misuzu/public/settings.php

<?php
require_once '../misuzu.php';

if (!user_session_active()) {
    echo render_error(403);
    return;
}

$errors = [];

$disableAccountOptions = !MSZ_DEBUG && (
    boolval(config_get_default(false, 'Private', 'enabled'))
    && boolval(config_get_default(false, 'Private', 'disable_account_settings'))
);

$currentEmail = user_email_get(user_session_current('user_id'));

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_verify('settings', $_POST['csrf'] ?? '')) {
        $errors[] = MSZ_TMP_USER_ERROR_STRINGS['csrf'];
    } else {
        if (!empty($_POST['session'])) {
            $currentSessionKilled = false;

            if (is_array($_POST['session'])) {
                foreach ($_POST['session'] as $sessionId) {
                    $sessionId = intval($sessionId);
                    $session = user_session_find($sessionId);

                    if (!$session || (int)$session['user_id'] !== user_session_current('user_id')) {
                        $errors[] = "Session #{$sessionId} does not exist.";
                        break;
                    } elseif ((int)$session['session_id'] === user_session_current('session_id')) {
                        $currentSessionKilled = true;
                    }

                    user_session_delete($session['session_id']);
                    audit_log(MSZ_AUDIT_PERSONAL_SESSION_DESTROY, user_session_current('user_id'), [
                        $session['session_id'],
                    ]);
                }
            } elseif ($_POST['session'] === 'all') {
                $currentSessionKilled = true;
                user_session_purge_all(user_session_current('user_id'));
                audit_log(MSZ_AUDIT_PERSONAL_SESSION_DESTROY_ALL, user_session_current('user_id'));
            }

            if ($currentSessionKilled) {
                header('Location: /');
                return;
            }
        }

        if (!empty($_POST['role'])) {
            $roleId = (int)($_POST['role']['id'] ?? 0);

            if ($roleId > 0 && user_role_has(user_session_current('user_id'), $roleId)) {
                switch ($_POST['role']['mode'] ?? '') {
                    case 'display':
                        user_role_set_display(user_session_current('user_id'), $roleId);
                        break;

                    case 'leave':
                        if (user_role_can_leave($roleId)) {
                            user_role_remove(user_session_current('user_id'), $roleId);
                        } else {
                            $errors[] = "You're not allow to leave this role, an administrator has to remove it for you.";
                        }
                        break;
                }
            } else {
                $errors[] = "You're trying to modify a role that hasn't been assigned to you.";
            }
        }

        if (!$disableAccountOptions && !empty($_POST['current_password'])) {
            if (!user_password_verify_db(user_session_current('user_id'), $_POST['current_password'] ?? '')) {
                $errors[] = 'Your password was incorrect.';
            } else {
                // Changing e-mail
                if (!empty($_POST['email']['new'])) {
                    if (empty($_POST['email']['confirm']) || $_POST['email']['new'] !== $_POST['email']['confirm']) {
                        $errors[] = 'The addresses you entered did not match each other.';
                    } elseif ($currentEmail === mb_strtolower($_POST['email']['confirm'])) {
                        $errors[] = 'This is already your e-mail address!';
                    } else {
                        $checkMail = user_validate_email($_POST['email']['new'], true);

                        if ($checkMail !== '') {
                            switch ($checkMail) {
                                case 'dns':
                                    $errors[] = 'No valid MX record exists for this domain.';
                                    break;

                                case 'format':
                                    $errors[] = 'The given e-mail address was incorrectly formatted.';
                                    break;

                                case 'in-use':
                                    $errors[] = 'This e-mail address is already in use.';
                                    break;

                                default:
                                    $errors[] = 'Unknown e-mail validation error.';
                            }
                        } else {
                            user_email_set(user_session_current('user_id'), $_POST['email']['new']);
                            audit_log(MSZ_AUDIT_PERSONAL_EMAIL_CHANGE, user_session_current('user_id'), [
                                $_POST['email']['new'],
                            ]);
                        }
                    }
                }

