/**
 * Builds a fresh captcha, remembers its phrase in the session and streams the
 * rendered image straight to the client.
 *
 * Unlike the other model methods this one produces output itself: it sends a
 * JPEG Content-type header and then echoes raw image bytes, so it has to run
 * before anything else has been written to the response.
 */
public static function generateAndShowCaptcha()
{
    // CaptchaBuilder comes from the captcha library loaded via Composer
    $builder = new CaptchaBuilder();
    $width = Config::get('CAPTCHA_WIDTH');
    $height = Config::get('CAPTCHA_HEIGHT');
    $builder->build($width, $height);

    // the phrase stays server-side so a later form submission can be checked against it
    Session::set('captcha', $builder->getPhrase());

    // emit the rendered characters as the response body
    header('Content-type: image/jpeg');
    $builder->output();
}
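/**
 * Writes the new account type marker to the database and to the session.
 *
 * Only the account types 1 and 2 are accepted. The check is strict on the
 * string form of the value, so int 1/2 and the digit strings '1'/'2' (as
 * submitted by forms) pass, while loosely-equal values such as true, '1.0'
 * or '1abc' are rejected.
 *
 * @param int|string $type the new account type, 1 or 2
 *
 * @return bool true when exactly one row was updated and the session was refreshed, false otherwise
 */
public static function saveRoleToDatabase($type)
{
    // reject anything that is neither an int nor a string before casting (arrays, bools, objects)
    if (!is_int($type) && !is_string($type)) {
        return false;
    }

    // if $type is not 1 or 2 (strict comparison, see docblock)
    if (!in_array((string) $type, ['1', '2'], true)) {
        return false;
    }
    $type = (int) $type;

    $database = DatabaseFactory::getFactory()->getConnection();
    $query = $database->prepare("UPDATE users SET user_account_type = :new_type WHERE user_id = :user_id LIMIT 1");
    $query->bindValue(':new_type', $type, \PDO::PARAM_INT);
    $query->bindValue(':user_id', (int) Session::get('user_id'), \PDO::PARAM_INT);
    $query->execute();

    // rowCount() reports affected rows; saving the type that is already set may report 0 here
    if ($query->rowCount() === 1) {
        // set account type in session
        Session::set('user_account_type', $type);
        return true;
    }

    return false;
}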
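/**
 * Delete a user's avatar: removes the image file (best effort) and clears the
 * user_has_avatar flag in the database.
 *
 * @param int|string $userId the user's id; ints and digit strings are accepted
 * @return bool success; a feedback message is added to the session either way
 */
public static function deleteAvatar($userId)
{
    // ctype_digit() only validates strings (an int is interpreted as an ASCII code, so an
    // int id would always be rejected), hence the check runs on the string form;
    // non-scalar input is rejected before the cast
    if ((!is_int($userId) && !is_string($userId)) || !ctype_digit((string) $userId)) {
        Session::add("feedback_negative", Text::get("FEEDBACK_AVATAR_IMAGE_DELETE_FAILED"));
        return false;
    }
    $userId = (int) $userId;

    // try to delete image, but still go on regardless of file deletion result
    self::deleteAvatarImageFile($userId);

    $database = DatabaseFactory::getFactory()->getConnection();
    $sth = $database->prepare("UPDATE users SET user_has_avatar = 0 WHERE user_id = :user_id LIMIT 1");
    $sth->bindValue(":user_id", $userId, \PDO::PARAM_INT);
    $sth->execute();

    // rowCount() counts affected rows, so a user without an avatar flag set reports 0 here
    if ($sth->rowCount() === 1) {
        // the session path now points at the default avatar again
        Session::set('user_avatar_file', self::getPublicUserAvatarFilePathByUserId($userId));
        Session::add("feedback_positive", Text::get("FEEDBACK_AVATAR_IMAGE_DELETE_SUCCESSFUL"));
        return true;
    }

    Session::add("feedback_negative", Text::get("FEEDBACK_AVATAR_IMAGE_DELETE_FAILED"));
    return false;
}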
/**
 * The real login process: The user's data is written into the session.
 * Cheesy name, maybe rename. Also maybe refactoring this, using an array.
 *
 * Side effects: regenerates the session id (dropping the old session data),
 * fills the session with the user's identity and avatar values, records the
 * new session id in the database and re-sends the session cookie with the
 * runtime/path/domain/secure/httponly values taken from Config.
 *
 * @param $user_id           id of the user who just authenticated
 * @param $user_name         display name stored in the session
 * @param $user_email        stored in the session and used to derive the Gravatar URL
 * @param $user_account_type account type marker stored in the session
 */
public static function setSuccessfulLoginIntoSession($user_id, $user_name, $user_email, $user_account_type)
{
    Session::init();

    // remove old and regenerate session ID.
    // It's important to regenerate session on sensitive actions,
    // and to avoid fixated session.
    // e.g. when a user logs in
    session_regenerate_id(true);
    // start from an empty session so nothing from the pre-login state survives
    $_SESSION = array();

    Session::set('user_id', $user_id);
    Session::set('user_name', $user_name);
    Session::set('user_email', $user_email);
    Session::set('user_account_type', $user_account_type);
    // this method is the password-based login path; other providers set their own marker
    Session::set('user_provider_type', 'DEFAULT');

    // get and set avatars
    Session::set('user_avatar_file', AvatarModel::getPublicUserAvatarFilePathByUserId($user_id));
    Session::set('user_gravatar_image_url', AvatarModel::getGravatarLinkByEmail($user_email));

    // finally, set user as logged-in
    Session::set('user_logged_in', true);

    // update session id in database
    // (presumably so the server side can tie the user to their current session — verify against Session::updateSessionId)
    Session::updateSessionId($user_id, session_id());

    // set session cookie setting manually,
    // Why? because you need to explicitly set session expiry, path, domain, secure, and HTTP.
    // @see https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet#Cookies
    // NOTE(review): the positional setcookie() form cannot carry a SameSite attribute, so none is set here;
    // confirm whether the deployed PHP version supports the options-array form if that is wanted.
    setcookie(session_name(), session_id(), time() + Config::get('SESSION_RUNTIME'), Config::get('COOKIE_PATH'), Config::get('COOKIE_DOMAIN'), Config::get('COOKIE_SECURE'), Config::get('COOKIE_HTTP'));
}
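/**
 * Edit the user's email
 *
 * Validates the submitted address, makes sure it differs from the current one
 * and is not already taken, then stores it and refreshes the session values
 * that derive from the email (the address itself and the Gravatar URL).
 *
 * @param string $new_user_email the address submitted by the user (untrusted form input)
 *
 * @return bool success status; on failure a negative feedback message is added to the session
 */
public static function editUserEmail($new_user_email)
{
    // email provided ?
    if (empty($new_user_email)) {
        Session::add('feedback_negative', Text::get('FEEDBACK_EMAIL_FIELD_EMPTY'));
        return false;
    }

    // strip tags before validating, so the value that passes validation is exactly the value that gets stored
    $new_user_email = strip_tags($new_user_email);

    // check if new email is same like the old one
    if ($new_user_email === Session::get('user_email')) {
        Session::add('feedback_negative', Text::get('FEEDBACK_EMAIL_SAME_AS_OLD_ONE'));
        return false;
    }

    // user's email must be in valid email format
    // @see http://stackoverflow.com/questions/21631366/php-filter-validate-email-max-length
    if (!filter_var($new_user_email, FILTER_VALIDATE_EMAIL)) {
        Session::add('feedback_negative', Text::get('FEEDBACK_EMAIL_DOES_NOT_FIT_PATTERN'));
        return false;
    }

    // an address longer than 254 characters is rejected instead of being cut down:
    // a truncated address would no longer be the one that was just validated
    // @see http://stackoverflow.com/questions/386294/what-is-the-maximum-length-of-a-valid-email-address
    if (strlen($new_user_email) > 254) {
        Session::add('feedback_negative', Text::get('FEEDBACK_EMAIL_DOES_NOT_FIT_PATTERN'));
        return false;
    }

    // check if user's email already exists
    if (self::doesEmailAlreadyExist($new_user_email)) {
        Session::add('feedback_negative', Text::get('FEEDBACK_USER_EMAIL_ALREADY_TAKEN'));
        return false;
    }

    // write to database, if successful ...
    // ... then write new email to session, Gravatar too (as this relies to the user's email address)
    if (self::saveNewEmailAddress(Session::get('user_id'), $new_user_email)) {
        Session::set('user_email', $new_user_email);
        Session::set('user_gravatar_image_url', AvatarModel::getGravatarLinkByEmail($new_user_email));
        Session::add('feedback_positive', Text::get('FEEDBACK_EMAIL_CHANGE_SUCCESSFUL'));
        return true;
    }

    Session::add('feedback_negative', Text::get('FEEDBACK_UNKNOWN_ERROR'));
    return false;
}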