Manager/pages/users.php

<?php
    function generateRandomString($length = 10) {
        return substr(str_shuffle(str_repeat($x='0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ', ceil($length/strlen($x)) )),1,$length);
    }

    if(@$_SESSION['LEVEL'] < 100)
    {
        $HTML->setHTMLTitle("Kein Zugriff");
        $HTML->SetSeitenInhalt("Dazu hast du keine Rechte!");
        $HTML->build();
        echo $HTML->ausgabe();
        die();
    }

    include 'app/OpenSim.php';
    $opensim = new OpenSim();

    $HTML->setHTMLTitle("Benutzer");
    $HTML->importSeitenInhalt("users.html");

    if(@$_REQUEST['action'] == 'genpw' && @$_REQUEST['userid'] != '')
    {
        $NEWPW  =   generateRandomString(10);

        $statement = $RUNTIME['PDO']->prepare('UPDATE auth SET passwordHash = :PasswordHash WHERE UUID = :PrincipalID'); 
        $statement->execute(['PasswordHash' => password_hash($NEWPW, PASSWORD_ARGON2ID), 'PrincipalID' => $_REQUEST['userid']]);

        $HTML->ReplaceSeitenInhalt("%%MESSAGE%%", '<div class="alert alert-danger" role="alert">Das Passwort für '.htmlspecialchars($opensim->getUserName($_REQUEST['userid'])).' wurde geändert. Das neue Passwort ist <b>'.htmlspecialchars($NEWPW).'</b></div>'); 
    }

    $statement = $RUNTIME['PDO']->prepare("CREATE TABLE IF NOT EXISTS `InviteCodes` (`InviteCode` VARCHAR(64) NOT NULL, PRIMARY KEY (`InviteCode`))"); 
    $statement->execute();

    if(isset($_REQUEST['generateLink']) || @$_REQUEST['generateLink'] != "")
    {
        $inviteID   =   md5(time().$_SESSION['UUID'].rand(11111, 9999999));
        $link       =   "https://".$_SERVER['SERVER_NAME']."/index.php?page=register&code=".$inviteID;

        $statement = $RUNTIME['PDO']->prepare('INSERT INTO `InviteCodes` (`InviteCode`) VALUES (:InviteCode)'); 
        $statement->execute(['InviteCode' => $inviteID]);

        $HTML->ReplaceSeitenInhalt("%%link%%", $link); 
    }

    $table = '<table class="table"><thead><tr><th scope="col">Vorname</th><th scope="col">Nachname</th><th scope="col">Status</th><th scope="col">Aktionen</th></thead><tbody>%%ENTRY%%</tbody></table>';
    
    $statement = $RUNTIME['PDO']->prepare("SELECT FirstName,LastName,UserLevel,PrincipalID FROM UserAccounts ORDER BY Created ASC");
    $statement->execute(); 

    while($row = $statement->fetch()) 
    {
        $entry = '<tr><td>'.htmlspecialchars($row['FirstName']).'</td><td>'.htmlspecialchars($row['LastName']).'</td><td>'.htmlspecialchars($row['UserLevel']).'</td><td><a href="index.php?page=users&action=genpw&userid='.htmlspecialchars($row['PrincipalID']).'">PASSWORT ÄNDERN</a></td></tr>';
        $table = str_replace("%%ENTRY%%", $entry."%%ENTRY%%", $table);
    }

    $table = str_replace("%%ENTRY%%", "", $table);
    $HTML->ReplaceSeitenInhalt("%%USER-LIST%%", $table);
    $HTML->ReplaceSeitenInhalt("%%link%%", ' '); 
    $HTML->ReplaceSeitenInhalt("%%MESSAGE%%", ' '); 

    $HTML->build();
    echo $HTML->ausgabe();
?>
add files 2020-06-03 15:31:18 +00:00			`<?php`
add password reset to users page 2021-01-07 14:30:23 +00:00			`function generateRandomString($length = 10) {`
			`return substr(str_shuffle(str_repeat($x='0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ', ceil($length/strlen($x)) )),1,$length);`
			`}`

add files 2020-06-03 15:31:18 +00:00			`if(@$_SESSION['LEVEL'] < 100)`
			`{`
			`$HTML->setHTMLTitle("Kein Zugriff");`
			`$HTML->SetSeitenInhalt("Dazu hast du keine Rechte!");`
			`$HTML->build();`
			`echo $HTML->ausgabe();`
			`die();`
combine pages 2020-08-04 10:00:38 +00:00			`}`

