From ef00f9d2033f6de11e71bf3a909399cae6f73a9f Mon Sep 17 00:00:00 2001
From: ArthurHoaro
Date: Wed, 27 May 2020 13:35:48 +0200
Subject: Process password change controller through Slim
---
.../front/controller/admin/PasswordController.php | 100 +++++++++++++++++++++
1 file changed, 100 insertions(+)
create mode 100644 application/front/controller/admin/PasswordController.php
(limited to 'application/front/controller/admin/PasswordController.php')
diff --git a/application/front/controller/admin/PasswordController.php b/application/front/controller/admin/PasswordController.php
new file mode 100644
index 00000000..6e8f0bcb
--- /dev/null
+++ b/application/front/controller/admin/PasswordController.php
@@ -0,0 +1,100 @@
+assignView(
+ 'pagetitle',
+ t('Change password') .' - '. $this->container->conf->get('general.title', 'Shaarli')
+ );
+ }
+
+ /**
+ * GET /password - Displays the change password template
+ */
+ public function index(Request $request, Response $response): Response
+ {
+ return $response->write($this->render('changepassword'));
+ }
+
+ /**
+ * POST /password - Change admin password - existing and new passwords need to be provided.
+ */
+ public function change(Request $request, Response $response): Response
+ {
+ $this->checkToken($request);
+
+ if ($this->container->conf->get('security.open_shaarli', false)) {
+ throw new OpenShaarliPasswordException();
+ }
+
+ $oldPassword = $request->getParam('oldpassword');
+ $newPassword = $request->getParam('setpassword');
+
+ if (empty($newPassword) || empty($oldPassword)) {
+ $this->saveErrorMessage(t('You must provide the current and new password to change it.'));
+
+ return $response
+ ->withStatus(400)
+ ->write($this->render('changepassword'))
+ ;
+ }
+
+ // Make sure old password is correct.
+ $oldHash = sha1(
+ $oldPassword .
+ $this->container->conf->get('credentials.login') .
+ $this->container->conf->get('credentials.salt')
+ );
+
+ if ($oldHash !== $this->container->conf->get('credentials.hash')) {
+ $this->saveErrorMessage(t('The old password is not correct.'));
+
+ return $response
+ ->withStatus(400)
+ ->write($this->render('changepassword'))
+ ;
+ }
+
+ // Save new password
+ // Salt renders rainbow-tables attacks useless.
+ $this->container->conf->set('credentials.salt', sha1(uniqid('', true) .'_'. mt_rand()));
+ $this->container->conf->set(
+ 'credentials.hash',
+ sha1(
+ $newPassword
+ . $this->container->conf->get('credentials.login')
+ . $this->container->conf->get('credentials.salt')
+ )
+ );
+
+ try {
+ $this->container->conf->write($this->container->loginManager->isLoggedIn());
+ } catch (Throwable $e) {
+ throw new ShaarliFrontException($e->getMessage(), 500, $e);
+ }
+
+ $this->saveSuccessMessage(t('Your password has been changed'));
+
+ return $response->write($this->render('changepassword'));
+ }
+}
-- cgit v1.2.3
From 9c75f877935fa6adec951a4d8d32b328aaab314f Mon Sep 17 00:00:00 2001
From: ArthurHoaro
Date: Sat, 13 Jun 2020 13:08:01 +0200
Subject: Use multi-level routes for existing controllers instead of 1 level everywhere
Also prefix most admin routes with /admin/
---
application/front/controller/admin/PasswordController.php | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'application/front/controller/admin/PasswordController.php')
diff --git a/application/front/controller/admin/PasswordController.php b/application/front/controller/admin/PasswordController.php
index 6e8f0bcb..bcce01a6 100644
--- a/application/front/controller/admin/PasswordController.php
+++ b/application/front/controller/admin/PasswordController.php
@@ -29,7 +29,7 @@ class PasswordController extends ShaarliAdminController
 }

 /**
- * GET /password - Displays the change password template
+ * GET /admin/password - Displays the change password template
 */
 public function index(Request $request, Response $response): Response
 {
@@ -37,7 +37,7 @@ class PasswordController extends ShaarliAdminController
 }

 /**
- * POST /password - Change admin password - existing and new passwords need to be provided.
+ * POST /admin/password - Change admin password - existing and new passwords need to be provided.
 */
 public function change(Request $request, Response $response): Response
 {
-- cgit v1.2.3
From 1a8ac737e52cb25a5c346232ee398f5908cee7d7 Mon Sep 17 00:00:00 2001
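Review bot: The old-password check at `if ($oldHash !== $this->container->conf->get('credentials.hash')) {` compares a secret-derived digest with `!==`, which stops at the first differing byte; use `if (!hash_equals((string) $this->container->conf->get('credentials.hash'), $oldHash)) {` instead (the cast guards against a missing config key, which `hash_equals` rejects). The replacement salt on the `credentials.salt` line is built from `uniqid()` and `mt_rand()`, neither of which is a cryptographic source; `bin2hex(random_bytes(20))` yields an unpredictable salt while keeping the stored value a plain string, assuming nothing else parses the salt's format. The `sha1(password . login . salt)` construction itself appears to mirror the existing credential scheme verified at login (not visible in this diff), so moving to `password_hash()` would require changing the login side in the same commit. Note also that this rendering drops the start of the hunk: everything from `<?php` up to `$this->assignView(` is missing, so the `use` block and class header cannot be reviewed here.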
From: ArthurHoaro
Date: Mon, 6 Jul 2020 08:04:35 +0200
Subject: Process main page (linklist) through Slim controller
Including a bunch of improvements on the container, and helper used across new controllers.
---
application/front/controller/admin/PasswordController.php | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
(limited to 'application/front/controller/admin/PasswordController.php')
diff --git a/application/front/controller/admin/PasswordController.php b/application/front/controller/admin/PasswordController.php
index bcce01a6..5ec0d24b 100644
--- a/application/front/controller/admin/PasswordController.php
+++ b/application/front/controller/admin/PasswordController.php
@@ -7,6 +7,7 @@ namespace Shaarli\Front\Controller\Admin;
 use Shaarli\Container\ShaarliContainer;
 use Shaarli\Front\Exception\OpenShaarliPasswordException;
 use Shaarli\Front\Exception\ShaarliFrontException;
+use Shaarli\Render\TemplatePage;
 use Slim\Http\Request;
 use Slim\Http\Response;
 use Throwable;
@@ -33,7 +34,7 @@ class PasswordController extends ShaarliAdminController
 */
 public function index(Request $request, Response $response): Response
 {
- return $response->write($this->render('changepassword'));
+ return $response->write($this->render(TemplatePage::CHANGE_PASSWORD));
 }

 /**
@@ -55,7 +56,7 @@ class PasswordController extends ShaarliAdminController

 return $response
 ->withStatus(400)
- ->write($this->render('changepassword'))
+ ->write($this->render(TemplatePage::CHANGE_PASSWORD))
 ;
 }

@@ -71,7 +72,7 @@ class PasswordController extends ShaarliAdminController

 return $response
 ->withStatus(400)
- ->write($this->render('changepassword'))
+ ->write($this->render(TemplatePage::CHANGE_PASSWORD))
 ;
 }

@@ -95,6 +96,6 @@ class PasswordController extends ShaarliAdminController

 $this->saveSuccessMessage(t('Your password has been changed'));

- return $response->write($this->render('changepassword'));
+ return $response->write($this->render(TemplatePage::CHANGE_PASSWORD));
 }
 }
-- cgit v1.2.3