summaryrefslogtreecommitdiff
path: root/modules/user/controllers
diff options
context:
space:
mode:
Diffstat (limited to 'modules/user/controllers')
-rw-r--r--modules/user/controllers/admin_users.php20
-rw-r--r--modules/user/controllers/password.php133
-rw-r--r--modules/user/controllers/users.php4
3 files changed, 146 insertions, 11 deletions
diff --git a/modules/user/controllers/admin_users.php b/modules/user/controllers/admin_users.php
index 5950c358..258de843 100644
--- a/modules/user/controllers/admin_users.php
+++ b/modules/user/controllers/admin_users.php
@@ -21,8 +21,12 @@ class Admin_Users_Controller extends Admin_Controller {
public function index() {
$view = new Admin_View("admin.html");
$view->content = new View("admin_users.html");
- $view->content->users = user::get_user_list(array("orderby" => array("name" => "ASC")));
- $view->content->groups = group::get_group_list(array("orderby" => array("name" => "ASC")));
+ $view->content->users = ORM::factory("user")
+ ->orderby("name", "ASC")
+ ->find_all();
+ $view->content->groups = ORM::factory("group")
+ ->orderby("name", "ASC")
+ ->find_all();
print $view;
}
@@ -65,7 +69,7 @@ class Admin_Users_Controller extends Admin_Controller {
public function delete_user($id) {
access::verify_csrf();
- if ($id == user::active()->id || $id == user::guest()->id) {
+ if ($id == Session::active_user()->id || $id == user::guest()->id) {
access::forbidden();
}
@@ -132,7 +136,7 @@ class Admin_Users_Controller extends Admin_Controller {
}
// An admin can change the admin status for any user but themselves
- if ($user->id != user::active()->id) {
+ if ($user->id != Session::active_user()->id) {
$user->admin = $form->edit_user->admin->checked;
}
$user->save();
@@ -154,7 +158,7 @@ class Admin_Users_Controller extends Admin_Controller {
$form = $this->_get_user_edit_form_admin($user);
// Don't allow the user to control their own admin bit, else you can lock yourself out
- if ($user->id == user::active()->id) {
+ if ($user->id == Session::active_user()->id) {
$form->edit_user->admin->disabled(1);
}
print $form;
@@ -325,8 +329,7 @@ class Admin_Users_Controller extends Admin_Controller {
$group->input("url")->label(t("URL"))->id("g-url");
self::_add_locale_dropdown($group);
$group->checkbox("admin")->label(t("Admin"))->id("g-admin");
- $user = ORM::factory("user");
- $form->add_rules_from($user);
+ $form->add_rules_from(ORM::factory("user"));
module::event("user_add_form_admin", $user, $form);
$group->submit("")->value(t("Add User"));
@@ -378,8 +381,7 @@ class Admin_Users_Controller extends Admin_Controller {
$form_group->inputs["name"]->error_messages(
"in_use", t("There is already a group with that name"));
$form_group->submit("")->value(t("Add Group"));
- $group = ORM::factory("group");
- $form->add_rules_from($group);
+ $form->add_rules_from(ORM::factory("group"));
return $form;
}
diff --git a/modules/user/controllers/password.php b/modules/user/controllers/password.php
new file mode 100644
index 00000000..a8f1c5ca
--- /dev/null
+++ b/modules/user/controllers/password.php
@@ -0,0 +1,133 @@
+<?php defined("SYSPATH") or die("No direct script access.");
+/**
+ * Gallery - a web based photo album viewer and editor
+ * Copyright (C) 2000-2009 Bharat Mediratta
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or (at
+ * your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA 02110-1301, USA.
