Cyclone-Team/e949
2
0
Fork 1
Code Issues Pull Requests Packages Projects Releases Wiki Activity

api/user/__admin_session.php and random tweaks

Browse Source
This commit is contained in:
Shr3dd3r 2023-08-30 05:16:15 +03:00
parent 074ce120e9
commit ae719995ee
7 changed files with 44 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
api/_auth.php
View File

@ -21,7 +21,7 @@ function EndSession () {
$LOGGED_IN = false; $LOGGED_IN = false;
if (isset($_SESSION["userid"])) { if (session_status() == PHP_SESSION_ACTIVE && isset($_SESSION["userid"])) {
// Check if user still exist // Check if user still exist
$s = $db->prepare("SELECT * FROM users WHERE id = ?"); $s = $db->prepare("SELECT * FROM users WHERE id = ?");
$s->bind_param("s", $_SESSION["userid"]); $s->bind_param("s", $_SESSION["userid"]);
@ -32,10 +32,10 @@ if (isset($_SESSION["userid"])) {
die("user id used in session does not exist"); die("user id used in session does not exist");
} }
$LOGGED_IN = true; $LOGGED_IN = true;
} else { } elseif (session_status() == PHP_SESSION_ACTIVE && !isset($_SESSION["userid"])) {
if (session_status()) { echo "no userid, destroying session";
EndSession(); EndSession();
} die("no userid in session");
} }
?> ?>

23
api/user/__admin_session.php Normal file
View File

@ -0,0 +1,23 @@
<?php // Start session as any user
// ATTENTION: FOR DEBUG PURPOSES ONLY!
require_once("../_auth.php");
require_once("../_utils.php");
if (ThisFileIsRequested(__FILE__)) {
require_once("../_json.php");
if (!$Config["debug"])
ReturnJSONError(null, "you need to enable debug mode in configuration file first");
if (!isset($_REQUEST["id"]))
ReturnJSONError($Err_RDP_InvalidID, "valid id must be specified");
if (!isset($_SESSION["userid"]))
session_start();
$_SESSION["userid"] = intval($_REQUEST["id"]);
ReturnJSONData($_SESSION);
}
?>

4
api/user/create.php
View File

@ -26,6 +26,10 @@ function User_Create ($login, $password, $email = null, $invite_id = null, $avat
if (ThisFileIsRequested(__FILE__)) { if (ThisFileIsRequested(__FILE__)) {
require_once("../_json.php"); require_once("../_json.php");
// Dirty hack for debugging purposes. Will be removed later
if ($Config["debug"])
$_POST = $_REQUEST;
// If registration turned off // If registration turned off
if (!$Config["registration"]["active"]) { if (!$Config["registration"]["active"]) {
ReturnJSONError($Err_DP_RegClosed, "registrations are closed"); ReturnJSONError($Err_DP_RegClosed, "registrations are closed");

14
api/user/delete.php
View File

@ -1,4 +1,4 @@
<?php <?php // Deleting existing account
require_once("../_auth.php"); require_once("../_auth.php");
require_once("../_utils.php"); require_once("../_utils.php");
require_once("./index.php"); require_once("./index.php");
@ -18,11 +18,15 @@ function User_Delete ($id) {
if (ThisFileIsRequested(__FILE__)) { if (ThisFileIsRequested(__FILE__)) {
require_once("../_json.php"); require_once("../_json.php");
if (isset($_REQUEST["id"]) && $LOGGED_IN) { // Dirty hack for debugging purposes. Will be removed later
if (!ctype_digit($_REQUEST["id"])) if ($Config["debug"])
$_POST = $_REQUEST;
if (isset($_POST["id"]) && $LOGGED_IN) {
if (!ctype_digit($_POST["id"]))
ReturnJSONError($Err_RDP_InvalidID, "id must be numeric"); ReturnJSONError($Err_RDP_InvalidID, "id must be numeric");
$UserID = intval($_REQUEST["id"]); $UserID = intval($_POST["id"]);
} elseif (!isset($_REQUEST["id"]) && $LOGGED_IN) { } elseif (!isset($_POST["id"]) && $LOGGED_IN) {
$UserID = $_SESSION["userid"]; $UserID = $_SESSION["userid"];
} else { } else {
ReturnJSONError($Err_RDP_InvalidID, "valid session must be provided"); ReturnJSONError($Err_RDP_InvalidID, "valid session must be provided");

2
api/user/index.php
View File

@ -73,7 +73,7 @@ function User_GetInfoByID ($id) {
$result["avatar_path"] = $d["avatar_path"]; $result["avatar_path"] = $d["avatar_path"];
$result["role"] = $d["role"]; $result["role"] = $d["role"];
$result["banned"] = $d["banned"]; $result["banned"] = $d["banned"];
if ($id === $_SESSION["userid"] || User_IsMod($_SESSION["userid"])) { // User himself and mods can see additional info if (($id === $_SESSION["userid"]) || User_IsMod($_SESSION["userid"])) { // User himself and mods can see additional info
$result["email"] = $d["email"]; $result["email"] = $d["email"];
$result["invite_id"] = $d["invite_id"]; $result["invite_id"] = $d["invite_id"];
} }

1
config.json
View File

@ -1,4 +1,5 @@
{ {
"debug": true,
"db": { "db": {
"addr": "localhost", "addr": "localhost",
"name": "e949", "name": "e949",

1
docs/API.md
View File

@ -30,6 +30,7 @@ Files starting from "_" ("_example.php") are intended for internal use only.
- [ ] user/create.php (POST): create new user account - [ ] user/create.php (POST): create new user account
- [ ] user/edit.php (POST): edit user profile - [ ] user/edit.php (POST): edit user profile
- [x] user/delete.php (POST): delete user account - [x] user/delete.php (POST): delete user account
- [ ] user/__admin_session.php (GET): start debug session as admin
- [ ] post/ (GET/POST): get single post by id - [ ] post/ (GET/POST): get single post by id
- [ ] post/search.php (GET/POST): get list of posts matching the criteria - [ ] post/search.php (GET/POST): get list of posts matching the criteria