merge prod to main
This commit is contained in:
Regular → Executable
+160
-34
@@ -21,6 +21,7 @@ require_once APPPATH . 'Helpers/pbkdf2_helper.php';
|
||||
|
||||
class UserController extends BaseController
|
||||
{
|
||||
private const ACTIVATION_TTL_HOURS = 48;
|
||||
protected $userModel;
|
||||
protected $roleModel;
|
||||
protected $userRoleModel;
|
||||
@@ -49,6 +50,37 @@ class UserController extends BaseController
|
||||
$this->resetRequestModel = new PasswordResetRequestModel();
|
||||
}
|
||||
|
||||
private function denyAccess(string $message)
|
||||
{
|
||||
if ($this->request->isAJAX() || $this->request->getHeaderLine('Accept') === 'application/json') {
|
||||
return service('response')
|
||||
->setStatusCode(403)
|
||||
->setJSON(['status' => 'error', 'message' => $message]);
|
||||
}
|
||||
|
||||
session()->setFlashdata('error', $message);
|
||||
return redirect()->to('/access_denied');
|
||||
}
|
||||
|
||||
private function requirePermission(string $permission)
|
||||
{
|
||||
if (!session()->get('is_logged_in')) {
|
||||
return redirect()->to('/login');
|
||||
}
|
||||
|
||||
$userId = (int) session()->get('user_id');
|
||||
if ($userId <= 0 || !has_permission($userId, $permission)) {
|
||||
return $this->denyAccess("You don't have permission to use this feature.");
|
||||
}
|
||||
|
||||
return null;
|
||||
}
|
||||
|
||||
private function hashToken(string $token): string
|
||||
{
|
||||
return hash('sha256', $token);
|
||||
}
|
||||
|
||||
// Method to show the home page
|
||||
public function home()
|
||||
{
|
||||
@@ -75,6 +107,10 @@ class UserController extends BaseController
|
||||
|
||||
public function userList()
|
||||
{
|
||||
if ($resp = $this->requirePermission('read_user')) {
|
||||
return $resp;
|
||||
}
|
||||
|
||||
helper('url');
|
||||
|
||||
return view('user/user_list', [
|
||||
@@ -85,6 +121,10 @@ class UserController extends BaseController
|
||||
// Method to show the list of users
|
||||
public function index()
|
||||
{
|
||||
if ($resp = $this->requirePermission('read_user')) {
|
||||
return $resp;
|
||||
}
|
||||
|
||||
// Fetch users along with their assigned roles
|
||||
$builder = $this->db->table('users');
|
||||
$builder->select('users.id, users.firstname, users.lastname, users.email, user_roles.role_id, roles.name as role, users.status, users.updated_at');
|
||||
@@ -122,6 +162,10 @@ class UserController extends BaseController
|
||||
|
||||
public function userListData()
|
||||
{
|
||||
if ($resp = $this->requirePermission('read_user')) {
|
||||
return $resp;
|
||||
}
|
||||
|
||||
return $this->response->setJSON([
|
||||
'users' => $this->buildUsersWithRoles(),
|
||||
]);
|
||||
@@ -253,6 +297,10 @@ class UserController extends BaseController
|
||||
// Method to store a new user
|
||||
public function store()
|
||||
{
|
||||
if ($resp = $this->requirePermission('edit_user')) {
|
||||
return $resp;
|
||||
}
|
||||
|
||||
// Validate input data
|
||||
$validation = \Config\Services::validation();
|
||||
$validation->setRules([
|
||||
@@ -315,6 +363,10 @@ class UserController extends BaseController
|
||||
// Method to show the form for editing an existing user
|
||||
public function edit($id)
|
||||
{
|
||||
if ($resp = $this->requirePermission('edit_user')) {
|
||||
return $resp;
|
||||
}
|
||||
|
||||
$data['user'] = $this->userModel->find($id);
|
||||
$data['roles'] = $this->roleModel->findAll();
|
||||
$userRoles = $this->userRoleModel->where('user_id', $id)->findAll();
|
||||
@@ -327,6 +379,10 @@ class UserController extends BaseController
|
||||
