aboutsummaryrefslogtreecommitdiffhomepage
path: root/main/app/sprinkles/admin/src/Controller/UserController.php
diff options
context:
space:
mode:
Diffstat (limited to 'main/app/sprinkles/admin/src/Controller/UserController.php')
-rw-r--r--main/app/sprinkles/admin/src/Controller/UserController.php3032
1 files changed, 1516 insertions, 1516 deletions
diff --git a/main/app/sprinkles/admin/src/Controller/UserController.php b/main/app/sprinkles/admin/src/Controller/UserController.php
index 45f9919..d66f2f1 100644
--- a/main/app/sprinkles/admin/src/Controller/UserController.php
+++ b/main/app/sprinkles/admin/src/Controller/UserController.php
@@ -1,1516 +1,1516 @@
-<?php
-/**
- * UserFrosting (http://www.userfrosting.com)
- *
- * @link https://github.com/userfrosting/UserFrosting
- * @license https://github.com/userfrosting/UserFrosting/blob/master/licenses/UserFrosting.md (MIT License)
- */
-
-namespace UserFrosting\Sprinkle\Admin\Controller;
-
-use Carbon\Carbon;
-use Illuminate\Database\Schema\Blueprint;
-use Illuminate\Database\Capsule\Manager as Capsule;
-use Psr\Http\Message\ResponseInterface as Response;
-use Psr\Http\Message\ServerRequestInterface as Request;
-use Slim\Exception\NotFoundException;
-use UserFrosting\Fortress\RequestDataTransformer;
-use UserFrosting\Fortress\RequestSchema;
-use UserFrosting\Fortress\ServerSideValidator;
-use UserFrosting\Fortress\Adapter\JqueryValidationAdapter;
-use UserFrosting\Sprinkle\Account\Database\Models\Group;
-use UserFrosting\Sprinkle\Account\Database\Models\User;
-use UserFrosting\Sprinkle\Account\Facades\Password;
-use UserFrosting\Sprinkle\Core\Controller\SimpleController;
-use UserFrosting\Sprinkle\Core\Facades\Debug;
-use UserFrosting\Sprinkle\Core\Mail\EmailRecipient;
-use UserFrosting\Sprinkle\Core\Mail\TwigMailMessage;
-use UserFrosting\Support\Exception\BadRequestException;
-use UserFrosting\Support\Exception\ForbiddenException;
-use UserFrosting\Support\Exception\HttpException;
-
-/**
- * Controller class for user-related requests, including listing users, CRUD for users, etc.
- *
- * @author Alex Weissman (https://alexanderweissman.com)
- */
-class UserController extends SimpleController
-{
- /**
- * Processes the request to create a new user (from the admin controls).
- *
- * Processes the request from the user creation form, checking that:
- * 1. The username and email are not already in use;
- * 2. The logged-in user has the necessary permissions to update the posted field(s);
- * 3. The submitted data is valid.
- * This route requires authentication.
- * Request type: POST
- * @see getModalCreate
- * @throws ForbiddenException
- * @throws BadRequestException
- * @throws ForbiddenException
- */
- public function create($request, $response, $args) {
- // Get POST parameters: user_name, first_name, last_name, email, locale, (group)
- $params = $request->getParsedBody();
-
- /** @var UserFrosting\Sprinkle\Account\Authorize\AuthorizationManager $authorizer */
- $authorizer = $this->ci->authorizer;
-
- /** @var UserFrosting\Sprinkle\Account\Database\Models\User $currentUser */
- $currentUser = $this->ci->currentUser;
-
- // Access-controlled page
- if (!$authorizer->checkAccess($currentUser, 'create_user')) {
- throw new ForbiddenException();
- }
-
- /** @var UserFrosting\Sprinkle\Core\MessageStream $ms */
- $ms = $this->ci->alerts;
-
- // Load the request schema
- $schema = new RequestSchema('schema://requests/user/create.yaml');
-
- // Whitelist and set parameter defaults
- $transformer = new RequestDataTransformer($schema);
- $data = $transformer->transform($params);
-
- $error = FALSE;
-
- // Validate request data
- $validator = new ServerSideValidator($schema, $this->ci->translator);
- if (!$validator->validate($data)) {
- $ms->addValidationErrors($validator);
- $error = TRUE;
- }
-
- /** @var UserFrosting\Sprinkle\Core\Util\ClassMapper $classMapper */
- $classMapper = $this->ci->classMapper;
-
- // Check if username or email already exists
- if ($classMapper->staticMethod('user', 'findUnique', $data['user_name'], 'user_name')) {
- $ms->addMessageTranslated('danger', 'USERNAME.IN_USE', $data);
- $error = TRUE;
- }
-
- if ($classMapper->staticMethod('user', 'findUnique', $data['email'], 'email')) {
- $ms->addMessageTranslated('danger', 'EMAIL.IN_USE', $data);
- $error = TRUE;
- }
-
- if ($error) {
- return $response->withStatus(400);
- }
-
- /** @var UserFrosting\Config\Config $config */
- $config = $this->ci->config;
-
- // If currentUser does not have permission to set the group, but they try to set it to something other than their own group,
- // throw an exception.
- if (!$authorizer->checkAccess($currentUser, 'create_user_field', [
- 'fields' => ['group']
- ])) {
- if (isset($data['group_id']) && $data['group_id'] != $currentUser->group_id) {
- throw new ForbiddenException();
- }
- }
-
- // In any case, set the group id if not otherwise set
- if (!isset($data['group_id'])) {
- $data['group_id'] = $currentUser->group_id;
- }
-
- $data['flag_verified'] = 1;
- // Set password as empty on initial creation. We will then send email so new user can set it themselves via a verification token
- $data['password'] = '';
-
- // All checks passed! log events/activities, create user, and send verification email (if required)
- // Begin transaction - DB will be rolled back if an exception occurs
- Capsule::transaction(function () use ($classMapper, $data, $ms, $config, $currentUser) {
- // Create the user
- $user = $classMapper->createInstance('user', $data);
-
- // Store new user to database
- $user->save();
-
- // Create activity record
- $this->ci->userActivityLogger->info("User {$currentUser->user_name} created a new account for {$user->user_name}.", [
- 'type' => 'account_create',
- 'user_id' => $currentUser->id
- ]);
-
- // Load default roles
- $defaultRoleSlugs = $classMapper->staticMethod('role', 'getDefaultSlugs');
- $defaultRoles = $classMapper->staticMethod('role', 'whereIn', 'slug', $defaultRoleSlugs)->get();
- $defaultRoleIds = $defaultRoles->pluck('id')->all();
-
- // Attach default roles
- $user->roles()->attach($defaultRoleIds);
-
- // Try to generate a new password request
- $passwordRequest = $this->ci->repoPasswordReset->create($user, $config['password_reset.timeouts.create']);
-
- // Create and send welcome email with password set link
- $message = new TwigMailMessage($this->ci->view, 'mail/password-create.html.twig');
-
- $message->from($config['address_book.admin'])
- ->addEmailRecipient(new EmailRecipient($user->email, $user->full_name))
- ->addParams([
- 'user' => $user,
- 'create_password_expiration' => $config['password_reset.timeouts.create'] / 3600 . ' hours',
- 'token' => $passwordRequest->getToken()
- ]);
-
- $this->ci->mailer->send($message);
-
- $ms->addMessageTranslated('success', 'USER.CREATED', $data);
- });
-
- return $response->withStatus(200);
- }
-
- /**
- * Processes the request to send a user a password reset email.
- *
- * Processes the request from the user update form, checking that:
- * 1. The target user's new email address, if specified, is not already in use;
- * 2. The logged-in user has the necessary permissions to update the posted field(s);
- * 3. We're not trying to disable the master account;
- * 4. The submitted data is valid.
- * This route requires authentication.
- * Request type: POST
- * @throws ForbiddenException
- * @throws NotFoundException
- * @throws BadRequestException
- */
- public function createPasswordReset($request, $response, $args) {
- // Get the username from the URL
- $user = $this->getUserFromParams($args);
-
- if (!$user) {
- throw new NotFoundException($request, $response);
- }
-
- /** @var UserFrosting\Sprinkle\Account\Authorize\AuthorizationManager $authorizer */
- $authorizer = $this->ci->authorizer;
-
- /** @var UserFrosting\Sprinkle\Account\Database\Models\User $currentUser */
- $currentUser = $this->ci->currentUser;
-
- // Access-controlled resource - check that currentUser has permission to edit "password" for this user
- if (!$authorizer->checkAccess($currentUser, 'update_user_field', [
- 'user' => $user,
- 'fields' => ['password']
- ])) {
- throw new ForbiddenException();
- }
-
- /** @var UserFrosting\Config\Config $config */
- $config = $this->ci->config;
-
- /** @var UserFrosting\Sprinkle\Core\MessageStream $ms */
- $ms = $this->ci->alerts;
-
- // Begin transaction - DB will be rolled back if an exception occurs
- Capsule::transaction(function () use ($user, $config) {
-
- // Create a password reset and shoot off an email
- $passwordReset = $this->ci->repoPasswordReset->create($user, $config['password_reset.timeouts.reset']);
-
- // Create and send welcome email with password set link
- $message = new TwigMailMessage($this->ci->view, 'mail/password-reset.html.twig');
-
- $message->from($config['address_book.admin'])
- ->addEmailRecipient(new EmailRecipient($user->email, $user->full_name))
- ->addParams([
- 'user' => $user,
- 'token' => $passwordReset->getToken(),
- 'request_date' => Carbon::now()->format('Y-m-d H:i:s')
- ]);
-
- $this->ci->mailer->send($message);
- });
-
- $ms->addMessageTranslated('success', 'PASSWORD.FORGET.REQUEST_SENT', [
- 'email' => $user->email
- ]);
- return $response->withStatus(200);
- }
-
-
- /**
- * Sets the users public key
- * Request type: POST
- * @throws NotFoundException
- * @throws BadRequestException
- * @throws ForbiddenException
- */
- public function setPublicKey($request, $response, $args) {
- $requestedUser = $this->getUserFromParams($args);
-
- if (!$requestedUser) {
- throw new NotFoundException($request, $response);
- }
-
- $PublicKey = $request->getParsedBody()["PublicKey"];
-
- if ($this->ci->currentUser->id === $requestedUser->id && (Capsule::table('public_keys')
- ->where('user_id', "=", $requestedUser->id)
- ->exists()) === FALSE) {
- Capsule::table('public_keys')
- ->insert(['user_id' => $requestedUser->id, 'key' => substr(substr($PublicKey, 100), 0, -40)]);
- return $response->withStatus(200);
- } else if ($this->ci->currentUser->id === $requestedUser->id) {
- Capsule::table('public_keys')
- ->where('user_id', $requestedUser->id)
- ->update(['key' => substr(substr($PublicKey, 100), 0, -40)]);
- return $response->withStatus(200);
- } else {
- throw new ForbiddenException();
- }
- }
-
- /**
- * Processes the request to delete an existing user.
- *
- * Deletes the specified user, removing any existing associations.
- * Before doing so, checks that:
- * 1. You are not trying to delete the master account;
- * 2. You have permission to delete the target user's account.
- * This route requires authentication (and should generally be limited to admins or the root user).
- * Request type: DELETE
- * @throws BadRequestException
- * @throws ForbiddenException
- * @throws NotFoundException
- * @throws BadRequestException
- */
- public function delete($request, $response, $args) {
- $user = $this->getUserFromParams($args);
-
- // If the user doesn't exist, return 404
- if (!$user) {
- throw new NotFoundException($request, $response);
- }
-
- /** @var UserFrosting\Sprinkle\Account\Authorize\AuthorizationManager $authorizer */
- $authorizer = $this->ci->authorizer;
-
- /** @var UserFrosting\Sprinkle\Account\Database\Models\User $currentUser */
- $currentUser = $this->ci->currentUser;
-
- // Access-controlled page
- if (!$authorizer->checkAccess($currentUser, 'delete_user', [
- 'user' => $user
- ])) {
- throw new ForbiddenException();
- }
-
- /** @var UserFrosting\Config\Config $config */
- $config = $this->ci->config;
-
- // Check that we are not deleting the master account
- // Need to use loose comparison for now, because some DBs return `id` as a string
- if ($user->id == $config['reserved_user_ids.master']) {
- $e = new BadRequestException();
- $e->addUserMessage('DELETE_MASTER');
- throw $e;
- }
-
- $userName = $user->user_name;
-
- // Begin transaction - DB will be rolled back if an exception occurs
- Capsule::transaction(function () use ($user, $userName, $currentUser) {
- $user->delete();
- unset($user);
-
- // Create activity record
- $this->ci->userActivityLogger->info("User {$currentUser->user_name} deleted the account for {$userName}.", [
- 'type' => 'account_delete',
- 'user_id' => $currentUser->id
- ]);
- });
-
- /** @var UserFrosting\Sprinkle\Core\MessageStream $ms */
- $ms = $this->ci->alerts;
-
- $ms->addMessageTranslated('success', 'DELETION_SUCCESSFUL', [
- 'user_name' => $userName
- ]);
-
- return $response->withStatus(200);
- }
-
- /**
- * Returns activity history for a single user.
