Added helper function to prompt user for verification of admin actions

This function will be used on other positions in the admin center
as well, everytime the user wants to delete something which cannot
be undone.

src/admin/index.php

@@ -115,6 +115,11 @@ else
 // --- END CREATE TITLE
 */
 
+// --- BEGIN CREATE TITLE
+$content['TITLE'] = InitPageTitle();
+$content['TITLE'] .= " :: General Options";
+// --- END CREATE TITLE
+
 // --- Parsen and Output
 InitTemplateParser();
 $page -> parser($content, "admin/admin_index.html");

src/admin/users.php

@@ -53,19 +53,31 @@ InitFilterHelpers();	// Helpers for frontend filtering!
 
 // Init admin langauge file now!
 IncludeLanguageFile( $gl_root_path . '/lang/' . $LANG . '/admin.php' );
-
-// --- CONTENT Vars
-$content['TITLE'] = "Ultrastats - Admin Center - Users";	// Title of the Page 
 // --- 
 
 // --- BEGIN Custom Code
+
+// Only if the user is an admin!
+if ( !isset($_SESSION['SESSION_ISADMIN']) || $_SESSION['SESSION_ISADMIN'] == 0 ) 
+	DieWithFriendlyErrorMsg( $content['LN_ADMIN_ERROR_NOTALLOWED'] );
+
 if ($_GET['miniop'] == "setisadmin") 
 {
 	if ( isset($_GET['id']) && isset($_GET['newval']) )
 	{
 		//PreInit these values 
 		$content['USERID'] = intval(DB_RemoveBadChars($_GET['id']));
+		$iNewVal = intval(DB_RemoveBadChars($_GET['newval']));
 
+		// --- handle special case
+		if ( $content['USERID'] == $content['SESSION_USERID'] && (!isset($_GET['verify']) || $_GET['verify'] != "yes") && $iNewVal == 0)
+		{
+			// This will print an additional secure check which the user needs to confirm and exit the script execution.
+			PrintSecureUserCheck( $content['LN_USER_WARNREMOVEADMIN'], $content['LN_DELETEYES'], $content['LN_DELETENO'] );
+		}
+		// ---
+		
+		// Perform SQL Query!
 		$sqlquery = "SELECT * " . 
 					" FROM " . DB_USERS . 
 					" WHERE ID = " . $content['USERID'];
@@ -73,8 +85,6 @@ if ($_GET['miniop'] == "setisadmin")
 		$myuser = DB_GetSingleRow($result, true);
 		if ( isset($myuser['username']) )
 		{
-			$iNewVal = intval(DB_RemoveBadChars($_GET['newval']));
-
 			// Update is_admin setting!
 			$result = DB_Query("UPDATE " . DB_USERS . " SET 
 				is_admin = $iNewVal 
@@ -181,6 +191,14 @@ if ( isset($_GET['op']) )
 				}
 				else
 				{
+					// --- Ask for deletion first!
+					if ( (!isset($_GET['verify']) || $_GET['verify'] != "yes") )
+					{
+						// This will print an additional secure check which the user needs to confirm and exit the script execution.
+						PrintSecureUserCheck( GetAndReplaceLangStr( $content['LN_USER_WARNDELETEUSER'], $myrow['username'] ), $content['LN_DELETEYES'], $content['LN_DELETENO'] );
+					}
+					// ---
+
 					// do the delete!
 					$result = DB_Query( "DELETE FROM " . DB_USERS . " WHERE ID = " . $content['USERID'] );
 					if ($result == FALSE)
@@ -191,6 +209,8 @@ if ( isset($_GET['op']) )
 					else
 						DB_FreeQuery($result);
 
+					// TODO: DELETE PERSONAL SETTINGS, GROUP MEMBERSHIP ...
+
 					// Do the final redirect
 					RedirectResult( GetAndReplaceLangStr( $content['LN_USER_ERROR_HASBEENDEL'], $myrow['username'] ) , "users.php" );
 				}
@@ -349,9 +369,13 @@ else
 	}
 	// --- 
 }
-
 // --- END Custom Code
 
+// --- BEGIN CREATE TITLE
+$content['TITLE'] = InitPageTitle();
+$content['TITLE'] .= " :: User Options";
+// --- END CREATE TITLE
+
 // --- Parsen and Output
 InitTemplateParser();
 $page -> parser($content, "admin/admin_users.html");

src/include/functions_common.php

@@ -541,12 +541,17 @@ function InitConfigurationValues()
 		// Now we init the user session stuff
 		InitUserSession();
 