// Method to delete an existing user
|
||||
public function delete($id)
|
||||
{
|
||||
if ($resp = $this->requirePermission('edit_user')) {
|
||||
return $resp;
|
||||
}
|
||||
|
||||
$this->userModel->delete($id);
|
||||
|
||||
// Delete the user's roles from the user_roles table
|
||||
@@ -369,27 +425,21 @@ class UserController extends BaseController
|
||||
$email = strtolower($this->request->getPost('email'));
|
||||
$user = $this->userModel->where('email', $email)->first();
|
||||
|
||||
// --- Handle unknown email ---
|
||||
if (!$user) {
|
||||
session()->setFlashdata('error', 'If this email is registered, you will receive a reset link.');
|
||||
log_message('info', "Password reset requested for non-existing user {$email}");
|
||||
return redirect()->back();
|
||||
}
|
||||
|
||||
// --- Handle unverified accounts ---
|
||||
if ((int) $user['is_verified'] === 0) {
|
||||
session()->setFlashdata('error', 'Please check your email and complete the account activation process before resetting your password.');
|
||||
log_message('info', "Password reset blocked for unverified user {$email}");
|
||||
// --- Handle unknown or unverified email ---
|
||||
if (!$user || (int) $user['is_verified'] === 0) {
|
||||
session()->setFlashdata('success', 'If this email is registered, you will receive a reset link.');
|
||||
log_message('info', "Password reset requested for {$email} (user missing or unverified).");
|
||||
return redirect()->back();
|
||||
}
|
||||
|
||||
// --- Verified user: continue with reset ---
|
||||
$token = bin2hex(random_bytes(48));
|
||||
$tokenHash = $this->hashToken($token);
|
||||
$expires_at = Time::now()->addHours(1);
|
||||
|
||||
$this->passwordResetModel->insert([
|
||||
'email' => $email,
|
||||
'token' => $token,
|
||||
'token' => $tokenHash,
|
||||
'created_at' => Time::now(),
|
||||
'expires_at' => $expires_at,
|
||||
]);
|
||||
@@ -447,7 +497,12 @@ class UserController extends BaseController
|
||||
}
|
||||
|
||||
// You may want to validate the token here
|
||||
$resetEntry = $this->passwordResetModel->where('token', $token)
|
||||
$tokenHash = $this->hashToken($token);
|
||||
$resetEntry = $this->passwordResetModel
|
||||
->groupStart()
|
||||
->where('token', $tokenHash)
|
||||
->orWhere('token', $token)
|
||||
->groupEnd()
|
||||
->where('expires_at >=', Time::now())
|
||||
->first();
|
||||
|
||||
@@ -462,6 +517,10 @@ class UserController extends BaseController
|
||||
//This function processes the new password submission, validating the token, updating the user's password, and cleaning up the reset entry.
|
||||
public function processResetPassword()
|
||||
{
|
||||
if (strtolower($this->request->getMethod()) !== 'post') {
|
||||
return redirect()->to('/')->with('error', 'Invalid request.');
|
||||
}
|
||||
|
||||
$token = $this->request->getPost('token');
|
||||
$newPassword = $this->request->getPost('password');
|
||||
$passConfirm = $this->request->getPost('pass_confirm');
|
||||
@@ -490,7 +549,12 @@ class UserController extends BaseController
|
||||
}
|
||||
|
||||
// Find the password reset entry
|
||||
$resetEntry = $this->passwordResetModel->where('token', $token)
|
||||
$tokenHash = $this->hashToken($token);
|
||||
$resetEntry = $this->passwordResetModel
|
||||
->groupStart()
|
||||
->where('token', $tokenHash)
|
||||
->orWhere('token', $token)
|
||||
->groupEnd()
|
||||
->where('expires_at >=', Time::now())
|
||||
->first();
|
||||
|
||||
@@ -519,7 +583,12 @@ class UserController extends BaseController
|
||||
]);
|
||||
|
||||
// Delete the used token from the password reset table