                // Changing password
                if (!empty($_POST['password']['new'])) {
                    if (empty($_POST['password']['confirm']) || $_POST['password']['new'] !== $_POST['password']['confirm']) {
                        $errors[] = 'The new passwords you entered did not match each other.';
                    } else {
                        $checkPassword = user_validate_password($_POST['password']['new']);

                        if ($checkPassword !== '') {
                            $errors[] = 'The given passwords was too weak.';
                        } else {
                            user_password_set(user_session_current('user_id'), $_POST['password']['new']);
                            audit_log(MSZ_AUDIT_PERSONAL_PASSWORD_CHANGE, user_session_current('user_id'));
                        }
                    }
                }
            }
        }
    }
}

$sessions = [
    'list' => [],
    'active' => user_session_current('session_id'),
    'amount' => user_session_count(user_session_current('user_id')),
    'offset' => max(0, intval($_GET['sessions']['offset'] ?? 0)),
    'take' => clamp($_GET['sessions']['take'] ?? 15, 5, 30),
];

$logins = [
    'list' => [],
    'amount' => user_login_attempts_count(user_session_current('user_id')),
    'offset' => max(0, intval($_GET['logins']['offset'] ?? 0)),
    'take' => clamp($_GET['logins']['take'] ?? 15, 5, 30),
];

$logs = [
    'list' => [],
    'amount' => audit_log_count(user_session_current('user_id')),
    'offset' => max(0, intval($_GET['logs']['offset'] ?? 0)),
    'take' => clamp($_GET['logs']['take'] ?? 15, 5, 30),
    'strings' => MSZ_AUDIT_LOG_STRINGS,
];

$sessions['list'] = user_session_list($sessions['offset'], $sessions['take'], user_session_current('user_id'));
$logins['list'] = user_login_attempts_list($logins['offset'], $logins['take'], user_session_current('user_id'));
$logs['list'] = audit_log_list($logs['offset'], $logs['take'], user_session_current('user_id'));

$getUserRoles = db_prepare('
    SELECT r.`role_id`, r.`role_name`, r.`role_description`, r.`role_colour`, r.`role_can_leave`
    FROM `msz_user_roles` as ur
    LEFT JOIN `msz_roles` as r
    ON r.`role_id` = ur.`role_id`
    WHERE ur.`user_id` = :user_id
    ORDER BY r.`role_hierarchy` DESC
');
$getUserRoles->bindValue('user_id', user_session_current('user_id'));
$userRoles = $getUserRoles->execute() ? $getUserRoles->fetchAll(PDO::FETCH_ASSOC) : [];

echo tpl_render('user.settings', [
    'errors' => $errors,
    'disable_account_options' => $disableAccountOptions,
    'current_email' => $currentEmail,
    'sessions' => $sessions,
    'logins' => $logins,
    'logs' => $logs,
    'user_roles' => $userRoles,
    'user_display_role' => user_role_get_display(user_session_current('user_id')),
]);
Add profile fields to database and add changing logic. 2018-03-23 00:01:42 +00:00			`<?php`
New config system, define a root dir constant and deprecate more of Application. 2018-10-04 20:30:55 +00:00			`require_once '../misuzu.php';`
Add profile fields to database and add changing logic. 2018-03-23 00:01:42 +00:00
Made imperative bits of the session system procedural like the rest. 2018-10-02 22:34:05 +00:00			`if (!user_session_active()) {`
finishing touches for the baseline (nowhere near done tho) 2018-05-26 20:33:05 +00:00			`echo render_error(403);`
Add profile fields to database and add changing logic. 2018-03-23 00:01:42 +00:00			`return;`
			`}`

