From 083cb9429c3229309880d8f7c07ac60e34597fdf Mon Sep 17 00:00:00 2001
From: Richard Underwood <richard.underwood@digitaslbi.com>
Date: Tue, 20 Sep 2016 10:10:54 +0100
Subject: [PATCH] Modified users jtable to use id & fixed user deletion.

---
 includes/misc.inc.php | 42 ++++++++++++++++++++++++++++++------------
 index.php             |  7 +++++--
 users.php             | 17 ++++++-----------
 3 files changed, 41 insertions(+), 25 deletions(-)

diff --git a/includes/misc.inc.php b/includes/misc.inc.php
index 4281a89..a818cb2 100644
--- a/includes/misc.inc.php
+++ b/includes/misc.inc.php
@@ -159,7 +159,7 @@ function add_user($username, $isadmin = FALSE, $password = '') {
     return $ret;
 }
 
-function update_user($username, $isadmin, $password) {
+function update_user($id, $isadmin, $password) {
     if ($password && !preg_match('/\$6\$/', $password)) {
         $salt = bin2hex(openssl_random_pseudo_bytes(16));
         $password = crypt($password, '$6$'.$salt);
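Review bot: The "already hashed" detection at L22, `preg_match('/\$6\$/', $password)`, matches `$6$` anywhere in the string, so a user-chosen plaintext password that happens to contain `$6$` skips the crypt() call and is stored as-is; that check is kept unchanged by this commit even though update_user's signature is being reworked. Anchor it to the hash prefix: `if ($password && !preg_match('/^\$6\$/', $password)) {`. Only the signature is new in this hunk; the rest of update_user continues in the hunks below.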
@@ -167,16 +167,23 @@ function update_user($username, $isadmin, $password) {
 
     $db = get_db();
 
+    $q = $db->prepare('SELECT * FROM users WHERE id = ?');
+    $q->bindValue(1, $id, SQLITE3_INTEGER);
+    $result = $q->execute();
+    $userinfo = $result->fetchArray(SQLITE3_ASSOC);
+    $q->close();
+    $username = $userinfo['emailaddress'];
+
     if ($password) {
-        $q = $db->prepare('UPDATE users SET isadmin = ?, password = ? WHERE emailaddress = ?');
+        $q = $db->prepare('UPDATE users SET isadmin = ?, password = ? WHERE id = ?');
         $q->bindValue(1, (int)(bool)$isadmin, SQLITE3_INTEGER);
         $q->bindValue(2, $password, SQLITE3_TEXT);
-        $q->bindValue(3, $username, SQLITE3_TEXT);
+        $q->bindValue(3, $id, SQLITE3_INTEGER);
         writelog("Updating password and/or settings for $username. Admin: ".(int)(bool)$isadmin);
     } else {
-        $q = $db->prepare('UPDATE users SET isadmin = ? WHERE emailaddress = ?');
+        $q = $db->prepare('UPDATE users SET isadmin = ? WHERE id = ?');
         $q->bindValue(1, (int)(bool)$isadmin, SQLITE3_INTEGER);
-        $q->bindValue(2, $username, SQLITE3_TEXT); 
+        $q->bindValue(2, $id, SQLITE3_INTEGER); 
         writelog("Updating settings for $username. Admin: ".(int)(bool)$isadmin);
     }
     $ret = $q->execute();
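Review bot: `$username = $userinfo['emailaddress'];` at L34 runs even when the SELECT at L29 matched no row, in which case `fetchArray()` returns `false` and the index read yields a warning and `null`; the UPDATE then affects zero rows while `$q->execute()` still returns a result object, so an unknown or stale `id` is reported as a successful update. This matters because the users.php hunk below drops the `user_exists` check that used to catch this before calling update_user, and the new delete_user in the next hunk does guard with `if($userinfo)`. Add the same guard right after `$q->close();`: `if (!$userinfo) { return false; }` (closing `$db` first if the function's normal path, which lies outside this hunk, closes it). update_user's `return $ret` is in the next hunk.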
@@ -185,15 +192,26 @@ function update_user($username, $isadmin, $password) {
     return $ret;
 }
 
-function delete_user($username) {
+function delete_user($id) {
     $db = get_db();
-    $q = $db->prepare('DELETE FROM users WHERE id = ?');
-    $q->bindValue(1, $id, SQLITE3_INTEGER);
-    $ret = $q->execute();
-    $db->close();
 
-    writelog("Deleted user $username.");
-    return $ret;
+    $q = $db->prepare('SELECT * FROM users WHERE id = ?');
+    $q->bindValue(1, $id, SQLITE3_INTEGER);
+    $result = $q->execute();
+    $userinfo = $result->fetchArray(SQLITE3_ASSOC);
+    $q->close();
+
+    if($userinfo) {
+        $q = $db->prepare('DELETE FROM users WHERE id = ?');
+        $q->bindValue(1, $id, SQLITE3_INTEGER);
+        $ret = $q->execute();
+        $db->close();
+
+        writelog("Deleted user " . $userinfo['emailaddress'] . ".");
+        return $ret;
+    } else {
+        return false;
+    }
 }
 
 function valid_user($name) {
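Review bot: In the new delete_user the `$db->close()` at L77 sits inside the `if($userinfo)` branch, so the not-found path at L81–L83 returns with the database handle still open, whereas the code this replaces always closed it. A guard clause keeps both paths symmetric and removes the `else`: `if (!$userinfo) { $db->close(); return false; }` immediately after `$q->close();`, with the DELETE/log/return lines then dedented. Note also that `$ret` is an SQLite3Result object and is truthy even when the DELETE removed nothing (the row could vanish between the SELECT and the DELETE); `$db->changes()` after `$q->execute()` reports whether a row was actually deleted, and `if ($userinfo)` with a space is the file's spacing elsewhere.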
diff --git a/index.php b/index.php
index 41f23ac..8c764f4 100644
--- a/index.php
+++ b/index.php
@@ -991,12 +991,15 @@ $(document).ready(function () {
             deleteConfirmation: 'This user will be deleted. Are you sure?'
         },
         fields: {
+            id: {
+                key: true,
+                type: 'hidden'
+            },
             emailaddress: {
                 title: 'User',
-                key: true,
                 display: displayContent('emailaddress'),
                 inputClass: 'emailaddress',
-                create: true,
+                edit: false,
                 listClass: 'emailaddress'
             },
             password: {
diff --git a/users.php b/users.php
index 019619c..e31c122 100644
--- a/users.php
+++ b/users.php
@@ -64,20 +64,13 @@ case "create":
     break;
 
 case "update":
+    $id = isset($_POST['id']) ? intval($_POST['id']) : '';
     $emailaddress = isset($_POST['emailaddress']) ? $_POST['emailaddress'] : '';
     $isadmin = isset($_POST['isadmin']) ? $_POST['isadmin'] : '0';
     $password = isset($_POST['password']) ? $_POST['password'] : '';
 
-    if (!valid_user($emailaddress)) {
-        jtable_respond(null, 'error', "Please only use ^[a-z0-9@_.-]+$ for usernames");
-    }
-
-    if (!user_exists($emailaddress)) {
-        jtable_respond(null, 'error', 'Cannot update not existing user');
-    }
-
-    if (update_user($emailaddress, $isadmin, $password)) {
-        $result = array('emailaddress' => $emailaddress, 'isadmin' => $isadmin);
+    if ($id != '' and update_user($id, $isadmin, $password)) {
+        $result = array('isadmin' => $isadmin);
         jtable_respond($result, 'single');
     } else {
         jtable_respond(null, 'error', 'Could not update user');
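Review bot: `$id` at L117 is an `int` when `id` is posted and the string `''` otherwise, so the `$id != ''` test at L132 is a loose int-versus-string comparison whose outcome changes between PHP versions (`0 != ''` is false before PHP 8 and true from 8.0 on); the delete hunk below (L142, L144) has the same pattern. Use a single type and an explicit check: `$id = isset($_POST['id']) ? (int)$_POST['id'] : 0;` and `if ($id > 0 && update_user($id, $isadmin, $password)) {`. `$emailaddress` is still read from `$_POST` at L118 but is no longer used on this path now that the response at L133 omits it, so that line can be dropped. The `switch` this `case "update":` belongs to begins outside the hunk.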
@@ -85,7 +78,9 @@ case "update":
     break;
 
 case "delete":
-    if ($emailaddress != '' and delete_user($emailaddress) !== FALSE) {
+    $id = isset($_POST['id']) ? intval($_POST['id']) : '';
+
+    if ($id != '' and delete_user($id) !== FALSE) {
         jtable_respond(null, 'delete');
     } else {
         jtable_respond(null, 'error', 'Could not delete user');