userhelper: use orm for some things
This commit is contained in:
parent
f38be747d1
commit
127a868e40
|
@ -1,20 +1,17 @@
|
||||||
<?php
|
<?php
|
||||||
class Pref_Users extends Handler_Administrative {
|
class Pref_Users extends Handler_Administrative {
|
||||||
function csrf_ignore($method) {
|
function csrf_ignore($method) {
|
||||||
$csrf_ignored = array("index");
|
return $method == "index";
|
||||||
|
|
||||||
return array_search($method, $csrf_ignored) !== false;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
function edit() {
|
function edit() {
|
||||||
|
$user = ORM::for_table('ttrss_users')
|
||||||
|
->find_one((int)$_REQUEST["id"])
|
||||||
|
->as_array();
|
||||||
|
|
||||||
global $access_level_names;
|
global $access_level_names;
|
||||||
|
|
||||||
$id = (int)clean($_REQUEST["id"]);
|
if ($user) {
|
||||||
|
|
||||||
$sth = $this->pdo->prepare("SELECT id, login, access_level, email FROM ttrss_users WHERE id = ?");
|
|
||||||
$sth->execute([$id]);
|
|
||||||
|
|
||||||
if ($user = $sth->fetch(PDO::FETCH_ASSOC)) {
|
|
||||||
print json_encode([
|
print json_encode([
|
||||||
"user" => $user,
|
"user" => $user,
|
||||||
"access_level_names" => $access_level_names
|
"access_level_names" => $access_level_names
|
||||||
|
@ -124,7 +121,7 @@ class Pref_Users extends Handler_Administrative {
|
||||||
}
|
}
|
||||||
|
|
||||||
if ($password) {
|
if ($password) {
|
||||||
UserHelper::reset_password($uid, false, $password);
|
UserHelper::reset_password($id, false, $password);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -149,16 +146,22 @@ class Pref_Users extends Handler_Administrative {
|
||||||
$login = clean($_REQUEST["login"]);
|
$login = clean($_REQUEST["login"]);
|
||||||
$tmp_user_pwd = make_password();
|
$tmp_user_pwd = make_password();
|
||||||
$salt = UserHelper::get_salt();
|
$salt = UserHelper::get_salt();
|
||||||
$pwd_hash = UserHelper::hash_password($tmp_user_pwd, $salt, UserHelper::HASH_ALGOS[0]);
|
|
||||||
|
|
||||||
if (!$login) return; // no blank usernames
|
if (!$login) return; // no blank usernames
|
||||||
|
|
||||||
if (!UserHelper::find_user_by_login($login)) {
|
if (!UserHelper::find_user_by_login($login)) {
|
||||||
|
|
||||||
$sth = $this->pdo->prepare("INSERT INTO ttrss_users
|
$user = ORM::for_table('ttrss_users')->create();
|
||||||
(login,pwd_hash,access_level,last_login,created, salt)
|
|
||||||
VALUES (LOWER(?), ?, 0, null, NOW(), ?)");
|
$tmp_user_pwd = make_password();
|
||||||
$sth->execute([$login, $pwd_hash, $salt]);
|
$salt = UserHelper::get_salt();
|
||||||
|
|
||||||
|
$user->login = $login;
|
||||||
|
$user->pwd_hash = UserHelper::hash_password($tmp_user_pwd, $salt);
|
||||||
|
$user->access_level = 0;
|
||||||
|
$user->salt = $salt;
|
||||||
|
$user->created = 'NOW()';
|
||||||
|
$user->save();
|
||||||
|
|
||||||
if ($new_uid = UserHelper::find_user_by_login($login)) {
|
if ($new_uid = UserHelper::find_user_by_login($login)) {
|
||||||
|
|
||||||
|
|
|
@ -39,29 +39,27 @@ class UserHelper {
|
||||||
|
|
||||||
session_regenerate_id(true);
|
session_regenerate_id(true);
|
||||||
|
|
||||||
|
$user = ORM::for_table('ttrss_users')->find_one($user_id);
|
||||||
|
|
||||||
|
if ($user) {
|
||||||
$_SESSION["uid"] = $user_id;
|
$_SESSION["uid"] = $user_id;
|
||||||
$_SESSION["auth_module"] = $auth_module;
|
$_SESSION["auth_module"] = $auth_module;
|
||||||
|
$_SESSION["name"] = $user->login;
|
||||||
$pdo = Db::pdo();
|
$_SESSION["access_level"] = $user->access_level;
|
||||||
