From 8cfd7df062f373dcbc2a272cd60270d9b4b76bd6 Mon Sep 17 00:00:00 2001 From: Diego Najar Date: Sat, 14 Jul 2018 15:17:06 +0200 Subject: [PATCH] Session in admin area and when you create the Login object --- bl-kernel/admin/controllers/edit-content.php | 4 +- bl-kernel/admin/controllers/edit-user.php | 8 +- bl-kernel/admin/controllers/login.php | 10 +- bl-kernel/admin/controllers/logout.php | 2 +- bl-kernel/admin/controllers/user-password.php | 4 +- bl-kernel/admin/views/dashboard.old.php | 161 -------------- bl-kernel/admin/views/edit-user.old.php | 204 ------------------ bl-kernel/admin/views/edit-user.php | 2 +- bl-kernel/ajax/user-logged.php | 6 +- bl-kernel/boot/admin.php | 6 +- bl-kernel/boot/init.php | 3 +- bl-kernel/functions.php | 14 +- bl-kernel/helpers/session.class.php | 11 +- bl-kernel/login.class.php | 13 +- bl-plugins/api/plugin.php | 4 +- bl-plugins/simple-stats/plugin.php | 4 +- 16 files changed, 49 insertions(+), 407 deletions(-) delete mode 100644 bl-kernel/admin/views/dashboard.old.php delete mode 100644 bl-kernel/admin/views/edit-user.old.php diff --git a/bl-kernel/admin/controllers/edit-content.php b/bl-kernel/admin/controllers/edit-content.php index a0e16354..dd693033 100644 --- a/bl-kernel/admin/controllers/edit-content.php +++ b/bl-kernel/admin/controllers/edit-content.php @@ -7,10 +7,10 @@ if (!checkRole(array('admin','moderator'), false)) { $pageKey = isset($_POST['key']) ? $_POST['key'] : $layout['parameters']; $page = buildPage($pageKey); - if (!$page || $page->username()!==$Login->username()) { + if (!$page || $page->username()!==$login->username()) { $syslog->add(array( 'dictionaryKey'=>'access-deny', - 'notes'=>$Login->username() + 'notes'=>$login->username() )); Alert::set($Language->g('You do not have sufficient permissions')); Redirect::page('dashboard'); diff --git a/bl-kernel/admin/controllers/edit-user.php b/bl-kernel/admin/controllers/edit-user.php index ec517029..f2eb865f 100644 --- a/bl-kernel/admin/controllers/edit-user.php 
+++ b/bl-kernel/admin/controllers/edit-user.php @@ -14,8 +14,8 @@ if ($_SERVER['REQUEST_METHOD'] == 'POST') { // Prevent non-administrators to change other users - if ($Login->role()!=='admin') { - $_POST['username'] = $Login->username(); + if ($login->role()!=='admin') { + $_POST['username'] = $login->username(); unset($_POST['role']); } @@ -40,8 +40,8 @@ if ($_SERVER['REQUEST_METHOD'] == 'POST') { // ============================================================================ // Prevent non-administrators to change other users -if ($Login->role()!=='admin') { - $layout['parameters'] = $Login->username(); +if ($login->role()!=='admin') { + $layout['parameters'] = $login->username(); } // Get the user to edit diff --git a/bl-kernel/admin/controllers/login.php b/bl-kernel/admin/controllers/login.php index 716b19df..493280b7 100644 --- a/bl-kernel/admin/controllers/login.php +++ b/bl-kernel/admin/controllers/login.php @@ -11,7 +11,7 @@ function checkLogin($args) { global $Security; - global $Login; + global $login; global $Language; if ($Security->isBlocked()) { @@ -19,9 +19,9 @@ function checkLogin($args) return false; } - if ($Login->verifyUser($_POST['username'], $_POST['password'])) { + if ($login->verifyUser($_POST['username'], $_POST['password'])) { if (isset($_POST['remember'])) { - $Login->setRememberMe($_POST['username']); + $login->setRememberMe($_POST['username']); } // Renew the token. This token will be the same inside the session for multiple forms. $Security->generateTokenCSRF(); @@ -41,13 +41,13 @@ function checkLogin($args) function checkRememberMe() { global $Security; - global $Login; + global $login; if ($Security->isBlocked()) { return false; } - if ($Login->verifyUserByRemember()) { + if ($login->verifyUserByRemember()) { $Security->generateTokenCSRF(); Redirect::page('dashboard'); return true; diff --git a/bl-kernel/admin/controllers/logout.php b/bl-kernel/admin/controllers/logout.php index 8aa4adef..dbb5794e 100644 
--- a/bl-kernel/admin/controllers/logout.php +++ b/bl-kernel/admin/controllers/logout.php @@ -20,6 +20,6 @@ // Main after POST // ============================================================================ -if ($Login->logout()) { +if ($login->logout()) { Redirect::home(); } diff --git a/bl-kernel/admin/controllers/user-password.php b/bl-kernel/admin/controllers/user-password.php index 8001b719..326c78e0 100644 --- a/bl-kernel/admin/controllers/user-password.php +++ b/bl-kernel/admin/controllers/user-password.php @@ -29,8 +29,8 @@ if ($_SERVER['REQUEST_METHOD'] == 'POST') { // ============================================================================ // Prevent non-administrators to change other users -if ($Login->role()!=='admin') { - $layout['parameters'] = $Login->username(); +if ($login->role()!=='admin') { + $layout['parameters'] = $login->username(); } // Get the user to edit diff --git a/bl-kernel/admin/views/dashboard.old.php b/bl-kernel/admin/views/dashboard.old.php deleted file mode 100644 index 6a589ed0..00000000 --- a/bl-kernel/admin/views/dashboard.old.php +++ /dev/null @@ -1,161 +0,0 @@ - - -
- -
- -
-

p('Notifications') ?>

-
    - db, 0, NOTIFICATIONS_AMOUNT); - foreach($logs as $log) { - $dict = $L->g($log['dictionaryKey']); - echo '
  • '; - echo $dict; - if( !empty($log['notes'])) { - echo ' « '.$log['notes'].' »'; - } - echo '
    '; - echo Date::format($log['date'], DB_DATE_FORMAT, NOTIFICATIONS_DATE_FORMAT); - echo ' - by '.$log['username']; - echo ''; - echo '
  • '; - } - ?> -
-
- -
- -
- - '; - echo '

'.$SimpleStats->getValue('label').'

'; - echo $SimpleStats->dashboard(); - echo '
'; - } - ?> - - -
-

p('Statistics') ?>

- - - - - - - - - - - - - - -
p('Published') ?>getPublishedDB(false)) ?>
p('Static') ?>getStaticDB(false)) ?>
p('Users') ?>count() ?>
-
- -
- -
- -
-

p('Scheduled content') ?>

- -
- -
-

p('Draft content') ?>

- -
- -
- - diff --git a/bl-kernel/admin/views/edit-user.old.php b/bl-kernel/admin/views/edit-user.old.php deleted file mode 100644 index fa84c88e..00000000 --- a/bl-kernel/admin/views/edit-user.old.php +++ /dev/null @@ -1,204 +0,0 @@ -$L->g('Edit user'), 'icon'=>'user')); - -echo '
'; -echo '
'; - -HTML::formOpen(array('id'=>'edit-user-profile-form','class'=>'uk-form-horizontal')); - - // Security token - HTML::formInputHidden(array( - 'name'=>'tokenCSRF', - 'value'=>$Security->getTokenCSRF() - )); - - // Security token - HTML::formInputHidden(array( - 'name'=>'username', - 'value'=>$User->username() - )); - - HTML::legend(array('value'=>$L->g('Profile'), 'class'=>'first-child')); - - HTML::formInputText(array( - 'name'=>'usernameDisable', - 'label'=>$L->g('Username'), - 'value'=>$User->username(), - 'class'=>'uk-width-1-2 uk-form-medium', - 'disabled'=>true, - 'tip'=>'' - )); - - HTML::formInputText(array( - 'name'=>'firstName', - 'label'=>$L->g('First name'), - 'value'=>$User->firstName(), - 'class'=>'uk-width-1-2 uk-form-medium', - 'tip'=>'' - )); - - HTML::formInputText(array( - 'name'=>'lastName', - 'label'=>$L->g('Last name'), - 'value'=>$User->lastName(), - 'class'=>'uk-width-1-2 uk-form-medium', - 'tip'=>'' - )); - - echo '
- - -
'; - -if($Login->role()==='admin') { - - HTML::formSelect(array( - 'name'=>'role', - 'label'=>$L->g('Role'), - 'options'=>array('editor'=>$L->g('Editor'), 'admin'=>$L->g('Administrator')), - 'selected'=>$User->role(), - 'tip'=>'' - )); - -} - - HTML::formInputText(array( - 'name'=>'email', - 'label'=>$L->g('Email'), - 'value'=>$User->email(), - 'class'=>'uk-width-1-2 uk-form-medium', - 'tip'=>$L->g('Recommended for recovery password and notifications') - )); - - HTML::legend(array('value'=>$L->g('Social networks links'))); - - HTML::formInputText(array( - 'name'=>'twitter', - 'label'=>'Twitter', - 'value'=>$User->twitter(), - 'class'=>'uk-width-1-2 uk-form-medium', - 'tip'=>'' - )); - - HTML::formInputText(array( - 'name'=>'facebook', - 'label'=>'Facebook', - 'value'=>$User->facebook(), - 'class'=>'uk-width-1-2 uk-form-medium', - 'tip'=>'' - )); - - HTML::formInputText(array( - 'name'=>'codepen', - 'label'=>'Codepen', - 'value'=>$User->codepen(), - 'class'=>'uk-width-1-2 uk-form-medium', - 'tip'=>'' - )); - - HTML::formInputText(array( - 'name'=>'googlePlus', - 'label'=>'Google+', - 'value'=>$User->googlePlus(), - 'class'=>'uk-width-1-2 uk-form-medium', - 'tip'=>'' - )); - - HTML::formInputText(array( - 'name'=>'instagram', - 'label'=>'Instagram', - 'value'=>$User->instagram(), - 'class'=>'uk-width-1-2 uk-form-medium', - 'tip'=>'' - )); - - echo '
-
- - '.$L->g('Cancel').' -
-
'; - - HTML::legend(array('value'=>$L->g('Authentication Token'))); - - HTML::formInputText(array( - 'name'=>'tokenAuth', - 'label'=>$L->g('Token'), - 'value'=>$User->tokenAuth(), - 'class'=>'uk-width-1-2 uk-form-medium', - 'tip'=>$L->g('this-token-is-similar-to-a-password-it-should-not-be-shared') - )); - - HTML::legend(array('value'=>$L->g('Status'))); - - HTML::formInputText(array( - 'name'=>'status', - 'label'=>$L->g('Current status'), - 'value'=>$User->enabled()?$L->g('Enabled'):$L->g('Disabled'), - 'class'=>'uk-width-1-2 uk-form-medium', - 'disabled'=>true, - 'tip'=>$User->enabled()?'':$L->g('To enable the user you must set a new password') - )); - -if( $User->enabled() ) { - echo '
-
- -
-
'; -} - -if( ($Login->role()==='admin') && ($User->username()!='admin') ) { - - HTML::legend(array('value'=>$L->g('Delete'))); - - echo '
-
- - -
-
'; - -} - -HTML::formClose(); - -echo '
'; - -echo '
'; - -HTML::profileUploader($User->username()); - -echo '
'; -echo '
'; - -?> - - \ No newline at end of file diff --git a/bl-kernel/admin/views/edit-user.php b/bl-kernel/admin/views/edit-user.php index 06be37d3..d87fa7e0 100644 --- a/bl-kernel/admin/views/edit-user.php +++ b/bl-kernel/admin/views/edit-user.php @@ -24,7 +24,7 @@ echo Bootstrap::formOpen(array()); 'tip'=>'' )); - if ($Login->role()==='admin') { + if ($login->role()==='admin') { echo Bootstrap::formSelect(array( 'name'=>'role', 'label'=>$L->g('Role'), diff --git a/bl-kernel/ajax/user-logged.php b/bl-kernel/ajax/user-logged.php index 3c28a0cd..12385a33 100644 --- a/bl-kernel/ajax/user-logged.php +++ b/bl-kernel/ajax/user-logged.php @@ -2,13 +2,13 @@ header('Content-Type: application/json'); /* - * + * * This script check if the user is logged - * + * */ // Check UUID -if ($Login->isLogged()) { +if ($login->isLogged()) { exit (json_encode(array( 'status'=>1, 'message'=>'The user is logged.' diff --git a/bl-kernel/boot/admin.php b/bl-kernel/boot/admin.php index 1e0c62fb..7e7aaf3a 100644 --- a/bl-kernel/boot/admin.php +++ b/bl-kernel/boot/admin.php @@ -6,6 +6,8 @@ if (Session::started()===false) { exit('Bludit CMS. Session initialization failure.'); } +$login = $Login = new Login($dbUsers); + $layout = array( 'controller'=>null, 'view'=>null, @@ -34,7 +36,7 @@ include(PATH_RULES.'60.plugins.php'); // --- AJAX --- if ($layout['slug']==='ajax') { - if ($Login->isLogged()) { + if ($login->isLogged()) { // Rules: Security check CSRF include(PATH_RULES.'99.security.php'); @@ -60,7 +62,7 @@ else // User not logged. // Slug is login. // Slug is login-email. - if($Url->notFound() || !$Login->isLogged() || ($Url->slug()==='login') || ($Url->slug()==='login-email') ) { + if($Url->notFound() || !$login->isLogged() || ($Url->slug()==='login') || ($Url->slug()==='login-email') ) { $layout['controller'] = 'login'; $layout['view'] = 'login'; $layout['template'] = 'login.php'; diff --git a/bl-kernel/boot/init.php b/bl-kernel/boot/init.php index 31248239..51eda8ec 100644 
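Review bot: `$login = $Login = new Login($dbUsers);` passes an argument that the `Login` constructor rewritten in this same patch (bl-kernel/login.class.php) no longer declares, so it is silently ignored and the object fetches the users database through `$GLOBALS['dbUsers']` instead; either keep an optional `$dbUsers = null` parameter on the constructor so this explicit injection is honoured, or drop the argument so the call does not advertise a dependency that is not used. Holding both `$login` and `$Login` as aliases of one instance is fine as long as neither is ever reassigned; a later `$Login = …` anywhere would make the two names diverge silently, so a note such as `// $Login kept for backward compatibility; both names must always alias the same instance` would help the next reader. The two later hunks of this file (`@@ -34` and `@@ -60`) are plain renames.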
--- a/bl-kernel/boot/init.php +++ b/bl-kernel/boot/init.php @@ -182,8 +182,7 @@ define('HTML_PATH_UPLOADS_THUMBNAILS', HTML_PATH_UPLOADS.'thumbnails/'); define('HTML_PATH_PLUGINS', HTML_PATH_ROOT.'bl-plugins/'); // --- Objects with dependency --- -$language = $Language = new dbLanguage( $Site->language() ); -$login = $Login = new Login( $dbUsers ); +$language = $Language = new dbLanguage( $Site->language() ); $Url->checkFilters( $Site->uriFilters() ); // --- CONSTANTS with dependency --- diff --git a/bl-kernel/functions.php b/bl-kernel/functions.php index 675bc752..01cba627 100644 --- a/bl-kernel/functions.php +++ b/bl-kernel/functions.php @@ -536,14 +536,14 @@ function editUser($args) { function disableUser($args) { global $dbUsers; - global $Login; + global $login; global $syslog; // Arguments $username = $args['username']; // Only administrators can disable users - if ($Login->role()!=='admin') { + if ($login->role()!=='admin') { return false; } @@ -566,7 +566,7 @@ function disableUser($args) { function deleteUser($args) { global $dbUsers, $dbPages; - global $Login; + global $login; global $syslog; // Arguments @@ -574,7 +574,7 @@ function deleteUser($args) { $deleteContent = isset($args['deleteContent']) ? $args['deleteContent'] : false; // Only administrators can delete users - if ($Login->role()!=='admin') { + if ($login->role()!=='admin') { return false; } @@ -750,11 +750,11 @@ function changeUserPassword($args) { // Returns true if the user is allowed to procceded function checkRole($allowRoles, $redirect=true) { - global $Login; + global $login; global $Language; global $syslog; - $userRole = $Login->role(); + $userRole = $login->role(); if (in_array($userRole, $allowRoles)) { return true; } 
@@ -762,7 +762,7 @@ function checkRole($allowRoles, $redirect=true) { if ($redirect) { $syslog->add(array( 'dictionaryKey'=>'access-deny', - 'notes'=>$Login->username() + 'notes'=>$login->username() )); Alert::set($Language->g('You do not have sufficient permissions')); Redirect::page('dashboard'); diff --git a/bl-kernel/helpers/session.class.php b/bl-kernel/helpers/session.class.php index 8e6978a0..165a8165 100644 --- a/bl-kernel/helpers/session.class.php +++ b/bl-kernel/helpers/session.class.php @@ -3,15 +3,10 @@ class Session { private static $started = false; + private static $sessionName = 'BLUDIT-KEY'; public static function start() { - //if(self::$started) - // return true; - - // DEBUG: Ver un nombre con alguna llave random al momentode instalar. - $session_name = 'BLUDIT-KEY'; - // Try to set the session timeout on server side, 1 hour of timeout ini_set('session.gc_maxlifetime', SESSION_GC_MAXLIFETIME); @@ -33,7 +28,7 @@ ); // Sets the session name to the one set above. - session_name($session_name); + session_name(self::$sessionName); // Start session. self::$started = session_start(); @@ -55,6 +50,8 @@ { session_destroy(); unset($_SESSION); + unset($_COOKIE[self::$sessionName]); + Cookie::set(self::$sessionName, '', -1); self::$started = false; Log::set(__METHOD__.LOG_SEP.'Session destroyed.'); return !isset($_SESSION); diff --git a/bl-kernel/login.class.php b/bl-kernel/login.class.php index 19eb37d8..18c2df8e 100644 --- a/bl-kernel/login.class.php +++ b/bl-kernel/login.class.php @@ -4,9 +4,18 @@ class Login { private $dbUsers; - function __construct($dbUsers) + function __construct() { - $this->dbUsers = $dbUsers; + if (isset($GLOBALS['dbUsers'])) { + $this->dbUsers = $GLOBALS['dbUsers']; + } else { + $this->dbUsers = new dbUsers(); + } + + // Start the Session + if (!Session::started()) { + Session::start(); + } } // Returns the username of the user logged 
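Review bot: The cookie expiry added after `session_destroy()` only removes the session cookie from the browser if `Cookie::set(self::$sessionName, '', -1)` sends the same path, domain, secure and httponly attributes the cookie was created with (the `);` that opens the `@@ -33` hunk looks like the end of a `session_set_cookie_params(...)` call in `start()`, but that call is outside the hunk); if any attribute differs, the browser keeps the original cookie and only the server-side state is gone, so a logout is not visible client-side. Building the expiry from `session_get_cookie_params()` with the native `setcookie()` guarantees the attributes match whatever `start()` configured. `unset($_COOKIE[...])` only affects the current request and is fine as written. The enclosing method's signature is outside the hunk.
```php
// … unchanged: session_destroy(); unset($_SESSION); …
// Expire the cookie with the same attributes it was issued with, so the browser really drops it.
$params = session_get_cookie_params();
setcookie(self::$sessionName, '', time() - 3600,
    $params['path'], $params['domain'], $params['secure'], $params['httponly']);
unset($_COOKIE[self::$sessionName]);
// … unchanged: self::$started = false; Log::set(...); return … …
```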
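Review bot: The new `Login` constructor drops its `$dbUsers` parameter and resolves the database through `$GLOBALS['dbUsers']`, so the `new Login($dbUsers)` call this patch adds in bl-kernel/boot/admin.php has its argument silently discarded and no caller can inject a different `dbUsers` (tests, plugins); keep an optional parameter and fall back to the global only when nothing is passed. The session is started as a side effect but the outcome is never checked, unlike bl-kernel/boot/admin.php which exits on `Session::started()===false`; a `Login` built on a session that failed to start would presumably answer every later `isLogged()`/`role()` call as an anonymous user (inferred — those methods are outside the hunk), hiding the failure behind an authorization denial. Mirroring the boot's check inside the constructor makes the failure loud instead. The rest of the class is outside the hunk.
```php
function __construct($dbUsers = null)
{
    // Prefer explicit injection; fall back to the global only when nothing was passed.
    if ($dbUsers !== null) {
        $this->dbUsers = $dbUsers;
    } elseif (isset($GLOBALS['dbUsers'])) {
        $this->dbUsers = $GLOBALS['dbUsers'];
    } else {
        $this->dbUsers = new dbUsers();
    }

    // Start the session and fail loudly if it could not be started,
    // as bl-kernel/boot/admin.php already does for the admin area.
    if (!Session::started()) {
        Session::start();
        if (!Session::started()) {
            throw new \RuntimeException('Session initialization failure.');
        }
    }
}
```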
diff --git a/bl-plugins/api/plugin.php b/bl-plugins/api/plugin.php index ac187475..fc93f9ca 100644 --- a/bl-plugins/api/plugin.php +++ b/bl-plugins/api/plugin.php @@ -47,7 +47,7 @@ class pluginAPI extends Plugin { global $Url; global $dbPages; global $dbUsers; - global $Login; + global $login; // CHECK URL // ------------------------------------------------------------ @@ -105,7 +105,7 @@ class pluginAPI extends Plugin { if (($user->role()=='admin') && ($user->enabled())) { // Loggin the user to create the session - $Login->setLogin($username, 'admin'); + $login->setLogin($username, 'admin'); // Enable write permissions $writePermissions = true; } diff --git a/bl-plugins/simple-stats/plugin.php b/bl-plugins/simple-stats/plugin.php index 706ee194..0ac92b44 100644 --- a/bl-plugins/simple-stats/plugin.php +++ b/bl-plugins/simple-stats/plugin.php @@ -174,9 +174,9 @@ EOF; public function addVisitor() { // Exclude administrators visits - global $Login; + global $login; if ($this->getValue('excludeAdmins') && defined('BLUDIT_PRO')) { - if ($Login->role()=='admin') { + if ($login->role()=='admin') { return false; } }
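Review bot: `global $login;` in `pluginAPI` (`@@ -47`) and in `addVisitor()` of simple-stats (`@@ -174`) now names a variable that only bl-kernel/boot/admin.php creates, because this patch removes `$login = $Login = new Login(...)` from bl-kernel/boot/init.php; whenever these hooks run outside the admin boot — which for a public API endpoint and a visitor counter looks like the normal path (inferred, the hook wiring is outside the hunks) — `$login` is null and `$login->setLogin($username, 'admin')` / `$login->role()` is a fatal error, breaking the API's write-permission path and every counted visit. Since the rewritten constructor self-provisions `dbUsers` and the session, the safe replacement in both places is `$login = new Login();` instead of `global $login;`. Note that this starts a PHP session on every counted frontend visit when `excludeAdmins` is on, a behaviour change worth recording next to the call, e.g. `// Instantiating Login starts the session; needed to recognise admin visits`. Both enclosing functions start outside their hunks.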