From e38d201ec1b19c6bd04c7a0808ec70c0be307025 Mon Sep 17 00:00:00 2001
From: Krombel <krombel@krombel.de>
Date: Fri, 23 Feb 2018 17:43:08 +0100
Subject: [PATCH] only allow actions (admin) when in right state; prepare
 decline reason

- fixes on path's and varnames
---
 MatrixConnection.php    |  4 +--
 functions.php           |  2 +-
 lang/lang.de.php        |  3 ++
 public/register.php     |  5 +--
 public/verify.php       |  4 +--
 public/verify_admin.php | 80 +++++++++++++++++++++++------------------
 6 files changed, 57 insertions(+), 41 deletions(-)

diff --git a/MatrixConnection.php b/MatrixConnection.php
index 21df64f..7ff2966 100644
--- a/MatrixConnection.php
+++ b/MatrixConnection.php
@@ -73,10 +73,10 @@ class MatrixConnection
 			error_log("no message to send");
 		}
 
-		$mac = hash_hmac('sha1', $username, $registration_shared_secret);
+		$mac = hash_hmac('sha1', $username, $shared_secret);
 
 		$data = array(
-			"username" => $user,
+			"username" => $username,
 			"password" => $password,
 			"mac" => $mac,
 		);
diff --git a/functions.php b/functions.php
index 5559eea..45d259f 100644
--- a/functions.php
+++ b/functions.php
@@ -36,7 +36,7 @@ function exec_curl_request($handle)
 		if ($http_code == 401) {
 			throw new Exception('Invalid access token provided');
 		}
-		return false;
+		throw new Exception("Server responds: '" . $response['error'] . "'");
 	} else {
 		$response = json_decode($response, true);
 		if (isset($response["event_id"])) {
diff --git a/lang/lang.de.php b/lang/lang.de.php
index 0b044ef..c2f072e 100644
--- a/lang/lang.de.php
+++ b/lang/lang.de.php
@@ -16,9 +16,12 @@ $language = array(
     "SEND_MAIL_FAIL" => "Senden der E-Mail fehlgeschlagen",
     "SEND_MATRIX_FAIL" => "Senden einer Nachricht an die Administratoren fehlgeschlagen",
     "REGISTRATION_REQUEST_FAILED" => "Registrierungsanfrage ist fehlgeschlagen",
+    "REGISTRATION_FAILED" => "Registrierung ist fehlgeschlagen",
     "VERIFICATION_SUCCEEDED" => "Verifizierung erfolgreich",
     "VERIFICATION_FAILED" => "Verifizierung fehlgeschlagen",
     "VERIFICATION_SUCCESS_BODY" => "Vielen Dank. Die Administratoren wurden informiert",
     "ADMIN_VERIFY_SITE_TITLE" => "Registrierungsanfrage bearbeiten",
+    "ADMIN_REGISTER_ACCEPTED_BODY" => "Die Registrierungsanfrage wurde akzeptiert. Der Nutzer wurde per Mail informiert.",
+    "ADMIN_REGISTER_DECLINED_BODY" => "Die Registrierungsanfrage wurde angelehnt. Der Nutzer wurde per Mail informiert.",
 );
 ?>
diff --git a/public/register.php b/public/register.php
index 8a1e2b5..d52a2c7 100644
--- a/public/register.php
+++ b/public/register.php
@@ -58,12 +58,13 @@ if ($_SERVER["REQUEST_METHOD"] == "POST") {
 
 		#	$first="test"; $last="test2"; $user="test3"; $note="empty"; $email="mail+test1@matthias-kesler.de";
 
-		$sql = "SELECT COUNT(*) FROM registrations WHERE username = '" . $username . "' LIMIT 1;";
+		$sql = "SELECT COUNT(*) FROM registrations WHERE username = '" . $username . "' AND NOT state = "
+		       . RegisterState::RegistrationDeclined . " LIMIT 1;";
 		$res = $db->query($sql);
 		if ($res->fetchColumn() > 0) {
 			throw new Exception($language["USERNAME_PENDING_REGISTRATION"]);
 		}
-		require_once("MatrixConnection.php");
+		require_once("../MatrixConnection.php");
 		$mxConn = new MatrixConnection($homeserver, $access_token);
 		if ($mxConn->hasUser($username)) {
 			throw new Exception($language["USERNAME_REGISTERED"]);
diff --git a/public/verify.php b/public/verify.php
index 52e9896..ed358af 100644
--- a/public/verify.php
+++ b/public/verify.php
@@ -48,7 +48,7 @@ try {
 	}
 
