From 540adaf829b4835bf99fa47e58520cf998defb88 Mon Sep 17 00:00:00 2001 From: Hypolite Petovan Date: Sun, 14 Oct 2018 11:57:28 -0400 Subject: [PATCH] Use Model\Register methods in modules - Update registration emails to avoid storing the plaintext password in the register table - Remove redundant sprintf() when used with L10n::t() - Remove redundant Systen::baseUrl() with goaway() --- mod/admin.php | 20 ++++++++------------ mod/invite.php | 7 +------ mod/ping.php | 6 +----- mod/register.php | 17 ++++------------- mod/regmod.php | 30 ++++++++++++----------------- src/Model/User.php | 47 ++++++++++++++++++++++++++++------------------ 6 files changed, 55 insertions(+), 72 deletions(-) diff --git a/mod/admin.php b/mod/admin.php index 7574e684ec..6189c4cb77 100644 --- a/mod/admin.php +++ b/mod/admin.php @@ -18,13 +18,14 @@ use Friendica\Database\DBA; use Friendica\Database\DBStructure; use Friendica\Model\Contact; use Friendica\Model\Item; +use Friendica\Model\Register; use Friendica\Model\User; use Friendica\Module\Login; use Friendica\Module\Tos; use Friendica\Util\Arrays; use Friendica\Util\DateTimeFormat; -use Friendica\Util\Temporal; use Friendica\Util\Network; +use Friendica\Util\Temporal; require_once 'include/enotify.php'; require_once 'include/text.php'; @@ -895,8 +896,7 @@ function admin_page_summary(App $a) logger('accounts: ' . print_r($accounts, true), LOGGER_DATA); - $r = q("SELECT COUNT(`id`) AS `count` FROM `register`"); - $pending = $r[0]['count']; + $pending = Register::getPendingCount(); $r = q("SELECT COUNT(*) AS `total` FROM `queue` WHERE 1"); $queue = (($r) ? $r[0]['total'] : 0); @@ -912,10 +912,10 @@ function admin_page_summary(App $a) $r = q("SHOW variables LIKE 'max_allowed_packet'"); $max_allowed_packet = (($r) ? $r[0]['Value'] : 0); - $server_settings = ['label' => L10n::t('Server Settings'), - 'php' => ['upload_max_filesize' => ini_get('upload_max_filesize'), - 'post_max_size' => ini_get('post_max_size'), - 'memory_limit' => ini_get('memory_limit')], + $server_settings = ['label' => L10n::t('Server Settings'), + 'php' => ['upload_max_filesize' => ini_get('upload_max_filesize'), + 'post_max_size' => ini_get('post_max_size'), + 'memory_limit' => ini_get('memory_limit')], 'mysql' => ['max_allowed_packet' => $max_allowed_packet]]; $t = get_markup_template('admin/summary.tpl'); @@ -1792,11 +1792,7 @@ function admin_page_users(App $a) } /* get pending */ - $pending = q("SELECT `register`.*, `contact`.`name`, `user`.`email` - FROM `register` - INNER JOIN `contact` ON `register`.`uid` = `contact`.`uid` - INNER JOIN `user` ON `register`.`uid` = `user`.`uid`;"); - + $pending = Register::getPending(); /* get users */ $total = q("SELECT COUNT(*) AS `total` FROM `user` WHERE 1"); diff --git a/mod/invite.php b/mod/invite.php index 2a98d19ffc..7318b77ae9 100644 --- a/mod/invite.php +++ b/mod/invite.php @@ -58,14 +58,9 @@ function invite_post(App $a) } if ($invitation_only && ($invites_remaining || is_site_admin())) { - $code = autoname(8) . srand(1000, 9999); + $code = Friendica\Model\Register::createForInvitation(); $nmessage = str_replace('$invite_code', $code, $message); - $r = q("INSERT INTO `register` (`hash`,`created`) VALUES ('%s', '%s') ", - DBA::escape($code), - DBA::escape(DateTimeFormat::utcNow()) - ); - if (! is_site_admin()) { $invites_remaining --; if ($invites_remaining >= 0) { diff --git a/mod/ping.php b/mod/ping.php index ff0139f28f..5ea75727a1 100644 --- a/mod/ping.php +++ b/mod/ping.php @@ -202,11 +202,7 @@ function ping_init(App $a) $mail_count = count($mails); if (intval(Config::get('config', 'register_policy')) === REGISTER_APPROVE && is_site_admin()) { - $regs = q( - "SELECT `contact`.