BookStack/app/Http/Controllers/Auth/UserInviteController.php

<?php

namespace BookStack\Http\Controllers\Auth;

use BookStack\Auth\Access\UserInviteService;
use BookStack\Auth\UserRepo;
use BookStack\Exceptions\UserTokenExpiredException;
use BookStack\Exceptions\UserTokenNotFoundException;
use BookStack\Http\Controllers\Controller;
use Exception;
use Illuminate\Http\RedirectResponse;
use Illuminate\Http\Request;
use Illuminate\Routing\Redirector;
use Illuminate\Validation\Rules\Password;

class UserInviteController extends Controller
{
    protected UserInviteService $inviteService;
    protected UserRepo $userRepo;

    /**
     * Create a new controller instance.
     */
    public function __construct(UserInviteService $inviteService, UserRepo $userRepo)
    {
        $this->middleware('guest');
        $this->middleware('guard:standard');

        $this->inviteService = $inviteService;
        $this->userRepo = $userRepo;
    }

    /**
     * Show the page for the user to set the password for their account.
     *
     * @throws Exception
     */
    public function showSetPassword(string $token)
    {
        try {
            $this->inviteService->checkTokenAndGetUserId($token);
        } catch (Exception $exception) {
            return $this->handleTokenException($exception);
        }

        return view('auth.invite-set-password', [
            'token' => $token,
        ]);
    }

    /**
     * Sets the password for an invited user and then grants them access.
     *
     * @throws Exception
     */
    public function setPassword(Request $request, string $token)
    {
        $this->validate($request, [
            'password' => ['required', Password::default()],
        ]);

        try {
            $userId = $this->inviteService->checkTokenAndGetUserId($token);
        } catch (Exception $exception) {
            return $this->handleTokenException($exception);
        }

        $user = $this->userRepo->getById($userId);
        $user->password = bcrypt($request->get('password'));
        $user->email_confirmed = true;
        $user->save();

        $this->inviteService->deleteByUser($user);
        $this->showSuccessNotification(trans('auth.user_invite_success_login', ['appName' => setting('app-name')]));

        return redirect('/login');
    }

    /**
     * Check and validate the exception thrown when checking an invite token.
     *
     * @throws Exception
     *
     * @return RedirectResponse|Redirector
     */
    protected function handleTokenException(Exception $exception)
    {
        if ($exception instanceof UserTokenNotFoundException) {
            return redirect('/');
        }

        if ($exception instanceof UserTokenExpiredException) {
            $this->showErrorNotification(trans('errors.invite_token_expired'));

            return redirect('/password/email');
        }

        throw $exception;
    }
}
Finished new user invite flow 2019-08-18 08:11:30 -04:00			`<?php`

			`namespace BookStack\Http\Controllers\Auth;`

			`use BookStack\Auth\Access\UserInviteService;`
			`use BookStack\Auth\UserRepo;`
			`use BookStack\Exceptions\UserTokenExpiredException;`
			`use BookStack\Exceptions\UserTokenNotFoundException;`
			`use BookStack\Http\Controllers\Controller;`
			`use Exception;`
			`use Illuminate\Http\RedirectResponse;`
			`use Illuminate\Http\Request;`
			`use Illuminate\Routing\Redirector;`
Aligned password length requirements Updated all password validation to use central password defaults system while updating length requirements to now all match at 8 characters minimum. Some language text was technically correct (More than 7 characters) but this has been updated for clarity and to prompt other translations to be updated. Closes #2237 2021-12-18 11:31:48 -05:00			`use Illuminate\Validation\Rules\Password;`
Finished new user invite flow 2019-08-18 08:11:30 -04:00
			`class UserInviteController extends Controller`
			`{`
Updated auth controllers with property types 2022-09-22 10:12:05 -04:00			`protected UserInviteService $inviteService;`
			`protected UserRepo $userRepo;`
Finished new user invite flow 2019-08-18 08:11:30 -04:00
			`/**`
			`* Create a new controller instance.`
			`*/`
Prevented auto-login from direct email confirmation actions Was done for convenience but could potentially be exploited by an attacker using signing up via one of these routes, then forwarding an email confirmation to another user so they unknowingly utilise an account someone else controls. Tweaks the flow of confirming email, and the user invite flow. For #3050 2021-11-15 05:50:28 -05:00			`public function __construct(UserInviteService $inviteService, UserRepo $userRepo)`
Finished new user invite flow 2019-08-18 08:11:30 -04:00			`{`
Simplified guard names and rolled out guard route checks - Included tests to cover for LDAP and SAML - Updated wording for external auth id option. - Updated 'assertPermissionError' test case to be usable in BrowserKitTests 2020-02-02 08:10:21 -05:00			`$this->middleware('guest');`
			`$this->middleware('guard:standard');`

Finished new user invite flow 2019-08-18 08:11:30 -04:00			`$this->inviteService = $inviteService;`
			`$this->userRepo = $userRepo;`
			`}`

