Pro-Idler/ManagePanel
1
0
Fork 0
forked from Business/ManagePanel
Code Issues Pull Requests Projects Releases Wiki Activity

User list and user editor/adder now working.

Browse Source
This commit is contained in:
Skylar Ittner 2017-05-26 00:09:42 -06:00
parent 2f9cff273b
commit 4b6fcd8f7c
13 changed files with 273 additions and 27 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

47
action.php
View File

@ -3,11 +3,15 @@
/** /**
* Make things happen when buttons are pressed and forms submitted. * Make things happen when buttons are pressed and forms submitted.
*/ */
require_once __DIR__ . "/required.php"; require_once __DIR__ . "/required.php";
require_once __DIR__ . "/lib/login.php";
dieifnotloggedin(); dieifnotloggedin();
if (account_has_permission($_SESSION['username'], "ADMIN") == FALSE) {
die("You don't have permission to be here.");
}
/** /**
* Redirects back to the page ID in $_POST/$_GET['source'] with the given message ID. * Redirects back to the page ID in $_POST/$_GET['source'] with the given message ID.
* The message will be displayed by the app. * The message will be displayed by the app.
@ -25,8 +29,49 @@ function returnToSender($msg, $arg = "") {
} }
switch ($VARS['action']) { switch ($VARS['action']) {
case "edituser":
if (is_empty($VARS['id'])) {
$insert = true;
} else {
if ($database->has('accounts', ['uid' => $VARS['id']])) {
$insert = false;
} else {
returnToSender("invalid_userid");
}
}
if (is_empty($VARS['name']) || is_empty($VARS['username']) || is_empty($VARS['status'])) {
returnToSender('invalid_parameters');
}
if (!$database->has('acctstatus', ['statusid' => $VARS['status']])) {
returnToSender("invalid_parameters");
}
$data = [
'realname' => $VARS['name'],
'username' => $VARS['username'],
'email' => $VARS['email'],
'acctstatus' => $VARS['status']
];
if (!is_empty($VARS['pass'])) {
$data['password'] = password_hash($VARS['pass'], PASSWORD_BCRYPT);
}
if ($insert) {
$data['phone1'] = "";
$data['phone2'] = "";
$data['accttype'] = 1;
$database->insert('accounts', $data);
} else {
$database->update('accounts', $data, ['uid' => $VARS['id']]);
}
returnToSender("user_saved");
case "signout": case "signout":
session_destroy(); session_destroy();
header('Location: index.php'); header('Location: index.php');
die("Logged out."); die("Logged out.");
default:
die("Invalid action");
} }

2
api.php
View File

@ -14,7 +14,7 @@ header("Content-Type: application/json");
$username = $VARS['username']; $username = $VARS['username'];
$password = $VARS['password']; $password = $VARS['password'];
if (user_exists($username) !== true || authenticate_user($username, $password, $errmsg) !== true) { if (user_exists($username) !== true || authenticate_user($username, $password, $errmsg) !== true || account_has_permission($username, "ADMIN") !== true) {
header("HTTP/1.1 403 Unauthorized"); header("HTTP/1.1 403 Unauthorized");
die("\"403 Unauthorized\""); die("\"403 Unauthorized\"");
} }

5
app.php
View File

@ -1,10 +1,7 @@
<?php <?php
require_once __DIR__ . "/required.php"; require_once __DIR__ . "/required.php";
if ($_SESSION['loggedin'] != true) { redirectIfNotLoggedIn();
header('Location: index.php');
die("Session expired. Log in again to continue.");
}
require_once __DIR__ . "/pages.php"; require_once __DIR__ . "/pages.php";

6
index.php
View File

@ -4,7 +4,7 @@ require_once __DIR__ . "/required.php";
require_once __DIR__ . "/lib/login.php"; require_once __DIR__ . "/lib/login.php";
// if we're logged in, we don't need to be here. // if we're logged in, we don't need to be here.
if ($_SESSION['loggedin']) { if ($_SESSION['loggedin'] && account_has_permission($_SESSION['username'], "ADMIN")) {
header('Location: app.php'); header('Location: app.php');
} }
@ -34,6 +34,9 @@ if (checkLoginServer()) {
break; break;
} }
if ($userpass_ok) { if ($userpass_ok) {
if (account_has_permission($VARS['username'], "ADMIN") == FALSE) {
$alert = lang("no admin permission", false);
} else {
$_SESSION['passok'] = true; // stop logins using only username and authcode $_SESSION['passok'] = true; // stop logins using only username and authcode
if (userHasTOTP($VARS['username'])) { if (userHasTOTP($VARS['username'])) {
$multiauth = true; $multiauth = true;
@ -43,6 +46,7 @@ if (checkLoginServer()) {
die("Logged in, go to app.php"); die("Logged in, go to app.php");
} }
} }
}
} else { } else {
if (!is_empty($errmsg)) { if (!is_empty($errmsg)) {
$alert = lang2("login server error", ['arg' => $errmsg], false); $alert = lang2("login server error", ['arg' => $errmsg], false);

