From 21b9e12b3e6e7fb92e4754ea51de9592cf7ec075 Mon Sep 17 00:00:00 2001
From: Faris AL-Otaibi
Date: Wed, 27 Jul 2022 16:15:57 +0300
Subject: [PATCH] Bug Fixes: In the admin and in the singup function
---
 uploady/admin/users/actions/delete.php | 4 +++
 uploady/admin/users/actions/update.php | 17 ++++------
 uploady/admin/users/edit.php | 2 +-
 uploady/admin/users/logic/addLogic.php | 6 ++--
 uploady/admin/users/logic/editLogic.php | 4 +++
 uploady/admin/users/logic/viewLogic.php | 4 +++
 uploady/admin/users/view.php | 43 ++++++++++++++++++++++++-
 uploady/logic/signupLogic.php | 6 ++--
 uploady/src/Uploady/Utils.php | 4 ---
 9 files changed, 69 insertions(+), 21 deletions(-)
diff --git a/uploady/admin/users/actions/delete.php b/uploady/admin/users/actions/delete.php
index 1027dae..ec4bb66 100755
--- a/uploady/admin/users/actions/delete.php
+++ b/uploady/admin/users/actions/delete.php
@@ -1,8 +1,12 @@
checkToken($_POST['csrf'], $_SESSION['csrf'])) {
 foreach ($_POST['userid'] as $id) {
+ if ($data->id == $id) {
+ $utils->redirect($utils->siteUrl('/admin/users/view.php?msg=forbidden'));
+ }
 $user->deleteUser((int) $id);
 }
diff --git a/uploady/admin/users/actions/update.php b/uploady/admin/users/actions/update.php
index 77330ec..1ede4b7 100755
--- a/uploady/admin/users/actions/update.php
+++ b/uploady/admin/users/actions/update.php
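Review bot: The self-deletion guard added inside the `foreach` in delete.php runs one id at a time, so every user listed before the current account's id has already been deleted by the time the redirect fires, and unless `$utils->redirect()` terminates the script (not visible here) the loop simply continues and deletes the current account as well. The guard also compares the raw posted value with `==` while `deleteUser()` receives the `(int)` cast, so the two can disagree on a non-numeric string. Check the whole batch before deleting anything, compare on the same cast value, and follow the redirect with `exit;` in case `redirect()` does not. The enclosing `if ($auth->checkToken(...))` block and its closing braces lie outside the hunk; `$data` is presumably the logged-in admin.
```php
    // refuse the whole request before anything is deleted, comparing on the
    // same cast value that deleteUser() receives
    $ids = array_map(static fn ($v): int => (int) $v, (array) $_POST['userid']);
    if (in_array((int) $data->id, $ids, true)) {
        $utils->redirect($utils->siteUrl('/admin/users/view.php?msg=forbidden'));
        exit;
    }
    foreach ($ids as $id) {
        $user->deleteUser($id);
    }
```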
@@ -4,23 +4,18 @@ if ($_SERVER['REQUEST_METHOD'] == "POST") { $msg_code = ""; - if ($auth->checkToken($_POST['csrf'], $_SESSION['csrf']) == false) { - $msg_code = "csrf"; - } else { + if ($auth->checkToken($_POST['csrf'], $_SESSION['csrf'])) { unset($_POST['csrf']); $id = (int) $_POST['id']; - if ($_POST['password'] || $_POST['password'] != "") { + + if (!$_POST['password'] || $_POST['password'] == "") { + unset($_POST['password']); + } else { $password = $utils->sanitize($_POST['password']); $_POST['password'] = password_hash($password, PASSWORD_BCRYPT); - } else { - unset($_POST['password']); } - if ($user->updateUser($id, $utils->esc($_POST))) { - $msg_code = "yes"; - } else { - $msg_code = "error"; - } + $msg_code = $user->updateUser($id, $utils->esc($_POST)) ? "yes" : "error"; } $utils->redirect($utils->siteUrl( diff --git a/uploady/admin/users/edit.php b/uploady/admin/users/edit.php index f849a62..5063a76 100755 --- a/uploady/admin/users/edit.php +++ b/uploady/admin/users/edit.php @@ -34,7 +34,7 @@ alert( - "Account has been created", + "Account has been updated", "success", "check-circle" ); ?> diff --git a/uploady/admin/users/logic/addLogic.php b/uploady/admin/users/logic/addLogic.php index 57140c2..e44cdc6 100755 --- a/uploady/admin/users/logic/addLogic.php +++ b/uploady/admin/users/logic/addLogic.php @@ -1,7 +1,9 @@ generateUserID(true); +$upload->generateUserID(true); + +$user_id = $upload->getUserID(); if ($_SERVER['REQUEST_METHOD'] == 'POST') { if ($auth->checkToken($_POST['csrf'], $_SESSION['csrf'])) { diff --git a/uploady/admin/users/logic/editLogic.php b/uploady/admin/users/logic/editLogic.php index 33df556..de03429 100755 --- a/uploady/admin/users/logic/editLogic.php +++ b/uploady/admin/users/logic/editLogic.php @@ -1,3 +1,7 @@ getUserData($_GET['username']); + +if (isset($_GET['msg'])) { + $msg = $_GET['msg']; +} diff --git a/uploady/admin/users/logic/viewLogic.php b/uploady/admin/users/logic/viewLogic.php index ec3d6c7..648a0f3 100755 
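Review bot: The restructured branch in update.php still hands the entire `$_POST` (minus `csrf`, and `password` when blank) to `$user->updateUser($id, $utils->esc($_POST))`, so any extra field an admin's browser submits is written through; the editable columns should be allow-listed rather than taking whatever arrives. The new emptiness test `!$_POST['password'] || $_POST['password'] == ""` also drops a password of `"0"` because of truthiness, and it raises an undefined-index warning when the field is absent; `isset($_POST['password']) && $_POST['password'] !== ''` covers both. Whether `$utils->sanitize()` should run on a password before hashing is worth confirming too, since any character it strips will not be present at login unless the login path applies the same transformation. The surrounding `if ($_SERVER['REQUEST_METHOD'] == "POST")` block continues past the hunk.
```php
if ($auth->checkToken($_POST['csrf'], $_SESSION['csrf'])) {
    $id = (int) $_POST['id'];
    // only the columns the edit form is meant to change reach updateUser();
    // anything else that was posted is dropped
    $fields = array_intersect_key($_POST, array_flip(['username', 'email', 'is_admin'])); // TODO(review): confirm against the edit form
    if (isset($_POST['password']) && $_POST['password'] !== '') {
        $fields['password'] = password_hash($utils->sanitize($_POST['password']), PASSWORD_BCRYPT);
    }
    $msg_code = $user->updateUser($id, $utils->esc($fields)) ? "yes" : "error";
}
// … unchanged: redirect back to the form …
```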
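Review bot: The `if (isset($_GET['msg'])) { $msg = $_GET['msg']; }` added to editLogic.php (and identically to viewLogic.php in the next hunk) leaves `$msg` undefined whenever the parameter is absent, which is the normal case; the views that compare `$msg` against the status codes will then emit undefined-variable warnings on every plain page load (hedged, since the view conditions are not fully readable in this patch). It also stores an arbitrary query-string value, so if `$msg` is ever echoed later it becomes a reflected-input problem. Both are avoided by accepting only the codes the views know about: `$msg = in_array($_GET['msg'] ?? '', ['yes', 'csrf', 'forbidden', 'error'], true) ? $_GET['msg'] : null;`.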
--- a/uploady/admin/users/logic/viewLogic.php +++ b/uploady/admin/users/logic/viewLogic.php @@ -1,3 +1,7 @@ getUsers(); + +if (isset($_GET['msg'])) { + $msg = $_GET['msg']; +} diff --git a/uploady/admin/users/view.php b/uploady/admin/users/view.php index 85a9689..1bf60ab 100755 --- a/uploady/admin/users/view.php +++ b/uploady/admin/users/view.php @@ -25,12 +25,50 @@ + + + + + alert( + "Account has been updated", + "success", + "check-circle" + ); ?> + + + + alert( + "CSRF token is invalid.", + "danger", + "times-circle" + ); ?> + + + + alert( + "Sorry, but you can't delete yourself!!", + "danger", + "times-circle" + ); ?> + + + + alert( + "An unexpected error has occurred", + "danger", + "times-circle" + ); ?> + + + +
Manager Users
+ input('csrf', $_SESSION['csrf']); ?>
@@ -55,7 +93,10 @@ + diff --git a/uploady/logic/signupLogic.php b/uploady/logic/signupLogic.php index d16c292..09806bd 100755 --- a/uploady/logic/signupLogic.php +++ b/uploady/logic/signupLogic.php @@ -1,5 +1,5 @@ generateUserID(); + $user->createUser([ 'username' => $username, 'email' => $email, 'password' => password_hash($password, PASSWORD_BCRYPT), - 'user_id' => $upload->generateUserID(), + 'user_id' => $upload->getUserID(), 'activation_hash' => $hash, 'is_active' => 0 ]); diff --git a/uploady/src/Uploady/Utils.php b/uploady/src/Uploady/Utils.php index ca4d51c..4c65140 100755 --- a/uploady/src/Uploady/Utils.php +++ b/uploady/src/Uploady/Utils.php @@ -335,10 +335,6 @@ public function script($script_path, $assets = "assets") */ public function esc($data) { - if ($this->data != null) { - $data = $this->data; - } - if (is_string($data)) { if ($this->isEmpty($data)) { return false;
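Review bot: With the `$this->data` override removed from `Utils::esc()`, the method finally escapes the argument it is given, but its contract is still undocumented and the `return false` on an empty string is now the branch callers actually reach — update.php passes the whole `$_POST` through `esc()` into `updateUser()`, so a blank form field may arrive there as `false` rather than `''` (how the non-string branch handles that is outside the hunk). Suggest a docblock above the method stating the input and this result: `@param string|array $data value(s) to escape` and `@return string|array|false the escaped value, or false when a string is empty`, and a `TODO(review)` noting that callers treating `false` as "no change" versus "clear the field" should be checked. The body of `esc()` continues past the end of the hunk.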
id == $data->id) ? 'disabled' : '' ?> /> -
username; ?> + username; ?> email; ?> is_admin ? 'yes' : 'no'; ?>