From fa0889268ab3bbd2c5df9ceb6c92ca5b69778eea Mon Sep 17 00:00:00 2001 From: xevidos Date: Wed, 16 Oct 2019 10:20:09 -0400 Subject: [PATCH] Continued implementation of new table structures, New SQL procedures, and New function principles, Updated saving methods to support PHP 7.4 and deprecation of magic_quotes --- common.php | 31 +- components/active/class.active.php | 30 +- components/filemanager/class.filemanager.php | 3 +- components/filemanager/controller.php | 32 +- components/filemanager/init.js | 14 +- components/install/install.php | 53 +-- components/install/view.php | 8 +- components/permissions/class.permissions.php | 8 +- components/project/class.project.php | 16 +- components/project/dialog.php | 2 +- components/settings/class.settings.php | 20 +- components/settings/init.js | 2 +- components/sql/class.sql.conversions.php | 458 ------------------- components/sql/class.sql.php | 390 ++++++---------- components/sql/scripts/mysql.sql | 22 +- components/user/class.user.php | 139 ++---- components/user/controller.php | 80 +++- components/user/dialog.php | 4 +- components/user/init.js | 7 +- 19 files changed, 372 insertions(+), 947 deletions(-) delete mode 100644 components/sql/class.sql.conversions.php diff --git a/common.php b/common.php index bed198f..0df0af7 100755 --- a/common.php +++ b/common.php @@ -167,8 +167,8 @@ class Common { public static function is_admin() { global $sql; - $query = "SELECT COUNT( * ) FROM users WHERE username=? AND access=?;"; - $bind_variables = array( $_SESSION["user"], "admin" ); + $query = "SELECT COUNT( * ) FROM users WHERE id=? AND access=?;"; + $bind_variables = array( $_SESSION["user_id"], Permissions::SYSTEM_LEVELS["admin"] ); $return = $sql->query( $query, $bind_variables, -1, 'fetchColumn' ); $admin = ( $return > 0 ); return $admin; @@ -316,32 +316,7 @@ class Common { public static function startSession() { - Common::construct(); - - //Set a Session Name - session_name( md5( BASE_PATH ) ); - session_save_path( SESSIONS_PATH ); - session_start(); - - if( ! defined( 'SESSION_ID' ) ) { - - define( "SESSION_ID", session_id() ); - } - - //Check for external authentification - if( defined( 'AUTH_PATH' ) ) { - - require_once( AUTH_PATH ); - } - - global $lang; - if ( isset( $_SESSION['lang'] ) ) { - - include BASE_PATH . "/languages/{$_SESSION['lang']}.php"; - } else { - - include BASE_PATH . "/languages/" . LANGUAGE . ".php"; - } + Common::start_session(); } ////////////////////////////////////////////////////////////////// diff --git a/components/active/class.active.php b/components/active/class.active.php index dac9313..bee6d72 100755 --- a/components/active/class.active.php +++ b/components/active/class.active.php @@ -14,7 +14,6 @@ class Active extends Common { // PROPERTIES ////////////////////////////////////////////////////////////////// - public $username = ""; public $path = ""; public $new_path = ""; @@ -34,7 +33,7 @@ class Active extends Common { public static function remove( $path ) { global $sql; - $query = "DELETE FROM active WHERE path=? AND username=?;"; + $query = "DELETE FROM active WHERE path=? AND user=?;"; $bind_variables = array( $path, $_SESSION["user"] ); $return = $sql->query( $query, $bind_variables, 0, "rowCount" ); } @@ -46,8 +45,8 @@ class Active extends Common { public function ListActive() { global $sql; - $query = "SELECT path, position, focused FROM active WHERE username=?"; - $bind_variables = array( $this->username ); + $query = "SELECT path, position, focused FROM active WHERE user=?"; + $bind_variables = array( $_SESSION["user_id"] ); $result = $sql->query( $query, $bind_variables, array() ); $tainted = false; $root = WORKSPACE; @@ -82,7 +81,7 @@ class Active extends Common { public function Check() { global $sql; - $query = "SELECT username FROM active WHERE path=?"; + $query = "SELECT user FROM active WHERE path=?"; $bind_variables = array( $this->path ); $result = $sql->query( $query, $bind_variables, array() ); $tainted = false; @@ -92,10 +91,11 @@ class Active extends Common { foreach( $result as $id => $data ) { - array_push( $users, $data["username"] ); - if( $data["username"] == $this->username ) { + array_push( $users, $data["user"] ); + if( $data["user"] == $_SESSION ) { $user = true; + break; } } @@ -115,8 +115,8 @@ class Active extends Common { public function Add() { global $sql; - $query = "INSERT INTO active( username, path, focused ) VALUES ( ?, ?, ? );"; - $bind_variables = array( $this->username, $this->path, false ); + $query = "INSERT INTO active( user, path, focused ) VALUES ( ?, ?, ? );"; + $bind_variables = array( $_SESSION["user_id"], $this->path, false ); $return = $sql->query( $query, $bind_variables, 0, "rowCount" ); if( $return > 0 ) { @@ -149,8 +149,8 @@ class Active extends Common { public function RemoveAll() { global $sql; - $query = "DELETE FROM active WHERE username=?;"; - $bind_variables = array( $this->username ); + $query = "DELETE FROM active WHERE user=?;"; + $bind_variables = array( $_SESSION["user_id"] ); $return = $sql->query( $query, $bind_variables, 0, "rowCount" ); if( $return > 0 ) { @@ -167,8 +167,8 @@ class Active extends Common { public function MarkFileAsFocused() { global $sql; - $query = "UPDATE active SET focused=? WHERE username=?;UPDATE active SET focused=? WHERE path=? AND username=?;"; - $bind_variables = array( false, $this->username, true, $this->path, $this->username ); + $query = "UPDATE active SET focused=? WHERE user=?;UPDATE active SET focused=? WHERE path=? AND user=?;"; + $bind_variables = array( false, $_SESSION["user_id"], true, $this->path, $_SESSION["user_id"] ); $return = $sql->query( $query, $bind_variables, 0, "rowCount" ); if( $return > 0 ) { @@ -188,8 +188,8 @@ class Active extends Common { foreach( $positions as $path => $cursor ) { - $query .= "UPDATE active SET position=? WHERE path=? AND username=?;"; - array_push( $bind_variables, json_encode( $cursor ), $path, $this->username ); + $query .= "UPDATE active SET position=? WHERE path=? AND user=?;"; + array_push( $bind_variables, json_encode( $cursor ), $path, $_SESSION["user_id"] ); } $return = $sql->query( $query, $bind_variables, 0, "rowCount" ); diff --git a/components/filemanager/class.filemanager.php b/components/filemanager/class.filemanager.php index b5f668d..601aad5 100755 --- a/components/filemanager/class.filemanager.php +++ b/components/filemanager/class.filemanager.php @@ -406,7 +406,8 @@ class Filemanager extends Common { if( $patch && ! $mtime ) { $response["status"] = "error"; - $response["message"] = "mtime parameter not found"; + $response["message"] = "invalid mtime parameter not found"; + $response["mtime"] = $mtime; return $response; } diff --git a/components/filemanager/controller.php b/components/filemanager/controller.php index e82422e..69fadab 100755 --- a/components/filemanager/controller.php +++ b/components/filemanager/controller.php @@ -169,24 +169,36 @@ switch( $action ) { case 'modify': - if( isset( $_POST["content"] ) || isset( $_POST["patch"] ) ) { + if( isset( $_POST["data"] ) ) { - $content = isset( $_POST["content"] ) ? $_POST["content"] : ""; - $patch = isset( $_POST["patch"] ) ? $_POST["patch"] : false; - $mtime = isset( $_POST["mtime"] ) ? $_POST["mtime"] : 0; + $data = json_decode( $_POST["data"], true ); - if( get_magic_quotes_gpc() ){ + if( json_last_error() !