13
lang/en_us.php
View File

@ -9,6 +9,7 @@ define("STRINGS", [
"2fa prompt" => "Enter the six-digit code from your mobile authenticator app.", "2fa prompt" => "Enter the six-digit code from your mobile authenticator app.",
"2fa incorrect" => "Authentication code incorrect.", "2fa incorrect" => "Authentication code incorrect.",
"login incorrect" => "Login incorrect.", "login incorrect" => "Login incorrect.",
"no admin permission" => "You do not have permission to access this system.",
"login server unavailable" => "Login server unavailable. Try again later or contact technical support.", "login server unavailable" => "Login server unavailable. Try again later or contact technical support.",
"account locked" => "This account has been disabled. Contact technical support.", "account locked" => "This account has been disabled. Contact technical support.",
"password expired" => "You must change your password before continuing.", "password expired" => "You must change your password before continuing.",
@ -35,5 +36,15 @@ define("STRINGS", [
"total users" => "Total Users", "total users" => "Total Users",
"view users" => "View Users", "view users" => "View Users",
"normal accounts" => "Normal Accounts", "normal accounts" => "Normal Accounts",
"locked accounts" => "Locked Accounts" "locked accounts" => "Locked Accounts",
"editing user" => "Editing {user}",
"invalid userid" => "Invalid user ID.",
"user saved" => "User saved.",
"adding user" => "Adding new user",
"placeholder name" => "John Doe",
"placeholder username" => "jdoe",
"placeholder email address" => "jdoe@example.com",
"placeholder password" => "swordfish",
"new password" => "New Password",
"non-local account warning" => "This account is not locally managed. Changes made here will not synchronize to the directory server and some attributes cannot be edited."
]); ]);

8
lang/messages.php
View File

@ -12,5 +12,13 @@ define("MESSAGES", [
"404_error" => [ "404_error" => [
"string" => "page not found", "string" => "page not found",
"type" => "info" "type" => "info"
],
"invalid_userid" => [
"string" => "invalid userid",
"type" => "danger"
],
"user_saved" => [
"string" => "user saved",
"type" => "success"
] ]
]); ]);

31
lib/login.php
View File

@ -157,6 +157,37 @@ function get_account_status($username) {
} }
} }
/**
* Check if the given username has the given permission (or admin access)
* @param string $username
* @param string $permcode
* @return boolean TRUE if the user has the permission (or admin access), else FALSE
*/
function account_has_permission($username, $permcode) {
$client = new GuzzleHttp\Client();
$response = $client
->request('POST', PORTAL_API, [
'form_params' => [
'key' => PORTAL_KEY,
'action' => "permission",
'username' => $username,
'code' => $permcode
]
]);
if ($response->getStatusCode() > 299) {
sendError("Login server error: " . $response->getBody());
}
$resp = json_decode($response->getBody(), TRUE);
if ($resp['status'] == "OK") {
return $resp['has_permission'];
} else {
return false;
}
}
//////////////////////////////////////////////////////////////////////////////// ////////////////////////////////////////////////////////////////////////////////
// Login handling // // Login handling //
//////////////////////////////////////////////////////////////////////////////// ////////////////////////////////////////////////////////////////////////////////

7
pages.php
View File

@ -20,6 +20,13 @@ define("PAGES", [
"static/js/users.js" "static/js/users.js"
], ],
], ],
"edituser" => [
"title" => "edit user",
"navbar" => false,
"scripts" => [
"static/js/edituser.js"
]
],
"404" => [ "404" => [
"title" => "404 error" "title" => "404 error"
] ]

