From e71e4b7d751eca9005561312eb5bbec144c0fc38 Mon Sep 17 00:00:00 2001 From: Andre Lorbach Date: Tue, 15 Jul 2008 15:53:50 +0200 Subject: [PATCH] Added helper function to prompt user for verification of admin actions This function will be used on other positions in the admin center as well, everytime the user wants to delete something which cannot be undone. --- src/admin/index.php | 5 ++ src/admin/users.php | 36 ++++++++++-- src/include/functions_common.php | 67 +++++++++++++++++++--- src/include/functions_users.php | 11 +++- src/lang/en/admin.php | 8 +++ src/templates/admin/admin_securecheck.html | 32 +++++++++++ src/themes/default/main.css | 6 ++ 7 files changed, 149 insertions(+), 16 deletions(-) create mode 100644 src/templates/admin/admin_securecheck.html diff --git a/src/admin/index.php b/src/admin/index.php index 11b01f6..8eb7cf3 100644 --- a/src/admin/index.php +++ b/src/admin/index.php @@ -115,6 +115,11 @@ else // --- END CREATE TITLE */ +// --- BEGIN CREATE TITLE +$content['TITLE'] = InitPageTitle(); +$content['TITLE'] .= " :: General Options"; +// --- END CREATE TITLE + // --- Parsen and Output InitTemplateParser(); $page -> parser($content, "admin/admin_index.html"); diff --git a/src/admin/users.php b/src/admin/users.php index 3aad54f..02f3e0f 100644 --- a/src/admin/users.php +++ b/src/admin/users.php 
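Review bot: The admin/index.php hunk adds only the page title, and no administrator-level gate is visible for this page, whereas users.php in the same commit inserts `if ( !isset($_SESSION['SESSION_ISADMIN']) || $_SESSION['SESSION_ISADMIN'] == 0 ) DieWithFriendlyErrorMsg( $content['LN_ADMIN_ERROR_NOTALLOWED'] );` right after the language file include. The check this commit adds to InitConfigurationValues only enforces that the visitor is logged in on pages that define IS_ADMINPAGE, not that the account is an admin, so a non-admin login would reach admin/index.php unless a check exists outside this hunk. The same gate belongs here, or better once centrally next to the IS_ADMINPAGE login check so no admin page can forget it. The rest of index.php is outside the hunk, so this may already be covered elsewhere in the file.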
@@ -53,19 +53,31 @@ InitFilterHelpers(); // Helpers for frontend filtering! // Init admin langauge file now! IncludeLanguageFile( $gl_root_path . '/lang/' . $LANG . '/admin.php' ); - -// --- CONTENT Vars -$content['TITLE'] = "Ultrastats - Admin Center - Users"; // Title of the Page // --- // --- BEGIN Custom Code + +// Only if the user is an admin! +if ( !isset($_SESSION['SESSION_ISADMIN']) || $_SESSION['SESSION_ISADMIN'] == 0 ) + DieWithFriendlyErrorMsg( $content['LN_ADMIN_ERROR_NOTALLOWED'] ); + if ($_GET['miniop'] == "setisadmin") { if ( isset($_GET['id']) && isset($_GET['newval']) ) { //PreInit these values $content['USERID'] = intval(DB_RemoveBadChars($_GET['id'])); + $iNewVal = intval(DB_RemoveBadChars($_GET['newval'])); + // --- handle special case + if ( $content['USERID'] == $content['SESSION_USERID'] && (!isset($_GET['verify']) || $_GET['verify'] != "yes") && $iNewVal == 0) + { + // This will print an additional secure check which the user needs to confirm and exit the script execution. + PrintSecureUserCheck( $content['LN_USER_WARNREMOVEADMIN'], $content['LN_DELETEYES'], $content['LN_DELETENO'] ); + } + // --- + + // Perform SQL Query! $sqlquery = "SELECT * " . " FROM " . DB_USERS . " WHERE ID = " . $content['USERID']; @@ -73,8 +85,6 @@ if ($_GET['miniop'] == "setisadmin") $myuser = DB_GetSingleRow($result, true); if ( isset($myuser['username']) ) { - $iNewVal = intval(DB_RemoveBadChars($_GET['newval'])); - // Update is_admin setting! $result = DB_Query("UPDATE " . DB_USERS . " SET is_admin = $iNewVal 
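Review bot: The self-demotion guard in the setisadmin branch keys only on `$_GET['verify'] != "yes"`, so any link that already carries `&verify=yes` skips the confirmation page entirely, and the is_admin UPDATE still executes on a plain GET request with nothing bound to the session; the confirmation is a usability safeguard, not CSRF protection. An administrator who opens a crafted URL can thereby have admin status granted to or revoked from any user id, including their own. Storing a random token in the session when PrintSecureUserCheck is rendered, emitting it as the hidden verify value, and comparing it with the session copy before the UPDATE would make the step meaningful; moving the state change to POST would help as well. The admin-only gate added at the top of the file is a good addition and should be mirrored on every admin page. The setisadmin branch continues into the next hunk.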
@@ -181,6 +191,14 @@ if ( isset($_GET['op']) ) } else { + // --- Ask for deletion first! + if ( (!isset($_GET['verify']) || $_GET['verify'] != "yes") ) + { + // This will print an additional secure check which the user needs to confirm and exit the script execution. + PrintSecureUserCheck( GetAndReplaceLangStr( $content['LN_USER_WARNDELETEUSER'], $myrow['username'] ), $content['LN_DELETEYES'], $content['LN_DELETENO'] ); + } + // --- + // do the delete! $result = DB_Query( "DELETE FROM " . DB_USERS . " WHERE ID = " . $content['USERID'] ); if ($result == FALSE) @@ -191,6 +209,8 @@ if ( isset($_GET['op']) ) else DB_FreeQuery($result); + // TODO: DELETE PERSONAL SETTINGS, GROUP MEMBERSHIP ... + // Do the final redirect RedirectResult( GetAndReplaceLangStr( $content['LN_USER_ERROR_HASBEENDEL'], $myrow['username'] ) , "users.php" ); } @@ -349,9 +369,13 @@ else } // --- } - // --- END Custom Code +// --- BEGIN CREATE TITLE +$content['TITLE'] = InitPageTitle(); +$content['TITLE'] .= " :: User Options"; +// --- END CREATE TITLE + // --- Parsen and Output InitTemplateParser(); $page -> parser($content, "admin/admin_users.html"); diff --git a/src/include/functions_common.php b/src/include/functions_common.php index 9e8996c..071eda9 100644 --- a/src/include/functions_common.php +++ b/src/include/functions_common.php 
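Review bot: The deletion guard added before `DELETE FROM " . DB_USERS . " WHERE ID = ` has the same weakness as the setisadmin one: `verify=yes` is a plain query-string flag, so a crafted link containing it deletes the user without the confirmation page ever being shown, and only a secret the attacker cannot know (a per-session token checked at this point) makes the confirmation step protective. The message passed to PrintSecureUserCheck interpolates `$myrow['username']` read from the database; unless the template parser HTML-escapes `{warningtext}`, a username containing markup becomes stored XSS on this confirmation page, so `htmlspecialchars()` on the value before GetAndReplaceLangStr is warranted. The following hunk's `// TODO: DELETE PERSONAL SETTINGS, GROUP MEMBERSHIP ...` confirms those rows are left orphaned, while the new LN_USER_WARNDELETEUSER text promises the user's personal settings will be deleted as well; either the cleanup or the wording should change. The enclosing `else` block starts before this hunk.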
@@ -541,12 +541,17 @@ function InitConfigurationValues() // Now we init the user session stuff InitUserSession(); - if ( isset($CFG["UserDBLoginRequired"]) && $CFG["UserDBLoginRequired"] == true && !$content['SESSION_LOGGEDIN'] ) - { - // User needs to be logged in, redirect to login page - if ( !defined("IS_LOGINPAGE") ) - RedirectToUserLogin(); - } + if ( isset($CFG["UserDBLoginRequired"]) && $CFG["UserDBLoginRequired"] == true ) + { + if ( !$content['SESSION_LOGGEDIN'] ) + { + // User needs to be logged in, redirect to login page + if ( !defined("IS_LOGINPAGE") ) + RedirectToUserLogin(); + } + } + else if ( defined('IS_ADMINPAGE') ) // Language System not initialized yet + DieWithFriendlyErrorMsg( "You need to be logged in in order to access the admin pages." ); // General defaults // // --- Language Handling @@ -559,6 +564,11 @@ function InitConfigurationValues() $content['database_forcedatabaseupdate'] = "yes"; } } + else + { + if ( defined('IS_ADMINPAGE') || defined("IS_LOGINPAGE") ) // Language System not initialized yet + DieWithFriendlyErrorMsg( "The phpLogCon user system is currently disabled or not installed." ); + } // --- Language Handling if ( isset($_SESSION['CUSTOM_LANG']) && VerifyLanguage($_SESSION['CUSTOM_LANG']) ) 
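Review bot: The new `else if ( defined('IS_ADMINPAGE') )` branch refuses every admin page whenever `UserDBLoginRequired` is off or unset, even for a visitor who is logged in and an administrator, although the message claims a login is what is missing; if the intent is to require a login rather than the config flag, the condition should be `else if ( defined('IS_ADMINPAGE') && !$content['SESSION_LOGGEDIN'] )`. If the intent really is to disable the admin center unless logins are mandatory, the message should say that instead. Either way this check establishes only that someone is logged in, not their admin level; `SESSION_ISADMIN` is tested in users.php alone in this commit, so each admin page must repeat that gate or it should be added here beside the login check. A comment on the branch stating which of the two policies is intended would prevent the next reader from "fixing" it the wrong way. InitConfigurationValues starts and ends outside the hunk.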
@@ -711,17 +721,22 @@ function InitPageTitle() else $szReturn = ""; - if ( isset($currentSourceID) && isset($content['Sources'][$currentSourceID]['Name']) ) - $szReturn .= "Source '" . $content['Sources'][$currentSourceID]['Name'] . "' :: "; + if ( !defined('IS_ADMINPAGE') ) + { + if ( isset($currentSourceID) && isset($content['Sources'][$currentSourceID]['Name']) ) + $szReturn .= "Source '" . $content['Sources'][$currentSourceID]['Name'] . "' :: "; + } // Append phpLogCon $szReturn .= "phpLogCon"; + if ( defined('IS_ADMINPAGE') ) + $szReturn .= " :: " . $content['LN_ADMIN_CENTER'] . " :: "; + // return result return $szReturn; } - function GetStringWithHTMLCodes($myStr) { // Replace all special characters with valid html representations @@ -982,4 +997,38 @@ function StartPHPSession() } } +function PrintSecureUserCheck( $warningtext, $yesmsg, $nomsg ) +{ + global $content, $page; + + // Copy properties + $content['warningtext'] = $warningtext; + $content['yesmsg'] = $yesmsg; + $content['nomsg'] = $nomsg; + + // Handle GET and POST input! + $content['form_url'] = $_SERVER['SCRIPT_NAME'] . "?"; + foreach ($_GET as $varname => $varvalue) + $content['form_url'] .= $varname . "=" . $varvalue . "&"; + $content['form_url'] .= "verify=yes"; // Append verify! + + foreach ($_POST as $varname => $varvalue) + $content['POST_VARIABLES'][] = array( "varname" => $varname, "varvalue" => $varvalue ); + + // --- BEGIN CREATE TITLE + $content['TITLE'] = InitPageTitle(); + $content['TITLE'] .= " :: Confirm Action"; + // --- END CREATE TITLE + + // --- Parsen and Output + InitTemplateParser(); + $page -> parser($content, "admin/admin_securecheck.html"); + $page -> output(); + // --- + + // Exit script execution + exit; +} + + ?> \ No newline at end of file diff --git a/src/include/functions_users.php b/src/include/functions_users.php index 5f7a862..01a1510 100644 --- a/src/include/functions_users.php +++ b/src/include/functions_users.php 
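Review bot: In PrintSecureUserCheck the form URL is assembled by concatenating every raw `$_GET` name and value with no `urlencode()` and no HTML escaping, so a value containing `"`, `&` or `<` lands verbatim in the confirmation page's form action and in the `verify=yes` link: reflected XSS against the administrator if the template parser does not escape `{form_url}`, and a corrupted URL for benign values with reserved characters. Replace the loop with `$content['form_url'] = $_SERVER['SCRIPT_NAME'] . "?" . http_build_query(array_merge($_GET, array("verify" => "yes")));`, which also avoids emitting a duplicate `verify` parameter when one is already present, and apply `htmlspecialchars()` to `form_url` and to each `POST_VARIABLES` entry, since the raw `$_POST` values are passed to the template the same way. Note that `verify=yes` carries no secret, so this page records intent but does not stop a forged request; a session-bound token in the hidden field would. A docblock stating that the function renders the confirmation page and never returns (it calls `exit`) would help callers, who must not place cleanup after it.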
@@ -44,6 +44,11 @@ if ( !defined('IN_PHPLOGCON') ) ///include($gl_root_path . 'include/constants_logstream.php'); // --- +// --- Define User System initialized! +define('IS_USERSYSTEMENABLED', true); +$content['IS_USERSYSTEMENABLED'] = true; +// --- + // --- BEGIN Usermanagement Function --- function InitUserSession() { @@ -62,8 +67,9 @@ function InitUserSession() { $content['SESSION_LOGGEDIN'] = true; $content['SESSION_USERNAME'] = $_SESSION['SESSION_USERNAME']; + $content['SESSION_USERID'] = $_SESSION['SESSION_USERID']; $content['SESSION_ISADMIN'] = $_SESSION['SESSION_ISADMIN']; - + // Successfully logged in return true; } @@ -125,10 +131,12 @@ function CheckUserLogin( $username, $password ) { $_SESSION['SESSION_LOGGEDIN'] = true; $_SESSION['SESSION_USERNAME'] = $username; + $_SESSION['SESSION_USERID'] = $myrow['ID']; $_SESSION['SESSION_ISADMIN'] = $myrow['is_admin']; $content['SESSION_LOGGEDIN'] = $_SESSION['SESSION_LOGGEDIN']; $content['SESSION_USERNAME'] = $_SESSION['SESSION_USERNAME']; + $content['SESSION_USERID'] = $_SESSION['SESSION_USERID']; $content['SESSION_ISADMIN'] = $_SESSION['SESSION_ISADMIN']; // TODO SET LAST LOGIN TIME! @@ -152,6 +160,7 @@ function DoLogOff() unset( $_SESSION['SESSION_LOGGEDIN'] ); unset( $_SESSION['SESSION_USERNAME'] ); + unset( $_SESSION['SESSION_USERID'] ); unset( $_SESSION['SESSION_ACCESSLEVEL'] ); // Redir to Index Page diff --git a/src/lang/en/admin.php b/src/lang/en/admin.php index 7f38740..dfdc53f 100644 --- a/src/lang/en/admin.php +++ b/src/lang/en/admin.php @@ -37,6 +37,9 @@ $content['LN_ADMINMENU_USEROPT'] = "User Options"; $content['LN_ADMINMENU_GROUPOPT'] = "Group Options"; $content['LN_ADMIN_CENTER'] = "Admin center"; $content['LN_ADMIN_UNKNOWNSTATE'] = "Unknown State"; +$content['LN_ADMIN_ERROR_NOTALLOWED'] = "You are not allowed to access this page with your user level."; +$content['LN_DELETEYES'] = "Yes"; +$content['LN_DELETENO'] = "No"; // User Center $content['LN_USER_CENTER'] = "User Options"; 
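Review bot: CheckUserLogin populates `$_SESSION` with the authenticated identity (now including `SESSION_USERID` and `SESSION_ISADMIN`) without first calling `session_regenerate_id(true);`, so a session id planted in the victim's browser before login (session fixation) becomes an authenticated admin session; the call belongs immediately before the `$_SESSION['SESSION_LOGGEDIN'] = true;` line. In DoLogOff the visible unsets clear LOGGEDIN, USERNAME, USERID and ACCESSLEVEL but not `SESSION_ISADMIN`, which is set at login a few lines above; unless it is cleared outside the hunk, `session_destroy()` or an explicit unset is safer than relying on the LOGGEDIN flag alone, given that users.php's new gate tests `SESSION_ISADMIN` directly. `SESSION_ACCESSLEVEL` is unset here but nothing visible in this file sets it, so it may be a leftover name worth removing or documenting. Both functions start before their hunks.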
@@ -61,6 +64,11 @@ $content['LN_USER_ERROR_HASBEENADDED'] = "User '%1' has been successfully added" $content['LN_USER_ERROR_HASBEENEDIT'] = "User '%1' has been successfully edited"; $content['LN_USER_ISADMIN'] = "Is Admin?"; $content['LN_USER_ADDEDIT'] = "Add/Edit User"; +$content['LN_USER_WARNREMOVEADMIN'] = "You are about to revoke your own administrative priviledges. Are you sure to remove your admin status?"; +$content['LN_USER_WARNDELETEUSER'] = "Are you sure that you want to delete the User '%1'? All his personal settings will be deleted as well."; +$content['LN_USER_'] = ""; +$content['LN_USER_'] = ""; +$content['LN_USER_'] = ""; $content['LN_USER_'] = ""; diff --git a/src/templates/admin/admin_securecheck.html b/src/templates/admin/admin_securecheck.html new file mode 100644 index 0000000..a4f8921 --- /dev/null +++ b/src/templates/admin/admin_securecheck.html @@ -0,0 +1,32 @@ + + +

+ + + + + + + + +
{warningtext}
+
+
+ + + + +
+ +
+ +
+
+ + +
{nomsg} +
+
+
+ + \ No newline at end of file diff --git a/src/themes/default/main.css b/src/themes/default/main.css index 1e49e04..1dd5333 100644 --- a/src/themes/default/main.css +++ b/src/themes/default/main.css @@ -445,3 +445,9 @@ select, input, button, textarea font: bold 8pt Arial,Helvetica,sans-serif; color: #BB0000 } + +.borderless +{ + border:0px solid; + background-color: transparent; +}
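Review bot: This new template renders `{warningtext}` and `{nomsg}` directly, and per the PrintSecureUserCheck helper also the `form_url` and the POST variable list that are built from raw request data; unless the template parser escapes substitutions by default, each of those placeholders must be HTML-escaped before insertion, and the form URL must be attribute-escaped wherever it is used as a form action or link href. The hidden-field loop that carries the POST variables is not legible in this rendering, so that part is inferred from the helper rather than from the markup. A short HTML comment at the top of the file stating that it is only rendered via PrintSecureUserCheck and that every substituted value is request- or database-derived would make the trust boundary obvious to whoever edits the template next.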