 /**
  * Build a fresh, unsaved TAN for the given customer.
  *
  * The code itself is whatever Helper::randomString(15) returns; whether that
  * helper draws from a CSPRNG is not visible here — confirm before relying on
  * these values for transaction authorisation.
  *
  * @param mixed $customerId owner of the TAN, stored verbatim
  * @return Tan instance with customerId and value populated
  */
 public static function generate($customerId)
 {
     $instance = new Tan();
     $instance->value = Helper::randomString(15);
     $instance->customerId = $customerId;
     return $instance;
 }
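 /**
  * AJAX registration endpoint.
  *
  * Reads a JSON body carrying `_csrf_token_register`, `_username` and
  * `_password`. Responses: 400 for a malformed body, a field that fails its
  * pattern, or a CSRF mismatch; 409 when the username already exists; 201
  * with `{"id": n}` on success. Anything that is not an AJAX POST is
  * redirected to the register page.
  *
  * Fixes: the CSRF digest is compared with hash_equals() instead of `==`;
  * a body that is not a JSON object no longer has properties read off null;
  * the deprecated FILTER_SANITIZE_STRING is gone (the token only has to be a
  * non-empty string, the digest comparison does the rest).
  *
  * @return void
  */
 public function createAction()
 {
     if ($this->isAJAX() && $this->isRequestMethod('POST')) {
         $status = 400;
         $data = array("error" => 'bad_request');
         // json_decode() returns null for invalid JSON or a non-object body, so
         // every field is resolved through one guarded accessor that yields ''
         // for anything missing or non-string.
         $body = json_decode(file_get_contents('php://input'));
         $field = function ($name) use ($body) {
             if (is_object($body) && isset($body->{$name}) && is_string($body->{$name})) {
                 return $body->{$name};
             }
             return '';
         };
         $token = $field('_csrf_token_register');
         $username = $field('_username');
         $password = $field('_password');
         // Both patterns are anchored and alphanumeric-only, so values that pass
         // them need no HTML escaping here; escape at render time instead.
         $usernameRule = array("options" => array("regexp" => '/^[a-zA-Z0-9]{3,15}$/'));
         $passwordRule = array("options" => array("regexp" => '/^[a-zA-Z0-9]{6,20}$/'));
         if ($token !== '' && filter_var($username, FILTER_VALIDATE_REGEXP, $usernameRule) && filter_var($password, FILTER_VALIDATE_REGEXP, $passwordRule)) {
             // The form carries sha256(session token) (see generateCSRFToken);
             // compare in constant time. The cast keeps a missing session token
             // from reaching hash() as null.
             $expected = hash('sha256', (string) Security::getCSRFToken('csrf_token_register'));
             if (hash_equals($expected, $token)) {
                 $user = $this->loadModel('User');
                 $user->Username = $username;
                 // NOTE(review): the password is handed to the model as entered;
                 // whether User hashes it before Save() is not visible here — confirm.
                 $user->Password = $password;
                 $status = 409;
                 $data = array('error' => 'username_is_taken');
                 if (!$user->isUsernameTaken()) {
                     $id = $user->Save(array('username' => $username, 'password' => $user->Password));
                     if ($id > 0) {
                         // Every new account is given role_id 1 (presumably the plain user role).
                         $role = $this->loadModel('Role');
                         $role->Save(array('user_id' => $id, 'role_id' => 1));
                         $status = 201;
                         $data = array('id' => $id);
                     }
                 }
             }
         }
         http_response_code($status);
         echo json_encode($data);
     } else {
         Helper::redirectTo(WEB . 'register');
     }
 }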
 /**
  * Create a CSRF token: the raw value is stored in the session under $name and
  * its SHA-256 hex digest is returned for embedding in the form.
  *
  * Consumers compare the submitted digest against hash('sha256', session value).
  * The token's strength depends on Helper::random() being backed by a CSPRNG,
  * which is not visible here.
  *
  * @access public
  * @param string $name   session key the raw token is stored under
  * @param int    $length length forwarded to Helper::random()
  * @return string hex SHA-256 digest of the raw token
  */
 public static function generateCSRFToken($name, $length = 100)
 {
     $rawToken = Helper::random($length);
     $digest = hash('sha256', $rawToken);
     Session::Start();
     Session::Set($name, $rawToken);
     return $digest;
 }
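 /**
  * AJAX login endpoint.
  *
  * Expects form-encoded `_csrf_token_login`, `_username` and `_password`.
  * Responses: 400 when a field is missing, 403 on CSRF mismatch, 204 (with a
  * JSON body) when the credentials are rejected, 200 with `{"id", "role"}` on
  * success. Any request that is not an AJAX POST is redirected to the
  * register page.
  *
  * Fix: the CSRF digest is compared with hash_equals() instead of `==`.
  *
  * @return void
  */
 public function indexAction()
 {
     if ($this->isAJAX() && $this->isRequestMethod('POST')) {
         $status = 400;
         $data = array('error' => 'bad_request');
         if (filter_has_var(INPUT_POST, "_csrf_token_login") && filter_has_var(INPUT_POST, "_username") && filter_has_var(INPUT_POST, "_password")) {
             $status = 403;
             $data = array('error' => 'bad_request');
             $csrf_token_login = htmlspecialchars($_POST['_csrf_token_login'], ENT_QUOTES);
             // The form carries sha256(session token); compare in constant time.
             // The cast keeps a missing session token from reaching hash() as null.
             $expected = hash('sha256', (string) Security::getCSRFToken('csrf_token_login'));
             if (hash_equals($expected, $csrf_token_login)) {
                 // NOTE: 204 is sent together with a body; clients should not rely on it.
                 $status = 204;
                 $data = array('error' => 'no_content');
                 $username = htmlspecialchars($_POST['_username'], ENT_QUOTES);
                 // NOTE(review): HTML-escaping the password before verification
                 // alters any password containing & < > " '. Kept for parity with
                 // however the stored form was produced; verifying the raw value
                 // against a password_hash() digest is the proper fix.
                 $password = htmlspecialchars($_POST['_password'], ENT_QUOTES);
                 $user = $this->loadModel('User');
                 $user->Username = $username;
                 $user->Password = $password;
                 $id = $user->isAuthorized();
                 if ($id > 0) {
                     // NOTE(review): confirm Security::loggedIn() regenerates the
                     // session id; otherwise the login is open to session fixation.
                     Security::loggedIn($id, $user->Role);
                     Security::destroyCSRFToken('csrf_token_login');
                     $status = 200;
                     $data = array('id' => $id, 'role' => $user->Role);
                 }
             }
         }
         http_response_code($status);
         echo json_encode($data);
     } else {
         Helper::redirectTo(WEB . 'register');
     }
 }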
 /**
  * Register a new employee account.
  *
  * Requires email, password, passwordRep, firstname and lastname. The two
  * passwords must match and pass Helper::checkPasswordConstraints(); the
  * e-mail must validate and must not already belong to an employee or a
  * customer — in that case a success response is returned without creating
  * anything, so the endpoint does not reveal which addresses exist.
  *
  * Reviewer notes: the salt is five characters from Helper::randomString and
  * the hash comes from Helper::hashPassword — whether that is a slow, salted
  * KDF (password_hash) is not visible here. FILTER_SANITIZE_STRING is
  * deprecated since PHP 8.1.
  *
  * @param Request $request
  * @return JsonResponse|JsonErrorResponse
  */
 public function register(Request $request)
 {
     $employees = $this->getEmployeeRepository();
     $employee = new Employee();
     $input = $request->request;
     //check for all request parameters
     $required = array('email', 'password', 'passwordRep', 'firstname', 'lastname');
     foreach ($required as $key) {
         if (!isset($input[$key])) {
             return JsonErrorResponse::fromKey(JsonErrorResponse::INVALID_REQUEST_PARAMETER);
         }
     }
     if (strcmp($input['password'], $input['passwordRep']) !== 0) {
         return JsonErrorResponse::fromKey(JsonErrorResponse::UNEQUAL_PASSWORD_ERROR);
     }
     $password = $input['password'];
     if (!Helper::checkPasswordConstraints($password)) {
         return JsonErrorResponse::fromKey(JsonErrorResponse::PASSWORD_REQUIREMENTS_ERROR);
     }
     $salt = Helper::randomString(5);
     $hash = Helper::hashPassword($password, $salt);
     //---- validation ---
     $email = $input['email'];
     if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
         return JsonErrorResponse::fromKey(JsonErrorResponse::INVALID_REQUEST_EMAIL);
     }
     // Silent success on a duplicate address (anti-enumeration).
     $emailTaken = !is_null($employees->getEmployeeByEmail($email)) || !is_null($this->getCustomerRepository()->getCustomerByEmail($email));
     if ($emailTaken) {
         return new JsonResponse(array('success' => true));
     }
     $employee->email = $email;
     $employee->firstname = filter_var($input['firstname'], FILTER_SANITIZE_STRING);
     $employee->lastname = filter_var($input['lastname'], FILTER_SANITIZE_STRING);
     if (!$employees->createEmployeeAccount($employee, $salt, $hash)) {
         return JsonErrorResponse::fromKey(JsonErrorResponse::UNEXPECTED_ERROR);
     }
     return new JsonResponse(array('success' => true));
 }
 /**
  * AJAX logout endpoint.
  *
  * An AJAX POST ends the session through Security::loggedOut() and answers
  * 200 `{"success": true}`; anything else is redirected to DEFAULT_ROUTE.
  * No CSRF token is checked, so the protection is only as strong as whatever
  * header isAJAX() inspects (not visible here).
  */
 public function indexAction()
 {
     $isAjaxPost = $this->isAJAX() && $this->isRequestMethod('POST');
     if (!$isAjaxPost) {
         Helper::redirectTo(WEB . DEFAULT_ROUTE);
         return;
     }
     Security::loggedOut();
     http_response_code(200);
     echo json_encode(array('success' => true));
 }
 /**
  * Admin-only category CRUD page.
  *
  * Renders Category/Admin/index with its styles, scripts and a fresh CSRF
  * token under `csrf_token_category`; any other role is sent to the public
  * categories page. Authorisation is an exact string match on
  * Security::getUserRole().
  */
 public function crudAction()
 {
     if (Security::getUserRole() !== 'ROLE_ADMIN') {
         Helper::redirectTo(WEB . 'categories');
         return;
     }
     $stylesheets = [STYLES . 'grid.css'];
     $scripts = [SCRIPTS . 'category.js', SCRIPTS . 'category-crud.js', SCRIPTS . 'categories.js'];
     $viewData = ['csrf_token_category' => Security::generateCSRFToken('csrf_token_category')];
     $this->loadView(LAYOUT, 'Category/Admin/index', 'Categories', $stylesheets, $scripts, $viewData);
 }
 /**
  * Admin-only comment moderation page.
  *
  * Loads every comment and renders Comments/Admin/index with its styles,
  * scripts and a fresh CSRF token under `csrf_token_comment`; any other role
  * is sent to the public comments page. Authorisation is an exact string
  * match on Security::getUserRole().
  */
 public function crudAction()
 {
     if (Security::getUserRole() !== 'ROLE_ADMIN') {
         Helper::redirectTo(WEB . 'comments');
         return;
     }
     $allComments = $this->loadModel('Comment')->loadAll();
     $stylesheets = [STYLES . 'comments.css'];
     $scripts = [SCRIPTS . 'comment.js', SCRIPTS . 'comment-crud.js'];
     $viewData = [
         'comments' => $allComments,
         'csrf_token_comment' => Security::generateCSRFToken('csrf_token_comment'),
     ];
     $this->loadView(LAYOUT, 'Comments/Admin/index', 'Comments', $stylesheets, $scripts, $viewData);
 }
 /**
  * Wire the controller to the App singleton and resolve its paths.
  *
  * templatePath falls back to the app's `templatePath` setting. viewPath, if
  * unset, is derived from the called class: `<two dirs above this file>/
  * <namespace of the class>/view/` (a `/` segment when the class has no
  * namespace), normalised by Helper::fixSlashes.
  */
 public function __construct()
 {
     $this->app = App::instance();
     if (!$this->templatePath) {
         $this->templatePath = $this->app->get('templatePath');
     }
     if (!$this->viewPath) {
         $calledClass = get_called_class();
         $separator = strrpos($calledClass, '\\');
         if (false === $separator) {
             $namespace = '/';
         } else {
             $namespace = substr($calledClass, 0, $separator);
         }
         $baseDir = dirname(dirname(__DIR__));
         $this->viewPath = Helper::fixSlashes($baseDir . '/' . $namespace . '/view/');
     }
 }
 /**
  * Front controller: resolve the route and dispatch the controller action.
  *
  * Routes flagged `isOauthRequired` are only served when
  * Security::isUserLoggedIn() holds; otherwise the request is redirected to
  * DEFAULT_ROUTE. A route entry may override the controller; the action and
  * params come from Bootstrap's URL parse. Whether Helper::redirectTo()
  * terminates the request is not visible here — the early return keeps
  * dispatch from running either way.
  *
  * @access public
  * @return void
  */
 public function run()
 {
     $bootstrap = new Bootstrap();
     $bootstrap->setCurrentController(DEFAULT_CONTROLLER);
     $bootstrap->setCurrentAction(DEFAULT_ACTION);
     $bootstrap->parseUrl();
     $route = $bootstrap->getRoute();
     $routeConfig = isset($this->routes[$route]) ? $this->routes[$route] : array();
     $needsLogin = !empty($routeConfig['isOauthRequired']);
     if ($needsLogin && !Security::isUserLoggedIn()) {
         Helper::redirectTo(WEB . DEFAULT_ROUTE);
         return;
     }
     if (!empty($routeConfig['controller'])) {
         $bootstrap->setController($routeConfig['controller']);
     }
     $bootstrap->loadControllerFile();
     $bootstrap->initControllerClass();
     $bootstrap->runControllerAction($bootstrap->getAction(), $bootstrap->getParams());
 }
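 /**
  * Show and process the "my account" form.
  *
  * On POST the submitted fields are validated (name and username required,
  * the current password must equal the stored one, an optional new password
  * of at least four characters), an uploaded avatar is stored under an
  * id-derived name, and the user row is updated. On GET, or after a failed
  * POST, the form is rendered with the current values.
  *
  * Fix: `password` and `new_password` used to default to the stored values,
  * so a POST that simply omitted `password` satisfied the "current password"
  * rule without knowing it, and the GET render fed the stored password into
  * the form. Both now default to an empty string.
  *
  * @param User     $user    the logged-in user (session-backed store)
  * @param Database $db      persistence layer
  * @param Request  $request current request
  * @return mixed rendered view, or a redirect response after a successful save
  */
 public function account(User $user, Database $db, Request $request)
 {
     // NOTE(review): assumes Request::get($key, $default) returns $default only
     // when the key is absent — confirm; if it also substitutes for '' the old
     // defaults were an even wider bypass.
     $fields = [
         'username' => $request->get('username', $user->get('username')),
         'password' => $request->get('password', ''),
         'new_password' => $request->get('new_password', ''),
         'name' => $request->get('name', $user->get('name')),
     ];
     $error = null;
     $selfUrl = $this->homeUrl . '/account';
     $labels = $this->app->load('app/config/translations/user-labels.php');
     if ($request->isPost()) {
         // NOTE(review): the stored password is compared verbatim here and
         // written back verbatim below, i.e. it is kept in plaintext; it is also
         // interpolated into the rule string, so a value containing ')' or ','
         // may break rule parsing. password_hash()/password_verify() would fix
         // both — not changed here because the validator's API is not visible.
         // The username is likewise updated without a uniqueness check.
         $old_password = $user->get('password');
         $rules = ['name,username' => 'required', 'password' => 'required,Password saat ini tidak boleh kosong', '-password' => "equal({$old_password}),Password saat ini tidak valid", 'new_password' => 'minLength(4,allowEmpty)'];
         $error = $this->validation->setData($fields)->setRules($rules)->setLabels($labels)->validate()->getError();
         if (!$error) {
             // handle file: the target path is derived from the user id, so the
             // client-supplied file name never reaches the filesystem (what
             // handleFileUpload does with the extension is not visible here).
             $filename = $request->baseDir() . 'asset/avatars/user-' . $user->get('id');
             if (Helper::handleFileUpload('avatar', $filename, $this->app->get('imageTypes'))) {
                 $fields['avatar'] = basename($filename);
             }
             if ($fields['new_password']) {
                 $fields['password'] = $fields['new_password'];
             }
             unset($fields['new_password']);
             $filter = ['id = ?', $user->get('id')];
             $saved = $db->update('user', $fields, $filter);
             if ($saved) {
                 $user->register($fields);
                 $user->message('success', 'Data sudah diupdate');
                 return $this->redirect($selfUrl);
             } else {
                 $error = 'Data gagal disimpan!';
             }
         }
         $user->message('error', $error);
     }
     $avatar = $user->get('avatar');
     $avatar = $this->app->asset($avatar ? 'asset/avatars/' . $avatar : 'asset/images/avatar.png');
     $form = $this->form->setData($fields)->setLabels($labels)->setAttrs(['class' => 'form-horizontal', 'enctype' => 'multipart/form-data'])->setDefaultControlAttrs(['class' => 'form-control'])->setDefaultLabelAttrs(['class' => 'form-label col-md-4']);
     return $this->render('profil', ['form' => $form, 'avatar' => $avatar, 'backUrl' => 'index']);
 }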
 /**
  * Seed the config store with the default template directory: the `template`
  * folder next to this file's parent directory, slashes normalised by
  * Helper::fixSlashes.
  */
 public function __construct()
 {
     $templateDir = dirname(__DIR__) . '/template';
     $this->data['templatePath'] = Helper::fixSlashes($templateDir);
 }
                $method = $defaultMethod;
            }
            // check method visibility
            $mref = new ReflectionMethod($class, $method);
            if (false === $mref->isPublic() || '_' === $method[0] || method_exists($class, '_' . $method)) {
                // invalid method
                $class = $errorHandler;
                $method = 'notAllowed';
            }
            $mref = null;
            // current handler info
            $app->set('controller', $class)->set('method', $method);
            $segments = [];
        } else {
            $last = array_pop($segments);
            $pMethod = Helper::fixRouteToClassMap($last);
            array_unshift($args, $last);
        }
    }
}
unset($current_path, $namespace, $suffix, $defaultController, $defaultMethod, $errorHandler, $segments, $pMethod, $clone, $pClass, $pNamespace, $mref);
// controller construction
$instance = $app->service($class);
$response = null;
if (method_exists($instance, '_beforeRoute')) {
    $response = $app->call($instance, '_beforeRoute', $args);
}
if (false === $response || null === $response) {
    $response = $app->call($instance, $method, $args);
}
if ($response instanceof Response) {
 /**
  * Approve a pending customer registration and optionally seed a balance.
  *
  * Validates `amount` (digits, optionally with two decimals), looks the
  * customer up, e-mails either a freshly generated 5-character value (no SCS
  * pin on file) or the stored SCS pin, then marks the registration approved
  * and, for a positive amount, books an "Initial Account Balance" transaction
  * from account 1.
  *
  * Reviewer notes: the mail goes out before approveRegistration() is
  * persisted, so a failed update leaves the customer with an "approved" mail;
  * and approveRegistration() is invoked regardless of status — confirm it
  * refuses non-pending customers, otherwise repeating this call credits the
  * amount again.
  *
  * @param Request $request    carries `amount` in its request parameters
  * @param mixed   $customerId id of the customer to approve (passed to the repository as-is)
  * @return JsonResponse|JsonErrorResponse
  */
 public function approveRegistration(Request $request, $customerId)
 {
     if (!isset($request->request['amount'])) {
         return JsonErrorResponse::fromKey(JsonErrorResponse::INVALID_REQUEST_PARAMETER);
     }
     $amount = $request->request['amount'];
     // In a double-quoted string "\$" is '$' and "\\d" is '\d', so the pattern
     // is /^\d*($|\.\d\d$)/: an integer or a two-decimal amount. An empty
     // string is rejected either way because filter_var() yields a falsy value.
     if (!filter_var($amount, FILTER_VALIDATE_REGEXP, array("options" => array("regexp" => "/^\\d*(\$|\\.\\d\\d\$)/")))) {
         return JsonErrorResponse::fromKey(JsonErrorResponse::INVALID_AMOUNT);
     }
     // NOTE(review): money as float; integer cents or BCMath would avoid rounding.
     $amount = floatval($amount);
     $customerRepository = $this->getCustomerRepository();
     $customer = $customerRepository->getCustomerById($customerId);
     if (is_null($customer)) {
         return JsonErrorResponse::fromKey(JsonErrorResponse::INVALID_CUSTOMER_ID);
     }
     if ($customer->status == 'pending') {
         $credentials = $customerRepository->getCustomerCredentials($customer);
         if (is_null($credentials['scs_pin'])) {
             // NOTE(review): this value is e-mailed but nothing in this method
             // persists it, so it cannot be verified later — confirm whether the
             // repository stores it elsewhere. Five characters from
             // Helper::randomString is also a small space for anything credential-like.
             $password = Helper::randomString(5);
             $message = "Dear {$customer->firstname} {$customer->lastname}," . PHP_EOL . "your Account was successfully approved!" . "You can now login and make transactions with your tan list" . $password . PHP_EOL . PHP_EOL . "Best Regards," . PHP_EOL . "SitzBank";
             $mail = Helper::getPhpMailer();
             $mail->addAddress($customer->email, $customer->firstname . ' ' . $customer->lastname);
             $mail->Subject = "Account approved!";
             $mail->Body = $message;
             if (!$mail->send()) {
                 return JsonErrorResponse::fromKey(JsonErrorResponse::MAIL_ERROR);
             }
         } else {
             // using the scs generator
             // NOTE(review): the SCS pin is sent in clear text over e-mail.
             $message = "Dear {$customer->firstname} {$customer->lastname}," . PHP_EOL . "your Account was successfully approved! You chose to use the scs tan generator." . PHP_EOL . "You can download the generator in the logged in area (make a transfer section)." . PHP_EOL . "Your scs pin is " . $credentials['scs_pin'] . PHP_EOL . "Best Regards," . PHP_EOL . "SitzBank";
             $mail = Helper::getPhpMailer();
             $mail->addAddress($customer->email, $customer->firstname . ' ' . $customer->lastname);
             $mail->Subject = "Welcome to Sitzbank!";
             $mail->Body = $message;
             if (!$mail->send()) {
                 return JsonErrorResponse::fromKey(JsonErrorResponse::MAIL_ERROR);
             }
         }
     }
     if ($customerRepository->approveRegistration($customerId)) {
         if ($amount > 0) {
             // Source account is hard-coded to 1 (presumably the bank's own account).
             $transaction = Transaction::withData(1, $customer->id, $amount, "Initial Account Balance", 'approved');
             $this->getTransactionRepository()->createTransaction($transaction);
         }
         return new JsonResponse(array('success' => true));
     }
     return JsonErrorResponse::fromKey(JsonErrorResponse::UNEXPECTED_ERROR);
 }
 /**
  * Complete a password reset: exchange a reset token for a new password.
  *
  * Requires `token`, `password` and `passwordRep`. The token must resolve to
  * a customer, the two passwords must match and satisfy
  * Helper::checkPasswordConstraints(). On success the credentials are
  * replaced (fresh 5-char salt from Helper::randomString, hash from
  * Helper::hashPassword) and the reset record is removed.
  *
  * Reviewer notes: any token expiry must live inside
  * getCustomerByPasswordResetToken() — not visible here; existing sessions
  * are not invalidated after the change; FILTER_SANITIZE_STRING is deprecated
  * since PHP 8.1.
  *
  * @param Request $request
  * @return JsonResponse|JsonErrorResponse
  */
 public function resetPassword(Request $request)
 {
     $missing = !isset($request->request['token']) || !isset($request->request['password']) || !isset($request->request['passwordRep']);
     if ($missing) {
         return JsonErrorResponse::fromKey(JsonErrorResponse::INVALID_REQUEST_PARAMETER);
     }
     //Validate token
     $customers = $this->getCustomerRepository();
     $resetToken = filter_var($request->request['token'], FILTER_SANITIZE_STRING);
     $customer = $customers->getCustomerByPasswordResetToken($resetToken);
     if (is_null($customer)) {
         return JsonErrorResponse::fromKey(JsonErrorResponse::INVALID_PW_RESET_TOKEN);
     }
     //Validate password
     $newPassword = $request->request['password'];
     if (strcmp($newPassword, $request->request['passwordRep']) !== 0) {
         return JsonErrorResponse::fromKey(JsonErrorResponse::UNEQUAL_PASSWORD_ERROR);
     }
     if (!Helper::checkPasswordConstraints($newPassword)) {
         return JsonErrorResponse::fromKey(JsonErrorResponse::PASSWORD_REQUIREMENTS_ERROR);
     }
     $salt = Helper::randomString(5);
     $hash = Helper::hashPassword($newPassword, $salt);
     if (!$customers->updateCustomerCredentials($customer, $salt, $hash)) {
         return JsonErrorResponse::fromKey(JsonErrorResponse::UNEXPECTED_ERROR);
     }
     $customers->removePassworReset($customer->id);
     return new JsonResponse(array('message' => 'Your password has been reseted. You can now login in with your new password.'));
 }
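 /**
  * AJAX save endpoint for news items: `_id` of 0 creates, anything else updates.
  *
  * Requires a valid `_csrf_token_news` and an integer `_id`. Status and
  * payload are taken from $this->status / $this->data, which create() and
  * update() are expected to set; the default is 400 bad_request. A non-AJAX
  * request is redirected; an AJAX request with a non-POST method produces no
  * output at all.
  *
  * Fixes: the CSRF digest is compared with hash_equals() instead of `==`, and
  * `_id` must be an integer (FILTER_VALIDATE_INT) rather than anything
  * is_numeric() accepts ("1.5", "1e3", " 7").
  *
  * @return void
  */
 public function saveAction()
 {
     if ($this->isAJAX() && $this->isRequestMethod('POST')) {
         $this->status = 400;
         $this->data = array("error" => 'bad_request');
         if (filter_has_var(INPUT_POST, '_csrf_token_news')) {
             $csrf_token_news = htmlspecialchars($_POST['_csrf_token_news'], ENT_QUOTES);
             // The form carries sha256(session token); compare in constant time.
             // The cast keeps a missing session token from reaching hash() as null.
             $expected = hash('sha256', (string) Security::getCSRFToken('csrf_token_news'));
             if (hash_equals($expected, $csrf_token_news)) {
                 if (filter_has_var(INPUT_POST, '_id')) {
                     // false for non-integers and for array input.
                     $id = filter_var($_POST['_id'], FILTER_VALIDATE_INT);
                     if ($id !== false) {
                         if ($id === 0) {
                             $this->create();
                         } else {
                             $this->update($id);
                         }
                     }
                 }
             }
         }
         http_response_code($this->status);
         echo json_encode($this->data);
     } else {
         if (!$this->isAJAX()) {
             Helper::redirectTo(WEB . 'news/category');
         }
     }
 }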