Merge pull request #174 from TheSerapher/issue-147

Issue 147

public/include/classes/statistics.class.php

@@ -185,7 +185,8 @@ class Statistics {
     $stmt = $this->mysqli->prepare("
       SELECT
         a.id AS id,
-        a.admin as admin,
+        a.is_admin as is_admin,
+        a.is_locked as is_locked,
         a.username AS username,
         a.donate_percent AS donate_percent,
         a.email AS email,

public/include/classes/user.class.php

@@ -36,7 +36,10 @@ class User {
     return $this->getSingle($username, 'email', 'username', 's');
   }
   public function getUserAdmin($id) {
-    return $this->getSingle($id, 'admin', 'id');
+    return $this->getSingle($id, 'is_admin', 'id');
+  }
+  public function getUserLocked($id) {
+    return $this->getSingle($id, 'is_locked', 'id');
   }
   public function getUserToken($id) {
     return $this->getSingle($id, 'token', 'id');
@@ -44,9 +47,27 @@ class User {
   public function getIdFromToken($token) {
     return $this->getSingle($token, 'id', 'token', 's');
   }
+  public function isLocked($id) {
+    return $this->getUserLocked($id);
+  }
   public function isAdmin($id) {
-    if ($this->getUserAdmin($id) == 1) return true;
+    return $this->getUserAdmin($id);
-    return false;
+  }
+  public function changeLocked($id) {
+    $field = array(
+      'name' => 'is_locked',
+      'type' => 'i',
+      'value' => !$this->isLocked($id)
+    );
+    return $this->updateSingle($id, $field);
+  }
+  public function changeAdmin($id) {
+    $field = array(
+      'name' => 'is_admin',
+      'type' => 'i',
+      'value' => !$this->isAdmin($id)
+    );
+    return $this->updateSingle($id, $field);
   }
 
   public function setUserToken($id) {
@@ -79,10 +100,15 @@ class User {
   public function checkLogin($username, $password) {
     $this->debug->append("STA " . __METHOD__, 4);
     $this->debug->append("Checking login for $username with password $password", 2);
-    if ( $this->checkUserPassword($username, $password) ) {
+    if ($this->isLocked($this->getUserId($username))) {
+      $this->setErrorMessage("Account is locked. Please contact site support.");
+      return false;
+    }
+    if ( $this->checkUserPassword($username, $password)) {
       $this->createSession($username);
       return true;
     }
+    $this->setErrorMessage("Invalid username or password");
     return false;
   }
 
@@ -300,7 +326,7 @@ class User {
   private function checkUserPassword($username, $password) {
     $this->debug->append("STA " . __METHOD__, 4);
     $user = array();
-    $stmt = $this->mysqli->prepare("SELECT username, id, admin FROM $this->table WHERE username=? AND pass=? LIMIT 1");
+    $stmt = $this->mysqli->prepare("SELECT username, id, is_admin FROM $this->table WHERE username=? AND pass=? LIMIT 1");
     if ($this->checkStmt($stmt)) {
       $stmt->bind_param('ss', $username, hash('sha256', $password.$this->salt));
       $stmt->execute();
@@ -308,7 +334,7 @@ class User {
       $stmt->fetch();
       $stmt->close();
       // Store the basic login information
-      $this->user = array('username' => $row_username, 'id' => $row_id, 'admin' => $row_admin);
+      $this->user = array('username' => $row_username, 'id' => $row_id, 'is_admin' => $row_admin);
       return $username === $row_username;
     }
     return false;
@@ -337,7 +363,8 @@ class User {
     $this->debug->append("STA " . __METHOD__, 4);
     session_destroy();
     session_regenerate_id(true);
-    return true;
+    // Enforce a page reload
+    header("Location: index.php");
   }
 
