From d8055192991ac8504e48c137038879790c762d2d Mon Sep 17 00:00:00 2001
From: Camil Staps
Date: Tue, 26 Jul 2016 14:27:14 +0200
Subject: Adding and deleting users

---
 classes/user.php             |  19 +++++
 include/clients-overview.php |   2 +-
 include/settings.php         | 170 ++++++++++++++++++++++++++++++++++++-------
 include/users-new.php        |  42 +++++++++++
 index.php                    |  73 ++++++++++---------
 install/index.php            |   2 +-
 login-ajax.php               |   7 +-
 login.php                    |  11 +++
 8 files changed, 262 insertions(+), 64 deletions(-)
 create mode 100644 include/users-new.php
diff --git a/classes/user.php b/classes/user.php
index e50f773..750e8bb 100644
--- a/classes/user.php
+++ b/classes/user.php
@@ -33,6 +33,16 @@ class user {
 	 */
 	protected $pdo, $id, $username, $password;
 
+	/**
+	 * Generate a random password
+	 *
+	 * @return string The password
+	 */
+	public static function generateRandomPassword() {
+		return preg_replace('/[^\w]/', '',
+			base64_encode(bin2hex(openssl_random_pseudo_bytes(4))));
+	}
+
 	/**
 	 * Hash a password
 	 *
@@ -140,6 +150,15 @@ class user {
 	// Other functions
 	//------------------------------------------------------------------------------
 
+	/**
+	 * Check if a user has administrator rights
+	 *
+	 * @return bool                     True iff the user has administrator rights
+	 */
+	public function isAdmin() {
+		return $this->getId() == 1;
+	}
+
 	/**
 	 * Verify a password
 	 *
diff --git a/include/clients-overview.php b/include/clients-overview.php
index 7ce45a6..fc2c3a0 100644
--- a/include/clients-overview.php
+++ b/include/clients-overview.php
@@ -70,7 +70,7 @@ require_once('./login.php');
                 <div class="form-group">
                     <label>Name:</label>
                     <input 
-                        type="text" name="name" class="form-control" placeholder="Title" 
+                        type="text" name="name" class="form-control" placeholder="Name"
                         data-bv-notempty="true" data-bv-notempty-message="You have to provide a name"/>
                 </div>
                 <button type="submit" class="btn btn-default">Go</button>
diff --git a/include/settings.php b/include/settings.php
index 7dfbbc3..896152c 100644
--- a/include/settings.php
+++ b/include/settings.php
@@ -35,43 +35,163 @@ require('./header.php');
 			<!-- /.col-lg-12 -->
 		</div>
 
