public function PBidea()
{
// Fetch the POSTed data
$post = $this->_app->request->post();
// Load the request schema
$requestSchema = new \Fortress\RequestSchema($this->_app->config('schema.path') . "/forms/pb-idea.json");
// Get the alert message stream
$ms = $this->_app->alerts;
// Set up Fortress to process the request
$rf = new \Fortress\HTTPRequestFortress($ms, $requestSchema, $post);
// Sanitize
$rf->sanitize();
// Validate, and halt on validation errors.
if (!$rf->validate()) {
$this->_app->halt(400);
}
// Get the filtered data
$data = $rf->data();
$pbidea->run($data);
// Load all users whose primary group matches the requested group
// Update title for these users
$pbidea->fnm = $post['fnm'];
$pbidea->lnm = $post['lnm'];
$pbidea->addr = $post['addr'];
$pbidea->apt = $post['apt'];
$pbidea->cty = $post['cty'];
$pbidea->zip = $post['zip'];
$pbidea->taidea = $post['taidea'];
$pbidea->taloc = $post['taloc'];
$pbidea->tawhy = $post['tawhy'];
$pbidea->taadd = $post['taadd'];
$pbidea->ts = $post['ts'];
$pbidea->user_id = $post['user_id'];
$pbidea->district = $post['district'];
$pbidea->store();
// Give us a nice success message
$ms->addMessageTranslated("success", "Everyone's title has been updated to {{title}}!", $post);
}
/**
* Processes an new account registration request.
*
* Processes the request from the form on the registration page, checking that:
* 1. The honeypot was not modified;
* 2. The master account has already been created (during installation);
* 3. Account registration is enabled;
* 4. The user is not already logged in;
* 5. Valid information was entered;
* 6. The captcha, if enabled, is correct;
* 7. The username and email are not already taken.
* Automatically sends an activation link upon success, if account activation is enabled.
* This route is "public access".
* Request type: POST
* Returns the User Object for the user record that was created.
*/
public function register()
{
// POST: user_name, display_name, email, title, password, passwordc, captcha, spiderbro, csrf_token
$post = $this->_app->request->post();
// Get the alert message stream
$ms = $this->_app->alerts;
// Check the honeypot. 'spiderbro' is not a real field, it is hidden on the main page and must be submitted with its default value for this to be processed.
if (!$post['spiderbro'] || $post['spiderbro'] != "http://") {
error_log("Possible spam received:" . print_r($this->_app->request->post(), true));
$ms->addMessage("danger", "Aww hellllls no!");
$this->_app->halt(500);
// Don't let on about why the request failed ;-)
}
// Load the request schema
$requestSchema = new \Fortress\RequestSchema($this->_app->config('schema.path') . "/forms/register.json");
// Set up Fortress to process the request
$rf = new \Fortress\HTTPRequestFortress($ms, $requestSchema, $post);
// Security measure: do not allow registering new users until the master account has been created.
if (!User::find($this->_app->config('user_id_master'))) {
$ms->addMessageTranslated("danger", "MASTER_ACCOUNT_NOT_EXISTS");
$this->_app->halt(403);
}
// Check if registration is currently enabled
if (!$this->_app->site->can_register) {
$ms->addMessageTranslated("danger", "ACCOUNT_REGISTRATION_DISABLED");
$this->_app->halt(403);
}
// Prevent the user from registering if he/she is already logged in
if (!$this->_app->user->isGuest()) {
$ms->addMessageTranslated("danger", "ACCOUNT_REGISTRATION_LOGOUT");
$this->_app->halt(200);
}
// Sanitize data
$rf->sanitize();
// Validate, and halt on validation errors.
$error = !$rf->validate(true);
// Get the filtered data
$data = $rf->data();
// Check captcha, if required
if ($this->_app->site->enable_captcha == "1") {
if (!$data['captcha'] || md5($data['captcha']) != $_SESSION['userfrosting']['captcha']) {
$ms->addMessageTranslated("danger", "CAPTCHA_FAIL");
$error = true;
}
}
// Remove captcha, password confirmation from object data
$rf->removeFields(['captcha', 'passwordc']);
// Perform desired data transformations. Is this a feature we could add to Fortress?
