php-e107/e107_admin/administrator.php

<?php
/*
 * e107 website system
 *
 * Copyright (C) 2008-2013 e107 Inc (e107.org)
 * Released under the terms and conditions of the
 * GNU General Public License (http://www.gnu.org/licenses/gpl.txt)
 *
 * Administrators Management
 *
*/

require_once(__DIR__.'/../class2.php');
if (!getperms('3'))
{
	e107::redirect('admin');
	exit;
}

if(isset($_POST['go_back']))
{ //return to listing - clear all posted data
	header('Location:'.e_ADMIN_ABS.e_PAGE);
	exit;
}

e107::coreLan('administrator', true);

$e_sub_cat = 'admin';
require_once('auth.php');

$frm = e107::getForm();
$mes = e107::getMessage();
$prm = e107::getUserPerms();

$action = '';
$sub_action = -1;
if (e_QUERY)
{
	$tmp = explode(".", e_QUERY);
	$action = $tmp[0];					// Used when called from elsewhere
	$sub_action = varset($tmp[1],-1);	// User ID
	unset($tmp);
}

if(deftrue('e_DEMOMODE') && varset($_POST['update_admin']))
{
	
	$mes = e107::getMessage();
	$ns = e107::getRender();
	$mes->addWarning(LAN_DEMO_FORBIDDEN);
	$ns->tablerender("Forbidden",$mes->render());	
	require_once("footer.php");
	exit;
		
}

if (isset($_POST['update_admin'])) // Permissions updated
{	
	$prm->updatePerms($_POST['a_id'],$_POST['perms']);	
}


if (isset($_POST['edit_admin']) || $action == "edit")
{
	$edid = array_keys($_POST['edit_admin']);
    $theid = intval(($sub_action < 0) ? $edid[0] : $sub_action);
	if ((!$sql->select("user", "*", "user_id=".$theid))
		|| !($row = $sql->fetch()))
	{
		$mes->addDebug("Couldn't find user ID: {$theid}, {$sub_action}, {$edid[0]}");	// Debug code - shouldn't be executed
	}
}


if (isset($_POST['del_admin']) && count($_POST['del_admin']))
{
	$delid = array_keys($_POST['del_admin']);
	$aID = intval($delid[0]);
	$sql->select("user", "*", "user_id= ".$aID);
	$row = $sql->fetch();

	if ($row['user_id'] == 1)
	{	// Can't delete main admin
		$text = $row['user_name']." ".ADMSLAN_6."
		<br /><br />
		<a href='".e_ADMIN_ABS."administrator.php'>".LAN_CONTINUE."</a>";

		$mes->addError($text);
		$ns->tablerender(LAN_ERROR, $mes->render());

		require_once("footer.php");
		exit;
	}

	$mes->addAuto($sql->update("user", "user_admin=0, user_perms='' WHERE user_id= ".$aID), 'update', ADMSLAN_61, LAN_DELETED_FAILED, false);
	$logMsg = str_replace(array('[x]', '[y]'),array($aID, $row['user_name']),ADMSLAN_73);
	e107::getLog()->add('ADMIN_02',$logMsg,E_LOG_INFORMATIVE,'');
}


if(isset($_POST['edit_admin']) || $action == "edit")
{
	$prm->edit_administrator($row);
}
else
{
   show_admins();
}


function show_admins()
{
	$sql = e107::getDb();
	$frm = e107::getForm();
	$ns = e107::getRender();
	$mes = e107::getMessage();
	$tp = e107::getParser();
	$prm = e107::getUserPerms();

	
	$sql->select("user", "*", "user_admin='1'");

	$text = "
	<form action='".e_SELF."' method='post' id='del_administrator'>
		<fieldset id='core-administrator-list'>
			<legend class='e-hideme'>".ADMSLAN_13."</legend>
			<table class='table adminlist'>
				<colgroup>
					<col style='width:  5%' />
					<col style='width: 20%' />
					<col style='width: 65%' />
					<col style='width: 10%' />
				</colgroup>
				<thead>
					<tr>
						<th>ID</th>
						<th>".ADMSLAN_56."</th>
						<th>".ADMSLAN_18."</th>
						<th class='center last'>".LAN_OPTIONS."</th>
					</tr>
				</thead>
				<tbody>

