From f73a41753d2608187a0c85a28e419b8ea839d671 Mon Sep 17 00:00:00 2001 From: Simon Rettberg Date: Fri, 23 Feb 2018 15:26:17 +0100 Subject: [adduser] Extend module to simple user manager (add/edit/remove) TODO: Assign roles --- modules-available/adduser/page.inc.php | 198 +++++++++++++++++++++++++++------ 1 file changed, 162 insertions(+), 36 deletions(-) (limited to 'modules-available/adduser/page.inc.php') diff --git a/modules-available/adduser/page.inc.php b/modules-available/adduser/page.inc.php index 87aaeef1..a4edcf59 100644 --- a/modules-available/adduser/page.inc.php +++ b/modules-available/adduser/page.inc.php @@ -7,51 +7,177 @@ class Page_AddUser extends Page { User::load(); - if (isset($_POST['action']) && $_POST['action'] === 'adduser') { - // Check required fields - if (empty($_POST['user']) || empty($_POST['pass1']) || empty($_POST['pass2']) || empty($_POST['fullname'])) { - Message::addError('main.empty-field'); - Util::redirect('?do=AddUser'); - } elseif ($_POST['pass1'] !== $_POST['pass2']) { - Message::addError('password-mismatch'); - Util::redirect('?do=AddUser'); - } elseif (!User::hasPermission('superadmin') && Database::queryFirst('SELECT userid FROM user LIMIT 1') !== false) { - Message::addError('adduser-disabled'); - Util::redirect('?do=Session&action=login'); + $action = Request::post(('action'), false, 'string'); + + if ($action === 'adduser') { + $this->addUser(); + } elseif ($action === 'edituser') { + $this->editUser(); + } elseif ($action === 'deleteuser') { + $this->deleteUser(); + } + if (Request::isPost()) { + Util::redirect('?do=adduser'); + } + } + + private function addUser() + { + // Check required fields + $login = Request::post('login', '', 'string'); + $pass1 = Request::post('pass1', '', 'string'); + $pass2 = Request::post('pass2', '', 'string'); + $fullname = Request::post('fullname', '', 'string'); + $phone = Request::post('phone', '', 'string'); + $email = Request::post('email', '', 'string'); + if (empty($login) || empty($pass1) || empty($pass2) || empty($fullname)) { + Message::addError('main.empty-field'); + return; + } elseif ($pass1 !== $pass2) { + Message::addError('password-mismatch'); + return; + } else { + if (Database::queryFirst('SELECT userid FROM user LIMIT 1') !== false) { + User::assertPermission('user.add'); + } + $data = array( + 'login' => $login, + 'pass' => Crypto::hash6($pass1), + 'fullname' => $fullname, + 'phone' => $phone, + 'email' => $email, + ); + Database::exec('INSERT INTO user SET login = :login, passwd = :pass, fullname = :fullname, phone = :phone, email = :email', $data); + $id = Database::lastInsertId(); + // Make it superadmin if first user. This method sucks as it's a race condition but hey... + $ret = Database::queryFirst('SELECT Count(*) AS num FROM user'); + if ($ret !== false && $ret['num'] == 1) { + $ret = Database::exec('UPDATE user SET permissions = 1, userid = 1 WHERE userid = :id', ['id' => $id], true); + if ($ret !== false) { + EventLog::clear(); + } + EventLog::info('Created first user ' . $login); + } else { + EventLog::info(User::getName() . ' created user ' . $login); + } + Message::addInfo('adduser-success'); + return; + } + } + + private function editUser() + { + User::assertPermission('user.edit'); + $userid = Request::post('userid', false, 'int'); + if ($userid === false) { + Message::addError('main.parameter-missing', 'userid'); + return; + } + $user = Database::queryFirst('SELECT userid, login, fullname, phone, email + FROM user WHERE userid = :userid', compact('userid')); + if ($user === false) { + Message::addError('user-not-found', $userid); + return; + } + // Check required fields + $login = Request::post('login', '', 'string'); + $pass1 = Request::post('pass1', '', 'string'); + $pass2 = Request::post('pass2', '', 'string'); + $fullname = Request::post('fullname', '', 'string'); + $phone = Request::post('phone', '', 'string'); + $email = Request::post('email', '', 'string'); + if (empty($login) || empty($fullname)) { + Message::addError('main.empty-field'); + } elseif (!