summaryrefslogtreecommitdiffstats
path: root/web
diff options
context:
space:
mode:
Diffstat (limited to 'web')
-rw-r--r--web/html/account.php44
-rw-r--r--web/lib/acctfuncs.inc.php39
2 files changed, 49 insertions, 34 deletions
diff --git a/web/html/account.php b/web/html/account.php
index 63c3ada..2a96845 100644
--- a/web/html/account.php
+++ b/web/html/account.php
@@ -44,17 +44,10 @@ if (isset($_COOKIE["AURSID"])) {
} elseif ($action == "DisplayAccount") {
# the user has clicked 'edit', display the account details in a form
#
- $q = "SELECT Users.*, AccountTypes.AccountType ";
- $q.= "FROM Users, AccountTypes ";
- $q.= "WHERE AccountTypes.ID = Users.AccountTypeID ";
- $q.= "AND Users.ID = ".intval(in_request("ID"));
- $result = db_query($q, $dbh);
- if (!mysql_num_rows($result)) {
+ $row = account_details(in_request("ID"), in_request("U"));
+ if (empty($row)) {
print __("Could not retrieve information for the specified user.");
-
} else {
- $row = mysql_fetch_assoc($result);
-
# double check to make sure logged in user can edit this account
#
if ($atype == "User" || ($atype == "Trusted User" && $row["AccountType"] == "Developer")) {
@@ -71,24 +64,15 @@ if (isset($_COOKIE["AURSID"])) {
} elseif ($action == "AccountInfo") {
# no editing, just looking up user info
#
- $q = "SELECT Users.*, AccountTypes.AccountType ";
- $q.= "FROM Users, AccountTypes ";
- $q.= "WHERE AccountTypes.ID = Users.AccountTypeID ";
- if (isset($_REQUEST["ID"])) {
- $q.= "AND Users.ID = ".intval(in_request("ID"));
- } else {
- $q.= "AND Users.Username = '".db_escape_string(in_request("U")) . "'";
- }
- $result = db_query($q, $dbh);
- if (!mysql_num_rows($result)) {
+ $row = account_details(in_request("ID"), in_request("U"));
+ if (empty($row)) {
print __("Could not retrieve information for the specified user.");
} else {
- $row = mysql_fetch_assoc($result);
- display_account_info($row["Username"],
- $row["AccountType"], $row["Email"], $row["RealName"],
- $row["IRCNick"], $row["PGPKey"], $row["LastVoted"]);
+ display_account_info($row["Username"],
+ $row["AccountType"], $row["Email"], $row["RealName"],
+ $row["IRCNick"], $row["PGPKey"], $row["LastVoted"]);
}
-
+
} elseif ($action == "UpdateAccount") {
# user is submitting their modifications to an existing account
#
@@ -110,18 +94,10 @@ if (isset($_COOKIE["AURSID"])) {
# A normal user, give them the ability to edit
# their own account
#
- $q = "SELECT Users.*, AccountTypes.AccountType ";
- $q.= "FROM Users, AccountTypes, Sessions ";
- $q.= "WHERE AccountTypes.ID = Users.AccountTypeID ";
- $q.= "AND Users.ID = Sessions.UsersID ";
- $q.= "AND Sessions.SessionID = '";
- $q.= db_escape_string($_COOKIE["AURSID"])."'";
- $result = db_query($q, $dbh);
- if (!mysql_num_rows($result)) {
+ $row = own_account_details($_COOKIE["AURSID"]);
+ if (empty($row)) {
print __("Could not retrieve information for the specified user.");
-
} else {
- $row = mysql_fetch_assoc($result);
# don't need to check if they have permissions, this is a
# normal user editing themselves.
#
diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php
index 31c43db..7ea423e 100644
--- a/web/lib/acctfuncs.inc.php
+++ b/web/lib/acctfuncs.inc.php
@@ -740,3 +740,42 @@ function clear_expired_sessions($dbh=NULL) {
return;
}
+function account_details($uid, $username, $dbh=NULL) {
+ if(!$dbh) {
+ $dbh = db_connect();
+ }
+ $q = "SELECT Users.*, AccountTypes.AccountType ";
+ $q.= "FROM Users, AccountTypes ";
+ $q.= "WHERE AccountTypes.ID = Users.AccountTypeID ";
+ if (!empty($uid)) {
+ $q.= "AND Users.ID = ".intval($uid);
+ } else {
+ $q.= "AND Users.Username = '".db_escape_string($username) . "'";
+ }
+ $result = db_query($q, $dbh);
+
+ if ($result) {
+ $row = mysql_fetch_assoc($result);
+ }
+
+ return $row;
+}
+
+function own_account_details($sid, $dbh=NULL) {
+ if(!$dbh) {
+ $dbh = db_connect();
+ }
+ $q = "SELECT Users.*, AccountTypes.AccountType ";
+ $q.= "FROM Users, AccountTypes, Sessions ";
+ $q.= "WHERE AccountTypes.ID = Users.AccountTypeID ";
+ $q.= "AND Users.ID = Sessions.UsersID ";
+ $q.= "AND Sessions.SessionID = '";
+ $q.= db_escape_string($sid)."'";
+ $result = db_query($q, $dbh);
+
+ if ($result) {
+ $row = mysql_fetch_assoc($result);
+ }
+
+ return $row;
+}