mirror/php-e107
1
0
Fork 0
mirror of https://github.com/e107inc/e107.git synced 2025-08-01 20:30:39 +02:00
Code Issues Releases Wiki Activity

EONE-62 (New Feature): login/init session working now; added user preferences management; new experimental feature 'login as'; need more work regarding DB related operations and security

Browse Source
This commit is contained in:
secretr
2010-05-13 15:47:31 +00:00
parent 252100989e
commit f713eb0d15
7 changed files with 705 additions and 185 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
class2.php
View File

@@ -2,16 +2,14 @@
/* /*
* e107 website system * e107 website system
* *
* Copyright (C) 2008-2009 e107 Inc (e107.org) * Copyright (C) 2008-2010 e107 Inc (e107.org)
* Released under the terms and conditions of the * Released under the terms and conditions of the
* GNU General Public License (http://www.gnu.org/licenses/gpl.txt) * GNU General Public License (http://www.gnu.org/licenses/gpl.txt)
* *
* General purpose file * General purpose file
* *
* $Source: /cvs_backup/e107_0.8/class2.php,v $ * $URL$
* $Revision$ * $Id$
* $Date$
* $Author$
* *
*/ */
// //
@@ -1556,10 +1554,11 @@ function init_session()
*/ */
global $pref, $user_pref, $currentUser, $e107, $_E107; global $pref, $user_pref, $currentUser, $_E107;
$sql = e107::getDb(); $sql = e107::getDb();
$tp = e107::getParser(); $tp = e107::getParser();
$e107 = e107::getInstance();
$eArrayStorage = e107::getArrayStorage(); $eArrayStorage = e107::getArrayStorage();
@@ -1596,7 +1595,7 @@ function init_session()
{ {
list($uid, $upw)=(isset($_COOKIE[e_COOKIE]) && $_COOKIE[e_COOKIE] ? explode(".", $_COOKIE[e_COOKIE]) : explode(".", $_SESSION[e_COOKIE])); list($uid, $upw)=(isset($_COOKIE[e_COOKIE]) && $_COOKIE[e_COOKIE] ? explode(".", $_COOKIE[e_COOKIE]) : explode(".", $_SESSION[e_COOKIE]));
} }
else else // FIXME - this will never happen - see above
{ {
list($uid, $upw)= explode('.', $cli_log); list($uid, $upw)= explode('.', $cli_log);
} }

55
e107_handlers/e107_class.php
View File

@@ -51,6 +51,14 @@ class e107
public $site_theme; public $site_theme;
/**
* Contains reference to global $_E107 array
* Assignment is done inside prepare_request() method
*
* @var array
*/
protected $_E107 = array();
/** /**
* @var string Current request type (http or https) * @var string Current request type (http or https)
*/ */
@@ -175,6 +183,7 @@ class e107
'sitelinks' => '{e_HANDLER}sitelinks_class.php', 'sitelinks' => '{e_HANDLER}sitelinks_class.php',
'themeHandler' => '{e_HANDLER}theme_handler.php', 'themeHandler' => '{e_HANDLER}theme_handler.php',
'user_class' => '{e_HANDLER}userclass_class.php', 'user_class' => '{e_HANDLER}userclass_class.php',
'userlogin' => '{e_HANDLER}login.php',
'xmlClass' => '{e_HANDLER}xml_class.php', 'xmlClass' => '{e_HANDLER}xml_class.php',
); );
@@ -477,6 +486,31 @@ class e107
return (isset($this->e107_dirs[$key]) ? $this->e107_dirs[$key] : ''); return (isset($this->e107_dirs[$key]) ? $this->e107_dirs[$key] : '');
} }
/**
* Get value from $_E107 config array
* Note: will always return false if called before prepare_request() method!
*
* @param string $key
* @return boolean
*/
public static function getE107($key)
{
$self = self::getInstance();
return (isset($self->_E107[$key]) && $self->_E107[$key] ? true : false);
}
/**
* Convenient proxy to $_E107 getter - check if
* the system is currently running in cli mode
* Note: will always return false if called before prepare_request() method!
*
* @return boolean
*/
public static function isCli()
{
return self::getE107('cli');
}
/** /**
* Get mysql config var (e107_config.php) * Get mysql config var (e107_config.php)
* Replaces all $mySQL(*) globals * Replaces all $mySQL(*) globals
@@ -1099,7 +1133,7 @@ class e107
{ {
return self::getUser(); return self::getUser();
} }
$user = self::getRegistry('targets/core/user/'.$user_id); $user = self::getRegistry('core/e107/user/'.$user_id);
if(null === $user) if(null === $user)
{ {
$user = self::getObject('e_system_user'); $user = self::getObject('e_system_user');
@@ -1115,7 +1149,13 @@ class e107
*/ */
public static function getUser() public static function getUser()
{ {
return self::getSingleton('e_user', true, 'targets/core/current_user'); $user = self::getRegistry('core/e107/current_user');
if(null === $user)
{
$user = self::getObject('e_user');
self::setRegistry('core/e107/current_user', $user);
}
return $user;
} }
/** /**
@@ -1731,8 +1771,11 @@ class e107
} }
} }
// we can now start use $e107->_E107
if(isset($GLOBALS['_E107']) && is_array($GLOBALS['_E107'])) $this->_E107 = & $GLOBALS['_E107'];
// remove ajax_used=1 from query string to avoid SELF problems, ajax should always be detected via e_AJAX_REQUEST constant // remove ajax_used=1 from query string to avoid SELF problems, ajax should always be detected via e_AJAX_REQUEST constant
$_SERVER['QUERY_STRING'] = str_replace(array('ajax_used=1', '&&'), array('', '&'), $_SERVER['QUERY_STRING']); $_SERVER['QUERY_STRING'] = trim(str_replace(array('ajax_used=1', '&&'), array('', '&'), $_SERVER['QUERY_STRING']), '&');
// e107 uses relative url's, which are broken by "pretty" URL's. So for now we don't support / after .php // e107 uses relative url's, which are broken by "pretty" URL's. So for now we don't support / after .php
if(($pos = strpos($_SERVER['PHP_SELF'], '.php/')) !== false) // redirect bad URLs to the correct one. if(($pos = strpos($_SERVER['PHP_SELF'], '.php/')) !== false) // redirect bad URLs to the correct one.
@@ -1853,8 +1896,6 @@ class e107
*/ */
public function set_paths() public function set_paths()
{ {
global $_E107;
// ssl_enabled pref not needed anymore, scheme is auto-detected // ssl_enabled pref not needed anymore, scheme is auto-detected
$this->HTTP_SCHEME = 'http'; $this->HTTP_SCHEME = 'http';
if(isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on') if(isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on')
@@ -1865,7 +1906,7 @@ class e107
$path = ""; $i = 0; $path = ""; $i = 0;
// FIXME - Again, what if someone moves handlers under the webroot? // FIXME - Again, what if someone moves handlers under the webroot?
if(!isset($_E107['cli'])) if(!self::isCli())
{ {
while (!file_exists("{$path}class2.php")) while (!file_exists("{$path}class2.php"))
{ {
@@ -1904,7 +1945,7 @@ class e107
} }
define('e_ROOT', $e_ROOT); // Specified format gives trailing slash already (at least on Windows) define('e_ROOT', $e_ROOT); // Specified format gives trailing slash already (at least on Windows)
$this->relative_base_path = (!isset($_E107['cli'])) ? $path : e_ROOT; $this->relative_base_path = (!self::isCli()) ? $path : e_ROOT;
$this->http_path = "http://{$_SERVER['HTTP_HOST']}{$this->server_path}"; $this->http_path = "http://{$_SERVER['HTTP_HOST']}{$this->server_path}";
$this->https_path = "https://{$_SERVER['HTTP_HOST']}{$this->server_path}"; $this->https_path = "https://{$_SERVER['HTTP_HOST']}{$this->server_path}";
$this->file_path = $path; $this->file_path = $path;

