fix all issues

This commit is contained in:
root
2026-03-24 01:02:36 -04:00
parent 0f8a1fa0b1
commit 58445b2a48
19 changed files with 674 additions and 167 deletions
+160 -34
View File
@@ -21,6 +21,7 @@ require_once APPPATH . 'Helpers/pbkdf2_helper.php';
class UserController extends BaseController
{
private const ACTIVATION_TTL_HOURS = 48;
protected $userModel;
protected $roleModel;
protected $userRoleModel;
@@ -49,6 +50,37 @@ class UserController extends BaseController
$this->resetRequestModel = new PasswordResetRequestModel();
}
private function denyAccess(string $message)
{
if ($this->request->isAJAX() || $this->request->getHeaderLine('Accept') === 'application/json') {
return service('response')
->setStatusCode(403)
->setJSON(['status' => 'error', 'message' => $message]);
}
session()->setFlashdata('error', $message);
return redirect()->to('/access_denied');
}
private function requirePermission(string $permission)
{
if (!session()->get('is_logged_in')) {
return redirect()->to('/login');
}
$userId = (int) session()->get('user_id');
if ($userId <= 0 || !has_permission($userId, $permission)) {
return $this->denyAccess("You don't have permission to use this feature.");
}
return null;
}
private function hashToken(string $token): string
{
return hash('sha256', $token);
}
// Method to show the home page
public function home()
{
@@ -75,6 +107,10 @@ class UserController extends BaseController
public function userList()
{
if ($resp = $this->requirePermission('read_user')) {
return $resp;
}
helper('url');
return view('user/user_list', [
@@ -85,6 +121,10 @@ class UserController extends BaseController
// Method to show the list of users
public function index()
{
if ($resp = $this->requirePermission('read_user')) {
return $resp;
}
// Fetch users along with their assigned roles
$builder = $this->db->table('users');
$builder->select('users.id, users.firstname, users.lastname, users.email, user_roles.role_id, roles.name as role, users.status, users.updated_at');
@@ -122,6 +162,10 @@ class UserController extends BaseController
public function userListData()
{
if ($resp = $this->requirePermission('read_user')) {
return $resp;
}
return $this->response->setJSON([
'users' => $this->buildUsersWithRoles(),
]);
@@ -253,6 +297,10 @@ class UserController extends BaseController
// Method to store a new user
public function store()
{
if ($resp = $this->requirePermission('edit_user')) {
return $resp;
}
// Validate input data
$validation = \Config\Services::validation();
$validation->setRules([
@@ -315,6 +363,10 @@ class UserController extends BaseController
// Method to show the form for editing an existing user
public function edit($id)
{
if ($resp = $this->requirePermission('edit_user')) {
return $resp;
}
$data['user'] = $this->userModel->find($id);
$data['roles'] = $this->roleModel->findAll();
$userRoles = $this->userRoleModel->where('user_id', $id)->findAll();
@@ -327,6 +379,10 @@ class UserController extends BaseController
// Method to delete an existing user
public function delete($id)
{
if ($resp = $this->requirePermission('edit_user')) {
return $resp;
}
$this->userModel->delete($id);
// Delete the user's roles from the user_roles table
@@ -369,27 +425,21 @@ class UserController extends BaseController
$email = strtolower($this->request->getPost('email'));
$user = $this->userModel->where('email', $email)->first();
// --- Handle unknown email ---
if (!$user) {
session()->setFlashdata('error', 'If this email is registered, you will receive a reset link.');
log_message('info', "Password reset requested for non-existing user {$email}");
return redirect()->back();
}
// --- Handle unverified accounts ---
if ((int) $user['is_verified'] === 0) {
session()->setFlashdata('error', 'Please check your email and complete the account activation process before resetting your password.');
log_message('info', "Password reset blocked for unverified user {$email}");
// --- Handle unknown or unverified email ---
if (!$user || (int) $user['is_verified'] === 0) {
session()->setFlashdata('success', 'If this email is registered, you will receive a reset link.');
log_message('info', "Password reset requested for {$email} (user missing or unverified).");
return redirect()->back();
}
// --- Verified user: continue with reset ---
$token = bin2hex(random_bytes(48));
$tokenHash = $this->hashToken($token);
$expires_at = Time::now()->addHours(1);
$this->passwordResetModel->insert([
'email' => $email,
'token' => $token,
'token' => $tokenHash,
'created_at' => Time::now(),
'expires_at' => $expires_at,
]);
@@ -447,7 +497,12 @@ class UserController extends BaseController
}
// You may want to validate the token here
$resetEntry = $this->passwordResetModel->where('token', $token)
$tokenHash = $this->hashToken($token);
$resetEntry = $this->passwordResetModel
->groupStart()
->where('token', $tokenHash)
->orWhere('token', $token)
->groupEnd()
->where('expires_at >=', Time::now())
->first();
@@ -462,6 +517,10 @@ class UserController extends BaseController
//This function processes the new password submission, validating the token, updating the user's password, and cleaning up the reset entry.
