/** * Load the form */ private function loadForm() { $this->imageIsAllowed = BackendModel::getModuleSetting($this->URL->getModule(), 'show_image_form', true); $this->frm = new BackendForm('add'); // set hidden values $rbtHiddenValues[] = array('label' => BL::lbl('Hidden', $this->URL->getModule()), 'value' => 'Y'); $rbtHiddenValues[] = array('label' => BL::lbl('Published'), 'value' => 'N'); // get categories $categories = BackendBlogModel::getCategories(); $categories['new_category'] = SpoonFilter::ucfirst(BL::getLabel('AddCategory')); // create elements $this->frm->addText('title', null, null, 'inputText title', 'inputTextError title'); $this->frm->addEditor('text'); $this->frm->addEditor('introduction'); $this->frm->addRadiobutton('hidden', $rbtHiddenValues, 'N'); $this->frm->addCheckbox('allow_comments', BackendModel::getModuleSetting($this->getModule(), 'allow_comments', false)); $this->frm->addDropdown('category_id', $categories, SpoonFilter::getGetValue('category', null, null, 'int')); if (count($categories) != 2) { $this->frm->getField('category_id')->setDefaultElement(''); } $this->frm->addDropdown('user_id', BackendUsersModel::getUsers(), BackendAuthentication::getUser()->getUserId()); $this->frm->addText('tags', null, null, 'inputText tagBox', 'inputTextError tagBox'); $this->frm->addDate('publish_on_date'); $this->frm->addTime('publish_on_time'); if ($this->imageIsAllowed) { $this->frm->addImage('image'); } // meta $this->meta = new BackendMeta($this->frm, null, 'title', true); }
/** * Returns the encrypted password for a user by giving a email/password * Returns false if no user was found for this user/pass combination * * @param string $email The email. * @param string $password The password. * @return string */ public static function getEncryptedPassword($email, $password) { $email = (string) $email; $password = (string) $password; // fetch user ID by email $userId = BackendUsersModel::getIdByEmail($email); // check if a user ID was found, return false if no user exists if ($userId === false) { return false; } // fetch user record $user = new BackendUser($userId); $key = $user->getSetting('password_key'); // return the encrypted string return (string) self::getEncryptedString($password, $key); }
/** * Execute the action */ public function execute() { $email = $this->getParameter('email', 'string'); // does the user exist if ($email !== null) { parent::execute(); // delete item if (BackendUsersModel::undoDelete($email)) { // get user $user = new BackendUser(null, $email); // item was deleted, so redirect $this->redirect(BackendModel::createURLForAction('edit') . '&id=' . $user->getUserId() . '&report=restored&var=' . $user->getSetting('nickname') . '&highlight=row-' . $user->getUserId()); } else { $this->redirect(BackendModel::createURLForAction('index') . '&error=non-existing'); } } else { $this->redirect(BackendModel::createURLForAction('index') . '&error=non-existing'); } }
/** * Execute the action */ public function execute() { // get parameters $this->id = $this->getParameter('id', 'int'); // does the user exist if ($this->id !== null && BackendUsersModel::exists($this->id) && BackendAuthentication::getUser()->getUserId() != $this->id) { parent::execute(); // get data $user = new BackendUser($this->id); // God-users can't be deleted if ($user->isGod()) { $this->redirect(BackendModel::createURLForAction('index') . '&error=cant-delete-god'); } // delete item BackendUsersModel::delete($this->id); // trigger event BackendModel::triggerEvent($this->getModule(), 'after_delete', array('id' => $this->id)); // item was deleted, so redirect $this->redirect(BackendModel::createURLForAction('index') . '&report=deleted&var=' . $user->getSetting('nickname')); } else { $this->redirect(BackendModel::createURLForAction('index') . '&error=non-existing'); } }