   /**
@@ -359,7 +386,7 @@ class User {
     $this->debug->append("Fetching user information for user id: $userID");
     $stmt = $this->mysqli->prepare("
       SELECT
-      id, username, pin, api_key, admin, email,
+      id, username, pin, api_key, is_admin, email,
       IFNULL(donate_percent, '0') as donate_percent, coin_address, ap_threshold
       FROM $this->table
       WHERE id = ? LIMIT 0,1");
@@ -417,7 +444,7 @@ class User {
         ");
     } else {
       $stmt = $this->mysqli->prepare("
-        INSERT INTO $this->table (username, pass, email, pin, api_key, admin)
+        INSERT INTO $this->table (username, pass, email, pin, api_key, is_admin)
         VALUES (?, ?, ?, ?, ?, 1)
         ");
     }
@@ -505,6 +532,22 @@ class User {
       }
     return false;
   }
+
+  /**
+   * Check if a user is authenticated and allowed to login
+   * Checks the $_SESSION for existing data
+   * Destroys the session if account is now locked
+   * @param none
+   * @return bool
+   **/
+  public function isAuthenticated() {
+    $this->debug->append("STA " . __METHOD__, 4);
+    if ($_SESSION['AUTHENTICATED'] == true && ! $this->isLocked($_SESSION['USERDATA']['id']))
+      return true;
+    // Catchall
+    $this->logoutUser();
+    return false;
+  }
 }
 
 // Make our class available automatically

public/include/pages/account.inc.php

@@ -1,13 +1,10 @@
 <?php
 
 // Make sure we are called from index.php
-if (!defined('SECURITY'))
+if (!defined('SECURITY')) die('Hacking attempt');
-    die('Hacking attempt');
 
-if (!$_SESSION['AUTHENTICATED']) {
+if ($user->isAuthenticated()) {
-  header('Location: index.php?page=home');
+  // Tempalte specifics
+  $smarty->assign("CONTENT", "default.tpl");
 }
-
-// Tempalte specifics
-$smarty->assign("CONTENT", "default.tpl");
 ?>

public/include/pages/account/edit.inc.php

@@ -4,13 +4,10 @@
 if (!defined('SECURITY'))
   die('Hacking attempt');
 
-if (!$_SESSION['AUTHENTICATED']) {
+if ($user->isAuthenticated()) {
-  header('Location: index.php?page=home');
+  if ( ! $user->checkPin($_SESSION['USERDATA']['id'], $_POST['authPin']) && $_POST['do']) {
-}
-
-if ( ! $user->checkPin($_SESSION['USERDATA']['id'], $_POST['authPin']) && $_POST['do']) {
     $_SESSION['POPUP'][] = array('CONTENT' => 'Invalid PIN','TYPE' => 'errormsg');
-} else {
+  } else {
     switch ($_POST['do']) {
     case 'cashOut':
       if ($setting->getValue('manual_payout_active') == 1) {
@@ -78,6 +75,7 @@ if ( ! $user->checkPin($_SESSION['USERDATA']['id'], $_POST['authPin']) && $_POST
       }
       break;
     }
+  }
 }
 
 // Tempalte specifics

public/include/pages/account/notifications.inc.php

@@ -2,24 +2,24 @@
 
 // Make sure we are called from index.php
 if (!defined('SECURITY')) die('Hacking attempt');
-if (!$_SESSION['AUTHENTICATED']) header('Location: index.php?page=home');
+if ($user->isAuthenticated()) {
-
+  if ($_REQUEST['do'] == 'save') {
-if ($_REQUEST['do'] == 'save') {
     if ($notification->updateSettings($_SESSION['USERDATA']['id'], $_REQUEST['data'])) {
       $_SESSION['POPUP'][] = array('CONTENT' => 'Updated notification settings');
     } else {
       $_SESSION['POPUP'][] = array('CONTENT' => 'Failed to update settings', 'TYPE' => 'errormsg');
     }
+  }
+
+  // Fetch notifications
+  $aNotifications = $notification->getNofifications($_SESSION['USERDATA']['id']);
+  if (!$aNotifications) $_SESSION['POPUP'][] = array('CONTENT' => 'Could not find any notifications', 'TYPE' => 'errormsg');
+
+  // Fetch user notification settings
+  $aSettings = $notification->getNotificationSettings($_SESSION['USERDATA']['id']);
+
+  $smarty->assign('NOTIFICATIONS', $aNotifications);
+  $smarty->assign('SETTINGS', $aSettings);
+  $smarty->assign('CONTENT', 'default.tpl');
 }
-
-// Fetch notifications
-$aNotifications = $notification->getNofifications($_SESSION['USERDATA']['id']);
-if (!$aNotifications) $_SESSION['POPUP'][] = array('CONTENT' => 'Could not find any notifications', 'TYPE' => 'errormsg');
-
-// Fetch user notification settings
-$aSettings = $notification->getNotificationSettings($_SESSION['USERDATA']['id']);
-
-$smarty->assign('NOTIFICATIONS', $aNotifications);
-$smarty->assign('SETTINGS', $aSettings);
-$smarty->assign('CONTENT', 'default.tpl');
 ?>

