liquid_feedback_frontend: 58f48a8a202a model/member.lua

252 selector:join("privilege", "__model_member__privilege", { "member.id = __model_member__privilege.member_id AND __model_member__privilege.voting_right AND __model_member__privilege.unit_id = ?", args.voting_right_for_unit_id })

253 end

254 if args.admin_search then

255 local search_string = "%" .. args.admin_search .. "%"

256 selector:add_where{ "member.identification ILIKE ? OR member.name ILIKE ?", search_string, search_string }

257 end

258 if args.order then

259 if args.order == "id" then

260 selector:add_order_by("id")

261 elseif args.order == "identification" then

262 selector:add_order_by("identification")

263 elseif args.order == "name" then

264 selector:add_order_by("name")

265 else

266 error("invalid order")

267 end

268 end

269 return selector

270 end

271

272 function Member:lockForReference()

273 self.get_db_conn().query("LOCK TABLE " .. self:get_qualified_table() .. " IN ROW SHARE MODE")

274 end

275

276

277 function Member:get_all_by_authority(authority)

278

279 local members = Member:new_selector()

280 :add_where{ "authority = ?", authority }

281 :add_field("authority_data->'uid' as authority_data_uid")

282 :exec()

283

284 return members

285 end

286

287 function Member.object:set_password(password)

288 trace.disable()

289

290 local hash_prefix

291 local salt_length

292

293 local function rounds()

294 return multirand.integer(

295 config.password_hash_min_rounds,

296 config.password_hash_max_rounds

297 )

298 end

299

300 if config.password_hash_algorithm == "crypt_md5" then

301 hash_prefix = "$1$"

302 salt_length = 8

303

304 elseif config.password_hash_algorithm == "crypt_sha256" then

305 hash_prefix = "$5$rounds=" .. rounds() .. "$"

306 salt_length = 16

307

308 elseif config.password_hash_algorithm == "crypt_sha512" then

309 hash_prefix = "$6$rounds=" .. rounds() .. "$"

310 salt_length = 16

311

312 else

313 error("Unknown hash algorithm selected in configuration")

314

315 end

316

317 hash_prefix = hash_prefix .. multirand.string(

318 salt_length,

319 "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz./"

320 )

321

322 local hash = extos.crypt(password, hash_prefix)

323

324 if not hash or hash:sub(1, #hash_prefix) ~= hash_prefix then

325 error("Password hashing algorithm failed")

326 end

327

328 self.password = hash

329 end

330

331 function Member.object:check_password(password)

332 if type(password) == "string" and type(self.password) == "string" then

333 return extos.crypt(password, self.password) == self.password

334 else

335 return false

336 end

337 end

338

339 function Member.object_get:password_hash_needs_update()

340

341 if self.password == nil then

342 return nil

343 end

344

345 local function check_rounds(rounds)

346 if rounds then

347 rounds = tonumber(rounds)

348 if

349 rounds >= config.password_hash_min_rounds and

350 rounds <= config.password_hash_max_rounds

351 then

352 return false

353 end

354 end

355 return true

356 end

357

358 if config.password_hash_algorithm == "crypt_md5" then

359

360 return self.password:sub(1,3) ~= "$1$"

361

362 elseif config.password_hash_algorithm == "crypt_sha256" then

363

364 return check_rounds(self.password:match("^%$5%$rounds=([1-9][0-9]*)%$"))

365

366 elseif config.password_hash_algorithm == "crypt_sha512" then

367

368 return check_rounds(self.password:match("^%$6%$rounds=([1-9][0-9]*)%$"))

369

370 else

371 error("Unknown hash algorithm selected in configuration")

372

373 end

374

375 end

376

377 function Member.object_get:published_contacts()

378 return Member:new_selector()

379 :join('"contact"', nil, '"contact"."other_member_id" = "member"."id"')

380 :add_where{ '"contact"."member_id" = ?', self.id }

381 :add_where("public")

382 :exec()

383 end

384

385 function Member:by_login_and_password(login, password)

386

387 local function prepare_login_selector()