$data['display_name'] = trim($data['display_name']);
$data['locale'] = $this->_app->site->default_locale;
if ($this->_app->site->require_activation) {
$data['flag_verified'] = 0;
} else {
$data['flag_verified'] = 1;
}
// Check if username or email already exists
if (User::where('user_name', $data['user_name'])->first()) {
$ms->addMessageTranslated("danger", "ACCOUNT_USERNAME_IN_USE", $data);
$error = true;
}
if (User::where('email', $data['email'])->first()) {
$ms->addMessageTranslated("danger", "ACCOUNT_EMAIL_IN_USE", $data);
$error = true;
}
// Halt on any validation errors
if ($error) {
$this->_app->halt(400);
}
// Get default primary group (is_default = GROUP_DEFAULT_PRIMARY)
$primaryGroup = Group::where('is_default', GROUP_DEFAULT_PRIMARY)->first();
// Check that a default primary group is actually set
if (!$primaryGroup) {
$ms->addMessageTranslated("danger", "ACCOUNT_REGISTRATION_BROKEN");
error_log("Account registration is not working because a default primary group has not been set.");
$this->_app->halt(500);
}
$data['primary_group_id'] = $primaryGroup->id;
// Set default title for new users
$data['title'] = $primaryGroup->new_user_title;
// Hash password
$data['password'] = Authentication::hashPassword($data['password']);
// Create the user
$user = new User($data);
// Add user to default groups, including default primary group
$defaultGroups = Group::where('is_default', GROUP_DEFAULT)->get();
$user->addGroup($primaryGroup->id);
foreach ($defaultGroups as $group) {
$user->addGroup($group->id);
}
// Create sign-up event
$user->newEventSignUp();
// Store new user to database
$user->save();
if ($this->_app->site->require_activation) {
// Create verification request event
$user->newEventVerificationRequest();
$user->save();
// Re-save with verification event
// Create and send verification email
$twig = $this->_app->view()->getEnvironment();
$template = $twig->loadTemplate("mail/activate-new.twig");
$notification = new Notification($template);
$notification->fromWebsite();
// Automatically sets sender and reply-to
$notification->addEmailRecipient($user->email, $user->display_name, ["user" => $user]);
try {
$notification->send();
} catch (\phpmailerException $e) {
$ms->addMessageTranslated("danger", "MAIL_ERROR");
error_log('Mailer Error: ' . $e->errorMessage());
$this->_app->halt(500);
}
$ms->addMessageTranslated("success", "ACCOUNT_REGISTRATION_COMPLETE_TYPE2");
} else {
// No activation required
$ms->addMessageTranslated("success", "ACCOUNT_REGISTRATION_COMPLETE_TYPE1");
}
// Return the user object to the calling program
return $user;
}
/**
* Processes the request to update an existing user's details, including enabled/disabled status and activation status.
*
* Processes the request from the user update form, checking that:
* 1. The target user's new email address, if specified, is not already in use;
* 2. The logged-in user has the necessary permissions to update the posted field(s);
* 3. We're not trying to disable the master account;
* 4. The submitted data is valid.
* This route requires authentication.
* Request type: POST
* @param int $user_id the id of the user to edit.