`name`, `contact`.`url`, `contact`.`micro`, `register`.`created` - FROM `contact` RIGHT JOIN `register` ON `register`.`uid` = `contact`.`uid` - WHERE `contact`.`self` = 1" - ); + $regs = Friendica\Model\Register::getPending(); if (DBA::isResult($regs)) { $register_count = count($regs); diff --git a/mod/register.php b/mod/register.php index 2b3522234e..79e9455cd5 100644 --- a/mod/register.php +++ b/mod/register.php @@ -11,10 +11,8 @@ use Friendica\Core\L10n; use Friendica\Core\PConfig; use Friendica\Core\System; use Friendica\Core\Worker; -use Friendica\Database\DBA; use Friendica\Model; use Friendica\Module\Tos; -use Friendica\Util\DateTimeFormat; require_once 'include/enotify.php'; @@ -86,7 +84,7 @@ function register_post(App $a) if (intval(Config::get('config', 'register_policy')) === REGISTER_OPEN) { if ($using_invites && $invite_id) { - q("delete * from register where hash = '%s' limit 1", DBA::escape($invite_id)); + Model\Register::deleteByHash($invite_id); PConfig::set($user['uid'], 'system', 'invites_remaining', $num_invites); } @@ -122,19 +120,11 @@ function register_post(App $a) goaway(); } - $hash = random_string(); - $r = q("INSERT INTO `register` ( `hash`, `created`, `uid`, `password`, `language`, `note` ) VALUES ( '%s', '%s', %d, '%s', '%s', '%s' ) ", - DBA::escape($hash), - DBA::escape(DateTimeFormat::utcNow()), - intval($user['uid']), - DBA::escape($result['password']), - DBA::escape(Config::get('system', 'language')), - DBA::escape($_POST['permonlybox']) - ); + Model\Register::createForApproval($user['uid'], Config::get('system', 'language'), $_POST['permonlybox']); // invite system if ($using_invites && $invite_id) { - q("DELETE * FROM `register` WHERE `hash` = '%s' LIMIT 1", DBA::escape($invite_id)); + Model\Register::deleteByHash($invite_id); PConfig::set($user['uid'], 'system', 'invites_remaining', $num_invites); } @@ -163,6 +153,7 @@ function register_post(App $a) } // send notification to the user, that the registration is pending Model\User::sendRegisterPendingEmail( + $user['uid'], $user['email'], Config::get('config', 'sitename'), $user['username'], diff --git a/mod/regmod.php b/mod/regmod.php index 11d8eee412..433a8f5e4e 100644 --- a/mod/regmod.php +++ b/mod/regmod.php @@ -9,6 +9,7 @@ use Friendica\Core\L10n; use Friendica\Core\System; use Friendica\Core\Worker; use Friendica\Database\DBA; +use Friendica\Model\Register; use Friendica\Model\User; use Friendica\Module\Login; @@ -18,30 +19,24 @@ function user_allow($hash) { $a = get_app(); - $register = q("SELECT * FROM `register` WHERE `hash` = '%s' LIMIT 1", - DBA::escape($hash) - ); - + $register = Register::getByHash($hash); if (!DBA::isResult($register)) { return false; } $user = q("SELECT * FROM `user` WHERE `uid` = %d LIMIT 1", - intval($register[0]['uid']) + intval($register['uid']) ); if (!DBA::isResult($user)) { killme(); } - $r = q("DELETE FROM `register` WHERE `hash` = '%s'", - DBA::escape($register[0]['hash']) - ); - + Register::deleteByHash($hash); $r = q("UPDATE `user` SET `blocked` = 0, `verified` = 1 WHERE `uid` = %d", - intval($register[0]['uid']) + intval($register['uid']) ); $r = q("SELECT * FROM `profile` WHERE `uid` = %d AND `is-default` = 1", @@ -54,14 +49,14 @@ function user_allow($hash) } } - L10n::pushLang($register[0]['language']); + L10n::pushLang($register['language']); $res = User::sendRegisterOpenEmail( $user[0]['email'], Config::get('config', 