-rw-r--r--web/html/account.php7
-rw-r--r--web/lib/acctfuncs.inc.php32
-rw-r--r--web/lib/aur.inc.php2
-rw-r--r--web/template/pkg_details.php4
4 files changed, 30 insertions, 15 deletions
diff --git a/web/html/account.php b/web/html/account.php
index cccdd76c..2133734c 100644
--- a/web/html/account.php
+++ b/web/html/account.php
@@ -48,11 +48,8 @@ if (isset($_COOKIE["AURSID"])) {
if (empty($row)) {
print __("Could not retrieve information for the specified user.");
} else {
- # double check to make sure logged in user can edit this account
- #
- if ($atype == "Developer" || ($atype == "Trusted User" &&
- $row["AccountType"] != "Developer") ||
- ($row["ID"] == uid_from_sid($_COOKIE["AURSID"]))) {
+ /* Verify user has permission to edit the account */
+ if (can_edit_account($atype, $row, uid_from_sid($_COOKIE["AURSID"]))) {
display_account_form($atype, "UpdateAccount", $row["Username"],
$row["AccountType"], $row["Suspended"], $row["Email"],
"", "", $row["RealName"], $row["LangPreference"],
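Review bot: The new guard calls `can_edit_account($atype, $row, uid_from_sid($_COOKIE["AURSID"]))`, but no definition of that helper appears anywhere in this patch, so either it already exists in acctfuncs.inc.php or the page will fail on an undefined function at this line; confirm it is defined and that it still covers the three cases the removed inline check encoded (a Developer, a Trusted User editing a non-Developer account, and a user editing their own account). A short docblock on the helper listing those three rules would keep the authorisation logic reviewable in one place rather than split between the call site and an opaque name. The enclosing `else` branch continues outside the hunk.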
diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php
index a41659ee..3759c63e 100644
--- a/web/lib/acctfuncs.inc.php
+++ b/web/lib/acctfuncs.inc.php
@@ -229,6 +229,8 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="",
$q.= ", AccountTypeID = ".intval($T);
}
if ($S) {
+ /* Ensure suspended users can't keep an active session */
+ delete_user_sessions($UID, $dbh);
$q.= ", Suspended = 1";
} else {
$q.= ", Suspended = 0";
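Review bot: `delete_user_sessions($UID, $dbh)` runs before the UPDATE that persists `Suspended = 1` is executed, so if that later `$dbh->exec($q)` fails the user's sessions are already gone while the account is left unsuspended, and a successful path deletes sessions of an account that is, for a moment, still active. Moving the call into the success branch after the UPDATE, e.g. `if ($S) { delete_user_sessions($UID, $dbh); }` next to the "successfully modified" message, keeps the two effects in the intended order; a transaction around both would be the stricter option. `$UID` is presumably assigned earlier in process_account_form, which starts outside the hunk.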
@@ -246,7 +248,7 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="",
$q.= " WHERE ID = ".intval($UID);
$result = $dbh->exec($q);
if (!$result) {
- print __("Error trying to modify account, %s%s%s.",
+ print __("No changes were made to the account, %s%s%s.",
"<strong>", htmlspecialchars($U,ENT_QUOTES), "</strong>");
} else {
print __("The account, %s%s%s, has been successfully modified.",
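Review bot: `if (!$result)` cannot tell a failed statement from one that changed nothing: `PDO::exec()` returns `false` on error but `0` when the UPDATE matched no rows or left every column unchanged, and with the new wording both cases now print "No changes were made", which hides genuine database errors from the administrator. Testing `if ($result === false)` for the error path with a distinct message, and keeping the "No changes" wording for `$result === 0`, preserves the improvement without losing the error report; this only matters if the connection is not in `PDO::ERRMODE_EXCEPTION` mode, which is not visible here. process_account_form starts and ends outside the hunk.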
@@ -480,12 +482,12 @@ function try_login($dbh=NULL) {
*
* The username must be longer or equal to USERNAME_MIN_LEN. It must be shorter
* or equal to USERNAME_MAX_LEN. It must start and end with either a letter or
- * a number. It can contain one period, hypen, or underscore. Returns username
- * if it meets all of those rules.
+ * a number. It can contain one period, hypen, or underscore. Returns boolean
+ * of whether name is valid.
*
* @param string $user Username to validate
*
- * @return string|void Return username if it meets criteria, otherwise void
+ * @return bool True if username meets criteria, otherwise false
*/
function valid_username($user) {
if (!empty($user)) {
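Review bot: Switching valid_username() from returning the username to returning a bool (the `return true;` and `return false;` lines in the next hunk) changes the function's contract for any caller that assigned the result, such as `$U = valid_username($U);`, which would now carry `true` into the query; no call sites are visible in this patch, so confirm every caller tests the result rather than reusing it. While the docblock is being rewritten, "hypen" on the context line should read "hyphen". The body of valid_username continues past the end of this hunk.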
@@ -500,13 +502,12 @@ function valid_username($user) {
# contain only letters and numbers,
# and at most has one dash, period, or underscore
if ( preg_match("/^[a-z0-9]+[.\-_]?[a-z0-9]+$/", $user) ) {
- #All is good return the username
- return $user;
+ return true;
}
}
}
- return;
+ return false;
}
/**
@@ -798,6 +799,23 @@ function delete_session_id($sid, $dbh=NULL) {
}
/**
+ * Remove all sessions belonging to a particular user
+ *
+ * @param int $uid ID of user to remove all sessions for
+ * @param \PDO $dbh An already established database connection
+ *
+ * @return void
+ */
+function delete_user_sessions($uid, $dbh=NULL) {
+ if (!$dbh) {
+ $dbh = db_connect();
+ }
+
+ $q = "DELETE FROM Sessions WHERE UsersID = " . intval($uid);
+ $dbh->exec($q);
+}
+
+/**
* Remove sessions from the database that have exceed the timeout
*
* @global int $LOGIN_TIMEOUT Time until session expires
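Review bot: The return value of `$dbh->exec($q)` in delete_user_sessions is discarded, so a DELETE that fails leaves the suspended user's sessions alive while the caller in process_account_form goes on to report the account as modified. Returning it, `return $dbh->exec($q);`, lets the caller check for `false`, and the docblock would then read `@return int|false Number of sessions removed, or false on failure` instead of `@return void`. The `intval($uid)` interpolation matches the file's existing query style and is not injectable, though a prepared statement with a `?` placeholder would be the more defensive form if the file moves that way.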
diff --git a/web/lib/aur.inc.php b/web/lib/aur.inc.php
index 9317ec94..d8c5cb49 100644
--- a/web/lib/aur.inc.php
+++ b/web/lib/aur.inc.php
@@ -94,7 +94,7 @@ function check_sid($dbh=NULL) {
* @return bool True if the CSRF token is the same as the cookie SID, otherwise false
*/
function check_token() {
- if (isset($_POST['token'])) {
+ if (isset($_POST['token']) && isset($_COOKIE['AURSID'])) {
return ($_POST['token'] == $_COOKIE['AURSID']);
} else {
return false;
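Review bot: The comparison on the context line, `$_POST['token'] == $_COOKIE['AURSID']`, is loose, so numeric-looking strings are compared by value rather than byte-for-byte, and for the CSRF check a strict comparison is wanted; `return hash_equals((string) $_COOKIE['AURSID'], (string) $_POST['token']);` gives both strict and constant-time matching on PHP 5.6+, or `===` if the project targets an older runtime. The added `isset($_COOKIE['AURSID'])` guard is correct, since it removes the undefined-index notice and the `null == ...` path when no session cookie is present.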
diff --git a/web/template/pkg_details.php b/web/template/pkg_details.php
index b5d8a9f6..09734485 100644
--- a/web/template/pkg_details.php
+++ b/web/template/pkg_details.php
@@ -137,7 +137,7 @@ if ($row["SubmitterUID"]):
<td><?= htmlspecialchars($submitter) ?></td>
<?php endif; ?>
<?php else: ?>
- <td>None</td>
+ <td><?= __('None') ?></td>
<?php endif; ?>
</tr>
<tr>
@@ -155,7 +155,7 @@ if ($row["MaintainerUID"]):
<td><?= htmlspecialchars($maintainer) ?></td>
<?php endif; ?>
<?php else: ?>
- <td>None</td>
+ <td><?= __('None') ?></td>
<?php endif; ?>
</tr>
<tr>