diff options
Diffstat (limited to 'src/index.php')
| -rw-r--r-- | src/index.php | 159 | 
1 files changed, 112 insertions, 47 deletions
| diff --git a/src/index.php b/src/index.php index c75d112..de46204 100644 --- a/src/index.php +++ b/src/index.php @@ -12,6 +12,9 @@ use mystic\forum\orm\UserPermissions;  use mystic\forum\utils\FileUtils;  use mystic\forum\utils\RequestUtils;  use mystic\forum\utils\ValidationUtils; +use Symfony\Component\Mailer\Transport; +use Symfony\Component\Mime\Address; +use Symfony\Component\Mime\Email;  header_remove("X-Powered-By"); @@ -122,12 +125,15 @@ function env(string $key): ?string {  require_once __DIR__ . "/vendor/autoload.php"; +require_once __DIR__ . "/application/i18n.php"; +i18n_locale("de"); +  $db = null;  try {      $db = new Database(Database::getConnectionString("db", getenv("POSTGRES_USER"), getenv("POSTGRES_PASSWORD"), getenv("POSTGRES_DBNAME")));  } catch (DatabaseConnectionException $ex) {      Messaging::error([ -        Messaging::bold("Failed to connect to database!"), +        Messaging::bold(__("Failed to connect to database!")),          Messaging::italic($ex->getMessage()),      ]);      exit; @@ -175,7 +181,7 @@ $GLOBALS["currentUser"] = &$currentUser;  if ($_action === "auth") {      if ($currentUser) { -        header("Location: " . $_GET["next"] ?? "."); +        header("Location: " . ($_GET["next"] ?? "."));          exit;      } @@ -186,17 +192,17 @@ if ($_action === "auth") {          $user = new User();          $user->name = $username;          if (!$db->fetchWhere($user, "name") || !password_verify($password, $user->passwordHash)) { -            RequestUtils::triggerFormError("Username or password incorrect!"); +            RequestUtils::triggerFormError(__("Username or password incorrect!"));          }          if (!$user->activated) { -            RequestUtils::triggerFormError("Please activate your user account first!"); +            RequestUtils::triggerFormError(__("Please activate your user account first!"));          }          RequestUtils::setAuthorizedUser($user); -        header("Location: " . $_GET["next"] ?? "."); +        header("Location: " . ($_GET["next"] ?? "."));      } else { -        _view("template_start", ["_title" => "Log in"]); +        _view("template_start", ["_title" => __("Log in")]);          _view("template_navigation_start");          _view("template_navigation", ["user" => RequestUtils::getAuthorizedUser($db)]);          _view("template_navigation_end"); @@ -205,19 +211,19 @@ if ($_action === "auth") {      }  } elseif ($_action === "register") {      if ($currentUser) { -        header("Location: " . $_GET["next"] ?? "."); +        header("Location: " . ($_GET["next"] ?? "."));          exit;      }      if (!REGISTRATION_ENABLED) {          http_response_code(403); -        Messaging::error("Public registration disabled"); +        Messaging::error(__("Public registration disabled"));          exit;      }      if (RequestUtils::isRequestMethod("POST")) {          $doNotFill = $_POST["username"] ?? null; -        if ($doNotFill !== null) { +        if (!empty($doNotFill)) {              sleep(10);              http_response_code(204);              exit; @@ -229,27 +235,27 @@ if ($_action === "auth") {          $displayName = RequestUtils::getRequiredField("display_name");          $captcha = RequestUtils::getRequiredField("captcha"); -        if ($captcha !== $_SESSION["captchaPhrase"]) { -            RequestUtils::triggerFormError("Incorrect CAPTCHA text!"); +        if ($captcha !== ($_SESSION["captchaPhrase"] ?? null)) { +            RequestUtils::triggerFormError(__("Incorrect CAPTCHA text!"));          }          // usernames are always lowercase          $username = strtolower($username);          if ($password !