Наконец-то разобрался с сессиями, +минорные фиксы

api/_auth.php

@@ -16,12 +16,15 @@ function EndSession () {
 
 
 
-//session_start();
+// A few tips:
-// This ^ should be placed at login stage
+// session_start() - start OR RESUME session
+// If $_SESSION["userid"] is set - it counted as active login session
+// If its not set - it counted as no login session
+session_start();
 
 $LOGGED_IN = false;
 
-if (session_status() == PHP_SESSION_ACTIVE && isset($_SESSION["userid"])) {
+if (session_status() === PHP_SESSION_ACTIVE && isset($_SESSION["userid"])) { // If there are active session
 	// Check if user still exist
 	$s = $db->prepare("SELECT * FROM users WHERE id = ?");
 	$s->bind_param("s", $_SESSION["userid"]);
@@ -32,10 +35,19 @@ if (session_status() == PHP_SESSION_ACTIVE && isset($_SESSION["userid"])) {
 		die("user id used in session does not exist");
 	}
 	$LOGGED_IN = true;
-} elseif (session_status() == PHP_SESSION_ACTIVE && !isset($_SESSION["userid"])) {
+} elseif (session_status() === PHP_SESSION_DISABLED) { // If sessions are disabled
-	echo "no userid, destroying session";
+	die("ERROR: please enable sessions in php config");
+}
+
+if ($Config["debug"] && isset($_REQUEST["debug"])) { // If there are not any session and debug mode is on
+	// ATTENTION: FOR DEBUG PURPOSES ONLY!
+	if ($_REQUEST["debug"] == "drop") {
 		EndSession();
-	die("no userid in session");
+		die("session discarded");
+	}
+	$_SESSION["userid"] = intval($_REQUEST["debug"]);
+	print_r(["created_session" => $_SESSION]);
+	die();
 }
 
 ?>

api/user/delete.php

@@ -8,7 +8,7 @@ require_once("./index.php");
 // Delete existing account
 function User_Delete ($id) {
 	global $db;
-	$s = $db->prepare("delete from users where id = $id");
+	$s = $db->prepare("delete from users where id = ?");
 	$s->bind_param("s", $id);
 	return $s->execute() !== false;
 }
@@ -32,11 +32,16 @@ if (ThisFileIsRequested(__FILE__)) {
 		ReturnJSONError($Err_RDP_InvalidID, "valid session must be provided");
 	}
 
+	// If its attempt to delete other account
 	if (!User_HasRole($_SESSION["userid"], "admin") && $_SESSION["userid"] !== $UserID)
 		ReturnJSONError($Err_DP_NotEnoughRole, "you need to be admin to delete other accounts");
 
 	$result = User_Delete($UserID);
+
+	// If it was self-deletion
+	if ($UserID === $_SESSION["userid"])
 		EndSession();
+
 	ReturnJSONData(["success" => $result]);
 }
 ?>

docs/API.md

@@ -18,6 +18,7 @@ Files starting from "_" ("_example.php") are intended for internal use only.
 - _auth.php:                           things related to authentification
 - _errors.php:                         error strings
 - _json.php:                           wrappers for JSON functions
+- _utils.php:                          random utility functions
 
 - [ ] stats.php (GET/POST):                all general statistics about this instance
 
@@ -30,7 +31,6 @@ Files starting from "_" ("_example.php") are intended for internal use only.
 - [ ] user/create.php (POST):              create new user account
 - [ ] user/edit.php (POST):                edit user profile
 - [x] user/delete.php (POST):              delete user account
-- [ ] user/__admin_session.php (GET):      start debug session as admin
 
 - [ ] post/ (GET/POST):                    get single post by id
 - [ ] post/search.php (GET/POST):          get list of posts matching the criteria