
system/handlers/userhandler.php

00001 <?php
00007 namespace Habari;
00008 
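class UserHandler extends ActionHandler
{

  /**
   * Handle the "login" action by rendering the login form.
   */
  public function act_login()
  {
    // Display the login form.
    $this->login_form();
  }

  /**
   * Success handler for the "Reset password" button on the login form.
   *
   * Generates a random token, persists only its md5 digest on the user's
   * info record and mails the user a link carrying the raw token. The same
   * notice is shown whether or not the username exists, so the response does
   * not reveal which account names are valid.
   *
   * @param FormUI $form the submitted login form
   */
  public function loginform_do_reset($form)
  {
    $name = $form->habari_username->value;
    if ( empty($name) ) {
      Session::error( _t( 'You must supply a username to reset its password.' ) );
      return;
    }

    // Numeric names are refused so a user cannot be selected by numeric id from this form.
    if ( !is_numeric( $name ) && $user = User::get( $name ) ) {
      $hash = Utils::random_password();

      // Only the digest is stored; the raw token exists solely in the emailed link.
      $user->info->password_reset = md5( $hash );
      $user->info->commit();
      $message = _t( 'Please visit %1$s to reset your password.', array( URL::get( 'auth', array( 'page' => 'password_reset', 'id' => $user->id, 'hash' => $hash ) ) ) );

      Utils::mail( $user->email, _t( '[%1$s] Password reset request for %2$s', array( Options::get( 'title' ), $user->displayname ) ), $message );
    }
    // Moving this inside the check for user existence would allow attackers to test usernames, so don't
    Session::notice( _t( 'A password reset request has been sent to the user.' ) );
  }

  /**
   * Success handler for the "Login" button on the login form.
   *
   * Authenticates the submitted credentials. On success any pending
   * password-reset token is discarded, the login time is recorded, the
   * request that triggered the login prompt is carried over in the session
   * and the browser is redirected into the admin area. On failure the
   * submitted password is blanked and an error is exposed via handler_vars.
   *
   * @param FormUI $form the submitted login form
   * @return bool|null true after a successful login (a redirect has been issued), null otherwise
   */
  public function loginform_do_login($form)
  {
    $name = $form->habari_username->value;
    $pass = $form->habari_password->value;

    if ( ( null == $name ) && ( null == $pass ) ) {
      // Nothing was submitted; the form is simply shown again.
      return;
    }

    $user = User::authenticate( $name, $pass );

    if ( !( $user instanceof User ) ) {
      /* Authentication failed. */
      // Remove submitted password, see, we're secure!
      $form->habari_password->value = '';
      $this->handler_vars['error'] = _t( 'Bad credentials' );
      return;
    }

    // If there's an unused password reset token, unset it to make sure there's no possibility of a compromise that way
    if ( isset( $user->info->password_reset ) ) {
      unset( $user->info->password_reset );
    }

    /* Successfully authenticated. */
    // Timestamp last login date and time.
    $user->info->authenticate_time = DateTime::create()->format( 'Y-m-d H:i:s' );
    $user->update();

    // Remove left over expired session error message.
    if ( Session::has_errors( 'expired_session' ) ) {
      Session::remove_error( 'expired_session' );
    }

    // NOTE(review): the session id is not rotated here; confirm Session handles that on authentication.
    $login_session = Session::get_set( 'login' );
    if ( ! empty( $login_session ) ) {
      /* Now that we know we're dealing with the same user, transfer the form data so he does not lose his request */
      // The saved request data lives in $login_session itself.
      if ( ! empty( $login_session['post_data'] ) ) {
        Session::add_to_set( 'last_form_data', $login_session['post_data'], 'post' );
      }
      if ( ! empty( $login_session['get_data'] ) ) {
        Session::add_to_set( 'last_form_data', $login_session['get_data'], 'get' );
      }

      /* Redirect to the correct admin page */
      $original = isset( $login_session['original'] ) ? $login_session['original'] : '';
      $login_dest = $this->admin_destination( $original );
    }
    else {
      $login_session = null;
      $login_dest = Site::get_url( 'admin' );
    }

    // filter the destination
    $login_dest = Plugins::filter( 'login_redirect_dest', $login_dest, $user, $login_session );

    // finally, redirect to the destination
    Utils::redirect( $login_dest );

    return true;
  }

  /**
   * Map the URL that triggered the login prompt back onto an admin page URL.
   *
   * Only the part of $original from 'admin/' onward is used, and the result
   * is always built through URL::get() or Site::get_url(), so the redirect
   * target stays on this site whatever was recorded in the session.
   *
   * @param string $original the URL recorded in the 'login' session set
   * @return string the admin URL to redirect to
   */
  private function admin_destination( $original )
  {
    $start = ( '' === $original ) ? false : MultiByte::strpos( $original, 'admin/' );
    if ( $start === false ) {
      // No admin path to return to; fall back to the admin front page.
      return Site::get_url( 'admin' );
    }

    $dest = explode( '/', MultiByte::substr( $original, $start ) );
    if ( '' === $dest[0] ) {
      return Site::get_url( 'admin' );
    }

    // Replace '?' with '&' in the page segment so URL::get() receives it as part of the query string.
    $page = isset( $dest[1] ) ? str_replace( '?', '&', $dest[1] ) : '';
    return URL::get( 'admin', 'page=' . $page );
  }

  /**
   * Handle the "logout" action: forget the current user's cookie and send
   * them back to the site front page.
   *
   * NOTE(review): GET and HEAD are accepted, so a logout can be triggered by
   * any link the browser follows; confirm whether POST-only is viable for callers.
   */
  public function act_logout()
  {
    Utils::check_request_method( array( 'GET', 'HEAD', 'POST' ) );

    // get the user from their cookie
    $user = User::identify();
    if ( $user->loggedin ) {
      Plugins::act( 'user_logout', $user );
      // delete the cookie, and destroy the object
      $user->forget();
      $user = null;
    }
    Utils::redirect( Site::get_url( 'site' ) );
  }

  /**
   * Build the login form (with its inline "reset password" variant), let
   * plugins alter it and display it through the active theme, falling back
   * to the admin theme when the active theme has no 'login' template.
   *
   * @return bool always true
   */
  protected function login_form()
  {
    // Build theme and login page template
    $this->setup_theme();
    if ( !$this->theme->template_exists( 'login' ) ) {
      $this->theme = Themes::create( 'admin', 'RawPHPEngine', Site::get_dir( 'admin_theme', true ) );
      $this->theme->assign( 'admin_page', 'login' );
    }

    // Build the login form
    $form = new FormUI( 'habari_login' );
    // NOTE(review): the site title and URLs are interpolated into HTML unescaped; this assumes Options/Site return trusted values — confirm.
    $login_form_title = sprintf('<h1><a href="%s" title="%s"><img src="%s" style="height:1em;margin-right:10px;vertical-align:top;">%s</a></h1>', Site::get_url('site'), _t('Go to Site'), Site::get_url('habari', '/system/admin/images/habari.logo.png'), Options::get('title') );
    $form->append( FormControlStatic::create('title')->set_static($login_form_title) );
    $form->append( FormControlStatic::create('reset_message')->set_static('<p id="reset_message" class="on_reset">' . _t('Please enter the username you wish to reset the password for.  A unique password reset link will be emailed to that user.') . '</p>' ) );
    $form->append( FormControlLabel::wrap(_t('Name'), FormControlText::create('habari_username'))->set_template('control.label.outsideleft'));
    $form->append(
      FormControlLabel::wrap(
        _t('Password'),
        FormControlPassword::create(
          'habari_password',
          null,
          array(
            'class'=>'off_reset',
          )
        )
      )->set_template('control.label.outsideleft')
        ->set_properties(array('class'=>'off_reset'))
    );
    $form->append( $drop_button = FormControlDropbutton::create('submit_button')->add_template_class('ul', 'off_reset'));
    $drop_button->append(FormControlSubmit::create('login')->on_success(array($this, 'loginform_do_login'))->set_caption(_t('Login')));
    $form->append( FormControlStatic::create('reset_link')->set_static('<a href="#" class="off_reset reset_link">' . _t('Reset password') . '</a>') );
    $form->append( FormControlStatic::create('login_link')->set_static('<a href="#" class="on_reset reset_link">' . _t('Login') . '</a>') );
    $form->append( FormControlSubmit::create('reset_button')->set_caption(_t('Reset password'))->set_properties(array('class'=>'on_reset'))->on_success(array($this, 'loginform_do_reset')) );

    // Use the dropbutton's visualizer to select the primary action for form submission upon pressing enter
    $form->set_settings(array(
      'prefix_html' => '<script>$(function(){$("body").on("keypress", "form[name=' . $form->input_name() . ']", function(e){if(e.which==13){$(this).find("#' . $form->submit_button->get_visualizer() . ' .primary").click();return e.preventDefault()&&false;}});})</script>',
    ));

    // Let plugins alter this form
    Plugins::act( 'form_login', $form );

    // Assign login form and display the page
    $this->theme->form = $form;
    $this->display( 'login' );

    return true;
  }

  /**
   * Render a template through the current theme.
   *
   * @param string $template_name name of the theme template to display
   */
  protected function display( $template_name )
  {
    $this->theme->display( $template_name );
  }

  /**
   * Handle the "password_reset" action reached from the emailed link.
   *
   * Verifies the token against the stored digest, and on a match sets a new
   * random password, mails it to the user and discards the token so the link
   * works only once. Always ends by redirecting to the login page.
   */
  public function act_password_reset()
  {
    Utils::check_request_method( array( 'GET', 'HEAD', 'POST' ) );

    $id = isset( $this->handler_vars['id'] ) ? $this->handler_vars['id'] : null;
    $hash = isset( $this->handler_vars['hash'] ) ? $this->handler_vars['hash'] : null;

    if ( $user = User::get( $id ) ) {
      $stored = isset( $user->info->password_reset ) ? (string) $user->info->password_reset : '';
      // Strict, constant-time digest comparison: a loose == would treat two
      // numeric-looking digests (e.g. "0e..." forms) as equal.
      if ( is_string( $hash ) && '' !== $stored && hash_equals( $stored, md5( $hash ) ) ) {
        // Send a new random password
        $password = Utils::random_password();

        $user->password = Utils::crypt( $password );
        if ( $user->update() ) {
          $message = _t( "Your password for %1\$s has been reset.  Your credentials are as follows---\nUsername: %2\$s\nPassword: %3\$s", array( Site::get_url( 'habari' ), $user->username, $password ) );

          Utils::mail( $user->email, _t( '[%1$s] Password has been reset for %2$s', array( Options::get( 'title' ), $user->displayname ) ), $message );
          Session::notice( _t( 'A new password has been sent to the user.' ) );
        }
        else {
          Session::notice( _t( 'There was a problem resetting the password.  It was not reset.' ) );
        }

        // Clear the request - it should only work once
        unset( $user->info->password_reset );
        $user->info->commit();
      }
      else {
        Session::notice( _t( 'The supplied password reset token has expired or is invalid.' ) );
      }
    }
    // Display the login form.
    Utils::redirect( URL::get( 'auth', array( 'page' => 'login' ) ) );
  }

}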
00241 ?>
