$userAction = $defaultUserAction; $message .= '<p class="error">' . $errorMessages['delUser_protectedAccount'] . '</p>'; } else { ?> <h2><?php print $text['header']; ?> </h2> <div id="user_confirmDelete"> <fieldset> <legend><?php print $text['delUser']; ?> <strong><?php print $user->getLogin(); ?> </strong></legend> <p><?php print $text['delUser_question']; ?> </p> <form action ="?action=user&user_action=delete" method="post"> <input type="hidden" name="user_id" value="<?php print $userId; ?> " /> <input type="hidden" name="csrf" value="<?php print $user->getCsrfTokenFromSession(); ?> " />
// delete user confirmation
// Step 1 of a two-step delete: the admin selected an account in the user list
// (POST 'user_list_select'). Renders the confirmation page, which carries the
// session CSRF token that the 'delete' step below checks.
if ($userAction == 'delete_confirm' && $user->perm->checkRight($user->getUserId(), 'deluser')) {
    $message = '';
    // NOTE(review): $user is replaced by a fresh object and then loaded with the
    // *target* account below, so after this line $user no longer refers to the
    // logged-in admin whose right was just checked.
    $user = new PMF_User_CurrentUser($faqConfig);
    // FILTER_VALIDATE_INT with default 0: a missing or non-integer id becomes 0.
    $userId = PMF_Filter::filterInput(INPUT_POST, 'user_list_select', FILTER_VALIDATE_INT, 0);
    if ($userId == 0) {
        $message .= sprintf('<p class="alert alert-error">%s</p>', $PMF_LANG['ad_user_error_noId']);
        $userAction = $defaultUserAction;
    } else {
        // Return value is not checked here; whether an unknown id is reported
        // further down (status check / template) cannot be seen in this excerpt.
        $user->getUserById($userId);
        // account is protected
        // user id 1 is always treated as protected, independent of its stored status
        if ($user->getStatus() == 'protected' || $userId == 1) {
            $message .= sprintf('<p class="alert alert-error">%s</p>', $PMF_LANG['ad_user_error_protectedAccount']);
            $userAction = $defaultUserAction;
        } else {
            // The token handed to the template is what the confirmation form posts
            // back as 'csrf'; the delete step compares it with the session value.
            $twig->loadTemplate('user/delete_confirm.twig')->display(array('PMF_LANG' => $PMF_LANG, 'csrfToken' => $user->getCsrfTokenFromSession(), 'userId' => $userId, 'userLogin' => $user->getLogin()));
        }
    }
}
// delete user
// Step 2: perform the deletion. Expects POST 'user_id' and the CSRF token 'csrf'
// emitted by the confirmation page. The body of this block continues past the
// end of this excerpt.
if ($userAction == 'delete' && $user->perm->checkRight($user->getUserId(), 'deluser')) {
    $message = '';
    $user = new PMF_User($faqConfig);
    $userId = PMF_Filter::filterInput(INPUT_POST, 'user_id', FILTER_VALIDATE_INT, 0);
    $csrfOkay = true;
    // FILTER_SANITIZE_STRING is deprecated since PHP 8.1; the token is only
    // compared, never echoed, so FILTER_DEFAULT (raw) is sufficient here.
    $csrfToken = PMF_Filter::filterInput(INPUT_POST, 'csrf', FILTER_SANITIZE_STRING);
    // Strict (!==) comparison against the session token; a missing session token
    // fails as well. hash_equals() would make the comparison constant-time.
    if (!isset($_SESSION['phpmyfaq_csrf_token']) || $_SESSION['phpmyfaq_csrf_token'] !== $csrfToken) {
        $csrfOkay = false;
    }
    $userAction = $defaultUserAction;
    // NOTE(review): with && the error branch is taken only when BOTH the id is
    // invalid AND the CSRF check failed; a request carrying a valid user_id but
    // a bad or missing token falls through to the else branch. The intent is
    // almost certainly `if ($userId == 0 || !$csrfOkay)` so that a failed CSRF
    // check blocks the delete on its own — confirm against the else branch,
    // which lies outside this excerpt.
    if ($userId == 0 && !$csrfOkay) {
$userAction = $defaultUserAction; } else { $user->getUserById($userId, true); // account is protected if ($user->getStatus() == 'protected' || $userId == 1) { $message .= sprintf('<p class="alert alert-error">%s</p>', $PMF_LANG['ad_user_error_protectedAccount']); $userAction = $defaultUserAction; } else { ?> <header> <h2> <i class="icon-user"></i> <?php echo $PMF_LANG['ad_user_deleteUser']; ?> <?php echo $user->getLogin(); ?> </h2> </header> <p class="alert alert-danger"><?php print $PMF_LANG["ad_user_del_3"] . ' ' . $PMF_LANG["ad_user_del_1"] . ' ' . $PMF_LANG["ad_user_del_2"]; ?> </p> <form action ="?action=user&user_action=delete" method="post" accept-charset="utf-8"> <input type="hidden" name="user_id" value="<?php print $userId; ?> " /> <input type="hidden" name="csrf" value="<?php print $user->getCsrfTokenFromSession(); ?>