bitPickups/friendica_2020-09-1_sharedHosting
1
0
Fork 0
Code Pull requests Activity

Merge pull request #5920 from MrPetovan/bug/remove-password-from-register

Browse source 
Avoid storing plaintext password in register table
This commit is contained in:
Michael Vogel 2018-10-17 21:04:11 +02:00 committed by GitHub
commit 389685e099
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
10 changed files with 259 additions and 132 deletions
Download patch file Download diff file Expand all files Collapse all files

24
mod/admin.php
View file

@ -18,13 +18,14 @@ use Friendica\Database\DBA;
use Friendica\Database\DBStructure;
use Friendica\Model\Contact;
use Friendica\Model\Item;
use Friendica\Model\Register;
use Friendica\Model\User;
use Friendica\Module\Login;
use Friendica\Module\Tos;
use Friendica\Util\Arrays;
use Friendica\Util\DateTimeFormat;
use Friendica\Util\Temporal;
use Friendica\Util\Network;
use Friendica\Util\Temporal;
require_once 'include/enotify.php';
require_once 'include/text.php';
@ -33,11 +34,11 @@ require_once 'include/items.php';
/**
* @brief Process send data from the admin panels subpages
*
* This function acts as relais for processing the data send from the subpages
* This function acts as relay for processing the data send from the subpages
* of the admin panel. Depending on the 1st parameter of the url (argv[1])
* specialized functions are called to process the data from the subpages.
*
* The function itself does not return anything, but the subsequencely function
* The function itself does not return anything, but the subsequently function
* return the HTML for the pages of the admin panel.
*
* @param App $a
@ -895,8 +896,7 @@ function admin_page_summary(App $a)
logger('accounts: ' . print_r($accounts, true), LOGGER_DATA);
$r = q("SELECT COUNT(`id`) AS `count` FROM `register`");
$pending = $r[0]['count'];
$pending = Register::getPendingCount();
$r = q("SELECT COUNT(*) AS `total` FROM `queue` WHERE 1");
$queue = (($r) ? $r[0]['total'] : 0);
@ -912,10 +912,10 @@ function admin_page_summary(App $a)
$r = q("SHOW variables LIKE 'max_allowed_packet'");
$max_allowed_packet = (($r) ? $r[0]['Value'] : 0);
$server_settings = ['label' => L10n::t('Server Settings'),
'php' => ['upload_max_filesize' => ini_get('upload_max_filesize'),
'post_max_size' => ini_get('post_max_size'),
'memory_limit' => ini_get('memory_limit')],
$server_settings = ['label' => L10n::t('Server Settings'),
'php' => ['upload_max_filesize' => ini_get('upload_max_filesize'),
'post_max_size' => ini_get('post_max_size'),
'memory_limit' => ini_get('memory_limit')],
'mysql' => ['max_allowed_packet' => $max_allowed_packet]];
$t = get_markup_template('admin/summary.tpl');
@ -1792,11 +1792,7 @@ function admin_page_users(App $a)
}
/* get pending */
$pending = q("SELECT `register`.*, `contact`.`name`, `user`.`email`
FROM `register`
INNER JOIN `contact` ON `register`.`uid` = `contact`.`uid`
INNER JOIN `user` ON `register`.`uid` = `user`.`uid`;");
$pending = Register::getPending();
/* get users */
$total = q("SELECT COUNT(*) AS `total` FROM `user` WHERE 1");

7
mod/invite.php
View file

@ -58,14 +58,9 @@ function invite_post(App $a)
}
if ($invitation_only && ($invites_remaining || is_site_admin())) {
$code = autoname(8) . srand(1000, 9999);
$code = Friendica\Model\Register::createForInvitation();
$nmessage = str_replace('$invite_code', $code, $message);
$r = q("INSERT INTO `register` (`hash`,`created`) VALUES ('%s', '%s') ",
DBA::escape($code),
DBA::escape(DateTimeFormat::utcNow())
);
if (! is_site_admin()) {
$invites_remaining --;
if ($invites_remaining >= 0) {

6
mod/ping.php
View file

@ -202,11 +202,7 @@ function ping_init(App $a)
$mail_count = count($mails);
if (intval(Config::get('config', 'register_policy')) === REGISTER_APPROVE && is_site_admin()) {
$regs = q(
"SELECT `contact`.`name`, `contact`.`url`, `contact`.`micro`, `register`.`created`
FROM `contact` RIGHT JOIN `register` ON `register`.`uid` = `contact`.`uid`
WHERE `contact`.`self` = 1"
);
$regs = Friendica\Model\Register::getPending();
if (DBA::isResult($regs)) {
$register_count = count($regs);

