Fix password reset issues

2013-04-18 18:17:33 +10:00 · 2013-04-18 18:17:33 +10:00 · 13982be9f6
commit 13982be9f6
parent 6cb3e55ca9
14 changed files with 99 additions and 69 deletions
--- a/application/classes/Auth/OSB.php
+++ b/application/classes/Auth/OSB.php
@ -21,16 +21,20 @@ class Auth_OSB extends Auth_ORM {
 	 * @return  boolean
 	 */
 	public function logged_in($role=NULL,$debug=NULL) {
 		static $status = NULL;
 		if (! is_null($status))
 			return $status;
 		$status = FALSE;
 		// Get the user from the session
-		$user = $this->get_user(FALSE);
+		$uo = $this->get_user();
 		// If we are not a valid user object, then we are not logged in
-		if (is_object($user) AND $user instanceof Model_Account AND $user->loaded()) {
+		if (is_object($uo) AND ($uo instanceof Model_Account) AND $uo->loaded()) {
-
+			if (Config::sitemode() == Kohana::DEVELOPMENT)
-			if (Config::sitemode() == Kohana::DEVELOPMENT && Kohana::$config->load('debug')->site)
+				SystemMessage::add(array('title'=>'Debug','type'=>'debug','body'=>Debug::vars(array('user'=>$uo->username,'r'=>$role))));
 				SystemMessage::add(array('title'=>'Debug','type'=>'debug','body'=>Kohana::debug(array('user'=>$user->username,'r'=>$role))));
 			if (! empty($role)) {
 				// Get the module details
@ -67,7 +71,7 @@ class Auth_OSB extends Auth_ORM {
 							$roles .= ($roles ? '|' : '').$gm->group->name;
 							// $gm->group->id == 0 means all users.
-							if ($gm->group->id == 0 OR $user->has_any('group',$gm->group->list_childgrps(TRUE))) {
+							if ($gm->group->id == 0 OR $uo->has_any('group',$gm->group->list_childgrps(TRUE))) {
 								$status = TRUE;
 								$roles = '';
@ -80,7 +84,7 @@ class Auth_OSB extends Auth_ORM {
 								SystemMessage::add(array(
 									'title'=>'User is not authorised in Database',
 									'type'=>'debug',
-									'body'=>sprintf('Role(s) checked: %s<br/>User: %s</br>Module: %s<br/>Method: %s',$roles,$user->username,$mo->name,$mmo->name),
+									'body'=>sprintf('Role(s) checked: %s<br/>User: %s</br>Module: %s<br/>Method: %s',$roles,$uo->username,$mo->name,$mmo->name),
 								));
 						}
 					}
@ -90,8 +94,8 @@ class Auth_OSB extends Auth_ORM {
 					SystemMessage::add(array(
 						'title'=>'Debug',
 						'type'=>'debug',
-						'body'=>sprintf('A-User: <b>%s</b>, Module: <b>%s</b>, Method: <b>%s</b>, Role: <b>%s</b>, Status: <b>%s</b>, Data: <b>%s</b>',
+						'body'=>sprintf('User: <b>%s</b>, Module: <b>%s</b>, Method: <b>%s</b>, Role: <b>%s</b>, Status: <b>%s</b>, Data: <b>%s</b>',
-							$user->username,Request::current()->controller(),Request::current()->action(),$role,$status,$debug)));
+							$uo->username,Request::current()->controller(),Request::current()->action(),$role,$status,$debug)));
 			// There is no role, so the method should be allowed to run as anonymous
 			} else {
@ -99,15 +103,15 @@ class Auth_OSB extends Auth_ORM {
 					SystemMessage::add(array(
 						'title'=>'Debug',
 						'type'=>'debug',
-						'body'=>sprintf('B-User: <b>%s</b>, Module: <b>%s</b>, Method: <b>%s</b>, Status: <b>%s</b>, Data: <b>%s</b>',
+						'body'=>sprintf('User: <b>%s</b>, Module: <b>%s</b>, Method: <b>%s</b>, Status: <b>%s</b>, Data: <b>%s</b>',
-							$user->username,Request::current()->controller(),Request::current()->action(),'No Role Default Access',$debug)));
+							$uo->username,Request::current()->controller(),Request::current()->action(),'No Role Default Access',$debug)));
 				$status = TRUE;
 			}
 		// Check and see if we have a token to login and run the method
 		} elseif ((! empty($_REQUEST['token']) AND $token = $_REQUEST['token']) OR $token=Session::instance()->get('token')) {
-			if ($user=$this->_get_token_user($token) AND $user !== FALSE)
+			if (! is_null($this->_get_token_user($token)))
 				$status = TRUE;
 		} else {
@ -120,19 +124,19 @@ class Auth_OSB extends Auth_ORM {
 	/**
 	 * Gets the currently logged in user from the session.
