} else {
    // NOTE(review): the login is interpolated straight into HTML (no
    // htmlspecialchars()); unless logins are restricted at registration this
    // is an XSS sink in the admin UI.  $userId below is inserted unquoted into
    // inline JS, so it must already be integer-validated by the edit branch
    // above (outside this view) - confirm.
    $message .= sprintf('<p class="alert alert-success">%s <strong>%s</strong> %s</p>', $PMF_LANG['ad_msg_savedsuc_1'], $user->getLogin(), $PMF_LANG['ad_msg_savedsuc_2']);
    $message .= '<script type="text/javascript">updateUser(' . $userId . ');</script>';
}
}
}
// delete user confirmation: render the "are you sure" page for the account
// selected in the user list.  Guarded by the acting user's 'deluser' right.
if ($userAction == 'delete_confirm' && $user->perm->checkRight($user->getUserId(), 'deluser')) {
    $message = '';
    // NOTE(review): from here on $user is the *target* account, not the acting
    // admin who just passed the checkRight() guard; getStatus(), getLogin() and
    // getCsrfTokenFromSession() below all run against that object.  Presumably
    // the CSRF token is session-scoped and unaffected by the rebind - confirm.
    $user = new PMF_User_CurrentUser($faqConfig);
    // Non-integer or missing input collapses to 0, which is rejected next.
    $userId = PMF_Filter::filterInput(INPUT_POST, 'user_list_select', FILTER_VALIDATE_INT, 0);
    if ($userId == 0) {
        $message .= sprintf('<p class="alert alert-error">%s</p>', $PMF_LANG['ad_user_error_noId']);
        $userAction = $defaultUserAction;
    } else {
        $user->getUserById($userId);
        // account is protected: the 'protected' status flag and the hard-coded
        // id 1 (the built-in admin) can never be deleted through this UI.
        if ($user->getStatus() == 'protected' || $userId == 1) {
            $message .= sprintf('<p class="alert alert-error">%s</p>', $PMF_LANG['ad_user_error_protectedAccount']);
            $userAction = $defaultUserAction;
        } else {
            // The confirmation form carries the CSRF token and the target id;
            // the template is expected to escape userLogin - verify autoescape
            // is on for this Twig environment.
            $twig->loadTemplate('user/delete_confirm.twig')->display(array('PMF_LANG' => $PMF_LANG, 'csrfToken' => $user->getCsrfTokenFromSession(), 'userId' => $userId, 'userLogin' => $user->getLogin()));
        }
    }
}
// delete user: actual deletion, again guarded by the 'deluser' right.
// The CSRF check and the delete itself continue past this view.
if ($userAction == 'delete' && $user->perm->checkRight($user->getUserId(), 'deluser')) {
    $message = '';
    $user = new PMF_User($faqConfig);
    $userId = PMF_Filter::filterInput(INPUT_POST, 'user_id', FILTER_VALIDATE_INT, 0);
    $csrfOkay = true;
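/**
 * Restores the logged-in user from the PHP session, if the session holds one.
 *
 * Returns null when the session carries no user, or when the stored user has
 * timed out (the user is then also removed from the session). Returns false
 * when the session data is present but cannot be tied to a live login: the
 * session id recorded in the user table is empty or differs from the current
 * one, or - with security.ipCheck enabled - the recorded IP differs from
 * REMOTE_ADDR. On success the session id is rotated if it is due, the user is
 * marked as logged in, re-saved to the session and returned.
 *
 * @static
 *
 * @param PMF_Configuration $config
 *
 * @return null|false|PMF_User_CurrentUser
 */
public static function getFromSession(PMF_Configuration $config)
{
    // No user recorded in the session at all.
    if (!isset($_SESSION[PMF_SESSION_CURRENT_USER], $_SESSION[PMF_SESSION_ID_TIMESTAMP])) {
        return null;
    }

    $user = new PMF_User_CurrentUser($config);
    $user->getUserById($_SESSION[PMF_SESSION_CURRENT_USER]);

    // Idle too long: drop the login from the session so a later request does
    // not pick it up again.
    if ($user->sessionIsTimedOut()) {
        $user->deleteFromSession();
        $user->errors[] = 'Session timed out.';
        return null;
    }

    // The session id bound to the user in the user table must be the one this
    // request runs under. Strict comparison: with loose ==/!= two different
    // numeric-looking ids could compare equal.
    $sessionInfo = $user->getSessionInfo();
    $storedSessionId = isset($sessionInfo['session_id']) ? (string) $sessionInfo['session_id'] : '';
    if ($storedSessionId === '' || $storedSessionId !== session_id()) {
        return false;
    }

    // Optional IP pinning. REMOTE_ADDR is used on purpose: it is set by the web
    // server, not taken from a client-controllable header such as
    // X-Forwarded-For. A missing stored IP is treated as a mismatch.
    if ($config->get('security.ipCheck')) {
        $storedIp = isset($sessionInfo['ip']) ? (string) $sessionInfo['ip'] : '';
        if ($storedIp !== $_SERVER['REMOTE_ADDR']) {
            return false;
        }
    }

    // Periodic session-id rotation.
    if ($user->sessionIdIsTimedOut()) {
        $user->updateSessionId();
    }

    // User is now logged in; persist the instance back to the session.
    $user->_loggedIn = true;
    $user->saveToSession();

    return $user;
}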
} else {
    // NOTE(review): the login is interpolated straight into HTML (no
    // htmlspecialchars()); unless logins are restricted at registration this
    // is an XSS sink in the admin UI.  $userId below is inserted unquoted into
    // inline JS, so it must already be integer-validated by the edit branch
    // above (outside this view) - confirm.
    $message .= sprintf('<p class="alert alert-success">%s <strong>%s</strong> %s</p>', $PMF_LANG['ad_msg_savedsuc_1'], $user->getLogin(), $PMF_LANG['ad_msg_savedsuc_2']);
    $message .= '<script type="text/javascript">updateUser(' . $userId . ');</script>';
}
}
}
// delete user confirmation: render the "are you sure" page for the account
// selected in the user list.  Guarded by the precomputed $permission map
// (built outside this view) rather than a checkRight() call.
if ($userAction == 'delete_confirm' && $permission['deluser']) {
    $message = '';
    // NOTE(review): from here on $user is the *target* account, not the acting
    // admin; getStatus() and getLogin() below run against that object.
    $user = new PMF_User_CurrentUser($faqConfig);
    // Non-integer or missing input collapses to 0, which is rejected next.
    $userId = PMF_Filter::filterInput(INPUT_POST, 'user_list_select', FILTER_VALIDATE_INT, 0);
    if ($userId == 0) {
        $message .= sprintf('<p class="alert alert-error">%s</p>', $PMF_LANG['ad_user_error_noId']);
        $userAction = $defaultUserAction;
    } else {
        // Second argument's meaning is not visible here - presumably a
        // "load even if inactive/blocked" flag; confirm against PMF_User.
        $user->getUserById($userId, true);
        // account is protected: the 'protected' status flag and the hard-coded
        // id 1 (the built-in admin) can never be deleted through this UI.
        if ($user->getStatus() == 'protected' || $userId == 1) {
            $message .= sprintf('<p class="alert alert-error">%s</p>', $PMF_LANG['ad_user_error_protectedAccount']);
            $userAction = $defaultUserAction;
        } else {
            // NOTE(review): the target login is echoed into the <h2> below
            // without htmlspecialchars(); same XSS concern as the success
            // message above.  The markup continues past this view.
            ?> <header> <h2> <i class="icon-user"></i> <?php echo $PMF_LANG['ad_user_deleteUser']; ?> <?php echo $user->getLogin(); ?> </h2>