diff --git a/public/settings/account.php b/public/settings/account.php
index 59749a28..3e4ffade 100644
--- a/public/settings/account.php
+++ b/public/settings/account.php
@@ -1,6 +1,7 @@ checkPassword($_POST['current_password'] ?? '')) { $errors[] = 'Your password was incorrect.'; } else { // Changing e-mail
diff --git a/public/settings/data.php b/public/settings/data.php
index c0634991..2ebe0833 100644
--- a/public/settings/data.php
+++ b/public/settings/data.php
@@ -2,6 +2,7 @@
 namespace Misuzu;
 use ZipArchive;
+use Misuzu\Users\User;
 require_once '../../misuzu.php';
@@ -26,50 +27,55 @@ function db_to_zip(ZipArchive $archive, int $userId, string $filename, string $q
 $errors = [];
 $currentUserId = user_session_current('user_id');
+$currentUser = User::get($currentUserId);
 if(isset($_POST['action']) && is_string($_POST['action'])) {
 if(isset($_POST['password']) && is_string($_POST['password'])
- && user_password_verify_db($currentUserId, $_POST['password'])) {
+ && $currentUser->checkPassword($_POST['password'] ?? '')) {
 switch($_POST['action']) {
 case 'data':
 audit_log(MSZ_AUDIT_PERSONAL_DATA_DOWNLOAD, $currentUserId);
- $filename = tempnam(sys_get_temp_dir(), 'msz');
+ $timeStamp = floor(time() / 3600) * 3600;
+ $fileName = sprintf('msz-user-data-%d-%d.zip', $currentUserId, $timeStamp);
+ $filePath = sys_get_temp_dir() . DIRECTORY_SEPARATOR . $fileName;
 $archive = new ZipArchive;
- $archive->open($filename, ZipArchive::CREATE);
- db_to_zip($archive, $currentUserId, 'audit_log.json', 'SELECT *, INET6_NTOA(`log_ip`) AS `log_ip` FROM `msz_audit_log` WHERE `user_id` = :user_id');
- db_to_zip($archive, $currentUserId, 'auth_tfa.json', 'SELECT * FROM `msz_auth_tfa` WHERE `user_id` = :user_id');
- db_to_zip($archive, $currentUserId, 'changelog_changes.json', 'SELECT * FROM `msz_changelog_changes` WHERE `user_id` = :user_id');
- db_to_zip($archive, $currentUserId, 'comments_posts.json', 'SELECT * FROM `msz_comments_posts` WHERE `user_id` = :user_id');
- db_to_zip($archive, $currentUserId, 'comments_votes.json', 'SELECT * FROM `msz_comments_votes` WHERE `user_id` = :user_id');
- db_to_zip($archive, $currentUserId, 'forum_permissions.json', 'SELECT * FROM `msz_forum_permissions` WHERE `user_id` = :user_id');
- db_to_zip($archive, $currentUserId, 'forum_polls_answers.json', 'SELECT * FROM `msz_forum_polls_answers` WHERE `user_id` = :user_id');
- db_to_zip($archive, $currentUserId, 'forum_posts.json', 'SELECT *, INET6_NTOA(`post_ip`) AS `post_ip` FROM `msz_forum_posts` WHERE `user_id` = :user_id');
- db_to_zip($archive, $currentUserId, 'forum_topics.json', 'SELECT * FROM `msz_forum_topics` WHERE `user_id` = :user_id');
- db_to_zip($archive, $currentUserId, 'forum_topics_priority.json', 'SELECT * FROM `msz_forum_topics_priority` WHERE `user_id` = :user_id');
- db_to_zip($archive, $currentUserId, 'forum_topics_track.json', 'SELECT * FROM `msz_forum_topics_track` WHERE `user_id` = :user_id');
- db_to_zip($archive, $currentUserId, 'login_attempts.json', 'SELECT *, INET6_NTOA(`attempt_ip`) AS `attempt_ip` FROM `msz_login_attempts` WHERE `user_id` = :user_id');
- db_to_zip($archive, $currentUserId, 'news_posts.json', 'SELECT * FROM `msz_news_posts` WHERE `user_id` = :user_id');
- db_to_zip($archive, $currentUserId, 'permissions.json', 'SELECT * FROM `msz_permissions` WHERE `user_id` = :user_id');
- db_to_zip($archive, $currentUserId, 'profile_fields_values.json', 'SELECT * FROM `msz_profile_fields_values` WHERE `user_id` = :user_id');
- db_to_zip($archive, $currentUserId, 'sessions.json', 'SELECT *, INET6_NTOA(`session_ip`) AS `session_ip`, INET6_NTOA(`session_ip_last`) AS `session_ip_last` FROM `msz_sessions` WHERE `user_id` = :user_id');
- db_to_zip($archive, $currentUserId, 'users.json', 'SELECT *, NULL AS `password`, NULL AS `user_totp_key`, INET6_NTOA(`register_ip`) AS `register_ip`, INET6_NTOA(`last_ip`) AS `last_ip` FROM `msz_users` WHERE `user_id` = :user_id');
- db_to_zip($archive, $currentUserId, 'users_password_resets.json', 'SELECT *, INET6_NTOA(`reset_ip`) AS `reset_ip` FROM `msz_users_password_resets` WHERE `user_id` = :user_id');
- db_to_zip($archive, $currentUserId, 'user_chat_tokens.json', 'SELECT * FROM `msz_user_chat_tokens` WHERE `user_id` = :user_id');
- db_to_zip($archive, $currentUserId, 'user_relations.json', 'SELECT * FROM `msz_user_relations` WHERE `user_id` = :user_id_1 OR `subject_id` = :user_id_2', 2);
- db_to_zip($archive, $currentUserId, 'user_roles.json', 'SELECT * FROM `msz_user_roles` WHERE `user_id` = :user_id');
- db_to_zip($archive, $currentUserId, 'user_warnings.json', 'SELECT *, INET6_NTOA(`user_ip`) AS `user_ip`, NULL AS `issuer_id`, NULL AS `issuer_ip`, NULL AS `warning_note_private` FROM `msz_user_warnings` WHERE `user_id` = :user_id');
+ if(!is_file($filePath)) {
+ if($archive->open($filePath, ZipArchive::CREATE | ZIPARCHIVE::OVERWRITE) === true) {
+ db_to_zip($archive, $currentUserId, 'audit_log.json', 'SELECT *, INET6_NTOA(`log_ip`) AS `log_ip` FROM `msz_audit_log` WHERE `user_id` = :user_id');
+ db_to_zip($archive, $currentUserId, 'auth_tfa.json', 'SELECT * FROM `msz_auth_tfa` WHERE `user_id` = :user_id');
+ db_to_zip($archive, $currentUserId, 'changelog_changes.json', 'SELECT * FROM `msz_changelog_changes` WHERE `user_id` = :user_id');
+ db_to_zip($archive, $currentUserId, 'comments_posts.json', 'SELECT * FROM `msz_comments_posts` WHERE `user_id` = :user_id');
+ db_to_zip($archive, $currentUserId, 'comments_votes.json', 'SELECT * FROM `msz_comments_votes` WHERE `user_id` = :user_id');
+ db_to_zip($archive, $currentUserId, 'forum_permissions.json', 'SELECT * FROM `msz_forum_permissions` WHERE `user_id` = :user_id');
+ db_to_zip($archive, $currentUserId, 'forum_polls_answers.json', 'SELECT * FROM `msz_forum_polls_answers` WHERE `user_id` = :user_id');
+ db_to_zip($archive, $currentUserId, 'forum_posts.json', 'SELECT *, INET6_NTOA(`post_ip`) AS `post_ip` FROM `msz_forum_posts` WHERE `user_id` = :user_id');
+ db_to_zip($archive, $currentUserId, 'forum_topics.json', 'SELECT * FROM `msz_forum_topics` WHERE `user_id` = :user_id');
+ db_to_zip($archive, $currentUserId, 'forum_topics_priority.json', 'SELECT * FROM `msz_forum_topics_priority` WHERE `user_id` = :user_id');
+ db_to_zip($archive, $currentUserId, 'forum_topics_track.json', 'SELECT * FROM `msz_forum_topics_track` WHERE `user_id` = :user_id');
+ db_to_zip($archive, $currentUserId, 'login_attempts.json', 'SELECT *, INET6_NTOA(`attempt_ip`) AS `attempt_ip` FROM `msz_login_attempts` WHERE `user_id` = :user_id');
+ db_to_zip($archive, $currentUserId, 'news_posts.json', 'SELECT * FROM `msz_news_posts` WHERE `user_id` = :user_id');
+ db_to_zip($archive, $currentUserId, 'permissions.json', 'SELECT * FROM `msz_permissions` WHERE `user_id` = :user_id');
+ db_to_zip($archive, $currentUserId, 'profile_fields_values.json', 'SELECT * FROM `msz_profile_fields_values` WHERE `user_id` = :user_id');
+ db_to_zip($archive, $currentUserId, 'sessions.json', 'SELECT *, INET6_NTOA(`session_ip`) AS `session_ip`, INET6_NTOA(`session_ip_last`) AS `session_ip_last` FROM `msz_sessions` WHERE `user_id` = :user_id');
+ db_to_zip($archive, $currentUserId, 'users.json', 'SELECT *, NULL AS `password`, NULL AS `user_totp_key`, INET6_NTOA(`register_ip`) AS `register_ip`, INET6_NTOA(`last_ip`) AS `last_ip` FROM `msz_users` WHERE `user_id` = :user_id');
+ db_to_zip($archive, $currentUserId, 'users_password_resets.json', 'SELECT *, INET6_NTOA(`reset_ip`) AS `reset_ip` FROM `msz_users_password_resets` WHERE `user_id` = :user_id');
+ db_to_zip($archive, $currentUserId, 'user_chat_tokens.json', 'SELECT * FROM `msz_user_chat_tokens` WHERE `user_id` = :user_id');
+ db_to_zip($archive, $currentUserId, 'user_relations.json', 'SELECT * FROM `msz_user_relations` WHERE `user_id` = :user_id_1 OR `subject_id` = :user_id_2', 2);
+ db_to_zip($archive, $currentUserId, 'user_roles.json', 'SELECT * FROM `msz_user_roles` WHERE `user_id` = :user_id');
+ db_to_zip($archive, $currentUserId, 'user_warnings.json', 'SELECT *, INET6_NTOA(`user_ip`) AS `user_ip`, NULL AS `issuer_id`, NULL AS `issuer_ip`, NULL AS `warning_note_private` FROM `msz_user_warnings` WHERE `user_id` = :user_id');
- $archive->close();
+ $archive->close();
+ } else {
+ $errors[] = 'Something went wrong while creating your account archive.';
+ break;
+ }
+ }
 header('Content-Type: application/zip');
- header(sprintf(
- 'Content-Disposition: inline; filename="misuzu-user-data-%d-%d.zip"',
- $currentUserId,
- time()
- ));
- echo file_get_contents($filename);
+ header(sprintf('Content-Disposition: inline; filename="%s"', $fileName));
+ echo file_get_contents($filePath);
 return;
 case 'deactivate':
diff --git a/public/user-assets.php b/public/user-assets.php
index cdb9e6bf..ce398d35 100644
--- a/public/user-assets.php
+++ b/public/user-assets.php
@@ -2,14 +2,16 @@
 namespace Misuzu;
 use Misuzu\Imaging\Image;
+use Misuzu\Users\User;
 $userAssetsMode = !empty($_GET['m']) && is_string($_GET['m']) ? (string)$_GET['m'] : '';
 $misuzuBypassLockdown = $userAssetsMode === 'avatar';
 require_once '../misuzu.php';
-$userId = !empty($_GET['u']) && is_string($_GET['u']) ? (int)$_GET['u'] : 0;
-$userExists = user_exists($userId);
+$userInfo = User::get((int)filter_input(INPUT_GET, 'u', FILTER_SANITIZE_NUMBER_INT));
+$userExists = empty($userExists);
+$userId = $userExists ? $userInfo->getUserId() : 0;
 $canViewImages = !$userExists || !user_warning_check_expiration($userId, MSZ_WARN_BAN)
diff --git a/src/Http/Handlers/SockChatHandler.php b/src/Http/Handlers/SockChatHandler.php
index 24884456..01414f78 100644
--- a/src/Http/Handlers/SockChatHandler.php
+++ b/src/Http/Handlers/SockChatHandler.php
@@ -209,8 +209,8 @@ final class SockChatHandler extends Handler {
 if(time() > 1577750400) return ['success' => false, 'reason' => 'unsupported'];
- if(user_password_verify_db($authInfo->user_id, mb_substr($authInfo->token, 5)))
- $userId = $authInfo->user_id;
+ //if(user_password_verify_db($authInfo->user_id, mb_substr($authInfo->token, 5)))
+ // $userId = $authInfo->user_id;
 } elseif($authMethod === 'SESS:') {
 $sessionToken = mb_substr($authInfo->token, 5);
 $tokenData = user_session_cookie_unpack(
diff --git a/src/Users/user_legacy.php b/src/Users/user_legacy.php
index fbb04cf8..112241a8 100644
--- a/src/Users/user_legacy.php
+++ b/src/Users/user_legacy.php
@@ -113,45 +113,6 @@ function user_email_set(int $userId, string $email): bool {
 return $updateMail->execute();
 }
-function user_password_verify_db(int $userId, string $password): bool {
- if($userId < 1) {
- return false;
- }
-
- $fetchPassword = \Misuzu\DB::prepare('
- SELECT `password`
- FROM `msz_users`
- WHERE `user_id` = :user_id
- ');
- $fetchPassword->bind('user_id', $userId);
- $currentPassword = $fetchPassword->fetchColumn(0, '');
-
- return !empty($currentPassword) && password_verify($password, $currentPassword);
-}
-
-// function of the century, only use this if it doesn't make sense to grab data otherwise
-function user_exists(int $userId): bool {
- if($userId < 1) {
- return false;
- }
-
- static $exists = [];
-
- if(isset($exists[$userId])) {
- return $exists[$userId];
- }
-
- $check = \Misuzu\DB::prepare('
- SELECT COUNT(`user_id`) > 0
- FROM `msz_users`
- WHERE `user_id` = :user_id
- ');
-
- $check->bind('user_id', $userId);
-
- return $exists[$userId] = (bool)$check->fetchColumn(0, false);
-}
-
 function user_id_from_username(string $username): int {
 $getId = \Misuzu\DB::prepare('SELECT `user_id` FROM `msz_users` WHERE LOWER(`username`) = LOWER(:username)');
 $getId->bind('username', $username);
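Review bot: The export is now written to a predictable path in the shared temp directory (`$filePath = sys_get_temp_dir() . DIRECTORY_SEPARATOR . $fileName`, where `$fileName` depends only on the user id and the current hour) and the `if(!is_file($filePath))` guard serves whatever already exists at that path without creating it, so a file placed there by another local process, or a partial archive left behind by an earlier failed run, is returned as the user's data export; the removed `tempnam()` call avoided both problems. I would keep `$fileName` for the `Content-Disposition` header only, write to `$filePath = tempnam(sys_get_temp_dir(), 'msz');`, drop the `is_file` reuse, and add `unlink($filePath);` after the `file_get_contents` line, since the archive contains session and chat-token rows and should not sit in the temp directory for an hour. `$currentUser->checkPassword(...)` needs a null guard after `+$currentUser = User::get($currentUserId);` if `User::get` can return null for an unknown or zero id, which the removed `user_password_verify_db` covered with its `$userId < 1` check — I cannot see `User::get` here, so confirm; the `?? ''` on that line is redundant after the `isset($_POST['password'])` on the line above. The `account.php` hunk calls `checkPassword` the same way and needs the same guard. `ZIPARCHIVE::OVERWRITE` resolves because class names are case-insensitive, but should be spelled `ZipArchive::OVERWRITE` to match the `CREATE` beside it.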
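Review bot: `$userExists = empty($userExists);` tests the very variable it assigns, which is undefined at that point, so `$userExists` is always `true`, the next line calls `$userInfo->getUserId()` even when the lookup found nothing, and the `!$userExists` short-circuit in `$canViewImages` never applies; it should test the lookup result, e.g. `$userExists = $userInfo !== null;` (assuming `User::get` returns null for an unknown id — I cannot see it here; if it throws instead, wrap the call and set the same flag). The removed `user_exists()` rejected ids below 1 before touching the database; whether `User::get((int)filter_input(INPUT_GET, 'u', FILTER_SANITIZE_NUMBER_INT))` handles the `0` that a missing or non-numeric `u` yields is worth confirming, since `FILTER_SANITIZE_NUMBER_INT` only strips characters and does not validate.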
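Review bot: Commenting out the `user_password_verify_db` call leaves this auth branch with no effect after the `time() > 1577750400` check, so a request using that method now falls through silently with `$userId` at whatever it was initialised to above the hunk (the enclosing method starts and ends outside it); the two commented lines should be deleted and the branch should state its outcome explicitly, e.g. `return ['success' => false, 'reason' => 'unsupported'];` unconditionally, which also makes the hard-coded cut-off redundant. If the date check has to stay, replace the bare epoch literal with a named constant and a comment naming the date it encodes.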