Adding email verification

* Adding mail verification during account registration * Added new dist file option for mail verification * Added account confirmation page using tokens * Added mail class into user class for password resets * Moved password reset template * Adjusted account registration page * Adjusted user class for email confirmation Also fixed a bug with smarty_cache_key not being used properly if smarty is disabled. Key still needs to be available even if caching is disabled Addresses #330 and prepare the ticket for invitation only system.
2013-07-14 22:17:54 +02:00 · 2013-07-14 22:17:54 +02:00 · 0ede05a6fd
commit 0ede05a6fd
parent 29d5d36a7e
12 changed files with 143 additions and 39 deletions
--- a/public/include/autoloader.inc.php
+++ b/public/include/autoloader.inc.php
@ -22,6 +22,7 @@ require_once(INCLUDE_DIR . '/database.inc.php');
 require_once(INCLUDE_DIR . '/smarty.inc.php');
 // Load classes that need the above as dependencies
 require_once(CLASS_DIR . '/base.class.php');
+require_once(CLASS_DIR . '/mail.class.php');
 require_once(CLASS_DIR . '/tokentype.class.php');
 require_once(CLASS_DIR . '/token.class.php');
 require_once(CLASS_DIR . '/block.class.php');
@ -32,7 +33,6 @@ require_once(CLASS_DIR . '/share.class.php');
 require_once(CLASS_DIR . '/worker.class.php');
 require_once(CLASS_DIR . '/statistics.class.php');
 require_once(CLASS_DIR . '/transaction.class.php');
-require_once(CLASS_DIR . '/mail.class.php');
 require_once(CLASS_DIR . '/notification.class.php');
 require_once(CLASS_DIR . '/news.class.php');
 require_once(INCLUDE_DIR . '/lib/Michelf/Markdown.php');
--- a/public/include/classes/token.class.php
+++ b/public/include/classes/token.class.php
@ -22,7 +22,7 @@ class Token Extends Base {
   * Insert a new token
   * @param name string Name of the variable
   * @param value string Variable value
-   * @return mixed Insert ID on success, false on failure
+   * @return mixed Token string on success, false on failure
   **/
  public function createToken($strType, $account_id=NULL) {
    $strToken = hash('sha256', $account_id.$strType.microtime());
@ -35,7 +35,7 @@ class Token Extends Base {
      VALUES (?, ?, ?)
      ");
    if ($stmt && $stmt->bind_param('sii', $strToken, $iToken_id, $account_id) && $stmt->execute())
-      return $stmt->insert_id;
+      return $strToken;
    $this->setErrorMessage('Unable to create new token');
    $this->debug->append('Failed to create new token in database: ' . $this->mysqli->error);
    return false;
@ -54,7 +54,7 @@ class Token Extends Base {
  }
 }

-$token = new Token();
-$token->setDebug($debug);
-$token->setMysql($mysqli);
-$token->setTokenType($tokentype);
+$oToken = new Token();
+$oToken->setDebug($debug);
+$oToken->setMysql($mysqli);
+$oToken->setTokenType($tokentype);
--- a/public/include/classes/user.class.php
+++ b/public/include/classes/user.class.php
@ -10,16 +10,21 @@ class User {
  private $table = 'accounts';
  private $user = array();

-  public function __construct($debug, $mysqli, $token, $salt, $config) {
+  public function __construct($debug, $mysqli, $salt, $config) {
    $this->debug = $debug;
    $this->mysqli = $mysqli;
-    $this->token = $token;
    $this->salt = $salt;
    $this->config = $config;
    $this->debug->append("Instantiated User class", 2);
  }

  // get and set methods
+  public function setMail($mail) {
+    $this->mail = $mail;
+  }
+  public function setToken($token) {
+    $this->token= $token;
+  }
  private function setErrorMessage($msg) {
    $this->sError = $msg;
  }
@ -484,14 +489,16 @@ class User {
      return false;
    }
    if ($this->mysqli->query("SELECT id FROM $this->table LIMIT 1")->num_rows > 0) {
+      $this->config['accounts']['confirm_email'] ? $is_locked = 1 : $is_locked = 0;
      $stmt = $this->mysqli->prepare("
        INSERT INTO $this->table (username, pass, email, pin, api_key, is_locked)
        VALUES (?, ?, ?, ?, ?, ?)
        ");
    } else {
+      $is_locked = 0;
      $stmt = $this->mysqli->prepare("
        INSERT INTO $this->table (username, pass, email, pin, api_key, is_admin, is_locked)
-        VALUES (?, ?, ?, ?, ?, 1, 0)
+        VALUES (?, ?, ?, ?, ?, 1, ?)
        ");
    }