- *
- * This page requires authentication.
- * Request type: GET
- * @throws ForbiddenException
- * @throws NotFoundException
- * @throws BadRequestException
- */
- public function getActivities($request, $response, $args) {
- $user = $this->getUserFromParams($args);
-
- // If the user doesn't exist, return 404
- if (!$user) {
- throw new NotFoundException($request, $response);
- }
-
- /** @var UserFrosting\Sprinkle\Core\Util\ClassMapper $classMapper */
- $classMapper = $this->ci->classMapper;
-
- // GET parameters
- $params = $request->getQueryParams();
-
- /** @var UserFrosting\Sprinkle\Account\Authorize\AuthorizationManager $authorizer */
- $authorizer = $this->ci->authorizer;
-
- /** @var UserFrosting\Sprinkle\Account\Database\Models\User $currentUser */
- $currentUser = $this->ci->currentUser;
-
- // Access-controlled page
- if (!$authorizer->checkAccess($currentUser, 'view_user_field', [
- 'user' => $user,
- 'property' => 'activities'
- ])) {
- throw new ForbiddenException();
- }
-
- $sprunje = $classMapper->createInstance('activity_sprunje', $classMapper, $params);
-
- $sprunje->extendQuery(function ($query) use ($user) {
- return $query->where('user_id', $user->id);
- });
-
- // Be careful how you consume this data - it has not been escaped and contains untrusted user-supplied content.
- // For example, if you plan to insert it into an HTML DOM, you must escape it on the client side (or use client-side templating).
- return $sprunje->toResponse($response);
- }
-
- /**
- * Returns info for a single user.
- *
- * This page requires authentication.
- * Request type: GET
- * @throws ForbiddenException
- * @throws NotFoundException
- * @throws BadRequestException
- */
- public function getInfo($request, $response, $args) {
- $user = $this->getUserFromParams($args);
-
- // If the user doesn't exist, return 404
- if (!$user) {
- throw new NotFoundException($request, $response);
- }
-
- /** @var UserFrosting\Sprinkle\Core\Util\ClassMapper $classMapper */
- $classMapper = $this->ci->classMapper;
-
- // Join user's most recent activity
- $user = $classMapper->createInstance('user')
- ->where('user_name', $user->user_name)
- ->joinLastActivity()
- ->with('lastActivity', 'group')
- ->first();
-
- /** @var UserFrosting\Sprinkle\Account\Authorize\AuthorizationManager $authorizer */
- $authorizer = $this->ci->authorizer;
-
- /** @var UserFrosting\Sprinkle\Account\Database\Models\User $currentUser */
- $currentUser = $this->ci->currentUser;
-
- // Access-controlled page
- if (!$authorizer->checkAccess($currentUser, 'uri_user', [
- 'user' => $user
- ])) {
- throw new ForbiddenException();
- }
-
- $result = $user->toArray();
- $result["avatar"] = $user->avatar;
-
- // Be careful how you consume this data - it has not been escaped and contains untrusted user-supplied content.
- // For example, if you plan to insert it into an HTML DOM, you must escape it on the client side (or use client-side templating).
- return $response->withJson($result, 200, JSON_PRETTY_PRINT);
- }
-
- /**
- * Returns a list of Users
- *
- * Generates a list of users, optionally paginated, sorted and/or filtered.
- * This page requires authentication.
- * Request type: GET
- * @throws ForbiddenException
- */
- public function getList($request, $response, $args) {
- // GET parameters
- $params = $request->getQueryParams();
-
- /** @var UserFrosting\Sprinkle\Account\Authorize\AuthorizationManager $authorizer */
- $authorizer = $this->ci->authorizer;
-
- /** @var UserFrosting\Sprinkle\Account\Database\Models\User $currentUser */
- $currentUser = $this->ci->currentUser;
-
- // Access-controlled page
- if (!$authorizer->checkAccess($currentUser, 'uri_users')) {
- throw new ForbiddenException();
- }
-
- /** @var UserFrosting\Sprinkle\Core\Util\ClassMapper $classMapper */
- $classMapper = $this->ci->classMapper;
-
- $sprunje = $classMapper->createInstance('user_sprunje', $classMapper, $params);
-
- // Be careful how you consume this data - it has not been escaped and contains untrusted user-supplied content.
- // For example, if you plan to insert it into an HTML DOM, you must escape it on the client side (or use client-side templating).
- return $sprunje->toResponse($response);
- }
-
- /**
- * Renders the modal form to confirm user deletion.
- *
- * This does NOT render a complete page. Instead, it renders the HTML for the modal, which can be embedded in other pages.
- * This page requires authentication.
- * Request type: GET
- * @throws BadRequestException
- * @throws ForbiddenException
- * @throws NotFoundException
- * @throws BadRequestException
- */
- public function getModalConfirmDelete($request, $response, $args) {
- // GET parameters
- $params = $request->getQueryParams();
-
- $user = $this->getUserFromParams($params);
-
- // If the user doesn't exist, return 404
- if (!$user) {
- throw new NotFoundException($request, $response);
- }
-
- /** @var UserFrosting\Sprinkle\Account\Authorize\AuthorizationManager $authorizer */
- $authorizer = $this->ci->authorizer;
-
- /** @var UserFrosting\Sprinkle\Account\Database\Models\User $currentUser */
- $currentUser = $this->ci->currentUser;
-
- // Access-controlled page
- if (!$authorizer->checkAccess($currentUser, 'delete_user', [
- 'user' => $user
- ])) {
- throw new ForbiddenException();
- }
-
- /** @var UserFrosting\Config\Config $config */
- $config = $this->ci->config;
-
- // Check that we are not deleting the master account
- // Need to use loose comparison for now, because some DBs return `id` as a string
- if ($user->id == $config['reserved_user_ids.master']) {
- $e = new BadRequestException();
- $e->addUserMessage('DELETE_MASTER');
- throw $e;
- }
-
- return $this->ci->view->render($response, 'modals/confirm-delete-user.html.twig', [
- 'user' => $user,
- 'form' => [
- 'action' => "api/users/u/{$user->user_name}",
- ]
- ]);
- }
-
- /**
- * Renders the modal form for creating a new user.
- *
- * This does NOT render a complete page. Instead, it renders the HTML for the modal, which can be embedded in other pages.
- * If the currently logged-in user has permission to modify user group membership, then the group toggle will be displayed.
- * Otherwise, the user will be added to the default group and receive the default roles automatically.
- * This page requires authentication.
- * Request type: GET
- * @throws ForbiddenException
- */
- public function getModalCreate($request, $response, $args) {
- // GET parameters
- $params = $request->getQueryParams();
-
- /** @var UserFrosting\Sprinkle\Account\Authorize\AuthorizationManager $authorizer */
- $authorizer = $this->ci->authorizer;
-
- /** @var UserFrosting\Sprinkle\Account\Database\Models\User $currentUser */
- $currentUser = $this->ci->currentUser;
-
- /** @var UserFrosting\I18n\MessageTranslator $translator */
- $translator = $this->ci->translator;
-
- // Access-controlled page
- if (!$authorizer->checkAccess($currentUser, 'create_user')) {
- throw new ForbiddenException();
- }
-
- /** @var UserFrosting\Sprinkle\Core\Util\ClassMapper $classMapper */
- $classMapper = $this->ci->classMapper;
-
- /** @var UserFrosting\Config\Config $config */
- $config = $this->ci->config;
-
- // Determine form fields to hide/disable
- $fields = [
- 'hidden' => ['theme'],
- 'disabled' => []
- ];
-
- // Get a list of all locales
- $locales = $config->getDefined('site.locales.available');
-
- // Determine if currentUser has permission to modify the group. If so, show the 'group' dropdown.
- // Otherwise, set to the currentUser's group and disable the dropdown.
- if ($authorizer->checkAccess($currentUser, 'create_user_field', [
- 'fields' => ['group']
- ])) {
- // Get a list of all groups
- $groups = $classMapper->staticMethod('group', 'all');
- } else {
- // Get the current user's group
- $groups = $currentUser->group()->get();
- $fields['disabled'][] = 'group';
- }
-
- // Create a dummy user to prepopulate fields
- $data = [
- 'group_id' => $currentUser->group_id,
- 'locale' => $config['site.registration.user_defaults.locale'],
- 'theme' => ''
- ];
-
- $user = $classMapper->createInstance('user', $data);
-
- // Load validation rules
- $schema = new RequestSchema('schema://requests/user/create.yaml');
- $validator = new JqueryValidationAdapter($schema, $this->ci->translator);
-
- return $this->ci->view->render($response, 'modals/user.html.twig', [
- 'user' => $user,
- 'groups' => $groups,
- 'locales' => $locales,
- 'form' => [
- 'action' => 'api/users',
- 'method' => 'POST',
- 'fields' => $fields,
- 'submit_text' => $translator->translate('CREATE')
- ],
- 'page' => [
- 'validators' => $validator->rules('json', FALSE)
- ]
- ]);
- }
-
- /**
- * Renders the modal form for editing an existing user.
- *
- * This does NOT render a complete page. Instead, it renders the HTML for the modal, which can be embedded in other pages.
- * This page requires authentication.
- * Request type: GET
- * @throws ForbiddenException
- * @throws NotFoundException
- * @throws BadRequestException
- */
- public function getModalEdit($request, $response, $args) {
- // GET parameters
- $params = $request->getQueryParams();
-
- $user = $this->getUserFromParams($params);
-
- // If the user doesn't exist, return 404
- if (!$user) {
- throw new NotFoundException($request, $response);
- }
-
- /** @var UserFrosting\Sprinkle\Core\Util\ClassMapper $classMapper */
- $classMapper = $this->ci->classMapper;
-
- // Get the user to edit
- $user = $classMapper->staticMethod('user', 'where', 'user_name', $user->user_name)
- ->with('group')
- ->first();
-
- /** @var UserFrosting\Sprinkle\Account\Authorize\AuthorizationManager $authorizer */
- $authorizer = $this->ci->authorizer;
-
- /** @var UserFrosting\Sprinkle\Account\Database\Models\User $currentUser */
- $currentUser = $this->ci->currentUser;
-
- // Access-controlled resource - check that currentUser has permission to edit basic fields "name", "email", "locale" for this user
- $fieldNames = ['name', 'email', 'locale'];
- if (!$authorizer->checkAccess($currentUser, 'update_user_field', [
- 'user' => $user,
- 'fields' => $fieldNames
- ])) {
- throw new ForbiddenException();
- }
-
- // Get a list of all groups
- $groups = $classMapper->staticMethod('group', 'all');
-
- /** @var UserFrosting\Config\Config $config */
- $config = $this->ci->config;
-
- // Get a list of all locales
- $locales = $config->getDefined('site.locales.available');
-
- // Generate form
- $fields = [
- 'hidden' => ['theme'],
- 'disabled' => ['user_name']
- ];
-
- // Disable group field if currentUser doesn't have permission to modify group
- if (!$authorizer->checkAccess($currentUser, 'update_user_field', [
- 'user' => $user,
- 'fields' => ['group']
- ])) {
- $fields['disabled'][] = 'group';
- }
-
- // Load validation rules
- $schema = new RequestSchema('schema://requests/user/edit-info.yaml');
- $validator = new JqueryValidationAdapter($schema, $this->ci->translator);
-
- $translator = $this->ci->translator;
-
- return $this->ci->view->render($response, 'modals/user.html.twig', [
- 'user' => $user,
- 'groups' => $groups,
- 'locales' => $locales,
- 'form' => [
- 'action' => "api/users/u/{$user->user_name}",
- 'method' => 'PUT',
- 'fields' => $fields,
- 'submit_text' => $translator->translate('UPDATE')
- ],
- 'page' => [
- 'validators' => $validator->rules('json', FALSE)
- ]
- ]);
- }
-
- /**
- * Renders the modal form for editing a user's password.
- *
- * This does NOT render a complete page. Instead, it renders the HTML for the form, which can be embedded in other pages.
- * This page requires authentication.
- * Request type: GET
- * @throws ForbiddenException
- * @throws NotFoundException
- * @throws BadRequestException
- */
- public function getModalEditPassword($request, $response, $args) {
- // GET parameters
- $params = $request->getQueryParams();
-
- $user = $this->getUserFromParams($params);
-
- // If the user doesn't exist, return 404
- if (!$user) {
- throw new NotFoundException($request, $response);
- }
-
- /** @var UserFrosting\Sprinkle\Account\Authorize\AuthorizationManager $authorizer */
- $authorizer = $this->ci->authorizer;
-
- /** @var UserFrosting\Sprinkle\Account\Database\Models\User $currentUser */
- $currentUser = $this->ci->currentUser;
-
- // Access-controlled resource - check that currentUser has permission to edit "password" field for this user
- if (!$authorizer->checkAccess($currentUser, 'update_user_field', [
- 'user' => $user,
- 'fields' => ['password']
- ])) {
- throw new ForbiddenException();
- }
-
- // Load validation rules
- $schema = new RequestSchema('schema://requests/user/edit-password.yaml');
- $validator = new JqueryValidationAdapter($schema, $this->ci->translator);
-
- return $this->ci->view->render($response, 'modals/user-set-password.html.twig', [
- 'user' => $user,
- 'page' => [
- 'validators' => $validator->rules('json', FALSE)
- ]
- ]);
- }
-
- /**
- * Renders the modal form for editing a user's roles.
