Code cleanup and some fixes
This commit is contained in:
@@ -4,6 +4,18 @@ require_once("_db.php"); //("api/_db.php");
|
|||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
// End currently active session
|
||||||
|
function EndSession () {
|
||||||
|
session_unset();
|
||||||
|
session_destroy();
|
||||||
|
if (isset($_COOKIE["PHPSESSID"])) {
|
||||||
|
unset($_COOKIE["PHPSESSID"]);
|
||||||
|
setcookie("PHPSESSID", "", time() - 3600, "/");
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
//session_start();
|
//session_start();
|
||||||
// This ^ should be placed at login stage
|
// This ^ should be placed at login stage
|
||||||
|
|
||||||
@@ -15,23 +27,14 @@ if (isset($_SESSION["userid"])) {
|
|||||||
$s->bind_param("s", $_SESSION["userid"]);
|
$s->bind_param("s", $_SESSION["userid"]);
|
||||||
$s->execute();
|
$s->execute();
|
||||||
if (!(bool)$s->get_result()->fetch_assoc()) { // If not, then destroy session
|
if (!(bool)$s->get_result()->fetch_assoc()) { // If not, then destroy session
|
||||||
session_unset();
|
EndSession();
|
||||||
session_destroy();
|
|
||||||
echo "user id does not exist";
|
echo "user id does not exist";
|
||||||
die("user id used in session does not exist");
|
die("user id used in session does not exist");
|
||||||
}
|
}
|
||||||
$LOGGED_IN = true;
|
$LOGGED_IN = true;
|
||||||
} else {
|
} else {
|
||||||
// ATTENTION: idk will this work, but this can be theoretically unsafe or cause fault
|
|
||||||
|
|
||||||
if (session_status()) {
|
if (session_status()) {
|
||||||
session_unset();
|
EndSession();
|
||||||
session_destroy();
|
|
||||||
}
|
|
||||||
|
|
||||||
if (isset($_COOKIE["PHPSESSID"])) {
|
|
||||||
unset($_COOKIE["PHPSESSID"]);
|
|
||||||
setcookie("PHPSESSID", "", time() - 3600, "/");
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@@ -2,6 +2,7 @@
|
|||||||
|
|
||||||
// Internal errors
|
// Internal errors
|
||||||
$Err_Int_JSONEncode = "int.jsonencode"; // Failed to encode JSON data
|
$Err_Int_JSONEncode = "int.jsonencode"; // Failed to encode JSON data
|
||||||
|
$Err_Int_Unexpected = "int.unexpected"; // Unexpected result
|
||||||
|
|
||||||
// Request data parsing errors
|
// Request data parsing errors
|
||||||
$Err_RDP_InvalidID = "rdp.invalidid"; // Requested ID of resource is invalid
|
$Err_RDP_InvalidID = "rdp.invalidid"; // Requested ID of resource is invalid
|
||||||
@@ -11,5 +12,5 @@ $Err_RDP_InvalidArgs = "rdp.invalidargs"; // Invalid arguments supplied to
|
|||||||
$Err_DP_IDNotFound = "dp.idnotfound"; // Resource not found by requested ID
|
$Err_DP_IDNotFound = "dp.idnotfound"; // Resource not found by requested ID
|
||||||
$Err_DP_AlreadyLoggedIn = "dp.alreadyloggedin"; // User already logged into account
|
$Err_DP_AlreadyLoggedIn = "dp.alreadyloggedin"; // User already logged into account
|
||||||
$Err_DP_RegClosed = "dp.regclosed"; // Registration is closed
|
$Err_DP_RegClosed = "dp.regclosed"; // Registration is closed
|
||||||
$Err_DP_NotEnoughRole = "dp.notenoughrole"
|
$Err_DP_NotEnoughRole = "dp.notenoughrole"; // Power level is not enough for performing action
|
||||||
?>
|
?>
|
||||||
@@ -69,9 +69,11 @@ if (ThisFileIsRequested(__FILE__)) {
|
|||||||
ReturnJSONError($Err_RDP_InvalidArgs, "only allowed symbols are: " . $Config["registration"]["allowed_syms"]);
|
ReturnJSONError($Err_RDP_InvalidArgs, "only allowed symbols are: " . $Config["registration"]["allowed_syms"]);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Check if login already exists
|
||||||
if (User_LoginExist($login))
|
if (User_LoginExist($login))
|
||||||
ReturnJSONError($Err_RDP_InvalidArgs, "login already exists");
|
ReturnJSONError($Err_RDP_InvalidArgs, "login already exists");
|
||||||
|
|
||||||
|
// Create account
|
||||||
$result = User_Create($login, $password, $email, $invite);
|
$result = User_Create($login, $password, $email, $invite);
|
||||||
ReturnJSONData(["success" => $result]);
