function ProcessUserRemove()
{
global $database;
global $current_user;
global $can_delete_users;
$result = new UserRemoveResult();
// only allow users with the required privileges to delete users
if (!$can_delete_users) {
$result->success = false;
$result->error_message = "Your user account does not have sufficient priviledges to delete users.";
return $result;
}
// verify the username has been set
if (!isset($_POST["user_remove"]) || empty($_POST["user_remove"])) {
$result->success = false;
$result->error_message = "No username to remove provided.";
return $result;
}
$result->user_name = $_POST["user_remove"];
// prevent the currently signed in user from being removed
if ($result->user_name === $current_user) {
$result->success = false;
$result->error_message = "You cannot remove the currently logged in user.";
return $result;
}
// if the user removal has been confirmed, remove the user from the database
$result->removal_confirmed = isset($_POST["user_remove_confirm"]);
if ($result->removal_confirmed) {
// check that the user account exists in the database
$user_read = new UserRead($database, "SELECT {0} FROM `map_server_users` WHERE username = ?");
$user_read->ExecuteQuery(array($result->user_name));
if (!$user_read->MoveNext()) {
$result->success = false;
$result->error_message = "Matching username not found in the database.";
return $result;
}
// delete the user account from the database
$sql = "DELETE FROM map_server_users WHERE username = ?";
$remove_user_query = $database->prepare($sql);
if ($remove_user_query->execute(array($result->user_name))) {
print_line_inset("User " . $result->user_name . " removed.<br/>", 2);
} else {
print_line_inset("Failed to remove user " . $result->user_name . ".<br/>", 2);
}
}
$result->success = true;
return $result;
}
function ProcessPasswordChange()
{
global $database;
global $current_user;
if (isset($_POST["current_password"]) || isset($_POST["new_password"]) || isset($_POST["repeat_password"])) {
// get the password variables
$current_password = null;
if (!isset($_POST["current_password"]) || empty($_POST["current_password"])) {
return "Current password not set.<br/>";
}
$current_password = $_POST["current_password"];
$new_password = null;
if (!isset($_POST["new_password"]) || empty($_POST["new_password"])) {
return "New password not set.<br/>";
}
$new_password = $_POST["new_password"];
$repeat_password = null;
if (!isset($_POST["repeat_password"]) || empty($_POST["repeat_password"])) {
return "Repeated password not set.<br/>";
}
$repeat_password = $_POST["repeat_password"];
// check that the new password was entered correctly
if ($new_password !== $repeat_password) {
return "New password does not match the repeated password.<br/>";
}
// get the current users database entry
$user_read = new UserRead($database, "SELECT {0} FROM `map_server_users` WHERE username = ?");
$user_read->ExecuteQuery(array($current_user));
if (!$user_read->MoveNext()) {
return "Failed to get current user account from the database.<br/>";
}
// check that the provided password matches the current users password
$password_hash = new PasswordHash(8, true);
if (!$password_hash->CheckPassword($current_password, $user_read->password_hash)) {
return "Incorrect password provided.<br/>";
}
$user_update = new UserUpdate($database, "UPDATE `map_server_users` SET {0} WHERE username = ?");
$user_update->username = $user_read->username;
$user_update->password_hash = $password_hash->HashPassword($new_password);
$user_update->map_database_permissions = $user_read->map_database_permissions;
$user_update->user_control_permissions = $user_read->user_control_permissions;
$user_update->ExecuteQuery(array($user_read->username));
return "Changes saved.<br/>";
}
return null;
}
function ProcessUserAdd()
{
global $database;
global $can_create_users;
$result = new UserAddResult();
if (!$can_create_users) {
$result->success = false;
$result->error_message = "Your user account does not have sufficient priviledges to add new users.";
return $result;
}
$result->user_name = "";
$result->user_can_create_map_entry = false;
$result->user_can_delete_map_entry = false;
$result->user_can_edit_map_entry = false;
$result->user_can_create_users = false;
$result->user_can_delete_users = false;
