/** * Processes an new account registration request. * * Processes the request from the form on the registration page, checking that: * 1. The honeypot was not modified; * 2. The master account has already been created (during installation); * 3. Account registration is enabled; * 4. The user is not already logged in; * 5. Valid information was entered; * 6. The captcha, if enabled, is correct; * 7. The username and email are not already taken. * Automatically sends an activation link upon success, if account activation is enabled. * This route is "public access". * Request type: POST * Returns the User Object for the user record that was created. */ public function register() { // POST: user_name, display_name, email, title, password, passwordc, captcha, spiderbro, csrf_token $post = $this->_app->request->post(); // Get the alert message stream $ms = $this->_app->alerts; // Check the honeypot. 'spiderbro' is not a real field, it is hidden on the main page and must be submitted with its default value for this to be processed. if (!$post['spiderbro'] || $post['spiderbro'] != "http://") { error_log("Possible spam received:" . print_r($this->_app->request->post(), true)); $ms->addMessage("danger", "Aww hellllls no!"); $this->_app->halt(500); // Don't let on about why the request failed ;-) } // Load the request schema $requestSchema = new \Fortress\RequestSchema($this->_app->config('schema.path') . "/forms/register.json"); // Set up Fortress to process the request $rf = new \Fortress\HTTPRequestFortress($ms, $requestSchema, $post); // Security measure: do not allow registering new users until the master account has been created. if (!User::find($this->_app->config('user_id_master'))) { $ms->addMessageTranslated("danger", "MASTER_ACCOUNT_NOT_EXISTS"); $this->_app->halt(403); } // Check if registration is currently enabled if (!$this->_app->site->can_register) { $ms->addMessageTranslated("danger", "ACCOUNT_REGISTRATION_DISABLED"); $this->_app->halt(403); } // Prevent the user from registering if he/she is already logged in if (!$this->_app->user->isGuest()) { $ms->addMessageTranslated("danger", "ACCOUNT_REGISTRATION_LOGOUT"); $this->_app->halt(200); } // Sanitize data $rf->sanitize(); // Validate, and halt on validation errors. $error = !$rf->validate(true); // Get the filtered data $data = $rf->data(); // Check captcha, if required if ($this->_app->site->enable_captcha == "1") { if (!$data['captcha'] || md5($data['captcha']) != $_SESSION['userfrosting']['captcha']) { $ms->addMessageTranslated("danger", "CAPTCHA_FAIL"); $error = true; } } // Remove captcha, password confirmation from object data $rf->removeFields(['captcha', 'passwordc']); // Perform desired data transformations. Is this a feature we could add to Fortress? $data['display_name'] = trim($data['display_name']); $data['locale'] = $this->_app->site->default_locale; if ($this->_app->site->require_activation) { $data['flag_verified'] = 0; } else { $data['flag_verified'] = 1; } // Check if username or email already exists if (User::where('user_name', $data['user_name'])->first()) { $ms->addMessageTranslated("danger", "ACCOUNT_USERNAME_IN_USE", $data); $error = true; } if (User::where('email', $data['email'])->first()) { $ms->addMessageTranslated("danger", "ACCOUNT_EMAIL_IN_USE", $data); $error = true; } // Halt on any validation errors if ($error) { $this->_app->halt(400); } // Get default primary group (is_default = GROUP_DEFAULT_PRIMARY) $primaryGroup = Group::where('is_default', GROUP_DEFAULT_PRIMARY)->first(); // Check that a default primary group is actually set if (!