users.php 13 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438
  1. <?php
  2. class Pref_Users extends Handler_Protected {
  3. function before($method) {
  4. if (parent::before($method)) {
  5. if ($_SESSION["access_level"] < 10) {
  6. print __("Your access level is insufficient to open this tab.");
  7. return false;
  8. }
  9. return true;
  10. }
  11. return false;
  12. }
  13. function csrf_ignore($method) {
  14. $csrf_ignored = array("index", "edit", "userdetails");
  15. return array_search($method, $csrf_ignored) !== false;
  16. }
  17. function edit() {
  18. global $access_level_names;
  19. print "<form id='user_edit_form' onsubmit='return false' dojoType='dijit.form.Form'>";
  20. print '<div dojoType="dijit.layout.TabContainer" style="height : 400px">
  21. <div dojoType="dijit.layout.ContentPane" title="'.__('Edit user').'">';
  22. //print "<form id=\"user_edit_form\" onsubmit='return false' dojoType=\"dijit.form.Form\">";
  23. $id = (int) clean($_REQUEST["id"]);
  24. print_hidden("id", "$id");
  25. print_hidden("op", "pref-users");
  26. print_hidden("method", "editSave");
  27. $sth = $this->pdo->prepare("SELECT * FROM ttrss_users WHERE id = ?");
  28. $sth->execute([$id]);
  29. if ($row = $sth->fetch()) {
  30. $login = $row["login"];
  31. $access_level = $row["access_level"];
  32. $email = $row["email"];
  33. $sel_disabled = ($id == $_SESSION["uid"] || $login == "admin") ? "disabled" : "";
  34. print "<header>".__("User")."</header>";
  35. print "<section>";
  36. if ($sel_disabled) {
  37. print_hidden("login", "$login");
  38. }
  39. print "<fieldset>";
  40. print "<label>" . __("Login:") . "</label>";
  41. print "<input style='font-size : 16px'
  42. dojoType='dijit.form.ValidationTextBox' required='1'
  43. $sel_disabled name='login' value=\"$login\">";
  44. print "</fieldset>";
  45. print "</section>";
  46. print "<header>".__("Authentication")."</header>";
  47. print "<section>";
  48. print "<fieldset>";
  49. print "<label>" . __('Access level: ') . "</label> ";
  50. if (!$sel_disabled) {
  51. print_select_hash("access_level", $access_level, $access_level_names,
  52. "dojoType=\"fox.form.Select\" $sel_disabled");
  53. } else {
  54. print_select_hash("", $access_level, $access_level_names,
  55. "dojoType=\"fox.form.Select\" $sel_disabled");
  56. print_hidden("access_level", "$access_level");
  57. }
  58. print "</fieldset>";
  59. print "<fieldset>";
  60. print "<label>" . __("New password:") . "</label> ";
  61. print "<input dojoType='dijit.form.TextBox' type='password' size='20' placeholder='Change password'
  62. name='password'>";
  63. print "</fieldset>";
  64. print "</section>";
  65. print "<header>".__("Options")."</header>";
  66. print "<section>";
  67. print "<fieldset>";
  68. print "<label>" . __("E-mail:") . "</label> ";
  69. print "<input dojoType='dijit.form.TextBox' size='30' name='email'
  70. value=\"$email\">";
  71. print "</fieldset>";
  72. print "</section>";
  73. print "</table>";
  74. }
  75. print '</div>'; #tab
  76. print "<div href=\"backend.php?op=pref-users&method=userdetails&id=$id\"
  77. dojoType=\"dijit.layout.ContentPane\" title=\"".__('User details')."\">";
  78. print '</div>';
  79. print '</div>';
  80. print "<footer>
  81. <button dojoType='dijit.form.Button' class='alt-primary' type='submit' onclick=\"dijit.byId('userEditDlg').execute()\">".
  82. __('Save')."</button>
  83. <button dojoType='dijit.form.Button' onclick=\"dijit.byId('userEditDlg').hide()\">".