/** * Validate the form */ private function validateForm() { // is the form submitted? if ($this->frm->isSubmitted()) { // cleanup the submitted fields, ignore fields that were added by hackers $this->frm->cleanupFields(); // email is present if ($this->frm->getField('email')->isFilled(BL::err('EmailIsRequired'))) { // is this an email-address if ($this->frm->getField('email')->isEmail(BL::err('EmailIsInvalid'))) { // was this emailaddress deleted before if (BackendUsersModel::emailDeletedBefore($this->frm->getField('email')->getValue())) { $this->frm->getField('email')->addError(sprintf(BL::err('EmailWasDeletedBefore'), BackendModel::createURLForAction('undo_delete', null, null, array('email' => $this->frm->getField('email')->getValue())))); } else { // email already exists if (BackendUsersModel::existsEmail($this->frm->getField('email')->getValue())) { $this->frm->getField('email')->addError(BL::err('EmailAlreadyExists')); } } } } // required fields $this->frm->getField('password')->isFilled(BL::err('PasswordIsRequired')); $this->frm->getField('nickname')->isFilled(BL::err('NicknameIsRequired')); $this->frm->getField('name')->isFilled(BL::err('NameIsRequired')); $this->frm->getField('surname')->isFilled(BL::err('SurnameIsRequired')); $this->frm->getField('interface_language')->isFilled(BL::err('FieldIsRequired')); $this->frm->getField('date_format')->isFilled(BL::err('FieldIsRequired')); $this->frm->getField('time_format')->isFilled(BL::err('FieldIsRequired')); $this->frm->getField('number_format')->isFilled(BL::err('FieldIsRequired')); $this->frm->getField('groups')->isFilled(BL::err('FieldIsRequired')); if ($this->frm->getField('password')->isFilled()) { if ($this->frm->getField('password')->getValue() !== $this->frm->getField('confirm_password')->getValue()) { $this->frm->getField('confirm_password')->addError(BL::err('ValuesDontMatch')); } } // validate avatar if ($this->frm->getField('avatar')->isFilled()) { // correct extension if ($this->frm->getField('avatar')->isAllowedExtension(array('jpg', 'jpeg', 'gif', 'png'), BL::err('JPGGIFAndPNGOnly'))) { // correct mimetype? $this->frm->getField('avatar')->isAllowedMimeType(array('image/gif', 'image/jpg', 'image/jpeg', 'image/png'), BL::err('JPGGIFAndPNGOnly')); } } // no errors? if ($this->frm->isCorrect()) { // build settings-array $settings['nickname'] = $this->frm->getField('nickname')->getValue(); $settings['name'] = $this->frm->getField('name')->getValue(); $settings['surname'] = $this->frm->getField('surname')->getValue(); $settings['interface_language'] = $this->frm->getField('interface_language')->getValue(); $settings['date_format'] = $this->frm->getField('date_format')->getValue(); $settings['time_format'] = $this->frm->getField('time_format')->getValue(); $settings['datetime_format'] = $settings['date_format'] . ' ' . $settings['time_format']; $settings['number_format'] = $this->frm->getField('number_format')->getValue(); $settings['csv_split_character'] = $this->frm->getField('csv_split_character')->getValue(); $settings['csv_line_ending'] = $this->frm->getField('csv_line_ending')->getValue(); $settings['password_key'] = uniqid(); $settings['current_password_change'] = time(); $settings['avatar'] = 'no-avatar.gif'; $settings['api_access'] = (bool) $this->frm->getField('api_access')->getChecked(); // get selected groups $groups = $this->frm->getField('groups')->getChecked(); // init var $newSequence = BackendGroupsModel::getSetting($groups[0], 'dashboard_sequence'); // loop through groups and collect all dashboard widget sequences foreach ($groups as $group) { $sequences[] = BackendGroupsModel::getSetting($group, 'dashboard_sequence'); } // loop through sequences foreach ($sequences as $sequence) { // loop through modules inside a sequence foreach ($sequence as $moduleKey => $module) { // loop through widgets inside a module foreach ($module as $widgetKey => $widget) { // if widget present set true if ($widget['present']) { $newSequence[$moduleKey][$widgetKey]['present'] = true; } } } } // add new sequence to settings $settings['dashboard_sequence'] = $newSequence; // build user-array $user['email'] = $this->frm->getField('email')->getValue(); $user['password'] = BackendAuthentication::getEncryptedString($this->frm->getField('password')->getValue(true), $settings['password_key']); // save the password strength $passwordStrength = BackendAuthentication::checkPassword($this->frm->getField('password')->getValue(true)); $settings['password_strength'] = $passwordStrength; // save changes $user['id'] = (int) BackendUsersModel::insert($user, $settings); // has the user submitted an avatar? if ($this->frm->getField('avatar')->isFilled()) { // create new filename $filename = rand(0, 