users.php 13 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454
  1. <?php
  2. class Pref_Users extends Handler_Protected {
  3. function before($method) {
  4. if (parent::before($method)) {
  5. if ($_SESSION["access_level"] < 10) {
  6. print __("Your access level is insufficient to open this tab.");
  7. return false;
  8. }
  9. return true;
  10. }
  11. return false;
  12. }
  13. function csrf_ignore($method) {
  14. $csrf_ignored = array("index", "edit", "userdetails");
  15. return array_search($method, $csrf_ignored) !== false;
  16. }
  17. function edit() {
  18. global $access_level_names;
  19. print "<form id=\"user_edit_form\" onsubmit='return false' dojoType=\"dijit.form.Form\">";
  20. print '<div dojoType="dijit.layout.TabContainer" style="height : 400px">
  21. <div dojoType="dijit.layout.ContentPane" title="'.__('Edit user').'">';
  22. //print "<form id=\"user_edit_form\" onsubmit='return false' dojoType=\"dijit.form.Form\">";
  23. $id = (int) clean($_REQUEST["id"]);
  24. print_hidden("id", "$id");
  25. print_hidden("op", "pref-users");
  26. print_hidden("method", "editSave");
  27. $sth = $this->pdo->prepare("SELECT * FROM ttrss_users WHERE id = ?");
  28. $sth->execute([$id]);
  29. if ($row = $sth->fetch()) {
  30. $login = $row["login"];
  31. $access_level = $row["access_level"];
  32. $email = $row["email"];
  33. $sel_disabled = ($id == $_SESSION["uid"] || $login == "admin") ? "disabled" : "";
  34. print "<div class=\"dlgSec\">".__("User")."</div>";
  35. print "<div class=\"dlgSecCont\">";
  36. if ($sel_disabled) {
  37. print_hidden("login", "$login");
  38. }
  39. print "<input size=\"30\" style=\"font-size : 16px\"
  40. dojoType=\"dijit.form.ValidationTextBox\" required=\"1\"
  41. $sel_disabled
  42. name=\"login\" value=\"$login\">";
  43. print "</div>";
  44. print "<div class=\"dlgSec\">".__("Authentication")."</div>";
  45. print "<div class=\"dlgSecCont\">";
  46. print __('Access level: ') . " ";
  47. if (!$sel_disabled) {
  48. print_select_hash("access_level", $access_level, $access_level_names,
  49. "dojoType=\"dijit.form.Select\" $sel_disabled");
  50. } else {
  51. print_select_hash("", $access_level, $access_level_names,
  52. "dojoType=\"dijit.form.Select\" $sel_disabled");
  53. print_hidden("access_level", "$access_level");
  54. }
  55. print "<hr/>";
  56. print "<input dojoType=\"dijit.form.TextBox\" type=\"password\" size=\"20\" placeholder=\"Change password\"
  57. name=\"password\">";
  58. print "</div>";
  59. print "<div class=\"dlgSec\">".__("Options")."</div>";
  60. print "<div class=\"dlgSecCont\">";
  61. print "<input dojoType=\"dijit.form.TextBox\" size=\"30\" name=\"email\" placeholder=\"E-mail\"
  62. value=\"$email\">";
  63. print "</div>";
  64. print "</table>";
  65. }
  66. print '</div>'; #tab
  67. print "<div href=\"backend.php?op=pref-users&method=userdetails&id=$id\"
  68. dojoType=\"dijit.layout.ContentPane\" title=\"".__('User details')."\">";
  69. print '</div>';
  70. print '</div>';
  71. print "<div class=\"dlgButtons\">
  72. <button dojoType=\"dijit.form.Button\" class=\"alt-primary\" type=\"submit\" onclick=\"dijit.byId('userEditDlg').execute()\">".
  73. __('Save')."</button>
  74. <button dojoType=\"dijit.form.Button\" onclick=\"dijit.byId('userEditDlg').hide()\">".
