Add template, allow users to change username/password

account.php

@@ -0,0 +1,111 @@
+<?php session_start();
+/* curload
+ * Simple file uploading using POST requests
+ * Licensed under the GNU Affero General Public License version 3.0
+ */
+
+include "config.php";
+include "core.php";
+
+$html = "";
+$html = printHeader($html);
+
+$Username = "";
+$Password = "";
+$ID = -1;
+$Primary = 0;
+$IsCurrentUser = false;
+
+// make sure a username and password is specified for authentication
+if (isset($_SESSION['username']) && isset($_SESSION['password'])) {
+    $Username = $_SESSION['username'];
+    $Password = $_SESSION['password'];
+} else {
+    print "Username and password must be specified.";
+    die();
+}
+
+if (isset($_REQUEST['id'])) {
+    $ID = $_REQUEST['id'];
+} else {
+    $ID = -1; // use the username and password to determine
+}
+
+$Authorized = 0;
+
+$Database = createTables($sqlDB);
+$DatabaseQuery = $Database->query('SELECT * FROM users');
+
+// check permissions
+while ($line = $DatabaseQuery->fetchArray()) {
+    if ($ID == -1 && $line['username'] == $Username && $Username != "" && $line['password'] != "" && $Password == $line['password']) {
+        $ID = $line['id'];
+        $SelUsername = $line['username'];
+        $IsCurrentUser = true;
+        $Authorized = 1;
+
+        break;
+    } else if ($line['username'] == $Username && $Username != "" && $line['password'] != "" && $Password == $line['password']) { // We're logged into an admin account
+        $UserDatabaseQuery = $Database->query('SELECT * FROM users');
+        $Primary = $line['primaryadmin'];
+        $IsCurrentUser = false;
+
+        while ($uline = $UserDatabaseQuery->fetchArray()) {
+            if ($ID == $uline['id'] && ($Primary && $uline['usertype'] == 2 || $uline['usertype'] != 2)) {
+                $SelUsername = $uline['username'];
+                $Authorized = 1;
+                break;
+            }
+        }
+    }
+}
+
+if ($Authorized == 0) {
+    die();
+}
+
+$html .= "\t\t\t<h1>Account options</h1>\n";
+$html .= "\t\t\t\t<p>This is where you can change account options.</p>\n";
+
+if ($allowPasswordChange || $IsCurrentUser) {
+    $html .= "\t\t\t\t<h2>Change password</h2>\n";
+    $html .= "\t\t\t\t\t<p>If you need to change your password, you can do so here:</p>\n";
+    $html .= "\t\t\t\t\t<form action=\"change.php\" method=\"post\" class=\"changePass\">\n";
+
+    if ($IsCurrentUser) {
+        $html .= "\t\t\t\t\t\t<label for=\"curpass\">Current password</label>\n";
+        $html .= "\t\t\t\t\t\t<input type=\"password\" name=\"curpass\" placeholder=\"Current password\">\n";
+    }
+
+    $html .= "\t\t\t\t\t\t<label for=\"newpass\">New password</label>\n";
+    $html .= "\t\t\t\t\t\t<input type=\"password\" name=\"newpass\" placeholder=\"New password\">\n";
+    $html .= "\t\t\t\t\t\t<label for=\"newpassc\">Confirm</label>\n";
+    $html .= "\t\t\t\t\t\t<input type=\"password\" name=\"newpassc\" placeholder=\"Confirm\">\n";
+    $html .= "\t\t\t\t\t\t<input type=\"hidden\" name=\"action\" value=\"pass\">\n";
+    $html .= "\t\t\t\t\t\t<input type=\"hidden\" name=\"id\"\" value=\"$ID\">\n";
+    $html .= "\t\t\t\t\t\t<input type=\"submit\" value=\"Change password\" name=\"change\">\n";
+    $html .= "\t\t\t\t\t</form>\n";
+}
+
+if ($allowUsernameChange || !$IsCurrentUser) {
+    $html .= "\t\t\t\t<h2>Change username</h2>\n";
+    $html .= "\t\t\t\t\t<p>If you need to change your username, you can do so here:</p>\n";
+    $html .= "\t\t\t\t\t<form action=\"change.php\" method=\"post\" class=\"changeUser\">\n";
+
+    if ($IsCurrentUser) {
+        $html .= "\t\t\t\t\t\t<label for=\"curusername\">Current username</label>\n";
+        $html .= "\t\t\t\t\t\t<input type=\"text\" name=\"curusername\" placeholder=\"Current username\">\n";
+    }
+
+    $html .= "\t\t\t\t\t\t<label for=\"newusername\">New username</label>\n";
+    $html .= "\t\t\t\t\t\t<input type=\"text\" name=\"newusername\" placeholder=\"New username\">\n";
+    $html .= "\t\t\t\t\t\t<input type=\"hidden\" name=\"action\" value=\"username\">\n";
+    $html .= "\t\t\t\t\t\t<input type=\"hidden\" name=\"id\"\" value=\"$ID\">\n";
+    $html .= "\t\t\t\t\t\t<input type=\"submit\" value=\"Change username\" name=\"change\">\n";
+    $html .= "\t\t\t\t\t</form>\n";
+}
+
+$html = printFooter($html);
+print "$html";
+
+?>

