public function testHash()
{
$this->assertEquals("5d41402abc4b2a76b9719d911017c592", Security::hash("hello", Security::HASHTYPE_MD5));
$this->assertEquals("49f68a5c8493ec2c0bf489821c21fc3b", Security::hash("hi", Security::HASHTYPE_MD5));
$this->assertStringStartsWith('$2a$08$', Security::hash("hello"));
$this->assertStringStartsWith('$2a$08$', Security::hash("hello", Security::HASHTYPE_PHPASS));
}
protected function body()
{
if (!$this->isInputValid(['resetLink' => 'isNotEmpty', 'pass' => 'isNotEmpty'])) {
return false;
}
$resetLink = $this->getParams('resetLink');
if (strlen($resetLink) < 1) {
// We double-check here. This should not be necessary because the isInputValid function takes care of this.
// However, if there is a bug in isInputValid that causes the check to be skipped,
// this will allow the user to change the password of the first user with no resetLink active.
// This could plausibly be the administrator.
return $this->death(StringID::HackerError);
}
$encryptionType = Security::HASHTYPE_PHPASS;
$newPassword = $this->getParams('pass');
$newPasswordHash = Security::hash($newPassword, $encryptionType);
$usersWithThisResetLink = Repositories::getRepository(Repositories::User)->findBy(['resetLink' => $resetLink]);
if (count($usersWithThisResetLink) !== 1) {
return $this->death(StringID::ResetLinkDoesNotExist);
}
/**
* @var $user \User
*/
$user = $usersWithThisResetLink[0];
if ($user->getResetLinkExpiry() < new \DateTime()) {
return $this->death(StringID::ResetLinkExpired);
}
$user->setResetLink('');
$user->setPass($newPasswordHash);
Repositories::persistAndFlush($user);
return true;
}
/**
* Runs this script.
* @return bool Is it successful?
* @throws \Exception Should never occur.
*/
protected function body()
{
$inputs = array('name' => array('isAlphaNumeric', 'hasLength' => array('min_length' => Constants::UsernameMinLength, 'max_length' => Constants::UsernameMaxLength)), 'realname' => array('isNotEmpty', 'isName'), 'email' => 'isEmail', 'pass' => array(), 'repass' => array());
if (!$this->isInputValid($inputs)) {
return false;
}
// Extract input data
$username = strtolower($this->getParams('name'));
$realname = $this->getParams('realname');
$email = $this->getParams('email');
$pass = $this->getParams('pass');
$repass = $this->getParams('repass');
$id = $this->getParams('id');
$type = $this->getParams('type');
$user = null;
$isIdSet = $id !== null && $id !== '';
$isTypeSet = $type !== null && $type !== '';
// Extract database data
if ($id) {
$user = Repositories::findEntity(Repositories::User, $id);
}
$userExists = $user != null;
$sameNameUserExists = count(Repositories::getRepository(Repositories::User)->findBy(['name' => $username])) > 0;
// Custom verification of input data
if ($pass !== $repass) {
return $this->death(StringID::InvalidInput);
}
if ($userExists) {
if ((strlen($pass) < Constants::PasswordMinLength || strlen($pass) > Constants::PasswordMaxLength) && $pass !== "") {
return $this->death(StringID::InvalidInput);
}
} else {
// A new user must have full password
if (strlen($pass) < Constants::PasswordMinLength || strlen($pass) > Constants::PasswordMaxLength) {
return $this->death(StringID::InvalidInput);
}
}
$code = '';
$unhashedPass = $pass;
$pass = Security::hash($pass, Security::HASHTYPE_PHPASS);
$canAddUsers = User::instance()->hasPrivileges(User::usersAdd);
$canEditUsers = User::instance()->hasPrivileges(User::usersManage);
$isEditingSelf = $id == User::instance()->getId();
// This must not be a strict comparison.
/**
* @var $user \User
*/
if (!$userExists && !$sameNameUserExists) {
if ($this->getParams('fromRegistrationForm')) {
if ($type != Repositories::StudentUserType) {
return $this->death(StringID::InsufficientPrivileges);
}
$code = md5(uniqid(mt_rand(), true));
$emailText = file_get_contents(Config::get("paths", "registrationEmail"));
$emailText = str_replace("%{Username}", $username, $emailText);
$emailText = str_replace("%{ActivationCode}", $code, $emailText);
$emailText = str_replace("%{Link}", Config::getHttpRoot() . "#activate", $emailText);
$lines = explode("\n", $emailText);
$subject = $lines[0];
// The first line is subject.
$text = preg_replace('/^.*\\n/', '', $emailText);
// Everything except the first line.
$returnCode = Core::sendEmail($email, $subject, $text);
if (!$returnCode) {
return $this->stop(ErrorCode::mail, 'user registration failed', 'email could not be sent');
}
} else {
if (!$canAddUsers) {
return $this->death(StringID::InsufficientPrivileges);
}
}
$user = new \User();
/** @var \UserType $typeEntity */
$typeEntity = Repositories::findEntity(Repositories::UserType, $type);
$user->setType($typeEntity);
$user->setPass($pass);
$user->setName($username);
$user->setEmail($email);
$user->setActivationCode($code);
$user->setEncryptionType(Security::HASHTYPE_PHPASS);
$user->setRealName($realname);
Repositories::persistAndFlush($user);
} elseif ($isIdSet) {
if (!$canEditUsers && ($isTypeSet || !$isEditingSelf)) {
return $this->stop(ErrorCode::lowPrivileges, 'cannot edit data of users other than yourself');
}
$type = $isTypeSet ? $type : $user->getType()->getId();
/** @var \UserType $typeEntity */
$typeEntity = Repositories::findEntity(Repositories::UserType, $type);
if ($unhashedPass) {
$user->setPass($pass);
$user->setEncryptionType(Security::HASHTYPE_PHPASS);
}
$user->setType($typeEntity);
$user->setEmail($email);
$user->setActivationCode('');
$user->setRealName($realname);
Repositories::persistAndFlush($user);
} else {
return $this->death(StringID::UserNameExists);
}
return true;
}