Adding email verification

* Adding mail verification during account registration * Added new dist file option for mail verification * Added account confirmation page using tokens * Added mail class into user class for password resets * Moved password reset template * Adjusted account registration page * Adjusted user class for email confirmation Also fixed a bug with smarty_cache_key not being used properly if smarty is disabled. Key still needs to be available even if caching is disabled Addresses #330 and prepare the ticket for invitation only system.
2013-07-14 22:17:54 +02:00 · 2013-07-14 22:17:54 +02:00 · 0ede05a6fd
commit 0ede05a6fd
parent 29d5d36a7e
12 changed files with 143 additions and 39 deletions
--- a/public/include/autoloader.inc.php
+++ b/public/include/autoloader.inc.php
@ -22,6 +22,7 @@ require_once(INCLUDE_DIR . '/database.inc.php');
 require_once(INCLUDE_DIR . '/smarty.inc.php');
 // Load classes that need the above as dependencies
 require_once(CLASS_DIR . '/base.class.php');
 require_once(CLASS_DIR . '/mail.class.php');
 require_once(CLASS_DIR . '/tokentype.class.php');
 require_once(CLASS_DIR . '/token.class.php');
 require_once(CLASS_DIR . '/block.class.php');
@ -32,7 +33,6 @@ require_once(CLASS_DIR . '/share.class.php');
 require_once(CLASS_DIR . '/worker.class.php');
 require_once(CLASS_DIR . '/statistics.class.php');
 require_once(CLASS_DIR . '/transaction.class.php');
 require_once(CLASS_DIR . '/mail.class.php');
 require_once(CLASS_DIR . '/notification.class.php');
 require_once(CLASS_DIR . '/news.class.php');
 require_once(INCLUDE_DIR . '/lib/Michelf/Markdown.php');
--- a/public/include/classes/token.class.php
+++ b/public/include/classes/token.class.php
@ -22,7 +22,7 @@ class Token Extends Base {
   * Insert a new token
   * @param name string Name of the variable
   * @param value string Variable value
-   * @return mixed Insert ID on success, false on failure
+   * @return mixed Token string on success, false on failure
   **/
  public function createToken($strType, $account_id=NULL) {
    $strToken = hash('sha256', $account_id.$strType.microtime());
@ -35,7 +35,7 @@ class Token Extends Base {
      VALUES (?, ?, ?)
      ");
    if ($stmt && $stmt->bind_param('sii', $strToken, $iToken_id, $account_id) && $stmt->execute())
-      return $stmt->insert_id;
+      return $strToken;
    $this->setErrorMessage('Unable to create new token');
    $this->debug->append('Failed to create new token in database: ' . $this->mysqli->error);
    return false;
@ -54,7 +54,7 @@ class Token Extends Base {
  }
 }
-$token = new Token();
+$oToken = new Token();
-$token->setDebug($debug);
+$oToken->setDebug($debug);
-$token->setMysql($mysqli);
+$oToken->setMysql($mysqli);
-$token->setTokenType($tokentype);
+$oToken->setTokenType($tokentype);
--- a/public/include/classes/user.class.php
+++ b/public/include/classes/user.class.php
@ -10,16 +10,21 @@ class User {
  private $table = 'accounts';
  private $user = array();
-  public function __construct($debug, $mysqli, $token, $salt, $config) {
+  public function __construct($debug, $mysqli, $salt, $config) {
    $this->debug = $debug;
    $this->mysqli = $mysqli;
    $this->token = $token;
    $this->salt = $salt;
    $this->config = $config;
    $this->debug->append("Instantiated User class", 2);
  }
  // get and set methods
  public function setMail($mail) {
    $this->mail = $mail;
  }
  public function setToken($token) {
    $this->token= $token;
  }
  private function setErrorMessage($msg) {
    $this->sError = $msg;
  }
@ -484,14 +489,16 @@ class User {
      return false;
    }
    if ($this->mysqli->query("SELECT id FROM $this->table LIMIT 1")->num_rows > 0) {
      $this->config['accounts']['confirm_email'] ? $is_locked = 1 : $is_locked = 0;
      $stmt = $this->mysqli->prepare("
        INSERT INTO $this->table (username, pass, email, pin, api_key, is_locked)
        VALUES (?, ?, ?, ?, ?, ?)