37
e107_handlers/login.php
View File

@@ -3,16 +3,14 @@
/* /*
* e107 website system * e107 website system
* *
* Copyright (C) 2008-2009 e107 Inc (e107.org) * Copyright (C) 2008-2010 e107 Inc (e107.org)
* Released under the terms and conditions of the * Released under the terms and conditions of the
* GNU General Public License (http://www.gnu.org/licenses/gpl.txt) * GNU General Public License (http://www.gnu.org/licenses/gpl.txt)
* *
* e107 Main * e107 Main
* *
* $Source: /cvs_backup/e107_0.8/e107_handlers/login.php,v $ * $Id$
* $Revision$ * $URL$
* $Date$
* $Author$
*/ */
@@ -61,7 +59,7 @@ class userlogin
' @param string $response - response string returned by CHAP login (instead of password) ' @param string $response - response string returned by CHAP login (instead of password)
# @return boolean - FALSE on login fail, TRUE on login successful # @return boolean - FALSE on login fail, TRUE on login successful
*/ */
public function __construct($username, $userpass, $autologin, $response = '') public function __construct($username, $userpass, $autologin, $response = '', $noredirect = false)
{ {
global $pref, $e_event, $_E107; global $pref, $e_event, $_E107;
@@ -72,7 +70,7 @@ class userlogin
{ {
return FALSE; return FALSE;
} }
$tp = e107::getParser(); $tp = e107::getParser();
$sql = e107::getDb(); $sql = e107::getDb();
@@ -102,7 +100,7 @@ class userlogin
{ {
if (varset($pref['auth_badpassword'], TRUE) || ($this->checkUserPassword($userpass, $response, $forceLogin) === TRUE)) if (varset($pref['auth_badpassword'], TRUE) || ($this->checkUserPassword($userpass, $response, $forceLogin) === TRUE))
{ {
$result = LOGIN_CONTINUE; // Valid User exists in local DB $result = LOGIN_CONTINUE; // Valid User exists in local DB
} }
} }
} }
@@ -248,6 +246,8 @@ class userlogin
} }
} }
if($noredirect) return;
$redir = e_SELF; $redir = e_SELF;
if (e_QUERY) $redir .= '?'.str_replace('&','&',e_QUERY); if (e_QUERY) $redir .= '?'.str_replace('&','&',e_QUERY);
if (isset($pref['frontpage_force']) && is_array($pref['frontpage_force'])) if (isset($pref['frontpage_force']) && is_array($pref['frontpage_force']))
@@ -267,19 +267,24 @@ class userlogin
} }
} }
} }
$redirPrev = e107::getRedirect()->getPreviousUrl(); $redirPrev = e107::getRedirect()->getPreviousUrl();
if($redirPrev) if($redirPrev)
{ {
e107::getRedirect()->redirect($redirPrev); e107::getRedirect()->redirect($redirPrev);
} }
e107::getRedirect()->redirect($redir); e107::getRedirect()->redirect($redir);
exit(); exit();
} }
public function getUserData()
{
return $this->userData;
}
/** /**
* Look up a user in the e107 database, according to the options set (for login name/email address) * Look up a user in the e107 database, according to the options set (for login name/email address)
* Note: PASSWORD IS NOT VERIFIED BY THIS ROUTINE * Note: PASSWORD IS NOT VERIFIED BY THIS ROUTINE
@@ -312,7 +317,7 @@ class userlogin
{ // Invalid user { // Invalid user
return $this->invalidLogin($username,LOGIN_BAD_USER); return $this->invalidLogin($username,LOGIN_BAD_USER);
} }
// User is in DB here // User is in DB here
$this->userData = $this->e107->sql -> db_Fetch(MYSQL_ASSOC); // Get user info $this->userData = $this->e107->sql -> db_Fetch(MYSQL_ASSOC); // Get user info
$this->userData['user_perms'] = trim($this->userData['user_perms']); $this->userData['user_perms'] = trim($this->userData['user_perms']);
@@ -432,7 +437,7 @@ class userlogin
break; break;
case LOGIN_NOT_ACTIVATED : case LOGIN_NOT_ACTIVATED :
$srch = array("[","]"); $srch = array("[","]");
$repl = array("<a href='".e_BASE_ABS."signup.php?resend'>","</a>"); $repl = array("<a href='".e_BASE_ABS."signup.php?resend'>","</a>");
define("LOGINMESSAGE", str_replace($srch,$repl,LAN_LOGIN_22)."<br /><br />"); define("LOGINMESSAGE", str_replace($srch,$repl,LAN_LOGIN_22)."<br /><br />");
$this->logNote('LAN_ROLL_LOG_05', $username); $this->logNote('LAN_ROLL_LOG_05', $username);
$this->genNote($username, LAN_LOGIN_27); $this->genNote($username, LAN_LOGIN_27);

4
e107_handlers/model_class.php
View File

@@ -35,7 +35,7 @@ class e_model
protected $_data = array(); protected $_data = array();
/** /**
* Data structure (types) array, required for {@link e_admin_model::sanitize()} method, * Data structure (types) array, required for {@link e_front_model::sanitize()} method,
* it also serves as a map (find data) for building DB queries, * it also serves as a map (find data) for building DB queries,
* copy/sanitize posted data to object data, etc. * copy/sanitize posted data to object data, etc.
* *
@@ -1382,7 +1382,7 @@ class e_front_model extends e_model
* Predefined data fields types, passed to DB handler * Predefined data fields types, passed to DB handler
* *
* @param array $field_types * @param array $field_types
* @return e_model * @return e_front_model
*/ */
public function setDbTypes($field_types) public function setDbTypes($field_types)
{ {

