Be more paranoid with param in list context
index 3f09a435f8e57979dfa99e37b466432c901900bb..03dc7824687a9bd21282ceadc38b9fd233e427c9 100644 (file)
@@ -43,11 +43,12 @@ sub index :Path :Args(0) {
        }
        $c->stash(stylesheets => \@stylesheets);
 
-       my ($birthday,$timezone,$email) = $dbh->selectrow_array(q{
-SELECT birthday,timezone,email FROM users WHERE uid = $1
+       my ($birthday,$timezone,$email,$discord_id) = $dbh->selectrow_array(q{
+SELECT birthday,timezone,email,discord_id FROM users WHERE uid = $1
                },undef,$c->user->id);
        $c->stash(birthday => $birthday);
        $c->stash(email =>  $c->flash->{email} // $email);
+       $c->stash(discord_id =>  $c->flash->{discord_id} // $discord_id);
 
        my @timezone = split m{/},$timezone,2;
        $c->stash(timezone => \@timezone);
@@ -67,7 +68,8 @@ sub changeStylesheet : Local {
        my $query = $dbh->prepare(q{UPDATE users SET css = NULLIF($2,'Default')
                WHERE uid = $1
        });
-       $query->execute($c->user->id,html_escape $c->req->param('stylesheet'));
+       my $css = html_escape $c->req->param('stylesheet');
+       $query->execute($c->user->id,$css);
 
        $c->res->redirect($c->uri_for(''));
 }
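Review bot: The new `my $css = html_escape $c->req->param('stylesheet');` still evaluates `param()` in list context, because the argument list of `html_escape` is itself a list context; a request carrying several `stylesheet` parameters therefore still passes all of them to `html_escape`, and whether the extra values matter depends on how that helper unpacks `@_`, which is not visible here. To get the scalar-context read the commit title aims for, fetch the parameter first and escape it afterwards: `my $css = $c->req->param('stylesheet'); $css = html_escape $css;` (or write `html_escape scalar $c->req->param('stylesheet')`). The same pattern appears in the changeBirthday hunk below with `my $birthday = html_escape $c->req->param('birthday');`. The `sub changeStylesheet` line itself is outside the hunk.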
@@ -80,7 +82,8 @@ sub changeBirthday : Local {
                WHERE uid = $1
                });
        eval{
-               $query->execute($c->user->id,html_escape $c->req->param('birthday'));
+               my $birthday = html_escape $c->req->param('birthday');
+               $query->execute($c->user->id,$birthday);
        };
        if ($@){
                if ($@ =~ /invalid input syntax for type date/){
@@ -112,10 +115,18 @@ sub changePassword : Local {
        my ( $self, $c ) = @_;
        my $dbh = $c->model;
 
-       my $query = $dbh->prepare(q{UPDATE users SET password = MD5($1)
-               WHERE password = MD5($2) AND uid = $3
+       my $pass = $c->req->param('pass');
+       if (length $pass < 4) {
+               $c->flash(error => "Your password need to be at least 4 characters");
+       } else {
+               my $query = $dbh->prepare(q{UPDATE users SET password = $1
+                       WHERE password = crypt($2,password) AND uid = $3
                });
-       $query->execute($c->req->param('pass'),$c->req->param('oldpass'),$c->user->id);
+               my $oldpass = $c->req->param('oldpass');
+               $query->execute($pass,$oldpass,$c->user->id);
+
+               $c->flash(error => "Old password was invalid") unless $query->rows;
+       }
 
        $c->res->redirect($c->uri_for(''));
 }
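Review bot: The new UPDATE writes `$1` into `password` verbatim while its WHERE clause compares against `crypt($2,password)`, so unless a database trigger hashes the column on write (nothing in this hunk shows one) the new password is stored in plain text and the next `crypt()` comparison against it will not match either. If the schema relies on pgcrypto, the write side should hash as well, e.g. `UPDATE users SET password = crypt($1, gen_salt('bf'))`; if a trigger does the hashing, a one-line comment on the prepare saying so would keep the asymmetry from reading as a bug. The `unless $query->rows` check is a reasonable way to detect a wrong old password, since an UPDATE that matched no row reports zero affected rows. The `sub changePassword` line is outside the hunk; its closing brace is inside it.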
@@ -126,6 +137,16 @@ sub changeEmail : Local {
 
        my $email = $c->req->param('email');
 
+       if ($email =~ /^\s*$/) {
+               my $update = $dbh->prepare(q{
+UPDATE users SET email = NULL WHERE uid = $1;
+                       });
+               $update->execute($c->user->id);
+               $c->flash(error => 'email cleared');
+               $c->res->redirect($c->uri_for(''));
+               return,
+       }
+
        unless (Email::Valid->address($email)){
                $c->flash(email => $email);
                $c->flash(error => 'Invalid email address');
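Review bot: The early return in the new empty-email branch is written `return,` with a comma instead of a semicolon; Perl most likely parses it as returning an empty list before the closing brace, so it works by accident, but it should read `return;`. The same typo is in the empty-discord-id branch of changeDiscordId further down. The `'email cleared'` text is also stored under the `error` flash key although it reports success; if the template only has one message slot that is fine, otherwise a separate key would avoid presenting a success message as an error. The `sub changeEmail` line is outside the hunk.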
@@ -142,7 +163,7 @@ INSERT INTO email_change (uid,email) VALUES ($1,$2) RETURNING id;
                my ($id) = $insert->fetchrow_array;
 
                my %mail = (
-                       smtp => 'ruin.nu',
+                       smtp => 'localhost',
                        To      => $email,
                        From    => 'NewDawn Command <nd@ruin.nu>',
                        'Content-type' => 'text/plain; charset="UTF-8"',
@@ -172,6 +193,39 @@ use the following url to confirm the change:
        $c->res->redirect($c->uri_for(''));
 }
 
+sub changeDiscordId : Local {
+       my ( $self, $c ) = @_;
+       my $dbh = $c->model;
+
+       my $discord_id = $c->req->param('discord_id');
+
+       if ($discord_id =~ /^\s*$/) {
+               my $update = $dbh->prepare(q{
+UPDATE users SET discord_id = NULL WHERE uid = $1;
+                       });
+               $update->execute($c->user->id);
+               $c->flash(error => 'discord id cleared');
+               $c->res->redirect($c->uri_for(''));
+               return,
+       }
+
+       eval{
+               my $update = $dbh->prepare(q{
+UPDATE users SET discord_id = $2 WHERE uid = $1;
+                       });
+               $update->execute($c->user->id,$discord_id);
+       };
+       if($@){
+               if($@ =~ /duplicate key value violates unique constraint/){
+                       $c->flash(discord_id => $discord_id);
+                       $c->flash(error => 'Someone else is using this discord id, duplicate account?');
+               }else{
+                       die $@;
+               }
+       }
+       $c->res->redirect($c->uri_for(''));
+}
+
 sub confirmEmail : Local {
        my ( $self, $c, $id ) = @_;
        my $dbh = $c->model;
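Review bot: changeDiscordId stores whatever string arrives in `discord_id` after only checking that it is non-blank; if the column is meant to hold a Discord user id (a numeric snowflake), an anchored check before the UPDATE, such as `if ($discord_id !~ /^\d+$/) { $c->flash(error => 'Invalid discord id'); $c->res->redirect($c->uri_for('')); return; }`, would reject arbitrary text, and either way the accepted format should be stated in a comment on the sub. Detecting the duplicate by matching the error text `duplicate key value violates unique constraint` is brittle against driver or server wording changes; DBI exposes the SQLSTATE through `$dbh->state`, and PostgreSQL reports unique violations as `23505`, which is a more stable test inside the `if($@)` branch. The context lines at the top of the hunk belong to changeEmail and those at the bottom to confirmEmail, both of which continue outside it.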