diff options
Diffstat (limited to 'modules/gallery/controllers')
| -rw-r--r-- | modules/gallery/controllers/admin_users.php | 291 | ||||
| -rw-r--r-- | modules/gallery/controllers/albums.php | 1 | ||||
| -rw-r--r-- | modules/gallery/controllers/login.php | 82 | ||||
| -rw-r--r-- | modules/gallery/controllers/logout.php | 38 | ||||
| -rw-r--r-- | modules/gallery/controllers/password.php | 133 | ||||
| -rw-r--r-- | modules/gallery/controllers/users.php | 68 |
6 files changed, 613 insertions, 0 deletions
diff --git a/modules/gallery/controllers/admin_users.php b/modules/gallery/controllers/admin_users.php new file mode 100644 index 00000000..34b3a426 --- /dev/null +++ b/modules/gallery/controllers/admin_users.php @@ -0,0 +1,291 @@ +<?php defined("SYSPATH") or die("No direct script access."); +/** + * Gallery - a web based photo album viewer and editor + * Copyright (C) 2000-2009 Bharat Mediratta + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or (at + * your option) any later version. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA 02110-1301, USA. + */ +class Admin_Users_Controller extends Admin_Controller { + public function index() { + $view = new Admin_View("admin.html"); + $view->content = new View("admin_users.html"); + $view->content->writable = user::is_writable(); + $view->content->users = user::get_user_list(array("orderby" => array("name" => "ASC"))); + $view->content->groups = group::get_group_list(array("orderby" => array("name" => "ASC"))); + print $view; + } + + public function add_user() { + access::verify_csrf(); + + $form = user::get_add_form_admin(); + $valid = $form->validate(); + $name = $form->add_user->inputs["name"]->value; + if ($user = user::lookup_by_name($name)) { + $form->add_user->inputs["name"]->add_error("in_use", 1); + $valid = false; + } + + if ($valid) { + $user = user::create( + $name, $form->add_user->full_name->value, $form->add_user->password->value); + $user->email = $form->add_user->email->value; + $user->admin = $form->add_user->admin->checked; + + if ($form->add_user->locale) { + $desired_locale = $form->add_user->locale->value; + $user->locale = $desired_locale == "none" ? null : $desired_locale; + } + $user->save(); + module::event("user_add_form_admin_completed", $user, $form); + + message::success(t("Created user %user_name", array("user_name" => $user->name))); + print json_encode(array("result" => "success")); + } else { + print json_encode(array("result" => "error", + "form" => $form->__toString())); + } + } + + public function add_user_form() { + print user::get_add_form_admin(); + } + + public function delete_user($id) { + access::verify_csrf(); + + if ($id == user::active()->id || $id == user::guest()->id) { + access::forbidden(); + } + + $user = user::lookup($id); + if (empty($user)) { + kohana::show_404(); + } + + $form = user::get_delete_form_admin($user); + if($form->validate()) { + $name = $user->name; + $user->delete(); + } else { + print json_encode(array("result" => "error", + "form" => $form->__toString())); + } + + $message = t("Deleted user %user_name", array("user_name" => $name)); + log::success("user", $message); + message::success($message); + print json_encode(array("result" => "success")); + } + + public function delete_user_form($id) { + $user = user::lookup($id); + if (empty($user)) { + kohana::show_404(); + } + print user::get_delete_form_admin($user); + } + + public function edit_user($id) { + access::verify_csrf(); + + $user = user::lookup($id); + if (empty($user)) { + kohana::show_404(); + } + + $form = user::get_edit_form_admin($user); + $valid = $form->validate(); + if ($valid) { + $new_name = $form->edit_user->inputs["name"]->value; + $temp_user = user::lookup_by_name($new_name); + if ($new_name != $user->name && + ($temp_user && $temp_user->id != $user->id)) { + $form->edit_user->inputs["name"]->add_error("in_use", 1); + $valid = false; + } else { + $user->name = $new_name; + } + } + + if ($valid) { + $user->full_name = $form->edit_user->full_name->value; + if ($form->edit_user->password->value) { + $user->password = $form->edit_user->password->value; + } + $user->email = $form->edit_user->email->value; + $user->url = $form->edit_user->url->value; + if ($form->edit_user->locale) { + $desired_locale = $form->edit_user->locale->value; + $user->locale = $desired_locale == "none" ? null : $desired_locale; + } + + // An admin can change the admin status for any user but themselves + if ($user->id != user::active()->id) { + $user->admin = $form->edit_user->admin->checked; + } + $user->save(); + module::event("user_edit_form_admin_completed", $user, $form); + + message::success(t("Changed user %user_name", array("user_name" => $user->name))); + print json_encode(array("result" => "success")); + } else { + print json_encode(array("result" => "error", + "form" => $form->__toString())); + } + } + + public function edit_user_form($id) { + $user = user::lookup($id); + if (empty($user)) { + kohana::show_404(); + } + + $form = user::get_edit_form_admin($user); + // Don't allow the user to control their own admin bit, else you can lock yourself out + if ($user->id == user::active()->id) { + $form->edit_user->admin->disabled(1); + } + print $form; + } + + public function add_user_to_group($user_id, $group_id) { + access::verify_csrf(); + $group = group::lookup($group_id); + $user = user::lookup($user_id); + $group->add($user); + $group->save(); + } + + public function remove_user_from_group($user_id, $group_id) { + access::verify_csrf(); + $group = group::lookup($group_id); + $user = user::lookup($user_id); + $group->remove($user); + $group->save(); + } + + public function group($group_id) { + $view = new View("admin_users_group.html"); + $view->group = group::lookup($group_id); + print $view; + } + + public function add_group() { + access::verify_csrf(); + + $form = group::get_add_form_admin(); + $valid = $form->validate(); + if ($valid) { + $new_name = $form->add_group->inputs["name"]->value; + $group = group::lookup_by_name($new_name); + if (!empty($group)) { + $form->add_group->inputs["name"]->add_error("in_use", 1); + $valid = false; + } + } + + if ($valid) { + $group = group::create($new_name); + $group->save(); + message::success( + t("Created group %group_name", array("group_name" => $group->name))); + print json_encode(array("result" => "success")); + } else { + print json_encode(array("result" => "error", + "form" => $form->__toString())); + } + } + + public function add_group_form() { + print group::get_add_form_admin(); + } + + public function delete_group($id) { + access::verify_csrf(); + + $group = group::lookup($id); + if (empty($group)) { + kohana::show_404(); + } + + $form = group::get_delete_form_admin($group); + if ($form->validate()) { + $name = $group->name; + $group->delete(); + } else { + print json_encode(array("result" => "error", + "form" => $form->__toString())); + } + + $message = t("Deleted group %group_name", array("group_name" => $name)); + log::success("group", $message); + message::success($message); + print json_encode(array("result" => "success")); + } + + public function delete_group_form($id) { + $group = group::lookup($id); + if (empty($group)) { + kohana::show_404(); + } + + print group::get_delete_form_admin($group); + } + + public function edit_group($id) { + access::verify_csrf(); + + $group = group::lookup($id); + if (empty($group)) { + kohana::show_404(); + } + + $form = group::get_edit_form_admin($group); + $valid = $form->validate(); + + if ($valid) { + $new_name = $form->edit_group->inputs["name"]->value; + $group = group::lookup_by_name($name); + if ($group->loaded) { + $form->edit_group->inputs["name"]->add_error("in_use", 1); + $valid = false; + } + } + + if ($valid) { + $group->name = $form->edit_group->inputs["name"]->value; + $group->save(); + message::success( + t("Changed group %group_name", array("group_name" => $group->name))); + print json_encode(array("result" => "success")); + } else { + message::error( + t("Failed to change group %group_name", array("group_name" => $group->name))); + print json_encode(array("result" => "error", + "form" => $form->__toString())); + } + } + + public function edit_group_form($id) { + $group = group::lookup($id); + if (empty($group)) { + kohana::show_404(); + } + + print group::get_edit_form_admin($group); + } + +} diff --git a/modules/gallery/controllers/albums.php b/modules/gallery/controllers/albums.php index 9733d1cd..95d63308 100644 --- a/modules/gallery/controllers/albums.php +++ b/modules/gallery/controllers/albums.php @@ -29,6 +29,7 @@ class Albums_Controller extends Items_Controller { $view = new Theme_View("page.html", "login"); $view->page_title = t("Log in to Gallery"); $view->content = new View("login_ajax.html"); + $view->content->writable = user::is_writable(); $view->content->form = user::get_login_form("login/auth_html"); print $view; return; diff --git a/modules/gallery/controllers/login.php b/modules/gallery/controllers/login.php new file mode 100644 index 00000000..85f6db5d --- /dev/null +++ b/modules/gallery/controllers/login.php @@ -0,0 +1,82 @@ +<?php defined("SYSPATH") or die("No direct script access."); +/** + * Gallery - a web based photo album viewer and editor + * Copyright (C) 2000-2009 Bharat Mediratta + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or (at + * your option) any later version. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA 02110-1301, USA. + */ +class Login_Controller extends Controller { + + public function ajax() { + $view = new View("login_ajax.html"); + $view->writable = user::is_writable(); + $view->form = user::get_login_form("login/auth_ajax"); + print $view; + } + + public function auth_ajax() { + access::verify_csrf(); + + list ($valid, $form) = $this->_auth("login/auth_ajax"); + if ($valid) { + print json_encode( + array("result" => "success")); + } else { + print json_encode( + array("result" => "error", + "form" => $form->__toString())); + } + } + + public function html() { + print user::get_login_form("login/auth_html"); + } + + public function auth_html() { + access::verify_csrf(); + + list ($valid, $form) = $this->_auth("login/auth_html"); + if ($valid) { + url::redirect(item::root()->abs_url()); + } else { + print $form; + } + } + private function _auth($url) { + $form = user::get_login_form($url); + $valid = $form->validate(); + if ($valid) { + $user = user::lookup_by_name($form->login->inputs["name"]->value); + if (empty($user) || !user::is_correct_password($user, $form->login->password->value)) { + log::warning( + "user", + t("Failed login for %name", + array("name" => $form->login->inputs["name"]->value))); + $form->login->inputs["name"]->add_error("invalid_login", 1); + $valid = false; + } + } + + if ($valid) { + user::login($user); + log::info("user", t("User %name logged in", array("name" => $user->name))); + } + + // Either way, regenerate the session id to avoid session trapping + Session::instance()->regenerate(); + + return array($valid, $form); + } +}
\ No newline at end of file diff --git a/modules/gallery/controllers/logout.php b/modules/gallery/controllers/logout.php new file mode 100644 index 00000000..45d397ad --- /dev/null +++ b/modules/gallery/controllers/logout.php @@ -0,0 +1,38 @@ +<?php defined("SYSPATH") or die("No direct script access."); +/** + * Gallery - a web based photo album viewer and editor + * Copyright (C) 2000-2009 Bharat Mediratta + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or (at + * your option) any later version. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA 02110-1301, USA. + */ +class Logout_Controller extends Controller { + public function index() { + //access::verify_csrf(); + + $user = user::active(); + user::logout(); + log::info("user", t("User %name logged out", array("name" => $user->name)), + html::anchor("user/$user->id", html::clean($user->name))); + if ($continue_url = $this->input->get("continue")) { + $item = url::get_item_from_uri($continue_url); + if (access::can("view", $item)) { + // Don't use url::redirect() because it'll call url::site() and munge the continue url. + header("Location: $continue_url"); + } else { + url::redirect(item::root()->abs_url()); + } + } + } +}
\ No newline at end of file diff --git a/modules/gallery/controllers/password.php b/modules/gallery/controllers/password.php new file mode 100644 index 00000000..e8b08960 --- /dev/null +++ b/modules/gallery/controllers/password.php @@ -0,0 +1,133 @@ +<?php defined("SYSPATH") or die("No direct script access."); +/** + * Gallery - a web based photo album viewer and editor + * Copyright (C) 2000-2009 Bharat Mediratta + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or (at + * your option) any later version. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA 02110-1301, USA. + */ +class Password_Controller extends Controller { + public function reset() { + if (request::method() == "post") { + // @todo separate the post from get parts of this function + access::verify_csrf(); + $this->_send_reset(); + } else { + print $this->_reset_form(); + } + } + + public function do_reset() { + if (request::method() == "post") { + $this->_change_password(); + } else { + $user = user::lookup_by_hash(Input::instance()->get("key")); + if (!empty($user)) { + print $this->_new_password_form($user->hash); + } else { + throw new Exception("@todo FORBIDDEN", 503); + } + } + } + + private function _send_reset() { + $form = $this->_reset_form(); + + $valid = $form->validate(); + if ($valid) { + $user = user::lockup_by_name($form->reset->inputs["name"]->value); + if (!