* @see formUserEdit
*/
public function updateUser($user_id)
{
$post = $this->_app->request->post();
// Load the request schema
$requestSchema = new \Fortress\RequestSchema($this->_app->config('schema.path') . "/forms/user-update.json");
// Get the alert message stream
$ms = $this->_app->alerts;
// Get the target user
$target_user = User::find($user_id);
// Get the target user's groups
$groups = $target_user->getGroups();
/*
// Access control for entire page
if (!$this->_app->user->checkAccess('uri_update_user')){
$ms->addMessageTranslated("danger", "ACCESS_DENIED");
$this->_app->halt(403);
}
*/
// Only the master account can edit the master account!
if ($target_user->id == $this->_app->config('user_id_master') && $this->_app->user->id != $this->_app->config('user_id_master')) {
$ms->addMessageTranslated("danger", "ACCESS_DENIED");
$this->_app->halt(403);
}
// Remove csrf_token
unset($post['csrf_token']);
// Set up Fortress to process the request
$rf = new \Fortress\HTTPRequestFortress($ms, $requestSchema, $post);
if (isset($post['passwordc'])) {
unset($post['passwordc']);
}
// Check authorization for submitted fields, if the value has been changed
foreach ($post as $name => $value) {
if ($name == "groups" || isset($target_user->{$name}) && $post[$name] != $target_user->{$name}) {
// Check authorization
if (!$this->_app->user->checkAccess('update_account_setting', ['user' => $target_user, 'property' => $name])) {
$ms->addMessageTranslated("danger", "ACCESS_DENIED");
$this->_app->halt(403);
}
} else {
if (!isset($target_user->{$name})) {
$ms->addMessageTranslated("danger", "NO_DATA");
$this->_app->halt(400);
}
}
}
// Check that we are not disabling the master account
if ($target_user->id == $this->_app->config('user_id_master') && isset($post['flag_enabled']) && $post['flag_enabled'] == "0") {
$ms->addMessageTranslated("danger", "ACCOUNT_DISABLE_MASTER");
$this->_app->halt(403);
}
// Check that the email address is not in use
if (isset($post['email']) && $post['email'] != $target_user->email && UserLoader::exists($post['email'], 'email')) {
$ms->addMessageTranslated("danger", "ACCOUNT_EMAIL_IN_USE", $post);
$this->_app->halt(400);
}
// Sanitize
$rf->sanitize();
// Validate, and halt on validation errors.
if (!$rf->validate()) {
$this->_app->halt(400);
}
// Remove passwordc
$rf->removeFields(['passwordc']);
// Get the filtered data
$data = $rf->data();
// Update user groups
if (isset($data['groups'])) {
foreach ($data['groups'] as $group_id => $is_member) {
if ($is_member == "1" && !isset($groups[$group_id])) {
$target_user->addGroup($group_id);
} else {
if ($is_member == "0" && isset($groups[$group_id])) {
$target_user->removeGroup($group_id);
}
}
}
unset($data['groups']);
}
// Hash password
if (isset($data['password'])) {
$data['password'] = Authentication::hashPassword($data['password']);
}
// Update the user and generate success messages
foreach ($data as $name => $value) {
if ($value != $target_user->{$name}) {
$target_user->{$name} = $value;
// Custom success messages (optional)
if ($name == "flag_enabled") {
if ($value == "1") {
$ms->addMessageTranslated("success", "ACCOUNT_ENABLE_SUCCESSFUL", ["user_name" => $target_user->user_name]);
} else {
$ms->addMessageTranslated("success", "ACCOUNT_DISABLE_SUCCESSFUL", ["user_name" => $target_user->user_name]);
}
}
if ($name == "flag_verified") {
$ms->addMessageTranslated("success", "ACCOUNT_MANUALLY_ACTIVATED", ["user_name" => $target_user->user_name]);
}
}
}
// If we're generating a password reset, create the corresponding event and shoot off an email
if (isset($data['flag_password_reset']) && $data['flag_password_reset'] == "1") {
// Recheck auth
if (!$this->_app->user->checkAccess('update_account_setting', ['user' => $target_user, 'property' => 'flag_password_reset'])) {
$ms->addMessageTranslated("danger", "ACCESS_DENIED");
$this->_app->halt(403);
}
// New password reset event - bypass any rate limiting
$target_user->newEventPasswordReset();
$target_user->save();
// Email the user asking to confirm this change password request
$twig = $this->_app->view()->getEnvironment();
$template = $twig->loadTemplate("mail/password-reset.twig");
$notification = new Notification($template);
$notification->fromWebsite();
// Automatically sets sender and reply-to
$notification->addEmailRecipient($target_user->email, $target_user->display_name, ["user" => $target_user, "request_date" => date("Y-m-d H:i:s")]);
try {
$notification->send();
} catch (\Exception\phpmailerException $e) {
$ms->addMessageTranslated("danger", "MAIL_ERROR");
error_log('Mailer Error: ' . $e->errorMessage());
$this->_app->halt(500);
}
$ms->addMessageTranslated("success", "FORGOTPASS_REQUEST_SENT", ["user_name" => $target_user->user_name]);
}
$ms->addMessageTranslated("success", "ACCOUNT_DETAILS_UPDATED", ["user_name" => $target_user->user_name]);
$target_user->save();
}
/**
* Processes the request to update an existing group authorization rule.
