feat(api): refactored private API to update user data

Author: thorsten

phpmyfaq/.htaccess

@@ -95,7 +95,7 @@ Header set Access-Control-Allow-Headers "Content-Type, Authorization"
     RewriteRule user/(ucp|bookmarks|request-removal|logout) index.php?action=$1 [L,QSA]
 
     # Private APIs
-    RewriteRule api/(autocomplete|bookmark/([0-9]+)) api/index.php [L,QSA]
+    RewriteRule api/(autocomplete|bookmark/([0-9]+)|user/data/update) api/index.php [L,QSA]
 
     # Setup APIs
     RewriteRule api/setup/(check|backup|update-database) api/index.php [L,QSA]

phpmyfaq/api.service.php

@@ -844,97 +844,6 @@
 
         break;
 
-    //
-    // Save user data from UCP
-    //
-    case 'submit-user-data':
-        $postData = json_decode(file_get_contents('php://input'), true, 512, JSON_THROW_ON_ERROR);
-
-        $csrfToken = Filter::filterVar($postData[Token::PMF_SESSION_NAME], FILTER_SANITIZE_SPECIAL_CHARS);
-
-        if (!Token::getInstance()->verifyToken('ucp', $csrfToken)) {
-            $response->setStatusCode(Response::HTTP_UNAUTHORIZED);
-            $response->setData(['error' => Translation::get('ad_msg_noauth')]);
-            break;
-        }
-
-        $userId = Filter::filterVar($postData['userid'], FILTER_VALIDATE_INT);
-        $userName = trim((string) Filter::filterVar($postData['name'], FILTER_SANITIZE_SPECIAL_CHARS));
-        $email = Filter::filterVar($postData['email'], FILTER_VALIDATE_EMAIL);
-        $isVisible = Filter::filterVar($postData['is_visible'], FILTER_SANITIZE_SPECIAL_CHARS);
-        $password = trim((string) Filter::filterVar($postData['faqpassword'], FILTER_SANITIZE_SPECIAL_CHARS));
-        $confirm = trim((string) Filter::filterVar($postData['faqpassword_confirm'], FILTER_SANITIZE_SPECIAL_CHARS));
-        $twoFactorEnabled = Filter::filterVar($postData['twofactor_enabled'] ?? 'off', FILTER_SANITIZE_SPECIAL_CHARS);
-        $deleteSecret = Filter::filterVar($postData['newsecret'] ?? '', FILTER_SANITIZE_SPECIAL_CHARS);
-
-        $user = CurrentUser::getFromSession($faqConfig);
-
-        $isAzureAdUser = $user->getUserAuthSource() === 'azure';
-
-        $secret = $deleteSecret === 'on' ? '' : $user->getUserData('secret');
-
-        if ($userId !== $user->getUserId()) {
-            $response->setStatusCode(Response::HTTP_BAD_REQUEST);
-            $response->setData(['error' => 'User ID mismatch!']);
-            break;
-        }
-
-        if (!$isAzureAdUser) {
-            if ($password !== $confirm) {
-                $response->setStatusCode(Response::HTTP_CONFLICT);
-                $response->setData(['error' => Translation::get('ad_user_error_passwordsDontMatch')]);
-                break;
-            }
-
-            if (strlen($password) <= 7 || strlen($confirm) <= 7) {
-                $response->setStatusCode(Response::HTTP_CONFLICT);
-                $response->setData(['error' => Translation::get('ad_passwd_fail')]);
-                break;
-            } else {
-                $userData = [
-                    'display_name' => $userName,
-                    'email' => $email,
-                    'is_visible' => $isVisible === 'on' ? 1 : 0,
-                    'twofactor_enabled' => $twoFactorEnabled === 'on' ? 1 : 0,
-                    'secret' => $secret
-                ];
-
-                $success = $user->setUserData($userData);
-
-                foreach ($user->getAuthContainer() as $auth) {
-                    if ($auth->setReadOnly()) {
-                        continue;
-                    }
-
-                    if (!$auth->update($user->getLogin(), $password)) {
-                        $response->setStatusCode(Response::HTTP_BAD_REQUEST);
-                        $response->setData(['error' => $auth->error()]);
-                        $success = false;
-                    } else {
-                        $success = true;
-                    }
-                }
-            }
-        } else {
-            $userData = [
-                'is_visible' => $isVisible === 'on' ? 1 : 0,
-                'twofactor_enabled' => $twoFactorEnabled === 'on' ? 1 : 0,
-                'secret' => $secret
-            ];
-
-            $success = $user->setUserData($userData);
-        }
-
-        if ($success) {
-            $response->setStatusCode(Response::HTTP_OK);
-            $response->setData(['success' => Translation::get('ad_entry_savedsuc')]);
-        } else {
-            $response->setStatusCode(Response::HTTP_BAD_REQUEST);
-            $response->setData(['error' => Translation::get('ad_entry_savedfail')]);
-        }
-
-        break;
-
     //
     // Change password
     //

