From b666de2151ccf137bbf397018826827dd21eb25c Mon Sep 17 00:00:00 2001 From: flashwave Date: Sun, 7 Aug 2016 16:10:27 +0200 Subject: [PATCH] revised the session system --- app/ActiveUser.php | 52 ----- app/BBCode/Tags/NamedQuote.php | 4 +- app/Controllers/AuthController.php | 30 +-- app/Controllers/CommentsController.php | 18 +- app/Controllers/Forum/ForumController.php | 12 +- app/Controllers/Forum/PostController.php | 28 +-- app/Controllers/Forum/TopicController.php | 40 ++-- app/Controllers/FriendsController.php | 14 +- app/Controllers/NotificationsController.php | 8 +- app/Controllers/PremiumController.php | 11 +- .../Settings/AccountController.php | 38 ++-- .../Settings/AdvancedController.php | 35 ++- .../Settings/AppearanceController.php | 28 +-- app/Controllers/Settings/Controller.php | 34 +-- .../Settings/FriendsController.php | 6 +- app/Controllers/UserController.php | 4 +- app/Middleware/UpdateLastOnline.php | 6 +- app/Session.php | 203 +++++++++++------- app/User.php | 28 +++ .../yuuno/settings/advanced/sessions.twig | 21 +- routes.php | 6 +- sakura.php | 7 +- 22 files changed, 323 insertions(+), 310 deletions(-) delete mode 100644 app/ActiveUser.php diff --git a/app/ActiveUser.php b/app/ActiveUser.php deleted file mode 100644 index 2ea513b..0000000 --- a/app/ActiveUser.php +++ /dev/null 
@@ -1,52 +0,0 @@ - - */ -class ActiveUser -{ - /** - * The user object of the currently active user. - * @var User - */ - public static $user = null; - - /** - * The currently active session object. - * @var Session - */ - public static $session = null; - - /** - * Attempt to validate a session. - * @param int $userId - * @param string $sessionId - */ - public static function init($userId, $sessionId) - { - // Create a session object - self::$session = new Session($userId, $sessionId); - - // Create a user object - $user = User::construct($userId); - - // Check if the session exists and check if the user is activated - if (self::$session->validate() > 0 - && !$user->permission(Site::DEACTIVATED)) { - // Assign the user object - self::$user = $user; - } else { - self::$user = User::construct(0); - } - } -} diff --git a/app/BBCode/Tags/NamedQuote.php b/app/BBCode/Tags/NamedQuote.php index 6caf514..818b9e5 100644 --- a/app/BBCode/Tags/NamedQuote.php +++ b/app/BBCode/Tags/NamedQuote.php @@ -6,8 +6,8 @@ namespace Sakura\BBCode\Tags; -use Sakura\ActiveUser; use Sakura\BBCode\TagBase; +use Sakura\CurrentSession; use Sakura\Forum\Forum; use Sakura\Forum\Post; use Sakura\Perms\Forum as ForumPerms; @@ -36,7 +36,7 @@ class NamedQuote extends TagBase $post = new Post(intval($matches[2])); $forum = new Forum($post->forum); - if ($post->id !== 0 && $forum->permission(ForumPerms::VIEW, ActiveUser::$user->id)) { + if ($post->id !== 0 && $forum->permission(ForumPerms::VIEW, CurrentSession::$user->id)) { $link = route('forums.post', $post->id); $quoting = "{$post->poster->username}"; diff --git a/app/Controllers/AuthController.php b/app/Controllers/AuthController.php index d5cbaaf..516e04a 100644 --- a/app/Controllers/AuthController.php +++ b/app/Controllers/AuthController.php 
@@ -7,13 +7,12 @@ namespace Sakura\Controllers; use Sakura\ActionCode; -use Sakura\ActiveUser; use Sakura\Config; +use Sakura\CurrentSession; use Sakura\DB; use Sakura\Net; use Sakura\Perms\Site; use Sakura\Router; -use Sakura\Session; use Sakura\Template; use Sakura\User; @@ -46,10 +45,8 @@ class AuthController extends Controller */ public function logout() { - if (!ActiveUser::$session->validate() - || !isset($_REQUEST['s']) - || $_REQUEST['s'] != session_id()) { - $message = 'Something happened! This probably happened because you went here without being logged in.'; + if (!session_check('s')) { + $message = 'Validation failed, this logout attempt was possibly forged.'; $redirect = (isset($_REQUEST['redirect']) ? $_REQUEST['redirect'] : Router::route('main.index')); Template::vars(compact('message', 'redirect')); @@ -58,7 +55,7 @@ class AuthController extends Controller } // Destroy the active session - ActiveUser::$session->destroy(); + CurrentSession::stop(); // Return true indicating a successful logout $message = 'Goodbye!'; @@ -144,11 +141,14 @@ class AuthController extends Controller return Template::render('global/information'); } - // Create a new session - $session = new Session($user->id); - // Generate a session key - $sessionKey = $session->create($remember); + $session = CurrentSession::create( + $user->id, + Net::ip(), + get_country_code(), + clean_string($_SERVER['HTTP_USER_AGENT'] ?? ''), + $remember + ); $cookiePrefix = config('cookie.prefix'); @@ -162,7 +162,7 @@ class AuthController extends Controller // Session ID cookie setcookie( "{$cookiePrefix}session", - $sessionKey, + $session->key, time() + 604800 ); @@ -222,7 +222,7 @@ class AuthController extends Controller } // Check if authentication is disallowed - if (!isset($_POST['session']) || $_POST['session'] != session_id()) { + if (!session_check()) { $message = "Your session expired, refreshing the page will most likely fix this!"; Template::vars(compact('message', 'redirect')); 
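Review bot: The failure path of `logout()` in the `@@ -46` hunk still redirects to whatever `$_REQUEST['redirect']` contains, so a link such as `/logout?redirect=https://evil.example` bounces the user off-site after the "possibly forged" message; the guard was rewritten here but the redirect target was left unvalidated. Restrict it to a local path, e.g. `$redirect = (isset($_REQUEST['redirect']) && str_starts_with($_REQUEST['redirect'], '/')) ? $_REQUEST['redirect'] : Router::route('main.index');`, or drop the parameter on the error path entirely. `session_check('s')` reading the token from the request is appropriate for a link-driven logout as long as it compares against the per-session value; the helper itself is not in this chunk.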
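Review bot: The session cookie in the `@@ -162` hunk is written with only name, value and expiry, so the new `$session->key` is sent without `httponly`, without `secure` and without an explicit path, and any script injection on the origin can read the session key; `setcookie("{$cookiePrefix}session", $session->key, time() + 604800, '/', '', !empty($_SERVER['HTTPS']), true);` would close that (the exact `secure` condition depends on how TLS is terminated). The lifetime is also a fixed seven days while `$remember` is passed into `CurrentSession::create` in the `@@ -144` hunk — if `$remember` controls persistence, the cookie expiry should follow it, otherwise an unchecked "remember me" still yields a week-long cookie. The stored user agent from `clean_string($_SERVER['HTTP_USER_AGENT'] ?? '')` is attacker-controlled and is rendered in sessions.twig elsewhere in this commit; what `clean_string` strips is not visible here, so confirm the template escapes it. Whether `$session->key` comes from a CSPRNG cannot be checked from this chunk (app/Session.php is not shown); it should use `random_bytes`. The login method continues past these hunks.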
@@ -413,7 +413,7 @@ class AuthController extends Controller $redirect = Router::route('auth.reactivate'); // Validate session - if (!isset($_POST['session']) || $_POST['session'] != session_id()) { + if (!session_check()) { $message = "Your session expired, refreshing the page will most likely fix this!"; Template::vars(compact('message', 'redirect')); @@ -482,7 +482,7 @@ class AuthController extends Controller $redirect = Router::route('main.index'); // Validate session - if (!isset($_POST['session']) || $_POST['session'] != session_id()) { + if (!session_check()) { $message = "Your session expired, refreshing the page will most likely fix this!"; Template::vars(compact('message', 'redirect')); diff --git a/app/Controllers/CommentsController.php b/app/Controllers/CommentsController.php index 2b56eb1..6566977 100644 --- a/app/Controllers/CommentsController.php +++ b/app/Controllers/CommentsController.php @@ -6,9 +6,9 @@ namespace Sakura\Controllers; -use Sakura\ActiveUser; use Sakura\Comment; use Sakura\Config; +use Sakura\CurrentSession; use Sakura\Perms\Site; /** @@ -26,16 +26,14 @@ class CommentsController extends Controller */ public function post($category = '', $reply = 0) { - $session = $_POST['session'] ?? ''; - // Check if the user can comment - if ($session !== session_id()) { + if (session_check()) { $error = "Your session expired, refresh the page!"; return $this->json(compact('error')); } // Check if the user can comment - if (!ActiveUser::$user->permission(Site::CREATE_COMMENTS)) { + if (!CurrentSession::$user->permission(Site::CREATE_COMMENTS)) { $error = "You aren't allowed to make comments!"; return $this->json(compact('error')); } @@ -60,7 +58,7 @@ class CommentsController extends Controller $comment->category = $category; $comment->time = time(); $comment->reply = (int) $reply; - $comment->user = (int) ActiveUser::$user->id; + $comment->user = (int) CurrentSession::$user->id; $comment->text = $text; $comment->save(); 
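Review bot: The rewritten guard in `CommentsController::post()` (the `@@ -26` hunk) is inverted: `if (session_check())` returns the "session expired" error exactly when the CSRF token is valid and falls through to comment creation when the token is missing or wrong, the opposite of the `$session !== session_id()` line it replaces and of the `if (!session_check())` form this same commit uses in AuthController. It should read `if (!session_check()) {`. As committed, any cross-site form post can create a comment on behalf of a logged-in user, and legitimate posts always fail. `post()` continues beyond this hunk.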
@@ -76,7 +74,7 @@ class CommentsController extends Controller public function delete($id = 0) { // Check if the user can delete comments - if (!ActiveUser::$user->permission(Site::DELETE_COMMENTS)) { + if (!CurrentSession::$user->permission(Site::DELETE_COMMENTS)) { $error = "You aren't allowed to delete comments!"; return $this->json(compact('error')); } @@ -88,7 +86,7 @@ class CommentsController extends Controller return $this->json(compact('error')); } - if (ActiveUser::$user->id !== $comment->user) { + if (CurrentSession::$user->id !== $comment->user) { $error = "You aren't allowed to delete the comments of other people!"; return $this->json(compact('error')); } @@ -111,7 +109,7 @@ class CommentsController extends Controller $vote = $vote != 0; // Check if the user can delete comments - if (!ActiveUser::$user->permission(Site::VOTE_COMMENTS)) { + if (!CurrentSession::$user->permission(Site::VOTE_COMMENTS)) { $error = "You aren't allowed to vote on comments!"; return $this->json(compact('error')); } @@ -123,7 +121,7 @@ class CommentsController extends Controller return $this->json(compact('error')); } - $comment->vote(ActiveUser::$user->id, $vote); + $comment->vote(CurrentSession::$user->id, $vote); $upvotes = $comment->upvotes; $downvotes = $comment->downvotes; diff --git a/app/Controllers/Forum/ForumController.php b/app/Controllers/Forum/ForumController.php index e379d11..f77ed24 100644 --- a/app/Controllers/Forum/ForumController.php +++ b/app/Controllers/Forum/ForumController.php @@ -6,8 +6,8 @@ namespace Sakura\Controllers\Forum; -use Sakura\ActiveUser; use Sakura\Config; +use Sakura\CurrentSession; use Sakura\DB; use Sakura\Forum\Forum; use Sakura\Forum\Post; 
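Review bot: `delete()` in the `@@ -76` hunk runs only the permission and ownership checks and never calls `session_check()`, so unlike `post()` it is reachable from a forged cross-site request that deletes the victim's own comment; the `vote()` hunk at `@@ -111` shows the same shape, though its method header is outside the hunk so an earlier check in its body cannot be ruled out. If no middleware covers these JSON routes, add `if (!session_check()) { $error = "Your session expired, refresh the page!"; return $this->json(compact('error')); }` at the top of each, mirroring `post()`. Both methods continue past their hunks.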
@@ -43,7 +43,7 @@ class ForumController extends Controller $forum = new Forum($topic->forum); // Check if we have permission to view it - if (!$forum->permission(ForumPerms::VIEW, ActiveUser::$user->id)) { + if (!$forum->permission(ForumPerms::VIEW, CurrentSession::$user->id)) { $fetch = DB::table('posts') ->groupBy('topic_id') ->orderByRaw('COUNT(*) DESC') @@ -73,7 +73,7 @@ class ForumController extends Controller $forum = new Forum($post->forum); // Check if we have permission to view it - if (!$forum->permission(ForumPerms::VIEW, ActiveUser::$user->id)) { + if (!$forum->permission(ForumPerms::VIEW, CurrentSession::$user->id)) { $fetch = DB::table('posts') ->orderBy('post_id', 'desc') ->skip(11 + $_n) @@ -124,7 +124,7 @@ class ForumController extends Controller // Check if the forum exists if ($forum->id < 0 - || !$forum->permission(ForumPerms::VIEW, ActiveUser::$user->id)) { + || !$forum->permission(ForumPerms::VIEW, CurrentSession::$user->id)) { return view('global/information', compact('message', 'redirect')); } @@ -157,12 +157,12 @@ class ForumController extends Controller // Check if the forum exists if ($forum->id < 1 - || !$forum->permission(ForumPerms::VIEW, ActiveUser::$user->id)) { + || !$forum->permission(ForumPerms::VIEW, CurrentSession::$user->id)) { $message = "The forum you tried to access does not exist."; return view('global/information', compact('message', 'redirect')); } - $forum->trackUpdateAll(ActiveUser::$user->id); + $forum->trackUpdateAll(CurrentSession::$user->id); $message = 'All topics have been marked as read!'; $redirect = route('forums.forum', $forum->id); diff --git a/app/Controllers/Forum/PostController.php b/app/Controllers/Forum/PostController.php index 2a66d0c..4c5e9e1 100644 --- a/app/Controllers/Forum/PostController.php +++ b/app/Controllers/Forum/PostController.php 
@@ -6,7 +6,7 @@ namespace Sakura\Controllers\Forum; -use Sakura\ActiveUser; +use Sakura\CurrentSession; use Sakura\DB; use Sakura\Forum\Forum; use Sakura\Forum\Post; @@ -35,7 +35,7 @@ class PostController extends Controller // Check if the forum exists if ($post->id === 0 || $topic->id === 0 - || !$forum->permission(ForumPerms::VIEW, ActiveUser::$user->id)) { + || !$forum->permission(ForumPerms::VIEW, CurrentSession::$user->id)) { $message = "This post doesn't exist or you don't have access to it!"; $redirect = route('forums.index'); @@ -75,7 +75,7 @@ class PostController extends Controller // Check if the forum exists if ($post->id === 0 || $topic->id === 0 - || !$forum->permission(ForumPerms::VIEW, ActiveUser::$user->id)) { + || !$forum->permission(ForumPerms::VIEW, CurrentSession::$user->id)) { return ""; } @@ -99,15 +99,15 @@ class PostController extends Controller // Check permissions $noAccess = $post->id === 0 || $topic->id === 0 - || !$forum->permission(ForumPerms::VIEW, ActiveUser::$user->id); + || !$forum->permission(ForumPerms::VIEW, CurrentSession::$user->id); $noEdit = ( - $post->poster->id === ActiveUser::$user->id - ? !ActiveUser::$user->permission(ForumPerms::EDIT_OWN, Perms::FORUM) - : !$forum->permission(ForumPerms::EDIT_ANY, ActiveUser::$user->id) + $post->poster->id === CurrentSession::$user->id + ? !CurrentSession::$user->permission(ForumPerms::EDIT_OWN, Perms::FORUM) + : !$forum->permission(ForumPerms::EDIT_ANY, CurrentSession::$user->id) ) || ( $topic->status === 1 - && !$forum->permission(ForumPerms::LOCK, ActiveUser::$user->id) + && !$forum->permission(ForumPerms::LOCK, CurrentSession::$user->id) ); // Check if the forum exists @@ -182,7 +182,7 @@ class PostController extends Controller $post->text = $text; $post->editTime = time(); $post->editReason = ''; - $post->editUser = ActiveUser::$user; + $post->editUser = CurrentSession::$user; $post = $post->update(); $postLink = route('forums.post', $post->id); 
@@ -204,15 +204,15 @@ class PostController extends Controller // Check permissions $noAccess = $post->id === 0 || $topic->id === 0 - || !$forum->permission(ForumPerms::VIEW, ActiveUser::$user->id); + || !$forum->permission(ForumPerms::VIEW, CurrentSession::$user->id); $noDelete = ( - $post->poster->id === ActiveUser::$user->id - ? !ActiveUser::$user->permission(ForumPerms::DELETE_OWN, Perms::FORUM) - : !$forum->permission(ForumPerms::DELETE_ANY, ActiveUser::$user->id) + $post->poster->id === CurrentSession::$user->id + ? !CurrentSession::$user->permission(ForumPerms::DELETE_OWN, Perms::FORUM) + : !$forum->permission(ForumPerms::DELETE_ANY, CurrentSession::$user->id) ) || ( $topic->status === 1 - && !$forum->permission(ForumPerms::LOCK, ActiveUser::$user->id) + && !$forum->permission(ForumPerms::LOCK, CurrentSession::$user->id) ); // Check if the forum exists diff --git a/app/Controllers/Forum/TopicController.php b/app/Controllers/Forum/TopicController.php index a3f705f..6bb6027 100644 --- a/app/Controllers/Forum/TopicController.php +++ b/app/Controllers/Forum/TopicController.php @@ -6,7 +6,7 @@ namespace Sakura\Controllers\Forum; -use Sakura\ActiveUser; +use Sakura\CurrentSession; use Sakura\Forum\Forum; use Sakura\Forum\Post; use Sakura\Forum\Topic; @@ -31,14 +31,14 @@ class TopicController extends Controller // Check if the forum exists if ($topic->id === 0 - || !$forum->permission(ForumPerms::VIEW, ActiveUser::$user->id)) { + || !$forum->permission(ForumPerms::VIEW, CurrentSession::$user->id)) { $message = "This topic doesn't exist or you don't have access to it!"; $redirect = route('forums.index'); return view('global/information', compact('message', 'redirect')); } - $topic->trackUpdate(ActiveUser::$user->id); + $topic->trackUpdate(CurrentSession::$user->id); $topic->viewsUpdate(); return view('forum/topic', compact('forum', 'topic')); 
@@ -55,7 +55,7 @@ class TopicController extends Controller $forum = new Forum($topic->forum); if ($topic->id !== 0 - || $forum->permission(ForumPerms::VIEW, ActiveUser::$user->id) + || $forum->permission(ForumPerms::VIEW, CurrentSession::$user->id) || session_check()) { return compact('topic', 'forum'); } @@ -78,7 +78,7 @@ class TopicController extends Controller extract($modBase); $redirect = route('forums.topic', $topic->id); - if ($forum->permission(ForumPerms::STICKY, ActiveUser::$user->id)) { + if ($forum->permission(ForumPerms::STICKY, CurrentSession::$user->id)) { $topic->type = $topic->type !== 1 ? 1 : 0; $topic->update(); $message = $topic->type @@ -106,7 +106,7 @@ class TopicController extends Controller extract($modBase); $redirect = route('forums.topic', $topic->id); - if ($forum->permission(ForumPerms::ANNOUNCEMENT, ActiveUser::$user->id)) { + if ($forum->permission(ForumPerms::ANNOUNCEMENT, CurrentSession::$user->id)) { $topic->type = $topic->type !== 2 ? 2 : 0; $topic->update(); $message = $topic->type @@ -134,7 +134,7 @@ class TopicController extends Controller extract($modBase); $redirect = route('forums.topic', $topic->id); - if ($forum->permission(ForumPerms::LOCK, ActiveUser::$user->id)) { + if ($forum->permission(ForumPerms::LOCK, CurrentSession::$user->id)) { $topic->status = $topic->status !== 1 ? 1 : 0; $topic->update(); $message = ($topic->status ? 'Locked' : 'Unlocked') . ' the topic!'; @@ -163,7 +163,7 @@ class TopicController extends Controller // Check if we're operating from the trash if ($topic->forum === $trash) { - if ($forum->permission(ForumPerms::DELETE_ANY, ActiveUser::$user->id)) { + if ($forum->permission(ForumPerms::DELETE_ANY, CurrentSession::$user->id)) { $topic->delete(); $message = "Deleted the topic!"; $redirect = route('forums.forum', $trash); 
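Review bot: The guard in the `@@ -55` hunk returns the moderation base when any one of the three conditions holds — `$topic->id !== 0 || $forum->permission(ForumPerms::VIEW, CurrentSession::$user->id) || session_check()` — so an existing topic passes without a view permission or CSRF token, and a valid token passes for a topic the user cannot see. Only the `CurrentSession` rename is new here, but every moderation action below (`sticky`, `announce`, `lock`, `trash`, `move`) builds on this helper, so the `||` chain gates all of them; the likely intent is all three at once, i.e. `if ($topic->id !== 0 && $forum->permission(ForumPerms::VIEW, CurrentSession::$user->id) && session_check()) {`. The method starts before and ends after this hunk, so the else branch that presumably returns an error is not visible.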
@@ -173,7 +173,7 @@ class TopicController extends Controller } else { $redirect = route('forums.topic', $topic->id); - if ($forum->permission(ForumPerms::MOVE, ActiveUser::$user->id)) { + if ($forum->permission(ForumPerms::MOVE, CurrentSession::$user->id)) { $topic->move($trash); $message = "Moved the topic to the trash!"; } else { @@ -200,7 +200,7 @@ class TopicController extends Controller extract($modBase); $redirect = route('forums.topic', $topic->id); - if ($forum->permission(ForumPerms::MOVE, ActiveUser::$user->id)) { + if ($forum->permission(ForumPerms::MOVE, CurrentSession::$user->id)) { if ($topic->oldForum) { $topic->move($topic->oldForum, false); @@ -231,11 +231,11 @@ class TopicController extends Controller extract($modBase); $redirect = route('forums.topic', $topic->id); - if ($forum->permission(ForumPerms::MOVE, ActiveUser::$user->id)) { + if ($forum->permission(ForumPerms::MOVE, CurrentSession::$user->id)) { $dest_forum = new Forum($_REQUEST['forum_id'] ?? 0); if ($dest_forum->id === 0 - || $dest_forum->permission(ForumPerms::VIEW, ActiveUser::$user->id)) { + || $dest_forum->permission(ForumPerms::VIEW, CurrentSession::$user->id)) { $topic->move($dest_forum->id); $message = "Moved to the topic to {$dest_forum->name}!"; @@ -268,7 +268,7 @@ class TopicController extends Controller // Check if the topic exists if ($topic->id === 0 || $forum->type !== 0 - || !$forum->permission(ForumPerms::VIEW, ActiveUser::$user->id)) { + || !$forum->permission(ForumPerms::VIEW, CurrentSession::$user->id)) { $message = "This post doesn't exist or you don't have access to it!"; $redirect = route('forums.index'); 
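Review bot: The destination check in the `@@ -231` hunk, `if ($dest_forum->id === 0 || $dest_forum->permission(ForumPerms::VIEW, CurrentSession::$user->id))`, accepts a nonexistent forum (id 0) as a move target and otherwise only requires VIEW on the destination rather than a move/post right there; this is pre-existing apart from the rename, but the commit touches the line and leaves the hole. `if ($dest_forum->id !== 0 && $dest_forum->permission(ForumPerms::VIEW, CurrentSession::$user->id))` reads as the intended condition; what `Topic::move(0)` does to the topic is not visible here. The method continues past this hunk.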
@@ -276,10 +276,10 @@ class TopicController extends Controller } // Check if the topic exists - if (!$forum->permission(ForumPerms::REPLY, ActiveUser::$user->id) + if (!$forum->permission(ForumPerms::REPLY, CurrentSession::$user->id) || ( $topic->status === 1 - && !$forum->permission(ForumPerms::LOCK, ActiveUser::$user->id) + && !$forum->permission(ForumPerms::LOCK, CurrentSession::$user->id) )) { $message = "You are not allowed to post in this topic!"; $redirect = route('forums.topic', $topic->id); @@ -321,7 +321,7 @@ class TopicController extends Controller $post = Post::create( "Re: {$topic->title}", $text, - ActiveUser::$user, + CurrentSession::$user, $topic->id, $forum->id ); @@ -349,9 +349,9 @@ class TopicController extends Controller // Check if the forum exists if ($forum->id === 0 || $forum->type !== 0 - || !$forum->permission(ForumPerms::VIEW, ActiveUser::$user->id) - || !$forum->permission(ForumPerms::REPLY, ActiveUser::$user->id) - || !$forum->permission(ForumPerms::CREATE_THREADS, ActiveUser::$user->id)) { + || !$forum->permission(ForumPerms::VIEW, CurrentSession::$user->id) + || !$forum->permission(ForumPerms::REPLY, CurrentSession::$user->id) + || !$forum->permission(ForumPerms::CREATE_THREADS, CurrentSession::$user->id)) { $message = "This forum doesn't exist or you don't have access to it!"; $redirect = route('forums.index'); @@ -409,7 +409,7 @@ class TopicController extends Controller $post = Post::create( $title, $text, - ActiveUser::$user, + CurrentSession::$user, 0, $forum->id ); diff --git a/app/Controllers/FriendsController.php b/app/Controllers/FriendsController.php index 0b3e7fe..8e9d4c7 100644 --- a/app/Controllers/FriendsController.php +++ b/app/Controllers/FriendsController.php @@ -6,7 +6,7 @@ namespace Sakura\Controllers; -use Sakura\ActiveUser; +use Sakura\CurrentSession; use Sakura\Notification; use Sakura\Perms\Site; use Sakura\Router; 
@@ -48,12 +48,10 @@ class FriendsController extends Controller */ public function add($id = 0) { - $user = ActiveUser::$user; - - $session = $_POST['session'] ?? ''; + $user = CurrentSession::$user; // Check if the user can comment - if ($session !== session_id()) { + if (session_check()) { $error = "Your session expired, refresh the page!"; return $this->json(compact('error')); } @@ -112,12 +110,10 @@ class FriendsController extends Controller */ public function remove($id = 0) { - $user = ActiveUser::$user; - - $session = $_POST['session'] ?? ''; + $user = CurrentSession::$user; // Check if the user can comment - if ($session !== session_id()) { + if (session_check()) { $error = "Your session expired, refresh the page!"; return $this->json(compact('error')); } diff --git a/app/Controllers/NotificationsController.php b/app/Controllers/NotificationsController.php index af5f099..ff4b59a 100644 --- a/app/Controllers/NotificationsController.php +++ b/app/Controllers/NotificationsController.php @@ -6,7 +6,7 @@ namespace Sakura\Controllers; -use Sakura\ActiveUser; +use Sakura\CurrentSession; use Sakura\Notification; use Sakura\Perms\Site; @@ -23,7 +23,7 @@ class NotificationsController extends Controller */ public function notifications() { - return $this->json(ActiveUser::$user->notifications()); + return $this->json(CurrentSession::$user->notifications()); } /** @@ -35,7 +35,7 @@ class NotificationsController extends Controller public function mark($id = 0) { // Check permission - if (ActiveUser::$user->permission(Site::DEACTIVATED)) { + if (CurrentSession::$user->permission(Site::DEACTIVATED)) { return '0'; } @@ -43,7 +43,7 @@ class NotificationsController extends Controller $alert = new Notification($id); // Verify that the currently authed user is the one this alert is for - if ($alert->user !== ActiveUser::$user->id) { + if ($alert->user !== CurrentSession::$user->id) { return '0'; } 
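Review bot: Both `add()` (`@@ -48`) and `remove()` (`@@ -112`) in FriendsController carry the same inverted guard as CommentsController: `if (session_check())` returns the "session expired" error precisely when the token is valid and proceeds when it is missing or wrong. Each should read `if (!session_check()) {`, matching the `!session_check()` form used in AuthController and PremiumController in this commit. As committed, a cross-site request can add or remove friends for a logged-in user while every legitimate request fails. Both methods continue past their hunks.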
diff --git a/app/Controllers/PremiumController.php b/app/Controllers/PremiumController.php index 2eea210..4378eae 100644 --- a/app/Controllers/PremiumController.php +++ b/app/Controllers/PremiumController.php @@ -7,8 +7,8 @@ namespace Sakura\Controllers; use Exception; -use Sakura\ActiveUser; use Sakura\Config; +use Sakura\CurrentSession; use Sakura\Payments; use Sakura\Perms\Site; use Sakura\Router; @@ -56,13 +56,12 @@ class PremiumController extends Controller public function purchase() { // Get values from post - $session = isset($_POST['session']) ? $_POST['session'] : ''; $months = isset($_POST['months']) ? $_POST['months'] : 0; // Check if the session is valid - if ($session !== session_id() - || ActiveUser::$user->permission(Site::DEACTIVATED) - || !ActiveUser::$user->permission(Site::OBTAIN_PREMIUM)) { + if (!session_check() + || CurrentSession::$user->permission(Site::DEACTIVATED) + || !CurrentSession::$user->permission(Site::OBTAIN_PREMIUM)) { $message = "You are not allowed to get premium!"; $redirect = Router::route('premium.index'); @@ -157,7 +156,7 @@ class PremiumController extends Controller return header("Location: {$failRoute}"); } - ActiveUser::$user->addPremium(self::PERIOD_PER_PAYMENT * $months); + CurrentSession::$user->addPremium(self::PERIOD_PER_PAYMENT * $months); return header("Location: {$successRoute}"); } diff --git a/app/Controllers/Settings/AccountController.php b/app/Controllers/Settings/AccountController.php index fc21c31..b22500b 100644 --- a/app/Controllers/Settings/AccountController.php +++ b/app/Controllers/Settings/AccountController.php @@ -6,7 +6,7 @@ namespace Sakura\Controllers\Settings; -use Sakura\ActiveUser; +use Sakura\CurrentSession; use Sakura\DB; use Sakura\Perms\Site; 
@@ -24,7 +24,7 @@ class AccountController extends Controller public function profile() { // Check permission - if (!ActiveUser::$user->permission(Site::ALTER_PROFILE)) { + if (!CurrentSession::$user->permission(Site::ALTER_PROFILE)) { $message = "You aren't allowed to edit your profile!"; $redirect = route('settings.index'); return view('global/information', compact('message', 'redirect')); @@ -50,7 +50,7 @@ class AccountController extends Controller } DB::table('users') - ->where('user_id', ActiveUser::$user->id) + ->where('user_id', CurrentSession::$user->id) ->update($save); // Birthdays @@ -75,7 +75,7 @@ class AccountController extends Controller } DB::table('users') - ->where('user_id', ActiveUser::$user->id) + ->where('user_id', CurrentSession::$user->id) ->update([ 'user_birthday' => $birthdate, ]); @@ -96,7 +96,7 @@ class AccountController extends Controller public function email() { // Check permission - if (!ActiveUser::$user->permission(Site::CHANGE_EMAIL)) { + if (!CurrentSession::$user->permission(Site::CHANGE_EMAIL)) { $message = "You aren't allowed to change your e-mail address."; $redirect = route('settings.index'); return view('global/information', compact('message', 'redirect')); @@ -128,7 +128,7 @@ class AccountController extends Controller return view('global/information', compact('redirect', 'message')); } - ActiveUser::$user->setMail($email); + CurrentSession::$user->setMail($email); $message = 'Changed your e-mail address!'; return view('global/information', compact('redirect', 'message')); @@ -144,7 +144,7 @@ class AccountController extends Controller public function username() { // Check permission - if (!ActiveUser::$user->permission(Site::CHANGE_USERNAME)) { + if (!CurrentSession::$user->permission(Site::CHANGE_USERNAME)) { $message = "You aren't allowed to change your username."; $redirect = route('settings.index'); return view('global/information', compact('redirect', 'message')); 
@@ -176,7 +176,7 @@ class AccountController extends Controller ->get(); // Check if anything was returned - if ($getOld && $getOld[0]->user_id != ActiveUser::$user->id) { + if ($getOld && $getOld[0]->user_id != CurrentSession::$user->id) { $message = "The username you tried to use is reserved, try again later!"; return view('global/information', compact('redirect', 'message')); } @@ -192,7 +192,7 @@ class AccountController extends Controller return view('global/information', compact('redirect', 'message')); } - ActiveUser::$user->setUsername($username, $username_clean); + CurrentSession::$user->setUsername($username, $username_clean); $message = "Changed your username!"; return view('global/information', compact('redirect', 'message')); @@ -208,7 +208,7 @@ class AccountController extends Controller public function title() { // Check permission - if (!ActiveUser::$user->permission(Site::CHANGE_USERTITLE)) { + if (!CurrentSession::$user->permission(Site::CHANGE_USERTITLE)) { $message = "You aren't allowed to change your title."; $redirect = route('settings.index'); return view('global/information', compact('redirect', 'message')); @@ -224,14 +224,14 @@ class AccountController extends Controller return view('global/information', compact('redirect', 'message')); } - if ($title === ActiveUser::$user->title) { + if ($title === CurrentSession::$user->title) { $message = "This is already your title!"; return view('global/information', compact('redirect', 'message')); } // Update database DB::table('users') - ->where('user_id', ActiveUser::$user->id) + ->where('user_id', CurrentSession::$user->id) ->update([ 'user_title' => $title, ]); 
@@ -250,7 +250,7 @@ class AccountController extends Controller public function password() { // Check permission - if (!ActiveUser::$user->permission(Site::CHANGE_PASSWORD)) { + if (!CurrentSession::$user->permission(Site::CHANGE_PASSWORD)) { $message = "You aren't allowed to change your password."; $redirect = route('settings.index'); return view('global/information', compact('redirect', 'message')); @@ -263,7 +263,7 @@ class AccountController extends Controller $redirect = route('settings.account.password'); // Check current password - if (!password_verify($current, ActiveUser::$user->password)) { + if (!password_verify($current, CurrentSession::$user->password)) { $message = "Your password was invalid!"; return view('global/information', compact('redirect', 'message')); } @@ -274,7 +274,7 @@ class AccountController extends Controller return view('global/information', compact('redirect', 'message')); } - ActiveUser::$user->setPassword($password); + CurrentSession::$user->setPassword($password); $message = "Changed your password!"; return view('global/information', compact('redirect', 'message')); @@ -290,7 +290,7 @@ class AccountController extends Controller public function ranks() { // Check permission - if (!ActiveUser::$user->permission(Site::ALTER_RANKS)) { + if (!CurrentSession::$user->permission(Site::ALTER_RANKS)) { $message = "You aren't allowed to manage your ranks."; $redirect = route('settings.index'); return view('global/information', compact('redirect', 'message')); @@ -311,7 +311,7 @@ class AccountController extends Controller $redirect = route('settings.account.ranks'); // Check if user has this rank - if (!ActiveUser::$user->hasRanks([$rank])) { + if (!CurrentSession::$user->hasRanks([$rank])) { $message = "You aren't a part of this rank!"; return view('global/information', compact('redirect', 'message')); } 
@@ -322,13 +322,13 @@ class AccountController extends Controller return view('global/information', compact('redirect', 'message')); } - ActiveUser::$user->removeRanks([$rank]); + CurrentSession::$user->removeRanks([$rank]); $message = "Removed the rank from your account!"; return view('global/information', compact('redirect', 'message')); } - ActiveUser::$user->setMainRank($rank); + CurrentSession::$user->setMainRank($rank); $message = "Changed your main rank!"; return view('global/information', compact('redirect', 'message')); diff --git a/app/Controllers/Settings/AdvancedController.php b/app/Controllers/Settings/AdvancedController.php index aa4a208..d1907b3 100644 --- a/app/Controllers/Settings/AdvancedController.php +++ b/app/Controllers/Settings/AdvancedController.php @@ -6,9 +6,9 @@ namespace Sakura\Controllers\Settings; -use Sakura\ActiveUser; -use Sakura\DB; +use Sakura\CurrentSession; use Sakura\Perms\Site; +use Sakura\Session; /** * Advanced settings. @@ -24,7 +24,7 @@ class AdvancedController extends Controller public function sessions() { // Check permission - if (!ActiveUser::$user->permission(Site::MANAGE_SESSIONS)) { + if (!CurrentSession::$user->permission(Site::MANAGE_SESSIONS)) { $message = "You aren't allowed to manage sessions."; $redirect = route('settings.index'); return view('global/information', compact('message', 'redirect')); 
@@ -38,21 +38,16 @@ class AdvancedController extends Controller // End all sessions if ($all) { - DB::table('sessions') - ->where('user_id', ActiveUser::$user->id) - ->delete(); - + CurrentSession::$user->purgeSessions(); $message = "Deleted all active session associated with your account!"; return view('global/information', compact('message', 'redirect')); } // Create the session statement - $session = DB::table('sessions') - ->where('user_id', ActiveUser::$user->id) - ->where('session_id', $id); + $session = new Session($id); // Check if the session exists - if (!$session->count()) { + if ($session->id < 1 || $session->user !== CurrentSession::$user->id) { $message = "This session doesn't exist!"; return view('global/information', compact('message', 'redirect')); } @@ -64,10 +59,8 @@ class AdvancedController extends Controller return view('global/information', compact('message', 'redirect')); } - $sessions = DB::table('sessions') - ->where('user_id', ActiveUser::$user->id) - ->get(); - $active = ActiveUser::$session->sessionId; + $sessions = CurrentSession::$user->sessions(); + $active = CurrentSession::$session->id; return view('settings/advanced/sessions', compact('sessions', 'active')); } @@ -79,7 +72,7 @@ class AdvancedController extends Controller public function deactivate() { // Check permission - if (!ActiveUser::$user->permission(Site::DEACTIVATE_ACCOUNT)) { + if (!CurrentSession::$user->permission(Site::DEACTIVATE_ACCOUNT)) { $message = "You aren't allowed to deactivate your account."; return view('global/information', compact('message', 'redirect')); } 
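Review bot: The new ownership guard `if ($session->id < 1 || $session->user !== CurrentSession::$user->id)` is the right shape for a user-supplied `$id`, but the strict `!==` will reject every session if `Session::$user` is populated from the DB row as a string while the current user's id is an int; app/Session.php is not in this chunk, so confirm it casts, or compare as `(int) $session->user !== (int) CurrentSession::$user->id`. The visible lines also show neither the `$all` purge nor the single-session deletion preceded by a `session_check()`, and ending all sessions is a state change a forged request should not be able to trigger — the method starts before this hunk, so a check may exist above it. Worth a comment on the guard as well: `// Only the owner may end a session; a foreign or unknown id gets the same "doesn't exist" reply.`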
@@ -90,18 +83,18 @@ class AdvancedController extends Controller $redirect = route('settings.advanced.deactivate'); // Check password - if (!ActiveUser::$user->verifyPassword($password)) { + if (!CurrentSession::$user->verifyPassword($password)) { $message = "Your password was invalid!"; return view('global/information', compact('message', 'redirect')); } // Deactivate account - ActiveUser::$user->removeRanks(array_keys(ActiveUser::$user->ranks)); - ActiveUser::$user->addRanks([1]); - ActiveUser::$user->setMainRank(1); + CurrentSession::$user->removeRanks(array_keys(CurrentSession::$user->ranks)); + CurrentSession::$user->addRanks([1]); + CurrentSession::$user->setMainRank(1); // Destroy all active sessions - ActiveUser::$session->destroyAll(); + CurrentSession::$user->purgeSessions(); $redirect = route('main.index'); $message = "Farewell!"; diff --git a/app/Controllers/Settings/AppearanceController.php b/app/Controllers/Settings/AppearanceController.php index 8fe08f3..d674d45 100644 --- a/app/Controllers/Settings/AppearanceController.php +++ b/app/Controllers/Settings/AppearanceController.php @@ -6,7 +6,7 @@ namespace Sakura\Controllers\Settings; -use Sakura\ActiveUser; +use Sakura\CurrentSession; use Sakura\DB; use Sakura\File; use Sakura\Perms\Site; @@ -85,13 +85,13 @@ class AppearanceController extends Controller return "Your image is not allowed to be larger than {$maxSizeFmt}!"; } - $userId = ActiveUser::$user->id; + $userId = CurrentSession::$user->id; $ext = image_type_to_extension($meta[2]); $filename = "{$mode}_{$userId}{$ext}"; // Create the file - $file = File::create(file_get_contents($tmpName), $filename, ActiveUser::$user); + $file = File::create(file_get_contents($tmpName), $filename, CurrentSession::$user); // Delete the old file $this->deleteFile($mode); 
@@ -100,7 +100,7 @@ class AppearanceController extends Controller // Save new avatar DB::table('users') - ->where('user_id', ActiveUser::$user->id) + ->where('user_id', CurrentSession::$user->id) ->update([ $column => $file->id, ]); @@ -114,7 +114,7 @@ class AppearanceController extends Controller */ public function deleteFile($mode) { - $fileId = ActiveUser::$user->{$mode}; + $fileId = CurrentSession::$user->{$mode}; if ($fileId) { (new File($fileId))->delete(); @@ -128,7 +128,7 @@ class AppearanceController extends Controller public function avatar() { // Check permission - if (!ActiveUser::$user->permission(Site::CHANGE_AVATAR)) { + if (!CurrentSession::$user->permission(Site::CHANGE_AVATAR)) { $message = "You aren't allowed to change your avatar."; $redirect = route('settings.index'); return view('global/information', compact('message', 'redirect')); @@ -159,7 +159,7 @@ class AppearanceController extends Controller public function background() { // Check permission - if (!ActiveUser::$user->permission(Site::CHANGE_BACKGROUND)) { + if (!CurrentSession::$user->permission(Site::CHANGE_BACKGROUND)) { $message = "You aren't allowed to change your background."; $redirect = route('settings.index'); return view('global/information', compact('message', 'redirect')); @@ -190,7 +190,7 @@ class AppearanceController extends Controller public function header() { // Check permission - if (!ActiveUser::$user->permission(Site::CHANGE_HEADER)) { + if (!CurrentSession::$user->permission(Site::CHANGE_HEADER)) { $message = "You aren't allowed to change your profile header."; $redirect = route('settings.index'); return view('global/information', compact('message', 'redirect')); 
@@ -221,9 +221,9 @@ class AppearanceController extends Controller { // Check permission if (!( - ActiveUser::$user->page - && ActiveUser::$user->permission(Site::CHANGE_USERPAGE) - ) && !ActiveUser::$user->permission(Site::CREATE_USERPAGE)) { + CurrentSession::$user->page + && CurrentSession::$user->permission(Site::CHANGE_USERPAGE) + ) && !CurrentSession::$user->permission(Site::CREATE_USERPAGE)) { $message = "You aren't allowed to change your userpage."; $redirect = route('settings.index'); return view('global/information', compact('message', 'redirect')); @@ -239,7 +239,7 @@ class AppearanceController extends Controller $message = 'Your userpage is too long, shorten it a little!'; } else { DB::table('users') - ->where('user_id', ActiveUser::$user->id) + ->where('user_id', CurrentSession::$user->id) ->update([ 'user_page' => $userpage, ]); @@ -260,7 +260,7 @@ class AppearanceController extends Controller public function signature() { // Check permission - if (!ActiveUser::$user->permission(Site::CHANGE_SIGNATURE)) { + if (!CurrentSession::$user->permission(Site::CHANGE_SIGNATURE)) { $message = "You aren't allowed to change your signature."; $redirect = route('settings.index'); return view('global/information', compact('message', 'redirect')); @@ -276,7 +276,7 @@ class AppearanceController extends Controller $message = 'Your signature is too long, shorten it a little!'; } else { DB::table('users') - ->where('user_id', ActiveUser::$user->id) + ->where('user_id', CurrentSession::$user->id) ->update([ 'user_signature' => $signature, ]); diff --git a/app/Controllers/Settings/Controller.php b/app/Controllers/Settings/Controller.php index b810437..c0ba864 100644 --- a/app/Controllers/Settings/Controller.php +++ b/app/Controllers/Settings/Controller.php 
@@ -6,8 +6,8 @@ namespace Sakura\Controllers\Settings; -use Sakura\ActiveUser; use Sakura\Controllers\Controller as BaseController; +use Sakura\CurrentSession; use Sakura\Perms\Site; use Sakura\Router; use Sakura\Template; @@ -36,27 +36,27 @@ class Controller extends BaseController $nav = []; // Account - if (ActiveUser::$user->permission(Site::ALTER_PROFILE)) { + if (CurrentSession::$user->permission(Site::ALTER_PROFILE)) { $nav["Account"]["Profile"] = Router::route('settings.account.profile'); } - if (ActiveUser::$user->permission(Site::CHANGE_EMAIL)) { + if (CurrentSession::$user->permission(Site::CHANGE_EMAIL)) { $nav["Account"]["E-mail address"] = Router::route('settings.account.email'); } - if (ActiveUser::$user->permission(Site::CHANGE_USERNAME)) { + if (CurrentSession::$user->permission(Site::CHANGE_USERNAME)) { $nav["Account"]["Username"] = Router::route('settings.account.username'); } - if (ActiveUser::$user->permission(Site::CHANGE_USERTITLE)) { + if (CurrentSession::$user->permission(Site::CHANGE_USERTITLE)) { $nav["Account"]["Title"] = Router::route('settings.account.title'); } - if (ActiveUser::$user->permission(Site::CHANGE_PASSWORD)) { + if (CurrentSession::$user->permission(Site::CHANGE_PASSWORD)) { $nav["Account"]["Password"] = Router::route('settings.account.password'); } - if (ActiveUser::$user->permission(Site::ALTER_RANKS)) { + if (CurrentSession::$user->permission(Site::ALTER_RANKS)) { $nav["Account"]["Ranks"] = Router::route('settings.account.ranks'); } // Friends - if (ActiveUser::$user->permission(Site::MANAGE_FRIENDS)) { + if (CurrentSession::$user->permission(Site::MANAGE_FRIENDS)) { $nav["Friends"]["Listing"] = Router::route('settings.friends.listing'); $nav["Friends"]["Requests"] = Router::route('settings.friends.requests'); } 
@@ -65,30 +65,30 @@ class Controller extends BaseController $nav["Notifications"]["History"] = Router::route('settings.notifications.history'); // Appearance - if (ActiveUser::$user->permission(Site::CHANGE_AVATAR)) { + if (CurrentSession::$user->permission(Site::CHANGE_AVATAR)) { $nav["Appearance"]["Avatar"] = Router::route('settings.appearance.avatar'); } - if (ActiveUser::$user->permission(Site::CHANGE_BACKGROUND)) { + if (CurrentSession::$user->permission(Site::CHANGE_BACKGROUND)) { $nav["Appearance"]["Background"] = Router::route('settings.appearance.background'); } - if (ActiveUser::$user->permission(Site::CHANGE_HEADER)) { + if (CurrentSession::$user->permission(Site::CHANGE_HEADER)) { $nav["Appearance"]["Header"] = Router::route('settings.appearance.header'); } if (( - ActiveUser::$user->page - && ActiveUser::$user->permission(Site::CHANGE_USERPAGE) - ) || ActiveUser::$user->permission(Site::CREATE_USERPAGE)) { + CurrentSession::$user->page + && CurrentSession::$user->permission(Site::CHANGE_USERPAGE) + ) || CurrentSession::$user->permission(Site::CREATE_USERPAGE)) { $nav["Appearance"]["Userpage"] = Router::route('settings.appearance.userpage'); } - if (ActiveUser::$user->permission(Site::CHANGE_SIGNATURE)) { + if (CurrentSession::$user->permission(Site::CHANGE_SIGNATURE)) { $nav["Appearance"]["Signature"] = Router::route('settings.appearance.signature'); } // Advanced - if (ActiveUser::$user->permission(Site::MANAGE_SESSIONS)) { + if (CurrentSession::$user->permission(Site::MANAGE_SESSIONS)) { $nav["Advanced"]["Sessions"] = Router::route('settings.advanced.sessions'); } - if (ActiveUser::$user->permission(Site::DEACTIVATE_ACCOUNT)) { + if (CurrentSession::$user->permission(Site::DEACTIVATE_ACCOUNT)) { $nav["Advanced"]["Deactivate"] = Router::route('settings.advanced.deactivate'); } diff --git a/app/Controllers/Settings/FriendsController.php b/app/Controllers/Settings/FriendsController.php index 9aa07c6..e8603dc 100644 
--- a/app/Controllers/Settings/FriendsController.php +++ b/app/Controllers/Settings/FriendsController.php @@ -6,7 +6,7 @@ namespace Sakura\Controllers\Settings; -use Sakura\ActiveUser; +use Sakura\CurrentSession; use Sakura\Perms\Site; /** @@ -23,7 +23,7 @@ class FriendsController extends Controller public function listing() { // Check permission - if (!ActiveUser::$user->permission(Site::MANAGE_FRIENDS)) { + if (!CurrentSession::$user->permission(Site::MANAGE_FRIENDS)) { $message = "You aren't allowed to manage friends."; $redirect = route('settings.index'); return view('global/information', compact('message', 'redirect')); @@ -39,7 +39,7 @@ class FriendsController extends Controller public function requests() { // Check permission - if (!ActiveUser::$user->permission(Site::MANAGE_FRIENDS)) { + if (!CurrentSession::$user->permission(Site::MANAGE_FRIENDS)) { $message = "You aren't allowed to manage friends."; $redirect = route('settings.index'); return view('global/information', compact('message', 'redirect')); diff --git a/app/Controllers/UserController.php b/app/Controllers/UserController.php index 9ad5c1b..b0e29dc 100644 --- a/app/Controllers/UserController.php +++ b/app/Controllers/UserController.php @@ -6,8 +6,8 @@ namespace Sakura\Controllers; -use Sakura\ActiveUser; use Sakura\Config; +use Sakura\CurrentSession; use Sakura\DB; use Sakura\Perms\Site; use Sakura\Rank; @@ -67,7 +67,7 @@ class UserController extends Controller public function members($rank = null) { // Check permission - if (!ActiveUser::$user->permission(Site::VIEW_MEMBERLIST)) { + if (!CurrentSession::$user->permission(Site::VIEW_MEMBERLIST)) { return Template::render('global/restricted'); } diff --git a/app/Middleware/UpdateLastOnline.php b/app/Middleware/UpdateLastOnline.php index 7ab8f68..7fd1f88 100644 --- a/app/Middleware/UpdateLastOnline.php +++ b/app/Middleware/UpdateLastOnline.php 
@@ -6,7 +6,7 @@ namespace Sakura\Middleware; -use Sakura\ActiveUser; +use Sakura\CurrentSession; /** * Updates when the last online time of a user. @@ -20,8 +20,8 @@ class UpdateLastOnline implements MiddlewareInterface */ public function run() { - if (ActiveUser::$user->id !== 0) { - ActiveUser::$user->updateOnline(); + if (CurrentSession::$user->id !== 0) { + CurrentSession::$user->updateOnline(); } } } diff --git a/app/Session.php b/app/Session.php index 163cd7d..fff3a9d 100644 --- a/app/Session.php +++ b/app/Session.php 
@@ -1,129 +1,166 @@ */ class Session { /** - * The ID of the user this session is from. + * Session storage id. * @var int */ - public $userId = 0; + public $id = 0; /** - * The ID of the session. + * User id. + * @var int + */ + public $user = 0; + + /** + * IP address this session was started from. * @var string */ - public $sessionId = ""; + public $ip = ''; /** - * Constructor. - * @param int $userId - * @param int $sessionId + * Country this session was started from. + * @var string */ - public function __construct($userId, $sessionId = null) + public $country = ''; + + /** + * User agent this session was started from. + * @var string + */ + public $agent = ''; + + /** + * Session secret key. + * @var string + */ + public $key = ''; + + /** + * Timestamp from when this session was created. + * @var int + */ + public $start = 0; + + /** + * Timestamp on which this session will invalidate. + * @var int + */ + public $expire = 0; + + /** + * Whether to extend the session's lifetime. + * @var bool + */ + public $remember = false; + + /** + * Constructor, $id can be a number or the secret key. 
+ * @param mixed $id + */ + public function __construct($id) { - // Check if a PHP session was already started and if not start one - if (session_status() != PHP_SESSION_ACTIVE) { - session_start(); + $data = DB::table('sessions'); + + if (is_numeric($id)) { + $data->where('session_id', $id); + } else { + $data->where('session_key', $id); } - // Set the supposed session data - $this->userId = $userId; - $this->sessionId = $sessionId; + $data = $data->first(); + + if ($data) { + $this->id = intval($data->session_id); + $this->user = intval($data->user_id); + $this->ip = Net::ntop($data->user_ip); + $this->country = $data->session_country; + $this->agent = $data->user_agent; + $this->key = $data->session_key; + $this->start = intval($data->session_start); + $this->expire = intval($data->session_expire); + $this->remember = boolval($data->session_remember); + } } /** - * Destroy the active session. + * Create a new session + * @param int $user + * @param string $ip + * @param string $country + * @param string $agent + * @param bool $remember + * @param int $length + * @return Session */ - public function destroy() + public static function create($user, $ip, $country, $agent = null, $remember = false, $length = 604800) { - // Invalidate the session key - DB::table('sessions') - ->where('session_key', $this->sessionId) - ->where('user_id', $this->userId) - ->delete(); + $start = time(); + $key = bin2hex(random_bytes(64)); - // Unset userId and sessionId - unset($this->userId); - unset($this->sessionId); - - // Destroy the session - session_regenerate_id(true); - session_destroy(); - } - - /** - * Destroy all sessions from this user. - */ - public function destroyAll() - { - // Delete all database entries with this user in it - DB::table('sessions') - ->where('user_id', $this->userId) - ->delete(); - - // Destroy this session to finish it off - $this->destroy(); - } - - /** - * Create a new session. 
- * @param boolean $permanent - * @return string - */ - public function create($permanent) - { - // Generate session key - $session = hash('sha256', $this->userId . base64_encode('sakura' . mt_rand(0, 99999999)) . time()); - - // Insert the session into the database - DB::table('sessions') - ->insert([ - 'user_id' => $this->userId, - 'user_ip' => Net::pton(Net::ip()), - 'user_agent' => clean_string(isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : 'No user agent header.'), - 'session_key' => $session, - 'session_start' => time(), - 'session_expire' => time() + 604800, - 'session_remember' => $permanent ? '1' : '0', + $id = DB::table('sessions') + ->insertGetId([ + 'user_id' => $user, + 'user_ip' => Net::pton($ip), + 'user_agent' => $agent, + 'session_key' => $key, + 'session_start' => $start, + 'session_expire' => $start + $length, + 'session_remember' => $remember ? 1 : 0, + 'session_country' => $country, ]); - // Return the session key - return $session; + return new Session($id); + } + + /** + * Delete this session. + */ + public function delete() + { + DB::table('sessions') + ->where('session_id', $this->id) + ->delete(); } /** * Validate the session. - * 0 = false, 1 = active, 2 = permanent. - * @return int + * @param int $user + * @param string $ip + * @return bool */ - public function validate() + public function validate($user, $ip = null) { // Get session from database $session = DB::table('sessions') - ->where('user_id', $this->userId) - ->where('session_key', $this->sessionId) + ->where([ + 'session_key' => $this->key, + 'user_id' => $user, + ]) ->first(); // Check if we actually got something in return if (!$session) { - return 0; + return false; } // Check if the session expired if ($session->session_expire < time()) { - // ...and return false - return 0; + $this->delete(); + return false; } /* completely removed the code for ip checking because it only worked with IPv4 
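Review bot: `validate()` authenticates against `$this->key`, which the constructor loads from the database, while the constructor chooses the lookup column by the shape of its argument (`is_numeric($id)` selects `session_id`, anything else selects `session_key`); a Session built from a numeric, client-chosen value therefore carries the real secret of that row, and `validate($user)` then succeeds for any live session whose `user_id` matches, without the presented credential ever being compared. Whether this is reachable depends on `CurrentSession::start()`, which is not in this patch, but sakura.php in this same patch passes it the raw `$_COOKIE[...session]` string, so the key lookup should be a separate, explicit entry point that no caller can reach the id branch from by accident. Two smaller points: the `$ip` parameter of `validate()` is now unused since the IP check was removed, and `create()` no longer passes the user agent through `clean_string()` as the old code did, so the caller must sanitize it before insert (the value is rendered in the sessions template). `validate()` continues past this hunk.
```php
/**
 * Look a session up by storage id. Never resolves a secret key,
 * so an untrusted string can never land on the id lookup.
 * @param int|null $id
 */
public function __construct($id = null)
{
    if ($id !== null) {
        $this->load(DB::table('sessions')->where('session_id', (int) $id)->first());
    }
}

/**
 * Look a session up by the secret key presented by the client.
 * @param string $key
 * @return Session
 */
public static function fromKey($key)
{
    $session = new static();
    $session->load(DB::table('sessions')->where('session_key', (string) $key)->first());
    return $session;
}

private function load($data)
{
    if (!$data) {
        return;
    }
    // … unchanged: property assignment from $data (id, user, ip, country, agent, key, start, expire, remember) …
}
```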
@@ -132,11 +169,21 @@ class Session // If the remember flag is set extend the session time if ($session->session_remember) { DB::table('sessions') - ->where('session_id', $session[0]->session_id) + ->where('session_id', $session->session_id) ->update(['session_expire' => time() + 604800]); } // Return 2 if the remember flag is set and return 1 if not - return $session->session_remember ? 2 : 1; + return true; + } + + /** + * Get the country. + * @param bool $long + * @return string + */ + public function country($long = false) + { + return $long ? get_country_name($this->country) : $this->country; } } diff --git a/app/User.php b/app/User.php index 8037549..92c0600 100644 --- a/app/User.php +++ b/app/User.php @@ -1032,4 +1032,32 @@ class User return $alerts; } + + /** + * Invalidate all sessions related to this user. + */ + public function purgeSessions() + { + DB::table('sessions') + ->where('user_id', $this->id) + ->delete(); + } + + /** + * Get all a user's sessions + * @return array + */ + public function sessions() + { + $sessions = []; + $ids = array_column(DB::table('sessions') + ->where('user_id', $this->id) + ->get(['session_id']), 'session_id'); + + foreach ($ids as $id) { + $sessions[$id] = new Session($id); + } + + return $sessions; + } } diff --git a/resources/views/yuuno/settings/advanced/sessions.twig b/resources/views/yuuno/settings/advanced/sessions.twig index c44da81..69b65f3 100644 --- a/resources/views/yuuno/settings/advanced/sessions.twig +++ b/resources/views/yuuno/settings/advanced/sessions.twig @@ -4,33 +4,36 @@ {% block description %}
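Review bot: The comment kept above the return, `// Return 2 if the remember flag is set and return 1 if not`, describes a value the function no longer produces (it now returns `true`), so it should read `// Session is live; remembered sessions had their expiry pushed out above` or be dropped. The sliding extension still hard-codes `time() + 604800`, while `create()` in this patch accepts a `$length`, so a session created with any other lifetime is silently reset to seven days on its next validated request; hoist the number into `const LIFETIME = 604800;` and use `self::LIFETIME` both here and as the `$length` default. `validate()` starts outside this hunk.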

Session keys are a way of identifying yourself with the system without keeping your password in memory.

-

If someone finds one of your session keys they could possibly compromise your account, if you see any sessions here that shouldn't be here hit the Kill button to kill the selected session.

+

If someone finds one of your session keys they could possibly compromise your account, if you see any sessions here that shouldn't be here hit the Kill button to kill the selected usession.

If you get logged out after clicking one you've most likely killed your current session, to make it easier to avoid this from happening your current session is highlighted.

{% endblock %} {% block settingsContent %} - + - + - {% for s in sessions %} - + {% for usession in sessions %} + + diff --git a/routes.php b/routes.php index 2c2fe1b..af58b19 100644 --- a/routes.php +++ b/routes.php @@ -8,7 +8,7 @@ namespace Sakura; // Check if logged out Router::filter('logoutCheck', function () { - if (ActiveUser::$user->isActive()) { + if (CurrentSession::$user->isActive()) { $message = "You must be logged out to do that!"; Template::vars(compact('message')); @@ -19,7 +19,7 @@ Router::filter('logoutCheck', function () { // Check if logged in Router::filter('loginCheck', function () { - if (!ActiveUser::$user->isActive()) { + if (!CurrentSession::$user->isActive()) { $message = "You must be logged in to do that!"; Template::vars(compact('message')); @@ -31,7 +31,7 @@ Router::filter('loginCheck', function () { // Maintenance check Router::filter('maintenance', function () { if (config('general.maintenance')) { - ActiveUser::$session->destroy(); + CurrentSession::stop(); http_response_code(503); diff --git a/sakura.php b/sakura.php index fa947fe..8324835 100644 --- a/sakura.php +++ b/sakura.php @@ -60,16 +60,17 @@ if (!defined('IN_CLI')) { // Initialise the current session $cookiePrefix = config('cookie.prefix'); - ActiveUser::init( + CurrentSession::start( intval($_COOKIE["{$cookiePrefix}id"] ?? 0), - $_COOKIE["{$cookiePrefix}session"] ?? '' + $_COOKIE["{$cookiePrefix}session"] ?? '', + Net::ip() ); // Start templating engine and set base variables Template::set(config('general.design')); Template::vars([ 'get' => $_GET, - 'user' => ActiveUser::$user, + 'user' => CurrentSession::$user, 'post' => $_POST, 'server' => $_SERVER, 'request' => $_REQUEST,
IPUseragentLogin time
IPUseragentCountryLogin time
IPUseragentLogin time
IPUseragentCountryLogin time
- {{ s.user_ip }} + {{ usession.ip }} - {{ s.user_agent }} + {{ usession.agent }} - + {{ usession.country }} {{ usession.country(true) }} + +
- +
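Review bot: The rewritten description block introduces a typo into user-facing text: `hit the Kill button to kill the selected usession.` should read `selected session` — it looks like the `s` → `usession` rename of the loop variable was applied to the prose as well. The loop variable rename and the new country column in the table are otherwise fine.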