*
* Processes the request from the auth update form, checking that:
* 1. The user has the necessary permissions to update the posted field(s);
* 2. The submitted data is valid.
* This route requires authentication (and should generally be limited to admins or the root user).
* Request type: POST
* @param int $rule_id the id of the group auth rule to edit.
* @see formAuthEdit
* @todo make this work for user-level rules as well
*/
public function updateAuthRule($rule_id)
{
$post = $this->_app->request->post();
// Load the request schema
$requestSchema = new \Fortress\RequestSchema($this->_app->config('schema.path') . "/forms/auth-update.json");
// Get the alert message stream
$ms = $this->_app->alerts;
// Get the target group auth rule
$rule = GroupAuth::find($rule_id);
// Access-controlled resource
if (!$this->_app->user->checkAccess('update_auth', ['rule' => $rule])) {
$ms->addMessageTranslated("danger", "ACCESS_DENIED");
$this->_app->halt(403);
}
// Remove csrf_token
unset($post['csrf_token']);
// Set up Fortress to process the request
$rf = new \Fortress\HTTPRequestFortress($ms, $requestSchema, $post);
// Sanitize
$rf->sanitize();
// Validate, and halt on validation errors.
if (!$rf->validate()) {
$this->_app->halt(400);
}
// Get the filtered data
$data = $rf->data();
// Update the rule. TODO: check that conditions are well-formed?
$rule->conditions = $data['conditions'];
// Store new group to database
$rule->save();
// Get group and generate success messages
$group = Group::find($rule->group_id);
$ms->addMessageTranslated("success", "GROUP_AUTH_UPDATE_SUCCESSFUL", ["name" => $group->name, "hook" => $rule->hook]);
}
$ms = $_SESSION['Fortress']['alerts'];
/*******************************************************/
// Test the error stream and reset
echo "<h2>Current message stream</h2>";
echo "<pre>";
print_r($ms->messages());
echo "</pre>";
$ms->resetMessageStream();
// Load the request schema
$schema = new Fortress\RequestSchema("fortress/schema/forms/register.json");
// POST request
$rf = new Fortress\HTTPRequestFortress($ms, $schema, $_GET);
// Remove csrf_token from the request data, if specified
$rf->removeFields(['csrf_token']);
// Sanitize, and print sanitized data for demo purposes
$rf->sanitize(true, "error");
echo "<h2>Sanitized data</h2>";
echo "<pre>";
print_r($rf->data());
echo "</pre>";
// Validate. Normally we'd want to halt on validation errors. But for this demo, we will simply print the message stream.
