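/**
 * Registration form: renders the form and, on POST, validates the
 * submission and creates a client record through Model_Client.
 *
 * @throws Exception on a bad CSRF token or when the model rejects the data
 */
public function action_index()
{
    $view = View::factory('home/register');

    if ($this->request->method() === Request::POST) {
        if (!Security::check($this->request->post('token'))) {
            throw new Exception("Bad Token");
        }

        // Validate the same request data the rest of the action reads,
        // instead of reaching for the $_POST superglobal directly.
        $post = Validation::factory($this->request->post())
            ->rule('name', 'not_empty')
            ->rule('surname', 'not_empty')
            ->rule('email', 'not_empty')
            ->rule('email', 'email')
            ->rule('email', 'Model_Client::if_email_exists')
            ->rule('pass', 'not_empty')
            ->rule('pass_confirm', 'not_empty')
            ->rule('pass', 'matches', array(':validation', 'pass_confirm', 'pass'))
            ->rule('checkbox', 'not_empty');

        if ($post->check()) {
            // NOTE(review): crypt() takes (string, salt). Here the constant is
            // the string being hashed and the user's password is the salt, so
            // the stored value depends only on the leading characters of the
            // password. The sign-in side derives the value the same way, so
            // both must be migrated together (password_hash/password_verify);
            // kept as-is here so existing records keep verifying.
            $salt = 'MySalt!';
            $pass = crypt($salt, $this->request->post('pass'));

            $data = array(
                'name' => $this->request->post('name'),
                'surname' => $this->request->post('surname'),
                'email' => $this->request->post('email'),
                'pass' => $pass,
                'is_superuser' => '0',
            );

            $clients = new Model_Client();
            if (!$clients->create_user($data)) {
                throw new Exception("Please check all fields!");
            }

            $this->request->redirect('/');
        }
    }

    $this->template->content = $view->render();
}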
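/**
 * Control-panel form for creating a page.
 *
 * Renders the form with the current user as author; on POST checks the
 * CSRF token, requires title, content and author, and inserts the page.
 *
 * @throws HTTP_Exception_401 on a bad CSRF token
 * @throws Exception when a required field is empty or the insert fails
 */
public function action_create()
{
    $this->template->page_title = 'Create Page';

    $user = new Model_User();
    $session = Session::instance()->get('user');
    $view = View::factory('cp/pages/create');
    $view->author = $user->get_user_by_session_id($session);

    if ($this->request->method() === Request::POST) {
        if (!Security::check($this->request->post('csrf_token'))) {
            throw new HTTP_Exception_401("Bad token!");
        }

        $post_title = $this->request->post('title');
        $post_content = $this->request->post('content');
        $post_author = $this->request->post('author');
        $post_date = time();

        // Reject the submission when any required field is missing. The
        // original joined the checks with && and included the server-set
        // timestamp, so the guard could never fire.
        if (empty($post_title) || empty($post_content) || empty($post_author)) {
            throw new Exception('Please don`t make empty fields!');
        }

        $page = new Model_Page();
        $data = array(
            'title' => $post_title,
            'content' => $post_content,
            'author' => $post_author,
            // The original read the undefined variable $date here, so the
            // creation time was never stored.
            'date' => $post_date,
        );

        if (!$page->insert_page($data)) {
            throw new Exception('Check if you are connected to database!');
        }

        $this->request->redirect('cp/pages');
    }

    $this->template->content = $view->render();
}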
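/**
 * Password-recovery step two: the route carries the user id ('id') and the
 * recovery hash ('id2'), which must be an open recovery request. On POST the
 * new password is stored and the recovery request is passed to
 * chmod_attemp() (presumably marking it as used).
 *
 * @throws Exception on an invalid recovery hash, bad CSRF token, empty or
 *                   mismatched passwords, or a failed model update
 */
public function action_do()
{
    $user_id = $this->request->param('id');
    $hash = $this->request->param('id2');

    $password_recovery = new Model_Password_Recovery();
    if ($password_recovery->check($user_id, $hash) !== true) {
        throw new Exception("This hash is not a password recovery request!");
    }

    $view = View::factory('forgot_password/recovery');

    if ($this->request->method() === Request::POST) {
        if (!Security::check($this->request->post('csrf_secure'))) {
            throw new Exception("Bad token!");
        }

        $password = $this->request->post('password');
        $confirm = $this->request->post('confirm');

        // An empty password would otherwise be hashed and stored as valid.
        if ($password === null || $password === '') {
            throw new Exception("Password must not be empty!");
        }
        if ($password !== $confirm) {
            throw new Exception("Passwords did not match!");
        }

        // NOTE(review): fixed, non-random salt. 'generatedsalt' is not a
        // recognised crypt() format prefix, so crypt() falls back to the
        // standard DES scheme (2-character salt, first 8 password characters).
        // Whatever verifies these hashes at login must be migrated together
        // with this line (password_hash/password_verify); kept for now so
        // existing records keep verifying.
        $hashed = crypt($password, 'generatedsalt');

        $user = new Model_User();
        if (!$user->recover_password($hashed, $user_id)) {
            throw new Exception("Error with changing a password!");
        }

        // The original reported this failure only as "False".
        if (!$password_recovery->chmod_attemp($hash)) {
            throw new Exception("Could not close the password recovery request!");
        }

        $this->redirect('');
    }

    $this->template->content = $view->render();
}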
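/**
 * Admin form for creating a category; non-admins are sent back to 'acp'.
 *
 * On POST the CSRF token is read from the route parameter 'id'; a missing
 * slug is derived from the name with URL::title(). Every failure path
 * redirects back to the form.
 */
public function action_create()
{
    if (Auth::is_admin_signed_in() === true) {
        $view = View::factory('acp/categories/create');

        if ($this->request->method() === Request::POST) {
            $name = $this->request->post('name');
            $slug = $this->request->post('slug');

            // NOTE(review): the CSRF token is carried in the URL path rather
            // than the POST body, so it can end up in logs and referer headers.
            if (!Security::check($this->request->param('id'))) {
                $this->request->redirect('acp/categories/create');
            }

            if (empty($slug)) {
                $slug = URL::title($name, '_');
            }
            if (empty($name) && empty($slug)) {
                $this->request->redirect('acp/categories/create');
            }

            // One model instance; the original built an unused one before the
            // POST branch and a second, identical one here.
            $categories = new Model_Category();
            if (!$categories->create_category($name, $slug)) {
                $this->request->redirect('acp/categories/create');
            }

            $this->request->redirect('acp/categories');
        }

        $this->template->content = $view->render();
    } else {
        $this->request->redirect('acp');
    }
}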
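/**
 * Admin login form.
 *
 * On a POST with a valid CSRF token and captcha, attempts an Auth login and
 * redirects to the configured admin URL on success; otherwise renders the
 * 'login' template with the error messages. A visitor who already holds
 * the 'admin' role is redirected straight to the admin panel.
 */
public function action_login()
{
    // Initialised before the POST branch: View::bind() below binds by
    // reference, and the original assigned null to $errors after binding,
    // which wiped the message collected in the failure branch before render.
    $errors = null;

    $post = $this->request->post();

    if (HTTP_Request::POST == $this->request->method()
        && Security::check(Arr::get($post, 'csrf', ''))
        // Arr::get avoids an undefined-index notice when the field is absent.
        && Captcha::valid(Arr::get($_POST, 'captcha', ''))) {
        $remember = array_key_exists('remember', $post)
            ? (bool) $this->request->post('remember')
            : FALSE;

        $user = Auth::instance()->login(
            $this->request->post('username'),
            $this->request->post('password'),
            $remember
        );

        if ($user) {
            HTTP::redirect($this->config->get('admin_url'));
        } else {
            Session::instance()->set('error', 'Логин или пароль не верный');
            $errors = array('Логин или пароль не верный.');
        }
    }

    $this->template = 'login';
    parent::before();

    $captcha = Captcha::instance();
    $csrf = Security::token(true);
    $this->template->title = 'Вход в админ панель';
    $this->template->bind('errors', $errors)->bind('csrf', $csrf)->bind('captcha', $captcha);

    if (Auth::instance()->get_user()) {
        $auth = Auth::instance();
        if ($auth->logged_in('admin')) {
            $session = Session::instance();
            $session->set('redirectAfterLogin', $_SERVER['REQUEST_URI']);
            // NOTE(review): this uses $this->admin_url while the success path
            // above uses $this->config->get('admin_url') — confirm they agree.
            HTTP::redirect('/' . $this->admin_url . '/');
        }
    }
}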
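/**
 * First-run installer, available only while the users table is empty.
 *
 * On POST validates the submitted account, creates the user with the
 * 'login' and 'admin' roles and redirects to 'install/successful';
 * validation failures go to 'install/oops'.
 *
 * @throws Exception on a bad CSRF token
 */
public function action_index()
{
    // Cast: a driver may return the COUNT as a string, which would make the
    // strict comparison below fail and lock everyone out of the installer.
    $count = (int) ORM::factory('User')->count_all();

    if ($count === 0) {
        $this->template->content = View::factory('install/index');

        if ($this->request->method() === Request::POST) {
            // NOTE(review): the CSRF token is read from the URL path ('id').
            if (!Security::check($this->request->param('id'))) {
                throw new Exception("Bad token!");
            }

            $post = Validation::factory($this->request->post())
                ->rule('username', 'not_empty')
                ->rule('email', 'not_empty')
                ->rule('email', 'email')
                ->rule('password', 'not_empty')
                ->rule('password', 'min_length', array(':value', '8'))
                ->rule('password2x', 'not_empty')
                ->rule('password', 'matches', array(':validation', 'password', 'password2x'));

            if ($post->check()) {
                $user = new Model_User();
                // Whitelist the columns taken from the request instead of
                // mass-assigning the whole POST body (the confirmation field
                // and any extra field a client adds would otherwise reach
                // values()).
                $user->values($this->request->post(), array('username', 'email', 'password'))->save();

                $adminRole = ORM::factory('Role')->where('name', '=', 'admin')->find();
                $loginRole = ORM::factory('Role')->where('name', '=', 'login')->find();
                $user->add('roles', $loginRole);
                $user->add('roles', $adminRole);

                $this->redirect('install/successful');
            } else {
                $this->redirect('install/oops');
            }
        }
    } else {
        $this->redirect('');
    }
}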
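/**
 * Get cookie value(s)
 *
 * A cookie is stored as three '|'-separated fields: the value, a second
 * field that is signed together with it, and the signature. The signature
 * is verified with Security::check() before the value is trusted; a cookie
 * that fails verification is deleted.
 *
 * @param string $name Name of the cookie to get; "outer[inner]" array notation is supported
 * @param mixed $default [optional] Default value if cookie is not set or fails verification. Default is false
 * @return mixed Cookie stored datas (unserialized when the stored value is a serialized value)
 */
public static function get($name, $default = false)
{
    // handling array notation
    if (preg_match('#^(.*?)\\[(.*?)\\]$#', $name, $m)) {
        if (!isset($_COOKIE[$m[1]][$m[2]])) {
            return $default;
        }
        $value = $_COOKIE[$m[1]][$m[2]];
    } else {
        if (!isset($_COOKIE[$name])) {
            return $default;
        }
        $value = $_COOKIE[$name];
    }

    // retrieve cookie content
    $cookieValue = explode('|', $value);

    // wrong field count or signature does not verify
    if (count($cookieValue) !== 3 || !Security::check($cookieValue[0] . $cookieValue[1], $cookieValue[2])) {
        Cookie::delete($name);
        return $default;
    }
    $value = $cookieValue[0];

    // if content is a serialized value. unserialize() is only reached for a
    // value whose signature verified above; the serialized form of false is
    // handled explicitly because unserialize() also returns false on failure.
    // The original used the result's truthiness, which dropped serialized
    // 0, '', array() and null and returned their raw string instead.
    if ($value === 'b:0;') {
        return false;
    }
    $v = @unserialize($value);
    if ($v !== false) {
        $value = $v;
    }

    return $value;
}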
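/**
 * Admin sign-in: verifies the posted e-mail/password against Model_Client,
 * requires the superuser flag, then stores the e-mail in the session (and
 * in the 'admin' cookie when requested) and redirects to 'acp'.
 *
 * @throws Exception on a bad CSRF token, unknown credentials, or a non-superuser
 */
public function action_sign_up()
{
    // NOTE(review): the CSRF token is read from the URL path (param 'id').
    if (!Security::check($this->request->param('id'))) {
        throw new Exception("Bad Token!");
    }

    $email = $this->request->post('email');
    $raw_pass = $this->request->post('pass');
    $cookie = $this->request->post('cookie');

    // Reject missing credentials before any lookup. The original tested the
    // crypt() output, which is never empty, so its guard could not fire.
    if (empty($email) || empty($raw_pass)) {
        $this->request->redirect('acp');
    }

    // NOTE(review): crypt() takes (string, salt). Registration stores
    // crypt('MySalt!', <password>) — the constant hashed with the password as
    // the salt — so the same derivation is reproduced here to keep existing
    // records valid. Both sides must migrate together (password_hash /
    // password_verify); do not change only one of them.
    $pass = crypt('MySalt!', $raw_pass);

    $client = new Model_Client();
    $email_from_db = $client->email_from_db($email);
    $pass_from_db = $client->pass_from_db($email);

    // Constant-time hash comparison, and no hashes in the error message (the
    // original echoed both the computed and the stored hash to the client).
    if ($email !== $email_from_db
        || !is_string($pass_from_db)
        || !hash_equals($pass_from_db, $pass)) {
        throw new Exception("This User do not exists!");
    }

    // empty() covers false/null (no record) as well as 0 and '0'. The
    // original's `=== 0` would let a string '0' column (registration stores
    // the flag as '0') or a missing row through as a superuser.
    $is_superuser = $client->is_superuser($email);
    if (empty($is_superuser)) {
        throw new Exception("Sorry, but you are not a superuser!");
    }

    if ($cookie) {
        Cookie::set('admin', $email);
    }
    Session::instance()->set('admin', $email);

    $this->request->redirect('acp');
}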
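/**
 * Control-panel form for writing an entry.
 *
 * Renders the form with the current user as author; on POST checks the
 * CSRF token, requires title, content and author, derives a missing slug
 * from the title and inserts the entry.
 *
 * @throws HTTP_Exception_401 on a bad CSRF token
 * @throws Exception when a required field is empty or the insert fails
 */
public function action_write()
{
    $this->template->page_title = 'Write Article';

    $user = new Model_User();
    $session = Session::instance()->get('user');
    $view = View::factory('cp/entries/write');
    // The original called this on the undefined variable $users.
    $view->author = $user->get_user_by_session_id($session);

    if ($this->request->method() === Request::POST) {
        if (!Security::check($this->request->post('csrf_token'))) {
            throw new HTTP_Exception_401("Bad token!");
        }

        $post_title = $this->request->post('title');
        $post_slug = $this->request->post('slug');
        $post_content = $this->request->post('content');
        $post_author = $this->request->post('author');
        $post_date = time();

        // Reject the submission when any required field is missing. The
        // original joined the checks with `and` and included the server-set
        // timestamp, so the guard could never fire.
        if (empty($post_title) || empty($post_content) || empty($post_author)) {
            throw new Exception('Please don`t make empty fields!');
        }

        if (empty($post_slug)) {
            $post_slug = URL::title($post_title, '_');
        }

        $entry = new Model_Entry();
        $data = array(
            'title' => $post_title,
            'slug' => $post_slug,
            'content' => $post_content,
            'author' => $post_author,
            'date' => $post_date,
        );

        if (!$entry->insert_entry($data)) {
            throw new Exception('Check if you are connected to database!');
        }

        $this->request->redirect('cp/entries/write/');
    }

    $this->template->content = $view->render();
}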
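/**
 * Enforces the X-CSRF-TOKEN header on AJAX POST requests before the
 * action runs.
 *
 * @throws HTTP_Exception_403 when the header is missing or does not verify
 */
public function before()
{
    if ($this->request->is_ajax() && $this->request->method() == 'POST') {
        if (!Security::check($this->request->headers('X-CSRF-TOKEN'))) {
            // Must throw: Kohana's Controller::execute() ignores the return
            // value of before() and still dispatches the action, so the
            // original's returned 403 response did not stop the request and
            // its body could be overwritten by the action.
            throw new HTTP_Exception_403('X-CSRF protection');
        }
    }
    // NOTE(review): non-AJAX POSTs are not checked here — confirm they are
    // covered elsewhere.
}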
/**
 * Provides test data for Security::token()
 *
 * Each data set is built under a distinct Security::$token_name
 * ('token_0' .. 'token_4'): a freshly generated token, the result of
 * checking the current token, and the index.
 *
 * @return array Test data sets
 */
public function provider_csrf_token()
{
    $sets = array();

    $i = 0;
    while ($i <= 4) {
        Security::$token_name = 'token_' . $i;
        $fresh = Security::token(TRUE);
        $sets[] = array($fresh, Security::check(Security::token(FALSE)), $i);
        $i++;
    }

    return $sets;
}
/**
 * Form Component Save
 *
 * Handles the sandbox component form: when it was submitted with a valid
 * CSRF token, stores the posted template and redirects to the themes page.
 * A submission with a bad token is silently ignored.
 */
public static function formComponentSave()
{
    if (!Request::post('sandbox_component_save')) {
        return;
    }
    if (!Security::check(Request::post('csrf'))) {
        return;
    }

    Option::update('sandbox_template', Request::post('sandbox_form_template'));
    Request::redirect('index.php?id=themes');
}
/**
 * Attempts to authenticate $login with $password.
 *
 * The stored value for the login is looked up with retrieveUser() and
 * verified with Security::check() against the login and password joined
 * together; on success the user is logged in.
 *
 * @param string $login
 * @param string $password
 * @param bool   $remember passed through to login()
 * @return mixed the result of login(), or false when the user is unknown
 *               or the check fails
 */
public function attempt($login, $password, $remember = false)
{
    $stored = $this->retrieveUser($login);
    if (!$stored) {
        return false;
    }

    if (!Security::check($login . $password, $stored)) {
        return false;
    }

    return $this->login($login, $remember);
}
/**
 * Deletes the category given by route parameter 'id' and returns to the
 * category list.
 *
 * @throws Exception on a bad CSRF token
 */
public function action_delete_category()
{
    $category_id = $this->request->param('id');
    // NOTE(review): the CSRF token travels in the URL path (param 'id2'),
    // where it can leak through referers and logs.
    $token = $this->request->param('id2');

    if (!Security::check($token)) {
        throw new Exception("Bad token!");
    }

    // NOTE(review): the result of delete_category() is not inspected, so a
    // failed delete still redirects as if it succeeded.
    ORM::factory('Category')->delete_category($category_id);

    $this->redirect('dashboard/categories/list');
}
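/**
 * Runs the access check for this object, stores the constructor parameter
 * and calls init().
 *
 * @param mixed $param [optional] value stored in $this->param before init()
 */
function __construct($param = null)
{
    try {
        Security::check($this);
    } catch (Exception $e) {
        header('Location: /403');
        // Stop here: without exit the Location header was sent but init()
        // still ran for a request that failed the security check.
        exit;
    }

    $this->param = $param;
    $this->init();
}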
/**
 * Deletes the user given by route parameter 'id' and returns to the user
 * list.
 *
 * @throws Exception on a bad CSRF token
 */
public function action_delete_user()
{
    $user_id = $this->request->param('id');
    // NOTE(review): the CSRF token travels in the URL path (param 'id2'),
    // where it can leak through referers and logs.
    $token = $this->request->param('id2');

    if (!Security::check($token)) {
        throw new Exception("Bad token!");
    }

    // NOTE(review): the result of delete_user() is not inspected, so a failed
    // delete still redirects as if it succeeded.
    ORM::factory('user')->delete_user($user_id);

    $this->redirect('dashboard/users/list');
}
/**
 * Resolves the request URL (from $_GET['url'], '/' when absent or empty)
 * to a controller/method pair through Routing::setRoutes(), hands the pair
 * to Security::check() and returns it.
 *
 * @return array [controller, method]
 */
public static function getRoute()
{
    $requested = empty($_GET['url']) ? '/' : $_GET['url'];
    self::$url = $requested;

    Routing::setRoutes();

    if (empty(self::$controller)) {
        // NOTE(review): trigger_error() defaults to E_USER_NOTICE, which does
        // not stop execution — the unresolved pair is still checked and
        // returned below.
        trigger_error('Page Not Found');
    } elseif (!method_exists(self::$controller, self::$method)) {
        trigger_error('Invalid Page Index');
    }

    Security::check(self::$controller, self::$method);

    return array(self::$controller, self::$method);
}
/**
 * Reports whether the posted 'email' value is already known, using
 * Security::check(). Always answers with the 'message' return type, set to
 * either 'emailExist' or 'emailNotExist'.
 */
function checkEmail()
{
    $security = new Security();
    $exists = $security->check(get_post_value('email'));

    $this->assign('message', $exists ? 'emailExist' : 'emailNotExist');
    $this->setReturnType('message');
}
/**
 * Deletes the topic given by route parameter 'id' and returns to the topic
 * list.
 *
 * @throws Exception on a bad CSRF token or when the model reports failure
 */
public function action_delete_topic()
{
    $topic_id = $this->request->param('id');
    // NOTE(review): the CSRF token travels in the URL path (param 'id2').
    $token = $this->request->param('id2');

    if (!Security::check($token)) {
        throw new Exception("Bad token!");
    }

    $deleted = ORM::factory('topic')->delete_topic($topic_id);
    if (!$deleted) {
        throw new Exception("Topic was unable to delete");
    }

    $this->redirect('dashboard/topics/list');
}
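/**
 * Main Dashboard admin function
 *
 * Saves the posted Google Analytics settings (client id, API key, view id,
 * tracking id) when the form was submitted with a valid CSRF token, then
 * renders the dashboard view.
 */
public static function main()
{
    // set/update google analytics settings
    if (Request::post('ga_settings_update')) {
        if (Security::check(Request::post('csrf'))) {
            // The original repeated the same trim/get/add-or-update sequence
            // four times (with a copy-pasted variable name in the last one).
            foreach (array('ga_client_id', 'ga_api_key', 'ga_view_id', 'ga_tracking_id') as $option) {
                self::saveGaOption($option);
            }
        }
    }

    // Display view
    View::factory('box/dashboard/views/backend/index')->display();
}

/**
 * Stores one posted GA setting: a blank submission is ignored, an option
 * that has no value yet is added, an existing one is updated.
 *
 * @param string $option option name, which is also the POST field name
 */
private static function saveGaOption($option)
{
    $value = trim(Request::post($option));
    if (empty($value)) {
        return;
    }

    $current = Option::get($option);
    if (empty($current)) {
        Option::add($option, $value);
    } else {
        Option::update($option, $value);
    }
}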
/**
 * Confirms and performs deletion of an exhibit album.
 *
 * A POST carrying a valid 'token' deletes the album and redirects to the
 * exhibit list; otherwise the album and a fresh token are handed to the
 * view for the confirmation form.
 *
 * @throws HTTP_Exception_404 when no album has the given id
 */
public function action_album_delete()
{
    $album_id = (int) $this->request->param('id');
    $album = ORM::factory('Exhibit_Album', $album_id);

    if (!$album->loaded()) {
        throw new HTTP_Exception_404();
    }

    $is_post = $this->request->method() == Request::POST;
    if ($is_post && Security::check(Arr::get($_POST, 'token'))) {
        $album->delete();
        $this->redirect('manage/exhibits');
    }

    $this->set('item', $album)->set('token', Security::token(true));
}
/**
 * Checks whether $login names a core admin and, when $pwd is given,
 * whether the password verifies against the stored record.
 *
 * @param string      $login admin login name
 * @param string|null $pwd   password to verify; null only tests existence
 * @return bool|int|mixed true/false for the existence test; 0 when no single
 *                        row matches; otherwise the result of Security::check()
 */
public static function is_admin($login, $pwd = null)
{
    $db = Connections::get('core');
    // NOTE(review): the WHERE clause is a string literal and the login value in
    // this copy reads '******' (looks redacted). If the real code interpolates
    // $login the way the lookups below interpolate row values, it should use
    // the driver's parameter binding rather than string building.
    $r = $db->fetch($db->select('core_admin', array('a', 'm'), "login = '******'")->statement);
    if ($pwd === null) {
        return count($r) === 1;
    }
    if (count($r) !== 1) {
        // Mixed return type: int 0 here, bool above — callers must not use ===.
        return 0;
    }
    // Secondary lookups keyed by values read from the first result; still
    // built by string interpolation instead of bound parameters.
    $a = $db->fetch($db->select('a', array(), "aid = '{$r->a}'")->statement);
    $m = $db->fetch($db->select('m', array(), "mid = '{$r->m}'")->statement);
    // Cipher setup passed to Security::check(): algorithm name, mode, the
    // base64-decoded $m->n, and $m->s. What each field means is defined by the
    // Security class, which is not visible here.
    $setup = array('blowfish', 'cbc', base64_decode($m->n), $m->s);
    return Security::check($pwd, $a->b, $setup);
}
/**
 * main toggle admin function
 *
 * Saves the toggle options when the form was submitted with a valid CSRF
 * token and redirects back to the toggle page; a bad token sets an error
 * notification and stops the request. Otherwise renders the backend view.
 */
public static function main()
{
    if (Request::post('toggle_options')) {
        if (!Security::check(Request::post('csrf'))) {
            Notification::set('error', __('Request was denied. Invalid security token. Please refresh the page and try again.', 'toggle'));
            die;
        }

        Option::update('toggle_duration', (int) Request::post('toggle_duration'));
        Option::update('toggle_easing', Request::post('toggle_easing'));
        Notification::set('success', __('Configuration has been saved with success!', 'toggle'));

        Request::redirect('index.php?id=toggle');
    }

    View::factory('toggle/views/backend/index')->display();
}
/**
 * Adds a product to the cart of the signed-in user.
 *
 * Route parameters: 'id' is the quantity, 'id2' the product id, 'id3' the
 * CSRF token. A bad token or missing session redirects to 'products', a
 * missing product id to 'cart'; the action always ends in a redirect.
 */
public function action_add_to_cart()
{
    $quantity = $this->request->param('id');
    $product_id = $this->request->param('id2');

    // NOTE(review): the CSRF token is carried in the URL path (param 'id3').
    if (!Security::check($this->request->param('id3'))) {
        $this->request->redirect('products');
    }
    if (empty($product_id)) {
        $this->request->redirect('cart');
    }

    $cart = new Model_Cart();
    $email = Session::instance()->get('email');
    if (empty($email)) {
        $this->request->redirect('products');
    }

    // NOTE(review): $quantity is taken from the route unvalidated and the
    // result of add_to_cart() is not checked — confirm the model validates
    // the quantity.
    $cart->add_to_cart($quantity, $product_id, $email);

    $this->request->redirect('cart');
}
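/**
 * Removes a product from the cart.
 *
 * Route parameters: 'id' is the product id, 'id2' the CSRF token. Requires
 * a signed-in session ('email'); every path ends in a redirect.
 */
public function action_delete()
{
    $product_id = $this->request->param('id');
    $token = $this->request->param('id2');
    $session = Session::instance()->get('email');

    // Require a signed-in session before touching the cart, as the
    // add-to-cart action does; the original fetched $session but never
    // used it, so anonymous requests reached the delete.
    if (empty($session)) {
        $this->request->redirect('products');
    }
    if (empty($product_id)) {
        $this->request->redirect('cart');
    }
    // NOTE(review): the CSRF token is carried in the URL path (param 'id2').
    if (!Security::check($token)) {
        $this->request->redirect('cart');
    }

    // NOTE(review): delete_from_cart() is keyed only by product id; confirm
    // the model scopes the delete to $session's cart, otherwise any signed-in
    // user can remove items from other carts.
    $model_for_cart = Model::factory('cart');
    $model_for_cart->delete_from_cart($product_id);

    // Success and failure both land on the cart page, as in the original.
    $this->request->redirect('cart');
}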
/**
 * Called before every controller action.
 *
 * Enforces the POST CSRF token (unless the current controller/action is
 * listed in $this->ignore_tokens_for_actions) and, when auto-rendering,
 * seeds the template with empty title/content, the configured SEO
 * description and keywords, and empty style/script lists for actions to
 * fill in.
 *
 * @throws HTTP_Exception_500 when a POST carries an invalid token
 */
public function before()
{
    parent::before();

    $controller = $this->request->controller();
    $action = $this->request->action();
    $token_exempt = isset($this->ignore_tokens_for_actions[$controller][$action]);

    if ($this->request->method() == 'POST' && !$token_exempt) {
        if (!Security::check($this->request->post('token'))) {
            throw new HTTP_Exception_500('Invalid token');
        }
    }

    if (!$this->auto_render) {
        return;
    }

    // Initialize empty values
    $this->template->title = '';
    $this->template->content = '';
    $this->template->description = $this->config['seo']['description'];
    $this->template->keywords = $this->config['seo']['keywords'];
    $this->template->styles = array();
    $this->template->scripts = array();
}
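/**
 * Login action: checks the CSRF token, then attempts an Auth login with the
 * posted username/password (remembered when 'cookie' is set) and redirects
 * to '/'.
 *
 * @throws Exception on a bad CSRF token or failed login
 */
public function action_index()
{
    // NOTE(review): the CSRF token is read from the URL path (param 'id').
    if (!Security::check($this->request->param('id'))) {
        throw new Exception("Bad token!");
    }

    $post = $this->request->post();
    // Missing fields become '' instead of an undefined-index notice.
    $username = Arr::get($post, 'username', '');
    $password = Arr::get($post, 'password', '');
    // One login call; the original duplicated it per remember-me branch.
    $remember = (bool) $this->request->post('cookie');

    if (!Auth::instance()->login($username, $password, $remember)) {
        throw new Exception("login was unsuccessful!");
    }

    $this->redirect('/');
}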
/**
 * Profile form for changing the signed-in user's signature.
 *
 * On POST checks the CSRF token (route parameter 'id'), stores the posted
 * signature for the current user and redirects to '/'.
 *
 * @throws Exception on a bad CSRF token or when the signature cannot be saved
 */
public function action_change_signature()
{
    $user = new Model_User();
    $current_user_id = Auth::instance()->get_user()->pk();

    $view = View::factory('profile/change_signature');
    $view->users = $user->where('id', '=', $current_user_id)->find();

    if ($this->request->method() === Request::POST) {
        // NOTE(review): the CSRF token is carried in the URL path.
        if (!Security::check($this->request->param('id'))) {
            throw new Exception("Bad token!");
        }

        // NOTE(review): the signature is stored as posted; confirm the view
        // escapes it when rendering.
        $signature = $this->request->post('signature');
        if (!$user->change_signature($signature, $current_user_id)) {
            throw new Exception('Signature could not be saved!');
        }

        $this->redirect('/');
    }

    $this->template->content = $view->render();
}
/**
 * Provides test data for Security::token()
 *
 * Token generation touches the session, which fails once headers have been
 * sent, and an empty provider is itself an error — so after headers_sent()
 * a single placeholder set is returned and the test is expected to skip.
 * Otherwise one set per token name 'token_0' .. 'token_4' is produced: a
 * fresh token, the result of checking the current token, and the index.
 *
 * @return array Test data sets
 */
public function provider_csrf_token()
{
    if (headers_sent()) {
        return array(array('', '', 0));
    }

    $sets = array();
    foreach (range(0, 4) as $index) {
        Security::$token_name = 'token_' . $index;
        $fresh = Security::token(TRUE);
        $sets[] = array($fresh, Security::check(Security::token(FALSE)), $index);
    }

    return $sets;
}
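/**
 * Logs the current user out, removing the 'user_id' cookie when present,
 * then redirects to '/'.
 *
 * @throws Exception on a bad CSRF token, when nobody is logged in, or when
 *                   the cookie or session could not be cleared
 */
public function action_index()
{
    // NOTE(review): the CSRF token is read from the URL path (param 'id').
    if (!Security::check($this->request->param("id"))) {
        throw new Exception("Bad token!");
    }

    $auth = Auth::instance();
    if (!$auth->logged_in()) {
        throw new Exception("You must be logged in to logout!");
    }

    // Delete the cookie once and check the result; the original deleted it
    // twice and only inspected the second attempt.
    if (Cookie::get('user_id')) {
        if (!Cookie::delete('user_id')) {
            throw new Exception("Cookie error.");
        }
    }

    // Single, checked logout; the original called logout() twice, once
    // unchecked.
    if (!$auth->logout()) {
        throw new Exception("Session error.");
    }

    $this->redirect('/');
}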