* Restructure account.php to remove redundant code.
* Remove own_account_details().
* Rework logic check to default to no access to account edit form.
* Make default account action viewing account info.
Signed-off-by: canyonknight <canyonknight@gmail.com>
---
 web/html/account.php | 34 +++++++++-------------------------
 web/html/index.php | 3 ++-
 web/lib/acctfuncs.inc.php | 18 ------------------
 3 files changed, 11 insertions(+), 44 deletions(-)
diff --git a/web/html/account.php b/web/html/account.php
index b0906d9..786ae02 100644
--- a/web/html/account.php
+++ b/web/html/account.php
@@ -50,14 +50,15 @@ if (isset($_COOKIE["AURSID"])) {
 } else {
 # double check to make sure logged in user can edit this account
 #
- if ($atype == "User" || ($atype == "Trusted User" && $row["AccountType"] == "Developer")) {
- print __("You do not have permission to edit this account.");
- } else {
-
+ if ($atype == "Developer" || ($atype == "Trusted User" &&
+ $row["AccountType"] != "Developer") ||
+ ($row["ID"] == uid_from_sid($_COOKIE["AURSID"]))) {
 display_account_form($atype, "UpdateAccount", $row["Username"],
- $row["AccountType"], $row["Suspended"], $row["Email"],
- "", "", $row["RealName"], $row["LangPreference"],
- $row["IRCNick"], $row["PGPKey"], $row["ID"]);
+ $row["AccountType"], $row["Suspended"], $row["Email"],
+ "", "", $row["RealName"], $row["LangPreference"],
+ $row["IRCNick"], $row["PGPKey"], $row["ID"]);
+ } else {
+ print __("You do not have permission to edit this account.");
 }
 }
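Review bot: The third clause of the new condition, `($row["ID"] == uid_from_sid($_COOKIE["AURSID"]))`, compares loosely and does not guard against whatever uid_from_sid() returns for an invalid or expired session, which this hunk does not show. Resolving the session once and comparing normalised values removes both doubts: `$uid = uid_from_sid($_COOKIE["AURSID"]);` ahead of the `if`, and `(!empty($uid) && (string)$row["ID"] === (string)$uid)` in place of the clause. This condition also only gates rendering of the edit form; the `UpdateAccount` handler that receives the submission is outside this hunk and should apply the same Developer / Trusted User / self rule if it does not already, since an ordinary user can now reach `display_account_form($atype, ...)` through the self clause. Keeping the rule in one helper such as `can_edit_account($atype, $row, $uid)` would stop the two sites from drifting apart. The enclosing `if`/`else` on the session cookie begins before the hunk.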
@@ -89,24 +90,7 @@ if (isset($_COOKIE["AURSID"])) {
 search_accounts_form();
 } else {
- # A normal user, give them the ability to edit
- # their own account
- #
- $row = own_account_details($_COOKIE["AURSID"]);
- if (empty($row)) {
- print __("Could not retrieve information for the specified user.");
- } else {
- # don't need to check if they have permissions, this is a
- # normal user editing themselves.
- #
- print __("Use this form to update your account.");
- print "<br />";
- print __("Leave the password fields blank to keep your same password.");
- display_account_form($atype, "UpdateAccount", $row["Username"],
- $row["AccountType"], $row["Suspended"], $row["Email"],
- "", "", $row["RealName"], $row["LangPreference"],
- $row["IRCNick"], $row["PGPKey"], $row["ID"]);
- }
+ print __("You are not allowed to access this area.");
 }
 }
diff --git a/web/html/index.php b/web/html/index.php
index 0e36883..70698a4 100644
--- a/web/html/index.php
+++ b/web/html/index.php
@@ -60,8 +60,9 @@ if (isset($tokens[1]) && '/' . $tokens[1] == get_pkg_route()) {
 } else {
 $_REQUEST['Action'] = "AccountInfo";
 }
+ } else {
+ $_REQUEST['Action'] = "AccountInfo";
 }
-
 }
 include get_route('/' . $tokens[1]);
 } elseif (get_route($path) !== NULL) {
diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php
index 7471d06..ed2c7c6 100644
--- a/web/lib/acctfuncs.inc.php
+++ b/web/lib/acctfuncs.inc.php
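Review bot: The new outer `else` in the index.php hunk assigns the same literal as the inner `else` kept as context just above it, `$_REQUEST['Action'] = "AccountInfo";`, so the default is now spelled out twice within a few lines. Setting it once before the nested checks (whose opening lines are above this hunk) and letting only a matched specific action overwrite it would let both `else` branches go; I cannot see those conditions, so confirm nothing relies on Action being unset. The value is also written into `$_REQUEST`, where downstream code cannot tell a router default from a client-supplied `Action` parameter — a pre-existing pattern on the context line, but worth a one-line comment above the assignment noting that it is a router-chosen default rather than input.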
@@ -719,24 +719,6 @@ function account_details($uid, $username, $dbh=NULL) {
 return $row;
 }
-function own_account_details($sid, $dbh=NULL) {
- if(!$dbh) {
- $dbh = db_connect();
- }
- $q = "SELECT Users.*, AccountTypes.AccountType ";
- $q.= "FROM Users, AccountTypes, Sessions ";
- $q.= "WHERE AccountTypes.ID = Users.AccountTypeID ";
- $q.= "AND Users.ID = Sessions.UsersID ";
- $q.= "AND Sessions.SessionID = " . $dbh->quote($sid);
- $result = $dbh->query($q);
-
- if ($result) {
- $row = $result->fetch(PDO::FETCH_ASSOC);
- }
-
- return $row;
-}
-
 function tu_voted($voteid, $uid, $dbh=NULL) {
 if (!$dbh) {
 $dbh = db_connect();
-- 
1.7.12