@ -501,17 +508,29 @@ class User {
    $apikey_hash = $this->getHash($username);
    $username_clean = strip_tags($username);

-    //
-    $this->config['confirm_email'] ? $is_locked = 1 : $is_locked = 0;
-
    if ($this->checkStmt($stmt) && $stmt->bind_param('sssssi', $username_clean, $password_hash, $email1, $pin_hash, $apikey_hash, $is_locked) && $stmt->execute()) {
-      if ($this->config['confirm_email']) {
-        $this->token->createToken('confirm_email', $stmt->insert_id);
+      if ($this->config['accounts']['confirm_email']) {
+        if ($token = $this->token->createToken('confirm_email', $stmt->insert_id)) {
+          $aData['username'] = $username_clean;
+          $aData['token'] = $token;
+          $aData['email'] = $email1;
+          $aData['subject'] = 'E-Mail verification';
+          if (!$this->mail->sendMail('register/confirm_email', $aData)) {
+            $this->setErrorMessage('Unable to request email confirmation');
+            return false;
+          }
+          return true;
+        } else {
+          $this->setErrorMessage('Failed to create confirmation token');
+          $this->debug->append('Unable to create confirm_email token: ' . $this->token->getError());
+          return false;
+        }
      } else {
        return true;
      }
    } else {
      $this->setErrorMessage( 'Unable to register' );
+      $this->debug->append('Failed to insert user into DB: ' . $this->mysqli->error);
      if ($stmt->sqlstate == '23000') $this->setErrorMessage( 'Username or email already registered' );
      return false;
    }
@ -548,7 +567,7 @@ class User {
        $this->setErrorMessage('Unable to set new password');
      }
    } else {
-      $this->setErrorMessage('Unable find user for your token');
+      $this->setErrorMessage('Invalid token');
    }
    $this->debug->append('Failed to update password:' . $this->mysqli->error);
    return false;
@ -557,35 +576,26 @@ class User {
  /**
   * Reset a password by sending a password reset mail
   * @param username string Username to reset password for
-   * @param smarty object Smarty object for mail templating
   * @return bool
   **/
-  public function initResetPassword($username, $smarty) {
+  public function initResetPassword($username) {
    $this->debug->append("STA " . __METHOD__, 4);
    // Fetch the users mail address
    if (empty($username)) {
      $this->serErrorMessage("Username must not be empty");
      return false;
    }
-    if (!$email = $this->getUserEmail($username)) {
+    if (!$aData['email'] = $this->getUserEmail($username)) {
      $this->setErrorMessage("Unable to find a mail address for user $username");
      return false;
    }
-    if (!$token = $this->token->getToken($this->token->createToken('password_reset', $this->getUserId($username)))) {
-      $this->setErrorMessage("Unable to setup token for password reset");
+    if (!$aData['token'] = $this->token->createToken('password_reset', $this->getUserId($username))) {
+      $this->setErrorMessage('Unable to setup token for password reset');
      return false;
    }
-    $smarty->assign('TOKEN', $token['token']);
-    $smarty->assign('USERNAME', $username);
-    $smarty->assign('SUBJECT', 'Password Reset Request');
-    $smarty->assign('WEBSITENAME', $this->config['website']['name']);
-    $headers = 'From: Website Administration <' . $this->config['website']['email'] . ">\n";
-    $headers .= "MIME-Version: 1.0\n";
-    $headers .= "Content-Type: text/html; charset=ISO-8859-1\r\n";
-    if (mail($email,
-      $smarty->fetch('templates/mail/subject.tpl'),
-      $smarty->fetch('templates/mail/body.tpl'),
-      $headers)) {
+    $aData['username'] = $username;
+    $aData['subject'] = 'Password Reset Request';
+    if ($this->mail->sendMail('password/reset', $aData)) {
        return true;
      } else {
        $this->setErrorMessage("Unable to send mail to your address");
@ -614,4 +624,6 @@ class User {
 }

 // Make our class available automatically
-$user = new User($debug, $mysqli, $token, SALT, $config);
+$user = new User($debug, $mysqli, SALT, $config);
+$user->setMail($mail);
+$user->setToken($oToken);
--- a/public/include/config/global.inc.dist.php
+++ b/public/include/config/global.inc.dist.php
@ -121,6 +121,23 @@ $config['website']['theme'] = 'mmcFE';
 $config['website']['mobile'] = true;
 $config['website']['mobile_theme'] = 'mobile';

