Code cleanup and some fixes
This commit is contained in:
parent
41ddbcab9e
commit
074ce120e9
@ -4,6 +4,18 @@ require_once("_db.php"); //("api/_db.php");
|
||||
|
||||
|
||||
|
||||
// End currently active session
|
||||
function EndSession () {
|
||||
session_unset();
|
||||
session_destroy();
|
||||
if (isset($_COOKIE["PHPSESSID"])) {
|
||||
unset($_COOKIE["PHPSESSID"]);
|
||||
setcookie("PHPSESSID", "", time() - 3600, "/");
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
|
||||
//session_start();
|
||||
// This ^ should be placed at login stage
|
||||
|
||||
@ -15,23 +27,14 @@ if (isset($_SESSION["userid"])) {
|
||||
$s->bind_param("s", $_SESSION["userid"]);
|
||||
$s->execute();
|
||||
if (!(bool)$s->get_result()->fetch_assoc()) { // If not, then destroy session
|
||||
session_unset();
|
||||
session_destroy();
|
||||
EndSession();
|
||||
echo "user id does not exist";
|
||||
die("user id used in session does not exist");
|
||||
}
|
||||
$LOGGED_IN = true;
|
||||
} else {
|
||||
// ATTENTION: idk will this work, but this can be theoretically unsafe or cause fault
|
||||
|
||||
if (session_status()) {
|
||||
session_unset();
|
||||
session_destroy();
|
||||
}
|
||||
|
||||
if (isset($_COOKIE["PHPSESSID"])) {
|
||||
unset($_COOKIE["PHPSESSID"]);
|
||||
setcookie("PHPSESSID", "", time() - 3600, "/");
|
||||
EndSession();
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@ -2,6 +2,7 @@
|
||||
|
||||
// Internal errors
|
||||
$Err_Int_JSONEncode = "int.jsonencode"; // Failed to encode JSON data
|
||||
$Err_Int_Unexpected = "int.unexpected"; // Unexpected result
|
||||
|
||||
// Request data parsing errors
|
||||
$Err_RDP_InvalidID = "rdp.invalidid"; // Requested ID of resource is invalid
|
||||
@ -11,5 +12,5 @@ $Err_RDP_InvalidArgs = "rdp.invalidargs"; // Invalid arguments supplied to
|
||||
$Err_DP_IDNotFound = "dp.idnotfound"; // Resource not found by requested ID
|
||||
$Err_DP_AlreadyLoggedIn = "dp.alreadyloggedin"; // User already logged into account
|
||||
$Err_DP_RegClosed = "dp.regclosed"; // Registration is closed
|
||||
$Err_DP_NotEnoughRole = "dp.notenoughrole"
|
||||
$Err_DP_NotEnoughRole = "dp.notenoughrole"; // Power level is not enough for performing action
|
||||
?>
|
||||
@ -69,9 +69,11 @@ if (ThisFileIsRequested(__FILE__)) {
|
||||
ReturnJSONError($Err_RDP_InvalidArgs, "only allowed symbols are: " . $Config["registration"]["allowed_syms"]);
|
||||
}
|
||||
|
||||
// Check if login already exists
|
||||
if (User_LoginExist($login))
|
||||
ReturnJSONError($Err_RDP_InvalidArgs, "login already exists");
|
||||
|
||||
// Create account
|
||||
$result = User_Create($login, $password, $email, $invite);
|
||||
ReturnJSONData(["success" => $result]);
|
||||
} else { // Not enough arguments
|
||||
|
||||
@ -3,6 +3,9 @@ require_once("../_auth.php");
|
||||
require_once("../_utils.php");
|
||||
require_once("./index.php");
|
||||
|
||||
|
||||
|
||||
// Delete existing account
|
||||
function User_Delete ($id) {
|
||||
global $db;
|
||||
$s = $db->prepare("delete from users where id = $id");
|
||||
@ -10,25 +13,26 @@ function User_Delete($id){
|
||||
return $s->execute() !== false;
|
||||
}
|
||||
|
||||
|
||||
|
||||
if (ThisFileIsRequested(__FILE__)) {
|
||||
require_once("../_json.php");
|
||||
|
||||
if (isset($_REQUEST["id"])) {
|
||||
if (isset($_REQUEST["id"]) && $LOGGED_IN) {
|
||||
if (!ctype_digit($_REQUEST["id"]))
|
||||
ReturnJSONError($Err_RDP_InvalidID, "id must be numeric");
|
||||
if(!User_HasRole("admin")){
|
||||
ReturnJSONError($Err_DP_NotEnoughRole,"You need to be admin to delete other accounts");
|
||||
}
|
||||
$UserID = intval($_REQUEST["id"]);
|
||||
} else {
|
||||
if ($LOGGED_IN)
|
||||
} elseif (!isset($_REQUEST["id"]) && $LOGGED_IN) {
|
||||
$UserID = $_SESSION["userid"];
|
||||
else
|
||||
ReturnJSONError($Err_RDP_InvalidID, "id must be specified or valid session must be provided");
|
||||
} else {
|
||||
ReturnJSONError($Err_RDP_InvalidID, "valid session must be provided");
|
||||
}
|
||||
|
||||
if (!User_HasRole($_SESSION["userid"], "admin") && $_SESSION["userid"] !== $UserID)
|
||||
ReturnJSONError($Err_DP_NotEnoughRole, "you need to be admin to delete other accounts");
|
||||
|
||||
$result = User_Delete($UserID);
|
||||
session_unset();
|
||||
session_destroy();
|
||||
EndSession();
|
||||
ReturnJSONData(["success" => $result]);
|
||||
}
|
||||
?>
|
||||
@ -17,7 +17,7 @@ function User_LoginExist ($login): bool {
|
||||
}
|
||||
|
||||
// Check if user has specified role
|
||||
function User_HasRole ($id, $role): bool {
|
||||
function User_HasRole ($id, $role) {
|
||||
global $db;
|
||||
|
||||
$s = $db->prepare("SELECT * FROM users WHERE id = ?");
|
||||
@ -32,6 +32,7 @@ function User_HasRole ($id, $role): bool {
|
||||
if ($d["role"] == $role) {
|
||||
return true;
|
||||
}
|
||||
|
||||
return false;
|
||||
}
|
||||
|
||||
|
||||
@ -29,7 +29,7 @@ Files starting from "_" ("_example.php") are intended for internal use only.
|
||||
- [ ] user/list.php (GET/POST): get list of all users
|
||||
- [ ] user/create.php (POST): create new user account
|
||||
- [ ] user/edit.php (POST): edit user profile
|
||||
- [ ] user/delete.php (POST): delete user account
|
||||
- [x] user/delete.php (POST): delete user account
|
||||
|
||||
- [ ] post/ (GET/POST): get single post by id
|
||||
- [ ] post/search.php (GET/POST): get list of posts matching the criteria
|
||||
|
||||
Loading…
Reference in New Issue
Block a user