Merge pull request #174 from TheSerapher/issue-147

Issue 147
2013-06-13 02:39:23 -07:00 · 2013-06-13 02:39:23 -07:00 · 8c01351b76
commit 8c01351b76
parent 10a13f3eaf 44851e35df
17 changed files with 231 additions and 163 deletions
--- a/public/include/classes/statistics.class.php
+++ b/public/include/classes/statistics.class.php
@ -185,7 +185,8 @@ class Statistics {
    $stmt = $this->mysqli->prepare("
      SELECT
        a.id AS id,
-        a.admin as admin,
+        a.is_admin as is_admin,
        a.is_locked as is_locked,
        a.username AS username,
        a.donate_percent AS donate_percent,
        a.email AS email,
--- a/public/include/classes/user.class.php
+++ b/public/include/classes/user.class.php
@ -36,7 +36,10 @@ class User {
    return $this->getSingle($username, 'email', 'username', 's');
  }
  public function getUserAdmin($id) {
-    return $this->getSingle($id, 'admin', 'id');
+    return $this->getSingle($id, 'is_admin', 'id');
  }
  public function getUserLocked($id) {
    return $this->getSingle($id, 'is_locked', 'id');
  }
  public function getUserToken($id) {
    return $this->getSingle($id, 'token', 'id');
@ -44,9 +47,27 @@ class User {
  public function getIdFromToken($token) {
    return $this->getSingle($token, 'id', 'token', 's');
  }
  public function isLocked($id) {
    return $this->getUserLocked($id);
  }
  public function isAdmin($id) {
-    if ($this->getUserAdmin($id) == 1) return true;
+    return $this->getUserAdmin($id);
-    return false;
+  }
  public function changeLocked($id) {
    $field = array(
      'name' => 'is_locked',
      'type' => 'i',
      'value' => !$this->isLocked($id)
    );
    return $this->updateSingle($id, $field);
  }
  public function changeAdmin($id) {
    $field = array(
      'name' => 'is_admin',
      'type' => 'i',
      'value' => !$this->isAdmin($id)
    );
    return $this->updateSingle($id, $field);
  }
  public function setUserToken($id) {
@ -79,10 +100,15 @@ class User {
  public function checkLogin($username, $password) {
    $this->debug->append("STA " . __METHOD__, 4);
    $this->debug->append("Checking login for $username with password $password", 2);
    if ($this->isLocked($this->getUserId($username))) {
      $this->setErrorMessage("Account is locked. Please contact site support.");
      return false;
    }
    if ( $this->checkUserPassword($username, $password)) {
      $this->createSession($username);
      return true;
    }
    $this->setErrorMessage("Invalid username or password");
    return false;
  }
@ -300,7 +326,7 @@ class User {
  private function checkUserPassword($username, $password) {
    $this->debug->append("STA " . __METHOD__, 4);
    $user = array();
-    $stmt = $this->mysqli->prepare("SELECT username, id, admin FROM $this->table WHERE username=? AND pass=? LIMIT 1");
+    $stmt = $this->mysqli->prepare("SELECT username, id, is_admin FROM $this->table WHERE username=? AND pass=? LIMIT 1");
    if ($this->checkStmt($stmt)) {
      $stmt->bind_param('ss', $username, hash('sha256', $password.$this->salt));
      $stmt->execute();
@ -308,7 +334,7 @@ class User {
      $stmt->fetch();
      $stmt->close();
      // Store the basic login information
-      $this->user = array('username' => $row_username, 'id' => $row_id, 'admin' => $row_admin);
+      $this->user = array('username' => $row_username, 'id' => $row_id, 'is_admin' => $row_admin);
      return $username === $row_username;
    }
    return false;
@ -337,7 +363,8 @@ class User {
    $this->debug->append("STA " . __METHOD__, 4);
    session_destroy();
    session_regenerate_id(true);
-    return true;
+    // Enforce a page reload
    header("Location: index.php");
  }
  /**
@ -359,7 +386,7 @@ class User {
    $this->debug->append("Fetching user information for user id: $userID");
    $stmt = $this->mysqli->prepare("
      SELECT
-      id, username, pin, api_key, admin, email,