$result->user_can_edit_users = false;
if (isset($_POST['user_add_username'])) {
$result->user_name = $_POST['user_add_username'];
$result->user_can_create_map_entry = isset($_POST['user_add_can_create_map_entry']);
$result->user_can_delete_map_entry = isset($_POST['user_add_can_delete_map_entry']);
$result->user_can_edit_map_entry = isset($_POST['user_add_can_edit_map_entry']);
$result->user_can_create_users = isset($_POST['user_add_can_create_users']);
$result->user_can_delete_users = isset($_POST['user_add_can_delete_users']);
$result->user_can_edit_users = isset($_POST['user_add_can_edit_users']);
print_line_inset("<h3>Output</h3>", 2);
if (empty($result->user_name)) {
print_line_inset("No username set.<br/><br/>", 2);
} else {
$user_read = new UserRead($database, "SELECT {0} FROM `map_server_users` WHERE username = ?");
$user_read->ExecuteQuery(array($result->user_name));
if ($user_read->MoveNext()) {
print_line_inset("An account with that username already exists.<br/><br/>", 2);
} else {
// generate a random password for the new user account
$result->user_password = substr(str_shuffle("0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"), 0, 8);
$user_write = new UserWrite($database, "INSERT INTO `map_server_users` ({0}) VALUES ({1})");
$password_hash = new PasswordHash(8, true);
$user_write->username = $result->user_name;
$user_write->password_hash = $password_hash->HashPassword($result->user_password);
if ($result->user_can_create_map_entry) {
$user_write->map_database_permissions |= AccessPermissions::ACCESS_PERMISSIONS_CREATE;
}
if ($result->user_can_delete_map_entry) {
$user_write->map_database_permissions |= AccessPermissions::ACCESS_PERMISSIONS_DELETE;
}
if ($result->user_can_edit_map_entry) {
$user_write->map_database_permissions |= AccessPermissions::ACCESS_PERMISSIONS_EDIT;
}
if ($result->user_can_create_users) {
$user_write->user_control_permissions |= AccessPermissions::ACCESS_PERMISSIONS_CREATE;
}
if ($result->user_can_delete_users) {
$user_write->user_control_permissions |= AccessPermissions::ACCESS_PERMISSIONS_DELETE;
}
if ($result->user_can_edit_users) {
$user_write->user_control_permissions |= AccessPermissions::ACCESS_PERMISSIONS_EDIT;
}
$user_write->ExecuteQuery(NULL);
print_line_inset("New user added!<br/>", 2);
print_line_inset("Username: "******"<br/>", 2);
print_line_inset("Password: "******"<br/>", 2);
print_line_inset("<br/>", 2);
print_line_inset("This password is randomly generated and should be changed by the user.<br/>", 2);
print_line_inset("<br/>", 2);
}
}
}
$result->success = true;
return $result;
}
<?php
if ($can_edit_users) {
?>
<th></th>
<?php
}
if ($can_delete_users) {
?>
<th></th>
<?php
}
?>
</tr>
<?php
// iterate through all users in the database
$user_reader = new UserRead($database, "SELECT {0} FROM `map_server_users`");
$user_reader->ExecuteQuery(NULL);
while ($user_reader->MoveNext()) {
// get the users details
$username = $user_reader->username;
$map_database_permissions = "";
if ($user_reader->map_database_permissions == AccessPermissions::ACCESS_PERMISSIONS_NONE) {
$map_database_permissions = "None";
} else {
if (AccessPermissions::ACCESS_PERMISSIONS_CREATE == ($user_reader->map_database_permissions & AccessPermissions::ACCESS_PERMISSIONS_CREATE)) {
$map_database_permissions .= "Create ";
}
if (AccessPermissions::ACCESS_PERMISSIONS_DELETE == ($user_reader->map_database_permissions & AccessPermissions::ACCESS_PERMISSIONS_DELETE)) {
$map_database_permissions .= "Delete ";
}
if (AccessPermissions::ACCESS_PERMISSIONS_EDIT == ($user_reader->map_database_permissions & AccessPermissions::ACCESS_PERMISSIONS_EDIT)) {
function ProcessUserEdit()
{
global $database;
global $current_user;
global $can_edit_users;
$result = new UserEditResult();
// only allow users with the required privileges to delete users
if (!$can_edit_users) {
$result->success = false;
$result->error_message = "Your user account does not have sufficient priviledges to edit users.";
return $result;
}
// verify the username has been set
if (!isset($_POST["user_edit"]) || empty($_POST["user_edit"])) {
$result->success = false;
$result->error_message = "No username to edit provided.";
return $result;
}
$result->user_name = $_POST["user_edit"];