-	 * Returns FALSE if no user is currently logged in.
+	 * Returns NULL if no user is currently logged in.
 	 *
 	 * @param boolean Check token users too
 	 * @return  mixed
 	 */
-	public function get_user($tokenuser=TRUE) {
+	public function get_user($default=NULL,$tokenuser=TRUE) {
-		$user = parent::get_user();
+		$uo = parent::get_user($default);
 		// If we are not logged in, see if there is token for the user
-		if ($tokenuser AND $user === NULL AND $token=Session::instance()->get('token'))
+		if (is_null($uo) AND $tokenuser AND $token=Session::instance()->get('token'))
-			$user = $this->_get_token_user($token);
+			$uo = $this->_get_token_user($token);
-		return $user;
+		return $uo;
 	}
 	/**
@ -141,17 +145,16 @@ class Auth_OSB extends Auth_ORM {
 	 * This will check that the token is valid (not expired and for the request)
 	 *
 	 * @param $token The token
-	 * @return mixed The user
+	 * @return Model_Account|NULL The user that the token is valid for.
 	 */
 	private function _get_token_user($token) {
 		// This has been implemented, as we sometimes we seem to come here twice
-		static $user = NULL;
+		static $uo = NULL;
-		if (! is_null($user))
+		if (! is_null($uo))
-			return $user;
+			return $uo;
 		$mmto = ORM::factory('Module_Method_Token',array('token'=>$token));
 		$user = FALSE;
 		// Ignore the token if it doesnt exist.
 		if ($mmto->loaded()) {
@ -195,13 +198,13 @@ class Auth_OSB extends Auth_ORM {
 					Session::instance()->set('token',$token);
-					$user = ORM::factory('Account',$mmto->account_id);
+					$uo = ORM::factory('Account',$mmto->account_id);
-					$user->log(sprintf('Token %s used for method %s [%s]',$mmto->token,$mmto->module_method->name(),Request::current()->param('id')));
+					$uo->log(sprintf('Token %s used for method %s [%s]',$mmto->token,$mmto->module_method->name(),Request::current()->param('id')));
 				}
 			}
 		}
-		return $user;
+		return $uo;
 	}
 	/**
@ -212,28 +215,28 @@ class Auth_OSB extends Auth_ORM {
 	 * @param   boolean  enable autologin
 	 * @return  boolean
 	 */
-	protected function _login($user, $password, $remember)
+	protected function _login($user,$password,$remember) {
-	{
+		if (! is_object($user)) {
 		if ( ! is_object($user))
 		{
 			$username = $user;
 			// Load the user
 			$user = ORM::factory('Account');
 			$user->where('username','=',$username)->find();
 			// If no user loaded, return
 			if (! $user->loaded())
 				return FALSE;
 		}
 		if (is_string($password))
 		{
 		// Create a hashed password
 		if (is_string($password))
 			$password = $this->hash($password);
 		}
 		// If the passwords match, perform a login
-		if ($user->status AND $user->has_any('group',ORM::factory('Group',array('name'=>'Registered Users'))->list_childgrps(TRUE)) AND $user->password === $password)
+		if ($user->status AND $user->has_any('group',ORM::factory('Group',array('name'=>'Registered Users'))->list_childgrps(TRUE)) AND $user->password === $password) {
-		{
+
-			if ($remember === TRUE)
+			// @todo This is not currently used.
-			{
+			if ($remember === TRUE) {
 				// Create a new autologin token
 				$token = ORM::factory('User_Token');
@ -272,7 +275,6 @@ class Auth_OSB extends Auth_ORM {
 	 * Determine if a user is authorised to view an account
 	 *
 	 * @param Model_Account Account Ojbect to validate if the current user has access
 	 *
 	 * @return boolean TRUE if authorised, FALSE if not.