$primaryGroup) { $ms->addMessageTranslated("danger", "ACCOUNT_REGISTRATION_BROKEN"); error_log("Account registration is not working because a default primary group has not been set."); $this->_app->halt(500); } $data['primary_group_id'] = $primaryGroup->id; // Set default title for new users $data['title'] = $primaryGroup->new_user_title; // Hash password $data['password'] = Authentication::hashPassword($data['password']); // Create the user $user = new User($data); // Add user to default groups, including default primary group $defaultGroups = Group::where('is_default', GROUP_DEFAULT)->get(); $user->addGroup($primaryGroup->id); foreach ($defaultGroups as $group) { $user->addGroup($group->id); } // Create sign-up event $user->newEventSignUp(); // Store new user to database $user->save(); if ($this->_app->site->require_activation) { // Create verification request event $user->newEventVerificationRequest(); $user->save(); // Re-save with verification event // Create and send verification email $twig = $this->_app->view()->getEnvironment(); $template = $twig->loadTemplate("mail/activate-new.twig"); $notification = new Notification($template); $notification->fromWebsite(); // Automatically sets sender and reply-to $notification->addEmailRecipient($user->email, $user->display_name, ["user" => $user]); try { $notification->send(); } catch (\phpmailerException $e) { $ms->addMessageTranslated("danger", "MAIL_ERROR"); error_log('Mailer Error: ' . $e->errorMessage()); $this->_app->halt(500); } $ms->addMessageTranslated("success", "ACCOUNT_REGISTRATION_COMPLETE_TYPE2"); } else { // No activation required $ms->addMessageTranslated("success", "ACCOUNT_REGISTRATION_COMPLETE_TYPE1"); } // Return the user object to the calling program return $user; }
/** * Processes the request to create a new auth rule. * * Processes the request from the auth creation form, checking that: * 1. The group does not already have a rule for the specified hook. * 2. The user has the necessary permissions to update the posted field(s); * 3. The submitted data is valid. * This route requires authentication (and should generally be limited to admins or the root user). * Request type: POST * @see formAuthCreate * @todo make this work for user-level rules as well */ public function createAuthRule($id, $type = "group") { $post = $this->_app->request->post(); // Load the request schema $requestSchema = new \Fortress\RequestSchema($this->_app->config('schema.path') . "/forms/auth-create.json"); // Get the alert message stream $ms = $this->_app->alerts; // TODO: Check that the group exists $group = Group::find($id); // Access-controlled resource if (!$this->_app->user->checkAccess('create_auth', ['group' => $group])) { $ms->addMessageTranslated("danger", "ACCESS_DENIED"); $this->_app->halt(403); } // Set up Fortress to process the request $rf = new \Fortress\HTTPRequestFortress($ms, $requestSchema, $post); // Sanitize data $rf->sanitize(); // Validate, and halt on validation errors. $error = !$rf->validate(true); // Get the filtered data $data = $rf->data(); // Remove csrf_token from object data $rf->removeFields(['csrf_token']); // Perform desired data transformations on required fields. $data['hook'] = trim($data['hook']); $data['conditions'] = trim($data['conditions']); // Check if the group already has a rule for this hook if (GroupAuth::where("group_id", $id)->where("hook", $data['hook'])->first()) { $post['name'] = $group->name; $ms->addMessageTranslated("danger", "GROUP_AUTH_EXISTS", $post); $this->_app->halt(400); } // Halt on any validation errors if ($error) { $this->_app->halt(400); } // Create the rule $rule = new GroupAuth(); $rule->group_id = $id; $rule->hook = $data['hook']; $rule->conditions = $data['conditions']; // Store new group to database $rule->save(); // Success message $data['name'] = $group['name']; $ms->addMessageTranslated("success", "GROUP_AUTH_CREATION_SUCCESSFUL", $data); }