        ");
    } else {
      $is_locked = 0;
      $stmt = $this->mysqli->prepare("
        INSERT INTO $this->table (username, pass, email, pin, api_key, is_admin, is_locked)
-        VALUES (?, ?, ?, ?, ?, 1, 0)
+        VALUES (?, ?, ?, ?, ?, 1, ?)
        ");
    }
@ -501,17 +508,29 @@ class User {
    $apikey_hash = $this->getHash($username);
    $username_clean = strip_tags($username);
    //
    $this->config['confirm_email'] ? $is_locked = 1 : $is_locked = 0;
    if ($this->checkStmt($stmt) && $stmt->bind_param('sssssi', $username_clean, $password_hash, $email1, $pin_hash, $apikey_hash, $is_locked) && $stmt->execute()) {
-      if ($this->config['confirm_email']) {
+      if ($this->config['accounts']['confirm_email']) {
-        $this->token->createToken('confirm_email', $stmt->insert_id);
+        if ($token = $this->token->createToken('confirm_email', $stmt->insert_id)) {
          $aData['username'] = $username_clean;
          $aData['token'] = $token;
          $aData['email'] = $email1;
          $aData['subject'] = 'E-Mail verification';
          if (!$this->mail->sendMail('register/confirm_email', $aData)) {
            $this->setErrorMessage('Unable to request email confirmation');
            return false;
          }
          return true;
        } else {
          $this->setErrorMessage('Failed to create confirmation token');
          $this->debug->append('Unable to create confirm_email token: ' . $this->token->getError());
          return false;
        }
      } else {
        return true;
      }
    } else {
      $this->setErrorMessage( 'Unable to register' );
      $this->debug->append('Failed to insert user into DB: ' . $this->mysqli->error);
      if ($stmt->sqlstate == '23000') $this->setErrorMessage( 'Username or email already registered' );
      return false;
    }
@ -548,7 +567,7 @@ class User {
        $this->setErrorMessage('Unable to set new password');
      }
    } else {
-      $this->setErrorMessage('Unable find user for your token');
+      $this->setErrorMessage('Invalid token');
    }
    $this->debug->append('Failed to update password:' . $this->mysqli->error);
    return false;
@ -557,35 +576,26 @@ class User {
  /**
   * Reset a password by sending a password reset mail
   * @param username string Username to reset password for
   * @param smarty object Smarty object for mail templating
   * @return bool
   **/
-  public function initResetPassword($username, $smarty) {
+  public function initResetPassword($username) {
    $this->debug->append("STA " . __METHOD__, 4);
    // Fetch the users mail address
    if (empty($username)) {
      $this->serErrorMessage("Username must not be empty");
      return false;
    }
-    if (!$email = $this->getUserEmail($username)) {
+    if (!$aData['email'] = $this->getUserEmail($username)) {
      $this->setErrorMessage("Unable to find a mail address for user $username");
      return false;
    }
-    if (!$token = $this->token->getToken($this->token->createToken('password_reset', $this->getUserId($username)))) {
+    if (!$aData['token'] = $this->token->createToken('password_reset', $this->getUserId($username))) {
-      $this->setErrorMessage("Unable to setup token for password reset");
+      $this->setErrorMessage('Unable to setup token for password reset');
      return false;
    }
-    $smarty->assign('TOKEN', $token['token']);
+    $aData['username'] = $username;
-    $smarty->assign('USERNAME', $username);
+    $aData['subject'] = 'Password Reset Request';
-    $smarty->assign('SUBJECT', 'Password Reset Request');
+    if ($this->mail->sendMail('password/reset', $aData)) {
    $smarty->assign('WEBSITENAME', $this->config['website']['name']);
    $headers = 'From: Website Administration <' . $this->config['website']['email'] . ">\n";
    $headers .= "MIME-Version: 1.0\n";
    $headers .= "Content-Type: text/html; charset=ISO-8859-1\r\n";
    if (mail($email,
      $smarty->fetch('templates/mail/subject.tpl'),
      $smarty->fetch('templates/mail/body.tpl'),
      $headers)) {
        return true;
      } else {
        $this->setErrorMessage("Unable to send mail to your address");
@ -614,4 +624,6 @@ class User {
 }
 // Make our class available automatically
-$user = new User($debug, $mysqli, $token, SALT, $config);
+$user = new User($debug, $mysqli, SALT, $config);
 $user->setMail($mail);
 $user->setToken($oToken);
--- a/public/include/config/global.inc.dist.php
+++ b/public/include/config/global.inc.dist.php
@ -121,6 +121,23 @@ $config['website']['theme'] = 'mmcFE';
 $config['website']['mobile'] = true;
 $config['website']['mobile_theme'] = 'mobile';
 /**
 * Account specific settings
 *
 * Explanation
 *   You can change some defaults on how accounts are created or registered
 *   By default, all newly created accounts will require an email verificaiton.
