CodeIgniter 2 and Ion Auth - edit own user account - codeigniter

I am using the latest Ion Auth files along with the latest version of CodeIgniter 2.
There is a function called edit_user within the auth.php Controller file. This function is restricted to use only by members within the "Admin" group, and any Admin member can edit any other member using the function via this URL...
/auth/edit_user/id
The problem is that I don't see any Controller function or View that allows a regular (non-Admin) user to edit their own account details.
Would this be a new Controller function I'd need to write (modify edit_user function?) or is this something that Ion Auth should already do? If so, how?
Here is the stock Ion Auth edit_user function contained within the auth.php Controller...
function edit_user($id)
{
$this->data['title'] = "Edit User";
if (!$this->ion_auth->logged_in() || !$this->ion_auth->is_admin())
{
redirect('auth', 'refresh');
}
$user = $this->ion_auth->user($id)->row();
//process the phone number
if (isset($user->phone) && !empty($user->phone))
{
$user->phone = explode('-', $user->phone);
}
//validate form input
$this->form_validation->set_rules('first_name', 'First Name', 'required|xss_clean');
$this->form_validation->set_rules('last_name', 'Last Name', 'required|xss_clean');
$this->form_validation->set_rules('phone1', 'First Part of Phone', 'required|xss_clean|min_length[3]|max_length[3]');
$this->form_validation->set_rules('phone2', 'Second Part of Phone', 'required|xss_clean|min_length[3]|max_length[3]');
$this->form_validation->set_rules('phone3', 'Third Part of Phone', 'required|xss_clean|min_length[4]|max_length[4]');
$this->form_validation->set_rules('company', 'Company Name', 'required|xss_clean');
if (isset($_POST) && !empty($_POST))
{
// do we have a valid request?
if ($this->_valid_csrf_nonce() === FALSE || $id != $this->input->post('id'))
{
show_error('This form post did not pass our security checks.');
}
$data = array(
'first_name' => $this->input->post('first_name'),
'last_name' => $this->input->post('last_name'),
'company' => $this->input->post('company'),
'phone' => $this->input->post('phone1') . '-' . $this->input->post('phone2') . '-' . $this->input->post('phone3'),
);
//update the password if it was posted
if ($this->input->post('password'))
{
$this->form_validation->set_rules('password', 'Password', 'required|min_length[' . $this->config->item('min_password_length', 'ion_auth') . ']|max_length[' . $this->config->item('max_password_length', 'ion_auth') . ']|matches[password_confirm]');
$this->form_validation->set_rules('password_confirm', 'Password Confirmation', 'required');
$data['password'] = $this->input->post('password');
}
if ($this->form_validation->run() === TRUE)
{
$this->ion_auth->update($user->id, $data);
//check to see if we are creating the user
//redirect them back to the admin page
$this->session->set_flashdata('message', "User Saved");
redirect("auth", 'refresh');
}
}
//display the edit user form
$this->data['csrf'] = $this->_get_csrf_nonce();
//set the flash data error message if there is one
$this->data['message'] = (validation_errors() ? validation_errors() : ($this->ion_auth->errors() ? $this->ion_auth->errors() : $this->session->flashdata('message')));
//pass the user to the view
$this->data['user'] = $user;
$this->data['first_name'] = array(
'name' => 'first_name',
'id' => 'first_name',
'type' => 'text',
'value' => $this->form_validation->set_value('first_name', $user->first_name),
);
$this->data['last_name'] = array(
'name' => 'last_name',
'id' => 'last_name',
'type' => 'text',
'value' => $this->form_validation->set_value('last_name', $user->last_name),
);
$this->data['company'] = array(
'name' => 'company',
'id' => 'company',
'type' => 'text',
'value' => $this->form_validation->set_value('company', $user->company),
);
$this->data['phone1'] = array(
'name' => 'phone1',
'id' => 'phone1',
'type' => 'text',
'value' => $this->form_validation->set_value('phone1', $user->phone[0]),
);
$this->data['phone2'] = array(
'name' => 'phone2',
'id' => 'phone2',
'type' => 'text',
'value' => $this->form_validation->set_value('phone2', $user->phone[1]),
);
$this->data['phone3'] = array(
'name' => 'phone3',
'id' => 'phone3',
'type' => 'text',
'value' => $this->form_validation->set_value('phone3', $user->phone[2]),
);
$this->data['password'] = array(
'name' => 'password',
'id' => 'password',
'type' => 'password'
);
$this->data['password_confirm'] = array(
'name' => 'password_confirm',
'id' => 'password_confirm',
'type' => 'password'
);
$this->load->view('auth/edit_user', $this->data);
}

