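/**
 * Starts a password-recovery attempt for the e-mail address posted to this page.
 *
 * GET renders the forgot_password form. POST looks the address up, stores a
 * recovery attempt (user id + one-time hash) through Model_Password_Recovery,
 * e-mails the forgot_password/send_email view and redirects to '/'.
 *
 * @throws Exception when the address is unknown, the attempt cannot be stored
 *                   or the mail cannot be sent
 */
public function action_index()
{
    $view = View::factory('forgot_password');
    $this->template->content = $view->render();

    if ($this->request->method() !== Request::POST) {
        return;
    }

    $email = $this->request->post('email');
    $user = new Model_User();
    $password_recovery = new Model_Password_Recovery();

    // unique_email() === TRUE means no account uses this address.
    // NOTE(review): the message tells the caller whether an address is
    // registered; a neutral "if the address exists a mail was sent" response
    // would not.
    if ($user->unique_email($email) === TRUE) {
        throw new Exception("Email is not correct!");
    }

    $user_id = $user->get_id($email);

    // The recovery secret has to be unpredictable and unique per attempt.
    // sha1(Security::token()) derived it from the session CSRF token, which
    // is constant for the session and known to whoever submitted this form.
    // 20 random bytes -> 40 hex chars, the same width as a sha1 digest, so
    // the stored column size is unchanged.
    $hash = bin2hex(random_bytes(20));

    $view_for_message = View::factory('forgot_password/send_email');
    $view_for_message->user_id = $user_id;
    $view_for_message->hash = $hash;

    if (!$password_recovery->create_attemp($email, $user_id, $hash)) {
        throw new Exception("Cannot create attemp!");
    }

    Email::connect();
    $to = array($email);
    $from = array('user@localhost', 'admin');
    $subject = 'Password recovery';
    $message = $view_for_message->render();

    $send_email = Email::send($to, $from, $subject, $message, TRUE);
    if (!$send_email) {
        throw new Exception("Cannot send email! \n {$send_email}");
    }

    $this->redirect('/');
}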
/**
 * Tests Security::token()
 *
 * Every data-provider iteration works with its own session key so the
 * iterations cannot see each other's token; the key is removed afterwards.
 *
 * @test
 * @dataProvider provider_csrf_token
 * @covers Security::token
 */
public function test_csrf_token($expected, $input, $iteration)
{
    $token_name = 'token_' . $iteration;
    Security::$token_name = $token_name;

    $this->assertSame(TRUE, $input);
    $this->assertSame($expected, Security::token(FALSE));

    // Drop the session entry this iteration created
    Session::instance()->delete($token_name);
}
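/**
 * Toggles the "spam" flag on a feedback question.
 *
 * GET renders the confirmation form with a fresh CSRF token. POST with a
 * matching token flips is_spam, records the moderator and redirects to the
 * return URL given in the `r` query parameter.
 */
public function action_spam()
{
    $id = (int) $this->request->param('id', 0);
    $question = ORM::factory('Feedback_Question', $id);
    $user_id = $this->user->id;

    if (!$question->loaded()) {
        $this->redirect('manage/feedback');
    }

    $token = Arr::get($_POST, 'token', FALSE);

    // `r` is caller-controlled. Only a site-relative path is accepted; a
    // value carrying a scheme or a protocol-relative prefix falls back to the
    // default so the redirect cannot leave the site.
    $return = Security::xss_clean(Arr::get($_GET, 'r', 'manage/expert'));
    if (strpos($return, '://') !== FALSE || substr($return, 0, 2) === '//' || substr($return, 0, 2) === '/\\') {
        $return = 'manage/expert';
    }
    $this->set('return', Url::media($return));

    $confirmed = ($this->request->method() === Request::POST && Security::token() === $token);

    if ($confirmed) {
        // 0 -> 1 -> 0 toggle
        $question->is_spam = ($question->is_spam + 1) % 2;
        $question->spam_mod_id = $user_id;
        $question->save();

        if ((int) $question->is_spam === 1) {
            Message::success(i18n::get('The question is marked as spam'));
        } else {
            Message::success(i18n::get('Marked "Spam" is removed from the question'));
        }
        $this->redirect($return);
    } else {
        // GET, or POST with a missing/bad token: show the confirmation form
        if ($question->loaded()) {
            $this->set('question', $question)->set('token', Security::token(TRUE));
        } else {
            $this->redirect('manage/expert');
        }
    }
}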
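/**
 * Deletes an expert together with all of his opinions.
 *
 * GET renders the confirmation form; POST with a valid CSRF token deletes the
 * records, moves the current page back if it no longer exists and redirects
 * to the expert list.
 */
public function action_delete()
{
    $id = (int) $this->request->param('id', 0);
    $expert = ORM::factory('Expert', $id);
    if (!$expert->loaded()) {
        $this->redirect('manage/expert');
    }

    $token = Arr::get($_POST, 'token', FALSE);
    $confirmed = ($this->request->method() === Request::POST && Security::token() === $token);

    if (!$confirmed) {
        $this->set('expert', $expert)
            ->set('token', Security::token(TRUE))
            ->set('cancel_url', Url::media('manage/expert/page-' . $this->page));
        return;
    }

    $expert->delete();

    // Rows returned by find_all() are loaded models, so they can be deleted
    // directly instead of being re-fetched by id one at a time.
    $opinions = ORM::factory('Expert_Opinion')->where('expert_id', '=', $id)->find_all();
    foreach ($opinions as $opinion) {
        $opinion->delete();
    }

    // Deleting may have emptied the last page; clamp the current page.
    // (The unused find_all() that previously ran here was dropped.)
    $last_page = Paginate::factory(ORM::factory('Expert'))->page_count();
    if ($this->page > $last_page) {
        $this->page = $this->page - 1;
    }
    if ($this->page <= 0) {
        $this->page = 1;
    }

    Message::success(i18n::get('Judge and all his positions removed'));
    $this->redirect('manage/expert/page-' . $this->page);
}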
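/**
 * Deletes an expert opinion after CSRF-checked POST confirmation.
 *
 * The deletion is logged through Loger before the row goes away. The current
 * page number is clamped afterwards so the redirect never lands on a page
 * that no longer exists.
 */
public function action_delete()
{
    $id = (int) $this->request->param('id', 0);
    $opinion = ORM::factory('Expert_Opinion', $id);
    if (!$opinion->loaded()) {
        $this->redirect('manage/expertopinions');
    }

    $token = Arr::get($_POST, 'token', FALSE);
    $confirmed = ($this->request->method() === Request::POST && Security::token() === $token);

    if (!$confirmed) {
        $this->set('item', $opinion)
            ->set('token', Security::token(TRUE))
            ->set('cancel_url', Url::media('manage/expertopinions/page-' . $this->page));
        return;
    }

    // Log while the record is still loaded
    $loger = new Loger('delete', $opinion->title);
    $loger->logThis($opinion);
    $opinion->delete();

    // Deleting may have emptied the last page; clamp the current page.
    // (The unused find_all() that previously ran here was dropped.)
    $last_page = Paginate::factory(ORM::factory('Expert_Opinion'))->page_count();
    if ($this->page > $last_page) {
        $this->page = $this->page - 1;
    }
    if ($this->page <= 0) {
        $this->page = 1;
    }

    Message::success(i18n::get('The position of the expert removed'));
    $this->redirect('manage/expertopinions/page-' . $this->page);
}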
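/**
 * Common request setup run before every action.
 *
 * Detects the language, prepares the page metadata, exposes the CSRF token
 * and a language-free return URL to the views and resolves the current user.
 */
public function before()
{
    parent::before();

    // detecting language, setting it
    $this->detect_language();
    $this->set('_language', $this->language);

    // creating and attaching page metadata
    $this->metadata = new Model_Metadata();
    $this->metadata->title(__(Application::instance()->get('title')), FALSE);
    $this->set('_metadata', $this->metadata);

    // TODO: token auth. The token is handed to the views below but POST
    // requests are not verified here; the intended check is
    //   Arr::get($_POST, 'token', '') !== Security::token()  ->  HTTP_Exception_403
    $this->set('_token', Security::token());

    // Handles return urls, cropping language out of it (will be appended by
    // url.site at redirect time)
    $segments = explode('/', trim(Request::initial()->uri(), '/'));
    // strict comparison so only an exact language code is stripped
    if (in_array($segments[0], Application::instance()->get('language.list'), TRUE)) {
        array_shift($segments);
    }
    $this->set('_return', implode('/', $segments));

    // detecting if user is logged in
    if (method_exists(Auth::instance(), 'auto_login')) {
        Auth::instance()->auto_login();
    }
    $this->user = Auth::instance()->get_user();
    $this->set('_user', $this->user);
}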
/**
 * Renders the chat page: title, description, the message list and the
 * send form. A fresh CSRF token is generated and shared with every view.
 */
public function action_index()
{
    $page = $this->template;
    $page->title = 'Chat';
    $page->description = 'Asynchronous chat';

    // token(true) issues a new session token on each render of this page
    View::set_global('_token', Security::token(true));

    $page->messages = View::factory('messages');
    $page->send_message_form = View::factory('send_message_form');
}
/**
 * Tests Security::token()
 *
 * Every data-provider iteration works with its own session key so the
 * iterations cannot see each other's token; the key is removed afterwards.
 *
 * @todo the Security::token tests need to be reviewed to check how much of
 *       the logic they're actually covering
 *
 * @test
 * @dataProvider provider_csrf_token
 * @covers Security::token
 */
public function test_csrf_token($expected, $input, $iteration)
{
    $token_name = 'token_' . $iteration;
    Security::$token_name = $token_name;

    $this->assertSame(TRUE, $input);
    $this->assertSame($expected, Security::token(FALSE));

    // Drop the session entry this iteration created
    Session::instance()->delete($token_name);
}
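/**
 * Form Component
 *
 * Echoes the sandbox settings form: a template selector built from the
 * theme's *.template.php files, a CSRF field and a save button.
 */
public static function formComponent()
{
    // Map each template file name (minus the .template.php suffix) to itself
    // so Form::select() shows the name as both value and label. Starting from
    // an empty array keeps $templates defined when no template exists.
    $templates = array();
    foreach (Themes::getTemplates() as $template) {
        $name = basename($template, '.template.php');
        $templates[$name] = $name;
    }

    echo '<div class="col-xs-3">'
        . Form::open()
        . Form::hidden('csrf', Security::token())
        . Form::label('sandbox_form_template', __('Sandbox template', 'sandbox'))
        . Form::select('sandbox_form_template', $templates, Option::get('sandbox_template'), array('class' => 'form-control'))
        . Html::br()
        . Form::submit('sandbox_component_save', __('Save', 'sandbox'), array('class' => 'btn btn-default'))
        . Form::close()
        . '</div>';
}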
/**
 * Hidden CSRF field. Unless $field already provides them, the value is the
 * current Security::token() and the input name is 'security_token'.
 *
 * @param array $field  field attributes; 'value' and 'name' are defaulted here
 * @param bool  $render passed through unchanged to the parent constructor
 */
public function __construct($field = array(), $render = TRUE)
{
    // isset() also treats an explicit NULL as "not provided"
    if (!isset($field['name'])) {
        $field['name'] = 'security_token';
    }
    if (!isset($field['value'])) {
        $field['value'] = Security::token();
    }

    parent::__construct($field, $render);
}
/**
 * Action for logging out the user
 *
 * The route's `token` parameter must equal the session CSRF token before the
 * logout is performed (note that the token therefore travels in the URL).
 * Additional query params can be specified:
 *
 *   destroy - to completely destroy the session
 *   all     - to remove all user tokens (logout from everywhere)
 */
public function action_logout()
{
    $token_matches = (Security::token() === $this->request->param('token'));

    if ($token_matches) {
        Auth::instance()->logout(
            (bool) $this->request->query('destroy'),
            (bool) $this->request->query('all')
        );
    }

    // Always return to the auth page, whether or not a logout happened
    $this->request->redirect(Route::url('admin/auth'));
}
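/**
 * Returns a hidden form input carrying the anti-forgery (CSRF) token.
 *
 * The token is stored in the session under the configured name and derived
 * from the `csrf_key` config value, or, when none is configured, from a
 * freshly generated Security::token().
 *
 * @param bool $new force generation of a new token even if one exists
 * @return string hidden <input> markup
 */
public static function anti_forgery_token($new = FALSE)
{
    $session = Session::instance();
    $config = Kohana::$config->load('security');
    $token_name = $config->get('csrf_token_name', 'request-verification-token');

    $csrf_token = $session->get($token_name);

    if ($new === TRUE || !$csrf_token) {
        // Security::token(TRUE) used to be passed as the default argument of
        // $config->get(), so it ran (and rotated the session token) on every
        // call even when csrf_key was configured. Generate it only when needed.
        $csrf_key = $config->get('csrf_key');
        if ($csrf_key === NULL) {
            $csrf_key = Security::token(TRUE);
        }
        // NOTE(review): with a fixed csrf_key from config the stored token is
        // the same for every session — confirm that is intended, or rely on
        // the Security::token() branch.
        $csrf_token = Crypto_Hash_Simple::compute_hash($csrf_key);
        $session->set($token_name, $csrf_token);
    }

    return Form::hidden($token_name, $csrf_token, array('id' => $token_name));
}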
/**
 * Deletes an exhibit album after CSRF-checked POST confirmation.
 *
 * GET, or a POST whose token fails Security::check(), renders the
 * confirmation with a freshly generated token.
 *
 * @throws HTTP_Exception_404 when no album has the given id
 */
public function action_album_delete()
{
    $id = (int) $this->request->param('id');
    $album = ORM::factory('Exhibit_Album', $id);

    if (!$album->loaded()) {
        throw new HTTP_Exception_404();
    }

    $confirmed = ($this->request->method() == Request::POST)
        && Security::check(Arr::get($_POST, 'token'));

    if ($confirmed) {
        $album->delete();
        $this->redirect('manage/exhibits');
    }

    $this->set('item', $album)->set('token', Security::token(true));
}
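/**
 * Deletes a slider record after CSRF-checked POST confirmation.
 *
 * `type` (query string) selects the slider list to return to; it is also
 * handed to the view as the cancel URL.
 *
 * @throws HTTP_Exception_404 when no slider has the given id
 */
public function action_delete()
{
    $id = (int) $this->request->param('id', 0);
    $type = Arr::get($_GET, 'type', 'slider');
    $token = Arr::get($_POST, 'token', FALSE);

    // Verify the record exists before logging or deleting, as the other
    // delete actions do; previously an unknown id reached delete() unchecked.
    $slider = ORM::factory('Slider', $id);
    if (!$slider->loaded()) {
        throw new HTTP_Exception_404();
    }

    // `type` is caller-controlled; encode it so it cannot add parameters to
    // the URLs built from it.
    $encoded_type = rawurlencode($type);

    if ($this->request->method() === Request::POST && Security::token() === $token) {
        $loger = new Loger('delete', $slider->link_ru);
        $loger->log($slider);
        $slider->delete();
        $this->redirect('manage/sliders/?type=' . $encoded_type);
    } else {
        $this->set('token', Security::token(TRUE))
            ->set('r', Url::media('manage/sliders?type=' . $encoded_type));
    }
}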
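/**
 * Deletes a leader record after CSRF-checked POST confirmation.
 *
 * @throws HTTP_Exception_404 when no leader has the given id
 */
public function action_delete()
{
    $id = (int) $this->request->param('id', 0);
    $token = Arr::get($_POST, 'token', FALSE);

    // Resolve the record first so both branches reject an unknown id with
    // 404; previously the POST branch deleted blindly by id.
    $leader = ORM::factory('Leader', $id);
    if (!$leader->loaded()) {
        throw new HTTP_Exception_404();
    }

    if ($this->request->method() === Request::POST && Security::token() === $token) {
        $leader->delete();
        $this->redirect('manage/leaders');
    } else {
        // NOTE(review): the list redirect above uses 'manage/leaders' while the
        // cancel URL uses 'manage/leader' — confirm which route exists.
        $this->set('record', $leader)
            ->set('token', Security::token(TRUE))
            ->set('cancel_url', Url::media('manage/leader'));
    }
}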
/**
 * Deletes a link record after CSRF-checked POST confirmation.
 *
 * @throws HTTP_Exception_404 when no link has the given id
 */
public function action_delete()
{
    $id = (int) $this->request->param('id', 0);
    $record = ORM::factory('Link', $id);
    if (!$record->loaded()) {
        throw new HTTP_Exception_404();
    }

    $token = Arr::get($_POST, 'token', false);
    $confirmed = ($this->request->method() == Request::POST) && (Security::token() === $token);

    if ($confirmed) {
        $record->delete();
        Message::success('Удалено');
        $this->redirect('manage/links');
        return;
    }

    // GET, or POST with a missing/bad token: render the confirmation form
    $this->set('record', $record)
        ->set('token', Security::token(true))
        ->set('cancel_url', Url::media('manage/links'));
}
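/**
 * Deletes a document record after CSRF-checked POST confirmation.
 *
 * An unknown id redirects to the document list, as the confirmation branch
 * already did.
 */
public function action_delete()
{
    $id = (int) $this->request->param('id', 0);
    $token = Arr::get($_POST, 'token', FALSE);

    // Resolve the record first so the POST branch no longer deletes blindly
    // by id; an unknown id is answered the same way on GET and POST.
    $document = ORM::factory('Document', $id);
    if (!$document->loaded()) {
        $this->redirect('manage/document');
    }

    if ($this->request->method() === Request::POST && Security::token() === $token) {
        $document->delete();
        $this->redirect('manage/documents');
    } else {
        $this->set('record', $document)
            ->set('token', Security::token(TRUE))
            ->set('cancel_url', Url::media('manage/document'));
    }
}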
/**
 * Deletes an act record after CSRF-checked POST confirmation.
 *
 * @throws HTTP_Exception_404 when no act has the given id
 */
public function action_delete()
{
    $id = (int) $this->request->param('id', 0);
    $token = Arr::get($_POST, 'token', false);

    $act = ORM::factory('Acts', $id);
    if (!$act->loaded()) {
        throw new HTTP_Exception_404();
    }

    // any non-empty POST body counts as a submission; the token must still match
    $confirmed = $this->request->post() && Security::token() === $token;

    if ($confirmed) {
        $act->delete();
        Message::success('Акт удален');
        $this->redirect('manage/acts');
        return;
    }

    $this->set('record', $act)
        ->set('token', Security::token(true))
        ->set('cancel_url', Url::media('manage/acts'));
}
/**
 * Shows a cookbook recipe together with how much of each material the
 * player already owns.
 *
 * The recipe is identified by a User_Item in the current player's cookbook
 * whose item type's default command is 'General_Cook'; the recipe name is
 * read from the item's first command parameter. The first failed precondition
 * is reported via Hint::error() followed by a redirect to the cookbook.
 *
 * AJAX requests receive a JSON body (status, materials, name, img, collected,
 * csrf) instead of the HTML view.
 */
public function action_view()
{
    $id = $this->request->param('id');
    $item = ORM::factory('User_Item', $id);
    $errors = array();

    // Preconditions, checked in order; only the first failure is reported
    if (!$item->loaded()) {
        $errors[] = 'Recipe could not be found';
    } elseif ($item->user_id != $this->user->id) {
        // ownership check: the item must belong to the current user
        $errors[] = 'You can\'t access another player\'s recipe';
    } elseif ($item->location != 'cookbook') {
        $errors[] = 'The recipe you want to view is not located in your cookbook.';
    } elseif ($item->item->type->default_command != 'General_Cook') {
        $errors[] = 'The item you want to use as a recipe just isn\'t cut out for it.';
    } else {
        // The recipe name is taken from the item's first command 'param'
        $recipe = ORM::factory('Item_Recipe')->where('item_recipe.name', '=', $item->item->commands[0]['param'])->find();
        $coll = $recipe->materials->find_all();
        $materials = array();
        $collect_count = 0; // number of materials the player owns in full
        foreach ($coll as $material) {
            $user_item = Item::factory($material->item)->user_has('inventory');
            $mat = 0; // amount owned, capped at the amount needed
            if ($user_item != FALSE) {
                if ($user_item->amount >= $material->amount) {
                    $mat = $material->amount;
                    $collect_count++;
                } else {
                    $mat = $user_item->amount;
                }
            }
            $materials[] = array('name' => $material->item->name, 'img' => $material->item->img(), 'amount_needed' => $material->amount, 'amount_owned' => $mat);
        }
        // Becomes a bool: TRUE only when every material is owned in full
        // (an empty material list therefore counts as collected)
        $collect_count = $collect_count == count($coll);
        if ($this->request->is_ajax()) {
            // The CSRF token is sent along, presumably for the follow-up cook request
            $this->response->headers('Content-Type', 'application/json');
            return $this->response->body(json_encode(array('status' => 'success', 'materials' => $materials, 'name' => $recipe->name, 'img' => $recipe->item->img(), 'collected' => $collect_count, 'csrf' => Security::token())));
        }
        $this->view = new View_Item_Cookbook_View();
        $this->view->id = $item->id;
        $this->view->recipe = $recipe;
        $this->view->materials = $materials;
        $this->view->collected = $collect_count;
    }

    if (count($errors) > 0) {
        Hint::error($errors[0]);
        $this->redirect(Route::get('item.cookbook')->uri());
    }
}
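/**
 * Deletes a map point after CSRF-checked POST confirmation and returns to
 * the district's map view.
 *
 * @throws HTTP_Exception_404 when no point has the given id
 */
public function action_delete()
{
    $id = (int) $this->request->param('id', 0);
    $point = ORM::factory('Point', $id);
    if (!$point->loaded()) {
        throw new HTTP_Exception_404();
    }

    $token = Arr::get($_POST, 'token', FALSE);
    // Built before delete() so district_id is still available
    $district_url = 'manage/maps/view/' . $point->district_id;

    if ($this->request->method() === Request::POST && Security::token() === $token) {
        // The event name used to be an undefined `$event` variable; 'delete'
        // matches how the other delete actions call Loger.
        $loger = new Loger('delete', $point->name);
        $loger->logThis($point);
        $point->delete();
        $this->redirect($district_url);
    } else {
        $this->set('record', $point)
            ->set('token', Security::token(TRUE))
            ->set('cancel_url', Url::media($district_url));
    }
}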
/**
 * Deletes an infograph after CSRF-checked POST confirmation, logging the
 * deletion through Loger first.
 *
 * @throws HTTP_Exception_404 when no infograph has the given id
 */
public function action_delete()
{
    $id = (int) $this->request->param('id', 0);
    $record = ORM::factory('Infograph', $id);
    if (!$record->loaded()) {
        throw new HTTP_Exception_404();
    }

    $token = Arr::get($_POST, 'token', false);
    $confirmed = ($this->request->method() == Request::POST) && (Security::token() === $token);

    if ($confirmed) {
        // log while the record is still loaded
        $loger = new Loger('delete', $record->title);
        $loger->log($record);
        $record->delete();
        Message::success('Запись удалена');
        $this->redirect('manage/infographs');
        return;
    }

    $this->set('record', $record)
        ->set('token', Security::token(true))
        ->set('cancel_url', Url::media('manage/infographs'));
}
/**
 * Deletes a comment after CSRF-checked POST confirmation.
 *
 * `type` (query string, cast to int) selects the comment list to return to.
 *
 * @throws HTTP_Exception_404 when no comment has the given id
 */
public function action_delete()
{
    $type = (int) Arr::get($_GET, 'type', 0);
    $id = (int) $this->request->param('id', 0);

    $comment = ORM::factory('Comment', $id);
    if (!$comment->loaded()) {
        throw new HTTP_Exception_404();
    }

    $list_url = 'manage/comments?type=' . $type;
    $token = Arr::get($_POST, 'token', false);
    $confirmed = ($this->request->method() == Request::POST) && (Security::token() === $token);

    if ($confirmed) {
        $comment->delete();
        Message::success('Комментарий удален');
        $this->redirect($list_url);
        return;
    }

    $this->set('type', $type);
    $this->set('record', $comment)
        ->set('token', Security::token(true))
        ->set('cancel_url', Url::media($list_url));
}
/**
 * Deletes a chronology line (event) after CSRF-checked POST confirmation and
 * returns to the list of its period.
 *
 * @throws HTTP_Exception_404 when no line has the given id
 */
public function action_delete()
{
    $id = (int) $this->request->param('id', 0);
    $line = ORM::factory('Chronology_Line', $id);
    if (!$line->loaded()) {
        throw new HTTP_Exception_404('Page not found');
    }

    $period = ORM::factory('Chronology', $line->period_id);
    $list_url = 'manage/lines/list/' . $period->id;
    $token = Arr::get($_POST, 'token', false);

    // any non-empty POST body counts as a submission; the token must still match
    $confirmed = $this->request->post() && Security::token() === $token;

    if ($confirmed) {
        // log while the record is still loaded
        $loger = new Loger('delete', $line->title);
        $loger->logThis($line);
        $line->delete();
        Message::success('Событие удалено');
        $this->redirect($list_url);
        return;
    }

    $this->set('token', Security::token(true))
        ->set('r', Url::media($list_url))
        ->set('period', $period);
}
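/**
 * Handles the login form.
 *
 * A POST has to carry a `csrf` field matching the session token; on a bad
 * token or wrong credentials the token is rotated and the request ends with a
 * short message. On success the user is sent to '/'.
 */
public function action_login()
{
    if (!empty($_POST)) {
        // Missing fields default to '' rather than raising undefined-index notices
        $token = isset($_POST['csrf']) ? $_POST['csrf'] : '';
        if (!Security::check($token)) {
            Security::token(true);
            exit('非法提交');
        }

        $username = isset($_POST['username']) ? $_POST['username'] : '';
        $password = isset($_POST['password']) ? $_POST['password'] : '';

        $m_auth = Model::factory('auth');
        if ($m_auth->login($username, $password)) {
            $this->redirect('/');
        } else {
            // new token for the next attempt
            Security::token(true);
            exit('登录失败');
        }
    }

    $this->template = View::factory('login');
}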
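/**
 * Handles the login form.
 *
 * A POST has to carry a `csrf` field matching the session token; on a bad
 * token or wrong credentials the token is rotated and the request ends with a
 * short message. On success the user is sent to the `return_url` query
 * parameter, or '/' when it is absent or not a site-relative path.
 */
public function action_login()
{
    if (!empty($_POST)) {
        // Missing fields default to '' rather than raising undefined-index notices
        $token = isset($_POST['csrf']) ? $_POST['csrf'] : '';
        if (!Security::check($token)) {
            Security::token(true);
            exit('非法提交');
        }

        $username = isset($_POST['username']) ? $_POST['username'] : '';
        $password = isset($_POST['password']) ? $_POST['password'] : '';

        // return_url is caller-controlled: accept only site-relative values,
        // a scheme or protocol-relative prefix would redirect off-site.
        $return_url = '/';
        if (!empty($_GET['return_url'])) {
            $candidate = (string) $_GET['return_url'];
            if (strpos($candidate, '://') === FALSE
                && substr($candidate, 0, 2) !== '//'
                && substr($candidate, 0, 2) !== '/\\') {
                $return_url = $candidate;
            }
        }

        $auth = Auth::instance();
        if ($auth->login($username, $password)) {
            $this->redirect($return_url);
        } else {
            // new token for the next attempt
            Security::token(true);
            exit('登录失败');
        }
    }

    $this->template = View::factory('login');
}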
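/**
 * Toggles the moderator decision on an expert comment and keeps the parent
 * opinion's comments_count in step.
 *
 * GET renders the confirmation with a fresh CSRF token; POST with a matching
 * token flips the decision, records the moderator and redirects to `r`.
 */
public function action_show()
{
    $id = (int) $this->request->param('id', 0);
    $token = Arr::get($_POST, 'token', FALSE);

    // `r` is caller-controlled: keep only site-relative values so the
    // redirect cannot be pointed at another host.
    $return = Security::xss_clean(Arr::get($_GET, 'r', 'manage/expertcomments'));
    if (strpos($return, '://') !== FALSE || substr($return, 0, 2) === '//' || substr($return, 0, 2) === '/\\') {
        $return = 'manage/expertcomments';
    }

    // Load once and check up front: save() on an unloaded ORM model would
    // insert a new row instead of updating the comment.
    $comment = ORM::factory('Expert_Comment', $id);
    if (!$comment->loaded()) {
        $this->redirect($return);
    }

    if ($this->request->method() === Request::POST && Security::token() === $token) {
        // 0 -> 1 -> 0 toggle
        $comment->moderator_decision = ($comment->moderator_decision + 1) % 2;
        $comment->moderator_id = $this->user->id;
        $comment->save();

        $expert = ORM::factory('Expert_Opinion', $comment->opinion_id);
        $delta = $comment->moderator_decision ? 1 : -1;
        $comments_count = $expert->comments_count + $delta;

        // Bound parameters instead of concatenating values into the statement
        DB::query(Database::UPDATE, 'UPDATE `history`.`expert_opinions` SET `comments_count` = :count WHERE `id` = :id')
            ->parameters(array(':count' => $comments_count, ':id' => $expert->id))
            ->execute();

        $this->redirect($return);
    } else {
        $this->set('item', $comment)->set('token', Security::token(TRUE));
    }
}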
<?php /* Login form. The session CSRF token is appended to the form action path
        (acp/sign_up/<token>), so it travels in the request URL rather than in a
        hidden field. NOTE(review): the heading says Login but the form posts to a
        route named sign_up — confirm the target. The `cookie` checkbox presumably
        asks for a persistent login; verify against the handling controller. */ ?>
<h1>Login</h1>
<form action="<?php echo URL::site('acp/sign_up/' . Security::token()); ?> " method="post">
    <input type="text" name="email" /><br />
    <input type="password" name="pass" /><br />
    <label>
        <input type="checkbox" name="cookie" /> Login with cookies.
    </label><br />
    <input type="submit" value="Apstiprinu!" />
</form>
/**
 * Deletes a calendar entry after CSRF-checked POST confirmation and returns
 * to the list for the entry's month and day.
 *
 * @throws HTTP_Exception_404 when no entry has the given id
 */
public function action_delete()
{
    $id = (int) $this->request->param('id', 0);
    $entry = ORM::factory('Calendar', $id);
    if (!$entry->loaded()) {
        throw new HTTP_Exception_404();
    }

    // captured before delete() so the list URL can still be built afterwards
    $month = $entry->month;
    $day = $entry->day;
    $list_url = 'manage/calendar/list?m=' . $month . '&d=' . $day;

    $token = Arr::get($_POST, 'token', false);
    $confirmed = ($this->request->method() == Request::POST) && (Security::token() === $token);

    if ($confirmed) {
        $loger = new Loger('delete', $entry->title);
        $loger->logThis($entry);
        $entry->delete();
        Message::success('Удалено');
        $this->redirect($list_url);
        return;
    }

    $this->set('record', $entry)
        ->set('month', $month)
        ->set('day', $day)
        ->set('token', Security::token(true))
        ->set('cancel_url', Url::media($list_url));
}
/**
 * Checks a submitted CSRF token against the session token using the
 * slow_equals() comparison helper.
 *
 * @param string $token value received from the client
 * @return bool TRUE when the token matches
 */
public static function check($token)
{
    $expected = Security::token();

    return Security::slow_equals($expected, $token);
}
<form action="<?php echo URL::site('topic/new/' . Security::token()); ?> " method="post"> Topic title: <input type="text" name="title" /><br /> <?php if (isset($categories)) { ?> Category: <select name="category_id"> <?php foreach ($categories as $category) { ?> <?php if (!Auth::instance()->logged_in()) { ?> <?php if ($category->role_id == 1) { ?> <option value="<?php echo $category->id; ?> "><?php echo $category->name; ?> </option> <?php } ?> <?php }