public function processResetPassword()
{
if (strtolower($this->request->getMethod()) !== 'post') {
return redirect()->to('/')->with('error', 'Invalid request.');
}
$token = $this->request->getPost('token');
$newPassword = $this->request->getPost('password');
$passConfirm = $this->request->getPost('pass_confirm');
@@ -490,7 +549,12 @@ class UserController extends BaseController
}
// Find the password reset entry
$resetEntry = $this->passwordResetModel->where('token', $token)
$tokenHash = $this->hashToken($token);
$resetEntry = $this->passwordResetModel
->groupStart()
->where('token', $tokenHash)
->orWhere('token', $token)
->groupEnd()
->where('expires_at >=', Time::now())
->first();
@@ -519,7 +583,12 @@ class UserController extends BaseController
]);
// Delete the used token from the password reset table
$this->passwordResetModel->where('token', $token)->delete();
$this->passwordResetModel
->groupStart()
->where('token', $tokenHash)
->orWhere('token', $token)
->groupEnd()
->delete();
// Retrieve the user's IP address from the request
$ipAddress = $this->request->getIPAddress();
@@ -546,10 +615,16 @@ class UserController extends BaseController
public function confirm($token)
{
log_message('info', 'Processing email confirmation with token: ' . $token);
log_message('info', 'Processing email confirmation.');
$user = $this->userModel->where('token', $token)->first();
$tokenHash = $this->hashToken($token);
$user = $this->userModel
->groupStart()
->where('token', $tokenHash)
->orWhere('token', $token)
->groupEnd()
->where('created_at >=', Time::now()->subHours(self::ACTIVATION_TTL_HOURS)->toDateTimeString())
->first();
if (!$user || $user['is_verified'] == 1) {
return redirect()->to('/invalid_token');
@@ -570,7 +645,14 @@ class UserController extends BaseController
{
//echo "Reached setPassword with token: " . esc($token);
//echo "Token received: " . $token;
$user = $this->userModel->where('token', $token)->first();
$tokenHash = $this->hashToken($token);
$user = $this->userModel
->groupStart()
->where('token', $tokenHash)
->orWhere('token', $token)
->groupEnd()
->where('created_at >=', Time::now()->subHours(self::ACTIVATION_TTL_HOURS)->toDateTimeString())
->first();
if (!$user || $user['is_verified'] == 1) {
return redirect()->to('/invalid_token');
@@ -584,6 +666,10 @@ class UserController extends BaseController
public function savePassword()
{
if (strtolower($this->request->getMethod()) !== 'post') {
return redirect()->to('/')->with('error', 'Invalid request.');
}
$validation = \Config\Services::validation();
$validation->setRules([
'password' => [
@@ -615,9 +701,17 @@ class UserController extends BaseController
$token = $this->request->getPost('token');
$password = $this->request->getPost('password');
$user = $this->userModel->where('id', $userId)->where('token', $token)->first();
$tokenHash = $this->hashToken($token);
$user = $this->userModel
->where('id', $userId)
->groupStart()
->where('token', $tokenHash)
->orWhere('token', $token)
->groupEnd()
->where('created_at >=', Time::now()->subHours(self::ACTIVATION_TTL_HOURS)->toDateTimeString())
->first();
log_message('debug', "Attempting to set password for user $userId with token $token");
log_message('debug', "Attempting to set password for user $userId");
if (!$user || $user['is_verified'] == 1) {