136
pages/edituser.php Normal file
View File

@ -0,0 +1,136 @@
<?php
require_once __DIR__ . '/../required.php';
require_once __DIR__ . "/../lib/login.php";
require_once __DIR__ . "/../lib/userinfo.php";
redirectifnotloggedin();
$userdata = [
'uid' => '',
'username' => '',
'realname' => '',
'email' => '',
'acctstatus' => '',
'typecode' => 'LOCAL'
];
$editing = false;
if (!is_empty($VARS['id'])) {
if ($database->has('accounts', ['uid' => $VARS['id']])) {
$editing = true;
$userdata = $database->select('accounts', ['[>]accttypes' => ['accttype' => 'typeid']], [
'uid',
'username',
'realname',
'email',
'acctstatus',
'typecode'
], [
'uid' => $VARS['id']
])[0];
} else {
// user id is invalid, redirect to a page that won't cause an error when pressing Save
header('Location: app.php?page=edituser');
}
}
if ($userdata['typecode'] != "LOCAL") {
$localacct = false;
} else {
$localacct = true;
}
?>
<form role="form" action="action.php" method="POST">
<div class="panel panel-blue">
<div class="panel-heading">
<h3 class="panel-title">
<?php
if ($editing) {
?>
<i class="fa fa-pencil-square-o"></i> <?php lang2("editing user", ['user' => "<span id=\"name_title\">" . htmlspecialchars($userdata['realname']) . "</span>"]); ?>
<?php
} else {
?>
<i class="fa fa-pencil-square-o"></i> <?php lang("adding user"); ?>
<?php
}
?>
</h3>
</div>
<div class="panel-body">
<?php
if (!$localacct) {
?>
<div class="alert alert-warning">
<?php lang("non-local account warning"); ?>
</div>
<?php
}
?>
<div class="form-group">
<label for="name"><i class="fa fa-user"></i> <?php lang("name"); ?></label>
<input type="text" class="form-control" id="name" name="name" placeholder="<?php lang("placeholder name"); ?>" required="required" value="<?php echo htmlspecialchars($userdata['realname']); ?>" />
</div>
<div class="row">
<div class="col-xs-12 col-md-6">
<div class="form-group">
<label for="username"><i class="fa fa-id-badge"></i> <?php lang("username"); ?></label>
<input type="text" <?php if (!$localacct) echo "disabled"; ?> class="form-control" name="username" id="username" placeholder="<?php lang("placeholder username"); ?>" required="required" value="<?php echo htmlspecialchars($userdata['username']); ?>" />
</div>
</div>
<div class="col-xs-12 col-md-6">
<div class="form-group">
<label for="email"><i class="fa fa-envelope"></i> <?php lang("email"); ?></label>
<input type="email" class="form-control" name="email" id="email" placeholder="<?php lang("placeholder email address"); ?>" value="<?php echo htmlspecialchars($userdata['email']); ?>" />
</div>
</div>
</div>
<div class="row">
<div class="col-xs-12 col-md-6">
<div class="form-group">
<label for="pass"><i class="fa fa-lock"></i> <?php lang("new password"); ?></label>
<input type="text" <?php if (!$localacct) echo "disabled"; ?> autocomplete="new-password" class="form-control" name="pass" id="pass" placeholder="<?php lang("placeholder password"); ?>" />
</div>
</div>
<div class="col-xs-12 col-md-6">
<div class="form-group">
<label for="status"><i class="fa fa-check-circle"></i> <?php lang("status"); ?></label>
<select class="form-control" name="status" id="status" required="required">
<?php
$statuses = $database->select('acctstatus', ['statusid (id)', 'statuscode (code)'], ["ORDER" => "statusid"]);
foreach ($statuses as $s) {
echo "<option";
if ($s['id'] == $userdata['acctstatus']) {
echo " selected";
}
echo " value=\"" . $s['id'] . "\">" . $s['code'] . "</option>";
}
?>
</select>
</div>
</div>
</div>
</div>
<input type="hidden" name="id" value="<?php echo htmlspecialchars($VARS['id']); ?>" />
<input type="hidden" name="action" value="edituser" />
<input type="hidden" name="source" value="users" />
<div class="panel-footer">
<button type="submit" class="btn btn-success"><i class="fa fa-floppy-o"></i> <?php lang("save"); ?></button>
<?php
if ($editing) {
?>
<a href="action.php?action=deleteuser&source=users&userid=<?php echo htmlspecialchars($VARS['id']); ?>" style="margin-top: 8px;" class="btn btn-danger btn-xs pull-right"><i class="fa fa-times"></i> <?php lang('delete'); ?></a>
<?php
}
?>
</div>
</div>
</form>