$sth = $pdo->prepare("SELECT login,access_level,pwd_hash FROM ttrss_users
|
|
||||||
WHERE id = ?");
|
|
||||||
$sth->execute([$user_id]);
|
|
||||||
$row = $sth->fetch();
|
|
||||||
|
|
||||||
$_SESSION["name"] = $row["login"];
|
|
||||||
$_SESSION["access_level"] = $row["access_level"];
|
|
||||||
$_SESSION["csrf_token"] = bin2hex(get_random_bytes(16));
|
$_SESSION["csrf_token"] = bin2hex(get_random_bytes(16));
|
||||||
|
|
||||||
$usth = $pdo->prepare("UPDATE ttrss_users SET last_login = NOW() WHERE id = ?");
|
|
||||||
$usth->execute([$user_id]);
|
|
||||||
|
|
||||||
$_SESSION["ip_address"] = UserHelper::get_user_ip();
|
$_SESSION["ip_address"] = UserHelper::get_user_ip();
|
||||||
$_SESSION["user_agent"] = sha1($_SERVER['HTTP_USER_AGENT']);
|
$_SESSION["user_agent"] = sha1($_SERVER['HTTP_USER_AGENT']);
|
||||||
$_SESSION["pwd_hash"] = $row["pwd_hash"];
|
$_SESSION["pwd_hash"] = $user->pwd_hash;
|
||||||
|
|
||||||
|
$user->last_login = 'NOW()';
|
||||||
|
$user->save();
|
||||||
|
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
if ($login && $password && !$user_id && !$check_only)
|
if ($login && $password && !$user_id && !$check_only)
|
||||||
Logger::log(E_USER_WARNING, "Failed login attempt for $login (service: $service) from " . UserHelper::get_user_ip());
|
Logger::log(E_USER_WARNING, "Failed login attempt for $login (service: $service) from " . UserHelper::get_user_ip());
|
||||||
|
|
||||||
|
@ -167,29 +165,23 @@ class UserHelper {
|
||||||
}
|
}
|
||||||
|
|
||||||
static function get_login_by_id(int $id) {
|
static function get_login_by_id(int $id) {
|
||||||
$pdo = Db::pdo();
|
$user = ORM::for_table('ttrss_users')
|
||||||
|
->find_one($id);
|
||||||
$sth = $pdo->prepare("SELECT login FROM ttrss_users WHERE id = ?");
|
|
||||||
$sth->execute([$id]);
|
|
||||||
|
|
||||||
if ($row = $sth->fetch()) {
|
|
||||||
return $row["login"];
|
|
||||||
}
|
|
||||||
|
|
||||||
|
if ($user)
|
||||||
|
return $user->login;
|
||||||
|
else
|
||||||
return null;
|
return null;
|
||||||
}
|
}
|
||||||
|
|
||||||
static function find_user_by_login(string $login) {
|
static function find_user_by_login(string $login) {
|
||||||
$pdo = Db::pdo();
|
$user = ORM::for_table('ttrss_users')
|
||||||
|
->where('login', $login)
|
||||||
$sth = $pdo->prepare("SELECT id FROM ttrss_users WHERE
|
->find_one();
|
||||||
LOWER(login) = LOWER(?)");
|
|
||||||
$sth->execute([$login]);
|
|
||||||
|
|
||||||
if ($row = $sth->fetch()) {
|
|
||||||
return $row["id"];
|
|
||||||
}
|
|
||||||
|
|
||||||
|
if ($user)
|
||||||
|
return $user->id;
|
||||||
|
else
|
||||||
return null;
|
return null;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -224,12 +216,17 @@ class UserHelper {
|
||||||
|
|
||||||
$pwd_hash = self::hash_password($tmp_user_pwd, $new_salt, self::HASH_ALGOS[0]);
|
$pwd_hash = self::hash_password($tmp_user_pwd, $new_salt, self::HASH_ALGOS[0]);
|
||||||
|
|
||||||
$sth = $pdo->prepare("UPDATE ttrss_users
|
$user = ORM::for_table('ttrss_users')->find_one($uid);
|
||||||
SET pwd_hash = ?, salt = ?, otp_enabled = false
|
|
||||||
WHERE id = ?");
|
if ($user) {
|
||||||
$sth->execute([$pwd_hash, $new_salt, $uid]);
|
$user->pwd_hash = $pwd_hash;
|
||||||
|
$user->salt = $new_salt;
|
||||||
|
$user->save();
|
||||||
|
|
||||||
$message = T_sprintf("Changed password of user %s to %s", "<strong>$login</strong>", "<strong>$tmp_user_pwd</strong>");
|
$message = T_sprintf("Changed password of user %s to %s", "<strong>$login</strong>", "<strong>$tmp_user_pwd</strong>");
|
||||||
|