(empty($pass1) && empty($pass2)) && $pass1 !== $pass2) { + Message::addError('password-mismatch'); + } else { + $data = array( + 'login' => $login, + 'fullname' => $fullname, + 'phone' => $phone, + 'email' => $email, + 'userid' => $userid, + ); + $ret = Database::exec('UPDATE user SET login = :login, fullname = :fullname, phone = :phone, email = :email WHERE userid = :userid', $data, true); + if ($ret === false) { + Message::addError('db-error', Database::lastError()); } else { - $data = array( - 'user' => $_POST['user'], - 'pass' => Crypto::hash6($_POST['pass1']), - 'fullname' => $_POST['fullname'], - 'phone' => $_POST['phone'], - 'email' => $_POST['email'], - ); - if (Database::exec('INSERT INTO user SET login = :user, passwd = :pass, fullname = :fullname, phone = :phone, email = :email', $data) != 1) { - Util::traceError('Could not create new user in DB'); + if ($ret > 0) { + Message::addSuccess('user-edited'); } - // Make it superadmin if first user. This method sucks as it's a race condition but hey... - $ret = Database::queryFirst('SELECT Count(*) AS num FROM user'); - if ($ret !== false && $ret['num'] == 1) { - Database::exec('UPDATE user SET permissions = 1'); - EventLog::clear(); - EventLog::info('Created first user ' . $_POST['user']); - } else { - EventLog::info(User::getName() . ' created user ' . $_POST['user']); + if (!empty($pass1)) { + $data = [ + 'pass' => Crypto::hash6($pass1), + 'userid' => $userid, + ]; + Database::exec('UPDATE user SET passwd = :pass WHERE userid = :userid', $data); + Message::addSuccess('password-changed'); } - Message::addInfo('adduser-success'); - Util::redirect('?do=Session&action=login'); } } + Util::redirect('?do=adduser&show=edituser&userid=' . $userid); + } + + private function deleteUser() + { + User::assertPermission('user.remove'); + $userid = Request::post('userid', false, 'int'); + if ($userid === false) { + Message::addError('main.parameter-missing', 'userid'); + return; + } + //\\ + $user = Database::queryFirst('SELECT userid, login, fullname, phone, email + FROM user WHERE userid = :userid', compact('userid')); + if ($user === false) { + Message::addError('user-not-found', $userid); + return; + } + if ($user['userid'] == 1 || $user['userid'] == User::getId()) { + Message::addError('cannot-delete-1-self'); + return; + } + Database::exec('DELETE FROM user WHERE userid = :userid', compact('userid')); + Message::addSuccess('user-deleted', $userid); } protected function doRender() { - // No user was added, check if current user is allowed to add a new user - // Currently you can only add users if there is no user yet. :) - if (!User::hasPermission('superadmin') && Database::queryFirst('SELECT userid FROM user LIMIT 1') !== false) { - Message::addError('adduser-disabled'); - } else { - Render::addTemplate('page-adduser', $_POST); + Render::addTemplate('header'); + $hasUsers = (Database::queryFirst('SELECT userid FROM user LIMIT 1') !== false); + $show = Request::get('show', ($hasUsers ? 'list' : 'adduser'), 'string'); + if ($show === 'adduser') { + // Can add user if: - no user exists yet; - user has explicit permission to add users + if ($hasUsers) { + User::assertPermission('user.add'); + } + Render::addTemplate('page-adduser'); + } elseif ($show === 'edituser') { + User::assertPermission('user.edit'); + $userid = Request::get('userid', false, 'int'); + if ($userid === false) { + Message::addError('main.parameter-missing', 'userid'); + Util::redirect('?do=adduser&show=list'); + } + $user = Database::queryFirst('SELECT userid, login, fullname, phone, email + FROM user WHERE userid = :userid', compact('userid')); + if ($user === false) { + Message::addError('user-not-found', $userid); + } else { + // TODO: LDAP -> disallow pw change, maybe other fields too? + Render::addTemplate('page-edituser', $user); + } + } elseif ($show === 'list') { + User::assertPermission('list.view'); + $page = new Paginate('SELECT userid, login, fullname, phone, email FROM user ORDER BY login', 50); + $data = ['list' => $page->exec()->fetchAll(PDO::FETCH_ASSOC)]; + foreach ($data['list'] as &$u) { + // Don't allow deleting user 1 and self + $u['hide_delete'] = $u['userid'] == 1 || $u['userid'] == User::getId(); + } + unset($u); + Permission::addGlobalTags($data['perms'], null, ['user.add', 'user.edit', 'user.remove']); + $page->render('page-userlist', $data); } } -- cgit v1.2.3-55-g7522 From 00851bd25e57938a79356d2efb36c2bea1697760 Mon Sep 17 00:00:00 2001 From: Simon Rettberg Date: Fri, 23 Feb 2018 18:41:49 +0100 Subject: [adduser] Support setting user's roles on add/edit --- modules-available/adduser/page.inc.php | 33 ++++++ .../adduser/templates/page-adduser.html | 74 +++++++------ .../adduser/templates/page-edituser.html | 120 ++++++++++----------- .../adduser/templates/user-permissions.html | 24 +++++ .../inc/permissiondbupdate.inc.php | 28 ++++- .../permissionmanager/inc/permissionutil.inc.php | 23 ++++ 6 files changed, 198 insertions(+), 104 deletions(-) create mode 100644 modules-available/adduser/templates/user-permissions.html (limited to 'modules-available/adduser/page.inc.php') diff --git a/modules-available/adduser/page.inc.php b/modules-available/adduser/page.inc.php index a4edcf59..d1615828 100644 --- a/modules-available/adduser/page.inc.php +++ b/modules-available/adduser/page.inc.php @@ -61,6 +61,7 @@ class Page_AddUser extends Page EventLog::info(User::getName() . ' created user ' . $login); } Message::addInfo('adduser-success'); + $this->saveRoles($id); return; } } @@ -113,6 +114,7 @@ class Page_AddUser extends Page Database::exec('UPDATE user SET passwd = :pass WHERE userid = :userid', $data); Message::addSuccess('password-changed'); } + $this->saveRoles($userid); } } Util::redirect('?do=adduser&show=edituser&userid=' . $userid); @@ -141,6 +143,19 @@ class Page_AddUser extends Page Message::addSuccess('user-deleted', $userid); } + private function saveRoles($userid) + { + if (!Module::isAvailable('permissionmanager')) + return; + if (!User::hasPermission('.permissionmanager.users.edit-roles')) + return; + $roles = Request::post('roles', [], 'array'); + $ret = PermissionDbUpdate::setRolesForUser([$userid], $roles); + if ($ret > 0) { + Message::addSuccess('roles-updated'); + } + } + protected function doRender() { Render::addTemplate('header'); @@ -151,7 +166,12 @@ class Page_AddUser extends Page if ($hasUsers) { User::assertPermission('user.add'); } + Render::openTag('form', ['class' => 'form-adduser', 'action' => '?do=adduser', 'method' => 'post']); Render::addTemplate('page-adduser'); + if ($hasUsers) { + $this->showPermissions(); + } + Render::closeTag('form'); } elseif ($show === 'edituser') { User::assertPermission('user.edit'); $userid = Request::get('userid', false, 'int'); @@ -165,7 +185,10 @@ class Page_AddUser extends Page Message::addError('user-not-found', $userid); } else { // TODO: LDAP -> disallow pw change, maybe other fields too? + Render::openTag('form', ['class' => 'form-adduser', 'action' => '?do=adduser', 'method' => 'post']); Render::addTemplate('page-edituser', $user); + $this->showPermissions($userid); + Render::closeTag('form'); } } elseif ($show === 'list') { User::assertPermission('list.view'); @@ -181,4 +204,14 @@ class Page_AddUser extends Page } } + private function showPermissions($userid = false) + { + if (!Module::isAvailable('permissionmanager')) + return; + if (!User::hasPermission('.permissionmanager.users.edit-roles')) + return; + $data = ['roles' => PermissionUtil::getRoles($userid, false)]; + Render::addTemplate('user-permissions', $data); + } + } diff --git a/modules-available/adduser/templates/page-adduser.html b/modules-available/adduser/templates/page-adduser.html index 58d705f8..bd16dbbf 100644 --- a/modules-available/adduser/templates/page-adduser.html +++ b/modules-available/adduser/templates/page-adduser.html @@ -1,39 +1,37 @@ -