more strict user validation & registration
This commit is contained in:
parent
d97af84b3f
commit
a0a77d6748
51
account.php
51
account.php
@ -3,17 +3,37 @@ require_once('connection/SQL.php');
|
|||||||
require_once('config.php');
|
require_once('config.php');
|
||||||
require_once('include/view.php');
|
require_once('include/view.php');
|
||||||
require_once('include/security.php');
|
require_once('include/security.php');
|
||||||
|
require_once('include/user.php');
|
||||||
|
|
||||||
|
$user = validate_user();
|
||||||
|
if (!$user->valid) {
|
||||||
|
http_response_code(403);
|
||||||
|
header("Location: index.php?err=account");
|
||||||
|
exit;
|
||||||
|
}
|
||||||
|
|
||||||
if (isset($_POST['username']) && trim($_POST['username']) != "" && isset($_POST['password']) && isset($_POST['name']) && isset($_POST['email'])) {
|
if (isset($_POST['username']) && trim($_POST['username']) != "" && isset($_POST['password']) && isset($_POST['name']) && isset($_POST['email'])) {
|
||||||
// create new account
|
// create new account
|
||||||
|
if (!$blog['register']) {
|
||||||
|
http_response_code(403);
|
||||||
|
header('axios-location: account.php');
|
||||||
|
exit;
|
||||||
|
}
|
||||||
|
|
||||||
if (!validate_csrf()) {
|
if (!validate_csrf()) {
|
||||||
http_response_code(403);
|
http_response_code(403);
|
||||||
header('axios-location: account.php?new');
|
header('axios-location: account.php?new');
|
||||||
exit;
|
exit;
|
||||||
}
|
}
|
||||||
|
|
||||||
$username = $_POST['username'];
|
$username = $_POST['username'];
|
||||||
$exist = cavern_query_result("SELECT * FROM `user` WHERE `username`='%s' OR `email`='%s'", array($username, $_POST["email"]))['num_rows'];
|
try {
|
||||||
if ($exist == 0) {
|
$target_user = new User($username);
|
||||||
|
|
||||||
|
http_response_code(409); // 409 Conflict
|
||||||
|
header('axios-location: account.php?new&err=used');
|
||||||
|
exit;
|
||||||
|
} catch (NoUserException $e) {
|
||||||
if (preg_match('/^[a-z][a-z0-9\_\-]*$/', $username) && strlen($username) <= 20 && strlen($_POST['name']) <= 40 && filter_var($_POST['email'], FILTER_VALIDATE_EMAIL)) {
|
if (preg_match('/^[a-z][a-z0-9\_\-]*$/', $username) && strlen($username) <= 20 && strlen($_POST['name']) <= 40 && filter_var($_POST['email'], FILTER_VALIDATE_EMAIL)) {
|
||||||
$SQL->query("INSERT INTO `user` (`username`, `pwd`, `name`, `email`) VALUES ('%s', '%s', '%s', '%s')", array($username, cavern_password_hash($_POST['password'], $username), htmlspecialchars($_POST['name']), $_POST['email']));
|
$SQL->query("INSERT INTO `user` (`username`, `pwd`, `name`, `email`) VALUES ('%s', '%s', '%s', '%s')", array($username, cavern_password_hash($_POST['password'], $username), htmlspecialchars($_POST['name']), $_POST['email']));
|
||||||
header('axios-location: index.php?ok=reg');
|
header('axios-location: index.php?ok=reg');
|
||||||
@ -22,12 +42,8 @@ if (isset($_POST['username']) && trim($_POST['username']) != "" && isset($_POST[
|
|||||||
header('axios-location: index.php?err=miss');
|
header('axios-location: index.php?err=miss');
|
||||||
}
|
}
|
||||||
exit;
|
exit;
|
||||||
} else {
|
|
||||||
http_response_code(409); // 409 Conflict
|
|
||||||
header('axios-location: account.php?new&err=used');
|
|
||||||
exit;
|
|
||||||
}
|
}
|
||||||
} else if (isset($_SESSION['cavern_username']) && isset($_POST['username']) && isset($_POST['old']) && (isset($_POST['name']) || isset($_POST['new']))) {
|
} else if ($user->islogin && isset($_POST['username']) && isset($_POST['old']) && (isset($_POST['name']) || isset($_POST['new']))) {
|
||||||
// modify account data
|
// modify account data
|
||||||
if (!validate_csrf()) {
|
if (!validate_csrf()) {
|
||||||
http_response_code(403);
|
http_response_code(403);
|
||||||
@ -35,7 +51,7 @@ if (isset($_POST['username']) && trim($_POST['username']) != "" && isset($_POST[
|
|||||||
exit;
|
exit;
|
||||||
}
|
}
|
||||||
$username = $_POST['username'];
|
$username = $_POST['username'];
|
||||||
if ($username != $_SESSION['cavern_username']) {
|
if ($username !== $user->username) {
|
||||||
// not the same person
|
// not the same person
|
||||||
http_response_code(403);
|
http_response_code(403);
|
||||||
header('axios-location: account.php?err=edit');
|
header('axios-location: account.php?err=edit');
|
||||||
@ -77,11 +93,11 @@ if (isset($_POST['username']) && trim($_POST['username']) != "" && isset($_POST[
|
|||||||
exit;
|
exit;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
} else if (!isset($_SESSION['cavern_username']) && !isset($_GET['new'])) {
|
} else if (!$user->islogin && !isset($_GET['new'])) {
|
||||||
// if mode isn't definded, redirect to register page
|
// if mode isn't defined, redirect to register page
|
||||||
header('Location: account.php?new');
|
header('Location: account.php?new');
|
||||||
exit;
|
exit;
|
||||||
} else if (isset($_SESSION['cavern_username']) && isset($_GET['new'])) {
|
} else if ($user->islogin && isset($_GET['new'])) {
|
||||||
// if someone is logged in, then redirect to account setting page
|
// if someone is logged in, then redirect to account setting page
|
||||||
header('Location: account.php');
|
header('Location: account.php');
|
||||||
exit;
|
exit;
|
||||||
@ -141,11 +157,6 @@ if (isset($_GET['new'])) {
|
|||||||
$view->render();
|
$view->render();
|
||||||
} else {
|
} else {
|
||||||
// edit account data
|
// edit account data
|
||||||
$username = $_SESSION['cavern_username'];
|
|
||||||
$result = cavern_query_result("SELECT * FROM `user` WHERE `username`='%s'", array($username));
|
|
||||||
$name = $result['row']['name'];
|
|
||||||
$email = $result['row']['email'];
|
|
||||||
|
|
||||||
$view = new View('theme/default.html', 'theme/nav/util.php', 'theme/sidebar.php', $blog['name'], "帳號");
|
$view = new View('theme/default.html', 'theme/nav/util.php', 'theme/sidebar.php', $blog['name'], "帳號");
|
||||||
$view->add_script_source("ts('.ts.dropdown').dropdown();");
|
$view->add_script_source("ts('.ts.dropdown').dropdown();");
|
||||||
$view->add_script("./include/js/security.js");
|
$view->add_script("./include/js/security.js");
|
||||||
@ -180,25 +191,25 @@ if (isset($_GET['new'])) {
|
|||||||
<div class="six wide field">
|
<div class="six wide field">
|
||||||
<label>頭貼</label>
|
<label>頭貼</label>
|
||||||
<div class="ts center aligned flatted borderless segment">
|
<div class="ts center aligned flatted borderless segment">
|
||||||
<img src="https://www.gravatar.com/avatar/<?= md5(strtolower($email)) ?>?d=https%3A%2F%2Ftocas-ui.com%2Fassets%2Fimg%2F5e5e3a6.png&s=500" class="ts rounded image" id="avatar">
|
<img src="https://www.gravatar.com/avatar/<?= md5(strtolower($user->email)) ?>?d=https%3A%2F%2Ftocas-ui.com%2Fassets%2Fimg%2F5e5e3a6.png&s=500" class="ts rounded image" id="avatar">
|
||||||
</div>
|
</div>
|
||||||
<div data-tooltip="請透過電子信箱更換頭貼" data-tooltip-position="bottom right" class="ts top right attached label avatar tooltip">?</div>
|
<div data-tooltip="請透過電子信箱更換頭貼" data-tooltip-position="bottom right" class="ts top right attached label avatar tooltip">?</div>
|
||||||
</div>
|
</div>
|
||||||
<div class="ten wide field">
|
<div class="ten wide field">
|
||||||
<div class="disabled field">
|
<div class="disabled field">
|
||||||
<label>帳號</label>
|
<label>帳號</label>
|
||||||
<input type="text" name="username" value="<?= $username ?>">
|
<input type="text" name="username" value="<?= $user->username ?>">
|
||||||
</div>
|
</div>
|
||||||
<div class="required field">
|
<div class="required field">
|
||||||
<label>暱稱</label>
|
<label>暱稱</label>
|
||||||
<input type="text" required="required" name="name" maxlength="40" value="<?= $name ?>">
|
<input type="text" required="required" name="name" maxlength="40" value="<?= $user->name ?>">
|
||||||
<small>上限40字元。</small>
|
<small>上限40字元。</small>
|
||||||
</div>
|
</div>
|
||||||
</div>
|
</div>
|
||||||
</div>
|
</div>
|
||||||
<div class="required field">
|
<div class="required field">
|
||||||
<label>信箱</label>
|
<label>信箱</label>
|
||||||
<input type="email" required="required" name="email" value="<?= $email ?>">
|
<input type="email" required="required" name="email" value="<?= $user->email ?>">
|
||||||
<small>透過電子信箱,在 <a href="https://en.gravatar.com/" target="_blank">Gravatar</a> 更改你的頭貼。</small>
|
<small>透過電子信箱,在 <a href="https://en.gravatar.com/" target="_blank">Gravatar</a> 更改你的頭貼。</small>
|
||||||
</div>
|
</div>
|
||||||
<div class="required field">
|
<div class="required field">
|
||||||
|
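Review bot: The registration branch no longer checks whether the e-mail address is already in use: the removed query matched `username` OR `email`, while the new code only calls `new User($username)` and treats `NoUserException` as "available", so two accounts can share an e-mail unless `User::__construct` also matches on e-mail (not visible here). Since the e-mail is what drives the Gravatar lookup and, presumably, account recovery, add an explicit uniqueness check in the catch block before the INSERT, e.g. `if (cavern_query_result("SELECT 1 FROM `user` WHERE `email`='%s'", array($_POST['email']))['num_rows'] > 0)` followed by the same 409/`err=used` exit used for a taken username. It would also be cheaper and safer to run the `preg_match`/`strlen`/`filter_var` checks before the `new User($username)` lookup rather than inside the catch, so malformed input never reaches the database. The enclosing `if (isset($_POST['username']) …)` block and the `try` begin in this section but their bodies continue past the hunk boundaries.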
@ -2,13 +2,21 @@
|
|||||||
require_once('connection/SQL.php');
|
require_once('connection/SQL.php');
|
||||||
require_once('config.php');
|
require_once('config.php');
|
||||||
require_once('include/view.php');
|
require_once('include/view.php');
|
||||||
|
require_once('include/user.php');
|
||||||
|
|
||||||
if (isset($_SESSION['cavern_username'])) {
|
$user = validate_user();
|
||||||
|
if (!$user->valid) {
|
||||||
|
http_response_code(403);
|
||||||
|
header("Location: index.php?err=account");
|
||||||
|
exit;
|
||||||
|
}
|
||||||
|
|
||||||
|
if ($user->islogin) {
|
||||||
$view = new View('theme/default.html', 'theme/nav/util.php', 'theme/sidebar.php', $blog['name'], "通知");
|
$view = new View('theme/default.html', 'theme/nav/util.php', 'theme/sidebar.php', $blog['name'], "通知");
|
||||||
$view->add_script_source("ts('.ts.dropdown:not(.basic)').dropdown();");
|
$view->add_script_source("ts('.ts.dropdown:not(.basic)').dropdown();");
|
||||||
$view->add_script("./include/js/security.js");
|
$view->add_script("./include/js/security.js");
|
||||||
|
|
||||||
$notice_list = cavern_query_result("SELECT * FROM `notification` WHERE `username` = '%s' ORDER BY `time` DESC", array($_SESSION['cavern_username']));
|
$notice_list = cavern_query_result("SELECT * FROM `notification` WHERE `username` = '%s' ORDER BY `time` DESC", array($user->username));
|
||||||
|
|
||||||
if ($notice_list['num_rows'] > 0) {
|
if ($notice_list['num_rows'] > 0) {
|
||||||
$regex = array(
|
$regex = array(
|
||||||
|
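Review bot: The new guard sets `http_response_code(403)` and then `header("Location: index.php?err=account")`, but PHP's `header()` replaces a non-3xx status with 302 (303 for non-GET) when it emits a `Location` header, so the client never sees the 403 and the line is dead. Either drop the status call, since `?err=account` already carries the reason, or, if a forbidden response is really intended, use the custom `axios-location` header the other branches rely on, which does not trigger the redirect rewrite. The same pattern appears in the new guards in account.php, post.php and user.php. This file's header is not shown on the page; the query and the "通知" title suggest it is the notification page.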
2
post.php
2
post.php
@ -12,7 +12,7 @@ require_once('notification.php');
|
|||||||
$user = validate_user();
|
$user = validate_user();
|
||||||
if (!$user->valid) {
|
if (!$user->valid) {
|
||||||
http_response_code(403);
|
http_response_code(403);
|
||||||
header("Location: ../index.php?err=account");
|
header("Location: index.php?err=account");
|
||||||
exit;
|
exit;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
40
user.php
40
user.php
@ -2,28 +2,34 @@
|
|||||||
require_once('connection/SQL.php');
|
require_once('connection/SQL.php');
|
||||||
require_once('config.php');
|
require_once('config.php');
|
||||||
require_once('include/view.php');
|
require_once('include/view.php');
|
||||||
|
require_once('include/user.php');
|
||||||
|
|
||||||
|
$user = validate_user();
|
||||||
|
if (!$user->valid) {
|
||||||
|
http_response_code(403);
|
||||||
|
header("Location: index.php?err=account");
|
||||||
|
exit;
|
||||||
|
}
|
||||||
|
|
||||||
if (isset($_GET['username']) && trim($_GET['username']) != "") {
|
if (isset($_GET['username']) && trim($_GET['username']) != "") {
|
||||||
$username = trim($_GET['username']);
|
$username = trim($_GET['username']);
|
||||||
$result = cavern_query_result("SELECT * FROM `user` WHERE `username`='%s'", array($username));
|
|
||||||
if ($result['num_rows'] > 0) {
|
try {
|
||||||
$name = $result['row']['name'];
|
$target_user = new User($username);
|
||||||
$level = $result['row']['level'];
|
} catch (NoUserException $e) {
|
||||||
$email = md5(strtolower($result['row']['email']));
|
|
||||||
$role = cavern_level_to_role($level);
|
|
||||||
$posts = cavern_query_result("SELECT * FROM `post` WHERE `username`='%s'", array($username));
|
|
||||||
$posts_count = ($posts['num_rows'] > 0 ? $posts['num_rows'] : 0);
|
|
||||||
} else {
|
|
||||||
http_response_code(404);
|
http_response_code(404);
|
||||||
header('Location: user.php?err=no');
|
header('Location: user.php?err=no');
|
||||||
exit;
|
exit;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (isset($_SESSION['cavern_username'])) {
|
$posts = cavern_query_result("SELECT * FROM `post` WHERE `username`='%s'", array($username));
|
||||||
$view = new View('theme/default.html', 'theme/nav/util.php', 'theme/sidebar.php', $blog['name'], $name);
|
$posts_count = ($posts['num_rows'] > 0 ? $posts['num_rows'] : 0);
|
||||||
|
|
||||||
|
if ($user->islogin) {
|
||||||
|
$view = new View('theme/default.html', 'theme/nav/util.php', 'theme/sidebar.php', $blog['name'], $target_user->name);
|
||||||
$view->add_script_source("ts('.ts.dropdown').dropdown();");
|
$view->add_script_source("ts('.ts.dropdown').dropdown();");
|
||||||
} else {
|
} else {
|
||||||
$view = new View('theme/default.html', 'theme/nav/default.html', 'theme/sidebar.php', $blog['name'], $name);
|
$view = new View('theme/default.html', 'theme/nav/default.html', 'theme/sidebar.php', $blog['name'], $target_user->name);
|
||||||
}
|
}
|
||||||
$view->add_script("./include/js/security.js");
|
$view->add_script("./include/js/security.js");
|
||||||
|
|
||||||
@ -35,11 +41,11 @@ if (isset($_GET['username']) && trim($_GET['username']) != "") {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
?>
|
?>
|
||||||
<div class="ts big dividing header"><?= $name ?> 的個人資料</div>
|
<div class="ts big dividing header"><?= $target_user->name ?> 的個人資料</div>
|
||||||
<div class="ts stackable grid">
|
<div class="ts stackable grid">
|
||||||
<div class="column">
|
<div class="column">
|
||||||
<div class="ts center aligned flatted borderless segment">
|
<div class="ts center aligned flatted borderless segment">
|
||||||
<img src="https://www.gravatar.com/avatar/<?= $email ?>?d=https%3A%2F%2Ftocas-ui.com%2Fassets%2Fimg%2F5e5e3a6.png&s=500" class="ts rounded image" id="avatar">
|
<img src="https://www.gravatar.com/avatar/<?= md5(strtolower($target_user->email)) ?>?d=https%3A%2F%2Ftocas-ui.com%2Fassets%2Fimg%2F5e5e3a6.png&s=500" class="ts rounded image" id="avatar">
|
||||||
</div>
|
</div>
|
||||||
</div>
|
</div>
|
||||||
<div class="stretched column">
|
<div class="stretched column">
|
||||||
@ -57,11 +63,11 @@ if (isset($_GET['username']) && trim($_GET['username']) != "") {
|
|||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
<td>暱稱</td>
|
<td>暱稱</td>
|
||||||
<td><?= $name ?></td>
|
<td><?= $target_user->name ?></td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
<td>權限</td>
|
<td>權限</td>
|
||||||
<td><?= $role ?></td>
|
<td><?= cavern_level_to_role($target_user->level) ?></td>
|
||||||
</tr>
|
</tr>
|
||||||
</tbody>
|
</tbody>
|
||||||
</table>
|
</table>
|
||||||
@ -87,7 +93,7 @@ if (isset($_GET['username']) && trim($_GET['username']) != "") {
|
|||||||
<?php $view->render();
|
<?php $view->render();
|
||||||
} else {
|
} else {
|
||||||
if (isset($_GET['err'])) {
|
if (isset($_GET['err'])) {
|
||||||
if (isset($_SESSION['cavern_username'])) {
|
if ($user->islogin) {
|
||||||
$view = new View('theme/default.html', 'theme/nav/util.php', 'theme/sidebar.php', $blog['name'], "使用者");
|
$view = new View('theme/default.html', 'theme/nav/util.php', 'theme/sidebar.php', $blog['name'], "使用者");
|
||||||
$view->add_script_source("ts('.ts.dropdown').dropdown();");
|
$view->add_script_source("ts('.ts.dropdown').dropdown();");
|
||||||
} else {
|
} else {
|
||||||
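Review bot: `$username = trim($_GET['username'])` is passed straight to `new User($username)` without the format check registration now enforces (`/^[a-z][a-z0-9\_\-]*$/` and `strlen <= 20`), so arbitrary query strings reach the user lookup and whether `User::__construct` parameterises its query is not visible in this diff. Add the same check before the lookup, e.g. `if (!preg_match('/^[a-z][a-z0-9\_\-]*$/', $username) || strlen($username) > 20) { http_response_code(404); header('Location: user.php?err=no'); exit; }`, so malformed names short-circuit to the existing not-found path. Note also that the 404 in the catch block is overwritten by 302 once `header('Location: …')` is sent, as in the other new guards. The `if (isset($_GET['username']) …)` block and the `try` begin in this section and continue past the hunk.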
|
Loading…
x
Reference in New Issue
Block a user