- *
- * This does NOT render a complete page. Instead, it renders the HTML for the form, which can be embedded in other pages.
- * This page requires authentication.
- * Request type: GET
- * @throws ForbiddenException
- * @throws NotFoundException
- * @throws BadRequestException
- */
- public function getModalEditRoles($request, $response, $args) {
- // GET parameters
- $params = $request->getQueryParams();
-
- $user = $this->getUserFromParams($params);
-
- // If the user doesn't exist, return 404
- if (!$user) {
- throw new NotFoundException($request, $response);
- }
-
- /** @var UserFrosting\Sprinkle\Account\Authorize\AuthorizationManager $authorizer */
- $authorizer = $this->ci->authorizer;
-
- /** @var UserFrosting\Sprinkle\Account\Database\Models\User $currentUser */
- $currentUser = $this->ci->currentUser;
-
- // Access-controlled resource - check that currentUser has permission to edit "roles" field for this user
- if (!$authorizer->checkAccess($currentUser, 'update_user_field', [
- 'user' => $user,
- 'fields' => ['roles']
- ])) {
- throw new ForbiddenException();
- }
-
- return $this->ci->view->render($response, 'modals/user-manage-roles.html.twig', [
- 'user' => $user
- ]);
- }
-
- /**
- * Returns a list of effective Permissions for a specified User.
- *
- * Generates a list of permissions, optionally paginated, sorted and/or filtered.
- * This page requires authentication.
- * Request type: GET
- * @throws ForbiddenException
- * @throws NotFoundException
- * @throws BadRequestException
- */
- public function getPermissions($request, $response, $args) {
- $user = $this->getUserFromParams($args);
-
- // If the user doesn't exist, return 404
- if (!$user) {
- throw new NotFoundException($request, $response);
- }
-
- // GET parameters
- $params = $request->getQueryParams();
-
- /** @var UserFrosting\Sprinkle\Account\Authorize\AuthorizationManager */
- $authorizer = $this->ci->authorizer;
-
- /** @var UserFrosting\Sprinkle\Account\Database\Models\User $currentUser */
- $currentUser = $this->ci->currentUser;
-
- // Access-controlled page
- if (!$authorizer->checkAccess($currentUser, 'view_user_field', [
- 'user' => $user,
- 'property' => 'permissions'
- ])) {
- throw new ForbiddenException();
- }
-
- /** @var UserFrosting\Sprinkle\Core\Util\ClassMapper $classMapper */
- $classMapper = $this->ci->classMapper;
-
- $params['user_id'] = $user->id;
- $sprunje = $classMapper->createInstance('user_permission_sprunje', $classMapper, $params);
-
- $response = $sprunje->toResponse($response);
-
- // Be careful how you consume this data - it has not been escaped and contains untrusted user-supplied content.
- // For example, if you plan to insert it into an HTML DOM, you must escape it on the client side (or use client-side templating).
- return $response;
- }
-
- /**
- * Returns roles associated with a single user.
- *
- * This page requires authentication.
- * Request type: GET
- * @throws ForbiddenException
- * @throws NotFoundException
- * @throws BadRequestException
- */
- public function getRoles($request, $response, $args) {
- $user = $this->getUserFromParams($args);
-
- // If the user doesn't exist, return 404
- if (!$user) {
- throw new NotFoundException($request, $response);
- }
-
- /** @var UserFrosting\Sprinkle\Core\Util\ClassMapper $classMapper */
- $classMapper = $this->ci->classMapper;
-
- // GET parameters
- $params = $request->getQueryParams();
-
- /** @var UserFrosting\Sprinkle\Account\Authorize\AuthorizationManager $authorizer */
- $authorizer = $this->ci->authorizer;
-
- /** @var UserFrosting\Sprinkle\Account\Database\Models\User $currentUser */
- $currentUser = $this->ci->currentUser;
-
- // Access-controlled page
- if (!$authorizer->checkAccess($currentUser, 'view_user_field', [
- 'user' => $user,
- 'property' => 'roles'
- ])) {
- throw new ForbiddenException();
- }
-
- $sprunje = $classMapper->createInstance('role_sprunje', $classMapper, $params);
- $sprunje->extendQuery(function ($query) use ($user) {
- return $query->forUser($user->id);
- });
-
- // Be careful how you consume this data - it has not been escaped and contains untrusted user-supplied content.
- // For example, if you plan to insert it into an HTML DOM, you must escape it on the client side (or use client-side templating).
- return $sprunje->toResponse($response);
- }
-
- /**
- * Renders a page displaying a user's information, in read-only mode.
- *
- * This checks that the currently logged-in user has permission to view the requested user's info.
- * It checks each field individually, showing only those that you have permission to view.
- * This will also try to show buttons for activating, disabling/enabling, deleting, and editing the user.
- * This page requires authentication.
- * Request type: GET
- * @throws ForbiddenException
- * @throws BadRequestException
- */
- public function pageInfo($request, $response, $args) {
- $user = $this->getUserFromParams($args);
-
- // If the user no longer exists, forward to main user listing page
- if (!$user) {
- $usersPage = $this->ci->router->pathFor('uri_users');
- return $response->withRedirect($usersPage, 404);
- }
-
- /** @var UserFrosting\Sprinkle\Account\Authorize\AuthorizationManager $authorizer */
- $authorizer = $this->ci->authorizer;
-
- /** @var UserFrosting\Sprinkle\Account\Database\Models\User $currentUser */
- $currentUser = $this->ci->currentUser;
-
- // Access-controlled page
- if (!$authorizer->checkAccess($currentUser, 'uri_user', [
- 'user' => $user
- ])) {
- throw new ForbiddenException();
- }
-
- /** @var UserFrosting\Config\Config $config */
- $config = $this->ci->config;
-
- // Get a list of all locales
- $locales = $config->getDefined('site.locales.available');
-
- // Determine fields that currentUser is authorized to view
- $fieldNames = ['user_name', 'name', 'email', 'locale', 'group', 'roles'];
-
- // Generate form
- $fields = [
- // Always hide these
- 'hidden' => ['theme']
- ];
-
- // Determine which fields should be hidden
- foreach ($fieldNames as $field) {
- if (!$authorizer->checkAccess($currentUser, 'view_user_field', [
- 'user' => $user,
- 'property' => $field
- ])) {
- $fields['hidden'][] = $field;
- }
- }
-
- // Determine buttons to display
- $editButtons = [
- 'hidden' => []
- ];
-
- if (!$authorizer->checkAccess($currentUser, 'update_user_field', [
- 'user' => $user,
- 'fields' => ['name', 'email', 'locale']
- ])) {
- $editButtons['hidden'][] = 'edit';
- }
-
- if (!$authorizer->checkAccess($currentUser, 'update_user_field', [
- 'user' => $user,
- 'fields' => ['flag_enabled']
- ])) {
- $editButtons['hidden'][] = 'enable';
- }
-
- if (!$authorizer->checkAccess($currentUser, 'update_user_field', [
- 'user' => $user,
- 'fields' => ['flag_verified']
- ])) {
- $editButtons['hidden'][] = 'activate';
- }
-
- if (!$authorizer->checkAccess($currentUser, 'update_user_field', [
- 'user' => $user,
- 'fields' => ['password']
- ])) {
- $editButtons['hidden'][] = 'password';
- }
-
- if (!$authorizer->checkAccess($currentUser, 'update_user_field', [
- 'user' => $user,
- 'fields' => ['roles']
- ])) {
- $editButtons['hidden'][] = 'roles';
- }
-
- if (!$authorizer->checkAccess($currentUser, 'delete_user', [
- 'user' => $user
- ])) {
- $editButtons['hidden'][] = 'delete';
- }
-
- // Determine widgets to display
- $widgets = [
- 'hidden' => []
- ];
-
- if (!$authorizer->checkAccess($currentUser, 'view_user_field', [
- 'user' => $user,
- 'property' => 'permissions'
- ])) {
- $widgets['hidden'][] = 'permissions';
- }
-
- if (!$authorizer->checkAccess($currentUser, 'view_user_field', [
- 'user' => $user,
- 'property' => 'activities'
- ])) {
- $widgets['hidden'][] = 'activities';
- }
-
- return $this->ci->view->render($response, 'pages/user.html.twig', [
- 'user' => $user,
- 'locales' => $locales,
- 'fields' => $fields,
- 'tools' => $editButtons,
- 'widgets' => $widgets
- ]);
- }
-
- /**
- * Renders the user listing page.
- *
- * This page renders a table of users, with dropdown menus for admin actions for each user.
- * Actions typically include: edit user details, activate user, enable/disable user, delete user.
- * This page requires authentication.
- * Request type: GET
- * @throws ForbiddenException
- */
- public function pageList($request, $response, $args) {
- /** @var UserFrosting\Sprinkle\Account\Authorize\AuthorizationManager $authorizer */
- $authorizer = $this->ci->authorizer;
-
- /** @var UserFrosting\Sprinkle\Account\Database\Models\User $currentUser */
- $currentUser = $this->ci->currentUser;
-
- // Access-controlled page
- if (!$authorizer->checkAccess($currentUser, 'uri_users')) {
- throw new ForbiddenException();
- }
-
- return $this->ci->view->render($response, 'pages/users.html.twig');
- }
-
- /**
- * Gets the users public key
- * Request type: GET
- * @throws NotFoundException
- * @throws BadRequestException
- */
- public function getPublicKey($request, $response, $args) {
- $requestedUser = $this->getUserFromParams($args);
-
- if (!$requestedUser) {
- throw new NotFoundException($request, $response);
- }
-
- if ((Capsule::table('public_keys')
- ->where('user_id', "=", $requestedUser->id)
- ->exists())) {
-
- $RawPublicKey = Capsule::table('public_keys')
- ->where('user_id', "=", $requestedUser->id)
- ->value('key');
- $PublicKey = "-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: OpenPGP.js v3.0.9\nComment: https://openpgpjs.org\n\n" . $RawPublicKey . "\n-----END PGP PUBLIC KEY BLOCK-----";
-
- $ContentType = explode(',', $request->getHeaderLine('Accept'))[0];
- switch ($ContentType) {
- case 'application/json':
- $response->write(json_encode(array('user_id' => $requestedUser->id, 'PublicKey' => $PublicKey)));
- break;
- case 'text/html':
- $response->write("<pre>" . $PublicKey);
- break;
- default:
- $response->write($PublicKey);
- }
- return $response->withStatus(200);
- } else {
- throw new NotFoundException($request, $response);
- }
- }
-
- /**
- * Gets the users which are following the requested user
- * Request type: GET
- * @throws ForbiddenException
- * @throws NotFoundException
- * @throws BadRequestException
- */
- public function getFollowers($request, $response, $args) {
- $user = $this->getUserFromParams($args);
-
- // If the user doesn't exist, return 404
- if (!$user) {
- throw new NotFoundException($request, $response);
- }
-
- /** @var UserFrosting\Sprinkle\Account\Authorize\AuthorizationManager $authorizer */
- $authorizer = $this->ci->authorizer;
-
- /** @var UserFrosting\Sprinkle\Account\Database\Models\User $currentUser */
- $currentUser = $this->ci->currentUser;
-
- // Access-controlled page
- if (!$authorizer->checkAccess($currentUser, 'uri_user', [
- 'user' => $user
- ])) {
- throw new ForbiddenException();
- }
-
- $UsersFollowers = Capsule::table('user_follow')
- ->where('user_id', "=", $user->id)
- ->join("users", "users.id", "=", "user_follow.followed_by_id")
- ->select("user_follow.followed_by_id as id", "users.user_name as username")
- ->get();
-
- $result = $UsersFollowers->toArray();
-
- return $response->withJson($result, 200, JSON_PRETTY_PRINT);
- }
-
- /**
- * Get users which the user follows
- * Request type: GET
- * @throws ForbiddenException
- * @throws NotFoundException
- * @throws BadRequestException
- */
- public function getFollows($request, $response, $args) {
- $user = $this->getUserFromParams($args);
-
- // If the user doesn't exist, return 404
- if (!$user) {
- throw new NotFoundException($request, $response);
- }
-
- /** @var UserFrosting\Sprinkle\Account\Authorize\AuthorizationManager $authorizer */
- $authorizer = $this->ci->authorizer;
-
- /** @var UserFrosting\Sprinkle\Account\Database\Models\User $currentUser */
- $currentUser = $this->ci->currentUser;
-
- // Access-controlled page
- if (($user->id == $currentUser->id) || (!$authorizer->checkAccess($currentUser, 'uri_user', [
- 'user' => $user
- ]))) {
- throw new ForbiddenException();
- }
-
- $UsersFollows = Capsule::table('user_follow')
- ->where('followed_by_id', "=", $user->id)
- ->join("users", "users.id", "=", "user_follow.user_id")
- ->select("user_follow.user_id as id", "users.user_name as username")
- ->get();
-
- $result = $UsersFollows->toArray();
-
- return $response->withJson($result, 200, JSON_PRETTY_PRINT);
- }
-
- /**
- * Get users which the user follows and which are following the user
- * Request type: GET
- * @throws NotFoundException
- * @throws ForbiddenException
- * @throws BadRequestException
- */
- public function getFriends($request, $response, $args) {
- $user = $this->getUserFromParams($args);
-
- // If the user doesn't exist, return 404
- if (!$user) {
- throw new NotFoundException($request, $response);
- }
-
- /** @var UserFrosting\Sprinkle\Account\Authorize\AuthorizationManager $authorizer */
- $authorizer = $this->ci->authorizer;
-
- /** @var UserFrosting\Sprinkle\Account\Database\Models\User $currentUser */
- $currentUser = $this->ci->currentUser;
-
- // Access-controlled page
- if (!$authorizer->checkAccess($currentUser, 'uri_user', [
- 'user' => $user
- ])) {
- throw new ForbiddenException();
- }
-
- $UsersFriends = Capsule::select("SELECT id FROM (SELECT user_id AS id FROM user_follow WHERE followed_by_id = $user->id UNION ALL SELECT followed_by_id FROM user_follow WHERE user_id = $user->id) t GROUP BY id HAVING COUNT(id) > 1");
-
- /** @var UserFrosting\Sprinkle\Core\Util\ClassMapper $classMapper */
- $classMapper = $this->ci->classMapper;
-
- foreach ($UsersFriends as $Key => $UsersFriendId) { // NOT THAT EFFICIENT...
