            throw new Q_Exception("Please set isHashed to 0 or 1", 'isHashed');
        }
        // Save the pass phrase even if there may be a problem adding an email later.
        // At least the user will be able to log in.
        $user->passphraseHash = $user->computePassphraseHash($_REQUEST['passphrase'], $isHashed);
        Q_Response::setNotice("Users/activate/passphrase", "Your pass phrase has been saved.", true);
        // Log the user in, since they were able to set the passphrase
        Users::setLoggedInUser($user); // This also saves the user.
        if (empty($user->passphraseHash)) {
            throw new Q_Exception("Please set a pass phrase on your account", 'passphrase', true);
        }
    }
    if ($type) {
        // $type is a label chosen by an earlier handler; "==" is loose, assumed
        // it is always a plain string here — confirm
        if ($type == 'email address') {
            $user->setEmailAddress($email->address); // may throw exception
        } else {
            if ($type == 'mobile number') {
                $user->setMobileNumber($mobile->number); // may throw exception
            }
        }
        // Log the user in, since they have just added an email to their account
        Users::setLoggedInUser($user); // This also saves the user.
        Q_Response::removeNotice('Users/activate/objects');
        Q_Response::setNotice("Users/activate/activated", "Your {$type} has been activated.", true);
    }
    // Flags for whatever runs later in this request (presumably a response handler)
    Users::$cache['passphrase_set'] = true;
    Users::$cache['success'] = true;
}
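/**
 * Validates the fields posted to Streams/basic.
 * Only POST requests are checked (after the nonce). "fullName" must fit the
 * Streams/inputs/fullName length range; if any birthday part is present all
 * three are required and must form a real date for a person between 13 and
 * 100 years old; "gender" must be "male" or "female". Problems are reported
 * through Q_Response::addError, except a missing birthday part which throws.
 * @throws {Q_Exception_FailedValidation} if the nonce is invalid
 * @throws {Q_Exception_RequiredField} if only some of the birthday parts were sent
 */
function Streams_basic_validate()
{
    Q_Valid::nonce(true);
    if (Q_Request::method() !== 'POST') {
        return;
    }
    $fields = array(
        'firstName' => 'First name',
        'lastName' => 'Last name',
        'gender' => 'Gender',
        'birthday_month' => 'Month',
        'birthday_day' => 'Day',
        'birthday_year' => 'Year'
    );

    if (isset($_REQUEST['fullName'])) {
        $length_min = Q_Config::get('Streams', 'inputs', 'fullName', 'lengthMin', 5);
        $length_max = Q_Config::get('Streams', 'inputs', 'fullName', 'lengthMax', 30);
        // strlen() counts bytes, so multi-byte names reach the limits sooner
        if (strlen($_REQUEST['fullName']) < $length_min) {
            Q_Response::addError(new Q_Exception("Your full name can't be that short.", 'fullName'));
        }
        if (strlen($_REQUEST['fullName']) > $length_max) {
            Q_Response::addError(new Q_Exception("Your full name can't be that long.", 'fullName'));
        }
    }
    if (Q_Response::getErrors()) {
        return;
    }

    if (!empty($_REQUEST['birthday_month'])
    or !empty($_REQUEST['birthday_day'])
    or !empty($_REQUEST['birthday_year'])) {
        foreach (array('birthday_month', 'birthday_day', 'birthday_year') as $field) {
            if (empty($_REQUEST[$field]) or !trim($_REQUEST[$field])) {
                throw new Q_Exception_RequiredField(compact('field'), $field);
            }
        }
        // Request values are strings; checkdate() needs ints and would throw a
        // TypeError on non-numeric input, so cast first (bad input becomes 0,
        // which checkdate() rejects).
        $month = (int)$_REQUEST['birthday_month'];
        $day = (int)$_REQUEST['birthday_day'];
        $year = (int)$_REQUEST['birthday_year'];
        $thisYear = (int)date('Y');
        if (!checkdate($month, $day, $year)) {
            Q_Response::addError(new Q_Exception("Not a valid date", "birthday_day"));
        }
        if ($year > $thisYear - 13) {
            // compliance with COPPA
            Q_Response::addError(new Q_Exception("You're still a kid.", "birthday_year"));
        }
        if ($year < $thisYear - 100) {
            Q_Response::addError(new Q_Exception("A world record? Really?", "birthday_year"));
        }
    }

    if (!empty($_REQUEST['gender'])) {
        // strict comparison: only these exact strings are accepted
        if (!in_array($_REQUEST['gender'], array('male', 'female'), true)) {
            Q_Response::addError(new Q_Exception("Please enter male or female", "gender"));
        }
    }
}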
/**
 * Used internally, by event handlers, to see if the requested URI is listed
 * in the Q/web/requireValidNonce config and, if so, to require that a valid
 * nonce was submitted (CSRF protection). Each config entry is "module" or
 * "module/action"; an entry without an action matches every action of that
 * module. The first matching entry wins.
 * @see Q_Valid::nonce
 * @method requireValidNonce
 * @static
 * @return {mixed} the result of Q_Valid::nonce(true) when the URI matched
 *  an entry; null when it matched none (no check is performed then)
 * @throws {Q_Exception_FailedValidation} if the URI matched and the nonce is invalid
 */
static function requireValidNonce()
{
    $entries = Q_Config::get('Q', 'web', 'requireValidNonce', array());
    $uri = Q_Dispatcher::uri();
    foreach ($entries as $entry) {
        // pad so a bare "module" entry yields a null action
        list($module, $action) = array_pad(explode('/', $entry), 2, null);
        if ($module !== $uri->module) {
            continue;
        }
        if ($action !== null and $action !== $uri->action) {
            continue;
        }
        return Q_Valid::nonce(true);
    }
}
/**
 * Validates requests to Streams/participant: every request, regardless of
 * method, must carry a valid nonce (CSRF protection).
 * @throws {Q_Exception_FailedValidation} if the nonce is missing or invalid
 */
function Streams_participant_validate()
{
    Q_Valid::nonce(true);
}
/**
 * Validates requests to Streams/publish: every request, regardless of
 * method, must carry a valid nonce (CSRF protection).
 * @throws {Q_Exception_FailedValidation} if the nonce is missing or invalid
 */
function Streams_publish_validate()
{
    Q_Valid::nonce(true);
}
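/**
 * Get the logged-in user's information
 * @method loggedInUser
 * @static
 * @param {boolean} [$throwIfNotLoggedIn=false]
 *  Whether to throw a Users_Exception_NotLoggedIn if no user is logged in.
 * @param {boolean} [$startSession=true]
 *  Whether to start a PHP session if one doesn't already exist.
 * @return {Users_User|null} null when there is no session (and $startSession
 *  is false), the nonce check fails, the session holds no user id, or the
 *  user row cannot be fetched — unless $throwIfNotLoggedIn is true
 * @throws {Users_Exception_NotLoggedIn} If user is not logged in and
 *  $throwIfNotLoggedIn is true
 */
static function loggedInUser($throwIfNotLoggedIn = false, $startSession = true)
{
    if ($startSession === false and !Q_Session::id()) {
        return null;
    }
    Q_Session::start();
    // The nonce counts as good if it was already set during this request;
    // otherwise it is validated now (Q_Valid::nonce may throw when its first
    // argument is true). This must be "||", not "or": "or" binds weaker than
    // "=", so with "or" $nonce only ever held Q_Session::$nonceWasSet and the
    // result of Q_Valid::nonce() was discarded.
    $nonce = Q_Session::$nonceWasSet || Q_Valid::nonce($throwIfNotLoggedIn, true);
    if (!$nonce or !isset($_SESSION['Users']['loggedInUser']['id'])) {
        if ($throwIfNotLoggedIn) {
            throw new Users_Exception_NotLoggedIn();
        }
        return null;
    }
    $id = $_SESSION['Users']['loggedInUser']['id'];
    $user = Users_User::fetch($id);
    // A session id whose user row no longer exists is treated as not logged in
    if (!$user and $throwIfNotLoggedIn) {
        throw new Users_Exception_NotLoggedIn();
    }
    return $user;
}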
/**
 * Validates requests to Users/contact by checking the nonce and then
 * reusing the "Users/user/validate" event (presumably Users_user_validate,
 * which checks the submitted identifier).
 * @return {mixed} whatever the Users/user/validate event returns
 * @throws {Q_Exception_FailedValidation} if the nonce is missing or invalid
 */
function Users_contact_validate()
{
    Q_Valid::nonce(true);
    $result = Q::event('Users/user/validate');
    return $result;
}