== JSON_ERROR_NONE ) { - $content = stripslashes( $content ); - $patch = stripslashes( $patch ); - $mtime = stripslashes( $mtime ); + $data = json_decode( stripslashes( $_POST["data"] ), true ); } - $response = $Filemanager->modify( $path, $content, $mtime ); + if( json_last_error() !== JSON_ERROR_NONE ) { + + $data = array(); + } + + if( isset( $data["content"] ) || isset( $data["patch"] ) ) { + + $content = isset( $data["content"] ) ? $data["content"] : ""; + $patch = isset( $data["patch"] ) ? $data["patch"] : false; + $mtime = isset( $data["mtime"] ) ? $data["mtime"] : 0; + + $response = $Filemanager->modify( $path, $content, $patch, $mtime ); + } else { + + $response["status"] = "error"; + $response["message"] = "Missing modification content"; + } } else { $response["status"] = "error"; - $response["message"] = "Missing modification content"; + $response["message"] = "Missing save data"; } break; diff --git a/components/filemanager/init.js b/components/filemanager/init.js index d93914c..62b20ad 100755 --- a/components/filemanager/init.js +++ b/components/filemanager/init.js @@ -54,10 +54,10 @@ this.noOpen = this.noAudio.concat( this.noFiles, this.noImages ), - this.noBrowser = this.noAudio.concat( this.noImages ), - - // Initialize node listener - this.nodeListener(); + this.noBrowser = this.noAudio.concat( this.noImages ), + + // Initialize node listener + this.nodeListener(); this.auto_reload = ( await codiad.settings.get_option( "codiad.filemanager.autoReloadPreview" ) == "true" ); amplify.subscribe( 'settings.save', async function() { @@ -1066,8 +1066,10 @@ callbacks.error.apply( context, [data] ); } } - - $.post( this.controller + '?action=modify&path=' + encodeURIComponent( path ), data, function( resp ) { + let post = { + "data": JSON.stringify( data ) + }; + $.post( this.controller + '?action=modify&path=' + encodeURIComponent( path ), post, function( resp ) { console.log( resp ); resp = $.parseJSON( resp ); diff --git a/components/install/install.php b/components/install/install.php index 4d9e1ee..07ea2a1 100644 --- a/components/install/install.php +++ b/components/install/install.php @@ -148,8 +148,7 @@ define("WSURL", BASE_URL . "/workspace"); // Marketplace //define("MARKETURL", "http://market.codiad.com/json"); '; - $this->save_file( $this->config, $config_data ); - echo( "success" ); + return file_put_contents( $this->config, $config_data ); } function create_project() { @@ -158,10 +157,12 @@ define("WSURL", BASE_URL . "/workspace"); if ( ! $this->is_abs_path( $project_path ) ) { - $project_path = preg_replace( '/[^\w-._@]/', '-', $project_path ); + $project_path = preg_replace( '/[^\w\-._@]/', '-', $project_path ); + $project_path = $this->username . "/" . $project_path; + if( ! is_dir( $this->workspace . "/" . $project_path ) ) { - mkdir( $this->workspace . "/" . $project_path ); + mkdir( $this->workspace . "/" . $project_path, 0755, true ); } } else { @@ -185,11 +186,12 @@ define("WSURL", BASE_URL . "/workspace"); } $bind_variables = array( + $project_path, $this->project_name, $project_path, $this->username ); - $query = "INSERT INTO projects(name, path, owner) VALUES (?,?,?);"; + $query = "DELETE FROM projects WHERE path = ?;INSERT INTO projects(name, path, owner) VALUES (?,?,( SELECT id FROM users WHERE username = ? LIMIT 1 ));"; $connection = $this->sql->connect(); $statement = $connection->prepare( $query ); $statement->execute( $bind_variables ); @@ -205,36 +207,31 @@ define("WSURL", BASE_URL . "/workspace"); $result = $this->sql->create_default_tables(); - if ( ! $result === true ) { + if ( ! $result["create_tables"] === true ) { - die( '{"message":"Could not tables in database.","error":"' . json_encode( $result ) .'"}' ); + exit( json_encode( $result ) ); } } function create_user() { $bind_variables = array( - "", - "", $this->username, $this->password, - "", $this->project_path, - "admin", - "", - "" + Permissions::LEVELS["admin"] ); - $query = "INSERT INTO users(first_name, last_name, username, password, email, project, access, groups, token) VALUES (?,?,?,?,?,?,?,?,?)"; - $connection = $this->sql->connect(); - $statement = $connection->prepare( $query ); - $statement->execute( $bind_variables ); - $error = $statement->errorInfo(); + $query = "INSERT INTO users( username, password, project, access ) VALUES ( ?,?,( SELECT id FROM projects WHERE path = ? LIMIT 1 ),? )"; - if( ! $error[0] == "00000" ) { + try { - die( '{"message":"Could not create user in database.","error":"' . addslashes(json_encode( $error )) .'"}' ); + $connection = $this->sql->connect(); + $statement = $connection->prepare( $query ); + $statement->execute( $bind_variables ); + } catch( exception $e ) { + + exit( "Error could not create user: " . $e->getMessage() ); } - $this->set_default_options(); } @@ -269,10 +266,11 @@ define("WSURL", BASE_URL . "/workspace"); $connection = $this->sql->connect(); $this->create_tables(); - $this->create_project(); $this->create_user(); + $this->create_project(); //exit( "stop" ); $this->create_config(); + return "success"; } function JSEND( $message, $error=null ) { @@ -288,18 +286,11 @@ define("WSURL", BASE_URL . "/workspace"); exit( json_encode( $message ) ); } - function save_file( $file, $data ) { - - $write = fopen( $file, 'w' ) or die( '{"message": "can\'t open file"}' ); - fwrite( $write, $data ); - fclose( $write ); - } - public function set_default_options() { foreach( Settings::DEFAULT_OPTIONS as $id => $option ) { - $query = "INSERT INTO user_options ( name, username, value ) VALUES ( ?, ?, ? );"; + $query = "INSERT INTO user_options ( name, user, value ) VALUES ( ?, ( SELECT id FROM users WHERE username = ? ), ? );"; $bind_variables = array( $option["name"], $this->username, @@ -309,7 +300,7 @@ define("WSURL", BASE_URL . "/workspace"); if( $result == 0 ) { - $query = "UPDATE user_options SET value=? WHERE name=? AND username=?;"; + $query = "UPDATE user_options SET value=? WHERE name=? AND user=( SELECT id FROM users WHERE username = ? );"; $bind_variables = array( $option["value"], $option["name"], diff --git a/components/install/view.php b/components/install/view.php index 0796f85..63168d9 100755 --- a/components/install/view.php +++ b/components/install/view.php @@ -442,12 +442,12 @@ if(!password_match){ alert('The passwords entered do not match'); } if(!empty_fields && password_match && check_path){ $.post('components/install/install.php',$('#install').serialize(),function( data ) { -if( data == 'success' ){ +console.log( data ); + +if( data === "success" ){ window.location.reload(); } else { -data = JSON.parse( data ); -console.log( data.error ); -alert( "An Error Occurred\n" + data.message ); +alert( "An Error Occurred. Please check the console for more information.