-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathUser.class.php
282 lines (230 loc) · 10.8 KB
/
User.class.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
<?php
// The User class benefits from the general Model class for it's basic interactions
// with the database. There is a lot of handling in the User class for the special
// cases of dealing with registration, login, password renewal and account activation.
class User extends Model {
public $name;
public $email;
protected $password;
protected $salt;
protected $activationkey;
// Create a user by given user form POST request
public function __construct($userRequest=null) {
if($userRequest != null) {
$this->setEmail($userRequest['email'], $userRequest['emailconfirm']);
$this->name = $userRequest['name'];
$this->password = $this->setPassword($userRequest['password']);
$this->setActivationkey();
$this->save();
$this->sendMail();
}
}
// Save the User instance to the database, after verification
public function save() {
$this->verifyBeforeSave();
return Model::save($this);
}
// Return a User instance with given id
public function find($id) {
return Model::find("User", $id);
}
// Activate user account by activationkey
public function activate($activationkey){
global $database;
$query = "SELECT id FROM User WHERE activationkey = ?";
$stmt = $database->prepare($query);
$result = $stmt->execute(array($activationkey));
$error = $stmt->errorInfo();
if($stmt->errorCode() != '00000') {
throw new Exception($error[2]);
}
if($result) {
$query = "UPDATE User SET activated='1', activationkey='' WHERE activationkey=?;";
$stmt = $database->prepare($query);
$result = $stmt->execute(array($activationkey));
$error = $stmt->errorInfo();
if($stmt->errorCode() != '00000') {
throw new Exception($error[2]);
} else {
return true;
}
} else throw new Exception("Kunne ikke aktivere konto. Sjekk at nøkkelen er korrekt");
} // end activate
// Grabs the salt from the DB by looking up it up in the DB by using the mailaddress
public function findSalt($mail=null){
global $database;
if(empty($mail)) {
$salt = Tools::genSalt();
} else {
$query = "SELECT salt FROM User where activated='1' AND email=?";
$stmt = $database->prepare($query);
$stmt->execute(array($mail));
$result = $stmt->fetch();
if($stmt->errorCode() != '00000') {
$error = $stmt->errorInfo();
throw new Exception($error[2]);
} else {
$salt = $result['salt'];
}
}
return $salt;
}
// Checks if the two mail addresses are the same, if they are, it's stored in email variable'
private function setEmail($imail, $imailconfirm){
if($imail != $imailconfirm) throw new Exception("Mailadressen er ikke lik");
$this->email = $imail;
}
// Takes the users given password, creates a salt "pepper" by SHA1 the password, then MD5 that hash again.
// Calls to function in Tools, which returns a random generated salt.
// Password is hashed using SHA1 and adding the random generated salt before the password, and the "pepper" salt after the password
protected function setPassword($ipassword){
if (!preg_match('/(?=^.{8,}$)((?=.*\d)|(?=.*\W+))(?![.\n])(?=.*[A-Z])(?=.*[a-z]).*/', $ipassword)) {
throw new Exception("Passordet må være 8 tegn, kun 'A-Za-z0-9' og minst et siffer, en liten og en stor bokstav.");}
$this->salt = User::findSalt();
$pepper = md5(sha1($ipassword));
return sha1($this->salt.$ipassword.$pepper);
}
// Calls to function in Tools, which returns an activation key
private function setActivationkey(){
$this->activationkey = Tools::genActivationKey();
}
// Constructs a mail with a link with activation key as paramether to activate the user account.
// Then sends the mail to the users mail address.
private function sendMail(){
if(Tools::mailSupport()) {
$to = $this->email;
$url = Tools::rootURL()."activate/$this->activationkey";
$subject = " RAS-blogg registrering";
$message = "<h1>Velkommen til RAS-blogg!</h1>";
$message.= "<p>Du eller noen andre har benyttet denne mailadressen for å registrere bruker på RAS-bloggen.";
$message.= "Du kan fullføre registreringen ved å trykke på følgende link:<a href=\"<? echo $url?>\">$url</a></p>";
$message.= "<p>Hvis dette er feil, se bort ifra denne mailen, og se frem til videre oppdateringer fra våre samarbeidspartnere.</p>";
$message.= "<h2>Vennlig Hilsen RAS</h2>";
$headers = 'From: noreply@'. $_SERVER['SERVER_NAME'] . "\r\n" .
'Reply-To: noreply@'. $_SERVER['SERVER_NAME'] . "\r\n" .
'Content-type: text/html; charset=iso-8859-1\n'.