 *   Only after acitivating an account the user will be able to login
 *
 *  Options:
 *    confirm_email  :  Send confirmation mail to user after registration
 *
 *  Defaults:
 *    confirm_email  :  true
 *
 **/
 $config['accounts']['confirm_email'] = true;
 /**
 * Some basic access restrictions on some pages
 *
--- a/public/include/pages/account/confirm.inc.php
+++ b/public/include/pages/account/confirm.inc.php
@ -0,0 +1,17 @@
 <?php
 // Make sure we are called from index.php
 if (!defined('SECURITY')) die('Hacking attempt');
 // Confirm an account by token
 if (!isset($_GET['token']) || empty($_GET['token'])) {
  $_SESSION['POPUP'][] = array('CONTENT' => 'Missing token', 'TYPE' => 'errormsg');
 } else if (!$aToken = $oToken->getToken($_GET['token'])) {
  $_SESSION['POPUP'][] = array('CONTENT' => 'Unable to activate your account. Invalid token', 'TYPE' => 'errormsg');
 } else {
  $user->changeLocked($aToken['account_id']);
  $oToken->deleteToken($aToken['token']);
  $_SESSION['POPUP'][] = array('CONTENT' => 'Account activated. Please login.');
 }
 $smarty->assign('CONTENT', 'default.tpl');
 ?>
--- a/public/include/pages/password/change.inc.php
+++ b/public/include/pages/password/change.inc.php
@ -11,7 +11,7 @@ if ($_POST['do'] == 'resetPassword') {
    $_SESSION['POPUP'][] = array('CONTENT' => $user->getError(), 'TYPE' => 'errormsg');
  }
 }
 // Tempalte specifics
 $smarty->assign("CONTENT", "default.tpl");
 ?>
--- a/public/include/pages/register/register.inc.php
+++ b/public/include/pages/register/register.inc.php
@ -20,7 +20,7 @@ if($config['recaptcha']['enabled'] && $_POST["recaptcha_response_field"] && $_PO
    if ($setting->getValue('lock_registration')) {
      $_SESSION['POPUP'][] = array('CONTENT' => 'Account registration is currently disabled. Please try again later.', 'TYPE' => 'errormsg');
    } else if ($user->register($_POST['username'], $_POST['password1'], $_POST['password2'], $_POST['pin'], $_POST['email1'], $_POST['email2']) && !$setting->getValue('lock_registration')) {
-      $_SESSION['POPUP'][] = array('CONTENT' => 'Account created, please login');
+      $config['accounts']['confirm_email'] ? $_SESSION['POPUP'][] = array('CONTENT' => 'Please check your mailbox to activate this account') : $_SESSION['POPUP'][] = array('CONTENT' => 'Account created, please login');
    } else {
      $_SESSION['POPUP'][] = array('CONTENT' => 'Unable to create account: ' . $user->getError(), 'TYPE' => 'errormsg');
    }
@ -37,7 +37,7 @@ if($config['recaptcha']['enabled'] && $_POST["recaptcha_response_field"] && $_PO
  if ($setting->getValue('lock_registration')) {
    $_SESSION['POPUP'][] = array('CONTENT' => 'Account registration is currently disabled. Please try again later.', 'TYPE' => 'errormsg');
  } else if ($user->register($_POST['username'], $_POST['password1'], $_POST['password2'], $_POST['pin'], $_POST['email1'], $_POST['email2']) && !$setting->getValue('lock_registration')) {
-    $_SESSION['POPUP'][] = array('CONTENT' => 'Account created, please login');
+    $config['accounts']['confirm_email'] ? $_SESSION['POPUP'][] = array('CONTENT' => 'Please check your mailbox to activate this account') : $_SESSION['POPUP'][] = array('CONTENT' => 'Account created, please login');
  } else {
    $_SESSION['POPUP'][] = array('CONTENT' => 'Unable to create account: ' . $user->getError(), 'TYPE' => 'errormsg');
  }
--- a/public/include/smarty.inc.php
+++ b/public/include/smarty.inc.php
@ -18,6 +18,7 @@ $smarty = new Smarty;
 $debug->append('Define Smarty Paths', 3);
 $smarty->template_dir = BASEPATH . 'templates/' . THEME . '/';
