[tt-rss.git] / classes / pref / users.php

<?php
class Pref_Users extends Handler_Protected {
		function before($method) {
			if (parent::before($method)) {
				if ($_SESSION["access_level"] < 10) {
					print __("Your access level is insufficient to open this tab.");
					return false;
				}
				return true;
			}
			return false;
		}

		function csrf_ignore($method) {
			$csrf_ignored = array("index", "edit", "userdetails");

			return array_search($method, $csrf_ignored) !== false;
		}

		function userdetails() {

			$uid = sprintf("%d", $_REQUEST["id"]);

			$result = $this->dbh->query("SELECT login,
				".SUBSTRING_FOR_DATE."(last_login,1,16) AS last_login,
				access_level,
				(SELECT COUNT(int_id) FROM ttrss_user_entries
					WHERE owner_uid = id) AS stored_articles,
				".SUBSTRING_FOR_DATE."(created,1,16) AS created
				FROM ttrss_users
				WHERE id = '$uid'");

			if ($this->dbh->num_rows($result) == 0) {
				print "<h1>".__('User not found')."</h1>";
				return;
			}

			// print "<h1>User Details</h1>";

			$login = $this->dbh->fetch_result($result, 0, "login");

			print "<table width='100%'>";

			$last_login = make_local_datetime(
				$this->dbh->fetch_result($result, 0, "last_login"), true);

			$created = make_local_datetime(
				$this->dbh->fetch_result($result, 0, "created"), true);

			$access_level = $this->dbh->fetch_result($result, 0, "access_level");
			$stored_articles = $this->dbh->fetch_result($result, 0, "stored_articles");

			print "<tr><td>".__('Registered')."</td><td>$created</td></tr>";
			print "<tr><td>".__('Last logged in')."</td><td>$last_login</td></tr>";

			$result = $this->dbh->query("SELECT COUNT(id) as num_feeds FROM ttrss_feeds
				WHERE owner_uid = '$uid'");

			$num_feeds = $this->dbh->fetch_result($result, 0, "num_feeds");

			print "<tr><td>".__('Subscribed feeds count')."</td><td>$num_feeds</td></tr>";

			print "</table>";

			print "<h1>".__('Subscribed feeds')."</h1>";

			$result = $this->dbh->query("SELECT id,title,site_url FROM ttrss_feeds
				WHERE owner_uid = '$uid' ORDER BY title");

			print "<ul class=\"userFeedList\">";

			while ($line = $this->dbh->fetch_assoc($result)) {

				$icon_file = ICONS_URL."/".$line["id"].".ico";

				if (file_exists($icon_file) && filesize($icon_file) > 0) {
					$feed_icon = "<img class=\"tinyFeedIcon\" src=\"$icon_file\">";
				} else {
					$feed_icon = "<img class=\"tinyFeedIcon\" src=\"images/blank_icon.gif\">";
				}

				print "<li>$feed_icon&nbsp;<a href=\"".$line["site_url"]."\">".$line["title"]."</a></li>";

			}

			if ($this->dbh->num_rows($result) < $num_feeds) {
				// FIXME - add link to show ALL subscribed feeds here somewhere
				print "<li><img
					class=\"tinyFeedIcon\" src=\"images/blank_icon.gif\">&nbsp;...</li>";
			}

			print "</ul>";

			print "<div align='center'>
				<button dojoType=\"dijit.form.Button\" type=\"submit\">".__("Close this window").
				"</button></div>";

			return;
		}

		function edit() {
			global $access_level_names;

			$id = $this->dbh->escape_string($_REQUEST["id"]);
			print "<form id=\"user_edit_form\" onsubmit='return false' dojoType=\"dijit.form.Form\">";

			print "<input dojoType=\"dijit.form.TextBox\" style=\"display : none\" name=\"id\" value=\"$id\">";
			print "<input dojoType=\"dijit.form.TextBox\" style=\"display : none\" name=\"op\" value=\"pref-users\">";
			print "<input dojoType=\"dijit.form.TextBox\" style=\"display : none\" name=\"method\" value=\"editSave\">";

			$result = $this->dbh->query("SELECT * FROM ttrss_users WHERE id = '$id'");

			$login = $this->dbh->fetch_result($result, 0, "login");
			$access_level = $this->dbh->fetch_result($result, 0, "access_level");
			$email = $this->dbh->fetch_result($result, 0, "email");