|
ReturnJSONData(["success" => $result]);
|
||||||
} else { // Not enough arguments
|
} else { // Not enough arguments
|
||||||
|
|||||||
@@ -3,6 +3,9 @@ require_once("../_auth.php");
|
|||||||
require_once("../_utils.php");
|
require_once("../_utils.php");
|
||||||
require_once("./index.php");
|
require_once("./index.php");
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
// Delete existing account
|
||||||
function User_Delete ($id) {
|
function User_Delete ($id) {
|
||||||
global $db;
|
global $db;
|
||||||
$s = $db->prepare("delete from users where id = $id");
|
$s = $db->prepare("delete from users where id = $id");
|
||||||
@@ -10,25 +13,26 @@ function User_Delete($id){
|
|||||||
return $s->execute() !== false;
|
return $s->execute() !== false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
if (ThisFileIsRequested(__FILE__)) {
|
if (ThisFileIsRequested(__FILE__)) {
|
||||||
require_once("../_json.php");
|
require_once("../_json.php");
|
||||||
|
|
||||||
if (isset($_REQUEST["id"])) {
|
if (isset($_REQUEST["id"]) && $LOGGED_IN) {
|
||||||
if (!ctype_digit($_REQUEST["id"]))
|
if (!ctype_digit($_REQUEST["id"]))
|
||||||
ReturnJSONError($Err_RDP_InvalidID, "id must be numeric");
|
ReturnJSONError($Err_RDP_InvalidID, "id must be numeric");
|
||||||
if(!User_HasRole("admin")){
|
|
||||||
ReturnJSONError($Err_DP_NotEnoughRole,"You need to be admin to delete other accounts");
|
|
||||||
}
|
|
||||||
$UserID = intval($_REQUEST["id"]);
|
$UserID = intval($_REQUEST["id"]);
|
||||||
} else {
|
} elseif (!isset($_REQUEST["id"]) && $LOGGED_IN) {
|
||||||
if ($LOGGED_IN)
|
|
||||||
$UserID = $_SESSION["userid"];
|
$UserID = $_SESSION["userid"];
|
||||||
else
|
} else {
|
||||||
ReturnJSONError($Err_RDP_InvalidID, "id must be specified or valid session must be provided");
|
ReturnJSONError($Err_RDP_InvalidID, "valid session must be provided");
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (!User_HasRole($_SESSION["userid"], "admin") && $_SESSION["userid"] !== $UserID)
|
||||||
|
ReturnJSONError($Err_DP_NotEnoughRole, "you need to be admin to delete other accounts");
|
||||||
|
|
||||||
$result = User_Delete($UserID);
|
$result = User_Delete($UserID);
|
||||||
session_unset();
|
EndSession();
|
||||||
session_destroy();
|
|
||||||
ReturnJSONData(["success" => $result]);
|
ReturnJSONData(["success" => $result]);
|
||||||
}
|
}
|
||||||
?>
|
?>
|
||||||
@@ -17,7 +17,7 @@ function User_LoginExist ($login): bool {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Check if user has specified role
|
// Check if user has specified role
|
||||||
function User_HasRole ($id, $role): bool {
|
function User_HasRole ($id, $role) {
|
||||||
global $db;
|
global $db;
|
||||||
|
|
||||||
$s = $db->prepare("SELECT * FROM users WHERE id = ?");
|
$s = $db->prepare("SELECT * FROM users WHERE id = ?");
|
||||||
@@ -32,6 +32,7 @@ function User_HasRole ($id, $role): bool {
|
|||||||
if ($d["role"] == $role) {
|
if ($d["role"] == $role) {
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@@ -29,7 +29,7 @@ Files starting from "_" ("_example.php") are intended for internal use only.
|
|||||||
- [ ] user/list.php (GET/POST): get list of all users
|
- [ ] user/list.php (GET/POST): get list of all users
|
||||||
- [ ] user/create.php (POST): create new user account
|
- [ ] user/create.php (POST): create new user account
|
||||||
- [ ] user/edit.php (POST): edit user profile
|
- [ ] user/edit.php (POST): edit user profile
|
||||||
- [ ] user/delete.php (POST): delete user account
|
- [x] user/delete.php (POST): delete user account
|
||||||
|
|
||||||
- [ ] post/ (GET/POST): get single post by id
|
- [ ] post/ (GET/POST): get single post by id
|
||||||
- [ ] post/search.php (GET/POST): get list of posts matching the criteria
|
- [ ] post/search.php (GET/POST): get list of posts matching the criteria
|
||||||
|
|||||||
Reference in New Issue
Block a user