misuzu/public-legacy/settings/account.php

<?php
namespace Misuzu;

use RuntimeException;
use Misuzu\Users\{User,UserPasswordsData};
use chillerlan\QRCode\QRCode;
use chillerlan\QRCode\QROptions;

if(!isset($msz) || !($msz instanceof \Misuzu\MisuzuContext))
    die('Script must be called through the Misuzu route dispatcher.');

if(!$msz->authInfo->loggedIn)
    Template::throwError(401);

$errors = [];
$userInfo = $msz->authInfo->userInfo;
$isRestricted = $msz->usersCtx->hasActiveBan($userInfo);
$hasTotp = $msz->usersCtx->totps->hasUserTotp($userInfo);
$isVerifiedRequest = CSRF::validateRequest();

if(!$isRestricted && $isVerifiedRequest && !empty($_POST['role'])) {
    try {
        $roleInfo = $msz->usersCtx->roles->getRole(($_POST['role']['id'] ?? 0));
    } catch(RuntimeException $ex) {}

    if(empty($roleInfo) || !$msz->usersCtx->users->hasRole($userInfo, $roleInfo))
        $errors[] = "You're trying to modify a role that hasn't been assigned to you.";
    else {
        switch($_POST['role']['mode'] ?? '') {
            case 'display':
                $msz->usersCtx->users->updateUser(
                    $userInfo,
                    displayRoleInfo: $roleInfo
                );
                break;

            case 'leave':
                if($roleInfo->leavable) {
                    $msz->usersCtx->users->removeRoles($userInfo, $roleInfo);
                    $msz->perms->precalculatePermissions(
                        $msz->forumCtx->categories,
                        [$userInfo->id]
                    );
                } else
                    $errors[] = "You're not allow to leave this role, an administrator has to remove it for you.";
                break;
        }
    }
}

if($isVerifiedRequest && isset($_POST['tfa']['enable']) && $msz->usersCtx->totps->hasUserTotp($userInfo) !== (bool)$_POST['tfa']['enable']) {
    if((bool)$_POST['tfa']['enable']) {
        $totpInfo = $msz->usersCtx->totps->updateUserTotp($userInfo);
        $totpSecret = $totpInfo->encodedSecret;
        $totpIssuer = $msz->siteInfo->name;
        $totpQrcode = (new QRCode(new QROptions([
            'version'    => 5,
            'outputType' => QRCode::OUTPUT_IMAGE_JPG,
            'eccLevel'   => QRCode::ECC_L,
        ])))->render(sprintf('otpauth://totp/%s:%s?%s', $totpIssuer, $userInfo->name, http_build_query([
            'secret' => $totpSecret,
            'issuer' => $totpIssuer,
        ])));

        $hasTotp = true;
        Template::set([
            'settings_2fa_code' => $totpSecret,
            'settings_2fa_image' => $totpQrcode,
        ]);
    } else {
        $hasTotp = false;
        $msz->usersCtx->totps->deleteUserTotp($userInfo);
    }
}

if($isVerifiedRequest && !empty($_POST['current_password'])) {
    if(!$msz->usersCtx->passwords->getUserPassword($userInfo)?->verifyPassword($_POST['current_password'] ?? '')) {
        $errors[] = 'Your password was incorrect.';
    } else {
        // Changing e-mail
        if(!empty($_POST['email']['new'])) {
            if(empty($_POST['email']['confirm']) || $_POST['email']['new'] !== $_POST['email']['confirm']) {
                $errors[] = 'The addresses you entered did not match each other.';
            } elseif($userInfo->emailAddress === mb_strtolower($_POST['email']['confirm'])) {
                $errors[] = 'This is already your e-mail address!';
            } else {
                $checkMail = $msz->usersCtx->users->validateEMailAddress($_POST['email']['new']);

                if($checkMail !== '') {
                    $errors[] = $msz->usersCtx->users->validateEMailAddressText($checkMail);
                } else {
                    $msz->usersCtx->users->updateUser(userInfo: $userInfo, emailAddr: $_POST['email']['new']);
                    $msz->createAuditLog('PERSONAL_EMAIL_CHANGE', [$_POST['email']['new']]);
                }
            }
        }

        // Changing password
        if(!empty($_POST['password']['new'])) {
            if(empty($_POST['password']['confirm']) || $_POST['password']['new'] !== $_POST['password']['confirm']) {
                $errors[] = 'The new passwords you entered did not match each other.';
            } else {
                $checkPassword = UserPasswordsData::validateUserPassword($_POST['password']['new']);

                if($checkPassword !== '') {
                    $errors[] = UserPasswordsData::validateUserPasswordText($checkPassword);
                } else {
                    $msz->usersCtx->passwords->updateUserPassword($userInfo, $_POST['password']['new']);
                    $msz->createAuditLog('PERSONAL_PASSWORD_CHANGE');
                }
            }
        }
    }
}

// reload $userInfo object
if($_SERVER['REQUEST_METHOD'] === 'POST' && $isVerifiedRequest)
    $userInfo = $msz->usersCtx->users->getUser($userInfo->id, 'id');

$userRoles = iterator_to_array($msz->usersCtx->roles->getRoles(userInfo: $userInfo));

Template::render('settings.account', [
    'errors' => $errors,
    'settings_user' => $userInfo,
    'settings_roles' => $userRoles,
    'is_restricted' => $isRestricted,
    'has_totp' => $hasTotp,
]);