public function authControl() { $this->disableCaching(); $this->addHeaderJavaScript('assets/js/jqBootstrapValidation.js'); $this->addHeaderJavaScript('assets/js/validate-fields.js'); $this->addHeaderJavaScript('assets/js/jstz-1.0.4.min.js'); $owner_dao = DAOFactory::getDAO('OwnerDAO'); $invite_dao = DAOFactory::getDAO('InviteDAO'); $owner = $owner_dao->getByEmail($this->getLoggedInUser()); $this->addToView('owner', $owner); $this->addToView('notification_options', $this->notification_frequencies); $this->addToView('tz_list', Installer::getTimeZoneList()); $this->view_mgr->addHelp('api', 'userguide/api/posts/index'); $this->view_mgr->addHelp('application_settings', 'userguide/settings/application'); $this->view_mgr->addHelp('users', 'userguide/settings/allaccounts'); $this->view_mgr->addHelp('backup', 'install/backup'); $this->view_mgr->addHelp('account', 'userguide/settings/account'); //process password change if (isset($_POST['changepass']) && $_POST['changepass'] == 'Change password' && isset($_POST['oldpass']) && isset($_POST['pass1']) && isset($_POST['pass2'])) { // Check their old password is correct if (!$owner_dao->isOwnerAuthorized($this->getLoggedInUser(), $_POST['oldpass'])) { $this->addErrorMessage("Password is incorrect.", 'password'); } elseif ($_POST['pass1'] != $_POST['pass2']) { $this->addErrorMessage("New passwords did not match. Your password has not been changed.", 'password'); } elseif (!preg_match("/(?=.{8,})(?=.*[a-zA-Z])(?=.*[0-9])/", $_POST['pass1'])) { $this->addErrorMessage("Your new password must be at least 8 characters and contain both numbers " . "and letters. Your password has not been changed.", 'password'); } else { // verify CSRF token $this->validateCSRFToken(); // Try to update the password if ($owner_dao->updatePassword($this->getLoggedInUser(), $_POST['pass1']) < 1) { $this->addErrorMessage("Your password has NOT been updated.", 'password'); } else { $this->addSuccessMessage("Your password has been updated.", 'password'); } } } //reset api_key if (isset($_POST['reset_api_key']) && $_POST['reset_api_key'] == 'Reset API Key') { $this->validateCSRFToken(); $api_key = $owner_dao->resetAPIKey($owner->id); if (!$api_key) { throw new Exception("Unbale to update user's api_key, something bad must have happened"); } $this->addSuccessMessage("Your API Key has been reset! Please update your ThinkUp RSS feed subscription.", 'api_key'); $owner->api_key = $api_key; } // process invite if (isset($_POST['invite']) && $_POST['invite'] == 'Create Invitation') { // verify CSRF token $this->validateCSRFToken(); $invite_code = substr(md5(uniqid(rand(), true)), 0, 10); $invite_added = $invite_dao->addInviteCode($invite_code); if ($invite_added == 1) { //invite generated and inserted $invite_link = Utils::getApplicationURL() . 'session/register.php?code=' . $invite_code; $this->addSuccessMessage("Invitation created!<br />Copy this link and send it to someone you want to " . 'invite to register on your ThinkUp installation.<br /><a href="' . $invite_link . '" id="clippy_12345">' . $invite_link . '</a> <object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" width="100" height="14" class="clippy" id="clippy" > <param name="movie" value="' . Utils::getApplicationURL() . 'assets/flash/clippy.swf"/> <param name="allowScriptAccess" value="always" /> <param name="quality" value="high" /> <param name="scale" value="noscale" /> <param NAME="FlashVars" value="id=clippy_12345&copied=copied!&copyto=copy to clipboard"> <param name="bgcolor" value="#D5F0FC"> <param name="wmode" value="opaque"> <embed src="' . Utils::getApplicationURL() . 'assets/flash/clippy.swf" width="100" height="14" name="clippy" quality="high" allowScriptAccess="always" type="application/x-shockwave-flash" pluginspage="http://www.macromedia.com/go/getflashplayer" FlashVars="id=clippy_12345&copied=copied!