<?php
/*
* Project: ChatGPT API
* Author: Vontainment
* URL: https://vontainment.com
* Version: 2.0.0
* File: ../app/forms/users-forms.php
* Description: ChatGPT API Status Generator
*/
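if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Form handler for the "users" admin page: create/update a user, delete a user,
    // or impersonate ("login as") a user. Each branch checks the CSRF token first and
    // ends in a redirect. Session start and admin-only access control are not done
    // here; they are assumed to be handled by the including page — confirm in the caller.

    // Read a POST field as a string. Missing keys and array payloads become '' so the
    // preg_match()/filter_var() checks below always receive a string (an array would
    // raise a TypeError under PHP 8).
    $postString = static fn (string $key): string => is_string($_POST[$key] ?? null) ? $_POST[$key] : '';

    // Constant-time CSRF token comparison. Fails closed when either token is missing,
    // empty, or not a string.
    $csrfTokenIsValid = static function (): bool {
        $sent = $_POST['csrf_token'] ?? null;
        $expected = $_SESSION['csrf_token'] ?? null;

        return is_string($sent)
            && is_string($expected)
            && $expected !== ''
            && hash_equals($expected, $sent);
    };

    if (isset($_POST['edit_users'])) {
        // Reject the request before reading any field when the token does not match.
        if (!$csrfTokenIsValid()) {
            $_SESSION['messages'][] = "Invalid CSRF token. Please try again.";
            header("Location: /users");
            exit;
        }

        $username = $postString('username');
        $password = $postString('password');
        $totalAccounts = $postString('total-accounts');
        $maxApiCalls = $postString('max-api-calls');
        $usedApiCalls = $postString('used-api-calls');
        $expires = $postString('expires');
        $admin = $postString('admin');

        // Collect validation failures locally: checking $_SESSION['messages'] directly
        // would let stale messages from an earlier request trigger the error redirect.
        $errors = [];

        // The username is later used as a filesystem path segment (image directory),
        // so this character whitelist is also what keeps that path free of separators
        // and traversal sequences.
        if (!preg_match('/^[a-z0-9]{8,18}$/', $username)) {
            $errors[] = "Username must be 8-18 characters long, lowercase letters and numbers only.";
        }

        // Accept either a bcrypt hash (the form echoing back the stored value) or a new
        // plaintext password that meets the strength rule.
        if (
            !preg_match('/^\$2[ayb]\$/', $password) &&
            !preg_match('/^(?=.*[A-Za-z])(?=.*\d)(?=.*[\W_]).{8,16}$/', $password)
        ) {
            $errors[] = "Password must be 8-16 characters long, including at least one letter, one number, and one symbol.";
        }

        // FILTER_VALIDATE_INT returns the parsed int, so compare with false explicitly:
        // a legitimate value of 0 (e.g. no API calls used yet) must not be rejected.
        if (
            filter_var($totalAccounts, FILTER_VALIDATE_INT) === false ||
            filter_var($maxApiCalls, FILTER_VALIDATE_INT) === false ||
            filter_var($usedApiCalls, FILTER_VALIDATE_INT) === false ||
            !preg_match('/^\d{4}-\d{2}-\d{2}$/', $expires) || strtotime($expires) === false ||
            !in_array($admin, ['0', '1'], true)
        ) {
            $errors[] = "There was an error processing input.";
        }

        if ($errors !== []) {
            $_SESSION['messages'] = array_merge($_SESSION['messages'] ?? [], $errors);
            header("Location: /users");
            exit;
        }

        $db = new Database();
        $db->query("SELECT * FROM users WHERE username = :username");
        $db->bind(':username', $username);
        $userExists = $db->single();

        // Keep the submitted value only when it is byte-for-byte the hash already stored
        // for this user; anything else (a new plaintext password, or any value for a user
        // that does not exist yet) is hashed before it is written. Comparing against the
        // stored hash instead of calling password_verify() avoids two faults of the old
        // flow: a plaintext that verified against the stored hash was written to the
        // database in the clear, and an echoed-back hash was hashed a second time.
        $storedHash = $userExists ? (string) $userExists->password : '';
        if ($storedHash === '' || !hash_equals($storedHash, $password)) {
            $password = password_hash($password, PASSWORD_DEFAULT);
        }

        if ($userExists) {
            $db->query("UPDATE users SET password = :password, total_accounts = :totalAccounts, max_api_calls = :maxApiCalls, used_api_calls = :usedApiCalls, admin = :admin, expires = :expires WHERE username = :username");
        } else {
            $db->query("INSERT INTO users (username, password, total_accounts, max_api_calls, used_api_calls, expires, admin) VALUES (:username, :password, :totalAccounts, :maxApiCalls, :usedApiCalls, :expires, :admin)");
        }
        $db->bind(':username', $username);
        $db->bind(':password', $password); // Always a hash at this point
        $db->bind(':totalAccounts', $totalAccounts);
        $db->bind(':maxApiCalls', $maxApiCalls);
        $db->bind(':usedApiCalls', $usedApiCalls);
        $db->bind(':expires', $expires);
        $db->bind(':admin', $admin);
        $db->execute();

        if (!$userExists) {
            // Per-user image directory, created only after the row has been written so a
            // failed insert does not leave an orphaned directory behind. 0755 rather than
            // 0777: the web server user owns it, nobody else needs write access. The
            // index.php stub presumably suppresses directory listing — kept from the
            // original flow.
            $userImagePath = __DIR__ . '/../../public/images/' . $username;
            if (!is_dir($userImagePath)) {
                mkdir($userImagePath, 0755, true);
            }
            if (is_dir($userImagePath)) {
                file_put_contents($userImagePath . '/index.php', '<?php die(); ?>');
            }
        }

        $_SESSION['messages'][] = "User has been created or modified.";
        header("Location: /users");
        exit;
    } elseif (isset($_POST['delete_user']) && isset($_POST['username'])) {
        if (!$csrfTokenIsValid()) {
            $_SESSION['messages'][] = "Invalid CSRF token. Please try again.";
            header("Location: /accounts");
            exit;
        }

        $username = $postString('username');

        // Refuse self-deletion. As in the original flow this path does not redirect;
        // the including page is left to render the message.
        if ($username === ($_SESSION['username'] ?? null)) {
            $_SESSION['messages'][] = "Sorry, you can't delete your own account.";
        } else {
            $db = new Database();
            // The user's own row plus every dependent row keyed by username. Table names
            // come from this fixed list, never from request data; the username itself is
            // bound as a parameter. NOTE(review): the deletes are not wrapped in a
            // transaction — the Database API for that is not visible here; confirm whether
            // it offers one.
            foreach (['users', 'accounts', 'status_updates', 'logs'] as $table) {
                $db->query("DELETE FROM {$table} WHERE username = :username");
                $db->bind(':username', $username);
                $db->execute();
            }
            $_SESSION['messages'][] = "User Deleted";
            header("Location: /accounts");
            exit;
        }
    } elseif (isset($_POST['login_as']) && isset($_POST['username'])) {
        if (!$csrfTokenIsValid()) {
            $_SESSION['messages'][] = "Invalid CSRF token. Please try again.";
            header("Location: /accounts");
            exit;
        }

        $username = $postString('username');
        // NOTE(review): nothing here checks that the acting user may impersonate others;
        // that authorization is assumed to be enforced before this file is included — confirm.
        $user = getUserInfo($username);
        if ($user) {
            // Remember who is really logged in so the impersonation can be undone later.
            // Never overwrite it while already impersonating, or the original identity is lost.
            if (!isset($_SESSION['isReally'])) {
                $_SESSION['isReally'] = $_SESSION['username'] ?? null;
            }
            // Switch the session to the selected user.
            $_SESSION['username'] = $user->username;
            $_SESSION['logged_in'] = true;
            header("Location: /home");
            exit;
        }
    }
}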