X-Git-Url: https://git.wh0rd.org/?a=blobdiff_plain;f=classes%2Fpref%2Fusers.php;h=ad48e7a722a4b5be521a544da2b3fdf353859c25;hb=57932e183745bada9c6183056597cb5276f68d10;hp=82893c5487376384c50e225be2895cb1503ca328;hpb=4ee398a41e2176d4a5c997920db35cb6bed12f2e;p=tt-rss.git
diff --git a/classes/pref/users.php b/classes/pref/users.php
index 82893c54..ad48e7a7 100644
--- a/classes/pref/users.php
+++ b/classes/pref/users.php
@@ -20,12 +20,14 @@ class Pref_Users extends Handler_Protected {
 function edit() {
 global $access_level_names;
+ print "
"; + print '
';
- print "";
+ //print "";
- $id = (int) $_REQUEST["id"];
+ $id = (int) clean($_REQUEST["id"]);
 print_hidden("id", "$id");
 print_hidden("op", "pref-users");
@@ -87,8 +89,6 @@ class Pref_Users extends Handler_Protected {
 print "";
- print "";
-
 }
 print '
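Review bot: The line `//print "";` leaves commented-out code in edit(); delete the statement instead of commenting it out, since version control keeps the history and a dead `print` invites someone to re-enable it later. In the same hunk `$id = (int) clean($_REQUEST["id"]);` applies clean() under an int cast, which already discards anything the sanitizer could strip, so the wrapper is redundant here though harmless. edit()'s body continues beyond this hunk.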
'; #tab @@ -99,16 +99,18 @@ class Pref_Users extends Handler_Protected { print '
'; print "
-
"; + print ""; + return; } function userdetails() { - $id = (int) $_REQUEST["id"]; + $id = (int) clean($_REQUEST["id"]); $sth = $this->pdo->prepare("SELECT login, ".SUBSTRING_FOR_DATE."(last_login,1,16) AS last_login, @@ -168,25 +170,25 @@ class Pref_Users extends Handler_Protected { } print ""; - - + + } else { print "
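Review bot: The added `return;` is the last statement of edit(), immediately before the method's closing brace, so it is redundant and reads as though something was meant to follow it; drop it, or if it is intended to keep a future trailer from being emitted, add a one-line comment saying so. edit() begins before this hunk.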

".__('User not found')."

"; } - } function editSave() {
- $login = trim($_REQUEST["login"]);
- $uid = $_REQUEST["id"];
- $access_level = (int) $_REQUEST["access_level"];
- $email = trim($_REQUEST["email"]);
- $password = $_REQUEST["password"];
+ $login = trim(clean($_REQUEST["login"]));
+ $uid = clean($_REQUEST["id"]);
+ $access_level = (int) clean($_REQUEST["access_level"]);
+ $email = trim(clean($_REQUEST["email"]));
+ $password = clean($_REQUEST["password"]);
 if ($password) {
 $salt = substr(bin2hex(get_random_bytes(125)), 0, 250);
 $pwd_hash = encrypt_password($password, $salt, true);
- $pass_query_part = "pwd_hash = ".$this->pdo->quote($pwd_hash).",
+ $pass_query_part = "pwd_hash = ".$this->pdo->quote($pwd_hash).",
 salt = ".$this->pdo->quote($salt).",";
 } else {
 $pass_query_part = "";
@@ -199,7 +201,7 @@ class Pref_Users extends Handler_Protected {
 }
 function remove() {
- $ids = explode(",", $_REQUEST["ids"]);
+ $ids = explode(",", clean($_REQUEST["ids"]));
 foreach ($ids as $id) {
 if ($id != $_SESSION["uid"] && $id != 1) {
@@ -217,7 +219,7 @@ class Pref_Users extends Handler_Protected {
 function add() {
- $login = trim($_REQUEST["login"]);
+ $login = trim(clean($_REQUEST["login"]));
 $tmp_user_pwd = make_password(8);
 $salt = substr(bin2hex(get_random_bytes(125)), 0, 250);
 $pwd_hash = encrypt_password($tmp_user_pwd, $salt, true);
@@ -263,7 +265,7 @@ class Pref_Users extends Handler_Protected {
 $sth = $pdo->prepare("SELECT login, email FROM ttrss_users WHERE id = ?");
 $sth->execute([$uid]);
-
+
 if ($row = $sth->fetch()) {
 $login = $row["login"];
@@ -274,7 +276,7 @@ class Pref_Users extends Handler_Protected {
 $pwd_hash = encrypt_password($tmp_user_pwd, $new_salt, true);
- $sth = $pdo->prepare("UPDATE ttrss_users
+ $sth = $pdo->prepare("UPDATE ttrss_users
 SET pwd_hash = ?, salt = ?, otp_enabled = false WHERE id = ?");
 $sth->execute([$pwd_hash, $new_salt, $uid]);
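Review bot: `$uid = clean($_REQUEST["id"]);` in editSave() is the only request id in this commit left as a string — edit() and userdetails() both use `(int) clean(...)`; make it `$uid = (int) clean($_REQUEST["id"]);` so the UPDATE that consumes it (outside the hunk) receives an integer like the others. Separately, `$password = clean($_REQUEST["password"]);` routes the password through the sanitizer before encrypt_password(); clean() is not visible here, but if it alters characters (tag stripping, entity encoding) the stored hash is of a different string than the user typed and such passwords can never log in — confirm clean() is a no-op for arbitrary text, or hash the raw request value. editSave() continues past the hunk.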
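Review bot: The guard `if ($id != $_SESSION["uid"] && $id != 1)` in remove() compares the raw strings produced by explode() loosely, so whether a value like `1abc` is treated as equal to 1 depends on the PHP version, and the un-normalised `$id` then flows on to the deletion outside the hunk. Normalise first: `$id = (int) $id;` at the top of the loop, then `if ($id !== (int) $_SESSION["uid"] && $id !== 1) {`. remove()'s loop body continues beyond this hunk.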
@@ -285,8 +287,6 @@ class Pref_Users extends Handler_Protected {
 print_notice(T_sprintf("Sending new password of user %s to %s", $login, $email));
 }
- require_once 'classes/ttrssmailer.php';
-
 if ($email) {
 require_once "lib/MiniTemplator.class.php";
@@ -303,20 +303,20 @@ class Pref_Users extends Handler_Protected {
 $tpl->generateOutputToString($message);
- $mail = new ttrssMailer();
+ $mailer = new Mailer();
- $rc = $mail->quickMail($email, $login,
- __("[tt-rss] Password change notification"),
- $message, false);
+ $rc = $mailer->mail(["to" => "$login <$email>",
+ "subject" => __("[tt-rss] Password change notification"),
+ "message" => $message]);
- if (!$rc) print_error($mail->ErrorInfo);
+ if (!$rc) print_error($mailer->error());
 }
-
+
 }
 }
 function resetPass() {
- $uid = $_REQUEST["id"];
+ $uid = clean($_REQUEST["id"]);
 Pref_Users::resetUserPassword($uid, true);
 }
@@ -329,7 +329,7 @@ class Pref_Users extends Handler_Protected {
 print "
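Review bot: `"to" => "$login <$email>"` assembles an RFC 5322 address from the login without quoting; `$login` is read from the users row (`$login = $row["login"];` in an earlier hunk) and was itself accepted from a request field, so a login containing `,`, `<`, `"` or a line break produces a malformed To header, and whether that becomes an extra recipient depends on how Mailer::mail() (not visible here) parses it. The replaced quickMail() call passed the display name as a separate argument; either send to `$email` alone or quote the name, e.g. `"to" => '"' . addcslashes($login, '"\\') . "\" <$email>"`, and reject control characters before use. The same hunk leaves `$uid = clean($_REQUEST["id"]);` in resetPass() uncast, unlike edit() and userdetails() in this commit.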
"; - $user_search = trim($_REQUEST["search"]); + $user_search = trim(clean($_REQUEST["search"])); if (array_key_exists("search", $_REQUEST)) { $_SESSION["prefs_user_search"] = $user_search; @@ -344,7 +344,7 @@ class Pref_Users extends Handler_Protected { __('Search')."
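Review bot: `$user_search = trim(clean($_REQUEST["search"]));` dereferences the key before the `array_key_exists("search", $_REQUEST)` check on the following line, so a request without a search parameter raises an undefined-index warning and hands null to clean(); guard the read, e.g. `$user_search = isset($_REQUEST["search"]) ? trim(clean($_REQUEST["search"])) : "";`. The next hunk has the same shape in `$sort = clean($_REQUEST["sort"]);`, where `$sort = isset($_REQUEST["sort"]) ? clean($_REQUEST["sort"]) : "";` keeps the existing `!$sort` fallback to `"login"` working. The enclosing method starts before this hunk.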
"; - $sort = $_REQUEST["sort"]; + $sort = clean($_REQUEST["sort"]); if (!$sort || $sort == "undefined") { $sort = "login"; @@ -376,7 +376,10 @@ class Pref_Users extends Handler_Protected { print ""; #pane print "
"; - print "
"; + $sort = validate_field($sort, + ["login", "access_level", "created", "num_feeds", "created", "last_login"], "login"); + + if ($sort != "login") $sort = "$sort DESC"; $sth = $this->pdo->prepare("SELECT tu.id, @@ -388,8 +391,8 @@ class Pref_Users extends Handler_Protected { ttrss_users tu WHERE (:search = '' OR login LIKE :search) AND tu.id > 0 - ORDER BY :sort"); - $sth->execute([":search" => $user_search ? "%$user_search%" : "", ":sort" => $sort]); + ORDER BY $sort"); + $sth->execute([":search" => $user_search ? "%$user_search%" : ""]); print "
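Review bot: The allow-list handed to validate_field() is the only thing that makes the `ORDER BY $sort` interpolation in the next hunk safe, and nothing at the call site says so; add `// $sort is interpolated into ORDER BY below; validate_field() must reduce it to one of these names` above it, so the next person does not loosen the list or bypass the call. The list contains `"created"` twice, and `num_feeds` is presumably an alias computed in the SELECT that begins at the end of this hunk — confirm it exists in the projection, since validate_field() cannot check that. Because `if ($sort != "login") $sort = "$sort DESC";` appends a direction, the comment should also note that `$sort` is no longer a bare column name after that line.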

"; @@ -453,4 +456,4 @@ class Pref_Users extends Handler_Protected { print ""; #container } - } \ No newline at end of file + }