X-Git-Url: https://git.wh0rd.org/?a=blobdiff_plain;f=classes%2Fpref%2Fusers.php;h=ab8ac775b54319c77ff51d680a701efe4af6d59b;hb=3a0292303e453f38204279b5d1c978a4b9c367e9;hp=b4f043775c082d31effc3b7c49bfec34de58c9ec;hpb=0d6ecb1f1cc663497bdd8fccb3f2dc66d2cdb0b9;p=tt-rss.git diff --git a/classes/pref/users.php b/classes/pref/users.php index b4f04377..ab8ac775 100644 --- a/classes/pref/users.php +++ b/classes/pref/users.php @@ -12,253 +12,241 @@ class Pref_Users extends Handler_Protected { } function csrf_ignore($method) { - $csrf_ignored = array("index"); + $csrf_ignored = array("index", "edit", "userdetails"); return array_search($method, $csrf_ignored) !== false; } - function userdetails() { - - header("Content-Type: text/xml"); - print ""; - - $uid = sprintf("%d", $_REQUEST["id"]); - - print "".__('User details').""; + function edit() { + global $access_level_names; - print ""; - $result = db_query($this->link, "SELECT login, - ".SUBSTRING_FOR_DATE."(last_login,1,16) AS last_login, - access_level, - (SELECT COUNT(int_id) FROM ttrss_user_entries - WHERE owner_uid = id) AS stored_articles, - ".SUBSTRING_FOR_DATE."(created,1,16) AS created - FROM ttrss_users - WHERE id = '$uid'"); + print '
+
'; - if (db_num_rows($result) == 0) { - print "

".__('User not found')."

"; - return; - } + //print "
"; - // print "

User Details

"; + $id = (int) clean($_REQUEST["id"]); - $login = db_fetch_result($result, 0, "login"); + print_hidden("id", "$id"); + print_hidden("op", "pref-users"); + print_hidden("method", "editSave"); - print ""; + $sth = $this->pdo->prepare("SELECT * FROM ttrss_users WHERE id = ?"); + $sth->execute([$id]); - $last_login = make_local_datetime($this->link, - db_fetch_result($result, 0, "last_login"), true); + if ($row = $sth->fetch()) { - $created = make_local_datetime($this->link, - db_fetch_result($result, 0, "created"), true); + $login = $row["login"]; + $access_level = $row["access_level"]; + $email = $row["email"]; - $access_level = db_fetch_result($result, 0, "access_level"); - $stored_articles = db_fetch_result($result, 0, "stored_articles"); + $sel_disabled = ($id == $_SESSION["uid"] || $login == "admin") ? "disabled" : ""; - print ""; - print ""; + print "
".__("User")."
"; + print "
"; - $result = db_query($this->link, "SELECT COUNT(id) as num_feeds FROM ttrss_feeds - WHERE owner_uid = '$uid'"); + if ($sel_disabled) { + print_hidden("login", "$login"); + } - $num_feeds = db_fetch_result($result, 0, "num_feeds"); + print ""; - print "
"; + print ""; - print "
".__('Registered')."$created
".__('Last logged in')."$last_login
".__('Subscribed feeds count')."$num_feeds
"; + print "
".__("Authentication")."
"; + print "
"; - print "

".__('Subscribed feeds')."

