public function addUser($user_id)
{
// First, load current users for event
$this->getUsers();
// Return if user already in event
if (isset($this->_users[$user_id])) {
return $this;
}
// Next, check that the requested user actually exists
if (!UserLoader::exists($user_id)) {
throw new \Exception("The specified user_id ({$user_id}) does not exist.");
}
// Ok, add to the list of users
$this->_users[$user_id] = UserLoader::fetch($user_id);
return $this;
}
public function getUsers()
{
//Get connected and load the group_user table
$db = static::connection();
$link_table = static::getTable('group_user')->name;
$sqlVars[":id"] = $this->_id;
$query = "\n SELECT user_id FROM `{$link_table}`\n WHERE group_id = :id";
$stmt = $db->prepare($query);
$stmt->execute($sqlVars);
//Get the array of users in this group
$users_array = [];
while ($user_id = $stmt->fetch(\PDO::FETCH_ASSOC)) {
$users_array[] = UserLoader::fetch($user_id['user_id']);
}
return $users_array;
}
/**
* Processes the request to delete an existing user.
*
* Deletes the specified user, removing associations with any groups and any user-specific authorization rules.
* Before doing so, checks that:
* 1. You are not trying to delete the master account;
* 2. You have permission to delete user user accounts.
* This route requires authentication (and should generally be limited to admins or the root user).
* Request type: POST
* @param int $user_id the id of the user to delete.
*/
public function deleteUser($user_id)
{
$post = $this->_app->request->post();
// Get the target user
$target_user = UserLoader::fetch($user_id);
// Get the alert message stream
$ms = $this->_app->alerts;
// Check authorization
if (!$this->_app->user->checkAccess('delete_account', ['user' => $target_user])) {
$ms->addMessageTranslated("danger", "ACCESS_DENIED");
$this->_app->halt(403);
}
// Check that we are not disabling the master account
if ($target_user->id == $this->_app->config('user_id_master')) {
$ms->addMessageTranslated("danger", "ACCOUNT_DELETE_MASTER");
$this->_app->halt(403);
}
$ms->addMessageTranslated("success", "ACCOUNT_DELETION_SUCCESSFUL", ["user_name" => $target_user->user_name]);
$target_user->delete();
unset($target_user);
}
public function accountSettings()
{
// Load the request schema
$requestSchema = new \Fortress\RequestSchema($this->_app->config('schema.path') . "/forms/account-settings.json");
// Get the alert message stream
$ms = $this->_app->alerts;
// Access control for entire page
if (!$this->_app->user->checkAccess('uri_account_settings')) {
$ms->addMessageTranslated("danger", "ACCESS_DENIED");
$this->_app->halt(403);
}
$data = $this->_app->request->post();
// Remove csrf_token
unset($data['csrf_token']);
// Check current password
if (!isset($data['passwordcheck']) || !$this->_app->user->verifyPassword($data['passwordcheck'])) {
$ms->addMessageTranslated("danger", "ACCOUNT_PASSWORD_INVALID");
$this->_app->halt(403);
}
// Validate new email, if specified
if (isset($data['email']) && $data['email'] != $this->_app->user->email) {
// Check authorization
if (!$this->_app->user->checkAccess('update_account_setting', ['user' => $this->_app->user, 'property' => 'email'])) {
$ms->addMessageTranslated("danger", "ACCESS_DENIED");
$this->_app->halt(403);
}
// Check if address is in use
if (UserLoader::exists($data['email'], 'email')) {
$ms->addMessageTranslated("danger", "ACCOUNT_EMAIL_IN_USE", $data);
$this->_app->halt(400);
}
} else {
$data['email'] = $this->_app->user->email;
}
// Validate locale, if specified
if (isset($data['locale']) && $data['locale'] != $this->_app->user->locale) {
// Check authorization
if (!$this->_app->user->checkAccess('update_account_setting', ['user' => $this->_app->user, 'property' => 'locale'])) {
$ms->addMessageTranslated("danger", "ACCESS_DENIED");
$this->_app->halt(403);
}
// Validate locale
if (!in_array($data['locale'], $this->_app->site->getLocales())) {
$ms->addMessageTranslated("danger", "ACCOUNT_SPECIFY_LOCALE");
$this->_app->halt(400);
}
} else {
$data['locale'] = $this->_app->user->locale;
}
// Validate display_name, if specified
if (isset($data['display_name']) && $data['display_name'] != $this->_app->user->display_name) {
// Check authorization
if (!$this->_app->user->checkAccess('update_account_setting', ['user' => $this->_app->user, 'property' => 'display_name'])) {
$ms->addMessageTranslated("danger", "ACCESS_DENIED");
$this->_app->halt(403);
}
} else {
$data['display_name'] = $this->_app->user->display_name;
}
// Validate password, if specified and not empty
if (isset($data['password']) && !empty($data['password'])) {
// Check authorization
if (!$this->_app->user->checkAccess('update_account_setting', ['user' => $this->_app->user, 'property' => 'password'])) {
$ms->addMessageTranslated("danger", "ACCESS_DENIED");
$this->_app->halt(403);
}
} else {
// Do not pass to model if no password is specified
unset($data['password']);
unset($data['passwordc']);
}
// Set up Fortress to validate the request
$rf = new \Fortress\HTTPRequestFortress($ms, $requestSchema, $data);
// Validate
if (!$rf->validate()) {
$this->_app->halt(400);
}
// If a new password was specified, hash it
if (isset($data['password'])) {
$data['password'] = Authentication::hashPassword($data['password']);
}
// Remove passwordc, passwordcheck
unset($data['passwordc']);
unset($data['passwordcheck']);
// Looks good, let's update with new values!
