change password is now usable for GM's too by using a GET['id'] param!

This commit is contained in:
Quitta 2013-07-01 23:29:16 +02:00
parent 10213a0530
commit a94bb6dbc7
6 changed files with 173 additions and 50 deletions

View file

@ -313,6 +313,8 @@ class Users{
} }
public function check_change_password($values){ public function check_change_password($values){
//if admin isn't changing others
if(!$values['adminChangesOther']){
if ( isset( $values["user"] ) and isset( $values["CurrentPass"] ) and isset( $values["ConfirmNewPass"] ) and isset( $values["NewPass"] ) ){ if ( isset( $values["user"] ) and isset( $values["CurrentPass"] ) and isset( $values["ConfirmNewPass"] ) and isset( $values["NewPass"] ) ){
$match = $this->checkLoginMatch($values["user"],$values["CurrentPass"]); $match = $this->checkLoginMatch($values["user"],$values["CurrentPass"]);
$newpass = $this->checkPassword($values["NewPass"]); $newpass = $this->checkPassword($values["NewPass"]);
@ -322,19 +324,33 @@ class Users{
$newpass = ""; $newpass = "";
$confpass = ""; $confpass = "";
} }
if ( ( $match != "fail" ) and ( $newpass == "success" ) and ( $confpass == "success" ) ){ }else{
//if admin is indeed changing someone!
if ( isset( $values["user"] ) and isset( $values["ConfirmNewPass"] ) and isset( $values["NewPass"] ) ){
$newpass = $this->checkPassword($values["NewPass"]);
$confpass = $this->confirmPassword($newpass,$values["NewPass"],$values["ConfirmNewPass"]);
}else{
$newpass = "";
$confpass = "";
}
}
if ( !$values['adminChangesOther'] and ( $match != "fail" ) and ( $newpass == "success" ) and ( $confpass == "success" ) ){
return "success";
}else if($values['adminChangesOther'] and ( $newpass == "success" ) and ( $confpass == "success" ) ){
return "success"; return "success";
}else{ }else{
$pageElements = array( $pageElements = array(
'match_error_message' => $match,
'newpass_error_message' => $newpass, 'newpass_error_message' => $newpass,
'confirmnewpass_error_message' => $confpass 'confirmnewpass_error_message' => $confpass
); );
if(!$values['adminChangesOther']){
$pageElements['match_error_message'] = $match;
if ( $match != "fail" ){ if ( $match != "fail" ){
$pageElements['MATCH_ERROR'] = 'FALSE'; $pageElements['MATCH_ERROR'] = 'FALSE';
}else{ }else{
$pageElements['MATCH_ERROR'] = 'TRUE'; $pageElements['MATCH_ERROR'] = 'TRUE';
} }
}
if ( $newpass != "success" ){ if ( $newpass != "success" ){
$pageElements['NEWPASSWORD_ERROR'] = 'TRUE'; $pageElements['NEWPASSWORD_ERROR'] = 'TRUE';
}else{ }else{
@ -348,6 +364,29 @@ class Users{
return $pageElements; return $pageElements;
} }
} }
protected function setPassword($user, $pass){
try {
//make connection with and put into shard db
global $cfg;
$dbs = new DBLayer($cfg['db']['shard']);
$dbs->execute("UPDATE user SET Password = :pass WHERE Login = :user ",$values);
return "ok";
}
catch (PDOException $e) {
//oh noooz, the shard is offline! Put in query queue at ams_lib db!
/*try {
$dbl = new DBLayer($cfg['db']['lib']);
$dbl->execute("INSERT INTO ams_querycache (type, query) VALUES (:type, :query)",array("type" => "createUser",
"query" => json_encode(array($values["name"],$values["pass"],$values["mail"]))));
return "shardoffline";
}catch (PDOException $e) {
print_r($e);
return "liboffline";
}*/
}
}
} }

View file

@ -48,9 +48,30 @@ class WebUsers extends Users{
}else{ }else{
return "fail"; return "fail";
} }
}
public function getUsername($id){
global $cfg;
$dbw = new DBLayer($cfg['db']['web']);
$statement = $dbw->execute("SELECT * FROM ams_user WHERE UId=:id", array('id' => $id));
$row = $statement->fetch();
return $row['Login'];
}
public function isLoggedIn(){
if(isset($_SESSION['user'])){
return true;
}
return false;
}
public function isAdmin(){
if(isset($_SESSION['permission']) && $_SESSION['permission'] == 2){
return true;
}
return false;
} }
} }

