leonardo/yii2-usuario
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge branch 'master' into feature/#572_malpositioned_disconnect_button_in_networks_view

Browse Source
This commit is contained in:
edegaudenzi
2025-04-16 16:14:54 +01:00
committed by GitHub
parent ff61596e56 b837304722
commit 7f45a3b6cb
11 changed files with 245 additions and 23 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
.github/workflows/php.yml vendored
View File

@ -76,7 +76,7 @@ jobs:
run: vendor/bin/phpstan analyse
- name: Archive failed tests artifacts - test output & log
uses: actions/upload-artifact@v2
uses: actions/upload-artifact@v4
if: failure()
with:
name: test-outputs-php-${{ matrix.php-versions }}

7
CHANGELOG.md
View File

@ -5,7 +5,11 @@
- Enh: Changed exception thrown in PasswordRecoveryService from `RuntimeException` to `NotFoundException`. (eseperio)
- New #553: created Da\User\AuthClient\Microsoft365 auth client (edegaudenzi)
- Ehh: Added SecurityHelper to the Bootstrap classMap
- Fix #572: Correctly positioned the 'Disconnect' button in networks view
- Fix #546: The profile/show page must not be visible by default, implement configurable policy (TonisOrmisson)
- Fix #397: No more fatal Exceptions when connecting to already taken Social Network (edegaudenzi)
- Ehh: Added option to pre-fill recovery email via url parameter (TonisOrmisson)
- Ehh: Fixed pretty-url rules not initialized for console apps (TonisOrmisson)
- Fix #572: Correctly positioned the 'Disconnect' button in networks view (edegaudenzi)
## 1.6.3 Mar 18th, 2024
@ -14,6 +18,7 @@
- Fix: Social Network Auth (eluhr)
- Enh #532: /user/registration/register now shows form validation errors
- Enh: Allow/suggest new v3 releases of 2amigos 2fa dependencies: 2fa-library, qrcode-library (TonisOrmisson)
- Ehh: Added all the classes to the Bootstrap.php classMap
- Enh: Added option to disable viewing any other user's profile for non-admin users (TonisOrmisson)
- Ehn: updated Estonian (et) translation by (TonisOrmisson)
- Ehn: use recaptcha.net instead of google.com (Eseperio)

14
docs/install/configuration-options.md
View File

@ -241,6 +241,15 @@ simple backends with static administrators that won't change throughout time.
Configures the permission name for `administrators`. See [AuthHelper](../../src/User/Helper/AuthHelper.php).
#### profileVisibility (type: `integer`, default:`0` (ProfileController::PROFILE_VISIBILITY_OWNER))
Configures to whom users 'profile/show' (public profile) page is shown. Constant values are defined in
[ProfileController](../../src/User/Controller/ProfileController.php) as constants. The visibility levels are:
- `0` (ProfileController::PROFILE_VISIBILITY_OWNER): The users profile page is shown ONLY to user itself, the owner of the profile.
- `1` (ProfileController::PROFILE_VISIBILITY_ADMIN): The users profile is shown ONLY to user itself (owner) AND users defined by module as admins.
- `2` (ProfileController::PROFILE_VISIBILITY_USERS): Any users profile page is shown to any other non-guest user.
- `3` (ProfileController::PROFILE_VISIBILITY_PUBLIC): Any user profile views are globally public and visible to anyone (including guests).
#### prefix (type: `string`, default: `user`)
Configures the URL prefix for the module.
@ -313,11 +322,6 @@ Set to `true` to restrict user assignments to roles only.
If `true` registration and last login IPs are not logged into users table, instead a dummy 127.0.0.1 is used
#### disableProfileViewsForRegularUsers (type: `boolean`, default: `false`)
If `true` only admin users have access to view any other user's profile. By default any user can see any other users public profile page.
#### minPasswordRequirements (type: `array`, default: `['lower' => 1, 'digit' => 1, 'upper' => 1]`)
Minimum requirements when a new password is automatically generated.

