gosora/routes/account.go

405 lines
13 KiB
Go
Raw Normal View History

package routes
import (
"database/sql"
"html"
"io"
"log"
"net/http"
"os"
"regexp"
"strconv"
"strings"
"../common"
"../query_gen/lib"
)
// A blank list to fill out that parameter in Page for routes which don't use it
var tList []interface{}
func AccountLogin(w http.ResponseWriter, r *http.Request, user common.User) common.RouteError {
header, ferr := common.UserCheck(w, r, &user)
if ferr != nil {
return ferr
}
if user.Loggedin {
return common.LocalError("You're already logged in.", w, r, user)
}
pi := common.Page{common.GetTitlePhrase("login"), user, header, tList, nil}
if common.RunPreRenderHook("pre_render_login", w, r, &user, &pi) {
return nil
}
err := common.RunThemeTemplate(header.Theme.Name, "login", pi, w)
if err != nil {
return common.InternalError(err, w, r)
}
return nil
}
// TODO: Log failed attempted logins?
// TODO: Lock IPS out if they have too many failed attempts?
// TODO: Log unusual countries in comparison to the country a user usually logs in from? Alert the user about this?
func AccountLoginSubmit(w http.ResponseWriter, r *http.Request, user common.User) common.RouteError {
if user.Loggedin {
return common.LocalError("You're already logged in.", w, r, user)
}
username := html.EscapeString(strings.Replace(r.PostFormValue("username"), "\n", "", -1))
uid, err := common.Auth.Authenticate(username, r.PostFormValue("password"))
if err != nil {
return common.LocalError(err.Error(), w, r, user)
}
userPtr, err := common.Users.Get(uid)
if err != nil {
return common.LocalError("Bad account", w, r, user)
}
user = *userPtr
var session string
if user.Session == "" {
session, err = common.Auth.CreateSession(uid)
if err != nil {
return common.InternalError(err, w, r)
}
} else {
session = user.Session
}
common.Auth.SetCookies(w, uid, session)
if user.IsAdmin {
// Is this error check redundant? We already check for the error in PreRoute for the same IP
// TODO: Should we be logging this?
log.Printf("#%d has logged in with IP %s", uid, user.LastIP)
}
http.Redirect(w, r, "/", http.StatusSeeOther)
return nil
}
Commented out more debug code. Main Menu is now shown on the main menu in the menu list for extra clarity. Travis should now be able to run it's tests. Moved routeChangeTheme to the routes package. Moved routeShowAttachment to the routes package and partially refactored it. Moved routeLikeTopicSubmit to the routes package. Moved routeReplyLikeSubmit to the routes package and partially refactored it. Moved routeProfileReplyCreateSubmit to the routes package. Moved routeLogout to the routes package, now known as routes.AccountLogout. Moved the routeDynamic stub to the routes package, now known as routes.DynamicRoute. Moved the routeUploads stub to the routes package, now known as routes.UploadedFile. Moved the BadRoute stub to the routes package, now known as routes.BadRoute. All routes moved to the routes package have had the route prefix dropped from their name. Simplified the email token route to redirect back to the main email route instead of rendering the same template. Refactored the panel menus to use the new submenu system instead of the old one which had a lot of menu duplication. Added a stub directory for Nox, the next major theme after Cosora. Fixed a bug where the alerts wouldn't load outside of the index. Tweaked the CSS in the topic creation and reply forms on Shadow. Tweaked the padding on the stickies on Shadow. Improved the submenu CSS on every theme. Fixed the submitrow CSS on Shadow, Tempra Conflux. Fixed some double borders on Tempra Conflux. The frontend sidebar should no longer show up in the Control Panel in Tempra Conflux and Tempra Simple. Tweaked the title CSS on Cosora. Tweaked the user manager CSS on Cosora. Changed the primary text colour on Cosora. Fixed attachment images taking up too much space on Cosora. Run the patcher or update script for this commit.
2018-05-15 05:59:52 +00:00
func AccountLogout(w http.ResponseWriter, r *http.Request, user common.User) common.RouteError {
if !user.Loggedin {
return common.LocalError("You can't logout without logging in first.", w, r, user)
}
common.Auth.Logout(w, user.ID)
http.Redirect(w, r, "/", http.StatusSeeOther)
return nil
}
func AccountRegister(w http.ResponseWriter, r *http.Request, user common.User) common.RouteError {
header, ferr := common.UserCheck(w, r, &user)
if ferr != nil {
return ferr
}
if user.Loggedin {
return common.LocalError("You're already logged in.", w, r, user)
}
pi := common.Page{common.GetTitlePhrase("register"), user, header, tList, nil}
if common.RunPreRenderHook("pre_render_register", w, r, &user, &pi) {
return nil
}
err := common.RunThemeTemplate(header.Theme.Name, "register", pi, w)
if err != nil {
return common.InternalError(err, w, r)
}
return nil
}
func AccountRegisterSubmit(w http.ResponseWriter, r *http.Request, user common.User) common.RouteError {
headerLite, _ := common.SimpleUserCheck(w, r, &user)
// TODO: Should we push multiple validation errors to the user instead of just one?
