From 983a5d03533edd783b1e2fbc5a39d4fa24f679be Mon Sep 17 00:00:00 2001
From: shr3dd3r
Date: Thu, 31 Aug 2023 23:26:16 +0300
Subject: [PATCH] =?UTF-8?q?=D0=9D=D0=B0=D0=BA=D0=BE=D0=BD=D0=B5=D1=86-?=
 =?UTF-8?q?=D1=82=D0=BE=20=D1=80=D0=B0=D0=B7=D0=BE=D0=B1=D1=80=D0=B0=D0=BB?=
 =?UTF-8?q?=D1=81=D1=8F=20=D1=81=20=D1=81=D0=B5=D1=81=D1=81=D0=B8=D1=8F?=
 =?UTF-8?q?=D0=BC=D0=B8,=20+=D0=BC=D0=B8=D0=BD=D0=BE=D1=80=D0=BD=D1=8B?=
 =?UTF-8?q?=D0=B5=20=D1=84=D0=B8=D0=BA=D1=81=D1=8B?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 api/_auth.php | 26 +++++++++++++++++++-------
 api/user/delete.php | 9 +++++++--
 docs/API.md | 2 +-
 3 files changed, 27 insertions(+), 10 deletions(-)

diff --git a/api/_auth.php b/api/_auth.php
index 04a6bf3..c56375c 100644
--- a/api/_auth.php
+++ b/api/_auth.php
@@ -16,12 +16,15 @@ function EndSession () {
-//session_start();
-// This ^ should be placed at login stage
+// A few tips:
+// session_start() - start OR RESUME session
+// If $_SESSION["userid"] is set - it counted as active login session
+// If its not set - it counted as no login session
+session_start();
 $LOGGED_IN = false;
-if (session_status() == PHP_SESSION_ACTIVE && isset($_SESSION["userid"])) {
+if (session_status() === PHP_SESSION_ACTIVE && isset($_SESSION["userid"])) {
 // If there are active session
 // Check if user still exist
 $s = $db->prepare("SELECT * FROM users WHERE id = ?");
 $s->bind_param("s", $_SESSION["userid"]);
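Review bot: `session_start()` is now called unconditionally with PHP's default cookie settings and its return value is ignored, so the `session_status() === PHP_SESSION_ACTIVE` test two lines below can only be false when the start itself failed, and that failure is then silently treated as "not logged in". Set the cookie flags before starting, e.g. `session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);` (`secure` only if the instance is served over HTTPS), and check the start, `if (!session_start()) { die("ERROR: could not start session"); }`, so the session id is not readable from script and a failed start is visible rather than a silent logout. The users lookup that follows only confirms the id still exists; whatever establishes `$_SESSION["userid"]` at login is outside this hunk and should call `session_regenerate_id(true)` so the pre-login session id is not kept. The `if` block is cut off by the hunk end.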
@@ -32,10 +35,19 @@ if (session_status() == PHP_SESSION_ACTIVE && isset($_SESSION["userid"])) {
 die("user id used in session does not exist");
 }
 $LOGGED_IN = true;
-} elseif (session_status() == PHP_SESSION_ACTIVE && !isset($_SESSION["userid"])) {
- echo "no userid, destroying session";
- EndSession();
- die("no userid in session");
+} elseif (session_status() === PHP_SESSION_DISABLED) { // If sessions are disabled
+ die("ERROR: please enable sessions in php config");
+}
+
+if ($Config["debug"] && isset($_REQUEST["debug"])) { // If there are not any session and debug mode is on
+ // ATTENTION: FOR DEBUG PURPOSES ONLY!
+ if ($_REQUEST["debug"] == "drop") {
+ EndSession();
+ die("session discarded");
+ }
+ $_SESSION["userid"] = intval($_REQUEST["debug"]);
+ print_r(["created_session" => $_SESSION]);
+ die();
 }
 ?>
\ No newline at end of file
diff --git a/api/user/delete.php b/api/user/delete.php
index 430ddcb..105dd61 100644
--- a/api/user/delete.php
+++ b/api/user/delete.php
@@ -8,7 +8,7 @@ require_once("./index.php");
 // Delete existing account
 function User_Delete ($id) {
 global $db;
- $s = $db->prepare("delete from users where id = $id");
+ $s = $db->prepare("delete from users where id = ?");
 $s->bind_param("s", $id);
 return $s->execute() !== false;
 }
@@ -32,11 +32,16 @@ if (ThisFileIsRequested(__FILE__)) {
 ReturnJSONError($Err_RDP_InvalidID, "valid session must be provided");
 }
+ // If its attempt to delete other account
 if (!User_HasRole($_SESSION["userid"], "admin") && $_SESSION["userid"] !== $UserID)
 ReturnJSONError($Err_DP_NotEnoughRole, "you need to be admin to delete other accounts");
 $result = User_Delete($UserID);
- EndSession();
+
+ // If it was self-deletion
+ if ($UserID === $_SESSION["userid"])
+ EndSession();
+
 ReturnJSONData(["success" => $result]);
 }
 ?>
\ No newline at end of file
diff --git a/docs/API.md b/docs/API.md
index babbab8..063f5e3 100644
--- a/docs/API.md
+++ b/docs/API.md
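Review bot: The new debug block turns `$Config["debug"]` into an unauthenticated impersonation path: any request carrying a `debug` parameter (`$_REQUEST`, so query string, body or cookie) gets `$_SESSION["userid"]` set to an arbitrary id with no credential check, no existence check (the users lookup above has already run) and no `session_regenerate_id()`, and `print_r` echoes the whole session to the client. A config boolean is a weak guard because it is routinely left on in staging or forgotten in production; if the block has to stay, bind it to more than a flag (a loopback `REMOTE_ADDR` check, noting that a reverse proxy on the same host defeats it), regenerate the session id before assigning, compare with `===`, and log every use so an audit trail exists. The `elseif (... PHP_SESSION_DISABLED)` branch is also unreachable in practice, because the unconditional `session_start()` above would already have failed; checking the return value of `session_start()` covers that case. The risk is the same one the deleted `user/__admin_session.php` in docs/API.md carried, it has only moved files.
```php
if ($Config["debug"] && isset($_REQUEST["debug"])) { // If there are not any session and debug mode is on
    // ATTENTION: FOR DEBUG PURPOSES ONLY! This grants a session for any user id without
    // credentials; it must never be reachable on a deployed instance.
    if (!in_array($_SERVER["REMOTE_ADDR"] ?? "", ["127.0.0.1", "::1"], true)) {
        die("debug sessions are only allowed from localhost");
    }
    if ($_REQUEST["debug"] === "drop") {
        EndSession();
        die("session discarded");
    }
    session_regenerate_id(true); // never keep the pre-login session id
    $_SESSION["userid"] = intval($_REQUEST["debug"]);
    error_log("DEBUG SESSION created for userid " . $_SESSION["userid"] . " from " . ($_SERVER["REMOTE_ADDR"] ?? "?"));
    print_r(["created_session" => $_SESSION]);
    die();
}
```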
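Review bot: User_Delete reports success for ids that do not exist, because `$s->execute() !== false` is true whenever the statement runs, regardless of rows affected; and if `$db->prepare()` fails it returns `false`, so the following `bind_param` call becomes a fatal error instead of a handled failure. Consider `if ($s === false) return false;` after the prepare and `return $s->execute() !== false && $s->affected_rows > 0;` so the JSON response built from this value distinguishes "deleted" from "nothing matched". The parameterised query is the right replacement for the interpolated id; a `@return bool` docblock stating that `false` means "not deleted or statement failed" would make the contract explicit.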
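Review bot: The new self-deletion test `$UserID === $_SESSION["userid"]` and the existing `!==` admin check above it only work if both operands have the same scalar type, and the visible code stores the id inconsistently: the debug path in api/_auth.php writes an `int` via `intval()`, while the database code binds it as a string (`"s"`). `$UserID` is assigned above this hunk (the enclosing `if (ThisFileIsRequested(__FILE__))` block starts outside it), so if it arrives from the request as a string, a non-admin is refused deletion of their own account and an admin who deletes themself keeps a session for a now-missing user, which, as far as the visible context of _auth.php shows, is then answered with a plain `die()` rather than cleared. Normalise once before both comparisons, e.g. `$isSelf = (string) $UserID === (string) $_SESSION["userid"];`, and use `$isSelf` in both places. Deleting another logged-in user also leaves that user's session alive until their next request; that is pre-existing behaviour, but worth a comment next to the new `EndSession()` condition.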
@@ -18,6 +18,7 @@ Files starting from "_" ("_example.php") are intended for internal use only.
 - _auth.php: things related to authentification
 - _errors.php: error strings
 - _json.php: wrappers for JSON functions
+- _utils.php: random utility functions
 - [ ] stats.php (GET/POST): all general statistics about this instance
@@ -30,7 +31,6 @@ Files starting from "_" ("_example.php") are intended for internal use only.
 - [ ] user/create.php (POST): create new user account
 - [ ] user/edit.php (POST): edit user profile
 - [x] user/delete.php (POST): delete user account
-- [ ] user/__admin_session.php (GET): start debug session as admin
 - [ ] post/ (GET/POST): get single post by id
 - [ ] post/search.php (GET/POST): get list of posts matching the criteria