foreach ($data as $name => $value) {
$this->_app->user->{$name} = $value;
}
$this->_app->user->store();
$ms->addMessageTranslated("success", "ACCOUNT_SETTINGS_UPDATED");
}
public function store($force_create = false)
{
// Initialize timestamps for new Users. Should this be done here, or somewhere else?
if (!isset($this->_id) || $force_create) {
$this->sign_up_stamp = date("Y-m-d H:i:s");
$this->activation_token = UserLoader::generateActivationToken();
$this->last_activation_request = date("Y-m-d H:i:s");
}
// Update the user record itself
parent::store();
// Get the User object's current groups
$this->getGroups();
// Get the User's groups as stored in the DB
$db_groups = $this->fetchGroups();
$link_table = static::getTableGroupUser();
// Add any groups in object that are not in DB yet
$db = static::connection();
$query = "\n INSERT INTO `{$link_table}` (user_id, group_id)\n VALUES (:user_id, :group_id);";
foreach ($this->_groups as $group_id => $group) {
$stmt = $db->prepare($query);
if (!isset($db_groups[$group_id])) {
$sqlVars = [':group_id' => $group_id, ':user_id' => $this->_id];
$stmt->execute($sqlVars);
}
}
// Remove any group links in DB that are no longer modeled in this object
if ($db_groups) {
$db = static::connection();
$query = "\n DELETE FROM `{$link_table}`\n WHERE group_id = :group_id\n AND user_id = :user_id LIMIT 1";
$stmt = $db->prepare($query);
foreach ($db_groups as $group_id => $group) {
if (!isset($this->_groups[$group_id])) {
$sqlVars = [':group_id' => $group_id, ':user_id' => $this->_id];
$stmt->execute($sqlVars);
}
}
}
// Store function should always return the id of the object
return $this->_id;
}
public function setupMasterAccount()
{
$post = $this->_app->request->post();
// Get the alert message stream
$ms = $this->_app->alerts;
// Check the honeypot. 'spiderbro' is not a real field, it is hidden on the main page and must be submitted with its default value for this to be processed.
if (!$post['spiderbro'] || $post['spiderbro'] != "http://") {
error_log("Possible spam received:" . print_r($this->_app->request->post(), true));
$ms->addMessage("danger", "Aww hellllls no!");
$this->_app->halt(500);
// Don't let on about why the request failed ;-)
}
// Do not allow registering a master account if one has already been created
if (UserLoader::exists($this->_app->config('user_id_master'))) {
$ms->addMessageTranslated("danger", "MASTER_ACCOUNT_EXISTS");
$this->_app->halt(403);
}
// Check the configuration token
if ($post['root_account_config_token'] != $this->_app->site->root_account_config_token) {
$ms->addMessageTranslated("danger", "CONFIG_TOKEN_MISMATCH");
$this->_app->halt(403);
}
// Load the request schema
$requestSchema = new \Fortress\RequestSchema($this->_app->config('schema.path') . "/forms/register.json");
// Set up Fortress to process the request
$rf = new \Fortress\HTTPRequestFortress($ms, $requestSchema, $post);
// Sanitize data
$rf->sanitize();
// Validate, and halt on validation errors.
$error = !$rf->validate(true);
// Get the filtered data
$data = $rf->data();
// Remove configuration token, password confirmation from object data
$rf->removeFields(['root_account_config_token', 'passwordc']);
// Perform desired data transformations. Is this a feature we could add to Fortress?
$data['user_name'] = strtolower(trim($data['user_name']));
$data['display_name'] = trim($data['display_name']);
$data['email'] = strtolower(trim($data['email']));
$data['active'] = 1;
$data['locale'] = $this->_app->site->default_locale;
// Halt on any validation errors
if ($error) {
$this->_app->halt(400);
}
// Get default primary group (is_default = GROUP_DEFAULT_PRIMARY)
$primaryGroup = GroupLoader::fetch(GROUP_DEFAULT_PRIMARY, "is_default");
$data['primary_group_id'] = $primaryGroup->id;
// Set default title for new users
$data['title'] = $primaryGroup->new_user_title;
// Hash password
$data['password'] = Authentication::hashPassword($data['password']);
// Create the user
$user = new User($data, $this->_app->config('user_id_master'));
// Add user to default groups, including default primary group
$defaultGroups = GroupLoader::fetchAll(GROUP_DEFAULT, "is_default");
$user->addGroup($primaryGroup->id);
foreach ($defaultGroups as $group_id => $group) {
$user->addGroup($group_id);
}
// Store new user to database, forcing it to insert the new user
$user->store(true);
// No activation required
$ms->addMessageTranslated("success", "ACCOUNT_REGISTRATION_COMPLETE_TYPE1");
// Update install status
$this->_app->site->install_status = "new";
$this->_app->site->root_account_config_token = "";
$this->_app->site->store();
}