token() public static method

public static token ( )
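 public function action_index()
 {
     // Renders the "forgot password" form and, on POST, records a recovery
     // attempt for the given e-mail and mails a link carrying a one-time hash.
     $view = View::factory('forgot_password');
     $this->template->content = $view->render();
     if ($this->request->method() !== Request::POST) {
         return;
     }
     $email = $this->request->post('email');
     $user = new Model_User();
     $password_recovery = new Model_Password_Recovery();
     // NOTE(review): answering differently for unknown addresses lets a caller
     // learn which e-mails are registered; a uniform response would avoid that.
     if ($user->unique_email($email) === true) {
         throw new Exception("Email is not correct!");
     }
     $user_id = $user->get_id($email);
     // The recovery secret must be unguessable by whoever submitted the form.
     // The original derived it from the session CSRF token, a value the
     // requester's own session already exposes in every form, so the mailed
     // hash could be computed without access to the mailbox. Use fresh CSPRNG
     // bytes instead; sha1() keeps the stored value at the same 40-hex-char size.
     $random = function_exists('random_bytes')
         ? random_bytes(32)
         : openssl_random_pseudo_bytes(32);
     $hash = sha1($random);
     $view_for_message = View::factory('forgot_password/send_email');
     $view_for_message->user_id = $user_id;
     $view_for_message->hash = $hash;
     if (!$password_recovery->create_attemp($email, $user_id, $hash)) {
         throw new Exception("Cannot create attemp!");
     }
     Email::connect();
     $to = array($email);
     $from = array('user@localhost', 'admin');
     $subject = 'Password recovery';
     $message = $view_for_message->render();
     if (!Email::send($to, $from, $subject, $message, true)) {
         // Email::send() returned a falsy value; interpolating it (as the
         // original did) only appended an empty string to the message.
         throw new Exception("Cannot send email!");
     }
     $this->redirect('/');
 }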
 /**
  * Tests Security::token()
  *
  * @test
  * @dataProvider provider_csrf_token
  * @covers Security::token
  */
 public function test_csrf_token($expected, $input, $iteration)
 {
     // Every data-set gets its own session key so iterations cannot observe each other's token.
     $name = sprintf('token_%s', $iteration);
     Security::$token_name = $name;
     $this->assertSame(TRUE, $input);
     $this->assertSame($expected, Security::token(FALSE));
     // Drop the session entry so the next iteration starts without a stored token.
     Session::instance()->delete($name);
 }
 public function action_spam()
 {
     // Toggles the "spam" flag on a feedback question. GET renders the
     // confirmation form; a POST carrying a valid CSRF token performs the toggle.
     $id = (int) $this->request->param('id', 0);
     $question = ORM::factory('Feedback_Question', $id);
     $moderator_id = $this->user->id;
     if (!$question->loaded()) {
         $this->redirect('manage/feedback');
     }
     $posted_token = Arr::get($_POST, 'token', false);
     // NOTE(review): 'r' is taken from the query string and later handed to
     // redirect(); xss_clean() does not restrict it to a local path — confirm
     // that redirect() rejects off-site values.
     $return = Security::xss_clean(Arr::get($_GET, 'r', 'manage/expert'));
     $this->set('return', Url::media($return));
     $confirmed = $this->request->method() == Request::POST && Security::token() === $posted_token;
     if ($confirmed) {
         // Flip between 0 and 1.
         $question->is_spam = ($question->is_spam + 1) % 2;
         $question->spam_mod_id = $moderator_id;
         $question->save();
         $notice = $question->is_spam == 1
             ? 'The question is marked as spam'
             : 'Marked "Spam" is removed from the question';
         Message::success(i18n::get($notice));
         $this->redirect($return);
     } elseif ($question->loaded()) {
         $this->set('question', $question)->set('token', Security::token(true));
     } else {
         $this->redirect('manage/expert');
     }
 }
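 public function action_delete()
 {
     // Deletes an expert together with all of their opinions, then sends the
     // moderator back to a page of the expert list that still exists.
     $id = (int) $this->request->param('id', 0);
     $expert = ORM::factory('Expert', $id);
     if (!$expert->loaded()) {
         $this->redirect('manage/expert');
     }
     $token = Arr::get($_POST, 'token', false);
     if ($this->request->method() == Request::POST && Security::token() === $token) {
         // Remove the dependent rows first so a failure part-way through does
         // not leave opinions pointing at an expert that no longer exists.
         $opinions = ORM::factory('Expert_Opinion')->where('expert_id', '=', $id)->find_all();
         foreach ($opinions as $opinion) {
             // Each row from find_all() is already a loaded model; the original
             // re-fetched every one by id before deleting, doubling the queries.
             $opinion->delete();
         }
         $expert->delete();
         // Re-count pages after the delete so the redirect never lands past the end.
         $list = ORM::factory('Expert');
         $paginate = Paginate::factory($list);
         $list->find_all(); // result unused; kept as in the original
         $last_page = $paginate->page_count();
         if ($this->page > $last_page) {
             $this->page = $this->page - 1;
         }
         if ($this->page <= 0) {
             $this->page = 1;
         }
         Message::success(i18n::get('Judge and all his positions removed'));
         $this->redirect('manage/expert/page-' . $this->page);
     } else {
         $this->set('expert', $expert)->set('token', Security::token(true))->set('cancel_url', Url::media('manage/expert/page-' . $this->page));
     }
 }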
 public function action_delete()
 {
     // Removes one expert opinion (logging the deletion first) and returns the
     // moderator to a still-valid page of the opinion list; GET shows the form.
     $id = (int) $this->request->param('id', 0);
     $opinion = ORM::factory('Expert_Opinion', $id);
     if (!$opinion->loaded()) {
         $this->redirect('manage/expertopinions');
     }
     $posted_token = Arr::get($_POST, 'token', false);
     $confirmed = $this->request->method() == Request::POST && Security::token() === $posted_token;
     if (!$confirmed) {
         $fresh_token = Security::token(true);
         $cancel = Url::media('manage/expertopinions/page-' . $this->page);
         $this->set('item', $opinion)
             ->set('token', $fresh_token)
             ->set('cancel_url', $cancel);
         return;
     }
     $log = new Loger('delete', $opinion->title);
     $log->logThis($opinion);
     $opinion->delete();
     // Re-count pages after the delete so the redirect never lands past the end.
     $list = ORM::factory('Expert_Opinion');
     $paginate = Paginate::factory($list);
     $list = $list->find_all();
     $last_page = $paginate->page_count();
     if ($this->page > $last_page) {
         $this->page -= 1;
     }
     if ($this->page <= 0) {
         $this->page = 1;
     }
     Message::success(i18n::get('The position of the expert removed'));
     $this->redirect('manage/expertopinions/page-' . $this->page);
 }
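 public function before()
 {
     // Common request set-up: language detection, page metadata, the CSRF
     // token, a language-stripped return URL and the current user — each
     // exposed to the views under a leading-underscore name.
     parent::before();
     // detecting language, setting it
     $this->detect_language();
     $this->set('_language', $this->language);
     // creating and attaching page metadata
     $this->metadata = new Model_Metadata();
     $this->metadata->title(__(Application::instance()->get('title')), false);
     $this->set('_metadata', $this->metadata);
     // TODO: no request-wide CSRF check is done here yet (a commented-out draft
     // compared $_POST['token'] with Security::token() and threw a 403). Until
     // it is, every state-changing action has to verify the token itself.
     $this->set('_token', Security::token());
     // Handles return urls, cropping language out of it (will be appended by url.site at redirect time)
     $segments = explode('/', trim(Request::initial()->uri(), '/'));
     // Strict comparison: the first path segment is a string and must match a
     // configured language code exactly rather than compare loosely equal.
     if (in_array($segments[0], Application::instance()->get('language.list'), true)) {
         array_shift($segments);
     }
     $this->set('_return', implode('/', $segments));
     // detecting if user is logged in
     $auth = Auth::instance();
     if (method_exists($auth, 'auto_login')) {
         $auth->auto_login();
     }
     $this->user = $auth->get_user();
     $this->set('_user', $this->user);
 }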
 public function action_index()
 {
     // Builds the chat page: title/description for the layout, a fresh CSRF
     // token shared with every view, and the message list plus send-form partials.
     $layout = $this->template;
     $layout->title = 'Chat';
     $layout->description = 'Asynchronous chat';
     View::set_global('_token', Security::token(true));
     $layout->messages = View::factory('messages');
     $layout->send_message_form = View::factory('send_message_form');
 }
 /**
  * Tests Security::token()
  *
  * @test
  * @dataProvider provider_csrf_token
  * @covers Security::token
  */
 public function test_csrf_token($expected, $input, $iteration)
 {
     //@todo: the Security::token tests need to be reviewed to check how much of the logic they're actually covering
     // Every data-set gets its own session key so iterations cannot observe each other's token.
     $name = sprintf('token_%s', $iteration);
     Security::$token_name = $name;
     $this->assertSame(TRUE, $input);
     $this->assertSame($expected, Security::token(FALSE));
     // Drop the session entry so the next iteration starts without a stored token.
     Session::instance()->delete($name);
 }
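 /**
  * Form Component
  *
  * Prints the sandbox settings form: a template chooser with one entry per
  * *.template.php file reported by Themes::getTemplates(), a save button,
  * and a hidden CSRF field.
  */
 public static function formComponent()
 {
     // Start from an empty map so an empty template list does not leave
     // $templates undefined (and hand null to Form::select()).
     $templates = array();
     foreach (Themes::getTemplates() as $template) {
         $name = basename($template, '.template.php');
         $templates[$name] = $name;
     }
     $form = Form::open()
         . Form::hidden('csrf', Security::token())
         . Form::label('sandbox_form_template', __('Sandbox template', 'sandbox'))
         . Form::select('sandbox_form_template', $templates, Option::get('sandbox_template'), array('class' => 'form-control'))
         . Html::br()
         . Form::submit('sandbox_component_save', __('Save', 'sandbox'), array('class' => 'btn btn-default'))
         . Form::close();
     echo '<div class="col-xs-3">' . $form . '</div>';
 }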
 /**
  * Hidden CSRF field. Fills in the field name ("security_token") and the
  * value (the session's current Security::token()) unless the caller
  * supplied its own.
  *
  * @param array $field  field attributes; 'name' and 'value' are defaulted when not set
  * @param bool  $render passed through to the parent constructor
  */
 public function __construct($field = array(), $render = TRUE)
 {
     if (!isset($field['name'])) {
         $field['name'] = 'security_token';
     }
     // isset() on purpose: an explicit null value is replaced by a token as well.
     if (!isset($field['value'])) {
         $field['value'] = Security::token();
     }
     parent::__construct($field, $render);
 }
 /**
  * Action for logging out the user
  *
  * 	Additional query params can be specified:
  *
  * 		destroy - to completely destroy the session
  * 		all 	- to remove all user tokens (logout from everywhere)
  *
  */
 public function action_logout()
 {
     // The CSRF token arrives as a route parameter; the user is logged out only
     // when it matches the session token. The redirect happens either way.
     // NOTE(review): a token in the URL path ends up in access logs and Referer
     // headers, and the comparison is a plain === rather than a constant-time check.
     $supplied = $this->request->param('token');
     if ($supplied === Security::token()) {
         $destroy = (bool) $this->request->query('destroy');
         $everywhere = (bool) $this->request->query('all');
         Auth::instance()->logout($destroy, $everywhere);
     }
     $this->request->redirect(Route::url('admin/auth'));
 }
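 /**
  * Returns a hidden <input> carrying the session's anti-forgery token,
  * creating the token when none is stored yet (or when $new is TRUE).
  *
  * @param bool $new force a new token even if one is already in the session
  * @return string hidden input markup from Form::hidden()
  */
 public static function anti_forgery_token($new = FALSE)
 {
     $session = Session::instance();
     $config = Kohana::$config->load('security');
     $token_name = $config->get('csrf_token_name', 'request-verification-token');
     $csrf_token = $session->get($token_name);
     if ($new === TRUE or !$csrf_token) {
         // Read the configured key first and only fall back to a freshly
         // generated Security::token(). Passing Security::token(TRUE) as the
         // default argument evaluated it unconditionally, rotating the session
         // CSRF token on every call even when a csrf_key was configured.
         $csrf_key = $config->get('csrf_key');
         if ($csrf_key === NULL) {
             $csrf_key = Security::token(TRUE);
         }
         // NOTE(review): a csrf_key set in config makes every session's token
         // the same hash of that constant — confirm that is intended.
         $csrf_token = Crypto_Hash_Simple::compute_hash($csrf_key);
         $session->set($token_name, $csrf_token);
     }
     return Form::hidden($token_name, $csrf_token, array('id' => $token_name));
 }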
 public function action_album_delete()
 {
     // Deletes an exhibit album once a POST with a valid CSRF token confirms it;
     // otherwise renders the confirmation view with a fresh token.
     $id = (int) $this->request->param('id');
     $album = ORM::factory('Exhibit_Album', $id);
     if (!$album->loaded()) {
         throw new HTTP_Exception_404();
     }
     $confirmed = $this->request->method() == Request::POST
         && Security::check(Arr::get($_POST, 'token'));
     if ($confirmed) {
         $album->delete();
         $this->redirect('manage/exhibits');
     }
     $this->set('item', $album)->set('token', Security::token(true));
 }
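 public function action_delete()
 {
     // Deletes a slider entry after a POST confirmation carrying a valid CSRF
     // token; on GET renders the confirmation form. The 'type' query value is
     // only used to send the moderator back to the matching slider list.
     $id = (int) $this->request->param('id', 0);
     $type = Arr::get($_GET, 'type', 'slider');
     // 'type' comes from the query string: encode it before embedding it in
     // another URL so it cannot smuggle extra query parameters.
     $list_url = 'manage/sliders/?type=' . urlencode($type);
     $slider = ORM::factory('Slider', $id);
     if (!$slider->loaded()) {
         // Sibling delete actions answer 404 here; the original read ->link_ru
         // and called delete() on a possibly unloaded model.
         throw new HTTP_Exception_404();
     }
     $token = Arr::get($_POST, 'token', false);
     if ($this->request->method() == Request::POST && Security::token() === $token) {
         $loger = new Loger('delete', $slider->link_ru);
         $loger->log($slider);
         $slider->delete();
         $this->redirect($list_url);
     } else {
         $this->set('token', Security::token(true))->set('r', Url::media('manage/sliders?type=' . urlencode($type)));
     }
 }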
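 public function action_delete()
 {
     // Deletes a leader after POST confirmation with a valid CSRF token; GET
     // renders the confirmation form. Unknown ids answer 404 on both paths.
     $id = (int) $this->request->param('id', 0);
     // Load once, before branching: the original checked loaded() only on the
     // GET path and called delete() on a possibly unloaded model on POST.
     $leader = ORM::factory('Leader', $id);
     if (!$leader->loaded()) {
         throw new HTTP_Exception_404();
     }
     $token = Arr::get($_POST, 'token', false);
     if ($this->request->method() == Request::POST && Security::token() === $token) {
         $leader->delete();
         $this->redirect('manage/leaders');
     } else {
         $this->set('record', $leader)->set('token', Security::token(true))->set('cancel_url', Url::media('manage/leader'));
     }
 }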
 public function action_delete()
 {
     // Deletes a link after a confirmed POST (valid CSRF token); GET shows the confirm form.
     $id = (int) $this->request->param('id', 0);
     $link = ORM::factory('Link', $id);
     if (!$link->loaded()) {
         throw new HTTP_Exception_404();
     }
     $posted_token = Arr::get($_POST, 'token', false);
     $is_post = $this->request->method() == Request::POST;
     if ($is_post && Security::token() === $posted_token) {
         $link->delete();
         Message::success('Удалено');
         $this->redirect('manage/links');
         return;
     }
     $fresh_token = Security::token(true);
     $this->set('record', $link)
         ->set('token', $fresh_token)
         ->set('cancel_url', Url::media('manage/links'));
 }
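 public function action_delete()
 {
     // Deletes a document after POST confirmation with a valid CSRF token; GET
     // renders the confirmation form. Unknown ids go back to the document list.
     $id = (int) $this->request->param('id', 0);
     // Load once, before branching: the original checked loaded() only on the
     // GET path and called delete() on a possibly unloaded model on POST.
     $document = ORM::factory('Document', $id);
     if (!$document->loaded()) {
         $this->redirect('manage/document');
     }
     $token = Arr::get($_POST, 'token', false);
     if ($this->request->method() == Request::POST && Security::token() === $token) {
         $document->delete();
         $this->redirect('manage/documents');
     } else {
         $this->set('record', $document)->set('token', Security::token(true))->set('cancel_url', Url::media('manage/document'));
     }
 }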
 public function action_delete()
 {
     // Deletes an act after a confirmed POST; GET renders the confirmation form.
     $id = (int) $this->request->param('id', 0);
     $posted_token = Arr::get($_POST, 'token', false);
     $act = ORM::factory('Acts', $id);
     if (!$act->loaded()) {
         throw new HTTP_Exception_404();
     }
     // A POST with an empty body is treated like GET here (post() is falsy).
     $confirmed = $this->request->post() && Security::token() === $posted_token;
     if (!$confirmed) {
         $this->set('record', $act)->set('token', Security::token(true))->set('cancel_url', Url::media('manage/acts'));
         return;
     }
     $act->delete();
     Message::success('Акт удален');
     $this->redirect('manage/acts');
 }
 public function action_view()
 {
     // Shows one cookbook recipe: which materials it needs and how many of each
     // the current player owns. Answers JSON for AJAX, otherwise fills the view;
     // any validation failure becomes a Hint::error() and a redirect to the cookbook.
     $id = $this->request->param('id');
     $item = ORM::factory('User_Item', $id);
     $error = null;
     if (!$item->loaded()) {
         $error = 'Recipe could not be found';
     } elseif ($item->user_id != $this->user->id) {
         $error = 'You can\'t access another player\'s recipe';
     } elseif ($item->location != 'cookbook') {
         $error = 'The recipe you want to view is not located in your cookbook.';
     } elseif ($item->item->type->default_command != 'General_Cook') {
         $error = 'The item you want to use as a recipe just isn\'t cut out for it.';
     } else {
         $recipe = ORM::factory('Item_Recipe')->where('item_recipe.name', '=', $item->item->commands[0]['param'])->find();
         $needed = $recipe->materials->find_all();
         $materials = array();
         $satisfied = 0;
         foreach ($needed as $material) {
             $owned_item = Item::factory($material->item)->user_has('inventory');
             // Amount counted towards the recipe: what the player owns, capped at the requirement.
             $owned = 0;
             if ($owned_item != FALSE) {
                 if ($owned_item->amount >= $material->amount) {
                     $satisfied++;
                 }
                 $owned = min($material->amount, $owned_item->amount);
             }
             $materials[] = array(
                 'name' => $material->item->name,
                 'img' => $material->item->img(),
                 'amount_needed' => $material->amount,
                 'amount_owned' => $owned,
             );
         }
         // Fully collected only when every material is present in sufficient quantity.
         $collected = $satisfied == count($needed);
         if ($this->request->is_ajax()) {
             $this->response->headers('Content-Type', 'application/json');
             $payload = array(
                 'status' => 'success',
                 'materials' => $materials,
                 'name' => $recipe->name,
                 'img' => $recipe->item->img(),
                 'collected' => $collected,
                 'csrf' => Security::token(),
             );
             return $this->response->body(json_encode($payload));
         }
         $this->view = new View_Item_Cookbook_View();
         $this->view->id = $item->id;
         $this->view->recipe = $recipe;
         $this->view->materials = $materials;
         $this->view->collected = $collected;
     }
     if ($error !== null) {
         Hint::error($error);
         $this->redirect(Route::get('item.cookbook')->uri());
     }
 }
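 public function action_delete()
 {
     // Deletes a map point after POST confirmation with a valid CSRF token and
     // returns to the district map; GET renders the confirmation form.
     $id = (int) $this->request->param('id', 0);
     $point = ORM::factory('Point', $id);
     if (!$point->loaded()) {
         throw new HTTP_Exception_404();
     }
     $token = Arr::get($_POST, 'token', false);
     // Build the district URL before the row is gone.
     $district_url = 'manage/maps/view/' . $point->district_id;
     if ($this->request->method() == Request::POST && Security::token() === $token) {
         // The original passed an undefined $event here (logged as null); the
         // sibling delete actions record this operation as 'delete'.
         $loger = new Loger('delete', $point->name);
         $loger->logThis($point);
         $point->delete();
         $this->redirect($district_url);
     } else {
         $this->set('record', $point)->set('token', Security::token(true))->set('cancel_url', Url::media($district_url));
     }
 }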
 public function action_delete()
 {
     // Deletes an infograph after a confirmed POST (logging it first); GET shows the confirm form.
     $id = (int) $this->request->param('id', 0);
     $infograph = ORM::factory('Infograph', $id);
     if (!$infograph->loaded()) {
         throw new HTTP_Exception_404();
     }
     $posted_token = Arr::get($_POST, 'token', false);
     $confirmed = $this->request->method() == Request::POST && Security::token() === $posted_token;
     if (!$confirmed) {
         $this->set('record', $infograph)->set('token', Security::token(true))->set('cancel_url', Url::media('manage/infographs'));
         return;
     }
     $log = new Loger('delete', $infograph->title);
     $log->log($infograph);
     $infograph->delete();
     Message::success('Запись удалена');
     $this->redirect('manage/infographs');
 }
 public function action_delete()
 {
     // Deletes a comment after a confirmed POST; GET renders the confirm form.
     // 'type' is an integer list filter carried through to the comment list URL.
     $type = (int) Arr::get($_GET, 'type', 0);
     $id = (int) $this->request->param('id', 0);
     $comment = ORM::factory('Comment', $id);
     if (!$comment->loaded()) {
         throw new HTTP_Exception_404();
     }
     $list_url = 'manage/comments?type=' . $type;
     $posted_token = Arr::get($_POST, 'token', false);
     $is_post = $this->request->method() == Request::POST;
     if ($is_post && Security::token() === $posted_token) {
         $comment->delete();
         Message::success('Комментарий удален');
         $this->redirect($list_url);
     } else {
         $this->set('type', $type);
         $fresh_token = Security::token(true);
         $this->set('record', $comment)->set('token', $fresh_token)->set('cancel_url', Url::media($list_url));
     }
 }
 public function action_delete()
 {
     // Deletes a chronology line (event) after a confirmed POST and returns to
     // its period's list; GET renders the confirmation form.
     $id = (int) $this->request->param('id', 0);
     $line = ORM::factory('Chronology_Line', $id);
     if (!$line->loaded()) {
         throw new HTTP_Exception_404('Page not found');
     }
     $period = ORM::factory('Chronology', $line->period_id);
     $list_url = 'manage/lines/list/' . $period->id;
     $posted_token = Arr::get($_POST, 'token', false);
     if ($this->request->post() and Security::token() === $posted_token) {
         $log = new Loger('delete', $line->title);
         $log->logThis($line);
         $line->delete();
         Message::success('Событие удалено');
         $this->redirect($list_url);
     } else {
         $fresh_token = Security::token(true);
         $this->set('token', $fresh_token)->set('r', Url::media($list_url))->set('period', $period);
     }
 }
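 public function action_login()
 {
     // Renders the login form; on POST checks the CSRF token and credentials.
     // A failed check rotates the token and stops the request, as before.
     if (!empty($_POST)) {
         // Read form fields with isset() so a missing field cannot raise an
         // undefined-index notice before the CSRF check runs.
         $token = isset($_POST['csrf']) ? $_POST['csrf'] : '';
         if (!Security::check($token)) {
             Security::token(true);
             exit('非法提交');
         }
         $username = isset($_POST['username']) ? $_POST['username'] : '';
         $password = isset($_POST['password']) ? $_POST['password'] : '';
         $m_auth = Model::factory('auth');
         if ($m_auth->login($username, $password)) {
             $this->redirect('/');
         } else {
             Security::token(true);
             exit('登录失败');
         }
     }
     $this->template = View::factory('login');
 }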
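 public function action_login()
 {
     // Renders the login form; on POST checks the CSRF token and credentials and
     // sends the user on to return_url (restricted to a local path) or the root.
     if (!empty($_POST)) {
         // Read form fields with isset() so a missing field cannot raise an
         // undefined-index notice before the CSRF check runs.
         $token = isset($_POST['csrf']) ? $_POST['csrf'] : '';
         if (!Security::check($token)) {
             Security::token(true);
             exit('非法提交');
         }
         $username = isset($_POST['username']) ? $_POST['username'] : '';
         $password = isset($_POST['password']) ? $_POST['password'] : '';
         // return_url comes straight from the query string and was passed to
         // redirect() unchecked, which lets a crafted login link send the user
         // to another site after they authenticate. Accept only site-relative
         // paths: no scheme, no protocol-relative '//host', no leading backslash.
         $return_url = '/';
         if (!empty($_GET['return_url'])) {
             $candidate = (string) $_GET['return_url'];
             $is_local = strpos($candidate, '://') === false
                 && strpos($candidate, '//') !== 0
                 && strpos($candidate, '\\') !== 0;
             if ($is_local) {
                 $return_url = $candidate;
             }
         }
         $auth = Auth::instance();
         if ($auth->login($username, $password)) {
             $this->redirect($return_url);
         } else {
             Security::token(true);
             exit('登录失败');
         }
     }
     $this->template = View::factory('login');
 }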
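 public function action_show()
 {
     // Toggles a moderator's decision on an expert comment and keeps the parent
     // opinion's comments_count in step; GET renders the confirmation form.
     $id = (int) $this->request->param('id', 0);
     $token = Arr::get($_POST, 'token', false);
     // NOTE(review): 'r' is query-string input handed to redirect(); xss_clean()
     // does not restrict it to a local path — confirm redirect() rejects off-site values.
     $return = Security::xss_clean(Arr::get($_GET, 'r', 'manage/expertcomments'));
     $comment = ORM::factory('Expert_Comment', $id);
     if ($this->request->method() == Request::POST && Security::token() === $token) {
         if (!$comment->loaded()) {
             // The original toggled and save()d an unloaded model for unknown ids;
             // answer 404 like the sibling actions instead.
             throw new HTTP_Exception_404();
         }
         $comment->moderator_decision = ($comment->moderator_decision + 1) % 2;
         $comment->moderator_id = $this->user->id;
         $comment->save();
         $opinion = ORM::factory('Expert_Opinion', $comment->opinion_id);
         $comments_count = $opinion->comments_count + ($comment->moderator_decision ? 1 : -1);
         // Bind the values instead of concatenating them into the SQL text.
         DB::query(Database::UPDATE, 'UPDATE `history`.`expert_opinions` SET `comments_count` = :count WHERE `id` = :id')
             ->parameters(array(':count' => $comments_count, ':id' => $opinion->id))
             ->execute();
         $this->redirect($return);
     } elseif ($comment->loaded()) {
         $this->set('item', $comment)->set('token', Security::token(true));
     } else {
         $this->redirect($return);
     }
 }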
<h1>Login</h1>
<?php // The CSRF token travels in the form's action path; a hidden field would keep it out of server logs and Referer headers. ?>
<form action="<?php echo URL::site('acp/sign_up/' . Security::token()); ?>" method="post">
	<input type="text" name="email" /><br />
	<input type="password" name="pass" /><br />
	<label>
		<input type="checkbox" name="cookie" />
		Login with cookies.
	</label><br />
	<input type="submit" value="Apstiprinu!" />
</form>
 public function action_delete()
 {
     // Deletes a calendar entry after a confirmed POST and returns to the list
     // for the entry's month/day; GET renders the confirmation form.
     $id = (int) $this->request->param('id', 0);
     $entry = ORM::factory('Calendar', $id);
     if (!$entry->loaded()) {
         throw new HTTP_Exception_404();
     }
     $month = $entry->month;
     $day = $entry->day;
     // Captured before delete() so the list URL survives the removal.
     $list_url = 'manage/calendar/list?m=' . $month . '&d=' . $day;
     $posted_token = Arr::get($_POST, 'token', false);
     $confirmed = $this->request->method() == Request::POST && Security::token() === $posted_token;
     if ($confirmed) {
         $log = new Loger('delete', $entry->title);
         $log->logThis($entry);
         $entry->delete();
         Message::success('Удалено');
         $this->redirect($list_url);
     } else {
         $fresh_token = Security::token(true);
         $this->set('record', $entry)->set('month', $month)->set('day', $day)->set('token', $fresh_token)->set('cancel_url', Url::media($list_url));
     }
 }
 /**
  * Checks a token supplied by the client against the session's CSRF token,
  * using slow_equals() (intended as a timing-safe comparison).
  *
  * @param string $token value received from the form/request
  * @return bool TRUE when it matches Security::token()
  */
 public static function check($token)
 {
     $expected = Security::token();
     return Security::slow_equals($expected, $token);
 }
<form action="<?php 
echo URL::site('topic/new/' . Security::token());
?>
" method="post">
	Topic title: <input type="text" name="title" /><br />
	<?php 
if (isset($categories)) {
    ?>
	Category:  <select name="category_id">
	<?php 
    foreach ($categories as $category) {
        ?>
	<?php 
        if (!Auth::instance()->logged_in()) {
            ?>
		<?php 
            if ($category->role_id == 1) {
                ?>
			<option value="<?php 
                echo $category->id;
                ?>
"><?php 
                echo $category->name;
                ?>
</option>
		<?php 
            }
            ?>
	<?php 
        }