/** * Processes the request to update an existing user's details, including enabled/disabled status and activation status. * * Processes the request from the user update form, checking that: * 1. The target user's new email address, if specified, is not already in use; * 2. The logged-in user has the necessary permissions to update the posted field(s); * 3. We're not trying to disable the master account; * 4. The submitted data is valid. * This route requires authentication. * Request type: POST * @param int $user_id the id of the user to edit. * @see formUserEdit */ public function updateUser($user_id) { $post = $this->_app->request->post(); // Load the request schema $requestSchema = new \Fortress\RequestSchema($this->_app->config('schema.path') . "/forms/user-update.json"); // Get the alert message stream $ms = $this->_app->alerts; // Get the target user $target_user = User::find($user_id); // Get the target user's groups $groups = $target_user->getGroups(); /* // Access control for entire page if (!$this->_app->user->checkAccess('uri_update_user')){ $ms->addMessageTranslated("danger", "ACCESS_DENIED"); $this->_app->halt(403); } */ // Only the master account can edit the master account! if ($target_user->id == $this->_app->config('user_id_master') && $this->_app->user->id != $this->_app->config('user_id_master')) { $ms->addMessageTranslated("danger", "ACCESS_DENIED"); $this->_app->halt(403); } // Remove csrf_token unset($post['csrf_token']); // Set up Fortress to process the request $rf = new \Fortress\HTTPRequestFortress($ms, $requestSchema, $post); if (isset($post['passwordc'])) { unset($post['passwordc']); } // Check authorization for submitted fields, if the value has been changed foreach ($post as $name => $value) { if ($name == "groups" || isset($target_user->{$name}) && $post[$name] != $target_user->{$name}) { // Check authorization if (!$this->_app->user->checkAccess('update_account_setting', ['user' => $target_user, 'property' => $name])) { $ms->addMessageTranslated("danger", "ACCESS_DENIED"); $this->_app->halt(403); } } else { if (!isset($target_user->{$name})) { $ms->addMessageTranslated("danger", "NO_DATA"); $this->_app->halt(400); } } } // Check that we are not disabling the master account if ($target_user->id == $this->_app->config('user_id_master') && isset($post['flag_enabled']) && $post['flag_enabled'] == "0") { $ms->addMessageTranslated("danger", "ACCOUNT_DISABLE_MASTER"); $this->_app->halt(403); } // Check that the email address is not in use if (isset($post['email']) && $post['email'] != $target_user->email && UserLoader::exists($post['email'], 'email')) { $ms->addMessageTranslated("danger", "ACCOUNT_EMAIL_IN_USE", $post); $this->_app->halt(400); } // Sanitize $rf->sanitize(); // Validate, and halt on validation errors. if (!$rf->validate()) { $this->_app->halt(400); } // Remove passwordc $rf->removeFields(['passwordc']); // Get the filtered data $data = $rf->data(); // Update user groups if (isset($data['groups'])) { foreach ($data['groups'] as $group_id => $is_member) { if ($is_member == "1" && !isset($groups[$group_id])) { $target_user->addGroup($group_id); } else { if ($is_member == "0" && isset($groups[$group_id])) { $target_user->removeGroup($group_id); } } } unset($data['groups']); } // Hash password if (isset($data['password'])) { $data['password'] = Authentication::hashPassword($data['password']); } // Update the user and generate success messages foreach ($data as $name => $value) { if ($value != $target_user->{$name}) { $target_user->{$name} = $value; // Custom success messages (optional) if ($name == "flag_enabled") { if ($value == "1") { $ms->addMessageTranslated("success", "ACCOUNT_ENABLE_SUCCESSFUL", ["user_name" => $target_user->user_name]); } else { $ms->addMessageTranslated("success", "ACCOUNT_DISABLE_SUCCESSFUL", ["user_name" => $target_user->user_name]); } } if ($name == "flag_verified") { $ms->addMessageTranslated("success", "ACCOUNT_MANUALLY_ACTIVATED", ["user_name" => $target_user->user_name]); } } } // If we're generating a password reset, create the corresponding event and shoot off an email if (isset($data['flag_password_reset']) && $data['flag_password_reset'] == "1") { // Recheck auth if (!