app/Http/Requests/UpdateUserRequest.php

<?php

namespace App\Http\Requests;

use Hash;
use Illuminate\Foundation\Http\FormRequest;
use LibreNMS\Config;

class UpdateUserRequest extends FormRequest
{
    /**
     * Determine if the user is authorized to make this request.
     *
     * @return bool
     */
    public function authorize()
    {
        if ($this->user()->isAdmin()) {
            return true;
        }

        $user = $this->route('user');
        if ($user && $this->user()->can('update', $user)) {
            // normal users cannot edit their level or ability to modify a password
            unset($this['level'], $this['can_modify_passwd']);
            return true;
        }

        return false;
    }

    /**
     * Get the validation rules that apply to the request.
     *
     * @return array
     */
    public function rules()
    {
        return [
            'realname' => 'nullable|max:64|alpha_space',
            'email' => 'nullable|email|max:64',
            'descr' => 'nullable|max:30|alpha_space',
            'level' => 'int',
            'old_password' => 'nullable|string',
            'new_password' => 'nullable|confirmed|min:' . Config::get('password.min_length', 8),
            'new_password_confirmation' => 'nullable|same:new_password',
            'dashboard' => 'int',
        ];
    }

    /**
     * Configure the validator instance.
     *
     * @param  \Illuminate\Validation\Validator  $validator
     * @return void
     */
    public function withValidator($validator)
    {
        $validator->after(function ($validator) {
            // if not an admin and new_password is set, check old password matches
            if (!$this->user()->isAdmin()) {
                if ($this->has('new_password')) {
                    if ($this->has('old_password')) {
                        $user = $this->route('user');
                        if ($user && !Hash::check($this->old_password, $user->password)) {
                            $validator->errors()->add('old_password', __('Existing password did not match'));
                        }
                    } else {
                        $validator->errors()->add('old_password', __('The :attribute field is required.', ['attribute' => 'old_password']));
                    }
                }
            }
        });
    }
}
New User Management (#9348) * Rewrite user management. Error management Revert edituser legacy page Connect user permissions button to legacy page for now. Implement user creation Refine form Remove PingCheck.php accidental add :) Fixes for redirection and deletion More fixes: realname accidental validation setting, hide can modify for read-only auths Use a panel to improve style Add icon to panel-title Not allowed to delete own user (at least via the click of a button) Use request validation to reduce complexity of controller. Improve protection against users doing things they should not. Switch to horizontal form and not nearly as wide of layout :) delete without refresh. Fix for buttons Include all users (not just from this auth) Hide the auth column if there is only one auth type Show username if real name isn't set Don't allow creation of demo users via the webui a fix to the lnms user:add command, it didn't set auth_id update edituser.inc.php to current just redirect to users page * Remove TwoFactorTest for now * Update edituser.inc.php * Update .env.dusk.testing * Enable 2fa for 2fa test... 2019-04-22 19:01:39 -05:00			`<?php`

			`namespace App\Http\Requests;`

			`use Hash;`
			`use Illuminate\Foundation\Http\FormRequest;`
			`use LibreNMS\Config;`

			`class UpdateUserRequest extends FormRequest`
			`{`
			`/**`
			`* Determine if the user is authorized to make this request.`
			`*`
			`* @return bool`
			`*/`
			`public function authorize()`
			`{`
			`if ($this->user()->isAdmin()) {`
			`return true;`
			`}`

			`$user = $this->route('user');`
			`if ($user && $this->user()->can('update', $user)) {`
			`// normal users cannot edit their level or ability to modify a password`
			`unset($this['level'], $this['can_modify_passwd']);`
			`return true;`
			`}`