phpmyfaq/assets/src/api/user.js

@@ -0,0 +1,39 @@
+/**
+ * Private User API functionality
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public License,
+ * v. 2.0. If a copy of the MPL was not distributed with this file, You can
+ * obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * @package   phpMyFAQ
+ * @author    Thorsten Rinne <[email protected]>
+ * @copyright 2024 phpMyFAQ Team
+ * @license   https://www.mozilla.org/MPL/2.0/ Mozilla Public License Version 2.0
+ * @link      https://www.phpmyfaq.de
+ * @since     2024-03-03
+ */
+
+import { serialize } from '../utils';
+
+export const updateUserControlPanelData = async (data) => {
+  try {
+    const response = await fetch('api/user/data/update', {
+      method: 'PUT',
+      cache: 'no-cache',
+      headers: {
+        'Content-Type': 'application/json',
+      },
+      body: JSON.stringify(serialize(data)),
+      redirect: 'follow',
+      referrerPolicy: 'no-referrer',
+    });
+
+    if (response.ok) {
+      return await response.json();
+    } else {
+      return await response.json();
+    }
+  } catch (error) {
+    console.error(error);
+  }
+};

phpmyfaq/assets/src/frontend.js

@@ -21,6 +21,7 @@ import { handleComments, handleSaveComment, handleUserVoting } from './faq';
 import { handleAutoComplete, handleQuestion } from './search';
 import { calculateReadingTime, handlePasswordStrength, handlePasswordToggle, handleReloadCaptcha } from './utils';
 import './utils/tooltip';
+import { handleUserControlPanel } from './user';
 
 //
 // Reload Captchas
@@ -60,6 +61,11 @@ handleComments();
 //
 handleBookmarks();
 
+//
+// Handle user control panel
+//
+handleUserControlPanel();
+
 //
 // Masonry on startpage
 //

phpmyfaq/assets/src/user/index.js

@@ -0,0 +1 @@
+export * from './ucp';

phpmyfaq/assets/src/user/ucp.js

@@ -0,0 +1,51 @@
+/**
+ * User Control Panel functionality
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public License,
+ * v. 2.0. If a copy of the MPL was not distributed with this file, You can
+ * obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * @package   phpMyFAQ
+ * @author    Thorsten Rinne <[email protected]>
+ * @copyright 2024 phpMyFAQ Team
+ * @license   https://www.mozilla.org/MPL/2.0/ Mozilla Public License Version 2.0
+ * @link      https://www.phpmyfaq.de
+ * @since     2024-03-03
+ */
+
+import { updateUserControlPanelData } from '../api/user';
+import { addElement } from '../utils';
+
+export const handleUserControlPanel = () => {
+  const userControlPanelSubmit = document.getElementById('pmf-submit-user-control-panel');
+
+  if (userControlPanelSubmit) {
+    userControlPanelSubmit.addEventListener('click', async (event) => {
+      event.preventDefault();
+
+      const form = document.querySelector('#pmf-user-control-panel-form');
+      const loader = document.getElementById('loader');
+      const formData = new FormData(form);
+
+      const response = await updateUserControlPanelData(formData);
+
+      if (response.success) {
+        loader.classList.add('d-none');
+        const message = document.getElementById('pmf-user-control-panel-response');
+        message.insertAdjacentElement(
+          'afterend',
+          addElement('div', { classList: 'alert alert-success', innerText: response.success })
+        );
+      }
+
+      if (response.error) {
+        loader.classList.add('d-none');
+        const message = document.getElementById('pmf-user-control-panel-response');
+        message.insertAdjacentElement(
+          'afterend',
+          addElement('div', { classList: 'alert alert-danger', innerText: response.error })
+        );
+      }
+    });
+  }
+};

