diff options
Diffstat (limited to 'plugins/UsersManager/Repository/UserRepository.php')
-rw-r--r-- | plugins/UsersManager/Repository/UserRepository.php | 225 |
1 files changed, 225 insertions, 0 deletions
diff --git a/plugins/UsersManager/Repository/UserRepository.php b/plugins/UsersManager/Repository/UserRepository.php new file mode 100644 index 0000000000..51dd49636b --- /dev/null +++ b/plugins/UsersManager/Repository/UserRepository.php @@ -0,0 +1,225 @@ +<?php + +namespace Piwik\Plugins\UsersManager\Repository; + +use Piwik\Auth\Password; +use Piwik\Container\StaticContainer; +use Piwik\Date; +use Piwik\Metrics\Formatter; +use Piwik\Piwik; +use Piwik\Plugins\CoreAdminHome\Emails\UserCreatedEmail; +use Piwik\Plugins\UsersManager\API; +use Piwik\Plugins\UsersManager\Emails\UserInviteEmail; +use Piwik\Plugins\UsersManager\LastSeenTimeLogger; +use Piwik\Plugins\UsersManager\Model; +use Piwik\Plugins\UsersManager\UserAccessFilter; +use Piwik\Plugins\UsersManager\UsersManager; +use Piwik\Plugins\UsersManager\Validators\Email; +use Piwik\Plugins\UsersManager\Validators\Login; +use Piwik\Validators\BaseValidator; +use Piwik\Validators\IdSite; +use Piwik\Plugin; + + +class UserRepository +{ + + protected $model; + + protected $filter; + + protected $password; + + public function __construct(Model $model, UserAccessFilter $filter, Password $password) + { + $this->model = $model; + $this->filter = $filter; + $this->password = $password; + } + + + public function index($userLogin, $pending) + { + Piwik::checkUserHasSuperUserAccessOrIsTheUser($userLogin); + $this->checkUserExists($userLogin); + + $user = $this->model->getUser($userLogin, $pending); + + $user = $this->filter->filterUser($user); + return $this->enrichUser($user); + } + + public function create($userLogin, $email, $initialIdSite, $password = '', $_isPasswordHashed = false) + { + $this->validateAccess(); + if (!Piwik::hasUserSuperUserAccess()) { + if (empty($initialIdSite)) { + throw new \Exception(Piwik::translate("UsersManager_AddUserNoInitialAccessError")); + } + // check if the site exist + BaseValidator::check('siteId', $initialIdSite, [new IdSite()]); + Piwik::checkUserHasAdminAccess($initialIdSite); + } + + //validate info + BaseValidator::check('userLogin', $userLogin, [new Login(true)]); + BaseValidator::check('email', $email, [new Email(true)]); + + if (!empty($password)) { + if (!$_isPasswordHashed) { + $passwordTransformed = UsersManager::getPasswordHash($password); + } else { + $passwordTransformed = $password; + } + $password = $this->password->hash($passwordTransformed); + } + + //insert user into database. + $this->model->addUser($userLogin, $password, $email, Date::now()->getDatetime(), empty($password)); + + /** + * Triggered after a new user is invited. + * + * @param string $userLogin The new user's details handle. + */ + Piwik::postEvent('UsersManager.inviteUser.end', array($userLogin, $email)); + + if ($initialIdSite) { + API::getInstance()->setUserAccess($userLogin, 'view', $initialIdSite); + } + } + + public function sendNewUserEmails($userLogin, $expired = 7, $newUser = true) + { + + //send Admin Email + if ($newUser) { + $mail = StaticContainer::getContainer()->make(UserCreatedEmail::class, array( + 'login' => Piwik::getCurrentUserLogin(), + 'emailAddress' => Piwik::getCurrentUserEmail(), + 'userLogin' => $userLogin, + )); + $mail->safeSend(); + } + + + if (!empty($expired)) { + //retrieve user details + $user = API::getInstance()->getUser($userLogin); + + //remove all previous token + $this->model->deleteAllTokensForUser($userLogin); + + //generate Token + $generatedToken = $this->model->generateRandomTokenAuth(); + + //attach token to user + $this->model->addTokenAuth($userLogin, $generatedToken, "Invite Token", Date::now()->getDatetime(), + Date::now()->addDay($expired)->getDatetime()); + + + // send email + $email = StaticContainer::getContainer()->make(UserInviteEmail::class, array( + 'currentUser' => Piwik::getCurrentUserLogin(), + 'user' => $user, + 'token' => $generatedToken + )); + $email->safeSend(); + } + } + + private function validateAccess() + { + Piwik::checkUserHasSomeAdminAccess(); + UsersManager::dieIfUsersAdminIsDisabled(); + } + + public function enrichUser($user) + { + if (empty($user)) { + return $user; + } + + unset($user['token_auth']); + unset($user['password']); + unset($user['ts_password_modified']); + unset($user['idchange_last_viewed']); + + if ($lastSeen = LastSeenTimeLogger::getLastSeenTimeForUser($user['login'])) { + $user['last_seen'] = Date::getDatetimeFromTimestamp($lastSeen); + } + + if (Piwik::hasUserSuperUserAccess()) { + $user['uses_2fa'] = !empty($user['twofactor_secret']) && $this->isTwoFactorAuthPluginEnabled(); + unset($user['twofactor_secret']); + if (!empty($user['invite_status']) && $user['invite_status'] === 'pending') { + $validToken = $this->model->checkUserHasUnexpiredToken($user['login']); + if (!$validToken) { + $user['invite_status'] = 'expired'; + } + } + if (empty($user['invite_status'])) { + $user['invite_status'] = 'accept'; + } + return $user; + } + + $newUser = array('login' => $user['login']); + + if ($user['login'] === Piwik::getCurrentUserLogin() || !empty($user['superuser_access'])) { + $newUser['email'] = $user['email']; + } + + if (isset($user['role'])) { + $newUser['role'] = $user['role'] == 'superuser' ? 'admin' : $user['role']; + } + if (isset($user['capabilities'])) { + $newUser['capabilities'] = $user['capabilities']; + } + + if (isset($user['superuser_access'])) { + $newUser['superuser_access'] = $user['superuser_access']; + } + + if (isset($user['last_seen'])) { + $newUser['last_seen'] = $user['last_seen']; + } + + return $newUser; + } + + public function enrichUsers($users) + { + if (!empty($users)) { + foreach ($users as $index => $user) { + $users[$index] = $this->enrichUser($user); + } + } + return $users; + } + + public function enrichUsersWithLastSeen($users) + { + $formatter = new Formatter(); + + $lastSeenTimes = LastSeenTimeLogger::getLastSeenTimesForAllUsers(); + foreach ($users as &$user) { + $login = $user['login']; + if (isset($lastSeenTimes[$login])) { + $user['last_seen'] = $formatter->getPrettyTimeFromSeconds(time() - $lastSeenTimes[$login]); + } + } + return $users; + } + + + private function isTwoFactorAuthPluginEnabled() + { + if (!isset($this->twoFaPluginActivated)) { + $this->twoFaPluginActivated = Plugin\Manager::getInstance()->isPluginActivated('TwoFactorAuth'); + } + return $this->twoFaPluginActivated; + } + + +}
\ No newline at end of file |