 	require_once("../MatrixConnection.php");
-	$adminUrl = $webroot . "/admin_verify.php?t=" . $admin_token;
+	$adminUrl = $webroot . "/verify_admin.php?t=" . $admin_token;
 	$mxConn = new MatrixConnection($homeserver, $access_token);
 	$mxMsg = new MatrixMessage();
 	$mxMsg->set_body($first_name . ' ' . $last_name . "möchte sich registrieren und hat folgende Notiz hinterlassen:\r\n"
@@ -65,7 +65,7 @@ try {
 	}
 	$db->exec("UPDATE registrations SET state = " .
 		($response ? RegisterState::PendingAdminVerify : RegisterState::PendingAdminSend)
-		. " WHERE verify_token = \"" . $verify_token. "\";");
+		. " WHERE verify_token = \"" . $token. "\";");
 
 	send_mail_pending_approval($homeserver, $first_name . " " . $last_name, $email);
 
diff --git a/public/verify_admin.php b/public/verify_admin.php
index fb9243a..0b56954 100644
--- a/public/verify_admin.php
+++ b/public/verify_admin.php
@@ -18,7 +18,7 @@ if (!isset($_SERVER['HTTPS'])) {
 session_start();
 
 try {
-	if ($_SERVER["REQUEST_METHOD"] == "GET") {
+	if ($_SERVER["REQUEST_METHOD"] != "GET") {
 		throw new Exception("Method not allowed");
 	}
 	if (!isset($_GET["t"])) {
@@ -26,23 +26,28 @@ try {
 	}
 	$token = filter_var($_GET["t"], FILTER_SANITIZE_STRING);
 
-	$action = NULL;
-	if (isset($_GET("allow")) {
-		$action = RegisterState::RegistrationAccepted;
-	}
-	if (isset($_GET("deny")) {
-		$action = RegisterState::RegistrationDeclined;
-	}
-
 	require_once("../database.php");
 
-	$sql = "SELECT COUNT(*) FROM registrations WHERE admin_token = '" . $token . "' LIMIT 1;";
-	$res = $db->query($sql);
+	$action = NULL;
+	if (isset($_GET["allow"])) {
+		$action = RegisterState::RegistrationAccepted;
+	}
+	$decline_reason = "Noch nicht implementiert";
+	if (isset($_GET["deny"])) {
+		$action = RegisterState::RegistrationDeclined;
+		if (isset($_GET["reason"])) {
+			$decline_reason = filter_var($_GET["reason"], FILTER_SANITIZE_STRING);
+		}
+	}
 
+	$sql = "SELECT COUNT(*) FROM registrations WHERE admin_token = '" . $token
+		. "' AND state = " . RegisterState::PendingAdminVerify . " LIMIT 1;";
+	$res = $db->query($sql);
 	$first_name = NULL; $last_name = NULL; $username = NULL; $note = NULL; $email = NULL;
 
 	if ($res->fetchColumn() > 0) {
-		$sql = "SELECT first_name, last_name, username, note, email FROM registrations WHERE admin_token = '" . $token . "' LIMIT 1;";
+		$sql = "SELECT first_name, last_name, username, note, email FROM registrations WHERE admin_token = '" . $token
+			. "' AND state = " . RegisterState::PendingAdminVerify . " LIMIT 1;";
 		foreach ($db->query($sql) as $row) {
 			// will only be executed once
 			$first_name = $row["first_name"];
@@ -56,26 +61,43 @@ try {
 	}
 
 	if ($action == RegisterState::RegistrationAccepted) {
-		$db->exec("UPDATE registrations SET state = " . RegisterState::RegistrationAccepted)
+		$db->exec("UPDATE registrations SET state = " . RegisterState::RegistrationAccepted
 			. " WHERE admin_token = \"" . $token. "\";");
 
