Projekte/web-base
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

csrf token now default, groups improved

Browse Source
This commit is contained in:
Roman Hergenreder
2020-06-23 15:31:09 +02:00
parent 42e1ac95c8
commit a4504d8336
13 changed files with 140 additions and 83 deletions
Download Patch File Download Diff File Expand all files Collapse all files

77
core/Api/UserAPI.class.php
View File

@@ -51,6 +51,25 @@ namespace Api {
protected function hashPassword($password, $salt) {
return hash('sha256', $password . $salt);
}
protected function checkToken($token) {
$sql = $this->user->getSQL();
$res = $sql->select("UserToken.token_type", "User.name", "User.email")
->from("UserToken")
->innerJoin("User", "UserToken.user_id", "User.uid")
->where(new Compare("UserToken.token", $token))
->where(new Compare("UserToken.valid_until", $sql->now(), ">"))
->where(new Compare("UserToken.used", 0))
->execute();
$this->lastError = $sql->getLastError();
$this->success = ($res !== FALSE);
if ($this->success && !empty($res)) {
return $res[0];
}
return array();
}
}
}
@@ -63,8 +82,6 @@ namespace Api\User {
use Api\UserAPI;
use DateTime;
use Driver\SQL\Condition\Compare;
use Driver\SQL\Condition\CondBool;
use Views\Account\ConfirmEmail;
class Create extends UserAPI {
@@ -75,9 +92,9 @@ namespace Api\User {
'password' => new StringType('password'),
'confirmPassword' => new StringType('confirmPassword'),
));
$this->csrfTokenRequired = true;
$this->loginRequired = true;
$this->requiredGroup = USER_GROUP_ADMIN;
$this->requiredGroup = array(USER_GROUP_ADMIN);
}
public function execute($values = array()) {
@@ -103,20 +120,18 @@ namespace Api\User {
class Fetch extends UserAPI {
const SELECT_SIZE = 10;
private int $userCount;
public function __construct($user, $externalCall = false) {
parent::__construct($user, $externalCall, array(
'page' => new Parameter('page', Parameter::TYPE_INT, true, 1)
'page' => new Parameter('page', Parameter::TYPE_INT, true, 1),
'count' => new Parameter('count', Parameter::TYPE_INT, true, 20),
));
$this->loginRequired = true;
$this->requiredGroup = USER_GROUP_ADMIN;
$this->requiredGroup = array(USER_GROUP_SUPPORT, USER_GROUP_ADMIN);
$this->userCount = 0;
$this->csrfTokenRequired = true;
}
private function getUserCount() {
@@ -143,20 +158,25 @@ namespace Api\User {
return $this->createError("Invalid page count");
}
$count = $this->getParam("count");
if ($count < 1 || $count > 50) {
return $this->createError("Invalid fetch count");
}
if (!$this->getUserCount()) {
return false;
}
$sql = $this->user->getSQL();
$res = $sql->select("User.uid as userId", "User.name", "User.email", "User.registered_at",
"Group.uid as groupId", "Group.name as groupName")
"Group.uid as groupId", "Group.name as groupName", "Group.color as groupColor")
->from("User")
->leftJoin("UserGroup", "User.uid", "UserGroup.user_id")
->leftJoin("Group", "Group.uid", "UserGroup.group_id")
->orderBy("User.uid")
->ascending()
->limit(Fetch::SELECT_SIZE)
->offset(($page - 1) * Fetch::SELECT_SIZE)
->limit($count)
->offset(($page - 1) * $count)
->execute();
$this->success = ($res !== FALSE);
@@ -168,6 +188,7 @@ namespace Api\User {
$userId = intval($row["userId"]);
$groupId = intval($row["groupId"]);
$groupName = $row["groupName"];
$groupColor = $row["groupColor"];
if (!isset($this->result["users"][$userId])) {
$this->result["users"][$userId] = array(
"uid" => $userId,
@@ -179,10 +200,13 @@ namespace Api\User {
}
if (!is_null($groupId)) {
$this->result["users"][$userId]["groups"][$groupId] = $groupName;
$this->result["users"][$userId]["groups"][$groupId] = array(
"name" => $groupName,
"color" => $groupColor
);
}
}
$this->result["pageCount"] = intval(ceil($this->userCount / Fetch::SELECT_SIZE));
$this->result["pageCount"] = intval(ceil($this->userCount / $count));
$this->result["totalCount"] = $this->userCount;
}
@@ -194,7 +218,7 @@ namespace Api\User {
public function __construct($user, $externalCall = false) {
parent::__construct($user, $externalCall, array());
$this->csrfTokenRequired = true;
$this->csrfTokenRequired = false;
}
public function execute($values = array()) {
@@ -220,9 +244,9 @@ namespace Api\User {
'username' => new StringType('username', 32),
'email' => new StringType('email', 64),
));
$this->csrfTokenRequired = true;
$this->loginRequired = true;
$this->requiredGroup = USER_GROUP_ADMIN;
$this->requiredGroup = array(USER_GROUP_ADMIN);
}
public function execute($values = array()) {
@@ -344,7 +368,6 @@ If the invitation was not intended, you can simply ignore this email.<br><br><a
parent::__construct($user, $externalCall);
$this->loginRequired = true;
$this->apiKeyAllowed = false;
$this->csrfTokenRequired = true;
}
public function execute($values = array()) {
@@ -453,22 +476,12 @@ If the registration was not intended, you can simply ignore this email.<br><br><
}
$token = $this->getParam('token');
$sql = $this->user->getSQL();
$res = $sql->select("UserToken.token_type", "User.name", "User.email")
->from("UserToken")
->innerJoin("User", "UserToken.user_id", "User.uid")
->where(new Compare("UserToken.token", $token))
->where(new Compare("UserToken.valid_until", $sql->now(), ">"))
->where(new Compare("UserToken.used", 0))
->execute();
$this->lastError = $sql->getLastError();
$this->success = ($res !== FALSE);
$tokenEntry = $this->checkToken($token);
if ($this->success) {
if (count($res) > 0) {
$row = $res[0];
$this->result["token"] = array("type" => $row["token_type"]);
$this->result["user"] = array("name" => $row["name"], "email" => $row["email"]);
if (!empty($tokenEntry)) {
$this->result["token"] = array("type" => $tokenEntry["token_type"]);
$this->result["user"] = array("name" => $tokenEntry["name"], "email" => $tokenEntry["email"]);
} else {
return $this->createError("This token does not exist or is no longer valid");
}