$this->_app->user->checkAccess('update_account_setting', ['user' => $target_user, 'property' => 'flag_password_reset'])) { $ms->addMessageTranslated("danger", "ACCESS_DENIED"); $this->_app->halt(403); } // New password reset event - bypass any rate limiting $target_user->newEventPasswordReset(); $target_user->save(); // Email the user asking to confirm this change password request $twig = $this->_app->view()->getEnvironment(); $template = $twig->loadTemplate("mail/password-reset.twig"); $notification = new Notification($template); $notification->fromWebsite(); // Automatically sets sender and reply-to $notification->addEmailRecipient($target_user->email, $target_user->display_name, ["user" => $target_user, "request_date" => date("Y-m-d H:i:s")]); try { $notification->send(); } catch (\Exception\phpmailerException $e) { $ms->addMessageTranslated("danger", "MAIL_ERROR"); error_log('Mailer Error: ' . $e->errorMessage()); $this->_app->halt(500); } $ms->addMessageTranslated("success", "FORGOTPASS_REQUEST_SENT", ["user_name" => $target_user->user_name]); } $ms->addMessageTranslated("success", "ACCOUNT_DETAILS_UPDATED", ["user_name" => $target_user->user_name]); $target_user->save(); }
$_SESSION['Fortress']['alerts'] = new Fortress\MessageStream($translator); } $ms = $_SESSION['Fortress']['alerts']; /*******************************************************/ // Test the error stream and reset echo "<h2>Current message stream</h2>"; echo "<pre>"; print_r($ms->messages()); echo "</pre>"; $ms->resetMessageStream(); // Load the request schema $schema = new Fortress\RequestSchema("fortress/schema/forms/register.json"); // POST request $rf = new Fortress\HTTPRequestFortress($ms, $schema, $_GET); // Remove csrf_token from the request data, if specified $rf->removeFields(['csrf_token']); // Sanitize, and print sanitized data for demo purposes $rf->sanitize(true, "error"); echo "<h2>Sanitized data</h2>"; echo "<pre>"; print_r($rf->data()); echo "</pre>"; // Validate. Normally we'd want to halt on validation errors. But for this demo, we will simply print the message stream. if (!$rf->validate()) { $ms->addMessageTranslated("danger", "Validation failed for {{placeholder}}", ["placeholder" => "the form"]); } // Test client validators $clientVal = new Fortress\ClientSideValidator($schema, $translator); echo "<h2>Client-side validation schema (JSON)</h2>"; echo "<pre>"; print_r($clientVal->formValidationRulesJson());
public function register() { // POST: user_name, display_name, email, title, password, passwordc, captcha, spiderbro, csrf_token $post = $this->_app->request->post(); // Get the alert message stream $ms = $this->_app->alerts; // Check the honeypot. 'spiderbro' is not a real field, it is hidden on the main page and must be submitted with its default value for this to be processed. if (!$post['spiderbro'] || $post['spiderbro'] != "http://") { error_log("Possible spam received:" . print_r($this->_app->request->post(), true)); $ms->addMessage("danger", "Aww hellllls no!"); $this->_app->halt(500); // Don't let on about why the request failed ;-) } // Load the request schema $requestSchema = new \Fortress\RequestSchema($this->_app->config('schema.path') . "/forms/register.json"); // Set up Fortress to process the request $rf = new \Fortress\HTTPRequestFortress($ms, $requestSchema, $post); // Security measure: do not allow registering new users until the master account has been created. if (!UserLoader::exists($this->_app->config('user_id_master'))) { $ms->addMessageTranslated("danger", "MASTER_ACCOUNT_NOT_EXISTS"); $this->_app->halt(403); } // Check if registration is currently enabled if (!$this->_app->site->can_register) { $ms->addMessageTranslated("danger", "ACCOUNT_REGISTRATION_DISABLED"); $this->_app->halt(403); } // Prevent the user from registering if he/she is already logged in if (!$this->_app->user->isGuest()) { $ms->addMessageTranslated("danger", "ACCOUNT_REGISTRATION_LOGOUT"); $this->_app->halt(200); } // Sanitize data $rf->sanitize(); // Validate, and halt on validation errors. $error = !$rf->validate(true); // Get the filtered data $data = $rf->data(); // Check captcha, if required if ($this->_app->site->enable_captcha == "1") { if (!