Commit abbaafbd authored by Robert Anderson's avatar Robert Anderson

Fixed up syntax

Improved security
Improved readability
parent 43799fb9
Showing
with 423 additions and 285 deletions
......@@ -34,16 +34,14 @@ printHeader(array(
));
if ($_POST['frmaction'] == "add") {
if (isset($_POST['frmaction']) && $_POST['frmaction'] == "add") {
?>
<p class="pageheader">Add Group</p>
<form method="post" action="group-add.php">
<div>
<input type="hidden" name="frmaction" value="add2" />
</div>
<input type="hidden" name="frmaction" value="add2" />
<table class="entry">
<tr>
<td class="entrytitle">Name</td>
......@@ -76,7 +74,7 @@ if ($_POST['frmaction'] == "add") {
<?php
# Check we have all params
} elseif ($_POST['frmaction'] == "add2") {
} elseif (isset($_POST['frmaction'] && $_POST['frmaction'] == "add2") {
?>
......
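Review bot: The new elseif on L34 is a parse error: `isset($_POST['frmaction'] && $_POST['frmaction'] == "add2")` hands an expression to isset() and leaves the elseif parenthesis unclosed, so this page stops rendering entirely. It should read `} elseif (isset($_POST['frmaction']) && $_POST['frmaction'] == "add2") {`, exactly as the sibling branch on L19 already does. The same malformed line is introduced in attribute-delete.php at L760 and, judging by the hunk-header context on L56, L65, L81 and L87, already sits in group-attribute-change.php and group-attribute-delete.php. The if/elseif chain these lines belong to opens and closes outside the hunk.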
......@@ -35,13 +35,13 @@ printHeader(array(
if (isset($_POST['frmaction']) && $_POST['frmaction'] == "add") {
?>
<p class="pageheader">Add attribute</p>
<form method="post" action="group-attribute-add.php">
<div>
<input type="hidden" name="frmaction" value="add2" />
</div>
<input type="hidden" name="frmaction" value="add2" />
<table class="entry">
<tr>
<td class="entrytitle">Attribute Name</td>
......@@ -83,7 +83,7 @@ if (isset($_POST['frmaction']) && $_POST['frmaction'] == "add") {
<?php
# Check we have all params
} elseif ($_POST['frmaction'] == "add2") {
} elseif (isset($_POST['frmaction']) && $_POST['frmaction'] == "add2") {
?>
......
......@@ -40,8 +40,7 @@ if (isset($_POST['frmaction'] && $_POST['frmaction'] == "change") {
# Check an attribute was selected
if (isset($_POST['attr_id'])) {
# Prepare statement
$temp = $_POST['attr_id'];
$sql = "SELECT ID, Name, Operator, Value, Disabled FROM ${DB_TABLE_PREFIX}group_attributes WHERE ID = '$temp'";
$sql = "SELECT ID, Name, Operator, Value, Disabled FROM ${DB_TABLE_PREFIX}group_attributes WHERE ID = ".$db->quote($_POST['attr_id']);
$res = $db->query($sql);
$row = $res->fetchObject();
......@@ -50,10 +49,8 @@ if (isset($_POST['frmaction'] && $_POST['frmaction'] == "change") {
<p class="pageheader">Update Group Attribute</p>
<form action="group-attribute-change.php" method="post">
<div>
<input type="hidden" name="frmaction" value="change2" />
<input type="hidden" name="attr_id" value="<?php echo $_POST['attr_id']; ?>" />
</div>
<input type="hidden" name="frmaction" value="change2" />
<input type="hidden" name="attr_id" value="<?php echo $_POST['attr_id']; ?>" />
<table class="entry" style="width: 75%;">
<tr>
<td></td>
......
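Review bot: The hidden field on L73 writes `$_POST['attr_id']` straight into an HTML attribute, so the quoting added on L62 protects the database but not the browser; a crafted attr_id is reflected back unescaped. Use `value="<?php echo htmlspecialchars($_POST['attr_id'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); ?>"`. The same unescaped echo of a request value occurs at L247, L774, L857 and L882, the `print_r($_POST[...])` notices on L113 and L973 do the same, and every `$row->...` cell in the list pages echoes database content without escaping, so a small wrapper around htmlspecialchars() applied at each output point would close all of them. Note also that `fetchObject()` on L64 returns false when no row matches and nothing checks `$row` before the form below the hunk dereferences it.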
......@@ -35,12 +35,13 @@ printHeader(array(
));
# Display delete confirm screen
if (isset($_POST['frmaction'] && $_POST['frmaction'] == "delete") {
# Check a user was selected
if (isset($_POST['attr_id'])) {
?>
<p class="pageheader">Delete Attribute</p>
<form action="group-attribute-delete.php" method="post">
......@@ -54,51 +55,67 @@ if (isset($_POST['frmaction'] && $_POST['frmaction'] == "delete") {
<input type="submit" name="confirm" value="no" />
</div>
</form>
<?php
} else {
?>
<div class="warning">No attribute selected</div>
<?php
}
<?php
}
# SQL Updates
} elseif (isset($_POST['frmaction']) && $_POST['frmaction'] == "delete2") {
?>
<p class="pageheader">Attribute Delete Results</p>
<?php
if (isset($_POST['attr_id'])) {
<?php
if ($_POST['confirm'] == "yes") {
$res = $db->exec("DELETE FROM ${DB_TABLE_PREFIX}group_attributes WHERE ID = ".$_POST['attr_id']);
if (isset($_POST['attr_id'])) {
if (isset($_POST['confirm']) && $_POST['confirm'] == "yes") {
$res = $db->exec("DELETE FROM ${DB_TABLE_PREFIX}group_attributes WHERE ID = ".$db->quote($_POST['attr_id']));
if ($res !== FALSE) {
?>
<div class="notice">Attribute with ID: <?php print_r($_POST['attr_id']);?> deleted</div>
<?php
} else {
?>
<div class="warning">Error deleting attribute</div>
<div class="warning"><?php print_r($db->errorInfo()) ?></div>
<?php
}
?>
<?php
}
# Warn
} else {
?>
<div class="warning">Delete attribute aborted</div>
<?php
}
?>
<?php
} else {
?>
<div class="warning">Invocation error, no attribute ID selected</div>
<?php
}
}
}
printFooter();
......
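Review bot: L118 renders `print_r($db->errorInfo())` into the page, which hands the SQLSTATE, driver error code and driver message (including the prefixed table name from L110) to whoever submitted the form. Log it server-side instead, e.g. `error_log(implode(' ', $db->errorInfo()));`, and keep only the generic 'Error deleting attribute' text in the response; the same pattern appears on L281, L300, L313, L546, L608, L712, L779, L888 and L983. Separately, the delete2 branch runs the DELETE for any POST carrying `frmaction=delete2` and `confirm=yes`; nothing links it to the confirmation form emitted by the delete branch, so a session-bound token placed in the hidden fields and checked with `hash_equals()` before L110 is the missing control. The back-to-back `?>`/`<?php` pairs on L121-122 and L130-131 emit nothing and can be dropped.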
......@@ -34,6 +34,7 @@ printHeader(array(
));
?>
<p class="pageheader">Attribute List</p>
<form id="main_form" action="group-attributes.php" method="post">
......@@ -63,7 +64,7 @@ printHeader(array(
</select>
</div>
<p />
<p />
<table class="results" style="width: 75%;">
<tr class="resultstitle">
......@@ -73,44 +74,73 @@ printHeader(array(
<td class="textcenter">Value</td>
<td class="textcenter">Disabled</td>
</tr>
<?php
$_SESSION['attr_group_id'] = $_POST['group_id'];
if (isset($_POST['group_id'])) {
$_SESSION['attr_group_id'] = $_POST['group_id'];
if (isset($_POST['group_id'])) {
$temp = $_SESSION['attr_group_id'];
$sql = "SELECT ID, Name, Operator, Value, Disabled FROM ${DB_TABLE_PREFIX}group_attributes WHERE GroupID = $temp ORDER BY ID";
$res = $db->query($sql);
$sql = "SELECT
ID,
Name,
Operator,
Value,
Disabled
FROM
${DB_TABLE_PREFIX}group_attributes
WHERE
GroupID = ".$db->quote($_POST['group_id'])."
ORDER BY
ID
";
$res = $db->query($sql);
while ($row = $res->fetchObject()) {
while ($row = $res->fetchObject()) {
?>
<tr class="resultsitem">
<td><input type="radio" name="attr_id" value="<?php echo $row->id ?>"/><?php echo $row->id ?></td>
<td><?php echo $row->name ?></td>
<td><?php echo $row->operator ?></td>
<td><?php echo $row->value ?></td>
<td class="textcenter"><?php echo $row->disabled ? 'yes' : 'no' ?></td>
</tr>
<tr class="resultsitem">
<td><input type="radio" name="attr_id" value="<?php echo $row->id; ?>"/><?php echo $row->id; ?></td>
<td><?php echo $row->name; ?></td>
<td><?php echo $row->operator; ?></td>
<td><?php echo $row->value; ?></td>
<td class="textcenter"><?php echo $row->disabled ? 'yes' : 'no'; ?></td>
</tr>
<?php
}
$res->closeCursor();
if ($res->rowCount() == 0) {
}
$res->closeCursor();
if ($res->rowCount() == 0) {
?>
<p />
<tr>
<td colspan="5" class="textcenter">Group attribute list is empty</td>
</tr>
<p />
<tr>
<td colspan="5" class="textcenter">Group attribute list is empty</td>
</tr>
<?php
}
} else {
}
} else {
?>
<tr class="resultitem">
<td colspan="5" class="textcenter">No Group ID selected</td>
</tr>
<tr class="resultitem">
<td colspan="5" class="textcenter">No Group ID selected</td>
</tr>
<?php
}
}
?>
</table>
</form>
<?php
printFooter();
......
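Review bot: `$_SESSION['attr_group_id'] = $_POST['group_id'];` on L160 still runs before the `isset($_POST['group_id'])` test on L161, so a request without group_id raises an undefined-index notice and overwrites the remembered group with null before the else branch reports 'No Group ID selected'. Move the assignment inside the isset block, directly after L161. The same ordering is present in attributes.php at L803-804. The result of `$db->query($sql)` on L178 is also used without a false check, so a query error here turns into a fatal call on a non-object at L180.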
......@@ -36,109 +36,101 @@ printHeader(array(
# Display delete confirm screen
if ($_POST['frmaction'] == "delete") {
if (isset($_POST['frmaction']) && $_POST['frmaction'] == "delete") {
# Check a policy group was selected
if (isset($_POST['group_id'])) {
?>
<p class="pageheader">Delete Group</p>
<form action="group-delete.php" method="post">
<div>
<input type="hidden" name="frmaction" value="delete2" />
<input type="hidden" name="group_id" value="<?php echo $_POST['group_id']; ?>" />
</div>
<input type="hidden" name="frmaction" value="delete2" />
<input type="hidden" name="group_id" value="<?php echo $_POST['group_id']; ?>" />
<div class="textcenter">
Are you very sure? <br />
<input type="submit" name="confirm" value="yes" />
<input type="submit" name="confirm" value="no" />
</div>
</form>
<?php
} else {
?>
<div class="warning">No group selected</div>
<?php
}
<div class="warning">No group selected</div>
<?php
}
# SQL Updates
} elseif ($_POST['frmaction'] == "delete2") {
} elseif (isset($_POST['frmaction']) && $_POST['frmaction'] == "delete2") {
?>
<p class="pageheader">Group Delete Results</p>
<?php
if (isset($_POST['group_id'])) {
if (isset($_POST['confirm']) && $_POST['confirm'] == "yes") {
if ($_POST['confirm'] == "yes") {
$db->beginTransaction();
$res = $db->exec("DELETE FROM ${DB_TABLE_PREFIX}users_to_groups WHERE GroupID = ".$db->quote($_POST['group_id']));
if ($res !== FALSE) {
?>
<div class="notice">Users removed</div>
<?php
} else {
?>
<div class="warning">Error removing users</div>
<div class="warning"><?php print_r($db->errorInfo()) ?></div>
<?php
$db->rollback();
}
$resultRemoveMembers = $db->exec("DELETE FROM ${DB_TABLE_PREFIX}users_to_groups WHERE GroupID = ".$db->quote($_POST['group_id']));
$resultRemoveAttributes = $db->exec("DELETE FROM ${DB_TABLE_PREFIX}group_attributes WHERE GroupID = ".$db->quote($_POST['group_id']));
$resultRemoveGroup = $db->exec("DELETE FROM ${DB_TABLE_PREFIX}groups WHERE ID = ".$db->quote($_POST['group_id']));
if ($resultRemoveMembers && $resultRemoveAttributes && $resultRemoveGroup) {
$res = $db->exec("DELETE FROM ${DB_TABLE_PREFIX}group_attributes WHERE GroupID = ".$db->quote($_POST['group_id']));
if ($res !== FALSE) {
?>
<div class="notice">Attributes removed</div>
<div class="notice">Group deleted</div>
<?php
$db->commit();
} else {
?>
<div class="warning">Error removing attributes</div>
<div class="warning">Error deleting group</div>
<div class="warning"><?php print_r($db->errorInfo()) ?></div>
<?php
$db->rollback();
}
if ($res !== FALSE) {
$res = $db->exec("DELETE FROM ${DB_TABLE_PREFIX}groups WHERE ID = ".$db->quote($_POST['group_id']));
if ($res) {
?>
<div class="notice">Group deleted</div>
<?php
} else {
?>
<div class="warning">Error deleting group!</div>
<div class="warning"><?php print_r($db->errorInfo()) ?></div>
<?php
$db->rollback();
}
}
if ($res) {
$db->commit();
$db->rollback();
}
} else {
?>
<div class="notice">Group not deleted, aborted by user</div>
<?php
}
}
# Warn
} else {
?>
<div class="warning">Invocation error, no group ID</div>
<?php
}
<div class="warning">Invocation error, no group ID</div>
<?php
}
} else {
?>
<div class="warning">Invalid invocation</div>
<?php
}
}
printFooter();
......
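Review bot: The success test on L288 treats the three `exec()` results as booleans, but PDO::exec() returns the affected-row count, which is 0 for a group that has no members or no attributes; 0 is falsy, so such a group can never be deleted and the transaction is rolled back with an empty error. Compare against false explicitly: `if ($resultRemoveMembers !== false && $resultRemoveAttributes !== false && $resultRemoveGroup !== false) {`. The same truthiness test on a DELETE result is introduced at L768, L879 and L971. Note also that `$db->errorInfo()` on L300 describes only the last statement executed, so a failure in either of the first two DELETEs on L285-286 is reported with the group DELETE's clean error state.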
......@@ -32,6 +32,7 @@ printHeader(array(
));
?>
<p class="pageheader">User Groups</p>
<form id="main_form" action="group-main.php" method="post">
......@@ -76,40 +77,46 @@ printHeader(array(
<td class="textcenter">Disabled</td>
<td class="textcenter">Comment</td>
</tr>
<?php
$sql = "SELECT ID, Name, Priority, Disabled, Comment FROM ${DB_TABLE_PREFIX}groups ORDER BY ID";
$res = $db->query($sql);
$rownums = 0;
while ($row = $res->fetchObject()) {
if ($row->id != NULL) {
$rownums = $rownums + 1;
} else {
$rownums = $rownums - 1;
}
?>
<tr class="resultsitem">
<td><input type="radio" name="group_id" value="<?php echo $row->id ?>" /></td>
<td><?php echo $row->name ?></td>
<td><?php echo $row->priority ?></td>
<td class="textcenter"><?php echo $row->disabled ? 'yes' : 'no' ?></td>
<td><?php echo $row->comment ?></td>
<td><input type="radio" name="group_id" value="<?php echo $row->id; ?>" /></td>
<td><?php echo $row->name; ?></td>
<td><?php echo $row->priority; ?></td>
<td class="textcenter"><?php echo $row->disabled ? 'yes' : 'no'; ?></td>
<td><?php echo $row->comment; ?></td>
</tr>
<?php
}
$res->closeCursor();
if ($rownums <= 0) {
if ($res->rowCount() == 0) {
?>
<p />
<tr>
<td colspan="5" class="textcenter">Group list is empty</td>
</tr>
<?php
}
unset($rownums);
$res->closeCursor();
?>
</table>
</form>
<?php
printFooter();
......
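Review bot: L381 replaces the row counter with `$res->rowCount() == 0`, but PDOStatement::rowCount() is only defined for INSERT/UPDATE/DELETE; for a SELECT its value is driver-specific and the PHP manual says not to rely on it, so the 'Group list is empty' row may never appear, or always appear, depending on the driver in use. A one-line flag keeps the intent without the old counter arithmetic: `$found = false;` before the loop, `$found = true;` inside it, and `if (!$found) {` on L381. The same substitution is made at L199-202, L457, L833 and L1042, and at L199-202 `closeCursor()` additionally precedes the rowCount() call, after which some drivers report nothing useful.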
......@@ -50,67 +50,60 @@ if (isset($_POST['group_id'])) {
?>
<table class="results" style="width: 75%;">
<tr class="resultstitle">
<td class="textcenter">ID</td>
<td class="textcenter">Member</td>
<td class="textcenter">Disabled</td>
</tr>
<table class="results" style="width: 75%;">
<tr class="resultstitle">
<td class="textcenter">ID</td>
<td class="textcenter">Member</td>
<td class="textcenter">Disabled</td>
</tr>
<?php
# Get list of members belonging to this group
$stmt = $db->prepare("SELECT UserID FROM ${DB_TABLE_PREFIX}users_to_groups WHERE GroupID = ?");
$res = $stmt->execute(array($_REQUEST['group_id']));
# Get list of members belonging to this group
$stmt = $db->prepare("SELECT UserID FROM ${DB_TABLE_PREFIX}users_to_groups WHERE GroupID = ?");
$stmtResult = $stmt->execute(array($_REQUEST['group_id']));
$rownums = 0;
# Loop with rows
while ($row = $stmt->fetchObject()) {
if ($row->userid != NULL) {
$rownums = $rownums + 1;
} else {
$rownums = $rownums - 1;
}
# Loop with rows
while ($row = $stmt->fetchObject()) {
$sql = "SELECT ID, Username, Disabled FROM ${DB_TABLE_PREFIX}users WHERE ID = ".$row->userid;
$res = $db->query($sql);
$sql = "SELECT ID, Username, Disabled FROM ${DB_TABLE_PREFIX}users WHERE ID = ".$db->quote($row->userid);
$res = $db->query($sql);
# List users
while ($row = $res->fetchObject()) {
# List users
while ($row = $res->fetchObject()) {
?>
<tr class="resultsitem">
<td><?php echo $row->id ?></td>
<td><?php echo $row->username ?></td>
<td class="textcenter"><?php echo $row->disabled ? 'yes' : 'no' ?></td>
</tr>
<tr class="resultsitem">
<td><?php echo $row->id; ?></td>
<td><?php echo $row->username; ?></td>
<td class="textcenter"><?php echo $row->disabled ? 'yes' : 'no'; ?></td>
</tr>
<?php
}
$res->closeCursor();
}
$stmt->closeCursor();
$res->closeCursor();
}
# Did we get any results?
if ($rownums <= 0) {
# Did we get any results?
if ($stmt->rowCount() == 0) {
?>
<p />
<tr>
<td colspan="3" class="textcenter">Group has no users</td>
</tr>
<p />
<tr>
<td colspan="3" class="textcenter">Group has no users</td>
</tr>
<?php
}
unset($rownums);
}
$stmt->closeCursor();
?>
</table>
</table>
<?php
......
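Review bot: L417 binds `$_REQUEST['group_id']` while the guard shown in the hunk header tests `isset($_POST['group_id'])`, so a query-string or cookie value named group_id can stand in for the posted one; read `$_POST['group_id']` here to match the check. `$stmtResult` is assigned on L417 but never inspected, so a failed execute() silently renders 'Group has no users'; test `if ($stmtResult === false) { … }` before the loop and report the failure. The inner `while ($row = $res->fetchObject())` on L435 reuses the outer loop's `$row`, which only works because the outer loop reassigns it on the next iteration; a distinct name such as `$user` would make that obvious. The enclosing `if (isset($_POST['group_id']))` opens before the hunk.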
......@@ -25,14 +25,18 @@ printHeader();
?>
<p class="pageheader">Features Supported</p>
<ul>
<li>Users &amp; Groups
<a title="Help on policies and groups" href="http://www.policyd.org/tiki-index.php?page=Policies%20%26%20Groups&structure=Documentation" class="help">
<img src="images/help.gif" alt="Help" />
</a>
<li>Users
<ul>
<li>Add, remove and edit users</li>
<li>Add, remove and edit user attributes</li>
<li>Add groups, remove groups and edit group attributes</li>
</ul>
</li>
<li>Groups
<ul>
<li>Define policy groups made up of various combinations of tags.</li>
<li>Define and manage policies comprising of ACL's which can include groups.</li>
<li>Add and remove groups</li>
<li>Add, remove and edit group attributes</li>
<li>Assign users to groups</li>
</ul>
</li>
</ul>
......
......@@ -29,9 +29,10 @@ printHeader(array(
),
));
if (isset($_POST['frmaction']) && $_POST['frmaction'] == "add") {
if ($_POST['frmaction'] == "add") {
?>
<p class="pageheader">Add user</p>
<form method="post" action="user-add.php">
<div>
......@@ -49,23 +50,36 @@ if ($_POST['frmaction'] == "add") {
</tr>
</table>
</form>
<?php
# Check we have all params
} elseif ($_POST['frmaction'] == "add2") {
} elseif (isset($_POST['frmaction']) && $_POST['frmaction'] == "add2") {
?>
<p class="pageheader">User Add Results</p>
<?php
# Check name
if (empty($_POST['user_name'])) {
?>
<div class="warning">Username cannot be empty</div>
<?php
}
else if (!preg_match('/^[a-z0-9]+$/i', $_POST['user_name'])) {
?>
<div class="warning">Username invalid: must be alphanumeric</div>
<?php
# Add to database
} else {
$stmt = $db->prepare("INSERT INTO ${DB_TABLE_PREFIX}users (Username) VALUES (?)");
......@@ -74,20 +88,32 @@ if ($_POST['frmaction'] == "add") {
));
# Was it successful?
if ($res) {
?>
<div class="notice">User added</div>
<?php
} else {
?>
<div class="warning">Failed to add user</div>
<div class="warning"><?php print_r($stmt->errorInfo()) ?></div>
<?php
}
}
} else {
?>
<div class="warning">Invalid invocation</div>
<?php
}
printFooter();
......
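Review bot: L529 uses `else if` while every other branch in this file (L519, L534, L550) uses `elseif`; the two are equivalent inside braces, but `else if` breaks if the page is ever moved to the `if: … endif;` template syntax, so `} elseif (!preg_match('/^[a-z0-9]+$/i', $_POST['user_name'])) {` keeps it consistent. The pattern bounds the character set but not the length; if the Username column has a fixed width, the INSERT on L535 will fail with a driver error rather than a validation message, so a length check next to the pattern is worth confirming against the schema. The branch chain is closed on L554 but opened above the hunk.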
......@@ -37,8 +37,10 @@ printHeader(array(
if ($_POST['frmaction'] == "add") {
if (isset($_POST['frmaction']) && $_POST['frmaction'] == "add") {
?>
<p class="pageheader">Add attribute</p>
<form method="post" action="attribute-add.php">
......@@ -59,10 +61,10 @@ if ($_POST['frmaction'] == "add") {
<option value=":=">:=</option>
<option value="+=">+=</option>
<option value="!=">!=</option>
<option value=">">&gt</option>
<option value="<">&lt</option>
<option value=">=">&gt=</option>
<option value="<=">&lt=</option>
<option value=">">&gt;</option>
<option value="<">&lt;</option>
<option value=">=">&gt;=</option>
<option value="<=">&lt;=</option>
<option value="=~">=~</option>
<option value="!~">!~</option>
<option value="=*">=*</option>
......@@ -83,19 +85,27 @@ if ($_POST['frmaction'] == "add") {
</tr>
</table>
</form>
<?php
# Check we have all params
} elseif ($_POST['frmaction'] == "add2") {
} elseif (isset($_POST['frmaction']) && $_POST['frmaction'] == "add2") {
?>
<p class="pageheader">Attribute Add Results</p>
<?php
# Check for empty values
if (empty($_POST['attr_name']) || empty($_POST['attr_operator']) || empty($_POST['attr_value'])) {
?>
<div class="warning">Submission cannot have empty value</div>
<?php
} else {
$stmt = $db->prepare("INSERT INTO ${DB_TABLE_PREFIX}user_attributes (UserID,Name,Operator,Value) VALUES (?,?,?,?)");
# Which user am I working with?
......@@ -108,22 +118,34 @@ if ($_POST['frmaction'] == "add") {
$_POST['attr_value'],
));
if ($res) {
?>
<div class="notice">Attribute added</div>
<?php
session_destroy();
} else {
?>
<div class="warning">Failed to add attribute</div>
<div class="warning"><?php print_r($stmt->errorInfo()) ?></div>
<?php
}
}
} else {
?>
<div class="warning">Invalid invocation</div>
<?php
}
printFooter();
......
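Review bot: The guard on L590 uses `empty()` on attr_value, and `empty('0')` is true in PHP, so an attribute whose value is the string "0" is refused as 'Submission cannot have empty value'; the same applies to attr_name and attr_operator. Test presence and non-blankness instead, e.g. `if (!isset($_POST['attr_name'], $_POST['attr_operator'], $_POST['attr_value']) || trim($_POST['attr_value']) === '') {`, extended to the other two fields as needed. Separately, `session_destroy()` on L604 after a successful insert discards the whole session rather than just the stored user id; if any login state lives in the session this logs the operator out after every add (worth confirming), and unsetting the single key would be the narrower choice — the comment on L596 suggests the key is `attr_user_id` as used at L803, but that should be verified.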
......@@ -37,15 +37,16 @@ printHeader(array(
# Display change screen
if ($_POST['frmaction'] == "change") {
if (isset($_POST['frmaction']) && $_POST['frmaction'] == "change") {
# Check an attribute was selected
if (isset($_POST['attr_id'])) {
# Prepare statement
$temp = $_POST['attr_id'];
$sql = "SELECT ID, Name, Operator, Value, Disabled FROM ${DB_TABLE_PREFIX}user_attributes WHERE ID = $temp";
$sql = "SELECT ID, Name, Operator, Value, Disabled FROM ${DB_TABLE_PREFIX}user_attributes WHERE ID = ".$db->quote($_POST['attr_id']);
$res = $db->query($sql);
$row = $res->fetchObject();
?>
<p class="pageheader">Update User</p>
<form action="attribute-change.php" method="post">
......@@ -64,14 +65,14 @@ if ($_POST['frmaction'] == "change") {
Name
<?php tooltip('user_attributes_name'); ?>
</td>
<td class="oldval texttop"><?php echo $row->name ?></td>
<td class="oldval texttop"><?php echo $row->name; ?></td>
<td><textarea name="user_attributes_name" cols="40" rows="1"></textarea></td>
</tr>
<tr>
<td class="entrytitle texttop">
Operator
</td>
<td class="oldval texttop"><?php echo $row->operator ?></td>
<td class="oldval texttop"><?php echo $row->operator; ?></td>
<td>
<select name="user_attributes_operator">
<option value="=">=</option>
......@@ -79,10 +80,10 @@ if ($_POST['frmaction'] == "change") {
<option value=":=">:=</option>
<option value="+=">+=</option>
<option value="!=">!=</option>
<option value=">">&gt</option>
<option value="<">&lt</option>
<option value=">=">&gt=</option>
<option value="<=">&lt=</option>
<option value=">">&gt;</option>
<option value="<">&lt;</option>
<option value=">=">&gt;=</option>
<option value="<=">&lt;=</option>
<option value="=~">=~</option>
<option value="!~">!~</option>
<option value="=*">=*</option>
......@@ -94,12 +95,12 @@ if ($_POST['frmaction'] == "change") {
</tr>
<tr>
<td class="entrytitle texttop">Value</td>
<td class="oldval texttop"><?php echo $row->value ?></td>
<td class="oldval texttop"><?php echo $row->value; ?></td>
<td><textarea name="user_attributes_value" cols="40" rows="5"></textarea></td>
</tr>
<tr>
<td class="entrytitle">Disabled</td>
<td class="oldval"><?php echo $row->disabled ? 'yes' : 'no' ?></td>
<td class="oldval"><?php echo $row->disabled ? 'yes' : 'no'; ?></td>
<td>
<select name="user_attributes_disabled">
<option value="">--</option>
......@@ -116,21 +117,28 @@ if ($_POST['frmaction'] == "change") {
<input type="submit" />
</div>
</form>
<?php
$res->closeCursor();
} else {
?>
<div class="warning">No attribute selected</div>
<?php
}
<div class="warning">No attribute selected</div>
<?php
}
# SQL Updates
} elseif ($_POST['frmaction'] == "change2") {
} elseif (isset($_POST['frmaction']) && $_POST['frmaction'] == "change2") {
?>
<p class="pageheader">Attribute Update Results</p>
<?php
# Check an attribute was selected
if (isset($_POST['attr_id'])) {
......@@ -155,35 +163,51 @@ if ($_POST['frmaction'] == "change") {
$res = $db->exec("UPDATE ${DB_TABLE_PREFIX}user_attributes SET $updateStr WHERE ID = ".$db->quote($_POST['attr_id']));
if ($res) {
?>
<div class="notice">Attribute updated</div>
<?php
} else {
?>
<div class="warning">Error updating attribute</div>
<div class="warning"><?php print_r($db->errorInfo()) ?></div>
<?php
}
}
# Warn
} else {
?>
<div class="warning">No attribute updates</div>
<?php
}
}
# Warn
} else {
?>
<div class="error">No attribute data available</div>
<?php
}
<?php
}
} else {
?>
<div class="warning">Invalid invocation</div>
<?php
}
......
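Review bot: L630 stores `$res->fetchObject()` in `$row` without checking for false, so an attr_id that matches nothing (including one typed straight into the POST) renders the form with non-object property warnings at L639, L647, L671 and L677 instead of a message. Add `if ($row === false) { /* print an 'Attribute not found' warning and skip the form */ }` directly after L630. The `$updateStr` interpolated into the UPDATE on L704 is assembled above the hunk; the quoting added for attr_id there does not cover it, so each fragment it contains needs to be confirmed as quoted or bound the same way. The header on L632 reads 'Update User' on an attribute page.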
......@@ -37,10 +37,12 @@ printHeader(array(
# Display delete confirm screen
if ($_POST['frmaction'] == "delete") {
if (isset($_POST['frmaction']) && $_POST['frmaction'] == "delete") {
# Check a user was selected
if (isset($_POST['attr_id'])) {
?>
<p class="pageheader">Delete Attribute</p>
<form action="attribute-delete.php" method="post">
......@@ -54,51 +56,67 @@ if ($_POST['frmaction'] == "delete") {
<input type="submit" name="confirm" value="no" />
</div>
</form>
<?php
} else {
?>
<div class="warning">No attribute selected</div>
<?php
}
<?php
}
# SQL Updates
} elseif ($_POST['frmaction'] == "delete2") {
} elseif (isset($_POST['frmaction'] && $_POST['frmaction'] == "delete2") {
?>
<p class="pageheader">Attribute Delete Results</p>
<?php
if (isset($_POST['attr_id'])) {
if (isset($_POST['attr_id'])) {
if (isset($_POST['confirm']) && $_POST['confirm'] == "yes") {
$res = $db->exec("DELETE FROM ${DB_TABLE_PREFIX}user_attributes WHERE ID = ".$db->quote($_POST['attr_id']));
if ($res) {
if ($_POST['confirm'] == "yes") {
$res = $db->exec("DELETE FROM ${DB_TABLE_PREFIX}user_attributes WHERE ID = ".$_POST['attr_id']);
if ($res !== FALSE) {
?>
<div class="notice">Attribute with ID: <?php print_r($_POST['attr_id']);?> deleted</div>
<div class="notice">Attribute with ID: <?php echo $_POST['attr_id']; ?> deleted</div>
<?php
} else {
?>
<div class="warning">Error deleting attribute</div>
<div class="warning"><?php print_r($db->errorInfo()) ?></div>
<?php
}
?>
<?php
}
# Warn
} else {
?>
<div class="warning">Delete attribute aborted</div>
<?php
}
?>
<?php
} else {
?>
<div class="warning">Invocation error, no attribute ID selected</div>
<?php
}
}
}
printFooter();
......
......@@ -80,32 +80,25 @@ printHeader(array(
$_SESSION['attr_user_id'] = $_POST['user_id'];
if (isset($_POST['user_id'])) {
$temp = $_SESSION['attr_user_id'];
$sql = "SELECT ID, Name, Operator, Value, Disabled FROM ${DB_TABLE_PREFIX}user_attributes WHERE UserID = $temp ORDER BY ID";
$sql = "SELECT ID, Name, Operator, Value, Disabled FROM ${DB_TABLE_PREFIX}user_attributes WHERE UserID = ".$db->quote($_POST['user_id'])." ORDER BY ID";
$res = $db->query($sql);
$rownums = 0;
while ($row = $res->fetchObject()) {
if ($row->id != NULL) {
$rownums = $rownums + 1;
} else {
$rownums = $rownums - 1;
}
?>
<tr class="resultsitem">
<td><input type="radio" name="attr_id" value="<?php echo $row->id ?>"/><?php echo $row->id ?></td>
<td><?php echo $row->name ?></td>
<td><?php echo $row->operator ?></td>
<td><?php echo $row->value ?></td>
<td class="textcenter"><?php echo $row->disabled ? 'yes' : 'no' ?></td>
<td><input type="radio" name="attr_id" value="<?php echo $row->id; ?>"/><?php echo $row->id; ?></td>
<td><?php echo $row->name; ?></td>
<td><?php echo $row->operator; ?></td>
<td><?php echo $row->value; ?></td>
<td class="textcenter"><?php echo $row->disabled ? 'yes' : 'no'; ?></td>
</tr>
<?php
}
$res->closeCursor();
if ($rownums <= 0) {
if ($res->rowCount() == 0) {
?>
......@@ -117,7 +110,7 @@ printHeader(array(
<?php
}
unset($rownums);
$res->closeCursor();
} else {
?>
......
......@@ -37,7 +37,7 @@ printHeader(array(
# Display delete confirm screen
if ($_POST['frmaction'] == "delete") {
if (isset($_POST['frmaction']) && $_POST['frmaction'] == "delete") {
# Check a user was selected
if (isset($_POST['user_id'])) {
......@@ -46,10 +46,8 @@ if ($_POST['frmaction'] == "delete") {
<p class="pageheader">Delete User</p>
<form action="user-delete.php" method="post">
<div>
<input type="hidden" name="frmaction" value="delete2" />
<input type="hidden" name="user_id" value="<?php echo $_POST['user_id']; ?>" />
</div>
<input type="hidden" name="frmaction" value="delete2" />
<input type="hidden" name="user_id" value="<?php echo $_POST['user_id']; ?>" />
<div class="textcenter">
Are you very sure? <br />
<input type="submit" name="confirm" value="yes" />
......@@ -69,7 +67,7 @@ if ($_POST['frmaction'] == "delete") {
}
# SQL Updates
} elseif ($_POST['frmaction'] == "delete2") {
} elseif (isset($_POST['frmaction']) && $_POST['frmaction'] == "delete2") {
?>
......@@ -79,17 +77,16 @@ if ($_POST['frmaction'] == "delete") {
if (isset($_POST['user_id'])) {
# Check to see if user's attributes are empty
$userID = $_POST['user_id'];
$sql = "SELECT * FROM ${DB_TABLE_PREFIX}user_attributes WHERE UserID = $userID";
$sql = "SELECT * FROM ${DB_TABLE_PREFIX}user_attributes WHERE UserID = ".$db->quote($_POST['user_id']);
$res = $db->query($sql);
if ($_POST['confirm'] == "yes") {
$res = $db->exec("DELETE FROM ${DB_TABLE_PREFIX}users WHERE ID = ".$_POST['user_id']);
if ($res !== FALSE) {
if (isset($_POST['confirm']) && $_POST['confirm'] == "yes") {
$res = $db->exec("DELETE FROM ${DB_TABLE_PREFIX}users WHERE ID = ".$db->quote($_POST['user_id']);
if ($res) {
?>
<div class="notice">User with ID: <?php print_r($_POST['user_id']);?> deleted</div>
<div class="notice">User with ID: <?php echo $_POST['user_id']; ?> deleted</div>
<?php
......@@ -98,7 +95,7 @@ if ($_POST['frmaction'] == "delete") {
?>
<div class="warning">Error deleting user</div>
<div class="warning"><?php print_r($db->errorInfo()) ?></div>
<div class="warning"><?php print_r($db->errorInfo()); ?></div>
<?php
......
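Review bot: L878 is missing the closing parenthesis of `exec()`: `$db->exec("DELETE … WHERE ID = ".$db->quote($_POST['user_id']);` opens two parentheses and closes one, which is a parse error for the whole page. It should be `$res = $db->exec("DELETE FROM ${DB_TABLE_PREFIX}users WHERE ID = ".$db->quote($_POST['user_id']));`. The SELECT on L872 that the comment says should check whether the user's attributes are empty is executed, assigned to `$res`, and then overwritten on L878 without its result ever being read; either inspect it (refuse the delete or cascade while attribute rows remain) or drop it, because as written the users row is deleted while user_attributes and users_to_groups rows referencing it are left behind unless the schema cascades, which is not visible here.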
......@@ -33,7 +33,7 @@ printHeader(array(
if (isset($_SESSION['groups_user_id'])) {
if ($_POST['frmaction'] == "add") {
if (isset($_POST['frmaction']) && $_POST['frmaction'] == "add") {
?>
<p class="pageheader">Available Groups</p>
......@@ -83,11 +83,11 @@ if (isset($_SESSION['groups_user_id'])) {
?>
<tr class="resultsitem">
<td><input type="radio" name="group_id" value="<?php echo $row->id ?>" /></td>
<td><?php echo $row->name ?></td>
<td><?php echo $row->priority ?></td>
<td class="textcenter"><?php echo $row->disabled ? 'yes' : 'no' ?></td>
<td><?php echo $row->comment ?></td>
<td><input type="radio" name="group_id" value="<?php echo $row->id; ?>" /></td>
<td><?php echo $row->name; ?></td>
<td><?php echo $row->priority; ?></td>
<td class="textcenter"><?php echo $row->disabled ? 'yes' : 'no'; ?></td>
<td><?php echo $row->comment; ?></td>
</tr>
<?php
......@@ -102,7 +102,7 @@ if (isset($_SESSION['groups_user_id'])) {
<?php
} elseif ($_POST['frmaction'] == "add2") {
} elseif (isset($_POST['frmaction']) && $_POST['frmaction'] == "add2") {
?>
......@@ -112,11 +112,9 @@ if (isset($_SESSION['groups_user_id'])) {
if (isset($_POST['group_id']) && !empty($_POST['users_to_groups_comment'])) {
$stmt = $db->prepare("INSERT INTO ${DB_TABLE_PREFIX}users_to_groups (UserID,GroupID,Comment,Disabled) VALUES (?,?,?,?)");
# Which user am I working with?
$groups_user_id = $_SESSION['groups_user_id'];
$res = $stmt->execute(array(
$groups_user_id,
$_SESSION['groups_user_id'],
$_POST['group_id'],
$_POST['users_group_comment'],
$_POST['users_group_disabled'],
......
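Review bot: The guard on L918 requires `$_POST['users_to_groups_comment']` to be non-empty, but the values bound on L926-927 are read from `$_POST['users_group_comment']` and `$_POST['users_group_disabled']`; unless the form (outside this hunk) posts both spellings, the guard checks one field and the INSERT binds a different, possibly unset, one. Settle on one name in both places, e.g. `$_POST['users_to_groups_comment'],` on L926, and guard the disabled flag with `isset($_POST['users_group_disabled']) ? $_POST['users_group_disabled'] : 0,` so an unticked checkbox does not produce an undefined-index notice.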
......@@ -36,12 +36,13 @@ printHeader(array(
));
# Display delete confirm screen
if ($_POST['frmaction'] == "delete") {
if (isset($_POST['frmaction']) && $_POST['frmaction'] == "delete") {
# Check a user was selected
if (isset($_POST['group_id'])) {
?>
<p class="pageheader">Remove Group Assignment</p>
<form action="user-groups-delete.php" method="post">
......@@ -55,50 +56,76 @@ if ($_POST['frmaction'] == "delete") {
<input type="submit" name="confirm" value="no" />
</div>
</form>
<?php
} else {
?>
<div class="warning">No group assignment selected</div>
<?php
}
<?php
}
# SQL Updates
} elseif ($_POST['frmaction'] == "delete2") {
} elseif (isset($_POST['frmaction']) && $_POST['frmaction'] == "delete2") {
?>
<p class="pageheader">Group Assignment Removal Results</p>
<?php
if (isset($_POST['group_id'])) {
if ($_POST['confirm'] == "yes") {
$res = $db->exec("DELETE FROM ${DB_TABLE_PREFIX}users_to_groups WHERE UserID = ".$_SESSION['groups_user_id']." AND GroupID = ".$_POST['group_id']);
if ($res !== FALSE) {
if (isset($_POST['group_id']) && isset($_SESSION['groups_user_id'])) {
if (isset($_POST['confirm']) && $_POST['confirm'] == "yes") {
$res = $db->exec("
DELETE FROM
${DB_TABLE_PREFIX}users_to_groups
WHERE
UserID = ".$db->quote($_SESSION['groups_user_id'])."
AND
GroupID = ".$db->quote($_POST['group_id'])
);
if ($res) {
?>
<div class="notice">Group with ID: <?php print_r($_POST['group_id']);?> deleted from user with ID: <?php print_r($_SESSION['groups_user_id']);?></div>
<?php
session_destroy();
} else {
?>
<div class="warning">Error removing group assignment</div>
<div class="warning"><?php print_r($db->errorInfo()) ?></div>
<?php
}
?>
<div class="warning"><?php print_r($db->errorInfo()); ?></div>
<?php
}
# Warn
} else {
?>
<div class="warning">Remove Group Assignment aborted</div>
<?php
}
?>
<?php
} else {
?>
<div class="warning">Invocation error, no group ID selected</div>
<?php
}
}
}
printFooter();
......
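Review bot: The guard on L961 now also requires `$_SESSION['groups_user_id']`, but the else branch on L996 still says 'Invocation error, no group ID selected', so a missing session value is reported as a missing group; given that `session_destroy()` on L975 runs after every successful removal, that is the normal second-use case rather than an edge case. Split the checks, e.g. `} elseif (!isset($_SESSION['groups_user_id'])) {` with its own 'No user selected' warning, and prefer `unset($_SESSION['groups_user_id']);` over destroying the whole session on L975. The `print_r()` calls on L973 echo two request-derived ids into the page unescaped; htmlspecialchars() belongs there as at every other output point.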
......@@ -76,17 +76,15 @@ printHeader(array(
<?php
if (isset($_POST['user_id'])) {
$sql = "SELECT GroupID FROM ${DB_TABLE_PREFIX}users_to_groups WHERE UserID = ".$_POST['user_id'];
# Store user_id for later use
$_SESSION['groups_user_id'] = $_POST['user_id'];
$sql = "SELECT GroupID FROM ${DB_TABLE_PREFIX}users_to_groups WHERE UserID = ".$db->quote($_POST['user_id']);
$res = $db->query($sql);
$rownums = 0;
while ($row = $res->fetchObject()) {
if ($row->groupid != NULL) {
$rownums = $rownums + 1;
} else {
$rownums = $rownums - 1;
}
$sql = "SELECT ID, Name, Priority, Disabled, Comment FROM ${DB_TABLE_PREFIX}groups WHERE ID = ".$row->groupid;
$sql = "SELECT ID, Name, Priority, Disabled, Comment FROM ${DB_TABLE_PREFIX}groups WHERE ID = ".$db->quote($row->groupid);
$result = $db->query($sql);
while ($row = $result->fetchObject()) {
......@@ -94,11 +92,11 @@ printHeader(array(
?>
<tr class="resultsitem">
<td><input type="radio" name="group_id" value="<?php echo $row->id ?>"/></td>
<td><?php echo $row->name ?></td>
<td><?php echo $row->priority ?></td>
<td class="textcenter"><?php echo $row->disabled ? 'yes' : 'no' ?></td>
<td><?php echo $row->comment ?></td>
<td><input type="radio" name="group_id" value="<?php echo $row->id; ?>"/></td>
<td><?php echo $row->name; ?></td>
<td><?php echo $row->priority; ?></td>
<td class="textcenter"><?php echo $row->disabled ? 'yes' : 'no'; ?></td>
<td><?php echo $row->comment; ?></td>
</tr>
<?php
......@@ -107,8 +105,7 @@ printHeader(array(
$result->closeCursor();
}
$res->closeCursor();
if ($rownums <= 0) {
if ($res->rowCount() == 0) {
?>
......@@ -120,7 +117,7 @@ printHeader(array(
<?php
}
unset($rownums);
$res->closeCursor();
} else {
?>
......@@ -138,7 +135,6 @@ printHeader(array(
<?php
$_SESSION['groups_user_id'] = $_POST['user_id'];
printFooter();
......
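Review bot: The inner `while ($row = $result->fetchObject())` on L1021 reuses `$row` from the outer loop on L1012, and `$row->groupid` is read on L1019 just before it is clobbered; it works only because the outer loop reassigns `$row` each iteration, so a distinct name such as `$group` for the inner loop would make the flow readable. The per-group SELECT on L1019 runs once per membership row; a single statement joining users_to_groups to groups on GroupID = ID and filtered by UserID would replace the nested loops, though the join columns are inferred from the two queries and should be checked against the schema. The `$_SESSION['groups_user_id']` assignment correctly moves inside the isset block on L1008.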
......@@ -150,7 +150,7 @@ if (isset($_POST['user_id'])) {
FROM
${DB_TABLE_PREFIX}accounting
WHERE
Username = '$getuser'
Username = ".$db->quote($getuser)."
$extraSQL
ORDER BY
EventTimestamp
......@@ -269,7 +269,7 @@ if (isset($_POST['user_id'])) {
}
$res->closeCursor();
?>
</table>
</table>
<?php
} else {
......@@ -280,11 +280,6 @@ if (isset($_POST['user_id'])) {
}
?>
<?php
printFooter();
......
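Review bot: L1061 quotes `$getuser`, but `$extraSQL` on L1062 is still interpolated raw into the same statement; it is assembled above the hunk, so if any part of it is derived from the request (a date range, limit or filter) the injection path is only half closed. Either confirm that `$extraSQL` holds literal fragments only, or build it from a fixed set of clauses with every value passed through `$db->quote()` as well. Where `$getuser` itself comes from is likewise outside the hunk.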
......@@ -73,13 +73,17 @@ if (!isset($_POST['frmaction']))
<td class="textcenter">Username</td>
<td class="textcenter">Disabled</td>
</tr>
<?php
$sql = "SELECT ID, Username, Disabled FROM ${DB_TABLE_PREFIX}users ORDER BY ID ASC";
$res = $db->query($sql);
# List users
while ($row = $res->fetchObject()) {
?>
<tr class="resultsitem">
<td><input type="radio" name="user_id" value="<?php echo $row->id; ?>"/><?php echo $row->id; ?></td>
<td><?php echo $row->username; ?></td>
......