phpmyfaq/assets/themes/default/templates/ucp.html

@@ -21,11 +21,11 @@ <h5 class="h6 m-0 font-weight-bold text-primary">{{ msgHeaderUserData }}</h5>
             <div class="spinner-border text-primary d-none" id="loader" role="status">
               <span class="visually-hidden">Loading...</span>
             </div>
-            <div id="faqs"></div>
+            <div id="pmf-user-control-panel-response"></div>
           </div>
         </div>
 
-        <form id="formValues" action="#" method="post" class="needs-validation" novalidate>
+        <form id="pmf-user-control-panel-form" action="#" method="post" class="needs-validation" novalidate>
           <input type="hidden" name="userid" value="{{ userid }}" />
           {{ csrf }}
           <input type="hidden" name="lang" id="lang" value="{{ lang }}" />
@@ -180,7 +180,8 @@ <h1 class="modal-title fs-5" id="twofactor_configLabel">{{ msgTwofactorConfigMod
 
           <div class="row">
             <div class="col-lg-12 text-end">
-              <button class="btn btn-primary" type="submit" id="pmf-submit-values" data-pmf-form="submit-user-data">
+              <button class="btn btn-primary" type="submit" id="pmf-submit-user-control-panel"
+                      data-pmf-form="submit-user-data">
                 {{ msgSave }}
               </button>
             </div>

phpmyfaq/src/api-routes.php

@@ -33,6 +33,7 @@
 use phpMyFAQ\Controller\Api\VersionController;
 use phpMyFAQ\Controller\Frontend\AutoCompleteController;
 use phpMyFAQ\Controller\Frontend\BookmarkController;
+use phpMyFAQ\Controller\Frontend\UserController;
 use phpMyFAQ\Controller\Setup\SetupController;
 use phpMyFAQ\System;
 use Symfony\Component\Routing\Route;
@@ -163,6 +164,10 @@
     'api.bookmark',
     new Route('bookmark/{bookmarkId}', ['_controller' => [BookmarkController::class, 'delete'], '_methods' => 'DELETE'])
 );
+$routes->add(
+    'api.user.update',
+    new Route('user/data/update', ['_controller' => [UserController::class, 'updateData'], '_methods' => 'PUT'])
+);
 
 // Setup REST API
 $routes->add(

phpmyfaq/src/phpMyFAQ/Controller/Administration/AttachmentController.php

@@ -22,6 +22,7 @@
 use phpMyFAQ\Attachment\Filesystem\File\FileException;
 use phpMyFAQ\Configuration;
 use phpMyFAQ\Controller\AbstractController;
+use phpMyFAQ\Core\Exception;
 use phpMyFAQ\Enums\PermissionType;
 use phpMyFAQ\Session\Token;
 use phpMyFAQ\Translation;
@@ -32,6 +33,9 @@
 
 class AttachmentController extends AbstractController
 {
+    /**
+     * @throws Exception
+     */
     #[Route('./admin/api/content/attachments')]
     public function delete(Request $request): JsonResponse
     {
@@ -68,6 +72,7 @@ public function delete(Request $request): JsonResponse
     /**
      * @throws AttachmentException
      * @throws FileException
+     * @throws Exception
      */
     #[Route('./admin/api/content/attachments/upload')]
     public function upload(Request $request): JsonResponse

phpmyfaq/src/phpMyFAQ/Controller/Frontend/CommentController.php

@@ -0,0 +1,14 @@
+<?php
+
+namespace phpMyFAQ\Controller\Frontend;
+
+use phpMyFAQ\Controller\AbstractController;
+use Symfony\Component\HttpFoundation\JsonResponse;
+
+class CommentController extends AbstractController
+{
+    public function create(): JsonResponse
+    {
+        return new JsonResponse(['status' => 'ok']);
+    }
+}