$data['captcha'] || md5($data['captcha']) != $_SESSION['userfrosting']['captcha']) { $ms->addMessageTranslated("danger", "CAPTCHA_FAIL"); $error = true; } } // Remove captcha, password confirmation from object data $rf->removeFields(['captcha', 'passwordc']); // Perform desired data transformations. Is this a feature we could add to Fortress? $data['user_name'] = strtolower(trim($data['user_name'])); $data['display_name'] = trim($data['display_name']); $data['email'] = strtolower(trim($data['email'])); $data['locale'] = $this->_app->site->default_locale; if ($this->_app->site->require_activation) { $data['active'] = 0; } else { $data['active'] = 1; } // Check if username or email already exists if (UserLoader::exists($data['user_name'], 'user_name')) { $ms->addMessageTranslated("danger", "ACCOUNT_USERNAME_IN_USE", $data); $error = true; } if (UserLoader::exists($data['email'], 'email')) { $ms->addMessageTranslated("danger", "ACCOUNT_EMAIL_IN_USE", $data); $error = true; } // Halt on any validation errors if ($error) { $this->_app->halt(400); } // Get default primary group (is_default = GROUP_DEFAULT_PRIMARY) $primaryGroup = GroupLoader::fetch(GROUP_DEFAULT_PRIMARY, "is_default"); $data['primary_group_id'] = $primaryGroup->id; // Set default title for new users $data['title'] = $primaryGroup->new_user_title; // Hash password $data['password'] = Authentication::hashPassword($data['password']); // Create the user $user = new User($data); // Add user to default groups, including default primary group $defaultGroups = GroupLoader::fetchAll(GROUP_DEFAULT, "is_default"); $user->addGroup($primaryGroup->id); foreach ($defaultGroups as $group_id => $group) { $user->addGroup($group_id); } // Store new user to database $user->store(); if ($this->_app->site->require_activation) { // Create and send activation email $mail = new \PHPMailer(); $mail->From = $this->_app->site->admin_email; $mail->FromName = $this->_app->site->site_title; $mail->addAddress($user->email); // Add a recipient $mail->addReplyTo($this->_app->site->admin_email, $this->_app->site->site_title); $mail->Subject = $this->_app->site->site_title . " - please activate your account"; $mail->Body = $this->_app->view()->render("common/mail/activate-new.html", ["user" => $user]); $mail->isHTML(true); // Set email format to HTML if (!$mail->send()) { $ms->addMessageTranslated("danger", "MAIL_ERROR"); error_log('Mailer Error: ' . $mail->ErrorInfo); $this->_app->halt(500); } // Activation required $ms->addMessageTranslated("success", "ACCOUNT_REGISTRATION_COMPLETE_TYPE2"); } else { // No activation required $ms->addMessageTranslated("success", "ACCOUNT_REGISTRATION_COMPLETE_TYPE1"); } }
/** * Processes the request to create a new user (from the admin controls). * * Processes the request from the user creation form, checking that: * 1. The username and email are not already in use; * 2. The logged-in user has the necessary permissions to update the posted field(s); * 3. The submitted data is valid. * This route requires authentication. * Request type: POST * @see formUserCreate */ public function createUser() { $post = $this->_app->request->post(); // Load the request schema $requestSchema = new \Fortress\RequestSchema($this->_app->config('schema.path') . "/forms/user-create.json"); // Get the alert message stream $ms = $this->_app->alerts; // Access-controlled resource if (!$this->_app->user->checkAccess('create_account')) { $ms->addMessageTranslated("danger", "ACCESS_DENIED"); $this->_app->halt(403); } // Set up Fortress to process the request $rf = new \Fortress\HTTPRequestFortress($ms, $requestSchema, $post); // Sanitize data $rf->sanitize(); // Validate, and halt on validation errors. $error = !$rf->validate(true); // Get the filtered data $data = $rf->data(); // Remove csrf_token, password confirmation from object data $rf->removeFields(['csrf_token, passwordc']); // Perform desired data transformations on required fields. Is this a feature we could add to Fortress? $data['user_name'] = strtolower(trim($data['user_name'])); $data['display_name'] = trim($data['display_name']); $data['email'] = strtolower(trim($data['email'])); $data['active'] = 1; // Check if username or email already exists if (UserLoader::exists($data['user_name'], 'user_name')) { $ms->addMessageTranslated("danger", "ACCOUNT_USERNAME_IN_USE", $data); $error = true; } if (UserLoader::exists($data['email'], 'email')) { $ms->addMessageTranslated("danger", "ACCOUNT_EMAIL_IN_USE", $data); $error = true; } // Halt on any validation errors if ($error) { $this->_app->halt(400); } // Get default primary group (is_default = GROUP_DEFAULT_PRIMARY) $primaryGroup = GroupLoader::fetch(GROUP_DEFAULT_PRIMARY, "is_default"); // Set default values if not specified or not authorized if (!isset($data['locale']) || !