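/**
 * Handles the password-change form for the signed-in user.
 *
 * Reads current_password, new_password and repeat_password from $_POST.
 * Returns null when none of those fields was submitted (no form posted);
 * otherwise returns an HTML status fragment describing the outcome.
 *
 * Uses the globals $database (DB handle passed to UserRead/UserUpdate) and
 * $current_user (username whose row is re-authenticated and updated).
 *
 * NOTE(review): nothing in this function binds the request to a CSRF token
 * or invalidates other sessions after the change — confirm the caller does.
 */
function ProcessPasswordChange() {
    global $database;
    global $current_user;

    $submitted = isset($_POST["current_password"])
        || isset($_POST["new_password"])
        || isset($_POST["repeat_password"]);
    if (!$submitted) {
        return null;
    }

    // Field name => error returned when that field is missing. Order matters:
    // the first missing field's message is returned, as before.
    $fields = array(
        "current_password" => "Current password not set.<br/>",
        "new_password" => "New password not set.<br/>",
        "repeat_password" => "Repeated password not set.<br/>",
    );

    // Each field must be present as a non-empty string. A strict "" test is
    // used instead of empty() so that the password "0" is accepted, and
    // non-string values (e.g. new_password[]=x) are rejected before they reach
    // the hash routines.
    $values = array();
    foreach ($fields as $name => $error) {
        if (!isset($_POST[$name]) || !is_string($_POST[$name]) || $_POST[$name] === "") {
            return $error;
        }
        $values[$name] = $_POST[$name];
    }

    // Confirm the new password was typed the same way twice.
    if ($values["new_password"] !== $values["repeat_password"]) {
        return "New password does not match the repeated password.<br/>";
    }
    // NOTE(review): no minimum length or complexity policy is enforced on the
    // new password here — if one is intended, it belongs before the hash below.

    // Fetch the signed-in user's row (parameterised lookup by username).
    $user_read = new UserRead($database, "SELECT {0} FROM `map_server_users` WHERE username = ?");
    $user_read->ExecuteQuery(array($current_user));
    if (!$user_read->MoveNext()) {
        return "Failed to get current user account from the database.<br/>";
    }

    // Re-authenticate with the current password before allowing the change.
    // NOTE(review): PasswordHash(8, true) looks like phpass with "portable"
    // (MD5-based) hashes enabled. Passing false would produce bcrypt hashes
    // where the platform supports them; phpass's CheckPassword still verifies
    // previously stored portable hashes, so existing rows keep working — confirm
    // before switching.
    $password_hash = new PasswordHash(8, true);
    if (!$password_hash->CheckPassword($values["current_password"], $user_read->password_hash)) {
        return "Incorrect password provided.<br/>";
    }

    // Rewrite the row with only the hash changed; both permission masks are
    // carried over from the row just read.
    $user_update = new UserUpdate($database, "UPDATE `map_server_users` SET {0} WHERE username = ?");
    $user_update->username = $user_read->username;
    $user_update->password_hash = $password_hash->HashPassword($values["new_password"]);
    $user_update->map_database_permissions = $user_read->map_database_permissions;
    $user_update->user_control_permissions = $user_read->user_control_permissions;
    $user_update->ExecuteQuery(array($user_read->username));

    return "Changes saved.<br/>";
}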
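/**
 * Tests a single permission bit in a permissions bitmask.
 *
 * @param int $permissions bitmask as stored in map_server_users
 * @param int $flag        one of the AccessPermissions::ACCESS_PERMISSIONS_* constants
 * @return bool true when every bit of $flag is set in $permissions
 */
function ProcessUserEdit_HasPermission($permissions, $flag) {
    return ($permissions & $flag) == $flag;
}

/**
 * Builds a permissions bitmask from three checkbox states.
 *
 * @param bool $can_create sets ACCESS_PERMISSIONS_CREATE
 * @param bool $can_delete sets ACCESS_PERMISSIONS_DELETE
 * @param bool $can_edit   sets ACCESS_PERMISSIONS_EDIT
 * @return int bitmask starting from ACCESS_PERMISSIONS_NONE
 */
function ProcessUserEdit_BuildPermissionMask($can_create, $can_delete, $can_edit) {
    $mask = AccessPermissions::ACCESS_PERMISSIONS_NONE;
    if ($can_create) {
        $mask |= AccessPermissions::ACCESS_PERMISSIONS_CREATE;
    }
    if ($can_delete) {
        $mask |= AccessPermissions::ACCESS_PERMISSIONS_DELETE;
    }
    if ($can_edit) {
        $mask |= AccessPermissions::ACCESS_PERMISSIONS_EDIT;
    }
    return $mask;
}

/**
 * Loads, and optionally saves, the permission flags of another user account.
 *
 * Reads the target username from $_POST["user_edit"]. When $_POST["user_edit_save"]
 * is present, the six user_edit_can_* checkbox fields replace the account's
 * map_database_permissions and user_control_permissions (the password hash is
 * preserved) and a "Changes saved" fragment is printed via print_line_inset.
 *
 * Uses the globals $database, $current_user and $can_edit_users.
 *
 * @return UserEditResult success/error_message plus the user_can_* flags
 *         reflecting the stored (or just-saved) permissions
 *
 * NOTE(review): a caller with edit-user rights can grant user_control
 * permissions, including edit, to any other account; nothing here checks a
 * CSRF token — confirm the surrounding form handling does.
 */
function ProcessUserEdit() {
    global $database;
    global $current_user;
    global $can_edit_users;

    $result = new UserEditResult();

    // Only callers holding the user-edit privilege may view or change other accounts.
    if (!$can_edit_users) {
        $result->success = false;
        $result->error_message = "Your user account does not have sufficient priviledges to edit users.";
        return $result;
    }

    // The target username must be a non-empty string. Arrays (user_edit[]=x)
    // are rejected instead of being passed to the query, and "0" is accepted,
    // which empty() would have refused.
    if (!isset($_POST["user_edit"]) || !is_string($_POST["user_edit"]) || $_POST["user_edit"] === "") {
        $result->success = false;
        $result->error_message = "No username to edit provided.";
        return $result;
    }
    $result->user_name = $_POST["user_edit"];

    // Self-edit is refused so a caller cannot change their own privileges mid-session.
    if ($result->user_name === $current_user) {
        $result->success = false;
        $result->error_message = "You cannot edit the currently logged in user.";
        return $result;
    }

    // Parameterised lookup of the target account.
    $user_read = new UserRead($database, "SELECT {0} FROM `map_server_users` WHERE username = ?");
    $user_read->ExecuteQuery(array($result->user_name));
    if (!$user_read->MoveNext()) {
        $result->success = false;
        $result->error_message = "Unable to find user in database.";
        return $result;
    }

    // Decode the stored bitmasks into the checkbox states shown on the form.
    $map_perms = $user_read->map_database_permissions;
    $user_perms = $user_read->user_control_permissions;
    $result->user_can_create_map_entry = ProcessUserEdit_HasPermission($map_perms, AccessPermissions::ACCESS_PERMISSIONS_CREATE);
    $result->user_can_delete_map_entry = ProcessUserEdit_HasPermission($map_perms, AccessPermissions::ACCESS_PERMISSIONS_DELETE);
    $result->user_can_edit_map_entry = ProcessUserEdit_HasPermission($map_perms, AccessPermissions::ACCESS_PERMISSIONS_EDIT);
    $result->user_can_create_users = ProcessUserEdit_HasPermission($user_perms, AccessPermissions::ACCESS_PERMISSIONS_CREATE);
    $result->user_can_delete_users = ProcessUserEdit_HasPermission($user_perms, AccessPermissions::ACCESS_PERMISSIONS_DELETE);
    $result->user_can_edit_users = ProcessUserEdit_HasPermission($user_perms, AccessPermissions::ACCESS_PERMISSIONS_EDIT);

    if (isset($_POST['user_edit_save'])) {
        // A checkbox is "checked" when its field is present in the POST body;
        // unchecked boxes are not submitted, so any flag absent from the
        // request is cleared on save.
        $result->user_can_create_map_entry = isset($_POST['user_edit_can_create_map_entry']);
        $result->user_can_delete_map_entry = isset($_POST['user_edit_can_delete_map_entry']);
        $result->user_can_edit_map_entry = isset($_POST['user_edit_can_edit_map_entry']);
        $result->user_can_create_users = isset($_POST['user_edit_can_create_users']);
        $result->user_can_delete_users = isset($_POST['user_edit_can_delete_users']);
        $result->user_can_edit_users = isset($_POST['user_edit_can_edit_users']);

        // Rewrite the row: username and password hash unchanged, both masks rebuilt.
        $user_update = new UserUpdate($database, "UPDATE `map_server_users` SET {0} WHERE username = ?");
        $user_update->username = $user_read->username;
        $user_update->password_hash = $user_read->password_hash;
        $user_update->map_database_permissions = ProcessUserEdit_BuildPermissionMask(
            $result->user_can_create_map_entry,
            $result->user_can_delete_map_entry,
            $result->user_can_edit_map_entry
        );
        $user_update->user_control_permissions = ProcessUserEdit_BuildPermissionMask(
            $result->user_can_create_users,
            $result->user_can_delete_users,
            $result->user_can_edit_users
        );
        $user_update->ExecuteQuery(array($user_read->username));

        print_line_inset("<h3>Output</h3>", 2);
        print_line_inset("Changes saved.<br/><br/>", 2);
    }

    $result->success = true;
    return $result;
}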