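/**
 * Perform the necessary actions to send a password reset mail.
 *
 * Flow: captcha check -> non-empty input check -> user lookup -> generate a random
 * token plus a request timestamp -> persist the token -> send the mail. Every failure
 * path records a negative feedback message in the session, except a failed token
 * write, which only returns false.
 *
 * @param $user_name_or_email string Username or user's email
 * @param $captcha string Captcha string
 *
 * @return bool success status
 */
public static function requestPasswordReset($user_name_or_email, $captcha)
{
    if (!CaptchaModel::checkCaptcha($captcha)) {
        Session::add('feedback_negative', Text::get('FEEDBACK_CAPTCHA_WRONG'));
        return false;
    }

    if (empty($user_name_or_email)) {
        Session::add('feedback_negative', Text::get('FEEDBACK_USERNAME_EMAIL_FIELD_EMPTY'));
        return false;
    }

    // check if that username exists
    // NOTE(review): the distinct "user does not exist" feedback lets a caller tell registered
    // accounts from unknown ones (account enumeration); the UI layer may prefer a generic message.
    $result = UserModel::getUserDataByUserNameOrEmail($user_name_or_email);
    if (!$result) {
        Session::add('feedback_negative', Text::get('FEEDBACK_USER_DOES_NOT_EXIST'));
        return false;
    }

    // integer timestamp: records when the user (or an attacker) requested the reset mail,
    // so the token can be expired later
    $temporary_timestamp = time();

    // random token for the reset link (40 hex chars, the same length as the former sha1 string).
    // random_bytes() is a CSPRNG; the previous sha1(uniqid(mt_rand(), true)) was derived from
    // the clock and mt_rand() and therefore guessable. Requires PHP >= 7.0.
    $user_password_reset_hash = bin2hex(random_bytes(20));

    // set token (= a random hash string and a timestamp) into database ...
    $token_set = self::setPasswordResetDatabaseToken($result->user_name, $user_password_reset_hash, $temporary_timestamp);
    if (!$token_set) {
        return false;
    }

    // ... and send a mail to the user, containing a link with username and token hash string
    $mail_sent = self::sendPasswordResetMail($result->user_name, $user_password_reset_hash, $result->user_email);

    return $mail_sent ? true : false;
}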
/**
 * This method controls what happens when you move to /overview/showProfile in your app.
 * Shows the (public) details of the selected user; without an id the visitor is sent home.
 *
 * @param $user_id int id of the user
 */
public function showProfile($user_id)
{
    if (!isset($user_id)) {
        Redirect::home();
        return;
    }

    $profile = UserModel::getPublicProfileOfUser($user_id);
    $this->View->render('profile/showProfile', array('user' => $profile));
}
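/**
 * Handles the entire registration process for DEFAULT users (not for people who register with
 * 3rd party services, like facebook) and creates a new user in the database if everything is fine.
 *
 * Steps: read and tag-strip the POSTed fields -> validate them (incl. captcha) -> hash the
 * password -> reject duplicate username / email (both checks run so both messages can be shown
 * at once) -> insert the user with a random activation token -> send the verification mail,
 * rolling the new account back if sending fails.
 *
 * @return boolean Gives back the success status of the registration
 */
public static function registerNewUser()
{
    // clean the input
    $user_name = strip_tags(Request::post('user_name'));
    $user_email = strip_tags(Request::post('user_email'));
    $user_email_repeat = strip_tags(Request::post('user_email_repeat'));
    $user_password_new = Request::post('user_password_new');
    $user_password_repeat = Request::post('user_password_repeat');

    // stop registration flow if registrationInputValidation() returns false (= anything breaks the input check rules)
    $validation_result = self::registrationInputValidation(Request::post('captcha'), $user_name, $user_password_new, $user_password_repeat, $user_email, $user_email_repeat);
    if (!$validation_result) {
        return false;
    }

    // crypt the password with the PHP 5.5's password_hash() function, results in a 60 character hash string.
    // @see php.net/manual/en/function.password-hash.php for more, especially for potential options
    $user_password_hash = password_hash($user_password_new, PASSWORD_DEFAULT);

    // make return a bool variable, so both errors can come up at once if needed
    $return = true;

    // check if username already exists
    if (UserModel::doesUsernameAlreadyExist($user_name)) {
        Session::add('feedback_negative', Text::get('FEEDBACK_USERNAME_ALREADY_TAKEN'));
        $return = false;
    }

    // check if email already exists
    if (UserModel::doesEmailAlreadyExist($user_email)) {
        Session::add('feedback_negative', Text::get('FEEDBACK_USER_EMAIL_ALREADY_TAKEN'));
        $return = false;
    }

    // if Username or Email were false, return false
    if (!$return) {
        return false;
    }

    // random token for email verification (40 hex chars, the same length as the former sha1 string).
    // random_bytes() is a CSPRNG; sha1(uniqid(mt_rand(), true)) derived the token from the clock
    // and mt_rand() and so was predictable. Requires PHP >= 7.0.
    $user_activation_hash = bin2hex(random_bytes(20));

    // write user data to database
    if (!self::writeNewUserToDatabase($user_name, $user_password_hash, $user_email, time(), $user_activation_hash)) {
        Session::add('feedback_negative', Text::get('FEEDBACK_ACCOUNT_CREATION_FAILED'));
        return false; // no reason not to return false here
    }

    // get user_id of the user that has been created, to keep things clean we DON'T use lastInsertId() here
    $user_id = UserModel::getUserIdByUsername($user_name);
    if (!$user_id) {
        Session::add('feedback_negative', Text::get('FEEDBACK_UNKNOWN_ERROR'));
        return false;
    }

    // send verification email
    if (self::sendVerificationEmail($user_id, $user_email, $user_activation_hash)) {
        Session::add('feedback_positive', Text::get('FEEDBACK_ACCOUNT_SUCCESSFULLY_CREATED'));
        return true;
    }

    // if verification email sending failed: instantly delete the user
    self::rollbackRegistrationByUserId($user_id);
    Session::add('feedback_negative', Text::get('FEEDBACK_VERIFICATION_MAIL_SENDING_FAILED'));
    return false;
}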
/**
 * This method controls what happens when you move to /admin or /admin/index in your app.
 * Renders the admin start page with the public profiles of every user.
 */
public function index()
{
    $users = UserModel::getPublicProfilesOfAllUsers();
    $this->View->render('admin/index', array('users' => $users));
}
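/**
 * performs the login via cookie (for DEFAULT user account, FACEBOOK-accounts are handled differently)
 * TODO add throttling here ?
 *
 * Cookie format: "<encrypted user id>:<token>:<sha256 of decrypted-user-id:token>". The third
 * part only checks that the first two belong together (it carries no secret); the actual
 * authentication is the database lookup of user id + token below.
 *
 * @param $cookie string The cookie "remember_me"
 *
 * @return bool success state
 */
public static function loginWithCookie($cookie)
{
    // do we have a cookie ?
    if (!$cookie) {
        Session::add('feedback_negative', Text::get('FEEDBACK_COOKIE_INVALID'));
        return false;
    }

    // before list(), check it can be split into exactly 3 strings (split once, reuse the parts).
    $cookie_parts = explode(':', $cookie);
    if (count($cookie_parts) !== 3) {
        Session::add('feedback_negative', Text::get('FEEDBACK_COOKIE_INVALID'));
        return false;
    }
    list($user_id, $token, $hash) = $cookie_parts;

    // decrypt user id
    $user_id = Encryption::decrypt($user_id);

    // check cookie's contents: the parts must belong together and neither token nor id may be empty.
    // hash_equals() compares in constant time instead of the byte-dependent !== (PHP >= 5.6).
    $expected_hash = hash('sha256', $user_id . ':' . $token);
    if (empty($token) || empty($user_id) || !hash_equals($expected_hash, $hash)) {
        Session::add('feedback_negative', Text::get('FEEDBACK_COOKIE_INVALID'));
        return false;
    }

    // get data of user that has this id and this token
    $result = UserModel::getUserDataByUserIdAndToken($user_id, $token);

    // if user with that id and exactly that cookie token exists in database
    if (!$result) {
        Session::add('feedback_negative', Text::get('FEEDBACK_COOKIE_INVALID'));
        return false;
    }

    // successfully logged in, so we write all necessary data into the session and set "user_logged_in" to true
    self::setSuccessfulLoginIntoSession($result->user_id, $result->user_name, $result->user_email, $result->user_account_type);

    // save timestamp of this login in the database line of that user
    self::saveTimestampOfLoginOfUser($result->user_name);

    // NOTE: we don't set another remember_me-cookie here as the current cookie should always
    // be invalid after a certain amount of time, so the user has to login with username/password
    // again from time to time. This is good and safe ! ;)
    Session::add('feedback_positive', Text::get('FEEDBACK_COOKIE_LOGIN_SUCCESSFUL'));
    return true;
}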
/**
 * Handles the POSTed email-change form: stores the submitted address and returns
 * the user to the edit page.
 *
 * NOTE(review): no CSRF token check is visible in this handler — confirm the
 * framework enforces one before state-changing POST actions.
 */
public function editUserEmail_action()
{
    $new_email = Request::post('user_email');
    UserModel::editUserEmail($new_email);

    Redirect::to('user/editUserEmail');
}