+ */
+class Password_Controller extends Controller {
+ public function reset() {
+ if (request::method() == "post") {
+ // @todo separate the post from get parts of this function
+ access::verify_csrf();
+ $this->_send_reset();
+ } else {
+ print $this->_reset_form();
+ }
+ }
+
+ public function do_reset() {
+ if (request::method() == "post") {
+ $this->_change_password();
+ } else {
+ $user = user::lookup_user_by_field("hash", Input::instance()->get("key"));
+ if (!empty($user)) {
+ print $this->_new_password_form($user->hash);
+ } else {
+ throw new Exception("@todo FORBIDDEN", 503);
+ }
+ }
+ }
+
+ private function _send_reset() {
+ $form = $this->_reset_form();
+
+ $valid = $form->validate();
+ if ($valid) {
+ $user = Identity::lookup_user_by_name($form->reset->inputs["name"]->value);
+ if (!$user->loaded || empty($user->email)) {
+ $form->reset->inputs["name"]->add_error("no_email", 1);
+ $valid = false;
+ }
+ }
+
+ if ($valid) {
+ $user->hash = md5(rand());
+ $user->save();
+ $message = new View("reset_password.html");
+ $message->confirm_url = url::abs_site("password/do_reset?key=$user->hash");
+ $message->user = $user;
+
+ Sendmail::factory()
+ ->to($user->email)
+ ->subject(t("Password Reset Request"))
+ ->header("Mime-Version", "1.0")
+ ->header("Content-type", "text/html; charset=iso-8859-1")
+ ->message($message->render())
+ ->send();
+
+ log::success(
+ "user",
+ t("Password reset email sent for user %name", array("name" => $user->name)));
+ } else {
+ // Don't include the username here until you're sure that it's XSS safe
+ log::warning(
+ "user", "Password reset email requested for bogus user");
+ }
+
+ message::success(t("Password reset email sent"));
+ print json_encode(
+ array("result" => "success"));
+ }
+
+ private function _reset_form() {
+ $form = new Forge(url::current(true), "", "post", array("id" => "g-reset-form"));
+ $group = $form->group("reset")->label(t("Reset Password"));
+ $group->input("name")->label(t("Username"))->id("g-name")->class(null)->rules("required");
+ $group->inputs["name"]->error_messages("no_email", t("No email, unable to reset password"));
+ $group->submit("")->value(t("Reset"));
+
+ return $form;
+ }
+
+ private function _new_password_form($hash=null) {
+ $template = new Theme_View("page.html", "reset");
+
+ $form = new Forge("password/do_reset", "", "post", array("id" => "g-change-password-form"));
+ $group = $form->group("reset")->label(t("Change Password"));
+ $hidden = $group->hidden("hash");
+ if (!empty($hash)) {
+ $hidden->value($hash);
+ }
+ $group->password("password")->label(t("Password"))->id("g-password")
+ ->rules("required|length[1,40]");
+ $group->password("password2")->label(t("Confirm Password"))->id("g-password2")
+ ->matches($group->password);
+ $group->inputs["password2"]->error_messages(
+ "mistyped", t("The password and the confirm password must match"));
+ $group->submit("")->value(t("Update"));
+
+ $template->content = $form;
+ return $template;
+ }
+
+ private function _change_password() {
+ $view = $this->_new_password_form();
+ if ($view->content->validate()) {
+ $user = user::lookup_user_by_field("hash", Input::instance()->get("key"));
+ if (empty($user)) {
+ throw new Exception("@todo FORBIDDEN", 503);
+ }
+
+ $user->password = $view->content->reset->password->value;
+ $user->hash = null;
+ $user->save();
+ message::success(t("Password reset successfully"));
+ url::redirect(item::root()->abs_url());
+ } else {
+ print $view;
+ }
+ }
+} \ No newline at end of file
diff --git a/modules/user/controllers/users.php b/modules/user/controllers/users.php
index b03a47cc..0ccf3e2a 100644
--- a/modules/user/controllers/users.php
+++ b/modules/user/controllers/users.php
@@ -21,7 +21,7 @@ class Users_Controller extends Controller {
public function update($id) {
$user = user::lookup($id);
- if ($user->guest || $user->id != user::active()->id) {
+ if ($user->guest || $user->id != Session::active_user()->id) {
access::forbidden();
}
@@ -59,7 +59,7 @@ class Users_Controller extends Controller {
public function form_edit($id) {
$user = user::lookup($id);
- if ($user->guest || $user->id != user::active()->id) {
+ if ($user->guest || $user->id != Session::active_user()->id) {
access::forbidden();
}