Prevent viewing the test site without logging in.

This commit is contained in:
flash 2018-09-28 00:27:30 +02:00
parent 0cda47d5af
commit 44cb3e5bac
7 changed files with 166 additions and 122 deletions


@ -267,7 +267,9 @@ MIG;
tpl_add_path(__DIR__ . '/templates');
if ($app->underLockdown()) {
$misuzuBypassLockdown = !empty($misuzuBypassLockdown);
if (!$misuzuBypassLockdown && $app->underLockdown()) {
http_response_code(503);
echo tpl_render('auth.lockdown');
exit;
@ -294,6 +296,12 @@ MIG;
}
}
if (!$misuzuBypassLockdown && $app->isStagingSite() && !$app->hasActiveSession()) {
http_response_code(401);
echo tpl_render('auth.private');
exit;
}
$inManageMode = starts_with($_SERVER['REQUEST_URI'], '/manage');
$hasManageAccess = perms_check(perms_get_user(MSZ_PERMS_GENERAL, $app->getUserId()), MSZ_PERM_GENERAL_CAN_MANAGE);
tpl_var('has_manage_access', $hasManageAccess);
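Review bot: The opt-out on the line `$misuzuBypassLockdown = !empty($misuzuBypassLockdown);` turns any global of that name set before the require into a skip of both the lockdown page and the new staging gate, and nothing in either hunk says which scripts may set it or why; a comment at that line would make the contract reviewable, e.g. `// Scripts that must stay reachable without a session (auth.php login/get_user, profile.php avatar) set $misuzuBypassLockdown = true before requiring this file.` Because one flag covers both gates, the `get_user` lookup and avatar responses remain served to anonymous clients on the staging site, which appears intended for the login form's avatar preview but should be a recorded decision rather than a side effect. The refusal at `http_response_code(401);` is sent without a `WWW-Authenticate` header, which 401 formally requires; since the response is a form-login page rather than an HTTP-auth challenge, 403 describes it more accurately. The surrounding bootstrap code continues outside both hunks.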


@ -3,6 +3,10 @@ use Carbon\Carbon;
use Misuzu\Application;
use Misuzu\Database;
$isSubmission = !empty($_POST['auth']) && is_array($_POST['auth']);
$authMode = $isSubmission ? ($_POST['auth']['mode'] ?? '') : ($_GET['m'] ?? 'login');
$misuzuBypassLockdown = $authMode === 'login' || $authMode === 'get_user';
require_once __DIR__ . '/../misuzu.php';
$usernameValidationErrors = [
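Review bot: Listing `get_user` in `$misuzuBypassLockdown = $authMode === 'login' || $authMode === 'get_user';` keeps the username-to-id lookup reachable without a session on the staging site, since misuzu.php applies the same flag to the staging gate; the login form's avatar preview depends on it, but it means account names remain observable on a site this commit is closing to visitors. If that trade-off is intended, record it at that line, e.g. `// get_user stays open so the login form can preview avatars by username.`; otherwise the preview could be skipped on staging and the bypass reduced to `$authMode === 'login'`. In the later hunk that adds `if ($isStagingSite) { header('Location: /'); return; }` inside the switch, the `forgot` case two hunks down uses `break;` for the same redirect, so one form should be used for both (the case label for the first guard is outside the hunk, so I am inferring it belongs to the reset flow). The `$usernameValidationErrors` array this hunk ends on continues past the hunk.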
@ -14,9 +18,8 @@ $usernameValidationErrors = [
];
$preventRegistration = $app->disableRegistration();
$isStagingSite = $app->isStagingSite();
$isSubmission = !empty($_POST['auth']) && is_array($_POST['auth']);
$authMode = $isSubmission ? ($_POST['auth']['mode'] ?? '') : ($_GET['m'] ?? 'login');
$authUsername = $isSubmission ? ($_POST['auth']['username'] ?? '') : ($_GET['username'] ?? '');
$authEmail = $isSubmission ? ($_POST['auth']['email'] ?? '') : ($_GET['email'] ?? '');
$authPassword = $_POST['auth']['password'] ?? '';
@ -24,6 +27,7 @@ $authVerification = $_POST['auth']['verification'] ?? '';
tpl_vars([
'prevent_registration' => $preventRegistration,
'is_staging_site' => $isStagingSite,
'auth_mode' => $authMode,
'auth_username' => $authUsername,
'auth_email' => $authEmail,
@ -57,6 +61,11 @@ switch ($authMode) {
break;
}
if ($isStagingSite) {
header('Location: /');
return;
}
$resetUser = (int)($_POST['user'] ?? $_GET['u'] ?? 0);
$getResetUser = Database::prepare('
SELECT `user_id`, `username`
@ -144,7 +153,7 @@ switch ($authMode) {
break;
case 'forgot':
if ($app->hasActiveSession()) {
if ($app->hasActiveSession() || $isStagingSite) {
header('Location: /');
break;
}


@ -1,10 +1,12 @@
<?php
use Misuzu\Database;
$mode = (string)($_GET['m'] ?? null);
$misuzuBypassLockdown = $mode === 'avatar';
require_once __DIR__ . '/../misuzu.php';
$userId = (int)($_GET['u'] ?? 0);
$mode = (string)($_GET['m'] ?? null);
switch ($mode) {
case 'avatar':
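Review bot: `$misuzuBypassLockdown = $mode === 'avatar';` leaves the avatar response reachable without a session on the staging site (misuzu.php applies the same flag to both gates), so avatars are the one piece of profile data still served to anonymous clients; that looks deliberate because the login macro fetches `/profile.php?u=…&m=avatar`, but the line deserves a comment saying so, e.g. `// Avatars stay public so the login form can preview them; everything else here needs a session on staging.` Casting `$_GET['m']` with `(string)` before the require works for scalars, but an array value (`?m[]=x`) is converted to `'Array'` with an "Array to string conversion" warning rather than rejected; `$mode = is_string($_GET['m'] ?? null) ? $_GET['m'] : '';` avoids the notice. The switch continues outside the hunk.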


@ -306,7 +306,14 @@ final class Application
public function disableRegistration(): bool
{
return $this->underLockdown() || boolval($this->config['Auth']['prevent_registration'] ?? false);
return $this->underLockdown()
|| $this->isStagingSite()
|| boolval($this->config['Auth']['prevent_registration'] ?? false);
}
public function isStagingSite(): bool
{
return boolval($this->config['Auth']['staging'] ?? false);
}
public function getLinkedData(): array
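Review bot: `isStagingSite()` has become the switch that decides whether anonymous requests are refused, yet it carries no doc comment; a short one would pin the contract, e.g. `/** Whether the [Auth] staging config flag is set; misuzu.php then requires an active session for every script that does not opt out via $misuzuBypassLockdown. */`. Like the `prevent_registration` line beside it, the value passes through `boolval()`, which maps any non-empty string — including `'false'` or `'off'` if the config source stores booleans as text — to `true`; I cannot see how `$this->config` is populated, so if it is INI-style text, `filter_var($v, FILTER_VALIDATE_BOOLEAN)` would read the flag as an operator expects. The class continues outside the hunk.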


@ -1,40 +1,14 @@
{% extends 'auth/master.twig' %}
{% from 'auth/macros.twig' import auth_login %}
{% block content %}
<form class="container container--new auth" method="post" action="">
<input type="hidden" name="auth[mode]" value="login">
<div class="auth__header">
<div class="avatar avatar--new auth__avatar" id="login-avatar"
style="background-image:url('/profile.php?u=0&amp;m=avatar');"></div>
</div>
{% if auth_register_message is defined %}
<div class="warning auth__warning auth__warning--welcome">
<div class="warning__content">
{{ auth_register_message }}
</div>
</div>
{% elseif auth_login_error is defined %}
<div class="warning auth__warning">
<div class="warning__content">
{{ auth_login_error }}
</div>
</div>
{% endif %}
<div class="auth__form">
<input class="input__text input__text--new auth__input" type="text"
name="auth[username]" placeholder="Username" id="login-username"
value="{{ auth_username|default('') }}" required>
<input class="input__text input__text--new auth__input" type="password"
name="auth[password]" placeholder="Password" required>
<button class="input__button input__button--new">Login</button>
</div>
</form>
{{ auth_login(
auth_username|default(''),
auth_register_message|default(auth_login_error|default('')),
auth_register_message is defined
) }}
{% if not prevent_registration %}
<form class="container container--new auth" method="post" action="">
<input type="hidden" name="auth[mode]" value="register">
<div class="container__title">Register</div>
@ -62,7 +36,9 @@
<button class="input__button input__button--new">Sign up</button>
</div>
</form>
{% endif %}
{% if not is_staging_site %}
<form class="container container--new auth" method="post" action="">
<input type="hidden" name="auth[mode]" value="forgot">
<div class="container__title">Forgot password</div>
@ -83,44 +59,5 @@
<button class="input__button input__button--new">Send reminder</button>
</div>
</form>
<script>
let avatarTimeout = 0;
function updateLoginAvatar(avatar, username, force) {
if (!force) {
if (avatarTimeout)
return;
console.log(avatarTimeout);
avatarTimeout = setTimeout(() => {
updateLoginAvatar(avatar, username, true);
clearTimeout(avatarTimeout);
avatarTimeout = 0;
}, 750);
return;
}
const request = new XMLHttpRequest;
request.addEventListener('readystatechange', () => {
if (request.readyState !== 4)
return;
avatar.style.backgroundImage = 'url(\'/profile.php?u=%d&m=avatar\')'.replace('%d', request.responseText);
});
request.open('GET', '/auth.php?m=get_user&u=' + encodeURI(username.value));
request.send();
}
window.addEventListener('load', () => {
const avatar = document.getElementById('login-avatar'),
username = document.getElementById('login-username');
updateLoginAvatar(avatar, username, true); // in case there's anything prefilled
username.addEventListener('keyup', function (ev) {
updateLoginAvatar(avatar, username);
});
});
</script>
{% endif %}
{% endblock %}


@ -0,0 +1,71 @@
{% macro auth_login(username, message, is_welcome) %} {# please only use this once per page, it has script shit rn #}
{% set is_welcome = is_welcome|default(false) %}
<form class="container container--new auth" method="post" action="/auth.php">
<input type="hidden" name="auth[mode]" value="login">
<div class="auth__header">
<div class="avatar avatar--new auth__avatar" id="login-avatar"
style="background-image:url('/profile.php?u=0&amp;m=avatar');"></div>
</div>
{% if message|length > 0 %}
<div class="warning auth__warning{% if is_welcome %} auth__warning--welcome{% endif %}">
<div class="warning__content">
{{ message }}
</div>
</div>
{% endif %}
<div class="auth__form">
<input class="input__text input__text--new auth__input" type="text"
name="auth[username]" placeholder="Username" id="login-username"
value="{{ username|default('') }}" required>
<input class="input__text input__text--new auth__input" type="password"
name="auth[password]" placeholder="Password" required>
<button class="input__button input__button--new">Login</button>
</div>
</form>
<script>
let avatarTimeout = 0;
function updateLoginAvatar(avatar, username, force) {
if (!force) {
if (avatarTimeout)
return;
console.log(avatarTimeout);
avatarTimeout = setTimeout(() => {
updateLoginAvatar(avatar, username, true);
clearTimeout(avatarTimeout);
avatarTimeout = 0;
}, 750);
return;
}
const request = new XMLHttpRequest;
request.addEventListener('readystatechange', () => {
if (request.readyState !== 4)
return;
avatar.style.backgroundImage = 'url(\'/profile.php?u=%d&m=avatar\')'.replace('%d', request.responseText);
});
request.open('GET', '/auth.php?m=get_user&u=' + encodeURI(username.value));
request.send();
}
window.addEventListener('load', () => {
const avatar = document.getElementById('login-avatar'),
username = document.getElementById('login-username');
updateLoginAvatar(avatar, username, true); // in case there's anything prefilled
username.addEventListener('keyup', function (ev) {
updateLoginAvatar(avatar, username);
});
});
</script>
{% endmacro %}
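Review bot: `encodeURI(username.value)` on the `request.open` line does not escape `&`, `=`, `?` or `#`, so a typed username containing one of them is sent as extra or truncated query parameters instead of as the `u` value; `encodeURIComponent(username.value)` is the correct call for a single parameter value. `console.log(avatarTimeout);` is leftover debugging output, and `clearTimeout(avatarTimeout)` inside the timer callback is a no-op because the timer has already fired — resetting it to 0 is all that is needed. The header comment's "only use this once per page" has a concrete reason worth stating: the inline script declares `let avatarTimeout` and `function updateLoginAvatar` at global scope, so a second inclusion would throw a redeclaration error; suggest `{# Include at most once per page: the inline script declares page-level globals that cannot be redeclared. #}`.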


@ -0,0 +1,10 @@
{% extends 'auth/master.twig' %}
{% from 'auth/macros.twig' import auth_login %}
{% block content %}
{{ auth_login(
auth_username|default(''),
auth_login_error|default('You must log in to access the testing site.'),
auth_login_error is not defined
) }}
{% endblock %}
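Review bot: The `auth_username|default('')` and `auth_login_error|default(...)` arguments look unreachable here: misuzu.php renders `auth.private` at the moment it refuses a session-less request, before the including script runs, and the only visible code that sets `auth_login_error`/`auth_username` is auth.php, which opts out of the gate for `login` mode so its failed logins render elsewhere. As far as the visible hunks show, the template therefore always receives the default message and `is_welcome` is always true, which styles an access notice as a welcome banner. If that reading is right, the call can be simplified to `{{ auth_login('', 'You must log in to access the testing site.', false) }}`; if errors are meant to flow in, the rendering point in misuzu.php would have to set them first.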