public function createAction() { if (Minz_Request::isPost() && Minz_Configuration::isAdmin(Minz_Session::param('currentUser', '_'))) { require_once APP_PATH . '/sql.php'; $new_user_language = Minz_Request::param('new_user_language', $this->view->conf->language); if (!in_array($new_user_language, $this->view->conf->availableLanguages())) { $new_user_language = $this->view->conf->language; } $new_user_name = Minz_Request::param('new_user_name'); $ok = $new_user_name != '' && ctype_alnum($new_user_name); if ($ok) { $ok &= strcasecmp($new_user_name, Minz_Configuration::defaultUser()) !== 0; //It is forbidden to alter the default user $ok &= !in_array(strtoupper($new_user_name), array_map('strtoupper', listUsers())); //Not an existing user, case-insensitive $configPath = DATA_PATH . '/' . $new_user_name . '_user.php'; $ok &= !file_exists($configPath); } if ($ok) { $passwordPlain = Minz_Request::param('new_user_passwordPlain', false); $passwordHash = ''; if ($passwordPlain != '') { Minz_Request::_param('new_user_passwordPlain'); //Discard plain-text password ASAP $_POST['new_user_passwordPlain'] = ''; if (!function_exists('password_hash')) { include_once LIB_PATH . '/password_compat.php'; } $passwordHash = password_hash($passwordPlain, PASSWORD_BCRYPT, array('cost' => self::BCRYPT_COST)); $passwordPlain = ''; $passwordHash = preg_replace('/^\\$2[xy]\\$/', '\\$2a\\$', $passwordHash); //Compatibility with bcrypt.js $ok &= $passwordHash != ''; } if (empty($passwordHash)) { $passwordHash = ''; } $new_user_email = filter_var($_POST['new_user_email'], FILTER_VALIDATE_EMAIL); if (empty($new_user_email)) { $new_user_email = ''; } else { $personaFile = DATA_PATH . '/persona/' . $new_user_email . '.txt'; @unlink($personaFile); $ok &= file_put_contents($personaFile, $new_user_name) !== false; } } if ($ok) { $config_array = array('language' => $new_user_language, 'passwordHash' => $passwordHash, 'mail_login' => $new_user_email); $ok &= file_put_contents($configPath, "<?php\n return " . var_export($config_array, true) . ';') !== false; } if ($ok) { $userDAO = new FreshRSS_UserDAO(); $ok &= $userDAO->createUser($new_user_name); } invalidateHttpCache(); $notif = array('type' => $ok ? 'good' : 'bad', 'content' => Minz_Translate::t($ok ? 'user_created' : 'error_occurred', $new_user_name)); Minz_Session::_param('notification', $notif); } Minz_Request::forward(array('c' => 'configure', 'a' => 'users'), true); }
/** * This action creates a new user. * * Request parameters are: * - new_user_language * - new_user_name * - new_user_passwordPlain * - new_user_email * - r (i.e. a redirection url, optional) * * @todo clean up this method. Idea: write a method to init a user with basic information. * @todo handle r redirection in Minz_Request::forward directly? */ public function createAction() { if (Minz_Request::isPost() && (FreshRSS_Auth::hasAccess('admin') || !max_registrations_reached())) { $db = FreshRSS_Context::$system_conf->db; require_once APP_PATH . '/SQL/install.sql.' . $db['type'] . '.php'; $new_user_language = Minz_Request::param('new_user_language', FreshRSS_Context::$user_conf->language); $languages = Minz_Translate::availableLanguages(); if (!isset($languages[$new_user_language])) { $new_user_language = FreshRSS_Context::$user_conf->language; } $new_user_name = Minz_Request::param('new_user_name'); $ok = $new_user_name != '' && ctype_alnum($new_user_name); if ($ok) { $default_user = FreshRSS_Context::$system_conf->default_user; $ok &= strcasecmp($new_user_name, $default_user) !== 0; //It is forbidden to alter the default user $ok &= !in_array(strtoupper($new_user_name), array_map('strtoupper', listUsers())); //Not an existing user, case-insensitive $configPath = join_path(DATA_PATH, 'users', $new_user_name, 'config.php'); $ok &= !file_exists($configPath); } if ($ok) { $passwordPlain = Minz_Request::param('new_user_passwordPlain', '', true); $passwordHash = ''; if ($passwordPlain != '') { Minz_Request::_param('new_user_passwordPlain'); //Discard plain-text password ASAP $_POST['new_user_passwordPlain'] = ''; if (!function_exists('password_hash')) { include_once LIB_PATH . '/password_compat.php'; } $passwordHash = password_hash($passwordPlain, PASSWORD_BCRYPT, array('cost' => self::BCRYPT_COST)); $passwordPlain = ''; $passwordHash = preg_replace('/^\\$2[xy]\\$/', '\\$2a\\$', $passwordHash); //Compatibility with bcrypt.js $ok &= $passwordHash != ''; } if (empty($passwordHash)) { $passwordHash = ''; } $new_user_email = filter_var($_POST['new_user_email'], FILTER_VALIDATE_EMAIL); if (empty($new_user_email)) { $new_user_email = ''; } else { $personaFile = join_path(DATA_PATH, 'persona', $new_user_email . '.txt'); @unlink($personaFile); $ok &= file_put_contents($personaFile, $new_user_name) !== false; } } if ($ok) { mkdir(join_path(DATA_PATH, 'users', $new_user_name)); $config_array = array('language' => $new_user_language, 'passwordHash' => $passwordHash, 'mail_login' => $new_user_email); $ok &= file_put_contents($configPath, "<?php\n return " . var_export($config_array, true) . ';') !== false; } if ($ok) { $userDAO = new FreshRSS_UserDAO(); $ok &= $userDAO->createUser($new_user_name); } invalidateHttpCache(); $notif = array('type' => $ok ? 'good' : 'bad', 'content' => _t('feedback.user.created' . (!$ok ? '.error' : ''), $new_user_name)); Minz_Session::_param('notification', $notif); } $redirect_url = urldecode(Minz_Request::param('r', false, true)); if (!$redirect_url) { $redirect_url = array('c' => 'user', 'a' => 'manage'); } Minz_Request::forward($redirect_url, true); }