Fix include/template paths 2023-08-23 16:16:35 +00:00			`include 'app/OpenSim.php';`
Only include and construct OpenSim when needed 2023-08-23 16:16:35 +00:00			`$opensim = new OpenSim();`

combine pages 2020-08-04 10:00:38 +00:00			`$HTML->setHTMLTitle("Benutzer");`
Fix include/template paths 2023-08-23 16:16:35 +00:00			`$HTML->importSeitenInhalt("users.html");`
combine pages 2020-08-04 10:00:38 +00:00
add password reset to users page 2021-01-07 14:30:23 +00:00			`if(@$_REQUEST['action'] == 'genpw' && @$_REQUEST['userid'] != '')`
			`{`
			`$NEWPW = generateRandomString(10);`

			`$statement = $RUNTIME['PDO']->prepare('UPDATE auth SET passwordHash = :PasswordHash WHERE UUID = :PrincipalID');`
Use Argon2id as password hashing algorithm 2023-08-23 16:16:34 +00:00			`$statement->execute(['PasswordHash' => password_hash($NEWPW, PASSWORD_ARGON2ID), 'PrincipalID' => $_REQUEST['userid']]);`
add password reset to users page 2021-01-07 14:30:23 +00:00
Only include and construct OpenSim when needed 2023-08-23 16:16:35 +00:00			`$HTML->ReplaceSeitenInhalt("%%MESSAGE%%", '<div class="alert alert-danger" role="alert">Das Passwort für '.htmlspecialchars($opensim->getUserName($_REQUEST['userid'])).' wurde geändert. Das neue Passwort ist <b>'.htmlspecialchars($NEWPW).'</b></div>');`
add password reset to users page 2021-01-07 14:30:23 +00:00			`}`

fix pw page 2020-08-04 10:08:41 +00:00			$statement = $RUNTIME['PDO']->prepare("CREATE TABLE IF NOT EXISTS `InviteCodes` (`InviteCode` VARCHAR(64) NOT NULL, PRIMARY KEY (`InviteCode`))");
			`$statement->execute();`

			`if(isset($_REQUEST['generateLink']) \|\| @$_REQUEST['generateLink'] != "")`
			`{`
			`$inviteID = md5(time().$_SESSION['UUID'].rand(11111, 9999999));`
			`$link = "https://".$_SERVER['SERVER_NAME']."/index.php?page=register&code=".$inviteID;`

			$statement = $RUNTIME['PDO']->prepare('INSERT INTO `InviteCodes` (`InviteCode`) VALUES (:InviteCode)');
			`$statement->execute(['InviteCode' => $inviteID]);`

			`$HTML->ReplaceSeitenInhalt("%%link%%", $link);`
			`}`

combine pages 2020-08-04 10:00:38 +00:00			`$table = '<table class="table"><thead><tr><th scope="col">Vorname</th><th scope="col">Nachname</th><th scope="col">Status</th><th scope="col">Aktionen</th></thead><tbody>%%ENTRY%%</tbody></table>';`
add files 2020-06-03 15:31:18 +00:00
Only fetch required rows from database 2023-08-23 16:16:34 +00:00			`$statement = $RUNTIME['PDO']->prepare("SELECT FirstName,LastName,UserLevel,PrincipalID FROM UserAccounts ORDER BY Created ASC");`
combine pages 2020-08-04 10:00:38 +00:00			`$statement->execute();`

			`while($row = $statement->fetch())`
			`{`
Always encode user input before including in HTML 2023-08-23 16:16:34 +00:00			`$entry = '<tr><td>'.htmlspecialchars($row['FirstName']).'</td><td>'.htmlspecialchars($row['LastName']).'</td><td>'.htmlspecialchars($row['UserLevel']).'</td><td><a href="index.php?page=users&action=genpw&userid='.htmlspecialchars($row['PrincipalID']).'">PASSWORT ÄNDERN</a></td></tr>';`
combine pages 2020-08-04 10:00:38 +00:00			`$table = str_replace("%%ENTRY%%", $entry."%%ENTRY%%", $table);`
add files 2020-06-03 15:31:18 +00:00			`}`
combine pages 2020-08-04 10:00:38 +00:00
			`$table = str_replace("%%ENTRY%%", "", $table);`
add password reset to users page 2021-01-07 14:30:23 +00:00			`$HTML->ReplaceSeitenInhalt("%%USER-LIST%%", $table);`
fix pw page 2020-08-04 10:08:41 +00:00			`$HTML->ReplaceSeitenInhalt("%%link%%", ' ');`
add password reset to users page 2021-01-07 14:30:23 +00:00			`$HTML->ReplaceSeitenInhalt("%%MESSAGE%%", ' ');`
combine pages 2020-08-04 10:00:38 +00:00
			`$HTML->build();`
			`echo $HTML->ausgabe();`
add files 2020-06-03 15:31:18 +00:00			`?>`