-rw-r--r-- | web/html/account.php | 7 | ||||
-rw-r--r-- | web/lib/acctfuncs.inc.php | 32 | ||||
-rw-r--r-- | web/lib/aur.inc.php | 2 | ||||
-rw-r--r-- | web/template/pkg_details.php | 4 |
4 files changed, 30 insertions, 15 deletions
diff --git a/web/html/account.php b/web/html/account.php
index cccdd76..2133734 100644
--- a/web/html/account.php
+++ b/web/html/account.php
@@ -48,11 +48,8 @@ if (isset($_COOKIE["AURSID"])) {
 if (empty($row)) {
 print __("Could not retrieve information for the specified user.");
 } else {
- # double check to make sure logged in user can edit this account
- #
- if ($atype == "Developer" || ($atype == "Trusted User" &&
- $row["AccountType"] != "Developer") ||
- ($row["ID"] == uid_from_sid($_COOKIE["AURSID"]))) {
+ /* Verify user has permission to edit the account */
+ if (can_edit_account($atype, $row, uid_from_sid($_COOKIE["AURSID"]))) {
 display_account_form($atype, "UpdateAccount", $row["Username"],
 $row["AccountType"], $row["Suspended"], $row["Email"],
 "", "", $row["RealName"], $row["LangPreference"],
diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php
index a41659e..3759c63 100644
--- a/web/lib/acctfuncs.inc.php
+++ b/web/lib/acctfuncs.inc.php
@@ -229,6 +229,8 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="",
 $q.= ", AccountTypeID = ".intval($T);
 }
 if ($S) {
+ /* Ensure suspended users can't keep an active session */
+ delete_user_sessions($UID, $dbh);
 $q.= ", Suspended = 1";
 } else {
 $q.= ", Suspended = 0";
@@ -246,7 +248,7 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="",
 $q.= " WHERE ID = ".intval($UID);
 $result = $dbh->exec($q);
 if (!$result) {
- print __("Error trying to modify account, %s%s%s.",
+ print __("No changes were made to the account, %s%s%s.",
 "<strong>", htmlspecialchars($U,ENT_QUOTES), "</strong>");
 } else {
 print __("The account, %s%s%s, has been successfully modified.",
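Review bot: The authorization rule for editing an account is now delegated to `can_edit_account`, which none of the four files in this commit define, so whether it preserves the removed check cannot be verified from this diff; the removed lines allowed a Developer to edit anyone, a Trusted User to edit anyone who is not a Developer, and any user to edit their own record, and the helper presumably has to reproduce exactly that for this to be a pure refactor. The new comment only restates the call; I would make it state the policy so the call site can be audited without opening the helper, e.g. `/* Developers may edit any account, Trusted Users any non-Developer account, and users their own account */`. The enclosing else branch continues past the end of the hunk.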
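Review bot: `delete_user_sessions($UID, $dbh);` discards whether the delete succeeded, so if the DELETE fails the account is still marked `Suspended = 1` by the UPDATE below while its existing sessions stay valid until they expire, which is exactly the case the comment says this line prevents. Running the delete before the UPDATE is the safe ordering (a failed UPDATE leaves an unsuspended user without sessions, which is recoverable), so I would keep the order but surface the result, e.g. `if (delete_user_sessions($UID, $dbh) === false) { /* report and abort the update */ }` once the helper returns the exec result. process_account_form's signature is cut off in the hunk header and the function continues outside the hunk.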
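Review bot: The reworded message treats `!$result` as "no changes were made", but `PDO::exec` returns `false` on failure and `0` when the UPDATE changed nothing, so a genuine database error is now reported as a harmless no-op and lost. Distinguish the two cases: `if ($result === false) { print __("Error trying to modify account, %s%s%s.", ...); } elseif ($result === 0) { print __("No changes were made to the account, %s%s%s.", ...); }` with the success branch unchanged. This matters together with the hunk above: a failed UPDATE after a suspension request has already deleted the user's sessions, and the operator would now be told nothing happened.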
@@ -480,12 +482,12 @@ function try_login($dbh=NULL) {
 *
 * The username must be longer or equal to USERNAME_MIN_LEN. It must be shorter
 * or equal to USERNAME_MAX_LEN. It must start and end with either a letter or
- * a number. It can contain one period, hypen, or underscore. Returns username
- * if it meets all of those rules.
+ * a number. It can contain one period, hypen, or underscore. Returns boolean
+ * of whether name is valid.
 *
 * @param string $user Username to validate
 *
- * @return string|void Return username if it meets criteria, otherwise void
+ * @return bool True if username meets criteria, otherwise false
 */
 function valid_username($user) {
 if (!empty($user)) {
@@ -500,13 +502,12 @@ function valid_username($user) {
 # contain only letters and numbers,
 # and at most has one dash, period, or underscore
 if ( preg_match("/^[a-z0-9]+[.\-_]?[a-z0-9]+$/", $user) ) {
- #All is good return the username
- return $user;
+ return true;
 }
 }
 }
- return;
+ return false;
 }
 /**
@@ -798,6 +799,23 @@ function delete_session_id($sid, $dbh=NULL) {
 }
 /**
+ * Remove all sessions belonging to a particular user
+ *
+ * @param int $uid ID of user to remove all sessions for
+ * @param \PDO $dbh An already established database connection
+ *
+ * @return void
+ */
+function delete_user_sessions($uid, $dbh=NULL) {
+ if (!$dbh) {
+ $dbh = db_connect();
+ }
+
+ $q = "DELETE FROM Sessions WHERE UsersID = " . intval($uid);
+ $dbh->exec($q);
+}
+
+/**
 * Remove sessions from the database that have exceed the timeout
 *
 * @global int $LOGIN_TIMEOUT Time until session expires
diff --git a/web/lib/aur.inc.php b/web/lib/aur.inc.php
index 9317ec9..d8c5cb4 100644
--- a/web/lib/aur.inc.php
+++ b/web/lib/aur.inc.php
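Review bot: `return true;` / `return false;` change the contract from "return the validated username" to a boolean, so any caller written as `$user = valid_username($user)` or comparing the result against the submitted name now silently stores `true`; no caller is part of this diff, so they all need checking (the function's signature is in the preceding hunk and this hunk starts inside its body). While the regex is in view: in `/^[a-z0-9]+[.\-_]?[a-z0-9]+$/` the `$` anchor also matches before a trailing newline, so `"alice\n"` passes validation; `/^[a-z0-9]+[.\-_]?[a-z0-9]+$/D` closes that gap and is worth doing now that the function is the sole gate rather than also the source of the normalized name.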
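Review bot: `$dbh->exec($q);` in the new `delete_user_sessions` drops its return value, so a failed DELETE looks the same as a successful one and the caller in process_account_form goes on to suspend the account believing the sessions are gone. Return the result so callers can react, `return $dbh->exec($q);`, and document it as `@return int|false Number of sessions removed, or false on failure` in place of `@return void`. `intval($uid)` keeps the string-built query safe from injection, so the choice between it and `$stmt = $dbh->prepare("DELETE FROM Sessions WHERE UsersID = ?"); $stmt->execute(array(intval($uid)));` is style, though the prepared form is the more robust habit for a helper other code will copy.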
@@ -94,7 +94,7 @@ function check_sid($dbh=NULL) {
 * @return bool True if the CSRF token is the same as the cookie SID, otherwise false
 */
 function check_token() {
- if (isset($_POST['token'])) {
+ if (isset($_POST['token']) && isset($_COOKIE['AURSID'])) {
 return ($_POST['token'] == $_COOKIE['AURSID']);
 } else {
 return false;
diff --git a/web/template/pkg_details.php b/web/template/pkg_details.php
index b5d8a9f..0973448 100644
--- a/web/template/pkg_details.php
+++ b/web/template/pkg_details.php
@@ -137,7 +137,7 @@ if ($row["SubmitterUID"]):
 <td><?= htmlspecialchars($submitter) ?></td>
 <?php endif; ?>
 <?php else: ?>
- <td>None</td>
+ <td><?= __('None') ?></td>
 <?php endif; ?>
 </tr>
 <tr>
@@ -155,7 +155,7 @@ if ($row["MaintainerUID"]):
 <td><?= htmlspecialchars($maintainer) ?></td>
 <?php endif; ?>
 <?php else: ?>
- <td>None</td>
+ <td><?= __('None') ?></td>
 <?php endif; ?>
 </tr>
 <tr>
|
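Review bot: The added `isset($_COOKIE['AURSID'])` guard only removes the undefined-index notice; the CSRF check on the next line still compares with `==`, and PHP compares two numeric-looking strings numerically, so a submitted token such as `"0e1"` would be accepted for a session ID `"0e2"`, and other pairs that differ only in leading zeros or exponent form compare equal as well. A strict, constant-time comparison closes this: `if (isset($_POST['token'], $_COOKIE['AURSID']) && is_string($_POST['token'])) {` followed by `return hash_equals($_COOKIE['AURSID'], $_POST['token']);` (PHP 5.6+; on older runtimes at least `===`). The `is_string` check matters because `isset` also passes when `token` is submitted as an array, which `hash_equals` rejects with a warning. The remainder of check_token lies outside the hunk.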