+      id, username, pin, api_key, is_admin, email,
      IFNULL(donate_percent, '0') as donate_percent, coin_address, ap_threshold
      FROM $this->table
      WHERE id = ? LIMIT 0,1");
@ -417,7 +444,7 @@ class User {
        ");
    } else {
      $stmt = $this->mysqli->prepare("
-        INSERT INTO $this->table (username, pass, email, pin, api_key, admin)
+        INSERT INTO $this->table (username, pass, email, pin, api_key, is_admin)
        VALUES (?, ?, ?, ?, ?, 1)
        ");
    }
@ -505,6 +532,22 @@ class User {
      }
    return false;
  }
  /**
   * Check if a user is authenticated and allowed to login
   * Checks the $_SESSION for existing data
   * Destroys the session if account is now locked
   * @param none
   * @return bool
   **/
  public function isAuthenticated() {
    $this->debug->append("STA " . __METHOD__, 4);
    if ($_SESSION['AUTHENTICATED'] == true && ! $this->isLocked($_SESSION['USERDATA']['id']))
      return true;
    // Catchall
    $this->logoutUser();
    return false;
  }
 }
 // Make our class available automatically
--- a/public/include/pages/account.inc.php
+++ b/public/include/pages/account.inc.php
@ -1,13 +1,10 @@
 <?php
 // Make sure we are called from index.php
-if (!defined('SECURITY'))
+if (!defined('SECURITY')) die('Hacking attempt');
    die('Hacking attempt');
 if (!$_SESSION['AUTHENTICATED']) {
  header('Location: index.php?page=home');
 }
 if ($user->isAuthenticated()) {
  // Tempalte specifics
  $smarty->assign("CONTENT", "default.tpl");
 }
 ?>
--- a/public/include/pages/account/edit.inc.php
+++ b/public/include/pages/account/edit.inc.php
@ -4,10 +4,7 @@
 if (!defined('SECURITY'))
  die('Hacking attempt');
-if (!$_SESSION['AUTHENTICATED']) {
+if ($user->isAuthenticated()) {
  header('Location: index.php?page=home');
 }
  if ( ! $user->checkPin($_SESSION['USERDATA']['id'], $_POST['authPin']) && $_POST['do']) {
    $_SESSION['POPUP'][] = array('CONTENT' => 'Invalid PIN','TYPE' => 'errormsg');
  } else {
@ -79,6 +76,7 @@ if ( ! $user->checkPin($_SESSION['USERDATA']['id'], $_POST['authPin']) && $_POST
      break;
    }
  }
 }
 // Tempalte specifics
 $smarty->assign("CONTENT", "default.tpl");
--- a/public/include/pages/account/notifications.inc.php
+++ b/public/include/pages/account/notifications.inc.php
@ -2,8 +2,7 @@
 // Make sure we are called from index.php
 if (!defined('SECURITY')) die('Hacking attempt');
-if (!$_SESSION['AUTHENTICATED']) header('Location: index.php?page=home');
+if ($user->isAuthenticated()) {
  if ($_REQUEST['do'] == 'save') {
    if ($notification->updateSettings($_SESSION['USERDATA']['id'], $_REQUEST['data'])) {
      $_SESSION['POPUP'][] = array('CONTENT' => 'Updated notification settings');
@ -22,4 +21,5 @@ $aSettings = $notification->getNotificationSettings($_SESSION['USERDATA']['id'])
  $smarty->assign('NOTIFICATIONS', $aNotifications);
  $smarty->assign('SETTINGS', $aSettings);
  $smarty->assign('CONTENT', 'default.tpl');
 }
 ?>
--- a/public/include/pages/account/transactions.inc.php
+++ b/public/include/pages/account/transactions.inc.php
@ -2,11 +2,10 @@
 // Make sure we are called from index.php
 if (!defined('SECURITY')) die('Hacking attempt');
-if (!$_SESSION['AUTHENTICATED']) header('Location: index.php?page=home');
+if (!$user->isAuthenticated()) {
  $aTransactions = $transaction->getTransactions($_SESSION['USERDATA']['id']);
  if (!$aTransactions) $_SESSION['POPUP'][] = array('CONTENT' => 'Could not find any transaction', 'TYPE' => 'errormsg');
  $smarty->assign('TRANSACTIONS', $aTransactions);
  $smarty->assign('CONTENT', 'default.tpl');
 }
 ?>
--- a/public/include/pages/account/workers.inc.php
+++ b/public/include/pages/account/workers.inc.php
@ -2,8 +2,8 @@
 // Make sure we are called from index.php
 if (!defined('SECURITY')) die('Hacking attempt');
 if (!$_SESSION['AUTHENTICATED']) header('Location: index.php?page=home');
