|
1
|
|
|
<?php |
|
2
|
|
|
/** |
|
3
|
|
|
* BEdita, API-first content management framework |
|
4
|
|
|
* Copyright 2019 ChannelWeb Srl, Chialab Srl |
|
5
|
|
|
* |
|
6
|
|
|
* This file is part of BEdita: you can redistribute it and/or modify |
|
7
|
|
|
* it under the terms of the GNU Lesser General Public License as published |
|
8
|
|
|
* by the Free Software Foundation, either version 3 of the License, or |
|
9
|
|
|
* (at your option) any later version. |
|
10
|
|
|
* |
|
11
|
|
|
* See LICENSE.LGPL or <http://gnu.org/licenses/lgpl-3.0.html> for more details. |
|
12
|
|
|
*/ |
|
13
|
|
|
|
|
14
|
|
|
namespace BEdita\Core\Model\Action; |
|
15
|
|
|
|
|
16
|
|
|
use BEdita\Core\Model\Entity\AsyncJob; |
|
17
|
|
|
use BEdita\Core\Model\Entity\User; |
|
18
|
|
|
use BEdita\Core\Model\Table\RolesTable; |
|
19
|
|
|
use BEdita\Core\Model\Validation\Validation; |
|
20
|
|
|
use BEdita\Core\Utility\LoggedUser; |
|
21
|
|
|
use Cake\Core\Configure; |
|
22
|
|
|
use Cake\Event\Event; |
|
23
|
|
|
use Cake\Event\EventDispatcherTrait; |
|
24
|
|
|
use Cake\Event\EventListenerInterface; |
|
25
|
|
|
use Cake\Http\Client; |
|
26
|
|
|
use Cake\I18n\Time; |
|
27
|
|
|
use Cake\Mailer\MailerAwareTrait; |
|
28
|
|
|
use Cake\Network\Exception\BadRequestException; |
|
29
|
|
|
use Cake\Network\Exception\UnauthorizedException; |
|
30
|
|
|
use Cake\ORM\TableRegistry; |
|
31
|
|
|
use Cake\Routing\Router; |
|
32
|
|
|
use Cake\Utility\Hash; |
|
33
|
|
|
use Cake\Validation\Validator; |
|
34
|
|
|
|
|
35
|
|
|
/** |
|
36
|
|
|
* Command to signup a user. |
|
37
|
|
|
* |
|
38
|
|
|
* @since 4.0.0 |
|
39
|
|
|
*/ |
|
40
|
|
|
class SignupUserAction extends BaseAction implements EventListenerInterface |
|
41
|
|
|
{ |
|
42
|
|
|
|
|
43
|
|
|
use EventDispatcherTrait; |
|
44
|
|
|
use MailerAwareTrait; |
|
45
|
|
|
|
|
46
|
|
|
/** |
|
47
|
|
|
* 400 Username already registered |
|
48
|
|
|
* |
|
49
|
|
|
* @var string |
|
50
|
|
|
*/ |
|
51
|
|
|
const BE_USER_EXISTS = 'be_user_exists'; |
|
52
|
|
|
|
|
53
|
|
|
/** |
|
54
|
|
|
* The UsersTable table |
|
55
|
|
|
* |
|
56
|
|
|
* @var \BEdita\Core\Model\Table\UsersTable |
|
57
|
|
|
*/ |
|
58
|
|
|
protected $Users; |
|
59
|
|
|
|
|
60
|
|
|
/** |
|
61
|
|
|
* The AsyncJobs table |
|
62
|
|
|
* |
|
63
|
|
|
* @var \BEdita\Core\Model\Table\AsyncJobsTable |
|
64
|
|
|
*/ |
|
65
|
|
|
protected $AsyncJobs; |
|
66
|
|
|
|
|
67
|
|
|
/** |
|
68
|
|
|
* The RolesTable table |
|
69
|
|
|
* |
|
70
|
|
|
* @var \BEdita\Core\Model\Table\RolesTable |
|
71
|
|
|
*/ |
|
72
|
|
|
protected $Roles; |
|
73
|
|
|
|
|
74
|
|
|
/** |
|
75
|
|
|
* {@inheritdoc} |
|
76
|
|
|
*/ |
|
77
|
|
|
protected function initialize(array $config) |
|
78
|
|
|
{ |
|
79
|
|
|
$this->Users = TableRegistry::get('Users'); |
|
80
|
|
|
$this->AsyncJobs = TableRegistry::get('AsyncJobs'); |
|
81
|
|
|
$this->Roles = TableRegistry::get('Roles'); |
|
82
|
|
|
|
|
83
|
|
|