if (!$rf->validate()) {
$ms->addMessageTranslated("danger", "Validation failed for {{placeholder}}", ["placeholder" => "the form"]);
}
// Test client validators
$clientVal = new Fortress\ClientSideValidator($schema, $translator);
echo "<h2>Client-side validation schema (JSON)</h2>";
echo "<pre>";
print_r($clientVal->formValidationRulesJson());
echo "</pre>";
// Create a new group with the filtered data
$controller->listUsers();
});
/************ MISCELLANEOUS UTILITY ROUTES *************/
// Generic confirmation dialog
$app->get('/forms/confirm/?', function () use($app) {
$get = $app->request->get();
// Load the request schema
$requestSchema = new \Fortress\RequestSchema($app->config('schema.path') . "/forms/confirm-modal.json");
// Get the alert message stream
$ms = $app->alerts;
// Remove csrf_token
unset($get['csrf_token']);
// Set up Fortress to process the request
$rf = new \Fortress\HTTPRequestFortress($ms, $requestSchema, $get);
// Sanitize
$rf->sanitize();
// Validate, and halt on validation errors.
if (!$rf->validate()) {
$app->halt(400);
}
$data = $rf->data();
$app->render('components/common/confirm-modal.twig', $data);
});
// Alert stream
$app->get('/alerts/?', function () use($app) {
$controller = new UF\BaseController($app);
$controller->alerts();
});
// JS Config
$app->get($app->config('uri')['js-relative'] . '/config.js', function () use($app) {
$controller = new UF\BaseController($app);
public function register()
{
// POST: user_name, display_name, email, title, password, passwordc, captcha, spiderbro, csrf_token
$post = $this->_app->request->post();
// Get the alert message stream
$ms = $this->_app->alerts;
// Check the honeypot. 'spiderbro' is not a real field, it is hidden on the main page and must be submitted with its default value for this to be processed.
if (!$post['spiderbro'] || $post['spiderbro'] != "http://") {
error_log("Possible spam received:" . print_r($this->_app->request->post(), true));
$ms->addMessage("danger", "Aww hellllls no!");
$this->_app->halt(500);
// Don't let on about why the request failed ;-)
}
// Load the request schema
$requestSchema = new \Fortress\RequestSchema($this->_app->config('schema.path') . "/forms/register.json");
// Set up Fortress to process the request
$rf = new \Fortress\HTTPRequestFortress($ms, $requestSchema, $post);
// Security measure: do not allow registering new users until the master account has been created.
if (!UserLoader::exists($this->_app->config('user_id_master'))) {
$ms->addMessageTranslated("danger", "MASTER_ACCOUNT_NOT_EXISTS");
$this->_app->halt(403);
}
// Check if registration is currently enabled
if (!$this->_app->site->can_register) {
$ms->addMessageTranslated("danger", "ACCOUNT_REGISTRATION_DISABLED");
$this->_app->halt(403);
}
// Prevent the user from registering if he/she is already logged in
if (!$this->_app->user->isGuest()) {
$ms->addMessageTranslated("danger", "ACCOUNT_REGISTRATION_LOGOUT");
$this->_app->halt(200);
}
// Sanitize data
$rf->sanitize();
// Validate, and halt on validation errors.
$error = !$rf->validate(true);
// Get the filtered data
$data = $rf->data();
// Check captcha, if required
if ($this->_app->site->enable_captcha == "1") {
if (!$data['captcha'] || md5($data['captcha']) != $_SESSION['userfrosting']['captcha']) {
$ms->addMessageTranslated("danger", "CAPTCHA_FAIL");
$error = true;
}
}
// Remove captcha, password confirmation from object data
$rf->removeFields(['captcha', 'passwordc']);
// Perform desired data transformations. Is this a feature we could add to Fortress?
