From 4beabd5df3e194eea19fa893c459b2509412fc66 Mon Sep 17 00:00:00 2001
From: Phyks
Date: Sun, 11 Aug 2013 22:25:25 +0200
Subject: [PATCH] Currency choice in install.php + edit user available
---
TODO | 3 +-
inc/Storage.class.php | 17 +++--
inc/User.class.php | 6 +-
index.php | 62 ++++++++++++++-----
install.php | 6 +-
....36ba0f7e771a8681573a91518b54b424.rtpl.php | 4 +-
tpl/edit_users.html | 11 ++--
tpl/header.html | 4 +-
8 files changed, 78 insertions(+), 35 deletions(-)
diff --git a/TODO b/TODO
index 8b99dd7..28b9cb0 100755
--- a/TODO
+++ b/TODO
@@ -3,6 +3,7 @@
* tokens + ban system
* remember me
* Display names
+* htmlspecialchars
install.php :
=============
@@ -12,5 +13,3 @@ install.php :
index.php :
===========
* Delete user (+ check if not you)
-* Edit user
-* Create user
diff --git a/inc/Storage.class.php b/inc/Storage.class.php
index 35517d5..67233be 100644
--- a/inc/Storage.class.php
+++ b/inc/Storage.class.php
@@ -118,9 +118,12 @@ class Storage {
$i = false;
foreach($this->fields as $field=>$type) {
- if($i) { $query .= ','; } else { $i = true; }
+ if(isset($this->$field))
+ {
+ if($i) { $query .= ','; } else { $i = true; }
- $query .= $field.'=:'.$field;
+ $query .= $field.'=:'.$field;
+ }
}
$query .= ' WHERE id='.$this->id;
@@ -139,9 +142,11 @@ class Storage {
$i = false;
foreach($this->fields as $field=>$type) {
- if($i) { $query .= ','; } else { $i = true; }
+ if(isset($this->$field)) {
+ if($i) { $query .= ','; } else { $i = true; }
- $query .= ':'.$field;
+ $query .= ':'.$field;
+ }
}
$query .= ')';
@@ -151,7 +156,9 @@ class Storage {
$query = $this->connection->prepare($query);
foreach($this->fields as $field=>$type) {
- $query->bindParam(':'.$field, $this->$field);
+ if(!empty($this->$field)) {
+ $query->bindParam(':'.$field, $this->$field);
+ }
}
$query->execute();
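Review bot: The bind loop in this hunk tests `!empty($this->$field)` while the two query-building hunks above (the UPDATE and INSERT field lists) test `isset($this->$field)`, so a field holding `0`, `'0'` or `''` gets a `:field` placeholder in the SQL but is never bound and `execute()` fails with a missing-parameter error. An admin flag of 0 looks like the obvious trigger, since index.php feeds `$_POST['admin']` to `setAdmin()`, though that setter is not visible here. Use the same presence test in all three places: `if(isset($this->$field)) {`. The surrounding save method starts and ends outside these hunks.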
diff --git a/inc/User.class.php b/inc/User.class.php
index 801ffdc..552c779 100644
--- a/inc/User.class.php
+++ b/inc/User.class.php
@@ -72,7 +72,7 @@ class User extends Storage {
public function sessionRestore($data, $serialized = false) {
if($serialized)
- $user_data = unserialize($serialized_data);
+ $user_data = unserialize($data);
else
$user_data = $data;
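Review bot: The corrected `unserialize($data)` is still unchecked; `unserialize()` returns `false` on malformed input, so `$user_data` would then be a boolean for whatever the rest of `sessionRestore()` does with it. A guard after the branch, `if($user_data === false) { return false; }`, keeps the object in a known state, and braces on the `if`/`else` would match the rest of the file. The method body continues past the hunk, so the later handling of `$user_data` is not visible here.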
@@ -87,8 +87,8 @@ class User extends Storage {
$users = $this->load();
foreach($users as $user) {
- $return[0] = new User();
- $return[0]->sessionRestore($user);
+ $return[$user['id']] = new User();
+ $return[$user['id']]->sessionRestore($user);
}
return $return;
}
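Review bot: `$return` is now keyed by `$user['id']`, but nothing in the hunk initialises it, so if `load()` returns no rows and there is no `$return = array();` above the hunk, `load_users()` returns `null` and callers that iterate the result break. Adding `$return = array();` before the `foreach` (if it is not already there) makes the empty-table case return an empty array. The method starts outside this hunk.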
diff --git a/index.php b/index.php
index 88ddca5..b7db423 100644
--- a/index.php
+++ b/index.php
@@ -1,4 +1,5 @@
assign('instance_title', htmlspecialchars(INSTANCE_TITLE));
$tpl->assign('connection', false);
$tpl->assign('notice', '');
$tpl->assign('error', '');
-
+
+ // Handle current user status
session_start();
- $current_user = (isset($_SESSION['current_user']) ? unserialize($_SESSION['current_user']) : false);
- $tpl->assign('admin', ($current_user !== false) ? (int) $current_user['admin'] : 0);
+ $current_user = new User();
+ if(isset($_SESSION['current_user'])) {
+ $current_user->sessionRestore($_SESSION['current_user'], true);
+ }
+ else {
+ $current_user = false;
+ }
+ $tpl->assign('current_user', $current_user);
- $usersManager = new User();
-
- if($current_user === false && (empty($_GET['do']) OR $_GET['do'] != 'connect')) { //If not connected, go to connection page
+ // If not connected, redirect to connection page
+ if($current_user === false && (empty($_GET['do']) OR $_GET['do'] != 'connect')) {
header('location: index.php?do=connect');
}
+ // Initialize empty $_GET['do'] if required to avoid error
if(empty($_GET['do'])) {
$_GET['do'] = '';
}
+ // Check what to do
switch($_GET['do']) {
case 'connect':
- if($current_user !== false) header('location: index.php');
+ if($current_user !== false) {
+ header('location: index.php');
+ }
if(!empty($_POST['login']) && !empty($_POST['password'])) {
- $current_user = new User();
- $current_user->setLogin($_POST['login']);
if($current_user->exists($_POST['login']) && $current_user->checkPassword($_POST['password'])) {
$_SESSION['current_user'] = $current_user->sessionStore();
header('location: index.php');
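Review bot: In the `connect` case, `$current_user` is `false` for a visitor with no session (the new block at the top sets it so), yet the login branch now calls `$current_user->exists()` and `$current_user->checkPassword()` on it after the `$current_user = new User();` line was removed, which is a fatal call on a non-object for exactly the users who need to log in. Re-create the object inside the login branch, `$current_user = new User();` before the `exists()` check, and call `setLogin($_POST['login'])` again if `checkPassword()` relies on it as the removed line suggests. The redirect added for already-connected users also lacks `exit();` after `header('location: index.php');`, so the rest of the case still runs after the header is sent. The redirect-to-connect block above it has the same missing `exit();` but is unchanged context; the `@@ -1,4 +1,5 @@` header also does not match the size of this hunk.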
@@ -56,10 +66,8 @@
case 'password':
if(!empty($_POST['password']) && !empty($_POST['password_confirm'])) {
if($_POST['password'] == $_POST['password_confirm']) {
- $user = new User();
- $user->sessionRestore($current_user, false);
- $user->setPassword($user->encrypt($_POST['password']));
- $user->save();
+ $current_user->setPassword($user->encrypt($_POST['password']));
+ $current_user->save();
header('location: index.php');
exit();
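Review bot: `$user` no longer exists in the `password` case after the four removed lines, so `$user->encrypt($_POST['password'])` is a method call on an undefined variable. The encryption should go through the restored session user: `$current_user->setPassword($current_user->encrypt($_POST['password']));`. The case body continues past the hunk.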
@@ -74,9 +82,25 @@
case 'edit_users':
case 'add_user':
- if(!$current_user['admin']) {
+ if(!$current_user->getAdmin()) {
header('location: index.php');
}
+
+ if(!empty($_POST['login']) && (!empty($_POST['password']) || !empty($_POST['user_id'])) && isset($_POST['admin'])) {
+ $user = new User();
+ if(!empty($_POST['user_id'])) {
+ $user->setId($_POST['user_id']);
+ }
+ $user->setLogin($_POST['login']);
+ if(!empty($_POST['password'])) {
+ $user->setPassword($user->encrypt($_POST['password']));
+ }
+ $user->setAdmin($_POST['admin']);
+ $user->save();
+
+ header('location: index.php?do=edit_users');
+ exit();
+ }
if(!empty($_GET['user_id']) || $_GET['do'] == 'add_user') {
if(!empty($_GET['user_id'])) {
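Review bot: The admin check at the top of `edit_users`/`add_user` sends a `Location` header but does not `exit()`, and the new POST block directly below it creates or updates a user, so a non-admin session that ignores the redirect still reaches `$user->save()`. Add `exit();` right after `header('location: index.php');`. Separately, `$_POST['user_id']` reaches `setId()` unvalidated, and Storage builds the update query with `' WHERE id='.$this->id` concatenated rather than bound, so the id should at least be cast, `$user->setId((int) $_POST['user_id']);`, and likewise `$user->setAdmin((int) $_POST['admin']);`. The case continues past the hunk.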
@@ -91,13 +115,23 @@
else {
$users_list = new User();
$users_list = $users_list->load_users();
+
$tpl->assign('users', $users_list);
$tpl->assign('view', 'list_users');
}
+ $tpl->assign('login_post', (!empty($_POST['login']) ? htmlspecialchars($_POST['login']) : ''));
+ $tpl->assign('admin_post', (isset($_POST['admin']) ? (int) $_POST['admin'] : -1));
$tpl->draw('edit_users');
break;
case 'delete_user':
+ if($_GET['user_id'] != $current_user->getId()) {
+ $user = new User();
+ $user->delete();
+
+ header('location: index.php');
+ exit();
+ }
break;
default:
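Review bot: The new `delete_user` case never tells the User object which row to remove — `$user = new User(); $user->delete();` has no `setId()` — and, unlike `edit_users`, it has no `getAdmin()` check, so any logged-in user reaches it with whatever `delete()` does on an object that carries no id. The `!=` comparison against `$_GET['user_id']` also raises a notice when the parameter is absent. Guard the case the same way `edit_users` is guarded and set the id from the validated parameter, as below; the redirect and `exit()` that follow are unchanged.
```php
case 'delete_user':
    if(!$current_user->getAdmin() || empty($_GET['user_id'])) {
        header('location: index.php');
        exit();
    }
    if((int) $_GET['user_id'] !== (int) $current_user->getId()) {
        $user = new User();
        $user->setId((int) $_GET['user_id']);
        $user->delete();
        // … unchanged: redirect to index.php and exit …
    }
    break;
```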
diff --git a/install.php b/install.php
index bec9eaa..0eed6fb 100644
--- a/install.php
+++ b/install.php
@@ -11,7 +11,7 @@
$block_form = true;
}
- if(!empty($_POST['mysql_host']) && !empty($_POST['mysql_login']) && !empty($_POST['mysql_db']) && !empty($_POST['admin_login']) && !empty($_POST['admin_password'])) {
+ if(!empty($_POST['mysql_host']) && !empty($_POST['mysql_login']) && !empty($_POST['mysql_db']) && !empty($_POST['admin_login']) && !empty($_POST['admin_password']) && !empty($_POST['currency'])) {
$mysql_host = $_POST['mysql_host'];
$mysql_login = $_POST['mysql_login'];
$mysql_db = $_POST['mysql_db'];
@@ -50,7 +50,8 @@
define('MYSQL_PREFIX', '".$mysql_prefix."');
define('INSTANCE_TITLE', '".$instance_title."');
define('BASE_URL', '".$_POST['base_url']."');
- define('SALT', '".$salt."');";
+ define('SALT', '".$salt."');
+ define('CURRENCY', '".$_POST['currency']."');";
if(file_put_contents("inc/config.php", $config)) {
try {
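Review bot: The new `define('CURRENCY', ...)` line writes `$_POST['currency']` verbatim into the generated inc/config.php between single quotes, so a value containing a quote yields a broken config file or PHP source that the installer never intended to emit. Write it as a PHP literal instead: `define('CURRENCY', ".var_export($_POST['currency'], true).");`. The neighbouring `BASE_URL` line has the same shape but is unchanged context, and the first install.php hunk only checks that the field is non-empty.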
@@ -110,6 +111,7 @@
"/>
Note : This is the base URL from which you access this page. You must keep the trailing "/" in the above address.
+