PageRenderTime 27ms CodeModel.GetById 22ms RepoModel.GetById 0ms app.codeStats 0ms

/phpmyfaq/admin/ajax.user.php

http://github.com/thorsten/phpMyFAQ
PHP | 219 lines | 174 code | 29 blank | 16 comment | 29 complexity | 871a4cc1572a64afef5f0202b8529019 MD5 | raw file
Possible License(s): MPL-2.0-no-copyleft-exception, LGPL-2.1, LGPL-3.0 
    

  1. <?php
    2. 

  2. 

  3. /**
    4. 

  4.  * AJAX: handling of Ajax user calls.
    5. 

  5.  *
    6. 

  6.  * This Source Code Form is subject to the terms of the Mozilla Public License,
    7. 

  7.  * v. 2.0. If a copy of the MPL was not distributed with this file, You can
    8. 

  8.  * obtain one at http://mozilla.org/MPL/2.0/.
    9. 

  9.  *
    10. 

  10.  * @package phpMyFAQ
    11. 

  11.  * @author Thorsten Rinne <thorsten@phpmyfaq.de>
    12. 

  12.  * @copyright 2009-2021 phpMyFAQ Team
    13. 

  13.  * @license http://www.mozilla.org/MPL/2.0/ Mozilla Public License Version 2.0
    14. 

  14.  * @link https://www.phpmyfaq.de
    15. 

  15.  * @since 2009-04-04
    16. 

  16.  */
    17. 

  17. 

  18. use phpMyFAQ\Auth;
    19. 

  19. use phpMyFAQ\Category;
    20. 

  20. use phpMyFAQ\Filter;
    21. 

  21. use phpMyFAQ\Helper\HttpHelper;
    22. 

  22. use phpMyFAQ\Helper\MailHelper;
    23. 

  23. use phpMyFAQ\Permission;
    24. 

  24. use phpMyFAQ\User;
    25. 

  25. 

  26. if (!defined('IS_VALID_PHPMYFAQ')) {
    27. 

  27.     http_response_code(400);
    28. 

  28.     exit();
    29. 

  29. }
    30. 

  30. 

  31. $ajaxAction = Filter::filterInput(INPUT_GET, 'ajaxaction', FILTER_UNSAFE_RAW);
    32. 

  32. $userId = Filter::filterInput(INPUT_GET, 'user_id', FILTER_VALIDATE_INT);
    33. 

  33. $userSearch = Filter::filterInput(INPUT_GET, 'q', FILTER_UNSAFE_RAW);
    34. 

  34. $csrfToken = Filter::filterInput(INPUT_GET, 'csrf', FILTER_UNSAFE_RAW);
    35. 

  35. 

  36. // Send headers
    37. 

  37. $http = new HttpHelper();
    38. 

  38. $http->setContentType('application/json');
    39. 

  39. $http->addHeader();
    40. 

  40. 

  41. if (
    42. 

  42.     $user->perm->hasPermission($user->getUserId(), 'add_user') ||
    43. 

  43.     $user->perm->hasPermission($user->getUserId(), 'edit_user') ||
    44. 

  44.     $user->perm->hasPermission($user->getUserId(), 'delete_user')
    45. 

  45. ) {
    46. 

  46.     $user = new User($faqConfig);
    47. 

  47. 

  48.     switch ($ajaxAction) {
    49. 

  49.         case 'get_user_list':
    50. 

  50.             $allUsers = [];
    51. 

  51.             foreach ($user->searchUsers($userSearch) as $singleUser) {
    52. 

  52.                 $users = new \stdClass();
    53. 

  53.                 $users->user_id = (int)$singleUser['user_id'];
    54. 

  54.                 $users->name = $singleUser['login'];
    55. 

  55.                 $allUsers[] = $users;
    56. 

  56.             }
    57. 

  57.             $http->sendJsonWithHeaders($allUsers);
    58. 

  58.             break;
    59. 

  59. 

  60.         case 'get_user_data':
    61. 

  61.             $user->getUserById($userId, true);
    62. 

  62.             $userdata = [];
    63. 

  63.             $userdata = $user->userdata->get('*');
    64. 

  64.             $userdata['status'] = $user->getStatus();
    65. 

  65.             $userdata['login'] = $user->getLogin();
    66. 

  66.             $userdata['is_superadmin'] = $user->isSuperAdmin();
    67. 

  67.             $http->sendJsonWithHeaders($userdata);
    68. 

  68.             break;
    69. 

  69. 

  70.         case 'get_all_user_data':
    71. 

  71.             $allUsers = $user->getAllUsers(false);
    72. 

  72.             $userData = [];
    73. 

  73.             foreach ($allUsers as $userId) {
    74. 

