Spade
Mini Shell
| Directory:~$ /proc/self/root/home/lmsyaran/www/joomla5/libraries/src/User/ |
| [Home] [System Details] [Kill Me] |
<?php
/**
* Joomla! Content Management System
*
* @copyright (C) 2006 Open Source Matters, Inc.
<https://www.joomla.org>
* @license GNU General Public License version 2 or later; see
LICENSE.txt
*/
namespace Joomla\CMS\User;
use Joomla\CMS\Access\Access;
use Joomla\CMS\Event\User\AfterDeleteEvent;
use Joomla\CMS\Event\User\AfterSaveEvent;
use Joomla\CMS\Event\User\BeforeDeleteEvent;
use Joomla\CMS\Event\User\BeforeSaveEvent;
use Joomla\CMS\Factory;
use Joomla\CMS\Language\Text;
use Joomla\CMS\Object\LegacyErrorHandlingTrait;
use Joomla\CMS\Object\LegacyPropertyManagementTrait;
use Joomla\CMS\Plugin\PluginHelper;
use Joomla\CMS\Table\Table;
use Joomla\Registry\Registry;
use Joomla\Utilities\ArrayHelper;
// phpcs:disable PSR1.Files.SideEffects
\defined('_JEXEC') or die;
// phpcs:enable PSR1.Files.SideEffects
/**
* User class. Handles all application interaction with a user
*
* @since 1.7.0
*/
#[\AllowDynamicProperties]
class User
{
use LegacyErrorHandlingTrait;
use LegacyPropertyManagementTrait;
/**
* A cached switch for if this user has root access rights.
*
* @var boolean
* @since 1.7.0
*/
protected $isRoot = null;
/**
* Unique id
*
* @var integer
* @since 1.7.0
*/
public $id = null;
/**
* The user's real name (or nickname)
*
* @var string
* @since 1.7.0
*/
public $name = null;
/**
* The login name
*
* @var string
* @since 1.7.0
*/
public $username = null;
/**
* The email
*
* @var string
* @since 1.7.0
*/
public $email = null;
/**
* MD5 encrypted password
*
* @var string
* @since 1.7.0
*/
public $password = null;
/**
* Clear password, only available when a new password is set for a user
*
* @var string
* @since 1.7.0
*/
public $password_clear = '';
/**
* Block status
*
* @var integer
* @since 1.7.0
*/
public $block = null;
/**
* Should this user receive system email
*
* @var integer
* @since 1.7.0
*/
public $sendEmail = null;
/**
* Date the user was registered
*
* @var string
* @since 1.7.0
*/
public $registerDate = null;
/**
* Date of last visit
*
* @var string
* @since 1.7.0
*/
public $lastvisitDate = null;
/**
* Activation hash
*
* @var string
* @since 1.7.0
*/
public $activation = null;
/**
* User parameters
*
* @var Registry
* @since 1.7.0
*/
public $params = null;
/**
* Associative array of user names => group ids
*
* @var array
* @since 1.7.0
*/
public $groups = [];
/**
* Guest status
*
* @var integer
* @since 1.7.0
*/
public $guest = null;
/**
* Last Reset Time
*
* @var string
* @since 3.0.1
*/
public $lastResetTime = null;
/**
* Count since last Reset Time
*
* @var integer
* @since 3.0.1
*/
public $resetCount = null;
/**
* Flag to require the user's password be reset
*
* @var integer
* @since 3.2
*/
public $requireReset = null;
/**
* The type alias
*
* @var string
* @since 5.0.0
*/
public $typeAlias = null;
/**
* The otp key
*
* @var string
* @since 5.0.0
*/
public $otpKey = null;
/**
* The otp
*
* @var string
* @since 5.0.0
*/
public $otep = null;
/**
* The authentication provider
*
* @var string
* @since 5.0.0
*/
public $authProvider = null;
/**
* User parameters
*
* @var Registry
* @since 1.7.0
*/
protected $_params = null;
/**
* Authorised access groups
*
* @var array
* @since 1.7.0
*/
protected $_authGroups = null;
/**
* Authorised access levels
*
* @var array
* @since 1.7.0
*/
protected $_authLevels = null;
/**
* Authorised access actions
*
* @var array
* @since 1.7.0
*/
protected $_authActions = null;
/**
* Error message
*
* @var string
* @since 1.7.0
*/
protected $_errorMsg = null;
/**
* @var array User instances container.