&copyto=copy to clipboard" bgcolor="#dff0d8" wmode="opaque"/></object> <br /> Good for one new registration. Expires in 7 days.', 'invite', true); } else { $this->addErrorMessage("There was an error creating a new invite. Please try again.", 'invite'); } } //process service user deletion if (isset($_POST['action']) && $_POST['action'] == 'Delete' && isset($_POST['instance_id']) && is_numeric($_POST['instance_id']) && !isset($_POST['hashtag_id']) && !isset($_POST['new_hashtag_name'])) { $owner_instance_dao = DAOFactory::getDAO('OwnerInstanceDAO'); $instance_dao = DAOFactory::getDAO('InstanceDAO'); $instancehashtag_dao = DAOFactory::getDAO('InstanceHashtagDAO'); $hashtagpost_dao = DAOFactory::getDAO('HashtagPostDAO'); $hashtag_dao = DAOFactory::getDAO('HashtagDAO'); $instance = $instance_dao->get($_POST['instance_id']); $message = ''; if (isset($instance)) { // verify CSRF token $this->validateCSRFToken(); if ($this->isAdmin()) { //Retrieve this instance's saved searches $instances_hashtags = $instancehashtag_dao->getByInstance($instance->id); $deleted_searches = 0; foreach ($instances_hashtags as $instance_hashtag) { $hashtag_id = $instance_hashtag->hashtag_id; $deleted_searches += $instancehashtag_dao->delete($instance_hashtag->instance_id, $hashtag_id); //Continue deletions if no other owner has saved this search if (!$instancehashtag_dao->isHashtagSaved($hashtag_id)) { $deleted_searchposts = $hashtagpost_dao->deleteHashtagsPostsByHashtagID($hashtag_id); $deleted_hashtag = $hashtag_dao->deleteHashtagByID($hashtag_id); } } //delete all owner_instances $owner_instance_dao->deleteByInstance($instance->id); //delete instance $instance_dao->delete($instance->network_username, $instance->network); $this->addSuccessMessage('Account ' . ($deleted_searches > 0 ? 'and its saved searches ' : '') . 'deleted.', 'account'); } else { if ($owner_instance_dao->doesOwnerHaveAccessToInstance($owner, $instance)) { //delete owner instance $total_deletions = $owner_instance_dao->delete($owner->id, $instance->id); if ($total_deletions > 0) { //delete instance if no other owners have it $remaining_owner_instances = $owner_instance_dao->getByInstance($instance->id); $deleted_searches = 0; if (sizeof($remaining_owner_instances) == 0) { //Retrieve this instance's saved searches $instances_hashtags = $instancehashtag_dao->getByInstance($instance->id); foreach ($instances_hashtags as $instance_hashtag) { $hashtag_id = $instance_hashtag->hashtag_id; $deleted_searches += $instancehashtag_dao->delete($instance_hashtag->instance_id, $hashtag_id); //Continue deletions if no other owner has saved this search if (!$instancehashtag_dao->isHashtagSaved($hashtag_id)) { $deleted_searchposts = $hashtagpost_dao->deleteHashtagsPostsByHashtagID($hashtag_id); $deleted_hashtag = $hashtag_dao->deleteHashtagByID($hashtag_id); } } $instance_dao->delete($instance->network_username, $instance->network); } $this->addSuccessMessage('Account ' . ($deleted_searches > 0 ? 'and its saved searches ' : '') . 'deleted.', 'account'); } } else { $this->addErrorMessage('Insufficient privileges.', 'account'); } } } else { $this->addErrorMessage('Instance doesn\'t exist.', 'account'); } } //process hashtag deletion if (isset($_POST['action']) && $_POST['action'] == 'Delete' && isset($_POST['hashtag_id']) && is_numeric($_POST['hashtag_id']) && isset($_POST['instance_id']) && is_numeric($_POST['instance_id'])) { $instancehashtag_dao = DAOFactory::getDAO('InstanceHashtagDAO'); $hashtag_dao = DAOFactory::getDAO('HashtagDAO'); $hashtagpost_dao = DAOFactory::getDAO('HashtagPostDAO'); $hashtag_id = $_POST['hashtag_id']; $instance_id = $_POST['instance_id']; $instance_dao = DAOFactory::getDAO('InstanceDAO'); $instance = $instance_dao->get($instance_id); if (isset($instance)) { $instances_hashtags_deleted = $instancehashtag_dao->delete($instance_id, $hashtag_id); if (!$instancehashtag_dao->isHashtagSaved($hashtag_id)) { $deleted_searchposts = $hashtagpost_dao->deleteHashtagsPostsByHashtagID($hashtag_id); $deleted_hashtag = $hashtag_dao->deleteHashtagByID($hashtag_id); } $message = "Deleted saved search."; $this->addSuccessMessage($message, 'account'); } else { $this->addErrorMessage('Instance doesn\'t exist.', 'account'); } } //process service user hashtag addition if (isset($_POST['action']) && $_POST['action'] == 'Save search' && isset($_POST['new_hashtag_name']) && $_POST['new_hashtag_name'] != '' && isset($_POST['instance_id']) && is_numeric($_POST['instance_id'])) { $instancehashtag_dao = DAOFactory::getDAO('InstanceHashtagDAO'); $hashtag_dao = DAOFactory::getDAO('HashtagDAO'); $instance_id = $_POST['instance_id']; $new_hashtag_name = $_POST['new_hashtag_name']; //Check if $new_hashtag_name is an individual word (no spaces) if (strpos($new_hashtag_name, " ") === false) { $instance_dao = DAOFactory::getDAO('InstanceDAO'); $instance = $instance_dao->get($instance_id); if (isset($instance)) { $hashtag = $hashtag_dao->getHashtag($new_hashtag_name, $instance->network); if (!isset($hashtag)) { $hashtag_id = $hashtag_dao->insertHashtag($new_hashtag_name, $instance->network); $row_inserted = $instancehashtag_dao->insert($instance_id, $hashtag_id); $message = "Saved search for " . $new_hashtag_name . "."; $this->addSuccessMessage($message, 'account'); } else { $row_inserted = $instancehashtag_dao->insert($instance_id, $hashtag->id); $message = "Saved search for " . $new_hashtag_name . "."; $this->addSuccessMessage($message, 'account'); } } else { $this->addErrorMessage('Instance doesn\'t exist.', 'account'); } } else { $this->addErrorMessage('You can only search for an individual keyword or hashtag, not a phrase. ' . 'Please try again.', 'account'); } } //process change to notification frequency if (isset($_POST['updatefrequency'])) { $this->validateCSRFToken(); $new_freq = isset($_POST['notificationfrequency']) ? $_POST['notificationfrequency'] : null; $updates = 0; if ($new_freq && isset($this->notification_frequencies[$new_freq])) { $updates = $owner_dao->setEmailNotificationFrequency($this->getLoggedInUser(), $new_freq); } if ($updates > 0) { // Update the user in the view to match $owner->email_notification_frequency = $new_freq; $this->addToView('owner', $owner); $this->addSuccessMessage('Your email notification frequency has been updated.', 'notifications'); } } //process change to timezone if (isset($_POST['updatetimezone'])) { $this->validateCSRFToken(); $new_tz = isset($_POST['timezone']) ? $_POST['timezone'] : null; $updates = 0; if (isset($new_tz)) { $possible_timezones = timezone_identifiers_list(); if (in_array($new_tz, $possible_timezones)) { $updates = $owner_dao->setTimezone($this->getLoggedInUser(), $new_tz); } } if ($updates > 0) { // Update the user in the view to match $owner->timezone = $new_tz; $this->addToView('owner', $owner); $this->addSuccessMessage('Your time zone has been saved.', 'timezone'); } } $this->view_mgr->clear_all_cache(); /* Begin plugin-specific configuration handling */ if (isset($_GET['p']) && !isset($_GET['u'])) { // add config js to header if ($this->isAdmin()) { $this->addHeaderJavaScript('assets/js/plugin_options.js'); } $active_plugin = $_GET['p']; $webapp_plugin_registrar = PluginRegistrarWebapp::getInstance(); $pobj = $webapp_plugin_registrar->getPluginObject($active_plugin); $p = new $pobj(); $this->addToView('body', $p->renderConfiguration($owner)); $this->addToView('force_plugin', true); $profiler = Profiler::getInstance(); $profiler->clearLog(); } elseif (isset($_GET['p']) && isset($_GET['u']) && isset($_GET['n'])) { if ($this->isAdmin()) { $this->addHeaderJavaScript('assets/js/plugin_options.js'); } $active_plugin = $_GET['p']; $instance_username = $_GET['u']; $instance_network = $_GET['n']; $webapp_plugin_registrar = PluginRegistrarWebapp::getInstance(); $pobj = $webapp_plugin_registrar->getPluginObject($active_plugin); $p = new $pobj(); $this->addToView('body', $p->renderInstanceConfiguration($owner, $instance_username, $instance_network)); $this->addToView('force_plugin', true); $profiler = Profiler::getInstance(); $profiler->clearLog(); } $plugin_dao = DAOFactory::getDAO('PluginDAO'); $config = Config::getInstance(); $installed_plugins = $plugin_dao->getInstalledPlugins(); $this->addToView('installed_plugins', $installed_plugins); /* End plugin-specific configuration handling */ if ($owner->is_admin) { if (!isset($instance_dao)) { $instance_dao = DAOFactory::getDAO('InstanceDAO'); } $owners = $owner_dao->getAllOwners(); foreach ($owners as $o) { $instances = $instance_dao->getByOwner($o, true); $o->setInstances($instances); } $this->addToView('owners', $owners); $this->addToView('public_instances', $instance_dao->getPublicInstances()); } $whichphp = @exec('which php'); $php_path = !empty($whichphp) ? $whichphp : 'php'; $email = $this->getLoggedInUser(); //rss_crawl_url $rss_crawl_url = Utils::getApplicationURL() . sprintf('crawler/rss.php?un=%s&as=%s', urlencode($email), $owner->api_key); $this->addToView('rss_crawl_url', $rss_crawl_url); //cli_crawl_command $cli_crawl_command = 'cd ' . THINKUP_WEBAPP_PATH . 'crawler/;export THINKUP_PASSWORD=yourpassword; ' . $php_path . ' crawl.php ' . $email; $this->addToView('cli_crawl_command', $cli_crawl_command); //help link $this->view_mgr->addHelp('rss', 'userguide/datacapture'); return $this->generateView(); }
