User list and user editor/adder now working.

Skylar Ittner 7 years ago
parent 2f9cff273b
commit 4b6fcd8f7c

@ -3,11 +3,15 @@
/**
* Make things happen when buttons are pressed and forms submitted.
*/
require_once __DIR__ . "/required.php";
require_once __DIR__ . "/lib/login.php";
dieifnotloggedin();
if (account_has_permission($_SESSION['username'], "ADMIN") == FALSE) {
die("You don't have permission to be here.");
}
/**
* Redirects back to the page ID in $_POST/$_GET['source'] with the given message ID.
* The message will be displayed by the app.
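Review bot: The new admin gate at the top of action.php checks who the caller is but not whether the request came from this app's own form — no CSRF token appears anywhere in the hunk, and the edituser form added in this commit posts only `id`, `action` and `source`, so an admin whose browser is steered to a hostile page can be made to create or edit accounts. Issue a random token at login, keep it in `$_SESSION`, emit it as a hidden field in every form, and reject the request before the `switch`: `if (empty($VARS['csrf']) || !isset($_SESSION['csrf']) || !hash_equals($_SESSION['csrf'], $VARS['csrf'])) { http_response_code(403); die("Invalid request"); }`. While here, the permission failure on the following line answers with a 200 status; `http_response_code(403)` ahead of the `die()` tells clients and proxies what happened. The comparison `account_has_permission(...) == FALSE` is loose; `!== true` would not let a non-boolean value from the portal pass as granted.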
@ -25,8 +29,49 @@ function returnToSender($msg, $arg = "") {
}
switch ($VARS['action']) {
case "edituser":
if (is_empty($VARS['id'])) {
$insert = true;
} else {
if ($database->has('accounts', ['uid' => $VARS['id']])) {
$insert = false;
} else {
returnToSender("invalid_userid");
}
}
if (is_empty($VARS['name']) || is_empty($VARS['username']) || is_empty($VARS['status'])) {
returnToSender('invalid_parameters');
}
if (!$database->has('acctstatus', ['statusid' => $VARS['status']])) {
returnToSender("invalid_parameters");
}
$data = [
'realname' => $VARS['name'],
'username' => $VARS['username'],
'email' => $VARS['email'],
'acctstatus' => $VARS['status']
];
if (!is_empty($VARS['pass'])) {
$data['password'] = password_hash($VARS['pass'], PASSWORD_BCRYPT);
}
if ($insert) {
$data['phone1'] = "";
$data['phone2'] = "";
$data['accttype'] = 1;
$database->insert('accounts', $data);
} else {
$database->update('accounts', $data, ['uid' => $VARS['id']]);
}
returnToSender("user_saved");
case "signout":
session_destroy();
header('Location: index.php');
die("Logged out.");
default:
die("Invalid action");
}
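Review bot: The `edituser` case enforces none of the restrictions the editor applies only in the browser: pages/edituser.php disables the username and password inputs for non-LOCAL accounts, but `disabled` is a client-side attribute, so a crafted POST can rename a directory-managed account or give it a local `password` hash. Look the account type up by `uid` before building `$data` (the edit page joins `accounts.accttype` to `accttypes.typeid` and reads `typecode`) and drop `username`/`password` from the update unless the type is LOCAL. Uniqueness of `username` is not checked either, so a duplicate name either trips a database constraint with an unhandled error or silently creates a second account; a `$database->has('accounts', ['username' => $VARS['username'], 'uid[!]' => $VARS['id']])` check before the write covers both the insert and the rename case (hedged: assumes Medoo's `[!]` modifier is available in the bundled version). `$VARS['email']` is read without an `isset`/`is_empty` guard and never validated; `filter_var($VARS['email'], FILTER_VALIDATE_EMAIL)` is the obvious check. `returnToSender()` is defined outside this hunk; if it does not exit, the invalid-id branch above falls through into the update with `$insert` unset.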

@ -14,7 +14,7 @@ header("Content-Type: application/json");
$username = $VARS['username'];
$password = $VARS['password'];
if (user_exists($username) !== true || authenticate_user($username, $password, $errmsg) !== true) {
if (user_exists($username) !== true || authenticate_user($username, $password, $errmsg) !== true || account_has_permission($username, "ADMIN") !== true) {
header("HTTP/1.1 403 Unauthorized");
die("\"403 Unauthorized\"");
}
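Review bot: The rejection inside the new condition pairs status 403 with the reason phrase of 401 in `header("HTTP/1.1 403 Unauthorized")`, and the JSON body repeats the mismatch. `http_response_code(403)` keeps code and phrase consistent, and a body such as `die("\"403 Forbidden\"")` matches it; if the intent is "not authenticated" rather than "not allowed", 401 is the right code. Note that `account_has_permission()` now adds a portal round-trip to every API call after a successful `authenticate_user()`, so that function's failure handling (see lib/login.php in this commit) decides whether a portal outage fails closed here.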

@ -1,10 +1,7 @@
<?php
require_once __DIR__ . "/required.php";
if ($_SESSION['loggedin'] != true) {
header('Location: index.php');
die("Session expired. Log in again to continue.");
}
redirectIfNotLoggedIn();
require_once __DIR__ . "/pages.php";

@ -4,7 +4,7 @@ require_once __DIR__ . "/required.php";
require_once __DIR__ . "/lib/login.php";
// if we're logged in, we don't need to be here.
if ($_SESSION['loggedin']) {
if ($_SESSION['loggedin'] && account_has_permission($_SESSION['username'], "ADMIN")) {
header('Location: app.php');
}
@ -34,13 +34,17 @@ if (checkLoginServer()) {
break;
}
if ($userpass_ok) {
$_SESSION['passok'] = true; // stop logins using only username and authcode
if (userHasTOTP($VARS['username'])) {
$multiauth = true;
if (account_has_permission($VARS['username'], "ADMIN") == FALSE) {
$alert = lang("no admin permission", false);
} else {
doLoginUser($VARS['username'], $VARS['password']);
header('Location: app.php');
die("Logged in, go to app.php");
$_SESSION['passok'] = true; // stop logins using only username and authcode
if (userHasTOTP($VARS['username'])) {
$multiauth = true;
} else {
doLoginUser($VARS['username'], $VARS['password']);
header('Location: app.php');
die("Logged in, go to app.php");
}
}
}
} else {
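Review bot: The `no admin permission` branch turns this login form into a credential oracle for the portal: it is reached only after `$userpass_ok`, so anyone can confirm that a username/password pair is valid for a non-admin account, whereas a wrong password yields `login incorrect`. Unless that distinction is wanted for support reasons, answer with the same `lang("login incorrect", false)` and log the admin-denied attempt server-side instead. The comparison `account_has_permission(...) == FALSE` is loose; `!== true` fails closed if the portal ever returns something other than a boolean. Setting `$_SESSION['passok']` only on the admin path is correct, since a non-admin must not be able to continue to the TOTP step. The enclosing `if (checkLoginServer())` block starts before this hunk and ends after it.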

@ -9,6 +9,7 @@ define("STRINGS", [
"2fa prompt" => "Enter the six-digit code from your mobile authenticator app.",
"2fa incorrect" => "Authentication code incorrect.",
"login incorrect" => "Login incorrect.",
"no admin permission" => "You do not have permission to access this system.",
"login server unavailable" => "Login server unavailable. Try again later or contact technical support.",
"account locked" => "This account has been disabled. Contact technical support.",
"password expired" => "You must change your password before continuing.",
@ -35,5 +36,15 @@ define("STRINGS", [
"total users" => "Total Users",
"view users" => "View Users",
"normal accounts" => "Normal Accounts",
"locked accounts" => "Locked Accounts"
"locked accounts" => "Locked Accounts",
"editing user" => "Editing {user}",
"invalid userid" => "Invalid user ID.",
"user saved" => "User saved.",
"adding user" => "Adding new user",
"placeholder name" => "John Doe",
"placeholder username" => "jdoe",
"placeholder email address" => "jdoe@example.com",
"placeholder password" => "swordfish",
"new password" => "New Password",
"non-local account warning" => "This account is not locally managed. Changes made here will not synchronize to the directory server and some attributes cannot be edited."
]);

@ -12,5 +12,13 @@ define("MESSAGES", [
"404_error" => [
"string" => "page not found",
"type" => "info"
],
"invalid_userid" => [
"string" => "invalid userid",
"type" => "danger"
],
"user_saved" => [
"string" => "user saved",
"type" => "success"
]
]);

@ -157,6 +157,37 @@ function get_account_status($username) {
}
}
/**
* Check if the given username has the given permission (or admin access)
* @param string $username
* @param string $permcode
* @return boolean TRUE if the user has the permission (or admin access), else FALSE
*/
function account_has_permission($username, $permcode) {
$client = new GuzzleHttp\Client();
$response = $client
->request('POST', PORTAL_API, [
'form_params' => [
'key' => PORTAL_KEY,
'action' => "permission",
'username' => $username,
'code' => $permcode
]
]);
if ($response->getStatusCode() > 299) {
sendError("Login server error: " . $response->getBody());
}
$resp = json_decode($response->getBody(), TRUE);
if ($resp['status'] == "OK") {
return $resp['has_permission'];
} else {
return false;
}
}
////////////////////////////////////////////////////////////////////////////////
// Login handling //
////////////////////////////////////////////////////////////////////////////////
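Review bot: `account_has_permission()` returns `$resp['has_permission']` as whatever JSON the portal sent, and every caller in this commit compares it with `== FALSE`, so a truthy non-boolean (a string such as `"false"`) is treated as granted and a missing key raises an undefined-index notice before yielding `null`. Normalise to a boolean inside the function so callers can use `!== true`, and make the network path fail closed explicitly: with Guzzle's default `http_errors` a 4xx/5xx from the portal throws before `getStatusCode()` is ever consulted, and an unreachable portal throws a `ConnectException` that propagates out of every page load through `redirectIfNotLoggedIn()`. `sendError()` is defined elsewhere; if it does not exit, the `return false` after it is what keeps the gate closed. The function is complete within the hunk.
```php
function account_has_permission($username, $permcode) {
    $client = new GuzzleHttp\Client();
    try {
        $response = $client->request('POST', PORTAL_API, [
            // … unchanged: form_params (key, action, username, code) …
        ]);
    } catch (GuzzleHttp\Exception\TransferException $e) {
        // Portal unreachable or returned an error status: deny rather than crash.
        sendError("Login server error: " . $e->getMessage());
        return false;
    }
    $resp = json_decode($response->getBody(), TRUE);
    if (!is_array($resp) || !isset($resp['status'], $resp['has_permission']) || $resp['status'] !== "OK") {
        return false;
    }
    // Accept true/"true"/"1"/"yes"; anything else is a denial.
    return filter_var($resp['has_permission'], FILTER_VALIDATE_BOOLEAN);
}
```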

@ -20,6 +20,13 @@ define("PAGES", [
"static/js/users.js"
],
],
"edituser" => [
"title" => "edit user",
"navbar" => false,
"scripts" => [
"static/js/edituser.js"
]
],
"404" => [
"title" => "404 error"
]

@ -0,0 +1,136 @@
<?php
require_once __DIR__ . '/../required.php';
require_once __DIR__ . "/../lib/login.php";
require_once __DIR__ . "/../lib/userinfo.php";
redirectifnotloggedin();
$userdata = [
'uid' => '',
'username' => '',
'realname' => '',
'email' => '',
'acctstatus' => '',
'typecode' => 'LOCAL'
];
$editing = false;
if (!is_empty($VARS['id'])) {
if ($database->has('accounts', ['uid' => $VARS['id']])) {
$editing = true;
$userdata = $database->select('accounts', ['[>]accttypes' => ['accttype' => 'typeid']], [
'uid',
'username',
'realname',
'email',
'acctstatus',
'typecode'
], [
'uid' => $VARS['id']
])[0];
} else {
// user id is invalid, redirect to a page that won't cause an error when pressing Save
header('Location: app.php?page=edituser');
}
}
if ($userdata['typecode'] != "LOCAL") {
$localacct = false;
} else {
$localacct = true;
}
?>
<form role="form" action="action.php" method="POST">
<div class="panel panel-blue">
<div class="panel-heading">
<h3 class="panel-title">
<?php
if ($editing) {
?>
<i class="fa fa-pencil-square-o"></i> <?php lang2("editing user", ['user' => "<span id=\"name_title\">" . htmlspecialchars($userdata['realname']) . "</span>"]); ?>
<?php
} else {
?>
<i class="fa fa-pencil-square-o"></i> <?php lang("adding user"); ?>
<?php
}
?>
</h3>
</div>
<div class="panel-body">
<?php
if (!$localacct) {
?>
<div class="alert alert-warning">
<?php lang("non-local account warning"); ?>
</div>
<?php
}
?>
<div class="form-group">
<label for="name"><i class="fa fa-user"></i> <?php lang("name"); ?></label>
<input type="text" class="form-control" id="name" name="name" placeholder="<?php lang("placeholder name"); ?>" required="required" value="<?php echo htmlspecialchars($userdata['realname']); ?>" />
</div>
<div class="row">
<div class="col-xs-12 col-md-6">
<div class="form-group">
<label for="username"><i class="fa fa-id-badge"></i> <?php lang("username"); ?></label>
<input type="text" <?php if (!$localacct) echo "disabled"; ?> class="form-control" name="username" id="username" placeholder="<?php lang("placeholder username"); ?>" required="required" value="<?php echo htmlspecialchars($userdata['username']); ?>" />
</div>
</div>
<div class="col-xs-12 col-md-6">
<div class="form-group">
<label for="email"><i class="fa fa-envelope"></i> <?php lang("email"); ?></label>
<input type="email" class="form-control" name="email" id="email" placeholder="<?php lang("placeholder email address"); ?>" value="<?php echo htmlspecialchars($userdata['email']); ?>" />
</div>
</div>
</div>
<div class="row">
<div class="col-xs-12 col-md-6">
<div class="form-group">
<label for="pass"><i class="fa fa-lock"></i> <?php lang("new password"); ?></label>
<input type="text" <?php if (!$localacct) echo "disabled"; ?> autocomplete="new-password" class="form-control" name="pass" id="pass" placeholder="<?php lang("placeholder password"); ?>" />
</div>
</div>
<div class="col-xs-12 col-md-6">
<div class="form-group">
<label for="status"><i class="fa fa-check-circle"></i> <?php lang("status"); ?></label>
<select class="form-control" name="status" id="status" required="required">
<?php
$statuses = $database->select('acctstatus', ['statusid (id)', 'statuscode (code)'], ["ORDER" => "statusid"]);
foreach ($statuses as $s) {
echo "<option";
if ($s['id'] == $userdata['acctstatus']) {
echo " selected";
}
echo " value=\"" . $s['id'] . "\">" . $s['code'] . "</option>";
}
?>
</select>
</div>
</div>
</div>
</div>
<input type="hidden" name="id" value="<?php echo htmlspecialchars($VARS['id']); ?>" />
<input type="hidden" name="action" value="edituser" />
<input type="hidden" name="source" value="users" />
<div class="panel-footer">
<button type="submit" class="btn btn-success"><i class="fa fa-floppy-o"></i> <?php lang("save"); ?></button>
<?php
if ($editing) {
?>
<a href="action.php?action=deleteuser&source=users&userid=<?php echo htmlspecialchars($VARS['id']); ?>" style="margin-top: 8px;" class="btn btn-danger btn-xs pull-right"><i class="fa fa-times"></i> <?php lang('delete'); ?></a>
<?php
}
?>
</div>
</div>
</form>
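Review bot: The Delete button at the bottom of the form is a plain GET link to `action.php?action=deleteuser&userid=…`, so deleting an account needs nothing more than an admin's browser loading an `<img>` from a hostile page; make it a POST form carrying a CSRF token rather than a link. As far as the action.php hunks in this commit show, `deleteuser` is also not a case in the `switch`, so the link currently lands on `die("Invalid action")`. The invalid-id branch sends `header('Location: app.php?page=edituser')` but does not stop, so the rest of the page still renders with the blank `$userdata`; add `die();` after the header. The status `<option>` loop writes `$s['id']` and `$s['code']` into markup unescaped; the values come from the app's own table, but wrapping them in `htmlspecialchars()` keeps the page consistent with the other fields.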

@ -30,7 +30,7 @@ redirectifnotloggedin();
<div class="panel panel-amber">
<div class="panel-heading"><div class="panel-title"><?php lang("locked accounts") ?></div></div>
<div class="panel-body">
<h1><i class="fa fa-fw fa-user-times"></i> <?php echo $database->count('accounts', ['OR' => ['acctstatus' => 2, 'acctstatus' => 3]]); ?></h1>
<h1><i class="fa fa-fw fa-user-times"></i> <?php echo $database->count('accounts', ['OR' => ['acctstatus #LOCKED_OR_DISABLED' => 2, 'acctstatus #CHANGE_PASSWORD' => 3]]); ?></h1>
</div>
<div class="panel-footer">
<a style="color: black;" href="app.php?page=users"><i class="fa fa-arrow-right fa-fw"></i> <?php lang('view users'); ?></a>

@ -11,11 +11,11 @@ redirectifnotloggedin();
<tr>
<th data-priority="0"></th>
<th data-priority="1"><?php lang('actions'); ?></th>
<th data-priority="1"><?php lang('name'); ?></th>
<th data-priority="2"><?php lang('username'); ?></th>
<th data-priority="3"><?php lang('email'); ?></th>
<th data-priority="3"><?php lang('status'); ?></th>
<th data-priority="4"><?php lang('type'); ?></th>
<th data-priority="1"><i class="fa fa-fw fa-user"></i> <?php lang('name'); ?></th>
<th data-priority="2"><i class="fa fa-fw fa-id-badge"></i> <?php lang('username'); ?></th>
<th data-priority="3"><i class="fa fa-fw fa-envelope"></i> <?php lang('email'); ?></th>
<th data-priority="3"><i class="fa fa-fw fa-check-circle"></i> <?php lang('status'); ?></th>
<th data-priority="4"><i class="fa fa-fw fa-server"></i> <?php lang('type'); ?></th>
</tr>
</thead>
<tbody>
@ -54,11 +54,10 @@ redirectifnotloggedin();
<tr>
<th data-priority="0"></th>
<th data-priority="1"><?php lang('actions'); ?></th>
<th data-priority="1"><?php lang('name'); ?></th>
<th data-priority="2"><?php lang('username'); ?></th>
<th data-priority="3"><?php lang('email'); ?></th>
<th data-priority="3"><?php lang('status'); ?></th>
<th data-priority="4"><?php lang('type'); ?></th>
</tr>
<th data-priority="1"><i class="fa fa-fw fa-user"></i> <?php lang('name'); ?></th>
<th data-priority="2"><i class="fa fa-fw fa-id-badge"></i> <?php lang('username'); ?></th>
<th data-priority="3"><i class="fa fa-fw fa-envelope"></i> <?php lang('email'); ?></th>
<th data-priority="3"><i class="fa fa-fw fa-check-circle"></i> <?php lang('status'); ?></th>
<th data-priority="4"><i class="fa fa-fw fa-server"></i> <?php lang('type'); ?></th>
</tfoot>
</table>
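Review bot: The rewritten `<tfoot>` loses its closing `</tr>`: the old block ended with `</tr>` before `</tfoot>`, while the new one goes straight from the last `<th>` to `</tfoot>` (the hunk shrinking from 11 to 10 lines matches one dropped line). Browsers repair the markup, but a table plugin that reads the footer row (the `data-priority` attributes suggest one is in use) may not; add `</tr>` after the `type` header cell.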

@ -185,7 +185,12 @@ if (!function_exists('base_url')) {
function redirectIfNotLoggedIn() {
if ($_SESSION['loggedin'] !== TRUE) {
header('Location: ' . URL . '/index.php');
header('Location: ./index.php');
die();
}
require_once __DIR__ . "/lib/login.php";
if (account_has_permission($_SESSION['username'], "ADMIN") == FALSE) {
header('Location: ./index.php');
die("You don't have permission to be here.");
}
}
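Review bot: A logged-in user who fails the new admin check in `redirectIfNotLoggedIn()` is bounced to `./index.php` with `$_SESSION['loggedin']` still true, so the login page (which in this commit forwards only admins to app.php) shows them a form while their non-admin session stays alive and every later request repeats the portal round-trip. Clear the session before redirecting, as the `signout` action does: put `session_destroy();` ahead of `header('Location: ./index.php');`. The `== FALSE` comparison is loose; `!== true` passes only a genuine boolean. Since this function now runs on every page load, consider caching the portal's answer in the session for a short interval (hedged: how quickly a revoked permission must take effect decides whether that is acceptable).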

@ -0,0 +1,3 @@
$('#name').on('input propertychange paste', function() {
$('#name_title').text($('#name').val());
});