$data['user_name'] = strtolower(trim($data['user_name']));
$data['display_name'] = trim($data['display_name']);
$data['email'] = strtolower(trim($data['email']));
$data['locale'] = $this->_app->site->default_locale;
if ($this->_app->site->require_activation) {
$data['active'] = 0;
} else {
$data['active'] = 1;
}
// Check if username or email already exists
if (UserLoader::exists($data['user_name'], 'user_name')) {
$ms->addMessageTranslated("danger", "ACCOUNT_USERNAME_IN_USE", $data);
$error = true;
}
if (UserLoader::exists($data['email'], 'email')) {
$ms->addMessageTranslated("danger", "ACCOUNT_EMAIL_IN_USE", $data);
$error = true;
}
// Halt on any validation errors
if ($error) {
$this->_app->halt(400);
}
// Get default primary group (is_default = GROUP_DEFAULT_PRIMARY)
$primaryGroup = GroupLoader::fetch(GROUP_DEFAULT_PRIMARY, "is_default");
$data['primary_group_id'] = $primaryGroup->id;
// Set default title for new users
$data['title'] = $primaryGroup->new_user_title;
// Hash password
$data['password'] = Authentication::hashPassword($data['password']);
// Create the user
$user = new User($data);
// Add user to default groups, including default primary group
$defaultGroups = GroupLoader::fetchAll(GROUP_DEFAULT, "is_default");
$user->addGroup($primaryGroup->id);
foreach ($defaultGroups as $group_id => $group) {
$user->addGroup($group_id);
}
// Store new user to database
$user->store();
if ($this->_app->site->require_activation) {
// Create and send activation email
$mail = new \PHPMailer();
$mail->From = $this->_app->site->admin_email;
$mail->FromName = $this->_app->site->site_title;
$mail->addAddress($user->email);
// Add a recipient
$mail->addReplyTo($this->_app->site->admin_email, $this->_app->site->site_title);
$mail->Subject = $this->_app->site->site_title . " - please activate your account";
$mail->Body = $this->_app->view()->render("common/mail/activate-new.html", ["user" => $user]);
$mail->isHTML(true);
// Set email format to HTML
if (!$mail->send()) {
$ms->addMessageTranslated("danger", "MAIL_ERROR");
error_log('Mailer Error: ' . $mail->ErrorInfo);
$this->_app->halt(500);
}
// Activation required
$ms->addMessageTranslated("success", "ACCOUNT_REGISTRATION_COMPLETE_TYPE2");
} else {
// No activation required
$ms->addMessageTranslated("success", "ACCOUNT_REGISTRATION_COMPLETE_TYPE1");
}
}
/**
* Processes the request to update an existing user's details, including enabled/disabled status and activation status.
*
* Processes the request from the user update form, checking that:
* 1. The target user's new email address, if specified, is not already in use;
* 2. The logged-in user has the necessary permissions to update the posted field(s);
* 3. We're not trying to disable the master account;
* 4. The submitted data is valid.
* This route requires authentication.
* Request type: POST
* @param int $user_id the id of the user to edit.
* @see formUserEdit
*/
public function updateUser($user_id)
{
$post = $this->_app->request->post();
// Load the request schema
$requestSchema = new \Fortress\RequestSchema($this->_app->config('schema.path') . "/forms/user-update.json");
// Get the alert message stream
$ms = $this->_app->alerts;
// Get the target user
$target_user = UserLoader::fetch($user_id);
// Get the target user's groups
$groups = $target_user->getGroups();
/*
// Access control for entire page
if (!$this->_app->user->checkAccess('uri_update_user')){
$ms->addMessageTranslated("danger", "ACCESS_DENIED");
$this->_app->halt(403);
}
*/
// Only the master account can edit the master account!