// prevent the currently signed in user from being edited
if ($result->user_name === $current_user) {
$result->success = false;
$result->error_message = "You cannot edit the currently logged in user.";
return $result;
}
$user_read = new UserRead($database, "SELECT {0} FROM `map_server_users` WHERE username = ?");
$user_read->ExecuteQuery(array($result->user_name));
if (!$user_read->MoveNext()) {
$result->success = false;
$result->error_message = "Unable to find user in database.";
return $result;
}
$result->user_can_create_map_entry = ($user_read->map_database_permissions & AccessPermissions::ACCESS_PERMISSIONS_CREATE) == AccessPermissions::ACCESS_PERMISSIONS_CREATE;
$result->user_can_delete_map_entry = ($user_read->map_database_permissions & AccessPermissions::ACCESS_PERMISSIONS_DELETE) == AccessPermissions::ACCESS_PERMISSIONS_DELETE;
$result->user_can_edit_map_entry = ($user_read->map_database_permissions & AccessPermissions::ACCESS_PERMISSIONS_EDIT) == AccessPermissions::ACCESS_PERMISSIONS_EDIT;
$result->user_can_create_users = ($user_read->user_control_permissions & AccessPermissions::ACCESS_PERMISSIONS_CREATE) == AccessPermissions::ACCESS_PERMISSIONS_CREATE;
$result->user_can_delete_users = ($user_read->user_control_permissions & AccessPermissions::ACCESS_PERMISSIONS_DELETE) == AccessPermissions::ACCESS_PERMISSIONS_DELETE;
$result->user_can_edit_users = ($user_read->user_control_permissions & AccessPermissions::ACCESS_PERMISSIONS_EDIT) == AccessPermissions::ACCESS_PERMISSIONS_EDIT;
if (isset($_POST['user_edit_save'])) {
$result->user_can_create_map_entry = isset($_POST['user_edit_can_create_map_entry']);
$result->user_can_delete_map_entry = isset($_POST['user_edit_can_delete_map_entry']);
$result->user_can_edit_map_entry = isset($_POST['user_edit_can_edit_map_entry']);
$result->user_can_create_users = isset($_POST['user_edit_can_create_users']);
$result->user_can_delete_users = isset($_POST['user_edit_can_delete_users']);
$result->user_can_edit_users = isset($_POST['user_edit_can_edit_users']);
$user_update = new UserUpdate($database, "UPDATE `map_server_users` SET {0} WHERE username = ?");
$user_update->username = $user_read->username;
$user_update->password_hash = $user_read->password_hash;
$user_update->map_database_permissions = AccessPermissions::ACCESS_PERMISSIONS_NONE;
$user_update->user_control_permissions = AccessPermissions::ACCESS_PERMISSIONS_NONE;
if ($result->user_can_create_map_entry) {
$user_update->map_database_permissions |= AccessPermissions::ACCESS_PERMISSIONS_CREATE;
}
if ($result->user_can_delete_map_entry) {
$user_update->map_database_permissions |= AccessPermissions::ACCESS_PERMISSIONS_DELETE;
}
if ($result->user_can_edit_map_entry) {
$user_update->map_database_permissions |= AccessPermissions::ACCESS_PERMISSIONS_EDIT;
}
if ($result->user_can_create_users) {
$user_update->user_control_permissions |= AccessPermissions::ACCESS_PERMISSIONS_CREATE;
}
if ($result->user_can_delete_users) {
$user_update->user_control_permissions |= AccessPermissions::ACCESS_PERMISSIONS_DELETE;
}
if ($result->user_can_edit_users) {
$user_update->user_control_permissions |= AccessPermissions::ACCESS_PERMISSIONS_EDIT;
}
$user_update->ExecuteQuery(array($user_read->username));
print_line_inset("<h3>Output</h3>", 2);
print_line_inset("Changes saved.<br/><br/>", 2);
}
$result->success = true;
return $result;
}
function LogIn($username, $password)
{
$config = LoadConfig();
$database = OpenDatabase($config->map_database->data_source_name, $config->map_database->username_readonly, $config->map_database->password_readonly);
$user_read = new UserRead($database, "SELECT {0} FROM `map_server_users` WHERE username = ?");
$user_read->ExecuteQuery(array($username));
if (!$user_read->MoveNext()) {
return false;
}
$password_hash = new PasswordHash(8, true);
if ($password_hash->CheckPassword($password, $user_read->password_hash)) {
$this->is_logged_in = true;
$user = new User();
$user->username = $user_read->username;
$user->user_control_permissions = $user_read->user_control_permissions;
$user->map_database_permissions = $user_read->map_database_permissions;
$this->logged_in_user = $user;
} else {
$this->is_logged_in = false;
$this->logged_in_user = null;
}
$database = null;
return $this->is_logged_in;
}