public/include/pages/account/transactions.inc.php

@@ -2,11 +2,10 @@
 
 // Make sure we are called from index.php
 if (!defined('SECURITY')) die('Hacking attempt');
-if (!$_SESSION['AUTHENTICATED']) header('Location: index.php?page=home');
+if (!$user->isAuthenticated()) {
-
+  $aTransactions = $transaction->getTransactions($_SESSION['USERDATA']['id']);
-$aTransactions = $transaction->getTransactions($_SESSION['USERDATA']['id']);
+  if (!$aTransactions) $_SESSION['POPUP'][] = array('CONTENT' => 'Could not find any transaction', 'TYPE' => 'errormsg');
-if (!$aTransactions) $_SESSION['POPUP'][] = array('CONTENT' => 'Could not find any transaction', 'TYPE' => 'errormsg');
+  $smarty->assign('TRANSACTIONS', $aTransactions);
-
+  $smarty->assign('CONTENT', 'default.tpl');
-$smarty->assign('TRANSACTIONS', $aTransactions);
+}
-$smarty->assign('CONTENT', 'default.tpl');
 ?>

public/include/pages/account/workers.inc.php

@@ -2,35 +2,36 @@
 
 // Make sure we are called from index.php
 if (!defined('SECURITY')) die('Hacking attempt');
-if (!$_SESSION['AUTHENTICATED']) header('Location: index.php?page=home');
 
-switch ($_REQUEST['do']) {
+if ($user->isAuthenticated()) {
-case 'delete':
+  switch ($_REQUEST['do']) {
+  case 'delete':
     if ($worker->deleteWorker($_SESSION['USERDATA']['id'], $_GET['id'])) {
       $_SESSION['POPUP'][] = array('CONTENT' => 'Worker removed');
     } else {
       $_SESSION['POPUP'][] = array('CONTENT' => $worker->getError(), 'TYPE' => 'errormsg');
     }
     break;
-case 'add':
+  case 'add':
     if ($worker->addWorker($_SESSION['USERDATA']['id'], $_POST['username'], $_POST['password'])) {
       $_SESSION['POPUP'][] = array('CONTENT' => 'Worker added');
     } else {
       $_SESSION['POPUP'][] = array('CONTENT' => $worker->getError(), 'TYPE' => 'errormsg');
     }
     break;
-case 'update':
+  case 'update':
     if ($worker->updateWorkers($_SESSION['USERDATA']['id'], $_POST['data'])) {
       $_SESSION['POPUP'][] = array('CONTENT' => 'Worker updated');
     } else {
       $_SESSION['POPUP'][] = array('CONTENT' => $worker->getError(), 'TYPE' => 'errormsg');
     }
     break;
+  }
+
+  $aWorkers = $worker->getWorkers($_SESSION['USERDATA']['id']);
+  if (!$aWorkers) $_SESSION['POPUP'][] = array('CONTENT' => 'You have no workers configured', 'TYPE' => 'errormsg');
+
+  $smarty->assign('CONTENT', 'default.tpl');
+  $smarty->assign('WORKERS', $aWorkers);
 }
-
-$aWorkers = $worker->getWorkers($_SESSION['USERDATA']['id']);
-if (!$aWorkers) $_SESSION['POPUP'][] = array('CONTENT' => 'You have no workers configured', 'TYPE' => 'errormsg');
-
-$smarty->assign('CONTENT', 'default.tpl');
-$smarty->assign('WORKERS', $aWorkers);
 ?>

public/include/pages/admin.inc.php

@@ -1,13 +1,12 @@
 <?php
 
 // Make sure we are called from index.php
-if (!defined('SECURITY'))
+if (!defined('SECURITY')) die('Hacking attempt');
-    die('Hacking attempt');
 
