implement hasUser(localpart), RegisterState add verify{_admin}.php

- fixes
2018-02-23 15:28:50 +01:00
parent 8fff520b28
commit e88eb13d91
8 changed files with 448 additions and 115 deletions
--- a/public/register.php
+++ b/public/register.php
@@ -7,6 +7,7 @@ if (!file_exists("../config.php")) {
 	exit();
 }
 require_once "../config.php";
+require_once "../mail_templates.php";

 // enforce admin via https
 if (!isset($_SERVER['HTTPS'])) {
@@ -16,67 +17,95 @@ if (!isset($_SERVER['HTTPS'])) {

 session_start();

+require_once("../database.php");
+
 if ($_SERVER["REQUEST_METHOD"] == "POST") {
-	$success = false;
-	if (!isset($_SESSION["token"]) || !isset($_POST["token"]) || $_SESSION["token"] != $_POST["token"]) {
-		// token not present or invalid
-		$message = $language["UNKNOWN_SESSION"];
-	}
-	elseif (!isset($_POST["username"])) {
-		$message = $language["UNKNOWN_USERNAME"];
-	}
-	elseif (strlen($_POST["username"] > 20 || strlen($_POST["username"]) < 3)) {
-		$message = $language["USERNAME_LENGTH_INVALID"];
-	}
-	elseif (ctype_alnum($_POST['username']) != true) {
-		$message = $language["USERNAME_NOT_ALNUM"];
-	}
-	elseif (isset($_POST["note"]) && strlen($_POST["note"]) > 50) {
-		$message = $language["NOTE_LENGTH_EXEEDED"];
-	}
-	elseif (!isset($_POST["email"]) || !filter_var($_POST["email"], FILTER_VALIDATE_EMAIL)) {
-		$message = $language["EMAIL_INVALID_FORMAT"];
-	}
-	elseif (isset($_POST["first_name"]) && ! preg_match("/[A-Z][a-z]+/", $_POST["first_name"])) {
-		$message = $language["FIRSTNAME_INVALID_FORMAT"];
-	}
-	elseif (isset($_POST["last_name"]) && ! preg_match("/[A-Z][a-z]+/", $_POST["last_name"])) {
-		$message = $language["SIRNAME_INVALID_FORMAT"];
-	}
-	else {
+	try {
+		if (!isset($_SESSION["token"]) || !isset($_POST["token"]) || $_SESSION["token"] != $_POST["token"]) {
+			// token not present or invalid
+			throw new Exception($language["UNKNOWN_SESSION"]);
+		}
+		if (!isset($_POST["username"])) {
+			throw new Exception($language["UNKNOWN_USERNAME"]);
+		}
+		if (strlen($_POST["username"] > 20 || strlen($_POST["username"]) < 3)) {
+			throw new Exception($language["USERNAME_LENGTH_INVALID"]);
+		}
+		if (ctype_alnum($_POST['username']) != true) {
+			throw new Exception($language["USERNAME_NOT_ALNUM"]);
+		}
+		if (isset($_POST["note"]) && strlen($_POST["note"]) > 50) {
+			throw new Exception($language["NOTE_LENGTH_EXEEDED"]);
+		}
+		if (!isset($_POST["email"]) || !filter_var($_POST["email"], FILTER_VALIDATE_EMAIL)) {
+			throw new Exception($language["EMAIL_INVALID_FORMAT"]);
+		}
+		if (isset($_POST["first_name"]) && ! preg_match("/[A-Z][a-z]+/", $_POST["first_name"])) {
+			throw new Exception($language["FIRSTNAME_INVALID_FORMAT"]);
+		}
+		if (isset($_POST["last_name"]) && ! preg_match("/[A-Z][a-z]+/", $_POST["last_name"])) {
+			throw new Exception($language["SIRNAME_INVALID_FORMAT"]);
+		}
+
 		// check valid password
-		require_once("../database.php");
-		$ins_stmt = $db->prepare("INSERT INTO registrations
-			(first_name, last_name, note, email, username, verify_token)
-			VALUES (:first, :last, :note, :email, :username, :token )");
-		$ins_stmt->bindParam(':first', $first);
-		$ins_stmt->bindParam(':last', $last);
-		$ins_stmt->bindParam(':note', $note);
-		$ins_stmt->bindParam(':email', $email);
-		$ins_stmt->bindParam(':username', $user);
-		$ins_stmt->bindParam(':token ', $vToken);
+		$first_name = filter_var($_POST["first_name"], FILTER_SANITIZE_STRING);
+		$last_name = filter_var($_POST["last_name"], FILTER_SANITIZE_STRING);
+		$username = filter_var($_POST["username"], FILTER_SANITIZE_STRING);
+		$note   = filter_var($_POST["note"], FILTER_SANITIZE_STRING);
+		$email  = filter_var($_POST["email"], FILTER_VALIDATE_EMAIL);
+		$verify_token = bin2hex(random_bytes(16));
+		$admin_token = bin2hex(random_bytes(16));

