<?php
/**
* User Management
*
* User administration functions
*
* @package Multiuser
* @author Andreas Gohr <[email protected]>
* @author Andreas Götz <[email protected]>
* @version $Id: users.php,v 1.23 2013/03/15 16:42:46 andig2 Exp $
*/
require_once './core/functions.php';
// Access gates, evaluated in this order: the request must come from the
// configured local network, and the session must carry PERM_ADMIN.
// Per the "_or_die" naming both helpers are expected to terminate the
// request on failure, so nothing below should run for a remote or
// non-admin caller — TODO confirm in core/functions.php.
localnet_or_die();
permission_or_die(PERM_ADMIN);
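/**
 * Create user
 *
 * Inserts a new row into TBL_USERS and seeds TBL_PERMISSIONS so the new
 * account can read and write its own data.
 *
 * @param string $user  Username (escaped with escapeSQL before use)
 * @param string $pass  Plaintext password; stored as an unsalted md5 hash
 * @param int    $perm  Permission bitmask built from the PERM_* flags; cast to int here
 * @param string $email E-mail address (escaped with escapeSQL before use)
 * @return mixed  result of the last runSQL() call, false on failure
 *                (e.g. duplicate username)
 */
function create_user($user, $pass, $perm, $email)
{
    global $config;

    // The id is never user-supplied: it is the next free "real" id, i.e.
    // MAX(id)+1 over every row except the guest account.
    // NOTE(review): this is not atomic — two concurrent requests can compute
    // the same id and one INSERT then fails with a duplicate key. Ids are
    // also reused once the highest id is deleted, so any TBL_PERMISSIONS
    // rows left behind for that id would carry over to the next account;
    // the delete path in users.php must clean them up.
    $SQL = "SELECT (MAX(id)+1) AS id FROM ".TBL_USERS." WHERE id != ".$config['guestid'].";";
    $res = runSQL($SQL);
    // MAX() over an empty set is NULL, which would render as "SET id = ,"
    // and break the INSERT with a syntax error; fall back to id 1 instead.
    $nextid = isset($res[0]['id']) ? (int) $res[0]['id'] : 1;

    // NOTE(security): unsalted md5 is not an acceptable password hash. It is
    // kept here only because the login code that verifies passwords lives
    // elsewhere and must be migrated in the same change (password_hash /
    // password_verify); do not change this line in isolation.
    // $perm is cast so this statement cannot become an injection point if a
    // caller ever passes a non-integer.
    $SQL = "INSERT INTO ".TBL_USERS."
            SET id = ".$nextid.",
                name = '".escapeSQL($user)."',
                passwd = '".md5($pass)."',
                permissions = ".(int) $perm.",
                email = '".escapeSQL($email)."'";
    $res = runSQL($SQL, false);

    // Seed the user's own read/write permission row, but only if the INSERT
    // went through (false signals failure, e.g. duplicate name). The flag OR
    // is computed in PHP rather than handed to MySQL as "1|2".
    if ($res !== false)
    {
        $SQL = 'REPLACE INTO '.TBL_PERMISSIONS."
                SET from_uid=".$nextid.", to_uid=".$nextid.", permissions=".(PERM_READ | PERM_WRITE);
        $res = runSQL($SQL, false);
    }
    return $res;
}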
/**
 * Request input
 *
 * Every value comes from the request through the req_* helpers; the int
 * helper presumably coerces, the strings are raw and must be escaped at the
 * SQL/HTML boundary. Only the delete action is pinned to the POST body
 * (see $del_correct); create and update accept whatever req_* reads.
 * NOTE(security): there is no CSRF token on this form. If req_* reads from
 * $_REQUEST/$_GET, an admin who follows a crafted link can be made to create
 * or modify an account; pinning create/update to POST and adding a
 * per-session token also requires changes to users.tpl.
 */
$id       = req_int('id');
$newuser  = req_int('newuser');
$name     = req_string('name');
$email    = req_string('email');
$password = req_string('password');
$del      = req_int('del');
// Delete is honoured only when the same id is also present in the POST
// body, so a plain GET link cannot trigger it.
$del_correct = ($del && isset($_POST['del']) && ($_POST['del'] == $del));
$readflag  = req_int('readflag');
$writeflag = req_int('writeflag');
$adultflag = req_int('adultflag');
$adminflag = req_int('adminflag');

// Permission bitmask for the created/updated account. Admin implies adult
// and write implies read; the weaker flag is ignored when the stronger one
// is set.
$perm  = $adminflag ? (PERM_ADMIN + PERM_ADULT) : ($adultflag ? PERM_ADULT : 0);
$perm |= $writeflag ? (PERM_READ + PERM_WRITE) : ($readflag ? PERM_READ : 0);
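// Dispatch on the requested action. Exactly one branch runs per request:
// create, then update, then delete, in that precedence.
if ($newuser)
{
    // --- create ---------------------------------------------------------
    $message = $lang['msg_usernotcreated'];
    // Both name and password are required; a password of "0" fails this
    // truthiness test (pre-existing behaviour, left as is).
    if ($name && $password)
    {
        if (create_user($name, $password, $perm, $email) !== false)
        {
            $message = $lang['msg_usercreated'];
        }
        else
        {
            // INSERT failed, e.g. duplicate username
            $smarty->assign('alert', true);
        }
    }
    else
    {
        // name or password missing
        $smarty->assign('alert', true);
    }
}
elseif ($id && $name)
{
    // --- update ---------------------------------------------------------
    // $id and $perm are ints from req_int() / the flag calculation; they are
    // cast anyway so these statements cannot become injection points if the
    // input helpers change. Name and e-mail are user-supplied strings and
    // are escaped.
    // NOTE(review): an admin can strip their own admin flag here; there is
    // no "last admin" guard.
    runSQL("UPDATE ".TBL_USERS."
            SET name = '".escapeSQL($name)."', permissions = ".(int) $perm.", email = '".escapeSQL($email)."'
            WHERE id = ".(int) $id);
    if (!empty($password))
    {
        // NOTE(security): unsalted md5, kept only because the login-side
        // verification must be migrated in the same change
        // (password_hash / password_verify).
        $pw = md5($password);
        runSQL("UPDATE ".TBL_USERS." SET passwd = '".$pw."' WHERE id = ".(int) $id);
        $message = $lang['msg_permpassupd'];
    }
    else
    {
        $message = $lang['msg_permupd'];
    }
}
elseif ($del && $del_correct)
{
    // --- delete (POST only, see $del_correct) ---------------------------
    // NOTE(review): nothing prevents deleting the guest account or the
    // currently logged-in admin.
    validate_input($del);
    $del = (int) $del;
    // Remove the account and its per-user configuration.
    runSQL('DELETE FROM '.TBL_USERS.' WHERE id = '.$del);
    runSQL('DELETE FROM '.TBL_USERCONFIG.' WHERE user_id = '.$del);
    // Remove every permission row that references the user on either side.
    // Only from_uid was cleared before; rows with to_uid = $del survived
    // and, because create_user() assigns MAX(id)+1, would be inherited by
    // the next account that receives this id.
    runSQL('DELETE FROM '.TBL_PERMISSIONS.' WHERE from_uid = '.$del.' OR to_uid = '.$del);
    $message = $lang['msg_userdel'];
    $smarty->assign('alert', true);
}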
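// Build the list shown in the template from the current user table.
$result = runSQL('SELECT id, name, permissions, email
                  FROM '.TBL_USERS.'
                  ORDER BY name');
// Always defined, even when no row survives the guest filter below; the
// template previously received an undefined variable in that case.
$userlist = array();
foreach ($result as $user)
{
    $user['guest'] = ($user['id'] == $config['guestid']) ? 1 : 0;
    // hide the guest row while guest access is disabled
    if ($config['denyguest'] && $user['guest'])
    {
        continue;
    }
    // split the bitmask into the individual flags the template toggles
    $user['read']  = ($user['permissions'] & PERM_READ);
    $user['write'] = ($user['permissions'] & PERM_WRITE);
    $user['admin'] = ($user['permissions'] & PERM_ADMIN);
    $user['adult'] = ($user['permissions'] & PERM_ADULT);
    $userlist[] = $user;
}

// Permission changes made above must not be served from a stale cache.
clear_permission_cache();

// prepare and display templates; $message is only set when an action ran
tpl_page('usermanager');
$smarty->assign('userlist', $userlist);
$smarty->assign('message', isset($message) ? $message : '');
tpl_display('users.tpl');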