/**
 * Builds a CurrentUser from the "remember me" cookie, if one is present.
 *
 * Returns null when the cookie is absent, and null again when the lookup
 * performed by getUserByCookie() yields no user (getUserId() === -1). On
 * success the session id is renewed, the user is flagged as logged in, and
 * the instance plus a fresh CSRF token are stored in the session.
 *
 * The cookie value is client-supplied and therefore untrusted; it is handed
 * unchanged to getUserByCookie(), which is where its validation has to live.
 *
 * @static
 *
 * @param PMF_Configuration $config
 *
 * @return null|PMF_User_CurrentUser
 */
public static function getFromCookie(PMF_Configuration $config)
{
    $cookieName = PMF_Session::PMF_COOKIE_NAME_REMEMBERME;
    if (!isset($_COOKIE[$cookieName])) {
        return null;
    }

    $currentUser = new PMF_User_CurrentUser($config);
    $currentUser->getUserByCookie($_COOKIE[$cookieName]);

    // -1 is the "no such user" marker reported by getUserId()
    if ($currentUser->getUserId() === -1) {
        return null;
    }

    // Issue a new session id after the cookie login (presumably so the
    // pre-login id is not carried over — confirm in updateSessionId()).
    $currentUser->updateSessionId(true);
    $currentUser->_loggedIn = true;

    // Persist the authenticated user and a CSRF token for this session.
    $currentUser->saveToSession();
    $currentUser->saveCrsfTokenToSession();

    return $currentUser;
}
} } // delete group confirmation if ($groupAction == 'delete_confirm' && $user->perm->checkRight($user->getUserId(), 'delgroup')) { $message = ''; $user = new PMF_User_CurrentUser($faqConfig); $perm = $user->perm; $groupId = PMF_Filter::filterInput(INPUT_POST, 'group_list_select', FILTER_VALIDATE_INT, 0); if ($groupId <= 0) { $message .= sprintf('<p class="alert alert-error">%s</p>', $PMF_LANG['ad_user_error_noId']); $groupAction = $defaultGroupAction; } else { $twig->loadTemplate('group/delete_confirm.twig')->display(array('PMF_LANG' => $PMF_LANG, 'csrfToken' => $user->getCsrfTokenFromSession(), 'groupData' => $perm->getGroupData($groupId), 'groupId' => $groupId)); } } if ($groupAction == 'delete' && $user->perm->checkRight($user->getUserId(), 'delgroup')) { $message = ''; $user = new PMF_User($faqConfig); $groupId = PMF_Filter::filterInput(INPUT_POST, 'group_id', FILTER_VALIDATE_INT, 0); $csrfOkay = true; $csrfToken = PMF_Filter::filterInput(INPUT_POST, 'csrf', FILTER_SANITIZE_STRING); if (!isset($_SESSION['phpmyfaq_csrf_token']) || $_SESSION['phpmyfaq_csrf_token'] !== $csrfToken) { $csrfOkay = false; } $groupAction = $defaultGroupAction; if ($groupId <= 0) { $message .= sprintf('<p class="alert alert-danger">%s</p>', $PMF_LANG['ad_user_error_noId']); } else { if (!$user->perm->deleteGroup($groupId) && !$csrfOkay) { $message .= sprintf('<p class="alert alert-danger">%s</p>', $PMF_LANG['ad_group_error_delete']); } else {
/**
 * Builds a CurrentUser from the "remember me" cookie, if one is present.
 *
 * Returns null when the cookie is absent, and null again when the lookup
 * performed by getUserByCookie() yields no user (getUserId() === -1). On
 * success the session id is renewed only if sessionIdIsTimedOut() reports
 * a timeout, the user is flagged as logged in, and the instance is stored
 * in the session.
 *
 * The cookie value is client-supplied and therefore untrusted; it is handed
 * unchanged to getUserByCookie(), which is where its validation has to live.
 *
 * @static
 * @param PMF_Configuration $config
 *
 * @return null|PMF_User_CurrentUser
 */
public static function getFromCookie(PMF_Configuration $config)
{
    $cookieName = PMF_Session::PMF_COOKIE_NAME_REMEMBERME;
    if (!isset($_COOKIE[$cookieName])) {
        return null;
    }

    $currentUser = new PMF_User_CurrentUser($config);
    $currentUser->getUserByCookie($_COOKIE[$cookieName]);

    // -1 is the "no such user" marker reported by getUserId()
    if ($currentUser->getUserId() === -1) {
        return null;
    }

    // A timed-out session id gets replaced, and the remember-me cookie is
    // re-bound to the new id.
    // NOTE(review): the remember-me value is sha1(session_id()), i.e. derived
    // from the session id rather than generated independently — its secrecy
    // is therefore tied to that of the session id; confirm this is intended.
    if ($currentUser->sessionIdIsTimedOut()) {
        $currentUser->updateSessionId();
        $currentUser->setRememberMe(sha1(session_id()));
    }

    $currentUser->_loggedIn = true;

