}
$existing_operator = operator_by_login($login);
if (!$opId && $existing_operator || $opId && $existing_operator && $opId != $existing_operator['operatorid']) {
$errors[] = getlocal("page_agent.error.duplicate_login");
}
$canmodify = $opId == $operator['operatorid'] && is_capable($can_modifyprofile, $operator) || is_capable($can_administrate, $operator);
if (!$canmodify) {
$errors[] = getlocal('page_agent.cannot_modify');
}
if (count($errors) == 0) {
if (!$opId) {
$newop = create_operator($login, $email, $jabber, $password, $localname, $commonname, $jabbernotify ? 1 : 0, "");
header("Location: {$webimroot}/operator/avatar.php?op=" . $newop['operatorid']);
exit;
} else {
update_operator($opId, $login, $email, $jabber, $password, $localname, $commonname, $jabbernotify ? 1 : 0);
// update the session password
if (!empty($password) && $opId == $operator['operatorid']) {
$toDashboard = $operator['vcpassword'] == md5('') && $password != '';
$_SESSION["{$mysqlprefix}operator"]['vcpassword'] = md5($password);
if ($toDashboard) {
header("Location: {$webimroot}/operator/index.php");
exit;
}
}
header("Location: {$webimroot}/operator/operator.php?op={$opId}&stored");
exit;
}
} else {
$page['formlogin'] = topage($login);
$page['formname'] = topage($localname);
/**
* Makes an operator enabled.
*
* @param int $operator_id ID of the operator to enable.
*/
function enable_operator($operator_id)
{
$operator = operator_by_id($operator_id);
$operator['idisabled'] = 0;
update_operator($operator);
}
/**
* Processes submitting of the form which is generated in
* {@link \Mibew\Controller\OperatorController::showEditFormAction()} method.
*
* @param Request $request Incoming request.
* @return string Rendered page content.
*/
public function submitFormAction(Request $request)
{
csrf_check_token($request);
$errors = array();
$operator = $this->getOperator();
$op_id = $request->attributes->getInt('operator_id');
$login = $request->request->get('login');
$email = $request->request->get('email');
$password = $request->request->get('password');
$password_confirm = $request->request->get('passwordConfirm');
$local_name = $request->request->get('name');
$common_name = $request->request->get('commonname');
$code = $request->request->get('code');
if (!$local_name) {
$errors[] = no_field('Name');
}
if (!$common_name) {
$errors[] = no_field('International name (Latin)');
}
// The login is needed only for new operators. If login is changed for
// existing operator the stored password hash becomes invalid.
if (!$op_id) {
if (!$login) {
$errors[] = no_field('Login');
} elseif (!preg_match("/^[\\w_\\.]+\$/", $login)) {
$errors[] = getlocal('Login should contain only latin characters, numbers and underscore symbol.');
}
}
if (!$email || !MailUtils::isValidAddress($email)) {
$errors[] = wrong_field('E-mail');
}
if ($code && !preg_match("/^[A-Za-z0-9_]+\$/", $code)) {
$errors[] = getlocal('Code should contain only latin characters, numbers and underscore symbol.');
}
if (!$op_id && !$password) {
$errors[] = no_field('Password');
}
if ($password != $password_confirm) {
$errors[] = getlocal('Entered passwords do not match');
}
$existing_operator = operator_by_login($login);
$duplicate_login = !$op_id && $existing_operator || $op_id && $existing_operator && $op_id != $existing_operator['operatorid'];
if ($duplicate_login) {
$errors[] = getlocal('Please choose another login because an operator with that login is already registered in the system.');
}
// Check if operator with specified email already exists in the database.
$existing_operator = operator_by_email($email);
$duplicate_email = !$op_id && $existing_operator || $op_id && $existing_operator && $op_id != $existing_operator['operatorid'];
if ($duplicate_email) {
$errors[] = getlocal('Please choose another email because an operator with that email is already registered in the system.');
}
if (count($errors) != 0) {
$request->attributes->set('errors', $errors);
// The form should be rebuild. Invoke appropriate action.
return $this->showFormAction($request);
}
if (!$op_id) {
// Create new operator and redirect the current operator to avatar
// page.