$this->getEventManager()->on($this); |
|
84
|
|
|
} |
|
85
|
|
|
|
|
86
|
|
|
/** |
|
87
|
|
|
* {@inheritDoc} |
|
88
|
|
|
* |
|
89
|
|
|
* @return \BEdita\Core\Model\Entity\User |
|
90
|
|
|
* @throws \Cake\Network\Exception\BadRequestException When validation of URL options fails |
|
91
|
|
|
* @throws \Cake\Network\Exception\UnauthorizedException Upon external authorization check failure. |
|
92
|
|
|
*/ |
|
93
|
|
|
public function execute(array $data = []) |
|
94
|
|
|
{ |
|
95
|
|
|
$data = $this->normalizeInput($data); |
|
96
|
|
|
// add activation url from config if not set |
|
97
|
|
|
if (Configure::check('Signup.activationUrl') && empty($data['data']['activation_url'])) { |
|
98
|
|
|
$data['data']['activation_url'] = Router::url(Configure::read('Signup.activationUrl')); |
|
99
|
|
|
} |
|
100
|
|
|
$errors = $this->validate($data['data']); |
|
101
|
|
|
if (!empty($errors)) { |
|
102
|
|
|
throw new BadRequestException([ |
|
|
|
|
|
|
103
|
|
|
'title' => __d('bedita', 'Invalid data'), |
|
104
|
|
|
'detail' => $errors, |
|
105
|
|
|
]); |
|
106
|
|
|
} |
|
107
|
|
|
|
|
108
|
|
|
// operations are not in transaction because AsyncJobs could use a different connection |
|
109
|
|
|
$user = $this->createUser($data['data']); |
|
110
|
|
|
try { |
|
111
|
|
|
// add roles to user, with validity check |
|
112
|
|
|
$this->addRoles($user, $data['data']); |
|
|
|
|
|
|
113
|
|
|
|
|
114
|
|
|
if (empty($data['data']['auth_provider'])) { |
|
115
|
|
|
$job = $this->createSignupJob($user); |
|
|
|
|
|
|
116
|
|
|
$activationUrl = $this->getActivationUrl($job, $data['data']); |
|
117
|
|
|
|
|
118
|
|
|
$this->dispatchEvent('Auth.signup', [$user, $job, $activationUrl], $this->Users); |
|
119
|
|
|
} else { |
|
120
|
|
|
$this->dispatchEvent('Auth.signupActivation', [$user], $this->Users); |
|
121
|
|
|
} |
|
122
|
|
|
} catch (\Exception $e) { |
|
123
|
|
|
// if async job or send mail fail remove user created and re-throw the exception |
|
124
|
|
|
$this->Users->delete($user); |
|
|
|
|
|
|
125
|
|
|
|
|
126
|
|
|
throw $e; |
|
127
|
|
|
} |
|
128
|
|
|
|
|
129
|
|
|
return (new GetObjectAction(['table' => $this->Users]))->execute(['primaryKey' => $user->id, 'contain' => 'Roles']); |
|
|
|
|
|
|
130
|
|
|
} |
|
131
|
|
|
|
|
132
|
|
|
/** |
|
133
|
|
|
* Normalize input data to plain JSON if in JSON API format |
|
134
|
|
|
* |
|
135
|
|
|
* @param array $data Input data |
|
136
|
|
|
* @return array Normalized array |
|
137
|
|
|
*/ |
|
138
|
|
|
protected function normalizeInput(array $data) |
|
139
|
|
|
{ |
|
140
|
|
|
if (!empty($data['data']['data']['attributes'])) { |
|
141
|
|
|
$meta = !empty($data['data']['data']['meta']) ? $data['data']['data']['meta'] : []; |
|
142
|
|
|
$data['data'] = array_merge($data['data']['data']['attributes'], $meta); |
|
143
|
|
|
} |
|
144
|
|
|
|
|
145
|
|
|
return $data; |
|
146
|
|
|
} |
|
147
|
|
|
|
|
148
|
|
|
/** |
|
149
|
|
|