44
src/User/Bootstrap.php
View File

@ -30,6 +30,7 @@ use yii\console\Application as ConsoleApplication;
use yii\helpers\ArrayHelper;
use yii\i18n\PhpMessageSource;
use yii\web\Application as WebApplication;
use yii\web\UrlManager;
/**
* Bootstrap class of the yii2-usuario extension. Configures container services, initializes translations,
@ -49,10 +50,10 @@ class Bootstrap implements BootstrapInterface
$this->initTranslations($app);
$this->initContainer($app, $map);
$this->initMailServiceConfiguration($app, $app->getModule('user'));
$this->initUrlRoutes($app);
if ($app instanceof WebApplication) {
$this->initControllerNamespace($app);
$this->initUrlRoutes($app);
$this->initUrlRestRoutes($app);
$this->initAuthCollection($app);
$this->initAuthManager($app);
@ -256,11 +257,11 @@ class Bootstrap implements BootstrapInterface
/**
* Initializes web url routes (rules in Yii2).
*
* @param WebApplication $app
* @param Application $app
*
* @throws InvalidConfigException
*/
protected function initUrlRoutes(WebApplication $app)
protected function initUrlRoutes(Application $app)
{
/** @var $module Module */
$module = $app->getModule('user');
@ -274,8 +275,13 @@ class Bootstrap implements BootstrapInterface
$config['routePrefix'] = 'user';
}
$urlManager = $app->getUrlManager();
if(!($urlManager instanceof UrlManager)) {
return;
}
$rule = Yii::createObject($config);
$app->getUrlManager()->addRules([$rule], false);
$urlManager->addRules([$rule], false);
}
/**
@ -399,13 +405,17 @@ class Bootstrap implements BootstrapInterface
'Assignment',
'Permission',
'Role',
'SessionHistory'
'SessionHistory',
'AbstractAuthItem',
'Rule',
],
'Da\User\Search' => [
'UserSearch',
'PermissionSearch',
'RoleSearch',
'SessionHistorySearch',
'RuleSearch',
'AbstractAuthItemSearch',
],
'Da\User\Form' => [
'RegistrationForm',
@ -413,12 +423,36 @@ class Bootstrap implements BootstrapInterface
'LoginForm',
'SettingsForm',
'RecoveryForm',
'GdprDeleteForm',
],
'Da\User\Service' => [
'AccountConfirmationService',
'AuthItemEditionService',
'AuthRuleEditionService',
'EmailChangeService',
'MailService',
'PasswordExpireService',
'PasswordRecoveryService',
'ResendConfirmationService',
'ResetPasswordService',
'SocialNetworkAccountConnectService',
'SocialNetworkAuthenticateService',
'SwitchIdentityService',
'TwoFactorEmailCodeGeneratorService',
'TwoFactorQrCodeUriGeneratorService',
'TwoFactorSmsCodeGeneratorService',
'UpdateAuthAssignmentsService',
'UserBlockService',
'UserConfirmationService',
'UserCreateService',
'UserRegisterService',
],
'Da\User\Helper' => [
'AuthHelper',
'ClassMapHelper',
'MigrationHelper',
'SecurityHelper',
'TimezoneHelper',
]
];

35
src/User/Controller/ProfileController.php
View File

@ -25,6 +25,15 @@ class ProfileController extends Controller
{
use ModuleAwareTrait;
/** @var int will allow only profile owner */
const PROFILE_VISIBILITY_OWNER = 0;
/** @var int will allow profile owner and admin users */
const PROFILE_VISIBILITY_ADMIN = 1;
/** @var int will allow any logged-in users */
const PROFILE_VISIBILITY_USERS = 2;
/** @var int will allow anyone, including guests */
public const PROFILE_VISIBILITY_PUBLIC = 3;
protected $profileQuery;
/**
@ -73,11 +82,33 @@ class ProfileController extends Controller
public function actionShow($id)
{
$user = Yii::$app->user;
/** @var User $identity */
$id = (int) $id;
/** @var ?User $identity */
$identity = $user->getIdentity();
if($user->getId() != $id && $this->module->disableProfileViewsForRegularUsers && !$identity->getIsAdmin()) {
switch($this->module->profileVisibility) {
case static::PROFILE_VISIBILITY_OWNER:
if($identity === null || $id !== $user->getId()) {
throw new ForbiddenHttpException();
}
break;
case static::PROFILE_VISIBILITY_ADMIN:
if($id === $user->getId() || ($identity !== null && $identity->getIsAdmin())) {
break;
}
throw new ForbiddenHttpException();
case static::PROFILE_VISIBILITY_USERS:
if((!$user->getIsGuest())) {
break;
}
throw new ForbiddenHttpException();
case static::PROFILE_VISIBILITY_PUBLIC:
break;
default:
throw new ForbiddenHttpException();
}
$profile = $this->profileQuery->whereUserId($id)->one();

