X-Git-Url: https://git.mxchange.org/?a=blobdiff_plain;ds=sidebyside;f=src%2FModel%2FUser.php;h=d65e7d8f9699e41aabadb406bd3034bd7da2266f;hb=71ec84f6dc83f753fe80170cfdfd32d202850d90;hp=a253865c2331a903cb1684411fc591308184c55a;hpb=cd79ce3a57ad57af69df3461c1b1198ae46e1861;p=friendica.git diff --git a/src/Model/User.php b/src/Model/User.php index a253865c23..d65e7d8f96 100644 --- a/src/Model/User.php +++ b/src/Model/User.php @@ -5,23 +5,22 @@ */ namespace Friendica\Model; +use DivineOmega\PasswordExposed\PasswordStatus; +use Exception; use Friendica\Core\Addon; use Friendica\Core\Config; use Friendica\Core\L10n; use Friendica\Core\PConfig; +use Friendica\Core\Protocol; use Friendica\Core\System; use Friendica\Core\Worker; -use Friendica\Database\DBM; -use Friendica\Model\Contact; -use Friendica\Model\Group; -use Friendica\Model\Photo; +use Friendica\Database\DBA; use Friendica\Object\Image; use Friendica\Util\Crypto; use Friendica\Util\DateTimeFormat; use Friendica\Util\Network; -use dba; -use Exception; use LightOpenID; +use function password_exposed; require_once 'boot.php'; require_once 'include/dba.php'; @@ -39,7 +38,7 @@ class User * @return boolean|array */ public static function getOwnerDataById($uid) { - $r = dba::fetch_first("SELECT + $r = DBA::fetchFirst("SELECT `contact`.*, `user`.`prvkey` AS `uprvkey`, `user`.`timezone`, @@ -57,12 +56,29 @@ class User LIMIT 1", $uid ); - if (!DBM::is_result($r)) { + if (!DBA::isResult($r)) { return false; } return $r; } + /** + * @brief Get owner data by nick name + * + * @param int $nick + * @return boolean|array + */ + public static function getOwnerDataByNick($nick) + { + $user = DBA::selectFirst('user', ['uid'], ['nickname' => $nick]); + + if (!DBA::isResult($user)) { + return false; + } + + return self::getOwnerDataById($user['uid']); + } + /** * @brief Returns the default group for a given user and network * @@ -75,7 +91,7 @@ class User { $default_group = 0; - if ($network == NETWORK_OSTATUS) { + if ($network == Protocol::OSTATUS) { $default_group = PConfig::get($uid, "ostatus", "default_group"); } @@ -83,9 +99,9 @@ class User return $default_group; } - $user = dba::selectFirst('user', ['def_gid'], ['uid' => $uid]); + $user = DBA::selectFirst('user', ['def_gid'], ['uid' => $uid]); - if (DBM::is_result($user)) { + if (DBA::isResult($user)) { $default_group = $user["def_gid"]; } @@ -101,7 +117,7 @@ class User * @param string $password * @return int|boolean * @deprecated since version 3.6 - * @see Friendica\Model\User::getIdFromPasswordAuthentication() + * @see User::getIdFromPasswordAuthentication() */ public static function authenticate($user_info, $password) { @@ -125,13 +141,23 @@ class User { $user = self::getAuthenticationInfo($user_info); - if ($user['legacy_password']) { + if (strpos($user['password'], '$') === false) { + //Legacy hash that has not been replaced by a new hash yet + if (self::hashPasswordLegacy($password) === $user['password']) { + self::updatePassword($user['uid'], $password); + + return $user['uid']; + } + } elseif (!empty($user['legacy_password'])) { + //Legacy hash that has been double-hashed and not replaced by a new hash yet + //Warning: `legacy_password` is not necessary in sync with the content of `password` if (password_verify(self::hashPasswordLegacy($password), $user['password'])) { self::updatePassword($user['uid'], $password); return $user['uid']; } } elseif (password_verify($password, $user['password'])) { + //New password hash if (password_needs_rehash($user['password'], PASSWORD_DEFAULT)) { self::updatePassword($user['uid'], $password); } @@ -174,7 +200,7 @@ class User } } elseif (is_int($user_info) || is_string($user_info)) { if (is_int($user_info)) { - $user = dba::selectFirst('user', ['uid', 'password', 'legacy_password'], + $user = DBA::selectFirst('user', ['uid', 'password', 'legacy_password'], [ 'uid' => $user_info, 'blocked' => 0, @@ -184,21 +210,14 @@ class User ] ); } else { - $user = dba::fetch_first('SELECT `uid`, `password`, `legacy_password` - FROM `user` - WHERE (`email` = ? OR `username` = ? OR `nickname` = ?) - AND `blocked` = 0 - AND `account_expired` = 0 - AND `account_removed` = 0 - AND `verified` = 1 - LIMIT 1', - $user_info, - $user_info, - $user_info - ); + $fields = ['uid', 'password', 'legacy_password']; + $condition = ["(`email` = ? OR `username` = ? OR `nickname` = ?) + AND NOT `blocked` AND NOT `account_expired` AND NOT `account_removed` AND `verified`", + $user_info, $user_info, $user_info]; + $user = DBA::selectFirst('user', $fields, $condition); } - if (!DBM::is_result($user)) { + if (!DBA::isResult($user)) { throw new Exception(L10n::t('User not found')); } } @@ -216,6 +235,17 @@ class User return autoname(6) . mt_rand(100, 9999); } + /** + * Checks if the provided plaintext password has been exposed or not + * + * @param string $password + * @return bool + */ + public static function isPasswordExposed($password) + { + return password_exposed($password) === PasswordStatus::EXPOSED; + } + /** * Legacy hashing function, kept for password migration purposes * @@ -235,6 +265,10 @@ class User */ public static function hashPassword($password) { + if (!trim($password)) { + throw new Exception(L10n::t('Password can\'t be empty')); + } + return password_hash($password, PASSWORD_DEFAULT); } @@ -266,7 +300,37 @@ class User 'pwdreset_time' => null, 'legacy_password' => false ]; - return dba::update('user', $fields, ['uid' => $uid]); + return DBA::update('user', $fields, ['uid' => $uid]); + } + + /** + * @brief Checks if a nickname is in the list of the forbidden nicknames + * + * Check if a nickname is forbidden from registration on the node by the + * admin. Forbidden nicknames (e.g. role namess) can be configured in the + * admin panel. + * + * @param string $nickname The nickname that should be checked + * @return boolean True is the nickname is blocked on the node + */ + public static function isNicknameBlocked($nickname) + { + $forbidden_nicknames = Config::get('system', 'forbidden_nicknames', ''); + + // if the config variable is empty return false + if (empty($forbidden_nicknames)) { + return false; + } + + // check if the nickname is in the list of blocked nicknames + $forbidden = explode(',', $forbidden_nicknames); + $forbidden = array_map('trim', $forbidden); + if (in_array(strtolower($nickname), $forbidden)) { + return true; + } + + // else return false + return false; } /** @@ -293,19 +357,20 @@ class User $using_invites = Config::get('system', 'invitation_only'); $num_invites = Config::get('system', 'number_invites'); - $invite_id = x($data, 'invite_id') ? notags(trim($data['invite_id'])) : ''; - $username = x($data, 'username') ? notags(trim($data['username'])) : ''; - $nickname = x($data, 'nickname') ? notags(trim($data['nickname'])) : ''; - $email = x($data, 'email') ? notags(trim($data['email'])) : ''; - $openid_url = x($data, 'openid_url') ? notags(trim($data['openid_url'])) : ''; - $photo = x($data, 'photo') ? notags(trim($data['photo'])) : ''; - $password = x($data, 'password') ? trim($data['password']) : ''; - $password1 = x($data, 'password1') ? trim($data['password1']) : ''; - $confirm = x($data, 'confirm') ? trim($data['confirm']) : ''; - $blocked = x($data, 'blocked') ? intval($data['blocked']) : 0; - $verified = x($data, 'verified') ? intval($data['verified']) : 0; - - $publish = x($data, 'profile_publish_reg') && intval($data['profile_publish_reg']) ? 1 : 0; + $invite_id = !empty($data['invite_id']) ? notags(trim($data['invite_id'])) : ''; + $username = !empty($data['username']) ? notags(trim($data['username'])) : ''; + $nickname = !empty($data['nickname']) ? notags(trim($data['nickname'])) : ''; + $email = !empty($data['email']) ? notags(trim($data['email'])) : ''; + $openid_url = !empty($data['openid_url']) ? notags(trim($data['openid_url'])) : ''; + $photo = !empty($data['photo']) ? notags(trim($data['photo'])) : ''; + $password = !empty($data['password']) ? trim($data['password']) : ''; + $password1 = !empty($data['password1']) ? trim($data['password1']) : ''; + $confirm = !empty($data['confirm']) ? trim($data['confirm']) : ''; + $blocked = !empty($data['blocked']) ? intval($data['blocked']) : 0; + $verified = !empty($data['verified']) ? intval($data['verified']) : 0; + $language = !empty($data['language']) ? notags(trim($data['language'])) : 'en'; + + $publish = !empty($data['profile_publish_reg']) && intval($data['profile_publish_reg']) ? 