			$sel_disabled = ($id == $_SESSION["uid"]) ? "disabled" : "";

			print "<div class=\"dlgSec\">".__("User")."</div>";
			print "<div class=\"dlgSecCont\">";

			if ($sel_disabled) {
				print "<input dojoType=\"dijit.form.TextBox\" style=\"display : none\" name=\"login\" value=\"$login\">";
			}

			print "<input size=\"30\" style=\"font-size : 16px\"
				dojoType=\"dijit.form.ValidationTextBox\" required=\"1\"
				onkeypress=\"return filterCR(event, userEditSave)\" $sel_disabled
				name=\"login\" value=\"$login\">";

			print "</div>";

			print "<div class=\"dlgSec\">".__("Authentication")."</div>";
			print "<div class=\"dlgSecCont\">";

			print __('Access level: ') . " ";

			if (!$sel_disabled) {
				print_select_hash("access_level", $access_level, $access_level_names,
					"dojoType=\"dijit.form.Select\" $sel_disabled");
			} else {
				print_select_hash("", $access_level, $access_level_names,
					"dojoType=\"dijit.form.Select\" $sel_disabled");
				print "<input dojoType=\"dijit.form.TextBox\" style=\"display : none\" name=\"access_level\" value=\"$access_level\">";
			}

			print "<hr/>";

			print "<input dojoType=\"dijit.form.TextBox\" type=\"password\" size=\"20\" onkeypress=\"return filterCR(event, userEditSave)\" placeholder=\"Change password\"
				name=\"password\">";

			print "</div>";

			print "<div class=\"dlgSec\">".__("Options")."</div>";
			print "<div class=\"dlgSecCont\">";

			print "<input dojoType=\"dijit.form.TextBox\" size=\"30\" name=\"email\" onkeypress=\"return filterCR(event, userEditSave)\" placeholder=\"E-mail\"
				value=\"$email\">";

			print "</div>";

			print "</table>";

			print "</form>";

			print "<div class=\"dlgButtons\">
				<button dojoType=\"dijit.form.Button\" type=\"submit\">".
					__('Save')."</button>
				<button dojoType=\"dijit.form.Button\" onclick=\"dijit.byId('userEditDlg').hide()\">".
					__('Cancel')."</button></div>";

			return;
		}

		function editSave() {
			$login = $this->dbh->escape_string(trim($_REQUEST["login"]));
			$uid = $this->dbh->escape_string($_REQUEST["id"]);
			$access_level = (int) $_REQUEST["access_level"];
			$email = $this->dbh->escape_string(trim($_REQUEST["email"]));
			$password = $_REQUEST["password"];

			if ($password) {
				$salt = substr(bin2hex(get_random_bytes(125)), 0, 250);
				$pwd_hash = encrypt_password($password, $salt, true);
				$pass_query_part = "pwd_hash = '$pwd_hash', salt = '$salt',";
			} else {
				$pass_query_part = "";
			}

			$this->dbh->query("UPDATE ttrss_users SET $pass_query_part login = '$login',
				access_level = '$access_level', email = '$email', otp_enabled = false
				WHERE id = '$uid'");

		}

		function remove() {
			$ids = explode(",", $this->dbh->escape_string($_REQUEST["ids"]));

			foreach ($ids as $id) {
				if ($id != $_SESSION["uid"] && $id != 1) {
					$this->dbh->query("DELETE FROM ttrss_tags WHERE owner_uid = '$id'");
					$this->dbh->query("DELETE FROM ttrss_feeds WHERE owner_uid = '$id'");
					$this->dbh->query("DELETE FROM ttrss_users WHERE id = '$id'");
				}
			}
		}

		function add() {

			$login = $this->dbh->escape_string(trim($_REQUEST["login"]));
			$tmp_user_pwd = make_password(8);
			$salt = substr(bin2hex(get_random_bytes(125)), 0, 250);
			$pwd_hash = encrypt_password($tmp_user_pwd, $salt, true);

			$result = $this->dbh->query("SELECT id FROM ttrss_users WHERE
				login = '$login'");

			if ($this->dbh->num_rows($result) == 0) {

				$this->dbh->query("INSERT INTO ttrss_users
					(login,pwd_hash,access_level,last_login,created, salt)
					VALUES ('$login', '$pwd_hash', 0, null, NOW(), '$salt')");


				$result = $this->dbh->query("SELECT id FROM ttrss_users WHERE
					login = '$login' AND pwd_hash = '$pwd_hash'");

				if ($this->dbh->num_rows($result) == 1) {

					$new_uid = $this->dbh->fetch_result($result, 0, "id");

					print format_notice(T_sprintf("Added user <b>%s</b> with password <b>%s</b>",
						$login, $tmp_user_pwd));

					initialize_user($new_uid);

				} else {

					print format_warning(T_sprintf("Could not create user <b>%s</b>", $login));

				}
			} else {
				print format_warning(T_sprintf("User <b>%s</b> already exists.", $login));
			}
		}

		static function resetUserPassword($uid, $show_password) {

			$result = db_query("SELECT login,email
				FROM ttrss_users WHERE id = '$uid'");

			$login = db_fetch_result($result, 0, "login");
			$email = db_fetch_result($result, 0, "email");
			$salt = db_fetch_result($result, 0, "salt");

			$new_salt = substr(bin2hex(get_random_bytes(125)), 0, 250);
			$tmp_user_pwd = make_password(8);