388 local selector = self:new_selector()

389 selector:add_field({ "now() > COALESCE(last_delegation_check, activated) + ?::interval", config.check_delegations_interval_hard }, "needs_delegation_check_hard")

390 selector:add_where('NOT "locked"')

391 selector:optional_object_mode()

392 return selector

393 end

394

395 local function do_local_login()

396 local selector = prepare_login_selector()

397 selector:add_where{'"login" = ?', login }

398 local member = selector:exec()

399 if member and member:check_password(password) then

400 return member

401 else

402 return nil

403 end

404 end

405

406 if config.ldap.member then

407

408 -- Let's check the users credentials against the LDAP

409 local ldap_entry, ldap_err = ldap.check_credentials(login, password)

410

411 -- Is the user already registered as member?

412 local uid

413 local selector = prepare_login_selector()

414

415 -- Get login name from LDAP entry

416 if ldap_entry then

417 uid = config.ldap.member.uid_map(ldap_entry)

418 selector:add_where{'"authority" = ? AND "authority_data"->\'uid\' = ?', "ldap", uid }

419

420 -- or build it from the login

421 else

422 login = config.ldap.member.login_normalizer(login)

423 selector:add_where{'"authority" = ? AND "authority_data"->\'login\' = ?', "ldap", login }

424 end

425

426 local member = selector:exec()

427 -- The member is already registered

428 if member then

429

430 -- The credentials entered by the user are invalid

431 if ldap_err == "invalid_credentials" then

432

433 -- Check if the user tried a cached password (which is invalid now)

434 if config.ldap.member.cache_passwords and member:check_password(password) then

435 member.password = nil

436 member:save()

437 end

438

439 -- Try a regular login

440 return do_local_login()

441

442 end

443

444 -- The credentials were accepted by the LDAP server and no error occured

445 if ldap_entry and not ldap_err then

446

447 -- Cache the password (if feature enabled)

448 if config.ldap.member.cache_passwords and not member:check_password(password) then

449 member:set_password(password)

450 end

451

452 -- update the member attributes and privileges from LDAP

453 local ldap_conn, ldap_err, err, err2 = ldap.update_member_attr(member, nil, uid)

454 if not err then

455 local err = member:try_save()

456 if err then

457 return nil, "member_save_error", err

458 end

459 local succes, err, err2 = ldap.update_member_privileges(member, ldap_entry)

460 if err then

461 return nil, "update_member_privileges_error", err, err2

462 end

463 return member

464 end

465

466 end

467

468 -- Some kind of LDAP error happened, if cached password are enabled,

469 -- check user credentials against the cache

470 if config.ldap.member.cache_passwords and member:check_password(password) then

471

472 -- return the successfully logged in member

473 return member

474

475 end

476

477 -- The member is not registered

478 elseif config.ldap.member.registration and ldap_entry and not ldap_err then

479 -- Automatic registration ("auto")

480 if config.ldap.member.registration == "auto" then

481 member = Member:new()

482 member.authority = "ldap"

483 local ldap_login

484 if config.ldap.member.cache_passwords then

485 if config.ldap.member.login_normalizer then

486 ldap_login = config.ldap.member.login_normalizer(login)

487 else

488 ldap_login = login

489 end

490 end

491 -- TODO change this when SQL layers supports hstore

492 member.authority_data = encode.pg_hstore{

493 uid = uid,

494 login = ldap_login

495 }

496 member.activated = "now"

497 member.last_activity = "now"

498 if config.ldap.member.cache_passwords then

499 member:set_password(password)

500 end

501 local ldap_conn, ldap_err, err, err2 = ldap.update_member_attr(member, nil, uid)

502 if not err then

503 local err = member:try_save()

504 if err then

505 return nil, "member_save_error", err

506 end

507 local success, err, err2 = ldap.update_member_privileges(member, ldap_entry)

508 if err then

509 return nil, "update_member_privileges_error", err, err2

510 end

511 return member

512 end

513

514 -- No automatic registration

515 else

516 return nil, "ldap_credentials_valid_but_no_member", uid

517 end

518 end

519

520 end

521

522 return do_local_login()