* @since 1.7.3
*/
protected static $instances = [];
/**
* Constructor activating the default information of the language
*
* @param integer $identifier The primary key of the user to load
(optional).
*
* @since 1.7.0
*/
public function __construct($identifier = 0)
{
// Create the user parameters object
$this->_params = new Registry();
// Load the user if it exists
if (!empty($identifier)) {
$this->load($identifier);
} else {
// Initialise
$this->id = 0;
$this->sendEmail = 0;
$this->guest = 1;
}
}
/**
* Returns the global User object, only creating it if it doesn't
already exist.
*
* @param integer $identifier The primary key of the user to load
(optional).
*
* @return User The User object.
*
* @since 1.7.0
* @deprecated 4.3 will be removed in 6.0
* Load the user service from the dependency injection
container or via $app->getIdentity()
* Example:
Factory::getContainer()->get(UserFactoryInterface::class)->loadUserById($id)
*/
public static function getInstance($identifier = 0)
{
@trigger_error(
sprintf(
'%1$s() is deprecated. Load the user from the
dependency injection container or via
%2$s::getApplication()->getIdentity().',
__METHOD__,
__CLASS__
),
E_USER_DEPRECATED
);
// Find the user id
if (!is_numeric($identifier)) {
return
Factory::getContainer()->get(UserFactoryInterface::class)->loadUserByUsername($identifier);
}
$id = $identifier;
// If the $id is zero, just return an empty User.
// Note: don't cache this user because it'll have a new
ID on save!
if ($id === 0) {
return
Factory::getContainer()->get(UserFactoryInterface::class)->loadUserById($id);
}
// Check if the user ID is already cached.
if (empty(self::$instances[$id])) {
self::$instances[$id] =
Factory::getContainer()->get(UserFactoryInterface::class)->loadUserById($id);
}
return self::$instances[$id];
}
/**
* Method to get a parameter value
*
* @param string $key Parameter key
* @param mixed $default Parameter default value
*
* @return mixed The value or the default if it did not exist
*
* @since 1.7.0
*/
public function getParam($key, $default = null)
{
return $this->_params->get($key, $default);
}
/**
* Method to set a parameter
*
* @param string $key Parameter key
* @param mixed $value Parameter value
*
* @return mixed Set parameter value
*
* @since 1.7.0
*/
public function setParam($key, $value)
{
return $this->_params->set($key, $value);
}
/**
* Method to set a default parameter if it does not exist
*
* @param string $key Parameter key
* @param mixed $value Parameter value
*
* @return mixed Set parameter value
*
* @since 1.7.0
*/
public function defParam($key, $value)
{
return $this->_params->def($key, $value);
}
/**
* Method to check User object authorisation against an access control
* object and optionally an access extension object
*
* @param string $action The name of the action to check for
permission.
* @param string $assetname The name of the asset on which to
perform the action.
*
* @return boolean True if authorised
*
* @since 1.7.0
*/
public function authorise($action, $assetname = null)
{
// Make sure we only check for core.admin once during the run.
if ($this->isRoot === null) {
$this->isRoot = false;
// Check for the configuration file failsafe.
$rootUser =
Factory::getApplication()->get('root_user');
// The root_user variable can be a numeric user ID or a
username.
if (is_numeric($rootUser) && $this->id > 0
&& $this->id == $rootUser) {
$this->isRoot = true;
} elseif ($this->username && $this->username ==
$rootUser) {
$this->isRoot = true;
} elseif ($this->id > 0) {
// Get all groups against which the user is mapped.
$identities = $this->getAuthorisedGroups();
array_unshift($identities, $this->id * -1);
if
(Access::getAssetRules(1)->allow('core.admin', $identities)) {
$this->isRoot = true;
return true;
}
}
}
return $this->isRoot ? true : (bool) Access::check($this->id,
$action, $assetname);
}
/**
* Method to return a list of all categories that a user has permission
for a given action
*
* @param string $component The component from which to retrieve
the categories
* @param string $action The name of the section within the
component from which to retrieve the actions.
