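/**
 * Used by subclasses to validate access keys when they are allowed.
 *
 * A key supplied on this request supersedes any existing login: the caller
 * is logged out first, then only the key's hash is cached in the session so
 * that later requests without a key can be validated against it. The raw
 * key is never stored. The key has to belong to $userId and be bound to
 * $reviewId (passed as the assoc ID) to resolve to a user.
 *
 * @param $userId int The user this key refers to
 * @param $reviewId int The ID of the review this key refers to
 * @param $newKey string The new key name, if one was supplied; otherwise, the existing one (if it exists) is used
 * @return object Valid user object if the key was valid; otherwise NULL.
 */
function &validateAccessKey($userId, $reviewId, $newKey = null) {
	$user = null;

	// Access keys are an opt-in feature; when disabled there is nothing to validate.
	$press =& Request::getPress();
	if (!$press || !$press->getSetting('reviewerAccessKeysEnabled')) {
		return $user;
	}

	// This helper may run more than once per request; redefining a constant
	// raises a notice, so guard the define().
	if (!defined('REVIEWER_ACCESS_KEY_SESSION_VAR')) {
		define('REVIEWER_ACCESS_KEY_SESSION_VAR', 'ReviewerAccessKey');
	}

	import('lib.pkp.classes.security.AccessKeyManager');
	$accessKeyManager = new AccessKeyManager();
	$session =& Request::getSession();

	if (!empty($newKey)) {
		// A new key replaces any existing login; drop it before trusting the key.
		if (Validation::isLoggedIn()) {
			Validation::logout();
		}
		$keyHash = $accessKeyManager->generateKeyHash($newKey);
		$session->setSessionVar(REVIEWER_ACCESS_KEY_SESSION_VAR, $keyHash);
	} else {
		// No key on this request: fall back to the hash cached by an earlier one.
		$keyHash = $session->getSessionVar(REVIEWER_ACCESS_KEY_SESSION_VAR);
	}

	// Nothing supplied and nothing cached: skip the lookup entirely rather
	// than asking the manager to validate an empty hash.
	if (empty($keyHash)) {
		return $user;
	}

	$accessKey =& $accessKeyManager->validateKey('ReviewerContext', $userId, $keyHash, $reviewId);
	if ($accessKey) {
		$userDao =& DAORegistry::getDAO('UserDAO');
		$user =& $userDao->getUser($accessKey->getUserId(), false);
	}

	// NULL unless the key resolved to a user, as documented.
	return $user;
}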
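/**
 * Tests if the request contains a valid access token. If this is the case
 * the regular login process will be skipped and the reviewer the token
 * belongs to is registered in the session.
 *
 * The token is only honoured for anonymous requests: an existing login is
 * never replaced by a key-based one. Only the hash of the supplied code is
 * compared; the code itself is not retained.
 *
 * @param $request PKPRequest
 * @return boolean false when no usable key/review ID was presented, the
 *  review or context could not be resolved, or the key did not validate;
 *  nothing is returned when the reviewer session was established.
 */
function _validateAccessKey($request) {
	$accessKeyCode = $request->getUserVar('key');
	$reviewId = (int) $request->getUserVar('reviewId');
	if (!($accessKeyCode && $reviewId)) {
		return false;
	}

	// An authenticated session takes precedence over the key.
	$sessionManager = SessionManager::getManager();
	$session = $sessionManager->getUserSession();
	if ($session->getUserId()) {
		return false;
	}

	import('lib.pkp.classes.security.AccessKeyManager');
	$reviewerSubmissionDao = DAORegistry::getDAO('ReviewerSubmissionDAO');
	$reviewerSubmission = $reviewerSubmissionDao->getReviewerSubmission($reviewId);
	// Unknown review assignment: bail out instead of dereferencing null below.
	if (!$reviewerSubmission) {
		return false;
	}

	$context = $request->getContext();
	if (!$context) {
		return false;
	}

	// The key must belong to the reviewer assigned to this review.
	// NOTE(review): no assoc ID (the review ID) is passed to validateKey here,
	// unlike the ReviewerContext validation elsewhere in this codebase, so the
	// key is checked against the reviewer only — confirm that is intended.
	$accessKeyManager = new AccessKeyManager();
	$accessKeyHash = AccessKeyManager::generateKeyHash($accessKeyCode);
	$accessKey = $accessKeyManager->validateKey($context->getId(), $reviewerSubmission->getReviewerId(), $accessKeyHash);
	if (!$accessKey) {
		return false;
	}

	$userDao = DAORegistry::getDAO('UserDAO');
	$user = $userDao->getById($accessKey->getUserId());
	if (!$user) {
		return false;
	}

	// Establish the reviewer's session. On failure $reason carries the cause;
	// the caller's regular login path still applies in that case.
	import('lib.pkp.classes.security.PKPValidation');
	$reason = null;
	if (PKPValidation::registerUserSession($user, $reason)) {
		$this->submission = $reviewerSubmission;
		$this->user = $user;
	}
}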
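/**
 * Check credentials and activate a new user
 *
 * The activation link carries a username and an access key. The key is
 * validated against that user's ID in the 'RegisterContext', so a key issued
 * for one account cannot activate another. Every failure (unknown user,
 * invalid key, already validated) redirects to the login page, so the
 * response does not reveal whether the username exists.
 *
 * @author Marc Bria <*****@*****.**>
 * @param $args array [username, accessKeyCode] taken from the URL path
 */
function activateUser($args) {
	$username = array_shift($args);
	$accessKeyCode = array_shift($args);

	$userDao =& DAORegistry::getDAO('UserDAO');
	$user =& $userDao->getUserByUsername($username);
	if (!$user) {
		Request::redirect(null, 'login');
		return; // defensive: do not continue if redirect() does not exit
	}

	// Checks user & token. Note: "=& new" is a parse error on PHP 7+.
	import('security.AccessKeyManager');
	$accessKeyManager = new AccessKeyManager();
	$accessKeyHash = AccessKeyManager::generateKeyHash($accessKeyCode);
	$accessKey =& $accessKeyManager->validateKey('RegisterContext', $user->getUserId(), $accessKeyHash);

	// Only a not-yet-validated account may be activated; a valid key for an
	// already validated account is treated like any other failure.
	if ($accessKey && $user->getDateValidated() === null) {
		// Activate user
		$user->setDisabled(false);
		$user->setDisabledReason('');
		$user->setDateValidated(Core::getCurrentDate());
		$userDao->updateUser($user);

		// The key is single-use: remove it now that it has been consumed
		// (same handling as the mailing-list unsubscribe key).
		$accessKeyDao =& DAORegistry::getDAO('AccessKeyDAO');
		$accessKeyDao->deleteObject($accessKey);

		$templateMgr =& TemplateManager::getManager();
		$templateMgr->assign('message', 'user.login.activated');
		return $templateMgr->display('common/message.tpl');
	}

	Request::redirect(null, 'login');
}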
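/**
 * Check credentials and activate a new user
 *
 * The activation link carries a username and an access key. The key is
 * validated against that user's ID in the 'RegisterContext', so a key issued
 * for one account cannot activate another. Every failure (unknown user,
 * invalid key, already validated) redirects to the login page, so the
 * response does not reveal whether the username exists.
 *
 * @param $args array [username, accessKeyCode] taken from the URL path
 * @param $request PKPRequest
 */
function activateUser($args, $request) {
	$username = array_shift($args);
	$accessKeyCode = array_shift($args);

	$userDao = DAORegistry::getDAO('UserDAO');
	$user = $userDao->getByUsername($username);
	if (!$user) {
		$request->redirect(null, 'login');
		return; // defensive: do not continue if redirect() does not exit
	}

	// Checks user and token; only the hash of the code is compared.
	import('lib.pkp.classes.security.AccessKeyManager');
	$accessKeyManager = new AccessKeyManager();
	$accessKeyHash = AccessKeyManager::generateKeyHash($accessKeyCode);
	$accessKey = $accessKeyManager->validateKey('RegisterContext', $user->getId(), $accessKeyHash);

	// Only a not-yet-validated account may be activated; a valid key for an
	// already validated account is treated like any other failure.
	if ($accessKey && $user->getDateValidated() === null) {
		// Activate user
		$user->setDisabled(false);
		$user->setDisabledReason('');
		$user->setDateValidated(Core::getCurrentDate());
		$userDao->updateObject($user);

		// The key is single-use: remove it now that it has been consumed
		// (same handling as the mailing-list unsubscribe key).
		$accessKeyDao = DAORegistry::getDAO('AccessKeyDAO');
		$accessKeyDao->deleteObject($accessKey);

		$templateMgr = TemplateManager::getManager($request);
		$templateMgr->assign('message', 'user.login.activated');
		return $templateMgr->display('frontend/pages/message.tpl');
	}

	$request->redirect(null, 'login');
}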
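/**
 * Removes an email address and associated access key from email notifications
 *
 * The guest's key is validated in the 'MailListContext' against the
 * setting_id of the mailing-list row for $email (that row's ID stands in for
 * the key's user ID), so a key can only ever unsubscribe the address it was
 * issued for. The key is deleted once it has been used.
 *
 * @param $email string the subscribed address to remove
 * @param $password string the access key code sent to the guest
 * @return boolean true if the address was removed, false otherwise
 */
function unsubscribeGuest($email, $password) {
	$application =& PKPApplication::getApplication();
	$productName = $application->getName();
	$context =& Request::getContext();
	$contextId = (int) $context->getId();

	// Look up the row for this specific address. Without the setting_value
	// filter the first mailList row of the context would be used, and a key
	// issued to a different guest could remove this address.
	$result =& $this->retrieve(
		'SELECT setting_id FROM notification_settings WHERE setting_name = ? AND setting_value = ? AND product = ? AND context = ?',
		array('mailList', $email, $productName, $contextId)
	);
	if ($result->EOF) {
		// No such subscription: nothing to validate the key against.
		$result->Close();
		unset($result);
		return false;
	}
	$row = $result->GetRowAssoc(false);
	$userId = (int) $row['setting_id'];
	$result->Close();
	unset($result);

	// Only the hash of the supplied code is compared.
	import('lib.pkp.classes.security.AccessKeyManager');
	$accessKeyManager = new AccessKeyManager();
	$accessKeyHash = AccessKeyManager::generateKeyHash($password);
	$accessKey = $accessKeyManager->validateKey('MailListContext', $userId, $accessKeyHash);
	if (!$accessKey) {
		return false;
	}

	$this->update(
		'DELETE FROM notification_settings WHERE setting_name = ? AND setting_value = ? AND product = ? AND context = ?',
		array('mailList', $email, $productName, $contextId)
	);
	// The key is single-use: remove it along with the subscription.
	$accessKeyDao =& DAORegistry::getDAO('AccessKeyDAO');
	$accessKeyDao->deleteObject($accessKey);
	return true;
}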