From a94bb6dbc7b120398f55d860f27503cdb73d25d9 Mon Sep 17 00:00:00 2001
From: Quitta <devnull@localhost>
Date: Mon, 1 Jul 2013 23:29:16 +0200
Subject: [PATCH] change password is now usable for GM's too by using a
 GET['id'] param!

---
 .../ryzom_ams/ams_lib/autoload/users.php      | 65 ++++++++++++---
 .../ryzom_ams/www/html/autoload/webusers.php  | 27 ++++++-
 .../www/html/func/change_password.php         | 80 ++++++++++++++-----
 .../server/ryzom_ams/www/html/func/login.php  |  3 +
 .../ryzom_ams/www/html/inc/settings.php       | 21 +++++
 .../ryzom_ams/www/html/templates/settings.tpl | 27 ++++---
 6 files changed, 173 insertions(+), 50 deletions(-)
 create mode 100644 code/ryzom/tools/server/ryzom_ams/www/html/inc/settings.php

diff --git a/code/ryzom/tools/server/ryzom_ams/ams_lib/autoload/users.php b/code/ryzom/tools/server/ryzom_ams/ams_lib/autoload/users.php
index 864c963bb..7373bc4a3 100644
--- a/code/ryzom/tools/server/ryzom_ams/ams_lib/autoload/users.php
+++ b/code/ryzom/tools/server/ryzom_ams/ams_lib/autoload/users.php
@@ -313,27 +313,43 @@ class Users{
      }
      
      public function check_change_password($values){
-          if ( isset( $values["user"] ) and isset( $values["CurrentPass"] ) and isset( $values["ConfirmNewPass"] ) and isset( $values["NewPass"] ) ){
-               $match = $this->checkLoginMatch($values["user"],$values["CurrentPass"]);
-               $newpass = $this->checkPassword($values["NewPass"]);
-               $confpass = $this->confirmPassword($newpass,$values["NewPass"],$values["ConfirmNewPass"]);
+          //if admin isn't changing others
+          if(!$values['adminChangesOther']){
+               if ( isset( $values["user"] ) and isset( $values["CurrentPass"] ) and isset( $values["ConfirmNewPass"] ) and isset( $values["NewPass"] ) ){
+                    $match = $this->checkLoginMatch($values["user"],$values["CurrentPass"]);
+                    $newpass = $this->checkPassword($values["NewPass"]);
+                    $confpass = $this->confirmPassword($newpass,$values["NewPass"],$values["ConfirmNewPass"]);
+               }else{
+                    $match = "";
+                    $newpass = "";
+                    $confpass = "";
+               }
           }else{
-               $match = "";
-               $newpass = "";
-               $confpass = "";
+               //if admin is indeed changing someone!
+               if ( isset( $values["user"] ) and isset( $values["ConfirmNewPass"] ) and isset( $values["NewPass"] ) ){
+                    $newpass = $this->checkPassword($values["NewPass"]);
+                    $confpass = $this->confirmPassword($newpass,$values["NewPass"],$values["ConfirmNewPass"]);
+               }else{
+                    $newpass = "";
+                    $confpass = "";
+               }
           }
-          if ( ( $match != "fail" ) and ( $newpass == "success" ) and ( $confpass == "success" ) ){
+          if (  !$values['adminChangesOther'] and ( $match != "fail" ) and ( $newpass == "success" ) and ( $confpass == "success" ) ){
+               return "success";
+          }else if($values['adminChangesOther'] and ( $newpass == "success" ) and ( $confpass == "success" ) ){
                return "success";
           }else{
                $pageElements = array(
-                'match_error_message' => $match,
                 'newpass_error_message' => $newpass,
                 'confirmnewpass_error_message' => $confpass
                 );
-               if ( $match != "fail" ){
-                    $pageElements['MATCH_ERROR'] = 'FALSE';
-               }else{
-                    $pageElements['MATCH_ERROR'] = 'TRUE';
+               if(!$values['adminChangesOther']){
+                    $pageElements['match_error_message'] = $match;
+                    if ( $match != "fail" ){
+                         $pageElements['MATCH_ERROR'] = 'FALSE';
+                    }else{
+                         $pageElements['MATCH_ERROR'] = 'TRUE';
+                    }
                }
                if ( $newpass != "success" ){
                     $pageElements['NEWPASSWORD_ERROR'] = 'TRUE';
@@ -348,6 +364,29 @@ class Users{
                return $pageElements;
           }
      }
+     
+     protected function setPassword($user, $pass){
+           try {
+               //make connection with and put into shard db
+               global $cfg;
+               $dbs = new DBLayer($cfg['db']['shard']);
+               $dbs->execute("UPDATE user SET Password = :pass WHERE Login = :user ",$values);
+               return "ok";
+          }
+          catch (PDOException $e) {
+               //oh noooz, the shard is offline! Put in query queue at ams_lib db!
+               /*try {
+                    $dbl = new DBLayer($cfg['db']['lib']);  
+                    $dbl->execute("INSERT INTO ams_querycache (type, query) VALUES (:type, :query)",array("type" => "createUser",
+                    "query" => json_encode(array($values["name"],$values["pass"],$values["mail"]))));
+                    return "shardoffline";
+               }catch (PDOException $e) {
+                    print_r($e);
+                    return "liboffline";
+               }*/
+          } 
+     }
 }
 