			$pwd_hash = encrypt_password($tmp_user_pwd, $new_salt, true);

			db_query("UPDATE ttrss_users SET pwd_hash = '$pwd_hash', salt = '$new_salt'
				WHERE id = '$uid'");

			if ($show_password) {
				print T_sprintf("Changed password of user <b>%s</b> to <b>%s</b>", $login, $tmp_user_pwd);
			} else {
				print_notice(T_sprintf("Sending new password of user <b>%s</b> to <b>%s</b>", $login, $email));
			}

			require_once 'classes/ttrssmailer.php';

			if ($email) {
				require_once "lib/MiniTemplator.class.php";

				$tpl = new MiniTemplator;

				$tpl->readTemplateFromFile("templates/resetpass_template.txt");

				$tpl->setVariable('LOGIN', $login);
				$tpl->setVariable('NEWPASS', $tmp_user_pwd);

				$tpl->addBlock('message');

				$message = "";

				$tpl->generateOutputToString($message);

				$mail = new ttrssMailer();

				$rc = $mail->quickMail($email, $login,
					__("[tt-rss] Password change notification"),
					$message, false);

				if (!$rc) print_error($mail->ErrorInfo);
			}
		}

		function resetPass() {
			$uid = $this->dbh->escape_string($_REQUEST["id"]);
			Pref_Users::resetUserPassword($uid, true);
		}

		function index() {

			global $access_level_names;

			print "<div id=\"pref-user-wrap\" dojoType=\"dijit.layout.BorderContainer\" gutters=\"false\">";
			print "<div id=\"pref-user-header\" dojoType=\"dijit.layout.ContentPane\" region=\"top\">";

			print "<div id=\"pref-user-toolbar\" dojoType=\"dijit.Toolbar\">";

			$user_search = $this->dbh->escape_string($_REQUEST["search"]);

			if (array_key_exists("search", $_REQUEST)) {
				$_SESSION["prefs_user_search"] = $user_search;
			} else {
				$user_search = $_SESSION["prefs_user_search"];
			}

			print "<div style='float : right; padding-right : 4px;'>
				<input dojoType=\"dijit.form.TextBox\" id=\"user_search\" size=\"20\" type=\"search\"
					value=\"$user_search\">
				<button dojoType=\"dijit.form.Button\" onclick=\"updateUsersList()\">".
					__('Search')."</button>
				</div>";

			$sort = $this->dbh->escape_string($_REQUEST["sort"]);

			if (!$sort || $sort == "undefined") {
				$sort = "login";
			}

			print "<div dojoType=\"dijit.form.DropDownButton\">".
					"<span>" . __('Select')."</span>";
			print "<div dojoType=\"dijit.Menu\" style=\"display: none;\">";
			print "<div onclick=\"selectTableRows('prefUserList', 'all')\"
				dojoType=\"dijit.MenuItem\">".__('All')."</div>";
			print "<div onclick=\"selectTableRows('prefUserList', 'none')\"
				dojoType=\"dijit.MenuItem\">".__('None')."</div>";
			print "</div></div>";

			print "<button dojoType=\"dijit.form.Button\" onclick=\"addUser()\">".__('Create user')."</button>";

			print "
				<button dojoType=\"dijit.form.Button\" onclick=\"selectedUserDetails()\">".
				__('Details')."</button dojoType=\"dijit.form.Button\">
				<button dojoType=\"dijit.form.Button\" onclick=\"editSelectedUser()\">".
				__('Edit')."</button dojoType=\"dijit.form.Button\">
				<button dojoType=\"dijit.form.Button\" onclick=\"removeSelectedUsers()\">".
				__('Remove')."</button dojoType=\"dijit.form.Button\">
				<button dojoType=\"dijit.form.Button\" onclick=\"resetSelectedUserPass()\">".
				__('Reset password')."</button dojoType=\"dijit.form.Button\">";

			PluginHost::getInstance()->run_hooks(PluginHost::HOOK_PREFS_TAB_SECTION,
				"hook_prefs_tab_section", "prefUsersToolbar");

			print "</div>"; #toolbar
			print "</div>"; #pane
			print "<div id=\"pref-user-content\" dojoType=\"dijit.layout.ContentPane\" region=\"center\">";

			print "<div id=\"sticky-status-msg\"></div>";

			if ($user_search) {

				$user_search = explode(" ", $user_search);
				$tokens = array();

				foreach ($user_search as $token) {
					$token = trim($token);
					array_push($tokens, "(UPPER(login) LIKE UPPER('%$token%'))");
				}

				$user_search_query = "(" . join($tokens, " AND ") . ") AND ";