 if ($user->isAuthenticated()) {
  switch ($_REQUEST['do']) {
  case 'delete':
    if ($worker->deleteWorker($_SESSION['USERDATA']['id'], $_GET['id'])) {
@ -33,4 +33,5 @@ if (!$aWorkers) $_SESSION['POPUP'][] = array('CONTENT' => 'You have no workers c
  $smarty->assign('CONTENT', 'default.tpl');
  $smarty->assign('WORKERS', $aWorkers);
 }
 ?>
--- a/public/include/pages/admin.inc.php
+++ b/public/include/pages/admin.inc.php
@ -1,13 +1,12 @@
 <?php
 // Make sure we are called from index.php
-if (!defined('SECURITY'))
+if (!defined('SECURITY')) die('Hacking attempt');
    die('Hacking attempt');
 // Check user to ensure they are admin
-if (!$user->isAdmin($_SESSION['USERDATA']['id'])) {
+if (!$user->isAuthenticated() || !$user->isAdmin($_SESSION['USERDATA']['id'])) {
  header("HTTP/1.1 404 Page not found");
-  die();
+  die("404 Page not found");
 }
 // Tempalte specifics
--- a/public/include/pages/admin/user.inc.php
+++ b/public/include/pages/admin/user.inc.php
@ -1,17 +1,28 @@
 <?php
 // Make sure we are called from index.php
-if (!defined('SECURITY'))
+if (!defined('SECURITY')) die('Hacking attempt');
    die('Hacking attempt');
 // Check user to ensure they are admin
-if (!$user->isAdmin($_SESSION['USERDATA']['id'])) {
+if (!$user->isAuthenticated() || !$user->isAdmin($_SESSION['USERDATA']['id'])) {
  header("HTTP/1.1 404 Page not found");
-  die();
+  die("404 Page not found");
 }
 $aRoundShares = $statistics->getRoundShares();
 // Change account lock
 if ($_POST['do'] == 'lock') {
  $supress_master = 1;
  $user->changeLocked($_POST['account_id']);
 }
 // Change account admin
 if ($_POST['do'] == 'admin') {
  $supress_master = 1;
  $user->changeAdmin($_POST['account_id']);
 }
 if ($_POST['query']) {
  // Fetch requested users
  $aUsers = $statistics->getAllUserStats($_POST['query']);
--- a/public/include/pages/admin/wallet.inc.php
+++ b/public/include/pages/admin/wallet.inc.php
@ -1,13 +1,12 @@
 <?php
 // Make sure we are called from index.php
-if (!defined('SECURITY'))
+if (!defined('SECURITY')) die('Hacking attempt');
    die('Hacking attempt');
 // Check user to ensure they are admin
-if (!$user->isAdmin($_SESSION['USERDATA']['id'])) {
+if (!$user->isAuthenticated() || !$user->isAdmin($_SESSION['USERDATA']['id'])) {
  header("HTTP/1.1 404 Page not found");
-  die();
+  die("404 Page not found");
 }
 if ($bitcoin->can_connect() === true){
--- a/public/include/pages/login.inc.php
+++ b/public/include/pages/login.inc.php
@ -7,7 +7,7 @@ if (!defined('SECURITY'))
 if ( $user->checkLogin($_POST['username'],$_POST['password']) ) {
  header('Location: index.php?page=home');
 } else {
-  $_SESSION['POPUP'][] = array('CONTENT' => 'Invalid username or password', 'TYPE' => 'errormsg');
+  $_SESSION['POPUP'][] = array('CONTENT' => 'Unable to login: '. $user->getError(), 'TYPE' => 'errormsg');
 }
 $smarty->assign('CONTENT', 'default.tpl');
 ?>
--- a/public/include/pages/statistics/blocks.inc.php
+++ b/public/include/pages/statistics/blocks.inc.php
@ -1,9 +1,8 @@
 <?php
 // Make sure we are called from index.php
-if (!defined('SECURITY'))
+if (!defined('SECURITY')) die('Hacking attempt');
-    die('Hacking attempt');
+if (!$user->isAuthenticated()) header("Location: index.php?page=home");
 // Grab the last blocks found
 $iLimit = 30;
@ -14,9 +13,5 @@ $aBlockData = $aBlocksFoundData[0];
 $smarty->assign("BLOCKSFOUND", $aBlocksFoundData);
 $smarty->assign("BLOCKLIMIT", $iLimit);
 if ($_SESSION['AUTHENTICATED']) {
 $smarty->assign("CONTENT", "blocks_found.tpl");
 } else {
  $smarty->assign("CONTENT", "default.tpl");
 }
 ?>
--- a/public/include/pages/statistics/pool.inc.php
+++ b/public/include/pages/statistics/pool.inc.php
@ -50,7 +50,7 @@ $smarty->assign("LASTBLOCK", $aBlockData['height']);
 $smarty->assign("DIFFICULTY", $dDifficulty);
 $smarty->assign("REWARD", $config['reward']);
-if ($_SESSION['AUTHENTICATED']) {
+if ($user->isAuthenticated()) {