*
* @return array List of categories that this group can do this
action to (empty array if none). Categories must be published.
*
* @since 1.7.0
*/
public function getAuthorisedCategories($component, $action)
{
// Brute force method: get all published category rows for the
component and check each one
// @todo: Modify the way permissions are stored in the db to allow
for faster implementation and better scaling
$db = Factory::getDbo();
$subQuery = $db->getQuery(true)
->select($db->quoteName(['id',
'asset_id']))
->from($db->quoteName('#__categories'))
->where(
[
$db->quoteName('extension') . ' =
:component',
$db->quoteName('published') . ' =
1',
]
);
$query = $db->getQuery(true)
->select($db->quoteName(['c.id',
'a.name']))
->from('(' . $subQuery . ') AS ' .
$db->quoteName('c'))
->join('INNER',
$db->quoteName('#__assets', 'a'),
$db->quoteName('c.asset_id') . ' = ' .
$db->quoteName('a.id'))
->bind(':component', $component);
$db->setQuery($query);
$allCategories = $db->loadObjectList('id');
$allowedCategories = [];
foreach ($allCategories as $category) {
if ($this->authorise($action, $category->name)) {
$allowedCategories[] = (int) $category->id;
}
}
return $allowedCategories;
}
/**
* Gets an array of the authorised access levels for the user
*
* @return array
*
* @since 1.7.0
*/
public function getAuthorisedViewLevels()
{
if ($this->_authLevels === null) {
$this->_authLevels = [];
}
if (empty($this->_authLevels)) {
$this->_authLevels =
Access::getAuthorisedViewLevels($this->id);
}
return $this->_authLevels;
}
/**
* Gets an array of the authorised user groups
*
* @return array
*
* @since 1.7.0
*/
public function getAuthorisedGroups()
{
if ($this->_authGroups === null) {
$this->_authGroups = [];
}
if (empty($this->_authGroups)) {
$this->_authGroups = Access::getGroupsByUser($this->id);
}
return $this->_authGroups;
}
/**
* Clears the access rights cache of this user
*
* @return void
*
* @since 3.4.0
*/
public function clearAccessRights()
{
$this->_authLevels = null;
$this->_authGroups = null;
$this->isRoot = null;
Access::clearStatics();
}
/**
* Pass through method to the table for setting the last visit date
*
* @param integer $timestamp The timestamp, defaults to
'now'.
*
* @return boolean True on success.
*
* @since 1.7.0
*/
public function setLastVisit($timestamp = null)
{
// Create the user table object
/** @var \Joomla\CMS\Table\User $table */
$table = $this->getTable();
$table->load($this->id);
return $table->setLastVisit($timestamp);
}
/**
* Method to get the user timezone.
*
* If the user didn't set a timezone, it will return the server
timezone
*
* @return \DateTimeZone
*
* @since 3.7.0
*/
public function getTimezone()
{
$timezone = $this->getParam('timezone',
Factory::getApplication()->get('offset', 'GMT'));
return new \DateTimeZone($timezone);
}
/**
* Method to get the user parameters
*
* @param object $params The user parameters object
*
* @return void
*
* @since 1.7.0
*/
public function setParameters($params)
{
$this->_params = $params;
}
/**
* Method to get the user table object
*
* This function uses a static variable to store the table name of the
user table to
* instantiate. You can call this function statically to set the table
name if
* needed.
*
* @param string $type The user table name to be used
* @param string $prefix The user table prefix to be used
*
* @return Table The user table object
*
* @note At 4.0 this method will no longer be static
* @since 1.7.0
*/
public static function getTable($type = null, $prefix =
'\\Joomla\\CMS\\Table\\')
{
static $tabletype;
// Set the default tabletype;
if (!isset($tabletype)) {
$tabletype['name'] = 'user';
$tabletype['prefix'] =
'\\Joomla\\CMS\\Table\\';
}
// Set a custom table type is defined
if (isset($type)) {
$tabletype['name'] = $type;
$tabletype['prefix'] = $prefix;
}
// Create the user table object
return Table::getInstance($tabletype['name'],
$tabletype['prefix']);
}
/**
* Method to bind an associative array of data to a user object
*
* @param array &$array The associative array to bind to the
object
*
* @return boolean True on success
*
* @since 1.7.0
*/
public function bind(&$array)
{
// Let's check to see if the user is new or not
if (empty($this->id)) {
// Check the password and create the crypted password
if (empty($array['password'])) {
$array['password'] =
UserHelper::genRandomPassword(32);
$array['password2'] =
$array['password'];
}
// Not all controllers check the password, although they
should.
