From 0014745d4ad0c5e95e4ebced95062a6272359bf5 Mon Sep 17 00:00:00 2001
From: Bharat Mediratta
Date: Sun, 8 Aug 2010 21:49:30 -0700
Subject: Add a button to the user profile page to let you reset your REST API key. This is useful if you think it's been compromised in some way. Fixes ticket #1226.
---
modules/rest/controllers/rest.php | 16 ++++++++++++++++
modules/rest/helpers/rest.php | 10 ++++++++++
modules/rest/helpers/rest_event.php | 7 -------
modules/rest/views/reset_api_key_confirm.html.php | 7 +++++++
modules/rest/views/user_profile_rest.html.php | 3 +++
5 files changed, 36 insertions(+), 7 deletions(-)
create mode 100644 modules/rest/views/reset_api_key_confirm.html.php
(limited to 'modules/rest')
diff --git a/modules/rest/controllers/rest.php b/modules/rest/controllers/rest.php
index bf2f0a54..a721ff2b 100644
--- a/modules/rest/controllers/rest.php
+++ b/modules/rest/controllers/rest.php
@@ -37,6 +37,22 @@ class Rest_Controller extends Controller {
 rest::reply(rest::access_key());
 }
 
+ public function reset_api_key_confirm() {
+ $form = new Forge("rest/reset_api_key", "", "post", array("id" => "g-reset-api-key"));
+ $group = $form->group("confirm_reset")->label(t("Confirm resetting your REST API key"));
+ $group->submit("")->value(t("Reset"));
+ $v = new View("reset_api_key_confirm.html");
+ $v->form = $form;
+ print $v;
+ }
+
+ public function reset_api_key() {
+ access::verify_csrf();
+ rest::reset_access_key();
+ message::success(t("Your REST API key has been reset."));
+ json::reply(array("result" => "success"));
+ }
+
 public function __call($function, $args) {
 try {
 $input = Input::instance();
diff --git a/modules/rest/helpers/rest.php b/modules/rest/helpers/rest.php
index 73d09c64..333daf95 100644
--- a/modules/rest/helpers/rest.php
+++ b/modules/rest/helpers/rest.php
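Review bot: `reset_api_key()` rotates a credential after only `access::verify_csrf()`; nothing visible in this hunk rejects a guest session or a non-POST request, so the reset acts on whatever `identity::active_user()` returns. Consider adding `if (identity::active_user()->guest) { access::forbidden(); }` directly after the CSRF check, and the same guard in `reset_api_key_confirm()` so the dialog is not rendered for anonymous visitors. It is also worth confirming that `access::verify_csrf()`, which is defined outside this diff, does not accept the token from the query string, because a reset reachable by GET would leave the token in URLs and access logs. Neither new method has a docblock; something like `/** Replace the active user's REST API key; requires a valid CSRF token. */` would document the contract.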
@@ -87,6 +87,16 @@ class rest_Core {
 identity::set_active_user($user);
 }
 
+ static function reset_access_key() {
+ $key = ORM::factory("user_access_key")
+ ->where("user_id", "=", identity::active_user()->id)
+ ->find();
+ if ($key->loaded()) {
+ $key->delete();
+ }
+ return rest::access_key();
+ }
+
 static function access_key() {
 $key = ORM::factory("user_access_key")
 ->where("user_id", "=", identity::active_user()->id)
diff --git a/modules/rest/helpers/rest_event.php b/modules/rest/helpers/rest_event.php
index f23b9a58..6a42e893 100644
--- a/modules/rest/helpers/rest_event.php
+++ b/modules/rest/helpers/rest_event.php
@@ -54,13 +54,6 @@ class rest_event {
 self::_get_access_key_form($user, $form);
 }
 
- /**
- * Called when user is editing their own form
- */
- static function user_edit_form($user, $form) {
- self::_get_access_key_form($user, $form);
- }
-
 /**
 * Get the form fields for user edit
 */
diff --git a/modules/rest/views/reset_api_key_confirm.html.php b/modules/rest/views/reset_api_key_confirm.html.php
new file mode 100644
index 00000000..3aae2a9a
--- /dev/null
+++ b/modules/rest/views/reset_api_key_confirm.html.php
@@ -0,0 +1,7 @@
+
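Review bot: `reset_access_key()` deletes only the single row returned by `->find()`, so if a user ever has more than one `user_access_key` row (no uniqueness constraint is visible here, and `access_key()` appears to create a row on demand), the remaining keys would stay valid after a "reset". Since the commit message says this feature is for a key you think has been compromised, delete every match instead: `foreach (ORM::factory("user_access_key")->where("user_id", "=", identity::active_user()->id)->find_all() as $key) { $key->delete(); }`. The strength of the replacement key depends on how `access_key()` generates it, and that body continues outside the hunk, so it is worth confirming that it draws from a cryptographically secure source. A short docblock stating that the old key is invalidated and the newly issued key is returned would also help, as the controller currently ignores the return value.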
+

+ +

+ +
diff --git a/modules/rest/views/user_profile_rest.html.php b/modules/rest/views/user_profile_rest.html.php
index e81f3d0b..3e5d3dbf 100644
--- a/modules/rest/views/user_profile_rest.html.php
+++ b/modules/rest/views/user_profile_rest.html.php
@@ -4,6 +4,9 @@
  • Key: %key", array("key" => $rest_key)) ?> + "> + +

  • -- cgit v1.2.3