if ($target_user->id == $this->_app->config('user_id_master') && $this->_app->user->id != $this->_app->config('user_id_master')) {
$ms->addMessageTranslated("danger", "ACCESS_DENIED");
$this->_app->halt(403);
}
// Remove csrf_token
unset($post['csrf_token']);
// Check authorization for submitted fields, if the value has been changed
foreach ($post as $name => $value) {
if ($name == "groups" || isset($target_user->{$name}) && $post[$name] != $target_user->{$name}) {
// Check authorization
if (!$this->_app->user->checkAccess('update_account_setting', ['user' => $target_user, 'property' => $name])) {
$ms->addMessageTranslated("danger", "ACCESS_DENIED");
$this->_app->halt(403);
}
} else {
if (!isset($target_user->{$name})) {
$ms->addMessageTranslated("danger", "NO_DATA");
$this->_app->halt(400);
}
}
}
// Check that we are not disabling the master account
if ($target_user->id == $this->_app->config('user_id_master') && isset($post['enabled']) && $post['enabled'] == "0") {
$ms->addMessageTranslated("danger", "ACCOUNT_DISABLE_MASTER");
$this->_app->halt(403);
}
if (isset($post['email']) && $post['email'] != $target_user->email && UserLoader::exists($post['email'], 'email')) {
$ms->addMessageTranslated("danger", "ACCOUNT_EMAIL_IN_USE", $post);
$this->_app->halt(400);
}
// Set up Fortress to process the request
$rf = new \Fortress\HTTPRequestFortress($ms, $requestSchema, $post);
// Sanitize
$rf->sanitize();
// Validate, and halt on validation errors.
if (!$rf->validate()) {
$this->_app->halt(400);
}
// Get the filtered data
$data = $rf->data();
// Update user groups
if (isset($data['groups'])) {
foreach ($data['groups'] as $group_id => $is_member) {
if ($is_member == "1" && !isset($groups[$group_id])) {
$target_user->addGroup($group_id);
} else {
if ($is_member == "0" && isset($groups[$group_id])) {
$target_user->removeGroup($group_id);
}
}
}
unset($data['groups']);
}
// Update the user and generate success messages
foreach ($data as $name => $value) {
if ($value != $target_user->{$name}) {
$target_user->{$name} = $value;
// Custom success messages (optional)
if ($name == "enabled") {
if ($value == "1") {
$ms->addMessageTranslated("success", "ACCOUNT_ENABLE_SUCCESSFUL", ["user_name" => $target_user->user_name]);
} else {
$ms->addMessageTranslated("success", "ACCOUNT_DISABLE_SUCCESSFUL", ["user_name" => $target_user->user_name]);
}
}
if ($name == "active") {
$ms->addMessageTranslated("success", "ACCOUNT_MANUALLY_ACTIVATED", ["user_name" => $target_user->user_name]);
}
}
}
$ms->addMessageTranslated("success", "ACCOUNT_DETAILS_UPDATED", ["user_name" => $target_user->user_name]);
$target_user->store();
}
/**
* Processes a request to create the master account.
*
* Processes the request from the master account creation form, checking that:
* 1. The honeypot has not been changed;
* 2. The master account does not already exist;
* 3. The correct configuration token was submitted;
* 3. The submitted data is valid.
* This route is "public access" (until the master account has been created, that is)
* Request type: POST
*/
public function setupMasterAccount()
{
$post = $this->_app->request->post();
// Get the alert message stream
$ms = $this->_app->alerts;
// Check the honeypot. 'spiderbro' is not a real field, it is hidden on the main page and must be submitted with its default value for this to be processed.
if (!$post['spiderbro'] || $post['spiderbro'] != "http://") {
error_log("Possible spam received:" . print_r($this->_app->request->post(), true));
$ms->addMessage("danger", "Aww hellllls no!");
$this->_app->halt(500);
// Don't let on about why the request failed ;-)
}
// Do not allow registering a master account if one has already been created
if (User::find($this->_app->config('user_id_master'))) {
$ms->addMessageTranslated("danger", "MASTER_ACCOUNT_EXISTS");
$this->_app->halt(403);
}
// Check the configuration token
if ($post['root_account_config_token'] != $this->_app->site->root_account_config_token) {
$ms->addMessageTranslated("danger", "CONFIG_TOKEN_MISMATCH");
$this->_app->halt(403);
}
// Load the request schema
$requestSchema = new \Fortress\RequestSchema($this->_app->config('schema.path') . "/forms/register.json");
// Set up Fortress to process the request
$rf = new \Fortress\HTTPRequestFortress($ms, $requestSchema, $post);
// Sanitize data
$rf->sanitize();
// Validate, and halt on validation errors.