Unless I'm missing something, I ended up modifying the edit_user function within the auth.php Controller as follows.
I changed this line which checks to see that the user is "not logged in" OR "not an admin" before dumping them out...
if (!$this->ion_auth->logged_in() || !$this->ion_auth->is_admin())
{
redirect('auth', 'refresh');
}
...into this, which check to see that the user is "not logged in" OR ("not an admin" AND "not the user") before dumping them out...
if (!$this->ion_auth->logged_in() || (!$this->ion_auth->is_admin() && !($this->ion_auth->user()->row()->id == $id)))
This seems to be working...
Admin can edit all accounts
User can only edit his own account
and somebody not logged in, can't edit any account.
Edit: However, the user also has access to the "groups" setting and could simply put themself into the "admin" group. Not good.
Ion Auth's developer refers to the files he provides as working "examples". Therefore, it's up to the end-developer to edit Ion Auth to suit the needs of the project.
To prevent the user from being able to make himself an "admin" requires a simple change to the edit_user.php view file.
Verifies the user is already an "admin" before creating the checkboxes...
<?php if ($this->ion_auth->is_admin()): ?>
// code that generates Groups checkboxes
<?php endif ?>
Then you'll also need to thoroughly test and adjust as needed. For example, after editing a user profile, you're redirected to the auth view. Since the user doesn't have permission to see the auth view, there is a "must be an admin" error. In the controller file, you'll have to add the appropriate logic to properly redirect the user when they're not an "admin".

No Ion Auth doesn't do this as is - it's pretty light weight. But it's not hard to do and your on the right track, just grab that edit_user method and take out the admin checks and make it so the user can only edit their own account, just alter it so that it only updates user details for the currently logged in user.
Check the ion auth docs, have a crack at it and come back with some code if you have any problems.

Related

what would the following form validation rule mean ? I want a logic that even if one of the form posts are set...it should be allowed

$this->form_validation->set_rules('newusername', 'newfullname', 'newcity','newemail');
// is the set_rules correct. I want that if any one input field with above names are set. It should pass the validation . Please help me if there are any corrections.
May be you should read the manual again. If you want at least one of them filled, you'll need to write your own validation.
Using the following rules:
public $rules = array(
'newusername' => array(
'field' => 'newusername',
'label' => 'New User Name',
'rules' => 'trim|xss_clean|callback_needone'
),
'newfullname' => array(
'field' => 'newusername',
'label' => 'New Full Name',
'rules' => 'trim|xss_clean|callback_needone'
),
'newcity' => array(
'field' => 'newcity',
'label' => 'New City',
'rules' => 'trim|xss_clean|callback_needone'
),
'newemail' => array(
'field' => 'newemail',
'label' => 'New Email',
'rules' => 'trim|xss_clean|callback_needone'
)
)
in your controller you have to write
public function needone(){
if ( empty($this->input->post('newusername')) && empty($this->input->post('newfullname')) && empty($this->input->post('newcity')) && empty($this->input->post('newmail')) ) {
$this->form_validation->set_message('needone', 'At least one field must be entered');
return FALSE;
}
return TRUE;
}
Put the rule on any of the form's fields, or all of them to hilite those who are in the required group, it's up to you.
Each input field in your form, requires it's own validation rules. Which should look like this;
$this->form_validation->set_rules('field name', 'human name', 'rules');
https://ellislab.com/codeigniter/user-guide/libraries/form_validation.html#validationrules
So, you would have 4 set_rules functions, like this;
$this->form_validation->set_rules('newusername', 'New username', 'trim|xss_clean|required');
$this->form_validation->set_rules('newfullname', 'New full name', 'trim|xss_clean|required');
$this->form_validation->set_rules('newcity', 'New City', 'trim|xss_clean|required');
$this->form_validation->set_rules('newemail', 'New Email', 'trim|xss_clean|required');
https://ellislab.com/codeigniter/user-guide/libraries/form_validation.html#cascadingrules
Here's a rule reference, all the available rules;
https://ellislab.com/codeigniter/user-guide/libraries/form_validation.html#rulereference
Now, to check if ANY of the items are set, I would do this;
if ($this->input->post('newusername') OR $this->input->post('newusername') OR $this->input->post('newusername') OR $this->input->post('newusername'))
{
// One of them is set
}
else
{
// Nothing is set
}

