fix password related

This commit is contained in:
xiaomlove
2025-10-30 10:28:52 +07:00
parent f1cbb5c3da
commit 3d5e316275
7 changed files with 79 additions and 60 deletions
+1 -1
@@ -177,7 +177,7 @@ class UserRepository extends BaseRepository
throw new \InvalidArgumentException("password confirmation != password"); throw new \InvalidArgumentException("password confirmation != password");
} }
$user = User::query()->findOrFail($id, ['id', 'username', 'class']); $user = User::query()->findOrFail($id, ['id', 'username', 'class']);
$operator = Auth::user(); $operator = get_user_id();
if ($operator) { if ($operator) {
$this->checkPermission($operator, $user); $this->checkPermission($operator, $user);
} }
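Review bot: `$operator` is now the value of `get_user_id()` rather than the `Auth::user()` model, but `$this->checkPermission($operator, $user)` on the next line is unchanged, so unless checkPermission accepts an id its first argument has changed type; its signature is outside the hunk, so confirm it. The guard `if ($operator)` also means an empty or zero id skips the permission check entirely and the password reset proceeds unchecked; if that is deliberate for non-request contexts, say so on the guard: `// no operator (e.g. console): permission check intentionally skipped`. The enclosing method starts and ends outside the hunk.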
+1 -1
@@ -1,6 +1,6 @@
<?php <?php
defined('VERSION_NUMBER') || define('VERSION_NUMBER', '1.9.10'); defined('VERSION_NUMBER') || define('VERSION_NUMBER', '1.9.10');
defined('RELEASE_DATE') || define('RELEASE_DATE', '2025-10-29'); defined('RELEASE_DATE') || define('RELEASE_DATE', '2025-10-30');
defined('IN_TRACKER') || define('IN_TRACKER', false); defined('IN_TRACKER') || define('IN_TRACKER', false);
defined('PROJECTNAME') || define("PROJECTNAME","NexusPHP"); defined('PROJECTNAME') || define("PROJECTNAME","NexusPHP");
defined('NEXUSPHPURL') || define("NEXUSPHPURL","https://nexusphp.org"); defined('NEXUSPHPURL') || define("NEXUSPHPURL","https://nexusphp.org");
+45 -33
@@ -6,40 +6,52 @@ if (get_user_class() < UC_ADMINISTRATOR)
stderr("Error", "Access denied."); stderr("Error", "Access denied.");
if ($_SERVER["REQUEST_METHOD"] == "POST") if ($_SERVER["REQUEST_METHOD"] == "POST")
{ {
if ($_POST["username"] == "" || $_POST["password"] == "" || $_POST["email"] == "") // if ($_POST["username"] == "" || $_POST["password"] == "" || $_POST["email"] == "")
stderr("Error", "Missing form data."); // stderr("Error", "Missing form data.");
if ($_POST["password"] != $_POST["password2"]) // if ($_POST["password"] != $_POST["password2"])
stderr("Error", "Passwords mismatch."); // stderr("Error", "Passwords mismatch.");
$email = htmlspecialchars(trim($_POST["email"])); // $email = htmlspecialchars(trim($_POST["email"]));
$email = safe_email($email); // $email = safe_email($email);
if (!check_email($email)) // if (!check_email($email))
stderr("Error","Invalid email address!"); // stderr("Error","Invalid email address!");
//
$username = $_POST["username"]; // $username = $_POST["username"];
//
if (!validusername($username)) // if (!validusername($username))
stderr("Error","Invalid username."); // stderr("Error","Invalid username.");
$username = sqlesc($username); // $username = sqlesc($username);
$res = sql_query("SELECT id FROM users WHERE username=$username"); // $res = sql_query("SELECT id FROM users WHERE username=$username");
$arr = mysql_fetch_row($res); // $arr = mysql_fetch_row($res);
if ($arr) // if ($arr)
stderr("Error","Username already exists!"); // stderr("Error","Username already exists!");
$password = $_POST["password"]; // $password = $_POST["password"];
$email = sqlesc($_POST["email"]); // $email = sqlesc($_POST["email"]);
$res = sql_query("SELECT id FROM users WHERE email=$email"); // $res = sql_query("SELECT id FROM users WHERE email=$email");
$arr = mysql_fetch_row($res); // $arr = mysql_fetch_row($res);
if ($arr) // if ($arr)
stderr("Error","The e-mail address is already in use."); // stderr("Error","The e-mail address is already in use.");
$secret = mksecret(); // $secret = mksecret();
$passhash = sqlesc(md5($secret . $password . $secret)); // $passhash = sqlesc(md5($secret . $password . $secret));
$secret = sqlesc($secret); // $secret = sqlesc($secret);
//
// sql_query("INSERT INTO users (added, last_access, secret, username, passhash, status, stylesheet, class,email) VALUES(NOW(), NOW(), $secret, $username, $passhash, 'confirmed', ".$defcss.",".$defaultclass_class.",$email)") or sqlerr(__FILE__, __LINE__);
// $res = sql_query("SELECT id FROM users WHERE username=$username");
// $arr = mysql_fetch_row($res);
// if (!$arr)
// stderr("Error", "Unable to create the account. The user name is possibly already taken.");
sql_query("INSERT INTO users (added, last_access, secret, username, passhash, status, stylesheet, class,email) VALUES(NOW(), NOW(), $secret, $username, $passhash, 'confirmed', ".$defcss.",".$defaultclass_class.",$email)") or sqlerr(__FILE__, __LINE__); try {
$res = sql_query("SELECT id FROM users WHERE username=$username"); $userRep = new \App\Repositories\UserRepository();
$arr = mysql_fetch_row($res); $newUser = $userRep->store([
if (!$arr) 'username' => $_POST['username'],
stderr("Error", "Unable to create the account. The user name is possibly already taken."); 'email' => $_POST['email'],
header("Location: " . get_protocol_prefix() . "$BASEURL/userdetails.php?id=".htmlspecialchars($arr[0])); 'password' => $_POST['password'],
'password_confirmation' => $_POST['password2'],
]);
} catch (\Exception $e) {
stderr("ERROR", $e->getMessage());
}
header("Location: " . get_protocol_prefix() . "$BASEURL/userdetails.php?id=".htmlspecialchars($newUser->id));
die; die;
} }
stdhead("Add user"); stdhead("Add user");
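Review bot: The new `store()` call reads `$_POST['username']`, `$_POST['email']`, `$_POST['password']` and `$_POST['password2']` without the presence check the commit comments out, so a missing field now yields an undefined-key warning and hands `null` to the repository instead of the old "Missing form data" error. The catch handles only `\Exception` and shows `$e->getMessage()` verbatim, which surfaces whatever a database or framework exception says on the page; only a validation failure's message is safe to echo, and the UserRepository hunk shows it uses `\InvalidArgumentException` for that, so other failures should be logged and answered generically. The redirect on the last changed line assumes `stderr()` exits, otherwise `$newUser` is undefined. The commented-out legacy code here, and likewise in the modcp and staffpanel hunks, should be deleted rather than kept as comments since version control holds the history.
```php
try {
    $userRep = new \App\Repositories\UserRepository();
    $newUser = $userRep->store([
        'username' => $_POST['username'] ?? '',
        'email' => $_POST['email'] ?? '',
        'password' => $_POST['password'] ?? '',
        'password_confirmation' => $_POST['password2'] ?? '',
    ]);
} catch (\InvalidArgumentException $e) {
    // validation failure: the message is meant for the operator
    stderr("ERROR", $e->getMessage());
} catch (\Throwable $e) {
    // anything else: keep the detail in the server log, not on the page
    error_log("adduser failed: " . $e->getMessage());
    stderr("ERROR", "Unable to create the account.");
}
// … unchanged: redirect to userdetails.php using $newUser->id …
```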
+18 -18
@@ -218,23 +218,23 @@ if ($action == "edituser")
$userModifyLogs[] = "donor status changed by {$CURUSER['username']}. Current donor status: $donor"; $userModifyLogs[] = "donor status changed by {$CURUSER['username']}. Current donor status: $donor";
} }
} }
//migrate to management
if ($chpassword != "" AND $passagain != "") { // if ($chpassword != "" AND $passagain != "") {
unset($passupdate); // unset($passupdate);
$passupdate=false; // $passupdate=false;
//
if ($chpassword == $username OR strlen($chpassword) > 40 OR strlen($chpassword) < 6 OR $chpassword != $passagain) // if ($chpassword == $username OR strlen($chpassword) > 40 OR strlen($chpassword) < 6 OR $chpassword != $passagain)
$passupdate=false; // $passupdate=false;
else // else
$passupdate=true; // $passupdate=true;
} // }
//
if (isset($passupdate) && $passupdate) { // if (isset($passupdate) && $passupdate) {
$sec = mksecret(); // $sec = mksecret();
$passhash = md5($sec . $chpassword . $sec); // $passhash = md5($sec . $chpassword . $sec);
$updateset[] = "secret = " . sqlesc($sec); // $updateset[] = "secret = " . sqlesc($sec);
$updateset[] = "passhash = " . sqlesc($passhash); // $updateset[] = "passhash = " . sqlesc($passhash);
} // }
if ($curclass >= get_user_class()) if ($curclass >= get_user_class())
puke(); puke();
@@ -457,7 +457,7 @@ if ($action == "edituser")
$subject = nexus_trans("user.msg_download_rights_removed", [], $locale); $subject = nexus_trans("user.msg_download_rights_removed", [], $locale);
$msg = nexus_trans("user.msg_your_download_rights_removed", [], $locale) . $CURUSER['username'] . nexus_trans("user.msg_probably_reason_three", [], $locale); $msg = nexus_trans("user.msg_your_download_rights_removed", [], $locale) . $CURUSER['username'] . nexus_trans("user.msg_probably_reason_three", [], $locale);
$added = sqlesc(date("Y-m-d H:i:s")); $added = sqlesc(date("Y-m-d H:i:s"));
\App\Models\Message::add([ \App\Models\Message::add([
'sender' => 0, 'sender' => 0,
'receiver' => $userid, 'receiver' => $userid,
+9 -4
@@ -23,6 +23,9 @@ if ($_SERVER["REQUEST_METHOD"] == "POST")
$res = sql_query("SELECT * FROM users WHERE username=" . sqlesc($username) . " ") or sqlerr(); $res = sql_query("SELECT * FROM users WHERE username=" . sqlesc($username) . " ") or sqlerr();
$arr = mysql_fetch_assoc($res); $arr = mysql_fetch_assoc($res);
if (empty($arr)) {
stderr("Error","Sorry, that username doesn't exist.");
}
if (get_user_class() <= $arr['class']) { if (get_user_class() <= $arr['class']) {
$log = "Password Reset For $username by {$CURUSER['username']} denied: operator class => " . get_user_class() . " is not greater than target user => {$arr['class']}"; $log = "Password Reset For $username by {$CURUSER['username']} denied: operator class => " . get_user_class() . " is not greater than target user => {$arr['class']}";
write_log($log); write_log($log);
@@ -31,10 +34,12 @@ if (get_user_class() <= $arr['class']) {
} }
$id = $arr['id']; $id = $arr['id'];
$wantpassword=$newpassword; //$wantpassword=$newpassword;
$secret = mksecret(); //$secret = mksecret();
$wantpasshash = md5($secret . $wantpassword . $secret); //$wantpasshash = md5($secret . $wantpassword . $secret);
sql_query("UPDATE users SET passhash=".sqlesc($wantpasshash).", secret= ".sqlesc($secret)." where id=$id"); //sql_query("UPDATE users SET passhash=".sqlesc($wantpasshash).", secret= ".sqlesc($secret)." where id=$id");
$userRep = new \App\Repositories\UserRepository();
$userRep->resetPassword($id, $newpassword, $newpasswordagain);
write_log("Password Reset For $username by {$CURUSER['username']}"); write_log("Password Reset For $username by {$CURUSER['username']}");
if (mysql_affected_rows() != 1) if (mysql_affected_rows() != 1)
stderr("Error", "Unable to RESET PASSWORD on this account."); stderr("Error", "Unable to RESET PASSWORD on this account.");
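Review bot: `if (mysql_affected_rows() != 1)` on the last two lines still inspects the legacy connection, but the UPDATE now happens inside `resetPassword()` (presumably through the repository's own connection), so the check at best reflects the earlier SELECT and can either report a spurious "Unable to RESET PASSWORD" or miss a real failure. `resetPassword()` throws `\InvalidArgumentException` on a confirmation mismatch (see the UserRepository hunk) and nothing here catches it, unlike the adduser hunk, so the operator sees an uncaught exception instead of `stderr`. The success entry from `write_log` is also written before the outcome is known. `$newpasswordagain` is not visible in the hunk; confirm it is read from the form.
```php
$userRep = new \App\Repositories\UserRepository();
try {
    $userRep->resetPassword($id, $newpassword, $newpasswordagain);
} catch (\InvalidArgumentException $e) {
    stderr("Error", $e->getMessage());
}
write_log("Password Reset For $username by {$CURUSER['username']}");
// … removed: mysql_affected_rows() check, which no longer observes the UPDATE …
```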
+3 -1
@@ -790,8 +790,10 @@ tr_small($lang_usercp['row_funbox'],"<input type=checkbox name=showfb".($CURUSER
$passhash = hash('sha256', $sec . $chpassword); $passhash = hash('sha256', $sec . $chpassword);
$updateset[] = "secret = " . sqlesc($sec); $updateset[] = "secret = " . sqlesc($sec);
$updateset[] = "passhash = " . sqlesc($passhash); $updateset[] = "passhash = " . sqlesc($passhash);
$authKey = mksecret();
$updateset[] = "auth_key = " . sqlesc($authKey);
logincookie($CURUSER["id"], $userInfo->auth_key); logincookie($CURUSER["id"], $authKey);
$passupdated = 1; $passupdated = 1;
} }
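Review bot: `logincookie($CURUSER["id"], $authKey)` is issued before `$updateset` is written back, so if the UPDATE that consumes `$updateset` (outside this hunk) fails, the browser holds an auth_key the database never received and the session breaks; consider moving the cookie call after the update succeeds, or mark the assumption on that line: `// cookie carries the new auth_key; the UPDATE below must succeed or the session is invalid`. Rotating auth_key alongside the password is the right move if, as it appears, it presumably invalidates other logged-in sessions. The enclosing block starts and ends outside the hunk.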
+2 -2
@@ -619,8 +619,8 @@ JS;
tr($lang_userdetails['row_change_email'], "<input type=\"text\" size=\"80\" name=\"email\" value=\"" . htmlspecialchars($user['email']) . "\" />", 1); tr($lang_userdetails['row_change_email'], "<input type=\"text\" size=\"80\" name=\"email\" value=\"" . htmlspecialchars($user['email']) . "\" />", 1);
} }
tr($lang_userdetails['row_change_password'], "<input type=\"password\" name=\"chpassword\" size=\"50\" />", 1); tr($lang_userdetails['row_change_password'], "<input disabled type=\"password\" name=\"chpassword\" size=\"50\" />".$migratedHelp, 1);
tr($lang_userdetails['row_repeat_password'], "<input type=\"password\" name=\"passagain\" size=\"50\" />", 1); tr($lang_userdetails['row_repeat_password'], "<input disabled type=\"password\" name=\"passagain\" size=\"50\" />".$migratedHelp, 1);
if (user_can('cruprfmanage')) if (user_can('cruprfmanage'))
{ {
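Review bot: `$migratedHelp` is concatenated into the markup on both changed lines but is not defined within the hunk; confirm it is set earlier in the file and holds only trusted, already-escaped HTML, since `tr()` appears to print its second argument raw. A short comment where it is defined, e.g. `// static help text, no user input`, would make that explicit.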