fix password related
@@ -177,7 +177,7 @@ class UserRepository extends BaseRepository
|
||||
throw new \InvalidArgumentException("password confirmation != password");
|
||||
}
|
||||
$user = User::query()->findOrFail($id, ['id', 'username', 'class']);
|
||||
$operator = Auth::user();
|
||||
$operator = get_user_id();
|
||||
if ($operator) {
|
||||
$this->checkPermission($operator, $user);
|
||||
}
|
||||
|
||||
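Review bot: `if ($operator)` turns the authorization check into an optional step: when `get_user_id()` yields a falsy value the `checkPermission()` call is skipped and the operation continues with no operator check at all, whereas a repository method that changes passwords should fail closed, e.g. `$operator = get_user_id() ?: throw new \InvalidArgumentException("operator required");`. If some callers are deliberately unauthenticated (a console command, say), that should be stated in a comment on the `if` rather than left implicit. Note also that the replaced line passed the `Auth::user()` model while the new one passes an id (assuming `get_user_id()` is the added side, as the legacy callers in this commit suggest), so `checkPermission()` must accept an id. The enclosing method starts and ends outside the hunk.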
@@ -1,6 +1,6 @@
|
||||
<?php
|
||||
defined('VERSION_NUMBER') || define('VERSION_NUMBER', '1.9.10');
|
||||
defined('RELEASE_DATE') || define('RELEASE_DATE', '2025-10-29');
|
||||
defined('RELEASE_DATE') || define('RELEASE_DATE', '2025-10-30');
|
||||
defined('IN_TRACKER') || define('IN_TRACKER', false);
|
||||
defined('PROJECTNAME') || define("PROJECTNAME","NexusPHP");
|
||||
defined('NEXUSPHPURL') || define("NEXUSPHPURL","https://nexusphp.org");
|
||||
|
||||
@@ -6,40 +6,52 @@ if (get_user_class() < UC_ADMINISTRATOR)
|
||||
stderr("Error", "Access denied.");
|
||||
if ($_SERVER["REQUEST_METHOD"] == "POST")
|
||||
{
|
||||
if ($_POST["username"] == "" || $_POST["password"] == "" || $_POST["email"] == "")
|
||||
stderr("Error", "Missing form data.");
|
||||
if ($_POST["password"] != $_POST["password2"])
|
||||
stderr("Error", "Passwords mismatch.");
|
||||
$email = htmlspecialchars(trim($_POST["email"]));
|
||||
$email = safe_email($email);
|
||||
if (!check_email($email))
|
||||
stderr("Error","Invalid email address!");
|
||||
|
||||
$username = $_POST["username"];
|
||||
|
||||
if (!validusername($username))
|
||||
stderr("Error","Invalid username.");
|
||||
$username = sqlesc($username);
|
||||
$res = sql_query("SELECT id FROM users WHERE username=$username");
|
||||
$arr = mysql_fetch_row($res);
|
||||
if ($arr)
|
||||
stderr("Error","Username already exists!");
|
||||
$password = $_POST["password"];
|
||||
$email = sqlesc($_POST["email"]);
|
||||
$res = sql_query("SELECT id FROM users WHERE email=$email");
|
||||
$arr = mysql_fetch_row($res);
|
||||
if ($arr)
|
||||
stderr("Error","The e-mail address is already in use.");
|
||||
$secret = mksecret();
|
||||
$passhash = sqlesc(md5($secret . $password . $secret));
|
||||
$secret = sqlesc($secret);
|
||||
// if ($_POST["username"] == "" || $_POST["password"] == "" || $_POST["email"] == "")
|
||||
// stderr("Error", "Missing form data.");
|
||||
// if ($_POST["password"] != $_POST["password2"])
|
||||
// stderr("Error", "Passwords mismatch.");
|
||||
// $email = htmlspecialchars(trim($_POST["email"]));
|
||||
// $email = safe_email($email);
|
||||
// if (!check_email($email))
|
||||
// stderr("Error","Invalid email address!");
|
||||
//
|
||||
// $username = $_POST["username"];
|
||||
//
|
||||
// if (!validusername($username))
|
||||
// stderr("Error","Invalid username.");
|
||||
// $username = sqlesc($username);
|
||||
// $res = sql_query("SELECT id FROM users WHERE username=$username");
|
||||
// $arr = mysql_fetch_row($res);
|
||||
// if ($arr)
|
||||
// stderr("Error","Username already exists!");
|
||||
// $password = $_POST["password"];
|
||||
// $email = sqlesc($_POST["email"]);
|
||||
// $res = sql_query("SELECT id FROM users WHERE email=$email");
|
||||
// $arr = mysql_fetch_row($res);
|
||||
// if ($arr)
|
||||
// stderr("Error","The e-mail address is already in use.");
|
||||
// $secret = mksecret();
|
||||
// $passhash = sqlesc(md5($secret . $password . $secret));
|
||||
// $secret = sqlesc($secret);
|
||||
//
|
||||
// sql_query("INSERT INTO users (added, last_access, secret, username, passhash, status, stylesheet, class,email) VALUES(NOW(), NOW(), $secret, $username, $passhash, 'confirmed', ".$defcss.",".$defaultclass_class.",$email)") or sqlerr(__FILE__, __LINE__);
|
||||
// $res = sql_query("SELECT id FROM users WHERE username=$username");
|
||||
// $arr = mysql_fetch_row($res);
|
||||
// if (!$arr)
|
||||
// stderr("Error", "Unable to create the account. The user name is possibly already taken.");
|
||||
|
||||
sql_query("INSERT INTO users (added, last_access, secret, username, passhash, status, stylesheet, class,email) VALUES(NOW(), NOW(), $secret, $username, $passhash, 'confirmed', ".$defcss.",".$defaultclass_class.",$email)") or sqlerr(__FILE__, __LINE__);
|
||||
$res = sql_query("SELECT id FROM users WHERE username=$username");
|
||||
$arr = mysql_fetch_row($res);
|
||||
if (!$arr)
|
||||
stderr("Error", "Unable to create the account. The user name is possibly already taken.");
|
||||
header("Location: " . get_protocol_prefix() . "$BASEURL/userdetails.php?id=".htmlspecialchars($arr[0]));
|
||||
try {
|
||||
$userRep = new \App\Repositories\UserRepository();
|
||||
$newUser = $userRep->store([
|
||||
'username' => $_POST['username'],
|
||||
'email' => $_POST['email'],
|
||||
'password' => $_POST['password'],
|
||||
'password_confirmation' => $_POST['password2'],
|
||||
]);
|
||||
} catch (\Exception $e) {
|
||||
stderr("ERROR", $e->getMessage());
|
||||
}
|
||||
header("Location: " . get_protocol_prefix() . "$BASEURL/userdetails.php?id=".htmlspecialchars($newUser->id));
|
||||
die;
|
||||
}
|
||||
stdhead("Add user");
|
||||
|
||||
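Review bot: After the `catch (\Exception $e)` block, control reaches the `header("Location: ..." . htmlspecialchars($newUser->id))` line with `$newUser` never assigned unless `stderr()` terminates the request; if it does, an explicit `exit;` after the `stderr()` call makes that dependency visible, and if it does not, the redirect runs with an undefined variable. The thirty-odd commented-out lines of the old inline validation and `md5($secret . $password . $secret)` insert should be deleted rather than kept: version control preserves them, and leaving the legacy hashing scheme in the file as a copy-paste source is what this migration is moving away from; the same applies to the `//migrate to management` block in the edituser hunk at line 218 and the commented `UPDATE users SET passhash=` lines in the reset-password hunk at line 31. The checks removed from this file (empty fields, confirmation, email validity, duplicate username and email) are presumably now performed inside `UserRepository::store()`; it is worth confirming that the duplicate-email check survived the move.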
@@ -218,23 +218,23 @@ if ($action == "edituser")
|
||||
$userModifyLogs[] = "donor status changed by {$CURUSER['username']}. Current donor status: $donor";
|
||||
}
|
||||
}
|
||||
|
||||
if ($chpassword != "" AND $passagain != "") {
|
||||
unset($passupdate);
|
||||
$passupdate=false;
|
||||
|
||||
if ($chpassword == $username OR strlen($chpassword) > 40 OR strlen($chpassword) < 6 OR $chpassword != $passagain)
|
||||
$passupdate=false;
|
||||
else
|
||||
$passupdate=true;
|
||||
}
|
||||
|
||||
if (isset($passupdate) && $passupdate) {
|
||||
$sec = mksecret();
|
||||
$passhash = md5($sec . $chpassword . $sec);
|
||||
$updateset[] = "secret = " . sqlesc($sec);
|
||||
$updateset[] = "passhash = " . sqlesc($passhash);
|
||||
}
|
||||
//migrate to management
|
||||
// if ($chpassword != "" AND $passagain != "") {
|
||||
// unset($passupdate);
|
||||
// $passupdate=false;
|
||||
//
|
||||
// if ($chpassword == $username OR strlen($chpassword) > 40 OR strlen($chpassword) < 6 OR $chpassword != $passagain)
|
||||
// $passupdate=false;
|
||||
// else
|
||||
// $passupdate=true;
|
||||
// }
|
||||
//
|
||||
// if (isset($passupdate) && $passupdate) {
|
||||
// $sec = mksecret();
|
||||
// $passhash = md5($sec . $chpassword . $sec);
|
||||
// $updateset[] = "secret = " . sqlesc($sec);
|
||||
// $updateset[] = "passhash = " . sqlesc($passhash);
|
||||
// }
|
||||
|
||||
if ($curclass >= get_user_class())
|
||||
puke();
|
||||
@@ -457,7 +457,7 @@ if ($action == "edituser")
|
||||
$subject = nexus_trans("user.msg_download_rights_removed", [], $locale);
|
||||
$msg = nexus_trans("user.msg_your_download_rights_removed", [], $locale) . $CURUSER['username'] . nexus_trans("user.msg_probably_reason_three", [], $locale);
|
||||
$added = sqlesc(date("Y-m-d H:i:s"));
|
||||
|
||||
|
||||
\App\Models\Message::add([
|
||||
'sender' => 0,
|
||||
'receiver' => $userid,
|
||||
|
||||
@@ -23,6 +23,9 @@ if ($_SERVER["REQUEST_METHOD"] == "POST")
|
||||
|
||||
$res = sql_query("SELECT * FROM users WHERE username=" . sqlesc($username) . " ") or sqlerr();
|
||||
$arr = mysql_fetch_assoc($res);
|
||||
if (empty($arr)) {
|
||||
stderr("Error","Sorry, that username doesn't exist.");
|
||||
}
|
||||
if (get_user_class() <= $arr['class']) {
|
||||
$log = "Password Reset For $username by {$CURUSER['username']} denied: operator class => " . get_user_class() . " is not greater than target user => {$arr['class']}";
|
||||
write_log($log);
|
||||
@@ -31,10 +34,12 @@ if (get_user_class() <= $arr['class']) {
|
||||
}
|
||||
|
||||
$id = $arr['id'];
|
||||
$wantpassword=$newpassword;
|
||||
$secret = mksecret();
|
||||
$wantpasshash = md5($secret . $wantpassword . $secret);
|
||||
sql_query("UPDATE users SET passhash=".sqlesc($wantpasshash).", secret= ".sqlesc($secret)." where id=$id");
|
||||
//$wantpassword=$newpassword;
|
||||
//$secret = mksecret();
|
||||
//$wantpasshash = md5($secret . $wantpassword . $secret);
|
||||
//sql_query("UPDATE users SET passhash=".sqlesc($wantpasshash).", secret= ".sqlesc($secret)." where id=$id");
|
||||
$userRep = new \App\Repositories\UserRepository();
|
||||
$userRep->resetPassword($id, $newpassword, $newpasswordagain);
|
||||
write_log("Password Reset For $username by {$CURUSER['username']}");
|
||||
if (mysql_affected_rows() != 1)
|
||||
stderr("Error", "Unable to RESET PASSWORD on this account.");
|
||||
|
||||
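Review bot: The `mysql_affected_rows() != 1` check after the new `resetPassword()` call no longer observes the password write: the UPDATE used to go through `sql_query`, but the repository presumably performs it through Eloquent on its own connection, so the check now reports whatever the last legacy query did and will pass or fail independently of the reset. The repository also throws `\InvalidArgumentException` when the confirmation does not match (visible in the first hunk), and unlike adduser.php this call is not wrapped in try/catch, so a mismatch surfaces as an unhandled exception instead of an error page, while the success `write_log` line is reached before any failure is detected. I would wrap the call as adduser.php does, drop the affected-rows check, and log only after the call returns.
```php
try {
    $userRep = new \App\Repositories\UserRepository();
    $userRep->resetPassword($id, $newpassword, $newpasswordagain);
} catch (\Exception $e) {
    stderr("Error", "Unable to RESET PASSWORD on this account: " . $e->getMessage());
}
// reached only if resetPassword() returned without throwing
write_log("Password Reset For $username by {$CURUSER['username']}");
```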
@@ -790,8 +790,10 @@ tr_small($lang_usercp['row_funbox'],"<input type=checkbox name=showfb".($CURUSER
|
||||
$passhash = hash('sha256', $sec . $chpassword);
|
||||
$updateset[] = "secret = " . sqlesc($sec);
|
||||
$updateset[] = "passhash = " . sqlesc($passhash);
|
||||
$authKey = mksecret();
|
||||
$updateset[] = "auth_key = " . sqlesc($authKey);
|
||||
|
||||
logincookie($CURUSER["id"], $userInfo->auth_key);
|
||||
logincookie($CURUSER["id"], $authKey);
|
||||
$passupdated = 1;
|
||||
}
|
||||
|
||||
|
||||
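Review bot: `logincookie($CURUSER["id"], $authKey)` issues the new key before the `$updateset` entries are persisted (the UPDATE is outside this hunk, presumably later in the request), so a failed write leaves the browser holding a cookie whose key is not in the database; consider issuing the cookie only after that update succeeds. A short comment would help readers: `// rotate auth_key so sessions bound to the old key are invalidated`. Separately, the context line `hash('sha256', $sec . $chpassword)` is a fast hash rather than a password KDF; it is not part of this change, but `password_hash()` is the better choice when this path is next touched. The enclosing block starts before the hunk.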
@@ -619,8 +619,8 @@ JS;
|
||||
tr($lang_userdetails['row_change_email'], "<input type=\"text\" size=\"80\" name=\"email\" value=\"" . htmlspecialchars($user['email']) . "\" />", 1);
|
||||
}
|
||||
|
||||
tr($lang_userdetails['row_change_password'], "<input type=\"password\" name=\"chpassword\" size=\"50\" />", 1);
|
||||
tr($lang_userdetails['row_repeat_password'], "<input type=\"password\" name=\"passagain\" size=\"50\" />", 1);
|
||||
tr($lang_userdetails['row_change_password'], "<input disabled type=\"password\" name=\"chpassword\" size=\"50\" />".$migratedHelp, 1);
|
||||
tr($lang_userdetails['row_repeat_password'], "<input disabled type=\"password\" name=\"passagain\" size=\"50\" />".$migratedHelp, 1);
|
||||
|
||||
if (user_can('cruprfmanage'))
|
||||
{
|
||||
|
||||
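Review bot: The two `disabled` inputs carry no explanation of why the fields are read-only; since the server-side handler for `chpassword`/`passagain` was removed in the staffpanel hunk, a comment above the `tr()` lines such as `// password changes are handled in the management backend; the legacy handler was removed` ties the UI to that decision. `$migratedHelp` is built outside the hunk; if it ever contains user- or admin-supplied text it must be HTML-escaped before being concatenated into the cell, which cannot be verified from here.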