From 127a868e4033a66c03ba18128697a8702cc484e7 Mon Sep 17 00:00:00 2001
From: Andrew Dolgov <noreply@fakecake.org>
Date: Mon, 1 Mar 2021 19:03:21 +0300
Subject: [PATCH] userhelper: use orm for some things
---
classes/pref/users.php | 39 ++++++------
classes/userhelper.php | 131 +++++++++++++++++++++--------------------
2 files changed, 88 insertions(+), 82 deletions(-)
diff --git a/classes/pref/users.php b/classes/pref/users.php
index bf95886ad..ff9bf1712 100644
--- a/classes/pref/users.php
+++ b/classes/pref/users.php
@@ -1,24 +1,21 @@
<?php
class Pref_Users extends Handler_Administrative {
function csrf_ignore($method) {
- $csrf_ignored = array("index");
-
- return array_search($method, $csrf_ignored) !== false;
+ return $method == "index";
}
function edit() {
- global $access_level_names;
-
- $id = (int)clean($_REQUEST["id"]);
+ $user = ORM::for_table('ttrss_users')
+ ->find_one((int)$_REQUEST["id"])
+ ->as_array();
- $sth = $this->pdo->prepare("SELECT id, login, access_level, email FROM ttrss_users WHERE id = ?");
- $sth->execute([$id]);
+ global $access_level_names;
- if ($user = $sth->fetch(PDO::FETCH_ASSOC)) {
+ if ($user) {
print json_encode([
- "user" => $user,
- "access_level_names" => $access_level_names
- ]);
+ "user" => $user,
+ "access_level_names" => $access_level_names
+ ]);
}
}
@@ -124,7 +121,7 @@ class Pref_Users extends Handler_Administrative {
}
if ($password) {
- UserHelper::reset_password($uid, false, $password);
+ UserHelper::reset_password($id, false, $password);
}
}
@@ -149,16 +146,22 @@ class Pref_Users extends Handler_Administrative {
$login = clean($_REQUEST["login"]);
$tmp_user_pwd = make_password();
$salt = UserHelper::get_salt();
- $pwd_hash = UserHelper::hash_password($tmp_user_pwd, $salt, UserHelper::HASH_ALGOS[0]);
if (!$login) return; // no blank usernames
if (!UserHelper::find_user_by_login($login)) {
- $sth = $this->pdo->prepare("INSERT INTO ttrss_users
- (login,pwd_hash,access_level,last_login,created, salt)
- VALUES (LOWER(?), ?, 0, null, NOW(), ?)");
- $sth->execute([$login, $pwd_hash, $salt]);
+ $user = ORM::for_table('ttrss_users')->create();
+
+ $tmp_user_pwd = make_password();
+ $salt = UserHelper::get_salt();
+
+ $user->login = $login;
+ $user->pwd_hash = UserHelper::hash_password($tmp_user_pwd, $salt);
+ $user->access_level = 0;
+ $user->salt = $salt;
+ $user->created = 'NOW()';
+ $user->save();
if ($new_uid = UserHelper::find_user_by_login($login)) {
diff --git a/classes/userhelper.php b/classes/userhelper.php
index e3f39a7f8..84dc71383 100644
--- a/classes/userhelper.php
+++ b/classes/userhelper.php
@@ -39,27 +39,25 @@ class UserHelper {
session_regenerate_id(true);
- $_SESSION["uid"] = $user_id;
- $_SESSION["auth_module"] = $auth_module;
-
- $pdo = Db::pdo();
- $sth = $pdo->prepare("SELECT login,access_level,pwd_hash FROM ttrss_users
- WHERE id = ?");
- $sth->execute([$user_id]);
- $row = $sth->fetch();
-
- $_SESSION["name"] = $row["login"];
- $_SESSION["access_level"] = $row["access_level"];
- $_SESSION["csrf_token"] = bin2hex(get_random_bytes(16));
-
- $usth = $pdo->prepare("UPDATE ttrss_users SET last_login = NOW() WHERE id = ?");
- $usth->execute([$user_id]);
-
- $_SESSION["ip_address"] = UserHelper::get_user_ip();
- $_SESSION["user_agent"] = sha1($_SERVER['HTTP_USER_AGENT']);
- $_SESSION["pwd_hash"] = $row["pwd_hash"];
+ $user = ORM::for_table('ttrss_users')->find_one($user_id);
+
+ if ($user) {
+ $_SESSION["uid"] = $user_id;
+ $_SESSION["auth_module"] = $auth_module;
+ $_SESSION["name"] = $user->login;
+ $_SESSION["access_level"] = $user->access_level;
+ $_SESSION["csrf_token"] = bin2hex(get_random_bytes(16));
+ $_SESSION["ip_address"] = UserHelper::get_user_ip();
+ $_SESSION["user_agent"] = sha1($_SERVER['HTTP_USER_AGENT']);
+ $_SESSION["pwd_hash"] = $user->pwd_hash;
+
+ $user->last_login = 'NOW()';
+ $user->save();
+
+ return true;
+ }
- return true;
+ return false;
}
