Overhaul ability to edit own account

* Restructure account.php to remove redundant code.
* Remove own_account_details().
* Rework logic check to default to no access to account edit form.
* Make default account action viewing account info.

Signed-off-by: canyonknight <canyonknight@gmail.com>
Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de>

3 files changed, 11 insertions, 44 deletions

diff --git a/web/html/account.php b/web/html/account.php
index b0906d91..786ae026 100644
--- a/web/html/account.php
+++ b/web/html/account.php
@@ -50,14 +50,15 @@ if (isset($_COOKIE["AURSID"])) {
 		} else {
 			# double check to make sure logged in user can edit this account
 			#
-			if ($atype == "User" || ($atype == "Trusted User" && $row["AccountType"] == "Developer")) {
-				print __("You do not have permission to edit this account.");
-			} else {
-
+			if ($atype == "Developer" || ($atype == "Trusted User" &&
+				$row["AccountType"] != "Developer") ||
+				($row["ID"] == uid_from_sid($_COOKIE["AURSID"]))) {
 				display_account_form($atype, "UpdateAccount", $row["Username"],
-						$row["AccountType"], $row["Suspended"], $row["Email"],
-						"", "", $row["RealName"], $row["LangPreference"],
-						$row["IRCNick"], $row["PGPKey"], $row["ID"]);
+					$row["AccountType"], $row["Suspended"], $row["Email"],
+					"", "", $row["RealName"], $row["LangPreference"],
+					$row["IRCNick"], $row["PGPKey"], $row["ID"]);
+			} else {
+				print __("You do not have permission to edit this account.");
 			}
 		}
 
@@ -89,24 +90,7 @@ if (isset($_COOKIE["AURSID"])) {
 			search_accounts_form();
 
 		} else {
-			# A normal user, give them the ability to edit
-			# their own account
-			#
-			$row = own_account_details($_COOKIE["AURSID"]);
-			if (empty($row)) {
-				print __("Could not retrieve information for the specified user.");
-			} else {
-				# don't need to check if they have permissions, this is a
-				# normal user editing themselves.
-				#
-				print __("Use this form to update your account.");
-				print "<br />";
-				print __("Leave the password fields blank to keep your same password.");
-				display_account_form($atype, "UpdateAccount", $row["Username"],
-						$row["AccountType"], $row["Suspended"], $row["Email"],
-						"", "", $row["RealName"], $row["LangPreference"],
-						$row["IRCNick"], $row["PGPKey"], $row["ID"]);
-			}
+			print __("You are not allowed to access this area.");
 		}
 	}
 
diff --git a/web/html/index.php b/web/html/index.php
index 0e368834..70698a44 100644
--- a/web/html/index.php
+++ b/web/html/index.php
@@ -60,8 +60,9 @@ if (isset($tokens[1]) && '/' . $tokens[1] == get_pkg_route()) {
 			} else {
 				$_REQUEST['Action'] = "AccountInfo";
 			}
+		} else {
+			$_REQUEST['Action'] = "AccountInfo";
 		}
-
 	}
 	include get_route('/' . $tokens[1]);
 } elseif (get_route($path) !== NULL) {
diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php
index 7471d06b..ed2c7c6d 100644
--- a/web/lib/acctfuncs.inc.php
+++ b/web/lib/acctfuncs.inc.php
@@ -719,24 +719,6 @@ function account_details($uid, $username, $dbh=NULL) {
 	return $row;
 }
 
-function own_account_details($sid, $dbh=NULL) {
-	if(!$dbh) {
-		$dbh = db_connect();
-	}
-	$q = "SELECT Users.*, AccountTypes.AccountType ";
-	$q.= "FROM Users, AccountTypes, Sessions ";
-	$q.= "WHERE AccountTypes.ID = Users.AccountTypeID ";
-	$q.= "AND Users.ID = Sessions.UsersID ";
-	$q.= "AND Sessions.SessionID = " . $dbh->quote($sid);
-	$result = $dbh->query($q);
-
-	if ($result) {
-		$row = $result->fetch(PDO::FETCH_ASSOC);
-	}
-
-	return $row;
-}
-
 function tu_voted($voteid, $uid, $dbh=NULL) {
 	if (!$dbh) {
 		$dbh = db_connect();