    // Persist the authenticated user for the rest of the session.
    $currentUser->saveToSession();

    return $currentUser;
}
die; } $attachmentErrors = array(); // authenticate with session information $user = PMF_User_CurrentUser::getFromSession($faqconfig->get('security.ipCheck')); if (!$user instanceof PMF_User_CurrentUser) { $user = new PMF_User_CurrentUser(); // user not logged in -> empty user object } $id = PMF_Filter::filterInput(INPUT_GET, 'id', FILTER_VALIDATE_INT); $attachment = PMF_Attachment_Factory::create($id); $userPermission = $faq->getPermission('user', $attachment->getRecordId()); $groupPermission = $faq->getPermission('group', $attachment->getRecordId()); // Check on group permissions if ($user->perm instanceof PMF_Perm_PermMedium) { if (count($groupPermission) && in_array($groupPermission[0], $user->perm->getUserGroups($user->getUserId()))) { $groupPermission = true; } else { $groupPermission = false; } } else { $groupPermission = true; } // Check in user's permissions if (in_array($user->getUserId(), $userPermission)) { $userPermission = true; } else { $userPermission = false; } if ($attachment && ($groupPermission || $groupPermission && $userPermission)) { try {
if ($userId == 0) { $message .= sprintf('<p class="alert alert-error">%s</p>', $PMF_LANG['ad_user_error_noId']); $userAction = $defaultUserAction; } else { $user->getUserById($userId); // account is protected if ($user->getStatus() == 'protected' || $userId == 1) { $message .= sprintf('<p class="alert alert-error">%s</p>', $PMF_LANG['ad_user_error_protectedAccount']); $userAction = $defaultUserAction; } else { $twig->loadTemplate('user/delete_confirm.twig')->display(array('PMF_LANG' => $PMF_LANG, 'csrfToken' => $user->getCsrfTokenFromSession(), 'userId' => $userId, 'userLogin' => $user->getLogin())); } } } // delete user if ($userAction == 'delete' && $user->perm->checkRight($user->getUserId(), 'deluser')) { $message = ''; $user = new PMF_User($faqConfig); $userId = PMF_Filter::filterInput(INPUT_POST, 'user_id', FILTER_VALIDATE_INT, 0); $csrfOkay = true; $csrfToken = PMF_Filter::filterInput(INPUT_POST, 'csrf', FILTER_SANITIZE_STRING); if (!isset($_SESSION['phpmyfaq_csrf_token']) || $_SESSION['phpmyfaq_csrf_token'] !== $csrfToken) { $csrfOkay = false; } $userAction = $defaultUserAction; if ($userId == 0 && !$csrfOkay) { $message .= sprintf('<p class="alert alert-danger">%s</p>', $PMF_LANG['ad_user_error_noId']); } else { if (!$user->getUserById($userId)) { $message .= sprintf('<p class="alert alert-danger">%s</p>', $PMF_LANG['ad_user_error_noId']); }
if (count($multiCategories) > 1) { foreach ($multiCategories as $multiCat) { $path = $category->getPath($multiCat['id'], ' » ', true, 'breadcrumb-related-categories'); if ('' === trim($path)) { continue; } $htmlAllCategories .= $path; } } // Related FAQs $faqSearchResult->reviewResultset($faqRelation->getAllRelatedById($recordId, $faq->faqRecord['title'], $faq->faqRecord['keywords'])); $searchHelper = new PMF_Helper_Search($faqConfig); $relatedFaqs = $searchHelper->renderRelatedFaqs($faqSearchResult, $recordId); // Show link to edit the faq? $editThisEntry = ''; if ($user->perm->checkRight($user->getUserId(), 'editbt')) { $editThisEntry = sprintf('<a href="%sadmin/index.php?action=editentry&id=%d&lang=%s">%s</a>', PMF_Link::getSystemRelativeUri('index.php'), $recordId, $lang, $PMF_LANG['ad_entry_edit_1'] . ' ' . $PMF_LANG['ad_entry_edit_2']); } // Is the faq expired? $expired = date('YmdHis') > $faq->faqRecord['dateEnd']; // Does the user have the right to add a comment? if (-1 === $user->getUserId() && !$faqConfig->get('records.allowCommentsForGuests') || $faq->faqRecord['active'] === 'no' || 'n' == $faq->faqRecord['comment'] || $expired) { $commentMessage = $PMF_LANG['msgWriteNoComment']; } else { $commentMessage = sprintf("%s<a href=\"javascript:void(0);\" onclick=\"javascript:\$('#commentForm').show();\">%s</a>", $PMF_LANG['msgYouCan'], $PMF_LANG['msgWriteComment']); } $translationUrl = sprintf(str_replace('%', '%%', PMF_Link::getSystemRelativeUri('index.php')) . 'index.php?%saction=translate&cat=%s&id=%d&srclang=%s', $sids, $currentCategory, $recordId, $lang); if (!empty($switchLanguage)) { $tpl->parseBlock('writeContent', 'switchLanguage', array('msgChangeLanguage' => $PMF_LANG['msgLangaugeSubmit'])); } if ($user->perm->checkRight($user->getUserId(), 'addtranslation')) {