Merge pull request #414 from panique/develop

Develop

CHANGELOG.md

@@ -1,5 +1,14 @@
 # CHANGE LOG
 
+**April 20th 2014**
+- new header pictures, including a new donate-banner
+- better default gravatar avatar (without JPEG artifacts)
+- fix for #380: no broken avatars for facebook anymore when using gravatar
+
+**April 18th 2014**
+- composer.json got better dependency version definition (to avoid too new / incompatible versions being loaded)
+- the captcha can be reloaded on the fly now
+
 **March 1st 2014**
 - changed link to new support forum
 

README.md

@@ -1,9 +1,10 @@
-![php-login introduction & quickstart placeholder picture](_tutorial/placeholder.jpg)
+[![php-login introduction & quickstart placeholder picture](_tutorial/placeholder-info.png)](http://www.php-login.net)
+
+[![Donate with PayPal banner](_tutorial/donate-with-paypal.png)](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=P5YLUK4MW3LDG)
 
 # php-login
 
-*Welcome to the NEW 2.0 version of the php-login! All 4 scripts have their own repos now and "php-login" is the new home
-of the former 4-full-mvc-framework version. Thanks for your support, 900+ stars and 380+ forks, simply WOW!*
+*Thanks for 1.000+ stars and 400+ forks. Wow!*
 
 ### A PHP & MySQL login script built into a skeleton MVC application
 
@@ -227,7 +228,3 @@ This project is kindly powered by **[PHPStorm](http://www.jetbrains.com/phpstorm
 ## Hire me
 
 I'm available for freelance work. Remote worldwide or locally around Central Europe. Mail me if you like.
-
-## GitHub stats (by BitDeli)
-
-[![Bitdeli Badge](https://d2weczhvl823v0.cloudfront.net/panique/php-login/trend.png)](https://bitdeli.com/free "Bitdeli Badge")

application/controllers/login.php

@@ -127,6 +127,11 @@ function editUsername()
      */
     function editUsername_action()
     {
+        // Auth::handleLogin() makes sure that only logged in users can use this action/method and see that page
+        // Note: This line was missing in early version of the script, but it was never a real security issue as
+        // it was not possible to read or edit anything in the database unless the user is really logged in and
+        // has a valid session.
+        Auth::handleLogin();
         $login_model = $this->loadModel('Login');
         $login_model->editUserName();
         $this->view->render('login/editusername');
@@ -147,6 +152,11 @@ function editUserEmail()
      */
     function editUserEmail_action()
     {
+        // Auth::handleLogin() makes sure that only logged in users can use this action/method and see that page
+        // Note: This line was missing in early version of the script, but it was never a real security issue as
+        // it was not possible to read or edit anything in the database unless the user is really logged in and
+        // has a valid session.
+        Auth::handleLogin();
         $login_model = $this->loadModel('Login');
         $login_model->editUserEmail();
         $this->view->render('login/edituseremail');
@@ -169,6 +179,11 @@ function uploadAvatar()
      */
     function uploadAvatar_action()
     {
+        // Auth::handleLogin() makes sure that only logged in users can use this action/method and see that page
+        // Note: This line was missing in early version of the script, but it was never a real security issue as
+        // it was not possible to read or edit anything in the database unless the user is really logged in and
+        // has a valid session.
+        Auth::handleLogin();
         $login_model = $this->loadModel('Login');
         $login_model->createAvatar();
         $this->view->render('login/uploadavatar');
@@ -189,6 +204,11 @@ function changeAccountType()
      */
     function changeAccountType_action()
     {
+        // Auth::handleLogin() makes sure that only logged in users can use this action/method and see that page
+        // Note: This line was missing in early version of the script, but it was never a real security issue as
+        // it was not possible to read or edit anything in the database unless the user is really logged in and
+        // has a valid session.
+        Auth::handleLogin();
         $login_model = $this->loadModel('Login');
         $login_model->changeAccountType();
         $this->view->render('login/changeaccounttype');
@@ -251,9 +271,13 @@ function registerWithFacebook()
      */
     function verify($user_id, $user_activation_verification_code)
     {
-        $login_model = $this->loadModel('Login');
-        $login_model->verifyNewUser($user_id, $user_activation_verification_code);
-        $this->view->render('login/verify');
+        if (isset($user_id) && isset($user_activation_verification_code)) {
+            $login_model = $this->loadModel('Login');
+            $login_model->verifyNewUser($user_id, $user_activation_verification_code);
+            $this->view->render('login/verify');
+        } else {
+            header('location: ' . URL . 'login/index');
+        }
     }
 
     /**
@@ -294,6 +318,8 @@ function verifyPasswordReset($user_name, $verification_code)
 
     /**
      * Set the new password
+     * Please note that this happens while the user is not logged in.
+     * The user identifies via the data provided by the password reset link from the email.
      */
     function setNewPassword()
     {

application/controllers/note.php

@@ -54,10 +54,14 @@ public function create()
      */
     public function edit($note_id)
     {
-        // get the note that you want to edit (to show the current content)
-        $note_model = $this->loadModel('Note');
-        $this->view->note = $note_model->getNote($note_id);
-        $this->view->render('note/edit');
+        if (isset($note_id)) {
+            // get the note that you want to edit (to show the current content)
+            $note_model = $this->loadModel('Note');
+            $this->view->note = $note_model->getNote($note_id);
+            $this->view->render('note/edit');
+        } else {
+            header('location: ' . URL . 'note');
+        }
     }
 
