Merge pull request #2 from lilfade/dev

Updates

account/groups.php

@@ -0,0 +1,132 @@
+<?php
+/*
+
+UserFrosting Version: 0.1
+By Alex Weissman
+Copyright (c) 2014
+
+Based on the UserCake user management system, v2.0.2.
+Copyright (c) 2009-2012
+
+UserFrosting, like UserCake, is 100% free and open-source.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the 'Software'), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
+
+*/
+
+require_once("../models/config.php");
+
+if (!securePage($_SERVER['PHP_SELF'])){
+  // Forward to index page
+  addAlert("danger", "Whoops, looks like you don't have permission to view that page.");
+  header("Location: index.php");
+  exit();
+}
+
+setReferralPage($_SERVER['PHP_SELF']);
+?>
+<!DOCTYPE html>
+<html lang="en">
+  <head>
+    <meta charset="utf-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <meta name="description" content="">
+    <meta name="author" content="">
+
+    <title>UserFrosting Admin - Groups</title>
+
+	<?php require_once("includes.php");  ?>
+
+	<!-- Page Specific Plugins -->
+	<link rel="stylesheet" href="../css/bootstrap-switch.min.css" type="text/css" />
+
+	<script src="../js/bootstrap-switch.min.js"></script>
+	<script src="../js/jquery.tablesorter.js"></script>
+	<script src="../js/tables.js"></script>
+
+  </head>
+
+  <body>
+
+    <div id="wrapper">
+
+      <!-- Sidebar -->
+      <nav class="navbar navbar-inverse navbar-fixed-top" role="navigation">
+      </nav>
+
+      <div id="page-wrapper">
+	  	<div class="row">
+          <div id='display-alerts' class="col-lg-12">
+
+          </div>
+        </div>
+		<h1>Group Settings</h1>
+		<div class='row'>
+		<div class='col-lg-6'>
+		<div class='panel panel-primary'>
+		  <div class='panel-heading'>
+		  <h3 class='panel-title'>Permission Groups</h3>
+		  </div>
+		  <div class='panel-body'>
+			<ul id='permission-groups' class="list-group">
+			</ul>
+		  <button type='button' class='btn btn-primary addPermission'><i class='fa fa-plus-square'></i>  Add Permission Group</button>
+		  </div>
+		  </div>
+		</div>
+            <div id='info' class='col-lg-6'>
+                <p>{information for groups here}</p>
+            </div>
+		</div>
+		</div>
+        </div>
+	<script>
+        $(document).ready(function() {
+          // Get id of the logged in user to determine how to render this page.
+          var user = loadCurrentUser();
+          var user_id = user['user_id'];
+
+          // Load the header
+          $('.navbar').load('header.php', function() {
+			$('.navitem-groups').addClass('active');
+          });
+		  // Load permissions
+		  loadPermissions('permission-groups');
+
+		  // Bind permission delete and add buttons
+		  $('.addPermission').on('click', function(){
+			if ($('#permission-groups').has("input").length == 0) {
+			  $("<li class='list-group-item'><div class='row'><div class='col-lg-6'><input autofocus class='form-control' name='new_permission'/></div></div></li>")
+			  .appendTo('#permission-groups');
+			}
+			$('#permission-groups input').focus();
+
+			// Bind entering a value
+			$('#permission-groups input').blur(function(){
+			  // Submit to processing form
+			  addNewPermission($('#permission-groups input').val());
+			});
+		  });
+
+		  //alertWidget('display-alerts');
+
+		});
+	</script>
+  </body>
+</html>
+

account/site_settings.php

@@ -53,11 +53,11 @@
 	<?php require_once("includes.php");  ?>
 
 	<!-- Page Specific Plugins -->
-	<link rel="stylesheet" href="css/bootstrap-switch.min.css" type="text/css" />
+	<link rel="stylesheet" href="../css/bootstrap-switch.min.css" type="text/css" />
 
-	<script src="js/bootstrap-switch.min.js"></script>
-	<script src="js/jquery.tablesorter.js"></script>
-	<script src="js/tables.js"></script>
+	<script src="../js/bootstrap-switch.min.js"></script>
+	<script src="../js/jquery.tablesorter.js"></script>
+	<script src="../js/tables.js"></script>
 