\n" ); } }); } diff --git a/components/permissions/class.permissions.php b/components/permissions/class.permissions.php index 55512f9..b082bb5 100644 --- a/components/permissions/class.permissions.php +++ b/components/permissions/class.permissions.php @@ -23,6 +23,12 @@ class Permissions { "admin" => 64, ); + const SYSTEM_LEVELS = array( + + "user" => 32, + "admin" => 64, + ); + function __construct() { @@ -82,7 +88,7 @@ class Permissions { if( $data["owner"] == 'nobody' ) { $access = self::LEVELS["owner"]; - } elseif( $data["owner"] == $_SESSION["user"] ) { + } elseif( $data["owner"] == $_SESSION["user_id"] ) { $access = self::LEVELS["owner"]; } else { diff --git a/components/project/class.project.php b/components/project/class.project.php index c4c0b68..d22cd12 100755 --- a/components/project/class.project.php +++ b/components/project/class.project.php @@ -155,13 +155,13 @@ class Project extends Common { $owner = $result["owner"]; if( $exclude_public ) { - if( $owner == $_SESSION["user"] ) { + if( $owner == $_SESSION["user_id"] ) { $return = true; } } else { - if( $owner == $_SESSION["user"] || $owner == 'nobody' ) { + if( $owner == $_SESSION["user_id"] || $owner == 'nobody' ) { $return = true; } @@ -217,7 +217,7 @@ class Project extends Common { OR owner='nobody' OR id IN ( SELECT project FROM access WHERE user = ? ) ) ORDER BY name;"; - $bind_variables = array( $project, $_SESSION["user"], $_SESSION["user_id"] ); + $bind_variables = array( $project, $_SESSION["user_id"], $_SESSION["user_id"] ); //$query = "SELECT * FROM projects WHERE path=? AND ( owner=? OR owner='nobody' ) ORDER BY name;"; //$bind_variables = array( $project, $_SESSION["user"] ); $return = $sql->query( $query, $bind_variables, array(), "fetch" ); @@ -260,7 +260,7 @@ class Project extends Common { WHERE owner=? OR owner='nobody' OR id IN ( SELECT project FROM access WHERE user = ? );"; - $bind_variables = array( $_SESSION["user"], $_SESSION["user_id"] ); + $bind_variables = array( $_SESSION["user_id"], $_SESSION["user_id"] ); $return = $sql->query( $query, $bind_variables, array() ); return( $return ); } @@ -293,14 +293,14 @@ class Project extends Common { global $sql; $query = "SELECT * FROM projects WHERE name=? AND path=? AND ( owner=? OR owner='nobody' );"; - $bind_variables = array( $old_name, $path, $_SESSION["user"] ); + $bind_variables = array( $old_name, $path, $_SESSION["user_id"] ); $return = $sql->query( $query, $bind_variables, array() ); $pass = false; if( ! empty( $return ) ) { $query = "UPDATE projects SET name=? WHERE name=? AND path=? AND ( owner=? OR owner='nobody' );"; - $bind_variables = array( $new_name, $old_name, $path, $_SESSION["user"] ); + $bind_variables = array( $new_name, $old_name, $path, $_SESSION["user_id"] ); $return = $sql->query( $query, $bind_variables, 0, "rowCount"); if( $return > 0 ) { @@ -375,13 +375,13 @@ class Project extends Common { OR owner='nobody' OR id IN ( SELECT project FROM access WHERE user = ? ) ) ORDER BY name LIMIT 1;"; - $bind_variables = array( $this->path, $_SESSION["user"], $_SESSION["user_id"] ); + $bind_variables = array( $this->path, $_SESSION["user_id"], $_SESSION["user_id"] ); $return = $sql->query( $query, $bind_variables, array(), "fetch" ); if( ! empty( $return ) ) { $query = "UPDATE users SET project=? WHERE username=?;"; - $bind_variables = array( $this->path, $_SESSION["user"] ); + $bind_variables = array( $return["id"], $_SESSION["user"] ); $sql->query( $query, $bind_variables, 0, "rowCount" ); $this->name = $return['name']; $_SESSION['project'] = $return['path']; diff --git a/components/project/dialog.php b/components/project/dialog.php index 6d1416b..b70dbe4 100755 --- a/components/project/dialog.php +++ b/components/project/dialog.php @@ -96,7 +96,7 @@ switch( $_GET['action'] ) { ?> diff --git a/components/settings/class.settings.php b/components/settings/class.settings.php index f46fadb..fc2afc3 100755 --- a/components/settings/class.settings.php +++ b/components/settings/class.settings.php @@ -113,7 +113,7 @@ class Settings { $result = $sql->query( $query, $bind_variables, 0, "rowCount" ); } else { - $query = "DELETE FROM options WHERE name=? AND username=?"; + $query = "DELETE FROM options WHERE name=? AND user=?"; $bind_variables = array( $option, $this->username, @@ -138,17 +138,17 @@ class Settings { $query = "SELECT value FROM options WHERE name=?;"; $bind_variables = array( $option ); - $return = $sql->query( $query, $bind_variables, array() )[0]; + $return = $sql->query( $query, $bind_variables, array() ); } else { - $query = "SELECT value FROM user_options WHERE name=? AND username=?;"; - $bind_variables = array( $option, $this->username ); - $return = $sql->query( $query, $bind_variables, array() )[0]; + $query = "SELECT value FROM user_options WHERE name=? AND user=?;"; + $bind_variables = array( $option, $_SESSION["user_id"] ); + $return = $sql->query( $query, $bind_variables, array() ); } if( ! empty( $return ) ) { - $return = $return["value"]; + $return = $return[0]["value"]; } else { $return = null; @@ -259,21 +259,21 @@ class Settings { } } else { - $query = "INSERT INTO user_options ( name, username, value ) VALUES ( ?, ?, ? );"; + $query = "INSERT INTO user_options ( name, user, value ) VALUES ( ?, ?, ? );"; $bind_variables = array( $option, - $this->username, + $_SESSION["user_id"], $value, ); $result = $sql->query( $query, $bind_variables, 0, "rowCount" ); if( $result == 0 ) { - $query = "UPDATE user_options SET value=? WHERE name=? AND username=?;"; + $query = "UPDATE user_options SET value=? WHERE name=? AND user=?;"; $bind_variables = array( $value, $option, - $this->username, + $_SESSION["user_id"], ); $result = $sql->query( $query, $bind_variables, 0, "rowCount" ); } diff --git a/components/settings/init.js b/components/settings/init.js index cd28450..3f4d0ee 100755 --- a/components/settings/init.js +++ b/components/settings/init.js @@ -166,7 +166,7 @@ let _self = codiad.settings; jQuery.ajax({ - + url: this.controller + '?action=update_option', type: "POST", dataType: 'html', diff --git a/components/sql/class.sql.conversions.php b/components/sql/class.sql.conversions.php deleted file mode 100644 index ccea77d..0000000 --- a/components/sql/class.sql.conversions.php +++ /dev/null @@ -1,458 +0,0 @@ - array( - - "mysql" => "CREATE TABLE IF NOT EXISTS", - "pgsql" => "CREATE TABLE IF NOT EXISTS", - "sqlite" => "CREATE TABLE IF NOT EXISTS", - ), - - "delete" => array( - - "mysql" => "DELETE", - "pgsql" => "DELETE", - "sqlite" => "DELETE", - ), - - "find" => array( - - "mysql" => "LOCATE( %substring%, %string% )", - "pgsql" => "POSITION( %substring% in %string% )", - "sqlite" => "INSTR( %string%, %substring% )", - ), - - "select" => array( - - "mysql" => "SELECT", - "pgsql" => "SELECT", - "sqlite" => "SELECT", - ), - - "update" => array( - - "mysql" => "UPDATE", - "pgsql" => "UPDATE", - "sqlite" => "UPDATE", - ), - ); - - public $comparisons = array( - - "equal" => array( - - "mysql" => "=", - "pgsql" => "=", - "sqlite" => "=", - ), - - "less than" => array( - - "mysql" => "<", - "pgsql" => "<", - "sqlite" => "<", - ), - - "more than" => array( - - "mysql" => ">", - "pgsql" => ">", - "sqlite" => ">", - ), - - "not" => array( - - "mysql" => "!", - "pgsql" => "!", - "sqlite" => "!", - ), - - "not equal" => array( - - "mysql" => "!