	";

	while ($row = $sql->fetch())
	{
		//$permtxt = "";
		$text .= "
					<tr>
						<td>".$row['user_id']."</td>
						<td><a href='".e107::getUrl()->create('user/profile/view', array('id' => $row['user_id'], 'name' => $row['user_name']))."'>".$row['user_name']."</a></td>
						<td>
							".$prm->renderperms($row['user_perms'],$row['user_id'],"words")."
						</td>
						<td class='center'>
		";
		if($row['user_id'] != "1" && intval($row['user_id']) !== USERID)
		{
    		$text .= "
							".$frm->submit_image("edit_admin[{$row['user_id']}]", 'edit', 'edit', LAN_EDIT)."
							".$frm->submit_image("del_admin[{$row['user_id']}]", 'del', 'delete', ADMSLAN_59."? [".$row['user_name']."]")."

			";
    	}

		$text .= "
						</td>
					</tr>
		";
	}

	$text .= "
				</tbody>
			</table>
			".$frm->hidden('del_administrator_confirm','1')."
		</fieldset>
	</form>

	";
	$ns->tablerender(ADMSLAN_13, $mes->render().$text);
}


require_once("footer.php");


/**
 * Handle page DOM within the page header
 *
 * @return string JS source
 */
function headerjs()
{
	return '';
/*
	require_once(e_HANDLER.'js_helper.php');
	$ret = "
		<script>
			//add required core lan - delete confirm message
			('".LAN_JSCONFIRM."').addModLan('core', 'delete_confirm');
		</script>
		<script src='".e_JS."core/admin.js'></script>
	";

	return $ret;*/
}
?>
new module creation 2006-12-02 04:36:16 +00:00			`<?php`
			`/*`
eURL improvements & Administration area 2008-12-02 00:32:30 +00:00			`* e107 website system`
			`*`
#6 - LAN clean-up (HTML removal, double quotes, generic) 2013-03-21 00:50:16 +01:00			`* Copyright (C) 2008-2013 e107 Inc (e107.org)`
eURL improvements & Administration area 2008-12-02 00:32:30 +00:00			`* Released under the terms and conditions of the`
			`* GNU General Public License (http://www.gnu.org/licenses/gpl.txt)`
			`*`
			`* Administrators Management`
			`*`
new module creation 2006-12-02 04:36:16 +00:00			`*/`
Administrators management ready; other admin fixes/improvements 2008-12-20 15:23:48 +00:00
Test admin scripts are parsing correctly. 2021-01-16 13:32:35 -08:00			`require_once(__DIR__.'/../class2.php');`
new module creation 2006-12-02 04:36:16 +00:00			`if (!getperms('3'))`
			`{`
Header location cleanup. From now, please use e107::redirect(); to redirect to the home page, or e107::redirect('admin'); to redirect to the admin start page or e107::redirect($url); 2016-01-13 19:17:37 -08:00			`e107::redirect('admin');`
new module creation 2006-12-02 04:36:16 +00:00			`exit;`
			`}`
Administrators management ready; other admin fixes/improvements 2008-12-20 15:23:48 +00:00
			`if(isset($_POST['go_back']))`
			`{ //return to listing - clear all posted data`
			`header('Location:'.e_ADMIN_ABS.e_PAGE);`
			`exit;`
			`}`

Update methods to load LAN files in Admin Area (fingers crossed there are no typo's...) 2017-01-17 01:33:03 +01:00			`e107::coreLan('administrator', true);`
Add include_lan() to admin pages 2009-08-28 16:11:02 +00:00
new module creation 2006-12-02 04:36:16 +00:00			`$e_sub_cat = 'admin';`
			`require_once('auth.php');`

$emessage to $mes and LAN cleanup 2013-02-25 14:38:09 +01:00			`$frm = e107::getForm();`
			`$mes = e107::getMessage();`
Easy editing of administrator perms from admin->users. 2009-11-12 05:11:47 +00:00			`$prm = e107::getUserPerms();`
Administrators management ready; other admin fixes/improvements 2008-12-20 15:23:48 +00:00
Ad admin logging to administrator admin, plus some tidying up 2008-10-20 21:52:38 +00:00			`$action = '';`
			`$sub_action = -1;`
new module creation 2006-12-02 04:36:16 +00:00			`if (e_QUERY)`
			`{`
			`$tmp = explode(".", e_QUERY);`
Ad admin logging to administrator admin, plus some tidying up 2008-10-20 21:52:38 +00:00			`$action = $tmp[0]; // Used when called from elsewhere`
Administrators management ready; other admin fixes/improvements 2008-12-20 15:23:48 +00:00			`$sub_action = varset($tmp[1],-1); // User ID`
new module creation 2006-12-02 04:36:16 +00:00			`unset($tmp);`
			`}`

