diff options
| author | Camil Staps | 2016-07-26 14:27:14 +0200 |
|---|---|---|
| committer | Camil Staps | 2016-07-26 14:27:14 +0200 |
| commit | d8055192991ac8504e48c137038879790c762d2d (patch) | |
| tree | 0738603efca98c26d6d04cbd091898d4b6e9a34d | |
| parent | Option to add first user during installation (diff) | |
Adding and deleting users
| -rw-r--r-- | classes/user.php | 19 | ||||
| -rw-r--r-- | include/clients-overview.php | 2 | ||||
| -rw-r--r-- | include/settings.php | 170 | ||||
| -rw-r--r-- | include/users-new.php | 42 | ||||
| -rw-r--r-- | index.php | 73 | ||||
| -rw-r--r-- | install/index.php | 2 | ||||
| -rw-r--r-- | login-ajax.php | 7 | ||||
| -rw-r--r-- | login.php | 11 |
8 files changed, 262 insertions, 64 deletions
diff --git a/classes/user.php b/classes/user.php index e50f773..750e8bb 100644 --- a/classes/user.php +++ b/classes/user.php @@ -34,6 +34,16 @@ class user { protected $pdo, $id, $username, $password; /** + * Generate a random password + * + * @return string The password + */ + public static function generateRandomPassword() { + return preg_replace('/[^\w]/', '', + base64_encode(bin2hex(openssl_random_pseudo_bytes(4)))); + } + + /** * Hash a password * * @param string $password The password to be hashed @@ -141,6 +151,15 @@ class user { //------------------------------------------------------------------------------ /** + * Check if a user has administrator rights + * + * @return bool True iff the user has administrator rights + */ + public function isAdmin() { + return $this->getId() == 1; + } + + /** * Verify a password * * @param string $password The password to verify diff --git a/include/clients-overview.php b/include/clients-overview.php index 7ce45a6..fc2c3a0 100644 --- a/include/clients-overview.php +++ b/include/clients-overview.php @@ -70,7 +70,7 @@ require_once('./login.php'); <div class="form-group"> <label>Name:</label> <input - type="text" name="name" class="form-control" placeholder="Title" + type="text" name="name" class="form-control" placeholder="Name" data-bv-notempty="true" data-bv-notempty-message="You have to provide a name"/> </div> <button type="submit" class="btn btn-default">Go</button> diff --git a/include/settings.php b/include/settings.php index 7dfbbc3..896152c 100644 --- a/include/settings.php +++ b/include/settings.php @@ -35,43 +35,163 @@ require('./header.php'); <!-- /.col-lg-12 --> </div> + <?php + if (isset($_GET['delete_user']) && $_user->isAdmin()) { + try { + $user = new user($_pdo, $_GET['delete_user']); + if ($user->delete()) { + echo "<div class='alert alert-success alert-dismissable'><button type='button' class='close fa fa-times' data-dismiss='alert' aria-hidden='true'></button>The user with username <i>{$user->getUsername()}</i> has been removed.</div>"; + } else { + echo "<div class='alert alert-danger alert-dismissable'><button type='button' class='close fa fa-times' data-dismiss='alert' aria-hidden='true'></button>The user with username <i>{$user->getUsername()}</i> could not be removed.</div>"; + } + } catch (PDOException $e) { + echo "<div class='alert alert-danger alert-dismissable'><button type='button' class='close fa fa-times' data-dismiss='alert' aria-hidden='true'></button>The user with username <i>{$user->getUsername()}</i> could not be removed due to a PDO error.</div>"; + } catch (Exception $e) { + echo "<div class='alert alert-danger alert-dismissable'><button type='button' class='close fa fa-times' data-dismiss='alert' aria-hidden='true'></button>The user with id {$_GET['delete_user']} could not be found.</div>"; + } + } + ?> + <div class="row"> <div class="col-md-4"> <div class="panel panel-default"> <div class="panel-heading">Password</div> - <div class="panel-body"> - <?php - if (isset($_POST['password_update'])) { - if ($_POST['password_update'] != $_POST['password_update2']) { - echo '<div class="alert alert-danger">The passwords don\'t match.</div>'; - } else if (!