From 207be7114a1bfa9d9509d44bc85be4c76bda1e6c Mon Sep 17 00:00:00 2001 From: Skylar Ittner Date: Sat, 24 Jun 2017 20:31:51 -0600 Subject: [PATCH] Flag users as disabled/deleted if they can't actually be deleted --- action.php | 8 +++++- lang/en_us.php | 4 ++- lib/getusertable.php | 50 ++++++++++++++++++++++++++-------- pages/edituser.php | 17 +++++++++--- pages/users.php | 64 ++++++++++++++++++++++++-------------------- static/js/users.js | 15 ++++++++--- 6 files changed, 108 insertions(+), 50 deletions(-) diff --git a/action.php b/action.php index 81ef92f..deb932f 100644 --- a/action.php +++ b/action.php @@ -52,7 +52,8 @@ switch ($VARS['action']) { 'realname' => $VARS['name'], 'username' => $VARS['username'], 'email' => $VARS['email'], - 'acctstatus' => $VARS['status'] + 'acctstatus' => $VARS['status'], + 'deleted' => 0 ]; if (!is_empty($VARS['pass'])) { @@ -78,6 +79,11 @@ switch ($VARS['action']) { } $olddata = $database->select('accounts', '*', ['uid' => $VARS['id']])[0]; $database->delete('accounts', ['uid' => $VARS['id']]); + if (!is_null($database->error()[1])) { + // If we can't delete the account (because it's referenced elsewhere), + // we will flag it as deleted and set the status to LOCKED_OR_DISABLED. + $database->update('accounts', ['acctstatus' => 2, 'deleted' => 1], ['uid' => $VARS['id']]); + } insertAuthLog(16, $_SESSION['uid'], $olddata['username'] . ", " . $olddata['realname'] . ", " . $olddata['email'] . ", " . $olddata['acctstatus']); returnToSender("user_deleted"); case "rmtotp": diff --git a/lang/en_us.php b/lang/en_us.php index 97fd137..644e471 100644 --- a/lang/en_us.php +++ b/lang/en_us.php 
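Review bot: In the new fallback after `$database->delete('accounts', ...)`, any non-null driver error is treated as "referenced elsewhere", so a dropped connection or a permissions failure would also silently flag the account as deleted, and the result of the follow-up `$database->update(...)` is not checked either. If `error()` returns PDO's errorInfo() triple, as the `[1]` index suggests, the SQLSTATE in `error()[0]` lets the branch take the soft-delete path only for an integrity-constraint violation (`'23000'`) and fail loudly otherwise. The `insertAuthLog(16, ...)` line that follows writes the same message whether the row was removed or merely flagged, so the audit trail cannot show which happened; keep the outcome in a local and append it, e.g. `. ($softDeleted ? " (flagged as deleted, row retained)" : "")`. The `'deleted' => 0` added to the edit branch in the hunk above clears the flag on every save, which the new lang string documents as intended, but it applies whatever `status` the form submits rather than the status the account had before deletion, which is worth a comment at that line.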
@@ -85,5 +85,7 @@ define("STRINGS", [ "remove 2fa" => "Reset 2FA", "action performed by" => "Action performed by {user}", "2fa removed" => "2-factor authentication removed.", - "2fa" => "2FA" + "2fa" => "2FA", + "show deleted" => "Show deleted", + "editing deleted account" => "You are editing an account marked as deleted. The account will be undeleted if you press Save." ]); \ No newline at end of file diff --git a/lib/getusertable.php b/lib/getusertable.php index 9f729f1..5564a9e 100644 --- a/lib/getusertable.php +++ b/lib/getusertable.php @@ -6,11 +6,20 @@ dieifnotloggedin(); header("Content-Type: application/json"); +$show_deleted = false; +if ($VARS['show_deleted'] == 1) { + $show_deleted = true; +} + $out = []; $out['draw'] = intval($VARS['draw']); -$out['recordsTotal'] = $database->count('accounts'); +if ($show_deleted) { + $out['recordsTotal'] = $database->count('accounts'); +} else { + $out['recordsTotal'] = $database->count('accounts', ['deleted' => 0]); +} $filter = false; // sort 
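Review bot: `$VARS['show_deleted'] == 1` is a loose comparison on a key the client only sends when the checkbox is ticked (the users.js change in this patch sets `d.show_deleted = 1` conditionally), so unless `$VARS` is pre-populated with defaults somewhere not shown here, the default request raises an undefined-index notice before the flag is computed. `$show_deleted = filter_var($VARS['show_deleted'] ?? 0, FILTER_VALIDATE_INT) === 1;` covers both the missing key and non-numeric input (use `isset(...) ? ... : 0` if PHP 5 is still targeted). The same flag decides `recordsTotal` here and the filters in the next hunk, so it should be derived once at the top of the script, as done, and not re-read from `$VARS` later.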
@@ -43,19 +52,37 @@ switch ($VARS['order'][0]['column']) { // search if (!is_empty($VARS['search']['value'])) { $filter = true; - $wherenolimit = [ - "OR" => [ - "username[~]" => $VARS['search']['value'], - "realname[~]" => $VARS['search']['value'], - "email[~]" => $VARS['search']['value'], - "statuscode[~]" => $VARS['search']['value'], - "typecode[~]" => $VARS['search']['value'] - ] - ]; + if ($show_deleted) { + $wherenolimit = [ + "OR" => [ + "username[~]" => $VARS['search']['value'], + "realname[~]" => $VARS['search']['value'], + "email[~]" => $VARS['search']['value'], + "statuscode[~]" => $VARS['search']['value'], + "typecode[~]" => $VARS['search']['value'] + ] + ]; + } else { + $wherenolimit = [ + "AND" => [ + "OR" => [ + "username[~]" => $VARS['search']['value'], + "realname[~]" => $VARS['search']['value'], + "email[~]" => $VARS['search']['value'], + "statuscode[~]" => $VARS['search']['value'], + "typecode[~]" => $VARS['search']['value'] + ], + "deleted" => 0 + ] + ]; + } $where = $wherenolimit; $where["LIMIT"] = [$VARS['start'], $VARS['length']]; } else { $where = ["LIMIT" => [$VARS['start'], $VARS['length']]]; + if (!$show_deleted) { + $where["deleted"] = 0; + } } if (!is_null($order)) { $where["ORDER"] = $order; @@ -74,7 +101,8 @@ $users = $database->select('accounts', [ 'acctstatus', 'statuscode', 'accttype', - 'typecode' + 'typecode', + 'deleted' ], $where); diff --git a/pages/edituser.php b/pages/edituser.php index 1bcc2a6..1f9e5c6 100644 --- a/pages/edituser.php +++ b/pages/edituser.php @@ -12,7 +12,8 @@ $userdata = [ 'email' => '', 'authsecret' => '', 'acctstatus' => '', - 'typecode' => 'LOCAL' + 'typecode' => 'LOCAL', + 'deleted' => 0 ]; $editing = false; @@ -27,7 +28,8 @@ if (!is_empty($VARS['id'])) { 'email', 'authsecret', 'acctstatus', - 'typecode' + 'typecode', + 'deleted' ], [ 'uid' => $VARS['id'] ])[0]; @@ -70,6 +72,13 @@ if ($userdata['typecode'] != "LOCAL") { +
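Review bot: The search branch now carries two copies of the five-column `OR` block that differ only in the outer `"AND"` / `"deleted" => 0` wrapper, so a column added to one copy will be missed in the other; build the `OR` block once and wrap it conditionally, which also keeps `$wherenolimit` (presumably still used for the filtered count later in the file) unchanged. The `else` branch already does this for the non-search case with `$where["deleted"] = 0`. The hunk is part of a top-level script, so the rewrite below replaces only the `if ($show_deleted) { ... } else { ... }` pair inside the search block.
```php
    $search = [
        "OR" => [
            "username[~]" => $VARS['search']['value'],
            "realname[~]" => $VARS['search']['value'],
            "email[~]" => $VARS['search']['value'],
            "statuscode[~]" => $VARS['search']['value'],
            "typecode[~]" => $VARS['search']['value']
        ]
    ];
    // Hidden accounts are excluded by AND-ing the deleted flag onto the same search.
    $wherenolimit = $show_deleted ? $search : ["AND" => $search + ["deleted" => 0]];
    // … unchanged: LIMIT / ORDER handling …
```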
+ +
+
@@ -80,7 +89,7 @@ if ($userdata['typecode'] != "LOCAL") {
- class="form-control" name="username" id="username" placeholder="" required="required" value="" /> + class="form-control" name="username" id="username" placeholder="" required="required" value="" />
@@ -95,7 +104,7 @@ if ($userdata['typecode'] != "LOCAL") {
- autocomplete="new-password" class="form-control" name="pass" id="pass" placeholder="" /> + autocomplete="new-password" class="form-control" name="pass" id="pass" placeholder="" />
diff --git a/pages/users.php b/pages/users.php index 698cb30..60c8f3f 100644 --- a/pages/users.php +++ b/pages/users.php @@ -21,34 +21,34 @@ redirectifnotloggedin(); select('accounts', [ - "[>]acctstatus" => ['acctstatus' => 'statusid'], - "[>]accttypes" => ['accttype' => 'typeid'] - ], [ - 'uid', - 'username', - 'realname', - 'email', - 'acctstatus', - 'statuscode', - 'accttype', - 'typecode' - ]); - foreach ($users as $u) { - ?> - - - - - - - - - - - - select('accounts', [ + "[>]acctstatus" => ['acctstatus' => 'statusid'], + "[>]accttypes" => ['accttype' => 'typeid'] + ], [ + 'uid', + 'username', + 'realname', + 'email', + 'acctstatus', + 'statuscode', + 'accttype', + 'typecode' + ]); + foreach ($users as $u) { + ?> + + + + + + + + + + + + @@ -62,4 +62,10 @@ redirectifnotloggedin(); - \ No newline at end of file + + \ No newline at end of file diff --git a/static/js/users.js b/static/js/users.js index 698715e..522e4ce 100644 --- a/static/js/users.js +++ b/static/js/users.js @@ -1,4 +1,4 @@ -$('#usertable').DataTable({ +var usertable = $('#usertable').DataTable({ responsive: { details: { display: $.fn.dataTable.Responsive.display.modal({ @@ -30,6 +30,11 @@ $('#usertable').DataTable({ serverSide: true, ajax: { url: "lib/getusertable.php", + data: function (d) { + if ($('#show_deleted_checkbox').is(':checked')) { + d.show_deleted = 1; + } + }, dataFilter: function (data) { var json = jQuery.parseJSON(data); json.data = []; @@ -37,8 +42,8 @@ $('#usertable').DataTable({ json.data.push([ "", row.editbtn, - row.realname, - row.username, + (row.deleted == 1 ? "" : "") + row.realname + (row.deleted == 1 ? "" : ""), + (row.deleted == 1 ? "" : "") + row.username + (row.deleted == 1 ? "" : ""), row.email, (row['2fa'] == true ? "" : ""), row.statuscode, @@ -48,4 +53,6 @@ $('#usertable').DataTable({ return JSON.stringify(json); } } -}); \ No newline at end of file +}); + +$('#usertable_filter').append("
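Review bot: The two rewritten `json.data.push` entries now wrap `row.realname` and `row.username` in markup when `row.deleted == 1` (the tag text is lost in this rendering of the patch), which makes each cell an HTML string assembled from database values; a name containing `<` or `&` will be interpreted as markup or break the wrapper, and the surrounding columns were already passed through unescaped. Escape the values before concatenating, e.g. `var esc = function (s) { return $('<div>').text(s == null ? "" : String(s)).html(); };` defined once above the loop, then `esc(row.realname)` and `esc(row.username)` in place of the bare fields. `row.deleted == 1` is fine only if the endpoint can return the column as the string `"1"`, which is likely for a PDO-backed JSON response; otherwise prefer `=== 1`.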
"); \ No newline at end of file