"; + print __('Access level: ') . " "; - $result = db_query($this->link, "SELECT id,title,site_url FROM ttrss_feeds - WHERE owner_uid = '$uid' ORDER BY title"); + if (!$sel_disabled) { + print_select_hash("access_level", $access_level, $access_level_names, + "dojoType=\"dijit.form.Select\" $sel_disabled"); + } else { + print_select_hash("", $access_level, $access_level_names, + "dojoType=\"dijit.form.Select\" $sel_disabled"); + print_hidden("access_level", "$access_level"); + } - print "
    "; + print "
    "; - $row_class = "odd"; + print ""; - while ($line = db_fetch_assoc($result)) { + print "
"; - $icon_file = ICONS_URL."/".$line["id"].".ico"; + print "
".__("Options")."
"; + print "
"; - if (file_exists($icon_file) && filesize($icon_file) > 0) { - $feed_icon = ""; - } else { - $feed_icon = ""; - } + print ""; - print "
  • $feed_icon ".$line["title"]."
    • "; + print "
    "; - $row_class = $row_class == "even" ? "odd" : "even"; + print ""; } - if (db_num_rows($result) < $num_feeds) { - // FIXME - add link to show ALL subscribed feeds here somewhere - print "
  •  ...
    • "; - } + print '
    '; #tab + print "
    "; - print ""; + print '
    '; + print '
    '; - print "
    -
    "; + print "
    + +
    "; - print "]]>    "; + print ""; return; } - function edit() { - global $access_level_names; - - header("Content-Type: text/xml"); - - $id = db_escape_string($this->link, $_REQUEST["id"]); - - print ""; - print "".__('User Editor').""; - print ""; + function userdetails() { + $id = (int) clean($_REQUEST["id"]); - print ""; - print ""; - print ""; + $sth = $this->pdo->prepare("SELECT login, + ".SUBSTRING_FOR_DATE."(last_login,1,16) AS last_login, + access_level, + (SELECT COUNT(int_id) FROM ttrss_user_entries + WHERE owner_uid = id) AS stored_articles, + ".SUBSTRING_FOR_DATE."(created,1,16) AS created + FROM ttrss_users + WHERE id = ?"); + $sth->execute([$id]); - $result = db_query($this->link, "SELECT * FROM ttrss_users WHERE id = '$id'"); + if ($row = $sth->fetch()) { + print ""; - $login = db_fetch_result($result, 0, "login"); - $access_level = db_fetch_result($result, 0, "access_level"); - $email = db_fetch_result($result, 0, "email"); + $last_login = make_local_datetime( + $row["last_login"], true); - $sel_disabled = ($id == $_SESSION["uid"]) ? "disabled" : ""; + $created = make_local_datetime( + $row["created"], true); - print "
    ".__("User")."
    "; - print "
    "; + $stored_articles = $row["stored_articles"]; - if ($sel_disabled) { - print ""; - print ""; - } else { - print ""; - } + print "
    "; + print ""; - print ""; + $sth = $this->pdo->prepare("SELECT COUNT(id) as num_feeds FROM ttrss_feeds + WHERE owner_uid = ?"); + $sth->execute([$id]); + $row = $sth->fetch(); + $num_feeds = $row["num_feeds"]; - print "
    ".__("Authentication")."
    "; - print "
    "; + print "
    "; + print ""; - print __('Access level: ') . " "; + print "
    ".__('Registered')."$created
    ".__('Last logged in')."$last_login
    ".__('Subscribed feeds count')."$num_feeds
    ".__('Stored articles')."$stored_articles
    "; - if (!$sel_disabled) { - print_select_hash("access_level", $access_level, $access_level_names, - $sel_disabled); - } else { - print_select_hash("", $access_level, $access_level_names, - $sel_disabled); - print ""; - } + print "

    ".__('Subscribed feeds')."

    "; - print "
    "; + $sth = $this->pdo->prepare("SELECT id,title,site_url FROM ttrss_feeds + WHERE owner_uid = ? ORDER BY title"); + $sth->execute([$id]); - print __('Change password to') . - " "; + print ""; - print "
    - -
    "; - print "]]>    "; + } else { + print "

    ".__('User not found')."