$_user->verifyPassword($_POST['password_current'])) { - echo '<div class="alert alert-danger">The current password was incorrect.</div>'; - } else { - try { - $_user->setPassword($_POST['password_update']); - echo '<div class="alert alert-success">Password successfully changed.</div>'; - } catch (PDOException $e) { - echo '<div class="alert alert-danger">An unknown error occurred.</div>'; - } + <div class="panel-body"> + <?php + if (isset($_POST['password_update'])) { + if ($_POST['password_update'] != $_POST['password_update2']) { + echo '<div class="alert alert-danger">The passwords don\'t match.</div>'; + } else if (!$_user->verifyPassword($_POST['password_current'])) { + echo '<div class="alert alert-danger">The current password was incorrect.</div>'; + } else { + try { + $_user->setPassword($_POST['password_update']); + echo '<div class="alert alert-success">Password successfully changed.</div>'; + } catch (PDOException $e) { + echo '<div class="alert alert-danger">An unknown error occurred.</div>'; } } - ?> - <form action="" method="post"> - <div class="form-group"> - <input class="form-control" type="password" name="password_current" placeholder="Current password"/> - </div> - <div class="form-group"> - <input class="form-control" type="password" name="password_update" placeholder="New password"/> - </div> + } + ?> + <form action="" method="post"> + <div class="form-group"> + <input class="form-control" type="password" name="password_current" id="password-current" placeholder="Current password"/> + </div> + <div class="form-group"> + <input class="form-control" type="password" name="password_update" placeholder="New password"/> + </div> + <div class="form-group"> + <input class="form-control" type="password" name="password_update2" placeholder="New password (verification)"/> + </div> + <input class="btn btn-primary" type="submit" value="Change password"/> + </form> + </div> + </div> + </div> + + <div class="col-md-4"> + <div class="panel panel-default"> + <div class="panel-heading">Users</div> + <div class="panel-body table-responsive"> + <table class="table table-bordered table-striped mixitup dataTable" id="overview-clients"> + <thead> + <tr> + <th class="mixitup-sort sorting" data-sort="mixerOrderId:desc">#</th> + <th class="mixitup-sort sorting" data-sort="mixerOrderUsername:desc">Username</th> + <?php if ($_user->isAdmin()) echo '<th>Tools</th>'; ?> + </tr> + </thead> + <tbody> + <?php + $users = BusinessAdmin::getUsers($_pdo); + foreach ($users as $user) { + echo "<tr class='mix' + data-mixer-order-id='{$user->getId()}' + data-mixer-order-username='{$user->getUsername()}'> + <td class='col-min-width'>{$user->getId()}</td> + <td class='col-max-width'>{$user->getUsername()}</td>"; + if ($_user->isAdmin()) { + if ($user->getId() == $_user->getId()) { + echo "<td class='col-min-width'> + <a title='Change password' href='#' onclick='$(\"#password-current\").focus();' class='btn btn-warning btn-circle fa fa-key'></a> + </td>"; + } else { + echo "<td class='col-min-width'> + <a title='Delete' href='?delete_user={$user->getId()}' class='btn btn-danger btn-circle fa fa-times'></a> + </td>"; + } + } + echo "</tr>"; + } + ?> + </tbody> + </table> + </div> + </div> + </div> + + <?php if ($_user->isAdmin()) : ?> + <div class="col-md-4"> + <div class="panel panel-default"> + <div class="panel-heading">Create new</div> + <div class="panel-body"> + <form role="form" id="newUser" action='<?=constants::url_external?