  75. __('Cancel')."</button></div>";
  76. print "</form>";
  77. return;
  78. }
  79. function userdetails() {
  80. $id = (int) clean($_REQUEST["id"]);
  81. $sth = $this->pdo->prepare("SELECT login,
  82. ".SUBSTRING_FOR_DATE."(last_login,1,16) AS last_login,
  83. access_level,
  84. (SELECT COUNT(int_id) FROM ttrss_user_entries
  85. WHERE owner_uid = id) AS stored_articles,
  86. ".SUBSTRING_FOR_DATE."(created,1,16) AS created
  87. FROM ttrss_users
  88. WHERE id = ?");
  89. $sth->execute([$id]);
  90. if ($row = $sth->fetch()) {
  91. print "<table width='100%'>";
  92. $last_login = make_local_datetime(
  93. $row["last_login"], true);
  94. $created = make_local_datetime(
  95. $row["created"], true);
  96. $stored_articles = $row["stored_articles"];
  97. print "<tr><td>".__('Registered')."</td><td>$created</td></tr>";
  98. print "<tr><td>".__('Last logged in')."</td><td>$last_login</td></tr>";
  99. $sth = $this->pdo->prepare("SELECT COUNT(id) as num_feeds FROM ttrss_feeds
  100. WHERE owner_uid = ?");
  101. $sth->execute([$id]);
  102. $row = $sth->fetch();
  103. $num_feeds = $row["num_feeds"];
  104. print "<tr><td>".__('Subscribed feeds count')."</td><td>$num_feeds</td></tr>";
  105. print "<tr><td>".__('Stored articles')."</td><td>$stored_articles</td></tr>";
  106. print "</table>";
  107. print "<h1>".__('Subscribed feeds')."</h1>";
  108. $sth = $this->pdo->prepare("SELECT id,title,site_url FROM ttrss_feeds
  109. WHERE owner_uid = ? ORDER BY title");
  110. $sth->execute([$id]);
  111. print "<ul class=\"panel panel-scrollable list list-unstyled\">";
  112. while ($line = $sth->fetch()) {
  113. $icon_file = ICONS_URL."/".$line["id"].".ico";
  114. if (file_exists($icon_file) && filesize($icon_file) > 0) {
  115. $feed_icon = "<img class=\"icon\" src=\"$icon_file\">";
  116. } else {
  117. $feed_icon = "<img class=\"icon\" src=\"images/blank_icon.gif\">";
  118. }
  119. print "<li>$feed_icon&nbsp;<a href=\"".$line["site_url"]."\">".$line["title"]."</a></li>";
  120. }
  121. print "</ul>";
  122. } else {
  123. print "<h1>".__('User not found')."</h1>";
  124. }
  125. }
  126. function editSave() {
  127. $login = trim(clean($_REQUEST["login"]));
  128. $uid = clean($_REQUEST["id"]);
  129. $access_level = (int) clean($_REQUEST["access_level"]);
  130. $email = trim(clean($_REQUEST["email"]));
  131. $password = clean($_REQUEST["password"]);
  132. if ($password) {
  133. $salt = substr(bin2hex(get_random_bytes(125)), 0, 250);
  134. $pwd_hash = encrypt_password($password, $salt, true);
  135. $pass_query_part = "pwd_hash = ".$this->pdo->quote($pwd_hash).",
  136. salt = ".$this->pdo->quote($salt).",";
  137. } else {
  138. $pass_query_part = "";
  139. }
  140. $sth = $this->pdo->prepare("UPDATE ttrss_users SET $pass_query_part login = ?,
  141. access_level = ?, email = ?, otp_enabled = false WHERE id = ?");
  142. $sth->execute([$login, $access_level, $email, $uid]);
  143. }
  144. function remove() {
  145. $ids = explode(",", clean($_REQUEST["ids"]));
  146. foreach ($ids as $id) {
  147. if ($id != $_SESSION["uid"] && $id != 1) {
  148. $sth = $this->pdo->prepare("DELETE FROM ttrss_tags WHERE owner_uid = ?");
  149. $sth->execute([$id]);
  150. $sth = $this->pdo->prepare("DELETE FROM ttrss_feeds WHERE owner_uid = ?");
  151. $sth->execute([$id]);
  152. $sth = $this->pdo->prepare("DELETE FROM ttrss_users WHERE id = ?");
  153. $sth->execute([$id]);
  154. }
  155. }
  156. }
  157. function add() {
  158. $login = trim(clean($_REQUEST["login"]));
  159. $tmp_user_pwd = make_password(8);
  160. $salt = substr(bin2hex(get_random_bytes(125)), 0, 250);
  161. $pwd_hash = encrypt_password($tmp_user_pwd, $salt, true);
  162. if (!$login) return; // no blank usernames
  163. $sth = $this->pdo->prepare("SELECT id FROM ttrss_users WHERE
  164. login = ?");
  165. $sth->execute([$login]);
  166. if (!$sth->fetch()) {
  167. $sth = $this->pdo->prepare("INSERT INTO ttrss_users