== $passwordRetype) { -            RequestUtils::triggerFormError("Passwords do not match!"); +            RequestUtils::triggerFormError(__("Passwords do not match!"));          }          if (strlen($password) < 8) { -            RequestUtils::triggerFormError("Password too short! Your password must consist of 8 or more characters"); +            RequestUtils::triggerFormError(__("Password too short! Your password must consist of 8 or more characters"));          }          if (!ValidationUtils::isUsernameValid($username)) { -            RequestUtils::triggerFormError("Username has an invalid format"); +            RequestUtils::triggerFormError(__("Username has an invalid format"));          }          if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) { -            RequestUtils::triggerFormError("Invalid email address"); +            RequestUtils::triggerFormError(__("Invalid email address"));          }          $user = new User(); @@ -257,11 +263,11 @@ if ($_action === "auth") {          $user->email = $email;          if ($db->fetchWhere($user, "name")) { -            RequestUtils::triggerFormError("This username is already taken!"); +            RequestUtils::triggerFormError(__("This username is already taken!"));          }          if ($db->fetchWhere($user, "email")) { -            RequestUtils::triggerFormError("This email address is already in use!"); +            RequestUtils::triggerFormError(__("This email address is already in use!"));          }          // re-create user so we don't forget to clear properties set by the above queries @@ -278,26 +284,85 @@ if ($_action === "auth") {          $user->activationToken = $db->generateId(12);          $user->created = new \DateTimeImmutable(); -        // TODO Send verification email +        Transport::fromDsn(env("MAILER_DSN"))->send( +            (new Email()) +                ->from(env("MAILER_FROM")) +                ->to(new Address($email, $displayName)) +                ->text(__( +                    "Welcome to %forum_title%, %user_display_name%!\n" . +                    "\n" . +                    "Please activate your account by clicking the link below:\n" . +                    "%activation_link%\n" . +                    "\n" . +                    "Kind regards,\n" . +                    "%forum_copyright%", +                    params: [ +                        "forum_title" => (env("MYSTIC_FORUM_TITLE") ?? "Forum"), +                        "user_display_name" => $displayName, +                        "activation_link" => env("PUBLIC_URL") . "?_action=verifyemail&token=" . urlencode($user->activationToken) . "&sig=" . urlencode(base64_encode(hash("sha256", env("SECRET") . $user->activationToken . $user->id, true))), +                        "forum_copyright" => (env("MYSTIC_FORUM_COPYRIGHT") ?? env("MYSTIC_FORUM_TITLE") ?? "Forum") +                    ] +                )) +                ->subject("Please activate your account") +        );          $db->insert($user); -        Messaging::info([ -            "Your account has been created!", -            //"Please check your emails for an activation link!", -            Messaging::html('<p>Please click <a href="?_action=auth">here</a> to log in!</p>'), -        ]); +        Messaging::info( +            Messaging::html(nl2br(htmlentities(__("Your account has been created!\nPlease check your emails for an activation link!"), true))) +        );      } else { -        _view("template_start", ["_title" => "Register"]); +        _view("template_start", ["_title" => __("Register")]);          _view("template_navigation_start");          _view("template_navigation", ["user" => RequestUtils::getAuthorizedUser($db)]);          _view("template_navigation_end");          _view("form_register");          _view("template_end");      } +} elseif ($_action === "verifyemail") { +    RequestUtils::ensureRequestMethod("GET"); +    $token = $_GET["token"] ?? throw new Exception("Missing token"); +    $sig = $_GET["sig"] ?? throw new Exception("Missing signature"); + +    $user = new User(); +    $user->activated = false; +    $user->activationToken = $token; + +    if (!$db->fetchWhere($user, [ "activated", "activation_token" ])) { +        http_response_code(400); +        Messaging::error(__("Invalid token")); +        exit; +    } + +    $expectedSignature = base64_encode(hash("sha256", env("SECRET") . $user->activationToken . $user->id, true)); +     +    if ($expectedSignature !