61
e107_handlers/pref_class.php
View File

@@ -2,16 +2,14 @@
/* /*
* e107 website system * e107 website system
* *
* Copyright (C) 2008-2009 e107 Inc (e107.org) * Copyright (C) 2008-2010 e107 Inc (e107.org)
* Released under the terms and conditions of the * Released under the terms and conditions of the
* GNU General Public License (http://www.gnu.org/licenses/gpl.txt) * GNU General Public License (http://www.gnu.org/licenses/gpl.txt)
* *
* e107 Preference Handler * e107 Preference Handler
* *
* $Source: /cvs_backup/e107_0.8/e107_handlers/pref_class.php,v $ * $URL$
* $Revision$ * $Id$
* $Date$
* $Author$
*/ */
if (!defined('e107_INIT')) { exit; } if (!defined('e107_INIT')) { exit; }
@@ -23,11 +21,11 @@ require_once(e_HANDLER.'model_class.php');
* *
* @package e107 * @package e107
* @category e107_handlers * @category e107_handlers
* @version 1.0 * @version $Id$
* @author SecretR * @author SecretR
* @copyright Copyright (c) 2009, e107 Inc. * @copyright Copyright (c) 2009, e107 Inc.
*/ */
class e_pref extends e_admin_model class e_pref extends e_front_model
{ {
/** /**
* Preference ID - DB row value * Preference ID - DB row value
@@ -504,7 +502,7 @@ class e_pref extends e_admin_model
e107::getMessage()->addInfo('Settings not saved as no changes were made.', 'default', $session_messages); e107::getMessage()->addInfo('Settings not saved as no changes were made.', 'default', $session_messages);
return 0; return 0;
} }
$admin_log = e107::getAdminLog(); $admin_log = e107::getAdminLog();
//Save to DB //Save to DB
@@ -538,7 +536,7 @@ class e_pref extends e_admin_model
// auto admin log // auto admin log
if(is_array($old)) // fix install problems - no old prefs available if(is_array($old)) // fix install problems - no old prefs available
{ {
$new = $this->getPref(); $new = $this->getPref();
$admin_log->logArrayDiffs($new, $old, 'PREFS_02', false); $admin_log->logArrayDiffs($new, $old, 'PREFS_02', false);
unset($new, $old); unset($new, $old);
} }
@@ -682,31 +680,16 @@ class e_pref extends e_admin_model
/** /**
* Override * Override
*/ */
public function dbInsert() public function delete()
{ {
} }
/** /**
* Override * Override
*/ */
public function dbUpdate() protected function dbUpdate()
{ {
} }
/**
* Override
*/
public function dbReplace()
{
}
/**
* Override
*/
public function dbDelete()
{
}
} }
/** /**
@@ -861,6 +844,22 @@ class e_plugin_pref extends e_pref
{ {
return $this->plugin_id; return $this->plugin_id;
} }
/**
* Delete plugin preferences
* @see e107_handlers/e_pref#delete()
* @return boolean
*/
public function delete()
{
$ret = false;
if($this->plugin_id)
{
$ret = e107::getDb($this->plugin_id)->db_Delete('core', "e107_name='{$this->plugin_id}'");
$this->destroy();
}
return $ret;
}
} }
/** /**
@@ -1037,13 +1036,13 @@ class prefs
* *
* all pref sets other than menu_pref get toDB() * all pref sets other than menu_pref get toDB()
*/ */
function setArray($name = '', $table = 'core', $uid = USERID) function setArray($name = '', $table = 'core', $uid = USERID)
{ {
$tp = e107::getParser(); $tp = e107::getParser();
if (!strlen($name)) if (!strlen($name))
{ {
switch ($table) switch ($table)
{ {
case 'core': case 'core':
$name = 'pref'; $name = 'pref';
@@ -1055,9 +1054,9 @@ class prefs
} }
global $$name; global $$name;
if ($name != 'menu_pref') if ($name != 'menu_pref')
{ {
foreach($$name as $key => $prefvalue) foreach($$name as $key => $prefvalue)
{ {
$$name[$key] = $tp->toDB($prefvalue); $$name[$key] = $tp->toDB($prefvalue);
} }

