EditUserAction.class.php 2.3 KB

  1. <?php
  2. class EditUserAction implements IAction {
  3. public function execute() {
  4. if(!Authorize::isLoggedIn() || !Authorize::hasPermission()) {
  5. return array("error" => "Access not authorized");
  6. }
  7. $userId = $_POST['user_id'] ?? $_GET['user_id'] ?? "";
  8. $username = $_POST['username'] ?? $_GET['username'] ?? "";
  9. $displayName = $_POST['display_name'] ?? $_GET['display_name'] ?? "";
  10. $email = $_POST['email'] ?? $_GET['email'] ?? "";
  11. $password = $_POST['password'] ?? $_GET['password'] ?? "";
  12. //TODO: scrub inputs
  13. if(empty($userId) || empty($username) || empty($displayName) || empty($email)) {
  14. return array("error" => "One or more required fields missing: user_id, username, display_name, email");
  15. }
  16. if(in_array($userId, array(1, 2)) && !isset($_SESSION['superadmin'])) {
  17. return array("error" => "Cannot edit the superadmin account");
  18. }
  19. $superAdminEditPassword = !empty($password) && isset($_SESSION['superadmin']) && $_SESSION['superadmin'];
  20. $db = SqliteDatabase::getSingleton();
  21. $sql = "UPDATE users SET username = :username, display_name = :display_name, email = :email WHERE rowid = :user_id";
  22. if($superAdminEditPassword) {
  23. $sql = "UPDATE users SET username = :username, display_name = :display_name, email = :email, password = :passwordhash WHERE rowid = :user_id";
  24. }
  25. $preparedQuery = $db->prepare($sql);
  26. $preparedQuery->bindValue(':username', $username);
  27. $preparedQuery->bindValue(':display_name', $displayName);
  28. $preparedQuery->bindValue(':email', $email);
  29. if($superAdminEditPassword) {
  30. $passwordHash = hash("sha256", $password);
  31. $preparedQuery->bindValue(':passwordhash', $passwordHash);
  32. }
  33. $preparedQuery->bindValue(':user_id', $userId);
  34. try {
  35. $result = $preparedQuery->execute();
  36. $loggerData = array();
  37. $loggerData['display_name'] = $_SESSION['display_name'];
  38. $loggerData['user_id'] = $_SESSION['user_id'];
  39. $loggerData['edited_user_id'] = $userId;
  40. $loggerData['user_display_name'] = $displayName;
  41. $loggerData['username'] = $username;
  42. SecurityLogger::action("edit-user", $loggerData, time());
  43. return array("status" => "success", "message" => "Updated user '" . $username . "' (".$userId.").");
  44. }
  45. catch(Exception $e) {
  46. return array("error" => "Error when updating user '" . $username. "' (".$userId."): invalid fields?" , "exception" => $e->getMessage());
  47. }
  48. }
  49. }