-		if ( isset($CFG["UserDBLoginRequired"]) && $CFG["UserDBLoginRequired"] == true && !$content['SESSION_LOGGEDIN'] )
+			if ( isset($CFG["UserDBLoginRequired"]) && $CFG["UserDBLoginRequired"] == true )
+			{
+				if ( !$content['SESSION_LOGGEDIN'] ) 
 				{
 					// User needs to be logged in, redirect to login page
 					if ( !defined("IS_LOGINPAGE") )
 						RedirectToUserLogin();
 				}
+			}
+			else if ( defined('IS_ADMINPAGE') )							// Language System not initialized yet
+				DieWithFriendlyErrorMsg( "You need to be logged in in order to access the admin pages." );
 
 		// General defaults 
 //		// --- Language Handling
@@ -559,6 +564,11 @@ function InitConfigurationValues()
 			$content['database_forcedatabaseupdate'] = "yes"; 
 		}
 	}
+	else
+	{
+		if ( defined('IS_ADMINPAGE') || defined("IS_LOGINPAGE") )	// Language System not initialized yet
+			DieWithFriendlyErrorMsg( "The phpLogCon user system is currently disabled or not installed." );
+	}
 
 	// --- Language Handling
 	if ( isset($_SESSION['CUSTOM_LANG']) && VerifyLanguage($_SESSION['CUSTOM_LANG']) )
@@ -711,17 +721,22 @@ function InitPageTitle()
 	else
 		$szReturn = "";
 
+	if ( !defined('IS_ADMINPAGE') )
+	{
 		if ( isset($currentSourceID) && isset($content['Sources'][$currentSourceID]['Name']) )
 			$szReturn .= "Source '" . $content['Sources'][$currentSourceID]['Name'] . "' :: ";
+	}
 
 	// Append phpLogCon
 	$szReturn .= "phpLogCon";
 
+	if ( defined('IS_ADMINPAGE') )
+		$szReturn .= " :: " . $content['LN_ADMIN_CENTER'] . " :: ";
+
 	// return result
 	return $szReturn;
 }
 
-
 function GetStringWithHTMLCodes($myStr)
 {
 	// Replace all special characters with valid html representations
@@ -982,4 +997,38 @@ function StartPHPSession()
 	}
 }
 
+function PrintSecureUserCheck( $warningtext, $yesmsg, $nomsg )
+{
+	global $content, $page;
+
+	// Copy properties
+	$content['warningtext'] = $warningtext;
+	$content['yesmsg'] = $yesmsg;
+	$content['nomsg'] = $nomsg;
+
+	// Handle GET and POST input!
+	$content['form_url'] = $_SERVER['SCRIPT_NAME'] . "?";
+	foreach ($_GET as $varname => $varvalue)
+		$content['form_url'] .= $varname . "=" . $varvalue . "&";
+	$content['form_url'] .= "verify=yes"; // Append verify!
+
+	foreach ($_POST as $varname => $varvalue)
+		$content['POST_VARIABLES'][] = array( "varname" => $varname, "varvalue" => $varvalue );
+
+	// --- BEGIN CREATE TITLE
+	$content['TITLE'] = InitPageTitle();
+	$content['TITLE'] .= " :: Confirm Action";
+	// --- END CREATE TITLE
+
+	// --- Parsen and Output
+	InitTemplateParser();
+	$page -> parser($content, "admin/admin_securecheck.html");
+	$page -> output(); 
+	// --- 
+	
+	// Exit script execution
+	exit;
+}
+
+
 ?>

src/include/functions_users.php

@@ -44,6 +44,11 @@ if ( !defined('IN_PHPLOGCON') )
 ///include($gl_root_path . 'include/constants_logstream.php');
 // --- 
 
+// --- Define User System initialized!
+define('IS_USERSYSTEMENABLED', true);
+$content['IS_USERSYSTEMENABLED'] = true;
+// --- 
+
 // --- BEGIN Usermanagement Function --- 
 function InitUserSession()
 {
@@ -62,6 +67,7 @@ function InitUserSession()
 		{
 			$content['SESSION_LOGGEDIN'] = true;
 			$content['SESSION_USERNAME'] = $_SESSION['SESSION_USERNAME'];
+			$content['SESSION_USERID'] = $_SESSION['SESSION_USERID'];
 			$content['SESSION_ISADMIN'] = $_SESSION['SESSION_ISADMIN'];
 