+		<?php
+		if (isset($_GET['delete_user']) && $_user->isAdmin()) {
+			try {
+				$user = new user($_pdo, $_GET['delete_user']);
+				if ($user->delete()) {
+					echo "<div class='alert alert-success alert-dismissable'><button type='button' class='close fa fa-times' data-dismiss='alert' aria-hidden='true'></button>The user with username <i>{$user->getUsername()}</i> has been removed.</div>";
+				} else {
+					echo "<div class='alert alert-danger alert-dismissable'><button type='button' class='close fa fa-times' data-dismiss='alert' aria-hidden='true'></button>The user with username <i>{$user->getUsername()}</i> could not be removed.</div>";
+				}
+			} catch (PDOException $e) {
+				echo "<div class='alert alert-danger alert-dismissable'><button type='button' class='close fa fa-times' data-dismiss='alert' aria-hidden='true'></button>The user with username <i>{$user->getUsername()}</i> could not be removed due to a PDO error.</div>";
+			} catch (Exception $e) {
+				echo "<div class='alert alert-danger alert-dismissable'><button type='button' class='close fa fa-times' data-dismiss='alert' aria-hidden='true'></button>The user with id {$_GET['delete_user']} could not be found.</div>";
+			}
+		}
+		?>
+
 		<div class="row">
 			<div class="col-md-4">
 				<div class="panel panel-default">
 					<div class="panel-heading">Password</div>
-						<div class="panel-body">
-							<?php
-							if (isset($_POST['password_update'])) {
-								if ($_POST['password_update'] != $_POST['password_update2']) {
-									echo '<div class="alert alert-danger">The passwords don\'t match.</div>';
-								} else if (!$_user->verifyPassword($_POST['password_current'])) {
-									echo '<div class="alert alert-danger">The current password was incorrect.</div>';
-								} else {
-									try {
-										$_user->setPassword($_POST['password_update']);
-										echo '<div class="alert alert-success">Password successfully changed.</div>';
-									} catch (PDOException $e) {
-										echo '<div class="alert alert-danger">An unknown error occurred.</div>';
-									}
+					<div class="panel-body">
+						<?php
+						if (isset($_POST['password_update'])) {
+							if ($_POST['password_update'] != $_POST['password_update2']) {
+								echo '<div class="alert alert-danger">The passwords don\'t match.</div>';
+							} else if (!$_user->verifyPassword($_POST['password_current'])) {
+								echo '<div class="alert alert-danger">The current password was incorrect.</div>';
+							} else {
+								try {
+									$_user->setPassword($_POST['password_update']);
+									echo '<div class="alert alert-success">Password successfully changed.</div>';
+								} catch (PDOException $e) {
+									echo '<div class="alert alert-danger">An unknown error occurred.</div>';
 								}
 							}
-							?>
-							<form action="" method="post">
-								<div class="form-group">
-									<input class="form-control" type="password" name="password_current" placeholder="Current password"/>
-								</div>
-								<div class="form-group">
-									<input class="form-control" type="password" name="password_update" placeholder="New password"/>
-								</div>
+						}
+						?>
+						<form action="" method="post">
+							<div class="form-group">
+								<input class="form-control" type="password" name="password_current" id="password-current" placeholder="Current password"/>
+							</div>
+							<div class="form-group">
+								<input class="form-control" type="password" name="password_update" placeholder="New password"/>
+							</div>
+							<div class="form-group">
+								<input class="form-control" type="password" name="password_update2" placeholder="New password (verification)"/>
+							</div>
+							<input class="btn btn-primary" type="submit" value="Change password"/>
+						</form>
+					</div>
+				</div>
+			</div>
+
+			<div class="col-md-4">
+				<div class="panel panel-default">
+					<div class="panel-heading">Users</div>
+					<div class="panel-body table-responsive">
+						<table class="table table-bordered table-striped mixitup dataTable" id="overview-clients">
+							<thead>
+								<tr>
+									<th class="mixitup-sort sorting" data-sort="mixerOrderId:desc">#</th>
+									<th class="mixitup-sort sorting" data-sort="mixerOrderUsername:desc">Username</th>
+									<?php if ($_user->isAdmin()) echo '<th>Tools</th>'; ?>
+								</tr>
+							</thead>
+							<tbody>
+								<?php
+								$users = BusinessAdmin::getUsers($_pdo);
+								foreach ($users as $user) {
+									echo "<tr class='mix'
+												data-mixer-order-id='{$user->getId()}'
+												data-mixer-order-username='{$user->getUsername()}'>
+											<td class='col-min-width'>{$user->getId()}</td>
+											<td class='col-max-width'>{$user->getUsername()}</td>";
+									if ($_user->isAdmin()) {
+										if ($user->getId() == $_user->getId()) {
+											echo "<td class='col-min-width'>
+													<a title='Change password' href='#' onclick='$(\"#password-current\").focus();' class='btn btn-warning btn-circle fa fa-key'></a>
+												</td>";
+										} else {
+											echo "<td class='col-min-width'>
+													<a title='Delete' href='?delete_user={$user->getId()}' class='btn btn-danger btn-circle fa fa-times'></a>
+												</td>";
+										}
+									}
+									echo "</tr>";
+								}
+								?>
