From a8793a9872f733cdec76014faaa5d1c36b463e2e Mon Sep 17 00:00:00 2001
From: phpipam <miha.petkovsek@telemach.si>
Date: Thu, 21 Dec 2023 09:03:33 +0100
Subject: [PATCH] Fixed user cannot be deleted

---
 app/admin/users/edit-result.php | 122 +++++++++++++++++---------------
 app/admin/users/edit.php | 11 ++-
 2 files changed, 70 insertions(+), 63 deletions(-)

diff --git a/app/admin/users/edit-result.php b/app/admin/users/edit-result.php
index 8cc518d7..b726f0ce 100755
--- a/app/admin/users/edit-result.php
+++ b/app/admin/users/edit-result.php
@@ -29,10 +29,6 @@ $_POST = $Admin->trim_array_objects ($_POST);
 # validate csrf cookie
 $User->Crypto->csrf_cookie ("validate", "user", $_POST['csrf_cookie']) === false ? $Result->show("danger", _("Invalid CSRF cookie"), true) : "";
-# fetch auth method
-$auth_method = $Admin->fetch_object ("usersAuthMethod", "id", $_POST['authMethod']);
-$auth_method!==false ? : $Result->show("danger", _("Invalid authentication method"), true);
-
 /* checks */
 # ID must be numeric
@@ -40,65 +36,75 @@ if($_POST['action']=="edit"||$_POST['action']=="delete") { if(!is_numeric($_POST['userId'])) { $Result->show("danger", _("Invalid ID"), true); } } -# if password changes check and hash passwords -if($auth_method->type != "local") { $_POST['password1'] = ""; $_POST['password2'] = ""; } -if((!is_blank(@$_POST['password1']) || (@$_POST['action']=="add") && $auth_method->type=="local")) { - //checks - if($_POST['password1']!=$_POST['password2']) { $Result->show("danger", _("Passwords do not match"), true); } - if(strlen($_POST['password1'])<8) { $Result->show("danger", _("Password must be at least 8 characters long!"), true); } - //enforce password policy - $policy = (pf_json_decode($User->settings->passwordPolicy, true)); - $Password_check->set_requirements ($policy, pf_explode(",",$policy['allowedSymbols'])); - if (!$Password_check->validate ($_POST['password1'])) { $Result->show("danger alert-danger ", _('Password validation errors').":<br> - ".implode("<br> - ", $Password_check->get_errors ()), true); } +# Add / edit actions +if($_POST['action']!="delete") { + // validate authMethod + $auth_method = $Admin->fetch_object ("usersAuthMethod", "id", $_POST['authMethod']); + $auth_method!==false ? 
: $Result->show("danger", _("Invalid authentication method"), true); - //hash passowrd - $_POST['password1'] = $User->crypt_user_pass ($_POST['password1']); -} + # if password changes check and hash passwords + if($auth_method->type != "local") { $_POST['password1'] = ""; $_POST['password2'] = ""; } + if((!is_blank(@$_POST['password1']) || (@$_POST['action']=="add") && $auth_method->type=="local")) { + //checks + if($_POST['password1']!=$_POST['password2']) { $Result->show("danger", _("Passwords do not match"), true); } + if(strlen($_POST['password1'])<8) { $Result->show("danger", _("Password must be at least 8 characters long!"), true); } + + //enforce password policy + $policy = (pf_json_decode($User->settings->passwordPolicy, true)); + $Password_check->set_requirements ($policy, pf_explode(",",$policy['allowedSymbols'])); + if (!$Password_check->validate ($_POST['password1'])) { $Result->show("danger alert-danger ", _('Password validation errors').":<br> - ".implode("<br> - ", $Password_check->get_errors ()), true); } -# general checks -if(is_blank(@$_POST['real_name'])) { $Result->show("danger", _("Real name field is mandatory!"), true); } -# email format must be valid -if (!$Tools->validate_email(@$_POST['email'])) { $Result->show("danger", _("Invalid email address!"), true); } - -# username must not already exist (if action is add) -if ($_POST['action']=="add") { - //username > 8 chars - if ($auth_method->type=="local") { - if(strlen($_POST['username'])<3) { $Result->show("danger", _("Username must be at least 3 characters long!"), true); } - } else { - if(is_blank($_POST['username'])) { $Result->show("danger", _("Username must be at least 1 character long!"), true); } + //hash passowrd + $_POST['password1'] = $User->crypt_user_pass ($_POST['password1']); } - //check duplicate - if($Admin->fetch_object("users", "username", $_POST['username'])!==false) { - { $Result->show("danger", _("User")." ".$_POST['username']." 
"._("already exists!"), true); } + + # general checks + if(is_blank(@$_POST['real_name'])) { $Result->show("danger", _("Real name field is mandatory!"), true); } + # email format must be valid + if (!$Tools->validate_email(@$_POST['email'])) { $Result->show("danger", _("Invalid email address!"), true); } + + # username must not already exist (if action is add) + if ($_POST['action']=="add") { + //username > 8 chars + if ($auth_method->type=="local") { + if(strlen($_POST['username'])<3) { $Result->show("danger", _("Username must be at least 3 characters long!"), true); } + } else { + if(is_blank($_POST['username'])) { $Result->show("danger", _("Username must be at least 1 character long!"), true); } + } + //check duplicate + if($Admin->fetch_object("users", "username", $_POST['username'])!==false) { + { $Result->show("danger", _("User")." ".$_POST['username']." "._("already exists!"), true); } + } } -} -# admin user cannot be deleted -if($_POST['action']=="delete" && $_POST['userId']==1) { $Result->show("danger", _("Admin user cannot be deleted"), true); } -# admin user cannot be disabled -if($_POST['disabled']=="Yes" && $_POST['userId']==1) { $Result->show("danger", _("Admin user cannot be disabled"), true); } -# custom fields check -$myFields = $Tools->fetch_custom_fields('users'); -if(sizeof($myFields) > 0) { - foreach($myFields as $myField) { - # replace possible ___ back to spaces! - $myField['nameTest'] = str_replace(" ", "___", $myField['name']); + # custom fields check + $myFields = $Tools->fetch_custom_fields('users'); + if(sizeof($myFields) > 0) { + foreach($myFields as $myField) { + # replace possible ___ back to spaces! + $myField['nameTest'] = str_replace(" ", "___", $myField['name']); - if(isset($_POST[$myField['nameTest']])) { $_POST[$myField['name']] = $_POST[$myField['nameTest']];} + if(isset($_POST[$myField['nameTest']])) { $_POST[$myField['name']] = $_POST[$myField['nameTest']];} - //booleans can be only 0 and 1! 
- if($myField['type']=="tinyint(1)") { - if($_POST[$myField['name']]>1) { - $_POST[$myField['name']] = ""; + //booleans can be only 0 and 1! + if($myField['type']=="tinyint(1)") { + if($_POST[$myField['name']]>1) { + $_POST[$myField['name']] = ""; + } } + //not null! + if($myField['Null']=="NO" && is_blank($_POST[$myField['name']])) { $Result->show("danger", $myField['name']." "._("can not be empty!"), true); } } - //not null! - if($myField['Null']=="NO" && is_blank($_POST[$myField['name']])) { $Result->show("danger", $myField['name']." "._("can not be empty!"), true); } } } +# admin user cannot be deleted +if($_POST['action']=="delete" && $_POST['userId']==1) { $Result->show("danger", _("Admin user cannot be deleted"), true); } +# admin user cannot be disabled +if($_POST['disabled']=="Yes" && $_POST['userId']==1) { $Result->show("danger", _("Admin user cannot be disabled"), true); } + + /* update */ @@ -124,13 +130,15 @@ if($_POST['action']=="add") { } # custom fields -if (sizeof($myFields)>0) { - foreach($myFields as $myField) { - # replace possible ___ back to spaces! - $myField['nameTest'] = str_replace(" ", "___", $myField['name']); - - if(isset($_POST[$myField['nameTest']])) { $values[$myField['name']] = $_POST[$myField['nameTest']];} - } +if(isset($myFields)) { + if (sizeof($myFields)>0) { + foreach($myFields as $myField) { + # replace possible ___ back to spaces! + $myField['nameTest'] = str_replace(" ", "___", $myField['name']); + + if(isset($_POST[$myField['nameTest']])) { $values[$myField['name']] = $_POST[$myField['nameTest']];} + } + } } # update pass ? if(!is_blank(@$_POST['password1']) || (@$_POST['action']=="add" && $auth_method->type=="local")) { diff --git a/app/admin/users/edit.php b/app/admin/users/edit.php index b85c92f3..f77132fb 100755 --- a/app/admin/users/edit.php +++ b/app/admin/users/edit.php 
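Review bot: The new `if($_POST['action']!="delete")` block carries over a stray nested brace pair in the duplicate-username check (`if(...) { { $Result->show(...); } }`) and a comment that contradicts the code (`//username > 8 chars` sits above a `strlen($_POST['username'])<3` test); I would drop the inner braces and write `//username must be at least 3 characters (local auth)`. The same block keeps the byte-wise `strlen($_POST['password1'])<8` check, so a four-character multibyte password can satisfy a message that promises eight characters; `mb_strlen($_POST['password1'])<8` matches the stated policy. The block also mixes `#` and `//` comment markers line by line, and the `passowrd` typo survives the move. The enclosing script continues on both sides of the hunk.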
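Review bot: The `isset($myFields)` guard only covers the custom-field loop; the password condition on the next context line, `if(!is_blank(@$_POST['password1']) || (@$_POST['action']=="add" && $auth_method->type=="local"))`, can still be entered for a delete request, because nothing on the delete path clears `password1` and `$auth_method` is now defined only in the add/edit branch. Short-circuiting keeps the `$auth_method->type` operand unreachable for delete, but a delete POST that happens to carry a non-blank `password1` would take the branch with a value that the add/edit block never validated or hashed; whether that reaches the database depends on the delete case of the update section, which lies outside the hunk. Making the intent explicit keeps the two sections in step: `if($_POST['action']!="delete" && (!is_blank(@$_POST['password1']) || (@$_POST['action']=="add" && $auth_method->type=="local"))) {`. The nested `isset` / `sizeof` pair could also collapse to `foreach ($myFields ?? [] as $myField) {`, which behaves the same when the variable is unset or empty.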
@@ -97,7 +97,11 @@ $(document).ready(function(){
 <!-- username -->
 <tr>
 <td><?php print _('Username'); ?></td>
-<td><input type="text" class="form-control input-sm" name="username" value="<?php print @$user['username']; ?>" <?php if($_POST['action']=="edit"||$_POST['action']=="delete") print 'readonly disabled'; ?> <?php print $disabled; ?>></td>
+<td>
+<input type="text" class="form-control input-sm" name="username" value="<?php print @$user['username']; ?>" <?php if($_POST['action']=="edit"||$_POST['action']=="delete") print 'readonly disabled'; ?> <?php print $disabled; ?>></td>
+<input type="hidden" name="userId" value="<?php print @$user['id']; ?>">
+<input type="hidden" name="action" value="<?php print escape_input($_POST['action']); ?>">
+<input type="hidden" name="csrf_cookie" value="<?php print $csrf; ?>">
 <td class="info2">
 <?php if($_POST['action']=="add") { ?>
 <a class='btn btn-xs btn-default adsearchuser' rel='tooltip' title='Search AD for user details'><i class='fa fa-search'></i></a>
@@ -141,11 +145,6 @@ $(document).ready(function(){
 <option value="User" <?php if (@$user['role'] == "User" || $_POST['action'] == "add") print "selected"; ?>><?php print _('Normal User'); ?></option>
 </select>
-
-<input type="hidden" name="userId" value="<?php print @$user['id']; ?>">
-<input type="hidden" name="action" value="<?php print escape_input($_POST['action']); ?>">
-<input type="hidden" name="csrf_cookie" value="<?php print $csrf; ?>">
-
 </td>
 <td class="info2"><?php print _('Select user role'); ?> <ul>
-- 
GitLab
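Review bot: The `</td>` kept at the end of the new `<input type="text" ... name="username" ...>` line closes the username cell before the three hidden inputs, so `userId`, `action` and `csrf_cookie` become direct children of `<tr>` rather than of a cell; browsers tolerate hidden inputs in table context, but it is fragile markup for exactly the fields the delete action depends on. I would drop that `</td>` and close the cell after the last hidden input: `<input type="hidden" name="csrf_cookie" value="<?php print $csrf; ?>">` followed by `</td>`. The same new line prints `@$user['username']` into an attribute without the `escape_input()` wrapper that the `action` input two lines below uses; `value="<?php print escape_input(@$user['username']); ?>"` would keep the two consistent, assuming escape_input accepts that value as it does `$_POST['action']`. The `<tr>` is closed outside the hunk.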