Added Bootstrap tabs to admin->administrator page and styled to match jquery-ui tabs. 2013-02-24 15:46:07 -08:00			`if(deftrue('e_DEMOMODE') && varset($_POST['update_admin']))`
			`{`

			`$mes = e107::getMessage();`
			`$ns = e107::getRender();`
			`$mes->addWarning(LAN_DEMO_FORBIDDEN);`
			`$ns->tablerender("Forbidden",$mes->render());`
			`require_once("footer.php");`
			`exit;`

			`}`
Ad admin logging to administrator admin, plus some tidying up 2008-10-20 21:52:38 +00:00
Easy editing of administrator perms from admin->users. 2009-11-12 05:11:47 +00:00			`if (isset($_POST['update_admin'])) // Permissions updated`
			`{`
			`$prm->updatePerms($_POST['a_id'],$_POST['perms']);`
new module creation 2006-12-02 04:36:16 +00:00			`}`

Ad admin logging to administrator admin, plus some tidying up 2008-10-20 21:52:38 +00:00
			`if (isset($_POST['edit_admin']) \|\| $action == "edit")`
new module creation 2006-12-02 04:36:16 +00:00			`{`
			`$edid = array_keys($_POST['edit_admin']);`
Ad admin logging to administrator admin, plus some tidying up 2008-10-20 21:52:38 +00:00			`$theid = intval(($sub_action < 0) ? $edid[0] : $sub_action);`
Code cleanup and optimization 2020-12-14 16:21:48 -08:00			`if ((!$sql->select("user", "*", "user_id=".$theid))`
			`\|\| !($row = $sql->fetch()))`
Ad admin logging to administrator admin, plus some tidying up 2008-10-20 21:52:38 +00:00			`{`
$emessage to $mes and LAN cleanup 2013-02-25 14:38:09 +01:00			`$mes->addDebug("Couldn't find user ID: {$theid}, {$sub_action}, {$edid[0]}"); // Debug code - shouldn't be executed`
Ad admin logging to administrator admin, plus some tidying up 2008-10-20 21:52:38 +00:00			`}`
new module creation 2006-12-02 04:36:16 +00:00			`}`

Ad admin logging to administrator admin, plus some tidying up 2008-10-20 21:52:38 +00:00
			`if (isset($_POST['del_admin']) && count($_POST['del_admin']))`
new module creation 2006-12-02 04:36:16 +00:00			`{`
			`$delid = array_keys($_POST['del_admin']);`
Ad admin logging to administrator admin, plus some tidying up 2008-10-20 21:52:38 +00:00			`$aID = intval($delid[0]);`
Code cleanup and optimization 2020-12-14 16:21:48 -08:00			`$sql->select("user", "*", "user_id= ".$aID);`
			`$row = $sql->fetch();`
new module creation 2006-12-02 04:36:16 +00:00
			`if ($row['user_id'] == 1)`
Administrators management ready; other admin fixes/improvements 2008-12-20 15:23:48 +00:00			`{ // Can't delete main admin`
			`$text = $row['user_name']." ".ADMSLAN_6."`
new module creation 2006-12-02 04:36:16 +00:00			`<br /><br />`
Replaced ADMSLAN_4 with LAN_CONTINUE First tiny step to contribute to the coding of e107 I have replace ADMSLAN_4 in administrator.php with LAN_CONTINUE from English.php and commented ADMSLAN_4 out in lan_administrator.php 2015-07-01 22:47:20 +01:00			`<a href='".e_ADMIN_ABS."administrator.php'>".LAN_CONTINUE."</a>";`
Administrators management ready; other admin fixes/improvements 2008-12-20 15:23:48 +00:00
$emessage to $mes and LAN cleanup 2013-02-25 14:38:09 +01:00			`$mes->addError($text);`
			`$ns->tablerender(LAN_ERROR, $mes->render());`
Administrators management ready; other admin fixes/improvements 2008-12-20 15:23:48 +00:00
new module creation 2006-12-02 04:36:16 +00:00			`require_once("footer.php");`
			`exit;`
			`}`

