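/**
 * Account recovery: bind the caller's client certificate to $username once a
 * valid reset code has been presented.
 *
 * Flow as implemented here:
 *   1. The caller must present a client certificate (getCertId()) that does
 *      not already map to a user (getUser()).
 *   2. (username, sha1(resetcode)) is looked up with a prepared statement.
 *   3. If the account has multi-factor enabled (getMinFactors() > 1), the
 *      reset additionally needs approvals from (factors - 1) other devices
 *      (countKeyVotes()); until then an "ERROR: ..." string is returned and
 *      nothing is changed.
 *   4. The certificate is associated with the account (associateKey()) and a
 *      fresh reset code is generated and returned (newReset()).
 *
 * @param string $username  Untrusted, user-supplied account name.
 * @param string $resetcode Untrusted, user-supplied reset code (plaintext).
 * @return string The new reset code from newReset(), or an "ERROR: ..."
 *                message while MFA approvals are still pending.
 *
 * Terminates the request with die() on precondition failures, on database
 * errors, and on an invalid username/code pair.
 *
 * Security notes:
 *  - The reset code is stored as sha1(code) and matched by the database. A
 *    fast, unsalted hash is only acceptable if newReset() issues a long,
 *    uniformly random code (its implementation is not visible here — confirm);
 *    it must never be used for a user-chosen secret. The DB equality compare
 *    is not constant-time, which is fine for a high-entropy token but not for
 *    a short or guessable one.
 *  - No rate limiting happens here; brute-force protection for
 *    (username, code) guesses must live in the caller or at the web tier.
 *  - While MFA approvals are pending the old reset code stays valid (it is
 *    only rotated by newReset() on success) so the user can retry later.
 *  - Database error details are logged server-side and no longer echoed to
 *    the (unauthenticated) client.
 */
function doRecover($username, $resetcode) {
    $certid = getCertId();
    // Loose comparison kept on purpose: null, false and '' all mean "no cert".
    if ($certid == null) {
        die('You must be using a certificate to reset your account. Get one at <a href="getacert">getacert</a>');
    }
    if (getUser($certid) != null) {
        die('You do not need a reset, you are already logged in!');
    }

    global $authdb;
    $shacode = sha1($resetcode);

    // Both values are bound as parameters; the SQL text never contains user input.
    $stmt = $authdb->prepare('SELECT username FROM users WHERE username = ? AND resetcode = ?');
    if ($stmt === false) {
        error_log('doRecover: could not prepare reset-code query: ' . $authdb->error);
        die('Could not prepare query users for reset code statement.');
    }
    $stmt->bind_param('ss', $username, $shacode);
    if (!$stmt->execute()) {
        error_log('doRecover: could not execute reset-code query: ' . $stmt->error);
        $stmt->close();
        die('Could not query users for reset code.');
    }
    // Overwrites $username with the stored value, canonicalising it (e.g. case).
    $stmt->bind_result($username);
    $stmt->store_result();
    $found = $stmt->fetch();
    $stmt->close();
    if (!$found) {
        // One generic message for both failure modes: do not reveal whether
        // the username exists.
        die('Invalid reset code or username.');
    }

    // Multi-factor accounts need (factors - 1) device approvals before a new
    // key may be activated.
    $currentMF = getMinFactors($username);
    if ($currentMF > 1) {
        $votes  = countKeyVotes($username, '', $certid);
        $needed = $currentMF - 1;
        if ($votes < $needed) {
            return "ERROR: This account has {$currentMF}-factor authentication enabled. In order to reset it and activate this key, you must approve the reset from " . ($needed - $votes) . ' of your devices.';
        }
        // OK, do it!
        // NOTE(review): the original read setMFA($user, $factors) with neither
        // variable defined in this function (both evaluated to null). $username
        // is the only sensible first argument; the intended second argument is
        // not recoverable from this file, so the current factor count is passed
        // as the closest candidate. Confirm against setMFA()'s signature.
        setMFA($username, $currentMF);
    }

    // Save the new key.
    associateKey($username, $certid);
    // Rotate the recovery code so the one just used cannot be replayed.
    return newReset($username);
}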
if ($_POST['action'] == 'delete') { if ($_POST['username'] == $curusr) { die("You can't delete yourself! You can only delete other users."); } deleteUser($_POST['username']); } elseif ($_POST['action'] == 'promote') { setAdmin($_POST['username'], true); } elseif ($_POST['action'] == 'activate') { setActive($_POST['username'], true); } elseif ($_POST['action'] == 'demote') { if ($_POST['username'] == $curusr) { die("You can't demote yourself! You can only demote other admins."); } setAdmin($_POST['username'], false); } elseif ($_POST['action'] == 'newreset') { $reset = newReset($_POST['username']); echo '<h1>New reset code for ' . htmlspecialchars($_POST['username']) . ": {$reset}</h1>"; } } ?> <h1>User Management</h1> <form action="admin" method="post"> <p>Search: <input type="text" name="search" value=""></p> <input type="submit" value="Go"> <?php echo getCSRFinputcode(); ?> </form> <table> <thead> <tr><th>Username</th><th>Address</th><th>City</th><th>State</th><th>Postal/zip code</th><th>Country</th><th>Admin</th></tr>