var regSuccess = true
var regErrMsg = ""
var regErrReason = ""
var regError = func(userMsg string, reason string) {
regSuccess = false
if regErrMsg == "" {
regErrMsg = userMsg
}
regErrReason += reason + "|"
}
username := html.EscapeString(strings.Replace(r.PostFormValue("username"), "\n", "", -1))
email := html.EscapeString(strings.Replace(r.PostFormValue("email"), "\n", "", -1))
if username == "" {
regError("You didn't put in a username.", "no-username")
}
if email == "" {
regError("You didn't put in an email.", "no-email")
}
password := r.PostFormValue("password")
// ? Move this into Create()? What if we want to programatically set weak passwords for tests?
err := common.WeakPassword(password, username, email)
if err != nil {
regError(err.Error(), "weak-password")
} else {
// Do the two inputted passwords match..?
confirmPassword := r.PostFormValue("confirm_password")
if password != confirmPassword {
regError("The two passwords don't match.", "password-mismatch")
}
}
regLog := common.RegLogItem{Username: username, Email: email, FailureReason: regErrReason, Success: regSuccess, IPAddress: user.LastIP}
_, err = regLog.Create()
if err != nil {
return common.InternalError(err, w, r)
}
if !regSuccess {
return common.LocalError(regErrMsg, w, r, user)
}
var active bool
var group int
switch headerLite.Settings["activation_type"] {
case 1: // Activate All
active = true
group = common.Config.DefaultGroup
default: // Anything else. E.g. Admin Activation or Email Activation.
group = common.Config.ActivationGroup
}
// TODO: Do the registration attempt logging a little less messily (without having to amend the result after the insert)
uid, err := common.Users.Create(username, password, email, group, active)
if err != nil {
regLog.Success = false
if err == common.ErrAccountExists {
regLog.FailureReason += "username-exists"
err = regLog.Commit()
if err != nil {
return common.InternalError(err, w, r)
}
return common.LocalError("This username isn't available. Try another.", w, r, user)
} else if err == common.ErrLongUsername {
regLog.FailureReason += "username-too-long"
err = regLog.Commit()
if err != nil {
return common.InternalError(err, w, r)
}
return common.LocalError("The username is too long, max: "+strconv.Itoa(common.Config.MaxUsernameLength), w, r, user)
}
regLog.FailureReason += "internal-error"
err2 := regLog.Commit()
if err2 != nil {
return common.InternalError(err2, w, r)
}
return common.InternalError(err, w, r)
}
// Check if this user actually owns this email, if email activation is on, automatically flip their account to active when the email is validated. Validation is also useful for determining whether this user should receive any alerts, etc. via email
if common.Site.EnableEmails {
token, err := common.GenerateSafeString(80)
if err != nil {
return common.InternalError(err, w, r)
}
// TODO: Add an EmailStore and move this there
acc := qgen.Builder.Accumulator()
_, err = acc.Insert("emails").Columns("email, uid, validated, token").Fields("?,?,?,?").Exec(email, uid, 0, token)
if err != nil {
return common.InternalError(err, w, r)
}
if !common.SendValidationEmail(username, email, token) {
return common.LocalError("We were unable to send the email for you to confirm that this email address belongs to you. You may not have access to some functionality until you do so. Please ask an administrator for assistance.", w, r, user)
}
}
session, err := common.Auth.CreateSession(uid)
if err != nil {
return common.InternalError(err, w, r)
}
common.Auth.SetCookies(w, uid, session)
http.Redirect(w, r, "/", http.StatusSeeOther)
return nil
}
func AccountEditCritical(w http.ResponseWriter, r *http.Request, user common.User) common.RouteError {
header, ferr := common.UserCheck(w, r, &user)
if ferr != nil {
return ferr
}
pi := common.Page{"Edit Password", user, header, tList, nil}
if common.RunPreRenderHook("pre_render_account_own_edit_critical", w, r, &user, &pi) {
return nil
}
err := common.Templates.ExecuteTemplate(w, "account_own_edit.html", pi)
if err != nil {
return common.InternalError(err, w, r)
}
return nil
}
func AccountEditCriticalSubmit(w http.ResponseWriter, r *http.Request, user common.User) common.RouteError {
_, ferr := common.SimpleUserCheck(w, r, &user)
if ferr != nil {
return ferr
}
var realPassword, salt string
currentPassword := r.PostFormValue("account-current-password")
newPassword := r.PostFormValue("account-new-password")
confirmPassword := r.PostFormValue("account-confirm-password")
// TODO: Use a reusable statement
acc := qgen.Builder.Accumulator()