+/**
+ * Account specific settings
+ *
+ * Explanation
+ *   You can change some defaults on how accounts are created or registered
+ *   By default, all newly created accounts will require an email verificaiton.
+ *   Only after acitivating an account the user will be able to login
+ *
+ *  Options:
+ *    confirm_email  :  Send confirmation mail to user after registration
+ *
+ *  Defaults:
+ *    confirm_email  :  true
+ *
+ **/
+$config['accounts']['confirm_email'] = true;
+
 /**
 * Some basic access restrictions on some pages
 *
--- a/public/include/pages/account/confirm.inc.php
+++ b/public/include/pages/account/confirm.inc.php
@ -0,0 +1,17 @@
+<?php
+
+// Make sure we are called from index.php
+if (!defined('SECURITY')) die('Hacking attempt');
+
+// Confirm an account by token
+if (!isset($_GET['token']) || empty($_GET['token'])) {
+  $_SESSION['POPUP'][] = array('CONTENT' => 'Missing token', 'TYPE' => 'errormsg');
+} else if (!$aToken = $oToken->getToken($_GET['token'])) {
+  $_SESSION['POPUP'][] = array('CONTENT' => 'Unable to activate your account. Invalid token', 'TYPE' => 'errormsg');
+} else {
+  $user->changeLocked($aToken['account_id']);
+  $oToken->deleteToken($aToken['token']);
+  $_SESSION['POPUP'][] = array('CONTENT' => 'Account activated. Please login.');
+}
+$smarty->assign('CONTENT', 'default.tpl');
+?>
--- a/public/include/pages/password/change.inc.php
+++ b/public/include/pages/password/change.inc.php
@ -11,7 +11,7 @@ if ($_POST['do'] == 'resetPassword') {
    $_SESSION['POPUP'][] = array('CONTENT' => $user->getError(), 'TYPE' => 'errormsg');
  }
 }
-
 // Tempalte specifics
 $smarty->assign("CONTENT", "default.tpl");
+
 ?>
--- a/public/include/pages/register/register.inc.php
+++ b/public/include/pages/register/register.inc.php
@ -20,7 +20,7 @@ if($config['recaptcha']['enabled'] && $_POST["recaptcha_response_field"] && $_PO
    if ($setting->getValue('lock_registration')) {
      $_SESSION['POPUP'][] = array('CONTENT' => 'Account registration is currently disabled. Please try again later.', 'TYPE' => 'errormsg');
    } else if ($user->register($_POST['username'], $_POST['password1'], $_POST['password2'], $_POST['pin'], $_POST['email1'], $_POST['email2']) && !$setting->getValue('lock_registration')) {
-      $_SESSION['POPUP'][] = array('CONTENT' => 'Account created, please login');
+      $config['accounts']['confirm_email'] ? $_SESSION['POPUP'][] = array('CONTENT' => 'Please check your mailbox to activate this account') : $_SESSION['POPUP'][] = array('CONTENT' => 'Account created, please login');
    } else {
      $_SESSION['POPUP'][] = array('CONTENT' => 'Unable to create account: ' . $user->getError(), 'TYPE' => 'errormsg');
    }
@ -37,7 +37,7 @@ if($config['recaptcha']['enabled'] && $_POST["recaptcha_response_field"] && $_PO
  if ($setting->getValue('lock_registration')) {
    $_SESSION['POPUP'][] = array('CONTENT' => 'Account registration is currently disabled. Please try again later.', 'TYPE' => 'errormsg');
  } else if ($user->register($_POST['username'], $_POST['password1'], $_POST['password2'], $_POST['pin'], $_POST['email1'], $_POST['email2']) && !$setting->getValue('lock_registration')) {
-    $_SESSION['POPUP'][] = array('CONTENT' => 'Account created, please login');
+    $config['accounts']['confirm_email'] ? $_SESSION['POPUP'][] = array('CONTENT' => 'Please check your mailbox to activate this account') : $_SESSION['POPUP'][] = array('CONTENT' => 'Account created, please login');
  } else {
    $_SESSION['POPUP'][] = array('CONTENT' => 'Unable to create account: ' . $user->getError(), 'TYPE' => 'errormsg');
  }
--- a/public/include/smarty.inc.php
+++ b/public/include/smarty.inc.php
@ -18,6 +18,7 @@ $smarty = new Smarty;
 $debug->append('Define Smarty Paths', 3);
 $smarty->template_dir = BASEPATH . 'templates/' . THEME . '/';
 $smarty->compile_dir = BASEPATH . 'templates/compile/';
+$smarty_cache_key = md5(serialize($_REQUEST) . serialize(@$_SESSION['USERDATA']['id']));

