<HTML><HEAD>
<TITLE>User Manager</TITLE>
<LINK rel="stylesheet" href="style.css" type="text/css">
</HEAD><BODY bgcolor="#cccc99" background="../images/BG-shadowleft.gif">
<?php
$debug=0; ## set to 1 to echo every posted key/value and the switch path taken below
/*
* Session Management for PHP
*
* Copyright (c) 1998,1999 Jan Legenhausen, Kristian Koehntopp
*
* $Id: new_user.php3,v 1.10 1999/10/14 10:38:21 kk Exp $
*
* NOTE: This script requires that you have set up your PHPLIB
* with working Auth and Perm subclasses and that your
* $perm->permissions array includes a permission named
* "admin". If you are using the example, this will
* be the case.
*
* This script is capable of editing the user database. It requires
* an authenticated user. If the user has admin privilege, he can
* edit all users. If the user has less privilege, he can view all
* users, but not the passwords, and can only change his own password.
*
* The script generates forms that submit values back to the script.
* Consequently the script below has three parts:
*
* 1. A section where utility functions are defined.
* 2. A section that is called only after the submit.
* 3. And a final section that is called when the script runs first time and
* every time after the submit.
*
* Scripts organized in this way will allow the user perpetual
* editing and they will reflect submitted changes immediately
* after a form submission.
*
* We consider this to be the standard organization of table editor
* scripts.
*
*/
## Both includes are expected to provide the PHPLIB objects used below
## ($sess, $auth, $perm) plus check_view_perms()/check_edit_perms() and
## hash_auth(); none of them is defined in this file.
include('inc/checkperm.inc');
include('header.php');
## straight from the examples...
## Presumably copies the named request parameters into same-named global
## variables: $letter, $username, $password, $perms and $u_id are read
## further down as raw request input. Confirm in the includes above.
get_request_values("letter,username,password,perms,u_id");
## Set this to something, just something different...
## Only used as the uniqid() prefix when a new user_id is generated; it
## plays no part in how passwords are hashed.
$hash_secret = "Jabberwocky...";
###
### Utility functions
###
## Must succeed before anything is rendered; defined in the includes above.
check_view_perms();
## my_error($msg):
##
## Render an error box around $msg. The message is emitted as-is so
## callers may pass markup; any user-supplied text inside it must be
## escaped by the caller before it gets here.
function my_error($msg) {
    $rows = array(
        '<table border=0 bgcolor="#eeeeee" align="center" cellspacing=0 cellpadding=4 width=540>',
        '<tr>',
        '<td><font color=#FF2020>Error: ' . $msg . '</font></td>',
        '</tr>',
        '</table>',
        '<BR>',
    );
    print implode("\n", $rows) . "\n";
}
## my_msg($msg):
##
## Render a success box around $msg. Like my_error(), the message is
## printed unescaped so callers can pass markup; user-supplied parts
## must be escaped by the caller.
function my_msg($msg) {
    $box  = '<table border=0 bgcolor="#eeeeee" align="center" cellspacing=0 cellpadding=4 width=540>' . "\n";
    $box .= "<tr>\n";
    $box .= '<td><font color=#008000>O.K.: ' . $msg . "</font></td>\n";
    $box .= "</tr>\n";
    $box .= "</table>\n";
    $box .= "<br>\n";
    echo $box;
}
?>
<style type="text/css">
<!--
body { font-family: Arial, Helvetica, sans-serif }
td { font-family: Arial, Helvetica, sans-serif }
th { font-family: Arial, Helvetica, sans-serif }
-->
</style>
<?php /* Page heading: admins get the full user manager, everyone else only a password form. */ $txt = $perm->have_perm("admin") ? "Web Access Administration" : "Change Password"; ?>
<p><font class=bigTextBold> <?=$txt?></font></p>
<?php
###
### Submit Handler
###
## Get a database connection
$db = new $_ENV["DatabaseClass"];
$QUERY_STRING="";
// Check if there was a submission
while (is_array($_POST)
&& list($key, $val) = each($_POST)) {
if($debug == 1) {
printf("key +$key+, val +$val+<br>");
}
check_edit_perms();
switch ($key) {
case "create": // Create a new user
if (!$perm->have_perm("admin")) { // Do we have permission to do so?
my_error("You do not have permission to create users.");
break;
}
if (empty($username) || empty($password)) { // Do we have all necessary data?
my_error("Please fill out <B>Username</B> and <B>Password</B>!");
break;
}
/* Does the user already exist?
NOTE: This should be a transaction, but it isn't... */
$db->query("select * from auth_user where username='$username'");
if ($db->nf()>0) {
my_error("User <B>$username</B> already exists!");
break;
}
// Create a uid and insert the user...
$u_id=md5(uniqid($hash_secret));
$password = hash_auth($username,$password);
$permlist = addslashes(implode($perms,","));
$query = "insert into auth_user values('$u_id','$username','$password','$permlist')";
$db->query($query);
if ($db->affected_rows() == 0) {
my_error("<b>Failed:</b> $query");
break;
}
my_msg("User \"$username\" created.<BR>");
break;
case "u_edit": // Change user parameters
if($debug == 1)
printf("u_edit, u_id +%s+<br>", $u_id);
if (!$perm->have_perm("admin")) { // user is not admin
if($auth->auth["uid"] == $u_id) { // user changes his own account
if($password) {
$password = hash_auth($username,$password);
$query = "update auth_user set password='$password' where user_id='$u_id'";
$db->query($query);
if ($db->affected_rows() == 0) {
my_error("<b>Failed:</b> $query");
break;
}
my_msg("Password of ". $auth->auth["uname"] ." changed.<BR>");
}
} else {
my_error("You do not have permission to change users.");
}
} else { // user is admin
if (empty($username)) { // Do we have all necessary data?
my_error("Please fill out <b>Username</b>!");
break;
}
// Update user information.
$permlist = addslashes(implode($perms,","));
if (!empty($password)) $passquery = "password='".hash_auth($username,$password)."',"; else $passquery="";
$query = "update auth_user set username='$username', $passquery perms='$permlist' where user_id='$u_id'";
$db->query($query);
if ($db->affected_rows() == 0) {
my_error("<b>Failed:</b> $query");
break;
}
my_msg("User \"$username\" changed.<br />");
}
break;
case "u_kill": // Do we have permission to do so?
if (!$perm->have_perm("admin")) {
my_error("You do not have permission to delete users.");
break;
}
// Delete that user.
$query = "delete from auth_user where user_id='$u_id' and username='$username'";
$db->query($query);
if ($db->affected_rows() == 0) {
my_error("<b>Failed:</b> $query");
break;
}
my_msg("User \"$username\" deleted.<br />");
break;
default:
if($debug == 1)
printf("default switch: u_id: .$u_id. <br>");
break;
}
}
/* Output user administration forms, including all updated
information, if we come here after a submission...
*/
?>
<table border=0 bgcolor="#eeeeee" align="center" cellspacing=2 cellpadding=4 width=540>
<tr valign=top align=left class=toplink>
<th>Username</th>
<th>Password</th>
<th>Group(s)</th>
<th align=right>Action</th>
</tr>
<?php
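if ($perm->have_perm("admin")):
?>
<!-- create a new user -->
<form method="post" action="<?php $sess->pself_url() ?>">
<tr valign=middle align=left>
<td><input type="text" name="username" size=12 maxlength=64 value=""></td>
<td><input type="text" name="password" size=12 maxlength=32 value=""></td>
<td><?php print $perm->perm_sel("perms","user");?></td>
<td align=right><input type="submit" name="create" value="Create User"></td>
</tr>
</form>
<?php
endif;
## $letter selects which usernames to list. It is request input; an empty
## value becomes "0", which only matches usernames beginning with a zero,
## so the admin listing starts out (almost) empty until a letter or "all"
## is picked from the index row.
if (!$letter) $letter="0";
## Traverse the result set
if ($perm->have_perm("admin")) {
    $QUERY_STRING="";
    ## Escape $letter before it is spliced into the LIKE pattern. addslashes()
    ## is the escaping this script already uses for the perms list; a
    ## driver-level quoting function would be preferable if the DB class has one.
    if ($letter!='all') $cond = "where username like '".addslashes($letter)."%'"; else $cond="";
    $db->query("select * from auth_user $cond order by username");
    ## Letter index a-z plus "all". The href is quoted and HTML-escaped so an
    ## "&" in the query part stays valid markup.
    echo "<tr><td align=center colspan=4><table><tr>\n";
    for ($l = 97 ; $l<=122; $l++) {
        $ch = chr($l);
        $href = htmlspecialchars($sess->self_url().$sess->add_query(array("letter"=>$ch)));
        echo "<td><a href=\"$href\">$ch</a></td>\n";
    }
    $href = htmlspecialchars($sess->self_url().$sess->add_query(array("letter"=>"all")));
    echo "<td><a href=\"$href\">all</a></td>\n";
    echo "</tr></table></td></tr>\n";
} else {
    ## Non-admins only ever see their own row.
    $db->query("select * from auth_user where username='".addslashes($auth->auth["uname"])."'");
}
while ($db->next_record()):
?>
<!-- existing user -->
<form method="post" action="<?php $sess->pself_url() ?>">
<tr valign=middle align=left>
<?php
## Column values are HTML-escaped on the way out: a stored username or perms
## string containing a quote or "<" must not break out of the attribute or
## cell. perm_sel() renders its own <select>; escaping inside it is its
## responsibility and is not checked here.
if ($perm->have_perm("admin")):
?>
<td><input type="text" name="username" size=12 maxlength=64 value="<?php print htmlspecialchars($db->f("username")) ?>"></td>
<td><input type="password" name="password" size=12 maxlength=32 value=""></td>
<td><?php print $perm->perm_sel("perms", $db->f("perms")) ?></td>
<td align=center> <input type="hidden" name="u_id" value="<?php print htmlspecialchars($db->f("user_id")) ?>">
<input type="submit" name="u_kill" value="Kill"> <input type="submit" name="u_edit" value="Change">
</td>
<?php
elseif (strtolower($auth->auth["uname"]) == strtolower($db->f("username"))):
?>
<td>
<?php print htmlspecialchars($db->f("username")) ?>
</td>
<td><input type="password" name="password" size=12 maxlength=32 value=""></td>
<td>
<?php print htmlspecialchars($db->f("perms")) ?>
</td>
<td align=right> <input type="hidden" name="u_id" value="<?php print htmlspecialchars($db->f("user_id")) ?>">
<input type="submit" name="u_edit" value="Change"> </td>
<?php
else:
    ## Rows of other users are not rendered for non-admins. The old code put
    ## them inside an HTML comment, but PHP tags inside an HTML comment still
    ## execute, so the values were sent to the browser regardless.
endif;
?>
</tr>
</form>
<?php
endwhile;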
?>
</table>
<br>
<?php
page_close(); ## PHPLIB: counterpart of the page_open() presumably done by header.php -- confirm there
?>
</body>
</html>