			} else {
				$user_search_query = "";
			}

			$result = $this->dbh->query("SELECT
					id,login,access_level,email,
					".SUBSTRING_FOR_DATE."(last_login,1,16) as last_login,
					".SUBSTRING_FOR_DATE."(created,1,16) as created
				FROM
					ttrss_users
				WHERE
					$user_search_query
					id > 0
				ORDER BY $sort");

			if ($this->dbh->num_rows($result) > 0) {

			print "<p><table width=\"100%\" cellspacing=\"0\"
				class=\"prefUserList\" id=\"prefUserList\">";

			print "<tr class=\"title\">
						<td align='center' width=\"5%\">&nbsp;</td>
						<td width='30%'><a href=\"#\" onclick=\"updateUsersList('login')\">".__('Login')."</a></td>
						<td width='30%'><a href=\"#\" onclick=\"updateUsersList('access_level')\">".__('Access Level')."</a></td>
						<td width='20%'><a href=\"#\" onclick=\"updateUsersList('created')\">".__('Registered')."</a></td>
						<td width='20%'><a href=\"#\" onclick=\"updateUsersList('last_login')\">".__('Last login')."</a></td></tr>";

			$lnum = 0;

			while ($line = $this->dbh->fetch_assoc($result)) {

				$uid = $line["id"];

				print "<tr id=\"UMRR-$uid\">";

				$line["login"] = htmlspecialchars($line["login"]);

				$line["created"] = make_local_datetime($line["created"], false);
				$line["last_login"] = make_local_datetime($line["last_login"], false);

				print "<td align='center'><input onclick='toggleSelectRow2(this);'
					dojoType=\"dijit.form.CheckBox\" type=\"checkbox\"
					id=\"UMCHK-$uid\"></td>";

				$onclick = "onclick='editUser($uid, event)' title='".__('Click to edit')."'";

				print "<td $onclick>" . $line["login"] . "</td>";

				if (!$line["email"]) $line["email"] = "&nbsp;";

				print "<td $onclick>" .	$access_level_names[$line["access_level"]] . "</td>";
				print "<td $onclick>" . $line["created"] . "</td>";
				print "<td $onclick>" . $line["last_login"] . "</td>";

				print "</tr>";

				++$lnum;
			}

			print "</table>";

			} else {
				print "<p>";
				if (!$user_search) {
					print_warning(__('No users defined.'));
				} else {
					print_warning(__('No matching users found.'));
				}
				print "</p>";

			}

			print "</div>"; #pane

			PluginHost::getInstance()->run_hooks(PluginHost::HOOK_PREFS_TAB,
				"hook_prefs_tab", "prefUsers");

