Commit 04ebd5c

Merge pull request #238 from aula-app/dev
Release dev -> staging
2 parents 93c6db1 + c1a4efb commit 04ebd5c

2 files changed

Lines changed: 67 additions & 82 deletions

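--- a/classes/models/Database.php
+++ b/classes/models/Database.php
@@ -87,23 +87,31 @@ public function query($query) {
 }
 
 public function bind($param, $value, $type = null) {
-# provides binding functionality
-if (is_null($type)) {
-switch (true) {
-case is_int($value):
-$type = PDO::PARAM_INT;
-break;
-case is_bool($value):
-$type = PDO::PARAM_BOOL;
-break;
-case is_null($value):
-$type = PDO::PARAM_NULL;
-break;
-default:
-$type = PDO::PARAM_STR;
+if (str_starts_with($param, ':')) {
+# provides binding functionality
+if (is_null($type)) {
+switch (true) {
+case is_int($value):
+$type = PDO::PARAM_INT;
+break;
+case is_bool($value):
+$type = PDO::PARAM_BOOL;
+break;
+case is_null($value):
+$type = PDO::PARAM_NULL;
+break;
+default:
+$type = PDO::PARAM_STR;
+}
 }
+$this->stmt->bindValue($param, $value, $type);
+}
+}
+
+public function bindAll($keyvalues) {
+foreach ($keyvalues as $key => $value) {
+$this->bind($key, $value);
 }
-$this->stmt->bindValue($param, $value, $type);
 }
 
 public function execute() {
@@ -161,6 +169,4 @@ public function getPass() {
 public function getDbname() {
 return $this->dbname;
 }
-
 }
-?>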
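Review bot: The new `str_starts_with($param, ':')` guard in bind() turns a mis-named placeholder into a silent no-op, so the token stays unbound and the failure only surfaces later at execute() as a PDO parameter-count error (or not at all if the caller ignores execute()'s result), and positional `?` placeholders (integer names) can no longer be bound at all; the only caller that appears to rely on the skip is the `''` name that checkUserExistsByUsername passes to avoid binding `:email`. Make that skip explicit and fail loudly for everything else: `if ($param === '') { return; }` followed by `if (!str_starts_with($param, ':')) { throw new InvalidArgumentException("bind(): expected a named placeholder, got '$param'"); }`. bindAll() also lands without a doc comment; `# binds every key => value pair of $keyvalues via bind(), inferring each PDO type from the value` would cover it.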

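--- a/classes/models/User.php
+++ b/classes/models/User.php
@@ -1372,11 +1372,11 @@ public function addCSV($csv, $room_id, $user_level = 20, $separator = ";")
 $data = str_getcsv($line, $separator);
 $line_counter++;
 
-$real_name = $data[0];
-$display_name = $data[1];
-$user_name = $data[2];
-$email = $data[3];
-$about_me = $data[4];
+$real_name = trim($data[0]);
+$display_name = trim($data[1]);
+$user_name = trim($data[2]);
+$email = strtolower(trim($data[3]));
+$about_me = trim($data[4]);
 
 // check if user name is still available
 $user_ok = false;
@@ -1386,14 +1386,13 @@ public function addCSV($csv, $room_id, $user_level = 20, $separator = ";")
 
 while ($user_ok == false && $attempts < 100) {
 $temp_user = $this->checkUserExistsByUsername($user_name, $email); // check username / email in db
-$temp_user_id = $temp_user['data']; // get id from array
 
 $attempts++; # increment attempts to find a proper username
 
-if ($temp_user_id > 0) {
-# user exists
+if ($temp_user['count'] > 0) {
+# user exists, hence not OK
 $user_ok = false;
-#alter user name
+# retry with altered username
 $suffix = $this->generate_pass(3);
 $user_name = $base_user_name . "_" . $suffix;
 } else {
@@ -1601,7 +1600,7 @@ public function getUserPayload($user_id)
 
 $stmt = $this->db->query('SELECT id, userlevel, temp_pw, hash_id, status, roles FROM ' . $this->db->au_users_basedata . ' WHERE id = :user_id ');
 try {
-$this->db->bind(':user_id', $user_id); // blind index
+$this->db->bind(':user_id', $user_id);
 $users = $this->db->resultSet();
 $user_status = $users[0]['status'];
 $user_id = $users[0]['id'];
@@ -1648,14 +1647,12 @@ public function checkCredentials($username, $pw)
 pw is clear text
 */
 
-// create temp blind index (future use for o1 parameter)
-$bi = md5(strtolower($username));
 $user_status = 0;
 $user_id = 0;
 
 $stmt = $this->db->query('SELECT id, username, pw, refresh_token, temp_pw, userlevel, hash_id, status, roles FROM ' . $this->db->au_users_basedata . ' WHERE username = :username ');
 try {
-$this->db->bind(':username', $username); // blind index
+$this->db->bind(':username', $username);
 $users = $this->db->resultSet();
 $user_status = $users[0]['status'];
 $user_id = $users[0]['id'];
@@ -1850,45 +1847,25 @@ public function getUsers($offset, $limit, $orderby = 0, $asc = 0, $both_names =
 public function checkUserExistsByUsername($username, $email = "")
 {
 // helper function: checks if a user with this username or email adress is already in database
-// generate blind index
-
-$bi = md5(strtolower(trim($username)));
-
-# init
-$check_email = false;
-$extra_where = "";
 
-if (strlen(trim($email)) > 2) {
-$extra_where = " OR email = :email";
-$check_email = true;
-}
+$check_email = strlen(trim($email)) > 2;
 
-$stmt = $this->db->query('SELECT id FROM ' . $this->db->au_users_basedata . ' WHERE bi = :bi' . $extra_where);
-
-if ($check_email) {
-$this->db->bind(':email', $email); // bind email
-}
-$this->db->bind(':bi', $bi); // bind blind index
+// our mariadb uses case-insensitive collation by default => string comparisons are case-insensitive
+$this->db->query('SELECT id FROM ' . $this->db->au_users_basedata . ' WHERE username = :username ' .
+($check_email ? ' OR email = :email' : ''));
+$this->db->bind(':username', trim($username));
+$this->db->bind(($check_email ? ':email' : ''), trim($email));
 
 $users = $this->db->resultSet();
-if (count($users) < 1) {
-$returnvalue['success'] = true; // set return value
-$returnvalue['error_code'] = 2; // error code
-$returnvalue['data'] = false; // returned data
-$returnvalue['count'] = 0; // returned count of datasets
-
-return $returnvalue;
-
+$returnvalue['success'] = true;
+$returnvalue['count'] = count($users);
+$returnvalue['error_code'] = 0;
+if (count($users) > 1 || empty($users)) {
+$returnvalue['data'] = false;
 } else {
-$user_id = $users[0]['id']; // get user id from db
-$returnvalue['success'] = true; // set return value
-$returnvalue['error_code'] = 0; // error code
-$returnvalue['data'] = $user_id; // returned data
-$returnvalue['count'] = 1; // returned count of datasets
-
-return $returnvalue;
-
+$returnvalue['data'] = $users[0]['id'];
 }
+return $returnvalue;
 }
 
 public function getUsersByRoom($room_id, $status = -1, $offset = 0, $limit = 0, $orderby = 3, $asc = 0, $search_field = "", $search_text = "", $userlevel = -1)
@@ -2180,7 +2157,7 @@ public function addUser($realname, $displayname, $username, $email = "", $passwo
 $realname = trim($realname);
 $displayname = trim($displayname);
 $username = trim($username);
-$email = trim($email);
+$email = strtolower(trim($email));
 $about_me = trim($about_me);
 $password = trim($password);
 $updater_id = intval($updater_id);
@@ -2189,21 +2166,18 @@ public function addUser($realname, $displayname, $username, $email = "", $passwo
 
 // check if user name is still available
 $temp_user = $this->checkUserExistsByUsername($username, $email); // check username in db
-$temp_user_id = $temp_user['data']; // get id from array
 
-if ($temp_user_id > 0) {
+if ($temp_user['count'] > 0) {
 $returnvalue['success'] = true; // set return value
 $returnvalue['error_code'] = 2; // db error code
-$returnvalue['data'] = $temp_user_id; // returned data
+$returnvalue['data'] = $temp_user['data']; // returned data
 $returnvalue['count'] = 0; // returned count of datasets
 
 return $returnvalue;
 }
 
 // generate hash password
 $hash = password_hash($password, PASSWORD_DEFAULT);
-// generate blind index
-$bi = md5(strtolower(trim($username)));
 
 $stmt = $this->db->query('INSERT INTO ' . $this->db->au_users_basedata . ' (temp_pw, pw_changed, o1, o2, o3, about_me, presence, auto_delegation, realname, displayname, username, email, pw, status, hash_id, created, last_update, updater_id, bi, userlevel) VALUES (:temp_pw, :pw_changed, :o1, :o2, :o3, :about_me, 1, 0, :realname, :displayname, :username, :email, :password, :status, :hash_id, NOW(), NOW(), :updater_id, :bi, :userlevel)');
 // bind all VALUES
@@ -2213,7 +2187,6 @@ public function addUser($realname, $displayname, $username, $email = "", $passwo
 $this->db->bind(':email', $this->crypt->encrypt($email));
 $this->db->bind(':about_me', $this->crypt->encrypt($about_me));
 $this->db->bind(':password', $hash);
-$this->db->bind(':bi', $bi);
 $this->db->bind(':userlevel', $userlevel);
 $this->db->bind(':status', $status);
 // generate unique hash for this user
@@ -2355,14 +2328,25 @@ public function editUser($user_id, $realname, $displayname, $username, $email, $
 $user_id = $this->converters->checkUserId($user_id); // checks user id and converts user id to db user id if necessary (when user hash id was passed)
 $status = intval($status);
 
+$temp_user = $this->checkUserExistsByUsername($username, $email); // check username in db
+// if there's more users with the new email/username, or if the new email/username belong to another user
+if ($temp_user['count'] > 1 || $temp_user['data'] != $user_id) {
+$this->syslog->addSystemEvent(1, "Error (username or email already exists) while editing user ".$user_id." by ".$updater_id, 0, "", 1);
+$returnvalue['success'] = false; // set return value
+$returnvalue['error_code'] = 2; // error code
+$returnvalue['data'] = false; // returned data
+$returnvalue['count'] = 0; // returned count of datasets
+return $returnvalue;
+}
+
 $stmt = $this->db->query('UPDATE ' . $this->db->au_users_basedata . ' SET userlevel = :userlevel, realname = :realname , displayname= :displayname, username= :username, about_me= :about_me, position= :position, email = :email, last_update= NOW(), updater_id= :updater_id, status= :status WHERE id= :userid');
 // bind all VALUES
-$this->db->bind(':username', $this->crypt->encrypt($username));
-$this->db->bind(':realname', $this->crypt->encrypt($realname));
-$this->db->bind(':about_me', $this->crypt->encrypt($about_me));
-$this->db->bind(':displayname', $this->crypt->encrypt($displayname));
-$this->db->bind(':position', $this->crypt->encrypt($position));
-$this->db->bind(':email', $this->crypt->encrypt($email));
+$this->db->bind(':username', trim($username));
+$this->db->bind(':realname', trim($realname));
+$this->db->bind(':about_me', trim($about_me));
+$this->db->bind(':displayname', trim($displayname));
+$this->db->bind(':position', trim($position));
+$this->db->bind(':email', strtolower(trim($email)));
 $this->db->bind(':updater_id', $updater_id); // id of the user doing the update (i.e. admin)
 $this->db->bind(':userlevel', $userlevel); // user level (10 default)
 $this->db->bind(':status', $status); // user level (10 default)
@@ -2374,28 +2358,23 @@ public function editUser($user_id, $realname, $displayname, $username, $email, $
 $action = $this->db->execute(); // do the query
 $this->downgradeUserRoles($user_id, $userlevel);
 } catch (Exception $e) {
-
 $err = true;
 }
+
 if (!$err) {
 $this->syslog->addSystemEvent(0, "Edited user " . $user_id . " by " . $updater_id, 0, "", 1);
 $returnvalue['success'] = true; // set return value
 $returnvalue['error_code'] = 0; // error code
 $returnvalue['data'] = intval($this->db->rowCount()); // returned data
 $returnvalue['count'] = 1; // returned count of datasets
-
 return $returnvalue;
-
-
 } else {
 //$this->syslog->addSystemEvent(1, "Error while editing user ".$user_id." by ".$updater_id, 0, "", 1);
 $returnvalue['success'] = false; // set return value
 $returnvalue['error_code'] = 1; // error code
 $returnvalue['data'] = false; // returned data
 $returnvalue['count'] = 0; // returned count of datasets
-
 return $returnvalue;
-
 }
 }// end function
 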
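Review bot: The addUser hunk removes `$this->db->bind(':bi', $bi)` together with the `$bi` computation, but the INSERT shown as context just above the bind block still lists the `bi` column and the `:bi` placeholder, so the statement is left with an unbound token and PDO rejects it at execute() (bound-parameter/token count mismatch) — every addUser call fails until `bi` and `:bi` are dropped from the INSERT or a value is still bound. The new editUser guard has a logic error as well: when the requested username/email is unused, checkUserExistsByUsername returns `'data' => false`, and the loose `false != $user_id` is true for every non-zero id, so a legitimate rename is refused as a duplicate; use `if ($temp_user['count'] > 1 || ($temp_user['count'] == 1 && (int)$temp_user['data'] !== (int)$user_id)) {`. Note also that editUser now stores `username`, `email`, `about_me` and the other fields in plaintext while addUser (context lines in its bind hunk) still writes `$this->crypt->encrypt($email)` and `encrypt($about_me)`, and the duplicate lookup compares plaintext `email = :email`; unless `encrypt` is a no-op, the two writers disagree on at-rest format and the email uniqueness check cannot match rows created by addUser. Finally, uniqueness that rests on the table's case-insensitive collation (the comment in checkUserExistsByUsername) silently breaks under a `_bin` collation; lowering both sides, e.g. `LOWER(username) = :username` bound with `strtolower(trim($username))`, makes the intent explicit and portable.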