			`return false;`
			`}`

			`/**`
			`* Get the validation rules that apply to the request.`
			`*`
			`* @return array`
			`*/`
			`public function rules()`
			`{`
			`return [`
Fix html injection in user fields (#10535) validate realname and descr to alpha/numeric/spaces only This flaw is actually in bootgrid, the html isn't interpreted until bootgrid loads. 2019-08-21 20:36:22 -05:00			`'realname' => 'nullable\|max:64\|alpha_space',`
New User Management (#9348) * Rewrite user management. Error management Revert edituser legacy page Connect user permissions button to legacy page for now. Implement user creation Refine form Remove PingCheck.php accidental add :) Fixes for redirection and deletion More fixes: realname accidental validation setting, hide can modify for read-only auths Use a panel to improve style Add icon to panel-title Not allowed to delete own user (at least via the click of a button) Use request validation to reduce complexity of controller. Improve protection against users doing things they should not. Switch to horizontal form and not nearly as wide of layout :) delete without refresh. Fix for buttons Include all users (not just from this auth) Hide the auth column if there is only one auth type Show username if real name isn't set Don't allow creation of demo users via the webui a fix to the lnms user:add command, it didn't set auth_id update edituser.inc.php to current just redirect to users page * Remove TwoFactorTest for now * Update edituser.inc.php * Update .env.dusk.testing * Enable 2fa for 2fa test... 2019-04-22 19:01:39 -05:00			`'email' => 'nullable\|email\|max:64',`
Fix html injection in user fields (#10535) validate realname and descr to alpha/numeric/spaces only This flaw is actually in bootgrid, the html isn't interpreted until bootgrid loads. 2019-08-21 20:36:22 -05:00			`'descr' => 'nullable\|max:30\|alpha_space',`
New User Management (#9348) * Rewrite user management. Error management Revert edituser legacy page Connect user permissions button to legacy page for now. Implement user creation Refine form Remove PingCheck.php accidental add :) Fixes for redirection and deletion More fixes: realname accidental validation setting, hide can modify for read-only auths Use a panel to improve style Add icon to panel-title Not allowed to delete own user (at least via the click of a button) Use request validation to reduce complexity of controller. Improve protection against users doing things they should not. Switch to horizontal form and not nearly as wide of layout :) delete without refresh. Fix for buttons Include all users (not just from this auth) Hide the auth column if there is only one auth type Show username if real name isn't set Don't allow creation of demo users via the webui a fix to the lnms user:add command, it didn't set auth_id update edituser.inc.php to current just redirect to users page * Remove TwoFactorTest for now * Update edituser.inc.php * Update .env.dusk.testing * Enable 2fa for 2fa test... 2019-04-22 19:01:39 -05:00			`'level' => 'int',`
			`'old_password' => 'nullable\|string',`
			`'new_password' => 'nullable\|confirmed\|min:' . Config::get('password.min_length', 8),`
User configurable locale (language) (#10204) * Support for system APP_LOCALE * Start preferences re-write * port 2fa form * Working user preferences * Language user preference * Don't look up locale from the DB every request * Device list working * Deny demo user middleware * Finish password changing * remove used resource methods * remove leftover use * warn that translation is incomplete * fix style 2019-05-23 10:05:45 -05:00			`'new_password_confirmation' => 'nullable\|same:new_password',`
New User Management (#9348) * Rewrite user management. Error management Revert edituser legacy page Connect user permissions button to legacy page for now. Implement user creation Refine form Remove PingCheck.php accidental add :) Fixes for redirection and deletion More fixes: realname accidental validation setting, hide can modify for read-only auths Use a panel to improve style Add icon to panel-title Not allowed to delete own user (at least via the click of a button) Use request validation to reduce complexity of controller. Improve protection against users doing things they should not. Switch to horizontal form and not nearly as wide of layout :) delete without refresh. Fix for buttons Include all users (not just from this auth) Hide the auth column if there is only one auth type Show username if real name isn't set Don't allow creation of demo users via the webui a fix to the lnms user:add command, it didn't set auth_id update edituser.inc.php to current just redirect to users page * Remove TwoFactorTest for now * Update edituser.inc.php * Update .env.dusk.testing * Enable 2fa for 2fa test... 2019-04-22 19:01:39 -05:00			`'dashboard' => 'int',`
			`];`
			`}`

			`/**`
			`* Configure the validator instance.`
			`*`
			`* @param \Illuminate\Validation\Validator $validator`
			`* @return void`
			`*/`
			`public function withValidator($validator)`
			`{`
			`$validator->after(function ($validator) {`
			`// if not an admin and new_password is set, check old password matches`
			`if (!$this->user()->isAdmin()) {`
			`if ($this->has('new_password')) {`
			`if ($this->has('old_password')) {`
			`$user = $this->route('user');`
			`if ($user && !Hash::check($this->old_password, $user->password)) {`
			`$validator->errors()->add('old_password', __('Existing password did not match'));`
			`}`
			`} else {`
			`$validator->errors()->add('old_password', __('The :attribute field is required.', ['attribute' => 'old_password']));`
			`}`
			`}`
			`}`
			`});`
			`}`
			`}`