} else {
|
||||||
|
$message = T_sprintf("User not found: %s", $login);
|
||||||
|
}
|
||||||
|
|
||||||
if ($format_output)
|
if ($format_output)
|
||||||
print_notice($message);
|
print_notice($message);
|
||||||
|
@ -246,10 +243,16 @@ class UserHelper {
|
||||||
}
|
}
|
||||||
|
|
||||||
static function disable_otp(int $owner_uid) : bool {
|
static function disable_otp(int $owner_uid) : bool {
|
||||||
$sth = Db::pdo()->prepare("UPDATE ttrss_users SET otp_enabled = false WHERE id = ?");
|
$user = ORM::for_table('ttrss_users')->find_one($owner_uid);
|
||||||
$sth->execute([$owner_uid]);
|
|
||||||
|
if ($user) {
|
||||||
|
$user->otp_enabled = false;
|
||||||
|
$user->save();
|
||||||
|
|
||||||
return true;
|
return true;
|
||||||
|
} else {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
static function enable_otp(int $owner_uid, int $otp_check) : bool {
|
static function enable_otp(int $owner_uid, int $otp_check) : bool {
|
||||||
|
@ -257,12 +260,12 @@ class UserHelper {
|
||||||
|
|
||||||
if ($secret) {
|
if ($secret) {
|
||||||
$otp = TOTP::create($secret);
|
$otp = TOTP::create($secret);
|
||||||
|
$user = ORM::for_table('ttrss_users')->find_one($owner_uid);
|
||||||
|
|
||||||
if ($otp->now() == $otp_check) {
|
if ($otp->now() == $otp_check && $user) {
|
||||||
$sth = Db::pdo()->prepare("UPDATE ttrss_users
|
|
||||||
SET otp_enabled = true WHERE id = ?");
|
|
||||||
|
|
||||||
$sth->execute([$owner_uid]);
|
$user->otp_enabled = true;
|
||||||
|
$user->save();
|
||||||
|
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
@ -272,24 +275,21 @@ class UserHelper {
|
||||||
|
|
||||||
|
|
||||||
static function is_otp_enabled(int $owner_uid) : bool {
|
static function is_otp_enabled(int $owner_uid) : bool {
|
||||||
$sth = Db::pdo()->prepare("SELECT otp_enabled FROM ttrss_users WHERE id = ?");
|
$user = ORM::for_table('ttrss_users')->find_one($owner_uid);
|
||||||
$sth->execute([$owner_uid]);
|
|
||||||
|
|
||||||
if ($row = $sth->fetch()) {
|
|
||||||
return sql_bool_to_bool($row["otp_enabled"]);
|
|
||||||
}
|
|
||||||
|
|
||||||
|
if ($user) {
|
||||||
|
return $user->otp_enabled;
|
||||||
|
} else {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
static function get_otp_secret(int $owner_uid, bool $show_if_enabled = false) {
|
static function get_otp_secret(int $owner_uid, bool $show_if_enabled = false) {
|
||||||
$sth = Db::pdo()->prepare("SELECT salt, otp_enabled FROM ttrss_users WHERE id = ?");
|
$user = ORM::for_table('ttrss_users')->find_one($owner_uid);
|
||||||
$sth->execute([$owner_uid]);
|
|
||||||
|
|
||||||
if ($row = $sth->fetch()) {
|
if ($user) {
|
||||||
if (!sql_bool_to_bool($row["otp_enabled"]) || $show_if_enabled) {
|
if (!$user->otp_enabled || $show_if_enabled)
|
||||||
return \ParagonIE\ConstantTime\Base32::encodeUpperUnpadded(mb_substr(sha1($row["salt"]), 0, 12));
|
return \ParagonIE\ConstantTime\Base32::encodeUpperUnpadded(mb_substr(sha1($user->salt), 0, 12));
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
return null;
|
return null;
|
||||||
|
@ -307,7 +307,10 @@ class UserHelper {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
static function hash_password(string $pass, string $salt, string $algo) {
|
static function hash_password(string $pass, string $salt, string $algo = "") {
|
||||||
|
|
||||||
|
if (!$algo) $algo = self::HASH_ALGOS[0];
|
||||||
|
|
||||||
$pass_hash = "";
|
$pass_hash = "";
|
||||||
|
|
||||||
switch ($algo) {
|
switch ($algo) {
|
||||||
|
|
Loading…
Reference in New Issue