From 8fcd6a56b767c62aa488fc9fb1c3bb8b4d3d6fcb Mon Sep 17 00:00:00 2001
From: Jared Hancock <jared@osticket.com>
Date: Tue, 25 Mar 2014 13:42:41 -0500
Subject: [PATCH] Enforce LOCKED and !CONFIRMED flags on clients

---
 account.php                                   |  6 ++--
 include/class.auth.php                        | 30 ++++++++++++++-----
 include/class.client.php                      |  2 ++
 .../templates/page/registration-client.yaml   |  4 +--
 4 files changed, 30 insertions(+), 12 deletions(-)

diff --git a/account.php b/account.php
index b9effe186..d9c0793f9 100644
--- a/account.php
+++ b/account.php
@@ -37,9 +37,9 @@ elseif ($thisclient) {
     // Existing client (with an account) updating profile
     else {
         $user = User::lookup($thisclient->getId());
-        $content = Page::lookup(Page::lookupByType('registration-thanks'));
+        $content = Page::lookup(Page::getIdByType('registration-thanks'));
         $inc = isset($_GET['confirmed'])
-            ? 'registration.confirmed.inc.php' : 'profile.inc.php';
+            ? 'register.confirmed.inc.php' : 'profile.inc.php';
     }
 }
 
@@ -81,7 +81,7 @@ elseif ($_POST) {
     if (!$errors) {
         switch ($_POST['do']) {
         case 'create':
-            $content = Page::lookup(Page::lookupByType('registration-confirm'));
+            $content = Page::lookup(Page::getIdByType('registration-confirm'));
             $inc = 'register.confirm.inc.php';
             $acct->sendResetEmail('registration-client');
         }
diff --git a/include/class.auth.php b/include/class.auth.php
index 1cd2c584f..d778401d9 100644
--- a/include/class.auth.php
+++ b/include/class.auth.php
@@ -128,17 +128,23 @@ abstract class AuthenticationBackend {
             // All backends are queried here, even if they don't support
             // authentication so that extensions like lockouts and audits
             // can be supported.
-            $result = $bk->authenticate($username, $password);
-            if ($result instanceof AuthenticatedUser
-                    && ($bk->login($result, $bk)))
-                return $result;
-            elseif ($result instanceof AccessDenied) {
+            try {
+                $result = $bk->authenticate($username, $password);
+                if ($result instanceof AuthenticatedUser
+                        && ($bk->login($result, $bk)))
+                    return $result;
+                elseif ($result instanceof AccessDenied) {
+                    break;
+                }
+            }
+            catch (AccessDenied $e) {
+                $result = $e;
                 break;
             }
         }
 
         if (!$result)
-            $result = new  AccessDenied('Access denied');
+            $result = new AccessDenied('Access denied');
 
         if ($result && $result instanceof AccessDenied)
             $errors['err'] = $result->reason;
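Review bot: The loop now has two ways for a backend to deny access — returning an AccessDenied or, since the class extends Exception in this patch, throwing one — and nothing in the hunk says both are intentional; a comment above the `try`, `// A backend may return or throw AccessDenied; either ends the chain with its reason.`, would keep a later reader from collapsing one path into the other. The catch correctly overwrites `$result` with the exception so its reason reaches `$errors['err']` below, but `$result` does not appear to be reset per iteration, so a backend that returns an AuthenticatedUser whose `login()` returns false rather than throwing leaves a truthy non-AccessDenied value behind and the `if (!$result)` fallback never produces an error message; `$result = null;` before the `try` would close that, unless the loop header outside the hunk already does it. The enclosing foreach and the function's return are outside the hunk.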
@@ -413,6 +419,15 @@ abstract class UserAuthenticationBackend  extends AuthenticationBackend {
                 || !($authkey = $bk->getAuthKey($user)))
             return false;
 
+        $acct = $user->getAccount();
+
+        if ($acct) {
+            if (!$acct->isConfirmed())
+                throw new AccessDenied('Account confirmation required');
+            elseif ($acct->isLocked())
+                throw new AccessDenied('Account is administratively locked');
+        }
+
         //Tag the authkey.
         $authkey = $bk::$id.':'.$authkey;
 
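Review bot: The locked check is only reachable for accounts that are already confirmed, because `!$acct->isConfirmed()` is tested first; an account that is both unconfirmed and administratively locked is reported as needing confirmation, which invites the user to re-request confirmation instead of telling them the account is disabled. Testing the lock first, `if ($acct->isLocked()) throw new AccessDenied('Account is administratively locked'); elseif (!$acct->isConfirmed()) throw new AccessDenied('Account confirmation required');`, lets the stronger control take precedence. Both checks run after `getAuthKey` has succeeded, so the reason is disclosed only to a caller already holding valid credentials, which seems acceptable; a user with no account (`$acct` null) skips both checks, presumably by design. Because this sits inside `login()`, a lock applied after a session exists is enforced only if the session re-validation path, which is outside this diff, also consults `isLocked()`. The enclosing `login()` starts and ends outside the hunk.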
@@ -482,9 +497,10 @@ abstract class UserAuthenticationBackend  extends AuthenticationBackend {
 /**
  * This will be an exception in later versions of PHP
  */
-class AccessDenied {
+class AccessDenied extends Exception {
     function __construct($reason) {
         $this->reason = $reason;
+        parent::__construct($reason);
     }
 }
 
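Review bot: The docblock `This will be an exception in later versions of PHP` is now wrong, since this hunk makes AccessDenied extend Exception; replace it with a sentence stating that AccessDenied is returned or thrown by authentication backends to deny a login with a user-visible reason. `$this->reason` is assigned without a declaration, making it a dynamic property that newer PHP versions deprecate; declare it, `public $reason;`, or drop it in favour of the `getMessage()` accessor that `parent::__construct($reason)` already populates. The `$result->reason` read in the earlier hunk of this file is the only consumer visible here.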
diff --git a/include/class.client.php b/include/class.client.php
index 910be9b4b..8dfb211a8 100644
--- a/include/class.client.php
+++ b/include/class.client.php
@@ -59,6 +59,7 @@ abstract class TicketUser {
         $vars = array(
             'url' => $ost->getConfig()->getBaseUrl(),
             'ticket' => $this->getTicket(),
+            'user' => $this,
             'recipient' => $this);
 
         $msg = $ost->replaceTemplateVariables(array(
@@ -348,6 +349,7 @@ class ClientAccount extends ClientAccountModel {
         $vars = array(
             'url' => $ost->getConfig()->getBaseUrl(),
             'token' => $token,
+            'user' => $this->getUser(),
             'recipient' => $this->getUser(),
             'link' => sprintf(
                 "%s/pwreset.php?token=%s",
diff --git a/include/i18n/en_US/templates/page/registration-client.yaml b/include/i18n/en_US/templates/page/registration-client.yaml
index abc881597..ea820a31f 100644
--- a/include/i18n/en_US/templates/page/registration-client.yaml
+++ b/include/i18n/en_US/templates/page/registration-client.yaml
@@ -12,13 +12,13 @@ notes: >
     verification. Please use %{link} somewhere in the body.
 name: "Welcome to %{company.name}"
 body: >
-    <h3><strong>Hi %{user.name.first},</strong></h3> We've created an
+    <h3><strong>Hi %{recipient.name.first},</strong></h3> We've created an
     account for you at our help desk at %{url}.<br />
     <br />
     Please follow the link below to confirm your account and gain access to
     your tickets.<br />
     <br />
-    <a href="%{reset_link}">%{confirmation_link}</a><br />
+    <a href="%{link}">%{link}</a><br />
     <br />
     <em style="font-size: small">Your friendly Customer Support System<br
     />%{company.name}</em>
-- 
GitLab