if(err != null)\r
RenderMessage(res,err,info);\r
else{\r
- result.token = info.token;\r
+ result.token = req.session._csrf;\r
+ res.setHeader("X-FRAME-OPTIONS","DENY");\r
res.render("profile/admin",result);\r
}\r
});\r
\r
function admin_postproc(req,res)\r
{\r
- if(req.session.items.token != req.body.token){\r
- RenderMessage(res,resource.invaild_parameter,req.session.items);\r
- return;\r
- }\r
async.waterfall([\r
function(cb){\r
if(typeof(req.body.removeall) != "undefined")\r
else if(result.length == 0)\r
RenderMessage(res,resource.notfound_name,req.session.items);\r
else{\r
- res.render("profile/detail",{list:result,token:req.session.items.token,admin:req.session.items.admin});\r
+ res.setHeader("X-FRAME-OPTIONS","DENY");\r
+ res.render("profile/detail",{list:result,alias:config.alias,token:req.session._csrf,admin:req.session.items.admin});\r
}\r
});\r
}\r
\r
function detail_postproc(req, res)\r
{\r
- if(req.session.items.token != req.body.token){\r
- RenderMessage(res,resource.invaild_parameter,req.session.items);\r
- return;\r
- }\r
if(typeof(req.body.remove) != "undefined"){\r
async.waterfall([\r
function(cb){\r
if(err != null){\r
RenderMessage(res,err,req.session.items);\r
}else if(result != null){\r
- res.render("profile/edit",{list:result,token:req.body.token});\r
+ res.setHeader("X-FRAME-OPTIONS","DENY");\r
+ res.render("profile/edit",{list:result,token:req.session._csrf,alias:config.alias});\r
}else{\r
RenderMessage(res,resource.unmatch_password,req.session.items);\r
}\r
\r
function edit_postproc(req, res)\r
{\r
- if(req.session.items.token != req.body.token){\r
- RenderMessage(res,resource.invaild_parameter,req.session.items);\r
- return;\r
- }\r
if(typeof(req.body.name) == "undefined")\r
{\r
RenderMessage(res,resource.invaild_parameter,req.session.items);\r
return;\r
}else if(typeof(req.body.edit) != "undefined"){\r
+ var validator = new Validator();\r
+ if(validator.Validate(req.body,config.alias))\r
+ {\r
+ RenderMessage(validator.Message,req.session.items);\r
+ return;\r
+ }\r
async.waterfall([\r
function(cb){\r
- collection.UpdatAsync(req.body.name,req.body,cb);\r
- }\r
+ if(req.body.updatepassword == false)\r
+ collection.UpdatAsync(req.body.name,req.body,null,cb);\r
+ else\r
+ collection.UpdatAsync(req.body.name,req.body,req.body.password,cb);\r
+ },\r
],function(err,result){\r
if(err != null)\r
RenderMessage(res,err,req.session.items);\r
\r
function registor_postproc(req, res)\r
{\r
- if(req.session.items.token != req.body.token){\r
- RenderMessage(res,resource.invaild_parameter,req.session.items);\r
- return;\r
- }\r
if(typeof(req.body.registor) != "undefined"){\r
+ var validator = new Validator();\r
+ if(validator.Validate(req.body,config.alias))\r
+ {\r
+ RenderMessage(res,validator.Message,req.session.items);\r
+ return;\r
+ }\r
async.waterfall([\r
function(cb){\r
collection.AddAsync(req.body,cb);\r
if(typeof(req.session.items) == "undefined")\r
req.session.items = new security.SessionInfomation(false);\r
\r
- res.render("profile/registor",{token:req.session.items.token});\r
+ res.setHeader("X-FRAME-OPTIONS","DENY");\r
+ res.render("profile/registor",{token:req.session._csrf,alias:config.alias});\r
}\r
\r
function RenderMessage(res,msg,info)\r
{\r
- if(typeof(info) == "undefined")\r
- res.render("profile/message",{message:msg});\r
+ if(typeof(info) == "undefined" || typeof(info.admin) == "undefined")\r
+ res.render("profile/message",{message:msg,admin:false});\r
else\r
res.render("profile/message",{message:msg,admin:info.admin});\r
}\r
function ProfileCollection()\r
{\r
var MySQLPool = new require("./mysql_pool.js");\r
+ var murmurhash = require("murmurhash");\r
var pool = new MySQLPool({\r
host : config.db_host,\r
user : config.db_user,\r
this.AuthAsync = function(name,password,cb){\r
async.waterfall([\r
function(next){\r
- pool.query("SELECT * FROM list WHERE name = ?",[name],next);\r
+ pool.query("SELECT password FROM list WHERE name_hash = ? and name = ?",[murmurhash.v3(name),name],next);\r
