Manager/pages/users.php

<?php
    $HTML->setHTMLTitle("Benutzer");
    $HTML->importSeitenInhalt("users.html");
    $HTML->addHTMLHeader('<link rel="stylesheet" href="./style/admin-users.css">');

    if (!isset($_SESSION['LOGIN']) || !isset($_SESSION['LEVEL']) || $_SESSION['LEVEL'] < 100) {
        $HTML->setHTMLTitle("Kein Zugriff");
        $HTML->SetSeitenInhalt("Dazu hast du keine Rechte!");
        $HTML->build();
        echo $HTML->ausgabe();
        die();
    }

    include_once 'app/OpenSim.php';
    $opensim = new OpenSim();

    if ($_SERVER['REQUEST_METHOD'] == 'POST') {
        include_once 'app/FormValidator.php';
        if (isset($_POST['genpw'])) {
            $validator = new FormValidator(array(
                'userid' => array('required' => true, 'regex' => '/^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$/')
            ));

            if ($validator->isValid($_POST)) {
                require_once 'app/utils.php';
                $token = generateToken(32);
                $setToken = $RUNTIME['PDO']->prepare('REPLACE INTO PasswordResetTokens(PrincipalID,Token,RequestTime) VALUES(?,?,?)');
                $setToken->execute([$_POST['userid'], $token, time()]);
                $resetLink = "https://".$RUNTIME['DOMAIN'].'/index.php?page=reset-password&token='.$token;
                
                $HTML->ReplaceSeitenInhalt("%%MESSAGE%%", '<div class="alert alert-danger" role="alert">Das Passwort für '.htmlspecialchars($opensim->getUserName($_REQUEST['userid'])).' kann in den nächsten 24 Stunden über diesen Link zurückgesetzt werden: <b>'.$resetLink.'</b></div>');
            }
        } elseif (isset($_POST['generateLink'])) {
            $validator = new FormValidator(array()); // Needed only for CSRF token validation

            if ($validator->isValid($_POST)) {
                $inviteID = bin2hex(random_bytes(16));
                $link = "https://".$_SERVER['SERVER_NAME']."/index.php?page=register&code=".$inviteID;
        
                $statement = $RUNTIME['PDO']->prepare('INSERT INTO `InviteCodes` (`InviteCode`) VALUES (:InviteCode)');
                $statement->execute(['InviteCode' => $inviteID]);
                
                $HTML->ReplaceSeitenInhalt("%%link%%", $link);
            }
        }
    }

    $statement = $RUNTIME['PDO']->prepare("CREATE TABLE IF NOT EXISTS `InviteCodes` (`InviteCode` VARCHAR(64) NOT NULL, PRIMARY KEY (`InviteCode`))");
    $statement->execute();

    $table = '<table class="table"><thead><tr><th scope="col">Vorname</th><th scope="col">Nachname</th><th scope="col">Status</th><th scope="col">Aktionen</th></thead><tbody>%%ENTRY%%</tbody></table>';
    
    // Only select current primary account
    $statement = $RUNTIME['PDO']->prepare("SELECT FirstName,LastName,UserLevel,PrincipalID FROM UserAccounts JOIN auth ON auth.UUID = UserAccounts.PrincipalID ORDER BY Created ASC");
    $statement->execute();

    $statementIdent = $RUNTIME['PDO']->prepare("SELECT FirstName,LastName,UserLevel,IdentityID FROM UserIdentitys JOIN UserAccounts ON UserAccounts.PrincipalID = UserIdentitys.IdentityID WHERE UserIdentitys.PrincipalID = ? AND UserIdentitys.PrincipalID != UserIdentitys.IdentityID");
    while ($row = $statement->fetch()) {
        $entry = '<tr><td>'.htmlspecialchars($row['FirstName']).'</td><td>'.htmlspecialchars($row['LastName']).'</td><td>'.htmlspecialchars($row['UserLevel']).'</td><td><form action="index.php?page=users" method="post">%%CSRF%%<input type="hidden" name="userid" value="'.htmlspecialchars($row['PrincipalID']).'"><button type="submit" name="genpw" class="btn btn-link btn-sm">PASSWORT ZURÜCKSETZEN</button> <button type="submit" name="deluser" class="btn btn-link btn-sm" style="color: red">LÖSCHEN</button></form></td></tr>';
        $statementIdent->execute([$row['PrincipalID']]);
        while ($identRow = $statementIdent->fetch()) {
            $entry = $entry.'<tr class="ident-row"><td>'.htmlspecialchars($identRow['FirstName']).'</td><td>'.htmlspecialchars($identRow['LastName']).'</td><td>'.htmlspecialchars($identRow['UserLevel']).'</td><td><form action="index.php?page=users" method="post">%%CSRF%%<input type="hidden" name="userid" value="'.htmlspecialchars($identRow['IdentityID']).'"><button type="submit" name="delident" class="btn btn-link btn-sm">Identität löschen</button></form></td></tr>';
        }
        $table = str_replace("%%ENTRY%%", $entry."%%ENTRY%%", $table);
    }