// Hence this code is required:
if (isset($array['password2']) &&
$array['password'] != $array['password2']) {
Factory::getApplication()->enqueueMessage(Text::_('JLIB_USER_ERROR_PASSWORD_NOT_MATCH'),
'error');
return false;
}
$this->password_clear = ArrayHelper::getValue($array,
'password', '', 'string');
$array['password'] =
UserHelper::hashPassword($array['password']);
// Set the registration timestamp
$this->set('registerDate',
Factory::getDate()->toSql());
} else {
// Updating an existing user
if (!empty($array['password'])) {
if ($array['password'] !=
$array['password2']) {
$this->setError(Text::_('JLIB_USER_ERROR_PASSWORD_NOT_MATCH'));
return false;
}
$this->password_clear = ArrayHelper::getValue($array,
'password', '', 'string');
// Check if the user is reusing the current password if
required to reset their password
if ($this->requireReset == 1 &&
UserHelper::verifyPassword($this->password_clear, $this->password)) {
$this->setError(Text::_('JLIB_USER_ERROR_CANNOT_REUSE_PASSWORD'));
return false;
}
$array['password'] =
UserHelper::hashPassword($array['password']);
// Reset the change password flag
$array['requireReset'] = 0;
} else {
$array['password'] = $this->password;
}
// Prevent updating internal fields
unset($array['registerDate']);
unset($array['lastvisitDate']);
unset($array['lastResetTime']);
unset($array['resetCount']);
}
if (\array_key_exists('params', $array)) {
$this->_params->loadArray($array['params']);
if (\is_array($array['params'])) {
$params = (string) $this->_params;
} else {
$params = $array['params'];
}
$this->params = $params;
}
// Bind the array
if (!$this->setProperties($array)) {
$this->setError(Text::_('JLIB_USER_ERROR_BIND_ARRAY'));
return false;
}
// Make sure its an integer
$this->id = (int) $this->id;
return true;
}
/**
* Method to save the User object to the database
*
* @param boolean $updateOnly Save the object only if not a new
user
* Currently only used in the user reset
password method.
*
* @return boolean True on success
*
* @since 1.7.0
* @throws \RuntimeException
*/
public function save($updateOnly = false)
{
// Create the user table object
$table = $this->getTable();
$this->params = (string) $this->_params;
$table->bind($this->getProperties());
// Allow an exception to be thrown.
try {
// Check and store the object.
if (!$table->check()) {
$this->setError($table->getError());
return false;
}
// If user is made a Super Admin group and user is NOT a Super
Admin
// @todo ACL - this needs to be acl checked
$my = Factory::getUser();
// Are we creating a new user
$isNew = empty($this->id);
// If we aren't allowed to create new users return
if ($isNew && $updateOnly) {
return true;
}
// Get the old user
$oldUser = new User($this->id);
// Access Checks
// The only mandatory check is that only Super Admins can
operate on other Super Admin accounts.
// To add additional business rules, use a user plugin and
throw an Exception with onUserBeforeSave.
// Check if I am a Super Admin
$iAmSuperAdmin = $my->authorise('core.admin');
$iAmRehashingSuperadmin = false;
if (($my->id == 0 && !$isNew) &&
$this->id == $oldUser->id &&
$oldUser->authorise('core.admin') &&
$oldUser->password != $this->password) {
$iAmRehashingSuperadmin = true;
}
// Check if we are using a CLI application
$isCli = false;
if (Factory::getApplication()->isCli()) {
$isCli = true;
}
// We are only worried about edits to this account if I am not
a Super Admin.
if ($iAmSuperAdmin != true && $iAmRehashingSuperadmin
!= true && $isCli != true) {
// I am not a Super Admin, and this one is, so fail.
if (!$isNew && Access::check($this->id,
'core.admin')) {
throw new \RuntimeException('User not Super
Administrator');
}
if ($this->groups != null) {
// I am not a Super Admin and I'm trying to make
one.
foreach ($this->groups as $groupId) {
if (Access::checkGroup($groupId,
'core.admin')) {
throw new \RuntimeException('User not
Super Administrator');
}
}
}
}
// Fire the onUserBeforeSave event.