  168. (login,pwd_hash,access_level,last_login,created, salt)
  169. VALUES (?, ?, 0, null, NOW(), ?)");
  170. $sth->execute([$login, $pwd_hash, $salt]);
  171. $sth = $this->pdo->prepare("SELECT id FROM ttrss_users WHERE
  172. login = ? AND pwd_hash = ?");
  173. $sth->execute([$login, $pwd_hash]);
  174. if ($row = $sth->fetch()) {
  175. $new_uid = $row['id'];
  176. print T_sprintf("Added user %s with password %s",
  177. $login, $tmp_user_pwd);
  178. initialize_user($new_uid);
  179. } else {
  180. print T_sprintf("Could not create user %s", $login);
  181. }
  182. } else {
  183. print T_sprintf("User %s already exists.", $login);
  184. }
  185. }
  186. static function resetUserPassword($uid, $show_password) {
  187. $pdo = Db::pdo();
  188. $sth = $pdo->prepare("SELECT login, email
  189. FROM ttrss_users WHERE id = ?");
  190. $sth->execute([$uid]);
  191. if ($row = $sth->fetch()) {
  192. $login = $row["login"];
  193. $email = $row["email"];
  194. $new_salt = substr(bin2hex(get_random_bytes(125)), 0, 250);
  195. $tmp_user_pwd = make_password(8);
  196. $pwd_hash = encrypt_password($tmp_user_pwd, $new_salt, true);
  197. $sth = $pdo->prepare("UPDATE ttrss_users
  198. SET pwd_hash = ?, salt = ?, otp_enabled = false
  199. WHERE id = ?");
  200. $sth->execute([$pwd_hash, $new_salt, $uid]);
  201. if ($show_password) {
  202. print_notice(T_sprintf("Changed password of user %s to %s", $login, $tmp_user_pwd));
  203. } else {
  204. print_notice(T_sprintf("Sending new password of user %s to %s", $login, $email));
  205. if ($email) {
  206. require_once "lib/MiniTemplator.class.php";
  207. $tpl = new MiniTemplator;
  208. $tpl->readTemplateFromFile("templates/resetpass_template.txt");
  209. $tpl->setVariable('LOGIN', $login);
  210. $tpl->setVariable('NEWPASS', $tmp_user_pwd);
  211. $tpl->addBlock('message');
  212. $message = "";
  213. $tpl->generateOutputToString($message);
  214. $mailer = new Mailer();
  215. $rc = $mailer->mail(["to_name" => $login,
  216. "to_address" => $email,
  217. "subject" => __("[tt-rss] Password change notification"),
  218. "message" => $message]);
  219. if (!$rc) print_error($mailer->error());
  220. }
  221. }
  222. }
  223. }
  224. function resetPass() {
  225. $uid = clean($_REQUEST["id"]);
  226. Pref_Users::resetUserPassword($uid, true);
  227. }
  228. function index() {
  229. global $access_level_names;
  230. print "<div dojoType='dijit.layout.BorderContainer' gutters='false'>";
  231. print "<div style='padding : 0px' dojoType='dijit.layout.ContentPane' region='top'>";
  232. print "<div dojoType='dijit.Toolbar'>";
  233. $user_search = trim(clean($_REQUEST["search"]));
  234. if (array_key_exists("search", $_REQUEST)) {
  235. $_SESSION["prefs_user_search"] = $user_search;
  236. } else {
  237. $user_search = $_SESSION["prefs_user_search"];
  238. }
  239. print "<div style='float : right; padding-right : 4px;'>
  240. <input dojoType=\"dijit.form.TextBox\" id=\"user_search\" size=\"20\" type=\"search\"
  241. value=\"$user_search\">
  242. <button dojoType=\"dijit.form.Button\" oncl1ick=\"Users.reload()\">".
  243. __('Search')."</button>
  244. </div>";
  245. $sort = clean($_REQUEST["sort"]);
  246. if (!$sort || $sort == "undefined") {
  247. $sort = "login";
  248. }
  249. print "<div dojoType=\"dijit.form.DropDownButton\">".
  250. "<span>" . __('Select')."</span>";
  251. print "<div dojoType=\"dijit.Menu\" style=\"display: none;\">";
  252. print "<div onclick=\"Tables.select('prefUserList', true)\"
  253. dojoType=\"dijit.MenuItem\">".__('All')."</div>";
  254. print "<div onclick=\"Tables.select('prefUserList', false)\"
  255. dojoType=\"dijit.MenuItem\">".__('None')."</div>";
  256. print "</div></div>";
  257. print "<button dojoType=\"dijit.form.Button\" onclick=\"Users.add()\">".__('Create user')."</button>";
  258. print "
  259. <button dojoType=\"dijit.form.Button\" onclick=\"Users.editSelected()\">".
