Website
/
Manager
1
0
Fork 0
Code Releases 11 Activity

Use POST for user management, validate input

master
Anonymous Contributor 2023-08-23 18:16:35 +02:00
parent 6ca8988128
commit 8c7a31d88a
1 changed files with 36 additions and 30 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

42
pages/users.php
View File

@ -1,9 +1,8 @@
<?php <?php
function generateRandomString($length = 10) { $HTML->setHTMLTitle("Benutzer");
return substr(str_shuffle(str_repeat($x='0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ', ceil($length/strlen($x)) )),1,$length); $HTML->importSeitenInhalt("users.html");
}
if(@$_SESSION['LEVEL'] < 100) if(!isset($_SESSION['LOGIN']) || !isset($_SESSION['LEVEL']) || $_SESSION['LEVEL'] < 100)
{ {
$HTML->setHTMLTitle("Kein Zugriff"); $HTML->setHTMLTitle("Kein Zugriff");
$HTML->SetSeitenInhalt("Dazu hast du keine Rechte!"); $HTML->SetSeitenInhalt("Dazu hast du keine Rechte!");
@ -12,27 +11,26 @@
die(); die();
} }
include 'app/OpenSim.php'; if($_SERVER['REQUEST_TYPE'] == 'POST') {
$opensim = new OpenSim(); include '../app/FormValidator.php';
if(isset($_POST['genpw'])) {
$validator = new FormValidator(array(
'userid' => array('required' => true, 'regex' => '/[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}/')
));
$HTML->setHTMLTitle("Benutzer"); if($validator->isValid($_POST)) {
$HTML->importSeitenInhalt("users.html"); $NEWPW = substr(str_shuffle(str_repeat($x='0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ', ceil(10/strlen($x)) )),1,10); // Generate random password (10 characters)
if(@$_REQUEST['action'] == 'genpw' && @$_REQUEST['userid'] != '')
{
$NEWPW = generateRandomString(10);
$statement = $RUNTIME['PDO']->prepare('UPDATE auth SET passwordHash = :PasswordHash WHERE UUID = :PrincipalID'); $statement = $RUNTIME['PDO']->prepare('UPDATE auth SET passwordHash = :PasswordHash WHERE UUID = :PrincipalID');
$statement->execute(['PasswordHash' => password_hash($NEWPW, PASSWORD_ARGON2ID), 'PrincipalID' => $_REQUEST['userid']]); $statement->execute(['PasswordHash' => password_hash($NEWPW, PASSWORD_ARGON2ID), 'PrincipalID' => $_REQUEST['userid']]);
$HTML->ReplaceSeitenInhalt("%%MESSAGE%%", '<div class="alert alert-danger" role="alert">Das Passwort für '.htmlspecialchars($opensim->getUserName($_REQUEST['userid'])).' wurde geändert. Das neue Passwort ist <b>'.htmlspecialchars($NEWPW).'</b></div>'); $HTML->ReplaceSeitenInhalt("%%MESSAGE%%", '<div class="alert alert-danger" role="alert">Das Passwort für '.htmlspecialchars($opensim->getUserName($_REQUEST['userid'])).' wurde geändert. Das neue Passwort ist <b>'.htmlspecialchars($NEWPW).'</b></div>');
} }
}
else if(isset($_POST['generateLink'])) {
$validator = new FormValidator(array()); // Needed only for CSRF token validation
$statement = $RUNTIME['PDO']->prepare("CREATE TABLE IF NOT EXISTS `InviteCodes` (`InviteCode` VARCHAR(64) NOT NULL, PRIMARY KEY (`InviteCode`))"); if($validator->isValid($_POST)) {
$statement->execute();
if(isset($_REQUEST['generateLink']) || @$_REQUEST['generateLink'] != "")
{
$inviteID = md5(time().$_SESSION['UUID'].rand(11111, 9999999)); $inviteID = md5(time().$_SESSION['UUID'].rand(11111, 9999999));
$link = "https://".$_SERVER['SERVER_NAME']."/index.php?page=register&code=".$inviteID; $link = "https://".$_SERVER['SERVER_NAME']."/index.php?page=register&code=".$inviteID;
@ -41,6 +39,14 @@
$HTML->ReplaceSeitenInhalt("%%link%%", $link); $HTML->ReplaceSeitenInhalt("%%link%%", $link);
} }
}
}
include 'app/OpenSim.php';
$opensim = new OpenSim();
$statement = $RUNTIME['PDO']->prepare("CREATE TABLE IF NOT EXISTS `InviteCodes` (`InviteCode` VARCHAR(64) NOT NULL, PRIMARY KEY (`InviteCode`))");
$statement->execute();
$table = '<table class="table"><thead><tr><th scope="col">Vorname</th><th scope="col">Nachname</th><th scope="col">Status</th><th scope="col">Aktionen</th></thead><tbody>%%ENTRY%%</tbody></table>'; $table = '<table class="table"><thead><tr><th scope="col">Vorname</th><th scope="col">Nachname</th><th scope="col">Status</th><th scope="col">Aktionen</th></thead><tbody>%%ENTRY%%</tbody></table>';
@ -49,7 +55,7 @@
while($row = $statement->fetch()) while($row = $statement->fetch())
{ {
$entry = '<tr><td>'.htmlspecialchars($row['FirstName']).'</td><td>'.htmlspecialchars($row['LastName']).'</td><td>'.htmlspecialchars($row['UserLevel']).'</td><td><a href="index.php?page=users&action=genpw&userid='.htmlspecialchars($row['PrincipalID']).'">PASSWORT ÄNDERN</a></td></tr>'; $entry = '<tr><td>'.htmlspecialchars($row['FirstName']).'</td><td>'.htmlspecialchars($row['LastName']).'</td><td>'.htmlspecialchars($row['UserLevel']).'</td><td><form action="index.php?page=users" method="post">%%CSRF%%<input type="hidden" name="userid" value="'.htmlspecialchars($row['PrincipalID']).'"><button type="submit" name="genpw" class="btn btn-link btn-sm">PASSWORT ÄNDERN</button></form></td></tr>';
$table = str_replace("%%ENTRY%%", $entry."%%ENTRY%%", $table); $table = str_replace("%%ENTRY%%", $entry."%%ENTRY%%", $table);
} }