/**
 * Debug-only tool endpoint that runs the API password encryption or
 * decryption routine on a supplied value, so integrators can check their
 * client-side implementation against the server's.
 *
 * Reads `password`, `password_algo` and `decrypt` from the request. A non-zero
 * `decrypt` selects bdApi_Crypt::decrypt(); anything else (including absent)
 * selects bdApi_Crypt::encrypt(). Refused with a no-permission response unless
 * XenForo_Application::debugMode() is on, because the endpoint would otherwise
 * decrypt arbitrary caller-supplied input on a live board.
 *
 * @return XenForo_ControllerResponse_Abstract
 */
public function actionPostPasswordTest()
{
    $input = $this->_input->filter(array(
        'password' => XenForo_Input::STRING,
        'password_algo' => XenForo_Input::STRING,
        'decrypt' => XenForo_Input::UINT,
    ));

    // Hard stop outside debug mode; nothing below must be reachable in production.
    if (!XenForo_Application::debugMode()) {
        return $this->responseNoPermission();
    }

    $result = empty($input['decrypt'])
        ? bdApi_Crypt::encrypt($input['password'], $input['password_algo'])
        : bdApi_Crypt::decrypt($input['password'], $input['password_algo']);

    return $this->responseData('bdApi_ViewApi_Tool_PasswordTest', array('result' => $result));
}
/**
 * OAuth2 token endpoint: unwraps the API's encrypted-password convention and
 * then delegates the actual grant handling to the OAuth2 server.
 *
 * When `client_id`, `password` and `password_algo` are all present and the
 * client record exists, `password` is decrypted with that client's stored
 * secret and the raw request is rewritten in place: `$_POST['password']` gets
 * the plain password, `$_POST['password_algo']` is cleared and
 * `$_POST['client_secret']` is filled from the stored client record.
 * $_POST is mutated deliberately — the delegated server is handed `$this` and
 * presumably reads its parameters from the raw request rather than from the
 * filtered `$input`.
 *
 * NOTE(review): because `client_secret` is injected server-side here, a caller
 * using this path proves possession of the secret by being able to encrypt
 * with it, not by sending it; an unknown `client_id` leaves the request
 * untouched so the OAuth2 server produces its own error.
 *
 * @return XenForo_ControllerResponse_Abstract
 */
public function actionPostToken()
{
    /* @var $oauth2Model bdApi_Model_OAuth2 */
    $oauth2Model = $this->getModelFromCache('bdApi_Model_OAuth2');

    $input = $this->_input->filter(array(
        'client_id' => XenForo_Input::STRING,
        'password' => XenForo_Input::STRING,
        'password_algo' => XenForo_Input::STRING,
    ));

    $hasEncryptedPassword = !empty($input['client_id'])
        && !empty($input['password'])
        && !empty($input['password_algo']);

    if ($hasEncryptedPassword) {
        $client = $oauth2Model->getClientModel()->getClientById($input['client_id']);

        if (!empty($client)) {
            $secret = $client['client_secret'];
            $_POST['password'] = bdApi_Crypt::decrypt($input['password'], $input['password_algo'], $secret);
            $_POST['password_algo'] = '';
            $_POST['client_secret'] = $secret;
        }
    }

    return $oauth2Model->getServer()->actionOauthToken($this);
}
/**
 * PUT /users/:id — update an existing user's account fields.
 *
 * Accepts (all optional): `password` + `password_algo` (encrypted new password),
 * `password_old` (encrypted current password, used for re-authentication),
 * `user_email`, `username`, `primary_group_id`, `secondary_group_ids[]`,
 * `user_dob_day`/`user_dob_month`/`user_dob_year` and `user_fields`
 * (about/homepage/location/occupation plus custom fields).
 *
 * Authorization model as implemented below:
 *  - "admin" means the API session has SCOPE_MANAGE_SYSTEM AND the visitor has
 *    the `user` admin permission; either one alone is not enough.
 *  - Changing `password` or `user_email` requires re-authentication: an admin
 *    acting on a *different* user, or a valid `password_old`. Other fields do
 *    not require `password_old`.
 *  - Username, already-set date of birth, and user-group changes are admin-only.
 *    They are checked via the data writer's isChanged(), so re-submitting the
 *    current value is accepted.
 *  - A non-admin email change puts the account back into email confirmation
 *    when the board's registration setup requires it.
 *
 * @return XenForo_ControllerResponse_Abstract a 403 error on an authorization
 *   failure, a `requested_user_group_not_found` error on an unknown group id,
 *   otherwise the `changes_saved` message.
 */
public function actionPutIndex()
{
    $input = $this->_input->filter(array(
        'password' => XenForo_Input::STRING,
        'password_old' => XenForo_Input::STRING,
        'password_algo' => XenForo_Input::STRING,
        'user_email' => XenForo_Input::STRING,
        'username' => XenForo_Input::STRING,
        'primary_group_id' => XenForo_Input::UINT,
        'secondary_group_ids' => array(XenForo_Input::UINT, 'array' => true),
        'user_dob_day' => XenForo_Input::UINT,
        'user_dob_month' => XenForo_Input::UINT,
        'user_dob_year' => XenForo_Input::UINT,
        'user_fields' => XenForo_Input::ARRAY_SIMPLE
    ));

