1 <?php
2 
16 namespace XH;
17 
29 {
    /** @var string Current password as submitted in POST xh_password_old (after stsl()), '' when absent. */
    private $passwordOld;

    /** @var string Requested new password from POST xh_password_new (after stsl()), '' when absent. */
    private $passwordNew;

    /** @var string Repeat of the new password from POST xh_password_confirmation (after stsl()), '' when absent. */
    private $passwordConfirmation;

    /** @var array By-value copy of the global $cf; ['security']['password'] holds the stored password hash. */
    private $config;

    /** @var array By-value copy of the global language strings $tx. */
    private $lang;

    /** @var object The global $_XH_csrfProtection; only tokenInput() and check() are used here. */
    private $csrfProtector;
71 
77  public function __construct()
78  {
79  global $cf, $tx, $_XH_csrfProtection;
80 
81  $this->passwordOld = isset($_POST['xh_password_old'])
82  ? stsl($_POST['xh_password_old']) : '';
83  $this->passwordNew = isset($_POST['xh_password_new'])
84  ? stsl($_POST['xh_password_new']) : '';
85  $this->passwordConfirmation = isset($_POST['xh_password_confirmation'])
86  ? stsl($_POST['xh_password_confirmation']) : '';
87  $this->config = $cf;
88  $this->lang = $tx;
89  $this->csrfProtector = $_XH_csrfProtection;
90  }
91 
99  public function defaultAction()
100  {
101  global $o;
102 
103  $o .= $this->render();
104  }
105 
113  private function render()
114  {
115  global $sn;
116 
117  return '<form id="xh_change_password" action="' . $sn
118  . '?&xh_change_password" method="post">'
119  . $this->csrfProtector->tokenInput()
120  . $this->renderField('old', $this->passwordOld)
121  . $this->renderField('new', $this->passwordNew)
122  . $this->renderField('confirmation', $this->passwordConfirmation)
123  . $this->renderSubmit()
124  . '</form>';
125  }
126 
135  private function renderField($which, $value)
136  {
137  $id = "xh_password_$which";
138  $html = '<p>'
139  . '<label for="' . $id . '">' . $this->lang['password'][$which]
140  . '</label> '
141  . tag(
142  'input id="' . $id . '" type="password" name="' . $id
143  . '" value="' . XH_hsc($value) . '"'
144  );
145  if (in_array($which, array('old', 'new'))) {
146  $html .= ' <span class="xh_password_score"></span>';
147  }
148  $html .= '</p>';
149  return $html;
150  }
151 
157  private function renderSubmit()
158  {
159  return '<p><button name="action" value="save">'
160  . utf8_ucfirst($this->lang['action']['save']) . '</button></p>';
161  }
162 
170  public function saveAction()
171  {
172  global $o;
173 
174  $this->csrfProtector->check();
175  if ($hash = $this->validate($error)) {
176  $this->config['security']['password'] = $hash;
177  $this->savePassword();
178  header('Location: ' . CMSIMPLE_URL);
179  exit;
180  } else {
181  $o .= XH_message('fail', $error);
182  $o .= $this->render();
183  }
184  }
185 
193  private function validate(&$error)
194  {
195  $result = null;
196  if ($this->passwordOld && $this->passwordNew
197  && $this->passwordConfirmation
198  ) {
199  $hash = password_verify($this->passwordOld, $this->config['security']['password']);
200  if (!$hash) {
201  $error = $this->lang['password']['wrong'];
202  } else {
203  if (!preg_match('/^[!-~]+$/u', $this->passwordNew)) {
204  $error = $this->lang['password']['invalid'];
205  } elseif ($this->passwordNew != $this->passwordConfirmation) {
206  $error = $this->lang['password']['mismatch'];
207  } else {
208  $result = password_hash($this->passwordNew, PASSWORD_BCRYPT);
209  }
210  }
211  } else {
212  $error = $this->lang['password']['fields_missing'];
213  }
214  return $result;
215  }
216 
224  private function savePassword()
225  {
226  global $pth;
227 
228  $o = "<?php\n\n";
229  foreach ($this->config as $cat => $opts) {
230  foreach ($opts as $name => $opt) {
231  // The following are there for backwards compatibility,
232  // and have to be suppressed in the config form.
233  if ($cat == 'security' && $name == 'type'
234  || $cat == 'scripting' && $name == 'regexp'
235  || $cat == 'site' && $name == 'title'
236  || $cat == 'xhtml'
237  ) {
238  continue;
239  }
240  $opt = addcslashes($opt, "\0..\37\"\$\\");
241  $o .= "\$cf['$cat']['$name']=\"$opt\";\n";
242  }
243  }
244  $o .= "\n?>\n";
245  return XH_writeFile($pth['file']['config'], $o);
246  }
247 }