 	 */
 	public function authorised(Model_Account $ao) {
--- a/application/classes/Config.php
+++ b/application/classes/Config.php
@ -163,7 +163,11 @@ class Config extends Kohana_Config {
 	}
 	public static function theme() {
-		return Kohana::$config->load('config')->theme;
+		// If we are using user admin pages (and login), we'll choose the admin theme.
 		if (! empty(URL::$method_directory[strtolower(Request::current()->directory())]) OR in_array(strtolower(Request::current()->controller()),array('login')))
 			return 'theme/'.Kohana::$config->load('config')->theme_admin;
 		else
 			return 'theme/'.Kohana::$config->load('config')->theme;
 	}
 	public static function time($date) {
--- a/application/classes/Controller/Login.php
+++ b/application/classes/Controller/Login.php
@ -18,10 +18,8 @@ class Controller_Login extends lnApp_Controller_Login {
 	 */
 	public function action_register() {
 		// If user already signed-in
-		if (Auth::instance()->logged_in()!= 0) {
+		if (Auth::instance()->logged_in())
 			// Redirect to the user account
 			HTTP::redirect('welcome/index');
 		}
 		HTTP::redirect('login');
 	}
@ -34,10 +32,8 @@ class Controller_Login extends lnApp_Controller_Login {
 		$token_expire = 15;
 		// If user already signed-in
-		if (Auth::instance()->logged_in()!= 0) {
+		if (Auth::instance()->logged_in())
 			// Redirect to the user account
 			HTTP::redirect('welcome/index');
 		}
 		// If the user posted their details to reset their password
 		if ($_POST) {
@ -71,7 +67,7 @@ class Controller_Login extends lnApp_Controller_Login {
 			// Redirect to our password reset, the Auth will validate the token.
 			} elseif (! empty($_REQUEST['token'])) {
-				HTTP::redirect(URL::link('user','account/resetpassword?token=%s'.$_REQUEST['token']));
+				HTTP::redirect(URL::link('user','account/resetpassword?token='.$_REQUEST['token']));
 			}
 			// Show our token screen even if the email was invalid.
--- a/application/classes/Controller/TemplateDefault.php
+++ b/application/classes/Controller/TemplateDefault.php
@ -57,7 +57,7 @@ class Controller_TemplateDefault extends lnApp_Controller_TemplateDefault {
 			$this->ao = Auth::instance()->get_user();
 			if (! is_null($this->ao) AND (is_string($this->ao) OR ! $this->ao->loaded()))
-				throw new Kohana_Exception('Account doesnt exist :account ?',array(':account'=>(is_string($this->ao) OR is_null($this->ao)) ? $this->ao : Auth::instance()->get_user()->id));
+				throw HTTP_Exception::factory(501,'Account doesnt exist :account ?',array(':account'=>(is_string($this->ao) OR is_null($this->ao)) ? $this->ao : Auth::instance()->get_user()->id));
 		}
 		parent::before();
--- a/application/classes/HTTP/Exception/404.php
+++ b/application/classes/HTTP/Exception/404.php
@ -4,7 +4,7 @@
 * This class overrides Kohana's 404 Exception
 *
 * @package    OSB
- * @category   Helpers
+ * @category   Exceptions
 * @author     Deon George
 * @copyright  (c) 2009-2013 Open Source Billing
 * @license    http://dev.osbill.net/license.html
--- a/application/classes/HTTP/Exception/501.php
+++ b/application/classes/HTTP/Exception/501.php
@ -0,0 +1,34 @@
 <?php defined('SYSPATH') or die('No direct access allowed.');
 /**
 * This class provides a custom 501 Exception to catch OSB specific errors.
 *
 * @package    OSB
 * @category   Exceptions
 * @author     Deon George
 * @copyright  (c) 2009-2013 Open Source Billing
 * @license    http://dev.osbill.net/license.html
 */
 class HTTP_Exception_501 extends Kohana_HTTP_Exception {
 	protected $_code = 501;
 	public function __construct($message='',array $variables=NULL,$code=0) {
 		parent::__construct($message,$variables,$code);
 		$response = Response::factory();
 		$response->status($this->_code);
 		// @todo This is not working as cleanly as I would like - ie: we shouldnt need to publish the headers ourselves?