148
e107_handlers/user_handler.php
View File

@@ -2,22 +2,20 @@
/* /*
* e107 website system * e107 website system
* *
* Copyright (C) 2008-2009 e107 Inc (e107.org) * Copyright (C) 2008-2010 e107 Inc (e107.org)
* Released under the terms and conditions of the * Released under the terms and conditions of the
* GNU General Public License (http://www.gnu.org/licenses/gpl.txt) * GNU General Public License (http://www.gnu.org/licenses/gpl.txt)
* *
* Handler - user-related functions * Handler - user-related functions
* *
* $Source: /cvs_backup/e107_0.8/e107_handlers/user_handler.php,v $ * $URL$
* $Revision$ * $Id$
* $Date$
* $Author$
* *
*/ */
/** /**
* *
* @package e107 * @package e107
* @subpackage e107_handlers * @subpackage e107_handlers
* @version $Id$; * @version $Id$;
@@ -181,8 +179,8 @@ class UserHandler
* @param string $password - plaintext password as entered by user * @param string $password - plaintext password as entered by user
* @param string $login_name - string used to log in (could actually be email address) * @param string $login_name - string used to log in (could actually be email address)
* @param string $stored_hash - required value for password to match * @param string $stored_hash - required value for password to match
* *
* @return PASSWORD_INVALID|PASSWORD_VALID|string * @return PASSWORD_INVALID|PASSWORD_VALID|string
* PASSWORD_INVALID if no match * PASSWORD_INVALID if no match
* PASSWORD_VALID if valid password * PASSWORD_VALID if valid password
* Return a new hash to store if valid password but non-preferred encoding * Return a new hash to store if valid password but non-preferred encoding
@@ -445,25 +443,27 @@ class UserHandler
* @param array $lode - user information from DB - 'user_id' and 'user_password' required * @param array $lode - user information from DB - 'user_id' and 'user_password' required
* @param bool $autologin - TRUE if the 'Remember Me' box ticked * @param bool $autologin - TRUE if the 'Remember Me' box ticked
* *
* @return none * @return void
*/ */
public function makeUserCookie($lode,$autologin = FALSE) public function makeUserCookie($lode,$autologin = FALSE)
{ {
global $pref; global $pref;
$cookieval = $lode['user_id'].'.'.md5($lode['user_password']); // (Use extra md5 on cookie value to obscure hashed value for password) $cookieval = $lode['user_id'].'.'.md5($lode['user_password']); // (Use extra md5 on cookie value to obscure hashed value for password)
if ($pref['user_tracking'] == 'session') if (e107::getPref('user_tracking') == 'session')
{ {
$_SESSION[$pref['cookie_name']] = $cookieval; $_SESSION[e107::getPref('cookie_name')] = $cookieval;
} }
else else
{ {
if ($autologin == 1) if ($autologin == 1)
{ // Cookie valid for up to 30 days { // Cookie valid for up to 30 days
cookie($pref['cookie_name'], $cookieval, (time() + 3600 * 24 * 30)); cookie(e107::getPref('cookie_name'), $cookieval, (time() + 3600 * 24 * 30));
$_COOKIE[e107::getPref('cookie_name')] = $cookieval; // make it available to the global scope before the page is reloaded
} }
else else
{ {
cookie($pref['cookie_name'], $cookieval); cookie(e107::getPref('cookie_name'), $cookieval);
$_COOKIE[e107::getPref('cookie_name')] = $cookieval; // make it available to the global scope before the page is reloaded
} }
} }
} }
@@ -833,7 +833,7 @@ e107::includeLan(e_LANGUAGEDIR.e_LANGUAGE."/admin/lan_administrator.php");
class e_userperms class e_userperms
{ {
protected $core_perms = array( protected $core_perms = array(
"1"=> ADMSLAN_19, "1"=> ADMSLAN_19,
"2"=> ADMSLAN_20, "2"=> ADMSLAN_20,
"3"=> ADMSLAN_21, "3"=> ADMSLAN_21,
@@ -868,39 +868,39 @@ class e_userperms
"N"=> ADMSLAN_47, "N"=> ADMSLAN_47,
// "Z"=> ADMSLAN_62, // "Z"=> ADMSLAN_62,
); );
protected $plugin_perms = array(); protected $plugin_perms = array();
protected $language_perms = array(); protected $language_perms = array();
protected $main_perms = array(); protected $main_perms = array();
protected $permSectionDiz = array( protected $permSectionDiz = array(
'core' => ADMSLAN_74, 'core' => ADMSLAN_74,
'plugin' => ADLAN_CL_7, 'plugin' => ADLAN_CL_7,
'language' => ADLAN_132, 'language' => ADLAN_132,
'main' => ADMSLAN_58 'main' => ADMSLAN_58
); );
function __construct() function __construct()
{ {
$sql = e107::getDb('sql2'); $sql = e107::getDb('sql2');
$tp = e107::getParser(); $tp = e107::getParser();
$sql->db_Select("plugin", "*", "plugin_installflag='1'"); $sql->db_Select("plugin", "*", "plugin_installflag='1'");
while ($row2 = $sql->db_Fetch()) while ($row2 = $sql->db_Fetch())
{ {
$this->plugin_perms[("P".$row2['plugin_id'])] = LAN_PLUGIN." - ".$tp->toHTML($row2['plugin_name'], FALSE, 'RAWTEXT,defs'); $this->plugin_perms[("P".$row2['plugin_id'])] = LAN_PLUGIN." - ".$tp->toHTML($row2['plugin_name'], FALSE, 'RAWTEXT,defs');
} }
asort($this->plugin_perms); asort($this->plugin_perms);
$this->plugin_perms = array("Z"=>ADMSLAN_62) + $this->plugin_perms; $this->plugin_perms = array("Z"=>ADMSLAN_62) + $this->plugin_perms;
if(e107::getConfig()->getPref('multilanguage')) if(e107::getConfig()->getPref('multilanguage'))
{ {
$lanlist = explode(",",e_LANLIST); $lanlist = explode(",",e_LANLIST);
@@ -910,20 +910,20 @@ class e_userperms
$this->language_perms[$langs] = $langs; $this->language_perms[$langs] = $langs;
} }
} }
if(getperms('0')) if(getperms('0'))
{ {
$this->main_perms = array('0' => ADMSLAN_58); $this->main_perms = array('0' => ADMSLAN_58);
} }
} }
function renderSectionDiz($key) function renderSectionDiz($key)
{ {
return $this->permSectionDiz[$key]; return $this->permSectionDiz[$key];
} }
function getPermList($type='all') function getPermList($type='all')
{ {
if($type == 'core') if($type == 'core')
@@ -942,34 +942,34 @@ class e_userperms
{ {
return $this->main_perms; return $this->main_perms;
} }
if($type == 'grouped') if($type == 'grouped')
{ {
$ret = array(); $ret = array();
$ret['core'] = $this->core_perms; $ret['core'] = $this->core_perms;
$ret['plugin'] = $this->plugin_perms; $ret['plugin'] = $this->plugin_perms;
if(vartrue($this->language_perms)) if(vartrue($this->language_perms))
{ {
$ret['language'] = $this->language_perms; $ret['language'] = $this->language_perms;
} }
if(vartrue($this->main_perms)) if(vartrue($this->main_perms))
{ {
$ret['main'] = $this->main_perms; $ret['main'] = $this->main_perms;