Code cleanup and optimization 2020-12-14 16:21:48 -08:00			`$mes->addAuto($sql->update("user", "user_admin=0, user_perms='' WHERE user_id= ".$aID), 'update', ADMSLAN_61, LAN_DELETED_FAILED, false);`
Issue #2846 LAN vars cleanup 2017-11-06 13:48:08 -08:00			`$logMsg = str_replace(array('[x]', '[y]'),array($aID, $row['user_name']),ADMSLAN_73);`
More $admin_log global removal. 2014-10-23 11:12:13 -07:00			`e107::getLog()->add('ADMIN_02',$logMsg,E_LOG_INFORMATIVE,'');`
new module creation 2006-12-02 04:36:16 +00:00			`}`

Ad admin logging to administrator admin, plus some tidying up 2008-10-20 21:52:38 +00:00
			`if(isset($_POST['edit_admin']) \|\| $action == "edit")`
			`{`
Easy editing of administrator perms from admin->users. 2009-11-12 05:11:47 +00:00			`$prm->edit_administrator($row);`
Ad admin logging to administrator admin, plus some tidying up 2008-10-20 21:52:38 +00:00			`}`
			`else`
			`{`
new module creation 2006-12-02 04:36:16 +00:00			`show_admins();`
			`}`

Ad admin logging to administrator admin, plus some tidying up 2008-10-20 21:52:38 +00:00
			`function show_admins()`
			`{`
added "Make Admin" to 'Quick Add User" and cleaned up administrator routines. 2009-11-12 01:53:16 +00:00			`$sql = e107::getDb();`
			`$frm = e107::getForm();`
			`$ns = e107::getRender();`
			`$mes = e107::getMessage();`
Easy editing of administrator perms from admin->users. 2009-11-12 05:11:47 +00:00			`$tp = e107::getParser();`
			`$prm = e107::getUserPerms();`
added "Make Admin" to 'Quick Add User" and cleaned up administrator routines. 2009-11-12 01:53:16 +00:00


Issue #4283 - Update deprecated sql method usage. Removed old code. 2020-12-17 05:52:54 -08:00			`$sql->select("user", "*", "user_admin='1'");`
new module creation 2006-12-02 04:36:16 +00:00
Administrators management ready; other admin fixes/improvements 2008-12-20 15:23:48 +00:00			`$text = "`
new module creation 2006-12-02 04:36:16 +00:00			`<form action='".e_SELF."' method='post' id='del_administrator'>`
Administrators management ready; other admin fixes/improvements 2008-12-20 15:23:48 +00:00			`<fieldset id='core-administrator-list'>`
			`<legend class='e-hideme'>".ADMSLAN_13."</legend>`
Admin GUI refinements 2012-11-26 14:41:32 -08:00			`<table class='table adminlist'>`
Html Cleanup 2012-05-13 05:26:11 +00:00			`<colgroup>`
More HTML cleanup 2012-05-13 05:56:35 +00:00			`<col style='width: 5%' />`
			`<col style='width: 20%' />`
			`<col style='width: 65%' />`
			`<col style='width: 10%' />`
Administrators management ready; other admin fixes/improvements 2008-12-20 15:23:48 +00:00			`</colgroup>`
			`<thead>`
			`<tr>`
			`<th>ID</th>`
			`<th>".ADMSLAN_56."</th>`
			`<th>".ADMSLAN_18."</th>`
			`<th class='center last'>".LAN_OPTIONS."</th>`
			`</tr>`
			`</thead>`
			`<tbody>`