$this->_app->user->checkAccess("update_account_setting", ["property" => "locale"])) { $data['locale'] = $this->_app->site->default_locale; } if (!isset($data['title']) || !$this->_app->user->checkAccess("update_account_setting", ["property" => "title"])) { // Set default title for new users $data['title'] = $primaryGroup->new_user_title; } if (!isset($data['primary_group_id']) || !$this->_app->user->checkAccess("update_account_setting", ["property" => "primary_group_id"])) { $data['primary_group_id'] = $primaryGroup->id; } // Set groups to default groups if not specified or not authorized to set groups if (!isset($data['groups']) || !$this->_app->user->checkAccess("update_account_setting", ["property" => "groups"])) { $default_groups = GroupLoader::fetchAll(GROUP_DEFAULT, "is_default"); $data['groups'] = []; foreach ($default_groups as $group_id => $group) { $data['groups'][$group_id] = "1"; } } // Hash password $data['password'] = Authentication::hashPassword($data['password']); // Create the user $user = new User($data); // Add user to groups, including selected primary group $user->addGroup($data['primary_group_id']); foreach ($data['groups'] as $group_id => $is_member) { if ($is_member == "1") { $user->addGroup($group_id); } } // Store new user to database $user->store(); // Success message $ms->addMessageTranslated("success", "ACCOUNT_CREATION_COMPLETE", $data); }
/** * Processes a request to create the master account. * * Processes the request from the master account creation form, checking that: * 1. The honeypot has not been changed; * 2. The master account does not already exist; * 3. The correct configuration token was submitted; * 3. The submitted data is valid. * This route is "public access" (until the master account has been created, that is) * Request type: POST */ public function setupMasterAccount() { $post = $this->_app->request->post(); // Get the alert message stream $ms = $this->_app->alerts; // Check the honeypot. 'spiderbro' is not a real field, it is hidden on the main page and must be submitted with its default value for this to be processed. if (!$post['spiderbro'] || $post['spiderbro'] != "http://") { error_log("Possible spam received:" . print_r($this->_app->request->post(), true)); $ms->addMessage("danger", "Aww hellllls no!"); $this->_app->halt(500); // Don't let on about why the request failed ;-) } // Do not allow registering a master account if one has already been created if (User::find($this->_app->config('user_id_master'))) { $ms->addMessageTranslated("danger", "MASTER_ACCOUNT_EXISTS"); $this->_app->halt(403); } // Check the configuration token if ($post['root_account_config_token'] != $this->_app->site->root_account_config_token) { $ms->addMessageTranslated("danger", "CONFIG_TOKEN_MISMATCH"); $this->_app->halt(403); } // Load the request schema $requestSchema = new \Fortress\RequestSchema($this->_app->config('schema.path') . "/forms/register.json"); // Set up Fortress to process the request $rf = new \Fortress\HTTPRequestFortress($ms, $requestSchema, $post); // Sanitize data $rf->sanitize(); // Validate, and halt on validation errors. $error = !