- $UsersFriendInformation = $classMapper->createInstance('user')// raw select doesnt work with instance
- ->where('id', $UsersFriendId->id)
- ->get();
-
- $UsersFriends[$Key]->id = $UsersFriendInformation[0]->id;
- $UsersFriends[$Key]->username = $UsersFriendInformation[0]->user_name;
- $UsersFriends[$Key]->avatar = $UsersFriendInformation[0]->avatar;
- $UsersFriends[$Key]->full_name = $UsersFriendInformation[0]->full_name;
- }
-
- $result = $UsersFriends;
-
- if (sizeof($result) > 0) { // USER HAS FRIENDS
- return $response->withJson($result, 200, JSON_PRETTY_PRINT);
- } else {
- throw new NotFoundException($request, $response);
- }
- }
-
-
- /**
- * Processes the request to update an existing user's basic details (first_name, last_name, email, locale, group_id)
- *
- * Processes the request from the user update form, checking that:
- * 1. The target user's new email address, if specified, is not already in use;
- * 2. The logged-in user has the necessary permissions to update the putted field(s);
- * 3. The submitted data is valid.
- * This route requires authentication.
- * Request type: PUT
- * @throws NotFoundException
- * @throws ForbiddenException
- * @throws BadRequestException
- * @throws BadRequestException
- */
- public function updateInfo($request, $response, $args) {
- // Get the username from the URL
- $user = $this->getUserFromParams($args);
-
- if (!$user) {
- throw new NotFoundException($request, $response);
- }
-
- /** @var UserFrosting\Config\Config $config */
- $config = $this->ci->config;
-
- // Get PUT parameters
- $params = $request->getParsedBody();
-
- /** @var UserFrosting\Sprinkle\Core\MessageStream $ms */
- $ms = $this->ci->alerts;
-
- // Load the request schema
- $schema = new RequestSchema('schema://requests/user/edit-info.yaml');
-
- // Whitelist and set parameter defaults
- $transformer = new RequestDataTransformer($schema);
- $data = $transformer->transform($params);
-
- $error = FALSE;
-
- // Validate request data
- $validator = new ServerSideValidator($schema, $this->ci->translator);
- if (!$validator->validate($data)) {
- $ms->addValidationErrors($validator);
- $error = TRUE;
- }
-
- // Determine targeted fields
- $fieldNames = [];
- foreach ($data as $name => $value) {
- if ($name == 'first_name' || $name == 'last_name') {
- $fieldNames[] = 'name';
- } else if ($name == 'group_id') {
- $fieldNames[] = 'group';
- } else {
- $fieldNames[] = $name;
- }
- }
-
- /** @var UserFrosting\Sprinkle\Account\Authorize\AuthorizationManager $authorizer */
- $authorizer = $this->ci->authorizer;
-
- /** @var UserFrosting\Sprinkle\Account\Database\Models\User $currentUser */
- $currentUser = $this->ci->currentUser;
-
- // Access-controlled resource - check that currentUser has permission to edit submitted fields for this user
- if (!$authorizer->checkAccess($currentUser, 'update_user_field', [
- 'user' => $user,
- 'fields' => array_values(array_unique($fieldNames))
- ])) {
- throw new ForbiddenException();
- }
-
- // Only the master account can edit the master account!
- if (
- ($user->id == $config['reserved_user_ids.master']) &&
- ($currentUser->id != $config['reserved_user_ids.master'])
- ) {
- throw new ForbiddenException();
- }
-
- /** @var UserFrosting\Sprinkle\Core\Util\ClassMapper $classMapper */
- $classMapper = $this->ci->classMapper;
-
- // Check if email already exists
- if (
- isset($data['email']) &&
- $data['email'] != $user->email &&
- $classMapper->staticMethod('user', 'findUnique', $data['email'], 'email')
- ) {
- $ms->addMessageTranslated('danger', 'EMAIL.IN_USE', $data);
- $error = TRUE;
- }
-
- if ($error) {
- return $response->withStatus(400);
- }
-
- // Begin transaction - DB will be rolled back if an exception occurs
- Capsule::transaction(function () use ($data, $user, $currentUser) {
- // Update the user and generate success messages
- foreach ($data as $name => $value) {
- if ($value != $user->$name) {
- $user->$name = $value;
- }
- }
-
- $user->save();
-
- // Create activity record
- $this->ci->userActivityLogger->info("User {$currentUser->user_name} updated basic account info for user {$user->user_name}.", [
- 'type' => 'account_update_info',
- 'user_id' => $currentUser->id
- ]);
- });
-
- $ms->addMessageTranslated('success', 'DETAILS_UPDATED', [
- 'user_name' => $user->user_name
- ]);
- return $response->withStatus(200);
- }
-
- /**
- * Processes the request to update a specific field for an existing user.
- *
- * Supports editing all user fields, including password, enabled/disabled status and verification status.
- * Processes the request from the user update form, checking that:
- * 1. The logged-in user has the necessary permissions to update the putted field(s);
- * 2. We're not trying to disable the master account;
- * 3. The submitted data is valid.
- * This route requires authentication.
- * Request type: PUT
- * @throws ForbiddenException
- * @throws BadRequestException
- * @throws BadRequestException
- * @throws BadRequestException
- * @throws BadRequestException
- * @throws BadRequestException
- * @throws NotFoundException
- * @throws BadRequestException
- */
- public function updateField($request, $response, $args) {
- // Get the username from the URL
- $user = $this->getUserFromParams($args);
-
- if (!$user) {
- throw new NotFoundException($request, $response);
- }
-
- // Get key->value pair from URL and request body
- $fieldName = $args['field'];
-
- /** @var UserFrosting\Sprinkle\Account\Authorize\AuthorizationManager $authorizer */
- $authorizer = $this->ci->authorizer;
-
- /** @var UserFrosting\Sprinkle\Account\Database\Models\User $currentUser */
- $currentUser = $this->ci->currentUser;
-
- // Access-controlled resource - check that currentUser has permission to edit the specified field for this user
- if (!$authorizer->checkAccess($currentUser, 'update_user_field', [
- 'user' => $user,
- 'fields' => [$fieldName]
- ])) {
- throw new ForbiddenException();
- }
-
- /** @var UserFrosting\Config\Config $config */
- $config = $this->ci->config;
-
- // Only the master account can edit the master account!
- if (
- ($user->id == $config['reserved_user_ids.master']) &&
- ($currentUser->id != $config['reserved_user_ids.master'])
- ) {
- throw new ForbiddenException();
- }
-
- // Get PUT parameters: value
- $put = $request->getParsedBody();
-
- if (!isset($put['value'])) {
- throw new BadRequestException();
- }
-
- // Create and validate key -> value pair
- $params = [
- $fieldName => $put['value']
- ];
-
- // Load the request schema
- $schema = new RequestSchema('schema://requests/user/edit-field.yaml');
-
- // Whitelist and set parameter defaults
- $transformer = new RequestDataTransformer($schema);
- $data = $transformer->transform($params);
-
- // Validate, and throw exception on validation errors.
- $validator = new ServerSideValidator($schema, $this->ci->translator);
- if (!$validator->validate($data)) {
- // encapsulate the communication of error messages from ServerSideValidator to the BadRequestException
- $e = new BadRequestException();
- foreach ($validator->errors() as $idx => $field) {
- foreach ($field as $eidx => $error) {
- $e->addUserMessage($error);
- }
- }
- throw $e;
- }
-
- // Get validated and transformed value
- $fieldValue = $data[$fieldName];
-
- /** @var UserFrosting\Sprinkle\Core\MessageStream $ms */
- $ms = $this->ci->alerts;
-
- // Special checks and transformations for certain fields
- if ($fieldName == 'flag_enabled') {
- // Check that we are not disabling the master account
- if (
- ($user->id == $config['reserved_user_ids.master']) &&
- ($fieldValue == '0')
- ) {
- $e = new BadRequestException();
- $e->addUserMessage('DISABLE_MASTER');
- throw $e;
- } else if (
- ($user->id == $currentUser->id) &&
- ($fieldValue == '0')
- ) {
- $e = new BadRequestException();
- $e->addUserMessage('DISABLE_SELF');
- throw $e;
- }
- } else if ($fieldName == 'password') {
- $fieldValue = Password::hash($fieldValue);
- }
-
- // Begin transaction - DB will be rolled back if an exception occurs
- Capsule::transaction(function () use ($fieldName, $fieldValue, $user, $currentUser) {
- if ($fieldName == 'roles') {
- $newRoles = collect($fieldValue)->pluck('role_id')->all();
- $user->roles()->sync($newRoles);
- } else {
- $user->$fieldName = $fieldValue;
- $user->save();
- }
-
- // Create activity record
- $this->ci->userActivityLogger->info("User {$currentUser->user_name} updated property '$fieldName' for user {$user->user_name}.", [
- 'type' => 'account_update_field',
- 'user_id' => $currentUser->id
- ]);
- });
-
- // Add success messages
- if ($fieldName == 'flag_enabled') {
- if ($fieldValue == '1') {
- $ms->addMessageTranslated('success', 'ENABLE_SUCCESSFUL', [
- 'user_name' => $user->user_name
- ]);
- } else {
- $ms->addMessageTranslated('success', 'DISABLE_SUCCESSFUL', [
- 'user_name' => $user->user_name
- ]);
- }
- } else if ($fieldName == 'flag_verified') {
- $ms->addMessageTranslated('success', 'MANUALLY_ACTIVATED', [
- 'user_name' => $user->user_name
- ]);
- } else {
- $ms->addMessageTranslated('success', 'DETAILS_UPDATED', [
- 'user_name' => $user->user_name
- ]);
- }
-
- return $response->withStatus(200);
- }
-
- protected function getUserFromParams($params) {
- // Load the request schema
- $schema = new RequestSchema('schema://requests/user/get-by-username.yaml');
-
- // Whitelist and set parameter defaults
- $transformer = new RequestDataTransformer($schema);
- $data = $transformer->transform($params);
-
- // Validate, and throw exception on validation errors.
- $validator = new ServerSideValidator($schema, $this->ci->translator);
- if (!$validator->validate($data)) {
- $e = new BadRequestException();
- foreach ($validator->errors() as $idx => $field) {
- foreach ($field as $eidx => $error) {
- $e->addUserMessage($error);
- }
- }
- throw $e;
- }
-
- /** @var UserFrosting\Sprinkle\Core\Util\ClassMapper $classMapper */
- $classMapper = $this->ci->classMapper;
-
- // Get the user to delete
- $user = $classMapper->staticMethod('user', 'where', 'user_name', $data['user_name'])
- ->first();
-
- return $user;
- }
-}
+<?php
+/**
+ * UserFrosting (http://www.userfrosting.com)
+ *
+ * @link https://github.com/userfrosting/UserFrosting
+ * @license https://github.com/userfrosting/UserFrosting/blob/master/licenses/UserFrosting.md (MIT License)
+ */
+
+namespace UserFrosting\Sprinkle\Admin\Controller;
+
+use Carbon\Carbon;
+use Illuminate\Database\Schema\Blueprint;
+use Illuminate\Database\Capsule\Manager as Capsule;
+use Psr\Http\Message\ResponseInterface as Response;
+use Psr\Http\Message\ServerRequestInterface as Request;
+use Slim\Exception\NotFoundException;
+use UserFrosting\Fortress\RequestDataTransformer;
+use UserFrosting\Fortress\RequestSchema;
+use UserFrosting\Fortress\ServerSideValidator;
+use UserFrosting\Fortress\Adapter\JqueryValidationAdapter;
+use UserFrosting\Sprinkle\Account\Database\Models\Group;
+use UserFrosting\Sprinkle\Account\Database\Models\User;
+use UserFrosting\Sprinkle\Account\Facades\Password;
+use UserFrosting\Sprinkle\Core\Controller\SimpleController;
+use UserFrosting\Sprinkle\Core\Facades\Debug;
+use UserFrosting\Sprinkle\Core\Mail\EmailRecipient;
+use UserFrosting\Sprinkle\Core\Mail\TwigMailMessage;
+use UserFrosting\Support\Exception\BadRequestException;
+use UserFrosting\Support\Exception\ForbiddenException;
+use UserFrosting\Support\Exception\HttpException;
+
+/**
+ * Controller class for user-related requests, including listing users, CRUD for users, etc.