* Validate data. |
|
150
|
|
|
* |
|
151
|
|
|
* It needs to validate some data that don't concern the User entity |
|
152
|
|
|
* as `activation_url` and `redirect_url` |
|
153
|
|
|
* |
|
154
|
|
|
* @param array $data The data to validate |
|
155
|
|
|
* @return array |
|
156
|
|
|
*/ |
|
157
|
|
|
protected function validate(array $data) |
|
158
|
|
|
{ |
|
159
|
|
|
$validator = new Validator(); |
|
160
|
|
|
$validator->setProvider('bedita', Validation::class); |
|
161
|
|
|
|
|
162
|
|
|
if (empty($data['auth_provider'])) { |
|
163
|
|
|
$validator->requirePresence('activation_url'); |
|
164
|
|
|
|
|
165
|
|
|
$validator |
|
166
|
|
|
->requirePresence('username') |
|
167
|
|
|
->notEmpty('username'); |
|
168
|
|
|
} else { |
|
169
|
|
|
$validator |
|
170
|
|
|
->requirePresence('provider_username') |
|
171
|
|
|
->requirePresence('access_token'); |
|
172
|
|
|
} |
|
173
|
|
|
|
|
174
|
|
|
$validator |
|
175
|
|
|
->add('activation_url', 'customUrl', [ |
|
176
|
|
|
'rule' => 'url', |
|
177
|
|
|
'provider' => 'bedita', |
|
178
|
|
|
]) |
|
179
|
|
|
|
|
180
|
|
|
->add('redirect_url', 'customUrl', [ |
|
181
|
|
|
'rule' => 'url', |
|
182
|
|
|
'provider' => 'bedita', |
|
183
|
|
|
]); |
|
184
|
|
|
|
|
185
|
|
|
return $validator->errors($data); |
|
186
|
|
|
} |
|
187
|
|
|
|
|
188
|
|
|
/** |
|
189
|
|
|
* Create a new user with status: |
|
190
|
|
|
* - `on` if an external auth provider is used or no activation |
|
191
|
|
|
* is required via `Signup.requireActivation` config |
|
192
|
|
|
* - `draft` in other cases. |
|
193
|
|
|
* |
|
194
|
|
|
* The user is validated using 'signup' validation. |
|
195
|
|
|
* |
|
196
|
|
|
* @param array $data The data to save |
|
197
|
|
|
* @return \BEdita\Core\Model\Entity\User|bool User created or `false` on error |
|
198
|
|
|
* @throws \Cake\Network\Exception\UnauthorizedException Upon external authorization check failure. |
|
199
|
|
|
*/ |
|
200
|
|
|
protected function createUser(array $data) |
|
201
|
|
|
{ |
|
202
|
|
|
if (!LoggedUser::getUser()) { |
|
203
|
|
|
LoggedUser::setUser(['id' => 1]); |
|
204
|
|
|
} |
|
205
|
|
|
|
|
206
|
|
|
$status = 'draft'; |
|
207
|
|
|
if (Configure::read('Signup.requireActivation') === false) { |
|
208
|
|
|
$status = 'on'; |
|
209
|
|
|
} |
|
210
|
|
|
unset($data['status']); |
|
211
|
|
|
|
|
212
|
|
|
if (empty($data['auth_provider'])) { |
|
213
|
|
|
return $this->createUserEntity($data, $status, 'signup'); |
|
214
|
|
|
} |
|
215
|
|
|
|
|
216
|
|
|
$authProvider = $this->checkExternalAuth($data); |
|
217
|
|
|
|
|
218
|
|
|
$user = $this->createUserEntity($data, 'on', 'signupExternal'); |
|
219
|
|
|
|
|
220
|
|
|
// create `ExternalAuth` entry |
|
221
|
|
|
$this->Users->dispatchEvent('Auth.externalAuth', [ |
|
222
|
|
|
'authProvider' => $authProvider, |
|
223
|
|
|
'providerUsername' => $data['provider_username'], |
|
224
|
|
|
'userId' => $user->get('id'), |
|
225