authorisation based on values not on verb

I'm implementing an authorisation process based on values not on verb.
Example:
all users/groups are allowed to update a db field
admin can set status to all possible values (confirmed | pending | cancelled)
supplier can set to 'confirmed'
All examples I find go around a user/group being able or not to insert,update or delete something.
Is there something out there to deal with situations like this out of the box, or this has be hard coded?
Basically what you need is something hard to maintain in any application: granular permissions.
You can get this to work easily using Cartalyst's Sentry. Here's how I do it:
All my routes are hierarchically organized and named as such:
<?php
Route::get('login', array('as'=>'logon.login', 'uses'=>'LogonController#login'));
Route::get('logged/out', array('as'=>'logon.loggedOut', 'uses'=>'LogonController#loggedOut'));
Route::group(array('before' => 'auth'), function()
{
Route::get('logout', array('as'=>'logon.logout', 'uses'=>'LogonController#logout'));
Route::group(array('before' => 'permissions'), function()
{
Route::get('store/checkout/shipping/address', array('as'=>'store.checkout.shipping.address', 'uses'=>'StoreController#shippingAddress'));
Route::get('store/checkout/payment/confirmed', array('as'=>'store.checkout.payment.confirmed', 'uses'=>'StoreController#confirmed'));
Route::get('profile', array('as'=>'profile.show', 'uses'=>'ProfileController#show'));
});
});
Those under the filter 'permissions' are subject to check if user has rights to use them:
Route::filter('permissions', function()
{
$name = Route::current()->getName();
$name = 'system' . ( ! empty($name) ? '.' : '') . $name;
if (!Permission::has($name)) {
App::abort(401, 'You are not authorized to access route '.$name);
}
});
Basically here I get the current route name, add 'system.' to it and check if the user has this particular permission.
Here's how I create my groups and populate permissions:
<?php
public function seedPermissions()
{
DB::table('groups')->truncate();
$id = 1;
Sentry::getGroupProvider()->create(array(
'id' => $id++,
'name' => 'Super Administrators',
'permissions' => array(
'system' => 1,
),
));
Sentry::getGroupProvider()->create(array(
'id' => $id++,
'name' => 'Administrators',
'permissions' => array(
'system.users' => 1,
'system.products' => 1,
'system.store' => 1,
'system.profile' => 1,
),
));
Sentry::getGroupProvider()->create(array(
'id' => $id++,
'name' => 'Managers',
'permissions' => array(
'system.products' => 1,
'system.store' => 1,
'system.profile' => 1,
),
));
Sentry::getGroupProvider()->create(array(
'id' => $id++,
'name' => 'Users',
'permissions' => array(
'system.store.checkout' => 1,
'system.profile' => 1,
),
));
}
So if a user is trying to add some shipping address, the route 'store.checkout.payment.confirmed', as every user has access to 'system.store.checkout', everything inside that route will available to him.
And this is how I check for permissions:
public static function has($permission)
{
$all = [];
$parts = explode('.',$permission);
$permission = '';
foreach($parts as $part) {
$permission .= (!empty($permission) ? '.' : '') . $part;
$all[] = $permission;
}
return Sentry::check() and Sentry::getUser()->hasAnyAccess($all);
}
It basically builds a list of routes:
system
system.store
system.store.checkout
system.store.checkout.payment
system.store.checkout.payment.confirmed
And if Sentry finds one of those in the users granular permissions it will return true.
Now I just have to add users to groups:
Sentry::findUserById(1)->addGroup( Sentry::getGroupProvider()->findByName('Users') );
And if I need to go granular on a particular user/permission I just need to:
$user = Sentry::findUserById(1);
$user->permissions['store.checkout.payment'] = false;
$user->save();
And the user will never be able to pay for anything in the store again. :)

CakePHP modal AJAX checks not displaying in lights out box?