+ *
+ * @author Alex Weissman (https://alexanderweissman.com)
+ */
+class UserController extends SimpleController
+{
+ /**
+ * Processes the request to create a new user (from the admin controls).
+ *
+ * Processes the request from the user creation form, checking that:
+ * 1. The username and email are not already in use;
+ * 2. The logged-in user has the necessary permissions to update the posted field(s);
+ * 3. The submitted data is valid.
+ * This route requires authentication.
+ * Request type: POST
+ * @see getModalCreate
+ * @throws ForbiddenException
+ * @throws BadRequestException
+ * @throws ForbiddenException
+ */
+ public function create($request, $response, $args) {
+ // Get POST parameters: user_name, first_name, last_name, email, locale, (group)
+ $params = $request->getParsedBody();
+
+ /** @var UserFrosting\Sprinkle\Account\Authorize\AuthorizationManager $authorizer */
+ $authorizer = $this->ci->authorizer;
+
+ /** @var UserFrosting\Sprinkle\Account\Database\Models\User $currentUser */
+ $currentUser = $this->ci->currentUser;
+
+ // Access-controlled page
+ if (!$authorizer->checkAccess($currentUser, 'create_user')) {
+ throw new ForbiddenException();
+ }
+
+ /** @var UserFrosting\Sprinkle\Core\MessageStream $ms */
+ $ms = $this->ci->alerts;
+
+ // Load the request schema
+ $schema = new RequestSchema('schema://requests/user/create.yaml');
+
+ // Whitelist and set parameter defaults
+ $transformer = new RequestDataTransformer($schema);
+ $data = $transformer->transform($params);
+
+ $error = FALSE;
+
+ // Validate request data
+ $validator = new ServerSideValidator($schema, $this->ci->translator);
+ if (!$validator->validate($data)) {
+ $ms->addValidationErrors($validator);
+ $error = TRUE;
+ }
+
+ /** @var UserFrosting\Sprinkle\Core\Util\ClassMapper $classMapper */
+ $classMapper = $this->ci->classMapper;
+
+ // Check if username or email already exists
+ if ($classMapper->staticMethod('user', 'findUnique', $data['user_name'], 'user_name')) {
+ $ms->addMessageTranslated('danger', 'USERNAME.IN_USE', $data);
+ $error = TRUE;
+ }
+
+ if ($classMapper->staticMethod('user', 'findUnique', $data['email'], 'email')) {
+ $ms->addMessageTranslated('danger', 'EMAIL.IN_USE', $data);
+ $error = TRUE;
+ }
+
+ if ($error) {
+ return $response->withStatus(400);
+ }
+
+ /** @var UserFrosting\Config\Config $config */
+ $config = $this->ci->config;
+
+ // If currentUser does not have permission to set the group, but they try to set it to something other than their own group,
+ // throw an exception.
+ if (!$authorizer->checkAccess($currentUser, 'create_user_field', [
+ 'fields' => ['group']
+ ])) {
+ if (isset($data['group_id']) && $data['group_id'] != $currentUser->group_id) {
+ throw new ForbiddenException();
+ }
+ }
+
+ // In any case, set the group id if not otherwise set
+ if (!isset($data['group_id'])) {
+ $data['group_id'] = $currentUser->group_id;
+ }
+
+ $data['flag_verified'] = 1;
+ // Set password as empty on initial creation. We will then send email so new user can set it themselves via a verification token
+ $data['password'] = '';
+
+ // All checks passed! log events/activities, create user, and send verification email (if required)
+ // Begin transaction - DB will be rolled back if an exception occurs
+ Capsule::transaction(function () use ($classMapper, $data, $ms, $config, $currentUser) {
+ // Create the user
+ $user = $classMapper->createInstance('user', $data);
+
+ // Store new user to database
+ $user->save();
+
+ // Create activity record
+ $this->ci->userActivityLogger->info("User {$currentUser->user_name} created a new account for {$user->user_name}.", [
+ 'type' => 'account_create',
+ 'user_id' => $currentUser->id
+ ]);
+
+ // Load default roles
+ $defaultRoleSlugs = $classMapper->staticMethod('role', 'getDefaultSlugs');
+ $defaultRoles = $classMapper->staticMethod('role', 'whereIn', 'slug', $defaultRoleSlugs)->get();
+ $defaultRoleIds = $defaultRoles->pluck('id')->all();
+
+ // Attach default roles
+ $user->roles()->attach($defaultRoleIds);
+
+ // Try to generate a new password request
+ $passwordRequest = $this->ci->repoPasswordReset->create($user, $config['password_reset.timeouts.create']);
+
+ // Create and send welcome email with password set link
+ $message = new TwigMailMessage($this->ci->view, 'mail/password-create.html.twig');
+
+ $message->from($config['address_book.admin'])
+ ->addEmailRecipient(new EmailRecipient($user->email, $user->full_name))
+ ->addParams([
+ 'user' => $user,
+ 'create_password_expiration' => $config['password_reset.timeouts.create'] / 3600 . ' hours',
+ 'token' => $passwordRequest->getToken()
+ ]);
+
+ $this->ci->mailer->send($message);
+
+ $ms->addMessageTranslated('success', 'USER.CREATED', $data);
+ });
+
+ return $response->withStatus(200);
+ }
+
+ /**
+ * Processes the request to send a user a password reset email.
+ *
+ * Processes the request from the user update form, checking that:
+ * 1. The target user's new email address, if specified, is not already in use;
+ * 2. The logged-in user has the necessary permissions to update the posted field(s);
+ * 3. We're not trying to disable the master account;
+ * 4. The submitted data is valid.
+ * This route requires authentication.
+ * Request type: POST
+ * @throws ForbiddenException
+ * @throws NotFoundException
+ * @throws BadRequestException
+ */
+ public function createPasswordReset($request, $response, $args) {
+ // Get the username from the URL
+ $user = $this->getUserFromParams($args);
+
+ if (!$user) {
+ throw new NotFoundException($request, $response);
+ }
+
+ /** @var UserFrosting\Sprinkle\Account\Authorize\AuthorizationManager $authorizer */
+ $authorizer = $this->ci->authorizer;
+
+ /** @var UserFrosting\Sprinkle\Account\Database\Models\User $currentUser */
+ $currentUser = $this->ci->currentUser;
+
+ // Access-controlled resource - check that currentUser has permission to edit "password" for this user
+ if (!$authorizer->checkAccess($currentUser, 'update_user_field', [
+ 'user' => $user,
+ 'fields' => ['password']
+ ])) {
+ throw new ForbiddenException();
+ }
+
+ /** @var UserFrosting\Config\Config $config */
+ $config = $this->ci->config;
+
+ /** @var UserFrosting\Sprinkle\Core\MessageStream $ms */
+ $ms = $this->ci->alerts;
+
+ // Begin transaction - DB will be rolled back if an exception occurs
+ Capsule::transaction(function () use ($user, $config) {
+
+ // Create a password reset and shoot off an email
+ $passwordReset = $this->ci->repoPasswordReset->create($user, $config['password_reset.timeouts.reset']);
+
+ // Create and send welcome email with password set link
+ $message = new TwigMailMessage($this->ci->view, 'mail/password-reset.html.twig');
+
+ $message->from($config['address_book.admin'])
+ ->addEmailRecipient(new EmailRecipient($user->email, $user->full_name))
+ ->addParams([
+ 'user' => $user,
+ 'token' => $passwordReset->getToken(),
+ 'request_date' => Carbon::now()->format('Y-m-d H:i:s')
+ ]);
+
+ $this->ci->mailer->send($message);
+ });
+
+ $ms->addMessageTranslated('success', 'PASSWORD.FORGET.REQUEST_SENT', [
+ 'email' => $user->email
+ ]);
+ return $response->withStatus(200);
+ }
+
+
+ /**
+ * Sets the users public key
+ * Request type: POST
+ * @throws NotFoundException
+ * @throws BadRequestException
+ * @throws ForbiddenException
+ */
+ public function setPublicKey($request, $response, $args) {
+ $requestedUser = $this->getUserFromParams($args);
+
+ if (!$requestedUser) {
+ throw new NotFoundException($request, $response);
+ }
+
+ $PublicKey = $request->getParsedBody()["PublicKey"];
+
+ if ($this->ci->currentUser->id === $requestedUser->id && (Capsule::table('public_keys')
+ ->where('user_id', "=", $requestedUser->id)
+ ->exists()) === FALSE) {
+ Capsule::table('public_keys')
+ ->insert(['user_id' => $requestedUser->id, 'key' => substr(substr($PublicKey, 100), 0, -40)]);
+ return $response->withStatus(200);
+ } else if ($this->ci->currentUser->id === $requestedUser->id) {
+ Capsule::table('public_keys')
+ ->where('user_id', $requestedUser->id)
+ ->update(['key' => substr(substr($PublicKey, 100), 0, -40)]);
+ return $response->withStatus(200);
+ } else {
+ throw new ForbiddenException();
+ }
+ }
+
+ /**
+ * Processes the request to delete an existing user.
+ *
+ * Deletes the specified user, removing any existing associations.
+ * Before doing so, checks that:
+ * 1. You are not trying to delete the master account;
+ * 2. You have permission to delete the target user's account.
+ * This route requires authentication (and should generally be limited to admins or the root user).
+ * Request type: DELETE
+ * @throws BadRequestException
+ * @throws ForbiddenException
+ * @throws NotFoundException
+ * @throws BadRequestException
+ */
+ public function delete($request, $response, $args) {
+ $user = $this->getUserFromParams($args);
+
+ // If the user doesn't exist, return 404
+ if (!$user) {
+ throw new NotFoundException($request, $response);
+ }
+
+ /** @var UserFrosting\Sprinkle\Account\Authorize\AuthorizationManager $authorizer */
+ $authorizer = $this->ci->authorizer;
+
+ /** @var UserFrosting\Sprinkle\Account\Database\Models\User $currentUser */
+ $currentUser = $this->ci->currentUser;
+
+ // Access-controlled page
+ if (!$authorizer->checkAccess($currentUser, 'delete_user', [
+ 'user' => $user
+ ])) {
+ throw new ForbiddenException();
+ }
+
+ /** @var UserFrosting\Config\Config $config */
+ $config = $this->ci->config;
+
+ // Check that we are not deleting the master account
+ // Need to use loose comparison for now, because some DBs return `id` as a string
+ if ($user->id == $config['reserved_user_ids.master']) {
+ $e = new BadRequestException();
+ $e->addUserMessage('DELETE_MASTER');
+ throw $e;
+ }
+
+ $userName = $user->user_name;
+
+ // Begin transaction - DB will be rolled back if an exception occurs
+ Capsule::transaction(function () use ($user, $userName, $currentUser) {
+ $user->delete();
+ unset($user);
+
+ // Create activity record
+ $this->ci->userActivityLogger->info("User {$currentUser->user_name} deleted the account for {$userName}.", [
+ 'type' => 'account_delete',
+ 'user_id' => $currentUser->id
+ ]);
+ });
+
+ /** @var UserFrosting\Sprinkle\Core\MessageStream $ms */
+ $ms = $this->ci->alerts;
+
+ $ms->addMessageTranslated('success', 'DELETION_SUCCESSFUL', [
+ 'user_name' => $userName
+ ]);
+
+ return $response->withStatus(200);
+ }
+
+ /**
+ * Returns activity history for a single user.
+ *
+ * This page requires authentication.
+ * Request type: GET
+ * @throws ForbiddenException
+ * @throws NotFoundException
+ * @throws BadRequestException
+ */
+ public function getActivities($request, $response, $args) {
+ $user = $this->getUserFromParams($args);
+
+ // If the user doesn't exist, return 404
+ if (!$user) {
+ throw new NotFoundException($request, $response);
+ }
+
+ /** @var UserFrosting\Sprinkle\Core\Util\ClassMapper $classMapper */
+ $classMapper = $this->ci->classMapper;
+
+ // GET parameters
+ $params = $request->getQueryParams();
+
+ /** @var UserFrosting\Sprinkle\Account\Authorize\AuthorizationManager $authorizer */
+ $authorizer = $this->ci->authorizer;
+
+ /** @var UserFrosting\Sprinkle\Account\Database\Models\User $currentUser */
+ $currentUser = $this->ci->currentUser;
+
+ // Access-controlled page
+ if (!$authorizer->checkAccess($currentUser, 'view_user_field', [
+ 'user' => $user,
+ 'property' => 'activities'
+ ])) {
+ throw new ForbiddenException();
+ }
+
+ $sprunje = $classMapper->createInstance('activity_sprunje', $classMapper, $params);
+
+ $sprunje->extendQuery(function ($query) use ($user) {
+ return $query->where('user_id', $user->id);
+ });
+
+ // Be careful how you consume this data - it has not been escaped and contains untrusted user-supplied content.