admin.php

@@ -224,6 +224,7 @@ if ($Action == "files") {
 
         if ($Primary == 1 && $line['primaryadmin'] != 1) { // primary admins cannot be removed
             $html .= "\t\t\t\t\t\t<td class=\"adminRemove\"><a href=\"/remove-user.php?redir=admin&id=$ID&type=2\">Remove</a></td>\n";
+            $html .= "\t\t\t\t\t\t<td class=\"adminEdit\"><a href=\"/account.php?redir=admin&id=$ID\">Edit</a></td>\n";
         }
 
         $html .= "\t\t\t\t\t</tr>\n";

change.php

@@ -0,0 +1,137 @@
+<?php session_start();
+/* curload
+ * Simple file uploading using POST requests
+ * Licensed under the GNU Affero General Public License version 3.0
+ */
+
+include "config.php";
+include "core.php";
+
+$Username = "";
+$Password = "";
+$CurUsername = "";
+$CurPassword = "";
+$Action = "";
+$ID = 0;
+$Primary = 0;
+$IsCurrentUser = false;
+
+// make sure a username and password is specified for authentication
+if (isset($_SESSION['username']) && isset($_SESSION['password'])) {
+    $Username = $_SESSION['username'];
+    $Password = $_SESSION['password'];
+} else {
+    header("Location: /");
+    die();
+}
+
+if (isset($_REQUEST['id'])) {
+    $ID = $_REQUEST['id'];
+} else {
+    $ID = -1; // use the username and password to determine
+}
+
+// action
+if (isset($_REQUEST['action'])) {
+    $Action = $_REQUEST['action'];
+} else {
+    header("Location: /");
+    die();
+}
+
+$Authorized = 0;
+
+$Database = createTables($sqlDB);
+$DatabaseQuery = $Database->query('SELECT * FROM users');
+
+// check permissions
+while ($line = $DatabaseQuery->fetchArray()) {
+    if ($ID == -1 && $line['username'] == $Username && $Username != "" && $line['password'] != "" && $Password == $line['password']) {
+        $ID = $line['id'];
+        $Authorized = 1;
+        $IsCurrentUser = true;
+        $CurUsername = $line['username'];
+        $CurPassword = $line['password'];
+
+        break;
+    } else if ($line['username'] == $Username && $Username != "" && $line['password'] != "" && $Password == $line['password']) { // We're logged into an admin account
+        $UserDatabaseQuery = $Database->query('SELECT * FROM users');
+        $Primary = $line['primaryadmin'];
+
+        while ($uline = $UserDatabaseQuery->fetchArray()) {
+            if ($ID == $uline['id'] && ($Primary && $uline['usertype'] == 2 || $uline['usertype'] != 2)) {
+                $CurUsername = $uline['username'];
+                $CurPassword = $uline['password'];
+                $Authorized = 1;
+                break;
+            }
+        }
+    }
+}
+
+if ($Authorized == 0) {
+    header("Location: /");
+    die();
+}
+
+// perform the action
+if ($Action == "pass" && ($allowPasswordChange || !$IsCurrentUser)) {
+    if (!isset($_REQUEST['newpass']) || !isset($_REQUEST['newpassc'])) {
+        header("Location: /");
+        die();
+    }
+
+    if ($_REQUEST['newpass'] != $_REQUEST['newpassc']) {
+        header("Location: /");
+        die();
+    }
+
+    $NewPassword = htmlspecialchars(generatePassword($_REQUEST['newpass']));
+
+    if (!password_verify($_REQUEST['curpass'], $CurPassword) && $IsCurrentUser) {
+        header("Location: /");
+        die();
+    }
+
+    $Database->exec("UPDATE users SET password='$NewPassword' WHERE id='$ID'");
+} else if ($Action == "username" && ($allowUsernameChange || !$IsCurrentUser)) {
+    if (!isset($_REQUEST['newusername'])) {
+        header("Location: /");
+        die();
+    }
+
+    if (!isset($_REQUEST['curusername']) && $IsCurrentUser) {
+        header("Location: /");
+        die();
+    }
+
+    $NewUsername = htmlspecialchars($_REQUEST['newusername']);
+
+    if ($CurUsername != $_REQUEST['curusername'] && $IsCurrentUser) {
+        header("Location: /");
+        die();
+    }
+
+    // make sure no duplicates can exist
+    $UserDatabaseQuery = $Database->query('SELECT * FROM users');
+    while ($uline = $UserDatabaseQuery->fetchArray()) {
+        if ($uline['username'] == $NewUsername) {
+            header("Location: /");
+            die();
+            break;
+        }
+    }
+
+    // change it
+    $Database->exec("UPDATE users SET username='$NewUsername' WHERE id='$ID'");
+    $Database->exec("UPDATE uploads SET username='$NewUsername' WHERE username='$CurUsername'");
+} else {
+    header("Location: /");
+    die();
+}
+
+if ($IsCurrentUser) {
+    header('Location: login.php?logout=true');
+    die();
+}
+?>