|
||||
$this->passwordResetModel->where('token', $token)->delete();
|
||||
$this->passwordResetModel
|
||||
->groupStart()
|
||||
->where('token', $tokenHash)
|
||||
->orWhere('token', $token)
|
||||
->groupEnd()
|
||||
->delete();
|
||||
|
||||
// Retrieve the user's IP address from the request
|
||||
$ipAddress = $this->request->getIPAddress();
|
||||
@@ -546,10 +615,16 @@ class UserController extends BaseController
|
||||
|
||||
public function confirm($token)
|
||||
{
|
||||
log_message('info', 'Processing email confirmation with token: ' . $token);
|
||||
log_message('info', 'Processing email confirmation.');
|
||||
|
||||
|
||||
$user = $this->userModel->where('token', $token)->first();
|
||||
$tokenHash = $this->hashToken($token);
|
||||
$user = $this->userModel
|
||||
->groupStart()
|
||||
->where('token', $tokenHash)
|
||||
->orWhere('token', $token)
|
||||
->groupEnd()
|
||||
->where('created_at >=', Time::now()->subHours(self::ACTIVATION_TTL_HOURS)->toDateTimeString())
|
||||
->first();
|
||||
|
||||
if (!$user || $user['is_verified'] == 1) {
|
||||
return redirect()->to('/invalid_token');
|
||||
@@ -570,7 +645,14 @@ class UserController extends BaseController
|
||||
{
|
||||
//echo "Reached setPassword with token: " . esc($token);
|
||||
//echo "Token received: " . $token;
|
||||
$user = $this->userModel->where('token', $token)->first();
|
||||
$tokenHash = $this->hashToken($token);
|
||||
$user = $this->userModel
|
||||
->groupStart()
|
||||
->where('token', $tokenHash)
|
||||
->orWhere('token', $token)
|
||||
->groupEnd()
|
||||
->where('created_at >=', Time::now()->subHours(self::ACTIVATION_TTL_HOURS)->toDateTimeString())
|
||||
->first();
|
||||
|
||||
if (!$user || $user['is_verified'] == 1) {
|
||||
return redirect()->to('/invalid_token');
|
||||
@@ -584,6 +666,10 @@ class UserController extends BaseController
|
||||
|
||||
public function savePassword()
|
||||
{
|
||||
if (strtolower($this->request->getMethod()) !== 'post') {
|
||||
return redirect()->to('/')->with('error', 'Invalid request.');
|
||||
}
|
||||
|
||||
$validation = \Config\Services::validation();
|
||||
$validation->setRules([
|
||||
'password' => [
|
||||
@@ -615,9 +701,17 @@ class UserController extends BaseController
|
||||
$token = $this->request->getPost('token');
|
||||
$password = $this->request->getPost('password');
|
||||
|
||||
$user = $this->userModel->where('id', $userId)->where('token', $token)->first();
|
||||
$tokenHash = $this->hashToken($token);
|
||||
$user = $this->userModel
|
||||
->where('id', $userId)
|
||||
->groupStart()
|
||||
->where('token', $tokenHash)
|
||||
->orWhere('token', $token)
|
||||
->groupEnd()
|
||||
->where('created_at >=', Time::now()->subHours(self::ACTIVATION_TTL_HOURS)->toDateTimeString())
|
||||
->first();
|
||||
|
||||
log_message('debug', "Attempting to set password for user $userId with token $token");
|
||||
log_message('debug', "Attempting to set password for user $userId");
|
||||
|
||||
if (!$user || $user['is_verified'] == 1) {
|
||||
return redirect()->to('/invalid_token');
|
||||
@@ -670,20 +764,39 @@ class UserController extends BaseController
|
||||
$roleKey = (string) $this->request->getPost('role');
|
||||
log_message('info', 'Role selected: ' . $roleKey);
|
||||
|
||||
$roleModel = new RoleModel();
|
||||
$route = $roleModel->getRouteByNameOrSlug($roleKey);
|
||||
|
||||
if ($route === null) {
|
||||
log_message('error', 'Invalid or inactive role selected: ' . $roleKey);
|
||||
return redirect()->back()->with('error', 'Invalid role selected.');
|
||||
}
|
