/**
 * REST endpoint for sharing droplets via email.
 *
 * Accepts only HTTP POST. Recipient address, drop title, drop URL and the
 * captcha answer are read from $_POST; the CSRF token is read from the
 * X-CSRF-Token request header. A bad token or a failed validation is
 * logged and answered with HTTP 400. Otherwise the drop URL is mailed to
 * the recipient, with the sharing user's username named in the body.
 *
 * @return void
 * @throws HTTP_Exception  405 for non-POST requests, 400 on token/validation failure
 */
public function action_share()
{
    // No view is rendered: this endpoint only yields a status code
    $this->template = '';
    $this->auto_render = FALSE;

    if ($this->request->method() !== "POST")
    {
        throw HTTP_Exception::factory(405)->allowed('POST');
    }

    // Only the fields the mail needs are taken from the request body;
    // the CSRF token travels in a header rather than in the form
    $fields = Arr::extract($_POST, array('recipient', 'drop_title', 'drop_url', 'security_code'));
    $token = $this->request->headers('x-csrf-token');

    $rules = Validation::factory($fields)
        ->rule('recipient', 'not_empty')
        ->rule('recipient', 'email')
        ->rule('security_code', 'Captcha::valid')
        ->rule('drop_title', 'not_empty')
        ->rule('drop_url', 'url');

    // Token check first; validation only runs when the token is good
    if (!CSRF::valid($token) || !$rules->check())
    {
        Kohana::$log->add(Log::DEBUG, "CSRF token or form validation failure");
        throw HTTP_Exception::factory(400);
    }

    // The body names the sharing user so the recipient knows who sent it
    $body = __(":user has shared a drop with you via SwiftRiver\n\n:url", array(
        ':user' => $this->user['owner']['username'],
        ':url' => $fields['drop_url']
    ));

    Swiftriver_Mail::send($fields['recipient'], $fields['drop_title'], $body);
}
/**
 * Checks a CSRF token and renders the access-denied layout when it fails.
 *
 * @param string $token  token value taken from the request
 * @return bool  TRUE when the token is valid; FALSE after the denial
 *               layout has been loaded
 */
public static function valid($token)
{
    if (CSRF::valid($token))
    {
        return true;
    }

    // Replace the requested page with the denial page; no extra
    // stylesheets are attached to it
    \CODOF\Smarty\Layout::load("access_denied", array());

    return false;
}
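/**
 * Runs the CSRF check automatically for form submissions.
 *
 * Requests that are not POST, or POSTs that do not carry the token field
 * (self::$name), are left unchecked and reported as passing. When the
 * token field is present and self::check() reports failure, self::deny()
 * is invoked with $base_app.
 *
 * @param mixed $base_app  application object handed to self::deny()
 * @return bool  TRUE when the request passes or needs no check, FALSE
 *               after the request has been denied
 */
public static function auto_check($base_app)
{
    // The original compared 'POST' against the NEGATED method string
    // ('POST' == !$_SERVER[...]), which can never match, so the method
    // was effectively never tested. REQUEST_METHOD may be absent (CLI),
    // hence the isset().
    $method = isset($_SERVER['REQUEST_METHOD']) ? $_SERVER['REQUEST_METHOD'] : '';

    if ($method !== 'POST' || !isset($_POST[self::$name]))
    {
        // Nothing to verify for this request
        return true;
    }

    if (self::check() < 1)
    {
        self::deny($base_app);

        // Never mark the request valid if deny() returns to us
        return false;
    }

    self::$valid = true;

    return true;
}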
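/**
 * Simple register for user.
 *
 * Renders the registration form. On a POST carrying an e-mail address and
 * a valid 'register' CSRF token it creates an active user with role 1,
 * logs them in, sends the 'auth.register' e-mail and redirects. Visitors
 * who are already logged in are sent to the panel. Problems (invalid
 * address, password mismatch, existing user, model validation errors) are
 * reported through Form::set_errors() and the form is shown again.
 *
 * @return void
 * @throws HTTP_Exception_500  when saving the user fails for a reason other
 *                             than model validation
 */
public function action_register()
{
    $this->template->content = View::factory('pages/auth/register');
    $this->template->content->msg = '';

    // Already logged in: nothing to register, go home
    if (Auth::instance()->logged_in())
    {
        $this->request->redirect(Route::get('oc-panel')->uri());
    }
    elseif (core::post('email') and CSRF::valid('register'))
    {
        $email = core::post('email');

        if (!Valid::email($email, TRUE))
        {
            Form::set_errors(array(__('Invalid Email')));
        }
        // Strict comparison: '==' treats numeric-looking strings such as
        // '1e3' and '1000' as equal
        elseif (core::post('password1') !== core::post('password2'))
        {
            Form::set_errors(array(__('Passwords do not match')));
        }
        else
        {
            // Check we have this email in the DB
            $user = new Model_User();
            $user = $user->where('email', '=', $email)->limit(1)->find();

            if ($user->loaded())
            {
                Form::set_errors(array(__('User already exists')));
            }
            else
            {
                // Create user
                $user->email = $email;
                $user->name = core::post('name');
                $user->status = Model_User::STATUS_ACTIVE;
                $user->id_role = 1; // normal user
                $user->password = core::post('password1');
                $user->seoname = $user->gen_seo_title(core::post('name'));

                $saved = FALSE;
                try
                {
                    $user->save();
                    $saved = TRUE;
                }
                catch (ORM_Validation_Exception $e)
                {
                    // Previously swallowed, which let an unsaved user be
                    // logged in and mailed; surface the errors instead
                    Form::set_errors($e->errors());
                }
                catch (Exception $e)
                {
                    throw new HTTP_Exception_500($e->getMessage());
                }

                if ($saved)
                {
                    // Login the user
                    Auth::instance()->login($email, core::post('password1'));

                    // Send the welcome email with the quick-login link
                    $user->email('auth.register', array(
                        '[USER.PWD]' => core::post('password1'),
                        '[URL.QL]' => $user->ql('default', NULL, TRUE)
                    ));

                    Alert::set(Alert::SUCCESS, __('Welcome!'));

                    // NOTE(review): 'auth_redirect' is taken from the POST body
                    // unchecked; confirm that redirect() restricts the target to
                    // this site, otherwise a crafted form can send the new user
                    // to an arbitrary URL
                    $this->request->redirect(Core::post('auth_redirect', Route::url('oc-panel')));
                }
            }
        }
    }

    // Template header
    $this->template->title = __('Register new user');
}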
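/**
 * Create a New River
 * Step 1
 *
 * Shows the river-name form. On a POST with a valid 'form_auth_id' CSRF
 * token the river is created under the current user's account and the
 * browser is sent to step 2 (/river/create/open/<id>). Validation and
 * database failures are bound to the view as $errors.
 *
 * @return void
 */
public function action_index()
{
    $this->step_content = View::factory('pages/river/create/name')
        ->bind('post', $post)
        ->bind('errors', $errors);

    // Arr::get() rather than $_POST['form_auth_id']: a POST without the
    // token field previously raised an undefined-index notice instead of
    // simply failing the CSRF check
    if ($_POST and CSRF::valid(Arr::get($_POST, 'form_auth_id')))
    {
        $post = Arr::extract($_POST, array('river_name', 'river_public'));

        try
        {
            $river = Model_River::create_new($post['river_name'], $post['river_public'], $this->user->account);

            // Redirect to the /create/open/<id> to open channels
            $this->request->redirect(URL::site() . $this->account_path . '/river/create/open/' . $river->id);
        }
        catch (ORM_Validation_Exception $e)
        {
            $errors = $e->errors('validation');
        }
        catch (Database_Exception $e)
        {
            // Presumably a unique-key violation on the river name; any other
            // database error is reported with the same message
            $errors = array(__("A river with the name ':name' already exists", array(':name' => $post['river_name'])));
        }
    }
}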
/**
 * Simple registration without password for users arriving from a social
 * provider.
 *
 * The provider name comes from the route 'id' parameter, the provider uid
 * and display name from the query string. On a POST with an e-mail address
 * and a valid 'register_social' CSRF token the user is created with
 * Model_User::create_social(), logged in through the social login and
 * redirected to the default route. An invalid address is reported via
 * Form::set_errors() and the form is shown again.
 *
 * @return void
 */
public function action_register()
{
    $provider = $this->request->param('id');

    $view_data = array(
        'provider' => $provider,
        'uid' => core::get('uid'),
        'name' => core::get('name')
    );
    $this->template->content = View::factory('pages/auth/register-social', $view_data);

    $email = core::post('email');

    if ($email and CSRF::valid('register_social'))
    {
        if (!Valid::email($email, TRUE))
        {
            Form::set_errors(array(__('Invalid Email')));
        }
        else
        {
            // Register the user in DB
            Model_User::create_social($email, core::post('name'), $provider, core::get('uid'));

            // Log him in
            Auth::instance()->social_login($provider, core::get('uid'));

            Alert::set(Alert::SUCCESS, __('Welcome!'));

            // Change the redirect
            $this->redirect(Route::url('default'));
        }
    }

    // Template header
    $this->template->title = __('Register new user');
}
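/**
 * Simple register for user.
 *
 * Renders the registration form. On a POST the fields are validated (name,
 * e-mail, both passwords and their match); when they pass and the
 * 'register' CSRF token is valid, the user is created with
 * Model_User::create_email(), logged in and redirected. Validation errors
 * are shown as alerts; a duplicate e-mail or a bad token as form errors.
 * Logged-in visitors are sent to the panel.
 *
 * @return void
 */
public function action_register()
{
    $this->template->content = View::factory('pages/auth/register');
    $this->template->content->msg = '';

    if (Auth::instance()->logged_in())
    {
        // Already logged in: nothing to register, go home
        $this->redirect(Route::get('oc-panel')->uri());
    }
    elseif ($this->request->post())
    {
        $validation = Validation::factory($this->request->post())
            ->rule('name', 'not_empty')
            ->rule('email', 'not_empty')
            ->rule('email', 'email')
            ->rule('password1', 'not_empty')
            ->rule('password2', 'not_empty')
            ->rule('password1', 'matches', array(':validation', 'password1', 'password2'));

        if (!$validation->check())
        {
            foreach ($validation->errors('auth') as $error)
            {
                Alert::set(Alert::ALERT, $error);
            }
        }
        elseif (!CSRF::valid('register'))
        {
            // Previously a bad token fell through silently and the form
            // re-rendered with no explanation
            Form::set_errors(array(__('This form has expired. Please try submitting it again.')));
        }
        else
        {
            $email = core::post('email');

            // Check we have this email in the DB
            $user = new Model_User();
            $user = $user->where('email', '=', $email)->limit(1)->find();

            if ($user->loaded())
            {
                Form::set_errors(array(__('User already exists')));
            }
            else
            {
                // Creating the user
                $user = Model_User::create_email($email, core::post('name'), core::post('password1'));

                // Login the user
                Auth::instance()->login($email, core::post('password1'));

                Alert::set(Alert::SUCCESS, __('Welcome!'));

                // NOTE(review): 'auth_redirect' comes from the POST body unchecked;
                // confirm that redirect() limits the target to this site
                $this->redirect(Core::post('auth_redirect', Route::url('oc-panel')));
            }
        }
    }

    // Template header
    $this->template->title = __('Register new user');
    $this->template->meta_description = __('Create a new profile at') . ' ' . Core::config('general.site_name');
}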
/**
 * 2step verification form.
 *
 * Only reachable by a logged-in user while 'general.google_authenticator'
 * is enabled; otherwise the visitor is sent to the panel. A user with no
 * authenticator secret, or whose 'google_authenticator' cookie already
 * holds their id, is sent to the panel as well. On a POST with a code and
 * a valid '2step' CSRF token the code is verified against the user's
 * secret (tolerance of 2 intervals); success stores the user id in the
 * cookie for 'auth.lifetime' and performs the post-login redirect,
 * failure reports 'Invalid Code'.
 *
 * @return void
 */
public function action_2step()
{
    $auth = Auth::instance();

    // 2step disabled or trying to access directly
    if (!$auth->logged_in() or Core::config('general.google_authenticator') == FALSE)
    {
        $this->redirect(Route::get('oc-panel')->uri());
    }

    // Template header
    $this->template->title = __('2 Step Authentication');
    $this->template->content = View::factory('pages/auth/2step');

    $user = $this->user;

    // Device already verified via cookie, or 2step not set up for this account
    if ($auth->logged_in() and (Cookie::get('google_authenticator') == $user->id_user or $user->google_authenticator == ''))
    {
        $this->redirect(Route::get('oc-panel')->uri());
    }
    elseif (core::post('code') and CSRF::valid('2step'))
    {
        // Load library
        require Kohana::find_file('vendor', 'GoogleAuthenticator');
        $ga = new PHPGangsta_GoogleAuthenticator();

        if (!$ga->verifyCode($user->google_authenticator, core::post('code'), 2))
        {
            Form::set_errors(array(__('Invalid Code')));
        }
        else
        {
            // Remember this device for the auth lifetime
            Cookie::set('google_authenticator', $user->id_user, Core::config('auth.lifetime'));

            // Redirect to the url we wanted to see
            $auth->login_redirect();
        }
    }
}
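/**
 * Returns TRUE if the POST has a valid CSRF
 *
 * Usage:<br>
 * <code>
 * if ($this->valid_post('upload_photo')) { ... }
 * </code>
 *
 * Every failure that has a user-facing explanation leaves it in
 * $this->_errors keyed by the offending field ('_action', '_token' or
 * '_captcha'). A missing token/action pair returns FALSE without a message.
 *
 * @param string|NULL $submit  Submit value [Optional]
 * @return boolean  Return TRUE if it's valid $_POST
 *
 * @uses Request::is_post
 * @uses Request::post_max_size_exceeded
 * @uses Request::get_post_max_size
 * @uses Request::post
 * @uses Message::error
 * @uses CSRF::valid
 * @uses Captcha::valid
 */
public function valid_post($submit = NULL)
{
    if (!$this->request->is_post())
    {
        return FALSE;
    }

    if (Request::post_max_size_exceeded())
    {
        $this->_errors = array('_action' => __('Max file size of :max Bytes exceeded!', array(':max' => Request::get_post_max_size())));
        return FALSE;
    }

    // When a submit button name is given, the form must carry it
    if (!is_null($submit) && !isset($_POST[$submit]))
    {
        $this->_errors = array('_action' => __('This form has altered. Please try submitting it again.'));
        return FALSE;
    }

    $_token = $this->request->post('_token');
    $_action = $this->request->post('_action');

    // '&&' rather than 'and': 'and' binds looser than '=', so the original
    // assigned only !empty($_token) and never looked at $_action
    $has_csrf = !empty($_token) && !empty($_action);
    $valid_csrf = CSRF::valid($_token, $_action);

    if ($has_csrf && !$valid_csrf)
    {
        // CSRF was submitted but expired
        $this->_errors = array('_token' => __('This form has expired. Please try submitting it again.'));
        return FALSE;
    }

    if (isset($_POST['_captcha']))
    {
        $captcha = $this->request->post('_captcha');

        if (empty($captcha))
        {
            // Captcha answer was not entered
            $this->_errors = array('_captcha' => __('The security code can\'t be empty.'));
            return FALSE;
        }
        elseif (!Captcha::valid($captcha))
        {
            $this->_errors = array('_captcha' => __('The security answer was wrong.'));
            return FALSE;
        }
    }

    // Both the token pair and its validity are required
    return $has_csrf && $valid_csrf;
}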
/**
 * Log User In
 *
 * Renders the login page and handles two kinds of POST:
 *  - 'recover_email' (+ 'form_auth_id'): starts a password reset for a
 *    registered address;
 *  - 'username' + 'password' (+ 'form_auth_id', optional 'remember'):
 *    logs the user in and redirects.
 * Messages/errors stashed in the session under 'system_messages' and
 * 'system_errors' are shown once. An already logged-in user is sent to
 * the dashboard.
 *
 * @return void
 */
public function action_index()
{
    $this->template->content->active = 'login';
    $this->template->content->sub_content = View::factory('pages/login/main')->bind('messages', $this->messages)->bind('errors', $this->errors)->bind('referrer', $referrer);

    if ($this->user)
    {
        $this->request->redirect($this->dashboard_url);
    }

    // Get the referring URL
    $referrer = $this->request->query('redirect_to') ? $this->request->query('redirect_to') : NULL;

    // Check for system messages (one-shot: removed from the session on read)
    $session = Session::instance();
    $messages = $session->get_once('system_messages');
    if ($messages)
    {
        $this->messages = $messages;
    }

    $errors = $session->get_once('system_errors');
    if ($errors)
    {
        $this->errors = $errors;
    }

    // Password reset request
    if ($this->request->post('recover_email'))
    {
        $email = $this->request->post('recover_email');
        $csrf_token = $this->request->post('form_auth_id');

        // A failed CSRF check is reported with the same message as a bad
        // address, so the user is not told which of the two was wrong
        if (!Valid::email($email) or !CSRF::valid($csrf_token))
        {
            $this->errors = array(__('The email address you have provided is invalid'));
        }
        else
        {
            // Is the email registered in this site?
            $user = ORM::factory('user', array('email' => $email));

            if (!$user->loaded())
            {
                $this->errors = array(__('The provided email address is not registered'));
            }
            else
            {
                $messages = Model_User::password_reset($email, $this->riverid_auth);

                // Display the messages
                if (isset($messages['errors']))
                {
                    $this->errors = $messages['errors'];
                }
                if (isset($messages['messages']))
                {
                    $this->messages = $messages['messages'];
                }
            }
        }
    }

    // Check, has the form been submitted, if so, setup validation
    if ($this->request->post('username') and $this->request->post('password'))
    {
        // Validate the form token
        if (CSRF::valid($this->request->post('form_auth_id')))
        {
            $username = $this->request->post('username');
            $password = $this->request->post('password');

            // Check Auth if the post data validates using the rules setup in the user model
            if (Auth::instance()->login($username, $password, $this->request->post('remember') == 1))
            {
                // Always redirect after a successful POST to prevent refresh warnings
                // First check if a referrer was provided in the post parameters
                // and if not provided, use the referrer from the request otherwise
                // just redirect to the user profile if the above are not found or do
                // not point to a url in this site
                $redirect_to = $this->request->post('referrer');
                $redirect_to = $redirect_to ? $redirect_to : $this->request->referrer();

                // Open-redirect guard: the target must start with this site's
                // base URL (strpos() === 0); anything else falls back to the
                // user's own account page
                if (!$redirect_to or strpos($redirect_to, URL::base($this->request)) === FALSE or strpos($redirect_to, URL::base($this->request)) != 0)
                {
                    $user = Auth::instance()->get_user();
                    $redirect_to = URL::site() . $user->account->account_path;
                }

                $this->request->redirect($redirect_to);
            }
            else
            {
                $this->template->content->set('username', $username);

                // Get errors for display in view
                $validation = Validation::factory($this->request->post())->rule('username', 'not_empty')->rule('password', 'not_empty');

                // Both fields were present, so the only remaining explanation
                // is bad credentials
                if ($validation->check())
                {
                    $validation->error('password', 'invalid');
                }

                $this->errors = $validation->errors('login');
            }
        }
        else
        {
            // Show invalid request message
            // NOTE(review): the rejected token value itself is written to the
            // log; consider recording only that a token was rejected
            Kohana::$log->add(Log::ERROR, "Invalid CSRF token :token", array(':token' => $this->request->post('form_auth_id')));
        }
    }
}
/**
 * Account settings
 *
 * Only the account owner may view this page; anyone else is redirected to
 * the dashboard. On a POST with a valid 'form_auth_id' CSRF token either
 * the profile is updated (no 'current_password' field present) or the
 * password is changed ('current_password' present). Messages stored in
 * the session under 'messages' are handed to the view and then cleared.
 *
 * @return void
 */
public function action_settings()
{
    if (!$this->owner)
    {
        $this->redirect($this->dashboard_url, 302);
    }

    $this->template->content->show_navigation = FALSE;

    // Set the current page
    $this->active = 'settings-navigation-link';
    $this->template->content->view_type = 'settings';

    $settings_js = View::factory('pages/user/js/settings');
    $settings_js->user = $this->user;
    $this->template->header->js = $settings_js;

    $this->sub_content = View::factory('pages/user/settings')
        ->bind('user', $this->user)
        ->bind('errors', $this->errors);

    $is_post = $this->request->method() === 'POST';

    // Token is only checked for POSTs (short-circuit)
    if ($is_post and CSRF::valid($this->request->post('form_auth_id')))
    {
        if (isset($_POST['current_password']))
        {
            // The change password form has been submitted
            $this->account_service->change_password($this->user['id'], $_POST);
        }
        else
        {
            // Profile form: replace the cached account on success
            $account = $this->account_service->update_account($this->user['id'], $_POST);
            if ($account)
            {
                $this->user = $account;
                $this->visited_account = $account;
            }
        }
    }

    // Hand one-shot messages to the view and clear them
    $session = Session::instance();
    $this->sub_content->messages = $session->get('messages');
    $session->delete('messages');
}
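/**
 * REST endpoint for sharing droplets via email
 *
 * Accepts only HTTP POST. Reads recipient, subject and body (max 300
 * chars) from $_POST and the CSRF token from the X-CSRF-Token header.
 * A bad token or a failed validation answers with HTTP 400; otherwise the
 * body, tagged with the sharing user's username, is mailed to the
 * recipient.
 *
 * @return void
 * @throws HTTP_Exception_405  for non-POST requests
 */
public function action_share()
{
    // No view: this endpoint only yields a status code
    $this->template = '';
    $this->auto_render = FALSE;

    // Decide on the request method rather than on $_POST being non-empty,
    // so an empty POST is rejected by validation (400) instead of as a
    // wrong method
    if ($this->request->method() !== 'POST')
    {
        throw new HTTP_Exception_405("Only HTTP POST requests are allowed");
    }

    // Extract the input data
    $post = Arr::extract($_POST, array('recipient', 'subject', 'body'));
    $csrf_token = $this->request->headers('x-csrf-token');

    // Setup validation
    $validation = Validation::factory($post)
        ->rule('recipient', 'not_empty')
        ->rule('recipient', 'email')
        ->rule('subject', 'not_empty')
        ->rule('body', 'not_empty')
        ->rule('body', 'max_length', array(':value', 300));

    // Reject when EITHER check fails. The original used 'and', which let a
    // request with a bad CSRF token through as long as the fields validated
    // (and a request with bad fields through as long as the token was good)
    if (!CSRF::valid($csrf_token) or !$validation->check())
    {
        $this->response->status(400);
        return;
    }

    // Tag the body with the sharing user so the recipient knows the source
    $mail_body = __(":body \n\nShared by :sender", array(':body' => $post['body'], ':sender' => $this->user->username));

    // Send the email
    Swiftriver_Mail::send($post['recipient'], $post['subject'], $mail_body);
}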
/**
 * Reset account password
 *
 * Requires 'email' and 'token' query parameters (otherwise redirects to
 * /login). On a POST with a valid 'form_auth_id' CSRF token the new
 * password and its confirmation are handed to the account service together
 * with those two parameters; success flashes a message and redirects to
 * the login page, any failure flashes a message and reloads this URI.
 *
 * @return void
 */
public function action_reset_password()
{
    // Both the email and the token must arrive in the query string
    if (!isset($_GET['email']) or !isset($_GET['token']))
    {
        $this->redirect('/login');
    }

    $this->template->content = View::factory('pages/login/reset_password')
        ->bind('messages', $this->messages)
        ->bind('errors', $this->errors)
        ->bind('referrer', $referrer);

    // Only a token-bearing POST is processed; the token is not checked for GETs
    if ($this->request->method() != 'POST' or !CSRF::valid($this->request->post('form_auth_id')))
    {
        return;
    }

    // Failure paths all come back to this page
    $self_uri = URL::site($this->request->uri());

    try
    {
        // Marshall the submitted data
        $reset_data = array(
            'email' => $this->request->query('email'),
            'token' => $this->request->query('token'),
            'password' => $this->request->post('password'),
            'password_confirm' => $this->request->post('password_confirm')
        );

        // Reset the password
        if ($this->account_service->reset_password($reset_data))
        {
            Swiftriver_Messages::add_message('success', __('Success'), __('Password reset successfully.'), FALSE);
            $this->redirect(URL::site('login'), 302);
        }
        else
        {
            $this->redirect($self_uri, 302);
        }
    }
    catch (SwiftRiver_API_Exception_BadRequest $e)
    {
        foreach ($e->get_errors() as $error)
        {
            // An invalid token is the only API error given a specific message
            $message = ($error['field'] == 'token' and $error['code'] == 'invalid')
                ? __('Account not found.')
                : "Error";

            Swiftriver_Messages::add_message('failure', __('Failure'), $message, FALSE);
        }

        $this->redirect($self_uri, 302);
    }
    catch (SwiftRiver_API_Exception_NotFound $e)
    {
        Swiftriver_Messages::add_message('failure', __('Failure'), __('There is no account registered with that email address.'), FALSE);

        // Stash submitted values in the session. NOTE(review): only
        // 'password'/'password_confirm' are read from this form above, so
        // these three fields may be left over from a registration form — verify
        foreach (array('fullname', 'email', 'username') as $field)
        {
            $this->session->set($field, $this->request->post($field));
        }

        $this->redirect($self_uri, 302);
    }
}