mirror of
https://github.com/Pathduck/gallery3.git
synced 2026-05-20 03:19:13 -04:00
fdc0f83024
communicate. Almost all controllers now use JSON to speak to the theme when we're dealing with form processing. This means tht we only send the form back and forth, but we use a JSON protocol to tell the browser success/error status as well as the location of any newly created resources, or where the browser should redirect the user. Lots of small changes: 1) Admin -> Edit Profile is gone. Instead I fixed the "Modify Profile" link in the top right corner to be a modal dialog 2) We use json_encode everywhere. No more Atom/XML for now. We can bring those back later, though. For now there's a lot of code duplication but that'll be easy to clean up. 3) REST_Controller is no longer abstract. All methods its subclasses should create throw exceptions, which means that subclasses don't have to implement stubs for those methods. 4) New pattern: helper method get_add_form calls take an Item_Model, not an id since we have to load the Item_Model in the controller anyway to check permissions. 5) User/Groups REST resources are separate from User/Group in the site admin. They do different things, we should avoid confusing overlap.
254 lines
7.8 KiB
PHP
254 lines
7.8 KiB
PHP
<?php defined("SYSPATH") or die("No direct script access.");
|
|
/**
|
|
* Gallery - a web based photo album viewer and editor
|
|
* Copyright (C) 2000-2008 Bharat Mediratta
|
|
*
|
|
* This program is free software; you can redistribute it and/or modify
|
|
* it under the terms of the GNU General Public License as published by
|
|
* the Free Software Foundation; either version 2 of the License, or (at
|
|
* your option) any later version.
|
|
*
|
|
* This program is distributed in the hope that it will be useful, but
|
|
* WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
* General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU General Public License
|
|
* along with this program; if not, write to the Free Software
|
|
* Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA 02110-1301, USA.
|
|
*/
|
|
|
|
/**
|
|
* This is the API for handling users.
|
|
*
|
|
* Note: by design, this class does not do any permission checking.
|
|
*/
|
|
class user_Core {
|
|
public static function get_edit_form($user, $action = NULL) {
|
|
$form = new Forge("users/$user->id?_method=put", "", "post", array("id" => "gUserForm"));
|
|
$group = $form->group("edit_user")->label(_("Edit User"));
|
|
$group->input("name")->label(_("Name"))->id("gName")->value($user->name);
|
|
$group->input("full_name")->label(_("Full Name"))->id("gFullName")->value($user->full_name);
|
|
$group->password("password")->label(_("Password"))->id("gPassword");
|
|
$group->input("email")->label(_("Email"))->id("gEmail")->value($user->email);
|
|
$group->submit(_("Modify"));
|
|
$form->add_rules_from($user);
|
|
return $form;
|
|
}
|
|
|
|
public static function get_edit_form_admin($user, $action = NULL) {
|
|
$form = new Forge("admin/users/edit/$user->id", "", "post", array("id" => "gUserForm"));
|
|
$group = $form->group("edit_user")->label(_("Edit User"));
|
|
$group->input("name")->label(_("Name"))->id("gName")->value($user->name);
|
|
$group->input("full_name")->label(_("Full Name"))->id("gFullName")->value($user->full_name);
|
|
$group->password("password")->label(_("Password"))->id("gPassword");
|
|
$group->input("email")->label(_("Email"))->id("gEmail")->value($user->email);
|
|
$group->submit(_("Modify"));
|
|
$form->add_rules_from($user);
|
|
return $form;
|
|
}
|
|
|
|
public static function get_add_form_admin($action = NULL) {
|
|
$form = new Forge("admin/users/create");
|
|
$group = $form->group("add_user")->label(_("Add User"));
|
|
$group->input("name")->label(_("Name"))->id("gName");
|
|
$group->input("full_name")->label(_("Full Name"))->id("gFullName");
|
|
$group->password("password")->label(_("Password"))->id("gPassword");
|
|
$group->input("email")->label(_("Email"))->id("gEmail");
|
|
$group->submit(_("Add"));
|
|
$user = ORM::factory("user");
|
|
$form->add_rules_from($user);
|
|
return $form;
|
|
}
|
|
|
|
public static function get_delete_form_admin($user, $action = NULL) {
|
|
$form = new Forge($action);
|
|
$group = $form->group("delete_user")->label(_("Delete User"));
|
|
$group->label(sprintf(_("Are you sure you want to delete %s?"), $user->name));
|
|
$group->submit(_("Delete"));
|
|
return $form;
|
|
}
|
|
|
|
/**
|
|
* Make sure that we have a session and group_ids cached in the session.
|
|
*/
|
|
public static function load_user() {
|
|
// This is one of the first session operations that we'll do, so it may fail if there's no
|
|
// install yet. Try to handle this situation gracefully expecting that the scaffolding will
|
|
// Do The Right Thing.
|
|
//
|
|
// @todo get rid of this extra error checking when we have an installer.