    $table = str_replace("%%ENTRY%%", "", $table);
    $HTML->ReplaceSeitenInhalt("%%USER-LIST%%", $table);
    $HTML->ReplaceSeitenInhalt("%%link%%", ' ');
    $HTML->ReplaceSeitenInhalt("%%MESSAGE%%", ' ');

    $HTML->build();
    echo $HTML->ausgabe();
add files 2020-06-03 15:31:18 +00:00			`<?php`
Use POST for user management, validate input 2023-08-23 16:16:35 +00:00			`$HTML->setHTMLTitle("Benutzer");`
			`$HTML->importSeitenInhalt("users.html");`
Add distinction of users and identities in admin 2023-08-27 09:59:43 +00:00			`$HTML->addHTMLHeader('<link rel="stylesheet" href="./style/admin-users.css">');`
add password reset to users page 2021-01-07 14:30:23 +00:00
Fix formatting according to PSR-12 2023-08-27 03:31:32 +00:00			`if (!isset($_SESSION['LOGIN']) \|\| !isset($_SESSION['LEVEL']) \|\| $_SESSION['LEVEL'] < 100) {`
add files 2020-06-03 15:31:18 +00:00			`$HTML->setHTMLTitle("Kein Zugriff");`
			`$HTML->SetSeitenInhalt("Dazu hast du keine Rechte!");`
			`$HTML->build();`
			`echo $HTML->ausgabe();`
			`die();`
combine pages 2020-08-04 10:00:38 +00:00			`}`

Fix formatting according to PSR-12 2023-08-27 03:31:32 +00:00			`include_once 'app/OpenSim.php';`
Fix OpenSim API being included too late in users 2023-08-23 16:16:35 +00:00			`$opensim = new OpenSim();`

Fix formatting according to PSR-12 2023-08-27 03:31:32 +00:00			`if ($_SERVER['REQUEST_METHOD'] == 'POST') {`
			`include_once 'app/FormValidator.php';`
			`if (isset($_POST['genpw'])) {`
Use POST for user management, validate input 2023-08-23 16:16:35 +00:00			`$validator = new FormValidator(array(`
Change validation regexes to be more strict 2023-08-23 16:16:36 +00:00			`'userid' => array('required' => true, 'regex' => '/^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$/')`
Use POST for user management, validate input 2023-08-23 16:16:35 +00:00			`));`
Only include and construct OpenSim when needed 2023-08-23 16:16:35 +00:00
Fix formatting according to PSR-12 2023-08-27 03:31:32 +00:00			`if ($validator->isValid($_POST)) {`
Let admins generate password reset links 2023-08-23 16:16:36 +00:00			`require_once 'app/utils.php';`
			`$token = generateToken(32);`
			`$setToken = $RUNTIME['PDO']->prepare('REPLACE INTO PasswordResetTokens(PrincipalID,Token,RequestTime) VALUES(?,?,?)');`
			`$setToken->execute([$_POST['userid'], $token, time()]);`
			`$resetLink = "https://".$RUNTIME['DOMAIN'].'/index.php?page=reset-password&token='.$token;`
Revert password hashing for OpenSim compatibility 2023-08-23 16:16:36 +00:00
Let admins generate password reset links 2023-08-23 16:16:36 +00:00			`$HTML->ReplaceSeitenInhalt("%%MESSAGE%%", '<div class="alert alert-danger" role="alert">Das Passwort für '.htmlspecialchars($opensim->getUserName($_REQUEST['userid'])).' kann in den nächsten 24 Stunden über diesen Link zurückgesetzt werden: <b>'.$resetLink.'</b></div>');`
Use POST for user management, validate input 2023-08-23 16:16:35 +00:00			`}`
Fix formatting according to PSR-12 2023-08-27 03:31:32 +00:00			`} elseif (isset($_POST['generateLink'])) {`
Use POST for user management, validate input 2023-08-23 16:16:35 +00:00			`$validator = new FormValidator(array()); // Needed only for CSRF token validation`
add password reset to users page 2021-01-07 14:30:23 +00:00
Fix formatting according to PSR-12 2023-08-27 03:31:32 +00:00			`if ($validator->isValid($_POST)) {`
Generate a random string as invite code 2023-08-23 16:16:35 +00:00			`$inviteID = bin2hex(random_bytes(16));`
Use POST for user management, validate input 2023-08-23 16:16:35 +00:00			`$link = "https://".$_SERVER['SERVER_NAME']."/index.php?page=register&code=".$inviteID;`