			print "</div>"; #container

		}

	}
?>
Commit	Line	Data
66665fba	1	<?php
369dbc19	2	class Pref_Users extends Handler_Protected {
17f9d200 JK	3	function before($method) {
17f9d200 JK	4	if (parent::before($method)) {
66665fba AD	5	if ($_SESSION["access_level"] < 10) {
	6	print __("Your access level is insufficient to open this tab.");
	7	return false;
	8	}
	9	return true;
	10	}
	11	return false;
	12	}
	13
8484ce22	14	function csrf_ignore($method) {
d9afd9b2	15	$csrf_ignored = array("index", "edit", "userdetails");
8484ce22 AD	16
	17	return array_search($method, $csrf_ignored) !== false;
	18	}
	19
66665fba AD	20	function userdetails() {
66665fba AD	21
66665fba AD	22	$uid = sprintf("%d", $_REQUEST["id"]);
66665fba AD	23
d9c85e0f	24	$result = $this->dbh->query("SELECT login,
66665fba AD	25	".SUBSTRING_FOR_DATE."(last_login,1,16) AS last_login,
	26	access_level,
	27	(SELECT COUNT(int_id) FROM ttrss_user_entries
	28	WHERE owner_uid = id) AS stored_articles,
	29	".SUBSTRING_FOR_DATE."(created,1,16) AS created
	30	FROM ttrss_users
	31	WHERE id = '$uid'");
	32
d9c85e0f	33	if ($this->dbh->num_rows($result) == 0) {
66665fba AD	34	print "<h1>".__('User not found')."</h1>";
	35	return;
	36	}
	37
	38	// print "<h1>User Details</h1>";
	39
d9c85e0f	40	$login = $this->dbh->fetch_result($result, 0, "login");
66665fba AD	41
	42	print "<table width='100%'>";
	43
6322ac79	44	$last_login = make_local_datetime(
d9c85e0f	45	$this->dbh->fetch_result($result, 0, "last_login"), true);
66665fba	46
6322ac79	47	$created = make_local_datetime(
d9c85e0f	48	$this->dbh->fetch_result($result, 0, "created"), true);
66665fba	49
d9c85e0f AD	50	$access_level = $this->dbh->fetch_result($result, 0, "access_level");
d9c85e0f AD	51	$stored_articles = $this->dbh->fetch_result($result, 0, "stored_articles");
66665fba AD	52
	53	print "<tr><td>".__('Registered')."</td><td>$created</td></tr>";
	54	print "<tr><td>".__('Last logged in')."</td><td>$last_login</td></tr>";
	55
d9c85e0f	56	$result = $this->dbh->query("SELECT COUNT(id) as num_feeds FROM ttrss_feeds
66665fba AD	57	WHERE owner_uid = '$uid'");
66665fba AD	58
d9c85e0f	59	$num_feeds = $this->dbh->fetch_result($result, 0, "num_feeds");
66665fba AD	60
	61	print "<tr><td>".__('Subscribed feeds count')."</td><td>$num_feeds</td></tr>";
	62
	63	print "</table>";
	64
	65	print "<h1>".__('Subscribed feeds')."</h1>";
	66
d9c85e0f	67	$result = $this->dbh->query("SELECT id,title,site_url FROM ttrss_feeds
66665fba AD	68	WHERE owner_uid = '$uid' ORDER BY title");
	69
	70	print "<ul class=\"userFeedList\">";
	71
d9c85e0f	72	while ($line = $this->dbh->fetch_assoc($result)) {
66665fba AD	73
	74	$icon_file = ICONS_URL."/".$line["id"].".ico";
	75
	76	if (file_exists($icon_file) && filesize($icon_file) > 0) {
	77	$feed_icon = "<img class=\"tinyFeedIcon\" src=\"$icon_file\">";
	78	} else {
	79	$feed_icon = "<img class=\"tinyFeedIcon\" src=\"images/blank_icon.gif\">";
	80	}
	81
8d090a91	82	print "<li>$feed_icon <a href=\"".$line["site_url"]."\">".$line["title"]."</a></li>";
66665fba AD	83
	84	}
	85
d9c85e0f	86	if ($this->dbh->num_rows($result) < $num_feeds) {
66665fba AD	87	// FIXME - add link to show ALL subscribed feeds here somewhere
	88	print "<li><img
	89	class=\"tinyFeedIcon\" src=\"images/blank_icon.gif\"> ...</li>";
	90	}
	91
	92	print "</ul>";
	93
	94	print "<div align='center'>
d9afd9b2	95	<button dojoType=\"dijit.form.Button\" type=\"submit\">".__("Close this window").
66665fba AD	96	"</button></div>";
66665fba AD	97
66665fba AD	98	return;
	99	}
	100
	101	function edit() {
	102	global $access_level_names;
	103
d9c85e0f	104	$id = $this->dbh->escape_string($_REQUEST["id"]);
222a61c2	105	print "<form id=\"user_edit_form\" onsubmit='return false' dojoType=\"dijit.form.Form\">";
66665fba	106
222a61c2 AD	107	print "<input dojoType=\"dijit.form.TextBox\" style=\"display : none\" name=\"id\" value=\"$id\">";
	108	print "<input dojoType=\"dijit.form.TextBox\" style=\"display : none\" name=\"op\" value=\"pref-users\">";
	109	print "<input dojoType=\"dijit.form.TextBox\" style=\"display : none\" name=\"method\" value=\"editSave\">";
66665fba	110
d9c85e0f	111	$result = $this->dbh->query("SELECT * FROM ttrss_users WHERE id = '$id'");
66665fba	112
d9c85e0f AD	113	$login = $this->dbh->fetch_result($result, 0, "login");
	114	$access_level = $this->dbh->fetch_result($result, 0, "access_level");