    "; + } - return; } function editSave() { - $login = db_escape_string($this->link, trim($_REQUEST["login"])); - $uid = db_escape_string($this->link, $_REQUEST["id"]); - $access_level = (int) $_REQUEST["access_level"]; - $email = db_escape_string($this->link, trim($_REQUEST["email"])); - $password = db_escape_string($this->link, trim($_REQUEST["password"])); + $login = trim(clean($_REQUEST["login"])); + $uid = clean($_REQUEST["id"]); + $access_level = (int) clean($_REQUEST["access_level"]); + $email = trim(clean($_REQUEST["email"])); + $password = clean($_REQUEST["password"]); if ($password) { $salt = substr(bin2hex(get_random_bytes(125)), 0, 250); $pwd_hash = encrypt_password($password, $salt, true); - $pass_query_part = "pwd_hash = '$pwd_hash', salt = '$salt',"; + $pass_query_part = "pwd_hash = ".$this->pdo->quote($pwd_hash).", + salt = ".$this->pdo->quote($salt).","; } else { $pass_query_part = ""; } - db_query($this->link, "UPDATE ttrss_users SET $pass_query_part login = '$login', - access_level = '$access_level', email = '$email', otp_enabled = false - WHERE id = '$uid'"); + $sth = $this->pdo->prepare("UPDATE ttrss_users SET $pass_query_part login = ?, + access_level = ?, email = ?, otp_enabled = false WHERE id = ?"); + $sth->execute([$login, $access_level, $email, $uid]); } function remove() { - $ids = split(",", db_escape_string($this->link, $_REQUEST["ids"])); + $ids = explode(",", clean($_REQUEST["ids"])); foreach ($ids as $id) { if ($id != $_SESSION["uid"] && $id != 1) { - db_query($this->link, "DELETE FROM ttrss_tags WHERE owner_uid = '$id'"); - db_query($this->link, "DELETE FROM ttrss_feeds WHERE owner_uid = '$id'"); - db_query($this->link, "DELETE FROM ttrss_users WHERE id = '$id'"); + $sth = $this->pdo->prepare("DELETE FROM ttrss_tags WHERE owner_uid = ?"); + $sth->execute([$id]); + + $sth = $this->pdo->prepare("DELETE FROM ttrss_feeds WHERE owner_uid = ?"); + $sth->execute([$id]); + + $sth = $this->pdo->prepare("DELETE FROM ttrss_users WHERE id = ?"); + $sth->execute([$id]); } } } function add() { - $login = db_escape_string($this->link, trim($_REQUEST["login"])); + $login = trim(clean($_REQUEST["login"])); $tmp_user_pwd = make_password(8); $salt = substr(bin2hex(get_random_bytes(125)), 0, 250); $pwd_hash = encrypt_password($tmp_user_pwd, $salt, true); - $result = db_query($this->link, "SELECT id FROM ttrss_users WHERE - login = '$login'"); + $sth = $this->pdo->prepare("SELECT id FROM ttrss_users WHERE + login = ?"); + $sth->execute([$login]); - if (db_num_rows($result) == 0) { + if (!$sth->fetch()) { - db_query($this->link, "INSERT INTO ttrss_users + $sth = $this->pdo->prepare("INSERT INTO ttrss_users (login,pwd_hash,access_level,last_login,created, salt) - VALUES ('$login', '$pwd_hash', 0, null, NOW(), '$salt')"); - + VALUES (?, ?, 0, null, NOW(), ?)"); + $sth->execute([$login, $pwd_hash, $salt]); - $result = db_query($this->link, "SELECT id FROM ttrss_users WHERE - login = '$login' AND pwd_hash = '$pwd_hash'"); + $sth = $this->pdo->prepare("SELECT id FROM ttrss_users WHERE + login = ? AND pwd_hash = ?"); + $sth->execute([$login, $pwd_hash]); - if (db_num_rows($result) == 1) { + if ($row = $sth->fetch()) { - $new_uid = db_fetch_result($result, 0, "id"); + $new_uid = $row['id']; print format_notice(T_sprintf("Added user %s with password %s", $login, $tmp_user_pwd)); - initialize_user($this->link, $new_uid); + initialize_user($new_uid); } else { @@ -270,81 +258,68 @@ class Pref_Users extends Handler_Protected { } } - static function resetUserPassword($link, $uid, $show_password) { + static function resetUserPassword($uid, $show_password) { - $result = db_query($link, "SELECT login,email - FROM ttrss_users WHERE id = '$uid'"); + $pdo = Db::pdo(); - $login = db_fetch_result($result, 0, "login"); - $email = db_fetch_result($result, 0, "email"); - $salt = db_fetch_result($result, 0, "salt"); + $sth = $pdo->prepare("SELECT login, email + FROM ttrss_users WHERE id = ?"); + $sth->execute([$uid]); - $new_salt = substr(bin2hex(get_random_bytes(125)), 0, 250); - $tmp_user_pwd = make_password(8); + if ($row = $sth->fetch()) { - $pwd_hash = encrypt_password($tmp_user_pwd, $new_salt, true); + $login = $row["login"]; + $email = $row["email"]; - db_query($link, "UPDATE ttrss_users SET pwd_hash = '$pwd_hash', salt = '$new_salt' - WHERE id = '$uid'"); + $new_salt = substr(bin2hex(get_random_bytes(125)), 0, 250); + $tmp_user_pwd = make_password(8); - if ($show_password) { - print T_sprintf("Changed password of user %s - to %s", $login, $tmp_user_pwd); - } else { - print T_sprintf("Sending new password of user %s - to %s", $login, $email); - } + $pwd_hash = encrypt_password($tmp_user_pwd, $new_salt, true); - require_once 'lib/phpmailer/class.phpmailer.php'; + $sth = $pdo->prepare("UPDATE ttrss_users + SET pwd_hash = ?, salt = ?, otp_enabled = false + WHERE id = ?"); + $sth->execute([$pwd_hash, $new_salt, $uid]); - if ($email) { - require_once "lib/MiniTemplator.class.php"; + if ($show_password) { + print T_sprintf("Changed password of user %s to %s", $login, $tmp_user_pwd); + } else { + print_notice(T_sprintf("Sending new password of user %s to %s", $login, $email)); + } - $tpl = new MiniTemplator; + require_once 'classes/ttrssmailer.php'; - $tpl->readTemplateFromFile("templates/resetpass_template.txt"); + if ($email) { + require_once "lib/MiniTemplator.class.php"; - $tpl->setVariable('LOGIN', $login); - $tpl->setVariable('NEWPASS', $tmp_user_pwd); + $tpl = new MiniTemplator; - $tpl->addBlock('message'); + $tpl->readTemplateFromFile("templates/resetpass_template.txt"); - $message = ""; + $tpl->setVariable('LOGIN', $login); + $tpl->setVariable('NEWPASS', $tmp_user_pwd); - $tpl->generateOutputToString($message); + $tpl->addBlock('message'); - $mail = new PHPMailer(); + $message = ""; - $mail->PluginDir = "lib/phpmailer/"; - $mail->SetLanguage("en", "lib/phpmailer/language/"); + $tpl->generateOutputToString($message); - $mail->CharSet = "UTF-8"; + $mail = new ttrssMailer(); - $mail->From = SMTP_FROM_ADDRESS; - $mail->FromName = SMTP_FROM_NAME; - $mail->AddAddress($email, $login); + $rc = $mail->quickMail($email, $login, + __("[tt-rss] Password change notification"), + $message, false); - if (SMTP_HOST) { - $mail->Host = SMTP_HOST; - $mail->Mailer = "smtp"; - $mail->SMTPAuth = SMTP_LOGIN != ''; - $mail->Username = SMTP_LOGIN; - $mail->Password = SMTP_PASSWORD; + if (!$rc) print_error($mail->ErrorInfo); } - $mail->IsHTML(false); - $mail->Subject = __("[tt-rss] Password change notification"); - $mail->Body = $message; - - $rc = $mail->Send(); - - if (!$rc) print_error($mail->ErrorInfo); } } function resetPass() { - $uid = db_escape_string($this->link, $_REQUEST["id"]); - Pref_Users::resetUserPassword($this->link, $uid, true); + $uid = clean($_REQUEST["id"]); + Pref_Users::resetUserPassword($uid, true); } function index() { @@ -356,7 +331,7 @@ class Pref_Users extends Handler_Protected { print "
    "; - $user_search = db_escape_string($this->link, $_REQUEST["search"]); + $user_search = trim(clean($_REQUEST["search"])); if (array_key_exists("search", $_REQUEST)) { $_SESSION["prefs_user_search"] = $user_search; @@ -367,11 +342,11 @@ class Pref_Users extends Handler_Protected { print "
    -
    "; - $sort = db_escape_string($this->link, $_REQUEST["sort"]); + $sort = clean($_REQUEST["sort"]); if (!$sort || $sort == "undefined") { $sort = "login"; @@ -386,68 +361,55 @@ class Pref_Users extends Handler_Protected { dojoType=\"dijit.MenuItem\">".__('None')."
    "; print ""; - print ""; + print ""; print " - - - - "; + PluginHost::getInstance()->run_hooks(PluginHost::HOOK_PREFS_TAB_SECTION, + "hook_prefs_tab_section", "prefUsersToolbar"); + print ""; #toolbar print ""; #pane print "
    "; - print "
    "; - - if ($user_search) { - - $user_search = split(" ", $user_search); - $tokens = array(); + $sort = validate_field($sort, + ["login", "access_level", "created", "num_feeds", "created", "last_login"], "login"); - foreach ($user_search as $token) { - $token = trim($token); - array_push($tokens, "(UPPER(login) LIKE UPPER('%$token%'))"); - } - - $user_search_query = "(" . join($tokens, " AND ") . ") AND "; - - } else { - $user_search_query = ""; - } + if ($sort != "login") $sort = "$sort DESC"; - $result = db_query($this->link, "SELECT - id,login,access_level,email, + $sth = $this->pdo->prepare("SELECT + tu.id, + login,access_level,email, ".SUBSTRING_FOR_DATE."(last_login,1,16) as last_login, - ".SUBSTRING_FOR_DATE."(created,1,16) as created + ".SUBSTRING_FOR_DATE."(created,1,16) as created, + (SELECT COUNT(id) FROM ttrss_feeds WHERE owner_uid = tu.id) AS num_feeds FROM - ttrss_users + ttrss_users tu WHERE - $user_search_query - id > 0 + (:search = '' OR login LIKE :search) AND tu.id > 0 ORDER BY $sort"); - - if (db_num_rows($result) > 0) { + $sth->execute([":search" => $user_search ? "%$user_search%" : ""]); print "