} }
return $ret; return $ret;
} }
return array_merge($this->core_perms,$this->plugin_perms,$this->language_perms,$this->main_perms); return array_merge($this->core_perms,$this->plugin_perms,$this->language_perms,$this->main_perms);
} }
function checkb($arg, $perms, $label='') function checkb($arg, $perms, $label='')
{ {
$frm = e107::getForm(); $frm = e107::getForm();
$par = "<div class='field-spacer'>"; $par = "<div class='field-spacer'>";
$par .= $frm->checkbox('perms[]', $arg, getperms($arg, $perms)); $par .= $frm->checkbox('perms[]', $arg, getperms($arg, $perms));
if ($label) if ($label)
@@ -977,44 +977,44 @@ class e_userperms
$par .= $frm->label($label,'perms[]', $arg); $par .= $frm->label($label,'perms[]', $arg);
} }
$par .= "</div>\n"; $par .= "</div>\n";
return $par; return $par;
} }
function renderPerms($perms,$uniqueID='') function renderPerms($perms,$uniqueID='')
{ {
$tmp = explode(".",$perms); $tmp = explode(".",$perms);
$permdiz = $this->getPermList(); $permdiz = $this->getPermList();
$ptext = array(); $ptext = array();
foreach($tmp as $p) foreach($tmp as $p)
{ {
$ptext[] = $permdiz[$p]; $ptext[] = $permdiz[$p];
} }
$id = "id_".$uniqueID; $id = "id_".$uniqueID;
$text = "<div onclick=\"e107Helper.toggle('id_{$id}')\" class='e-pointer' title='".ADMSLAN_71."'>{$perms}</div>"; $text = "<div onclick=\"e107Helper.toggle('id_{$id}')\" class='e-pointer' title='".ADMSLAN_71."'>{$perms}</div>";
if(varset($ptext)) if(varset($ptext))
{ {
$text .= "<div id='id_{$id}' class='e-hideme'><ul><li>".implode("</li><li>",$ptext)."</li></ul></div>"; $text .= "<div id='id_{$id}' class='e-hideme'><ul><li>".implode("</li><li>",$ptext)."</li></ul></div>";
} }
/* /*
$text = "<a href='#".$id."' class='e-expandit' title='".ADMSLAN_71."'>{$perms}</a>"; $text = "<a href='#".$id."' class='e-expandit' title='".ADMSLAN_71."'>{$perms}</a>";
if(varset($ptext)) if(varset($ptext))
{ {
$text .= "<div class='e-hideme' id='".$id."' ><ul><li>".implode("</li><li>",$ptext)."</li></ul></div>"; $text .= "<div class='e-hideme' id='".$id."' ><ul><li>".implode("</li><li>",$ptext)."</li></ul></div>";
} }
*/ */
return $text; return $text;
} }
/** /**
* Render edit admin perms form. * Render edit admin perms form.
* *
* @param array $row [optional] containing $row['user_id'], $row['user_name'], $row['user_perms']; * @param array $row [optional] containing $row['user_id'], $row['user_name'], $row['user_perms'];
* @return void * @return void
@@ -1028,12 +1028,12 @@ class e_userperms
$ns = e107::getRender(); $ns = e107::getRender();
$sql = e107::getDb(); $sql = e107::getDb();
$frm = e107::getForm(); $frm = e107::getForm();
$a_id = $row['user_id']; $a_id = $row['user_id'];
$ad_name = $row['user_name']; $ad_name = $row['user_name'];
$a_perms = $row['user_perms']; $a_perms = $row['user_perms'];
$text = " $text = "
<form method='post' action='".e_SELF."' id='myform'> <form method='post' action='".e_SELF."' id='myform'>
<fieldset id='core-administrator-edit'> <fieldset id='core-administrator-edit'>
@@ -1054,21 +1054,21 @@ class e_userperms
<tr> <tr>
<td class='label'>".ADMSLAN_18."</td> <td class='label'>".ADMSLAN_18."</td>
<td class='control'> <td class='control'>
"; ";
$groupedList = $prm->getPermList('grouped'); $groupedList = $prm->getPermList('grouped');
foreach($groupedList as $section=>$list) foreach($groupedList as $section=>$list)
{ {
$text .= "\t\t<div class='field-section'><h4>".$prm->renderSectionDiz($section)."</h4>"; //XXX Lan - General $text .= "\t\t<div class='field-section'><h4>".$prm->renderSectionDiz($section)."</h4>"; //XXX Lan - General
foreach($list as $key=>$diz) foreach($list as $key=>$diz)
{ {
$text .= $prm->checkb($key, $a_perms, $diz); $text .= $prm->checkb($key, $a_perms, $diz);
} }
$text .= "</div>"; $text .= "</div>";
} }
$text .= "<div class='field-section'> $text .= "<div class='field-section'>
".$frm->admin_button('check_all', 'jstarget:perms', 'action', LAN_CHECKALL)." ".$frm->admin_button('check_all', 'jstarget:perms', 'action', LAN_CHECKALL)."
".$frm->admin_button('uncheck_all', 'jstarget:perms', 'action', LAN_UNCHECKALL)." ".$frm->admin_button('uncheck_all', 'jstarget:perms', 'action', LAN_UNCHECKALL)."
@@ -1085,37 +1085,37 @@ class e_userperms
</fieldset> </fieldset>
</form> </form>
"; ";
$ns->tablerender(ADMSLAN_52, $text); $ns->tablerender(ADMSLAN_52, $text);
} }
/** /**
* Update user (admin) permissions. * Update user (admin) permissions.
* NOTE: exit if $uid is not an integer or is 0. * NOTE: exit if $uid is not an integer or is 0.
* *
* @param integer $uid * @param integer $uid
* @param array $permArray eg. array('A', 'K', '1'); * @param array $permArray eg. array('A', 'K', '1');
* @return void * @return void
*/ */
function updatePerms($uid, $permArray) function updatePerms($uid, $permArray)
{ {
global $admin_log; global $admin_log;
$sql = e107::getDb(); $sql = e107::getDb();
$tp = e107::getParser(); $tp = e107::getParser();
$modID = intval($uid); $modID = intval($uid);
if ($modID == 0) if ($modID == 0)
{ {
exit(); exit();
} }
$sql->db_Select("user", "*", "user_id=".$modID); $sql->db_Select("user", "*", "user_id=".$modID);
$row = $sql->db_Fetch(); $row = $sql->db_Fetch();
$a_name = $row['user_name']; $a_name = $row['user_name'];
$perm = ""; $perm = "";
foreach($permArray as $value) foreach($permArray as $value)
{ {
$value = $tp->toDB($value); $value = $tp->toDB($value);
@@ -1124,13 +1124,13 @@ class e_userperms
if (!getperms('0')) { $value = ""; break; } if (!getperms('0')) { $value = ""; break; }
$perm = "0"; break; $perm = "0"; break;
} }
if ($value) if ($value)
{ {
$perm .= $value."."; $perm .= $value.".";
} }
} }
admin_update($sql->db_Update("user", "user_perms='{$perm}' WHERE user_id='{$modID}' "), 'update', sprintf(ADMSLAN_2, $tp->toDB($_POST['ad_name'])), false, false); admin_update($sql->db_Update("user", "user_perms='{$perm}' WHERE user_id='{$modID}' "), 'update', sprintf(ADMSLAN_2, $tp->toDB($_POST['ad_name'])), false, false);
$logMsg = str_replace(array('--ID--', '--NAME--'),array($modID, $a_name),ADMSLAN_72).$perm; $logMsg = str_replace(array('--ID--', '--NAME--'),array($modID, $a_name),ADMSLAN_72).$perm;
$admin_log->log_event('ADMIN_01',$logMsg,E_LOG_INFORMATIVE,''); $admin_log->log_event('ADMIN_01',$logMsg,E_LOG_INFORMATIVE,'');

