From 0429f2db6a02133f48fae7222c13f5607b10e392 Mon Sep 17 00:00:00 2001
From: Chris <christopher@clatza.dev>
Date: Thu, 7 Jan 2021 15:30:23 +0100
Subject: [PATCH] add password reset to users page

---
 pages/HTML/users.html |  3 ++-
 pages/users.php       | 23 +++++++++++++++++++++--
 2 files changed, 23 insertions(+), 3 deletions(-)

diff --git a/pages/HTML/users.html b/pages/HTML/users.html
index a4153b6..fec4512 100644
--- a/pages/HTML/users.html
+++ b/pages/HTML/users.html
@@ -1,7 +1,8 @@
 <div class="container-fluid">
 	<div class="row">
         <div class="col-md-6">
-            %%REGION-LIST%%
+            %%MESSAGE%%
+            %%USER-LIST%%
         </div>
 		<div class="col-md-6">
             <div style="width: 400px; margin: auto; left: 50%;">
diff --git a/pages/users.php b/pages/users.php
index 3b414c9..c0e35cd 100644
--- a/pages/users.php
+++ b/pages/users.php
@@ -1,4 +1,8 @@
 <?php
+    function generateRandomString($length = 10) {
+        return substr(str_shuffle(str_repeat($x='0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ', ceil($length/strlen($x)) )),1,$length);
+    }
+
     if(@$_SESSION['LEVEL'] < 100)
     {
         $HTML->setHTMLTitle("Kein Zugriff");
@@ -11,6 +15,20 @@
     $HTML->setHTMLTitle("Benutzer");
     $HTML->importSeitenInhalt("pages/HTML/users.html");
 
+    if(@$_REQUEST['action'] == 'genpw' && @$_REQUEST['userid'] != '')
+    {
+        $SALT   =   md5(rand(1111, 9999));
+        $NEWPW  =   generateRandomString(10);
+
+        $statement = $RUNTIME['PDO']->prepare('UPDATE auth SET passwordHash = :PasswordHash WHERE UUID = :PrincipalID'); 
+        $statement->execute(['PasswordHash' => md5(md5($NEWPW).":".$SALT), 'PrincipalID' => $_REQUEST['userid']]);
+
+        $statement = $RUNTIME['PDO']->prepare('UPDATE auth SET passwordSalt = :passwordSalt WHERE UUID = :PrincipalID'); 
+        $statement->execute(['passwordSalt' => $SALT, 'PrincipalID' => $_REQUEST['userid']]);
+
+        $HTML->ReplaceSeitenInhalt("%%MESSAGE%%", '<div class="alert alert-danger" role="alert">Das Passwort für '.$RUNTIME['OPENSIM']->getUserName($_REQUEST['userid']).' wurde geändert. Das neue Passwort ist <b>'.$NEWPW.'</b></div>'); 
+    }
+
     $statement = $RUNTIME['PDO']->prepare("CREATE TABLE IF NOT EXISTS `InviteCodes` (`InviteCode` VARCHAR(64) NOT NULL, PRIMARY KEY (`InviteCode`))"); 
     $statement->execute();
 
@@ -32,13 +50,14 @@
 
     while($row = $statement->fetch()) 
     {
-        $entry = '<tr><td>'.$row['FirstName'].'</td><td>'.$row['LastName'].'</td><td>'.$row['UserLevel'].'</td><td>PASSWORT ÄNDERN | SPERREN</td></tr>';
+        $entry = '<tr><td>'.$row['FirstName'].'</td><td>'.$row['LastName'].'</td><td>'.$row['UserLevel'].'</td><td><a href="index.php?page=users&action=genpw&userid='.$row['PrincipalID'].'">PASSWORT ÄNDERN</a></td></tr>';
         $table = str_replace("%%ENTRY%%", $entry."%%ENTRY%%", $table);
     }
 
     $table = str_replace("%%ENTRY%%", "", $table);
-    $HTML->ReplaceSeitenInhalt("%%REGION-LIST%%", $table);
+    $HTML->ReplaceSeitenInhalt("%%USER-LIST%%", $table);
     $HTML->ReplaceSeitenInhalt("%%link%%", ' '); 
+    $HTML->ReplaceSeitenInhalt("%%MESSAGE%%", ' '); 
 
     $HTML->build();
     echo $HTML->ausgabe();