 // Optional smarty caching, check Smarty documentation for details
 if ($config['smarty']['cache']) {
@ -26,6 +27,5 @@ if ($config['smarty']['cache']) {
  $smarty->cache_lifetime = $config['smarty']['cache_lifetime'];
  $smarty->cache_dir = BASEPATH . "templates/cache";
  $smarty->use_sub_dirs = true;
-  $smarty_cache_key = md5(serialize($_REQUEST) . serialize(@$_SESSION['USERDATA']['id']));
 }
 ?>
--- a/public/templates/mail/password/reset.tpl
+++ b/public/templates/mail/password/reset.tpl
@ -1,8 +1,8 @@
 <html>
 <body>
-<p>Hello {$USERNAME},</p><br />
+<p>Hello {$DATA.username},</p><br />
 <p>You have requested a password reset through our online form. In order to complete the request please follow this link:</p>
-<p>http://{$smarty.server.SERVER_NAME}{$smarty.server.PHP_SELF}?page=password&action=change&token={$TOKEN}</p>
+<p>http://{$smarty.server.SERVER_NAME}{$smarty.server.PHP_SELF}?page=password&action=change&token={$DATA.token}</p>
 <p>You will be asked to change your password. You can then use this new password to login to your account.</p>
 <p>Cheers,</p>
 <p>Website Administration</p>
--- a/public/templates/mail/register/confirm_email.tpl
+++ b/public/templates/mail/register/confirm_email.tpl
@ -0,0 +1,10 @@
+<html>
+<body>
+<p>Hello {$DATA.username},</p><br />
+<p>You have create a new account. In order to complete the registration process please follow this link:</p>
+<p>http://{$smarty.server.SERVER_NAME}{$smarty.server.PHP_SELF}?page=account&action=confirm&token={$DATA.token}</p>
+<p></p>
+<p>Cheers,</p>
+<p>Website Administration</p>
+</body>
+</html>
--- a/public/templates/mmcFE/account/confirm/default.tpl
+++ b/public/templates/mmcFE/account/confirm/default.tpl
@ -0,0 +1 @@
+
--- a/sql/004_tokens.sql
+++ b/sql/004_tokens.sql
@ -0,0 +1,47 @@
+SET SQL_MODE="NO_AUTO_VALUE_ON_ZERO";
+SET time_zone = "+00:00";
+
+/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
+/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */;
+/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */;
+/*!40101 SET NAMES utf8 */;
+
+
+CREATE TABLE IF NOT EXISTS `tokens` (
+  `id` int(11) unsigned NOT NULL AUTO_INCREMENT,
+  `account_id` int(11) NOT NULL,
+  `token` varchar(65) NOT NULL,
+  `type` tinyint(4) NOT NULL,
+  `time` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP,
+  PRIMARY KEY (`id`),
+  UNIQUE KEY `token` (`token`),
+  KEY `account_id` (`account_id`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+/*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */;
+/*!40101 SET CHARACTER_SET_RESULTS=@OLD_CHARACTER_SET_RESULTS */;
+/*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */;
+SET SQL_MODE="NO_AUTO_VALUE_ON_ZERO";
+SET time_zone = "+00:00";
+
+/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
+/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */;
+/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */;
+/*!40101 SET NAMES utf8 */;
+
+
+CREATE TABLE IF NOT EXISTS `token_types` (
+  `id` tinyint(4) unsigned NOT NULL AUTO_INCREMENT,
+  `name` varchar(25) NOT NULL,
+  PRIMARY KEY (`id`)
+) ENGINE=InnoDB  DEFAULT CHARSET=utf8 AUTO_INCREMENT=3 ;
+
+INSERT INTO `token_types` (`id`, `name`) VALUES
+(1, 'password_reset'),
+(2, 'confirm_email');
+
+/*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */;
+/*!40101 SET CHARACTER_SET_RESULTS=@OLD_CHARACTER_SET_RESULTS */;
+/*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */;
+
+ALTER TABLE `accounts` DROP `token`;