523

524 end

525

526 function Member:by_login(login)

527 local selector = self:new_selector()

528 selector:add_where{'"login" = ?', login }

529 selector:optional_object_mode()

530 return selector:exec()

531 end

532

533 function Member:by_name(name)

534 local selector = self:new_selector()

535 selector:add_where{'"name" = ?', name }

536 selector:optional_object_mode()

537 return selector:exec()

538 end

539

540 function Member:get_search_selector(search_string)

541 return self:new_selector()

542 :add_field( {'"highlight"("member"."name", ?)', search_string }, "name_highlighted")

543 :add_where{ '"member"."text_search_data" @@ "text_search_query"(?)', search_string }

544 :add_where("activated NOTNULL AND active")

545 end

546

547 function Member.object:send_invitation(template_file, subject)

548 trace.disable()

549 self.invite_code = multirand.string( 24, "23456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz" )

550 self:save()

551

552 local subject = subject

553 local content

554

555 if template_file then

556 local fh = io.open(template_file, "r")

557 content = fh:read("*a")

558 content = (content:gsub("#{invite_code}", self.invite_code))

559 else

560 subject = config.mail_subject_prefix .. _"Invitation to LiquidFeedback"

561 content = slot.use_temporary(function()

562 slot.put(_"Hello\n\n")

563 slot.put(_"You are invited to LiquidFeedback. To register please click the following link:\n\n")

564 slot.put(request.get_absolute_baseurl() .. "index/register.html?invite=" .. self.invite_code .. "\n\n")

565 slot.put(_"If this link is not working, please open following url in your web browser:\n\n")

566 slot.put(request.get_absolute_baseurl() .. "index/register.html\n\n")

567 slot.put(_"On that page please enter the invite key:\n\n")

568 slot.put(self.invite_code .. "\n\n")

569 end)

570 end

571

572 local success = net.send_mail{

573 envelope_from = config.mail_envelope_from,

574 from = config.mail_from,

575 reply_to = config.mail_reply_to,

576 to = self.notify_email_unconfirmed or self.notify_email,

577 subject = subject,

578 content_type = "text/plain; charset=UTF-8",

579 content = content

580 }

581 return success

582 end

583

584 function Member.object:set_notify_email(notify_email)

585 trace.disable()

586 local expiry = db:query("SELECT now() + '7 days'::interval as expiry", "object").expiry

587 self.notify_email_unconfirmed = notify_email

588 self.notify_email_secret = multirand.string( 24, "23456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz" )

589 self.notify_email_secret_expiry = expiry

590 local content = slot.use_temporary(function()

591 slot.put(_"Hello " .. self.name .. ",\n\n")

592 slot.put(_"Please confirm your email address by clicking the following link:\n\n")

593 slot.put(request.get_absolute_baseurl() .. "index/confirm_notify_email.html?secret=" .. self.notify_email_secret .. "\n\n")

594 slot.put(_"If this link is not working, please open following url in your web browser:\n\n")

595 slot.put(request.get_absolute_baseurl() .. "index/confirm_notify_email.html\n\n")

596 slot.put(_"On that page please enter the confirmation code:\n\n")

597 slot.put(self.notify_email_secret .. "\n\n")

598 end)

599 local success = net.send_mail{

600 envelope_from = config.mail_envelope_from,

601 from = config.mail_from,

602 reply_to = config.mail_reply_to,

603 to = self.notify_email_unconfirmed,

604 subject = config.mail_subject_prefix .. _"Email confirmation request",

605 content_type = "text/plain; charset=UTF-8",

606 content = content

607 }

608 if success then

609 local lock_expiry = db:query("SELECT now() + '1 hour'::interval AS lock_expiry", "object").lock_expiry

610 self.notify_email_lock_expiry = lock_expiry

611 end

612 self:save()

613 return success

614 end

615

616 function Member.object:get_setting(key)

617 return Setting:by_pk(self.id, key)

618 end

619

620 function Member.object:get_setting_value(key)