 // Check user to ensure they are admin
-if (!$user->isAdmin($_SESSION['USERDATA']['id'])) {
+if (!$user->isAuthenticated() || !$user->isAdmin($_SESSION['USERDATA']['id'])) {
   header("HTTP/1.1 404 Page not found");
-  die();
+  die("404 Page not found");
 }
 
 // Tempalte specifics

public/include/pages/admin/user.inc.php

@@ -1,17 +1,28 @@
 <?php
 
 // Make sure we are called from index.php
-if (!defined('SECURITY'))
+if (!defined('SECURITY')) die('Hacking attempt');
-    die('Hacking attempt');
 
 // Check user to ensure they are admin
-if (!$user->isAdmin($_SESSION['USERDATA']['id'])) {
+if (!$user->isAuthenticated() || !$user->isAdmin($_SESSION['USERDATA']['id'])) {
   header("HTTP/1.1 404 Page not found");
-  die();
+  die("404 Page not found");
 }
 
 $aRoundShares = $statistics->getRoundShares();
 
+// Change account lock
+if ($_POST['do'] == 'lock') {
+  $supress_master = 1;
+  $user->changeLocked($_POST['account_id']);
+}
+
+// Change account admin
+if ($_POST['do'] == 'admin') {
+  $supress_master = 1;
+  $user->changeAdmin($_POST['account_id']);
+}
+
 if ($_POST['query']) {
   // Fetch requested users
   $aUsers = $statistics->getAllUserStats($_POST['query']);

public/include/pages/admin/wallet.inc.php

@@ -1,13 +1,12 @@
 <?php
 
 // Make sure we are called from index.php
-if (!defined('SECURITY'))
+if (!defined('SECURITY')) die('Hacking attempt');
-    die('Hacking attempt');
 
 // Check user to ensure they are admin
-if (!$user->isAdmin($_SESSION['USERDATA']['id'])) {
+if (!$user->isAuthenticated() || !$user->isAdmin($_SESSION['USERDATA']['id'])) {
   header("HTTP/1.1 404 Page not found");
-  die();
+  die("404 Page not found");
 }
 
 if ($bitcoin->can_connect() === true){

public/include/pages/login.inc.php

@@ -7,7 +7,7 @@ if (!defined('SECURITY'))
 if ( $user->checkLogin($_POST['username'],$_POST['password']) ) {
   header('Location: index.php?page=home');
 } else {
-  $_SESSION['POPUP'][] = array('CONTENT' => 'Invalid username or password', 'TYPE' => 'errormsg');
+  $_SESSION['POPUP'][] = array('CONTENT' => 'Unable to login: '. $user->getError(), 'TYPE' => 'errormsg');
 }
 $smarty->assign('CONTENT', 'default.tpl');
 ?>

public/include/pages/statistics/blocks.inc.php

@@ -1,9 +1,8 @@
 <?php
 
 // Make sure we are called from index.php
-if (!defined('SECURITY'))
+if (!defined('SECURITY')) die('Hacking attempt');
-    die('Hacking attempt');
+if (!$user->isAuthenticated()) header("Location: index.php?page=home");
-
 
 // Grab the last blocks found
 $iLimit = 30;
@@ -14,9 +13,5 @@ $aBlockData = $aBlocksFoundData[0];
 $smarty->assign("BLOCKSFOUND", $aBlocksFoundData);
 $smarty->assign("BLOCKLIMIT", $iLimit);
 
-if ($_SESSION['AUTHENTICATED']) {
+$smarty->assign("CONTENT", "blocks_found.tpl");
-  $smarty->assign("CONTENT", "blocks_found.tpl");
-} else {
-  $smarty->assign("CONTENT", "default.tpl");
-}
 ?>

public/include/pages/statistics/pool.inc.php

@@ -50,7 +50,7 @@ $smarty->assign("LASTBLOCK", $aBlockData['height']);
 $smarty->assign("DIFFICULTY", $dDifficulty);
 $smarty->assign("REWARD", $config['reward']);
 
-if ($_SESSION['AUTHENTICATED']) {
+if ($user->isAuthenticated()) {
   $smarty->assign("CONTENT", "authenticated.tpl");
 } else {
   $smarty->assign("CONTENT", "../default.tpl");

public/include/pages/statistics/user.inc.php

@@ -4,12 +4,10 @@
 if (!defined('SECURITY'))
     die('Hacking attempt');
 
