/**
 * Insert/Update Group
 *
 * Controller for the Group module: validates the posted group form and
 * either creates a new group or updates the one named by the route.
 *
 * On success the browser is redirected to the module root with a flash
 * message; on validation failure the errors are handed to the view layer
 * through the Slim environment key "default_validation_errors".
 *
 * @param \Slim\Route $route The matched route (may carry a "group_id" parameter)
 * @return void
 */
function insert_update_group(\Slim\Route $route)
{
    $app = \Slim\Slim::getInstance();
    $template_vars = $app->config('final_global_template_vars');

    require_once $template_vars["absolute_path_to_this_module"] . "/models/group.class.php";
    require_once $_SERVER["PATH_TO_VENDOR"] . "wixel/gump/gump.class.php";

    // A "group_id" route parameter means an existing group is being edited;
    // without it a new group is created.
    // NOTE(review): the id comes straight from the URL; the Group model is
    // assumed to parameterise it before it reaches the database — confirm.
    $route_params = $route->getParams();
    $group_id = isset($route_params["group_id"]) ? $route_params["group_id"] : false;

    $db_conn = new \PHPSkeleton\models\db($template_vars["db_connection"]);
    $group = new \PHPSkeleton\Group($db_conn->get_resource(), $template_vars["session_key"]);

    $posted = $app->request()->post();
    $validation_rules = array(
        "name"         => "required",
        "abbreviation" => "required|alpha_numeric",
        "state"        => "alpha_numeric",
        "zip"          => "numeric|exact_len,5",
        "group_parent" => "numeric",
    );

    // GUMP returns true on success, otherwise a list of failed-rule records.
    $gump = new GUMP();
    $validation_result = $gump->validate($posted, $validation_rules);
    $errors = ($validation_result === true)
        ? array()
        : \phpskeleton\models\utility::gump_parse_errors($validation_result);

    if ($errors) {
        // Leave the errors for the form view to render.
        $env = $app->environment();
        $env["default_validation_errors"] = $errors;
        return;
    }

    $group->insert_update_group($posted, $group_id);

    // A present group_id means the record was modified rather than created.
    $flash_text = $group_id
        ? 'The group has been successfully modified.'
        : 'New group has been successfully created.';
    $app->flash('message', $flash_text);
    $app->redirect($template_vars["path_to_this_module"]);
}
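/**
 * Route middleware: authenticate the caller as either an admin or a user.
 *
 * The "Authorization" header must equal the hash of the request (URI plus
 * the request params, comma-joined) computed for the admin identity, or the
 * hash computed for the user named by the "userId" route parameter. Admins
 * and users are then looked up by the "AccessKey" header.
 *
 * Every failure path calls exitApp(), which is assumed to terminate the
 * request (the code after each call relies on that, as the original did).
 *
 * @param \Slim\Route $route The matched route; may carry a "userId" parameter
 * @return void
 */
function authenticate(\Slim\Route $route)
{
    $app = \Slim\Slim::getInstance();
    $query = new QueryHandler();
    $auth = new HashGenerator();

    $headers = apache_request_headers();
    $requestURI = $_SERVER['REQUEST_URI'];
    $requestMethod = $app->request->getMethod();
    $params = $route->getParams();

    // A missing, non-numeric or non-positive userId means "no particular
    // user" (DEFAULT_USER). intval() never throws, so no try/catch is needed.
    // The previous test `!$userId > 0` bound as `(!$userId) > 0` and let
    // negative ids through.
    $userId = isset($params['userId']) ? intval($params['userId']) : 0;
    if ($userId <= 0) {
        $userId = DEFAULT_USER;
    }

    // No debug output here: echoing the request params would corrupt the
    // response body and expose them to the client.

    if (!isset($headers['Authorization'])) {
        exitApp(BAD_REQUEST, "Authorization key is misssing");
    }
    // The access key identifies the admin/user record; only DEFAULT_USER
    // requests may omit it.
    if (!isset($headers['AccessKey']) && $userId !== DEFAULT_USER) {
        exitApp(BAD_REQUEST, "Access key is misssing");
    }
    $auth_key = (string) $headers['Authorization'];
    $accessKey = isset($headers['AccessKey']) ? $headers['AccessKey'] : null;

    $stringParams = implode(',', getRequestParams());

    // Expected signatures for an admin request and for a request by $userId.
    $adminHash = (string) $auth->getAuthHash("admin" . $requestURI . "#" . $stringParams);
    $userHash = (string) $auth->getAuthHash($userId . $requestURI . "#" . $stringParams);

    // Constant-time, strict comparison. A switch uses loose ==, under which
    // two numeric-looking hashes such as "0e123" and "0e456" compare equal.
    if (hash_equals($adminHash, $auth_key)) {
        $admin = $query->getAdmin($accessKey);
        if (empty($admin)) {
            exitApp(UNAUTHORIZED, "Admin not found!");
        }
        // Read-only admins may only perform GET requests. (The original
        // indexed $admin by the boolean `ACCESS_LEVEL == "read"`.)
        if ($admin[ADMIN_FIELDS::ACCESS_LEVEL] === "read" && $requestMethod !== "GET") {
            exitApp(UNAUTHORIZED, "Limited admin access !");
        }
        return;
    }

    if (hash_equals($userHash, $auth_key)) {
        if ($userId == DEFAULT_USER) {
            // Non-user operation: a valid signature is all that is required.
            return;
        }
        $user_array = $query->getUser(array(USER_FIELDS::ACCESS_KEY => $accessKey));
        if (empty($user_array)) {
            exitApp(UNAUTHORIZED, "Invalid access key!");
        }
        if ($user_array[USER_FIELDS::IS_ACTIVE] == false) {
            // A not-yet-activated account asking to log in gets a different
            // message from a deactivated one; the original always overwrote it.
            if (strpos($requestURI, 'login') !== false) {
                $message = "Please activate your account";
            } else {
                $message = "Your account has been deactivated.";
            }
            exitApp(UNAUTHORIZED, $message);
        }
        // The access key must belong to the user named in the URL.
        if ($user_array[USER_FIELDS::USER_ID] != $userId) {
            exitApp(UNAUTHORIZED, "You are not authorized to access others data");
        }
        return;
    }

    exitApp(UNAUTHORIZED, "Invalid authorization key !");
}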
/**
 * Dispatch route
 *
 * Runs the route's middleware in registration order, then its callable,
 * passing the route's parameter values as positional arguments.
 *
 * Trailing-slash handling: a pattern ending in "/" that is requested
 * without one raises a RequestSlash, which the `Slim::call` loop turns
 * into a 301 redirect to the slashed URI. A pattern without a trailing
 * slash never matches a request that has one, so that case ends in a
 * 404 Not Found unless a later route matches.
 *
 * @param \Slim\Route $route The route object
 * @return bool True when the route's callable was invoked, false when it was not callable
 * @throws \Slim\Exception\RequestSlash
 */
public function dispatch(\Slim\Route $route)
{
    if (substr($route->getPattern(), -1) === '/' && substr($this->resourceUri, -1) !== '/') {
        throw new Exception\RequestSlash();
    }

    // Middleware runs before the handler; entries that are not callable are skipped.
    foreach ($route->getMiddleware() as $middleware) {
        if (is_callable($middleware)) {
            call_user_func($middleware, $route);
        }
    }

    $handler = $route->getCallable();
    if (!is_callable($handler)) {
        return false;
    }

    // Route parameters are passed positionally, in pattern order.
    call_user_func_array($handler, array_values($route->getParams()));
    return true;
}
/**
 * Dispatch route
 *
 * Records the route as the current one, runs every registered middleware
 * with the route as its only argument, then invokes the route callable
 * with the route's parameter values in pattern order.
 *
 * @param \Slim\Route $route The route object
 * @return bool Always true: the callable is invoked unconditionally
 */
public function dispatch(\Slim\Route $route)
{
    $this->currentRoute = $route;

    // Middleware is trusted to be callable here; there is no is_callable() guard.
    $middlewareArgs = array($route);
    foreach ($route->getMiddleware() as $middleware) {
        call_user_func_array($middleware, $middlewareArgs);
    }

    // Params are read after the middleware ran, so any changes it made are seen.
    $handlerArgs = array_values($route->getParams());
    call_user_func_array($route->getCallable(), $handlerArgs);

    return true;
}
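/**
 * Override Slim's default `dispatch` function
 *
 * Invokes the route callable, then turns its return value (or whatever it
 * wrote to the output buffer) into the response body: rendered through the
 * matching autoroute's template when one exists, otherwise serialised.
 * The body is gzip-encoded when the "gzip" config is on, zlib is loaded and
 * the client advertises gzip in Accept-Encoding.
 *
 * @param \Slim\Route $route
 *
 * @return bool False when the route has no callable; true otherwise, including
 *              the early exits where nothing is written to the response
 */
public function dispatch(\Slim\Route $route)
{
    $app = $this->getApp();
    $params = $route->getParams();
    $callable = $route->getCallable();

    // Find the autoroute whose callback is this route's callable, if any;
    // it carries the optional template used to render the result.
    $autoroute = null;
    if (count($app->routes) > 0) {
        foreach ($app->routes as $testRoute) {
            if (!empty($callable) && $callable === $testRoute->getCallback()) {
                $autoroute = $testRoute;
                break;
            }
        }
    }

    // Request and Response objects handed to the callable (or to the hook).
    $req = $this->getRequestData($route, $params);
    $resp = $this->getResponseData();

    if (!is_callable($callable)) {
        return false;
    }

    // `== true` on the config value is plain truthiness, spelled as a cast.
    $passParams = (bool) $app->config("pass-params");
    if ($passParams) {
        // $resp is passed by reference so the callable can set the status.
        $result = call_user_func_array($callable, array($req, &$resp));
    } else {
        // Without param passing, the hook is how listeners reach the request/response.
        $app->applyHook("spore.autoroute.before", array("request" => &$req, "response" => &$resp, "autoroute" => &$autoroute));
        $result = call_user_func_array($callable, array());
    }

    // ob_get_length() is false when no buffer is active; that counts as empty.
    $outputEmpty = ob_get_length() <= 0;
    $output = "";
    if ($outputEmpty) {
        // Nothing returned: leave the response as the callable left it.
        if ($result === null) {
            return true;
        }
        if ($autoroute && $autoroute->getTemplate()) {
            $output = $this->getTemplateOutput($autoroute, $app, $result);
        } else {
            $output = Serializer::getSerializedData($app, $result);
        }
        if (empty($output)) {
            return true;
        }
    } else {
        // The callable echoed directly; take that as the body.
        $output = ob_get_clean();
    }

    // Gzip only when the client asked for it. The header may be absent, so
    // it is read with a guard instead of indexing the environment directly.
    $gzipEnabled = $app->config("gzip");
    $env = $app->environment();
    $acceptEncoding = isset($env["ACCEPT_ENCODING"]) ? (string) $env["ACCEPT_ENCODING"] : "";
    if ($gzipEnabled && extension_loaded("zlib") && substr_count($acceptEncoding, "gzip") > 0) {
        $app->response()->header("Content-Encoding", "gzip");
        $app->response()->header("Vary", "Accept-Encoding");
        $output = gzencode($output, 9, FORCE_GZIP);
    }

    // set the HTTP status (assumes the response object exposes a `status` property)
    $app->status($resp->status);
    // set the response body
    $app->response()->body($output);
    return true;
}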
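/**
 * Build the set of group/role pairs for a list of group entries.
 *
 * Each entry is expected to look like array("group_id" => ..., "roles" => array(...)).
 * Every pair is JSON-encoded so two sets can be compared with array_diff().
 *
 * @param mixed $group_list Group entries; anything that is not an array yields an empty list
 * @return array List of JSON strings of the form {"group_id":...,"role_id":...}
 */
function user_account_group_role_pairs($group_list)
{
    $pairs = array();
    if (!is_array($group_list)) {
        return $pairs;
    }
    foreach ($group_list as $single_group_info) {
        foreach ($single_group_info["roles"] as $single_role_id) {
            $pairs[] = json_encode(array("group_id" => $single_group_info["group_id"], "role_id" => $single_role_id));
        }
    }
    return $pairs;
}

/**
 * Insert/Update User Account
 *
 * Controller for the User Account module. Validates the posted account
 * form (including an optional password change), checks that the acting
 * user may make the requested group/role changes, then writes the account
 * and its addresses. On success the browser is redirected with a flash
 * message; otherwise the errors are handed to the view through the Slim
 * environment key "default_validation_errors".
 *
 * @author Goran Halusa <*****@*****.**>
 * @since 0.1.0
 * @param \Slim\Route $route The matched route (may carry a "user_account_id" parameter)
 * @return void
 */
function insert_update_user_account(\Slim\Route $route)
{
    $app = \Slim\Slim::getInstance();
    $final_global_template_vars = $app->config('final_global_template_vars');
    require_once $final_global_template_vars["absolute_path_to_this_module"] . "/models/user_account.class.php";
    require_once $final_global_template_vars["default_module_list"]["group"]["absolute_path_to_this_module"] . "/models/group.class.php";
    require_once $final_global_template_vars["default_module_list"]["authenticate"]["absolute_path_to_this_module"] . "/models/authenticate.class.php";
    require_once $_SERVER["PATH_TO_VENDOR"] . "wixel/gump/gump.class.php";

    // URL parameters matched in the route; no id means a new account.
    $params = $route->getParams();
    $user_account_id = isset($params["user_account_id"]) ? $params["user_account_id"] : false;

    $session_key = $final_global_template_vars["session_key"];
    $db_conn = new \PHPSkeleton\models\db($final_global_template_vars["db_connection"]);
    $db_resource = $db_conn->get_resource();
    $useraccount = new \PHPSkeleton\UserAccount($db_resource, $session_key);
    $group = new \PHPSkeleton\Group($db_resource, $session_key);
    $authenticate = new \PHPSkeleton\Authenticate($db_resource, $session_key);

    $post = $app->request()->post();

    $gump = new GUMP();
    $rules = array(
        "first_name"         => "required|alpha_numeric",
        "last_name"          => "required|alpha_numeric",
        "user_account_email" => "required|valid_email",
    );
    // Password rules apply only when a new password was actually posted.
    if (!empty($post["user_account_password"])) {
        $rules["user_account_password"] = "max_len,100|min_len,6";
        $rules["password_check"] = "required|max_len,100|min_len,6";
    }
    $validated = $gump->validate($post, $rules);

    // Absent fields count as "" (the previous code indexed $post without
    // a guard); the comparison is strict so numeric-looking passwords such
    // as "1e3" and "1000" are not considered equal.
    $password = isset($post["user_account_password"]) ? $post["user_account_password"] : "";
    $password_check = isset($post["password_check"]) ? $post["password_check"] : "";
    if ($password !== $password_check) {
        $validated_password_check = array("field" => "user_account_password_check", "value" => null, "rule" => "validate_required");
        if (is_array($validated)) {
            $validated[] = $validated_password_check;
        } else {
            $validated = array($validated_password_check);
        }
    }

    $errors = array();
    if ($validated !== true) {
        $errors = \phpskeleton\models\utility::gump_parse_errors($validated);
    }
    if (isset($errors["user_account_password_check"])) {
        $errors["user_account_password_check"] = "Passwords did not match.";
    }

    // Whether the acting user may manage accounts other than their own.
    $session_roles = $_SESSION[$session_key]["user_role_list"];
    $has_permission = array_intersect($session_roles, $final_global_template_vars["role_perm_manage_all_accounts_access"]);
    $role_perm_manage_all_accounts_access = !empty($has_permission);

    if (!empty($post) && $role_perm_manage_all_accounts_access) {
        $current_group_values = $useraccount->get_user_group_roles_map($user_account_id, $final_global_template_vars["proxy_id"]);
        // group_data is a JSON document from the group/role selector; a
        // missing or malformed value is treated as "no groups" rather than
        // iterating over null.
        $proposed_group_value = isset($post["group_data"]) ? json_decode($post["group_data"], true) : null;
        $proposed_group_role_array = user_account_group_role_pairs($proposed_group_value);
        $current_group_role_array = user_account_group_role_pairs($current_group_values);

        // Pairs present on one side only: additions followed by removals.
        $changes = array_merge(
            array_diff($proposed_group_role_array, $current_group_role_array),
            array_diff($current_group_role_array, $proposed_group_role_array)
        );

        // Check to see if the user is trying to hack the system and add a
        // role they are not able to: without the "assign to any group"
        // permission, the acting user must hold the administrator role in
        // every affected group.
        $show_all = array_intersect($session_roles, $final_global_template_vars["role_perm_assign_user_account_to_any_group"]);
        $can_assign_any_group = !empty($show_all);
        $acting_user_id = $_SESSION[$session_key]["user_account_id"];
        if (!$can_assign_any_group) {
            foreach ($changes as $single_change) {
                $single_change_array = json_decode($single_change, true);
                $group_roles = $useraccount->has_role($acting_user_id, $final_global_template_vars["administrator_id"], $single_change_array["group_id"]);
                if (empty($group_roles)) {
                    $failed_group = $group->get_group_record($single_change_array["group_id"]);
                    $errors[] = "You are not able to administor group: " . $failed_group["name"];
                }
            }
        }

        // Check to see if the user is trying to add a role they are not able to:
        // roles hidden from the selector can never be granted or revoked here.
        foreach ($changes as $single_change) {
            $single_change_array = json_decode($single_change, true);
            if (in_array($single_change_array["role_id"], $final_global_template_vars["exclude_ids_from_selector"])) {
                $errors[] = "You are not able to administer that role.";
            }
        }
    }

    if (!$errors) {
        // Hash the incoming password (with some salt); an empty password means "unchanged".
        if (!empty($post["user_account_password"])) {
            $post["user_account_password"] = $authenticate->generate_hashed_password($post["user_account_password"]);
        }
        $useraccount->insert_update_user_account($post, $user_account_id, true, $final_global_template_vars["proxy_id"], $role_perm_manage_all_accounts_access);
        $useraccount->insert_addresses($post, $user_account_id, $_SESSION[$session_key]["user_account_id"]);
        $app->flash('message', 'Account successfully updated.');
        // Account managers return to the list; everyone else to their own record.
        if ($role_perm_manage_all_accounts_access) {
            $app->redirect($final_global_template_vars["path_to_this_module"]);
        } else {
            $app->redirect($final_global_template_vars["path_to_this_module"] . "/manage/" . $user_account_id);
        }
    } else {
        $env = $app->environment();
        $env["default_validation_errors"] = $errors;
    }
}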
/**
 * Route middleware: reject the request when the "userid" route parameter
 * names the user held in the session (their meetup_id).
 *
 * On a match a JSON error document is written and the script terminates;
 * otherwise the function returns and the route proceeds.
 *
 * @param \Slim\Route $route The matched route; expected to carry a "userid" parameter
 * @return void
 */
function not_same_user(\Slim\Route $route)
{
    $routeParams = $route->getParams();
    $requestedUserId = intval($routeParams["userid"]);
    $sessionUserId = intval($_SESSION['user']['meetup_id']);

    if ($requestedUserId !== $sessionUserId) {
        return;
    }

    $payload = array(
        'status'  => 'error',
        'message' => 'You are not' . $routeParams["userid"],
    );
    die(json_encode($payload));
}