|
|
try {
|
|
$session = Session::instance();
|
|
} catch (Exception $e) {
|
|
return;
|
|
}
|
|
|
|
if (!($user = $session->get("user"))) {
|
|
$session->set("user", $user = user::guest());
|
|
}
|
|
|
|
if (!$session->get("group_ids")) {
|
|
$ids = array();
|
|
foreach ($user->groups as $group) {
|
|
$ids[] = $group->id;
|
|
}
|
|
$session->set("group_ids", $ids);
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Return the array of group ids this user belongs to
|
|
*
|
|
* @return array
|
|
*/
|
|
public static function group_ids() {
|
|
return Session::instance()->get("group_ids", array(1));
|
|
}
|
|
|
|
/**
|
|
* Return the active user. If there's no active user, return the guest user.
|
|
*
|
|
* @return User_Model
|
|
*/
|
|
public static function active() {
|
|
return Session::instance()->get("user", self::guest());
|
|
}
|
|
|
|
/**
|
|
* Return the guest user.
|
|
*
|
|
* @todo consider caching
|
|
*
|
|
* @return User_Model
|
|
*/
|
|
public static function guest() {
|
|
return model_cache::get("user", 1);
|
|
}
|
|
|
|
/**
|
|
* Change the active user.
|
|
*
|
|
* @return User_Model
|
|
*/
|
|
public static function set_active($user) {
|
|
$session = Session::instance();
|
|
$session->set("user", $user);
|
|
$session->delete("group_ids");
|
|
self::load_user();
|
|
}
|
|
|
|
/**
|
|
* Create a new user.
|
|
*
|
|
* @param string $name
|
|
* @param string $full_name
|
|
* @param string $password
|
|
* @return User_Model
|
|
*/
|
|
public static function create($name, $full_name, $password) {
|
|
$user = ORM::factory("user")->where("name", $name)->find();
|
|
if ($user->loaded) {
|
|
throw new Exception("@todo USER_ALREADY_EXISTS $name");
|
|
}
|
|
|
|
$user->name = $name;
|
|
$user->full_name = $full_name;
|
|
$user->password = $password;
|
|
|
|
// Required groups
|
|
$user->add(group::everybody());
|
|
$user->add(group::registered_users());
|
|
|
|
$user->save();
|
|
module::event("user_created", $user);
|
|
return $user;
|
|
}
|
|
|
|
/**
|
|
* Is the password provided correct?
|
|
*
|
|
* @param user User Model
|
|
* @param string $password a plaintext password
|
|
* @return boolean true if the password is correct
|
|
*/
|
|
public static function is_correct_password($user, $password) {
|
|
$valid = $user->password;
|
|
|
|
$salt = substr($valid, 0, 4);
|
|
/* Support both old (G1 thru 1.4.0; G2 thru alpha-4) and new password schemes: */
|
|
$guess = (strlen($valid) == 32) ? md5($password) : ($salt . md5($salt . $password));
|
|
if (!strcmp($guess, $valid)) {
|
|
return true;
|
|
}
|
|
|
|
/* Passwords with <&"> created by G2 prior to 2.1 were hashed with entities */
|
|
$sanitizedPassword = html::specialchars($password, false);
|
|
$guess = (strlen($valid) == 32) ? md5($sanitizedPassword)
|
|
: ($salt . md5($salt . $sanitizedPassword));
|
|
if (!strcmp($guess, $valid)) {
|
|
return true;
|
|
}
|
|
|
|
/* Also support hashes generated by phpass for interoperability with other applications */
|
|
if (strlen($valid) == 34) {
|
|
$hashGenerator = new PasswordHash(10, true);
|
|
return $hashGenerator->CheckPassword($password, $valid);
|
|
}
|
|
|
|
return false;
|
|
}
|
|
|
|
/**
|
|
* Create the hashed passwords.
|
|
* @param string $password a plaintext password
|
|
* @return string hashed password
|
|
*/
|
|
public static function hash_password($password) {
|
|
return user::_md5Salt($password);
|
|
}
|
|
|
|
/**
|
|
* Perform the post authentication processing
|
|
* @param object $user the user object.
|
|
*/
|
|
public static function login($user) {
|
|
$user->login_count += 1;
|
|
$user->last_login = time();
|
|
$user->save();
|
|
|
|
user::set_active($user);
|
|
module::event("user_login", $user);
|
|
}
|
|
|
|
public static function logout() {
|
|
$user = user::active();
|
|
if (!$user->guest) {
|
|
try {
|
|
Session::instance()->destroy();
|
|
} catch (Exception $e) {
|
|
Kohana::log("error", $e);
|
|
}
|
|
module::event("user_logout", $user);
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Create a hashed password using md5 plus salt.
|
|
* @param string $password plaintext password
|
|
* @param string $salt (optional) salt or hash containing salt (randomly generated if omitted)
|
|
* @return string hashed password
|
|
*/
|
|
private static function _md5Salt($password, $salt="") {
|
|
if (empty($salt)) {
|
|
for ($i = 0; $i < 4; $i++) {
|
|
$char = mt_rand(48, 109);
|
|
$char += ($char > 90) ? 13 : ($char > 57) ? 7 : 0;
|
|
$salt .= chr($char);
|
|
}
|
|
} else {
|
|
$salt = substr($salt, 0, 4);
|
|
}
|
|
return $salt . md5($salt . $password);
|
|
}
|
|
} |