8
src/User/Controller/RecoveryController.php
View File

@ -89,14 +89,18 @@ class RecoveryController extends Controller
throw new NotFoundHttpException();
}
$request = Yii::$app->request;
/** @var RecoveryForm $form */
$form = $this->make(RecoveryForm::class, [], ['scenario' => RecoveryForm::SCENARIO_REQUEST]);
if(!$request->getIsPost() && !empty($request->get('email'))) {
$form->email = $request->get('email');
}
$event = $this->make(FormEvent::class, [$form]);
$this->make(AjaxRequestModelValidator::class, [$form])->validate();
if ($form->load(Yii::$app->request->post()) && $form->validate()) {
if ($form->load($request->post()) && $form->validate()) {
$this->trigger(FormEvent::EVENT_BEFORE_REQUEST, $event);
$mailService = MailFactory::makeRecoveryMailerService($form->email);

12
src/User/Module.php
View File

@ -12,6 +12,7 @@
namespace Da\User;
use Da\User\Contracts\MailChangeStrategyInterface;
use Da\User\Controller\ProfileController;
use Da\User\Filter\AccessRuleFilter;
use Yii;
use yii\base\Module as BaseModule;
@ -181,6 +182,12 @@ class Module extends BaseModule
* @var string the administrator permission name
*/
public $administratorPermissionName;
/**
* @var int $profileVisibility Defines the level of user's profile page visibility.
* Defaults to ProfileController::PROFILE_VISIBILITY_OWNER meaning no-one except the user itself can view
* the profile. @see ProfileController constants for possible options
*/
public $profileVisibility = ProfileController::PROFILE_VISIBILITY_OWNER;
/**
* @var string the route prefix
*/
@ -219,6 +226,7 @@ class Module extends BaseModule
'<action:(register|resend)>' => 'registration/<action>',
'confirm/<id:\d+>/<code:[A-Za-z0-9_-]+>' => 'registration/confirm',
'forgot' => 'recovery/request',
'forgot/<email:[a-zA-Z0-9_.±]+@[a-zA-Z0-9-]+.[a-zA-Z0-9-.]+>' => 'recovery/request',
'recover/<id:\d+>/<code:[A-Za-z0-9_-]+>' => 'recovery/reset'
];
/**
@ -241,10 +249,6 @@ class Module extends BaseModule
* @var boolean whether to disable IP logging into user table
*/
public $disableIpLogging = false;
/**
* @var boolean whether to disable viewing any user's profile for non-admin users
*/
public $disableProfileViewsForRegularUsers = false;
/**
* @var array Minimum requirements when a new password is automatically generated.
* Array structure: `requirement => minimum number characters`.

2
src/User/Service/SocialNetworkAccountConnectService.php
View File

@ -93,6 +93,6 @@ class SocialNetworkAccountConnectService implements ServiceInterface
}
}
return false;
return $account;
}
}

4
tests/_fixtures/data/profile.php
View File

@ -7,4 +7,8 @@ return [
'user_id' => 1,
'name' => 'John Doe',
],
'seconduser' => [
'user_id' => 9,
'name' => 'John Doe 2',
],
];

26
tests/_fixtures/data/user.php
View File

@ -87,4 +87,30 @@ return [
'confirmed_at' => $time,
'gdpr_consent' => false,
],
'admin' => [
'id' => 8,
'username' => 'admin',
'email' => 'admin@example.com',
'password_hash' => '$2y$13$qY.ImaYBppt66qez6B31QO92jc5DYVRzo5NxM1ivItkW74WsSG6Ui',
'auth_key' => '39HU0m5lpjWtqstFVGFjj6lFb7UZDeRq',
'auth_tf_key' => '',
'auth_tf_enabled' => false,
'created_at' => $time,
'updated_at' => $time,
'confirmed_at' => $time,
'gdpr_consent' => false,
],
'seconduser' => [
'id' => 9,
'username' => 'seconduser',
'email' => 'seconduser@example.com',
'password_hash' => '$2y$13$qY.ImaYBppt66qez6B31QO92jc5DYVRzo5NxM1ivItkW74WsSG6Ui',
'auth_key' => '776960890cec5ac53525f0e910716f5a',
'auth_tf_key' => '',
'auth_tf_enabled' => false,
'created_at' => $time,
'updated_at' => $time,
'confirmed_at' => $time,
'gdpr_consent' => false,
],
];