=", - "pgsql" => "!=", - "sqlite" => "!=", - ), - - "where" => array( - - "mysql" => "WHERE", - "pgsql" => "WHERE", - "sqlite" => "WHERE", - ), - ); - - public $data_types = array( - - "bool" => array( - - "mysql" => "BOOL", - "pgsql" => "BOOL", - "sqlite" => "BOOL", - ), - - "int" => array( - - "mysql" => "INT", - "pgsql" => "INT", - "sqlite" => "INT", - ), - - "string" => array( - - "mysql" => "VARCHAR(255)", - "pgsql" => "VARCHAR", - "sqlite" => "VARCHAR", - ), - - "text" => array( - - "mysql" => "TEXT", - "pgsql" => "TEXT", - "sqlite" => "TEXT", - ), - ); - - public $general = array( - - "from" => array( - - "mysql" => "FROM", - "pgsql" => "FROM", - "sqlite" => "FROM", - ), - ); - - public $specials = array( - - "id" => array( - - "mysql" => "NOT NULL AUTO_INCREMENT PRIMARY KEY", - "pgsql" => "SERIAL PRIMARY KEY", - "sqlite" => "SERIAL PRIMARY KEY", - ), - - "key" => array( - - "mysql" => "KEY", - "pgsql" => "KEY", - "sqlite" => "KEY", - ), - - "auto increment" => array( - - "mysql" => "AUTO_INCREMENT", - "pgsql" => "AUTO_INCREMENT", - "sqlite" => "AUTO_INCREMENT", - ), - - "not null" => array( - - "mysql" => "NOT NULL", - "pgsql" => "NOT NULL", - "sqlite" => "NOT NULL", - ), - - "null" => array( - - "mysql" => "NULL", - "pgsql" => "NULL", - "sqlite" => "NULL", - ), - - "unique" => array( - - "mysql" => "CONSTRAINT %constraint_name% UNIQUE ( %field_names% )", - "pgsql" => "CONSTRAINT %constraint_name% UNIQUE ( %field_names% )", - "sqlite" => "CONSTRAINT %constraint_name% UNIQUE ( %field_names% )", - ), - ); - - public $wraps = array( - - "close" => array( - - "mysql" => "`", - "mssql" => "]", - "pgsql" => "\"", - "sqlite" => "\"", - ), - - "open" => array( - - "mysql" => "`", - "mssql" => "[", - "pgsql" => "\"", - "sqlite" => "\"", - ), - ); - - public function check_field( $needle, $haystack ) { - - $field = preg_replace_callback( - // Matches parts to be replaced: '[field]' - '/(\[.*?\])/', - // Callback function. Use 'use()' or define arrays as 'global' - function( $matches ) use ( $haystack ) { - - // Remove square brackets from the match - // then use it as variable name - $match = trim( $matches[1], "[]" ); - return $match; - }, - // Input string to search in. - $needle - ); - - if( $field === $needle ) { - - $field = false; - } - return $field; - } - - public function find( $substring, $string ) { - - $dbtype = DBTYPE; - $find_string = $this->actions["find"][$dbtype]; - $find_string = str_replace( "%string%", $string, $find_string ); - $find_string = str_replace( "%substring%", $substring, $find_string ); - - return $find_string; - } - - public function select( $table, $fields, $where ) { - - $dbtype = DBTYPE; - $id_close = $this->wraps["close"][$dbtype]; - $id_open = $this->wraps["open"][$dbtype]; - $query = $this->actions["select"][$dbtype] . " "; - $bind_vars = array(); - - if( empty( $fields ) ) { - - $query .= " * "; - } - - foreach( $fields as $field ) { - - $query .= $field . ","; - } - - $query = substr( $query, 0, -1 ); - $query .= " {$this->general["from"][$dbtype]} {$table} "; - - if( ! empty( $where ) ) { - - $query .= " {$this->comparisons["where"][$dbtype]} "; - } - - foreach( $where as $comparison ) { - - $comparison_string = ""; - - //Put a replace of %% symbols with fields and open / close - if( $comparison[0] == "find" ) { - - $c1 = $this->check_field( $comparison[1], $fields ); - $c2 = $this->check_field( $comparison[2], $fields ); - $c3 = $this->check_field( $comparison[3][1], $fields ); - - if( ! $c1 === FALSE ) { - - $c1 = $id_open . $c1 . $id_close; - } else { - - $c1 = "?"; - array_push( $bind_vars, $comparison[1] ); - } - - if( ! $c2 === FALSE ) { - - $c2 = $id_open . $c2 . $id_close; - } else { - - $c2 = "?"; - array_push( $bind_vars, $comparison[2] ); - } - - if( ! $c3 === FALSE ) { - - $c3 = $id_open . $c3 . $id_close; - } else { - - $c3 = "?"; - array_push( $bind_vars, $comparison[3][1] ); - } - - $c0 = $this->find( $c1, $c2 ); - $comparison_string .= "{$c0} {$this->comparisons[$comparison[3][0]][$dbtype]} {$c3}"; - } elseif( $comparison[0] == "in" ) { - - - } elseif( $comparison[0] == "limit" ) { - - - } else { - - if( in_array( $fields, $comparison[1] ) ) { - - $comparison[1] = $id_open . $comparison[1] . $id_close; - } - - if( in_array( $fields, $comparison[3] ) ) { - - $comparison[3] = $id_open . $comparison[3] . $id_close; - } - - $comparison_string .= "{$comparison[1]} {$this->$comparisons[$comparison[0]][$dbtype]} {$comparison[2]}"; - } - - $index = array_search( $comparison, $where ); - - if( $index ) { - - } else { - - $query .= "{$comparison_string} "; - } - } - - //$query = substr( $query, 0, -1 ); - $query .= ";"; - return array( $query, $bind_vars ); - } - - public function table( $table_name, $fields, $attributes ) { - - $dbtype = DBTYPE; - $id_close = $this->wraps["close"][$dbtype]; - $id_open = $this->wraps["open"][$dbtype]; - - $query = "{$this->actions["create"][$dbtype]} {$table_name} ("; - - foreach( $fields as $id => $type ) { - - $query .= "{$id} {$this->data_types[$type][$dbtype]}"; - - if( isset( $attributes[$id] ) ) { - - foreach( $attributes[$id] as $attribute ) { - - $attribute_string = $this->specials["$attribute"][$dbtype]; - - if( $attribute == "unique" ) { - - continue; - } - - if( $dbtype == "pgsql" ) { - - if( $id == "id" ) { - - $query = substr( $query, 0, -( strlen( " {$this->data_types[$type][$dbtype]}" ) ) ); - } - } - - if( ! strpos( $attribute_string, "%table_name%" ) === FALSE ) { - - $attribute_string = str_replace( "%table_name%", $table_name, $attribute_string ); - } - - if( ! strpos( $attribute_string, "%fields%" ) === FALSE ) { - - $fields_string = ""; - - foreach( $fields as $field ) { - - $fields_string .= "{$id_open}field{$id_close},"; - } - - $fields_string = substr( $fields_string, 0, -1 ); - $attribute_string = str_replace( "%fields%", $fields_string, $attribute_string ); - } - $query .