			`";`
new module creation 2006-12-02 04:36:16 +00:00
RSS News feeds upgraded and corrected. 2015-04-05 20:24:51 -07:00			`while ($row = $sql->fetch())`
new module creation 2006-12-02 04:36:16 +00:00			`{`
Administrators management ready; other admin fixes/improvements 2008-12-20 15:23:48 +00:00			`//$permtxt = "";`
			`$text .= "`
			`<tr>`
			`<td>".$row['user_id']."</td>`
Moving the system to the new URL assembling, fixed call to a non-existent eUrl method system wide. 2011-11-26 18:17:42 +00:00			`<td><a href='".e107::getUrl()->create('user/profile/view', array('id' => $row['user_id'], 'name' => $row['user_name']))."'>".$row['user_name']."</a></td>`
Administrators management ready; other admin fixes/improvements 2008-12-20 15:23:48 +00:00			`<td>`
added "Make Admin" to 'Quick Add User" and cleaned up administrator routines. 2009-11-12 01:53:16 +00:00			`".$prm->renderperms($row['user_perms'],$row['user_id'],"words")."`
Administrators management ready; other admin fixes/improvements 2008-12-20 15:23:48 +00:00			`</td>`
			`<td class='center'>`
			`";`
Issue #2883 Permission fixes. 2017-12-01 17:00:02 -08:00			`if($row['user_id'] != "1" && intval($row['user_id']) !== USERID)`
new module creation 2006-12-02 04:36:16 +00:00			`{`
			`$text .= "`
Administrators management ready; other admin fixes/improvements 2008-12-20 15:23:48 +00:00			`".$frm->submit_image("edit_admin[{$row['user_id']}]", 'edit', 'edit', LAN_EDIT)."`
Deprecate `e_parse::toJS()` `e_parse::toJS()`, documented with the description > Convert text blocks which are to be embedded within JS , does not protect strings from injections, which appears to be its primary use. Additionally, it performs multiple unrelated string modifications: * Replace Windows line breaks with a literal `\\n` (which would later be parsed as `\n` in JavaScript/JSON) * Does not modify Unix line breaks (`\n`), which is inconsistent with the Windows line break behavior * Removes HTML tags * Replaces HTML entities as `htmlentities()` does This method cannot be fixed because its usages are inconsistent. Most notably, some usages surround the method's output in single quotes while others surround it with double quotes. Strings cannot be JSON-encoded without confounding quotation mark styles. All core usages of `e_parse::toJS()` have been replaced with alternatives, which are also documented in the method's DocBlock. Fixes: #4546 2021-08-31 00:11:14 +02:00			`".$frm->submit_image("del_admin[{$row['user_id']}]", 'del', 'delete', ADMSLAN_59."? [".$row['user_name']."]")."`
Administrators management ready; other admin fixes/improvements 2008-12-20 15:23:48 +00:00
			`";`
new module creation 2006-12-02 04:36:16 +00:00			`}`

Administrators management ready; other admin fixes/improvements 2008-12-20 15:23:48 +00:00			`$text .= "`
			`</td>`
			`</tr>`
			`";`
new module creation 2006-12-02 04:36:16 +00:00			`}`

Administrators management ready; other admin fixes/improvements 2008-12-20 15:23:48 +00:00			`$text .= "`
			`</tbody>`
			`</table>`
			`".$frm->hidden('del_administrator_confirm','1')."`
			`</fieldset>`
			`</form>`
new module creation 2006-12-02 04:36:16 +00:00
Administrators management ready; other admin fixes/improvements 2008-12-20 15:23:48 +00:00			`";`
added "Make Admin" to 'Quick Add User" and cleaned up administrator routines. 2009-11-12 01:53:16 +00:00			`$ns->tablerender(ADMSLAN_13, $mes->render().$text);`
new module creation 2006-12-02 04:36:16 +00:00			`}`


			`require_once("footer.php");`





Administrators management ready; other admin fixes/improvements 2008-12-20 15:23:48 +00:00			`/**`
			`* Handle page DOM within the page header`
			`*`
			`* @return string JS source`
			`*/`
			`function headerjs()`
			`{`
RSS News feeds upgraded and corrected. 2015-04-05 20:24:51 -07:00			`return '';`
			`/*`
Administrators management ready; other admin fixes/improvements 2008-12-20 15:23:48 +00:00			`require_once(e_HANDLER.'js_helper.php');`
			`$ret = "`
Fixes #4737 Removal of type="text/javascript" and type="text/css" 2022-03-31 08:24:34 -07:00			`<script>`
Administrators management ready; other admin fixes/improvements 2008-12-20 15:23:48 +00:00			`//add required core lan - delete confirm message`
			`('".LAN_JSCONFIRM."').addModLan('core', 'delete_confirm');`
			`</script>`
Fixes #4737 Removal of type="text/javascript" and type="text/css" 2022-03-31 08:24:34 -07:00			`<script src='".e_JS."core/admin.js'></script>`
Administrators management ready; other admin fixes/improvements 2008-12-20 15:23:48 +00:00			`";`
new module creation 2006-12-02 04:36:16 +00:00
RSS News feeds upgraded and corrected. 2015-04-05 20:24:51 -07:00			`return $ret;*/`
new module creation 2006-12-02 04:36:16 +00:00			`}`
Administrators management ready; other admin fixes/improvements 2008-12-20 15:23:48 +00:00			`?>`