Home Explore Help
Register Sign In
CopperWire
/
daktylos
4
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Branch: master
Branches Tags
daktylos
/
libs
/
EditUserAction.class.php

EditUserAction.class.php 2.3 KB
Permalink History Raw

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556 
  1. <?php
    2. 

  2. class EditUserAction implements IAction {
    3. 

  3. 	public function execute() {
    4. 

  4. 		if(!Authorize::isLoggedIn() || !Authorize::hasPermission()) {
    5. 

  5. 			return array("error" => "Access not authorized");
    6. 

  6. 		}
    7. 

  7. 

  8. 		$userId = $_POST['user_id'] ?? $_GET['user_id'] ?? "";
    9. 

  9. 		$username = $_POST['username'] ?? $_GET['username'] ?? "";
    10. 

  10. 		$displayName = $_POST['display_name'] ?? $_GET['display_name'] ?? "";
    11. 

  11. 		$email = $_POST['email'] ?? $_GET['email'] ?? "";
    12. 

  12. 		$password = $_POST['password'] ?? $_GET['password'] ?? "";
    13. 

  13. 		
    14. 

  14. 		//TODO: scrub inputs
    15. 

  15. 		if(empty($userId) || empty($username) || empty($displayName) || empty($email)) {
    16. 

  16. 			return array("error" => "One or more required fields missing: user_id, username, display_name, email");
    17. 

  17. 		}
    18. 

  18. 

  19. 		if(in_array($userId, array(1, 2)) && !isset($_SESSION['superadmin'])) {
    20. 

  20. 			return array("error" => "Cannot edit the superadmin account");
    21. 

  21. 		}
    22. 

  22. 

  23. 		$superAdminEditPassword = !empty($password) && isset($_SESSION['superadmin']) && $_SESSION['superadmin'];
    24. 

  24. 

  25. 		$db = SqliteDatabase::getSingleton();
    26. 

  26. 

  27. 		$sql = "UPDATE users SET username = :username, display_name = :display_name, email = :email WHERE rowid = :user_id";
    28. 

  28. 

  29. 		if($superAdminEditPassword) {
    30. 

  30. 			$sql = "UPDATE users SET username = :username, display_name = :display_name, email = :email, password = :passwordhash WHERE rowid = :user_id";
    31. 

  31. 		}
    32. 

  32. 		$preparedQuery = $db->prepare($sql);
    33. 

  33. 		$preparedQuery->bindValue(':username', $username);
    34. 

  34. 		$preparedQuery->bindValue(':display_name', $displayName);
    35. 

  35. 		$preparedQuery->bindValue(':email', $email);
    36. 

  36. 		if($superAdminEditPassword) {
    37. 

  37. 			$passwordHash = hash("sha256", $password);
    38. 

  38. 			$preparedQuery->bindValue(':passwordhash', $passwordHash);
    39. 

  39. 		}
    40. 

  40. 		$preparedQuery->bindValue(':user_id', $userId);
    41. 

  41. 		try {
    42. 

  42. 			$result = $preparedQuery->execute();
    43. 

  43. 			$loggerData = array();
    44. 

  44. 			$loggerData['display_name'] = $_SESSION['display_name'];
    45. 

  45. 			$loggerData['user_id'] = $_SESSION['user_id'];
    46. 

  46. 			$loggerData['edited_user_id'] = $userId;
    47. 

  47. 			$loggerData['user_display_name'] = $displayName;
    48. 

  48. 			$loggerData['username'] = $username;
    49. 

  49. 			SecurityLogger::action("edit-user", $loggerData, time());
    50. 

  50. 			return array("status" => "success", "message" => "Updated user '" . $username . "' (".$userId.").");
    51. 

  51. 		}
    52. 

  52. 		catch(Exception $e) {
    53. 

  53. 			return array("error" => "Error when updating user '" . $username. "' (".$userId."): invalid fields?" , "exception" => $e->getMessage());
    54. 

  54. 		}
    55. 

  55. 	}
    56. 

  56. }
    57.