From dd0366296893a0e8da8ae0365387dd4823d53451 Mon Sep 17 00:00:00 2001 From: Igor Scheller Date: Tue, 8 Oct 2019 16:17:06 +0200 Subject: Rebuild password reset --- includes/controller/users_controller.php | 115 ------------------------------- 1 file changed, 115 deletions(-) (limited to 'includes/controller') diff --git a/includes/controller/users_controller.php b/includes/controller/users_controller.php index 892089e7..3ad2ffd9 100644 --- a/includes/controller/users_controller.php +++ b/includes/controller/users_controller.php 
@@ -1,7 +1,6 @@ input('token'))->first(); - if (!$passwordReset) { - error(__('Token is not correct.')); - redirect(page_link_to('login')); - } - - if ($request->hasPostData('submit')) { - $valid = true; - - if ( - $request->has('password') - && strlen($request->postData('password')) >= config('min_password_length') - ) { - if ($request->postData('password') != $request->postData('password2')) { - $valid = false; - error(__('Your passwords don\'t match.')); - } - } else { - $valid = false; - error(__('Your password is to short (please use at least 6 characters).')); - } - - if ($valid) { - auth()->setPassword($passwordReset->user, $request->postData('password')); - success(__('Password saved.')); - $passwordReset->delete(); - redirect(page_link_to('login')); - } - } - - return User_password_set_view(); -} - -/** - * First step of password recovery: display a form that asks for your email and send email with recovery link - * - * @return string - */ -function user_password_recovery_start_controller() -{ - $request = request(); - if ($request->hasPostData('submit')) { - $valid = true; - - $user_source = null; - if ($request->has('email') && strlen(strip_request_item('email')) > 0) { - $email = strip_request_item('email'); - if (check_email($email)) { - /** @var User $user_source */ - $user_source = User::whereEmail($email)->first(); - if (!$user_source) { - $valid = false; - error(__('E-mail address is not correct.')); - } - } else { - $valid = false; - error(__('E-mail address is not correct.')); - } - } else { - $valid = false; - error(__('Please enter your e-mail.')); - } - - if ($valid) { - $token = User_generate_password_recovery_token($user_source); - engelsystem_email_to_user( - $user_source, - __('Password recovery'), - sprintf( - __('Please visit %s to recover your password.'), - page_link_to('user_password_recovery', ['token' => $token]) - ) - ); - success(__('We sent an email containing your password recovery link.')); - redirect(page_link_to('login')); - 
} - } - - return User_password_recovery_view(); -} - -/** - * User password recovery in 2 steps. - * (By email) - * - * @return string - */ -function user_password_recovery_controller() -{ - if (request()->has('token')) { - return user_password_recovery_set_new_controller(); - } - - return user_password_recovery_start_controller(); -} - -/** - * Menu title for password recovery. - * - * @return string - */ -function user_password_recovery_title() -{ - return __('Password recovery'); -} - /** * Loads a user from param user_id. * -- cgit v1.2.3-70-g09d2 From fc773b25b3de455f7e74334156926f644f04db98 Mon Sep 17 00:00:00 2001 From: Igor Scheller Date: Wed, 18 Sep 2019 14:09:30 +0200 Subject: Use 403 forbidden on shifts json, atom export and ical export --- includes/controller/shifts_controller.php | 16 +++++++++------- includes/helper/error_helper.php | 11 ----------- includes/includes.php | 1 - includes/pages/user_atom.php | 16 +++++++++------- includes/pages/user_ical.php | 17 ++++++++++------- 5 files changed, 28 insertions(+), 33 deletions(-) delete mode 100644 includes/helper/error_helper.php (limited to 'includes/controller') diff --git a/includes/controller/shifts_controller.php b/includes/controller/shifts_controller.php index caf124ba..726814cf 100644 --- a/includes/controller/shifts_controller.php +++ b/includes/controller/shifts_controller.php 
@@ -1,5 +1,6 @@ apiUser('key'); - if (!$request->has('key') || !preg_match('/^[\da-f]{32}$/', $request->input('key'))) { - engelsystem_error('Missing key.'); + if ( + !$request->has('key') + || !preg_match('/^[\da-f]{32}$/', $request->input('key')) + || !$user + ) { + throw new HttpForbidden('{"error":"Missing or invalid key"}', ['content-type' => 'application/json']); } - $user = auth()->apiUser('key'); - if (!$user) { - engelsystem_error('Key invalid.'); - } if (!auth()->can('shifts_json_export')) { - engelsystem_error('No privilege for shifts_json_export.'); + throw new HttpForbidden('{"error":"Not allowed"}', ['content-type' => 'application/json']); } $shifts = load_ical_shifts(); diff --git a/includes/helper/error_helper.php b/includes/helper/error_helper.php deleted file mode 100644 index 9314a57a..00000000 --- a/includes/helper/error_helper.php +++ /dev/null @@ -1,11 +0,0 @@ -apiUser('key'); - if (!$request->has('key') || !preg_match('/^[\da-f]{32}$/', $request->input('key'))) { - engelsystem_error('Missing key.'); + if ( + !$request->has('key') + || !preg_match('/^[\da-f]{32}$/', $request->input('key')) + || empty($user) + ) { + throw new HttpForbidden('Missing or invalid key', ['content-type' => 'text/text']); } - $user = auth()->apiUser('key'); - if (empty($user)) { - engelsystem_error('Key invalid.'); - } if (!auth()->can('atom')) { - engelsystem_error('No privilege for atom.'); + throw new HttpForbidden('Not allowed', ['content-type' => 'text/text']); } $news = DB::select(' diff --git a/includes/pages/user_ical.php b/includes/pages/user_ical.php index ee3a8340..2f3a7ccc 100644 --- a/includes/pages/user_ical.php +++ b/includes/pages/user_ical.php 
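Review bot: The key-format check on the new side still uses `/^[\da-f]{32}$/`, and in PCRE a bare `$` also matches before a trailing newline, so a 32-hex-digit key followed by "\n" passes the guard and reaches the lookup; anchoring with `\z` (`preg_match('/^[\da-f]{32}\z/', $request->input('key'))`) closes that gap. The `apiUser('key')` fragment at the top of the hunk suggests the user lookup now runs before that format check (the line is truncated here, so this is inferred), which means an unvalidated value is handed to the lookup; evaluating the format first costs nothing and keeps the lookup behind the filter. The JSON error bodies are hand-built strings; `json_encode(['error' => 'Missing or invalid key'], JSON_THROW_ON_ERROR)` keeps them valid if the wording ever changes. The same guard block is duplicated in the user_atom.php and user_ical.php hunks of this commit, so a single helper that validates the key and returns the user would keep the three in step. The enclosing function begins outside this hunk.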
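Review bot: Both HttpForbidden throws in this hunk set `'content-type' => 'text/text'`, which is not a registered media type; `text/plain` is the value clients expect, e.g. `throw new HttpForbidden('Missing or invalid key', ['content-type' => 'text/plain']);`. The two throws in the user_ical.php hunk carry the same header value. This hunk also tests the lookup result with `empty($user)` while the shifts_controller.php and user_ical.php hunks use `!$user`; the three behave the same for null here, but one spelling would make the shared guard easier to recognise and later extract. The enclosing function begins outside this hunk.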
@@ -1,22 +1,25 @@ apiUser('key'); - if (!$request->has('key') || !preg_match('/^[\da-f]{32}$/', $request->input('key'))) { - engelsystem_error('Missing key.'); + if ( + !$request->has('key') + || !preg_match('/^[\da-f]{32}$/', $request->input('key')) + || !$user + ) { + throw new HttpForbidden('Missing or invalid key', ['content-type' => 'text/text']); } - $user = auth()->apiUser('key'); - if (!$user) { - engelsystem_error('Key invalid.'); - } if (!auth()->can('ical')) { - engelsystem_error('No privilege for ical.'); + throw new HttpForbidden('Not allowed', ['content-type' => 'text/text']); } $ical_shifts = load_ical_shifts(); -- cgit v1.2.3-70-g09d2