},\r
function(result,next){\r
- if(result[0].password == password)\r
+ if(result[0].password == md5_hex(password))\r
next(null,true);\r
else\r
next(null,false);\r
],cb);\r
}\r
this.GetAsync = function(name,cb){\r
- pool.query("SELECT * FROM list WHERE name = ?",[name],cb);\r
+ pool.query("SELECT * FROM list WHERE name_hash = ? and name = ?",[murmurhash.v3(name),name],cb);\r
}\r
this.AddAsync = function(data,cb){\r
- var item = {\r
- name:data.name,\r
- age:data.age,\r
- gender:data.gender,\r
- height:data.height,\r
- weight:data.weight,\r
- race:data.race,\r
- password:data.password,\r
- lastmodified:new Date(),\r
- etc:data.etc\r
- };\r
+ var item = GetItem(data);\r
pool.query("INSERT INTO list SET ?",[item],cb);\r
}\r
- this.UpdatAsync = function(name,data,cb){\r
- var item = {\r
- name:data.name,\r
- age:data.age,\r
- gender:data.gender,\r
- height:data.height,\r
- weight:data.weight,\r
- race:data.race,\r
- password:data.password,\r
- lastmodified:new Date(),\r
- etc:data.etc\r
- };\r
+ this.UpdatAsync = function(name,data,newpassword,cb){\r
+ var item = GetItem(data);\r
+ if(newpassword != null)\r
+ item.password = md5_hex(newpassword);\r
pool.query("UPDATE list SET ? WHERE name = ?",[item,name],cb);\r
}\r
this.ClearAsync = function(cb){\r
pool.query("DELETE FROM list WHERE name IN (?)",[names],cb);\r
}\r
this.RemoveAsync = function(name,cb){\r
- pool.query("DELETE FROM list WHERE name = ?",[name],cb);\r
+ pool.query("DELETE FROM list WHERE name_hash = ? and name = ?",[murmurhash.v3(name),name],cb);\r
}\r
this.FindByNameAsync = function(pattern,start,count,cb){\r
pool.query("SELECT * FROM list WHERE name LIKE ? LIMIT ?,?",[pattern+"%",start,count],cb);\r
}\r
this.ToArrayAsync = function(start,count,cb){\r
- pool.query("SELECT name,age,lastmodified FROM list LIMIT ?,?",[start,count],cb);\r
+ pool.query("SELECT name,lastmodified FROM list LIMIT ?,?",[start,count],cb);\r
+ }\r
+\r
+ var crypto = require("crypto");\r
+ function md5_hex(src)\r
+ {\r
+ var md5 = crypto.createHash('md5');\r
+ md5.update(src, 'utf8');\r
+ return md5.digest('hex');\r
+ }\r
+\r
+ function GetItem(data)\r
+ {\r
+ var item = {\r
+ name_hash:murmurhash.v3(data.name),\r
+ lastmodified:new Date(),\r
+ };\r
+ for(var key in config.alias)\r
+ {\r
+ if(key == "password")\r
+ item[key] = md5_hex(data[key]);\r
+ else\r
+ item[key] = data[key];\r
+ }\r
+ return item;\r
}\r
}\r
\r
+//\r
+// Validatorクラス\r
+//\r
+function Validator()\r
+{\r
+ //\r
+ // バリテーションを行う。\r
+ // エラーがあった場合は真。そうでない場合は偽を返す\r
+ //\r
+ // @body バリテーションの対象となる連想配列\r
+ // @alias バリテーションを行う要素のリスト\r
+ this.Validate = function(body,alias){\r
+ var result = false;\r
+ this.Message = "";\r
+ for(var key in alias)\r
+ {\r
+ var message = IsValidate(body[key],alias[key].type,alias[key].rule);\r
+ if(message != null)\r
+ {\r
+ this.Message += "<p>" + alias[key].name + ":" + message + "</p>\n";\r
+ result = true;\r
+ }\r
+ }\r
+ return result;\r
+ }\r
+ // バリテーション時にエラーがあった場合、メッセージが記録される\r
+ this.Message = "";\r
+ function IsValidate(data,type,rule){\r
+ if(typeof(data) == "undefined")\r
+ throw "data is undefined";\r
+ if(typeof(type) == "undefined")\r
+ throw "type is undefined";\r
+\r
+ var result = null;\r
+\r
+ if(typeof(rule) != "undefined" && typeof(rule.isnotempty) != "undefined"\r
+ && rule.isnotempty && data == "")\r
+ return resource.is_not_empty;\r
+\r
+ switch(type)\r
+ {\r
+ case "text":\r
+ case "textarea":\r
+ case "password":\r
+ if(typeof(data) != "string")\r
+ result = resource.is_not_string;\r
+ break;\r
+ case "number":\r
+ if(data.match(/[^0-9]/g))\r
+ result = resource.is_not_number;\r
+ break;\r
+ case "mail":\r
+ if(data != "" && !data.match(/^[A-Za-z0-9]+[\w\-\+]+@[\w\.-]+\.\w{2,}$/))\r
+ result = resource.is_not_mail;\r
+ break;\r
+ }\r
+\r
+ if(typeof(rule) == "function")\r
+ result = rule(data,type);\r
+\r
+ return result;\r
+ }\r
+}
\ No newline at end of file