1 : 0; $netpublish = strlen(Config::get('system', 'directory')) ? $publish : 0; if ($password1 != $confirm) { @@ -319,12 +384,12 @@ class User throw new Exception(L10n::t('An invitation is required.')); } - if (!dba::exists('register', ['hash' => $invite_id])) { + if (!DBA::exists('register', ['hash' => $invite_id])) { throw new Exception(L10n::t('Invitation could not be verified.')); } } - if (!x($username) || !x($email) || !x($nickname)) { + if (empty($username) || empty($email) || empty($nickname)) { if ($openid_url) { if (!Network::isUrlValid($openid_url)) { throw new Exception(L10n::t('Invalid OpenID url')); @@ -332,7 +397,7 @@ class User $_SESSION['register'] = 1; $_SESSION['openid'] = $openid_url; - $openid = new LightOpenID; + $openid = new LightOpenID($a->get_hostname()); $openid->identity = $openid_url; $openid->returnUrl = System::baseUrl() . '/openid'; $openid->required = ['namePerson/friendly', 'contact/email', 'namePerson']; @@ -381,15 +446,18 @@ class User if (!valid_email($email) || !Network::isEmailDomainValid($email)) { throw new Exception(L10n::t('Not a valid email address.')); } + if (self::isNicknameBlocked($nickname)) { + throw new Exception(L10n::t('The nickname was blocked from registration by the nodes admin.')); + } - if (Config::get('system', 'block_extended_register', false) && dba::exists('user', ['email' => $email])) { + if (Config::get('system', 'block_extended_register', false) && DBA::exists('user', ['email' => $email])) { throw new Exception(L10n::t('Cannot use that email.')); } // Disallow somebody creating an account using openid that uses the admin email address, // since openid bypasses email verification. We'll allow it if there is not yet an admin account. - if (x($a->config, 'admin_email') && strlen($openid_url)) { - $adminlist = explode(',', str_replace(' ', '', strtolower($a->config['admin_email']))); + if (Config::get('config', 'admin_email') && strlen($openid_url)) { + $adminlist = explode(',', str_replace(' ', '', strtolower(Config::get('config', 'admin_email')))); if (in_array(strtolower($email), $adminlist)) { throw new Exception(L10n::t('Cannot use that email.')); } @@ -402,8 +470,8 @@ class User } // Check existing and deleted accounts for this nickname. - if (dba::exists('user', ['nickname' => $nickname]) - || dba::exists('userd', ['username' => $nickname]) + if (DBA::exists('user', ['nickname' => $nickname]) + || DBA::exists('userd', ['username' => $nickname]) ) { throw new Exception(L10n::t('Nickname is already registered. Please choose another.')); } @@ -426,8 +494,8 @@ class User $sprvkey = $sres['prvkey']; $spubkey = $sres['pubkey']; - $insert_result = dba::insert('user', [ - 'guid' => generate_user_guid(), + $insert_result = DBA::insert('user', [ + 'guid' => System::createGUID(32), 'username' => $username, 'password' => $new_password_encoded, 'email' => $email, @@ -439,14 +507,15 @@ class User 'sprvkey' => $sprvkey, 'verified' => $verified, 'blocked' => $blocked, + 'language' => $language, 'timezone' => 'UTC', 'register_date' => DateTimeFormat::utcNow(), 'default-location' => '' ]); if ($insert_result) { - $uid = dba::lastInsertId(); - $user = dba::selectFirst('user', [], ['uid' => $uid]); + $uid = DBA::lastInsertId(); + $user = DBA::selectFirst('user', [], ['uid' => $uid]); } else { throw new Exception(L10n::t('An error occurred during registration. Please try again.')); } @@ -457,14 +526,14 @@ class User // if somebody clicked submit twice very quickly, they could end up with two accounts // due to race condition. Remove this one. - $user_count = dba::count('user', ['nickname' => $nickname]); + $user_count = DBA::count('user', ['nickname' => $nickname]); if ($user_count > 1) { - dba::delete('user', ['uid' => $uid]); + DBA::delete('user', ['uid' => $uid]); throw new Exception(L10n::t('Nickname is already registered. Please choose another.')); } - $insert_result = dba::insert('profile', [ + $insert_result = DBA::insert('profile', [ 'uid' => $uid, 'name' => $username, 'photo' => System::baseUrl() . "/photo/profile/{$uid}.jpg", @@ -475,14 +544,14 @@ class User 'profile-name' => L10n::t('default') ]); if (!