  84. __('Cancel')."</button>
  85. </footer>";
  86. print "</form>";
  87. return;
  88. }
  89. function userdetails() {
  90. $id = (int) clean($_REQUEST["id"]);
  91. $sth = $this->pdo->prepare("SELECT login,
  92. ".SUBSTRING_FOR_DATE."(last_login,1,16) AS last_login,
  93. access_level,
  94. (SELECT COUNT(int_id) FROM ttrss_user_entries
  95. WHERE owner_uid = id) AS stored_articles,
  96. ".SUBSTRING_FOR_DATE."(created,1,16) AS created
  97. FROM ttrss_users
  98. WHERE id = ?");
  99. $sth->execute([$id]);
  100. if ($row = $sth->fetch()) {
  101. print "<table width='100%'>";
  102. $last_login = make_local_datetime(
  103. $row["last_login"], true);
  104. $created = make_local_datetime(
  105. $row["created"], true);
  106. $stored_articles = $row["stored_articles"];
  107. print "<tr><td>".__('Registered')."</td><td>$created</td></tr>";
  108. print "<tr><td>".__('Last logged in')."</td><td>$last_login</td></tr>";
  109. $sth = $this->pdo->prepare("SELECT COUNT(id) as num_feeds FROM ttrss_feeds
  110. WHERE owner_uid = ?");
  111. $sth->execute([$id]);
  112. $row = $sth->fetch();
  113. $num_feeds = $row["num_feeds"];
  114. print "<tr><td>".__('Subscribed feeds count')."</td><td>$num_feeds</td></tr>";
  115. print "<tr><td>".__('Stored articles')."</td><td>$stored_articles</td></tr>";
  116. print "</table>";
  117. print "<h1>".__('Subscribed feeds')."</h1>";
  118. $sth = $this->pdo->prepare("SELECT id,title,site_url FROM ttrss_feeds
  119. WHERE owner_uid = ? ORDER BY title");
  120. $sth->execute([$id]);
  121. print "<ul class=\"panel panel-scrollable list list-unstyled\">";
  122. while ($line = $sth->fetch()) {
  123. $icon_file = ICONS_URL."/".$line["id"].".ico";
  124. if (file_exists($icon_file) && filesize($icon_file) > 0) {
  125. $feed_icon = "<img class=\"icon\" src=\"$icon_file\">";
  126. } else {
  127. $feed_icon = "<img class=\"icon\" src=\"images/blank_icon.gif\">";
  128. }
  129. print "<li>$feed_icon&nbsp;<a href=\"".$line["site_url"]."\">".$line["title"]."</a></li>";
  130. }
  131. print "</ul>";
  132. } else {
  133. print "<h1>".__('User not found')."</h1>";
  134. }
  135. }
  136. function editSave() {
  137. $login = trim(clean($_REQUEST["login"]));
  138. $uid = clean($_REQUEST["id"]);
  139. $access_level = (int) clean($_REQUEST["access_level"]);
  140. $email = trim(clean($_REQUEST["email"]));
  141. $password = clean($_REQUEST["password"]);
  142. if ($password) {
  143. $salt = substr(bin2hex(get_random_bytes(125)), 0, 250);
  144. $pwd_hash = encrypt_password($password, $salt, true);
  145. $pass_query_part = "pwd_hash = ".$this->pdo->quote($pwd_hash).",
  146. salt = ".$this->pdo->quote($salt).",";
  147. } else {
  148. $pass_query_part = "";
  149. }
  150. $sth = $this->pdo->prepare("UPDATE ttrss_users SET $pass_query_part login = ?,
  151. access_level = ?, email = ?, otp_enabled = false WHERE id = ?");
  152. $sth->execute([$login, $access_level, $email, $uid]);
  153. }
  154. function remove() {
  155. $ids = explode(",", clean($_REQUEST["ids"]));
  156. foreach ($ids as $id) {
  157. if ($id != $_SESSION["uid"] && $id != 1) {
  158. $sth = $this->pdo->prepare("DELETE FROM ttrss_tags WHERE owner_uid = ?");
  159. $sth->execute([$id]);
  160. $sth = $this->pdo->prepare("DELETE FROM ttrss_feeds WHERE owner_uid = ?");
  161. $sth->execute([$id]);
  162. $sth = $this->pdo->prepare("DELETE FROM ttrss_users WHERE id = ?");
  163. $sth->execute([$id]);
  164. }
  165. }
  166. }
  167. function add() {
  168. $login = trim(clean($_REQUEST["login"]));
  169. $tmp_user_pwd = make_password();
