/**
 * Delete the current user's avatar.
 *
 * Removes the avatar of the user identified by the session's user_id and
 * then redirects back to the avatar edit page. This is a state-changing
 * action and no CSRF token check is visible in this method itself;
 * NOTE(review): confirm the framework applies one before the action runs.
 */
public function deleteAvatar_action()
{
    $currentUserId = Session::get("user_id");
    AvatarModel::deleteAvatar($currentUserId);

    Redirect::to('user/editAvatar');
}
/**
 * Write a successfully authenticated user's data into the session.
 *
 * The session ID is regenerated (and the old session destroyed) before any
 * user data is stored, so a session ID fixed before login cannot be reused
 * afterwards. The session cookie is then re-sent explicitly with the
 * configured lifetime, path, domain, secure and HttpOnly flags. The
 * positional setcookie() form used here carries no SameSite attribute;
 * NOTE(review): confirm whether that is acceptable for this deployment.
 *
 * (Cheesy name, maybe rename. Also maybe refactor this to take an array.)
 *
 * @param $user_id
 * @param $user_name
 * @param $user_email
 * @param $user_account_type
 */
public static function setSuccessfulLoginIntoSession($user_id, $user_name, $user_email, $user_account_type)
{
    Session::init();

    // Fresh session ID first (old one deleted), then start from an empty
    // session array so nothing from the pre-login session survives.
    session_regenerate_id(true);
    $_SESSION = [];

    $identityValues = [
        'user_id'            => $user_id,
        'user_name'          => $user_name,
        'user_email'         => $user_email,
        'user_account_type'  => $user_account_type,
        'user_provider_type' => 'DEFAULT',
    ];
    foreach ($identityValues as $sessionKey => $sessionValue) {
        Session::set($sessionKey, $sessionValue);
    }

    // avatar data is derived from the user id / email just stored
    $avatarFilePath = AvatarModel::getPublicUserAvatarFilePathByUserId($user_id);
    $gravatarUrl = AvatarModel::getGravatarLinkByEmail($user_email);
    Session::set('user_avatar_file', $avatarFilePath);
    Session::set('user_gravatar_image_url', $gravatarUrl);

    // set last: only now does the user count as logged in
    Session::set('user_logged_in', true);

    // persist the new session id for this user
    Session::updateSessionId($user_id, session_id());

    // Send the session cookie ourselves so expiry, path, domain, secure and
    // HttpOnly are all set explicitly.
    // @see https://www.owasp.org/index.php/PHP_Security_Cheat_Sheet#Cookies
    $cookieExpiry = time() + Config::get('SESSION_RUNTIME');
    setcookie(
        session_name(),
        session_id(),
        $cookieExpiry,
        Config::get('COOKIE_PATH'),
        Config::get('COOKIE_DOMAIN'),
        Config::get('COOKIE_SECURE'),
        Config::get('COOKIE_HTTP')
    );
}
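/**
 * Edit the user's email.
 *
 * Check order: presence, unchanged-vs-session, format (filter_var), then a
 * defensive sanitization pass (strip_tags + 254-character cap). The address
 * is only saved if sanitization leaves it untouched, so what reaches the
 * database is exactly the string that passed FILTER_VALIDATE_EMAIL.
 * Previously a validated address longer than 254 characters was silently
 * truncated after validation and the truncated form stored.
 *
 * @param $new_user_email
 *
 * @return bool success status
 */
public static function editUserEmail($new_user_email)
{
    // email provided ?
    if (empty($new_user_email)) {
        Session::add('feedback_negative', Text::get('FEEDBACK_EMAIL_FIELD_EMPTY'));
        return false;
    }

    // check if new email is the same as the old one (strict: no loose
    // numeric-string equality surprises)
    if ($new_user_email === Session::get('user_email')) {
        Session::add('feedback_negative', Text::get('FEEDBACK_EMAIL_SAME_AS_OLD_ONE'));
        return false;
    }

    // user's email must be in valid email format; this also bounds the
    // local/domain part lengths, but not the 254-character total
    // @see http://stackoverflow.com/questions/21631366/php-filter-validate-email-max-length
    // @see http://stackoverflow.com/questions/386294/what-is-the-maximum-length-of-a-valid-email-address
    if (!filter_var($new_user_email, FILTER_VALIDATE_EMAIL)) {
        Session::add('feedback_negative', Text::get('FEEDBACK_EMAIL_DOES_NOT_FIT_PATTERN'));
        return false;
    }

    // Defensive sanitization. If it changes the string (tags present, or the
    // address exceeds 254 characters) the sanitized value was never validated,
    // so reject rather than store something other than what was checked.
    $sanitized_email = substr(strip_tags($new_user_email), 0, 254);
    if ($sanitized_email !== $new_user_email) {
        Session::add('feedback_negative', Text::get('FEEDBACK_EMAIL_DOES_NOT_FIT_PATTERN'));
        return false;
    }

    // check if user's email already exists
    if (self::doesEmailAlreadyExist($sanitized_email)) {
        Session::add('feedback_negative', Text::get('FEEDBACK_USER_EMAIL_ALREADY_TAKEN'));
        return false;
    }

    // write to database, if successful ...
    // ... then write new email to session, Gravatar too (as this relies on the user's email address)
    if (self::saveNewEmailAddress(Session::get('user_id'), $sanitized_email)) {
        Session::set('user_email', $sanitized_email);
        Session::set('user_gravatar_image_url', AvatarModel::getGravatarLinkByEmail($sanitized_email));
        Session::add('feedback_positive', Text::get('FEEDBACK_EMAIL_CHANGE_SUCCESSFUL'));
        return true;
    }

    Session::add('feedback_negative', Text::get('FEEDBACK_UNKNOWN_ERROR'));
    return false;
}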