110
tests/functional/ProfileCept.php Normal file
View File

@ -0,0 +1,110 @@
<?php
/**
* @var Codeception\Scenario
*/
use tests\_fixtures\ProfileFixture;
use tests\_fixtures\UserFixture;
$I = new FunctionalTester($scenario);
$I->haveFixtures([
'user' => UserFixture::class,
'profile' => ProfileFixture::class
]);
$user = $I->grabFixture('user', 'user');
$secondUser = $I->grabFixture('user', 'seconduser');
$adminUser = $I->grabFixture('user', 'admin');
$I->wantTo('Ensure that profile profile pages are shown only to when user has correct permissions and else forbidden');
Yii::$app->getModule('user')->profileVisibility = \Da\User\Controller\ProfileController::PROFILE_VISIBILITY_OWNER;
Yii::$app->getModule('user')->administrators = ['admin'];
$I->amLoggedInAs($user);
$I->amGoingTo('try to open users own profile page');
$I->amOnRoute('/user/profile/show', ['id' => $user->id]);
$I->expectTo('See the profile page');
$I->dontSee('Forbidden');
$I->see('Joined on');
$I->amGoingTo('Profile visibility::OWNER: try to open another users profile page');
$I->amOnRoute('/user/profile/show', ['id' => $secondUser->id]);
$I->expectTo('See the profile page');
$I->see('Forbidden');
$I->dontSee('Joined on');
Yii::$app->user->logout();
$I->amGoingTo('Profile visibility::OWNER: try to open users profile page as guest');
$I->amOnRoute('/user/profile/show', ['id' => $user->id]);
$I->expectTo('See the profile page');
$I->see('Forbidden');
$I->dontSee('Joined on');
Yii::$app->getModule('user')->profileVisibility = \Da\User\Controller\ProfileController::PROFILE_VISIBILITY_ADMIN;
$I->amLoggedInAs($user);
$I->amGoingTo('Profile visibility::PROFILE_VISIBILITY_ADMIN: try to open users own profile page');
$I->amOnRoute('/user/profile/show', ['id' => $user->id]);
$I->expectTo('See the profile page');
$I->dontSee('Forbidden');
$I->see('Joined on');
$I->amGoingTo('Profile visibility::PROFILE_VISIBILITY_ADMIN: try to open another users profile page as regular user');
$I->amOnRoute('/user/profile/show', ['id' => $secondUser->id]);
$I->expectTo('See the profile page');
$I->see('Forbidden');
$I->dontSee('Joined on');
$I->amLoggedInAs($adminUser);
$I->amGoingTo('Profile visibility::PROFILE_VISIBILITY_ADMIN: try to open another users profile page as admin');
$I->amOnRoute('/user/profile/show', ['id' => $user->id]);
$I->expectTo('See the profile page');
$I->dontSee('Forbidden');
$I->see('Joined on');
Yii::$app->user->logout();
$I->amGoingTo('Profile visibility::PROFILE_VISIBILITY_ADMIN: try to open users profile page as guest');
$I->amOnRoute('/user/profile/show', ['id' => $user->id]);
$I->expectTo('See the profile page');
$I->see('Forbidden');
$I->dontSee('Joined on');
Yii::$app->getModule('user')->profileVisibility = \Da\User\Controller\ProfileController::PROFILE_VISIBILITY_USERS;
$I->amLoggedInAs($user);
$I->amGoingTo('Profile visibility::PROFILE_VISIBILITY_USERS: try to open users own profile page');
$I->amOnRoute('/user/profile/show', ['id' => $user->id]);
$I->expectTo('See the profile page');
$I->dontSee('Forbidden');
$I->see('Joined on');
$I->amGoingTo('Profile visibility::PROFILE_VISIBILITY_USERS: try to open another users profile page as regular user');
$I->amOnRoute('/user/profile/show', ['id' => $secondUser->id]);
$I->expectTo('See the profile page');
$I->dontSee('Forbidden');
$I->see('Joined on');
$I->amLoggedInAs($adminUser);
$I->amGoingTo('Profile visibility::PROFILE_VISIBILITY_USERS: try to open another users profile page as admin');
$I->amOnRoute('/user/profile/show', ['id' => $user->id]);
$I->expectTo('See the profile page');
$I->dontSee('Forbidden');
$I->see('Joined on');
Yii::$app->user->logout();
$I->amGoingTo('Profile visibility::PROFILE_VISIBILITY_USERS: try to open users profile page as guest');
$I->amOnRoute('/user/profile/show', ['id' => $user->id]);
$I->expectTo('See the profile page');
$I->see('Forbidden');
$I->dontSee('Joined on');
Yii::$app->getModule('user')->profileVisibility = \Da\User\Controller\ProfileController::PROFILE_VISIBILITY_PUBLIC;
Yii::$app->user->logout();
$I->amGoingTo('Profile visibility::PROFILE_VISIBILITY_PUBLIC: try to open users profile page as guest');
$I->amOnRoute('/user/profile/show', ['id' => $user->id]);
$I->expectTo('See the profile page');
$I->dontSee('Forbidden');
$I->see('Joined on');