 
+     
\ No newline at end of file
diff --git a/code/ryzom/tools/server/ryzom_ams/www/html/autoload/webusers.php b/code/ryzom/tools/server/ryzom_ams/www/html/autoload/webusers.php
index 1e201508f..91c7bc317 100644
--- a/code/ryzom/tools/server/ryzom_ams/www/html/autoload/webusers.php
+++ b/code/ryzom/tools/server/ryzom_ams/www/html/autoload/webusers.php
@@ -48,9 +48,30 @@ class WebUsers extends Users{
         }else{
               return "fail";
         }	
-                   
-       
-
      }
      
+     
+    public function getUsername($id){
+        global $cfg;
+        
+        $dbw = new DBLayer($cfg['db']['web']);
+        $statement = $dbw->execute("SELECT * FROM ams_user WHERE UId=:id", array('id' => $id));
+        $row = $statement->fetch();
+        return $row['Login'];
+    }
+    
+    public function isLoggedIn(){
+        if(isset($_SESSION['user'])){
+            return true;
+        }
+        return false;
+    }
+    
+    public function isAdmin(){
+        if(isset($_SESSION['permission']) && $_SESSION['permission'] == 2){
+            return true;
+        }
+        return false;
+    }
+    
 }
\ No newline at end of file
diff --git a/code/ryzom/tools/server/ryzom_ams/www/html/func/change_password.php b/code/ryzom/tools/server/ryzom_ams/www/html/func/change_password.php
index 63a76a425..3603c5144 100644
--- a/code/ryzom/tools/server/ryzom_ams/www/html/func/change_password.php
+++ b/code/ryzom/tools/server/ryzom_ams/www/html/func/change_password.php
@@ -3,28 +3,66 @@
 function change_password(){
 	