2
pages/home.php
View File

@ -30,7 +30,7 @@ redirectifnotloggedin();
<div class="panel panel-amber"> <div class="panel panel-amber">
<div class="panel-heading"><div class="panel-title"><?php lang("locked accounts") ?></div></div> <div class="panel-heading"><div class="panel-title"><?php lang("locked accounts") ?></div></div>
<div class="panel-body"> <div class="panel-body">
<h1><i class="fa fa-fw fa-user-times"></i> <?php echo $database->count('accounts', ['OR' => ['acctstatus' => 2, 'acctstatus' => 3]]); ?></h1> <h1><i class="fa fa-fw fa-user-times"></i> <?php echo $database->count('accounts', ['OR' => ['acctstatus #LOCKED_OR_DISABLED' => 2, 'acctstatus #CHANGE_PASSWORD' => 3]]); ?></h1>
</div> </div>
<div class="panel-footer"> <div class="panel-footer">
<a style="color: black;" href="app.php?page=users"><i class="fa fa-arrow-right fa-fw"></i> <?php lang('view users'); ?></a> <a style="color: black;" href="app.php?page=users"><i class="fa fa-arrow-right fa-fw"></i> <?php lang('view users'); ?></a>

21
pages/users.php
View File

@ -11,11 +11,11 @@ redirectifnotloggedin();
<tr> <tr>
<th data-priority="0"></th> <th data-priority="0"></th>
<th data-priority="1"><?php lang('actions'); ?></th> <th data-priority="1"><?php lang('actions'); ?></th>
<th data-priority="1"><?php lang('name'); ?></th> <th data-priority="1"><i class="fa fa-fw fa-user"></i> <?php lang('name'); ?></th>
<th data-priority="2"><?php lang('username'); ?></th> <th data-priority="2"><i class="fa fa-fw fa-id-badge"></i> <?php lang('username'); ?></th>
<th data-priority="3"><?php lang('email'); ?></th> <th data-priority="3"><i class="fa fa-fw fa-envelope"></i> <?php lang('email'); ?></th>
<th data-priority="3"><?php lang('status'); ?></th> <th data-priority="3"><i class="fa fa-fw fa-check-circle"></i> <?php lang('status'); ?></th>
<th data-priority="4"><?php lang('type'); ?></th> <th data-priority="4"><i class="fa fa-fw fa-server"></i> <?php lang('type'); ?></th>
</tr> </tr>
</thead> </thead>
<tbody> <tbody>
@ -54,11 +54,10 @@ redirectifnotloggedin();
<tr> <tr>
<th data-priority="0"></th> <th data-priority="0"></th>
<th data-priority="1"><?php lang('actions'); ?></th> <th data-priority="1"><?php lang('actions'); ?></th>
<th data-priority="1"><?php lang('name'); ?></th> <th data-priority="1"><i class="fa fa-fw fa-user"></i> <?php lang('name'); ?></th>
<th data-priority="2"><?php lang('username'); ?></th> <th data-priority="2"><i class="fa fa-fw fa-id-badge"></i> <?php lang('username'); ?></th>
<th data-priority="3"><?php lang('email'); ?></th> <th data-priority="3"><i class="fa fa-fw fa-envelope"></i> <?php lang('email'); ?></th>
<th data-priority="3"><?php lang('status'); ?></th> <th data-priority="3"><i class="fa fa-fw fa-check-circle"></i> <?php lang('status'); ?></th>
<th data-priority="4"><?php lang('type'); ?></th> <th data-priority="4"><i class="fa fa-fw fa-server"></i> <?php lang('type'); ?></th>
</tr>
</tfoot> </tfoot>
</table> </table>

7
required.php
View File

@ -185,7 +185,12 @@ if (!function_exists('base_url')) {
function redirectIfNotLoggedIn() { function redirectIfNotLoggedIn() {
if ($_SESSION['loggedin'] !== TRUE) { if ($_SESSION['loggedin'] !== TRUE) {
header('Location: ' . URL . '/index.php'); header('Location: ./index.php');
die(); die();
} }
require_once __DIR__ . "/lib/login.php";
if (account_has_permission($_SESSION['username'], "ADMIN") == FALSE) {
header('Location: ./index.php');
die("You don't have permission to be here.");
}
} }

3
static/js/edituser.js Normal file
View File

@ -0,0 +1,3 @@
$('#name').on('input propertychange paste', function() {
$('#name_title').text($('#name').val());
});