'sitename'), System::baseUrl(), $user[0]['username'], - $register[0]['password'], + 'Sent in a previous email', $user[0]); L10n::popLang(); @@ -77,20 +72,19 @@ function user_allow($hash) // allowed to have friends on this system function user_deny($hash) { - $register = q("SELECT * FROM `register` WHERE `hash` = '%s' LIMIT 1", - DBA::escape($hash) - ); + $register = Register::getByHash($hash); if (!DBA::isResult($register)) { return false; } $user = q("SELECT * FROM `user` WHERE `uid` = %d LIMIT 1", - intval($register[0]['uid']) + intval($register['uid']) ); - DBA::delete('user', ['uid' => $register[0]['uid']]); - DBA::delete('register', ['hash' => $register[0]['hash']]); + DBA::delete('user', ['uid' => $register['uid']]); + + Register::deleteByHash($register['hash']); notice(L10n::t('Registration revoked for %s', $user[0]['username']) . EOL); return true; diff --git a/src/Model/User.php b/src/Model/User.php index ddd6ce1ed6..2888410c7f 100644 --- a/src/Model/User.php +++ b/src/Model/User.php @@ -412,7 +412,7 @@ class User throw new Exception(L10n::t('An invitation is required.')); } - if (!DBA::exists('register', ['hash' => $invite_id])) { + if (!Register::existsByHash($invite_id)) { throw new Exception(L10n::t('Invitation could not be verified.')); } } @@ -660,22 +660,31 @@ class User * @param string $email * @param string $sitename * @param string $username + * @param string $password Plaintext password * @return NULL|boolean from notification() and email() inherited */ - public static function sendRegisterPendingEmail($email, $sitename, $username) + public static function sendRegisterPendingEmail($uid, $email, $sitename, $username, $siteurl, $nickname, $password) { $body = deindent(L10n::t(' Dear %1$s, Thank you for registering at %2$s. Your account is pending for approval by the administrator. - ')); - $body = sprintf($body, $username, $sitename); + Your login details are as follows: + + Site Location: %3$s + Login Name: %4$s + Password: %5$s + ', + $body, $username, $sitename, $siteurl, $nickname, $password + )); return notification([ - 'type' => SYSTEM_EMAIL, + 'type' => SYSTEM_EMAIL, + 'uid' => $uid, 'to_email' => $email, - 'subject'=> L10n::t('Registration at %s', $sitename), - 'body' => $body]); + 'subject' => L10n::t('Registration at %s', $sitename), + 'body' => $body + ]); } /** @@ -695,7 +704,9 @@ class User $preamble = deindent(L10n::t(' Dear %1$s, Thank you for registering at %2$s. Your account has been created. - ')); + ', + $preamble, $username, $sitename + )); $body = deindent(L10n::t(' The login details are as follows: @@ -722,19 +733,19 @@ class User If you ever want to delete your account, you can do so at %3$s/removeme - Thank you and welcome to %2$s.')); - - $preamble = sprintf($preamble, $username, $sitename); - $body = sprintf($body, $email, $sitename, $siteurl, $username, $password); + Thank you and welcome to %2$s.', + $body, $email, $sitename, $siteurl, $username, $password + )); return notification([ - 'uid' => $user['uid'], + 'uid' => $user['uid'], 'language' => $user['language'], - 'type' => SYSTEM_EMAIL, + 'type' => SYSTEM_EMAIL, 'to_email' => $email, - 'subject'=> L10n::t('Registration details for %s', $sitename), - 'preamble'=> $preamble, - 'body' => $body]); + 'subject' => L10n::t('Registration details for %s', $sitename), + 'preamble' => $preamble, + 'body' => $body + ]); } /** @@ -771,7 +782,7 @@ class User if ($uid == local_user()) { unset($_SESSION['authenticated']); unset($_SESSION['uid']); - goaway(System::baseUrl()); + goaway();; } } }