 $smarty->compile_dir = BASEPATH . 'templates/compile/';
 $smarty_cache_key = md5(serialize($_REQUEST) . serialize(@$_SESSION['USERDATA']['id']));
 // Optional smarty caching, check Smarty documentation for details
 if ($config['smarty']['cache']) {
@ -26,6 +27,5 @@ if ($config['smarty']['cache']) {
  $smarty->cache_lifetime = $config['smarty']['cache_lifetime'];
  $smarty->cache_dir = BASEPATH . "templates/cache";
  $smarty->use_sub_dirs = true;
  $smarty_cache_key = md5(serialize($_REQUEST) . serialize(@$_SESSION['USERDATA']['id']));
 }
 ?>
--- a/public/templates/mail/password/reset.tpl
+++ b/public/templates/mail/password/reset.tpl
@ -1,8 +1,8 @@
 <html>
 <body>
-<p>Hello {$USERNAME},</p><br />
+<p>Hello {$DATA.username},</p><br />
 <p>You have requested a password reset through our online form. In order to complete the request please follow this link:</p>
-<p>http://{$smarty.server.SERVER_NAME}{$smarty.server.PHP_SELF}?page=password&action=change&token={$TOKEN}</p>
+<p>http://{$smarty.server.SERVER_NAME}{$smarty.server.PHP_SELF}?page=password&action=change&token={$DATA.token}</p>
 <p>You will be asked to change your password. You can then use this new password to login to your account.</p>
 <p>Cheers,</p>
 <p>Website Administration</p>
--- a/public/templates/mail/register/confirm_email.tpl
+++ b/public/templates/mail/register/confirm_email.tpl
@ -0,0 +1,10 @@
 <html>
 <body>
 <p>Hello {$DATA.username},</p><br />
 <p>You have create a new account. In order to complete the registration process please follow this link:</p>
 <p>http://{$smarty.server.SERVER_NAME}{$smarty.server.PHP_SELF}?page=account&action=confirm&token={$DATA.token}</p>
 <p></p>
 <p>Cheers,</p>
 <p>Website Administration</p>
 </body>
 </html>
--- a/public/templates/mmcFE/account/confirm/default.tpl
+++ b/public/templates/mmcFE/account/confirm/default.tpl
@ -0,0 +1 @@
--- a/sql/004_tokens.sql
+++ b/sql/004_tokens.sql
@ -0,0 +1,47 @@
 SET SQL_MODE="NO_AUTO_VALUE_ON_ZERO";
 SET time_zone = "+00:00";
 /*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
 /*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */;
 /*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */;
 /*!40101 SET NAMES utf8 */;
 CREATE TABLE IF NOT EXISTS `tokens` (
  `id` int(11) unsigned NOT NULL AUTO_INCREMENT,
  `account_id` int(11) NOT NULL,
  `token` varchar(65) NOT NULL,
  `type` tinyint(4) NOT NULL,
  `time` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP,
  PRIMARY KEY (`id`),
  UNIQUE KEY `token` (`token`),
  KEY `account_id` (`account_id`)
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8;
 /*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */;
 /*!40101 SET CHARACTER_SET_RESULTS=@OLD_CHARACTER_SET_RESULTS */;
 /*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */;
 SET SQL_MODE="NO_AUTO_VALUE_ON_ZERO";
 SET time_zone = "+00:00";
 /*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
 /*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */;
 /*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */;
 /*!40101 SET NAMES utf8 */;
 CREATE TABLE IF NOT EXISTS `token_types` (
  `id` tinyint(4) unsigned NOT NULL AUTO_INCREMENT,
  `name` varchar(25) NOT NULL,
  PRIMARY KEY (`id`)
 ) ENGINE=InnoDB  DEFAULT CHARSET=utf8 AUTO_INCREMENT=3 ;
 INSERT INTO `token_types` (`id`, `name`) VALUES
 (1, 'password_reset'),
 (2, 'confirm_email');
 /*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */;
 /*!40101 SET CHARACTER_SET_RESULTS=@OLD_CHARACTER_SET_RESULTS */;
 /*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */;
 ALTER TABLE `accounts` DROP `token`;