			`/**`
			`* Show the page for the user to set the password for their account.`
Apply fixes from StyleCI 2021-06-26 11:23:15 -04:00			`*`
Finished new user invite flow 2019-08-18 08:11:30 -04:00			`* @throws Exception`
			`*/`
			`public function showSetPassword(string $token)`
			`{`
			`try {`
			`$this->inviteService->checkTokenAndGetUserId($token);`
			`} catch (Exception $exception) {`
			`return $this->handleTokenException($exception);`
			`}`

			`return view('auth.invite-set-password', [`
			`'token' => $token,`
			`]);`
			`}`

			`/**`
			`* Sets the password for an invited user and then grants them access.`
Apply fixes from StyleCI 2021-06-26 11:23:15 -04:00			`*`
Finished new user invite flow 2019-08-18 08:11:30 -04:00			`* @throws Exception`
			`*/`
Standardised how request is injected into controller methods Puts it in-line with how Laravel recommend. 2019-09-15 13:53:30 -04:00			`public function setPassword(Request $request, string $token)`
Finished new user invite flow 2019-08-18 08:11:30 -04:00			`{`
			`$this->validate($request, [`
Aligned password length requirements Updated all password validation to use central password defaults system while updating length requirements to now all match at 8 characters minimum. Some language text was technically correct (More than 7 characters) but this has been updated for clarity and to prompt other translations to be updated. Closes #2237 2021-12-18 11:31:48 -05:00			`'password' => ['required', Password::default()],`
Finished new user invite flow 2019-08-18 08:11:30 -04:00			`]);`

			`try {`
			`$userId = $this->inviteService->checkTokenAndGetUserId($token);`
			`} catch (Exception $exception) {`
			`return $this->handleTokenException($exception);`
			`}`

			`$user = $this->userRepo->getById($userId);`
			`$user->password = bcrypt($request->get('password'));`
			`$user->email_confirmed = true;`
			`$user->save();`

			`$this->inviteService->deleteByUser($user);`
Prevented auto-login from direct email confirmation actions Was done for convenience but could potentially be exploited by an attacker using signing up via one of these routes, then forwarding an email confirmation to another user so they unknowingly utilise an account someone else controls. Tweaks the flow of confirming email, and the user invite flow. For #3050 2021-11-15 05:50:28 -05:00			`$this->showSuccessNotification(trans('auth.user_invite_success_login', ['appName' => setting('app-name')]));`
Finished new user invite flow 2019-08-18 08:11:30 -04:00
Prevented auto-login from direct email confirmation actions Was done for convenience but could potentially be exploited by an attacker using signing up via one of these routes, then forwarding an email confirmation to another user so they unknowingly utilise an account someone else controls. Tweaks the flow of confirming email, and the user invite flow. For #3050 2021-11-15 05:50:28 -05:00			`return redirect('/login');`
Finished new user invite flow 2019-08-18 08:11:30 -04:00			`}`

			`/**`
			`* Check and validate the exception thrown when checking an invite token.`
Apply fixes from StyleCI 2021-06-26 11:23:15 -04:00			`*`
Finished new user invite flow 2019-08-18 08:11:30 -04:00			`* @throws Exception`
Apply fixes from StyleCI 2021-06-26 11:23:15 -04:00			`*`
			`* @return RedirectResponse\|Redirector`
Finished new user invite flow 2019-08-18 08:11:30 -04:00			`*/`
			`protected function handleTokenException(Exception $exception)`
			`{`
			`if ($exception instanceof UserTokenNotFoundException) {`
			`return redirect('/');`
			`}`

			`if ($exception instanceof UserTokenExpiredException) {`
Entity Repo & Controller Refactor (#1690) * Started mass-refactoring of the current entity repos * Rewrote book tree logic - Now does two simple queries instead of one really complex one. - Extracted logic into its own class. - Remove model-level akward union field listing. - Logic now more readable than being large separate query and compilation functions. * Extracted and split book sort logic * Finished up Book controller/repo organisation * Refactored bookshelves controllers and repo parts * Fixed issues found via phpunit * Refactored Chapter controller * Updated Chapter export controller * Started Page controller/repo refactor * Refactored another chunk of PageController * Completed initial pagecontroller refactor pass * Fixed tests and continued reduction of old repos * Removed old page remove and further reduced entity repo * Removed old entity repo, split out page controller * Ran phpcbf and split out some page content methods * Tidied up some EntityProvider elements * Fixed issued caused by viewservice change 2019-10-05 07:55:01 -04:00			`$this->showErrorNotification(trans('errors.invite_token_expired'));`
Apply fixes from StyleCI 2021-06-26 11:23:15 -04:00
Finished new user invite flow 2019-08-18 08:11:30 -04:00			`return redirect('/password/email');`
			`}`

			`throw $exception;`
			`}`
			`}`