Massively cleaned up settings.php. 2018-10-29 19:12:06 +00:00			`$errors = [];`
Add profile fields to database and add changing logic. 2018-03-23 00:01:42 +00:00
Merge settings pages into one. 2018-10-28 02:02:00 +00:00			`$disableAccountOptions = !MSZ_DEBUG && (`
			`boolval(config_get_default(false, 'Private', 'enabled'))`
			`&& boolval(config_get_default(false, 'Private', 'disable_account_settings'))`
			`);`
Massively cleaned up settings.php. 2018-10-29 19:12:06 +00:00
			`$currentEmail = user_email_get(user_session_current('user_id'));`
Add avatar uploading. 2018-03-24 04:31:42 +00:00
Add profile fields to database and add changing logic. 2018-03-23 00:01:42 +00:00			`if ($_SERVER['REQUEST_METHOD'] === 'POST') {`
cool new CSRF protection system 2018-10-02 19:16:42 +00:00			`if (!csrf_verify('settings', $_POST['csrf'] ?? '')) {`
Massively cleaned up settings.php. 2018-10-29 19:12:06 +00:00			`$errors[] = MSZ_TMP_USER_ERROR_STRINGS['csrf'];`
Merged account and avatar settings pages. 2018-08-11 18:56:54 +00:00			`} else {`
Updated session manager styling. 2018-10-29 17:55:10 +00:00			`if (!empty($_POST['session'])) {`
			`$currentSessionKilled = false;`

			`if (is_array($_POST['session'])) {`
			`foreach ($_POST['session'] as $sessionId) {`
			`$sessionId = intval($sessionId);`
			`$session = user_session_find($sessionId);`
Added delete all sessions button. 2018-08-15 13:36:40 +00:00
Massively cleaned up settings.php. 2018-10-29 19:12:06 +00:00			`if (!$session \|\| (int)$session['user_id'] !== user_session_current('user_id')) {`
			`$errors[] = "Session #{$sessionId} does not exist.";`
Updated session manager styling. 2018-10-29 17:55:10 +00:00			`break;`
			`} elseif ((int)$session['session_id'] === user_session_current('session_id')) {`
			`$currentSessionKilled = true;`
			`}`

			`user_session_delete($session['session_id']);`
Convert audit log strings to constants. 2018-12-15 18:46:48 +00:00			`audit_log(MSZ_AUDIT_PERSONAL_SESSION_DESTROY, user_session_current('user_id'), [`
Updated session manager styling. 2018-10-29 17:55:10 +00:00			`$session['session_id'],`
			`]);`
			`}`
			`} elseif ($_POST['session'] === 'all') {`
			`$currentSessionKilled = true;`
Massively cleaned up settings.php. 2018-10-29 19:12:06 +00:00			`user_session_purge_all(user_session_current('user_id'));`
Convert audit log strings to constants. 2018-12-15 18:46:48 +00:00			`audit_log(MSZ_AUDIT_PERSONAL_SESSION_DESTROY_ALL, user_session_current('user_id'));`
Updated session manager styling. 2018-10-29 17:55:10 +00:00			`}`
Added underlying code to sessions page. 2018-03-26 02:08:35 +00:00
Updated session manager styling. 2018-10-29 17:55:10 +00:00			`if ($currentSessionKilled) {`
			`header('Location: /');`
Move more settings.php into functions. 2018-09-27 22:03:43 +00:00			`return;`
Added underlying code to sessions page. 2018-03-26 02:08:35 +00:00			`}`
Merged account and avatar settings pages. 2018-08-11 18:56:54 +00:00			`}`
Added underlying code to sessions page. 2018-03-26 02:08:35 +00:00
Added personal role management. 2018-11-17 20:37:18 +00:00			`if (!empty($_POST['role'])) {`
			`$roleId = (int)($_POST['role']['id'] ?? 0);`
Massively cleaned up settings.php. 2018-10-29 19:12:06 +00:00
Added personal role management. 2018-11-17 20:37:18 +00:00			`if ($roleId > 0 && user_role_has(user_session_current('user_id'), $roleId)) {`
			`switch ($_POST['role']['mode'] ?? '') {`
			`case 'display':`
			`user_role_set_display(user_session_current('user_id'), $roleId);`
			`break;`