	115	$email = $this->dbh->fetch_result($result, 0, "email");
66665fba AD	116
	117	$sel_disabled = ($id == $_SESSION["uid"]) ? "disabled" : "";
	118
	119	print "<div class=\"dlgSec\">".__("User")."</div>";
	120	print "<div class=\"dlgSecCont\">";
	121
	122	if ($sel_disabled) {
222a61c2	123	print "<input dojoType=\"dijit.form.TextBox\" style=\"display : none\" name=\"login\" value=\"$login\">";
66665fba AD	124	}
66665fba AD	125
222a61c2 AD	126	print "<input size=\"30\" style=\"font-size : 16px\"
	127	dojoType=\"dijit.form.ValidationTextBox\" required=\"1\"
	128	onkeypress=\"return filterCR(event, userEditSave)\" $sel_disabled
	129	name=\"login\" value=\"$login\">";
	130
66665fba AD	131	print "</div>";
	132
	133	print "<div class=\"dlgSec\">".__("Authentication")."</div>";
	134	print "<div class=\"dlgSecCont\">";
	135
	136	print __('Access level: ') . " ";
	137
	138	if (!$sel_disabled) {
	139	print_select_hash("access_level", $access_level, $access_level_names,
222a61c2	140	"dojoType=\"dijit.form.Select\" $sel_disabled");
66665fba AD	141	} else {
66665fba AD	142	print_select_hash("", $access_level, $access_level_names,
222a61c2 AD	143	"dojoType=\"dijit.form.Select\" $sel_disabled");
222a61c2 AD	144	print "<input dojoType=\"dijit.form.TextBox\" style=\"display : none\" name=\"access_level\" value=\"$access_level\">";
66665fba AD	145	}
66665fba AD	146
222a61c2	147	print "<hr/>";
66665fba	148
da8d534a	149	print "<input dojoType=\"dijit.form.TextBox\" type=\"password\" size=\"20\" onkeypress=\"return filterCR(event, userEditSave)\" placeholder=\"Change password\"
66665fba AD	150	name=\"password\">";
	151
	152	print "</div>";
	153
	154	print "<div class=\"dlgSec\">".__("Options")."</div>";
	155	print "<div class=\"dlgSecCont\">";
	156
da8d534a	157	print "<input dojoType=\"dijit.form.TextBox\" size=\"30\" name=\"email\" onkeypress=\"return filterCR(event, userEditSave)\" placeholder=\"E-mail\"
66665fba AD	158	value=\"$email\">";
	159
	160	print "</div>";
	161
	162	print "</table>";
	163
	164	print "</form>";
	165
	166	print "<div class=\"dlgButtons\">
222a61c2	167	<button dojoType=\"dijit.form.Button\" type=\"submit\">".
66665fba	168	__('Save')."</button>
222a61c2	169	<button dojoType=\"dijit.form.Button\" onclick=\"dijit.byId('userEditDlg').hide()\">".
66665fba AD	170	__('Cancel')."</button></div>";
66665fba AD	171
66665fba AD	172	return;
	173	}
	174
	175	function editSave() {
d9c85e0f AD	176	$login = $this->dbh->escape_string(trim($_REQUEST["login"]));
d9c85e0f AD	177	$uid = $this->dbh->escape_string($_REQUEST["id"]);
66665fba	178	$access_level = (int) $_REQUEST["access_level"];
d9c85e0f	179	$email = $this->dbh->escape_string(trim($_REQUEST["email"]));
c72069b0	180	$password = $_REQUEST["password"];
66665fba AD	181
66665fba AD	182	if ($password) {
8db5d8ea	183	$salt = substr(bin2hex(get_random_bytes(125)), 0, 250);
098df83b AD	184	$pwd_hash = encrypt_password($password, $salt, true);
098df83b AD	185	$pass_query_part = "pwd_hash = '$pwd_hash', salt = '$salt',";
66665fba AD	186	} else {
	187	$pass_query_part = "";
	188	}
	189
d9c85e0f	190	$this->dbh->query("UPDATE ttrss_users SET $pass_query_part login = '$login',
e9f42579	191	access_level = '$access_level', email = '$email', otp_enabled = false
b8386ad3	192	WHERE id = '$uid'");
66665fba AD	193
	194	}
	195
	196	function remove() {
d9c85e0f	197	$ids = explode(",", $this->dbh->escape_string($_REQUEST["ids"]));
66665fba AD	198
	199	foreach ($ids as $id) {
	200	if ($id != $_SESSION["uid"] && $id != 1) {
d9c85e0f AD	201	$this->dbh->query("DELETE FROM ttrss_tags WHERE owner_uid = '$id'");
	202	$this->dbh->query("DELETE FROM ttrss_feeds WHERE owner_uid = '$id'");
	203	$this->dbh->query("DELETE FROM ttrss_users WHERE id = '$id'");
66665fba AD	204	}
	205	}
	206	}
	207
	208	function add() {
	209
d9c85e0f	210	$login = $this->dbh->escape_string(trim($_REQUEST["login"]));
66665fba	211	$tmp_user_pwd = make_password(8);
8db5d8ea	212	$salt = substr(bin2hex(get_random_bytes(125)), 0, 250);
098df83b	213	$pwd_hash = encrypt_password($tmp_user_pwd, $salt, true);
66665fba	214
d9c85e0f	215	$result = $this->dbh->query("SELECT id FROM ttrss_users WHERE
66665fba AD	216	login = '$login'");
66665fba AD	217
d9c85e0f	218	if ($this->dbh->num_rows($result) == 0) {
66665fba	219
d9c85e0f	220	$this->dbh->query("INSERT INTO ttrss_users
