Removed user_password_verify_db() and user_exists().

This commit is contained in:
flash 2020-05-14 22:18:39 +00:00
parent ca0f1ecb39
commit 4871df92f9
5 changed files with 47 additions and 76 deletions


@ -1,6 +1,7 @@
<?php
namespace Misuzu;
use Misuzu\Users\User;
use chillerlan\QRCode\QRCode;
use chillerlan\QRCode\QROptions;
@ -13,6 +14,7 @@ if(!user_session_active()) {
$errors = [];
$currentUserId = user_session_current('user_id');
$currentUser = User::get($currentUserId);
$currentEmail = user_email_get($currentUserId);
$isRestricted = user_warning_check_restriction($currentUserId);
$twoFactorInfo = user_totp_info($currentUserId);
@ -66,7 +68,7 @@ if($isVerifiedRequest && isset($_POST['tfa']['enable']) && (bool)$twoFactorInfo[
}
if($isVerifiedRequest && !empty($_POST['current_password'])) {
if(!user_password_verify_db($currentUserId, $_POST['current_password'] ?? '')) {
if(!$currentUser->checkPassword($_POST['current_password'] ?? '')) {
$errors[] = 'Your password was incorrect.';
} else {
// Changing e-mail
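Review bot: `$_POST['current_password']` is passed to `$currentUser->checkPassword()` on line 28 without an `is_string()` check, so a `current_password[]=x` form field reaches what is presumably a `string`-typed parameter as an array, and the `?? ''` fallback on the same line is dead code because the branch is already guarded by `!empty($_POST['current_password'])`. Suggest `if(!is_string($_POST['current_password']) || !$currentUser->checkPassword($_POST['current_password'])) {`. The same redundant `?? ''` after an `isset()` guard appears in the data-download file below (`$_POST['password'] ?? ''`). Whether `User::get()` can return null for an active session is not visible here; if it can, line 28 becomes a null dereference, so confirm that before relying on it. The enclosing `if` chain continues past the hunk.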


@ -2,6 +2,7 @@
namespace Misuzu;
use ZipArchive;
use Misuzu\Users\User;
require_once '../../misuzu.php';
@ -26,50 +27,55 @@ function db_to_zip(ZipArchive $archive, int $userId, string $filename, string $q
$errors = [];
$currentUserId = user_session_current('user_id');
$currentUser = User::get($currentUserId);
if(isset($_POST['action']) && is_string($_POST['action'])) {
if(isset($_POST['password']) && is_string($_POST['password'])
&& user_password_verify_db($currentUserId, $_POST['password'])) {
&& $currentUser->checkPassword($_POST['password'] ?? '')) {
switch($_POST['action']) {
case 'data':
audit_log(MSZ_AUDIT_PERSONAL_DATA_DOWNLOAD, $currentUserId);
$filename = tempnam(sys_get_temp_dir(), 'msz');
$timeStamp = floor(time() / 3600) * 3600;
$fileName = sprintf('msz-user-data-%d-%d.zip', $currentUserId, $timeStamp);
$filePath = sys_get_temp_dir() . DIRECTORY_SEPARATOR . $fileName;
$archive = new ZipArchive;
$archive->open($filename, ZipArchive::CREATE);
db_to_zip($archive, $currentUserId, 'audit_log.json', 'SELECT *, INET6_NTOA(`log_ip`) AS `log_ip` FROM `msz_audit_log` WHERE `user_id` = :user_id');
db_to_zip($archive, $currentUserId, 'auth_tfa.json', 'SELECT * FROM `msz_auth_tfa` WHERE `user_id` = :user_id');
db_to_zip($archive, $currentUserId, 'changelog_changes.json', 'SELECT * FROM `msz_changelog_changes` WHERE `user_id` = :user_id');
db_to_zip($archive, $currentUserId, 'comments_posts.json', 'SELECT * FROM `msz_comments_posts` WHERE `user_id` = :user_id');
db_to_zip($archive, $currentUserId, 'comments_votes.json', 'SELECT * FROM `msz_comments_votes` WHERE `user_id` = :user_id');
db_to_zip($archive, $currentUserId, 'forum_permissions.json', 'SELECT * FROM `msz_forum_permissions` WHERE `user_id` = :user_id');
db_to_zip($archive, $currentUserId, 'forum_polls_answers.json', 'SELECT * FROM `msz_forum_polls_answers` WHERE `user_id` = :user_id');
db_to_zip($archive, $currentUserId, 'forum_posts.json', 'SELECT *, INET6_NTOA(`post_ip`) AS `post_ip` FROM `msz_forum_posts` WHERE `user_id` = :user_id');
db_to_zip($archive, $currentUserId, 'forum_topics.json', 'SELECT * FROM `msz_forum_topics` WHERE `user_id` = :user_id');
db_to_zip($archive, $currentUserId, 'forum_topics_priority.json', 'SELECT * FROM `msz_forum_topics_priority` WHERE `user_id` = :user_id');
db_to_zip($archive, $currentUserId, 'forum_topics_track.json', 'SELECT * FROM `msz_forum_topics_track` WHERE `user_id` = :user_id');
db_to_zip($archive, $currentUserId, 'login_attempts.json', 'SELECT *, INET6_NTOA(`attempt_ip`) AS `attempt_ip` FROM `msz_login_attempts` WHERE `user_id` = :user_id');
db_to_zip($archive, $currentUserId, 'news_posts.json', 'SELECT * FROM `msz_news_posts` WHERE `user_id` = :user_id');
db_to_zip($archive, $currentUserId, 'permissions.json', 'SELECT * FROM `msz_permissions` WHERE `user_id` = :user_id');
db_to_zip($archive, $currentUserId, 'profile_fields_values.json', 'SELECT * FROM `msz_profile_fields_values` WHERE `user_id` = :user_id');
db_to_zip($archive, $currentUserId, 'sessions.json', 'SELECT *, INET6_NTOA(`session_ip`) AS `session_ip`, INET6_NTOA(`session_ip_last`) AS `session_ip_last` FROM `msz_sessions` WHERE `user_id` = :user_id');
db_to_zip($archive, $currentUserId, 'users.json', 'SELECT *, NULL AS `password`, NULL AS `user_totp_key`, INET6_NTOA(`register_ip`) AS `register_ip`, INET6_NTOA(`last_ip`) AS `last_ip` FROM `msz_users` WHERE `user_id` = :user_id');
db_to_zip($archive, $currentUserId, 'users_password_resets.json', 'SELECT *, INET6_NTOA(`reset_ip`) AS `reset_ip` FROM `msz_users_password_resets` WHERE `user_id` = :user_id');
db_to_zip($archive, $currentUserId, 'user_chat_tokens.json', 'SELECT * FROM `msz_user_chat_tokens` WHERE `user_id` = :user_id');
db_to_zip($archive, $currentUserId, 'user_relations.json', 'SELECT * FROM `msz_user_relations` WHERE `user_id` = :user_id_1 OR `subject_id` = :user_id_2', 2);
db_to_zip($archive, $currentUserId, 'user_roles.json', 'SELECT * FROM `msz_user_roles` WHERE `user_id` = :user_id');
db_to_zip($archive, $currentUserId, 'user_warnings.json', 'SELECT *, INET6_NTOA(`user_ip`) AS `user_ip`, NULL AS `issuer_id`, NULL AS `issuer_ip`, NULL AS `warning_note_private` FROM `msz_user_warnings` WHERE `user_id` = :user_id');
if(!is_file($filePath)) {
if($archive->open($filePath, ZipArchive::CREATE | ZIPARCHIVE::OVERWRITE) === true) {
db_to_zip($archive, $currentUserId, 'audit_log.json', 'SELECT *, INET6_NTOA(`log_ip`) AS `log_ip` FROM `msz_audit_log` WHERE `user_id` = :user_id');
db_to_zip($archive, $currentUserId, 'auth_tfa.json', 'SELECT * FROM `msz_auth_tfa` WHERE `user_id` = :user_id');
db_to_zip($archive, $currentUserId, 'changelog_changes.json', 'SELECT * FROM `msz_changelog_changes` WHERE `user_id` = :user_id');
db_to_zip($archive, $currentUserId, 'comments_posts.json', 'SELECT * FROM `msz_comments_posts` WHERE `user_id` = :user_id');
db_to_zip($archive, $currentUserId, 'comments_votes.json', 'SELECT * FROM `msz_comments_votes` WHERE `user_id` = :user_id');
db_to_zip($archive, $currentUserId, 'forum_permissions.json', 'SELECT * FROM `msz_forum_permissions` WHERE `user_id` = :user_id');
db_to_zip($archive, $currentUserId, 'forum_polls_answers.json', 'SELECT * FROM `msz_forum_polls_answers` WHERE `user_id` = :user_id');
db_to_zip($archive, $currentUserId, 'forum_posts.json', 'SELECT *, INET6_NTOA(`post_ip`) AS `post_ip` FROM `msz_forum_posts` WHERE `user_id` = :user_id');
db_to_zip($archive, $currentUserId, 'forum_topics.json', 'SELECT * FROM `msz_forum_topics` WHERE `user_id` = :user_id');
db_to_zip($archive, $currentUserId, 'forum_topics_priority.json', 'SELECT * FROM `msz_forum_topics_priority` WHERE `user_id` = :user_id');
db_to_zip($archive, $currentUserId, 'forum_topics_track.json', 'SELECT * FROM `msz_forum_topics_track` WHERE `user_id` = :user_id');
db_to_zip($archive, $currentUserId, 'login_attempts.json', 'SELECT *, INET6_NTOA(`attempt_ip`) AS `attempt_ip` FROM `msz_login_attempts` WHERE `user_id` = :user_id');
db_to_zip($archive, $currentUserId, 'news_posts.json', 'SELECT * FROM `msz_news_posts` WHERE `user_id` = :user_id');
db_to_zip($archive, $currentUserId, 'permissions.json', 'SELECT * FROM `msz_permissions` WHERE `user_id` = :user_id');
db_to_zip($archive, $currentUserId, 'profile_fields_values.json', 'SELECT * FROM `msz_profile_fields_values` WHERE `user_id` = :user_id');
db_to_zip($archive, $currentUserId, 'sessions.json', 'SELECT *, INET6_NTOA(`session_ip`) AS `session_ip`, INET6_NTOA(`session_ip_last`) AS `session_ip_last` FROM `msz_sessions` WHERE `user_id` = :user_id');
db_to_zip($archive, $currentUserId, 'users.json', 'SELECT *, NULL AS `password`, NULL AS `user_totp_key`, INET6_NTOA(`register_ip`) AS `register_ip`, INET6_NTOA(`last_ip`) AS `last_ip` FROM `msz_users` WHERE `user_id` = :user_id');
db_to_zip($archive, $currentUserId, 'users_password_resets.json', 'SELECT *, INET6_NTOA(`reset_ip`) AS `reset_ip` FROM `msz_users_password_resets` WHERE `user_id` = :user_id');
db_to_zip($archive, $currentUserId, 'user_chat_tokens.json', 'SELECT * FROM `msz_user_chat_tokens` WHERE `user_id` = :user_id');
db_to_zip($archive, $currentUserId, 'user_relations.json', 'SELECT * FROM `msz_user_relations` WHERE `user_id` = :user_id_1 OR `subject_id` = :user_id_2', 2);
db_to_zip($archive, $currentUserId, 'user_roles.json', 'SELECT * FROM `msz_user_roles` WHERE `user_id` = :user_id');
db_to_zip($archive, $currentUserId, 'user_warnings.json', 'SELECT *, INET6_NTOA(`user_ip`) AS `user_ip`, NULL AS `issuer_id`, NULL AS `issuer_ip`, NULL AS `warning_note_private` FROM `msz_user_warnings` WHERE `user_id` = :user_id');
$archive->close();
$archive->close();
} else {
$errors[] = 'Something went wrong while creating your account archive.';
break;
}
}
header('Content-Type: application/zip');
header(sprintf(
'Content-Disposition: inline; filename="misuzu-user-data-%d-%d.zip"',
$currentUserId,
time()
));
echo file_get_contents($filename);
header(sprintf('Content-Disposition: inline; filename="%s"', $fileName));
echo file_get_contents($filePath);
return;
case 'deactivate':
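Review bot: The archive is now written to and served from a predictable path in the shared temp directory (`sys_get_temp_dir() . DIRECTORY_SEPARATOR . $fileName`, lines 52–54), and `if(!is_file($filePath))` on line 79 skips generation whenever something already exists at that name, so whatever file (or symlink target) is there is sent back by `file_get_contents($filePath)` on line 118 with no check that this process created it. On a host where other local accounts can write to the temp directory that means foreign content at a guessable `msz-user-data-<id>-<hour>.zip` name would be served as the user's export, and a partially written archive from an interrupted request would likewise be reused for the rest of the hour. The previous revision's `tempnam()` avoided both; keeping it (`$filePath = tempnam(sys_get_temp_dir(), 'msz');` with `ZipArchive::OVERWRITE`), or writing into a directory only the application can write and calling `unlink($filePath)` after the `echo`, would restore that. Smaller points: `ZIPARCHIVE::OVERWRITE` on line 80 should be spelled `ZipArchive::OVERWRITE` like the constant beside it, and the `OVERWRITE` flag is redundant behind the `!is_file` guard. The `switch` continues past the end of the hunk.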


@ -2,14 +2,16 @@
namespace Misuzu;
use Misuzu\Imaging\Image;
use Misuzu\Users\User;
$userAssetsMode = !empty($_GET['m']) && is_string($_GET['m']) ? (string)$_GET['m'] : '';
$misuzuBypassLockdown = $userAssetsMode === 'avatar';
require_once '../misuzu.php';
$userId = !empty($_GET['u']) && is_string($_GET['u']) ? (int)$_GET['u'] : 0;
$userExists = user_exists($userId);
$userInfo = User::get((int)filter_input(INPUT_GET, 'u', FILTER_SANITIZE_NUMBER_INT));
$userExists = empty($userExists);
$userId = $userExists ? $userInfo->getUserId() : 0;
$canViewImages = !$userExists
|| !user_warning_check_expiration($userId, MSZ_WARN_BAN)
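Review bot: `$userExists = empty($userExists);` on line 134 reads a variable that is no longer assigned anywhere in this file (the `user_exists()` call that set it is removed on line 132), so it is always `true`, and line 135 then calls `$userInfo->getUserId()` even when the lookup matched nobody. It looks like a typo for `$userExists = !empty($userInfo);` — assuming `User::get()` yields null/empty for an unknown id, which is not visible here; confirm against the class. The visibility decision that follows (`$canViewImages = !$userExists || ...`) depends on this value, so the typo changes which users' assets are served. The statement run continues past the hunk.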


@ -209,8 +209,8 @@ final class SockChatHandler extends Handler {
if(time() > 1577750400)
return ['success' => false, 'reason' => 'unsupported'];
if(user_password_verify_db($authInfo->user_id, mb_substr($authInfo->token, 5)))
$userId = $authInfo->user_id;
//if(user_password_verify_db($authInfo->user_id, mb_substr($authInfo->token, 5)))
// $userId = $authInfo->user_id;
} elseif($authMethod === 'SESS:') {
$sessionToken = mb_substr($authInfo->token, 5);
$tokenData = user_session_cookie_unpack(
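Review bot: Lines 146–147 replace the `PASS:` verification with commented-out code, so this branch now falls through leaving `$userId` untouched and relies on whatever the caller does with an unset id; commented-out code should be deleted rather than kept, and the branch should answer explicitly, e.g. `return ['success' => false, 'reason' => 'unsupported'];` in place of the two comment lines. The `time() > 1577750400` guard on line 142 already makes this path unreachable after that timestamp (roughly the end of December 2019), so the whole branch was dead before this commit and could be removed together with the helper. The enclosing method of `SockChatHandler` starts and ends outside the hunk.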


@ -113,45 +113,6 @@ function user_email_set(int $userId, string $email): bool {
return $updateMail->execute();
}
function user_password_verify_db(int $userId, string $password): bool {
if($userId < 1) {
return false;
}
$fetchPassword = \Misuzu\DB::prepare('
SELECT `password`
FROM `msz_users`
WHERE `user_id` = :user_id
');
$fetchPassword->bind('user_id', $userId);
$currentPassword = $fetchPassword->fetchColumn(0, '');
return !empty($currentPassword) && password_verify($password, $currentPassword);
}
// function of the century, only use this if it doesn't make sense to grab data otherwise
function user_exists(int $userId): bool {
if($userId < 1) {
return false;
}
static $exists = [];
if(isset($exists[$userId])) {
return $exists[$userId];
}
$check = \Misuzu\DB::prepare('
SELECT COUNT(`user_id`) > 0
FROM `msz_users`
WHERE `user_id` = :user_id
');
$check->bind('user_id', $userId);
return $exists[$userId] = (bool)$check->fetchColumn(0, false);
}
function user_id_from_username(string $username): int {
$getId = \Misuzu\DB::prepare('SELECT `user_id` FROM `msz_users` WHERE LOWER(`username`) = LOWER(:username)');
$getId->bind('username', $username);