== $sig) { +        http_response_code(400); +        Messaging::error(__("Invalid signature.")); +        exit; +    } + +    $user->activated = true; +    $user->activationToken = ""; + +    if (!$db->update($user)) { +        http_response_code(400); +        Messaging::error(__("Failed to update user")); +        exit; +    } + +    Messaging::info([ +        Messaging::html(nl2br(__( +                "Your account has been activated!\nPlease click %link%here%/link% to log in!", +                [ +                    "link" => '<a href="?_action=auth">', +                    "/link" => '</a>', +                ] +        )), true), +    ]);  } elseif ($_action === "logout") {      RequestUtils::unsetAuthorizedUser(); -    header("Location: " . $_GET["next"] ?? "."); +    header("Location: " . ($_GET["next"] ?? "."));  } elseif ($_action === "viewtopic") {      $topicId = $_GET["topic"] ?? throw new Exception("Missing topic id");      $topic = new Topic(); @@ -318,19 +383,19 @@ if ($_action === "auth") {          $attachments = reArrayFiles($_FILES["files"]);          if (count($attachments) > MAX_ATTACHMENT_COUNT) -            RequestUtils::triggerFormError("Too many attachments"); +            RequestUtils::triggerFormError(__("Too many attachments"));          // check all attachments before saving one          foreach ($attachments as $att) {              if ($att["size"] > MAX_ATTACHMENT_SIZE) { -                RequestUtils::triggerFormError("Individual file size exceeded"); +                RequestUtils::triggerFormError(__("Individual file size exceeded"));              }          }          $message = trim(RequestUtils::getRequiredField("message"));          if (strlen($message) < 1 || strlen($message) > 0x8000) { -            RequestUtils::triggerFormError("Message too short or too long!"); +            RequestUtils::triggerFormError(__("Message too short or too long!"));          }          $post = new Post(); @@ -425,21 +490,21 @@ if ($_action === "auth") {          $attachments = reArrayFiles($_FILES["files"]);          if (count($attachments) > MAX_ATTACHMENT_COUNT) -            RequestUtils::triggerFormError("Too many attachments"); +            RequestUtils::triggerFormError(__("Too many attachments"));          // check all attachments before saving one          foreach ($attachments as $att) {              if ($att["size"] > MAX_ATTACHMENT_SIZE) { -                RequestUtils::triggerFormError("Individual file size exceeded"); +                RequestUtils::triggerFormError(__("Individual file size exceeded"));              }          }          if (strlen($title) < 1 || strlen($title) > 255) { -            RequestUtils::triggerFormError("Title too short or too long!"); +            RequestUtils::triggerFormError(__("Title too short or too long!"));          }          if (strlen($message) < 1 || strlen($message) > 0x8000) { -            RequestUtils::triggerFormError("Message too short or too long!"); +            RequestUtils::triggerFormError(__("Message too short or too long!"));          }          $topic = new Topic(); @@ -479,7 +544,7 @@ if ($_action === "auth") {          header("Location: ?_action=viewtopic&topic=" . urlencode($topic->id));      } else { -        _view("template_start", ["_title" => "New topic"]); +        _view("template_start", ["_title" => __("New topic")]);          _view("template_navigation_start");          _view("template_navigation", ["user" => RequestUtils::getAuthorizedUser($db)]);          _view("template_navigation_end"); @@ -495,7 +560,7 @@ if ($_action === "auth") {      if (!$db->fetchWhere($user, "name")) {          http_response_code(404); -        Messaging::error("No user with name @$userHandle"); +        Messaging::error(__("No user with name @%user_handle%", [ "user_handle" => $userHandle ]));          exit;      } @@ -506,7 +571,7 @@ if ($_action === "auth") {      $user->id = $userId;      if (!$db->fetch($user)) {          http_response_code(404); -        Messaging::error("No user exists with this id"); +        Messaging::error(__("No user exists with this id"));          exit;      } @@ -531,12 +596,12 @@ if ($_action === "auth") {          if ($userName !