098df83b AD	221	(login,pwd_hash,access_level,last_login,created, salt)
098df83b AD	222	VALUES ('$login', '$pwd_hash', 0, null, NOW(), '$salt')");
66665fba AD	223
66665fba AD	224
d9c85e0f	225	$result = $this->dbh->query("SELECT id FROM ttrss_users WHERE
66665fba AD	226	login = '$login' AND pwd_hash = '$pwd_hash'");
66665fba AD	227
d9c85e0f	228	if ($this->dbh->num_rows($result) == 1) {
66665fba	229
d9c85e0f	230	$new_uid = $this->dbh->fetch_result($result, 0, "id");
66665fba AD	231
	232	print format_notice(T_sprintf("Added user <b>%s</b> with password <b>%s</b>",
	233	$login, $tmp_user_pwd));
	234
a42c55f0	235	initialize_user($new_uid);
66665fba AD	236
	237	} else {
	238
	239	print format_warning(T_sprintf("Could not create user <b>%s</b>", $login));
	240
	241	}
	242	} else {
	243	print format_warning(T_sprintf("User <b>%s</b> already exists.", $login));
	244	}
	245	}
	246
233b74ad	247	static function resetUserPassword($uid, $show_password) {
66665fba	248
233b74ad	249	$result = db_query("SELECT login,email
66665fba AD	250	FROM ttrss_users WHERE id = '$uid'");
	251
	252	$login = db_fetch_result($result, 0, "login");
	253	$email = db_fetch_result($result, 0, "email");
098df83b AD	254	$salt = db_fetch_result($result, 0, "salt");
098df83b AD	255
8db5d8ea	256	$new_salt = substr(bin2hex(get_random_bytes(125)), 0, 250);
66665fba	257	$tmp_user_pwd = make_password(8);
66665fba	258
098df83b AD	259	$pwd_hash = encrypt_password($tmp_user_pwd, $new_salt, true);
098df83b AD	260
233b74ad	261	db_query("UPDATE ttrss_users SET pwd_hash = '$pwd_hash', salt = '$new_salt'
66665fba AD	262	WHERE id = '$uid'");
66665fba AD	263
f43e9e97	264	if ($show_password) {
18446943	265	print T_sprintf("Changed password of user <b>%s</b> to <b>%s</b>", $login, $tmp_user_pwd);
f43e9e97	266	} else {
483f15d5	267	print_notice(T_sprintf("Sending new password of user <b>%s</b> to <b>%s</b>", $login, $email));
f43e9e97	268	}
66665fba	269
68fb3c95	270	require_once 'classes/ttrssmailer.php';
66665fba AD	271
66665fba AD	272	if ($email) {
66665fba AD	273	require_once "lib/MiniTemplator.class.php";
	274
	275	$tpl = new MiniTemplator;
	276
	277	$tpl->readTemplateFromFile("templates/resetpass_template.txt");
	278
	279	$tpl->setVariable('LOGIN', $login);
	280	$tpl->setVariable('NEWPASS', $tmp_user_pwd);
	281
	282	$tpl->addBlock('message');
	283
	284	$message = "";
	285
	286	$tpl->generateOutputToString($message);
	287
68fb3c95	288	$mail = new ttrssMailer();
66665fba	289
68fb3c95 AD	290	$rc = $mail->quickMail($email, $login,
	291	__("[tt-rss] Password change notification"),
	292	$message, false);
66665fba AD	293
	294	if (!$rc) print_error($mail->ErrorInfo);
	295	}
f43e9e97	296	}
66665fba	297
f43e9e97	298	function resetPass() {
d9c85e0f	299	$uid = $this->dbh->escape_string($_REQUEST["id"]);
a42c55f0	300	Pref_Users::resetUserPassword($uid, true);
66665fba AD	301	}
	302
	303	function index() {
	304
	305	global $access_level_names;
	306
	307	print "<div id=\"pref-user-wrap\" dojoType=\"dijit.layout.BorderContainer\" gutters=\"false\">";
	308	print "<div id=\"pref-user-header\" dojoType=\"dijit.layout.ContentPane\" region=\"top\">";
	309
	310	print "<div id=\"pref-user-toolbar\" dojoType=\"dijit.Toolbar\">";
	311
d9c85e0f	312	$user_search = $this->dbh->escape_string($_REQUEST["search"]);
66665fba AD	313
	314	if (array_key_exists("search", $_REQUEST)) {
	315	$_SESSION["prefs_user_search"] = $user_search;
	316	} else {
	317	$user_search = $_SESSION["prefs_user_search"];
	318	}
	319
	320	print "<div style='float : right; padding-right : 4px;'>
	321	<input dojoType=\"dijit.form.TextBox\" id=\"user_search\" size=\"20\" type=\"search\"
	322	value=\"$user_search\">
808ef3d4	323	<button dojoType=\"dijit.form.Button\" onclick=\"updateUsersList()\">".
66665fba AD	324	__('Search')."</button>
	325	</div>";
	326
d9c85e0f	327	$sort = $this->dbh->escape_string($_REQUEST["sort"]);
66665fba AD	328
	329	if (!$sort \|\| $sort == "undefined") {
	330	$sort = "login";
	331	}
	332
	333	print "<div dojoType=\"dijit.form.DropDownButton\">".
	334	"<span>" . __('Select')."</span>";
	335	print "<div dojoType=\"dijit.Menu\" style=\"display: none;\">";
	336	print "<div onclick=\"selectTableRows('prefUserList', 'all')\"
	337	dojoType=\"dijit.MenuItem\">".__('All')."</div>";
	338	print "<div onclick=\"selectTableRows('prefUserList', 'none')\"