621 local setting = Setting:by_pk(self.id, key)

622 if setting then

623 return setting.value

624 end

625 end

626

627 function Member.object:set_setting(key, value)

628 local setting = self:get_setting(key)

629 if not setting then

630 setting = Setting:new()

631 setting.member_id = self.id

632 setting.key = key

633 end

634 setting.value = value

635 setting:save()

636 end

637

638 function Member.object:get_setting_maps_by_key(key)

639 return SettingMap:new_selector()

640 :add_where{ "member_id = ?", self.id }

641 :add_where{ "key = ?", key }

642 :add_order_by("subkey")

643 :exec()

644 end

645

646 function Member.object:get_setting_map_by_key_and_subkey(key, subkey)

647 return SettingMap:new_selector()

648 :add_where{ "member_id = ?", self.id }

649 :add_where{ "key = ?", key }

650 :add_where{ "subkey = ?", subkey }

651 :add_order_by("subkey")

652 :optional_object_mode()

653 :exec()

654 end

655

656 function Member.object:set_setting_map(key, subkey, value)

657 setting_map = self:get_setting_map_by_key_and_subkey(key, subkey)

658 if not setting_map then

659 setting_map = SettingMap:new()

660 setting_map.member_id = self.id

661 setting_map.key = key

662 setting_map.subkey = subkey

663 end

664 setting_map.value = value

665 setting_map:save()

666 end

667

668 function Member.object_get:notify_email_locked()

669 return(

670 Member:new_selector()

671 :add_where{ "id = ?", app.session.member.id }

672 :add_where("notify_email_lock_expiry > now()")

673 :count() == 1

674 )

675 end

676

677 function Member.object_get:units_with_voting_right()

678 return(Unit:new_selector()

679 :join("privilege", nil, { "privilege.unit_id = unit.id AND privilege.member_id = ? AND privilege.voting_right", self.id })

680 :exec()

681 )

682 end

683

684 function Member.object:ui_field_text(args)

685 args = args or {}

686 if app.session:has_access("authors_pseudonymous") then

687 -- ugly workaround for getting html into a replaced string and to the user

688 ui.container{label = args.label, label_attr={class="ui_field_label"}, content = function()

689 slot.put(string.format('<span><a href="%s">%s</a></span>',

690 encode.url{

691 module = "member",

692 view = "show",

693 id = self.id,

694 },

695 encode.html(self.name)))

696 end

697 }

698 else

699 ui.field.text{ label = args.label, value = _"[not displayed public]" }

700 end

701 end

702

703 function Member.object:has_voting_right_for_unit_id(unit_id)

704 if not self.__units_with_voting_right_hash then

705 local privileges = Privilege:new_selector()

706 :add_where{ "member_id = ?", self.id }

707 :add_where("voting_right")

708 :exec()

709 self.__units_with_voting_right_hash = {}

710 for i, privilege in ipairs(privileges) do

711 self.__units_with_voting_right_hash[privilege.unit_id] = true

712 end

713 end

714 return self.__units_with_voting_right_hash[unit_id] and true or false

715 end

716

717 function Member.object:has_polling_right_for_unit_id(unit_id)

718 if not self.__units_with_polling_right_hash then

719 local privileges = Privilege:new_selector()

720 :add_where{ "member_id = ?", self.id }

721 :add_where("polling_right")

722 :exec()

723 self.__units_with_polling_right_hash = {}

724 for i, privilege in ipairs(privileges) do

725 self.__units_with_polling_right_hash[privilege.unit_id] = true

726 end

727 end

728 return self.__units_with_polling_right_hash[unit_id] and true or false

729 end

730

731 function Member.object:get_delegatee_member(unit_id, area_id, issue_id)

732 local selector = Member:new_selector()

733 if unit_id then

734 selector:join("delegation", nil, { "delegation.trustee_id = member.id AND delegation.scope = 'unit' AND delegation.unit_id = ? AND delegation.truster_id = ?", unit_id, self.id })

735 end

736 selector:optional_object_mode()

737 return selector:exec()

738 end

739