From 233950519470ae5efd594772bc3766be38fea3c2 Mon Sep 17 00:00:00 2001 From: Starbeamrainbowlabs Date: Sat, 12 May 2018 17:25:26 +0100 Subject: [PATCH] Finish user-add implementation, but it's not tested yet --- Changelog.md | 7 ++-- build/index.php | 66 +++++++++++++++++++++++++++++----- module_index.json | 2 +- modules/feature-user-table.php | 37 ++++++++++++++++++- 4 files changed, 100 insertions(+), 12 deletions(-) diff --git a/Changelog.md b/Changelog.md index 095b34d..4a3762a 100644 --- a/Changelog.md +++ b/Changelog.md @@ -3,11 +3,14 @@ This file holds the changelog for Pepperminty Wiki. This is the master list of t ## v0.17-dev -## Fixed +### Added + - [Module API] Added `save_settings()` convenience method + +### Fixed - [Security] Made the site secret generator cryptographically secure. If you created your wiki before this change, you might want to change your site secret in `peppermint.json` to something more secure with a site like [random.org](https://www.random.org/). - The PHP function `openssl_pseudo_random_bytes()` was being used before, but [apparently that's not cryptographically secure](https://paragonie.com/blog/2015/07/how-safely-generate-random-strings-and-integers-in-php). - [Module API] Fix `full_url()` logic - - [Module API] Mak `email_user()` correctly return email sending failures + - [Module API] Make `email_user()` correctly return email sending failures ## Changed - Password hashing has been overhauled! A totally new-and-different system is being used now, so you'll need to rehash all your passwords. diff --git a/build/index.php b/build/index.php index cecc814..839ec6f 100644 --- a/build/index.php +++ b/build/index.php 
@@ -396,7 +396,7 @@ if($settings->sessionprefix == "auto") ///////////////////////////////////////////////////////////////////////////// /** The version of Pepperminty Wiki currently running. */ $version = "v0.17-dev"; -$commit = "e11766bbe1276b1515b608827fd8a49ae700ce09"; +$commit = "ef530baaed8e424fb8eab554e6af25b4d58ce559"; /// Environment /// /** Holds information about the current request environment. */ $env = new stdClass(); @@ -555,6 +555,7 @@ function url_origin( $s = false, $use_forwarded_host = false ) */ function full_url( $s = false, $use_forwarded_host = false ) { + if($s == false) $s = $_SERVER; return url_origin( $s, $use_forwarded_host ) . $s['REQUEST_URI']; } @@ -1048,6 +1049,15 @@ function render_editor($editorName) return "✎ $editorName"; } +/** + * Saves the settings file back to peppermint.json. + * @return bool Whether the settings were saved successfully. + */ +function save_settings() { + global $paths, $settings; + file_put_contents($paths->settings_file, json_encode($settings, JSON_PRETTY_PRINT)) !== false; +} + /** * Saves the currently logged in user's data back to peppermint.json. * @package core @@ -1061,9 +1071,8 @@ function save_userdata() return false; $settings->users->{$env->user} = $env->user_data; - file_put_contents($paths->settings_file, json_encode($settings, JSON_PRETTY_PRINT)); - return true; + return save_settings(); } /** @@ -1119,8 +1128,7 @@ function email_user($username, $subject, $body) foreach($headers as $header => $value) $compiled_headers .= "$header: $value\r\n"; - mail($settings->users->{$username}->emailAddress, $subject, $body, $compiled_headers, "-t"); - return true; + return mail($settings->users->{$username}->emailAddress, $subject, $body, $compiled_headers, "-t"); } /** * Sends a plain text email to a list of users, replacing {username} with each user's name. 
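Review bot: `if($s == false) $s = $_SERVER;` in `full_url()` uses loose comparison, so an empty array passed as `$s` is also swapped for `$_SERVER`, while the intent is to fill in only the `false` default; `if($s === false) $s = $_SERVER;` says exactly that. The defaulting is what keeps the `$s['REQUEST_URI']` lookup on the next line from indexing `false`, so it belongs before the `url_origin()` call as written.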
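Review bot: `save_settings()` has no `return` statement — `file_put_contents(...) !== false;` is evaluated and discarded, so the function always returns null despite its `@return bool` docblock. Every caller that tests `!save_settings()` therefore sees failure: `save_userdata()` in the next hunk now always returns a falsy value, and the user-add handler in the `@@ -5948` hunk (and its copy in modules/feature-user-table.php) answers 503 even after the file was written. The fix is `return file_put_contents($paths->settings_file, json_encode($settings, JSON_PRETTY_PRINT)) !== false;`. The docblock could also state that this is a plain in-place overwrite of `$paths->settings_file`, so an interrupted write can leave a truncated peppermint.json, and that `save_userdata()` inherits the same behaviour.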
@@ -5925,7 +5933,7 @@ register_module([ if(!$env->is_admin) { http_response_code(401); - exit(page_renderer::render_main("Error - Unauthorised - $settings->sitename", "

Only moderators (or better) may create users. You could try logging out and then logging in again as a moderator, or alternatively visit the user list instead, if that's what you're after.

")); + exit(page_renderer::render_main("Error: Unauthorised - Add User - $settings->sitename", "

Only moderators (or better) may create users. You could try logging out and then logging in again as a moderator, or alternatively visit the user list instead, if that's what you're after.

")); } if(!isset($_POST["user"])) { @@ -5937,7 +5945,14 @@ register_module([ $new_username = $_POST["user"]; $new_email = $_POST["email"] ?? null; - // TODO: Validate & sanitize username / email + if(preg_match('/[^0-9a-zA-Z\-_]/', $new_username) !== 0) { + http_response_code(400); + exit(page_renderer::render_main("Error: Invalid Username - Add User - $settings->sitename", "

The username " . htmlentities($new_username) . " contains some invalid characters. Only a-z, A-Z, 0-9, -, and _ are allowed in usernames. Go back.

")); + } + if(!empty($new_email) && !filter_var($new_email, FILTER_VALIDATE_EMAIL)) { + http_response_code(400); + exit(page_renderer::render_main("Error: Invalid Email Address - Add User - $settings->sitename", "

The email address " . htmlentities($new_email) . " appears to be invalid. Go back.

")); + } $new_password = generate_password($settings->new_password_length); @@ -5948,8 +5963,43 @@ register_module([ $settings->users->$new_username = $user_data; - // TODO: Save new user's data, display the password to the admin, and send email if we're able to + if(!save_settings()) { + http_response_code(503); + exit(page_renderer::render_main("Error: Failed to save settings - Add User - $settings->sitename", "
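Review bot: The username check only rejects disallowed characters, so an empty string passes (`preg_match()` returns 0 on `""`), and nothing here tests whether `$new_username` already names an account; the next hunk's context line `$settings->users->$new_username = $user_data;` would then replace that user's record, presumably password hash included, unless the lines between the two hunks (not shown) already guard it. Adding `if($new_username === "" || isset($settings->users->$new_username))` with its own 400 (or 409) error page beside the character check closes both gaps. The check also assumes `$_POST["user"]` is a string; a `user[]` form field reaches `preg_match()` as an array and produces a warning or TypeError instead of the intended error page. The enclosing closure starts and ends outside this hunk.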

$settings->sitename failed to save the new user's data to disk. Please contact $settings->admindetails_name for assistance (their email address can be found at the bottom of this page).

")); + } + + $welcome_email_result = email_user($new_username, "Welcome!", "Welcome to $settings->sitename, {username}! $env->user has created you an account. Here are your details: + +Url: " . substr(full_url(), 0, strrpos(full_url(), "?")) . " +Username: {username} +Password: $new_password + +It is advised that you change your password as soon as you login. You can do this by clicking the cog next to your name once you've logged in, and scrolling to the 'change password' heading. + +If you need any assistance, then the help page you can access at the bottom of every page on $settings->sitename has information on most aspects of $settings->sitename. + + +--$settings->sitename, powered by Pepperminty Wiki +https://github.com/sbrl/Pepperminty-Wiki/ +"); + + $content = "

Add User

+

The new user was added to $settings->sitename sucessfully! Their details are as follows:

+ \n"; + if($welcome_email_result) + $content .= "

An email has been sent to the email address given above containing their login details.

\n"; + + $content .= "

Go back to the user table.

\n"; + + http_response_code(201); + exit(page_renderer::render_main("Add User - $settings->sitename", $content)); }); if($env->is_admin) add_help_section("949-user-table", "Managing User Accounts", "

As a moderator on $settings->sitename, you can use the User Table to adminstrate the user accounts on $settings->sitename. It allows you to perform actions such as adding and removing accounts, and resetting passwords.

"); diff --git a/module_index.json b/module_index.json index 50b86d0..d4c5b7c 100755 --- a/module_index.json +++ b/module_index.json @@ -140,7 +140,7 @@ "author": "Starbeamrainbowlabs", "description": "Adds a organiser page that lets moderators (or better) control the reegistered user accounts, and perform adminstrative actions such as password resets, and adding \/ removing accounts.", "id": "feature-user-table", - "lastupdate": 1526077752, + "lastupdate": 1526142201, "optional": false }, { diff --git a/modules/feature-user-table.php b/modules/feature-user-table.php index ade12a7..eaaafd0 100644 --- a/modules/feature-user-table.php +++ b/modules/feature-user-table.php @@ -106,8 +106,43 @@ register_module([ $settings->users->$new_username = $user_data; - // TODO: Save new user's data, display the password to the admin, and send email if we're able to + if(!save_settings()) { + http_response_code(503); + exit(page_renderer::render_main("Error: Failed to save settings - Add User - $settings->sitename", "
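Review bot: The `Url:` line of the welcome email is built as `substr(full_url(), 0, strrpos(full_url(), "?"))`, which yields an empty string whenever the request URI carries no `?` (`strrpos()` returns false and `substr($s, 0, false)` behaves as length 0), and it calls `full_url()` twice. Safer is `$wiki_url = full_url(); $query_start = strrpos($wiki_url, "?"); if($query_start !== false) $wiki_url = substr($wiki_url, 0, $query_start);` and then interpolating `$wiki_url` into the message. The handler is presumably reached via `?action=user-add`, so this only surfaces when the query string is absent, but the email then tells the new user nothing about where to log in. The success page text also misspells "sucessfully". The same code appears verbatim in the modules/feature-user-table.php hunk, which has the same issues; the enclosing closure starts outside this hunk.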

$settings->sitename failed to save the new user's data to disk. Please contact $settings->admindetails_name for assistance (their email address can be found at the bottom of this page).

")); + } + + $welcome_email_result = email_user($new_username, "Welcome!", "Welcome to $settings->sitename, {username}! $env->user has created you an account. Here are your details: + +Url: " . substr(full_url(), 0, strrpos(full_url(), "?")) . " +Username: {username} +Password: $new_password + +It is advised that you change your password as soon as you login. You can do this by clicking the cog next to your name once you've logged in, and scrolling to the 'change password' heading. + +If you need any assistance, then the help page you can access at the bottom of every page on $settings->sitename has information on most aspects of $settings->sitename. + + +--$settings->sitename, powered by Pepperminty Wiki +https://github.com/sbrl/Pepperminty-Wiki/ +"); + + $content = "

Add User

+

The new user was added to $settings->sitename sucessfully! Their details are as follows:

+ \n"; + if($welcome_email_result) + $content .= "

An email has been sent to the email address given above containing their login details.

\n"; + + $content .= "

Go back to the user table.

\n"; + + http_response_code(201); + exit(page_renderer::render_main("Add User - $settings->sitename", $content)); }); if($env->is_admin) add_help_section("949-user-table", "Managing User Accounts", "

As a moderator on $settings->sitename, you can use the User Table to adminstrate the user accounts on $settings->sitename. It allows you to perform actions such as adding and removing accounts, and resetting passwords.

");