  170. $salt = substr(bin2hex(get_random_bytes(125)), 0, 250);
  171. $pwd_hash = encrypt_password($tmp_user_pwd, $salt, true);
  172. if (!$login) return; // no blank usernames
  173. $sth = $this->pdo->prepare("SELECT id FROM ttrss_users WHERE
  174. login = ?");
  175. $sth->execute([$login]);
  176. if (!$sth->fetch()) {
  177. $sth = $this->pdo->prepare("INSERT INTO ttrss_users
  178. (login,pwd_hash,access_level,last_login,created, salt)
  179. VALUES (?, ?, 0, null, NOW(), ?)");
  180. $sth->execute([$login, $pwd_hash, $salt]);
  181. $sth = $this->pdo->prepare("SELECT id FROM ttrss_users WHERE
  182. login = ? AND pwd_hash = ?");
  183. $sth->execute([$login, $pwd_hash]);
  184. if ($row = $sth->fetch()) {
  185. $new_uid = $row['id'];
  186. print T_sprintf("Added user %s with password %s",
  187. $login, $tmp_user_pwd);
  188. initialize_user($new_uid);
  189. } else {
  190. print T_sprintf("Could not create user %s", $login);
  191. }
  192. } else {
  193. print T_sprintf("User %s already exists.", $login);
  194. }
  195. }
  196. static function resetUserPassword($uid, $format_output = false) {
  197. $pdo = Db::pdo();
  198. $sth = $pdo->prepare("SELECT login FROM ttrss_users WHERE id = ?");
  199. $sth->execute([$uid]);
  200. if ($row = $sth->fetch()) {
  201. $login = $row["login"];
  202. $new_salt = substr(bin2hex(get_random_bytes(125)), 0, 250);
  203. $tmp_user_pwd = make_password();
  204. $pwd_hash = encrypt_password($tmp_user_pwd, $new_salt, true);
  205. $sth = $pdo->prepare("UPDATE ttrss_users
  206. SET pwd_hash = ?, salt = ?, otp_enabled = false
  207. WHERE id = ?");
  208. $sth->execute([$pwd_hash, $new_salt, $uid]);
  209. $message = T_sprintf("Changed password of user %s to %s", "<strong>$login</strong>", "<strong>$tmp_user_pwd</strong>");
  210. if ($format_output)
  211. print_notice($message);
  212. else
  213. print $message;
  214. }
  215. }
  216. function resetPass() {
  217. $uid = clean($_REQUEST["id"]);
  218. Pref_Users::resetUserPassword($uid);
  219. }
  220. function index() {
  221. global $access_level_names;
  222. print "<div dojoType='dijit.layout.BorderContainer' gutters='false'>";
  223. print "<div style='padding : 0px' dojoType='dijit.layout.ContentPane' region='top'>";
  224. print "<div dojoType='fox.Toolbar'>";
  225. $user_search = trim(clean($_REQUEST["search"]));
  226. if (array_key_exists("search", $_REQUEST)) {
  227. $_SESSION["prefs_user_search"] = $user_search;
  228. } else {
  229. $user_search = $_SESSION["prefs_user_search"];
  230. }
  231. print "<div style='float : right; padding-right : 4px;'>
  232. <input dojoType='dijit.form.TextBox' id='user_search' size='20' type='search'
  233. value=\"$user_search\">
  234. <button dojoType='dijit.form.Button' onclick='Users.reload()'>".
  235. __('Search')."</button>
  236. </div>";
  237. $sort = clean($_REQUEST["sort"]);
  238. if (!$sort || $sort == "undefined") {
  239. $sort = "login";
  240. }
  241. print "<div dojoType='fox.form.DropDownButton'>".
  242. "<span>" . __('Select')."</span>";
  243. print "<div dojoType='dijit.Menu' style='display: none'>";
  244. print "<div onclick=\"Tables.select('prefUserList', true)\"
  245. dojoType='dijit.MenuItem'>".__('All')."</div>";
  246. print "<div onclick=\"Tables.select('prefUserList', false)\"
  247. dojoType='dijit.MenuItem'>".__('None')."</div>";
  248. print "</div></div>";
  249. print "<button dojoType='dijit.form.Button' onclick='Users.add()'>".__('Create user')."</button>";
  250. print "
  251. <button dojoType='dijit.form.Button' onclick='Users.editSelected()'>".