  74.                 $user->getUserById($userId, true);
    75. 

  75.                 $userObject = new \stdClass();
    76. 

  76.                 $userObject->id = $user->getUserId();
    77. 

  77.                 $userObject->status = $user->getStatus();
    78. 

  78.                 $userObject->isSuperAdmin = $user->isSuperAdmin();
    79. 

  79.                 $userObject->isVisible = $user->getUserData('is_visible');
    80. 

  80.                 $userObject->displayName = $user->getUserData('display_name');
    81. 

  81.                 $userObject->userName = $user->getLogin();
    82. 

  82.                 $userObject->email = $user->getUserData('email');
    83. 

  83.                 $userData[] = $userObject;
    84. 

  84.             }
    85. 

  85.             $http->setStatus(200);
    86. 

  86.             $http->sendJsonWithHeaders($userData);
    87. 

  87.             break;
    88. 

  88. 

  89.         case 'get_user_rights':
    90. 

  90.             $user->getUserById($userId, true);
    91. 

  91.             $http->sendJsonWithHeaders($user->perm->getUserRights($userId));
    92. 

  92.             break;
    93. 

  93. 

  94.         case 'activate_user':
    95. 

  95.             if (!isset($_SESSION['phpmyfaq_csrf_token']) || $_SESSION['phpmyfaq_csrf_token'] !== $csrfToken) {
    96. 

  96.                 $http->setStatus(400);
    97. 

  97.                 $http->sendJsonWithHeaders(['error' => $PMF_LANG['err_NotAuth']]);
    98. 

  98.                 exit(1);
    99. 

  99.             }
    100. 

  100. 

  101.             $user->getUserById($userId, true);
    102. 

  102.             $user->activateUser();
    103. 

  103.             $http->sendJsonWithHeaders($user->getStatus());
    104. 

  104.             break;
    105. 

  105. 

  106.         case 'add_user':
    107. 

  107.             if (!isset($_SESSION['phpmyfaq_csrf_token']) || $_SESSION['phpmyfaq_csrf_token'] !== $csrfToken) {
    108. 

  108.                 $http->setStatus(400);
    109. 

  109.                 $http->sendJsonWithHeaders(['error' => $PMF_LANG['err_NotAuth']]);
    110. 

  110.                 exit(1);
    111. 

  111.             }
    112. 

  112. 

  113.             $errorMessage = [];
    114. 

  114.             $successMessage = '';
    115. 

  115. 

  116.             $postData = json_decode(file_get_contents('php://input'), true);
    117. 

  117. 

  118.             $userName = Filter::filterVar($postData['userName'], FILTER_UNSAFE_RAW);
    119. 

  119.             $userRealName = Filter::filterVar($postData['realName'], FILTER_UNSAFE_RAW);
    120. 

  120.             $userEmail = Filter::filterVar($postData['email'], FILTER_VALIDATE_EMAIL);
    121. 

  121.             $userPassword = Filter::filterVar($postData['password'], FILTER_UNSAFE_RAW);
    122. 

  122.             $userPasswordConfirm = Filter::filterVar($postData['passwordConfirm'], FILTER_UNSAFE_RAW);
    123. 

  123.             $userIsSuperAdmin = Filter::filterVar($postData['isSuperAdmin'], FILTER_VALIDATE_BOOLEAN);
    124. 

  124. 

  125.             $newUser = new User($faqConfig);
    126. 

  126. 

  127.             if (!$newUser->isValidLogin($userName)) {
    128. 

  128.                 $errorMessage[] = $PMF_LANG['ad_user_error_loginInvalid'];
    129. 

  129.             }
    130. 

  130.             if ($newUser->getUserByLogin($userName)) {
    131. 

  131.                 $errorMessage[] = $PMF_LANG['ad_adus_exerr'];
    132. 

  132.             }
    133. 

  133.             if ($userRealName === '') {
    134. 

  134.                 $errorMessage[] = $PMF_LANG['ad_user_error_noRealName'];
    135. 

  135.             }
    136. 

  136.             if (is_null($userEmail)) {
    137. 

  137.                 $errorMessage[] = $PMF_LANG['ad_user_error_noEmail'];
    138. 

  138.             }
    139. 

  139.             if (count($errorMessage) === 0) {
    140. 

  140.                 if (!$newUser->createUser($userName, $userPassword)) {
    141. 

  141.                     $errorMessage[] = $newUser->error();
    142. 

  142.                 } else {
    143. 

  143.                     $newUser->userdata->set(['display_name', 'email', 'is_visible'], [$userRealName, $userEmail, 0]);
    144. 

  144.                     $newUser->setStatus('active');
    145. 

  145.                     $newUser->setSuperAdmin($userIsSuperAdmin);
    146. 