 			// Successfully logged in
@@ -125,10 +131,12 @@ function CheckUserLogin( $username, $password )
 	{
 		$_SESSION['SESSION_LOGGEDIN'] = true;
 		$_SESSION['SESSION_USERNAME'] = $username;
+		$_SESSION['SESSION_USERID'] = $myrow['ID'];
 		$_SESSION['SESSION_ISADMIN'] = $myrow['is_admin'];
 
 		$content['SESSION_LOGGEDIN'] = $_SESSION['SESSION_LOGGEDIN'];
 		$content['SESSION_USERNAME'] = $_SESSION['SESSION_USERNAME'];
+		$content['SESSION_USERID'] = $_SESSION['SESSION_USERID'];
 		$content['SESSION_ISADMIN'] = $_SESSION['SESSION_ISADMIN'];
 
 		// TODO SET LAST LOGIN TIME!
@@ -152,6 +160,7 @@ function DoLogOff()
 
 	unset( $_SESSION['SESSION_LOGGEDIN'] );
 	unset( $_SESSION['SESSION_USERNAME'] );
+	unset( $_SESSION['SESSION_USERID'] );
 	unset( $_SESSION['SESSION_ACCESSLEVEL'] );
 
 	// Redir to Index Page

src/lang/en/admin.php

@@ -37,6 +37,9 @@ $content['LN_ADMINMENU_USEROPT'] = "User Options";
 $content['LN_ADMINMENU_GROUPOPT'] = "Group Options";
 $content['LN_ADMIN_CENTER'] = "Admin center";
 $content['LN_ADMIN_UNKNOWNSTATE'] = "Unknown State";
+$content['LN_ADMIN_ERROR_NOTALLOWED'] = "You are not allowed to access this page with your user level.";
+$content['LN_DELETEYES'] = "Yes";
+$content['LN_DELETENO'] = "No";
 
 // User Center
 $content['LN_USER_CENTER'] = "User Options";
@@ -61,6 +64,11 @@ $content['LN_USER_ERROR_HASBEENADDED'] = "User '%1' has been successfully added"
 $content['LN_USER_ERROR_HASBEENEDIT'] = "User '%1' has been successfully edited";
 $content['LN_USER_ISADMIN'] = "Is Admin?";
 $content['LN_USER_ADDEDIT'] = "Add/Edit User";
+$content['LN_USER_WARNREMOVEADMIN'] = "You are about to revoke your own administrative priviledges. Are you sure to remove your admin status?";
+$content['LN_USER_WARNDELETEUSER'] = "Are you sure that you want to delete the User '%1'? All his personal settings will be deleted as well.";
+$content['LN_USER_'] = "";
+$content['LN_USER_'] = "";
+$content['LN_USER_'] = "";
 $content['LN_USER_'] = "";
 
 

src/templates/admin/admin_securecheck.html

@@ -0,0 +1,32 @@
+<!-- INCLUDE include_header.html --> 
+
+<br><br>
+<table width="600" cellpadding="2" cellspacing="1" border="0" align="center" class="with_border">
+<tr>
+	<td align="center" valign="top" class="line0 ErrorMsg" colspan="2">{warningtext}</td>
+</tr>
+<tr>
+	<td align="center" class="line1" width="50%">
+		<br>
+		<form action="{form_url}" method="post" name="confirmform">
+			<!-- BEGIN POST_VARIABLES -->
+			<input type="hidden" name="{varname}" value="{varvalue}">
+			<!-- END POST_VARIABLES -->
+			<input type="image" src="{BASEPATH}images/icons/check.png" alt="{yesmsg}" class="borderless" width="16">
+			<br>
+			<input type="submit" value="{yesmsg}" class="borderless">
+		</form>
+
+	</td>
+	<td align="center" class="line2" width="50%">
+		<br>
+		<a HREF="javascript:history.back();">
+		<img src="{BASEPATH}images/icons/redo.png" class="borderless" width="16">
+		<br>{nomsg}
+		</a>
+	</td>
+</tr>
+</table>
+<br>
+
+<!-- INCLUDE include_footer.html -->

src/themes/default/main.css

@@ -445,3 +445,9 @@ select, input, button, textarea
 	font: bold 8pt Arial,Helvetica,sans-serif;
 	color: #BB0000 
 }
+
+.borderless
+{ 
+	border:0px solid;
+	background-color: transparent; 
+}