$rf->validate(true); // Get the filtered data $data = $rf->data(); // Remove configuration token, password confirmation from object data $rf->removeFields(['root_account_config_token', 'passwordc']); // Perform desired data transformations. Is this a feature we could add to Fortress? $data['display_name'] = trim($data['display_name']); $data['flag_verified'] = 1; $data['locale'] = $this->_app->site->default_locale; // Halt on any validation errors if ($error) { $this->_app->halt(400); } // Get default primary group (is_default = GROUP_DEFAULT_PRIMARY) $primaryGroup = Group::where('is_default', GROUP_DEFAULT_PRIMARY)->first(); $data['primary_group_id'] = $primaryGroup->id; // Set default title for new users $data['title'] = $primaryGroup->new_user_title; // Hash password $data['password'] = Authentication::hashPassword($data['password']); // Create the master user $user = new User($data); $user->id = $this->_app->config('user_id_master'); // Add user to default groups, including default primary group $defaultGroups = Group::where('is_default', GROUP_DEFAULT)->get(); $user->addGroup($primaryGroup->id); foreach ($defaultGroups as $group) { $group_id = $group->id; $user->addGroup($group_id); } // Add sign-up event $user->newEventSignUp(); // Store new user to database $user->save(); // No activation required $ms->addMessageTranslated("success", "ACCOUNT_REGISTRATION_COMPLETE_TYPE1"); // Update install status $this->_app->site->install_status = "new"; $this->_app->site->root_account_config_token = ""; $this->_app->site->store(); }
/** * Processes the request to create a new group. * * Processes the request from the group creation form, checking that: * 1. The group name is not already in use; * 2. The user has the necessary permissions to update the posted field(s); * 3. The submitted data is valid. * This route requires authentication (and should generally be limited to admins or the root user). * Request type: POST * @see formGroupCreate */ public function createGroup() { $post = $this->_app->request->post(); // DEBUG: view posted data //error_log(print_r($post, true)); // Load the request schema $requestSchema = new \Fortress\RequestSchema($this->_app->config('schema.path') . "/forms/group-create.json"); // Get the alert message stream $ms = $this->_app->alerts; // Access-controlled resource if (!$this->_app->user->checkAccess('create_group')) { $ms->addMessageTranslated("danger", "ACCESS_DENIED"); $this->_app->halt(403); } // Set up Fortress to process the request $rf = new \Fortress\HTTPRequestFortress($ms, $requestSchema, $post); // Sanitize data $rf->sanitize(); // Validate, and halt on validation errors. $error = !$rf->validate(true); // Get the filtered data $data = $rf->data(); // Remove csrf_token from object data $rf->removeFields(['csrf_token']); // Perform desired data transformations on required fields. $data['name'] = trim($data['name']); $data['new_user_title'] = trim($data['new_user_title']); $data['landing_page'] = strtolower(trim($data['landing_page'])); $data['theme'] = strtolower(trim($data['theme'])); $data['can_delete'] = 1; // Check if group name already exists if (GroupLoader::exists($data['name'], 'name')) { $ms->addMessageTranslated("danger", "GROUP_NAME_IN_USE", $post); $error = true; } // Halt on any validation errors if ($error) { $this->_app->halt(400); } // Set default values if not specified or not authorized if (!isset($data['theme']) || !$this->_app->user->checkAccess("update_group_setting", ["property" => "theme"])) { $data['theme'] = "default"; } if (!isset($data['new_user_title']) || !$this->_app->user->checkAccess("update_group_setting", ["property" => "new_user_title"])) { // Set default title for new users $data['new_user_title'] = "New User"; } if (!isset($data['landing_page']) || !$this->_app->user->checkAccess("update_group_setting", ["property" => "landing_page"])) { $data['landing_page'] = "dashboard"; } if (!isset($data['icon']) || !$this->_app->user->checkAccess("update_group_setting", ["property" => "icon"])) { $data['icon'] = "fa fa-user"; } if (!isset($data['is_default']) || !$this->_app->user->checkAccess("update_group_setting", ["property" => "is_default"])) { $data['is_default'] = "0"; } // Create the group $group = new Group($data); // Store new group to database $group->store(); // Success message $ms->addMessageTranslated("success", "GROUP_CREATION_SUCCESSFUL", $data); }