= " {$attribute_string}"; - } - } - $query .= ","; - } - - $id_close = $this->wraps["close"][$dbtype]; - $id_open = $this->wraps["open"][$dbtype]; - $fields_string = ""; - $unique_string = ""; - $unique_length = 0; - - foreach( $attributes as $id => $attribute ) { - - if( in_array( "unique", $attribute ) ) { - - $unique_length++; - } - } - - foreach( $attributes as $id => $attribute ) { - - if( is_array( $attribute ) && in_array( "unique", $attribute ) ) { - - if( $unique_string == "" ) { - - $unique_string = $this->specials["unique"][$dbtype] . ","; - } - if( $dbtype == "mysql" && $fields ) { - - if( $fields[$id] == "text" ) { - - $field_length = ( 3000 / $unique_length ); - $fields_string .= "{$id_open}{$id}{$id_close}($field_length),"; - } elseif( $fields[$id] == "string" ) { - - $field_length = ( 3000 / $unique_length ); - $fields_string .= "{$id_open}{$id}{$id_close}(255),"; - } - } else { - - $fields_string .= "{$id_open}{$id}{$id_close},"; - } - } - } - - $unique_string = str_replace( "%constraint_name%", strtolower( preg_replace( '#[^A-Za-z0-9' . preg_quote( '-_@. ').']#', '', $fields_string ) ), $unique_string ); - $unique_string = str_replace( "%field_names%", substr( $fields_string, 0, -1 ), $unique_string ); - $query .= $unique_string; - - $query = substr( $query, 0, -1 ); - $query .= ")"; - - if( $dbtype == "mysql" ) { - - $query .= " ENGINE=InnoDB;"; - } else { - - $query .= ";"; - } - - return( $query ); - } - - public function tables( $tables ) { - - $query = ""; - - foreach( $tables as $table_name => $table_data ) { - - $query .= $this->table( $table_name, $table_data["fields"], $table_data["attributes"] ) . PHP_EOL; - } - return( $query ); - } - - public function update( $table, $fields, $where ) { - - - } -} - -?> diff --git a/components/sql/class.sql.php b/components/sql/class.sql.php index 5201bf3..4f46465 100755 --- a/components/sql/class.sql.php +++ b/components/sql/class.sql.php @@ -54,141 +54,27 @@ class sql { public function create_default_tables() { - $create_tables = $this->create_tables( - array( - "active" => array( - "fields" => array( - "username" => "string", - "path" => "text", - "position" => "string", - "focused" => "string" - ), - "attributes" => array( - "username" => array( "not null" ), - "path" => array( "not null" ), - "focused" => array( "not null" ), - ) - ), - "access" => array( - "fields" => array( - "project" => "int", - "user" => "int", - "level" => "int", - ), - "attributes" => array( - "id" => array( "not null" ), - "user" => array( "not null" ), - "level" => array( "not null" ), - ) - ), - "options" => array( - "fields" => array( - "id" => "int", - "name" => "string", - "value" => "text", - ), - "attributes" => array( - "id" => array( "id" ), - "name" => array( "not null", "unique" ), - "value" => array( "not null" ), - ) - ), - "projects" => array( - "fields" => array( - "id" => "int", - "name" => "string", - "path" => "text", - "owner" => "string", - ), - "attributes" => array( - - "id" => array( "id" ), - "name" => array( "not null" ), - "path" => array( "not null", "unique" ), - "owner" => array( "not null", "unique" ), - ) - ), - "users" => array( - "fields" => array( - "id" => "int", - "first_name" => "string", - "last_name" => "string", - "username" => "string", - "password" => "text", - "email" => "string", - "project" => "int", - "access" => "string", - "token" => "string", - ), - "attributes" => array( - "id" => array( "id" ), - "username" => array( "not null", "unique" ), - "password" => array( "not null" ), - "access" => array( "not null" ), - ) - ), - "user_options" => array( - "fields" => array( - "id" => "int", - "name" => "string", - "username" => "string", - "value" => "text", - ), - "attributes" => array( - "id" => array( "id" ), - "name" => array( "not null", "unique" ), - "username" => array( "not null", "unique" ), - "value" => array( "not null" ), - ) - ), - ) - ); + $create_tables = $this->create_tables(); $structure_updates = $this->update_table_structure(); $result = array( "create_tables" => $create_tables, "structure_updates" => $structure_updates ); - exit( json_encode( $result, JSON_PRETTY_PRINT ) ); + return $result; } - public function create_tables( $table ) { + public function create_tables() { - /** - Tables layout - array( - - "table_name" => array( - - "fields" => array( - - "id" => "int", - "test_field" => "string" - ), - "attributes" => array( - - "id" => array( "id" ), - "test_field" => array( "not null" ), - ) - ), - "table2_name" => array( - - "fields" => array( - - "id" => "int", - "test_field" => "string" - ), - "attributes" => array( - - "id" => array( "id" ), - "test_field" => array( "not null" ), - ) - ) - ); - */ + $script = __DIR__ . "/scripts/" . DBTYPE . ".sql"; - try { + if( ! is_file( $script ) ) { - $query = $this->conversions->tables( $table ); + return "Error, no database scripts specified for currently selected dbtype."; + } + + try { + + $query = file_get_contents( $script ); $connection = $this->connect(); $result = $connection->exec( $query ); return true; @@ -227,130 +113,148 @@ class sql { return self::$instance; } - public function select( $table, $fields=array(), $where=array() ) { - - $array = $this->conversions->select( $table, $fields, $where ); - $query = $array[0]; - $bind_vars = $array[1]; - $result = $this->query( $query, $bind_vars, array() ); - //echo var_dump( $query, $bind_vars ) . "
"; - return $result; - } - - public function update( $table, $fields=array(), $where=array() ) { - - $query = $this->conversions->update( $table, $fields, $where ); - //echo var_dump( $query ) . "
"; - //return $query; - } - public function update_table_structure() { $status_updates = array(); - $sql_conversions = new sql_conversions(); - - try { - - $access_query = "INSERT INTO access( project, user, level ) VALUES "; - $projects = $this->query( "SELECT id, access FROM projects", array(), array(), "fetchAll", "exception" ); - $users = $this->query( "SELECT id, username FROM users", array(), array(), "fetchAll", "exception" ); - $delete = Permissions::LEVELS["delete"]; - - foreach( $users as $row => $user ) { - - foreach( $projects as $row => $project ) { - - $access = json_decode( $project["access"], true ); - if( ! is_array( $access ) || empty( $access ) ) { - - continue; - } - - foreach( $access as $granted_user ) { - - if( $granted_user == $user["username"] ) { - - $access_query .= "( {$project["id"]}, {$user["id"]}, $delete ),"; - } - } - } - } - - if( $access_query !