api/user/__admin_session.php and random tweaks

api/_auth.php

@@ -21,7 +21,7 @@ function EndSession () {
 
 $LOGGED_IN = false;
 
-if (isset($_SESSION["userid"])) {
+if (session_status() == PHP_SESSION_ACTIVE && isset($_SESSION["userid"])) {
 	// Check if user still exist
 	$s = $db->prepare("SELECT * FROM users WHERE id = ?");
 	$s->bind_param("s", $_SESSION["userid"]);
@@ -32,10 +32,10 @@ if (isset($_SESSION["userid"])) {
 		die("user id used in session does not exist");
 	}
 	$LOGGED_IN = true;
-} else {
-	if (session_status()) {
-		EndSession();
-	}
+} elseif (session_status() == PHP_SESSION_ACTIVE && !isset($_SESSION["userid"])) {
+	echo "no userid, destroying session";
+	EndSession();
+	die("no userid in session");
 }
 
 ?>

api/user/__admin_session.php

@@ -0,0 +1,23 @@
+<?php // Start session as any user
+// ATTENTION: FOR DEBUG PURPOSES ONLY!
+require_once("../_auth.php");
+require_once("../_utils.php");
+
+
+
+if (ThisFileIsRequested(__FILE__)) {
+	require_once("../_json.php");
+
+	if (!$Config["debug"])
+		ReturnJSONError(null, "you need to enable debug mode in configuration file first");
+
+	if (!isset($_REQUEST["id"]))
+		ReturnJSONError($Err_RDP_InvalidID, "valid id must be specified");
+
+	if (!isset($_SESSION["userid"]))
+		session_start();
+
+	$_SESSION["userid"] = intval($_REQUEST["id"]);
+	ReturnJSONData($_SESSION);
+}
+?>

api/user/create.php

@@ -26,6 +26,10 @@ function User_Create ($login, $password, $email = null, $invite_id = null, $avat
 if (ThisFileIsRequested(__FILE__)) {
 	require_once("../_json.php");
 
+	// Dirty hack for debugging purposes. Will be removed later
+	if ($Config["debug"])
+		$_POST = $_REQUEST;
+
 	// If registration turned off
 	if (!$Config["registration"]["active"]) {
 		ReturnJSONError($Err_DP_RegClosed, "registrations are closed");

api/user/delete.php

@@ -1,4 +1,4 @@
-<?php
+<?php // Deleting existing account
 require_once("../_auth.php");
 require_once("../_utils.php");
 require_once("./index.php");
@@ -17,12 +17,16 @@ function User_Delete ($id) {
 
 if (ThisFileIsRequested(__FILE__)) {
 	require_once("../_json.php");
+
+	// Dirty hack for debugging purposes. Will be removed later
+	if ($Config["debug"])
+		$_POST = $_REQUEST;
 	
-	if (isset($_REQUEST["id"]) && $LOGGED_IN) {
-		if (!ctype_digit($_REQUEST["id"]))
+	if (isset($_POST["id"]) && $LOGGED_IN) {
+		if (!ctype_digit($_POST["id"]))
 			ReturnJSONError($Err_RDP_InvalidID, "id must be numeric");
-		$UserID = intval($_REQUEST["id"]);
-	} elseif (!isset($_REQUEST["id"]) && $LOGGED_IN) {
+		$UserID = intval($_POST["id"]);
+	} elseif (!isset($_POST["id"]) && $LOGGED_IN) {
 		$UserID = $_SESSION["userid"];
 	} else {
 		ReturnJSONError($Err_RDP_InvalidID, "valid session must be provided");

api/user/index.php

@@ -73,7 +73,7 @@ function User_GetInfoByID ($id) {
 	$result["avatar_path"]   = $d["avatar_path"];
 	$result["role"]          = $d["role"];
 	$result["banned"]        = $d["banned"];
-	if ($id === $_SESSION["userid"] || User_IsMod($_SESSION["userid"])) { // User himself and mods can see additional info
+	if (($id === $_SESSION["userid"]) || User_IsMod($_SESSION["userid"])) { // User himself and mods can see additional info
 		$result["email"]     = $d["email"];
 		$result["invite_id"] = $d["invite_id"];
 	}

config.json

@@ -1,4 +1,5 @@
 {
+	"debug": true,
 	"db": {
 		"addr": "localhost",
 		"name": "e949",

docs/API.md

@@ -30,6 +30,7 @@ Files starting from "_" ("_example.php") are intended for internal use only.
 - [ ] user/create.php (POST):              create new user account
 - [ ] user/edit.php (POST):                edit user profile
 - [x] user/delete.php (POST):              delete user account
+- [ ] user/__admin_session.php (GET):      start debug session as admin
 
 - [ ] post/ (GET/POST):                    get single post by id
 - [ ] post/search.php (GET/POST):          get list of posts matching the criteria