	339	dojoType=\"dijit.MenuItem\">".__('None')."</div>";
	340	print "</div></div>";
	341
808ef3d4	342	print "<button dojoType=\"dijit.form.Button\" onclick=\"addUser()\">".__('Create user')."</button>";
66665fba AD	343
66665fba AD	344	print "
808ef3d4	345	<button dojoType=\"dijit.form.Button\" onclick=\"selectedUserDetails()\">".
66665fba	346	__('Details')."</button dojoType=\"dijit.form.Button\">
808ef3d4	347	<button dojoType=\"dijit.form.Button\" onclick=\"editSelectedUser()\">".
66665fba	348	__('Edit')."</button dojoType=\"dijit.form.Button\">
808ef3d4	349	<button dojoType=\"dijit.form.Button\" onclick=\"removeSelectedUsers()\">".
66665fba	350	__('Remove')."</button dojoType=\"dijit.form.Button\">
808ef3d4	351	<button dojoType=\"dijit.form.Button\" onclick=\"resetSelectedUserPass()\">".
66665fba AD	352	__('Reset password')."</button dojoType=\"dijit.form.Button\">";
66665fba AD	353
610fe115 AD	354	PluginHost::getInstance()->run_hooks(PluginHost::HOOK_PREFS_TAB_SECTION,
	355	"hook_prefs_tab_section", "prefUsersToolbar");
	356
66665fba AD	357	print "</div>"; #toolbar
	358	print "</div>"; #pane
	359	print "<div id=\"pref-user-content\" dojoType=\"dijit.layout.ContentPane\" region=\"center\">";
	360
	361	print "<div id=\"sticky-status-msg\"></div>";
	362
	363	if ($user_search) {
	364
a5680acb	365	$user_search = explode(" ", $user_search);
66665fba AD	366	$tokens = array();
	367
	368	foreach ($user_search as $token) {
	369	$token = trim($token);
	370	array_push($tokens, "(UPPER(login) LIKE UPPER('%$token%'))");
	371	}
	372
	373	$user_search_query = "(" . join($tokens, " AND ") . ") AND ";
	374
	375	} else {
	376	$user_search_query = "";
	377	}
	378
d9c85e0f	379	$result = $this->dbh->query("SELECT
66665fba AD	380	id,login,access_level,email,
	381	".SUBSTRING_FOR_DATE."(last_login,1,16) as last_login,
	382	".SUBSTRING_FOR_DATE."(created,1,16) as created
	383	FROM
	384	ttrss_users
	385	WHERE
	386	$user_search_query
	387	id > 0
	388	ORDER BY $sort");
	389
d9c85e0f	390	if ($this->dbh->num_rows($result) > 0) {
66665fba AD	391
	392	print "<p><table width=\"100%\" cellspacing=\"0\"
	393	class=\"prefUserList\" id=\"prefUserList\">";
	394
	395	print "<tr class=\"title\">
	396	<td align='center' width=\"5%\"> </td>
84391d69 AD	397	<td width='30%'><a href=\"#\" onclick=\"updateUsersList('login')\">".__('Login')."</a></td>
84391d69 AD	398	<td width='30%'><a href=\"#\" onclick=\"updateUsersList('access_level')\">".__('Access Level')."</a></td>
66665fba AD	399	<td width='20%'><a href=\"#\" onclick=\"updateUsersList('created')\">".__('Registered')."</a></td>
	400	<td width='20%'><a href=\"#\" onclick=\"updateUsersList('last_login')\">".__('Last login')."</a></td></tr>";
	401
	402	$lnum = 0;
	403
d9c85e0f	404	while ($line = $this->dbh->fetch_assoc($result)) {
66665fba	405
66665fba AD	406	$uid = $line["id"];
66665fba AD	407
84391d69	408	print "<tr id=\"UMRR-$uid\">";
66665fba AD	409
	410	$line["login"] = htmlspecialchars($line["login"]);
	411
a42c55f0 AD	412	$line["created"] = make_local_datetime($line["created"], false);
a42c55f0 AD	413	$line["last_login"] = make_local_datetime($line["last_login"], false);
66665fba	414
84391d69 AD	415	print "<td align='center'><input onclick='toggleSelectRow2(this);'
	416	dojoType=\"dijit.form.CheckBox\" type=\"checkbox\"
	417	id=\"UMCHK-$uid\"></td>";
66665fba AD	418
	419	$onclick = "onclick='editUser($uid, event)' title='".__('Click to edit')."'";
	420
	421	print "<td $onclick>" . $line["login"] . "</td>";
	422
	423	if (!$line["email"]) $line["email"] = " ";
	424
	425	print "<td $onclick>" . $access_level_names[$line["access_level"]] . "</td>";
	426	print "<td $onclick>" . $line["created"] . "</td>";
	427	print "<td $onclick>" . $line["last_login"] . "</td>";
	428
	429	print "</tr>";
	430
	431	++$lnum;
	432	}
	433
	434	print "</table>";
	435
	436	} else {
	437	print "<p>";
	438	if (!$user_search) {
	439	print_warning(__('No users defined.'));
	440	} else {
	441	print_warning(__('No matching users found.'));
	442	}
	443	print "</p>";
	444
	445	}
	446
	447	print "</div>"; #pane
6065f3ad	448
1ffe3391	449	PluginHost::getInstance()->run_hooks(PluginHost::HOOK_PREFS_TAB,
6065f3ad AD	450	"hook_prefs_tab", "prefUsers");
6065f3ad AD	451
66665fba AD	452	print "</div>"; #container
	453
	454	}
	455
	456	}
	457	?>