     try{
-            if(isset($_SESSION["user"])){
-                $webUser = new WebUsers();
-                $params = Array( 'user' => $_SESSION["user"], 'CurrentPass' => $_POST["CurrentPass"], 'NewPass' => $_POST["NewPass"], 'ConfirmNewPass' => $_POST["ConfirmNewPass"]);
-                $result = $webUser->check_change_password($params);
-                if ($result == "success"){
-                    //edit stuff into db
+        //if logged in
+        if(WebUsers::isLoggedIn()){
+            
+            if(isset($_POST['target_id'])){
+                $adminChangesOther = false;
+                //if target_id is the same as session id or is admin
+                if(  ($_POST['target_id'] == $_SESSION['id']) ||  WebUsers::isAdmin()  ){
+                    if($_POST['target_id'] == $_SESSION['id']){
+                        $target_username = $_SESSION['user'];
+                    }else{
+                        $target_username = WebUsers::getUsername($_POST['target_id']);
+                        //isAdmin is true when it's the admin, but the target_id != own id
+                        $adminChangesOther = true;
+                        $_POST["CurrentPass"] = "dummypass";
+                    }
+                    $id = $_POST['target_id'];
+                    
+                    $webUser = new WebUsers();
+                    $params = Array( 'user' => $target_username, 'CurrentPass' => $_POST["CurrentPass"], 'NewPass' => $_POST["NewPass"], 'ConfirmNewPass' => $_POST["ConfirmNewPass"], 'adminChangesOther' => $adminChangesOther);
+                    $result = $webUser->check_change_password($params);
+                    if ($result == "success"){
+                        //edit stuff into db
+                        $hashpass = crypt($_POST["NewPass"], WebUsers::generateSALT());
+                        print('success!');
+                        exit;
+                         
+                    }else{
+                        
+                        $result['prevCurrentPass'] = $_POST["CurrentPass"];
+                        $result['prevNewPass'] = $_POST["NewPass"];
+                        $result['prevConfirmNewPass'] = $_POST["ConfirmNewPass"];
+                        $result['permission'] = $_SESSION['permission'];
+                        $result['no_visible_elements'] = 'FALSE';
+                        $result['target_id'] = $_POST['target_id'];
+                        if(isset($_GET['id'])){
+                            if(WebUsers::isAdmin() && ($_POST['target_id'] != $_SESSION['id'])){
+                                $result['isAdmin'] = "TRUE";
+                            }
+                        }
+                        helpers :: loadtemplate( 'settings', $result);
+                        exit;
+                    }
+                    
                 }else{
-                    $result['prevCurrentPass'] = $_POST["CurrentPass"];
-                    $result['prevNewPass'] = $_POST["NewPass"];
-                    $result['prevConfirmNewPass'] = $_POST["ConfirmNewPass"];
-                    $result['permission'] = $_SESSION['permission'];
-                    $result['no_visible_elements'] = 'FALSE';
-                    helpers :: loadtemplate( 'settings', $result);
-                    exit;
+                    //ERROR: permission denied!
                 }
-
-            }	
-	}catch (PDOException $e) {
-	     //go to error page or something, because can't access website db
-	     print_r($e);
-	     exit;
-	}
-	
+        
+            }else{
+                //ERROR: The form was not filled in correclty
+            }    
+        }else{
+            //ERROR: user is not logged in
+            exit;
+        }
+                  
+    }catch (PDOException $e) {
+         //go to error page or something, because can't access website db
+         print_r($e);
+         exit;
+    }
+    
 }
 