+ // For example, if you plan to insert it into an HTML DOM, you must escape it on the client side (or use client-side templating).
+ return $sprunje->toResponse($response);
+ }
+
+ /**
+ * Returns info for a single user.
+ *
+ * This page requires authentication.
+ * Request type: GET
+ * @throws ForbiddenException
+ * @throws NotFoundException
+ * @throws BadRequestException
+ */
+ public function getInfo($request, $response, $args) {
+ $user = $this->getUserFromParams($args);
+
+ // If the user doesn't exist, return 404
+ if (!$user) {
+ throw new NotFoundException($request, $response);
+ }
+
+ /** @var UserFrosting\Sprinkle\Core\Util\ClassMapper $classMapper */
+ $classMapper = $this->ci->classMapper;
+
+ // Join user's most recent activity
+ $user = $classMapper->createInstance('user')
+ ->where('user_name', $user->user_name)
+ ->joinLastActivity()
+ ->with('lastActivity', 'group')
+ ->first();
+
+ /** @var UserFrosting\Sprinkle\Account\Authorize\AuthorizationManager $authorizer */
+ $authorizer = $this->ci->authorizer;
+
+ /** @var UserFrosting\Sprinkle\Account\Database\Models\User $currentUser */
+ $currentUser = $this->ci->currentUser;
+
+ // Access-controlled page
+ if (!$authorizer->checkAccess($currentUser, 'uri_user', [
+ 'user' => $user
+ ])) {
+ throw new ForbiddenException();
+ }
+
+ $result = $user->toArray();
+ $result["avatar"] = $user->avatar;
+
+ // Be careful how you consume this data - it has not been escaped and contains untrusted user-supplied content.
+ // For example, if you plan to insert it into an HTML DOM, you must escape it on the client side (or use client-side templating).
+ return $response->withJson($result, 200, JSON_PRETTY_PRINT);
+ }
+
+ /**
+ * Returns a list of Users
+ *
+ * Generates a list of users, optionally paginated, sorted and/or filtered.
+ * This page requires authentication.
+ * Request type: GET
+ * @throws ForbiddenException
+ */
+ public function getList($request, $response, $args) {
+ // GET parameters
+ $params = $request->getQueryParams();
+
+ /** @var UserFrosting\Sprinkle\Account\Authorize\AuthorizationManager $authorizer */
+ $authorizer = $this->ci->authorizer;
+
+ /** @var UserFrosting\Sprinkle\Account\Database\Models\User $currentUser */
+ $currentUser = $this->ci->currentUser;
+
+ // Access-controlled page
+ if (!$authorizer->checkAccess($currentUser, 'uri_users')) {
+ throw new ForbiddenException();
+ }
+
+ /** @var UserFrosting\Sprinkle\Core\Util\ClassMapper $classMapper */
+ $classMapper = $this->ci->classMapper;
+
+ $sprunje = $classMapper->createInstance('user_sprunje', $classMapper, $params);
+
+ // Be careful how you consume this data - it has not been escaped and contains untrusted user-supplied content.
+ // For example, if you plan to insert it into an HTML DOM, you must escape it on the client side (or use client-side templating).
+ return $sprunje->toResponse($response);
+ }
+
+ /**
+ * Renders the modal form to confirm user deletion.
+ *
+ * This does NOT render a complete page. Instead, it renders the HTML for the modal, which can be embedded in other pages.
+ * This page requires authentication.
+ * Request type: GET
+ * @throws BadRequestException
+ * @throws ForbiddenException
+ * @throws NotFoundException
+ * @throws BadRequestException
+ */
+ public function getModalConfirmDelete($request, $response, $args) {
+ // GET parameters
+ $params = $request->getQueryParams();
+
+ $user = $this->getUserFromParams($params);
+
+ // If the user doesn't exist, return 404
+ if (!$user) {
+ throw new NotFoundException($request, $response);
+ }
+
+ /** @var UserFrosting\Sprinkle\Account\Authorize\AuthorizationManager $authorizer */
+ $authorizer = $this->ci->authorizer;
+
+ /** @var UserFrosting\Sprinkle\Account\Database\Models\User $currentUser */
+ $currentUser = $this->ci->currentUser;
+
+ // Access-controlled page
+ if (!$authorizer->checkAccess($currentUser, 'delete_user', [
+ 'user' => $user
+ ])) {
+ throw new ForbiddenException();
+ }
+
+ /** @var UserFrosting\Config\Config $config */
+ $config = $this->ci->config;
+
+ // Check that we are not deleting the master account
+ // Need to use loose comparison for now, because some DBs return `id` as a string
+ if ($user->id == $config['reserved_user_ids.master']) {
+ $e = new BadRequestException();
+ $e->addUserMessage('DELETE_MASTER');
+ throw $e;
+ }
+
+ return $this->ci->view->render($response, 'modals/confirm-delete-user.html.twig', [
+ 'user' => $user,
+ 'form' => [
+ 'action' => "api/users/u/{$user->user_name}",
+ ]
+ ]);
+ }
+
+ /**
+ * Renders the modal form for creating a new user.
+ *
+ * This does NOT render a complete page. Instead, it renders the HTML for the modal, which can be embedded in other pages.
+ * If the currently logged-in user has permission to modify user group membership, then the group toggle will be displayed.
+ * Otherwise, the user will be added to the default group and receive the default roles automatically.
+ * This page requires authentication.
+ * Request type: GET
+ * @throws ForbiddenException
+ */
+ public function getModalCreate($request, $response, $args) {
+ // GET parameters
+ $params = $request->getQueryParams();
+
+ /** @var UserFrosting\Sprinkle\Account\Authorize\AuthorizationManager $authorizer */
+ $authorizer = $this->ci->authorizer;
+
+ /** @var UserFrosting\Sprinkle\Account\Database\Models\User $currentUser */
+ $currentUser = $this->ci->currentUser;
+
+ /** @var UserFrosting\I18n\MessageTranslator $translator */
+ $translator = $this->ci->translator;
+
+ // Access-controlled page
+ if (!$authorizer->checkAccess($currentUser, 'create_user')) {
+ throw new ForbiddenException();
+ }
+
+ /** @var UserFrosting\Sprinkle\Core\Util\ClassMapper $classMapper */
+ $classMapper = $this->ci->classMapper;
+
+ /** @var UserFrosting\Config\Config $config */
+ $config = $this->ci->config;
+
+ // Determine form fields to hide/disable
+ $fields = [
+ 'hidden' => ['theme'],
+ 'disabled' => []
+ ];
+
+ // Get a list of all locales
+ $locales = $config->getDefined('site.locales.available');
+
+ // Determine if currentUser has permission to modify the group. If so, show the 'group' dropdown.
+ // Otherwise, set to the currentUser's group and disable the dropdown.
+ if ($authorizer->checkAccess($currentUser, 'create_user_field', [
+ 'fields' => ['group']
+ ])) {
+ // Get a list of all groups
+ $groups = $classMapper->staticMethod('group', 'all');
+ } else {
+ // Get the current user's group
+ $groups = $currentUser->group()->get();
+ $fields['disabled'][] = 'group';
+ }
+
+ // Create a dummy user to prepopulate fields
+ $data = [
+ 'group_id' => $currentUser->group_id,
+ 'locale' => $config['site.registration.user_defaults.locale'],
+ 'theme' => ''
+ ];
+
+ $user = $classMapper->createInstance('user', $data);
+
+ // Load validation rules
+ $schema = new RequestSchema('schema://requests/user/create.yaml');
+ $validator = new JqueryValidationAdapter($schema, $this->ci->translator);
+
+ return $this->ci->view->render($response, 'modals/user.html.twig', [
+ 'user' => $user,
+ 'groups' => $groups,
+ 'locales' => $locales,
+ 'form' => [
+ 'action' => 'api/users',
+ 'method' => 'POST',
+ 'fields' => $fields,
+ 'submit_text' => $translator->translate('CREATE')
+ ],
+ 'page' => [
+ 'validators' => $validator->rules('json', FALSE)
+ ]
+ ]);
+ }
+
+ /**
+ * Renders the modal form for editing an existing user.
+ *
+ * This does NOT render a complete page. Instead, it renders the HTML for the modal, which can be embedded in other pages.
+ * This page requires authentication.
+ * Request type: GET
+ * @throws ForbiddenException
+ * @throws NotFoundException
+ * @throws BadRequestException
+ */
+ public function getModalEdit($request, $response, $args) {
+ // GET parameters
+ $params = $request->getQueryParams();
+
+ $user = $this->getUserFromParams($params);
+
+ // If the user doesn't exist, return 404
+ if (!$user) {
+ throw new NotFoundException($request, $response);
+ }
+
+ /** @var UserFrosting\Sprinkle\Core\Util\ClassMapper $classMapper */
+ $classMapper = $this->ci->classMapper;
+
+ // Get the user to edit
+ $user = $classMapper->staticMethod('user', 'where', 'user_name', $user->user_name)
+ ->with('group')
+ ->first();
+
+ /** @var UserFrosting\Sprinkle\Account\Authorize\AuthorizationManager $authorizer */
+ $authorizer = $this->ci->authorizer;
+
+ /** @var UserFrosting\Sprinkle\Account\Database\Models\User $currentUser */
+ $currentUser = $this->ci->currentUser;
+
+ // Access-controlled resource - check that currentUser has permission to edit basic fields "name", "email", "locale" for this user
+ $fieldNames = ['name', 'email', 'locale'];
+ if (!$authorizer->checkAccess($currentUser, 'update_user_field', [
+ 'user' => $user,
+ 'fields' => $fieldNames
+ ])) {
+ throw new ForbiddenException();
+ }
+
+ // Get a list of all groups
+ $groups = $classMapper->staticMethod('group', 'all');
+
+ /** @var UserFrosting\Config\Config $config */
+ $config = $this->ci->config;
+
+ // Get a list of all locales
+ $locales = $config->getDefined('site.locales.available');
+
+ // Generate form
+ $fields = [
+ 'hidden' => ['theme'],
+ 'disabled' => ['user_name']
+ ];
+
+ // Disable group field if currentUser doesn't have permission to modify group
+ if (!$authorizer->checkAccess($currentUser, 'update_user_field', [
+ 'user' => $user,
+ 'fields' => ['group']
+ ])) {
+ $fields['disabled'][] = 'group';
+ }
+
+ // Load validation rules
+ $schema = new RequestSchema('schema://requests/user/edit-info.yaml');
+ $validator = new JqueryValidationAdapter($schema, $this->ci->translator);
+
+ $translator = $this->ci->translator;
+
+ return $this->ci->view->render($response, 'modals/user.html.twig', [
+ 'user' => $user,
+ 'groups' => $groups,
+ 'locales' => $locales,
+ 'form' => [
+ 'action' => "api/users/u/{$user->user_name}",
+ 'method' => 'PUT',
+ 'fields' => $fields,
+ 'submit_text' => $translator->translate('UPDATE')
+ ],
+ 'page' => [
+ 'validators' => $validator->rules('json', FALSE)
+ ]
+ ]);
+ }
+
+ /**
+ * Renders the modal form for editing a user's password.
+ *
+ * This does NOT render a complete page. Instead, it renders the HTML for the form, which can be embedded in other pages.
+ * This page requires authentication.
+ * Request type: GET
+ * @throws ForbiddenException
+ * @throws NotFoundException
+ * @throws BadRequestException
+ */
+ public function getModalEditPassword($request, $response, $args) {
+ // GET parameters
+ $params = $request->getQueryParams();
+
+ $user = $this->getUserFromParams($params);
+
+ // If the user doesn't exist, return 404
+ if (!$user) {
+ throw new NotFoundException($request, $response);
+ }
+
+ /** @var UserFrosting\Sprinkle\Account\Authorize\AuthorizationManager $authorizer */
+ $authorizer = $this->ci->authorizer;
+
+ /** @var UserFrosting\Sprinkle\Account\Database\Models\User $currentUser */
+ $currentUser = $this->ci->currentUser;
+
+ // Access-controlled resource - check that currentUser has permission to edit "password" field for this user
+ if (!$authorizer->checkAccess($currentUser, 'update_user_field', [
+ 'user' => $user,
+ 'fields' => ['password']
+ ])) {
+ throw new ForbiddenException();
+ }
+
+ // Load validation rules
+ $schema = new RequestSchema('schema://requests/user/edit-password.yaml');
+ $validator = new JqueryValidationAdapter($schema, $this->ci->translator);
+
+ return $this->ci->view->render($response, 'modals/user-set-password.html.twig', [
+ 'user' => $user,
+ 'page' => [
+ 'validators' => $validator->rules('json', FALSE)
+ ]
+ ]);
+ }
+
+ /**
+ * Renders the modal form for editing a user's roles.
+ *
+ * This does NOT render a complete page. Instead, it renders the HTML for the form, which can be embedded in other pages.
+ * This page requires authentication.