   </head>
 
@@ -83,7 +83,7 @@
 			<h3 class='panel-title'>Configuration</h3>
 		  </div>
 		  <div class='panel-body'>
-			<form class='form-horizontal' role='form' name='adminConfiguration' action='update_site_settings.php' method='post'>
+			<form class='form-horizontal' role='form' name='adminConfiguration' action='../api/update_site_settings.php' method='post'>
 			<div class="form-group">
 			  <label for="inputWebsiteName" class="col-sm-4 control-label">Site Name</label>
 			  <div class="col-sm-8">
@@ -151,22 +151,8 @@
 		</div>
 
 		<div class='col-lg-6'>
-		<div class='panel panel-primary'>
-		  <div class='panel-heading'>
-		  <h3 class='panel-title'>Permission Groups</h3>
-		  </div>
-		  <div class='panel-body'>
-			<ul id='permission-groups' class="list-group">
-			</ul>
-		  <button type='button' class='btn btn-primary addPermission'><i class='fa fa-plus-square'></i>  Add Permission Group</button>
-		  </div>
-
-		  </div>
-		</div>
-		</div>
-		</div>
+		<p>{Information for settings here}</p>
 	  </div>
-	</div>
 	<script>
         $(document).ready(function() {
           // Get id of the logged in user to determine how to render this page.
@@ -180,7 +166,7 @@
 
 		  $("form[name='adminConfiguration']").submit(function(e){
 			var form = $(this);
-			var url = 'update_site_settings.php';
+			var url = '../api/update_site_settings.php';
 			$.ajax({  
 			  type: "POST",  
 			  url: url,  
@@ -205,7 +191,7 @@
 
 		  // Load and initialize fields
 		  $('#regbox input[type="checkbox"]').bootstrapSwitch();
-		  var url = "load_site_settings.php";
+		  var url = "../api/load_site_settings.php";
 		  $.getJSON( url, {})
 		  .fail(function(result) {
 			addAlert("danger", "Oops, looks like our server might have goofed.  If you're an admin, please check the PHP error logs.");
@@ -254,24 +240,6 @@
 
 			}
 		  });
-		  // Load permissions
-		  loadPermissions('permission-groups');
-
-		  // Bind permission delete and add buttons
-		  $('.addPermission').on('click', function(){
-			if ($('#permission-groups').has("input").length == 0) {
-			  $("<li class='list-group-item'><div class='row'><div class='col-lg-6'><input autofocus class='form-control' name='new_permission'/></div></div></li>")
-			  .appendTo('#permission-groups');
-			}
-			$('#permission-groups input').focus();
-
-			// Bind entering a value
-			$('#permission-groups input').blur(function(){
-			  // Submit to processing form
-			  addNewPermission($('#permission-groups input').val());
-			});
-		  });
-
 		  //alertWidget('display-alerts');
 
 		});

account/user_details.php

@@ -31,15 +31,21 @@
 
 require_once("../models/config.php");
 
+// Recommended admin-only access
 if (!securePage($_SERVER['PHP_SELF'])){
-  // Forward to index page
-  addAlert("danger", "Whoops, looks like you don't have permission to view that page.");
-  header("Location: index.php");
-  exit();
+    addAlert("danger", "Whoops, looks like you don't have permission to update a user.");
+    if (isset($_POST['ajaxMode']) and $_POST['ajaxMode'] == "true" ){
+        echo json_encode(array("errors" => 1, "successes" => 0));
+    } else {
+        header("Location: " . getReferralPage());
+    }
+    exit();
 }
 