  252. __('Edit')."</button dojoType=\"dijit.form.Button\">
  253. <button dojoType='dijit.form.Button' onclick='Users.removeSelected()'>".
  254. __('Remove')."</button dojoType=\"dijit.form.Button\">
  255. <button dojoType='dijit.form.Button' onclick='Users.resetSelected()'>".
  256. __('Reset password')."</button dojoType=\"dijit.form.Button\">";
  257. PluginHost::getInstance()->run_hooks(PluginHost::HOOK_PREFS_TAB_SECTION,
  258. "hook_prefs_tab_section", "prefUsersToolbar");
  259. print "</div>"; #toolbar
  260. print "</div>"; #pane
  261. print "<div style='padding : 0px' dojoType='dijit.layout.ContentPane' region='center'>";
  262. $sort = validate_field($sort,
  263. ["login", "access_level", "created", "num_feeds", "created", "last_login"], "login");
  264. if ($sort != "login") $sort = "$sort DESC";
  265. $sth = $this->pdo->prepare("SELECT
  266. tu.id,
  267. login,access_level,email,
  268. ".SUBSTRING_FOR_DATE."(last_login,1,16) as last_login,
  269. ".SUBSTRING_FOR_DATE."(created,1,16) as created,
  270. (SELECT COUNT(id) FROM ttrss_feeds WHERE owner_uid = tu.id) AS num_feeds
  271. FROM
  272. ttrss_users tu
  273. WHERE
  274. (:search = '' OR login LIKE :search) AND tu.id > 0
  275. ORDER BY $sort");
  276. $sth->execute([":search" => $user_search ? "%$user_search%" : ""]);
  277. print "<p><table width='100%' cellspacing='0' class='prefUserList' id='prefUserList'>";
  278. print "<tr class='title'>
  279. <td align='center' width='5%'>&nbsp;</td>
  280. <td width='20%'><a href='#' onclick=\"Users.reload('login')\">".__('Login')."</a></td>
  281. <td width='20%'><a href='#' onclick=\"Users.reload('access_level')\">".__('Access Level')."</a></td>
  282. <td width='10%'><a href='#' onclick=\"Users.reload('num_feeds')\">".__('Subscribed feeds')."</a></td>
  283. <td width='20%'><a href='#' onclick=\"Users.reload('created')\">".__('Registered')."</a></td>
  284. <td width='20%'><a href='#' onclick=\"Users.reload('last_login')\">".__('Last login')."</a></td></tr>";
  285. $lnum = 0;
  286. while ($line = $sth->fetch()) {
  287. $uid = $line["id"];
  288. print "<tr data-row-id='$uid' onclick='Users.edit($uid)'>";
  289. $line["login"] = htmlspecialchars($line["login"]);
  290. $line["created"] = make_local_datetime($line["created"], false);
  291. $line["last_login"] = make_local_datetime($line["last_login"], false);
  292. print "<td align='center'><input onclick='Tables.onRowChecked(this); event.stopPropagation();'
  293. dojoType='dijit.form.CheckBox' type='checkbox'></td>";
  294. print "<td title='".__('Click to edit')."'><i class='material-icons'>person</i> " . $line["login"] . "</td>";
  295. print "<td>" . $access_level_names[$line["access_level"]] . "</td>";
  296. print "<td>" . $line["num_feeds"] . "</td>";
  297. print "<td>" . $line["created"] . "</td>";
  298. print "<td>" . $line["last_login"] . "</td>";
  299. print "</tr>";
  300. ++$lnum;
  301. }
  302. print "</table>";
  303. if ($lnum == 0) {
  304. if (!$user_search) {
  305. print_warning(__('No users defined.'));
  306. } else {
  307. print_warning(__('No matching users found.'));
  308. }
  309. }
  310. print "</div>"; #pane
  311. PluginHost::getInstance()->run_hooks(PluginHost::HOOK_PREFS_TAB,
  312. "hook_prefs_tab", "prefUsers");
  313. print "</div>"; #container
  314. }
  315. }