/** * Step 3 - Populate database and finish */ private function step3() { $this->setViewTemplate('install.step3.tpl'); $config_file_exists = false; $config_file = THINKUP_WEBAPP_PATH . 'config.inc.php'; // make sure we are here with posted data if (empty($_POST)) { $this->step1(); return; } // check if we have made config.inc.php if (file_exists($config_file) && filesize($config_file) > 0) { // this is could be from step 2 is not able writing // to webapp dir $config_file_exists = true; require $config_file; $db_config['db_type'] = $THINKUP_CFG['db_type']; $db_config['db_name'] = $THINKUP_CFG['db_name']; $db_config['db_user'] = $THINKUP_CFG['db_user']; $db_config['db_password'] = $THINKUP_CFG['db_password']; $db_config['db_host'] = $THINKUP_CFG['db_host']; $db_config['db_socket'] = $THINKUP_CFG['db_socket']; $db_config['db_port'] = $THINKUP_CFG['db_port']; $db_config['table_prefix'] = $THINKUP_CFG['table_prefix']; $db_config['timezone'] = $THINKUP_CFG['timezone']; $email = trim($_POST['site_email']); } else { // make sure we're not from error or couldn't write config.inc.php if (!isset($_POST['db_user']) && !isset($_POST['db_passwd']) && !isset($_POST['db_name']) && !isset($_POST['db_host'])) { $this->addErrorMessage("Missing database credentials"); $this->step2(); return; } // trim each posted value $db_config['db_type'] = trim(@$_POST['db_type']); $db_config['db_name'] = trim($_POST['db_name']); $db_config['db_user'] = trim($_POST['db_user']); $db_config['db_password'] = trim($_POST['db_passwd']); $db_config['db_host'] = trim($_POST['db_host']); $db_config['db_socket'] = trim($_POST['db_socket']); $db_config['db_port'] = trim($_POST['db_port']); $db_config['table_prefix'] = trim($_POST['db_prefix']); $db_config['timezone'] = trim($_POST['timezone']); $email = trim($_POST['site_email']); } $db_config['db_type'] = 'mysql'; //default for now $password = $_POST['password']; $confirm_password = $_POST['confirm_password']; $full_name = $_POST['full_name']; $display_errors = false; // check email if (!Utils::validateEmail($email)) { $this->addErrorMessage("Please enter a valid email address.", "email"); $display_errors = true; } if ($password != $confirm_password || $password == '' || !preg_match("/(?=.{8,})(?=.*[a-zA-Z])(?=.*[0-9])/", $password)) { //check password if ($password != $confirm_password) { $this->addErrorMessage("Your passwords did not match.", "password"); } else { if ($password == '') { $this->addErrorMessage("Please choose a password.", "password"); } else { if (!preg_match("/(?=.{8,})(?=.*[a-zA-Z])(?=.*[0-9])/", $password)) { $this->addErrorMessage("Password must be at least 8 characters and contain both numbers and letters.", "password"); } } } $display_errors = true; } if ($_POST['db_name'] == '') { $this->addErrorMessage("Please enter a database name.", "database_name"); $display_errors = true; } if ($_POST['db_host'] == '') { $this->addErrorMessage("Please enter a database host.", "database_host"); $display_errors = true; } if ($_POST['timezone'] == '') { $this->addErrorMessage("Please select a time zone.", "timezone"); $display_errors = true; } if (($error = $this->installer->checkDb($db_config)) !== true) { //check db if (($p = strpos($error->getMessage(), "Unknown MySQL server host")) !== false || ($p = strpos($error->getMessage(), "Can't connect to MySQL server")) !== false || ($p = strpos($error->getMessage(), "Can't connect to local MySQL server through socket")) !== false || ($p = strpos($error->getMessage(), "Access denied for user")) !