52
mod/register.php
View file

@ -11,10 +11,8 @@ use Friendica\Core\L10n;
use Friendica\Core\PConfig;
use Friendica\Core\System;
use Friendica\Core\Worker;
use Friendica\Database\DBA;
use Friendica\Model\User;
use Friendica\Model;
use Friendica\Module\Tos;
use Friendica\Util\DateTimeFormat;
require_once 'include/enotify.php';
@ -67,7 +65,7 @@ function register_post(App $a)
$arr['language'] = L10n::getBrowserLanguage();
try {
$result = User::create($arr);
$result = Model\User::create($arr);
} catch (Exception $e) {
notice($e->getMessage());
return;
@ -76,7 +74,7 @@ function register_post(App $a)
$user = $result['user'];
if ($netpublish && intval(Config::get('config', 'register_policy')) !== REGISTER_APPROVE) {
$url = System::baseUrl() . '/profile/' . $user['nickname'];
$url = $a->getBaseUrl() . '/profile/' . $user['nickname'];
Worker::add(PRIORITY_LOW, "Directory", $url);
}
@ -86,18 +84,22 @@ function register_post(App $a)
if (intval(Config::get('config', 'register_policy')) === REGISTER_OPEN) {
if ($using_invites && $invite_id) {
q("delete * from register where hash = '%s' limit 1", DBA::escape($invite_id));
Model\Register::deleteByHash($invite_id);
PConfig::set($user['uid'], 'system', 'invites_remaining', $num_invites);
}
// Only send a password mail when the password wasn't manually provided
if (!x($_POST, 'password1') || !x($_POST, 'confirm')) {
$res = User::sendRegisterOpenEmail(
$user['email'], Config::get('config', 'sitename'), System::baseUrl(), $user['username'], $result['password'], $user);
$res = Model\User::sendRegisterOpenEmail(
$user,
Config::get('config', 'sitename'),
$a->getBaseUrl(),
$result['password']
);
if ($res) {
info(L10n::t('Registration successful. Please check your email for further instructions.') . EOL);
goaway(System::baseUrl());
goaway();
} else {
notice(
L10n::t('Failed to send email message. Here your accout details:<br> login: %s<br> password: %s<br><br>You can change your password after login.',
@ -108,27 +110,19 @@ function register_post(App $a)
}
} else {
info(L10n::t('Registration successful.') . EOL);
goaway(System::baseUrl());
goaway();
}
} elseif (intval(Config::get('config', 'register_policy')) === REGISTER_APPROVE) {
if (!strlen(Config::get('config', 'admin_email'))) {
notice(L10n::t('Your registration can not be processed.') . EOL);
goaway(System::baseUrl());
goaway();
}
$hash = random_string();
$r = q("INSERT INTO `register` ( `hash`, `created`, `uid`, `password`, `language`, `note` ) VALUES ( '%s', '%s', %d, '%s', '%s', '%s' ) ",
DBA::escape($hash),
DBA::escape(DateTimeFormat::utcNow()),
intval($user['uid']),
DBA::escape($result['password']),
DBA::escape(Config::get('system', 'language')),
DBA::escape($_POST['permonlybox'])
);
Model\Register::createForApproval($user['uid'], Config::get('system', 'language'), $_POST['permonlybox']);
// invite system
if ($using_invites && $invite_id) {
q("DELETE * FROM `register` WHERE `hash` = '%s' LIMIT 1", DBA::escape($invite_id));
Model\Register::deleteByHash($invite_id);
PConfig::set($user['uid'], 'system', 'invites_remaining', $num_invites);
}
@ -146,9 +140,9 @@ function register_post(App $a)
'source_name' => $user['username'],
'source_mail' => $user['email'],
'source_nick' => $user['nickname'],
'source_link' => System::baseUrl() . "/admin/users/",
'link' => System::baseUrl() . "/admin/users/",
'source_photo' => System::baseUrl() . "/photo/avatar/" . $user['uid'] . ".jpg",
'source_link' => $a->getBaseUrl() . "/admin/users/",
'link' => $a->getBaseUrl() . "/admin/users/",
'source_photo' => $a->getBaseUrl() . "/photo/avatar/" . $user['uid'] . ".jpg",
'to_email' => $admin['email'],
'uid' => $admin['uid'],
'language' => $admin['language'] ? $admin['language'] : 'en',
@ -156,11 +150,15 @@ function register_post(App $a)
]);
}
// send notification to the user, that the registration is pending
User::sendRegisterPendingEmail(
$user['email'], Config::get('config', 'sitename'), $user['username']);
Model\User::sendRegisterPendingEmail(
$user,
Config::get('config', 'sitename'),
$a->getBaseURL(),
$result['password']
);
info(L10n::t('Your registration is pending approval by the site owner.') . EOL);
goaway(System::baseUrl());
goaway();
}
return;