config.def.ini

@@ -25,6 +25,8 @@ enable_upload_removal      = true
 enable_user_upload_removal = false
 
 [credentials]
+allow_change_username      = true
+allow_change_password      = true
 sqldb                      = curload.sql
 
 [logging]

config.php

@@ -17,6 +17,7 @@ $storeIssued             = true;
 $storeLastUsage          = true;
 $storeUploads            = true;
 $publicUploading         = false;
+$allowPasswordChange     = true;
 $renameDuplicates        = true;
 $replaceOriginal         = false;
 $logoHeaderSize          = 16;
@@ -61,6 +62,8 @@ $instanceName = $configEntries['instance_name'];
 $instanceDescription = $configEntries['instance_description'];
 $footerText = $configEntries['footer_text'];
 $publicUploading = $configEntries['public_uploading'];
+$allowUsernameChange = $configEntries['allow_change_username'];
+$allowPasswordChange = $configEntries['allow_change_password'];
 $renameDuplicates = $configEntries['rename_duplicates'];
 $replaceOriginal = $configEntries['replace_original'];
 $enableUploadRemoval = $configEntries['enable_upload_removal'];

core.php

@@ -68,6 +68,8 @@ function printHeader($html) {
     if (!isset($_SESSION['type'])) {
         $html .= "\t\t\t\t<small id='login'><a id='login' href=\"login.php\">Log in</a></small>\n";
     } else {
+        $Username = $_SESSION['username'];
+        $html .= "\t\t\t\t<small id='username'><a id='username' href=\"account.php\">$Username</a></small>\n";
         $html .= "\t\t\t\t<small id='logout'><a id='logout' href=\"login.php?logout=true\">Log out</a></small>\n";
     }
 

index.css

@@ -21,7 +21,7 @@
     float: right;
 }
 
-#login, #logout {
+#login, #logout, #username {
     padding-left: 5px;
     float: right;
 }

templates/template-for-checking-password.php

@@ -0,0 +1,41 @@
+<?php session_start();
+/* curload
+ * Simple file uploading using POST requests
+ * Licensed under the GNU Affero General Public License version 3.0
+ */
+
+include "config.php";
+include "core.php";
+
+$Username = "";
+$Password = "";
+$id = 0;
+
+if (isset($_SESSION['username']) && isset($_SESSION['password'])) {
+    $Username = $_SESSION['username'];
+    $Password = $_SESSION['password'];
+} else {
+    print "Username and password must be specified.";
+    die();
+}
+
+$Authorized = 0;
+
+$Database = createTables($sqlDB);
+$DatabaseQuery = $Database->query('SELECT * FROM users');
+
+while ($line = $DatabaseQuery->fetchArray()) {
+    if ($line['username'] == $Username && $Username != "" && $line['password'] != "" && $Password == $line['password']) {
+        $id = $line['id'];
+        $Authorized = 1;
+
+        break;
+    }
+}
+
+if ($Authorized == 0) {
+    die();
+}
+
+// Do whatever the fuck you want here
+?>