== false) { $db_error = substr($error->getMessage(), $p); } else { $db_error = $error->getMessage(); } $disable_xss = true; $db_error = filter_var($db_error, FILTER_SANITIZE_SPECIAL_CHARS); $this->addErrorMessage("ThinkUp couldn't connect to your database. The error message is:<br /> " . " <strong>{$db_error}</strong><br />Please correct your database information and try again.", "database", $disable_xss); $display_errors = true; } if ($display_errors) { $this->setViewTemplate('install.step2.tpl'); $this->addToView('db_name', $db_config['db_name']); $this->addToView('db_user', $db_config['db_user']); $this->addToView('db_passwd', $db_config['db_password']); $this->addToView('db_host', $db_config['db_host']); $this->addToView('db_prefix', $db_config['table_prefix']); $this->addToView('db_socket', $db_config['db_socket']); $this->addToView('db_port', $db_config['db_port']); $this->addToView('db_type', $db_config['db_type']); $this->addToView('current_tz', $_POST['timezone']); $this->addToView('tz_list', Installer::getTimeZoneList()); $this->addToView('site_email', $email); $this->addToView('full_name', $full_name); return; } $admin_user = array('email' => $email, 'password' => $password, 'confirm_password' => $confirm_password); // trying to create config file if (!$config_file_exists && !$this->installer->createConfigFile($db_config, $admin_user)) { $config_file_contents_arr = $this->installer->generateConfigFile($db_config, $admin_user); $config_file_contents_str = ''; foreach ($config_file_contents_arr as $line) { $config_file_contents_str .= htmlentities($line); } $whoami = @exec('whoami'); $disable_xss = true; if (!empty($whoami)) { $whoami = filter_var($whoami, FILTER_SANITIZE_SPECIAL_CHARS); $this->addErrorMessage("ThinkUp couldn't write the <code>config.inc.php</code> file.<br /><br />" . "Use root (or sudo) to create the file manually, and allow PHP to write to it, by executing the " . "following commands:<br /><code>sudo touch " . escapeshellcmd(THINKUP_WEBAPP_PATH . "config.inc.php") . "</code><br /><code>sudo chown {$whoami} " . escapeshellcmd(THINKUP_WEBAPP_PATH . "config.inc.php") . "</code><br /><br />If you don't have root access, create the <code>" . THINKUP_WEBAPP_PATH . "config.inc.php</code> file, show the contents of your config file below," . " and copy and paste the text into the <code>config.inc.php</code> file.", null, $disable_xss); } else { $this->addErrorMessage("ThinkUp couldn't write the <code>config.inc.php</code> file.<br /><br />" . "You will need to create the <code>" . THINKUP_WEBAPP_PATH . "config.inc.php</code> file manually, and paste the following text into it.", null, $disable_xss); } $this->addToView('config_file_contents', $config_file_contents_str); $this->addToView('_POST', $_POST); $this->setViewTemplate('install.config.tpl'); return; } unset($admin_user['confirm_password']); // check tables $this->installer->checkTable($db_config); // if empty, we're ready to populate the database with ThinkUp tables $this->installer->populateTables($db_config); //Set the application server name in app settings for access by command-line scripts Installer::storeServerName(); $owner_dao = DAOFactory::getDAO('OwnerDAO', $db_config); if (!$owner_dao->doesAdminExist() && !$owner_dao->doesOwnerExist($email)) { // create admin if not exists $activation_code = $owner_dao->createAdmin($email, $password, $full_name); // view for email $cfg_array = array('site_root_path' => Utils::getSiteRootPathFromFileSystem(), 'source_root_path' => THINKUP_ROOT_PATH, 'debug' => false, 'app_title_prefix' => "", 'cache_pages' => false); $email_view = new ViewManager($cfg_array); $email_view->caching = false; $email_view->assign('application_url', Utils::getApplicationURL()); $email_view->assign('email', urlencode($email)); $email_view->assign('activ_code', $activation_code); $message = $email_view->fetch('_email.registration.tpl'); Mailer::mail($email, "Activate Your New ThinkUp Account", $message); } else { $email = 'Use your old email admin'; $password = '******'; } unset($THINKUP_CFG); $this->addToView('errors', $this->installer->getErrorMessages()); $this->addToView('username', $email); $this->addToView('password', $password); $this->addToView('login_url', Utils::getSiteRootPathFromFileSystem() . 'session/login.php'); }