572
e107_handlers/user_model.php
View File

@@ -69,7 +69,7 @@ class e_user_model extends e_front_model
protected $_validation_rules = array( protected $_validation_rules = array(
'user_name' => array('string', '1', 'LAN_USER_01', 'LAN_USER_HELP_01'), // TODO - regex 'user_name' => array('string', '1', 'LAN_USER_01', 'LAN_USER_HELP_01'), // TODO - regex
'user_loginname' => array('string', '1', 'LAN_USER_02', 'LAN_USER_HELP_02'), // TODO - regex 'user_loginname' => array('string', '1', 'LAN_USER_02', 'LAN_USER_HELP_02'), // TODO - regex
'user_password' => array('string', '5', 'LAN_USER_05', 'LAN_USER_HELP_05'), // TODO - pref - modify it somewhere below 'user_password' => array('compare', '5', 'LAN_USER_05', 'LAN_USER_HELP_05'), // TODO - pref - modify it somewhere below - prepare_rules()?
'user_email' => array('email', '', 'LAN_USER_08', 'LAN_USER_HELP_08'), 'user_email' => array('email', '', 'LAN_USER_08', 'LAN_USER_HELP_08'),
); );
@@ -113,6 +113,12 @@ class e_user_model extends e_front_model
*/ */
protected $_extended_structure = null; protected $_extended_structure = null;
/**
* User preferences model
* @var e_user_pref
*/
protected $_user_config = null;
/** /**
* User model of current editor * User model of current editor
* @var e_user_model * @var e_user_model
@@ -176,7 +182,7 @@ class e_user_model extends e_front_model
public function hasEditor() public function hasEditor()
{ {
return null !== $this->_editor; return (null !== $this->_editor);
} }
final protected function _setClassList($uid = '') final protected function _setClassList($uid = '')
@@ -247,24 +253,74 @@ class e_user_model extends e_front_model
* *
* @param string$field * @param string$field
* @param string $default * @param string $default
* @param boolean $short if true, 'user_' prefix will be added to field name
* @return mixed * @return mixed
*/ */
public function getValue($field, $default = '') public function getValue($field, $default = '', $short = true)
{ {
$field = 'user_'.$field; if($short) $field = 'user_'.$field;
return $this->get($field, $default); return $this->get($field, $default);
} }
/** /**
* Set User value * Set User value - only when writable
* @param string $field * @param string $field
* @param mixed $value * @param mixed $value
* @param boolean $short if true, 'user_' prefix will be added to field name
* @return e_user_model
*/
public function setValue($field, $value, $short = true)
{
if($short) $field = 'user_'.$field;
if($this->isWritable($field)) $this->set($field, $value, true);
return $this;
}
/**
* Get user preference
* @param string $pref_name
* @param mixed $default
* @return mixed
*/
public function getPref($pref_name = null, $default = null)
{
if(null === $pref_name) return $this->getConfig()->getData();
return $this->getConfig()->get($pref_name, $default);
}
/**
* Set user preference
* @param string $pref_name
* @param mixed $value
* @return e_user_model * @return e_user_model
*/ */
public function setValue($field, $value) public function setPref($pref_name, $value = null)
{ {
$field = 'user_'.$field; $this->getConfig()->set($pref_name, $value);
$this->set($field, $value, true); return $this;
}
/**
* Get user preference (advanced - slower)
* @param string $pref_path
* @param mixed $default
* @param integer $index if number, value will be exploded by "\n" and corresponding index will be returned
* @return mixed
*/
public function findPref($pref_path = null, $default = null, $index = null)
{
return $this->getConfig()->getData($pref_path, $default, $index);
}
/**
* Set user preference (advanced - slower)
* @param string $pref_path
* @param mixed $value
* @return e_user_model
*/
public function setPrefData($pref_path, $value = null)
{
$this->getConfig()->setData($pref_path, $value = null);
return $this; return $this;
} }
@@ -319,6 +375,32 @@ class e_user_model extends e_front_model
return $this; return $this;
} }
/**
* Get user config model
*
* @return e_user_pref
*/
public function getConfig()
{
if (null === $this->_user_config)
{
$this->_user_config = new e_user_pref($this);
}
return $this->_user_config;
}
/**
* Set user config model
*
* @param e_user_pref $user_config
* @return e_user_model
*/
public function setConfig(e_user_pref $user_config)
{
$this->_user_config = $user_config;
return $this;
}
/** /**
* Get current user editor model * Get current user editor model
* @return e_user_model * @return e_user_model
@@ -345,9 +427,11 @@ class e_user_model extends e_front_model
*/ */
public function isWritable($field) public function isWritable($field)
{ {
if (!is_string($field)) $perm = false;
return true; $editor = $this->getEditor();
return !in_array($field, array($this->getFieldIdName(), 'user_admin', 'user_perms')); if($this->getId() === $editor->getId() || $editor->isMainAdmin() || $editor->checkAdminPerms('4'))
$perm = true;
return ($perm && !in_array($field, array($this->getFieldIdName(), 'user_admin', 'user_perms', 'user_prefs')));
} }
/** /**
@@ -357,7 +441,7 @@ class e_user_model extends e_front_model
*/ */
protected function setAsTarget() protected function setAsTarget()
{ {
e107::setRegistry('targets/core/user/'.$this->getId(), $this); e107::setRegistry('core/e107/user/'.$this->getId(), $this);
return $this; return $this;
} }
@@ -368,7 +452,7 @@ class e_user_model extends e_front_model
*/ */
protected function clearTarget() protected function clearTarget()
{ {
e107::setRegistry('targets/core/user'.$this->getId(), null); e107::setRegistry('core/e107/user'.$this->getId(), null);
return $this; return $this;
} }
@@ -386,6 +470,39 @@ class e_user_model extends e_front_model
} }
} }
/**
* Additional security while applying posted
* data to user model
* @return e_user_model
*/
public function mergePostedData()
{
$posted = $this->getPostedData();
foreach ($posted as $key => $value)
{
if(!$this->isWritable($key))
{
$this->removePosted($key);
continue;
}
$this->_modifyPostedData($key, $value);
}
parent::mergePostedData(true, true, true);
return $this;
}
protected function _modifyPostedData($key, $value)
{
// TODO - add more here
switch ($key)
{
case 'password1':
// compare validation rule
$this->setPosted('user_password', array($value, $this->getPosted('password2')));
break;
}
}
/** /**
* Send model data to DB * Send model data to DB
*/ */
@@ -396,7 +513,10 @@ class e_user_model extends e_front_model
return false; // TODO - message, admin log return false; // TODO - message, admin log
} }
// TODO - do the save manual in this order: validate() on user model, save() on extended fields, save() on user model // sync user prefs
$this->getConfig()->apply();
// TODO - do the save manually in this order: validate() on user model, save() on extended fields, save() on user model
$ret = parent::save(true, $force, $session); $ret = parent::save(true, $force, $session);
if(false !== $ret && null !== $this->_extended_model) // don't load extended fields if not already used if(false !== $ret && null !== $this->_extended_model) // don't load extended fields if not already used
{ {
@@ -468,15 +588,27 @@ class e_system_user extends e_user_model
} }
/** /**
* Current system user - additional data protection is required * Current system user
* @author SecretR * @author SecretR
*/ */
class e_user extends e_user_model class e_user extends e_user_model
{ {
private $_session_data = null;
private $_session_key = null;
private $_session_type = null;
private $_session_error = false;
private $_parent_id = false;
private $_parent_data = array();
private $_parent_extmodel = null;
