From a61d73d804d615b555fdccbec669f8e2cf84217d Mon Sep 17 00:00:00 2001
From: canyonknight
Date: Tue, 22 Jan 2013 02:18:14 +0000
Subject: aur.inc.php: Fix PHP undefined index notice for AURSID
Occurs in the rare situation where a logged out user tries to POST a CSRF token.
Signed-off-by: canyonknight
Signed-off-by: Lukas Fleischer
---
 web/lib/aur.inc.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'web/lib')
diff --git a/web/lib/aur.inc.php b/web/lib/aur.inc.php
index 387d81d..e02c835 100644
--- a/web/lib/aur.inc.php
+++ b/web/lib/aur.inc.php
@@ -94,7 +94,7 @@ function check_sid($dbh=NULL) {
 * @return bool True if the CSRF token is the same as the cookie SID, otherwise false
 */
 function check_token() {
- if (isset($_POST['token'])) {
+ if (isset($_POST['token']) && isset($_COOKIE['AURSID'])) {
 return ($_POST['token'] == $_COOKIE['AURSID']);
 } else {
 return false;
-- 
cgit v1.2.3-54-g00ecf
From 1fd620cc2fc93b238af6793a9970f5a79f6ed7a3 Mon Sep 17 00:00:00 2001
From: canyonknight
Date: Tue, 22 Jan 2013 22:15:35 +0000
Subject: acctfuncs.inc.php: Change return type of valid_username function
The function is only determining whether a username is valid, so it makes more sense to simply return a boolean value.
Signed-off-by: canyonknight
Signed-off-by: Lukas Fleischer
---
 web/lib/acctfuncs.inc.php | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)
(limited to 'web/lib')
diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php
index a41659e..cdf4af6 100644
--- a/web/lib/acctfuncs.inc.php
+++ b/web/lib/acctfuncs.inc.php
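Review bot: The comparison on the unchanged line `return ($_POST['token'] == $_COOKIE['AURSID']);` is loose: PHP's `==` compares numeric-looking strings numerically, so two different token strings can still compare equal, and a non-string POST value (an array submitted as `token[]`) is compared without any type check. Now that both isset() guards are in place, the line can be tightened to `return is_string($_POST['token']) && $_POST['token'] === $_COOKIE['AURSID'];`, and on PHP 5.6 or later `hash_equals($_COOKIE['AURSID'], $_POST['token'])` additionally avoids a timing side channel on the token comparison. check_token's closing brace is outside the hunk.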
@@ -480,12 +480,12 @@ function try_login($dbh=NULL) {
 *
 * The username must be longer or equal to USERNAME_MIN_LEN. It must be shorter
 * or equal to USERNAME_MAX_LEN. It must start and end with either a letter or
- * a number. It can contain one period, hypen, or underscore. Returns username
- * if it meets all of those rules.
+ * a number. It can contain one period, hypen, or underscore. Returns boolean
+ * of whether name is valid.
 *
 * @param string $user Username to validate
 *
- * @return string|void Return username if it meets criteria, otherwise void
+ * @return bool True if username meets criteria, otherwise false
 */
 function valid_username($user) {
 if (!empty($user)) {
@@ -500,13 +500,12 @@ function valid_username($user) {
 # contain only letters and numbers,
 # and at most has one dash, period, or underscore
 if ( preg_match("/^[a-z0-9]+[.\-_]?[a-z0-9]+$/", $user) ) {
- #All is good return the username
- return $user;
+ return true;
 }
 }
 }
- return;
+ return false;
 }
 /**
-- 
cgit v1.2.3-54-g00ecf
From 150b0f9f0a5174e72a27469030135e98b2a43815 Mon Sep 17 00:00:00 2001
From: canyonknight
Date: Tue, 22 Jan 2013 22:38:02 +0000
Subject: Clear a user's active sessions following account suspension
A suspended user can stay in active sessions. Introduce new function delete_user_sessions to remove all open sessions for a specific user. Allows suspensions to take effect immediately.
Signed-off-by: canyonknight
Signed-off-by: Lukas Fleischer
---
 web/lib/acctfuncs.inc.php | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
(limited to 'web/lib')
diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php
index cdf4af6..002042d 100644
--- a/web/lib/acctfuncs.inc.php
+++ b/web/lib/acctfuncs.inc.php
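Review bot: The rewritten docblock line `+ * a number. It can contain one period, hypen, or underscore. Returns boolean` carries the misspelling "hypen" over from the removed line; since the line is being rewritten anyway, `hyphen` would fix it. The summary sentence `Returns boolean of whether name is valid.` also reads more naturally as `Returns true if the name is valid, false otherwise.`, which then matches the new `@return bool` tag exactly.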
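Review bot: The pattern in the context line `if ( preg_match("/^[a-z0-9]+[.\-_]?[a-z0-9]+$/", $user) ) {` lets a trailing newline through: without the `D` modifier PCRE's `$` also matches just before a final "\n", so a name such as "alice\n" is reported valid even though the docblock in the previous hunk says the name must end with a letter or number. Now that the function returns a plain boolean, `if (preg_match("/^[a-z0-9]+[.\-_]?[a-z0-9]+$/D", $user) === 1) {` pins both the anchor and the match result (preg_match returns false on a PCRE error, which the truthiness test currently folds into "invalid"). The character class is lowercase-only, so callers presumably normalise case before calling this — worth confirming, since mixed-case input is silently rejected here. The function's opening lines are in the previous hunk.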
@@ -229,6 +229,8 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="",
 $q.= ", AccountTypeID = ".intval($T);
 }
 if ($S) {
+ /* Ensure suspended users can't keep an active session */
+ delete_user_sessions($UID, $dbh);
 $q.= ", Suspended = 1";
 } else {
 $q.= ", Suspended = 0";
@@ -796,6 +798,23 @@ function delete_session_id($sid, $dbh=NULL) {
 $dbh->query($q);
 }
+/**
+ * Remove all sessions belonging to a particular user
+ *
+ * @param int $uid ID of user to remove all sessions for
+ * @param \PDO $dbh An already established database connection
+ *
+ * @return void
+ */
+function delete_user_sessions($uid, $dbh=NULL) {
+ if (!$dbh) {
+ $dbh = db_connect();
+ }
+
+ $q = "DELETE FROM Sessions WHERE UsersID = " . intval($uid);
+ $dbh->exec($q);
+}
+
 /**
 * Remove sessions from the database that have exceed the timeout
 *
-- 
cgit v1.2.3-54-g00ecf
From 65e93f134faf9c98574a99f7f40d9f0bdb4256eb Mon Sep 17 00:00:00 2001
From: canyonknight
Date: Tue, 22 Jan 2013 22:41:43 +0000
Subject: acctfuncs.inc.php: Change wording of account editing message
An error message is printed when the number of affected rows is 0 for an edited account. A count of 0 doesn't imply an error, only that no changes were made in the database.
Signed-off-by: canyonknight
Signed-off-by: Lukas Fleischer
---
 web/lib/acctfuncs.inc.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'web/lib')
diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php
index 002042d..3759c63 100644
--- a/web/lib/acctfuncs.inc.php
+++ b/web/lib/acctfuncs.inc.php
@@ -248,7 +248,7 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="",
 $q.= " WHERE ID = ".intval($UID);
 $result = $dbh->exec($q);
 if (!$result) {
- print __("Error trying to modify account, %s%s%s.",
+ print __("No changes were made to the account, %s%s%s.",
 "", htmlspecialchars($U,ENT_QUOTES), "");
 } else {
 print __("The account, %s%s%s, has been successfully modified.",
-- 
cgit v1.2.3-54-g00ecf
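Review bot: `delete_user_sessions($UID, $dbh);` runs while the UPDATE is still being assembled in `$q`, so the sessions are wiped before `Suspended = 1` is actually written — the `$dbh->exec($q)` that applies it is further down in the function, outside this hunk. If that UPDATE fails, the user is logged out but not suspended, and a session opened in the window between the DELETE and the UPDATE outlives the suspension. Moving the call to just after a successful exec(), or issuing both statements inside one transaction, keeps the flag and the session state consistent; the call also fires on every edit of an already-suspended account, which is harmless but could be gated on the flag actually changing. process_account_form starts and ends outside the hunk.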
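Review bot: The result of `$dbh->exec($q);` is discarded, so a failed DELETE (exec() returns false in PDO's silent error mode) leaves the user's sessions active while the caller proceeds as if they were cleared. Returning the count — `return $dbh->exec($q);` with the docblock changed to `@return int|false Number of sessions removed, or false on failure` — lets process_account_form report the failure instead of printing success. The `intval($uid)` cast does keep the concatenated statement safe for this integer column; a prepared statement (`$dbh->prepare('DELETE FROM Sessions WHERE UsersID = ?')` followed by `execute([intval($uid)])`) would be the more conventional form and matches the `\PDO` type the docblock declares for `$dbh`.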
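Review bot: The new wording on `+ print __("No changes were made to the account, %s%s%s.",` is only correct for one of the two cases that `if (!$result) {` conflates: PDO::exec() returns 0 when the row is unchanged but false when the statement fails, and `!$result` treats both identically, so a genuine database error is now reported to the admin as "no changes". Splitting the test — `if ($result === false)` keeping the old error message, then `elseif ($result === 0)` for the new "No changes were made" text — preserves the improved wording without hiding real failures. process_account_form starts and ends outside the hunk.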