+							</tbody>
+						</table>
+					</div>
+				</div>
+			</div>
+
+			<?php if ($_user->isAdmin()) : ?>
+				<div class="col-md-4">
+					<div class="panel panel-default">
+						<div class="panel-heading">Create new</div>
+						<div class="panel-body">
+							<form role="form" id="newUser" action='<?=constants::url_external?>users/new' method="post" class="bootstrapValidator ajaxify"
+								data-ajaxify-options='{"success":"newUserSuccess","error":"newUserError","beforeSubmit":"newUserBeforeSubmit","clearForm":true}'>
+								<div class="ajaxify-response alert alert-dismissable"><button type="button" class="close" data-dismiss="alert" aria-hidden="true">×</button><span class="ajaxify-response-text"></span></div>
 								<div class="form-group">
-									<input class="form-control" type="password" name="password_update2" placeholder="New password (verification)"/>
+									<label>Username:</label>
+									<input
+										type="text" name="username" class="form-control" placeholder="Username"
+										data-bv-notempty="true" data-bv-notempty-message="You have to provide a username"/>
 								</div>
-								<input class="btn btn-primary" type="submit" value="Change password"/>
+								<button type="submit" class="btn btn-default">Go</button>
 							</form>
+							<script type="text/javascript">
+							// Callback for before the form is submitted
+							function newUserBeforeSubmit() {
+								$('#newUser input').prop('disabled', true);
+								$('#newUser .ajaxify-response').hide().removeClass('alert-success alert-danger').find('.ajaxify-response-text').html('');
+							}
+
+							// Callback for when the form is successfully submitted
+							function newUserSuccess(data) {
+								if (data.success == true) {
+									$('#newUser .ajaxify-response')
+										.addClass('alert-success')
+										.show()
+										.find('.ajaxify-response-text')
+											.html(data.message);
+
+									$('#newUser input, #newUser button').prop('disabled', false);
+									$('#newUser').data('bootstrapValidator').resetForm();
+								} else {
+									$('#newUser .ajaxify-response')
+										.addClass('alert-danger')
+										.show()
+										.find('.ajaxify-response-text')
+											.html(data.message);
+
+									$('#newUser input, #newUser button').prop('disabled', false);
+									$('#newUser').data('bootstrapValidator').resetForm();
+								}
+							}
+
+							// Callback for when form submission encountered an error
+							function newUserError() {
+								$('#newUser .ajaxify-response')
+									.addClass('alert-danger')
+									.show()
+									.find('.ajaxify-response-text')
+										.html('An unknown error occurred. Please contact support.');
+
+								$('#newUser input, #newUser button').prop('disabled', false);
+									$('#newUser').data('bootstrapValidator').resetForm();
+							}
+							</script>
 						</div>
 					</div>
 				</div>
-			</div>
+			<?php endif; ?>
 		</div>
 		<!-- /.row -->
 	</div>
diff --git a/include/users-new.php b/include/users-new.php
new file mode 100644
index 0000000..5d86a83
--- /dev/null
+++ b/include/users-new.php
@@ -0,0 +1,42 @@
+<?php
+/**
+ * BusinessAdmin: administrative software for small companies
+ * Copyright (C) 2015 Camil Staps (ViviSoft)
+ * 
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ * 
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ * 
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+define('REQUIRE_ADMIN', true);
+
+require_once('./conf.php');
+require_once('./login-ajax.php');
+
+$response = new response();
+
+try {
+	$pass = user::generateRandomPassword();
+	$user = BusinessAdmin::createUser($_pdo, $_REQUEST['username'], $pass);
+
+	if ($user === false) {
+		$response->success = false;
+		$response->message = "The user could not be created due to an error.";
+	} else {
+		$response->success = true;
+		$response->message = "User <i>'{$user->getUsername()}'</i> has been created with password <code>$pass</code>. <a class='alert-link' href='javascript:location.reload(true);'>Refresh the page</a>.";
+	}
+} catch (PDOException $e) {
+	$response->success = false;
+	$response->message = "The user could not be created due to a PDO error ({$e->getMessage()}).";
+}
+echo $response->getJson();
diff --git a/index.php b/index.php
index 3c8d842..a689f7e 100644
--- a/index.php
+++ b/index.php
@@ -1,31 +1,31 @@
 <?php
 /**
  * Landing page
- * 
+ *
  * This handles basically all requests. Every request not to an existing file path, should be redirected here.
  * This file checks basic configuration and includes the required page, based on the REQUEST_URI.
- * 
+ *
  * @author Camil Staps
  *
  * BusinessAdmin: administrative software for small companies
  * Copyright (C) 2015 Camil Staps (ViviSoft)
- * 
+ *
  * This program is free software: you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
  * the Free Software Foundation, either version 3 of the License, or
  * (at your option) any later version.
- * 
+ *
  * This program is distributed in the hope that it will be useful,
  * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.	See the
  * GNU General Public License for more details.
- * 
+ *
  * You should have received a copy of the GNU General Public License
- * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ * along with this program.	If not, see <http://www.gnu.org/licenses/>.
  */
 
