author | Philip Häusler <msquare@notrademark.de> | 2015-12-30 15:48:41 +0100 |
committer | Philip Häusler <msquare@notrademark.de> | 2015-12-30 15:48:41 +0100 |
commit | ef60b955555ea1d22da8494a34440c3fd2d8b190 (patch) | |
tree | fbe409ee1e4426fab4ea10a51fde324350a4f2fd /includes | |
parent | 1983db901b9b7ea9b87a66ed38f030369dc3a0a4 (diff) |
add a more secure way to delete users: the acting admin must re-enter their own password
Diffstat (limited to 'includes')
-rw-r--r-- | includes/controller/users_controller.php | 55 | ||||
-rw-r--r-- | includes/engelsystem_provider.php | 1 | ||||
-rw-r--r-- | includes/mailer/users_mailer.php | 9 | ||||
-rw-r--r-- | includes/model/User_model.php | 9 | ||||
-rw-r--r-- | includes/pages/admin_user.php | 25 | ||||
-rw-r--r-- | includes/view/User_view.php | 17 |
6 files changed, 94 insertions, 22 deletions
diff --git a/includes/controller/users_controller.php b/includes/controller/users_controller.php
index c560e79a..404b7f9b 100644
--- a/includes/controller/users_controller.php
+++ b/includes/controller/users_controller.php
@@ -27,10 +27,65 @@ function users_controller() {
 }
 }
+/**
+ * Delete a user, requires to enter own password for reasons.
+ */
+function user_delete_controller() {
+ global $privileges, $user;
+ if (isset($_REQUEST['user_id'])) {
+ $user_source = User($_REQUEST['user_id']);
+ } else
+ $user_source = $user;
+ if (! in_array('admin_user', $privileges))
+ redirect(page_link_to(''));
+ // You cannot delete yourself
+ if ($user['UID'] == $user_source['UID']) {
+ error(_("You cannot delete yourself."));
+ redirect(user_link($user));
+ }
+ if (isset($_REQUEST['submit'])) {
+ $ok = true;
+ if (! (isset($_REQUEST['password']) && verify_password($_REQUEST['password'], $user['Passwort'], $user['UID']))) {
+ $ok = false;
+ error(_("Your password is incorrect. Please try it again."));
+ }
+ if ($ok) {
+ $result = User_delete($user_source['UID']);
+ if ($result === false)
+ engelsystem_error('Unable to delete user.');
+ mail_user_delete($user_source);
+ success(_("User deleted."));
+ engelsystem_log(sprintf("Deleted %s", User_Nick_render($user_source)));
+ redirect(users_link());
+ }
+ }
+ return array(
+ sprintf(_("Delete %s"), $user_source['Nick']),
+ User_delete_view($user_source)
+ );
+}
 function users_link() {
 return page_link_to('users');
 }
+function user_edit_link($user) {
+ return page_link_to('admin_user') . '&user_id=' . $user['UID'];
+}
+function user_delete_link($user) {
+ return page_link_to('users') . '&action=delete&user_id=' . $user['UID'];
+}
 function user_link($user) {
 return page_link_to('users') . '&action=view&user_id=' . $user['UID'];
 }
diff --git a/includes/engelsystem_provider.php b/includes/engelsystem_provider.php
index 30bfae7d..fa5e86a4 100644
--- a/includes/engelsystem_provider.php
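Review bot: `user_delete_controller` never checks what `User($_REQUEST['user_id'])` returned, although the `case 'delete'` code this commit removes from admin_user.php did (`=== false` → `engelsystem_error`, `== null` → error and redirect). For an unknown id `$user_source` is null, the self-delete guard does not trigger (`$user['UID'] == null` is false), and a correct password then reaches `User_delete(null)`, `mail_user_delete(null)` and a "User deleted." success message. I would also run the `admin_user` privilege test before the lookup, and read `submit`/`password` from `$_POST` rather than `$_REQUEST`, so the admin's re-entered password cannot be carried in a query string that lands in access logs. Proposed shape of the start of the function:
```php
  global $privileges, $user;

  if (! in_array('admin_user', $privileges))
    redirect(page_link_to(''));

  if (isset($_REQUEST['user_id'])) {
    $user_source = User($_REQUEST['user_id']);
    if ($user_source === false)
      engelsystem_error("Unable to load user.");
    if ($user_source == null) {
      error(_('This user does not exist.'));
      redirect(users_link());
    }
  } else
    $user_source = $user;

  // … unchanged: self-delete check, password verification, deletion, view …
```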
+++ b/includes/engelsystem_provider.php
@@ -48,6 +48,7 @@ require_once realpath(__DIR__ . '/../includes/helper/error_helper.php');
 require_once realpath(__DIR__ . '/../includes/helper/email_helper.php');
 require_once realpath(__DIR__ . '/../includes/mailer/shifts_mailer.php');
+require_once realpath(__DIR__ . '/../includes/mailer/users_mailer.php');
 require_once realpath(__DIR__ . '/../config/config.default.php');
 if (file_exists(realpath(__DIR__ . '/../config/config.php')))
diff --git a/includes/mailer/users_mailer.php b/includes/mailer/users_mailer.php
new file mode 100644
index 00000000..b08af92b
--- /dev/null
+++ b/includes/mailer/users_mailer.php
@@ -0,0 +1,9 @@
+<?php
+
+/**
+ * @param User $user_source
+ */
+function mail_user_delete($user) {
+ engelsystem_email_to_user($user, '[engelsystem] ' . _("Your account has been deleted"), _("Your angelsystem account has been deleted. If you have any questions regarding your account deletion, please contact heaven."));
+}
+?>
\ No newline at end of file
diff --git a/includes/model/User_model.php b/includes/model/User_model.php
index d051b3e9..e1bb2733 100644
--- a/includes/model/User_model.php
+++ b/includes/model/User_model.php
@@ -5,6 +5,15 @@
 */
 /**
+ * Delete a user
+ *
+ * @param int $user_id
+ */
+function User_delete($user_id) {
+ return sql_query("DELETE FROM `User` WHERE `UID`='" . sql_escape($user_id) . "'");
+}
+
+/**
 * Update user.
 *
 * @param User $user
diff --git a/includes/pages/admin_user.php b/includes/pages/admin_user.php
index 6d327d7f..516bd1e4 100644
--- a/includes/pages/admin_user.php
+++ b/includes/pages/admin_user.php
@@ -113,9 +113,9 @@ function admin_user() {
 $html .= "<hr />";
 }
- $html .= "<form action=\"" . page_link_to("admin_user") . "&action=delete&id=" . $id . "\" method=\"post\">\n";
- $html .= "<input type=\"submit\" value=\"Löschen\">\n";
- $html .= "</form>";
+ $html .= buttons([
+ button(user_delete_link($user_source), glyph('lock') . _("delete"), 'btn-danger')
+ ]);
 $html .= "<hr />";
 } else {
@@ -156,25 +156,6 @@ function admin_user() {
 }
 break;
- case 'delete':
- if ($user['UID'] != $id) {
- $user_source = User($id);
- if ($user_source === false)
- engelsystem_error("Unable to load user.");
- if ($user_source == null) {
- error(_('This user does not exist.'));
- redirect(users_link());
- }
-
- sql_query("DELETE FROM `User` WHERE `UID`='" . sql_escape($id) . "' LIMIT 1");
- sql_query("DELETE FROM `UserGroups` WHERE `uid`='" . sql_escape($id) . "'");
- engelsystem_log("Deleted user " . User_Nick_render($user_source));
- $html .= success("Benutzer gelöscht!", true);
- } else {
- $html .= error("Du kannst Dich nicht selber löschen!", true);
- }
- break;
-
 case 'save':
 $force_active = $user['force_active'];
 if (in_array('admin_active', $privileges))
diff --git a/includes/view/User_view.php b/includes/view/User_view.php
index e5ed7e0e..09668d6f 100644
--- a/includes/view/User_view.php
+++ b/includes/view/User_view.php
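Review bot: The docblock on `mail_user_delete` documents `@param User $user_source`, but the parameter is `$user`, so the annotation points at nothing. I would write `@param User $user the account that was just deleted; presumably engelsystem_email_to_user takes the address from this array, since the row is gone by the time the mail is sent — confirm`. The new file also ends with `?>` and no trailing newline; dropping the closing tag, as PSR-1 recommends for PHP-only files, removes the chance of stray output after it breaking later header calls.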
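Review bot: `User_delete` only runs `DELETE FROM User`, while the `case 'delete'` code this commit removes from admin_user.php also deleted the account's `UserGroups` rows and used `LIMIT 1`; unless the schema cascades (not visible here), the deleted user's privilege assignments are left behind. The confirmation text added in User_view.php promises removal of shifts and "every other piece" of data, so the same question applies to shift entries. I would let the model function own the cleanup, report failure of either statement (the controller already tests `=== false`), and add `@return resource|bool` to the docblock:
```php
function User_delete($user_id) {
  $result = sql_query("DELETE FROM `User` WHERE `UID`='" . sql_escape($user_id) . "' LIMIT 1");
  if ($result === false)
    return false;
  return sql_query("DELETE FROM `UserGroups` WHERE `uid`='" . sql_escape($user_id) . "'");
}
```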
@@ -20,6 +20,23 @@ $tshirt_sizes = array(
 );
 /**
+ * Gui for deleting user with password field.
+ */
+function User_delete_view($user) {
+ return page_with_title(sprintf(_("Delete %s"), User_Nick_render($user)), [
+ msg(),
+ buttons([
+ button(user_edit_link($user), glyph('chevron-left') . _("back"))
+ ]),
+ error(_("Do you really want to delete the user including all his shifts and every other piece of his data?"), true),
+ form([
+ form_password('password', _("Your password")),
+ form_submit('submit', _("Delete"))
+ ])
+ ]);
+}
+
+/**
 * View for editing the number of given vouchers
 */
 function User_edit_vouchers_view($user) { |
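Review bot: `User_delete_view` takes `$user` without a `@param` line, and its comment does not say whose password the field asks for, which is the whole point of the new flow; the sibling `mail_user_delete` in this commit does use `@param User`. I would write the docblock as `Gui for deleting a user: asks the acting admin for their own password before the delete is submitted.` followed by `@param User $user the account to be deleted`. The `form([...])` call carries no explicit target or method, so whether the password is POSTed back to the `action=delete&user_id=` URL depends on the `form()` helper's default — worth confirming, since the controller reads `user_id` from the request and the password must not travel in the query string.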