err := acc.Select("users").Columns("password, salt").Where("uid = ?").QueryRow(user.ID).Scan(&realPassword, &salt)
if err == sql.ErrNoRows {
return common.LocalError("Your account no longer exists.", w, r, user)
} else if err != nil {
return common.InternalError(err, w, r)
}
err = common.CheckPassword(realPassword, currentPassword, salt)
if err == common.ErrMismatchedHashAndPassword {
return common.LocalError("That's not the correct password.", w, r, user)
} else if err != nil {
return common.InternalError(err, w, r)
}
if newPassword != confirmPassword {
return common.LocalError("The two passwords don't match.", w, r, user)
}
common.SetPassword(user.ID, newPassword)
// Log the user out as a safety precaution
common.Auth.ForceLogout(user.ID)
http.Redirect(w, r, "/", http.StatusSeeOther)
return nil
}
func AccountEditAvatar(w http.ResponseWriter, r *http.Request, user common.User) common.RouteError {
headerVars, ferr := common.UserCheck(w, r, &user)
if ferr != nil {
return ferr
}
pi := common.Page{"Edit Avatar", user, headerVars, tList, nil}
if common.RunPreRenderHook("pre_render_account_own_edit_avatar", w, r, &user, &pi) {
return nil
}
err := common.Templates.ExecuteTemplate(w, "account_own_edit_avatar.html", pi)
if err != nil {
return common.InternalError(err, w, r)
}
return nil
}
func AccountEditAvatarSubmit(w http.ResponseWriter, r *http.Request, user common.User) common.RouteError {
headerVars, ferr := common.UserCheck(w, r, &user)
if ferr != nil {
return ferr
}
var filename, ext string
for _, fheaders := range r.MultipartForm.File {
for _, hdr := range fheaders {
if hdr.Filename == "" {
continue
}
infile, err := hdr.Open()
if err != nil {
return common.LocalError("Upload failed", w, r, user)
}
defer infile.Close()
// We don't want multiple files
// TODO: Check the length of r.MultipartForm.File and error rather than doing this x.x
if filename != "" {
if filename != hdr.Filename {
os.Remove("./uploads/avatar_" + strconv.Itoa(user.ID) + "." + ext)
return common.LocalError("You may only upload one avatar", w, r, user)
}
} else {
filename = hdr.Filename
}
if ext == "" {
extarr := strings.Split(hdr.Filename, ".")
if len(extarr) < 2 {
return common.LocalError("Bad file", w, r, user)
}
ext = extarr[len(extarr)-1]
// TODO: Can we do this without a regex?
reg, err := regexp.Compile("[^A-Za-z0-9]+")
if err != nil {
return common.LocalError("Bad file extension", w, r, user)
}
ext = reg.ReplaceAllString(ext, "")
ext = strings.ToLower(ext)
}
outfile, err := os.Create("./uploads/avatar_" + strconv.Itoa(user.ID) + "." + ext)
if err != nil {
return common.LocalError("Upload failed [File Creation Failed]", w, r, user)
}
defer outfile.Close()
_, err = io.Copy(outfile, infile)
if err != nil {
return common.LocalError("Upload failed [Copy Failed]", w, r, user)
}
}
}
if ext == "" {
return common.LocalError("No file", w, r, user)
}
err := user.ChangeAvatar("." + ext)
if err != nil {
return common.InternalError(err, w, r)
}
user.Avatar = "/uploads/avatar_" + strconv.Itoa(user.ID) + "." + ext
headerVars.NoticeList = append(headerVars.NoticeList, common.GetNoticePhrase("account_avatar_updated"))
pi := common.Page{"Edit Avatar", user, headerVars, tList, nil}
if common.RunPreRenderHook("pre_render_account_own_edit_avatar", w, r, &user, &pi) {
return nil
}
err = common.Templates.ExecuteTemplate(w, "account_own_edit_avatar.html", pi)
if err != nil {
return common.InternalError(err, w, r)
}
return nil
}
func AccountEditUsername(w http.ResponseWriter, r *http.Request, user common.User) common.RouteError {
headerVars, ferr := common.UserCheck(w, r, &user)
if ferr != nil {
return ferr
}
if r.FormValue("updated") == "1" {
headerVars.NoticeList = append(headerVars.NoticeList, common.GetNoticePhrase("account_username_updated"))
}
pi := common.Page{"Edit Username", user, headerVars, tList, user.Name}
if common.RunPreRenderHook("pre_render_account_own_edit_username", w, r, &user, &pi) {
return nil
}
err := common.Templates.ExecuteTemplate(w, "account_own_edit_username.html", pi)
if err != nil {
return common.InternalError(err, w, r)
}
return nil
}
func AccountEditUsernameSubmit(w http.ResponseWriter, r *http.Request, user common.User) common.RouteError {
_, ferr := common.SimpleUserCheck(w, r, &user)
if ferr != nil {
return ferr
}
newUsername := html.EscapeString(strings.Replace(r.PostFormValue("account-new-username"), "\n", "", -1))
err := user.ChangeName(newUsername)
if err != nil {
return common.LocalError("Unable to change the username. Does someone else already have this name?", w, r, user)
}
http.Redirect(w, r, "/user/edit/username/?updated=1", http.StatusSeeOther)
return nil
}