    $user = $this->_getUserOrError();
    $visitor = XenForo_Visitor::getInstance();
    $session = bdApi_Data_Helper_Core::safeGetSession();
    // OAuth scope and XenForo admin permission are both required for admin-level edits.
    $isAdmin = $session->checkScope(bdApi_Model_OAuth2::SCOPE_MANAGE_SYSTEM) && $visitor->hasAdminPermission('user');

    // Count the sensitive fields present; any of them forces re-authentication.
    $requiredAuth = 0;
    if (!empty($input['password'])) {
        $requiredAuth++;
    }
    if (!empty($input['user_email'])) {
        $requiredAuth++;
    }

    if ($requiredAuth > 0) {
        $isAuth = false;

        if ($isAdmin && $visitor['user_id'] != $user['user_id']) {
            // Admins editing their own account still have to supply password_old.
            $isAuth = true;
        } elseif (!empty($input['password_old'])) {
            $auth = $this->_getUserModel()->getUserAuthenticationObjectByUserId($user['user_id']);
            if (!empty($auth)) {
                // password_old is transported encrypted with the same algo as `password`.
                $passwordOld = bdApi_Crypt::decrypt($input['password_old'], $input['password_algo']);
                if ($auth->hasPassword() && $auth->authenticate($user['user_id'], $passwordOld)) {
                    $isAuth = true;
                }
            }
        }

        if (!$isAuth) {
            return $this->responseError(new XenForo_Phrase('bdapi_slash_users_requires_password_old'), 403);
        }
    }

    /* @var $writer XenForo_DataWriter_User */
    $writer = XenForo_DataWriter::create('XenForo_DataWriter_User');
    $writer->setExistingData($user, true);

    if ($isAdmin) {
        $writer->setOption(XenForo_DataWriter_User::OPTION_ADMIN_EDIT, true);
    }

    if (!empty($input['password'])) {
        $password = bdApi_Crypt::decrypt($input['password'], $input['password_algo']);
        $writer->setPassword($password, $password);
    }

    if (!empty($input['user_email'])) {
        $writer->set('email', $input['user_email']);

        if ($writer->isChanged('email') && XenForo_Application::getOptions()->get('registrationSetup', 'emailConfirmation') && !$isAdmin) {
            // Non-admin email changes must be re-confirmed when the board requires it;
            // admin edits skip this step.
            switch ($writer->get('user_state')) {
                case 'moderated':
                case 'email_confirm':
                    $writer->set('user_state', 'email_confirm');
                    break;
                default:
                    $writer->set('user_state', 'email_confirm_edit');
            }
        }
    }

    if (!empty($input['username'])) {
        $writer->set('username', $input['username']);
        // Only an actual change is rejected; re-sending the current username is fine.
        if ($writer->isChanged('username') && !$isAdmin) {
            return $this->responseError(new XenForo_Phrase('bdapi_slash_users_denied_username'), 403);
        }
    }

    if ($input['primary_group_id'] > 0) {
        $userGroups = $this->_getUserGroupModel()->getAllUserGroups();
        if (!isset($userGroups[$input['primary_group_id']])) {
            return $this->responseError(new XenForo_Phrase('requested_user_group_not_found'));
        }

        if (!empty($input['secondary_group_ids'])) {
            foreach ($input['secondary_group_ids'] as $secondaryGroupId) {
                if (!isset($userGroups[$secondaryGroupId])) {
                    return $this->responseError(new XenForo_Phrase('requested_user_group_not_found'));
                }
            }
        }