== "INSERT INTO access( project, user, level ) VALUES " ) { - - $result = $this->query( substr( $access_query, 0, -1 ), array(), 0, "rowCount", "exception" ); - } - $result = $this->query( "ALTER TABLE projects DROP COLUMN access", array(), 0, "rowCount" ); - $status_updates["access_column"] = "Cached data and removed access column."; - } catch( Exception $error ) { - - //The access field is not there. - //echo var_export( $error->getMessage(), $access_query ); - $status_updates["access_column"] = array( - "error_message" => $error->getMessage(), - "dev_message" => "No access column to convert." - ); - } - - try { - - $update_query = ""; - $projects = $this->query( "SELECT id, path FROM projects", array(), array(), "fetchAll", "exception" ); - $result = $this->query( "SELECT project FROM users", array(), array(), "fetchAll", "exception" ); - $convert = false; - $delete = Permissions::LEVELS["delete"]; - - foreach( $result as $row => $user ) { - - if( ! is_numeric( $user["project"] ) ) { - - $convert = true; - } - - foreach( $projects as $row => $project ) { - - if( $project["path"] == $user["project"] ) { - - $update_query .= "UPDATE users SET project={$project["id"]};"; - } - } - } - - if( $convert && strlen( $update_query ) > 0 ) { - - //change project to users table - $result = $this->query( "ALTER TABLE users DROP COLUMN project", array(), array(), "rowCount", "exception" ); - $result = $this->query( "ALTER TABLE users ADD COLUMN project " . $sql_conversions->data_types["int"][DBTYPE], array(), array(), "rowCount", "exception" ); - $result = $this->query( $update_query, array(), array(), "rowCount", "exception" ); - } else { - - $status_updates["users_current_project"] = array( "dev_message" => "Users current project column to project_id conversion not needed." ); - } - } catch( Exception $error ) { - - //echo var_dump( $error->getMessage() ); - $status_updates["users_current_project"] = array( - "error_message" => $error->getMessage(), - "dev_message" => "Users current project column to project_id conversion failed." - ); - } - - try { - - $result = $this->query( "ALTER TABLE users DROP COLUMN groups", array(), array(), "rowCount", "exception" ); - $status_updates["users_groups_column"] = array( "dev_message" => "Removal of the groups column from the users table succeeded." ); - } catch( Exception $error ) { - - //echo var_dump( $error->getMessage() ); - $status_updates["users_groups_column"] = array( - "error_message" => $error->getMessage(), - "dev_message" => "Removal of the groups column from the users table failed. This usually means there was never one to begin with" - ); - } if( DBTYPE === "mysql" || DBTYPE === "pgsql" ) { - //$constraint = ( DBTYPE === "mysql" ) ? "INDEX" : "CONSTRAINT"; + try { + + $access_query = "INSERT INTO access( project, user, level ) VALUES "; + $projects = $this->query( "SELECT id, access FROM projects", array(), array(), "fetchAll", "exception" ); + $users = $this->query( "SELECT id, username FROM users", array(), array(), "fetchAll", "exception" ); + $delete = Permissions::LEVELS["delete"]; + + foreach( $users as $row => $user ) { + + foreach( $projects as $row => $project ) { + + $access = json_decode( $project["access"], true ); + if( ! is_array( $access ) || empty( $access ) ) { + + continue; + } + + foreach( $access as $granted_user ) { + + if( $granted_user == $user["username"] ) { + + $access_query .= "( {$project["id"]}, {$user["id"]}, $delete ),"; + } + } + } + } + + if( $access_query !== "INSERT INTO access( project, user, level ) VALUES " ) { + + $result = $this->query( substr( $access_query, 0, -1 ), array(), 0, "rowCount", "exception" ); + } + $result = $this->query( "ALTER TABLE projects DROP COLUMN access", array(), 0, "rowCount" ); + $status_updates["access_column"] = "Cached data and removed access column."; + } catch( Exception $error ) { + + //The access field is not there. + //echo var_export( $error->getMessage(), $access_query ); + $status_updates["access_column"] = array( + "error_message" => $error->getMessage(), + "dev_message" => "No access column to convert." + ); + } + + try { + + $update_query = ""; + $projects = $this->query( "SELECT id, path FROM projects", array(), array(), "fetchAll", "exception" ); + $result = $this->query( "SELECT project FROM users", array(), array(), "fetchAll", "exception" ); + $convert = false; + $delete = Permissions::LEVELS["delete"]; + + foreach( $result as $row => $user ) { + + if( ! is_numeric( $user["project"] ) ) { + + $convert = true; + } + + foreach( $projects as $row => $project ) { + + if( $project["path"] == $user["project"] ) { + + $update_query .= "UPDATE users SET project={$project["id"]} WHERE username = '{$user["username"]}';"; + } + } + } + + if( $convert && strlen( $update_query ) > 0 ) { + + //change project to users table + $result = $this->query( "ALTER TABLE users DROP COLUMN project", array(), array(), "rowCount", "exception" ); + $result = $this->query( "ALTER TABLE users ADD COLUMN project INT", array(), array(), "rowCount", "exception" ); + $result = $this->query( $update_query, array(), array(), "rowCount", "exception" ); + } else { + + $status_updates["users_current_project"] = array( "dev_message" => "Users current project column to project_id conversion not needed." ); + } + } catch( Exception $error ) { + + //echo var_dump( $error->getMessage() ); + $status_updates["users_current_project"] = array( + "error_message" => $error->getMessage(), + "dev_message" => "Users current project column to project_id conversion failed." + ); + } + + try { + + $update_query = ""; + $options = $this->query( "SELECT id, name, username, value FROM user_options", array(), array(), "fetchAll", "exception" ); + $users = $this->query( "SELECT id, username FROM users", array(), array(), "fetchAll", "exception" ); + $delete = Permissions::LEVELS["delete"]; + + foreach( $users as $row => $user ) { + + foreach( $options as $row => $option ) { + + if( $option["username"] == $user["username"] ) { + + $update_query .= "UPDATE user_options SET user={$user["id"]} WHERE id={$option["id"]};"; + } + } + } + + if( strlen( $update_query ) > 0 ) { + + //change project to users table + $result = $this->query( "ALTER TABLE user_options DROP COLUMN username", array(), array(), "rowCount", "exception" ); + $result = $this->query( "ALTER TABLE user_options ADD COLUMN user INT", array(), array(), "rowCount", "exception" ); + $result = $this->query( $update_query, array(), array(), "rowCount", "exception" ); + } else { + + $status_updates["username_user_option_column"] = array( "dev_message" => "User options username column needed no conversion." ); + } + } catch( Exception $error ) { + + //The access field is not there. + //echo var_export( $error->getMessage(), $access_query ); + $status_updates["username_user_option_column"] = array( + "error_message" => $error->getMessage(), + "dev_message" => "No username column to convert." + ); + } + + try { + + $result = $this->query( "ALTER TABLE users DROP COLUMN groups", array(), array(), "rowCount", "exception" ); + $status_updates["users_groups_column"] = array( "dev_message" => "Removal of the groups column from the