php-e107/e107_admin/administrator.php
Nick Liu f6d6d1b185
Deprecate e_parse::toJS()
`e_parse::toJS()`, documented with the description

> Convert text blocks which are to be embedded within JS

, does not protect strings against injection — even though that appears to be
its primary purpose.  Additionally, it performs multiple unrelated string
modifications:

* Replace Windows line breaks with a literal `\\n` (which would later be
  parsed as `\n` in JavaScript/JSON)
* Does not modify Unix line breaks (`\n`), which is inconsistent with
  the Windows line break behavior
* Removes HTML tags
* Replaces HTML entities as `htmlentities()` does

This method cannot be fixed because its usages are inconsistent.  Most
notably, some usages surround the method's output in single quotes while
others surround it with double quotes.  Strings cannot be JSON-encoded
without confounding quotation mark styles.

All core usages of `e_parse::toJS()` have been replaced with
alternatives, which are also documented in the method's DocBlock.

Fixes: #4546
2021-08-31 00:11:14 +02:00


<?php
/*
* e107 website system
*
* Copyright (C) 2008-2013 e107 Inc (e107.org)
* Released under the terms and conditions of the
* GNU General Public License (http://www.gnu.org/licenses/gpl.txt)
*
* Administrators Management
*
*/
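require_once(__DIR__.'/../class2.php');

// Only administrators holding admin permission '3' may manage other
// administrators; everyone else is bounced back to the admin landing page.
if (!getperms('3'))
{
	e107::redirect('admin');
	exit;
}

if (isset($_POST['go_back']))
{
	// Return to the listing and discard all posted data.
	header('Location:'.e_ADMIN_ABS.e_PAGE);
	exit;
}

e107::coreLan('administrator', true);

$e_sub_cat = 'admin';
require_once('auth.php');

// Fetch the shared services explicitly instead of relying on $sql / $ns
// having been created as globals by class2.php or auth.php.
$sql = e107::getDb();
$ns  = e107::getRender();
$tp  = e107::getParser();
$frm = e107::getForm();
$mes = e107::getMessage();
$prm = e107::getUserPerms();

// e_QUERY has the form "<action>.<user id>", e.g. "edit.5", when another
// admin page links here.
$action     = '';
$sub_action = -1;
if (e_QUERY)
{
	$queryParts = explode('.', e_QUERY);
	$action     = $queryParts[0];
	$sub_action = varset($queryParts[1], -1);
	unset($queryParts);
}

// NOTE(review): nothing in this file validates a CSRF token on the POST
// handlers below; it relies on the framework (class2.php) doing so for
// every POST request. Confirm that before relying on these handlers.

// In demo mode permission changes are refused outright.
if (deftrue('e_DEMOMODE') && varset($_POST['update_admin']))
{
	$mes->addWarning(LAN_DEMO_FORBIDDEN);
	$ns->tablerender('Forbidden', $mes->render());
	require_once('footer.php');
	exit;
}

// Permissions for one administrator were submitted by the edit form.
if (isset($_POST['update_admin']))
{
	// user_id is an integer column: never hand the raw POST value onwards.
	// 'perms' is assumed to be the checkbox array from the edit form and may
	// be absent when every box is unchecked — confirm updatePerms() accepts [].
	$prm->updatePerms(intval(varset($_POST['a_id'], 0)), varset($_POST['perms'], array()));
}

// An edit was requested either by the listing's edit button
// (edit_admin[<id>]) or via the "edit.<id>" query from another page.
// Look the account up now; the dispatch at the bottom decides what to show.
$editing = isset($_POST['edit_admin']) || $action === 'edit';
$editRow = false;
if ($editing)
{
	// Guard array_keys(): the query-string route arrives with no POST data.
	$postedIds   = isset($_POST['edit_admin']) ? array_keys((array) $_POST['edit_admin']) : array();
	$firstPosted = varset($postedIds[0], '');
	$theid       = intval(($sub_action < 0) ? $firstPosted : $sub_action);

	if ($theid > 0 && $sql->select('user', '*', 'user_id='.$theid))
	{
		$editRow = $sql->fetch();
	}

	if (!$editRow)
	{
		// Not reachable through the UI; we fall back to the listing below
		// instead of handing a missing row to edit_administrator().
		$mes->addDebug("Couldn't find user ID: {$theid}, {$sub_action}, {$firstPosted}");
	}
}

// A delete only strips admin status and permissions; the account is kept.
if (isset($_POST['del_admin']) && count((array) $_POST['del_admin']))
{
	$postedIds = array_keys((array) $_POST['del_admin']);
	$aID       = intval($postedIds[0]);

	$target = false;
	if ($aID > 0 && $sql->select('user', '*', 'user_id= '.$aID))
	{
		$target = $sql->fetch();
	}

	if (!$target)
	{
		// Unknown or malformed id: report instead of issuing a no-op UPDATE
		// and logging a removal that never happened.
		$mes->addError(LAN_DELETED_FAILED);
	}
	elseif ((int) $target['user_id'] === 1)
	{
		// The main administrator can never be removed. The name is escaped
		// because this text is rendered as HTML.
		$text = $tp->toHTML($target['user_name'], false, 'TITLE').' '.ADMSLAN_6."
<br /><br />
<a href='".e_ADMIN_ABS."administrator.php'>".LAN_CONTINUE."</a>";
		$mes->addError($text);
		$ns->tablerender(LAN_ERROR, $mes->render());
		require_once('footer.php');
		exit;
	}
	elseif ($aID === (int) USERID)
	{
		// show_admins() hides the delete button for the acting admin; enforce
		// the same rule here so a hand-crafted POST cannot demote yourself.
		$mes->addError(LAN_DELETED_FAILED);
	}
	else
	{
		$mes->addAuto($sql->update('user', "user_admin=0, user_perms='' WHERE user_id= ".$aID), 'update', ADMSLAN_61, LAN_DELETED_FAILED, false);
		$logMsg = str_replace(array('[x]', '[y]'), array($aID, $target['user_name']), ADMSLAN_73);
		e107::getLog()->add('ADMIN_02', $logMsg, E_LOG_INFORMATIVE, '');
	}
}

// Show the edit form only when the requested account was actually found;
// otherwise (including after a delete) show the listing.
if ($editing && $editRow)
{
	$prm->edit_administrator($editRow);
}
else
{
	show_admins();
}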
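/**
 * Render the administrator listing: one row per user with user_admin=1,
 * showing the ID, a profile link, the rendered permission list and (where
 * allowed) edit/delete buttons that post back to this page.
 *
 * The main administrator (user_id 1) and the currently logged-in admin get
 * no edit/delete buttons; the POST handlers at the top of this file are
 * expected to enforce the same restrictions server-side.
 *
 * @return void  Output is sent through the renderer.
 */
function show_admins()
{
	$sql = e107::getDb();
	$frm = e107::getForm();
	$ns  = e107::getRender();
	$mes = e107::getMessage();
	$tp  = e107::getParser();
	$prm = e107::getUserPerms();

	$html = "
	<form action='".e_SELF."' method='post' id='del_administrator'>
		<fieldset id='core-administrator-list'>
			<legend class='e-hideme'>".ADMSLAN_13."</legend>
			<table class='table adminlist'>
				<colgroup>
					<col style='width: 5%' />
					<col style='width: 20%' />
					<col style='width: 65%' />
					<col style='width: 10%' />
				</colgroup>
				<thead>
					<tr>
						<th>ID</th>
						<th>".ADMSLAN_56."</th>
						<th>".ADMSLAN_18."</th>
						<th class='center last'>".LAN_OPTIONS."</th>
					</tr>
				</thead>
				<tbody>
	";

	if ($sql->select('user', '*', "user_admin='1'"))
	{
		while ($admin = $sql->fetch())
		{
			$adminId = intval($admin['user_id']);

			// user_name comes from the database; escape it for the HTML body
			// and the title attribute rather than trusting input-side filtering.
			// (If submit_image() already escapes its title, '&' may be
			// double-encoded — confirm against the form handler.)
			$safeName    = $tp->toHTML($admin['user_name'], false, 'TITLE');
			$deleteTitle = $tp->toAttribute(ADMSLAN_59."? [".$admin['user_name']."]");
			$profileUrl  = e107::getUrl()->create('user/profile/view', array('id' => $admin['user_id'], 'name' => $admin['user_name']));

			$html .= "
					<tr>
						<td>".$adminId."</td>
						<td><a href='".$profileUrl."'>".$safeName."</a></td>
						<td>
							".$prm->renderperms($admin['user_perms'], $admin['user_id'], 'words')."
						</td>
						<td class='center'>
			";

			// No edit/delete controls for the main admin or for yourself.
			if ($adminId !== 1 && $adminId !== USERID)
			{
				$html .= "
							".$frm->submit_image("edit_admin[{$adminId}]", 'edit', 'edit', LAN_EDIT)."
							".$frm->submit_image("del_admin[{$adminId}]", 'del', 'delete', $deleteTitle)."
				";
			}

			$html .= "
						</td>
					</tr>
			";
		}
	}

	$html .= "
				</tbody>
			</table>
			".$frm->hidden('del_administrator_confirm', '1')."
		</fieldset>
	</form>
	";

	$ns->tablerender(ADMSLAN_13, $mes->render().$html);
}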
// Emit the admin page footer. PHP hoists the unconditional function
// declarations that follow, so show_admins() was already callable above.
require_once("footer.php");
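/**
 * Hook called from the admin page header to inject page-specific JavaScript.
 *
 * This page contributes nothing: the earlier inline delete-confirm snippet
 * and core/admin.js include had long been commented out and are now removed.
 *
 * @return string JS source; always the empty string for this page.
 */
function headerjs()
{
	return '';
}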
?>