        // Secondary groups are only applied together with a primary group; the
        // non-admin check on group changes happens after preSave() below.
        $writer->set('user_group_id', $input['primary_group_id']);
        $writer->setSecondaryGroups($input['secondary_group_ids']);
    }

    if (!empty($input['user_dob_day']) && !empty($input['user_dob_month']) && !empty($input['user_dob_year'])) {
        $writer->set('dob_day', $input['user_dob_day']);
        $writer->set('dob_month', $input['user_dob_month']);
        $writer->set('dob_year', $input['user_dob_year']);

        // "Existing" means any of the three stored dob parts is non-zero.
        $hasExistingDob = false;
        $hasExistingDob = $hasExistingDob || !!$writer->getExisting('dob_day');
        $hasExistingDob = $hasExistingDob || !!$writer->getExisting('dob_month');
        $hasExistingDob = $hasExistingDob || !!$writer->getExisting('dob_year');

        if ($hasExistingDob && ($writer->isChanged('dob_day') || $writer->isChanged('dob_month') || $writer->isChanged('dob_year')) && !$isAdmin) {
            // setting new dob is fine but changing dob requires admin permission
            return $this->responseError(new XenForo_Phrase('bdapi_slash_users_denied_dob'), 403);
        }
    }

    if (!empty($input['user_fields'])) {
        // The four built-in profile fields are filtered as strings; everything
        // else in user_fields is handed to the writer as custom field values.
        $profileFieldsInput = new XenForo_Input($input['user_fields']);
        $profileFields = $profileFieldsInput->filter(array(
            'about' => XenForo_Input::STRING,
            'homepage' => XenForo_Input::STRING,
            'location' => XenForo_Input::STRING,
            'occupation' => XenForo_Input::STRING
        ));
        $writer->bulkSet($profileFields);
        $writer->setCustomFields($input['user_fields']);
    }

    $writer->preSave();

    if (!$isAdmin) {
        if ($writer->isChanged('user_group_id') || $writer->isChanged('secondary_group_ids')) {
            // this has to be checked here because `secondary_group_ids` only get set within preSave()
            return $this->responseError(new XenForo_Phrase('bdapi_slash_users_denied_user_group'), 403);
        }
    }

    $writer->save();
    $user = $writer->getMergedData();

    // Trigger the confirmation mail only when the email actually changed and the
    // state set above (or by the writer) now requires confirmation.
    if ($writer->isChanged('email') && in_array($user['user_state'], array('email_confirm', 'email_confirm_edit'))) {
        /* @var $userConfirmationModel XenForo_Model_UserConfirmation */
        $userConfirmationModel = $this->getModelFromCache('XenForo_Model_UserConfirmation');
        $userConfirmationModel->sendEmailConfirmation($user);
    }

    return $this->responseMessage(new XenForo_Phrase('changes_saved'));
}
/**
 * PUT /users/:id — update an existing user's account fields (stricter variant:
 * every request must re-authenticate, and a no-op request is rejected).
 *
 * Accepts (all optional): `password_old` + `password_algo` for
 * re-authentication, `user_email`, `username` (admin only), `password`
 * (encrypted with `password_algo`) and `user_dob_day`/`user_dob_month`/`user_dob_year`.
 *
 * Authorization as implemented below:
 *  - "admin" means the API session has SCOPE_MANAGE_SYSTEM AND the visitor has
 *    the `user` admin permission.
 *  - Every request must either come from an admin editing a *different* user or
 *    carry a valid `password_old`; otherwise a no-permission response.
 *  - Any `username` value from a non-admin is refused, even if it equals the
 *    current one (no isChanged() check here, unlike the email handling).
 *  - When a date of birth is already stored, a non-admin is refused even if the
 *    submitted values match; a first-time dob only needs the re-authentication.
 *  - A request that results in no writer changes is rejected with a 400.
 *
 * @return XenForo_ControllerResponse_Abstract
 */
public function actionPutIndex()
{
    $user = $this->_getUserOrError();
    $visitor = XenForo_Visitor::getInstance();
    $input = $this->_input->filter(array(
        'password_old' => XenForo_Input::STRING,
        'password_algo' => XenForo_Input::STRING,
        'user_email' => XenForo_Input::STRING,
        'username' => XenForo_Input::STRING,
        'password' => XenForo_Input::STRING,
        'user_dob_day' => XenForo_Input::UINT,
        'user_dob_month' => XenForo_Input::UINT,
        'user_dob_year' => XenForo_Input::UINT
    ));
    $session = bdApi_Data_Helper_Core::safeGetSession();
    // OAuth scope and XenForo admin permission are both required for admin-level edits.
    $isAdmin = $session->checkScope(bdApi_Model_OAuth2::SCOPE_MANAGE_SYSTEM) && $visitor->hasAdminPermission('user');