     /**
@@ -67,7 +71,7 @@ public function edit($note_id)
      */
     public function editSave($note_id)
     {
-        if (isset($_POST['note_text'])) {
+        if (isset($_POST['note_text']) && isset($note_id)) {
             // perform the update: pass note_id from URL and note_text from POST
             $note_model = $this->loadModel('Note');
             $note_model->editSave($note_id, $_POST['note_text']);
@@ -83,8 +87,10 @@ public function editSave($note_id)
      */
     public function delete($note_id)
     {
-        $note_model = $this->loadModel('Note');
-        $note_model->delete($note_id);
+        if (isset($note_id)) {
+            $note_model = $this->loadModel('Note');
+            $note_model->delete($note_id);
+        }
         header('location: ' . URL . 'note');
     }
 }

application/controllers/overview.php

@@ -32,8 +32,12 @@ function index()
      */
     function showUserProfile($user_id)
     {
-        $overview_model = $this->loadModel('Overview');
-        $this->view->user = $overview_model->getUserProfile($user_id);
-        $this->view->render('overview/showuserprofile');
+        if (isset($user_id)) {
+            $overview_model = $this->loadModel('Overview');
+            $this->view->user = $overview_model->getUserProfile($user_id);
+            $this->view->render('overview/showuserprofile');
+        } else {
+            header('location: ' . URL);
+        }
     }
 }

application/models/login_model.php

@@ -550,7 +550,7 @@ private function sendVerificationEmail($user_id, $user_email, $user_activation_h
             // enable SMTP authentication
             $mail->SMTPAuth = EMAIL_SMTP_AUTH;
             // enable encryption, usually SSL/TLS
-            if (defined(EMAIL_SMTP_ENCRYPTION)) {
+            if (defined('EMAIL_SMTP_ENCRYPTION')) {
                 $mail->SMTPSecure = EMAIL_SMTP_ENCRYPTION;
             }
             // set SMTP provider's credentials
@@ -905,7 +905,7 @@ public function sendPasswordResetMail($user_name, $user_password_reset_hash, $us
             // Enable SMTP authentication
             $mail->SMTPAuth = EMAIL_SMTP_AUTH;
             // Enable encryption, usually SSL/TLS
-            if (defined(EMAIL_SMTP_ENCRYPTION)) {
+            if (defined('EMAIL_SMTP_ENCRYPTION')) {
                 $mail->SMTPSecure = EMAIL_SMTP_ENCRYPTION;
             }
             // Specify host server

application/views/login/register.php

@@ -37,7 +37,11 @@
             <input id="login_input_password_repeat" class="login_input" type="password" name="user_password_repeat" pattern=".{6,}" required autocomplete="off" />
             <!-- show the captcha by calling the login/showCaptcha-method in the src attribute of the img tag -->
             <!-- to avoid weird with-slash-without-slash issues: simply always use the URL constant here -->
-            <img src="<?php echo URL; ?>login/showCaptcha" />
+            <img id="captcha" src="<?php echo URL; ?>login/showCaptcha" />
+            <span style="display: block; font-size: 11px; color: #999; margin-bottom: 10px">
+                <!-- quick & dirty captcha reloader -->
+                <a href="#" onclick="document.getElementById('captcha').src = '<?php echo URL; ?>login/showCaptcha?' + Math.random(); return false">[ Reload Captcha ]</a>
+            </span>
             <label>
                 Please enter these characters
                 <span style="display: block; font-size: 11px; color: #999;">

application/views/login/showprofile.php

@@ -11,10 +11,13 @@
         Your email: <?php echo Session::get('user_email'); ?>
     </div>
     <div>
-        Your gravatar pic (on gravatar.com): <img src='<?php echo Session::get('user_gravatar_image_url'); ?>' />
-    </div>
-    <div>
-        Your avatar pic (saved on local server): <img src='<?php echo Session::get('user_avatar_file'); ?>' />
+        Your avatar image:
+        <?php // if usage of gravatar is activated show gravatar image, else show local avatar ?>
+        <?php if (USE_GRAVATAR) { ?>
+            Your gravatar pic (on gravatar.com): <img src='<?php echo Session::get('user_gravatar_image_url'); ?>' />
+        <?php } else { ?>
+            Your avatar pic (saved on local server): <img src='<?php echo Session::get('user_avatar_file'); ?>' />
+        <?php } ?>
     </div>
     <div>
         Your account type is: <?php echo Session::get('user_account_type'); ?>

composer.json

@@ -2,7 +2,7 @@
     "name": "panique/php-login",
     "type": "project",
     "description": "A PHP login system embedded in a simple MVC framework",
-    "keywords": ["login", "auth", "user", "authentification", "mvc"],
+    "keywords": ["login", "auth", "user", "authentication", "mvc"],
     "homepage": "https://github.com/panique/php-login",
     "license": "MIT",
     "authors": [
@@ -18,10 +18,10 @@
     },
     "require":{
         "php": ">=5.3.7",
-        "ircmaxell/password-compat": "1.0.*",
-        "phpmailer/phpmailer": "5.2.*",
-        "gregwar/captcha": "dev-master",
-        "facebook/php-sdk": "@stable",
-        "raveren/kint": "dev-1.0.0-wip"
+        "ircmaxell/password-compat": "~1.0.3",
+        "phpmailer/phpmailer": "~5.2.7",
+        "gregwar/captcha": "~1.0.11",
+        "facebook/php-sdk": "~3.2.3",
+        "raveren/kint": "~1.0@dev"
     }
 }

index.php

@@ -2,12 +2,12 @@
 
 /**
  * A simple, clean and secure PHP Login Script embedded into a small framework.
- * Also available in other version: one-file, minimal, advanced. See php-login.net for more info.
+ * Also available in other versions: one-file, minimal, advanced. See php-login.net for more info.
  *
  * MVC FRAMEWORK VERSION
  *
  * @author Panique
- * @link http://www.php-login.net
+ * @link http://www.php-login.net/
  * @link https://github.com/panique/php-login/
  * @license http://opensource.org/licenses/MIT MIT License
  */