Session in admin area and when you create the Login object

This commit is contained in:
Diego Najar 2018-07-14 15:17:06 +02:00
parent f01528bf75
commit 8cfd7df062
16 changed files with 49 additions and 407 deletions


@ -7,10 +7,10 @@
if (!checkRole(array('admin','moderator'), false)) { if (!checkRole(array('admin','moderator'), false)) {
$pageKey = isset($_POST['key']) ? $_POST['key'] : $layout['parameters']; $pageKey = isset($_POST['key']) ? $_POST['key'] : $layout['parameters'];
$page = buildPage($pageKey); $page = buildPage($pageKey);
if (!$page || $page->username()!==$Login->username()) { if (!$page || $page->username()!==$login->username()) {
$syslog->add(array( $syslog->add(array(
'dictionaryKey'=>'access-deny', 'dictionaryKey'=>'access-deny',
'notes'=>$Login->username() 'notes'=>$login->username()
)); ));
Alert::set($Language->g('You do not have sufficient permissions')); Alert::set($Language->g('You do not have sufficient permissions'));
Redirect::page('dashboard'); Redirect::page('dashboard');


@ -14,8 +14,8 @@
if ($_SERVER['REQUEST_METHOD'] == 'POST') { if ($_SERVER['REQUEST_METHOD'] == 'POST') {
// Prevent non-administrators to change other users // Prevent non-administrators to change other users
if ($Login->role()!=='admin') { if ($login->role()!=='admin') {
$_POST['username'] = $Login->username(); $_POST['username'] = $login->username();
unset($_POST['role']); unset($_POST['role']);
} }
@ -40,8 +40,8 @@ if ($_SERVER['REQUEST_METHOD'] == 'POST') {
// ============================================================================ // ============================================================================
// Prevent non-administrators to change other users // Prevent non-administrators to change other users
if ($Login->role()!=='admin') { if ($login->role()!=='admin') {
$layout['parameters'] = $Login->username(); $layout['parameters'] = $login->username();
} }
// Get the user to edit // Get the user to edit


@ -11,7 +11,7 @@
function checkLogin($args) function checkLogin($args)
{ {
global $Security; global $Security;
global $Login; global $login;
global $Language; global $Language;
if ($Security->isBlocked()) { if ($Security->isBlocked()) {
@ -19,9 +19,9 @@ function checkLogin($args)
return false; return false;
} }
if ($Login->verifyUser($_POST['username'], $_POST['password'])) { if ($login->verifyUser($_POST['username'], $_POST['password'])) {
if (isset($_POST['remember'])) { if (isset($_POST['remember'])) {
$Login->setRememberMe($_POST['username']); $login->setRememberMe($_POST['username']);
} }
// Renew the token. This token will be the same inside the session for multiple forms. // Renew the token. This token will be the same inside the session for multiple forms.
$Security->generateTokenCSRF(); $Security->generateTokenCSRF();
@ -41,13 +41,13 @@ function checkLogin($args)
function checkRememberMe() function checkRememberMe()
{ {
global $Security; global $Security;
global $Login; global $login;
if ($Security->isBlocked()) { if ($Security->isBlocked()) {
return false; return false;
} }
if ($Login->verifyUserByRemember()) { if ($login->verifyUserByRemember()) {
$Security->generateTokenCSRF(); $Security->generateTokenCSRF();
Redirect::page('dashboard'); Redirect::page('dashboard');
return true; return true;


@ -20,6 +20,6 @@
// Main after POST // Main after POST
// ============================================================================ // ============================================================================
if ($Login->logout()) { if ($login->logout()) {
Redirect::home(); Redirect::home();
} }


@ -29,8 +29,8 @@ if ($_SERVER['REQUEST_METHOD'] == 'POST') {
// ============================================================================ // ============================================================================
// Prevent non-administrators to change other users // Prevent non-administrators to change other users
if ($Login->role()!=='admin') { if ($login->role()!=='admin') {
$layout['parameters'] = $Login->username(); $layout['parameters'] = $login->username();
} }
// Get the user to edit // Get the user to edit


@ -1,161 +0,0 @@
<div class="uk-block dashboard-links">
<div class="uk-grid uk-grid-match" data-uk-grid-margin="{target:'.uk-panel'}">
<div class="uk-width-medium-1-3">
<div class="uk-panel">
<h4><a href="<?php echo HTML_PATH_ADMIN_ROOT.'new-content' ?>"><i class="uk-icon-pencil"></i> <?php $L->p('New content') ?></a></h4>
<p><?php $L->p('Create new content for your site') ?></p>
</div>
<div class="uk-panel">
<h4><a href="<?php echo HTML_PATH_ADMIN_ROOT.'content' ?>"><i class="uk-icon-folder-o"></i> <?php $L->p('Manage content') ?></a></h4>
<p><?php $L->p('Edit or delete content from your site') ?></p>
</div>
</div>
<?php if($Login->role() == 'admin') { ?>
<div class="uk-width-medium-1-3" style="border-right: 1px solid #E6E6E6; border-left: 1px solid #E6E6E6">
<div class="uk-panel">
<h4><a href="<?php echo HTML_PATH_ADMIN_ROOT.'new-category' ?>"><i class="uk-icon-file-text-o"></i> <?php $L->p('New category') ?></a></h4>
<p><?php $L->p('Create a new category to organize your content') ?></p>
</div>
<div class="uk-panel">
<h4><a href="<?php echo HTML_PATH_ADMIN_ROOT.'categories' ?>"><i class="uk-icon-folder-o"></i> <?php $L->p('Manage categories') ?></a></h4>
<p><?php $L->p('Edit or delete your categories') ?></p>
</div>
</div>
<?php } ?>
<div class="uk-width-medium-1-3">
<?php if($Login->role() == 'admin') { ?>
<div class="uk-panel">
<h4><a href="<?php echo HTML_PATH_ADMIN_ROOT.'add-user' ?>"><i class="uk-icon-user-plus"></i> <?php $L->p('Add a new user') ?></a></h4>
<p><?php $L->p('Invite a friend to collaborate on your site') ?></p>
</div>
<div class="uk-panel">
<h4><a href="<?php echo HTML_PATH_ADMIN_ROOT.'settings-regional' ?>"><i class="uk-icon-globe"></i> <?php $L->p('Language and timezone') ?></a></h4>
<p><?php $L->p('Change your language and region settings') ?></p>
</div>
<?php } else { ?>
<div class="uk-panel">
<h4><a href="<?php echo HTML_PATH_ADMIN_ROOT.'edit-user/'.$Login->username() ?>"><i class="uk-icon-user"></i> <?php $L->p('Profile') ?></a></h4>
<p><?php $L->p('View and edit your profile') ?></p>
</div>
<?php } ?>
</div>
</div>
</div>
<div id="dashboard-panel" class="uk-grid uk-grid-small">
<div class="uk-width-1-3">
<div class="uk-panel">
<h4 class="panel-title"><?php $L->p('Notifications') ?></h4>
<ul class="uk-list uk-list-line">
<?php
// Print Notifications
$logs = array_slice($syslog->db, 0, NOTIFICATIONS_AMOUNT);
foreach($logs as $log) {
$dict = $L->g($log['dictionaryKey']);
echo '<li>';
echo $dict;
if( !empty($log['notes'])) {
echo ' « <b>'.$log['notes'].'</b> »';
}
echo '<br><span class="notification-date">';
echo Date::format($log['date'], DB_DATE_FORMAT, NOTIFICATIONS_DATE_FORMAT);
echo ' - by '.$log['username'];
echo '</span>';
echo '</li>';
}
?>
</ul>
</div>
</div>
<div class="uk-width-1-3">
<?php if (pluginEnabled('pluginSimpleStats')) {
$SimpleStats = getPlugin('pluginSimpleStats');
echo '<div class="uk-panel">';
echo '<h4 class="panel-title">'.$SimpleStats->getValue('label').'</h4>';
echo $SimpleStats->dashboard();
echo '</div>';
}
?>
<div class="uk-panel">
<h4 class="panel-title"><?php $L->p('Statistics') ?></h4>
<table class="uk-table statistics">
<tbody>
<tr>
<td><?php $Language->p('Published') ?></td>
<td><?php echo count($dbPages->getPublishedDB(false)) ?></td>
</tr>
<tr>
<td><?php $Language->p('Static') ?></td>
<td><?php echo count($dbPages->getStaticDB(false)) ?></td>
</tr>
<td><?php $Language->p('Users') ?></td>
<td><?php echo $dbUsers->count() ?></td>
</tr>
</tbody>
</table>
</div>
</div>
<div class="uk-width-1-3">
<div class="uk-panel">
<h4 class="panel-title"><?php $L->p('Scheduled content') ?></h4>
<ul class="uk-list">
<?php
$scheduledPages = $dbPages->getScheduledDB(true);
if (empty($scheduledPages)) {
echo '<li>'.$Language->g('There are no scheduled content').'</li>';
} else {
foreach ($scheduledPages as $key) {
$page = buildPage($key);
echo '<li><span class="label-time">'.$page->dateRaw(SCHEDULED_DATE_FORMAT).'</span><a href="'.HTML_PATH_ADMIN_ROOT.'edit-content/'.$page->key().'">'.($page->title()?$page->title():'['.$Language->g('Empty title').'] ').'</a></li>';
}
}
?>
</ul>
</div>
<div class="uk-panel">
<h4 class="panel-title"><?php $L->p('Draft content') ?></h4>
<ul class="uk-list">
<?php
$draftPages = $dbPages->getDraftDB(true);
if (empty($draftPages)) {
echo '<li>'.$Language->g('There are no draft content').'</li>';
} else {
foreach ($draftPages as $key) {
$page = buildPage($key);
echo '<li><a href="'.HTML_PATH_ADMIN_ROOT.'edit-content/'.$page->key().'">'.($page->title()?$page->title():'['.$Language->g('Empty title').'] ').'</a></li>';
}
}
?>
</ul>
</div>
</div>
</div>


@ -1,204 +0,0 @@
<?php
HTML::title(array('title'=>$L->g('Edit user'), 'icon'=>'user'));
echo '<div class="uk-grid">';
echo '<div class="uk-width-7-10">';
HTML::formOpen(array('id'=>'edit-user-profile-form','class'=>'uk-form-horizontal'));
// Security token
HTML::formInputHidden(array(
'name'=>'tokenCSRF',
'value'=>$Security->getTokenCSRF()
));
// Security token
HTML::formInputHidden(array(
'name'=>'username',
'value'=>$User->username()
));
HTML::legend(array('value'=>$L->g('Profile'), 'class'=>'first-child'));
HTML::formInputText(array(
'name'=>'usernameDisable',
'label'=>$L->g('Username'),
'value'=>$User->username(),
'class'=>'uk-width-1-2 uk-form-medium',
'disabled'=>true,
'tip'=>''
));
HTML::formInputText(array(
'name'=>'firstName',
'label'=>$L->g('First name'),
'value'=>$User->firstName(),
'class'=>'uk-width-1-2 uk-form-medium',
'tip'=>''
));
HTML::formInputText(array(
'name'=>'lastName',
'label'=>$L->g('Last name'),
'value'=>$User->lastName(),
'class'=>'uk-width-1-2 uk-form-medium',
'tip'=>''
));
echo '<div class="uk-form-row">
<label class="uk-form-label">'.$L->g('password').'</label>
<div class="uk-form-controls">
<a href="'.HTML_PATH_ADMIN_ROOT.'user-password/'.$User->username().'">'.$L->g('Change password').'</a>
</div>
</div>';
if($Login->role()==='admin') {
HTML::formSelect(array(
'name'=>'role',
'label'=>$L->g('Role'),
'options'=>array('editor'=>$L->g('Editor'), 'admin'=>$L->g('Administrator')),
'selected'=>$User->role(),
'tip'=>''
));
}
HTML::formInputText(array(
'name'=>'email',
'label'=>$L->g('Email'),
'value'=>$User->email(),
'class'=>'uk-width-1-2 uk-form-medium',
'tip'=>$L->g('Recommended for recovery password and notifications')
));
HTML::legend(array('value'=>$L->g('Social networks links')));
HTML::formInputText(array(
'name'=>'twitter',
'label'=>'Twitter',
'value'=>$User->twitter(),
'class'=>'uk-width-1-2 uk-form-medium',
'tip'=>''
));
HTML::formInputText(array(
'name'=>'facebook',
'label'=>'Facebook',
'value'=>$User->facebook(),
'class'=>'uk-width-1-2 uk-form-medium',
'tip'=>''
));
HTML::formInputText(array(
'name'=>'codepen',
'label'=>'Codepen',
'value'=>$User->codepen(),
'class'=>'uk-width-1-2 uk-form-medium',
'tip'=>''
));
HTML::formInputText(array(
'name'=>'googlePlus',
'label'=>'Google+',
'value'=>$User->googlePlus(),
'class'=>'uk-width-1-2 uk-form-medium',
'tip'=>''
));
HTML::formInputText(array(
'name'=>'instagram',
'label'=>'Instagram',
'value'=>$User->instagram(),
'class'=>'uk-width-1-2 uk-form-medium',
'tip'=>''
));
echo '<div class="uk-form-row">
<div class="uk-form-controls">
<button type="submit" class="uk-button uk-button-primary">'.$L->g('Save').'</button>
<a href="'.HTML_PATH_ADMIN_ROOT.'users" class="uk-button">'.$L->g('Cancel').'</a>
</div>
</div>';
HTML::legend(array('value'=>$L->g('Authentication Token')));
HTML::formInputText(array(
'name'=>'tokenAuth',
'label'=>$L->g('Token'),
'value'=>$User->tokenAuth(),
'class'=>'uk-width-1-2 uk-form-medium',
'tip'=>$L->g('this-token-is-similar-to-a-password-it-should-not-be-shared')
));
HTML::legend(array('value'=>$L->g('Status')));
HTML::formInputText(array(
'name'=>'status',
'label'=>$L->g('Current status'),
'value'=>$User->enabled()?$L->g('Enabled'):$L->g('Disabled'),
'class'=>'uk-width-1-2 uk-form-medium',
'disabled'=>true,
'tip'=>$User->enabled()?'':$L->g('To enable the user you must set a new password')
));
if( $User->enabled() ) {
echo '<div class="uk-form-row">
<div class="uk-form-controls">
<button type="submit" id="jsdisable-user" class="delete-button" name="disable-user"><i class="uk-icon-ban"></i> '.$L->g('Disable the user').'</button>
</div>
</div>';
}
if( ($Login->role()==='admin') && ($User->username()!='admin') ) {
HTML::legend(array('value'=>$L->g('Delete')));
echo '<div class="uk-form-row">
<div class="uk-form-controls">
<button type="submit" id="jsdelete-user-associate" class="delete-button" name="delete-user-associate"><i class="uk-icon-ban"></i> '.$L->g('Delete the user and associate his pages to admin user').'</button>
<button type="submit" id="jsdelete-user-all" class="delete-button" name="delete-user-all"><i class="uk-icon-ban"></i> '.$L->g('Delete the user and all his pages').'</button>
</div>
</div>';
}
HTML::formClose();
echo '</div>';
echo '<div class="uk-width-3-10" style="margin-top: 50px; text-align: center;">';
HTML::profileUploader($User->username());
echo '</div>';
echo '</div>';
?>
<script>
$(document).ready(function() {
$("#jsdelete-user-associate").click(function() {
if(confirm("<?php $Language->p('Confirm delete this action cannot be undone') ?>")==false) {
return false;
}
});
$("#jsdelete-user-all").click(function() {
if(confirm("<?php $Language->p('Confirm delete this action cannot be undone') ?>")==false) {
return false;
}
});
$("#jsdisable-user").click(function() {
if(confirm("<?php $Language->p('Do you want to disable the user') ?>")==false) {
return false;
}
});
});
</script>


@ -24,7 +24,7 @@ echo Bootstrap::formOpen(array());
'tip'=>'' 'tip'=>''
)); ));
if ($Login->role()==='admin') { if ($login->role()==='admin') {
echo Bootstrap::formSelect(array( echo Bootstrap::formSelect(array(
'name'=>'role', 'name'=>'role',
'label'=>$L->g('Role'), 'label'=>$L->g('Role'),


@ -8,7 +8,7 @@ header('Content-Type: application/json');
*/ */
// Check UUID // Check UUID
if ($Login->isLogged()) { if ($login->isLogged()) {
exit (json_encode(array( exit (json_encode(array(
'status'=>1, 'status'=>1,
'message'=>'The user is logged.' 'message'=>'The user is logged.'


@ -6,6 +6,8 @@ if (Session::started()===false) {
exit('Bludit CMS. Session initialization failure.'); exit('Bludit CMS. Session initialization failure.');
} }
$login = $Login = new Login($dbUsers);
$layout = array( $layout = array(
'controller'=>null, 'controller'=>null,
'view'=>null, 'view'=>null,
@ -34,7 +36,7 @@ include(PATH_RULES.'60.plugins.php');
// --- AJAX --- // --- AJAX ---
if ($layout['slug']==='ajax') { if ($layout['slug']==='ajax') {
if ($Login->isLogged()) { if ($login->isLogged()) {
// Rules: Security check CSRF // Rules: Security check CSRF
include(PATH_RULES.'99.security.php'); include(PATH_RULES.'99.security.php');
@ -60,7 +62,7 @@ else
// User not logged. // User not logged.
// Slug is login. // Slug is login.
// Slug is login-email. // Slug is login-email.
if($Url->notFound() || !$Login->isLogged() || ($Url->slug()==='login') || ($Url->slug()==='login-email') ) { if($Url->notFound() || !$login->isLogged() || ($Url->slug()==='login') || ($Url->slug()==='login-email') ) {
$layout['controller'] = 'login'; $layout['controller'] = 'login';
$layout['view'] = 'login'; $layout['view'] = 'login';
$layout['template'] = 'login.php'; $layout['template'] = 'login.php';
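Review bot: The added line `$login = $Login = new Login($dbUsers);` passes `$dbUsers` to a constructor that, in this same commit, no longer declares any parameter; PHP silently discards the extra argument, so the object really takes its store from `$GLOBALS['dbUsers']` and the call site misleads the reader. Either drop the argument or keep an optional `$dbUsers = null` parameter on `Login::__construct` so the explicit injection still means something. Since the global-boot instantiation is removed in the init hunk, `$login` now appears to be defined only on this admin path, while `pluginAPI` (`$login->setLogin(...)`) and `pluginSimpleStats::addVisitor` (`$login->role()`) in this commit still rely on `global $login`; if nothing constructs it on the site front end those calls would be made on `null`, which is worth confirming. The surrounding routing code continues outside this hunk.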


@ -183,7 +183,6 @@ define('HTML_PATH_PLUGINS', HTML_PATH_ROOT.'bl-plugins/');
// --- Objects with dependency --- // --- Objects with dependency ---
$language = $Language = new dbLanguage( $Site->language() ); $language = $Language = new dbLanguage( $Site->language() );
$login = $Login = new Login( $dbUsers );
$Url->checkFilters( $Site->uriFilters() ); $Url->checkFilters( $Site->uriFilters() );
// --- CONSTANTS with dependency --- // --- CONSTANTS with dependency ---


@ -536,14 +536,14 @@ function editUser($args) {
function disableUser($args) { function disableUser($args) {
global $dbUsers; global $dbUsers;
global $Login; global $login;
global $syslog; global $syslog;
// Arguments // Arguments
$username = $args['username']; $username = $args['username'];
// Only administrators can disable users // Only administrators can disable users
if ($Login->role()!=='admin') { if ($login->role()!=='admin') {
return false; return false;
} }
@ -566,7 +566,7 @@ function disableUser($args) {
function deleteUser($args) { function deleteUser($args) {
global $dbUsers, $dbPages; global $dbUsers, $dbPages;
global $Login; global $login;
global $syslog; global $syslog;
// Arguments // Arguments
@ -574,7 +574,7 @@ function deleteUser($args) {
$deleteContent = isset($args['deleteContent']) ? $args['deleteContent'] : false; $deleteContent = isset($args['deleteContent']) ? $args['deleteContent'] : false;
// Only administrators can delete users // Only administrators can delete users
if ($Login->role()!=='admin') { if ($login->role()!=='admin') {
return false; return false;
} }
@ -750,11 +750,11 @@ function changeUserPassword($args) {
// Returns true if the user is allowed to procceded // Returns true if the user is allowed to procceded
function checkRole($allowRoles, $redirect=true) { function checkRole($allowRoles, $redirect=true) {
global $Login; global $login;
global $Language; global $Language;
global $syslog; global $syslog;
$userRole = $Login->role(); $userRole = $login->role();
if (in_array($userRole, $allowRoles)) { if (in_array($userRole, $allowRoles)) {
return true; return true;
} }
@ -762,7 +762,7 @@ function checkRole($allowRoles, $redirect=true) {
if ($redirect) { if ($redirect) {
$syslog->add(array( $syslog->add(array(
'dictionaryKey'=>'access-deny', 'dictionaryKey'=>'access-deny',
'notes'=>$Login->username() 'notes'=>$login->username()
)); ));
Alert::set($Language->g('You do not have sufficient permissions')); Alert::set($Language->g('You do not have sufficient permissions'));
Redirect::page('dashboard'); Redirect::page('dashboard');


@ -3,15 +3,10 @@
class Session { class Session {
private static $started = false; private static $started = false;
private static $sessionName = 'BLUDIT-KEY';
public static function start() public static function start()
{ {
//if(self::$started)
// return true;
// DEBUG: Ver un nombre con alguna llave random al momentode instalar.
$session_name = 'BLUDIT-KEY';
// Try to set the session timeout on server side, 1 hour of timeout // Try to set the session timeout on server side, 1 hour of timeout
ini_set('session.gc_maxlifetime', SESSION_GC_MAXLIFETIME); ini_set('session.gc_maxlifetime', SESSION_GC_MAXLIFETIME);
@ -33,7 +28,7 @@
); );
// Sets the session name to the one set above. // Sets the session name to the one set above.
session_name($session_name); session_name(self::$sessionName);
// Start session. // Start session.
self::$started = session_start(); self::$started = session_start();
@ -55,6 +50,8 @@
{ {
session_destroy(); session_destroy();
unset($_SESSION); unset($_SESSION);
unset($_COOKIE[self::$sessionName]);
Cookie::set(self::$sessionName, '', -1);
self::$started = false; self::$started = false;
Log::set(__METHOD__.LOG_SEP.'Session destroyed.'); Log::set(__METHOD__.LOG_SEP.'Session destroyed.');
return !isset($_SESSION); return !isset($_SESSION);
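Review bot: The new cookie clearing in `destroy()`, `unset($_COOKIE[self::$sessionName]);` followed by `Cookie::set(self::$sessionName, '', -1);`, only reliably removes the browser cookie if it is re-sent with the same path, domain, secure and httponly attributes the session cookie was created with (the `session_set_cookie_params` call appears to end at the `);` context line above); a mismatch leaves the old session-id cookie in place, and `unset($_COOKIE[...])` only touches this request's copy. I cannot see `Cookie::set`'s signature, so this assumes its third argument is an expiry; a self-contained alternative is `$p = session_get_cookie_params();` then `setcookie(self::$sessionName, '', 1, $p['path'], $p['domain'], $p['secure'], $p['httponly']);`. A surviving stale id is harmless after `session_destroy()` only if `start()` (partly outside this hunk) enables `session.use_strict_mode`, otherwise the next request would reuse that id; worth checking. The `destroy()` signature itself is outside the hunk.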


@ -4,9 +4,18 @@ class Login {
private $dbUsers; private $dbUsers;
function __construct($dbUsers) function __construct()
{ {
$this->dbUsers = $dbUsers; if (isset($GLOBALS['dbUsers'])) {
$this->dbUsers = $GLOBALS['dbUsers'];
} else {
$this->dbUsers = new dbUsers();
}
// Start the Session
if (!Session::started()) {
Session::start();
}
} }
// Returns the username of the user logged // Returns the username of the user logged
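Review bot: The rewritten constructor replaces an injected `$dbUsers` with a lookup in `$GLOBALS['dbUsers']` and, when that is unset, silently builds a fresh `new dbUsers()`; the fallback means a boot-ordering mistake (constructing `Login` before the users database is defined) yields a second, independent user store instead of a visible failure, and the hidden global dependency makes the class harder to test. Keeping an optional parameter preserves the existing `new Login($dbUsers)` call site and makes the dependency explicit, with the global as a legacy fallback only. The rest of the `Login` class lies outside this hunk.
```php
function __construct($dbUsers = null)
{
    // Prefer the injected store; fall back to the global only for legacy call sites.
    if ($dbUsers !== null) {
        $this->dbUsers = $dbUsers;
    } elseif (isset($GLOBALS['dbUsers'])) {
        $this->dbUsers = $GLOBALS['dbUsers'];
    } else {
        $this->dbUsers = new dbUsers();
    }
    // … unchanged: Session::started() guard and Session::start() …
}
```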


@ -47,7 +47,7 @@ class pluginAPI extends Plugin {
global $Url; global $Url;
global $dbPages; global $dbPages;
global $dbUsers; global $dbUsers;
global $Login; global $login;
// CHECK URL // CHECK URL
// ------------------------------------------------------------ // ------------------------------------------------------------
@ -105,7 +105,7 @@ class pluginAPI extends Plugin {
if (($user->role()=='admin') && ($user->enabled())) { if (($user->role()=='admin') && ($user->enabled())) {
// Loggin the user to create the session // Loggin the user to create the session
$Login->setLogin($username, 'admin'); $login->setLogin($username, 'admin');
// Enable write permissions // Enable write permissions
$writePermissions = true; $writePermissions = true;
} }


@ -174,9 +174,9 @@ EOF;
public function addVisitor() public function addVisitor()
{ {
// Exclude administrators visits // Exclude administrators visits
global $Login; global $login;
if ($this->getValue('excludeAdmins') && defined('BLUDIT_PRO')) { if ($this->getValue('excludeAdmins') && defined('BLUDIT_PRO')) {
if ($Login->role()=='admin') { if ($login->role()=='admin') {
return false; return false;
} }
} }