|
|
|
'params' => empty($data['provider_userdata']) ? null : $data['provider_userdata'], |
|
226
|
|
|
]); |
|
227
|
|
|
|
|
228
|
|
|
return $user; |
|
229
|
|
|
} |
|
230
|
|
|
|
|
231
|
|
|
/** |
|
232
|
|
|
* Create User model entity. |
|
233
|
|
|
* |
|
234
|
|
|
* @param array $data The signup data |
|
235
|
|
|
* @param string $status User `status`, `on` or `draft` |
|
236
|
|
|
* @param string $validate Validation options to use |
|
237
|
|
|
* @return @return \BEdita\Core\Model\Entity\User The User entity created |
|
|
|
|
|
|
238
|
|
|
*/ |
|
239
|
|
|
protected function createUserEntity(array $data, $status, $validate) |
|
240
|
|
|
{ |
|
241
|
|
|
if ($this->Users->exists(['username' => $data['username']])) { |
|
242
|
|
|
$this->dispatchEvent('Auth.signupUserExists', [$data], $this->Users); |
|
243
|
|
|
throw new BadRequestException([ |
|
|
|
|
|
|
244
|
|
|
'title' => __d('bedita', 'User "{0}" already registered', $data['username']), |
|
245
|
|
|
'code' => self::BE_USER_EXISTS, |
|
246
|
|
|
]); |
|
247
|
|
|
} |
|
248
|
|
|
$action = new SaveEntityAction(['table' => $this->Users]); |
|
249
|
|
|
|
|
250
|
|
|
return $action([ |
|
251
|
|
|
'entity' => $this->Users->newEntity()->set('status', $status), |
|
252
|
|
|
'data' => $data, |
|
253
|
|
|
'entityOptions' => [ |
|
254
|
|
|
'validate' => $validate, |
|
255
|
|
|
], |
|
256
|
|
|
]); |
|
257
|
|
|
} |
|
258
|
|
|
|
|
259
|
|
|
/** |
|
260
|
|
|
* Check external auth data validity |
|
261
|
|
|
* |
|
262
|
|
|
* To perform external auth check these fields are mandatory: |
|
263
|
|
|
* - "auth_provider": provider name like "google", "facebook"... must be in `auth_providers` |
|
264
|
|
|
* - "provider_username": id or username of the provider |
|
265
|
|
|
* - "access_token": token returned by provider to use in check |
|
266
|
|
|
* |
|
267
|
|
|
* @param array $data The signup data |
|
268
|
|
|
* @return \BEdita\Core\Model\Entity\AuthProvider AuthProvider entity |
|
269
|
|
|
* @throws \Cake\Network\Exception\UnauthorizedException Upon external authorization check failure. |
|
270
|
|
|
*/ |
|
271
|
|
|
protected function checkExternalAuth(array $data) |
|
272
|
|
|
{ |
|
273
|
|
|
/** @var \BEdita\Core\Model\Entity\AuthProvider $authProvider */ |
|
274
|
|
|
$authProvider = TableRegistry::get('AuthProviders')->find('enabled') |
|
275
|
|
|
->where(['name' => $data['auth_provider']]) |
|
276
|
|
|
->first(); |
|
277
|
|
|
if (empty($authProvider)) { |
|
278
|
|
|
throw new UnauthorizedException(__d('bedita', 'External auth provider not found')); |
|
279
|
|
|
} |
|
280
|
|
|
$providerResponse = $this->getOAuth2Response($authProvider->get('url'), $data['access_token']); |
|
281
|
|
|
if (!$authProvider->checkAuthorization($providerResponse, $data['provider_username'])) { |
|
282
|
|
|
throw new UnauthorizedException(__d('bedita', 'External auth failed')); |
|
283
|
|
|
} |
|
284
|
|
|
|
|
285
|
|
|
