From 32e4e9606fb2ac95b236913fcc0a98a7ee23bccd Mon Sep 17 00:00:00 2001 From: Malf Furious Date: Sat, 21 May 2016 21:44:53 -0400 Subject: Add MVC Deleteacct This will prompt the user for their password if they opt to delete their own account. This is to prevent malicious attempt by others to trick users into having there accounts deleted by way of a XSS attack. --- app/model/deleteacct.mod.php | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 app/model/deleteacct.mod.php (limited to 'app/model') diff --git a/app/model/deleteacct.mod.php b/app/model/deleteacct.mod.php new file mode 100644 index 0000000..ca01a0d --- /dev/null +++ b/app/model/deleteacct.mod.php @@ -0,0 +1,15 @@ + -- cgit v1.2.3 From f8f8cd372ca2bb6498d96318c159405db13a9fab Mon Sep 17 00:00:00 2001 From: Malf Furious Date: Sun, 22 May 2016 00:24:57 -0400 Subject: Add class constructor to Common model There are two functions that need called in the common model whenever a page is rendered. Rather than requiring all of the base MVC controllers to call them, I am placing them in a constructor for this model class. This constructor should fire automatically (since base mvc models inherit this class), unless base classes define their own constructors. I don't antisipate this happening, however in that case, they would just need to call parent::__construct(). --- app/model/common.mod.php | 10 ++++++++++ 1 file changed, 10 insertions(+) (limited to 'app/model') diff --git a/app/model/common.mod.php b/app/model/common.mod.php index 7630dfa..03ed54f 100644 --- a/app/model/common.mod.php +++ b/app/model/common.mod.php @@ -13,6 +13,16 @@ class CommonModel extends MasterModel "image/jpeg" ); + /* + * Constructor + */ + function __construct() + { + parent::__construct(); + $this->common_handleFormSubmissions($_REQUEST['input'], $_FILES['attachment']); + $this->common_deflt(); + } + /* * Default action */ -- cgit v1.2.3 From c2137095e8b176affa3e97af579a70d394eeb7c1 Mon Sep 17 00:00:00 2001 
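Review bot: The new `__construct` reads `$_REQUEST['input']` and `$_FILES['attachment']` unguarded, so any render of a page whose request carries neither key raises undefined-index notices before `common_handleFormSubmissions` is even entered; guard them, e.g. `$input = isset($_REQUEST['input']) ? $_REQUEST['input'] : null;` and the same for the attachment. Because `$_REQUEST` merges GET, POST and cookie data, the submission dispatch that this constructor now fires on every page load is reachable from a plain GET link as well as a posted form, which matters for the state-changing handlers added later in this series; if those forms are only ever POSTed, reading `$_POST['input']` instead narrows that exposure — confirm against the views before changing it. The two context lines before the added block belong to a property initialiser whose start is outside the hunk.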
From: Malf Furious Date: Sun, 22 May 2016 03:02:33 -0400 Subject: Add action 'delete' to Deleteacct MVC This action will validate the user's password, and make sure you're not removing the last admin, then proceed to delete the current user's account from the database and log them out, for good. --- app/model/deleteacct.mod.php | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) (limited to 'app/model') diff --git a/app/model/deleteacct.mod.php b/app/model/deleteacct.mod.php index ca01a0d..89aca14 100644 --- a/app/model/deleteacct.mod.php +++ b/app/model/deleteacct.mod.php @@ -1,6 +1,8 @@ field_text("password", null, false); + + if (!$form->populate($input)) + { + $this->logFormErrors($form); + return; + } + + $user = $this->getCurrentUser(); + + if (!$user->validatePassword($form->password)) + { + $this->logError("Account not deleted - Password was incorrect"); + return; + } + + if ($user->admin && $user->getNumAdmins() == 1) + { + $this->logError("Account not deleted - Cannot remove the last admin account"); + return; + } + + $user->delObj(); + $this->redirectTo($this->ar() . "/"); + } } ?> -- cgit v1.2.3 From 2d1e4242a87b54578e24546dabe1525a014da24e Mon Sep 17 00:00:00 2001 From: Malf Furious Date: Sun, 22 May 2016 16:34:39 -0400 Subject: Add form submission handler for user removal Added handler for the button added in the previous commit. --- app/model/common.mod.php | 46 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 46 insertions(+) (limited to 'app/model') diff --git a/app/model/common.mod.php b/app/model/common.mod.php index 03ed54f..5e6373c 100644 --- a/app/model/common.mod.php +++ b/app/model/common.mod.php 
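Review bot: The visible part of the action deletes the account with `$user->delObj()` and then redirects, but nothing in the hunk tears down the session even though the commit message promises the user is logged out; unless `delObj()` or `redirectTo()` invalidates the session, either an explicit session clear belongs before the redirect or a comment such as `/* session is invalidated by <where> once the user row is gone */` should say where the logout happens. The last-admin guard compares with `$user->getNumAdmins() == 1`; if that method returns an int, `=== 1` avoids loose-comparison surprises. The head of this function and the file's opening lines are not legible in this rendering of the hunk, so the code that builds `$form` before `field_text("password", null, false)` could not be checked.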
@@ -58,6 +58,7 @@ class CommonModel extends MasterModel
 case "common-setting-admin": $this->saveSettingAdmin($input); break;
 case "common-setting-allusers-adduser": $this->saveSettingAllusersAdduser($input); break;
 case "common-setting-allusers-edituser": $this->saveSettingAllusersEdituser($input, $attachment); break;
+ case "common-setting-allusers-deluser": $this->saveSettingAllusersDeluser($input); break;
 } }
@@ -283,6 +284,51 @@ class CommonModel extends MasterModel
 else $this->logFormErrors($form); }
+
+ /*
+ * Allow admin to remove user accounts
+ */
+ function saveSettingAllusersDeluser($input)
+ {
+ $form = new Form();
+ $form->field_text("guid");
+
+ if (!$form->populate($input))
+ {
+ $this->logFormErrors($form);
+ return;
+ }
+
+ $user = $this->getCurrentUser();
+
+ if (!$user || $user->admin == 0)
+ {
+ $this->logError("Admin permissions required");
+ return;
+ }
+
+ $user = new User($form->guid);
+
+ if ($user->type != "user")
+ {
+ $this->logError("Invalid user GUID");
+ return;
+ }
+
+ if ($user->admin && $user->getNumAdmins() == 1)
+ {
+ $this->logError("Account not deleted - Cannot remove the last admin account");
+ return;
+ }
+
+ $user->delObj();
+
+ if (!$this->getCurrentUser())
+ {
+ /* did user delete their own account? */
+ $this->redirectTo($this->ar() . "/");
+ }
+ }
 } ?> -- cgit v1.2.3
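Review bot: `saveSettingAllusersDeluser` lets an admin delete any account on the strength of a single `guid` field, with neither the password re-entry that the Deleteacct model requires for self-deletion nor any visible request token; since the dispatcher (first hunk, `case "common-setting-allusers-deluser"`) is fed from the request on every page load, a forged request against a logged-in admin reaches `$user->delObj()` unless `Form::populate` enforces a token elsewhere — confirm that, and otherwise require the same confirmation step here. The local `$user` is reassigned from the acting admin to the target account mid-function, which makes the later `$user->admin` and `!$this->getCurrentUser()` checks harder to follow; `$target = new User($form->guid);` keeps the two apart. `$user->admin == 0` and `$user->type != "user"` should use strict comparisons if those properties are typed consistently in `User`.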