+ * Request type: GET
+ * @throws ForbiddenException
+ * @throws NotFoundException
+ * @throws BadRequestException
+ */
+ public function getModalEditRoles($request, $response, $args) {
+ // GET parameters
+ $params = $request->getQueryParams();
+
+ $user = $this->getUserFromParams($params);
+
+ // If the user doesn't exist, return 404
+ if (!$user) {
+ throw new NotFoundException($request, $response);
+ }
+
+ /** @var UserFrosting\Sprinkle\Account\Authorize\AuthorizationManager $authorizer */
+ $authorizer = $this->ci->authorizer;
+
+ /** @var UserFrosting\Sprinkle\Account\Database\Models\User $currentUser */
+ $currentUser = $this->ci->currentUser;
+
+ // Access-controlled resource - check that currentUser has permission to edit "roles" field for this user
+ if (!$authorizer->checkAccess($currentUser, 'update_user_field', [
+ 'user' => $user,
+ 'fields' => ['roles']
+ ])) {
+ throw new ForbiddenException();
+ }
+
+ return $this->ci->view->render($response, 'modals/user-manage-roles.html.twig', [
+ 'user' => $user
+ ]);
+ }
+
+ /**
+ * Returns a list of effective Permissions for a specified User.
+ *
+ * Generates a list of permissions, optionally paginated, sorted and/or filtered.
+ * This page requires authentication.
+ * Request type: GET
+ * @throws ForbiddenException
+ * @throws NotFoundException
+ * @throws BadRequestException
+ */
+ public function getPermissions($request, $response, $args) {
+ $user = $this->getUserFromParams($args);
+
+ // If the user doesn't exist, return 404
+ if (!$user) {
+ throw new NotFoundException($request, $response);
+ }
+
+ // GET parameters
+ $params = $request->getQueryParams();
+
+ /** @var UserFrosting\Sprinkle\Account\Authorize\AuthorizationManager */
+ $authorizer = $this->ci->authorizer;
+
+ /** @var UserFrosting\Sprinkle\Account\Database\Models\User $currentUser */
+ $currentUser = $this->ci->currentUser;
+
+ // Access-controlled page
+ if (!$authorizer->checkAccess($currentUser, 'view_user_field', [
+ 'user' => $user,
+ 'property' => 'permissions'
+ ])) {
+ throw new ForbiddenException();
+ }
+
+ /** @var UserFrosting\Sprinkle\Core\Util\ClassMapper $classMapper */
+ $classMapper = $this->ci->classMapper;
+
+ $params['user_id'] = $user->id;
+ $sprunje = $classMapper->createInstance('user_permission_sprunje', $classMapper, $params);
+
+ $response = $sprunje->toResponse($response);
+
+ // Be careful how you consume this data - it has not been escaped and contains untrusted user-supplied content.
+ // For example, if you plan to insert it into an HTML DOM, you must escape it on the client side (or use client-side templating).
+ return $response;
+ }
+
+ /**
+ * Returns roles associated with a single user.
+ *
+ * This page requires authentication.
+ * Request type: GET
+ * @throws ForbiddenException
+ * @throws NotFoundException
+ * @throws BadRequestException
+ */
+ public function getRoles($request, $response, $args) {
+ $user = $this->getUserFromParams($args);
+
+ // If the user doesn't exist, return 404
+ if (!$user) {
+ throw new NotFoundException($request, $response);
+ }
+
+ /** @var UserFrosting\Sprinkle\Core\Util\ClassMapper $classMapper */
+ $classMapper = $this->ci->classMapper;
+
+ // GET parameters
+ $params = $request->getQueryParams();
+
+ /** @var UserFrosting\Sprinkle\Account\Authorize\AuthorizationManager $authorizer */
+ $authorizer = $this->ci->authorizer;
+
+ /** @var UserFrosting\Sprinkle\Account\Database\Models\User $currentUser */
+ $currentUser = $this->ci->currentUser;
+
+ // Access-controlled page
+ if (!$authorizer->checkAccess($currentUser, 'view_user_field', [
+ 'user' => $user,
+ 'property' => 'roles'
+ ])) {
+ throw new ForbiddenException();
+ }
+
+ $sprunje = $classMapper->createInstance('role_sprunje', $classMapper, $params);
+ $sprunje->extendQuery(function ($query) use ($user) {
+ return $query->forUser($user->id);
+ });
+
+ // Be careful how you consume this data - it has not been escaped and contains untrusted user-supplied content.
+ // For example, if you plan to insert it into an HTML DOM, you must escape it on the client side (or use client-side templating).
+ return $sprunje->toResponse($response);
+ }
+
+ /**
+ * Renders a page displaying a user's information, in read-only mode.
+ *
+ * This checks that the currently logged-in user has permission to view the requested user's info.
+ * It checks each field individually, showing only those that you have permission to view.
+ * This will also try to show buttons for activating, disabling/enabling, deleting, and editing the user.
+ * This page requires authentication.
+ * Request type: GET
+ * @throws ForbiddenException
+ * @throws BadRequestException
+ */
+ public function pageInfo($request, $response, $args) {
+ $user = $this->getUserFromParams($args);
+
+ // If the user no longer exists, forward to main user listing page
+ if (!$user) {
+ $usersPage = $this->ci->router->pathFor('uri_users');
+ return $response->withRedirect($usersPage, 404);
+ }
+
+ /** @var UserFrosting\Sprinkle\Account\Authorize\AuthorizationManager $authorizer */
+ $authorizer = $this->ci->authorizer;
+
+ /** @var UserFrosting\Sprinkle\Account\Database\Models\User $currentUser */
+ $currentUser = $this->ci->currentUser;
+
+ // Access-controlled page
+ if (!$authorizer->checkAccess($currentUser, 'uri_user', [
+ 'user' => $user
+ ])) {
+ throw new ForbiddenException();
+ }
+
+ /** @var UserFrosting\Config\Config $config */
+ $config = $this->ci->config;
+
+ // Get a list of all locales
+ $locales = $config->getDefined('site.locales.available');
+
+ // Determine fields that currentUser is authorized to view
+ $fieldNames = ['user_name', 'name', 'email', 'locale', 'group', 'roles'];
+
+ // Generate form
+ $fields = [
+ // Always hide these
+ 'hidden' => ['theme']
+ ];
+
+ // Determine which fields should be hidden
+ foreach ($fieldNames as $field) {
+ if (!$authorizer->checkAccess($currentUser, 'view_user_field', [
+ 'user' => $user,
+ 'property' => $field
+ ])) {
+ $fields['hidden'][] = $field;
+ }
+ }
+
+ // Determine buttons to display
+ $editButtons = [
+ 'hidden' => []
+ ];
+
+ if (!$authorizer->checkAccess($currentUser, 'update_user_field', [
+ 'user' => $user,
+ 'fields' => ['name', 'email', 'locale']
+ ])) {
+ $editButtons['hidden'][] = 'edit';
+ }
+
+ if (!$authorizer->checkAccess($currentUser, 'update_user_field', [
+ 'user' => $user,
+ 'fields' => ['flag_enabled']
+ ])) {
+ $editButtons['hidden'][] = 'enable';
+ }
+
+ if (!$authorizer->checkAccess($currentUser, 'update_user_field', [
+ 'user' => $user,
+ 'fields' => ['flag_verified']
+ ])) {
+ $editButtons['hidden'][] = 'activate';
+ }
+
+ if (!$authorizer->checkAccess($currentUser, 'update_user_field', [
+ 'user' => $user,
+ 'fields' => ['password']
+ ])) {
+ $editButtons['hidden'][] = 'password';
+ }
+
+ if (!$authorizer->checkAccess($currentUser, 'update_user_field', [
+ 'user' => $user,
+ 'fields' => ['roles']
+ ])) {
+ $editButtons['hidden'][] = 'roles';
+ }
+
+ if (!$authorizer->checkAccess($currentUser, 'delete_user', [
+ 'user' => $user
+ ])) {
+ $editButtons['hidden'][] = 'delete';
+ }
+
+ // Determine widgets to display
+ $widgets = [
+ 'hidden' => []
+ ];
+
+ if (!$authorizer->checkAccess($currentUser, 'view_user_field', [
+ 'user' => $user,
+ 'property' => 'permissions'
+ ])) {
+ $widgets['hidden'][] = 'permissions';
+ }
+
+ if (!$authorizer->checkAccess($currentUser, 'view_user_field', [
+ 'user' => $user,
+ 'property' => 'activities'
+ ])) {
+ $widgets['hidden'][] = 'activities';
+ }
+
+ return $this->ci->view->render($response, 'pages/user.html.twig', [
+ 'user' => $user,
+ 'locales' => $locales,
+ 'fields' => $fields,
+ 'tools' => $editButtons,
+ 'widgets' => $widgets
+ ]);
+ }
+
+ /**
+ * Renders the user listing page.
+ *
+ * This page renders a table of users, with dropdown menus for admin actions for each user.
+ * Actions typically include: edit user details, activate user, enable/disable user, delete user.
+ * This page requires authentication.
+ * Request type: GET
+ * @throws ForbiddenException
+ */
+ public function pageList($request, $response, $args) {
+ /** @var UserFrosting\Sprinkle\Account\Authorize\AuthorizationManager $authorizer */
+ $authorizer = $this->ci->authorizer;
+
+ /** @var UserFrosting\Sprinkle\Account\Database\Models\User $currentUser */
+ $currentUser = $this->ci->currentUser;
+
+ // Access-controlled page
+ if (!$authorizer->checkAccess($currentUser, 'uri_users')) {
+ throw new ForbiddenException();
+ }
+
+ return $this->ci->view->render($response, 'pages/users.html.twig');
+ }
+
+ /**
+ * Gets the users public key
+ * Request type: GET
+ * @throws NotFoundException
+ * @throws BadRequestException
+ */
+ public function getPublicKey($request, $response, $args) {
+ $requestedUser = $this->getUserFromParams($args);
+
+ if (!$requestedUser) {
+ throw new NotFoundException($request, $response);
+ }
+
+ if ((Capsule::table('public_keys')
+ ->where('user_id', "=", $requestedUser->id)
+ ->exists())) {
+
+ $RawPublicKey = Capsule::table('public_keys')
+ ->where('user_id', "=", $requestedUser->id)
+ ->value('key');
+ $PublicKey = "-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: OpenPGP.js v3.0.9\nComment: https://openpgpjs.org\n\n" . $RawPublicKey . "\n-----END PGP PUBLIC KEY BLOCK-----";
+
+ $ContentType = explode(',', $request->getHeaderLine('Accept'))[0];
+ switch ($ContentType) {
+ case 'application/json':
+ $response->write(json_encode(array('user_id' => $requestedUser->id, 'PublicKey' => $PublicKey)));
+ break;
+ case 'text/html':
+ $response->write("<pre>" . $PublicKey);
+ break;
+ default:
+ $response->write($PublicKey);
+ }
+ return $response->withStatus(200);
+ } else {
+ throw new NotFoundException($request, $response);
+ }
+ }
+
+ /**
+ * Gets the users which are following the requested user
+ * Request type: GET
+ * @throws ForbiddenException
+ * @throws NotFoundException
+ * @throws BadRequestException
+ */
+ public function getFollowers($request, $response, $args) {
+ $user = $this->getUserFromParams($args);
+
+ // If the user doesn't exist, return 404
+ if (!$user) {
+ throw new NotFoundException($request, $response);
+ }
+
+ /** @var UserFrosting\Sprinkle\Account\Authorize\AuthorizationManager $authorizer */
+ $authorizer = $this->ci->authorizer;
+
+ /** @var UserFrosting\Sprinkle\Account\Database\Models\User $currentUser */
+ $currentUser = $this->ci->currentUser;
+
+ // Access-controlled page
+ if (!$authorizer->checkAccess($currentUser, 'uri_user', [
+ 'user' => $user
+ ])) {
+ throw new ForbiddenException();
+ }
+
+ $UsersFollowers = Capsule::table('user_follow')
+ ->where('user_id', "=", $user->id)
+ ->join("users", "users.id", "=", "user_follow.followed_by_id")
+ ->select("user_follow.followed_by_id as id", "users.user_name as username")
+ ->get();
+
+ $result = $UsersFollowers->toArray();
+
+ return $response->withJson($result, 200, JSON_PRETTY_PRINT);
+ }
+
+ /**
+ * Get users which the user follows
+ * Request type: GET
+ * @throws ForbiddenException
+ * @throws NotFoundException
+ * @throws BadRequestException
+ */
+ public function getFollows($request, $response, $args) {
+ $user = $this->getUserFromParams($args);
+
+ // If the user doesn't exist, return 404
+ if (!$user) {
+ throw new NotFoundException($request, $response);
+ }
+
+ /** @var UserFrosting\Sprinkle\Account\Authorize\AuthorizationManager $authorizer */
+ $authorizer = $this->ci->authorizer;
+
+ /** @var UserFrosting\Sprinkle\Account\Database\Models\User $currentUser */
+ $currentUser = $this->ci->currentUser;
+
+ // Access-controlled page
+ if (($user->id == $currentUser->id) || (!$authorizer->checkAccess($currentUser, 'uri_user', [
+ 'user' => $user
+ ]))) {
+ throw new ForbiddenException();
+ }
+
+ $UsersFollows = Capsule::table('user_follow')
+ ->where('followed_by_id', "=", $user->id)
+ ->join("users", "users.id", "=", "user_follow.user_id")
+ ->select("user_follow.user_id as id", "users.user_name as username")
+ ->get();
+
+ $result = $UsersFollows->toArray();
+
+ return $response->withJson($result, 200, JSON_PRETTY_PRINT);
+ }
+
+ /**
+ * Get users which the user follows and which are following the user
+ * Request type: GET
+ * @throws NotFoundException
+ * @throws ForbiddenException
+ * @throws BadRequestException
+ */
+ public function getFriends($request, $response, $args) {
+ $user = $this->getUserFromParams($args);
+
+ // If the user doesn't exist, return 404
+ if (!$user) {
+ throw new NotFoundException($request, $response);
+ }
+
+ /** @var UserFrosting\Sprinkle\Account\Authorize\AuthorizationManager $authorizer */
+ $authorizer = $this->ci->authorizer;
+
+ /** @var UserFrosting\Sprinkle\Account\Database\Models\User $currentUser */
+ $currentUser = $this->ci->currentUser;
+
+ // Access-controlled page
+ if (!$authorizer->checkAccess($currentUser, 'uri_user', [
+ 'user' => $user
+ ])) {
+ throw new ForbiddenException();
+ }
+
+ $UsersFriends = Capsule::select("SELECT id FROM (SELECT user_id AS id FROM user_follow WHERE followed_by_id = $user->id UNION ALL SELECT followed_by_id FROM user_follow WHERE user_id = $user->id) t GROUP BY id HAVING COUNT(id) > 1");
+
+ /** @var UserFrosting\Sprinkle\Core\Util\ClassMapper $classMapper */
+ $classMapper = $this->ci->classMapper;
+
+ foreach ($UsersFriends as $Key => $UsersFriendId) { // NOT THAT EFFICIENT...
