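/* return the current language */
$app->get('/account/lang', function () use ($app) {
    ok(DatawrapperSession::getLanguage());
});

/* set a new language */
$app->put('/account/lang', function () use ($app) {
    $data = json_decode($app->request()->getBody());
    // A body that is not a JSON object used to raise a PHP warning here and
    // still pass null on; isset() keeps the null without the warning.
    $lang = isset($data->lang) ? $data->lang : null;
    DatawrapperSession::setLanguage($lang);
    ok();
});

/* login user */
$app->post('/auth/login', function () use ($app) {
    $payload = json_decode($app->request()->getBody());
    // v-- don't expire login anymore
    $email = isset($payload->email) ? $payload->email : null;
    $user = UserQuery::create()->findOneByEmail($email);
    if (!empty($user) && !$user->getDeleted()) {
        // hash_equals() compares in constant time; a plain === on the two
        // strings leaks through timing how long the matching prefix was.
        // Both sides are cast because hash_equals() requires two strings.
        $pwhash   = isset($payload->pwhash) ? $payload->pwhash : null;
        $stored   = (string) $user->getPwd();
        $supplied = (string) secure_password($pwhash);
        if (hash_equals($stored, $supplied)) {
            // !empty() has the same truthiness as the former `== true`,
            // minus the warning when the field is absent.
            DatawrapperSession::login($user, !empty($payload->keeplogin));
            ok();
        } else {
            Action::logAction($user, 'wrong-password', json_encode(get_user_ips()));
            error('login-invalid', __('The password is incorrect.'));
        }
    } else {
        // NOTE(review): answering differently from the wrong-password branch
        // tells a caller whether an address is registered. The distinct
        // error code is kept because clients read it; unknown-address
        // attempts are not logged via Action::logAction() like bad passwords.
        error('login-email-unknown', __('The email is not registered yet.'));
    }
});

/* return the server salt for secure auth */
$app->get('/auth/salt', function () use ($app) {
    ok(array('salt' => DW_AUTH_SALT));
});
/*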
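});

//GET route
$app->get('/setup', function () use ($app) {
    disable_cache($app);
    // The setup page is only for a fresh install: once someone is logged in
    // or an admin/sysadmin exists, send the visitor to the front page.
    // NOTE(review): assumes $app->redirect() halts the request; if it
    // returned, setup.twig would still be rendered below — confirm.
    if (DatawrapperSession::getUser()->isLoggedIn()
        || UserQuery::create()->filterByRole(array('admin', 'sysadmin'))->count() > 0) {
        $app->redirect('/');
    }
    $page = array(
        'title' => 'Datawrapper',
        'pageClass' => 'setup',
        'noHeader' => true,
        'noFooter' => true,
        'noSignup' => true,
        'auth_salt' => DW_AUTH_SALT,
    );
    add_header_vars($page, '');
    $app->render('setup.twig', $page);
});

/*
 * endpoint for final setup script
 */
$app->post('/setup', function () use ($app) {
    $data = json_decode($app->request()->getBody());
    // The account created here is the first admin, so a missing or blank
    // e-mail/password must not be accepted; previously an absent field went
    // through as null and an empty string became the admin password.
    // Uses the same fail response as the "already set up" case below.
    $email = (is_object($data) && isset($data->email)) ? $data->email : null;
    $pwd   = (is_object($data) && isset($data->pwd)) ? $data->pwd : null;
    if (!is_string($email) || $email === '' || !is_string($pwd) || $pwd === '') {
        print json_encode(array('status' => 'fail'));
        return;
    }
    // check that there is no admin user yet (only true right after setup)
    // NOTE: the GET route checks for admin/sysadmin roles, whereas this one
    // requires an empty users table; the stricter condition applies here.
    if (UserQuery::create()->count() == 0) {
        $user = new User();
        $user->setCreatedAt(time());
        $user->setEmail($email);
        $user->setRole('admin');
        // NOTE(review): a User::setPwd() override shown elsewhere on this
        // page applies secure_password() itself; if that override is in
        // effect here the value is hashed twice. Kept unchanged — confirm.
        $user->setPwd(secure_password($pwd));
        $user->setLanguage(DatawrapperSession::getLanguage());
        $user->save();
        DatawrapperSession::login($user);
        $app->redirect('/');
    } else {
        print json_encode(array('status' => 'fail'));
    }
});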
/**
 * Stores the password in its secure_password() form instead of the raw value.
 *
 * Every write to the password column goes through this override, so the
 * column never receives what the caller passed in directly.
 *
 * @param mixed $pwd value to secure before handing it to the parent setter
 * @return mixed whatever the parent setter returns
 */
public function setPwd($pwd)
{
    $secured = secure_password($pwd);

    return parent::setPwd($secured);
}
if ($curUser->isLoggedIn()) { if ($user_id == 'current' || $curUser->getId() === $user_id) { $user = $curUser; } else { if ($curUser->isAdmin()) { $user = UserQuery::create()->findPK($user_id); } } if (!empty($user)) { $messages = array(); $errors = array(); if (!empty($payload->pwd)) { // update password $chk = false; if (!empty($payload->oldpwhash)) { $chk = $user->getPwd() === secure_password($payload->oldpwhash); } if ($chk || $curUser->isSysAdmin()) { $user->setPwd($payload->pwd); Action::logAction($curUser, 'change-password', array('user' => $user->getId())); } else { Action::logAction($curUser, 'change-password-failed', array('user' => $user->getId(), 'reason' => 'old password is wrong')); $errors[] = __('The password could not be changed because your old password was not entered correctly.'); } } if (!empty($payload->email) && $payload->email != $user->getEmail()) { if (check_email($payload->email) || $curUser->isAdmin()) { if (!email_exists($payload->email)) { if ($curUser->isAdmin()) { $user->setEmail($payload->email); } else {
return; } } else { $pwd = $payload->pwd; } if ($curUser->isLoggedIn()) { if ($user_id == 'current' || $curUser->getId() == $user_id) { $user = $curUser; } else { if ($curUser->isAdmin()) { $user = UserQuery::create()->findPK($user_id); $pwd = $user->getPwd(); } } if (!empty($user)) { if ($user->getPwd() === secure_password($pwd)) { // Delete user if (!$curUser->isAdmin()) { DatawrapperSession::logout(); } $user->erase(); ok(); } else { Action::logAction($user, 'delete-request-wrong-password', json_encode(get_user_ips())); error('wrong-password', __('The password you entered is not correct.')); } } else { error('user-not-found', 'no user found with that id'); } } else { error('need-login', 'you must be logged in to do that');
<?php
/*
 * This script secures all passwords in the database with the
 * secure_auth_key that was introduced in 1.3.2.
 *
 * Please run this script only once(!) when migrating to 1.3.2 and
 * please BACK UP YOUR DATABASE first, in case something goes wrong.
 *
 * OTHERWISE your users won't be able to login anymore.
 */
define('ROOT_PATH', '../../');
define('NO_SLIM', 1);
require_once ROOT_PATH . 'lib/bootstrap.php';

// $dw_config is presumably populated by bootstrap.php (not visible here).
$authKey = isset($dw_config['secure_auth_key']) ? $dw_config['secure_auth_key'] : null;
if (empty($authKey)) {
    die("You need to specify a secure auth key in config.yaml");
}

// Re-hash every stored password. Nothing in the code prevents a second run,
// which would apply secure_password() to already-migrated values — hence
// the "only once" and backup warnings in the header.
// NOTE(review): a User::setPwd() override shown elsewhere on this page
// applies secure_password() itself; if that override exists in the version
// this script targets, the explicit call below hashes twice — confirm first.
$accounts = UserQuery::create()->find();
foreach ($accounts as $account) {
    $rehashed = secure_password($account->getPwd());
    $account->setPwd($rehashed);
    $account->save();
}
print "ok.\n";