Commit 21267375 authored by Leigh B. Stoller's avatar Leigh B. Stoller

Okay, a real change. Allow admin users to modify other users' information.

Goto the User List, look for BlueBalls, not RedBalls ...
parent 34081e1d
......@@ -12,10 +12,26 @@ PAGEHEADER("Modify User Information Form");
$uid = GETLOGIN();
LOGGEDINORDIE($uid);
#
# The target uid and the current uid will generally be the same, unless
# its an admin user modifying someone elses data. Must verify this case.
#
if (! isset($target_uid)) {
$target_uid = $uid;
}
if ($uid != $target_uid) {
$isadmin = ISADMIN($uid);
if (! $isadmin) {
USERERROR("You do not have permission to modify user information ".
"for other users", 1);
}
}
?>
<center>
<h1>Modify Your User Information</h1>
<h1>Modify User Information</h1>
<table align="center" border="1">
<tr><td align="center" colspan="4">
Only fields marked with * are required
......@@ -28,10 +44,10 @@ LOGGEDINORDIE($uid);
# Suck the current info out of the database and break it apart.
#
$info_result = mysql_db_query($TBDBNAME,
"select * from users where uid='$uid'");
"select * from users where uid='$target_uid'");
if (! $info_result) {
$err = mysql_error();
TBERROR("Database Error getting user info for user $uid: $err\n", 1);
TBERROR("Database Error getting user info for $target_uid: $err\n", 1);
}
$row = mysql_fetch_array($info_result);
......@@ -52,7 +68,8 @@ echo "<form action=\"modusr_process.php3\" method=\"post\">\n";
echo "<tr>
<td>Username:</td>
<td class=\"left\">
<input type=\"readonly\" name=\"uid\" value=\"$uid\"></td>
<input type=\"readonly\" name=\"target_uid\"
value=\"$target_uid\"></td>
</tr>\n";
echo "<tr>
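Review bot: `$target_uid` arrives from the request (the user list links here with `?target_uid=`) and is placed into the SELECT as `uid='$target_uid'` and into the form as `value=\"$target_uid\"` with no format check or output encoding; the admin test only decides who may name another user, not what the value may contain. Validating it once, right after the permission check, against whatever character set uids are allowed to have and rejecting anything else with USERERROR would cover both uses, and the attribute should additionally be written as `value=\"" . htmlspecialchars($target_uid) . "\"`. The same value is used unchecked in the processing script's two UPDATE statements and in the checkpass command line, where `escapeshellcmd` over the whole string does not stop an argument from being split on whitespace. Note also that `type=\"readonly\"` is not an input type, so the field stays editable in the browser; the server-side check in the processing script is what actually enforces the restriction.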
......
......@@ -7,17 +7,36 @@ include("defs.php3");
PAGEHEADER("Modify User Information");
#
# First off, sanity check the form to make sure all the required fields
# Only known and logged in users can modify info.
#
$uid = GETLOGIN();
LOGGEDINORDIE($uid);
#
# The target_uid comes in as a POST var. It must be set. We allow
# admin users to modify other user info, so must check for that.
#
if (!isset($target_uid) ||
strcmp($target_uid, "") == 0) {
FORMERROR("Username");
}
if ($uid != $target_uid) {
$isadmin = ISADMIN($uid);
if (! $isadmin) {
USERERROR("You do not have permission to modify user information ".
"for other users", 1);
}
}
#
# Now sanity check the form to make sure all the required fields
# were provided. I do this on a per field basis so that we can be
# informative. Be sure to correlate these checks with any changes made to
# the project form. Note that this sequence of statements results in
# only the last bad field being displayed, but thats okay. The user will
# eventually figure out that fields marked with * mean something!
#
if (!isset($uid) ||
strcmp($uid, "") == 0) {
FORMERROR("Username");
}
if (!isset($usr_name) ||
strcmp($usr_name, "") == 0) {
FORMERROR("Full Name");
......@@ -43,11 +62,6 @@ if (!isset($usr_affil) ||
FORMERROR("Institutional Affiliation");
}
#
# Only known and logged in users can modify info. uid came in as a POST var.
#
LOGGEDINORDIE($uid);
#
# Now see if the user is requesting to change the password. We do the usual
# checks to make sure the two fields agree and that it passes our tests for
......@@ -60,7 +74,7 @@ if (isset($new_password1) && strcmp($new_password2, "")) {
}
$mypipe = popen(escapeshellcmd(
"$TBCHKPASS_PATH $new_password1 $uid '$usr_name:$usr_email'"),
"$TBCHKPASS_PATH $new_password1 $target_uid '$usr_name:$usr_email'"),
"w+");
if ($mypipe) {
$retval=fgets($mypipe, 1024);
......@@ -71,7 +85,7 @@ if (isset($new_password1) && strcmp($new_password2, "")) {
}
else {
TBERROR("TESTBED: checkpass failure\n".
"$usr_name ($uid) just tried change his password\n".
"$usr_name ($target_uid) just tried change his password\n".
"but checkpass pipe did not open (returned '$mypipe').", 1);
}
......@@ -80,11 +94,12 @@ if (isset($new_password1) && strcmp($new_password2, "")) {
#
$encoding = crypt("$new_password1");
$insert_result = mysql_db_query($TBDBNAME,
"UPDATE users SET usr_pswd=\"$encoding\" WHERE uid=\"$uid\"");
"UPDATE users SET usr_pswd=\"$encoding\" ".
"WHERE uid=\"$target_uid\"");
if (! $insert_result) {
$err = mysql_error();
TBERROR("Database Error changing password for $uid: $err", 1);
TBERROR("Database Error changing password for $target_uid: $err", 1);
}
}
......@@ -103,11 +118,11 @@ $insert_result = mysql_db_query($TBDBNAME,
"usr_expires=\"$usr_expires\", ".
"usr_title=\"$usr_title\", ".
"usr_affil=\"$usr_affil\" ".
"WHERE uid=\"$uid\"");
"WHERE uid=\"$target_uid\"");
if (! $insert_result) {
$err = mysql_error();
TBERROR("Database Error changing user info for $uid: $err", 1);
TBERROR("Database Error changing user info for $target_uid: $err", 1);
}
?>
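Review bot: The permission check `if ($uid != $target_uid)` uses PHP's loose comparison, which compares numeric-looking strings as numbers, so two different uid strings can compare equal and skip the ISADMIN test; if uids are always alphabetic this is harmless, but the file already uses `strcmp` for its field checks, and `if (strcmp($uid, $target_uid) != 0) {` removes the question (the form script has the same test). Separately, the TBERROR messages for the password and user-info updates now name only `$target_uid`, so when an admin edits someone else the message does not show which account made the change; `"Database Error changing password for $target_uid (requested by $uid): $err"` keeps that. Since an admin session can now reset any account's password through this page, recording the acting uid on success as well would be worth adding if the site keeps an audit log, which is not visible here.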
......
......@@ -60,9 +60,10 @@ echo "<tr>
<td>Projects</td>\n";
#
# Admin users get a "delete" option.
# Admin users get a "delete" and a "modify" option.
#
if ($isadmin) {
echo "<td align=center>Modify?</td>\n";
echo "<td align=center>Delete?</td>\n";
}
echo "</tr>\n";
......@@ -97,8 +98,10 @@ while ($row = mysql_fetch_array($query_result)) {
}
if ($isadmin) {
echo "<td align=center><A href='modusr_form.php3?target_uid=$thisuid'>
<img alt=\"O\" src=\"blueball.gif\"></A></td>\n";
echo "<td align=center><A href='deleteuser.php3?target_uid=$thisuid'>
<img alt=\"o\" src=\"redball.gif\"></A></td>\n";
<img alt=\"X\" src=\"redball.gif\"></A></td>\n";
}
echo "</tr>\n";
}
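Review bot: The new modify link writes `$thisuid` straight into a single-quoted `href`, as the existing delete link does; its assignment is outside this hunk, so whether it can contain quote or URL-special characters is not visible here. Encoding it at output, `href='modusr_form.php3?target_uid=" . urlencode($thisuid) . "'`, keeps the markup intact regardless of what is stored in the users table, and the delete link would take the same change. The enclosing `while` loop begins outside the hunk.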
......