    "; print " - - + + + "; $lnum = 0; - while ($line = db_fetch_assoc($result)) { - - $class = ($lnum % 2) ? "even" : "odd"; + while ($line = $sth->fetch()) { $uid = $line["id"]; @@ -455,8 +417,8 @@ class Pref_Users extends Handler_Protected { $line["login"] = htmlspecialchars($line["login"]); - $line["created"] = make_local_datetime($this->link, $line["created"], false); - $line["last_login"] = make_local_datetime($this->link, $line["last_login"], false); + $line["created"] = make_local_datetime($line["created"], false); + $line["last_login"] = make_local_datetime($line["last_login"], false); print ""; + print ""; if (!$line["email"]) $line["email"] = " "; print ""; + print ""; print ""; print ""; @@ -479,26 +442,20 @@ class Pref_Users extends Handler_Protected { print "
     ".__('Login')."".__('Access Level')."".__('Login')."".__('Access Level')."".__('Subscribed feeds')." ".__('Registered')." ".__('Last login')."
    " . $line["login"] . " " . $line["login"] . "" . $access_level_names[$line["access_level"]] . "" . $line["num_feeds"] . "" . $line["created"] . "" . $line["last_login"] . "
    "; - } else { - print "

    "; + if ($lnum == 0) { if (!$user_search) { print_warning(__('No users defined.')); } else { print_warning(__('No matching users found.')); } - print "

    "; - } print "
    "; #pane - global $pluginhost; - $pluginhost->run_hooks($pluginhost::HOOK_PREFS_TAB, + PluginHost::getInstance()->run_hooks(PluginHost::HOOK_PREFS_TAB, "hook_prefs_tab", "prefUsers"); print ""; #container } - - } -?> + } \ No newline at end of file