From 3c5783b72688b36d076063b53d23c3bcdbaf6f1a Mon Sep 17 00:00:00 2001 From: Andrew Dolgov Date: Sat, 20 May 2006 15:26:00 +0100 Subject: user editor improved, some form parameter validation reimplemented for prototyped-forms --- backend.php | 128 ++++++++++++++++++++++++++++++++++++++---------------------- 1 file changed, 81 insertions(+), 47 deletions(-) (limited to 'backend.php') diff --git a/backend.php b/backend.php index d203af3fa..745a1a132 100644 --- a/backend.php +++ b/backend.php @@ -81,6 +81,10 @@ 1440 => "Daily", 10080 => "Weekly"); + $access_level_names = array( + 0 => "User", + 10 => "Administrator"); + $script_started = getmicrotime(); $link = db_connect(DB_HOST, DB_USER, DB_PASS, DB_NAME); @@ -2007,13 +2011,9 @@ $edit_cat_id = $_GET["id"]; - if ($subop == "editCat") { - if ($cat_id != $edit_cat_id) { + if ($subop == "editCat" && $cat_id != $edit_cat_id) { $class .= "Grayed"; $this_row_id = ""; - } else { - $class .= "Selected"; - } } else { $this_row_id = "id=\"FCATR-$cat_id\""; } @@ -2683,30 +2683,6 @@ } - if ($id == "quickDelFeed") { - - $param = db_escape_string($param); - - $result = db_query($link, "SELECT title FROM ttrss_feeds WHERE id = '$param'"); - - if ($result) { - - $f_title = db_fetch_result($result, 0, "title"); - - print "Remove current feed ($f_title)?  - - "; - } else { - print "Error: Feed $param not found.  - "; - } - } - if ($id == "search") { print "
Search
"; @@ -3229,16 +3205,78 @@ $subop = $_GET["subop"]; + if ($subop == "edit") { + + $id = db_escape_string($_GET["id"]); + + print "
User editor
"; + + print "
"; + + print "
"; + + print ""; + print ""; + print ""; + + $result = db_query($link, "SELECT * FROM ttrss_users WHERE id = '$id'"); + + $login = db_fetch_result($result, 0, "login"); + $access_level = db_fetch_result($result, 0, "access_level"); + $email = db_fetch_result($result, 0, "email"); + + print ""; + print ""; + + print ""; + + print ""; + + $sel_disabled = ($id == $_SESSION["uid"]) ? "disabled" : ""; + + print ""; + + print "
Login: +
Change password: +
E-mail: +
Access level:"; + print_select_hash("access_level", $access_level, $access_level_names, + $sel_disabled); + print "
"; + + print "
"; + + print "
+ +
"; + + print "
"; + + return; + } + if ($subop == "editSave") { - if (!WEB_DEMO_MODE) { + if (!WEB_DEMO_MODE && $_SESSION["access_level"] >= 10) { - $login = db_escape_string($_GET["l"]); + $login = db_escape_string(trim($_GET["login"])); $uid = db_escape_string($_GET["id"]); - $access_level = sprintf("%d", $_GET["al"]); - $email = db_escape_string($_GET["e"]); + $access_level = sprintf("%d", $_GET["access_level"]); + $email = db_escape_string(trim($_GET["email"])); + $password = db_escape_string(trim($_GET["password"])); + + if ($password) { + $pwd_hash = 'SHA1:' . sha1($password); + $pass_query_part = "pwd_hash = '$pwd_hash', "; + print "
Changed password for user $login.
"; + } else { + $pass_query_part = ""; + } - db_query($link, "UPDATE ttrss_users SET login = '$login', + db_query($link, "UPDATE ttrss_users SET $pass_query_part login = '$login', access_level = '$access_level', email = '$email' WHERE id = '$uid'"); } @@ -3363,10 +3401,9 @@ print "   - Login - E-mail - Access Level - Last login"; + Login + Access Level + Last login"; $lnum = 0; @@ -3393,7 +3430,7 @@ $access_level_names = array(0 => "User", 10 => "Administrator"); - if (!$edit_uid || $subop != "edit") { +// if (!$edit_uid || $subop != "edit") { print ""; @@ -3403,13 +3440,10 @@ if (!$line["email"]) $line["email"] = " "; - print "" . - $line["email"] . ""; - print "" . $access_level_names[$line["access_level"]] . ""; - } else if ($uid != $edit_uid) { +/* } else if ($uid != $edit_uid) { if (!$line["email"]) $line["email"] = " "; @@ -3445,7 +3479,7 @@ print ""; print ""; - } + } */ print "".$line["last_login"].""; @@ -3458,14 +3492,14 @@ print "

"; - if ($subop == "edit") { +/* if ($subop == "edit") { print "Edit user: "; - } else { + } else { */ print " Selection: @@ -3478,7 +3512,7 @@ "; - } +// } } if ($op == "user-details") { -- cgit v1.2.3-54-g00ecf