From ef60b955555ea1d22da8494a34440c3fd2d8b190 Mon Sep 17 00:00:00 2001
From: Philip Häusler
Date: Wed, 30 Dec 2015 15:48:41 +0100
Subject: add a more secure way to delete users containing a password request
---
 includes/pages/admin_user.php | 25 +++---------------------
 1 file changed, 3 insertions(+), 22 deletions(-)
(limited to 'includes/pages')
diff --git a/includes/pages/admin_user.php b/includes/pages/admin_user.php
index 6d327d7f..516bd1e4 100644
--- a/includes/pages/admin_user.php
+++ b/includes/pages/admin_user.php
@@ -113,9 +113,9 @@ function admin_user() {
 $html .= "
";
 }
- $html .= "
\n";
- $html .= "\n";
- $html .= "
";
+ $html .= buttons([
+ button(user_delete_link($user_source), glyph('lock') . _("delete"), 'btn-danger')
+ ]);
 $html .= "
";
 } else {
@@ -156,25 +156,6 @@ function admin_user() {
 }
 break;
- case 'delete':
- if ($user['UID'] != $id) {
- $user_source = User($id);
- if ($user_source === false)
- engelsystem_error("Unable to load user.");
- if ($user_source == null) {
- error(_('This user does not exist.'));
- redirect(users_link());
- }
-
- sql_query("DELETE FROM `User` WHERE `UID`='" . sql_escape($id) . "' LIMIT 1");
- sql_query("DELETE FROM `UserGroups` WHERE `uid`='" . sql_escape($id) . "'");
- engelsystem_log("Deleted user " . User_Nick_render($user_source));
- $html .= success("Benutzer gelöscht!", true);
- } else {
- $html .= error("Du kannst Dich nicht selber löschen!", true);
- }
- break;
-
 case 'save':
 $force_active = $user['force_active'];
 if (in_array('admin_active', $privileges))
-- cgit v1.2.3-54-g00ecf
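Review bot: Nothing visible in this diff shows that the page behind `user_delete_link($user_source)` keeps the checks the removed `case 'delete'` branch enforced: the self-deletion guard (`$user['UID'] != $id`), the `UserGroups` cleanup and the `engelsystem_log` audit entry. The button added in the first hunk is only a link, so presumably the target page asks for the password as the subject says, but it is worth confirming that it deletes only on a POST that carries that password and never on the plain GET the button issues. A short comment above the `buttons([...])` call, e.g. `// Deletion (password check, self-delete guard, logging) is handled by the user delete page.`, would keep that dependency visible to the next reader. admin_user() starts and ends outside both hunks, so the surrounding privilege checks cannot be judged from here.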