From d4f25fe4904acd64a9cd8bc401a9c00ddd740ea0 Mon Sep 17 00:00:00 2001
From: Hillel Coren
Date: Mon, 1 May 2017 21:46:31 +0300
Subject: [PATCH] Check user email isn't taken in lookup tables

---
 app/Console/Commands/InitLookup.php | 9 ++++---
 app/Http/Controllers/AccountApiController.php | 4 +++
 app/Http/Controllers/AccountController.php | 27 ++++++++++++++++---
 app/Http/Controllers/UserController.php | 11 +++++++-
 app/Models/LookupUser.php | 23 ++++++++++++++++
 app/Ninja/Repositories/AccountRepository.php | 6 ++++-
 6 files changed, 70 insertions(+), 10 deletions(-)

diff --git a/app/Console/Commands/InitLookup.php b/app/Console/Commands/InitLookup.php
index 97c4a97744b0..8b5a227599cd 100644
--- a/app/Console/Commands/InitLookup.php
+++ b/app/Console/Commands/InitLookup.php
@@ -19,7 +19,7 @@ class InitLookup extends Command
 *
 * @var string
 */
- protected $signature = 'ninja:init-lookup {--truncate=} {--company_id=}';
+ protected $signature = 'ninja:init-lookup {--truncate=} {--company_id=} {--page_size=100}';
 
 /**
 * The console command description.
@@ -65,7 +65,7 @@ class InitLookup extends Command
 ->where('id', '>=', $this->option('company_id') ?: 1)
 ->count();
 
- for ($i=0; $i<$count; $i += 100) {
+ for ($i=0; $i<$count; $i += (int) $this->option('page_size')) {
 $this->initCompanies($dbServer->id, $i);
 }
 }
@@ -79,7 +79,7 @@ class InitLookup extends Command
 
 $companies = DB::table('companies')
 ->offset($offset)
- ->limit(100)
+ ->limit((int) $this->option('page_size'))
 ->orderBy('id')
 ->where('id', '>=', $this->option('company_id') ?: 1)
 ->get(['id']);
@@ -196,7 +196,7 @@ class InitLookup extends Command
 DB::statement('truncate lookup_users');
 DB::statement('truncate lookup_contacts');
 DB::statement('truncate lookup_invitations');
- DB::statement('truncate lookup_tokens');
+ DB::statement('truncate lookup_account_tokens');
 DB::statement('SET FOREIGN_KEY_CHECKS = 1');
 }
 
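Review bot: The `(int) $this->option('page_size')` step in the `for` loop at @@ -65 is unguarded, so `--page_size=0` or a non-numeric value casts to 0 and `$i += 0` never terminates, while the matching `->limit()` at @@ -79 then fetches nothing. Read the option once and clamp it, `$pageSize = max(1, (int) $this->option('page_size'));`, and use `$pageSize` in both the loop step and the `->limit()` call; that also stops re-reading the option on every iteration. The option is declared with a default of 100 in `$signature` but with a default of `null` in `getOptions()` at @@ -205; whichever definition wins at runtime, keeping the two defaults in step avoids the same zero-step hang. Both enclosing methods continue outside their hunks.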
@@ -205,6 +205,7 @@ class InitLookup extends Command
 return [
 ['truncate', null, InputOption::VALUE_OPTIONAL, 'Truncate', null],
 ['company_id', null, InputOption::VALUE_OPTIONAL, 'Company Id', null],
+ ['page_size', null, InputOption::VALUE_OPTIONAL, 'Page Size', null],
 ];
 }
 
diff --git a/app/Http/Controllers/AccountApiController.php b/app/Http/Controllers/AccountApiController.php
index 4d9b4377f23c..59584cfeea77 100644
--- a/app/Http/Controllers/AccountApiController.php
+++ b/app/Http/Controllers/AccountApiController.php
@@ -39,6 +39,10 @@ class AccountApiController extends BaseAPIController
 public function register(RegisterRequest $request)
 {
 
+ if (! \App\Models\LookupUser::validateEmail()) {
+ return $this->errorResponse(['message' => trans('texts.email_taken')], 500);
+ }
+
 $account = $this->accountRepo->create($request->first_name, $request->last_name, $request->email, $request->password);
 $user = $account->users()->first();
 
diff --git a/app/Http/Controllers/AccountController.php b/app/Http/Controllers/AccountController.php
index 541924d5b118..08ff6d39bb04 100644
--- a/app/Http/Controllers/AccountController.php
+++ b/app/Http/Controllers/AccountController.php
@@ -1085,6 +1085,14 @@ class AccountController extends BaseController
 {
 /** @var \App\Models\User $user */
 $user = Auth::user();
+ $email = trim(strtolower(Input::get('email')));
+
+ if (! \App\Models\LookupUser::validateEmail($email, $user)) {
+ return Redirect::to('settings/' . ACCOUNT_USER_DETAILS)
+ ->withError(trans('texts.email_taken'))
+ ->withInput();
+ }
+
 $rules = ['email' => 'email|required|unique:users,email,'.$user->id.',id'];
 $validator = Validator::make(Input::all(), $rules);
 
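Review bot: `LookupUser::validateEmail()` in register() is called with no arguments although the method added in this commit requires `$email`, so on PHP 7.1+ every registration throws an ArgumentCountError, and on older versions the lookup runs against a null address and always passes; it should read `if (! \App\Models\LookupUser::validateEmail($request->email)) {`. A taken address is a client error, so the `errorResponse` status should be 4xx (422 fits) rather than 500, which would otherwise show up as a server fault in monitoring. The other callers in this commit lowercase and trim the address before the lookup; doing the same here keeps the comparison consistent across entry points.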
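Review bot: The lookup query in the @@ -1085 hunk is issued before the `email|required` validator runs, so an empty or malformed value from `Input::get('email')` (null when the field is absent, which `strtolower` only accepts with a deprecation notice on PHP 8.1+) reaches the lookup database first; UserController in this same commit runs the lookup check only after `$validator->fails()` has been handled, and this method should follow that order. Moving the `validateEmail` block below the validator branch also avoids a cross-database round trip for requests the validator would reject anyway. The validator handling and the rest of the method continue outside the hunk.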
@@ -1095,8 +1103,8 @@ class AccountController extends BaseController
 } else {
 $user->first_name = trim(Input::get('first_name'));
 $user->last_name = trim(Input::get('last_name'));
- $user->username = trim(Input::get('email'));
- $user->email = trim(strtolower(Input::get('email')));
+ $user->username = $email;
+ $user->email = $email;
 $user->phone = trim(Input::get('phone'));
 
 if (! Auth::user()->is_admin) {
@@ -1193,8 +1201,15 @@ class AccountController extends BaseController
 */
 public function checkEmail()
 {
- $email = User::withTrashed()->where('email', '=', Input::get('email'))
- ->where('id', '<>', Auth::user()->registered ? 0 : Auth::user()->id)
+ $email = trim(strtolower(Input::get('email')));
+ $user = Auth::user();
+
+ if (! \App\Models\LookupUser::validateEmail($email, $user)) {
+ return 'taken';
+ }
+
+ $email = User::withTrashed()->where('email', '=', $email)
+ ->where('id', '<>', $user->registered ? 0 : $user->id)
 ->first();
 
 if ($email) {
@@ -1234,6 +1249,10 @@ class AccountController extends BaseController
 $email = trim(strtolower(Input::get('new_email')));
 $password = trim(Input::get('new_password'));
 
+ if (! \App\Models\LookupUser::validateEmail($email, $user)) {
+ return '';
+ }
+
 if ($user->registered) {
 $newAccount = $this->accountRepo->create($firstName, $lastName, $email, $password, $account->company);
 $newUser = $newAccount->users()->first();
diff --git a/app/Http/Controllers/UserController.php b/app/Http/Controllers/UserController.php
index c6429521a875..9e83394cc1d4 100644
--- a/app/Http/Controllers/UserController.php
+++ b/app/Http/Controllers/UserController.php
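Review bot: `$user->username = $email;` changes the stored username from the trimmed, case-preserved address to the lowercased one, a behaviour change the commit message does not mention; if any login or lookup path compares `username` case-sensitively, users who registered with mixed-case addresses are affected after their next profile save. If the normalisation is intended, a comment such as `// username is normalised the same way as email` makes it deliberate; otherwise keep `$user->username = trim(Input::get('email'));`. The enclosing method starts outside the hunk.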
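Review bot: checkEmail() at @@ -1193 now answers `'taken'` for any address present in the cross-server lookup table, so this endpoint reports whether an email is registered with any account on any database server, not just in the local `users` table; that widens it into an existence oracle for every tenant. The handler reads `Auth::user()`, so it appears to require a session, which limits exposure, but it should sit behind the application's throttle middleware and the wider scope deserves a sentence in the commit description. A short comment above the lookup call, `// lookup covers all tenants, not only this account's users`, would tell the next reader why this differs from the local query below it.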
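Review bot: `return '';` at @@ -1234 when validateEmail fails tells the caller nothing about why the sign-up was rejected; the equivalent check added to AccountRepository in this commit returns `trans('texts.email_taken')`, and if this action's return value is the response body an empty string reads as success to the front end. Returning `trans('texts.email_taken')` here keeps the two paths consistent; if the empty string is a deliberate protocol the client understands, a one-line comment saying so would stop the next reader from changing it. The enclosing method starts and continues outside the hunk.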
@@ -170,13 +170,22 @@ class UserController extends BaseController
 
 $rules['email'] = 'required|email|unique:users,email,'.$user->id.',id';
 } else {
+ $user = false;
 $rules['email'] = 'required|email|unique:users';
 }
 
 $validator = Validator::make(Input::all(), $rules);
 
 if ($validator->fails()) {
- return Redirect::to($userPublicId ? 'users/edit' : 'users/create')->withInput()->withErrors($validator);
+ return Redirect::to($userPublicId ? 'users/edit' : 'users/create')
+ ->withErrors($validator)
+ ->withInput();
+ }
+
+ if (! \App\Models\LookupUser::validateEmail($email, $user)) {
+ return Redirect::to($userPublicId ? 'users/edit' : 'users/create')
+ ->withError(trans('texts.email_taken'))
+ ->withInput();
 }
 
 if ($userPublicId) {
diff --git a/app/Models/LookupUser.php b/app/Models/LookupUser.php
index 0dafa976e444..6d829fa48428 100644
--- a/app/Models/LookupUser.php
+++ b/app/Models/LookupUser.php
@@ -42,4 +42,27 @@ class LookupUser extends LookupModel
 config(['database.default' => $current]);
 }
 
+ public static function validateEmail($email, $user = false)
+ {
+ if (! env('MULTI_DB_ENABLED')) {
+ return true;
+ }
+
+ $current = config('database.default');
+ config(['database.default' => DB_NINJA_LOOKUP]);
+
+ $lookupUser = LookupUser::whereEmail($email)->first();
+
+ if ($user) {
+ $lookupAccount = LookupAccount::whereAccountKey($user->account->account_key)->firstOrFail();
+ $isValid = ! $lookupUser || ($lookupUser->lookup_account_id == $lookupAccount->id && $lookupUser->user_id == $user->id);
+ } else {
+ $isValid = ! $lookupUser;
+ }
+
+ config(['database.default' => $current]);
+
+ return $isValid;
+ }
+
 }
diff --git a/app/Ninja/Repositories/AccountRepository.php b/app/Ninja/Repositories/AccountRepository.php
index 89ea2c1d90c6..51ff426c2bbc 100644
--- a/app/Ninja/Repositories/AccountRepository.php
+++ b/app/Ninja/Repositories/AccountRepository.php
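Review bot: `$email`, passed to validateEmail after the validator branch, is not assigned anywhere in the hunk; if it is not set earlier in the method it is null here, the lookup runs against a null address and always passes, and the new check is silently a no-op for created users — confirm where it comes from or take it from `trim(strtolower(Input::get('email')))` as the other callers do. `$user = false;` exists only to satisfy validateEmail's `$user = false` default; `null` would be the conventional sentinel and is less likely to be mistaken for a boolean flag later. The enclosing method starts and continues outside the hunk.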
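Review bot: In LookupUser::validateEmail, `$user->account->account_key` is read after `config(['database.default' => DB_NINJA_LOOKUP])`, so if the `account` relation is not already loaded and the model has no explicit `$connection`, the lazy load is resolved against the lookup database instead of the tenant database; and if `firstOrFail()` throws, the default connection is never switched back for the remainder of the request. Resolve the account key before switching and restore the connection in a `finally` block, as below. Two further points: `env('MULTI_DB_ENABLED')` returns null once configuration is cached, which would make this method return `true` and silently skip the check, so read the flag through `config()` if the application exposes it there; and this is a check-then-insert sequence with no lock, so two concurrent registrations with the same address can both pass — a unique index on `lookup_users.email` remains the only reliable guard, which applies equally to every caller in this commit.
```php
    public static function validateEmail($email, $user = false)
    {
        if (! env('MULTI_DB_ENABLED')) {
            return true;
        }

        // Resolve anything that needs the tenant connection before switching to the lookup DB.
        $accountKey = $user ? $user->account->account_key : null;

        $current = config('database.default');
        config(['database.default' => DB_NINJA_LOOKUP]);

        try {
            $lookupUser = LookupUser::whereEmail($email)->first();

            if ($user) {
                $lookupAccount = LookupAccount::whereAccountKey($accountKey)->firstOrFail();
                $isValid = ! $lookupUser || ($lookupUser->lookup_account_id == $lookupAccount->id && $lookupUser->user_id == $user->id);
            } else {
                $isValid = ! $lookupUser;
            }
        } finally {
            // Always restore the default connection, even when firstOrFail() throws.
            config(['database.default' => $current]);
        }

        return $isValid;
    }
```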
@@ -449,12 +449,16 @@ class AccountRepository
 if (! $user->registered) {
 $rules = ['email' => 'email|required|unique:users,email,'.$user->id.',id'];
 $validator = Validator::make(['email' => $email], $rules);
+
 if ($validator->fails()) {
 $messages = $validator->messages();
-
 return $messages->first('email');
 }
 
+ if (! \App\Models\LookupUser::validateEmail($email, $user)) {
+ return trans('texts.email_taken');
+ }
+
 $user->email = $email;
 $user->first_name = $firstName;
 $user->last_name = $lastName;