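<?php
/**
 * User management page: list / add / edit / settings / delete.
 *
 * Every action except "add" (self-registration) requires a logged-in session.
 * State-changing POSTs are CSRF-checked before any submitted data is applied
 * to a User record, and edit / settings / delete are only honoured for the
 * session's own account or for a user with the "admin" auth level.
 */
include 'inc/init.php';

/**
 * Returns true when the session user may act on $user: the record is their
 * own account, or they hold the "admin" auth level.
 *
 * @param User $user  the record being edited, configured or deleted
 * @return bool
 */
function user_page_can_manage($user)
{
    $is_own_account = (int) fSession::get('user_id') === (int) $user->getUserId();
    return $is_own_account || fAuthorization::checkAuthLevel('admin');
}

/**
 * Reads the new_password / confirm_password pair from the request and returns
 * its hash.
 *
 * On a mismatch or an empty password an error message is queued for the
 * current URL and null is returned; $failure_text completes that message
 * (e.g. "the changes was not applied.").
 *
 * @param string $failure_text  tail of the error message shown to the user
 * @return string|null  password hash, or null when the input was rejected
 */
function user_page_hash_new_password($failure_text)
{
    $new_password     = fRequest::get('new_password');
    $confirm_password = fRequest::get('confirm_password');
    // Strict comparison: loose != treats numeric strings such as "1e3" and "1000" as equal.
    if ($new_password !== $confirm_password) {
        fMessaging::create('error', fURL::get(), "The two passwords don't match, " . $failure_text);
        return null;
    }
    if ($new_password === null || $new_password === '') {
        fMessaging::create('error', fURL::get(), "An empty password is forbidden, " . $failure_text);
        return null;
    }
    return fCryptography::hashPassword($new_password);
}

fRequest::overrideAction();
$action = fRequest::getValid('action', array('list', 'add', 'edit', 'settings', 'delete'));
if ($action != 'add') {
    fAuthorization::requireLoggedIn();
}
$user_id = fRequest::get('user_id', 'integer');

if ('edit' == $action) {
    try {
        $user = new User($user_id);
        if (fRequest::isPost()) {
            // Reject forged requests before any submitted data is read into the record.
            fRequest::validateCSRFToken(fRequest::get('token'));
            if (!user_page_can_manage($user)) {
                fMessaging::create('error', fURL::get(), "You don't have the right to modify this user");
            } else {
                // Changes are re-authenticated with the *session* user's current password,
                // which also covers an admin editing somebody else's account.
                $session_user = new User(fSession::get('user_id'));
                $valid_pass = fCryptography::checkPasswordHash(
                    fRequest::get('password'),
                    $session_user->getPassword()
                );
                if (!$valid_pass) {
                    fMessaging::create('error', fURL::get(), 'The given password is wrong, the changes was not applied.');
                } else {
                    $has_error = false;
                    $password = "";
                    if (fRequest::get('change_password', 'boolean')) {
                        $password = user_page_hash_new_password('the changes was not applied.');
                        if ($password === null) {
                            $has_error = true;
                            $password = "";
                        }
                    } elseif ($GLOBALS['ALLOW_HTTP_AUTH'] && ($user->getUserId() != 1)) {
                        // Under HTTP auth every account except user 1 stores a marker, not a hash.
                        $password = 'basic_auth';
                    } else {
                        $password = $user->getPassword();
                    }
                    // populate() runs even on error so the form re-renders with the submitted
                    // values; setPassword() follows it so the value chosen above always wins
                    // over whatever populate() copied from the request.
                    $user->populate();
                    $user->setPassword($password);
                    if (!$has_error) {
                        $user->store();
                        fMessaging::create('affected', "/".User::makeUrl('list'), $user->getUsername());
                        fMessaging::create('success', "/".User::makeUrl('list'),
                            'The user "' . $user->getUsername(). '" was successfully updated');
                        fURL::redirect(User::makeUrl('list'));
                    }
                }
            }
        }
    } catch (fNotFoundException $e) {
        fMessaging::create('error', User::makeUrl('list'),
            'The user requested, ' . fHTML::encode($user_id) . ', could not be found');
        fURL::redirect(User::makeUrl('list'));
    } catch (fExpectedException $e) {
        fMessaging::create('error', fURL::get(), $e->getMessage());
    }
    include VIEW_PATH . '/add_edit_user.php';
// --------------------------------- //
} elseif ('add' == $action) {
    $user = new User();
    if (fRequest::isPost()) {
        try {
            // Reject forged requests before any submitted data is read into the record.
            fRequest::validateCSRFToken(fRequest::get('token'));
            $user->populate();
            $has_error = false;
            if ($GLOBALS['ALLOW_HTTP_AUTH']) {
                $password = 'basic_auth';
            } else {
                $password = user_page_hash_new_password('the user was not created.');
                $has_error = ($password === null);
            }
            if (!$has_error) {
                $user->setPassword($password);
                $user->store();
                // The very first account created becomes the administrator.
                if ($user->getUserId() == 1) {
                    $user->setRole('admin');
                    $user->store();
                }
                fMessaging::create('affected', User::makeURL('login'), $user->getUsername());
                fMessaging::create('success', User::makeURL('login'),
                    'The user ' . $user->getUsername() . ' was successfully created');
                fURL::redirect(User::makeURL('login'));
            }
        } catch (fExpectedException $e) {
            fMessaging::create('error', fURL::get(), $e->getMessage());
        }
    }
    include VIEW_PATH . '/add_edit_user.php';
} elseif ('settings' == $action) {
    try {
        $user = new User($user_id);
        // Same ownership rule as "edit": the settings of another account are admin-only.
        if (!user_page_can_manage($user)) {
            fMessaging::create('error', User::makeUrl('list'), "You don't have the right to modify this user");
            fURL::redirect(User::makeUrl('list'));
        }
        if (fRequest::isPost()) {
            // NOTE(review): this POST is not CSRF-validated; confirm that
            // add_edit_user_settings.php emits a token before adding
            // fRequest::validateCSRFToken(fRequest::get('token')) here.
            $user->populate();
        }
    } catch (fNotFoundException $e) {
        fMessaging::create('error', User::makeUrl('list'),
            'The user requested, ' . fHTML::encode($user_id) . ', could not be found');
        fURL::redirect(User::makeUrl('list'));
    } catch (fExpectedException $e) {
        fMessaging::create('error', fURL::get(), $e->getMessage());
    }
    include VIEW_PATH . '/add_edit_user_settings.php';
} elseif ('delete' == $action) {
    $class_name = 'User';
    try {
        $obj = new User($user_id);
        // Same ownership rule as "edit": deleting another account is admin-only.
        if (!user_page_can_manage($obj)) {
            fMessaging::create('error', "/".User::makeUrl('list'), "You don't have the right to delete this user");
            fURL::redirect(User::makeUrl('list'));
        }
        $delete_text = 'Are you sure you want to delete user : <strong>'. $obj->getUsername() . '</strong>?';
        if (fRequest::isPost()) {
            fRequest::validateCSRFToken(fRequest::get('token'));
            $obj->delete();
            fMessaging::create('success', "/".User::makeUrl('list'),
                'The user ' . $obj->getUsername() . ' was successfully deleted');
            fURL::redirect(User::makeUrl('list'));
        }
    } catch (fNotFoundException $e) {
        fMessaging::create('error', "/".User::makeUrl('list'),
            'The requested user could not be found');
        fURL::redirect(User::makeUrl('list'));
    } catch (fExpectedException $e) {
        fMessaging::create('error', fURL::get(), $e->getMessage());
    }
    include VIEW_PATH . '/delete.php';
} else {
    // "list": non-admins only ever see their own account, so send them straight to it.
    if (!fAuthorization::checkAuthLevel('admin')) {
        fURL::redirect(User::makeURL('edit', fSession::get('user_id')));
    } else {
        $users = User::findAll();
        include VIEW_PATH . '/list_users.php';
    }
}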