 		header(':', true, 501);
 		if (Kohana::$config->load('debug')->show_errors)
 			$response->body(View::factory('errors/501')->set('message',$this->getMessage())->render());
 		else
 			$response->body('Dang, something went wrong, tell us how we got here...');
 		echo $response->render();
 		exit (501);
 	}
 }
 ?>
--- a/application/config/auth.php
+++ b/application/config/auth.php
@ -14,9 +14,5 @@
 return array(
 	'driver'       => 'OSB',
 	'hash_method'  => 'md5',
 	'hash_key'     => '',
 	'lifetime'     => 1209600,
 	'session_key'  => 'auth_user',
 	'forced_key'   => 'auth_forced',
 );
 ?>
--- a/application/config/config.php
+++ b/application/config/config.php
@ -25,6 +25,7 @@ return array(
 	'bsb'             => '633-000',                  // @todo This should come from the DB
 	'accnum'          => '120 440 821',              // @todo This should come from the DB
 	'theme'           => 'yaml', // @todo This should be in the DB
 	'theme_admin'     => 'yaml', // @todo This should be in the DB
 	'tmpdir'          => '/tmp',
 );
 ?>
--- a/application/views/errors/501.php
+++ b/application/views/errors/501.php
@ -0,0 +1,4 @@
 Bother, something went wrong - 501.
 <?php echo $message; ?>
 <hr/>
 <?php echo Debug::vars(array('cookie'=>$_COOKIE,'request'=>$_REQUEST,'session'=>$_SESSION,'server'=>$_SERVER)); ?>
--- a/application/views/theme/yaml/page.php
+++ b/application/views/theme/yaml/page.php
@ -105,7 +105,7 @@
 					<script type="text/javascript">$("#footer").click(function() {$('#kohana-profiler').toggle();});</script>
 					<?php }?>
 					<?php if (Kohana::$environment >= Kohana::STAGING) { ?>
-					<div id="kohana-session" style="display: none; text-align: left;"><?php echo debug::vars(Session::instance()); ?></div>
+					<div id="kohana-session" style="display: none; text-align: left;"><?php echo Debug::vars(Session::instance()); ?></div>
 					<script type="text/javascript">$("#footer").click(function() {$('#kohana-session').toggle();});</script>
 					<?php }?>
 				</div>
--- a/modules/lnApp/classes/lnApp/Controller/Login.php
+++ b/modules/lnApp/classes/lnApp/Controller/Login.php
@ -15,17 +15,11 @@ class lnApp_Controller_Login extends Controller_TemplateDefault {
 	public function action_index() {
 		// If user already signed-in
-		if (Auth::instance()->logged_in() != 0) {
+		if (Auth::instance()->logged_in())
 			// Redirect to the user account
 			HTTP::redirect(URL::link('user','welcome/index'));
 		}
 		// If there is a post and $_POST is not empty
 		if ($_POST) {
 			// Store our details in a session key
 			Session::instance()->set(Kohana::$config->load('auth')->session_key,$_POST['username']);
 			Session::instance()->set('password',$_POST['password']);
 			// If the post data validates using the rules setup in the user model
 			if (Auth::instance()->login($_POST['username'],$_POST['password'])) {
 				// Redirect to the user account
@ -37,10 +31,6 @@ class lnApp_Controller_Login extends Controller_TemplateDefault {
 					HTTP::redirect(URL::link('user','welcome/index'));
 			} else {
 				// We are not successful logging in, so delete our session data
 				Session::instance()->delete(Kohana::$config->load('auth')->session_key);
 				Session::instance()->delete('password');
 				SystemMessage::add(array(
 					'title'=>_('Invalid username or password'),
 					'type'=>'error',
--- a/modules/lnApp/classes/lnApp/Controller/Logout.php
+++ b/modules/lnApp/classes/lnApp/Controller/Logout.php
@ -15,9 +15,12 @@ class lnApp_Controller_Logout extends Controller {
 		# If user already signed-in
 		if (Auth::instance()->logged_in()!= 0) {
 			$ao = Auth::instance()->get_user();
-			Auth::instance()->logout();
+
 			if (method_exists($ao,'log'))
 				$ao->log('Logged Out');
 			Auth::instance()->logout(TRUE);
 			HTTP::redirect('login');
 		}
--- a/modules/lnApp/classes/lnApp/Controller/TemplateDefault.php
+++ b/modules/lnApp/classes/lnApp/Controller/TemplateDefault.php
@ -56,7 +56,7 @@ abstract class lnApp_Controller_TemplateDefault extends Controller_Template {
 		return (($this->auth_required !== FALSE && Auth::instance()->logged_in(NULL,get_class($this).'|'.__METHOD__) === FALSE) ||
 			(is_array($this->secure_actions) && array_key_exists($this->request->action(),$this->secure_actions) &&
-			Auth::instance()->logged_in($this->secure_actions[$this->request->action()],get_class($this).'|'.__METHOD__) === FALSE));
+			is_null(Auth::instance()->logged_in($this->secure_actions[$this->request->action()],get_class($this).'|'.__METHOD__))));
 	}
 	/**