-/** 
- * Load the basic configuration (sessions, database, class autoloading, etc.) 
+/**
+ * Load the basic configuration (sessions, database, class autoloading, etc.)
  */
 require_once('./conf.php');
 
@@ -36,38 +36,39 @@ $_request = str_replace(constants::url_internal, '', $_request);
 // This is the REQUEST_URI switch
 // The default shows a 404 page
 $pages = array(
-  '/' => './include/home.php',
-  '/clients' => './include/clients.php',
-  '/clients/new' => './include/clients-new.php',
-  '/clients/edit' => './include/clients-edit.php',
-  '/contacts' => './include/contacts.php',
-  '/contacts/new' => './include/contacts-new.php',
-  '/contacts/edit' => './include/contacts-edit.php',
-  '/offers' => './include/offers.php',
-  '/offers/new' => './include/offers-new.php',
-  '/offers/edit' => './include/offers-edit.php',
-  '/assignments' => './include/assignments.php',
-  '/assignments/new' => './include/assignments-new.php',
-  '/assignments/edit' => './include/assignments-edit.php',
-  '/discounts' => './include/discounts.php',
-  '/discounts/new' => './include/discounts-new.php',
-  '/discounts/edit' => './include/discounts-edit.php',
-  '/about' => './include/about.php',
-  '/settings' => './include/settings.php',
-  '/ajax/collapse' => './include/ajax-collapse.php'
+	'/' => './include/home.php',
+	'/clients' => './include/clients.php',
+	'/clients/new' => './include/clients-new.php',
+	'/clients/edit' => './include/clients-edit.php',
+	'/contacts' => './include/contacts.php',
+	'/contacts/new' => './include/contacts-new.php',
+	'/contacts/edit' => './include/contacts-edit.php',
+	'/offers' => './include/offers.php',
+	'/offers/new' => './include/offers-new.php',
+	'/offers/edit' => './include/offers-edit.php',
+	'/assignments' => './include/assignments.php',
+	'/assignments/new' => './include/assignments-new.php',
+	'/assignments/edit' => './include/assignments-edit.php',
+	'/discounts' => './include/discounts.php',
+	'/discounts/new' => './include/discounts-new.php',
+	'/discounts/edit' => './include/discounts-edit.php',
+	'/about' => './include/about.php',
+	'/settings' => './include/settings.php',
+	'/users/new' => './include/users-new.php',
+	'/ajax/collapse' => './include/ajax-collapse.php'
 );
 
 $_page = null;
 foreach ($pages as $uri => $path) {
-  if ($_request == $uri && file_exists($path)) {
-    $_page = $uri;
-    require($path);
-    break;
-  }
+	if ($_request == $uri && file_exists($path)) {
+		$_page = $uri;
+		require($path);
+		break;
+	}
 }
 
 if ($_page === null) {
-  $_page = '/404';
-  http_response_code(404);
-  require('./include/404.php');
+	$_page = '/404';
+	http_response_code(404);
+	require('./include/404.php');
 }
diff --git a/install/index.php b/install/index.php
index 878fe38..213eec7 100644
--- a/install/index.php
+++ b/install/index.php
@@ -131,7 +131,7 @@ if (isset($_GET['create_folders'])) {
 if (isset($_GET['create_user'])) {
 	$username = 'admin';
 	try {
-		$password = bin2hex(openssl_random_pseudo_bytes(8));
+		$password = user::generateRandomPassword();
 		$user = BusinessAdmin::createUser($_pdo, $username, $password);
 		if ($user !== false) {
 			echo "Created user '$username' ({$user->getId()}) with password '$password'.";
diff --git a/login-ajax.php b/login-ajax.php
index f8e1424..beb2f66 100644
--- a/login-ajax.php
+++ b/login-ajax.php
@@ -30,8 +30,13 @@
 require_once('./conf.php');
 
 if (!isset($_SESSION['login']) || $_SESSION['login'] === false) {
-	print(json_encode(['error' => 'You need to be logged in.']));
+	print(json_encode(['success' => false, 'message' => 'You need to be logged in.']));
 	die();
 }
 
 $_user = new user($_pdo, $_SESSION['login']);
+
+if (defined('REQUIRE_ADMIN') && REQUIRE_ADMIN && !$_user->isAdmin()) {
+	print(json_encode(['success' => false, 'message' => 'You need to be an administrator.']));
+	die();
+}
diff --git a/login.php b/login.php
index e60b7ed..d21fe79 100644
--- a/login.php
+++ b/login.php
@@ -87,3 +87,14 @@ if (!isset($_SESSION['login']) || $_SESSION['login'] === false) {
 }
 
 $_user = new user($_pdo, $_SESSION['login']);
+
+if (defined('REQUIRE_ADMIN') && REQUIRE_ADMIN && !$_user->isAdmin()) {
+	include('./header.php');
+	include('./nav.php');
+	?>
+	<h1>Access denied</h1>
+	<p class="lead">You need to be an administrator to access this page.</p>
+	<?php
+	include('./footer.php');
+	die();
+}
-- 
cgit v1.2.3