  $smarty->assign("CONTENT", "authenticated.tpl");
 } else {
  $smarty->assign("CONTENT", "../default.tpl");
--- a/public/include/pages/statistics/user.inc.php
+++ b/public/include/pages/statistics/user.inc.php
@ -4,12 +4,10 @@
 if (!defined('SECURITY'))
    die('Hacking attempt');
 if ($user->isAuthenticated()) {
  $aHourlyHashRates = $statistics->getHourlyHashrateByAccount($_SESSION['USERDATA']['id']);
  // Propagate content our template
  $smarty->assign("YOURHASHRATES", $aHourlyHashRates);
 if ($_SESSION['AUTHENTICATED']) {
  $smarty->assign("CONTENT", "default.tpl");
 }
 ?>
--- a/public/templates/mmcFE/admin/user/default.tpl
+++ b/public/templates/mmcFE/admin/user/default.tpl
@ -1,5 +1,22 @@
 <script language="javascript">
    function storeLock(id) {
      $.ajax({
       type: "POST",
       url: "{$smarty.server.PHP_SELF}",
       data: "page={$smarty.request.page}&action={$smarty.request.action}&do=lock&account_id=" + id,
     });
    }
    function storeAdmin(id) {
      $.ajax({
       type: "POST",
       url: "{$smarty.server.PHP_SELF}",
       data: "page={$smarty.request.page}&action={$smarty.request.action}&do=admin&account_id=" + id,
     });
    }
 </script>
 {include file="global/block_header.tpl" BLOCK_HEADER="Query User Database"}
-<form action="{$smarty.server.PHP_SELF}" method="POST">
+<form action="{$smarty.server.PHP_SELF}" method="POST" id='query'>
  <input type="hidden" name="page" value="{$smarty.request.page}">
  <input type="hidden" name="action" value="{$smarty.request.action}">
  <input type="text" class="pin" name="query" value="{$smarty.request.query|default:"%"}">
@ -23,6 +40,7 @@
      <th class="right">Est. Payout&nbsp;&nbsp;&nbsp;</th>
      <th class="right">Balance&nbsp;&nbsp;&nbsp;</th>
      <th class="center">Admin</th>
      <th class="center">Locked</th>
    </tr>
  </thead>
  <tbody>
@ -37,7 +55,14 @@
      <td class="right">{$USERS[user].payout.est_payout|number_format:"8"}</td>
      <td class="right">{$USERS[user].balance|number_format:"8"}</td>
      <td class="center">
-        <img src="{$PATH}/images/{if $USERS[user].admin}success{else}error{/if}.gif" />
+        <input type="hidden" name="admin[{$USERS[user].id}]" value="0"/>
        <input type="checkbox" onclick="storeAdmin({$USERS[user].id})" name="admin[{$USERS[user].id}]" value="1" id="admin[{$USERS[user].id}]" {if $USERS[user].is_admin}checked{/if} />
        <label for="admin[{$USERS[user].id}]"></label>
      </td>
      <td class="center">
        <input type="hidden" name="locked[{$USERS[user].id}]" value="0"/>
        <input type="checkbox" onclick="storeLock({$USERS[user].id})" name="locked[{$USERS[user].id}]" value="1" id="locked[{$USERS[user].id}]" {if $USERS[user].is_locked}checked{/if} />
        <label for="locked[{$USERS[user].id}]"></label>
      </td>
    </tr>
 {sectionelse}
--- a/public/templates/mmcFE/global/navigation.tpl
+++ b/public/templates/mmcFE/global/navigation.tpl
@ -11,7 +11,7 @@
              </ul>
            </li>
            {/if}
-            {if $smarty.session.AUTHENTICATED|default:"0" == 1 && $GLOBAL.userdata.admin == 1}
+            {if $smarty.session.AUTHENTICATED|default:"0" == 1 && $GLOBAL.userdata.is_admin == 1}
            <li><a href="{$smarty.server.PHP_SELF}?page=admin">Admin Panel</a>
              <ul>
                <li><a href="{$smarty.server.PHP_SELF}?page=admin&action=user">User Info</a></li>
--- a/sql/issue_147_accounts_upgrade.sql
+++ b/sql/issue_147_accounts_upgrade.sql
@ -0,0 +1,2 @@
 ALTER TABLE  `accounts` ADD  `is_locked` BOOLEAN NOT NULL DEFAULT FALSE AFTER  `email` ;
 ALTER TABLE  `accounts` CHANGE  `admin`  `is_admin` BOOLEAN NOT NULL DEFAULT FALSE ;
		`@ -0,0 +1,2 @@`
							ALTER TABLE `accounts` ADD `is_locked` BOOLEAN NOT NULL DEFAULT FALSE AFTER `email` ;
							ALTER TABLE `accounts` CHANGE `admin` `is_admin` BOOLEAN NOT NULL DEFAULT FALSE ;