$user->loaded || empty($user->email)) { + $form->reset->inputs["name"]->add_error("no_email", 1); + $valid = false; + } + } + + if ($valid) { + $user->hash = md5(rand()); + $user->save(); + $message = new View("reset_password.html"); + $message->confirm_url = url::abs_site("password/do_reset?key=$user->hash"); + $message->user = $user; + + Sendmail::factory() + ->to($user->email) + ->subject(t("Password Reset Request")) + ->header("Mime-Version", "1.0") + ->header("Content-type", "text/html; charset=iso-8859-1") + ->message($message->render()) + ->send(); + + log::success( + "user", + t("Password reset email sent for user %name", array("name" => $user->name))); + } else { + // Don't include the username here until you're sure that it's XSS safe + log::warning( + "user", "Password reset email requested for bogus user"); + } + + message::success(t("Password reset email sent")); + print json_encode( + array("result" => "success")); + } + + private function _reset_form() { + $form = new Forge(url::current(true), "", "post", array("id" => "g-reset-form")); + $group = $form->group("reset")->label(t("Reset Password")); + $group->input("name")->label(t("Username"))->id("g-name")->class(null)->rules("required"); + $group->inputs["name"]->error_messages("no_email", t("No email, unable to reset password")); + $group->submit("")->value(t("Reset")); + + return $form; + } + + private function _new_password_form($hash=null) { + $template = new Theme_View("page.html", "reset"); + + $form = new Forge("password/do_reset", "", "post", array("id" => "g-change-password-form")); + $group = $form->group("reset")->label(t("Change Password")); + $hidden = $group->hidden("hash"); + if (!empty($hash)) { + $hidden->value($hash); + } + $group->password("password")->label(t("Password"))->id("g-password") + ->rules("required|length[1,40]"); + $group->password("password2")->label(t("Confirm Password"))->id("g-password2") + ->matches($group->password); + $group->inputs["password2"]->error_messages( + "mistyped", t("The password and the confirm password must match")); + $group->submit("")->value(t("Update")); + + $template->content = $form; + return $template; + } + + private function _change_password() { + $view = $this->_new_password_form(); + if ($view->content->validate()) { + $user = user::lookup_by_hash(Input::instance()->get("key")); + if (empty($user)) { + throw new Exception("@todo FORBIDDEN", 503); + } + + $user->password = $view->content->reset->password->value; + $user->hash = null; + $user->save(); + message::success(t("Password reset successfully")); + url::redirect(item::root()->abs_url()); + } else { + print $view; + } + } +}
\ No newline at end of file diff --git a/modules/gallery/controllers/users.php b/modules/gallery/controllers/users.php new file mode 100644 index 00000000..07c5a457 --- /dev/null +++ b/modules/gallery/controllers/users.php @@ -0,0 +1,68 @@ +<?php defined("SYSPATH") or die("No direct script access."); +/** + * Gallery - a web based photo album viewer and editor + * Copyright (C) 2000-2009 Bharat Mediratta + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or (at + * your option) any later version. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA 02110-1301, USA. + */ +class Users_Controller extends Controller { + public function update($id) { + $user = user::lookup($id); + + if ($user->guest || $user->id != user::active()->id) { + access::forbidden(); + } + + $form = user::get_edit_form($user); + $valid = $form->validate(); + if ($valid) { + $user->full_name = $form->edit_user->full_name->value; + if ($form->edit_user->password->value) { + $user->password = $form->edit_user->password->value; + } + $user->email = $form->edit_user->email->value; + $user->url = $form->edit_user->url->value; + if ($form->edit_user->locale) { + $desired_locale = $form->edit_user->locale->value; + $new_locale = $desired_locale == "none" ? null : $desired_locale; + if ($new_locale != $user->locale) { + // Delete the session based locale preference + setcookie("g_locale", "", time() - 24 * 3600, "/"); + } + $user->locale = $new_locale; + } + $user->save(); + module::event("user_edit_form_completed", $user, $form); + + message::success(t("User information updated.")); + print json_encode( + array("result" => "success", + "resource" => url::site("users/{$user->id}"))); + } else { + print json_encode( + array("result" => "error", + "form" => $form->__toString())); + } + } + + public function form_edit($id) { + $user = user::lookup($id); + if ($user->guest || $user->id != user::active()->id) { + access::forbidden(); + } + + print user::get_edit_form($user); + } +} |