} $existing_operator = operator_by_login($login); if (!$opId && $existing_operator || $opId && $existing_operator && $opId != $existing_operator['operatorid']) { $errors[] = getlocal("page_agent.error.duplicate_login"); } $canmodify = $opId == $operator['operatorid'] && is_capable($can_modifyprofile, $operator) || is_capable($can_administrate, $operator); if (!$canmodify) { $errors[] = getlocal('page_agent.cannot_modify'); } if (count($errors) == 0) { if (!$opId) { $newop = create_operator($login, $email, $jabber, $password, $localname, $commonname, $jabbernotify ? 1 : 0, ""); header("Location: {$webimroot}/operator/avatar.php?op=" . $newop['operatorid']); exit; } else { update_operator($opId, $login, $email, $jabber, $password, $localname, $commonname, $jabbernotify ? 1 : 0); // update the session password if (!empty($password) && $opId == $operator['operatorid']) { $toDashboard = $operator['vcpassword'] == md5('') && $password != ''; $_SESSION["{$mysqlprefix}operator"]['vcpassword'] = md5($password); if ($toDashboard) { header("Location: {$webimroot}/operator/index.php"); exit; } } header("Location: {$webimroot}/operator/operator.php?op={$opId}&stored"); exit; } } else { $page['formlogin'] = topage($login); $page['formname'] = topage($localname);
/**
 * Makes an operator enabled.
 *
 * Loads the operator record by its ID, clears the "idisabled" flag on the
 * loaded record and persists the record through update_operator().
 *
 * @param int $operator_id ID of the operator to enable.
 */
function enable_operator($operator_id)
{
    $record = operator_by_id($operator_id);

    // Zero in "idisabled" means the operator may log in again.
    $record['idisabled'] = 0;

    update_operator($record);
}
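/**
 * Processes submitting of the form which is generated in
 * {@link \Mibew\Controller\OperatorController::showEditFormAction()} method.
 *
 * Validates the submitted fields, rejects a login or an e-mail that already
 * belongs to a different operator, and then either creates a new operator
 * (redirecting to the avatar page) or updates the existing one (redirecting
 * back to the edit page). When validation fails the form is rendered again
 * with the collected errors.
 *
 * @param Request $request Incoming request.
 * @return string Rendered page content.
 */
public function submitFormAction(Request $request)
{
    csrf_check_token($request);

    $errors = array();
    $operator = $this->getOperator();

    $op_id = $request->attributes->getInt('operator_id');
    $login = $request->request->get('login');
    $email = $request->request->get('email');
    // Default to an empty string: a request without a password field must
    // be treated as "keep the current password" below, not hashed as an
    // empty password.
    $password = $request->request->get('password', '');
    $password_confirm = $request->request->get('passwordConfirm', '');
    $local_name = $request->request->get('name');
    $common_name = $request->request->get('commonname');
    $code = $request->request->get('code');

    if (!$local_name) {
        $errors[] = no_field('Name');
    }
    if (!$common_name) {
        $errors[] = no_field('International name (Latin)');
    }

    // The login is needed only for new operators. If login is changed for
    // existing operator the stored password hash becomes invalid.
    if (!$op_id) {
        if (!$login) {
            $errors[] = no_field('Login');
        } elseif (!preg_match("/^[\\w_\\.]+\$/", $login)) {
            $errors[] = getlocal('Login should contain only latin characters, numbers and underscore symbol.');
        }
    }

    if (!$email || !MailUtils::isValidAddress($email)) {
        $errors[] = wrong_field('E-mail');
    }

    if ($code && !preg_match("/^[A-Za-z0-9_]+\$/", $code)) {
        $errors[] = getlocal('Code should contain only latin characters, numbers and underscore symbol.');
    }

    // A password is mandatory for a new operator; for an existing one an
    // empty value means "do not change it".
    if (!$op_id && !$password) {
        $errors[] = no_field('Password');
    }
    if ($password != $password_confirm) {
        $errors[] = getlocal('Entered passwords do not match');
    }

    // Check if operator with specified login already exists in the database.
    if ($this->isOwnedByAnotherOperator(operator_by_login($login), $op_id)) {
        $errors[] = getlocal('Please choose another login because an operator with that login is already registered in the system.');
    }

    // Check if operator with specified email already exists in the database.
    if ($this->isOwnedByAnotherOperator(operator_by_email($email), $op_id)) {
        $errors[] = getlocal('Please choose another email because an operator with that email is already registered in the system.');
    }

    if (count($errors) != 0) {
        $request->attributes->set('errors', $errors);

        // The form should be rebuild. Invoke appropriate action.
        return $this->showFormAction($request);
    }

    if (!$op_id) {
        // Create new operator and redirect the current operator to avatar
        // page.
        $new_operator = create_operator($login, $email, $password, $local_name, $common_name, '', $code);
        $redirect_to = $this->generateUrl(
            'operator_avatar',
            array('operator_id' => $new_operator['operatorid'])
        );

        return $this->redirect($redirect_to);
    }

    // Mix old operator's fields with updated values. The array union keeps
    // the left-hand (submitted) values for keys present in both arrays.
    $target_operator = array(
        'vcemail' => $email,
        'vclocalename' => $local_name,
        'vccommonname' => $common_name,
        'code' => $code,
    ) + operator_by_id($op_id);

    // Set the password only if it's not an empty string.
    if ($password !== '') {
        $target_operator['vcpassword'] = calculate_password_hash($target_operator['vclogin'], $password);
    }

    // Update operator's fields in the database.
    update_operator($target_operator);

    // Operator's data are cached in the authentication manager, thus we need
    // to manually update them.
    if ($target_operator['operatorid'] == $operator['operatorid']) {
        // Check if the admin has set his password for the first time.
        $to_dashboard = check_password_hash($operator['vclogin'], '', $operator['vcpassword'])
            && $password != '';

        // Update operator's fields.
        $this->getAuthenticationManager()->setOperator($target_operator);

        // Redirect the admin to the home page if needed.
        if ($to_dashboard) {
            return $this->redirect($this->generateUrl('home_operator'));
        }
    }

    // Redirect the operator to edit page again to use GET method instead of
    // POST.
    $redirect_to = $this->generateUrl(
        'operator_edit',
        array('operator_id' => $op_id, 'stored' => true)
    );

    return $this->redirect($redirect_to);
}

/**
 * Checks whether a looked-up operator record belongs to someone other than
 * the operator being edited.
 *
 * @param array|bool $existing_operator Result of operator_by_login() or
 *   operator_by_email(); a falsy value when nobody matched.
 * @param int $op_id ID of the operator being edited, 0 for a new operator.
 * @return bool True if a record was found and it is not the edited operator.
 */
private function isOwnedByAnotherOperator($existing_operator, $op_id)
{
    if (!$existing_operator) {
        return false;
    }

    // For a new operator any match is a conflict; for an existing operator
    // only a match with a different ID is.
    return !$op_id || $op_id != $existing_operator['operatorid'];
}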
} $existing_operator = operator_by_login($login); if (!$opId && $existing_operator || $opId && $existing_operator && $opId != $existing_operator['operatorid']) { $errors[] = getlocal("page_agent.error.duplicate_login"); } $canmodify = $opId == $operator['operatorid'] && is_capable($can_modifyprofile, $operator) || is_capable($can_administrate, $operator); if (!$canmodify) { $errors[] = getlocal('page_agent.cannot_modify'); } if (count($errors) == 0) { if (!$opId) { $newop = create_operator($login, $email, $password, $localname, $commonname, ""); header("Location: {$webimroot}/operator/avatar.php?op=" . $newop['operatorid']); exit; } else { update_operator($opId, $login, $email, $password, $localname, $commonname); header("Location: {$webimroot}/operator/operator.php?op={$opId}&stored"); exit; } } else { $page['formlogin'] = topage($login); $page['formname'] = topage($localname); $page['formemail'] = topage($email); $page['formcommonname'] = topage($commonname); $page['opid'] = topage($opId); } } else { if (isset($_GET['op'])) { $opId = verifyparam('op', "/^\\d{1,9}\$/"); $op = operator_by_id($opId); if (!$op) {
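/**
 * Resets operators password and provides an ability to set the new one.
 *
 * The operator ID and the restore token come from the query string for GET
 * requests and from the request body for POST requests. The token is
 * compared with the one stored in the operator record; on a valid POST the
 * stored token is cleared and the new password hash is saved.
 *
 * @param Request $request
 * @return string Rendered page content
 * @throws BadRequestException If the ID or the token is missing or malformed.
 */
public function resetAction(Request $request)
{
    $page = array(
        'version' => MIBEW_VERSION,
        'showform' => true,
        'title' => getlocal('Change your password'),
        'headertitle' => getlocal('Mibew Messenger'),
        'show_small_login' => true,
        'fixedwrap' => true,
        'errors' => array(),
    );

    if ($request->isMethod('POST')) {
        // When HTTP GET method is used the form is just rendered but the
        // user does not pass any data. Thus we need to prevent CSRF attacks
        // only for POST requests
        csrf_check_token($request);
    }

    // Make sure user id is specified and its format is correct.
    $op_id = $request->isMethod('GET')
        ? $request->query->get('id')
        : $request->request->get('id');
    if (!preg_match("/^\\d{1,9}\$/", $op_id)) {
        throw new BadRequestException();
    }

    // Make sure token is specified and its format is correct.
    $token = $request->isMethod('GET')
        ? $request->query->get('token')
        : $request->request->get('token');
    if (!preg_match("/^[\\dabcdef]+\$/", $token)) {
        throw new BadRequestException();
    }

    $operator = operator_by_id($op_id);
    if (!$operator) {
        $page['errors'][] = 'No such operator';
        $page['showform'] = false;
    } elseif (!hash_equals((string) $operator['vcrestoretoken'], (string) $token)) {
        // Strict, constant-time comparison of the secret. A loose "!=" would
        // compare two numeric-looking hex strings as numbers (e.g. "1e3" and
        // "1000" are equal under "=="), so it is not safe for tokens.
        $page['errors'][] = 'Wrong token';
        $page['showform'] = false;
    }

    if (count($page['errors']) == 0
        && $request->isMethod('POST')
        && $request->request->has('password')
    ) {
        $password = $request->request->get('password');
        $password_confirm = $request->request->get('passwordConfirm');

        if (!$password) {
            $page['errors'][] = no_field('Password');
        }
        if ($password != $password_confirm) {
            $page['errors'][] = getlocal('Entered passwords do not match');
        }

        if (count($page['errors']) == 0) {
            $page['isdone'] = true;

            // Update the operator: the single-use token is cleared so the
            // link cannot be reused, and the new password hash is stored.
            $operator['vcrestoretoken'] = '';
            $operator['vcpassword'] = calculate_password_hash($operator['vclogin'], $password);
            update_operator($operator);

            $page['loginname'] = $operator['vclogin'];

            return $this->render('password_recovery_reset', $page);
        }
    }

    $page['id'] = $op_id;
    $page['token'] = $token;
    $page['isdone'] = false;

    return $this->render('password_recovery_reset', $page);
}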