3) . '_' . $user['id'] . '.' . $this->frm->getField('avatar')->getExtension(); // add into settings to update $settings['avatar'] = $filename; // resize (128x128) $this->frm->getField('avatar')->createThumbnail(FRONTEND_FILES_PATH . '/backend_users/avatars/128x128/' . $filename, 128, 128, true, false, 100); // resize (64x64) $this->frm->getField('avatar')->createThumbnail(FRONTEND_FILES_PATH . '/backend_users/avatars/64x64/' . $filename, 64, 64, true, false, 100); // resize (32x32) $this->frm->getField('avatar')->createThumbnail(FRONTEND_FILES_PATH . '/backend_users/avatars/32x32/' . $filename, 32, 32, true, false, 100); } // update settings (in this case the avatar) BackendUsersModel::update($user, $settings); // save groups BackendGroupsModel::insertMultipleGroups($user['id'], $groups); // trigger event BackendModel::triggerEvent($this->getModule(), 'after_add', array('item' => $user)); // everything is saved, so redirect to the overview $this->redirect(BackendModel::createURLForAction('index') . '&report=added&var=' . $settings['nickname'] . '&highlight=row-' . $user['id']); } } }
/** * Validate the forms */ private function validateForm() { if ($this->frm->isSubmitted()) { $txtEmail = $this->frm->getField('backend_email'); $txtPassword = $this->frm->getField('backend_password'); // required fields if (!$txtEmail->isFilled() || !$txtPassword->isFilled()) { // add error $this->frm->addError('fields required'); // show error $this->tpl->assign('hasError', true); } // invalid form-token? if ($this->frm->getToken() != $this->frm->getField('form_token')->getValue()) { // set a correct header, so bots understand they can't mess with us. if (!headers_sent()) { header('400 Bad Request', true, 400); } } // all fields are ok? if ($txtEmail->isFilled() && $txtPassword->isFilled() && $this->frm->getToken() == $this->frm->getField('form_token')->getValue()) { // try to login the user if (!BackendAuthentication::loginUser($txtEmail->getValue(), $txtPassword->getValue())) { // add error $this->frm->addError('invalid login'); // store attempt in session $current = SpoonSession::exists('backend_login_attempts') ? (int) SpoonSession::get('backend_login_attempts') : 0; // increment and store SpoonSession::set('backend_login_attempts', ++$current); // show error $this->tpl->assign('hasError', true); } } // check sessions if (SpoonSession::exists('backend_login_attempts') && (int) SpoonSession::get('backend_login_attempts') >= 5) { // get previous attempt $previousAttempt = SpoonSession::exists('backend_last_attempt') ? SpoonSession::get('backend_last_attempt') : time(); // calculate timeout $timeout = 5 * (SpoonSession::get('backend_login_attempts') - 4); // too soon! if (time() < $previousAttempt + $timeout) { // sleep untill the user can login again sleep($timeout); // set a correct header, so bots understand they can't mess with us. if (!headers_sent()) { header('503 Service Unavailable', true, 503); } } else { // increment and store SpoonSession::set('backend_last_attempt', time()); } // too many attempts $this->frm->addEditor('too many attempts'); // show error $this->tpl->assign('hasTooManyAttemps', true); $this->tpl->assign('hasError', false); } // no errors in the form? if ($this->frm->isCorrect()) { // cleanup sessions SpoonSession::delete('backend_login_attempts'); SpoonSession::delete('backend_last_attempt'); // create filter with modules which may not be displayed $filter = array('authentication', 'error', 'core'); // get all modules $modules = array_diff(BackendModel::getModules(), $filter); // loop through modules and break on first allowed module foreach ($modules as $module) { if (BackendAuthentication::isAllowedModule($module)) { break; } } // redirect to the correct URL (URL the user was looking for or fallback) $this->redirect($this->getParameter('querystring', 'string', BackendModel::createUrlForAction(null, $module))); } } // is the form submitted if ($this->frmForgotPassword->isSubmitted()) { // backend email $email = $this->frmForgotPassword->getField('backend_email_forgot')->getValue(); // required fields if ($this->frmForgotPassword->getField('backend_email_forgot')->isEmail(BL::err('EmailIsInvalid'))) { // check if there is a user with the given emailaddress if (!BackendUsersModel::existsEmail($email)) { $this->frmForgotPassword->getField('backend_email_forgot')->addError(BL::err('EmailIsUnknown')); } } // no errors in the form? if ($this->frmForgotPassword->isCorrect()) { // generate the key for the reset link and fetch the user ID for this email $key = BackendAuthentication::getEncryptedString($email, uniqid()); // insert the key and the timestamp into the user settings $userId = BackendUsersModel::getIdByEmail($email); $user = new BackendUser($userId); $user->setSetting('reset_password_key', $key); $user->setSetting('reset_password_timestamp', time()); // variables to parse in the e-mail $variables['resetLink'] = SITE_URL . BackendModel::createURLForAction('reset_password') . '&email=' . $email . '&key=' . $key; // send e-mail to user BackendMailer::addEmail(SpoonFilter::ucfirst(BL::msg('ResetYourPasswordMailSubject')), BACKEND_MODULE_PATH . '/layout/templates/mails/reset_password.tpl', $variables, $email); // clear post-values $_POST['backend_email_forgot'] = ''; // show success message $this->tpl->assign('isForgotPasswordSuccess', true); // show form $this->tpl->assign('showForm', true); } else { $this->tpl->assign('showForm', true); } } }
/** * Load the form */ private function loadForm() { // create form $this->frm = new BackendForm('edit'); // set hidden values $rbtHiddenValues[] = array('label' => BL::lbl('Hidden'), 'value' => 'Y'); $rbtHiddenValues[] = array('label' => BL::lbl('Published'), 'value' => 'N'); // get categories $categories = BackendBlogModel::getCategories(); $categories['new_category'] = SpoonFilter::ucfirst(BL::getLabel('AddCategory')); // create elements $this->frm->addText('title', $this->record['title'], null, 'inputText title', 'inputTextError title'); $this->frm->addEditor('text', $this->record['text']); $this->frm->addEditor('introduction', $this->record['introduction']); $this->frm->addRadiobutton('hidden', $rbtHiddenValues, $this->record['hidden']); $this->frm->addCheckbox('allow_comments', $this->record['allow_comments'] === 'Y' ? true : false); $this->frm->addDropdown('category_id', $categories, $this->record['category_id']); if (count($categories) != 2) { $this->frm->getField('category_id')->setDefaultElement(''); } $this->frm->addDropdown('user_id', BackendUsersModel::getUsers(), $this->record['user_id']); $this->frm->addText('tags', BackendTagsModel::getTags($this->URL->getModule(), $this->record['id']), null, 'inputText tagBox', 'inputTextError tagBox'); $this->frm->addDate('publish_on_date', $this->record['publish_on']); $this->frm->addTime('publish_on_time', date('H:i', $this->record['publish_on'])); if ($this->imageIsAllowed) { $this->frm->addImage('image'); $this->frm->addCheckbox('delete_image'); } // meta object $this->meta = new BackendMeta($this->frm, $this->record['meta_id'], 'title', true); // set callback for generating a unique URL $this->meta->setUrlCallback('BackendBlogModel', 'getURL', array($this->record['id'])); }
/** * Validate the form * * @return void */ private function validateForm() { // is the form submitted if ($this->frm->isSubmitted()) { // shorten fields $newPassword = $this->frm->getField('backend_new_password'); $newPasswordRepeated = $this->frm->getField('backend_new_password_repeated'); // required fields $newPassword->isFilled(BL::err('PasswordIsRequired')); $newPasswordRepeated->isFilled(BL::err('PasswordRepeatIsRequired')); // all fields are ok? if ($newPassword->isFilled() && $newPasswordRepeated->isFilled()) { // the passwords entered match if ($newPassword->getValue() !== $newPasswordRepeated->getValue()) { // add error $this->frm->addError(BL::err('PasswordsDontMatch')); // show error $this->tpl->assign('error', BL::err('PasswordsDontMatch')); } } // is the form submitted if ($this->frm->isCorrect()) { // change the users password BackendUsersModel::updatePassword($this->user, $newPassword->getValue()); // attempt to login the user if (!BackendAuthentication::loginUser($this->user->getEmail(), $newPassword->getValue())) { // redirect to the login form with an error $this->redirect(BackendModel::createURLForAction('index', null, null, array('login' => 'failed'))); } // redirect to the login form $this->redirect(BackendModel::createUrlForAction('index', 'dashboard', null, array('password_reset' => 'success'))); } } }