aboutsummaryrefslogtreecommitdiff
path: root/mod/uservalidationbyemail/start.php
blob: 4596fd7d6e1c22439fa9a3cf4a61267a25481562 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
<?php
/**
 * Email user validation plugin.
 * Non-admin accounts are invalid until their email address is confirmed.
 *
 * @package Elgg.Core.Plugin
 * @subpackage UserValidationByEmail
 */

function uservalidationbyemail_init() {
	global $CONFIG;

	require_once dirname(__FILE__) . '/lib/functions.php';

	// Register page handler to validate users
	// This doesn't need to be an action because security is handled by the validation codes.
	register_page_handler('uservalidationbyemail', 'uservalidationbyemail_page_handler');

	// mark users as unvalidated and disable when they register
	register_plugin_hook('register', 'user', 'uservalidationbyemail_disable_new_user');

	// canEdit override to allow not logged in code to disable a user
	register_plugin_hook('permissions_check', 'user', 'uservalidationbyemail_allow_new_user_can_edit');

	// prevent users from logging in if they aren't validated
	register_plugin_hook('action', 'login', 'uservalidationbyemail_check_login_attempt');

	// when requesting a new password
	register_plugin_hook('action', 'user/requestnewpassword', 'uservalidationbyemail_check_request_password');

	// prevent the engine from logging in users via login()
	register_elgg_event_handler('login', 'user', 'uservalidationbyemail_check_manual_login');

	// make admin users always validated
	register_elgg_event_handler('make_admin', 'user', 'uservalidationbyemail_validate_new_admin_user');

	// register Walled Garden public pages
	register_plugin_hook('public_pages', 'walled_garden', 'uservalidationbyemail_public_pages');

	// admin interface to manually validate users
	elgg_add_admin_submenu_item('unvalidated', elgg_echo('uservalidationbyemail:admin:unvalidated'), 'users');

	$action_path = dirname(__FILE__) . '/actions';

	register_action('uservalidationbyemail/validate', FALSE, "$action_path/validate.php", TRUE);
	register_action('uservalidationbyemail/resend_validation', FALSE, "$action_path/resend_validation.php", TRUE);
	register_action('uservalidationbyemail/delete', FALSE, "$action_path/delete.php", TRUE);
	register_action('uservalidationbyemail/bulk_action', FALSE, "$action_path/bulk_action.php", TRUE);
}

/**
 * Disables a user upon registration.
 *
 * @param unknown_type $hook
 * @param unknown_type $type
 * @param unknown_type $value
 * @param unknown_type $params
 */
function uservalidationbyemail_disable_new_user($hook, $type, $value, $params) {
	$user = elgg_get_array_value('user', $params);

	// no clue what's going on, so don't react.
	if (!$user instanceof ElggUser) {
		return NULL;
	}

	// disable user to prevent showing up on the site
	// set context to our canEdit() override works
	$context = get_context();
	set_context('uservalidationbyemail_new_user');
	$hidden_entities = access_get_show_hidden_status();
	access_show_hidden_entities(TRUE);

	// Don't do a recursive disable.  Any entities owned by the user at this point
	// are products of plugins that hook into create user and might need
	// access to the entities.
	// @todo That ^ sounds like a specific case...would be nice to track it down...
	$user->disable('uservalidationbyemail_new_user', FALSE);

	// set user as unvalidated and send out validation email
	uservalidationbyemail_set_user_validation_status($user->guid, FALSE);
	uservalidationbyemail_request_validation($user->guid);

	set_context($context);
	access_show_hidden_entities($hidden_entities);

	return TRUE;
}

/**
 * Override the canEdit() call for if we're in the context of registering a new user.
 *
 */
function uservalidationbyemail_allow_new_user_can_edit($hook, $type, $value, $params) {
	// $params['user'] is the user to check permissions for.
	// we want the entity to check, which is a user.
	$user = elgg_get_array_value('entity', $params);

	if (!($user instanceof ElggUser)) {
		return NULL;
	}

	$context = get_context();
	if ($context == 'uservalidationbyemail_new_user' || $context = 'uservalidationbyemail_validate_user') {
		return TRUE;
	}

	return NULL;
}

/**
 * Checks if a login failed because the user hasn't validated his account.
 *
 * @param unknown_type $hook
 * @param unknown_type $type
 * @param unknown_type $value
 * @param unknown_type $params
 */
function uservalidationbyemail_check_login_attempt($hook, $type, $value, $params) {
	// everything is only stored in the input at this point
	$username = get_input('username');
	$password = get_input("password");

	if (empty($username) || empty($password)) {
		// return true to let the original login action deal with it.
		return TRUE;
	}