diff --git a/code/ryzom/tools/server/ryzom_ams/www/html/func/login.php b/code/ryzom/tools/server/ryzom_ams/www/html/func/login.php
index 4edd60fe5..a34203541 100644
--- a/code/ryzom/tools/server/ryzom_ams/www/html/func/login.php
+++ b/code/ryzom/tools/server/ryzom_ams/www/html/func/login.php
@@ -10,6 +10,9 @@ function login(){
 			//handle successful login
 			$_SESSION['user'] = $_POST["Username"];
 			$_SESSION['permission'] = $result['Permission'];
+			$_SESSION['id'] = $result['UId'];
+			print('id=');
+			print($_SESSION['id']);
 			//go back to the index page.
 			header( 'Location: index.php' );
 			exit;
diff --git a/code/ryzom/tools/server/ryzom_ams/www/html/inc/settings.php b/code/ryzom/tools/server/ryzom_ams/www/html/inc/settings.php
new file mode 100644
index 000000000..2248b7d70
--- /dev/null
+++ b/code/ryzom/tools/server/ryzom_ams/www/html/inc/settings.php
@@ -0,0 +1,21 @@
+<?php
+
+function settings(){
+    if(WebUsers::isLoggedIn()){
+            //in case id-GET param set it's value as target_id, if no id-param is given, ue the session id.
+            if(isset($_GET['id'])){
+                if(WebUsers::isAdmin() && ($_GET['id']!= $_SESSION['id'])){
+                    $result['isAdmin'] = "TRUE";
+                }
+                $result['target_id'] = $_GET['id'];
+            }else{
+                $result['target_id'] = $_SESSION['id'];
+            }
+
+            return $result;
+    }else{
+        //ERROR: not logged in!
+        print("not logged in!");
+        exit;
+    }
+}
\ No newline at end of file
diff --git a/code/ryzom/tools/server/ryzom_ams/www/html/templates/settings.tpl b/code/ryzom/tools/server/ryzom_ams/www/html/templates/settings.tpl
index c3c425f71..c0e4f7a7b 100644
--- a/code/ryzom/tools/server/ryzom_ams/www/html/templates/settings.tpl
+++ b/code/ryzom/tools/server/ryzom_ams/www/html/templates/settings.tpl
@@ -10,21 +10,22 @@
 			</div>
 			<div class="box-content">
 				<div class="row-fluid">
-					<form id="changePassword" class="form-vertical" method="post" action="index.php">
+					<form id="changePassword" class="form-vertical" method="post" action="index.php?page=settings&id={$target_id}">
 						<legend>Change Password</legend>
 						
-						<div class="control-group {if isset($MATCH_ERROR) and $MATCH_ERROR eq "TRUE"}error{else if
-			isset($match_error_message) and $match_error_message neq "fail"}success{else}{/if}">
-						<label class="control-label">Current Password</label>
-							<div class="controls">
-							    <div class="input-prepend">
-								<span class="add-on" style="margin-left:5px;"><i class="icon-lock"></i></span>
-									<input type="password" class="input-xlarge" id="CurrentPass" name="CurrentPass" placeholder="Your current password" {if isset($prevCurrentPass)}value="{$prevCurrentPass}"{/if}>
-									{if isset($MATCH_ERROR) and $MATCH_ERROR eq "TRUE"}<span class="help-inline">The password is incorrect</span>{/if}
-							    </div>
+						{if !isset($isAdmin) or $isAdmin eq "FALSE"}
+							<div class="control-group {if isset($MATCH_ERROR) and $MATCH_ERROR eq "TRUE"}error{else if
+				isset($match_error_message) and $match_error_message neq "fail"}success{else}{/if}">
+							<label class="control-label">Current Password</label>
+								<div class="controls">
+								    <div class="input-prepend">
+									<span class="add-on" style="margin-left:5px;"><i class="icon-lock"></i></span>
+										<input type="password" class="input-xlarge" id="CurrentPass" name="CurrentPass" placeholder="Your current password" {if isset($prevCurrentPass)}value="{$prevCurrentPass}"{/if}>
+										{if isset($MATCH_ERROR) and $MATCH_ERROR eq "TRUE"}<span class="help-inline">The password is incorrect</span>{/if}
+								    </div>
+								</div>
 							</div>
-						</div>
-						
+						{/if}
 							<div class="control-group {if isset($NEWPASSWORD_ERROR) and $NEWPASSWORD_ERROR eq "TRUE"}error{else if
 			isset($newpass_error_message) and $newpass_error_message eq "success"}success{else}{/if}">
 						<label class="control-label">New Password</label>
@@ -50,7 +51,7 @@
 						</div>
 						
 						<input type="hidden" name="function" value="change_password">
-						
+						<input type="hidden" name="target_id" value="{$target_id}">
 						<div class="control-group">
 							<label class="control-label"></label>
 							<div class="controls">