private $_parent_extstruct = null;
private $_parent_config = null;
public function __construct() public function __construct()
{ {
// reference to self $this->setSessionData() // retrieve data from current session
$this->load()->setEditor($this); ->load() // load current user from DB
->setEditor($this); // reference to self
} }
/** /**
@@ -489,56 +621,270 @@ class e_user extends e_user_model
return true; return true;
} }
// TODO login by name/password, load, set cookie/session data /**
* Get parent user ID - present if main admin is browsing
* front-end logged in as another user account
*
* @return integer or false if not present
*/
final public function getParentId()
{
return $this->_parent_id;
}
/**
* User login
* @param string $uname
* @param string $upass_plain
* @param boolean $uauto
* @param string $uchallange
* @return boolean success
*/
final public function login($uname, $upass_plain, $uauto = false, $uchallange = false) final public function login($uname, $upass_plain, $uauto = false, $uchallange = false)
{ {
// FIXME - rewrite userlogin - clean up redirects and if($this->isUser()) return false;
//$userlogin = new userlogin($uname, $upass_plain, $uauto, $uchallange);
// if($userlogin->getId()) $this->load() --> use the previously set user COOKIE/SESSION data $userlogin = new userlogin($uname, $upass_plain, $uauto, $uchallange, true);
$this->setSessionData(true)
->setData($userlogin->getUserData());
return $this->isUser(); return $this->isUser();
} }
final public function loginAs($user_id)
{
// TODO - set session data required for loadAs()
}
/** /**
* *
* @return unknown_type * @return e_user
*/ */
protected function initConstants() protected function _initConstants()
{ {
//FIXME - BC - constants from init_session() should be defined here //FIXME - BC - constants from init_session() should be defined here
//init_session(); // the old way // [SecretR] Not sure we should do this here, it's too restricting - constants can be
// defined once, we need the freedom to do it multiple times - e.g. load() executed in constructor than login(), loginAs() etc.
// called by a controller
// We should switch to e.g. isAdmin() instead of ADMIN constant check
return $this;
} }
/** /**
* TODO destroy cookie/session data, self destroy * Destroy cookie/session data, self destroy
* @return void * @return e_user
*/ */
final public function logout() final public function logout()
{ {
// FIXME - destoy cookie/session data first $this->logoutAs()
$this->_data = array(); ->_destroySession();
if (null !== $this->_extended_model)
parent::destroy();
if(session_id()) session_destroy();
e107::setRegistry('core/e107/current_user', null);
return $this;
}
/**
* Destroy cookie/session/model data for current user, resurrect parent user
* @return e_user
*/
final public function logoutAs()
{
if($this->getParentId())
{ {
$this->_extended_model->destroy(); // load parent user data
$this->_extended_model = $this->_parent_extmodel;
$this->_extended_structure = $this->_parent_extstruct;
$this->_user_config = $this->_parent_config;
$this->setData($this->_parent_model->getData());
// cleanup
$this->_destroyAsSession();
$this->_parent_id = false;
$this->_parent_model = $this->_parent_extstruct = $this->_parent_extmodel = $this->_parent_config = null;
} }
e107::setRegistry('targets/core/current_user', null); return $this;
} }
/** /**
* TODO load user data by cookie/session data * TODO load user data by cookie/session data
* @return e_user * @return e_user
*/ */
final public function load($force = false) final public function load($force = false, $denyAs = false)
{ {
// init_session() should come here // init_session() should come here
// $this->initConstants(); - called after data is loaded // $this->initConstants(); - called after data is loaded
// FIXME - temporary here, for testing only!!! if(!$force && $this->getId()) return $this;
// always run cli as main admin
if(e107::isCli())
{
$this->_load(1, $force);
$this->_initConstants();
return $this;
}
// We have active session
if(null !== $this->_session_data)
{
list($uid, $upw) = explode('.', $this->_session_data);
// Bad cookie - destroy session
if(empty($uid) || !is_numeric($uid) || empty($upw))
{
$this->_destroyBadSession();
$this->_initConstants();
return $this;
}
$udata = $this->_load($uid, $force);
// Bad cookie - destroy session
if(empty($udata))
{
$this->_destroyBadSession();
$this->_initConstants();
return $this;
}
// we have a match
if(md5($udata['user_password']) == $upw)
{
// set current user data
$this->setData($udata);
// NEW - try 'logged in as' feature
if(!$denyAs) $this->loadAs();
$this->_initConstants();
return $this;
}
$this->_destroyBadSession();
$this->_initConstants();
return $this;
}
if (USER)
$this->setData(get_user_data(USERID));
return $this; return $this;
} }
final public function loadAs()
{
// FIXME - option to avoid it when browsing Admin area
$loginAs = $this->_getSessionDataAs();
if(!$this->getParentId() && false !== $loginAs && $loginAs !== $this->getId() && $loginAs !== 1 && $this->isMainAdmin())
{
$uasdata = $this->_load($loginAs);
if(!empty($uasdata))
{
// backup parent user data to prevent further db queries
$this->_parent_id = $this->getId();
$this->_parent_model = new e_system_user($this->getData());
$this->setData($uasdata);
// not allowed - revert back
if($this->isMainAdmin())
{
$this->_parent_id = false;
$this->setData($this->_parent_model->getData());
$this->_parent_model = null;
$this->_destroyAsSession();
}
else
{
$this->_parent_extmodel = $this->_extended_model;
$this->_parent_extstruct = $this->_extended_structure;
$this->_user_config = $this->_parent_config;
$this->_extended_model = $this->_extended_structure = $this->_user_config = null;
}
}
}
else
{
$this->_parent_id = false;
$this->_parent_model = null;
$this->_parent_extstruct = $this->_parent_extmodel = null;
}
}
final protected function _destroySession()
{
cookie($this->_session_key, '', (time() - 2592000));
$_SESSION[$this->_session_key] = '';
return $this;
}
final protected function _destroyAsSession()
{
$key = $this->_session_key.'_as';
cookie($key, '', (time() - 2592000));
$_SESSION[$key] = '';
unset($_SESSION[$key]);
return $this;
}
final protected function _destroyBadSession()
{
$this->_session_error = true;
return $this->_destroySession();
}
final protected function _getSessionDataAs()
{
$id = false;
$key = $this->_session_key.'_as';
if('session' == $this->_session_type && isset($_SESSION[$key]) && !empty($_SESSION[$key]))
{
$id = $_SESSION[$key];
}
elseif('cookie' == $this->_session_type && isset($_COOKIE[$key]) && !empty($_COOKIE[$key]))
{
$id = $_COOKIE[$key];
}
if(!empty($id) && is_numeric($id)) return intval($id);
return false;
}
final public function setSessionData($force = false)
{
if($force || null === $this->_session_data)
{
$this->_session_key = e107::getPref('cookie_name', 'e107cookie');
$this->_session_type = e107::getPref('user_tracking', 'cookie');
if('session' == $this->_session_type && isset($_SESSION[$this->_session_key]) && !empty($_SESSION[$this->_session_key]))
{
$this->_session_data = &$_SESSION[$this->_session_key];
}
elseif('cookie' == $this->_session_type && isset($_COOKIE[$this->_session_key]) && !empty($_COOKIE[$this->_session_key]))
{
$this->_session_data = &$_COOKIE[$this->_session_key];
}
}
return $this;
}
public function hasSessionError()
{
return $this->_session_error;
}
final protected function _load($user_id)
{
if(e107::getDb()->db_Select('user', '*', 'user_id='.intval($user_id)))