return $authProvider; |
|
286
|
|
|
} |
|
287
|
|
|
|
|
288
|
|
|
/** |
|
289
|
|
|
* Get response from an OAuth2 provider |
|
290
|
|
|
* |
|
291
|
|
|
* @param string $url OAuth2 provider URL |
|
292
|
|
|
* @param string $accessToken Access token to use in request |
|
293
|
|
|
* @return array Response from an OAuth2 provider |
|
294
|
|
|
* @codeCoverageIgnore |
|
295
|
|
|
*/ |
|
296
|
|
|
protected function getOAuth2Response($url, $accessToken) |
|
297
|
|
|
{ |
|
298
|
|
|
$response = (new Client())->get($url, [], ['headers' => ['Authorization' => 'Bearer ' . $accessToken]]); |
|
299
|
|
|
|
|
300
|
|
|
return !empty($response->json) ? $response->json : []; |
|
301
|
|
|
} |
|
302
|
|
|
|
|
303
|
|
|
/** |
|
304
|
|
|
* Add roles to user if requested, with validity check |
|
305
|
|
|
* |
|
306
|
|
|
* @param \BEdita\Core\Model\Entity\User $entity The user created |
|
307
|
|
|
* @param array $data The signup data |
|
308
|
|
|
* @return void |
|
309
|
|
|
*/ |
|
310
|
|
|
protected function addRoles(User $entity, array $data) |
|
311
|
|
|
{ |
|
312
|
|
|
$signupRoles = Hash::get($data, 'roles', Configure::read('Signup.defaultRoles')); |
|
313
|
|
|
if (empty($signupRoles)) { |
|
314
|
|
|
return; |
|
315
|
|
|
} |
|
316
|
|
|
$roles = $this->loadRoles($signupRoles); |
|
317
|
|
|
$association = $this->Users->associations()->getByProperty('roles'); |
|
318
|
|
|
$association->link($entity, $roles); |
|
319
|
|
|
} |
|
320
|
|
|
|
|
321
|
|
|
/** |
|
322
|
|
|
* Load requested roles entities with validation |
|
323
|
|
|
* |
|
324
|
|
|
* @param array $roles Requested role names |
|
325
|
|
|
* @return \BEdita\Core\Model\Entity\Role[] requested role entities |
|
326
|
|
|
* @throws \Cake\Network\Exception\BadRequestException When role validation fails |
|
327
|
|
|
*/ |
|
328
|
|
|
protected function loadRoles(array $roles) |
|
329
|
|
|
{ |
|
330
|
|
|
$entities = []; |
|
331
|
|
|
$allowed = (array)Configure::read('Signup.roles'); |
|
332
|
|
|
foreach ($roles as $name) { |
|
333
|
|
|
$role = $this->Roles->find()->where(compact('name'))->first(); |
|
334
|
|
|
if (RolesTable::ADMIN_ROLE === $role->get('id') || !in_array($name, $allowed)) { |
|
335
|
|
|
throw new BadRequestException(__d('bedita', 'Role "{0}" not allowed on signup', [$name])); |
|
336
|
|
|
} |
|
337
|
|
|
$entities[] = $role; |
|
338
|
|
|
} |
|
339
|
|
|
|
|
340
|
|
|
return $entities; |
|
|
|
|
|
|
341
|
|
|
} |
|
342
|
|
|
|
|
343
|
|
|
/** |
|
344
|
|
|
* Create the signup async job |
|
345
|
|
|
* |
|
346
|
|
|
* @param \BEdita\Core\Model\Entity\User $user The user created |
|
347
|
|
|
* @return \BEdita\Core\Model\Entity\AsyncJob |
|
348
|
|
|
*/ |
|
349
|
|
|
protected function createSignupJob(User $user) |
|
350
|
|
|
{ |
|
351
|
|
|
$action = new SaveEntityAction(['table' => $this->AsyncJobs]); |
|
352
|
|
|
|
|
353
|
|
|
return $action([ |
|
354
|
|
|
'entity' => $this->AsyncJobs->newEntity(), |