  260. __('Edit')."</button dojoType=\"dijit.form.Button\">
  261. <button dojoType=\"dijit.form.Button\" onclick=\"Users.removeSelected()\">".
  262. __('Remove')."</button dojoType=\"dijit.form.Button\">
  263. <button dojoType=\"dijit.form.Button\" onclick=\"Users.resetSelected()\">".
  264. __('Reset password')."</button dojoType=\"dijit.form.Button\">";
  265. PluginHost::getInstance()->run_hooks(PluginHost::HOOK_PREFS_TAB_SECTION,
  266. "hook_prefs_tab_section", "prefUsersToolbar");
  267. print "</div>"; #toolbar
  268. print "</div>"; #pane
  269. print "<div style='padding : 0px' dojoType='dijit.layout.ContentPane' region='center'>";
  270. $sort = validate_field($sort,
  271. ["login", "access_level", "created", "num_feeds", "created", "last_login"], "login");
  272. if ($sort != "login") $sort = "$sort DESC";
  273. $sth = $this->pdo->prepare("SELECT
  274. tu.id,
  275. login,access_level,email,
  276. ".SUBSTRING_FOR_DATE."(last_login,1,16) as last_login,
  277. ".SUBSTRING_FOR_DATE."(created,1,16) as created,
  278. (SELECT COUNT(id) FROM ttrss_feeds WHERE owner_uid = tu.id) AS num_feeds
  279. FROM
  280. ttrss_users tu
  281. WHERE
  282. (:search = '' OR login LIKE :search) AND tu.id > 0
  283. ORDER BY $sort");
  284. $sth->execute([":search" => $user_search ? "%$user_search%" : ""]);
  285. print "<p><table width=\"100%\" cellspacing=\"0\"
  286. class=\"prefUserList\" id=\"prefUserList\">";
  287. print "<tr class=\"title\">
  288. <td align='center' width=\"5%\">&nbsp;</td>
  289. <td width='20%'><a href=\"#\" onclick=\"Users.reload('login')\">".__('Login')."</a></td>
  290. <td width='20%'><a href=\"#\" onclick=\"Users.reload('access_level')\">".__('Access Level')."</a></td>
  291. <td width='10%'><a href=\"#\" onclick=\"Users.reload('num_feeds')\">".__('Subscribed feeds')."</a></td>
  292. <td width='20%'><a href=\"#\" onclick=\"Users.reload('created')\">".__('Registered')."</a></td>
  293. <td width='20%'><a href=\"#\" onclick=\"Users.reload('last_login')\">".__('Last login')."</a></td></tr>";
  294. $lnum = 0;
  295. while ($line = $sth->fetch()) {
  296. $uid = $line["id"];
  297. print "<tr data-row-id=\"$uid\" onclick='Users.edit($uid)'>";
  298. $line["login"] = htmlspecialchars($line["login"]);
  299. $line["created"] = make_local_datetime($line["created"], false);
  300. $line["last_login"] = make_local_datetime($line["last_login"], false);
  301. print "<td align='center'><input onclick='Tables.onRowChecked(this); event.stopPropagation();'
  302. dojoType=\"dijit.form.CheckBox\" type=\"checkbox\"></td>";
  303. print "<td title='".__('Click to edit')."'><i class='material-icons'>person</i> " . $line["login"] . "</td>";
  304. print "<td>" . $access_level_names[$line["access_level"]] . "</td>";
  305. print "<td>" . $line["num_feeds"] . "</td>";
  306. print "<td>" . $line["created"] . "</td>";
  307. print "<td>" . $line["last_login"] . "</td>";
  308. print "</tr>";
  309. ++$lnum;
  310. }
  311. print "</table>";
  312. if ($lnum == 0) {
  313. if (!$user_search) {
  314. print_warning(__('No users defined.'));
  315. } else {
  316. print_warning(__('No matching users found.'));
  317. }
  318. }
  319. print "</div>"; #pane
  320. PluginHost::getInstance()->run_hooks(PluginHost::HOOK_PREFS_TAB,
  321. "hook_prefs_tab", "prefUsers");
  322. print "</div>"; #container
  323. }
  324. }