 		// register user
-		require_once("MatrixConnection.php");
+		require_once("../MatrixConnection.php");
 		$mxConn = new MatrixConnection($homeserver, $access_token);
 
 		// generate a password with 8 characters
 		$password = bin2hex(openssl_random_pseudo_bytes(4));
 
-		$res = $mxConn->register($username, $password, $shared_secret);
+		$res = $mxConn->register($username, $password, $registration_shared_secret);
+		if ($res) {
+			// send registration_success
+			send_mail_registration_success($homeserver, $first_name . " " . $last_name, $email, $username, $password, $howToURL);
+		} else {
+			send_mail_registration_allowed_but_failed($homeserver, $first_name . " " . $last_name, $email);
+			$mxMsg = new MatrixMessage();
+			$mxMsg->set_type("m.text");
+			$mxMsg->set_body("Fehler beim Registrieren von " . $first_name . " " . $last_name . ".");
+			$mxConn->send($register_room, $mxMsg);
+			throw new Exception($language["REGISTRATION_FAILED"]);
+		}
 
-		// send registration_success
-		send_mail_registration_success($homeserver, $first_name . " " . $last_name, $email, $username, $password, $howToURL)
+		print("<title>" . $language["ADMIN_VERIFY_SITE_TITLE"] . "</title>");
+		print("</head><body>");
+		print("<h1>" . $language["ADMIN_VERIFY_SITE_TITLE"] . "</h1>");
+		print("<p>" . $language["ADMIN_REGISTER_ACCEPTED_BODY"] . "</p>");
 	} elseif ($action == RegisterState::RegistrationDeclined) {
-		$db->exec("UPDATE registrations SET state = " . RegisterState::RegistrationAccepted)
+		$db->exec("UPDATE registrations SET state = " . RegisterState::RegistrationDeclined
 			. " WHERE admin_token = \"" . $token. "\";");
-	}
+		send_mail_registration_decline($homeserver, $first_name . " " . $last_name, $email, $decline_reason);
+		print("<title>" . $language["ADMIN_VERIFY_SITE_TITLE"] . "</title>");
+		print("</head><body>");
+		print("<h1>" . $language["ADMIN_VERIFY_SITE_TITLE"] . "</h1>");
+		print("<p>" . $language["ADMIN_REGISTER_DECLINED_BODY"] . "</p>");
+	} else {
 
-	$adminUrl = $webroot . "/admin_verify.php?t=" . $admin_token;
 	print("<title>" . $language["ADMIN_VERIFY_SITE_TITLE"] . "</title>");
 ?>
 		<link href="//netdna.bootstrapcdn.com/bootstrap/3.1.0/css/bootstrap.min.css" rel="stylesheet">
@@ -140,22 +162,12 @@ body{
 		</div>
  <script type="text/javascript">
 
-	if ($response) {
-		$message = $language["SEND_MATRIX_FAIL"];
-	}
-	$db->exec("UPDATE registrations SET state = " .
-		($response ? RegisterState::PendingAdminVerify : RegisterState::PendingAdminSend)
-		. " WHERE verify_token = \"" . $verify_token. "\";");
-
-	print("<title>" . $language["VERIFICATION_SUCEEDED"] . "</title>");
-	print("</head><body>");
-	print("<h1>" . $language["VERIFICATION_SUCEEDED"] . "</h1>");
-	print("<p>" . $language["VERIFICATION_SUCCESS_BODY"] . "</p>");
-	print("<a href=\"" . $webroot . "/register.php" . "\">Zur Registrierungsseite</a>");
+<?php
+	} // else - no action provided
 } catch (Exception $e) {
-	print("<title>" . $language["VERIFICATION_FAILED"] . "</title>");
+	print("<title>" . $language["REGISTRATION_FAILED"] . "</title>");
 	print("</head><body>");
-	print("<h1>" . $language["VERIFICATION_FAILED"] . "</h1>");
+	print("<h1>" . $language["REGISTRATION_FAILED"] . "</h1>");
 	print("<p>" . $e->getMessage() . "</p>");
 	print("<a href=\"" . $webroot . "/register.php" . "\">Zur Registrierungsseite</a>");
 }