return redirect()->to('/invalid_token');
@@ -670,20 +764,39 @@ class UserController extends BaseController
$roleKey = (string) $this->request->getPost('role');
log_message('info', 'Role selected: ' . $roleKey);
$roleModel = new RoleModel();
$route = $roleModel->getRouteByNameOrSlug($roleKey);
if ($route === null) {
log_message('error', 'Invalid or inactive role selected: ' . $roleKey);
return redirect()->back()->with('error', 'Invalid role selected.');
}
$userId = (int) session()->get('user_id');
log_message('info', 'User ID: ' . $userId);
if ($userId <= 0) {
return $this->denyAccess("You don't have permission to use this feature.");
}
$roleRow = $this->db->table('user_roles ur')
->join('roles r', 'r.id = ur.role_id', 'inner')
->select('r.name, r.slug, r.dashboard_route')
->where('ur.user_id', $userId)
->where('r.is_active', 1)
->groupStart()
->where('LOWER(r.name)', strtolower($roleKey))
->orWhere('LOWER(r.slug)', strtolower($roleKey))
->groupEnd()
->get()
->getRowArray();
if (empty($roleRow)) {
log_message('error', 'Invalid or unassigned role selected: ' . $roleKey);
return redirect()->back()->with('error', 'Invalid role selected.');
}
$route = $roleRow['dashboard_route'] ?? null;
if ($route === null) {
log_message('error', 'No dashboard route configured for role: ' . $roleKey);
return redirect()->back()->with('error', 'Invalid role selected.');
}
// Persist the *exact* role name or slug—choose your convention.
// If you want to store the canonical name, fetch the row and use $row['name'].
$this->userModel->update($userId, ['role' => $roleKey]);
// Store the canonical name to avoid arbitrary role strings.
$this->userModel->update($userId, ['role' => $roleRow['name']]);
log_message('info', 'Role updated in database.');
log_message('info', 'Redirecting to role dashboard: ' . $route);
@@ -702,6 +815,10 @@ class UserController extends BaseController
public function delete_role($roleId)
{
if ($resp = $this->requirePermission('edit_user')) {
return $resp;
}
// Fetch the role to be deleted
$role = $this->roleModel->find($roleId);
if (!$role) {
@@ -731,6 +848,10 @@ class UserController extends BaseController
public function loginActivity()
{
if ($resp = $this->requirePermission('view_login_activity')) {
return $resp;
}
helper('url');
$perPage = (int) ($this->request->getGet('per_page') ?? 25);
@@ -743,6 +864,10 @@ class UserController extends BaseController
public function loginActivityData()
{
if ($resp = $this->requirePermission('view_login_activity')) {
return $resp;
}
$perPage = (int) ($this->request->getGet('per_page') ?? 25);
$page = (int) ($this->request->getGet('page') ?? 1);
@@ -752,6 +877,10 @@ class UserController extends BaseController
// Method to update an existing user
public function updateUser()
{
if ($resp = $this->requirePermission('edit_user')) {
return $resp;
}
if (strtolower($this->request->getMethod()) !== 'post') {
return redirect()->to(site_url('user/user_list'))->with('error', 'Invalid request.');
}
@@ -800,9 +929,6 @@ class UserController extends BaseController
'status' => trim((string)$this->request->getPost('status')),
'is_suspended' => $toBool('is_suspended'),
'is_verified' => $toBool('is_verified'),
'token' => trim((string)$this->request->getPost('token')),
'updated_at' => $toDT('updated_at'),
'created_at' => $toDT('created_at'),
];
// Validation