+ $UsersFriendInformation = $classMapper->createInstance('user')// raw select doesnt work with instance
+ ->where('id', $UsersFriendId->id)
+ ->get();
+
+ $UsersFriends[$Key]->id = $UsersFriendInformation[0]->id;
+ $UsersFriends[$Key]->username = $UsersFriendInformation[0]->user_name;
+ $UsersFriends[$Key]->avatar = $UsersFriendInformation[0]->avatar;
+ $UsersFriends[$Key]->full_name = $UsersFriendInformation[0]->full_name;
+ }
+
+ $result = $UsersFriends;
+
+ if (sizeof($result) > 0) { // USER HAS FRIENDS
+ return $response->withJson($result, 200, JSON_PRETTY_PRINT);
+ } else {
+ throw new NotFoundException($request, $response);
+ }
+ }
+
+
+ /**
+ * Processes the request to update an existing user's basic details (first_name, last_name, email, locale, group_id)
+ *
+ * Processes the request from the user update form, checking that:
+ * 1. The target user's new email address, if specified, is not already in use;
+ * 2. The logged-in user has the necessary permissions to update the putted field(s);
+ * 3. The submitted data is valid.
+ * This route requires authentication.
+ * Request type: PUT
+ * @throws NotFoundException
+ * @throws ForbiddenException
+ * @throws BadRequestException
+ * @throws BadRequestException
+ */
+ public function updateInfo($request, $response, $args) {
+ // Get the username from the URL
+ $user = $this->getUserFromParams($args);
+
+ if (!$user) {
+ throw new NotFoundException($request, $response);
+ }
+
+ /** @var UserFrosting\Config\Config $config */
+ $config = $this->ci->config;
+
+ // Get PUT parameters
+ $params = $request->getParsedBody();
+
+ /** @var UserFrosting\Sprinkle\Core\MessageStream $ms */
+ $ms = $this->ci->alerts;
+
+ // Load the request schema
+ $schema = new RequestSchema('schema://requests/user/edit-info.yaml');
+
+ // Whitelist and set parameter defaults
+ $transformer = new RequestDataTransformer($schema);
+ $data = $transformer->transform($params);
+
+ $error = FALSE;
+
+ // Validate request data
+ $validator = new ServerSideValidator($schema, $this->ci->translator);
+ if (!$validator->validate($data)) {
+ $ms->addValidationErrors($validator);
+ $error = TRUE;
+ }
+
+ // Determine targeted fields
+ $fieldNames = [];
+ foreach ($data as $name => $value) {
+ if ($name == 'first_name' || $name == 'last_name') {
+ $fieldNames[] = 'name';
+ } else if ($name == 'group_id') {
+ $fieldNames[] = 'group';
+ } else {
+ $fieldNames[] = $name;
+ }
+ }
+
+ /** @var UserFrosting\Sprinkle\Account\Authorize\AuthorizationManager $authorizer */
+ $authorizer = $this->ci->authorizer;
+
+ /** @var UserFrosting\Sprinkle\Account\Database\Models\User $currentUser */
+ $currentUser = $this->ci->currentUser;
+
+ // Access-controlled resource - check that currentUser has permission to edit submitted fields for this user
+ if (!$authorizer->checkAccess($currentUser, 'update_user_field', [
+ 'user' => $user,
+ 'fields' => array_values(array_unique($fieldNames))
+ ])) {
+ throw new ForbiddenException();
+ }
+
+ // Only the master account can edit the master account!
+ if (
+ ($user->id == $config['reserved_user_ids.master']) &&
+ ($currentUser->id != $config['reserved_user_ids.master'])
+ ) {
+ throw new ForbiddenException();
+ }
+
+ /** @var UserFrosting\Sprinkle\Core\Util\ClassMapper $classMapper */
+ $classMapper = $this->ci->classMapper;
+
+ // Check if email already exists
+ if (
+ isset($data['email']) &&
+ $data['email'] != $user->email &&
+ $classMapper->staticMethod('user', 'findUnique', $data['email'], 'email')
+ ) {
+ $ms->addMessageTranslated('danger', 'EMAIL.IN_USE', $data);
+ $error = TRUE;
+ }
+
+ if ($error) {
+ return $response->withStatus(400);
+ }
+
+ // Begin transaction - DB will be rolled back if an exception occurs
+ Capsule::transaction(function () use ($data, $user, $currentUser) {
+ // Update the user and generate success messages
+ foreach ($data as $name => $value) {
+ if ($value != $user->$name) {
+ $user->$name = $value;
+ }
+ }
+
+ $user->save();
+
+ // Create activity record
+ $this->ci->userActivityLogger->info("User {$currentUser->user_name} updated basic account info for user {$user->user_name}.", [
+ 'type' => 'account_update_info',
+ 'user_id' => $currentUser->id
+ ]);
+ });
+
+ $ms->addMessageTranslated('success', 'DETAILS_UPDATED', [
+ 'user_name' => $user->user_name
+ ]);
+ return $response->withStatus(200);
+ }
+
+ /**
+ * Processes the request to update a specific field for an existing user.
+ *
+ * Supports editing all user fields, including password, enabled/disabled status and verification status.
+ * Processes the request from the user update form, checking that:
+ * 1. The logged-in user has the necessary permissions to update the putted field(s);
+ * 2. We're not trying to disable the master account;
+ * 3. The submitted data is valid.
+ * This route requires authentication.
+ * Request type: PUT
+ * @throws ForbiddenException
+ * @throws BadRequestException
+ * @throws BadRequestException
+ * @throws BadRequestException
+ * @throws BadRequestException
+ * @throws BadRequestException
+ * @throws NotFoundException
+ * @throws BadRequestException
+ */
+ public function updateField($request, $response, $args) {
+ // Get the username from the URL
+ $user = $this->getUserFromParams($args);
+
+ if (!$user) {
+ throw new NotFoundException($request, $response);
+ }
+
+ // Get key->value pair from URL and request body
+ $fieldName = $args['field'];
+
+ /** @var UserFrosting\Sprinkle\Account\Authorize\AuthorizationManager $authorizer */
+ $authorizer = $this->ci->authorizer;
+
+ /** @var UserFrosting\Sprinkle\Account\Database\Models\User $currentUser */
+ $currentUser = $this->ci->currentUser;
+
+ // Access-controlled resource - check that currentUser has permission to edit the specified field for this user
+ if (!$authorizer->checkAccess($currentUser, 'update_user_field', [
+ 'user' => $user,
+ 'fields' => [$fieldName]
+ ])) {
+ throw new ForbiddenException();
+ }
+
+ /** @var UserFrosting\Config\Config $config */
+ $config = $this->ci->config;
+
+ // Only the master account can edit the master account!
+ if (
+ ($user->id == $config['reserved_user_ids.master']) &&
+ ($currentUser->id != $config['reserved_user_ids.master'])
+ ) {
+ throw new ForbiddenException();
+ }
+
+ // Get PUT parameters: value
+ $put = $request->getParsedBody();
+
+ if (!isset($put['value'])) {
+ throw new BadRequestException();
+ }
+
+ // Create and validate key -> value pair
+ $params = [
+ $fieldName => $put['value']
+ ];
+
+ // Load the request schema
+ $schema = new RequestSchema('schema://requests/user/edit-field.yaml');
+
+ // Whitelist and set parameter defaults
+ $transformer = new RequestDataTransformer($schema);
+ $data = $transformer->transform($params);
+
+ // Validate, and throw exception on validation errors.
+ $validator = new ServerSideValidator($schema, $this->ci->translator);
+ if (!$validator->validate($data)) {
+ // encapsulate the communication of error messages from ServerSideValidator to the BadRequestException
+ $e = new BadRequestException();
+ foreach ($validator->errors() as $idx => $field) {
+ foreach ($field as $eidx => $error) {
+ $e->addUserMessage($error);
+ }
+ }
+ throw $e;
+ }
+
+ // Get validated and transformed value
+ $fieldValue = $data[$fieldName];
+
+ /** @var UserFrosting\Sprinkle\Core\MessageStream $ms */
+ $ms = $this->ci->alerts;
+
+ // Special checks and transformations for certain fields
+ if ($fieldName == 'flag_enabled') {
+ // Check that we are not disabling the master account
+ if (
+ ($user->id == $config['reserved_user_ids.master']) &&
+ ($fieldValue == '0')
+ ) {
+ $e = new BadRequestException();
+ $e->addUserMessage('DISABLE_MASTER');
+ throw $e;
+ } else if (
+ ($user->id == $currentUser->id) &&
+ ($fieldValue == '0')
+ ) {
+ $e = new BadRequestException();
+ $e->addUserMessage('DISABLE_SELF');
+ throw $e;
+ }
+ } else if ($fieldName == 'password') {
+ $fieldValue = Password::hash($fieldValue);
+ }
+
+ // Begin transaction - DB will be rolled back if an exception occurs
+ Capsule::transaction(function () use ($fieldName, $fieldValue, $user, $currentUser) {
+ if ($fieldName == 'roles') {
+ $newRoles = collect($fieldValue)->pluck('role_id')->all();
+ $user->roles()->sync($newRoles);
+ } else {
+ $user->$fieldName = $fieldValue;
+ $user->save();
+ }
+
+ // Create activity record
+ $this->ci->userActivityLogger->info("User {$currentUser->user_name} updated property '$fieldName' for user {$user->user_name}.", [
+ 'type' => 'account_update_field',
+ 'user_id' => $currentUser->id
+ ]);
+ });
+
+ // Add success messages
+ if ($fieldName == 'flag_enabled') {
+ if ($fieldValue == '1') {
+ $ms->addMessageTranslated('success', 'ENABLE_SUCCESSFUL', [
+ 'user_name' => $user->user_name
+ ]);
+ } else {
+ $ms->addMessageTranslated('success', 'DISABLE_SUCCESSFUL', [
+ 'user_name' => $user->user_name
+ ]);
+ }
+ } else if ($fieldName == 'flag_verified') {
+ $ms->addMessageTranslated('success', 'MANUALLY_ACTIVATED', [
+ 'user_name' => $user->user_name
+ ]);
+ } else {
+ $ms->addMessageTranslated('success', 'DETAILS_UPDATED', [
+ 'user_name' => $user->user_name
+ ]);
+ }
+
+ return $response->withStatus(200);
+ }
+
+ protected function getUserFromParams($params) {
+ // Load the request schema
+ $schema = new RequestSchema('schema://requests/user/get-by-username.yaml');
+
+ // Whitelist and set parameter defaults
+ $transformer = new RequestDataTransformer($schema);
+ $data = $transformer->transform($params);
+
+ // Validate, and throw exception on validation errors.
+ $validator = new ServerSideValidator($schema, $this->ci->translator);
+ if (!$validator->validate($data)) {
+ $e = new BadRequestException();
+ foreach ($validator->errors() as $idx => $field) {
+ foreach ($field as $eidx => $error) {
+ $e->addUserMessage($error);
+ }
+ }
+ throw $e;
+ }
+
+ /** @var UserFrosting\Sprinkle\Core\Util\ClassMapper $classMapper */
+ $classMapper = $this->ci->classMapper;
+
+ // Get the user to delete
+ $user = $classMapper->staticMethod('user', 'where', 'user_name', $data['user_name'])
+ ->first();
+
+ return $user;
+ }
+}