Diffstat (limited to 'modules/gallery')
| -rw-r--r-- | modules/gallery/controllers/password.php | 133 | ||||
| -rw-r--r-- | modules/gallery/helpers/access.php | 4 | ||||
| -rw-r--r-- | modules/gallery/libraries/Identity.php | 34 | ||||
| -rw-r--r-- | modules/gallery/libraries/drivers/Identity.php | 196 | ||||
| -rw-r--r-- | modules/gallery/tests/Albums_Controller_Test.php | 1 | ||||
| -rw-r--r-- | modules/gallery/tests/Photos_Controller_Test.php | 2 | ||||
| -rw-r--r-- | modules/gallery/views/admin_identity.html.php | 6 | ||||
| -rw-r--r-- | modules/gallery/views/reset_password.html.php | 17 | 
8 files changed, 23 insertions, 370 deletions
diff --git a/modules/gallery/controllers/password.php b/modules/gallery/controllers/password.php
deleted file mode 100644
index ce6d67b1..00000000
--- a/modules/gallery/controllers/password.php
+++ /dev/null
@@ -1,133 +0,0 @@ -<?php defined("SYSPATH") or die("No direct script access."); -/** - * Gallery - a web based photo album viewer and editor - * Copyright (C) 2000-2009 Bharat Mediratta - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or (at - * your option) any later version. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU - * General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA  02110-1301, USA. - */ -class Password_Controller extends Controller { -  public function reset() { -    if (request::method() == "post") { -      // @todo separate the post from get parts of this function -      access::verify_csrf(); -      $this->_send_reset(); -    } else { -      print $this->_reset_form(); -    } -  } - -  public function do_reset() { -    if (request::method() == "post") { -      $this->_change_password(); -    } else { -      $user = Identity::lookup_user_by_hash(Input::instance()->get("key")); -      if (!empty($user)) { -        print $this->_new_password_form($user->hash); -      } else { -        throw new Exception("@todo FORBIDDEN", 503); -      } -    } -  } - -  private function _send_reset() { -    $form = $this->_reset_form(); - -    $valid = $form->validate(); -    if ($valid) { -      $user = Identity::lookup_user_by_name($form->reset->inputs["name"]->value); -      if (!$user->loaded || empty($user->email)) { -        $form->reset->inputs["name"]->add_error("no_email", 1); -        $valid = false; -      } -    } - -    if ($valid) { -      
$user->hash = md5(rand()); -      $user->save(); -      $message = new View("reset_password.html"); -      $message->confirm_url = url::abs_site("password/do_reset?key=$user->hash"); -      $message->user = $user; - -      Sendmail::factory() -        ->to($user->email) -        ->subject(t("Password Reset Request")) -        ->header("Mime-Version", "1.0") -        ->header("Content-type", "text/html; charset=iso-8859-1") -        ->message($message->render()) -        ->send(); - -      log::success( -        "user", -        t("Password reset email sent for user %name", array("name" => $user->name))); -    } else { -      // Don't include the username here until you're sure that it's XSS safe -      log::warning( -        "user", "Password reset email requested for bogus user"); -    } - -    message::success(t("Password reset email sent")); -    print json_encode( -      array("result" => "success")); -  } - -  private function _reset_form() { -    $form = new Forge(url::current(true), "", "post", array("id" => "g-reset-form")); -    $group = $form->group("reset")->label(t("Reset Password")); -    $group->input("name")->label(t("Username"))->id("g-name")->class(null)->rules("required"); -    $group->inputs["name"]->error_messages("no_email", t("No email, unable to reset password")); -    $group->submit("")->value(t("Reset")); - -    return $form; -  } - -  private function _new_password_form($hash=null) { -    $template = new Theme_View("page.html", "reset"); - -    $form = new Forge("password/do_reset", "", "post", array("id" => "g-change-password-form")); -    $group = $form->group("reset")->label(t("Change Password")); -    $hidden = $group->hidden("hash"); -    if (!empty($hash)) { -      $hidden->value($hash); -    } -    $group->password("password")->label(t("Password"))->id("g-password") -      ->rules("required|length[1,40]"); -    $group->password("password2")->label(t("Confirm Password"))->id("g-password2") -      ->matches($group->password); -    
$group->inputs["password2"]->error_messages( -      "mistyped", t("The password and the confirm password must match")); -    $group->submit("")->value(t("Update")); - -    $template->content = $form; -    return $template; -  } - -  private function _change_password() { -    $view = $this->_new_password_form(); -    if ($view->content->validate()) { -      $user = Identity::lookup_user_by_hash(Input::instance()->get("key")); -      if (empty($user)) { -        throw new Exception("@todo FORBIDDEN", 503); -      } - -      $user->password = $view->content->reset->password->value; -      $user->hash = null; -      $user->save(); -      message::success(t("Password reset successfully")); -      url::redirect(item::root()->abs_url()); -    } else { -      print $view; -    } -  } -}
\ No newline at end of file
diff --git a/modules/gallery/helpers/access.php b/modules/gallery/helpers/access.php
index 21f4de81..fba161e3 100644
--- a/modules/gallery/helpers/access.php
+++ b/modules/gallery/helpers/access.php
@@ -197,8 +197,8 @@ class access_Core {
    * @param  Item_Model  $item
    * @param  boolean     $value
    */
-  private static function _set(Group_Model $group, $perm_name, $album, $value) {
-    if (get_class($group) != "Group_Model") {
+  private static function _set(Group_Definition $group, $perm_name, $album, $value) {
+    if (!($group instanceof Group_Definition)) {
       throw new Exception("@todo PERMISSIONS_ONLY_WORK_ON_GROUPS");
     }
     if (!$album->loaded) {
diff --git a/modules/gallery/libraries/Identity.php b/modules/gallery/libraries/Identity.php
index 9e5f0bb5..e77fd2d2 100644
--- a/modules/gallery/libraries/Identity.php
+++ b/modules/gallery/libraries/Identity.php
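Review bot: The `if (!($group instanceof Group_Definition))` guard added in `access::_set` can never be true, because the new `Group_Definition $group` type hint on the same signature already makes PHP reject any other argument before the body runs; the `@todo PERMISSIONS_ONLY_WORK_ON_GROUPS` exception is therefore unreachable and callers passing the wrong object will see a PHP type error instead of it. Either keep the type hint and delete the check, or drop the hint so the intended exception is what surfaces: `private static function _set($group, $perm_name, $album, $value) {` with the `instanceof` check left as is. Note also that `Group_Definition` is declared in this same commit as an empty interface, so neither form guarantees `$group` carries the `id` the permission code presumably reads further down. The body of `_set` continues outside the hunk.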
@@ -133,37 +133,17 @@ class Identity_Core {    }    /** -   * @see Identity_Driver::hash_password. -   */ -  static function hash_password($password) { -    return self::instance()->driver->hash_password($password); -  } - -  /** -   * Look up a user by id. -   * @param integer      $id the user id -   * @return User_Definition  the user object, or null if the id was invalid. +   * @see Identity_Driver::lookup_user.     */    static function lookup_user($id) { -    return self::instance()->driver->lookup_user_by_field("id", $id); +    return self::instance()->driver->lookup_user($id);    }    /** -   * Look up a user by name. -   * @param integer      $name the user name -   * @return User_Definition  the user object, or null if the name was invalid. +   * @see Identity_Driver::lookup_user_by_name.     */    static function lookup_user_by_name($name) { -    return self::instance()->driver->lookup_user_by_field("name", $name); -  } - -  /** -   * Look up a user by hash. -   * @param string       $name the user name -   * @return User_Definition  the user object, or null if the name was invalid. -   */ -  static function lookup_user_by_hash($hash) { -    return self::instance()->driver->lookup_user_by_field("hash", $hash); +    return self::instance()->driver->lookup_user_by_name($name);    }    /** @@ -188,12 +168,10 @@ class Identity_Core {    }    /** -   * Look up a group by name. -   * @param integer      $id the group name -   * @return Group_Definition  the group object, or null if the name was invalid. +   * @see Identity_Driver::lookup_group_by_name.     */    static function lookup_group_by_name($name) { -    return self::instance()->driver->lookup_group_by_field("name", $name); +    return self::instance()->driver->lookup_group_by_name($name);    }    /** diff --git a/modules/gallery/libraries/drivers/Identity.php b/modules/gallery/libraries/drivers/Identity.php index a9e1a75b..6ab001cb 100644 --- a/modules/gallery/libraries/drivers/Identity.php 
+++ b/modules/gallery/libraries/drivers/Identity.php @@ -45,19 +45,18 @@ interface Identity_Driver {    public function is_correct_password($user, $password);    /** -   * Create the hashed passwords. -   * @param string $password a plaintext password -   * @return string hashed password +   * Look up a user by id. +   * @param integer     id +   * @return User_Definition the user object, or null if the name was invalid.     */ -  public function hash_password($password); +  public function lookup_user($id);    /** -   * Look up a user by by search the specified field. -   * @param string      search field -   * @param string      search value -   * @return User_Definition the user object, or null if the name was invalid. +   * Look up a user by name. +   * @param string      name +  * @return User_Definition the user object, or null if the name was invalid.     */ -  public function lookup_user_by_field($field, $value); +  public function lookup_user_by_name($name);    /**     * Create a new group. 
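Review bot: The docblock added for `lookup_user($id)` still says "or null if the name was invalid" and its `@param integer id` line has no `$id`, which reads as a copy of the by-name variant; it should be `@param integer $id the user id` and `@return User_Definition the user object, or null if the id was invalid.` The `@return` line of `lookup_user_by_name` is also misaligned (`  * @return` instead of `   * @return`). Since both contracts promise `null` on a miss, any caller that tests `->loaded` or dereferences the result without a null check is wrong against this interface; whether the concrete drivers return null or an unloaded object is not visible here.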
@@ -90,181 +89,6 @@ interface Identity_Driver {  } // End Identity Driver Definition -/** - * User Data wrapper - */ -abstract class User_Definition { -  protected $user; -  public function __get($column) { -    switch ($column) { -    case "id": -    case "name": -    case "full_name": -    case "password": -    case "login_count": -    case "last_login": -    case "email": -    case "admin": -    case "guest": -    case "hash": -    case "url": -    case "locale": -    case "groups": -    case "hashed_password": -      return $this->user->$column; -    default: -      throw new Exception("@todo UNSUPPORTED FIELD: $column"); -      break; -    } -  } - -  public function __set($column, $value) { -    switch ($column) { -    case "id": -    case "groups": -      throw new Exception("@todo READ ONLY FIELD: $column"); -      break; -    case "name": -    case "full_name": -    case "hashed_password": -    case "password": -    case "login_count": -    case "last_login": -    case "email": -    case "admin": -    case "guest": -    case "hash": -    case "url": -    case "locale": -      $this->user->$column = $value; -      break; -    default: -      throw new Exception("@todo UNSUPPORTED FIELD: $column"); -      break; -    } -  } - -  public function __isset($column) { -    return isset($this->user->$column); -  } - -  public function __unset($column) { -    switch ($column) { -    case "id": -    case "groups": -      throw new Exception("@todo READ ONLY FIELD: $column"); -      break; -    case "name": -    case "full_name": -    case "password": -    case "login_count": -    case "last_login": -    case "email": -    case "admin": -    case "guest": -    case "hash": -    case "url": -    case "locale": -    case "hashed_password": -      unset($this->user->$column); -      break; -    default: -      throw new Exception("@todo UNSUPPORTED FIELD: $column"); -      break; -    } -  } - -  /** -   * Return a url to the user's avatar image. 
-   * @param integer $size the target size of the image (default 80px) -   * @return string a url -   */ -  abstract public function avatar_url($size=80, $default=null); - -  /** -   * Return the best version of the user's name.  Either their specified full name, or fall back -   * to the user name. -   * @return string -   */ -  abstract public function display_name(); - -  /** -   * Return the internal user object without the wrapper. -   * This method is used by implementing classes to access the internal user object. -   * Consider it pseudo private and only declared public as PHP as not internal or friend modifier -   */ -  public function _uncloaked() { -    return $this->user; -  } - -  abstract public function save(); -  abstract public function delete(); -} - -/** - * Group Data wrapper - */ -abstract class Group_Definition { -  protected $group; - -  public function __get($column) { -    switch ($column) { -    case "id": -    case "name": -    case "special": -    case "users": -      return $this->group->$column; -    default: -      throw new Exception("@todo UNSUPPORTED FIELD: $column"); -      break; -    } -  } - -  public function __set($column, $value) { -    switch ($column) { -    case "id": -    case "users": -      throw new Exception("@todo READ ONLY FIELD: $column"); -      break; -    case "name": -    case "special": -      $this->group->$column = $value; -    default: -      throw new Exception("@todo UNSUPPORTED FIELD: $column"); -      break; -    } -  } - -  public function __isset($column) { -    return isset($this->group->$column); -  } - -  public function __unset($column) { -    switch ($column) { -    case "id": -    case "users": -      throw new Exception("@todo READ ONLY FIELD: $column"); -      break; -    case "name": -    case "special": -      unset($this->group->$column); -    default: -      throw new Exception("@todo UNSUPPORTED FIELD: $column"); -      break; -    } -  } - -  /** -   * Return the internal group object 
without the wrapper. -   * This method is used by implementing classes to access the internal group object. -   * Consider it pseudo private and only declared public as PHP as not internal or friend modifier -   */ -  public function _uncloaked() { -    return $this->group; -  } +interface Group_Definition {} -  abstract public function save(); -  abstract public function delete(); -  abstract public function add($user); -  abstract public function remove($user); -} +interface User_Definition {} diff --git a/modules/gallery/tests/Albums_Controller_Test.php b/modules/gallery/tests/Albums_Controller_Test.php index 046cb5ad..fa46d924 100644 --- a/modules/gallery/tests/Albums_Controller_Test.php +++ b/modules/gallery/tests/Albums_Controller_Test.php @@ -43,6 +43,7 @@ class Albums_Controller_Test extends Unit_Test_Case {      $_POST["column"] = "weight";      $_POST["direction"] = "ASC";      $_POST["csrf"] = access::csrf_token(); +    $_POST["slug"] = "new_name";      $_POST["_method"] = "put";      access::allow(Identity::everybody(), "edit", $root); diff --git a/modules/gallery/tests/Photos_Controller_Test.php b/modules/gallery/tests/Photos_Controller_Test.php index cdb4ae4f..59c3f78a 100644 --- a/modules/gallery/tests/Photos_Controller_Test.php +++ b/modules/gallery/tests/Photos_Controller_Test.php @@ -31,7 +31,7 @@ class Photos_Controller_Test extends Unit_Test_Case {      $root = ORM::factory("item", 1);      $photo = photo::create(        $root, MODPATH . "gallery/tests/test.jpg", "test.jpeg", -      "test", "test", Session::active_user(), "slug"); +      "test", "test", Session::active_user()->id, "slug");      $orig_name = $photo->name;      $_POST["filename"] = "test.jpeg"; diff --git a/modules/gallery/views/admin_identity.html.php b/modules/gallery/views/admin_identity.html.php index dcf1dbc1..1405cacb 100644 --- a/modules/gallery/views/admin_identity.html.php +++ b/modules/gallery/views/admin_identity.html.php 
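Review bot: `interface Group_Definition {}` and `interface User_Definition {}` replace wrappers that declared the operations a driver had to provide (`save`, `delete`, `add`, `remove`, `avatar_url`, `display_name`), refused writes to `id`/`groups`/`users`, and threw on unknown fields; as empty marker interfaces they make a hint such as the `Group_Definition $group` added to `access::_set` in this commit guarantee nothing about the object. Any class can satisfy the hint with `implements Group_Definition` while lacking the properties the gallery reads, so a bad driver now fails with an undefined-property notice or fatal at some call site rather than with the explicit exception the wrappers raised. I would at least declare the abstract methods the old wrappers required, and list the expected properties in a short docblock on each interface (the old `__get` whitelist is the reference: `id`, `name`, `special`, `users` for groups; `id`, `name`, `full_name`, `password`, `email`, `admin`, `guest`, `hash`, `url`, `locale`, `groups`, `hashed_password` and friends for users). Whether the concrete drivers already implement these methods is not visible here.

```php
/** Group data contract; drivers expose id, name, special and users as properties. */
interface Group_Definition {
  public function save();
  public function delete();
  public function add($user);
  public function remove($user);
}

/** User data contract; drivers expose the user fields listed in the old wrapper as properties. */
interface User_Definition {
  public function avatar_url($size=80, $default=null);
  public function display_name();
  public function save();
  public function delete();
}
```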
@@ -15,11 +15,11 @@            height:165,            modal: true,            overlay: { -	    backgroundColor: '#000', -	    opacity: 0.5 +            backgroundColor: '#000', +            opacity: 0.5            },            buttons: { -	    "Continue": function() { +            "Continue": function() {                $("##g-dialog form").submit();              },              Cancel: function() { diff --git a/modules/gallery/views/reset_password.html.php b/modules/gallery/views/reset_password.html.php deleted file mode 100644 index 92ca4917..00000000 --- a/modules/gallery/views/reset_password.html.php +++ /dev/null @@ -1,17 +0,0 @@ -<?php defined("SYSPATH") or die("No direct script access.") ?> -<html> -  <head> -    <title><?= t("Password Reset Request") ?> </title> -  </head> -  <body> -    <h2><?= t("Password Reset Request") ?> </h2> -    <p> -      <?= t("Hello, %name,", array("name" => $user->full_name ? $user->full_name : $user->name)) ?> -    </p> -    <p> -  <?= t("We received a request to reset your password for <a href=\"%site_url\">%site_url</a>.  If you made this request, you can confirm it by <a href=\"%confirm_url\">clicking this link</a>.  If you didn't request this password reset, it's ok to ignore this mail.", -        array("site_url" => html::mark_clean(url::base(false, "http")), -              "confirm_url" => $confirm_url)) ?> -    </p> -  </body> -</html> | 
