From 548ef21e7871c83a5e702ffb39d3573e932dfb20 Mon Sep 17 00:00:00 2001 From: Banana Date: Mon, 19 Feb 2024 15:19:58 +0100 Subject: [PATCH] user and group management. check if in use before deletion --- CHANGELOG | 1 + TODO | 1 - webclient/lib/possessed.class.php | 145 ++++++++++++++---- .../view/default/manageusers/manageusers.php | 2 +- 4 files changed, 116 insertions(+), 33 deletions(-) diff --git a/CHANGELOG b/CHANGELOG index 83d67c9..fe6f478 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,5 +1,6 @@ 1.x - The Ceremonial Chambers * Added group infos to profile view. + * User- and groupmanagement: Check if in use before deletion. 1.6 - Chizra 2024-02-03 diff --git a/TODO b/TODO index c613771..607e8a9 100644 --- a/TODO +++ b/TODO @@ -9,7 +9,6 @@ ** change the css and js lookup too in main file * i18n support * Definition of fields in "card view" -* User and groupmanagement: Check where a user or group is used! * Export of an entry, collection or everything. Stored on disk. * Import of the export * remove ifset and maybe ifsetvalue from summoner diff --git a/webclient/lib/possessed.class.php b/webclient/lib/possessed.class.php index a555096..d1007f3 100644 --- a/webclient/lib/possessed.class.php +++ b/webclient/lib/possessed.class.php 
@@ -290,25 +290,27 @@ class Possessed {
 $ret = false;
 if(Summoner::validate($id,'digit')) {
- try {
- $this->_DB->begin_transaction(MYSQLI_TRANS_START_READ_WRITE);
- $d1 = $this->_DB->query("DELETE FROM `".DB_PREFIX."_user`
- WHERE `id` = '".$this->_DB->real_escape_string($id)."'
- AND ".$this->_User->getSQLRightsString("delete")."
- AND `protected` = '0'");
- $d2 = $this->_DB->query("DELETE FROM `".DB_PREFIX."_user2group` WHERE `fk_user_id` = '".$this->_DB->real_escape_string($id)."'");
- $d3 = $this->_DB->query("DELETE FROM `".DB_PREFIX."_userSession` WHERE `fk_user_id` = '".$this->_DB->real_escape_string($id)."'");
-
- if($d1 === false || $d2 === false || $d3 === false) {
- throw new Exception('Failed to delete the user');
- }
- $this->_DB->commit();
- $ret = true;
- }
- catch (Exception $e) {
- $this->_DB->rollback();
- Summoner::sysLog("[ERROR] ".__METHOD__." mysql catch: ".$e->getMessage());
- }
+
+ if(!$this->_checkIfUserIsInUse($id)) {
+ try {
+ $this->_DB->begin_transaction(MYSQLI_TRANS_START_READ_WRITE);
+ $d1 = $this->_DB->query("DELETE FROM `".DB_PREFIX."_user`
+ WHERE `id` = '".$this->_DB->real_escape_string($id)."'
+ AND ".$this->_User->getSQLRightsString("delete")."
+ AND `protected` = '0'");
+ $d2 = $this->_DB->query("DELETE FROM `".DB_PREFIX."_user2group` WHERE `fk_user_id` = '".$this->_DB->real_escape_string($id)."'");
+ $d3 = $this->_DB->query("DELETE FROM `".DB_PREFIX."_userSession` WHERE `fk_user_id` = '".$this->_DB->real_escape_string($id)."'");
+
+ if ($d1 === false || $d2 === false || $d3 === false) {
+ throw new Exception('Failed to delete the user');
+ }
+ $this->_DB->commit();
+ $ret = true;
+ } catch (Exception $e) {
+ $this->_DB->rollback();
+ Summoner::sysLog("[ERROR] " . __METHOD__ . " mysql catch: " . $e->getMessage());
+ }
+ }
 }
 return $ret;
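Review bot: The new guard `if(!$this->_checkIfUserIsInUse($id))` refuses the deletion when the user has any row in `_user2group`, yet the statement assigned to `$d2` a few lines below deletes exactly those membership rows as part of the cascade — so a user who belongs to at least one group can no longer be deleted at all, and `$d2` only ever runs against an empty set. Either the `_user2group` lookup should leave the user check (membership is cleaned up here, not a dependency) or `$d2` should go; both together cannot be intended. The check also runs before `begin_transaction`, so a collection assigned to the user between the lookup and the `DELETE` is not caught; issuing the lookup after `begin_transaction` on the same connection keeps check and delete in one unit of work. Separately, `$d1 === false` only detects a failed statement: when the user is `protected` or the rights predicate excludes the row, `$d1` is `true` with zero affected rows, the session and membership rows are still removed and the method reports success — since `$this->_DB` exposes the mysqli API, `if ($this->_DB->affected_rows !== 1) { throw new Exception('User not deleted'); }` right after `$d1` would make the transaction roll back instead. The enclosing method's signature lies outside the hunk.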
@@ -387,18 +389,19 @@ class Possessed {
 $ret = false;
 if(Summoner::validate($id,'digit')) {
- $queryStr = "DELETE FROM `".DB_PREFIX."_group`
- WHERE ".$this->_User->getSQLRightsString("delete")."
- AND `protected` = '0'
- AND `id` = '".$this->_DB->real_escape_string($id)."'";
- if(QUERY_DEBUG) Summoner::sysLog("[QUERY] ".__METHOD__." query: ".Summoner::cleanForLog($queryStr));
- try {
- $this->_DB->query($queryStr);
- $ret = true;
- }
- catch (Exception $e) {
- Summoner::sysLog("[ERROR] ".__METHOD__." mysql catch: ".$e->getMessage());
- }
+ if(!$this->_checkIfGroupIsInUse($id)) {
+ $queryStr = "DELETE FROM `" . DB_PREFIX . "_group`
+ WHERE " . $this->_User->getSQLRightsString("delete") . "
+ AND `protected` = '0'
+ AND `id` = '" . $this->_DB->real_escape_string($id) . "'";
+ if (QUERY_DEBUG) Summoner::sysLog("[QUERY] " . __METHOD__ . " query: " . Summoner::cleanForLog($queryStr));
+ try {
+ $this->_DB->query($queryStr);
+ $ret = true;
+ } catch (Exception $e) {
+ Summoner::sysLog("[ERROR] " . __METHOD__ . " mysql catch: " . $e->getMessage());
+ }
+ }
 }
 return $ret;
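Review bot: `$ret = true;` after `$this->_DB->query($queryStr)` does not depend on whether a row was actually deleted: when the group is `protected` or the `getSQLRightsString("delete")` predicate excludes it, the `DELETE` succeeds with zero affected rows and the caller is told the deletion worked, so the new `_checkIfGroupIsInUse` branch is the only refusal that is reported correctly. Since `$this->_DB` exposes the mysqli API, `$ret = $this->_DB->affected_rows > 0;` in place of `$ret = true;` distinguishes the two. Whether `query()` throws here at all depends on the mysqli error-reporting mode configured elsewhere; if it does not throw, a failed statement returns `false` and still reaches `$ret = true;`, so `if($this->_DB->query($queryStr) === false) { throw new Exception('Failed to delete the group'); }` would make the catch branch reachable, matching the `=== false` handling used in `deleteUser`. The surrounding method begins and ends outside the hunk.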
@@ -647,4 +650,84 @@ class Possessed {
 return $ret;
 }
+
+ /**
+ * Check if given userId is used and should not be deleted.
+ *
+ * @param string $userId
+ * @return bool
+ */
+ private function _checkIfUserIsInUse(string $userId): bool {
+ $ret = false;
+
+ $queryStr = "SELECT `id` FROM `".DB_PREFIX."_collection`
+ WHERE `owner` = '".$this->_DB->real_escape_string($userId)."'";
+ if(QUERY_DEBUG) Summoner::sysLog("[QUERY] ".__METHOD__." query: ".Summoner::cleanForLog($queryStr));
+ try {
+ $query = $this->_DB->query($queryStr);
+ if($query !== false && $query->num_rows > 0) {
+ $ret = true;
+ }
+ }
+ catch (Exception $e) {
+ Summoner::sysLog("[ERROR] ".__METHOD__." mysql catch: ".$e->getMessage());
+ }
+
+ if(!$ret) {
+ $queryStr = "SELECT `id` FROM `".DB_PREFIX."_user2group`
+ WHERE `fk_user_id` = '".$this->_DB->real_escape_string($userId)."'";
+ if(QUERY_DEBUG) Summoner::sysLog("[QUERY] ".__METHOD__." query: ".Summoner::cleanForLog($queryStr));
+ try {
+ $query = $this->_DB->query($queryStr);
+ if($query !== false && $query->num_rows > 0) {
+ $ret = true;
+ }
+ }
+ catch (Exception $e) {
+ Summoner::sysLog("[ERROR] ".__METHOD__." mysql catch: ".$e->getMessage());
+ }
+ }
+
+ return $ret;
+ }
+
+ /**
+ * Check if given groupId is used and should not be deleted.
+ *
+ * @param string $groupId
+ * @return bool
+ */
+ private function _checkIfGroupIsInUse(string $groupId): bool {
+ $ret = false;
+
+ $queryStr = "SELECT `id` FROM `".DB_PREFIX."_collection`
+ WHERE `group` = '".$this->_DB->real_escape_string($groupId)."'";
+ if(QUERY_DEBUG) Summoner::sysLog("[QUERY] ".__METHOD__." query: ".Summoner::cleanForLog($queryStr));
+ try {
+ $query = $this->_DB->query($queryStr);
+ if($query !== false && $query->num_rows > 0) {
+ $ret = true;
+ }
+ }
+ catch (Exception $e) {
+ Summoner::sysLog("[ERROR] ".__METHOD__." 
mysql catch: ".$e->getMessage());
+ }
+
+ if(!$ret) {
+ $queryStr = "SELECT `id` FROM `".DB_PREFIX."_user2group`
+ WHERE `fk_group_id` = '".$this->_DB->real_escape_string($groupId)."'";
+ if(QUERY_DEBUG) Summoner::sysLog("[QUERY] ".__METHOD__." query: ".Summoner::cleanForLog($queryStr));
+ try {
+ $query = $this->_DB->query($queryStr);
+ if($query !== false && $query->num_rows > 0) {
+ $ret = true;
+ }
+ }
+ catch (Exception $e) {
+ Summoner::sysLog("[ERROR] ".__METHOD__." mysql catch: ".$e->getMessage());
+ }
+ }
+
+ return $ret;
+ }
 }
diff --git a/webclient/view/default/manageusers/manageusers.php b/webclient/view/default/manageusers/manageusers.php
index b236e39..0264a23 100644
--- a/webclient/view/default/manageusers/manageusers.php
+++ b/webclient/view/default/manageusers/manageusers.php
@@ -65,7 +65,7 @@ if(isset($_POST['submitForm'])) {
 $TemplateData['refresh'] = 'index.php?p=manageusers';
 }
 else {
- $TemplateData['message']['content'] = "User could not be deleted.";
+ $TemplateData['message']['content'] = "User could not be deleted. Make sure the user is not used anymore.";
 $TemplateData['message']['status'] = "error";
 }
 }
-- 
2.39.5
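Review bot: Both new helpers fail open: when the `SELECT` throws or `query()` returns `false`, the error is only logged, `$ret` stays `false`, and `deleteUser`/`deleteGroup` proceed as if nothing referenced the user or group — a transient database error during the check permits exactly the deletion the check was added to prevent. A referential-integrity guard should treat a failed lookup as "in use", i.e. refuse the deletion, and only report "not in use" after a successful query returned no rows. The four query/try/catch stanzas in `_checkIfUserIsInUse` and `_checkIfGroupIsInUse` differ only in table and column, so a single private helper that takes the query string and returns whether it yielded rows removes the duplication, lets the fail-closed default live in one place, and allows `SELECT 1 … LIMIT 1` instead of fetching every `id` to read `num_rows`; the `||` below preserves the existing short-circuit where the second lookup runs only when the first found nothing. The docblocks type the parameters as `string`, but both callers pass an id validated with `Summoner::validate($id,'digit')`; `@param string $userId numeric id, validated by the caller` would make that contract visible.
```php
/**
 * Run a SELECT and report whether it yielded at least one row.
 * A query that fails or throws is reported as "rows exist", so a broken lookup
 * refuses a dependent deletion instead of allowing it.
 *
 * @param string $queryStr complete, already-escaped SELECT statement
 * @return bool
 */
private function _queryHasRows(string $queryStr): bool {
	if(QUERY_DEBUG) Summoner::sysLog("[QUERY] ".__METHOD__." query: ".Summoner::cleanForLog($queryStr));
	try {
		$query = $this->_DB->query($queryStr);
		return $query === false || $query->num_rows > 0;
	}
	catch (Exception $e) {
		Summoner::sysLog("[ERROR] ".__METHOD__." mysql catch: ".$e->getMessage());
		return true;
	}
}

/**
 * Check if given userId is used and should not be deleted.
 *
 * @param string $userId numeric id, validated by the caller
 * @return bool
 */
private function _checkIfUserIsInUse(string $userId): bool {
	$id = $this->_DB->real_escape_string($userId);
	return $this->_queryHasRows("SELECT 1 FROM `".DB_PREFIX."_collection` WHERE `owner` = '".$id."' LIMIT 1")
		|| $this->_queryHasRows("SELECT 1 FROM `".DB_PREFIX."_user2group` WHERE `fk_user_id` = '".$id."' LIMIT 1");
}

// … unchanged in shape: _checkIfGroupIsInUse, same two lookups over `group` and `fk_group_id` …
```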
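Review bot: The new message `"User could not be deleted. Make sure the user is not used anymore."` names only one of the reasons `deleteUser` returns `false`: the same `false` comes back when the id fails `Summoner::validate($id,'digit')` or when one of the `DELETE` statements fails and the transaction is rolled back, so in those cases the hint points the administrator at the wrong cause. Either keep the message generic or let `deleteUser` report why it refused so the template can show the matching hint; `deleteUser` lives in `webclient/lib/possessed.class.php`, outside this hunk.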