{
return e107::getDb()->db_Fetch();
}
return array();
}
/** /**
* Not allowed * Not allowed
* *
@@ -629,6 +975,14 @@ class e_user_extended_model extends e_front_model
->load(); ->load();
} }
/**
* Always return integer
*/
public function getId()
{
return (integer) parent::getId();
}
/** /**
* Get user model * Get user model
* @return e_user_model * @return e_user_model
@@ -671,12 +1025,13 @@ class e_user_extended_model extends e_front_model
/** /**
* Get User extended field value * Get User extended field value
* Returns NULL when field/default value not found or not enough permissions * Returns NULL when field/default value not found or not enough permissions
* @param string$field * @param string $field
* @param boolean $short if true, 'user_' prefix will be added to field name
* @return mixed * @return mixed
*/ */
public function getValue($field) public function getValue($field, $short = true)
{ {
$field = 'user_'.$field; if($short) $field = 'user_'.$field;
if (!$this->checkRead($field)) if (!$this->checkRead($field))
return null; return null;
return $this->get($field, $this->getDefault($field)); return $this->get($field, $this->getDefault($field));
@@ -687,17 +1042,28 @@ class e_user_extended_model extends e_front_model
* Note: Data is not sanitized! * Note: Data is not sanitized!
* @param string $field * @param string $field
* @param mixed $value * @param mixed $value
* @param boolean $short if true, 'user_' prefix will be added to field name
* @return e_user_extended_model * @return e_user_extended_model
*/ */
public function setValue($field, $value) public function setValue($field, $value, $short = true)
{ {
$field = 'user_'.$field; if($short) $field = 'user_'.$field;
if (!$this->checkWrite($field)) if (!$this->checkWrite($field))
return $this; return $this;
$this->set($field, $value, true); $this->set($field, $value, true);
return $this; return $this;
} }
public function getReadData()
{
// TODO array allowed profile page data (read mode)
}
public function getWriteData()
{
// TODO array allowed settings page data (edit mode)
}
/** /**
* Get default field value, defined by extended field structure * Get default field value, defined by extended field structure
* Returns NULL if field/default value not found * Returns NULL if field/default value not found
@@ -716,17 +1082,27 @@ class e_user_extended_model extends e_front_model
*/ */
public function checkRead($field) public function checkRead($field)
{ {
return $this->getEditor()->checkClass(varset($this->_struct_index[$field]['read'])); $hidden = $this->get('user_hidden_fields');
if($this->getId() !== $this->getEditor()->getId() && !empty($hidden) && strpos($hidden, $field) !== false) return false;
return ($this->checkApplicable($field) && $this->getEditor()->checkClass(varset($this->_struct_index[$field]['read'])));
} }
/** /**
* Check field write permissions * Check field write permissions against current editor
* @param string $field * @param string $field
* @return boolean * @return boolean
*/ */
public function checkWrite($field) public function checkWrite($field)
{ {
return $this->getEditor()->checkClass(varset($this->_struct_index[$field]['write'])); if(!$this->checkApplicable($field)) return false;
$editor = $this->getEditor();
// Main admin checked later in checkClass() method
if($editor->checkAdminPerms('4') && varset($this->_struct_index[$field]['write']) != e_UC_NOBODY)
return true;
return $editor->checkClass(varset($this->_struct_index[$field]['write']));
} }
/** /**
@@ -736,17 +1112,17 @@ class e_user_extended_model extends e_front_model
*/ */
public function checkSignup($field) public function checkSignup($field)
{ {
return $this->getEditor()->checkClass(varset($this->_struct_index[$field]['signup'])); return $this->getUser()->checkClass(varset($this->_struct_index[$field]['signup']));
} }
/** /**
* Check field applicable permissions * Check field applicable permissions against current user
* @param string $field * @param string $field
* @return boolean * @return boolean
*/ */
public function checkApplicable($field) public function checkApplicable($field)
{ {
return $this->getEditor()->checkClass(varset($this->_struct_index[$field]['applicable'])); return $this->getUser()->checkClass(varset($this->_struct_index[$field]['applicable']));
} }
/** /**
@@ -774,6 +1150,7 @@ class e_user_extended_model extends e_front_model
{ {
// load structure dependencies // load structure dependencies
$ignore = array($this->getFieldIdName(), 'user_hidden_fields'); // TODO - user_hidden_fields? Old? $ignore = array($this->getFieldIdName(), 'user_hidden_fields'); // TODO - user_hidden_fields? Old?
$fields = $struct_tree->getTree(); $fields = $struct_tree->getTree();
foreach ($fields as $id => $field) foreach ($fields as $id => $field)
{ {
@@ -849,9 +1226,28 @@ class e_user_extended_model extends e_front_model
return $this->_structure; return $this->_structure;
} }
/**
* Additional security while applying posted
* data to user extended model
* @return e_user_extended_model
*/
public function mergePostedData()
{
$posted = $this->getPostedData();
foreach ($posted as $key => $value)
{
if(!$this->checkWrite($key))
{
$this->removePosted($key);
}
}
parent::mergePostedData(true, true, true);
return $this;
}
/** /**
* Build data types and rules on the fly and save * Build data types and rules on the fly and save
* @see e107_handlers/e_front_model#save($from_post, $force, $session_messages) * @see e_front_model::save()
*/ */
public function save($force = false, $session = false) public function save($force = false, $session = false)
{ {
@@ -859,10 +1255,13 @@ class e_user_extended_model extends e_front_model
return parent::save(true, $force, $session); return parent::save(true, $force, $session);
} }
/**
* Doesn't save anything actually...
*/
public function saveDebug($retrun = false, $undo = true) public function saveDebug($retrun = false, $undo = true)
{ {
$this->_buildManageRules(); $this->_buildManageRules();
parent::saveDebug($return, $undo); return parent::saveDebug($return, $undo);
} }
} }
@@ -1011,3 +1410,80 @@ class e_user_extended_structure_tree extends e_tree_model
return $this; return $this;
} }
} }
class e_user_pref extends e_model
{
/**
* @var e_user_model
*/
protected $_user;
/**
* Constructor
* @param e_user_model $user_model
* @return void
*/
public function __construct(e_user_model $user_model)
{
$this->_user = $user_model;
$this->load();
}
/**
* Load data from user preferences string
* @param boolean $force
* @return e_user_pref
*/
public function load($force = false)
{
if($force || !$this->hasData())
{
$data = $this->_user->get('user_prefs', '');
if(!empty($data))
{
$data = e107::getArrayStorage()->ReadArray($data);
if(!$data) $data = array();
}
else $data = array();
$this->setData($data);
}
return $this;
}
/**
* Apply current data to user data
* @return e_user_pref
*/
public function apply()
{
$this->_user->set('user_prefs', $this->toString(true));
return $this;
}
/**
* Save and apply user preferences
* @return boolean success
*/
public function save()
{
if($this->_user->getId())
{
$data = $this->toString(true);
$this->apply();
return (e107::getDb('user_prefs')->db_Update('user', "user_prefs='{$data}' WHERE user_id=".$this->_user->getId()) ? true : false);
}
return false;
}
/**
* Remove & apply user prefeferences, optionally - save to DB
* @return boolean success
*/
public function delete($save = false)
{
$this->removeData()->apply();
if($save) return $this->save();
return true;
}
}