add a more secure way to delete users containing a password request
This commit is contained in:
parent
1983db901b
commit
ef60b95555
@ -27,10 +27,65 @@ function users_controller() {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Delete a user, requires to enter own password for reasons.
|
||||||
|
*/
|
||||||
|
function user_delete_controller() {
|
||||||
|
global $privileges, $user;
|
||||||
|
|
||||||
|
if (isset($_REQUEST['user_id'])) {
|
||||||
|
$user_source = User($_REQUEST['user_id']);
|
||||||
|
} else
|
||||||
|
$user_source = $user;
|
||||||
|
|
||||||
|
if (! in_array('admin_user', $privileges))
|
||||||
|
redirect(page_link_to(''));
|
||||||
|
|
||||||
|
// You cannot delete yourself
|
||||||
|
if ($user['UID'] == $user_source['UID']) {
|
||||||
|
error(_("You cannot delete yourself."));
|
||||||
|
redirect(user_link($user));
|
||||||
|
}
|
||||||
|
|
||||||
|
if (isset($_REQUEST['submit'])) {
|
||||||
|
$ok = true;
|
||||||
|
|
||||||
|
if (! (isset($_REQUEST['password']) && verify_password($_REQUEST['password'], $user['Passwort'], $user['UID']))) {
|
||||||
|
$ok = false;
|
||||||
|
error(_("Your password is incorrect. Please try it again."));
|
||||||
|
}
|
||||||
|
|
||||||
|
if ($ok) {
|
||||||
|
$result = User_delete($user_source['UID']);
|
||||||
|
if ($result === false)
|
||||||
|
engelsystem_error('Unable to delete user.');
|
||||||
|
|
||||||
|
mail_user_delete($user_source);
|
||||||
|
success(_("User deleted."));
|
||||||
|
engelsystem_log(sprintf("Deleted %s", User_Nick_render($user_source)));
|
||||||
|
|
||||||
|
redirect(users_link());
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return array(
|
||||||
|
sprintf(_("Delete %s"), $user_source['Nick']),
|
||||||
|
User_delete_view($user_source)
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
function users_link() {
|
function users_link() {
|
||||||
return page_link_to('users');
|
return page_link_to('users');
|
||||||
}
|
}
|
||||||
|
|
||||||
|
function user_edit_link($user) {
|
||||||
|
return page_link_to('admin_user') . '&user_id=' . $user['UID'];
|
||||||
|
}
|
||||||
|
|
||||||
|
function user_delete_link($user) {
|
||||||
|
return page_link_to('users') . '&action=delete&user_id=' . $user['UID'];
|
||||||
|
}
|
||||||
|
|
||||||
function user_link($user) {
|
function user_link($user) {
|
||||||
return page_link_to('users') . '&action=view&user_id=' . $user['UID'];
|
return page_link_to('users') . '&action=view&user_id=' . $user['UID'];
|
||||||
}
|
}
|
||||||
|
|
|
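Review bot: The result of `User($_REQUEST['user_id'])` in user_delete_controller is used without being checked, while the `case 'delete':` branch this commit removes from admin_user tested it for `false` (`engelsystem_error("Unable to load user.")`) and for `null` (`error(_('This user does not exist.'))` followed by a redirect) before doing anything with it. With an unknown or malformed user_id the new code continues into `$user['UID'] == $user_source['UID']` on a null value and then offers the admin a password prompt for an account that does not exist. The lookup check should be restored directly after the `User()` call, ahead of the privilege and self-deletion checks, as sketched below. Separately, `in_array('admin_user', $privileges)` should pass `true` as its third argument so the comparison is strict, matching the other privilege checks in this style of code.
```php
if (isset($_REQUEST['user_id'])) {
    $user_source = User($_REQUEST['user_id']);
    if ($user_source === false)
        engelsystem_error("Unable to load user.");
    if ($user_source == null) {
        error(_('This user does not exist.'));
        redirect(users_link());
    }
} else
    $user_source = $user;
// … unchanged: privilege check, self-deletion check, password verification, deletion …
```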
@ -48,6 +48,7 @@ require_once realpath(__DIR__ . '/../includes/helper/error_helper.php');
|
||||||
require_once realpath(__DIR__ . '/../includes/helper/email_helper.php');
|
require_once realpath(__DIR__ . '/../includes/helper/email_helper.php');
|
||||||
|
|
||||||
require_once realpath(__DIR__ . '/../includes/mailer/shifts_mailer.php');
|
require_once realpath(__DIR__ . '/../includes/mailer/shifts_mailer.php');
|
||||||
|
require_once realpath(__DIR__ . '/../includes/mailer/users_mailer.php');
|
||||||
|
|
||||||
require_once realpath(__DIR__ . '/../config/config.default.php');
|
require_once realpath(__DIR__ . '/../config/config.default.php');
|
||||||
if (file_exists(realpath(__DIR__ . '/../config/config.php')))
|
if (file_exists(realpath(__DIR__ . '/../config/config.php')))
|
||||||
|
|
|
@ -0,0 +1,9 @@
|
||||||
|
<?php
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param User $user_source
|
||||||
|
*/
|
||||||
|
function mail_user_delete($user) {
|
||||||
|
engelsystem_email_to_user($user, '[engelsystem] ' . _("Your account has been deleted"), _("Your angelsystem account has been deleted. If you have any questions regarding your account deletion, please contact heaven."));
|
||||||
|
}
|
||||||
|
?>
|
|
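Review bot: The docblock on `mail_user_delete` says `@param User $user_source`, but the parameter is named `$user` and the callers index it as an array (`$user_source['UID']`, `$user_source['Nick']` in users_controller), so the annotation names a parameter and a type that do not exist here; it should read `@param array $user Row of the account that has just been deleted (the address must still be present in the array)` — exact type to confirm against what `User()` returns. The file also ends with a closing `?>`; for a file that only declares a function it should be dropped, so that any whitespace after it cannot be emitted as output before headers are sent. A one-line description above the tag, e.g. `Notify a user by e-mail that their account was deleted.`, would complete the header.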
@ -4,6 +4,15 @@
|
||||||
* User model
|
* User model
|
||||||
*/
|
*/
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Delete a user
|
||||||
|
*
|
||||||
|
* @param int $user_id
|
||||||
|
*/
|
||||||
|
function User_delete($user_id) {
|
||||||
|
return sql_query("DELETE FROM `User` WHERE `UID`='" . sql_escape($user_id) . "'");
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Update user.
|
* Update user.
|
||||||
*
|
*
|
||||||
|
|
|
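Review bot: `User_delete` removes only the `User` row, whereas the `case 'delete':` code this commit drops from admin_user also ran a `DELETE FROM UserGroups WHERE uid=...` for the same id; unless the schema cascades that delete (not visible here), the group memberships of a deleted user are now left behind and keep granting nothing to a row that no longer exists. The old `User` delete also carried `LIMIT 1`, a cheap guard on a column that should be unique. I would add, before the existing return, `sql_query("DELETE FROM UserGroups WHERE uid='" . sql_escape($user_id) . "'");` (with the identifier quoting used on the existing line) and append ` LIMIT 1` to the `User` statement. The docblock should also state the return value, since user_delete_controller tests it with `=== false`, e.g. `@return mixed result of sql_query(), false on failure` adjusted to sql_query's actual type.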
@ -113,9 +113,9 @@ function admin_user() {
|
||||||
$html .= "<hr />";
|
$html .= "<hr />";
|
||||||
}
|
}
|
||||||
|
|
||||||
$html .= "<form action=\"" . page_link_to("admin_user") . "&action=delete&id=" . $id . "\" method=\"post\">\n";
|
$html .= buttons([
|
||||||
$html .= "<input type=\"submit\" value=\"Löschen\">\n";
|
button(user_delete_link($user_source), glyph('lock') . _("delete"), 'btn-danger')
|
||||||
$html .= "</form>";
|
]);
|
||||||
|
|
||||||
$html .= "<hr />";
|
$html .= "<hr />";
|
||||||
} else {
|
} else {
|
||||||
|
@ -156,25 +156,6 @@ function admin_user() {
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
|
|
||||||
case 'delete':
|
|
||||||
if ($user['UID'] != $id) {
|
|
||||||
$user_source = User($id);
|
|
||||||
if ($user_source === false)
|
|
||||||
engelsystem_error("Unable to load user.");
|
|
||||||
if ($user_source == null) {
|
|
||||||
error(_('This user does not exist.'));
|
|
||||||
redirect(users_link());
|
|
||||||
}
|
|
||||||
|
|
||||||
sql_query("DELETE FROM `User` WHERE `UID`='" . sql_escape($id) . "' LIMIT 1");
|
|
||||||
sql_query("DELETE FROM `UserGroups` WHERE `uid`='" . sql_escape($id) . "'");
|
|
||||||
engelsystem_log("Deleted user " . User_Nick_render($user_source));
|
|
||||||
$html .= success("Benutzer gelöscht!", true);
|
|
||||||
} else {
|
|
||||||
$html .= error("Du kannst Dich nicht selber löschen!", true);
|
|
||||||
}
|
|
||||||
break;
|
|
||||||
|
|
||||||
case 'save':
|
case 'save':
|
||||||
$force_active = $user['force_active'];
|
$force_active = $user['force_active'];
|
||||||
if (in_array('admin_active', $privileges))
|
if (in_array('admin_active', $privileges))
|
||||||
|
|
|
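Review bot: The new button on the `$html .= buttons([` line calls `user_delete_link($user_source)`, whereas the form it replaces built its URL from `$id`; whether `$user_source` is populated in this branch of admin_user cannot be seen from the hunk, because the only assignment to it that this commit shows (`$user_source = User($id)`) lived inside the removed `case 'delete':` block. This should be confirmed against the code above the hunk, and if the loaded row is not in scope there, the link should be built from the id that is, for instance `button(user_edit_link(['UID' => $id]) ...)` is not right either, so the cleanest fix is to pass the row the edit form itself was rendered from. Moving the deletion out of this GET-reachable action into a page that requires a POST with the admin's password is an improvement; the `case 'delete':` removal means an `action=delete` request to admin_user now falls through to whatever the switch's default does, which is worth a quick check. admin_user's body continues outside both hunks.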
@ -19,6 +19,23 @@ $tshirt_sizes = array(
|
||||||
'XL-G' => "XL Girl"
|
'XL-G' => "XL Girl"
|
||||||
);
|
);
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Gui for deleting user with password field.
|
||||||
|
*/
|
||||||
|
function User_delete_view($user) {
|
||||||
|
return page_with_title(sprintf(_("Delete %s"), User_Nick_render($user)), [
|
||||||
|
msg(),
|
||||||
|
buttons([
|
||||||
|
button(user_edit_link($user), glyph('chevron-left') . _("back"))
|
||||||
|
]),
|
||||||
|
error(_("Do you really want to delete the user including all his shifts and every other piece of his data?"), true),
|
||||||
|
form([
|
||||||
|
form_password('password', _("Your password")),
|
||||||
|
form_submit('submit', _("Delete"))
|
||||||
|
])
|
||||||
|
]);
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* View for editing the number of given vouchers
|
* View for editing the number of given vouchers
|
||||||
*/
|
*/
|
||||||
|
|
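Review bot: `User_delete_view` has no parameter documentation, and the same page title `sprintf(_("Delete %s"), ...)` is composed twice, once here with `User_Nick_render($user)` and once in user_delete_controller with `$user_source['Nick']`, so the two can drift apart. I would extend the docblock to `@param array $user Row of the user to be deleted; its Nick is rendered in the heading` and `@return string Rendered page containing the confirmation warning and the password form`, and let the controller reuse the title built here or vice versa. The `form([...])` call gives no action, so the password is presumably posted back to the current `action=delete&user_id=` URL that user_delete_controller reads — worth confirming that `form()` defaults to the current request URL, since the controller only deletes when `submit` and `password` arrive together.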