authorPhilip Häusler <msquare@notrademark.de>2015-12-30 15:48:41 +0100
committerPhilip Häusler <msquare@notrademark.de>2015-12-30 15:48:41 +0100
commitef60b955555ea1d22da8494a34440c3fd2d8b190 (patch)
treefbe409ee1e4426fab4ea10a51fde324350a4f2fd /includes/controller
parent1983db901b9b7ea9b87a66ed38f030369dc3a0a4 (diff)
add a more secure way to delete users containing a password request
Diffstat (limited to 'includes/controller')
-rw-r--r--includes/controller/users_controller.php55
1 files changed, 55 insertions, 0 deletions
diff --git a/includes/controller/users_controller.php b/includes/controller/users_controller.php
index c560e79a..404b7f9b 100644
--- a/includes/controller/users_controller.php
+++ b/includes/controller/users_controller.php
@@ -27,10 +27,65 @@ function users_controller() {
}
}
+/**
+ * Delete a user, requires to enter own password for reasons.
+ */
+function user_delete_controller() {
+ global $privileges, $user;
+
+ if (isset($_REQUEST['user_id'])) {
+ $user_source = User($_REQUEST['user_id']);
+ } else
+ $user_source = $user;
+
+ if (! in_array('admin_user', $privileges))
+ redirect(page_link_to(''));
+
+ // You cannot delete yourself
+ if ($user['UID'] == $user_source['UID']) {
+ error(_("You cannot delete yourself."));
+ redirect(user_link($user));
+ }
+
+ if (isset($_REQUEST['submit'])) {
+ $ok = true;
+
+ if (! (isset($_REQUEST['password']) && verify_password($_REQUEST['password'], $user['Passwort'], $user['UID']))) {
+ $ok = false;
+ error(_("Your password is incorrect. Please try it again."));
+ }
+
+ if ($ok) {
+ $result = User_delete($user_source['UID']);
+ if ($result === false)
+ engelsystem_error('Unable to delete user.');
+
+ mail_user_delete($user_source);
+ success(_("User deleted."));
+ engelsystem_log(sprintf("Deleted %s", User_Nick_render($user_source)));
+
+ redirect(users_link());
+ }
+ }
+
+ return array(
+ sprintf(_("Delete %s"), $user_source['Nick']),
+ User_delete_view($user_source)
+ );
+}
+
function users_link() {
return page_link_to('users');
}
+function user_edit_link($user) {
+ return page_link_to('admin_user') . '&user_id=' . $user['UID'];
+}
+
+function user_delete_link($user) {
+ return page_link_to('users') . '&action=delete&user_id=' . $user['UID'];
+}
+
function user_link($user) {
return page_link_to('users') . '&action=view&user_id=' . $user['UID'];
}
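Review bot: The deletion in user_delete_controller is armed by `$_REQUEST['submit']` and reads the admin's password from `$_REQUEST['password']`, so both are accepted from the query string as well as from the POST body; a GET request would then leave the password in server, proxy and browser history logs, and a state-changing action becomes reachable from a plain link. Restricting the form handling to `if (isset($_POST['submit']))` and `isset($_POST['password']) && verify_password($_POST['password'], $user['Passwort'], $user['UID'])` keeps the intended "type your own password" protection while keeping the secret out of URLs. Separately, the result of `User($_REQUEST['user_id'])` is used unchecked in the `$user['UID'] == $user_source['UID']` comparison and in `User_delete($user_source['UID'])`; if User() can return null for an unknown id (its definition is not visible from this hunk), a guard such as `if ($user_source == null) redirect(users_link());` right after the lookup would close that path. The docblock could also state that the password verified is the acting admin's own password rather than the target user's, since the check compares against `$user['Passwort']`.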