>users/new' method="post" class="bootstrapValidator ajaxify" + data-ajaxify-options='{"success":"newUserSuccess","error":"newUserError","beforeSubmit":"newUserBeforeSubmit","clearForm":true}'> + <div class="ajaxify-response alert alert-dismissable"><button type="button" class="close" data-dismiss="alert" aria-hidden="true">×</button><span class="ajaxify-response-text"></span></div> <div class="form-group"> - <input class="form-control" type="password" name="password_update2" placeholder="New password (verification)"/> + <label>Username:</label> + <input + type="text" name="username" class="form-control" placeholder="Username" + data-bv-notempty="true" data-bv-notempty-message="You have to provide a username"/> </div> - <input class="btn btn-primary" type="submit" value="Change password"/> + <button type="submit" class="btn btn-default">Go</button> </form> + <script type="text/javascript"> + // Callback for before the form is submitted + function newUserBeforeSubmit() { + $('#newUser input').prop('disabled', true); + $('#newUser .ajaxify-response').hide().removeClass('alert-success alert-danger').find('.ajaxify-response-text').html(''); + } + + // Callback for when the form is successfully submitted + function newUserSuccess(data) { + if (data.success == true) { + $('#newUser .ajaxify-response') + .addClass('alert-success') + .show() + .find('.ajaxify-response-text') + .html(data.message); + + $('#newUser input, #newUser button').prop('disabled', false); + $('#newUser').data('bootstrapValidator').resetForm(); + } else { + $('#newUser .ajaxify-response') + .addClass('alert-danger') + .show() + .find('.ajaxify-response-text') + .html(data.message); + + $('#newUser input, #newUser button').prop('disabled', false); + $('#newUser').data('bootstrapValidator').resetForm(); + } + } + + // Callback for when form submission encountered an error + function newUserError() { + $('#newUser .ajaxify-response') + .addClass('alert-danger') + .show() + .find('.ajaxify-response-text') + .html('An unknown error occurred. Please contact support.'); + + $('#newUser input, #newUser button').prop('disabled', false); + $('#newUser').data('bootstrapValidator').resetForm(); + } + </script> </div> </div> </div> - </div> + <?php endif; ?> </div> <!-- /.row --> </div> diff --git a/include/users-new.php b/include/users-new.php new file mode 100644 index 0000000..5d86a83 --- /dev/null +++ b/include/users-new.php @@ -0,0 +1,42 @@ +<?php +/** + * BusinessAdmin: administrative software for small companies + * Copyright (C) 2015 Camil Staps (ViviSoft) + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + */ + +define('REQUIRE_ADMIN', true); + +require_once('./conf.php'); +require_once('./login-ajax.php'); + +$response = new response(); + +try { + $pass = user::generateRandomPassword(); + $user = BusinessAdmin::createUser($_pdo, $_REQUEST['username'], $pass); + + if ($user === false) { + $response->success = false; + $response->message = "The user could not be created due to an error."; + } else { + $response->success = true; + $response->message = "User <i>'{$user->getUsername()}'</i> has been created with password <code>$pass</code>. <a class='alert-link' href='javascript:location.reload(true);'>Refresh the page</a>."; + } +} catch (PDOException $e) { + $response->success = false; + $response->message = "The user could not be created due to a PDO error ({$e->getMessage()})."; +} +echo $response->getJson(); @@ -1,31 +1,31 @@ <?php /** * Landing page - * + * * This handles basically all requests. Every request not to an existing file path, should be redirected here. * This file checks basic configuration and includes the required page, based on the REQUEST_URI. - * + * * @author Camil Staps * * BusinessAdmin: administrative software for small companies * Copyright (C) 2015 Camil Staps (ViviSoft) - * + * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. - * + * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. - * + * * You should have received a copy of the GNU General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. + * along with this program. If not, see <http://www.gnu.org/licenses/>. */ -/** - * Load the basic configuration (sessions, database, class autoloading, etc.) +/** + * Load the basic configuration (sessions, database, class autoloading, etc.) */ require_once('./conf.php'); @@ -36,38 +36,39 @@ $_request = str_replace(constants::url_internal, '', $_request); // This is the REQUEST_URI switch // The default shows a 404 page $pages = array( - '/' => './include/home.php', - '/clients' => './include/clients.php', - '/clients/new' => './include/clients-new.php', - '/clients/edit' => './include/clients-edit.php', - '/contacts' => './include/contacts.php', - '/contacts/new' => './include/contacts-new.php', - '/contacts/edit' => './include/contacts-edit.php', - '/offers' => './include/offers.php', - '/offers/new' => './include/offers-new.php', - '/offers/edit' => './include/offers-edit.php', - '/assignments' => './include/assignments.php', - '/assignments/new' => './include/assignments-new.php', - '/assignments/edit' => './include/assignments-edit.php', - '/discounts' => './include/discounts.php', - '/discounts/new' => './include/discounts-new.php', - '/discounts/edit' => './include/discounts-edit.php', - '/about' => './include/about.php', - '/settings' => './include/settings.php', - '/ajax/collapse' => './include/ajax-collapse.php' + '/' => './include/home.php', + '/clients' => './include/clients.php', + '/clients/new' => './include/clients-new.php', + '/clients/edit' => './include/clients-edit.php', + '/contacts' => './include/contacts.php', + '/contacts/new' => './include/contacts-new.php', + '/contacts/edit' => './include/contacts-edit.php', + '/offers' => './include/offers.php', + '/offers/new' => './include/offers-new.php', + '/offers/edit' => './include/offers-edit.php', + '/assignments' => './include/assignments.php', + '/assignments/new' => './include/assignments-new.php', + '/assignments/edit' => './include/assignments-edit.php', + '/discounts' => './include/discounts.php', + '/discounts/new' => './include/discounts-new.php', + '/discounts/edit' => './include/discounts-edit.php', + '/about' => './include/about.php', + '/settings' => './include/settings.php', + '/users/new' => './include/users-new.php', + '/ajax/collapse' => './include/ajax-collapse.php' ); $_page = null; foreach ($pages as $uri => $path) { - if ($_request == $uri && file_exists($path)) { - $_page = $uri; - require($path); - break; - } + if ($_request == $uri && file_exists($path)) { + $_page = $uri; + require($path); + break; + } } if ($_page === null) { - $_page = '/404'; - http_response_code(404); - require('./include/404.php'); + $_page = '/404'; + http_response_code(404); + require('./include/404.php'); } diff --git a/install/index.php b/install/index.php index 878fe38..213eec7 100644 --- a/install/index.php +++ b/install/index.php @@ -131,7 +131,7 @@ if (isset($_GET['create_folders'])) { if (isset($_GET['create_user'])) { $username = 'admin'; try { - $password = bin2hex(openssl_random_pseudo_bytes(8)); + $password = user::generateRandomPassword(); $user = BusinessAdmin::createUser($_pdo, $username, $password); if ($user !== false) { echo "Created user '$username' ({$user->getId()}) with password '$password'."; diff --git a/login-ajax.php b/login-ajax.php index f8e1424..beb2f66 100644 --- a/login-ajax.php +++ b/login-ajax.php @@ -30,8 +30,13 @@ require_once('./conf.php'); if (!isset($_SESSION['login']) || $_SESSION['login'] === false) { - print(json_encode(['error' => 'You need to be logged in.'])); + print(json_encode(['success' => false, 'message' => 'You need to be logged in.'])); die(); } $_user = new user($_pdo, $_SESSION['login']); + +if (defined('REQUIRE_ADMIN') && REQUIRE_ADMIN && !$_user->isAdmin()) { + print(json_encode(['success' => false, 'message' => 'You need to be an administrator.'])); + die(); +} @@ -87,3 +87,14 @@ if (!isset($_SESSION['login']) || $_SESSION['login'] === false) { } $_user = new user($_pdo, $_SESSION['login']); + +if (defined('REQUIRE_ADMIN') && REQUIRE_ADMIN && !$_user->isAdmin()) { + include('./header.php'); + include('./nav.php'); + ?> + <h1>Access denied</h1> + <p class="lead">You need to be an administrator to access this page.</p> + <?php + include('./footer.php'); + die(); +} |