	// see if we need to resolve an email address to a username
	if (strpos($username, '@') !== FALSE && ($users = get_user_by_email($username))) {
		$username = $users[0]->username;
	}

	// See the users exists and isn't validated
	$access_status = access_get_show_hidden_status();
	access_show_hidden_entities(TRUE);

	$user = get_user_by_username($username);

	// only resend validation if the password is correct
	if ($user && authenticate($username, $password) && !$user->validated) {
		// show an error and resend validation email
		uservalidationbyemail_request_validation($user->guid);
		// halt action
		$value = FALSE;
	}

	access_show_hidden_entities($access_status);

	return $value;
}

/**
 * Checks sent passed validation code and user guids and validates the user.
 *
 * @param array $page
 */
function uservalidationbyemail_page_handler($page) {
	global $CONFIG;

	if (isset($page[0]) && $page[0] == 'confirm') {
		$code = sanitise_string(get_input('c', FALSE));
		$user_guid = get_input('u', FALSE);

		// new users are not enabled by default.
		$access_status = access_get_show_hidden_status();
		access_show_hidden_entities(true);

		$user = get_entity($user_guid);

		if (($code) && ($user)) {
			if (uservalidationbyemail_validate_email($user_guid, $code)) {

				$context = get_context();
				set_context('uservalidationbyemail_validate_user');

				system_message(elgg_echo('email:confirm:success'));

				$user = get_entity($user_guid);
				$user->enable();

				set_context($context);
				login($user);
			} else {
				register_error(elgg_echo('email:confirm:fail'));
			}
		} else {
			register_error(elgg_echo('email:confirm:fail'));
		}

		access_show_hidden_entities($access_status);
	} else {
		register_error(elgg_echo('email:confirm:fail'));
	}

	forward();
}

/**
 * Make sure any admin users are automatically validated
 *
 * @param unknown_type $event
 * @param unknown_type $type
 * @param unknown_type $object
 */
function uservalidationbyemail_validate_new_admin_user($event, $type, $user) {
	if ($user instanceof ElggUser && !$user->validated) {
		uservalidationbyemail_set_user_validation_status($user->guid, TRUE, 'admin_user');
	}

	return TRUE;
}

/**
 * Registers public pages to allow in the case Private Network has been enabled.
 */
function uservalidationbyemail_public_pages($hook, $type, $return_value, $params) {
	$return_value[] = 'pg/uservalidationbyemail/confirm';
	return $return_value;
}

/**
 * Prevent a manual code login with login().
 *
 * @param unknown_type $event
 * @param unknown_type $type
 * @param unknown_type $user
 */
function uservalidationbyemail_check_manual_login($event, $type, $user) {
	$access_status = access_get_show_hidden_status();
	access_show_hidden_entities(TRUE);

	// @todo register_error()?
	$return = ($user instanceof ElggUser && !$user->isEnabled() && !$user->validated) ? FALSE : NULL;

	access_show_hidden_entities($access_status);

	return $return;
}

/**
 * Deny requests to change password if the account isn't validated.
 *
 * @todo This is needed because changing the password requires the entity to be enabled.
 *
 * @param unknown_type $hook
 * @param unknown_type $type
 * @param unknown_type $value
 * @param unknown_type $params
 */
function uservalidationbyemail_check_request_password($hook, $type, $value, $params) {
	$username = get_input('username');

	// see if we need to resolve an email address to a username
	if (strpos($username, '@') !== FALSE && ($users = get_user_by_email($username))) {
		$username = $users[0]->username;
	}

	// See the users exists and isn't validated
	$access_status = access_get_show_hidden_status();
	access_show_hidden_entities(TRUE);

	$user = get_user_by_username($username);

	// resend validation instead of resetting password
	if ($user && !$user->validated) {
		uservalidationbyemail_request_validation($user->guid);
		$value = FALSE;
	}

	access_show_hidden_entities($access_status);

	return $value;
}

register_elgg_event_handler('init', 'system', 'uservalidationbyemail_init');