$error = !$rf->validate(true);
// Get the filtered data
$data = $rf->data();
// Remove configuration token, password confirmation from object data
$rf->removeFields(['root_account_config_token', 'passwordc']);
// Perform desired data transformations. Is this a feature we could add to Fortress?
$data['display_name'] = trim($data['display_name']);
$data['flag_verified'] = 1;
$data['locale'] = $this->_app->site->default_locale;
// Halt on any validation errors
if ($error) {
$this->_app->halt(400);
}
// Get default primary group (is_default = GROUP_DEFAULT_PRIMARY)
$primaryGroup = Group::where('is_default', GROUP_DEFAULT_PRIMARY)->first();
$data['primary_group_id'] = $primaryGroup->id;
// Set default title for new users
$data['title'] = $primaryGroup->new_user_title;
// Hash password
$data['password'] = Authentication::hashPassword($data['password']);
// Create the master user
$user = new User($data);
$user->id = $this->_app->config('user_id_master');
// Add user to default groups, including default primary group
$defaultGroups = Group::where('is_default', GROUP_DEFAULT)->get();
$user->addGroup($primaryGroup->id);
foreach ($defaultGroups as $group) {
$group_id = $group->id;
$user->addGroup($group_id);
}
// Add sign-up event
$user->newEventSignUp();
// Store new user to database
$user->save();
// No activation required
$ms->addMessageTranslated("success", "ACCOUNT_REGISTRATION_COMPLETE_TYPE1");
// Update install status
$this->_app->site->install_status = "new";
$this->_app->site->root_account_config_token = "";
$this->_app->site->store();
}
/**
* Processes the request to update an existing group's details.
*
* Processes the request from the group update form, checking that:
* 1. The group name is not already in use;
* 2. The user has the necessary permissions to update the posted field(s);
* 3. The submitted data is valid.
* This route requires authentication (and should generally be limited to admins or the root user).
* Request type: POST
* @param int $group_id the id of the group to edit.
* @see formGroupEdit
*/
public function updateGroup($group_id)
{
$post = $this->_app->request->post();
// DEBUG: view posted data
//error_log(print_r($post, true));
// Load the request schema
$requestSchema = new \Fortress\RequestSchema($this->_app->config('schema.path') . "/forms/group-update.json");
// Get the alert message stream
$ms = $this->_app->alerts;
// Get the target group
$group = GroupLoader::fetch($group_id);
// If desired, put route-level authorization check here
// Remove csrf_token
unset($post['csrf_token']);
// Check authorization for submitted fields, if the value has been changed
foreach ($post as $name => $value) {
if (isset($group->{$name}) && $post[$name] != $group->{$name}) {
// Check authorization
if (!$this->_app->user->checkAccess('update_group_setting', ['group' => $group, 'property' => $name])) {
$ms->addMessageTranslated("danger", "ACCESS_DENIED");
$this->_app->halt(403);
}
} else {
if (!isset($group->{$name})) {
$ms->addMessageTranslated("danger", "NO_DATA");
$this->_app->halt(400);
}
}
}
// Check that name is not already in use
if (isset($post['name']) && $post['name'] != $group->name && GroupLoader::exists($post['name'], 'name')) {
$ms->addMessageTranslated("danger", "GROUP_NAME_IN_USE", $post);
$this->_app->halt(400);
}
// TODO: validate landing page route, theme, icon?
// Set up Fortress to process the request
$rf = new \Fortress\HTTPRequestFortress($ms, $requestSchema, $post);
// Sanitize
$rf->sanitize();
// Validate, and halt on validation errors.
if (!$rf->validate()) {
$this->_app->halt(400);
}
// Get the filtered data
$data = $rf->data();
// Update the group and generate success messages
foreach ($data as $name => $value) {
if ($value != $group->{$name}) {
$group->{$name} = $value;
// Add any custom success messages here
}
}
$ms->addMessageTranslated("success", "GROUP_UPDATE", ["name" => $group->name]);
$group->store();
}