			$statement = $RUNTIME['PDO']->prepare('INSERT INTO `InviteCodes` (`InviteCode`) VALUES (:InviteCode)');
			`$statement->execute(['InviteCode' => $inviteID]);`

			`$HTML->ReplaceSeitenInhalt("%%link%%", $link);`
			`}`
			`}`
add password reset to users page 2021-01-07 14:30:23 +00:00			`}`

Fix formatting according to PSR-12 2023-08-27 03:31:32 +00:00			$statement = $RUNTIME['PDO']->prepare("CREATE TABLE IF NOT EXISTS `InviteCodes` (`InviteCode` VARCHAR(64) NOT NULL, PRIMARY KEY (`InviteCode`))");
fix pw page 2020-08-04 10:08:41 +00:00			`$statement->execute();`

combine pages 2020-08-04 10:00:38 +00:00			`$table = '<table class="table"><thead><tr><th scope="col">Vorname</th><th scope="col">Nachname</th><th scope="col">Status</th><th scope="col">Aktionen</th></thead><tbody>%%ENTRY%%</tbody></table>';`
add files 2020-06-03 15:31:18 +00:00
Add distinction of users and identities in admin 2023-08-27 09:59:43 +00:00			`// Only select current primary account`
			`$statement = $RUNTIME['PDO']->prepare("SELECT FirstName,LastName,UserLevel,PrincipalID FROM UserAccounts JOIN auth ON auth.UUID = UserAccounts.PrincipalID ORDER BY Created ASC");`
Fix formatting according to PSR-12 2023-08-27 03:31:32 +00:00			`$statement->execute();`
combine pages 2020-08-04 10:00:38 +00:00
Add distinction of users and identities in admin 2023-08-27 09:59:43 +00:00			`$statementIdent = $RUNTIME['PDO']->prepare("SELECT FirstName,LastName,UserLevel,IdentityID FROM UserIdentitys JOIN UserAccounts ON UserAccounts.PrincipalID = UserIdentitys.IdentityID WHERE UserIdentitys.PrincipalID = ? AND UserIdentitys.PrincipalID != UserIdentitys.IdentityID");`
Fix formatting according to PSR-12 2023-08-27 03:31:32 +00:00			`while ($row = $statement->fetch()) {`
Add distinction of users and identities in admin 2023-08-27 09:59:43 +00:00			$entry = '<tr><td>'.htmlspecialchars($row['FirstName']).'</td><td>'.htmlspecialchars($row['LastName']).'</td><td>'.htmlspecialchars($row['UserLevel']).'</td><td><form action="index.php?page=users" method="post">%%CSRF%%<input type="hidden" name="userid" value="'.htmlspecialchars($row['PrincipalID']).'"><button type="submit" name="genpw" class="btn btn-link btn-sm">PASSWORT ZURÜCKSETZEN</button> <button type="submit" name="deluser" class="btn btn-link btn-sm" style="color: red">LÖSCHEN</button></form></td></tr>';
			`$statementIdent->execute([$row['PrincipalID']]);`
			`while ($identRow = $statementIdent->fetch()) {`
			`$entry = $entry.'<tr class="ident-row"><td>'.htmlspecialchars($identRow['FirstName']).'</td><td>'.htmlspecialchars($identRow['LastName']).'</td><td>'.htmlspecialchars($identRow['UserLevel']).'</td><td><form action="index.php?page=users" method="post">%%CSRF%%<input type="hidden" name="userid" value="'.htmlspecialchars($identRow['IdentityID']).'"><button type="submit" name="delident" class="btn btn-link btn-sm">Identität löschen</button></form></td></tr>';`
			`}`
combine pages 2020-08-04 10:00:38 +00:00			`$table = str_replace("%%ENTRY%%", $entry."%%ENTRY%%", $table);`
add files 2020-06-03 15:31:18 +00:00			`}`
combine pages 2020-08-04 10:00:38 +00:00
			`$table = str_replace("%%ENTRY%%", "", $table);`
add password reset to users page 2021-01-07 14:30:23 +00:00			`$HTML->ReplaceSeitenInhalt("%%USER-LIST%%", $table);`
Fix formatting according to PSR-12 2023-08-27 03:31:32 +00:00			`$HTML->ReplaceSeitenInhalt("%%link%%", ' ');`
Use POST for user management, validate input 2023-08-23 16:16:35 +00:00			`$HTML->ReplaceSeitenInhalt("%%MESSAGE%%", ' ');`
combine pages 2020-08-04 10:00:38 +00:00
			`$HTML->build();`
			`echo $HTML->ausgabe();`