			`case 'leave':`
			`if (user_role_can_leave($roleId)) {`
			`user_role_remove(user_session_current('user_id'), $roleId);`
			`} else {`
			`$errors[] = "You're not allow to leave this role, an administrator has to remove it for you.";`
			`}`
			`break;`
			`}`
			`} else {`
			`$errors[] = "You're trying to modify a role that hasn't been assigned to you.";`
			`}`
			`}`

			`if (!$disableAccountOptions && !empty($_POST['current_password'])) {`
Massively cleaned up settings.php. 2018-10-29 19:12:06 +00:00			`if (!user_password_verify_db(user_session_current('user_id'), $_POST['current_password'] ?? '')) {`
			`$errors[] = 'Your password was incorrect.';`
			`} else {`
			`// Changing e-mail`
			`if (!empty($_POST['email']['new'])) {`
			`if (empty($_POST['email']['confirm']) \|\| $_POST['email']['new'] !== $_POST['email']['confirm']) {`
			`$errors[] = 'The addresses you entered did not match each other.';`
			`} elseif ($currentEmail === mb_strtolower($_POST['email']['confirm'])) {`
			`$errors[] = 'This is already your e-mail address!';`
Merged account and avatar settings pages. 2018-08-11 18:56:54 +00:00			`} else {`
Massively cleaned up settings.php. 2018-10-29 19:12:06 +00:00			`$checkMail = user_validate_email($_POST['email']['new'], true);`
Merged account and avatar settings pages. 2018-08-11 18:56:54 +00:00
Massively cleaned up settings.php. 2018-10-29 19:12:06 +00:00			`if ($checkMail !== '') {`
			`switch ($checkMail) {`
			`case 'dns':`
			`$errors[] = 'No valid MX record exists for this domain.';`
			`break;`
Merged account and avatar settings pages. 2018-08-11 18:56:54 +00:00
Massively cleaned up settings.php. 2018-10-29 19:12:06 +00:00			`case 'format':`
			`$errors[] = 'The given e-mail address was incorrectly formatted.';`
			`break;`
Merged account and avatar settings pages. 2018-08-11 18:56:54 +00:00
Massively cleaned up settings.php. 2018-10-29 19:12:06 +00:00			`case 'in-use':`
			`$errors[] = 'This e-mail address is already in use.';`
			`break;`
Merged account and avatar settings pages. 2018-08-11 18:56:54 +00:00
Massively cleaned up settings.php. 2018-10-29 19:12:06 +00:00			`default:`
			`$errors[] = 'Unknown e-mail validation error.';`
Merged account and avatar settings pages. 2018-08-11 18:56:54 +00:00			`}`
Massively cleaned up settings.php. 2018-10-29 19:12:06 +00:00			`} else {`
			`user_email_set(user_session_current('user_id'), $_POST['email']['new']);`
Convert audit log strings to constants. 2018-12-15 18:46:48 +00:00			`audit_log(MSZ_AUDIT_PERSONAL_EMAIL_CHANGE, user_session_current('user_id'), [`
Massively cleaned up settings.php. 2018-10-29 19:12:06 +00:00			`$_POST['email']['new'],`
			`]);`
Merged account and avatar settings pages. 2018-08-11 18:56:54 +00:00			`}`
Massively cleaned up settings.php. 2018-10-29 19:12:06 +00:00			`}`
			`}`
Added underlying code to sessions page. 2018-03-26 02:08:35 +00:00
Massively cleaned up settings.php. 2018-10-29 19:12:06 +00:00			`// Changing password`
			`if (!empty($_POST['password']['new'])) {`
			`if (empty($_POST['password']['confirm']) \|\| $_POST['password']['new'] !== $_POST['password']['confirm']) {`
			`$errors[] = 'The new passwords you entered did not match each other.';`
			`} else {`
			`$checkPassword = user_validate_password($_POST['password']['new']);`
Added underlying code to sessions page. 2018-03-26 02:08:35 +00:00
Massively cleaned up settings.php. 2018-10-29 19:12:06 +00:00			`if ($checkPassword !== '') {`
			`$errors[] = 'The given passwords was too weak.';`
			`} else {`
			`user_password_set(user_session_current('user_id'), $_POST['password']['new']);`
Convert audit log strings to constants. 2018-12-15 18:46:48 +00:00			`audit_log(MSZ_AUDIT_PERSONAL_PASSWORD_CHANGE, user_session_current('user_id'));`
Merged account and avatar settings pages. 2018-08-11 18:56:54 +00:00			`}`
			`}`
			`}`
			`}`
			`}`
Add profile fields to database and add changing logic. 2018-03-23 00:01:42 +00:00			`}`
			`}`