$new_operator = create_operator($login, $email, $password, $local_name, $common_name, '', $code);
$redirect_to = $this->generateUrl('operator_avatar', array('operator_id' => $new_operator['operatorid']));
return $this->redirect($redirect_to);
}
// Mix old operator's fields with updated values
$target_operator = array('vcemail' => $email, 'vclocalename' => $local_name, 'vccommonname' => $common_name, 'code' => $code) + operator_by_id($op_id);
// Set the password only if it's not an empty string.
if ($password !== '') {
$target_operator['vcpassword'] = calculate_password_hash($target_operator['vclogin'], $password);
}
// Update operator's fields in the database.
update_operator($target_operator);
// Operator's data are cached in the authentication manager, thus we need
// to manually update them.
if ($target_operator['operatorid'] == $operator['operatorid']) {
// Check if the admin has set his password for the first time.
$to_dashboard = check_password_hash($operator['vclogin'], '', $operator['vcpassword']) && $password != '';
// Update operator's fields.
$this->getAuthenticationManager()->setOperator($target_operator);
// Redirect the admin to the home page if needed.
if ($to_dashboard) {
return $this->redirect($this->generateUrl('home_operator'));
}
}
// Redirect the operator to edit page again to use GET method instead of
// POST.
$redirect_to = $this->generateUrl('operator_edit', array('operator_id' => $op_id, 'stored' => true));
return $this->redirect($redirect_to);
}
}
$existing_operator = operator_by_login($login);
if (!$opId && $existing_operator || $opId && $existing_operator && $opId != $existing_operator['operatorid']) {
$errors[] = getlocal("page_agent.error.duplicate_login");
}
$canmodify = $opId == $operator['operatorid'] && is_capable($can_modifyprofile, $operator) || is_capable($can_administrate, $operator);
if (!$canmodify) {
$errors[] = getlocal('page_agent.cannot_modify');
}
if (count($errors) == 0) {
if (!$opId) {
$newop = create_operator($login, $email, $password, $localname, $commonname, "");
header("Location: {$webimroot}/operator/avatar.php?op=" . $newop['operatorid']);
exit;
} else {
update_operator($opId, $login, $email, $password, $localname, $commonname);
header("Location: {$webimroot}/operator/operator.php?op={$opId}&stored");
exit;
}
} else {
$page['formlogin'] = topage($login);
$page['formname'] = topage($localname);
$page['formemail'] = topage($email);
$page['formcommonname'] = topage($commonname);
$page['opid'] = topage($opId);
}
} else {
if (isset($_GET['op'])) {
$opId = verifyparam('op', "/^\\d{1,9}\$/");
$op = operator_by_id($opId);
if (!$op) {
/**
* Resets operators password and provides an ability to set the new one.
*
* @param Request $request
* @return string Rendered page content
*/
public function resetAction(Request $request)
{
$page = array('version' => MIBEW_VERSION, 'showform' => true, 'title' => getlocal('Change your password'), 'headertitle' => getlocal('Mibew Messenger'), 'show_small_login' => true, 'fixedwrap' => true, 'errors' => array());
if ($request->isMethod('POST')) {
// When HTTP GET method is used the form is just rendered but the
// user does not pass any data. Thus we need to prevent CSRF attacks
// only for POST requests
csrf_check_token($request);
}
// Make sure user id is specified and its format is correct.
$op_id = $request->isMethod('GET') ? $request->query->get('id') : $request->request->get('id');
if (!preg_match("/^\\d{1,9}\$/", $op_id)) {
throw new BadRequestException();
}
// Make sure token is specified and its format is correct.
$token = $request->isMethod('GET') ? $request->query->get('token') : $request->request->get('token');
if (!preg_match("/^[\\dabcdef]+\$/", $token)) {
throw new BadRequestException();
}
$operator = operator_by_id($op_id);
if (!$operator) {
$page['errors'][] = 'No such operator';
$page['showform'] = false;
} elseif ($token != $operator['vcrestoretoken']) {
$page['errors'][] = 'Wrong token';
$page['showform'] = false;
}
if (count($page['errors']) == 0 && $request->isMethod('POST') && $request->request->has('password')) {
$password = $request->request->get('password');
$password_confirm = $request->request->get('passwordConfirm');
if (!$password) {
$page['errors'][] = no_field('Password');
}
if ($password != $password_confirm) {
$page['errors'][] = getlocal('Entered passwords do not match');
}
if (count($page['errors']) == 0) {
$page['isdone'] = true;
// Update the operator
$operator['vcrestoretoken'] = '';
$operator['vcpassword'] = calculate_password_hash($operator['vclogin'], $password);
update_operator($operator);
$page['loginname'] = $operator['vclogin'];
return $this->render('password_recovery_reset', $page);
}
}
$page['id'] = $op_id;
$page['token'] = $token;
$page['isdone'] = false;
return $this->render('password_recovery_reset', $page);
}
