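add('Access denied!'); $action = ACT_ERR_DENIED; }

// Record id, accepted from GET or POST. A missing or non-numeric value
// yields 0. The original `$id = (int) ... or $id = 0;` relied on the low
// precedence of `or` and produced exactly the same result.
if (isset($_REQUEST['id'])) {
    $id = (int) $_REQUEST['id'];
}

/**
 * Generate a random alphanumeric password.
 *
 * Draws every character from random_int(), a CSPRNG. The previous version
 * seeded mt_rand() from microtime(), whose output is predictable for anyone
 * able to estimate the request time — unacceptable for a reset credential.
 *
 * @param int $length Number of characters to generate.
 * @return string Password made of [A-Za-z0-9] characters.
 * @throws \Exception If no secure randomness source is available.
 */
function makepwd(int $length): string
{
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
    $maxIndex = strlen($alphabet) - 1;
    $passwd = '';
    for ($i = 0; $i < $length; $i++) {
        $passwd .= $alphabet[random_int(0, $maxIndex)];
    }

    return $passwd;
}

// ========== ACTIONS START ===================================================
// NOTE(review): the state-changing cases below (pass, insert, update, delete)
// do not verify a CSRF token in this file, and $id is also read from
// $_REQUEST (GET). Confirm form_get_action() or the enclosing auth layer
// enforces a token and the request method.
switch ($submit = form_get_action()) {
    case null:
        break;

    case 'add':
        $action = ACT_ADD;
        break;

    case 'view':
        $action = ACT_VIEW;
        break;

    case 'edit':
        $action = ACT_EDIT;
        break;

    case 'del':
        $action = ACT_DELETE;
        break;

    case 'pass':
        // Create a new random password and display it once.
        $newpass = makepwd(8);
        $sth = $dbh->prepare('UPDATE user SET user_pass=:pass WHERE user_id=:id');
        $sth->bindValue(':id', $id, PDO::PARAM_INT);
        $sth->bindValue(':pass', password_hash($newpass, PASSWORD_BCRYPT), PDO::PARAM_STR);
        try {
            $sth->execute();
        } catch (PDOException $e) {
            $g_warning->Add($e->getMessage());
        }
        $smarty->assign('newpass', $newpass);
        $action = ACT_VIEW;
        break;

    case 'insert':
        $user_name = strtolower(sanitize($_POST['user_name']));
        $user_displayname = sanitize($_POST['user_displayname']);
        // Hash with bcrypt, as the 'pass' case already does. This case used
        // md5(), so a freshly created account and a reset one stored
        // different hash formats.
        // NOTE(review): sanitize() is kept on the password because the login
        // path presumably applies the same transform — confirm before removing.
        $user_password = password_hash(sanitize($_POST['user_password']), PASSWORD_BCRYPT);

        // Refuse duplicate user names. fetchColumn() may return a string,
        // hence the cast before the strict comparison.
        $sth = $dbh->prepare('SELECT COUNT(*) FROM user WHERE user_name=?');
        $sth->execute([$user_name]);
        if ((int) $sth->fetchColumn() === 0) {
            $sth = $dbh->prepare('INSERT INTO user (user_name, user_displayname, user_pass) VALUE (?, ?, ?)');
            $sth->execute([$user_name, $user_displayname, $user_password]);
            $id = (int) $dbh->lastInsertId();
            $action = ACT_VIEW;
        } else {
            $g_error->Add(_("Username already in use."));
            $action = ACT_ADD;
        }
        break;

    case 'update':
        // NOTE(review): unlike 'insert', the name is not lower-cased here;
        // confirm whether that asymmetry is intended.
        $user_name = sanitize($_POST['user_name']);
        $user_displayname = sanitize($_POST['user_displayname']);
        // NOTE(review): the realm is not checked against the list the edit
        // form offers ('local', 'ldap'); only the DB column constrains it.
        $user_realm = sanitize($_POST['user_realm']);

        // Role checkboxes: an unchecked box is simply absent from $_POST, so
        // test presence first instead of triggering an undefined-index warning.
        $roles = [];
        foreach (['add', 'edit', 'delete', 'manage', 'admin'] as $roleName) {
            $field = 'role_' . $roleName;
            if (isset($_POST[$field]) && sanitize($_POST[$field])) {
                $roles[] = $roleName;
            }
        }
        // Stored as a comma-separated set; NULL when no role is granted.
        $role = $roles === [] ? null : implode(',', $roles);

        $sth = $dbh->prepare('UPDATE user SET user_name=?, user_displayname=?, user_realm=?, user_role=? WHERE user_id=?');
        $sth->execute([$user_name, $user_displayname, $user_realm, $role, $id]);
        $action = ACT_VIEW;
        break;

    case 'delete':
        $sth = $dbh->prepare('DELETE FROM user WHERE user_id=?');
        $sth->execute([$id]);
        $g_message->Add(_("User deleted."));
        $action = ACT_DEFAULT;
        break;

    default:
        $g_error->Add(submit_error($submit));
        $valid = false;
}
// ========== ACTIONS END =====================================================

include("header.php");

if ($action == ACT_DEFAULT):
    // ========== VARIANT: default behavior =======================================
    $sql = 'SELECT user_id AS id, user_name AS name, user_displayname AS displayname, user_realm AS realm, user_role AS role FROM user ORDER BY user_name';
    $sth = $dbh->query($sql);
    $users = $sth->fetchAll(PDO::FETCH_ASSOC);
    // role: convert the comma-separated set to an array. The (string) cast
    // covers a NULL role (written by 'update' when no role is granted), which
    // explode() only accepts with a deprecation notice on PHP 8.1+.
    foreach ($users as $i => $row) {
        $users[$i]['role'] = explode(',', (string) $row['role']);
    }
    $smarty->assign("users", $users);
    $smarty->display("user.tpl");

elseif ($action == ACT_ADD):
    // ========== VARIANT: add record =============================================
    $realms = db_load_enum('user', 'user_realm');
    $smarty->assign("realm_ids", $realms);
    $smarty->assign("realm_names", $realms);
    $smarty->assign("realm_selected", $realms[0]);
    $smarty->display("useradd.tpl");

elseif ($action == ACT_VIEW):
    // ========== VARIANT: view single record =====================================
    $sql = 'SELECT user_id AS id, user_name AS name, user_displayname AS displayname, user_realm as realm, user_role AS role, user_flags AS flags FROM user WHERE user_id=?';
    $sth = $dbh->prepare($sql);
    $sth->execute([$id]);
    $user = $sth->fetch(PDO::FETCH_OBJ);
    if ($user === false) {
        // Unknown id (e.g. a stale link): fetch() returns false and the
        // property writes below would fail.
        $g_error->Add(_("User not found."));
    } else {
        $user->role = explode(',', (string) $user->role);
        $user->flags = explode(',', (string) $user->flags);
        $smarty->assign("user", $user);
        $smarty->display("userview.tpl");
    }

elseif ($action == ACT_EDIT):
    // ========== VARIANT: edit single record =====================================
    $sql = 'SELECT user_id AS id, user_name AS name, user_displayname AS displayname, user_realm AS realm, user_role AS role, user_flags AS flags FROM user WHERE user_id=?';
    $sth = $dbh->prepare($sql);
    $sth->execute([$id]);
    $user = $sth->fetch(PDO::FETCH_OBJ);
    if ($user === false) {
        $g_error->Add(_("User not found."));
    } else {
        $user->role = explode(',', (string) $user->role);
        $smarty->assign("user", $user);
        // auth realms
        $smarty->assign("realm_ids", ['local', 'ldap']);
        $smarty->assign("realm_names", ['Local', 'LDAP']);
        $smarty->assign("realm_selected", $user->realm);
        $smarty->display("useredit.tpl");
    }

elseif ($action == ACT_DELETE):
    // ========== VARIANT: delete record ==========================================
    $sth = $dbh->prepare('SELECT user_id AS id, user_name AS name FROM user WHERE user_id=?');
    $sth->execute([$id]);
    $user = $sth->fetch(PDO::FETCH_OBJ);
    if ($user === false) {
        $g_error->Add(_("User not found."));
    } else {
        $smarty->assign("user", $user);
        $smarty->display("userdel.tpl");
    }

elseif ($action == ACT_ERR_DENIED):
    // ========== ERROR ACCESS TO PAGE DENIED =====================================
    // NOTE(review): the markup around this echo is missing in this copy. If the
    // Referer value is ever interpolated into it, pass it through
    // htmlspecialchars() first — it is request input under the client's control.
    if (isset($_SERVER['HTTP_REFERER'])) {
        echo '', "Back to last page

\n";
    }
    echo "

";

else:
    // ========== ERROR UNKNOWN VARIANT ===========================================
    echo "

Unknown function call: Please report to system development!

\n";
endif; // $action == ...
// ========== END OF VARIANTS =================================================
$smarty->display('footer.tpl');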