150 lines
4.8 KiB
PHP
150 lines
4.8 KiB
PHP
<?php
|
|
|
|
/*
|
|
* Copyright 2016 Lukas Metzger <developer@lukas-metzger.com>.
|
|
*
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
* you may not use this file except in compliance with the License.
|
|
* You may obtain a copy of the License at
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
* See the License for the specific language governing permissions and
|
|
* limitations under the License.
|
|
*/
|
|
|
|
require_once '../config/config-default.php';
|
|
require_once '../lib/database.php';
|
|
require_once '../lib/session.php';
|
|
|
|
$input = json_decode(file_get_contents('php://input'));
|
|
|
|
if(!isset($input->csrfToken) || $input->csrfToken !== $_SESSION['csrfToken']) {
|
|
echo "Permission denied!";
|
|
exit();
|
|
}
|
|
|
|
if(!isset($_SESSION['type']) || $_SESSION['type'] != "admin") {
|
|
echo "Permission denied!";
|
|
exit();
|
|
}
|
|
|
|
if(isset($input->action) && $input->action == "addUser") {
|
|
$passwordHash = password_hash($input->password, PASSWORD_DEFAULT);
|
|
|
|
$db->beginTransaction();
|
|
|
|
$stmt = $db->prepare("INSERT INTO \"user\"(name,password,type) VALUES (:name,:password,:type)");
|
|
|
|
$stmt->bindValue(':name', $input->name, PDO::PARAM_STR);
|
|
$stmt->bindValue(':password', $passwordHash, PDO::PARAM_STR);
|
|
$stmt->bindValue(':type', $input->type, PDO::PARAM_STR);
|
|
$stmt->execute();
|
|
|
|
$stmt = $db->prepare("SELECT MAX(id) FROM \"user\" WHERE name=:name AND password=:password AND type=:type");
|
|
$stmt->bindValue(':name', $input->name, PDO::PARAM_STR);
|
|
$stmt->bindValue(':password', $passwordHash, PDO::PARAM_STR);
|
|
$stmt->bindValue(':type', $input->type, PDO::PARAM_STR);
|
|
$stmt->execute();
|
|
$newUserId = $stmt->fetchColumn();
|
|
|
|
$db->commit();
|
|
|
|
$retval = Array();
|
|
$retval['newId'] = $newUserId;
|
|
}
|
|
|
|
if(isset($input->action) && $input->action == "getUserData") {
|
|
$stmt = $db->prepare("SELECT name,type FROM \"user\" WHERE id=:id LIMIT 1");
|
|
$stmt->bindValue(':id', $input->id, PDO::PARAM_INT);
|
|
$stmt->execute();
|
|
$stmt->bindColumn('name', $userName);
|
|
$stmt->bindColumn('type', $userType);
|
|
$stmt->fetch(PDO::FETCH_BOUND);
|
|
|
|
$retval = Array();
|
|
$retval['name'] = $userName;
|
|
$retval['type'] = $userType;
|
|
}
|
|
|
|
if(isset($input->action) && $input->action == "saveUserChanges") {
|
|
if(isset($input->password)) {
|
|
$passwordHash = password_hash($input->password, PASSWORD_DEFAULT);
|
|
$stmt = $db->prepare("UPDATE \"user\" SET name=:name,password=:password,type=:type WHERE id=:id");
|
|
$stmt->bindValue(':name', $input->name, PDO::PARAM_STR);
|
|
$stmt->bindValue(':password', $passwordHash, PDO::PARAM_STR);
|
|
$stmt->bindValue(':type', $input->type, PDO::PARAM_STR);
|
|
$stmt->bindValue(':id', $input->id, PDO::PARAM_INT);
|
|
$stmt->execute();
|
|
} else {
|
|
$stmt = $db->prepare("UPDATE \"user\" SET name=:name,type=:type WHERE id=:id");
|
|
$stmt->bindValue(':name', $input->name, PDO::PARAM_STR);
|
|
$stmt->bindValue(':type', $input->type, PDO::PARAM_STR);
|
|
$stmt->bindValue(':id', $input->id, PDO::PARAM_INT);
|
|
$stmt->execute();
|
|
}
|
|
}
|
|
|
|
if(isset($input->action) && $input->action == "getPermissions") {
|
|
|
|
$stmt = $db->prepare("
|
|
SELECT D.id,D.name
|
|
FROM permissions P
|
|
JOIN domains D ON P.domain=D.id
|
|
WHERE P.\"user\"=:user
|
|
");
|
|
|
|
$stmt->bindValue(':user', $input->id, PDO::PARAM_INT);
|
|
$stmt->execute();
|
|
|
|
$retval = Array();
|
|
|
|
while($obj = $stmt->fetchObject()) {
|
|
$retval[] = $obj;
|
|
}
|
|
}
|
|
|
|
if(isset($input->action) && $input->action == "removePermission") {
|
|
|
|
$stmt = $db->prepare("DELETE FROM permissions WHERE \"user\"=:user AND domain=:domain");
|
|
|
|
$stmt->bindValue(':user', $input->userId, PDO::PARAM_INT);
|
|
$stmt->bindValue(':domain', $input->domainId, PDO::PARAM_INT);
|
|
$stmt->execute();
|
|
}
|
|
|
|
if(isset($input->action) && $input->action == "searchDomains" && isset($input->term)) {
|
|
$stmt = $db->prepare("SELECT id,name AS text FROM domains WHERE name LIKE :name AND id NOT IN(SELECT domain FROM permissions WHERE \"user\"=:user)");
|
|
|
|
$searchTerm = "%" . $input->term . "%";
|
|
|
|
$stmt->bindValue(':name', $searchTerm, PDO::PARAM_STR);
|
|
$stmt->bindValue(':user', $input->userId, PDO::PARAM_INT);
|
|
$stmt->execute();
|
|
|
|
$retval = Array();
|
|
|
|
while($obj = $stmt->fetchObject()) {
|
|
$retval[] = $obj;
|
|
}
|
|
}
|
|
|
|
if(isset($input->action) && $input->action == "addPermissions") {
|
|
$stmt = $db->prepare("INSERT INTO permissions(\"user\",domain) VALUES (:user,:domain)");
|
|
|
|
foreach($input->domains as $domain) {
|
|
$stmt->bindValue(':user', $input->userId, PDO::PARAM_INT);
|
|
$stmt->bindValue(':domain', $domain, PDO::PARAM_INT);
|
|
$stmt->execute();
|
|
}
|
|
}
|
|
|
|
if(isset($retval)) {
|
|
echo json_encode($retval);
|
|
} else {
|
|
echo "{}";
|
|
}
|