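/**
 * Generates a new password for the user addressed by the 'uuid' route
 * parameter, provided the 'token' route parameter matches the pending
 * password request token of that user and the token has not expired.
 *
 * On success the new password is stored, the request token is cleared and
 * the password is mailed to the address kept in the user's 'email' meta data.
 *
 * @access protected
 * @param \Zepi\Turbo\Framework $framework
 * @param \Zepi\Turbo\Request\RequestAbstract $request
 * @param \Zepi\Turbo\Response\Response $response
 * @return array|null array('result' => bool, 'message' => string), or null
 *                    after redirecting when uuid/token are missing or unknown
 */
protected function generateNewPassword(Framework $framework, RequestAbstract $request, Response $response)
{
    $uuid = $request->getRouteParam('uuid');
    $token = $request->getRouteParam('token');

    // Without both route parameters and a matching user there is nothing to do
    if ($uuid === false || $token === false || !$this->userManager->hasUserForUuid($uuid)) {
        $response->redirectTo('/');
        return;
    }

    // Load the user
    $user = $this->userManager->getUserForUuid($uuid);
    $storedToken = (string) $user->getMetaData('passwordRequestToken');

    // No pending request means there is no token to verify against
    if ($storedToken === '') {
        return [
            'result' => false,
            'message' => $this->translate('You haven\'t requested a new password.', '\\Zepi\\Web\\AccessControl'),
        ];
    }

    // Compare in constant time so the token cannot be probed byte by byte,
    // and reject the request once the stored lifetime has passed.
    if (!hash_equals($storedToken, (string) $token)
        || $user->getMetaData('passwordRequestTokenLifetime') < time()) {
        return [
            'result' => false,
            'message' => $this->translate('The given token is invalid or expired. Please request a new password.', '\\Zepi\\Web\\AccessControl'),
        ];
    }

    // Generate and store the new password
    $password = $this->generateRandomPassword();
    $user->setNewPassword($password);

    // Reset the token so it cannot be used a second time
    $user->setMetaData('passwordRequestToken', '');
    $user->setMetaData('passwordRequestTokenLifetime', 0);

    // Update the user
    $this->userManager->updateUser($user);

    // Send the mail containing the new password
    $this->mailHelper->sendMail(
        $user->getMetaData('email'),
        $this->translate('New password generated', '\\Zepi\\Web\\AccessControl'),
        $this->render('\\Zepi\\Web\\AccessControl\\Mail\\GenerateNewPassword', ['user' => $user, 'password' => $password])
    );

    return [
        'result' => true,
        'message' => $this->translate('Your new password is generated and saved. 
You will receive an email with the new password.', '\\Zepi\\Web\\AccessControl'),
    ];
}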
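/**
 * Verifies the given session token and lifetime.
 *
 * The token names a cookie whose value must equal the lifetime kept in the
 * session. If that cookie is missing, the previous pair stored in the session
 * ('oldUserSessionToken' / 'oldUserSessionTokenLifetime') is looked up and
 * reported back instead.
 *
 * @param \Zepi\Turbo\Request\WebRequest $request
 * @param string $token
 * @param string $lifetime
 * @return array [bool $notValid, string $token, string $lifetime, mixed $userUuid]
 */
protected function verifyToken(WebRequest $request, $token, $lifetime)
{
    $notValid = false;

    // Cookie does not exist - this is maybe a session hijacking attack
    if ($request->getCookieData($token) === false) {
        $notValid = true;
    }

    // Check for the old data
    // NOTE(review): $notValid is not reset when the old cookie is found, so
    // this branch cannot make the session valid again - confirm that is intended.
    if ($notValid && $request->getSessionData('oldUserSessionToken') !== false) {
        $token = $request->getSessionData('oldUserSessionToken');
        $lifetime = $request->getSessionData('oldUserSessionTokenLifetime');

        // Look for the old session token cookie...
        if ($request->getCookieData($token) === false) {
            $notValid = true;
        }
    }

    // The cookie value must match the lifetime stored in the session. Compare
    // as strings: cookie data is a string while the session value may be an
    // integer, and a loose "!=" would compare numerically (e.g. "123abc" == 123
    // on PHP 7).
    if (!$notValid && (string) $request->getCookieData($token) !== (string) $lifetime) {
        $notValid = true;
    }

    // If the session token expired more than 30 minutes ago
    // the session isn't valid anymore
    if (!$notValid && $lifetime < time() - 1800) {
        $notValid = true;
    }

    $userUuid = $request->getSessionData('userUuid');

    // If the given uuid doesn't exist, this session can't be valid
    if (!$notValid && !$this->userManager->hasUserForUuid($userUuid)) {
        $notValid = true;
    }

    return [$notValid, $token, $lifetime, $userUuid];
}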
/**
 * Validates the input user data.
 *
 * The only rule checked here is that a user with the given username exists.
 *
 * @param \Zepi\Turbo\Framework $framework
 * @param string $username
 * @return boolean|string true when valid, otherwise the translated error message
 */
protected function validateData(Framework $framework, $username)
{
    $exists = $this->userManager->hasUserForUsername($username);

    // An unknown username is the only validation failure
    return $exists
        ? true
        : $this->translate('The inserted username does not exist.', '\\Zepi\\Web\\AccessControl');
}
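/**
 * Activates the user or returns an error message.
 *
 * The given activation token has to match the 'activationToken' meta data of
 * the user. On success the '\Global\Disabled' permission is revoked and
 * '\Global\Active' is granted.
 *
 * @access protected
 * @param string $uuid
 * @param string $activationToken
 * @return array array('result' => bool, 'message' => string)
 */
protected function activateUser($uuid, $activationToken)
{
    // Check the uuid
    if (!$this->userManager->hasUserForUuid($uuid)) {
        return [
            'result' => false,
            'message' => $this->translate('Account with the given UUID does not exist.', '\\Zepi\\Web\\AccessControl'),
        ];
    }

    // Compare the activation token in constant time; an empty stored token
    // means there is nothing to verify against, so activation is refused.
    $user = $this->userManager->getUserForUuid($uuid);
    $storedToken = (string) $user->getMetaData('activationToken');

    if ($storedToken === '' || !hash_equals($storedToken, (string) $activationToken)) {
        return [
            'result' => false,
            'message' => $this->translate('The given activation token is not valid.', '\\Zepi\\Web\\AccessControl'),
        ];
    }

    // Remove the disabled access level and grant the active one
    $this->accessControlManager->revokePermission($uuid, get_class($user), '\\Global\\Disabled');
    $this->accessControlManager->grantPermission($uuid, get_class($user), '\\Global\\Active', 'Activation');

    return [
        'result' => true,
        'message' => $this->translate('Your account was activated successfully.', '\\Zepi\\Web\\AccessControl'),
    ];
}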
/**
 * Changes the password for the logged in user.
 *
 * Reads the 'change-password' form fields, runs them through validateData()
 * and, when validation passes, stores the new password via the UserManager.
 *
 * @access protected
 * @param \Zepi\Web\UserInterface\Form\Form $form
 * @param \Zepi\Turbo\Framework $framework
 * @param \Zepi\Turbo\Request\WebRequest $request
 * @param \Zepi\Turbo\Response\Response $response
 * @return mixed the validation error when validation fails, otherwise the
 *               return value of UserManager::updateUser()
 */
protected function changePassword(Form $form, Framework $framework, WebRequest $request, Response $response)
{
    // Get the logged in user
    $user = $request->getSession()->getUser();

    // Read the trimmed value of one field of the change-password form
    $fieldValue = function ($name) use ($form) {
        return trim($form->getField('change-password', $name)->getValue());
    };

    $oldPassword = $fieldValue('old-password');
    $newPassword = $fieldValue('new-password');
    $newPasswordConfirmed = $fieldValue('new-password-confirmed');

    // A non-true validation result is the error to hand back to the caller
    $validation = $this->validateData($framework, $user, $oldPassword, $newPassword, $newPasswordConfirmed);
    if ($validation !== true) {
        return $validation;
    }

    // Change the password and persist the user
    $user->setNewPassword($newPassword);

    return $this->userManager->updateUser($user);
}
/**
 * Validates the input user data for a registration.
 *
 * Checks, in order: the username is not yet taken, the email address is
 * syntactically valid, the password has at least 8 bytes (strlen counts bytes,
 * not multibyte characters) and the terms of service were accepted.
 *
 * @param \Zepi\Turbo\Framework $framework
 * @param string $username
 * @param string $email
 * @param string $password
 * @param boolean $tos
 * @return boolean|string true when valid, otherwise the translated error message
 */
protected function validateData(Framework $framework, $username, $email, $password, $tos)
{
    $module = '\\Zepi\\Web\\AccessControl';

    // Username must be free
    if ($this->userManager->hasUserForUsername($username)) {
        return $this->translate('The inserted username is already in use. Please select a new username.', $module);
    }

    // Email must look like an email address
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return $this->translate('Please insert a valid email address.', $module);
    }

    // Password length (in bytes)
    if (strlen($password) < 8) {
        return $this->translate('The password needs at least 8 characters.', $module);
    }

    // Terms of service
    if (!$tos) {
        return $this->translate('Please accept our terms of service.', $module);
    }

    return true;
}
/**
 * Validates the login data and returns the matching user.
 *
 * Returns false when the password is shorter than 8 bytes, the username is
 * unknown, the user cannot be loaded, or the password does not match.
 *
 * @param \Zepi\Turbo\Framework $framework
 * @param string $username
 * @param string $password
 * @return boolean|\Zepi\Web\AccessControl\Entity\User
 */
protected function validateUserData(Framework $framework, $username, $password)
{
    $user = false;

    // Only look the user up when the password has a plausible length and the
    // username is known
    if (strlen($password) >= 8 && $this->userManager->hasUserForUsername($username)) {
        $user = $this->userManager->getUserForUsername($username);
    }

    // Unusable user or wrong password
    if ($user === false || !$user->comparePasswords($password)) {
        return false;
    }

    return $user;
}
/**
 * Execute the installation of the access control module.
 *
 * Runs only when no user exists yet: asks on the CLI for the username and
 * password of the super-admin user, stores that user and grants it the
 * '\Global\*' permission.
 *
 * NOTE(review): parts of this method were redacted in the source shown here
 * ("******"); the affected argument lists could not be recovered and are kept
 * as they appear.
 *
 * @access public
 * @param \Zepi\Turbo\Framework $framework
 * @param \Zepi\Turbo\Request\CliRequest $request
 * @param \Zepi\Turbo\Response\Response $response
 */
public function execute(Framework $framework, CliRequest $request, Response $response) {
    // Execute the installer only if there are no users
    $dataRequest = new \Zepi\DataSource\Core\Entity\DataRequest(1, 0, 'name', 'ASC');
    if ($this->userManager->count($dataRequest) > 0) {
        return;
    }

    // Ask until a non-empty username is entered
    $username = '';
    while ($username === '') {
        $username = trim($this->cliHelper->inputText('Please enter the username for the super-admin user:'******'';

    // Ask until a non-empty password is entered
    while ($password === '') {
        $password = trim($this->cliHelper->inputText('Please enter the password for the super-admin user:'******'', '', $username, '', array());
    $user->setNewPassword($password);

    // Save the super-admin user
    $user = $this->userManager->addUser($user);

    // Add the super-admin access level
    $this->accessControlManager->grantPermission($user->getUuid(), '\\Zepi\\Web\\AccessControl\\Entity\\User', '\\Global\\*', 'CLI');
}
/**
 * Displays the delete user confirmation and deletes the user once confirmed.
 *
 * The user is selected by the 'uuid' route parameter; an unknown uuid
 * redirects to the user overview. Deletion happens when the 'confirmation'
 * route parameter equals 'confirmed'.
 *
 * NOTE(review): the confirmation arrives as a plain route parameter and no
 * CSRF token check is visible in this method - confirm it is enforced elsewhere.
 *
 * @access public
 * @param \Zepi\Turbo\Framework $framework
 * @param \Zepi\Turbo\Request\WebRequest $request
 * @param \Zepi\Turbo\Response\Response $response
 */
public function execute(Framework $framework, WebRequest $request, Response $response)
{
    // Prepare the page
    $subTitle = $this->translate('Delete user', '\\Zepi\\Web\\AccessControl');
    $pageTitle = $this->translate('User management', '\\Zepi\\Web\\AccessControl') . ' - ' . $subTitle;
    $this->setTitle($pageTitle, $subTitle);
    $this->activateMenuEntry('user-administration');

    // Resolve the user from the route; unknown uuids go back to the overview
    $uuid = $request->getRouteParam('uuid');
    if (!is_string($uuid) || !$this->userManager->hasUserForUuid($uuid)) {
        $response->redirectTo($request->getFullRoute('/administration/users/'));
        return;
    }

    $user = $this->userManager->getUserForUuid($uuid);

    // Delete only after explicit confirmation, then pick the matching template
    $confirmed = ($request->getRouteParam('confirmation') === 'confirmed');
    if ($confirmed) {
        $this->userManager->deleteUser($user);
    }

    $template = $confirmed
        ? '\\Zepi\\Web\\AccessControl\\Templates\\Administration\\DeleteUserFinished'
        : '\\Zepi\\Web\\AccessControl\\Templates\\Administration\\DeleteUser';

    $response->setOutput($this->render($template, array('user' => $user)));
}
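/**
 * Returns true if the username is in use by a user other than the edited one.
 *
 * @param string $username
 * @param \Zepi\Web\AccessControl\Entity\User $user the user being edited
 * @return boolean
 */
protected function isUsernameInUse($username, User $user)
{
    if (!$this->userManager->hasUserForUsername($username)) {
        return false;
    }

    // Strict comparison: uuids are strings, and "!=" would treat numeric-looking
    // strings as numbers before comparing them.
    $owner = $this->userManager->getUserForUsername($username);

    return $owner->getUuid() !== $user->getUuid();
}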