-$aHourlyHashRates = $statistics->getHourlyHashrateByAccount($_SESSION['USERDATA']['id']);
+if ($user->isAuthenticated()) {
-
+  $aHourlyHashRates = $statistics->getHourlyHashrateByAccount($_SESSION['USERDATA']['id']);
-// Propagate content our template
+  // Propagate content our template
-$smarty->assign("YOURHASHRATES", $aHourlyHashRates);
+  $smarty->assign("YOURHASHRATES", $aHourlyHashRates);
-
-if ($_SESSION['AUTHENTICATED']) {
   $smarty->assign("CONTENT", "default.tpl");
 }
 ?>

public/templates/mmcFE/admin/user/default.tpl

@@ -1,5 +1,22 @@
+<script language="javascript">
+    function storeLock(id) {
+      $.ajax({
+       type: "POST",
+       url: "{$smarty.server.PHP_SELF}",
+       data: "page={$smarty.request.page}&action={$smarty.request.action}&do=lock&account_id=" + id,
+     });
+    }
+    function storeAdmin(id) {
+      $.ajax({
+       type: "POST",
+       url: "{$smarty.server.PHP_SELF}",
+       data: "page={$smarty.request.page}&action={$smarty.request.action}&do=admin&account_id=" + id,
+     });
+    }
+</script>
+
 {include file="global/block_header.tpl" BLOCK_HEADER="Query User Database"}
-<form action="{$smarty.server.PHP_SELF}" method="POST">
+<form action="{$smarty.server.PHP_SELF}" method="POST" id='query'>
   <input type="hidden" name="page" value="{$smarty.request.page}">
   <input type="hidden" name="action" value="{$smarty.request.action}">
   <input type="text" class="pin" name="query" value="{$smarty.request.query|default:"%"}">
@@ -23,6 +40,7 @@
       <th class="right">Est. Payout&nbsp;&nbsp;&nbsp;</th>
       <th class="right">Balance&nbsp;&nbsp;&nbsp;</th>
       <th class="center">Admin</th>
+      <th class="center">Locked</th>
     </tr>
   </thead>
   <tbody>
@@ -37,7 +55,14 @@
       <td class="right">{$USERS[user].payout.est_payout|number_format:"8"}</td>
       <td class="right">{$USERS[user].balance|number_format:"8"}</td>
       <td class="center">
-        <img src="{$PATH}/images/{if $USERS[user].admin}success{else}error{/if}.gif" />
+        <input type="hidden" name="admin[{$USERS[user].id}]" value="0"/>
+        <input type="checkbox" onclick="storeAdmin({$USERS[user].id})" name="admin[{$USERS[user].id}]" value="1" id="admin[{$USERS[user].id}]" {if $USERS[user].is_admin}checked{/if} />
+        <label for="admin[{$USERS[user].id}]"></label>
+      </td>
+      <td class="center">
+        <input type="hidden" name="locked[{$USERS[user].id}]" value="0"/>
+        <input type="checkbox" onclick="storeLock({$USERS[user].id})" name="locked[{$USERS[user].id}]" value="1" id="locked[{$USERS[user].id}]" {if $USERS[user].is_locked}checked{/if} />
+        <label for="locked[{$USERS[user].id}]"></label>
       </td>
     </tr>
 {sectionelse}

public/templates/mmcFE/global/navigation.tpl

@@ -11,7 +11,7 @@
               </ul>
             </li>
             {/if}
-            {if $smarty.session.AUTHENTICATED|default:"0" == 1 && $GLOBAL.userdata.admin == 1}
+            {if $smarty.session.AUTHENTICATED|default:"0" == 1 && $GLOBAL.userdata.is_admin == 1}
             <li><a href="{$smarty.server.PHP_SELF}?page=admin">Admin Panel</a>
               <ul>
                 <li><a href="{$smarty.server.PHP_SELF}?page=admin&action=user">User Info</a></li>

sql/issue_147_accounts_upgrade.sql

@@ -0,0 +1,2 @@
+ALTER TABLE  `accounts` ADD  `is_locked` BOOLEAN NOT NULL DEFAULT FALSE AFTER  `email` ;
+ALTER TABLE  `accounts` CHANGE  `admin`  `is_admin` BOOLEAN NOT NULL DEFAULT FALSE ;