users table succeeded." ); + } catch( Exception $error ) { + + //echo var_dump( $error->getMessage() ); + $status_updates["users_groups_column"] = array( + "error_message" => $error->getMessage(), + "dev_message" => "Removal of the groups column from the users table failed. This usually means there was never one to begin with" + ); + } try { diff --git a/components/sql/scripts/mysql.sql b/components/sql/scripts/mysql.sql index 5eceeb7..5582831 100644 --- a/components/sql/scripts/mysql.sql +++ b/components/sql/scripts/mysql.sql @@ -1,3 +1,13 @@ +-- +-- Table structure for table `access` +-- + +CREATE TABLE IF NOT EXISTS `access` ( + `user` int NOT NULL, + `project` int NOT NULL, + `level` int NOT NULL +) ENGINE=InnoDB DEFAULT CHARSET=utf8; + -- -- Table structure for table `active` -- @@ -9,16 +19,6 @@ CREATE TABLE IF NOT EXISTS `active` ( `focused` varchar(255) NOT NULL ) ENGINE=InnoDB DEFAULT CHARSET=utf8; --- --- Table structure for table `access` --- - -CREATE TABLE IF NOT EXISTS `access` ( - `user` int NOT NULL, - `project` int NOT NULL, - `level` int NOT NULL -) ENGINE=InnoDB DEFAULT CHARSET=utf8; - -- -------------------------------------------------------- -- @@ -41,7 +41,7 @@ CREATE TABLE IF NOT EXISTS `projects` ( `id` int PRIMARY KEY AUTO_INCREMENT NOT NULL, `name` varchar(255) NOT NULL, `path` text NOT NULL, - `owner` int NOT NULL, + `owner` int NOT NULL ) ENGINE=InnoDB DEFAULT CHARSET=utf8; diff --git a/components/user/class.user.php b/components/user/class.user.php index 9622c0b..6da1ac3 100755 --- a/components/user/class.user.php +++ b/components/user/class.user.php @@ -10,25 +10,10 @@ require_once( "../settings/class.settings.php" ); class User { - const ACCESS = array( - "admin", - "user" - ); - ////////////////////////////////////////////////////////////////// // PROPERTIES ////////////////////////////////////////////////////////////////// - public $access = 'user'; - public $username = ''; - public $password = ''; - public $project = ''; - public $projects = ''; - public $users = ''; - public $actives = ''; - public $lang = ''; - public $theme = ''; - ////////////////////////////////////////////////////////////////// // METHODS ////////////////////////////////////////////////////////////////// @@ -43,46 +28,47 @@ class User { } - public function add_user() { + public function add_user( $username, $password, $access ) { global $sql; $query = "INSERT INTO users( username, password, access, project ) VALUES ( ?, ?, ?, ? );"; - $bind_variables = array( $this->username, $this->password, $this->access, null ); + $bind_variables = array( $username, $password, $access, null ); $return = $sql->query( $query, $bind_variables, 0, "rowCount" ); + $pass = false; if( $return > 0 ) { - $this->set_default_options(); - exit( formatJSEND( "success", array( "username" => $this->username ) ) ); - } else { - - exit( formatJSEND( "error", "The Username is Already Taken" ) ); + $this->set_default_options( $username ); + $pass = true; } + return false; } - public function delete_user() { + public function delete_user( $username ) { global $sql; - $query = "DELETE FROM user_options WHERE username=?;"; - $bind_variables = array( $this->username ); + $query = "DELETE FROM user_options WHERE user=( SELECT id FROM users WHERE username=? );"; + $bind_variables = array( $username ); $return = $sql->query( $query, $bind_variables, -1, "rowCount" ); if( $return > -1 ) { + //TODO: add new permissions system to delete cleanup + $query = "DELETE FROM projects WHERE owner=? AND access IN ( ?,?,?,?,? );"; $bind_variables = array( - $this->username, + $username, "null", null, "[]", "", - json_encode( array( $this->username ) ) + json_encode( array( $username ) ) ); $return = $sql->query( $query, $bind_variables, -1, "rowCount" ); if( $return > -1 ) { $query = "DELETE FROM users WHERE username=?;"; - $bind_variables = array( $this->username ); + $bind_variables = array( $username ); $return = $sql->query( $query, $bind_variables, 0, "rowCount" ); if( $return > 0 ) { @@ -134,26 +120,26 @@ class User { } } - public function set_default_options() { + public function set_default_options( $username ) { foreach( Settings::DEFAULT_OPTIONS as $id => $option ) { global $sql; - $query = "INSERT INTO user_options ( name, username, value ) VALUES ( ?, ?, ? );"; + $query = "INSERT INTO user_options ( name, user, value ) VALUES ( ?, ( SELECT id FROM users WHERE username=? ), ? );"; $bind_variables = array( $option["name"], - $this->username, + $username, $option["value"], ); $result = $sql->query( $query, $bind_variables, 0, "rowCount" ); if( $result == 0 ) { - $query = "UPDATE user_options SET value=? WHERE name=? AND username=?;"; + $query = "UPDATE user_options SET value=? WHERE name=? AND user=( SELECT id FROM users WHERE username=? );"; $bind_variables = array( $option["value"], $option["name"], - $this->username, + $username, ); $result = $sql->query( $query, $bind_variables, 0, "rowCount" ); } @@ -164,59 +150,18 @@ class User { // Authenticate ////////////////////////////////////////////////////////////////// - public function Authenticate() { + public function Authenticate( $username, $password ) { - if( $this->username == "" || $this->password == "" ) { + if( $username == "" || $password == "" ) { - exit( formatJSEND( "error", "Username or password can not be blank." ) ); - } - - if( ! is_dir( SESSIONS_PATH ) ) { - - mkdir( SESSIONS_PATH, 00755 ); - } - - $permissions = array( - "755", - "0755" - ); - - $server_user = posix_getpwuid( posix_geteuid() ); - $sessions_permissions = substr( sprintf( '%o', fileperms( SESSIONS_PATH ) ), -4 ); - $sessions_owner = posix_getpwuid( fileowner( SESSIONS_PATH ) ); - - if( is_array( $server_user ) ) { - - $server_user = $server_user["uid"]; - } - - if( ! ( $sessions_owner === $server_user ) ) { - - try { - - chown( SESSIONS_PATH, $server_user ); - } catch( Exception $e ) { - - exit( formatJSEND("error", "Error, incorrect owner of sessions folder. Expecting: $server_user, Recieved: " . $sessions_owner ) ); - } - } - - if( ! in_array( $sessions_permissions, $permissions ) ) { - - try { - - chmod( SESSIONS_PATH, 00755 ); - } catch( Exception $e ) { - - exit( formatJSEND("error", "Error, incorrect permissions on sessions folder. Expecting: 0755, Recieved: " . $sessions_permissions ) ); - } + return false; } global $sql; $pass = false; $this->EncryptPassword(); $query = "SELECT * FROM users WHERE username=? AND password=?;"; - $bind_variables = array( $this->username, $this->password ); + $bind_variables = array( $username, $password ); $return = $sql->query( $query, $bind_variables, array() ); /** @@ -226,17 +171,17 @@ class User { if( ( strtolower( DBTYPE ) == "mysql" ) && empty( $return ) ) { $query = "SELECT * FROM users WHERE username=? AND password=PASSWORD( ? );"; - $bind_variables = array( $this->username, $this->password ); + $bind_variables = array( $username, $password ); $return = $sql->query( $query, $bind_variables, array() ); if( ! empty( $return ) ) { $query = "UPDATE users SET password=? WHERE username=?;"; - $bind_variables = array( $this->password, $this->username ); + $bind_variables = array( $password, $username ); $return = $sql->query( $query, $bind_variables, array() ); $query = "SELECT * FROM users WHERE username=? AND password=?;"; - $bind_variables = array( $this->username, $this->password ); + $bind_variables = array( $username, $password ); $return = $sql->query( $query, $bind_variables, array() ); } } @@ -247,17 +192,15 @@ class User { $pass = true; $token = mb_strtoupper( strval( bin2hex( openssl_random_pseudo_bytes( 16 ) ) ) ); $_SESSION['id'] = SESSION_ID; - $_SESSION['user'] = $this->username; + $_SESSION['user'] = $username; $_SESSION['user_id'] = $user["id"]; $_SESSION['token'] = $token; - $_SESSION['lang'] = $this->lang; - $_SESSION['theme'] = $this->theme; $_SESSION["login_session"] = true; $query = "UPDATE users SET token=? WHERE username=?;"; $bind_variables = array( sha1( $token ), $this->username ); $return = $sql->query( $query, $bind_variables, 0, 'rowCount' ); - $projects = $sql->query( "SELECT path FROM projects WHERE id = ?", array( $user["project"] ), array(), 'rowCount' ); + $projects = $sql->query( "SELECT path FROM projects WHERE id = ?", array( $user["project"] ), array() ); if( isset( $user['project'] ) && $user['project'] != '' && ! empty( $projects ) ) { @@ -265,16 +208,9 @@ class User { $_SESSION['project_id'] = $user['project']; } - $this->checkDuplicateSessions( $this->username ); - } - - if( $pass ) { - - echo formatJSEND( "success", array( "username" => $this->username ) ); - } else { - - echo formatJSEND( "error", "Incorrect Username or Password" ); + $this->checkDuplicateSessions( $username ); } + return $pass; } /** @@ -356,10 +292,9 @@ class User { // Create Account ////////////////////////////////////////////////////////////////// - public function Create() { + public function Create( $username, $password ) { - $this->EncryptPassword(); - $this->add_user(); + $this->add_user( $username, $password ); } ////////////////////////////////////////////////////////////////// @@ -375,9 +310,9 @@ class User { // Encrypt Password ////////////////////////////////////////////////////////////////// - private function EncryptPassword() { + private function encrypt_password( $password ) { - $this->password = sha1( md5( $this->password ) ); + return sha1( md5( $password ) ); } ////////////////////////////////////////////////////////////////// @@ -421,11 +356,11 @@ class User { } } - public function update_access() { + public function update_access( $username, $access ) { global $sql; $query = "UPDATE users SET access=? WHERE username=?;"; - $bind_variables = array( $this->access, $this->username ); + $bind_variables = array( $access, $username ); $return = $sql->query( $query, $bind_variables, 0, "rowCount" ); if( $return > 0 ) { @@ -433,7 +368,7 @@ class User { echo formatJSEND( "success", "Updated access for {$this->username}" ); } else { - echo formatJSEND( "error", "Error updating project" ); + echo formatJSEND( "error", "Error updating access" ); } } diff --git a/components/user/controller.php b/components/user/controller.php index 27c1cea..78618bd 100755 --- a/components/user/controller.php +++ b/components/user/controller.php @@ -36,22 +36,73 @@ if($_GET['action']=='authenticate') { die( formatJSEND( "error", "Missing username or password" ) ); } - $User->username = User::CleanUsername( $_POST['username'] ); - $User->password = $_POST['password']; + $username = User::CleanUsername( $_POST['username'] ); + $password = $User->encrypt_password( $_POST['password'] ); // check if the asked languages exist and is registered in languages/code.php require_once '../../languages/code.php'; if( isset( $languages[$_POST['language']] ) ) { - $User->lang = $_POST['language']; + $lang = $_POST['language']; } else { - $User->lang = 'en'; + $lang = 'en'; } // theme - $User->theme = $_POST['theme']; - $User->Authenticate(); + $theme = $_POST['theme']; + $permissions = array( + "755", + "0755" + ); + + if( ! is_dir( SESSIONS_PATH ) ) { + + mkdir( SESSIONS_PATH, 00755 ); + } + + $server_user = getmyuid(); + $sessions_permissions = substr( sprintf( '%o', fileperms( SESSIONS_PATH ) ), -4 ); + $sessions_owner = fileowner( SESSIONS_PATH ); + + if( is_array( $server_user ) ) { + + $server_user = $server_user["uid"]; + } + + if( ! ( $sessions_owner === $server_user ) ) { + + try { + + chown( SESSIONS_PATH, $server_user ); + } catch( Exception $e ) { + + exit( formatJSEND("error", "Error, incorrect owner of sessions folder. Expecting: $server_user, Recieved: " . $sessions_owner ) ); + } + } + + if( ! in_array( $sessions_permissions, $permissions ) ) { + + try { + + chmod( SESSIONS_PATH, 00755 ); + } catch( Exception $e ) { + + exit( formatJSEND("error", "Error, incorrect permissions on sessions folder. Expecting: 0755, Recieved: " . $sessions_permissions ) ); + } + } + + $pass = $User->Authenticate( $username, $password ); + + if( $pass ) { + + $_SESSION['lang'] = $lang; + $_SESSION['theme'] = $theme; + exit( formatJSEND( "success", array( "username" => $this->username ) ) ); + } else { + + exit( formatJSEND( "error", "Incorrect Username or Password" ) ); + } } ////////////////////////////////////////////////////////////////// @@ -86,9 +137,9 @@ if( $_GET['action'] == 'create' ) { exit( formatJSEND( "error", "Invalid characters in username" ) ); } - $User->username = User::CleanUsername( $_POST['username'] ); - $User->password = $_POST['password']; - $User->Create(); + $username = User::CleanUsername( $_POST['username'] ); + $password = $User->encrypt_password( $_POST['password'] ); + $User->Create( $username, $password ); } } @@ -174,7 +225,7 @@ if( $_GET['action'] == 'update_access' ) { checkSession(); - if( ! isset( $_GET['access'] ) || ! isset( $_GET['username'] ) ) { + if( ! isset( $_POST['access'] ) || ! isset( $_POST['user'] ) ) { die( formatJSEND( "error", "Could not update access." ) ); } @@ -184,7 +235,10 @@ if( $_GET['action'] == 'update_access' ) { die( formatJSEND( "error", "You do not have permission to update user's access." ) ); } - $User->username = $_GET["username"]; - $User->access = $_GET["access"]; - $User->update_access(); + if( ! in_array( $_POST["access"], array_keys( Permissions::SYSTEM_LEVELS ) ) ) { + + exit( formatJSEND( "error", "Invalid access level specified." ) ); + } + + $User->update_access( $_POST["user"], $_POST["access"] ); } diff --git a/components/user/dialog.php b/components/user/dialog.php index 296ed3f..25eda6d 100755 --- a/components/user/dialog.php +++ b/components/user/dialog.php @@ -72,10 +72,10 @@ switch($_GET['action']){