|
355
|
|
|
'data' => [ |
|
356
|
|
|
'service' => 'signup', |
|
357
|
|
|
'payload' => [ |
|
358
|
|
|
'user_id' => $user->id, |
|
359
|
|
|
], |
|
360
|
|
|
'scheduled_from' => new Time('1 day'), |
|
361
|
|
|
'priority' => 1, |
|
362
|
|
|
], |
|
363
|
|
|
]); |
|
364
|
|
|
} |
|
365
|
|
|
|
|
366
|
|
|
/** |
|
367
|
|
|
* Send confirmation email to user |
|
368
|
|
|
* |
|
369
|
|
|
* @param \Cake\Event\Event $event Dispatched event. |
|
370
|
|
|
* @param \BEdita\Core\Model\Entity\User $user The user |
|
371
|
|
|
* @param \BEdita\Core\Model\Entity\AsyncJob $job The referred async job |
|
372
|
|
|
* @param string $activationUrl URL to be used for activation. |
|
373
|
|
|
* @return void |
|
374
|
|
|
*/ |
|
375
|
|
|
public function sendMail(Event $event, User $user, AsyncJob $job, $activationUrl) |
|
376
|
|
|
{ |
|
377
|
|
|
if (empty($user->get('email'))) { |
|
378
|
|
|
return; |
|
379
|
|
|
} |
|
380
|
|
|
$options = [ |
|
381
|
|
|
'params' => compact('activationUrl', 'user'), |
|
382
|
|
|
]; |
|
383
|
|
|
$this->getMailer('BEdita/Core.User')->send('signup', [$options]); |
|
384
|
|
|
} |
|
385
|
|
|
|
|
386
|
|
|
/** |
|
387
|
|
|
* Send welcome email to user to inform of successfully activation |
|
388
|
|
|
* External auth users are already activated |
|
389
|
|
|
* |
|
390
|
|
|
* @param \Cake\Event\Event $event Dispatched event. |
|
391
|
|
|
* @param \BEdita\Core\Model\Entity\User $user The user |
|
392
|
|
|
* @return void |
|
393
|
|
|
*/ |
|
394
|
|
|
public function sendActivationMail(Event $event, User $user) |
|
395
|
|
|
{ |
|
396
|
|
|
$options = [ |
|
397
|
|
|
'params' => compact('user'), |
|
398
|
|
|
]; |
|
399
|
|
|
$this->getMailer('BEdita/Core.User')->send('welcome', [$options]); |
|
400
|
|
|
} |
|
401
|
|
|
|
|
402
|
|
|
/** |
|
403
|
|
|
* Return the signup activation url |
|
404
|
|
|
* |
|
405
|
|
|
* @param \BEdita\Core\Model\Entity\AsyncJob $job The async job entity |
|
406
|
|
|
* @param array $urlOptions The options used to build activation url |
|
407
|
|
|
* @return string |
|
408
|
|
|
*/ |
|
409
|
|
|
protected function getActivationUrl(AsyncJob $job, array $urlOptions) |
|
410
|
|
|
{ |
|
411
|
|
|
$baseUrl = $urlOptions['activation_url']; |
|
412
|
|
|
$redirectUrl = empty($urlOptions['redirect_url']) ? '' : '&redirect_url=' . rawurlencode($urlOptions['redirect_url']); |
|
413
|
|
|
$baseUrl .= (strpos($baseUrl, '?') === false) ? '?' : '&'; |
|
414
|
|
|
|
|
415
|
|
|
return sprintf('%suuid=%s%s', $baseUrl, $job->uuid, $redirectUrl); |
|
416
|
|
|
} |
|
417
|
|
|
|
|
418
|
|
|
/** |
|
419
|
|
|
* {@inheritdoc} |
|
420
|
|
|
*/ |
|
421
|
|
|
public function implementedEvents() |
|
422
|
|
|
{ |
|
423
|
|
|
return [ |
|
424
|
|
|
'Auth.signup' => 'sendMail', |
|
425
|
|
|
'Auth.signupActivation' => 'sendActivationMail', |
|
426
|
|
|
]; |
|
427
|
|
|
} |
|
428
|
|
|
} |
|
429
|
|
|
|
bedita /
bedita
Loading history...