77
mod/regmod.php
View file

@ -9,6 +9,7 @@ use Friendica\Core\L10n;
use Friendica\Core\System;
use Friendica\Core\Worker;
use Friendica\Database\DBA;
use Friendica\Model\Register;
use Friendica\Model\User;
use Friendica\Module\Login;
@ -18,51 +19,35 @@ function user_allow($hash)
{
$a = get_app();
$register = q("SELECT * FROM `register` WHERE `hash` = '%s' LIMIT 1",
DBA::escape($hash)
);
$register = Register::getByHash($hash);
if (!DBA::isResult($register)) {
return false;
}
$user = q("SELECT * FROM `user` WHERE `uid` = %d LIMIT 1",
intval($register[0]['uid'])
);
$user = User::getById($register['uid']);
if (!DBA::isResult($user)) {
killme();
exit();
}
$r = q("DELETE FROM `register` WHERE `hash` = '%s'",
DBA::escape($register[0]['hash'])
);
Register::deleteByHash($hash);
DBA::update('user', ['blocked' => false, 'verified' => true], ['uid' => $register['uid']]);
$r = q("UPDATE `user` SET `blocked` = 0, `verified` = 1 WHERE `uid` = %d",
intval($register[0]['uid'])
);
$profile = DBA::selectFirst('profile', ['net-publish'], ['uid' => $register['uid'], 'is-default' => true]);
$r = q("SELECT * FROM `profile` WHERE `uid` = %d AND `is-default` = 1",
intval($user[0]['uid'])
);
if (DBA::isResult($r) && $r[0]['net-publish']) {
$url = System::baseUrl() . '/profile/' . $user[0]['nickname'];
if ($url && strlen(Config::get('system', 'directory'))) {
Worker::add(PRIORITY_LOW, "Directory", $url);
}
if (DBA::isResult($profile) && $profile['net-publish'] && Config::get('system', 'directory')) {
$url = System::baseUrl() . '/profile/' . $user['nickname'];
Worker::add(PRIORITY_LOW, "Directory", $url);
}
L10n::pushLang($register[0]['language']);
L10n::pushLang($register['language']);
$res = User::sendRegisterOpenEmail(
$user[0]['email'],
$user,
Config::get('config', 'sitename'),
System::baseUrl(),
$user[0]['username'],
$register[0]['password'],
$user[0]);
$a->getBaseUrl(),
defaults($register, 'password', 'Sent in a previous email')
);
L10n::popLang();
@ -77,22 +62,21 @@ function user_allow($hash)
// allowed to have friends on this system
function user_deny($hash)
{
$register = q("SELECT * FROM `register` WHERE `hash` = '%s' LIMIT 1",
DBA::escape($hash)
);
$register = Register::getByHash($hash);
if (!DBA::isResult($register)) {
return false;
}
$user = q("SELECT * FROM `user` WHERE `uid` = %d LIMIT 1",
intval($register[0]['uid'])
);
$user = User::getById($register['uid']);
if (!DBA::isResult($user)) {
exit();
}
DBA::delete('user', ['uid' => $register[0]['uid']]);
DBA::delete('register', ['hash' => $register[0]['hash']]);
DBA::delete('user', ['uid' => $register['uid']]);
notice(L10n::t('Registration revoked for %s', $user[0]['username']) . EOL);
Register::deleteByHash($register['hash']);
notice(L10n::t('Registration revoked for %s', $user['username']) . EOL);
return true;
}
@ -100,17 +84,16 @@ function regmod_content(App $a)
{
if (!local_user()) {
info(L10n::t('Please login.') . EOL);
$o = '<br /><br />' . Login::form($a->query_string, intval(Config::get('config', 'register_policy')) === REGISTER_CLOSED ? 0 : 1);
return $o;
return Login::form($a->query_string, intval(Config::get('config', 'register_policy')) === REGISTER_CLOSED ? 0 : 1);
}
if ((!is_site_admin()) || (x($_SESSION, 'submanage') && intval($_SESSION['submanage']))) {
if (!is_site_admin() || !empty($_SESSION['submanage'])) {
notice(L10n::t('Permission denied.') . EOL);
return '';
}
if ($a->argc != 3) {
killme();
exit();
}
$cmd = $a->argv[1];
@ -118,13 +101,11 @@ function regmod_content(App $a)
if ($cmd === 'deny') {
user_deny($hash);
goaway(System::baseUrl() . "/admin/users/");
killme();
goaway('admin/users/');
}
if ($cmd === 'allow') {
user_allow($hash);
goaway(System::baseUrl() . "/admin/users/");
killme();
goaway('admin/users/');
}
}