if ($login && $password && !$user_id && !$check_only)
@@ -167,30 +165,24 @@ class UserHelper {
}
static function get_login_by_id(int $id) {
- $pdo = Db::pdo();
-
- $sth = $pdo->prepare("SELECT login FROM ttrss_users WHERE id = ?");
- $sth->execute([$id]);
+ $user = ORM::for_table('ttrss_users')
+ ->find_one($id);
- if ($row = $sth->fetch()) {
- return $row["login"];
- }
-
- return null;
+ if ($user)
+ return $user->login;
+ else
+ return null;
}
static function find_user_by_login(string $login) {
- $pdo = Db::pdo();
-
- $sth = $pdo->prepare("SELECT id FROM ttrss_users WHERE
- LOWER(login) = LOWER(?)");
- $sth->execute([$login]);
-
- if ($row = $sth->fetch()) {
- return $row["id"];
- }
+ $user = ORM::for_table('ttrss_users')
+ ->where('login', $login)
+ ->find_one();
- return null;
+ if ($user)
+ return $user->id;
+ else
+ return null;
}
static function logout() {
@@ -224,12 +216,17 @@ class UserHelper {
$pwd_hash = self::hash_password($tmp_user_pwd, $new_salt, self::HASH_ALGOS[0]);
- $sth = $pdo->prepare("UPDATE ttrss_users
- SET pwd_hash = ?, salt = ?, otp_enabled = false
- WHERE id = ?");
- $sth->execute([$pwd_hash, $new_salt, $uid]);
+ $user = ORM::for_table('ttrss_users')->find_one($uid);
+
+ if ($user) {
+ $user->pwd_hash = $pwd_hash;
+ $user->salt = $new_salt;
+ $user->save();
- $message = T_sprintf("Changed password of user %s to %s", "<strong>$login</strong>", "<strong>$tmp_user_pwd</strong>");
+ $message = T_sprintf("Changed password of user %s to %s", "<strong>$login</strong>", "<strong>$tmp_user_pwd</strong>");
+ } else {
+ $message = T_sprintf("User not found: %s", $login);
+ }
if ($format_output)
print_notice($message);
@@ -246,10 +243,16 @@ class UserHelper {
}
static function disable_otp(int $owner_uid) : bool {
- $sth = Db::pdo()->prepare("UPDATE ttrss_users SET otp_enabled = false WHERE id = ?");
- $sth->execute([$owner_uid]);
+ $user = ORM::for_table('ttrss_users')->find_one($owner_uid);
- return true;
+ if ($user) {
+ $user->otp_enabled = false;
+ $user->save();
+
+ return true;
+ } else {
+ return false;
+ }
}
static function enable_otp(int $owner_uid, int $otp_check) : bool {
@@ -257,12 +260,12 @@ class UserHelper {
if ($secret) {
$otp = TOTP::create($secret);
+ $user = ORM::for_table('ttrss_users')->find_one($owner_uid);
- if ($otp->now() == $otp_check) {
- $sth = Db::pdo()->prepare("UPDATE ttrss_users
- SET otp_enabled = true WHERE id = ?");
+ if ($otp->now() == $otp_check && $user) {
- $sth->execute([$owner_uid]);
+ $user->otp_enabled = true;
+ $user->save();
return true;
}
@@ -272,24 +275,21 @@ class UserHelper {
static function is_otp_enabled(int $owner_uid) : bool {
- $sth = Db::pdo()->prepare("SELECT otp_enabled FROM ttrss_users WHERE id = ?");
- $sth->execute([$owner_uid]);
+ $user = ORM::for_table('ttrss_users')->find_one($owner_uid);
- if ($row = $sth->fetch()) {
- return sql_bool_to_bool($row["otp_enabled"]);
+ if ($user) {
+ return $user->otp_enabled;
+ } else {
+ return false;
}
-
- return false;
}
static function get_otp_secret(int $owner_uid, bool $show_if_enabled = false) {
- $sth = Db::pdo()->prepare("SELECT salt, otp_enabled FROM ttrss_users WHERE id = ?");
- $sth->execute([$owner_uid]);
+ $user = ORM::for_table('ttrss_users')->find_one($owner_uid);
- if ($row = $sth->fetch()) {
- if (!sql_bool_to_bool($row["otp_enabled"]) || $show_if_enabled) {
- return \ParagonIE\ConstantTime\Base32::encodeUpperUnpadded(mb_substr(sha1($row["salt"]), 0, 12));
- }
+ if ($user) {
+ if (!$user->otp_enabled || $show_if_enabled)
+ return \ParagonIE\ConstantTime\Base32::encodeUpperUnpadded(mb_substr(sha1($user->salt), 0, 12));
}
return null;
@@ -307,7 +307,10 @@ class UserHelper {
return false;
}
- static function hash_password(string $pass, string $salt, string $algo) {
+ static function hash_password(string $pass, string $salt, string $algo = "") {
+
+ if (!$algo) $algo = self::HASH_ALGOS[0];
+
$pass_hash = "";
switch ($algo) {
--
GitLab