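/**
 * Generates a new random password for the user identified by the "uuid"
 * route parameter, provided the "token" route parameter matches the
 * password request token stored on the user and that token has not expired.
 * The new password is saved, the request token is reset and the password is
 * sent to the user's e-mail address.
 *
 * @access protected
 * @param \Zepi\Turbo\Framework $framework
 * @param \Zepi\Turbo\Request\RequestAbstract $request
 * @param \Zepi\Turbo\Response\Response $response
 * @return array|null array('result' => bool, 'message' => string); null after
 *                    a redirect to '/' when uuid or token are missing or the
 *                    uuid is unknown
 */
protected function generateNewPassword(Framework $framework, RequestAbstract $request, Response $response)
{
    $uuid = $request->getRouteParam('uuid');
    $token = $request->getRouteParam('token');

    // Without a known user and a token there is nothing to verify.
    if ($uuid === false || !$this->userManager->hasUserForUuid($uuid) || $token === false) {
        $response->redirectTo('/');
        return;
    }

    // Load the user
    $user = $this->userManager->getUserForUuid($uuid);
    $storedToken = (string) $user->getMetaData('passwordRequestToken');

    // An empty stored token means no password request is pending. The cast
    // also covers an unset meta value that comes back as null or false.
    if ($storedToken === '') {
        return array(
            'result' => false,
            'message' => $this->translate('You haven\'t requested a new password.', '\\Zepi\\Web\\AccessControl')
        );
    }

    // Compare the tokens in constant time (hash_equals) so the comparison does
    // not leak how much of the stored token was guessed correctly, and reject
    // a token whose lifetime has already passed.
    $tokenMatches = hash_equals($storedToken, (string) $token);
    if (!$tokenMatches || $user->getMetaData('passwordRequestTokenLifetime') < time()) {
        return array(
            'result' => false,
            'message' => $this->translate('The given token is invalid or expired. Please request a new password.', '\\Zepi\\Web\\AccessControl')
        );
    }

    // Generate a new password
    $password = $this->generateRandomPassword();

    // Save the new password
    $user->setNewPassword($password);

    // Reset the token so it cannot be used a second time
    $user->setMetaData('passwordRequestToken', '');
    $user->setMetaData('passwordRequestTokenLifetime', 0);

    // Update the user
    $this->userManager->updateUser($user);

    // Send the mail with the new password
    $this->mailHelper->sendMail(
        $user->getMetaData('email'),
        $this->translate('New password generated', '\\Zepi\\Web\\AccessControl'),
        $this->render('\\Zepi\\Web\\AccessControl\\Mail\\GenerateNewPassword', array('user' => $user, 'password' => $password))
    );

    return array(
        'result' => true,
        'message' => $this->translate('Your new password is generated and saved. 
You will receive an email with the new password.', '\\Zepi\\Web\\AccessControl')
    );
}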
/**
 * Verifies the session token and its lifetime stored in the session data and,
 * when they are valid, loads the matching user and attaches a Session object
 * to the request. Invalid session data is removed and the session is
 * regenerated instead.
 *
 * @access protected
 * @param \Zepi\Turbo\Framework $framework
 * @param \Zepi\Turbo\Request\WebRequest $request
 * @param \Zepi\Turbo\Response\Response $response
 * @return boolean true when a user session was (re)initialized, false otherwise
 */
protected function reinitializeUserSession(Framework $framework, WebRequest $request, Response $response)
{
    $verification = $this->verifyToken(
        $request,
        $request->getSessionData('userSessionToken'),
        $request->getSessionData('userSessionTokenLifetime')
    );
    list($tokenInvalid, $sessionToken, $tokenLifetime, $userUuid) = $verification;

    // The token is missing, or its lifetime is invalid or has expired: this is
    // either a stale session or a hijacking attempt, so drop the session data
    // and start with a fresh session.
    if ($tokenInvalid) {
        $this->cleanupSession($request);
        $this->regenerateSession($request);
        return false;
    }

    $user = $this->userManager->getUserForUuid($userUuid);

    // A disabled account gets no session, unless it holds the global wildcard
    // access level.
    $accountDisabled = !$user->hasAccess('\\Global\\*') && $user->hasAccess('\\Global\\Disabled');
    if ($accountDisabled) {
        return false;
    }

    $request->setSession(new Session($user, $sessionToken, $tokenLifetime));

    // Refresh the token when it is about to expire (less than 30 seconds left).
    if (time() > $tokenLifetime - 30) {
        $this->initializeUserSession($request, $response, $user);
    }

    return true;
}
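/**
 * Displays the add/edit user form and saves the submitted data to the
 * database. With a "uuid" route parameter an existing user is edited,
 * otherwise a new, empty user is created.
 *
 * @access public
 * @param \Zepi\Turbo\Framework $framework
 * @param \Zepi\Turbo\Request\WebRequest $request
 * @param \Zepi\Turbo\Response\Response $response
 */
public function execute(Framework $framework, WebRequest $request, Response $response)
{
    $uuid = $request->getRouteParam('uuid');

    // If there is a request parameter we need to edit a user. Otherwise we create a new one.
    if (is_string($uuid)) {
        // An unknown uuid must not reach getUserForUuid(); send the client back
        // to the user overview instead (same handling as the delete user page).
        if (!$this->userManager->hasUserForUuid($uuid)) {
            $response->redirectTo($request->getFullRoute('/administration/users/'));
            return;
        }

        $additionalTitle = $this->translate('Modify user', '\\Zepi\\Web\\AccessControl');
        $user = $this->userManager->getUserForUuid($uuid);
    } else {
        $additionalTitle = $this->translate('Add user', '\\Zepi\\Web\\AccessControl');
        $user = new User('', '', '', '', array());
    }

    $title = $this->translate('User management', '\\Zepi\\Web\\AccessControl');
    $this->layout->setUser($user);

    // Prepare the page
    $this->activateMenuEntry('user-administration');
    $this->setTitle($title, $additionalTitle);

    // Process the submitted form data; true means the user was saved.
    $result = $this->processFormData($request, $user);

    if ($result === true) {
        // Display the successfully saved message
        $response->setOutput($this->render(
            '\\Zepi\\Web\\AccessControl\\Templates\\Administration\\EditUserFinished',
            array('title' => $this->getTitle())
        ));
    } else {
        // Display the form (again)
        $response->setOutput($this->render(
            '\\Zepi\\Web\\AccessControl\\Templates\\Administration\\EditUserForm',
            array(
                'user' => $user,
                'title' => $this->getTitle(),
                'layout' => $this->layout->getLayout(),
                'layoutRenderer' => $this->getLayoutRenderer()
            )
        ));
    }
}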
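/**
 * Activates the user identified by $uuid when $activationToken matches the
 * activation token stored on the user, or returns an error message.
 * Activation revokes the '\Global\Disabled' permission and grants
 * '\Global\Active'.
 *
 * @access protected
 * @param string $uuid
 * @param string $activationToken
 * @return array array('result' => bool, 'message' => string)
 */
protected function activateUser($uuid, $activationToken)
{
    // Check the uuid
    if (!$this->userManager->hasUserForUuid($uuid)) {
        return array(
            'result' => false,
            'message' => $this->translate('Account with the given UUID does not exist.', '\\Zepi\\Web\\AccessControl')
        );
    }

    $user = $this->userManager->getUserForUuid($uuid);
    $storedToken = (string) $user->getMetaData('activationToken');

    // Reject an empty stored token (no activation pending, or meta value unset)
    // instead of letting an empty supplied token match it, and compare in
    // constant time (hash_equals) so the check does not leak how much of the
    // token was guessed correctly.
    // NOTE(review): the stored token is not cleared after use here; confirm
    // with the caller whether activation is meant to be one-time.
    if ($storedToken === '' || !hash_equals($storedToken, (string) $activationToken)) {
        return array(
            'result' => false,
            'message' => $this->translate('The given activation token is not valid.', '\\Zepi\\Web\\AccessControl')
        );
    }

    // Remove the disabled access level and mark the account as active
    $this->accessControlManager->revokePermission($uuid, get_class($user), '\\Global\\Disabled');
    $this->accessControlManager->grantPermission($uuid, get_class($user), '\\Global\\Active', 'Activation');

    return array(
        'result' => true,
        'message' => $this->translate('Your account was activated successfully.', '\\Zepi\\Web\\AccessControl')
    );
}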
/**
 * Displays the delete user confirmation page for the user identified by the
 * "uuid" route parameter and deletes the user once the "confirmation" route
 * parameter is 'confirmed'. Unknown or missing uuids redirect to the user
 * overview.
 *
 * @access public
 * @param \Zepi\Turbo\Framework $framework
 * @param \Zepi\Turbo\Request\WebRequest $request
 * @param \Zepi\Turbo\Response\Response $response
 */
public function execute(Framework $framework, WebRequest $request, Response $response)
{
    // Page title and menu
    $subTitle = $this->translate('Delete user', '\\Zepi\\Web\\AccessControl');
    $pageTitle = $this->translate('User management', '\\Zepi\\Web\\AccessControl') . ' - ' . $subTitle;
    $this->setTitle($pageTitle, $subTitle);
    $this->activateMenuEntry('user-administration');

    // Resolve the user; an unknown uuid sends the client back to the overview.
    $uuid = $request->getRouteParam('uuid');
    $userExists = is_string($uuid) && $this->userManager->hasUserForUuid($uuid);
    if (!$userExists) {
        $response->redirectTo($request->getFullRoute('/administration/users/'));
        return;
    }

    $user = $this->userManager->getUserForUuid($uuid);

    // Deletion happens only after explicit confirmation via the route parameter.
    // NOTE(review): confirm that the framework applies CSRF protection to
    // this route, since the confirmation is carried by the URL alone.
    $confirmed = $request->getRouteParam('confirmation') === 'confirmed';
    if (!$confirmed) {
        $response->setOutput($this->render(
            '\\Zepi\\Web\\AccessControl\\Templates\\Administration\\DeleteUser',
            array('user' => $user)
        ));
        return;
    }

    $this->userManager->deleteUser($user);
    $response->setOutput($this->render(
        '\\Zepi\\Web\\AccessControl\\Templates\\Administration\\DeleteUserFinished',
        array('user' => $user)
    ));
}