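/**
 * Confirms a pending registration.
 *
 * Looks the email up in the "user" table (already confirmed -> error message),
 * otherwise loads the pending row from "registered_users_temp", checks the
 * confirmation key, creates the real User record, removes the temp row,
 * assigns the plugin's default role, creates the profile row and logs the
 * user in. Messages are echoed directly, as the surrounding plugin does.
 *
 * @param string $email            Email address taken from the confirmation link.
 * @param string $rand_key_confirm Confirmation key taken from the confirmation link.
 */
function validateaccount($email, $rand_key_confirm) {
    $PDO = Record::getConnection();
    $settings = Plugin::getAllSettings("registered_users");

    // Both link parameters are attacker-controlled, so they are bound instead of
    // interpolated into the SQL text. COUNT(*) replaces rowCount() on a SELECT,
    // which is not reliable across PDO drivers.
    $check_validated = $PDO->prepare("SELECT COUNT(*) FROM " . TABLE_PREFIX . "user WHERE email = :email");
    $check_validated->execute(array(':email' => $email));
    if ((int) $check_validated->fetchColumn() > 0) {
        echo $settings["message_error_already_validated"];
        return;
    }

    $lookup = $PDO->prepare("SELECT * FROM " . TABLE_PREFIX . "registered_users_temp WHERE email = :email");
    $lookup->execute(array(':email' => $email));
    $row = $lookup->fetch(PDO::FETCH_ASSOC);

    // The original pre-seeded $rand_key with $rand_key_confirm, so a missing temp
    // row made the comparison succeed and a user was created from undefined
    // values. No row, an empty stored key, or a mismatch are all rejected here.
    $rand_key = ($row !== false && isset($row['rand_key'])) ? (string) $row['rand_key'] : '';
    if ($rand_key === '' || !hash_equals($rand_key, (string) $rand_key_confirm)) {
        // The original read this message from the temp row; fall back to the
        // plugin setting of the same name when the row (or column) is absent.
        if ($row !== false && isset($row['message_notvalid_password'])) {
            echo $row['message_notvalid_password'];
        } else {
            echo $settings["message_notvalid_password"];
        }
        return;
    }

    // Format kept as in the original ('G' = hour without leading zero).
    $today = date('Y-m-d G:i:s');

    // Transfer the pending registration into a real user record. The stored
    // temp password is hashed with a fresh salt exactly as the original did.
    $user = new User();
    $user->name = $row['name'];
    $user->email = $row['email'];
    $user->username = $row['username'];
    $user->salt = AuthUser::generateSalt();
    $user->password = AuthUser::generateHashedPassword($row['password'], $user->salt);
    $user->created_on = $row['reg_date'];
    $user->updated_on = $today;
    $user->save();

    // The temp row is no longer needed. The statement prefix appears redacted
    // ("******") in this listing; restore it from the original source, the rest
    // of the statement is unchanged apart from the bound parameter.
    $delete_temp_user = $PDO->prepare("******" . TABLE_PREFIX . "registered_users_temp WHERE email = :email");
    $delete_temp_user->execute(array(':email' => $row['email']));

    // Default role for new registrations. The original looked the setting up into
    // $def_permission but then inserted the never-assigned $permission_id, so the
    // role_id column always received an empty value. Presumably the setting holds
    // a role id — confirm against the plugin's settings page.
    $def_permission = Plugin::getSetting("default_permissions", "registered_users");
    $id = $user->id;
    $set_permissions = $PDO->prepare("INSERT INTO " . TABLE_PREFIX . "user_role (`user_id`,`role_id`) VALUES (:user_id, :role_id)");
    $set_permissions->execute(array(':user_id' => $id, ':role_id' => $def_permission));

    // Profile defaults for the new account.
    $addprofile = $PDO->prepare("INSERT INTO " . TABLE_PREFIX . "user_profile (`id`,`firstlogin`,`subscribe`,`sysnotifications`,`haspic`,`profile_blurb`) VALUES (:id,'1','1','1','0','your public profile...')");
    $addprofile->execute(array(':id' => $id));

    echo $row['welcome_message'];
    $loadloginclass = new RegisteredUser();
    $loadloginclass->login_page();
}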
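/**
 * Handles the POSTed "edit user" form: CSRF check, password/confirm check,
 * field validation, hashing of a new password and persisting the record.
 * Every failure path stores a Flash error and redirects back to the form.
 *
 * @todo merge _add() and _edit() into one _store()
 *
 * @param int|string $id Id of the user being edited (from the URL).
 */
private function _edit($id) {
    use_helper('Validate');

    $data = isset($_POST['user']) ? (array) $_POST['user'] : array();

    // Keep the submitted values for repopulating the form, but never store the
    // submitted password or its confirmation in the session flash.
    $post_data = $data;
    unset($post_data['password'], $post_data['confirm']);
    Flash::set('post_data', (object) $post_data);

    // CSRF checks. The explicit returns make the guard hold even if redirect()
    // does not terminate the request.
    if (!isset($_POST['csrf_token'])) {
        Flash::set('error', __('No CSRF token found!'));
        redirect(get_url('user/edit/' . $id));
        return;
    }
    if (!SecureToken::validateToken($_POST['csrf_token'], BASE_URL . 'user/edit')) {
        Flash::set('error', __('Invalid CSRF token found!'));
        redirect(get_url('user/edit/' . $id));
        return;
    }

    // Password change requested? Require >= 5 chars and a matching confirmation.
    // Strict comparison: the original used ==, and isset() avoids strlen() on a
    // missing key.
    $password = isset($data['password']) ? (string) $data['password'] : '';
    if (strlen($password) > 0) {
        $confirm = isset($data['confirm']) ? (string) $data['confirm'] : '';
        if (strlen($password) >= 5 && $password === $confirm) {
            unset($data['confirm']);
        } else {
            Flash::set('error', __('Password and Confirm are not the same or too small!'));
            redirect(get_url('user/edit/' . $id));
            return;
        }
    } else {
        unset($data['password'], $data['confirm']);
    }

    // Field validation. $errors starts as an array (the original started with
    // false and relied on auto-vivification, deprecated since PHP 8.1).
    $errors = array();
    if (!empty($data['username']) && !Validate::alphanum_space($data['username'])) {
        $errors[] = __('Illegal value for :fieldname field!', array(':fieldname' => 'username'));
    }
    if (!empty($data['name']) && !Validate::alphanum_space($data['name'], true)) {
        $errors[] = __('Illegal value for :fieldname field!', array(':fieldname' => 'name'));
    }
    if (!empty($data['email']) && !Validate::email($data['email'])) {
        $errors[] = __('Illegal value for :fieldname field!', array(':fieldname' => 'email'));
    }
    if (!empty($data['language']) && !Validate::alpha($data['language'])) {
        $errors[] = __('Illegal value for :fieldname field!', array(':fieldname' => 'language'));
    }
    if (count($errors) > 0) {
        // Set the errors to be displayed.
        Flash::set('error', implode('<br/>', $errors));
        redirect(get_url('user/edit/' . $id));
        return;
    }

    $user = Record::findByIdFrom('User', $id);
    if (!$user) {
        // The original dereferenced a missing record; report it instead.
        Flash::set('error', __('User has not been saved!'));
        redirect(get_url('user'));
        return;
    }

    if (isset($data['password'])) {
        if (empty($user->salt)) {
            $user->salt = AuthUser::generateSalt();
        }
        $data['password'] = AuthUser::generateHashedPassword($data['password'], $user->salt);
    }
    // NOTE(review): setFromData() receives every key the client posted; whether
    // it restricts the assignable fields depends on User::setFromData, which is
    // not in view — a whitelist here would be safer.
    $user->setFromData($data);

    if ($user->save()) {
        if (AuthUser::hasPermission('user_edit')) {
            // now we need to add permissions
            $permissions = isset($_POST['user_permission']) ? $_POST['user_permission'] : array();
            UserRole::setPermissionsFor($user->id, $permissions);
        }
        Flash::set('success', __('User has been saved!'));
        Observer::notify('user_after_edit', $user->name);
    } else {
        Flash::set('error', __('User has not been saved!'));
    }

    // Editing yourself returns to your own form; otherwise back to the list.
    if ((string) AuthUser::getId() === (string) $id) {
        redirect(get_url('user/edit/' . $id));
    } else {
        redirect(get_url('user'));
    }
}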
/**
 * Creates a new user from submitted form data.
 *
 * Order of checks: "user_add" permission, CSRF token, then username, email and
 * password through the class validators. The record is inserted with a fresh
 * salt plus hashed and blowfish passwords, activation meta is attached and the
 * submitted roles are assigned.
 *
 * @param array  $data   Submitted user fields (username, email, password, optional name, language, roles).
 * @param string $verify CSRF token to check against the "user/add" URL.
 * @return bool True when the user was created; false after an error was recorded via _error().
 */
public function addUser($data, $verify) {
    // CHECK PERMISSIONS
    if (!$this->permissions->hasPermission("user_add")) {
        $this->_error(__("You don't have the Permission to perform this action!"));
        return false;
    }
    $csrfUrl = get_url("user/add/" . $this->currentID);
    if (!SecureToken::validateToken($verify, $csrfUrl)) {
        $this->_error(__("The CSRF Token does not exist or is invalid!"));
        return false;
    }

    // VALIDATE USER DATA — each validator is only invoked when its key exists;
    // the validators are expected to record their own error message.
    $data = paw_xss_cleaner($data);
    $username = isset($data["username"]) ? $this->validateUsername($data["username"], true) : false;
    if ($username === false) {
        return false;
    }
    $usermail = isset($data["email"]) ? $this->validateUsermail($data["email"], true) : false;
    if ($usermail === false) {
        return false;
    }
    $password = isset($data["password"]) ? $this->validatePassword($data["password"], true) : false;
    if ($password === false) {
        return false;
    }
    if (!isset($data["name"])) {
        $data["name"] = $data["username"];
    }

    // CHECK LANGUAGE — unknown languages fall back to the configured default.
    if (isset($data["language"])) {
        $known = Setting::getLanguages();
        if (!isset($known[$data["language"]])) {
            $data["language"] = null;
        }
    }
    if (!isset($data["language"])) {
        $data["language"] = Setting::get("language");
    }

    // REGISTER-DATA — user-supplied text goes in through named placeholders,
    // generated values are escaped into the statement text.
    $userip = null;
    $usersalt = AuthUser::generateSalt();
    $blowfish = $this->_hashBlowfish($username, $password, $usersalt);
    $hashed = AuthUser::generateHashedPassword($password, $usersalt);
    $epoch = date("Y-m-d H:i:s", 0);
    $userdata = array(
        "name" => ":name",
        "email" => ":mail",
        "username" => ":user",
        "ip" => Record::escape($userip),
        "password" => Record::escape($hashed),
        "blowfish" => Record::escape($blowfish),
        "salt" => Record::escape($usersalt),
        "language" => ":lang",
        "last_login" => Record::escape($epoch),
        "last_failure" => Record::escape($epoch),
        "failure_count" => 0,
        "created_on" => Record::escape(date("Y-m-d H:i:s")),
        "updated_on" => Record::escape(date("Y-m-d H:i:s")),
        "created_by_id" => $this->currentID,
        "updated_by_id" => $this->currentID,
    );

    // ADD USER
    $columns = implode(", ", array_keys($userdata));
    $values = implode(", ", array_values($userdata));
    $query = sprintf("INSERT INTO %suser (%s) VALUES (%s)", TABLE_PREFIX, $columns, $values);
    $bindings = array(
        ":name" => $data["name"],
        ":user" => $username,
        ":mail" => $usermail,
        ":lang" => $data["language"],
    );
    Record::query($query, $bindings);

    $user = $this->getUser($username, "username");
    if ($user === false) {
        $this->_error(__("An unknown error is occurred!"));
        return false;
    }
    $this->fields->addMeta($user->id, "activation_type", "instant", true);
    $this->fields->addMeta($user->id, "activation_status", true, true);
    // Roles come straight from the submitted data; roleToUser() is assumed to
    // validate them (not in view).
    if (!empty($data["roles"])) {
        $this->permissions->roleToUser($data["roles"], $user->id);
    }
    return true;
}
// Write config.php
// $error / $msg accumulate HTML fragments; the <ul> opened here is closed
// outside this excerpt.
if (!file_put_contents(CFG_FILE, $config_content)) {
    $error .= "<ul><li><strong>Config file could not be written!</strong></li>\n";
} else {
    $msg .= "<ul><li>Config file successfully written.</li>\n";
}
if (false === $error) {
    // Include generated config.php
    require CFG_FILE;
    // Generate admin name (defaults to 'admin') and pwd
    if (isset($_POST['config']['admin_username'])) {
        $admin_name = $_POST['config']['admin_username'];
        $admin_name = trim($admin_name);
        try {
            // NOTE(review): rand() is not a cryptographic generator, so the
            // initial admin password built here is predictable; random_int()
            // (or random_bytes()) is the drop-in replacement.
            $admin_passwd_precrypt = '12' . dechex(rand(100000000, 4294967295)) . 'K';
            // $admin_salt is not defined in this excerpt — presumably set earlier
            // in the installer; confirm before relying on it.
            $admin_passwd = AuthUser::generateHashedPassword($admin_passwd_precrypt, $admin_salt);
        } catch (Exception $e) {
            $error = 'Wolf CMS could not generate a default administration password and has not been installed.<br />The following error has occured: <p><strong>' . $e->getMessage() . "</strong></p>\n";
            // Blank the config so a half-installed site cannot boot from it.
            file_put_contents(CFG_FILE, '');
        }
    }
    // If DB is SQLite, check that DB directory is writable.
    // db_driver / db_name are read without isset(); a missing key warns.
    if (false === $error && $_POST['config']['db_driver'] == 'sqlite') {
        $sqlite_db = $_POST['config']['db_name'];
        // Directory part of the DB path: split on '/' when present, else on '\'.
        if (false !== strrpos($sqlite_db, '/')) {
            $sqlite_dir = substr($sqlite_db, 0, strrpos($sqlite_db, '/'));
        } else {
            $sqlite_dir = substr($sqlite_db, 0, strrpos($sqlite_db, '\\'));
        }
        if (!file_exists($sqlite_db) && !is_writable($sqlite_dir)) {
            $error = 'Wolf CMS could not access the specified SQLite directory in order to create the SQLite DB.';
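/**
 * Handles the POSTed "edit user" form: CSRF check, password/confirm check,
 * hashing of a new password and persisting the record. Every failure path
 * stores a Flash error and redirects back to the edit form.
 *
 * @param int|string $id Id of the user being edited (from the URL).
 */
private function _edit($id) {
    $data = isset($_POST['user']) ? (array) $_POST['user'] : array();

    // CSRF checks. Both failures now return to this user's edit form (the
    // original sent an invalid token to 'user/add' and a missing one to
    // 'user/edit' without the id). The explicit returns keep the guard
    // effective even if redirect() does not terminate the request.
    if (!isset($_POST['csrf_token'])) {
        Flash::set('error', __('No CSRF token found!'));
        redirect(get_url('user/edit/' . $id));
        return;
    }
    if (!SecureToken::validateToken($_POST['csrf_token'], BASE_URL . 'user/edit')) {
        Flash::set('error', __('Invalid CSRF token found!'));
        redirect(get_url('user/edit/' . $id));
        return;
    }

    // Password change requested? Require >= 5 chars and a matching confirmation
    // (strict comparison; isset() avoids strlen() on a missing key).
    $password = isset($data['password']) ? (string) $data['password'] : '';
    if (strlen($password) > 0) {
        $confirm = isset($data['confirm']) ? (string) $data['confirm'] : '';
        if (strlen($password) >= 5 && $password === $confirm) {
            unset($data['confirm']);
        } else {
            Flash::set('error', __('Password and Confirm are not the same or too small!'));
            redirect(get_url('user/edit/' . $id));
            return;
        }
    } else {
        unset($data['password'], $data['confirm']);
    }

    $user = Record::findByIdFrom('User', $id);
    if (!$user) {
        // The original dereferenced a missing record; report it instead.
        Flash::set('error', __('User has not been saved!'));
        redirect(get_url('user'));
        return;
    }

    if (isset($data['password'])) {
        // Records created before salts existed may have none; generate one so
        // the hash can be verified later.
        if (empty($user->salt)) {
            $user->salt = AuthUser::generateSalt();
        }
        $data['password'] = AuthUser::generateHashedPassword($data['password'], $user->salt);
    }
    // NOTE(review): setFromData() receives every key the client posted; whether
    // it restricts the assignable fields depends on User::setFromData (not in view).
    $user->setFromData($data);

    if ($user->save()) {
        if (AuthUser::hasPermission('administrator')) {
            // now we need to add permissions
            $permissions = isset($_POST['user_permission']) ? $_POST['user_permission'] : array();
            UserPermission::setPermissionsFor($user->id, $permissions);
        }
        Flash::set('success', __('User has been saved!'));
    } else {
        Flash::set('error', __('User has not been saved!'));
    }

    // Editing yourself returns to your own form; otherwise back to the list.
    if ((string) AuthUser::getId() === (string) $id) {
        redirect(get_url('user/edit/' . $id));
    } else {
        redirect(get_url('user'));
    }
}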
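/**
 * This method is used to send a newly generated password to a user.
 *
 * Looks the user up by email, stores a freshly generated password (hashed with
 * the user's salt) and mails the plaintext to the stored address. On an
 * unknown email the address is flashed back to the "forgot" form.
 *
 * @param string $email The user's email address.
 */
private function _sendPasswordTo($email) {
    $user = User::findBy('email', $email);
    if (!$user) {
        Flash::set('email', $email);
        Flash::set('error', __('No user found!'));
        redirect(get_url('login/forgot'));
        return;
    }
    use_helper('Email');

    // random_int() (PHP >= 7.0) is a CSPRNG; rand() made the emailed password
    // predictable. The literal prefix appears redacted ("******") in this
    // listing — keep whatever the original source uses.
    $new_pass = '******' . dechex(random_int(100000000, 4294967295)) . 'K';

    if (empty($user->salt)) {
        $user->salt = AuthUser::generateSalt();
    }
    // Salt passed as the second argument, matching every other call site in this
    // code base; the original's single concatenated argument does not match the
    // (password, salt) form the login path presumably uses — confirm against AuthUser.
    $user->password = AuthUser::generateHashedPassword($new_pass, $user->salt);
    $user->save();

    // Separate name so the $email parameter is not shadowed by the mailer object.
    $mail = new Email();
    $mail->from(Setting::get('admin_email'), Setting::get('admin_title'));
    $mail->to($user->email);
    $mail->subject(__('Your new password from ') . Setting::get('admin_title'));
    $mail->message(__('Username') . ': ' . $user->username . "\n" . __('Password') . ': ' . $new_pass);
    $mail->send();

    Flash::set('success', __('An email has been sent with your new password!'));
    redirect(get_url('login'));
}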