    $isAuth = false;
    if ($isAdmin && $visitor['user_id'] != $user['user_id']) {
        // Admins editing their own account still have to supply password_old.
        $isAuth = true;
    } elseif (!empty($input['password_old'])) {
        $auth = $this->_getUserModel()->getUserAuthenticationObjectByUserId($user['user_id']);
        if (!empty($auth)) {
            // password_old is transported encrypted with the same algo as `password`.
            $passwordOld = bdApi_Crypt::decrypt($input['password_old'], $input['password_algo']);
            if ($auth->hasPassword() && $auth->authenticate($user['user_id'], $passwordOld)) {
                $isAuth = true;
            }
        }
    }
    if (!$isAuth) {
        return $this->responseNoPermission();
    }

    /* @var $writer XenForo_DataWriter_User */
    $writer = XenForo_DataWriter::create('XenForo_DataWriter_User');
    $writer->setExistingData($user, true);

    if (!empty($input['user_email'])) {
        $writer->set('email', $input['user_email']);

        if ($writer->isChanged('email') && XenForo_Application::getOptions()->get('registrationSetup', 'emailConfirmation') && !$isAdmin) {
            // Non-admin email changes must be re-confirmed when the board requires it;
            // admin edits skip this step.
            switch ($writer->get('user_state')) {
                case 'moderated':
                case 'email_confirm':
                    $writer->set('user_state', 'email_confirm');
                    break;
                default:
                    $writer->set('user_state', 'email_confirm_edit');
            }
        }
    }

    if (!empty($input['username'])) {
        // Rejected before the value is even compared with the stored username.
        if (!$isAdmin) {
            return $this->responseNoPermission();
        }
        $writer->set('username', $input['username']);
    }

    if (!empty($input['password'])) {
        $password = bdApi_Crypt::decrypt($input['password'], $input['password_algo']);
        $writer->setPassword($password, $password);
    }

    if (!empty($input['user_dob_day']) && !empty($input['user_dob_month']) && !empty($input['user_dob_year'])) {
        // "Existing" means any of the three stored dob parts is non-zero.
        $hasExistingDob = false;
        $hasExistingDob = $hasExistingDob || !!$writer->getExisting('dob_day');
        $hasExistingDob = $hasExistingDob || !!$writer->getExisting('dob_month');
        $hasExistingDob = $hasExistingDob || !!$writer->getExisting('dob_year');

        if ($hasExistingDob) {
            if (!$isAdmin) {
                // changing dob requires admin permission
                return $this->responseNoPermission();
            }
        } else {
            // new dob just needs auth
        }

        $writer->set('dob_day', $input['user_dob_day']);
        $writer->set('dob_month', $input['user_dob_month']);
        $writer->set('dob_year', $input['user_dob_year']);
    }

    // A request that set nothing (or only re-sent current values) is treated as an error.
    if (!$writer->hasChanges()) {
        return $this->responseError(new XenForo_Phrase('error_occurred_or_request_stopped'), 400);
    }

    $writer->save();
    $user = $writer->getMergedData();

    // Trigger the confirmation mail only when the email actually changed and the
    // state set above (or by the writer) now requires confirmation.
    if ($writer->isChanged('email') && in_array($user['user_state'], array('email_confirm', 'email_confirm_edit'))) {
        /* @var $userConfirmationModel XenForo_Model_UserConfirmation */
        $userConfirmationModel = $this->getModelFromCache('XenForo_Model_UserConfirmation');
        $userConfirmationModel->sendEmailConfirmation($user);
    }

    return $this->responseMessage(new XenForo_Phrase('changes_saved'));
}