Ok, this might have a very simple answer but for the life of me my I can not seem to find an answer! I am signing up users from a text into a lights out box (SimpleModal) which AJAX loads a new page for an admin to sign up a user to a selected client list.
This all works without any issues at all, so long as the model checks are correct. I have two checks, one makes sure the username is unique and that the password has at lest 8 characters, code below. But when one or both of these checks are not meet, then the user is taken to the AJAX URL and the 'message' is then displayed. This is not what I need I need it to be taken back to the lights out box or set these messages as flash error message to be printed on to the screen.
Or should I remove these checks from the modal and get JQuery to check them instead?
Any ideas?
All help very welcome.....
Model Code ::
public $validate = array(
'username' => array(
'required' => array(
'rule' => array('isUnique'),
'message' => 'Sorry but a unique username is required'
)
),
'password' => array(
'required' => array(
'rule' => array('minLength', '8'),
'message' => 'Sorry but a password of 8 characters or more is required'
)
) ... more check follow but these are the issues....
CTP file ::
$this->layout = 'ajax';
$AddUserForm = $this->Form->create('User', array('url' => '/ADD-USER-URL-HERE'));
$AddUserForm .= $this->Form->input('username');
$AddUserForm .= $this->Form->input('password');
$AddUserForm .= $this->Form->input('role', array('options' => array('admin' => 'Admin', 'user' => 'User')));
$AddUserForm .= $this->Form->input('data_id', array('options' => array($data), 'empty'=>true));
$AddUserForm .= $this->Form->end(__('SAVE NEW USER'));
echo $AddUserForm;
In your ctp file
$('form').on('submit', function(e) {
e.preventDefault();
$.post($(this).attr('action'), $(this).serialize(), function(res) {
$('form').replaceWith(res);
})
})
can be used for validating the data using the above script,
I think this will help you for submitting the form via ajax and you can also display the error messages using the response coming from the ajax.
Hope this will help you.

custom phpbb3 registration

i am making a custom phpbb3 registration and i am trying to register a user form a external file but it not working . also i checked for errors . there is no error .can anyone help me out with where i am wrong . also if anyone has any easy idea how to add a new user record for phpbb3 please help me out with this .
<?php
$username = $_POST[username];
$password = $_POST[password];
$email_address = $_POST[email];
include('forums/common.php');
require('forums/includes/functions_user.php');
// Start session management
$user->session_begin();
$auth->acl($user->data);
$user->setup('viewtopic');
global $config, $db, $user, $auth, $template, $phpbb_root_path, $phpEx;
$user_row = array(
'username' => $username, //REQUIRED IN FORM
'user_password' => md5($password), //REQUIRED IN FORM
'user_email' => $email_address, //REQUIRED IN FORM
'group_id' => 0,//(int) $group_id,
'user_timezone' => $timezone = date(Z) / 3600,//(float) $data[tz],
'user_dst' => date(I),//$is_dst,
'user_lang' => $user->lang_name,//$data[lang],
'user_type' => USER_NORMAL,//$user_type,
'user_actkey' => '',//$user_actkey,
'user_ip' => $user->ip,
'user_regdate' => time(),
'user_inactive_reason' => 0,//$user_inactive_reason,
'user_inactive_time' => 0,//$user_inactive_time,
);
// Register user...
$user_id = user_add($user_row);
?>
You must define
define('IN_PHPBB', true);
In other case your script will exit immediately in common.php and other required files. You can see
if (!defined('IN_PHPBB'))
{
exit;
}
in every required file

Codeigniter Custom Form Validation

this is my register method on controller to register a new user.
function register() {
$config_rules = array(
array(
'field' => 'txtEmail',
'label' => 'Email',
'rules' => 'required|valid_email'
),
array(
'field' => 'txtPassword',
'label' => 'Password',
'rules' => 'required|min_length[6]'
),
array(
'field' => 'txtRePassword',
'label' => 'Re-type Password',
'rules' => 'required|min_length[6]'
)
);
$this->form_validation->set_rules($config_rules);
if(isset($_POST['btnSubmit']) && $this->form_validation->run() == TRUE)
{
// insert query and redirect to registration success page
}
$this->load->view('users/register_form');
}
All the rules for form validation are work fine.
But, the problem is I can't do is to validate password and re-type password.
How make a custom form validation such as to check either
password and re-type password are same or not. Then return false for the validation and give error message telling that password and re-type password are not same through validation_errors().
You can specify the rule something like this:
$rules['password'] = "required|matches[passconf]";
In the above example, the field password will be matched with password confirm field passconf.
See the docs for more information.
http://ellislab.com/codeigniter/user-guide/libraries/form_validation.html
add:
matches[txtRePassword]
to the password rules, then you can use:
$this->validation->set_message('matches', 'New Passwords don\'t match');
to make a customer error message

Resources