'X-Mailer: PHP/' . phpversion() . ' RAS Software version 1';
mail($to, $subject, $message, $headers);
}
}
// Verify all attributes
private function verifyBeforeSave() {
// Verify not empty variables
Model::verifyNotEmpty($this, array('id', 'activated','activationkey'));
if (!preg_match('/(?=^.{2,}$)([A-Za-z0-9_-]+)/', $this->name)) throw new Exception("Navnet må være 2 tegn, samt tillatte tegn: 'A-Za-z0-9_-'");
}
// Does the login authentication check
public function loginCheck(){
if (func_num_args() != 0) return false; // Check that the function is called with correct number of arguments
if(empty($_POST['username'])) throw new Exception( "Du må oppgi en epost!");
if(empty($_POST['password'])) throw new Exception( "Du må oppgi et passord!");
$user = User::CheckLoginInDB($_POST['username'], $_POST['password']);
// var_dump($user);
if(get_class($user) != "User") throw new Exception( "Passordet eller eposten stemmer ikke!");
if(!$user->activated) throw new Exception("Du må aktivere din konto fra lenken som ble sendt i epost.");
return $user;
}
// Check the login credential for match in DB, and returns the matching object
protected function CheckLoginInDB($email, $password){
if (func_num_args() != 2) return false; // Check that the function is called with correct number of arguments
global $database;
$salt = User::findSalt($email);
$pepper = md5(sha1($password));
$password = sha1($salt.$password.$pepper);
$query = "SELECT * FROM User WHERE email=:email AND password=:password";
$stmt = $database->prepare($query);
$stmt->bindParam(':email', $email);
$stmt->bindParam(':password', $password);
$stmt->setFetchMode( PDO::FETCH_CLASS, 'User');
$stmt->execute();
$user = $stmt->fetch( PDO::FETCH_CLASS );
if($stmt->errorCode() != '00000') {
$error = $stmt->errorInfo();
throw new Exception($error[2]);
} else {
return $user;
}
}
// Changes the logged in users password
// Takes in $POST with old and new password (entered by user)
// Checks for match in DB for old password with the logged in users mail (set by SESSION)
public function changeInfo($POST){
if (func_num_args() != 1) return false; // Check that the function is called with correct number of arguments
if($_SESSION['auth'] != 'true' || func_num_args() != 1) return false; // Check that the function is called with correct number of arguments while user are logged in
global $database;
$oldpassword = $POST['oldpassword'];
$newpassword = $POST['newpassword'];
$user = User::CheckLoginInDB($_SESSION['mail'], $oldpassword); // Grabs the current users object, and checks user credential
//$query = "UPDATE User SET password = $newpassword WHERE email LIKE $_SESSION['mail'] AND password = $oldpassword";
$salt = User::findSalt($_SESSION['mail']);
$pepper = md5(sha1($oldpassword));
$oldpassword = sha1($salt.$oldpassword.$pepper); // Hashes old password
// Creates the new password and get a new salt
if (!preg_match('/(?=^.{8,}$)((?=.*\d)|(?=.*\W+))(?![.\n])(?=.*[A-Z])(?=.*[a-z]).*/', $newpassword)) {
throw new Exception("Passordet må være 8 tegn, kun 'A-Za-z0-9' og minst et siffer, en liten og en stor bokstav.");
}
$pepper = md5(sha1($newpassword));
$salt = User::findSalt();
$newpassword = sha1($salt.$newpassword.$pepper);
$query = "UPDATE User SET password = ?, salt = ? WHERE email LIKE ? AND password = ?;";
$stmt = $database->prepare($query);
$success = $stmt->execute(array($newpassword, $salt, $_SESSION['mail'], $oldpassword));
return $success; // returns true or false
}
// Generates a new password for the user with the given mail, and sends a mail to the user with the new password
public function newPassword($mail){
if(func_num_args() != 1) return false; // Check that the function is called with correct number of arguments
if(User::checkMail($mail)){
global $database;
$newpasswordclear = Tools::randString(9, true);
$pepper = md5(sha1($newpasswordclear));
$salt = User::findSalt();
$newpassword = sha1($salt.$newpasswordclear.$pepper);
$query = "UPDATE User SET password = ?, salt = ? WHERE email LIKE ?;";
$stmt = $database->prepare($query);
$success = $stmt->execute(array($newpassword, $salt, $mail));
if($success==true)
User::sendNewPasswordMail($mail, $newpasswordclear);
return $success; // returns true or false
} else {
return false;
}
}
// Sends mail with the users new password
protected function sendNewPasswordMail($mail, $password){
if(Tools::mailSupport()){
$subject = " RAS-blogg nytt passord";
$message = "Nytt passord
<br/>
Du eller noen andre har benyttet denne mailadressen for å be om nytt passord til denne brukeren på RAS-bloggen.
<br/>
Ditt nye passord er: $password
<br/></br>
Vennlig Hilsen,
<br/>
RAS-blogg Team";
$headers = 'From: noreply@ RASblog.com' . "\r\n" .
'Reply-To: noreply@RASblog.com' . "\r\n" .
'Content-type: text/html; charset=iso-8859-1\n'.
'X-Mailer: PHP/' . phpversion();
mail($mail, $subject, $message, $headers);
}
}
// Checks DB if mail user is registered
private function checkMail($mail){
global $database;
$query = "SELECT * FROM User WHERE email =:mail;";
$stmt = $database->prepare($query);
$stmt->bindParam(':mail', $mail);
$stmt->setFetchMode( PDO::FETCH_CLASS, 'User');
$stmt->execute();
$user = $stmt->fetch( PDO::FETCH_CLASS );
if($stmt->errorCode() != '00000' || $user!=true) {
$error = $stmt->errorInfo('Feil mailadresse');
throw new Exception($error[2]);
} else {
return $user;
}
} // end checkMail
}
?>