+$validator = new Validator();
+
 // Look up specified user
-$selected_user_id = $_GET['id'];
+$selected_user_id = $validator->requiredGetVar('id');
 
 if (!is_numeric($selected_user_id) || !userIdExists($selected_user_id)){
 	addAlert("danger", "I'm sorry, the user id you specified is invalid!");

api/delete_user_dialog.php

@@ -31,10 +31,10 @@
 
 // Request method: GET
 
-require_once("models/config.php");
-if (!securePage($_SERVER['PHP_SELF'])){
-    // Generate AJAX error
-    addAlert("danger", "Whoops, looks like you don't have permission to access this component.");
+require_once("../models/config.php");
+// User must be logged in
+if (!isUserLoggedIn()){
+    addAlert("danger", "You must be logged in to access this resource.");
     echo json_encode(array("errors" => 1, "successes" => 0));
     exit();
 }
@@ -58,6 +58,5 @@
         <button type="button" class="btn btn-default btn-lg btn-block" data-dismiss='modal'>Cancel</button>
       </div>
     </div>
-    </div>
   </div><!-- /.modal-content -->
 </div><!-- /.modal-dialog -->

api/load_form_user.php

@@ -40,6 +40,8 @@
   exit();
 }
 
+$validator = new Validator();
+
 // TODO: move this to a secured function
 
 // Parameters: box_id, render_mode, [user_id, show_dates, disabled]
@@ -86,12 +88,13 @@ function optionalBooleanGetVar($var_name, $default_value){
     } else
         return $default_value;
 }
-
+
+$userid = $validator->requiredGetVar('user_id');
 // Create appropriate labels
-if (isset($_GET['user_id']) and is_numeric($_GET['user_id'])){
+if (isset($userid) and is_numeric($userid)){
     $populate_fields = true;
     $button_submit_text = "Update user";
-    $user_id = htmlentities($_GET['user_id']);
+    $user_id = htmlentities($userid);
     $target = "update_user.php";
     $box_title = "Update User";
     $username_disable_str = "disabled";

api/update_site_settings.php

@@ -28,35 +28,36 @@
 THE SOFTWARE.
 
 */
-require_once("models/config.php");
+require_once("../models/config.php");
 
 set_error_handler('logAllErrors');
 
-// Recommended admin-only access
-if (!securePage($_SERVER['PHP_SELF'])){
-  addAlert("danger", "Whoops, looks like you don't have permission to update the site settings.");
-  if (isset($_POST['ajaxMode']) and $_POST['ajaxMode'] == "true" ){
-	echo json_encode(array("errors" => 1, "successes" => 0));
-  } else {
-	header("Location: " . getReferralPage());
-  }
-  exit();
+// User must be logged in
+if (!isUserLoggedIn()){
+    addAlert("danger", "You must be logged in to access this resource.");
+    echo json_encode(array("errors" => 1, "successes" => 0));
+    exit();
 }
 
+$validator = new Validator();
 //Forms posted
-if(!empty($_POST))
+if (isset($_POST)){
+    $posted = $_POST;
+}
+
+if(!empty($posted))
 {
-	$newSettings = $_POST;
-	$newWebsiteName = requiredPostVar('website_name');
-	$newWebsiteUrl = requiredPostVar('website_url');
+	$newSettings = $posted;
+	$newWebsiteName = $validator->requiredPostVar('website_name');
+	$newWebsiteUrl = $validator->requiredPostVar('website_url');
 	// Append a slash to the end, if not present
 	if (substr($newWebsiteUrl, -1) != "/"){
 	  $newWebsiteUrl = $newWebsiteUrl . "/";
 	  $newSettings['website_url'] = $newWebsiteUrl;
 	}
 
-	$newEmail = requiredPostVar('email');
-	$newTitle = requiredPostVar('new_user_title');
+	$newEmail = $validator->requiredPostVar('email');
+	$newTitle = $validator->requiredPostVar('new_user_title');
 	if (isset($newSettings['activation'])){
 		$newActivation = $newSettings['activation'];
 	} else {
@@ -69,8 +70,8 @@
 		$newSettings['can_register'] = $newRegistration = "0";
 	}
 	$newResend_activation_threshold = requiredPostVar('resend_activation_threshold');
-	$newLanguage = requiredPostVar('language');
-	$newTemplate = requiredPostVar('template');
+	$newLanguage = $validator->requiredPostVar('language');
+	$newTemplate = $validator->requiredPostVar('template');
 
 	//Validate new site name
 	if ($newWebsiteName != $websiteName) {