View file

@ -3,23 +3,61 @@
function change_password(){ function change_password(){
try{ try{
if(isset($_SESSION["user"])){ //if logged in
if(WebUsers::isLoggedIn()){
if(isset($_POST['target_id'])){
$adminChangesOther = false;
//if target_id is the same as session id or is admin
if( ($_POST['target_id'] == $_SESSION['id']) || WebUsers::isAdmin() ){
if($_POST['target_id'] == $_SESSION['id']){
$target_username = $_SESSION['user'];
}else{
$target_username = WebUsers::getUsername($_POST['target_id']);
//isAdmin is true when it's the admin, but the target_id != own id
$adminChangesOther = true;
$_POST["CurrentPass"] = "dummypass";
}
$id = $_POST['target_id'];
$webUser = new WebUsers(); $webUser = new WebUsers();
$params = Array( 'user' => $_SESSION["user"], 'CurrentPass' => $_POST["CurrentPass"], 'NewPass' => $_POST["NewPass"], 'ConfirmNewPass' => $_POST["ConfirmNewPass"]); $params = Array( 'user' => $target_username, 'CurrentPass' => $_POST["CurrentPass"], 'NewPass' => $_POST["NewPass"], 'ConfirmNewPass' => $_POST["ConfirmNewPass"], 'adminChangesOther' => $adminChangesOther);
$result = $webUser->check_change_password($params); $result = $webUser->check_change_password($params);
if ($result == "success"){ if ($result == "success"){
//edit stuff into db //edit stuff into db
$hashpass = crypt($_POST["NewPass"], WebUsers::generateSALT());
print('success!');
exit;
}else{ }else{
$result['prevCurrentPass'] = $_POST["CurrentPass"]; $result['prevCurrentPass'] = $_POST["CurrentPass"];
$result['prevNewPass'] = $_POST["NewPass"]; $result['prevNewPass'] = $_POST["NewPass"];
$result['prevConfirmNewPass'] = $_POST["ConfirmNewPass"]; $result['prevConfirmNewPass'] = $_POST["ConfirmNewPass"];
$result['permission'] = $_SESSION['permission']; $result['permission'] = $_SESSION['permission'];
$result['no_visible_elements'] = 'FALSE'; $result['no_visible_elements'] = 'FALSE';
$result['target_id'] = $_POST['target_id'];
if(isset($_GET['id'])){
if(WebUsers::isAdmin() && ($_POST['target_id'] != $_SESSION['id'])){
$result['isAdmin'] = "TRUE";
}
}
helpers :: loadtemplate( 'settings', $result); helpers :: loadtemplate( 'settings', $result);
exit; exit;
} }
}else{
//ERROR: permission denied!
} }
}else{
//ERROR: The form was not filled in correclty
}
}else{
//ERROR: user is not logged in
exit;
}
}catch (PDOException $e) { }catch (PDOException $e) {
//go to error page or something, because can't access website db //go to error page or something, because can't access website db
print_r($e); print_r($e);

View file

@ -10,6 +10,9 @@ function login(){
//handle successful login //handle successful login
$_SESSION['user'] = $_POST["Username"]; $_SESSION['user'] = $_POST["Username"];
$_SESSION['permission'] = $result['Permission']; $_SESSION['permission'] = $result['Permission'];
$_SESSION['id'] = $result['UId'];
print('id=');
print($_SESSION['id']);
//go back to the index page. //go back to the index page.
header( 'Location: index.php' ); header( 'Location: index.php' );
exit; exit;

View file

@ -0,0 +1,21 @@
<?php
function settings(){
if(WebUsers::isLoggedIn()){
//in case id-GET param set it's value as target_id, if no id-param is given, ue the session id.
if(isset($_GET['id'])){
if(WebUsers::isAdmin() && ($_GET['id']!= $_SESSION['id'])){
$result['isAdmin'] = "TRUE";
}
$result['target_id'] = $_GET['id'];
}else{
$result['target_id'] = $_SESSION['id'];
}
return $result;
}else{
//ERROR: not logged in!
print("not logged in!");
exit;
}
}

View file

@ -10,9 +10,10 @@
</div> </div>
<div class="box-content"> <div class="box-content">
<div class="row-fluid"> <div class="row-fluid">
<form id="changePassword" class="form-vertical" method="post" action="index.php"> <form id="changePassword" class="form-vertical" method="post" action="index.php?page=settings&id={$target_id}">
<legend>Change Password</legend> <legend>Change Password</legend>
{if !isset($isAdmin) or $isAdmin eq "FALSE"}
<div class="control-group {if isset($MATCH_ERROR) and $MATCH_ERROR eq "TRUE"}error{else if <div class="control-group {if isset($MATCH_ERROR) and $MATCH_ERROR eq "TRUE"}error{else if
isset($match_error_message) and $match_error_message neq "fail"}success{else}{/if}"> isset($match_error_message) and $match_error_message neq "fail"}success{else}{/if}">
<label class="control-label">Current Password</label> <label class="control-label">Current Password</label>
@ -24,7 +25,7 @@
</div> </div>
</div> </div>
</div> </div>
{/if}
<div class="control-group {if isset($NEWPASSWORD_ERROR) and $NEWPASSWORD_ERROR eq "TRUE"}error{else if <div class="control-group {if isset($NEWPASSWORD_ERROR) and $NEWPASSWORD_ERROR eq "TRUE"}error{else if
isset($newpass_error_message) and $newpass_error_message eq "success"}success{else}{/if}"> isset($newpass_error_message) and $newpass_error_message eq "success"}success{else}{/if}">
<label class="control-label">New Password</label> <label class="control-label">New Password</label>
@ -50,7 +51,7 @@
</div> </div>
<input type="hidden" name="function" value="change_password"> <input type="hidden" name="function" value="change_password">
<input type="hidden" name="target_id" value="{$target_id}">
<div class="control-group"> <div class="control-group">
<label class="control-label"></label> <label class="control-label"></label>
<div class="controls"> <div class="controls">