authorPhilip Häusler <msquare@notrademark.de>2015-12-30 15:48:41 +0100
committerPhilip Häusler <msquare@notrademark.de>2015-12-30 15:48:41 +0100
commitef60b955555ea1d22da8494a34440c3fd2d8b190 (patch)
treefbe409ee1e4426fab4ea10a51fde324350a4f2fd /includes
parent1983db901b9b7ea9b87a66ed38f030369dc3a0a4 (diff)
add a more secure way to delete users that requires a password prompt
Diffstat (limited to 'includes')
-rw-r--r--includes/controller/users_controller.php55
-rw-r--r--includes/engelsystem_provider.php1
-rw-r--r--includes/mailer/users_mailer.php9
-rw-r--r--includes/model/User_model.php9
-rw-r--r--includes/pages/admin_user.php25
-rw-r--r--includes/view/User_view.php17
6 files changed, 94 insertions, 22 deletions
diff --git a/includes/controller/users_controller.php b/includes/controller/users_controller.php
index c560e79a..404b7f9b 100644
--- a/includes/controller/users_controller.php
+++ b/includes/controller/users_controller.php
@@ -27,10 +27,65 @@ function users_controller() {
}
}
+/**
+ * Delete a user, requires to enter own password for reasons.
+ */
+function user_delete_controller() {
+ global $privileges, $user;
+
+ if (isset($_REQUEST['user_id'])) {
+ $user_source = User($_REQUEST['user_id']);
+ } else
+ $user_source = $user;
+
+ if (! in_array('admin_user', $privileges))
+ redirect(page_link_to(''));
+
+ // You cannot delete yourself
+ if ($user['UID'] == $user_source['UID']) {
+ error(_("You cannot delete yourself."));
+ redirect(user_link($user));
+ }
+
+ if (isset($_REQUEST['submit'])) {
+ $ok = true;
+
+ if (! (isset($_REQUEST['password']) && verify_password($_REQUEST['password'], $user['Passwort'], $user['UID']))) {
+ $ok = false;
+ error(_("Your password is incorrect. Please try it again."));
+ }
+
+ if ($ok) {
+ $result = User_delete($user_source['UID']);
+ if ($result === false)
+ engelsystem_error('Unable to delete user.');
+
+ mail_user_delete($user_source);
+ success(_("User deleted."));
+ engelsystem_log(sprintf("Deleted %s", User_Nick_render($user_source)));
+
+ redirect(users_link());
+ }
+ }
+
+ return array(
+ sprintf(_("Delete %s"), $user_source['Nick']),
+ User_delete_view($user_source)
+ );
+}
+
function users_link() {
return page_link_to('users');
}
+function user_edit_link($user) {
+ return page_link_to('admin_user') . '&user_id=' . $user['UID'];
+}
+
+function user_delete_link($user) {
+ return page_link_to('users') . '&action=delete&user_id=' . $user['UID'];
+}
+
function user_link($user) {
return page_link_to('users') . '&action=view&user_id=' . $user['UID'];
}
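Review bot: The result of `User($_REQUEST['user_id'])` is used unchecked — `$user_source['UID']` at the self-delete check and `User_delete($user_source['UID'])` both assume a loaded row — while the admin_user 'delete' case this commit removes guarded against `false` (engelsystem_error) and `null` (error + redirect) from User(), so an unknown or malformed user_id now reaches the deletion path with a non-user value. The privilege check should also run before the lookup rather than after it, so unprivileged requests never touch the user table. Separately, `submit` and `password` are read from `$_REQUEST`, which also accepts query-string parameters; reading them from `$_POST` keeps the admin's password out of URLs and access logs. The rewritten prologue below restores the lookup checks; the rest of the function is unchanged.
```php
function user_delete_controller() {
  global $privileges, $user;

  if (! in_array('admin_user', $privileges))
    redirect(page_link_to(''));

  if (isset($_REQUEST['user_id'])) {
    $user_source = User($_REQUEST['user_id']);
    if ($user_source === false)
      engelsystem_error("Unable to load user.");
    if ($user_source == null) {
      error(_('This user does not exist.'));
      redirect(users_link());
    }
  } else
    $user_source = $user;

  // … unchanged: self-delete check, password verification, deletion, view …
```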
diff --git a/includes/engelsystem_provider.php b/includes/engelsystem_provider.php
index 30bfae7d..fa5e86a4 100644
--- a/includes/engelsystem_provider.php
+++ b/includes/engelsystem_provider.php
@@ -48,6 +48,7 @@ require_once realpath(__DIR__ . '/../includes/helper/error_helper.php');
require_once realpath(__DIR__ . '/../includes/helper/email_helper.php');
require_once realpath(__DIR__ . '/../includes/mailer/shifts_mailer.php');
+require_once realpath(__DIR__ . '/../includes/mailer/users_mailer.php');
require_once realpath(__DIR__ . '/../config/config.default.php');
if (file_exists(realpath(__DIR__ . '/../config/config.php')))
diff --git a/includes/mailer/users_mailer.php b/includes/mailer/users_mailer.php
new file mode 100644
index 00000000..b08af92b
--- /dev/null
+++ b/includes/mailer/users_mailer.php
@@ -0,0 +1,9 @@
+<?php
+
+/**
+ * @param User $user_source
+ */
+function mail_user_delete($user) {
+ engelsystem_email_to_user($user, '[engelsystem] ' . _("Your account has been deleted"), _("Your angelsystem account has been deleted. If you have any questions regarding your account deletion, please contact heaven."));
+}
+?> \ No newline at end of file
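Review bot: The docblock on mail_user_delete names a parameter that does not exist — it says `@param User $user_source` while the signature is `function mail_user_delete($user)`; change it to `@param User $user`. The file also ends with a closing `?>` and no trailing newline (see the "No newline at end of file" marker); for a PHP-only file the closing tag should be dropped so nothing after it can be emitted as output, matching how the other included files are written if they omit it.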
diff --git a/includes/model/User_model.php b/includes/model/User_model.php
index d051b3e9..e1bb2733 100644
--- a/includes/model/User_model.php
+++ b/includes/model/User_model.php
@@ -5,6 +5,15 @@
*/
/**
+ * Delete a user
+ *
+ * @param int $user_id
+ */
+function User_delete($user_id) {
+ return sql_query("DELETE FROM `User` WHERE `UID`='" . sql_escape($user_id) . "'");
+}
+
+/**
* Update user.
*
* @param User $user
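Review bot: User_delete only removes the row from `User`, whereas the admin_user 'delete' case replaced by this commit also ran `DELETE FROM UserGroups WHERE uid=…` for the same id; unless the schema cascades that relation (not visible here), the new path leaves the user's group memberships behind, and a later reuse of the UID would inherit them. Adding `sql_query("DELETE FROM `UserGroups` WHERE `uid`='" . sql_escape($user_id) . "'");` before the existing return keeps the two deletions together. The docblock should also state what the caller gets back, e.g. `@return mixed result of sql_query, false on failure`, since user_delete_controller tests the return with `=== false`. Casting `$user_id` to `(int)` before building the query would be a cheap extra guard on top of sql_escape for an integer column.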
diff --git a/includes/pages/admin_user.php b/includes/pages/admin_user.php
index 6d327d7f..516bd1e4 100644
--- a/includes/pages/admin_user.php
+++ b/includes/pages/admin_user.php
@@ -113,9 +113,9 @@ function admin_user() {
$html .= "<hr />";
}
- $html .= "<form action=\"" . page_link_to("admin_user") . "&action=delete&id=" . $id . "\" method=\"post\">\n";
- $html .= "<input type=\"submit\" value=\"Löschen\">\n";
- $html .= "</form>";
+ $html .= buttons([
+ button(user_delete_link($user_source), glyph('lock') . _("delete"), 'btn-danger')
+ ]);
$html .= "<hr />";
} else {
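Review bot: The new button builds its target from `$user_source`, but the lines it replaces derived the id from `$id`, and whether `$user_source` is already loaded at this point in admin_user() lies outside the hunk — please confirm it is assigned before the delete button is rendered, otherwise `user_delete_link()` is called with an undefined variable. The enclosing admin_user() function starts and ends outside the hunk.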
@@ -156,25 +156,6 @@ function admin_user() {
}
break;
- case 'delete':
- if ($user['UID'] != $id) {
- $user_source = User($id);
- if ($user_source === false)
- engelsystem_error("Unable to load user.");
- if ($user_source == null) {
- error(_('This user does not exist.'));
- redirect(users_link());
- }
-
- sql_query("DELETE FROM `User` WHERE `UID`='" . sql_escape($id) . "' LIMIT 1");
- sql_query("DELETE FROM `UserGroups` WHERE `uid`='" . sql_escape($id) . "'");
- engelsystem_log("Deleted user " . User_Nick_render($user_source));
- $html .= success("Benutzer gelöscht!", true);
- } else {
- $html .= error("Du kannst Dich nicht selber löschen!", true);
- }
- break;
-
case 'save':
$force_active = $user['force_active'];
if (in_array('admin_active', $privileges))
diff --git a/includes/view/User_view.php b/includes/view/User_view.php
index e5ed7e0e..09668d6f 100644
--- a/includes/view/User_view.php
+++ b/includes/view/User_view.php
@@ -20,6 +20,23 @@ $tshirt_sizes = array(
);
/**
+ * Gui for deleting user with password field.
+ */
+function User_delete_view($user) {
+ return page_with_title(sprintf(_("Delete %s"), User_Nick_render($user)), [
+ msg(),
+ buttons([
+ button(user_edit_link($user), glyph('chevron-left') . _("back"))
+ ]),
+ error(_("Do you really want to delete the user including all his shifts and every other piece of his data?"), true),
+ form([
+ form_password('password', _("Your password")),
+ form_submit('submit', _("Delete"))
+ ])
+ ]);
+}
+
+/**
* View for editing the number of given vouchers
*/
function User_edit_vouchers_view($user) {
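Review bot: The docblock for User_delete_view does not document its parameter, unlike the `@param User $user` docblocks this commit adds in User_model.php and users_mailer.php; add `@param User $user the user that will be deleted` beneath the description and write "GUI" rather than "Gui". The form submitted here carries the admin's password, so it is worth confirming that `form()` emits `method="post"` (not visible from this hunk) so the password is never placed in a query string.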