Enforce LOCKED and !CONFIRMED flags on clients

8fcd6a56 · Jared Hancock · b8c3e5e7 · 8fcd6a56 · 8fcd6a56 · 8fcd6a56
Commit 8fcd6a56 authored 11 years ago by Jared Hancock
--- a/account.php
+++ b/account.php
@@ -37,9 +37,9 @@ elseif ($thisclient) {
    // Existing client (with an account) updating profile
    else {
        $user = User::lookup($thisclient->getId());
-        $content = Page::lookup(Page::lookupByType('registration-thanks'));
+        $content = Page::lookup(Page::getIdByType('registration-thanks'));
        $inc = isset($_GET['confirmed'])
-            ? 'registration.confirmed.inc.php' : 'profile.inc.php';
+            ? 'register.confirmed.inc.php' : 'profile.inc.php';
    }
 }
@@ -81,7 +81,7 @@ elseif ($_POST) {
    if (!$errors) {
        switch ($_POST['do']) {
        case 'create':
-            $content = Page::lookup(Page::lookupByType('registration-confirm'));
+            $content = Page::lookup(Page::getIdByType('registration-confirm'));
            $inc = 'register.confirm.inc.php';
            $acct->sendResetEmail('registration-client');
        }

--- a/include/class.auth.php
+++ b/include/class.auth.php
@@ -128,17 +128,23 @@ abstract class AuthenticationBackend {
            // All backends are queried here, even if they don't support
            // authentication so that extensions like lockouts and audits
            // can be supported.
-            $result = $bk->authenticate($username, $password);
+            try {
-            if ($result instanceof AuthenticatedUser
+                $result = $bk->authenticate($username, $password);
-                    && ($bk->login($result, $bk)))
+                if ($result instanceof AuthenticatedUser
-                return $result;
+                        && ($bk->login($result, $bk)))
-            elseif ($result instanceof AccessDenied) {
+                    return $result;
+                elseif ($result instanceof AccessDenied) {
+                    break;
+                }
+            }
+            catch (AccessDenied $e) {
+                $result = $e;
                break;
            }
        }
        if (!$result)
-            $result = new  AccessDenied('Access denied');
+            $result = new AccessDenied('Access denied');
        if ($result && $result instanceof AccessDenied)
            $errors['err'] = $result->reason;
@@ -413,6 +419,15 @@ abstract class UserAuthenticationBackend  extends AuthenticationBackend {
                || !($authkey = $bk->getAuthKey($user)))
            return false;
+        $acct = $user->getAccount();
+        if ($acct) {
+            if (!$acct->isConfirmed())
+                throw new AccessDenied('Account confirmation required');
+            elseif ($acct->isLocked())
+                throw new AccessDenied('Account is administratively locked');
+        }
        //Tag the authkey.
        $authkey = $bk::$id.':'.$authkey;
@@ -482,9 +497,10 @@ abstract class UserAuthenticationBackend  extends AuthenticationBackend {
 /**
 * This will be an exception in later versions of PHP
 */
-class AccessDenied {
+class AccessDenied extends Exception {
    function __construct($reason) {
        $this->reason = $reason;
+        parent::__construct($reason);
    }
 }

--- a/include/class.client.php
+++ b/include/class.client.php
@@ -59,6 +59,7 @@ abstract class TicketUser {
        $vars = array(
            'url' => $ost->getConfig()->getBaseUrl(),
            'ticket' => $this->getTicket(),
+            'user' => $this,
            'recipient' => $this);
        $msg = $ost->replaceTemplateVariables(array(
@@ -348,6 +349,7 @@ class ClientAccount extends ClientAccountModel {
        $vars = array(
            'url' => $ost->getConfig()->getBaseUrl(),
            'token' => $token,
+            'user' => $this->getUser(),
            'recipient' => $this->getUser(),
            'link' => sprintf(
                "%s/pwreset.php?token=%s",

--- a/include/i18n/en_US/templates/page/registration-client.yaml
+++ b/include/i18n/en_US/templates/page/registration-client.yaml
@@ -12,13 +12,13 @@ notes: >
    verification. Please use %{link} somewhere in the body.
 name: "Welcome to %{company.name}"
 body: >
-    <h3><strong>Hi %{user.name.first},</strong></h3> We've created an
+    <h3><strong>Hi %{recipient.name.first},</strong></h3> We've created an
    account for you at our help desk at %{url}.<br />
    <br />
    Please follow the link below to confirm your account and gain access to
    your tickets.<br />
    <br />
-    <a href="%{reset_link}">%{confirmation_link}</a><br />
+    <a href="%{link}">%{link}</a><br />
    <br />
    <em style="font-size: small">Your friendly Customer Support System<br
    />%{company.name}</em>