  146.                     $mailHelper = new MailHelper($faqConfig);
    147. 

  147.                     $mailHelper->sendMailToNewUser($newUser, $userPassword);
    148. 

  148.                     $successMessage = [ 'data' => $PMF_LANG['ad_adus_suc'] ];
    149. 

  149.                 }
    150. 

  150. 

  151.                 $http->setStatus(201);
    152. 

  152.                 $http->sendJsonWithHeaders($successMessage);
    153. 

  153.                 exit(1);
    154. 

  154.             }
    155. 

  155. 

  156.             $http->setStatus(400);
    157. 

  157.             $http->sendJsonWithHeaders($errorMessage);
    158. 

  158.             break;
    159. 

  159. 

  160.         case 'delete_user':
    161. 

  161.             if (!isset($_SESSION['phpmyfaq_csrf_token']) || $_SESSION['phpmyfaq_csrf_token'] !== $csrfToken) {
    162. 

  162.                 $http->setStatus(400);
    163. 

  163.                 $http->sendJsonWithHeaders(['error' => $PMF_LANG['err_NotAuth']]);
    164. 

  164.                 exit(1);
    165. 

  165.             }
    166. 

  166. 

  167.             $user->getUserById($userId, true);
    168. 

  168.             if ($user->getStatus() == 'protected' || $userId == 1) {
    169. 

  169.                 $message = '<p class="alert alert-error">' . $PMF_LANG['ad_user_error_protectedAccount'] . '</p>';
    170. 

  170.             } else {
    171. 

  171.                 if (!$user->deleteUser()) {
    172. 

  172.                     $message = $PMF_LANG['ad_user_error_delete'];
    173. 

  173.                 } else {
    174. 

  174.                     $category = new Category($faqConfig, [], false);
    175. 

  175.                     $category->moveOwnership((int) $userId, 1);
    176. 

  176. 

  177.                     // Remove the user from groups
    178. 

  178.                     if ('basic' !== $faqConfig->get('security.permLevel')) {
    179. 

  179.                         $permissions = Permission::selectPerm('medium', $faqConfig);
    180. 

  180.                         $permissions->removeFromAllGroups($userId);
    181. 

  181.                     }
    182. 

  182. 

  183.                     $message = '<p class="alert alert-success">' . $PMF_LANG['ad_user_deleted'] . '</p>';
    184. 

  184.                 }
    185. 

  185.             }
    186. 

  186.             $http->sendJsonWithHeaders($message);
    187. 

  187.             break;
    188. 

  188. 

  189.         case 'overwrite_password':
    190. 

  190.             if (!isset($_SESSION['phpmyfaq_csrf_token']) || $_SESSION['phpmyfaq_csrf_token'] !== $csrfToken) {
    191. 

  191.                 $http->setStatus(400);
    192. 

  192.                 $http->sendJsonWithHeaders(['error' => $PMF_LANG['err_NotAuth']]);
    193. 

  193.                 exit(1);
    194. 

  194.             }
    195. 

  195. 

  196.             $userId = Filter::filterInput(INPUT_POST, 'user_id', FILTER_VALIDATE_INT);
    197. 

  197.             $csrfToken = Filter::filterInput(INPUT_POST, 'csrf', FILTER_UNSAFE_RAW);
    198. 

  198.             $newPassword = Filter::filterInput(INPUT_POST, 'npass', FILTER_UNSAFE_RAW);
    199. 

  199.             $retypedPassword = Filter::filterInput(INPUT_POST, 'bpass', FILTER_UNSAFE_RAW);
    200. 

  200. 

  201.             $user->getUserById($userId, true);
    202. 

  202.             $auth = new Auth($faqConfig);
    203. 

  203.             $authSource = $auth->selectAuth($user->getAuthSource('name'));
    204. 

  204.             $authSource->selectEncType($user->getAuthData('encType'));
    205. 

  205. 

  206.             if ($newPassword === $retypedPassword) {
    207. 

  207.                 if (!$user->changePassword($newPassword)) {
    208. 

  208.                     $http->setStatus(400);
    209. 

  209.                     $http->sendJsonWithHeaders(['error' => $PMF_LANG['ad_passwd_fail']]);
    210. 

  210.                 }
    211. 

  211.                 $http->sendJsonWithHeaders(['success' => $PMF_LANG['ad_passwdsuc']]);
    212. 

  212.             } else {
    213. 

  213.                 $http->setStatus(400);
    214. 

  214.                 $http->sendJsonWithHeaders(['error' => $PMF_LANG['ad_passwd_fail']]);
    215. 

  215.             }
    216. 

  216. 

  217.             break;
    218. 

  218.     }
    219. 

  219. }
    220. 

  220.