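/**
 * Handles a POST request to remove a user account.
 *
 * Reads `user_remove` (the username) and `user_remove_confirm` (confirmation flag)
 * from $_POST. The row is only deleted when the confirmation flag is present;
 * without it the result just carries the username so the caller can render a
 * confirmation step.
 *
 * Relies on the globals $database, $current_user and $can_delete_users.
 *
 * @return UserRemoveResult  success / error_message, user_name, removal_confirmed
 */
function ProcessUserRemove()
{
    global $database;
    global $current_user;
    global $can_delete_users;

    $result = new UserRemoveResult();

    // Authorisation first: only accounts holding the delete-users permission may continue.
    if (!$can_delete_users) {
        $result->success = false;
        $result->error_message = "Your user account does not have sufficient priviledges to delete users.";
        return $result;
    }

    // The username to remove is untrusted request input; it is bound as a
    // query parameter below and escaped before being echoed into HTML.
    if (!isset($_POST["user_remove"]) || empty($_POST["user_remove"])) {
        $result->success = false;
        $result->error_message = "No username to remove provided.";
        return $result;
    }
    $result->user_name = $_POST["user_remove"];

    // Refuse to delete the account that is performing the request.
    if ($result->user_name === $current_user) {
        $result->success = false;
        $result->error_message = "You cannot remove the currently logged in user.";
        return $result;
    }

    // Only delete once the user has explicitly confirmed the removal.
    $result->removal_confirmed = isset($_POST["user_remove_confirm"]);
    if ($result->removal_confirmed) {
        // Confirm the account exists before issuing the DELETE.
        $user_read = new UserRead($database, "SELECT {0} FROM `map_server_users` WHERE username = ?");
        $user_read->ExecuteQuery(array($result->user_name));
        if (!$user_read->MoveNext()) {
            $result->success = false;
            $result->error_message = "Matching username not found in the database.";
            return $result;
        }

        // Parameterised DELETE: the username is bound, never interpolated into SQL.
        $remove_user_query = $database->prepare("DELETE FROM map_server_users WHERE username = ?");

        // The username came straight from $_POST, so escape it for the HTML context.
        $display_name = htmlspecialchars($result->user_name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

        if ($remove_user_query->execute(array($result->user_name))) {
            print_line_inset("User " . $display_name . " removed.<br/>", 2);
        } else {
            // A DELETE that did not execute is a failed operation, so report it as one
            // instead of returning success with only a printed warning.
            print_line_inset("Failed to remove user " . $display_name . ".<br/>", 2);
            $result->success = false;
            $result->error_message = "Failed to remove user from the database.";
            return $result;
        }
    }

    $result->success = true;
    return $result;
}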
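/**
 * Handles a POST request by the signed-in user to change their own password.
 *
 * Reads `current_password`, `new_password` and `repeat_password` from $_POST.
 * When none of the three fields is present the request is not a password change
 * and null is returned; otherwise a short HTML status or error message is returned.
 *
 * The current password is re-verified against the stored hash before the row is
 * rewritten, so a hijacked session alone is not enough to change the password.
 *
 * Relies on the globals $database and $current_user.
 *
 * @return string|null  HTML status/error message, or null when no change was requested
 */
function ProcessPasswordChange()
{
    global $database;
    global $current_user;

    // Nothing to do unless at least one of the password fields was submitted.
    if (!isset($_POST["current_password"]) && !isset($_POST["new_password"]) && !isset($_POST["repeat_password"])) {
        return null;
    }

    // Each field must be a present, non-empty string. A strict '' comparison is used
    // instead of empty() so that a password consisting of "0" is not rejected as
    // missing, and is_string() rejects array-valued form fields (name[]).
    if (!isset($_POST["current_password"]) || !is_string($_POST["current_password"]) || $_POST["current_password"] === '') {
        return "Current password not set.<br/>";
    }
    $current_password = $_POST["current_password"];

    if (!isset($_POST["new_password"]) || !is_string($_POST["new_password"]) || $_POST["new_password"] === '') {
        return "New password not set.<br/>";
    }
    $new_password = $_POST["new_password"];

    if (!isset($_POST["repeat_password"]) || !is_string($_POST["repeat_password"]) || $_POST["repeat_password"] === '') {
        return "Repeated password not set.<br/>";
    }
    $repeat_password = $_POST["repeat_password"];

    // The new password must have been typed identically twice.
    // NOTE(review): no minimum length or complexity is enforced on the new password here.
    if ($new_password !== $repeat_password) {
        return "New password does not match the repeated password.<br/>";
    }

    // Load the signed-in user's row so the stored hash and permissions are available.
    $user_read = new UserRead($database, "SELECT {0} FROM `map_server_users` WHERE username = ?");
    $user_read->ExecuteQuery(array($current_user));
    if (!$user_read->MoveNext()) {
        return "Failed to get current user account from the database.<br/>";
    }

    // Re-authenticate with the current password before allowing the change.
    // PasswordHash(8, true) is the same construction LogIn() uses for verification;
    // presumably kept for compatibility with the hashes already stored — confirm
    // before changing either argument.
    $password_hash = new PasswordHash(8, true);
    if (!$password_hash->CheckPassword($current_password, $user_read->password_hash)) {
        return "Incorrect password provided.<br/>";
    }

    // Rewrite the row with the new hash; the permission masks are copied through unchanged.
    $user_update = new UserUpdate($database, "UPDATE `map_server_users` SET {0} WHERE username = ?");
    $user_update->username = $user_read->username;
    $user_update->password_hash = $password_hash->HashPassword($new_password);
    $user_update->map_database_permissions = $user_read->map_database_permissions;
    $user_update->user_control_permissions = $user_read->user_control_permissions;
    $user_update->ExecuteQuery(array($user_read->username));

    return "Changes saved.<br/>";
}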
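/**
 * Handles a POST request to create a new user account with a generated password.
 *
 * Reads `user_add_username` and the `user_add_can_*` checkbox fields from $_POST.
 * When a username is supplied and no such account exists yet, a random password is
 * generated, hashed and stored together with the requested permission bits, and the
 * credentials are printed once for the administrator to hand over.
 *
 * Relies on the globals $database and $can_create_users.
 *
 * @return UserAddResult  success / error_message, user_name, user_password and the
 *                        requested user_can_* flags
 */
function ProcessUserAdd()
{
    global $database;
    global $can_create_users;

    $result = new UserAddResult();

    // Authorisation first: only accounts holding the create-users permission may continue.
    if (!$can_create_users) {
        $result->success = false;
        $result->error_message = "Your user account does not have sufficient priviledges to add new users.";
        return $result;
    }

    // Defaults, so the result is fully populated even when no form was submitted.
    $result->user_name = "";
    $result->user_can_create_map_entry = false;
    $result->user_can_delete_map_entry = false;
    $result->user_can_edit_map_entry = false;
    $result->user_can_create_users = false;
    $result->user_can_delete_users = false;
    $result->user_can_edit_users = false;

    if (isset($_POST['user_add_username'])) {
        // Untrusted request input: bound as a query parameter and escaped before output.
        $result->user_name = $_POST['user_add_username'];
        // Checkbox semantics: a field that is present in the POST means "granted".
        $result->user_can_create_map_entry = isset($_POST['user_add_can_create_map_entry']);
        $result->user_can_delete_map_entry = isset($_POST['user_add_can_delete_map_entry']);
        $result->user_can_edit_map_entry = isset($_POST['user_add_can_edit_map_entry']);
        $result->user_can_create_users = isset($_POST['user_add_can_create_users']);
        $result->user_can_delete_users = isset($_POST['user_add_can_delete_users']);
        $result->user_can_edit_users = isset($_POST['user_add_can_edit_users']);

        print_line_inset("<h3>Output</h3>", 2);

        if (empty($result->user_name)) {
            print_line_inset("No username set.<br/><br/>", 2);
        } else {
            // Usernames are unique: refuse to overwrite an existing account.
            $user_read = new UserRead($database, "SELECT {0} FROM `map_server_users` WHERE username = ?");
            $user_read->ExecuteQuery(array($result->user_name));
            if ($user_read->MoveNext()) {
                print_line_inset("An account with that username already exists.<br/><br/>", 2);
            } else {
                // Generate an 8-character alphanumeric password from the CSPRNG.
                // random_int() replaces str_shuffle(), which is not cryptographically
                // secure and, being a permutation, never repeats a character.
                $alphabet = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
                $max_index = strlen($alphabet) - 1;
                $result->user_password = "";
                for ($i = 0; $i < 8; $i++) {
                    $result->user_password .= $alphabet[random_int(0, $max_index)];
                }

                $user_write = new UserWrite($database, "INSERT INTO `map_server_users` ({0}) VALUES ({1})");
                $password_hash = new PasswordHash(8, true);
                $user_write->username = $result->user_name;
                $user_write->password_hash = $password_hash->HashPassword($result->user_password);

                // Start both masks from NONE before OR-ing bits in, matching ProcessUserEdit(),
                // rather than relying on the UserWrite object's initial property values.
                $user_write->map_database_permissions = AccessPermissions::ACCESS_PERMISSIONS_NONE;
                $user_write->user_control_permissions = AccessPermissions::ACCESS_PERMISSIONS_NONE;
                if ($result->user_can_create_map_entry) {
                    $user_write->map_database_permissions |= AccessPermissions::ACCESS_PERMISSIONS_CREATE;
                }
                if ($result->user_can_delete_map_entry) {
                    $user_write->map_database_permissions |= AccessPermissions::ACCESS_PERMISSIONS_DELETE;
                }
                if ($result->user_can_edit_map_entry) {
                    $user_write->map_database_permissions |= AccessPermissions::ACCESS_PERMISSIONS_EDIT;
                }
                if ($result->user_can_create_users) {
                    $user_write->user_control_permissions |= AccessPermissions::ACCESS_PERMISSIONS_CREATE;
                }
                if ($result->user_can_delete_users) {
                    $user_write->user_control_permissions |= AccessPermissions::ACCESS_PERMISSIONS_DELETE;
                }
                if ($result->user_can_edit_users) {
                    $user_write->user_control_permissions |= AccessPermissions::ACCESS_PERMISSIONS_EDIT;
                }
                $user_write->ExecuteQuery(NULL);

                // Escape both values for the HTML context: the username is request input and
                // the password may contain no HTML-special characters today, but escaping
                // keeps the output safe if the alphabet ever changes.
                $display_name = htmlspecialchars($result->user_name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
                $display_password = htmlspecialchars($result->user_password, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

                print_line_inset("New user added!<br/>", 2);
                print_line_inset("Username: " . $display_name . "<br/>", 2);
                print_line_inset("Password: " . $display_password . "<br/>", 2);
                print_line_inset("<br/>", 2);
                print_line_inset("This password is randomly generated and should be changed by the user.<br/>", 2);
                print_line_inset("<br/>", 2);
            }
        }
    }

    $result->success = true;
    return $result;
}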
<?php if ($can_edit_users) { ?> <th></th> <?php } if ($can_delete_users) { ?> <th></th> <?php } ?> </tr> <?php // iterate through all users in the database $user_reader = new UserRead($database, "SELECT {0} FROM `map_server_users`"); $user_reader->ExecuteQuery(NULL); while ($user_reader->MoveNext()) { // get the users details $username = $user_reader->username; $map_database_permissions = ""; if ($user_reader->map_database_permissions == AccessPermissions::ACCESS_PERMISSIONS_NONE) { $map_database_permissions = "None"; } else { if (AccessPermissions::ACCESS_PERMISSIONS_CREATE == ($user_reader->map_database_permissions & AccessPermissions::ACCESS_PERMISSIONS_CREATE)) { $map_database_permissions .= "Create "; } if (AccessPermissions::ACCESS_PERMISSIONS_DELETE == ($user_reader->map_database_permissions & AccessPermissions::ACCESS_PERMISSIONS_DELETE)) { $map_database_permissions .= "Delete "; } if (AccessPermissions::ACCESS_PERMISSIONS_EDIT == ($user_reader->map_database_permissions & AccessPermissions::ACCESS_PERMISSIONS_EDIT)) {
/**
 * Handles a POST request to view, and optionally save, another user's permissions.
 *
 * Reads `user_edit` (the target username) from $_POST and fills the result with the
 * target's current permission flags. When `user_edit_save` is also present the
 * `user_edit_can_*` checkbox fields replace those flags and the row is rewritten.
 *
 * NOTE(review): the only guards are the edit-users permission and the "not the
 * signed-in user" check; an editor can grant user-control bits (including
 * create/delete/edit users) to any other account through this path.
 *
 * Relies on the globals $database, $current_user and $can_edit_users.
 *
 * @return UserEditResult  success / error_message, user_name and the user_can_* flags
 */
function ProcessUserEdit()
{
    global $database;
    global $current_user;
    global $can_edit_users;

    $result = new UserEditResult();

    // Authorisation first: the edit-users permission is required.
    if (!$can_edit_users) {
        $result->success = false;
        $result->error_message = "Your user account does not have sufficient priviledges to edit users.";
        return $result;
    }

    // The target username is untrusted request input; it is only ever bound as a parameter.
    if (!isset($_POST["user_edit"]) || empty($_POST["user_edit"])) {
        $result->success = false;
        $result->error_message = "No username to edit provided.";
        return $result;
    }
    $result->user_name = $_POST["user_edit"];

    // An account may not change its own permissions through this form.
    if ($result->user_name === $current_user) {
        $result->success = false;
        $result->error_message = "You cannot edit the currently logged in user.";
        return $result;
    }

    $user_read = new UserRead($database, "SELECT {0} FROM `map_server_users` WHERE username = ?");
    $user_read->ExecuteQuery(array($result->user_name));
    if (!$user_read->MoveNext()) {
        $result->success = false;
        $result->error_message = "Unable to find user in database.";
        return $result;
    }

    // True when every bit of $flag is set in $mask.
    $hasFlag = function ($mask, $flag) {
        return ($mask & $flag) == $flag;
    };

    // Report the target's current permissions.
    $map_mask = $user_read->map_database_permissions;
    $control_mask = $user_read->user_control_permissions;
    $result->user_can_create_map_entry = $hasFlag($map_mask, AccessPermissions::ACCESS_PERMISSIONS_CREATE);
    $result->user_can_delete_map_entry = $hasFlag($map_mask, AccessPermissions::ACCESS_PERMISSIONS_DELETE);
    $result->user_can_edit_map_entry = $hasFlag($map_mask, AccessPermissions::ACCESS_PERMISSIONS_EDIT);
    $result->user_can_create_users = $hasFlag($control_mask, AccessPermissions::ACCESS_PERMISSIONS_CREATE);
    $result->user_can_delete_users = $hasFlag($control_mask, AccessPermissions::ACCESS_PERMISSIONS_DELETE);
    $result->user_can_edit_users = $hasFlag($control_mask, AccessPermissions::ACCESS_PERMISSIONS_EDIT);

    if (isset($_POST['user_edit_save'])) {
        // Checkbox semantics: a field present in the POST means "granted".
        $result->user_can_create_map_entry = isset($_POST['user_edit_can_create_map_entry']);
        $result->user_can_delete_map_entry = isset($_POST['user_edit_can_delete_map_entry']);
        $result->user_can_edit_map_entry = isset($_POST['user_edit_can_edit_map_entry']);
        $result->user_can_create_users = isset($_POST['user_edit_can_create_users']);
        $result->user_can_delete_users = isset($_POST['user_edit_can_delete_users']);
        $result->user_can_edit_users = isset($_POST['user_edit_can_edit_users']);

        // Rebuild both masks from NONE so unchecked boxes clear their bits.
        $new_map_mask = AccessPermissions::ACCESS_PERMISSIONS_NONE;
        if ($result->user_can_create_map_entry) {
            $new_map_mask |= AccessPermissions::ACCESS_PERMISSIONS_CREATE;
        }
        if ($result->user_can_delete_map_entry) {
            $new_map_mask |= AccessPermissions::ACCESS_PERMISSIONS_DELETE;
        }
        if ($result->user_can_edit_map_entry) {
            $new_map_mask |= AccessPermissions::ACCESS_PERMISSIONS_EDIT;
        }

        $new_control_mask = AccessPermissions::ACCESS_PERMISSIONS_NONE;
        if ($result->user_can_create_users) {
            $new_control_mask |= AccessPermissions::ACCESS_PERMISSIONS_CREATE;
        }
        if ($result->user_can_delete_users) {
            $new_control_mask |= AccessPermissions::ACCESS_PERMISSIONS_DELETE;
        }
        if ($result->user_can_edit_users) {
            $new_control_mask |= AccessPermissions::ACCESS_PERMISSIONS_EDIT;
        }

        // The password hash is copied through untouched; only the masks change.
        $user_update = new UserUpdate($database, "UPDATE `map_server_users` SET {0} WHERE username = ?");
        $user_update->username = $user_read->username;
        $user_update->password_hash = $user_read->password_hash;
        $user_update->map_database_permissions = $new_map_mask;
        $user_update->user_control_permissions = $new_control_mask;
        $user_update->ExecuteQuery(array($user_read->username));

        print_line_inset("<h3>Output</h3>", 2);
        print_line_inset("Changes saved.<br/><br/>", 2);
    }

    $result->success = true;
    return $result;
}
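/**
 * Authenticates $username / $password against the `map_server_users` table and
 * records the outcome on this object.
 *
 * On success $this->is_logged_in is set to true and $this->logged_in_user to a User
 * carrying the username and both permission masks. On any failure — unknown
 * username or wrong password — both are reset to the logged-out state, so a failed
 * attempt can never leave an earlier successful login in place.
 *
 * Opens its own read-only database connection from LoadConfig() and releases it
 * on every return path.
 *
 * @param string $username
 * @param string $password  plaintext password as submitted
 * @return bool  true when the credentials were accepted
 */
function LogIn($username, $password)
{
    // Start from the logged-out state so every failure path leaves consistent state.
    $this->is_logged_in = false;
    $this->logged_in_user = null;

    $config = LoadConfig();
    $database = OpenDatabase(
        $config->map_database->data_source_name,
        $config->map_database->username_readonly,
        $config->map_database->password_readonly
    );

    // The username is bound as a query parameter, never interpolated into SQL.
    $user_read = new UserRead($database, "SELECT {0} FROM `map_server_users` WHERE username = ?");
    $user_read->ExecuteQuery(array($username));
    if (!$user_read->MoveNext()) {
        // NOTE(review): returning before any hash computation makes an unknown username
        // distinguishable from a wrong password by response time; acceptable for this
        // deployment, but worth knowing if account names are considered sensitive.
        $database = null;
        return false;
    }

    // Same PasswordHash construction as ProcessPasswordChange(); the stored hash format
    // presumably depends on these arguments — confirm before changing them.
    $password_hash = new PasswordHash(8, true);
    if ($password_hash->CheckPassword($password, $user_read->password_hash)) {
        $user = new User();
        $user->username = $user_read->username;
        $user->user_control_permissions = $user_read->user_control_permissions;
        $user->map_database_permissions = $user_read->map_database_permissions;
        $this->logged_in_user = $user;
        $this->is_logged_in = true;
    }

    // Drop the connection reference before returning.
    $database = null;
    return $this->is_logged_in;
}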