-		$first = filter_var($_POST["first_name"], FILTER_SANITIZE_STRING);
-		$last  = filter_var($_POST["last_name"], FILTER_SANITIZE_STRING);
-		$user  = filter_var($_POST["username"], FILTER_SANITIZE_STRING);
-		$note  = filter_var($_POST["note"], FILTER_SANITIZE_STRING);
-		$email = filter_var($_POST["email"], FILTER_VALIDATE_EMAIL);
-		$vToken= bin2hex(random_bytes(16));
+		#	$first="test"; $last="test2"; $user="test3"; $note="empty"; $email="mail+test1@matthias-kesler.de";
+
+		$sql = "SELECT COUNT(*) FROM registrations WHERE username = '" . $username . "' LIMIT 1;";
+		$res = $db->query($sql);
+		if ($res->fetchColumn() > 0) {
+			throw new Exception($language["USERNAME_PENDING_REGISTRATION"]);
+		}
+		require_once("MatrixConnection.php");
+		$mxConn = new MatrixConnection($homeserver, $access_token);
+		if ($mxConn->hasUser($username)) {
+			throw new Exception($language["USERNAME_REGISTERED"]);
+		}
+
+		$db->exec('INSERT INTO registrations
+			(first_name, last_name, username, note, email, verify_token, admin_token)
+			VALUES ("' . $first_name.'","' . $last_name . '","' . $username . '","'	. $note . '","'
+			. $email.'","'	.$verify_token.'","'	.$admin_token.'")');
+		#		$ins_stmt->bindValue(':first_name', $first);
+		#		$ins_stmt->bindValue(':last_lame', $last);
+		#		$ins_stmt->bindValue(':username', $user);
+		#		$ins_stmt->bindValue(':note', $note);
+		#		$ins_stmt->bindValue(':email', $email);
+		#		$ins_stmt->bindValue(':verify_token', $vToken);
+		#		$ins_stmt->bindValue(':admin_token', $adminToken);
+		#		$ins_stmt->bindValue(':now', date('Y-m-d H:i:s'));
+		#
+		#		$ins_stmt->execute();
+
+		$verify_url = $webroot . "/verify.php?t=" . $verify_token;
+		$success = send_mail_pending_verification(
+			$homeserver,
+			$first_name . " " . $last_name,
+			$email,
+			$verify_url);
+
+		$db->exec("UPDATE registrations SET state = " .
+			($success ? RegisterState::PendingEmailVerify : RegisterState::PendingEmailSend)
+			. " WHERE verify_token = \"" . $verify_token. "\";");