== $user->name) {              if ($lastNameChangeTooRecent) { -                RequestUtils::triggerFormError("You can only change your username every 30 days!"); +                RequestUtils::triggerFormError(__("You can only change your username every 30 days!"));              } else {                  if (!ValidationUtils::isUsernameValid($userName)) -                    RequestUtils::triggerFormError("Invalid username!"); +                    RequestUtils::triggerFormError(__("Invalid username!"));                  if (!ValidationUtils::isUsernameAvailable($db, $userName)) -                    RequestUtils::triggerFormError("This username is already taken!"); +                    RequestUtils::triggerFormError(__("This username is already taken!"));                  $user->name = $userName;                  $user->nameLastChanged = new DateTimeImmutable();              } @@ -551,13 +616,13 @@ if ($_action === "auth") {                  break;              case "replace": {                  if (!isset($_FILES["pfp"]) || $_FILES["pfp"]["error"] !== UPLOAD_ERR_OK) { -                    RequestUtils::triggerFormError("Please upload an image to change your profile picture"); +                    RequestUtils::triggerFormError(__("Please upload an image to change your profile picture"));                  }                  $im = @imagecreatefromjpeg($_FILES["pfp"]["tmp_name"]);                  if ($im === false)                      $im = @imagecreatefrompng($_FILES["pfp"]["tmp_name"]);                  if ($im === false) -                    RequestUtils::triggerFormError("Please upload a valid PNG or JPEG file"); +                    RequestUtils::triggerFormError(__("Please upload a valid PNG or JPEG file"));                  /** @var \GdImage $im */                  $thumb = imagecreatetruecolor(64, 64);                  imagecopyresampled($thumb, $im, 0, 0, 0, 0, 64, 64, imagesx($im), imagesy($im)); @@ -575,7 +640,7 @@ if ($_action === "auth") {          }          if (!$db->update($user)) -            RequestUtils::triggerFormError("Failed to save changes"); +            RequestUtils::triggerFormError(__("Failed to save changes", context: "Update profile"));          header("Location: $_SERVER[REQUEST_URI]");      } else { @@ -605,7 +670,7 @@ if ($_action === "auth") {  } elseif ($_action === "attachment") {      if (!$currentUser) {          http_response_code(403); -        Messaging::error("You must be logged in to view attachments"); +        Messaging::error(__("You must be logged in to view attachments"));          exit;      } @@ -614,7 +679,7 @@ if ($_action === "auth") {      $attachment->id = $attId;      if (!$db->fetch($attachment)) {          http_response_code(404); -        Messaging::error("No attachment exists with this id"); +        Messaging::error(__("No attachment exists with this id"));          exit;      } @@ -645,7 +710,7 @@ if ($_action === "auth") {      $user->id = $userId;      if (!$db->fetch($user)) {          http_response_code(404); -        Messaging::error("No user exists with this id"); +        Messaging::error(__("No user exists with this id"));          exit;      } @@ -682,13 +747,13 @@ if ($_action === "auth") {      $attachment->id = $attId;      if (!$db->fetch($attachment)) {          http_response_code(404); -        Messaging::error("No attachment exists with this id"); +        Messaging::error(__("No attachment exists with this id"));          exit;      }      if (!str_starts_with($attachment->mimeType, "image/")) {          http_response_code(400); -        Messaging::error("Attachment is not an image"); +        Messaging::error(__("Attachment is not an image"));          exit;      } @@ -805,7 +870,7 @@ if ($_action === "auth") {          header("Location: ?_action=viewtopic&topic=" . urlencode($post->topicId));      } else { -        _view("template_start", ["_title" => "Delete post"]); +        _view("template_start", ["_title" => __("Delete post")]);          _view("template_navigation_start");          _view("template_navigation", ["user" => RequestUtils::getAuthorizedUser($db)]);          _view("template_navigation_end"); |