Okay, a real change. Allow admin users to modify other user's information.

Goto the User List, look for BlueBalls, not RedBalls ...

www/modusr_form.php3

@@ -12,10 +12,26 @@ PAGEHEADER("Modify User Information Form");
 $uid = GETLOGIN();
 LOGGEDINORDIE($uid);
 
+#
+# The target uid and the current uid will generally be the same, unless
+# its an admin user modifying someone elses data. Must verify this case.
+#
+if (! isset($target_uid)) {
+    $target_uid = $uid;
+}
+
+if ($uid != $target_uid) {
+    $isadmin = ISADMIN($uid);
+    if (! $isadmin) {
+	USERERROR("You do not have permission to modify user information ".
+		  "for other users", 1);
+    }
+}
+
 ?>
 
 <center>
-<h1>Modify Your User Information</h1>
+<h1>Modify User Information</h1>
 <table align="center" border="1">
   <tr><td align="center" colspan="4">
           Only fields marked with * are required
@@ -28,10 +44,10 @@ LOGGEDINORDIE($uid);
 # Suck the current info out of the database and break it apart.
 #
 $info_result = mysql_db_query($TBDBNAME,
-	"select * from users where uid='$uid'");
+	"select * from users where uid='$target_uid'");
 if (! $info_result) {
     $err = mysql_error();
-    TBERROR("Database Error getting user info for user $uid: $err\n", 1);
+    TBERROR("Database Error getting user info for $target_uid: $err\n", 1);
 }
 
 $row = mysql_fetch_array($info_result);
@@ -52,7 +68,8 @@ echo "<form action=\"modusr_process.php3\" method=\"post\">\n";
 echo "<tr>
           <td>Username:</td>
           <td class=\"left\"> 
-              <input type=\"readonly\" name=\"uid\" value=\"$uid\"></td>
+              <input type=\"readonly\" name=\"target_uid\"
+                     value=\"$target_uid\"></td>
       </tr>\n";
 
 echo "<tr>

www/modusr_process.php3

@@ -7,17 +7,36 @@ include("defs.php3");
 PAGEHEADER("Modify User Information");
 
 #
-# First off, sanity check the form to make sure all the required fields
+# Only known and logged in users can modify info.
+#
+$uid = GETLOGIN();
+LOGGEDINORDIE($uid);
+
+#
+# The target_uid comes in as a POST var. It must be set. We allow
+# admin users to modify other user info, so must check for that.
+# 
+if (!isset($target_uid) ||
+    strcmp($target_uid, "") == 0) {
+  FORMERROR("Username");
+}
+
+if ($uid != $target_uid) {
+    $isadmin = ISADMIN($uid);
+    if (! $isadmin) {
+	USERERROR("You do not have permission to modify user information ".
+		  "for other users", 1);
+    }
+}
+
+#
+# Now sanity check the form to make sure all the required fields
 # were provided. I do this on a per field basis so that we can be
 # informative. Be sure to correlate these checks with any changes made to
 # the project form. Note that this sequence of  statements results in
 # only the last bad field being displayed, but thats okay. The user will
 # eventually figure out that fields marked with * mean something!
 #
-if (!isset($uid) ||
-    strcmp($uid, "") == 0) {
-  FORMERROR("Username");
-}
 if (!isset($usr_name) ||
     strcmp($usr_name, "") == 0) {
   FORMERROR("Full Name");
@@ -43,11 +62,6 @@ if (!isset($usr_affil) ||
   FORMERROR("Institutional Affiliation");
 }
 
-#
-# Only known and logged in users can modify info. uid came in as a POST var.
-#
-LOGGEDINORDIE($uid);
-
 #
 # Now see if the user is requesting to change the password. We do the usual
 # checks to make sure the two fields agree and that it passes our tests for
@@ -60,7 +74,7 @@ if (isset($new_password1) && strcmp($new_password2, "")) {
     }
 
     $mypipe = popen(escapeshellcmd(
-    "$TBCHKPASS_PATH $new_password1 $uid '$usr_name:$usr_email'"),
+    "$TBCHKPASS_PATH $new_password1 $target_uid '$usr_name:$usr_email'"),
     "w+");
     if ($mypipe) { 
         $retval=fgets($mypipe, 1024);
@@ -71,7 +85,7 @@ if (isset($new_password1) && strcmp($new_password2, "")) {
     }
     else {
 	TBERROR("TESTBED: checkpass failure\n".
-               "$usr_name ($uid) just tried change his password\n".
+               "$usr_name ($target_uid) just tried change his password\n".
                "but checkpass pipe did not open (returned '$mypipe').", 1);
     }
 
@@ -80,11 +94,12 @@ if (isset($new_password1) && strcmp($new_password2, "")) {
     #
     $encoding = crypt("$new_password1");
     $insert_result  = mysql_db_query($TBDBNAME, 
-		"UPDATE users SET usr_pswd=\"$encoding\" WHERE uid=\"$uid\"");
+		"UPDATE users SET usr_pswd=\"$encoding\" ".
+		"WHERE uid=\"$target_uid\"");
 
     if (! $insert_result) {
         $err = mysql_error();
-        TBERROR("Database Error changing password for $uid: $err", 1);
+        TBERROR("Database Error changing password for $target_uid: $err", 1);
     }
 }
 
@@ -103,11 +118,11 @@ $insert_result = mysql_db_query($TBDBNAME,
 	"usr_expires=\"$usr_expires\", ".
 	"usr_title=\"$usr_title\",     ".
 	"usr_affil=\"$usr_affil\"      ".
-	"WHERE uid=\"$uid\"");
+	"WHERE uid=\"$target_uid\"");
 
 if (! $insert_result) {
     $err = mysql_error();
-    TBERROR("Database Error changing user info for $uid: $err", 1);
+    TBERROR("Database Error changing user info for $target_uid: $err", 1);
 }
 
 ?>

www/showuser_list.php3

@@ -60,9 +60,10 @@ echo "<tr>
           <td>Projects</td>\n";
 
 #
-# Admin users get a "delete" option.
+# Admin users get a "delete" and a "modify" option.
 # 
 if ($isadmin) {
+    echo "<td align=center>Modify?</td>\n";
     echo "<td align=center>Delete?</td>\n";
 }
 echo "</tr>\n";
@@ -97,8 +98,10 @@ while ($row = mysql_fetch_array($query_result)) {
     }
 
     if ($isadmin) {
+	echo "<td align=center><A href='modusr_form.php3?target_uid=$thisuid'>
+                     <img alt=\"O\" src=\"blueball.gif\"></A></td>\n";
 	echo "<td align=center><A href='deleteuser.php3?target_uid=$thisuid'>
-                     <img alt=\"o\" src=\"redball.gif\"></A></td>\n";
+                     <img alt=\"X\" src=\"redball.gif\"></A></td>\n";
     }
     echo "</tr>\n";
 }