-		$ins_stmt->execute();
-		$success = true;
-	}
-	if ($success) {
 		print("<title>Erfolgreich</title>");
 		print("</head><body>");
 		print("<h1>Erfolgreich</h1>");
 		print("<p>Bitte überprüfe deine E-Mails um deine E-Mail-Adresse zu bestätigen.</p>");
 		print("<a href=\"" . "/register.php" . "\">Zur Registrierungsseite</a>");
-	} else {
-		print("<title>".$message."</title>");
+	} catch (Exception $e) {
+		print("<title>" . $language["REGISTRATION_REQUEST_FAILED"] . "</title>");
 		print("</head><body>");
-		print("<h1>" . $message . "</h1>");
-		print("<a href=\"" . "/register.php" . "\">Zur Registrierungsseite</a>");
+		print("<h1>" . $language["REGISTRATION_REQUEST_FAILED"] . "</h1>");
+		print("<p>" . $e->getMessage() . "</p>");
+		print("<a href=\"" . $webroot . "/register.php" . "\">Zur Registrierungsseite</a>");
 	}
 } else {
 	$_SESSION["token"] = bin2hex(random_bytes(16));
@@ -139,18 +168,18 @@ body{
  required>
 								</div>
 <?php /**
-								<div class="row">
-									<div class="col-xs-6 col-sm-6 col-md-6">
-										<div class="form-group">
-											<input type="password" name="password" id="password" class="form-control input-sm" placeholder="Passwort" required>
-										</div>
-									</div>
-									<div class="col-xs-6 col-sm-6 col-md-6">
-										<div class="form-group">
-											<input type="password" name="password_confirm" id="password_confirm" class="form-control input-sm" placeholder="Passwort bestätigen" required>
-										</div>
-									</div>
-								</div>
+<div class="row">
+<div class="col-xs-6 col-sm-6 col-md-6">
+<div class="form-group">
+<input type="password" name="password" id="password" class="form-control input-sm" placeholder="Passwort" required>
+</div>
+</div>
+<div class="col-xs-6 col-sm-6 col-md-6">
+<div class="form-group">
+<input type="password" name="password_confirm" id="password_confirm" class="form-control input-sm" placeholder="Passwort bestätigen" required>
+</div>
+</div>
+</div>
 */ ?>
 								<input type="hidden" name="token" id="token" value="<?php echo $_SESSION["token"]; ?>">
 								<input type="submit" value="Registrieren" class="btn btn-info btn-block">
@@ -167,29 +196,29 @@ body{
 				</div>
 			</div>
 		</div>
-		<script type="text/javascript">
-			var first_name = document.getElementById("first_name");
-			first_name.oninvalid = function(event) {
-				event.target.setCustomValidity("Vorname muss das Format <Großbuchstabe><Kleinbuchstaben> haben");
-			}
-			first_name.onkeyup = function(event) {
-				event.target.setCustomValidity("");
-			}
-			var last_name = document.getElementById("last_name");
-			last_name.oninvalid = function(event) {
-				event.target.setCustomValidity("Nachname muss das Format <Großbuchstabe><Kleinbuchstaben> haben");
-			}
-			last_name.onkeyup = function(event) {
-				event.target.setCustomValidity("");
-			}
-			var user_name = document.getElementById("username");
-			user_name.oninvalid = function(event) {
-				event.target.setCustomValidity("Nutzername darf zwischen 3 und 20 kleine Buchstaben und Zahlen enthalten");
-			}
-			user_name.onkeyup = function (event) {
-				event.target.setCustomValidity("");
-			}
-		</script>
+ <script type="text/javascript">
+ var first_name = document.getElementById("first_name");
+	first_name.oninvalid = function(event) {
+		event.target.setCustomValidity("Vorname muss das Format <Großbuchstabe><Kleinbuchstaben> haben");
+	}
+	first_name.onkeyup = function(event) {
+		event.target.setCustomValidity("");
+	}
+	var last_name = document.getElementById("last_name");
+	last_name.oninvalid = function(event) {
+		event.target.setCustomValidity("Nachname muss das Format <Großbuchstabe><Kleinbuchstaben> haben");
+	}
+	last_name.onkeyup = function(event) {
+		event.target.setCustomValidity("");
+	}
+	var user_name = document.getElementById("username");
+	user_name.oninvalid = function(event) {
+		event.target.setCustomValidity("Nutzername darf zwischen 3 und 20 kleine Buchstaben und Zahlen enthalten");
+	}
+	user_name.onkeyup = function (event) {
+		event.target.setCustomValidity("");
+	}
+	</script>
+		<?php } ?>
 	</body>
 </html>
-		<?php } ?>