summaryrefslogtreecommitdiffstats
path: root/web/lib
diff options
context:
space:
mode:
Diffstat (limited to 'web/lib')
-rw-r--r--web/lib/acctfuncs.inc.php32
-rw-r--r--web/lib/aur.inc.php2
2 files changed, 26 insertions, 8 deletions
diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php
index a41659ee..3759c63e 100644
--- a/web/lib/acctfuncs.inc.php
+++ b/web/lib/acctfuncs.inc.php
@@ -229,6 +229,8 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="",
$q.= ", AccountTypeID = ".intval($T);
}
if ($S) {
+ /* Ensure suspended users can't keep an active session */
+ delete_user_sessions($UID, $dbh);
$q.= ", Suspended = 1";
} else {
$q.= ", Suspended = 0";
@@ -246,7 +248,7 @@ function process_account_form($UTYPE,$TYPE,$A,$U="",$T="",$S="",$E="",
$q.= " WHERE ID = ".intval($UID);
$result = $dbh->exec($q);
if (!$result) {
- print __("Error trying to modify account, %s%s%s.",
+ print __("No changes were made to the account, %s%s%s.",
"<strong>", htmlspecialchars($U,ENT_QUOTES), "</strong>");
} else {
print __("The account, %s%s%s, has been successfully modified.",
@@ -480,12 +482,12 @@ function try_login($dbh=NULL) {
*
* The username must be longer or equal to USERNAME_MIN_LEN. It must be shorter
* or equal to USERNAME_MAX_LEN. It must start and end with either a letter or
- * a number. It can contain one period, hypen, or underscore. Returns username
- * if it meets all of those rules.
+ * a number. It can contain one period, hypen, or underscore. Returns boolean
+ * of whether name is valid.
*
* @param string $user Username to validate
*
- * @return string|void Return username if it meets criteria, otherwise void
+ * @return bool True if username meets criteria, otherwise false
*/
function valid_username($user) {
if (!empty($user)) {
@@ -500,13 +502,12 @@ function valid_username($user) {
# contain only letters and numbers,
# and at most has one dash, period, or underscore
if ( preg_match("/^[a-z0-9]+[.\-_]?[a-z0-9]+$/", $user) ) {
- #All is good return the username
- return $user;
+ return true;
}
}
}
- return;
+ return false;
}
/**
@@ -798,6 +799,23 @@ function delete_session_id($sid, $dbh=NULL) {
}
/**
+ * Remove all sessions belonging to a particular user
+ *
+ * @param int $uid ID of user to remove all sessions for
+ * @param \PDO $dbh An already established database connection
+ *
+ * @return void
+ */
+function delete_user_sessions($uid, $dbh=NULL) {
+ if (!$dbh) {
+ $dbh = db_connect();
+ }
+
+ $q = "DELETE FROM Sessions WHERE UsersID = " . intval($uid);
+ $dbh->exec($q);
+}
+
+/**
* Remove sessions from the database that have exceed the timeout
*
* @global int $LOGIN_TIMEOUT Time until session expires
diff --git a/web/lib/aur.inc.php b/web/lib/aur.inc.php
index 9317ec94..d8c5cb49 100644
--- a/web/lib/aur.inc.php
+++ b/web/lib/aur.inc.php
@@ -94,7 +94,7 @@ function check_sid($dbh=NULL) {
* @return bool True if the CSRF token is the same as the cookie SID, otherwise false
*/
function check_token() {
- if (isset($_POST['token'])) {
+ if (isset($_POST['token']) && isset($_COOKIE['AURSID'])) {
return ($_POST['token'] == $_COOKIE['AURSID']);
} else {
return false;