/**
 * Look up a record by e-mail, optionally also matching the password.
 *
 * When a password is supplied it is first passed through Security::crypt()
 * with the configured $this->default['crypt'] value and the result is added
 * as an equality condition on the password column. Any extra conditions
 * listed in $this->default['where'] are appended before the query runs.
 *
 * NOTE(review): matching the stored password by equality inside the query
 * only works if Security::crypt() is deterministic (no per-user salt) —
 * confirm what that helper does before relying on it for credential storage.
 *
 * @access protected
 * @param string      $email    E-mail address to search for
 * @param string|null $password Clear-text password, or null to skip the password condition
 * @return mixed Whatever the model's find() returns
 */
protected function find($email, $password = null)
{
    $query = $this->model->where($this->default['params']['email'], $email);

    if ($password !== null) {
        $security = new Security();
        $hashed = $security->crypt($password, $this->default['crypt']);
        $query->where($this->default['params']['password'], $hashed);
    }

    if (!empty($this->default['where'])) {
        foreach ($this->default['where'] as $condition) {
            // Forward each configured condition with the arity it was declared with.
            $arity = count($condition);
            if ($arity == 4) {
                $query->where($condition[0], $condition[1], $condition[2], $condition[3]);
            } elseif ($arity == 3) {
                $query->where($condition[0], $condition[1], $condition[2]);
            } else {
                $query->where($condition[0], $condition[1]);
            }
        }
    }

    return $query->find();
}
/**
 * Hyperlink
 *
 * Builds a "?controller=...&action=..." query string. Keys and values are
 * percent-encoded by http_build_query(); the result is not HTML-escaped and
 * the anchor is appended as given.
 *
 * @access public
 * @param  string   $controller  Controller name
 * @param  string   $action      Action name
 * @param  array    $params      Url parameters
 * @param  boolean  $csrf        Add a CSRF token
 * @param  string   $anchor      Link Anchor
 * @return string
 */
public function href($controller, $action, array $params = array(), $csrf = false, $anchor = '')
{
    if ($csrf) {
        $params['csrf_token'] = Security::getCSRFToken();
    }

    // Array union: controller/action are set first, so $params cannot replace them.
    $query = array('controller' => $controller, 'action' => $action) + $params;

    $url = '?' . http_build_query($query, '', '&');

    if (!empty($anchor)) {
        $url .= '#' . $anchor;
    }

    return $url;
}
/**
 * Initial schema (InnoDB / utf8 tables): creates the base tables and seeds
 * one administrator account and one webhooks token.
 *
 * The seeded account is username 'admin' with the bcrypt hash of the literal
 * password 'admin'; it is a well-known default and should be changed right
 * after installation.
 *
 * NOTE(review): the hash and the token are concatenated into the INSERT text;
 * this presumably relies on both values never containing a quote — confirm
 * for Security::generateToken().
 *
 * @param PDO $pdo Database connection
 */
function version_1($pdo)
{
    // Order matters: later tables declare foreign keys on earlier ones.
    $tables = array(
        "\n CREATE TABLE config (\n language CHAR(5) DEFAULT 'en_US',\n webhooks_token VARCHAR(255),\n timezone VARCHAR(50) DEFAULT 'UTC'\n ) ENGINE=InnoDB CHARSET=utf8\n ",
        "\n CREATE TABLE users (\n id INT NOT NULL AUTO_INCREMENT,\n username VARCHAR(50),\n password VARCHAR(255),\n is_admin TINYINT DEFAULT 0,\n default_project_id INT DEFAULT 0,\n PRIMARY KEY (id)\n ) ENGINE=InnoDB CHARSET=utf8\n ",
        "\n CREATE TABLE projects (\n id INT NOT NULL AUTO_INCREMENT,\n name VARCHAR(50) UNIQUE,\n is_active TINYINT DEFAULT 1,\n token VARCHAR(255),\n PRIMARY KEY (id)\n ) ENGINE=InnoDB CHARSET=utf8\n ",
        "\n CREATE TABLE project_has_users (\n id INT NOT NULL AUTO_INCREMENT,\n project_id INT,\n user_id INT,\n PRIMARY KEY (id),\n UNIQUE KEY `idx_project_user` (project_id, user_id),\n FOREIGN KEY(project_id) REFERENCES projects(id) ON DELETE CASCADE,\n FOREIGN KEY(user_id) REFERENCES users(id) ON DELETE CASCADE\n ) ENGINE=InnoDB CHARSET=utf8\n ",
        "\n CREATE TABLE columns (\n id INT NOT NULL AUTO_INCREMENT,\n title VARCHAR(255),\n position INT NOT NULL,\n project_id INT NOT NULL,\n task_limit INT DEFAULT '0',\n UNIQUE KEY `idx_title_project` (title, project_id),\n PRIMARY KEY (id),\n FOREIGN KEY(project_id) REFERENCES projects(id) ON DELETE CASCADE\n ) ENGINE=InnoDB CHARSET=utf8\n ",
        "\n CREATE TABLE tasks (\n id INT NOT NULL AUTO_INCREMENT,\n title VARCHAR(255),\n description TEXT,\n date_creation INT,\n date_completed INT,\n date_due INT,\n color_id VARCHAR(50),\n project_id INT,\n column_id INT,\n owner_id INT DEFAULT '0',\n position INT,\n score INT,\n is_active TINYINT DEFAULT 1,\n PRIMARY KEY (id),\n INDEX `idx_task_active` (is_active),\n FOREIGN KEY(project_id) REFERENCES projects(id) ON DELETE CASCADE,\n FOREIGN KEY(column_id) REFERENCES columns(id) ON DELETE CASCADE\n ) ENGINE=InnoDB CHARSET=utf8\n ",
        "\n CREATE TABLE comments (\n id INT NOT NULL AUTO_INCREMENT,\n task_id 
INT,\n user_id INT,\n date INT,\n comment TEXT,\n PRIMARY KEY (id),\n FOREIGN KEY(task_id) REFERENCES tasks(id) ON DELETE CASCADE,\n FOREIGN KEY(user_id) REFERENCES users(id) ON DELETE CASCADE\n ) ENGINE=InnoDB CHARSET=utf8\n ",
        "\n CREATE TABLE actions (\n id INT NOT NULL AUTO_INCREMENT,\n project_id INT,\n event_name VARCHAR(50),\n action_name VARCHAR(50),\n PRIMARY KEY (id),\n FOREIGN KEY(project_id) REFERENCES projects(id) ON DELETE CASCADE\n ) ENGINE=InnoDB CHARSET=utf8\n ",
        "\n CREATE TABLE action_has_params (\n id INT NOT NULL AUTO_INCREMENT,\n action_id INT,\n name VARCHAR(50),\n value VARCHAR(50),\n PRIMARY KEY (id),\n FOREIGN KEY(action_id) REFERENCES actions(id) ON DELETE CASCADE\n ) ENGINE=InnoDB CHARSET=utf8\n ",
    );

    foreach ($tables as $ddl) {
        $pdo->exec($ddl);
    }

    // Default administrator: bcrypt hash of the literal password 'admin'.
    $adminHash = \password_hash('admin', PASSWORD_BCRYPT);
    $pdo->exec("\n INSERT INTO users\n (username, password, is_admin)\n VALUES ('admin', '" . $adminHash . "', '1')\n ");

    // Per-installation webhooks token.
    $webhooksToken = Security::generateToken();
    $pdo->exec("\n INSERT INTO config\n (webhooks_token)\n VALUES ('" . $webhooksToken . "')\n ");
}
/**
 * Initial schema (SERIAL / BOOLEAN column types): creates every table in one
 * multi-statement exec(), then seeds one administrator account and the
 * webhooks and API tokens.
 *
 * The seeded account is username 'admin' with the bcrypt hash of the literal
 * password 'admin'; it is a well-known default and should be changed right
 * after installation.
 *
 * NOTE(review): the hash and the tokens are concatenated into the INSERT
 * text; this presumably relies on the values never containing a quote —
 * confirm for Security::generateToken().
 *
 * @param PDO $pdo Database connection
 */
function version_1($pdo)
{
    // Single batch; tables appear before the tables that reference them.
    $schema = "\n CREATE TABLE config (\n language CHAR(5) DEFAULT 'en_US',\n webhooks_token VARCHAR(255) DEFAULT '',\n timezone VARCHAR(50) DEFAULT 'UTC',\n api_token VARCHAR(255) DEFAULT ''\n );\n\n CREATE TABLE users (\n id SERIAL PRIMARY KEY,\n username VARCHAR(50),\n password VARCHAR(255),\n is_admin BOOLEAN DEFAULT '0',\n default_project_id INTEGER DEFAULT 0,\n is_ldap_user BOOLEAN DEFAULT '0',\n name VARCHAR(255),\n email VARCHAR(255),\n google_id VARCHAR(255),\n github_id VARCHAR(30)\n );\n\n CREATE TABLE remember_me (\n id SERIAL PRIMARY KEY,\n user_id INTEGER,\n ip VARCHAR(40),\n user_agent VARCHAR(255),\n token VARCHAR(255),\n sequence VARCHAR(255),\n expiration INTEGER,\n date_creation INTEGER,\n FOREIGN KEY(user_id) REFERENCES users(id) ON DELETE CASCADE\n );\n\n CREATE TABLE last_logins (\n id SERIAL PRIMARY KEY,\n auth_type VARCHAR(25),\n user_id INTEGER,\n ip VARCHAR(40),\n user_agent VARCHAR(255),\n date_creation INTEGER,\n FOREIGN KEY(user_id) REFERENCES users(id) ON DELETE CASCADE\n );\n\n CREATE TABLE projects (\n id SERIAL PRIMARY KEY,\n name VARCHAR(255) UNIQUE,\n is_active BOOLEAN DEFAULT '1',\n token VARCHAR(255),\n last_modified INTEGER DEFAULT 0\n );\n\n CREATE TABLE project_has_users (\n id SERIAL PRIMARY KEY,\n project_id INTEGER,\n user_id INTEGER,\n FOREIGN KEY(project_id) REFERENCES projects(id) ON DELETE CASCADE,\n FOREIGN KEY(user_id) REFERENCES users(id) ON DELETE CASCADE,\n UNIQUE(project_id, user_id)\n );\n\n CREATE TABLE project_has_categories (\n id SERIAL PRIMARY KEY,\n name VARCHAR(255),\n project_id INTEGER,\n UNIQUE (project_id, name),\n FOREIGN KEY(project_id) REFERENCES projects(id) ON DELETE CASCADE\n );\n\n CREATE TABLE columns (\n id SERIAL PRIMARY KEY,\n title VARCHAR(255),\n position INTEGER,\n project_id INTEGER,\n task_limit INTEGER DEFAULT 0,\n FOREIGN KEY(project_id) REFERENCES projects(id) ON DELETE CASCADE,\n UNIQUE (title, project_id)\n );\n\n CREATE TABLE tasks (\n id SERIAL PRIMARY 
KEY,\n title VARCHAR(255),\n description TEXT,\n date_creation INTEGER,\n color_id VARCHAR(255),\n project_id INTEGER,\n column_id INTEGER,\n owner_id INTEGER DEFAULT 0,\n position INTEGER,\n is_active BOOLEAN DEFAULT '1',\n date_completed INTEGER,\n score INTEGER,\n date_due INTEGER,\n category_id INTEGER DEFAULT 0,\n FOREIGN KEY(project_id) REFERENCES projects(id) ON DELETE CASCADE,\n FOREIGN KEY(column_id) REFERENCES columns(id) ON DELETE CASCADE\n );\n\n CREATE TABLE task_has_subtasks (\n id SERIAL PRIMARY KEY,\n title VARCHAR(255),\n status SMALLINT DEFAULT 0,\n time_estimated INTEGER DEFAULT 0,\n time_spent INTEGER DEFAULT 0,\n task_id INTEGER NOT NULL,\n user_id INTEGER,\n FOREIGN KEY(task_id) REFERENCES tasks(id) ON DELETE CASCADE\n );\n\n CREATE TABLE task_has_files (\n id SERIAL PRIMARY KEY,\n name VARCHAR(255),\n path VARCHAR(255),\n is_image BOOLEAN DEFAULT '0',\n task_id INTEGER,\n FOREIGN KEY(task_id) REFERENCES tasks(id) ON DELETE CASCADE\n );\n\n CREATE TABLE comments (\n id SERIAL PRIMARY KEY,\n task_id INTEGER,\n user_id INTEGER,\n date INTEGER,\n comment TEXT,\n FOREIGN KEY(task_id) REFERENCES tasks(id) ON DELETE CASCADE,\n FOREIGN KEY(user_id) REFERENCES users(id) ON DELETE CASCADE\n );\n\n CREATE TABLE actions (\n id SERIAL PRIMARY KEY,\n project_id INTEGER,\n event_name VARCHAR(50),\n action_name VARCHAR(50),\n FOREIGN KEY(project_id) REFERENCES projects(id) ON DELETE CASCADE\n );\n\n CREATE TABLE action_has_params (\n id SERIAL PRIMARY KEY,\n action_id INTEGER,\n name VARCHAR(50),\n value VARCHAR(50),\n FOREIGN KEY(action_id) REFERENCES actions(id) ON DELETE CASCADE\n );\n ";
    $pdo->exec($schema);

    // Default administrator: bcrypt hash of the literal password 'admin'.
    $adminHash = \password_hash('admin', PASSWORD_BCRYPT);
    $pdo->exec("\n INSERT INTO users\n (username, password, is_admin)\n VALUES ('admin', '" . $adminHash . "', '1')\n ");

    // Two independent per-installation tokens, generated in column order.
    $webhooksToken = Security::generateToken();
    $apiToken = Security::generateToken();
    $pdo->exec("\n INSERT INTO config\n (webhooks_token, api_token)\n VALUES ('" . $webhooksToken . "', '" . $apiToken . "')\n ");
}
/**
 * Initial schema (TEXT / INTEGER column types): creates the base tables and
 * seeds one administrator account and one webhooks token.
 *
 * The seeded account is username 'admin' with the bcrypt hash of the literal
 * password 'admin'; it is a well-known default and should be changed right
 * after installation.
 *
 * NOTE(review): the hash and the token are concatenated into the INSERT text;
 * this presumably relies on both values never containing a quote — confirm
 * for Security::generateToken().
 *
 * @param PDO $pdo Database connection
 */
function version_1($pdo)
{
    // Order matters: columns and tasks declare foreign keys on earlier tables.
    $tables = array(
        "\n CREATE TABLE config (\n language TEXT DEFAULT 'en_US',\n webhooks_token TEXT DEFAULT ''\n )\n ",
        "\n CREATE TABLE users (\n id INTEGER PRIMARY KEY,\n username TEXT,\n password TEXT,\n is_admin INTEGER DEFAULT 0,\n default_project_id INTEGER DEFAULT 0\n )\n ",
        "\n CREATE TABLE projects (\n id INTEGER PRIMARY KEY,\n name TEXT NOCASE UNIQUE,\n is_active INTEGER DEFAULT 1\n )\n ",
        "\n CREATE TABLE columns (\n id INTEGER PRIMARY KEY,\n title TEXT,\n position INTEGER,\n project_id INTEGER,\n FOREIGN KEY(project_id) REFERENCES projects(id) ON DELETE CASCADE,\n UNIQUE (title, project_id)\n )\n ",
        "\n CREATE TABLE tasks (\n id INTEGER PRIMARY KEY,\n title TEXT NOCASE NOT NULL,\n description TEXT,\n date_creation INTEGER,\n color_id TEXT,\n project_id INTEGER,\n column_id INTEGER,\n owner_id INTEGER DEFAULT '0',\n position INTEGER,\n is_active INTEGER DEFAULT 1,\n FOREIGN KEY(project_id) REFERENCES projects(id) ON DELETE CASCADE,\n FOREIGN KEY(column_id) REFERENCES columns(id) ON DELETE CASCADE\n )\n ",
    );

    foreach ($tables as $ddl) {
        $pdo->exec($ddl);
    }

    // Default administrator: bcrypt hash of the literal password 'admin'.
    $adminHash = \password_hash('admin', PASSWORD_BCRYPT);
    $pdo->exec("\n INSERT INTO users\n (username, password, is_admin)\n VALUES ('admin', '" . $adminHash . "', '1')\n ");

    // Per-installation webhooks token.
    $webhooksToken = Security::generateToken();
    $pdo->exec("\n INSERT INTO config\n (webhooks_token)\n VALUES ('" . $webhooksToken . "')\n ");
}
/**
 * Enable public access for a project
 *
 * Sets is_public to 1 and stores a freshly generated token on the project
 * row. Nothing is written when the project does not exist.
 *
 * @access public
 * @param  integer   $project_id    Project id
 * @return bool
 */
public function enablePublicAccess($project_id)
{
    if (!$this->exists($project_id)) {
        return false;
    }

    $project = $this->db->table(self::TABLE)->eq('id', $project_id);

    // A new token is issued on every call, replacing any previous one.
    $values = array('is_public' => 1, 'token' => Security::generateToken());

    return (bool) $project->save($values);
}
/**
 * Build relative url
 *
 * Uses the router's URL for the controller/action when one is found;
 * otherwise falls back to a "?controller=...&action=..." query string that
 * also carries $params. The CSRF token, when requested, is always sent as a
 * query-string argument.
 *
 * @access private
 * @param  string   $separator   Querystring argument separator
 * @param  string   $controller  Controller name
 * @param  string   $action      Action name
 * @param  array    $params      Url parameters
 * @param  boolean  $csrf        Add a CSRF token
 * @param  string   $anchor      Link Anchor
 * @param  boolean  $absolute    Absolute or relative link
 * @return string
 */
private function build($separator, $controller, $action, array $params = array(), $csrf = false, $anchor = '', $absolute = false)
{
    $path = $this->router->findUrl($controller, $action, $params);
    $query = array();

    if (empty($path)) {
        // No route matched: controller/action come first so $params cannot replace them.
        $query = array('controller' => $controller, 'action' => $action) + $params;
    }

    if ($csrf) {
        $query['csrf_token'] = Security::getCSRFToken();
    }

    if (!empty($query)) {
        $path .= '?' . http_build_query($query, '', $separator);
    }

    $prefix = $absolute ? $this->base() : $this->dir();
    $fragment = empty($anchor) ? '' : '#' . $anchor;

    return $prefix . $path . $fragment;
}
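/**
 * URL query string
 *
 * u('task', 'show', array('task_id' => $task_id))
 *
 * Keys and values are percent-encoded by http_build_query(), so a value
 * containing '&', '=', '#' or a space can no longer split or extend the
 * query string. The returned string is a raw URL: HTML-escape it when
 * printing it into an attribute.
 *
 * @param  string   $controller  Controller name
 * @param  string   $action      Action name
 * @param  array    $params      Url parameters
 * @param  boolean  $csrf        Add a CSRF token
 * @return string
 */
public function u($controller, $action, array $params = array(), $csrf = false)
{
    $values = array('controller' => $controller, 'action' => $action);

    if ($csrf) {
        $params['csrf_token'] = Security::getCSRFToken();
    }

    // Array union keeps the explicit controller/action: a 'controller' or
    // 'action' key inside $params cannot redirect the link elsewhere.
    $values += $params;

    return '?' . http_build_query($values, '', '&');
}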
/**
 * Check if the CSRF token from the URL is correct
 *
 * Reads the "csrf_token" request parameter and calls forbidden() when
 * Security::validateCSRFToken() rejects it.
 *
 * @access protected
 */
protected function checkCSRFParam()
{
    $token = $this->request->getStringParam('csrf_token');

    if (Security::validateCSRFToken($token)) {
        return;
    }

    $this->forbidden();
}
<?php /*
 * Logged-in banner with an AJAX logout link (fragment: the $.ajax() data
 * object continues beyond this excerpt).
 * $randId is appended to the link id and reused in the jQuery selector below.
 * NOTE(review): \Core\Security::UserName() is echoed into HTML with no
 * escaping at this call site — confirm it is already HTML-safe or wrap it in
 * htmlspecialchars().
 * NOTE(review): the bundled jQuery is pinned to 1.11.3 by file name; check
 * whether that release still receives fixes.
 */ $randId = \Core\CString::rand(); echo \Core\View::includeResources("resources/core/jquery/jquery-1.11.3.min.js"); ?> <div class="login"> <trans>You are logged as</trans> <?php echo \Core\Security::UserName(); ?> | <a href="#" id="logout_<?php echo $randId; ?> "><trans>logout</trans></a> </div> <script type="text/javascript"> $(function() { // Edit link $("#logout_<?php echo $randId; ?> ").click(function() { $.ajax({ url: "<?php echo APP_URI . "index.php/" . \Core\Request::getClassUri($self) . "/logout"; ?> /", method : "POST", data : { "moduleId" : "<?php echo $self->id();
/**
 * Return a new sequence token and update the database
 *
 * The row is selected by its session token; only the "sequence" column is
 * replaced, the token itself is left untouched.
 *
 * @access public
 * @param  string   $token        Session token
 * @return string
 */
public function update($token)
{
    $sequence = Security::generateToken();

    $session = $this->db->table(self::TABLE)->eq('token', $token);
    $session->update(array('sequence' => $sequence));

    return $sequence;
}
/*
 * Front-controller fragment (it starts inside an if/else whose header is not
 * visible here and ends before the dispatch body).
 * The service name is normalised with strtolower() + ucfirst(), Page_PreLoad
 * is fired, then \Core\Security::serviceAuthorized($s, $r) is called; a
 * CException there sends status 500, fires Page_AccessDeny and ends the
 * request with the exception message.
 * NOTE(review): die($exception->getMessage()) returns the raw exception text
 * to the client, and the session-directory error embeds the path and its
 * permissions — confirm neither reaches untrusted users.
 * NOTE(review): $s and $r may come from the request and are later used with
 * class_exists()/method_exists(); presumably serviceAuthorized() restricts
 * them to known services — confirm.
 */ $s = $_REQUEST->service; } else { $_REQUEST->service = $s; } if (!empty($_REQUEST->request)) { $r = $_REQUEST->request; } else { $_REQUEST->request = $r; } $s = strtolower($s); $s = ucfirst($s); \Core\Event::fire("Page_PreLoad", $_REQUEST); // Test security access // redirect to defaultService if not allow try { \Core\Security::serviceAuthorized($s, $r); } catch (\Core\CException $exception) { \Core\Server::sendHeaderStatus(500); \Core\Event::fire("Page_AccessDeny", $_REQUEST, $exception); die($exception->getMessage()); } try { // Test if session dir ok $sessionPath = session_save_path(); if (!empty($sessionPath)) { if (!is_dir($sessionPath) || !is_writable($sessionPath)) { throw new \Core\CException("Server error : Php session directory \"" . $sessionPath . "\n (" . \Core\Server::perms($sessionPath) . ")\" is not writable."); } } // Check the controller signature if (class_exists($s) && method_exists($s, $r)) {
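/**
 * Authenticate the login/password carried by the request and populate
 * \Core\Security with the user id, login, name, row and roles.
 *
 * The submitted password is passed through the configured "passwordFn"
 * (unless disabled) and compared by equality in the SQL query. Both values
 * are bound as parameters; table and field names come from the module
 * configuration and go through quoteTable()/quoteField().
 *
 * When the request asks for autologin, a cookie holding the login and the
 * transformed password is set. It is now sent HttpOnly, and Secure when the
 * current request is HTTPS, so page scripts cannot read it and it is not
 * replayed over plain HTTP from an HTTPS site.
 *
 * NOTE(review): the cookie still carries a password-equivalent and is
 * encrypted with $this->cookieName as the key argument — presumably not a
 * secret; a random server-side token would be safer. The code reading the
 * cookie is not visible here; if it calls unserialize() on the decrypted
 * value, prefer a format such as JSON.
 * NOTE(review): no session id regeneration is visible after a successful
 * login — confirm \Core\Security::setUserId() or a caller takes care of it.
 *
 * @access protected
 * @param  array $options "passwordEncrypt" (default true): apply passwordFn to the submitted password
 * @throws \Core\CException When the login or password is missing, or no user matches
 */
protected function loginAction($options = array())
{
    // Default option value: passwordEncrypt = true
    $options["passwordEncrypt"] = isset($options["passwordEncrypt"]) ? $options["passwordEncrypt"] : true;

    // Force the key to be sent
    $this->testKey(true);

    if (empty($_REQUEST->login) || empty($_REQUEST->password)) {
        throw new \Core\CException("Login failed");
    }

    $db = \Core\Db::create($this->getParams("database"));

    $userTable = $db->quoteTable($this->getParams("userTable", "table"));
    $idField = $db->quoteField($this->getParams("userTable", "idField"));
    $loginField = $db->quoteField($this->getParams("userTable", "loginField"));
    $passwordField = $db->quoteField($this->getParams("userTable", "passwordField"));
    $passwordFn = $this->getParams("userTable", "passwordFn");
    $nameField = $db->quoteField($this->getParams("userTable", "nameField"));

    $roleTable = $db->quoteTable($this->getParams("roleTable", "table"));
    $roleId = $db->quoteField($this->getParams("roleTable", "idField"));
    $roleField = $db->quoteField($this->getParams("roleTable", "roleField"));

    $linkTable = $db->quoteTable($this->getParams("linkTable", "table"));
    $linkUser = $db->quoteField($this->getParams("linkTable", "userId"));
    $linkRole = $db->quoteField($this->getParams("linkTable", "roleId"));

    if ($options["passwordEncrypt"] === true && !empty($passwordFn)) {
        $_REQUEST->password = call_user_func($passwordFn, $_REQUEST->password);
    }

    // Random suffix keeps the aliased columns from colliding with real column names in u.*
    $randId = strtolower(\Core\CString::rand(5));

    $sql = "\n SELECT\n {$idField} as userid_{$randId},\n {$loginField} as userlogin_{$randId},\n {$nameField} as username_{$randId},\n u.*\n FROM\n {$userTable} u\n WHERE\n u.{$loginField} = :user\n AND u.{$passwordField} = :Login\n ";
    $res = $db->selectRow($sql, array(":user" => $_REQUEST->login, ":Login" => $_REQUEST->password));

    if (!empty($res)) {
        \Core\Security::setUserId($res["userid_" . $randId]);
        \Core\Security::setUserLogin($res["userlogin_" . $randId]);
        \Core\Security::setUserName($res["username_" . $randId]);

        // Store the user row without the helper aliases added above
        $resUser = $res;
        unset($resUser["userid_" . $randId]);
        unset($resUser["userlogin_" . $randId]);
        unset($resUser["username_" . $randId]);
        \Core\Security::setUser($resUser);

        // Fetch the user's roles
        $sql = "\n SELECT \n r.{$roleField} as role\n FROM\n {$roleTable} r\n JOIN\n {$linkTable} l\n ON r.{$roleId} = l.{$linkRole}\n JOIN\n {$userTable} u\n ON u.{$idField} = l.{$linkUser}\n WHERE\n u.{$idField} = :userid\n ";
        $resRole = $db->select($sql, array(":userid" => $res["userid_" . $randId]));
        if (!empty($resRole)) {
            foreach ($resRole as $role) {
                \Core\Security::AddRole($role["role"]);
            }
        }

        // Set cookie for autologin
        if (isset($_REQUEST->autologin) && $_REQUEST->autologin == "1") {
            $c = array($_REQUEST->login, $_REQUEST->password);
            $c = serialize($c);
            $c = \Core\CString::encrypt($c, $this->cookieName);

            // Secure only when this request is HTTPS, so plain-HTTP installs keep working.
            $secure = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
            setcookie($this->cookieName, $c, time() + $this->cookieTime, "/", "", $secure, true);
        }
    } else {
        $this->logout(new \Core\Request());
        throw new \Core\CException("Login failed");
    }
}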
/**
 * Generate controller/action url for templates
 *
 * u('task', 'show', array('task_id' => $task_id))
 *
 * Keys and values are percent-encoded by http_build_query(); the result is
 * not HTML-escaped.
 *
 * @param  string   $controller  Controller name
 * @param  string   $action      Action name
 * @param  array    $params      Url parameters
 * @param  boolean  $csrf        Add a CSRF token
 * @return string
 */
public function u($controller, $action, array $params = array(), $csrf = false)
{
    if ($csrf) {
        $params['csrf_token'] = Security::getCSRFToken();
    }

    // Array union: controller/action are set first, so $params cannot replace them.
    $query = array('controller' => $controller, 'action' => $action) + $params;

    return '?' . http_build_query($query, '', '&');
}
/**
 * Enable public access for a user
 *
 * Stores a freshly generated token on the user row; any previous token is
 * replaced.
 *
 * @access public
 * @param  integer   $user_id    User id
 * @return bool
 */
public function enablePublicAccess($user_id)
{
    $user = $this->db->table(self::TABLE)->eq('id', $user_id);
    $values = array('token' => Security::generateToken());

    return $user->save($values);
}
/**
 * Hidden form field carrying the CSRF token
 *
 * NOTE(review): the token is placed in the value attribute as returned —
 * assumes Security::getCSRFToken() only yields attribute-safe characters;
 * confirm.
 *
 * @return string
 */
function form_csrf()
{
    $token = Security::getCSRFToken();

    return sprintf('<input type="hidden" name="csrf_token" value="%s"/>', $token);
}
/**
 * Regenerate a token
 *
 * Replaces the "value" of the row whose "option" column matches $option
 * with a freshly generated token.
 *
 * @access public
 * @param  string   $option   Parameter name
 * @return mixed Result of the update() call
 */
public function regenerateToken($option)
{
    $setting = $this->db->table(self::TABLE)->eq('option', $option);
    $values = array('value' => Security::generateToken());

    return $setting->update($values);
}
<?php
/**
 * Add autologin event to page load
 * (file loaded from Login.php).
 *
 * The Page_PreLoad handler is registered only while
 * \Core\Security::Registered() is falsy.
 * NOTE(review): presumably that means "no authenticated user yet" — confirm
 * against \Core\Security.
 */
if (!\Core\Security::Registered()) {
    \Core\Event::registerService('Page_PreLoad', '\\Modules\\Core\\Login\\Login::autoLoginEvent');
}
/**
 * Regenerate all tokens (webhooks, API and every project)
 *
 * Each token is generated independently, so previously issued webhook, API
 * and project tokens all stop matching after this call.
 *
 * @access public
 */
public function regenerateTokens()
{
    $globalTokens = array(
        'webhooks_token' => Security::generateToken(),
        'api_token' => Security::generateToken(),
    );
    $this->db->table(self::TABLE)->update($globalTokens);

    $projectIds = $this->db->table(Project::TABLE)->findAllByColumn('id');

    foreach ($projectIds as $id) {
        $project = $this->db->table(Project::TABLE)->eq('id', $id);
        $project->update(array('token' => Security::generateToken()));
    }
}
<table id="board" data-project-id="<?php echo $current_project_id; ?> " data-time="<?php echo time(); ?> " data-check-interval="<?php echo BOARD_CHECK_INTERVAL; ?> " data-csrf-token=<?php echo \Core\Security::getCSRFToken(); ?> > <tr> <?php /*
 * Board header (fragment: the column loop continues beyond this excerpt).
 * Each column gets an equal share of the width, rounded to two decimals.
 * NOTE(review): an empty $board makes count($board) zero and the division
 * below fails — confirm the caller never renders an empty board.
 * NOTE(review): $current_project_id, $column['project_id'] and $column['id']
 * are echoed into attributes and the href with no escaping at this site, and
 * data-csrf-token is emitted without quotes — assumes integer ids and an
 * attribute-safe token; confirm or escape.
 */ $column_with = round(100 / count($board), 2); ?> <?php foreach ($board as $column) { ?> <th width="<?php echo $column_with; ?> %"> <div class="board-add-icon"> <a href="?controller=task&action=create&project_id=<?php echo $column['project_id']; ?> &column_id=<?php echo $column['id']; ?>