$insert_result) { - dba::delete('user', ['uid' => $uid]); + DBA::delete('user', ['uid' => $uid]); throw new Exception(L10n::t('An error occurred creating your default profile. Please try again.')); } // Create the self contact if (!Contact::createSelfFromUserId($uid)) { - dba::delete('user', ['uid' => $uid]); + DBA::delete('user', ['uid' => $uid]); throw new Exception(L10n::t('An error occurred creating your self contact. Please try again.')); } @@ -491,7 +560,7 @@ class User // right away as a default group for new contacts. $def_gid = Group::create($uid, L10n::t('Friends')); if (!$def_gid) { - dba::delete('user', ['uid' => $uid]); + DBA::delete('user', ['uid' => $uid]); throw new Exception(L10n::t('An error occurred creating your default contact group. Please try again.')); } @@ -501,7 +570,7 @@ class User $fields['allow_gid'] = '<' . $def_gid . '>'; } - dba::update('user', $fields, ['uid' => $uid]); + DBA::update('user', $fields, ['uid' => $uid]); // if we have no OpenID photo try to look up an avatar if (!strlen($photo)) { @@ -546,7 +615,7 @@ class User } if (!$photo_failure) { - dba::update('photo', ['profile' => 1], ['resource-id' => $hash]); + DBA::update('photo', ['profile' => 1], ['resource-id' => $hash]); } } } @@ -593,7 +662,7 @@ class User * @param string $password * @return NULL|boolean from notification() and email() inherited */ - public static function sendRegisterOpenEmail($email, $sitename, $siteurl, $username, $password) + public static function sendRegisterOpenEmail($email, $sitename, $siteurl, $username, $password, $user) { $preamble = deindent(L10n::t(' Dear %1$s, @@ -601,11 +670,12 @@ class User ')); $body = deindent(L10n::t(' The login details are as follows: - Site Location: %3$s - Login Name: %1$s - Password: %5$s - You may change your password from your account Settings page after logging + Site Location: %3$s + Login Name: %1$s + Password: %5$s + + You may change your password from your account "Settings" page after logging in. Please take a few moments to review the other account settings on that page. @@ -614,7 +684,7 @@ class User ' . "\x28" . 'on the "Profiles" page' . "\x29" . ' so that other people can easily find you. We recommend setting your full name, adding a profile photo, - adding some profile keywords ' . "\x28" . 'very useful in making new friends' . "\x29" . ' - and + adding some profile "keywords" ' . "\x28" . 'very useful in making new friends' . "\x29" . ' - and perhaps what country you live in; if you do not wish to be more specific than that. @@ -622,6 +692,7 @@ class User If you are new and do not know anybody here, they may help you to make some new and interesting friends. + If you ever want to delete your account, you can do so at %3$s/removeme Thank you and welcome to %2$s.')); @@ -629,6 +700,8 @@ class User $body = sprintf($body, $email, $sitename, $siteurl, $username, $password); return notification([ + 'uid' => $user['uid'], + 'language' => $user['language'], 'type' => SYSTEM_EMAIL, 'to_email' => $email, 'subject'=> L10n::t('Registration details for %s', $sitename), @@ -648,20 +721,24 @@ class User logger('Removing user: ' . $uid); - $user = dba::selectFirst('user', [], ['uid' => $uid]); + $user = DBA::selectFirst('user', [], ['uid' => $uid]); Addon::callHooks('remove_user', $user); // save username (actually the nickname as it is guaranteed // unique), so it cannot be re-registered in the future. - dba::insert('userd', ['username' => $user['nickname']]); + DBA::insert('userd', ['username' => $user['nickname']]); // The user and related data will be deleted in "cron_expire_and_remove_users" (cronjobs.php) - dba::update('user', ['account_removed' => true, 'account_expires_on' => DateTimeFormat::utcNow()], ['uid' => $uid]); + DBA::update('user', ['account_removed' => true, 'account_expires_on' => DateTimeFormat::utc(DateTimeFormat::utcNow() . " + 7 day")], ['uid' => $uid]); Worker::add(PRIORITY_HIGH, "Notifier", "removeme", $uid); // Send an update to the directory - Worker::add(PRIORITY_LOW, "Directory", $user['url']); + $self = DBA::selectFirst('contact', ['url'], ['uid' => $uid, 'self' => true]); + Worker::add(PRIORITY_LOW, "Directory", $self['url']); + + // Remove the user relevant data + Worker::add(PRIORITY_LOW, "RemoveUser", $uid); if ($uid == local_user()) { unset($_SESSION['authenticated']);