||||
|
||||
$userId = (int) session()->get('user_id');
|
||||
log_message('info', 'User ID: ' . $userId);
|
||||
|
||||
if ($userId <= 0) {
|
||||
return $this->denyAccess("You don't have permission to use this feature.");
|
||||
}
|
||||
|
||||
$roleRow = $this->db->table('user_roles ur')
|
||||
->join('roles r', 'r.id = ur.role_id', 'inner')
|
||||
->select('r.name, r.slug, r.dashboard_route')
|
||||
->where('ur.user_id', $userId)
|
||||
->where('r.is_active', 1)
|
||||
->groupStart()
|
||||
->where('LOWER(r.name)', strtolower($roleKey))
|
||||
->orWhere('LOWER(r.slug)', strtolower($roleKey))
|
||||
->groupEnd()
|
||||
->get()
|
||||
->getRowArray();
|
||||
|
||||
if (empty($roleRow)) {
|
||||
log_message('error', 'Invalid or unassigned role selected: ' . $roleKey);
|
||||
return redirect()->back()->with('error', 'Invalid role selected.');
|
||||
}
|
||||
|
||||
$route = $roleRow['dashboard_route'] ?? null;
|
||||
if ($route === null) {
|
||||
log_message('error', 'No dashboard route configured for role: ' . $roleKey);
|
||||
return redirect()->back()->with('error', 'Invalid role selected.');
|
||||
}
|
||||
|
||||
// Persist the *exact* role name or slug—choose your convention.
|
||||
// If you want to store the canonical name, fetch the row and use $row['name'].
|
||||
$this->userModel->update($userId, ['role' => $roleKey]);
|
||||
// Store the canonical name to avoid arbitrary role strings.
|
||||
$this->userModel->update($userId, ['role' => $roleRow['name']]);
|
||||
log_message('info', 'Role updated in database.');
|
||||
|
||||
log_message('info', 'Redirecting to role dashboard: ' . $route);
|
||||
@@ -702,6 +815,10 @@ class UserController extends BaseController
|
||||
|
||||
public function delete_role($roleId)
|
||||
{
|
||||
if ($resp = $this->requirePermission('edit_user')) {
|
||||
return $resp;
|
||||
}
|
||||
|
||||
// Fetch the role to be deleted
|
||||
$role = $this->roleModel->find($roleId);
|
||||
if (!$role) {
|
||||
@@ -731,6 +848,10 @@ class UserController extends BaseController
|
||||
|
||||
public function loginActivity()
|
||||
{
|
||||
if ($resp = $this->requirePermission('view_login_activity')) {
|
||||
return $resp;
|
||||
}
|
||||
|
||||
helper('url');
|
||||
|
||||
$perPage = (int) ($this->request->getGet('per_page') ?? 25);
|
||||
@@ -743,6 +864,10 @@ class UserController extends BaseController
|
||||
|
||||
public function loginActivityData()
|
||||
{
|
||||
if ($resp = $this->requirePermission('view_login_activity')) {
|
||||
return $resp;
|
||||
}
|
||||
|
||||
$perPage = (int) ($this->request->getGet('per_page') ?? 25);
|
||||
$page = (int) ($this->request->getGet('page') ?? 1);
|
||||
|
||||
@@ -752,6 +877,10 @@ class UserController extends BaseController
|
||||
// Method to update an existing user
|
||||
public function updateUser()
|
||||
{
|
||||
if ($resp = $this->requirePermission('edit_user')) {
|
||||
return $resp;
|
||||
}
|
||||
|
||||
if (strtolower($this->request->getMethod()) !== 'post') {
|
||||
return redirect()->to(site_url('user/user_list'))->with('error', 'Invalid request.');
|
||||
}
|
||||
@@ -800,9 +929,6 @@ class UserController extends BaseController
|
||||
'status' => trim((string)$this->request->getPost('status')),
|
||||
'is_suspended' => $toBool('is_suspended'),
|
||||
'is_verified' => $toBool('is_verified'),
|
||||
'token' => trim((string)$this->request->getPost('token')),
|
||||
'updated_at' => $toDT('updated_at'),
|
||||
'created_at' => $toDT('created_at'),
|
||||
];
|
||||
|
||||
// Validation
|
||||
|
||||
Reference in New Issue
Block a user