$dispatcher = Factory::getApplication()->getDispatcher();
PluginHelper::importPlugin('user', null, true,
$dispatcher);
$saveEvent = new BeforeSaveEvent('onUserBeforeSave',
[
'subject' => $oldUser->getProperties(),
'isNew' => $isNew,
'data' => $this->getProperties(),
]);
$dispatcher->dispatch('onUserBeforeSave',
$saveEvent);
$result = $saveEvent['result'] ?? [];
if (\in_array(false, $result, true)) {
// Plugin will have to raise its own error or throw an
exception.
return false;
}
// Store the user data in the database
$result = $table->store();
// Set the id for the User object in case we created a new
user.
if (empty($this->id)) {
$this->id = $table->get('id');
}
if ($my->id == $table->id) {
$registry = new Registry($table->params);
$my->setParameters($registry);
}
// Fire the onUserAfterSave event
$dispatcher->dispatch('onUserAfterSave', new
AfterSaveEvent('onUserAfterSave', [
'subject' => $this->getProperties(),
'isNew' => $isNew,
'savingResult' => $result,
'errorMessage' => $this->getError() ??
'',
]));
} catch (\Exception $e) {
$this->setError($e->getMessage());
return false;
}
return $result;
}
/**
* Method to delete the User object from the database
*
* @return boolean True on success
*
* @since 1.7.0
*/
public function delete()
{
$dispatcher = Factory::getApplication()->getDispatcher();
PluginHelper::importPlugin('user', null, true,
$dispatcher);
// Trigger the onUserBeforeDelete event
$dispatcher->dispatch('onUserBeforeDelete', new
BeforeDeleteEvent('onUserBeforeDelete', [
'subject' => $this->getProperties(),
]));
// Create the user table object
$table = $this->getTable();
if (!$result = $table->delete($this->id)) {
$this->setError($table->getError());
}
// Trigger the onUserAfterDelete event
$dispatcher->dispatch('onUserAfterDelete', new
AfterDeleteEvent('onUserAfterDelete', [
'subject' => $this->getProperties(),
'deletingResult' => $result,
'errorMessage' => $this->getError() ??
'',
]));
return $result;
}
/**
* Method to load a User object by user id number
*
* @param mixed $id The user id of the user to load
*
* @return boolean True on success
*
* @since 1.7.0
*/
public function load($id)
{
// Create the user table object
$table = $this->getTable();
// Load the UserModel object based on the user id or throw a
warning.
if (!$table->load($id)) {
// Reset to guest user
$this->guest = 1;
return false;
}
/*
* Set the user parameters using the default XML file. We might
want to
* extend this in the future to allow for the ability to have
custom
* user parameters, but for right now we'll leave it how it
is.
*/
if ($table->params) {
$this->_params->loadString($table->params);
}
// Assuming all is well at this point let's bind the data
$this->setProperties($table->getProperties());
// The user is no longer a guest
if ($this->id != 0) {
$this->guest = 0;
} else {
$this->guest = 1;
}
return true;
}
/**
* Method to allow serialize the object with minimal properties.
*
* @return array The names of the properties to include in
serialization.
*
* @since 3.6.0
*/
public function __sleep()
{
return ['id'];
}
/**
* Method to recover the full object on unserialize.
*
* @return void
*
* @since 3.6.0
*/
public function __wakeup()
{
// Initialise some variables
$this->_params = new Registry();
// Load the user if it exists
if (!empty($this->id) && $this->load($this->id)) {
// Push user into cached instances.
self::$instances[$this->id] = $this;
} else {
// Initialise
$this->id = 0;
$this->sendEmail = 0;
$this->guest = 1;
}
}
}