Massively cleaned up settings.php. 2018-10-29 19:12:06 +00:00			`$sessions = [`
			`'list' => [],`
			`'active' => user_session_current('session_id'),`
			`'amount' => user_session_count(user_session_current('user_id')),`
			`'offset' => max(0, intval($_GET['sessions']['offset'] ?? 0)),`
			`'take' => clamp($_GET['sessions']['take'] ?? 15, 5, 30),`
			`];`

			`$logins = [`
			`'list' => [],`
			`'amount' => user_login_attempts_count(user_session_current('user_id')),`
			`'offset' => max(0, intval($_GET['logins']['offset'] ?? 0)),`
			`'take' => clamp($_GET['logins']['take'] ?? 15, 5, 30),`
			`];`

			`$logs = [`
			`'list' => [],`
			`'amount' => audit_log_count(user_session_current('user_id')),`
			`'offset' => max(0, intval($_GET['logs']['offset'] ?? 0)),`
			`'take' => clamp($_GET['logs']['take'] ?? 15, 5, 30),`
Improved look of global audit log. 2018-12-15 18:14:23 +00:00			`'strings' => MSZ_AUDIT_LOG_STRINGS,`
Massively cleaned up settings.php. 2018-10-29 19:12:06 +00:00			`];`
Add profile fields to database and add changing logic. 2018-03-23 00:01:42 +00:00
Massively cleaned up settings.php. 2018-10-29 19:12:06 +00:00			`$sessions['list'] = user_session_list($sessions['offset'], $sessions['take'], user_session_current('user_id'));`
Fixed pagination in settings. Closes #73. 2018-12-01 12:20:21 +00:00			`$logins['list'] = user_login_attempts_list($logins['offset'], $logins['take'], user_session_current('user_id'));`
Massively cleaned up settings.php. 2018-10-29 19:12:06 +00:00			`$logs['list'] = audit_log_list($logs['offset'], $logs['take'], user_session_current('user_id'));`

//user role stuff 2018-11-16 17:54:56 +00:00			`$getUserRoles = db_prepare('`
Added personal role management. 2018-11-17 20:37:18 +00:00			SELECT r.`role_id`, r.`role_name`, r.`role_description`, r.`role_colour`, r.`role_can_leave`
//user role stuff 2018-11-16 17:54:56 +00:00			FROM `msz_user_roles` as ur
			LEFT JOIN `msz_roles` as r
			ON r.`role_id` = ur.`role_id`
			WHERE ur.`user_id` = :user_id
Added personal role management. 2018-11-17 20:37:18 +00:00			ORDER BY r.`role_hierarchy` DESC
//user role stuff 2018-11-16 17:54:56 +00:00			`');`
			`$getUserRoles->bindValue('user_id', user_session_current('user_id'));`
			`$userRoles = $getUserRoles->execute() ? $getUserRoles->fetchAll(PDO::FETCH_ASSOC) : [];`

Massively cleaned up settings.php. 2018-10-29 19:12:06 +00:00			`echo tpl_render('user.settings', [`
			`'errors' => $errors,`
			`'disable_account_options' => $disableAccountOptions,`
			`'current_email' => $currentEmail,`
			`'sessions' => $sessions,`
			`'logins' => $logins,`
			`'logs' => $logs,`
Added personal role management. 2018-11-17 20:37:18 +00:00			`'user_roles' => $userRoles,`
			`'user_display_role' => user_role_get_display(user_session_current('user_id')),`
Massively cleaned up settings.php. 2018-10-29 19:12:06 +00:00			`]);`